Avatar, Know Thyself!: The view of your organization from the Internet

“….(His) Inner eye opened to the stepped scarlet pyramid of the Eastern Seaboard Fission Authority burning beyond the green cubes of Mitsubishi Bank of America, and high and very far away he saw the spiral arms of military systems, forever beyond his reach.”

from “Neuromancer“, William Gibson 

… and off in the corner of that vast array of light and shadow – that brave new world we have created beyond the pixels – sit you and your organization. Your company, your school, your governmental organization … visible in a way you may have never seen.

 And that’s the problem.  

William Gibson’s protagonist has the ability to “jack into the matrix” and see this new world for what it is: A universe of manipulable interfaces and data constructs that radiates beyond the physical world.  Invisible to those not so gifted. 

My experience over the last few years has made me aware that many organizations that have a face they present to this new world are unaware of what it looks like. 

Attackers do.  They see your presence on the Internet with bright clarity.

It’s not the building you drive to every day. It’s not the office, cubicle farm, memos, meetings, and daily internal dramas that occupy so much of our work day.

It’s not these windows an attacker sees:

[image: building]

It’s windows like this one – visible to any Internet attacker: 

[image: office2]

… or this:

[image: building04]

There’s nothing inherently wrong with having such a “window” on the Internet, just as there’s nothing wrong about having windows in your house.  But – you know ALL the windows in your house.  You make sure they are closed, locked, and in some cases you replace the more vulnerable ones with glass brick, or remove them entirely. 

Do you know the windows your enterprise shows to the Internet? And if your reaction is, “Well, I don’t, but I’m sure someone does.” – you may be surprised to find they don’t. Your techs – including your networking techs – may know the exposures they are responsible for, but they may be completely unaware of exposures created 10 years ago by some previous group. These exposures live on, potentially populated by systems no longer being maintained. It happens – a lot.

What to do?   How to learn who you are on the Internet? 

  • Talk to your network admins about the Internet ranges assigned to your organization. 
    • They will know what they manage – but that may be all they know.
    • They may be unaware of network ranges that are in use (or were at one time) by other portions of your enterprise.
    • If your organization has grown as a result of mergers and acquisitions, there could very well be ranges in use they are completely unaware of.
    • Be aware also that “mistakes happen”.  Firewall rules are typo’ed and unintended exposures occur. 
  • Contact your Billing department.
    • Make sure you can account for all payments to Internet Service Providers (ISPs) by your organization. Get contact info.
  • Contact your known ISPs.
    • Ask them what IP ranges you are assigned. Be aware that you may be told a range of IP addresses that is actually larger than what you are assigned – a range that encompasses other organizations’ assignments. You will have to check.
  • Become familiar with ARIN (American Registry for Internet Numbers) and the other “Regional Internet Registries” (RIR). 
    • ARIN handles IP range registration for North America
    • IP ranges may be specifically allocated to your organization, or they may be suballocated by your Internet Service Provider (ISP) functioning as a “Local Internet Registry”.
    • Try a lookup of one of your known IP addresses at: https://www.arin.net/
    • Be aware that your primary public web site may be at a hosting facility and not at an IP address actually allocated to your own organization.  FTP, VPN and other such services are more likely to be “yours”. 
  • Become familiar with the WHOIS command, available on all Linux variants. 
    • Do WHOIS lookups based on IP addresses you know to be yours. 
    • Various web services also provide WHOIS lookup.
    • Depending on the diligence of your ISP (and that of any upstream providers they in turn use) you may find specific information about your sub-allocation. If not – talk to your ISP.

Verify your new list of Internet IP addresses! (as in “trust, but verify”)

  • FIRST! – Let your ISP know you will be doing checks against your assigned IPs.
  • Examine each Internet IP address for its service exposure – look for returned banners and check each web server exposure with a browser.  
  • Are they all yours? – If not (and it happens) contact your ISP to resolve.
  • Make a definitive list of your confirmed IP addresses and their services. 
  • Circulate that list within your organization – look for confirmation or objection.
  • Publish the list when finalized – make sure everyone who could remove or create a new exposure knows that they must keep that list current!
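The reconciliation step above – the ISP quotes you a range, the registry tells you who each sub-block is actually registered to, and you keep only the blocks that are yours – as an added example (not code from the original post). It assumes WHOIS replies in ARIN’s key/value style; the organization names and the 203.0.113.0/24 (TEST-NET-3) addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample WHOIS replies in ARIN's key/value style. The org names
# and the TEST-NET-3 addresses are placeholders for this example, not real data.
WHOIS_REPLIES = {
    "203.0.113.10": """NetRange:       203.0.113.0 - 203.0.113.63
CIDR:           203.0.113.0/26
NetName:        EXAMPLE-CORP-NET
Organization:   Example Corp (EXAMP)
NetType:        Reassigned
""",
    "203.0.113.200": """NetRange:       203.0.113.192 - 203.0.113.255
CIDR:           203.0.113.192/26
NetName:        OTHER-TENANT-NET
Organization:   Other Tenant LLC (OTHER)
NetType:        Reassigned
""",
}

def parse_whois(text):
    """Pull the CIDR block(s) and the organization line out of a WHOIS reply."""
    cidrs, org = [], None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "CIDR":
            cidrs += [ipaddress.ip_network(c.strip()) for c in value.split(",")]
        elif key in ("Organization", "OrgName"):
            org = value
    return cidrs, org

def reconcile(isp_claimed_range, known_ips, our_org, replies):
    """Returns (confirmed, foreign, unverified): networks registered to us,
    networks inside the ISP's quoted range that belong to someone else, and
    known IPs for which no WHOIS reply was collected yet."""
    claimed = ipaddress.ip_network(isp_claimed_range)
    confirmed, foreign, unverified = set(), set(), []
    for ip in known_ips:
        if ip not in replies:
            unverified.append(ip)
            continue
        cidrs, org = parse_whois(replies[ip])
        for net in cidrs:
            if ipaddress.ip_address(ip) not in net:
                continue  # reply does not actually cover this address
            if org and org.startswith(our_org):
                confirmed.add(net)
            elif net.subnet_of(claimed):
                foreign.add(net)  # the ISP's range is bigger than "yours"
    return confirmed, foreign, unverified

if __name__ == "__main__":
    ours, theirs, unknown = reconcile(
        "203.0.113.0/24", ["203.0.113.10", "203.0.113.200", "203.0.113.77"],
        "Example Corp", WHOIS_REPLIES)
    print("confirmed:", sorted(map(str, ours)))
    print("registered to others:", sorted(map(str, theirs)))
    print("no WHOIS data yet:", unknown)
```

The `foreign` set is the list to take back to your ISP, and `unverified` is what still needs a lookup before the address goes on the published inventory.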

Your organization now knows what it looks like on the Internet. 

  • Keep the list updated and disseminated within your organization. 
  • Either perform or commission regular (quarterly?) security assessments against ALL your Internet services.  
  • These assessments will test the security of your services AND inventory them. 
  • You may be surprised when new services appear or old ones disappear. Change management is great – when it works. 😉
  • Act quickly to resolve any security findings.  No internal excuses for public vulnerabilities!

Following the above steps will help you to know what your organization looks like in the “new” real world and will help ensure that look is a secure and confident one.

Questions? Email: info@microsolved.com

MSI Contributes to Criminal Underground Report

MSI is proud to announce that a Rand report that we contributed to is now available. The report details the underground economy and provides insights into the operation, intelligence and flow of the underground markets.

You can download a free copy of the report here.

We are happy to support research projects such as these and they represent yet another way that MSI fulfills our promise to give back to the security community. If you have questions about this project or about our other contributions, please reach out to me on Twitter (@lbhuston).

Tool Review: Lynis

Recently, I took a look at Lynis, an open source system and security auditing tool. The tool is a local scanning tool for Linux and is pretty popular.

Here is the description from their site:
Lynis is an auditing tool for Unix/Linux. It performs a security scan and determines the hardening state of the machine. Any detected security issues will be provided in the form of a suggestion or warning. Besides security-related information it will also scan for general system information, installed packages and possible configuration errors.

This software aims at assisting automated auditing, hardening, software patch management, vulnerability and malware scanning of Unix/Linux based systems. It can be run without prior installation, so inclusion on read-only storage is possible (USB stick, CD/DVD).

Lynis assists auditors in performing Basel II, GLBA, HIPAA, PCI DSS and SOx (Sarbanes-Oxley) compliance audits.

Intended audience:
Security specialists, penetration testers, system auditors, system/network managers.

Examples of audit tests:
– Available authentication methods
– Expired SSL certificates
– Outdated software
– User accounts without password
– Incorrect file permissions
– Configuration errors
– Firewall auditing 

As you can see, it has a wide range of capabilities. It is a pretty handy tool and the reporting is pretty basic, but very useful.

Our testing went well, and overall, we were pleased at the level of detail the tool provides. We wouldn’t use it as our only Linux auditing tool, but it is a very handy tool for the toolbox. The runs were of adequate speed and when we tweaked the configs with common errors, the tool was quick to flag them.

Overall, we would give it a “not too shabby”. 🙂 The advice is still a bit technical for basic users, but then, do you want basic users administering a production box anyway? For true admins, the tool is perfectly adequate at telling them what to do and how to go about doing it, when it comes to hardening their systems.

Give Lynis a try and let me know what you think. You can give me feedback, kudos or insults on Twitter (@lbhuston). As always, thanks for reading! 

Make Plans Now to Attend Central OH ISSA Security Summit 2014

Brent will be speaking again this year at the ISSA Security Summit in Columbus.

This year he has an interesting topic and here is the abstract:

A Guided Tour of the Internet Ghetto :: The Business Value of Tor Hidden Services

Following on the heels of my last set of talks about the underground value chain of crime, this talk will focus on a guided tour of the Internet Ghetto. You may have heard about Tor, the anonymizing network that rides on top of the Internet, but this talk takes you deep inside to visit the slums, brothels & gathering places of today’s online criminals. From porn to crimes against humanity, it is all here.

This talk will discuss Tor hidden services, help the audience understand what they are, how they operate, and most importantly, how to get business and information security value from them. If you think you know the dark side of the net, think again! Not for the faint of heart, we will explain some of the ways that smart companies are using hidden services to their benefit and some of the ways that playing with the dark side can come back to bite you.

Takeaways include an understanding of Tor, knowledge of how to access and locate hidden services and underground content, methods for using the data to better focus your business and how to keep an eye on your kids to make sure they aren’t straying into the layers of the onion.

 Come out and see us at the Summit and bring your friends. It’s always interesting and a great event to catch up with peers and learn some amazing new stuff. See ya there!

More on MSI Lab Services Offerings

MSI has built a reputation that spans decades in and around testing hardware and software for information security. Our methodology, experience and capability provides for a unique value to our customers. World-class assessments from the chip and circuit levels all the way through protocol analysis, software design, configuration and implementation are what we bring to the table.

Some of the many types of systems that we have tested:

  • consumer electronics
  • home automation systems
  • voice over IP devices
  • home banking solutions
  • wire transfer infrastructures
  • mobile devices
  • mobile applications
  • enterprise networking devices (routers, switches, servers, gateways, firewalls, etc.)
  • entire operating systems
  • ICS and SCADA  devices, networks and implementations
  • smart grid technologies
  • gaming and lottery systems
  • identification management tools
  • security products
  • voting systems
  • industrial automation components
  • intelligence systems
  • weapon systems
  • safety and alerting tools
  • and much much more…

To find out more about our testing processes, lab infrastructure or methodologies, talk to your account executive today. They can schedule a no charge, no commitment, no pressure call with the testing engineer and a project manager to discuss how your organization might be able to benefit from our experience.

At A Glance Call Outs:

  • Deep security testing of hardware, software & web applications
  • 20+ year history of testing excellence
  • Committed to responsible vulnerability handling
  • Commercial & proprietary testing tools
  • Available for single test engagements
  • Can integrate fully into product lifecycle
  • Experience testing some of the most sensitive systems on the planet

Key Differentiators:

  • Powerful proprietary tools:
    • Proto-Predator™
    • HoneyPoint™
    • many more solution specific tools
  • Circuit & chip level testing
  • Proprietary protocol evaluation experience
  • Customized honeypot threat intelligence
  • Methodology-based testing for repeatable & defendable results

Other Relevant Content:

Project EVEREST Voting Systems Testing http://stateofsecurity.com/?p=184

Lab Services Blog Post http://stateofsecurity.com/?p=2794

Lab Services Audio Post  http://stateofsecurity.com/?p=2565

Topic Analysis with TigerTrax

Recently, my team was asked to use our TigerTrax platform to observe a body of social media content around a specific topic for 12 hours and extract meaningful data. The topic chosen by the client was “fracking”.

As you might expect, there was quite a bit of conversation on the Internet about fracking during that period. The client wanted specifically to focus on a specific set of data and to identify potential activism or criminal activities that might be gathered from the data set. So, mission in hand, we engaged the TigerTrax platform and after 12 hours of data gathering, began our analysis.

The data we extracted was pretty amazing to the client. They were quite interested in some of the findings. For example, we identified and presented the client with:

  • A word cloud of specific topics found in the data set and their relationships
  • A list and frequency count of the keywords used in the data
  • A ranked list of hash tags used to communicate
  • The top retweeted/reposted posts during the period
  • Profiles and demographics of the most influential posters during the period
  • Analysis of a variety of multimedia content for “virality” and potentially dangerous impacts
  • We identified an emerging damaging PR issue that the client was able to get in front of
  • Details of an organized campaign to damage the reputation and safety of executives
  • Videos and diagrams educating activists in vandalism and other aggressive techniques

The client was able to use this information to help educate their membership, strengthen their security during protest events and to better understand some of the emerging PR concerns around their operations. They also began to work with ISPs and other service providers to begin takedown requests for the more illicit content.

This is just a sample of some of the ways that clients are leveraging the new TigerTrax platform to assist them with business needs. Get in touch and let us know your ideas or specific problems and we will see how we can help. If you want to know what the world is saying and how it affects you, TigerTrax just might be the solution you are looking for.

Topic analysis can be performed with TigerTrax as a single deep dive event with a customized report delivered and open for re-use with other clients, or can be completely customized to the client organization and solely for their use. Ongoing monitoring and analysis of topics and events can also be done as a part of the TigerTrax services. If you would like to hear more about the TigerTrax platform, or Topic Analysis, please give us a call at (614) 351-1237 extension 206. You can also reach out to me on Twitter (@lbhuston), and we can arrange a discussion. 

As always, thanks for reading and until next time, stay safe out there.

Podcast Release: Threats From the Net Feb 2014

The Kluniac is back! This month, the ElderGeek covers more emerging issues in infosec that came calling in February. 

Give it a listen, and touch base with him on Twitter (@pophop) to tell him what you’d like to hear on upcoming episodes. He loves the chatter and really digs listener feedback.

You can get this month’s episode by clicking here.

MSI Announces New Business Focused Security Practice

At MSI, we know security doesn’t exist for its own sake. The world cares about business and so do we. While our professional and managed service offerings easily empower lines of business to work with data more safely, we also offer some very specific business process focused security services.

Attackers and criminals go where the money is. They aren’t just aiming to steal your data for no reason, they want it because it has value. As such, we have tailored a specific set of security services around the areas where valuable data tends to congregate and the parts of the business we see the bad guys focus on most.

Lastly, we have also found several areas where the experienced eyes of security experts can lend extra value to the business. Sometimes you can truly benefit from a “hacker’s eye view” of things and where it’s a fit, we have extended our insights to empower your business.

Here are some of the business focused offerings MSI has developed:

  • Mergers & Acquisitions (M&A) practice including:
    • Pre-negotiation intelligence
    • Pre-integration assessments
    • Post purchase threat intelligence
  • Accounting systems fraud testing
  • ACH & wire transfer security validation
  • End-to-end EDI (Electronic Data Interchange) security testing
  • Business partner assessments
  • Supply chain assessments
  • Executive cyber-protection (including at home & while traveling abroad)

MSI knows that your business needs security around the most critical data and the places where bad guys can harm you the worst. We’ve built a wide variety of customized security solutions and offerings to help organizations harden, monitor and protect the most targeted areas of their organization. At MSI, we know that information security means business and with our focused security offerings, we are leading the security community into a new age.

At a Glance Call Outs:

Variety of business focused services

M&A offerings

Assessments of systems that move money

Fraud-based real world testing

Business partner & supply chain security

Executive protection

Key Differentiators:

Focused on the business, not the technology

Reporting across all levels of stakeholders

Specialized, customizable offerings

Capability to emulate & test emerging threats

Thought leading services across your business

Learn More About TigerTrax Services in Our Webinar

After the powerful launch of TigerTrax last week, we have put together a webinar for those folks looking to learn more about our TigerTrax™ services and offerings. If you want to hear more about social media code of conduct monitoring, passive analysis and assessments, investigation/forensics and threat intelligence enabled by the new platform, please RSVP.

Our webinar will cover why we built TigerTrax, what it does and how it can help your organization. We will discuss real life engagements using the TigerTrax platform across a variety of verticals and looking at social, technological and trust issues. From data mining threat actors to researching supply chain business partners and from helping pro-sports players defend themselves against accusations to monitoring social media content of key executives, the capabilities and examples are wide ranging and deeply compelling.

Register for the webinar by clicking here. Our team will get you registered and on the way to leveraging a new, exciting, powerful tool in understanding and managing reputational risk on a global scale.

The webinar will be held Wednesday, March 12, 2014 at 3 PM Eastern time. Please RSVP for an invitation. Spots are limited, so please RSVP early.

As always, thanks for reading. And, if you would prefer a private briefing or discussion about TigerTrax, give us a call at (614) 351-1237 x206 and we will get a specialist together with you to help identify how MSI can help your organization.

CMHSecLunch for March is 3/10/14

March’s CMHSecLunch is scheduled for March 10, 2014. The time is 11:30 to 1pm Eastern. The location this month is the Tuttle Mall food court. We usually meet pretty close to the middle of the place, but a bit away from the giant germ ball fountain. 🙂

I will not personally be able to attend this month, but will be back in full swing for the April edition. So enjoy this month without me and we can break bread together in a short while.

As usual, you can register for the event (not needed), and find more details here. CMHSecLunch is open to all, free to attend and has been a tradition now in the security community for a couple of years. So, grab a friend, have some food and engage in some great conversation. We can’t wait to see you!