About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

A Reminder About the IoT Future…

Posted on June 15, 2015 by Brent Huston

This article has been making the rounds about a researcher who has developed a tool set that can turn a Mattel toy into a “magic” garage door opener for most garage doors. The uses of opening someone else’s garage doors seem pretty obvious, so we will leave that to the reader….

But, this is an excellent moment to pause and discuss what happens when so many things in and around our lives become Internet connected, remotely managed or “smart”. Today, it seems everything from door locks, to watches and from refrigerators to toilets are getting embedded digital intelligence. That’s a lot of hackable stuff in your life.

I have been doing some research on beacon technology recently, and how they are being used to track consumer behaviors. I have been working with some clients that use TigerTrax™ to track consumer data and some of that work is simply amazing. As vendor knowledge seeps into your home and everyday life, even more impacts, privacy issues (and lets face it…) cool features will emerge. The problem with all of these things is that they are a double edged sword. Attackers can use them too. They can be manipulated, mis-used, invasive, infected and some can be outright dangerous (consider refrigerator malware….).

Once again, technology is becoming ubiquitous. It offers both benefits and some things to consider. My point here is just to consider both sides of that coin the next time you face a buying decision. The world, and you, could benefit from more privacy consideration at the point of purchase… 🙂

The Mixed Up World of Hola VPN

Posted on June 12, 2015 by Brent Huston

Have you heard about, or maybe you use, the “free” services of Hola VPN?

This is, of course, a VPN, in that it routes your traffic over a “protected” network, provides some level of privacy to users and can be used to skirt IP address focused restrictions, such as those imposed by streaming media systems and television suppliers. There are a ton of these out there, but Hola is interesting for another reason.

That other reason is that it turns the client machine into “exit nodes” for a paid service offering by the company:

In May 2015, Hola came under criticism from 8chan founder Frederick Brennan after the site was reportedly attacked by exploiting the Hola network, as confirmed by Hola founder Ofer Vilenski. After Brennan emailed the company, Hola modified its FAQ to include a notice that its users are acting as exit nodes for paid users of Hola’s sister service Luminati. “Adios, Hola!”, a website created by nine security researchers and promoted across 8chan, states: “Hola is harmful to the internet as a whole, and to its users in particular. You might know it as a free VPN or “unblocker”, but in reality it operates like a poorly secured botnet – with serious consequences.”[23]

In this case, you may be getting a whole lot more than you bargained for when you grab and use this “free” VPN client. As always, your paranoia should vary and you should carefully monitor any new software or tools you download – since they may not play nice, be what you thought, or be outright malicious.

I point this whole debacle out, just to remind you, “free” does not always mean without a cost. If you don’t see a product, you are likely THE PRODUCT… Just something to keep in mind as you wander the web…

Until next time, stay safe out there!

Artificial Intelligence – Let’s Let Our Computers Guard Our Privacy For Us!

Posted on June 9, 2015 by Brent Huston

More and more computer devices are designed to act like they are people, not machines. We as consumers demand this of them. We don’t want to have to read and type; we want our computers to talk to us and we want to talk to them. On top of that, we don’t want to have to instruct our computers in every little detail; we want them to anticipate our needs for us. Although this part doesn’t really exist yet, we would pay through the nose to have it. That’s the real driver behind the push to achieve artificial intelligence.

Think for a minute about the effect AI will have on information security and privacy. One of the reasons that computer systems are so insecure now is because nobody wants to put in the time and drudgery to fully monitor their systems. But an AI could not only monitor every miniscule input and output, it could do it 24 X 7 X 365 without getting tired. Once it detected something it could act to correct the problem itself. Not only that, a true intelligence would be able monitor trends and conditions and anticipate problems before they even had a chance to occur. Indeed, once computers have fully matured they should be able to guard themselves more completely than we ever could.

And besides privacy, think of the drudgery and consternation an AI could save you. In a future world created by a great science fiction author, Charles Sheffield, everyone had a number of “facs” protecting their time and privacy. A “facs” is a facsimile of you produced by your AI. These facs would answer the phone for you, sort your messages, schedule your appointments and perform a thousand and one other tasks that use up your time and try your patience. When they run across situations that they can’t handle, they simply bring you into the loop to make the decisions. Makes me wish this world was real and already with us. Hurry up AI! We really need you!

