Geek Speak

12 Posts authored by: Brandon Carroll

I’ve spent countless hours trying to find the perfect tool for the job. In fact, I’ve spent more hours searching at times than I have doing the work. You’ve probably done that before. I hear a lot of people are the same way. I look at it as if I’m searching for that needle in a haystack. When I find it, I’m over the moon. But what about when it comes to our end users? Do we trust them enough to locate that needle in the haystack when it comes to software that will enable them to perform their work? I'd venture to guess that in larger organizations the resounding answer is no! But why?

 

Elmedia Player

Let's use the media consumption application Elmedia Player as a working example. Now it's true that our end users probably won't need Elmedia Player to get their job done, but the method behind what happened here is what I'm interested in discussing.

 

On October 19, 2017, ESET Research reported that Elmedia Player had been briefly infected with the Proton malware strain. In fact, the developers of Elmedia Player, Eltima, later reported on their blog that they were directly distributing the compromised software from their servers. In this case, the malware is delivered via the supply chain.

 

Let's now put this in the perspective of our end users. Imagine that an end user shows up at work to find that their workstation doesn't have some set of software that they use at home. They feel comfortable using this software and decide to find it on the interwebs and download it themselves. They grab said software package and install it. Off to work! Another great day.

 

However, in this instance, they have obtained a package that's infected with malware. It's now on your network. Your day has just gone downhill fast. You'll likely spend the rest of the day restoring a machine or two, trying to figure out how far the malware has spread, and second-guessing every control you've put in place. In fact, you may not even realize that there's malware on the network initially, and it could be days or weeks before the impact is realized.

 

Taking it to the Enterprise

Let's move this discussion to something more fitting for the enterprise. We've already discussed online file storage services in this series, but let's revisit that a bit.

 

Imagine that we couple the delivery of malware packaged into an installer file with the strong encryption performed by these online services, and you can pretty much throw your visibility out the window. So here's the scenario. A user wants to share some files with a colleague. They grab a free Dropbox account and share some work stuff, some music, and some apps that they like, perhaps Elmedia Player with an infected installer. You can see where this is going.

 

My point to all of this is that we have to provide the tools and prohibit the user from finding their own, or things start to go off the rails. There's no way for us to provide security for our organization if our users are running amok on their own. They may not mean it, but it happens. In fact, this article written by Symantec discusses the very same idea. So instead of finding a needle in a haystack, we end up falling on a sword in a pile of straw.

 

How do you feel about these services being used by end users without IT governance? How do you handle these situations?

I've rarely seen an employee of a company purposefully put their organization at risk while doing their job. If that happens, the employee is generally not happy, which likely means they’re not really doing their job. However, I have seen employees apply non-approved solutions to daily work issues. Why? Several reasons, probably, but I don’t think any are intentionally used to put their company at risk. How do I know this?

 

My early days as an instructor

When I started out as a Cisco instructor, I worked for a now-defunct learning partner that used Exchange for email. The server was spotty, and you could only check email on the go by using their Microsoft VPN. I hated it because it didn’t fit any of my workflows and created unnecessary friction. In response to this, I registered a domain that looked similar to the company’s domain and set up Google Apps, now called G Suite, for the domain. That way I could forward my work emails to an address that I set up. No one noticed for several months. I would reply to them from my G Suite address and they just went with it. Eventually, most people were sending emails directly to my “side” email.

 

After becoming the CTO, I migrated the company off our rusty Exchange server and over to G Suite, but I couldn’t help but think that I would have reamed someone if they had done what I did. In hindsight, it was not the smartest thing to do. But I wasn’t trying to cause any issues or leak confidential data; I was just trying to get my job done. Management needs to come to terms with the fact that if it makes an employee's work/life difficult, they will find another way. And it may not be the way you want.

 

Plugging the holes

Recently, I saw a commercial for FlexTAPE. It was amazing. In one part, you see a swimming pool with a huge hole in the side with water gushing out of it. A guy slaps a piece of FlexTAPE over the hole from the inside of the pool, and the water stops flowing. It reminded me of some IT organizations that metaphorically attempt to fix holes by applying FlexTAPE to them. But, by that point, so much water has escaped that the business has already been negatively impacted. Instead, companies should be looking for the slow leaks that can be repaired early on.

 

Going back to my first example, once people learned how I was handling my email, they started asking me to set up email addresses for them so they could do the same. First one colleague, then another. Eventually, several instructors had an “alternate” email address that they were using regularly. The size of that particular hole grew quite large.

 

At some point, management realized that they couldn’t pedal backward on the issue, and was forced to update certain protocols. I often wonder how much confidential information could have been leaked once I was no longer the only one using the new email domain. Fortunately, those who were using it didn’t have access to confidential information, but lots of content could have been exfiltrated. That would have been bad, but in my particular organization, I don’t know if anyone would have known.

 

Coming full circle

Today I own my own business and deal with several external clients. When I have employees, I try to be flexible because I understand the problem with friction. I also understand that friction may not be the only reason one turns to a non-approved solution to get their work done. For core business operations, organizations would do well to clearly define approved software packages. Should an employee use services like Dropbox, iCloud, Google Drive, or Box.com? If they do, are there controls in place? How does the solution impact their role? Do employees have a way to express their frustrations without fear of reprimand? Having an open line of communication with an employee can help them feel like their role is important. It also helps management really understand the issues they face. If you neglect that, employees will choose their own solutions to get work done, and potentially create security issues. And we don’t want that now, do we?

Is Shadow IT in your crosshairs? As a network security professional, do you recognize the implications of people taking IT into their own hands and implementing solutions without corporate approval? Let's examine one area that I believe is a huge data security risk in terms of shadow IT: file sharing. Sure, solutions like Box, Dropbox, iCloud, and so on, make sharing files between users and locations very easy, but there’s an inherent problem with these solutions that users don’t think about, which is that once you start using one of these services outside of corporate control, you lose control. How so? Let’s have a look.

 

Let’s pick on Dropbox first to get a sense for what could happen. Now, I'll openly admit that in a pinch I’ve used Dropbox to share a link so I could open a file on another machine. This activity may seem to be benign, but in an age where data exfiltration is rampant, this can be something detrimental to business. Furthermore, what happens if the link you generate is accidentally shared via social media? I once read of someone taking some photos, emailing a link to a folder in Dropbox, but mistyping the recipient address. Whoops! Now someone has access to these pictures, and they are hopefully not of a personal nature. But this is common practice these days. In fact, many organizations enforce a limit on attachment size. Users can subvert this by sending Dropbox links. It was recently reported that a health care provider leaked user data inadvertently through an email error. I'm not sure that we will ever know if this was done using a Dropbox link or the like, but there's always the possibility that it could have been.

 

But what else can go wrong? Let's also consider the installation of the Dropbox application on a local system. In 2016, it was reported that Dropbox was giving itself permission to control your computer without gaining the user's permission. This was eventually sorted out and Apple began blocking this in macOS Sierra. However, it reveals an underlying issue. When a user installs an application and doesn’t fully know how it operates, they are quite possibly exposing the organization to attack. In this case, if someone were to expose a flaw in Dropbox's programming, they could effectively control your computer. While this is hypothetical, it could still happen, and it should be considered. This is one of the reasons IT organizations are a bit slower to approve applications for use internally. There is usually a vetting process that takes place in which these things are considered. I know that most of you will probably agree.

 

But let's stop picking on Dropbox. Several other services and applications allow users to share files and come with similar concerns. Google is known for scouring your data and using it for advertising purposes, among other things. What if a user were to sign up for a free Gmail account and use the free Google Drive service to share files? Could Google be scanning and analyzing the files you store there? What can they do with that data? Who could they sell it to? What would they do with it? The list of questions goes on.

 

I must say that I'm not making the statement that these popular file-sharing services are bad. If an organization has reviewed the product, agrees to the EULA, and it is approved internally, then have at it! But what if it's not approved? That's the gray area I'm fishing in here. I mean, just think about it. There are peer-to-peer sharing and torrent sites, instant messengers, desktop sharing and control apps, and more. These all have a slew of concerns that follow. Let's also not forget that it's pretty easy these days to throw up an ad hoc FTP server that lacks security and allows connectivity and data transfer in clear text. Again, these all have the potential to become a means of data exfiltration as well as an attack vector for malware delivery, command and control connections, and the like.

 

So back to the problem at hand. Users will find their own solutions when we don't provide a satisfactory one for them. Sometimes this comes in the form of installing Dropbox or using some other form of file transfer to share data. While it may not be their intent to cause a security issue or share data with people they shouldn't, the fact is that it can happen. Are you as concerned as I am about this? What’s your take on this behavior, and what do you see being the happy medium between a well-vetted system for sharing data that is still user-friendly and friction-free in a user's daily life?

Well, here we are in our final post in the series. We’ve discussed several topics related to entering the network security job force. And with today’s market there’s more potential than ever to secure a job as an entry-level security analyst. The question we will address in this post is this: “How do I make the transition into a cybersecurity role, and then where do I go?”

 

Securing a job

First, you’ll need to polish up your resume if you plan on targeting a cybersecurity role. You’ll want to include your training and certifications, but what about experience? You could gain some experience by participating in open hackathons, which will allow you to demonstrate some security skills. Aside from that, you could volunteer or intern part-time to gain some valuable experience. I have a friend who requested to be the network liaison for any security projects his company had. Being on the team that deployed FirePOWER helped him immensely.

 

Job boards

Once your resume is polished, you’ll want to head to the job boards. Today, I find that LinkedIn provides a pretty active environment filled with recruiters that scour the vast pool of online profiles. If you’re looking for some temp-to-hire work, this might be a good place to begin. Aside from that, the standard job sites exist, but more often than not it’s best to have someone you know that’s already in a role that can help you out. Have you found success using LinkedIn? If so, I’d love to hear your comments about the process, as well as any recommendations. Share them in the comments.

 

Let's keep this a secret

I was talking to a colleague some time back about a new position he took with the federal government. He was already on a networking team that managed an unclassified network, and his day-to-day was pretty mundane. After his transition into a security team, he was having a hard time with the secrecy about his work. It wasn’t so much that he couldn’t talk about anything, it was more that he had to be very careful about what he said. Assume he’s out having drinks with some co-workers. In casual conversation he mentions that he is dealing with a widespread breach inside the government network that has caused certain data to be leaked. Unknowingly, there is a guy next to him at the bar that works for the press. The next morning there’s a front-page story about data loss at the Pentagon. You see how bad this could be, right? In actuality, he doesn’t work at the Pentagon, the data that was leaked was unclassified reports about tidal flows, and the government agency he works for is NOAA. I should mention here that this scenario is completely fabricated, simply to make my point. When you transition into a security role, you’re going to have to learn to keep a tight lip on what you’re doing, more so than when you worked on the network team.

 

Politics

I’ll keep this section brief. Are there politics to play in the cybersecurity job force? Yep. But I don’t play them, or even attempt to comment on them. Just do your job to the best of your ability.

 

Education

You’ll need to beef up your education a bit more than before if you're transitioning from a networking role. The world of security changes more rapidly, and threats morph and take on new forms much more aggressively than ever before. InfoSec World is a trade show that you may be interested in following. There are others you may want to attend at least once a year, for the purpose of networking with peers and receiving updates on the latest threats, and products that can help mitigate them. You may not have much of a say in your organization's purchasing decisions, but if you can add intelligent dialogue to those conversations, you are much more valuable as an employee.

 

Where to go from there?

From there, I’d recommend working your way up through the ranks. Decide what niche you want to focus on and become a specialist in that area. Keep current in your certifications in the event you need to look to another organization for employment. It’s good to be a loyal employee, but your loyalty should be first and foremost to you and your family. If you are being taken advantage of in your current position, quietly find work elsewhere and do it the right way. Give your notice and don’t burn bridges. This world is small and odds are you may cross paths with former supervisors in the future.

 

There’s so much to do in the world of cybersecurity. Really, the sky’s the limit. If you’re on the verge of a transition to a security role, I wish you the best and urge you to keep on learning. Maybe you can even give back some of what you glean from the community by contributing yourself.

As you spend more time in security, you start to understand that keeping up with the latest trends is not easy. Security is a moving target, and many organizations simply can’t keep up. Fortunately for us, Cisco releases an annual security report that can help us out in this regard. You can find this year's report, as well as past reports, here. In this post, I wanted to share a few highlights that illustrate why I believe security professionals should be aware of these reports.

 

Major findings

A nice feature of the Cisco 2017 Annual Cybersecurity Report is the quick list of major findings. This year, Cisco notes that the three leading exploit kits -- Angler, Nuclear, and Neutrino -- are vanishing from the landscape. This is good to know, because we might be spending time and effort looking for these popular attacks while other lesser-known exploit kits start working their way into the network. And based on Cisco’s findings, most companies are using several security vendors with more than five security products in their environment, and only about half of the security events received in a given day are reviewed. Of that number, 28% are deemed legitimate, and less than half that number are remediated. We’re having a hard time keeping up, and our time needs to be spent on a live target, not something that’s no longer prevalent.

 

Gaining a view to adversary activity

In the report's introduction, Cisco covers the strategies that adversaries use today. These include taking advantage of poor patching practices, social engineering, and malware delivery through legitimate online content, such as advertising. I personally feel that you can't defend your network properly unless you know how you’re being attacked. I suppose you could look at it this way. Here in the United States, football is one of the most popular sports. It’s common practice for a team to study films of their opponents before playing them. This allows them to adjust their offensive and defensive game plan ahead of time. The same should be true for security professionals. We should be prepared to adjust to threats, and reviewing Cisco’s security report is similar to watching those game films.

 

In the security report, Cisco breaks down the most commonly observed malware by the numbers. It also discusses how attackers pair remote access malware with exploits in deliverable payloads. Some of what I gleaned from the report shows that the methods being used are the same as what was brought out in previous reports, with some slight modifications.

 

My take

From my point of view, the attacks are sophisticated, but not in a way that’s earth-shattering. What I get from the report is that the real issue is that there are too many alerts from too many security devices, and security people can't sort through them efficiently. Automation is going to play a key role in security products. Until our security devices are smart enough to distinguish noise from legitimate attacks, we’re not going to be able to keep up. However, reading reports like this can better position our security teams to look in the right place at the right time, cutting down on some of the breaches we see. So, to make a long story short, be sure to read up on the Cisco Annual Cybersecurity Report. It’s written well, loaded with useful data, and helps security professionals stay on top of the security landscape.

A few years back, I had the privilege of attending InfoSec World in Orlando. I served on a security panel for Tech Field Day Live, where we discussed some game changers in security. It was a strange feeling being there. I don’t think anyone knew who we were or what Tech Field Day was. I was a security guy, at least from my point of view I was. I was sitting next to the former program manager of the CCIE Security, Natalie Timms, Edward Haletky, and Jack Daniel. I had been on Twitter for years, written a few books for Cisco Press, and I still felt out of place.

 

As I sat at dinner with Stephen Foskett, I came to the conclusion that these security folk were not very social. I think things have loosened up a bit, but it’s still not an easy world to break into. Why is this important? For some of you, it’s not. For me, time and again being on social networking sites has saved my bacon when I found myself in a jam. What about now?

 

Well, I can’t say that social networking has improved a lot for security professionals. It may have, but I don’t run in those circles. What I can tell you is that security vendors see the value in, and advertise and respond to, direct inquiries. Sometimes their response to social networking questions is days ahead of an email request submitted through a web form.

 

Still, following a few security accounts on Twitter can’t hurt. Here are a few that I think are beneficial. Trust me when I say that I have followed several, and unfollowed them just as fast. There’s a lot of repetition and noise out there.

 

Illumio

Illumio is a security vendor that I learned about while attending a networking field day. They are based out of Sunnyvale, California, and most of their posts are informative and focus on adaptive security for the data center. They have an interesting solution that I should have taken the time to break down a bit more on my personal blog. You can look them up on the Tech Field Day website. The video is worth a watch, as is their Twitter feed.

 

InfoSecurityMag

I’ve followed @infosecuritymag for some time. They also have informative news that tends to be focused on general information security. You’re not going to learn earth-shattering techniques here, but for someone breaking into the world of security, it will give you a variety of topics to discuss with your peers.

 

Krebs on Security

Brian Krebs is a journalist who frequently covers profit-seeking cybercriminals. He uses his platform to inform on various security topics. He’s become quite a name in the space and can be found on Twitter; he also hosts his own podcast. In late 2016, he was the target of one of the largest DDoS attacks on record. Yep. He ticked off that certain person that made it a point to shut his site, Krebs on Security, down for quite some time.

 

Cisco Security

If you work with Cisco Security products, you may be interested in following @ciscosecurity on Twitter. The bulk of what you see here is going to be product announcements and write-ups on whatever direction Cisco thinks is important these days. It’s hard to ignore Cisco, even though many will argue the quality of their security portfolio. But when you consider that they house the Talos group, and have tons of customer-provided data that they can analyze, which keeps them up-to-date on emerging threats, it’s worth a little bit of marketing just to get to the good stuff.

 

Others I’ve Followed

I’ve also followed Bruce Schneier, but after a while his posts don’t really interest me. But you have to admit that the guy is brilliant. Aside from Bruce, there have been others that are more Cisco-specific, but I wouldn’t really recommend them for someone starting out in security.

 

Final Thoughts

If you are coming from a data networking background and transitioning into a security role, the news is a solid start. Trying to engage individual security professionals as you would networking and virtualization guys is a tough nut to crack. As time goes by, you’ll likely become familiar with peers you meet at conferences and such. Those are the ones to interact with online, if possible. When you find yourself in a bind, these are the folks you want to ask. However, you should be aware that the conversation you have may not be in the public eye. Many security professionals are a little bit more hush-hush publicly. They understand that certain things that are said could lead people to the wrong conclusions about the organizations they represent. You can’t blame them. The lawyers are going to force their organizations' representatives to be very tight-lipped about possible breaches and such. For example, if you ask a question about some ransomware that you’ve just encountered, and a buddy of yours that happens to work for Wells Fargo tells you how to fix the issue, people may naturally assume that Wells Fargo has experienced a similar breach. Yep, that’s bad press.

 

So be patient, interact with those you know personally, and use social networking to keep up on industry trends. Doing so may guide your learning path as you progress as a network security professional.

There are several security certifications that one can choose from. While the list is long, we're primarily going to touch on five of them here. But for good measure and simply to prove our point, here's a more extensive mound of security certifications that sit before you.

 

CompTIA Security+

The CompTIA Security+ certification has been around for a long time and is a well-recognized and respected certification in the field. In fact, it meets the ISO 17024 standard and is approved by the U.S. Department of Defense to fulfill Directive 8570.01-M requirements. That being said, this certification is more entry level than anything else. You can find the details on the CompTIA web site. This certification is going to provide you with understanding in the following areas:

  • Threat management
  • Cryptography
  • Identity management
  • Security systems
  • Security risk identification and mitigation
  • Network access control
  • Security infrastructure

All of these areas are powerful in terms of what would be useful in a production environment. You'll probably want to have the Network+ certification first, or at least hold that level of knowledge before this material can fully sink in.

 

Would the CompTIA Security+ Certification Benefit Me?

If you're in a government job and need to meet certain standards, this certification may prove to be useful. If you're a newbie to security, this certification will likely offer you a good introduction to security, but many hiring managers understand that this is an introductory certification. This is probably not the kind of certification that's going to dress your resume up enough to demand the big bucks, but it can't hurt to have it. Time learning is usually not time wasted.

 

GSEC: SANS GIAC Security Essentials

This is another entry-level security certification, but it's designed a bit differently. This course is designed to demonstrate hands-on capability in security administration. The certification is good for four years before you need to renew it, and it is much more expensive compared to the Security+. Whereas the Security+ certification will cost you $320.00 USD, the SANS GIAC Security Essentials exam will run you just over $1200.00 USD.

You can find the details on the giac.org Web site.

Topics covered by this certification include:

  • Identifying and preventing common attacks
  • Identifying and preventing wireless attacks
  • Access controls
  • Authentication and password management
  • DNS Security
  • Cryptography fundamentals
  • ICMP Security
  • IPv6 Security
  • Public key infrastructure
  • Linux security
  • Network mapping

 

Would the GSEC: SANS GIAC Security Essentials Certification Benefit Me?

For a lot of people, hands-on is the way to go. In fact, the CCIE Certification Program offered by Cisco has been seen as one of the most credible certifications to hold. Much of that has to do with the fact that it's a hands-on certification, which has the benefit of credibility. If you've passed one of these exams, you must know how to do whatever you were tested on. So if you want to break in at the entry level with a bit more than a sheet of paper, this is the cert for you.

 

Certified Ethical Hacker (CEH)

The CEH certification is a common certification that is considered intermediate-level. It's not uncommon for organizations to request network security assessments. The CEH certification is a key certification that companies engaged in this type of offering look for. This certification teaches you the same techniques that hackers use. Armed with this knowledge, you would then be better positioned to identify threats as they come across the network.

Some areas touched on in this certification include:

  • Reconnaissance
  • Scanning networks
  • Enumeration
  • Trojans, worms and viruses
  • Sniffers
  • Denial-of-Service attacks
  • Session hijacking
  • Hacking web servers, wireless networks, and web applications
  • SQL injection
  • Cryptography
  • Penetration testing
  • Evading IDS, firewalls, and honeypots

As you can see, the list is a bit more extensive than the Security+ certification. You'll need to have that general security knowledge before you take on a certification like this. This is another intermediate certification.

 

Would the CEH Benefit Me?

If you want to be an ethical hacker, this certification is a must. If you want to be a Cyber Security Analyst working in a Security Operations Center, this certification is also valuable because it lets you identify potentially malicious activity much more easily than if you didn't have this underlying knowledge. At the end of the day, I see a lot of people get this for the fun of it rather than to advance their career, but employers still recognize the certification. In specialized environments, they look for it.

 

Certified Information Systems Security Professional (CISSP)

The CISSP is an advanced-level certification. It's vendor neutral and is one of the certs that's been around the longest. It's been on the "Certifications Most-wanted" list within organizations for many years. Those that hold the CISSP are usually Senior Security Personnel and thus make a bit more cash. Some of the topics you'd be tested on include:

  • Risk management
  • Access control
  • Application security
  • Cryptography
  • Security architecture and design
  • Investigation and ethics

 

Would the CISSP Benefit Me?

If you have a minimum of 5 years' experience in two of what (ISC)² calls the Common Body of Knowledge domains, or 4 years' experience and a college degree, this is your cert. That's because these are the requirements to obtain this certification. But what are the domains, you ask? They are Security and Risk Management, Asset Security, Security Engineering, Communications and Network Security, Identity and Access Management, Security Assessment and Testing, Security Operations, and Software Development Security.

 

Certified Information Security Manager (CISM)

The CISM certification is designed for anyone that's going to be managing, developing, and overseeing information security systems. This is a newer certification on the scene, but what sets it apart is that it's geared toward maintaining the highest quality standards when it comes to audit, control, and security of an organization's security systems. It's not an entry-level certification either. This certification is designed for one with experience. The requirements for this certification include:

  • Agree to ISACA's code of professional ethics
  • Pass an exam
  • Have 5 years' experience
  • Comply with a continuing education policy
  • Submit a written application

As you can tell, there's a bit of work included in just obtaining the certification, and that's not counting the actual security knowledge you need.

 

Would the CISM Benefit Me?

The CISM is a bit more expensive compared to other certifications. If you have the money, have the time, and can meet the requirements, then holding this certification is extremely beneficial. Hiring managers recognize the certification, and when you combine it with experience, the Infosec Institute puts the pay range at $52,402 to $243,610. Yes, that's a very wide range, but you have to factor experience into the mix. An entry-level position isn't going to pay top dollar, no matter what certification you hold.

 

Final Thoughts

At the end of the day it's up to you. How much time do you want to commit to certifications vs. hands-on experience? Are you even looking for a job? I knew a guy who had about 40 different certifications, and the only reason he got them is because he was bored at work. He had no intention of leaving his high-paying job that was paying for him to become certified, especially when he didn't have much to do when he did have to work.

 

Still, one should recognize that employers try to filter through potential candidates, and having a security certification can help shuffle your resume to the top. If you get that far you'll have to prove that you know your stuff in an interview, and that's a whole other conversation.

For a long time there has been a bit of isolation between the person referred to as a network engineer and the security guy. The security guy is nice to have around because when all else fails, you can blame the firewall. That’s right. The network is fine, but you have to talk to the security guy. The security guy won’t tell you much. Why? Because in security you’re on a need-to-know basis, and you don’t need to know.

 

Alas, the point of this blog post is not to discuss the network and security silos and the way we point fingers at different departments. This is, in part, because there’s a shift that's been happening for some time now. Network engineers have been turning into security engineers. I think there are a few reasons for this shift. Let me explain.

 

Networking People Might Be Worried About Their Jobs

For the past several years, the fundamentals of networking as a career have shifted. In times past, the network engineer role dealt with cabling up equipment, connecting cables, drawing complex diagrams of the network, configuring various features and protocols via the command line, and testing and monitoring the network. With the advent of Software Defined Networking (SDN) and Network Function Virtualization, these things are quickly disappearing. There’s not much to physically connect now (at least not as much as before), and the network is building itself dynamically through the use of software tools, controllers, and so on.

 

Security Has Some Exciting Aspects that Challenge Network Engineers

It’s true that security elements like a firewall and an IPS can be set up using a controller, and that there’s a lot that software can do. However, forensics adds an exciting dimension to network security that may be appealing to network engineers. As network automation takes more of a hold, network engineers are taking up coding and using languages like Python. Learning these languages actually helps in the transition to security. Decoding the activity of a would-be attacker, figuring out what their script does, and working out how to put a stop to it is a mind exercise that’s appealing to network engineers.

 

Security Certifications Look Good on a Resume

Another thing that adds to the appeal is that employers are looking for cybersecurity professionals, and there’s money in that work. Forbes said that there were 1 million cybersecurity jobs available in 2016. Information Week says that intrusion detection, secure software development, risk mitigation, cloud security, network monitoring and access management, security analysis, and data security skills are all in high demand. Putting these certifications on a resume increases your chances of landing a high-paying job in the security space.

 

So How Do I Keep Up?

It is true that it's hard to keep up these days. In this series of articles, I’ll tackle some areas that I think are helpful in breaking into the cybersecurity space as a network engineer. In the next article, I'll look at the mound of security certifications that are available and discuss which ones are of most value. After that we will dive into the world of security in the social space. Believe it or not, there’s a large segment of security professionals who don’t engage in social communities like Twitter and Facebook. We’ll talk about why, and highlight some of the more vocal security folks out there. Then in our fourth post, I'll cover Cisco’s annual security report and why you should care to read it. Finally, we’ll wrap up the segment by discussing the transition into a security role and where to go from there.

 

I look forward to the comments and perhaps even questions that I can address in these future articles. Until then, happy labbing!

Recently the Cisco Firepower Next-Generation Firewall was released, and according to Cisco, it’s the “first fully integrated, threat-focused next-gen firewall with unified management.” Its capabilities include Application Visibility and Control (AVC), Firepower next-gen IPS (NGIPS), Cisco® Advanced Malware Protection (AMP), and URL Filtering. That’s a lot to roll into a single OS, especially when you consider the stateful firewall capability.

 

In the past we’ve seen Cisco package the FirePOWER services on a module that sits in the ASA. Using the MPF (Modular Policy Framework) you can forward traffic to the module. The module is managed by the FirePOWER Management Center or by a local FMC that’s part of ASDM. It’s still separate from ASA policy. With the new Cisco Firepower NGFW it’s all managed in one place. This is a significant step in the right direction.

 

So the short answer is “Yes.” Yes, you can put all that capability into one box. Cisco isn’t the first to do it. In fact, Cisco’s pretty late to the game on this one. Of course Cisco would likely contend that they have some special sauce baked into the Firepower NGFW. The new 4100 series hardware provides a platform for Firepower NGFW, Cisco AMP, and the traditional ASA (although I can’t imagine the traditional ASA stays around much longer).

 

Should We Care?

 

So now the question is, should we really care that Cisco has another firewall? Absolutely. The architecture of this device allows Cisco and third-party vendors to quickly add security services as the network evolves.

 

[Figure: Architecture.png]

 

Of particular interest to me is what a third-party vendor could run as a service on this platform.  Could monitoring be an added service?  A Correlation engine?  There’s a lot to this architecture that’s interesting to me.  The API access, OpenFlow, the orchestration layer.  I think with modern developments in orchestration combined with this new architecture and some third-party services we can do some interesting things.

 

What’s Your Take?

 

At this point I open it up to you.

  1. Do you feel this is a significant development in Cisco’s security portfolio?
  2. What would you like to see third-party developers working on for this platform?
  3. What did I miss?

Access control extends far beyond the simple static statements of a Cisco ACL or iptables. The access control we deal with today comes with fancy names like Advanced Malware Protection or “Next-Generation.” If you work with Cisco devices that are part of the FirePOWER defense system you know what I’m talking about here. For example, the Cisco FirePOWER services module in the ASA can work with Cisco Advanced Malware Detection to send a file hash to a Cisco server in the cloud. From there, the Cisco server will respond with an indication that the file contains malware, or that it’s clean. If it contains malware then of course the access control rule would deny the traffic. If it’s determined that the traffic is clean it would allow the traffic.

 

In the situation discussed above, the file itself is never sent over the wire; just a hash is sent. How is this at all helpful? Cisco gathers correlation data from customers around the globe. This data helps them build their database of known threats, so when you send them a hash, it’s likely that they’ve already seen it and have run the file in a sandbox. They use advanced tools like machine learning to determine if the file is malicious. Then they catalog the file with a hash value, so when you send a hash, they compare the hash, and there you have it! This is very low overhead in terms of processing data. What about the cases where Cisco doesn’t have any data on the file hash we’ve sent? This is where things get interesting, in my opinion.

 

In this case, the file needs to be sent to Cisco. Once Cisco receives the file they run it in a sandbox. Using machine learning, amongst other methods, lets them determine if the file is doing something malicious or not. At this point they would catalog the information with a hash value so they don’t have to look at it again. This is all good, because we can usually get a quick response on whether something is good or bad, and our access-control rules can do their job. But here’s where a few questions could be raised. Aside from not having a hash for a file I’m sending or receiving, what determines that the file needs to be forwarded to Cisco? Do they log the file or discard it after the sandbox run? I ask these questions because in my mind it’s realistic that all files could be sent to Cisco and cataloged, meaning authorities could potentially subpoena that data from Cisco to see anything I’ve sent or received. If this is the case then our “Advanced Malware Detection” could also be “Advanced Privacy Deterioration.”
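
To make the trade-off above concrete, here is an added example (my code, not Cisco's and not any AMP API) of the hash-first flow: only the digest leaves the network at first, and a file with no cloud record is forwarded for sandboxing only if a site policy knob allows it. The cloud database, the sandbox heuristic, the audit log and the sample files are all constructed stand-ins.

```python
import hashlib
from enum import Enum

class Verdict(Enum):
    CLEAN = "clean"
    MALICIOUS = "malicious"
    UNKNOWN = "unknown"

# Constructed stand-in for the vendor's cloud hash database (SHA-256 -> verdict).
# Real lookups go to the vendor's cloud; these two entries are made up.
CLOUD_HASH_DB = {
    hashlib.sha256(b"MZ...benign-installer...").hexdigest(): Verdict.CLEAN,
    hashlib.sha256(b"MZ...known-bad-sample...").hexdigest(): Verdict.MALICIOUS,
}

# Record of what leaves the network per lookup, so the privacy cost is visible.
audit_log = []

def cloud_hash_lookup(digest: str) -> Verdict:
    """Hash-only query: only the 64-hex-char digest is transmitted."""
    audit_log.append(("hash", digest))
    return CLOUD_HASH_DB.get(digest, Verdict.UNKNOWN)

def cloud_sandbox_submit(content: bytes) -> Verdict:
    """Full-file submission for unknown hashes. The whole file leaves the
    network; the service detonates it and caches the verdict under its hash."""
    audit_log.append(("file", len(content)))
    digest = hashlib.sha256(content).hexdigest()
    # Constructed heuristic standing in for the sandbox run.
    verdict = Verdict.MALICIOUS if b"drop-ransom-note" in content else Verdict.CLEAN
    CLOUD_HASH_DB[digest] = verdict   # cataloged so it is never analysed twice
    return verdict

def access_decision(content: bytes, submit_unknown: bool) -> str:
    """Return 'allow' or 'deny'. submit_unknown is the policy question the post
    raises: whether files with no cloud record are forwarded for sandboxing."""
    digest = hashlib.sha256(content).hexdigest()
    verdict = cloud_hash_lookup(digest)
    if verdict is Verdict.UNKNOWN and submit_unknown:
        verdict = cloud_sandbox_submit(content)
    # With submission disabled an unknown file is allowed here (fail-open); a
    # site that values coverage over privacy would quarantine it instead.
    return "deny" if verdict is Verdict.MALICIOUS else "allow"
```

After a file has been sandboxed once, later lookups of the same content need only the hash, which is the cataloging behaviour described above; the audit log shows which calls sent a full file.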

 

What are your thoughts?  Is it a bad idea to get the cloud involved in your access-control policies or do we just trust the direction vendors are taking us?

A week ago Leon Adato shared a fine post titled What “Old” Network Engineers Need To Remember.  I enjoyed reading his post and agreed with every point.  And so I thought I’d make my own list this week and share my thoughts on how “Not” to be a bad network security engineer.

So let’s get right to it, shall we?

  1. Don’t assume bad motives.  Too often we assume that users are doing something they shouldn’t be, and when we get the call that their computer has malware or we find something funny in the logs we treat them pretty badly.  Sure, some people are jerks and try to get around the rules.  But most people just want to get work done with as little friction as possible.
  2. Don’t assume that everyone knows the latest malware or ransomware delivery methods.  I have a friend who works for an auto parts distributor.  He deals with shipments all the time.  One of the emails he received was a failed shipping notification.  He opened it and boom!  CryptoLocker.  It encrypted everything on the shared drives he was connected to and left the business limping along for a few hours while they restored the previous night’s backups.  He had no idea.  Malware and ransomware aren’t in his job description.
  3. Educate your users in a way that isn’t demeaning to them.  I know the old “Nick Burns” videos are humorous.  But again, if you take the time to train your users and you’re not a jerk about it, they’re more apt to respond in a positive manner.
  4. Now for the technical stuff.  If you’re using a ton of ACL statements to control traffic, please add remarks.  By adding remarks to your ACL statements, those who come after you will think you’re a pretty nice guy.  I’ve inherited ACLs with thousands of lines and no clue what any of the entries were for.  Not cool!
  5. Use Event Logging and Correlation to your benefit.  Too many network security professionals try to get by without a solid logging and correlation strategy.  So instead of having all the info, they tend to tread water trying to keep up with what’s going on in the network.  There are a number of SIEM solutions today that offer event correlation and really good filtering on the logs.  If you don’t have one, build a case for one and present it to upper management.
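
A small added check for point 4 (my script, not anything from the original post): it walks an IOS-style config and reports every permit/deny entry that has no remark, in both named and legacy numbered ACLs. The sample config is constructed.

```python
import re

# Constructed IOS-style config fragment (not from any real device) used as input.
SAMPLE_CONFIG = """\
ip access-list extended EDGE-IN
 remark Monitoring host to the web tier over HTTPS
 permit tcp host 10.1.1.5 10.2.0.0 0.0.255.255 eq 443
 permit udp any any eq 161
 remark Explicit deny, logged so the SIEM sees drops
 deny ip any any log
!
access-list 101 permit tcp any host 192.0.2.10 eq 22
access-list 101 remark Everything else is dropped
access-list 101 deny ip any any
"""

ACL_HEADER = re.compile(r"^ip access-list (?:standard|extended) (\S+)$")
ACE_KEYWORDS = ("permit", "deny")

def find_unremarked_aces(config: str, per_entry: bool = True):
    """Return (acl_name, line_number, ace_text) for every ACE without a remark.
    per_entry=True: each permit/deny needs a remark directly above it;
    per_entry=False: one remark covers the contiguous ACEs that follow it."""
    findings = []
    named_acl = None        # name of the named ACL whose body we are inside
    covered = False         # a remark applies to the next ACE of the named ACL
    legacy_covered = {}     # numbered ACL -> a remark applies to its next ACE
    for lineno, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        header = ACL_HEADER.match(line)
        if header:
            named_acl, covered = header.group(1), False
            continue
        if line.startswith("access-list "):
            parts = line.split(maxsplit=3)      # access-list <num> <keyword> <rest>
            num, keyword = parts[1], parts[2]
            if keyword == "remark":
                legacy_covered[num] = True
            elif keyword in ACE_KEYWORDS:
                if not legacy_covered.get(num, False):
                    findings.append((num, lineno, line))
                if per_entry:
                    legacy_covered[num] = False
            continue
        if named_acl is None or not raw.startswith(" "):
            named_acl = None                    # left the named ACL body
            continue
        words = line.split()
        if words[0].isdigit():                  # strip an ACE sequence number
            words = words[1:]
        if words[0] == "remark":
            covered = True
        elif words[0] in ACE_KEYWORDS:
            if not covered:
                findings.append((named_acl, lineno, line))
            if per_entry:
                covered = False
    return findings
```

Run it over a saved `show running-config` and hand the list to whoever owns the ACL; on the sample it flags the SNMP permit in EDGE-IN and the first entry of access-list 101.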

It’s true that we’re in a very tough spot sometimes.  We manage systems that have a lot of power in terms of network connectivity.  It’s good for us to be transparent to users, but at the same time we don’t want our users’ activity to be transparent to us.  It’s quite a balance we have to strike, but it’s worth it when we can.  And using some of the more advanced tools made available today can help give us the visibility we need.  Here’s a good example of how you can use SolarWinds LEM to create rules for real-time correlation and response.  This is just one example of how we can use today’s technology to provide security services while being somewhat transparent to users.  And as far as the five points mentioned above, these are but a few points I’ve learned over the years that have proven to be useful.  There are many more, of course.  If you have one, perhaps you’d share it below.  Iron sharpens iron, after all!

Network Access of Old

I remember back in the days when I worked at the phone company.  We had a security desk right inside the door, and at the counter was a desktop that had the company directory on it.  What didn’t make a lot of sense to me was that the Ethernet port was on the front of the wall, not behind the counter.  Anyone could walk into the office, unplug the corporate directory PC, and plug their own in.  DHCP would give them an address and they were on the LAN.  Sad thing is that people did.  I would come walking in from lunch and often see some random guy copping a squat on the floor with his laptop connected.  Back then we really didn’t have a clear way of preventing access to the network.

What We Used to Do

Prior to 802.1X we did have a few solutions but they had their limitations.  One way we could control things was by using a VLAN Membership Policy Server (VMPS).  With a VMPS the MAC address would dictate which VLAN you were assigned to.  If you were not listed in our database you would not get a VLAN assignment on the LAN.  The drawback here was that you had to manage the MAC database.  If an employee had a NIC failure and the NIC were replaced, we would have to remember to update the database.  This happened a lot back when the laptops had a PCMCIA NIC with the flimsy dongle.

Another way we would control network access was with Port Security.  This of course only worked if your switch supported the feature.  If it did you had a few ways to handle business.  You could enter the MAC that should be connected to each port and then limit the number of MAC addresses to 1.  This didn’t scale well either.  We could sticky learn the MAC which helped, but again, scalability issues.  So even though we had a few solutions, nothing was really a great fit.  Fast forward to today and 802.1X is the clear fit.  While we had 802.1X back then, or at least we started to see it, client support was limited.

Network Access Today

Today we still don’t have all the answers.  We primarily use 802.1X and EAP to authenticate and authorize a user on a switch port or on a wireless SSID.  This method of controlling access works well because we have much better support for EAP in our native supplicants today.  For some of the more advanced EAP methods we have clients like Cisco AnyConnect.  Using 802.1X and an external authentication server scales better than the previous solutions discussed in this article.  Along with the scalability comes a great deal of context data that’s useful in determining who is connecting, where they are connecting, how they are connecting, and so on.  From a policy perspective this is fantastic.  We have a level of visibility today that we didn’t have back in my early days.  Still, the solution isn’t perfect, and there are still some things we need to address, like all that log data.

Where Do the Logs Go?

Your identity management solution is but one source of the log information you’re receiving.  You have the logs from the switches, APs, and firewalls where your VPN is terminating.  There’s a handful of logging solutions out there that can handle the volume we see on most networks today.  The key to consuming log data is not just being able to store it and handle the sheer amount of data being received, but it’s also being able to use the data in a meaningful way.  So what are some of the things you’d need to identify?  A good solution would help identify users on the network that are doing things that aren’t exactly normal.  When you consider the prevalence of botnets and DDoS attacks, it would be advantageous to implement a solution that would identify if your assets are participating in these types of attacks.

The attacks here are just a few examples.  There are many more.  But I’ll leave this post with two questions:

  1. What are you implementing as your Identity Management Solution?
  2. How are you using the log data from that solution and other network devices to mitigate attacks and minimize unauthorized activity on your network?
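
As an added example of using that log data meaningfully (my code, not any SIEM's or identity server's), this joins 802.1X session records to firewall connection records so that a host talking to too many destinations, or hammering one, is reported together with the user and switch port that authenticated it. Both log formats and every address, user and MAC are constructed for the example, and the thresholds are illustrative.

```python
import re
from collections import defaultdict

KV = re.compile(r"(\w+)=(\S+)")

# Constructed sample logs (not real product output). Format: "<ts> key=value ...".
AUTH_LOG = [  # 802.1X / RADIUS session records from the identity server
    "2017-11-02T08:01:12 auth=OK user=jsmith mac=00:11:22:33:44:55 ip=10.20.30.41 nas=sw-floor2 port=Gi1/0/7",
    "2017-11-02T08:02:40 auth=OK user=printer-svc mac=00:aa:bb:cc:dd:ee ip=10.20.30.88 nas=sw-floor2 port=Gi1/0/19",
]
FW_LOG = [  # connection records from the edge firewall; 10.20.30.55 never authenticated
    "2017-11-02T08:05:01 src=10.20.30.41 dst=203.0.113.9 dport=443 action=allow",
    "2017-11-02T08:05:03 src=10.20.30.41 dst=198.51.100.2 dport=443 action=allow",
] + [f"2017-11-02T08:06:0{i} src=10.20.30.88 dst=203.0.113.77 dport=80 action=allow" for i in range(4)] \
  + [f"2017-11-02T08:07:0{i} src=10.20.30.55 dst=203.0.113.{i} dport=53 action=allow" for i in range(4)]

def parse_kv(line: str) -> dict:
    """Split '<ts> key=value ...' into a dict (constructed format)."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields

def build_ip_to_user(auth_lines):
    """Latest successful session per IP -> (user, mac, 'switch port')."""
    sessions = {}
    for f in map(parse_kv, auth_lines):
        if f.get("auth") == "OK":
            sessions[f["ip"]] = (f["user"], f["mac"], f["nas"] + " " + f["port"])
    return sessions

def flag_noisy_hosts(fw_lines, max_distinct_dst=3, min_hits_same_dst=4):
    """Hosts reaching too many distinct destinations (scan / DDoS participation)
    or repeatedly hitting one destination (beaconing / flood). Returns {ip: reason}."""
    dsts = defaultdict(set)
    hits = defaultdict(int)
    for f in map(parse_kv, fw_lines):
        dsts[f["src"]].add(f["dst"])
        hits[(f["src"], f["dst"])] += 1
    flagged = {}
    for ip, targets in dsts.items():
        if len(targets) > max_distinct_dst:
            flagged[ip] = f"{len(targets)} distinct destinations"
    for (ip, dst), n in hits.items():
        if n >= min_hits_same_dst and ip not in flagged:
            flagged[ip] = f"{n} connections to {dst}"
    return flagged

def attribute(auth_lines, fw_lines):
    """Join each flagged IP back to the identity that authenticated on that port."""
    who = build_ip_to_user(auth_lines)
    report = []
    for ip, why in flag_noisy_hosts(fw_lines).items():
        user, mac, port = who.get(ip, ("unknown", "unknown", "unknown"))
        report.append({"ip": ip, "user": user, "mac": mac, "port": port, "reason": why})
    return report
```

Calling `attribute(AUTH_LOG, FW_LOG)` yields one record per flagged host; a host with no matching session (here 10.20.30.55) comes back as user "unknown", which is itself a finding worth chasing on a network that expects 802.1X everywhere.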
