
Shields Down Conversation Number Two

Product Manager


THWACK members, I'm 100% loving the comments in this series! You all are giving me a much-needed boost in security thoughts and ideas. Thank you so much!

Conversation Number One led me to realize that I need to jot down the resources I use as my "go-to's." These are links to several places that help me to be cyber-aware if you will.  I would love for all of you to share your resources as well so we can help create a thread of wholesome greatness! tomiannelli, your comment, from Conversation One, that provided a link for more information (18 U.S. Code § 1030 - Fraud and related activity in connection with computers) was really thoughtful. I truly appreciate the sharing of knowledge.

Now, let's dive in, shall we?

Security Conferences

InfoSec

Conferences - O'Reilly Media

ShmooCon

SANS Events

Knowledge Links

Department of Homeland Security

I spend hours on this site trying to see which direction the government is leaning toward. I also like going there to view their education suggestions and which cyber security fields they are hiring in.

National Vulnerability Database

Checklists, data feeds, vulnerability metrics, and more resource links provided within. This is a bookmarked staple.

SANS Institute InfoSec

This is a white paper that I find myself reflecting on a lot. Especially when I'm focusing on new security plans with companies that have never really had one in place. The concepts and case studies within help to ground me for some reason.

Cisco Umbrella (https://learn-umbrella.cisco.com/ebooks)

Okay, if you click on this one it will want you to fill out information before you download any of their books. I'm a huge Cisco user and when it comes to security and concepts, well, I'm just like my best friend, Kate Asaff, when Apple has a release. Let's just say that I'm interested in the new capabilities and features.

There is SO much more, but these are my top picks that I consistently go back to. Now, DEF CON is not on any of my previous lists, and this is merely because I would assume it's expected. 

The challenge now (drum roll, please), is to prompt EVERYONE reading this to share your favorite security sites. On your mark, get set, GO!

60 Comments

In no particular order:

Level 10

Those are all great sites and I am interested in what others have to submit as well. I will submit a couple of sites many may overlook or spend a ton of money having an outside service perform for them.

From the "Know thy Enemy" list

https://www.offensive-security.com/

https://www.kali.org/

If you do not test your security, how can you rely on it?

Security sites, conferences, etc. are all great places to stay up to date on security-related information; however, the most overlooked aspect of a security policy is always the elephant in the room...... the security exception. Security exceptions are the unprotected thermal exhaust ports of your security policy's means to bring order and security to your network; the more exhaust ports you have, the more likely it is that some nefarious actor will get a lucky attack in, and I think we all know how that ends.

MVP

Nice

(ISC)2 Congress - Austin TX 2017 coming up soon. 

(ISC)² Security Congress 2017 - Cybersecurity Conference | Information Security Event | Online Regis...

ISSA is in conference next month.  ISSA International Conference - Home Page - Information Systems Security Association

Infragard (an FBI - Business partnership) is meeting later this month in Dallas.  Events & Conferences - InfraGard Critical Infrastructure Protection and Information Sharing

ThwackCamp 2017.....

Links

Cybrary is a nice free learning site with Free content.  I thought their CISSP material was better than others that cost money.   Cybrary - Online Cyber Security Training, Free, Forever

SANS training is great. SANS Information Security Training | Cyber Certifications | Research

SANS Internet Storm Center Podcast "StormCast".    Cyber Security Podcasts - SANS Internet Storm Center 

Level 21

networkcanuck​ had some great resources in his Geek Speak post HERE.

Level 20

I like offensive security too!

Level 20

Infragard is pretty good.  I'm a CISSP so I get the ISC2 stuff for sure!  Nice ones RT!

CPE's CPE's CPE's!!!!

Level 20

I was thinking the exact thing too byrona... I was thinking... didn't we just have a geek speak about this the other week lol!

Level 12

Back in the day, DARPA designed firewalls that had true "strike-back" capabilities.  They eventually spun them off into Secure Computing, which called the firewalls "Sidewinders".

When the military used them, their version could respond to probes with a wide variety of passive or active rules, including sending a very rapid "ping-of-death" to the source addresses, effectively shutting them down via DOS.

