Discovering an information security breach can be a shock! Picture it: you are enjoying a regular work day and WHAM! Suddenly you are at the center of an incident that could possibly affect the future of the company and perhaps your own future as well. It’s easy to panic. You know if you don’t do the right thing, right now, bad things are sure to rain down on you. So, what is the very first thing that you should do?
Go immediately to your incident response plan, of course! After all, that is the reason your company has put together an IR plan and team in the first place; to plan for contingencies so that personnel don’t go off half-cocked and lose vital data and evidence.
But is your plan clear enough that regular system users or even help desk personnel know what to do first without having to thumb through a hundred pages of plan? If not, perhaps a simple little trick we use in our incident response plans will work for you.
The very first thing you see when you open one of our incident response plans are employee and incident response team Quick Response Guides (see the example of an employee guide below-the IRT guide is similar, but more complex).
I know from my military experience that having checklists such as the Quick Response Guides in place truly cuts down on mistakes and helps calm personnel during difficult situations. Why not see if they can also improve your response quality?
You can download the pocket guide here.
Thanks to John Davis for this post.
Here is just a quick list, off the top of my head, of some of the topics I would like to see someone do talks about at security events this summer. If you are in need of a research topic, or something to dig into for a deep dive, give one of these a try. Who knows, maybe you will see me in the audience. If so, then feel free to sit down for a cup of coffee and a chat!
Here’s the list, in no particular order:
- machine learning, analytics in infosec
- detection capabilities with nuance visibility at scale
- decision support from security analytics & automated systems based on situational awareness
- rational controls and how to apply them to different industries
- crowdsourcing of policies and processes – wiki-based approaches
- internal knowledge management for security teams
- tools for incident response beyond the basics
- tools and processes for business continuity after a breach – show us your guide to “Ouchies!”
- attacker research that is actually meaningful and that does NOT revolve around IOCs
- skills and capability mapping techniques for security teams and their management
- new mechanisms for log management and aggregation beyond Splunk & SEIM – how would the death star handle logs?
- near-real time detection at a meaningful level – even better if admins can make decisions and take actions from their iPhone/iWatch, 😛
- extrusion/exfiltration testing capabilities & metrics-focused assessment approaches for testing exfil robustness
- network mapping and asset discovery techniques and tools – how would the death star map their IT networks?
We are proud to announce the release of State Of Security, the podcast, Episode 4. This time around I am hosting John Davis, who riffs on policy development for modern users, crowdsourcing policy and process management, rational risk assessment and a bit of history.
Give it a listen and let us know what you think!
Thanks for supporting the podcast!
I just wanted to drop 3 books here that I think infosec folks should check out this spring. As always, reading current material is an excellent way to keep your skills moving forward and allows you new perspectives on business and security matters. Even books from outside the security domain are useful for insights, new perspectives or indirect references.
Here’s what I suggest you check out this spring:
1. Antifragile by Taleb – This book will set your mind on fire if you are a traditional risk assessment person. It is astounding, though often difficult to read, but the ideas are a logical conclusion of all the previous Taleb theories from the Black Swan series. Beware, though, the ideas in this book may change the way you look at risk assessment, prediction and threat modeling in some radical ways! Long and tedious in spots, but worth it!
2. Linked: The New Science of Networks by Barabasi & Frangos – This book is an excellent mathematical and scientific discussion of networks, both logical and physical. It describes the sciences of graph theory, link analysis and relational mapping through easy to read and quite entertaining story telling. Given the rise of Internet of Things environments, social networks and other new takes on old-school linked networks, this is a great refresher for those who want to re-cover this territory with modern insights.
3. Hacking Exposed 6 by Scambray – That’s right, go old-school and go back and learn how penetration techniques from some of the best general hacking books in the industry. HE6 is an excellent book for covering the basics, and if there is anything all infosec folks need, it is a strong grasp of the basics. Learn and master these techniques in your lab. Work through the examples. Go ahead, we’ll wait. Have fun, and learn more about how bad guys still pwn stuff. Lots of these techniques or variants of them, are still in use today!
There you go, now get reading!
Risk assessment and treatment is something we all do, consciously or unconsciously, every day. For example, when you look out the window in the morning before you leave for work, see the sky is gray and decide to take your umbrella with you, you have just assessed and treated the risk of getting wet in the rain. In effect, you have identified a threat (rain) and a vulnerability (you are subject to getting wet), you have analyzed the possibility of occurrence (likely) and the impact of threat realization (having to sit soggy at your desk), and you have decided to treat that risk (taking your umbrella) – risk assessment.
