Saturday, April 6, 2013

Book Review: Joker One

Joker One: A Marine Platoon's Story of Courage, Leadership, and Brotherhood


 by Donovan Campbell 
Narrated by: David Drummond
Publisher: Tantor Media
Date Published: Apr 9, 2009
Total Length: 11 Hours, 41 Minutes

Publisher: Random House
ISBN: 1400067731
Date Published: March 10, 2009
Number of Pages: 336


 I first heard about Joker One on NPR during an episode of Fresh Air with Terry Gross interviewing Donovan Campbell.  I was struck by the depth of character and conviction to responsibility that I heard in this interview.  Several weeks later, I remembered listening to the interview and decided to download the audio book.  Wow.  I was not disappointed.  Impressed by not only the quality of the story itself but also the quality of the story telling.  First Lt. Donovan Campbell of 1st Platoon, Company G ('Golf'), 2nd Battalion, 4th Marine Regiment, led a group of 40 marines in 2004 during the beginning and the height of the insurgency.  They were stationed in Ramadi and had to deal with much of the fallout from the first and second battles of Fallujah.  Ramadi soon came to be labelled the most dangerous place in Iraq.

The book tells of Campbell's officer training at Quantico, his first days on the job as Lieutenant of his infantry platoon (call sign 'Joker One'), building relationships and respect with his men, patrolling the streets in Ramadi during some of the most intense resistance of the Iraq war, and returning to 'normal' life back home after serving in combat. 'Golf' Company suffered a 50% casualty rate, which exceeded that of any other Marine or Army combat unit since Vietnam.  

Throughout this book it is clear that Campbell truly embraces the meaning of "servant leader".  This excerpt taken from page 5 has truly profound insight: 

"If you are a Marine lieutenant in a firefight, a situation that's probably as good a proxy as any for hell, then it's your job to figure out at least 50 to 70 percent of what is going on around you so that you can make intelligent decisions, which translate into good orders, which lead to focused, effective and decisive action.  This whole process needs to be rapid to be relevant, but if you're too hasty, then you can lead your men to their deaths, all the while believing you are leading them to safety.  It's not an easy tension to manage on an ongoing basis.

"However, it can be done, and to do it well you must have absolutely no concern for your own safety.  You can't think of home, you can't miss you wife, and you can't wonder how it would feel to take a round through the neck.  You can only pretend that you're already dead and thus free yourself up to focus on three things: 1) finding and killing the enemy, 2) communicating the situation and resulting actions to adjacent units and higher headquarters, and 3) triaging and treating your wounded.  If you love your men, you naturally think about number three first, but if you do you're wrong.  The grim logic of combat dictates that numbers one and two take precedence."

Reflections

The stories told in Joker One are so vivid that I can recall many of the details even though it has been a while since I first listened to this book (I also bought a hard copy soon afterward to refer back to).  A few of the things that really stand out to me include: 

Split Second Decisions - As seen in the excerpt above, being willing to make the tough calls in the midst of chaos and without having all of the facts laid out in from of you is an amazing skill.  It is difficult to say whether decisions made in such circumstances are the "right" decisions.  But the lesson I get from this is that being able to act now and continually adapt is often more critical than the time lost through hesitating over the "right" decision.

Mastery of Details - When Joker One arrived in Kuwait and were preparing to launch into Iraq, they spent time going over and over things that most people probably wouldn't think as being all that important.  For example practicing dismounting from vehicles, as described on page 71: 

"In our world, basic tasks have to be repeatedly rehearsed in conditions mimicking predicted combat scenarios as faithfully as possible.  For example, you can never be sure which small detail might mean the difference between exiting a vehicle caught in an enemy ambush kill zone in two seconds or in ten.  That kind of time differential can be fatal.  Where is the door handle on the seven-ton truck?  Do you have to pull it up or down to get out?  How far is the drop out of the truck bed, and where exactly do you need to put your feet before you hurl yourself out the door?  Once all the little questions have been answered, those answers must be practiced again and again until they become muscle memory.  The Marines didn't like the mind-numbingly repetitive nature of such drills, and they didn't exactly love the squad leaders and me for putting them through the endless rehearsals, but every time we did something tedious and painful, we tried to lay out the reason behind the drills to everyone.  I became amazed at how much my men would tolerate if someone just took the time to explain the why of it all to them"

Trusting Your Team - One of the situations Joker One ran into while patrolling was when a group of kids started throwing rocks at his men.  The men radioed up to Campbell at the front of the patrol that the rocks were really starting to hurt.  While he was thinking about how to handle the situation, one of his men radioed back and said the situation was under control.  The men had gained the aid of an old Iraqi man who scolded the children and they ran away.  As a leader, you won't have the answer to every dilemma that pops up.  So it is important to train your team on the principals you want them to follow and allow them to think for themselves.