The commercially available versions only have passive strike-back options, but even those were helpful.  They included things like automatic traceroutes, net lookups, ignores/drops, etc.

I used Sidewinders for 20 years and never had a breach that we were aware of.

Level 10

DEZ, how ironic that you are talking about security and we find out that there has been possibly one of the biggest data breaches in the US with Equifax. Is nothing sacred anymore?

Level 12

They dropped the ball. Talk about an Agency or Industry that should be top in their game where protecting Personal information is concerned. The PID they have is exactly what the financially motivated hackers have been after. I do hope that there is some investigation as to how this occurred, and I don't just mean the full debriefing on the attack vectors used, but I think more importantly, was this key target industry doing everything possible to stay alert and prepared with appropriate defenses. In other words, were they fulfilling their legal obligations to protect this personal data or did they let their guard down (due to economics or something else?). I think much can be learned from proper disclosure of this information; too many times this occurs and the "Circle the wagon" mentality does not allow other operations to learn from mistakes made, then other businesses end up falling prey to similar attacks.

Level 12

Dez​ I think this Shields Down blog is a great addition and conversation starter around a key aspect of many of our day-to-day operations. Thank you for starting it. It would be cool to have an organized library of security resources that all contributors and commenters have provided...

" . . . to have an organized library of security resources . . ."


Level 13

Image result for data breach photo

Level 12
Product Manager

The bad thing is that we are only hearing about the hacks/breaches that they find out about!  Think about that for a moment and look at how long it took them to know they were breached.  Security is a business issue and should be a very fluid, proactive, with a highly readily available reaction.

Man, I've been in the mountains away from all technology and as soon as I got signal today I was blowing up with the Equifax breach.

I think I might head back to the land of no technology, lol.

~Dez~

Product Manager

I agree!  I'm going to work with the THWACK team and see what can be done

~Dez~

Level 15

Nothing more. Claudia França


Level 12

I hope Equifax burns and the company is basically left for dead after this. Such a huge breach with something they are supposed to be professionals on. The amount of information and the type of information that was leaked, combined with how they have handled it so far and will likely continue to do so, is unforgivable and unacceptable. They NEED to be held accountable for this as a company, and that starts with the executives, not some middle management or some engineer in the basement. Sadly what will happen is it will be on the radar for a little while and then go away like nothing ever actually happened. No one will be held accountable for it and the only people who notice anything are those who had their information leaked and abused.

MVP

What sucks is that the people exposed were not "paying" customers...but rather their data was hosted for other companies to use.

Fact: Equifax security was breached, resulting in the loss of personal information (e.g.: SSI, birth date, birth location, name, street address, telephone number, etc.) for a reported 143 Million people.

Fact: Equifax executives sold millions of dollars of their personal stock in Equifax after the breach was discovered, but before the breach was reported.

Fact: Equifax stock value plummeted after the breach was reported.

Fact: Equifax reported that the upper executives who sold their Equifax stock (before the breach was reported and the stock values dropped) did not know there had been a breach, and that not reporting the breach until after they'd sold their shares is merely a coincidence.

Conjecture:

pastedImage_4.png

Level 12

Pretty much SOP Seems to happen all the time when something big that is going to affect a few top Execs, Board members or Shareholders - just making sure their pockets remain lined. Sad but true. Enron may be the most famous, but we have all seen similar actions throughout the years... what's the difference?


Level 12

^^^^ This is exactly my problem with the whole thing. I have never done business with them before. I hate the concept of their business in reality. Yet now all my information is out there and there is literally nothing I can do about it but wait and hope I'm not worth as much as some other people out there that got caught by this as well. Basically I am completely screwed for the rest of my life because of this company that I have never had dealings with holding on to all of this information about me and implementing poor security practices and questionable business choices along the way. As someone who is currently looking at purchasing a house or some land and building a house, this is a serious problem for me. As if I don't have enough to worry about on a daily basis now I have to watch my credit like a hawk and make sure nothing fishy is going on.

Level 12

I think the difference this time around is that it results in half the American population having their credit (lives) basically hung out to dry as a result of this. There will be consequences, at least I hope.

