Every week I talk about a security topic in simple terms to reduce our security load, increase our efficiency, and make our security work better. There is a free class on the topic so you can have a deep dive. If you need continuing education credits, this counts. A related reading is posted to expandingsecurity.com

If you would like to learn about PKI in our live class Friday February 3, 2012 at 12:30 Central time, wait till class time and type your name Here

This post with the video is here.

PKI is often overlooked and underutilized by commercial entities for fear that they might lose. Lose what? When we want to get our message out to you, we don’t want to take any chance that your systems cannot read or receive our message. So we panic. The standard mantra is: “rip that security crap out of there so we can tell the world about our new thing.”

But all that is changing now in many ways. On the client side we have Sender Policy Framework (SPF) and the Microsoft specific version Sender ID framework. On the server side we use Domain Keys Identified Mail (DKIM) or DomainKeys. DomainKeys is being subsumed by DKIM. Only DKIM truly uses PKI. The other way to deal with suspect hosts and $PAM is to write some rules on your mail server configuration that look for use of PKI certificates.

If you want to know technically how to do the server side of DKIM look at the details link below.

So now we have tools that don’t force users to fight the PKI battle, but still keep the e-mail flowing. Remember the ultimate  goal is to make more security easier to implement, not get in the way of business.

What can we do to make it better for us, for you?

Policy:

• Verify PKI policy
• Restrict inbound mail based upon need

Action items:

• Research DKIM implementations for the server side
• Research SPF implementations for the client side

So all this makes me want to start sending mail with that PKI to improve my score with $PAM review engines.

Don’t know how to do these activities? Come to our free class! CISSP: Crypto PKI & PGP 2012-02-03 12:30:00

http://www.expandingsecurity.com/contact-us/adobe-connect-login?theclassid=3114&company=pp1205&namex=DB&link=http%3A%2F%2Ftraining411.na3.acrobat.com%2Ff_23%2F

Or http://bit.ly/painpill1205

Some technical details you might want:

Miscrosofts version of SPF names Senderid: http://www.microsoft.com/mscorp/safety/technologies/senderid/default.mspx

Thanks diaryofaninja for the how to set up DKIM: http://www.diaryofaninja.com/blog/2011/11/16/when-you-really-need-your-email-delivered-ndash-signing-your-mail-using-domain-keysdkim

I saw about 25 people try to attend class last week, and half made it. If you are trying and not getting in, drop me an email. I think everything is working, but I could be fooling myself. I certainly hope I’m not fooling or frustrating you. We had fun. This week Thursday 7-8PM Central we are going to discuss the Pen Testing topic of Scanning Networks. Click this link, type your name, and you are in!

This post can be found online here.

Once per month this year I am going to talk about a less technical topic and more of a business topic. This time:

How do we manage virtual Pen testing teams?

I would really like a cool office with lots of people jumping on planes flying all over the world like they do in the TV show Leverage, but brick-and-mortar is sooo last century. Further, the cost is crazy unless you are willing to rent a garage next to a drug dealer and take a middle seat with 3 plane changes. I certainly don’t want to pay the cost of having a team of experts sitting around. You know who pays that cost? The customer. So no one is happy doing this face-to-face.

So let’s go VIRTUAL!

Have you ever tried to manage a team of experts? Really smart people who get bored? The phrase herding cats (the old EDS commercial) pops into my head. I have been doing it for a few years now. I learned a few things that should help you other pen testers. Basics items for everyone to keep in mind:

• Virtual cats are even more difficult to keep together.
• More than 6 time zones are impossible for meetings.
• Big meetings are a big mess where nothing gets done.
• Never invite a technician to a high-level meeting.
• Never invite a manager to a execution meeting.
• Even if you like virtual meetings someone else does not.
• Project management skills are even more critical.

Why should the customer care about my business problem and why should you?

