The Big Three Part 4: Awareness

Cyber-attacks are a simply a part of reality now, and are very much like home burglaries. We can install locks and lights, cameras and alarm systems, and despite our best efforts at protection and prevention, a certain number of robberies are still bound to happen. That is the reason we need to steel ourselves to this fact and prepare ourselves to resist cyber-attacks the best way that we can. And the Big Three; incident detection, incident response and user security education and awareness are some of our best tools for meeting this problem.

The importance of user education and awareness to information security cannot be over emphasized. Of all the firewalls, IPS systems and other security sensors available, none can compare to human beings in their ability to detect cyber-attacks and security risks. But to take advantage of this resource, it is necessary that users know how to recognize security problems and it is necessary that they want to be engaged in the security process. To accomplish this, companies need to do several things.

First, they should provide all of their personnel with information security training both as new hires, and then periodically thereafter. This training should include the company information security policies that apply to all, plus information security training that is specific to each users particular role in the organization. Providing extra information security training for individuals such as code developers, system administrators and help desk personnel is particularly beneficial.

Next, it is also very important to provide all company personnel with information security awareness reminders. These serve two purposes. First, they help keep the need for good security practices fresh in usersminds. But more importantly than that, good security awareness tips let your personnel know exactly what kind of attacks are out there and how they take place. Thats why it is important to base your awareness reminders on cutting-edge, real-world information security threats. For example, perhaps your employees gets a perfectly legitimate-looking email message from one of their co-workers that solicit them to check out a certain website and give an opinion on it. So they innocently click on the embedded link and wham! Suddenly their machines have been infected with malware and they dont have a clue that anything is wrong. Awareness reminders can help keep such things from happening.

On top of good information security training and awareness, we think that there is one more element that is needed to really make the process pay off. It is important to engage the interest of your employees and make them feel that they are an essential part of the information security effort. This

isnt really hard or expensive to do either. Explain their importance in the program to your personnel and ask for their help. Most everyone really likes to help out, and it makes them feel good inside. In addition, recognize those that have contributed to the information security cause and give them some kind of reward. This can be as simple as a little praise at the weekly staff meeting, or can include things like days off or preferred parking spaces. It doesnt have to be big, just visible. One thing is sure, it makes better business sense to utilize this free and effective security resource to the hilt than spend a million dollars on a vaunted new IDS/IPS system! 

This post by John Davis.

The Big Three Part 3: Incident Response

Its been a couple of busy months since we posted parts one and two of this series, so Ill recap briefly here. Part one talked about the failure of information security programs to protect private data and systems from compromise. It showed that despite tighter controls and better security applications, there are more data security compromises now than ever. This was the basis for suggesting an increased emphasis on incident detection, incident response and user education and awareness; the Big Three.

Part two in the series discussed information security incident detection and how difficult it is to implement effectively. It related the sad statistic that less than one out of five serious data breaches is detected by the organization affected, and that a disturbing number of breaches go undetected for months before finally being uncovered. Part two also touted a combination of well configured security tools coupled with human monitoring and analysis as one of the best solutions to the problem. In this installment, we’ll discuss the importance of accompanying incident detection with an effective, well-practiced incident response plan.

Say that an ongoing malware attack on your systems is detected, would your staff know just what to do to stop it in its tracks? If they dont do everything quickly, correctly and in the right order, what could happen? I can think of a number of possibilities right off the bat. Perhaps all of your private customer information is compromised instead of just a portion of it. Maybe your customer facing systems will become inoperable instead of just running slow for a while. Possibly your company will face legal and regulatory sanctions instead of just having to clean up and reimage the system. Maybe evidence of the event is not collected and preserved correctly and the perpetrator cant be sued or punished. Horrible consequences like these are the reason effective incident response is increasingly important in todays dangerous computing environment.

Developing and implementing an incident response plan is very much like the fire drills that schools carry out or the lifeboat drills everyone has to go through as part of a holiday cruise. It is really just a way to prepare in case some adverse event occurs. It is deconstructing all the pieces-parts that make up security incidents and making sure you have a way to deal with each one of them.

When constructing your own incident response plan, it is wise to go about it systematically and to tailor it to your own organization and situation. First, consider the threats your business is menaced by. If you have been conducting risk assessments, those threats should already be listed for you. Then pick the threats that seem the most realistic and think about the types of information security incidents they could cause at your organization. These will be the events that you plan for.

Next, look over incident response plans that similar organizations employ and read the guidance that is readily available our there (just plug information security incident response guidelinesinto a web browser and see what you get templates and implementation advice just jump off the page at you!). Once you have a good idea of what a proper incident response plan looks like, pick the parts that fit your situation best and start writing. This process produces the incident response policies needed for your plan.

