Context Security

Archive for December, 2008

2009 Trends in Network Security

by seth on Dec.17, 2008, under SANS, SANS Teaching, Security

Just received an email pitching the Community SANS SEC560 course that I will be teaching in February 2009.  Glad I opened and read it, as I was informed that I will be giving a one hour webcast on 2009 Trends in Network Security.  Good to know ;)

Here are the details:

SANS would like to give you a free sample of the training you will receive from the Community SANS Atlanta event.  On Wednesday, January 14, we will host a free one hour webcast delivered by Community SANS instructor Seth Misenar entitled “2009 Trends in Network Security”.  To register for this free webcast, please email community@sans.org and we will provide you with the registration details.

As always, please feel free to use my discount code, COINS-SM, for up to an additional 15% off the cost of this or any Community SANS class.


Google Sponsored…Malware

by seth on Dec.16, 2008, under Security

The folks at Websense Security Labs have found some malware that is leveraging users’ trust in Google to undermine them.  Specifically, Google’s “Sponsored Links”, where folks pay Google for advertising their link at the top for specific search terms.  In Google We Trust…?

A thorough walkthrough can be found at the link below:

http://securitylabs.websense.com/content/Blogs/3264.aspx


SANS OnDemand Newsletter Volume 1, Number 1

by seth on Dec.15, 2008, under SANS

In my role as Technical Director for SANS OnDemand, I will now be providing a monthly “article” (or at least some security oriented content) to the new SANS OnDemand Newsletters…  The first Newsletter is below:

************************************************************************
SECURITY TIMES SPECIAL

As a thank you for receiving our SANS OnDemand Security Times
Newsletter, you may take an additional 5% off our listed current
specials through December 26.

For single courses, see http://www.sans.org/info/35939 for our current
offer. Use discount code “T1_add5” for a total of 30% off any OnDemand
course.

For groups or multiple courses, take an additional 5% off our lowest
listed pricing at http://www.sans.org/info/35944.

Check out our Free OnDemand Demos at http://www.sans.org/info/35949
************************************************************************
WHAT’S UPCOMING?

For courses currently being developed in OnDemand, take advantage of our
30% Development Discount.  For a full list of upcoming courses, go to
http://www.sans.org/info/35954
************************************************************************
EARN REWARDS POINTS

Receive one OnDemand Reward Point for every dollar that you spend for
SANS OnDemand training, including the OnDemand Bundle.  To begin
receiving reward points, visit http://www.sans.org/info/35959
************************************************************************
SECURITY TIP

Whether you are a small Mom & Pop shop or a multinational corporation,
your employees are almost certainly leveraging sites with user generated
content.  User generated content sites (e.g. Myspace, Youtube, Facebook,
Craigslist, Blogger, and Flickr) are routinely in the top 20 most
visited websites.

From a numbers perspective, it goes without saying that your
employees/colleagues/superiors, and likely you, are users of these
popular sites.  Although the most obvious risk posed by employee usage
of these sites is productivity loss [1], perhaps the more serious risk
is posed by the break-neck speed with which these sites are allowing
active user generated content and applications to flourish [2][3].
Therein lies part of the appeal, but so too, some of the risks. In order
for these sites to be useful, users configure their browsers to allow
this content to run virtually unfettered.  However, the risk posed by
active content isn’t the point of this article either [4]…

A somewhat less discussed “feature” of sites containing user generated
content is the significant information disclosure posed by users from
your organization.  Imagine, if you will, that you were being targeted
by an attacker.  Of course, _you_ aren’t being targeted, but just bear
with me… Perhaps you have really done a bang up job hardening your
perimeter, patching systems, etc., such that you feel relatively secure
in your overall security program and architecture.  If an attacker could
find a trusted insider that was willing to disclose details regarding
the products, programming languages, patch levels, etc., in use at your
organization, could it subvert some of those feelings of security?  In
effect, social networking sites are a veritable treasure trove for
attackers wishing to gain this type of intelligence.  What’s more,
sometimes they are able to gain this information without engaging in
even the most rudimentary of social engineering attacks.  For instance,
users with profiles on LinkedIn frequently list their resume, including
both specialties and employers, for the world to see.  This and other
information is like gold to an attacker. This type of information,
coupled with attackers armed with information mining tools like Maltego
(i.e., Rapleaf and Spock transforms) can really lower the bar for a
successful targeted attack [5].

Now that the little thought experiment is over, let’s think about the
primary assumption – you are being targeted by an attacker.  Some of you
fully accept this as a given, but most of you likely dismiss this
without much thought (we are too small, no one has heard of us, why
would anyone come after us).  Well, consider that restaurants in West
Monroe, LA (pop. 12,951)[6] were part of a group of restaurants in
Mississippi and Louisiana targeted by a ring of thieves harvesting
credit card numbers [7].  If something as innocuous as a family owned
diner can be targeted for an attack, then certainly any organization can
become a likely target.