Succession Planning - Keeping an eye open for future leaders and take time to build on their talent.  There's a great example on page 22 talks about Campbell's first encounter with with Lance Corporal Carson on a training hike, carrying two packs and pushing another Marine up hill and shouting at him not to fall out.  Carson was later promoted to a team lead.

Dedication to the Mission - Campbell gave a recent interview with Steve Paulson, 10 Years in Iraq, where he recalls one of the events described in the book when the insurgents attacked his platoon.  The rocket-propelled grenade (RPG) that was fired at his men miss them, but instead detonated in a group of school children.  Campbell had the option of getting his men out of the situation, which meant abandoning the injured children or digging in, setting up a perimeter and helping the kids, which most likely meant facing another attack.  I'll let you listen to the interview (or read the book) to hear what happened.
Not only was I impressed by the stories told by Joker One, but what really stands out to me is the contrast I see to my own life.  In 2004, I had been out of college for a little while and making decent money for the first time in my life, and really just living the life of a slacker.  Reading this book gave me a lot more respect for the challenges that young soldiers in the armed forces have to go through and the character it can build.  I like to think of myself as someone who is up for a challenge, strong, courageous; but this book puts me to shame.  I don't think I could have made it Iraq.  However, I truly value the lessons shared within the pages of Joker One.

 This book should be required reading for anyone leading a team to understand the amount of care that must be invested in your team.
 
The Leader's Code

I am anxiously waiting for Donovan's newest book, The Leader's Code: Mission, Character, Service, and Getting the Job Done to arrive.  I pre-ordered it last week and I'm looking forward to digging through it for more valuable leadership lessons.  Stay tuned for another book review!

Posted by at No comments:
Labels: , , , , , ,

Friday, April 5, 2013

Social Media H@x0rz

Someone once told me that they had just signed up for a Facebook account.  My reaction was to ask "Why?"  This person responded that weren't sure why they signed up, but surely 200 million people (at that time) couldn't be wrong.  That was several years ago and millions of people were rushing to sign up.  As of this writing there are somewhere north of 1 billion Facebook accounts.

This is a great video to help drive home the point that if you post information online, it is not private.

Hahaha... I guess all the H@x0rz really do wear ski masks!

Posted by at No comments:
Labels: , ,

Thursday, April 4, 2013

Don't Surrender to Your Smartphone, Part 2


See the original Smartphone rant here.

Gotta love Meme Generator!


http://memegenerator.net/
Posted by at No comments:
Labels: , ,

Wednesday, March 27, 2013

Windows Firewall with Advanced Security

I don't know very many people that take the Windows Firewall seriously.  That's too bad because the Windows Firewall with Advanced Security in Windows Vista, 7, Server 2008, and newer operating systems has some features that can help you baseline what "normal" traffic is on your systems.  

Below is a sample script I use when building out a 2008R2 server. (Yeah, I know Netsh is supposed to be going away, so maybe I'll re-write this in PowerShell for a future post.)

Configure Logging 

First of all I want to turn on logging for everything inbound and outbound.  By default, the settings for logging are disabled (only verified this for Windows 7 and Server 2008R2).  I want to set the log size to the max 32 MB and log all dropped and allowed connections.  

Sample Script:



This is important because the default firewall settings only drop inbound connections that do not explicitly match a defined rule.  Outbound connections are allowed anywhere, anytime by default.  (I'll come back to this topic in another post later.)



Disable Unused Rules

Also, best practice is to disable anything you aren't using, and since I'm not running IPv6 on my network, I want to disable all of the IPv6 related rules.  It is always good to double check that IPv6 is actually unchecked on your NIC as well.


Sample Script:




ICMP Echo Request

Next I want to enable the default echo request rule so I can ping this new server. 

Sample Script:



There may be some other rules that you should disable depending on your environment, (such as DCHP or IGMP), but this should provide a decent example to get started with Netsh and the Windows Firewall with Advanced Security.
Posted by at No comments:
Labels: , , , , , , , ,

Monday, March 25, 2013

Product Review: Ibex 17 Inch Notebook Backpack

The Ibex 17 Inch Notebook Backpack by Swiss Gear is a fantastic backpack.  I ordered one of these from Amazon.com to have something to carry around the 17" Dell Inspiron N7110 I've been using lately.  There are pockets all over the place and even the smaller pockets are a lot bigger than they look.  The 17" laptop actually fits really well.  It is built well, very sturdy and still fairly lightweight.
 