Every meeting is going virtual. You say – Dean we have been doing this for years. I am on 2-3 hours of concalls and webcasts per day… Yes, but we are talking about the business of pen testing. We are talking about many people, many IP addresses connecting to your business in an attack-like stance. The customer needs to be ready. The testing team needs to prepare a different way. I see three viewpoints that need to be addressed: the organization, the team tester, and the team leader. Some of what is listed below is common sense to you and I, but people need to hear it anyway.

As the organization who hires testers, these are some things you should think about:

• Short meetings with narrow scopes.
• Prepare for meetings by sending questions in advance.
• Require encryption on all work artifacts.
• If you have EC2 instances get permission from Amazon early.
• Crossing jurisdictional boundaries means contracts will be more strict.
• Address third party service providers’ contracts early in the process.
• Do small scope tests first to see if the virtual process will work for you.
• Connections to your network should be via virtual private network.

For the pen testing team member:

• Get a multi-timezone clock.
• The customer’s time zone is now your time zone.
• Specialization is critical in global teams.
• If you know a deadline is looming, be early.
• Learn the skill-set of the other team members.
• Slow down, explain more, delete the jargon.
• Collect your data, review it, summarize.
• Never argue; you are a unified team of experts.

As the pen testing team leader:

• Let the client, not the team, lead the discussion.
• Be ready to reschedule the test or the meeting.
• Schedule meetings when the client is ready.
• Rehearse your part before the meeting.
• Have all your team’s notes the day before.
• Be prepared to speak for your team members.
• Let your team speak, you moderate and translate.
• Internet connectivity is always in doubt; have a backup, have two.

Over the past four years have been in virtual meetings and done virtual testing about 2-4 hours per day every day. For every minute online, I spend 3-5 preparing and planning. The reward has been that when things go wrong, I am not phased.  Oh and have fun with what you do. A joke or two goes a long way. To those who have been part of my virtual teams in the past I hope you remember the Olympics of 2008 and the special events at the end.

What can we do to make it better for us, for you?

• Think about how your teams work.
• Think about how you can make them better at virtual meetings.

Come to our free class! Thursday 7-8 PM Central - CEH: 03 Scanning Networks 2012-01-26 19:00:00

http://www.expandingsecurity.com/contact-us/adobe-connect-login?theclassid=4192&company=ExpSec&namex=pp1204&link=http%3A%2F%2Ftraining411.adobeconnect.com%2Fceh03%2F

Or bit.ly/painpill1204

Details-

Metasploit – EC2 Instance

If you don’t think HD virtual meetings are big look at Cisco/Webex, Citrix/Goto, Adobe/Connect, and Microsoft/Skype. Oh and don’t forget Logitech/Lifesize.

The steps below, the files, and links within, are numbered in order of what you will need to read and do. If this set of steps is unclear, please attend orientation for a walk-through.

Start of each week, Start of each domain process

01: Prepare – Download

Download all the meeting files below to your local drive and then copy to a USB drive.  You will open a new tab or window in your browser, authenticate, and then choose download. To make it easier, leave the authenticated window open until you download all files.

Download Excel tracking sheet same each week

Download these weekly, per domain to a portable drive; print only when absolutely necessary.

• Cases Combined – M39-M40
• Glossary – Law
• Readings -

M39-p71

M40-p55

M41 only ISC2 ethics on their site

02: Print at the beginning of the week and add to binder.

• Case study overview (once at beginning of the course)
• Template Case worksheet (five  per week) or 44 total copies for class

03: Before any reading - Build Flash Cards from domain glossary download above

• You will need 50 lined note cards per week. A pack of 300 for the whole course.
• Get terms and definitions from 01 glossary download above.
• Hand written: blank side has the term, lined side has the definition.
• Write term big so you can see without your glasses
• If you are weak in concepts or process: build extra flash cards from readings bold headings =  term

04: Least Crappy Answer review

• 2-4 times over the 10 weeks review our exam taking tips recording.

Daily process: Before class. Repeat for each section of the domain.

