
NetWorks Group Blog

Red Teaming - Is it right for you?

01/28/2015

Last week, I wrote an article for a popular online journal regarding the similarities between cyber security agility and militant warfare.  It was an exhaustive piece, and geared toward high level strategic planning (see full article here: http://redteamjournal.com/2015/01/red-teams-scale-terrorism-cybersecurity-agility/)

I want to write a separate article here that talks about how to actually apply the concept of “red teams” in your enterprise.  First and foremost, red teaming for cyber security refers to the concept of a small team of hackers reviewing an organization to determine if they can gain access to critical assets.  This may not sound much different than a penetration test, but one crucial piece is almost non-existent in a red team exercise:  scope.  A red team combines web application, mobile platform, physical, social engineering, and network testers into a single team whose goal is to profile the organization and gain access.

Let me be the first to say that I am not stating that every organization needs to hire or employ a red team.  As with any security assessment, the right amount of intelligence gathering must be performed to determine if your organization is even a potential target for a red team test.  I want to highlight how to help determine if a red team test is right for you.

The first thing that every organization should determine is who is targeting them.  This is a critical and often overlooked step.  Organizations will sometimes default to the answer of “everyone,” which is not always the case.  This is often referred to as “threat intelligence” and involves reviewing several non-technical aspects of the organization.  Threat intelligence is a beast in itself, and outside the scope of this conversation.  Some easy questions that you can ask yourself are:

  • What is valuable in my organization?
    • Do we influence financial market places?
    • Do we provide technical details on any market spaces?
    • Do we employ personnel whose knowledge can be used against us?
  • Does my organization affect other organizations?
    • Do we provide strategic, technical, or monetary advantages for larger corporations or conglomerates?
    • Do we have technical connections (VPNs or other secure connections) or other vendors who may have ties with other corporations?
  • Is our organization a political ally/enemy of someone?
    • Would success or failure of the enterprise or its partners provide positive or negative influence over the regional or global landscape?

As you can see these are not overly technical questions, but they can help you to evaluate the types of threats that could face your organization.  After we have performed our own threat intelligence, we can then look to determine the “Levels of Hackers” that might be interested in our organization.  If you are unfamiliar with our levels of hackers, then I encourage you to read my previous article.  In a nutshell, Level 1 represents our least sophisticated hackers, while Level 3 represents our most sophisticated hackers.  Believe it or not, red teams can be employed by all levels of hackers in our model.  Organizations that are not as fluent in their security posture as they should be can easily find themselves victim to very unsophisticated attacks by hacker groups that do not possess the operational doctrine employed by cybercriminal or state-sponsored attackers.  However, the tactics employed by these attackers can still resemble red teaming activities.

After your organization has determined its threat, and the types of attacker that could be targeting it, finally it’s time to allow your security team to go to work.  This is the easiest part.  Your security teams should be employed with the people and resources they need to conduct testing in the same fashion your attackers are.  As an organization, you should strive to allow your testing entity the freedom of movement throughout your organization as they see fit.  If the organization attempts to limit the scope of a red team test, you run the risk of negatively isolating segments of your organization that pose the greatest risk.

If you consistently outsource your testing to a third party (such as NetWorks Group), then that organization has to do steps 1 and 2 above before they test your organization, and the good ones will.  After all, the success of the red team helps to push organizational security farther.

Vulnerability Management - A Call to Arms

1/13/2014

I had a completely different article typed up, however after catching up on my morning news and seeing a huge amount of controversy regarding Coordinated Vulnerability Disclosure (CVD) from Microsoft, I decided to reach out to the NetWorks Group Community and help our customers (past, current, and prospective) understand what that means to them.

Reference:  http://blogs.technet.com/b/msrc/archive/2015/01/11/a-call-for-better-coordinated-vulnerability-disclosure.aspx

Vulnerability management is a crucial part of an organization's security posture.  But that is a given; I want to talk about the why.  The article from Microsoft talks about Coordinated Vulnerability Disclosure (CVD) which, in short, is a way for security researchers to disclose security information in coordination with the vendors to prevent exploit code from being utilized in the wild ahead of security patches.  For those who have not spent a lot of time in this arena, there is a constant battle between how quickly security researchers can find vulnerabilities and how quickly companies can get them fixed.  It is the essential “chicken and egg” problem.  We need researchers to find vulnerabilities and release them to the public, so that scan vendors can create scanning signatures, so that we can defend our networks with more agility.  However, the industry still struggles with what a good vulnerability management program looks like.

The basic areas for vulnerability management can easily be visualized by breaking it down into four distinct areas:  Baseline, Assess, Resolve, and Lifecycle (See figure below).

During the “Baseline” phase, organizations need to prioritize establishing where their technological debt is in the enterprise.  Believe it or not, most organizations do not know where all of their assets are on the network, what their purpose is, or the risk they pose to the integrity of the network.  Secondary to that is policy development, especially as it pertains to obtaining new systems and decommissioning retired systems.  I’ve been to organizations that will “decommission” systems only to leave the network cable attached.  I would compromise a decommissioned system as part of a penetration test and the organization would swear that it was no longer on the network, only to find out that it was never unplugged.

Phase two is the “Assess” phase.  We need this phase in the enterprise.  This is the organization's “eyes” into its threat footprint.  We want to assess our network's threats on a monthly basis, at a minimum.  The great thing about a vulnerability management program is that it can be incredibly affordable when compared to services like penetration tests.  At the same time, with the proper evaluation of the information, it can be a great indicator of the results of a penetration test when utilized effectively.

Equally important, at phase three, is the “Resolve” phase.  Believe it or not, this is where your organization will struggle the hardest.  There is no other way to say it, but your organization must develop a plan to remediate or mitigate anything identified in the Assess phase.  Otherwise:  What is the point?  One concept that is often overlooked, and causes the biggest stumbling block, is the misconception that everything must be patched.  Poorly equipped Infosec people are to blame for this.  Organizations must make a risk decision regarding remediation.  By prioritizing assets from phase one based on criteria such as business impact, and using threat assessment information from phase two, you are better equipped to make informed decisions about when and how to remediate or mitigate your assets.

Finally, we include a phase called “Lifecycle”.  This is about building a culture of good security practices inside of the organization.  We want to have organizations identify how the system got into the vulnerable state to begin with.  Was the patching process flawed?  Did the system get added to the inventory outside of the normal purchasing process?  Is there a delinquent equipment refresh process that prevents systems from being upgraded in a timely manner?  We need to evaluate how we got into this situation so that we can realistically change those habits and make for a more productive security mindset in the organization.

In the end, organizations should employ a robust and cyclical vulnerability management program.  That program should provide the organization with information that helps them to assess the threat and risk of all information technology assets within the enterprise.  The vulnerability management program as a whole is key to ensuring constant information is being provided to the teams that need to make strategic and dynamic changes to the posture of the network.

Penetration Testing for the Executive

12/16/2014

Whether you are a veteran security executive who has received hundreds of penetration testing reports, or a part-time security manager whose primary roles lie in traditional business management, it can be difficult to decipher the encrypted text held within some penetration testing reports.  The problem exists because there is not a standard for penetration testing reporting inside of the industry.  I’ve seen literary works that range anywhere from Dr. Seuss to William Shakespeare.  I have peer reviewed reports for associates whose bad grammar could make a first grader wince.  The goal here is to identify what makes a penetration test report good, how to interpret the results, and finally how to put them to use in your strategic planning to improve organizational security.

There are many frameworks for the penetration testing report, and this is not a discussion of which ones are best.  However, an important conversation to have is what elements make a report valuable to the people reading it.  As penetration testers, we have to remember we could potentially have every level of an organization reading our reports, from the tactical level where technicians will fix our findings to the leadership level where they need to take responsibility for the security of their organization.  First and foremost, the report you receive should tell you the impact a breach on your network would cause.  We, as penetration testers, MUST speak to the business impact a breach would have on an organization.  A well-conducted penetration test, one that simulates an attacker's attempt to breach your network, should tell you the data and information that was successfully compromised.  This information should be directly relevant to your business.  For example, if your organization stores payment card information, then the report should indicate what, if any, payment card data was compromised.  This should also include how many systems were compromised as part of the penetration test.

A second, critical section of any penetration report should be the very detailed “kill chain” on how your organization was compromised, how the data was accessed, and how that information was used to perpetuate additional compromises.  This section can be more tactical and should speak to the organization's technicians who would be tasked with remediating the compromise.  This section should be riddled with screenshots used as validation of the compromise.  We oftentimes joke about how all executives can understand are pictures.  However, a far more practical reason for showing pictures in this section is to illustrate the compromise so that technicians at the tactical level cannot “snowball” leadership with confusing jargon.

The two elements outlined above represent what I feel are the “must haves” to a good penetration testing report.  It is important to point out that other elements may be included, and you should weigh them equally for how they will directly help your organization.  It is also important to remember that a penetration test is a “demonstration of exploitability”.  This means that if you receive a penetration test report that lists your vulnerabilities, but doesn’t have any demonstrative examples or validation you should challenge those who conducted your penetration test.

Now that you have your penetration testing report, you need to be able to execute on your organization's strategic goals for security, using those results as direction.  Remember, a penetration test is a “demonstration of exploitability,” and you should utilize the results that come out of a test to show the immediate need for security changes.  Well-rounded organizations that are conducting regular vulnerability management and patching should consider those security measures as the “good hygiene” efforts of security.  The successful results of a penetration test should immediately highlight security issues that fall outside the identification capabilities of your vulnerability scanner, or assist with identifying issues in your current vulnerability management process.  This helps you to prioritize the penetration test results ahead of your normally identified vulnerabilities.

Penetration testing can be an integral part of your organization's security strategy when the results are presented in a way that helps your organization visualize and prioritize.  Never be afraid to challenge the results of your penetration testing vendor if you do not understand them or feel the information is not presented in a way that helps your organization strategically.  You paid for this information, and should be able to utilize it.

NetWorks Group is Proud to be Sponsoring BSides Detroit 2013

June 6th, 2013

IT Security is thriving in the Detroit Metro area and we're proud to be sponsoring BSides Detroit 2013 this year!  Security BSides is an innovative new un-conference style meetup that brings local security professionals together to share experiences, knowledge, and network.

Security B-Sides Detroit 2013 comes to the Renaissance Center on June 7-8. The conference honors the tradition of Security B-Sides while continuing to build on its own unique history. We continue to showcase local speakers and stories that attendees will not find at other conferences. With two days of content and several tracks, the conference will also feature some of the best and brightest national speakers. This year's event features workshops, contests, and a capture the flag contest. B-Sides Detroit is setting a new standard for Security B-Sides conferences. The tickets are available to users, security professionals and business leaders at http://bsidesdetroit13.eventbrite.com.


A play on words, Security B-Sides began as a small conference beside a major conference, featuring B-track speakers. The Security B-Sides conference began in 2009 in Las Vegas, alongside the Black Hat security conference. The idea of a community-driven event spread. By the end of 2010, Security B-Sides events had been held in San Francisco, Austin, Boston, Atlanta, and Dallas/Fort Worth, running concurrently with such conferences as RSA, SxSW, and Source.


BSides Detroit was part of a new wave of cities that followed. Detroit broke the mold in many ways. First, unlike the original events, BSides Detroit began as a standalone destination conference. A commonly told joke is that Detroit is literally beside itself, as the conference is larger and longer than the early BSides events. While BSides Detroit embraces the local speaker model, the organizers also concentrate on attracting A-list national speakers. 

http://www.securitybsides.com/w/page/63094316/BSidesDetroit13About

We'll see you Tomorrow(6/7/2013) and Saturday(6/8/2013) for some great talks and workshops!

Twitter Adds Two-Factor Authentication for Users

May 24th, 2013

After a string of high-profile account compromises that included the Associated Press and Burger King, Twitter has added an additional (but optional) layer of authentication to help protect users from being the next big-name account that's compromised.

By adding a second-factor of authentication (that's to say, beyond the user's password), Twitter is able to provide a higher-level of integrity to the authentication process by utilizing a user's cell phone number to send an SMS with a one-time token. In this manner, a compromised password will not yield account access unless that same attacker is able to intercept the SMS or steal the user's phone. Clearly, this is a great step in the right direction and something other companies have done previously, such as Dropbox and Facebook.

If you or your company wants to proactively protect a Twitter account, simply review the step-by-step directions posted by CNET. By enabling this extra step, the likelihood of an attacker compromising a Twitter account will generally plummet (save for some very sophisticated attackers).

As end-users, the best way to get other companies to follow-suit is to use these types of features when made available to show that demand exists. Through implementation of two-factor authentication, the user once again has a fighting chance against password brute-forcing and general phishing attacks.

Failing Gracefully: Using AWS for Web Site Failover

May 13th, 2013

When it comes to the Internet, keeping your organization's presence online is crucial to the accessibility of resources for customers, potential and existing. At NetWorks Group, we understand that despite the best of intentions and planning, downtime will likely still occur, at least a few minutes per year. Many teams put forth a goal of 100% uptime for their web site, but often get a dose of reality when a large storm hits their data center or other issues pop-up that may be out of their direct control. To this end, we wanted a way to minimize full-downtime so that our presence on the Internet would only be down as minimally as possible, without going over-the-top on infrastructure to do so.

Amazon Web Services provides a plethora of cloud services to help teams do more for their environment with less overhead of capital expenditures. By cherry-picking needed services with AWS, you can find great cost-saving solutions to otherwise expensive — or complicated — problems. In the instance of a web site, the overhead costs and management of a second (or third?) data center to avoid an hour of downtime a year may be overkill for many organizations. For NetWorks Group, our web site being down, while not desirable, is not so critical that it will impede our ability to provide amazing service to our customers. With that in mind, we wanted to take a direction with web site downtime that would be economical, easy to manage, but also give us a minimal downtime of our Internet presence.

By utilizing the AWS services Route 53 and S3, we're able to provide a great failover solution when our primary web server is unreachable or down. In February 2013, Route 53 added features to allow for DNS Failover and S3 Website Hosting. The idea is that a simple health check — i.e., AWS verifies it can receive a 200 response code from your web server — will decide whether or not to failover your web site from its regular home to a special S3 bucket with your "downtime" page. By configuring a low DNS Time-to-Live (TTL), your DNS record can be changed to point to this failover end-point within a minute or two.  Through having this S3 bucket at the ready, you can automatically failover to a static-content site to provide critical information to customers such as contact information, expected time-to-recovery, etc.
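The following is an added example, not NetWorks Group's own configuration. It builds the ChangeBatch document that `aws route53 change-resource-record-sets` accepts for a PRIMARY/SECONDARY failover pair (a health-checked A record for the web server and an alias to the S3 website endpoint holding the downtime page), then models what a resolver sees once the health check flips and how long the switch can take. The domain, addresses and health check ID are placeholders; the S3 website hosted zone ID is the one AWS documents for us-east-1 and must be looked up for other regions.

```python
"""Route 53 DNS failover to an S3 "downtime" bucket, modelled offline."""
import json

# Constructed placeholders: substitute your own zone, host and bucket.
DOMAIN = "www.example.com"
PRIMARY_IP = "203.0.113.10"            # TEST-NET-3 address, not a real host
S3_WEBSITE_ENDPOINT = "s3-website-us-east-1.amazonaws.com"
S3_WEBSITE_ZONE_ID = "Z3AQBSTGFYJSTF"  # AWS-documented ID for us-east-1 website endpoints
TTL_SECONDS = 60                       # low TTL so cached answers expire quickly


def health_check_config(ip, path="/", interval=30, failure_threshold=3):
    """Definition for `aws route53 create-health-check`.

    Route 53 probes for an HTTP 2xx/3xx response and marks the endpoint
    unhealthy after `failure_threshold` consecutive failures spaced
    `interval` seconds apart.
    """
    return {
        "IPAddress": ip,
        "Port": 80,
        "Type": "HTTP",
        "ResourcePath": path,
        "RequestInterval": interval,
        "FailureThreshold": failure_threshold,
    }


def failover_change_batch(domain, primary_ip, health_check_id, ttl=TTL_SECONDS):
    """ChangeBatch that UPSERTs a PRIMARY A record and a SECONDARY alias.

    The SECONDARY record aliases the S3 website endpoint; for that to serve,
    the bucket must be named exactly `domain` with website hosting enabled.
    """
    primary = {
        "Name": domain,
        "Type": "A",
        "SetIdentifier": f"{domain}-primary",
        "Failover": "PRIMARY",
        "TTL": ttl,
        "ResourceRecords": [{"Value": primary_ip}],
        "HealthCheckId": health_check_id,
    }
    secondary = {
        "Name": domain,
        "Type": "A",
        "SetIdentifier": f"{domain}-secondary",
        "Failover": "SECONDARY",
        # Alias records carry no TTL of their own; Route 53 uses the target's.
        "AliasTarget": {
            "HostedZoneId": S3_WEBSITE_ZONE_ID,
            "DNSName": S3_WEBSITE_ENDPOINT,
            "EvaluateTargetHealth": False,
        },
    }
    return {
        "Comment": "Primary web server with S3 downtime page as failover",
        "Changes": [
            {"Action": "UPSERT", "ResourceRecordSet": primary},
            {"Action": "UPSERT", "ResourceRecordSet": secondary},
        ],
    }


def resolve(change_batch, primary_healthy):
    """Model Route 53's answer: PRIMARY while healthy, otherwise SECONDARY."""
    sets = [c["ResourceRecordSet"] for c in change_batch["Changes"]]
    wanted = "PRIMARY" if primary_healthy else "SECONDARY"
    rrset = next(s for s in sets if s["Failover"] == wanted)
    if "AliasTarget" in rrset:
        return rrset["AliasTarget"]["DNSName"]
    return rrset["ResourceRecords"][0]["Value"]


def worst_case_failover_seconds(hc, ttl=TTL_SECONDS):
    """Upper bound from outage to clients reaching the S3 page:
    detection time (threshold x interval) plus one TTL of cached answers."""
    return hc["FailureThreshold"] * hc["RequestInterval"] + ttl


if __name__ == "__main__":
    hc = health_check_config(PRIMARY_IP)
    batch = failover_change_batch(DOMAIN, PRIMARY_IP, "HEALTH-CHECK-ID-PLACEHOLDER")
    print(json.dumps(batch, indent=2))
    print("healthy ->", resolve(batch, True))
    print("outage  ->", resolve(batch, False))
    print("worst-case failover:", worst_case_failover_seconds(hc), "seconds")
```

With the defaults above the worst case is 150 seconds, which is where the "minute or two" comes from: three 30-second probes to declare the server down, plus a 60-second TTL for resolvers to drop the old answer.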

So the next time your team is considering spending double or triple its budget to handle a few annoying minutes of downtime, think about utilizing Amazon or other cloud service providers to handle the problem gracefully and economically.

NetWorks Group is Hiring: Come Join Our Team!

May 6th, 2013

If you're a fan of delicious restaurants, awesome concert venues, Big 10 sports, or just a bike-friendly city, then you should probably be working with us in beautiful downtown Ann Arbor, Michigan. The team at NetWorks Group works at the corner of Main and Huron, a central-point to blocks of great places to shop, eat, and relax at. Located a short distance from the University of Michigan, NetWorks Group benefits from the feeling of both a college-town and an active business hub for southeastern Michigan. For a vibrant mixture of cultures, architecture, and activities, Ann Arbor is hard to beat!

Beyond the location though, NetWorks Group allows for the growth of employees into various realms of information security and technology. If you've never had the opportunity to work for a Managed Services Provider before, you're in for one of the best learning experiences of your life. By interacting with dozens of different types of companies and industries in one position, you'll get a chance to learn about technologies and organizations that you likely never knew about. While the work is sometimes fast-paced, the knowledge gained is very rewarding and valuable to have. If you're passionate about maximizing your growth as a professional or gaining new insights into an industry you thought you already knew, we're here to lead the way.

If you're just getting started in IT or are 15-years in, we'd love to discuss the opportunities that we're currently looking to fill with bright and talented people. Even if a position matching your unique skill-set isn't listed, please still reach out to us and we'll certainly determine if we have a spot for you now, or in the near future. By working at NetWorks Group you will be joining a team of accomplished, talented professionals who love to take new challenges head-on.

Whether your talents or interests are in web application development, ethical hacking, compliance, network engineering, or systems administration, there's likely a place for you on our team. Be sure to take a look at our Careers page and check back often as our needs are always changing.

Configuration Backups for Enterprise Business Continuity

April 29th, 2013

Does your organization have backups? How about backups that are outside the confines of your primary data center? According to research (The Acronis Global Disaster Recovery Index: 2012) looking at data from 6,000 IT respondents, "Almost a quarter (23%) of all businesses still don’t have an offsite backup strategy in place today." The need for an off-site backup can be much more than just an added protection for availability, but also a point of integrity for changes occurring within your enterprise. Consider what would happen if an attacker was able to breach your network and then altered a crucial configuration file. Without an off-site backup, they could potentially edit the existing backups to hide their malicious change and you'd never be the wiser. Much in the same way that log backups sent off-site have added integrity, configuration backups also benefit from this technique.

It's also stated in the report by Acronis that "human error is still the most common cause (60%) of system downtime." Think about every change that happens to your firewall on a daily basis, policy update to your AV configuration, or VLAN alteration on a switch. Without a previous configuration, it can often be difficult (if not impossible) to determine how and when a change occurred to a given device. Further, by allowing for many backups to be retained off-site, differentials of backups can occur, helping to clarify any confusion around the way that a given device has been changed over time.
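As an added illustration of the two points above (it is not NetWorks Group's backup service), the following keeps a SHA-256 digest of each configuration snapshot as an off-site store would, detects when the on-site copy no longer matches that digest, and produces the differential between two snapshots. The firewall policy lines are constructed sample text.

```python
"""Off-site configuration backups as an integrity check, modelled offline."""
import difflib
import hashlib

# Constructed sample: a firewall policy on two consecutive days.
CONFIG_DAY1 = """\
set policy id 1 from trust to untrust any any HTTP permit
set policy id 2 from untrust to trust any mail-server SMTP permit
set policy id 3 from untrust to trust any any ANY deny
"""
CONFIG_DAY2 = """\
set policy id 1 from trust to untrust any any HTTP permit
set policy id 2 from untrust to trust any mail-server SMTP permit
set policy id 4 from untrust to trust any admin-host SSH permit
set policy id 3 from untrust to trust any any ANY deny
"""


def digest(config_text):
    """SHA-256 over the exact bytes stored; this value is what goes off-site."""
    return hashlib.sha256(config_text.encode()).hexdigest()


def take_snapshot(config_text):
    """The pair an off-site store keeps for each backup: body plus digest."""
    return {"body": config_text, "sha256": digest(config_text)}


def verify_onsite_copy(onsite_text, offsite_sha256):
    """True if the on-site backup still matches the digest held off-site.

    An attacker who edits the on-site backup to hide a change cannot also
    rewrite the off-site digest, so the mismatch surfaces here.
    """
    return digest(onsite_text) == offsite_sha256


def config_diff(old_text, new_text):
    """Unified diff between two snapshots: the 'differential' that shows
    how a device changed between backups."""
    return list(difflib.unified_diff(
        old_text.splitlines(), new_text.splitlines(),
        fromfile="day1", tofile="day2", lineterm=""))


def added_rules(old_text, new_text):
    """Only the policy lines that appeared between two snapshots."""
    return [line[1:] for line in config_diff(old_text, new_text)
            if line.startswith("+") and not line.startswith("+++")]


if __name__ == "__main__":
    snap1 = take_snapshot(CONFIG_DAY1)
    # Simulated tampering: the on-site backup is edited to match a
    # weakened rule so that the change looks like it was always there.
    tampered = CONFIG_DAY1.replace("ANY deny", "ANY permit")
    print("on-site copy matches off-site digest:",
          verify_onsite_copy(tampered, snap1["sha256"]))
    for line in config_diff(CONFIG_DAY1, CONFIG_DAY2):
        print(line)
```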

Because NetWorks Group is focused on helping a wide variety of customers, the need to support an equally broad set of device types is required. When you utilize our Configuration Backup service, your team can rest assured that we are taking regular (daily, weekly, monthly — your choice) backups of your most critical devices and services. Because our customers' needs change so rapidly, we're constantly adding support for new backup types. If you're curious what we currently back up, here's our point-in-time view of backup types currently being supported:

  • Juniper: Junos, ScreenOS, Network and Security Manager, Trapeze, SSL VPN, RingMaster
  • Trend Micro: OfficeScan, Email Encryption Gateway, Worry-Free, InterScan (Web or Messaging) Security Virtual Appliances
  • Cisco: IOS, ASA
  • Aruba: Wireless Controllers
  • Check Point: Firewall
  • Axway: Mailgate
  • Miscellaneous: Web Servers (e.g. Apache + MySQL), Asterisk PBX, BIND, Nagios

The need to back up these configurations is no more evident than in the following research quote: "The vast majority of organizations surveyed (86%) had experienced one or more instances of system downtime during the past 12 months that had, on average, lasted 2.2 days." Most teams can't afford to be down for hours, let alone days. Don't spend your time at 2AM trying to remember how to build a complex firewall configuration or IPS policy; let NetWorks Group provide you with the off-site backup of the configuration when you need it most.

Through a focus on redundancy and cryptography, NetWorks Group protects your data so that it's both safe from attackers and ready-to-go in a pinch. Remember, if you don't see your device or platform supported, just click "Contact Us" below and we'll be glad to discuss how our team can better serve yours. There's too much at stake not to.

Hiring an Ethical Hacker: Tips for Success

April 23rd, 2013

At a recent ISSA Motor City chapter meeting one of our Sr. Security Engineers, Mark Stanislav, presented his thoughts on how the process of hiring Ethical Hacking (EH) services could be better accomplished by an organization that may not be familiar with doing so. During Mark's presentation he outlined ten big-picture topics and sub-points to each, covering a broad set of ideas. We thought we'd share some of those points today in a post regarding this crucial and sometimes complicated process. If your company is trying to hire penetration testing services (or other EH projects), we hope these notes may give you a bit better of a sense of what to expect and how to ensure success with your project.

Understand Why You Need the Service
It's an extremely common request for our team to handle a penetration test or web application security review for an organization based on the requirements of their customer or a compliance auditor. However, we always make sure that the service they are requesting is the service that they actually need. Because of the rather broad set of phrases thrown around for Ethical Hacking services, customers sometimes are told to have "security testing" done, but not much more guidance is given. We highly recommend that for any required services a very clear statement of expectations is provided to you by your customer or auditor. Further, auditors should be able to clearly state, "You require an external penetration test.", or "You require a web application security review.", and not simply, "Test your security!".

Communicate With Your Teams
While the reasons for an Ethical Hacking project may vary customer-to-customer, we generally advise sharing the discussion with as many stakeholders as possible. We recommend to customers to let their team leaders, IT security managers, ISPs, data centers, and cloud services providers all know of the pending work. If we are interrupted during testing due to someone blacklisting our IP addresses or having an ISP null-route our network, the ability for us to assess security is highly impeded. Unless the goal of the test is a fully-stealth assessment, we recommend letting us test and report with the least impedance beyond proper security controls (e.g. IPS, existing firewalls, etc.). By communicating with your teams, everyone will be able to receive the most value from the work and we can do ours as intended!

Don't "Fix Things" During Testing
It's extremely tempting for a developer or systems administrator to make adjustments during a security assessment to slant the outcomes a bit more favorably toward their roles. However, changing code or configuration during an assessment can lead to confusion among the people assessing your security, which leads to delays and inaccurate findings. Unimpeded testing allows the professional that your organization has hired to best do their job and accurately represent the current status of information security. The myopic attitude of "I'll fix it before it's on the report" will likely end up with us investigating with leadership why and how something changed during our work, while still figuring out what changed and why. Letting the results stand as results gives a great way to have a direction for real, honest improvement for your organization, which will surely benefit everyone in the long run.

We hope that you have found some value and insight in these points. While there are certainly many more that Mark shared with his audience, we thought these may give some direction to the organizations out there having to hire Ethical Hacking services for the first time! As always, we're happy to discuss how we handle EH projects, from penetration testing and vulnerability assessment, to web application security and code reviews. Feel free to contact us via the "Contact Us" button below for any additional information your organization needs about these important services.

Come Chat with NetWorks Group at an Upcoming Event

April 17th, 2013

At NetWorks Group, we put a lot of value in interacting in person with the various technology communities important to our team. More than that, we love to be able to meet with customers and people looking to find out more about what we do and how our team could help yours achieve tough goals.

Part of this community interaction often leads our team to present and attend at a variety of events, especially in the mid-west. Here are some upcoming events where you can meet and chat with some of our team!

  • ISSA Motor-City — Livonia, MI — http://www.issa-motorcity.org/
    Mark Stanislav (Sr. Security Engineer) and Don Ledwidth (Sr. Auditor) will be in attendance on April 18th, 2013. Mark will be one of the presenters that evening, with his talk titled, "So You Want to Hire a Penetration Tester? 10 Tips for Success".
  • NOTACON — Cleveland, OH — http://www.notacon.org/
    Scot Armstrong (Account Manager) and Mark Stanislav (Sr. Security Engineer) will be headed down to Cleveland April 19th - 21st, 2013, for the tenth NOTACON! Mark will be presenting regarding RubyMotion iOS development.
  • Penguicon — Pontiac, MI — http://www.penguicon.org/
    Mark Stanislav (Sr. Security Engineer) will be presenting on Sunday, April 28th, 2013 at Penguicon. This will be the third year in a row that Mark has presented at this content-diverse event. He'll be discussing the downfalls of poor web application programming and more!
  • #misec — Royal Oak, MI — http://michsec.org/
    Mark Stanislav (Sr. Security Engineer) will be giving a talk about core Linux security practices on May 9th, 2013, calling upon over a decade of systems administration experience during his career. Come meet with one of the largest monthly-ran security groups in Michigan.
  • Michigan Cybersecurity Industry Summit — Ann Arbor, MI — http://www.merit.edu/cyberrange/industrysummit.php
    Matt Warner (Creative Manager) and Mark Stanislav (Sr. Security Engineer) will be in attendance for this first annual event on May 14th, 2013. The line-up is great, so we hope to see you there for the talks and conversation.
  • Great Lakes 2013 InfraGard Conference — Ypsilanti, MI — http://efmevents.com/2013/infragard/
    Mark Stanislav (Sr. Security Engineer) will be presenting his talk, "Core Linux Security: 0-Day Isn't Everything", at this year's annual event on May 16th, 2013. InfraGard provides for an exciting variety of talks from information technology to homeland security.
  • Stir-Trek — Columbus, OH — http://stirtrek.com/
    Mark Stanislav (Sr. Security Engineer) will be attending the latest installment of this event on May 17th, 2013. Mark will be speaking about web application security. If you love technology and want to catch a free movie, this event is for you!
  • Security B-Sides Detroit — Detroit, MI —  http://www.securitybsides.com/w/page/61144863/BSidesDetroit13
    Matt Warner (Creative Director) will be attending the third year of this community-driven event. Free attendance downtown in the beautiful Renaissance Center! Come hang out June 7th and 8th, 2013.

If you know of any cool events happening that we should be attending or maybe even presenting at, feel free to contact us using the "Drop Us A Line" button below, we'd love to hang out. Come find us at one of these events and we'll be sure to update everyone where we'll be headed later this Summer and Fall in a future blog post.
