Your browser is out of date.

You are currently using Internet Explorer 7/8/9, which is not supported by our site. For the best experience, please use one of the latest browsers.

866.430.2595
Request a Consultation
banner

TOWER DEFENSE: BASIC CIS CONTROLS FROM THE ATTACKER’S PERSPECTIVE Transcript Watch On-Demand Now

Lisa Remsa [00:00:07] Good morning, everyone and welcome to today's true top webinar. Thank you for joining us. My name is Lisa Remsa, and I am the marketing manager here at true digital security and I have the pleasure of being today's webinar host. Today. We are presenting Tower Defense basic CIS controls from the Attacker’s Perspective and it's going to be presented by Josh Bozarth our security testing services manager and Aaron Moss a True Security consultant. 

Lisa Remsa [00:00:33] So just a little housekeeping before we get started. If you have any questions during the presentation, please type them into the question box in your Go To Webinar control panel will try to address all questions at the end of the webinar. So stick around to hear those if we don't get to all the questions will make sure to respond by email post Weber. There will also be a recorded version of this webinar available on demand and you can view that at TrueDigitalSecurity.com forward slash webinars as well. Now without further ado. 

Lisa Remsa [00:01:02] Turn the time over to Josh and Aaron. 

Aaron Moss [00:01:40] Good morning, everybody. This is Aaron Moss. And Josh Bozarth are True Digital Security Consultants. Today. We want to talk to you about the basics is controls from our perspective, the attacker’s perspective, and kind of what that means for what it looks like for your organization's when you don't have these implemented and why you should implement them. Josh you have anything to add to that? 

Josh Bozarth [00:02:08] No, we're going to have some fun today, hopefully and basically we're going to try to give you an idea of how we look at that from a penetration testing standpoint how we would attack things and how these controls can help hopefully mitigate or defeat some of those things that we would run into.

Aaron Moss [00:02:28] Now. Let me just apologize up front. You guys are actually getting the practice version of this webinar today. So kind of like Microsoft We Roll stuff out. 

Aaron Moss [00:02:38] Possibly before it's ready, but I think we're pretty much good to go. We will see. 

Josh Bozarth [00:02:46] Alright, so as you heard, I'm Josh Bozarth on the security testing services manager here at True Digital Security. So I manage the group. I helped with all the scheduling and getting the projects going. I still do the work as well and I had a varied history and technology and it so starting with a journalism degree because every IT person he's a journalism degree.

Aaron Moss [00:02:53] helps with writing report. 

Josh Bozarth [00:02:58] It does and editing as well.

Josh Bozarth [00:03:17] Any PowerPoint presentations apparently and then you know going through the motions of through the sysadmin ranks. 

Josh Bozarth [00:03:24] I was an engineer at one point day to Datacenter jockey transition to Consulting and auditing and now I get to tell Aaron what to do.

Aaron Moss [00:03:36] so I'm Aaron Moss started at Blockbuster on the Twitter's started in help desk work my way into it and network system via the administration stuff like that, became an IT director eventually for about four years and then I started here they screwed up and hired me as a security consultant and now they can't get rid of me and we're doing this. Also, I'm one of the B-Sides coordinators for B-Sides Oklahoma, and we're having that on April 10th, so get registered and come see me. 

Aaron Moss [00:04:04] We at B-Sides ok.com. So today's discussion. We're basically covering. Like I said beginning the basic CIS controls. It's the first six controls of the center for Internet Security. 

Aaron Moss [00:04:23] What used to be the Sans top 20 critical security controls rolled over to the CIS security controls now and so the basic of the verse 6, and these are the things that you To do as an organization to stop probably I'd say a good 70% of the attacks that we can pull off on your network, whether that be internal or external and even helps with some social engineering attacks from a technical perspective as well. And so this goes over is it says how we use these that we use the lack of these controls to basically cause complete havoc on your network and sometimes do it silently as you'll see in control 6 and some implication in implementation. 

Aaron Moss [00:05:04] Ideas that hopefully will make it harder for us whenever we do a tech your network. And of course this doesn't just pertain to us. This also pertains to the real bad guys who are out there that you may or may not know are attacking your network. Of course, it covers everywhere from retail technology. You can read the list there, but we have a pretty heavy focus on Healthtech, hospitals, oil and gas anything that really you guys need help with we can help with let's move on. 

Aaron Moss [00:05:34] So this is a basically this is a picture of what the controls look like. When we took this directly from the CIS website again, if the formerly the top 20 CSC, they're currently at version 7.1. Some things have shifted around a little bit here and there over the years, but the basics are still the same. Go ahead. So, the ones we're covering today, of course inventory and control of hardware. 

Aaron Moss [00:06:03] We're and software assets. We're rolling both of those into kind of one control in the slides because they have a lot in common. They're very similar on both sides of that the next one be continuous vulnerability management how you as an organization. Once you implement continuous vulnerability management using patching and stuff like that as well as killing some services that don't need to be there and everything can help secure your network, of course controlled use of administrative privileges. 

Aaron Moss [00:06:31] The short answer is don't give anybody, admin privileges unless absolutely needed security configuration for hardware and software on everything and then maintenance monitoring and analysis of audit logs. This is what helps you know, if somebody is on your network that shouldn't be or if something just goes sideways with a server. It's helpful to have that information. 

Josh Bozarth [00:06:56] So if you're familiar with these controls, you know, if you looked at the top 20 in the past or if you've had to you know do this with your organization. I wanted to make a quick aside about these implementation groups that have been kind of listed of late. So each the six controls we're looking at have sub controls underneath them. 

Josh Bozarth [00:07:19] And so there's like 47 for the first 6. 71 for all 20, you know, we're talking to, we're talking about and we're looking at it from the you know, the actual objective control and so what the CIS has done is create these implementation groups which are basically like organization complexities or you know organizations what their ability to do, their maturity levels, their maturity models and whatnot. So we've got we're not talking about the different implementation groups and we look at this. 

Josh Bozarth [00:07:50] So we're when we look at these six controls, we're looking at them holistically, but when your going through about implementing these you may want to slot yourself in one of these organization, these groups, and look at the controls sub controls, you know as needed in planting them. Yeah, sure. Why not? 

Aaron Moss [00:08:15] You wrote that slide I can't do it. 

Josh Bozarth [00:08:18] alright. So we're going to we're going to talk about inventories. I kind of merged one and two together.

Aaron Moss [00:08:25] Fully just move on Josh. 

Josh Bozarth [00:08:30] All right, I want to put an aside here is like he's groaning when all his jokes are going to be grown. 

