How fast can a stranger put together a complete picture of your organization?

26-Jul-2012 - According to Joe Cummins, president and principal consultant at Red Tiger Security, the more knowledge you have and the more knowledge you project, the more somebody else can pick up about you. Knowledge breeds information, which breeds the ability to move ahead by interpreting that information for his clients.

“We’ve gone to 'scare lunches' or 'scare breakfasts' where attendees witness live demonstrations of actual investigations,” he said. “These attendees lose their minds. They want to know how we’re able to extract a couple of sensitive pieces of information from one or two lightweight applications. It’s because I’ve been watching trends for months. Can I make it happen and translate better for them? For sure.”

Cummins is the first to admit he’s addicted to and loves his tools.

“Single-source intelligence for organizations wasn’t a concept two or three years ago. Now we have tools that present a lightweight footprint of what that organization looks like on the web. So drop in firstname.lastname.org and that information can be translated into many different bits of information. We can do the same thing with metadata, especially with everybody trying to push their data to the cloud.”

Small bits of trivial information found in .xls, .doc and .pdf documents, when combined with 300 other documents, allow a careful investigator to begin formulating a network silhouette of an organization. Most docs include the default printer for that network, including naming conventions.

In industrial control systems, the PDF – whether a batch control job or how much gasoline or nuclear material was refined that morning – is indexed to search and reference.

Now anybody can get that information – user name, maybe even passwords of that user. The application and the person who created the document have already done the majority of the work. 

Another trend Cummins and his friends in security have been talking about is the idea of how BYOD is leading to Manchurian devices. That one is picking up steam, leading to a number of high-profile exposures.

“If they can install substandard or recycled and re-branded parts into high performance aircraft, what’s stopping them from infecting a small PLC and putting malware into a chip?” he asked.

“You can infect a device at the manufacturing plant. Nobody is going to do the black box assessment when they receive 20 million parts into the plant. They’re going to roll it out and go. That’s very frightening when you think of the large-scale applications.”

Everything boils down to training, which Cummins sees as the silver bullet.

“It doesn’t matter how much they’re being paid. We’ve seen government IT orgs with tiny budgets finding the right brains, to figure out the smart efficient way to move forward. They’ll research it, and have the training already to understand the concepts and move around them. They come up with very creative solutions.”

Open source is the most common route to security solutions. They’re lightweight and supported by the community... deliver zero latency uptime-downtime... and there’s nothing else in that price range.

“They used the training they had in the room. It’s not a complex solution. Having the right education and training gave them everything they needed.”

As for type of training, hands-on gives the best results. Red Tiger training begins with performance exercises to assess where attendees are.

“Any group that does not give hands-on training is wasting your and your org’s money on training it doesn’t need,” Cummins asserted. “At least from my perspective hands-on is the standard.”

For example, trainees are given a VM that’s been compromised, to see how many people in the room can figure out what the compromise is and how it came in.

“Perhaps five of them might find it, and that’s being generous,” Cummins said. “As we go through the series, showing telltale signs, that hands-on work locks the knowledge into their skulls. You let them come back to it over and over again, so when they’re in the field and run into a similar problem, they know to ask, ‘Hey, what was that tool I used in that training course?’”

If you want a winning team, you need this mindset. Cummins compares it to the way a movie buff watching a movie will know that it touches on a known technique or is a tip of the hat to another famous movie.

“That hacking or malicious mindset really pays off. Combining training with the cognitive mindset and the world is your oyster.”