Meet the Experts
Paula Januszkiewicz is CQURE’s CEO and a Microsoft Regional Director. She’s a top-notch penetration tester and award-winning speaker who has more MVP titles than there are Digimon movies.
You probably know IT security researcher, trainer, Michael Graffneter as the inventive creator of the Thycotic Weak Password Finder, but did you also know that this Digital Renaissance Man is the author of the DSInternals PowerShell Module?
Doctor Mike Jankowski-Lorek is a machine learning expert who rocks a pair of glasses better than Leonard Hofstadter and lectured at the Polish-Japanese Academy of IT in Warsaw.
In between picking up awards for his speaking sessions, long-term MVP Sami Laiho, aka Ransomware Blocker, teaches OS troubleshooting, management, and security.
6 Crucial Windows Security Skills
Azure Active Directory Security
This cloud-based identity and access management service will make surviving whatever 2021 throws at you much easier. It’s an easy-to-use tool that lets you manage and secure on-premises users via single sign-on and multi-factor authentication. Plus, you can use it to access external and internal resources like apps on a company’s corporate network. With Azure AD, IT Admins can ensure that the right people have the right access to the right resources, preventing a ton of cyber-attacks.
PKI and Infrastructure Configuration Mistakes
How many cyber-incidents have you read about this year that could have been avoided if the right configuration was used? Save yourself the embarrassment of letting malicious hackers into your system by learning what configuration mistakes to avoid.
Forensic Analysis and Data Log Extraction
Use on point forensic analysis to identify vulnerabilities and follow the steps of the hackers after the attack. If an attack does occur, log extraction skills will give you some of the intel you need to stop it happening again.
Advanced Malware Analysis
If you get attacked with malware, it’s vital you know what hit you! Make sure you are aware of the latest malware analysis techniques so you can determine the functionality, origin and potential impact of whatever worm, virus or Trojan attackers used.
Effective Whitelisting in 2020 (and Effective Code Execution Prevention)
Whitelisting (aka Allowlisting) is an effective code execution prevention that will block a lot of dodgy domains and suspect email addresses from troubling you in 2021.
Secure and Automated Infrastructure Management
However incredible your cybersecurity skills are, your time is limited. Let technology help you out by using it to secure and automate the management of your infrastructure. Embracing automation will allow you to benefit from early warning systems and unburden yourself from repetitive routine tasks that can be overlooked when things get busy. Ditch the digital paper-pushing now!
Technical Demos
In the first of four demos, Paula takes a deep dive into a drive-by download vulnerability that was detected in the 64-bit version of the web browser Chrome. Drive-by download attacks are notoriously difficult to spot because, while malware is being downloaded in the background, the compromised web page looks completely normal to the user. Paula examines the vulnerability from the perspective of the attacker who seeks to exploit it and looks at how potential victims can prevent this type of attack from occurring in the future.
Next, Michael discusses whether a world without passwords is possible and if so, how long it will take us to get there. After examining some of the security issues associated with the password, he looks at the advantages and disadvantages of viable alternatives including multi-factor authentication and smart cards. Michael then puts the standards FIDO2 and web authentication under the microscope and explores how security keys can offer faster and more secure authentication.
The third demo, given by Mike, reveals the intricacies of Public Key Infrastructure and examines how misconfigured PKI certificate templates can be used to bypass security and compromise your system. Learn how attackers can impersonate accounts on the network by requesting and receiving a specially crafted PKI certificate. It’s simpler than you might think!
Finally, Sami demonstrates how to protect environments in the future using allow(white)-listing, a feature that is available in several versions of Windows. Preceded by software restriction policies, allow-listing is still the top security recommendation for blocking malware. Sami demonstrates how to get the best out of Microsoft’s AppLocker and explores why you should be using this time-saving application allow-listing technology.
Below is a permanent link to CQURE’s entire collection of free downloadable CQ hacking tools, including the ones mentioned by the experts in their demos.
Get your questions answered
Although it is still not the end. Below you will viewer’s questions answered by the CQURE experts.
Check out how to become a security expert
Are there any courses that you have for newbies at security? Not so basics but for some kind in the middle?
Depending on the skills you want to improve, check out our courses created on our daily working experience and available on our website:
The Advanced Windows Security Course 2021
30-day Windows Security Crash Course
1 Day Forensics and Prevention Mastery Course (The New Reality Edition)
1 Day to Maintain Stealth Communication Mastery” — a NEW Cybersecurity Crash Course by Tom Nowakowski
CQURE Academy’s Open Virtual Classes – Autumn 2020 Edition
What advice would you give to a new graduate?
Choose what job position you would like to pursue and start learning tools and getting skillset required for that position. Apply for a junior position and continue learning.
How to jump from Sys Admin/ Technical Engineer to Infosec Expert?
Start by understanding risks, threats and learning how attackers are thinking or using vulnerabilities. Next learn and read a lot and apply for a new job position.
Should I consider getting a cert in IT Security or what carts will be best since many positions are yet to be filled?