After your policies are set, the next step I like to tackle is putting together the incident response team. These individuals are the ones that will have most of the responsibility for developing, updating and practicing the incident response procedures that are the meat of any incident response plan. Armed with the written policies that were developed, they should be an integral part of deciding who does what, when it gets done, where they will meet, how evidence is stored, etc. Typically, an incident response team is made up of management personnel, security personnel, IT personnel, representative business unit personnel, legal representatives and sometimes expert consultants (such as computer forensics specialists).

Once all the policies, personnel and procedures are in place, the next (and most overlooked part of the plan) is regular practice sessions. Just like the fire drills mentioned above, if you dont actually practice the plan you have put together and learn from the results, it will never work right when you actually need it. In all my time doing this sort of work, I have never seen an incident response practice exercise that didnt expose flaws in the plan. We recommend picking real-world scenarios when planning your practice exercises and surprising the team with the exercise just as they would be in an actual event.

In the fourth and final installment of this series, we will discuss user education and awareness another vital component in recognizing and fighting data breaches and system security compromises. 

Thanks to John Davis for this post.

Never Store Anything on the Cloud that You Wouldn’t Want Your Mamma to See

It’s great now days, isn’t it?

You carry around devices with you that can do just about anything! You can get on the Internet and check your email, do your banking, find out what is new on Facebook, send a Tweet or a million other things. You can also take a picture, record a conversation, make a movie or store your work papers – and the storage space is virtually unlimited! And all this is just great as long as you understand what kind of risks this freedom poses to your privacy.

Remember that much of this stuff is getting stored on the cloud, and the only thing that separates your stuff from the general public is a user name, password and sometimes a security question. Just recently, a number of celebrities have complained that their photos (some of them explicit) have been stolen by hackers. These photos were stored in iCloud digital vaults, and were really very well defended by Apple security measures. But Apple wasn’t at fault here – it turns out that the celebrities themselves revealed the means to access their private stuff.

It’s called Phishing, and there are a million types of bait being used out there to fool or entice you. By clicking on a link in an innocent-looking email or answering a few simple questions, you can give away the keys to the kingdom. And even if you realize your mistake a couple of hours later, it is probably already too late to do anything about it. That naughty movie you made with your spouse during your romantic visit to Niagara Falls is already available from Peking to Panama!

Apple announced that they will soon start sending people alerts when attempts are made to change passwords, restore iCloud data to new devices or when someone logs in for the first time from new Apple devices. These are valuable controls, but really are only detective in nature and won’t actually prevent many data losses. That is why we recommend giving yourselves some real protection.

First, you should ensure that you educate yourself and your family about the dangers hackers and social engineers pose, and the techniques they use to get at your stuff. Second, it is really a lot better to store important or sensitive data on local devices if possible. But, if you must store your private data in the cloud, be sure it is well encrypted. Best of all, use some sort of good multi-part authentication technique to protect your stuff from being accessed easily by hackers. By that I mean something like a digital certificate or an RSA hard token – something you have or something you are, not just something you know.

If you do these things, then it’s a good bet your “special moments” won’t end up in your Momma’s inbox!

Thanks to John Davis for this post.

Touchdown Task for August – Change Management Audit

This month, we urge all infosec teams to engage in a quick 30 minute audit of your change management processes.

Here are some quick win questions to ask of the change management team:

  • How often does the change management team meet & what is the time frame for turning around a change order?
  • What percentage of actual changes to the environment went through the change process in the last 12 months?
  • Where can we locate the documents that specifically describe the change management process and when were they last revised?
  • Please describe how exceptions to the change management process are handled.
  • How are changes to the environment audited against what was provided to the change management team?
  • What happens if a change is identified that did NOT go through the change management process?

There are plenty of online guidance sources for additional questions and audit processes, but these quick wins will get you started. As always, thanks for reading and keep working on your monthly touchdown tasks. Be sure to touch base with us on Twitter (@microsolved) should you have any questions about the work plans.

Do You Browse From a Virtual Machine?

Configure 256

This article brings to mind an interesting trend we see going on among our financial and highly regulated clients – using a virtual machine for all Internet browsing. Several of our clients have begun using this technique in testing and small production groups. Often they are using ChromeOS images with VirtualBox or some other dedicated browser appliance and a light VM manager. 

Have you or your organization considered, tried or implemented this yet? Give us a shout on Twitter (@lbhuston, @microsolved) and let us know your thoughts. Thanks for reading!

Three Security People You Should Be Following on Twitter

Network 256

There are a lot of security people on Twitter. There are a lot of people people on Twitter. That said, finding great people to follow on Twitter is often a difficult task, especially around something as noisy as Information Security.

That said, I wanted to take a quick moment and post three people I think you should be following on Twitter in the Infosec space and might not be.

