2015 Q1/Q2 Update



Time flies when you're having fun, or so the old adage goes. It also flies when you're busy which I certainly have been since Christmas. I'm taking the opportunity to write this summary update as I head out to an industry summit (ILTA LegalSec) being hosted in Baltimore.

So what's been keeping me so busy?

Primarily, I've been busy since starting a new job. In December I joined the security function at DLA Piper, supporting the global business in both a technical and compliance capacity. With any new job comes new challenges, and the world's largest law firm certainly comes with its fair share. Anyone who's known me for any length of time can vouch for my appetite for a challenge, and the legal industry seems to have a lot to offer. The role is a good fit for me and it seems like I've joined the firm at just the right time. In addition to a raft of technical and operational projects, I'm getting the opportunity to don my compliance hat again and contribute (typically as lead auditor and principal adviser) to improving and expanding our ISO27001:2013 scope and coverage. It's rewarding work and it's allowing me to really engage with the business.

Despite maintaining a busy schedule, I've still found time to dabble in a few things of my own as well as doing a little bit of travel.


In terms of vulnerabilities and research, I disclosed my first bugs back in March and managed to net my first bug bounties. I found an information disclosure vulnerability in the hosted presentation platform Prezi which, by their own numbers, is used by 50 million people and 80% of Fortune 500 companies. In return for proper and ethical disclosure I was awarded the single highest score for a disclosure in their bug bounty scheme to date, which ranks me 3rd overall out of anyone that's disclosed a vulnerability to the Prezi team. At the time of reporting, I didn't know they had a bug bounty scheme (I didn't waste time looking once I spotted the issue). I wasn't really sure how they would take the news, but they were delighted to hear from me and a real pleasure to work with. In addition to a cash prize and the honourable mentions, the team at Prezi went as far as inviting me to CraftConf, which they were hosting in Budapest, but unfortunately I couldn't make it.



In the same week I reported an open redirect vulnerability in the employee benefits application CorporatePerks which, according to their own numbers, is employed by 95% of Fortune 100 and 70% of Fortune 1000 companies. Again, they were delighted to receive the news in a responsible, actionable fashion. The team at CorporatePerks wrote back with thanks and with news that they didn't have a bug bounty scheme. A few days passed and they wrote back again to inform me they'd started one, and that I'd be awarded the first prize. They even asked me to review and comment on the rules of engagement they'd drafted, and engaged with me to perform re-testing.



Despite my predisposition to warmer climates, I allowed myself to be persuaded to visit Iceland in late March. Looking back on the trip now, I can safely say I wouldn't need persuading for a second visit. Despite the climate, which in itself has its charms, Iceland is a magnificent country. New meets old, and both stand amidst some of the most profound natural beauty I've ever been lucky enough to behold. I've compiled a small sample of photos and shared them on Flickr for anyone who might be considering a trip. The reason I mention it here isn't for bragging rights (well, maybe just a little); rather, whilst I was there I started to pull together some ideas about a research project in the region. Recently, FireEye wrote about threats to the Nordic countries. More to follow on this later.


Whilst all this was going on, I've been collaborating on some tooling for simulating targeted phishing campaigns with my good friend @leighhall. We've dubbed the tool 'macrosploit', given the form the initial payloads were taking. In addition to testing user awareness and endpoint controls, we've set out to design and build a solution that can test and infer the state of broader technical controls. I'm concentrating on the architecture and back-end, whilst Leigh has been cooking up all kinds of payloads in his lab. It never ceases to astound me how far you can take a 'what if...' conversation when you're working with people with a real passion for their work. In CERT-UK's annual report they continue to identify malware as the No.1 risk to cyber security, and phishing remains the principal delivery mechanism for it. Every organisation should take steps to understand how well their defences will play out when they are targeted. Again, more on this to follow in later posts.
