About Harry McLaren

Oct.20

Practical Risk Tolerance

Excellent article on security risk management from Black Swan Security:

“…but I don’t hear any formalisation of measuring and assessing controls that are beyond the Control Tolerance of an organisation. We care about risk tolerances and exceptions, the risk owners care about these but the risk owners and the business managers also care about the ‘Control Tolerance’ or at least they care about controls beyond it.”

“If the practical risk tolerance that the security teams are working to is below the control tolerance then such a reset is inevitable. If the control implementations are below the Control Tolerance but the Risk Tolerance would practically have allowed for less stifling control environments then such a reset will likely not only reduce the impact of stifling controls but also unnecessarily increase the overall risk tolerance and associated exposure to security risk. Ironically over-zealous security controls lead to a less well-secured environment.”

Security

Jun.25

The Cult of Passion in Infosec

Recently I read an interesting analysis (by the talented Chris Sanders) reflecting on passion; how we use it to screen infosec candidates and asking the question if what we really mean (or should mean) is ‘curiosity‘.

“Passion is very difficult to attribute to a source. In fact, most people aren’t good at identifying the things they are passionate about themselves. The vast majority of security practitioners are not passionate about information security itself. Instead, they’re passionate about problem-solving, being an agent of justice, being intelligent, being seen as intelligent, actually being intelligence, solving mysteries, making a lot of money, or simply providing for their families.”

One particularly interesting observation which caused me to pause and reflect was the line:

“Not everyone is extraordinary and that’s okay. There is this myth that we all must be the best. As Ricky Bobby famously said, “If you ain’t first, your last!”. But, by constantly trying to be the best it breeds things like imposter syndrome, self-doubt, and depression.”

It is sometimes difficult to not constantly look to the ‘next-step’ overly focusing on comparisons with other members of the infosec community. Staying grounded is important and using self-awareness and reflection to identify areas for steady development; but not at the detriment to your own well-being or the people around you.

Sending out a thank you to Chris for drawing further attention to both the issue of misplaced searching for ‘passion’ and also to the dangers of trying to be in that 5% of practitioners who truly are exceptional but who also often sacrifice other areas of their life to fuel their passion.

Wellbeing

Jun.24

Analyzing Documents for Insights into Malicious Macros

Recently read an interesting piece asking the question why so many attacks/compromise analysis papers/articles only focus on the malware and not the dropper/document which is often (and increasingly so) the method of initial compromise (from either an infected web page or attachment). The author (Harlan Carvey) points out that understanding the way in which a document is used (via macros) to infect a target machine gives the defenders lots of useful insight and threat data which can be used to thwart future (or on-going) attacks.

“In the output we see what appear to be 2 base64-encoded Powershell commands, one that downloads PupyRAT to the system, and another that appears to be shell code.  Copying and decoding both of the streams gives us the command that downloads PupyRAT, as well as a second command that appears to be some form of shell code.  Some of the variable names ($Qsc, $zw5) appear to be unique, so searching for those via Google leads us to this Hybrid-Analysis write-up, which provides some insight into what the shell code may do.”
Source

See here for a great write up and deconstruction of one such document:

“Recently, we’ve seen reports of malicious files that misuse the legitimate Office object linking and embedding (OLE) capability to trick users into enabling and downloading malicious content. Previously, we’ve seen macros used in a similar matter, and this use of OLE might indicate a shift in behavior as administrators and enterprises are mitigating against this infection vector with better security and new options in Office.

In these new cases, we’re seeing OLE-embedded objects and content surrounded by well-formatted text and images to encourage users to enable the object or content, and thus run the malicious code. So far, we’ve seen these files use malicious Visual Basic (VB) and JavaScript (JS) scripts embedded in a document.”
Source

Security

May.25

The Future of Ransomware – It’s Bad & Getting Worse

Schneier has written a great post outlining the current and future risk of criminals/organisations/individuals holding our digital enabled devices against us for ransom. The impact of this is already being highlighted by attacks like WannaCry and are only going to get more server in the coming months.

“Everything is becoming a computer. Your microwave is a computer that makes things hot. Your refrigerator is a computer that keeps things cold. Your car and television, the traffic lights and signals in your city and our national power grid are all computers. This is the much-hyped Internet of Things (IoT). It’s coming, and it’s coming faster than you might think. And as these devices connect to the Internet, they become vulnerable to ransomware and other computer threats.”

Security

Apr.27

A Private Network for IoT Devices

Cloudflare has just announced an interesting and potential game changer for IoT-based threats:

“Orbit sits one layer before the device and provides a shield of security, so even if the device is running past its operating system’s expiration date, Cloudflare protects it from exploits. And while devices may be seldom patched, the Cloudflare security team is shipping code every day, adding new firewall rules to Cloudflare’s edge. Think of it like changing IoT to I*oT — devices can still access the Internet, but only after passing through Cloudflare where malicious requests can be filtered.

For the last year, Cloudflare has been working with a number of IoT vendors to develop Orbit. Already more than 120 million IoT devices are safer behind Cloudflare’s network. Lockitron is one of the IoT companies using Cloudflare. “Keeping our products and customers secure is our primary concern,” says Paul Gerhardt, co-founder of Lockitron. “Cloudflare provides an extra layer of security that allows us to keep our devices continually updated and ahead of any vulnerabilities.””

Source: https://blog.cloudflare.com/orbit/

Security,News