Ask The Experts: Why Do Security Testing of Internal Computer Networks?

Most organizations have realized the need to have vulnerability assessments of their internet-facing (external) computer networks performed periodically. Maybe they are alarmed by all the data compromises they hear about on the news or perhaps they are subject to regulatory guidance and are required to have vulnerability assessments done. But many organizations draw the line there and never have the security of their internal networks tested. This is a mistake! At least it’s a mistake if your goal is actually to protect your computer systems and the private information they store and process.

It is true that the most attacks against information systems come from external attackers, but that does not mean the internal threat is negligible. About one sixth of data compromises are due to employees and privileged insiders such as service providers and contractors. But there are many other reasons for testing the security of your internal networks besides the internal threat. For one thing, once cyber-criminals find a hole in your external defenses they are suddenly “insiders” too. And if your internal systems are not configured correctly, hardened and monitored, it becomes trivial for these attackers to own your systems and compromise all the private information you have.

The type of testing that gives you the most bang for the buck is internal vulnerability assessment. Doing this type of testing regularly has many benefits. One benefit that people usually don’t associate with internal vulnerability assessment is that it can be used to make maps and inventories of the network. These are essentials of information security. After all, if you don’t know what you have on your network and where it is, how can you protect it? Another benefit is that it allows you to view your internal network with perspective. In other words, it lets you see it the way an attacker would. It will reveal:

  • Access control issues such as default and blank passwords mistakenly left on the network during administration, open files shares or anonymous FTP sites that may contain private data or user accounts that are suspicious or inappropriate.
  • Systems that are missing security patches or that are running out of date software or operating systems that are no longer supported by the vendors.
  • Systems that have been misconfigured or that reveal too much information to unauthorized users.
  • Ports that are inappropriately left open or dangerous services such as Telnet or Terminal Services present on the network.
  • Poor network architecture that fails to properly segment and enclave information assets so that only those with a business need can access them.
  • How well third party systems present on your network are patched, updated and secured.

Also, from a business perspective, performing regular internal vulnerability assessments shows your customers that you are serious about information security; a factor that could influence them to choose your organization over others.

In addition to vulnerability testing, it is also more than just desirable to have penetration testing of the internal network performed occasionally. While vulnerability assessment shows you what flaws are available for attackers to exploit (the width of your security exposure), penetration testing shows you what attackers can actually do with those flaws to compromise your systems and data (the depth of your security exposure). Internal penetration testing can:

  • Reveal how attackers can exploit combinations of seemingly low risk vulnerabilities to compromise whole systems or networks (cascading failures).
  • Show you if the custom software applications you are using are safe from compromise.
  • Show you not only what is bad about your network security measures, but what is working well (this can really save you money and effort by helping you chose only the most effective security controls).

One other type of penetration testing that is well worth the time and expense is social engineering testing. As network perimeters become increasingly secure, social engineering techniques such as Phishing emails or bogus phone calls are being used more and more by attackers to gain a foothold on the internal network. We at MSI are very aware of just how often these techniques work. How well do you think your employees would resist such attacks?

Thanks to John Davis for this post.

Compliance-Based Infosec Vs Threat-Based Infosec

In the world of Information Security (infosec), there are two main philosophies: compliance-based infosec and threat-based infosec. Compliance-based infosec means meeting a set of written security standards designed to fulfill some goal such as the requirements of statute law or financial information privacy requirements. Threat-based infosec, on the other hand, means applying information security controls in reaction to (or anticipation of) threats that organizations currently (or soon will) face. 

Compliance-based infosec is generally applied smoothly across the organization. In other words, all the security controls mandated in the security standard must be put in place by the organization, and the relative effectiveness of each control is largely ignored. In contrast, security controls are applied in a hierarchical manner in threat-based infosec. The most effective or greatly needed security controls are applied first according to the threats that are most likely to occur or that will cause the most damage to the organization if they do occur. 

The difference is sort of like the defensive strategy of the Chinese versus that of the Normans in post-conquest England. The Chinese built very long walls that went from one end of their territory to the other. Their goal was to keep out all invaders everywhere. This is a grand idea, but takes a very large amount of resources to implement and maintain. In practice, it takes tons of men and infrastructure and the defensive capabilities at any one place are spread thin. The Normans in England, on the other hand, built strong castles with many layers of defense in strategic locations where the threats were greatest and where it was easiest to support neighboring castles. In practice, there are fewer defenses at any one point, but the places where defenses are implemented are very strong indeed. Both of these strategies have merit, and are really driven by the particular set of circumstances faced by the defender. But which is better for your organization? Let’s look at compliance-based infosec first.