The risks associated with websites, in general, and social networking
sites, in particular, are discussed in several SANS courses available
via OnDemand (AUD507, MGT512, SEC401 and SEC502).  The social
engineering and reconnaissance exposure made possible by these sites is
explored in SEC560.

For more info on these courses, visit:
AUD507: Auditing Networks, Perimeters & Systems
(http://www.sans.org/link.php?id=1032&mid=6)
MGT512: SANS Security Leadership Essentials For Managers
(http://www.sans.org/link.php?id=1032&mid=62)
SEC401: SANS Security Essentials
(http://www.sans.org/link.php?id=1032&mid=61)
SEC502: Perimeter Protection In-Depth
(http://www.sans.org/link.php?id=1032&mid=17)
SEC560: Network Penetration Testing and Ethical Hacking
(http://www.sans.org/link.php?id=1032&mid=937)

Seth Misenar
SANS OnDemand Virtual Mentor

1: “Facebook ‘costs businesses dear’ ” -
http://news.bbc.co.uk/2/hi/technology/6989100.stm
2:  More than 33,000 Facebook applications -
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/07/23/BU7C11TAES.DTL
3:  More than 400,000 registered Facebook developers -
http://www.facebook.com/press/releases.php?p=48242
4: “Elaborate Facebook Worm Spreading” -
http://www.techcrunch.com/2008/08/07/elaborate–facebook-worm-virus-spreading/
5: “Maltego Part I – Intro and Personal Recon” -
http://www.ethicalhacker.net/content/view/202/24/
6: U.S. Census Bureau, 2007 Population Estimates -
http://factfinder.census.gov
7: “Attacks Continue on Retail Stores, Restaurants” -
http://www.darkreading.com/security/perimeter/showArticle.jhtml?articleID=211201193


Information Security Job Hacking

by seth on Dec.15, 2008, under SANS

This is content that I previously posted to the GIAC Alumni mailing list.  This was written in response to a request from someone who had recently earned the GCIH credential and was interested in information on how to score an infosec job…

****************************************************************
You’ve already gotten some great advice that I agree with wholeheartedly.

Also, with the GCIH, I think you have learned a very effective attack
methodology that is overtly applicable to job searching.

“If you know neither your future employer nor yourself, you will surely never get a jobby-job” – Sun Tzu  (or some variation upon that theme).

Joking aside, I very much think that the attack methodology is applicable…
For those that chose another GIAC cert or GCIHers that are rusty on the
Attack Methodology, the phases, and how they apply to job seekers, are:

Reconnaissance – This phase is the steady state for the job seeker until an
attack/search is successful (and if you are young then this seems to be your
steady state regardless).  Here you are looking for possible targets, which,
upon finding, you will perform more detailed recon.

Scanning – this is where you craft your packets (read:resume) based on the
recon above and fire them at the target organizations.  You also might try
to glean further information in a more active manner; port scan some target
individuals (employees of the target org) to determine possible weaknesses.
If offered an interview, the recon and scanning become more focused on
actionable intelligence with which to convince the org that you, in fact,
are the droid they are looking for.

Exploitation – This phase of the attack is where you leverage all of the
intelligence and weaknesses gathered in the recon and scanning phases and
try to successfully score the job.  The information warfare concept of
perception management (see gnothi sauton/nosce te ipsum/know thyself for
additional information) should be well understood to be successful in this
phase.  You know what they want/need because of the previous two phases, now you have to convince them of your being the only rational choice.

Keeping Access – Congratulations! Your attack was successful and you have landed a position.  Now you must determine a means to ensure you maintain said position.  In particular, you might look to perform a privilege
escalation attack.

Covering Tracks - I should like to think that this one isn’t as directly
applicable to job seeking behavior, but I suppose it depends upon the
lengths that you went to in order to score the position.

<shameless plug>I will be teaching these phases in detail at Community SANS Tucson in December.  See my sig for a 15% discount code on this and other Community SANS events</shameless plug>

gnothi sauton/nosce te ipsum/know thyself

In addition to the emphasis on the target organization, you also need to
think about yourself. We generally are pretty aware of our strengths, so I
recommend you think of yourself from the vantage point of someone who is
attempting to sabotage your attempts to land the job at the target
organization.  There very well might be someone within the organization that
is threatened by your presence and will do what they can to keep you from
being hired; I’ve seen it at work both consciously and otherwise too many
times.  Even if there isn’t an evil insider (we’ll call them, incident
handler to keep with the analogy) trying to thwart your successful
compromise of the target, you will have made yourself a better attacker
(candidate) for having thought of her (be she existent or a figment of your
own paranoid imagination ;)

Although I think the mindset/framework above is the most important aspect of a successful job search, here are some detailed tips sans the analogy/reference model…

Security Recruiters
Although I have never used any of these organizations, you might want to
consider an Information Security focused recruiter like the following:
http://www.altaassociates.com/ (current public searches:
http://www.altaassociates.com/pb_html/pb12112007144032.php)

http://www.securityrecruiter.com/ (current public searches:
http://www.securityrecruiter.com/job_openings.php)
http://www.ljkushner.com/

SecurityFocus Jobs
Also, if you haven’t already, I would check out SecurityFocus Jobs
http://www.securityfocus.com/jobs (current postings:
http://www.securityfocus.com/jobs/opportunities).  I find the signal-to-noise ratio to be much higher here than in standard job sites.

