Puppet introduction

Puppet is currently being deployed in the environment where I work, so I thought it would be a good idea to get at least slightly up to speed around how it works.  Like I am sure quite a few of you I am familiar with Puppet in terms of what it is and what it is commonly used for, in terms of it being an IT automation tool written in Ruby that can manage both *nix and Windows systems.

I didn’t however know much of the detail around exactly how it works and can be configured.  Given that there are probably others in a similar position who either need or want to learn a bit more about Puppet and system management and automation I thought I’d share a couple of the better introductory resources I found.

If you are completely new to Puppet and want to find out what it does the ‘What is Puppet page is an excellent starting point;


The next link is a good introduction to coding with Puppet and nicely covers the fact Puppet is Declarative.  This can be a challenge for some people especially those with coding experience as most languages are Imperative which is quite a different style of explaining what you want the application to do.  Read on to find out more;


I also found this three part series that covers what you need to set up and get running with Puppet with the minimum of extra information.  This is great if you need to get up and running quickly as much of the full documentation is more book like;

Part 1;


Part 2;


Part 3;


Finally if you want a full understanding of Puppet and have the time the Puppet Labs documentation is excellent and should remove any need to buy a reference book;




Phishing; what is phishing and how to protect against it.

Phishing continues to be one of the key attack vectors against both individuals and corporations.

At a personal level it’s one of the most successful ways malicious individuals and groups have for stealing credit card details and identities.

At a corporate level it is one of the most if not the most common entry points into an organisation.  This is true even for the majority of the Advanced Persistent Threat type attacks that are discovered; while they may use many clever techniques to avoid detection once they are established the usual entry point is via some form of social engineering with Phishing being the most common social engineering attack.

It is due to this that I was recently asked to create a brief overview of Phishing covering what it is, why it is so prevalent, and what can be done to reduce the risk.  I’m sure most of you are aware what Phishing is, but I thought I would share some of the content of my recent presentation.

I started with a brief overview of what Phishing is;

•Phishing is a fraudulent attempt, usually made through email, to steal your personal information. The best way to protect yourself from phishing is to learn how to recognize a phish.

•Phishing emails usually appear to come from a well-known organization and ask for your personal information — such as credit card number, social security number, account number or password. Often times phishing attempts appear to come from sites, services and companies with which you do not even have an account.

•In order for Internet criminals to successfully “phish” your personal information, they must get you to go from an email to a website. Phishing emails will almost always tell you to click a link that takes you to a site where your personal information is requested. Legitimate organizations would never request this information of you via email.

Wikipedia has a longer version providing an overview of Phishing;


This is actually a pretty good article covering a brief history of Phishing, various Phishing techniques, and some prevention / anti-Phishing tools and techniques.

I then went onto cover some further terminology around different types or developments of Phishing that have dramatically improved its effectiveness;

Phishing began as very generic, spam like emails.  These have over time become much more realistic and targeted in order to improve the chances of success for the attacker.  Various terms have been coined to describe these more targeted attacks;

•Spear Phishing refers to attacks targeted at specific individuals or groups of individuals such as employees of a company.  Attackers will gather personal and / or company specific information in order to improve their chances of success.

•Clone Phishing is where a legitimate email that contains attachments or links is cloned / copied, but with malicious attachments or links.  This exploits the trust that may be inferred from the email coming from a seemingly legitimate source.

•Whaling is a term for phishing attacks specifically targeting only very senior company executives.

•A further term recently coined in a blog post by Bruce Schneier was ‘laser guided precision phishing’ when describing some recent advanced phishing attacks.  The clear message is that these are getting better and harder to spot all the time, and these attacks are seldom stopped by technical means;

–“Only amateurs attack machines; professionals target people”

Basically Phishing continues to evolve with attackers spending time to do recognisance on higher value targets to make the attacks look as realistic as possible in order to increase their success rate.

The final part of the presentation covered some of the methods that can be employed to reduce the risk from Phishing attacks;

•Security / Phishing awareness and training.

–Phishme (or similar service) – this has a great success rate with figures such as 60% of users clicking on Phishme email links reducing to <10% after a few cycles.

–Broader training – regular communications from our department around security awareness and things to look out for.

•Make emails from external sources more obvious, such as by changing the display name on internal emails.

–This helps improve vigilance, however so many emails are received from external sources the benefit it likely limited.

•Disable links and attachments in emails from external sources

–Likely impacts many business processes, is a white list of all ‘trusted’ email sources feasible or maintainable?

•Ensure any heuristic and zero day type protections are functioning as designed to provide maximum protection from bespoke and new attacks.

•Enforce ‘least privilege’ – no users log onto any machine with administrative or root privileges, always use ‘Run As’ or Sudo for any actions requiring elevated privileges

•Ensure any browsers in use are kept up to date with any anti-phishing add ins / tool bars installed and functioning

•Black / White listing of acceptable sending domains.  White listing is more cumbersome, but more effective, black listing is easier (as with most security technologies) but less effective as it can only block known bad sites / domains.  Neither of these techniques will stop spoofed emails or emails from compromised ‘good’ sites / domains.

•Become involved with organisations / forums such as the Anti Phishing Working Group; http://www.antiphishing.org/

In conclusion I would wholly recommend a solid defence in depth strategy for your organisation when it comes to security tools and strategy, but I would also say that user training is a key component of reducing the risk from Phishing; if not the most critical component.

A great way to learn more, and help improve anti-phishing techniques is to get involved with organisations such as the Anti Phishing Working Group (link above).  They also offer some useful anti-phishing training.

It would be great to hear your thoughts on Phishing, and the user training vs. technical controls debate.


Gone to the dark side..

Of companies and operating systems..  As a long term Window and Linux user with very little experience of Macs I recently made the move to the word of Apple.  While this is outside of the scope of my usual posts that tend to relate to enterprise security and architecture, I thought I would share as this is a pretty fundamental shift in my personal computing world.

I’m still not a fan of Apple as a company as I’m fundamentally against the whole ethos of locking people into a specific ecosystem with the clear intention of letting you only use that companies products and making it very hard to shift away once all your music etc is in iTunes / iWhatever.

However as a piece of hardware I totally love the Mac Book Pro, and the retina screen is amazing.

First impressions of the O/S are that it is OK, I seem to be getting around alright, and the ability to drop to a Linux command line is a great help.  The multi touch mouse pad is excellent, as is the ability to use it to ‘right click’ on links etc.  which is a great help!

So far I’ve installed Chrome, M$ office for Mac, Parallels, VLC, a few utilities and photo editing software.

I’m also pleasantly surprised by the battery life, given that this is a fairly powerful i7 CPU, Nvidia graphics (with automatic switching to Intel) etc.  even with the screen reasonably bright, and running a couple of virtual machines it still lasts several hours on the battery.

Overall so far very impressed, amazing screen, excellent battery life, great performance even when running multiple VMs, I think in part due to the decent SSD, and all in a lovely, relatively light weight aluminium package.  As mentioned still not really a fan of Apple as a company, but then how many large profit driven businesses really care about anything other than maximising profit? But I am a convert to the Mac Book as a useful and great to use tool.

I’ll likely post the odd update during the year as I get more used to the O/S and start exploring the performance and features of the device.