MSI :: State of Security

Are You Attending the 2012 Central Ohio InfoSec Summit?

Mary Rose Maguire — Wed, 16 May 2012 13:37:03 +0000

We’re excited to be a part of this year’s 5th Annual 2012 Central Ohio InfoSec Summit! Each year it keeps getting better and better, and this year is no different.

MicroSolved’s CEO and founder, Brent Huston will be presenting “Detection in Depth: Changing the PDR Focus.” Phil Grimes will also present “Attacking Mobile Devices” in the Advanced Technical Track.

There are other great speakers lined up. Included are:

Bill Hagestad, author of 21st Century Chinese Cyber Warfare
Jay Jacobs, a Principal with Verizon’s RISK Intelligence team, will focus on cyber crime
Curtis Levinson, who has served two sitting Presidents of the United States, two Chairman of the Joint Chiefs of Staff and the Chief Justice of the United States, who will be presenting on a balanced approach for survivability and sustainability in the cyber realm

There are more great speakers, plus over thirty vendors who help businesses stay secure. We hope to see you at the event! It promises to be a great time re-connecting with old friends, making new connections, and learning new approaches toward a proactive information security strategy.

See you there!

Twitter Hack! 5 Ways to Avoid Being the Victim of a Phishing Attack

Mary Rose Maguire — Thu, 10 May 2012 15:20:35 +0000

Twitter is downplaying a security breach that exposed tens of thousands of user emails and passwords.

The leaked information, comprising 58,978 username and password combinations, appeared Monday on Pastebin. While Twitter said that it’s investigating the breach, it’s also downplayed the supposed size and severity of the data dump.

“We are currently looking into the situation,” said spokeswoman Rachel Bremer via email. “It’s worth noting that, so far, we’ve discovered that the list of alleged accounts and passwords found on Pastebin consists of more than 20,000 duplicates, many spam accounts that have already been suspended, and many login credentials that do not appear to be linked (that is, the password and username are not actually associated with each other).”

Information Week Security article

Whenever you read about such breaches, it is always a good idea to change your password, especially if you’ve not changed it for some time.

The compromised Twitter accounts could have been the result of phishing attacks. A phishing attack is when an attacker acquires personal information by duping the user into revealing it through manipulating their emotions.

Remember how one of your wiser friends told you it’s never a good idea to make a big decision while you’re overly-emotional? The same stands true for avoiding phishing attacks.

Here are some ways to stay safe:

Do not give out your financial information ever through an email appeal. I hope we all know now that you haven’t won the Nigerian lottery or that some prince or princess is willing to give you part of their inheritance if only you’ll keep their money in your bank account. Emails of this nature prey upon people who would love to “win” money or worse, may lose money in their account unless they give out their account information. Never give out your personal information. Instead, call your bank to verify that they need the information. You could also have some fun with the hackers like I did.
Don’t call any phone number or visit a website that is linked in the email. There’s a good chance it will connect you directly to the attacker. Look at the URL associated with the link. Does it contain words, letters, or numbers that seem odd? It’s likely an attempt to masquerade as an organization’s true website address, so don’t click it. You can see the URL by hovering over it or highlighting it with your mouse. Again, if you think it may be a legitimate request for information, verify it by contacting your financial institution directly.
Never fill out forms in an email that asks for personal information. Most organizations like PayPal notify their customers but do not ask for personal information to be placed into forms. Again, verify, verify, verify.
Regularly check your online banking accounts. Don’t allow months to go by before checking in. By frequently monitoring your account, you’ll be able to immediately see suspicious activity.
Patch it! When that annoying “Software Updates Available Now” window pops up, don’t ignore it. (I’m talking mainly to myself, now.) Click to install. Patches fix vulnerabilities and many attackers will jump on the opportunity to hit an un-patched machine. If you’re in doubt about whether your browser system is up-to-date, check by clicking your browser’s info link or your system’s and click “Software Update” or “Check for updates.” (In Firefox, it’s in the “Tools” section.)

Finally, you can report phishing attacks to the following organizations:

The Federal Trade Commission at spam@uce.gov.
Forward the email to the “abuse” email address to the company that is being spoofed (i.e. “abuse@XYZcompany.com” or “spam@XYZcompany.com”). Make sure to forward the complete email message with the original email header.
Notify the Internet Fraud Complaint Center of the FBI by filing a complaint on their website: http://www.ic3.gov/default.aspx There is an excellent selection of tips on the FBI site to help you avoid fraud, so make sure to check it out.

The key to avoid becoming a victim is to stay alert, stay suspicious, and stay on top of changing your passwords.

Stay safe!

