The Countermeasure is security commentary and news focused on the enterprise, hand-delivered to your inbox every Saturday morning.
I see red people...
In This Issue:
- How penetration testing and Red Teams are the same – and different.
- BSD is the new Linux. Linux is the new Windows. Windows is the new Unix.
- Vendor risk management is necessary, difficult, and a growing concern for everyone.
- Infosec in all the colors of the rainbow.
Seeing Red (Team)
Do you know The Difference Between a Penetration Test and a Red Team Engagement? If not, you need to learn the distinction between the two terms. Penetration testers are narrowly focused. They have a specific goal, and they set about accomplishing it.
Red teams, on the other hand, aim to compromise the organization more completely. While both groups share most of the same toolkit, red teams rely more on physical and human reconnaissance, social engineering, and so forth.
Penetration testing is not enough to defend today's organizations. Formal red team testing is required, because red teams test all of your defences: human as well as technological. A red team will exploit any hole in business processes, employee training, even how you conduct interviews with potential staff. Make red teaming your own organization a regular part of your infosec diet.
The Changing OS Security Landscape
Take yourself back in time. Go back all the way to the end of the previous millennium, and think about the operating system landscape of the late 1990s. Way back then, Unix was what you used if you wanted true enterprise support and were willing to pay for it. Windows came in two primary flavors: consumer and mainstream server. Linux was steadily improving, and increasingly became the platform for those who wanted a little more security than Windows could offer but didn't have the money to spend on Unix.
Two decades later, the players have shifted, but the basic outlines remain (more or less) the same. Unix has retreated into a niche, and Windows has become the OS for those who have the money to pay for support. Linux now dominates the mainstream: RHEL and Debian-based distros make up the majority of mainstream servers, while Android has been the planet's dominant consumer endpoint OS for years.
BSD, meanwhile, is stepping into the role of the up-and-coming group of operating systems, and is where much of the serious security development is taking place today, especially for those who can't afford to buy Microsoft's attention.
Comparing and contrasting Windows and BSD is an interesting exercise. Microsoft is no slouch on security. They’ve developed a number of top-notch security technologies, many of which are now making their way into BSD distributions like HardenedBSD. HardenedBSD is the first operating system to ship with LLVM's Non-Cross-DSO CFI applied to the entire base OS, and is an example of the painstakingly hard work being done in the open source space.
Not content to sit still, Microsoft is also introducing Windows Sandbox. Windows Sandbox is a new lightweight desktop environment tailored for safely running applications in isolation. Windows Sandbox looks and smells a lot like Bromium's technology, and if it isn't Microsoft licensing Bromium under the hood, then they've probably taken the time to clone it. Bromium is a Good Thing, so it stands to reason that Windows Sandbox will prove to be as well.
Microsoft manages to accomplish its intensive focus on security thanks in part to what can be politely described as its innovative approach to quality assurance. All non-enterprise Windows 10 instances are beta testers for Windows 10 Enterprise and Windows Server. And Microsoft even managed to convince millions of people to pay for the privilege. Microsoft also has its Microsoft Insiders program, in which individuals and organizations volunteer to be alpha testers of upcoming OS releases.
This novel approach to testing has allowed Microsoft to make Windows significantly more secure and reliable for its enterprise and Long Term Service Branch (LTSB) customers, and is assisting it in taking over duties traditionally filled by Unix. BSD, meanwhile, is much like the Linux of the past: it trails Microsoft's security and feature innovations, much as Linux followed Unix, but is developed by obsessive purists who let others reap the benefits of their labors for free.
It's time to reconsider the role various operating systems play in our IT infrastructures. The various BSD distributions deserve a much more serious look than most organizations give them. IT teams need to educate themselves about the differences in the various editions and servicing branches of Windows, and what implications they have for security, privacy, reliability, and administrative control over the various components of the OS.
2018 Was Not a Good Year for Vendor Risk Management
There's always a new buzzword in infosec. At a high level, being an infosec professional means being professionally paranoid. The finicky little details of our collective and individual paranoia, however, are why infosec professionals get paid. A question that is all too infrequently asked is Are You Using These Best Practices to Build a Vendor Risk Management Program?
Vendor risk management is not a new concept, and has been a concern for years. Despite this, 2018 has been a year replete with major information security breaches, scandals, and abject failures that are the result of poor vendor risk management. These events were attributable not to poor IT security on behalf of the organization that ultimately took the heat for the breach, but to suppliers, partners, and contractors who practiced poor infosec hygiene.
It's time to start vetting any vendor, partner, or contractor in your supply chain that can have an impact on your organization's information security. This starts with IT vendors who supply operating systems, applications, and so forth, but it also includes logistics suppliers, payment processors, and many, many more.
Infosec in All the Colors of the Rainbow
A worthy mention this week for Louis Cremen. Introducing the InfoSec color wheel — blending developers with red and blue security teams. The Infosec color wheel is an attempt to expand how organizations think about information security by including more stakeholders in everyday infosec language.
Take the time to peruse Cremen's piece on the infosec color wheel. At a minimum, consider adopting the language of Red Teams, Blue Teams, and Yellow Teams. The other three colors are worth considering as well, but are more likely to be formalized only in larger organizations.
This Week's Threads
If you're a lady nerd, join! If you have lady nerd friends, get them to join! The world needs more people in infosec, so champion every attempt to boost the ranks.
"Join #WiCyS as a member of the #nonprofit organization! You can become one at no charge *until* 1/1/2019, and have access to benefits all year!" – Women in Cybersecurity Organization (@WiCySorg)
This week's threads are perhaps a little more solipsistic than most, but that's not abnormal for the infosec community, especially around the holidays, when all the crazy really starts leaking out of the vendors, retailers, and social media networks of the world:
"If your #infosec defense strategy - whether to detect/block a wiper or an #ICS disruptive attack or even theft - is focused on adversary actions on objectives, the final stage of the attack, then you've voluntarily ceded initiative and much ground to your adversary." – Joe Slowik (@jfslowik)
"This blockbuster @nytimes investigation is why 1) I am deleting Facebook profile…" – Ida Bae Wells (@nhannahjones)
Additional light reading that is both entertaining and probably important to know about.
Unlocking Android phones with a 3D-printed head – Graham Cluley – The State of Security
On the first day of Christmas, Microsoft gave to me... an emergency out-of-band security patch for IE – Chris Williams – The Register
Signal app to Australia: Good luck with that crypto ban – Cyrus Farivar – Ars Technica
A Chief Security Concern for Executive Teams – Brian Krebs – KrebsOnSecurity