Operation Hardened Buckeye

MSI is pleased to announce the immediate formation and availability of Operation Hardened Buckeye!

This special program is dedicated to assisting Ohio’s Rural Electrical Cooperatives.

MSI will set up aggregated groups of Electrical Cooperatives and perform services and offer tools to the groups en-masse at discounted rates, as if they were one large company. Essentially, this allows the co-ops to leverage group buying, while still receiving individual reports, software licenses and overall group-level intelligence & metrics.

MSI will offer a package consisting of the following:

  • External Vulnerability Assessment with aggregated executive level reports/metrics & individual technical detail reports
  • An aggregated Targeted Threat Intelligence engagement with individual notifications of critical findings and an aggregated intelligence report for the group
  • 3 HoneyPoint Agent licenses and a console license per co-op that participates
  • Deep discounts to individual co-ops who desire application assessment, internal vulnerability assessments, wireless assessments or other MSI professional services (including MSI::Vigilance & ICS Network Segregation Services)
  • Deep discounts for ongoing assessments and targeted threat intelligence as a service

Caveats: All assessments will be performed at the same time. Co-ops must each sign onto a common MSA. Each co-op will be billed for the total of the package divided by the number of participating co-ops. Co-ops must provide accurate IP address ranges for their external assessment.

This enables the co-ops to have a security baseline of their security posture performed, including aligning their current status against that of their peers. It also allows for each of the co-ops to deploy a HoneyPoint Agent in their DMZ, business network and control network for detection capabilities. The targeted threat intelligence will provide them with an overall threat assessment, as well as identifying individual targets that have either already been attacked or are likely to provide easy/attention raising targets for future attacks.

We will be holding a webinar for those interested in participating on Thursday, May 21, 2015. You can register for this event here. You can also download the flyer about the program here.

For more information, please contact Allan Bergen via the email below or call (513) 300-0194 today! 

Email: sales@microsolved.com

Co-Op & Municipal Utilities Get Discounts in July

Attention Co-Op & Municipal utilities — MSI is offering discounts to your organizations on professional services (policy/process, assessments, pen-testing, etc.), lab services (device & AMR/AMI assessments, threat assessments, etc.) and HoneyPoint Security Server for the month of July. Book the business before July 31’st and have the work/implementation completed before December 31st of 2014 and you receive a discount up to 30% off!

Do you need pen-testing against your business network? Need web app assessments on billing or payment systems? Have a call for risk assessments, smart grid device testing or fraud testing against your meters and field gear? All of this and more qualifies!

Check out our ICS/SCADA specific services by clicking here!

Give Allan Bergen a call today at 513-300-0194 to learn more about our program. We truly appreciate the hard work and dedication that Co-op and Municipal utility teams do, and we look forward to working with you! 

Using HoneyPoint as a Nuance Detection System in Utility Companies

I often get asked about how utility companies deploy HoneyPoint in an average implementation. To help folks with that, I whipped up this quick graphic that shows a sample high level deployment. 

Thanks for reading! Let me know what you think, or if you have an interest in discussing an implementation in your environment.

See You At EPRI Event in Chicago

Next Monday, June 17th, I’ll be presenting at the EPRI conference in Chicago. My topic is a threat update on what attackers are targeting and what kind of value future state designs and other research/planning data has on the attacker market. If you’re going to be at the event, please join me for my presentation. If you’d like to grab a coffee or the like, let me know. I’ll be around all day. 

Thanks for reading and I hope to see you there! 

Coming to Grips with DDoS – Response

In our first two blogs concerning Distributed Denial of Service (DDoS) attacks and small service industries, we presented measures organizations can take to prepare for and defend against DDoS attacks. In this final installment on the subject, we will discuss methods of response to these incidents.

The first thing to do when you think you are under DDoS attack is to not panic. Calm and considered responses are always more effective than immediately jumping in and possibly cutting off legitimate connection requests. An ill-considered response on your part could cause the very denial of service your attacker intended in the first place. The best thing you can do is to immediately access your incident response plans and begin to implement those pre-planned procedures you worked so hard on. We are constantly amazed at how many organizations fail to follow their own response planning in the heat of a real incident! 