Aaron Moss [00:08:35] Oh, yeah. Well mine were intentionally grown inducing. So I apologize in advance for all the shameless marketing. 

Josh Bozarth [00:08:43] This we go along. We're not going to read these controls directly because we only have so much time. But if we think you can read and yes, you're very more than capable of reading but these are the actual definitions and I highlighted the differences between these two controls other than some slight phrasing. So we're really talking about hardware and software and so these are the actual definitions from CIS. 

Aaron Moss [00:09:07] So you've got basically your old standards of course of servers workstations network devices stuff like this, which is router thin clients actual, you know, big client your desktops, you're all your servers whether your physical or virtual whatever generally speaking most organizations have a pretty good idea of what's wear what we're going to be looking at is whatever you forget that you have something on your network and also, okay. We'll move on to the new hotness here. Thanks Josh mobile. So this is this is a course about forgetting things. 

Aaron Moss [00:09:41] So I deserve I didn't forget this Is the next slide okay. Phones tablets, IoT devices are in particular something. We really love is attackers on a network and this also I include on here copiers and printers, because before there was an IoT like braised quote-unquote there was copiers and printers and they were a part of your network cameras have also kind of started getting into that particular realm now as well because as we move to IP cameras and everything they've obviously become part of your network. 

Aaron Moss [00:10:13] Work whenever they're no longer closed circuit. So now we also have stuff like smart assistance Google home. What Echo? Yeah, Alexa all that different stuff that you can do like literally just talking to your network. Well, if you could talk to the network attackers can talk to it and it's so what does that weird little box in this server for perriman? What oh the weird little box of service repair me. 

Aaron Moss [00:10:43] I told them the corner. I love that. Yeah. Yeah. Yeah, if you see any devices like that, you might want to get with it or just unplug it and see.

Josh Bozarth [00:10:50] If anybody screens first over on the screen. There are various networking plants that you can purchase that you know, some are more discreet than others. 

Aaron Moss [00:10:58] I see a packet squirrel. 

Josh Bozarth [00:11:02] I see these are all hak5 except for the one that yeah. It's know what that red one that looks like sushi is just the standard case from a right rasberry Pi zero. 

Josh Bozarth [00:11:14] Raspberry Pi 0 W. 

Aaron Moss [00:11:20] So, you know, we have the new stuff. We're fixing to play with. Yeah, and that's that is the new hotness right there. 

Josh Bozarth [00:11:25] So those are things that could be connected to your network via a wire Ethernet or it could be Wireless or even Bluetooth. So there's all kinds of fun stuff. Right? 

Aaron Moss [00:11:35] So we're also going to be looking at medical devices your infusion pumps. This is more for obviously for medical for Hospital environments and other health services environments, but at your infusion pumps MRI machine CT machines the Pyxis machines Pi C. 

Aaron Moss [00:11:44] First gay the HMI is plc's pids Artie use EIEIO. That's again. I'm sorry. That was one of my really grown inducing jokes. Hopefully you laughed. I don't know I can't tell from here because we can't see you. The big one that we actually had are seeing here is I mean you I'm assuming you added that the X-ray I think that's pretty cool. Actually pretty good. Yeah. It's a why seem that you added? 

Aaron Moss [00:12:11] It's more like what I'm saying is we've I've actually seen in testing environments. We've actually been able to attack certain machines where we've been able to gain access to Patient data through X Services just by logging into an ex-con Soul not even logging in having it actually send it to us and we can actually see Cats cans and all sorts of patient data and stuff like that. So this stuff is up there. If you're not aware of it. You don't know what other people are aware of. 

Josh Bozarth [00:12:44] And you know, sometimes it can be just you know standard fun, but I thought yeah, I mean there's no there's always some truth behind that then

Aaron Moss [00:12:50] yeah, there's a reason fud exists. All right. So again, this is what we're going to do this software assets of things. But the thing is they all kind of roll together actually again, it's why we have operating systems virtualizations, your server software for like SQL Server any kind of HTTP servers. I put Jira on there, because I see that quite a bit obviously exchange you get into work. 

Aaron Moss [00:13:13] Stations and this is where it really gets kind of hairy. So you've got of course your operating systems how many of you know that if you're still running Windows 2000 out there. I know there's some people who are that you may not know it yet. So you're any kind of document software office Google Docs, Adobe Reader, and Adobe Acrobat Pro, OneNote ever know. 

Aaron Moss [00:13:37] I literally had this list go down and it disappeared off the screen, because that's how much software is out there that people. Just aren't aware of and if you're not keeping track of all of it, you may not know what is and is not patched out there which will lead into continues for Mobility management here at bit. 

Josh Bozarth [00:13:52] Well in the whole point of inventory in this is that you know, what is on your the assets that are part of your organization where some of the stuff people other people that are is not it are installing this and that obviously what can change into other these other controls that we talked about who has certain privileges on desktops at what not. But in the end you're like what are you allowing? Most people are allowing things like Microsoft teams. It's going to happen at worth maybe a separate Wing a separate browser, but other things like, you know, Adobe Creative Cloud or even Dropbox, those are all prime opportunities A.) for data exfiltration how man but it's also a prime issue for you know, any other vulnerabilities that aren't being identified by your team.

Aaron Moss [00:14:35] Flash has a big one, right? 

Josh Bozarth [00:14:40] Yeah flashes. Yeah. It's going to be there for a little longer. 

Aaron Moss [00:14:43] It's long time I saw I haven't seen flash in the wild, but it's still on systems. And if you don't know about it again, somebody else can find it. I don't know what that was. So yeah, this is going to be basically from an attacker viewpoint now is where we start getting into the weeds. Did you forget that server existed got that Windows 2003 server out there that I forgot that was there. Actually we have an inventory of everything else, but somehow we missed that we found it. 

Aaron Moss [00:15:13] It we exploited it, because it wasn't patched and we just basically use that to compromise your entire network, because you had a really bad password on there that was still a youth on several other systems that you forgot about too.

Josh Bozarth [00:15:20] We combine these controls because from an attackers perspective there. They don't they do there's no differentiation between us between them for us. 

Josh Bozarth [00:15:37] If you've got outdated or hardware you're not keeping track of we will take advantage of that if you've got software you keeping track over keep updated. We will take advantage of that. So these we lump them together from our perspective because it makes no difference. 

