cancel
Showing results for 
Search instead for 
Did you mean: 
Create Post

THWACK Monthly Mission - October 2019

Community Manager
1909_Core_October_THWACK_Mission_Blog_Header_900x300_noCTA.png

October is Cyber Security Awareness Month and all the contestants line up to play a game of Security Sleuth. It seems fun, and in a way it is, until you realize the stakes. You look around you as the game is about to begin and think to yourself which one of these people is the planted mole?

It’s a good ol’ whodunit, and the security of your network, the integrity of your privacy, the very foundation on which you’ve built your IT organization is at risk. So, security sleuth, master of mystery, will you detect defects capable of destroying our data, will you investigate infections imperiling our information, will you expose the evildoers endangering our eudemonia?

Protect us, cybersecurity connoisseur, start your mission.



OCTOBER MISSION

Use the mission’s resources to complete the tasks and answer the questions for a chance to win!

Correctly answer each question during the week and you'll be entered for a chance to win the weekly prize.

Correctly answer all 20 questions over the course of the month and you'll be entered for a chance to win the grand prize.

150 points are being awarded for each correctly answered question. There are 20 questions, which means you can earn a maximum of 3,000 points for this mission.

Want to join the mission, but not a member? Sign up FREE now!

PRIZES

Weekly Prizes & Drawing Dates:
October 14, 2019: Best of Agatha Christie Volume 1-4 (Region 1)

October 21, 2019: Apple Airpods

October 28, 2019: Clue Board Game and Culinario Mortale Deadly Fame - Murder Mystery Dinner Party Game

November 4, 2019: Anker PowerCore

Grand Prize:
November 4, 2019: SimpliSafe Wireless Home Security System



MISSION RULES

A new question will open every day (Monday - Friday) starting on October 7, 2019. Once a question has opened, it will remain open until November 3, 2019 at 11:59 p.m. CT. Check the schedule below for exact open/close times.



MISSION SHORTCUT

Complete the mission shortcut between October 7, 2019 and November 3, 2019 to be entered to win a Go Pro HERO 7 Black!

Security is the responsibility of all IT staff. However, not everyone has the same amount of time or resources available to increase their networks’ security posture. Security Event Manager (SEM) is designed to be another pair of eyes, always on the lookout for suspicious behaviour, and can alert you when it finds potential threats. For this shortcut we’ll have you take the first step towards automating threat detection by setting up a log source in SEM.

Shortcut Steps:

  1. Download a free trial of Security Event Manager (or if you already use SEM you can skip this step, but be sure you’re on version 6.7 or higher)
  2. Navigate to “Nodes”
  3. Click on “Add agent node,” select the appropriate agent for local installation, and follow the instructions or read more here
  4. Once the server is connected, navigate to “Events” and take a screen shot of events coming in from the log source and post to the mission
    1. Please anonymize any sensitive data like machine name or user names

DOWNLOAD FREE TRIAL  SUBMIT SCREENSHOT

WEEKLY PRIZESMONTUEWEDTHUFRIWINNERS
Week 1: Complete questions 1-5 by October 13, 2019 to be entered to win: Best of Agatha Christie Volume 1-4 (Region 1)
Week 2: Complete questions 6-10 by October 20, 2019 to be entered to win: Apple Airpods
Week 3: Complete questions 11-15 by October 27, 2019 to be entered to win: Clue Board Game and Culinario Mortale Deadly Fame - Murder Mystery Dinner Party Game
Week 4: Complete questions 16-20 by November 3, 2019 to be entered to win: Anker PowerCore

Correctly answer all 20 questions by November 3, 2019 and get entered to win the Grand Prize! SimpliSafe Wireless Home Security System



September Mission Terms & Conditions: US, UK, and Canada | Germany | Australia

September Mission Shortcut Terms & Conditions: US, UK, and Canada | Germany | Australia

157 Comments
Level 12

Free account?  Are you talking about mission shortcut?

Level 13

From yesterday's and today's hint (Product Blog: Introducing Solarwinds Idnetity Monitor), you will find a link to sign up for free.

pastedImage_0.png

Level 13

knucklebusted​, the information has been obtained on from the web from public sources and private hacking databases. Solarwinds is not making any previously private data available. They are letting us know about personal data that is no longer private. You can sign-up for the free account in the hint announcing SIM, and check it out. When I did, I added my personal e-mail account. I needed to login to my personal e-mail and verify my ownership of the account before it displayed the information in SIM. This means that you can not put someone else's e-mail address in there to get their passwords (unless they unwittingly verify the verification e-mail for you, LOL).

Some of the same info is on haveibeepwned.com -- but not as much info, and not as good a representation of the information.

Regards.

Level 10

As someone with chronic hypertension that gets exacerbated by work stress (amongst other things), it may not be in your best interests to effectively skew your results... Nothing wrong with the doctors knowing what's representative.