05: Readings from 01 downloads section above

Know how fast you read and how well you comprehend. Input these results on your Excel tracking sheet for your instructor (test is here) These reading assignments are on a meeting by meeting basis.These can be as short as 20 pages and as long as 120. Please review the page counts and your reading speed to plan your readings before class. Try to read as much on your computer as possible to increase your portability. Reading 30-60 pages in pdf format is not optimal, but as a CISSP you must learn to do a great deal of reading on the computer. Sifting is a way of life.

06: Practice your note cards

• Carry your cards with you for that 5 minutes of study opportunity
• Get a partner to quiz you on the cards
• 20 seconds each
• Make one pile for Yes and No
• As you get a pile of Yes’s, move them to the big stack stored at home
• Keep working the No’s until they are gone

07: Do case study

• Use the combined cases from downloads section 01
• Case study overview
• Use the Case worksheet to write out your notes and thoughts on the business problem and solution
• Use your computer’s notepad or text editor to rewrite your problem and solution
• At class time, you will copy and paste to the chat for the case
• If you feel like you want more help on cases, email your notes to the instructor for input

Daily Process: At class time

08: Prepare notepad/text editor for Case notes from 06

• Copy and paste separately: problem and solution when directed by instructor
• Don’t do both at same time because we want to see what everyone says

Daily Process: After class

09: Write last flash card definitions from class

• Carry over all No’s to next week

LET IT GO! MOVE ON! DO NOT DOUBLE UP.

If you miss class

10: Recording Links: for your review of class presentations.

These are updated no later than one week after the new class has recorded.

You can get your quiz  in the recording, by pausing the recording and clicking through your quiz. See the orientation for more details. These will be post at the end of the week.

MP 40 Class Recording

MP 41 Class Recording

End of week

11: Submit your completed Excel tracking sheet

• Your goal is to pass the exam on your first attempt
• We can find trends and problems before they become a failure
• If you are not ready for your exam we can help
• If you are not sure what to do, your instructor will use this data to make decisions
• We realize you have a life, a job, and a family and you need to get it all done
• Sometimes class and the exam are not a priority
• We still need the true data to make good decisions

All content is copyright protected. Downloading or reviewing any material means you consent to the copyright restrictions placed on all works by the author. You are forbidden from using any of this material in the teaching of any class. You are only permitted to use this as a current student of Expanding Security.  You are not permitted to copy and distribute these materials in any way.

2012 HP Training Agreement:  Please read this page before making your certification training selection.

We are very happy to support the C.S.G. team at HP.  After you enroll, you will receive an account login for Adobe Connect and class information.  Orientations are held every two weeks.

Your HP certification training agreement comes with exam costs included- You must buy from the links below in order for us to process your enrollment correctly.

You must use your valid HP email address ending in @hp.com.  Also, please use your HP code to receive the HP price with exam fees included.

When asked for payment arrangements, our main site and payment gateway accepts Visa, Master card and Amex. There are no other fees.

Our regular training posted elsewhere doesn’t include extra exam fees.

Your training options are:

Click here for CEH – Certified Ethical Hacker – 10 week course meets live online Tuesdays and Thursdays 7pm Central for one-hour.  Class Recordings are always available if you miss class.

Click here for CISSP - Certified Information Systems Security Professional – 10 week course meets live online, 3 to 5 times per week, depending on the Domain.  Tuesday and Thursday classes are 6 – 7pm Central [CST/CDT]; Wednesday, Friday, and sometimes Saturday classes are 12:30 – 1:30pm Central [CST/CDT]. Class Recordings are always available if you miss class.

Click here for CEH & CISSP – Combination each class can be started when you are ready, you do not need to take them back-to-back.  Orientations are held every two weeks.

In order to take advantage of the offer, you  must be an active HP employee and use the reference discount code starting with “DV”

If you are not an HP customer, you can not receive these pricing options.

If you have any questions about the training Dean Bushmiller is your point of contact.