Josh Bozarth [00:15:50] But from you know, Defenders perspective, they are separate and there are some slight differences that you have to deal with because obviously creating an inventory is not a hey let's get out a spreadsheet and just type up what we've got. It's a hard effort that is not easy to do and we recognize that and so if yeah, the goal is from our perspective is to help educate you. Know the organization when we're doing our work. Like hey, we found this you might want to figure out how you capturing your assets, you know, say if we find a server that's under the table that you didn't know about. You want to know how you can go about detecting that stuff going forward or maybe you need to revamp your processes, but that's the whole point is educating and creating an opportunity to become more mature, right? 

Aaron Moss [00:16:39] Let's see. Oh, yeah, so he's winners. You don't put that in their internal network. So this is fun Harden Windows environment. All right, and as it says here, we hate these networks for real tests. We really do because they're so hard to penetrate whenever you've got it really well configured which is a control V and you like responder doesn't work several other tools don't work. It's kind of not fun for us to be perfectly honest with you. Not that that's why we do this job. 

Aaron Moss [00:17:08] It is a part of it. I'd be lying. If I said it wasn't but our tools didn't work. Nothing worked except for one Windows 2000 server. That hadn't been patched since 2007 and was vulnerable to the ma so eight. Oh six seven right? There is a in our world if you will is a very popular remote code execution exploit. That's very reliable to get us a system shell on anything. 

Aaron Moss [00:17:35] And of course once you have a system shell you have complete and total access to the to the entire computer whatever that may be. It's basically, you know root superuser god mode and so we were able to get the local admin hash off of it and crack that weak password. 

Aaron Moss [00:17:52] This is what I was talking about a while ago and then that password was the same on several other servers and so we were able to basically use that password log into some other servers find a domain admin and then become domain admin within a matter of minutes, after that so. This is the reason why these having these controls in place having an inventory knowing what I was on your network and shutting it down when it was no longer needed is so important.

Josh Bozarth [00:17:59] This is a great example of how you have a different type of advantages of depending on your viewpoint. So from an attackers viewpoint, we have the advantage of all we have to do is find one system whereas from a defender. 

Josh Bozarth [00:18:38] A point they have the disadvantage there. They have to kind of you have to inventory everything, which is almost an impossible task based on large networks, but that's the idea of these controls the kind of help balance out that disadvantage that an attacker would have by providing the most information to you as a defender, so that you can identify things like a Windows 2000 box on your network.

Josh Bozarth [00:19:05] Oh, I think Anderson wrote this one, but this was this Fairly recent. Yeah, this is a, we had a test fairly recently that where they had its external standard external pen-test expose services are pretty minimal, you know, again, we to standard type of attack tools that we would use are not really going to be applicable here. 

Josh Bozarth [00:19:27] But they did find a web service on a private court, but a non-standard port.

Aaron Moss [00:19:35] It was like a high number like in the 30 thousands or 40,000 something like that something. We don't normally see it was supposed to be quote unquote hidden. So it's with the old for a security by obscurity. 

Josh Bozarth [00:19:45] Well and I think whether this was intentional or not, I don't remember we'd have to ask our teammate, but so yeah a browse to that port in your like oh this is management software for desktops, you know, like remote management software for desktops, like third party stuff. Not like RTP or things like that and you're like, oh no, this is bad. 

Aaron Moss [00:20:08] Can we get and so that says I've got a bad feeling about this, but what he actually meant was I have a really awesome feeling about this. 

Josh Bozarth [00:20:18] Yes, let's be honest. So, you know, he's trying a lot. He looks at the you know authentication scheme. It is tied to an actual active directory domain. So like okay. 

Aaron Moss [00:20:22] Whoa. Yeah. It says great that was close. What we actually meant was then what happened as sucks. 

Josh Bozarth [00:20:35] So, you know and on a whim he's like, well, I'm going to just see if I can just get in with admin, you know. 

Josh Bozarth [00:20:38] As a local user, because you can switch the authentication schemes and yeah you got in it was a default cred and red alert means he had full access to the you know, the internal Network and all those desktops of all the remote desktops. And basically, this is kind of ties into where we want you as a defenders as, what would you do with this information? That's what the point of these inventories are. Right. 

Josh Bozarth [00:21:03] So if you were to have a good comprehensive inventory, whether it's, hardware, software, and you hand it over to us, what would we be looking for? Well, he immediately started looking for systems that were out of date since this was a, you know, Remote Management kind of a patching tool kind of thing. It had all this information that he could look at and say well what can I leverage from here to maybe pivot more into the internal Network? And so that's why I want you to take that into your and put that in the back of your mind. It's like we want to level these Playing Fields as much as possible. 

Josh Bozarth [00:21:36] And so this is an opportunity like for you as a Defender if that's what your role is to take the to take the information about asset inventory and then say what would a bad guy do with this and that's kind of what we do from a day-to-day stand by. So going to the next one here. Okay. 

Aaron Moss [00:22:00] So this was fun actually that an FTP server on an external network princess. 

Aaron Moss [00:22:06] We have a lot of external network dentist when you quite a few Internal Network pen test. What we like to do is form or physical Pen Test. So if you have anything like that that you want come see me at B-Sides or just give us a call but the vulnerability there was an FTP server that had a documented vulnerability no exploit code. And so we knew that there was something there but when we weren't sure if it was going to be available explore anything the server fortunately this FTP server was freely available the open source. It was all online. 

Aaron Moss [00:22:37] So you literally are you had to go download it well after a bit, I have a little bit of expertise in in figuring out how to fuzz and how to write my own exploits for stuff like this. 

Aaron Moss [00:22:48] So I was able to figure out exactly where the vulnerabilities that mind you this exploit code is not available still because I don't want it to be but we rolled our own exploit essentially and then we were able to access the server through this because it was a remote code execution Barn buddy the problem with a lot of remote code execution vulnerabilities, if you do them wrong, they become denial service vulnerabilities and we don't like that, but this was fully tested. And so just another quick shameless plug you can find out how you can start rolling your own exploits at B-Sides, Oklahoma 2020. I am teaching and exploit development class on April 8th and 9th register at B-Sides ok.com training seats are limited. So hurry. 

Aaron Moss [00:23:30] And that's not the end of the plug. 

Josh Bozarth [00:23:40] Sorry, I threw up a little bit. 

Aaron Moss [00:23:55] Yeah. Hey, you know, I mean I think is generally speaking full scope full scope is physical internal/external Wireless phishing, which is social engineering over phishing. 