Resources for Mobile Application Security

Mary Rose Maguire — Tue, 08 May 2012 18:37:35 +0000

Mobile application security continues to be a hot topic within the information security community. With more and more employees expecting to use their own devices at their workplaces, IT departments are scrambling to develop the right approach for securing their data.

If you’re working on developing security policies or seeking ways to secure your mobile applications, you may find some of these resources helpful. Stay safe out there!

Programming Mobile Devices: In Introduction for Practitioners by Tommi Mikkonen
Embedded Java Security: Security for Mobile Devices by Mourad Debbabi, Mohamed Salah, Chamseddiing Talhi, Sami Zhioua
Advances in Security and Payment Methods for Mobile Commerce by Wen-Chen Hu, Chung-wei Lee, Weidong Kou
Construction and Analysis of Safe, Secure, and Interoperable Smart Devices: International Workshop CASSIS 2004, by Gilles Barthe (Editor)
Anti-Virus Software for Smartphones (CNET)
Guidelines for Security Mobile Computing Devices (Stanford University)
Mobile Security Definition and Solutions (CIO Magazine)
Five Steps to Protect Mobile Devices Anywhere, Anytime (TechRepublic)
Mobile Device Security Through Virtualization (EDN)
Mobile Device Protection (SC Magazine)

Quick Wireless Network Reminders

Brent Huston — Fri, 04 May 2012 13:35:10 +0000

I recently tested a couple of Android network stumblers on a drive around the city and I found that not a lot has changed for consumer wireless networks since I last stumbled.

There are still a TON of unprotected networks, default SSIDs and WEP networks out there. It appears that WPA(x) and WPS have been slower to be adopted than I had expected. I don’t know if that is consumer apathy, ignorance or just a continued use of legacy hardware before the ease of push button WPS. Either way, it was quickly clear that we still have a long way to go to deprive criminals of consumer-based wireless network access.

The good news is that it appears from this non-comprehensive sample that the businesses in our area ARE taking WiFi security seriously. Most networks easily coordinated with a business were using modern security mechanisms, though we did not perform any penetration testing and can’t speak to their password policies or detection capabilities. But for the most part, their SSIDs made sense, they used effective crypto and in most cases were even paying attention to channel spread to maximize the reliability of the network. This is good news for most organizations and shows that much of the corporate awareness and focus on WiFi security by vendors seems to be working. It makes the business risk of these easy-to-deploy systems more acceptable.

I also noted that it was apparent on the consumer side that some folks deploying WiFi networks are paying attention. We saw SSIDs like “DontHackMe”, “DontLeechMeN3rds”,”Secured”, “StayOut”., etc. Sadly, we also saw plenty of SSIDs that were people’s names, addresses, children’s names and in one case “PasswordIsPassword1″. Clearly, some installers or consumers still haven’t seen the dangers of social engineering that some of these names can bring. So, while we have seen some improvement in SSID selection, there is still work to be done to educate folks that they need to pick non-identifiable information for broadcast.

That said, how can we better teach consumers about the basics of WiFi security? What additional things could we do as an industry to make their data safer at home?

How to Save Your Photos From a BYOD Security Policy

Mary Rose Maguire — Wed, 02 May 2012 16:21:07 +0000

Many companies have adopted a BYOD policy regarding mobile devices. Realizing that it’s unrealistic to require employees to leave their iPhones or tablets at home, they’ve accepted mobile technology; albeit, with a few rules.

One of the more common rules is to enable the remote wipe and lock feature. This means that if your device was ever stolen or compromised, the IT department can remotely lock the device and then wipe any data from it. And yes, that would include all of your photos as well as other items.

One CEO recently experienced personal data loss as a result of his own company’s policy that he himself helped establish. (Ouch!) While on vacation, his five-year old daughter tried to use his smartphone. After several failed attempts of entering the passcode, the corporate-installed remote wipe was triggered and the CEO lost all of the photos he had taken during the first half of their vacation. (Double ouch!)

If you have an iPhone with the latest iOS 5, you can sign up for the free iCloud, which will sync your devices and store everything on Apple’s servers. But first, you have to enable it. After installing the iCloud feature, tap Settings/iCloud and then choose “On.” Click on the “Back Up Now” and you’re good to go. This way, if your device is wiped clean because of a security breach, you’ll still have your photos.

Again, you’ll have to remember to do this frequently if you are using your smartphone to take vacation photos. It may be a good idea to back up your data during dinner or before you go to bed.

If you have an Android phone, make sure you have a Gmail address in order to take advantage of storing your data in the cloud. Titanium Backup and MyBackup Pro are also two apps that can back up your entire phone and transfer the data to your PC’s hard drive.

Whatever device you use, make sure you have a back up plan. Know well your company’s BYOD policy. It will give you peace of mind the next time you’re taking a bunch of photos at an event that will never happen again.

Stay safe and enjoy the ride!

