S3E4: "More Audits Than the IRS"

Posted
Modified
Comments 0

Navigation
Previous EpisodeNext Episode
Log
Recorded (UTC) Aired (UTC) Editor
2018-04-13 02:23:54 2018-04-22 20:33:48 "Edita"
Verification
Format SHA256 GPG Audio File
MP3 a7046035b029c9620dc1e0265ec11247422644a4fd00a6c13ed082ef522ca6e1 click click
OGG 3b38fac9c5416c504c01d16a16cf9a9b2ff0eec49dd9831e8a78fbefa0db73ac click click
Quicklisten:

In which we talk about conducting audits and why hardware vulns are such a big deal. We also mention a charity event we want to do at HOPE!

News

Notes

Starts at 36m25s.

I was drinking Jefferson’s Reserve bourbon. Paden was drinking water. Jthan was drinking the ‘Bout Damn Time IPA from Four Noses Brewing Company.

  • Paden passed the CompTIA LXO-103! He talks a bit about how he prepped for the exam.
  • Just why are the intel SME and amd vulns so bad if they require root/admin access to exploit? (40m25s)
    • Persistence. If you get a virus, you can just wipe a machine.
    • With a hardware-level vulnerability like these, wiping the OS won’t do anything since malignant code could have been injected into the hardware/firmware itself.
  • Conducting audits (43m28s)
    • Security audits
      • We recommend you hire an actual InfoSec firm to handle this (as we’ve talked about in the past) as they have specialized training (or have an in-house dedicated InfoSec team/department).
      • We talk more about providing (cursory) self-pentests in S0E6
      • For more in-depth discussion on incorporating infosec contractors/firms, you may want to check out S1E14 and S2E18.
    • Backups
      • The backup processes are completing properly.
      • The schedule should be correct.
      • All hosts that SHOULD be backed up ARE being backed up.
      • A backup isn’t a backup if you can’t restore from it. “An untested backup system is not a backup system.” Avoid the “Schrödinger Backup”.
    • Inventory
      • Nmap is useful for comparing network points.
      • Make sure your asset tags, etc. are up to date, your hardware components are properly updated, etc. (dmidecode and python’s psutil and dmidecode module (dead?) are very valuable tools for this).
    • Access
      • MySQL users are username and host-specific, your GRANT statements are up to date.
      • Shell users are appropriately locked/unlocked, octal modes and ownership on files are correct, etc. (mtree is incredibly useful for this. I recommend NetBSD’s mtree. Building example for Linux can be found here.)
      • SUID/GUID are locked down.
      • SSH is locked down.
      • VPN access is revoked for employees or contractors no longer in service.
      • LDAP/other centralized authentication/authorization mechanisms immediately make so much of this easier.

Sysbadministration Award

In this segment, we highlight system administration mistakes. Think of them as the IT equivalent of the Darwin Awards. (55m30s)

T-Mobile responds to a security risk completely flippantly.

Errata

Music

Music Credits
Track Title Artist Link Copyright/License
Intro amusement park. Ryan Little click CC-BY-SA 4.0
Outro Coastin' Defy the Mall click CC-BY-SA 4.0
(All music is royalty-free, properly licensed for use, used under fair use, or public domain.)

Author
Categories

Comments

There are currently no comments on this article.

Comment...

Enter your comment below. Fields marked * are required. You must preview your comment before submitting it.