Month: December 2019

Here’s some of the cool stuff I captured on a CCSP boot camp in December 2019.

First up is a list of books, websites, and videos recommended by our instructor:

The Art of Profiling: Reading People Right the First Time Hardcover – 1 Jul 2012

by Dan Korem

A recommendation for red teaming. The book details a system for rapid-fire profiling people after just a few minutes of interaction. Used by USAF for gaining confidence and entry to site etc.

CSA Security Trust Assurance and Risk (STAR)

A site to find out about major cloud service providors audits and assurance. The Security Trust Assurance and Risk (STAR) Program encompasses key principles of transparency, rigorous auditing, and harmonization of standards. Companies who use STAR indicate best practices and validate the security posture of their cloud offerings.

https://cloudsecurityalliance.org/star/

Consensus Assessments Initiative Questionnaire v3.0.1

The “cake” is the defacto standard supplier assessment questionnaire. 

The CAIQ is based upon the CCM and provides a set of questions to ask a CSP: https://cloudsecurityalliance.org/artifacts/consensus-assessments-initiative-questionnaire-v3-0-1/

Cloud Security Alliance – Privacy Level Agreement

https://cloudsecurityalliance.org/research/working-groups/privacy-level-agreement/

STIGS

Useful security configuration guides from the Defense Information Systems Agency (DISA) called the Security Technical Implementation Guides (STIGs). 500+ guides covering all platforms and systems.

https://public.cyber.mil/stigs/downloads/

OODA Loop 

Like the Plan / Do / Check / Act (PDCA) cycle the OODA Loop was a military interpretation of the Demming model used by the USAF https://en.wikipedia.org/wiki/OODA_loop

Can be applied in a cyber context.

Scientists Extract RSA Key from GnuPG Using Sound of CPU

Keys can now be extracted from hardware / chips using microphones:

“In their research paper titled RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis, Daniel Genkin, Adi Shamir and Eran Tromer et al. present a method for extracting decryption keys from the GnuPG security suite using an interesting side-channel attack. By analysing the acoustic sound made by the CPU they were able to extract a 4096-bit RSA key in about an hour (PDF). A modern mobile phone placed next to the computer is sufficient to carry out the attack, but up to four meters have been successfully tested using specially designed microphones.”

https://it.slashdot.org/story/13/12/18/2122226/scientists-extract-rsa-key-from-gnupg-using-sound-of-cpu

RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis

http://www.cs.tau.ac.il/~tromer/acoustic/

https://www.tau.ac.il/~tromer/papers/acoustic-20131218.pdf

Data Protection in Outer Space

Following a discussion about cloud hosting in the ocean, the discussion turned to what happens about data protection and privacy in space. It turns out its already been thought about:

https://www2.deloitte.com/nl/nl/pages/risk/articles/privacy-in-space.html

https://iclg.com/practice-areas/data-protection-laws-and-regulations/2-the-application-of-data-protection-laws-in-outer-space

There has already been a cyber crime in space!

Common Criteria

Common Criteria (CC) is an internationally recognised certification scheme for security enforcing products:

https://www.commoncriteriaportal.org/products/

https://www.ncsc.gov.uk/information/common-criteria-0

This is the source of the evaluations that give the EAL ratings (which rarely exceed 4 in civilian applications).

Public Key Exchange Videos

Public key cryptography – Diffie-Hellman Key Exchange (full version)

The history behind public key cryptography & the Diffie-Hellman key exchange algorithm.

From Art of the Problem

Also (not shown on the course)

Public Key Cryptography: RSA Encryption Algorithm

Distrusted Certificate Authority

Symantec’s SSL / Certificate Authority / PKI business was sold to Digicert following Googles decision to not trust Symantec certs in Chrome:

https://en.wikipedia.org/wiki/DigiCert

OWASP Top Ten Proactive Controls Project:

The Top 10 Proactive Controls

The goal of the OWASP Top 10 Proactive Controls project (OPC) is to raise awareness about application security by describing the most important areas of concern that software developers must be aware of. 

The list is ordered by importance with list item number 1 being the most important:

C1: Define Security Requirements

C2: Leverage Security Frameworks and Libraries

C3: Secure Database Access

C4: Encode and Escape Data

C5: Validate All Inputs

C6: Implement Digital Identity

C7: Enforce Access Controls

C8: Protect Data Everywhere

C9: Implement Security Logging and Monitoring

C10: Handle All Errors and Exceptions

https://www.owasp.org/images/b/bc/OWASP_Top_10_Proactive_Controls_V3.pdf

Also of use is the OWASP The Ten Most Critical Web Application Security Risks

https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

The Fallacy of the “Zero-Trust Network” Video 

Funny and usual vitriolic content about de-perimeterisation. Basically the Jerico foundation anger brought up to date for the cloud and zero trust age:

Some useful content.

