The Necessity of Security Standards

Having worked in the Information Security industry for almost two decades, I’ve seen what has and has not worked well in organizations’ approach to security. One of the biggest pitfalls I’ve seen is a type of insanity: repeating the same mantras over and over again to supporting groups and stakeholders and then wondering why this incessant repetition keeps coming back full circle. The guidance provided tends to be just slightly different each iteration, enough to make each case sound unique, but it isn’t.

One project manager approaches someone on the security team and asks, “Hey, our vendor says they can only support DES encryption, is that OK?” A few hours later another PM from a different project approaches a different security team member and asks, “What encryption algorithms does our vendor need to use?” To which the security analyst replies, “We cannot use anything weaker than AES-128.” In this short but all too common scenario we have two distinct answers to the same question, one of which could have serious repercussions in that DES has been broken since 1976!

This is where the need for adopting organizationally sanctioned security standards comes into play. The earlier scenario could have been solved by having an established Cryptography standard that mandates the approved encryption algorithms to be used in the organization. Thus, when Larry the project manager swings by the Information Security area to ask which encryption algorithms are acceptable, you just point him to the Cryptography security standard that documents those requirements. When Joe, the other project manager, stops by asking the same question for a different project, the same guidance is given, and then you have a consistent standard from which the entire organization works.

Over the years I’ve found that there is a minimal list of security domains for which you should have security standards in order to formalize security requirements across the organization:

  • Access Control 
  • Asset Inventory
  • Authentication
  • Cryptography
  • Certificate Management
  • Data Protection 
  • Incident Management
  • Logging
  • Malicious Software
  • Monitoring
  • Network
  • Operating System – You should have a standard for each OS deployed. 
  • Remote Access
  • Virtualization
  • Vulnerability Management

Your mileage will vary depending upon the organization you’re working for and how they leverage the security domains outlined, but the important first step is getting them drafted and ensuring senior management supports not only their content but their enforcement across the organization; otherwise they will end up becoming suggestions instead of requirements. Security standards are just one component of the overall Information Security ecosystem; you still need security policies to drive them and security architectures to ensure they are being adhered to.

Arminianism & Church Revitalization

Ed Stetzer has a new blog entry in which he describes the five necessary characteristics that are needed to be an effective church revitalizer. Now on the surface there doesn’t seem to be anything wrong with the characteristics that he lays out in his article. The big question I have is: Why is church revitalization even necessary?

The main theme in this article, if you read it, is that the church should be treated the same way you treat a Fortune 500 business that is losing its edge. You need to focus on leadership, organizational ability, and relational patience, to name a few that he mentions.

He states, “At one church I served at, the leadership team had been elected to their positions and many were business leaders.”
So the first question I’m going to raise is: Is such a position warranted in Scripture? To answer this question we go to the Scripture itself and the well known ‘Great Commission’ verse in Matthew 28:16-20 [KJV]:

“Then the eleven disciples went away into Galilee, into a mountain where Jesus had appointed them. And when they saw him, they worshipped him: but some doubted.

And Jesus came and spake unto them, saying, All power is given unto me in heaven and in earth. Go ye therefore, and teach all nations, baptizing them in the name of the Father, and of the Son, and of the Holy Ghost:
Teaching them to observe all things whatsoever I have commanded you: and, lo, I am with you alway, even unto the end of the world. Amen.”

So we can see from this section of Scripture that the role of the Church is to teach the nations, baptize them in the name of the Trinity, and ensure the observance of said teaching and all of Christ’s teaching. What you see is Stetzer’s Arminianism coming out, which silently asserts that Scripture and God’s providence and grace are not enough, and that in order for the Church to be successful man’s ingenuity and efforts are needed to ensure that the church continues to be revitalized and does not grow stagnant.

When most Christians think of Arminianism they usually think of it just in terms of the doctrines of grace and not in terms of how you define what the Church is and what its role is within the bounds of Scripture. Like Calvinism it permeates all facets of the Christian life, so if the root is corrupt, so will its branches be.

Stop Referring to TLS as SSL!

Having worked in the Information Security field for close to 20 years now, one of my biggest pet peeves is when security professionals use technical terms that no longer comport with current realities. So as a word of warning, this blog post is going to be a rant.

It is first important to understand some basic history around the progression of the protocol from SSL to TLS. As is the case with most security protocols each new version is created to address security defects in the previous version.

SSL/TLS Implementation Timeline

  • SSL first introduced in 1993-1994 by Netscape
  • SSL 1.0 was never released due to serious security flaws
  • SSL 2.0 released in 1995 to address the security flaws found in SSL 1.0
  • SSL 3.0 released in 1996 as essentially a rewrite of the protocol to address defects found in SSL 2.0
  • TLS 1.0 released in 1999 to address some “minor” issues identified in SSL 3.0
  • TLS 1.1 released in 2006 to provide additional security enhancements
  • TLS 1.2 released in 2008 to provide enhancements around SHA-256 along with support for additional authenticated encryption ciphers

SSL/TLS Vulnerability Timeline

  • 2011 – SSL 3.0 and TLS 1.0 found to be vulnerable to the BEAST attack
  • 2014 – SSL 3.0 found to be vulnerable to the POODLE attack

As can be deduced from the above timelines, no one should have been using “SSL” as defined in the RFCs since 1999, and absolutely not since 2011 due to BEAST. Information Security professionals certainly should not be referring to TLS as SSL, as I’ve observed time and time again over the last decade.

What is the big deal, you may ask? Certainly everyone knows what you are talking about when you tell a client or a customer, “Just secure the HR website with SSL and you’ll be fine.” Your client or customer then does the proverbial Google search and finds that anyone securing their site with SSL is without doubt a psychotic. They then call you and ask why you would configure their highly sensitive HR website with a protocol that has been exploitable for the past 7+ years. To which you respond, “Oh no, we would never configure your site with SSL; the security best practice is to only enable it with TLS 1.1 or above.”

You have now learned why terminology that reflects actual reality matters.

References

  1. Transport Layer Security (TLS)
  2. TLS/SSL Explained – Examples of a TLS Vulnerability and Attack, Final Part

Reformed.IO Project

I have recently purchased the Reformed.IO domain with the goal of providing a collaborative means for Reformed Christians to commune. There have been of late a number of incidents on the major social media platforms (Facebook & Twitter) that have censored content specific to holding a Christian worldview. I do not think it is too unrealistic to see this trend continuing, with the ultimate risk of the Christian witness being completely inoculated.

I’m currently investigating a number of different technical frameworks to use, but to host this and to make it successful will require funding. This will mostly amount to monthly expenses around paying for compute power. The more folks utilize the service the more it will cost to continue maintaining it and having it operate at acceptable levels.

I already have some high-level objectives defined, and here are the main ones:

  • Forum Boards – To discuss various topics such as Sola Scriptura, Confessions, Christology, and the like.
  • File Exchanges – Ability to exchange files of interest
  • Collaboration Teams – Create teams for specific discussions and collaboration.
  • Real-time Chat

I’m estimating that if there is a lot of activity with the service it will take about $30 a month to get things going. If you are interested in seeing this project take place, please consider becoming a monthly patron on Patreon by clicking the link below. If just 30 people commit to $1 a month it would go live.

Patreon for Justin Andrusk

Cybersecurity Podcasts

I was recently asked to give recommendations for Cybersecurity Podcasts to students in college that are majoring in Security. The usual problem with security podcasts (and podcasts in general) is that they frequently become static and in some cases a year or more goes by before they are updated.

There are actually many more Cybersecurity related podcasts than what I have listed here, but these should keep your mind updated enough without getting overloaded.

Here are some of the main ones that I know that are kept up to date.

Threatpost Security Podcast

Breaking Security Podcast

White Rabbit Podcast

Security Weekly

Defensive Security Podcast

OWASP 24/7 Podcast

Risky Business Podcast

Pushing The Antithesis – Part 4 – Worldview Features

The fourth chapter of the book focuses on the different components that comprise a worldview. They are the building blocks of a worldview; without any one of them you cannot have a complete worldview, which is why it’s so important to define each one and to expand upon each level to understand the questions that they need to answer.

Another key point is that each of these worldview building blocks serves to show how utterly nonsensical the Atheist worldview is: since the Atheist cannot accept order in the Universe, he is left to attribute every event to chance, and so cannot justify what he observes.

Metaphysics

The study of the nature of reality. Beyond the physical, as in the laws of logic & science.

Metaphysics seeks to address three core questions:

  • What does it mean to exist?
  • What is the nature of man? Is he free? Good? An animal?
  • What is the nature of the universe? Is it objectively real? Or is it simply appearance?

Metaphysicians seek to understand the world as a whole.

What Metaphysicians study is actually Christian theology in secular dress.

God is the ultimate ground of all reality. – Gen 1:1, Exodus 20:11, Neh 9:6, Rev 4:11

Epistemology

The study of the nature and limits of human knowledge.

Epistemological inquiry focuses on four classes of questions:

  • What is the nature of truth & objectivity?
  • What is the nature of belief and of knowledge? What are their relationships? Can we know and yet not believe?
  • What are the standards that justify belief?
  • What are the proper procedures for science & discovery? How can they be trusted?

The unbeliever will not be able to rationally account for the order of the universe which he experiences, since he is committed to the fate of chance.

There is no way to account for reason in the non-Christian system.

Ethics

Studies right & wrong attitudes, judgments, and actions, as well as moral responsibility and obligation.

Focuses on four main areas of concern:

  • What is the nature of good and evil?
  • What are the standards for ethical evaluation?
  • What about guilt and personal peace?
  • How do we attain or produce moral character?

For the non-Christian there is no sure basis for ethics.

The chapter can be best summed up in this Atheist Creed crafted by Christian scholar Steve Kumar:

There is no God.
There is no objective Truth.
There is no ground for Reason.
There are no absolute Morals.
There is no ultimate Value.
There is no ultimate Meaning.
There is no eternal Hope.

Recommended Reading

Bahnsen, Greg, “The Concept and Importance of Canonicity”

Butler, Michael R., “A Truly Reformed Epistemology”

Chicago Statement on Biblical Inerrancy

Humanist Manifesto II

Thompson, Bert, “In Defense of the Bible’s Inspiration” Part 1 | Part 2

Building Metasploitable 3 on Ubuntu/Debian

Recently I attempted to build the new Rapid7 Metasploitable 3 VM for use in my pentest lab on Ubuntu 16.10. I followed the instructions on their GitHub page to the letter, but it failed in a variety of areas. The good news is that I was able to hack my way through all of them to get it built. This blog entry covers the steps you need to take to successfully build the VM on an Ubuntu/Debian based system. I’m assuming you may run into similar issues on a Fedora-type system, but your mileage may vary.

Packer

No issues with Packer, beyond just installing it with: sudo apt-get install packer

Vagrant

First you need to install Vagrant: sudo apt-get install vagrant

Second, before you can build the vagrant-reload plugin, you need to install the ruby-dev package with:

sudo apt-get install ruby-dev

Now you can install the plugin with: vagrant plugin install vagrant-reload

Due to the dependency upon WinRM and with the Vagrant version in the Ubuntu/Debian repo you will need to install:

vagrant plugin install winrm --plugin-version 1.8.1
vagrant plugin install winrm-fs

The 1.8.1 version is key in order for the build to complete successfully.

Metasploitable 3 Build Script

The Metasploitable 3 build script has some checks that fail due to the latest version of VirtualBox that’s in the Ubuntu/Debian repo. The main reason is that the script checks for a specific version of VirtualBox, and since with Ubuntu/Debian you’re running a newer version than what the build script requires, it fails.

Since we know we already have the necessary dependencies built, we can just run the build commands manually:

TMPDIR=/home/tmp packer build windows_2008_r2.json

The TMPDIR directive was another gotcha as I only had 1GB of space allocated to my /tmp filesystem and the process ran out of space. Point the TMPDIR variable to a path where you have enough space.

Now we can create the Vagrant box with:

vagrant box add windows_2008_r2_virtualbox.box --name metasploitable3

And then start it up with just: vagrant up and you’re good to go.
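The steps above collected into one script, as an added example that is not from the original post or the Metasploitable 3 project. It pins winrm to 1.8.1 as the post found necessary, and refuses to run packer until TMPDIR has enough free space, since the post’s 1 GB /tmp ran out; the 8192 MB threshold, the BUILD_TMPDIR variable and the vagrant plugin list line format “name (version, global)” are assumptions.

```shell
#!/bin/sh
# Helper for the Metasploitable 3 build on Ubuntu/Debian (added example).
# Assumptions not from the post: the 8192 MB free-space threshold and the
# "name (version, global)" line format printed by `vagrant plugin list`.
set -eu

BUILD_TMPDIR="${BUILD_TMPDIR:-/home/tmp}"   # path from the post; override as needed
MIN_TMP_MB=8192                              # assumed; the post's 1 GB /tmp was too small

# Return 0 if directory $1 has at least $2 MB free (portable `df -Pk` output).
has_free_mb() {
    avail_kb=$(df -Pk "$1" | awk 'NR == 2 { print $4 }')
    [ -n "$avail_kb" ] && [ "$avail_kb" -ge $(( $2 * 1024 )) ]
}

# Return 0 if plugin $2 at exactly version $3 appears in the plugin list text $1.
# Accepts both "winrm (1.8.1, global)" and "winrm (1.8.1)"; the anchors stop
# "winrm" matching "winrm-fs" and "1.8" matching "1.8.1".
plugin_pinned() {
    esc=$(printf '%s' "$3" | sed 's/\./\\./g')   # literal dots in the version
    printf '%s\n' "$1" | grep -E "^$2 \($esc[,)]" >/dev/null
}

# Install plugin $1 unless the wanted version is already present.
# An empty $2 means "any version", as the post does for winrm-fs.
ensure_plugin() {
    name=$1; version=${2:-}
    current=$(vagrant plugin list)
    if [ -z "$version" ]; then
        printf '%s\n' "$current" | grep -E "^$name \(" >/dev/null && return 0
        vagrant plugin install "$name"
    elif ! plugin_pinned "$current" "$name" "$version"; then
        vagrant plugin install "$name" --plugin-version "$version"
    fi
}

main() {
    sudo apt-get install -y packer vagrant ruby-dev   # ruby-dev is needed for vagrant-reload
    ensure_plugin vagrant-reload
    ensure_plugin winrm 1.8.1                         # 1.8.1 is the version that worked
    ensure_plugin winrm-fs
    mkdir -p "$BUILD_TMPDIR"
    if ! has_free_mb "$BUILD_TMPDIR" "$MIN_TMP_MB"; then
        echo "need at least ${MIN_TMP_MB} MB free in $BUILD_TMPDIR" >&2
        exit 1
    fi
    # The build script's VirtualBox version check is skipped by calling packer directly.
    TMPDIR="$BUILD_TMPDIR" packer build windows_2008_r2.json
    vagrant box add windows_2008_r2_virtualbox.box --name metasploitable3
    vagrant up
}

# Only start the real build when invoked as: sh build_ms3.sh --run
if [ "${1:-}" = "--run" ]; then
    main
fi
```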

Happy Hacking!

Book Review: Natural Law and the Two Kingdoms


Series: Emory University Studies in Law and Religion

Publisher: Wm. B. Eerdmans Publishing Co.

Copyright: 2010

ISBN: 978-0802864437

Pages: 512

Natural Law and the Two Kingdoms can be summarized as a survey of the historical Reformed Christian position on the two key concepts of the Two Kingdoms and Natural Law. Those two terms in the title are the key to understanding this book, both in the data the author uses to interpret the Reformed position on these two concepts and in how they work themselves out in the civil and ecclesiastical realms.

The book is an excellent work of collating the historical position on these two concepts, going all the way back to the pre-Reformation era with Augustine and all the way down to Greg Bahnsen and R.J. Rushdoony. One of the main reasons I picked up this book is that I could not find another book that has attempted such a large venture, and the author should be commended for such a work. The author does a good job of defining what he means by Natural Law as he interprets the historical sources he cites.

In regards to the term “Natural Law”, the book essentially defines it as the Decalogue applied to unregenerate man, who is made in the image of God. It is vital to understand that this term has nothing to do with the ecclesiastical part of the book (that is covered under the Two Kingdoms term), but purely with the civil realm and how unregenerate man can rule it in righteousness and justice. This presents a problem from the Reformed Christian position, whose assertion has always been that although man has been created in the image of God, man is dead in trespasses and sins. This is no problem when it comes to the doctrine of the church, but in this book that position is negated when it comes to the civil realm and the “Natural Law” of man. The author claims early in the book that he’s not trying to defend the position, but merely to express what the historical Reformed Christian position has been on the subject. If you do read this book you will begin to see that the author holds to the very premise he is attempting to demonstrate: that the Reformed position he presents chapter by chapter is the correct one, and deviations from it are wrong and heretical.

The second motif in the book has to do with the Two Kingdoms. This is where the role of the church and the role of the state are expounded from the historical Reformed Christian sources he documents. The author seems to handle this in a more consistent way until towards the end of the book, when he discusses Cornelius Van Til and Greg Bahnsen. It’s the classic position where the church operates in its own sphere of church doctrine and discipline and the state (civil polity) operates in its own realm, governing and legislating according to its own doctrines and precepts. The author essentially puts Christ’s Kingdom into two domains: Christ as Creator and Christ as Redeemer. The domain of Christ as Creator is argued to mean that Christ governs the civil realm as Creator, along with the providence he gives to unregenerate man through natural law; the other domain is Christ as Redeemer, where he rules and governs his church by His Word. Natural Law is the link in the author’s chain by which he justifies these two kingdoms.

A key and problematic theme in the book is an appeal to pagan authors and authorities, more so on the Natural Law side than the Two Kingdoms side, and one that is most disturbing. There’s even a section where the author appears to be passively mocking those who would have God’s law as the standard in the civil realm as ‘Biblicists’. This seems to me most disturbing given his Reformed Christian presuppositions.

I did find his response to Bahnsen’s theonomic position interesting, but then again it aligns with the whole argument of leaving sinful man to rule the civil realm and only expecting the regenerate in Christ to rule the ecclesiastical realm. You will also find in this book that when it came to the Reformed tradition actually executing the presuppositions the author articulates, various inconsistencies come to light. He highlights some of this in Calvin’s Geneva, with the execution of Servetus being the best use case against the author’s position, since Servetus was executed on an ecclesiastical charge and not one bound in the law of the civil realm at that time.

In conclusion, the book is a good survey of the historical Reformed position on the two areas of Natural Law and the Two Kingdoms, but the premise that this position is correct, or even consistent for that matter, is questionable. As a Reformed Christian, I believe the Reformers were spot on in regards to the various doctrines of the church that they expounded and fought for; I just don’t think their position in the civil realm has been consistent or biblically driven enough to warrant the position that the author assumes. If the Scriptures are to be the only rule for faith and life, this includes the civil as well as the ecclesiastical realm.

Pushing The Antithesis – Part 3 – Defining Worldviews

The third part of the series has to do with, as the title suggests, defining worldviews. The actual definition of what a worldview is plays a critical role in understanding the presuppositions one brings to the table for interpreting reality, knowledge, and ethics.

One of the recurring themes you will notice throughout this blog series is Bahnsen’s emphasis on the myth of neutrality. This becomes even more apparent when defining what a worldview actually is. In each of the major domains of a worldview you must assert truths, and this itself removes the option of neutrality. An assertion has only a binary conclusion: true or false.

Bahnsen defines a worldview as:

“A worldview is a network of presuppositions (which are not verified by the procedures of natural science) regarding reality (metaphysics), knowing (epistemology), and conduct (ethics) in terms of which every element of human experience is related and interpreted.”

Another quote worth providing is viewing the Christian faith as a complex system:

“We must recognize that the Christian faith is a complex system of mutually-supported, intertwined beliefs filling out a broader interdependent worldview.”

As in systems engineering, where each component affects the overall health of the whole system, each element of a worldview affects that worldview as a whole. Each subcomponent functions as a link in the chain, and if one link is inconsistent with the others the system will break down. The Christian faith is no different, which is why the Bible must be the only rule for faith, life, and apologetics; otherwise Christianity will self-destruct on the sand of human autonomy.

Recommended Reading

Bahnsen, Greg, “Worshipping the Creature Rather Than the Creator”

Hurd, Wesley, “Me and my Worldview”

Moore, T.M., “Beyond Creation vs. Evolution: Taking the Full Measure of the Materialist Challenge”

Nickel, James, “Mathematics: Is God Silent?”

Stump, James, “Science, Metaphysics, and Worldviews”

Pushing The Antithesis – Part 2 – Destroying Philosophical Fortresses

The second part of the series has to do with taking down philosophical fortresses. Although we have not yet covered chapter 3 on worldviews, you may consider this prep work, as a number of principles will lead nicely into the next part of the series.

Try to understand why the unbelieving mind is hostile to the Christian worldview; understand why no one can be neutral and still remain philosophically consistent; and understand what is meant by the “noetic” effects of sin.

The main points to be observed from this chapter are:

  • Factually we must recognize that the unbeliever is not neutral.
  • Morally, we must understand that the believer should not be neutral.
  • Any claim to neutrality is a pretense, and it is philosophically impossible.
  • “Noetic” is derived from the Greek word, nous, which means “mind”.
  • This is one aspect of the doctrine of “total depravity”, which declares that the fall reaches deep down into a man’s very being, even to his mind, and his reasoning faculties.
  • The world and the universe do not operate randomly by blind chance or under their own inherent power.
  • In fact, you will even give account for every “idle word” that you speak (Matt 12:36).
  • None of your words is neutral; each one is subject to God’s evaluative judgement.
  • We are not saying unbelievers “know nothing.” We are saying that they do not know anything “truly,” because they do not recognize the most fundamental reality: All facts are God-created facts, not brute facts.

Recommended Reading

Flashing, Sarah J., “The Myth of Secular Neutrality: Unbiased Bioethics?”

Kruger, Michael J., “The Sufficiency of Scripture in Apologetics”

Oliphant, Scott, “The Noetic Effects of Sin”

Woodward, Thomas E., “Staring Down Darwinism: A Book Review”