7 Minute Security

Well, after over-teasing this last week, I'm excited to announce that I've started my own company! 7 Minute Security, LLC gives me an outlet to do all my favorite infosec stuff, such as: Network assessments Vulnerability scanning Penetration testing Training Public speaking I welcome you to check out 7MinSec.com for more information. Or 7MinuteSecurity.com or SevenMinuteSecurity.com. Collect 'em all! What does this mean for the podcast? Nada - I'll keep cranking it out. Maybe we'll cover a few more business related topics (people have asked about how to get an LLC off the ground, so I might do an episode or two on that), but otherwise everything's the same! What about the Patreon project? Because I've been blessed with this opportunity - which will in turn help me keep the 7MS lights on - the Patreon campaign will close down soon. For you lovely Patreons, I've sent you a message (via Patreon site and via email) with more details.

We're continuing to hammer on the CSCs again this week. Here's some rad resources that can get your CSC efforts in the right direction: CIS Implementation Guide for SMEs CIS Cybersecurity quarterly newsletters Netdisco lets you locate machines by MAC or IP, show the corresponding switch port, and disable it if necessary. Defensive Security Handbook isn’t specifically mapped to CSCs but offers great advice to tie into them. Open-Audit tells you what’s on your network, how it’s configured, and when it changes.

Nothing to do with security, but I've heard this song way too much this week. I love the CIS Controls but it seems like there isn't a real good hands-on implementation guide out there. Hrmm...maybe it's time to create one? Speaking of that, check out the MacMon project and chat with us about it via Slack. After hearing rave reviews about Fingbox (not a sponsor), I picked one up (~$120) and wow, I'm impressed! It's got a lot of neat features that home users and SMBs would like as it related to mapping to CSC #1: Ability to map network devices to users to create an inventory Email alerts for new devices that pop up on the network Block unwanted users from the app, even when not directly connected to the LAN Nice set of troubleshooting tools, such as wifi throughput test, Internet speed test, and port scanning of LAN/WAN devices More on today's show...

For a long time I've been electronically in love with the Critical Security Controls. Not familiar with 'em? The CIS site describes them as: The CIS Controls are a prioritized set of actions that protect your critical systems and data from the most pervasive cyber attacks. They embody the critical first steps in securing the integrity, mission, and reputation of your organization. Cool, right? Yeah. And here are the top (first) 5 that many organizations start to tackle: Inventory of Authorized and Unauthorized Devices Inventory of Authorized and Unauthorized Software Secure Configurations for Hardware and Software Continuous Vulnerability Assessment and Remediation Controlled Use of Administrative Privileges Google searches will show you that you can definitely buy expensive hardware/software to help you map to the CSCs, but I'm passionate about helping small businesses (and even home networks!) be more secure, so I'm on a quest to find implementable (if that's a word?) ways to put these controls in place. I'm focusing on control #1 to start, and I've heard great things about using Fingbox (not a sponsor) to get the job done, but I'm also exploring other free options, such as nmap + some scripting magic. More on today's episode...

My plans for this week's podcast went hush-hush, kablooie, bye-bye, see ya, adios. So, I'm pinch-hitting and going off-topic and talking about...of all things...cops. Now wait! Wait wait! Don't run away. I'm not going all political on you or anything like that. Just wanna share some anecdotes and perspectives on the following: What it was like growing up with a dad who was a cop Losing a cousin in the line of duty Getting a call from my local police department this week claiming I was a danger to a school bus full of kids. Whaaaaa? Oh, and I sing a little bit on this episode too.

I'm gonna level with you: it's been a heck of a week. So I thought I'd try something a little different (and desperate?) and use this episode to answer some FAQs that come in via email and Twitter DM. Today's burning questions include: Q: Do I think it's dangerous to podcast and drive? A: Not really, especially now that I got one of these babies. Q: What is the eJPT cert all about? A: It looks like a pentest training/cert path that sits somewhere (difficulty wise) between CEH and OSCP. It's favorably reviewed and will set you back a few hundred dollars. Have you taken this cert? I'd love your feedback and, if possible, to do a mini Skype interview with you for the show. Drop me a note and lets chat. Q: What's a good place to practice Web hacking skills online? A: I've been a long time fan of Juice Shop, and up next in my queue is HackTheBox. Q: Any more Vulnhub.com VMs in the works? A: Kinda. Listen to today's episode :-)

