Planned Site Maintenance
Due to scheduled maintenance, account creation for new Community users will be unavailable 11 a.m. Eastern October 23, 2020 – October 24, 2020. We apologize for any inconvenience.
Every birthday for years I have requested Sour Cherry Pie for my birthday. Yum! Don't give me cake. Blech. LOL My sweet G.ma used to make Sour Cheery pie from her own cherry tree in the spring. I love pie.
I also like Pi. Especially Raspberry Pi. Great little computers on a small footprint that allow you to run multiple OS's with the switch of a memory card. Boots fast. Low power consumption and it doesn't break the bank when you want to buy more of them.
Now it's been recently reported that JPL was attacked through a rogue Raspberry Pi on their network. You can't make these things up. I can already think of 3 or 4 different monitoring systems that should have had their sensors go off alerting the SOC that something was wrong, but ...
Do read the article. There is some fairly damning language in there and I just chuckle at the complete ineptness that organization exhibited.
The Pi was one of the devices I used to test our NAC. The ability to boot into unusual OSs simply by swapping the SD card was one of the reasons it was so useful. I got as far as the Citrix logon before being thrown out. Since we used X.509 end point certs of SSH keys in a hidden partition on thin client terminals the purpose was in part to see if the NAC could identify what had been plugged in, where so we would know what type of rogue device we were looking for.
----------------------------------------------------------- Steve Wilme CISSP-ISSAP, ISSMP MCIIS
Just read the report. I have to say that while HMM may look good on paper, few companies have the means to advance it to the degree that actually makes sense.
"The severity of an incident often depends on the length of time an intruder is able to maintain a foothold within an organization’s network, so round-the-clock availability of incident responders is critical to timely containment of suspicious activity and improvement of JPL’s incident response capability. "
Most of the companies with single country presence cannot possibly afford 24/7 coverage. It is effectively a requirement to triple or at least double their information security staff. And as to Splunk, I see more often than not, as it or other SIEMs simply becoming a log dumping destinations that are useless without someone performing data analysis work on them and at best are useful for forensics after the fact.