This thing is like a portable file cabinet.  There is enough room for the laptop, several text books, file folder, phone charger, snacks, water bottle, power cable, patch cables, spare hard drives, an assortment of USB cables/dongles/connectors, CD/DVD case full of disks, pens, pencils, flashlight, screw drivers, leatherman, wifi hotspot, sticky notes, more snacks and some paper clips just in case I need to pull a MacGyver at some point.


 I've had this Ibex for several months and use it on a daily basis back and forth to the office and on several out of town trips.  The only real downside for me is that it doesn't have a chest buckle which would be nice for longer hikes.
Posted by at No comments:
Labels: , , , ,

Saturday, March 23, 2013

SANS 2013 Orlando

SANS 2013 was great, but I'm certainly glad to be back home.  It was a long week of sitting in conference rooms from sun up to sun down listening to some of the brightest instructors in InfoSec.  I really enjoy the quality of the conferences that SANS provides.

GIAC Intrusion Analyst (GCIA) Job Task Analysis (JTA)

It was an honor to be selected to participate in the JTA session.  The JTA is a way for GIAC to double check the correlation of their certification exam scores to the actual job skills that SANS is trying to teach.  I flew in a day early to take part in the exercise. I enjoyed the opportunity and hopefully get to help out again in the future.  And, I got to meet Judy Novak.

 SEC504: Hacker Techniques, Exploits and Incident Handling

This is the fourth class I've taken from SANS, so I pretty well knew what to expect.  SEC504 covered a lot of material, but much of the material felt familiar to me already, just more depth and insight into the attack techniques that are readily available.  For a lot of the attacks out there today, there really aren't very many good defenses.  So I guess numero uno on the list for things I learned at SANS 2013 isn't really something new, but something old and very foundational to InfoSec.  
 - Use common sense to limit who has access to systems and data in your environment.
 - Baseline your environment so that you know what is "normal" in terms of ports being used and processes running on your systems.
 - Don't reuse the same password for local administrator accounts across your organization.
 - Use host-based firewalls to prevent compromised systems from being able to easily pivot to other systems on the same subnet.
 - I also picked up a Teensy to play around with for physical testing.

Now I just have to get busy studying for the GCIH exam... 

APT: It is Not Time to Pray, It is Time to Act - Dr. Eric Cole

Dr. Cole is an excellent speaker and easy for me to pay attention to.  His tone and cadence in his presentations are very academic, but at the same time very candid and realistic.  He doesn't come across as somebody that is trying to wow you with his vast knowledge of InfoSec.  He seems to genuinely care about the material he is presenting and willing to do whatever it takes to make that material interesting and tangible to his audience.  The content of the keynote for SANS 2013 wasn't so much about all of the APT hype as it was a very focused warning of the need to master the basics of InfoSec before we will really be able to win against the attackers.  

Dr. Cole outlined 5 steps to improving security posture and being able to react to indicators of compromise more efficiently.

 1. Identify Critical Data - Align critical assets with threats and vulnerabilities to focus on risk.  Using Risk Based Thinking - What is the risk? Is it the highest priority risk? Is it the most cost effective way of reducing the risk?
2. Align the Defense with the Offense - The areas that defense currently focuses on are not the same as what the offense is focusing on.
3. Know thy Organization - You Cannot Protect What You Do Not Know About.  Organizations need accurate up-to-date network diagrams and network visibility maps, focus on configuration management and change control.
4. Defense in Depth
    a) Inbound Prevention
    b) Outbound Detection
    c) Log Correlation
    d) Anomaly Detection
5. Common Metrics - Use the 20 Critical Controls!

 Vendor Expo

Eh, not much to say here other than some vendors had some boths set up with some trinkets and trash on display.  And now my inbox and voicemail are full of messages that I don't really need.

Social Zombies: Rise of the Mobile Dead - Kevin Johnson

Yeah, I know social media is out to get me.  Really, duck face?

 Introduction to Windows Kernel Exploitation - Stephen Sims

This is one area that I have no experience with.  Stephen did a great job of taking a difficult subject and explaining it so that I could follow along.

How to Become a SANS Instructor - Eric Conrad - Lunch-n-Learn 

 Eric has an interesting story about how getting involved with SANS boosted his career and opened up the door of opportunity.  I've thought about signing up for the Mentor program, maybe this was persuasive enough to get me to send in the application?

