About Mary Rose Maguire

Mary Rose Maguire was the Marketing Communication Specialist for MicroSolved, Inc. and the content curator for the State of Security blog, MSI's website, and social media.

Which Application Testing is Right for Your Organization?

Millions of people worldwide bank, shop, buy airline tickets, and perform research using the World Wide Web. Each transaction usually involves sharing private information such as names, addresses, phone numbers, credit card numbers, and passwords, and that data is routinely transferred and stored in a variety of locations. Billions of dollars and millions of personal identities are at stake every day. In the past, security professionals thought firewalls, Secure Sockets Layer (SSL), patching, and privacy policies were enough to protect websites from hackers. Today, we know better.

Whatever your industry, you should have a security team test your environment on a consistent schedule. Scalable technology allows them to quickly and effectively identify your critical vulnerabilities and their root causes in nearly any type of system, application, device or implementation.

At MSI, our reporting presents clear, concise, action-oriented mitigation strategies that allow your organization to address the identified risks at the technical, management and executive levels.

There are several ways to strengthen your security posture. These strategies can help: application scanning, application security assessments, application penetration testing, and risk assessments.

Application scanning can provide an excellent and affordable way for organizations to meet the requirements of due diligence; especially for secondary, internal, well-controlled or non-critical applications.

Application security assessments can identify security problems, catalog their exposures, measure risk, and develop mitigation strategies that strengthen your applications for your customers. This is a more complete solution than a scan since it goes deeper into the architecture.

Application penetration testing uses tools and scripts to mine your systems for data and to examine the underlying session management and cryptography. Risk assessments review all policies and processes associated with the specific application; how deep that review goes depends on the complexity of your organization.
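To make "examine underlying session management" concrete, here is the kind of check a tester runs against the cookies an application issues. This is an added example written for this page, not MSI tooling: the Set-Cookie headers and the sample session IDs are constructed, and the name fragments used to spot session cookies are a heuristic, not a standard.

```python
"""Session-cookie hygiene checks of the kind an application penetration
test runs against session management. Added example, not MSI tooling;
the headers and session IDs below are constructed."""

# Constructed Set-Cookie headers, as a target application might return them.
SAMPLE_SET_COOKIE_HEADERS = [
    "JSESSIONID=0000000A1F; Path=/",
    "auth_token=4d2e9a7c1b8f0e3a5c6d7e8f9a0b1c2d; Path=/; Secure; HttpOnly; SameSite=Strict",
    "sid=abc123; Path=/; Secure; HttpOnly; SameSite=None",
    "prefs=dark; Path=/",
]

# Name fragments that usually mark a cookie as carrying session or auth state
# (heuristic, an assumption of this example).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token")


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attr: value-or-True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def is_session_cookie(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_cookie(header):
    """Return (name, findings) for one header; non-session cookies get no findings."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if not is_session_cookie(name):
        return name, findings
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by injected script (XSS)")
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True or str(samesite).lower() == "none":
        findings.append("SameSite absent or None: sent on cross-site requests (CSRF)")
    if len(value) < 16:
        findings.append("short value (%d chars): likely low entropy" % len(value))
    return name, findings


def audit_all(headers):
    """Map cookie name -> findings for every session cookie with at least one issue."""
    report = {}
    for header in headers:
        name, findings = audit_cookie(header)
        if findings:
            report[name] = findings
    return report


def sequential_ids(sample):
    """True if session IDs captured in issue order look like a counter: all hex,
    every step small and positive. Randomly generated IDs do not behave this way."""
    try:
        values = [int(token, 16) for token in sample]
    except ValueError:
        return False
    deltas = [b - a for a, b in zip(values, values[1:])]
    return bool(deltas) and all(0 < d <= 1000 for d in deltas)


if __name__ == "__main__":
    for cookie, issues in audit_all(SAMPLE_SET_COOKIE_HEADERS).items():
        print(cookie)
        for issue in issues:
            print("  -", issue)
    # Three IDs captured back to back from a constructed target.
    print("sequential:", sequential_ids(["0000000A1F", "0000000A20", "0000000A23"]))
```

Point the header list at real responses (a proxy export works) and the report tells you which cookies a tester would chase first; the sequential check is the cheapest form of the predictability analysis a full test does with a larger sample.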

In order to protect your organization against security breaches (which are only increasing in frequency), consider conducting an application scan, application assessment, application penetration test, or risk assessment on a regular basis. If you need help deciding which choice is best for you, let us know. We’re here to help!

Ask the Security Experts: Facebook Security For Teenagers

We’re starting a new series: “Ask the Security Experts.” We’ll pose an information security question and our panel of experts will do their best to answer.


Our panel:

  • Adam Hostetler, Network Engineer, Security Analyst
  • Phil Grimes, Security Analyst
  • John Davis, Risk Management Engineer

Our Question

What should I tell my teenage children about privacy and security on Facebook?

Adam Hostetler:

Teach them how to use Facebook privacy settings. Go into the settings and explain how it works, and that they should only post updates and photos to their friends and not in public. Also, how to set their account so they can only be found by friends of friends. As for apps, be very careful about what Facebook apps they use, and pay attention to the permissions they request. For their account, always use a strong password. Do not give out account information to anyone (except parents). Lastly, they should always log out of the account when they are done. Never close the browser with the account still logged in.

Phil Grimes:

I fight this battle daily. I constantly remind my kids that what goes online now stays online forever. I have discussed privacy settings with them and give them little reminders that help them think about security and privacy online — at least in terms of posting info and pictures. It never hurts to remind them who I am and what I do for a living, they tend to always think twice before posting.

As for the games, however, this is something that is almost impossible to combat in my house. I think I am the only person who does NOT play Facebook games. The keys here are simple. Accept the machines that play these games as lost assets. I image the disks so I can restore them quickly and easily, then cordon them off on their own network segment so WHEN they get popped, I can “turn and burn” to get them back online. This really works well for me, but another important factor is to NOT do anything sensitive from these machines. Luckily, my kids don’t do any online banking or anything like that. I have my wife conduct sensitive tasks through another machine.

John Davis:

I would say to watch the scams and traps that are strewn like land mines throughout the site. Watch the free give-aways, be wary of clicking on pictures and videos and look carefully at any messages that contain links or suggest web sites to visit. Also, be VERY careful about ‘friends’ of friends and other strangers that want to friend you or communicate with you. You very well may not be communicating with who you think you are. Finally, if you’re on Facebook frequently and have not been wary, chances are you have malware on your computer that hides itself and runs in the background where you are not aware of it. So be careful when using the site and scan your system frequently.

Ask The Information Security Experts: Management and Rational Decisions About Security

We’re starting a new series: “Ask the Security Experts.” We’ll pose an information security question and our panel of experts will do their best to answer.


Our panel:

  • Adam Hostetler, Network Engineer, Security Analyst
  • Phil Grimes, Security Analyst
  • John Davis, Risk Management Engineer

Our Question

How can organizations (whose management may be concerned about hyped-up zero day exploits) make rational decisions about what and how to protect their assets? 

John Davis:

I think you should start to bring management perspective by reiterating to them that there is no such thing as 100% security. You cannot be entirely sure of your network or information protection mechanisms. Tell them yes, zero day exploits are probably going to get past traditional AV, IDS and IPS. But emphasize that there are security measures that are effective in zero day situations. These include such controls as anomaly based detection mechanisms, system user security training, and incident response programs. If you can detect these attacks early and respond to them quickly and correctly, you can effectively limit the damage from zero day attacks.

Phil Grimes:

Read the available data in the 2012 Verizon Data Breach Investigations Report. This will help to show that zero day fears are mostly unwarranted. While the threat exists, statistics show that most events occur because of “low hanging fruit”, or issues attackers leverage that don’t need super elite skills and can often be mitigated easily on the victim’s side. The best things to do in this regard are to focus on being fundamentally secure (do the basics), and realize that detection and response are going to be the best tools to help recover from a zero day attack scenario. 

Adam Hostetler:

With the data we have (Verizon report, etc), it shows that zero day threats are not as dangerous as one might think. Explain to them that the threat exists, but is somewhat exaggerated due to some high profile cases. And if they have controls that could help combat any zero day threats, it would likely ease management’s fears.

3 Things Security Vendors Wished CIOs Knew

Brent Huston, CEO and Founder of MicroSolved, answered a few questions regarding CIOs and information security. If Brent could speak to a room full of CIOs, these are a few things he’d share:

1)  CIOs are often unaware of what assets their organization has and how they are protected.

One problem we continually run into is the CIO folks know what the assets are they have, what’s critical and what isn’t. Often, they don’t have a good feel for the lifecycle of that critical data. Knowing what they have and how they currently protect it is a huge step forward for a CIO.

Does that have to be the ability to whip out a map? In a perfect world, yes. It just means the CIO needs to be able to reiterate to the vendor particularly when we’re talking about nuanced protection. And if we’re talking about penetration testing, why not consider this: instead of talking about penetration testing the whole environment, let’s test the stuff that matters. CIOs need to effectively and clearly communicate where that stuff is that matters. The systems it interacts with and what controls are in place today is what we need to focus on for testing or leverage them to do detection.

2)  A lot of CIOs don’t have any idea of what their real threat profile looks like.

When you talk to a CIO about the threat, their image of a threat is either script kiddies sitting in the basement of their mom’s house, or they’re so deeply entrenched in the cyber-crime thing that they think of it as credit card theft. They haven’t reached the level where they have any measurement or understanding of the different levels of threats that are focused on them — and how their responses would vary. The problem is they then treat all threats as the same. 

You expend the resources at a continual burn rate, so you’re probably using more resources than what you need, and then, when something really bad happens (because they’re used to treating it like a minor thing), they don’t feel like they need to pay attention. I’d love to see a CIO grow their attention to the threat profile and be able to communicate that upwards and to us as a vendor. 

3)  Some CIOs don’t understand the organization’s appetite for risk.

This is probably the hardest one. I love to meet with CIOs who already know their organization’s appetite for risk. It seems like many organizations, even those who should be far enough along and mature and understand an appetite for risk (I’m talking about critical infrastructures, here), don’t understand it. They have no way to quantify or qualify risk and decide what is acceptable and what isn’t. There may be complex policies in place and there are exceptions, but many CIOs don’t have a clear “line in the sand” to help them determine what to respond to.

These kinds of initiatives are growing, but that’s one of those things that separates a mature, security-focused organization, and a risk-focused organization from folks who haven’t moved into more of a risk and threat management interface. Many folks still are managing at a vulnerability layer, i.e. “If X vendor releases a Y patch, and I need the Z team to apply it, then I’ll do it.” They think that’s the extent of their security effort. 


To consider your security posture, why not take a look at our “80/20 Rule for Information Security” page? Did you know that 80% of an organization’s real information security comes from only 20% of the assets and effort put into the program? These 13 security projects will give your organization the most effective information security coverage for the least expenditure of time and resources.

Contact us if you have questions! We’ve seen how these projects have helped our clients and would love to help you!

“Ask the Information Security Experts” Series

We’re starting a new series: “Ask the Security Experts.” We’ll pose an information security question and our panel of experts will do their best to answer.


Our panel:

  • Adam Hostetler, Network Engineer, Security Analyst
  • Phil Grimes, Security Analyst

Our question:

There’s been a lot of attention lately about the leaking of passwords from sites like LinkedIn, Yahoo, Match.com, last.fm and others. What is the ONE THING that users of a site should do when these kinds of leaks happen? Each of you has such a wide variety of skills and focus, so what would you tell your Mom to do if she asked about this?

Adam: 
Figure out which sites you are using the same password on. Go to these sites and change them, use a unique password for each site. Keep these passwords in a password vault, such as KeePass or LastPass, with a strong master password.

Phil: 
Well, since NONE of our users should be reusing passwords, they should use their password vault tool to generate a new, strong password for the site(s) in question, change the password in their password manager, then change the password in the site itself. Also, take advantage of the password aging features of the password vault to remind you to change passwords on a regular basis. But changing the password of the affected site is the most critical thing, closely followed by NOT reusing passwords on multiple sites. 

There you have it! The bad guys will always try to find ways to cause trouble. Don’t make it easy for them. Use the tools mentioned and keep your data safe!
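Adam’s first step, figuring out which other sites share the leaked password, is easy to get wrong by hand once you have a few dozen accounts. The script below is an added example written for this page (not a MicroSolved tool, and not a substitute for KeePass or LastPass): given a vault export, it lists every site that shares the breached site’s password, reports all reuse groups, and generates a distinct replacement from the OS random source for each account that must be rotated. The vault contents are constructed and held in plaintext only for illustration.

```python
"""Find every account that shares a leaked password and generate a distinct
replacement for each. Added example, not a MicroSolved tool; the vault
contents are constructed and held in plaintext only for illustration."""
import secrets
import string

# Constructed sample of a password-manager export: site -> current password.
SAMPLE_VAULT = {
    "linkedin.com": "Summer2012!",
    "yahoo.com": "Summer2012!",
    "match.com": "correct-horse-battery",
    "bank.example": "Summer2012!",
    "last.fm": "Lfm#2010pass",
}

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def sites_sharing_password(vault, breached_site):
    """Other sites whose stored password equals the one used at breached_site."""
    leaked = vault[breached_site]
    return sorted(site for site, pw in vault.items()
                  if site != breached_site and pw == leaked)


def reuse_groups(vault):
    """Every password used on more than one site -> sorted list of those sites."""
    by_password = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def new_password(length=20):
    """Password from the OS CSPRNG with at least one lower, upper, digit and
    punctuation character; the remaining positions are drawn uniformly."""
    if length < 4:
        raise ValueError("length must be at least 4")
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    chars = [secrets.choice(c) for c in classes]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    # Shuffle with the CSPRNG so the mandatory characters do not always lead.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def rotation_plan(vault, breached_site, length=20):
    """Breached site plus every site sharing its password -> fresh, unique password."""
    targets = [breached_site] + sites_sharing_password(vault, breached_site)
    plan = {}
    used = set(vault.values())
    for site in targets:
        candidate = new_password(length)
        while candidate in used:   # vanishingly unlikely, but keep the guarantee
            candidate = new_password(length)
        used.add(candidate)
        plan[site] = candidate
    return plan


if __name__ == "__main__":
    print("shared with linkedin.com:", sites_sharing_password(SAMPLE_VAULT, "linkedin.com"))
    print("all reuse groups:", reuse_groups(SAMPLE_VAULT))
    for site, pw in rotation_plan(SAMPLE_VAULT, "linkedin.com").items():
        print(f"{site:14} -> {pw}")
```

Change the passwords in the plan at each site first and only then update the vault, as Phil describes, so a failed change never leaves the vault ahead of the site. The `reuse_groups` output is the list to work through on a quiet day even when nothing has leaked.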

3 Ways to Minimize Reputational Risk With Social Media

You have employees who are addicted to social media, updating their status, sharing everything from discovering a helpful business link to where they went for lunch. However, they also may be broadcasting information not intended for public consumption.

One of the most difficult tasks for an organization is conveying the importance of discretion for employees who use social media. Not only are organizations at risk from having their networks attacked, but they must protect their reputation and proprietary ideas. What makes these two areas difficult to protect is their mobile nature. Ideas are invisible and have a habit of popping into conversations – and not always with the people who should be hearing them. They can get lost or stolen without anyone knowing they’re even gone. Suddenly, you find your competitor releasing a great product to your market that you thought was yours alone.

If you want to decrease reputational risk, you have a few options. Initiate some guidelines for employees. Send friendly reminders from newsworthy “social-media-gone-bad” stories. The more employees know where an organization stands in regard to safe social media use, the more they can be smart about using it. Here are three basic rules to help them interact safely:

1. Don’t announce interviews, raises, new jobs, or new projects.

Talking about any of these sensitive topics on social networking sites can be damaging. If an employee suddenly announces to the world that they’re working on a new project with XYZ Company, there’s a good chance the news will be seen by a competitor. You may see them in the waiting room of your client on your next visit. One caveat: If you’re hiring, it’s a good thing. Your organization will be seen as successful and growing. However, those types of updates are usually best left to the HR department.

2. Don’t badmouth current or previous employers.

It’s good to remember what mom used to say, “If you don’t have anything positive to say, then say nothing at all.” The Internet never forgets. When an employee rants about either their past employer, or worse – their current one, it can poison a customer’s view of the organization. Nothing kills the possibility of a new sale faster than hearing an employee broadcast sour grapes. If this is a common occurrence, it can give the image of a badly managed company. This isn’t the message to send to either customers or future employees.

3. Stay professional. Represent the organization’s values well.

Employees are often tempted to mix their personal and work information together when using social media. Much of that information is benign, but you don’t want to hear about an employee’s wild night at the local strip club under the company’s name. Experts are divided on whether an employee should keep a personal account separate from their work life.

Emphasize your organization’s values and mission. Ask employees to TBP (Think Before Posting). Social media can be a good experience as long as it’s done responsibly. With some timely reminders, reputational risk will be drastically reduced.

Malware Alert: Will You Lose Your Internet Access On Monday?

We’re always keeping our eyes and ears open when it comes to malware. If you’ve not heard of this report before now, it would be good to check your computer to see if it has been infected with a nasty piece of malware whose creators were finally caught and shut down by the FBI late in 2011.

From AllThingsD:

Next week, the Internet connections of about a quarter-million people will stop working because years ago their computers became infected with malware.

The malware is called DNSChanger, and it was the centerpiece of an Internet crime spree that came to an end last November when the FBI arrested and charged seven Eastern European men with 27 counts of wire fraud and other computer crimes. At one point, the DNSChanger malware had hijacked the Internet traffic of about a half-million PCs around the world by redirecting the victims’ Web browsers to Web sites owned by the criminals. They then cashed in on ads on those sites and racked up $14 million from the scheme. When the crackdown came, it was hailed as one of the biggest computer crime busts in history.

Complete Article

The site the article links to for checking whether you have the malware is (not surprisingly) getting slammed. Try refreshing the address a few times; it will show you whether your system is infected and give you a link explaining how to fix it.
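If the checking site is unreachable, the same test can be done locally: DNSChanger worked by pointing a machine’s DNS settings at resolvers the criminals controlled, so the question is simply whether your configured DNS servers fall in those address ranges. The script below is an added example written for this page, not an MSI or DCWG tool. The ranges are the ones the FBI published for the takedown, reproduced here from memory, so confirm them against the FBI notice before relying on the result; the resolv.conf and ipconfig /all samples are constructed.

```python
"""Check a machine's configured DNS servers against the DNSChanger rogue
resolver ranges. Added example, not a MicroSolved or DCWG tool. The ranges
are those published by the FBI for the takedown, reproduced from memory:
confirm them against the FBI notice before relying on this."""
import ipaddress
import re

ROGUE_DNS_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "85.255.112.0/20",    # 85.255.112.0  - 85.255.127.255
    "67.210.0.0/20",      # 67.210.0.0    - 67.210.15.255
    "93.188.160.0/21",    # 93.188.160.0  - 93.188.167.255
    "77.67.83.0/24",      # 77.67.83.0    - 77.67.83.255
    "213.109.64.0/20",    # 213.109.64.0  - 213.109.79.255
    "64.28.176.0/20",     # 64.28.176.0   - 64.28.191.255
)]

# Constructed samples: a Unix resolv.conf and the relevant lines of Windows
# "ipconfig /all" output, each with one resolver inside a rogue range.
SAMPLE_RESOLV_CONF = """# constructed sample
nameserver 85.255.112.36
nameserver 8.8.8.8
"""

SAMPLE_IPCONFIG = """   DNS Servers . . . . . . . . . . . : 64.28.180.2
                                       1.1.1.1
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_nameservers(text):
    """Pull resolver addresses out of resolv.conf or ipconfig /all text.
    For ipconfig, bare addresses on the lines following 'DNS Servers' count too."""
    servers = []
    in_dns_block = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("nameserver"):
            servers += IPV4.findall(stripped)
        elif "DNS Servers" in stripped:
            in_dns_block = True
            servers += IPV4.findall(stripped)
        elif in_dns_block and IPV4.fullmatch(stripped):
            servers.append(stripped)
        else:
            in_dns_block = False
    return servers


def is_rogue(address):
    """True if the address lies in one of the published DNSChanger ranges."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in ROGUE_DNS_RANGES)


def check_resolvers(text):
    """Map each configured resolver to True if it sits in a rogue range."""
    return {srv: is_rogue(srv) for srv in parse_nameservers(text)}


if __name__ == "__main__":
    for sample in (SAMPLE_RESOLV_CONF, SAMPLE_IPCONFIG):
        for server, rogue in check_resolvers(sample).items():
            print(f"{server:16} {'ROGUE (DNSChanger)' if rogue else 'ok'}")
```

Feed it the contents of /etc/resolv.conf, or the output of `ipconfig /all` on Windows, instead of the samples. A hit means the machine (or the home router handing out DNS settings) was altered; fixing the DNS entries alone is not enough, since the malware that changed them may still be present.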

Here’s to seeing “green” for everyone!

Audio Blog Post: Defensive Fuzzing and MSI’s Patent

What goes into getting a patent? The answer would be: a lot of work! Brent Huston, CEO and Founder of MicroSolved, Inc., talks with Chris Lay, Account Executive, about MSI’s first patent for HoneyPoint’s defensive fuzzing capability. In this audio blog post, you’ll learn:

  • What is the patent about?
  • What is defensive fuzzing?
  • What went into the patent process?

Grab a drink and take a listen. As always, let us know what you think!

Click here to listen.

And don’t forget, you can follow Brent Huston on Twitter at @lbhuston and Chris Lay at @getinfosechere!

Audio Blog Post: MicroSolved Inc. Labs

Brent Huston, CEO and Founder of MicroSolved, Inc., talks with Chris Lay, Account Executive, about MicroSolved’s lab. In this audio blog post, you’ll learn:

  • Some of the things we’re testing now
  • The types of operating systems we’re testing
  • Brent’s favorite “testing” story

Grab a drink and take a listen. As always, let us know what you think!

Click here to listen.

And don’t forget, you can follow Brent Huston on Twitter at @lbhuston and Chris Lay at @getinfosechere!

Audio Blog Post: Malware Trends

Brent Huston, CEO and Founder of MicroSolved, Inc., discusses with Chris Lay, Account Executive, the new malware trends and a new perspective needed in dealing with attacks. In this audio blog post, you’ll learn:

  • How language is making a difference
  • How the attackers are getting more clever
  • What infected USB keys are now doing
  • What is ‘Flame’?
  • What to do when you identify malware in your organization

Grab a drink and take a listen. As always, let us know what you think!

Click here to listen.

And don’t forget, you can follow Brent Huston on Twitter at @lbhuston and Chris Lay at @getinfosechere!