March 8, 2021

The Cyber Rants Podcast

Episode #19 - Diagram Delight!

This week the guys discuss why it's vital for an organization to have a Network Architecture Diagrams, Network Configuration Diagrams, discuss best practices for building them (scotch can help), and explain why a little effort now will make your work life so much better.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com.
Be sure to rate the podcast, leave us a review, and subscribe!

welcome to the cyber rants podcast where we're all about sharing the forbidden secrets and slightly

embellished truths about corporate cyber security programs we're ranting we're raving and we're

telling you the stuff that nobody talks about on their fancy website and trade show giveaways

all to protect you from cyber criminals and now here's your hosts mike rotondo

zach fuller and lauro chavez hello and welcome to cyber ants podcast this is your co-host zach

fuller joined by mike rotondo and lauro chavez and this is the podcast where we answer your deepest

questions about cyber security and compliance while we solve some of the world's biggest

problems or something like that today we are talking about a another topic that is especially

important and has tremendously beneficial but it's another one of those things that a lot of people

don't do so before we dive into that laurel we're going to switch it up a little bit today why don't

you kick us off with the exploits cool thanks zach i don't really want to dive in but if you've got

if you haven't seen the zero day from uh microsoft exchange make sure you google zero day exchange

and deploy those four patches that are out for that i'm pretty sure that the seriousness of

that most most of the organizations that have at least are using the exchange have become aware of

that something you're probably not aware of those if you're using zen cart in any capacity uh which

has been out for a while it's uh kind of a cots product that you can you used to be able to go

buy it best buy in a little box with a cd kind of like aol um anyways but zen cart is sort of a

e-commerce kind of shopping cart for your website if you're gonna you know host some stuff you're

gonna sell some merch anyways really really really cool remote code execution um has been written and

validated for medisplay pretty awesome stuff it's it's a very simple python script but it deploys a

it deploys a server-side script to the database that calls back and gives you

a remote command pretty awesome stuff so make sure you're patching the cve for that

is from 2021 of this month so make sure you look into that it's 32.91

and um yeah awesome stuff coming out of the uh some of the metallic teams so very very cool mike

you know change can be good uh so we switched it up today so here we go with the headlines

um nsa and microsoft promote a zero trust approach to cyber security uh they're really

pushing the combination of user and device data with security relevant information uh in order to

do authentication it's the admission that simple password isn't enough mfa has been exploited

so we gotta do something else from i'm calling bs on this pile and this is just my personal opinion

intern cause solarwinds 123 password leak from solarwinds for former solarwinds ceo says i have a

real problem there should have been productions in place protections in place to keep an intern from

creating an admin password so blame the intern someone had to burn poor kid man

i bet he was wearing a red shirt yeah as i was gonna say is this an episode of star

trek we have the unnamed crewman going down to the planet jimmy's never making it back yeah

it's his first trip he's never coming back kirk will mourn you for the rest of his days

and sometimes you just pull the short straw you know just like

yes you'll be mentioned in the captain's log forever

ensign what is what's his name got crushed by a boulder anyway and from the i didn't know

they still existed files aol phishing email states your account will be closed i wasn't aware aol was

still a thing but you know tell you know granny and pop pop and uh you know me ma and grampy that

you know they need to stop using aol or they need to not click on this email so my brother has an

aol account from 1992 i believe still i find my my aol account works best with my dial-up modem

yeah it's so hard to get 9 600 baud these days my password's private post exposed in hack of gab

so gab has been hacked there's some ddos stuff in there and uh so be careful with your social media

uh malicious npm packages target amazon slack with new dependency attacks this is another attack

creating you know hitting high profile cyber security or high profile attack so

microsoft accuses china over email cyber attacks um everybody that's surprised please raise your

hand that china is attacking our infrastructure telemarketing biz exposes 114 000 in cloud

config error so if telemarketers aren't bad enough they're now exposing your data firm

counts lending marketplace lending tree liberty mutual insurance and smart security vendor vivinet

among its customers so if you're a customer of one of those if you have a telemarketer reaching out

to you your data may have been exposed microsoft rushes out patches for exchange zero day attacks i

didn't realize i still had this in there um but yeah there's uh there's it's a mess go get it

fixed uh palo alto has also released some patches for it as well so you can stop it at the at the uh

