Ask The Information Security Experts: Management and Rational Decisions About Security

We’re starting a new series: “Ask the Security Experts.” We’ll pose an information security question and our panel of experts will do their best to answer.


Our panel:

  • Adam Hostetler, Network Engineer, Security Analyst
  • Phil Grimes, Security Analyst
  • John Davis, Risk Management Engineer

Our Question

How can organizations (whose management may be concerned about hyped-up zero day exploits) make rational decisions about what and how to protect their assets? 

John Davis:

I think you should start to bring management perspective by reiterating to them that there is no such thing as 100% security. You cannot be entirely sure of your network or information protection mechanisms. Tell them yes, zero day exploits are probably going to get past traditional AV, IDS and IPS. But emphasize that there are security measures that are effective in zero day situations. These include such controls as anomaly-based detection mechanisms, system user security training, and incident response programs. If you can detect these attacks early and respond to them quickly and correctly, you can effectively limit the damage from zero day attacks.

Phil Grimes:

Read the available data in the 2012 Verizon Data Breach Investigations Report. This will help to show that zero day fears are mostly unwarranted. While the threat exists, statistics show that most events occur because of “low-hanging fruit”, or issues attackers leverage that don’t need super elite skills and can often be mitigated easily on the victim’s side. The best things to do in this regard are to focus on being fundamentally secure (do the basics), and realize that detection and response are going to be the best tools to help recover from a zero day attack scenario.

Adam Hostetler:

The data we have (Verizon report, etc.) shows that zero day threats are not as dangerous as one might think. Explain to them that the threat exists, but is somewhat exaggerated due to some high profile cases. And if they have controls that could help combat any zero day threats, it would likely ease management’s fears.

Security Experimentation with HoneyPoint

One of the best uses of HoneyPoint is to test your assumptions, model risk or otherwise perform experiments.

If your management team would benefit from understanding how quickly a new web application will be targeted and attacked when deployed, a quick mock-up with HoneyPoint can give them that data. If you want to prove to the development team that attackers will find XSS-vulnerable apps, a quick publish of a HoneyPoint web app with the XSS vulnerability enabled will get you metrics to support your assertion.

That’s one of my favorite uses of HoneyPoint: to quickly, easily and safely build real world metrics that answer my questions. Sure, it’s a great tool for defense and detection. But I really love using it to scratch my own itch for real world data. 

Don’t Freak Out, It’s Only Defcon

It’s that time of year again. The time of year when the hype cycle gets its yearly injection of fear and hysteria from overheated, overstimulated, dehydrated journalists baking in the Las Vegas summer heat. It happens every year around this time, the journalists and bloggers flock to the desert to hear stories of emerging hacks, security researcher data, marketing spin and a ton of first person encounters with party goers and the followers of the chaos that has become Defcon.

It is, after all, one of the largest, oldest and most attended events in the hacker community. It mixes technology, business, hacking, marketing, drinking, oddity and a sprinkle of carnival into an extreme-flavored cocktail fed to the public in a biggie-sized martini glass that could only be made in the playground that is Las Vegas.

There are a ton of legitimate researchers there, to be sure. There is an army of folks who represent a large part of the core of the infosec hacker world brain trust. They will be consistently demonstrating their points throughout the events of BlackHat and Defcon. You can tell them apart from the crowd and scene mongers by the rational approaches they take. You can find them throughout the year, presenting, writing, coding and educating the world on information security, risk and other relevant topics. Extending from them, you can also find all of the extremes that such events attract. These are the “hackers” with green hair, destroying casino equipment, throwing dye and shampoo into the fountains, breaking glass in the pool and otherwise acting as if they have never been outside of the jungle before. These are the ones that the journalists LOVE to talk about: extreme views within the community, the irrational party goer who offers a single tech tidbit along with a smorgasbord of rhetoric. These interviews spin up the hype cycle. These interviews sell subscriptions, papers and advertising. Sadly, they also represent a tiny percentage of the truth and value of the gatherings in Vegas.
 
Over the next week or so, you’ll see many stories aimed at telling you how weak the security is on everything from hotel door locks to the power grid. The press will spin up a bunch of hype about the latest hacks, zero day exploits and other fearsome “cyber stuff”. Then, when the conference is over and the journalists and circus leave Las Vegas, everyone will come back and have to continue to make the same rational, risk based decisions about what to do about this issue and that issue. 
 