Compliance-based infosec, when implemented correctly, is really the best kind of defense there is. The problem is, the only place I’ve ever seen it really done right is in the military. In military information security, failure to protect private information can lead to death and disaster. Because of this, no expense or inconvenience is spared when protecting this information. Everything is compartmentalized and access is strictly based on need to know. Every system and connection is monitored, and there are people watching your every move. There are rules and checklists for everything and failure to comply is severely punished. In addition, finding better ways to protect information are sought after, and those that come up with valuable ideas are generously rewarded.

This is not the way compliance-base infosec works in the private sector, or even in non-military government agencies. First, statute law is tremendously vague when discussing implementing information security. Laws make broad statements such as “personal health information will be protected from unauthorized access or modification”. Fine. So a group of people get together and write up a body of regulations to further spell out the requirements organizations need to meet to comply with the law. Unfortunately, you are still dealing with pretty broad brush strokes here. To try to get a handle on things, agencies and auditors rely on information security standards and guidelines such as are documented in NIST or ISO. From these, baseline standards and requirements are set down. The problems here are many. First, baseline standards are minimums. They are not saying “it’s best if you do this”, they are saying “you will at least do this”. However, typical organizations, (which generally have very limited infosec budgets), take these baseline standards as goals to be strived for, not starting points. They very rarely meet baseline standards, let alone exceed them. Also, NIST and ISO standards are not very timely. The standards are only updated occasionally, and they are not very useful for countering new and rapidly developing threats. So, unless your organization is really serious about information security and has the money and manpower to make it work, I would say compliance-based infosec is not for you. I know that many organizations (such as health care and financial institutions) are required to meet baseline standards, but remember what happened to Target last year. They were found to be compliant with the PCI DSS, but still had tens of millions of financial records compromised.

Now let’s look at threat-based infosec. To implement a threat-based information security program, the organization first looks at the information assets they need to protect, the threats and vulnerabilities that menace them and the consequences that will ensue if those information assets are actually compromised (basic asset inventory and risk assessment). They then prioritize the risks they face and decide how to implement security controls in the most effective and efficient way to counter those particular risks. That might mean implementing strong egress filtering and log monitoring as opposed to buying the fanciest firewall. Or it might mean doing something simple like ensuring that system admins use separate access credentials for simple network access and administrative access to the system. Whatever controls are applied, they are chosen to solve particular problems, not to meet some broad baseline that is designed to meet generally defined problems. Also, threat-based infosec programs are much better at anticipating and preparing for emerging threats, since reassessments of the security program are made whenever there are significant changes in the system or threat picture.

These are the reasons that I think most of us in non-military organizations should go with threat-based infosec programs. Even those organizations that must meet regulatory requirements can ensure that they are spending the bulk of their infosec money and effort on the effective controls, and are minimizing efforts spent on those controls that don’t directly counter real-world threats. After all, the laws and regulations themselves are pretty vague. What counts in the long run is real information security, not blind compliance with inadequate and antiquated baselines. 

Thanks to John Davis for this post.

Tor Video from Derbycon 4 Available

Thanks to Iron Geek and the Derbycon staff for making my presentation from this year available. 

The talk covered discussions about Tor Hidden Nodes and how crime works inside of the Tor network. Check the talk out here.

There is a lot of good stuff here, and they turned people away from the talk because we over-filled the room. Now, you can actually sit comfortably and watch it. :)

Message me on Twitter (@lbhuston) if you want to discuss. Thanks for reading and for watching!

A TigerTrax Success Story

I wanted to share a recent success story from our TigerTrax work with you. The TigerTrax platform is opening a wide-variety of new opportunities for MSI. We are building entirely new suites of services around the platform and the unique capabilities it provides for us.

Recently, we were asked by a client to use TigerTrax to perform investigations on a foreign bank run attack that occurred a few months ago. The client wanted to use the research to fully understand how the attack was performed, what mechanisms were used to influence the  public decisions to cause the bank run and to identify the possible motives of the attackers involved.

The MSI Intelligence Team, now staffed with 3 full time dedicated analysts, deconstructed the events and used a variety of analytics to investigate the attacks. The team identified a variety of possible motives, ranked them by probability and provided them to the client. They also built a step by step time line of the attack details, provided sample social media and traditional media examples, wrote a detailed scenario testing process for the client to use to test their own financial management mechanisms against the threats and briefed the client on their findings.

