Leadership
A mRr3b00t Adventure
Join me on an adventure of rambling and exploring the idea that you can in fact not lose the security leadership game! This blog is WIP, it’s just my brain wondering around the question of: can we win the in the face of a seemingly insurmountable force? What do we do as a security leader to protect ourselves and the organisation? How do we start?
Read more “How to not lose your job as a CISO”
Leadership
I am not a legal export! Haha get used to saying that a lot if you work in cyber and are not in fact a legal expert! I wanted to put together a list of common laws that people should be aware of when doing business in the UK, it’s just a starter for 10 and there are likely others, but this should get people started for their security awareness and security policy documentation:
Read more: UK laws and cyber security considerations for businesscan you think of any others that I should add?
Thanks Gary and Kevin and the other AVIS I can’t name for inputting!
Education
I wrote this in 2018 and don’t believe it ever made it to the interwebs, so I’m basically posting as is with an extra section for some useful links! Hopefully it still stands the test of time!
Risk assessments are complex, they require cross domain knowledge and generally do not deal in absolutes. Threats, vulnerabilities and asset intelligence is combined, weighed and assessed, leading to the construct of a risk assessment document. It can be easy to overcomplicate this process, which in turn (in my experience) often leads to far wider reaching consequences (the business starts to bypass security management or take short cuts), so I thought I would write a short post to clarify what I’ve seen work out in the field. So, to start with let’s try and align on what exactly a risk is.
Read more “Information Security Risk Management “
Defense
Availability, Confidentiality, and Integrity are good building blocks for considerations. We can probably split this into two major views to start with:
A typical consumer may be about:
Leadership
How an organization approaches the challenge of technology and security management, well that’s the difference between leveraging technology to deliver value efficiently and effectively vs technical debt and inefficient deployment of technology which may hinder the organisation in its pursuit of its mission.
When we consider how technology is managed, we need to look at it from multiple viewpoints with different views:
Read more “Organisational Approach to Technology and Security”
Vulnerabilities
Yesterday I created a honeypot running Exchange 2019 in the lab. I configured very little and setup a test rule as per the MS blog to stop the SSRF from the “Autodiscover” endpoint to the Powershell function call. I put a custom response with some humour (coz why not!) but I disabled the rule:
This rule was placed in the Autodiscover virtual directory which in Exchange by default is here:
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\autodiscover\web.config
My custom rule:
Read more: Exchange Emergency Mitigation (EM) service|
<rewrite> <rules> <rule name=”RequestBlockingRule1″ enabled=”false” patternSyntax=”Wildcard” stopProcessing=”true”> <match url=”*” /> <conditions> <add input=”{REQUEST_URI}” pattern=”.*autodiscover\.json.*\@.*Powershell.*” /> </conditions> <action type=”CustomResponse” statusCode=”403″ statusReason=”No Hacks for You” statusDescription=”Say no to exploits!” /> </rule> </rules> </rewrite> |
This morning I checked the Honeypot, and I found the following:
This rule is hosted in:
C:\inetpub\wwwroot\web.config
|
<rewrite> <rules> <rule name=”EEMS M1.1 PowerShell – inbound” stopProcessing=”true”> <match url=”.*” /> <conditions> <add input=”{REQUEST_URI}” pattern=”.*autodiscover\.json.*\@.*Powershell.*” /> </conditions> <action type=”AbortRequest” /> </rule> </rules> </rewrite> |
As you can see this was modified at 03:21 01/10/2022
This comes from:
Exchange Emergency Mitigation Service (Exchange EM Service) | Microsoft Learn
“Exchange Emergency Mitigation (EM) service”
You can check if this is enabled by running the following PowerShell:
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn;
Get-OrganizationConfig | Select-Object MitigationsEnabled
So here we can see that with this enabled, the Exchange server will download and deploy the HTTP re-write rules automatically (if the server has the required version/config etc.)
You can enable or disable it with the following:
Set-OrganizationConfig -MitigationsEnabled $true
Set-OrganizationConfig -MitigationsEnabled $falseYou can check this feature works using the following (modify path as required for relevent exchange version)
. "C:\Program Files\Microsoft\Exchange Server\V15\Scripts\Test-MitigationServiceConnectivity.ps1"
Check the MS docs and check your Exchange Server version to see if you have this feature etc.
GCM exsetup |%{$_.Fileversioninfo}You learn something new everyday!
Leadership
Everyone loves talking about how to get into Cyber! It’s like the cliché thing to talk about! Hell, there’s people who have been in jobs for minutes writing guides, It’s odd… my advice, gardening! Seriously you will see the outside, will learn skills that are useful and keep physically fit! Wait you still want to cyber? You sure? Ok there’s some super awesome fun parts of cyber, not going to lie, it sounds super cool! What do you do? I’m a CYBER! See cool AF!
Read more “mRr3b00t’s little blog about the Cyberz and getting into them!”
Breach
Cyber incidents are never nice, I wasn’t exactly overcome with joy when I say there was a cyber attack on an NHS supplier on the 4th of August 2022. There’s still lots of unknowns with the scenario, it’s impacts and how this will play out. I’m always cautious to speculate too much however cyber incidents aren’t magic, they are usually bound to certain patterns. A week ago this was reported as likely being restored by Tueday, since then there’s been another press release and now even more articles in the maintream media. I am however not convinced with the press release contents, I’m also unsure as to why there isn’t a more concise view… something doesn’t seem to add up, my spider sense is tingling. So, here’s my star gazing (experienced based) view so far.
Read more “NHS 111 Supply Chain Cyber Attack Summary – events so far”
Guides
MFA was the “silver bullet” but friction and security kind of go hand in hand, the idea of a push notification and simple “authorise” is great in theory, but in practise it is vulnerable to brute force and human error. In this post we are going to check out enabling number matching authentication in Azure.
This is just one configuration option, as you can see there are loads of options for methods and specific configurations. Bear in mind the pros and cons for each one, for example SMS based 2FA can be vulnerability to SIM swapping attacks. I’m going to focus on Number Matching in Authenticator for this post: Read more “Enable Number Matching in Azure MFA”
Education
Oh that’s “just a Nessus scan” or that’s not a real pen test etc. is something that if you are in the infosec/cyber world for a few minutes you will probably hear.
It’s honestly a bit odd, some sort of way of diminishing something because a tool was used, which doesn’t really make a whole lot of sense given most activity involves using something that already exists (sure there are fields and scenarios where this isn’t true but I’m generalising).
So why are we as an industry obsessed with tools and obsessed with berating people for using them? It’s all rather odd.
It perhaps ties in with this Cyber Myth about penetration testing being the tool that’s good and useful in every scenario… I hate to break it to people, but it’s not the principles of security and it certainly isn’t the best/most appropriate “tool” in every scenario. Read more “When running Nessus is a good thing!”