Discuss Detection in Depth at CMH ISSA Summit

Brent Huston — Mon, 30 Apr 2012 18:59:18 +0000

On May 18th, I will be presenting on detection in depth at the CMH ISSA Summit. I look forward to a good discussion of the ideals, organizational needs, and maturity models. Given all of the focus on re-allocating resources from “prevention only” strategies to an equal spread across the core values of prevention, detection and response, this is likely to be a useful discussion to many organizations.

Come ready with good questions. I will also be available throughout the Summit for break-out discussions, one-on-ones, and small team meetings. Please reach out via email, phone or Twitter to schedule a sit down. Otherwise, feel free to approach me in the halls and we can have an ad-hoc discussion if you want to learn more about specific detection in depth approaches.

I speak on Friday, May 18th at 11:15 am. I hope to see you there!

Follow Up to Out of Band Authentication Post

Brent Huston — Fri, 27 Apr 2012 10:00:59 +0000

(This is a commentary follow up to my earlier post, located here.)

A couple of folks have commented on Twitter that they have a fear of using SMS for any sort of security operations. There have been discussions about the insecurity of SMS and the lack of attention to protecting the cellular network by carriers around the world. I generally disagree with blanket statements, and I would push for organizations considering SMS as a means of authentication to undertake a real risk assessment of the process before they jump in.

However, if the controls in place in the cell networks meet their appetite for risk, then I think it is a perfectly acceptable business case. It certainly beats in-band simple authentication mechanisms like “pictures of trust” and traditional login/password as a security control.

At least in SMS authentication, the attacker would usually need to have control over or access to more than one device belonging to the user. I think this helps make the risk model more acceptable for my views.

Other folks discussed how Out of Band Authentication (OOBA) has been done now successfully in many places. I agree with this. We know how to do it. There are a LOT of vendors out there who can successfully integrate, deploy and manage a solution for you. Sadly, though, there are still more than a few who are struggling to get it right or done at all. As with most things in life, it helps to do a little research. Organizations should perform due diligence on their vendors and factor vendor risks into the equation of purchases and project planning.

Lastly, a few folks commented on the fact that they, too, are running into speed bumps with deployments and logistics. Several folks echoed the sentiments of the original challenges and few offered suggestions beyond simply “doing more homework” and looking for “quickly scalable solutions”. The good news with this is that you are not alone out there. Other folks are facing AND BEATING challenges. Feel free to reach out to your peers and discuss what is and what isn’t working for them.

As per the original post, the more communication and discussion we can have amongst the community about these topics, the better off we all will be. So, discuss, seriously…

##Special thanks to the vendors that replied with case studies, references or stories about how they have done integration and deployment. There are a lot of good vendors out there with knowledge in this area. Careful review of their capabilities will help you sort them out from the less capable. Communication is key.

Thanks for reading!

Are You Attending the 2012 ISSA Central Ohio InfoSec Summit?

Brent Huston — Wed, 25 Apr 2012 17:42:11 +0000

If you are in the midwest and can make it to Columbus for the ISSA Summit this year, you owe it to yourself to do so. Great speakers, great content, an amazing location and some of the best folks from around the world, for two days focused on infosec. It’s been amazing the past several years. You can find info online about it here.

Some of the things I am looking forward to are getting to hear more from Richard Clarke (I might not always agree with his view, but he is an excellent speaker and a very good man.), and the rest of the speakers. In fact, there is not a speaker on the docket that I don’t think is amazing. We have developer insights, business folks, techno geeks, hackers, auditors and even a few MSI folks.

So, if you can come to town and be here May 17th and 18th, do so. If not, you’ll miss out on what is sure to be an amazing event.

Special thanks to the Columbus ISSA team for putting the event together. These folks work really hard to pull it off, and the volunteers on the day of the event go above and beyond to make it all happen. Please take a moment at the event and give them a pat on the back. If something would happen to go wrong, or could be done better, drop them a line in email and they will look at improving it next year. Thank them, in person, for all of the things that go right. Seriously, it helps. Even better, volunteer for the Summit and help them and the community out. It’s a great way to give back for all that the community does for all of us, all year long.

Thanks for reading and we’ll see you at the Summit!

HoneyPoint Internet Threat Monitoring Environment: An Easy Way to Pinpoint Known Attacker IPs

Mary Rose Maguire — Tue, 24 Apr 2012 15:19:25 +0000

One of the least understood parts of MicroSolved is how the HoneyPoint Internet Threat Monitoring Environment (#HITME) data is used to better protect our customers.