Here they are, in no particular order:

@sempf – A great person (and a personal friend), his posts rock the mic with content ranging from locksport (lock picking as a sport/hobby), deep coding tips, application security and even parenting advice. It’s fun! 

@abedra – Deep knowledge, deep code advice (ask him about Clojure…we’ll wait…). The inventor of RepSheet and whole bunch of other cool tools. His day gig is pretty fun and he is widely known for embracing the idea of tampering with attackers and their expectations. Check him out for a unique view. Do remind him to change hats occasionally, he often forgets… :)

@NocturnalCM – Hidden deep in the brain of the person behind this account is an incredible wealth of knowledge about cellular infrastructures, mobile code, security, devops and whole lot more. Don’t let the “Code Monkey” name fool you, there’s a LOT of grey matter behind the keyboard. If nothing else, the occasional humor, comic strips and geek culture references make them a worthwhile follow!

So, there you go. 3 amazing people to follow on Twitter. PS – they also know some stuff about infosec. Of course, you can always follow me (@lbhuston) and our team (@microsolved) on Twitter as well. As always, thanks for reading and get back to keeping the inter-tubes safe for all mankind!

Are You Using STIX?

In the last several weeks, we have been working on a new iteration of our threat intelligence offering for some of our clients. In many of the cases, we expected to hear that folks have embraced the STIX project from MITRE as the basis for sharing such data.

Sadly, however, many customers don’t seem to be aware of the STIX project. As such, can you please take a moment and review it, via the link and then let us know via email, Twitter of comments if you or your chosen security products currently support it?

Thanks for your help and insight! As always, we appreciate the feedback. 

Email: info <at> microsolved [dot] com

Twitter: @microsolved or @lbhuston

Thanks again!

Client Calls HoneyPoint a “No Lose” Deployment

One of the clients we were working with recently wanted me to share their thoughts on deploying HoneyPoint Security Server with the blog audience.

His company recently installed the HoneyPoint Security Server suite into their network. Their management teams were a little nervous, at first, that offering a honeypot to attackers might attract bad people to their networks. But, when the security team explained that these were going to be simply deployed on the INTERNAL networks and not visible from the Internet, so someone would already have to be inside the network to see them, they gained approval. The security team explained that they planned to use HoneyPoint as a supplement to their existing perimeter network IDS, and their log monitoring tools.

The security team convinced their immediate manager of the HoneyPoint product by describing it as a “No Lose” product to deploy. If they dropped in the HoneyPoint Agents and captured bad actors or malware moving in the network, they would win by identifying existing compromises. If they dropped in HoneyPoint and never got a hit at all, they would win, and could tell the management that even upon closer examination with the new detection tools, the network seemed to be clean of malware and overt attacker activity. This, in combination with the other forms of detection and reporting they were doing would further strengthen their position with management that the security team was remaining vigilant. 

In the end, the team observed a few pieces of malware within the first 90 days and quickly eliminated the infections. They then began to plan on deploying HoneyPoint Agent into a malware black hole, in coordination with their internal DNS team. As of this writing, the deployment in the new position should go live within 30 days. In most cases, teams using HoneyPoint in this fashion quickly identify other more deeply hidden malware. The security team looks forward to leveraging the data from the HoneyPoint black hole to clean the environment more aggressively.

So, there you have it. Another client strikes a win with HoneyPoint. You can learn more about this “No Lose” product by getting in touch with your MSI account executive. You can also find more information by clicking here. 

Best Practices for DNS Security

I wanted to share with you a great FREE resource that I found on the Cisco web site that details a great deal of information about DNS and the best practices around securing it. While, obviously, the content is heavy on Cisco products and commands, the general information, overview and many of the ideas contained in the article are very useful for network and security admins getting used to the basics of DNS.

Additionally, there are great resources listed, including several free/open source tools that can be used to manage and monitor DNS servers. 

If you are interested in learning more about DNS or need a quick refresher, check this article out. 

You can find it here.

Several other resources are available around the web, but this seems to be one of the best summaries I have seen. As always, thanks for reading and let me know on Twitter (@lbhuston) if you have other favorite resources that you would like to share.

Guest Post: More on BYOD

As the world of computers, mobile devices, and technology in general, continue to exponentially evolve, so too must our need and desire to secure our communications, our data, and to that end our privacy. There is hardly a day that goes by anymore that we don’t hear of some major security breach of a large corporation, but this also directly impacts the individual. We have to make a concerted effort to protect our information – particularly on our mobile devices. Our mobile devices are inherently difficult to secure because they send their data over WiFi, which is susceptible to man-in-the middle attacks. We must pursue the security of our data on our mobile devices passionately. People nowadays carry so much private and more importantly valuable information on them that we just absolutely have to protect it. Particularly in this age of BYOD (bring your own device) to work. An even more difficult realm for the infosecurity folks trying to protect their networks. How does one protect a device on a network from malicious intent? How does one keep viruses, Trojans and worms off of the networks when everyone seems to be plugged in to their devices? This article intends to describe some steps that one can take to protect their mobile device both locally by encrypting the mobile device itself and also by utilizing apps that help to secure their email and telemobile device conversations from malevolence.  

