Thursday, May 21, 2015

Security Measures on a Budget - Part 4

Microsoft security, everyone’s favorite topic to poke fun at. For both the offense and the defense it is considered to be our job security, the bane of our existence, and sometimes an unobtainable goal. Whether we like it or not, Windows Server and Desktop environments have their roots sunk deep into the infrastructure of the corporations and homes of the world. We must learn how to actively manage Windows environments without them getting away from us. How many of you can say that your home or work environment has completely removed deprecated operating systems? XP was end of life April 8th, 2014 and the extended support for Windows Server 2003 is coming up this July (https://support.microsoft.com/en-us/lifecycle/search/default.aspx). Just please do not tell me that you have anything older than that on your network. I know there is a good chance that you do, just don’t tell me about it. Some of the things that are out there on the internet are scary enough: old Windows 3.1 boxes, IP cameras, electrical control systems and more. HD Moore has a great talk about the scan of the internet that he performed over the whole year of 2012 and the data he collected on internet-facing systems (https://youtu.be/VuYi7gVy3dI), which includes a large number of Windows systems.
It is extremely hard to tell companies “Just patch/upgrade everything to where it needs to be”. I realize it is not that simple. You may have business-critical applications that only run on deprecated operating systems, the newest OS may not run on hardware that you do not have the budget to replace, or maybe you just don’t have the time. Honestly, most of these are just excuses in the mind of someone in information security. You are putting convenience, money, and time before protecting your critical assets. In an upcoming article I’ll cover asset and risk management; it is not something many do right, but it is one of the most important planning strategies that you can have.
Moving away from the obvious upgrades to current OS and software there are still many low cost or free enhancements that you can accomplish in Windows to create a more secure environment. Many can be accomplished via Group Policy (if you are in fact on an Active Directory Domain). Here are some links that I’ve always relied on and pointed others to for reference:

Best practices for GPOs (Group Policy Objects)
http://www.grouppolicy.biz/best-practices/
http://www.infoworld.com/article/2609578/security/the-10-windows-group-policy-settings-you-need-to-get-right.html
http://www.giac.org/paper/gsec/4138/group-policy-security-risks-practices/104227

Defend your Active Directory
https://youtu.be/uccM2xtE5SA - “Active Directory: Real Defense for Domain Admins”

Set local admin account passwords
http://blogs.technet.com/b/askpfeplat/archive/2014/05/19/how-to-automate-changing-the-local-administrator-password.aspx

Reduce the number of people in Domain Admins. No one should be logging into their desktop as a domain admin. Ever. Period.

Fix everything listed here. Just do it.
http://blog.spiderlabs.com/2013/09/top-five-ways-spiderlabs-got-domain-admin-on-your-internal-network.html

Implement EMET
Dave Kennedy has a great article on pushing it out domain wide. https://www.trustedsec.com/november-2014/emet-5-1-installation-guide/

Set up URLScan on IIS servers
http://www.iis.net/downloads/microsoft/urlscan

Set up BitLocker on laptops.
This is a must if there is any chance of that laptop containing sensitive data whose loss could be detrimental to your organization.

A few of these changes will cause growing pains as they are made, others not so much. Stronger password policies can cause the user populace to come after you with pitchforks if it’s not something that you have ever needed to change before. No cached credentials, Windows Firewall settings, and making changes to local system/service accounts can all create changes in process that not many people will be happy with. I’m not saying it’s easy, but these should all be a part of your overall security no matter how small or large your company happens to be.
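
A read-only way to see where a machine and its domain stand on several of the items above (Domain Admins membership, password policy, cached credentials, Windows Firewall, BitLocker). This is an added example, not from the original post or the linked articles; it assumes the RSAT ActiveDirectory module for the domain checks, Windows 8 / Server 2012 or later for the firewall and BitLocker cmdlets, and an elevated session. The function name `Get-BudgetSecurityAudit` is hypothetical.

```powershell
# Added example: read-only audit of settings discussed in this post.
# Nothing here changes configuration; it only reports current state.

function Get-BudgetSecurityAudit {
    $report = [ordered]@{}

    # Domain checks need the RSAT ActiveDirectory module (assumption).
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        Import-Module ActiveDirectory

        # Domain Admins membership, nested groups included: keep this list short.
        $admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive
        $report.DomainAdminCount = @($admins).Count
        $report.DomainAdmins = ($admins | Sort-Object SamAccountName |
            Select-Object -ExpandProperty SamAccountName) -join ', '

        # Default domain password policy (length, complexity, lockout).
        $pol = Get-ADDefaultDomainPasswordPolicy
        $report.MinPasswordLength = $pol.MinPasswordLength
        $report.ComplexityEnabled = $pol.ComplexityEnabled
        $report.LockoutThreshold  = $pol.LockoutThreshold
    } else {
        $report.DomainChecks = 'Skipped: ActiveDirectory module not installed'
    }

    # Cached domain logons: stored as a string; "0" disables caching.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $report.CachedLogonsCount = (Get-ItemProperty -Path $winlogon `
        -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount

    # Windows Firewall: list any profile that is not explicitly enabled.
    $off = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
    $report.FirewallProfilesOff = ($off.Name -join ', ')

    # BitLocker state of the OS volume (requires elevation).
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $report.OsVolumeProtection = if ($vol) {
        "$($vol.ProtectionStatus) / $($vol.VolumeStatus)"
    } else {
        'Unknown (not elevated or BitLocker not available)'
    }

    [pscustomobject]$report
}

Get-BudgetSecurityAudit | Format-List
```

An empty `FirewallProfilesOff` means all three profiles are on; a `CachedLogonsCount` of 10 is the Windows default.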

Tuesday, May 5, 2015

Quit your bitching and get back to work

Regarding @tableflipclub

I normally wouldn't give this stuff a second glance. More girls bitching about unfair pay/opportunities. But since you asked here we go.

Do I believe them?
     I border on the line between not wanting to give a fuck about what they are saying and trying to believe that there is that much of an abundance of these types of companies out there. Because honestly I haven't had any bad experiences like they are referring to that have kept me down. They mention mediocre men whizzing by them, being called "shrill", "abrasive", and "hard to work with".
     It's hard to put yourself in someone else's shoes when you haven't had those types of experiences before. Taking that sort of "fuck this I'm out of here" attitude without being skeptical is really difficult. I've had many mediocre people whiz by me. Be it because of shitty management, people knowing how to bullshit, who they knew, or maybe because I didn't like my job and was being more mediocre than they were. Because we're in a male dominated industry of course an abundance of them are going to be men.
     Maybe you are difficult to work with. Lots of people are. There are three categories that I put people in to be able to stand working with them.
1. Kick ass technically, but an absolute jerk with no other qualities.
2. An amazing person, nice, polite, hard worker, but doesn't know how to do shit.
3. Half way between (or on the rare occasion both) 1 & 2.

If you aren't one of these three, I wouldn't want to work with you either.

Opinions are like assholes, everyone has one:

     We all have opinions and views that are based on where we've been in life, what we've seen, and the attitude we bring to the table. I've always been drawn to typical male job roles. The reason why is a whole other story for another day. My personal experiences have shaped my work ethic, my drive, and how I see the world. I was raised on a farm in the middle of nowhere, had a job at an orchard starting at 12, on a farm at 14, tractor supply after that, a couple more male dominated roles, and then into I.T. ALL of which were male dominated roles.
     What drew me to them was the lack of utter bullshit that large groups of women seem to spew out when all together. Yea boys can be dramatic, but it doesn't last, they don't hold grudges about stupid stuff, and I find them more pleasant to work with. Have I gotten paid less than my male counterparts? Sure I have, I know that for a fact. It's also a fact that men are more aggressive by nature, ask for more raises, take riskier career moves, and other things that would advance them faster than females would.
     So what did I do when I knew I was getting paid less than a male counterpart? I worked with my company to find out why. It wasn't because he was male btw (surprise surprise). They had offered to pay me equal, maybe a bit more. But it was still not as good as the next company. The previous year had helped shape me as a person even more, and I had grown technically. So I left, and let them know why. It wasn't because I was a girl, it was because they couldn't pay me as well as the next place.


My thoughts on sexism:

I already kind of summed them up here http://infosystir.blogspot.com/2014/08/soapbox-rant-sexism-bsideslv-bonehenge.html

It's really on my ideas of sexism in general, not so much as growing and achieving more in the workplace. But it still helps put some of my thoughts forward.


Why this type of movement annoys me:

     Quit your bitching and whining. Put your big girl panties on and get to work. Have you ever thought the reason you aren't moving up fast enough or getting paid more is because you do shitty work and need to try harder? Or maybe you really do work for a fucking horrible company, well leave and find one that treats you well. Don't ostracize everyone for the mistakes of a few. People that gravitate towards these types of movements are usually people I can't stand. Whiny, annoying, gen-x, "I deserve it because it's me" type people.
     Have I been called sexist before? Sure I have...people have tried to dox me because of being silly or not caring about the same things as them. But at the end of the day I'm the happy and content one. I don't let things get me down (too much anyways). Life isn't fair and I never forget it. But if I stop being content and happy, I change what needs to be.

I like how Georgia said it best: "Do good work, speak at events, mentor young girls who are interested in tech, do anything besides just bitch about how oppressed you are please!"