Category: Information Security

NIST 800-171 requirements for contractors

Meeting NIST Requirements while using SaaS Software.

By December 31, 2017, organizations that process, store, or transmit Controlled Unclassified Information (CUI) need to comply with NIST Special Publication 800-171. The question organizations need to consider is what this means for their SaaS applications. How do you do it in the “bring your own cloud” (BYOC) world we live in? I am going to walk you through the critical things you need to think about for SaaS applications as you work through this.


UPDATE: Hacking Puerto Rico Disaster Relief

Since the first Red Lion Puerto Rico post, lots of things have happened!

  • Hackers for Charity has a direct donation page – Hit the button that says “Support the Puerto Rico Disaster Relief Effort”.
  • The towns we are directly supporting are Carlos Perez’s home town of Toa Alta and Jose Quinones Borrero’s towns of Catano & Bayamon.
  • And most importantly, every piece of gear, every experience, every misstep, every tip and trick and hack we figure out painfully along the way, is being written up as a recipe, so we have a repeatable cookbook for disasters. And the Information Technology Disaster Relief Center is working with us to use our cookbook, get volunteers from the hacking community, and help Puerto Rico! Sign up now at ITDRC.org!

Recap!


Hackers aren’t all bad… $15k for Puerto Rico Recovery

Janice Paulson, my wife, and I attend quite a few hacker conventions every year. We run BSidesDE, are semi-officially listed on the organizer’s council for BSidesDC, attend BSidesLV and Defcon, work Derbycon and Shmoocon, and probably go to another 2-3 conferences a year, besides these.

And at Derbycon, in Louisville, KY, I met up with some friends of mine. Ok, about 2500 friends of mine. Derbycon is a hacker conference, run by Dave Kennedy, Erin Kennedy, Martin Bos, etc etc. TrustedSec employees and friends put a lot of effort into the conference. Part of that conference is a 2 day training time, where high quality paid training is performed. One of the trainers, Carlos Perez, is a master of post-exploitation, and his training is highly valued. Jose L. Quinones Borrero, the primary organizer of BSidesPR in Puerto Rico, is also at Derbycon.

Carlos and Jose are both Puerto Rican natives and fantastic guys. Both of their wives told them to come to the conference, and to have a good time. They’ve weathered hurricanes before, and it wouldn’t be too bad. They were wrong.


Assessing Big Picture Risk Through the Lens of the Equifax Breach

Authored by: Joshua Marpet – COO, Red Lion & Janice Paulson – Data Scientist, Red Lion

Disclaimer

Red Lion has no intimate knowledge of why or how the Equifax breach occurred. Red Lion was not involved in the security planning, implementation, or strategy for Equifax, nor have we been consulted for the incident response, crisis communications, or any aspect of Equifax’s security, compliance, security testing, etc.

Your Personal Data and Privacy

Equifax holds information about the bulk of all Americans who participate in common banking and credit transactions. They gather this information from your credit applications such as mortgage paperwork, car loans, and credit cards. They buy information about your address, family members, and other personal information from various sources, and re-sell, along with their assessment of your credit worthiness to banks and other lending institutions.

You consent to this every time you participate in the banking or credit lending system.


OWASP Top 10 Vulnerabilities List is Changing

OWASP!!! RUN!!!!

OWASP is changing their Top 10! Ok, so this really isn’t as serious as I thought, but, wait, what is that? IT IS! Whether IPv4 or IPv6, common vulnerabilities can be found all over the place. OWASP is finally updating their Top 10. So let’s look at some of the finer points.


First Impressions of ITPro’s Studio – Get a Discount

Getting There

Recently, the Red Lion team paid a visit to ITPro.tv studios in Gainesville, FL using a “party bus” set up by the company’s leaders Tim Broom and Don Pezet. Once there, the entire staff greeted us.

Layout

ITPro’s journey didn’t start out as flashy as they are today. To get to their current setup, they transitioned from a closet, then a warehouse, and finally to their current 10,000 sqft facility. The first thing they did after moving in was to tear up the ground and re-lay the subfloor. They also laid pipes from the control center to each of the 5 “pods”/studios. This allows for the running of extra needed cabling to and from the control center. Then, they equipped each pod with soundproofing foam squares, overhead scaffolding, lighting, and cameras. The best part is that the control center can control all pods at the same time. And, all sets are built for maximum flexibility to fit the needs of their presenters.

Video: https://www.youtube.com/watch?v=YWCNcgW3PRY

Why is this important?

This configuration is “typical” for most production studios. However, keeping the offices on the production floor allows for massive flexibility and a “Wow this is cool!” factor that is off the charts.

What does ITPro.tv do?

ITPro serves the needs of the information security community in many forms. From being the Sherpas of solid technical content to enabling the career-changing transformation of all people who want to better themselves, ITPro is the place to start. Their price as of the time of writing is $570 for the year or $57 per month with no annual commitment! This pales in comparison to SANS training at ~$5000/course. That being said, this is not a replacement for the boot camp style of training that most look forward to (and others dread). This can be an economical option for tight budget constraints, or for someone with an individual desire to learn.

Get Involved

ITPro’s offerings can be found in their course catalog. They have a free trial that will allow you to sign up and start viewing content. Sign up today and start changing your career.