perimeter cyber analyst finds links between suncrypt and q a crypt ransomware this is a

russian cyber criminal group called full of deep i'm sure that translates to something really scary

in russian uh but anyway that's a new cyber a new uh new ransomware that's out there there's

a now fixed linux kernel vulnerabilities enabled local privilege escalations so cve 2021-26708 it

appeared in linux kernel version 5.5 in november 2019 and uh basically allowed for local privilege

exclamation escalation ransomware as a service is a new big problem for businesses much like the

ever-evolving legitimate tech industry apparently cyber criminals are now evolving to provide

create a service industry called ransomware as a service be aware of that just like every other

piece of ransomware out there all your computers are belong to us exactly microsoft we're cracking

down on excel macro malware according to them um okay we'll see it when it happens another

chrome zero day exploit so get that update done yep that's chrome is under attack i think this

is probably there's been a bunch of these in the last couple weeks and lastly copycon msp confirms

ongoing outage following malware and snip this is a something we touch on the book actually about

concerns about msps how they can you know one on msp being taken down can take down a whole lot of

uh other customers so a lot of the customers so beware watch your msp make sure they're

up to date on security maybe get a security company to validate what they're actually doing

um and ensure your company can maintain its focus and function all right from there zach do you want

to introduce or you want me to introduce i'll dive in just a minute i'm updating chrome here

no really today we are talking about um something that um non-technical people or without a people

without a background in this would talk about those pictures with the um the circle thingies

connected to the square thingies and the lines and there's some numbers and letters and such

and oftentimes that's how they're recognized and they can be extremely confusing to people but our

assumption is that if you're listening to this podcast you probably have some level of technical

background and so for this uh purposes of this podcast we are talking about network architecture

diagrams and um we'll start out by before diving into how they should be made what should be

included and such i think it's most important to share a little bit about our thoughts on why

they're important you know so why why should an organization have architecture diagrams in place

up to date um and to add to that question why do are so many companies missing those well i think

what's happening is it's becoming a compliance requirement first of all but it is a best practice

more importantly and i think what we what you need is not only network but you need infrastructure

you need data flow diagrams in order to be able to track your data sufficiently and understand

have a visual picture of how your infrastructure actually works but it's also critical for your

dr disaster recovery ir instant response your business continuity uh to be able to re

recreate your existing environment you know if you if something government happens is that there's

a lot out there that you know if you're a big company you probably already got this right but

for the small to medium size or emerging market companies these things are critical you need to be

able to put the pieces back together when humpty dumpty falls off the wall and visual diagrams

will help you do that now there's two types of diagrams there's the machine generated diagram

and then there's the infrastructure diagram that you actually hand draw i think everybody in this

call would lean towards the one that you hand draw not because it's great billable hours that you do

while listening to music and drinking scotch but because it is something that you can be more in

depth it's more effective and it certainly is a lot cleaner so that's my soapbox moment lordy i'm

assuming you have comments or zach i had a friend of mine that got himself promoted up into uh you

know i t management we were out at lunch one day and he said you know i'm i knew this role you know

is there is there any advice that you know you'd give me that you know that i could really kind of

take with me and i just kind of thought i'm in it and i said you know always remember well that

that's it there's there's no punchline i mean it was just general advice i always remember right so

um just because it's a it's good to not forget things and then you walked away yeah and then

he walked away there's no always remember this was the intern you were talking to

so no always remember solarwinds123 is a great password that is always remember like yeah yeah

you don't want to forget stuff anyways so i could say never forget i almost told him that too but

then he would ask me the same thing never forget what i'm like no just never forget anything ever

part of that joke is enter into the the network diagram right the infrastructure

diagram the architecture diagram the drawing with the pretty colors that needs to be very detailed

you know mike i think everything you said is is absolutely true and necessary and

i think you know if we look at civil engineering how they you know can't

build things without permits and you know you you have to have these blueprints

that you know really you know i'm sure that there are a lot of really smart civil engineers who

could just go build a house right but to do it right when they want to do it right they build

the they build the diagram first the blueprint and they lock out where everything's going to go the

electrical outlets or the plumbing they know how many feet of everything they need right it's all

all in the building materials right on the bomb and we can so benefit from that from that

method of thinking as we go into infrastructure and um and and technology with software and

everything else because those diagrams have to be that source of truth and like you said when when

