September 20, 2023 • 29 mins
Talking about old vulnerabilities coming back to haunt and Incident Response planning and tabletop exercises.

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:01):
You're listening to Dave the IT Guy, coming to you from an undisclosed location. Do not be afraid. Dave is here to help with all of your security and hacking questions and news. We own them now and we are in control. Sit back, turn it up, and let's get started from three, two, one, one. Right. I am Dave the IT Guy, and you

(00:27):
are listening to Bring Your Own Security Radio. Hey, today is a new day. First of all, a new season. We took some time off. I took some time off to just refresh, decide if the IT security field

(00:49):
really needs me to do a podcast. What I realized is that I need to do it for me to feel better, for me to put out the information that I think is important, and so I hope you feel the same way on an episode to episode basis. If you don't, feel free to

(01:11):
hit me up on X, formerly Twitter of course, at BYOS Radio. Let me know, let me know content or topics that you would like, and let me know what you didn't like. I'm okay with that too. I've got a thick skin. So today, coming back into this, I want

(01:33):
to talk about what's old is new again, and what I mean by that is, I want to talk about how old vulnerabilities are coming back to haunt us on a day to day basis now. And I've got a couple other topics that I'll bring up as this thirty minutes goes through, and by the way,

(01:53):
on an ongoing basis, I'm gonna try to keep these to little thirty minute bite sized podcasts. I may be one or two minutes short, or I may go one or two minutes over, but by and large, we're gonna spend thirty minutes every episode and talk about things that I think are important. So let's get into the initial topic for today, and that is

(02:19):
old vulnerabilities. Now, we all know that the average company goes through vulnerabilities. They say, oh, all these criticals and highs, we need to get those right now, and the informationals, lows and mediums, not so much, not that important. I mean, honestly, with the total number of vulnerabilities

(02:42):
out there today, what company, what security team has the willpower to go out and secure tens of thousands of vulnerabilities almost on a monthly basis? I mean, nobody really has that kind of bandwidth and throughput in their environment. You know, the cloud based stuff is an interesting topic too,

(03:08):
and we'll get to that, all right, because I've got some thoughts there too. But you know, let's talk about the old stuff. You know, there are older vulnerabilities, especially like with Cisco IOS, gosh, just about everything Microsoft of course, but even Linux flavors. You know,

(03:28):
people, researchers are finding vulnerabilities that existed years ago but nobody knew about them, and now they're getting released as, in some cases, zero days or at least proof of concepts, and they are, at the very least, they are problematic.

(03:51):
An example: Cisco ASAs have a vulnerability from two thousand and eight that was initially rated as like a four point something on the CVSS 2 scale. The CVSS 3 scale bumped it up a little bit to like five point

(04:12):
two or some other middle of the road nonsense. But what has happened is that a group of Russians was able to daisy chain this particular vulnerability. And I don't want to get into the specifics of the vuln and how they did it, because, for those that don't know how to do it or

(04:34):
don't know what the vulnerabilities are, I'd hate to give those hackers the idea of what to do. But suffice it to say that this particular group of hackers took a vulnerability from two thousand and eight that by and large wasn't even

(04:54):
touched across most ASAs because of its low severity level, or medium severity level, and daisy chained that with some scanning and some other efforts to basically take three vulnerabilities and put them in order to where they could do

(05:16):
one thing, basically scan and find you. They found you, and then they went through either a brute force or possibly a phishing campaign or some other method to get a set of passwords, and then they get logged in, and then they use this particular vulnerability to get started, get a foothold, and

(05:41):
then basically a VPN concentrator or an ASA firewall. If you get in and you have the right user's credentials, of course your lateral movement at that point is crazy open. And that's exactly what happened. So in the case of old vulnerabilities, you know, we need to take a step back and

(06:03):
we need to decide, you know, what vulnerabilities are truly, you know, necessary to go after. There are some, what's considered critical or high vulnerabilities identified by the vendors, that have no active exploitation. Now you're probably robbing Peter to

(06:25):
pay Paul. But if you know something's being actively exploited and you have it in your environment, why would you not fix that versus something not being actively exploited? Conversely, you know, you need to apply a little bit of threat intelligence, a little bit of common sense, you know, and that's

(06:47):
a subjective term, and you need to decide, you know, what's of value to you in your environment. Not everybody has the same needs or requirements as far as what should be first. It is going to vary based on your individual needs. There are tools that allow you to prioritize. There

(07:14):
are some tools that even take threat intelligence and combine the vulnerability information from the vendor. They combine known attacks, they combine known POCs, et cetera, and they put all that together to rescore a vulnerability. Now they are

