Category Archives: video

Secure Access as a Business Accelerator: a Conversation with Pulse Secure

In this Security Ledger Conversations Video, we speak with Sudhakar Ramakrishna, the CEO of the firm Pulse Secure on that company’s journey from Juniper Networks’ remote access business unit to a thriving, independent company selling secure access technology to firms with on premises, cloud and mobile deployments. Technology has...

Read the whole entry... »

Related Stories

Become A Professional Pentester with PTPv5

The Penetration Testing Professional training course version 5, PTPv5 is now available for enrollment. See what’s new and how you can benefit from this professional pentesting course to better your skills.

The PTPv5 training course is the best way to learn everything a professional pentester needs to know. How? You’re right to ask! PTPv5 will give you access to the exact same training material currently used by the most important security companies and many of the Fortune 500 companies to train their IT Security teams.

How Can I Benefit From PTPv5?

  • Lifetime access to your training material – No rush or missed deadlines
  • Decide when and for how long to study each module – Self-paced training in PTPv5
  • Take advantage of the virtual labs in Hera to practice what you learned
  • Non-expiring (or even unlimited) lab hours to do the important hands-on training
  • Flexibility in your learning style – Interactive slides, HQ videos, forum, virtual labs
  • Access an exclusive forum to interact with/ get help from your instructors and thousands of other PTP students
  • Use the exam voucher to prove your practical hands-on skills and get certified

Brand New Sections & Labs

1/ New Sections

PTPv5 comes with two new, extensive sections:

  • Linux Exploitation
  • PowerShell For Pentesters
Linux Exploitation

Linux and other variants of UNIX make up a very large segment of the overall internet infrastructure (including Critical Infrastructure), not to mention the exponentially expanding “Internet of Things” ecosystem of whose devices are mostly dependent on some form of *NIX or another. Those facts make Linux an increasingly popular target.

PowerShell for Pentesters

PowerShell is a powerful built-in shell and scripting environment we can utilize as penetration testers considering its wide-spread availability on all modern Windows-based systems. The use of PowerShell allows us to take advantage of the “living-off-the-land” concept, where using tools that are built-in to the Operating System work to our advantage once we’ve obtained access to a system.

2/ Updated Materials
  • Network Security, Module 2 – Scanning: Stealthier scanning techniques
  • Network Security, Module 3 – Enumeration: Addition of the EyeWitness tool
  • Network Security, Module 4 – Sniffing and MitM Attacks: Addition of the Responder tool (Incl. multirelay)
  • Network Security, Module 5 – Exploitation: MS17-010 (EternalBlue), Addition of rsmangler, crunch and CeWL for customized wordlists, and addition of the Mentalist tool
  • Network Security, Module 6 – Post Exploitation: Cover PTH for RDP using xfreerdp, Describe DNS exfiltration, DLL hijacking (detection and exploitation), Privilege escalation by exploiting services configured with unquoted paths, Update on passing the hash against newer systems, Using reverse_https of Metasploit, using custom certificates
  • Web Application Security, Module 2 – Information Gathering: Addition of the newer dirsearch, and slurp tools
  • Wi-Fi Security, Module 6 – Attacking WiFi NetworksAttacking WPA2-Enterprise (802.1x) networks, and introduction of “eaphammer” tool and Mana Toolkit for Rogue AP attacks.

Click HERE to see the detailed syllabus

3/ Additional Labs
  • Finding and Exploiting DLL Hijacking Vulnerabilities: Hands-on lab on finding and exploiting DLL hijacking vulnerabilities. You will also practice privilege escalation via DLL hijacking during this lab.
  • NBT-NS Poisoning and Exploitation with Responder: Hands-on lab simulating an internal penetration test. During this lab, you will use Responder for initial foothold and MS17-010 for lateral movement.
  • Brand new labs for both Powershell For Pentesters and Linux Exploitation

Get Practical with PTPv5

Aspiring to become a professional penetration tester? Enjoy 30% Off and a Free Edition Upgrade on the PTPv5 training course fees until May 31, 2018. To get the discount, just use the coupon code “PTP-D4A” on the checkout page 😉

BAREBONE EDITION
FULL EDITION
Regular course fees: $1299 Regular course fees: $1499

*Launch offers are also valid in installments

Click HERE to see what’s included in each Edition of the PTPv5 training course.

PS. If you’re already an eLearnSecurity student please check your email for your exclusive course launch offers 😉

Connect with us on Social Media: Twitter | Facebook | LinkedIn | Instagram

Forget C-I-A, Availability Is King

In the traditional parlance of infosec, we've been taught repeatedly that the C-I-A triad (confidentiality, integrity, availability) must be balanced in accordance with the needs of the business. This concept is foundational to all of infosec, ensconced in standards and certification exams and policies. Yet, today, it's essentially wrong, and moreover isn't a helpful starting point for a security discussion.

The simple fact is this: availability is king, while confidentiality and integrity are secondary considerations that rarely have a default predisposition. We've reached this point thanks in large part to the cloud and the advent of utility computing. That is, we've reached a point where we assume uptime and availability will always be optimal, and thus we don't need to think about it much, if at all. And, when we do think about it, it falls under the domain of site reliability engineering (SRE) rather than being a security function. And that's a good thing!

If you remove availability from the C-I-A triad, you're then left with confidentiality and integrity, which can be boiled down to two main questions:
1) What are the data protection requirements for each dataset?
2) What are the anti-corruption requirements for each dataset and environment?