• dean(D0T)bushmiller@ExpandingSecurity.com
• 347-927-9786

If you have any payment questions Helaine Thornton is your point of contact.

• Helaine(d0T)Thornton@ExpandingSecurity.com
• 619-327-9786

Every week I talk about a security topic in simple terms to reduce our security load, increase our efficiency, and make our security work better. There is a free class on the topic so you can have a deep dive. Come to class Wednesday at 12:30 Central time. Click this link

Type your name and Turn up your speakers.

If you need continuing education credits, this counts.

This is your last chance to get the ethical hacker class in January. Pen testing is fun; where else can you get paid to attack other people’s networks?

This post  and video are located here.

Business Impact Assessment (BIA) as a part of continuity planning is very different than Risk Assessment (RA).

I get a lot of people who start learning BIA and make the mistake of thinking that it is the same thing as Risk Assessment.  They look the same, but they have a very different goal and you must adopt a very different attitude when developing each.

BIA has a time element and is focused around a service or process.

• How long could we be without that mail server?
• What resiliency or fault-tolerance do we have?
• Availability

RA assumes no time and focus is set by the scope of asset(s).

• What are the chances of something bad happening to this asset?
• With what controls will we secure this?
• Integrity or Confidentiality

Both address:

• What is the value of the asset or service to us?
• How do we protect it?

Where is the problem?

In large organizations we seek out ways to reduce cost by consolidation of process. What happens is:  Process optimization people looks at this from an enterprise architecture view and see a great deal of the same data is being collected by two different groups. This begs the question: Why not consolidate these into one data collection process?

In most cases you would be correct. In this case, you lose.

By only looking at a business process from a support of availability or fault tolerance view, we might use an old system to keep the business running. When would a controls person ever think about using the old firewall when the new one protects us against the current threat? Never? In this case we are framing the problem as a purely availability problem.  When you focus on availability with a goal of limping along until the optimized process is recovered, the business wins.

What about the other way?

Let’s throw that RA out the door and do BIA with a little added security? No, because now you have stopped looking at the evil, the adversarial issues, and the new vectors of attack. You’ve lost your edge in areas like: defense-in-depth.

What can we do to make it better for us, for you?

Keep them both and let them feed each other!

Policy:

• Require all BIA data to be communicated to the RA team
• Communicate in terms of Availability, Integrity and Confidentiality

Action items:

• Reset your BIA and RA to be at opposite ends of a time cycle
• Validate the focus of BIA is Availability
• Validate the focus of RA is Integrity and Confidentiality

Don’t know how to do these activities? Come to our free class!

CISSP: Bus. Continuity Planning Understanding Organization 2012-01-18 CENTRAL 12:30:00

Click here

Adobe connect is very stable. The way the server works when dealing with upgrades is assuming the worst about the client environment.  Every time the server is upgraded, the default behavior is to require a new install of the add-in for each client. Depending on your client  O.S. and the security configurations, this could problematic.

The theory is default behavior overwrite will work. It may or may not cleanly install or overwrite the previous installation.

So you need to track down the data and check for yourself:

when you are in the classroom  identify your current install in adobe room

• Top Left side Help |about adobe connect

Note your client environment:

• O.S. and service pack.
• Browser and version
• Flash Version

1. Test to see if you have an existing install

For windows

• Add and remove software
• Then remove the old folders
• Application data is a hidden folder- you might need to show
• In Windows XP: Delete the bin folder ‘C:\Documents and Settings\<<USER>>\Application Data\Macromedia\Flash Player\www.macromedia.com’
• In Windows Vista/7:  Delete the bin folder C:\User\<<USER NAME>>\App Data\Roaming\Macromedia\Flash Player\www.macromedia.com’

For Mac

• Drag and Drop  Adobe Connect Add in from applications folder  to trash
• Remove bin folder from User/Library/Preferences/Macromedia/Flash Player/www.macromedia.com

This is the most current install for each O.S.

