
Questions from SANS Pen Test Hackfest 2019

Don C. Weber Presenting at SANS Pen Test Hackfest 2019

This week I had the pleasure of speaking twice at the SANS Pen Test Hackfest Summit 2019. I had an excellent time and got to meet up with some old friends and make new acquaintances. That is one of the most important things about these events. Attending pulls us from behind our virtual cubicles and gets us in front of human beings with common interests. It allows us to participate in conversations and, hopefully, have interactions where the communications include body language, facial expressions, and vocal inflections.

Three-Person Panel

The first talk was a panel with Stephen Sims (@Steph3nSims) and Kevin Tyers (@waronshrugs) titled: “Break it ‘Til You Make it: How Playing with Fire Levels Up Your Offensive Skills.” We were asked to describe ourselves and some of our experiences. Stephen and Kevin gave some excellent input that I’m not going to paraphrase here, as I would not do them justice. For me, I spoke about the challenges I experienced getting started in the field of information security. I discussed my early blogging and podcast efforts that helped me educate myself and introduced me to so many like-minded individuals. I also talked about my struggles with fighting through the learning process and accepting my initial “failures” as me learning and getting better. Yes, I still struggle with this. I’m just quicker to remind myself to be nice to myself.

Penetration Testing ICS Presentation

My second talk was about “Pen Testing ICS and Other Highly Restricted Environments.” It contained a condensed message about how to approach and be successful at conducting assessments where the testing steps could have a negative impact on safety and the process. The slides for the talk are up if you would like to take a look at my approach. What was great is that Lesley Carhart (@hacks4pancakes) also spoke on penetration testing ICS environments. She gave an excellent introduction of the concepts and technologies associated with processes. She raised many of the points that I continued in my own talk. Her introduction allowed me to take a deeper dive into how information security professionals are imposing roadblocks by harping on the fragility of process technologies rather than understanding the requirements that lead to their architecture.

Interesting Questions

My previous posts and talks have a similar message, so I won’t expand it any further here. I would rather focus on some of the questions I received while I was at the conference.

First Question

At the end of my presentation, Jake Williams (@malwarejake) asked, “What do you do if you come across industrial control systems or devices that you didn’t know were there during a penetration test?” He intended this as a slow pitch softball for me to hit out of the park. I fumbled with it a bit (things I need to work on). The easy and best answer is “stop.” Stop what you are doing, communicate with your point-of-contact, determine if this was expected, and decide if you need to avoid specific systems or subnets or continue testing.

Second Question

At the end of the conference I was approached by a person and asked (paraphrased), “Aren’t manufacturers doing something about the insecurity and vulnerabilities in their products?” I explained that they are making headway. Their customers are requesting that they make it easier to understand vulnerabilities and implement updates. Customers are also asking that, where appropriate, the vendors and integrators provide security settings and produce documentation that helps their team implement and maintain secure configurations. However, in my opinion, vendors and integrators are not doing enough to educate the clients that are not asking. I gave the example of a recent experience I had discussing vendor-provided guidance during an assessment. My client, the primary IT lead for the OT environment, did not know if there were resources for being informed of vulnerabilities and understanding what needed to be patched. He just figured all risks needed to be accepted unless the integrator reached out. Interestingly, when we spoke with the POC for their integrator, we were informed that they had a subscription-based mailing list that provided this information. He was more than happy to discuss the impact of vendor and OS patches and how they would impact the processes when the customer reached out. He also identified that they have a virtual environment where they test application and OS patches when they are released. And, most importantly, he stated that they could build a virtual representation of the customer’s process (for a cost) where things could be tested. So, vendors and integrators are making headway, but their clients need to be requesting and looking for those resources. Communications is a two-way street, and everybody can do a little better.

Third Question

The last question that comes to mind was from a young lady from Canada. She is considering joining the Canadian air force and my background as a US Marine led her to ask about US Marines and information security. She has noticed a trend of US Marines moving towards the information security field and she was wondering why. While I cannot be completely sure, I mentioned that Marines consider everything a weapons platform, defensive and offensive. It is easy for us to think of technologies in this way and, I extrapolate, a lot of Marines are experiencing technologies more and more on the battlefield (actually in the field or in garrison). Additionally, information security is about defending something from adversaries. This definitely appealed to me and could be why she is experiencing this in the Marines she has run across. Lastly, there is also an excellent program sponsored by Microsoft called Microsoft Software and Systems Academy. This program provides transitioning military veterans with training in technology careers. One of this program’s tracks is in information security. They are doing an excellent job at training our veterans and I highly recommend it. If you know a veteran who wants training or needs to refocus themselves, please point them in this direction.

Conclusion

I’m hoping that SANS publishes both talks to the Summit website in the near future. In the case that they do not, I’ll do my best to get the raw footage and post it here. So, check back soon.

I had a great time during the conference. I would like to thank Ed Skoudis (@edskoudis) and Stephen Sims (@Steph3nSims) for inviting me. Although, it was Jennifer Santiago (@SANSJen) who truly paved the way for me and I am extremely appreciative.

Go forth and do good things,

Don C. Weber

Cutaway Security, LLC.

Email: don@cutawaysecurity.com

Website: https://www.cutawaysecurity.com

Twitter: https://twitter.com/cutaway

SANS Instructor: https://www.sans.org/instructors/don-c-weber