
So thanks for having me here today. I'm not dropping 0-days; we're going to look at basics, and this is based on my experience in the summertime. I'm Bill Gardner. I teach digital forensics and information assurance at Marshall University. This is also called "what I did on my summer vacation," because when I don't teach, I consult. Last summer I had a lot of fun doing assessments for small and medium-sized companies. None of this represents the opinions of Marshall University. I think I misspelled "opinions," maybe. Anyway, if I say anything stupid it's my own stupidity, not Marshall's. Also, thanks to Marshall University for scraping up the money in a really tough budget year to send me down to speak to you all; they are, I guess, an unofficial sponsor of this event.

Hi, I'm Bill, and I'm a hacker, the good kind, not the bad kind. Also, any WoW players in here? Oh, come on, it's going to affect your grade. I always tell my students playing Alliance will affect your grade. I'm on a PvP server, which is funny because now I do raids and dungeons, which is PvE. As I said, I'm an assistant professor at Marshall University. I also stabbed some people, apparently, according to the news feed.

Anyway, I'm an author. My first book, Building an Information Security Awareness Program, came out August of last year. Still haven't made a dime on it. Go buy it, please. Google Hacking for Penetration Testers comes out, they tell me now... Syngress has been all over the map with this. It's been in post-production for a month and a half now; they're telling me it will be out by Christmas, so it makes a great Christmas gift, birthdays, anniversaries. All the money that we're going to make off Google Hacking, a big part of it, is going to support Johnny Long's Hackers for Charity. If you don't know Johnny's story about picking up, selling his house and everything he owns, and moving to Uganda to help the poorest of the poor in Africa, check out his talks; he's got a couple on YouTube. We actually have an agreement with Syngress to revise his No Tech Hacking book. Has anyone ever seen Johnny's No Tech Hacking talk or read the book? Very good book.

I'm the CCDC adviser, and unfortunately we've never made it beyond virtual qualifiers. This is what's known as public shaming, so we're hoping this year they do better. One of my students won capture the flag and a black badge at SecureWV this year, so I'm very proud of him, and the first thing I did was have him go back and tell the rest of the team how he did it. I volunteer for Hackers for Charity. We started a Hackers for Charity student group at Marshall; it's the first of its kind. We're raising money for Johnny and sending it straight over to him, and they have a lot of fun doing it. The biggest problem has been trying to explain what Hackers for Charity is, but we have a lot of fun, and it's a new student organization, so it's getting people at the student level into the idea of service and service learning. They're having a Mario Kart tournament coming up next week where everyone's going to throw in five bucks and we send it over to Johnny. There's also a membership fee, five bucks a person, so every semester they collect money and send it to Johnny.

Today is the 45th anniversary of the Marshall University plane crash. It was hard for me to fly yesterday for that reason, which sounds weird. Has anyone seen We Are Marshall? It's the worst sporting disaster in history, but today is actually the day we turn on the fountain at Marshall University. I didn't know this coincided with this, but this is a very emotional time. If you haven't seen We Are Marshall, it's a great movie.

I'm the host of Reboot It. Does anyone listen to Reboot It? That's what I thought; I think there's like five people who listen to it. Anyway, rebootitpodcast.com; it's also on iTunes. The last couple of weeks we've talked to n threat. Last week we talked about red teaming: what's red teaming, what's penetration testing, what's a vulnerability scan. People in our industry tend to throw those together and confuse them. I think we tried, at least, to define them. I have really bad knees, so if I start wavering up here it's not that I'm drunk, not yet, but my knees hurt all the time, so if you have to follow me up or down the stairs, I'm sorry.

So we're starting here. I guess I can't wander too much, right? This is the security pyramid. It actually appears in the first book. The first thing you need to do to build a mature security program is start with policies and procedures; the second would be user training, patch management, and all of that. I'm not going to read it to you, but people are buying way too many blinky-light boxes, putting them in their environment and wanting them to do magic for them. There are a lot of companies that will sell you a cyber APT protector, but do you really know what that box is doing? If you're going for the top of the pyramid without doing the things at the bottom of the pyramid, you're really doing yourself a disfavor, and I see this a lot in small and medium-sized companies.

So what's a penetration test? I think the Penetration Testing Execution Standard is really the best definition, and if you go check that out: Dave Kennedy, Chris Nickerson, and some other people got together a few years ago and put together a really nice website. As well as defining the terms, they have the execution standard, which talks about the tools that you need in order to do proper testing. Pre-engagement: the first thing you want to do is walk in someplace. Usually they think I'm there to get everyone fired, which is always fun, because I usually see clients after a breach, and I to this day say that nobody cares about security until they get breached. So we usually go in and say, what do you want? Do you want a vulnerability scan? Do you want a pen test? And you have to explain to the client the difference between the two. Scoping: like Kevin Johnson said earlier in his keynote, that scoping document is very important, and you should never go beyond that scoping document. Technically, if you do, you're breaking the law; your get-out-of-jail-free card only applies to the things that you agreed to in that first meeting. Scheduling: I pick and choose what I do, which is pretty cool, but if you work at a large organization you probably have people selling penetration tests with way too little time to actually do a proper job, so that can be an issue. Also pricing: smaller organizations have different needs, so you tend to price that differently. I've been going to a flat-fee model for my smaller and mid-size clients rather than doing it hourly. Then there are different kinds of penetration tests defined. I once had a contract for a wireless penetration test, which was really the easiest thing I've ever done, because I showed up and they didn't have a wireless network. So whenever you have people making the decisions that aren't technical, be careful.

One of the things, and I didn't say this, my friend Dave Kennedy came up with it. I'm sorry, I'm name-dropping; I just want to give credit where credit is due. I'm going to name-drop and get hell on Facebook for it; it's all over with. Your job as a network defender, and this is sort of a network defender talk more than an offensive talk (we'll talk about blending those together later on), is to protect what makes your organization money. So if you work at Coke, you're protecting the secret formula for Coke, which is basically gasoline and something else; it dissolves pennies, but I'm not sure. If you work at a big drug firm, you're protecting the formula for Viagra. That got a little laugh, as I thought it would. Anyway, so your job is to protect things. What I run into with smaller companies: say you're a law firm and you do medical defense. You're going to have lots and lots of medical records. I have one client in West Virginia that has, we estimate, more medical records than many of the small hospitals in West Virginia. If you're doing product liability defense, you have the drawings for all these products. If you're doing drug interaction defense, somebody dies because they took a specific kind of drug, you're going to have all this information sitting in your network. The first part you need to do is convince people that yes, somebody wants it. And usually, unfortunately, I hate to say the Chinese do everything, but they love intellectual property, so they're going to look at the weakest link. They're going to look at your business associates, and they're going to target those people. So whenever you're doing testing, make sure that your client who engages you to do that testing understands what they're getting themselves into, and then try to figure out if you know what you're getting yourself into.

So, anyone here work at a small or medium-sized company? Okay, a couple. Who works at Fortune 10s? Okay, wow. Fortune 500s? Fortune 1000s? Okay. Who does penetration testing? Who buys penetration tests? So we need to talk to each other about what a penetration test is. Who thinks that a penetration test is a Nessus scan? Who thinks a penetration test is an Nmap scan? Okay, well, either you're lying to me or you're pretty educated about this. One of the things in scope you have to deal with is that a lot of small and medium-sized companies don't know what's on their network. So when you show up and they don't know what's on their network, you have to step back and say, well, we're not having a penetration test; the first thing we're going to do is figure out what's on your network. This sort of goes into what I'm going to talk about coming up, which is purple team. Who's heard of the idea of purple team? So purple team is red team and blue team working together. If I show up to pwn your network, and you don't even know what your network is for scoping, how am I supposed to pwn it? The other thing is you don't want to throw people to the lions if they're not ready to fight in the gladiator arena. The reason that people buy things like penetration tests at this point is that they're either dealing with some sort of industry regulation, or they bought cyber security insurance and the insurance company says, we need you to show us that you're secure. I can make a lot of documents, write an email saying yes, you're secure. The problem is that most of these companies who are engaging for these sorts of activities have never done the basics. Back to the security pyramid: they've never built policies and procedures, they're not patching. So the definition of what you're doing and when you're doing it is very important. Identify your technical contact, so whenever you break their network you know who to call and say, I'm sorry, I didn't mean to break your network, because things do go wrong. The other thing you have to define is when you can do testing. Most people only want you to test at nighttime, which is lots of fun when you can't stay up all night because I'm getting old. Really. And I say plan for things going wrong, because they will go wrong.

So what are some of the tools that we use for small and medium-sized networks? We just start with theHarvester. It's amazing; you can go to the website and find a lot of things. Lawyers love to tell their life story on the website: where they were born, what schools they went to. One of my clients has their secretary, and their secretary's email and phone number, listed on the website, so if you can't spear-phish the main target you can always get their trusted person, which is their secretary. theHarvester is a great tool, but a lot of times you don't have to go that far in order to gather information about an organization.

There are some really big challenges to social engineering in a smaller organization. In Mayberry on the Andy Griffith Show, when strangers showed up from out of town, they were there to do wrong. Well, when somebody walks into your network and you don't know who the hell they are, you're going to get a lot of questions. They know who the UPS guy is; if you come in wearing a UPS uniform, it's not going to end well. Even sending email: I did a spear-phishing campaign as the system administrator in an organization this summer that didn't end well, because they all knew the system administrator, knew how he wrote, realized that that didn't sound like Matt, and thought maybe they ought to give somebody a call. I think smaller organizations are probably one of the toughest environments for social engineering that you can find. The other thing is the old USB attack: you leave a bunch of USBs lying around, right? Well, at least in West Virginia, people return them. "Oh, I found this USB, it's probably something important." So, very hard. They need to be a lot less polite.

One of the things I did find is that people are busy, and they don't pay a lot of attention to things like domain names. So I bought a lot of domain names that were one letter off this summer, and that worked wonderfully, because they see that domain, they don't look that close at it, and then they end up actually clicking on links and things. There's an interesting tool out there called URLCrazy that will help you with this; it will go through permutations that might be available, but you're still going to have to do manual work looking to make sure that those domains are available. And go with a cheap domain registrar; you don't want to spend a ton of money on this because you're going to have to charge it back to the client. So go out and find a $6 domain registrar so you're not running up your expenses.

Technical challenges: I work at home over the summer. Guess who my internet service provider is? I don't know what the hell they're doing with ports, but it just did not work, so I had to move beyond Comcast somehow. The way that I did that, because we've already talked about the other things in this slide, is a VPS, SSH, and PTF. Does anyone know what PTF is? The Penetration Testing Framework. So in the olden days, when you built a cloud box, you'd spend all of your time trying to figure out how you're going to install Metasploit this week, because it seems to change every time you turn around, and hunting down tools. The Penetration Testing Framework, which is a TrustedSec, Dave Kennedy tool, will basically install everything and its brother for you. But let me forewarn you: it will break things. He actually recompiles the kernel at one point, so if you use Armitage, for example, it does not work if you use that specific tool. But it's great for using on a VPS because you don't need a graphical user interface, and in about 40 minutes at the most, even on a slow connection, you have a totally up-and-running penetration testing box. My personal favorite is Linode. Does anyone use Linode? Amazon's got weird about using their AWS for testing; they also have way too many features for me. I look at it going, okay, now how did I restart this machine? So I moved away from Amazon.

The other one is the Social-Engineer Toolkit: very simple ways to phish people. If you don't know about the Social-Engineer Toolkit, there are tons of videos out there about it. Basically, with the Social-Engineer Toolkit you can do browser attacks, you can clone websites, then use that one-letter-off domain name. So SET to the rescue. How many of you are still clicking on shortened links? We all do. These still work in phishing attacks, so if you're doing a test, shortened URLs still work. We have basically trained users to click okay, yes, okay, yes, and click shortened links, because they're busy. So shortened links still work.

I heard this interesting story about PhoneFactor. Is anyone here using PhoneFactor? It's a two-factor authentication: it will either call or text you, I believe, whenever you're logging into something, and you just click okay. Well, I know someone that was on a penetration test, and he says he's never had a problem getting around it: basically the user will see something pop up on their phone and just click okay. He asked why they were doing it, and they're like, it had to be something important; I walk into stuff all day, I didn't know, maybe I missed logging into something. So if you're using PhoneFactor, you may want to put that in your security, information security... sorry, I'm getting trolled while I'm standing up here. Is this live streaming? My friends will troll me at the strangest times, and I'm like, anyway, so what were we talking about? Who are you people? This is worse than teaching.

So VPS plus PTF plus SET equals win. So really, we've entered a time where, when you come in and you're a black-T-shirt-wearing jackass and you pwn all the things and you write a report saying you pwned all the things and your client's stupid, we really need to move beyond that. And that's the reason for blue team, I mean the purple team. Purple team was originally, I think, an idea from Mick Douglas; another, Martin Bos, excuse me, and Eric Milum have done talks, as well as Dave Kennedy, on purple team. The idea, the way that I use it with my clients, is I say: once you build all the ground-level stuff, once you write the policies and procedures, once you help them figure out what's on their network, and they're still not ready for a penetration test, let's see if you can detect specific things. So you say, I'm going to send exploit X. Did it work? It didn't work. Did you detect it? If they say "I'm still waiting for it" and you've got shells, they have a problem. So then you try to figure out how to fix that. It's not just saying you have a problem; you have to help them move beyond their problem, and you can do that in this sort of engagement. I don't sell security solutions; I'm not going to sell somebody a blinky-light box. There are some things, if you've got Active Directory domain issues, I am not going to come in and fix your Active Directory, but I will help you test your security in this kinder, more gentle way.

Most small orgs, or even medium-sized organizations, don't have mature security programs. Lack of documentation, lack of policies is a problem. And red teaming in a small or medium-sized organization doesn't scale well at all. If you're a Fortune 10, or you're a bigger organization with resources and you have a lot to protect, red teaming is for you. It's sort of penetration testing plus-plus, but generally it doesn't scale well for medium and small businesses.

Reporting: I've seen some really bad reports out there. The most important thing you can do is a good, succinct overview of what the problem is. Write an executive summary that explains the business impact, because your job is to figure out how they need to protect what makes the money. The technical findings need to be in there, but that's not something you're going to throw up at the top; it's going to be at the bottom.

So how do you figure out if someone broke into your network? I actually noticed that Secure Ideas used to have a product called Network Scout, which they've changed the name of to Scout, God bless them. Network Scout is something that was developed by my students. It's a Raspberry Pi; you run the Pis in... it's sort of a network monitor. We're using Dave Kennedy's Artillery, and then it has a reporting interface. So basically you put one of these in each logical or physical part of your network, and then it reports back to its own SIEM, or it will report back through syslog, or you can use whatever you want in order to watch alerts. But this doesn't go on the edge of your network; it's inside your network. You should never see a thing on it. So if somebody clicks on a link or opens an attachment, social engineers you, this thing's going to tell you: hey, there's somebody trying to pivot inside your network. It's free, it's open source, low cost, and it's on GitHub, the best place to find it. If you look into it, it's a lot of fun to build. They did things like add an LED screen so it tells you what the IP address is, because if you plug the same thing into your network and start scanning for it, it's just going to ban you, which is a problem. But generally we've had good experience with Network Scout. It's scaled well for bigger networks, and I use these a lot with my smaller clients, smaller municipal clients. So, do you have any questions? I told you I could run through this fast. Yes, you.

[audience question not audible]

They are, basically... I think that when we purple team, basically what we're doing is we're coming in as red teamers and we're saying, hey, how can we help you? So it's a lot of skipping down the highway holding hands. I don't know that people understand what red teaming is sometimes, so you have to let them understand what red teaming is; maybe they'd be ready for a red team engagement, a pure penetration test, but you have to help them become a mature organization first. Purple teaming is about helping an organization grow their security program, to become educated on their security program, more than anything else. Does that answer your question?

And I do as much network defense as I do offensive stuff. I mean, I spend as much time defending networks to this day, because someone got pwned, or they're getting attacked: it's a very important website, it needs to stay up because it's for an event that's coming up in a couple of months. So I do a lot of that too, and I'll say it now, I do a lot of it for free. I have a job. So if you have some problem, let me know; I'll help you as much as I can. I get bored in the summertime. I'm not used to having summers off, and that sounds like a really weird problem, but I come from an IT background, as an IT administrator and the manager, where I worked 80 hours a week on a good week, and academia has taken some getting used to. But without moving into academia I would not have the opportunity to come do this; I wouldn't have the opportunity to write books. So I'm not knocking it. It doesn't pay well, but I'm happy. Any other questions? If I bored you all to death, you're not as sleepy as most of my students are, so I guess we're okay, and it's after lunch too. This is a tough crowd. So I appreciate you coming out to see me. I'll be circulating around here if you have any questions. Also, I'm looking for someone to share an Uber with to the airport tomorrow; it should be like $400, I think, apiece. What time is the flight? I think it's at six or seven. Yeah, I've already had this discussion with people. So please go out and do the ATM jackpotting challenge, pick locks, even get in the CTF. There's no better way of learning than doing. So thanks for having me again, and I hope to come back. I like this conference a lot.

Thanks.
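The talk describes one-letter-off domains working against busy users, and URLCrazy enumerating such permutations. The block below is an added example written for this transcript, not the speaker's code and not URLCrazy; it shows the receiving side of that problem: a check that scans inbound mail-log lines for sender domains that are one edit (insertion, deletion, substitution, or adjacent swap) away from a domain the organisation owns, after folding a few common look-alike characters. The OWN_DOMAINS set, the Postfix-style log lines and the CONFUSABLES map are constructed for illustration; the map is an assumption, not a complete list.

```python
"""
Flag inbound mail whose sender domain is a near-miss for a domain we own.
Added example for this transcript; the domains and log lines are constructed.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Constructed: domains this hypothetical organisation legitimately sends from.
OWN_DOMAINS = {"examplelaw.com", "examplelaw.net"}

# Constructed Postfix-style log lines (line 2 uses "rn" for "m", line 3
# drops a letter, line 5 swaps two letters; lines 1 and 4 are benign).
SAMPLE_LOG = """\
Jun 12 09:01:10 mx1 postfix/smtpd: from=<partner@examplelaw.com>, to=<bill@examplelaw.com>
Jun 12 09:02:33 mx1 postfix/smtpd: from=<it-help@exarnplelaw.com>, to=<bill@examplelaw.com>
Jun 12 09:03:41 mx1 postfix/smtpd: from=<admin@examplelaw.co>, to=<secretary@examplelaw.com>
Jun 12 09:04:02 mx1 postfix/smtpd: from=<news@vendor-example.org>, to=<bill@examplelaw.com>
Jun 12 09:05:17 mx1 postfix/smtpd: from=<hr@exmaplelaw.com>, to=<bill@examplelaw.com>
"""

# Assumed (not exhaustive) glyph pairs that read alike in a hurried glance.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

FROM_RE = re.compile(r"from=<([^>]*)>")


def normalize(domain: str) -> str:
    """Lower-case and fold confusable glyphs so 'exarnple' compares as 'example'."""
    d = domain.strip().lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment (restricted Damerau-Levenshtein) edit distance."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[len(a)][len(b)]


def is_lookalike(domain: str, own_domains: Iterable[str],
                 max_distance: int = 1) -> Optional[Tuple[str, int]]:
    """Return (closest own domain, distance) if `domain` is a near-miss, else None.
    Exact matches are our own mail and are never flagged."""
    domain = domain.strip().lower()
    own = sorted(o.lower() for o in own_domains)
    if domain in own:
        return None
    nd = normalize(domain)
    best: Optional[Tuple[str, int]] = None
    for candidate in own:
        dist = osa_distance(nd, normalize(candidate))
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (candidate, dist)
    return best


def find_lookalikes(log_text: str, own_domains: Iterable[str]) -> List[Tuple[int, str, str, int]]:
    """Scan log lines; return (line number, sender, matched own domain, distance)."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = FROM_RE.search(line)
        if not m or "@" not in m.group(1):
            continue  # no envelope sender on this line
        sender = m.group(1)
        match = is_lookalike(sender.rsplit("@", 1)[1], own_domains)
        if match:
            hits.append((lineno, sender, match[0], match[1]))
    return hits


if __name__ == "__main__":
    for lineno, sender, own, dist in find_lookalikes(SAMPLE_LOG, OWN_DOMAINS):
        print(f"line {lineno}: {sender} looks like {own} (distance {dist})")
```

A distance of 0 after normalisation (line 2) means the only difference is a confusable glyph, which is worth treating as more suspicious than a plain typo; in practice you would feed the flagged senders to a quarantine rule or a SIEM alert rather than print them.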