I mention this not to disparage the events in Vegas or the participants. I think the world of them and call many my personal friends and partners. However, I do want to prep folks for the press cycle ahead. Take the over-the-top stories and breathless zero-day announcements in the coming weeks with a grain of salt. Treat the tales of drunken hackers menacing Vegas hotels, changing signs and doing social engineering attacks in front of audiences as human interest stories. They are good for amusement and awareness, maybe even for piquing the interest of line management folks to get a first-hand view, but they are NOT really useful as a lens for viewing your organization’s risk or the steps you should be taking to protect your data. Instead, stick to the basics. Do them well. Stay aware, but rational, when the hype cycle spins up and hacks of all sorts are on the front page of papers and running as headlines at the bottom of TV news channels. Rational responses and analysis are your best defense against whatever comes out of the hacker gathering in the desert, or wherever they happen to meet up in the future.
 
Until next time, stay safe out there, and if you happen to be in Vegas, stay hydrated. The desert winds are like a furnace and they will bake you in no time!

3 Things Security Vendors Wished CIOs Knew

Brent Huston, CEO and Founder of MicroSolved, answered a few questions regarding CIOs and information security. If Brent could speak to a room full of CIOs, these are a few things he’d share:

1)  CIOs are often unaware of what assets their organization has and how they are protected.

One problem we continually run into is that the CIO folks know what assets they have, what’s critical and what isn’t. Often, they don’t have a good feel for the lifecycle of that critical data. Knowing what they have and how they currently protect it is a huge step forward for a CIO.

Does that have to be the ability to whip out a map? In a perfect world, yes. It just means the CIO needs to be able to reiterate that to the vendor, particularly when we’re talking about nuanced protection. And if we’re talking about penetration testing, why not consider this: instead of talking about penetration testing the whole environment, let’s test the stuff that matters. CIOs need to effectively and clearly communicate where that stuff that matters is. The systems it interacts with and what controls are in place today are what we need to focus on for testing, or leverage them to do detection.

2)  A lot of CIOs don’t have any idea of what their real threat profile looks like.

When you talk to a CIO about the threat, their image of a threat is either script kiddies sitting in the basement of their mom’s house, or they’re so deeply entrenched in the cyber-crime thing that they think of it as credit card theft. They haven’t reached the level where they have any measurement or understanding of the different levels of threats that are focused on them — and how their responses would vary. The problem is they then treat all threats as the same. 

You expend the resources at a continual burn rate, so you’re probably using more resources than what you need, and then, when something really bad happens (because they’re used to treating it like a minor thing), they don’t feel like they need to pay attention. I’d love to see a CIO grow their attention to the threat profile and be able to communicate that upwards and to us as a vendor. 

3)  Some CIOs don’t understand the organization’s appetite for risk.

This is probably the hardest one. I love to meet with CIOs who already know their organization’s appetite for risk. It seems like many organizations, even those who should be far enough along and mature enough to understand an appetite for risk (I’m talking about critical infrastructures, here), don’t understand it. They have no way to quantify or qualify risk and decide what is acceptable and what isn’t. There may be complex policies in place and there are exceptions, but many CIOs don’t have a clear “line in the sand” to help them determine what to respond to.

These kinds of initiatives are growing, but that’s one of those things that separates a mature, security-focused organization, and a risk-focused organization, from folks who haven’t moved into more of a risk and threat management interface. Many folks are still managing at a vulnerability layer, i.e. “If X vendor releases a Y patch, and I need the Z team to apply it, then I’ll do it.” They think that’s the extent of their security effort.


To consider your security posture, why not take a look at our “80/20 Rule for Information Security” page? Did you know that 80% of an organization’s real information security comes from only 20% of the assets and effort put into the program? These 13 security projects will give your organization the most effective information security coverage for the least expenditure of time and resources.

Contact us if you have questions! We’ve seen how these projects have helped our clients and would love to help you!

“Ask the Information Security Experts” Series

We’re starting a new series: “Ask the Security Experts.” We’ll pose an information security question and our panel of experts will do their best to answer.


Our panel:

  • Adam Hostetler, Network Engineer, Security Analyst
  • Phil Grimes, Security Analyst

Our question:

There’s been a lot of attention lately about the leaking of passwords from sites like LinkedIn, Yahoo, Match.com, last.fm and others. What is the ONE THING that users of a site should do when these kinds of leaks happen? Each of you has such a wide variety of skills and focus, so what would you tell your Mom to do if she asked about this?