IT Security is a very broad domain and first, you should think about which field or what job position you would like to pursue. Based on this you can obtain certification from EC-Council, GIAC, ISC2, OSCP or other.
Is it worth learning Python while being a security specialist?
In general, it is very good to know Python, PowerShell, which can be used to facilitate and speed up your work also in security.
For the “Advanced Malware Analysis” module, does it require pre-work in terms of Assembly code familiarity?
The preparation list will be always presented before each module, but for this one, we will probably not go this time into assembler.
For those who want getting deeper into the CQURE experts presentations
Whitelisting, blacklisting… What about greylisting?
Greylisting is a method of defending e-mail users against spam. A mail transfer agent (MTA) using greylisting will “temporarily reject” any email from a sender it does not recognize. This term does not apply to applications.
Does Windows Defender ATP detect and prevent this attack?
Windows Defender ATP should be able to stop this attack, to be certain you must perform a test.
Paula Januszkiewicz is DEP enabled on the Victim machine?
In this video, it was on default settings.
What’s FIDO2 and is it a new type of authentication or has it been around awhile?
The FIDO2 Project is a joint effort between the FIDO Alliance and the World Wide Web Consortium whose goal is to create strong authentication for the web. At its core, FIDO2 consists of the W3C Web Authentication standard and the FIDO Client to Authenticator Protocol.
To authenticate my YubiKey, what version of IOS is required?
iOS and iPadOS 13.3+
Can we back up those FIDO2 keys? What if we lost it?
There is no possibility of making a backup of the FIDO key as it is hardware-based. Users can have multiple keys if one is lost you can replace it with next and remove trust for previous.
What API is leveraged by the console application for the FIDO pop-up?
FIDO2 is used for web applications.
How do you set the FIDO2 via Bluetooth?
Depends on the vendor of keys.
Can you tell me who is the manufacturer of the device presented in the last slide from the last presenter?
We are refraining from recommending any particular vendor.
Haven’t Stuxnet used properly signed binaries?
Stuxnet used digitally signed libraries.
Do program files also include C:\ProgramData?
No, program files are different locations than program data.
Can you use Active Directory to centrally manage AppLocker on OU basis?
Yes, you can find more details under this link
If I see that explorer.exe creates a connection out to the internet – when can I suspect that it’s a malicious connection?
It is necessary to verify to which host and for what purpose the connection is established.
In Azure AD, you can reset the local admin password. Is there a way to block this?
If your device is controlled by Azure AD there is no way of blocking it.
With the big move to using the MS security suite from Bitlocker Defender Firewall App Guard isn’t it becoming the scenario of putting all your eggs into one basket?
At the same time, it gives us the opportunity to integrate multiple solutions and have better visibility of interconnected solutions which are making the whole solution complete.
If some Windows process for example explorer.exe has like 100+ threads – is that suspicious?
Depends on the type of the process and its current state.
I suppose Applocker logs when someone tries to run something outside of the whitelist. Have you got any stories when SOC teams actually recognized threat activity through Applocker logs?
Yes, it can be used as an alternative way to get information about started processes but it should not be treated as the main source of such information.
How much knowledge of regular on-site Active Directory deployment is transferable to Azure Active Directory?
Azure AD is completely different from AD DS besides some basic concepts.
When IE 11 has gone, what will run legacy sites, like public, government, etc.?
Depends on the application, keeping also so legacy application is not a good idea.
Aren’t virtual smartcards deprecated features of the Windows OS?
Currently, Microsoft is marking VSC as deprecated, WHfB is a technology that is replacing it.
Are you using windows by yourself? Or is it just work keeping you to closed projects?
We personally use Windows on a daily basis.
Do the Applocker logs work in conjunction with Sysmon logs?
Both solutions are using different approaches and are not dependent.
Can you stop malicious PowerShell scripts with allowlisting? You can’t turn off the PowerShell completely.
You can block the danger functionality of PS. You can block PowerShell completely for standard users or use Constrained Language Mode to limit its functionalities. Under this link, you can read more about this.
What is your stance on AI security systems like Darktrace?
AI or rather ML not AI is a future of security.
Before running vulnerability assessment / pentesting, what areas should be prepared first in procedures? E.g. like network, systems, applications, processes or memory?
It’s best not to prepare for the pentest just do it and then remediate and prepare for the retest. Pentest should show you what you have been doing wrong before.
IIRC you mentioned Intune with Applocker. Is Intune required or does GPO work? I work for a very small company and we don’t use Intune or SCCM.
You can deploy Applocker with only GPO.
We are in AD 2012 R2, do you recommend upgrading to 2019 deploying Applocker?
Applocker does not require an upgrade. We always recommend following the new OS with all brand new features especially between 2012 and 2016/19.
How good is Nessus as a Vulnerability Scanner?
Scanner Nessus is a good tool for infrastructure scanning, but it will not perform e.g. tests of web applications. It all depends on what we want to use it for.
Looking for more insights to prepare better for the 2021 threats?
