3 Quick Thoughts for Small Utilities and Co-Ops

Recently I was asked to help some very small utilities and co-ops come up with some low cost/free ideas around detection. The group was very nice about explaining their issues, and here is a quick summary of some of the ideas we discussed.

1) Dump external router, firewall, AD and any remote access logs weekly to text and use simple parsers in python/perl or shell script to identify any high risk issues. Sure, this isn’t the same as having robust log monitoring tools (which none of these folks had), but even if you detect something really awful a week after it happens, you will still be ahead of the average curve of attackers having access for a month or more. You can build your scripts using some basis analytics, they will get better over time, and here are some ideas to get you started. You don’t need a lot of money to quickly handle dumped logs. Do the basics and improve.

2) Take advantage of cheap hardware, like the Raspberry Pi for easy to learn/use Linux boxes for scripting, log parsing or setting up cron jobs to automate tasks. For less than 50 bucks, you can have a powerful machine to do a lot of work for you and serve as a monitoring platform for a variety of tools. The group was all tied up in getting budget to buy server and workstation hardware – but had never taken the Pi seriously as a work platform. It’s mature enough to do a lot of non-mission critical (and some very important) work. It’s fantastic if you’re looking for a quick and dirty way to gain some Linux capabilities in confined Windows world.

3) One of the best bang for the buck services we have at MSI is device configuration reviews. For significantly less money than a penetration test, we can review your external routers, firewall and VPN for configuration issues, improper rules/ACLs and insecure settings. If you combine this with an exercise like attack surface mapping and threat modeling, you can get a significant amount of insight without resorting to (and paying for) vulnerability assessments and penetration testing. Sure, the data might not be as granular, and we still have to do some level of port scanning and service ID, but we have a variety of safe ways to do that work – and you get some great information. You can then make risk-based decisions about the data and decide what you want to act on and pay attention to. If your budget is tight – get in touch and discuss this approach with us.

I love to talk with utilities and especially smaller organizations that want to do the right thing, but might face budget constraints. If they’re willing to have an open, honest conversation, I am more than willing to get creative and engage to help them solve problems within their needs. We’d rather get creative and solve an issue to protect the infrastructure than have them get compromised by threat actors looking to do harm.

If you want to discuss this or any security or risk management issue, get in touch here.  

3 Things You Should Be Reading About

Just a quick post today to point to 3 things infosec pros should be watching from the last few days. While there will be a lot of news coming out of Derbycon, keep your eyes on these issues too:

1. Chinese PLA Hacking Unit with a SE Asia Focus Emerges – This is an excellent article about a new focused hacking unit that has emerged from shared threat intelligence. 

2. Free Tool to Hunt Down SYNful Knock – If you aren’t aware of the issues in Cisco Routers, check out the SYNful Knock details here. This has already been widely observed in the wild.

3. Microsoft Revokes Leaked D-Link Certs – This is what happens when certificates get leaked into the public. Very dangerous situation, since it could allow signing of malicious code/firmware, etc.

Happy reading! 

ATM Attacks are WEIRD

So this week, while doing some TigerTrax research for a client, I ran into something that was “new to me”, but apparently is old hat for the folks focused on ATM security. The attacks against ATMs run from the comical, like when would-be thieves leave behind cell phones, license plates or get knocked out by their own sledge hammers during their capers to the extremely violent – attacks with explosives, firearms and dangerous chemicals. But, this week, my attention caught on an attack called “Plofkraak”. 

In this attack, which is apparently spreading around the world from its birth in Eastern Europe, an ATM is injected with high levels of flammable gas. The attackers basically tape up all of the areas where the gas could easily leak out, and then fill the empty spaces inside the ATM with a common flammable gas. Once the injection is completed, the gas is fired by the attacker, causing an explosion that emanates from INSIDE the ATM.

The force of the explosion tears the ATM apart, and if the attackers are lucky, cracks open the safe that holds the money, allowing them to make off with the cash and deposits. Not all attackers are lucky though, and some get injured in the blast, fail to open the safe and even torch the money they were seeking. However, the attack is cheap, fast, and if the ATM doesn’t have adequate safeguards, effective.

The collateral damage from an attack of this type can be pretty dangerous. Fires, other explosions and structural damages have been linked to the attack. Here is an example of what one instance looked like upon discovery. 

Some ATM vendors have developed counter measures for the attack, including gas sensors/neutralizing chemical systems, additional controls to prevent injection into the core of the machine, hardening techniques for the safe against explosions and other tricks of the trade. However, given the age of ATM machines in the field and their widespread international deployment, it is obvious that a number of vulnerable systems are likely to be available for the criminals to exploit.

While this is a weird and interesting technique, it did give me some reminders about just how creative and ambitious criminals can be. Even extending that into Information Security, it never ceases to amaze me how creative people will get to steal. Spend some time today thinking about that. What areas of your organization might be vulnerable to novel attacks? Where are the areas that a single failure of a security control could cause immense harm? Make a note of those, and include them in your next risk assessment, pen-test or threat modeling exercise.

Don’t forget, that just like the inventors of Plofkraa”, attackers around the world are working on the odd, novel and unexpected attack vector. Vigilance is a necessary skill, and one we need more of, in infosec. As always, thanks for reading, and stay safe out there! 

MSI Launches New Threat Modeling Offering & Process

Yesterday, we were proud to announce a new service offering and process from MSI. This is a new approach to threat modeling that allows organizations to proactively model their threat exposures and the changes in their risk posture, before an infrastructure change is made, a new business operation is launched, a new application is deployed or other IT risk impacts occur.

Using our HoneyPoint technology, organizations can effectively model new business processes, applications or infrastructure changes and then deploy the emulated services in their real world risk environments. Now, for the first time ever, organizations can establish real-world threat models and risk conditions BEFORE they invest in application development, new products or make changes to their firewalls and other security tools.

Even more impressive is that the process generates real-world risk metrics that include frequency of interaction with services, frequency of interaction with various controls, frequency of interaction with emulated vulnerabilities, human attackers versus automated tools, insight into attacker capabilities, focus and intent! No longer will organizations be forced to guess at their threat models, now they can establish them with defendable, real world values!

Much of the data created by this process can be plugged directly into existing risk management systems, risk assessment tools and methodologies. Real-world values can be established for many of the variables and other metrics, that in the past have been decided by “estimation”.

Truly, if RISK = THREAT X VULNERABILITY, then this new process can establish that THREAT variable for you, even before typical security tools like scanners, code reviews and penetration testing have a rough implementation to work against to measure VULNERABILITY. Our new process can be used to model threats, even before a single line of real code has been written – while the project is still in the decision or concept phases!

We presented this material at the local ISSA chapter meeting yesterday. The slides are available here:

Threat Modeling Slides

Give us a call and schedule a time to discuss this new capability with an engineer. If your organization is ready to add some maturity and true insight into its risk management and risk assessment processes, then this just might be what you have been waiting for.