If you don’t know about the #HITME, it is a set of deployed HoneyPoints that gather real world, real time attacker data from around the Internet. The sensors gather attack sources, frequency, targeting information, vulnerability patterns, exploits, malware and other crucial event data for the technical team at MSI to analyze. You can even follow the real time updates of attacker IPs and target ports on Twitter by following @honeypoint or the #HITME hash tag. MSI licenses the data under Creative Commons, non-commercial and FREE as a public service to the security community.

That said, how does the #HITME help MSI better protect their customers? First, it allows folks to use the #HITME feed of known attacker IPs in a blacklist to block known scanners at their borders. This prevents the scanning tools and malware probes from ever reaching you to start with.

Next, the data from the #HITME is analyzed daily and the newest, bleeding edge attack signatures get added to the MSI assessment platform. That means that customers with ongoing assessments and vulnerability management services from MSI get continually tested against the most current forms of attack being used on the Internet. The #HITME data also gets updated into the MSI pen-testing and risk assessment methodologies, focusing our testing on real world attack patterns much more than vendors who rely on typical scanning tools and backdated threats from their last “yearly bootcamp”.

The #HITME data even flows back to the software vendors through a variety of means. MSI shares new attacks and possible vulnerabilities with the vendors, plus, open source projects targeted by attackers. Often MSI teaches those developers about the vulnerability, the possibilities for mitigation, and how to perform secure coding techniques like proper input validation. The data from the #HITME is used to provide the attack metrics and pattern information that MSI presents in its public speaking, the blog, and other educational efforts. Lastly, but certainly not least, MSI provides an ongoing alerting function for organizations whose machines are compromised. MSI contacts critical infrastructure organizations whose machines turn up in the #HITME data and works with them to mitigate the compromise and manage the threat. These data-centric services are provided, pro- bono, in 99% of all of the cases!

If your organization would be interested in donating an Internet facing system to the #HITME project to further these goals, please contact us. Our hope is that the next time you hear about the #HITME, you’ll get a smile on your face knowing that the members of our team are working hard day and night to protect MSI customers and the world at large. You can count on us, we’ve got your back!

Financial Organizations Struggle with Out of Band Authentication

Brent Huston — Fri, 20 Apr 2012 16:51:45 +0000

Many of our client financial organizations have been working on implementing out of band authentication (OOBA) mechanisms for specific kinds of money transfers such as ACH and wires.

A few have even looked into performing OOBA for all home and mobile banking access. While this authentication method does add some security to the process, effectively raising the bar for credential theft by the bad guys, it does not come without its challenges.

For starters, the implementation and integration of some of the software designed for this purpose has been a little more difficult than expected by many of the teams working on the projects. We are hearing that in some cases, the vendors are having difficulty integrating into some of the site platforms, particularly those not using .NET. Other platforms have been successful, but over time (and many over budget), the lesson learned is this: communicate clearly about the platforms in use when discussing implementations with potential vendors.

Other problems we have been hearing about include: availability issues with the number of outbound phone connections during peak use periods, issues with cellular carriers “losing” SMS messages (particularly a few non-top tier carriers), and integrating solutions into VoIP networks and old-style traditional PBX systems.

In many cases, these telephonic and cellular issues have caused the systems to be withdrawn during pilot, even turned off for peak periods during use and other “fit and start” approaches as the rough patches were worked out. The lesson in this area seems to be to design for peak use as a consideration, or at least understand and communicate acceptable delays, outages or round-robin processes, and make sure that your systems properly communicate these parameters to the user.

In the long run, proper communication to the users will lower the impact of the onslaught some of these systems call to the customer support and help desk folks.

It is getting better though. Vendors are learning to more easily and effectively develop and implement these solutions. The impact on account theft has been strong so far and customers seem to have a rapid adjustment curve. In fact, a few of our clients have shared that they have received kudos from their members/customers for implementing these new tools when they were announced, documented, and explained properly to the user base.

If your organization is considering this technology and has struggled with it, or has emerged victorious in the mastery of it; please drop me a line on Twitter (@lbhuston) and let me know your thoughts. The more we share about these tools, the better we can all get at making the road less bumpy for the public.

As always, thanks for reading and stay safe out there!

Audio Blog Post: How to Safeguard Your Data From Credit Card Theft

Mary Rose Maguire — Wed, 18 Apr 2012 10:00:24 +0000

Cybercriminals continue to seek new opportunities to steal credit card data, highlighted recently in the largest credit card theft seen in two years — a 1.5 million loss from Global Payments, a third-party processor of transactions for Visa and Mastercard.

What can companies do? Also, what can you do to protect your credit card data?

I sat down with Brent Huston, CEO and Security Evangelist with MicroSolved, Inc. to discuss such questions. In this audio blog post, you’ll hear:

The current state of identity theft
Two primary ways credit cards get stolen
Skimming as a preferred model for theft and how to prevent it
Why being PCI-compliant is not a silver bullet

And more!

Click here to listen.

