Three Danger Signs I Look for when Scoping Risk Assessments

Scoping an enterprise-level risk assessment can be a real guessing game. One of the main problems is that it’s much more difficult and time consuming to do competent risk assessments of organizations with shoddy, disorganized information security programs than it is organizations with complete, well organized information security programs. There are many reasons why this is true, but generally it is because attaining accurate information is more difficult and because one must dig more deeply to ascertain the truth. So when I want to quickly judge the state of an organization’s information security program, I look for “danger” signs in three areas.

First, I’ll find out what kinds of network security assessments the organization undertakes. Is external network security assessment limited to vulnerability studies, or are penetration testing and social engineering exercises also performed on occasion? Does the organization also perform regular vulnerability assessments of the internal network? Is internal penetration testing also done? How about software application security testing? Are configuration and network architecture security reviews ever done?

Second, I look to see how complete and well maintained their written information security program is. Does the organization have a complete set of written information security policies that cover all of the business processes, IT processes and equipment used by the organization? Are there detailed network diagrams, inventories and data flow maps in place? Does the organization have written vendor management, incident response and business continuity plans? Are there written procedures in place for all of the above? Are all of these documents updated and refined on a regular basis? 

Third, I’ll look at the organization’s security awareness and training program. Does the organization provide security training to all personnel on a recurring basis? Is this training “real world”? Are security awareness reminders generously provided throughout the year? If asked, will general employees be able to tell you what their information security responsibilities are? Do they know how to keep their work areas, laptops and passwords safe? Do they know how to recognize and resist social engineering tricks like phishing emails? Do they know how to recognize and report a security incident, and do they know their responsibilities in case a disaster of some kind occurs?

I’ve found that if the answer to all of these questions is “yes”, you will have a pretty easy time conducting a thorough risk assessment of the organization in question. All of the information you need will be readily available and employees will be knowledgeable and cooperative. Conversely I’ve found that if the answer to most (or even some) of these questions is “no” you are going to have more problems and delays to deal with. And if the answers to all of these questions is “no”, you should really build in plenty of extra time for the assessment. You will need it!

Thanks to John Davis for this post.

Data Breaches are a Global Problem

For those of you who maybe just thought that data breaches were only happening against US companies, and only by a certain country as the culprit, we wanted to remind you that this certainly isn’t so.

In fact, just in the last several weeks, breaches against major companies in the UK, Australia, Japan, Kenya, Korea, China and others have come to light. Sources of attacks show evidence of criminal groups working from the US, Brazil, Northern Africa, the Middle East, Russia and Asia among others. Just follow the data for a few weeks, and it quickly becomes clear that this is a GLOBAL problem and is multi-directional.

Even loose alliances seem to come and go amongst these criminal groups. They often steal data, talent, techniques, tools and resources from each other. They work together on one deal, while treating each other as competitors in other deals simultaneously. The entire underground is dynamic, shifting in players, goals and techniques on almost moment by moment basis. What works now spreads, and then gets innovated.

This rapidly changing landscape makes it hard for defenders to fight against the bleeding edge. So much so, in fact, that doing the basics of information security and doing them well, seems to be far more effective than trying to keep up with the latest 0-day or social engineering techniques.

That said, next time you read a report that seems to cast the data breach problem as a US issue versus the big red ghost, take a breath. Today, everyone is hacking everyone. That’s the new normal…

Consumers are Changing their Minds about Data Breaches

Per this article in Fast Company, it now seems that some 72% of consumers expressed an impact in their perception of a retail brand following a breach announcement. However, only 12% actually stopped shopping at the breached stores.

This appears to be a rising tide in the mind of consumers, with an increase in both attention and action versus previous polls.

Add to that the feelings of fatigue that we have been following on social media when breaches are announced. TigerTrax often identifies trending terms of frustration around breach announcements, and even some outright hostility toward brands with a breach. Not surprising, given the media hype cycle today.

TigerTrax also found that a high percentage of consumers were concerned to a larger extent about information privacy than in the past. Trending terms often include “opt out”, “delete my data” and various other conversation points concerning the collection and sharing of consumer information by vendors.

Retailers and other service providers should pay careful attention to this rising tide of global concern. Soon, breaches, data theft and illicit data trafficking may show significant increases in consumer awareness and brand damage is very likely to follow…

Ask The Experts: Why Do Security Testing of Internal Computer Networks?