Aaron Moss [00:24:00] Is email of course in addition is phone call and so but everything we tried the organization was a lockdown completely like down we couldn't we couldn't get in externally, of course, we didn't have access to the internal Network because we couldn't get in externally and so since voice social engineering was part of this we decided to start making some phone calls and what I found out from this is that sales teams are really great to talk to especially for social engineering purposes. 

Aaron Moss [00:24:30] This because they like to keep you on the phone to and talk to you as long as possible because they think they're making a sale. So after I talk to him for a bit, we said you know what I'm going to shoot you an email with some my requirements and just give me a couple days to have to figure out how to put all this together for this blah wah. 

Aaron Moss [00:24:49] Well, of course the email was lace PDF, but what they didn't know is while I was talking to them essentially I was asking them questions about how their software interacted with certain other softwares, like Adobe Acrobat or Microsoft Word and all this other stuff and I was asking him questions about you know, what version of Adobe Acrobat are you using right now? Because like that's we're using this version, but I want to make sure that this is you know, it's all compatible blah blah blah. 

Aaron Moss [00:25:15] And so using these techniques I was able to actually social engineer this poor sales person and it tells me the exact version of several different kinds of software that they had and fortunately their acrobat was vulnerable to remote code execution and we sent them a lace PDF a couple of days later that has some vulnerable had some exploit code in it. We wanted to make sure it would bypass AV and stuff like that. So we had to take a couple of days to do that, but they open the PDF while we were on the phone. Hey, did you get that PDF? Yeah, I did you go ahead and open that and make sure that it opens real quick and soon as they did. We got the shell. It's not showing up its blank dadgummit. I knew that was going to happen. All right, I tell you what, let me work on some stuff here. I'll give you a call. 

Aaron Moss [00:26:00] Tomorrow, of course. We never called back. We already had the shell and so, because there was no inventory or there was, but it hadn't been updated in a while. IT didn't know that this system had been patched in a couple of years and we were able to take advantage of that. 

Aaron Moss [00:26:21] And so basically the whole point of this is where we start getting a more of a blue team type situation. We're trying to give you information on how you can take advantage of these controls to basically put us at a disadvantage. So managing a full inventory hardware and software is a full hard full-time job and depending on the organization at least one person. If not more and a lot of times that one person is just a person who's running the IT for. 

Aaron Moss [00:26:50] Organization so it really sucks. And so what about Bob? I mean BYOD bring your own device. Yeah, I wrote that in there. That was me. You're welcome. BYOD is hard in and of itself have a separate network. If you can for any kind of BYOD devices that is not attached to your internal Network whatsoever. Just we'll get into that later start with a full physical inventory. So you want full physical of every kind of system that you have on the network server. 

Aaron Moss [00:27:20] Work stations, etc. Get Mac addresses, because that is physical as well. And then there are tools out there that can help keep your inventory accurate, spiceworks, was really good back in the day. I think it probably still is a couple other like million sweeper open on it. 

Aaron Moss [00:27:36] We personally use in map for our inventory stuff like that or Oh wait. I thought that there was another so okay the other big thing you read your slides that you're right what did but I thought that when I think I got these two backwards because this is the next slide or you can call True Digital Security. Yep. We're get to that in a second key box. 

Aaron Moss [00:27:58] So the other big thing having a policy is key for all of these controls and you're going to see that that's going to be repeated over and over and over again having a living breathing policy to basically enforce policies have to be enforced. I know we're really tight. Yeah, so organizational policy as well as technical policy. You can read up on acceptable use policies and you want to basically say hey, here's what it's allowed on the network as far as your servers workstations and stuff like that anything that's not in the policy should not be allowed on the network and you can use technical controls as well technical policies to enforce the different kinds of software and different kind of hardware stuff like that on the network as well. 

Aaron Moss [00:28:42] More information can be found later through the slides also at the CIS controls. Let's move on again, or you can call us and we can do inventory for you and we can help you, help your organization really understand how to do this better and you I missed you. 

Josh Bozarth [00:28:53] All right, so we got we got to controls down. I mean I did is continuous for its. 

Aaron Moss [00:28: 55] Yeah, I get it in me right around. 

Josh Bozarth [00:29:00] Okay. So if you haven't figured this out Aaron's sense of humor is not my sense of humor now, he's okay. 

Josh Bozarth [00:29:12] Right here at the stuff you're laughing at is what I wrote. Uh-huh, man and the stuff that you're not laughing at is what he wrote. 

Aaron Moss [00:29:22] That's because I have a really terrible sense of humor. 

Aaron Moss [00:29: 25] Yeah continues one more really management. Essentially you're constantly watching out for vulnerabilities. You're constantly scanning. You're constantly patching and I believe then no it's not the next slide. 

Aaron Moss [00:29:31] I cannot man probably gonna be a few slides out at this point actually take several forms, but most importantly you've got service management at so you're identifying and disabling and uninstalling as needed unneeded services and software. If you're not if you don't have a need to run is on a server. Why is it installed and running? It's just a default page. We see that a lot. Now, there's sometimes we see default pages, but with virtual host most of the time we see it internally. It's like why is this here? Oh, we just forgot to turn it off. He might want to think about doing that vulnerability scanning. 

Aaron Moss [00:30:10] This is scans to find out what patches are missing and again. This is a service that we offer here at TRUE, not to throw that out there, but I'm throwing it out there patching is of course just updates of software on the system. And so that's any system. There's always patches the stuff that needs to be updated find your window get it updated as soon as possible. 

Aaron Moss [00:30:29] There it is. Leather rinse repeat again. This is a constant cycle and I will never beat this you spend constant round baby a cycle. That's right. You spin me right round baby. You spin me right there. Didn't ya thing? They got they got I can sing. I have a pretty voice. I'm sitting in a microphone. Yeah. This is important guys if one patch is missing and it's critical. This is where the oh eight. Oh, six seven MS70 no 10. 

Aaron Moss [00:30:55] If you've seen these in your reports, you know how dangerous they are for your or if you've got an actual attacker on your network, and they see this stuff they're going to take full advantage and they don't have a scope. 

Josh Bozarth [00:31:00] And again, this is also going back to that disadvantage you have versus the advantage and attacker has like we're just looking for that one patch you're missing and you have to see everything out. I would gather everything which as unfortunate, but that's why tools exist to help kind of meet that need and but we also needed we're going to talk about this here in a minute. We also need to talk about the Cadence. 

Josh Bozarth [00:31:28] Of the vulnerability management. Yeah, and we say it's a cycle. So that means is everyone wants to say, okay. 

Aaron Moss [00:31:35] Well, that's a monthly thing lather rinse and repeat always repeat. 

