Don Franke

Welcome to my place on the Internet where I post random musings and content about security, music and coding.

ABI Calculator

June 17, 2018 Coding

To keep my UI skills current, I recreated an ABI Calculator app using vue.js and bootstrap. It's still a little rough, but it works and is at a good stopping point for now.

Passed the AWS Certified Solutions Architect - Associate exam

May 21, 2018 Certifications
AWS Certification Badge

I passed the AWS Certified Solutions Architect - Associate exam on 5/21 and wanted to share how I prepared:

  • Took these classes:
    • Architecting on AWS
    • Advanced Architecting on AWS
    • Security Operations on AWS
  • Watched all videos and took all practice exams on acloud.guru
  • Took all practice exams on whizlabs.com
  • Read FAQs and some white papers on core services (Lambda, S3, IAM, EC2, VPC, DynamoDB) and on elasticity and scalability

I also took a lot of notes, most of them based on questions I got wrong on practice exams. The cert exam was updated a few months ago and has far fewer gotcha questions; most are scenario based. Preparing for the cert is a great learning opportunity (some people even enjoy it), and I've started getting ready for the Sec Ops one, which was released a couple of months ago.

Hope this helps. Good luck!

Tell Your Story

December 21, 2017 Writing

I've reached a milestone I didn't think I'd achieve for my first self-published book: 2,500 copies sold. It was a project I started mostly to get experience with creating something that I could put on my shelf. It was also an opportunity to share what I've learned after years of teaching and working in infosec. I want to encourage anyone who has an interest in writing a book to go for it--make it your 2018 goal. Here are a few lessons learned that I'd like to share to help you get started.

Have a solid outline

I created five chapters, and grouped the list of things I wanted to cover into each of those buckets. Going with a textbook format, the first chapter I dedicated to fundamental terms that would be used in the remaining chapters, and ended each chapter with a glossary. The resulting chapters for the book are Introduction, Protect, Detect, Respond (which are based on tenets of the NIST Cybersecurity Framework) and Conclusion. Each chapter also starts with a quote.

Create a goal

Have a target number of words you want your book to have. I went with 20,000 to keep it concise. This also helped me balance out each chapter, and motivated me to keep adding content until I reached that goal. However, be aware that you need a minimum number of pages in order for the book spine to be printable (the spine for mine has no text as a result, which doesn't do much for its bookshelf presence.)

Organize your images

If your book has images, figure out the standard you're going to use ahead of time. I spent a frustrating amount of effort getting the sizing and DPI right so images would display correctly in print and ePub versions. This meant several iterations of converting 27 pictures to different formats and previewing them with various open source tools (not fun). I wish I had hand drawn them instead.

Sell it

Once it's published and available for purchase on the marketplace, don't overlook marketing your new book. Leverage social media, participate in giveaway promotions, and keep tabs on your reviews. There are also promotion options (some are free, some aren't) like having your book show up when someone searches for certain terms. And look at all the marketplaces where your book is listed. I found a few surprises (some nice, some not so much) in UK, IN and EU markets where my book is also sold.

Conclusion

Freely available tools that you can use to self-publish a book have significantly improved over the past couple of years. Now there are Word Add-ins and applications like Kindle Create where you are able to do all of your formatting and previewing within the same tool. Editing ePub XHTML is no longer needed, making the barrier to "published author status" barely a speed bump. So what are you waiting for? Start writing!

Firewall

November 12, 2017 Music

A song about the firewall mythos.

Cyber Security Basics Sales Update

November 4, 2017 Writing Security

Cyber Security Basics

For a 100-page book I self-published using Kindle Direct Publishing, sales have definitely exceeded expectations! I created it more as practice and to share what I knew about information security best practices. I still believe that if the fundamentals are done, the majority of risk can be mitigated. That said, I'm now approaching 2,000 books sold (Kindle and paperback), at which point I may start work on a second edition. I had one day where I sold 110 books -- wish I knew to whom. I am guessing it was for a class, or a giveaway, or maybe they're being resold somewhere else in the world.

I am also enjoying decent reviews: 11 stars in the US and 14 stars in the UK. I appreciate the kind words and feedback! It is rewarding to know that I have been able to contribute to the infosec community, and that something I spent hundreds of hours creating is being well-received by hundreds of others who share my interest in information security.

Cyber Security Basics available at Amazon

Vulnerability Management

September 23, 2017 Music

My contribution to the debate surrounding the CISO of Equifax having only a music comp degree: a song about vulnerability management! I don't know what kind of statement it makes; I just thought it was an amusing bit of timing that I finished the song at the same time the breach hit the news.

Social Engineering

September 19, 2017 Music

For fun I wrote a song about social engineering

Phishing Protection Best Practices

August 22, 2017 Blog Security

Today Bank Info Security reports that a Ukraine bank warns of a new massive malware campaign about to be launched. Here’s the line that’s most frustrating: “It added that the attacks have been spreading via malicious Microsoft Word documents attached to emails.” So here are some best practices to follow to harden your org against phishing attacks:

  • Use GPO to disable macro execution in office documents
  • Don’t let employees log in as admin
  • Block unnecessary file extensions at the email gateway (e.g., do people really send legit .dotm files?)
  • Use an email protection solution that analyzes and blocks malicious attachments before they are delivered to inboxes
  • Preface subject line of externally-sourced email with tag like [EXT]
  • Keep current with patching and updates
  • Train employees to “think before you click” (though don’t count on it as an effective preventative control)
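The external-mail tag and the gateway extension block from the list above, worked through as an added example (not code from the post): a small Python screen that prefixes [EXT] on mail from outside the org and flags attachments with macro-enabled Office extensions. The internal domain, the blocklist and the sample message are assumptions constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

INTERNAL_DOMAIN = "example.com"  # assumed: the org's own mail domain
# Assumed blocklist: macro-enabled / template Office extensions that rarely
# have a legitimate reason to arrive by email (shortened for the example).
BLOCKED_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}
EXT_TAG = "[EXT]"

def is_external(msg: EmailMessage) -> bool:
    """True when the From: address is not on the internal domain."""
    sender = (msg.get("From") or "").lower()
    addr = sender.split("<")[-1].rstrip(">").strip()
    return not addr.endswith("@" + INTERNAL_DOMAIN)

def tag_external(msg: EmailMessage) -> str:
    """Prefix the subject of externally-sourced mail with [EXT]; idempotent."""
    subject = msg.get("Subject") or ""
    if is_external(msg) and not subject.startswith(EXT_TAG):
        del msg["Subject"]
        msg["Subject"] = f"{EXT_TAG} {subject}".strip()
    return msg["Subject"]

def blocked_attachments(msg: EmailMessage) -> list:
    """Filenames of attachments whose extension is on the blocklist."""
    return [
        name
        for name in ((p.get_filename() or "").lower() for p in msg.iter_attachments())
        if any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS)
    ]

def screen(raw: bytes) -> tuple:
    """Gateway-style pass: returns (final subject, blocked attachment names)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return tag_external(msg), blocked_attachments(msg)

def build_sample(sender: str, filename: str = "") -> bytes:
    """Constructed test message (not real mail); the attachment body is dummy bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "alice@example.com", "Updated template"
    m.set_content("Please open the attached template.")
    if filename:
        m.add_attachment(b"dummy", maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(screen(build_sample("Payroll <hr@outside.invalid>", "salary.dotm")))
```

The extension check is a quick win, not a substitute for the attachment-analysis product on the list: a renamed or container-wrapped file passes a name-based filter.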

Most of this advice is common sense. But if I’m just preaching to the choir, why are phishing-based attacks against orgs still so damned successful?

References

Ukraine Central Bank Detects Massive Attack Preparation: https://www.bankinfosecurity.com/ukraine-central-bank-detects-massive-attack-preparation-a-10209

List of Microsoft Office file extensions (block most of these): https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions

Alexa skill Security Flashcards

July 25, 2017 Coding Security

I created version 2 of the Alexa skill Security Flashcards. This version uses a JSON file for content (versus having it inline in the code) and has 100 security terms (so far). To use:

  1. Enable the Security Flashcards skill on your Echo device
  2. Visit https://github.com/donfranke/Security-Flashcards for a list of terms that are available.
  3. Launch Security Flashcards
  4. Pick a term, think about what you think the definition is, then ask Alexa to define the term

The goal is to provide a tool to help prepare for security certification exams, as well as understand some concepts that are part of the foundation of information security.

Please let me know if you disagree with any definitions, or have other suggestions for improvement. If you are interested in creating your own Alexa skill, there are plenty of resources available including starter code on Github to get you started. Enjoy!

Android Apps

October 10, 2016 Coding

The two Android apps I created back in 2010 are still alive and kicking. ABI Calculator currently has 563 active installs, and Russian Flashcards has 1,225 active installs.

App icons for Russian Flashcards and ABI Calculator: really horrible app icons that show up in the Google Play store

I know these are insignificant numbers by most accounts, but for me it’s nice to see something I created being used by other people. And they’ve always been free (which I second guess sometimes.) I would have to completely rewrite the apps to get them updated. Maybe I’ll take some time off to do this.

Machines Training Humans

September 30, 2016 Blog

I was paying for my parking at a ticket machine the other day. As I patiently followed the sequence instructed by the machine, I thought about how machines and software are increasingly training humans. And we're just letting it happen. That same weekend I observed several headlines about the Samsung Smart TV's exceptional eavesdropping capability. From Samsung: "Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party." This isn't new news, but it got me thinking. It is another example of how we have to change our behavior to work around devices and software. Again.

We can't live without our multi-sensor devices we still call "phones." We trust software is doing its job and enabling these cameras and microphones only at our request. We also trust that there are no back doors or malware on the device that enable these eavesdropping features without our knowledge. But it comes down to well-behaved software to not facilitate eavesdropping. The hardware is always ready.

I propose getting back to basics. There should be physical controls in place to disable these cameras and microphones, similar to the plastic tab you pull out of a newly-purchased device to enable battery contact, or the plastic key you can yank out of a treadmill if the speed of its ad infinitum path gets too much for you. With this would come the manufacturer's certification that these keys, tabs, lens covers, whatever form they take, absolutely block or allow access to these sensors by any software running on the device.

Software has gotten to be too complicated. It's time to reintroduce physical controls. For now there is electrical tape.

Unpatchable is Unusable

September 24, 2016 Blog Security

I read an interesting article on Computerworld.com titled "Worm may create an Internet of Harmful Things." It discusses how, as our world becomes filled with Internet-connected devices, concerns over security grow. There is one quote from the article that stands out for me: "Security expert Bruce Schneier…is concerned about the broader risks to the Internet of Things. In many cases, IoT connected systems are using firmware that can be hard to patch. In fact, 'in many cases, [it's] unpatchable,' he said." Unpatchable.

When it comes to software security, if it cannot be updated, it should not be used.

This reminds me of an interesting (perhaps unrealistic) software development methodology called "cleanroom engineering". With this approach the focus is on preventing bugs or vulnerabilities from ever making it into production code. The SDLC is heavily weighted on all phases before actual coding begins, because (per this methodology) all you have to do is code to the design, since it should be defect free.

This approach to software development seems like an analogy for vendors who release products that cannot be updated. There are three rationales I can see for this. The vendor

  • assumes its product is truly 100% secure, and no vulnerabilities will ever be discovered
  • hopes that significant security issues with its product will not be discovered within a reasonable (or obligatory) timeframe
  • does not offer patchable products, but offers to sell replacement products that address the security vulnerabilities found in "last year’s model."

Replacing products used in production is costly and disruptive, and I can't see the news of any unpatchable security vulnerability endearing a vendor to a customer. In our rush to Internet-ize everything, security may take a back seat again, just like in the early days of the Internet or smart phones. As a result, weaknesses will be exposed that give attackers the opportunity to do embarrassing, destructive or even dangerous things.

Vendors should operate under the assumption that something will not go according to plan. At some point, a security vulnerability will be discovered in a product even if the vendor did not find it pre-release. And when that vulnerability is found, the vendor should be able to fix (patch) that vulnerability ASAP. Any other approach, such as selling software products that cannot be patched, is downright irresponsible.

Cyber Security Basics

September 24, 2016 Writing Security

Finally taking the time to figure out how to properly sell the book Cyber Security Basics. I have updated the pricing and updated the Kindle version, and started paying attention to the sales dashboard. To date I’ve sold 215 copies of the physical books and 58 of the Kindle ones.

Kindle Sales for 2016

There has recently been an upward trend that I hope will continue as I dig more into the as-yet untapped marketing options available to self-published authors. And there are a lot! Thank you to everyone who has purchased a copy. Please review it on Amazon if you have a spare minute; it would be a huge help.

Splunk Certified

September 4, 2016 Certifications

Splunk Certified Architect Badge

It's official: I got my Splunk Certified Architect 6.3 badge today. It was a lot more work than I thought it would be; it's definitely not just symbolic. Six classes at about 55 hours total (not including studying), capped off by a final lab that we had 24 hours to complete (I think I took about 8 hours, the first day running well past midnight.)

The best way to learn about many technologies, I feel, is to get certified. Preparing for a certification forces you to study and learn the details and a lot of things that you might not have used before, but after learning them, may come in handy later. These classes and tests helped me understand how Splunk works and the depth of the tools and options it offers. It’s really a massive solution, and now I have a better handle on how to apply its various features for almost any type of environment.

The classes, and their instructors, were very good. The education program shows that it cares as much about the quality of its training materials and delivery as the engineers who built and support Splunk products. I always appreciated how Splunk was created and designed; it just felt like it made sense. Now that I demonstrably know a bit more, my instinct has been validated.