Feb 14
ISACA North East Presentation

Cory Retherford (www.coryretherford.com)

Solutions Engineer, Spirion

Specializing in security architecture and data management.
Twenty years as an IT professional with focus in data security and operational data security risk reduction.
Real world solutions implementation experience in large and complex environments.

Abstract

This talk will discuss the critical steps and fundamentals in protecting sensitive data against data leaks. Narrowing the project scope and creating data awareness is critical for a security program's success. It will describe an approach to implementing a data steward project and the technical automation that helps drive information worker security awareness and concentrates resources on protecting critical systems holding personally identifiable information (PII).

Download the Presentation

TBD_ISACA_Presentation.pdf

Feb 10
Windows Admin Center Required Ports

When accessing a server through Windows Admin Center you may receive a Connection Error.

Open the inbound port TCP 5985.

 

Feb 08
Update Windows Admin Center Certificate

Update Windows Admin Center Certificate

Windows Admin Center provides a self-signed certificate that is valid for 60 days; after that, the browser accessing the console will generate access errors when authenticating. To avoid this you can create a new year-long certificate, which can also be installed on the desktops accessing the console.

  1. Install IIS on the Windows Admin Center server; it will be used to generate a self-signed certificate.
  2. Open IIS, select the Server Name, and double-click "Server Certificates".
  3. This opens the Actions pane for creating the "Self-Signed Certificate".
  4. Name the certificate "Windows Admin Center" and select "Personal". Click OK and the certificate will be created in the certificate store on the Windows Admin Center server.
  5. From within IIS, in Server Certificates, you will see the newly created TLS certificate.
  6. Right-click the name of the certificate and choose "Export" from the menu options.
    1. Export it to your desktop and provide a passphrase. Don't lose this passphrase; you will need it to install the certificate on the machines accessing the Admin Web Portal.
  7. Double-click the same certificate from within the Server Certificates view.
    1. This opens the certificate properties; choose "Details".
      1. Scroll down to the field named "Thumbprint".
        1. Copy this value; you will use it to update the thumbprint used by Windows Admin Center.
  8. Open "Apps & features" on the server.
  9. Select "Windows Admin Center" and choose Modify > Next > Change.
    1. Change the Thumbprint to the value copied previously.
    2. Click "Change".
      1. This updates Windows Admin Center to use the newly created certificate.

 

Windows Admin Center Certificate Installation on the Desktop

This process will enable you to browse to the Windows Admin Center over an "HTTPS" connection with a valid TLS certificate (RSA key, AES-256 bit encryption). This will reduce the number of password prompts and secure your connection.

 

  1. From the desktop, right-click the "Exported" certificate copied from IIS in step 6 and select "Install PFX".
    1. Choose Local Machine > Next > Next > supply the password you created in step 6 > choose "Place all certificates in the following store" > click Browse and select "Trusted Root Certification Authorities" > OK > Next > Finish.
  2. When you browse to the Windows Admin Center you will now have a valid TLS certificate "HTTPS" connection. This will reduce the number of password prompts and secure your connection.
Jan 02
Windows Server HTTP/2

In Windows Server 2019, a new set of features is available within IIS, some of which I mention here:

  • Improved coalescing of connections to deliver an uninterrupted and properly encrypted browsing experience.
  • Upgraded HTTP/2 server-side cipher suite negotiation for automatic mitigation of connection failures and ease of deployment.
  • The default TCP congestion provider was changed to Cubic to give you more throughput.

HTTP/2

HTTP/2 provides faster and safer web browsing as a result of new IIS hosting features. Windows Server 2016 originally added support for HTTP/2 in the native HTTP server, and Windows Server 2019 delivers further performance and security benefits to your web site deployments with HTTP/2. HTTP/2 reworks how HTTP semantics flow over TCP connections. It is a major upgrade after nearly two decades of HTTP/1.1 use and reduces the impact of latency and connection load on web servers. The major advance of HTTP/1.1 was the use of persistent connections to service multiple requests in a row; in HTTP/2, a persistent connection can service multiple simultaneous requests. In the process, HTTP/2 introduces several additional features that improve the efficiency of HTTP over the network.

With HTTP/1.1, each request required a dedicated TCP connection, potentially imposing several round trips to establish that connection. HTTP/2 improves on this by allowing a single TCP connection to be shared across many requests to the same web site, which is called multiplexing.

From within IIS there is an option to Disable HTTP/2, do not do it!

HTTP exchanges typically carry many HTTP headers, which often represent much more data than the actual payload. HTTP/2 uses HPACK, a header compression scheme built explicitly for HTTP header compression. This drastically reduces the amount of data that needs to be exchanged between client and server, which may also save round trips.

Dec 23
NHS (UK) Number Identity

Everyone registered with the National Health Service (NHS) in England, Wales and the Isle of Man has a unique patient identifier called an NHS Number. The modern style of NHS number was generally introduced in 1996, has been allocated to every newborn since July 1995, and became mandatory on 1 April 1997.

The NHS Number helps healthcare staff and service providers identify you correctly and match your details to your health records. The number will appear on most official documents.

Each NHS Number consists of up to 10 digits, shown in a 3-3-4 format. NHS numbers following the format XXXX 999 are no longer valid.

The Validation

The example NHS Number "9434765919" is used in the validation below.

  • The first digit is 9. This is multiplied by 10.
  • The second digit is 4. This is multiplied by 9.
  • And so on until the ninth digit (1) is multiplied by 2.
  • The result of this calculation is summed. In this example:
    • 9*10+4*9+3*8+4*7+7*6+6*5+5*4+9*3+1*2 = 299.
  • The remainder when dividing this number by 11 is calculated, yielding a number in the range 0–10, which would be 2 in this case.
  • Finally, this number is subtracted from 11 to give the checksum in the range 1–11, in this case 9, which becomes the last digit of the NHS number.
  • A checksum of 11 is represented by 0 in the final NHS number. If the checksum is 10 then the number is not valid.
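The check digit procedure above, implemented as an added Python example (not the blog's own code). It accepts the 3-3-4 spaced form as well as the bare ten digits, and treats the checksum 10 case as "no valid number exists", exactly as the last bullet states.

```python
from typing import Optional

def nhs_check_digit(first_nine: str) -> Optional[int]:
    """Expected check digit for the first nine digits of an NHS Number.

    Returns None when the weighted sum yields a checksum of 10, because
    no valid NHS Number can start with those nine digits.
    """
    if len(first_nine) != 9 or not first_nine.isdigit():
        raise ValueError("expected exactly nine digits")
    # digit one is weighted 10, digit two 9, ... digit nine 2
    total = sum(int(d) * w for d, w in zip(first_nine, range(10, 1, -1)))
    checksum = 11 - (total % 11)        # range 1..11
    if checksum == 11:
        return 0                        # 11 is written as 0
    if checksum == 10:
        return None                     # no valid number
    return checksum

def is_valid_nhs_number(number: str) -> bool:
    """Validate '943 476 5919' or '9434765919'; wrong length or check digit fails."""
    digits = number.replace(" ", "")
    if len(digits) != 10 or not digits.isdigit():
        return False
    expected = nhs_check_digit(digits[:9])
    return expected is not None and expected == int(digits[9])

def format_nhs_number(digits: str) -> str:
    """Render ten bare digits in the 3-3-4 layout used on documents."""
    return f"{digits[0:3]} {digits[3:6]} {digits[6:10]}"

if __name__ == "__main__":
    # the page's worked example: 299 % 11 = 2, 11 - 2 = 9
    print(format_nhs_number("9434765919"), is_valid_nhs_number("9434765919"))
```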
Dec 23
Passport Numbers Identities

In this blog, I explain the numerous ways to identify sensitive data. The main point in this posting is to articulate the complex nature of identifying sensitive data to comply with regulation, compliance, data governance, and data hygiene practices. In scenarios such as these, the advantages of using automated tools such as "Spirion.com" to augment manual approaches are obvious.

Passports and passport cards have numerous technologies built into the process of validating a subject such as myself, "Cory Retherford". Passports use numerous codes, which I will discuss in the following paragraphs, along with watermarks, steganography, RFID technologies (with a trust model similar to that of certificate authorities validating website TLS certificates for "HTTPS") and other approaches I'll address.

This information is not at all intended to help you create fake identities but is intended to explain the nature of how identities are secured and to inform you as a Cyber Security Expert "White Hat". For those others use TOR where the DOJ can track your bad habits.

Contextual Validation

The first two numbers indicate which passport office issued your passport or where you applied for the passport.

Pre-Fix       Passport Office
40            New Orleans
1             Washington
15, 20, 21    New Hampshire
60            Military
90            Diplomatic
Z or 70       Temporary

 

The format of the first row is:

Positions  Length  Characters  Meaning
1          1       alpha       P indicates a passport, C indicates a Passcard
2          1       alpha+<     Type (for countries that distinguish between different types of passports)
3–5        3       alpha+<     Issuing country or organization
6–44       39      alpha+<     Surname, followed by two filler characters, followed by given names

 

In the name field, spaces, hyphens and other punctuation are represented by <, except apostrophes, which are skipped. If the names are too long, names are abbreviated to their most significant parts. In that case, the last position must contain an alphabetic character to indicate possible truncation, and if there is a given name, the two fillers and at least one character of it must be included.

The format of the second row is:

Positions  Length  Characters    Meaning
1–9        9       alpha+num+<   Passport number
10         1       numeric       Check digit over digits 1–9
11–13      3       alpha+<       Nationality (ISO 3166-1 alpha-3 code with modifications)
14–19      6       numeric       Date of birth (YYMMDD)
20         1       numeric       Check digit over digits 14–19
21         1       alpha+<       Sex (M, F or < for male, female or unspecified)
22–27      6       numeric       Expiration date of passport (YYMMDD)
28         1       numeric       Check digit over digits 22–27
29–42      14      alpha+num+<   Personal number (may be used by the issuing country as it desires)
43         1       numeric+<     Check digit over digits 29–42 (may be < if all characters are <)
44         1       numeric       Check digit over digits 1–10, 14–20, and 22–43

 

U.S. Passport numbers must be between six and nine alphanumeric characters (letters and numbers).

The "C" that precedes a U.S. Passport Card number is no longer case sensitive.
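As an added example (not the blog's own code), here is a Python parser for the two MRZ rows laid out in the tables above. It assumes the ICAO 9303 check digit algorithm (weights 7, 3, 1 repeating, sum modulo 10, with A–Z valued 10–35 and < valued 0), which the page names but does not spell out; the sample rows are the published ICAO 9303 specimen for the fictional state of Utopia.

```python
def char_value(c: str) -> int:
    """Value of an MRZ character: 0-9 as digits, A-Z as 10-35, '<' as 0."""
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"invalid MRZ character {c!r}")

def check_digit(field: str) -> int:
    """ICAO 9303 check digit: weights 7,3,1 cycling over the field, modulo 10."""
    weights = (7, 3, 1)
    return sum(char_value(c) * weights[i % 3] for i, c in enumerate(field)) % 10

def parse_td3(line1: str, line2: str) -> dict:
    """Parse both 44-character rows; slices follow the 1-based tables above."""
    if len(line1) != 44 or len(line2) != 44:
        raise ValueError("TD3 rows must be exactly 44 characters")
    # name field: surname, two fillers, given names; '<' stands for a space
    surname, _, given = line1[5:44].partition("<<")
    # final check digit covers positions 1-10, 14-20 and 22-43
    composite = line2[0:10] + line2[13:20] + line2[21:43]
    personal, personal_cd = line2[28:42], line2[42]
    personal_ok = (personal_cd == "<" and personal == "<" * 14) or (
        personal_cd.isdigit() and check_digit(personal) == int(personal_cd))
    return {
        "document_type": line1[0],                 # P = passport, C = passcard
        "issuer": line1[2:5].replace("<", ""),
        "surname": surname.replace("<", " ").strip(),
        "given_names": given.replace("<", " ").strip(),
        "passport_number": line2[0:9].replace("<", ""),
        "nationality": line2[10:13].replace("<", ""),
        "birth_date": line2[13:19],                # YYMMDD
        "sex": line2[20],
        "expiry_date": line2[21:27],               # YYMMDD
        "personal_number": personal.replace("<", ""),
        "checks": {
            "passport_number": check_digit(line2[0:9]) == int(line2[9]),
            "birth_date": check_digit(line2[13:19]) == int(line2[19]),
            "expiry_date": check_digit(line2[21:27]) == int(line2[27]),
            "personal_number": personal_ok,
            "composite": check_digit(composite) == int(line2[43]),
        },
    }

# Sample input: the ICAO 9303 specimen MRZ for the fictional state "Utopia".
SAMPLE_LINE1 = "P<UTOERIKSSON<<ANNA<MARIA<<<<<<<<<<<<<<<<<<<"
SAMPLE_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"

if __name__ == "__main__":
    result = parse_td3(SAMPLE_LINE1, SAMPLE_LINE2)
    print(result["surname"], result["given_names"], result["checks"])
```

A scanner that flags nine-character "passport numbers" without recomputing the check digits will raise false positives on ordinary serial numbers; the `checks` dictionary is what separates a plausible MRZ from noise.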

RFID Verification Process

If you have ever been to the airport or through customs, TSA first visually inspects and/or scans the MRZ of the passport. This printed information contains the basic access control keys needed to "unlock" the embedded chip.

  • The scanning device then sends this info to the chip via RFID.
  • The chip responds with all pertinent data verification which includes a cryptographic signature.
  • The verification process verifies the public keys belonging to the US State Department maintained by ICAO.
  • This process also includes checking the revocation list, also maintained by ICAO.
  • The passport is then verified as it would be when verifying any secure website (HTTPS) using a TLS certificate by a CA.

For other nations such as India and the Maldives, for example, the first digit is alphabetic and the remaining seven digits are numbers.

Many organizations can verify Passports using services such as - https://protect.hooyu.com/document/verify/passport

Dec 23
Social Security Number Identity

In this blog, I explain the numerous ways to identify sensitive data. The main point in this posting is to articulate the complex nature of identifying sensitive data to comply with regulation, compliance, data governance, and data hygiene practices. In scenarios such as these, the advantages of using automated tools such as "Spirion.com" to augment manual approaches are obvious.

The Social Security Number (SSN) is divided into three parts consisting of 9 digits.

  • The first three digits (the "area code") indicate the State or territory where the SSN was assigned; the remaining digits are randomly assigned.
  • The second set of two numbers are the "group numbers".
  • The third set of four numbers is a numerical sequence of digits 0001 to 9999.

Notes

  • Effective June 25, 2011, the SSA began a new randomized assignment methodology called "SSN Randomization", in an effort to extend the longevity of the nine-digit SSN nationwide and for security, since randomization makes newly assigned SSNs more difficult to reconstruct using public information. Unused area numbers previously assigned to states, as well as previously unassigned area numbers, are now available in the randomization system.
  • 700-728: issuance of these numbers to railroad employees was discontinued July 1, 1963.
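The structural rules above, as an added Python example (not the blog's own code): a plausibility filter of the kind a sensitive-data scanner applies before reporting a nine-digit match, plus an area lookup against a constructed subset of the area code chart in the next section. Group 00 being never assigned is a known SSA rule that the page does not state; the chart lists the never-valid area as "0", which the code treats as 000.

```python
import re
from typing import Dict, Optional, Tuple

SSN_PATTERN = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")

# Constructed subset of the chart below (pre-randomization assignments only).
AREA_CHART: Dict[Tuple[int, int], str] = {
    (1, 3): "New Hampshire",
    (449, 467): "Texas", (627, 645): "Texas",
    (545, 573): "California", (602, 626): "California",
    (700, 728): "Railroad Board",
    (729, 733): "Enumeration at Entry",
}

def ssn_parts(candidate: str) -> Optional[Tuple[int, int, int]]:
    """Split into (area, group, serial); None if not nine digits in 3-2-4 layout."""
    m = SSN_PATTERN.match(candidate.strip())
    if not m:
        return None
    area, group, serial = (int(x) for x in m.groups())
    return area, group, serial

def ssn_is_plausible(candidate: str) -> Tuple[bool, str]:
    """Apply the never-valid rules from the chart and the 0001-9999 serial rule."""
    parts = ssn_parts(candidate)
    if parts is None:
        return False, "not nine digits in 3-2-4 layout"
    area, group, serial = parts
    if area == 0 or area == 666 or 900 <= area <= 999:
        return False, f"area {area:03d} is never valid"
    if group == 0:
        return False, "group 00 is never assigned"
    if serial == 0:
        return False, "serial must be 0001 to 9999"
    return True, "structurally plausible"

def area_location(area: int, issued_after_randomization: bool = False,
                  chart: Dict[Tuple[int, int], str] = AREA_CHART) -> str:
    """State for an area code; meaningless for SSNs assigned after June 25, 2011,
    when SSN Randomization decoupled the area code from location."""
    if issued_after_randomization:
        return "randomized (area carries no location)"
    for (low, high), name in chart.items():
        if low <= area <= high:
            return name
    return "not in chart subset"

if __name__ == "__main__":
    for sample in ("123-45-6789", "666-12-3456", "123-00-1234"):  # constructed
        print(sample, ssn_is_plausible(sample))
```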

Social Security Number "Area Code" Number Chart

The first three digits of a Social Security Number correspond to locations as follows:

Pre-Fix                                        State
001-003                                        New Hampshire
004-007                                        Maine
008-009                                        Vermont
010-034                                        Massachusetts
035-039                                        Rhode Island
040-049                                        Connecticut
050-134                                        New York
135-158                                        New Jersey
159-211                                        Pennsylvania
212-220                                        Maryland
221-222                                        Delaware
223-231, 691-699                               Virginia
232-236                                        West Virginia
232, 237-246, 681-690                          North Carolina
247-251, 654-658                               South Carolina
252-260, 646-647, 667-675                      Georgia
261-267, 589-595, 766-772                      Florida
268-302                                        Ohio
303-317                                        Indiana
318-361                                        Illinois
362-386                                        Michigan
387-399                                        Wisconsin
400-407                                        Kentucky
408-415, 756-763                               Tennessee
416-424                                        Alabama
425-428, 587-588, 752-755                      Mississippi
429-432, 676-679                               Arkansas
433-439, 659-665                               Louisiana
440-448                                        Oklahoma
449-467, 627-645                               Texas
468-477                                        Minnesota
478-485                                        Iowa
486-500                                        Missouri
501-502                                        North Dakota
503-504                                        South Dakota
505-508                                        Nebraska
509-515                                        Kansas
516-517                                        Montana
518-519                                        Idaho
520                                            Wyoming
521-524, 650-653                               Colorado
525, 585, 648-649                              New Mexico
526-527, 600-601, 764-765                      Arizona
528-529                                        Utah
530, 680                                       Nevada
531-539                                        Washington
540-544                                        Oregon
545-573, 602-626                               California
574                                            Alaska
575-576, 750-751                               Hawaii
577-579                                        District of Columbia
580                                            Virgin Islands
580-584, 596-599                               Puerto Rico
586                                            Guam
586                                            American Samoa
586                                            Philippine Islands
700-728                                        Railroad Board
729-733                                        Enumeration at Entry
237-246, 587-665, 667-679, 681-699, 750-772    Officially: Not Issued
734-749, 773-899                               Unknown
0, 666, 900-999                                Never valid numbers

Oct 30
Spirion Searching USB Devices

USB Devices

A USB device is handled the same way as a local workstation drive or file server location. When it's inserted it creates a mount, which Spirion can then scan as a local drive. A user can then perform various remediation actions such as Redact, Shred, Encrypt, etc., which you can see here in the client's set of actions.

Searching Removable Drives

The Removable Drives button specifies that Spirion will search the currently mounted USB drives and devices.  These drives are typically flash drives, thumb drives, even mp3 players.  If this option is selected, the Removable Drives button on the Locations ribbon will be highlighted.

Encrypting Personal Information

When a location has sensitive data match information in it and you wish to keep the item and securely keep the personal information, you can utilize the Encrypt feature.  

The Encrypt button is located on the Main ribbon. When Spirion locates a Data Match in any of the following location types, you will be able to use the Encrypt feature to protect your data: Microsoft Office Files, Microsoft Access Databases, Compressed Files, Adobe Acrobat PDF Files, Outlook, Cloud repositories, and many other file types.

Searching File Locations

File Locations are enabled if you enable searching for Files.  You may select whether you want to search within your My Computer (which includes all of your hard drives), your My Documents (including User Settings), your removable drives (any drive connected to your computer via USB), your Cloud Folders (the local storage location for folders synchronized with cloud storage services such as Dropbox or Microsoft OneDrive), Custom Folders of your choice, or entire other Remote Machines.  Once specified, Spirion will search for files (for example Common File Types or a Custom file type list) and optionally Compressed Files within those drives or folders and all of their subfolders.  Your currently selected option will be highlighted.

Sep 28
Cyber Security Summit New York 2018 - PANEL 3: Protecting your Enterprise from the Human Element: Your Employees and Corporate Spies

Cory Retherford is an experienced information security practitioner and information technology thought leader with more than 20 years of experience. He has led many large data access and security stewardship projects through successful adoption.

As a Solutions Engineer for Spirion, Cory provides architectural expertise to augment and expand upon data stewardship using Spirion to meet compliance and reduce the risk of data loss by implementing controls such as data classifications and user awareness.

Prior to Spirion, Retherford spent 17 years in Higher Education in management and as an architect. His vast real world operational data security experiences in varied environments will bring insight to the discussion around the complex process to secure data.

Specializing in security architecture and data management. Twenty years as an IT professional with focus in data security and operational data security risk reduction. Real world solutions implementation experience in large and complex environments.

PANEL 3: Protecting your Enterprise from the Human Element: Your Employees and Corporate Spies https://cybersummitusa.com/newyork18/


With 90% of organizations feeling vulnerable to insider attacks and a majority of organizations confirming insider attacks against their organizations in the past 12 months, insider threat proves to be even more virulent than malicious attacks by actors beyond your network walls. On your payroll in one way or another, these dissatisfied employees, corporate spies and the like have the means to harm your business. These insiders also have the ability to cause harm without meaning to! This panel will enlighten you on what insider threat and corporate espionage put at risk in your business. You will learn how to identify threats inside your business (malicious and accidental) and leave with strong takeaways that will allow you to fortify your company defenses.

Moderated by Sean O'Brien, President & CEO, @RISK Technologies, Inc.


Aug 14
Explorer.exe Verbose Logging

If Explorer.exe is crashing and you are unable to identify the root cause, you can implement Explorer verbose logging by adding the following to the Windows registry. When explorer.exe crashes it will create a DMP file at C:\CrashDumps.

 

  1. Copy and paste the following into Notepad and save it as a .reg file:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\explorer.exe]
    "DumpFolder"=hex(2):43,00,3a,00,5c,00,43,00,72,00,61,00,73,00,68,00,44,00,75,\
      00,6d,00,70,00,73,00,00,00

  2. Right-click the .reg file and select "Merge" to add it to the registry.
  3. Replicate the process that causes Explorer to crash, then review the .dmp file located in the C:\CrashDumps folder.

 

You can use this information to debug the Explorer.exe crashes further.
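The DumpFolder value in the .reg file above is a hex(2) (REG_EXPAND_SZ) byte list, which is hard to read by eye. As an added example (not the blog's own code), the Python below decodes it so the target folder can be confirmed before the file is merged into the registry, and encodes a different folder without hand-assembling the UTF-16 bytes.

```python
def decode_reg_hex(value: str) -> str:
    """Turn a 'hex(N):aa,bb,...' .reg value into the string it encodes.

    Handles the backslash-newline continuations that .reg files use for
    long values; REG_EXPAND_SZ / REG_SZ data is UTF-16LE with a NUL terminator.
    """
    body = value.split(":", 1)[1]
    body = body.replace("\\\n", "").replace("\n", "").replace(" ", "")
    raw = bytes(int(pair, 16) for pair in body.split(",") if pair)
    return raw.decode("utf-16-le").rstrip("\x00")

def encode_reg_hex(text: str, reg_type: int = 2) -> str:
    """Encode a string as a hex(N) .reg value (UTF-16LE plus terminating NUL)."""
    raw = (text + "\x00").encode("utf-16-le")
    return f"hex({reg_type}):" + ",".join(f"{b:02x}" for b in raw)

# The DumpFolder value exactly as it appears in the .reg file above,
# including its line continuation.
DUMP_FOLDER_VALUE = (
    "hex(2):43,00,3a,00,5c,00,43,00,72,00,61,00,73,00,68,00,44,00,75,\\\n"
    "00,6d,00,70,00,73,00,00,00"
)

if __name__ == "__main__":
    print(decode_reg_hex(DUMP_FOLDER_VALUE))        # C:\CrashDumps
    print(encode_reg_hex("D:\\ExplorerDumps"))       # constructed alternative folder
```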

 

Copyright © CoryRetherford, LLC | Network Storage and Security Solutions, LLC. Rights Reserved.®