Aaron Moss [00:31:40] So why is it important vulnerability management? It's just simply vulnerabilities inventory and I do not the difference is unlike vulnerable, you know other inventories with Hardware software. We want this size to decrease like we want these vulnerabilities to go away which is why it's so important for you know continuous that's reason. It's continuous. It's a cycle. It's constantly going you have to constantly be monitoring this stuff because these things happen over and over and over again. 

Aaron Moss [00:32:09] And this is why it says broken record time. Literally. We're trying to be a broken record at this point and it's the same thing over and over and over again. We want to take advantage of unpatched software. We watch for these new cve, we watch for new exploits. We specifically look for the software. We're targeting like that FTP server a while ago. There wasn't one. There is one now. 

Josh Bozarth [00:32:31] It's a process that can be overwhelming. So one of the things that we like to emphasize is not to get buried in the in this in the cycle. 

Josh Bozarth [00:32:42] So the cycle exists, you know, there's a patch cycle that exists, but you always need to be flexible and think about in terms of what an attacker is going to do an attacker is going to look at it from what can I do immediately now. So this is a tweet by somebody who decided they wanted to be a security researcher kind of I think they're more official now than they were back then but they just dropped a node a on a on a scale Windows task scheduler API bug that you know, it was basically a mid-cycle of Microsoft's it was end of end of August, you know, August 27th, and then they patched it like September 11th two weeks later. So there's a two-week window where there's a whole flurry of activity. They posted on Twitter everybody in their dogs aware of this. 

Josh Bozarth [00:33:30] Are you being notified about this kind of stuff? That's what I want you to take away and think about it won't really management is more than clicking a scanner button and looking at the results and maybe patches and stuff. It's it is it needs to be more holistic than that so, that you can gain that advantage back from the attackers that are looking for that one little Notch to get in and so these types of scenarios where Microsoft may give you a mitigation or in the second scenario is about Citrix. 

Josh Bozarth [00:33:58] Citrix is fairly recent. Yeah, we've used it and we've actually taken advantage of this. So, but in this case think about this like December 17th Citrix disclose that remote code execution vulnerability. That's all they did. 

Josh Bozarth [00:34:11] They what they did do though is that they provided some mitigation steps that everyone's security researchers are looking at like wait, I think we can tell what's going on here and we can recreate this exploit and they do three weeks pass in between that and there's underground exploits that existed between now and then but on the 10th of January, you know, just what the NSA he just wants to say the NSA probably had exploits and I don't say that. They're my friends. I'll say it this. Hi guys this we love you. They've been listening for a while. I'm sure that they probably are listening. They probably up they bug my computer at Apple right now move on. So January 10th, you know, three weeks later a POC is published by Third parties and then Citrix doesn't release a fix until another two weeks. 

Josh Bozarth [00:34:55] So this you know the skeleton window have two weeks between a public proof of concept versus, you know, the dark web proof of concept. I'm going to assume during the three-week window, this two-week window is a nightmare, and I don't know which one to call mode with the underground and that's two weeks that you could be vulnerable especially, because these are these controllers, these gateways are usually hanging off the internet, and facing the internet many of you could still be vulnerable and yeah, you might you might be that proof of concept we've used after January. 

Aaron Moss [00:35:27] Or 2020 I can't say anything else but we have used it after that the after the permanent fix watch your stuff. 

Josh Bozarth [00:35:33] Yeah, and it's really just about making yourself more aware of what's going on out there. It's like if you know what's on your network or what you're using product wise, then you should be able to you know, snack the next step after you have that somewhat comprehensive inventory is to okay. I need to be notified about issues with these products. Right? 

Aaron Moss [00:35:57] And so that kind of dives into this, you know this vulnerability management the thing is the vulnerability management much like hardware and software inventory is still a full-time job fortunately, if you're doing it, right you can possibly roll it all into one job and then have it patched fairly quickly, but then you have to monitor stuff that can't be monitored by, you know, Windows wsus server and stuff like that

Josh Bozarth [00:36:12] And I would suggest not waiting until you think you have a perfect solution down start now something and you know, even if you got just a you go and get the you know pay for Nessus license and you're kicking ass can off that's step one and then you're going to say okay. I'm going to look at those results. What can I do with that? Right? We want you to just take action and not just you know, lay back and let it roll over you. 

Aaron Moss [00:36:40] So now we're getting to the point where we're talking about Again The Blue Team side of things. 

Aaron Moss [00:36:45] So this control takes place before during and after controls wanted to so you before you actually roll something out on the network if you can you want to try to turn off some of the services you want to try to make sure that any These that make be existing on whatever, you know, whatever server or device before you roll it out that you roll it up without it being vulnerable. So you take care of the stuff beforehand, before it's actually, you know deployed in production continuous of course is subjective. It depends on these several factors, you know available resources again, it's a full-time gig if you've got one person and they're sharing multiple responsibilities. It's going to take a lot longer. Network size is a huge factor. 

Aaron Moss [00:37:27] Are the more devices the more pieces of equipment that you have the longer this is going to take for you to actually figure out what's vulnerable and different locations. And so again this goes to network size and available resources. If you've got several different locations, maybe you might try to have one person in each location or several depending on the size of your organization. But generally, we would like to see scans taking a place at least every couple of weeks. If not much sooner. 

Aaron Moss [00:37:56] I mean it's all dependent on the size of your organization. But you have to remember all of this rolls into one thing vulnerability remediation is a team sport. Everybody has to be involved in it and everybody should be a part of it. Just like what Dawkins always says infosec is a team sport or something along those lines. I forget, but that was the idea of move on. 

Aaron Moss [00:38:23] so whenever it comes to your vulnerability management prioritizing you gotta run your scan, you patch what's available, and then you run your scans after the patching right or you scan see what passes are available at cetera what you want to do the most high priority the most critical vulnerabilities first if there's a patch available for install it and if you don't need the service again, disable it and then uninstall it you disable it for a week or two if nobody screams, uninstall it and then you don't have to ever worry about it again. And after you get the highest level ones done, don't forget about the lower level ones, because these are the ones that we actually can chain together to get big critical level exploits so we can change several lower level vulnerabilities together to make big things happen. So what about configuration management? This is where stuff like responder comes into play with LM and R and netbios over tcp/ip. If you saw our last presentation, those are a big one. They'll come up again here in a minute. 

Aaron Moss [00:39:23] So you control 5 for that because that's configuration management. But this all rolls into again policy is a major factor in this if you have policies in place that you can enforce then you can actually say hey we have policies, but we don't have the resources to be able to do this properly. We need these resources. 