Privacy-first – DNS service

The 1.1.1.1 is a free Domain Name System (DNS) service that is supposed to protect privacy. There is also a mobile app. Run by cloudflare.

https://en.wikipedia.org/wiki/1.1.1.1

Chaos Engineering

Netflix have developed resilience testing tools that initiate process kills, network failurse and other issues that test resiliency of services:

https://en.wikipedia.org/wiki/Chaos_engineering

Network and Security Monitoring

Zeek is the new name for the long-established Bro system. Bro was used by the instructors business to monitor multiple businesses along with Zabbix.

Home

Security Onion

Security Onion is a free and open source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, Wazuh, Sguil, Squert, CyberChef, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!

https://securityonion.net/

Zabbix

Monitor anything with Zabbix. Solutions for any kind of IT infrastructure, services, applications, resources.

https://www.zabbix.com/

Kibana

Kibana is an open source data visualization dashboard for Elasticsearch. It provides visualization capabilities on top of the content indexed on an Elasticsearch cluster.

https://en.wikipedia.org/wiki/Kibana

Snort NIDS

https://www.snort.org/

Critical Stack

Capital ONE’s secure container orchestration 

https://criticalstack.com/

PSTools

https://docs.microsoft.com/en-us/sysinternals/downloads/pstools

Also Mark Russinovich is now CTO of Microsoft Azure https://en.wikipedia.org/wiki/Mark_Russinovich

Gray Hat Hacking: The Ethical Hacker’s Handbook, Fifth Edition

The group remembered the contribution of Shon Harris and apert from her CISSP book the following book was recommended:

Gray Hat Hacking: The Ethical Hacker’s Handbook, Fifth Edition explains the enemy’s current weapons, skills, and tactics and offers field-tested remedies, case studies, and ready-to-try testing labs.

The Cathedral & the Bazaar

The book on open source software is by Eric S. Raymond. Interesting point made – how come with no central leadership can open source be better? Many eyes means less faults.

Daily News Feeds

Bleeping Computer – Website

https://www.bleepingcomputer.com/

The 443 – Security Simplified – Podcast

https://www.secplicity.org/category/the-443/

Windows Logging Recommendation

The best windows logging resource recommended on the internet is Randy’s:

https://www.ultimatewindowssecurity.com/

SPAM and Scam Beating:

Comedian James Veitch / Veech: The agony of trying to unsubscribe | James Veitch – TED Talk on Youtube (and other related videos)

Also – good old:

https://www.419eater.com/

https://www.419eater.com/html/john_boko.htm

Cloud Infrastructure as Code

Use Infrastructure as Code to provision and manage any cloud, infrastructure, or service with Terraform:

https://www.terraform.io/

General Bits and Pieces

Blackhat Europe Keynote – Malwaretech 

Bluetooth Vulnerability for Android and IOT

https://en.wikipedia.org/wiki/BlueBorne_(security_vulnerability)

Police using dogs to sniff out thumb drives

https://www.theverge.com/2018/6/11/17449002/police-k9-training-thumb-drives

Insider Threat: US Military example

https://en.wikipedia.org/wiki/John_Anthony_Walker

Google random rewards and recognition

Oracle / Sun Micro Systems ZFS file system

George Gilder: Visionary – Highly Recommended Author by the Instructor

Life after Television (1985) by George Gilder – for told the way we use the internet today

Life after Google (2018) – predicts the shift away from current advertising driven model

The Feynman Technique Model

To memorise things, write them down then say them out loud. More detail at:

https://mattyford.com/blog/2014/1/23/the-feynman-technique-model

Kali Linux Adds ‘Undercover’ Mode to Impersonate Windows 10

https://www.bleepingcomputer.com/news/security/kali-linux-adds-undercover-mode-to-impersonate-windows-10/

Agile Manifesto

Bill Gates – “The source code is the documentation”

Exploits of a Mom – XKCD

Innovators Dilemma – Book

Carbon Black – VM Ware tools

ISO References

27001

27002

27017

27018

27050

27037

31000

15408

19086-1. -2.  -3

19941

19944

19933

27036

22237

19441

11889

17788

27034-1

22301

27031

27034

20000

20050

18788

270017

270018