Tag: script

I may not test often, but when I do it's in production

The thrill of testing in production

if ($testing_in_production -eq $true) {
    RTFM
}
else {
    $Move  = "fast"
    $Break = "Shit"
}


I’ve been spending a lot of time hopefully making something better for a customer. They recently had an auditor come in and tell them they were doing the most basic layers of security (i.e. antivirus) all wrong and it needed to be redone. The organization was given a deadline about a month away for 40 PCs and a dozen servers.

This is not a significant issue, except that the 13-hour timezone difference makes anything that gets messed up a little more precarious to go fix. My first real sysadmin job allowed me the luxury of driving across town if I broke something.

In all cases I’m lucky that I have experience deploying the tools in a much larger environment. That environment was also under pressure. They had just been pwn’d and didn’t really know it until I stumbled across it. I really didn’t know what I was dealing with; at that time, in 2008, I really had no clue what real information security was about. I learned quickly.

What I have also learned through many years of work is that if you’re going to have to test in production, I recommend that you take a deep breath, slow down, and read the manual first. Knowing what the heck you are doing is only the first step. You really have to know *why* you are doing a thing. There’s no shortage of opportunity to move fast and break stuff, but with each instance there’s also an opportunity for learning and growth.


With the amount of chaos in the world, the inability of many OPSEC teams to focus on actually securing all the things, and the continual drive to still give customers what they want, there’s also no shortage of opportunities to learn on the fly, be creative, and solve problems. Even in production.

AirWatch REST API Script : change Self-Service Portal role for users

Here are several script snippets that may be very helpful for anyone who needs to change the self-service portal role for their users in AirWatch. AirWatch is becoming more robust and mature with every new release, but it still has a long way to go towards overall usability for administrators.



#******************************************
### AirWatch API Connection
###
### Template from https://support.air-watch.com/posts/94020718-REST-API-Authentication-in-PowerShell
###
### 2015-11-15 Brian Deyo www.briandeyo.us
#*******************************************

Write-Output ' __ ___ __ '
Write-Output ' /\ | |__) | | /\ | / " |__| '
Write-Output ' /~~\ | | \ |/\| /~~\ | \__, | | '
Write-Output ' '

###############################
###
### BEGIN CONFIGURATION SECTION
###
###############################

###Insert AirWatch API Key here
###Consider it best practice to create an API Key for every account that needs API access. Easier to manage access that way.
###Treat the key like a password: keep it out of shared drives and source control.
###
$APIKey = "blahblahblahAPIKey"

###Insert AirWatch Application Server URL
###The Server is the "Application Server" component of the AirWatch environment.
###
$AWHost = "xxyyy.awmdm.com/API/v1"

###Pop up to get username and password, then Base64-encode "username:password" for HTTP Basic auth
###(only acceptable because every call below goes over https)
###
$Credential = Get-Credential
$EncodedUsernamePassword = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(('{0}:{1}' -f $Credential.UserName, $Credential.GetNetworkCredential().Password)))

###Define Headers to send with each API access
###Switch Basic to Directory if using AD integrated account
###
$Headers = @{
    'Authorization'  = "Basic $EncodedUsernamePassword"
    'aw-tenant-code' = $APIKey
    'Content-Type'   = 'application/json'
}

###Define output folder for REST logs when the Out-File cmdlet is used
###(file names are joined with Join-Path below, so no trailing backslash is needed)
###
$RestLogPath = "\\fileshare\log\location"

###############################
###
### END CONFIGURATION SECTION
###
###############################

#***********************************
# List devices for a specific user
#***********************************
#
#Write-Output "Type user's email address"
#$UserEmail = Read-Host
#Invoke-RestMethod -Method Get -Uri "https://$AWHost/mdm/devices/search?user=$UserEmail" -Headers $Headers

#***********************************
# Set Enrollment User's SSP Access
#***********************************
#
# Define the body as a hashtable; ConvertTo-Json turns it into the JSON the API expects
#
#$Role = "SSP ROLE NAME"
#$User = "userID"
#$Body = @{
#    Role = $Role
#}
#Invoke-RestMethod -Method Post -Uri "https://$AWHost/system/users/$User/update" -Body (ConvertTo-Json $Body) -Headers $Headers

#***********************************
# Get Enrollment User Details
#***********************************
#$User = Read-Host "Enrollment user ID"
#$Filename = "UserDetails.txt"
#Invoke-RestMethod -Method Get -Uri "https://$AWHost/system/users/$User" -Headers $Headers | Out-File -Append (Join-Path $RestLogPath $Filename)

#***********************************
# Change a single User's SSP Role
#***********************************

#$User = Read-Host "Enrollment user ID"
#$NewRole = "SSP ROLE NAME"
#$Body = @{
#    Role = $NewRole
#}
#Invoke-RestMethod -Method Post -Uri "https://$AWHost/system/users/$User/update" -Body (ConvertTo-Json $Body) -Headers $Headers

#*************************************************************
# Search for All Users that have specific role and change it
#*************************************************************
#$CurrentRole = "SSP ROLE NAME"
#$Filename = "SSP ROLE NAME.txt"
#$UserList = Invoke-RestMethod -Method Get -Uri "https://$AWHost/system/users/search?role=$CurrentRole" -Headers $Headers
#$List = $UserList.Users.Id
###Save the ID of every user getting changed BEFORE touching anything, so the change can be traced or undone
#$List.Value | Out-File (Join-Path $RestLogPath $Filename)
#
### Loop to change all the roles from the dumped list
#
#$NewRole = "SSP ROLE NAME"
#foreach ($User in $List)
#{
#    $UserToUpdate = $User.Value
#
#    $Body = @{
#        Role = $NewRole
#    }
#    Invoke-RestMethod -Method Post -Uri "https://$AWHost/system/users/$UserToUpdate/update" -Body (ConvertTo-Json $Body) -Headers $Headers
#}

#************************************
# List Number of Users in Each Role
#************************************
#$RolesToCheck = @("Basic Access", "External Access", "Full Access")
#foreach ($Role in $RolesToCheck)
#{
#    $Filename = "$Role - TOTALS.txt"
#    $UserList = Invoke-RestMethod -Method Get -Uri "https://$AWHost/system/users/search?role=$Role" -Headers $Headers
#    $List = @($UserList.Users.Id)
#    ###Save the raw search result for this role, then print the count
#    $UserList | Tee-Object (Join-Path $RestLogPath $Filename)
#    Write-Output "$Role : $($List.Count) users"
#}
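The bulk loop above is exactly the kind of thing that gets run against production in a hurry, so here is an added example (my code, not part of the original post or of AirWatch) of the same role change wrapped in a dry run, a per-user rollback record and a ceiling on how many accounts one run may touch. It reuses the $AWHost, $Headers and $RestLogPath variables from the configuration section and the same three endpoints the snippets above call. The Role property on the GET /system/users/{id} response, the $maxChanges value and the rollback file name are assumptions for illustration.

```powershell
# Added example, not from the original post: a bulk SSP role change with a
# -WhatIf dry run, a rollback CSV written before each change, and a blast-radius
# ceiling. Assumes $AWHost, $Headers and $RestLogPath from the script above and
# the same endpoints: GET /system/users/search?role=, GET /system/users/{id},
# POST /system/users/{id}/update with body { "Role": "<name>" }.

function Get-AWUsersByRole {
    param([Parameter(Mandatory)][string]$Role)
    $uri = "https://$AWHost/system/users/search?role=$([uri]::EscapeDataString($Role))"
    $result = Invoke-RestMethod -Method Get -Uri $uri -Headers $Headers
    # Users come back as objects whose Id is itself an object with a Value member
    foreach ($u in $result.Users) { $u.Id.Value }
}

function Set-AWUserSspRole {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][int]$UserId,
        [Parameter(Mandatory)][string]$NewRole,
        [Parameter(Mandatory)][string]$RollbackFile
    )
    process {
        # 1. Read the user first so the previous role is on record before anything changes
        $before = Invoke-RestMethod -Method Get -Uri "https://$AWHost/system/users/$UserId" -Headers $Headers
        $previousRole = $before.Role   # ASSUMPTION: name of the role property on the details response
        if ($previousRole -eq $NewRole) {
            Write-Verbose "User $UserId already has role '$NewRole'; skipping"
            return
        }
        # 2. Honour -WhatIf / -Confirm: nothing below runs during a dry run
        if (-not $PSCmdlet.ShouldProcess("user $UserId", "change SSP role '$previousRole' -> '$NewRole'")) {
            return
        }
        # 3. Append the rollback record BEFORE the POST, so a crash mid-loop still leaves a trail
        [pscustomobject]@{
            Timestamp    = (Get-Date).ToString('o')
            UserId       = $UserId
            PreviousRole = $previousRole
            NewRole      = $NewRole
        } | Export-Csv -Path $RollbackFile -Append -NoTypeInformation
        # 4. Make the change
        $body = @{ Role = $NewRole } | ConvertTo-Json
        Invoke-RestMethod -Method Post -Uri "https://$AWHost/system/users/$UserId/update" -Body $body -Headers $Headers
    }
}

# Usage: dry run first, then the real thing, with a ceiling on how many accounts one run may touch.
$currentRole = 'SSP ROLE NAME'
$newRole     = 'SSP ROLE NAME'
$maxChanges  = 50   # ASSUMPTION: tune to what you could undo from the rollback file in one sitting
$rollback    = Join-Path $RestLogPath ("ssp-role-rollback-{0:yyyyMMdd-HHmmss}.csv" -f (Get-Date))

$targets = @(Get-AWUsersByRole -Role $currentRole)
if ($targets.Count -gt $maxChanges) {
    throw "Search matched $($targets.Count) users, above the ceiling of $maxChanges; narrow the search or raise the ceiling deliberately."
}

$targets | Set-AWUserSspRole -NewRole $newRole -RollbackFile $rollback -WhatIf   # dry run: prints what would change
# $targets | Set-AWUserSspRole -NewRole $newRole -RollbackFile $rollback -Confirm:$false   # real run, no per-user prompt
```

Because ConfirmImpact is High, the real run prompts for every user unless you pass -Confirm:$false; that is deliberate for a first run against a tenant you cannot drive across town to fix. To undo a run, import the rollback CSV and pipe each UserId back through Set-AWUserSspRole with its PreviousRole as -NewRole.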


Time to make the backups. It’s always time.

[Photo: ransomware on an Android tablet]

I ran through a quick pen-and-paper exercise and came up with no fewer than 14 ways my data (aka my digital life; yours too) is constantly threatened. There are some protections available, of course; the number one strategy is to always keep offsite and offline backup copies of everything important, and to rotate the backups on a reasonable schedule. If you move away from HDDs, remember that backup DVDs are sensitive to heat, so don’t leave them in your car. And it turns out solid state drives can lose their contents if they are left unpowered for long enough.

Even with the backup strategy in mind, I recognized that there are really two classifications of threats to a digital life.

A. Data Loss – An event without a malicious human initiator

B. Data Breach – Direct or indirect action taken by a human often with malicious intent


In what is likely not an exhaustive list, I decided that only three of the fourteen items actually fall in category A.

  1. House Fire
  2. Natural Disaster
  3. Mistakes

The issues in category A can be remedied by a good backup strategy, and of course by actually executing that strategy. Saying you will back up isn’t the same as actually doing it.
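"Actually doing it" also means checking that the copy you made is usable and that it keeps getting made. As an added example (my code, not from the original post), the following PowerShell copies a folder to a dated directory on a separate drive, hashes every file on both sides, refuses to call the backup done if anything differs, and checks that the newest backup is not older than the rotation window. The paths, the seven-day window and the backup-* naming are assumptions for illustration.

```powershell
# Added example, not from the original post: a backup that is verified rather
# than assumed. Source/destination paths and the rotation window are assumptions.

function New-VerifiedBackup {
    param(
        [Parameter(Mandatory)][string]$Source,       # folder holding the "digital life"
        [Parameter(Mandatory)][string]$Destination   # root of the offsite/offline drive
    )
    # A backup on the same drive as the original dies with it (fire, theft, ransomware)
    $srcDrive = (Get-Item $Source).PSDrive.Name
    $dstDrive = (Get-Item $Destination).PSDrive.Name
    if ($srcDrive -eq $dstDrive) {
        throw "Destination '$Destination' is on the same drive as '$Source'; use a separate, removable or remote drive."
    }

    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $target = Join-Path $Destination "backup-$stamp"
    Copy-Item -Path $Source -Destination $target -Recurse

    # Hash every source file, then confirm each copy matches byte for byte
    $root = $Source.TrimEnd('\')
    $manifest = Get-ChildItem -Path $Source -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            Path   = $_.FullName.Substring($root.Length + 1)
            Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
    $bad = foreach ($entry in $manifest) {
        $copy = Join-Path $target $entry.Path
        if (-not (Test-Path $copy) -or
            (Get-FileHash -Path $copy -Algorithm SHA256).Hash -ne $entry.Sha256) {
            $entry.Path
        }
    }
    # Keep the manifest with the backup so a later restore can be checked the same way
    $manifest | Export-Csv -Path (Join-Path $target 'MANIFEST.csv') -NoTypeInformation
    if ($bad) { throw "Backup $target FAILED verification for: $($bad -join ', ')" }
    return $target
}

function Test-BackupFreshness {
    # True when the newest backup-* directory under $Destination is within the rotation window
    param([Parameter(Mandatory)][string]$Destination, [int]$MaxAgeDays = 7)
    $newest = Get-ChildItem -Path $Destination -Directory -Filter 'backup-*' |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $newest) { return $false }
    return ((Get-Date) - $newest.LastWriteTime).TotalDays -le $MaxAgeDays
}

# Usage (paths are assumptions): make the copy, verify it, then confirm the schedule is being kept
$backup = New-VerifiedBackup -Source 'C:\Users\me\Documents' -Destination 'E:\Backups'
Write-Output "Verified backup written to $backup"
if (-not (Test-BackupFreshness -Destination 'E:\Backups' -MaxAgeDays 7)) {
    Write-Warning "No backup in the last 7 days; the strategy is not being executed."
}
```

Run Test-BackupFreshness from a scheduled task so a missed rotation nags you instead of staying silent, and unplug or ship the drive once New-VerifiedBackup returns; a drive that stays connected is neither offline nor offsite.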

Breaches, on the other hand, are myriad and growing, and the truth about the increased threat landscape has been taking up a significant amount of my brain lately. Like most IT folks, I routinely spend more time talking about security than implementing new ideas and making changes. I am worried that this list is only going to keep growing.

  1. Botnet – Also just about any random run of the mill malware that will be picked up from being negligent.
  2. Pissed off hacker(s) – What they call an “Advanced Persistent Threat” (APT) in the biz. This can be an individual, a group, or even a government that wants to dox you or maybe steal or decimate your data.
  3. Random 3rd Party Service – This is generally what happens when an APT takes on a service or entity that also has your data. Last year over 5.6 million fingerprints were stolen from the OPM. Experian just got hacked. If you live or have visited the US, someone you have data stored with has been hacked. And therefore your data is compromised.
  4. Script kiddies – People like to stuff all sorts of garbage into Zip files and other archives. This is pretty close to the Botnet entry, but I think the initiator isn’t good enough to be an APT but likely some kid that is trying to break into your WiFi.
  5. Your employer – Similar to #3 but this hits much closer to home than if your Facebook account was hacked. Your employer knows everything about you. Even if your employer isn’t hacked, there’s always the mysterious “insider threat!” Be nice to everyone at your work.
  6. Petty theft – Sometimes people just steal stuff. I lost a brand new laptop and $1000 worth of tech when someone broke into a locked car. I made the original “mistake” as outlined above by leaving it outside of my control. But…. sometimes people just steal stuff anyway. If you are worried about people stealing your stuff, remember you need an OFFSITE backup. It’s pretty often that people leave their backup drives sitting on the desk plugged into their computer.  Do you have a passcode on your phone?
  7. Corruption – Drives have a Mean Time Between Failure. This is not particularly intentional, but I vote malicious simply because there are a lot of really crappy hard drives on the market. I have been burned by several drive manufacturers for drives that lasted less than a year.
  8. Piracy – What good is downloading the latest episode of whatever if it all lands you in court? If you are like every other person on the Internet, then you have pirated something somewhere on your computer, and that makes your whole drive something to be confiscated should you get too torrent-happy.
  9. Family and friends – What? What do they have to do with this? Aside from their capacity to make mistakes, they are also compelling reasons to be paranoid about your data’s security, e.g. if your friends have pwned laptops and connect to your network while you’re not wearing your tin foil hat. So it’s not malicious on your friend’s part, but there’s definitely a person in the loop.
  10. Blanket Surveillance – It’s nothing personal, and if you have nothing to hide then you have nothing to be afraid of. The truth is all of us are connecting to the Internet for one reason or another, and those reasons are being monitored, tracked, analyzed, reported on, and many times sold. This may not be the same as my hard drive being compromised, but it is still a breach of the old digital self.


I welcome feedback. I’m sure there are other better ways to categorize this, and I’m not coming up with anything radically new here. But this may be good for just one of my friends or family members to know. Not everyone in my life is really tech savvy, but everyone is concerned about his or her computer and the data that makes up their digital lives.