Episode #19 - Diagram Delight!

This week the guys discuss why it's vital for an organization to have network architecture and network configuration diagrams, discuss best practices for building them (scotch can help), and explain why a little effort now will make your work life so much better.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com
Be sure to rate the podcast, leave us a review, and subscribe! 

Transcript

Welcome to the Cyber Rants podcast, where we're all about sharing the forbidden secrets and slightly embellished truths about corporate cyber security programs. We're ranting, we're raving, and we're telling you the stuff that nobody talks about on their fancy website and trade show giveaways, all to protect you from cyber criminals. And now, here's your hosts: Mike Rotondo, Zach Fuller and Lauro Chavez.

Hello and welcome to the Cyber Rants podcast. This is your co-host Zach Fuller, joined by Mike Rotondo and Lauro Chavez, and this is the podcast where we answer your deepest questions about cyber security and compliance while we solve some of the world's biggest problems, or something like that. Today we are talking about another topic that is especially important and is tremendously beneficial, but it's another one of those things that a lot of people don't do. So before we dive into that, Lauro, we're going to switch it up a little bit today. Why don't you kick us off with the exploits?

Cool, thanks Zach. I don't really want to dive in, but if you haven't seen the zero day from Microsoft Exchange, make sure you google "zero day Exchange" and deploy those four patches that are out for that. I'm pretty sure that, with the seriousness of that, most of the organizations that are at least using Exchange have become aware of that. Something you're probably not aware of: if you're using Zen Cart in any capacity, which has been out for a while, it's kind of a COTS product that you used to be able to go buy at Best Buy in a little box with a CD, kind of like AOL. Anyways, Zen Cart is sort of an e-commerce kind of shopping cart for your website if you're gonna, you know, host some stuff, you're gonna sell some merch. Anyways, a really, really, really cool remote code execution has been written and validated for Metasploit. Pretty awesome stuff. It's a very simple Python script, but it deploys a server-side script to the database that calls back and gives you a remote command. Pretty awesome stuff, so make sure you're patching the CVE for that. It's from 2021, this month, so make sure you look into that. It's 3291. And, yeah, awesome stuff coming out of some of the Metasploit teams. So very, very cool. Mike?
You know, change can be good. So we switched it up today, so here we go with the headlines.

NSA and Microsoft promote a zero trust approach to cyber security. They're really pushing the combination of user and device data with security-relevant information in order to do authentication. It's the admission that a simple password isn't enough; MFA has been exploited, so we gotta do something else. I'm calling BS on this pile, and this is just my personal opinion: Intern caused SolarWinds123 password leak. The former SolarWinds CEO says, "I have a real problem there. There should have been protections in place to keep an intern from creating an admin password." So blame the intern. Someone had to burn. Poor kid, man. I bet he was wearing a red shirt.

Yeah, I was gonna say, is this an episode of Star Trek? We have the unnamed crewman going down to the planet. Jimmy's never making it back. Yeah, it's his first trip, he's never coming back. Kirk will mourn you for the rest of his days. And sometimes you just pull the short straw, you know, just like... Yes, you'll be mentioned in the captain's log forever. Ensign what's-his-name got crushed by a boulder.

Anyway, from the "I didn't know they still existed" files: AOL phishing email states your account will be closed. I wasn't aware AOL was still a thing, but, you know, tell granny and pop-pop and meemaw and grampy that they need to stop using AOL, or they need to not click on this email. So my brother has an AOL account from 1992, I believe, still. I find my AOL account works best with my dial-up modem. Yeah, it's so hard to get 9,600 baud these days.

Passwords, private posts exposed in hack of Gab. So Gab has been hacked. There's some DDoS stuff in there, so be careful with your social media. Malicious npm packages target Amazon, Slack with new dependency attacks. This is another attack hitting high-profile cyber security, or a high-profile attack. Microsoft accuses China over email cyber attacks. Everybody that's surprised that China is attacking our infrastructure, please raise your hand. Telemarketing biz exposes 114,000 in cloud config error. So if telemarketers aren't bad enough, they're now exposing your data. The firm counts lending marketplace LendingTree, Liberty Mutual Insurance and smart security vendor Vivint among its customers, so if you're a customer of one of those, if you have a telemarketer reaching out to you, your data may have been exposed. Microsoft rushes out patches for Exchange zero-day attacks. I didn't realize I still had this in there, but yeah, it's a mess, go get it fixed. Palo Alto has also released some patches for it as well, so you can stop it at the perimeter. Cyber analyst finds links between SunCrypt and QNAPCrypt ransomware. This is a Russian cyber criminal group called FullOfDeep. I'm sure that translates to something really scary in Russian, but anyway, that's a new ransomware that's out there. There's a now-fixed Linux kernel vulnerability that enabled local privilege escalation, so CVE-2021-26708. It appeared in Linux kernel version 5.5 in November 2019 and basically allowed for local privilege escalation. Ransomware as a service is a new big problem for businesses. Much like the ever-evolving legitimate tech industry, apparently cyber criminals are now evolving to create a service industry called ransomware as a service. Be aware of that, just like every other piece of ransomware out there. All your computers are belong to us. Exactly. Microsoft: we're cracking down on Excel macro malware, according to them. Okay, we'll see it when it happens. Another Chrome zero-day exploit, so get that update done. Yep, Chrome is under attack. I think there's been a bunch of these in the last couple weeks. And lastly, CompuCom MSP confirms ongoing outage following malware incident. This is something we touch on in the book, actually, about concerns about MSPs, how one MSP being taken down can take down a whole lot of other customers. So beware, watch your MSP, make sure they're up to date on security, maybe get a security company to validate what they're actually doing, and ensure your company can maintain its focus and function. All right, from there, Zach, do you want to introduce, or you want me to introduce? I'll dive in, just a minute, I'm updating Chrome here.
No, really, today we are talking about something that non-technical people, or people without a background in this, would talk about as those pictures with the circle thingies connected to the square thingies and the lines, and there's some numbers and letters and such. Oftentimes that's how they're recognized, and they can be extremely confusing to people. But our assumption is that if you're listening to this podcast, you probably have some level of technical background, and so for the purposes of this podcast we are talking about network architecture diagrams. We'll start out, before diving into how they should be made and what should be included and such, by sharing a little bit about our thoughts on why they're important. So why should an organization have architecture diagrams in place and up to date? And to add to that question, why are so many companies missing those?

Well, I think what's happening is it's becoming a compliance requirement, first of all, but it is a best practice, more importantly. And I think what you need is not only network, but you need infrastructure, you need data flow diagrams in order to be able to track your data sufficiently and understand, have a visual picture of, how your infrastructure actually works. But it's also critical for your DR, disaster recovery; IR, incident response; your business continuity, to be able to recreate your existing environment, you know, if something goes wrong. There's a lot out there; if you're a big company you probably already got this right, but for the small to medium-size or emerging market companies these things are critical. You need to be able to put the pieces back together when Humpty Dumpty falls off the wall, and visual diagrams will help you do that. Now, there's two types of diagrams: there's the machine-generated diagram, and then there's the infrastructure diagram that you actually hand draw. I think everybody in this call would lean towards the one that you hand draw, not because it's great billable hours that you do while listening to music and drinking scotch, but because it is something that you can be more in depth with, it's more effective, and it certainly is a lot cleaner. So that's my soapbox moment. Lauro, I'm assuming you have comments? Or Zach?

I had a friend of mine that got himself promoted up into IT management. We were out at lunch one day and he said, "You know, I'm new to this role. Is there any advice that you'd give me that I could really kind of take with me?" And I just kind of thought, I'm in IT, and I said, "You know, always remember." Well, that's it. There's no punchline. I mean, it was just general advice: always remember. Right? Just because it's good to not forget things.

And then you walked away? Yeah, and then he walked away. There's no "always remember". This was the intern you were talking to. So no, "always remember SolarWinds123 is a great password." That is "always remember". Like, yeah, yeah, you don't want to forget stuff. Anyways, so I could say "never forget". I almost told him that too, but then he would ask me the same thing: "Never forget what?" I'm like, no, just never forget anything, ever.
Part of that joke is entering into the network diagram, right, the infrastructure diagram, the architecture diagram, the drawing with the pretty colors that needs to be very detailed. You know, Mike, I think everything you said is absolutely true and necessary. And I think if we look at civil engineering, how they can't build things without permits, and you have to have these blueprints. I'm sure that there are a lot of really smart civil engineers who could just go build a house, right? But to do it right, when they want to do it right, they build the diagram first, the blueprint, and they lock out where everything's going to go: the electrical outlets or the plumbing. They know how many feet of everything they need, right? It's all in the building materials, right on the BOM. And we can so benefit from that method of thinking as we go into infrastructure and technology, with software and everything else, because those diagrams have to be that source of truth. And like you said, when Humpty Dumpty falls off the wall, you better have some method. I can't tell you how many companies that we've worked with recently that only were taking snapshots. They had no real backup plan, and the snapshots weren't complete. And so when you have to rebuild in a bad time, it's a lot better when you have everything that you can have around you to make that process simpler and happen faster. Because not only are you going to be on the wire to build it all back, but you're going to have people looking at you and sitting over your shoulder watching you recover this, waiting, right? Like I wait for the guy at the Dairy Queen to make my smoothie. Actually, it's not a smoothie, I lied. It's one of the ones with candy in it. What do they call that? Concrete? Blizzard. A Blizzard, thank you sir. Yeah, but I still stand there at the counter anxiously waiting. I prefer the Peanut Buster Parfait. That's my parfait.

This show is not sponsored in any part by Dairy Queen or any subsidiary. It's a Dairy Queen. How do we recommend the consumption of meat, dairy products that might include lactose... Exactly.

You know, obviously when something breaks, it helps to have a blueprint to understand how to fix it, right? So that's critical. Now let's talk about, you know, what are your thoughts from an incident response perspective? What happens if you don't have good diagrams and something happens that's potentially malicious in nature? Screaming. I mean, yeah, panic, gnashing of teeth, pulling of hair, flaming, pointing the fingers at the intern. Instant Bilbo: it's Paul, he had the password. Yeah, one two three. We entrusted you, you had one job. Password. You were the password vault. You're not supposed to put it online.

You know, what happens is that you don't necessarily know how everything goes back together again, right? I mean, you don't know what device goes on what. You know, taking an example, an ESX host, right? You don't know what VM's going on what server necessarily. You don't know what connectivity is required. You don't know what ports are required to be open. You do not know what's encrypted, what's not encrypted. You may have a vague idea, but it would be better to have a blueprint, right? It would be better to have a map that shows you where to go, right? I mean, Google Maps is a thing for a reason, because we don't want to know how to get to some place, right? Yeah, when you have hardware security modules that you've deployed, like maybe almost two million dollars' worth, and then somebody leaves and you put somebody in charge that doesn't know what they're doing and they have to figure out how to update them and configure them and what communication is required, how they're deployed today, what that looks like. I mean, that's just such a helpful handoff, right, for somebody coming on. That doesn't happen. Just hypothetically speaking, you're saying? Right, yeah, like, you know, just in case. That was a totally hypothetical scenario. Totally hypothetical scenario.
Hypothetical. You know, and it could be anything, right? I mean, it could be another, like an antivirus solution, you know what I mean. But there are a lot more components than just... you're gonna worry about your main things like Exchange, right, and Active Directory. You're going to want to get that going so everybody can get onto the network, right? If you're Microsoft, you're going to believe that establishing that is the number one step back to normaldom, so you'll go that route. But then you'll have ancillary things that are out there: your web apps, internal applications that are running for people, your hardware security modules, maybe now firewalls need to be redeployed or re-architected because of changes. The more data you have on what that port, protocol and everything else looks like coming in and out of those tech, it's going to help you rebuild that infrastructure quicker, better and stronger. So it ties back into your business continuity plan as well. Capacity planning, right? I mean, and it should be integral to your change management. Yep. And vendor vetting, yeah, for tech vendors. So it's critical for a lot of reasons, you know, obviously, basically to run the operations of your, and security measures around, your technologies.

What would you say, so when you're going into an organization, let's say an organization has no architecture diagrams, or maybe they have some kind of automated stuff that was just made with a tool and isn't very accurate or helpful. What are your steps, or what is your approach to building these, in case somebody wants to go in and take this on yourself? What advice would you give them to start building out their diagrams for their organization?

Oh, I got one, I got two. This is my method. I know Mikey might have more. I think we've done this. Like, first off, you got to get a room with a big whiteboard. Yeah, you got dry erase markers, the squirt stuff that cleans the board really nice, and a good set of wipes. And then you got to make sure there's food on site, okay, because you're not getting any information out of anybody without the nibbles on site. So make sure you invest in those two things first. Don't skimp on the bagels. Get the good bagels. Don't, you know, pay the extra five dollars and go to a good deli and get good bagels. You want good data, you gotta have good bagels. Exactly. And get the cream cheese with the lox in it if you really, you know what I mean, like come on now. Ask for capers on the side. It'll make a world of difference to the individuals that are going in there. And then here's the thing: let everybody eat first, okay? Let them have their bagel and get down. Let them at least get four bites in before you start grilling them on the board. But start on the board: little simple things as they eat, write some things down, some objectives you want to accomplish, right? It's an information gathering session, right, with picture drawing. And then you've got to have a camera on site, because you're going to need to remember what you drew on the whiteboard that you can then take back to Visio or Edraw or some other program, right, where you're gonna put... CAD, where you can put the PowerPoint. Yeah.

And if you start before you let them eat a little bit, though, they're gonna be thinking about, damn, I got this great bagel in front of me. Exactly. Yeah, after I've had about three or four bites, I'm all yours. That's fine. Just let me have like half of it, half a cup of coffee, you know. So ease into that meeting. But you know, you have to run it like, I mean, you really have to do a whiteboarding session. And now with COVID and everything you can use Google or anything else with whiteboard sessions, but it's helpful to get the right people in the room. And I think that's the next most important thing besides the good food and the whiteboard and the colorful markers. Like, how do you think is the best way to get the right people? Because we see a lot where we'll be in there, we'll ask questions, and the individual will know maybe two things of the 40 things we need to know.

I think it shows that sometimes management doesn't know who the right people are, so you really actually need to talk to the SMEs, because they'll be like, "Oh, that's Fred that does that. It's not me, he's the guy that knows all that stuff," or "This guy has all the tribal knowledge," or "She's the one that created the database schema," and this, that and the other thing. So a lot of times it's like the initial, the pre-meeting, is what's going to tell you how to get the right people into the whiteboard meeting. Yeah, so I mean you bring everybody in for just a big, one-time meeting to talk about what the initiatives are, and then out of that have the breakout sessions. And then I think I've always benefited by doing it by the layers, right: meeting with the network team, understanding what they've got going on, and then bringing in the tools teams there, as well as they're needed, to have those kind of breakout sessions so that you can start putting that kind of holistic diagram set together.

Yeah, but I can tell you what not to do before those meetings. I remember the time when we were traveling and one of the consultants we were traveling with decided that he wanted to drink a lot the night before. Slammed a couple Booker's, which, as you know, is 130 proof bourbon, and proceeded to actually get up in the middle of a meeting and leave. And we looked out the window and he was working in a parking space just outside the window, which was great in front of the client. I thought that was... Not me, people. No, no, no, it's nobody on this call. Some of you on this call or some of you listening to this podcast may know exactly what I'm talking about, but no names. Names have no place here. No, no, no. There's more to that story, I just gave you the highlights, but yeah, don't be flammable when you walk to the meeting room.
So you have your data collection session, and hopefully nobody walks out throwing up. But once you've done that, what do you guys find as far as back and forth goes once you're sitting down in front of your machine and actually on Visio drawing these out? Then what?

Well, I find, and you know we joked about it, but you get your pictures out. If you have a couple monitors, that'll help, because you can keep a picture up and then look at the Visio. But, you know, create a relaxing environment for you. It's hard as hell to do in a cubicle, I'm gonna be honest with you. I mean, the best drawings that I do, just like the best writing I do, is at night. I have my music on, I'm in a relaxed area, my space, and start drawing, you know, in the nude. No, no, we're not going to do that. Let's go. Oh, I was talking about me, my bad. But yes. Well, you have a stand-up desk, I have a sit-down, so, you know, it's true. Touché. But yes, find someplace relaxing. And you're absolutely right, the easiest thing to do is to whiteboard it out with everybody in a room. Make it a fun thing, right? Try to make it fun, because people are going to have different opinions on why this information is being yanked out of them, right? So make sure you make it fun, make sure everybody's involved, and take pictures with your camera phone, and make sure you take those pictures home, if you've been in a relaxed place, however you prefer: robe, silky, and slippers, aromatherapy candles, peaches and bourbon burning in the background, sometimes some Nag Champa, maybe just a little. Yeah, but what's important is that you take that data that you got from those sessions and that you can then accurately report it back to whatever application you're going to keep it in, right? Visio or Edraw, I think those are probably the two main ones. I think CAD's kind of unrealistic, although Microsoft Word or PowerPoint are going to be sufficient at first.

I think what's important to talk about now is probably the data that you need to include, and that's probably one of the things that I think gets missed in a lot of the drawings we see. Wouldn't you say, Mike? I think, I don't want to talk bad about people's artwork, right? I think having anything is great, but you should be looking to improve always, right? Personal philosophy, anyways. The data that exists on there needs to really be detailed. Yeah, and relevant. And so not only does the data need to be accurate, it needs to be a part of the change process, so that you're looking at the document when the architecture, or something in the architecture, changes, and to review the document before you make a change to make sure you're not modifying any of the architecture that may require other departments or other changes. They need to be a source of truth, almost like your policy documentation, right, Mike? I mean, oh yeah, yeah. You know, ports and protocols, right? We do colors, right? So red is our secured transmission, so if you're running TLS from a database to a web app, as an example, right, it's gonna be red. If you're running just plain old SQL, it's gonna be black, right? Or you can make database connections another color, right? But they need to include everything that that application needs, and you're going to find that by RTFM, right? You're going to need to read the manuals, right? Go to the vendor, find out what ports and protocols are being used. Put your names on there. What are you calling it? Did you give it some weird name from the constellations? It's going to make you look at your naming convention also in your organization, because these servers, you have FQDNs, right, so they can operate internally, and then you'd have an IP address. You probably don't need the MAC on there, but it might be helpful, but you run into space issues with MAC. But yeah, I mean the IP, the memory, the disk, the OS, the OS version, all those kind of things need to be on every server. Yeah, because if you've got to rebuild a VM and you didn't know how much resources it had at first, you may have problems and not be aware that you're not giving enough memory, right? So that stuff that would have all been sorted out in real-time operations, that could have been reflected into the diagram, you would have that truth right someplace other than a technology that could be turned down, right? Yeah, and then what data cluster connects to what ports, obviously, what you touched on, what inbound ports are open to it. I mean, that's the big ones, right? Yeah, inbound ports, always. And then that's going to help you with PCI and other types of initiatives that are asking you to understand what inbound connections you require versus outbound, and the whole authorized ports and protocols conversation, right? It'll help you understand that. And this may be a big drawing, right? It may take up multiple pages. There's really no wrong way to do it, I think, as long as you approach it from a data science perspective and just try to record everything accurately as it exists today, so that you could build it back, right? Well, you again, especially, I was just thinking about VLANs, right? I mean, what ports are allowed to access through what VLAN, what firewall contexts are allowing what ports to get into what area, what traffic, if you have that much network segmentation. Yeah, actually, I think we have an example up in our resources for the Cyber Rants. Oh yeah, I think we do. Very good. I believe so.

Well, is it okay to use emojis for poorly configured or well-configured systems? No, that's not allowed. I need to stop doing that then. I didn't know that, Mike. Damn, I thought that meant it was good. I gotta stop. Yeah, I miss Clippy. I could just ask it a question.
That was a good talk on something that people need but oftentimes hate to do. Anything... Throwing in the caveat that we are actually doing this at nine o'clock in the morning, not five o'clock at night at a bar, so just so you're aware. Yep, that's right. I did have a cup of black tea, which does have some caffeine, so yeah. I put almond milk in my coffee this morning. Any final comments or smart remarks about architecture diagrams? You know, just do them. Yeah, it's like washing your armpits, you just gotta do it. Change your underwear, you know. Yeah, yeah, it's just good hygiene, like you wouldn't run with lice, would you? I mean, maybe you would, I don't know. If you tie it into your change management process, it becomes, I mean, initially it's a heavy lift, but once you tie it into your change management process it becomes just minor, you know, 15, 20 minutes here and there, depending on the amount of change you actually have in your environment. So just like everything else we do from a compliance standpoint, right, it's compliance spreadsheets that look massive and scary, and then you go through it and you're probably 60% done just by doing best practices. It makes it much simpler. You just kind of get over that initial hurdle, that initial big lift, get the diagrams done, and then just integrate it into your operational behavior and it makes life easier that way. Keep it up to date. Don't let it get old and broken. Or, as the old Army saying goes, if it ain't broke, fix it until it is.

Yeah, I think key takeaways from today: first one, build your architecture diagrams, or get somebody in there to do it for you, but either way it should be done. Critical, and it will make your life a lot easier moving forward. And then second takeaway, of course, is always blame the intern. So thank you very much for joining us today. Please rate our podcast, reach out, let us know your comments, ideas, thoughts, things that you want us to talk about, and we will address those in future episodes. Have a great day.

Pick up your copy of the Cyber Rants book on Amazon today, and if you're looking to take your cybersecurity program to the next level, visit us online at www.silentsector.com. Join us next time for another edition of the Cyber Rants podcast.
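The fields and colour convention the hosts describe in the transcript (FQDN, IP, memory, disk, OS and OS version on every server; ports and protocols on every connection; red for TLS-secured transmission, black for plain SQL) can be kept as data and checked before anyone draws in Visio. This added example is not code from the podcast or Silent Sector; the server names, addresses and sizes in it are constructed, and it emits Graphviz DOT as one possible rendering target.

```python
# Added example (not from the podcast or Silent Sector): keep the diagram data
# the hosts list as structured records, check each record for the fields they
# say every server needs, and render Graphviz DOT using their colour convention
# (red = encrypted transport such as TLS, black = plaintext such as plain SQL).
# All server names, addresses and values below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List

# Fields the episode says belong on every server box.
REQUIRED_NODE_FIELDS = ("fqdn", "ip", "memory_gb", "disk_gb", "os", "os_version")


@dataclass
class Node:
    name: str
    attrs: Dict[str, object] = field(default_factory=dict)


@dataclass
class Link:
    src: str
    dst: str
    port: int
    protocol: str
    encrypted: bool


def missing_fields(node: Node) -> List[str]:
    """Return required fields that are absent or empty on a server record."""
    return [f for f in REQUIRED_NODE_FIELDS if node.attrs.get(f) in (None, "")]


def validate(nodes: List[Node], links: List[Link]) -> List[str]:
    """Findings to fix before the diagram can serve as a source of truth."""
    findings: List[str] = []
    names = {n.name for n in nodes}
    for n in nodes:
        for f in missing_fields(n):
            findings.append(f"{n.name}: missing {f}")
    for l in links:
        for end in (l.src, l.dst):
            if end not in names:
                findings.append(f"link {l.src}->{l.dst}: unknown node {end}")
        if not l.encrypted:
            # Plaintext paths are what PCI-style reviews ask you to justify.
            findings.append(f"link {l.src}->{l.dst}: plaintext {l.protocol}/{l.port}")
    return findings


def inbound_ports(nodes: List[Node], links: List[Link]) -> Dict[str, List[int]]:
    """Inbound ports per server, the 'big one' the hosts call out."""
    result: Dict[str, set] = {n.name: set() for n in nodes}
    for l in links:
        if l.dst in result:
            result[l.dst].add(l.port)
    return {name: sorted(ports) for name, ports in result.items()}


def to_dot(nodes: List[Node], links: List[Link]) -> str:
    """Render Graphviz DOT; feed the output to `dot -Tpng` to get the picture."""
    lines = ["digraph infra {", "  node [shape=box];"]
    for n in nodes:
        a = n.attrs
        label = "\\n".join([
            n.name,
            f"{a.get('fqdn', '?')} / {a.get('ip', '?')}",
            f"{a.get('os', '?')} {a.get('os_version', '?')}",
            f"{a.get('memory_gb', '?')} GB RAM, {a.get('disk_gb', '?')} GB disk",
        ])
        lines.append(f'  "{n.name}" [label="{label}"];')
    for l in links:
        color = "red" if l.encrypted else "black"
        lines.append(f'  "{l.src}" -> "{l.dst}" '
                     f'[label="{l.protocol}/{l.port}", color={color}];')
    lines.append("}")
    return "\n".join(lines)


# Constructed sample inventory: one web app, one internal app, one database.
SAMPLE_NODES = [
    Node("web01", {"fqdn": "web01.corp.example", "ip": "10.10.1.10",
                   "memory_gb": 8, "disk_gb": 80, "os": "Ubuntu", "os_version": "20.04"}),
    Node("db01", {"fqdn": "db01.corp.example", "ip": "10.10.2.20",
                  "memory_gb": 32, "disk_gb": 500, "os": "Windows Server"}),
    Node("app01", {"fqdn": "app01.corp.example", "ip": "10.10.1.30",
                   "memory_gb": 16, "disk_gb": 120, "os": "RHEL", "os_version": "8.3"}),
]
SAMPLE_LINKS = [
    Link("web01", "db01", 5432, "postgres-tls", True),   # drawn red
    Link("app01", "db01", 1433, "tds", False),           # plain SQL, drawn black
]

if __name__ == "__main__":
    for finding in validate(SAMPLE_NODES, SAMPLE_LINKS):
        print("FINDING:", finding)
    print(to_dot(SAMPLE_NODES, SAMPLE_LINKS))
```

Run against the sample, the check flags the database record that lacks an OS version and the plaintext SQL path, which are exactly the gaps the hosts say bite you during a rebuild.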