(07:41):
lacking still, most of these tools at least are lacking, with the ability to stack on top of each other, to daisy chain on top of each other. So if anybody were to make that type of software where you could daisy chain an attack based on vulnerabilities and expose that through a risk reward system,

(08:05):
you'll make millions. So there's my idea to you for free. If you can develop some type of software that does that, man, you'll make millions. But I digress. So to step back, you know, I'll plug one. I got no skin in the game here, but

(08:28):
a company that I once worked for used RiskSense, which is now owned by Ivanti. So what RiskSense does is take all the known information that they can find. They correlate that data with, you know, Talos and

(08:50):
other Palo Alto and other organizations' threat intelligence. They combine it with their own internal research, they combine the CVSS scoring, and they say, okay, based on all of these factors, and based on the fact that our internal

(09:11):
researchers and hackers could do this with that information, we're going to rescore this as a whatever, up or down. That allows you to kind of take a real time look at your environment and decide, oh man, that medium or

(09:33):
low or even that informational that Cisco or Microsoft or whoever put out, and decide what to do for yourself with that information. And again, what I find important to my environment may not be the same for you. So that's where a tool like RiskSense comes in. There are some open source tools that do

(09:56):
that. There are other paid tools. RiskSense is not the cheapest, as I recall, but they certainly are a leader, and if you look at the Gartner quadrants, Magic Quadrants, et cetera, et cetera, they're certainly very highly ranked and very highly regarded in that way. So again, thanks for, thanks

(10:22):
for tolerating me on that topic. But I really just, I really feel like if you're not revisiting your old vulnerabilities, then you're opening yourself up for something new. And I also would want to state that if you developed a

(10:43):
vulnerability program three years ago and somebody reads it, says yep, puts their name on the log that says reviewed this day and this day, are they really reviewing it to today's standards, or are they just reviewing and saying, yep, that's what we still do, let's sign off on it, right? And when

(11:03):
it comes to a review of those kind of policies and procedures, SOPs, you really need to review them for current quantitative information and make sure that it's going to still do what you wanted to do. So there you go.

(11:24):
Old is new, and there we go when it comes to that piece. A second topic I wanted to bring up today was, now that you have your vulnerabilities scored and your risk and all that good stuff tied in with that, you probably have an incident response plan somewhere in your company. Least

(11:46):
I hope you do. My goodness, I hope you do. An IR plan is great when you write it up and you send an email out to everybody with your PDF and you say, okay, so and so, this is your job, this is your job, this is your job. And when you, maybe you do a disaster recovery test, maybe you test your

(12:09):
backups, right, but are you testing the plan? Are you using a tabletop exercise? Are you involving all of the groups of people that you need to involve? You know, are the legal people on the call with you during an incident response event? You know you need to have someone from legal

(12:31):
represented so that you can have that level of protection as a work product, legal coverage. You know, you need them to say they, they being you and your company, were talking to their lawyer at the time. You can't openly use this. You want your public communications people to be involved.

(12:58):
You need them to understand in terms what those words mean, how they fit into the IT security world, and how they fit into the world of your company. And you need to make sure that your executive leadership also understands all of those terms, because they're the ones ultimately that are on the hook,

(13:20):
you know, with a board of directors or with investors or whomever that happens to be. You know, if they get out there and say one thing but they meant something else and didn't know the difference, they could actually hurt you more than help you. So you want to keep that in mind. The who that's involved is important. Let's see, we talked about your

(13:41):
public information people. We talked about, you know, your social media people. When do they get involved? You know, when do you start posting that you have an outage or that you have some kind of issue? What words do you use? Are you going to have them put on their social media that, hey, we've been hacked, we're down,

(14:01):
or are they going to say something like, well, with the MGM, you know, we've had an IT event. You know, picking and choosing these words carefully up front and testing that process with those people will make sure that in the scrum of a high pressure, high urgency situation, those folks don't go,

(14:26):
you know, off script, so to speak. So you need to practice those terms. You need to make sure they understand what's going on, and they need to be involved, at least with a conference call or what we call a bridge call, or in person as the case might be, depending what happens. Of course, you want your IT people involved because if something got ransomed

(14:48):
or ransomware or something like that, they'd have to start rebuilding servers or rebuilding desktops or whatever the case might be. They might have to start recovering data, their data recovery, which is where you start testing DR. You know, they may have had a bad design and the ransomware trickled over into the backups and

