SDL Episode94

From Paul's Security Weekly

Recorded on January 8, 2018 at G-Unit Studios in Rhode Island!

Hosts

  • Russell Beauchemin
    Cybersecurity & Network Security Program Advisor and Director of Instructional Support & Learning Innovation at Roger Williams University.
  • Doug White
    Cybersecurity professor, President of Secure Technology, and Security Weekly network host.
Announcements

    • RSA Conference 2019 is the place to be for the latest in cybersecurity data, innovation and thought leadership. From March 4 – 8, San Francisco will come alive with cybersecurity’s brightest minds as they gather together to discuss the industry’s newest developments. Go to rsaconference.com/securityweekly-us19 to register now using the discount code 5U9SWFD to receive $100 off a full conference pass!
    • If you are interested in quality over quantity and having meaningful conversations instead of just a badge scan, join us April 1-3, at Disney's Contemporary Resort for InfoSec World 2019 where you can connect and network with like-minded individuals in search of actionable information. Use the registration code OS19-SECWEEK for 15% off the Main Conference or World Pass.
    • Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.

Topic: New Year's Resolutions

    So, Security resolutions for us:

    1. Use a VPN. We have done shows about this and I still hear people asking "should I use a VPN on my phone/laptop?" Seriously, it's time to bite the bullet (which sounds just awful) and get a VPN. They're cheap and they work to prevent your data from being grabbed on open wifi (or even secure wifi). And just a shout out to all those CISO types who thought blocking the use of VPNs on their networks was a good idea: NO, it's not. Allow people to use VPNs (you know who you are). I have no idea who thought it was a good idea to block outbound VPN connections, but some people do that, so listen, that is a BAD thing. I realize it nibbles away at your ability to act as total overlord and master of your pathetic users, but get with the program: you want them using a VPN, and you should provide one, seriously. We are really getting tired of saying this! And for all of you consumers out there, whether or not your employer/IT department provides one, buy a subscription to one yourself. Make sure you look for multiple-licenses-for-one-low-price so you can protect all your devices with one subscription, a kill switch so that if your VPN can't connect you can't get online "accidentally", and multiple servers internationally in the event you travel (or don't, and want it to seem like you do)!
    2. Use 2FA. Use 2FA. Swear it. On a stack of punch cards, repeat after me: "I, your name here, do solemnly swear that I will use 2FA wherever it is possible to do so, and I will use different passwords and usernames on all my sites so that even the non-2FA ones will not matter so much, so help me Grace Hopper." Look, you need this. There are people who have your password, you know, that one you use all the time because you thought no one could (loong-AH poov in Klingon) ever figure out your clever scheme. Well, they didn't have to, because, you know, Marriott and all those others who lost your data, well, lost your data. So look, you need this. I am telling you right here and now, swear it. If you don't believe us, just Google the following: "Password lists for sale"!
    3. Get more paranoid. I hate to say it, but the phishers are getting better and more sophisticated. It used to be that a guy in broken English who said his name was Bobby would call and tell you to give up your mother's maiden name (and by the way, don't ever use your mother's maiden name), and you said "Bite Me" with great aplomb. Today, they use every dirty trick in the book and combine that with dark web info, clever clickbait and so forth. Look, these guys are working night and day to take you, and they realized pretty quickly that they could get real people named Bobby to call, they could use robots named Majel with sexy voices, and they could probably even use emails with the name of your boss/teacher/friend/child embedded in them and get you to click. My favorite one of last year was from the "president" of my university and told me that the board of trustees had passed a new rule about the public behavior of faculty, and that things like tattoos, bad language, public intoxication and urination, all those things we hold so dear, were going to be disallowed, even when not on campus. Now, I was laughing and thinking this ought to be the most amusing firestorm of the year, what a bunch of maroons, and was about to click when I said, wait a minute... You have to get more paranoid if you are going to avoid getting spear phished. As these attacks got more sophisticated in 2018, the attackers also realized that trust relationships could be exploited and that even small phish were valuable, so dump the "can't happen to me since I am just a student/parent/unemployed trapezoidal dancing expert/alcohol abuser/teacher/non-C-level/etc." and get more paranoid. Like a LOT more paranoid. The other day, my daughter came home and said "can I borrow your keys for a minute?" Well, when the pepper spray wore off, I realized it wasn't a rubber mask and maybe I shouldn't watch Mission Impossible (the old ones) anymore, but the idea was sound.
And speaking of paranoia, you can start checking (monthly if not more frequently) if you've been compromised in one of the thousands of daily data breaches that occur by looking up your email addresses at Have I Been Pwned (https://haveibeenpwned.com/). This should be a catalyst to kickstart your (hopefully) nascent data defense diligence.
    4. Get a plan. There are three plans you need as a user. 1) Get a plan for backing up your data beyond the reach of ransomware/phishing. How are you going to recover when you lose a hard drive, get ransomwared, get malwared/erased, or something else happens (like, say, a fire/cat urine incident)? Seriously, these happen all the time. It's time to stop saying "It can't happen to me. My cat is well behaved." 2) Get a plan for your password management. You need a multi-tiered approach so that your financial data is safe (that means strong, 2FA, vaulted, and never reused) as well as your Gmail account. Don't use the same passwords everywhere, use strong passwords, use 2FA, all that. Assume (I know it makes an ass of u and me, but I don't care) your password will be guessed or compromised. It's a safe assumption. 3) Get a plan for when you get phished or compromised. What are you going to do? What are you going to do first? Look, when you don't have a plan, there will always be a period of time when you just have to run in circles screaming before you realize there is a fire extinguisher right there. Get a plan.
    5. Get a framework, but don't just tick boxes. On the Xmas show, I was trying to say this but it got lost in all that rye that Jeff brought and just kind of came out as "bbebaalraefha, yeah." NIST, COBIT, et al. all have great frameworks that provide a baseline guide to what you should be doing. The danger I was trying to express was that all too often we jump into the framework pool with no idea of what should be done and how it should be done, and instead spend our time trying to check as many boxes as possible. Read the framework, evaluate it, and then decide how it should be implemented and tested (and yes, if you don't test it, you just wasted a lot of time and money). Then the framework can be your friend and guide, but it can't be your leader; it has to be your mentor. Those are different things. Decide what works best for you and your organization, but stop and think about it too.
    6. Get IoT under control. We all love gadgets, I want them all. Russ has them all and Paul has all the other ones that Russ didn't get because they were banned. The problem is, we are just starting to realize that these things have access to our networks, file shares, etc., and they phone home. Where is home? Well, that's a good question. You don't know and I don't know unless we start analyzing these things and figuring out how to keep them under control. Lots of them won't even work if they can't talk to home base. So, what's a mother to do? Well, good question. Again, you need a plan, and you need to test these things, even at home. Just the other day I was thinking, what's that Hue bulb up to? Is it flickering in binary and talking to the drone hovering outside my window, which is communicating with my refrigerator to remind it to berate me for getting the wrong salad dressing, while my toaster likes its comment on my Facebook feed and joins in on the hate? Don't worry, I had my attack drone swarm take them both out in retaliation. But look, IoT is going to continue to dominate our lives going forward and everyone (not just "us") is going to come out to play. That means your IoT may be interacting with your neighbor's microwave, and that's how you get mutant ants. Watch out.
    7. Get Containers under control. If you aren't already using containers, you will be. (I promise, I will do a show about containers soon). Containers are going to be the next common thing and they are often black boxes that talk both home and away. Did you build it? Ok, but I bet you are going to use container instances built by others if you aren't already. When that starts happening, what's inside that glowing sphere? You probably won't have Dixie Flatline to advise you, and well, good luck. Get a handle on these things before you get mutant ants.
    8. Watch more podcasts and develop trusted sources. I know, I know, the podcaster is telling me to watch more podcasts. Well, I am. We all need to develop our ability to keep up. We rely too heavily on things like Facebook to tell us what is going on and need trusted sources (like the radar page, et al.). But you have to decide what you trust and what works for you. When I was a kid, my Dad and the Rubbles next door got a morning and an evening paper. He read it religiously, cover to cover, in the morning and at night. You need to get used to doing that. Every day there are incidents, big and small; you need to be aware of them and put them in your head. It's hard to do, but you need to be doing it regardless of where you sit on the org chart. I asked a high-level executive a question about Spectre and Meltdown recently and he had no idea what they were. Seriously? I called his bluff and he said "well, you can't keep up with everything." I wanted to toss a rabid octopus in his face, but oh well...
    9. Learn something new. Just take the time. You don't have to invest 10,000 hours and become an expert, but add something to your backpack this year. A new programming language, learn to use that firewall you bought, learn how to properly configure your router, learn to use Wireshark, learn how to perform regular security audits on your home/SOHO network, I don't know. Pick something and learn it. Don't just sit there watching the weather change, or you will have a really bad experience when they downsize/rightsize/equalize or whatever they call it when they fire a lot of people. Every tech thing you know is a plus and adds to your overall abilities and understanding. Want to be a better security professional? (I can't do Yoda, sorry.) Then a better security professional you should be.
    10. Check your trust. What do you trust? Do you even know? How many connections are there to your network/hardware in both directions? How many? Is that vendor that puts the prawn and mayo sandwiches in the Lucas Electronics machine connected to your database server? How do you assess that? Did you just install an app on your phone that puts a cat picture on your background every day? Did you add that app that allows you to make sure your farm animals don't die of rabies in Farm World 2019, the refarmining? Yeah, you didn't.
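Items 2, 3 and 4 above all come back to the same assumption: your password is already in somebody's list, and Have I Been Pwned is one place to find out. The show only mentions the email-address lookup; the same service also exposes its Pwned Passwords corpus through a k-anonymity "range" endpoint, so you can check a password without ever sending it (or its full hash) anywhere. The script below is an added example written for these notes, not code from the show or from the HIBP project. The endpoint URL and the `SUFFIX:COUNT` response format are the real ones; the `SAMPLE_RANGE` response body, the count of 3, and the `fetch` hook are constructed so the check runs offline.

```python
import hashlib
import urllib.request

# Pwned Passwords k-anonymity endpoint: you send only the first 5 hex chars
# of the SHA-1 and get back every suffix in that bucket with a breach count.
RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for a range response (a real one holds hundreds of
# "SUFFIX:COUNT" lines). The second suffix is the genuine SHA-1 tail of the
# string "password"; the count of 3 and the other two lines are made up.
SAMPLE_RANGE = """\
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3
1E2AAA439F7C4BBD65C65742A4B8D0F2F4E:1
"""


def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password and split it into the 5-char prefix that goes to
    the API and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Look for our suffix in a bucket; 0 means it is not in the corpus."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live fetch of one bucket (not exercised by the offline example)."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "sdl-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, fetch=fetch_range) -> int:
    """Return how many times the password appears in the breach corpus
    (per the fetched bucket); the password itself is never transmitted."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch(prefix))


if __name__ == "__main__":
    # Offline run against the constructed bucket; swap in fetch_range for a
    # real check of a password you are about to choose.
    seen = check_password("password", fetch=lambda prefix: SAMPLE_RANGE)
    print(f"'password' appears {seen} times in the constructed sample bucket")
```

The point of the prefix/suffix split is that the server learns only which of 16^5 buckets your hash falls in, which is useless for guessing the password, while you still get an exact answer. Any non-zero count is a password to retire from the vault, which is what item 4's "never reused" tier is about.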
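Items 6 and 10 ask the same question from two sides: where do your gadgets phone home, and how many connections cross your network boundary in each direction? The quickest way to answer it at home is to log flows at the router and compare what each device actually talks to against what you expected when you set it up. The script below is an added example for these notes, not something from the show or any vendor; the device inventory, the expected "home" addresses, and the flow records are all constructed, and the two documentation ranges (198.51.100.0/24, 203.0.113.0/24) stand in for public Internet addresses.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory of the home LAN (assumption: a flat /24).
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
DEVICES = {
    "192.168.1.20": "hue-bridge",
    "192.168.1.31": "smart-fridge",
    "192.168.1.42": "laptop",
}

# Where each gadget is *expected* to phone home (assumed values; in practice
# you fill this from the vendor's documentation or your first capture).
# General-purpose machines like the laptop are left out and not allowlisted.
EXPECTED_HOME = {
    "hue-bridge": {"203.0.113.10"},
    "smart-fridge": {"198.51.100.5"},
}

# Constructed flow records, one per line: time src dst dport bytes.
FLOWS = """\
2019-01-08T09:00:01 192.168.1.20 203.0.113.10 443 1200
2019-01-08T09:00:05 192.168.1.20 198.51.100.77 8883 640
2019-01-08T09:01:10 192.168.1.31 198.51.100.5 443 5100
2019-01-08T09:02:00 198.51.100.99 192.168.1.31 23 90
2019-01-08T09:03:30 192.168.1.42 203.0.113.50 443 20000
2019-01-08T09:04:00 192.168.1.31 192.168.1.42 445 300
"""


def parse_flows(text):
    """Turn the whitespace-separated flow log into dicts; skip blanks/comments."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        records.append({"ts": ts, "src": src, "dst": dst,
                        "dport": int(dport), "bytes": int(nbytes)})
    return records


def is_local(ip):
    # Explicit membership test rather than ipaddress.is_private, because the
    # documentation ranges used as sample "Internet" hosts count as private.
    return ipaddress.ip_address(ip) in LOCAL_NET


def classify(flows, devices=DEVICES, expected=EXPECTED_HOME):
    """Per device: outbound bytes per Internet host, hosts outside its
    allowlist, inbound connections from the Internet, and LAN-internal peers."""
    report = {name: {"outbound": defaultdict(int), "unexpected": set(),
                     "inbound_external": [], "lateral": []}
              for name in devices.values()}
    for f in flows:
        src_dev, dst_dev = devices.get(f["src"]), devices.get(f["dst"])
        if src_dev and not is_local(f["dst"]):
            report[src_dev]["outbound"][f["dst"]] += f["bytes"]
            if src_dev in expected and f["dst"] not in expected[src_dev]:
                report[src_dev]["unexpected"].add(f["dst"])
        elif dst_dev and not is_local(f["src"]):
            report[dst_dev]["inbound_external"].append((f["src"], f["dport"]))
        elif src_dev and dst_dev:
            report[src_dev]["lateral"].append((dst_dev, f["dport"]))
    return report


def findings(report):
    """Flatten the report into one line per thing worth a second look."""
    out = []
    for name, r in report.items():
        for dst in sorted(r["unexpected"]):
            out.append(f"{name}: talks to unlisted host {dst} "
                       f"({r['outbound'][dst]} bytes)")
        for src, port in r["inbound_external"]:
            out.append(f"{name}: accepted a connection from Internet host "
                       f"{src} on port {port}")
        for peer, port in r["lateral"]:
            out.append(f"{name}: connected to {peer} on port {port} inside the LAN")
    return out


if __name__ == "__main__":
    for line in findings(classify(parse_flows(FLOWS))):
        print(line)
```

On the constructed data the report surfaces three things: the Hue bridge reaching a second host nobody listed, the fridge accepting an inbound connection from the Internet on port 23, and the fridge opening a connection to the laptop on 445. Each is exactly the kind of "where is home?" and "how many connections in both directions?" answer the list is asking for, and each is a candidate for a firewall rule or a separate IoT VLAN rather than a guess.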



    I could go on. Really. This is a (long) list. All in all, you need to start thinking about these things and more. I guess if I had to sum it up, it mostly boils down to "get organized, get paranoid, and buy more rabid octopi". Thanks for joining us as we begin our third year of visiting with you once a week. This year will have more conferences, more fun, and hopefully, improvements in security. Happy New Year.