Level 12

Password reuse is the mirror problem of password reset policies that require users to create long, complicated passwords on multiple unconnected systems with different password creation rules, and which have to be significantly changed every X weeks or months, and therefore inevitably end up on Post-it notes on the user's desk.  It has become impossible to remember all the passwords I need to do my job, and that doesn't include the myriad passwords I have for my personal accounts.

I know there are software packages that promise to remember them for you, but then what happens if one of them is compromised?  Every account you have is out there in one fell swoop.

Level 14

On the other hand they usually double what you tell them anyway.  I was once asked how many units of alcohol I drank per week.  I told the truth and the doc nearly fell of her chair.  I didn't think it was that much but she had assumed I was lying and doubled it.  If I really did drink that much I'd probably fall off MY chair.

Level 9

I did exactly the same thing - and got a red X as well!

I can't deny your logic, Simeon.  You're making good sense to me, too.  I make a specific point of noting the lower BP readings when I'm at annual checkups, and report why I suspect they're better when I've not improved my diet or added more exercise to my week.  The doctors/nurses aren't making their decisions in a vacuum--at least not in my case.

Historically they have been less likely to record my blood pressure when it's high at the beginning of the appointment due to my rushing to get there on time.  They actually suggest arriving early so a person isn't stressed by the simple act of getting to the appointment on time.  Which is what I've been doing, and enjoying the better results.

When the reading is high at an exam they read it a second time later in the exam.  If it's still high they read it again at the end of the exam, giving a person more time to calm down.  They record the lower of the three readings.  Thu they avoid artificially high readings caused by short-term travel stress.

Ideally they'd also find a way to measure BP randomly during the day when I'm at my cube/desk working on network projects & challenges.  And then also when I'm in meetings, or discussing progress with my supervisor.  And taking information from all of those settings and making decisions about what my actual real-time and long-term BP is, for better diagnostics.

While we're at it, it probably would be interesting to also generate unobtrusive and random BP monitoring while a person is driving, stuck in traffic, interacting with spouse or children or parents or siblings or in-laws.  And also taking readings during the holiday season.  And during exercise and after sitting in a cube staring at screens for a few hours.

I don't know how that could happen today, but I've read Futurists predicting that people will have two-way wifi-like communication equipment (micro-chips) installed inside their bodies within the next fifteen years.  The assumption is we'd be able to think "Call Fred's brain" or "call the police" or "Receive Fred's brain call to my brain" and then we'd be able to carry on a two-way conversation.  I sort of doubt that.  Folks also dream/hope  that they'd be able to watch videos inside their own heads anywhere they have wireless reception.  I rather hope that's not a possibility ever.

But such an implant MIGHT be able to send medical information anytime, anywhere, including BP. 

I bet we'd all be amazed at the results.

It seems the answer to your question focuses on restricted access to a password manager.  For example, my organization provides password management apps to all of us, but requires us to store them in the network instead of on PC's or laptops or smartphones.  Access to my own, or my team's, password database is restricted by source address, AD account, and requires MFA.  All we need remember is one password and to have our cell phone; it gives us access to however many passwords / accounts we choose to store.

It's not as convenient as having only one password for everything (or using post-it notes), but it's reliable and highly available, and secure enough to pass PCI and HIPAA audits.

Level 14

I watch videos inside my head now.  No wait, that's daydreaming.     

Level 9

By now I should know to read the comments first. Got Q3 wrong.

Level 14

Ya.. the correct answer box is my favorite...

Level 9

I read the comments and still got Q3 wrong.

Level 10

I agree with rschroeder​'s statement. And to add to this for those that are unaware, many of the password vaults that are web based can be used for free if intended for personal use. These services do all the work for you, even generating desired length and complexity of passwords so you don't have to come up with your own. When you update a password, it even throws it in your vault if you have the add-on enabled in chrome. Easy peazy.

I have over 100 password between work and personal. Without these vaults I would be lost. I do not have to have a password that is the same for any of them. 🙂

LastPass and Keeper Security are a few that work really well.

Level 14

Having a hard time making out what the screenshots show in today's hint. The resolution is very low.

Level 11

Same.  I'm waiting for some discussion on this one.....or more coffee.

Level 11

Agreed, hints are hopelessly out of focus even on a 27" monitor and enlarged.

Level 14

That's a relief.  I thought my eyesight had finally gone.

I work for a company that employs a lot of folks who are not computer savvy.  They know enough to do their job and not much else, nor do they WANT to know much else.  We recently implemented a password policy that looks something like this:

1. Minimum password length: 16 characters

2. No more than three (3) repeating characters

3. Must contain 3 of the following:

    A. Upper-case Letters

    B. Lower-case Letters

    C. Base-10 Numbers (0-9)

    D. Special characters (~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/)

4. Password age: 6 months

There are a few other quirks but you get the gist.  So, how do folks who don't like computers to begin with deal with said policy?  well, there's nothing that says that you can't use simple phrases (and spaces, for that matter), so you get things like:

Idontlikemondays2019

or

1967Chevycamarosrule!