• http://www.connectusers.com/downloads/

If you are still having problems adobeconnect will support you

• 800-422-3623

Every Tuesday I talk about a security topic in simple terms to reduce our security load, increase our efficiency, and make our security work better. There is a free class on the topic so you can have a deep dive. If you need continuing education credits, this counts.

CEH class starts January 21st! If you know someone, we are at least going to get certified, we will have fun, and we will definitely learn something about ethical hacking and penetration testing.

This post  is located here.

I know the world runs on databases, but I wish they all would get along, interoperate, or allow migration from one to another without an act of congress or a connector that blows my programming budget for the whole year. While I am wishing, let’s go for the whole enchilada: I wish security were not so squishy. What I mean is the claim that: if the operating system is secure, then the database is secure. With all the  the other tools that we use, we require that the tool stand on its own and not be dependent on the security of something else. Some database tools like encryption are a good idea in spirit, but as soon as availability goes down, management screams and the encryption is out the window.

How you deal with protection. Let’s limit our discussion:

The scope of database security:

• Authentication – yes or no you have an account
• Authorization – Permissions by role
• Auditing – Transaction details

Threats that are difficult to address:

• Inference – a guess
• Aggregation – combining two data points

Now if you cannot stay away from vendor specific options I understand, but try. Here are my suggestions until we come up with something better.

What can we do to make it better for us, for you?

Policy:

• Set expectations that databases are an integrity and availability tool, not a confidentiality tool
• Build roles examination into early phases of SDLC projects.

Action items:

• Research Tokenization
• Segregate data when you are dealing with internet facing databases

Don’t know how to do these activities? Come to our free class! Tonight!

CISSP: Application Security Databases

2012-01-10 18:00:00 Central

http://www.expandingsecurity.com/contact-us/adobe-connect-login?theclassid=3093&company=expsec&namex=drb1202&link=http%3A%2F%2Ftraining411.na3.acrobat.com%2Ff_15%2F

Or http://bit.ly/painpill1202

FROM DON MURDOCH

Modern databases can do more than just manipulate data in tables. In particular, they can run stored procedures which interact with the operating system by running operating system commands, or running object code that can do a myriad of tasks.

In order to accommodate these features, many organizations run database under a specific account.  And herein lays a hidden weakness which can be very, very difficult to detect. If an organization runs all of its database servers under the same account – say “DBServ” – then anyone with the account credentials can login to one database server, use those credentials to connect to a second server, install code or a stored procedure which can then go out and perform a malicious act. Even if the organization runs each database server with its own specific account, there is still a potential avenue of exploitation – a privileged entity that has access to multiple accounts can login to one database server with one account, connect to a second server with its specific account, and execute the same exploit.

What can we do to make it better for us, for you?

• Segregation – organize databases and their respective DBA users very carefully.
• Control accounts – segregate password management. Have someone other than the DBA assign the service account startup account properties.
• Set expectations – as we said previously …
• Logon trigger – Most modern DBMS systems can be setup so that a logon trigger fires whenever a logon occurs which records the source IP, application, and other details which can help respond.

The steps below, the files, and links within, are numbered in order of what you will need to read and do. If this set of steps is unclear, please attend orientation for a walk-through.

PREREQUISITE FOR THIS DOMAIN: REVIEW ALL BCP CISSP CLASS RECORDINGS:

F34 Recording CISSP

F35 Recording CISSP

F36 Recording CISSP

F37 Recording CISSP

F38 Recording CISSP

MOL BCP CISSP

Start of each week, Start of each domain process

01: Prepare – Download

Download all the meeting files below to your local drive and then copy to a USB drive.  You will open a new tab or window in your browser, authenticate, and then choose download. To make it easier, leave the authenticated window open until you download all files.

Download Excel tracking sheet same each week

Download these weekly, per domain to a portable drive; print only when absolutely necessary.

