Monday, 23 May 2016

Passing the CISSP exam and how to do multiple-choice

If any of you have looked at taking the CISSP exam, you might already know that it consists of 250 mostly multiple choice questions and you have 6 hours to complete it. You might also know that test takers sign an NDA to not reveal the questions so I can't tell you what they are, after passing today!

What I can tell you is that in order to pass the CISSP, you need a combination of good general knowledge of the domains, good multiple-choice skills and then the icing is to understand the way that CISSP ask the questions.

If you have the CISSP Common Body of Knowledge (CBK), you will see a range of example questions and these are probably a reasonably fair indication of the types of questions you will see, although too many in the book, in my opinion, are poorly worded and helped feed my sense of fear that I would not be able to answer the questions even when I knew the topic of the question.

So here I go at listing a number of hints and techniques to reduce the fear that you will pay $700 and fail the exam.


  1. The CISSP is a practitioner's exam and is designed for experienced Information Security Professionals. If you are fresh out of college or have just changed career, you will find it VERY hard to learn enough to pass the exam (and you will need 5 years' experience to get the title anyway). This is for two reasons. Firstly, you will be helped a lot on the exam if you already have good knowledge of 2 or 3 domains or perhaps in-depth knowledge in one and a good general knowledge of the others. I work in software so the whole areas of network security and software development are reasonably familiar to me; all I have to do is look out for specific words or phrases used in the book.
  2. The CBK is not a novel; it is more like a (poor quality) dictionary. The CBK, sadly, feels quite thrown together: it contains a vast amount of information, some of it out of date, some of it seemingly overly deep for a high-level accreditation, but it is what it is. You are better off skimming the section headings, reading up on concepts you are unfamiliar with (but not too deeply to begin with) and then doing some test questions to get a feel for how deep to go. Not many of the exam questions required reading the fine detail of each topic.
  3. When you are doing these or other approved test questions, there are two things you can do to help the experience. Firstly, time the test to get a ballpark figure for how long you are taking per question. In the exam, you have a total of about 30 seconds per question, which is fine if you are a fast recaller but otherwise it could go quickly. Secondly, after marking your answers, look at all of them again and decide a) You knew the answer (good) b) You got it right but it was a guess (read up some more on it) c) You got it wrong because you didn't know the topic (read up some more) or d) It is a poorly worded question, which is why you got it wrong. In the case of d), it is really important to try and see where you got the question wrong (more on that later) since it might be something really subtle in the wording that you could have picked up on.
  4. Avoid any unofficial questions you might find on the internet. Are they correct? Possibly, are they useful? Hard to say. You can know the entire CBK and still struggle on the real questions because of their style so it is better to find something official. There are a few official CISSP books and apps around (check they are for the latest edition of the CBK) and I found the Sybex Android App really helpful - the questions weren't exactly the same style but it covered good ground to increase my confidence in taking the exam.
  5. Try to study little and often. Most knowledge takes a while to file in our brains and a few all-nighters will probably not help, especially in a subject with lots of fluffy words and concepts (risk assessment, BIA, threat analysis, vulnerability assessment etc.)
  6. Keep taking the test questions until you can get them mostly correct.
So here is some advice on the style of questions in the exam. I am not authorised or approved by ISC2 so take my advice for what it's worth!

  1. As you've probably noticed, there are various questions based on lists of answers. The steps in a Disaster Recovery or in a Risk Assessment or perhaps the ISC canons. In many of these questions, you will find each of the 3 wrong answers will contain a specific phrase that is either obviously wrong (e.g. will increase costs for something that would obviously decrease costs) or perhaps is wrong in a more subtle way (is risk assessment a step in the Business Continuity process?). Looking for the wrong answers is often easier than picking the correct one!
  2. The core principles of CIA are really important. Sometimes if you don't know the correct answer, you can work out which one(s) make or break the principles. The answer to a problem on a "critical" system is probably related to not interfering with availability. One answer that looks good but does not relate to a core principle is likely to be wrong compared to a CIA answer. Various questions on reacting to incidents fall into this camp.
  3. Lots of questions understandably relate to risk, threat and vulnerability. You should understand these concepts in order to tell the correct answer from what are sometimes 4 very similar answers.
  4. A trick question I have seen relates to "which of the core principles of CIA...." and then it lists the 3 principles and also a 4th answer. Although the 4th answer looks like the obvious fit and is the closest to the real answer, because it is NOT a core principle, it cannot be the correct answer! You have to be careful, these are not primary school questions about 10 + 4 but are looking to see that you understand the subtleties of Information Security and the concepts that don't necessarily match up to traditional "good engineering".
  5. Some questions that are to do with authorisation or reporting mention Line Managers. Again, in the real world, Line Managers are heavily involved in day-to-day operations but in Information Security, they do not automatically possess any involvement with any IS process or procedure.
  6. There are various questions (fortunately many more in the test questions than my real exam) that have confusing case statements e.g. Which of the following statements is NOT true followed by statements that begin with something like such and such is NOT something. Talk about confusing but, again, carefulness wins the day here. I had to read one question about 5 times to get it!
  7. If you are confused by the question (there was an exam one that was very vague), skip it and carry on. You might find some clue in a later question. In this instance, it was a scenario question with 2 or 3 sub-questions and reading all 3 sub-questions eventually made me understand what the original question was asking!
  8. Be careful with questions about 'which of these is NOT...' because in some cases, the answer is one that looks like a real one but isn't quite. One test question listed "principle of least permission", which is NOT actually correct. Another listed Disclosure but it should have been Information Disclosure. Tricky but not impossible to spot.
  9. It's useful to know the various access control systems like MAC, DAC etc and what their strengths and weaknesses are.
  10. There are lots of questions about what is the first or what is the best or the primary. This immediately implies that more than one answer is correct so be careful not just to grab the one that jumps out at you - again, the primary one is probably related to CIA.
  11. Some questions relate to Business Continuity and Disaster Recovery. I got quite confused while training about the distinctions so it would be useful to spend some time and get these linked up correctly in your head.
  12. Some questions will have 2 answers that are obviously wrong, and sometimes the two answers that are left are 50/50 in your head; other times, because you recognise one, you think that it must be correct. For example, you recognise Bell-LaPadula but not Clark-Wilson. Don't just choose it without considering the ones you don't recognise, but at the end of the day, it is better to choose one that might be right (i.e. it is a model question and this is a model) rather than one that you don't know is a model and therefore might well be wrong.
  13. Use acronyms or acrostics to remember lists (you could invent one for symmetric algorithms or the OSI 7-layer model). I thought of a way to remember the classes of fire extinguisher as simple as Solid, Liquid, Gas (for electrical fires), Metal.
  14. Use the hints in the answers to the CBK questions to try and get into the head of why certain answers are right or wrong. It will often explain that, e.g., B and C are correct but are not the first thing, or that B is a stronger answer but is only sometimes correct whereas C is always correct.
The main thing with this accreditation is to realise it is based in practice. In reality, you should not presume that you can obtain it without good quality work experience. You will need 5 years of experience to qualify for it so try and make those hours add up before taking the exam. By applying as many principles as you can and even asking for placements in areas outside of your normal expertise, then hopefully you can approach the exam and CISSP in general with confidence.

Wednesday, 18 May 2016

Windows 10 is a pain for developers

User Account Control: Microsoft's largely pitiful attempt to make their system secure. Every time an application wants to do something important, it pops a dialog and you press OK or cancel. Sounds fine in theory except that normal users have no idea whether an application should do these things anyway.

It was manageable because in Windows 7, you could easily disable it completely. I need to do this as a developer. I need to run the browser as Administrator when I access certain sites that use Client Certificates, otherwise the browser does not have permission to access the private keys and in most cases, it doesn't show you a useful error, it just doesn't work. (Hint: use Chrome - it gives the most useful error codes)

But I also need to run Visual Studio, PowerShell, Command Prompt, mmc.exe and other programs like most developers do and many of these won't work as non-administrator (or they pretend to work and then produce esoteric errors).

So what? Well, here's the rub. In Windows 10, you cannot disable UAC without also disabling any Metro applications, which are obviously super secure and couldn't possibly work without UAC.

So what can you do now? You have to leave UAC at a low level (which is not disabled) and then set the advanced properties of each of your shortcuts to "Run as Administrator". Woe betide you if you double-click a Solution from Explorer, which opens Visual Studio normally.

Of course, the real problem is that most of the "important" changes that these programs are making should not be important but are because many apps require access to the registry or c:\windows. In reality, they should have their own private registries and private file access and then they can do whatever they want inside their sandboxes without any admin prompts.

Another weird one relates to HTTP 2, which is available in Windows 10, even though it doesn't seem to support any secure HTTP2 approved cipher suites, which means that local hosted sites don't work. The solution there is to disable HTTP2!

I think I have ironed out most of the problems but I fail to see how MS wouldn't have seen these issues during testing. Maybe they did and thought, ah what the hell!

.Net Core - Publishing from Visual Studio 2015 - It's a pain

tl;dr: Install .Net Core SDK RC2, run dnvm upgrade to set up dnu.exe if it's not visible to the console, install bower and gulp using npm, run dnu publish against your project, copy files across to the server, install HttpPlatformHandler on the server, set up the site manually, set the app pool to not use managed code.

.Net Core

So Microsoft's big announcement of the last few years is making ASP .Net better. When I say better, it means having much more pluggable functionality in the web pipeline. You no longer have to include everything that you might need, just what you do need. That has to be good for memory usage and page load times and makes cross-platform porting much more doable compared to the massive beast that is System.Web.dll.

You've heard of OWIN, the pluggable web server system. That is basically the pattern for .Net Core. You can use .Net on any server and any host, each layer being abstracted from the next. With traditional .Net, everything had a dependency on IIS i.e. Windows only, which meant that to port .Net, you had to write the entire stack for another platform.

There are a whole load of features and differences between MVC5/Web Forms and .Net Core but for now, just imagine it is more modular and allows you to write MVC or Web API as well as anything else you want to write OWIN middleware for.

Your First Project

If you have Visual Studio 2015, Update 2, you should already have the templates for .Net Core. Depending on what exactly you have installed, they will either appear in the list underneath "ASP .Net Web Application" in the Web folder as "ASP .Net Core Web Application" or, if you don't have the Core SDK, they will appear in the list after you select "ASP .Net Web Application" as ASP .Net 5 templates (.Net 5 was the old name for Core). Do not confuse .Net 5 with MVC 5, which was .Net 4!

Publishing

My reason for learning about Core was to look at some basic performance tests as an indication as to whether to start developing on Core now or wait a year or so. For this reason, I didn't want to modify the default code, just publish it and fire some load tests at it.

Right-clicking the project and choosing "Publish", I can see a publish dialog with only one option - "File system". Hmmm. Visual Studio apparently doesn't understand this project type and also doesn't know how to publish it. If you try, nothing gets published. As is often the case with new technology, there are lots of articles about doing things manually to fix it, from the previous betas and release candidates. I tried a few but no dice.

Well, you can publish it from the command line using dnu.exe apparently (no idea what all these tools are). Tried that. dnu.exe is not recognised as an internal or external command... Apparently you have to run "dnvm upgrade" first to install it and setup the paths correctly. Done.

Try again. "Bower" unknown command. I know what Bower is, I don't know why it is not installed. Maybe I need something else for Visual Studio. Oh, here is the installer for .Net Core for Visual Studio 2015. Not sure why I already had the templates but no supporting tools installed. Anyway, installed it. dnu.exe still doesn't work - same error.

One article said that if you run the tools from Visual Studio, it sorts all the paths out. The problem is, I can't - publish now doesn't work at all. If I select it, nothing happens. If I choose it from the Build menu, I get some weird dll error referencing an interface name that doesn't even exist on Google!

Maybe I need to install bower manually. npm install bower. Great. 'Gulp' unknown command. Hmm. npm install gulp -g. OK. Ignore all the millions of errors but now - oh dear - the dreaded npm on Windows bug - path too long. This is due to npm's incredibly sensible but completely rubbish idea to nest dependencies to avoid package conflicts. This leads to dependencies that are tens deep.

Groan. OK, move the project from Visual Studio Projects down into a lower level directory and try again. Now it seems to work and the project is published. What a ballache. Surely this should all happen automatically from Visual Studio. Version 1 of Core is supposed to drop in a month!

OK. Now you have to copy the files to the web server manually (of course you do!). Web Deploy is supposed to work but doesn't seem to do anything at all. Set up your IIS web site as normal, point it at the wwwroot folder of your files and, importantly, set your application pool to NOT use managed code.

Access the site. No dice, Internal Server Error 500.19. Why? Well, the documentation that I followed that made me install some exe on the server was obviously not what I needed to install. I think I read that MS changed it but, again, documentation is out of date (but not marked as such) so I needed to install the HttpPlatformHandler, which I then did. Didn't need to restart and the site now works.

Conclusion

Apart from all the promises of this great new technology stack, the tools are still woefully poor and the documentation is all over the place. They are probably scrambling to get things working but MS have succeeded quite well because most people can install, develop and publish without doing anything weird. Using Node Package Manager to install things that should work automatically in Visual Studio is just weird.

At some point, I might even load test my new site!


Thursday, 12 May 2016

Windows 10 Broke my https web site

Broken Web Apps

This is really a follow-up to yesterday's post. I am a developer and do a lot of local debugging of web sites. IIS absolutely has to work for me and after upgrading to Windows 10, it stopped working. I could not get ANY local https site to work. http worked fine but https didn't work at all.

Opera and Edge told me the site was down and Chrome gave me the security error: ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY

One thing that really annoys me about this latest push to put TLS on all web sites and to set up the cipher suites and everything else is that the tools are hopelessly unusable. You get Windows where everything is in the registry and you have to use something like IIS Crypto which doesn't really help you that much (and you have to reboot!). You then get openssl on the command line with all its complexity and command line switches but most of all you get really terse unhelpful errors both in all of the browsers (some don't even give you a proper error!) and even in the command line, they are things like "connection reset", which doesn't really mean anything useful.

With errors like those, you have a whole pile of things to try before you even know you have a TLS setup problem. Things like upgrading to Windows 10 also give you the assumption that "everything is where you left it", which is a half-truth because sites that used to work no longer do and this is on a machine where I DO have my SSL cipher suites set up to use secure versions.

What is the problem?

The problem is HTTP2 and/or SPDY, a precursor to HTTP2 which parallelises some of the loading of a web site, reuses connections etc. to make the site load faster. It is implemented on various web servers and probably all new browsers, so that you don't need to write anything differently in your web app to make it work - it just does (or doesn't in my case).

The actual problem is that the HTTP2 spec says that TLS1.2 should blacklist a load of cipher suites that are considered insecure. If they are blacklisted, however, Chrome appears to be the only browser (haven't tried Firefox) that actually shows a specific message to the user, the rest just fail in the same way as 100 other types of web site problems. Fortunately I know a little bit about IIS setup.

So you run up the fantastic Fiddler tool to see what errors you are getting back and, guess what? The site now works. This is one feature of Fiddler that I do not think is helpful but basically it runs as a proxy and sets up its own SSL connection to the server using a DIFFERENT protocol from the browser (or at least it forces the browser to use the lower protocols). In this case, SSLv3 and HTTP/1.1 which means everything is happy and the site loads.

Try it with openssl and firstly, you have to point it to a certificate bundle and then you just get the usual no peer certificate found, again, not helpful.

What did I try?

I thought, if the ciphers are blacklisted, surely I can just disable the blacklisted ones in the registry (and reboot), and this involved removing some relatively modern suites like the AES/GCM flavours but after a reboot, the site doesn't seem to support any ciphers at all and the app is now completely busted. So HTTP2 requires a set of cipher suites that Windows 10 doesn't seem to support at all causing this problem. I can't believe that Microsoft didn't spot this when they built IIS 10.

Workaround

I didn't really want to disable HTTP2 because it is a good thing for web site performance but this seemed the only fix for Windows. Opened the registry and added two new parameters:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\EnableHttp2Cleartext DWORD 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\EnableHttp2Tls DWORD 0

And now the site works fine - and it has only taken me a day!

Wednesday, 11 May 2016

Thanks everyone for breaking my site!

So the pains of Windows 10 continue although to be fair, this is a combination of Windows 10, SPDY/HTTP2 and the latest browsers trying to be nice and secure!

The problem is related to the selection of SSL cipher suites and if you have ever looked into it, there are LOADS of combinations but HTTP2 have decided in their wisdom that certain suites MAY be blacklisted by browsers. The list is here

Unfortunately, most browsers seem to do nothing except show a blank screen, Chrome at least gives a clue with ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY but Opera does nothing and Edge says that it can't reach the site.

FFS

I have tried quite religiously to keep my cipher suite a good mix of secure with a little backwards compatibility but this has broken all of my sites.

My choices include disabling SPDY/HTTP2 on Windows 10, which seems a bit backwards, or otherwise going through the 100 or so cipher suites on the list and attempting to check them against the suites that I have configured locally to try and get some that work properly.
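The check described above, and the one attempted in the earlier registry experiment, as an added example that is not from the original posts: it takes a locally configured SChannel cipher suite list and classifies each suite by the HTTP/2 rule of RFC 7540 section 9.2.2 (the rule that the Appendix A black list enumerates: ephemeral key exchange plus an AEAD cipher), so you can see whether any configured suite can satisfy an HTTP/2 client before touching the registry. The sample suite list is constructed, and the registry path and the curve-suffix handling are my assumptions about how IIS Crypto writes the list.

```python
"""Classify a Windows SChannel cipher suite list by HTTP/2 acceptability.

Rule applied (RFC 7540 section 9.2.2): over TLS 1.2 an HTTP/2 peer may
reject any suite that lacks ephemeral key exchange or is not an AEAD
cipher. The Appendix A black list is the enumeration of that rule.
"""
import re
from typing import Dict, List, Tuple

# Name fragments that identify an AEAD bulk cipher in IANA suite names.
AEAD_MARKERS = ("_GCM_", "_CCM", "_CHACHA20_POLY1305")
# Ephemeral (forward-secret) key exchange prefixes.
EPHEMERAL_KX = ("TLS_ECDHE_", "TLS_DHE_")
# TLS 1.3 suites carry no key-exchange name; they are ephemeral + AEAD by design.
TLS13_PREFIXES = ("TLS_AES_", "TLS_CHACHA20_")
# Assumption: Windows 8.1 and earlier appended the ECC curve (e.g. _P256) to
# suite names and Windows 10 dropped it; strip it so both spellings match.
CURVE_SUFFIX = re.compile(r"_P(256|384|521)$")


def normalize(suite: str) -> str:
    """Return the suite name without whitespace or a legacy curve suffix."""
    return CURVE_SUFFIX.sub("", suite.strip())


def parse_functions_value(value: str) -> List[str]:
    """Parse the comma-separated SChannel 'Functions' string as written by
    IIS Crypto under HKLM\\SOFTWARE\\Policies\\Microsoft\\Cryptography\\
    Configuration\\SSL\\00010002 (assumed format)."""
    return [normalize(s) for s in value.split(",") if s.strip()]


def http2_verdict(suite: str) -> Tuple[bool, str]:
    """Return (acceptable_for_http2, reason) for one suite name."""
    suite = normalize(suite)
    if suite.startswith(TLS13_PREFIXES):
        return True, "TLS 1.3 suite"
    if not suite.startswith(EPHEMERAL_KX):
        return False, "no ephemeral key exchange (no forward secrecy)"
    if not any(marker in suite for marker in AEAD_MARKERS):
        return False, "not an AEAD cipher (CBC, RC4 or NULL)"
    return True, "ephemeral key exchange with AEAD cipher"


def audit(suites: List[str]) -> Dict[str, List[str]]:
    """Split suites into 'usable' and 'rejected', preserving configured order.
    An empty 'usable' list means every client enforcing section 9.2.2 (Chrome
    reports ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY) fails the HTTP/2 handshake."""
    result: Dict[str, List[str]] = {"usable": [], "rejected": []}
    for suite in suites:
        ok, _ = http2_verdict(suite)
        result["usable" if ok else "rejected"].append(normalize(suite))
    return result


# Constructed sample: a "secure with a little backwards compatibility" list of
# the kind the post describes, in the pre-Windows-10 spelling with curve suffixes.
SAMPLE_FUNCTIONS = ",".join([
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
])
# Same list with forward-secret AEAD suites placed first: the shape that keeps
# HTTP/2 clients happy without disabling HTTP/2 on the server.
FIXED_FUNCTIONS = ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,"
                   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + SAMPLE_FUNCTIONS)

if __name__ == "__main__":
    for label, value in (("configured", SAMPLE_FUNCTIONS), ("fixed", FIXED_FUNCTIONS)):
        suites = parse_functions_value(value)
        report = audit(suites)
        print(f"{label}: {len(report['usable'])} usable, {len(report['rejected'])} rejected")
        for suite in suites:
            ok, why = http2_verdict(suite)
            print(f"  {'OK ' if ok else 'BAD'} {suite}: {why}")
```

If the usable list comes back empty, enabling ECDHE suites with AES-GCM ahead of the others is the fix that keeps HTTP/2 on; disabling HTTP/2 only hides the fact that the server cannot offer a forward-secret AEAD suite.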

This has taken AGES to debug thanks to crappy browsers that couldn't at least do something like Chrome does and show the error and it was even weirder that when running Fiddler, the sites run absolutely fine because Fiddler uses its own SSL handshake using some other kind of HTTP version or SSL version.

Client Certificates and Windows 10

I thought that my upgrade from Windows 7 to Windows 10 was all smooth and everything seemed pretty sweet but it was annoying that some things were not retained when upgrading.

For instance, all the User Account Control was turned back on which is a real pain for a Developer, having to remember to run things as Administrator otherwise all kinds of weird things happen.

I also found that certain of my sites had stopped working when debugging them. This was a real pain to debug.

What had happened when I upgraded Windows was that I needed to run the browser as an Admin, but that didn't explain why I couldn't access a web service on a test server (although I could using SvcUtil.exe!). This was because the permissions on the private key for the client certificate were reset somehow during the upgrade, so although the certificate should have been sent to the other site automatically, it wasn't permitted, but without any error.

I had to open mmc.exe, right-click the certificate and choose Tasks->Manage private keys and then add IIS_IUSRS read permission on the private key.

I still have a problem with calling the web service from a web site, but I will have to try and fix that separately!

Tuesday, 10 May 2016

There was an error attaching the debugger to the role instance

Another great Azure error when debugging on my local machine. I tried clean, rebuild, restart windows etc. and I knew that I had not changed anything in the project that was previously debugging OK to make it break - what gives?

When trying to debug, the Azure emulator would start up and then you see the weird error above (plus extra stuff) and it shuts down again.

Thanks to this article, I saw a hint that you can look into the iis configurator log and look for errors:

Just type %UserProfile%\AppData\Local\dftmp\IISConfiguratorLogs\IISConfigurator.log into your explorer bar and press enter.

Inside mine, I saw the line: Adding access to users IUSR and NT AUTHORITY\NETWORK SERVICE to path C:\Users\luke\Documents\Visual Studio 2013\Projects\etc immediately followed by Exception:System.InvalidOperationException: This access control list is not in canonical form and therefore cannot be modified.

Weird error, basically some kind of permission thing obviously. I think it means that the permissions on the project directory are not the same across all of the sub-folders, which must have happened due to some crash or other.

I went to the folder in question, edited the security settings in the properties and applied them to the folder. At this point, I had an error with an aspnet_client folder that was denied permission to update settings, despite being a local admin (thanks Microsoft)! I found the folder, manually deleted it, giving my "consent" to the process and after that, it all ran up OK. Obviously, if the folder is important, you might have to do something more long-winded to reset its permissions but you get the idea.

Monday, 9 May 2016

Project could not be opened because the Microsoft Visual C# 2010 compiler could not be created. An item with the same key....

I got this error after opening an existing VS2015 project after upgrading to Windows 10. I had definitely used this successfully before the upgrade and as usual, it's a very unhelpful message.

All the projects loaded apart from one and clicking "reload project" made the error display.

The issue is that User Account Control, which was previously disabled in Windows 7, was re-enabled. This meant that Visual Studio was not being opened as Administrator and rather than having a useful error, it shows this instead. I looked in the window at the bottom and something else was displayed about IIS that was more specific to the access permission problem.

I need to disable UAC again since giving permission every time you open VS is a pain!

Monday, 2 May 2016

Annoying trailing double slash (at end of URL)

So sometimes, when people visit my web site, they seem to get https://fleetcamps.org.uk// (note the double slash), which returns a 404. Annoying.

Why? The rewrite rule for Yii in .htaccess looked good and even though I have seen it myself, I cannot seem to recreate the bug.

Another example of the browser being really helpful and hiding what is really happening. Nice for the user (usually) but not for the developer.

The issue? I had a rule that redirects all http to https in my Apache config. This was the problem. I had the line

RewriteRule .+ https://fleetcamps.org.uk/$0 [R=301,QSA,L]

But note that it appends the request path to the end of the domain that already has a trailing slash - silly boy. In the server config (as opposed to .htaccess) the matched path keeps its leading slash, so $0 starts with "/" and you get two. The browser remembers the 301 and so you never see the problem again.

The problem is that there are soooo many examples of how to do everything in rewrite/htaccess and some examples are even 20 lines long and people like me who are not very expert on the matter don't know which example to copy in our own sites.