Table Top Testing Your Incident Response Process

Here is a slide deck for a presentation I gave today about a cheap, easy and effective way to test your incident response process.

It is a lot like a corporate game of Dungeons and Dragons (IT Manager needs food badly!), except that you get to actually see what your team knows and needs training on about your environment, the process itself and/or other specifics that could be useful during a real information security event.

If your interested in the topic and would like to schedule a presentation or the like, just let me know. Enjoy the slides and take a stab at role playing as a mechanism for testing business processes. Our experiences have shown it to be a worthwhile investment, and of course, let me know if you need me to be the “Dungeon Master”… 🙂

Testing your Incident Response Team

If the above link does not work, try this one.

HoneyPoint Managed Service Now Available

The initial private launch is complete, and the public launch has begun. HoneyPoint Security Server is now available as a managed service!

HoneyPoints can be deployed as software on your internal existing servers and workstations or on our VMWare virtual appliance. We manage the console and deliver real time email alerts, support and advice on security incidents. Incident response consulting and handling help is also available at a reduced hourly rate to HP Managed Service clients.

In addition to leveraging the power of HoneyPoints and HornetPoints, you also get easy, automated monthly reporting to make your life as an IT administrator or security team member easier.

As a special introductory price for readers of the blog, our newsletter and friends of the firm, you can sign up now for HoneyPoint Managed Services for as low as $99.00 (US) per month. Plus, for being a supporter of MicroSolved and our efforts, we will waive the setup fee ($195.00 normally) if you join the program before the end of July, 2009!

Interested in putting the power of the HoneyPoint Hive to work for your organization? Give us a call (614-351-1237 x206) or drop us a line (info@microsolved.com) and learn more about how to get more security with the least amount of effort. We’ll be happy to share our success stories with you. We look forward to working with your team!

Thoughts on Increasing Security in the Smart Grid

There has been a lot of attention lately on the “smart grid” and the coming evolution of the US (and global) power grid into a more robust, information and data-centric environment. Much press has been generated around the security and insecurity of these changes.

Currently, NIST and various other concerned parties, are hard at work on formalizing the standards around this particular environment and the products that will eventually make up this public spectrum of life. In the MSI lab, we have researched and reviewed much of this data and would like to offer forth some general recommendations for both the consideration of the various standards bodies and the particular vendors developing products in this area. Here they are, in no particular order:

First, we would ask that you design your products and the underlying standards with industry standard best practices for information security in mind. The security practices for IT are well established, mature and offer a large amount of protection against common security issues. Please include them in your designs.

Next, we would offer the following bullet items for your consideration:

  • Please take steps to minimize the attack surfaces of all products throughout the system to reduce the chances that attackers have to interact with the system components. Many of the products we have looked at offer far too wide and too many attack surfaces. This should definitely include reducing the attack surfaces available to system processes and thus, by implication, malware.
  • Please ensure that your system includes the ability to update the components in a meaningful way. As the smart grid system evolves, security issues are bound to arise and being able to patch, upgrade and mitigate them where possible will be a powerful feature.
  • Please implement end-to-end detective controls that include the ability to monitor the components for fraud, tampering, etc. Please include not just operational detective controls, but also logging, reporting and support for forensic hashing and other incident analysis capabilities.
  • You MUST be prepared to implement these systems with strongly authenticated, role-based access controls. Implementations that rely solely on single factor authentication are not strong enough for banking applications, so they should not be considered strong enough for the power grid either.
  • Please take every opportunity to prevent and restrict data leaks. Reducing the information available to the casual attacker does help prevent casual compromise. While these reductions might not prevent the determined, focused attacker, the exposure of these attack surfaces to the casual attacker is much more probable and thus should be controlled for in your security equation.
  • When you implement encryption into your products and systems, please choose appropriate, strongly peer-reviewed encryption. Proprietary encryption is too large of a risk for the public infrastructure. Also, please ensure effective, yet low resource requirement key management. Complicated key managed approaches do not differentiate your product in a good way, nor do they usually enhance security in any meaningful way. Proper key management technologies and encryption exist, please use them.
  • The same goes for protocols as encryption. We have standard protocols defined that are mature, stable, understood and effective. Please leverage these protocols and standards wherever possible and reduce or eliminate proprietary protocols. Again, the risk is just too large for the world to take a chance on unproven, non-peer reviewed math and algorithms.
  • Please design these systems with defense in depth in mind. You must provide multiple controls for confidentiality, integrity and availability. Failure to do this at a meaningful level creates substantial risk for you, your clients and the public.
  • Please ensure that your allow for rational processes for risk assessment, risk management and mitigation. If systems require high complexity or resources to perform these tasks, they simply are not likely to get done in the longer term of the smart grid when the shiny newness rubs off.
  • Please apply the same care and attention to consumer privacy and protection as you do to managing waste, fraud and abuse. This helps you design more secure components and protects both you and the public in a myriad of ways.
  • Please ensure that your product or system includes appropriate training materials, documentation and ongoing support for handling security and operational issues. Very little of the smart grid technology is likely to be “fire and forget” over the long haul. Please make sure your organization continues to create appropriate materials to educate and inform your users.

Largely, the rewards of the smart grid are incredible. Energy savings and reduced ecological impact are both key components of why the smart grid is in the public eye and is achieving so much momentum. However, like all change, the public is right to fear some facets. If done right, this will become the largest, most technological network ever created. Done wrong, it represents a significant risk for privacy, safety and national security. At MSI, we believe that the project can and will be done right! Thus, we want to contribute as much as possible to the right outcome.

