Hello World

Thought I’d give taking ISACA’s Certified Information Security Manager (CISM) certification a go given the large amount of non-IT literate business people I’ve been dealing with needing careful hand holding when it comes to providing security to their operations. These people know their business operations inside and out until it’s connected to a computer and then it suddenly a black box of mystery.

As part of service to the business we (IT security folk) learn their language, terms and requirements but some business owners seem disinterested in even attempting the understanding the fundamentals of something that’s now critical to their business survival. Is it a simple fear of the unknown or the fear of being mocked for asking someone to explain something they have no understanding of ? Business-crippling IT stories are now filtering into the popular mainstream media, as a few examples:  administrators going mad and faceless people attacking companies from the far side of the world, deleting their web sites and even the very IT security aware companies losing their critical data.

If it makes the business folk feel as if I’m approachable without me having an MBA, seems an easy step to take to help breach that gap.

I’m booked in for the 10 December 2011 exam in Sydney, so better get on with some study.

As an example of the missing images, if I attempted to view one of the failed images say, http ://someweb_site/Style%20Library/Images/btn_home.gif, it would display :

 (the white square and red cross is intentional, please don’t adjust your screens)

rather than  

In case you haven’t memorised the HTTP codes Wikipedia offers this refresher:

 304 Not Modified

Indicates the resource has not been modified since last requested. Typically, the HTTP client provides a header like the If-Modified-Since header to provide a time against which to compare. Using this saves bandwidth and reprocessing on both the server and client, as only the header data must be sent and received in comparison to the entirety of the page being re-processed by the server, then sent again using more bandwidth of the server and client.

Even though fiddler does a cracking job of recording what happening, I can never resist firing up Wireshark to confirm the same information. Below shows the server returning the 304 Not Modified response.

So the file was being requested from the server and the server was telling the client it hadn’t changed since last visit. But I hadn’t visited the site before. I flushed the client’s web browser cache just to be sure and still got the same error. To me that confirmed the error was at the server end.

SharePoint has its own caches to speed up page and content delivery.  The one I was interested in is the binary large objects (BLOB) cache and initial thought was to flush this cache and fix the problem, MS have a nice simple powershell script to do this http://technet.microsoft.com/en-us/library/gg277249.aspx

Flushed BLOB cach for the site, but still no dice. Then took a bit of a step back and looked at how SP used blog caches. Tobias Zimmergren’s blob piece was very help in understand where to look for the BLOB setting in the web.config file. A few simple checks showed that this site wasn’t using BLOB caching. Somehow SharePoint must have got confused in to thinking it did have a BLOB cache and was trying to return the images and JavaScript from the non-existent cache.

The fix was easy; we created a BLOB cache and everything worked beautifully, then we disable the BLOB cache and everything still worked. Despite the web page displaying the content correctly, I confirmed under the hood with fiddler and as you can see a much happier result.

Two of the people I know that have proudly public announced their assault on the GSE exam are Ash* and Dennis I wish them, and their mysterious other exam mates, the very best of luck.

Both will be facilitators after taking the two day GSE hands-on lab; Dennis will be the happy face at the back of the class Forensics 610: Reverse-Engineering Malware: Hands-On Analysis Tools and Techniques with Lenny Zeltser and Ash will Rob Lee’s whipping boy in Forensics 508: Advanced Computer Forensic Analysis and Incident Response

Other than personal drive to pass the GSE, SANS and the GIAC folks GSE qualification has been voted:

GIAC GSE Awarded Best Professional Certification Program by SC Magazine 2011

http://www.sans.org/press/giac-gse-best-professional-certification-program-sc-awards-2011.php

It’s fantastic to be among the few to have achieved the qualification, so why not line it up for your next goal in 2012?

*As Ash is from the far north Australia, he will be hard to understand. Be friendly – pat him on the head and hand a prawn fresh off the “Bar-bee” followed by six strong drinks.

SANS Cyber Guardian Program

I just though this was groovy.

Security 401: SANS Security Essentials Bootcamp Style

Not only can you achieve a top notch security certification, but SEC 401 provides credit towards a Masters degree at Charles Sturt University. Credit can be applied to either the Master of Information Systems Security or the Master of Management degrees at CSU when taking the forensic stream.

See the following links for details:
http://www.itmasters.edu.au/WhichQualification/ITManagement/MasterofManagementInformationTechnology/DigitalForensics.aspx and
http://www.itmasters.edu.au/WhichQualification/MasterofInformationSystemsSecurity/DigitalForensics.aspx

The second class Security 660: Advanced Penetration Testing, Exploits, and Ethical Hacking is designed as a logical progression point for those who have completed SANS SEC560 Network Penetration Testing and Ethical Hacking, or for those with existing penetration testing experience. Students with the prerequisite knowledge to take this course will walk through dozens of real world attacks used by the most seasoned penetration testers.

Taking either class will being an eye-opener given Craig’s knowledge, experience and practical background.

Click on the links to sign up.

This may sound suspiciously like a Vegas show, by I can assure you Bryce is a great speaker and it will be well worth the time to go and listen to his presentation on “Defending Your Weakest Link…End Users”.

Get along there, especially if you’re a AISA member and soak up what he has to say. Don’t be afraid to ask questions and get involved.

Details

Date: Monday, July 11
Time: 17:30 – 19:30
Venue: ANZ Centre – Core B Upper Ground Conference Suites, 833 Collins Street, Melbourne

Abstract:
In most organizations, a single end-user’s click is all it takes to put critical assets at risk. Hackers mercilessly leverage our ignorance, arrogance and apathy. Traditional defenses are failing us. We’re being hit from every angle: anti-virus evasion, full disk encryption bypass, flash drives, drive-by downloads, social networking, resumes, smart phones, web portals (e.g. Outlook Web Access), open wireless networks, attachments, social-engineering and so much more.

We must understand the true risk we face in today’s threatscape if we are to have a chance to defend ourselves.

This presentation will highlight some of the most salient threats our end users face both in and out of the office and what can be done to mitigate them.

Wouter’s got some fantastic experience in this complex and fascinating field, so by mentoring this class he’s sure to share that knowledge he’s sweated to acquire.

Check out his web site here or the SANS mentor page here for details.

Even with quiet, little blogs such as this, it’s well worth having logging set up and enabled.

For a while now, starting on 13th of June 2011 at 07:18:02, there’s been a consistant slow brute force password attack. Roughly three attempts per hour at guessing the on WordPress admin account. The attack is being redirected from a German hosted open proxy site with the IP address of 95.168.191.160.

It’s been fun for a while to watch, but it’s time to add a block in the ol’ .htaccess file.

There’s a very detail guide on how to use the .htaccess file to lock out those naughtly IP addresses, plus a bunch of over very funky things:

http://www.javascriptkit.com/howto/htaccess.shtml

I expect our friend to find another proxy – if it’s not a bot, or a smarter bot - and continue on.

Part of the joys of being a part of the internet.