(15:11):
now your backups are encrypted. Now what are you gonna do? You know, you need to test how long that's going to be to get that data back, your recovery time, and then you get recovery process right, and then a data point like, at what point in time did we recover from? Was it we took our last snapshot or backup at one o'clock yesterday, we

(15:35):
took it every two hours, so we're only losing two hours of data plus recovery time. You know, you need to understand all these, and everybody else needs to understand that. One of the worst things that you can do is not teach people these terms and what these terms mean. For example, you

(15:56):
are the server administrator and you are trying to rebuild eight virtual server VM boxes, and each one of those VM boxes hosts ten servers. Now you have to turn around and answer twenty phone calls, and possibly your phone's gonna be buzzing with email

(16:19):
coming through your phone through the cloud if it's not knocked down. But people saying, how much longer is this gonna take? You know, you've got a company of a thousand people. Even if fifty of them is asking you how much longer is this gonna take, that's time consumption that you don't have time for. You know, you need to get your work done. Who's gonna

(16:40):
run interference for you? What are they going to say? You know, so again there's a lot of different moving parts. And we haven't even talked about the security people yet. You know, what does your security team have the capability of doing? Do you have a one man show, or one person show, I'm sorry? Do you have a three person security team? Do you got twenty? How big is your team? Are they forensics

(17:04):
people? They can start digging into memory artifacts and other artifacts? Take network traffic sniffing, pcaps, and understand what happened and where it came from? You know, do you have a third party that you've prepaid for, and how do you get in touch with them? And if your servers are gonna be down, how are you going to get them the information? What if

(17:27):
you can't send an email? You certainly cannot fax a pcap file. So how are you going to get that? If desktops are down or if the network is down, you can't even log into like your Gmail or Yahoo account to send the data, because your computer is down, that network's

(17:48):
down. So all of these things need to be considered and all of the right people need to be brought in, involved. You know, if you think that some of this stuff is too preposterous, ask MGM. You know, they started off with an effective ten minute phone call to their help desk. That

(18:10):
help desk person gave out a password that that person should not have been giving out. The hackers used that password to get in, do some of their stuff, and then they start pivoting. And that's why you saw originally things like our credit card machines are down, our room key situation is offline, and

(18:32):
then later on their slot machines are offline, and then the ATMs are offline, and then the reservation computers offline, the websites go offline. You know, they can't do anything but take cash, anything that's electronic is toast. Now, they have Las Vegas. You know, they've got Biloxi, Mississippi.

(18:53):
MGM has servers, listen to me. They have casinos in Ohio, all over the place. Right, how did it take, how did it go from point A to point B to point C, et cetera, and spread? Some of it was pivoting. Some of it is shared services, which is a cloud, which I did promise we'll get to. And some

(19:17):
of it is just bad luck, you know, and poor design, poor architecture. But let's jump into that cloud based side. You know, how many people know that if you have AWS or Google, that when it comes to your devices, whatever you want to call them, you can call them your

(19:45):
web application firewalls, or WAFs, it can be your servers, it can be your VPCs, it could be whatever they are, right, you have your devices. Did you know that AWS, at least specifically, is only responsible for the actual WAF service to be up and running? They're not responsible

(20:07):
for any changes that you make, meaning any rules that you put in place. They're not gonna be responsible, unless you pay them to help you, for any kind of outage, downtime, unless it's their fault, you know, like, hey, the whole data center went offline for some crazy reason, then that's a

(20:29):
different story. That's up to them to fix that. Servers are a great example. So many people think, well, I've got Amazon AWS. You know, I've got a server. I don't need to patch it. I don't need to do anything. Not true at all. Amazon is not going to patch your servers, your operating system, your third party apps, or

(20:51):
even the application that you built to put on there. That's entirely up to you and your people to do that, and that gets missed so much. I don't know how many times I've consulted with a company and found that they hadn't done anything in the years since they've had AWS, or in some cases Google, because they didn't understand what cloud truly meant. So, you know, one

(21:15):
of those things to keep in mind is there's a lot to happen with an incident response plan. The plan looks great on paper: if this happens, I'm going to rebuild my servers, I'm going to recover my data. You know, my recovery time is going to take me four days. I'm

(21:37):
gonna lose four days of data plus two hours and I'll be good. But how do you recover? How do you get your data back? How do you put that information out in the meantime? How do you invoice your customers,

(21:59):
how do you service those customers? How do you stop from losing those customers? How do you convince them that their data is safe? And what if it's not safe? What if data got exfiltrated and then got encrypted away from you? Then what? You know, how much of that is going to