Aaron Moss [00:39:39] Let's throw a little bit of money at this again organizational and technical and also again one more time call us if you need help with this, because we're actually experts at vulnerability management, risk assessments, and all sorts of stuff like that. So that's another Shameless plug. I think we got probably what three more of those to go know we have zero plugs to go. We got several more plugs doing up looks lots of plugs. That's this is a marketing webinar. So we have to put some shameless marketing plugs in there 19 minutes to be plugging.

Josh Bozarth [00:40:10] you we're going to go to control for now. We're close were close. We're going to try to split halfway there people. We're going to speed this process up. So stop interrupting. 

Aaron Moss [00:40:22] I kind of like that the requested action requires a Ministry, but please just please enter your administrator password to continue you forgot administrative password there. That's okay. So like it's just implied. So this is the definition you can go back to the CIS website read that and we're going to give you enough time to read it now and moving on too bad. That's great. All right, so, you know, that's the definition is what it was. 

Aaron Moss [00:40:52] Now, what is it? Well, it's not allowing everyone to have local admin privileges on their system. 

Aaron Moss [00:40:59] I've been harping on this for a year or two now and that's because I've been seeing it since I've been here and I love it personally as an attacker, but I hate writing it up in a report, because like this is something that quite frankly you everybody yall already know this so don't give anybody administrative privileges and then includes domain admin and he kind of network admin and always change your stinking passwords for any kind of defaults on your copiers your printers your switches your router's your devices from admin password. Admin Cisco. I'm in my room forever. 

Aaron Moss [00:41:35] Again policies are key policies have to be in place so that they can be enforced in short don't give everyone especially not everyone really anyone if you can help it admin privileges. So you ask simple questions who needs the access what kind of access whether it's access needed. Why is the axis need it and how long until it is no longer needed. 

Aaron Moss [00:41:57] These questions right here can help you kind of accommodate who people use your resources who do need those kinds of privileges and then others down who don't need those privileges. Because nobody needs it really on a daily basis. And if they do figure out some way to automate that maybe your attacker review. This is a made-up statistic, but I'll be honest. It may be higher you're over 80 percent of organizations have some form of shared administrative credentials and that includes servers network devices workstations laptops. How often do we see the same password on all of the above? 

Josh Bozarth [00:42:32] Well, you know, you have a made-up statistic, but we actually found something legitimate and that's what they'll graph here is to the right is from the data breach investigation report and organized try our value. So it's funny. It's like so you see on the graph. It says 2017. The next year's is 2018, because this is between nineteen report. But showing organized crime is going down, you know from number of issues or attacks, I guess and state-affiliated attacks are going up. I got a feeling that's probably turkey. 

Josh Bozarth [00:43:05] I love turkey. It's great on sandwiches. Maybe it's ham so system admins. Oh is actually been trending up since 2016 and they in the report. They specifically say it's not it doesn't really have to do with any like malicious administrators out there like, you know doing logic bombs and whatnot. 

Josh Bozarth [00:43:24] It really has to do with misconfigurations, which is control V, but it also with you know, those privileges that are given a little too much on the network those admin privileges are Role as well as they could. Yeah, and we see it all the time. 

Josh Bozarth [00:43:39] So what's happening and it's getting worse? Yeah, I mean they can read that local. Admin can easily lead to network-wide admins domain admin Enterprise admin and we can get your password for all your other stuff. We really need to and we talk about change of password. I want you to talk about laps. 

Aaron Moss [00:43:50] Oh, yeah. So there's a blog post out there that I wrote a couple years ago defend against pass the hash we can send out these slides to anybody. 

Aaron Moss [00:44:00] But if you check out true digital security / blog and then look up laughs you'll see it but laughs essentially is a way that Microsoft has Minutes a software that Microsoft has that you can basically install on your domain controllers and then it will shift out or it will ship out that software just it's a dll essentially that you apply to all your desktops all of your servers and everything else and what it does is it changes your local admin password for whatever account that you give it to a random password for each particular system that it uses is stores that password in your active directory inside of an active directory. 

Aaron Moss [00:44:39] Attribute that only specific A specific group has access to most of the times just domain admins. And so you can have all these different passwords across your network and only your domain admin has access to get to that local admin password and it's different for every individual system. So none of the passwords work and you can't you can't use the same password hash like for pass the hash and stuff like that to break into different systems. 

Aaron Moss [00:45:08] It's basically even if get a local admin hash that maybe only be good for however long. Well, it's the only good for that system. Yeah, and also it changes as often as you want it to do if you wanted to change every 15 minutes. I think you could probably do that. Most people probably said it like 24 hours. And so the trick is most people don't need your local admin passwords all the time. And if you do well you probably doing something wrong. So this is as a just in case as a backup, because Microsoft knows that most people don't know. 

Aaron Moss [00:45:39] Need all your local admin passwords all the time. So implement laps check out the blog post there and it can tell you much more about how to implement that on a step-by-step basis. And of course marketing plug number three. I told you there was more we can help you find all your users find all your passwords and probably tell you what over 75% of those passwords are for all users. I love it. We tried turning it off and on again. 

Josh Bozarth [00:46:06] Control 5 is all about your configs and its really specifically about servers workstations mobile devices laptops There's an actual separate control. That's all about network devices. I think it's like it's in the foundational group. I don't know what the number is. So this really is going to be about the kind of the end user and servers kind of computing configurations. 

Aaron Moss [00:46:39] By the way. Just watch The IT Crowd there's a character named moss on their to. He's fantastic. 

Josh Bozarth [00:46:42] He's funnier than you are. 

Aaron Moss [00:46:48] Well, he's getting he's paid to be funny. 

Aaron Moss [00:46:50] I get paid to hack stuff so really what is it? This is where the controls do get a little bit harder configurations are hard configurations are really difficult because there's so many different facets to it. So many different switches. You have to flip in order to make a system more secure and

Josh Bozarth [00:46:55] We've got some resources to give you at the end of this control will help kind of meet those needs right? Because I don't think anybody needs to reinvent. 

Josh Bozarth [00:47:09] The wheel know we've got organizations out there like see is the spend a lot of time figuring out what are good defaults for you know, a Windows system whether it's a desktop or server that mean that's what they exist for. And so yeah, like, you know, we have this, you know, you're eating an elephant one bite at a time. 

Aaron Moss [00:47:29] They're right and I want to quote Paul acid Dorian here who says basically that security good system security is just essentially good system administrative practices. 