• Cases Combined – M34-M38
• Glossary – BCP Use Regular size (here), if you cannot find it and you need more use the BIG (here)
• Readings -

Memorize  DRII 7 steps BCI primer

These are all combined readings below

M34 p55

M35 p47

M36 p34

M37 p38

M38 p71

Extras SP800-34 p149 Disaster recovery p36

02: Print at the beginning of the week and add to binder.

• Case study overview (once at beginning of the course)
• Template Case worksheet (five  per week) or 44 total copies for class

03: Before any reading - Build Flash Cards from domain glossary download above

• You will need 50 lined note cards per week. A pack of 300 for the whole course.
• Get terms and definitions from 01 glossary download above.
• Hand written: blank side has the term, lined side has the definition.
• Write term big so you can see without your glasses
• If you are weak in concepts or process: build extra flash cards from readings bold headings =  term

04: Least Crappy Answer review

• 2-4 times over the 10 weeks review our exam taking tips recording.

Daily process: Before class. Repeat for each section of the domain.

05: Readings from 01 downloads section above

Know how fast you read and how well you comprehend. Input these results on your Excel tracking sheet for your instructor (test is here) These reading assignments are on a meeting by meeting basis.These can be as short as 20 pages and as long as 120. Please review the page counts and your reading speed to plan your readings before class. Try to read as much on your computer as possible to increase your portability. Reading 30-60 pages in pdf format is not optimal, but as a CISSP you must learn to do a great deal of reading on the computer. Sifting is a way of life.

06: Practice your note cards

• Carry your cards with you for that 5 minutes of study opportunity
• Get a partner to quiz you on the cards
• 20 seconds each
• Make one pile for Yes and No
• As you get a pile of Yes’s, move them to the big stack stored at home
• Keep working the No’s until they are gone

07: Do case study

• Use the combined cases from downloads section 01
• Case study overview
• Use the Case worksheet to write out your notes and thoughts on the business problem and solution
• Use your computer’s notepad or text editor to rewrite your problem and solution
• At class time, you will copy and paste to the chat for the case
• If you feel like you want more help on cases, email your notes to the instructor for input

Daily Process: At class time

08: Prepare notepad/text editor for Case notes from 06

• Copy and paste separately: problem and solution when directed by instructor
• Don’t do both at same time because we want to see what everyone says

Daily Process: After class

09: Write last flash card definitions from class

• Carry over all No’s to next week

LET IT GO! MOVE ON! DO NOT DOUBLE UP.

If you miss class

10: Recording Links: for your review of class presentations.

These are updated no later than one week after the new class has recorded.

You can get your quiz  in the recording, by pausing the recording and clicking through your quiz. See the orientation for more details. These will be post at the end of the week.

MP 34 Class Recording

MP 35 Class Recording

MP 36 Class Recording

MP 37 Class Recording

MP 38 Class Recording

End of week

11: Submit your completed Excel tracking sheet

• Your goal is to pass the exam on your first attempt
• We can find trends and problems before they become a failure
• If you are not ready for your exam we can help
• If you are not sure what to do, your instructor will use this data to make decisions
• We realize you have a life, a job, and a family and you need to get it all done
• Sometimes class and the exam are not a priority
• We still need the true data to make good decisions

All content is copyright protected. Downloading or reviewing any material means you consent to the copyright restrictions placed on all works by the author. You are forbidden from using any of this material in the teaching of any class. You are only permitted to use this as a current student of Expanding Security.  You are not permitted to copy and distribute these materials in any way.

Every Tuesday I talk about a security topic in simple terms to reduce our security load, increase our efficiency, and make our security work better. There is a free class on the topic so you can have a deep dive. If you need continuing education credits, this counts. A related reading is posted to expandingsecurity.com

Commercial-

• We have online classes come see if you like it. (see  below)
• CISSP starts Jan 14- Pass or we pay guarantee.
• CEH starts Jan 21

This post  is located here. Video is located here.

In the penetration test that I perform, the first thing I ask for is the last report; the outcome of the last penetration test. You would be surprised at the number of emails forwarded with the original report in plain text. Yes, the original email from the last testing team. Think about it. This is a list of everything that is or was wrong with the environment. Details such as servers, IP addresses, software versions, and screen captures are commonly communicated in plain sight.

