Security Ripcord


Cutaway Influences Security Managers AROUND THE WORLD!!

February 21st, 2008 cutaway Posted in Email, SANS, Security 1 Comment » 2,516 views

As I mentioned in the SMTP Server Security post, “I have just finished writing a paper for a SANS’ initiative that Stephen Northcutt is working on.” I have recently learned that this paper has been accepted for the SANS MGT512 Courseware Update and, in whole or part, will be influencing Security Managers from around the world when it is introduced into the SANS course rotation. For those of you who are not familiar with the SANS Security Leadership Essentials For Managers with Knowledge Compression, here is an excerpt from the course description.

This completely updated course is designed to empower advancing managers who want to get up to speed fast on information security issues and terminology. You don’t just learn about security, you learn how to manage security. Lecture sections are intense; the most common student comment is that it’s like drinking from a fire hose. The diligent manager will learn vital, up-to-date knowledge and skills required to supervise the security component of any information technology project. Additionally, the course has been engineered to incorporate the NIST Special Papers 800 guidance so that it can be particularly useful to US Government managers and supporting contractors.

Attending this course will help Security Managers achieve the GIAC Security Leadership Certification (GSLC) which is required for those who are responsible for being in compliance with DoD 8570 IAM Level 1, 2, or 3.

I worked hard on this small little piece of the puzzle and I am very happy that it was included. I would like to give you a little taste of the write up here but I am afraid that you are just going to have to register and complete the course. I can tell you, however, that I did manage to work in a quote about data loss prevention by my friend Rich Mogull (get well quick, Rich) over at Securosis and the Network Security Podcast which he wrote for Network World back in February of 2008.

Although an important topic, DLP is an evaluation of “an overview of major gateways, data repositories, and endpoint management infrastructure” which should be performed as its own initiative.

So I did spread the love, at least a little.

As to “Influencing Security Managers AROUND THE WORLD!!!?” Well, it is a big job, but somebody had to do it. Actually, I am glad I could contribute even if it was just a little bit.

Go forth and do good things,

Don C. Weber

P.S. Remember, I am a SANS Affiliate. If you are going to be attending any SANS classes start by clicking on a link from this site. SANS will kick me a few bucks that will help contribute to my training and conference appearances. My, and Security Managers AROUND THE WORLD!!!, thanks in advance.


SMTP Server Security

February 16th, 2008 cutaway Posted in Email, SANS, Security 1 Comment » 2,756 views

I have just finished writing a paper for a SANS’ initiative that Stephen Northcutt is working on. Although I do not have permission to provide it here (yet), I thought you all might be interested in some of the resources I have tracked down relating to this subject. There is no particular order and some of the information may be redundant, but here you go.



General guidance SANS Top 20: http://www.sans.org/top20/

Open relay source: http://www.spamhelp.org/shopenrelay/

Mail relay and spoof source: http://www.defendingthenet.com/Newsletters/HackingSMTPGatewaysCommandReference.htm

Open relay mitigation source: http://www.mail-abuse.com/an_sec3rdparty.html

Mail relay testing source: http://www.abuse.net/relay.html

DoD bans webmail source: http://www.sans.org/newsletters/newsbites/newsbites.php?vol=8&issue=102

Microsoft 2007 Security Guide: http://technet.microsoft.com/en-us/library/bb691338.aspx#BestPractices

Email spoofing source: http://www.windowsecurity.com/articles/Email-Spoofing.html

How email works source plus securing your server: http://www.ftc.gov/bcp/conline/pubs/buspubs/secureyourserver.shtm

Server security source: http://spamlinks.net/prevent-secure.htm

Spoofed email source: http://www.cert.org/tech_tips/email_spoofing.html

Spoof detection source: http://www.fraudguides.com/internet_detect_spoofed_email.asp

Linux Journal article: http://www.linuxjournal.com/article/5753

7 reasons why HTML e-mail is EVIL!!!: http://www.georgedillon.com/web/html_email_is_evil.shtml

Expert warns of security dangers from webmail: http://www.itwire.com/content/view/2373/53/

Internal/External email server: http://en.wikipedia.org/wiki/Demilitarized_zone_(computing)

SMTP Security: http://technet2.microsoft.com/windowsserver/en/library/ded0ca67-f81c-49ad-91d4-cb21bc91dd0b1033.mspx

Data loss prevention: http://www.networkworld.com/columnists/2008/020408insider.html?fsrc=rss-security


Go forth and do good things,

Don C. Weber


Considerations for an Information Assurance Laboratory

September 21st, 2007 cutaway Posted in Education, Hacking, Patch Management, Penetration Testing, SANS, Security 1 Comment » 3,086 views

I find it interesting what professors will say and do when it comes to providing an educational experience to their students. On one hand I can understand that the professor is trying to discover the best way possible to quickly train their students about a specific topic. On the other hand I am concerned about the, at times, lack of intelligent thought process on how it is going to affect other students, faculty and staff that also use and maintain the same resources and network environment.

One of these situations arose in my organization the other day. A college is in the process of providing computer security courses that will train the students in subjects such as risk assessment, programming, networking, and defensive and offensive tactics (to name a few). Because it is a new program, the college faculty and staff are still gathering resources, deploying them in labs, and creating the teaching platforms. All of this while the courses are being taught.

When the college decided to start providing the students with this type of course work they did approach the university’s networking team to let them know what was happening. After a few meetings it was determined that it was necessary to operate any labs that would be doing offensive tactics from a lab that was completely isolated from the university network as well as the Internet. Although very good in theory, completely isolating a network in this manner really brings forward some interesting problems. Problems that require a lot of planning, coordination, work and money.

The following is a list of a few things that should be taken into consideration as you are developing security courseware.

1. Because of the types of network and other computer activities associated with information security, the details of any lab deployment must be handled just like any other system development: bring together all of the people and organizations involved and follow a life cycle. By doing this you will discover issues and identify problem areas in the design phase, before classes start. As with any system design, it is much harder to change or address issues during production. The whole “fixing the plane while it is flying” issue.

2. Labs that will be conducting offensive operations or monitoring must be completely isolated from the school’s network and the Internet. There are many reasons for this.

  • Network traffic will contain plain text personal information related to other students, faculty, and staff. I used the gmail attack tools developed by Robert Graham and presented at DefCon 15 as an example to drive this point home.
  • Student attack tool activities are hard to distinguish from malicious attack tool activities. Many tools are designed this way to avoid network and other protections.
  • Being convicted, or even just accused, of hacking a resource without permission could ruin the career of the student and any teachers involved with the incident. Each student is trying to learn and grow. The majority of them are youths who want to test their boundaries and skill levels. Sometimes the temptation is just too much, not to mention the potential for improper configuration, and they might scan or attempt to exploit a vulnerability. The school administrators and teachers must help protect their students from this.
  • The reputation of a school is involved. If the school’s students and professors are accused of attempting to hack computers connected to the Internet then the school is going to see a serious reduction in the amount of students attending the security courses and the rest of the school’s curriculum.

3. When you are building your labs, be sure to take into consideration that students operating on an isolated network are still going to need access to the Internet. They will need this to obtain tools, read manuals and howtos, and interact with their Facebook/MySpace accounts. Although having a few computers off to one side is a good quick fix, it is not the optimal situation and you will be reading complaints about this in the class evaluations. Perhaps a better solution is to have dual-input monitors that can be quickly switched back and forth by the students. Each system should have a different background or operating system so that the students are aware which system they are using. Thin clients are also a viable solution and would prevent network cables from being swapped around.

4. Create separate networks for security classes and regular classes. Nothing is more frustrating for a student or a teacher than to come to a lab they have been working on most of the semester only to find that somebody has modified its configuration or hacked their resources. This is detrimental to the learning experience and will lead to finger pointing and bad blood.

5. Create update servers that can be a repository for OS and application patches. With properly documented procedures these servers can be kept on the campus’ main network in order to retrieve updates via the Internet and then reconfigured to provide service to the isolated network. Updating in this manner is a great learning experience for the students and will prepare them better for real world experiences.

6. Start a tool repository to version control tools. Many tools change rapidly and also disappear. Maintaining this repository is a good way to show students product evolution. It is also a good way to monitor these for malicious activity. This helps keep developers honest. Let’s face it, eventually some tool will be updated with malicious intent. It is only a matter of time, and think of the publicity your school will get if you are the first to identify it.

7. Network isolation is a common practice in the security research field. Ed Skoudis developed his SANS GCIH class to be an isolated environment. The SANS Integrated Cyber Exercise (ICE) is conducted in an isolated environment. And the RootWars at Learn Security Online are conducted in an isolated environment. It can be done but it requires planning.

8. Finally, listen to and leverage the experience of the information security professionals within your organization. Teaching security courseware is one thing, but working as a security professional is completely different. There are different goals and different mindsets. If the information security professionals within your organization are good they will get you what you need while also maintaining an acceptable level of security for the entire organization.

Remember, you are training the future information security professionals of the world. You should show them that security is necessary as well as implementable. Circumventing a school’s security and infrastructure policies and procedures just to provide additional or “real world training” to the students is not setting a good example. It is, in fact, sending the wrong message.

If you have any additional concerns or recommendations, please leave a comment so that others can take it into consideration.

Go forth and do good things,
Cutaway


Results – SANS Mentor Poll

August 25th, 2007 cutaway Posted in Poll, SANS No Comments » 1,971 views

The results are in. Just click on view results below (there is no easy way to force the results or I would have) or check out the new Security Ripcord Polls page. For those who don’t want to click, it was a tie between “No” and “Yes, if my employer paid for it.” “Yes, I would pay for it myself” did not get a single vote.

Would you take a SANS training course via the SANS Mentor program?

Unfortunately the results reflect what I recently found out with my attempt to Mentor a SANS GSEC here in Corpus Christi. People are not going to pay for this type of training out of their pocket. So, unfortunately my first attempt at being a SANS Mentor was not successful. I am going to try and get out a little more in the Corpus Christi community before I try to spin up a class again. I think I just need to come to the realization that there are not enough large businesses here in Corpus Christi to support this type of training event. Everybody wants the knowledge but they all tend to balk when they see the price tag associated with the training and certification.

I would like to thank Martin and Michael for their attempts to get the word out for me. It was very much appreciated.

Go forth and do good things,
Cutaway


Security Ripcord Poll – SANS Mentoring

August 14th, 2007 cutaway Posted in Poll, SANS No Comments » 2,183 views

Inspired by AndyITGuy I have decided to start doing polls. The first poll has to do with the SANS Mentoring program since I will be participating in this program by Mentoring a GSEC here in Corpus Christi.

So cast your vote and let me know if you think this program is worth its salt or, at least, the GIAC GSEC certification you will achieve by participating in this program.

So, vote here in this post and keep your eye out for future polls in the right sidebar.

Would you take a SANS training course via the SANS Mentor program?

Go forth and do good things,
Cutaway


Mentoring SANS Security Essentials in Corpus Christi, Texas

August 11th, 2007 cutaway Posted in Corpus Christi, SANS, Texas No Comments » 2,087 views

Martin McKeay has broken the news for me. I will be mentoring a SANS Security Essentials class in Corpus Christi, Texas. The classes will be held from Thursday, September 6, 2007 – Thursday, November 8, 2007.

I am truly looking forward to the experience. Currently I am drumming up local contacts to send this information to within my fine city. Tracking down the proper personnel has not been a challenge but it has been time consuming. Hopefully we get enough participation. If all goes well then this will be the first of many security training opportunities in Corpus Christi.

UPDATE: Don’t forget to fill out the poll question in the right sidebar.

Go forth and do good things,
Cutaway


Ransomware In The Wild

April 28th, 2006 cutaway Posted in Malware, SANS No Comments » 1,785 views

Darknet has pointed out that there is a new rash of malicious programs out there that are extorting money from computer end-users. I know that this is not necessarily new news but all the same it really ticks me off that there are people out there who are willing to resort to this type of behavior. I guess this is one of the reasons that I have chosen to become a security professional. I really wish that I could find a team that was actively targeting these individuals so that I could be of some type of assistance and we could get them arrested and put up on charges. Of course the far reaching tendrils of the Internet make these malicious programmers almost untouchable. Too bad.

For a really great resource that you can use to help educate your end users look to the SANS Stay Sharp program. There are courses for all levels of computer users and new courses are being added all of the time. Take some time and have a look at the course descriptions. Specifically, you may want to send some of your people to the Stay Sharp: Computer and Network Security Awareness. If you cannot get a SANS certified professional to teach this course for you then just contact SANS and I am sure they would be willing to help.

Good luck out there and stay aware,

Cutaway


SANS Advisor Volume 2, No. 1 Is Now Available

April 23rd, 2006 cutaway Posted in SANS, Tools No Comments » 1,888 views

The latest edition of the SANS Advisor is out. This time they used two of my articles: “Taking SNMP for a Walk” and “Please Don’t Decrypt My File.” The first article talks about the importance of treating SNMP community strings as if they were passwords (which, in a sense, they are). Of course, in a perfect world everybody would be using SNMPv3, which can be configured to use encryption. Check out a quick README about this at the Net-SNMP site. The second article describes a personal blunder on my part. I was attempting to transfer a file securely but working too fast bit me in the butt. This is a good argument for slowing down and double checking when security is important.
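As an added illustration that is not from the post or from the SANS Advisor article: a Net-SNMP snmpd.conf fragment showing the community-string configuration the article warns about next to an SNMPv3 user that requires both authentication and encryption. The user name and passphrases are placeholders.

```conf
# --- Weak: SNMPv1/v2c community strings are the only credential and
# --- cross the network in clear text. A guessable string is a guessable
# --- password, so lines like these should not exist on a hardened host.
# rocommunity public
# rwcommunity private

# --- Hardened: SNMPv3 user with authentication (SHA) and privacy (AES).
# createUser is read once at startup and moved to the persistent store
# (/var/lib/net-snmp/snmpd.conf), so the passphrases do not remain here.
# "monitor" and both passphrases are placeholders; use long, distinct ones.
createUser monitor SHA "REPLACE-WITH-LONG-AUTH-PASSPHRASE" AES "REPLACE-WITH-LONG-PRIV-PASSPHRASE"

# Limit what the user may read (here, only the system group).
view sysonly included .1.3.6.1.2.1.1

# Read-only access at the "priv" security level: requests that are not
# both authenticated and encrypted are rejected.
rouser monitor priv -V sysonly

# Verify from a management host (placeholders in angle brackets):
#   snmpwalk -v3 -l authPriv -u monitor -a SHA -A "<auth>" -x AES -X "<priv>" <host> system
# A -v2c walk with "public" against the same host should now fail.
```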

A few of the links to the tools and references I talked about include:

An interesting side note, Paul Asadoorian also had an article published in this volume. His article, “Secure Instant Messaging for OS X,” stays on track with the theme which is Instant Messaging. You should definitely check out his Security Weekly Podcast.

Please let me know what you think about these articles.
Thanks,
Cutaway


Auditing Workstation Considerations

March 21st, 2006 cutaway Posted in Assessment, Penetration Testing, SANS, Tools No Comments » 2,334 views

As a part of the SANS Advisory Board I try to respond to questions whenever possible. Recently somebody wrote in about how to secure a workstation designed for auditing. The following was my response.

Securing an auditing workstation is important but you also want to be sure that you do not limit services that you may need to use during an audit or penetration test. I usually protect my system with a host-based firewall and create a backup of the system should I need to restore it to a known good state (Knoppix style security toolkits make this easier still). Perhaps the most important thing is to control the system and limit access to it to specific personnel.

Perhaps you should consider using a laptop for this type of activity. That way you can control access to the system better and it will not be constantly connected to your network. Two factor authentication (fingerprint, smart cards, etc) using included or add-on hardware is becoming more prevalent and easier to obtain. You might take this into consideration to protect such a precious and potentially dangerous system.

You may also have to consider your network configuration when doing testing. Some traffic may be denied by your network devices. Although this could stop an attack, it does not necessarily mean that your system or application is secure. You may need to permit unusual traffic to and from this system so that you can fully test your environment. You should be very careful making these types of changes and have procedures and inspections to return the environment to its operational state.

If you still want to lock down the operating system and applications on this system, I would take a look at the checklists provided on the S.C.O.R.E site (https://www.sans.org/score/). This site also has links to the CIS tools and guides mentioned by others.

Hopefully this is helpful to others as well. Another board member also pointed out that he has written an honors paper covering this topic: Auditing a Systems Security Consultant’s Laptop Running Fedora Core 2. Having written a paper for my GNSA-Gold certification and having voted on dozens of GSEC honors papers (under the old honors process) I know that this paper is thought of highly by the GNSA graders. After a quick review I think that it is a very good place to start. Although this paper is written for a laptop system most of the issues it addresses can and should be applied to any auditing system. Just because a system is not portable does not mean it cannot get up and walk away.

A system configured for auditing and penetration testing should be considered a high risk asset and treated as one. You leave the capabilities of this system, and the information it may contain, underprotected at your own risk. One other consideration should be made about how to restrict and protect information collected by this system and written to media. A perfect example of this is the recent activity at McAfee as outlined in the InfoWorld article Auditor loses thousands of McAfee employees’ data.


Another SANS Advisor Article

March 21st, 2006 cutaway Posted in Kudos, SANS, SSH No Comments » 3,504 views

Personal Kudos on this one.

I have been included in another SANS Advisor article. This time the subject concerned moving from SSH password authentication to pre-shared key authentication. It briefly (very briefly, as we only have 250 words to work with) covers the importance of moving away from the usual password authentication as well as pointing out a few concerns that go along with the move. The SANS newsletter is published in PDF format and the December, 2005 version is titled Advisor Vol.1 No. 5.