Most organizations have realized the need to have vulnerability assessments of their internet-facing (external) computer networks performed periodically. Maybe they are alarmed by all the data compromises they hear about on the news or perhaps they are subject to regulatory guidance and are required to have vulnerability assessments done. But many organizations draw the line there and never have the security of their internal networks tested. This is a mistake! At least it’s a mistake if your goal is actually to protect your computer systems and the private information they store and process.

It is true that the most attacks against information systems come from external attackers, but that does not mean the internal threat is negligible. About one sixth of data compromises are due to employees and privileged insiders such as service providers and contractors. But there are many other reasons for testing the security of your internal networks besides the internal threat. For one thing, once cyber-criminals find a hole in your external defenses they are suddenly “insiders” too. And if your internal systems are not configured correctly, hardened and monitored, it becomes trivial for these attackers to own your systems and compromise all the private information you have.

The type of testing that gives you the most bang for the buck is internal vulnerability assessment. Doing this type of testing regularly has many benefits. One benefit that people usually don’t associate with internal vulnerability assessment is that it can be used to make maps and inventories of the network. These are essentials of information security. After all, if you don’t know what you have on your network and where it is, how can you protect it? Another benefit is that it allows you to view your internal network with perspective. In other words, it lets you see it the way an attacker would. It will reveal:

  • Access control issues such as default and blank passwords mistakenly left on the network during administration, open files shares or anonymous FTP sites that may contain private data or user accounts that are suspicious or inappropriate.
  • Systems that are missing security patches or that are running out of date software or operating systems that are no longer supported by the vendors.
  • Systems that have been misconfigured or that reveal too much information to unauthorized users.
  • Ports that are inappropriately left open or dangerous services such as Telnet or Terminal Services present on the network.
  • Poor network architecture that fails to properly segment and enclave information assets so that only those with a business need can access them.
  • How well third party systems present on your network are patched, updated and secured.

Also, from a business perspective, performing regular internal vulnerability assessments shows your customers that you are serious about information security; a factor that could influence them to choose your organization over others.

In addition to vulnerability testing, it is also more than just desirable to have penetration testing of the internal network performed occasionally. While vulnerability assessment shows you what flaws are available for attackers to exploit (the width of your security exposure), penetration testing shows you what attackers can actually do with those flaws to compromise your systems and data (the depth of your security exposure). Internal penetration testing can:

  • Reveal how attackers can exploit combinations of seemingly low risk vulnerabilities to compromise whole systems or networks (cascading failures).
  • Show you if the custom software applications you are using are safe from compromise.
  • Show you not only what is bad about your network security measures, but what is working well (this can really save you money and effort by helping you chose only the most effective security controls).

One other type of penetration testing that is well worth the time and expense is social engineering testing. As network perimeters become increasingly secure, social engineering techniques such as Phishing emails or bogus phone calls are being used more and more by attackers to gain a foothold on the internal network. We at MSI are very aware of just how often these techniques work. How well do you think your employees would resist such attacks?

Thanks to John Davis for this post.

Compliance-Based Infosec Vs Threat-Based Infosec

In the world of Information Security (infosec), there are two main philosophies: compliance-based infosec and threat-based infosec. Compliance-based infosec means meeting a set of written security standards designed to fulfill some goal such as the requirements of statute law or financial information privacy requirements. Threat-based infosec, on the other hand, means applying information security controls in reaction to (or anticipation of) threats that organizations currently (or soon will) face. 

Compliance-based infosec is generally applied smoothly across the organization. In other words, all the security controls mandated in the security standard must be put in place by the organization, and the relative effectiveness of each control is largely ignored. In contrast, security controls are applied in a hierarchical manner in threat-based infosec. The most effective or greatly needed security controls are applied first according to the threats that are most likely to occur or that will cause the most damage to the organization if they do occur. 

The difference is sort of like the defensive strategy of the Chinese versus that of the Normans in post-conquest England. The Chinese built very long walls that went from one end of their territory to the other. Their goal was to keep out all invaders everywhere. This is a grand idea, but takes a very large amount of resources to implement and maintain. In practice, it takes tons of men and infrastructure and the defensive capabilities at any one place are spread thin. The Normans in England, on the other hand, built strong castles with many layers of defense in strategic locations where the threats were greatest and where it was easiest to support neighboring castles. In practice, there are fewer defenses at any one point, but the places where defenses are implemented are very strong indeed. Both of these strategies have merit, and are really driven by the particular set of circumstances faced by the defender. But which is better for your organization? Let’s look at compliance-based infosec first.