Adam: 
Figure out which sites you are using the same password on. Go to these sites and change them, use a unique password for each site. Keep these passwords in a password vault, such as KeePass or LastPass, with a strong master password.

Phil: 
Well, since NONE of our users should be reusing passwords, they should use their password vault tool to generate a new, strong password for the site(s) in question, change the password in their password manager, then change the password in the site itself. Also, take advantage of the password aging features of the password vault to remind you to change passwords on a regular basis. But changing the password of the affected site is the most critical thing, closely followed by NOT reusing passwords on multiple sites. 

There you have it! The bad guys will always try to find ways to cause trouble. Don’t make it easy for them. Use the tools mentioned and keep your data safe!

Smart Grid Security is Getting Better – But Still Has Ways to Improve

Our testing lab has spent quite a bit of time over the last several years testing smart grid devices. We are very happy to say that we are seeing strong improvement in the general security controls in this space.

Many of the newer smart grid systems we are testing have implemented good basic controls to prevent many of the attacks we used to see in these devices in the early days of the smart grid movement. Today, for example, most of the devices we test have implemented at least basic controls for firmware update signing, which was almost unheard of when we first started testing these systems years ago.

Other improvements in the smart grid systems are also easily identifiable. Cryptographic protocols and hardened system configurations are two more controls that have become pretty well standard in the space. The days of seeing silly plain-text protocols between the field devices, or between the field deployments and the upstream control systems, are pretty well gone (there are still SOME, albeit fewer, exceptions…).
 
ZigBee and communications from customer premise equipment to the smart grid utility systems are getting somewhat better (still little crypto and a lot of crappy bounds checking), but still have a ways to go. Much of this won’t get fixed until the various protocols are revised and upgraded, but some of the easy, low-hanging vulnerability fruit IS starting to get cleaned up, and as CPU capability increases on customer devices, we are starting to see more folks using SSL overlays and other forms of basic crypto at the application layer. All of this is pretty much a good thing.
 
There are still some strong areas for improvement in the smart grid space. We still have more than a few battles to fight over encryption versus encoding, modern development security, JTAG protection, input validation and the usual application security shortcomings that the web and other platforms for app development are still struggling with.
 
Default passwords, crypto keys and configurations still abound. Threat modeling needs to be done in deeper detail and the threat metrics need to be better socialized among the relevant stakeholders. There is still a plethora of policy/process/procedure development to be done. We need better standards, reporting mechanisms, alerting capabilities and analysis of single points of failure, plus contingency planning, and a wide variety of devices and applications still need to be thoroughly tested in a security lab. In fact, so many new applications, systems and devices are coming into the smart grid market space that there is a backlog of stuff to test. That work needs to be done to harden these devices while their footprint is still small enough to manage, mitigate and mature.
 
The good news is that things are getting better in the smart grid security world. Changes are coming through the pipeline of government regulation. Standards are being built. Vendors are doing the hard, gut check work of having devices tested and vulnerabilities mitigated or minimized. All of this culminates in one of the primary goals of MicroSolved for the last two decades – to make the world and the Internet safer for all of you.
 
As always, thanks for reading and stay safe out there!

3 Ways to Minimize Reputational Risk With Social Media

You have employees who are addicted to social media, updating their status, sharing everything from discovering a helpful business link to where they went for lunch. However, they also may be broadcasting information not intended for public consumption.

One of the most difficult tasks for an organization is conveying the importance of discretion for employees who use social media. Not only are organizations at risk from having their networks attacked, but they must protect their reputation and proprietary ideas. What makes these two areas difficult to protect is their mobile nature. Ideas are invisible and have a habit of popping into conversations – and not always with the people who should be hearing them. They can get lost or stolen without anyone knowing they’re even gone. Suddenly, you find your competitor releasing a great product to your market that you thought was yours alone.

If you want to decrease reputational risk, you have a few options. Initiate some guidelines for employees. Send friendly reminders from newsworthy “social-media-gone-bad” stories. The more employees know where an organization stands in regard to safe social media use, the more they can be smart about using it. Here are three basic rules to help them interact safely:

1. Don’t announce interviews, raises, new jobs, or new projects.

Talking about any of these sensitive topics on social networking sites can be damaging. If an employee suddenly announces to the world that they’re working on a new project with XYZ Company, there’s a good chance the news will be seen by a competitor. You may see them in the waiting room of your client on your next visit. One caveat: If you’re hiring, it’s a good thing. Your organization will be seen as successful and growing. However, those types of updates are usually best left to the HR department.