Take a listen to this informative 15-minute interview and learn how you can protect your organization from data theft!

Resources:

The 80/20 Rule of Information Security
HoneyPoint Security Server (a superior detection product)
PCI Security Standards Council

Remember Public Cellular Networks in Smart Meter Adoption

Brent Huston — Mon, 16 Apr 2012 14:22:28 +0000

One of the biggest discussion points at the recent MEA Summit was the reliance of Smart Meter technology on the public cellular networks for communication.

There seemed to be a great deal of confusion about negotiating private cellular communications versus dependence on fully public networks. Many folks also described putting in their own femtocell and microcell deployments to greatly reduce the dependence on communication assets that they did not own. However, as you might expect, the purchase, install, management, and maintenance of private cellular infrastructure is expensive, requires skilled personnel, and often bumps into regulatory issues with frequency control and saturation.

Other considerations than cost also emerged with several ICS/SCADA owners discussing prioritization of repair issues versus consumer deployments, problems with negotiating effective, acceptable Service Level Agreements with the cell network vendors and a lack of understanding on the cell vendors’ part about ICS/SCADA deployments/integration/criticality in general.

Clearly, more analysis, study, and communication needs to occur between ICS/SCADA researchers/owners/developers and the relevant cellular network engineers/implementation teams to grow mutual knowledge and understanding between the parties. In the meantime, ICS/SCADA owners must strive to clearly identify their needs around cellular technologies, clearly demarcate the requirements for private/segmented/public cellular network use and understand the benefits/issues and threats of what they are utilizing. Cellular communications has a clear role to play in the future of ICS/SCADA, but the waters of how it will be managed, how it will be secured and how smaller organizations can obtain it affordably remain a bit muddy for now.

If your organization has winning strategies or has concerns that have arisen with the use of cellular networks, we would love to hear about them in the comments. The more ICS/SCADA owners work together to bring this knowledge forward, the more quickly and effectively we can resolve many of the issues that utilities and other organizations are encountering.

Getting Your ICS/SCADA Components Security Tested

Brent Huston — Fri, 13 Apr 2012 18:57:11 +0000

Recently, at the MEA Summit, I had the opportunity to engage in a great discussion with a number of SCADA owners about security testing of their devices. Given all of the big changes underway concerning SCADA equipment, connectivity and the greater focus on these systems by attackers; the crowd had a number of questions about how they could get their new components tested in a lab environment prior to production deployment.

Device and application testing is something that MicroSolved has done for more than a decade. We have tested hundreds of IT hardware products, commercial software loads, web/mobile applications, consumer products, and for the last several years, ICS/SCADA and Smart Grid components. Our lab environments are suitable for a wide variety of testing scenarios and are used by utility companies, manufacturers and software developers from around the world as a trusted source for rational security testing and relevant threat analysis. We have a firm non-disclosure policy for client systems tested and the relevant vulnerabilities discovered and we often work hand in hand with the developers/design engineers to work through both mitigation and/or compensating control development.

ICS/SCADA owners should have any new designs assessed prior to implementation, they should have some form of ongoing security assessment (analysis – NOT scanning…) performed against current deployments/threats, plus they should be engaged in testing all new hardware and software platforms before production adoption. Developers, designers and manufacturers of ICS/SCADA/Smart Grid components should be engaging in a full set of product assessments, attack surface analysis, threat modeling and penetration testing prior to the release of the products to market. This will be a value-add to your customers, and ultimately, to the consumer.

If your organization would like to have a device or software analysis performed, or would like to discuss how to engage with MicroSolved to have new equipment or ICS/SCADA deployment ideas modeled, tested and assessed, please contact us.

Presentations Given at Midwest Energy Association Summit

Mary Rose Maguire — Thu, 12 Apr 2012 17:35:20 +0000

On April 11, 2012, both Phil Grimes and Brent Huston were honored to present on the ICS/SCADA security topics at the Spring Gas Operations Summit in Indianapolis held by the Midwest Energy Association (MEA).

Phil covered the process of scoping security assessments for ICS/SCADA deployments and spent a lot of time with the crowd analyzing various scenarios for how to pick an assessment partner, how often to perform vulnerability assessments, how to closely control and properly use penetration testing and a variety of other topics specific to the crowd’s concerns.

Brent followed that presentation with a talk focused on honeypots in ICS/SCADA. He covered the history of honeypots in ICS deployments, the NIST guidance for honeypots (“canaries”) and the relevant locations and approaches to gathering attack data with them. The crowd also asked great questions about how to use the data from the systems, how to work together to leverage honeypot data as an industry and how to manage data anonymity for detected events.

Further discussions followed, with the MSI team sitting in the crowd as a round table, which went really well. They had excellent conversations about the state of the threat, the reliance on public infrastructures, cellular communication threats, network enclaving, detection techniques and the safety of Internet exposed HMIs.

