Tuesday, January 26, 2016

Express Scripts Mock Interview Questions

Express Scripts Mock Interview

Thank you for your service

If you were defining an information security strategy from scratch, what would the primary building blocks be?

We understand that compliance does not equal security, but it still hurts when the auditors report findings. What regulations do you expect we need to be most focused on?

What do you feel are the key aspects of risk management?

We realize there are a number of security frameworks, which one do you think we should model our program after and why?

The financials have done well using a threat modeling approach to prioritize and define risk. Do you think that is important for Express Scripts, and why? Can you give us an example of using threat modeling in information management?

One area of focus for this job is the external information protection ecosystem, including suppliers, clients, subsidiaries, and auditors. What approach would you recommend for working with suppliers? What about clients?

To be candid, the former person in the position you are applying to had challenges working with key executives: CEO, President, CFO, SVP of Sales etc.  What do you feel is the best approach for working with the senior executives?

One of the selection factors in the job posting is a CISSP or CISA, we did not see that listed in your resume, did we miss it? What experience do you have with information systems audit?

From Monster: http://jobs.monster.com/l-saint-louis,-mo.aspx
What interests you about Express Scripts?
What other employers in the Saint Louis area are you considering?
"There are currently nine employers in Saint Louis and nearby Clayton that rank on the Fortune 500 list: Monsanto, Express Scripts, Centene, Edward Jones Investments, Peabody Energy, Emerson Electric, Reinsurance Group of America, Ameren and Graybar Electric. Other influential employers for Saint Louis jobs are those in the financial industry include MasterCard, TD Ameritrade, Wells Fargo Advisors and Scottrade. The city is also a hub for biotechnology and medicine, so many of the top jobs in Saint Louis are in the healthcare industry. Barnes-Jewish Hospital, located in Saint Louis, is the fifth largest in the world, and this hospital co-operates the world-famous Alvin J. Siteman Cancer Center. The parent company of the hospital, BJC Health Care, employs more than 25,000 individuals."

Sample GDWP - ISE 5700

GDWP Assignment

Dear XXX

Your ISE5700 assignment is below. Please do not discuss the details of the assignment with other students for at least 30 days, but if you have questions or concerns, feel free to contact Stephen Northcutt, (Stephen@sans.edu) directly.

If you do call with questions, after the call is complete, please have a member of the team create a Memo to Record of what was discussed and what was decided and email to all involved parties with your final project submission.


There are THREE parts to your total project submission:

A. Technical report counts as 50% of GDWP score.
Your paper should include a CIO-level executive summary to introduce your recommendations. The technical report should include: executive summary, the sub-assignments, and any appendices and/or references. The rubric for grading the paper is shown below in the assignment. Max length fifteen (15) pages, typed single spaced, double-spaced between paragraphs. Hard and soft copies are expected (hard copy to the onsite STI representative); email the soft copy to Stephen Northcutt (Stephen@sans.edu), Toby Gouker (tgouker@sans.edu), Chris Crowley (chris@montance.com) with copies to registrar@sans.edu. Submitted project emails must be sent before the live presentation.

B. "Back-of-the-envelope project plan" counts as 10% of the score.
The plan should include the relevant tasks, milestones, resources assigned to the tasks and schedule. This is the first thing you do after receiving your project assignment. Email it to Stephen Northcutt (Stephen@sans.edu), Toby Gouker (tgouker@sans.edu), Chris Crowley (chris@montance.com) with copy to registrar@sans.edu as soon as reasonable. Text only is fine. If you create a diagram using computer tools, send it as a JPEG or similar. If hand-done, scan it or take a legible picture with a smartphone. Make sure to record the amount of time to develop the plan and treat completion of the plan as a milestone for the completed submission. Can you change your plan if you run into trouble? Of course, but create a version 1.1 of your plan. "A plan is so you know what you are deviating from." - Capt. Dan Ellrick USMC.
10 points possible.

C. Oral presentation with Slides counts as 30% of GDWP score.
Only one person presents, exactly 7 slides, 15 minute time limit, with a couple of extra minutes for questions. Notes pages under slides should have sufficient content so that someone not present can understand what you are trying to convey. Remember to start and end on time; presentation skills and content both count.
1. Presentation and presenter execute at the CIO level while accurately summarizing and supporting proposed processes. 10 points possible.
2. Presenter quality (includes question handling), 10 points possible.
3. Presentation quality, 10 points possible.

Assignment Scenario:

Your company, GIAC Enterprises, is a small-to-medium-sized growing business. It employs 1,500 employees, including 750 business and IT workers at corporate HQ, 250 employees at the Indonesian office and the remainder remote workers distributed worldwide. GIAC Enterprises has standardized on HP for desktop and laptop systems and Cisco for networking equipment. The servers are more diverse, but almost all of them run Linux. The company is the largest supplier of Fortune Cookie sayings in the world and prides itself on a rich history as well as cutting-edge original research. The current primary product of GIAC Enterprises is the content of the fortunes themselves, i.e., the data. Data is stored and processed in 2 data centers at highly rated colocation facilities, one in the US and one in Indonesia.

On July 31, 2015, GIAC CIO/CISO, Karen Brown, walked into the office of one of the senior engineers, Chris Brown, and noticed a news story on her screen from LATimes:

Together they read the story, the LATimes article was similar to:

The CIO then remarked, “Tell me about that, a couple weeks ago, I was on UA Express 6395 Nashville -> Chicago (ORD) plane that had taxied to the TARMAC when they stopped operations. We were delayed 30 minutes, but when we got to ORD my next flight was delayed 45 minutes and the crazy thing is, the United employees didn’t seem to have a clue. They kept thinking the plane would be here shortly and Chicago is United’s HQ. I pity the poor souls that had their flights canceled.”

Chris said, “Crazy day, WSJ and the NY Stock exchange also had their share of troubles, here let me show you that story.”:

“Holy cow, were they hacked? Is this nation state? Or are these people clueless?”

Chris replied, "I am not sure anyone knows; if they do, they aren't talking, at least not yet."

“Hmmm”, Karen remarked, “we ought to review our incident response procedures so that when we make the call whether it is malicious or just a mistake, we have a good chance of being right. I think I will put a team together, and I will sleep better if I have a first cut tomorrow about this time.”

Your CIO, Chris Smith, tasks you to create a technical report with the following items:

1) The three glitch scenarios, United Airlines, NYSE and WSJ, should be considered guidance for “use cases”, i.e., a router glitch, a computer glitch and a web site glitch that have a significant impact.

a) For each glitch scenario summarize the architecture, essentially a critical controls 1 and 2 report. Keep in mind this is the size of GIAC Enterprises, NOT the New York Stock Exchange, (NYSE).
NOTE: feel free to choose the technology involved. For instance, if you read that the Wall Street Journal web servers ran Apache, but you are more familiar with Microsoft IIS, you are encouraged to create your checklist, (sub-assignment “b)” below), using Microsoft IIS.
15 points possible

b) For each scenario create a checklist to help the incident response leader determine if the cause of the glitch is human error or malicious intent. The checklist should be technical in nature and based on a technology that you understand and defined in sub-assignment “a)” above. Make sure to explain the “why” for each step. For each check give examples of what you would expect to find if it was user error or what you would expect to find if it was malicious intent.
30 points possible

c) Direct research for either “a)” or “b)”: document any labs, scripts, screen shots, team-created videos, interviews, or demonstrations that show you went beyond harvesting web pages on the Internet. This should be documented in the references section of your technical report.
5 points possible.

2) For each glitch, analyze and summarize what each organization did to manage PR:
Look for quotes in news stories and for full points try to find primary source examples, e.g. the Jennifer Dohm United Airlines “router email” or official United Tweets, or press releases from the three organizations etc.
5 points possible

Create a recommendation for each example use case on what they could have done better, (suggestions for improvement).
5 points possible
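As an added illustration of what a checklist for sub-assignment b) can look like in runnable form (this is not part of the assignment text or any student's submission), the script below runs four checks over two constructed event sets for the “web site glitch” use case: an approved edit that broke the Apache config, and an undocumented edit from an unknown address that added a redirect. Every host address, change window and file path is a placeholder I made up; each finding states which way the evidence points and why, which is the “why” the assignment asks for on each step.

```python
from datetime import datetime

# Constructed sample data for triaging a "web site glitch" (sub-assignment b); the host
# addresses, change window and file path are placeholders, not values from a real incident.
CONF = "/etc/apache2/sites-enabled/www.conf"
APPROVED_CHANGES = [{"start": "2015-07-08T09:00", "end": "2015-07-08T10:00", "files": {CONF}}]
ADMIN_SOURCES = {"10.0.5.10"}  # assumed jump host / admin workstation addresses

# Two constructed syslog-style event sets: an approved edit that broke the config, and an
# undocumented edit from an unknown address that added a redirect and reloaded cleanly.
EVENTS_ERROR = [
    {"ts": "2015-07-08T09:12", "src": "10.0.5.10", "action": "edit", "file": CONF, "diff": "DocumentRoot /var/www/htm"},
    {"ts": "2015-07-08T09:13", "src": "10.0.5.10", "action": "reload", "detail": "AH00526: Syntax error on line 14"},
]
EVENTS_MALICIOUS = [
    {"ts": "2015-07-08T02:41", "src": "198.51.100.7", "action": "edit", "file": CONF, "diff": "Redirect / http://example.invalid/"},
    {"ts": "2015-07-08T02:42", "src": "198.51.100.7", "action": "reload", "detail": "reload OK"},
]

def _t(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")

def in_change_window(event):
    """Check 1: is this edit covered by an approved change window for that file?"""
    t = _t(event["ts"])
    return any(_t(c["start"]) <= t <= _t(c["end"]) and event["file"] in c["files"] for c in APPROVED_CHANGES)

def triage(events):
    """Run the checklist; each finding records the check, which way it points, and the evidence."""
    findings = []
    for e in events:
        if e["action"] == "edit":
            covered = in_change_window(e)   # error tends to be an authorised but botched change
            findings.append(("change-ticket", "human error" if covered else "malicious intent",
                             f"edit at {e['ts']} {'inside' if covered else 'outside'} an approved window"))
            known = e["src"] in ADMIN_SOURCES  # check 2: valid account, unknown address = stolen creds?
            findings.append(("admin-source", "human error" if known else "malicious intent",
                             f"edit from {e['src']} ({'known' if known else 'unknown'} admin source)"))
            external = "Redirect" in e["diff"] and "http" in e["diff"]  # check 3: not a typo
            findings.append(("content", "malicious intent" if external else "inconclusive", e["diff"]))
        elif e["action"] == "reload":
            # Check 4: a syntax error on reload is the classic fat-finger signature; an intruder
            # who wants the site kept serving usually reloads cleanly.
            broke = "Syntax error" in e["detail"]
            findings.append(("reload", "human error" if broke else "inconclusive", e["detail"]))
    return findings

def verdict(findings):
    """Majority of the findings that point either way; a tie stays 'inconclusive' for the IR lead."""
    err = sum(v == "human error" for _, v, _ in findings)
    mal = sum(v == "malicious intent" for _, v, _ in findings)
    return "inconclusive" if err == mal else ("human error" if err > mal else "malicious intent")
```

The verdict is only a starting point for the incident response leader; the per-check evidence strings are what go into the report.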

NOTE: While the executive summary of your paper is at the CIO level (CIOs only read the executive summary), the written technical paper should assume a technical audience.

-- NOTE: when you send the email package, please point out the direct research that you did. There is a risk that the graders might miss some of

-- NOTE: If you use someone's diagrams or a significant portion of their material, you must ask for and receive permission to use it. Please submit that with your project.

* * *

Your oral presentation with slides is scheduled for June 14 at 7:30pm in the Billie Holiday 1 Room, and your grader will be Toby Gouker.

Good luck and enjoy! (Remember that if you have any questions about the assignment, please contact Toby Gouker and/or Stephen Northcutt).

* * *

Saturday, January 9, 2016

SCORE has published a new Linux Security Checklist

The checklist can be found here. I did a short interview with Simeon Blatchley.

What prompted you to update the checklist? It looks like a lot of effort went into that project.

Simeon: A big problem with security is that documentation is not up to date, and documents/checklists on Linux can kind of be ignored. So we figured that if we put the time to create the document, we should maintain it. Security changes every second, so keeping documentation and instructions accurate and up to date is essential.

They used to say the single most important thing you could do to protect an operating system was keep the patches up to date. Does that apply to Linux?

Simeon: I like to compare Linux and Windows systems to a regular and an unlocked smartphone. On your typical locked phone [Windows], the primary thing you really can do for security is make sure it is updated/patched regularly, since security is not locally managed. But on an unlocked phone [Linux], you have control over many more aspects of the system (as does an intruder), so you must take greater measures to secure it. Therefore, while it is important to ensure you're patched and up to date, Linux systems in an enterprise environment need to take further measures to prevent exploitation. Most attacks against Linux are well crafted, exploiting things normal patching won't protect against.

Have you been contacted yet by users of the checklist with questions or suggestions?

Simeon: As far as I am aware, we have not been contacted by any users. However, I have been made aware that it is the main Linux checklist used by CyberPatriot teams.

What is your favorite variant of Linux and why?

Simeon: I personally use Kali, mostly...well, for obvious reasons. Plus I studied the martial art, so that's cool. Aside from that, it looks really good!

About Simeon: 

Simeon Blatchley is an Analyst at SAIC in Denver, Colorado and a Senior at the University of Maryland University College, where he will be receiving his BSc in Cybersecurity. Simeon’s formal immersion in cybersecurity was at 16, when he participated in the AFA CyberPatriot competition with a Civil Air Patrol team coached by Simeon’s father, William Blatchley. The following year Simeon acted as an assistant coach to the same team (Team Wolfpack), and they won the CyberPatriot Finals in Maryland at the USAF CyberFutures conference. Simeon and some cyber-minded friends are currently working on starting their own company, which will connect highly qualified college students receiving their degree in a computer-related field with jobs and with other people in their field to help facilitate the future of cyber engineering. The company, LinkX RDP, was recently endorsed by NASA and will hopefully launch officially this year. Simeon enjoys playing piano, reading, doing computer stuff, and telling jokes that really aren’t funny.

Phishing and browser security Jan 9, 2016

Interesting morning. It is a very voggy day on Kauai, so I am off to a slow start; I was working on the SANS Boston 2016 program and got a notification that I had received an email from a grad student team getting ready to work on the Ransom32 problem. They pointed out, "After conducting our initial research into the Ransom32 malware, we have some questions regarding the scope of the assignment. While the published articles we have read suggest that the JavaScript source code that forms the basis of Ransom32 could easily be weaponized to run on Linux or OSX and the JavaScript source code might be able to be adapted to run within a browser, the only samples thus far encountered in the wild are Windows PE files created using NW.js and mostly delivered via spearphishing emails. http://blog.emsisoft.com/2016/01/01/meet-ransom32-the-first-javascript-ransomware/"

Yup. The more things change, the more they stay the same. Nifty JavaScript attack, but same delivery: phishing. This actually came up on the GIAC Advisory Board mailing list [heavily sanitized]. A credit union's members were targeted. The response was as follows:

"Quick sounding board for steps taken,

- Created an alert on the company's web site regarding the phishing attempt.
- Made a post on social media (Facebook, Twitter) that the Credit Union would never ask for Username/Password etc. and should also contact us directly if you have any concerns.
- The site "harvesting" the credentials appears to have been hacked; emailed the owners of the site (using the email in the "contact us" section) to let them know.
- Used the abuse email address in the domain registry to also report that the site has been hacked.
(Does Gmail have a place I can submit for email abuse? It's about 48 hours+ after the attack, so most likely a moot point, but it could help someone else if they want to use the same account.)"

All wise and proportional steps. Then, a real treat, Lance Spitzner steps in: 

"First, don't feel bad, you are facing a common problem shared by most organizations. However, to answer your question we have to first ask you a question. Are you training your employees to report phishing attacks, and if so, how are you training them and how often? If you are not teaching them the indicators of a phishing attack AND how you want them to report it, then you can't expect them to be effective sensors."

This is an extremely important point. Until one of these phishing emails gets reported, the security folks can't get involved to take the actions the credit union took. Lance continues:

"We see organizations that regularly phish their employees can get the number that fall victim to less than 10% (sometimes less than 5%), and quite often those that are falling victim are the new hires. Same thing with reporting. The more you train people on reporting AND the easier you make reporting, the greater your reporting %. Warning though, you have to be prepared for success. We have seen organizations turn on their "Human Sensors" only to have their SOC overwhelmed with reports. That is why we see some organizations tell their employees if they see an obvious phish, just delete it. It's the trickier attacks they want reported. It all depends on what you want reported and the resources you can dedicate to it."


Lance Spitzner
Director, SANS Securing The Human
Mobile: +1.708.557.6006
Twitter: @lspitzner
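Lance's numbers (click rate, reporting %, new hires as the usual victims, SOC load) are measurable from a simulated-phishing campaign. As an added example that is not from the mailing list thread or from SANS, the script below computes them over ten constructed recipient records I made up; the 90-day definition of "new hire" and the one-hour SOC window are my assumptions.

```python
from datetime import datetime, timedelta

# Constructed results of one simulated phishing campaign (not real data): one row per
# recipient: user id, hire date, when they clicked (or None), when they reported (or None).
CAMPAIGN_SENT = "2016-01-05T09:00"
RESULTS = [
    ("u01", "2015-12-14", "2016-01-05T09:04", None),                # new hire, clicked
    ("u02", "2015-12-20", "2016-01-05T09:11", None),                # new hire, clicked
    ("u03", "2013-03-01", None, "2016-01-05T09:02"),                # first report
    ("u04", "2011-06-15", None, "2016-01-05T09:09"),
    ("u05", "2014-08-01", None, None),                              # deleted it, as told to for obvious phish
    ("u06", "2012-01-10", None, "2016-01-05T09:40"),
    ("u07", "2015-11-30", "2016-01-05T09:30", "2016-01-05T09:33"),  # new hire, clicked then reported
    ("u08", "2010-05-05", None, None),
    ("u09", "2014-02-02", None, "2016-01-05T10:05"),
    ("u10", "2013-09-09", "2016-01-05T09:50", None),                # tenured, clicked
]

def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")

def click_rate(results):
    """Share of recipients who fell victim (the figure Lance wants under 10%); 0.0 for an empty cohort."""
    return sum(1 for r in results if r[2]) / len(results) if results else 0.0

def report_rate(results):
    """Share of recipients who reported the phish, whether or not they also clicked."""
    return sum(1 for r in results if r[3]) / len(results) if results else 0.0

def click_rate_by_tenure(results, sent, new_hire_days=90):
    """Split the click rate into new hires vs. everyone else, since new hires are the usual victims."""
    cutoff = _t(sent) - timedelta(days=new_hire_days)
    new = [r for r in results if datetime.strptime(r[1], "%Y-%m-%d") >= cutoff]
    old = [r for r in results if r not in new]
    return click_rate(new), click_rate(old)

def minutes_to_first_report(results, sent):
    """How long the phish ran before security could act at all; None if nobody reported."""
    times = [_t(r[3]) for r in results if r[3]]
    return int((min(times) - _t(sent)).total_seconds() // 60) if times else None

def reports_in_first_hour(results, sent):
    """The load side of 'be prepared for success': what lands in the SOC queue right away."""
    end = _t(sent) + timedelta(hours=1)
    return sum(1 for r in results if r[3] and _t(r[3]) <= end)
```

Minutes to first report is the number that matters for the response steps the credit union took: nothing downstream can start before it.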

I am going to have to ponder this for a while. I can see how to train employees to report everything they think is suspicious. I can see telling them if you think it is a phish, delete it and move on. But it is not immediately obvious to me how to tell them how to report the trickier attacks. I can do it (and do), you can do it, but we are security people; we think about this stuff all the time. There are some security company phishing quizzes, OpenDNS and McAfee for example. Perhaps they could be incorporated into an organization's security awareness program. Now in the specific case of the credit union:

"Some good news, looks like Firefox was blocking the site when the attack took place, and Chrome started blocking it within 24 hours (and I think that's awesome, thanks to anyone who works on those applications)."

It probably makes sense for organizations to be sure their browsers are taking advantage of the protections available.

The capability is built into most browsers, for example on an El Capitan Mac:
In Safari: Preferences, Security, Warn when visiting fraudulent sites.
In Firefox: Preferences, Security, Block reported attack sites.
In Chrome: Preferences, Advanced Settings, Privacy, Protect you and your device from dangerous sites.
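Checking those three settings by hand on every machine does not scale, so here is an added example (mine, not from the post) that reads the stored form of each setting from constructed config fragments. The preference names are my understanding of where each browser keeps the switch: `browser.safebrowsing.malware.enabled` and `browser.safebrowsing.phishing.enabled` in Firefox's prefs.js, `safebrowsing.enabled` in Chrome's Preferences JSON, and the `WarnAboutFraudulentWebsites` key that `defaults read com.apple.Safari` prints on a Mac; verify them against your browser versions before relying on this.

```python
import json
import re

# Constructed sample config fragments (not copied from any real profile). Pref names are
# assumptions about where each browser stores the setting; check them for your versions.
FIREFOX_PREFS = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "https://example.invalid/");
user_pref("browser.safebrowsing.malware.enabled", false);
'''
CHROME_PREFS = '{"homepage": "https://example.invalid/", "safebrowsing": {"enabled": false}}'
SAFARI_DEFAULTS = "1\n"   # what `defaults read com.apple.Safari WarnAboutFraudulentWebsites` would print

FIREFOX_KEYS = ("browser.safebrowsing.malware.enabled", "browser.safebrowsing.phishing.enabled")
_PREF = re.compile(r'^user_pref\("([^"]+)",\s*(true|false)\);', re.M)

def firefox_safebrowsing(prefs_js):
    """Return {pref: enabled}. prefs.js only stores non-defaults, so a missing key means the default (on)."""
    explicit = {k: v == "true" for k, v in _PREF.findall(prefs_js)}
    return {k: explicit.get(k, True) for k in FIREFOX_KEYS}

def chrome_safebrowsing(preferences_json):
    """Chrome keeps the switch under safebrowsing.enabled in the profile's Preferences file; absent = on."""
    prefs = json.loads(preferences_json)
    return bool(prefs.get("safebrowsing", {}).get("enabled", True))

def safari_warns(defaults_output):
    """Parse the `defaults read` output: 1 means 'Warn when visiting fraudulent sites' is on."""
    return defaults_output.strip() == "1"

def audit(firefox=FIREFOX_PREFS, chrome=CHROME_PREFS, safari=SAFARI_DEFAULTS):
    """List every setting that leaves the user without fraudulent-site warnings; empty list = all good."""
    gaps = [f"firefox:{k}" for k, on in firefox_safebrowsing(firefox).items() if not on]
    if not chrome_safebrowsing(chrome):
        gaps.append("chrome:safebrowsing.enabled")
    if not safari_warns(safari):
        gaps.append("safari:WarnAboutFraudulentWebsites")
    return gaps
```

Feed it the real files from a profile directory and the output is the list of machines or users whose browser would not have warned them about the credit union's phishing page.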

Phishing will always be with us. We have technology solutions, we have security awareness solutions, we need both and we need to adjust and remind from time to time to lower, not eliminate, the risk.