Some would say there are many things wrong with the request. Some would say my request should be refused. They are all missing the point. Some penetration tester thought it would be easy or convenient for the client to have the details of their flaws forever floating around in the clear.  Where is this data? In email backup tapes or server snapshots, or local workstation .pst files copied to some cloud storage drive totally out of control and unprotected.

So how do we as penetration testers protect the client from themselves?

A few rules:

1. Encryption for all things not public
2. Abstraction of details when possible
3. Small chunks of sensitive details

1. Encryption for all things not public

Last week I walked into a meeting and the first thing we did was pick a password. There were four of us in that meeting. I took a little bit from each person and made a password that we all could remember, and then I added my own complexity. We agreed at that moment not to transmit that password ever in any digital communications. If any of us were to break that rule, a new password would be generated immediately. We agreed that any data that was not public would be encrypted with this password and we would use the heaviest encryption possible. For encryption tools: I suggest some tool that is cross-platform capable and easily available to all, like truecrypt.

So let us go back to the example from above. Yes the report could be floating around in cyberspace, in back up tapes, in archives of your .pst file, but now unless you have the password and the encryption algorithm, you would be hard pressed to decrypt the sensitive data.  This is not enough…

2. Abstraction of details when possible

You can easily communicate what the weakness is and how to fix it without exposing your client directly.

A bad report example

For the domain, ‘myclient.online.com’ the below listed IPs were scanned. The listed ports appear to be open on the server.

• Domain: myclient.online.com
• IP Address: 1.0.1.256
• Port No: 25 80 143 443

Apache Tomcat contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate input to the /server/ mappings. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user’s browser within the trust relationship between the browser and the server, leading to a loss of integrity.

The same data with abstraction

The main server described in the scope of the test was found to have three critical services running when only one was described as reasonable for that type of server.  The main service has a flaw that is considered extreme with a CVSSv2 Base Score between 7 and 8. For details please see item number 2011.12.30.123.a

Notice we did not need to give the IP address or the exact flaw to communicate how important this problem is to fix. People within the organization would know exactly what server we are talking about and with a score stated between two numbers we would not allow someone to do research to find the exact flaw from the CVSS or osbdb.org database. Lastly, we pointed the reader to exact details and an identifying number if they really needed to know more.

3. Small chunks of sensitive details.

I was given a past report from a client of mine that made a THUD when it hit the desk. Some would say this is impressive. I say taking a data dump on the client’s desk shows you only know how to kill trees, not how much you know about their business. Do we really need that much data AND all at once? No one is going to actually act on these items as if it were checklist. They are going to divide this up and give it to the people who need to patch, or to other people who are going to change the authentication, or to others that will address something else.

I suggest you do the work for the client if you can.  This entails identifying who will be taking what actions, cutting the report into smaller pieces, and distributing these smaller reports. This will limit the exposure of the infrastructure to those smaller chunks. These chunks should be encrypted, but you knew that from rule number 1.

Summary

Following these rules is a question of methodical planning and a good understanding of the client’s environment. You may not have visibility into the business process when you do your black-box test. You may not be given a tight scope. Your report may be four pages long and it might not be worth it to abstract the details. I doubt it.

I am betting your client will know you mean business about security when you take the time to protect report data from situations that arise long after you are gone. It is more likely that the client will hire you again if you secure the report.

What can we do to make it better for us, for you?

Policy:

• Email content scanning policy for pen testing
• Define pen test report as highest label possible

Action items:

• Tag sensitive inbound reports
• Remove attachments
• Search for key words relating to test, audit, vulnerability

Don’t know how to do these activities? Come to our free class!

CISSP: Operations Security IDS & IPS
2012-01-06
12:30:00 Central time

Click here 5 minutes before class

Or bit.ly/painpill1201

Details-

Content filtering via email- product review

The steps below, the files, and links within, are numbered in order of what you will need to read and do. If this set of steps is unclear, please attend orientation for a walk-through.

