SDL Episode106

From Paul's Security Weekly

Recorded on April 16, 2019 at G-Unit Studios in Rhode Island!

Hosts

  • Russell Beauchemin
    Cybersecurity & Network Security Program Advisor and Director of Instructional Support & Learning Innovation at Roger Williams University.
  • Doug White
    Cybersecurity professor, President of Secure Technology, and Security Weekly network host.
Announcements

    • Register for our upcoming webcast with ServiceNow by going to https://securityweekly.com/webcasts. If you have missed any of our previously recorded webcasts, you can find them at https://securityweekly.com/ondemand.

    • You can now submit your suggestions for guests in our recently released guest suggestion form! Go to https://securityweekly.com/guests and enter your suggestions!

    • We've heard from our listeners that they love our content, but the amount of content we distribute can sometimes be overwhelming. We've recently released our customizable listener interest list. Visit https://securityweekly.com/subscribe and click the button to Join the Listener List and let us know your interests.

    • Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.

    Topic: What to do when the power is out?

    • So, you basically rely pretty heavily on the internet. I mean, companies all the time have things like: "Internet down, go to our website...". So, there are two things that relate to you here:
    1. Security when your hair's on fire, and
    2. What do you really need?
    • When things are bad, you aren't going to be able to do anything about it so you really need to develop a plan now, if you don't want to be doomed at the end of the world.

    The reason that police and military people train all the time is because when things really start to fall apart, you need a muscle memory kind of response and also you need to understand what you really need.

    What data do you have that you really need to do most everything?

    I think my first one is maps. One of the things I rely on so much is maps either from Google Maps or Waze. If you are travelling especially, you really need to document (outside of your equipment) where you are and how to get from place to place. This has gotten way crazy in the last few years because now, we just say "hey sheila, where is the airport?" I noticed in Russia and in France recently, I didn't even know the address of the hotel. It was in Google Maps. So, in Russia, I did an old thing I used to ALWAYS do when travelling, get their card from the desk and put one in my backpack and left one in my wallet. But, I used to always buy maps of where I was going and get some idea where I needed to be before I even left home so I could find my way if I needed it.

    So, in this category, I think you should document escape routes. I don't mean the kind of survivalist stuff you see, just how do you get where you need to be in an emergency? I figure it's just a matter of time till GPS gets hacked or your cell towers are down and you are trying to figure how to evacuate so you might seriously want to get a map and put it in your domicile.

    A second one is data. Is there data you need all the time? More and more everything relies on an internet connection just to start. Office 365 will still run (if you installed it locally) but if your files are on a cloud drive, they are not going to be accessible. So, you may want to audit yourself or your business and identify remote vs. local things and see what you really have to have. Those pictures of your grandparents' anniversary may be valuable but you probably don't need them just to get by but if you have critical information (like prescriptions, passwords, account numbers, pins, I don't know) stored in the cloud, what if you can't get to the cloud? I can't tell you what these things are, but I can tell you that it's going to be bad if you can't get to them for days.

    My password idea is old but the idea is called a red card (I named it in 1986) and it means that you really should have a place where you can safely store key information (include the usernames) like a firesafe or something. It shouldn't be something you can get to easily but it should be reachable quickly. It's also a good idea to make photocopies of your passport and DL and put them in there too. Do you know your blood type? It's on your phone? Sorry, those are all out of service.

    - Try and think like a security professional about a disaster or just a long power outage with no internet and think about what you really need to survive in terms of data access. I noticed today that to report an outage, I had to have my account number and login information.

    - Then there is security when your hair is on fire. Can you even get into your domicile? A web lock won't work if your internet is down or your phone battery has died. How do you get in? Can you get out?

    - What about your equipment? Has it ever rebooted? When it did, did it fail open or fail closed? If so, well, you should know that.

    - One of the stories I always tell my classes is about a rack in a mid-size business (call it 50,000 customers). Now, they had this problem: In Cisco, the running confs and saved confs are not the same unless you sync them manually. Likewise, you don't have to login to consoles unless they are logged out. So, this enterprise had not turned anything off in years. I mean years. They had a backup generator etc. so it just never came up. One day, a worker was inspecting something in the server room and tripped over the power cord, yes it wasn't safety approved and it didn't lock. This pulled the main power plug for the whole rack. All the servers went down as did the console and the Cisco stuff. When they powered it back up, years of conf changes were gone, but that was the smallest problem:

    1. The Cisco devices reverted to old passwords that no one knew because they had changed them only in the running confs (yes, I know I bypassed using the console).
    2. They didn't know what the console password was since no one had ever done that in years. They couldn't get into the console at all so we had to use a monitor, keyboard (no, wait, that server didn't use a USB keyboard and they didn't have a PS/2 keyboard. I had to order one).
    3. Some of their servers' admin passwords were unknown since they left them logged in on the console.
    • One of the things I would note is that we ended up air gapping the routers because we didn't know what was now open since the firewall reverted to some old conf. No idea what rules were in place and so, for all I knew, telnet was open or who knows what. Certainly, no one there knew.

    This little event cost them a lot of money (and bought me a new car).
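The running-versus-saved drift in this story can be detected before the power ever drops. The following Python script is an added example, not part of the original show notes: it assumes both configurations have been exported as text (for example from `show running-config` and `show startup-config`), and the sample configs, hostname, placeholder hashes and function names are constructed for illustration.

```python
import re

# Constructed sample configs (not from the show notes). STARTUP is what a
# device loads after power loss; RUNNING is what is live right now.
STARTUP = """\
hostname edge-fw
enable secret 5 <OLD-HASH-PLACEHOLDER>
username admin privilege 15 secret 5 <OLD-HASH-PLACEHOLDER>
access-list 101 permit tcp any any eq 23
line vty 0 4
 transport input telnet
"""
RUNNING = """\
hostname edge-fw
enable secret 5 <NEW-HASH-PLACEHOLDER>
username netops privilege 15 secret 5 <NEW-HASH-PLACEHOLDER>
access-list 101 deny tcp any any eq 23
access-list 101 permit tcp any any eq 22
line vty 0 4
 transport input ssh
"""

# Lines that decide who can log in or what traffic is allowed.
SENSITIVE = re.compile(
    r"^(enable (secret|password)|username |access-list |permit |deny |"
    r"transport input|password |login)")

def parse(text):
    """Return {(parent_section, line)} so indented lines keep their context."""
    entries, parent = set(), ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # skip blanks and IOS comment/separator lines
        if line[0].isspace():
            entries.add((parent, line.strip()))
        else:
            parent = line
            entries.add(("", line))
    return entries

def drift(running, startup):
    """Security-relevant differences between the live and saved configs."""
    run, saved = parse(running), parse(startup)
    keep = lambda s: sorted(e for e in s if SENSITIVE.match(e[1]))
    return {"lost_on_reboot": keep(run - saved),       # live only
            "returns_on_reboot": keep(saved - run)}    # saved only

if __name__ == "__main__":
    for kind, entries in drift(RUNNING, STARTUP).items():
        for parent, line in entries:
            print(f"{kind}: {parent + ' / ' if parent else ''}{line}")
```

Any entry under `returns_on_reboot` is a credential or rule that comes back after a power loss; saving the configuration with `copy running-config startup-config` after each approved change keeps both lists empty.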

    • So, again, you need to think about these kinds of security issues. You really need to think about what devices you have and what they will do when they lose power and restore. Once you think you have a handle on it, you may want to run a test and actually power down (or at least simulate it). Can you still login to your refrigerator?
    • The other thing I would suggest is to keep a list of default passwords for your devices. You won't be able to locate that user manual in the dark (if your cats haven't eaten it) and you won't be able to jump online to look it up. So, even if you push that dreaded reset button, you still may not be able to get in.
    • I would really encourage you to check this for doors or alarm systems that rely on your phone. I see those a lot now and if your garage doors and front doors only unlock from your phone, what's the backup plan? My friend came home and the power was out. He didn't have a key since he uses his phone to open the door or the garage door opener to open the garage. None is working since the internet is down and the power is out. Well, that's why they have hotels.
    • Lastly, what about backups? I have seen businesses using cloud backup. What if your power is down and your data is wrecked? Do you have a password to get in from some strange system? (like we all use password vaults now). Password vaulting is great but those elaborate passwords you use may not be available if the building is flooded and you have to set up at a hot/warm/cold (explain) site.
    • Another simple one: Do you actually know a phone number? Or is it just in your contacts and you say "hey sheila, dial Katie." Hmmmm. Is your contact list local or is it stored in the cloud? Might want to write some of those down with your red cards.
    • So, I guess the point is: You need to think about this and develop a plan. You probably should test the plan to see if it actually works or if, worse, you are making assumptions or have forgotten something important like your wifi password or that your front door won't unlock without an internet connection (note most of those have keys but do you have a key somewhere? do you know where it is?)
    • I realize we all talk about this stuff and every agency on earth recommends planning for disaster, but actually taking the time to make a plan, practice the plan, and ensure the plan will work is another whole matter. Everyone should have a bug out bag but you may want to have a bug out bag for your digital equipment as well. Just sayin'.