Methodology For System Trust State Management

A lot of folks have written in asking for a simple methodology overview of how to use the spreadsheet we published in a previous post. Here is a quick and dirty overview of the methodology we use to manage the security trust state of systems in our work. Check out the diagram and let us know if you have any questions or feedback.

Thanks for reading and we hope this helps your team in a meaningful way! Click here to download the PDF.

MSI Strategy & Tactics Talk Episode 7: Security By Popular Demand!

“It is imperative that during times like this, we step back, analyze the situation, identify the solutions, and then evaluate which of those solutions best fits our needs.” – Phil Grimes, Security Analyst for MSI

Listen in as our tech team tackles the frequent requests from other organizational departments on “how to do security,” including:

  • What are some of the ways a company's infosec initiatives can be influenced by departments other than IT?
  • How does mass media affect information security?
  • When a CEO goes into panic mode after a splashy news story, what is the best response from the IT department?
  • Can you share some stories about what happens when an organization goes into "panic mode"? What are the results of such an approach?
  • What are some guidelines you can give to organizations to prevent security initiatives from being dominated by popular demand?

Panelists:

Brent Huston, CEO and Security Evangelist, MicroSolved, Inc.
Adam Hostetler, Network Engineer and Security Analyst
Phil Grimes, Security Analyst
John Davis, Risk Management Engineer
Mary Rose Maguire, Moderator, Marketing Communication Specialist, MicroSolved, Inc.

Click the embedded player to listen. Or click this link to access downloads. Stay safe!

Quick Tool: System Trust Tracking Sheet
While working incidents, and also during daily operations of a network environment, it is often useful to track the trust you have in components. For that reason, we frequently use a spreadsheet to contain the various elements. It also serves as a basic record of what has happened on a system or component. I usually track my trust in a system at three levels: trusted (I believe it is secure); semi-trusted (it is recovering from an event, or is acting funny but investigation did not yield results; I usually leave it in this state, with additional ongoing monitoring, for at least ~90 days); and untrusted (I believe it is in an insecure state, is "acting funny" and is under investigation, etc.).

I hope this spreadsheet helps folks looking for an easy way to do this. Complex tools like databases and such are out there too, but this might serve as a quick and dirty tool to get you what you need if you need to undertake this exercise (and I suggest you do). Hope it helps you and your team. Thanks for reading and take care of each other out there.

Click here to download the tracking sheet.

What Is A Trust Map?

For about a year now we have been getting questions from folks about basic trust maps, what they are and how they are used. After answering several times person to person, we thought it might be time for a simple blog post to refer folks to.

The purpose of a trust map is to graphically demonstrate trust between components of your organization or business process. It is a graphic map of how authentication occurs, what systems share accounts and what systems trust what other systems in an environment.

Trust maps are very useful for explaining your organization to new IT folks, helping auditors understand your authentication and security models, and especially for using as reference in incident response. Done properly, they become a powerful tool with a real payoff. For example, when an attack occurs and some mechanism gets compromised in your environment, you can use your trust map to quickly examine how to isolate the affected portions of the authentication model and learn what additional systems the attacker may have been able to trivially leverage given the access they gained. It really makes incident response much more effective and truly helps your teams respond to problems in a more intelligent and effective way.

It might take a little time to map complex organizations. If that proves to be a challenge, try starting with key business processes until you get to a point where you can create a holistic map with drill down process maps. This has proven to be an effective approach for larger/more complex organizations. If you need assistance with gathering the data or getting some additional political alliances to help the project along, our experience has been that the Disaster Recovery and Business Continuity folks usually have good starting data and are often easy to get engaged pushing the project through, especially since, in the long run, they get value from the maps too!

Here is an example map for you to use. It is pretty simple, but should give you the idea.
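To make the two ideas concrete, here is an added example (not code from the post or from MSI) that models a trust map as a directed graph, walks it transitively to find the systems an intruder on a compromised host could trivially reach, and keeps the tracking sheet's three trust levels with the ~90-day semi-trusted monitoring window. The `TrustMap` class, its method names, the "downstream systems become semi-trusted" response policy and the sample environment are all assumptions.

```python
from collections import deque
from datetime import date, timedelta

# Trust levels from the tracking-sheet post; semi-trusted gets ~90 days of extra monitoring
TRUSTED, SEMI_TRUSTED, UNTRUSTED = "trusted", "semi-trusted", "untrusted"
MONITOR_DAYS = 90

class TrustMap:  # hypothetical helper: directed trust graph plus per-system trust state
    def __init__(self) -> None:
        self.trusted_by: dict[str, set[str]] = {}  # y -> systems that trust y (auth, shared accounts)
        self.state: dict[str, str] = {}            # system -> trust level (missing = trusted)
        self.review_on: dict[str, date] = {}       # semi-trusted system -> end of monitoring window

    def add_trust(self, truster: str, trusted: str) -> None:
        self.trusted_by.setdefault(trusted, set()).add(truster)

    def set_state(self, system: str, level: str, today: date) -> None:
        """Change a trust level; entering semi-trusted (re)starts the monitoring window."""
        self.state[system] = level
        self.review_on.pop(system, None)
        if level == SEMI_TRUSTED:
            self.review_on[system] = today + timedelta(days=MONITOR_DAYS)

    def blast_radius(self, compromised: str) -> set[str]:
        """Systems reachable from `compromised` by following 'X trusts Y' edges transitively."""
        seen, queue = set(), deque([compromised])
        while queue:
            for truster in self.trusted_by.get(queue.popleft(), ()):
                if truster != compromised and truster not in seen:
                    seen.add(truster)
                    queue.append(truster)
        return seen

    def record_compromise(self, system: str, today: date) -> set[str]:
        self.set_state(system, UNTRUSTED, today)
        affected = self.blast_radius(system)
        for s in affected:  # assumed response policy: downstream systems go semi-trusted for review
            if self.state.get(s, TRUSTED) != UNTRUSTED:
                self.set_state(s, SEMI_TRUSTED, today)
        return affected

    def due_for_review(self, today: date) -> list[str]:  # semi-trusted systems past their window
        return sorted(s for s, end in self.review_on.items() if today >= end)

def build_sample_map() -> TrustMap:
    tm = TrustMap()  # constructed sample environment (not from the post): (truster, trusted)
    for truster, trusted in [("fileserver", "dc01"), ("mail", "dc01"), ("radius", "dc01"),
                             ("dc01", "admin-ws"), ("vpn-gw", "radius"), ("backup", "fileserver")]:
        tm.add_trust(truster, trusted)
    return tm
```

Because reachability is transitive, a compromise of the admin workstation that the domain controller trusts reaches everything the domain controller vouches for, while a compromise of a leaf such as the VPN gateway reaches nothing.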

For more information or help creating your own trust maps, drop us a line or give us a call. We’d be happy to help or even get engaged to make the maps for you as a part of other security testing and projects. As always, thanks for reading and stay safe out there!

The 5 Big C’s Of Fail

From Brent Huston’s recent webinar, “How To Create A Threat-Centric Focus For Your Information Security Initiatives”:

Want to know why many information security programs are failing today? Yesterday, on our webinar, we got a lot of feedback on these issues and most folks agreed on these causes. A few said it was high time someone said what we did. For those of you who want to know why the attackers are winning, here is a quick summary of the slide that caused all of the ruckus on the webinar. Wanna see what all of the fuss was about? Drop us a line if you would like to be in the next session or stay tuned for a video of the talk in the next couple of weeks!

As always, thanks for the feedback. We are glad you enjoyed the talk and we look forward to giving it more often. It’s time we all started talking candidly about the problems we face and the real reasons that attackers are winning the race!

Audio Blog Post: Surface Mapping and Security

Brent Huston, CEO and Security Evangelist for MicroSolved, Inc. interviews Phil Grimes, Security Analyst.

Surface mapping is a highly useful strategy for evaluating a security environment. In this audio blog post, we talk about:

  • What Surface Mapping is
  • How MSI does it
  • Mobile platforms and the similarities and differences with testing them vs. other platforms
  • How to avoid becoming complacent with your environment

Click here to listen for more!

MSI Strategy & Tactics Talk Episode 6: Fall-out From Anti-Sec and “Hactivism”

“The fall-out from these types of attacks is going to cause an undue amount of stress with new requirements.” – Brent Huston, CEO and Security Evangelist for MSI

Listen in as our tech team discusses the recent rash of “hacktivism,” including:

  • What is a hacktivist?
  • How has hacktivism matured over the last several years?
  • What do you make of the anti-sec movement and the motives of groups like Anonymous, LulzSec, etc.?
  • What do corporate security teams need to know about the anti-sec movement?
  • What is the likely fallout from all of the recent breaches and media attention to such attacks?

Panelists:

Brent Huston, CEO and Security Evangelist, MicroSolved, Inc.
Adam Hostetler, Network Engineer and Security Analyst
Phil Grimes, Security Analyst
John Davis, Risk Management Engineer
Mary Rose Maguire, Moderator, Marketing Communication Specialist, MicroSolved, Inc.

Click the embedded player to listen. Or click this link to access downloads. Stay safe!

Audio Blog Post: Interview With Teresa West, Project Manager

Brent Huston, CEO and Security Evangelist for MicroSolved, Inc. interviews Teresa West, MSI’s Project Manager.

Project Management is integral to MSI’s successful relationships with our clients. Some of the highlights include:

  • Tools for keeping clients up-to-date
  • How MSI uses customization to drive extreme flexibility
  • How MSI delivers exactly what the customer wants

Click here to listen for more!