So, after the telemarketer misread my name as Rob a couple times and I was finally able to get a word in edgewise, I politely informed him that we were already a customer of the company. And that’s how much we mean to that company.

This is why we’re different at BTB. I swear on the Easter Bunny that I would rather make 5 calls a week and have an intelligent conversation about our company and services than just blast telemarket 15,000 companies. This is our approach to our service delivery as well. We’re not a factory and we don’t make widgets, every customer is different and our flexibility in our approach is why our clients love us and keep coming back. We strive to be that “refreshing” voice in the sea of the same vendor pitches, output and garbage.

I promise we’ll stay this way too.

Get a degree to build a solid foundation. Sure not all degrees are the same, but the degree does help open some doors for you. If you don’t have a degree, that’s fine. Everybody chooses their path in life differently.

Get experience in any way that you can. Go be the IT “everything” man, which can be great for experience and exposure to new technologies. However, it does take the time away from trying to focus on the security field. If you can get an entry level job in security consulting or as the low man on the totem pole, do it.

When we started and dust hadn’t been invented yet, there weren’t many CISO, or CSOs, it was mostly driven by government but there were a fair share of security analysts, etc. The field then wasn’t as well documented as it is now. Read and consume anything that you can get your hands on related to security. Find good sources for security material (magazines, online forums, sites, books) and just start reading. If nothing else, you’ll start to get familiar with terminology, technology in use and trends. The CISSP review book is probably a daunting task to undertake, especially if you have no experience in the field.

If you’re still in school, get an internship. Again, start as the low man on the totem pole basically doing IT Audit/Security/…even support type work. 

Start doing some networking either through things like meetup.com or by joining your local ISACA, ISSA, Infragard chapter.

If you truly have a passion for it, it will still take some time. Stick with it, stay current, continue to learn new things and don’t be afraid to push yourself….it’s a rewarding career.

If you were expecting some secret sauce advice, you should know by now that’s not how we operate.

After that successful event in early February, the BTB Security then participated as a sponsor at the PA Chamber IT Security Roundtable in Harrisburg, PA. Again, great participation and turnout for the event.

And to finish off the month, we participated in our first Career Fair at Juniata College in Huntingdon, PA. Always amazing to meet college aged individuals with drive, and excitement for the field.

We’d like to sincerely thank all of the organizations for hosting these events, and look forward to further participation and sponsorship in the future. Now….on to March!

You might be asking yourself, “who are these third-party providers that you speak of?” Well, here are some examples:

• Application service providers “in the cloud” (e.g., web-based business apps)
• IT service providers (e.g., helpdesk, VARs)
• Hosting providers – direct or via another vendor (e.g., web developer)
• Facility custodial services

These are just a few examples…you can probably rattle off another dozen or so in a matter of seconds.

So, what do we find that providers aren’t doing well with respect to providing security for you? Well, that list is expansive, but here are some examples of weaknesses that we find in correlation to the list of providers above:

• Applications with security weaknesses (check out the OWASP Top 10)
• Poor people authentication processes (i.e., how does the helpdesk identify a user when a password reset request is made?)
• Development firm says NO to application testing or hosting provider says NO to penetration testing
• Unauthorized and/or unscheduled changes to production environments
• Custodial staff props doors open

That is just the tip of the iceberg and normally leads to many, many more questions and the revelation of other security findings that end up in our deliverables.

What can be done to address this? Given the proliferation of “the cloud”, the “collapse of the perimeter”, and all of those other buzzy phrases we hear, something needs to be done to address this. The answer starts with the contract and your expectations from your providers. The contract must include language to support your right to audit (assessments, penetration tests, physical reviews, documentation reviews, etc.). The contract should also indicate what you expect them to provide with regards to security (based on your policy) and what recourse you have in the event that the provider doesn’t perform. Remember, you’re the customer and have the right to have your requirements met; otherwise, you should consider another provider that is willing to work with you.

Obviously the contract simply indicates your requirements … you have to enforce them as well by evaluating vendor performance on a regular basis. This can be a daunting task, but with a well-defined risk management program (and some help from BTB *wink* *wink*), it can become manageable and will be successful.

• Application service providers “in the cloud” (e.g., web-based business apps)
• IT service providers (e.g., helpdesk, VARs)
• Hosting providers – direct or via another vendor (e.g., web developer)
• Facility custodial services

Yes, we should divert some of our focus to emerging threats and trends, such as BYOD and Cloud security…but let’s not forget to evolve in how we approach the “blocking and tackling” of vulnerability management and basic data protection. Know what you have, understand the risks, and create comprehensive plan to mitigate the threats to your infrastructure and information.

Don’t be the “No-Man”, but get involved in making sure technology and practices that are new to your organization are vetted through some process. As the consumerization of IT continues, the discovered and inherent threats to the infrastructure and information will grow…..are you prepared?

BTB showcased its service offerings including Penetration Testing, Vulnerability Assessments, Web Application Assessments, Governance Assessments, Incident Response and Forensics. In addition, the targeted Meaningful Use Assessment was showcased specifically highlighting BTB’s approach to the HITECH Act requirements.

This one-day summit brought together healthcare information security, privacy and compliance executives from the largest and most influential healthcare sector organizations.The summit featured speakers from all over the country, covering a variety of topics.