humpty dumpty falls off the wall you better have some some method that's you know i can't tell you

how many companies that we've worked with recently that only were taking snapshots they had no real

backup plan and the snapshots weren't complete and so it was a it was a you know when you have to

rebuild in a bad time it's a lot better when you have everything that you you can can have around

you to make that process simpler and and happen faster because not only is you're going to be on

the wire to build it all back but you're going to have people looking at you and sitting over

your shoulder watching you recover this waiting right like like i wait for the guy at the dairy

queen to make my smoothie actually it's not it's not a smoothie i lied it's it's one of the ones

with candy in it what do they call that concrete blizzard a blizzard thank you sir yeah but i still

do i stand there at the counter anxiously waiting i prefer the peanut buster parfait that's my

parfait this show is not sponsored in any part by dairy queen any subsidiary

it's a dairy queen how do we recommend the consumption of meat dairy products that might

include lactose exactly you know obviously when something breaks it helps to have

a blueprint to understand how to fix it right so that's that's critical now let's talk about

you know what are your thoughts from an incident response perspective what happens if you don't

have good diagrams and something happens that's potentially malicious in nature screaming i mean

yeah panic gnashing of teeth pulling a pair flaming pointing the fingers at the intern

instant bilbo it's paul he had the password yeah one two three we entrusted you you had one job

password you were the password vault you're not supposed to put it online

um you know what happens is that you don't necessarily know how everything goes back

together again right i mean you you don't know what device goes on what what you know for

taking example esx host right you don't know what vm's going what server necessarily you don't know

what connectivity is required you don't know what ports are required to be open you do not know

what's encrypted what's not encrypted you you know you may have a vague idea but it would be better

to have a blueprint right it would be better to have a map that shows you where to go right i mean

google maps is a thing for a reason because we don't want to know how to get to some place right

um yeah when you have hardware security modules that you've deployed like maybe in like almost

2 million dollars worth yeah and then somebody leaves and you put somebody in charge that doesn't

know what they're doing and they have to figure out how to update them and configure them and what

what communication is required how they're deployed today what that looks like i mean

that that's just like a such a helpful handoff right for somebody coming on

that doesn't happen just hypothetically speaking you're saying right yeah like you know just in

case just that that was a totally hypothetical scenario totally hypothetical scenario

hypothetical you know and it could be anything right i mean it could be you know it could be

another like an antibiotic solution you know what i mean but there are a lot more components

that just you're gonna you know you're gonna worry about your main things like exchange

um right an active directory you're going to want to get that going so everybody can get

onto the network right you're going to if you're microsoft you're going to believe that that is

establishing that is the number one step back to normaldom so you'll go you'll go

that route but then you'll have ancillary things that are out there your web apps

internal applications that are running for people your hardware security modules maybe there's

you know now firewalls need to be redeployed or re-architected because of changes the more data

you have on what that port protocol and everything else looks like coming in and

out of those tech is going to help you rebuild that infrastructure quicker better and stronger

so it ties back into your business continuity plan as well um capacity planning right i mean and it

should be integral to your change management yep and vendor vetting yeah for tech vendors so

so it's you know it's critical for a lot of reasons um you know obviously the basically to

run the operations of your and security measures around your technologies um what would you say

so when you're going into an organization so let's let's say an organization has no

architecture diagrams or maybe they have some kind of automated you know stuff that was just

made with a tool and and and isn't very accurate or helpful what are your steps or what is your

approach to building these for in case somebody wants to go in and and take this on yourself

what advice would you give them to start building out their their diagrams for their organization

oh i got one i got two this is this is my method i know mikey might have growth i think we've done

this like first off you got to get a room with a big white board yeah you got dry erase markers

the squirt stuff that cleans the board really nice and a good a good set of wipes and then then you

got to make sure there's food on site okay because you're not getting any information out of anybody

without the nibbles on site um so make sure you you invest in those two things first

don't keep on the bagels get the good bagels don't you know pay the extra five dollars and

go to a good deli and get good bagels you want good data you gotta have good bagels exactly

and get get the cream cheese with the locks in it if you really

you know what i mean like come on now um ask for capers on the side it'll make a

world of difference to the individuals that are going in there and then here's the thing is it

let everybody eat first okay let them have their bagel and get down let them at least get

four bites in before you start grilling them on the board but start start on the board little

