Anyone who uses a computer on a network is exposed to some risk. Software Restriction Policy is a clear-cut concept that even the least tech-savvy can grasp. When you use a computer, you risk exposing your files to a potential attacker, and you may reveal more about yourself than you intend.

Windows Vista, 7 and 8 ship with built-in measures that protect your identity and activity on the internet, starting with the standard user account. You can improve your security further by setting up a Software Restriction Policy or Parental Controls.

These functions provide a general layer of protection against malicious attacks on the system. Unlike antivirus software, they do not need updates, they barely slow the computer down, and they cost nothing. They add a further layer to your defense against attacks.

Software Restriction Policy works by stopping software from running automatically. It keeps a list of potentially dangerous file types, such as .exe, and files of those types only run when they are located in an approved location, such as the C:\Windows and C:\Program Files directories.

Accounts that are not administrators cannot add new files to these folders. There are exceptions, discussed later. You can also override this behaviour when you have to.


Parental Controls, another simple method, creates a whitelist of the .exe files installed in the system's standard locations. You have full control over what software runs for a given user, and you can add to the whitelist whenever you need to.

Working with Software Restriction Policy:

  1. First, create a Software Restriction Policy. Type gpedit.msc in the Run or Search bar. When it appears, right-click it and choose Run As Administrator. This opens the Local Group Policy Editor.


  2. In the tree on the right, expand Computer Configuration, then Windows Settings, then Security Settings, and select Software Restriction Policies.


  3. Double-click Enforcement in the Object Type list that appears. In the Enforcement dialogue box, choose “All software files” and “All users except local administrators,” then click OK.

You can apply Software Restriction Policies to administrators too, but it costs processing speed: you may experience random hangs when removing or installing software, and there is a significant lag when the policy also applies to local administrators.

Enforcing SRP on all files may cause web browsers to stop responding because of Adobe Flash Player. You can work around this by enforcing SRP on all files except libraries (such as DLLs), and keep that setting until the affected Flash version is obsolete or Adobe fixes it.


  4. Double-click Designated File Types in the right panel. In the dialogue box that opens, scroll through the list to find LNK, select it and press the Delete button. Removing LNK lets you keep using shortcuts such as Quick Launch icons and Desktop shortcuts.


  5. In the left-hand panel, choose the Security Levels folder. Right-click Disallowed and choose “Set as default.” This makes the policy effective. A prompt will appear; just press OK.


*To turn SRP off, right-click Unrestricted and set it as the default instead.

  6. 64-bit versions of Windows have an extra directory in Program Files, named C:\Program Files (x86). Choose Additional Rules, right-click the empty space in the right panel and select New Path Rule. Create a new path rule that makes that directory Unrestricted, so that software installed there is allowed to run.


On Windows 8, create one more path rule marking C:\Program Files\WindowsApps as Unrestricted. This solves the problem of apps from the Windows Store failing to launch.

  7. SRP relies on non-administrator users (and anything that exploits them) not having write permission to the Unrestricted folders. Default Windows installations, however, contain folders where they do. You can close these loopholes with Disallowed path rules for the affected folders.

Download AccessChk, extract the .exe file from the zip archive and save it to C:\Windows\System32. Run accesschk -w -s -q -u <group> <path>, once for each Unrestricted path, with <group> set to a non-administrator group. Create the necessary Disallowed path rules as you go through the results.


Be careful when setting Disallowed paths: a Disallowed rule on a folder covers all of its subfolders, too. Applying a Disallowed rule to C:\Windows\System32\spool, for example, breaks printing. To avoid this, create the path rules one at a time and check the effect of each.

*Check your SRP again after installing new software or printers; new programs can open loopholes that need a Disallowed rule. If you ever need to run such a file anyway, the Run As Administrator option should do the trick.

  8. You need to override SRP when installing software from a disc. Either right-click the setup file and choose Run As Administrator, or copy it to an Unrestricted folder such as C:\Program Files and run it from there.

There are also times when you need a temporary SRP exemption for a program. To install a Remote Assistance app, for instance, you have to let the web browser run the file. Start the browser by right-clicking it and choosing Run As Administrator; this lifts the restrictions on the browser until you close it.

If you need to disable SRP because of a misconfiguration, right-click Local Computer Policy and select Properties. In the dialogue box that appears, check “Disable Computer Configuration settings.” You can then set the default behaviour back to Unrestricted in the Security Levels folder.


  9. Confirm that your SRP is up and working: copy an .exe file to your desktop and try to run it. A prompt like this should appear:
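To automate the loophole check described in the steps above (AccessChk run over every Unrestricted path for a non-administrator group, then Disallowed rules for whatever is writable), here is an added Python helper; it is not code from the original post or from Sysinternals. The SRP registry layout, the AccessChk output format, the Users group and the sample output are assumptions, labelled in the code.

```python
r"""Automate the SRP loophole check from the steps above (added example; not code
from the original post or from Sysinternals). Assumed, not from the page: SRP
settings live under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
(DefaultLevel 0 = Disallowed, 0x40000 = Unrestricted; path rules kept under
<level>\Paths\<GUID> as ItemData) and AccessChk prints "RW <path>" style lines."""
import os
import subprocess
from typing import Dict, List

try:
    import winreg  # Windows only; the parsing and rule helpers work anywhere
except ImportError:  # pragma: no cover
    winreg = None

SAFER_KEY = r"SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
LEVEL_DISALLOWED = 0
LEVEL_UNRESTRICTED = 0x40000
# A Disallowed rule here breaks printing (the post's warning), so review by hand.
FRAGILE_FOLDERS = (r"C:\Windows\System32\spool",)
# Constructed AccessChk output, used when the script runs off a Windows machine.
SAMPLE_ACCESSCHK = (
    "RW C:\\Program Files\\VendorApp\\logs\n"
    "RW C:\\Program Files\\VendorApp\\logs\\old\n"
    "R  C:\\Program Files\\VendorApp\n"
    "RW C:\\Windows\\System32\\spool\\PRINTERS\n"
)

def read_srp_config() -> Dict[str, object]:
    """Return DefaultLevel and the path rules defined at each security level."""
    if winreg is None:
        raise RuntimeError("reading the SRP registry keys requires Windows")
    cfg: Dict[str, object] = {"default_level": None, "rules": {}}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SAFER_KEY) as root:
        cfg["default_level"] = winreg.QueryValueEx(root, "DefaultLevel")[0]
        for level in (LEVEL_DISALLOWED, LEVEL_UNRESTRICTED):
            rules = []
            try:
                with winreg.OpenKey(root, rf"{level}\Paths") as paths:
                    for i in range(winreg.QueryInfoKey(paths)[0]):
                        with winreg.OpenKey(paths, winreg.EnumKey(paths, i)) as rule:
                            # %HKEY_LOCAL_MACHINE\...% style rules do not expand here.
                            item = winreg.QueryValueEx(rule, "ItemData")[0]
                            rules.append(os.path.expandvars(item))
            except OSError:
                pass  # no rules defined at this level
            cfg["rules"][level] = rules
    return cfg

def parse_accesschk_output(text: str) -> List[str]:
    """Keep the paths of lines whose access flags include write (W or RW)."""
    paths = []
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and set(parts[0]) <= {"R", "W"} and "W" in parts[0]:
            paths.append(parts[1])
    return paths

def writable_by(group: str, path: str) -> List[str]:
    """Run the post's command (-w -s -q -u), plus -d to report folders only."""
    cmd = ["accesschk", "-w", "-s", "-q", "-u", "-d", group, path]
    out = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return parse_accesschk_output(out.stdout)

def _is_under(child: str, parent: str) -> bool:
    c, p = child.lower().rstrip("\\"), parent.lower().rstrip("\\")
    return c == p or c.startswith(p + "\\")

def suggest_disallowed_rules(writable: List[str]) -> Dict[str, List[str]]:
    """Collapse writable folders into the fewest Disallowed rules: parents first,
    subfolders of a kept rule dropped (a rule covers its subfolders), fragile ones
    sent to 'review' instead of 'disallow'."""
    disallow, review = [], []
    for path in sorted(set(writable), key=lambda s: (s.count("\\"), s.lower())):
        if any(_is_under(path, f) for f in FRAGILE_FOLDERS):
            review.append(path)
        elif not any(_is_under(path, kept) for kept in disallow):
            disallow.append(path)
    return {"disallow": disallow, "review": review}

def audit(group: str = "Users") -> Dict[str, List[str]]:
    """Check every Unrestricted path rule; 'Users' is an example non-admin group."""
    cfg = read_srp_config()
    if cfg["default_level"] != LEVEL_DISALLOWED:
        print("warning: DefaultLevel is not Disallowed, so SRP is not enforcing")
    writable = []
    for path in cfg["rules"][LEVEL_UNRESTRICTED]:
        writable.extend(writable_by(group, path))
    return suggest_disallowed_rules(writable)

if __name__ == "__main__":
    if winreg is None:  # off Windows, demonstrate on the constructed sample
        result = suggest_disallowed_rules(parse_accesschk_output(SAMPLE_ACCESSCHK))
    else:
        result = audit()
    for rule in result["disallow"]:
        print("add Disallowed path rule:", rule)
    for rule in result["review"]:
        print("writable but needs manual review:", rule)
```

Run it as an administrator with AccessChk on the PATH; a suggested rule that equals an Unrestricted root itself means that whole root is writable and needs a different fix than a Disallowed rule.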






The best aspect of going digital lies in the convenience of a computer that replaces physical activity. Some say that a remote administration tool is counterproductive to the human function, but it has more pros than cons. Being connected is one such advantage: you can access any computer, and distance need not matter.

Remote Access Control, or RAT, is software that allows a user to control a system without physical access to it. The remote “operator” thus gains full control over the device.

Although RATs and desktop sharing have legal uses, this type of software is often used for malicious activity. The operator controls the RAT over a network connection, and it hides from detection by security software.

RATs can carry out a number of activities once activated on a “client” computer. Apart from gathering login and account information, they can format drives and silently install applications, and they run without the victim's knowledge.

Guide to set up Remote Administration Tool (RAT) Zeus BotNet:

This guide covers setting up the Remote Administration Tool (RAT) Zeus BotNet. It requires downloading the software, plus a database server and a web server.

Zeus, or Zbot, is the infamous Trojan horse that spread through phishing schemes and drive-by downloads. It installs itself and uses form grabbing and keystroke logging to steal banking information. In 2009, Zeus compromised over 74,000 FTP accounts on company websites, including those of the Bank of America and NASA.

In 2010, internet security providers claimed that the creator of Zeus was retiring and was selling the code to his competitor, the creator of the SpyEye Trojan. Experts later retracted this statement, saying it was a ruse and that the developer might come back with new tricks. Binaries and source code have been on GitHub since 2011.

How to setup Zeus Botnet RAT:

  1. First, have a database server and web server running. Download XAMPP for this task and make sure it, and its MySQL service, are up and running.
  2. In your browser, open http://localhost/phpmyadmin and log in with the default username root and a blank password. Then create a database; its name is needed later to set up the Remote Administration Tool.


  3. Download the RAT archive and extract it. It contains three main folders: builder, server (PHP) and other. In your XAMPP files, locate the htdocs folder (C:\xampp\htdocs) and create a new folder inside it (you can name it bot). Finally, copy the contents of server[php] to C:\xampp\htdocs\bot.


  4. Next, go back to your web browser and open http://localhost/install/bot. Supply the correct details in each field.


The host address in the MySQL server section is your database server's IP address, which is your IP address in XAMPP. Supply the database name from step 2, fill the encryption key with any string of 1 to 255 characters, and click Install.

You might encounter an error at this step: “Failed to connect to MySQL server: Host ‘myusername’ is not allowed to connect to this MySQL server.” To remedy this:

  1. Open http://localhost/phpmyadmin and click the Privileges tab, where you will find an edit button. Click it to modify the privileges of the root user.


  2. This leads to the edit user page. Scroll down to the login information, change the Host from localhost to any host and press “Go.” A dialogue box opens when the installation succeeds.



  5. Create and configure the Zeus bot client. In the builder folder, open the configuration file config.txt. Change url_server, url_loader and url_config to match your settings, and remember to edit the path of webinjects.txt.


  6. Now open zsb.exe. In the dialogue box that opens, follow the steps as numbered in the image to build your bot executable.


  7. Step 6 produces two new files, the bot executable (bot.exe) and the bot config (config.bin). Copy these files to the htdocs folder configured earlier (C:\xampp\htdocs\bot).



  8. To test this, the bot.exe is sent to the target victim. Once the victim executes the file, you can see and check it through the attack server: open your browser, go to http://localhost/bot/cp.php and enter your username and password.


  9. Finally, the newly infected victim appears in your browser, with all of its information available from the web interface, including a screenshot of the victim's desktop.



  • Zbot is very aggressive in its attacks. The attacker can collect data about the infected victim, including very private and sensitive information, and monitor the victim's internet activity.
  • Zbot acts as a keylogger, so it can capture login information, saving the usernames and passwords entered on websites.
  • Since Zbot is a persistent Trojan, keeping internet security software up to date is key. Even then, this malware uses stealth techniques and is tough to detect; antivirus software may only manage to prevent some infection attempts.
  • The best protection against Zbot is vigilance about suspicious links in email and on websites. Security experts advise users to avoid clicking anything that looks hostile. Staying on top of your pop-up settings can also help prevent a Zbot infection.





Plug-ins, additional features for a browser, enhance the user experience. Firefox is one browser that supports a wide variety of plug-ins, covering things like video scripts, animations and other elements that browsers alone do not typically support.

Understanding how plug-ins work and interact with browsers is important, because many malicious attacks use plug-ins as a tool for cyber-trespassing and theft. By understanding how plug-ins work, we can secure our systems properly.

Plug-ins serve a multitude of purposes: safe browsing, information gathering and entertainment, among others. Below are useful plug-ins for gathering information and carrying out penetration testing.

FoxyProxy Standard

This add-on is a proxy management tool. It improves the browser's proxy capabilities and provides URL-pattern analysis, switching the network connection between different proxy servers. An animated icon appears in the browser when a proxy is in use.

FoxyProxy Standard has a history tab that logs the servers used. The plug-in can be set to kick in only when necessary, based on the nature of the URL, which makes it more efficient than other proxy management plug-ins.

Firebug

Firebug is a Firefox web development tool embedded in the browser. It enables editing of HTML, JavaScript or CSS directly on the live page, with the changes visible immediately after saving.

This plug-in helps pinpoint vulnerabilities in web applications and web pages. It opens a window from which to launch a penetration test and can collect a user's data. It also enables inspection of the HTML elements on the page.

The CSS tab checks and edits the style of the page. It is a convenient way to edit the look of the page and view the changes immediately. Code can be copied out for further development outside the browser, and scaling and margins can be set up to align text and images.

Furthermore, Firebug monitors network activity: if a page is loading slowly, you can check what causes the lag from this plug-in. Firebug also has a powerful JavaScript debugger that identifies errors and measures the performance of a script.

The DOM tab in the Firebug panel helps identify code tags and edit them. The plug-in also makes cookie management easy: all accepted cookies can be reviewed, listed by value.



Live HTTP Headers

Live HTTP Headers is an effective penetration testing tool for troubleshooting, tuning and analyzing a website. HTTP headers carry data such as language, caching, authorization and character set that is normally invisible; this plug-in gives access to it.

To obtain header information, right-click on the page and select “View Page Info.” Next, click the header tab in the new pop-up window to view the page information. Press “Ctrl+Shift+A” to replay the header.


This plug-in is considered a sniffer application, because it can view the HTTP header exchange. You can see what is happening, analyze it and stop the capture. To change header or URL values, you only need to highlight, edit and replay a request. Finally, it works on both Windows and Linux.


Hackbar

Hackbar is another penetration testing tool. It appears as an extension of the address bar and can perform POST data manipulation, encryption and encoding, which helps test for XSS holes, web security issues and SQL injection. One can also work with hash algorithms, Base64 decoding and other data formats in Hackbar.


Firesheep

Firesheep gives you the capability to attack the HTTP sessions of other users on the same network. The plug-in shows all the accounts found on the network, using the cookie unique to each logged-in account. This works because websites protect the initial log-in but leave the rest of the session unprotected.

These cookies are readily available to attackers on any open network. Firesheep captures users visiting an unsecured page, and double-clicking a captured item logs you in as that user.

Tamper Data

Tamper Data is used to view and edit HTTP requests. This add-on records ongoing requests to a particular website for display. The window shows details such as time, total duration, size and other information. Most noteworthy, the data can be copied to an external file for future reference.



CryptoFox

CryptoFox is an encryption and decryption plug-in. It appears as an extension of the address bar and has two fields: the first takes the text to be encrypted, and the second selects the desired encryption method.

CryptoFox supports over 40 techniques and also has a dictionary attack reference for MD5 passwords. To test the plug-in, here is an AES 128-bit encryption, followed by the AES 128-bit decrypt method.


Type “helloworld!” in the text field, select AES 128-bit encryption and press the decode button. When asked for a password, enter “passwd.” Especially relevant is that the same password is used for decryption later.


After entering your password, click OK. The encrypted text is then displayed in the first field. To cross-check, select AES 128-bit Decrypt and use the same password.



Anonymox

Anonymox is a useful plug-in that enables anonymous browsing in Firefox. It creates a virtual identity that protects you and gives access to sites commonly banned on your network. It also helps you change your IP address.

In addition, Anonymox's settings can be customized per website. Bypassing GeoIP blocks is also possible, as the add-on changes your apparent origin location, which gives you access to sites banned in your country.

Anonymox acts as a middleman: the request is sent to the plug-in, and the plug-in itself talks to the web host. It lets you select proxy identities.


SQL Inject Me

This penetration testing plug-in identifies SQL injection vulnerabilities. It looks for database errors and loopholes by sending escape strings to the database. A completed test shows the errors found and the options.


Certificate Patrol

Certificate Patrol helps pinpoint man-in-the-middle attacks by checking SSL certificates. It shows whether anything within the certificate was modified during an exchange. The add-on uses pop-ups to show you the SSL details and lets you choose whether to save them; if saved, it can cross-check for disparities later.

To verify a certificate, the plug-in shows the old and new versions of the SSL certificate. Compare them carefully for discrepancies, and click the Reject button if you find anything suspicious.



FoxySpider

Web crawlers are useful. FoxySpider is one such add-on for Firefox that organizes a website: it displays and arranges videos, music, images and so on by file type, which is useful for gathering information about a website.

An icon on the left side of the address bar indicates that FoxySpider is installed. The tool has three settings: left-clicking organizes the files, right-clicking opens a search configuration window, and middle-clicking pops up a window to set requirements such as keywords or specific URLs.


Firefox has a 35% user rating. With plug-ins such as these, security engineers can perform their tasks more conveniently; testing and information gathering are easier with these add-ons. We encourage you to download these plug-ins and try them out yourself.





Users download and execute malware onto their systems in a number of ways, but attachments are one of the most common. Users are easily tricked into clicking and downloading attachments. Furthermore, we use email for many transactions, including online banking, so email makes us vulnerable to criminal and fraudulent activity.

Dridex is a banking Trojan, a type of malware that specializes in stealing bank account information. It is also known as Bugat or Cridex.

This malware primarily targets Windows users. Dridex is disguised as an email attachment in an Excel or Word file, which prompts the user to enable macros; the macro in turn downloads the Dridex malware, opening the user up to theft.

The primary goal of Dridex is to steal banking details such as account names, numbers and passwords. Additionally, it allows attackers to perform fraudulent transactions with the stolen identities. The software carries out injection attacks and installs a keyboard listener on the infected machine.

This malware stole an estimated £20 million in the UK. Similarly, it stole $10 million in the US in 2015. Since then, Dridex has infiltrated more than 20 countries. In September 2016, experts said that the banking Trojan would target crypto-currency wallets such as Bitcoin and other forms.

You may be at risk of opening malware if you receive an email containing remittance advice for BACS. BACS, Bankers' Automated Clearing Services, electronically processes financial transactions in the United Kingdom, and most victims come from the United Kingdom.


The email comes with an Excel attachment named BAC_296422H.xls. The attachment runs its macro automatically once opened, which is usually the case when macros are enabled in Microsoft Office. The malicious document is detected as X97M/DownldExe.A.

The macro downloads and executes a WinPE file that is named “test.exe” coming from The downloaded executable is usually W32/DridLd.A.

W32/DridLd.A is the downloader component of the Dridex malware and belongs to the Cridex family. It is arguably the heir to earlier banking Trojans, and it steals banking account information through HTML injections.

W32/DridLd.A masquerades as a Windows component, which is itself suspicious. On closer inspection, the original and internal filename indicate a DLL, while the file type is specified as a Win32 EXE.


A debugger reveals a compressed executable stored encrypted in the .data section. Unpacking it further reveals a compressed server config.



The unpacked .data section contains a list of the servers from which the Dridex malware component is downloaded.


Dridex collects some information before performing a POST to any of the listed servers. This system information includes the computer name, username, Windows version, installation date, application version and the names of installed applications, enumerated from HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall.

Next, the malware builds a data buffer in XML:

<loader><get_module unique="v1" botnet="v2" system="v3" name="bot" bit="v4"/><soft><![CDATA[v5]]></soft></loader>



v1 = %ComputerName%_%MD5 of the checksum of UserName and InstallDate%
v2 = %Numeric Botnet ID% (125 in this case)
v3 = %Checksum(MajorVersion|MinorVersion|ServicePackMinor|ServicePackMinor|SuiteMask)%
v4 = %List of applications enumerated from Uninstall key, delimited by ";"%


The malware sends a POST request to a server from the server config, carrying the stolen data as encrypted XML. The encryption is simply an XOR operation with “x” as the key.


The contacted botnet server then replies to the request with encrypted XML data. One can decrypt the response using the same XOR operation.
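A decoder for captured beacon bodies in the format just described, as an added example that is not code from the original write-up or from the malware: it undoes the single-byte XOR with “x”, checks that the result is a loader document, and pulls out the fields that identify the infected host. The sample beacon and its field values are constructed here.

```python
"""Decode and parse a Dridex-style loader beacon (added example; not from the
original write-up or from the malware). The post gives the XML layout of the
POST body and states it is XOR-encrypted with "x"; the sample below is a
constructed beacon with placeholder values in that layout."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Union

XOR_KEY = ord("x")  # single-byte key named in the write-up


def xor_x(data: bytes) -> bytes:
    """XOR every byte with 'x'. The same call encrypts and decrypts."""
    return bytes(b ^ XOR_KEY for b in data)


def looks_like_loader_beacon(body: bytes) -> bool:
    """Cheap triage check for a captured POST body: does it decode to <loader>?"""
    return xor_x(body[:8]) == b"<loader>"


def parse_loader(xml_text: str) -> Dict[str, Union[str, List[str]]]:
    """Pull the get_module attributes and the installed-software list out."""
    root = ET.fromstring(xml_text)
    if root.tag != "loader":
        raise ValueError("root element is not <loader>")
    module = root.find("get_module")
    if module is None:
        raise ValueError("<get_module> element missing")
    info: Dict[str, Union[str, List[str]]] = dict(module.attrib)
    # The <soft> CDATA carries the Uninstall-key application names, ';'-delimited.
    soft = root.findtext("soft", default="")
    info["soft"] = [name for name in soft.split(";") if name]
    return info


def decode_beacon(body: bytes) -> Dict[str, Union[str, List[str]]]:
    """Decrypt a captured beacon body and parse it."""
    if not looks_like_loader_beacon(body):
        raise ValueError("body does not XOR-decode to a loader beacon")
    return parse_loader(xor_x(body).decode("utf-8"))


# Constructed sample: placeholder values in the layout the post describes, then
# XOR'd so SAMPLE_BODY resembles what would be captured on the wire.
SAMPLE_PLAINTEXT = (
    '<loader><get_module unique="WORKSTATION01_0123456789abcdef0123456789abcdef" '
    'botnet="125" system="1234567890" name="bot" bit="32"/>'
    '<soft><![CDATA[Example App 1.0;Another Tool 2.3]]></soft></loader>'
)
SAMPLE_BODY = xor_x(SAMPLE_PLAINTEXT.encode("utf-8"))

if __name__ == "__main__":
    beacon = decode_beacon(SAMPLE_BODY)
    print("botnet id:", beacon["botnet"], "host id:", beacon["unique"])
    print("installed software:", beacon["soft"])
```

The same `xor_x` call applies to the server's reply, which the write-up says uses the same XOR operation.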

The decoded response includes the main DLL component of the Dridex malware. It is saved in the directory where the downloader XX.tmp was executed; XX varies, as in the example 15.tmp. W32/Dridex.A poses as a Microsoft library with the filename MFC110CHS.DLL.


The W32/Dridex.A component is packed with the same compression technique. Its unpacked .sdata section contains compressed data as well, but this time the data is compressed with a public key.


Rundll32.exe loads the main component, called with the following syntax:

Rundll32.exe %path to Dridex DLL%,NotifierInit


NotifierInit injects another copy of the component into explorer.exe after the main component is called through its exported function. It then deletes its file to avoid further detection by security scans.

From there, the malware performs its malicious activities from inside explorer.exe. It can monitor browser activity in Chrome, Firefox and Internet Explorer.

The malware then performs spyware functions: it grabs screenshots of the infected user's desktop and acts as a keylogger that saves account information.


Dealing with emails and documents requires vigilance toward suspicious attachments. The Dridex attachment in particular seems inconspicuous, yet it is very harmful once opened, as its infection chain is based on social engineering. Careful handling of such emails therefore prevents this malware.

Delete any email you find suspicious or hostile, preferably without opening it. Emails that appear to originate from legitimate organizations should also be verified.

An antimalware solution with email coverage is essential for preventing this malware. The software screens your emails, so you need not worry about accidentally opening a suspicious one.

Contact your bank immediately if infected with Dridex. Change your banking information and update your passwords as soon as possible, for every account you have entered on the infected system.

You can also prevent this malware by keeping the macro security settings in Microsoft Office enabled. With that security in place, the chance of harm is significantly lower, because Dridex is macro-based. IT admins can also enforce group policies that push these settings.

Banking theft is a serious crime, so we always need to stay on top of security when it comes to malware. Email needs careful guarding because it is personal, and security breaches happen easily when people care little about their online activity.






Encrypting data at rest is essential for protecting sensitive data stored on disks, and it is likewise essential for regulatory compliance. Data can only be read with a valid key. HIPAA and PCI DSS are compliance regulations that require encryption of data at rest throughout its lifecycle.
Amazon Web Services supplies options for data-at-rest encryption and key management. Amazon enables encryption of EBS volumes and lets S3 buckets be configured for server-side encryption (SSE) using AES-256. Amazon also supports Transparent Data Encryption (TDE).

Instance storage provides temporary block-level storage for Amazon EC2 instances. The storage exists on physical disks attached to the host computer. Most noteworthy, instance storage is meant for frequently changing temporary data such as caches, buffers and scratch data. By default, however, this data is not encrypted.
This section shows an encryption method for Linux EC2 instances. The encryption is transparent and effectively protects confidential information: applications that use the data cannot detect the disk-level encryption.

File system and Disk Encryption

In summary, there are two encryption methods for instance stores. One is file-system-level encryption, where only files and directories are encrypted. It is portable across operating systems and operates above the file system.
The other is disk encryption, which encrypts a block of the disk or the entire disk using one or several encryption keys. This approach operates below the file system and hides file and directory information such as names and sizes. It is also OS-agnostic.

Linux dm-crypt Infrastructure

The Linux kernel-level encryption method, dm-crypt, lets users mount an encrypted file system. Mounting attaches the file system to a mount point, a directory that makes it available to the OS. The file system is then available to applications without any added interaction, and files are encrypted when stored on the disk.

Device Mapper, found in the Linux 2.6 and 3.x kernels, is an infrastructure for building block devices in layers. Its crypt target provides transparent encryption using the kernel crypto API. Dm-crypt combined with a disk-backed file system, mapped through the Logical Volume Manager (LVM), is arguably the solution of choice.
The diagram shows the relationship of dm-crypt to the application and the file system on Amazon: it sits between the file system and the physical disk, and data written from the OS to the disk is encrypted.

Most of all, the application cannot detect the disk-level encryption because it is never made aware of it. When applications use a directory or mount point to store and retrieve files, the files are encrypted as they are written to disk. This renders the files useless if the drive is stolen or lost.


Next, create a new dm-crypt encrypted file system and name it “secretfs.” It is encrypted using LVM and LUKS (Linux Unified Key Setup) and lives on the EC2 instance's disk storage.

A diagram traces the newly encrypted file system in the EC2 internal disk storage. Applications that need to save confidential data use “secretfs” as a temporary mount point (/mnt/secretfs) for their scratch files.



This solution requires three sets of actions. First, run the EC2 launch configuration at boot, because the file system is created at boot time. Full control over every step should be granted and revoked by an administrator, specifically to assist in creating the file system or accessing keys.
Next, log every encryption and decryption request using AWS CloudTrail. This is critical when creating keys and when unlocking an encrypted file system.

Lastly, integrate the other AWS services into the solution. Four services are involved, described below.
First, the AWS Key Management Service (KMS) enables the creation of encryption keys and control over the keys used to encrypt data. It uses envelope encryption, with a master key protecting a data key. Most noteworthy, the master key can encrypt and decrypt up to 4 KB of data.
Second, AWS CloudTrail records and logs requests to and from KMS. This data is used for auditing later and helps monitor the account's API calls.
Third, Amazon S3, the storage service of AWS, holds the password for the encrypted file system.
Finally, AWS Identity and Access Management (IAM) controls secure access to AWS services. It grants access to the S3 bucket (reading the encrypted password) and to KMS (decrypting the password).

To implement the solution:

1. Initially, create an S3 bucket. It stores the file that contains the encrypted password, and this password is used to encrypt the chosen file system.
Sign in to the S3 console and click Create Bucket. Type your chosen bucket name in the box and press Create. The right pane will then show the new bucket you created.

2. Next, configure an IAM policy that grants permission to the S3 bucket you created to store the encrypted password. To start, you need to create the IAM policy.


Subsequently, open the IAM console, select Roles, and select Create New Role. Type the role name and hit Next Step. Click Next Step again on the Establish Trust page. Under Attach Policy, choose the IAM policy you set up.

EC2 instances must be launched with this newly created IAM role, since it grants the permission to read the encrypted password from the S3 bucket. The new role should display on the Roles page.
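The article does not show the IAM policy itself. As an added example (not from the article or from AWS), here is a least-privilege policy for the instance role, restricted to reading the one password object and calling kms:Decrypt on the one key, together with a small audit function that flags broader grants. The bucket name and alias come from the article; the key ARN is a constructed placeholder.

```python
"""Build and audit a least-privilege IAM policy for the EC2 role (added example)."""
import json

BUCKET = "an-internalstoragekeybucket"   # bucket name used by the article's boot script
KEY_OBJECT = "LuksInternalStorageKey"     # the encrypted LUKS password object
# Constructed placeholder ARN for the key aliased EncFSForEC2InternalStorageKey.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"

# The only two API calls the boot script makes.
NEEDED_ACTIONS = ("s3:GetObject", "kms:Decrypt")


def build_role_policy(bucket: str, key_object: str, key_arn: str) -> dict:
    """Return an IAM policy allowing exactly what the boot script needs."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadEncryptedLuksPassword",
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/{key_object}"],
            },
            {
                "Sid": "DecryptLuksPassword",
                "Effect": "Allow",
                "Action": ["kms:Decrypt"],
                "Resource": [key_arn],
            },
        ],
    }


def _as_list(value) -> list:
    """IAM allows a string or a list for Action and Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def policy_findings(policy: dict) -> list:
    """Flag Allow statements that grant more than the boot script requires:
    wildcard actions, actions outside NEEDED_ACTIONS, and wildcard resources."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or "*" in action.split(":")[-1]:
                findings.append(f"{sid}: wildcard action {action}")
            elif action not in NEEDED_ACTIONS:
                findings.append(f"{sid}: action {action} not needed by the boot script")
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*" or res.endswith("/*") or res.endswith(":*"):
                findings.append(f"{sid}: overly broad resource {res}")
    return findings


def policy_json(bucket: str = BUCKET, key_object: str = KEY_OBJECT, key_arn: str = KEY_ARN) -> str:
    """Policy document as the JSON text you would paste into the IAM console."""
    return json.dumps(build_role_policy(bucket, key_object, key_arn), indent=2)
```

Note that the KMS key policy (step 4 in the article) must also list the role, since an IAM policy alone does not grant use of a KMS key.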


3. At this point, use KMS to encrypt a password. Encrypting text with KMS requires the AWS CLI, which is installed by default on the EC2 Linux instances and is also available for Windows, Mac and Linux.

aws --region us-east-1 kms encrypt --key-id 'alias/EncFSForEC2InternalStorageKey' --plaintext "ThisIs-a-SecretPassword" --query CiphertextBlob --output text | base64 --decode > LuksInternalStorageKey

aws s3 cp LuksInternalStorageKey s3://an-internalstoragekeybucket/LuksInternalStorageKey

Type these commands in the AWS CLI, replacing the --region value with your region and the bucket name with the bucket you created (the boot script below reads from an-internalstoragekeybucket). Ensure you have the right permissions to use the key and to write to the S3 bucket. The file generated by the first command is copied to the S3 bucket by the second. The key alias that identifies the key is EncFSForEC2InternalStorageKey.

4. Now, choose Encryption keys from the navigation pane of the IAM console. Select the key alias generated earlier to add a new role that can access the key. Scroll down to Key Policy and choose Add.


Select the role you created earlier and click Attach. This role is now granted permission to use the key.

5. Finally, launch a new instance in the EC2 console. Under Configure Instance Details, choose the IAM role created earlier.


You will see an Advanced Details section in the bottom pane. Paste the following script into the User Data field and choose As Text. It executes at boot time of the EC2 instance.

#!/bin/bash

## Initial setup to execute on boot.

# Create an empty (sparse) file. This file is used to host the file system.
# In this example we create a 2 GB file called secretfs (Secret File System).
dd of=secretfs bs=1G count=0 seek=2
# Lock down normal access to the file.
chmod 600 secretfs
# Associate a loopback device with the file.
losetup /dev/loop0 secretfs
# Copy the encrypted password file from S3. The password is used to configure LUKS later on.
aws s3 cp s3://an-internalstoragekeybucket/LuksInternalStorageKey .
# Decrypt the password from the file with KMS, save the secret password in LuksClearTextKey.
LuksClearTextKey=$(aws --region us-east-1 kms decrypt --ciphertext-blob fileb://LuksInternalStorageKey --output text --query Plaintext | base64 --decode)

# Encrypt storage in the device. cryptsetup will use the Linux
# device mapper to create, in this case, /dev/mapper/secretfs.
# Initialize the volume and set an initial key.
echo "$LuksClearTextKey" | cryptsetup -y luksFormat /dev/loop0
# Open the partition, and create a mapping to /dev/mapper/secretfs.
echo "$LuksClearTextKey" | cryptsetup luksOpen /dev/loop0 secretfs
# Clear the LuksClearTextKey variable because we don't need it anymore.
unset LuksClearTextKey

# Check its status (optional).
cryptsetup status secretfs
# Zero out the new encrypted device (dd stops with a "no space left" error when the device is full; that is expected).
dd if=/dev/zero of=/dev/mapper/secretfs
# Create a file system and verify its status.
mke2fs -j -O dir_index /dev/mapper/secretfs
# List file system configuration (optional).
tune2fs -l /dev/mapper/secretfs
# Mount the new file system to /mnt/secretfs.
mkdir /mnt/secretfs
mount /dev/mapper/secretfs /mnt/secretfs

Remember to enable CloudTrail; it lets you monitor and audit access to the KMS key. When the EC2 instance launches, the boot script copies the encrypted password file from S3, has KMS decrypt it, and configures the encrypted file system mounted at /mnt/secretfs.
Every file saved under the mount point is encrypted when stored on disk. Applications handling sensitive data must write to the mount point to benefit from the encrypted file system; the rest of the file system outside the mount is not encrypted.
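Because only files under the mount point are protected, an application can verify that its scratch directory really sits on a LUKS mapping before writing secrets there. This is an added example, not part of the article: the /proc/mounts text and dm attributes are constructed samples; on a live system use read_dm_table() and the real /proc/mounts.

```python
"""Check that a path is served by a dm-crypt (LUKS) mapping (added example)."""
import os
from typing import Dict, Optional


def mount_source(path: str, mounts_text: str) -> Optional[str]:
    """Device of the longest mount point containing path.
    mounts_text uses the /proc/mounts layout: device mountpoint fstype options ..."""
    best, src = "", None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        dev, mnt = fields[0], fields[1]
        inside = path == mnt or path.startswith(mnt.rstrip("/") + "/")
        if inside and len(mnt) > len(best):
            best, src = mnt, dev
    return src


def is_luks_mapping(device: str, dm_table: Dict[str, str]) -> bool:
    """dm_table maps a mapper name to its /sys/block/dm-N/dm/uuid value.
    cryptsetup tags its devices with a uuid starting 'CRYPT-LUKS'."""
    prefix = "/dev/mapper/"
    if not device.startswith(prefix):
        return False
    return dm_table.get(device[len(prefix):], "").startswith("CRYPT-LUKS")


def path_is_encrypted(path: str, mounts_text: str, dm_table: Dict[str, str]) -> bool:
    """True when path lives on a LUKS-backed mount such as /mnt/secretfs."""
    dev = mount_source(os.path.normpath(path), mounts_text)
    return dev is not None and is_luks_mapping(dev, dm_table)


def read_dm_table(sys_block: str = "/sys/block") -> Dict[str, str]:
    """Collect name -> uuid for every device-mapper device on a live system."""
    table: Dict[str, str] = {}
    if not os.path.isdir(sys_block):
        return table
    for entry in os.listdir(sys_block):
        if not entry.startswith("dm-"):
            continue
        try:
            with open(os.path.join(sys_block, entry, "dm", "name")) as f:
                name = f.read().strip()
            with open(os.path.join(sys_block, entry, "dm", "uuid")) as f:
                table[name] = f.read().strip()
        except OSError:
            continue
    return table


# Constructed sample in the article's layout: root on the instance disk,
# the LUKS volume opened as "secretfs" and mounted at /mnt/secretfs.
SAMPLE_MOUNTS = """\
/dev/xvda1 / ext4 rw,relatime,data=ordered 0 0
/dev/mapper/secretfs /mnt/secretfs ext3 rw,relatime 0 0
"""
SAMPLE_DM = {"secretfs": "CRYPT-LUKS1-00000000000000000000000000000000-secretfs"}
```

On a real instance call path_is_encrypted(path, open("/proc/mounts").read(), read_dm_table()).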

Elsewhere, here is another article about Using APT tactics and techniques in your pentests.

What is DoD 8570, who does it apply to, and how it works


In the 21st century, cyberspace gradually transformed into a battlefield in which DoD assets are the epicenter for success. As a result, DoD 8570 is a necessary certification. It is especially relevant for commercial contractors and for military and civilian Information Assurance professionals.

What is DoD 8570?

Department of Defense Directive 8570 is more of a policy than a certification. One earns DoD 8570 compliance after earning several certifications; there is no single certification known as "8570". Below you will find a description of the certifications essential for DoD 8570 compliance. Specifically, DoD IT employees pursue certifications such as CCNA Security and Network+ CE.


Who Does 8570 Apply to?

8570 applies to certain people regardless of their job or occupational series. Participants mostly include local nationals and full-time or part-time military service members: people with access to DoD information systems who are actively engaged in conducting information security functions. In short, contractors and government employees need DoD 8570.

The Department of Defense has a five-year plan, as stated in the 8570.01 manual, to integrate Information Assurance professionals into its system. The Defense Information Assurance Program further splits the Information Assurance profession into six categories, and the manual makes clear which credentials qualify for each of these categories.


The Past and Future of DoD 8570

DoD 8570 was published to deal with the fear of unqualified personnel continually taking up cyber-security roles. That was in 2005, a little over a decade ago. The directive touched on all persons with access to information systems who conducted vital security functions.

The targets for the publication included:

  • help desk technicians,
  • computer repair technicians,
  • information security managers and
  • system administrators

The guideline brought significant changes in the government. Units received the privilege to request resources to raise the skills of current staff, and the kind of training done changed as well. Additionally, new military personnel were assigned Information Assurance (IA) jobs. This move ensured that new recruits were at their best before deployment onto the battlefield. Most noteworthy, 8570 introduced categorization and certifications, defining the necessary standards for a long time to come.

What lies ahead for DoD 8570? With the directive converting to DoD 8140, additional high-standard requirements are expected. Certainly, things will remain as they are, at least for the next three years. All organizations and contractors will, as a result, remain bound to follow the guidelines listed in the 8570 manual, and they ought to hold a certification for the same.

How DoD 8570 works

DoD 8570 is clear that all persons in charge of information assurance for department systems must hold the required certifications to handle the job. Moreover, the Defense Department Directive issued a manual that describes the different job categories, both technical and managerial positions.

Furthermore, DoD trains and certifies its employees at its own expense. The following commercial certifications are approved by DoD; this section gives cost information as well as a description of each certification:

Job Category / Example Certification / Provider / Time and Cost

Incident Responder
  Example certification: CERT
  Provider: Carnegie Mellon Software Engineering Institute
  Time and cost: three-course training, each course lasting 5 days; exam costs $200

Information Assurance Technical
  Example certification: A+
  Provider: CompTIA
  Time and cost: a five-day course; CompTIA members pay $132, non-members pay $168

Computer Network Defense Auditor
  Example certification: Certified Information Systems Auditor
  Provider: Information Systems Audit and Control Association
  Time and cost: 2½ hours per week for 14 weeks; members pay $300, non-members pay $325, DoD employees pay $400 for the exam

Certifications Required for DoD 8570 Compliance

Meanwhile, we have created a classification table to help you get a better view of the required certifications. This table shows which certifications are commensurate with particular job duties.

The certifications can be categorized into:

  • Technical-level certifications, which require the Information Assurance Technical (IAT) certifications.
  • Management-level certifications, which require the Information Assurance Management (IAM) certifications.


The following tiers and certifications are necessary for technical-level personnel:

  • IAT Level I
  • IAT Level II

[Certification list for each IAT tier: image not reproduced]

The following tiers and certifications are necessary for management-level personnel:

  • IAM Level I
  • IAM Level II
  • CISSP (or Associate)

[Certification list for each IAM tier: image not reproduced]

CAP applies to individuals actively involved in formalizing risk-assessment processes and creating security requirements. They establish a balance between information systems security and the potential risk and damage.


Security+

The Security+ certification covers the vital network security principles and is a significant boost to a career in IT security. The certification is approved by the Department of Defense because it meets the Directive 8570 requirements. Additionally, it complies with government regulations under the Federal Information Security Management Act (FISMA).

Security+ certification has global recognition, largely because it is developed and maintained by top IT experts. The exam is also designed after detailed consultation and feedback from an industry-wide survey. Areas covered by the Security+ exam include network security, data and host security, and threats and vulnerabilities.

Conclusively, DoD 8570 integrates this certification because it proves one's qualification to secure a network and detect hacker activity.

Certified Authorization Professional (CAP)

CAP certification objectively measures one's knowledge and skills in authorizing and maintaining information systems. Specifically, individuals in charge of making formal processes and assessing risk for security assurance are the main pursuers of this credential. They make the decisions that determine whether or not an information system is commensurate with its risks and threats.

The Department of Defense (DoD) considers CAP a vital way to prove one's skills, and other U.S. federal government wings and state departments value it similarly. Local governments, civilians, and commercial markets are also appropriate candidates for this credential.

Meanwhile, vital skills to possess before enrolling include IT security, systems administration, information security policy and information assurance.


Network+

The Network+ certification validates that you have what it takes to troubleshoot, design, manage and configure networks, both wired and wireless. At this point, there is an increased demand for Network+ certified personnel worldwide.

Trainees for this program are subjected to dynamic networks, software and hardware activities to up their skills. This particularly allows them to integrate their talent with IT requirements. The certification gives an in-depth analysis of the modern technologies.

Even so, there are no prerequisites for taking the Network+ certification exam. However, meeting the following requirements before the course is of great importance; some of them may be acquired as the study proceeds.

  • Basic PC operation knowledge
  • Understanding the basics of networking technology
  • Experience with one or more of the following operating systems: Linux, Novell NetWare or Windows



A+

The A+ certification validates that PC service personnel have a deeper understanding of operating, installing, customizing and maintaining personal computers. Initially, A+ certification was a lifetime award. However, since 2011 the A+ certificate must be renewed every three years by taking a test; the alternative is to pay the Continuing Education Units fee to maintain the certificate.

The A+ exam covers identification, traditional and situational types of questions. Trainees are given multiple-choice questions for which only one answer is correct. Anybody can take the exam; however, it is most recommended for service technicians with six months of experience.

Systems Security Certified Practitioner (SSCP)

Every organization values systems security and strives to hire the right people. The SSCP certification, for this reason, helps information security staff to stand out as the best in the market. It is a necessary certification for personnel with proven technical skills in IT roles.

Moreover, SSCP assists professionals in different scenarios. It lets you demonstrate technical ability earned from hands-on technical roles. Similarly, it confirms in-depth knowledge on security testing; incident response, intrusion detection, authentication, attacks and countermeasures and most of all code countermeasures.

For the organization, SSCP helps bolster security posture through the implementation of standard procedures. As a result, it enhances security coherence all over the organization since practitioners have a common security language. Additionally, it ups organizational integrity as viewed by clients and stakeholders.

The following roles are the best fit for SSCP, but the certification is not limited to them:

  • Systems Engineer
  • Security Analyst
  • Security Consultant
  • Systems Analyst
  • Network Security Engineer
  • Systems Administrator
  • Database Administrator

Security Certified Network Professional (SCNP)

On the other hand, the SCNP certification gives network administrators the hands-on skills necessary for advanced organizational protection. Enrolled students are taken through prevention techniques, risk analysis and policy creation in a technology-intensive environment. The certification ensures professionals are up to par with real-world security threats through the latest security lessons.

Furthermore, SCNP handles the elements that ensure a network is safe. These include protecting the commercial operating systems like Linux and Windows. Foundational skills validated include ethical hacking, hardening the OS, securing the Internet and creating organization security policy.

However, candidates are required to complete SCNS before enrolling for SCNP, because the latter picks up where SCNS left off.


GIAC Security Essentials (GSEC)

The GSEC certification is necessary for IT security professionals who want to validate their hands-on ability in security tasks. Enrolled students have to prove a deeper understanding of information security beyond the general concepts and terminology. The exam tests various areas including network protocols, IP packets, IPv6, DNS and UDP, among others.

Additionally, candidates must demonstrate their versatility in detecting malicious code and its propagation. They should also be capable of giving a detailed description of how to avert its expensive effects.

GSEC certifications are renewable every four years. To renew, candidates are required to accumulate 36 CPEs.

Certified Information Systems Auditor (CISA)

Further, CISA is a worldwide recognized certification for professionals who monitor, control, audit and assess business systems and information technology. Candidates can use the CISA certification to showcase their audit skills, experience and knowledge in assessing vulnerabilities.

As a result, any person interested in information systems security, audit and control is invited to take the CISA examination. Successful exam applicants receive the relevant information regarding the passing score. Moreover, the CISA Exam Review Courses have all the resources one may require for preparation.

Candidates submit their CISA application for certification upon completing the exam and meeting all the requirements. Even more, one needs a minimum of 5 years' experience in auditing, security, and control of information systems.


Security Certified Network Architect (SCNA)

The program advances one's security and technological skills required in building trusted networks. SCNA fosters skills and knowledge such as wireless security, biometrics, forensics, digital signatures, digital certificates, strong authentication and cryptography. Candidates get a chance to experience the applications in a teaching environment courtesy of the hands-on labs.

Networks continue to evolve, making it necessary to develop trusted networks. Professionals with the ambition to remain the best in the market must understand these changes; they are the professionals who recognize that IDS and firewall protection is not enough.

Also, an exam is mandatory to attain the SCNA certification. The program is split into two exams for which candidates must meet the minimum pass mark: the Enterprise Security Implementation exam and the TSE exam, which touches on both SCNP and SCNA facets.

Certified Information Systems Security Professional (CISSP)

CISSP is one of the main prerequisites for any person with ambitions of advancing a career in information security. CISSP offers IS professionals global recognition of their competence, measured against the most standard basis. Suitable candidates for this program include both middle and senior managers.

Five years' experience in the IS field is one major qualification requirement for the CISSP certification. Similarly, candidates must pass the CISSP exam and continually maintain the certification through CPE credits.

Most noteworthy, CISSP examinations entail intensive classroom training. The course is designed to ensure smooth progress throughout the study period. Information security professionals also have to complete an essential manual, which prepares them for the examination.


GIAC Security Expert (GSE)

Any person with an interest in keeping their information security skills high must consider the GIAC GSE certification. GIAC GSE is not just an ordinary test: one must hold three GIAC certifications to qualify for it. The prerequisite certs are GCIH, GCIA and GSEC.

A multiple-choice examination precedes the GSE exam; one only sits for the final test upon passing the multiple-choice one. The aspects tested include IDS tools and capturing, analyzing and interpreting traffic. Candidates are also taken through malware, common attacks, the IH process and preserving evidence.

GIAC Security Leadership Essentials for Managers (GSLC)

GIAC GSLC certification validates one's skills in security systems from a manager's or a supervisor's perspective. The GSLC exam is your pathway into managerial roles within the security industry.

GSLC lists no specific prerequisites for qualification. But even though such prerequisites are non-existent, it is significant that a candidate has hands-on experience in security management and deeper insight into information security.

The examination includes 115 questions with a time frame of 3 hours. The minimum passing score is 68%. The certification is not for a lifetime; it is renewed every four years.


Certified Information Security Manager (CISM)

If you are interested in security management, then this certification will fulfill your dream. Enrolling demands that you satisfy the following requirements:

  • Pass the CISM exam
  • Follow the ISACA Code of Ethics
  • Follow the CEP at the workplace
  • Meet the minimum field work experience
  • Apply for the CISM certification

On passing the CISM exam, the score is valid for a maximum of 5 years. If one does not meet the other CISM certification requirements before this period ends, the score becomes invalid.

Individual employers must independently verify all the listed experience. Moreover, it must be experience gained within the ten years preceding the application date or within five years of passing the CISM exam.

However, there is room for appeal if the certification application is denied.


Elsewhere, please take a look at my other post on PCI and MFA.