Congress is already looking at ways to lock these companies down and prevent this kind of issue, and basically lock down their unchecked and rampant abuse of power.

Only time will tell if anything actually happens though.

MVP

Inconceivable !!!

Level 12

Pretty sure your Congress or any other Gov't Legislation from any country will do little. I think we have to remember the money involved in these Companies. I mean what changed when 15 million Social Security numbers of T-Mobile Customers were lost in the 2015 breach against TransUnion and Experian. To name but one.

I think a better approach to legislation would be a Global one - an agreement between all Countries much like other Security/Intelligence Agreements but focused on Corporations. Might make it easier to hold them accountable as well as gathering data to track those responsible.

Ticks me off that even though the breach began in May and went undetected till July, yet they still did not openly report it until the beginning of this month?

  • Personal Details of 143 Million People stolen
  • 209,000 Credit Card numbers
  • Numbers of Drivers Licences not released
  • What else have they not released or are unaware of?

Love their website statement though, fills me full of confidence:

"You'll feel safer with Equifax. We're the leading provider of data breach services, serving more than 500 organizations with security breach events everyday,"

Level 10

If you honestly believe our Congress will do anything to make this right, I have a bridge I can sell you. Having been in politics in a previous life, I can tell you that the only voice that they ever hear is the ones that talk dollars. Congress has become a joke and so has our government; if you don't have money, you are not important. Sorry to sound so negative, but I am not blind to what is going on and it just makes me sick because we all know they will get away with this with at the most a slap on the hand and nothing more.

Level 12

Not Negative dtolemy​ - right on the mark.

That last phrase you provided seems to take on a new meaning now . . .


"You'll feel safer with Equifax. We're the leading provider of data breach services, serving more than 500 organizations with security breach events everyday,"

It's as if Equifax serves data breaches to their customers . . .


Level 12

You are probably right. I know any time I go and do something that I know will require a credit check, I will ask what firm they are going to check it against. If they say Equifax I will ask them to choose another firm. If they do not, I may decide to take my business elsewhere. Likely will not work at all and will have no impact on it at all, but it's about all us worms can do at this point.

I will not be surprised to learn the other "leading" credit reporting agencies have vulnerabilities--perhaps greater than or equal to those of Equifax.

And certainly those companies are targets equal in importance to those who breached Equifax.

Level 10

rschroeder Expert I agree, I am sure this is just the tip of the iceberg (Oh wait, they are melting). Sometimes I think it pays more to stay home and hack than it does to work for an honest living... So SAD, So Sad

Level 12

I would not be surprised to find out they have already been breached. I imagine the hackers who did the Equifax one had to at least send a poke at the other 2 as well. Maybe they were in all 3 of them at the same time and Equifax found them first? Guess only time will tell on this one.

Level 12

Yup that's the point.... Direct quote from their website 

Equifax Data Breach Solutions


That seems most likely to me, too.

Level 12

Do you feel Safer? I sure do  

I was working a tech support issue with a gentleman based in India last night.  I asked him what sites he reads / surfs in his spare time.  He surprised me by saying he got rid of his home Internet connection, doesn't have a smart phone (only a plain cell phone), and he intentionally stays disconnected when away from work.

He rides motorcycle in the dunes in his spare time, which seems a LOT better than having one's face buried in a screen all the time.  And riding motorcycle in loose sand might potentially be safer than staying connected, given what we know about Equifax.

Product Manager

The more "convenience" options and technology add ons we buy into allows us to be pleasantly looking down while our pockets are being picked.

Unplugged is a great way to keep yourself "safer", but the reality is that other people will still have your information...

~Dez~

Level 12

Yeah, no way to avoid that in this day and age. If you have a SIN or Social Security Number, bank account, most utilities, mortgage or other loan, Email, ISP services yada yada yada.... only good thing about being unplugged is you don't learn what is going on with your data while you are unplugged.

"Ignorance is bliss" 

You're exactly right, Destiny.

But . . . you'll be healthier for the outside activities and exercise and less burned out by screen time, and I'd bet you'll probably sleep better for the fresh air and activity.

All while someone's using your Equifax info to make purchases against your credit cards.