Thanks for reading and please, take some time and educate yourself about the smart grid technologies. Your voice is very important and we all need to lend a hand and mind to the effort!

MicroSolved’s CEO and Security Evangelist Interview With [IN]SECURE Magazine

issue-main-21

[IN]SECURE Magazine, the fresh and innovative online magazine from Help Net Security (HNS), interviewed Brent for their June issue. Mirko Zorz, Editor-In-Chief, caught up with Brent to pose some great questions that allow the readers a glimpse into a “different kind” of CEO. Brent shares his insights about his role within MSI, future security threats, and developments within the information security field.

You may download the interview here.

Help Net Security is an online portal that covers all the major information security happenings. The portal has been online since 1998 and caters a large number of Information Technology readers specifically interested in computer security. For the entire June issue of [IN]SECURE Magazine, you can download it here. Great reading!

Interview with Syhunt CEO

This week I got a chance to ask a couple of questions about Syhunt SandCat and the future of web application security. Here is the exchange with some great insights into where the web and attackers are heading!

Quick Interview with Felipe Aragon, CEO of Syhunt.

Q: The 3.8 release represents a significant step forward in application security scanning, especially around Javascript. What are the key features that application testers should know about in the 3.8 product?

R: Browsers and the web evolved significantly over the past years. Sandcat has evolved together with the new advancements and now has a lot in common with modern web browsers. This is essential because if you want to seriously hunt security breaches in web 2.0 applications you have to emulate modern Web technologies. So, naturally Sandcat evolved to understand JavaScript, AJAX and PHP and is now what is known as a hybrid web application security scanner. We also implemented multi-thread sessions, making each host scan a different process (Google Chrome, for example, employ a similar technique, making each tab a different process). Other important features we got working in Sandcat is the ability to simulate user interaction and multi-layer defense evasion. Sometimes, after evading a WAF (web application firewall), the last layer of defense against exploitation is a regular expression filter, which can also be bypassed by using many different techniques, so we got this working in Sandcat. Unfortunately weak filters were popularized and today many websites are vulnerable to this attack.

Q: How are Javascript threats influencing the state of application security today?

R: Thanks to JavaScript, Web applications are becoming increasingly more sophisticated, so next-generation web applications must be handled like desktop applications. Browsers like Opera, Firefox, Safari, Chrome are now adding faster JavaScript VMs each release because this is where the Web is going. Increased usage of JavaScript changes everything. It changes the way web developers build web sites, and the way hackers search for vulnerabilities or take advantage of weak spots in web applications. It makes more difficult for web developers to build secure web applications and, of course, for pen-testers that are unskilled web programmers to fit in in this new world. JavaScript can be used to steal cookies, spread worms, launch XSRF attacks and many other malicious purposes. The attacks are limited only by the attacker’s imagination.

Q: Where do you see application security heading in the next 12 months? What types of attacks should we be paying attention to that are slipping below our radar right now?

R: Right now we are monitoring the emergence of new web platforms (such as the recently announced Google Wave) that will make the 3.0 version of the Web possible. I believe we are heading towards the end of an era for the Web, a Web OS is materializing. These web 3.0 platforms and extensions built for these platforms will be a major target for cybercriminals. We have a set of new vulnerability classes and combined attacks (using both old and new classes) on the horizon. It will take a lot of time for web developers to understand how certain lines of code, client-side or server-side, translate to some serious security issues and how to avoid them. It might actually never happen because the Web and attack methods will continue to evolve faster. Without innovation, there is no future for the web, but I hope organizations will do whatever they can to understand and minimize security risks within their Web systems and not allow the cyberspace to become more insecure than it is today.

Check out SandCat’s new release at http://www.syhunt.com.

PS – In fair disclosure, MSI has a business relationship with Syhunt.

New Web Scanner Patterns

The HITME has begun to pick up a new web scanning pattern from sources primarily in Europe. The pattern is assuming the spread and slow increase as usual with these simple PHP or web application scans.

Here is the list of targets that the scanner is checking for:

//phpMyAdmin/main.php

//phpmyadmin/main.php

//pma/main.php

//admin/main.php

//dbadmin/main.php

//mysql/main.php

//php-my-admin/main.php

//myadmin/main.php

//PHPMYADMIN/main.php

Note that this scanner does not have the big two scanning signatures that we are used to seeing from Toata and Morfeus. No scanner name or identifier is sent during the probes.

Web Admins should check their servers for these signatures. You can do so using our BrainWebScan tool if you would like. (FREE) I will publish a brain file for this as soon as possible, or you can cut and paste the signatures from this page.

Lessons from an Almost Lost Laptop

I ran into this article this morning on my daily web run and thought it was a fantastic set of insights into what you should be doing to protect your laptops.

It also shows that even security folks can make mistakes (it’s human nature!) and potentially expose themselves and data to loss.

Even though the article is Mac-centric, the basics at the core apply across all platforms. You might need a different set of applications, but the underlying principles are all the same.

Check it out here.

Super Secret Squirrel Pics of the New HoneyPoint Appliance

Here is a super secret picture of the soon to be released HoneyPoint appliance. The worker bees are hovering all around the hive and making last minute adjustments to the initial release.

I managed to snap this quick pic with my camera before they began to sting me. I hope you enjoy the preview.

The HoneyPoint appliance will likely be available late summer. Stay tuned for more info the details settle.

Tiny isn’t it?!!!

IMG_0376.JPG