Compliance-based infosec, when implemented correctly, is really the best kind of defense there is. The problem is, the only place I’ve ever seen it really done right is in the military. In military information security, failure to protect private information can lead to death and disaster. Because of this, no expense or inconvenience is spared when protecting this information. Everything is compartmentalized and access is strictly based on need to know. Every system and connection is monitored, and there are people watching your every move. There are rules and checklists for everything and failure to comply is severely punished. In addition, finding better ways to protect information are sought after, and those that come up with valuable ideas are generously rewarded.

This is not the way compliance-base infosec works in the private sector, or even in non-military government agencies. First, statute law is tremendously vague when discussing implementing information security. Laws make broad statements such as “personal health information will be protected from unauthorized access or modification”. Fine. So a group of people get together and write up a body of regulations to further spell out the requirements organizations need to meet to comply with the law. Unfortunately, you are still dealing with pretty broad brush strokes here. To try to get a handle on things, agencies and auditors rely on information security standards and guidelines such as are documented in NIST or ISO. From these, baseline standards and requirements are set down. The problems here are many. First, baseline standards are minimums. They are not saying “it’s best if you do this”, they are saying “you will at least do this”. However, typical organizations, (which generally have very limited infosec budgets), take these baseline standards as goals to be strived for, not starting points. They very rarely meet baseline standards, let alone exceed them. Also, NIST and ISO standards are not very timely. The standards are only updated occasionally, and they are not very useful for countering new and rapidly developing threats. So, unless your organization is really serious about information security and has the money and manpower to make it work, I would say compliance-based infosec is not for you. I know that many organizations (such as health care and financial institutions) are required to meet baseline standards, but remember what happened to Target last year. They were found to be compliant with the PCI DSS, but still had tens of millions of financial records compromised.

Now let’s look at threat-based infosec. To implement a threat-based information security program, the organization first looks at the information assets they need to protect, the threats and vulnerabilities that menace them and the consequences that will ensue if those information assets are actually compromised (basic asset inventory and risk assessment). They then prioritize the risks they face and decide how to implement security controls in the most effective and efficient way to counter those particular risks. That might mean implementing strong egress filtering and log monitoring as opposed to buying the fanciest firewall. Or it might mean doing something simple like ensuring that system admins use separate access credentials for simple network access and administrative access to the system. Whatever controls are applied, they are chosen to solve particular problems, not to meet some broad baseline that is designed to meet generally defined problems. Also, threat-based infosec programs are much better at anticipating and preparing for emerging threats, since reassessments of the security program are made whenever there are significant changes in the system or threat picture.

These are the reasons that I think most of us in non-military organizations should go with threat-based infosec programs. Even those organizations that must meet regulatory requirements can ensure that they are spending the bulk of their infosec money and effort on the effective controls, and are minimizing efforts spent on those controls that don’t directly counter real-world threats. After all, the laws and regulations themselves are pretty vague. What counts in the long run is real information security, not blind compliance with inadequate and antiquated baselines. 

Thanks to John Davis for this post.

Tor Video from Derbycon 4 Available

Thanks to Iron Geek and the Derbycon staff for making my presentation from this year available. 

The talk covered discussions about Tor Hidden Nodes and how crime works inside of the Tor network. Check the talk out here.

There is a lot of good stuff here, and they turned people away from the talk because we over-filled the room. Now, you can actually sit comfortably and watch it. :)

Message me on Twitter (@lbhuston) if you want to discuss. Thanks for reading and for watching!

A TigerTrax Success Story

I wanted to share a recent success story from our TigerTrax work with you. The TigerTrax platform is opening a wide-variety of new opportunities for MSI. We are building entirely new suites of services around the platform and the unique capabilities it provides for us.

Recently, we were asked by a client to use TigerTrax to perform investigations on a foreign bank run attack that occurred a few months ago. The client wanted to use the research to fully understand how the attack was performed, what mechanisms were used to influence the  public decisions to cause the bank run and to identify the possible motives of the attackers involved.