Discount Code

For being a Red Lion regular you get 30% off on your subscription to ITPro.tv when you use the Discount Code: RedLion.


Focusing on the fundamentals in the software development process.

Build secure software

Peter Hesse of 10Pearls wrote an article about the future and failure of information security. From Security Today, “Why is the Security Industry Failing?” is a wonderful recitation of the problems besetting the information security industry.

Peter describes the money-hungry vendor culture, where every problem is seen as a potential billion dollar product or service. He talks about how companies aren’t paying attention to the Top 10, 12, 15, or even 20 security control failures, from whichever creator of those lists you wish to name.

Hesse’s solution is to build security into software. Specifically, he says we need to, “focus on building security into our software applications and technology platforms.” In other words, create secure software and platforms during the development process, do not bolt security on top or add it in hindsight.

Peter, I’m sorry; you’re right…and wrong. Wait, hear me out.

You’re right. As it stands now, the typical software application is built to be sold, to send that code out the door as fast as possible so it can generate money for the company. Developers are instructed, “Deploy code quickly,” not “Deploy secure code quickly!” That one word, “secure,” makes all the difference in the world. Bolting on security ex post facto is always worse than building it in. Using sane frameworks, where input sanitization and code/data separation are part of the process? Genius! Using secure hardware with hardware security modules (HSMs), locked-down memory addressing, and very well-tested methodologies for encryption, messaging, and error handling just makes sense.

Now, Peter works for a software development company so his views fit his situation. I bet 10Pearls has fantastic code security policies and tests the heck out of its code. But are all development teams from myriad types of companies that way?

They are not, so… Peter, you’re also wrong, unless you think that all companies will use secure frameworks, will factor in code/data separation, will prioritize user security over immediate profit. To illustrate the point, how many camera companies issued firmware updates after the Mirai botnet was made public? One? Eight? None?!

In all seriousness

With the venture capital backed system we have now, coupled with stockholder priorities, it’s a rare company that thinks beyond the end of the current fiscal quarter and the magic “numbers” the company “needs to hit.” It’s difficult for most companies to develop a long-term view of the organization’s growth strategy. Yet a longer term view is absolutely necessary to prioritize security in software, systems, applications, and consumer electronics.

How do we fix the problem? We bake security into the processes, into procedures. We build structures which we slot systems and applications into. We perform that most horrible of rituals, compliance. (But it works, so that’s cool.) We use devices with Mobile Device Management systems, and lock down users’ profiles. Smart admins never log in as an admin and then surf the internet.

In other words, we focus on the fundamentals. We lock things down. We patch. We scan and test. We automate to make systems reproducible, and we segment to localize problems. We follow established standards, perform compliance audits, and prepare for $DEITY knows what, because it will happen.

Peter, until all software is written to a standard, and a standard that you and I can agree on and work with, I know you and I will keep recommending to our clients that they focus on the fundamentals. You know what? Even then, I bet we’ll still keep doing the basics. They work, after all.


NEMA – Electro Industry


Read the full magazine below. Our article starts on page 11:

PDF: http://blog.redlion.io/wp-content/uploads/2017/04/EI_Jan17.pdf


Thoughts about Network Security and Policy Accountability

Network Security Definition

What does Network Security mean? Network security is an over-arching term that describes the policies and procedures implemented by a network administrator to prevent and keep track of unauthorized access, exploitation, modification, or denial of the network and network resources. This means that well-implemented network security blocks viruses, malware, hackers, etc. from accessing or altering secure information. Health Check: The first layer of network security is enforced through a username/password mechanism, which only allows access to authenticated users with customized privileges. When a user is authenticated and granted specific system access, the configured firewall enforces network policies, that is, the services the user may access. However, firewalls do not always detect and stop viruses or harmful malware, which may lead to data loss. Anti-virus software or an intrusion prevention system (IPS) is implemented to prevent viruses and/or harmful malware from entering the network. Network security is sometimes confused with information security, which has a different scope and relates to data integrity in all forms, print or electronic.

Policies and practices

Companies must adapt to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves the authorization of access to data in a network, which is controlled by the network administrator. Users choose or are assigned an ID and password or other authenticating information that allows them access to information and programs within their authority. Network security covers a variety of computer networks, both public and private, that are used in everyday jobs: conducting transactions and communications among businesses, government agencies, and individuals. Networks can be private, such as within a company, or open to public access. Network security is involved in organizations, enterprises, and other types of institutions. It does as its title explains: it secures the network, as well as protecting and overseeing the operations being done on it. The most common and simple way of protecting a network resource is by assigning it a unique name and a corresponding password.

Policy and Accountability

When the organization’s policy structure sets clear accountabilities for risk and the compensation system reinforces those accountabilities, there is a positive impact on the organization’s risk awareness and culture. Effectively articulated risk accountabilities lay the groundwork for balancing the entrepreneurial, revenue-generation side of the business and the control, risk oversight side of the business, so that neither one is too disproportionately strong relative to the other. This balance is elusive, which is why a strong foundation of clear accountabilities is vital to any organization.


http://blog.redlion.io/aide-digital-evidence/