 

As noted on the previous article on State of Security released on June 17, 2014, Brent recently discussed 3 tips for BYOD, which were to get these devices off of the production networks, teach people about mobile device security, and finally use what you already have to your advantage when it comes to your own architecture when developing BYOD policies and processes.

 

There are numerous steps that the IT folks can take to help secure their networks in this age of BYOD as mentioned in our previous article, but there are also some very simple and usefultips that we can all follow that will help us in protecting our mobile devices too.

 

Every company should have policies in place regarding the use and misuse of BYOD devices. This must include encryption of the data and remote wiping of the data if the device is lost or stolen, (such as Find my iMobile device, Android Lost, Mobile Security, and Autowipe,). Assuming the BYOD device is under the company’s control.  If not then as  mentioned in the previous article getting these devices off of the production network is a must. Every  company should at least require authentication and hopefully two-factor authentication of the device.  This would allow the organization some degree of control when it comes to resetting passwords, locking the device when it’s not in use, logging, etc. If it’s not, then asking employees to adhere and sign a code of conduct with regard to their device is a must, as well as periodic employee education. A quick Google search will reveal apps that can help with two-factor authentication too. Such as RSA Secure Alternative, SMS passcode, and Duosecurity.

 

The next step is to encrypt the mobile device itself upon ending your session. Thereby protecting your information from even the apps that you currently having running on the mobile device itself. All apps go through an approval process where they are tested, validated and checked for security, but there have been times where an app passed through such a process and still contained malicious code that sent back stolen personal information to the attacker. This is a particular issue in the Android market. Companies such as Cryptanium and Arxan offer integrity protection, jailbreak detection, anti-debug detection and reverse engineering protection. So if a attacker does manage to get ahold of your device it makes it much more tamper resistant. 

 

Apps that offer encrypted communication such as voice, video, text and/or file transfers are also a consideration. Silent Circle, Redmobile device and Whisper Systems offer such encrypted communication for a fee. Wickr and Cryptocat do this too, but are free. If you are just interested in encrypted text messages (SMS) then perhaps Babel, Whisper, or Akario is for you.

 

In today’s mobile device market there are a plethora of apps many of which do what they describe when it comes to helping to protect our information. Yet as with anything else if there is a will, there is a way, this is particularly true for those that mean to steal our information. If they have a desire to acquire your information they will make a concerted effort to try to extract it from your device. It is up to us to make it as difficult as possible for them to ever get it. For now there does’t seem to be a lot of apps that actually encrypt all of your information locally to the mobile device. Or if it does offer some degree of encryption then it does so over a potentially vulnerable, networked platform. In short there is no single magic bullet that will encrypt all of your mobile devices data and communications for free, but there are some out there for a fee will offer to do so. The other issue that arises is if you use said company do they have access to the information that you were trying to protect in the first place. What’s to keep a rogue employee from accessing your data? All of this can make your head spin. The moral of the story is to make good choices, use your common sense and don’t put anything on a mobile device that you aren’t willing to share with others. Be safe out there.

 

About Preston:

Preston Kershner is new to the info-security family, where he has a variety of lateral interests in topics such as cybersecurity, information security, incident handling and response, computer forensics and malware analysis. Preston has been in the medical field for over 20 years and is currently transitioning into the infosec community. When not being an information junkie, Preston enoys spending time with his family. He also enjoys learning everything he can about astrobiology (the search for exoplanets that have a potential to habour life). You can follow Preston as he continues to expand his knowledge and experience in these realms at http://www.linkedin.com/pub/preston-kershner/3a/493/965/ & follow him on Twitter (@redman7373).

 

About Brent:

Brent Huston is the Security Evangelist and CEO of MicroSolved, Inc. He spends a LOT of time breaking things, including the tools/techniques and actors of crime. When he is not focusing his energies on chaos & entropy, he sets his mind to the order side of the universe where he helps organizations create better security processes, policies and technologies. He is a well recognized author, surfer, inventor, sailor, trickster, entrepreneur and international speaker. He has spent the last 20+ years dedicated to information security on a global scale. He likes honeypots, obscure vulnerabilities, a touch of code & a wealth of data. He also does a lot of things that start with the letter “s”. You can learn more about his professional background here: http://www.linkedin.com/in/lbhuston & follow him on Twitter (@lbhuston).

 

Disclaimer:

It should be noted that some of the apps are free, some apps are cloud-based, some are open source and some are at a cost to the consumer. In no way do we endorse the applications in this article.