(22:21):
kill your business or put you out of business? Lots of things go involved, or are involved, with putting up an incident response plan. None of it, none of it is just a quick one pager. So if you've got people that just need a one pager, just explain it to them. I don't know

(22:44):
what to tell you. So that's a lot. I know, that's a lot of information. I'm only trying to keep this, like I said, to about thirty minutes. We're about twenty three minutes into this. Clearly, there's so much more about both of these topics that could be said that

(23:04):
I will, later, at a later episode, I will break it down even more in depth, especially the tabletop exercise, the in depth plan. I mean, I could speak for, you know, a couple of hours just on setting up a tabletop exercise, who to get involved, what it would

(23:26):
look like, what it would sound like, you know, the curveballs that you might get thrown in the middle of it. You know, all of a sudden, what if, oh, I got a great one for you. I had this happen to me. What if you're on the phone with a vendor and you're getting help because of an incident, and it's getting late in the day, and all of a sudden, you've got either your own people who

(23:49):
are wanting to go home, or you have people on the vendor side who say, okay, I'm gonna hand you off to so and so. At what point are you willing to accept letting that vendor hand you off, and then

(24:10):
that other person has to get up to speed with whatever's going on, especially on day one of an event. Now you've got to step back, kind of waste a little bit of time getting another person up to speed and hoping that they have the skill set to actually continue whatever path you've been on.

(24:33):
Same for your internal people. You know, are your people going to tell you it's time for me to go home? Are they unwilling to work overtime? Are they unwilling, salary people, to not stay more than maybe an hour or two extra? You know, there are a lot of different things from a personnel perspective, and even if you have to have somebody from every

(25:00):
group there, what if you do a tabletop exercise, or you distribute the PDF of your IR plan, and your public affairs, public information people send somebody down, and that person says, wow, I didn't realize incident response was this involved, and I'm sure glad I came to this today. And then

(25:26):
five months down the road that person is off work, gone, doesn't work there anymore, on vacation, whatever. And now somebody who's never been through this type of stuff has no idea what to do. How often do you retrain? How often do you set the task up to where, hey, so

(25:48):
and so, you've been taught this, it's up to you to go and pass your information, your knowledge that you learned in this tabletop exercise, to your next person. Do you just assume they're gonna do that, or is that a requirement? So again, more stuff to think about. That's about it. I'm,

(26:11):
I'm gonna cut you a break. I'm not gonna throw anything more at you on these topics. There's a lot, and there's so much more. Next time around, we're gonna talk about the value of going to an in person conference or a meetup versus a smaller event versus online events, and where

(26:33):
can you get your value? And I've got a lot, a lot to say about that. I've been to smaller regional events. I've been to Black Hat for, crap, more than a decade. I've been to DEF CON more than a decade. I've been to RSA a lot. I can't keep saying them all because, you know, BSides, different BSides events around the country. So there,

(26:55):
there are a lot of different types of events, and shout out to @TrustedSec. You know, they used to have DerbyCon down in Kentucky and unfortunately it got ended. But that was one of the best, what I guess I would call a medium sized event, on the books. I mean, Dave

(27:18):
Kennedy and his peeps, man, you guys got a, I know I can't say you got to, but I hope something comes that's at the end for you with that type of stuff. We're gonna talk about some tool decisions. How do you map out and plan if you truly need a tool? And I don't care if it's paid for or open source. That part's irrelevant

(27:38):
to me. But you know, sometimes you just need a tool to help you automate some stuff or to do some stuff. And I've got quite a bit of stuff I can talk about there. I even got a decision matrix that I will black out some of my previous decisions, and maybe I'll even keep

(27:59):
one where I've fully decided on something and show you the guidelines, what I used to decide on that something, and I'll tweet it out before, before we go. I'll put it as a vine on Vines or, I don't know, Paths and Facebook, and wherever else I can think of. I don't know,

(28:19):
LinkedIn. All right, that's it. We're twenty eight and a half minutes into this. I appreciate you listening today. Stay tuned. I will publish another episode. Today is Wednesday the twentieth, I think, yeah, let's go with the twentieth, and so look for me about every three to four

(28:45):
days for about the next two months. Then after that I will be posting once a week. So until then, I'm Dave the IT Guy. This is Bring Your Own Security Radio. You can find me on all the major podcasting apps, you know, Apple, Spotify, Spreaker, crap,

(29:08):
I can't think, Stitcher, iHeartRadio, you name it. I'm on it, check it out, reach out. Until then, stay safe and as secure as you can. Nothing is unhackable. Don't get too stressed if you can help it, and stay safe. Goodbye.