State of Security Podcast Episode 5 Available

Posted on May 28, 2015 by Brent Huston

This is one of my favorite episodes so far! I spend about 45 minutes with Josh Anderson, who riffs on IT and ICS/SCADA security threats, career advice, how he compares his life to characters on TV’s “24” and a whole lot more. Very relaxed, generous in time and content, this interview with one of America’s Premier ICS Security Gurus (I just gave him that title…) is fun and lively.

Special shout out to Kent King for his mentorship in this episode, as well.

Let us know what you think Twitter. Thanks for listening!

Should MAD Make its Way Into the National Cyber-Security Strategy?

Posted on May 25, 2015 by Brent Huston

Arguably, Mutually Assured Destruction (MAD) has kept us safe from nuclear holocaust for more than half a century. Although we have been on the brink of nuclear war more than once and the Doomsday clock currently has us at three minutes ‘til midnight, nobody ever seems ready to actually push the button – and there have been some shaky fingers indeed on those buttons!

Today, the Sword of Damocles hanging over our heads isn’t just the threat of nuclear annihilation; now we have to include the very real threat of cyber Armageddon. Imagine hundreds of coordinated cyber-attackers using dozens of zero-day exploits and other attack mechanisms all at once. The consequences could be staggering! GPS systems failing, power outages popping up, banking software failing, ICS systems going haywire, distributed denial of service attacks on hundreds of web sites, contradictory commands everywhere, bogus information popping up and web-based communications failures could be just a handful of the likely consequences. The populous would be hysterical!

So, keeping these factors in mind, shouldn’t we be working diligently on developing a cyber-MAD capability to protect ourselves from this very real threat vector? It has a proven track record and we already have decades of experience in running, controlling and protecting such a system. That would ease the public’s very justifiable fear of creating a Frankenstein that may be misused to destroy ourselves.

Plus think of the security implications of developing cyber-MAD. So far in America there are no national cyber-security laws, and the current security mechanisms used in the country are varied and less than effective at best. Creating cyber-war capabilities would teach us lessons we can learn no other way. To the extent we become the masters of subverting and destroying cyber-systems, we would reciprocally become the masters of protecting them. When it comes right down to it, I guess I truly believe in the old adage “the best defense is a good offense”.

Thanks to John Davis for this post.

Involved in M&A Activity? MSI has a full M&A Practice

Posted on May 21, 2015 by Brent Huston

MSI’s specialized offerings around Mergers & Acquisitions are designed to augment other business practices that are common in this phase of business. In addition to general security consulting and intelligence about a company from a “hacker’s eye view”, we also offer deeply integrated, methodology-driven processes around:

Pre-negotiation intelligence

This offering is designed to help the purchasing organization do recon on their prospect for purchase. Leveraging techniques like passive assessment, restricted individual tracing, supply chain analysis, key stakeholder profiling and history of compromise research, the potential purchasing company can get deep insights into the security posture and intellectual property integrity of the company they are considering for acquisition. All of this can be done passively and prior to a purchasing approach or offer. Insights from this service can be a useful tool in assessing approach and potential valuation.

Pre-integration assessments

Once the ink on the paperwork is dry, the organizations have to learn to live and work together. One of the most critical links, is the joining of the two IT infrastructures. In this service, our experts can perform assessments to analyze the new company’s security posture against the baseline standards of the purchasing organization. A gap analysis and road map for compliance can be provided, and if desired, MSI can serve as oversight for ensuring that the mitigations are completed as a condition for network interconnection and integration. Our team has performed these services across a variety of M&A completions, including multi-national and global Fortune 500 organizations.

Post-purchase threat intelligence

MSI can also create mechanisms post-purchase to identify and respond to potential threats from inside the newly acquired organization. Our counter-intelligence and operational security techniques can help organizations identify potential internal bad actors or disgruntled new employees that could be seeking to damage the acquirer. We have created these solutions across a myriad of verticals and are quite capable of working in international and other highly complex environments.

To learn more about these specific offerings, click on the links above. To discuss these offerings in more detail, please contact your account executive for a free consultation.

Plus, we also just added some new capabilities for asset discovery, network mapping and traffic baselining. Check this out for some amazing new ways we can help you!

Operation Hardened Buckeye

Posted on May 15, 2015 by Brent Huston

MSI is pleased to announce the immediate formation and availability of Operation Hardened Buckeye!

This special program is dedicated to assisting Ohio’s Rural Electrical Cooperatives.

MSI will set up aggregated groups of Electrical Cooperatives and perform services and offer tools to the groups en-masse at discounted rates, as if they were one large company. Essentially, this allows the co-ops to leverage group buying, while still receiving individual reports, software licenses and overall group-level intelligence & metrics.

