Monday, August 30, 2021

Building High Performance Teams (3 X 3 Framework)

 


When we talk about building high performance teams, the discussion always revolves around these five key characteristics: Trust, Clear Communication, Defined Roles and Responsibilities, Engaged Leadership and Collective Goals.

Trust
This is the key factor that differentiates a high performing team from an average one. With trust, team members are more comfortable taking risks and working through challenges and conflicts positively.

Clear Communication

High performing teams find ways to streamline and optimise communication. They know when to call, when to IM, when to email or even when to pop by your desk. They may also use technology to stay organised and track progress.

Defined Roles and Responsibilities
Clearly defined roles and responsibilities eliminate confusion. When team members know their roles and responsibilities well, conflicts are prevented and productivity is maximised.

Engaged Leadership
Being engaged is not micro-managing. It is about providing direction and full support to help the team succeed. An engaged leader provides a positive working environment through regular communication and by building trust and respect within the team.

Collective Goals
Even though each team member has their own responsibilities, they are all collectively working towards one main goal and contribute to the overall success. Members of high performing teams step in to help each other to ensure all goals are met.

3 X 3 Framework

Recently, I came across an interesting idea on building high performing teams. It changed my understanding of how goals and roles should be defined and what a high performing team should look like.

It uses a 3 x 3 framework. There are three foundations that a team needs to have in place: Goals, Roles and Norms. Then there are three elements of ongoing reflection and change to maintain peak performance: Commit, Check and Close.

Goals
This is the main direction for the team: getting agreement on where the project goes and what it should accomplish. Importantly, each team member should have a personal "what's in it for me" connection to the goal.

Roles
Being clear about who is doing which specific activities and how these tasks overlap. In a real team, there should be overlap of tasks. If there are only parallel activities, we only get a "co-acting group", not a team.

Norms
Norms are ground rules in areas such as information sharing, decision making and conflict resolution. Other common norms, such as respecting each other and avoiding hidden agendas, are also important.

The three ongoing steps:
Commit - Have good conversations with the team. Get the team to commit to the explicit goals, roles and norms.

Check - In our day-to-day work across multiple teams and/or projects there are too many distractions; we tend to lose focus and slowly drift from the goals, roles and norms. Check in from time to time and revisit the committed goals, roles and norms.

Close - As we revisit the goals and commitments, we may find misalignment within the team. We then work to close the gap, taking small steps on targeted and specific changes.

Some advice for a high performing team:
- Have good conversations within the team.
- Focus on a few things rather than a lot of things; teams get overwhelmed.
- Pay attention to what is going on in the team.

Common problems:
- Relying too much on one person.
- Focusing too much on a plan without thinking about the execution and organising people around that plan.
- Not paying enough attention to individual roles.

Finally, the leader of a high performing team should create a "Psychological Safety" environment, in which members feel "safe" to share their thoughts and are able to be creative. To create this environment, you need to build trust in the team, have good one-on-one conversations, be a good listener and show empathy, showing that you care.


Related Articles:
- Forbes: 5 Key Characteristics Of High Performing Teams 
- Forbes: 'Committed Teams' Captures Spirit Of Wharton Teamwork Lab



Saturday, August 21, 2021

How to be a CISO?

Having been a Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM) for more than 10 years, I have been wondering recently about the qualities of a Chief Information Security Officer (CISO).

There are many aspects of and views on how to be a CISO. EC-Council, one of the leading IT security training and certification organisations, provides a training and certification program called the Certified Chief Information Security Officer (C|CISO). It is based on the EC-Council CCISO Body of Knowledge, which covers five Information Security Management Domains:
  • Governance and Risk Management 
  • Information Security Controls, Compliance and Audit Management 
  • Security Program Management and Operations 
  • Information Security Core Competencies 
  • Strategic Planning, Finance, Procurement and Vendor Management
(ISC)2, on the other hand, seems to have a more interesting view. They have the idea of a CISO Mind Map, which contains seven phases.

It starts off with the Architecture, the Framework, the Risk Assessments and the Governance. Then the Threat Intelligence and Vulnerability Assessments feed into the Security Operations, and finally there is continuing Education.

Architecture
It is the foundation for the CISO. He has to make sure he understands the enterprise information architecture: how the network has been designed (e.g. where the DMZ is, and whether the firewalls and controls are placed correctly). He has to make sure every part of the architecture fits well and is defensible.

Framework
Frameworks are useful in designing the architecture. There are many different types of framework, from ISO to NIST. Each framework serves a specific purpose, guiding and protecting your infrastructure. The CISO needs to find the right frameworks that fit the architecture in place.

Risk Assessments and Governance
The CISO will be identifying risks and eliminating or mitigating them, together with the Governance Committee. Based on the architecture, the frameworks, the control objectives and the results of the risk assessments, the CISO needs to present a clear picture to the Governance Committee of how secure they are.

Threat Intelligence and Vulnerability Assessments
Threat intelligence is constantly fed in from multiple sources. Vulnerability assessments take those threats and determine whether they are really a problem. The CISO needs to take the threat intelligence and the vulnerability assessments, assess the risk and come to a conclusion.

Security Operations
The CISO needs a thorough business impact analysis. The foundation of that is to make sure business continuity and disaster recovery are well taken care of. Security Operations also includes managing critical systems based on their threat intelligence and vulnerability assessments.

Education
The CISO needs to present the education budget. He needs to show that education is not optional, and highlight why his team needs certain courses, why these certifications are important and why constant training is required.



Sunday, November 8, 2020

What is Attack Surface Management?

The attack surface is all possible security risk exposures, especially all internet-accessible external assets that an adversary could discover and use to gain a foothold in your environment.

Attack Surface Management (ASM) is an emerging category of solutions that use an external attacker's perspective to help organizations better manage these types of risk exposure.

These include:

  • Continuous discovery and Inventory of unknown assets (Cloud and shadow IT)
  • Classification and Prioritization of risk and vulnerabilities 
  • Continuous monitoring of assets and Threat Intelligence 

Is ASM Asset Management? Or is it Vulnerability Management?
It is actually more of a Risk Management function, with the following use cases.

  • Identifying and visualizing external gaps
  • Discovering of unknown assets
  • Attack Surface risk management
  • Risk-based vulnerability prioritization
  • Assessing Mergers and Acquisitions (M&A), and subsidiary risk

Evaluating Attack Surface Management
SANS recently released a guide on evaluating ASM solutions. The guide discusses two major groups of requirements: Product and Operational requirements.

Product requirements
  • Automated Discovery - An advanced algorithm capable of building a map of assets with minimal input and limited false positives.
  • Continuous Monitoring - Ability to detect change by frequently scanning the attack surface. When an asset is removed, the ASM solution should maintain the information in the database for historical purposes.
  • Risk Based Management - Create and maintain a risk score for each asset that combines the ASM provider’s external threat assessment with user provided information on relative business value, impact and remediation status.

Operational requirements
  • Alerting - Ability to monitor and alert on changes.
  • Enterprise Management - ASM solutions should include basic enterprise management capabilities that enable large teams and organizations to operationalize the solution.
  • Interoperability & Integrations - Supports third party integrations and custom development using a provided API.
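As an added example (not from the original post, the SANS guide or any ASM product), the following Python sketches how the three product requirements fit together: a discovery scan is diffed against the inventory, assets that disappear are kept with a removal date rather than deleted, and each active asset gets a risk score that combines the provider's external severity with the user-supplied business value and remediation status. The host names, severities and scoring weights are constructed assumptions for illustration.

```python
"""Toy attack-surface inventory: discovery diff, history retention and risk scoring.

Added example (not from the original post, the SANS guide or any ASM product).
The hosts, severities and weights below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Asset:
    host: str
    external_severity: float            # provider's external threat assessment, 0-10 (constructed)
    business_value: int = 1             # user-supplied, 1 (low) .. 5 (critical)
    remediation_status: str = "open"    # user-supplied: open | in_progress | fixed
    first_seen: Optional[date] = None
    last_seen: Optional[date] = None
    removed_on: Optional[date] = None   # set instead of deleting, so history survives
    history: List[str] = field(default_factory=list)


def risk_score(asset: Asset) -> float:
    """Combine external severity with business value and remediation status.

    The weighting (severity x business value, discounted by remediation
    progress) is an assumption of this example, not a standard formula.
    """
    discount = {"open": 1.0, "in_progress": 0.5, "fixed": 0.0}[asset.remediation_status]
    return round(asset.external_severity * asset.business_value * discount, 1)


def apply_scan(inventory: Dict[str, Asset], scan: Dict[str, float],
               today: date) -> Dict[str, List[str]]:
    """Merge one discovery scan (host -> severity) into the inventory.

    Returns the change events so they can be alerted on: new hosts, hosts
    that disappeared (kept, marked removed), hosts that came back, and
    severity changes.
    """
    events: Dict[str, List[str]] = {"new": [], "removed": [], "revived": [], "changed": []}
    for host, severity in scan.items():
        asset = inventory.get(host)
        if asset is None:
            inventory[host] = Asset(host, severity, first_seen=today, last_seen=today,
                                    history=[f"{today} discovered"])
            events["new"].append(host)
            continue
        if asset.removed_on is not None:
            asset.removed_on = None
            asset.history.append(f"{today} reappeared")
            events["revived"].append(host)
        if severity != asset.external_severity:
            asset.history.append(f"{today} severity {asset.external_severity} -> {severity}")
            asset.external_severity = severity
            events["changed"].append(host)
        asset.last_seen = today
    for host, asset in inventory.items():
        if host not in scan and asset.removed_on is None:
            asset.removed_on = today
            asset.history.append(f"{today} not seen in scan")
            events["removed"].append(host)
    return events


def prioritized(inventory: Dict[str, Asset]) -> List[Tuple[str, float]]:
    """Active (not removed) assets ordered by risk score, highest first."""
    active = [a for a in inventory.values() if a.removed_on is None]
    return sorted(((a.host, risk_score(a)) for a in active), key=lambda t: (-t[1], t[0]))


def demo() -> Tuple[Dict[str, Asset], Dict[str, List[str]]]:
    """Two constructed scans a day apart: one asset vanishes, a shadow-IT host appears."""
    inventory: Dict[str, Asset] = {}
    apply_scan(inventory, {"vpn.example.test": 7.0, "old-crm.example.test": 9.0}, date(2020, 11, 1))
    inventory["vpn.example.test"].business_value = 5        # analyst classification
    inventory["old-crm.example.test"].business_value = 2
    events = apply_scan(inventory, {"vpn.example.test": 7.0, "files.example.test": 4.0},
                        date(2020, 11, 2))
    return inventory, events


if __name__ == "__main__":
    inv, ev = demo()
    print("events:", ev)
    for host, score in prioritized(inv):
        print(f"{score:5.1f}  {host}")
    print("history of old-crm:", inv["old-crm.example.test"].history)
```

The removed asset stays in the inventory with its timeline, which is what the "historical purposes" requirement asks for, while prioritized() only ranks what is still exposed.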


Tuesday, August 9, 2016

Trane ComfortLink XL850 thermostats running firmware version 3.1 or lower are vulnerable to information disclosure and remote access due to a weak authentication mechanism and hardcoded credentials. The device uses a custom protocol and a predictable port number to administer remote access to virtually all of the device's functions. When you combine hardcoded credentials with a network-accessible port, you have a device ripe for attack from the network, or even from the Internet if the thermostat is exposed through the router.

Once an attacker has gained access, they can quickly extract all information from the device, including the home heating and cooling schedule, current operation mode, current temperature, chat and alarm history, serial number, active socket connections, trusted URLs, secret IDs, software version info and detailed address and installer information. This allows attackers to perform a number of dangerous operations, including forcing the device to maintain the maximum heating setting or disabling the device continuously, thereby overriding user input. Attackers can also remove and create trusted server connections, permanently disconnecting the device from the corporate command and control servers.

Below is the exploit that affects the device. The "Get Connected" banner at the top of the screen is a marketing prompt indicating that the device is not enrolled in any remote services or special features.


Tuesday, June 7, 2016

Hacking of Facebook Messenger

Recently Check Point disclosed a vulnerability in Facebook Messenger that allows an attacker to change a conversation thread in Facebook Messenger.

A hacker can manipulate the message history of a conversation to claim he had reached a falsified agreement with the victim, or simply change its terms.

Hackers can tamper with, alter or hide important information in Facebook chat communications, which can have legal repercussions. These chats can be admitted as evidence in legal investigations, and this vulnerability opened the door for an attacker to hide evidence of a crime or even incriminate an innocent person.

This vulnerability can also be used for malware distribution. An attacker can change a legitimate link or file into a malicious one and easily persuade the user to open it. The attacker can later use this method to update the link to contain the latest C&C address.

Below is the demo of the hack.



Monday, June 6, 2016

Hijack and Impersonate Whatsapp account

Attackers are able to hijack a WhatsApp account and impersonate the legitimate user.
How do they do it? There is actually a vulnerability in Signaling System 7 (SS7), a global network of carriers that acts as a central hub connecting the world. The attack is done by tricking the telecom network into believing the attacker's phone has the same number as the target's.

The attacker would then create a new WhatsApp account and receive the secret code that authenticates their phone as the legitimate account holder. Once complete, the attacker controls the account, including the ability to send and receive messages.

Below is a demo of the attack.



You can find my previous post on extracting messages from Whatsapp in "Can you extract message and photo from Whatsapp?"

Saturday, June 4, 2016

Hacking of LG handphone


Check Point disclosed today, at the LayerOne 2016 conference in Los Angeles, two vulnerabilities (CVE-2016-3117, CVE-2016-2035) which can be used to elevate privileges on LG mobile devices and to attack them remotely.

The first vulnerability allows a malicious app installed on an LG device to abuse the lack of bind permissions in an LG service and elevate its privileges, allowing additional control of the device.
The second vulnerability allows a remote attacker to delete or modify SMS messages received on a device. An attacker could use it to conduct credential theft or to fool a user into installing a malicious app: the attacker could modify a user's unread SMS messages and add a malicious URL to redirect the user to download a malicious app, or to a fake overlay to steal credentials.

Steps to mitigate the risk of this attack:
- Verify any app installation request before accepting it, to make sure it is legitimate.
- Use a personal mobile security solution that monitors your device for any malicious behavior.
- Look out for LG's latest update on these vulnerabilities and patch immediately.

Below is the video demo of the remote attack.

For more details of these vulnerabilities, visit "OEMs Have Flaws Too: Exposing Two New LG Vulnerabilities"
http://blog.checkpoint.com/2016/05/29/oems-have-flaws-too-exposing-two-new-lg-vulnerabilities/ 


Saturday, December 20, 2014

Misfortune Cookies Vulnerability

While everybody was focusing on the Sony hacking incident, a vulnerability affecting over 12 million Internet routers located in 189 countries across the globe was announced. At least 200 different models are vulnerable, from vendors such as ASUS, D-Link, Edimax, Huawei, TP-Link, ZTE and ZyXEL.

This vulnerability, discovered by researchers from Check Point's Malware and Vulnerability Research Group, was named the "Misfortune Cookie" vulnerability. It is exploitable due to an error in the HTTP cookie management mechanism of the affected software, which allows an attacker to determine the 'fortune' (critical information) of a request by manipulating cookies. Attackers can send specially crafted HTTP cookies that exploit the vulnerability to corrupt memory and alter the application state, tricking the device's web server into treating the current session as having administrative privileges.

The actual vulnerability lies in the embedded web server software, RomPager from AllegroSoft. Devices running RomPager versions before 4.34 are vulnerable.

So what can an attacker do by exploiting this vulnerability? With administrative access to your device, an attacker could take control of your wired and/or wireless network infrastructure. Depending on your gateway device, there may be a risk of Man-in-the-Middle attacks, a possible attack vector for LAN-side vulnerabilities, and the ability for the attacker to extract useful information from your devices' network connections.

Information extracted from your network also sets the stage for further attacks, such as installing malware on devices and making permanent configuration changes that bypass gateway protections such as the firewall or network isolation of your local network.

Since this is one of the most widespread vulnerabilities revealed in recent years, how can we mitigate it? There is actually a patch for the vulnerable software: AllegroSoft issued a fixed version to address this "Misfortune Cookie" vulnerability in 2005. It is advisable to check with the device vendor whether patched firmware is already available.

But there is the perennial problem of device vendors taking too long to patch their firmware. Even if a patch for the vulnerable software is available, they need to integrate it into their device firmware, test to make sure nothing breaks and then release it, which normally takes a long time.

Another mitigation to consider is deploying an Intrusion Prevention System (IPS) in front of your device. IPS signatures are available for this vulnerability (CVE-2014-9222 and CVE-2014-9223).

Reference:
Misfortune Cookie

Saturday, October 19, 2013

Information Leakage and Improper Error Handling

Information leakage and improper error handling used to be in the OWASP Top 10 in 2004 and 2007. Since 2010 they have been renamed "Security Misconfiguration", with a wider scope.

While doing my online shopping today, I accidentally triggered an SQL query timeout error. The error page revealed quite a lot of information, which can be useful for a programmer carrying out troubleshooting. But best of all, it also provides a hacker with information to carry out the next level of "attack" on the server.

The error page provides table information and file paths that help in launching SQL injection and XSS attacks.

The error page also shows the application the server is using and its version number. Based on this information, the Microsoft .NET Framework version is not the latest. It may contain critical vulnerabilities that allow elevation of privilege and remote code execution.


Planning to inform the site administrator of these issues. Nobody has hacked it yet.
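As an added example, not code from the shop in question, here is the leaky error-handling pattern beside a hardened one in Python. It uses no web framework (handlers return a status and a body), a constructed QueryTimeout exception stands in for the database driver's timeout, and the header names in strip_version_headers are the usual IIS/ASP.NET ones that carry stack and version information.

```python
"""Leaky vs hardened error handling for a web endpoint.

Added example, not from the original post or the site it describes. No web
framework is used: handlers return (status, body) tuples, and the database
timeout is a constructed exception so the code runs stand-alone.
"""
import logging
import traceback
import uuid

log = logging.getLogger("shop")


class QueryTimeout(Exception):
    """Constructed stand-in for a database driver's timeout error."""


def run_query(sql: str) -> list:
    """Constructed: always times out, like the query the post tripped over."""
    raise QueryTimeout(f"Timeout expired while executing: {sql}")


def leaky_handler(sql: str) -> tuple:
    """The 'before': the stack trace (file paths, query text, table names) goes to the browser."""
    try:
        return 200, run_query(sql)
    except Exception:
        return 500, traceback.format_exc()


def hardened_handler(sql: str) -> tuple:
    """The 'after': full detail goes to the server log under a reference id;
    the client only gets a generic message plus that id for support."""
    try:
        return 200, run_query(sql)
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.error("ref %s: unhandled error", ref, exc_info=True)
        return 500, f"Sorry, something went wrong. Reference: {ref}"


def strip_version_headers(headers: dict) -> dict:
    """Drop response headers that advertise the server stack and its version."""
    banned = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}
    return {k: v for k, v in headers.items() if k.lower() not in banned}


def response_leaks(body: str) -> bool:
    """Cheap check to run over responses in a test suite: does the body carry debug detail?"""
    markers = ("Traceback", 'File "', "line ", "Timeout expired", "SELECT ", "FROM ")
    return any(m in body for m in markers)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for handler in (leaky_handler, hardened_handler):
        status, body = handler("SELECT * FROM orders WHERE id = 42")
        print(f"{handler.__name__}: status={status} leaks={response_leaks(body)}")
        print(body)
```

The reference id is what makes the generic page workable in practice: support can find the full trace in the server log without any of it reaching the client, and response_leaks() is the kind of assertion a test suite can run against every error path.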


Thursday, October 25, 2012

IPv6 InSecurity. Is your company ready for IPv6?

Everybody is announcing that IPv4 addresses are running out. Countries and major IT companies (such as Google) are encouraging others to move to IPv6. IPv6 has always been portrayed as more secure than IPv4.

But in a recent talk on "IPv6 Insecurity" at HITB, van Hauser shared that there has been huge growth in the number of IPv6-related vulnerabilities found in recent years, several times more than for IPv4.

So is IPv6 mature and stable enough? Do you think companies are ready for the change to IPv6? Should we be encouraging our companies to make the change now? These are the questions I think we need to ask ourselves as security professionals.

Besides worrying about the readiness of IPv6, van Hauser also highlighted how important it is for companies (even those in pure IPv4 environments) to be aware of and understand the threats from IPv6. Desktop and network devices these days may already support IPv6, and it may be enabled by default. Attackers may use these "channels" to target companies in IPv4 environments and bypass network protection (e.g. IPS) that is not IPv6 aware.
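As an added example (not from van Hauser's talk or the original post), the following Python classifies raw Ethernet frames and flags IPv6 traffic, and ICMPv6 Router Advertisements in particular, on a segment that is supposed to be IPv4 only; that is the traffic an IPv4-only IPS never inspects. The frames are constructed inline with made-up MAC and link-local addresses; in use they would come from a capture on the segment being audited.

```python
"""Spotting IPv6 traffic, and Router Advertisements in particular, on a segment
that is supposed to be IPv4 only.

Added example; it is not from the HITB talk or the original post. The frames are
constructed byte strings (fake MACs and link-local addresses); in practice they
would come from a packet capture on the segment being audited.
"""
import struct
from typing import Dict, List, Tuple

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD
NEXT_HEADER_ICMPV6 = 58
ICMPV6_ROUTER_ADVERTISEMENT = 134


def classify_frame(frame: bytes) -> str:
    """Tag one Ethernet frame: 'ipv4', 'other', 'ipv6', or 'ipv6-ra'.

    An IPv4-only IPS never looks past the EtherType, so everything tagged
    'ipv6' is traffic it would not inspect; 'ipv6-ra' is an ICMPv6 Router
    Advertisement, which has no business on an IPv4-only segment.
    """
    if len(frame) < 14:
        return "other"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_IPV4:
        return "ipv4"
    if ethertype != ETHERTYPE_IPV6:
        return "other"
    ip6 = frame[14:]
    if len(ip6) < 40:            # truncated IPv6 header
        return "ipv6"
    next_header = ip6[6]         # byte 6 of the fixed 40-byte IPv6 header
    if next_header == NEXT_HEADER_ICMPV6 and len(ip6) > 40 and ip6[40] == ICMPV6_ROUTER_ADVERTISEMENT:
        return "ipv6-ra"
    return "ipv6"


def audit(frames: List[bytes]) -> Tuple[Dict[str, int], List[str]]:
    """Count frames by tag and return one alert line per Router Advertisement."""
    counts: Dict[str, int] = {}
    alerts: List[str] = []
    for i, frame in enumerate(frames):
        tag = classify_frame(frame)
        counts[tag] = counts.get(tag, 0) + 1
        if tag == "ipv6-ra":
            src_mac = frame[6:12].hex(":")
            alerts.append(f"frame {i}: IPv6 Router Advertisement from {src_mac} on an IPv4-only segment")
    return counts, alerts


# --- constructed sample frames -------------------------------------------------
def _ipv6_frame(next_header: int, payload: bytes) -> bytes:
    """Minimal Ethernet + IPv6 header around `payload` (addresses are constructed)."""
    eth = bytes.fromhex("333300000001") + bytes.fromhex("020000000001") + struct.pack("!H", ETHERTYPE_IPV6)
    ip6 = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 255)  # version 6, payload len, NH, hop limit
    ip6 += bytes.fromhex("fe800000000000000000000000000001")   # src fe80::1
    ip6 += bytes.fromhex("ff020000000000000000000000000001")   # dst ff02::1 (all nodes)
    return eth + ip6 + payload


# ICMPv6 RA: type 134, code 0, checksum (left 0 here), cur hop limit 64, flags, router lifetime 1800 s, ...
_RA_PAYLOAD = bytes([ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 0, 64, 0]) + struct.pack("!H", 1800) + bytes(8)
_UDP_PAYLOAD = bytes(8)   # an 8-byte UDP header, contents irrelevant here

SAMPLE_FRAMES = [
    bytes.fromhex("ffffffffffff" "020000000002") + struct.pack("!H", ETHERTYPE_IPV4) + bytes(20),  # plain IPv4
    bytes.fromhex("ffffffffffff" "020000000002") + struct.pack("!H", ETHERTYPE_ARP) + bytes(28),   # ARP
    _ipv6_frame(17, _UDP_PAYLOAD),                  # IPv6/UDP: invisible to an IPv4-only IPS
    _ipv6_frame(NEXT_HEADER_ICMPV6, _RA_PAYLOAD),   # Router Advertisement from a host, not the router
]

if __name__ == "__main__":
    counts, alerts = audit(SAMPLE_FRAMES)
    print(counts)
    for line in alerts:
        print("ALERT", line)
```

A real deployment would feed audit() from a capture and whitelist the MAC of the legitimate router (if any); on a segment that is meant to be IPv4 only, any non-zero 'ipv6' count is already worth a look.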

Related articles:
- HITB slides: Marc Heuse - IPv6 Insecurity Revolutions.pdf


Tuesday, October 16, 2012

HITB playing AC/DC concert

While waiting for the next speaker at the HITB (Hack In The Box) conference in Kuala Lumpur, the screen in the conference hall started to play the song "Thunderstruck" by AC/DC (shown in the video below).



The music video is actually part of the introduction to the presentation titled "Behind Enemy Lines" by Mikko Hypponen of F-Secure. His talk covers the various cyber "enemies" (types of hackers) and their motives. He also shared some of the ways to defend against these "enemies" and avoid being their target.

You can download the slides from the HITB website here.




Sunday, September 23, 2012

USB hacking obsolete?

With the Windows autorun feature disabled by default, are USB hacking methods such as pod slurping and trojanized flash drives no longer possible?

I recently wrote an article, "Pentesting with Teensy", for PenTest Magazine that describes how you can emulate a device as a HID (Human Interface Device) to inject attack code and execute commands on the system.

For those who have not read the article, I have made a short video to demonstrate how you can still carry out USB hacking using Teensy.

Besides using Teensy as a pentesting or hacking tool, it can also be useful for auditors to verify system hardening and configuration, with system commands pre-set into the device.

For more information about my article, refer to my previous post "Pentesting with Teensy".