 ADHD and Samurai - John Strand and Kevin Johnson

The Active Defense Harbinger Distribution (ADHD) is pretty cool.  It is a Linux distro built around the idea of making life difficult for the bad guys.  It focuses on Annoyance, Attribution and Attack.  Some of the fun features include infinitely recursive directories, seeding honeytokens with call-home commands so that you can locate where your data has be exfiltrated, and setting up the signed Java applet attack in Metasploit to actually exploit the attacker.  There is a great write up of Paul Asadoorian and John Strand's RSA presentation here.

 The Samurai Web Testing Framework (WTF) is also a nifty Linux distro with a series of tools to assist in web app pen testing.

 Hacking You Friends and Neighbors For Fun - Joshua Wright 

Very entertaining.  If you haven't seen this talk yet, check out the slides here.

 InfoSec in the Financial World: War Stories and Lessons Learned - Bryan Simon

Bryan make the case for improving the information sharing of financial institutions with regards to adversaries, attacks and defense strategies.  Ironically, on his way to the conference, half his slides were yanked by his legal department so that he wasn't able to share some of the stories he wanted to.  The best part about this session were all of the conversations that started up afterwards.

NetWars Tournament

 Wow, this was my first time at Netwars.  I wasn't really sure what to expect here.  All I can say is, there are some wicked smart people at SANS and I need some more practice.
Posted by at No comments:
Labels: , , , , , ,

Wednesday, March 20, 2013

Surprising Results Improving Weak Passwords

Last year I saw a presentation by John Strand of Black Hills Information Security titled "Everything They Told Me About Security Was Wrong" during which he talked about how ridiculously easy it is to crack most people's passwords.  John gave several examples about how the typical alpha-numeric-special-character complexity requirements mandated by most security frameworks or regulations are actually making it easier to break into and harder on users to remember their passwords. 


Then along came correct horse battery staple.  Just for reference, here are a few examples from the Brute Force Calculator (these examples are based on a system running an Intel i7-2600K CPU @ 3.40GHz).

Password
Length		 Password
Type		 Character Set Total Key Space
(password combinations)		 Time Required
to Brute Force
7NT MD4Mixed Alpha Numeric All6.5545E+13 15 days
8NTLMv2Mixed Alpha Space6.3456E+1315 days
8NT MD4Mixed Alpha Numeric All6.16123E+154 years
15NT MD4Mixed Alpha Space7.45436E+25 50 billion years
15NTLMv2Mixed Alpha Space7.45436E+252 trillion years
18NTLMv2Mixed Alpha Space1.10978E+31357 quadrillion years
19NTLMv2Mixed Alpha Space5.88185E+3219 quintillion years
20NTLMv2Mixed Alpha Space3.11738E+341 sextillion years

 Implementing the Changes

 So, I decided to see if I could get my organization to go along with the idea of much longer but less complex passwords.  There were two parts to implementation, the first was the social/political side of things, getting the right approvals internally to change the policy, explaining to users why the change was good for them and the company, and convincing the auditors that this change actually improves security.

 The second part was configuring Windows Group Policy to enforce the new policy.  This turned out to be not as straight forward as I expected.  Using the Windows GPO Editor to set passwords minimum length stops at 14.


Some Google-fu netted me this result that provides a couple of examples for fixing Microsoft's shortsightedness for improving password security.

Joeware's ADMod tool makes it easy to modify the Default Domain Policy, here's the command to set the minimum length to 15 characters

    admod -default minpwdlength::15


Then to see if it worked...



Dealing With Auditors

 You know you are going to have a fun time when an IT auditor asks a question like, "Can you explain how to read this network diagram?" Another point John made during his prezi, was that no organization is ever 100% compliant with every applicable regulation or security requirement.  No one.  So what happens when your organization doesn't meet the specific letter of the law for a particular requirement?  You implement a compensating control.  After walking through a few examples of password cracking tools, such as John the Ripper and Cain/Abel, it wasn't as tough a sell as I was expecting.

 Results

 The auditors signed off for the changes to the password policy without too much trouble. The auditors weren't the only concern I had about changing the policy.  My guess was that these changes were going to create a problem for users as well as IT having to do account unlocks all the time.  After having this policy in place for several months now, one of the biggest surprises I found from going through this exercise is that account lockouts are currently at an all time low across the entire company.  That is what you call a Win-Win!
Posted by at No comments:
Labels: , , , , , ,
Subscribe to: Posts (Atom)