As I rethink his comments about disconnecting while away from the job, I think he had a few goals other than Internet security in mind:

  • Being active is more healthy than keeping one's head buried in a screen
  • Staying away from the screen enabled him to get much better quality time with his wife, kids, and friends
  • Screen time prior to bed has been linked to poor sleep patterns and difficulty falling asleep; he doesn't have to worry about that.  Sure, he might worry about identity theft, and that would maybe keep him from falling asleep . . .
  • Less time online means less opportunity to click a bad link, catch a virus/Trojan/wyrm, be hit with ransomware . . .   If you're never online, no one's getting you to respond to their phishing expeditions.

There's no increased safety for your personal data already out there.  There's just less stress, healthier habits, better rest.  I'd buy into it.

I told him I should arrange with my wife to try a screen-free weekend once a month and see how we reconnect with each other instead of with Facebook and Youtube and work.

Level 12

Boy it just keeps getting better and better over at Equifu**s HQ.

Equifax’s Latest Data Breach: Argentina - DataBreachToday

Default admin credentials for an employee portal with faxes and other data. Clear text usernames and passwords being stored in there as well for staff. Brilliant, just brilliant.

I think they are taking the whole "Shields Down" blog series theme a little too literally here Dez​......

Level 12

Commendable goals...like a shortened version of the "Digital Detox" many folks are practicing. By this time next week I will be in a place where literally 15 minutes out of town there is no Cellular signal and without a Sat phone you are out of comms signals.... Can't wait!  Just me, my bike and the bears... 🙂

Level 10

Sounds really nice, wish I could do the same thing.

I try to spend a few weeks in places like that every year.  Once I was able to expand the size of my Network team, and try to get them enough training and access to the right support contracts, it became easier for me to visit isolated areas and finally let go of the mental stress.


I am loving this thread as well. I am in the process of building out a Security Architecture for my employer. I have relied heavily on you and Josh Habermann for direction and vision. Keep 'em coming!  🙂

Product Manager

How about LifeLock selling credit protection that stems from Equifax?  Oh, and let's not forget the insider trading and the breach in March they had also...  SMH

CRAZINESS is everywhere, I'm not paranoid...  LOL

~Dez~

About the Author
I started in networking and security around 2002 by taking Cisco Certified Network Associate and Security+ courses from Central Vo-tech. This is where I fell in love with technology in general. From there I ventured out to internships and started using the Engineers Toolset from SolarWinds, which made me wonder about software. The company I was with purchased Cirrus, which is now Network Configuration Manager (NCM), and I was officially hooked. I searched out SolarWinds and, well, you guessed it, I started working for them and, believe it or not, in sales. That was the only position open but I knew I wanted to be here. So I quickly worked my way into the support side and became the first Sales Engineer and then the first Applications Engineer. Since I am a very curious person, I have since, in my 9 years of being at SolarWinds, decided to pursue more education. Security is always a fascination to me so I started taking classes on INFOSEC Assessment Methodology (IAM) and INFOSEC Evaluation Methodology (IEM) of the NSA. Then I went and took the CIW Masters for web development and ventured to databases: MCITP SQL Server and Development certifications that led me to a database development degree in college. I’m pretty much a jack of all trades and LOVE IT! This all applied to my work with SolarWinds as I wanted to be able to help customers solve their issues or needs. So knowing more information allowed me to do this successfully. I also dabbled in Cisco UCS management and am currently taking classes to venture toward a CCIE (crossing fingers). NCM is a product that I have worked with since its beginning. I even had the opportunity to fly to the NSA to create templates for some of their devices. I used to be the sole MIB database controller so I’m definitely your huckleberry on MIBs and OIDs.
As an Applications Engineer I focused on Network Performance Monitor, Network Configuration Manager, Web Performance Monitor, Enterprise Operations Console, Patch Manager, User Device Tracker, and the Engineers Toolset. See why I like to constantly learn new things? I had a lot to be on top of! SolarWinds is a passion of mine still to this very day. My new role as a Product Manager for NCM is home to me. Funny how I circled around back to my favorite product that got me here in the first place. :) My goal is to educate and work with customers to leverage our products to their fullest degree!