MSI would like to thank MEA for allowing us to come in and engage with their attendees. It was a very interesting show and we think everyone learned a lot about where ICS/SCADA security is going in the next 1-3 years.

Poll: An Opportunity to Tell Us Which Content You Like Most!

Mary Rose Maguire — Tue, 10 Apr 2012 21:13:32 +0000

We always strive to bring you the best information security content, complete with thoughtful analysis and relevant resources. Would you take a few minutes to participate in our poll? We’d appreciate it because it will help us deliver the most useful content. Thank you!

Create your free online surveys with SurveyMonkey, the world’s leading questionnaire tool.

Don’t Forget About VoIP Exposures and PBX Hacking

Brent Huston — Fri, 06 Apr 2012 15:52:50 +0000

I was browsing my usual data alerts for the day and ran into this set of data. It motivated me to write a quick blog post to remind folks that VoIP scans and probes are still going on out there in the wild.

These days, with all of the attention to mass compromises, infected web sites and stolen credit card data, voice systems can sometimes slip out of sight.

VoIP compromises and intrusions remain a threat. There are now a variety of tools, exploits and frameworks built for attacking VoIP installations and they are a target for both automated tools and manual hacking. Access to VoIP systems can provide a great platform for intelligence, recon, industrial espionage and traditional toll fraud.

While VoIP might be the state of the art for phone systems today, there are still plenty of traditional PBX, auto-attendant and dial-up voicemail systems around too. Now might be a good time to review when those systems were last reviewed, audited or pen-tested. Traditional toll fraud is still painful to manage and recover from, so it’s probably worth spending a few cycles on reviewing these devices and their security postures.

Let us know if your organization could use assistance with these items or with hardening voice systems, implementing detection techniques for them or otherwise increasing voice system security.

HoneyPoint and HITME Helps Clients Take Out Malware

Brent Huston — Thu, 05 Apr 2012 12:41:08 +0000

I wanted to share some great feedback we received this week from a couple of sources. Both are regarding HoneyPoint — our product for creating a platform of nuance detection and visibility.

The first came from a critical infrastructure team. We notified them of an attack from their environment which was detected on the HITME (HoneyPoint Internet Threat Monitoring Environment). Using our alert, they quickly identified, investigated and isolated a specific machine that been infected with a piece of malware and was now scanning the Internet for other potential victims. They thanked us for the notification and said they truly appreciated our efforts and the work of the HITME team to help protect US critical infrastructures.

The second bit of feedback came from a long-time user of HoneyPoint Wasp, who suddenly began to see a piece of code propagate across a few machines in their workstation space. The code was rapidly identified as a piece of malware that had successfully evaded their anti-virus, but triggered the Wasp white list detection mechanism. Their team traced the infection back to a single USB key, which they impounded and sanitized. Thankfully, they found this infection before it was able to be leveraged by an attacker against them. They were very supportive of HoneyPoint and thanked us for assisting them in their investigation and for teaching them how to use Wasp through our installation services.

Together, these represent just a couple of the stories where HoneyPoint has helped security teams. Some of the people who receive the benefit of our work are not even users of the product or MicroSolved clients at all. It’s just another way that we engage every single day to help make a difference in the security and safety of peoples’ lives.

At MSI, we don’t just make great tools and perform great services, we have spent the last 20 years working hard to help people with information security. It continues to be both our pleasure and our passion.

Thanks for reading!

Three Sources to Help You Understand Cybercrime

Brent Huston — Tue, 03 Apr 2012 20:29:50 +0000

Cybercrime is a growing threat. I thought I would take a few moments and point you to three recent news articles that discuss U.S. Government views on just how information security is proceeding, how we are doing, and how we should think about the future of infosec. They are all three interesting points of view and represent a wide variety of data seen at high levels:

FBI Director Mueller on cybercrime (RSA Conference, March 2012)

Perspectives on intellectual property theft

How the U.S. is outgunned in cyber-defense

These three links are interesting perspectives on how infosec is changing from a focus on compliance and prevention techniques to fully embracing the need for cross-platform, security-focused initiatives. In addition, more emphasis is on threats and risk while balancing prevention, detection capability, and effective responses when things go wrong.

Long term, this change is an important one if we are to protect ourselves and the data of our customers in the future. Cybercrime won’t go away, but if we can approach security with proactive strategies, we may minimize its effectiveness.

MSI Strategy & Tactics Talk Ep. 27: The 2012 Verizon Data Breach Investigations Report

Mary Rose Maguire — Fri, 30 Mar 2012 18:42:10 +0000

The 2012 Verizon Data Breach Investigations Report is out! In this episode of MSI Strategy & Tactics, Adam, Phil, and John discuss the newest report’s discoveries and some of the more interesting discoveries. Discussion questions include:

1. What was the most surprising finding?
2. What is different from the past, any trends?

Listen in and let us know what you think!

