Wednesday, July 19, 2017

Senior Enterprise Architect Wanted - I think this is in the Washington DC area

(Please forgive the grey shading, this is what I got from the recruiter)

For further info, please call:
Gregory Price
Vice President of Defense Programs
Trowbridge & Trowbridge, LLC

Cell: 815.531.9667
1430 Spring Hill Road, Suite 200, McLean, VA 22102 | O: 571-298-8478 | F: 571-499-4153

= = = = =
Senior Enterprise Architect 

Work Experience, min 12 years:
5+ years primary role operating, troubleshooting, installing network routers and switches
5+ years primary role designing, architecting routed and switched networks
2+ years as senior or lead network architect in multi-tenant network
2+ years as senior or lead network architect in planning, designing, and building software defined networks
3+ years DoD environment

At least two nationally recognized certifications for senior network administrators/engineers/architects, and one of these certifications must be tied to the proposed solution’s routers and switches.
IAT Level III in accordance with DoD 8570.01-M
Bachelor’s degree in Information Systems, Engineering or Equivalent; Master’s degree preferred
Demonstrated Skills:
Ability to analyze requirements; plan and develop technical solutions and frameworks; develop test and implementation plans; analyze and evaluate networks.
Use of current and emergent network design principles and protocols
Experience with network virtualization technologies and vendors
Experience with multi-tenant network architectures
Experience designing and modernizing a complex network to separate control from data planes.
Familiarity with a wide variety of network routing and switching equipment from multiple vendors.
Scripting languages such as Perl, Python.

Awareness of DoD JIE-JRSS architecture, and design experience for a DoD network within the last 3 years.
Active or current Top Secret clearance, SCI eligible, adjudicated through DoD Central Adjudicative Facility (CAF).
67 of 79 SDN Solution Final PWS v1.0 As Of: 23May17_1700hours 

Friday, July 14, 2017

Cybersecurity research: What and How

Friday July 7, 2017, I was asked by the folks at SANS.EDU to help the graduate students submit research proposals to be evaluated by the STI research committee. It was fun work, and a glimpse at a new, (to me), part of the research process at STI.

In the first batch there were a number of potentially great proposals, but only one student took the time to clearly articulate what she was going to do and how she was going to do it. Not surprisingly, when this proposal reached the committee for a go/no go decision, the answer was go, (approved), and several faculty members volunteered to be the advisor on the project.

The experience led me to wonder, "what is the difference between the successful project proposals and the ones we evaluate as not yet ready?" From the title of the blog post you can probably guess the answer is the successful students clearly articulate what they are going to do and how they are going to do it. Before we examine that, let's take a minute to define a Cybersecurity Research Proposal. There are, amazingly, three key words to consider:

    Cybersecurity: all of the proposals fell into the realm of computer security, so we don't need to belabor this point. We can leave "Better Methods of Picking Daisies" to some other worthy institution.

    Research: we ran into some problems here.  Research is studious inquiry. Research is not regurgitation of already published information, or an opportunity to recount one's personal experience.

    Proposal: this is where the student defines what they are going to do and how they are going to do it.

As mentioned, most of the proposals had potential in the sense that the topics were timely and interesting. So where did so many miss the mark? There seemed to be two major pitfalls: overly broad topics, (failure to succinctly define "what"), and a research process that cannot practically be accomplished, (failure to pragmatically understand/define "how").

Since it is frustrating to be sent "back to the drawing board", here are a couple of suggestions for success the first time through the process.

1) Know what you want to do. Ideally, your topic will be something that you want to learn more about, or that will benefit your employer. In the best of all possible worlds your topic will satisfy both conditions. If you do not know what you want to do, you will not be able to explain it in the proposal. That results in "fuzzy writing" which ends up frustrating all parties, student and advisor. Only you can know what you want to do.

2) Use the literature search part of the process to explore the uniqueness of your proposal. If there are lots of papers, tutorials, YouTube videos, etc on "Using Wireshark to monitor the TCP/IP 3 Way Handshake", it could be an indication that ground has already been covered. However, keep in mind that just about everything you can imagine has been published on the Internet in one form or fashion. The published material may not be supported by studious inquiry and/or empirical results. In that case, you may still have a valid topic and this is a discussion you should have with your advisor.

Summary: if your research proposal reflects studious inquiry, covers new ground and adds to the body of knowledge, and clearly explains what you intend to do and how you intend to do it, then the odds are better than average that it will be accepted the first time.

Wednesday, June 7, 2017

Guy Bruneau Commendation

No one can remember a time when this was issued to a civilian, (maybe Guy has a uniform stashed away in a closet somewhere, eh).

Friday, June 2, 2017

What Are Your Data Protection Best Practices? Please take our SANS Survey

From Deb Radcliff

For years, cradle-to-grave data protection has been a pipe dream, but today it’s even more important because data moves into and out of the cloud, onto mobile devices and elsewhere outside the perimeter. That’s why SANS is now conducting its first survey on Data Protection Best Practices and we’re asking for you to take the survey and share your experience and knowledge.

In the survey, we want to find out who holds responsibility for data security, what type of sensitive data (and associated regulations) organizations are handling, and how well their security programs keep up with agile development, DevOps, containerization and other contemporary development methodologies.

Results and advice will be shared in a SANS community whitepaper developed by SANS Analyst Program research director, Barb Filkins, who specializes in healthcare and data privacy laws. The paper will be provided to the community during a live webcast and also presented at the SANS Data Breach Summit in September. 

The goal is to get the dialog moving on cradle-to-grave data protection, identify weak links, improve data protection practices, and raise awareness at the highest levels of the organization.

“From a legal and regulatory viewpoint, management is very often the responsible party for setting policy around the protection, privacy and security of data held by the organization,” says Filkins. “Yet they are often unaware of the risks involved in protecting the actual data and information. The results of this survey will help managers and their IT staffs identify and remediate these risks.”

We call upon your experiences: Please take the survey (and in the process you may also enter to win a $400 Amazon Gift Card OR a free pass to the SANS Data Breach Summit). The survey will be removed June 26.

Tuesday, May 30, 2017

Improving phishing detection methods

We all know that detecting things we do not know exist, such as a zero-day attack, is hard if not downright impossible. However, that does not mean that the occasional joust at a windmill is off the table.

Early this morning, (my time), a member of the GIAC Advisory Board, Kevin Holleran, posted a comment suggesting that if we could categorize types of phishing, that might give us some traction. His original list was:

- Call to Action from a Position of Trust (i.e. CEO Fraud)
- Offers / Products
- Trusted Services (masquerading as Dropbox, Office, etc.)
- Targeted / Spear
- Spoofed Insider
- Credential Harvesting

- Simple (sentence) vs. Complex (HTML)

If you have suggestions on:
- Additional categories
- Keywords or phrases to identify those categories

Please add them to the comments field on this post or the Linkedin announcement. I realize there are a number of scholarly papers on automated phishing detection and over the weekend I will pore through a few, but I am interested in ideas from the people in the trenches.

Before you say "that will never work", let me remind us of a similar field, SPAM in general; in fact, I should check, they may have already solved this.

A long time ago, my employer, SANS, was a LAMP shop. Our SPAM tool was SpamAssassin. Yes, it had to be configured weekly and yes, there were leakers, (SPAM that got through the filter). As the company grew, they started looking at commercial software and settled on Barracuda. People loved it. SPAM never bothered me, I just deleted it, but the improved solution meant a lot to a lot of people. Here are a few words from Barracuda on how they did it:

A message "is scored for spam probability. This score ranges from 0 (definitely not spam) to 10 or higher (definitely spam). Based on this score, the Barracuda Email Security Gateway either tags (inbound messages only), quarantines, blocks or allows (or sends, for outbound) the message."

Kevin, Lance and I would love your ideas; please post them in a comment field. The occasional snarky remark is fine as well, but go for humor. I used Kevin's ideas with permission:
Absolutely, I am very interested in feedback from the community.

I also agree with Lance's assessment as far as the focus on training, but I believe there is considerable value in being able to focus on realizable threats to a specific organization.  We are not going to be able to get 100% coverage of every threat out there in our programs, so let's work to drive the most value.


Kevin Holleran
Master of Science, Computer Information Systems
Grand Valley State University
Master of Business Administration
Western Michigan University

"Do today what others won't, do tomorrow what others can't" - Smokejumpers Creed
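As an added illustration, not code from the post, from Kevin, or from any vendor product: a keyword-driven categorizer over Kevin's categories that folds the per-category hits into a Barracuda-style 0 to 10+ score with tag/quarantine/block dispositions. The phrases, weights, cut-offs and sample messages are constructed assumptions a defender would tune against their own mail.

```python
import re

# Constructed phrase lists per category. The category names are Kevin Holleran's;
# the regexes and weights are assumptions, not from the post or any product.
CATEGORY_PHRASES = {
    "Call to Action from a Position of Trust": [
        (r"\bwire (transfer|payment)\b", 3.0), (r"\burgent(ly)?\b", 1.5),
        (r"\b(ceo|cfo|president)\b", 1.5), (r"\bkeep this (confidential|between us)\b", 2.0),
    ],
    "Offers / Products": [
        (r"\bfree\b", 1.0), (r"\b(you('ve| have) won|winner)\b", 2.0), (r"\blimited time\b", 1.5),
    ],
    "Trusted Services": [
        (r"\b(dropbox|office ?365|onedrive|docusign)\b", 2.0), (r"\bshared a (file|document)\b", 1.5),
    ],
    "Credential Harvesting": [
        (r"\bverify your (account|password|identity)\b", 3.0),
        (r"\b(account|password)\b.{0,20}\b(suspend|expir|lock)", 2.5),
        (r"\b(log ?in|sign ?in) (here|now)\b", 1.5),
    ],
    "Spoofed Insider": [
        (r"\b(hr|payroll|it (support|helpdesk))\b", 1.5), (r"\b(direct deposit|w-?2|banking details)\b", 2.5),
    ],
}
# Kevin's last axis, simple sentence versus complex HTML: markup alone is not
# malicious, so it only nudges the score (assumed weight).
HTML_HINT = (r"<\s*(html|a\s+href|form)\b", 1.0)

def score_message(text):
    """Return the top category, HTML flag, total score and disposition for one message."""
    body = text.lower()
    per_category = {cat: sum(w for pat, w in phrases if re.search(pat, body))
                    for cat, phrases in CATEGORY_PHRASES.items()}
    complex_html = re.search(HTML_HINT[0], body) is not None
    total = sum(per_category.values()) + (HTML_HINT[1] if complex_html else 0.0)
    top = max(per_category, key=per_category.get) if total else None
    return {
        "category": top if per_category.get(top, 0.0) > 0 else None,
        "complex_html": complex_html,
        "score": round(total, 1),
        # Same four outcomes the post quotes from Barracuda; the cut-offs are assumed.
        "disposition": "block" if total >= 8 else "quarantine" if total >= 5
                       else "tag" if total >= 3 else "allow",
    }

# Constructed sample messages for a dry run.
SAMPLES = {
    "ceo_fraud": "Hi, this is the CEO. I need an urgent wire transfer today. Keep this confidential.",
    "cred_harvest": "<html><body>Your account will be suspended. Verify your account: "
                    "<a href='http://example.invalid'>Sign in now</a></body></html>",
    "benign": "Lunch at noon? The team meeting moved to 2pm.",
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, score_message(msg))
```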

Tuesday, May 23, 2017

Where are all these people coming from, (cybersecurity experts)?

In 1997 I knew about half the packet ninjas in the world and if I needed an insight from someone I did not know I could get an introduction. As the security world grew and my focus started to change to general cybersecurity, I was able to track the majority of the folks with the time, talent, knowledge and name recognition to be a SANS Instructor. I even managed to keep up with things for a while as we started to break into disciplines: forensics, pen-testing, etc.

I joined Linkedin in 2007 and soon worked my way up to about 200 connections. Fast forward 10 years and it is 11,337 according to the website. Do I actually know 11k people? I don't think so. When I read about conferences other than SANS, it is common for me to not recognize a single name. But if I look them up on Linkedin or some other source they are all world renowned experts in whatever cybersecurity field grabs their fancy.

One of the few things from my Virginia Tech Artificial Intelligence class in 1997 that is still with me: "The problem with expert systems is there aren't many actual experts to build them." Exactly.

Trying to keep up in this field is hard. You post a few packet decodes, marvel at some of the Wannacry decodes, even build a chatbot in case that is the new, new thing. But nobody on this planet is going to stay current in all the cyber disciplines.

Which brings us to the core issue of this post. How do you tell real balanced news from biased news from "fake news"? It is a very hard problem. How can you identify a competent doctor from an incompetent one? Thank heavens it was a minor problem, but I visited three podiatrists in a row that did not appear to know a foot is the thing inside of a shoe. How can you tell a competent cybersecurity practitioner from the "fake news" version? Let me illustrate with a simple example. When Wannacry came out, everyone that was switched on was sharing information and had a pretty good idea of how it worked and what was vulnerable. Three days later you started seeing every security vendor posting a webcast, document, you name it. And the titles, some were straight out of the marketing department.

We have some tools to separate the cybersecurity wheat from the chaff. There are respected certifications; look for specifics on resumes like tools; publications and presentations certainly help. But it is tricky. Anyone that has been in the field for a while has had the unpleasant experience of interviewing someone for a job that sounded great and after onboarding couldn't even find the bathroom. I thank the Lord the first one of those I experienced happened three weeks after I took on a management role; I have been gun-shy ever since. I have also found some of the MSSP sales presentations to be jaw droppers. This is another case of being lucky over smart: one of my friends was director of operations for one of the first MSSPs. They would literally take people off the street, (with aptitude), give them three weeks of training and shop them as experts.

To summarize: not everyone in cybersecurity that claims to be an expert actually is, but hey, you already knew that. You also know one or more people in the field that have expertise, (at least in some aspect of security). Hang on to those connections, stay in touch, once or twice a year is plenty. Then, when you need information, use a validated source. You are going to pay either way, might as well get something useful for your money.

Saturday, May 13, 2017

Honeypots and the French election

NOTE: this post is primarily a reprint of other sources. I credit them of course. I just wanted to get the information in one place for quick reference. The main points that cannot be reasonably disputed are:
- There was some sort of attack on the Macron presidential election campaign targeting email and documents.
- The tech savvy Macron folks had prepared in advance with a honeypot strategy that was at least partially effective.
- Many indicators are Russian in nature with Fancy Bear/APT28 at the top of the list; however, Forbes was wise to bring attribution into question. I have worked on attribution in one manner or another for fifteen years and there is a real risk of drawing an incorrect conclusion.

An article published by Ars Technica describes the Russian attempt to influence the French presidential election. "The failed effort by Russian attackers to influence the outcome of the French presidential campaign in its final hours was in part a forced error, thanks to an active defense by the digital team of French president-elect Emmanuel Macron's campaign organization, the digital director of the campaign has claimed. Campaign team members told the New York Times that as the phishing attacks mounted, they created a collection of fake e-mail accounts seeded with false information.
"We created false accounts, with false content, as traps," Macron campaign digital director Mounir Mahjoubi told the Times. "We did this massively, to create the obligation for them to verify, to determine whether it was a real account."

In their haste, they left telltale signs of their identity: "According to a Trend Micro report on April 25, the Macron campaign was targeted by the Pawn Storm threat group (also known as "Fancy Bear" or APT28) in a March 15 "phishing" campaign using the domain The domain was registered by a "Johny Pinch" using a webmail address. The same threat group's infrastructure and malware was found to be used in the breach of the Democratic National Committee in 2016, in the phishing attack targeting members of the presidential campaign of former Secretary of State Hillary Clinton, and in a number of other campaigns against political targets in the US and Germany over the past year."

Forbes, however, cautions that the evidence is not conclusive: "And, Doman told me, he had not seen "anything definitive" linking the two phishing domains found by Trend Micro and the Macron dump, "though it seemed likely."
Muddying the waters even further is the fact that En Marche's digital lead Mounir Mahjoubi indicated to French press Macron's campaign may have put its own fake data on its servers as part of a "honeypot," set up to attract hackers and trick them into pilfering tagged data. Typically, honeypots are used as traps to track attackers' activities."

Attribution is, and will always be, one of the most challenging problems of cybersecurity response. The folks that are willing to say "probably" as opposed to "surely" are to be congratulated.

This operation will certainly add credibility to Macron's emphasis on cybersecurity and tech for France and his efforts to combat extremism. "French presidential candidate and frontrunner Emmanuel Macron said on Monday he would step up efforts to get technology firms such as Google or Facebook to share encrypted content from messaging services with authorities."

"With an eye on the Elysée Palace, Mr Macron has been only too happy to associate himself with France’s burgeoning tech scene, hoping its open-mindedness and can-do attitude would reflect back on him. When he was economy minister he hastily organised a glitzy reception for him and French entrepreneurs at the Consumer Electronics Show in Las Vegas in 2016. Prosecutors are probing irregularities in the way the party was organised, although the investigation does not involve him.
As economy minister in a socialist government he enthusiastically backed a government initiative to promote the country’s tech ecosystem under a single brand at home and abroad. “Macron has been a strong advocate for the French tech scene,” says Frederic Mazzella, co-founder of ride-sharing company BlaBlaCar."