Again, you get the picture.  And yes, Joe, in the field, I see sticky notes, labels, all sort of things with passwords on them.

To dovetail onto the password manager discussion, I've been using PasswdSafe for almost 20 years now and it's been amazing.  I still have things in there from the early 21st century (that reminds me, probably should clean it out one of these decades!) but it's easy to use, can make suggestions for strong ciphers and you can set it to follow your organization's password security policy.  The one that the company has available is LastPass, and I've seen that a lot lately.  have not tried it but I hear it's decent.  I'm just old and set and my ways, that's all.. 😄

Level 14

We use LastPass in the IT department as somewhere that isn't an Excel spreadsheet to store the multitude of passwords for the thousands of systems and devices we look after.  It's OK for that and is accessible externally with 2FA authentication which is useful if we are off site and need to retrieve a password.  It also generates really complex passwords which are useful for service accounts.  We are looking to move away from this and implement a Privilaged Access Management solution.  We are currently evaluating.  CyberArk and Thycotic are leading contenders at present.  We are also implementing Okta Single Sign On for the users.  They just have to remember one password, Okta does the rest.  If they are in any of our sites worldwide they just sign on as normal.  Off site they get 2FA as part of the sign on.  Stressful times.

Actually, in today's (10/14) case, I found that the verb(atim)iage on the hint page is sufficient for answering the question.  Did not even look at the screenshots.

Level 14

The only issue I had was whether they were looking for the "All of the above" answer.  Always get a bit nervous when that appears.

Level 14

Thanks!  I always want to look at screenshots since I've been burned in the past.

I know that this is going to be 74 or later, but it just goes to show that you never know from whence inspiration will come...

pastedImage_0.png

It's time once again ladies and gentlemens, boys and girls, Damen und Herren, Mister and Misses America and all the ships at sea, for another...

EARWORM ALERT!

Now, you're probably saying to yourself "Alex, have you lost your bloody mind?  What could the number '73' possibly have to do with music?"  Ah, listen to the great words of The Blues Image on this very esoteric ditty from the '70s:

The Blues Image - Ride Captain Ride - YouTube

Level 10

Happy Birthday to me! Don't overthink it.

Level 9

Here's to hoping I win this week's prize hehehe

Level 14

Q6 14th Oct

That was nerve wrecking. Is it? Isn't it? This one? or That one? or was it All of them?

I see now that chayden18 said "Don't over-think it". Ooops - too late.

Level 9

This is great feedback, thanks ebradford​. Similarly found some of my credentials floating around there, in plaintext...

Level 9

My thoughts exactly!

MVP
MVP

InthisCorner.jpg

Level 12

oh yea I am sending this to all the people named Dave that I know. 

MVP
MVP

Congrats jdawger765​ - learning makes this valuable, winning makes it fun!

MVP
MVP

When I worked in Vermont there was a series of radio commercials with the ending tag line of "Don't be a Dave." The Dave in the office never heard the end of it. I just sent the image to the team leader up there to show in their next meeting.

Level 12

Just a heads-up for Week 2 Q.9 - read the hint answers carefully to match up with the correct answers in the question. It would be easy to scan the alphabetical list and miss an answer.

I nearly did, but double-check saved the day.

Level 9

Oh that is Cheating!

Writting SQL Server Audit on the question and Microsoft SQL Server Audit on the page

MVP
MVP

Oh no fair!

Should have read the comments before i answered, big red X for me today

Level 9

Fell for it, I hate these damn trick questions.

Level 9

I should have read the comments first.  I rushed it and got a big red X.

Level 9

Got me as well...

Level 14

They got me today too.  These "gotcha" questions are so annoying because they're based on technicalities that have no value whatsoever.  I learned nothing about the SW tools and features in the question, only that I need to pay closer attention to get the thwack points.  Woe is me. 

Level 10

I concur with the above comments. It is almost cheating to give an alphabetical list and then have the question worded differently. I don't like missing an answer on a technicality.

Level 9

Yeah that was just cheap, I get that we should have read a little better. But that's unfortunate overall.

Level 10

wow. got the curve when expecting the fastball.

Level 11

So, is MS SQL more specific than generic SQL for the context of the question. My gut says SQL is NOT MS SQL in the same way that all rectangles are not necessarily squares.

Level 10

Filthy stuff.

Level 9

Same, I want a reset. The question says SQL but they only added MS SQL. I'm sure that connector doesn't work with MySQL, PostgreSQL, etc

Level 11

Note to self: read the comments first, and SQL starts with an M.

Level 9

Today's question seemed so easy.  Nope!

Level 10

Wow, glad I read these blog comments! Thanks!!!

Level 9

Normally I agree with the mistakes I get, and think the questions aren't a problem.  But todays is just wrong.

SQL Server Audit is not the same as Microsoft SQL Server Audit.

SQL Server Audit means it could be used on any system that supports SQL of different flavors.  PostgreSQL, SQLite, MySQL and Microsoft SQL server.  Just to mention a few.