However, this kind of risk assessment is what is called “ad hoc”. All of the analysis and decision making you just made was informal and done on the fly. Pertinent information wasn’t gathered and factored in, other consequences such as the bother of carrying the umbrella around wasn’t properly considered, other treatment options weren’t considered, etc. What business concerns and government agencies have learned from long experience is that if you investigate, write down and consider such factors rationally and holistically, you end up with a more realistic idea of what you are really letting yourself in for, and therefore you are making better risk decisions – formal risk assessment.
So why not apply this more formal risk assessment technique to important matters in your own life such as securing your home? It’s not really difficult, but you do have to know how to go about it. Here are the steps:
1. System characterization: For home security, the system you are considering is your house, its contents, the people who live there, the activities that take place there, etc. Although, you know these things intimately it never hurts to write them down. Something about viewing information on the written page helps clarify it in our minds.
Threat identification: In this step you imagine all the things that could threaten the security of your home and family. These would be such things as fire, bad weather, intruders, broken pipes, etc. For this (and other steps in the process), you can go beyond your own experience and see what threats other people have identified (i.e. google inquiries, insurance publications).
Vulnerability identification: This is where you pair up the threats you have just identified with weaknesses in your home and its use. For example, perhaps your house is located on low ground that is subject to flooding, or you live in a neighborhood where burglaries may occur, or you have old ungrounded electrical wiring that may short and cause a fire. These are all vulnerabilities.
Controls analysis: Controls analysis is simply listing the security mechanisms you already have in place. For example, security controls used around your home would be such things as locks on the doors and windows, alarm systems, motion-detecting lighting, etc.
Likelihood determination: In this step you decide how likely it is that the threat/vulnerability will actually occur. There are really two ways you can make this determination. One is to make your best guess based on knowledge and experience (qualitative judgement). The second is to do some research and calculation and try to come up with actual percentage numbers (quantitative judgement). For home purposes I definitely recommend qualitative judgement. You can simply rate the likelihood of occurrence as high, medium or low risk.
Impact analysis: In this step you decide what the consequences of threat/vulnerability realization will be. As with likelihood determination, this can be judged quantitatively or qualitatively, but for home purposes I recommend looking at worst-case scenarios. For example, if someone broke into your home, it could result in something as low impact as minor theft or vandalism, or it could result in very high impact such as serious injury or death. You should keep these more dire extremes in mind when you decide how you are going to treat the risks you find.
Risk determination: Risk is determined by factoring in how likely threat/vulnerability realizations is with the magnitude of the impact that could occur and the effectiveness of the controls you already have in place. For example you could rate the possibility of home invasion occurring as low, and the impact of the occurrence as high. This would make your initial risk rating a medium. Then you factor in the fact that you have an alarm system and un- pickable door locks in place, which would lower your final risk rating to low. That final rating is known as residual risk.
Risk treatment: That’s it! Once you have determined the level of residual risk, it is time to decide how to proceed from there. Is the risk of home invasion low enough that you think you don’t need to apply any other controls? That is called accepting risk. Is the risk high enough that you feel you need to add more security controls to bring it down? That is called risk limitation or remediation. Do you think that the overall risk of home invasion is just so great that you have to move away? That is called risk avoidance. Do you not want to treat the risk yourself at all, and so you get extra insurance and hire a security company? That is called risk transference.
So, next time you have to make a serious decision in your life such as changing jobs or buying a new house, why not apply the risk assessment process? It will allow you to make a more rational and informed decision, and you will have the comfort of knowing you did your best in making the decision.
Thanks to John Davis for this post.
Spring is here in the US, and that brings with it the need to do some spring cleaning. So, here are some ideas of some things I would like to see the infosec community clean out with the fresh spring air!
1. The white male majority in infosec. Yes, I am a white male, also middle aged…. But, seriously, infosec needs more brains with differing views and perspectives. We need a mix of conservative, liberal and radical thought. We need different nationalities and cultures. We need both sexes in equity. We need balance and a more organic talent pool to draw from. Let’s get more people involved, and open our hearts and minds to alternatives. We will benefit from the new approaches!