2. Don’t badmouth current or previous employers.

It’s good to remember what mom used to say, “If you don’t have anything positive to say, then say nothing at all.” The Internet never forgets. When an employee rants about either their past employer, or worse – their current one, it can poison a customer’s view of the organization. Nothing can kill the possibility of a new sale faster than hearing an employee broadcast sour grapes. If this is a common occurrence, it can give the image of a badly managed company. This isn’t the message to send to either customers or future employees.

3. Stay professional. Represent the organization’s values well.

Employees are often tempted to mix their personal and work information together when using social media. Although many times such information can be benign, you don’t want to hear about an employee’s wild night at the local strip club. There are mixed opinions among experts on whether an employee should establish a personal account, separate from their work life.

Emphasize your organization’s values and mission. Ask employees to TBP (Think Before Posting). Social media can be a good experience as long as it’s done responsibly. With some timely reminders, reputational risk will be drastically reduced.

Malware Alert: Will You Lose Your Internet Access On Monday?

We’re always keeping our eyes and ears open when it comes to malware. If you’ve not heard of this report before now, it would be good to check your computer to see if it has been infected with a nasty piece of malware whose creators were finally caught and shut down by the FBI late in 2011.

From AllThingsD:

Next week, the Internet connections of about a quarter-million people will stop working because years ago their computers became infected with malware.

The malware is called DNSChanger, and it was the centerpiece of an Internet crime spree that came to an end last November when the FBI arrested and charged seven Eastern European men with 27 counts of wire fraud and other computer crimes. At one point, the DNSChanger malware had hijacked the Internet traffic of about a half-million PCs around the world by redirecting the victims’ Web browsers to Web sites owned by the criminals. They then cashed in on ads on those sites and racked up $14 million from the scheme. When the crackdown came, it was hailed as one of the biggest computer crime busts in history.

Complete Article

The listed site for checking if you have the malware is (not surprisingly) getting slammed. Try to refresh the address a few times and it will show you if your system is infected or not, plus it will give you a link for how to fix your system.

Here’s to seeing “green” for everyone!

Got Disaster Recovery?

As the recent heavy storms in the Midwest have brought to my attention in a personal way — even the best laid plans can have weaknesses. In my case, it was an inconvenience, but a good lesson.

I got a reminder about cascading failures in complex systems via the AT&T data network collapse (thanks to a crushed datacenter), as well as a frontline wake-up call about the importance of calculating generator gasoline supplies properly. 

So, while you read this, I am probably out adding 30 gallons to my reserve. Plus, working on a “lessons learned” document with my family to more easily remember the things we continually have to re-invent every time there is a power outage of any duration. 

I share with you these personal lessons for a couple of reasons. First, I hope you’ll take a few moments and update/review your own personal home plans for emergencies. I hope you’ll never need them, but knowing how to handle the basics is a good thing. Then move on to how you’ll manage trivialities of personal comfort like bandwidth, coffee & beer. 🙂

Lastly, I hope you take time to review your company’s DR/BC plans as well. Now might be a good time to do exactly what I hope AT&T, Amazon, Netflix, Instagram, etc. are doing and get those plans back in line, with attention to the idea that failures can, and often do, cascade. This wasn’t an earthquake, tsunami or hurricane (though we did have 80+ mph winds) – it was a thunderstorm. Albeit a big thunderstorm, but a thunderstorm nonetheless. We can do better. We should expect better. I hope we all will get better at such planning.

As always, thanks for reading and until next time, stay safe out there.

PS – The outpouring of personal kindness and support from friends, acquaintances and family members has been amazing. Thank you so much to all of the wonderful folks who offered to help. You are all spectacular! Thank you!

Audio Blog Post: Defensive Fuzzing and MSI’s Patent

What goes into getting a patent? The answer would be: a lot of work! Brent Huston, CEO and Founder of MicroSolved, Inc., talks with Chris Lay, Account Executive, about MSI’s first patent for HoneyPoint’s defensive fuzzing capability. In this audio blog post, you’ll learn:

  • What is the patent about?
  • What is defensive fuzzing?
  • What went into the patent process?

Grab a drink and take a listen. As always, let us know what you think!

Click here to listen.

And don’t forget, you can follow Brent Huston on Twitter at @lbhuston and Chris Lay at @getinfosechere!