LinkedIn Toolbar
(Caveat emptor: the LI toolbar previously had a well publicized remote code
execution exploit, http://www.securiteam.com/exploits5QP0L15M0Q.html, so, as with any software, YMMV).

Regarding LinkedIn, which a previous response already mentioned, one
compelling/clever add-on component for the job seeker is the JobsInsider
portion of the LinkedIn toolbar.  The basic premise of the JobsInsider part of
the LI toolbar is that it can tell you how you are connected (via LI
connections) to a hiring company as you browse postings on major job sites
(monster, careerbuilder, dice, simplyhired, etc.).  If nothing else, it is
interesting to see how many licks it takes to get to the center of a given
company’s Tootsie Pop…  (For you Pen Testers out there, I think this is an
interesting adjuvant to the reconnaissance phase that can be later used for
social engineering pay dirt (depending on your rules of engagement, of
course)).  If you end up applying for the job this can help in myriad ways
(use your imagination and/or review the “Research Your Target” section of the
blog Rick W. posted earlier: http://it.toolbox.com/blogssecuritymonkey/get-hired-in-security-today-12526).

LI Toolbar JobsInsider info here:
http://www.linkedin.com/static?key=jobsinsider_download

Hope this helps.

Seth
———————————————-
15% discount – SANS Alumni can use the following code for a 15% discount on
these or any Community SANS Event: COINS-SM
10% discount – Anyone else can use the following code for a 10% discount on
these or any Community SANS Event: COINS-SM

Upcoming classes I will be teaching:
SEC542: Web App Pen Testing (Memphis 10/20-10/23) -
http://www.sans.org/training/description.php?tid=1722
SEC401: Security Essentials (@Home) -
http://www.sans.org/athome/details.php?nid=14379
SEC504: Hacker Techniques, Exploits & Incident Handling (Tucson 12/8-12/13) -
http://www.sans.org/training/description.php?tid=1442
———————————————-


SANS Phoenix 2009

by seth on Dec.15, 2008, under SANS, SANS Teaching

Seth Misenar will be teaching SANS 401: Security Essentials and 538: Web App Pen Testing Immersion at SANS Phoenix 2009.

SEC401: Security Essentials
3/23/2009-3/28/2009

SEC538: Web Application Pen Testing Immersion
3/29/2008-3/30/2009


SANS Calgary 2009

by seth on Dec.15, 2008, under SANS, SANS Teaching

Seth Misenar will be teaching SANS 401: Security Essentials at SANS Calgary 2009.

SEC401: Security Essentials
4/14/2009-4/19/2009


Community SANS Atlanta 2009

by seth on Dec.15, 2008, under SANS, SANS Teaching

Seth Misenar will be teaching SANS 560: Network Penetration Testing and Ethical Hacking at Community SANS Atlanta 2009.

SEC560: Network Penetration Testing and Ethical Hacking
2/2/2009-2/7/2009

Discount Code:
COINS-SM
15% discount for SANS Alumni
10% discount for anyone


Community SANS Ft. Lauderdale 2009

by seth on Dec.15, 2008, under SANS, SANS Teaching

Seth Misenar will be teaching SANS 504 at Community SANS Ft. Lauderdale 2009.

SEC504: Hacker Techniques, Exploits & Incident Handling
1/19/2009-1/24/2009

Discount Code:
COINS-SM
15% discount for SANS Alumni
10% discount for anyone


SANS Secure Europe 2009 – Amsterdam

by seth on Dec.15, 2008, under SANS, SANS Teaching

Seth Misenar will be teaching SANS 542: Web Application Penetration Testing at SANS Secure Europe 2009 – Amsterdam

SEC542: Web Application Penetration Testing
5/11/2009-5/16/2009


Community SANS Discount Code

by seth on Dec.15, 2008, under SANS

I plan to add a widget that includes the upcoming conferences I am scheduled to teach as well as my discount code… However, until then I thought it would be good to go ahead and post my SANS discount code.

COINS-SM

15% off all Community SANS classes for SANS Alumni
10% off all Community SANS classes for anyone else

As always, the current list of Community SANS classes is available here:

http://www.sans.org/community_sans/