Resource:

The Verizon Data Breach Investigations Report

Panelists:

Adam Hostetler, Network Engineer, Security Analyst

Phil Grimes, Security Analyst

John Davis, Risk Management Engineer

Mary Rose Maguire, Marketing Communication Specialist and moderator

Click the embedded player to listen. Or click this link to access downloads. Stay safe!

Mobile Apps Shouldn’t Roll Their Own Security

Brent Huston — Thu, 29 Mar 2012 13:50:51 +0000

An interesting problem is occurring in the mobile development space. Many of the applications being designed are being done so by scrappy, product oriented developers. This is not a bad thing for innovation (in fact just the opposite), but it can be a bad thing for safety, privacy and security.

Right now, we are hearing from several cross platform mobile developers that the API sets across iOS, Android and others are so complex, that they are often skipping some of the APIs and rolling their own code methods for doing some of this work. For example, take crypto from a set of data on the device. In many cases, rather than using standard peer-reviewed routines and leveraging the strength of the OS and its controls, they are saying the job is too complex for them to manage across platforms so they’ll embed their own code routines for doing what they feel is basic in-app crypto.

Problems (like those with the password vault applications), are likely to emerge from this approach toward mobile apps. There is a reason crypto controls require peer review. They are difficult and often complex mechanisms where mistakes in the logic or data flows can have huge impacts on the security of the data. We learned these lessons long ago. Home-rolled crypto and other common security routines were a big problem in the desktop days and still remain so for many web applications, as well. Sadly, it looks like we might be learning those lessons again at the mobile application development layer as well.

Basically, the bottom line is this; if you are coding a mobile application, or buying one to access critical data for your organization, make sure the developers use the API code for privacy, trust and security functions. Stay away from mobile apps where “roll your own/proprietary security code” is in use. The likelihood of getting it right is a LOT less than using the APIs, methods and code that the mobile OS vendors have made accessible. It’s likely that the OS vendors are using peer-reviewed, strongly tested code. Sadly, we can’t say that for all of the mobile app developer code we have seen.

As always, thanks for reading and stay safe out there!

Disagreement on Password Vault Software Findings

Brent Huston — Mon, 26 Mar 2012 14:08:08 +0000

Recently, some researchers have been working on comparing password vault software products and have justifiably found some issues. However, many of the vendors are quickly moving to remediate the identified issues, many of which were simply improper use of proprietary cryptography schemes.

I agree that proprietary crypto is a bad thing, but I find fault with articles such as this one where the researchers suggest that using the built in iOS functions are safer than using a password vault tool.

Regardless of OS, platform or device, I fail to see how depending on simple OS embedded tools versus OS embedded tools, plus the additional layers of whatever mechanisms a password vault adds, reduces risk to the user. It would seem that the additional layers of control (regardless of their specific vulnerability to nuanced attacks against each control surface), would still add overall security for the user and complexity for the attacker to manage in a compromise.

I would love to see a model on this scenario where the additional controls reduce the overall security of the data. I could be wrong (it happens), but in the models I have run, they all point to the idea that even a flawed password vault wrapped in the OS controls are stronger and safer than the bare OS controls alone.

In the meantime, while the vendors work on patching their password vaults and embracing common crypto mechanisms, I’ll continue to use my password vault as is, wrapped in the additional layers of OS controls and added detection mechanisms my systems enjoy. I would suggest you and your organization’s users continue to do the same.

Information Security Is More Than Prevention

Brent Huston — Fri, 23 Mar 2012 09:45:48 +0000

One of the biggest signs that an organization’s information security program is immature is when they have an obsessive focus on prevention and they equate it specifically with security.

The big signs of this issue are knee-jerk reactions to vulnerabilities, a never-ending set of emergency patching situations and continual fire-fighting mode of reactions to “incidents”. The security team (or usually the IT team) is overworked, under-communicates, is highly stressed, and lacks both resources and tools to adequately mature the process. Rarely does the security folks actually LIKE this environment, since it feeds their inner super hero complex.

However, time and time again, organizations that balance prevention efforts with rational detection and practiced, effective response programs perform better against today’s threats. Evidence from vendor reports like Verizon DBIR/Ponemon, law enforcement data, DHS studies, etc. have all supported that balanced program work much better. The current state of the threat easily demonstrates that you can’t prevent everything. Accidents and incidents do happen.

