1. Intro to INFOSEC
Sean Whalen
sean@seanpwhalen.com
https://seanpwhalen.com
@SeanTheGeek
2. To view this slide deck with links
https://j.mp/infosecintro
3. Disclaimer
The views and opinions expressed
here are my own, and may not
represent those of my past,
current, and post-apocalyptic
employers.
4. Who is this guy
• I’m an Information Security Engineer
• Specializations: Intelligence, malware analysis, and network defense
• Human log parser
• Fairfield CC/Reynoldsburg HS ’09 – Ohio Dominican University ‘13
• Work(ed) for
• DISA/DoD (Columbus, OH)
• CBTS/GE Aviation (Cincinnati, OH)
• Cardinal Health (Dublin, OH)
5. Topics
• What INFOSEC is and isn’t
• The importance of INFOSEC as it relates to business
• How attacks work, and how they can be prevented
• The challenge and fun of security
• The state of the industry and job market
• The benefits and limits of a college education
• Thoughts on career
6. What is INFOSEC
Information Security (INFOSEC) is the
practice of applying reasonable controls that
mitigate threats to the integrity,
confidentiality, and availability of
information.
It includes layers of non-technical controls,
such as policies, training, and locks.
The goal is to make attacks impractical,
while respecting business needs.
The tricky part is finding balance.
Wikipedia/John Manuel
11. How encryption is used
• To protect data at rest (e.g. on a portable hard drive)
• To protect data in transit (e.g. login submission)
• A system that uses encrypted data must be able to decrypt it
• A vulnerable application can leak keys and/or plaintext data
12. Windows is inherently insecure.
Macs don’t get viruses.
Of course it’s secure, it’s open source!
13. Operating system security
Any operating system can and should be
hardened: Installing patches, disabling
unused features, limiting users, etc.
Malware can be written for any OS.
The security of an OS is largely dependent
on the vigilance of its admin, and the
trustworthiness of its users.
Windows security has steadily improved
since XP SP2.
Apple is still adjusting to being a larger target
as its market share grows.
Decades-old flaws have been discovered in
extremely common open source software.
16. It’s easy to hide on the internet.
Catch me if you can! TOR and VPNs FTW!
17. OPSEC
Operational Security – Securing the details of
what people do.
Only sharing
• Who?
• What?
• When?
• Why?
• How?
On a “need-to-know” basis
Changing behavior, passwords, and keys
Securing communications
It goes against human nature. People like to
brag/help.
18. Meet Ross Ulbricht
Convicted of charges related to operating
the “hidden” online illegal drug marketplace,
Silk Road.
While an IRS Special Agent was looking for
directions on how to access the hidden site,
he found early forum posts from a user
named altoid, promoting the site on the
normal internet.
Looking at altoid’s earlier posts, he
found the user had posted his email as
rossulbricht@gmail.com.
He was sentenced to life in prison without
the possibility of parole, as required by the
“Super Kingpin” section of the CCE statute.
His lawyers are appealing.
The incredibly simple story of how the gov’t Googled Ross Ulbricht
20. Industrial Espionage
It’s real.
A group of PLA officers/employees were
indicted by grand jury in the US.
Evidence shows that they were actively
engaged in industrial espionage, something
China denies.
Although it is extremely unlikely that the
group will be extradited, such attribution
shows that even state actors can be sloppy
with OPSEC, and the state can be called out
on its actions, if desired.
An attacker’s sloppy OPSEC can be used for
defense, even if the attackers cannot be
directly identified and/or arrested.
United States of America v. Wang Dong, et al. (Crim. No. 14-118 W.D. Pa.)
21. The Cyber Kill Chain
A concept for modeling attacks, developed
by Lockheed Martin.
Allows defenders to build intelligence from
both failed and successful attacks.
By building intelligence-driven defenses for
each stage of an attack, you are more likely
to catch future attacks.
Force the attacker to change tactics across
all attack stages, providing more intel.
The more they try, the more you learn.
Can be used to group attacks/attackers.
Intel can be shared among groups for herd
immunity.
Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains
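As an added example (not from the slides), the grouping and sharing ideas above in working Python: attempts that reuse any indicator are merged into one campaign, and each campaign reports the furthest kill-chain phase it reached (where detections need work) and the union of its indicators (what can be shared). Phase names follow the Lockheed Martin paper; the observation records and indicator values are constructed placeholders.

```python
from collections import defaultdict

# Phase order from Lockheed Martin's Cyber Kill Chain paper.
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives"]

# Constructed sample data: (attempt id, furthest phase reached, indicators seen).
# Indicator values are placeholders, not real IoCs.
OBSERVATIONS = [
    ("A1", "delivery", {"sender:hr-update@example.invalid", "hash:aaa111"}),
    ("A2", "exploitation", {"hash:aaa111", "c2:203.0.113.5"}),
    ("A3", "delivery", {"sender:payroll@example.invalid", "hash:bbb222"}),
    ("A4", "command_and_control", {"c2:203.0.113.5", "hash:ccc333"}),
    ("A5", "installation", {"hash:bbb222"}),
]

def group_campaigns(observations):
    """Union-find over shared indicators: attempts that reuse any indicator
    (file hash, sender, C2 address) are merged into one campaign."""
    parent = {aid: aid for aid, _, _ in observations}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    first_seen = {}
    for aid, _, indicators in observations:
        for ind in indicators:
            if ind in first_seen:
                parent[find(aid)] = find(first_seen[ind])
            else:
                first_seen[ind] = aid
    groups = defaultdict(list)
    for aid, _, _ in observations:
        groups[find(aid)].append(aid)
    return sorted(sorted(g) for g in groups.values())

def summarize(observations):
    """Per campaign: the furthest phase any attempt reached (the stage whose
    detections failed) and all indicators (the intel worth sharing)."""
    by_id = {aid: (phase, inds) for aid, phase, inds in observations}
    summary = {}
    for campaign in group_campaigns(observations):
        furthest = max(KILL_CHAIN.index(by_id[a][0]) for a in campaign)
        indicators = set().union(*(by_id[a][1] for a in campaign))
        summary[tuple(campaign)] = {"furthest_phase": KILL_CHAIN[furthest],
                                    "indicators": indicators}
    return summary

if __name__ == "__main__":
    for campaign, info in summarize(OBSERVATIONS).items():
        print(campaign, info["furthest_phase"], sorted(info["indicators"]))
```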
22. Sharing is hard
What do you collect?
What do you share?
Can you share it?
How do you share it?
Who do you share it with?
Who can you trust?
What can you do with shared information?
Declassified SASC Inquiry Into Cyber
Intrusions of TRANSCOM Contractors
23. Standards
IT INFOSEC is still a very new field.
Organizations want to be secure.
Most are trying to figure out how to do that.
How do we hire? What tools do we need?
There are many “standards” for sharing
security information – none are compatible
with each other.
xkcd
25. Motivation matters!
• More than anything, good employers look for these things in a candidate:
• Basic understanding of the concepts
• Ability to communicate and work with peers and management
• Willingness/eagerness to learn
• Passion for the work you do
• Don’t chase a job just for the big bucks
• Find your niche in CS/engineering/networking/programming
• Do what you enjoy doing, you’ll be great at it, and the big bucks will follow
• It’s pretty easy to change roles in an IT career; stick around for a couple
years at least and build reputation unless you absolutely hate it
26. Tips for career building
• Create a GitHub account, create little projects for things that interest you
• Doesn’t have to be anything fancy
• Could be something to make your life/school a little easier
• Could be something fun and wacky, so long as it’s SFW
• Shows employers that you know how to code and be creative
• Buy your own domain based on your name (they’re cheap)
• Create a simple, one-page web version of your resume
• Add a professional photo, and links to projects
• Maybe add a journal blog to track what you are learning
• Showcase all of these things on your paper resume to show employers you
are motivated!
27. INFOSEC job market
• Columbus is (IMO) the best job market for IT in Ohio, and among the
top in the country
• INFOSEC specialists are in demand at mid-to-large size businesses
• However, most businesses require some experience before they will
hire someone for INFOSEC, even at entry level
• It’s common for someone to start as a sysadmin or developer, and
gain INFOSEC-related experience as they work
• Security+ could give your resume a little boost
29. Common INFOSEC roles
• Incident Responder – Responds to alerts generated by security tools
• Information Assurance Manager (IAM) – DoD role that checks
systems to ensure compliance with policy
• Vulnerability Manager – Responsible for running vulnerability scans
on systems and applications
• Risk manager – Helps to define IT policy, and ensure compliance with
that policy
30. Specialized roles
• These roles are usually only found within large organizations, or
security firms:
• Intelligence Analyst – Responsible for collecting, managing, and
sharing threat intel
• Reverse Engineer – Responsible for reverse engineering malware,
and determining indicators of compromise
• Pentester – Responsible for conducting penetration tests against the
organization
31. News sources
• Please don’t get your INFOSEC news from gadget blogs. They have
no idea what they are talking about.
• Some good sources
• ArsTechnica
• Krebs on Security
• https://twitter.com/SeanTheGeek/lists/infosec
• /r/netsec (great aggregation!)
• The Full Disclosure mailing list
32. Education
• Most employers require a bachelor’s degree
• Your degree can be general CS, but there is one NSA-certified program in
Ohio
• UC’s cybersecurity program (Dr. Franco)
• To make the most out of your college education, start looking at
internships. Ask questions in class. Make tuition worth it.
• Find topics that interest you, and start learning. There are lots of
great free, online resources.
33. Learning resources
• How to be an INFOSEC Geek
• Iron Geek – Videos of almost every conference talk, podcasts, and
more!
• Reverse engineering – Practical Malware Analysis
• Pentesting – Hack Yourself First
• Web app security – OWASP – Web Security Dojo
• Attack detection – Security Onion
• Automate the Boring Stuff with Python – Awesome, free online book
• The InfoSec Speakeasy – Tutorials and news
42. Security tips
• Always install up-to-date patches for your OS, browsers, browser plugins, and office suites
• If you use Windows
• Upgrade to Windows 10 (it’s free), and be sure to configure the privacy settings to your liking
• You should turn off Wi-Fi Sense
• Install Microsoft EMET
• Avoid free third-party AV like Avast and AVG. Windows 10 comes with free AV that is quite good, assuming
you follow safe computing habits like these
• Remember: Malware is increasing for Mac, Linux, and mobile devices too
• Don’t download or install freeware, shareware, pirated software, cracks, keygens, or warez
• Use separate passwords for key accounts (e.g. OS, Wi-Fi, email, banking, social media)
• Limit third party app access to your accounts
• Never loan or borrow devices, storage media, or credentials
I used to say “Hollywood-style *never* happens!”…and then it happened, to Hollywood!
Screenshot of the ransom note left on Sony Pictures’ PCs by North Korean hackers.
You might be thinking of a nice new work-at-home job right now, but…
Here we have the creatively named “Stealer” program used by the “Ajax Security Team” in Iran. They are my favorite APT group to talk about because there’s so much public documentation on them. Not because FireEye is so awesome, but because their OPSEC was so poor as they transitioned from hacktivism to espionage.
I did some digging on VirusTotal, and found a sample of their Stealer bundled with a copy of UltraSurf, a legit tool to circumvent internet censorship.
This suggests that their espionage targets included Iranian dissidents, thus aligning themselves with an Iranian government agenda.
The main part of the program is an unobfuscated .NET PE, so you can decompile it to source code in a few clicks with ILSpy. Winning!
Reverse engineering is rarely this easy.
You can see they set static variables for a passphrase and salt; bad practices right off the bat…
They also run a DLL, whose sole purpose in life is to ship out files Stealer makes via FTP.
Then they proceed to completely ignore the variables they created in AES crypto calls, which are copy-pasted over and over...and they misspelled proxy.
The combination of FTP and symmetric encryption left the attackers open to being pwned.
Yet, once you start digging through the rest of the code beyond the main class, you’ll find it is well-written. There’s even code to send and receive files via various protocols, including FTP and HTTP (which would be most successful), and stubs for SFTP and SMTP. That makes AppTransferWiz.dll completely unnecessary. The stark contrast in quality suggests that the Ajax team appropriated most of this code from someone else, which isn’t surprising given their start as hacktivists.
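An added example (my reconstruction, not code from the Stealer sample) of why the static passphrase and salt, together with symmetric encryption and plain FTP, left the exfiltrated files recoverable, which is also the point of slide 11 (a system that uses encrypted data must be able to decrypt it). The passphrase and salt constants are placeholders, and an HMAC-SHA256 counter keystream stands in for the sample’s AES calls since the Python standard library has no AES; the key-handling flaw is the same either way.

```python
import hashlib, hmac, os

# Constants as an analyst would read them out of the decompiled binary.
# Placeholders: the real sample's values are not on these slides.
HARDCODED_PASSPHRASE = b"placeholder-passphrase"
HARDCODED_SALT = b"placeholder-salt"

def derive_key(passphrase, salt):
    """PBKDF2 with a fixed passphrase and fixed salt yields the same key on
    every run and every victim, so the key effectively ships in the binary."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 10_000, dklen=32)

def keystream_xor(key, nonce, data):
    """Counter-mode keystream from HMAC-SHA256, a stand-in for the sample's
    AES calls. XOR is its own inverse, so this both encrypts and decrypts."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def sample_encrypt(plaintext):
    """Model of the sample's key handling: derive from the fixed constants,
    encrypt, prepend the nonce so the receiving side can decrypt."""
    key = derive_key(HARDCODED_PASSPHRASE, HARDCODED_SALT)
    nonce = os.urandom(12)
    return nonce + keystream_xor(key, nonce, plaintext)

def analyst_decrypt(captured_blob, passphrase, salt):
    """What anyone holding the sample plus a captured FTP upload can do:
    re-derive the key from the constants and read the stolen data."""
    key = derive_key(passphrase, salt)
    return keystream_xor(key, captured_blob[:12], captured_blob[12:])

def recover_demo():
    # Constructed stand-in for a stolen credential file found on the FTP drop.
    stolen = b"browser: user@example.invalid / hunter2\n"
    blob = sample_encrypt(stolen)
    return analyst_decrypt(blob, HARDCODED_PASSPHRASE, HARDCODED_SALT) == stolen

if __name__ == "__main__":
    print("recovered captured upload:", recover_demo())
```

Because the receiving side needs the same key, and that key is fixed in the binary, every copy of the malware and every captured upload shares one secret; a per-deployment key exchanged out of band is what the attackers would have needed, and its absence is what makes the drop readable to a defender.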
It’s easy to laugh about this, until you see they were targeting the aerospace industry with well-designed phishing attacks during a time of heightened US-Iran tensions.
According to FireEye, there is evidence that they continued to use this malware for some time. This suggests that Stealer was successful at least some of the time.
If it ain’t broke, don’t fix it. Right?
Stealer can steal credentials from common browsers and IM programs
This is from a much less sophisticated attacker from Nigeria who uses OWA creds to send scam emails, but this crude phishing still works in a lot of organizations.
Many companies have ESL employees who might not spot bad grammar or spelling. Some employees may not be familiar with standard IT procedures. These people aren’t stupid, just under-informed.