simple things as they eat write some things down some you know objectives you want to accomplish

right it's an information gathering session right with with picture drawing and then you've got to

have a camera on site because you're going to need to remember what you drew on the whiteboard that

then you can then take back to vizio or um edraw or some other program right where you're gonna

cad where you're gonna put where you can put the powerpoint yeah and if you start before you let

them eat a little bit though they're gonna be thinking about is damn i got this great bagel

in front of me exactly yeah after i've had about three or four bites i'm all i'm all yours that's

fine just just let me let me have like half of it half a cup of coffee you know so ease into

that meeting but you know you have to run it like a um i mean you really have to do a whiteboarding

session and you know now with with covet and everything you can you know you can use um google

or anything else with whiteboard sessions but it it's helpful to get the right people in the room

and i think that's the the next most important thing besides the the good food and the white

board and the um the colorful markers like how do you how do you think is the best to get

the right people because we see a lot where we've been we'll be in there we'll ask questions and

the individual will know maybe two things of the 40 things we need to know i think it shows

that sometimes management doesn't know who the right people are so you really actually need to

talk to the smes because they'll be like oh that's fred that does that it's not you know it's not me

he's the guy that knows all that stuff or you know this guy has all the travel knowledge or she's the

one that you know does the you know it's created the database schema and the set and the other

thing so it's a lot of times it's like the initial the pre-meeting is what's going to tell you

how to get the right people into there writing people into the whiteboard meeting yeah so just

yeah so i mean you bring everybody in for you know just a big one a big you know one-time meeting to

talk about what the initiatives are and then out of that have the breakout sessions um and then i

think i've always benefited by you know doing it by the layers right meeting with the network team

understanding what they've got going on and then bringing in the tools teams there you know as well

as they're needed to have those kind of breakout sessions so that you can

start putting that that kind of like a holistic diagram set together

yeah but you can tell you what not to do before those meetings i remember the time when we were

traveling and uh one of the consultants we were traveling with decided that he wanted to uh

drink a lot the night before slammed a couple bakers which as you know is 130 proof bourbon

um and uh proceeded to actually get up in the middle of a meeting and leave and we looked

out the window and he was working in a parking space just outside the window which was great in

front of the client i thought that was not me for people no no no it's nobody on this call some of

you on this call or some of you listening to this podcast may know exactly what i'm talking about

but no names to have no place here no no no what there's more to that story i just

gave you the highlights but yeah don't be flammable when you walk to the meeting room

so you have your data collection session and hopefully nobody walks out

growing up but once you once you've done that what do you guys find as far as back and forth goes

once you're sitting down in front of your machine and actually on vizio drawing these out then what

well i i find and you know we joked about it but you know you get your pictures out if you have a

couple monitors that'll help because you can keep a picture up and then look at the vizio

but you know create a relaxing environment for you it's hard as hell to do in a cubicle

i'm gonna be honest with you i mean the best drawings that i do just like the best

writing i do is at night you have my music on i'm in a relaxed you know area my space

and star drawing you know in the nude no no we're not going to do that

let's go oh i was talking about me my bag but yes well you have a stand-up desk i have a sit down so

you know it's true toucher but yes find someplace relaxing and you're absolutely right you know that

the easiest thing to do is to whiteboard it out with everybody in a room make it a

fun thing right try to make it fun because it's it's you know people are going to have different

opinions on why this information is being yanked out of them right so make sure you make it fun

make make sure everybody's involved and take pictures with your camera phone and um make

sure you take those pictures home if you've been in a relaxed place however you prefer robe silky

um and uh slippers aromatherapy candles uh peach peaches and bourbon burning in the background

sometimes some naga chamba maybe just a little um yeah but what's important is that you take

that data that you got from those sessions and that you can then accurately report it back to

you know whatever you know i guess application you're going to keep it in right vizio or

yi draw i think those are probably two main ones i think cad's kind of unrealistic

although microsoft word or powerpoint are going to be sufficient at first i think what's important

to talk about now is probably the data that you need to include and that's probably one of the

things that i think gets missed in a lot of the drawings we see wouldn't you say mike i think

i don't want to talk bad about people's artwork right i think any having anything is great

but you should be looking to improve always right um personal philosophy anyways

the data that that exists on there needs to really be detailed um and i mean what

