Why I became a Cisco Champion

Cisco is a great company – they have many wonderful products and services plus the company seems to treat its employees like family. It also knows that customers are what keeps it in business because without paying customers you do not have a revenue stream. Plus, Cisco realizes that customers sometimes know a thing or two about products and technologies. This is one of the reasons that the Cisco Champion program is so awesome. It is a way for Cisco to recognize individuals that do not work for Cisco but still share a passion for technical products and technologies.

A lot of Cisco Champions have written about why they decided to join the program. My story may be a little different. I feel that it started in 2015 at CiscoLive in San Diego. This was the first year I went to CiscoLive by myself. Because I had been on Twitter for about a year at that time, I was already familiar with the CiscoLive social media team. This led me to the tweetup on Sunday. Almost immediately, I met quite a few interesting people that I ended up hanging out with that week. The following year, I followed the same course of action in Las Vegas. But that year one of the Cisco staff thought I was in the Cisco Champion program for a brief second – this was the first I had ever heard of the program so I looked into it. Of course, when I read that it was for technical evangelists (and I knew some of the people in the program were a lot more technical than I) I immediately assumed that I was not Champion material. Trying to compare myself to some Champions that are Cisco Press authors is kind of daunting.

At CiscoLive in 2017, one person in particular (Kim Austin @ciscokima) “harassed” me all week about being in the program. She learned some things about me through my time at CiscoLive. She knew I had a good understanding of the technology and that I enjoyed learning new concepts. Plus, that was the year I was asked to speak at the New to CiscoLive session hosted by Cisco for first timers. So, after I got back from CiscoLive and I saw the posts about joining the program, I decided to give it a shot. What was the worst thing that could happen? I would get rejected but I would still go on with my life.

Well, I did get in and let me tell you that I am so glad that I did. Over this past year, I have gotten some pre-briefings on future products, interacted with some of Cisco’s technical and managerial staff, and met some really wonderful people from across the globe (at least virtually). Cisco hosts some private chat rooms (through Cisco Webex Teams, of course) where we discuss interesting topics and get some technical insight from other smart people. Of course, it is not always technical stuff we discuss. Among other topics, I have discussed and seen pictures of kids, pets, and food – who knew that some of these incredibly technical people had many other talents? Plus, the snark is strong with many of them.

So, if you are even somewhat knowledgeable about technology, take a look at the program. A good post about the program can be found at https://community.cisco.com/t5/cisco-champions-public-documents/cisco-champion-program-faq-updated-october-2018/ta-p/3732770. Take a look at eligibility requirements – it does not state that you are an “expert at technology” but rather describes that you are a technical evangelist. Really, it is about wanting to inform others about what you know technically – wanting to teach. I got into writing this blog to help others. Sometimes my topics come from having to do too much research. I can put my experiences down here for others to review. That is being a Champion – wanting to better others when it comes to technology.

I am proud to call myself a Cisco Champion.


Phishing Campaign

October is Cybersecurity awareness month, which is a time to educate people on good security practices. Unfortunately, the users that really need the training are usually the ones that ignore the training opportunities. How do you get these people to actually take cybersecurity seriously? You trick them.

Ok – I know that sounds bad and I am not suggesting being a bad guy. What I did was launch a phishing campaign against the entire office part of my organization. That is roughly 5000 people globally. I really did not know what to expect when I started the campaign. I was hoping for better results but, regardless of the outcome, it was a really interesting project. At my level of involvement, I was privy to a lot of details that I cannot divulge even to other people in my organization. However, I can help you understand why this is a really good tool to help with the training effort.

Let’s discuss data privacy which can be a dreaded topic for international companies. Workers in the US should not expect data privacy, which means there are things that can be performed easier for security staff. However, there are laws and regulations in other countries that take data privacy seriously – just look up the EU data privacy laws (especially GDPR) to get an understanding of what I am referring to. This is why you need to get Legal and HR buy-in before moving forward with phishing your users. I think the important concept that helped my efforts was making sure I was not collecting any IDs and Passwords AND (this one may be more important) names will not get divulged under any circumstances. It is OK that IT Security knows these details because that is part of the job – how can you collect information without knowing the details? The important part is that IT Security will only be divulging statistical details – the percentages of users doing something. Statistics should be divulged to everyone including senior management but names should not be divulged to anyone under any circumstance.

Another important thing to mention is to inform users that give their credentials but, more importantly, do not make them feel dumb about it. Yes, they just did a really stupid thing but let them know why it was stupid. The message should not be “hey, you are stupid” but rather “oops, you fell for a phishing email – good news it was fake this time.” Also, add details around the campaign such as why it is being performed. Let the users know that there is a good reason for this and it is to help them be better with cybersecurity awareness. This is a good time to point out any tools that you have to help identify bad emails.

When performing these types of campaigns, you should not be looking to trick your users. The actual bad players are getting better but they do make mistakes. The emails I used were (to me) obvious fakes. For starters, there were some tools already implemented to help the users. First, I had previously implemented a simple tag in the emails by prepending the email subject line showing that external emails were external. So, when the users receive an email from the “CEO” and the subject says it is external, they may do a better job realizing it is not really the CEO. I made sure all of my phishing emails included this tag. Some of the phishing emails purported to come from one of the executives so having that tag should have been an obvious sign (or at least I thought). Second is to use different but similar domains since this does happen in the wild. Finally, I made sure there were some spelling and grammar mistakes in the email body – nothing too crazy but a few here and there. Another tool I had already deployed was branding our Office365 login – the company logo and a photo inside one of my locations was added. One of my phishing emails claimed to be from IT asking to change their Office 365 password but I used the same screen that Microsoft uses as a default. I thought that not seeing the company logo would be a good sign that it was fake.

One thing to note is that the IT staff that deals with end users will get very anxious during the campaign. Their usual reaction to a major incident like a global phishing campaign is to notify users to be aware of it. This is where management needs to walk the tightrope by not allowing them to send out that notification. In addition, they need to be given some information about what is happening but not all of it as they should be part of the test. Besides, the more people that know about the campaign means the more risk that information will get out sooner.

The final part of my campaign was to inform all of the users about what happened. At this point, the people that gave over their credentials knew about the campaign and I am willing to bet that they shared that information with some others. However, there were people that still did not know. Most important is to share the information that you can. This is when the statistical findings should be shared so everyone can understand what happened. This should be done in a forum where the most people will hear. I was able to get the word out during my company’s quarterly employee forum and was able to include some details around the correct way to report bad emails. There were some interesting responses as to what happened but most were positive.

So what can I share about my campaign? Roughly 15% of the users gave their credentials willingly and roughly the same amount reported the attempts to IT Security the way they were told to. There were a few users (roughly 2%) that reported it but not in a way that helps – if these were real phishes, IT would be forced to follow up with these users for further information. Of course, that means there were over 60% of the users that were unaccounted for. I can only assume that these people either deleted the email without notifying anyone or may have just not read the email yet. Either way, it is a big number of people that did not do anything to help the situation. Unfortunately, these are probably the same people that tend to ignore cybersecurity training.

Even with those numbers, I think the campaign was a success. Why am I claiming this? Because there has been a genuine uptick in phishing reports since the campaign ended. Unfortunately, there has been an uptick in false reports, too. Roughly 35% of the email reports since the campaign are legitimate emails including some internal ones. I guess a future follow up training may include how to spot fake emails (and that some emails are SPAM, not phishing). Regardless, it is an improvement and I think my users are genuinely questioning emails more. I would recommend performing a phishing campaign to any company.


Umbrella Migration

Not too long ago, we switched to a new Internet security solution. Our previous solution was a Cisco product called Cisco Web Security, or CWS. This was a cloud proxy solution and it worked well. But, being a proxy, it had its shortcomings with a big one being that it would rewrite all the web pages – of course, that is the nature of using a proxy-based solution. Secure sites (HTTPS) were even worse since CWS could not secure them unless it was allowed to perform a man-in-the-middle style of rewriting of the web page. This was only an OK way of securing these sites, as it did not always work well.

I am pretty sure that Cisco recognized these shortcomings since they purchased a company to replace CWS. They bought OpenDNS which had a unique solution to Internet security. One of the key components of the Internet is Domain Name Servers, or DNS. DNS is why you can use a URL (like www.itsecdef.com) and not have to know the IP address. Rather than looking at the content of the site, OpenDNS would categorize the site itself. When you request an approved site you would get the address for the site AND you would go directly to the site – no rewriting of the web page. However, when you went to a site that was either blocked by policy or identified as malicious you would not get the site’s address. Rather, you would get the address for an OpenDNS server to explain why you cannot get to the bad site. This was a really good product and Cisco made it even better by augmenting it with other solutions including some of the CWS features. They even changed the name to Cisco Umbrella since it covers more features (umbrella, get it?).

If you have ever had the chance to migrate a company’s Internet security solution then you know it is not a fun project and has really bad outcomes when things go wrong. When someone cannot get to the company’s ERP system, they just open an incident – no real complaining since they cannot work. Alternatively, if someone cannot get to their news site or watch videos on YouTube, they can get really cranky. If it is because you messed up the Internet migration, watch out for the pitchforks. Well, this was not the case for me with Umbrella.

There were two main phases to the migration: network and client. The network migration took all of 1 hour – actually it took a lot less but I had to wait for my testers and that always starts with some initial banter. All we had to do was repoint our DNS servers to the OpenDNS IP addresses for recursive lookups. Seriously, that was it. Once that was done, all DNS lookups for Internet sites went through Umbrella. The second phase was the clients. When people are remote (and not on VPN) they are secured through the use of a module on the AnyConnect client. We used our SCCM system to upgrade the client, remove the CWS module, and add the Umbrella module. Of course, this took longer than the network migration but it was facilitated by SCCM so we could monitor the progress.

There are some other features with Umbrella to allow for securing sites based on user IDs (like Active Directory) but we did not deploy these. The main reason for this was EU data privacy regulations. If we did not know the user IDs that accessed websites then we would not know what users were going to which websites. As a security person, I was not fond of the loss of data but the EU Works Councils did not care about my feelings. As the person responsible for getting us to Umbrella, this actually made the migration quicker. To get Active Directory integration working we would have had to deploy appliances within the network to point computers to (instead of our existing DNS servers) and add an AD connector. This migration could be done by altering DHCP but that means someone has to hit every DHCP scope. For a global company, that is a good amount of manual labor.

What did I learn about Umbrella during this migration? For starters, Cisco is still working to better the product, which includes more integrations such as with their Cloudlock service (CASB). I am planning to research these other product integrations when I get some more personal bandwidth. Additionally, using our DNS servers made the migration really easy. One thing I would mention is that you want each DNS server to point to the OpenDNS servers – do not point all the internal DNS servers to one specific internal DNS server and have it go outside. There really is no need to do this and it allows for Internet breakouts to be wherever (as long as the Internet provider allows you to use any DNS server). Finally, unlike CWS, Umbrella is able to secure more than web surfing since DNS is used for more than just the Internet. For instance, malware can utilize DNS to communicate back to a control system – unless Umbrella is there to respond with a different address. In conclusion, Umbrella is a product that works great. Your users will not thank you for switching to it but they will not grab the pitchforks either.


Are passwords enough?

The traditional method of securing data for many years has been through a user ID and password. Over the years, the recommendations around passwords have changed. Password length has always been important. Adding a single character (e.g. changing from 6 characters to 7) will make it exponentially harder to brute force crack. Using more than the simple 26 characters of the alphabet makes it even harder so it is best to use upper and lower case and special characters to make it take even longer.

It is now 2018 and brute force password cracking is not what any bad guy really wants to do anymore. While it is still a threat, is it as much of a concern as before? A lot of malicious parties have changed their methods. For instance, it is easier to send a specially crafted email that looks like it comes from someone you know and contains a link to a document. The receiving party clicks on the link and it looks like an Office 365 login – the person enters his/her credentials to see the document and now the attacker does not need to do a brute force hack.

So what can the IT Security team do if the end users are just going to give up credentials? For starters, make changes to login screens. By using branding, your users can see when they are at their Office 365 login. If there is no branding then the users should question the login. Users are both gullible and smart at the same time. Give them the tools to make better decisions. But is that enough?

The ID and password combination is no longer enough. Multi-factor authentication (MFA) gives the end users another factor in the login process. After users enter their ID and password, they get a notification on their mobile phone to approve the login. MFA is not new and it has been getting better but, as Stephen Hawking said, nothing is fool-proof to a sufficiently talented fool. If they get an authentication request on their phone and did not enter credentials, this could mean that someone else is attempting to log in as them. But remember when I said users can be dumb? Too many MFA requests could mean that the end users could approve requests even when it was not from them.

User and entity behavior analytics (UEBA) is the next method to safeguard company assets. By analyzing what end users are doing – how they are logging in normally – IT Security can get notifications when something out of the ordinary occurs. Also, it can lower the number of events for the IT Security teams to analyze. When a user performs a login in New York and ten minutes later attempts a login from Russia, there is a very good chance that someone else got the user’s password as this is an impossible travel situation. It is not always a hack attempt – for instance, a VPN connection can make it look like an impossible travel situation but IT Security should be able to differentiate a VPN connection.
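The impossible-travel check described above can be sketched as follows. This is an added example, not code from any UEBA product: the login events are constructed, the 1000 km/h ceiling and 50 km noise floor are assumptions, and the VPN egress range is a hypothetical documentation network.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt

# Assumption: no legitimate traveller moves faster than a commercial flight.
MAX_PLAUSIBLE_KMH = 1000.0
# Assumption: geo-IP lookups are not accurate below roughly this distance.
MIN_DISTANCE_KM = 50.0
# Hypothetical corporate VPN egress range (RFC 5737 documentation network).
VPN_EGRESS = [ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime
    src_ip: str
    lat: float   # latitude from a geo-IP lookup
    lon: float   # longitude from a geo-IP lookup


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def is_vpn(ip):
    """True when the source address is one of the known VPN egress points."""
    return any(ip_address(ip) in net for net in VPN_EGRESS)


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, previous, current, km/h) for each pair of consecutive
    logins by one user that implies a speed above max_kmh.

    Logins from a known VPN egress are skipped and never become the
    reference point, because their location is the VPN's, not the user's.
    """
    alerts, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e.when):
        if is_vpn(ev.src_ip):
            continue
        prev = last_seen.get(ev.user)
        last_seen[ev.user] = ev
        if prev is None:
            continue
        km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
        if km < MIN_DISTANCE_KM:
            continue
        hours = (ev.when - prev.when).total_seconds() / 3600
        speed = km / hours if hours > 0 else float("inf")
        if speed > max_kmh:
            alerts.append((ev.user, prev, ev, speed))
    return alerts


def _t(day, hour, minute):
    return datetime(2018, 6, day, hour, minute, tzinfo=timezone.utc)


# Constructed sample events; all addresses are documentation ranges.
SAMPLE_EVENTS = [
    # alice: New York, then Moscow ten minutes later -> alert
    Login("alice", _t(1, 12, 0), "198.51.100.10", 40.7128, -74.0060),
    Login("alice", _t(1, 12, 10), "192.0.2.77", 55.7558, 37.6173),
    # bob: New York, then the VPN egress (geo-located in Frankfurt) -> no alert
    Login("bob", _t(1, 9, 0), "198.51.100.20", 40.7128, -74.0060),
    Login("bob", _t(1, 9, 5), "203.0.113.7", 50.1109, 8.6821),
    Login("bob", _t(1, 9, 30), "198.51.100.20", 40.7128, -74.0060),
    # carol: New York, then London a full day later -> plausible flight
    Login("carol", _t(1, 8, 0), "198.51.100.30", 40.7128, -74.0060),
    Login("carol", _t(2, 8, 0), "192.0.2.90", 51.5074, -0.1278),
]

if __name__ == "__main__":
    for user, prev, cur, kmh in impossible_travel(SAMPLE_EVENTS):
        print(f"{user}: {prev.src_ip} -> {cur.src_ip} implies {kmh:,.0f} km/h")
```
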

UEBA is something that I am starting to look into for my company. As I research the different products, I will post some more on the topic. Till then, keep safe and remind users to stay diligent.


CiscoLive 2018 Scoop – Big Ideas Theater

CiscoLive has been getting bigger every year. The logistics of making the show work so well can be staggering and there is a small group of people from Cisco that are responsible for it. Every year they are challenged with bringing fresh, new experiences to attendees and every year they do a great job.

One of the big changes that a lot of people noticed for 2018 is the loss of the Social Media Pass. While this was a relatively inexpensive way to go to CiscoLive, it really did not have a lot of perks. If I am going to CiscoLive, I want to hear from visionaries and technologists so I can bring back great information. I go on the full conference pass since I want to hear from the technologists – the people that help make Cisco’s products. But that may not be for everyone.

Technology immersion is not the only part of CiscoLive. So, in 2018 the CiscoLive Team has given customers a new option: the Imagine Pass. This pass has a cost ($695 for early bird pricing) but it comes with some really good features. Basically, the return on investment (ROI) is pretty good. Just like the Social Media Pass from before, you get to go to all the keynotes, the Customer Appreciation Event, and the World of Solution floor. The difference is that you get meals and access to the Innovation Showcase and Big Ideas Theater, which are both new for 2018.

But what is the Big Ideas Theater? Just from the name, you can guess that it is about ideas, concepts, and visionary thought. The theater will contain a diverse lineup of thought leaders, strategists, technologists, and other provocative voices from across industries. This looks to be a great change for Cisco attendees that don’t want to immerse themselves in the technology tracks. Here is the official lineup:

Monday:
1:30 – 2:30 pm: Star Search
Hakeem Oluseyi (Astrophysicist and the Space Sciences Education Lead for the Science Mission Directorate at NASA Headquarters)

4:00 – 5:00 pm: Shift Your Brilliance: Leading Amidst Uncertainty
Simon Bailey (Best-selling author and renowned teacher)

Tuesday:
9:00 – 10:00 am: Emotional AI and the Future of Work
Dr. Rana el Kaliouby (Pioneer in Emotional AI, Co-Founder and CEO of Affectiva)

1:30 – 2:30 pm: Herding Tigers: Be The Leader The Creative People Need
Todd Henry (Author, Inspiring Speaker and Expert on Managing Creatives)

4:00 – 5:00 pm: Finding Your True North: Possibility Through Positivity
Grant Korgan (World-class adventurer, Nano scientist, and professional athlete)

Wednesday:
9:00 – 10:00 am: The Future Is Talent
Jenna Carpenter (Founding Dean & Professor of Engineering at Campbell University)

1:30 – 2:30 pm: The Neuroscience of Innovation
Amy Posey (CEO & Facilitator)

4:00 – 5:00 pm: How This Entrepreneur Turned Her Diet Soda Addiction Into a Company
Kara Goldin (Founder & CEO of Hint Water)


CiscoLive Tips

I have been to CiscoLive quite a few times and have learned things each time. Here are some of my tips that I have gathered over the years.

Do not show up Monday morning as your starting point. There is always a line at registration on Monday and almost none on Sunday. Besides, Cisco is now doing a session on Sunday designed for first time attendees. I know it is a good session as I am one of the speakers. We talk about some of the things we have experienced and take questions from the audience. So, come on Sunday (or earlier) and get your badge so you can be ready to go Monday morning. Also, come to the session for first timers and hear from people like me, even if you are not a first timer.

I have enjoyed each CiscoLive and it gets better every year. Unfortunately, it also gets bigger every year. You cannot do everything and this is ok. There are a lot of technical sessions on many different topics. Don’t go to a session because you think you are an expert – use these sessions to have a conversation. There are other people that will be in the same session that have similar questions – ask your questions and interact with the instructor. Just be a little careful – do not come to the session to solve all your problems. If you want to expand on something, wait till after the session to talk with the instructor.

Almost all of the sessions have slide decks you can download (even in advance) and can be used after the show. A good number of instructors even add more content to their downloads. If there are any sessions about which you do not have questions, use the slide decks instead of going – consider it a way to save some of your time for other parts of the show.

World of Solutions (called WoS) is the show floor. There are lots of vendors located here – lots of vendors. They give away free stuff so you can go home with plenty of SWAG. Be careful here – don’t pick up more stuff than you can bring home. Personally, CiscoLive is the one time I check a large bag rather than try to go with a carryon. My kids love the free stuff and so do the people in the office.

When planning your sessions, leave some time to peruse WoS. Personally, I find Wednesday afternoon to be the perfect time for this. Monday and Tuesday I am trying to absorb all the information from my sessions so by Wednesday afternoon I feel like I need a break. By scheduling an hour or two after lunch to walk around WoS and chat with vendors, I can get ready for more technical sessions and get my tchotchkes for the kids.

Social media is a big deal and it is huge at CiscoLive. Come down to the Social Media hub and meet the people that are behind Cisco’s social media. Plus, it is a good place to meet other attendees. The past few events, Cisco has put the Social Media hub in a key location because they know how important it is. It is called a hub for a really good reason.

Wednesday night is a big party known as the Customer Appreciation Event or CAE. This is always an event and you get a free hat. Go to this!!!! There have been entertainers in the past like Aerosmith, Train, and Bruno Mars. Cisco rents out some really big venues like the T-Mobile center in Las Vegas, Petco Park in San Diego, and Universal Studios in Orlando. It is a time to have fun with other attendees – this is not a place to do work. Just remember that you have one more day of the show.

8am meetings on Thursday come quickly, especially if you partied too hard at the CAE. Remember, this is the last day so power through. There are some sessions on Thursday that are great for thinkers so it is a day to drink an extra cup of coffee or soda or down some chocolate – anything to get you moving. Plus, Cisco has one more special treat in the guest speaker. This is a famous person that may or may not have to do with technology. Probably my favorite guest speaker was two guests in one, Adam Savage and Jamie Hyneman – also known as the original Mythbusters. This is always a good way to end the show.

The last thing I want to tell you is to network while at the show. This is not Cisco networking but rather getting to know other attendees. I have made some good friends at CiscoLive that I chat with throughout the year, but only get to see at this event. The end of my show usually is with dinner with some of these people. You never know where your next job will come from and there are plenty of people at the show that may be looking to hire.

I hope that these tips can help you with attending CiscoLive. It is a great show both from a technical perspective and a fun time.


Social Media

October was National Cybersecurity Awareness Month and, since I am in IT Security, it was a busy month for me. Besides having to deal with the day-to-day operational activities and the on-going project work, I had to come up with Cybersecurity stuff for the month. “Stuff” is my technical term for all of it: mass emails to my company on topics such as physical security and social engineering (do you know what vishing is?); presentations that I had to approve for others; and my presentation to the corporate office.

The presentation that I gave was on Social Media. It included a brief history of the Internet as it relates to Social Media, the good parts, the bad parts, some helpful tips, and information about my company’s policy on the topic. Fortunately, I had help for the last part from my Corporate Communications department – it is great to collaborate with others on presentations.

I cannot share my presentation as it is internal (and has my company’s name all over the place). However, the tips were my own and really designed for anyone.

  1. Double-check your privacy and security settings. While Social Media sites will (usually) not change your settings, they can change the settings themselves (even add or remove settings). Take a quick look every so often to make sure you are sharing what you want to share.
  2. Check your public profile. “Google” yourself. Log out and search for yourself. See what others that you do not know can see about you. If someone is trying to scam you, this can be a great way to find out details about you.
  3. Do not accept all “friend” requests. I am on LinkedIn and get a lot of friend requests. If I do not know the person, I do not accept. You have no control on what your friends do so there is no need to be friends with someone you do not know.
  4. Limit your personal information. Seems obvious but it goes back to your public profile and scammers.
  5. Do not post anything that you would not share with others. Barring the social interaction issue, if you are unwilling to stand up in a crowd of strangers and tell them something about yourself, why post it online?
  6. Be careful with add-ons. Ever play a game on Facebook? That can have a different end user licensing agreement and you could be accepting something that you should not.
  7. Review the Terms of Service at least annually. These can change without your knowledge and Social Media companies do not have to tell you. If you do not have that much time, start at the bottom as that is where the juicy stuff tends to exist.

So these tips are not earth shattering but they are good to remember. Even IT Security people can forget simple rules from time to time. Good things to remember as you surf the online social world.

(BTW, vishing is voice phishing – a topic that I may take up in a future post)


Cisco Umbrella

Many years ago, most companies added Internet access by purchasing some form of Internet line at the corporate office. A firewall was added to keep the bad guys from getting in. Eventually, the powers that be got word that employees were surfing to questionable sites. For instance, at one company I was at I had to show them a list of the sites people were going to – I set up a SPAN port and connected a 3rd party product that looked at HTTP/HTTPS traffic. There were some sites that were really bad and would get people in front of HR really quickly (one site I remember seeing was mybigfatwhitebooty.com – seriously).

This started the purchase of URL filtering. Initially it was through something on-site like routing all web traffic through a proxy server. This was good but it created a bottleneck plus did not grow well when a company wanted to add other Internet access points. A few years back, proxy in the cloud was born. One company called Scansafe did a pretty good job at this – it worked so well that Cisco bought the company. That is roughly when I got introduced to them. Cisco rebranded it as Cloud Web Security or CWS for short.

We have been using CWS for a few years and it is definitely better than our own proxy. For starters, there is no hardware for us to deal with. Secondly, we connected our firewalls to it so all web traffic leaving the company goes through it – not just company computers. Finally, through the AnyConnect client we can redirect laptops when they are not within the confines of the company network. All was good with CWS making this security guy really happy. Unfortunately, web traffic is not always ports 80 and 443 so CWS is limited.

Umbrella to the rescue. This is another Cisco purchase previously called OpenDNS. This will eventually replace CWS (actually, CWS is getting folded into Umbrella) so it is about time for all CWS customers to start the migration. Umbrella is really cool with what they did. DNS works as a backbone for Internet traffic by exchanging names for addresses. Think of it like a location on a map. There are not many people that can tell you exactly where something is by geographic coordinates but many more can tell you a city or town name – that is kind of like DNS. Umbrella works at the DNS level and since almost all Internet traffic uses DNS then you are getting almost all traffic even when it does not use ports 80 or 443. Once again, as a security person I really like this since we can secure other connections than standard web browsing.

My current company just signed our contract for Umbrella and we will be migrating away from CWS soon. All my Umbrella knowledge is based on marketing material and talking with the engineers – no first hand experience, yet. Sometime in the future (after we are done with the migration) I will write another post on my thoughts about Umbrella. For now, I am just excited to get started.


Windows Patching

WannaCry was an eye opener for a lot of companies. For anyone that did not hear about it (and I don’t know how since it was even on the nightly news) it was ransomware that made use of an NSA tool called Eternal Blue, which was released by Shadow Brokers as part of Vault7. Eternal Blue made use of a flaw in SMB version 1 which allowed the ransomware to spread to other computers without end user interaction. Microsoft released a patch (MS17-010) to close this flaw but a lot of companies were too relaxed with system patching. Of course, this meant that a lot of computers were vulnerable to the ransomware. This made a lot of IT people really nervous.

Microsoft releases at least a couple of patches each month, and sometimes releases critical ones out of the normal cycle. Fortunately, they have a free service for patching home computers and offer a solution for enterprises. In addition, there are 3rd party products that will do the same and more. However, there is a problem with the patching cycle: when Microsoft releases a service pack, their patching solutions will no longer offer any new patches. What I mean is that the only thing offered is the service pack and only after it is installed will the computer ask for more patches. How is this a problem? Well, companies may not want to push service packs to computers the same way as patches as it can be a bandwidth problem and tie up computers for longer than normal patching. This could mean that companies would think they are compliant with patches like MS17-010 (no computers reporting that the patch is needed) when in reality there are vulnerable machines.

How can IT determine if a computer is vulnerable if a patch is not reported as needed? NMAP to the rescue (http://nmap.org). NMAP is a free tool to scan computers for open ports and is part of my own arsenal of security tools – highly recommended. There is even a GUI front end called ZenMap to make it easy for anyone to use. If you go to https://nmap.org/nsedoc/categories/vuln.html you can see a list of scripts that people have written to help NMAP look for specific vulnerabilities. Download smb-vuln-ms17-010 and follow the directions in the script on how to run it – it is really easy and you can point it at any machine. In a very short time you will know if the machine is vulnerable to the SMB bug.
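The cross-check described above can be scripted. The following is an added example, not code from this post or from the NMAP project: it parses saved NMAP output and lists hosts that the patching tool calls compliant but that the script reports as vulnerable, plus hosts the scan could not test. The sample output, the addresses and the "compliant" list are constructed, and it assumes the script prints no result block for a host where it finds nothing.

```python
import re

# Constructed, abbreviated sample of the output saved by
#   nmap -p445 --script smb-vuln-ms17-010 -oN scan.txt <targets>
SAMPLE_SCAN = """\
Nmap scan report for 192.0.2.10
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|_    State: VULNERABLE
Nmap scan report for pc7.example (192.0.2.11)
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Nmap scan report for 192.0.2.12
PORT    STATE    SERVICE
445/tcp filtered microsoft-ds
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?([0-9a-fA-F.:]+)\)?$")
PORT_RE = re.compile(r"^445/tcp\s+(\S+)")

def parse_scan(text):
    """Map each scanned IP to 'vulnerable', 'no-finding' or 'untested'."""
    results, host, in_script = {}, None, False
    for line in text.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            host, in_script = m.group(1), False
            results[host] = "untested"   # until port 445 is seen open
            continue
        if host is None:
            continue
        p = PORT_RE.match(line)
        if p and p.group(1) == "open":
            results[host] = "no-finding"
        elif "smb-vuln-ms17-010" in line:
            in_script = True
        elif in_script and re.search(r"State:\s+VULNERABLE\b", line):
            results[host] = "vulnerable"
    return results

def audit(patch_tool_compliant, scan):
    """Split hosts the patch tool calls compliant by what the scan saw."""
    gaps = sorted(h for h in patch_tool_compliant if scan.get(h) == "vulnerable")
    unverified = sorted(h for h in patch_tool_compliant
                        if scan.get(h, "untested") == "untested")
    return gaps, unverified
```

Hosts in the second list (port 445 filtered, or never scanned) are unknown rather than safe, so they need a follow-up check from a network position that can reach them.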

An alternative is a free (for now) scanner called Eternal Blues. It was written by Elad Erez, Director of Innovation at Imperva. Recently, I had an email conversation with Elad to help with some bugs and I did some testing for him to help the program. Eternal Blues can be found at http://omerez.com/eternalblues/ and it offers a simple GUI. Just enter a range of IP addresses (or just a single one) and the program will scan for SMB vulnerabilities.

In short, ransomware writers are getting trickier and their software is getting more sinister. As an IT Security professional, this is something that worries me especially after I talk with some of my clients. Fortunately, there are tools out there to help. Just because the patching tool does not report a patch is needed does not always mean there is no problem. Stay vigilant and we can diminish the risk.


Presenting to CiscoLive

I have been to many technical trade shows over the years and my favorite is CiscoLive. It offers some great sessions from the people that actually work with the products. Plus, you can get your technical questions answered (or at least discussed). But there was always one thing that I dreamed about and in 2017 I got to do it: be a presenter.

My first CiscoLive was in 2011 in Las Vegas and it was awesome. But one thing troubled me – I showed up Monday morning not knowing anything about what to expect. The following year, I went again but at least I knew some of what to expect, such as getting your badge on Sunday so you are not waiting in line Monday morning. I learned more each year and Cisco added more to the show.

A few years ago, a Cisco customer named Johnathon Davis (twitter: @subnetwork) had the great idea to have a welcome session for new attendees and he was able to get Cisco to back it. The first session was not well known and had probably less than 100 attendees. Last year’s session had more attendees and a few NetVets (including myself) showed up to help with any questions. It was in a hallway and used a portable sound system – I was in the back and could not hear a word that Johnathon said. I guess it got some good reviews because in 2017 Cisco really got behind it: Cisco’s Marketing and Communication department took over the planning and reached out to a couple more people to help. I was fortunate to be one of those people.

When I agreed to help, I thought they just wanted me to come answer any questions or help with some of the first timers. But my first discussion with that group was when they told me what I would be speaking about. Wait!! They want me to speak about different parts of the CiscoLive experience – what have I gotten myself into? Then, I realized that this could be an experience. Plus, I would get to be one of the people on stage – now I started to get excited.

I did a little research and, along with my own experiences, made some notes. I got the notes to fit on one piece of paper along with some cues for what I wanted to make sure to say. Normally, I am in shorts and t-shirts while attending but since I was speaking I had to bring pants, a nice shirt, and shoes this year. As we discussed, I arrived at the room early and I helped Johnathon and the Cisco team to survey the area. It was a big room and we were expecting over 1000 people. This year, they put lavalier microphones on us and had a sound system throughout the room. Plus, the Cisco team brought in beer, wine, and some snacks, although we were told that we would have to wait till after speaking to get a drink.

When the time came to speak there were about 1300 people in the room and it was standing room only in the back. The picture below is my selfie I did during the session. One of my topics was the social media hub and I thought it would be really cool to take a selfie while on stage and then send it to the Cisco Live Social Media team so they can post it on their board. It worked out pretty well and if you look close some of the front row attendees even got into it. When it was over, I felt really good about doing it and was even told that I may be back next year to do it again. One of the coolest parts was when attendees later in the week recognized me – it was definitely a cool celebrity moment for me.

 
