How is your security awareness training?

You read about new threats every day. New malware is being discovered, new exploits are being developed and your security is constantly under attack. Sometimes it does seem futile, but there is one key factor that decides whether you stay safe or not. That key factor is your users, as they can be your best friend or your worst enemy from a security perspective.

As attacks become more and more advanced, your technical security solutions will not be able to keep up. Hackers are almost always at least one and probably a few steps ahead of you, no matter how hard you try to stay current. So, by showing your users how to stay safe, you can probably shift the outcome of the battle a bit. This is because a lot of today's attacks involve user interaction: they need the user to do something. Whether it is clicking a link or plugging in a USB stick they found in the parking lot, their action might make all the difference. If your users see a stranger lurking around, do they care or not? Do they care if a person tailgates? Do they know not to assume that all emails come with good intentions? Do they pick up that USB stick and plug it in or not? Do they act without thinking because they trust all that security technology that you as the security administrator have implemented? If they do, then you have missed something, namely training your users to remain vigilant.

It does not really matter what kind of company or organization you work for, security awareness training is important. The only problem is that most security awareness training I have witnessed is plain stupid and misleading, even trying to strike a bit of fear into users if they do something wrong. The last bit really annoyed me, as you need your users to trust you, not fear you. It is OK to do something wrong, but I want them to come forward with it. Then you have a chance to correct it, otherwise you are in the dark.

Security awareness training is something that I think should be taught live, not using e-learning where users simply read a slide and answer a question, then another slide and another question. It does not provide the kind of feedback that a live meeting with an ongoing discussion can provide. Also, when listening to and interacting with a person one can really see users' reactions to different statements and discussed topics. Provide examples and perhaps demonstrate a hacking tool or two just to let them see how it is done in the real world. In my opinion, nothing beats a live show, and I think we can all agree that security awareness is very much needed, so why not aim to make security awareness training an awesome event. I know I intend to.

Problems migrating from Windows XP to Windows 7 using MDT 2013 and ADK 8.1

Are you using MDT 2013 with ADK 8.1 to try and migrate Windows XP to Windows 7? Then chances are that you have experienced a problem with the bootsect program or the presence of the bootmgr file.

The bootmgr file in C:\ should not exist on Windows XP, and MDT will try to use it if it exists. MDT creates this file once you try to deploy your MDT task sequence and that's OK, but it should not exist prior to running your MDT task sequence.

Second, the bootsect program from ADK 8.1, located in your deployment share folder under tools\<architecture>\, can produce the wonderful error message on your Windows XP machine saying that it is not a valid Win32 application. Unfortunately, this is true, and Windows XP will therefore be unable to use it to set the boot sector so that the machine you wish to deploy boots into your Windows PE installation from MDT.

The only solution I have found for this error is to use the bootsect program from the Windows ADK version 8 instead of 8.1. Install the PE environment and Deployment Tools from version 8 (on a separate machine from your MDT host) and extract the bootsect programs for both x86 and x64, and replace your 8.1 versions (on your MDT host) with the ones from version 8. Do back up the 8.1 bootsect programs first though.

If you simply want to test it, replace the bootsect programs in your deployment share under tools\<architecture>\ and try your task sequence again. The reason for replacing the files in the ADK 8.1 install directory is because MDT will use those bootsect programs every time you update (regenerate) your deployment share. If you have not replaced the files, it will use the 8.1 version and your task sequence will once again fail.
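The two-step replacement described above (deployment share first for a quick test, then the ADK 8.1 install directory so the fix survives a deployment share update) as a PowerShell script. This is an added example, not part of the original post: the ADK install path, the deployment share path, the `BCDBoot` subfolder and the folder where the ADK 8 copies were extracted are all assumptions for a default layout, so adjust them before running.

```powershell
# Added example: back up the ADK 8.1 bootsect.exe copies and replace them with
# the ADK 8 versions, in both the ADK 8.1 install directory (used when MDT
# regenerates the deployment share) and the deployment share itself.
# All paths are assumptions for a default install. Run from an elevated prompt.

# Where bootsect.exe from the ADK 8 install was copied to on the MDT host
# (assumed layout: .\x86\bootsect.exe and .\amd64\bootsect.exe)
$Adk8Source  = 'C:\Temp\ADK8-bootsect'
# ADK 8.1 Deployment Tools directory on the MDT host (assumed default path)
$Adk81Tools  = 'C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\Deployment Tools'
# Deployment share root (assumed)
$DeployShare = 'D:\DeploymentShare'

# ADK uses x86/amd64 folder names, the deployment share uses Tools\x86 and Tools\x64
$ArchMap = @{ 'x86' = 'x86'; 'amd64' = 'x64' }
$Stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'

foreach ($adkArch in $ArchMap.Keys) {
    $source = Join-Path $Adk8Source "$adkArch\bootsect.exe"
    if (-not (Test-Path $source)) { throw "ADK 8 bootsect.exe not found: $source" }

    $targets = @(
        (Join-Path $Adk81Tools  "$adkArch\BCDBoot\bootsect.exe"),
        (Join-Path $DeployShare "Tools\$($ArchMap[$adkArch])\bootsect.exe")
    )
    foreach ($target in $targets) {
        if (Test-Path $target) {
            # Keep the 8.1 version next to the original so it can be restored later
            Copy-Item -Path $target -Destination "$target.adk81-$Stamp.bak" -Force
        }
        Copy-Item -Path $source -Destination $target -Force
        # Show what is now in place; the ADK 8 and 8.1 binaries carry different file versions
        Get-Item $target |
            Select-Object FullName, @{ n = 'FileVersion'; e = { $_.VersionInfo.FileVersion } }
    }
}
```

After the ADK copies are replaced, update (regenerate) the deployment share once from the Deployment Workbench and confirm that Tools\x86 and Tools\x64 still hold the version 8 binary; if they do not, the ADK-side path in the script does not match your install.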

Some mention using different Windows PE versions, but for me it works with version 5 from HP, since I deploy HP machines.

Happy deploying!

Password complexity in Active Directory

Password complexity in Active Directory is something you either switch on or off for your entire domain, right? That is right, but it does not mean that you have to enforce password complexity for all of your users. Instead you can use fine-grained password policies to map certain password requirements to different users or groups. This kind of policy cannot be linked to an OU as a GPO can; it is mapped directly to users or global security groups.

This was introduced in Windows 2008 and is a great way of managing different password requirements for different user groups. It will not let you configure what complexity actually means but there are various other options that you can configure, such as number of login attempts, password length, lockout period and more.

In Windows 2012 a new tool called Active Directory Administrative Center was introduced, and this tool contains a GUI for configuring fine-grained password policies. Managing fine-grained password policies was previously done using either PowerShell or ADSI Edit. Now it can be done with a GUI, which makes it easier for you as an administrator.
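The PowerShell route mentioned above, as an added example that is not part of the original post: it creates one fine-grained password policy with the ActiveDirectory module, applies it to a global security group (since a PSO cannot be linked to an OU), and then checks which policy actually wins for a member. The policy name, the group name and the test user are made up for this example; the group must already exist.

```powershell
# Added example: create and apply a fine-grained password policy (PSO).
# Requires the RSAT ActiveDirectory module and a 2008-or-later domain functional level.
Import-Module ActiveDirectory

$PolicyName = 'PSO-ServiceDesk'    # assumed policy name
$GroupName  = 'ServiceDesk-Staff'  # assumed existing global security group

# Lower Precedence wins when a user is covered by more than one PSO.
# Complexity itself is still the built-in rule; what you get to tune is
# length, history, age and lockout behaviour.
New-ADFineGrainedPasswordPolicy -Name $PolicyName `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 14 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 180) `
    -LockoutThreshold 10 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# PSOs are applied to users or global security groups, never to OUs
Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $GroupName

# Verify the resultant policy for a member of the group (assumed user name);
# if nothing is returned, the user falls back to the domain-wide policy
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, LockoutThreshold
```

Checking the resultant policy is the step worth keeping in any change procedure: a user in several groups may be covered by a PSO you did not expect, and only the precedence order decides which one applies.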

Password complexity prevents some of the worst passwords from being used, but it still allows a password such as P@ssw0rd as a valid complex password. Whether password complexity helps depends on two things: making sure your users know how to construct a good complex password, and making sure they can remember it. If those conditions are not met, your users will most likely choose poor complex passwords or write them down. Either way, password complexity becomes quite useless and in the worst case gives you a false sense of security.
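To make the P@ssw0rd point concrete, here is the built-in Windows complexity rule written out as a PowerShell function. It is an added example, not code from the original post or from Microsoft: it implements the documented rule (at least six characters, not containing the account name or any part of the full name longer than two characters, and characters from three of the four ASCII categories; the fifth Unicode category is left out for brevity). The sample account name and display name are constructed.

```powershell
function Test-ADPasswordComplexity {
    # Added example: the "Password must meet complexity requirements" rule.
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$SamAccountName = '',
        [string]$DisplayName = ''
    )
    # Rule 1: at least six characters
    if ($Password.Length -lt 6) { return $false }

    # Rule 2: must not contain the account name (case-insensitive, -match is
    # case-insensitive by default) or any display-name token of 3+ characters
    if ($SamAccountName -and $Password -match [regex]::Escape($SamAccountName)) { return $false }
    foreach ($token in ($DisplayName -split '[,\.\-_ #\t]+')) {
        if ($token.Length -ge 3 -and $Password -match [regex]::Escape($token)) { return $false }
    }

    # Rule 3: at least three of the four categories (-cmatch is case-sensitive)
    $categories = @(
        ($Password -cmatch '[A-Z]'),
        ($Password -cmatch '[a-z]'),
        ($Password -match  '[0-9]'),
        ($Password -match  '[^A-Za-z0-9]')
    )
    $hits = @($categories | Where-Object { $_ }).Count
    return ($hits -ge 3)
}

# Constructed sample: a weak "complex" password passes, a long lowercase
# passphrase fails, and a password containing the display name fails.
'P@ssw0rd', 'Summer2014!', 'correcthorsebatterystaple', 'JohnDoe2014!' | ForEach-Object {
    [pscustomobject]@{
        Password         = $_
        PassesComplexity = Test-ADPasswordComplexity -Password $_ `
                               -SamAccountName 'jdoe' -DisplayName 'John Doe'
    }
}
```

The table this prints is the whole argument: the rule is a character-class filter, not a strength measure. Minimum length is a separate policy setting, which is why a fine-grained policy that raises MinPasswordLength does more for you than complexity alone.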

Read more about Microsoft's view on password complexity as well as how to implement fine-grained password policies the Windows 2008 way, or the 2012 way.

Trusting encryption technology

Whatever encryption technology you use, I assume you use it because you trust it? Perhaps you only use it because it was available, or it was easy to install, configure or use? Whatever the case may be, relying on a piece of technology you are not able to fully understand can be a bit scary. Myself, I use different encryption technologies, such as Mac OS X disk encryption, Microsoft disk encryption and others, but can I trust them?

In a way, I really have no choice but to trust them if I decide to use them, but if I do feel a bit concerned, I can add additional levels of protection. I am quite sure that both Apple and Microsoft provide disk encryption that is resilient to attack, depending on my password or pass-phrase of course. What many users don't seem to understand is how the password or pass-phrase makes disk encryption either good or virtually useless.

Every password or pass-phrase can be brute forced, basically guessed until you find the correct password or pass-phrase. Depending on the quality of your chosen password or pass-phrase, the disk encryption you have implemented might not protect your data. If you enable BitLocker in Windows and choose a poor password, an attacker will be able to decrypt your data. If you have chosen a good password, an attacker faces an impossible task of guessing the correct password. The debate about what makes a good password is ongoing, but I will say this: using dictionary words or abbreviations of those words is probably a bad idea. A good password is based on random characters, and the other key factor is length. The longer the password is, the harder it will be to guess, if it is based on random characters.
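The "random characters plus length" argument carried through to numbers, as an added example that is not part of the original post. The function estimates the expected guessing effort two ways: assuming the password is truly random over the character classes it uses, and assuming it is a dictionary word with common substitutions. The guess rate, dictionary size and mutation count are assumed figures for illustration only; real rates against disk encryption are much lower because products such as BitLocker stretch the password through a slow key derivation, but the relative gap between the two models is what matters.

```powershell
function Get-GuessEstimate {
    # Added example: expected brute-force effort under two attacker models.
    param(
        [Parameter(Mandatory)][string]$Password,
        # Assumed guesses per second; pick a figure that matches your threat model
        [double]$GuessesPerSecond = 1e9,
        # Model the password as a dictionary word plus substitutions instead of random characters
        [switch]$DictionaryBased,
        [int]$DictionarySize = 200000,   # assumed word list size
        [int]$MutationsPerWord = 1000    # assumed leet/suffix/case variants per word
    )
    if ($DictionaryBased) {
        $bits  = [math]::Log($DictionarySize * [double]$MutationsPerWord, 2)
        $model = 'dictionary word + mutations'
    } else {
        # Alphabet size is inferred from the character classes actually present
        $alphabet = 0
        if ($Password -cmatch '[a-z]')       { $alphabet += 26 }
        if ($Password -cmatch '[A-Z]')       { $alphabet += 26 }
        if ($Password -match  '[0-9]')       { $alphabet += 10 }
        if ($Password -match  '[^A-Za-z0-9]') { $alphabet += 33 }  # printable ASCII symbols
        $bits  = $Password.Length * [math]::Log($alphabet, 2)
        $model = "random over $alphabet characters"
    }
    # On average half the keyspace is searched before the right guess is reached
    $seconds = [math]::Pow(2, $bits - 1) / $GuessesPerSecond
    [pscustomobject]@{
        Password = $Password
        Model    = $model
        Bits     = [math]::Round($bits, 1)
        Years    = '{0:E2}' -f ($seconds / 31557600)
    }
}

# Constructed samples: the same 8-character password looks very different
# depending on whether it is really random or a mutated dictionary word.
Get-GuessEstimate -Password 'P@ssw0rd'
Get-GuessEstimate -Password 'P@ssw0rd' -DictionaryBased
# 16 random characters from all four classes
Get-GuessEstimate -Password 'k7$Qm2!vLx9#Rz4p'
# A longer pass-phrase of random lowercase letters beats a short mixed one
Get-GuessEstimate -Password 'qzmwxbtvlrkpnhgdfyas'
```

Under these assumptions P@ssw0rd comes out at roughly 53 bits if you believe it is random and under 28 bits once you treat it as the dictionary word it is; the 16-character random password is around 105 bits. Length only buys you that margin when the characters are actually random, which is the point the text makes.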

So, adding additional layers of security, how can this be done?

Personally, I add layers of encryption to sensitive material, which of course adds to the complexity of managing the information, but I feel that it is worth the extra effort to make absolutely sure that no one other than authorized people can access the data. One way to do this is to start with the hardware, for example a USB drive. There are USB drives that come with hardware encryption. Second, use operating system encryption such as BitLocker on the device, and as a last step, add a software encryption container on the device itself. That makes three layers of encryption, which will make it very hard for any attacker to gain access to the data. If you also make sure to use three different random and quite long passwords for the different layers of encryption, I think you can feel that your data is pretty safe. Is it hard to manage a solution like this as an ordinary user? I would say not so hard that it is not worth doing. Entering a PIN on the hardware device before plugging it into the computer is step 1, entering the BitLocker password is step 2 and finally mounting the encrypted container is step 3. It is not as hard or as difficult as it may sound. Give it a try, you might like it enough to start using it to protect your sensitive data.

WPScan tool

If you are like me and use the WordPress CMS, you should take a look at the WPScan tool. It is included by default in Kali Linux and is a tool I have started to use to check the security of my own blog. Today I noticed something most of us are not too happy to see, but are usually glad we are able to find out about. As for me, I have not enabled Edge Mode, but I would like to see a patch for the W3 Total Cache plugin nevertheless. Below is a screenshot from my WPScan run against this blog.