#_SHELLNTEL

In penetration testing, it’s important to have an accurate scope and even more important to stick to it. This can be simple when the scope is limited to a company’s internet service provider (ISP) or ARIN-provided IP ranges. But in many cases, our client’s public systems have grown to include multiple cloud-hosted servers, applications, and services. It may seem obvious to say that anything owned or managed by the company should be in-scope for testing, but how do we know what is “owned” or “managed”? Ideally, we’d test everything that creates risk to an organization, but that isn’t always possible.

I led this article by stating that an accurate scope is critical to penetration testing. If the scope only includes the IP blocks provided by your ISP, you’re probably missing systems that should be tested. Alternately, pentesting a system that you don’t have permission to test could land you in hot water. The good news is that hosting providers like Amazon Web Services (AWS) and Azure allow penetration testing of systems within your account. In other words, because you manage them, you have the right to pentest them. In these environments, pentesting your individual servers (or services) does not affect “neighboring” systems or the cloud host’s infrastructure.

What risks are there?

In addition to the many compute and storage providers, you may also have websites and applications that are hosted and managed by a 3rd party. These still create risk to your company, but the hosting provider has complete control over who has permission to perform testing. When there is custom code or sensitive data at play, you should be seeking (written) permission to pentest/assess these systems and applications. If the host is unable or unwilling to allow testing, they should provide evidence of their own independent testing.

There are also going to be cloud systems that, despite creating risk to your organization, can’t be tested at all. This includes software as a service (SaaS) applications like Salesforce, SAP, and DocuSign.

And you guessed it… there are also systems like Azure AD, Microsoft 365, and Cloudflare that are not explicitly in-scope, but their controls may not be avoidable during external pentests. MS 365 uses Azure AD, which is basically a public extension of your on-premises (internal) Active Directory, complete with extremely high-performance authentication services. Most authentication attacks today take place directly against Azure AD due to its performance and public accessibility. In other words, an attacker could have your passwords before they ever touch a system on your network. Likewise, if your company uses Cloudflare to protect your websites and web applications, it inherently becomes part of the scope because testing of these apps should force you through their proxy/control.

Next steps

Hopefully this information will help you plan for your next pentest or assessment. If your company maintains an accurate inventory of external systems that includes all of your data center and cloud systems, you’re already off to a great start. Still, there is always value in doing regular searches and discoveries for systems you may be missing. One method involves reviewing your external DNS to obtain a list of A and CNAME records for your domains. (For ALL of your domains…) By resolving all of your domains and subdomains you can easily come up with a pretty large list of IP addresses that are in some way tied to your company. Now all you need to do is look up each IP to see what it’s hosting and who owns it. Easy, right?

If you don’t already have a tool for looking up bulk lists of IP addresses, or you prefer not to paste a list of your company’s IP addresses into someone else’s website, we’ve got a solution. Whodat.py was written to take very large lists of IP addresses and perform a series of whois and geoip lookups. If the IP address is owned by Amazon or Microsoft, additional details on the service or data center get added based on the host’s online documentation. This tool was designed for regular use by our penetration testers, but its concepts and capabilities are a core functionality of our CASM Engine™ and our suite of Continuous Attack Surface Management and Continuous Penetration Testing subscriptions.
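The inventory step described above, as an added example that is not Whodat.py or any SynerComm code: it follows CNAME chains in a DNS export, attributes each address by longest-prefix match, and attaches the scoping rule from this article. The record list, the owned range, and the cloud prefixes (laid out like AWS's published ip-ranges.json but using documentation addresses) are all constructed; a real run would add whois lookups for unmatched addresses.

```python
import ipaddress
import json

# Constructed zone export: (name, type, value). Addresses are RFC 5737
# documentation ranges, not real assets.
DNS_RECORDS = [
    ("www.example.com", "CNAME", "lb.example.com"),
    ("lb.example.com", "A", "192.0.2.10"),
    ("vpn.example.com", "A", "198.51.100.7"),
    ("api.example.com", "A", "192.0.2.200"),
    ("shop.example.com", "CNAME", "stores.saas-host.example.net"),
    ("loop.example.com", "CNAME", "loop.example.com"),
]

# Constructed data in the layout of AWS's ip-ranges.json ("prefixes" entries
# with ip_prefix, region, service). These are not real AWS prefixes.
CLOUD_RANGES_JSON = """
{"prefixes": [
  {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "AMAZON"},
  {"ip_prefix": "192.0.2.128/25", "region": "us-east-1", "service": "EC2"}
]}
"""

# Constructed: ranges allocated directly to the organization (ISP or ARIN).
OWNED_RANGES = {"198.51.100.0/24": "ISP allocation"}


def load_cloud_prefixes(raw_json):
    """Parse ip-ranges.json-style data into (network, region, service)."""
    doc = json.loads(raw_json)
    return [(ipaddress.ip_network(p["ip_prefix"]), p["region"], p["service"])
            for p in doc["prefixes"]]


def resolve(name, records, max_depth=8):
    """Follow CNAMEs inside the export. Returns (ips, dangling), where
    dangling is the name at which the chain left the export or looped."""
    a_records, cnames = {}, {}
    for rname, rtype, value in records:
        if rtype == "A":
            a_records.setdefault(rname.lower(), []).append(value)
        elif rtype == "CNAME":
            cnames[rname.lower()] = value.lower()
    current, seen = name.lower(), set()
    for _ in range(max_depth):
        if current in a_records:
            return a_records[current], None
        if current in seen or current not in cnames:
            return [], current
        seen.add(current)
        current = cnames[current]
    return [], current


def classify(ip, cloud_prefixes, owned_ranges):
    """Attribute one address: owned ranges first, then the most specific
    cloud prefix (the published list contains overlapping entries)."""
    addr = ipaddress.ip_address(ip)
    for cidr, label in owned_ranges.items():
        if addr in ipaddress.ip_network(cidr):
            return {"owner": "organization", "detail": label,
                    "scope": "in scope"}
    matches = [m for m in cloud_prefixes if addr in m[0]]
    if matches:
        net, region, service = max(matches, key=lambda m: m[0].prefixlen)
        return {"owner": "AWS", "detail": f"{service} {region} {net}",
                "scope": "in scope if the resource is in your account"}
    return {"owner": "unknown", "detail": "no range matched",
            "scope": "run whois and confirm ownership before testing"}


def build_inventory(records, cloud_prefixes, owned_ranges):
    """One row per (host, ip); hosts whose chain leaves the export get a
    row with ip=None so they are not silently dropped from scoping."""
    rows = []
    for host in sorted({r[0].lower() for r in records}):
        ips, dangling = resolve(host, records)
        if dangling is not None:
            rows.append({"host": host, "ip": None, "owner": "unresolved",
                         "detail": f"chain ends at {dangling}",
                         "scope": "identify the host; third parties need "
                                  "written permission"})
            continue
        for ip in ips:
            rows.append({"host": host, "ip": ip,
                         **classify(ip, cloud_prefixes, owned_ranges)})
    return rows


if __name__ == "__main__":
    prefixes = load_cloud_prefixes(CLOUD_RANGES_JSON)
    for row in build_inventory(DNS_RECORDS, prefixes, OWNED_RANGES):
        print(f"{row['host']:<18} {str(row['ip']):<14} "
              f"{row['owner']:<13} {row['scope']}")
```
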

One of the things I have noticed while working at SynerComm over the years is that while most companies have employees on staff who possess the necessary technical knowledge to complete their projects, many organizations lack the logistics knowledge that large‐scale deployments require. As such, many companies typically rely on their project managers to handle these deployments. While project managers possess a wide variety of skills, few have extensive experience handling the logistics of large, complex deployments and could benefit from some expert advice and assistance.

To fill this knowledge gap and help our partners succeed, SynerComm created ImplementIT, a production‐readiness approach that offers smooth deployments for IT organizations looking to scale their operations.

Handling the Logistics of Large-Scale Deployments: Tips for IT Personnel & Project Managers

Experts like the team at SynerComm can help you define, model, and analyze your options when it comes to procurement, staging, testing, coordination, shipping, installation, and support. Even if you ultimately decide not to partner with an external logistics team, your organization can still benefit from their advice and learn how to avoid many of the common pitfalls associated with large, complex deployments that unprepared teams are more likely to encounter.

The SynerComm team is always happy to help and appreciates the opportunity to help organizations consider all their options and plan their approach to any large, complicated deployment. Though each project has unique factors that need to be considered, many deployment projects share at least some similarities. An impact and approach analysis conducted with help from the experts is a small investment that can save your organization time and money while minimizing frustrating delays and other challenges.

The Benefits of ImplementIT

ImplementIT has been specifically designed to help set project managers, and their projects, up for success by offering advice as well as practical assistance.

To help ensure each deployment goes smoothly, all ImplementIT customers are assigned their own SynerComm project manager. All of our project managers are trained to blend well with your PMO requirements while bringing recent and relevant logistics experience to the table. They also have extensive experience managing and mitigating the common risks and issues frequently associated with shipping (particularly international shipping), as well as the skills required for country‐specific installation and support.

ImplementIT project managers are able to integrate seamlessly with your organization, expanding your team’s capabilities when it comes to large‐scale, geographically diverse, and complex deployments. Your ImplementIT project manager is there to help you make decisions and avoid potentially costly and time‐consuming issues. Our culture of collaboration and transparency means we gladly share our knowledge freely, setting PMOs up for success and teaching them the skills they need to handle future deployments on their own while also offering ongoing support and advice as requested.

The ImplementIT Process

The first thing we do before we begin any logistically challenging IT project is sit down with your project managers to ensure we understand your schedule and your outcome requirements. Once we are certain we are all striving towards the same goal, we identify atomic units for the project, including sites, systems, and milestones, and define the high‐level breakdown structure required to manage the deployment of those units. During this phase, we also take into account all related activities, communications, and deliverables to help ensure the deployment goes as smoothly as possible.

Once all parties are on the same page regarding those higher‐level concepts, our team begins codifying these concepts into a working model. This includes layering in details and assumptions based on our extensive experience and capturing the supporting variables for common decision sets. This model allows our team to work closely with your team so we can effectively communicate and explain cost, quality, and schedule expectations based on our expert assumptions.

Working together, we begin changing the variable decision points in order to gain an immediate understanding of what the impact of various decisions might be. By working together through the options using real‐time impact information, the two teams can co‐author an approach that is mindful of your project's unique considerations. We also work to create a solid rapport and establish open lines of communication between both teams early on in the project. This helps minimize the chance of unwelcome surprises, ensuring we consider all possible options and setting the project up for success. In an effort to avoid unpleasant surprises and ensure the deployment goes as smoothly and seamlessly as possible, we try to ensure all assumptions, risk, deliverables, schedules, measures, and metrics are clearly understood on both sides upfront.

Why Risk & Issue Management is Vital to Project Success

As an IT and logistics professional, I can never emphasize enough the value of a solid approach to risk and issue management. Most large‐scale deployments need to be deployed to hundreds or even thousands of sites and require the coordinated cooperation of dozens of teams and individuals. As such, no deployment is ever completely issue‐free.

Common issues I have encountered over the course of my career include:

The key to keeping any project on track and progressing smoothly is complete visibility. We have achieved this by creating a single secure portal that handles all tracking, reporting, documentation, testing, and communication. By ensuring all critical information and communication occurs through a single, centralized portal such as the one ImplementIT leverages, we can help ensure that all key stakeholders are on the same page at all times and have total visibility into all aspects of the project.

By leveraging SynerComm’s full team of highly qualified IT and logistics staff, you don’t need to redeploy valuable, internal IT staff to handle “rinse and repeat” style deployments. This means that your internal IT professionals can continue to focus on higher‐impact projects and activities designed to grow and safeguard your business.

ImplementIT combines the indispensable technical knowledge of qualified IT professionals with the critical skills required to smoothly and seamlessly handle large‐scale, complex deployments, allowing you and your team to focus on what matters most: your business.

For more information about ImplementIT, or to get started on your next large‐scale deployment, please contact us today.

Why Trust is Essential

Our valuable experience is both deep and broad. We have extensive experience with IT infrastructure, security, operations, management, and logistics, allowing us to serve our customers' entire spectrum of IT lifecycle needs.

Our customers know they can count on us for sound advice and concrete, value‐added solutions. They have come to expect consistently careful, time‐appropriate approaches to each project that allow them to maximize their chances of success regardless of project size or complexity. From large, complicated projects with many moving parts to small but vital support activities, our customers know that we are there for them every step of the way.

Our team has worked hard to cultivate this culture, and it has benefited us in many ways, driving us to earn the status of trusted advisor to every customer with whom we are lucky enough to partner. Our team continues to be grateful to our customers, who allow us to grow through their continued business as well as sincere, unsolicited referrals.

How SynerComm Builds Trusting Relationships

Our team begins every project by listening to our customers carefully and hearing their asks. This listen‐first approach allows us to work with purpose, seeking and confirming our understanding of our customer's challenges by bringing questions and ideas to the table. Our customer interactions are guided by and benefit from the depth and breadth of our knowledge in both the IT infrastructure and logistics spheres. We have extensive experience designing, building, and supporting IT infrastructure and operations for customers in a wide variety of industries and verticals.

Instead of spending our time "selling" ourselves to our customers and prospects, we focus our energies on investing in the right solutions for our customers and letting our excellent work speak for itself.

We apply this same customer‐focused approach to our new ImplementIT service, which allows us to use SynerComm's technology, infrastructure, security, operations, and logistics expertise on our customer's behalf. We create and implement innovative solutions for their unique and challenging problems. We learn as we execute and are always ready to adapt quickly to changing circumstances.

There is no such thing as a one‐size‐fits‐all deployment, which is why we don't offer one‐size‐fits‐all solutions. To create your perfect, custom solution, we adapt our efficient, knowledgeable, experienced approaches to address your project's unique requirements. Our ability to consistently apply our broad and deep expertise when working with our customers to plan, execute, and manage large‐scale deployment projects successfully has allowed SynerComm to become a trusted advisor to our valued customers. Our unique ability to effectively combine our experience, expertise, and detail‐orientated approach to business sets us apart from the competition.

The SynerComm Approach

Our ability to combine our extensive IT knowledge with our logistics experience makes SynerComm unique and gives us the tools we need to handle even the most challenging deployment. This expertise, paired with our dedication to white‐glove service, offers an unparalleled customer experience.

White-Glove Service: So Much More than Just a Checklist

Many companies claim to offer "white‐glove service," offering a rigid set of one‐size‐fits‐all processes and procedures that allow them to check off items on a checklist. Our approach is different. We value our customer relationships immensely and think of our customers as part of the team. We are driven by a deep‐seated and pervasive culture that drives us to always do right by each and every customer. White‐glove is more than a checklist; it's a way of conducting business that governs every aspect of our company. Our white‐glove philosophy guides our employee selection, development, and retention processes. It allows us to best leverage our team's critical skills and expertise as well as those of our trusted technology partners.

Our white‐glove philosophy determines how we structure, motivate, and manage our teams, as well as how we advocate on behalf of our customers and maintain high levels of communication. This philosophy is fueled by our passion for freely and transparently sharing our knowledge and expertise.

All of our ImplementIT customers benefit from the same white‐glove approach for which SynerComm is known. Like all the work we do, all ImplementIT projects are built on collaboration and transparency, from development to implementation. We pride ourselves on making sure our ImplementIT customers never have to wonder how their project is progressing. We provide continual updates via real‐time and scheduled interactions, which are supported by a combination of detailed and summarized graphical and tabular reporting. This ensures our customers always know our team is on top of the project's risks and issues. If we do encounter obstacles or challenges, we will actively work to get the project back on track and ensure a successful outcome. We work hard to efficiently handle every task and create affordable, value‐added solutions on reasonable timelines by leveraging our company culture built on communication, collaboration, and healthy relationships.

Specialized Logistics & IT Knowledge

Our extensive and specialized knowledge of IT infrastructure benefits our customers in many ways, including allowing us to optimize schedules and improve our accuracy. SynerComm has a history of developing automation solutions for large projects that dramatically improve the speed, consistency, and accuracy of both testing and validation. Our familiarity with a wide variety of vendors and technologies helps us minimize errors and helps ensure the right equipment has been processed and shipped. This familiarity, along with our attention to detail, is critical because sometimes there are only subtle differences in part numbers between vastly different pieces of equipment.

We also have a great deal of experience shipping and supporting technology all over the world. Our work has allowed us to build up an extensive experience and knowledge base and develop healthy and strategic partnerships with companies worldwide, which we can leverage to best help our customers. A few of our customers already had strong international shipping capabilities before partnering with us and rely on us for validation and confidence. However, most of our customers rarely need to ship equipment internationally, allowing them to access our wealth of experience whenever international shipping is required.

Our concerted effort to build trusting relationships with our customers and partners has served us well. Here are four scenarios where that trust was integral to getting the job done, maximizing efficiency, minimizing costs, and getting it done right.

Case Study One: The Difference Trust Makes

One of our customers, a large retail chain, had experienced a multitude of challenges in the past whenever they tried to deploy new technologies in their retail locations and distribution centers. These challenges, including problems with communication and coordination between the head office and retail locations, hardware that arrived in an unusable state, and a variety of lost shipments, had made deployments a headache for this customer. A better approach was needed.

Issues such as these are one of the most common reasons deployments experience significant delays and unnecessarily high hardware costs and create conflict between the corporate and retail location teams. Frustrated with their current approach and impressed by our previous successes with similar projects, this client decided to approach SynerComm for help.

We were able to model our ImplementIT approach and collaborate closely with the customer, creating a detailed proposal. By listening carefully to the customer's past challenges, we developed specific processes, procedures, and communication plans designed to overcome these challenges and deploy the project smoothly. Given the client's previously poor deployment experiences, we also took additional measures to account for any possible delays or issues; this included purchasing 7% more equipment than was necessary and budgeting twice as much time to complete the project as we usually would.

With our plan in place, SynerComm was able to successfully deploy the new network infrastructure across approximately 2100 retail locations in both North and Central America. The entire deployment took only five months, and no equipment was lost or damaged. Our customer ultimately recovered cost by returning the extra gear they purchased and repurposing staff to other projects. Like all projects, there were challenges. No large project is ever completely free of risks and issues. However, our team remained accountable to the client and shouldered the responsibility of identifying and addressing potential risks and issues so they could be mitigated and minimized.

As a company, we don't believe in finger‐pointing, just solutions. Our professional, white‐glove approach made a measurable difference for this large retailer and has raised their expectations and standards for all future deployment projects.

Case Study Two: When Building a Trusting Relationship is Challenging

Building a relationship built on trust takes both time and dedication and isn't always easy. One example of a time it was difficult for us to gain a customer's trust involved working with a large, international manufacturing organization. This organization needed help with a global deployment of an IPS (intrusion prevention system) solution and solicited bids from several companies. Though SynerComm was not one of the initial companies invited to submit a proposal, we had a strong existing relationship with this customer that had developed over time as they leveraged other SynerComm services. Because of our existing relationship, we learned of their need and asked to join the bidding process. Though the customer permitted it, they warned us that they were also considering many long‐standing deployment services partners, so our chance of winning the contract was slim.

While the other companies' bids relied on proposals based solely on what the customer had asked for, we decided to take a different approach. We developed a solution model in a spreadsheet format that allowed for variables to be changed and gave the customer immediate insight into how those changes would impact the project's cost, quality, and schedule. By collaborating within the solution model, our team built a rapport with the customer by showing them, interactively and in real‐time, how they could change potential solution options and deliverables and gain immediate insight into how those changes would affect the project.

The customer was incredibly impressed and immediately saw the value of our approach and process, which allowed them to learn, develop, and evaluate potential alternative approaches to communications, coordination, shipping, tracking, reporting, and managing international technology deployments.

Our unique and insightful approach meant SynerComm went from being a long‐shot to being the front runner and caused the client to rethink their approach to the project. In light of the insight and flexibility that SynerComm demonstrated, our customer asked all of the other bidders to resubmit proposals. The proposals were to be reworked to align with the approach the customer and our team had developed together.

SynerComm ended up winning the contract, but in the end, both SynerComm and the customer were winners. We were able to help the customer save time and money while eliminating most of the fear, uncertainty, and doubt that frequently accompanies large‐scale technology deployments. Because of the innovative, flexible, and responsive solution we brought to the table, SynerComm is now on the shortlist of partners this customer trusts to deliver projects at this scale. Since completing that first ImplementIT engagement, this customer has called upon our team to assist them with a variety of different international deployment and support projects.

Case Studies Three and Four: Having a Trusted Advisor is a Huge Asset for Any Organization

Our customers rely on us for more than just IT solutions; many also consider us trusted advisors. Knowing we have their best interests at heart, many customers seek our advice on logistics and IT. Our assistance helps customers assess potential improvements to their approach and handling of projects and tasks.

One customer had traditionally purchased all equipment for each project in the country the solution was to be deployed. While this strategy's goal was to offset the perceived expense of international shipping, tariffs, and related costs, this approach caused expensive inconsistencies, necessitated reorders, and created a need for multiple site visits by IT resources. With help from SynerComm, this customer now purchases all of their equipment from American manufacturers, relying on our experienced team for staging, validation, and coordination of field deployments. This new approach has reduced the customer's costs and allowed them to benefit from deterministic outcomes.

Another customer operates, administers, and maintains equipment in hundreds of field offices across the United States. Historically, this customer received all field office equipment upgrades at their headquarters. A team of IT professionals then managed the configuration, staging, testing, storing, and shipping process on a project‐by‐project basis. This process caused a variety of inconsistencies and problems with communication, inventory management, and field rework. To help streamline their deployments, this company now relies on SynerComm to manage and maintain all of their inventory, staging, and shipping processes so that they can focus their attention on value‐adding communication and coordination activities between their headquarters and field offices.

Both logistics and IT can be challenging, and having the right partner can mean the difference between a smooth, successful deployment and a deployment riddled with problems and delays. No matter how large or small your deployment is, you need to know that you can trust your logistics and IT partner to provide you with tailored solutions, sound advice, and trustworthy white‐glove service. For more information about how ImplementIT can make your next deployment stress‐free or get started on your next project, please visit our page.

SynerComm partnered with ChannelBytes to present a 60-minute session where we discuss what it means to do quality, modern penetration testing in 2020.


Penetration testing is a core part of the networking security toolset, but few people outside of industry specialists understand what penetration testing is, when to make use of it, and most importantly, what to do with the information it provides. This 60-minute session will answer those questions, dispel pentesting myths, and outline clear use cases.

We will be chatting live, fielding your questions, and doing our best to jam as much pen testing value into an hour as possible.

Video created by channelbytes.com

Participating in Black Hat USA 2020, we sat down with Dark Reading, where our own Brian Judd, VP Information Assurance, discusses how we are innovating and evolving penetration testing.

See more at www.darkreading.com

company contingency planning

Although contingency planning has a healthy focus on technology, it still requires people to interface with that technology, to configure and program it so that it will perform some productive task, and to fill a number of other roles. In truth, due to the ubiquity of technology within any business, contingency planning is a company-wide effort. Not only the planning, but the execution of the plan at any level will require the cooperation of business managers and technology managers. What needs to be understood is that contingency planning, from a business perspective, is a vital part of COOP. The procedures for addressing a pandemic belong within COOP and information security contingency planning. Information system contingency plans, as well as COOP, cannot be created in a vacuum, as their scope impacts the entire organization. This is a primary driver for the need to ensure these plans are officially recognized and distributed to all parts of the company. A good source of information on how to address contingency planning can be found in the National Institute of Standards and Technology (NIST) publications, which is where much of the following guidance can be found.

Pandemic Contingency Plan

Pandemic contingency actions, as may appear obvious now, focus on protecting the workforce while still conducting some form of business operations. When an incident occurs that impacts an organization’s personnel, it likely will impact the information system operations. A prime example of this, seen with COVID-19, was the sudden, immediate need for staff to work remotely. This step is clearly linked to proper considerations for the safety, security, and well-being of personnel during a disruptive event, which is a goal of contingency planning. Organizations should also have in place methods and standards for sending out responsive messages to personnel, as well as considerations for responding to media inquiries on the topic of staff safety and ongoing operations. Considering the heightened awareness of these issues due to COVID-19 and general increased security throughout our society, personnel considerations for staff warrant discussion in all contingency planning related areas.

The organization’s COOP and contingency plan should contain the steps and details to address how the organization will:

  1. Protect employees’ wellbeing during a pandemic
  2. Sustain essential business functions during significant times of absenteeism
  3. Support the overall national and global response during a pandemic
  4. Communicate guidance and support to stakeholders during a pandemic

Pandemic Unique Considerations

As we have seen with the COVID-19 response, common strategies to protect personnel health during a pandemic outbreak include more strict hygiene precautions and a reduction in the number of personnel working in close contact with one another through the implementation of “social distancing.” To address this challenge, organizations need to have in place approved telework arrangements to facilitate social distancing through working at home while sustaining productivity.

In some situations, organizations may need to use personnel from associated organizations or contract with vendors or consultants if staff are unavailable or unable to fulfill responsibilities. Preparations should be made during contingency planning development for this possibility to ensure that the vendors or consultants can achieve the same access as staff in the event of a pandemic. Once personnel are ready to return to work, if the facility is unsafe or unavailable for use, arrangements should be made for them to work at an alternate site or at home. This should be an alternate space in addition to the alternate site for information system recovery. Personnel with home computers or laptops should be given instruction, if appropriate, on how to access the organization’s network from home.

Significant events like COVID-19 take a heavy psychological toll on personnel. Employee Assistance Programs (EAP) should be considered as a useful and confidential resource to address these issues. Nonprofit organizations, such as the American Red Cross, also provide referrals for counseling services as well as food, clothing, and other assistance programs. Personnel generally will be most interested in the status of the health benefits and payroll. It is very important that the organization communicate this status.

The Key – Prior Planning

In addition to the above, the best way to prepare for a possible pandemic health crisis really comes down to planning carefully. Once a plan has been assembled, not only do you want to be sure that it is stored in a secure location, but also have copies appropriately distributed. A crucial component of these contingency plans is that they are reviewed on an annual basis to address changes that occur over time. Be sure that your contingency plan includes:

  1. Reviewing relevant policies and practices from authoritative sources, such as government agencies. In the case of COVID, reviewing information from the Centers for Disease Control and Prevention (CDC), would be pertinent.
  2. Developing human resources management strategies to deal with circumstances that may arise during a pandemic health crisis.
  3. Testing plans of action and telecommunication systems to ensure readiness.
  4. Communicating with employees, managers, and other stakeholders prior to, during, and after the pandemic health crisis.

When planning, one of the first elements to settle, and an important one that can be difficult to get your arms around, is “who will be responsible for what?” Generally speaking, organizations should rely on their business unit structure to help identify where specific tasks should fall. This straightforward approach should be a first step and will likely identify that most operations will remain within the same unit. It will be critical to review those operations to ensure that inter-departmental support from other areas is not required. There are additional overarching principles for roles and responsibilities that will need to be clearly defined for this plan. When planning for overall roles and responsibilities, areas to consider are:

Organization Roles and Responsibilities

  1. Provide resources for training and testing
  2. Ensure communication systems work
  3. Develop guidance on protecting sensitive information and providing for contingency hiring

Supervisory Roles and Responsibilities

  1. Plan for short and long-term disruptions
  2. Stay in constant touch with employees and leadership
  3. Develop guidance on protecting sensitive information and providing for contingency hiring

Employee Roles and Responsibilities

  1. Be ready for alternative work arrangements
  2. Protect sensitive information
  3. Stay in constant touch with management

If these considerations are not part of your overall contingency plan for pandemic response, review and see where they might fit best in the existing framework. If you were one of the many organizations that were caught off-guard by the needed actions to address COVID-19, this should help as a starting point for structuring future plans. What cannot be overstated is that the time to act and produce a relevant contingency plan and COOP is now.

Contact SynerComm to find out how our consultants can assist with not only the pandemic contingency planning, but with technical support and guidance in the areas of hardware, software and networking.

The COVID-19 event, obviously, has had a wide-reaching negative impact for the entire country. Despite this, even in the face of the trauma linked to the loss of loved ones, we will eventually prevail and see the other side of this event. When that happens, a return to more normalized business operations will closely follow (if not already underway). There is a unique, somewhat limited, opportunity to position your organization for a far better response to this kind of event in the future. The primary method to achieve this is from an investigative effort, or what is more commonly referred to as a “lessons learned” exercise. In this case, the focus will be on the organization’s continuity planning, or contingency planning, approach and execution.

One way of viewing this exercise is from the phrase “Those who do not learn from history are condemned to repeat it.” Essentially, when mistakes happen, learn from them or you’ll be likely to encounter the same failures. The approach of a “lessons learned” exercise is a method of continuous improvement that is based on a singular event (COVID-19) or similarly related events. The entire goal should be to find areas where business unit operations or actions had difficulty or issues with the event under review. Generally speaking, a “lessons learned” exercise should be applied to all projects and, where it makes sense, to any smaller efforts made by an individual or handful of staff. This goes to its general principle of increasing efficiency and effectiveness in similar future events.

Lessons Learned Steps

For guidance, here are some suggested steps for carrying out a “lessons learned” exercise:

  1. Establish a person and team (tiger team) to manage the exercise. Dedicate time for meetings (and hold them, with an agenda)
  2. Ask questions, request feedback from business units and meet with managers to get direct feedback as to challenges encountered
  3. Consolidate feedback and information within documentation – have a dedicated role for maintaining minutes and records
  4. Based on data gathered and tiger team determinations, make recommendations for changes to existing plans or launch initiatives for new plans as needed, via a Plan of Action and Milestones (POAM). Ensure completion of the POAM
  5. The team should look to move to a quarterly or annual meeting to track progress on POAMs and provide historical knowledge to the exercise outcome. Store plans for future reference and use as a guideline for any other areas needing improvement

As with most things that address improvement, the first step is to set aside dedicated time to organize and focus on the effort. This will involve identifying the staff and lead manager that will be needed for the team that tackles this important undertaking. The staff will need to dedicate time to focus on the task at hand – this may not be very easy depending on how recovery efforts are running. A notable challenge can be the need for accurate recall, in the absence of on-going issue tracking during the event. Regarding how much time to dedicate, have as many sessions as needed, but be aware of scope creep. A good method to guard against scope creep is for the team to set specific goals at the outset of the exercise. If other more significant issues arise, it may be best to have a separate investigation, so that proper focus and resources can be dedicated to each. A primary goal at this first stage should be the understanding that these meetings are to be kept (take attendance if needed) to get things kicked off and so the team can leverage the time-frame where staff still can readily recall details of their issues. Hopefully, some of the issues were already being noted during the crisis. If not already part of your contingency procedures, consider adding an “active event issues” list, as well as coordinating that data via check-ins with higher management. For the lessons learned, gather that information and data. The entire organization should understand that this exercise is underway and to provide any assistance needed to help the company be more successful in the future.

Key Questions

Once meetings have been established and are running, the effort will involve information gathering, where feedback should be openly asked for. Consider soliciting information from the entire organization, if appropriate and acceptable. In general, be sure to capture the following:

  1. What worked? These are things that you wish you had more of, that provided some level of assistance (even if small) and were successful, even if only deployed right before the end of the event.
  2. What didn’t work? Obviously, this goes to areas where weakness was seen. What gaps were noted? And are any currently being worked on for a solution? Assess the potential need for that solution in the future and be sure to keep it moving forward to closure.
    • If this step results in long lists of issues being presented, consider asking for a “top 3” or “If you had to pick only 1 item, what were you most frustrated with during the crisis?”

Once the information has been gathered, it will need to be organized, condensed and reviewed for actionable issues. The staff to conduct those reviews should follow the business unit structure, where finance issues are reviewed by the finance department, technology issues reviewed by the Information Technology department, and so on. The information learned from these issue reviews must be captured in documentation and then collected for the group and team lead to review. Therefore, there is a need for a recognized keeper of documentation, including meeting minutes. All those on the team will coordinate with the records keeper to ensure full and accurate data is maintained on the issues being addressed. The minutes are generally distributed to the team for review and coordination of efforts on any “asks” from those meetings.

After there is confidence from the team that pertinent issues have been identified, start the hunt for solutions. Some problems will be easier than others and don’t forget to leverage the organization for ideas on how to address those problems. In the case of COVID-19, everyone has been impacted and likely will have some general idea as to what potential solutions could address the myriad of identified issues or gaps. Take those ideas and formulate a plan to address the issue and review solutions to ensure that they will indeed address the problem identified. A recognized method for implementing a fix is the Plan of Action and Milestones (POAM), which can be found in great detail within the National Institute of Standards and Technology (NIST) publications. After that, take corrective action following the POAM to resolve the gaps, adjusting as needed along the way.

Wrap up

Finally, keep an archive of the lessons learned activities for review and tracking. At the end of the exercise, it will be apparent that focused effort was expended to obtain results and the successful methods used should be repeated. Conducting this exercise will bring forward skill sets that can be re-engaged to address problems that trouble the organization elsewhere. As a last step, if not already part of the overall exercise, a summary report should be assembled to show the results from the team’s efforts. Send the report up the management tree for review, including executive management. Given the scope and impact of this event, and in order to prevent history from repeating itself, this should be a report of interest.

We will next look at the outline for a pandemic response and what should be considered for contingency planning, in the event that COVID-19, or something similar, comes knocking again.


What is a Pwnagotchi?

From the Website:

Pwnagotchi is an A2C-based “AI” powered by bettercap and running on a Raspberry Pi Zero W that learns from its surrounding WiFi environment in order to maximize the crackable WPA key material it captures (either through passive sniffing or by performing deauthentication and association attacks). This material is collected on disk as PCAP files containing any form of handshake supported by hashcat, including full and half WPA handshakes as well as PMKIDs.

https://pwnagotchi.ai/intro/
Sound Familiar?

In case you're curious about the name: Pwnagotchi (ポーナゴッチ) is a portmanteau of pwn and -gotchi. It is a nostalgic reference made in homage to a very popular children's toy from the 1990s called the Tamagotchi. The Tamagotchi (たまごっち, derived from tamago (たまご) "egg" + uotchi (ウオッチ) "watch") is a cultural touchstone for many Millennial hackers as a formative electronic toy from our collective childhoods.



Cost

Notes


Unboxing

Side B


Flashing an Image

From https://pwnagotchi.ai/installation/#flashing-an-image:

The easiest way to create a new Pwnagotchi is downloading the latest stable image from our release page and writing it to your SD card.

Once you have downloaded the latest Pwnagotchi image, you will need to use an image writing tool to install that image on your SD card. We recommend using balenaEtcher, a graphical SD card writing tool that works on Mac OS, Linux, and Windows; it is the easiest option for most users. (balenaEtcher also supports writing images directly from the ZIP file, without any unzipping required!)

To write your Pwnagotchi image with balenaEtcher:

As an alternative you can use dd on GNU/Linux or macOS:

Change the path to your image file; /dev/sdcard is the path to your SD card device.

dd if=path/to/pwnagotchi-raspbian-lite-XXX.img of=/dev/sdcard bs=1M

Wait before removing the SD card as you will need to create one last file on it with the initial configuration.

https://pwnagotchi.ai/installation

Connect Your USB Micro to the Data Port and Wait for the Pwnagotchi to Boot

Configure Your Newly Found Ethernet Adapter

Connect to the Terminal via Putty


Words of Caution


Example Config

Edit the config located in /etc/pwnagotchi/config.yml, restart, and you should be good-to-go.

# Add your configuration overrides on this file any configuration changes done to default.yml will be lost!
# Example:
#
# ui:
#   display:
#     type: 'inkyphat'
#     color: 'black'
#
main:
  name: '<NAMEOFPWNAGOTCHI>'
  whitelist:
    - '<YOURNETWORK>'
  plugins:
    grid:
      enabled: false
      report: false
      exclude:
        - '<YOURNETWORK>'
ui:
  display:
    enabled: true
    type: 'waveshare_2'
    color: 'black'
  web:
    username: pi
    password: <YOURPASSWORD>

Anatomy of a Pwnagotchi Screen (https://pwnagotchi.ai/usage)


Completed Build




- @TheL0singEdge


“So, let’s say we fix all of the vulnerabilities that the pentest discovers… How do we know tomorrow that we’re not vulnerable to something new?”

~Customer

Bridging the Gap Between Point-in-Time Penetration Tests

Having been part of the penetration testing industry for over 15 years, I’ve been challenged by many clients with this very question. The fact is that they are right: a penetration test is a point-in-time assessment, and new vulnerabilities are discovered every day. We hope that our patch and vulnerability management processes, along with our defensive controls (firewalls, etc.), keep our systems secure. Over the past 5 years, we’ve experienced a rise in the number of clients moving towards quarterly penetration testing and seeing the value of rotating through different penetration testers.

In 2017, SynerComm’s penetration testers decided to put their heads together to develop an even better solution. (Honestly, one of our top guys had been nudging me for two years with an idea already…) We agreed that nothing replaces the need for regular human-led penetration testing. As of today, no amount of automation or AI can come close to replicating the intuition and capabilities of an actual penetration tester. That said, if we can be confident that nothing (ok, very little) has changed since the last penetration test, we can be significantly more confident that new vulnerabilities are not present. Building on this idea, the continuous pentest was born.

Continuous Pentesting

Continuous pentesting combines the best of both worlds by using automation to continually monitor for changes, and human pentesters to react to those changes quickly. Computers are great at monitoring IP addresses, services, websites, and DNS. They can also monitor breaches and data dumps for names, email addresses, and passwords. What makes continuous pentesting successful is taking actions based on changes and using orchestration to determine if additional scans can be run and if a pentester should be alerted.

There is no replacement for the validation provided by a thorough, skilled, and human-led penetration test. External and internal pentests with social engineering demonstrate precisely how a determined and skilled intruder could breach your company’s systems and data. Continuous Penetration Testing focuses on public systems and online exposures and should always follow a full, human-led, external penetration test. Partner with SynerComm and we’ll keep an eye on your perimeter security year-round.
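The change-monitoring loop described above can be sketched as a diff between two perimeter snapshots, followed by a triage decision for each change. This is an added example, not SynerComm's tooling: the snapshot layout, the triage rules, and all addresses and names (documentation ranges and example.com) are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample data: documentation address ranges and example.com names.
IN_SCOPE = [ip_network("203.0.113.0/24")]  # assumed authorized test range

BASELINE = {
    "services": {("203.0.113.10", 80), ("203.0.113.10", 443), ("203.0.113.20", 25)},
    "dns": {"www.example.com": "203.0.113.10", "mail.example.com": "203.0.113.20"},
}
LATEST = {
    "services": {("203.0.113.10", 443), ("203.0.113.20", 25), ("203.0.113.30", 3389)},
    "dns": {"www.example.com": "203.0.113.10", "mail.example.com": "203.0.113.21",
            "dev.example.com": "198.51.100.7"},
}


@dataclass(frozen=True)
class Change:
    kind: str     # new_service, closed_service, new_dns, changed_dns, removed_dns
    asset: str    # "ip:port" or DNS name
    detail: str
    rescan: bool  # may automation run a follow-up scan?
    alert: bool   # should a pentester be notified?


def in_scope(ip):
    """True only for addresses inside the agreed, authorized ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in IN_SCOPE)


def _exposure(kind, asset, detail, ip):
    # Assumed rule: a new or moved exposure always reaches a human, but
    # automation only rescans addresses inside the authorized scope.
    return Change(kind, asset, detail, rescan=in_scope(ip), alert=True)


def diff_snapshots(old, new):
    """Return the triaged changes between two snapshots, in a stable order."""
    changes = []
    for ip, port in sorted(new["services"] - old["services"]):
        changes.append(_exposure("new_service", f"{ip}:{port}", "port opened", ip))
    for ip, port in sorted(old["services"] - new["services"]):
        # Reduced exposure is recorded but needs no scan and no alert.
        changes.append(Change("closed_service", f"{ip}:{port}", "port closed", False, False))
    for name in sorted(old["dns"].keys() | new["dns"].keys()):
        before, after = old["dns"].get(name), new["dns"].get(name)
        if before == after:
            continue
        if after is None:
            changes.append(Change("removed_dns", name, f"was {before}", False, False))
        else:
            kind = "new_dns" if before is None else "changed_dns"
            changes.append(_exposure(kind, name, f"{before} -> {after}", after))
    return changes


if __name__ == "__main__":
    for c in diff_snapshots(BASELINE, LATEST):
        print(f"{c.kind:15} {c.asset:22} {c.detail:32} rescan={c.rescan} alert={c.alert}")
```

The `dev.example.com` record is the case to watch: it points outside the authorized range, so the pentester is alerted but no automated scan runs until ownership and permission are confirmed.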


Trying to find qualified IT infrastructure and security people?

We at SynerComm help companies successfully overcome that challenge every day, and so I suppose I suffer from the old adage: “to a hammer, everything looks like a nail.” While SynerComm heavily invests in facilitating the free exchange of information (e.g. this blog site, annual IT Summit events, free best practice and strategy analyses), sometimes you just need skilled, innovative expertise to solve nagging problems or to just get the job done. If that is not you right now, I invite you to join us at our many information-exchange events. If, on the other hand, you would like to read about how other companies are overcoming their staffing challenges, please read on.

Many organizations are struggling to plan, build, implement, and support wide-scale remote access in support of social distancing and isolation. These projects are urgent and vital, but they are not your only projects planned or in flight. You are still researching new and more efficient business solutions, developing new revenue-generating applications, and building out more revenue-supporting capacity. On top of that, you are continuously and simultaneously operating, administering, maintaining, supporting, and securing everything that is already in production! 

IT organizations were overloaded; do we stand a chance today? Failure is not an option, and we can all use some help now and then; many organizations need help right now! SynerComm has a long history of partnering with customers to overcome these challenges. Unlike traditional Staff Augmentation, where you get one person, full-time, for some number of months, SynerComm offers a refreshing alternative: FlexIT.

FlexIT

With FlexIT, you get a pool of hours from SynerComm that provides primary highly qualified, full-time resources who are backed up and augmented by secondary highly skilled resources as needed. FlexIT ensures that your projects and support demands are met, even in the face of PTO, unexpected illnesses, and demand bursts. When the project completes, or the need for support subsides, the “flex” in FlexIT kicks in again:  you terminate the engagement when the time is right for you. When and if you need more help, SynerComm will be there for you.

Our customers leverage FlexIT to build out network and security infrastructure (on-premises and in the cloud, complex and simple, large and small). They use FlexIT to implement and validate security controls, including SIEM, Endpoint Detection & Response, Secure Anywhere Access, and Identity & Access Management. SynerComm’s customers benefit from FlexIT to build information security programs and validate the effectiveness of deployed controls. Perhaps most importantly, our customers have relied on FlexIT to ensure Continuity of Operations when faced with the short or long-term loss of critical staff.

Let’s face it, the fact is that you do not always need a full complement of IT solutions and security architects, consultants, and engineers. However, occasionally everyone needs a little help. When those needs arise, when failure is not an option, contact SynerComm. We can match you up with the right FlexIT team from among our diverse and experienced technology and security experts, and for exactly as long as you need. SynerComm can also assist you with flexible, part-time ongoing administration and maintenance support, and even with finding full-time employees. We love being part of the solution for our customers, turning seemingly insurmountable problems into wild successes!