MSI will offer a package consisting of the following:

External Vulnerability Assessment with aggregated executive level reports/metrics & individual technical detail reports
An aggregated Targeted Threat Intelligence engagement with individual notifications of critical findings and an aggregated intelligence report for the group
3 HoneyPoint Agent licenses and a console license per co-op that participates
Deep discounts to individual co-ops who desire application assessment, internal vulnerability assessments, wireless assessments or other MSI professional services (including MSI::Vigilance & ICS Network Segregation Services)
Deep discounts for ongoing assessments and targeted threat intelligence as a service

Caveats: All assessments will be performed at the same time. Co-ops must each sign onto a common MSA. Each co-op will be billed for the total of the package divided by the number of participating co-ops. Co-ops must provide accurate IP address ranges for their external assessment.

This enables the co-ops to have a security baseline of their security posture performed, including aligning their current status against that of their peers. It also allows for each of the co-ops to deploy a HoneyPoint Agent in their DMZ, business network and control network for detection capabilities. The targeted threat intelligence will provide them with an overall threat assessment, as well as identifying individual targets that have either already been attacked or are likely to provide easy/attention raising targets for future attacks.

We will be holding a webinar for those interested in participating on Thursday, May 21, 2015. You can register for this event here. You can also download the flyer about the program here.

For more information, please contact Allan Bergen via the email below or call (513) 300-0194 today!

Email: sales@microsolved.com

First Step After Breach

Posted on May 8, 2015 by Brent Huston

Discovering an information security breach can be a shock! Picture it: you are enjoying a regular work day and WHAM! Suddenly you are at the center of an incident that could possibly affect the future of the company and perhaps your own future as well. It’s easy to panic. You know if you don’t do the right thing, right now, bad things are sure to rain down on you. So, what is the very first thing that you should do?

Go immediately to your incident response plan, of course! After all, that is the reason your company has put together an IR plan and team in the first place; to plan for contingencies so that personnel don’t go off half-cocked and lose vital data and evidence.

But is your plan clear enough that regular system users or even help desk personnel know what to do first without having to thumb through a hundred pages of plan? If not, perhaps a simple little trick we use in our incident response plans will work for you.

The very first thing you see when you open one of our incident response plans are employee and incident response team Quick Response Guides (see the example of an employee guide below-the IRT guide is similar, but more complex).

I know from my military experience that having checklists such as the Quick Response Guides in place truly cuts down on mistakes and helps calm personnel during difficult situations. Why not see if they can also improve your response quality?

Chart

You can download the pocket guide here.

Thanks to John Davis for this post.

14 Talks I Would Like to Attend This Summer

Posted on May 4, 2015 by Brent Huston

Here is just a quick list, off the top of my head, of some of the topics I would like to see someone do talks about at security events this summer. If you are in need of a research topic, or something to dig into for a deep dive, give one of these a try. Who knows, maybe you will see me in the audience. If so, then feel free to sit down for a cup of coffee and a chat!

Here’s the list, in no particular order:

machine learning, analytics in infosec
detection capabilities with nuance visibility at scale
decision support from security analytics & automated systems based on situational awareness
rational controls and how to apply them to different industries
crowdsourcing of policies and processes – wiki-based approaches
internal knowledge management for security teams
tools for incident response beyond the basics
tools and processes for business continuity after a breach – show us your guide to “Ouchies!”
attacker research that is actually meaningful and that does NOT revolve around IOCs
skills and capability mapping techniques for security teams and their management
new mechanisms for log management and aggregation beyond Splunk & SEIM – how would the death star handle logs?
near-real time detection at a meaningful level – even better if admins can make decisions and take actions from their iPhone/iWatch, 😛
extrusion/exfiltration testing capabilities & metrics-focused assessment approaches for testing exfil robustness
network mapping and asset discovery techniques and tools – how would the death star map their IT networks? 🙂

Give me a shout on Twitter if you want to explore these together – @lbhuston.

State Of Security Podcast Episode 4

Posted on April 30, 2015 by Brent Huston

We are proud to announce the release of State Of Security, the podcast, Episode 4. This time around I am hosting John Davis, who riffs on policy development for modern users, crowdsourcing policy and process management, rational risk assessment and a bit of history.

Give it a listen and let us know what you think!

Thanks for supporting the podcast!

MSI :: State of Security

Insight from the Information Security Experts

Author Archives: Brent Huston