In the first case you quickly go down the data governance path (inclusive of data security), which must factor in requirements for control, retention, protection (including encryption), and masking/redaction, to name a few things. From an overall "big picture" perspective, we can then more clearly view data protection from an inforisk perspective, and interestingly enough it now makes it much easier to drill down in a quantitative risk analysis process to evaluate the overall exposure to the business.

As for anti-corruption (integrity) requirements, this is where we can see traditional security practices entering the picture, such as through ensuring systems are reasonably hardened against compromise, as well as appsec testing (to protect the app), but then also dovetailing back into data governance considerations to determine the potential impact of data corruption on the business (whether that be fraudulent orders/transactions; or, tampering with data, like a student changing grades or an employee changing pay rates; or, even data corruption in the form of injection attacks).

What's particularly interesting about integrity is applying it to cloud-based systems and viewing it through a cost control lens. Consider, if you will, a cloud resource being compromised in order to run cryptocurrency mining. That's a violation of system integrity, which in turn may translate into sizable opex burn due to unexpected resource utilization. This example, of course, once again highlights how you can view things through a quantitative risk assessment perspective, too.

At the end of the day, C-I-A are still useful concepts, but we're beyond the point of thinking about them in balance. In a utility compute model, availability is assumed to approach 100%, which means it can largely be left to operations teams to own and manage. Even considerations like DDoS mitigations frequently fall to ops teams these days, rather than security. Making the shift here then allows one to more easily talk about inforisk assessment and management within each particular vertical (confidentiality and integrity), and in so doing makes it much easier to apply quantitative risk analysis, which in turn makes it much easier to articulate business exposure to executives in order to more clearly manage the risk portfolio.

(PS: Yes, I realize business continuity is often lumped under infosec, but I would challenge people to think about this differently. In many cases, business continuity is a standalone entity that blends together a number of different areas. The overarching point here is that the traditional status quo is a failed model. We must start doing things differently, which means flipping things around to identify better approaches. SRE is a perfect example of what happens when you move to a utility computing model and then apply systems and software engineering principles. We should be looking at other ways to change our perspective rather than continuing to do the same old broken things.)

Are we all RoboCops in the future?

7457645618_1c7dcd0523_oInternet together with small and inexpensive digital cameras have made us aware of the potential privacy concerns of sharing digital photos. The mobile phone cameras have escalated this development even further. Many people are today carrying a camera with ability to publish photos and videos on the net almost in real-time. Some people can handle that and act in a responsible way, some can’t. Defamatory pictures are constantly posted on the net, either by mistake or intentionally. But that’s not enough. Now it looks like the next revolution that will rock the privacy scene is around the corner, Google Glass.

Having a camera in your phone has lowered the threshold to take photos tremendously. It’s always with you and ready to snap. But you still have to take it out of the pocket and aim it at your object. The “victim” has a fair chance to notice that you are taking photos, especially if you are working at close distance.

Google Glass is a smartphone-like device that is integrated in a piece of headgear. You wear it all the time just like ordinary glasses. The screen is a transparent piece in your field of view that show output as an overlay layer on top of what’s in front of you. No keyboard, mouse or touchscreen. You control it by voice commands. Cool, but here comes the privacy concern. Two of the voice commands are “ok, glass, take a picture” and “ok, glass, record a video”. Yes, that’s right. It has a camera too.

Imagine a world where Google Glasses are as common as mobile phones today. You know that every time you talk to someone, you have a camera and microphone pointed at you. You have no way of knowing if it is recording or not. You have to take this into account when deciding what you say, or run the risk of having an embarrassing video on YouTube in minutes. A little bit like in the old movie RoboCop, where the metallic law enforcement officer was recording constantly and the material was good to use as evidence in court. Do we want a world like that? A world where we all are RoboCops?

We have a fairly clear and good legislation about the rules for taking photos. It is in most countries OK to take photos in public places, and people who show up there must accept to be photographed. Private places have more strict rules and there are also separate rules about publishing and commercial use of a photo. This is all fine and it applies to any device, also the Google Glass. The other side of the coin is peoples’ awareness of these laws, or actually lack thereof. In practice we have a law that very few care about, and a varying degree of common sense. People’s common sense do indeed prevent many problems, but not all. It may work fairly OK today, but will it be enough if the glasses become common?

I think that if Google Glass become a hit, then it will force us to rethink our relationship to photo privacy. Both as individuals and as a society. There will certainly be problems if 90% of the population have glasses and still walk around with only a rudimentary understanding about how the law restricts photography. Some would suffer because they broke the law unintentionally, and many would suffer because of the published content.

I hope that our final way to deal with the glasses isn’t the solution that 5 Point Cafe in Seattle came up with. They became the first to ban the Google Glass. It is just the same old primitive reaction that has followed so many new technologies. Needless to say, much fine technology would be unavailable if that was our only way to deal with new things.

But what will happen? That is no doubt an interesting question. My guess is that there will be a compromise. Camera users will gradually become more aware of what boundaries the law sets. Many people also need to redefine their privacy expectation, as we have to adopt to a world with more cameras. That might be a good thing if the fear of being recorded makes us more thoughtful and polite against others. It’s very bad if it makes it harder to mingle in a relaxed way. Many questions remain to be answered, but one thing is clear. Google Glass will definitively be a hot topic when discussing privacy.

Micke

PS. I have an app idea for the Glass. You remember the meteorite in Russia in February 2013? It was captured by numerous car cameras, as drivers in Russia commonly use constantly recording cameras as measure against fraudulent accusations. What if you had the same functionality on your head all the time? There would always be a video with the last hour of your life. Automatically on all the time and ready to get you out of tricky situations. Or to make sure you don’t miss any juicy moments…

Photo by zugaldia @ Flickr