I went to my first ever banking-focused infosec conference a few weeks ago (WBA's Secure-IT) and learned a ton. I met some really great people and had many productive conversations around security. The main takeaways from the conference that I talk about in today's episode: Standing all day and talking about security is exhausting! You can thwart "swag whores" (sorry mom, but I learned that that's what they're called!) by pushing your merch table deep into the booth so it's touching the rear curtain. That way people have to go through your "people perimeter" and engage in conversation with you in order to be granted access to the swag! From the conversations I had with the staff at these small banks, they're definitely wanting to slurp up as much helpful info from the sessions as possible. Specifically, finding ways to better improve security posture using free/cheap tools is ideal! I attended a few sessions that got my blood boiling. The outline of these talks went something like this (slight exaggeration added, but not much): Hackers are way smarter and more physically attractive than you, and they can get by all your defenses with ease You're helpless, hopeless, and not physically attractive Luckily we (Vendor X) are here and we offer our patented Super Solution Y that will thwart the APTs 100% of the time, no question, guaranteed People don't appreciate being talked down to, nor do they want to be shamed, blamed or scared into making security better. More on today's episode...

I'm excited to announce I'm going to be a PacktPub author! I'm going to work with them to create a course on network/vulnerability scanning. I'm pumped, but kinda nervous, so when I had the initial conversations with PacktPub staff, I made sure I hit them with my burning questions: Q: Are you going to ask me to create a sweet course and then pay me pennies for every digital copy sold? A: No. Authors get paid a lump sum up front and then share in profits for digital copies sold. Q: Who's gonna dictate the project outline - as well as timeline for recording it? A: It's a joint effort. The author dreams up the timeline, fine-tunes it with PacktPub, and then hammers out a mutually agreeable project timeline. Q: Do I have to buy some expensive software/hardware to make these videos? A: Not really. PacktPub did recommend I buy a better microphone (so I got a Snowball), and then they license authors a copy of Panopto to record the videos. More Qs and As covered on today's episode!

Intro The patching solutions review concludes this week with Ivanti's patch solution, as well as PDQ Deploy/Inventory. As a quick reminder, here's where our bake-off currently sits: Ninite (covered in 7MS #275) ManageEngine (covered in 7MS #277) Quick reminder: none of these solutions are bribing me with fat wads of cash to plug their products. Some day I hope to have such problems, but today is not that day. Ivanti You might know Ivanti as Shavlik - that's the product name I'm more familiar with anyways. Back in February, Shavlik became Ivanti. Pros Pretty easy to install and manage - even without a deep background in IT (in today's episode I tell a story that can back this claim based on my experience) Does a solid job of applying patching Windows OS and third party Cons Pricing is a little steep - last figures I saw were ~$80 per server, per year and ~$40 per workstation, per year. ITScripts library (that allows for GPO-style policy enforcement) is a little slim when compared to similar functionality offered from other solutions PDQ Deploy/Inventory Pros Lets you crazy with building custom packages you can deploy to granular groups Awesome online help resources, including a YouTube video library that's got a video for just about everything Quick response to support tickets Cons A bit more complicated to get comfortable with than the other solutions A little confusing on the Windows patching side - not quite as "point and patch" as some of the other solutions Agentless system - machines have to be able to "see" the PDQ

Intro We're breaking ground with this episode, folks! For the first time in 7MS history, we've got a guest on the show (finally, right?!). Rob Sell is an IT manager who has been working in IT for many years, with a focus on information security specifically for the last 4 years. He recently came home from Defcon 25 with a third place in the SE CTF. Rob sat down with me to discuss the CTF, how to make an outstanding CTF audition video, OSINT tools/tips/techniques, the value of tech/security certifications, career advice, and more! Interview notes and links Here's Rob's Defcon CTF audition video EchoSec helps you see a geographical area at a certain point in time. According to the Web site, EchoSec is "the most comprehensive social sentiment tool on the market" - hmmmm, seems like a great SE tool! X-Ray is "a tool for recon, mapping and OSINT gathering from public networks." Michael Bazzell's Web site has online training, free tools and other goodies. Michael also has some books. Christopher Hadnagy has a podcast that's strictly focused on SE. He's also got some books. ArcGIS isn't necessarily labeled as an SE tool, but can certainly be used for SE efforts.