The next step in the process is traffic (log) analysis. You need to be able to identify what type of attack is being perpetrated and the kinds of bogus requests that are being made. This is where large log capacities and log aggregation tools come in very handy. Being able to view a large amount of data from a central console truly helps you recognize patterns in the attack. Since application layer attacks that employ IP spoofing are presently being used, pattern and type recognition are often the only means you have to discern good traffic from bad.

Once you are able to get a handle on what the bad traffic looks like, you can start filtering it out. This is best done by appliances as close to the network edge as possible. You can also work with your ISP which may be able to assist with filtering as well as other mechanisms such as rate and connection limiting.

After the attack is under control, don’t forget to work with law enforcement agencies such as the FBI and US-CERT. They are interested in these events and may be able to assist you in finding and dealing with the perpetrators. Reporting incidents is important because it is crucial to know the number and types of DDoS attacks that are really taking place out there in order to effectively respond to them. Reporting ends up being good for everybody!

Finally, it is very important to conduct lessons learned meetings and to adjust your incident response and business continuity planning. Table top exercises and other incident preparation techniques are helpful, but nothing helps you learn the hard lessons like a real incident. Why waste the only valuable thing to come out of the whole mess!

This series is written by John Davis, MicroSolved, Inc.

Coming to Grips with DDoS – Prepare

This post introduces a 3 part series we are doing covering distributed denial of service attacks (DDoS) and helping organizations prepare for them. The series will cover 3 parts, Prepare, Defend and Respond. 

Part 1 of 3 – Prepare.

Distributed Denial of Service (DDoS) attacks use networks of compromised computers (botnets) or web servers (brobots) to flood organization websites with so much traffic that it causes them to fail. This is especially worrying for financial institutions and utilities which rely so very heavily on the availability of their services and controls. DDoS attacks are also mounted by attackers to hide fraud or other hacking activities being perpetrated on networks. Although these types of attacks are not new, they are presently increasing in frequency and especially in sophistication. Application layer DDoS attacks do a good job of mimicking normal network traffic and recent DDoS attacks have been measured at a huge 65 Gb (nearly 10 times the previous high point). The purpose of this blog is to discuss some methods small organizations can employ to properly prepare for DDoS attacks. (Later articles in this series will discuss means for defending against and responding to these attacks).

The first thing any organization should do in this effort is proper pre-planning. Ensure that DDoS is included in your risk assessment and controls planning efforts. Include reacting to these attacks in your incident response and business continuity plans. And as with all such plans, conduct practice exercises and adjust your plans according to their results. In all our years in business, MSI has never participated in a table top incident responce or disaster recovery exercise that didn’t expose planning flaws and produce valuable lessons learned.

Next, your organization should consider DDoS when choosing an ISP. It helps immensely to have an Internet provider that has enough resources and expertise to properly assist if your organization is targeted for one of these attacks. Ensure that you develop a close relationship with your ISP too – communicate your needs and expectations clearly, and find out from them exactly what their capabilities and services really are. 

Finally on the preparation side of the problem, make sure that you keep well informed about DDoS and the actual threat level it poses to your organization. Keep active in user groups and professional organizations. Use the net to gather intelligence. The Financial Service Information Sharing and Analysis Center (FS-ISAC) has plenty of useful and up to date information on DDoS. You can even turn the World Wide Web against the enemy and use it to gather intelligence on them!

–This article series is written by John Davis of MSI. 

PS – This is NOT a problem you can “purchase your way out” of. Organizations can’t and should not buy huge amounts of bandwidth as a preparation for DDoS. The cost impacts of such purchases are not effective, nor is bandwidth size an effective control in most cases. Note that some technology solutions for packet scrubbing and the like do exist. Your milage may vary with these solutions. MSI has not reviewed or tested any of the DDoS technology products as a part of this series.