The client was amazed at how quickly, concisely and clearly the data was analyzed. The Intelligence Team rose past their expectations and gave them actionable intelligence that they could use to not only better understand the attack, but also test their exposures to such an attack in the future!

The success stories around TigerTrax are continuing to pile up, and I look forward to sharing more of them in the near future. In the coming months, you will hear even more about our new spin-off company, called The Bodhi Foundry, which we have built to hold all of the non-security products that the TigerTrax platform is powering. That company is focusing in on branding intelligence, competitive analysis, product innovation research and a wide variety of specialized business data analytics. But, never fear, the core use care of TigerTrax remains information security, threat intelligence, studying cyber-crime and helping our clients use data analytics in new ways to solve old-school security problems.

As always, thanks for reading and until next time, stay safe out there! 

Save The Date: 2014 ICS/SCADA Security Symposium Dec. 11

This year’s ICS/SCADA Security Symposium will be held on Thursday, December 11, 2014. This year’s event will be a little different, in that we are opening it up to any organizations who are asset owners or manufacturers of ICS/SCADA components. That includes utilities, manufacturing companies, pharma, etc. If you are interested in ICS security, you can sign up for the event.

This year’s event will also be virtual. It will be a series of Webinars held on the same day in 45 minute blocks, with time for follow-on questions. We will also hold a Twitter Q&A Hour from 1pm – 2pm Eastern, and we will attempt to make all speakers available for the Q&A!

In addition, we plan to stand up a supporting website for the event, and release a number of materials, including podcasts, interviews and other surprises the day of the event!

We will be tracking attendance in the webinars and providing notes of attestation for attendees for the purpose of CPE credits. We hope this new format will allow folks who wanted to attend in the past, but either couldn’t make the physical trip to Columbus or couldn’t leave their positions to attend training the ability to join us.

More details, including speakers and topics, as well as schedules, hashtags and other info will be released shortly. Thanks for reading, and we hope to see you on 12/11/14!

Twitter Games from MicroSolved

If you haven’t followed us on Twitter (@microsolved) yet, be sure to do so. Here are a few reasons why you should look to our Twitter feed for more great content from MSI:

  • Ongoing curated news feeds of some of the most interesting and best information security news & event coverage
  • Discussions of emerging threats and significant issues around InfoSec
  • Pointers to free tools & resources to help your team protect your data & systems
  • Easy way to talk to us & engage in pro-bono Q&A sessions
  • AND NOW – 2 New Games a week:
    • Mondays will feature the “Hacker Challenge” – a weekly technically-focused fun activity or challenge (decrypt a secret, solve a puzzle, find something specific  across the net, etc.)
    • Thursdays will feature the “Throw Back Thursday Hacker Trivia” – weekly trivia contest focused on hacker, InfoSec and technology; with occasional prizes for the winners!

So, grab an account on Twitter or follow us there, and don’t just keep up to date, but talk to us. We want to hear your thoughts, the security challenges you are facing and anything that will help us serve your information security needs. Plus, we know reading log files and patching systems can get tedious, so we will try to mix in a little fun along the way! See you there!

MSI Risk Assessments and Policy/Process Reviews

MSI still has a few engagement slots open for Enterprise or Application-focused Risk Assessments for the 4th quarter. Avoid the end of the year rush, and give Allan Bergen (513-300-0194, abergen (at) microsolved<dot>com) a call today to discuss booking risk engagements with the team before the end of the year. We have some special incentives for clients who book these engagement slots, so touch base with Allan to hear about them.

Our team has had a wonderfully successful year doing application focused risk assessments. We can tear into the policy/processes and exposures of systems like accounting, CRM, EDI processing and/or industrial control. These assessments can be performed with or without technical components such as vulnerability assessment and penetration testing.

If you would like to close the year with a close look at one of your specific systems or critical processes, give Allan and a call and arrange for a scoping discussion with our risk team. As always, thanks for reading, and we appreciate you choosing MSI as your security partner!

Book Review: Ghost in the Wires

I just finished reading Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker and I would have to say that I was impressed. There is a lot of good history and information in the book about Kevin’s exploits, his life on the run and what it was like to live on the razor’s edge of hacking.

The technical content is enough to keep a techie reading, while the story, in general is a real life thrill ride. I found the reading to be easily digestible and the tone to be spellbinding.

