Sunday, December 29, 2019

Chapter 1 Section 1 Risk Management of New Products, Technologies and User Behaviors

New products and new technologies will always be arriving, and they change the way users behave and interact with older, current, and newer technology and products. From a security standpoint it would make sense to stay with items that are stable and have been around for a while; there is always uncertainty with newer technologies and newer products. Are these companies here to stay, or will they go bust in a couple of years? We can't avoid using new products and technologies, but what we can do is analyze the risk we take on by adopting them.

Closely related is user behavior: users may adopt new behaviors with the tools already at their disposal. Say a company has the Microsoft or Google office productivity suite, both of which include email and instant messaging. It is far more convenient to send someone an instant message than an email; instant messaging applications are a swipe away, or constantly running in the background or open on another screen. If users start relying on instant messaging and move away from the traditional email method of communication, this introduces another avenue of risk that must be analyzed. This is why user behavior should be monitored and analyzed: we must put ourselves in the shoes of the users so we can anticipate how certain items of technology will be used. Once we have that information we can use it to come up with training materials or even security policies.

Terms: Code Escrow

Code escrow is, in essence, a third party that keeps the source code available in the event that the software vendor goes out of business and is no longer able to provide the product and/or support. Clauses in the contract decide when the code is handed over to the customer.

New or Changing Business Practices/Strategies 

Not only do technology and products change with time, but the practices and strategies that businesses employ change as well. Those changes in processes and procedures pose a risk. Changes to these strategies and procedures need to go through a formal risk analysis process.

Partnerships are one reason these practices and strategies change over time: not only do businesses merge and create partnerships, but at other times a demerger occurs and once again practices and strategies must change.

TERM: TCA, or third-party connection agreement, details the exact security measures that must be taken when handling data exchange between these companies. There are other business documents that touch on the subject of data exchange between entities. The expectation is that if there is any form of data exchange, a TCA or a similar type of document will be used.

Outsourcing

Outsourcing is nothing new and we have all heard of it; we need to treat outsourcing partners in a similar fashion to mergers. If data is being exchanged we must ensure that all legal and regulatory requirements are fulfilled, not only for the data on our servers and services but also while the data is in the hands of our partners. And we not only have to worry about the data while it is in the hands of the vendor we contracted with; we also need to verify whether they are using other vendors to subcontract some of their duties.

While outsourcing we need to keep in mind that if the vendor is in another country, we might not be able to do business with them because of the regulations covering the data. Take a country with less stringent privacy rules: we might not want to do business with a vendor there because of what they could do with our data while it is in their hands.

Cloud: With AWS established and GCP and Azure competing for business, it is difficult to outweigh the benefits these platforms bring to the table. With the cloud as an option there are different types of risk that we must analyze and understand. The cloud operators work on a shared responsibility model, which means they secure everything up to the point where you, the customer, take over. We as the customer must secure what we build, configure, and deploy. This means we cannot blame the cloud provider for leaving a system unpatched or for not password protecting a page.

If there are regulatory requirements we must meet and we decide to go with a cloud or hosted solution, we must ensure the vendor is able not only to comply but to show that they are protecting our data as required.

These providers are huge and they recycle/reuse resources throughout their customer base. Once I shut down a server, a different customer might be able to use the same CPU or the same hard drive sectors I was previously using; this is dangerous because it would be possible to scrape data if it is not properly sanitized after we dispose of it.

Terms:

Private Cloud
Public Cloud
Hybrid Cloud


Friday, May 17, 2019

Find Inbox Rules

# Connect to Exchange Online (EXO V1 remote PowerShell module)
Connect-ExoPSSession
# Accepted domains define what counts as "internal"; anything else is treated as external
$domains = Get-AcceptedDomain
$mailboxes = Get-DistributionGroupMember -Identity COM-NetIDRecipients -ResultSize Unlimited |
    Where-Object {$_.RecipientType -like 'UserMailbox'} |
    ForEach-Object {Get-Mailbox -Identity $_.Name}

foreach ($mailbox in $mailboxes) {

    $forwardingRules = $null
    Write-Host "Checking rules for $($mailbox.DisplayName) - $($mailbox.PrimarySmtpAddress)" -ForegroundColor Green
    $rules = Get-InboxRule -Mailbox $mailbox.PrimarySmtpAddress

    # Only rules that forward (inline or as an attachment) are of interest
    $forwardingRules = $rules | Where-Object {$_.ForwardTo -or $_.ForwardAsAttachmentTo}

    foreach ($rule in $forwardingRules) {
        # Wrap in @() so a single match stays an array; without it, += on a lone
        # string would concatenate text instead of appending an element
        $recipients = @($rule.ForwardTo | Where-Object {$_ -match "SMTP"})
        $recipients += @($rule.ForwardAsAttachmentTo | Where-Object {$_ -match "SMTP"})

        $externalRecipients = @()

        foreach ($recipient in $recipients) {
            # Entries look like: "Display Name" [SMTP:user@domain.tld]
            $email = ($recipient -split "SMTP:")[1].Trim("]")
            $domain = ($email -split "@")[1]

            if ($domains.DomainName -notcontains $domain) {
                $externalRecipients += $email
            }
        }

        if ($externalRecipients) {
            $extRecString = $externalRecipients -join ", "
            Write-Host "$($rule.Name) forwards to $extRecString" -ForegroundColor Yellow

            $ruleHash = $null
            $ruleHash = [ordered]@{
                PrimarySmtpAddress = $mailbox.PrimarySmtpAddress
                DisplayName        = $mailbox.DisplayName
                RuleId             = $rule.Identity
                RuleName           = $rule.Name
                RuleDescription    = $rule.Description
                ExternalRecipients = $extRecString
            }
            $ruleObject = New-Object PSObject -Property $ruleHash
            # One row per rule; -Append so all mailboxes land in the same file
            $ruleObject | Export-Csv C:\temp\externalrules.csv -NoTypeInformation -Append
        }
    }
}
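Inbox rules are only one forwarding channel: a mailbox can also forward at the mailbox level (Set-Mailbox -ForwardingSmtpAddress / -ForwardingAddress), which the script above does not inspect. The following is an added example, not part of the original post, that covers that second channel; it assumes the same Exchange Online session and uses the accepted-domain list as the internal/external boundary.

```powershell
# Added example (not from the original post): flag mailbox-level forwarding that
# points outside the tenant's accepted domains. Assumes an existing EXO session.
$acceptedDomains = (Get-AcceptedDomain).DomainName

function Test-ExternalAddress {
    param([string]$Address)
    # ForwardingSmtpAddress is stored as "smtp:user@domain"; strip the prefix
    $email = $Address -replace '^smtp:', ''
    $domain = ($email -split '@')[-1]
    return -not ($acceptedDomains -contains $domain)
}

$results = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    # Skip mailboxes with no forwarding configured at all
    if (-not $mbx.ForwardingSmtpAddress -and -not $mbx.ForwardingAddress) { continue }

    $target = $null
    $external = $false
    if ($mbx.ForwardingSmtpAddress) {
        $target = $mbx.ForwardingSmtpAddress.ToString()
        $external = Test-ExternalAddress -Address $target
    } elseif ($mbx.ForwardingAddress) {
        # ForwardingAddress references a recipient object; a mail contact can still be external
        $fwd = Get-Recipient -Identity $mbx.ForwardingAddress.ToString() -ErrorAction SilentlyContinue
        if ($fwd) {
            $target = $fwd.PrimarySmtpAddress.ToString()
            $external = Test-ExternalAddress -Address $target
        }
    }
    if ($external) {
        [pscustomobject]@{
            PrimarySmtpAddress         = $mbx.PrimarySmtpAddress
            DisplayName                = $mbx.DisplayName
            ForwardingTarget           = $target
            # True means the user still sees the mail, so the forward is easy to miss
            DeliverToMailboxAndForward = $mbx.DeliverToMailboxAndForward
        }
    }
}

$results | Export-Csv C:\temp\externalforwarding.csv -NoTypeInformation
$results | Format-Table -AutoSize
```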

Thursday, April 25, 2019

Orphaned DB SQL USERS

-- Re-link an orphaned database user to the server login of the same name
USE DatabaseName
EXEC sp_change_users_login 'Auto_Fix', 'DatabaseUser'

Thursday, March 28, 2019

POWERSHELL: LIST ALL MAILBOX FOLDER DELEGATE ACCESS FOR A MAILBOX




# Stop any transcript still running from a previous session, then start a fresh one
$ErrorActionPreference = "SilentlyContinue"
Stop-Transcript | Out-Null
$ErrorActionPreference = "Continue"
Start-Transcript -Path C:\users\__amariouribe\desktop\output.txt -Append

$mbx = "sgoldschmid"
$permissions = @()
# Folder paths come back as /Inbox/Sub; folder identities need the form mbx:\Inbox\Sub
$Folders = Get-MailboxFolderStatistics $mbx | ForEach-Object {$_.FolderPath} | ForEach-Object {$_.Replace("/", "\")}
ForEach ($F in $Folders)
   {
    $FolderKey = $mbx + ":" + $F
    # Drop the implicit Default/Anonymous entries and anything granting no rights
    $permissions += Get-MailboxFolderPermission -Identity $FolderKey -ErrorAction SilentlyContinue |
        Where-Object {$_.User -notlike "Default" -and $_.User -notlike "Anonymous" -and $_.AccessRights -notlike "None"}
   }
$permissions

# Do some stuff
Stop-Transcript

Exchange CU11 Install Issue

TLDR: SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9}
Error:
The following error was generated when "$error.Clear();
$auditLogMbxName = "SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9}";
$auditLogMbxLastName = "SystemMailbox 8cc370d3-822a-4ab8-a926-bb94bd0641a9";
Write-ExchangeSetupLog -Info ("Retrieving users with LastName=$auditLogMbxLastName.");
$auditLogUser = @(Get-User -Filter {LastName -eq $auditLogMbxLastName} -IgnoreDefaultScope -ResultSize 1);
if ($auditLogUser.Length -eq 0)
{
Write-ExchangeSetupLog -Info ("Retrieving audit log users with LastName=$auditLogMbxLastName.");
$auditLogUser = @(Get-User -AuditLog -Filter {LastName -eq $auditLogMbxLastName} -IgnoreDefaultScope -ResultSize 1);
}
if ($auditLogUser.Length -eq 0)
{
Write-ExchangeSetupLog -Info ("Installing user account with Name=$auditLogMbxName and LastName=$auditLogMbxLastName.");
Install-UserAccount -Name $auditLogMbxName -LastName $auditLogMbxLastName;
}
else
{
Write-ExchangeSetupLog -Info ("Audit log user $auditLogMbxName already exists.");
}
" was run: "Microsoft.Exchange.Data.Directory.ADConstraintViolationException: An Active Directory Constraint Violation error occurred on NCGADC2.ncga.state.nc.us. Additional information: The operation failed because UPN value provided for addition/modification is not unique forest-wide.
Active directory response: 000021C8: AtrErr: DSID-03200BD2, #1:
0: 000021C8: DSID-03200BD2, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90290 (userPrincipalName)
---> System.DirectoryServices.Protocols.DirectoryOperationException: A value in the request is invalid.
at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
at Microsoft.Exchange.Data.Directory.GuardedDirectoryExecution.Execute[T](String bucketName, Func`1 action, Int64& concurrency)
at Microsoft.Exchange.Data.Directory.PooledLdapConnection.GuardedSendRequest(String forestName, GuardedDirectoryExecution guardedDirectoryExecution, DirectoryRequest request, TimeSpan timeout, Func`3 sendRequestDelegate, Int64& concurrency)
at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, Nullable`1 clientSideSearchTimeout, IADLogContext logContext, Boolean shouldLogLastFilter)
at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
--- End of inner exception stack trace ---
at Microsoft.Exchange.Data.Directory.ADDataSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer, String callerFilePath, Int32 callerFileLine, String memberName)
at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
at Microsoft.Exchange.Data.Directory.ADDataSession.Save(ADObject instanceToSave, IEnumerable`1 properties, Boolean bypassValidation)
at Microsoft.Exchange.Data.Directory.Recipient.ADRecipientObjectSession.Save(ADRecipient instanceToSave, String callerFilePath, Int32 callerFileLine, String memberName)
at Microsoft.Exchange.Management.Deployment.InstallUserAccount.InternalProcessRecord()
at Microsoft.Exchange.Configuration.Tasks.Task.b__91_1()
at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".
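The error says the UPN that Install-UserAccount tried to assign is already taken somewhere in the forest, but not by which object. The following is an added example, not from the original post, that searches every domain in the forest for the holder of a UPN with that prefix and, more generally, lists every UPN that appears on more than one object. It assumes the RSAT ActiveDirectory module and that the system mailbox name above is the UPN prefix; the UPN suffix is not given in the post, so the filter uses a wildcard.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Mailbox name taken from the setup error above; the UPN suffix is unknown, so we match any
$mbxName = 'SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9}'

function Find-UpnHolders {
    # Return every object in any forest domain whose UPN starts with the given prefix
    param([string]$UpnPrefix)
    foreach ($domain in (Get-ADForest).Domains) {
        # Braces are not LDAP filter metacharacters, so the name can be used as-is
        Get-ADObject -Server $domain -LDAPFilter "(userPrincipalName=$($UpnPrefix)@*)" `
            -Properties userPrincipalName, whenCreated |
            Select-Object @{n='Domain';e={$domain}}, Name, ObjectClass,
                          userPrincipalName, DistinguishedName, whenCreated
    }
}

function Find-DuplicateUpns {
    # Broader check: every UPN held by more than one object anywhere in the forest,
    # which is the condition the "not unique forest-wide" error is enforcing
    $all = foreach ($domain in (Get-ADForest).Domains) {
        Get-ADObject -Server $domain -LDAPFilter '(userPrincipalName=*)' -Properties userPrincipalName |
            Select-Object @{n='Domain';e={$domain}}, userPrincipalName, DistinguishedName
    }
    $all | Group-Object userPrincipalName | Where-Object Count -gt 1 |
        ForEach-Object { $_.Group }
}

# Who already holds the system mailbox UPN?
Find-UpnHolders -UpnPrefix $mbxName | Format-List

# Any other UPN collisions waiting to break the next setup run?
Find-DuplicateUpns | Sort-Object userPrincipalName | Format-Table -AutoSize
```

Running Find-UpnHolders before re-running setup shows which object (and in which domain) is holding the value, so the collision can be resolved deliberately rather than by retrying the installer.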

Tuesday, March 26, 2019

Exchange 2016 CU12 Install Issues

Microsoft recently released Exchange Cumulative Update 12, which included a patch for a zero-day vulnerability that was discovered a couple of weeks prior. This post has nothing to do with the exploit but with the upgrade process. I've installed all of the CU updates without any major issues. This time around the installation process barfed an error on step 5 of 17; I clicked OK to continue and I was back at the Windows screen, with a non-functional DAG member.

I panicked for a bit, like I always do. Long story short I restarted the installer and everything ran fine the second time around. I wish that I had a screenshot of the error but I did not think to take one at the time. 


Tuesday, March 12, 2019

HAM Radio Technician

Operating System Hardening

I've been asked this question at a couple of interviews and I figured that I would post some information that I have found in my travels on how to answer this question.

In short, hardening is making a system or an application more secure than its starting or default configuration.