2. The echo chamber. It needs some fresh air. There are a lot of dropped ideas and poor choices laying around in there, so let’s sweep that out and start again. I believe echo chamber effects are unavoidable in small focused groups, but honestly, can’t we set aside our self-referential shouting, inside jokes, rock star egos and hubris for just one day? Can’t we open a window and sweep some of the aged and now decomposing junk outside. Then, maybe, we can start again with some fresh ideas and return to loving/hating each other in the same breath. As a stop gap, I am nominating May 1, a Friday this year, as Global Infosec Folks Talk to Someone You Don’t Already Know Day (GIFTTSYDAKD). On this day, ignore your peers in the echo chamber on social media and actually go out and talk to some non-security people who don’t have any idea what you do for a living. Take them to lunch. Discuss their lives, what they do when they aren’t working, how security and technology impacts their day to day. Just for one day, drop out of the echo chamber, celebrate GIFTTSYDAKD, and see what happens. If you don’t like it, the echo chamber can come back online with a little fresh air on May 2 at 12:01 AM EST. How’s that? Deal?
3. The focus on compliance over threats. Everyone knows in their hearts that this is wrong. It just feels good. We all want a gold star, a good report card or a measuring stick to say when we got to the goal. The problem is, crime is an organic thing. Organic, natural things don’t really follow policy, don’t stick to the script and don’t usually care about your gold star. Compliant organizations get pwned – A LOT (read the news). Let’s spring clean the idea of compliance. Let’s get back to the rational idea that compliance is the starting point. It is the level of mutually assured minimal controls, then you have to build on top of it, holistically and completely custom to your environment. You have to tune, tweak, experiment, fail, succeed, re-vamp and continually invest in your security posture. FOREVER. There is no “end game”. There is no “Done!”. The next “bad thing” that visits the world will be either entirely new, or a new variant, and it will be capable of subverting some subset or an entire set of controls. That means new controls. Lather, rinse, repeat… That’s how life works.. To think otherwise is irrational and likely dangerous.
That’s it. That’s my spring cleaning list for infosec. What do you want to see changed around the infosec world? Drop me a line on Twitter (@lbhuston) and let me know your thoughts. Thanks for reading, and I hope you have a safe, joyous and completely empowered Spring season!
If you have exposed IIS servers or internal ones as well, pay attention to MS15-034.
Accelerate this patch to immediate. Don’t wait for patching windows, SLAs or maintenance periods. Test the patch, sure, but get it applied ASAP.
This is a remotely executable vulnerability without authentication. It affects a wide range of Windows systems. It offers trivial denial of service exploitation and the bad guys are hard at work building click and drool tools for remote code execution. The clock is ticking, so please, accelerate this patch if possible.
For any additional information or assistance, please contact your account executive or drop us a line via email@example.com.
Thanks and stay safe out there!
OK folks, here is a quick poll around some of the classes we are considering teaching later this year. We would like your input as to which topics interest you the most.
If you would like to share your opinions, and tell us your areas of interest, please feel free to either email us the top 3 choices of classes and content you would like to see us focus on, to firstname.lastname@example.org or via Twitter (@lbhuston). The numbers of your choices will suffice.
If you have other ideas you would like to see, please let us know.
Our idea list:
- Honeypots for ICS/SCADA
- Basic honeypots for detection
- Tampering with active attackers
- Tracing international attackers
- Social media investigations
- Pen-testing REST APIs with Xojo
- Mapping business processes to technology & security
- Passive assessment techniques
- Deep dive research techniques
- Mapping TOR hidden sites
Thanks for reading and for sharing your opinions!
We are proud to announce the immediate availability of an entirely new service offering in our security tool kit, made possible by TigerTrax™.
This service offering leverages the power of MSI’s proprietary TigerTrax analytics platform to parse, correlate and visualize the configurations (and packet logs (if desired)) from the routers, switches and firewalls of your network “en masse”.
Our security and analytics teams then create detailed maps of the network as seen from the eyes of the machines, document the various network segments and their relationships, build a hierarchy of powerful machines and segments, identify hardening techniques that could help your organization better secure your network and provide insights into the gap between your organization’s “common wisdom” versus the real environment.
We can even teach “Close The Gap” sessions to help re-align your team’s “common wisdom” with “machine truth” and to help socialize the new knowledge to other groups.
How it works:
- The client delivers the configuration and log files as needed for the service. MSI can assist with this step, if needed, at an additional hourly consulting fee.
- The offering uses TigerTrax to perform automated analysis of the configuration and log files as needed – holistically, systemically and “en masse”.
- Various data points are delivered to the analysts and security team who then create the documentation, maps and reports. Visualized data is also generated using the TigerTrax platform where appropriate.
- Any professional services, such as interviews/questionnaires, gap analysis and training are provided by MSI team members using our proprietary delivery methodologies.
- Completely passive, offline analysis is perfect for critical networks.