The MSI Intelligence Team, now staffed with 3 full time dedicated analysts, deconstructed the events and used a variety of analytics to investigate the attacks. The team identified a variety of possible motives, ranked them by probability and provided them to the client. They also built a step by step time line of the attack details, provided sample social media and traditional media examples, wrote a detailed scenario testing process for the client to use to test their own financial management mechanisms against the threats and briefed the client on their findings.

The client was amazed at how quickly, concisely and clearly the data was analyzed. The Intelligence Team rose past their expectations and gave them actionable intelligence that they could use to not only better understand the attack, but also test their exposures to such an attack in the future!

The success stories around TigerTrax are continuing to pile up, and I look forward to sharing more of them in the near future. In the coming months, you will hear even more about our new spin-off company, called The Bodhi Foundry, which we have built to hold all of the non-security products that the TigerTrax platform is powering. That company is focusing in on branding intelligence, competitive analysis, product innovation research and a wide variety of specialized business data analytics. But, never fear, the core use care of TigerTrax remains information security, threat intelligence, studying cyber-crime and helping our clients use data analytics in new ways to solve old-school security problems.

As always, thanks for reading and until next time, stay safe out there! 

Save The Date: 2014 ICS/SCADA Security Symposium Dec. 11

This year’s ICS/SCADA Security Symposium will be held on Thursday, December 11, 2014. This year’s event will be a little different, in that we are opening it up to any organizations who are asset owners or manufacturers of ICS/SCADA components. That includes utilities, manufacturing companies, pharma, etc. If you are interested in ICS security, you can sign up for the event.

This year’s event will also be virtual. It will be a series of Webinars held on the same day in 45 minute blocks, with time for follow-on questions. We will also hold a Twitter Q&A Hour from 1pm – 2pm Eastern, and we will attempt to make all speakers available for the Q&A!

In addition, we plan to stand up a supporting website for the event, and release a number of materials, including podcasts, interviews and other surprises the day of the event!

We will be tracking attendance in the webinars and providing notes of attestation for attendees for the purpose of CPE credits. We hope this new format will allow folks who wanted to attend in the past, but either couldn’t make the physical trip to Columbus or couldn’t leave their positions to attend training the ability to join us.

More details, including speakers and topics, as well as schedules, hashtags and other info will be released shortly. Thanks for reading, and we hope to see you on 12/11/14!

Twitter Games from MicroSolved

If you haven’t followed us on Twitter (@microsolved) yet, be sure to do so. Here are a few reasons why you should look to our Twitter feed for more great content from MSI:

  • Ongoing curated news feeds of some of the most interesting and best information security news & event coverage
  • Discussions of emerging threats and significant issues around InfoSec
  • Pointers to free tools & resources to help your team protect your data & systems
  • Easy way to talk to us & engage in pro-bono Q&A sessions
  • AND NOW – 2 New Games a week:
    • Mondays will feature the “Hacker Challenge” – a weekly technically-focused fun activity or challenge (decrypt a secret, solve a puzzle, find something specific  across the net, etc.)
    • Thursdays will feature the “Throw Back Thursday Hacker Trivia” – weekly trivia contest focused on hacker, InfoSec and technology; with occasional prizes for the winners!

So, grab an account on Twitter or follow us there, and don’t just keep up to date, but talk to us. We want to hear your thoughts, the security challenges you are facing and anything that will help us serve your information security needs. Plus, we know reading log files and patching systems can get tedious, so we will try to mix in a little fun along the way! See you there!

MSI Risk Assessments and Policy/Process Reviews

MSI still has a few engagement slots open for Enterprise or Application-focused Risk Assessments for the 4th quarter. Avoid the end of the year rush, and give Allan Bergen (513-300-0194, abergen (at) microsolved<dot>com) a call today to discuss booking risk engagements with the team before the end of the year. We have some special incentives for clients who book these engagement slots, so touch base with Allan to hear about them.

Our team has had a wonderfully successful year doing application focused risk assessments. We can tear into the policy/processes and exposures of systems like accounting, CRM, EDI processing and/or industrial control. These assessments can be performed with or without technical components such as vulnerability assessment and penetration testing.

If you would like to close the year with a close look at one of your specific systems or critical processes, give Allan and a call and arrange for a scoping discussion with our risk team. As always, thanks for reading, and we appreciate you choosing MSI as your security partner!