Start of each week, Start of each domain process

01: Prepare – Download

Download all the meeting files below to your local drive and then copy to a USB drive.  You will open a new tab or window in your browser, authenticate, and then choose download. To make it easier, leave the authenticated window open until you download all files.

Download Excel tracking sheet same each week

Download these weekly, per domain to a portable drive; print only when absolutely necessary.

• Cases Combined – M15-M18
• Glossary – SDLC
• Readings – please note readings are long this week

M15 Readings_SD_M15_Combined_p54

M16 Readings_SD_M16_Combined_p101

M17 Readings_SD_M17_Combined_p119

M18 Readings_SD_M18_Combined_p31

There is no M19 class

02: Print at the beginning of the week and add to binder.

• Case study overview (once at beginning of the course)
• Template Case worksheet (five  per week) or 44 total copies for class

03: Before any reading - Build Flash Cards from domain glossary download above

• You will need 50 lined note cards per week. A pack of 300 for the whole course.
• Get terms and definitions from 01 glossary download above.
• Hand written: blank side has the term, lined side has the definition.
• Write term big so you can see without your glasses
• If you are weak in concepts or process: build extra flash cards from readings bold headings =  term

04: Least Crappy Answer review

• 2-4 times over the 10 weeks review our exam taking tips recording.

Daily process: Before class. Repeat for each section of the domain.

05: Readings from 01 downloads section above

Know how fast you read and how well you comprehend. Input these results on your Excel tracking sheet for your instructor (test is here) These reading assignments are on a meeting by meeting basis.These can be as short as 20 pages and as long as 120. Please review the page counts and your reading speed to plan your readings before class. Try to read as much on your computer as possible to increase your portability. Reading 30-60 pages in pdf format is not optimal, but as a CISSP you must learn to do a great deal of reading on the computer. Sifting is a way of life.

06: Practice your note cards

• Carry your cards with you for that 5 minutes of study opportunity
• Get a partner to quiz you on the cards
• 20 seconds each
• Make one pile for Yes and No
• As you get a pile of Yes’s, move them to the big stack stored at home
• Keep working the No’s until they are gone

07: Do case study

• Use the combined cases from downloads section 01
• Case study overview
• Use the Case worksheet to write out your notes and thoughts on the business problem and solution
• Use your computer’s notepad or text editor to rewrite your problem and solution
• At class time, you will copy and paste to the chat for the case
• If you feel like you want more help on cases, email your notes to the instructor for input

Daily Process: At class time

08: Prepare notepad/text editor for Case notes from 06

• Copy and paste separately: problem and solution when directed by instructor
• Don’t do both at same time because we want to see what everyone says

Daily Process: After class

09: Write last flash card definitions from class

• Carry over all No’s to next week

LET IT GO! MOVE ON! DO NOT DOUBLE UP.

If you miss class

10: Recording Links: for your review of class presentations.

These are updated no later than one week after the new class has recorded.

You can get your quiz  in the recording, by pausing the recording and clicking through your quiz. See the orientation for more details. These will be post at the end of the week.

MP 15 Class Recording

MP 16 Class Recording

MP 17 Class Recording

MP 18 Class Recording

End of week

11: Submit your completed Excel tracking sheet

• Your goal is to pass the exam on your first attempt
• We can find trends and problems before they become a failure
• If you are not ready for your exam we can help
• If you are not sure what to do, your instructor will use this data to make decisions
• We realize you have a life, a job, and a family and you need to get it all done
• Sometimes class and the exam are not a priority
• We still need the true data to make good decisions

All content is copyright protected. Downloading or reviewing any material means you consent to the copyright restrictions placed on all works by the author. You are forbidden from using any of this material in the teaching of any class. You are only permitted to use this as a current student of Expanding Security.  You are not permitted to copy and distribute these materials in any way.