ManageEngine Desktop Central Overall, I have to bluntly say that I really enjoyed playing with ManageEngine's solution. It's got a crap-ton of features built into it - above and beyond patching - that I think IT/security folks will really appreciate. Pros Agent or agentless management of systems MDM (didn't play with it but it certainly looks feature-rich) Application white/blacklisting Ability to push out configurations for things you'd normally use GPOs for - i.e. setting a login banner, enforcing screen locks, setting IE homepage and search engine, etc. Patch management is full-featured - it's easy to setup a simple "scan systems, download and deploy missing patches." Or just a "scan to identify missing patches" kind of thing. It's easy to run a variety of reports to find out which systems are most vulnerable, which patches are missing across the enterprise, etc. Software deployment engine - there's a big package library where you can easily search and deploy things like Dropbox, Adobe Reader, etc. It also includes a self-service portal where users can simply select certain packages and have them installed automagically! Inventory - ability to have detailed hardware/software level details on each machine. Ability to block software by path and/or hash. You can also give people a warning saying "We're gonna nuke dropbox in 2 days if you keep it on here!" Agent-based install gives you ability to chat with users, remote control systems, send announcements, drop to a command line at a target machine, etc. Reports - you can create a report for just about anything under the sun like AD group changes, user logon reports, users that are disabled/expired, and on and on... Email alerts - I think you can trigger an email alert for just about ANYTHING that happens in the environment. ...more on today's episode!

This is it! The worldwide Internet debut of an original infosec-themed song called CryptoLocker'd, and as the name implies, it's about a CryptoLocker incident. Here's the quick back story: A few years ago a worked on an incident response where a user got phished with a promise of a free burrito from Chipotle but instead got a free order of CryptoLocker! And rather than tell IT or sound the alarms, the user just left for the day! The next day they came back and the company was digitally on fire, and they played ignorant to what was going on. I found the user's handling of the situation humorous (read: not the CryptoLocker infection itself!), so I was inspired to write a song about it. Today's episode has the audio, and I welcome you to follow along with the lyrics below (head to 7ms.us to see the full lyrics as they are included in a GitHub gist)

This episode continues our series on comparing popular patching solutions, such as: Ninite ManageEngine Ivanti PDQ Ninite This week I focused on Ninite, and here's the TLDR version: Pros Does one thing (third party patching) and does it really well Extremely affordable User interface is clean, simple and really easy to use/learn Cons No "agentless" option - it's an agent or nothin' I'm not sure if Ninite has the brand name recognition and reputation to be accepted/respected by large companies I need to do more homework on how they pull down their packages...are they ripping apart packages and repackaging them at all? That could be a big avenue for side-loading icky stuff.

I'm back from Vegas! My talk went really well and I'm excited to tell you about it in today's episode. First, some conference/trip highlights: During the ILTACON conference I attended a great talk by Don McMillan about how to infuse humor into your work environment. Really enlightening, and you know those things you hear about how humor lowers blood pressure, increases satisfaction and just overall makes you a more pleasant person to be around? Turns out it's true! On the day before my presentation I got my first experience touring around the Vegas strip, and the people watching did not disappoint. I also saw the Muhammad Ali and Van Gogh exhibits, which were awesome. When it came to the actual talk, everything went really well. The audio/visual stuff all worked perfect, and I felt the content delivery went over well too. People asked a lot of questions and even hung out afterwards to discuss security topics further. There were two big surprises I wasn't expecting, though: A podcast listener was at the conference, and shared with me that after listening to lots of 7MS episodes, he always figured I looked like Jared from Subway. :-( There were super talented artists from a company called Filament did a comic-book style retelling of my talk live as I was doing it. I love crazy-talented people like this, so I was totally geeking out. I reposted the renderings (with their permission) at my personal portfolio site if you wanna check 'em out.

I ran out of time in episode #272 to tell you about why preparing to be a speaker for ILTACON was way more stressful that preparing for Secure360 a few months ago. The main points of difference/stress were: ILTA wanted to see PowerPoint deck progress weekly, whereas with Secure360 it was pretty much "Your talk is accepted - see you at the conference!" ILTA is going to show a "speaker slide" with bio a few minutes before the sessions starts. That way the session is focused on content (and probably avoids people who like to talk about themselves too much :-) ILTA requested my PowerPoint and handouts a few weeks before the session so they could put on their Web site for attendees to see. Although that put some pressure on me to get content done early, I think it's great because presumably some people at the talk will have screened the content and therefore be more tuned in.