
Brianne Fahey


Reputation by Site

March 10, 2018 by Brianne

Websites can get a reputation from the material they contain, the company they feature or attract, as well as from the internet reputation machines that scan and crawl them. My hypothesis is that if I can do some legwork to positively impact the machines and databases of the internet, it will help buy goodwill and trust that helps bridge into a more positive personal reputation.

What do the internet respectability engines think about BrianneFahey.com?

I like to come to a conclusion from an aggregate of data, so let’s check a few different options and put together a story of my website’s reputation. Two of the common sources of website safety information are included in the anti-virus and computer protection packages from McAfee and Symantec/Norton.  Having one of these programs installed allows you to see some immediate feedback when you search for a website before you go to that site. It’s like looking through the peephole before deciding whether to open the door.

I would definitely be more comfortable visiting a site with a green check mark than a grey question mark or that evil red x. I installed the browser extension for both McAfee WebAdvisor and Norton Safe Search and navigated to BrianneFahey.com.  Both plugins are greyed out, and when I mouse over them, they indeed say they are registering no reputation feedback. I’m relieved to not have to overcome any negative reputation marks, but to get to green we need to fill in this blank slate with facts.

The good news is that my reputation is mine to influence at this point.

Web crawlers can use the information posted on the site including text and images and other files to rank you, but they are not sentient so they may not be able to determine the intent of your site.  It’s up to you to convince them that you have good intent and wish no harm on the people of the internet and you deserve a green check mark. My plan to establish a good reputation involves visiting the machines that are generating, collecting, and providing this information to make sure they are understanding my intent.

Review and Correct the Reputation and Categorization

Internet filters and proxies can rely on website categorization to decide which blocks of URLs to allow and which to deny. You can review how the engines have categorized your site and suggest a more appropriate category. If you start a small business and create a quick website, you need to be aware of whether entire enterprises are being blocked from viewing your website inside their corporate network because it is misclassified as Gambling or Adult/Mature Content or worse. There is some risk in being unclassified as well, because some filters are set to block unclassified or very new domains by default, a defense against attackers who register or algorithmically generate (DGA) throwaway domains that spin up and disappear within weeks to facilitate phishing. Review the available categories and their definitions to make the most appropriate choice, as any petition to recategorize a site will be reviewed before it is accepted.

  • Symantec Norton SafeWeb
    • I registered as the owner of my site and Norton sent me an email with a method to validate.
  • Symantec BlueCoat Web Pulse
    • BrianneFahey.com was initially categorized as “Search Engines/Portals”.  I submitted a request to have it classified as “Personal Sites” and “Computer/Information Security”.
  • WebSense ForcePoint
    • BrianneFahey.com was initially uncategorized. I submitted a request to have it classified as “Societies and Lifestyles: Blogs and Personal Sites”
  • Trend Micro Site Safety Center
    • BrianneFahey.com was initially categorized as “Untested” and “Newly Observed Domain”. I requested the site be retested and submitted that it be classified as “Personal Sites” and “Computers/Internet”.

Check the Pulse

Websites change and reputations evolve. It’s a good idea to regularly check in on your site’s ratings and feedback. A simple way to have the web watched for you is to set up Google Alerts for your domain and your name.

Beyond the sites and tools mentioned above, here are a few other open-source intelligence (OSINT) sources that track website reputation and safety.

  • URLVoid
  • VirusTotal
  • Google Safe Browsing
  • RiskIQ PassiveTotal
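The periodic check described under “Check the Pulse” is easy to script once the lookups come back as structured data. The example below is added here and is not code from the original post; it assumes the VirusTotal v3 domain report (GET /api/v3/domains/{domain} with an x-apikey header, and the last_analysis_stats, last_analysis_results and categories attributes of the response), reduces a report to a verdict plus the vendors whose categorization does not match what the owner asked for, and diffs two summaries so a cron job only has to shout when something moved. The two sample responses are constructed, not real VirusTotal output, and the expected category words are an assumption for a personal security blog.

```python
"""Check a domain's reputation and categorization with the VirusTotal v3 domain report.

Assumed (not taken from the post): the endpoint GET /api/v3/domains/{domain} with an
"x-apikey" header, and the "last_analysis_stats", "last_analysis_results" and
"categories" attributes of its response.
"""
import json
import os
import urllib.request

VT_URL = "https://www.virustotal.com/api/v3/domains/{}"

# Words that should appear in a correct category for a personal security blog (assumption).
EXPECTED_CATEGORY_WORDS = ("personal", "blog", "security", "computers")


def fetch_domain_report(domain, api_key=None):
    """Live lookup; needs a VirusTotal API key (VT_API_KEY). Not used by the offline sample."""
    api_key = api_key or os.environ["VT_API_KEY"]
    req = urllib.request.Request(VT_URL.format(domain),
                                 headers={"x-apikey": api_key, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize_report(report, expected_words=EXPECTED_CATEGORY_WORDS):
    """Reduce a domain report to the things worth re-checking: the verdict, which engines
    flag the domain, and which vendors categorize it as something the owner did not intend."""
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    results = attrs.get("last_analysis_results", {})
    categories = attrs.get("categories", {})

    flagged = sorted(engine for engine, r in results.items()
                     if r.get("category") in ("malicious", "suspicious"))
    mismatched = {vendor: cat for vendor, cat in categories.items()
                  if not any(word in cat.lower() for word in expected_words)}
    if stats.get("malicious", 0) + stats.get("suspicious", 0) > 0 or flagged:
        verdict = "red"      # at least one engine says bad: deal with that first
    elif not categories:
        verdict = "grey"     # nobody has an opinion yet: the blank slate from the post
    else:
        verdict = "green"
    return {"domain": report["data"].get("id"), "verdict": verdict,
            "flagged_engines": flagged, "mismatched_categories": mismatched,
            "category_count": len(categories)}


def diff_summaries(previous, current):
    """Human-readable list of what changed since the last check (empty if nothing did)."""
    changes = []
    if previous["verdict"] != current["verdict"]:
        changes.append("verdict %s -> %s" % (previous["verdict"], current["verdict"]))
    for engine in set(current["flagged_engines"]) - set(previous["flagged_engines"]):
        changes.append("newly flagged by %s" % engine)
    for vendor, cat in current["mismatched_categories"].items():
        if previous["mismatched_categories"].get(vendor) != cat:
            changes.append("%s now categorizes the site as %r" % (vendor, cat))
    return sorted(changes)


# Constructed sample responses (not real VirusTotal output) shaped like the v3 report.
SAMPLE_CLEAN = {"data": {"type": "domain", "id": "example.com", "attributes": {
    "categories": {"VendorA": "search engines and portals",
                   "VendorB": "blogs and personal sites"},
    "last_analysis_stats": {"harmless": 2, "malicious": 0, "suspicious": 0,
                            "undetected": 1, "timeout": 0},
    "last_analysis_results": {"VendorA": {"category": "harmless", "result": "clean"},
                              "VendorB": {"category": "harmless", "result": "clean"},
                              "VendorC": {"category": "undetected", "result": "unrated"}}}}}

SAMPLE_FLAGGED = json.loads(json.dumps(SAMPLE_CLEAN))   # deep copy, then one vendor turns red
SAMPLE_FLAGGED["data"]["attributes"]["last_analysis_stats"].update({"harmless": 1, "malicious": 1})
SAMPLE_FLAGGED["data"]["attributes"]["last_analysis_results"]["VendorB"] = {
    "category": "malicious", "result": "phishing"}

if __name__ == "__main__":
    baseline = summarize_report(SAMPLE_CLEAN)
    print(json.dumps(baseline, indent=2))
    print(diff_summaries(baseline, summarize_report(SAMPLE_FLAGGED)))
```

Run it as a scheduled job that stores the previous summary on disk and calls `fetch_domain_report` for the live data; an empty list from `diff_summaries` means nothing to do, while a “newly flagged by” entry is the signal to open a dispute with that vendor before customers see the red X.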

Good luck protecting your web domain’s reputation!

I like to go through an exercise of putting thoughts into a visual model that makes sense while I’m working through something. Time does not always allow (and alert queues are not always forgiving), but it leaves me with clarity and the ability to repeat a procedure more easily if needed. I’m utilizing a 30-day free trial of Mindjet MindManager 2018. It is fantastic, but pricey for individual home use, so I’ll evaluate my needs and priorities, and I will miss it when it’s gone. I used MindManager to assemble a visual procedure summarizing the steps described in this post.

Filed Under: Applied Security, Featured Tagged With: diagram, domains, forcepoint websense, google, hypothesis, learn, mcafee, online safety, osint, procedure, riskiq passive total, symantec norton, trend micro, urlvoid, virustotal, visualize

Packet Analyzing

March 3, 2018 by Brianne

I recently finished Chris Sanders’ Applied Network Defense online course for Practical Packet Analysis. Before I give you my impressions of the course, let me give you an idea of where I’m coming from and what I expected.

I never captured a packet before mid-2017.

I knew I’d need some practice analyzing packets to maximize my experience in the SANS SEC503: Intrusion Detection in Depth course later this year. I’ve never had a job role that gave me the opportunity to work hands-on with networks, so at times networking can be an Achilles heel of mine. I’ve done a lot of reading and a little bit of experimenting at home, so I was eager to pour myself into some labs and figure out what I could do and what I needed to work harder toward.

I purchased myself a course license and started chipping away at the materials in September.  I also bought a copy of Chris’s Practical Packet Analysis book through No Starch to use as a reference.

The Practical Packet Analysis course runs on demand (you can start as soon as you purchase a license) and includes more than 100 videos and more than 20 lab exercises. It’s available to you for 6 months.  I worked on it off and on a few hours a week for about 5 months and I noted a few lectures and labs I’d like to revisit in my last few weeks of access.  Because it was that good.

This course covers so much material.

It does a really incredible job of incrementally walking the student through progressively more specific and challenging material.  You start off with some high level network concepts and a lot of attention to the OSI Model, work into understanding how those protocols and activities manifest in real life, and then top it off with learning to efficiently comb through the packets captured from this network activity with tcpdump and Wireshark.

This course is worth every hour you put into it.

I will be able to use things I learned in this course immediately, even without needing to analyze packets daily in my day job. The lectures are well communicated. The material is current and specific.  Chris Sanders doesn’t lean on expensive tools or on only one way to approach a question.  He teaches you to think it through and answers questions by providing applicable advice instead of answers.  Certainly you can skim past sections you already know and visit subjects you’re struggling with more than once.  I particularly benefited from focusing on understanding the explanations for the malware labs analysis, examining HTTP responses, carving out transferred files, and exploring traffic manipulation.

I’m pleased to have finished the course and definitely open to taking any of the other Applied Network Defense Courses when I need to go deeper into the other available subjects.

Filed Under: Data and Analysis, Featured, Knowledge Tagged With: applied network defense, book, chris sanders, course, learn, networking, no starch, packets, review, wireshark

Typically Mean Averages

February 24, 2018 by Brianne

I wonder if I am a typical security analyst?

But what is typical?  Hard to tell what an average is since for every person near the core of the bell curve, there are quite a few outliers keeping things both challenged and balanced.  If asked to describe the typical security analyst, I would throw out a few generalizations based on what I’ve encountered in my experiences.

A profile performed by DataUsa.io has put together a slick Profile of the Average Security Analyst. The typical analyst experiences a solid salary, strong job growth, highly educated peers, demanding technical skill requirements, and a field that is roughly 75% white and 75% male.

From https://datausa.io/profile/soc/151122/

Sounds awesome. And intimidating.

Everyone has their own reasons for moving to a Security Analyst role. I fit some of the general averages noted above, but not all. Certainly diversity of people brings diversity of thought. If one of the main tenets of a secure enterprise is “Defense in Depth”, then certainly you should invest energy into building defense by diversity. Perhaps it is wise for both your layers of security and your team resources to be deep, diverse, adept, and agile.

I don’t always love difficult people, but I do love challenging work.

I don’t see myself as a typical analyst because I bring differences in thought and approach.  I ask questions. I draw connections. I talk to people in the business. I look for ways to align things. I act with a goal in mind.  I draw it out or write it down and hone it till it works or throw it out and take another path toward the goal. I aim to evolve and improve. When I want to learn about someone I ask them out for a coffee walk or a breakfast.  I sometimes make songs out of the ideas I’m working through or take a doodling break to try to think into a breakthrough.

I do see myself as a typical analyst because I like to make order out of chaos. I want to understand what happened and enact protections. I often feel exhausted after a day with a lot of people interactions. I easily memorize IP addresses and hostnames while I research events, but I don’t always remember the names of people I just met. I believe that Ex Machina and Black Mirror are equally awesome and terrifying because they’re tangibly realistic.

In this industry, the pace is fiery fast and the challenges are densely packed. The targets move and I’m sure the typical averages will also.

Filed Under: Data and Analysis, Featured Tagged With: analysis, career, datausa.io, defense in depth, diversity, industry

Find a Flow

February 16, 2018 by Brianne

If you can see it, you can get to it.

When I think through the parts of an event analysis, I look to put things in order and in perspective on my way from a hypothesis to a conclusion. Putting together a thought outline that works for me was a good excuse to test out LucidChart.

In my example, I start by enumerating the actor’s profile and the activity that generated a signal.  If I can source, trace, and verify the details pulled out of the logs to connect activities to an IP or a piece of hardware or an application or a procedure or an owner, I can work to build out the story and resolve my questions. When the case requires input from an investigation partner like human resources, you’ll have a solid frame of notes and findings to rely on for that discussion.

One of the reasons I chose this scenario as an example is because I believe a successful analysis is a complete analysis. Thorough, of course, to your personal quality level, but not necessarily ending with proving out malicious activity. Vetting that activity can be anomalous and still acceptable is a decent outcome.

You don’t have to catch a bad guy to do a good job.

Build a structure that works for you.  Once you establish your flow and create a template, you’ll start to save some time without sacrificing quality. Find your flow and go catch yourself some answers.

Filed Under: Applied Security, Featured Tagged With: analysis, diagram, lucidchart, procedure, visualize

Virtually No Room for Ego

February 9, 2018 by Brianne

You can’t watch from the sidelines forever…

One of the reasons I’m such a fan of continuous learning is for the perspective it brings. For me, going through a capture the flag (CTF) exercise or packet capture lab is a humbling experience.

From https://behappy.me/poster/every-next-level-of-your-life-will-demand-a-different-y-o-u-1164332

Even if you’re confident in your grasp of the concepts, implementing them is a totally different experience. It reminds you to value people who have skills you don’t. It reminds you that doing something is harder than saying something. It reminds you to teach or show anytime you can, to pay back the help you ask of others. It reminds you that no one does it alone. It reminds you to celebrate small victories.

Last week I wanted to set up a clean Linux distribution virtual machine to enable practicing packet capture and analysis with an operating system different from my host machine. Again, the concepts are understandable, implementing in an environment you’re comfortable with is a challenge, and trying in a less comfortable environment is like writing with your non-dominant hand: ugly unless you do it repeatedly.

When you can’t complete your original plan, recalibrate and regroup!

Short story long, I ran into hiccups with my Linux VM install, had to start over twice, and ended up putting hours into what should have been as easy as ‘start program’. Packet practice was an afterthought to establishing a solid virtual environment. And I’m left feeling again like I’m learning to tie my shoes with boxing gloves on my hands.

To those who can do the things in my learning list; I commend you for your mastery of trades and topics that don’t come easy to most. I also would like to take you out for a coffee sometime and pick your brain. And when you need a tip about Excel, Process Flow Diagrams, or Buffy the Vampire Slayer, text me.

From Buffy the Vampire Slayer by Joss Whedon

Filed Under: Featured, Knowledge Tagged With: learn, linux, virtual machine

Information Security Writing

February 2, 2018 by Brianne

Learn a byte at a time.

About a month into the year, I’ve completed the first of my planned personal training goals: Chris Sanders’ Applied Network Defense course called Effective Information Security Writing.

This course is absolutely worth the cost!

Write Now, Reference Later

I’m a firm believer in capturing information while you’re attaining it with the goal of ultimately having a polished reference page or standard operating procedure. My process involves creating a lot of short & sweet OneNote pages as things are happening that I can revisit to combine, order, and edit later.

Writing things down is not a popular pastime among my peers. Events come in high volumes and move fast.  Capturing details seems like a luxury. I never regretted having a slick wiki page to reference when I was on-call or entering an incident analysis cold. I figured no one was into using my help pages as much as me until I was contacted via LinkedIn by a colleague from a former job to thank me for writing guides five years earlier for a tool he just inherited without much time to get up to speed.

What worked for me?

The Effective Information Security Writing course offered a mix of videos, exercises, templates, and online discussion. I’d recommend it to anyone who is asked to write documentation, even if it is not the exact type of report this course covers. The course is extremely relevant if you’re already writing reports for pen tests, vulnerability or compromise reports, or case notes.

Taking time to see something through another person’s point of view often reveals your own biases and blocks, and helps you become aware of how you can improve. I learned that the executive summary is typically the last section of a report you write, not the first as I had been doing. This makes total sense. Get out the long parts first and then condense them down into the highlights. It seems so obvious, but since it was logistically first in the report, it never occurred to me to write it at the end. Simple and impactful.

Completion Note

I thrive on courses that are flexible and that don’t require me to be sitting at a computer the entire duration. I could take a walk and listen to a few lectures, then settle in at my desk to try the exercises. I finished the course in roughly 10 hours over a month of nights and weekends. I started both EISW and Practical Packet Analysis at about the same time since I knew the latter would require much more attention (and time). I had no trouble switching back and forth between the two courses while keeping track of the path and the ideas in the lessons.

Find out for yourself!

Check out the course details and consider adding this one to your own personal plan.

Filed Under: Featured, Knowledge Tagged With: applied network defense, chris sanders, course, learn, onenote, reports, review, writing

EXIF Interview

January 28, 2018 by Brianne

I realized what I did immediately.

Upon publishing my previous blog entry and viewing the refreshed page in my browser, one of my plug-ins alerted me to a personal operational security (OPSEC) lapse. I took that picture of my visual training map on my phone and did not bother to check the image for any personal or descriptive information before posting it.

Blog Image with Browser EXIF Viewer

What is my EXIF Telling the World?

I have an EXIF viewer plug-in installed in my browser which shows me available EXIF data for any image I mouse over.  EXIF stands for exchangeable image file format (per the Wikipedia article) and is basically an image standard for digital cameras. EXIF data attached to a digital photo can include quite a lot of information about the camera settings, date and time, and image attributes.

To find out more about the EXIF in my image, I needed to dig into some Open Source Intelligence (OSINT).  I utilized the fantastic OSINT Framework site.

OSINTFramework.com for Research

The OSINT Framework led me to Jeffrey’s Image Metadata Viewer. I entered the URL for the image on my site and took a look at the results.  The results are detailed, and not particularly overwhelming except for the details about the camera itself.

Jeffrey Image Viewer Results

Hiding in Plain Sight

The EXIF data clearly shows that my camera is a Samsung, which you can extrapolate is likely a mobile phone.  In fact, if you look up the model and software on Google, it will tell you exactly which model of phone I am using and which version of firmware is installed. This might not seem like much, but if someone was looking to target me, they could certainly customize their exploit to take advantage of something I have exposed that I use.

So What’s the Learning Opportunity?

You may not be able to strip every byte of metadata with the built-in tools, but you can certainly clean up the identifying fields. Right-click the image file on your computer, open the Properties menu, and look at the Details tab.

  • See the listing of the data embedded in the image file.
  • Select the link to “Remove Properties and Personal Information”.
Right Click Image to Cleanup EXIF Data

I cleaned up the camera model and software from my file and replaced the initial image in my blog post.
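The Windows dialog does the job by hand, but it helps to understand what is actually being removed and to be able to do it for a batch of files before they reach a blog or a ticket. The example below is added here and is not code from the original post: a standard-library-only JPEG walker that lists the device-identifying IFD0 tags (Make, Model, Software) from the APP1/Exif segment and writes a copy with that segment dropped, leaving the pixel data untouched. The sample file it builds is constructed for the demonstration (a bare SOI + Exif + EOI with placeholder Make/Model/Software strings, no real image), and the tag subset in TAG_NAMES is a deliberate selection, not the whole EXIF dictionary.

```python
"""Inspect and strip EXIF (APP1) metadata from a JPEG with only the standard library."""
import struct

# EXIF/TIFF tag numbers for the fields that identify the device (a subset, chosen here).
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software",
             0x0132: "DateTime", 0x8825: "GPSInfoIFD"}
EXIF_HEADER = b"Exif\x00\x00"


def _segments(data):
    """Yield (marker, start, end) for every marker segment; the final item runs to end of file."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI, or SOS: entropy-coded image data follows
            yield marker, pos, len(data)
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # counts its own 2 bytes
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _is_exif(data, start):
    """True for an APP1 segment whose payload starts with the Exif signature."""
    return data[start + 1] == 0xE1 and data[start + 4:start + 10] == EXIF_HEADER


def read_exif_tags(data):
    """Return {tag name: value} for the ASCII and LONG entries of IFD0."""
    tags = {}
    for marker, start, end in _segments(data):
        if not _is_exif(data, start):
            continue
        tiff = data[start + 10:end]                      # TIFF header + IFDs
        endian = "<" if tiff[:2] == b"II" else ">"
        ifd = struct.unpack(endian + "I", tiff[4:8])[0]  # offset of IFD0
        count = struct.unpack(endian + "H", tiff[ifd:ifd + 2])[0]
        for i in range(count):
            entry = ifd + 2 + 12 * i
            tag, typ, n, raw = struct.unpack(endian + "HHI4s", tiff[entry:entry + 12])
            name = TAG_NAMES.get(tag, "0x%04X" % tag)
            if typ == 2:                      # ASCII: inline if it fits in 4 bytes, else by offset
                if n > 4:
                    off = struct.unpack(endian + "I", raw)[0]
                    raw = tiff[off:off + n]
                tags[name] = raw[:n].rstrip(b"\x00").decode("ascii", "replace")
            elif typ == 4:                    # LONG (e.g. pointer to the GPS sub-IFD)
                tags[name] = struct.unpack(endian + "I", raw)[0]
    return tags


def strip_exif(data):
    """Copy the JPEG, dropping every APP1/Exif segment; other segments and pixels are kept."""
    out = bytearray(data[:2])
    for marker, start, end in _segments(data):
        if _is_exif(data, start):
            continue
        out += data[start:end]
    return bytes(out)


def build_sample_jpeg(make, model, software):
    """Constructed test file: SOI + APP1/Exif (little-endian IFD0) + EOI, with no pixel data."""
    fields = [(0x010F, make), (0x0110, model), (0x0131, software)]
    data_base = 8 + 2 + 12 * len(fields) + 4      # where out-of-line strings start
    entries, blob = [], b""
    for tag, text in fields:
        value = text.encode("ascii") + b"\x00"
        if len(value) <= 4:
            entries.append(struct.pack("<HHI4s", tag, 2, len(value), value.ljust(4, b"\x00")))
        else:
            entries.append(struct.pack("<HHII", tag, 2, len(value), data_base + len(blob)))
            blob += value
    tiff = (b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", len(fields))
            + b"".join(entries) + b"\x00\x00\x00\x00" + blob)
    payload = EXIF_HEADER + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    img = (open(path, "rb").read() if path
           else build_sample_jpeg("SAMSUNG", "Example-Model", "Example-Firmware-1.0"))
    print("before:", read_exif_tags(img))
    cleaned = strip_exif(img)
    print("after: ", read_exif_tags(cleaned))
    if path:
        open(path + ".clean.jpg", "wb").write(cleaned)
```

Point it at a real photo (`python exif_check.py IMG.jpg`) to see the Make/Model/Software triple the post talks about, then confirm the `.clean.jpg` copy reports nothing. Note that dropping APP1 removes the embedded thumbnail and GPS sub-IFD along with the camera fields, which is what you want before publishing; metadata stored outside Exif (an XMP APP1 block, or IPTC in APP13) is left alone by this script, so run it after, not instead of, a tool such as `exiftool -all=` when you need everything gone.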

People Are Very Creative

One of the reasons I am aware of EXIF data is because of an online project called Stolen Camera Finder. This site uses uploaded images to create a database of EXIF attributes and then crawls the web to match images to that EXIF data. Let’s say you leave your camera on vacation in Key West, someone picks it up, uses it to take some photos of their friends, and posts them with a location tag to Instagram. When you upload the EXIF from a photo on your computer taken with your camera, Stolen Camera Finder crawls Instagram and attempts to match the EXIF data. In some cases, the match can yield location data as well.

Stolen Camera Finder Map

Everyone knows that once information is available online, it can and will be used.  I believe there is good in the world and that data can be used to do positive things – like helping people reunite with a lost camera.  It doesn’t take much for someone to use the same information for nefarious purposes though.

Think Before You Click

The oldest advice is the best advice.  This was an excellent reminder for me to be careful with my personal operational security.  For some reminders on ways to protect your online presence, visit the National Cyber Security Alliance’s Stay Safe Online website.

Filed Under: Applied Security, Featured, Technology Tagged With: exif, google, images, learn, location, metadata, online safety, opsec, osint, osint framework

Visualizing a Plan

January 27, 2018 by Brianne

Getting Somewhere

When I’m out on a long walk, I orient and motivate myself by saying “if you can see it, you can get to it”. This is particularly useful on a day when all the elements are in your favor, but holds true even when the path is less certain.

Quick, Rough, and Useful

Instead of making resolutions this year, I sketched up a quick visual map of my learning plan. Once everything was out on paper, I could see it was too much to tackle immediately, but by bringing it onto a timeline, I could start to orient and adjust. Duration, priority, and opportunity all play into when and how I can start to address some of the things I want to learn more about.

Visual Map of my Personal Plan

Seeing It is Motivation

I’ve already started acting on it and I’m open to adapting the plan when life and work and time and opportunity start having their impacts. Nothing is set in stone, but I have an idea of where I’m going.  I’m motivated to do something, so let the lessons continue and the skill set evolve.

Filed Under: Featured, Knowledge Tagged With: learn, map, plan, timeline, visualize, walk


Research

Whitepaper in the SANS Reading Room:
Defending with Graphs: Create a Graph Data Map to Visualize Pivot Paths

© 2023 · P. Brianne Fahey, Cyber Threat Analyst