yeah and relevant and so it not only does the data need to be accurate it needs to be um it means

to be a part of the change process so that you're looking at the document when when the architecture

or something in the architecture changes and to review the document before you make a change

to make sure you're not modifying any of the architecture that may require other departments

or other changes they need to be a source of truth almost like your policy documentation right

mike i mean oh yeah yeah you know supports and protocols right um we do colors right so reds are

our secured uh transmission so if you're running tls uh from uh from a database to uh to a web app

um you know um is an example right uh it's gonna be you know red um if you're running just plain

old sql it's gonna be black right or you can make database connections another color right i mean

but they need to include everything that that application needs and you're going to find that

by rtfm right right you're going to need to read the manuals right go to the vendor find out what

portion protocols are being used put your names on there what what are you calling it is this

you know did you give it some weird name from you know the constellations

you know it's going to make you look at your naming convention also in your organization

like because these servers and you have you know fqdns right so they can operate internally and

then you'd have an ip address you probably don't need the mac on there but it might be helpful

but you run into space issues with mac but yeah i mean the ip the memory the disk the

os the os version you know all those kind of things need to be on every server yeah because

if you've got to rebuild a vm and you didn't know how much resources it had at first you may

you know may have problems and not be aware that you're not given enough memory right so that that

stuff that would have all been sorted out in real time operations that could have been reflected

into the diagram you would have that truth right someplace other than a technology that could be

turned down right yeah and then you know what data cluster connects to what

ports obviously what you touched on what inbound ports are open to it you know does you know

you know that uh i mean that's that's the big ones right i mean yeah inbound ports always and then

that's going to help you with pci and other types of initiatives that are asking you to understand

what what inbound you know connections you require versus outbound and authorize the whole authorized

ports and protocols conversation right it'll help you understand that and this may be big drawing

right it may take up multiple pages there's really no wrong way to do it i think as long as you

approach it from a data science perspective and just try to record everything accurately as and as

it exists today so that you could you could build it back right well you again especially i was

just thinking about vlans right i mean what ports are allowed to access through what vlan what you

know what what firewall contacts is allowing what ports to get into what area what traffic you know

if you're if you have that much of a networks you know segmentation yeah actually i think we have a

example um up in our resources for the cyber ants oh yeah i think we do very good i believe so

well it's um and is it okay to use emojis for poorly configured or well-configured systems

no that's not allowed i need to stop doing that then i didn't know that mike

damn i thought that meant it was good i gotta stop yeah i miss clippy i could just ask it a question

that was a that was a good uh good talk on something that uh people need but oftentimes

hate to do anything throwing the caveat that we are actually doing this at nine o'clock in the

morning not five o'clock at night at a bar so just just so you're aware yep that's right i did have a

cup of black tea which does have some caffeine so yeah i put almond milk in my coffee this morning

any final comments or smart remarks about uh architecture diagrams uh you know just

do them you know yeah it's like washing your armpits you just gotta do it

change your underwear you know yeah yeah it's just it's good hygiene like you wouldn't run with

lice would you i mean maybe you would i don't know if you tie it into your change management

process it becomes i mean it's initially it's a heavy lift but once you tie it in your change

management process it becomes just minor you know 15 20 minutes here there you know

depending on the amount of change you actually have in your environment so just like everything

else we do from a compliance standpoint right it's compliance spreadsheets that

look massive and scary and then you go through it and you only got and you're probably 60

done just by doing best practices one you know it makes it much simpler you just kind of get over

that initial hurdle that initial big lift get the diagrams done and then just integrate it into your

operational behavior and it makes life easier that way keep it all it's easier keep it up up to date

don't get it don't let it get old and broken or yeah or um and as as the the old army saying goes

if it ain't broke fix it until it is them going yeah i think key takeaways from today um

first one build your architecture diagrams or get somebody in there to do it for you but either way

it should be done um critical and will make your life a lot easier moving forward and then second

takeaway of course is always blame the intern so thank you very much for joining us today

please rate our podcast reach out let us know your comments ideas thoughts things that you

want us to talk about and we will address those in future episodes have a great day

pick up your copy of the cyber ants book on amazon today and if you're looking to

take your cybersecurity program to the next level visit us online at www.silentsector.com

join us next time for another edition of the cyber rants podcast

Episode #19 - Diagram Delight!

Send Us Your Questions & Rants!