• Morning Keynote – Dr. Bryan A Wolf, SVP and CIO Childrens Hospital of Philadelphia
• Eric Svetcov, CISO MedeAnalytics – SF Bay Area Chapter Member – Cloud Computing and its impact on Healthcare Information Security
• Phil Curran, CISO Cooper University Hospital – Philadelphia Chapter – Security, Privacy, and Access in Healthcare
• John Huston, VP, Privacy and Information Security & Associate Counsel UMPC – Evolving Requirements and Solutions – Healthcare Identity Management
• Ken Patterson, CISO Harvard Pilgrim Healthcare – Boston Chapter – Abundance of Security Protections
• Darryl Defendorf, Dir IT Risk Management & Compliance McKesson – Atlanta Chapter – Data Governance in the Healthcare Sector
• Expert Panel: Darren Lacey, CISO Johns Hopkins; Keith Fricke, CISO, Catholic Health Partners; Jason Taule, CR/ISCO & Privacy CSC Healthcare IT; Cathy Beech, CISO, Children’s Hospital of Philadelphia; and David Snyder, CISO, Independence Blue Cross.

BTB would like to thank the CISO Executive Network and all participating members and guests, as well as some of our valued clients who were able to attend.

1. If the deal is too good to be true, it probably is. The old adage remains true for online shopping. Take a breather, step away from the computer and do some comparison shopping. Don’t get caught up in getting THAT deal – it may turn out to bite you.

2. Know who you’re dealing with. Quick research and reviews about the site give you insight into how they conduct business and how trustworthy they are. Again, online shopping is not like the pushing and shoving that goes on in stores. Take your time and be confident in the retailer that you’re buying from.

3. Be stingy about how your payment information is recorded and transmitted. Look for “https” in the prefix of the Web address or the lock icon in the status bar of your browser. This should be a deal breaker….IMMEDIATELY. This is the bare minimum protection for online shoppers.

4. Pay with a credit or charge card – they still offer the best protection for online fraud. Even better, if your card offers the option to create a “one time card number”, use those for each online purchase to ensure your real card number does not get abused. DO NOT purchase anything with a wire transfer. Money orders are also like cash and don’t offer any buyer protection. Your credit card company or bank will actually fight the seller if you are ripped off or if the card account info is compromised.

5. Check your financial accounts regularly to verify all activity. We should all be doing this anyway, but during heavy spending times, it is more critical. Reconcile what you bought with what you paid and ensure everything is received.

Pretty simple non-tech steps, but very valuable.

If you do a “show advanced” at the Metasploit command prompt, psexec has an option called EXE::Custom. It’s pretty self explanatory. I had messed with it before but got nothing to work. Watching psexec run, it is pretty obvious – the loaded exe is run as a Windows service. Therefore the exploit needs to be in a program capable of running as a service.  So, my goal here is to make a encrypted service executable to run and deploy via psexec. 

As an aside, when previously building standalone executables, I noticed bind_tcp Meterpreters are built using the RHOST variable. Since the exe runs on the victim host and binds to a port, RHOST is only useful for the multi/handler or the handler of the exploit run (in this case psexec). As long as the handler on the attacker side has the correct RHOST, you are good to go. What does this mean? Easy to mass deploy encrypted bind_tcp Stage 1 Meterpreters!

Ok, so here’s how it is done. The prerequisites are:

• Visual C++ Express, or some other C++ compiler
• A PE32 encryption program (use whatever you like)

Now, you need to get the Meterpreter Stage 1 code using Msfvenom (click to see the full size image).

For this example, we are going to use the service.c template file that is bundled with Metasploit.  Make a copy of the service.c file from the path “data/templates/src/pe/exe/service” inside the Metasploit directory tree.

Edit the file and replace the “PAYLOAD:” string with your Stage 1 character buffer.

After you save the file, compile it with your C++ compiler. Note: you will have to link this against USER32.lib and ADVAPI32.lib. You should have a fully working service executable*. 

Now all you have to do is encrypt the executable to avoid AV detection. Keep in mind, AV software always catches up, so you will need to constantly change this step. So, run it with:

• pe32_crypter service.exe -o service_crypt.exe

During the test that ran into the evening I had obtained a foothold into my customer’s network through several Internet-facing services and also had access to a few user systems with BTB’s “bot”. These were obtained very late in the day on the last day of testing, but I hadn’t yet captured the business targets I was seeking. Sure, I could have stopped here and told my customer that I had this limited foothold and one could speculate what I could do from there, but how boring is that?

Rather than calling it a day and ending the test, I focused on finding a way to escalate my privileges within the environment and capturing some good business targets. Within a matter of hours I had found a way to bypass an antivirus solution, extract and crack an administrator password, and re-use that password to gain full privileges over the Windows domain. Finally, I used those privileges to locate some valuable business data – in this environment it was Personally Identifiable Information (PII), namely social security numbers. Not only did I find the business targets, but I was also able to provide my customer with additional recommendations around system hardening that I may not have discovered had I stopped at 5pm.

In another test I had gained access to an application that allowed me to reveal credit card numbers one at a time. Of course I wanted to know how this worked and if I could extract credit card numbers in bulk. Unfortunately, I was on-site and running out of time to continue investigating this, so I gathered up some network captures and data to be analyzed. I was convinced that there were some serious flaws with this application that needed to be investigated – I recommended to my customer that a deeper application assessment be completed, but I really wanted to be able to demonstrate that there was a serious issue here. I spent another half a day hacking away at the information I had gathered, decompiling some application DLLs, locating encryption keys and algorithms, and writing a tiny Perl script to decrypt my sample data. Now I was certain and could prove there was a serious problem with this application.

Why do I share these stories? Because so many security consulting companies are constrained by hours or don’t have the capability to go that extra mile when their customers could benefit from it. Here at BTB we recognize these shortcomings and aim to provide a level of service that surpasses our customer’s expectations and to provide useful information to help our customers improve their security posture. We always go the distance.