When bad things do come knocking, no matter how much you have patched and scanned, it’s the preparation you have done that matters. It’s whether or not you have additional controls like enclaving in place. Do you have visibility at various layers for detection in depth? Does your team know how to investigate, isolate and mitigate the threats? Will they do so in a timely manner that reduces the impact of the attacker or will they panic, knee-jerk their way through the process, often stumbling and leaving behind footholds of the attacker?

How you perform in the future is largely up to you and your team. Raise your vision, embrace a balanced approach to security and step back from fighting fires. It’s a much nicer view from here.

Secure Networks: Remember the DMZ in 2012

Brent Huston — Wed, 21 Mar 2012 17:53:40 +0000

Just a quick post to readers to make sure that everyone (and I mean everyone), who reads this blog should be using a DMZ, enclaved, network segmentation approach for any and all Internet exposed systems today. This has been true for several years, if not a decade. Just this week, I have talked to two companies who have been hit by malicious activity that compromised a web application and gave the attacker complete control over a box sitting INSIDE their primary business network with essentially unfettered access to the environment.

Folks, within IT network design, DMZ architectures are not just for best practices and regulatory requirements, but an essential survival tool for IT systems. Punching a hole from the Internet to your primary IT environment is not smart, safe, or in many cases, legal.

Today, enclaving the internal network is becoming best practice to secure networks. Enclaving/DMZ segmentation of Internet exposed systems is simply assumed. So, take an hour, review your perimeter, and if you find internally exposed systems — make a plan and execute it. In the meantime, I’d investigate those systems as if they were compromised, regardless of what you have seen from them. At least check them over with a cursory review and get them out of the business network ASAP.

This should go without saying, but this especially applies to folks that have SCADA systems and critical infrastructure architectures.

If you have any questions regarding how you can maintain secure networks with enclaving and network segmentation, let us know. We’d love to help!

10 Ways to Handle Insider Threats

Mary Rose Maguire — Mon, 19 Mar 2012 22:13:33 +0000

As the economic crisis continues, the possibility of an insider threat occurring within a company increases. Close to 50% of all companies have been hit by insider attacks, according to a recent study by Carnegie Mellon’s CERT Insider Threat Center. (Click here to access the page that has the PDF download, “Insider Threat Study.”)

It doesn’t help when companies are restructuring and handing out pink slips. The result of leaner departments means that often there are less employees to notice when someone is doing something wrong. Tough economic times may also make it tempting for an employee to switch his ‘white hat’ to a black one for financial gain. Insider threats include employees, contractors, auditors, and anyone who has authorized access to an organization’s computers. How can you minimize the risk? Here are a few tips:

1. Monitor and enforce security policies. Update the controls and oversee implementation.

2. Initiate employee awareness programs. Educate the staff about security awareness and the possibility of them being coerced into malicious activities.

3. Start paying attention to new hires. Keep an eye out for repeated violations that may be laying the groundwork for more serious criminal activity.

4. Work with human resources to monitor negative employee issues. Most insider IT sabotage attacks occur following a termination.

5. Carefully distribute resources. Only give employees what they need to do their jobs.

6. If your organization develops software, monitor the process. Pay attention to the service providers and vendors.

7. Approach privileged users with extra care. Use the two-man rule for critical projects. Those who know technology are more likely to use technological means for revenge if they perceive they’ve been wronged.

8. Monitor employees’ online activity, especially around the time an employee is terminated. There is a good chance the employee isn’t satisfied and may be tempted to engage in an attack.

9. Go deep in your defense plan to counter remote attacks. If employees know they are being monitored, there is a good possibility an unhappy worker will use remote control to gain access.

10. Deactivate computer access once the employee is terminated. This will immediately end any malicious activity such as copying files or sabotaging the network.

Be vigilant with your security backup plan. There is no approach that will guarantee a complete defense against insider attacks, but if you continue to practice secure backup, you can decrease the damage. Stay safe!

MSI Strategy & Tactics Talk Ep. 26: Hacking Back or Strikeback Technologies

Mary Rose Maguire — Fri, 16 Mar 2012 16:25:25 +0000

Hacking back or strikeback technologies is a system engineering term that could occur in a situation with a positive loop, whereby each component responds with an increased reaction to the response of the other component, and so the problem gets worse and worse. (The Information Security Dictionary: Defining the Terms That Define Security, by Urs E. Gattiker) Recently, a honey pot was created with some strikeback technology in the code. In this episode of MSI Strategy & Tactics, Brent Huston and the techs discuss the various aspects of this technology and how it would affect you. Discussion questions include:

What is the history of strike back, hacking back and how does it apply to today when you have major teams working to take down bot nets and such?
HoneyPoint has a type of technology called “defensive fuzzing” which does something that has been compared to strikeback. How it is different than other technologies?
What is the current take on the legality of strikeback/hacking back? Are organizations being put at risk if they attack their attackers or if their security teams go on offense?