Aaron Moss [00:47:37] So if you're doing things correctly, Lately and that's I mean subjective of course, but if you're doing things correctly, you're going to mitigate a lot of the vulnerabilities that you have in your systems just from secure configurations in the first place, but this not only is about system configurations. It's about storing those configurations and managing those configurations. So constantly updating them with new data that you may have and mind you. This is not an exhaustive list here for the secure configurations, but you know disabling uninstalling services, which is from the last control or to control. 

Aaron Moss [00:48:09] Ago, I can't remember two controls. Go mobile encryption on your laptop full disk encryption, right? You want to change your default passwords? This has been on a bunch of those different controls configuring software to disallow certain instant cure functionality. So like yeah, it says here think office with macros if you got and that grows enabled an office there better be a damn good reason for it because attackers can take full advantage of that to that's how people used to break in with word docs and everything. 

Aaron Moss [00:48:39] Secure configurations for remote desktop, remote desktops kind of secured to a degree by default, but there's a lot of things that you can do to make it better, especially if it's like externally implemented for some reason. Network devices with secure or insecure SNMP Community strings. If you're still using public or private or your company name for read and/or write access on an SMP SNMP device, this is bad. 

Aaron Moss [00:49:07] Stop doing that same for wireless keys. If you're still using wep. I don't know anybody who's still wep him up. I think I may have seen it like a around a neighborhood somewhere because people just aren't aware. But you know, if you're still using WEP somewhere, that's really bad WPA2 with that passwords. If you're using your company name again or something that's easy to guess or the word internet for your WPA2 passwords. 

Aaron Moss [00:49:35] That's not a good idea, because we could probably break that fairly quickly. 

Aaron Moss [00:49:42] So why is this important. The core configurations of course can't stop a lot of attacks threats get threats. Core is always changing fortunately secure configuration is really don't you're looking at overall you start with the secure config before you roll the system out. 

Aaron Moss [00:50:01] You're probably going to have a secure config the entire time that if there unless you make really severe changes to something, but hopefully if you're doing this from the beginning you're going to bake in the security to the process again. This goes back to the Simply Good system administration practices. 

Aaron Moss [00:50:18] If you try to implement after a system has been installed you can you do something wrong for instance the stig's if you apply a Stig wrong on here, it can totally shut down your system or at least shut down specific access to your system that you may have needed access to and cause some real problems maintenance over time is it says least a more successful security maturity model And so the more you do this the better you get at it. It's like he says, you know the old adage practice makes perfect. You've got one hole somewhere and it may be what a 2-meter hole somewhere that that you can use to, but it's in a giant. What is that a moon? That's right at star map. That's a moon, right? 

Josh Bozarth [00:50:40] That's no moon. 

Aaron Moss [00:50:42] What is it? 

Josh Bozarth [00:50:48] It's a death star. So space to there. It is my God. 

Aaron Moss [00:50:55] I was trying to hand that one to you. 

Aaron Moss [00:51:09] Just was wondering Yeah, I was trying to this is supposed to be a gift that it explodes and obviously it didn't workout, but I think it actually is effective here. You know what that is, its explodes in a second from what it's like a 2-meter hole in it. 

Josh Bozarth [00:51:13] This is from Return of the Jedi. How is it? 

Aaron Moss [00:51:18] Yeah, see, I don't know. Yeah, because that's only partially built. 

Josh Bozarth [00:51:25] Okay, you should watch the movies. 

Aaron Moss [00:51:28] You know, I'm a horror movie guy. If you didn't see that at the beginning of the slide show

Josh Bozarth [00:51:33] Horror that you don't know Star Wars. 

Aaron Moss [00:51:38] Yeah, whatever. So this is this is again where we get into the attacker. 

Aaron Moss [00:51:41] The attacks here. So we use system commits configurations. This is one of my favorites actually more than exploits believe it or not exploits are far and few between with a lot of stuff that we do as far as attacking a network most often. We exploit default functionality and windows or in different software's that are available responder is a fantastic example again, we're using link layer multicast Network resolution LMR try to say that five times fast. 

Aaron Moss [00:52:10] Find so that 2 times fast and wants is once hard enough in be TNS and that's your netbios over tcp/ip, name resolution, and we use these misconfigurations on a Windows Network particularly on an internal Windows Network so that we can get password hashes left and right some of the credentials that we've captured in the past have been administrator level we can use that once we crack the password log into a system and go from there. 

Josh Bozarth [00:52:35] So he's got an example here about mobile devices without full disk encryption and you know, yeah. 

Josh Bozarth [00:52:40] Yeah, it's probably considered in this day and age in this configuration. 

Josh Bozarth [00:52:43] So like if the device is stolen or lost if you have physical access to a machine and it doesn't have disk encryption, it usually is getting trivial for somebody to extract what they need off that discount and go with any a so we've had various engagements where they've had you know pieces of laptops that are mobile all laptops or mobile, but you know what, I mean, they're rugged and maybe designed for out in the field and they're like, hey, can you do some tests on this and we The desktop and it's not encrypted. So it's almost like the test is over at that point. Right? 

Aaron Moss [00:53:10] The thing is the reason it's considered a misconfiguration anymore is because it's it used to be much harder to do full disk encryption on laptops and other systems Microsoft has it built in Linux has it built in there's I mean, it's Apple has it built in very easily with filevault. There's no reason why there should be any kind of no full disk encryption on any kind of mobile devices as far as laptops. 

Aaron Moss [00:53:40] Ren even phones and stuff like that your SNMP Community strings again. If I have write access with a private string a string called private or something similar that's really easy for me to guess then I can actually rewrite your configurations and do whatever I want to do with your network device. 

Josh Bozarth [00:53:55] All right, you got five minutes. 

Aaron Moss [00:54:05] Okay. So this is where it gets important right here. It's not the simplest control, but it's also not the most difficult. It just takes a lot of time and it's very resource intensive. 

Aaron Moss [00:54:12] The time and effort is the big part of all these configurations as so like inventory though. Once you do the first configuration, it should be much simpler and much easier to continue on with these configurations over time. We're gonna go to the next slide so they can see the resources. You keep talkin. Yeah. So these are the different resources. You got your nice checklist, which it also CIS  benchmarks. The CRS hardened images are specific for cloud-based like AWS Azure and Google Cloud. 

Aaron Moss [00:54:40] The Department of Defense digs are publicly available. The open scap is actually an open source version of the scaf and I can't remember what this like secure configuration something. I can't remember off the top of my head, but it's a Department of Defense think configuration, but there's an open version that's available to the public now for open scab dot-org check that out if that's something that you'd be interested in or of course, you can call us here at True Digital Security. Yep, and there's one more of those. 