If you have any interest in information security, or the history of hacking, then give Ghost in the Wires a read. You won’t be disappointed!

Accepting Identity Theft

I can recall a time when I wasn’t concerned about data theft. Eventually, buzz words such as “breach” and “identity theft” became a regular part of my vocabulary.  I began to wonder if I would ever be affected by a data breach. In 2003, I received a letter in the mail informing me that my personal data had been stolen. I remember asking myself, “when will this happen next?” In 2004, I once again became a victim of a data breach. Despite my young age at the time, I had already started to think of identity theft in the cynical terms of “not if but when”. It then became apparent to me that I could no longer think in terms of “if” or “when” but I should focus on “how often”.

I find it helpful to compare identity theft to personal health care. Eating the right foods, taking all the trendy vitamins and getting the recommended amount of exercise isn’t enough to guarantee perfect health. You are still susceptible to diseases that you can’t detect on your own. This is why you typically see a doctor for checkups on a regular basis. You should use the same thought process when considering the possibility of identity theft. Regardless of how much effort you put into securing your identity, your personal data will be stolen. This is why I feel strongly that we should focus on monitoring and preparing for identity theft with the same time and energy that we devote to trying to prevent it.

Just like your health care, it’s also worthwhile to take a proactive approach to handling identity theft. It’s important to have multiple methods of discovering if you are a victim of fraud. This can be as simple as checking your debit/credit card statements and using an automated solution (such as LifeLock) to monitor for irregularities in your credit report. Don’t just wait to receive a notice in the mail or find out about the latest hack on the news. It can take the companies that handle your personal data and process your credit cards months before they realize that they have been hacked. This gives the attackers ample time to take advantage of your stolen data.

It’s also worthwhile to prepare yourself for how to handle an incident when it occurs. This can be as simple as keeping a list of the contact information for all of your financial institutions so that you can notify them as soon as you detect suspicious activity. Also, a majority of the aforementioned credit monitoring solutions include assistance services in the event that a criminal begins using your identity. Be sure to take advantage of these resources as these organizations have the necessary institutional knowledge to help assist you.

In short, continue doing what you can to prevent your identity from being stolen. Simple things like setting complex passwords and avoiding the reuse of your passwords between different services can go a long way to prevent you from becoming a victim of identity theft. However, the next time you’re configuring a lengthy password, be sure to ask yourself “Am I prepared for identity theft?”

This article courtesy of Adam Luck – @adamjluck.

Shellshock: Got Inventory?

Im sure youve all heard of Shellshock by now? If not, its a security flaw in Bash that allows attackers to take control of systems. Bash is really an acronym/pun meaning Bourne-again shellthat was written as a free software replacement for the Bourne shell that preceded it. It is a UNIX shell that acts as a command processor and also reads commands from scripts. The problem is that Bash is present in all kinds of things including Web servers and operating systems. This is a very serious flaw! Worse than any other code vulnerability I can name off hand. There are several serious exploits already extant in the wild. Hundreds of millions of devices and credit cards are at immediate risk of compromise across the globe. Institutions are strongly recommending that people not use their credit cards to make Internet purchases for at least the next several days. Imagine the loss in revenue and buyer confidence this is going to cause! Productivity may well go down and prices may well go up as a consequence of this flaw.

Luckily there are good patches already available to combat this glitch, and I’m sure additional fixes and tweaks are in the offing. But to have any level of safety you need to patch everything on your network that is vulnerable, and you need to do it quickly. Do you know exactly what devices are a part of your network and exactly what operating systems, software and firmware versions are installed on them? Specifically, do you know where Bash is running? If you dont, you may install patches furiously over the next few days and still end up being vulnerable without knowing it. Can you in all good conscience assure your Web customers that their transactions and private information are safe?

Shellshock may have one hidden benefit though; it may be the cold dose of reality that causes organizations to finally get serious about information security and adopt best practices security recommendations, especially where inventories of devices and software are concerned. There is a reason why guidance such as the MSI 80/20 Rule of Information Security and the Top 20 Critical Controls for Effective Cyber-Security list making inventories their number one information security project. If you dont know what you have, how can you possibly secure it?!

Right now, if you are among the prescient few who do keep complete dynamic inventories, ensure that input to all available software fields is validated and have configured each device on your network with a unique admin password, you are sitting pretty! You have the knowledge and time necessary to deal with this problem, and will probably earn kudos and market share from you customers. Isnt that kind of assurance worth spending some time and money on America? 

This blog post contributed by John Davis.