Aaron Moss [00:55:10] So insert Lumberjack joke for audits. I like that. You did good. That's way better than the other thing. Let's move on. I'm not happy with it. I think that actually worked out. Okay, I like so yeah taking the kids to the pool. No, that was not the one I'm talking about. I loved it. There's your definition. We got like five minutes left three minutes three minutes two and a half minutes left. So let's move through this real quick because we still want to get some questions father. 

Josh Bozarth [00:55:39] This data is critical. You're probably You've got logs out there whether you're monitoring them or not. You know that's on you. We would suggest that you do that. Now how you going to go about that? There's lots of ways. There's SIEM. There's no manual logs. But these are these are a great for forensics, but they're also just great from like knowing when things bat when bad things happen.

Aaron Moss [00:55:50] Not only applies to like attacks. But when a system goes down for some reason you want to be able to kind of keep an eye on what's happening when an attack happens. Do you know what it looks like in the log? 

Josh Bozarth [00:56:10] We have a screenshot here of when we run one of our tools that basically tries to enumerate folders within a web server. And so this is a you know, just as an Apache log that's shown its run under be right and it's just running through it. So when you see something like that, you're like, well that's clearly not a person just browsing for fun. Nope. So then that's a very rudimentary example, we have other examples of what that you could talk about with telluric vulnerabilities. 

Josh Bozarth [00:56:38] I mean that kind of stuff you need to be able to least have of the means by which to see that in your logs, because you have that visibility and that a that's your advantage getting that Vantage back as that's what this is all about. 

Aaron Moss [00:56:50] The important thing is to keep track of the logs and also to monitor the logs, but if you don't have somebody monitoring logs, well, you don't know what's happening in the first place. So the biggest problem is finding the resources to manage the large properly if again, you got to have somebody who's keeping an eye on all this stuff and making sure a larger coming in, but also they can do some analysis a little bit later once they NC some log correlation. 

Aaron Moss [00:57:10] Enter the SIEM, security information and event management platform to centralize log management platform that essentially takes all these different logs in you just point all your different systems to it. And it says, okay, we're going to start looking for different patterns in these logs to see what's going on. So it's a full-time job like a lot of this other stuff, but it's probably one of the more important ones so that you can actually keep an eye on what's happening on your network. It's your Viewpoint into the environment right? 

Aaron Moss [00:57:39] So you got your maintenance you Enter storage Vlogs you got they shouldn't be alterable. They shouldn't be changed or deleted one minute left. Really? Yep. Oh man. We'll get you these slides later. If you want to talk more about this. You can hit us up at Aaron dot Moss at True Digital Security or Josh dot Bozarth at True Digital security.com or hit us up a B-Sides. The control is not focused on attacks. We don't have a whole lot of attacks in here because we're not really looking at attacking the logs. 

Aaron Moss [00:58:06] This is early, but we want to show that from Integrity from the What an attack does in the logs and so you want to be able to detect dr. Eric Cole says prevention is ideal but detection is a must and so if you're not detecting a text and you don't even know what's happening on your network, I think the debe IR a couple of years ago said that most breaches most people don't know about braces for months. And so, you know your control you want to basically install a SIEM tune the SIEM to the network. So you want to get all your devices to talk to the SIEM and know the logs over there. 

Aaron Moss [00:58:40] Doing the same again because it gets too much data in there and you have to figure out how to tune out some of the it's not going to always something to be done overnight Force either rinse repeat always repeat which is why that's in there again, because hey always repeat and then whenever the logs come in you want to notice something you want to watch for those patterns if something looks suspicious maybe I need to check into that it probably is and so this is where True Digital Security comes in yet. 

Aaron Moss [00:59:06] Once again, we actually have a sock is here the Operation Center that All these logs 24/7 including all kinds of audits logging audit logs lot it logging audit logs and logging audit logs for a lot at logging. 

Josh Bozarth [00:59:22] All right. So the last thing before we wrap up as like, you know, we only talk about the first six controls, but the very last control is number 20 and it's about pain tests and Red Team exercises, but maybe you're already at that point. Maybe you've kind of gone through all these controls yawning. I'm good. Well, hey our official responses. 

Josh Bozarth [00:59:37] We'd be glad to help you meet those control objectives are Unofficial responses. Yes, please, we would love to help you in terms of red team exercises just standard penetration test. We're always up for a interesting challenge. 

Josh Bozarth [00:59:53] Yeah, and you know, that's kind of that's the quick run through those first six controls pleased if it's not going to be easy, but we were hope we made it a little more standardized and clear that would exist otherwise, and if not, you know, we're Always entertain questions. I know there were some that may be given in the talk and we'll try to address those offline separately follow up with, you know through the mail system that we use and but we want to give you already two minutes over so we want to be conscious of that and I will somebody is s question what tools are recommended for developing an active inventory. 

Josh Bozarth [01:00:33] We actually answered that back in the slides earlier so we can send you a copy of the slides to Anyway, I told her we talk about that offline. That's a question. It's right here. It's really easy to either way. You just had another minute to this. Okay. I'm going to turn it back over to Lisa and thanks for joining us and yeah reach out to us. If you like any assistance or have any other questions, we'll be glad to help you. Again Aaron dot Moss at True Digital Security dot com and Josh dot Bozarth at true digital security.com. Thanks guys. 

Lisa Remsa [01:01:05] Hey guys. Thank you everyone for joining us today. Thank you. Josh. And Aaron. We appreciate everyone being here. If you would like to access the recorded version of this webinar, please visit True Digital Security.com forward slash webinars or use the link you used to register for this live version. Of course, we would love it. 

Lisa Remsa [01:01:20] If you would share it with colleagues or friends that you think might be interested in this content also to keep up to date on all true events, visit traditional security.com forward slash events, if you have any additional questions on today's content as Aaron, Mentioned, please. Feel free to reach out to Josh or Aaron or email us at info at true digital security.com, or of course as always feel free to communicate with your existing true contact. Thanks again for joining us today, and we will see you all next time. 

Contact Us Today!

Let us know your business needs and we will make sure to get back with you promptly!

Contact Information

  • HEADQUARTERS
    6900 E. Camelback Rd., Suite 900
    Scottsdale, AZ 85251
  • Oklahoma Office
    1350 South Boulder Avenue, Suite 1100
    Tulsa, OK 74119
  • Region Metropolitana
    Chile
  • 480-389-3444