About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

Network Segmentation: A Best Practice We Should All be Using

It would be nice to be able to say that we are winning the war; that network security efforts are slowly getting the better of the bad guys. But I can't do that. Despite all the money being thrown at security tools and hosted services, the cyber-thugs are improving their game at a faster rate than we are. The ten worst known cyber security breaches of this century have all taken place since 2008, and 2013 and 2014 are notorious for their information security incidents.

I think there are a multitude of reasons for this state of affairs to exist. One is confusion, indecisiveness and slow reaction times among regulatory bodies and standards providers. Another is the "check the box" compliance mentality that exists both in government agencies and in the private sector. A third is simply the insane rate of innovation in the information technology realm. There are many more. But despite the reasons, one thing is clear: we have to stop rigidly complying with baseline standards and move into the more flexible and effective world of best practices. And today the best practice I want to touch on is network segmentation.

In our business we see a lot of computer networks that are just flat. There is little or no network segmentation and anyone on the inside can pretty much see everything. I can't begin to tell you how easy this kind of setup makes it for us during penetration testing: success is virtually assured! And it's amazing how even just basic network segmentation can slow us down or stop us altogether.

A good reason to start with network segmentation is that you can go at it in easy stages. Maybe you can begin by segmenting off a separate development or test network. Those are pretty basic and can give your networking team some valuable experience for more difficult efforts to come. Then you can ensure that user space is separated from server space. Doing just that much can have an amazing effect – it really helps to thwart successful cyber-attacks.

As the team gains confidence in their abilities, they can move on to the next step: real enclaving of the network. This is anything but a trivial effort, and it requires detailed knowledge of the various functions of the different business departments and how information moves into and out of each one of them (a task made very much easier if the company has a good business continuity program and business impact analysis in place). But in the long run these efforts will be well worth the trouble. It is very difficult indeed to gain access to or exfiltrate information from a well-enclaved network, especially from the Internet.
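The staged segmentation described above can be checked against what the network is actually carrying. The script below is an added example, not MicroSolved's code: it models dev/test, user space and server space as address ranges with an allow-list between them, then flags flows a segmented network should not permit. All ranges, ports and flow records are constructed assumptions.

```python
"""Segmentation policy audit over constructed flow records.

Added example, not MicroSolved's code. Every range, port and record
below is a constructed assumption, not data from the post.
"""
import ipaddress

# Constructed segment layout (assumption).
SEGMENTS = {
    "users":   ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "devtest": ipaddress.ip_network("10.30.0.0/16"),
}

# (source segment, destination segment) -> destination TCP ports allowed.
# Pairs not listed are denied. Flows that stay inside one segment are allowed
# here, which is exactly the residual risk that finer enclaving later addresses.
POLICY = {
    ("users", "servers"): {80, 443, 445},   # web and file services only
}


def segment_of(ip: str) -> str:
    """Name the segment an address belongs to, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def check_flow(src: str, dst: str, port: int) -> str:
    """Return 'allow', 'deny' or 'unknown' for one src -> dst:port flow."""
    s, d = segment_of(src), segment_of(dst)
    if "unknown" in (s, d):
        return "unknown"        # off-map address: worth a look, never auto-allowed
    if s == d:
        return "allow"          # intra-segment traffic is not policed here
    return "allow" if port in POLICY.get((s, d), set()) else "deny"


def parse_flow(line: str):
    """Parse the constructed record format: '<ts> <src> -> <dst> tcp/<port>'."""
    ts, src, _arrow, dst, proto_port = line.split()
    proto, port = proto_port.split("/")
    return ts, src, dst, proto, int(port)


def audit(lines):
    """Return (timestamp, src_segment, dst_segment, port, verdict) for each
    flow that a segmented network should not have allowed."""
    findings = []
    for line in lines:
        ts, src, dst, _proto, port = parse_flow(line)
        verdict = check_flow(src, dst, port)
        if verdict != "allow":
            findings.append((ts, segment_of(src), segment_of(dst), port, verdict))
    return findings


# Constructed sample flows (assumption): what a flow collector might show.
SAMPLE_FLOWS = [
    "2014-12-18T10:01:02 10.10.4.7 -> 10.20.1.5 tcp/445",    # user to file share: ok
    "2014-12-18T10:01:09 10.10.4.7 -> 10.20.1.5 tcp/3389",   # user to RDP: deny
    "2014-12-18T10:02:15 10.10.4.7 -> 10.10.9.2 tcp/445",    # user to user: not policed
    "2014-12-18T10:03:40 10.30.2.2 -> 10.20.1.5 tcp/22",     # dev/test to prod: deny
    "2014-12-18T10:04:01 10.20.1.5 -> 10.10.4.7 tcp/445",    # server to users: deny
    "2014-12-18T10:05:55 192.0.2.9 -> 10.20.1.5 tcp/443",    # off-map source: unknown
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding)
```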

This blog post by John Davis.


How to Avoid Getting Phished

It’s much easier for an attacker to “hack a human” than “hack a machine”.  This is why complicated attacks against organizations often begin with the end user.  Although e-mails with malicious links or attachments are often dismissed and referred to as “spam”, these messages are often the beginning of a sophisticated hack against a company.  Unfortunately there is no “silver bullet” that can prevent these attacks from taking place.
 
I recently had the opportunity to give a presentation during one of our client’s all-staff meeting.  Despite the fact that our client’s company resides in a relatively niche market, I was able to discuss several data breaches that took place in their industry within the last year.  Not only did the hacks all take place recently, they were all the direct result of actions taken by an end-user.  A majority of these attacks were caused by an employee opening a malicious e-mail.  I gave our customer the following advice to help them avoid becoming a victim of Phishing e-mails and felt that it was worth sharing on StateOfSecurity.com.
 
Verify link URL:  If the e-mail you received contains a link, does the website URL match up with the content of the message?  For example, if the e-mail indicates you are about to visit a website for FedEx, is the address actually FedEx.com?  A common tactic used by attackers is to direct a user to a similar URL or IP address.  An example of this would be to direct the user to FedEx111.com or FedEx.SE as opposed to the organization’s actual URL.
 
Verify e-mail address of sender: If the e-mail message you received came from a friend, colleague or vendor, did it actually come from their e-mail address?  It’s worthwhile to take a few extra seconds to ensure that the e-mail actually came from the aforementioned colleague, friend or vendor.  Also, avoid opening e-mails from generic senders such as “Systems Administrator” or “IT Department”.
 
Exercise caution from messages sent by unknown senders: Be cautious if a message comes from an unknown sender.  Would you provide your checking account number or password to a random person that you saw on the street?  If not, then don’t provide confidential information to unknown senders.
 
Follow up with a phone call: In the event you receive a message requesting that you validate information or need to reset your password, take some time to follow up with the sender with a phone call.  Trust me, your IT department will be happy to spend a few seconds confirming or denying your request as opposed to dealing with a malware infection.  Also, if your “bank” sends any type of e-mail correspondence requesting that you perform some sort of action, it’s worthwhile to give them a call to confirm their intentions.  Always be sure to use a number that you found from another source outside of the e-mail.

Spot check for spelling/grammar errors: It is extremely common that malicious e-mails contain some sort of spelling mistake or grammatical error.  Spelling mistakes or grammatical errors are great indicators that you have received a malicious e-mail.
 
Do not open random attachments: If your e-mail message meets any of the above criteria, DO NOT open the attachment to investigate further.  Typically these attachments or links are the actual mechanism for delivering malware to your machine.
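The "verify link URL" and "verify sender address" checks above can be written down as code, which is useful for training material or for a quick triage tool. This is an added example, not MicroSolved's code: it classifies a link's real host, or the address behind a From: display name, against the brand domain the message claims. The suffix list, URLs and addresses are constructed for illustration.

```python
"""Link and sender checks from the phishing advice above.

Added example, not MicroSolved's code. The suffix list and all sample
URLs and addresses are constructed for illustration.
"""
import ipaddress
from email.utils import parseaddr
from urllib.parse import urlsplit

# Tiny constructed stand-in for a public-suffix list (assumption).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to the part someone actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_domain(host: str, expected: str) -> str:
    """Compare a hostname with the domain the message claims to come from."""
    host, expected = host.lower(), expected.lower()
    try:
        ipaddress.ip_address(host)
        return "raw-ip"                      # a brand does not link to a bare IP
    except ValueError:
        pass
    actual = registrable_domain(host)
    if actual == expected:
        return "match"
    brand = expected.split(".")[0]
    label = actual.split(".")[0]
    if label == brand:
        return "lookalike-tld"               # fedex.se instead of fedex.com
    if brand in label:
        return "lookalike-label"             # fedex111.com, fedex-tracking.com
    if expected in host:
        return "lookalike-subdomain"         # fedex.com.example.net
    return "unrelated"


def classify_link(url: str, expected: str) -> str:
    """Classify the host a link really points at (the 'verify link URL' step)."""
    parts = urlsplit(url)
    if parts.username:                       # http://fedex.com@evil.example/
        return "credentials-in-url"
    return classify_domain(parts.hostname or "", expected)


def classify_sender(header: str, expected: str) -> str:
    """Classify the address behind a From: display name (the 'verify sender' step)."""
    _name, addr = parseaddr(header)
    if "@" not in addr:
        return "no-address"                  # e.g. a bare "Systems Administrator"
    return classify_domain(addr.rpartition("@")[2], expected)


if __name__ == "__main__":
    for url in ("https://www.fedex.com/track", "http://FedEx111.com/track",
                "http://fedex.se/", "http://fedex.com.example.net/login"):
        print(url, "->", classify_link(url, "fedex.com"))
```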
 
This blog post by Adam Luck.

Young IT Professionals, Cybercrime, Script Kiddies & CyberWarriors, OH MY!

Recently I came across a couple of articles that both centered on the potential roles that young people entering into the IT Security field may face. Some of them, for example, may be lured away from legitimate IT security jobs and into the world of cybercrime. Others may follow the entrepreneurial role and fight cybercrime alongside myself and other professionals.

I suppose such dichotomies have existed in other professions for quite some time. Chemists could enter the commercial or academic world or become underground drug cartel members, à la Breaking Bad. Accountants could build CPA tax practices or help bad guys launder money. Doctors could work in emergency rooms or perform illegal operations to help warlords recover from battle. I suppose it is an age-old balancing act.

I am reminded of Gladwell’s Outliers though, in that we are experiencing a certain time window when IT security skills are valuable to both good and bad efforts, and a war for talent may well be raging just beyond the common boundary of society. Gladwell’s position that someone like Steve Jobs or Bill Gates could only emerge within a specific timeline of conditions seems to apply here. Have we seen our IT security Bill Gates yet? Maybe, maybe not…

It is certainly an interesting and pivotal time isn’t it? These articles further solidified my resolve to close a set of podcast interviews that I have been working on. In the next couple of months I will be posting podcast interviews with teams of IT and Infosec leaders to discuss their advice to young people just entering our profession. I hope you will join me for them. More importantly, I hope you will help me by sharing them with young people you know who are considering IT security as a career. Together, maybe we can help keep more of the talent on the non-criminal side. Maybe… I can always hope, can’t I? 🙂

Until next time, thanks for reading, and stay safe out there! If you have questions or insights about advice for young security professionals, hit me up on Twitter (@lbhuston). I’ll add them to the questions for the podcast guests or do some email interviews if there is enough interest from the community.

Spike in HITME NTP Probes Following Recent Exploits

For those of you that are unfamiliar with the HITME project, it is a set of deployed HoneyPoints that gather real-world, real-time attacker data from around the world. The sensors gather attack sources, frequency, targeting information, vulnerability patterns, exploits, malware and other crucial event data for the technical team at MSI to analyze. We frequently feed these attack signatures into our vulnerability management service to ensure that our customers are tested against the most current forms of attacks being used on the Internet.
 
On a monthly basis, we have been taking a step back and looking at our HITME data from a bird’s eye view to find common attack patterns.  Throughout December, we observed a significant increase in attacks against Port 123 (NTP).  This is due to the recent discovery of a vulnerability within NTP.
 
A majority of the attacks we observed against Port 123 appeared to originate out of the United States of America, Germany, Switzerland, Russia, and China. 
 
This vulnerability should be addressed as soon as possible as exploits are publicly available.  All NTP Version 4 releases prior to Version 4.2.8 are vulnerable and need to be updated to Version 4.2.8.  Do not hesitate to contact us at info@microsolved.com if you require any assistance in responding to this vulnerability.

This blog post by Adam Luck.

Benefits of using TigerTrax to Monitor Your Industry

Have you ever wanted to know what is being said in regards to your business or product line on social media? How about getting the scoop on a company prior to your big merger or acquisition? Perhaps you have a need for continual code of conduct monitoring for your business or franchise. These are but a few of the things that we at MicroSolved, Inc. can provide for you and your company! MicroSolved has a whole host of proprietary software, including TigerTrax, that will give your company an edge over your competition!

With our TigerTrax platform we can help provide you with a competitive advantage by receiving actionable intelligence about your product line from the social media hemisphere. Imagine scouring the entire population of Twitter, which boasts some 645 million registered users with over 115 million active users monthly. That is an enormous market that you can tap into with our help. A market where you can see where you think that your product line may be heading versus what people are actually talking about in regards to your product line. Imagine being able to fine-tune your marketing campaign based on our intelligence gathering ability!

In every business there are times, whether for a short duration or a long-term one, where you may want us to provide you with code of conduct information about your employees. Perhaps their contracts clearly state what sort of things they may or may not post on social media and the internet; but also, and more importantly, you may want to know what everyone else is posting about them. We can help provide you that information. Our TigerTrax platform does in minutes what takes a roomful of employees days or weeks to do, and in a very short time you can have actionable information that may be used to help protect your company's brand!

As you can see, TigerTrax is a wonderful tool in your arsenal for providing actionable data that will enable you to adjust your marketing campaign or perform ongoing code of conduct monitoring. We can also perform threat intelligence, assess whether your intellectual property has been leaked online, and of course perform brand intelligence. As you can imagine, we are only scratching the surface of what we at MicroSolved, Inc. and the TigerTrax platform can do for you. So please, if you need any assistance for your company, feel free to contact us by sending an email to info@microsolved.com.

This post by Preston Kershner.

5 Ways My Medical Background Makes Me a Better Intelligence Analyst

When I first started for MicroSolved, Inc. (MSI), I wasn’t sure what to think, but now that I have been here for nearly three months I feel I am starting to get the hang of what it is to be an intelligence analyst. At least a little bit anyhow. Now mind you, I am not your typical intelligence analyst, nor am I a new college graduate, but rather I am coming to MSI from the health care industry with over twenty years of work experience in that industry. This was a completely different mindset, with a whole host of new things for me to experience and learn. For me this was totally refreshing and exactly what I wanted and, more importantly, needed! There are a few things that I have noticed in my short time here that could be considered pearls of wisdom rather than actual characteristics of a good employee that I feel make me a good intelligence analyst for MSI. Perhaps they are one and the same. At least that is my hope 😉

First, while I am not a seasoned IT professional like so many others that I work with, I am not naive to the fact that there are deadlines and expectations thrust upon all of us. This in my opinion is no different than being in the hospital setting, where people expect you to act quickly and in the best interests of your patient at all times. Couldn’t we say the same is true working for a company like MSI, in that it is the expectation to be professional, performing your best at all times, and the like? I would like to think that is what I strive for.

After thinking a bit longer, perhaps it is that we share a tenacity for getting to the bottom of whatever mystery we are looking at, whether it is a series of questions that we may be asking our patients in an effort to figure out what ailment they may be suffering from, or a search for a key bit of code for an algorithm to help us do our work more efficiently. Regardless, it is this mentality of never giving up! To keep fighting, keep looking, to keep trying. Just keep chipping away at it.

I think the next characteristic would have to be patience. Something that we all have often heard from our grandparents growing up as children. Something that in my mind and in my experience has played a provocative role in both my dealings with patients, their families and with challenging projects in the IT world. Now while, as I previously stated in the above paragraph, tenacity plays a role, I also think having a measure of patience does too. There are times in the medical world where even the most experienced physician stands there for a moment and scratches his or her head and says “I don’t know”. Now to a patient that is the last thing that they want to hear, but sometimes we truly have to “wait and see”. Sometimes grandma was right! There have been times while working on projects with MSI where sitting back, even if it’s just a few moments, allowed me to gain a better “bird’s eye view” of a given project and really helped me figure out what it was that I was looking for and ultimately aided the project.

Another area that I think gives me an edge would be that I am willing to go the extra mile and I am not afraid to work hard to attain my goals. It isn’t enough to just punch a clock or be mediocre! I have told this to my children, my patients and my friends. Never give up, always work your butt off for what you want in life! It may take time for what you want to come to fruition, but if you’re willing to put the time, energy and effort into it, then it will come!  It takes sacrifice to get to your goals. Others will recognize your efforts and aid you in your path. That’s what I feel MSI has done and is continuing to do for me!

Lastly, laugh! I have not laughed so hard in any of my previous work experiences as compared to working for MSI these past few months. Don’t get me wrong, there were plenty of wonderful times, but here at MSI it is a whole new animal! Yes, we work hard, but I think having a healthy sense of humor and a desire to see others laugh is what really sets MSI apart. If you are down, they help pick you up! So often we spend our work lives with people that aren’t our family for hours on end. Shouldn’t we have some fun while we work? If you are lucky enough, you do. Then, by choice, those people that aren’t your family start to become them and find a place in your heart. Then your work doesn’t seem like work anymore.

Yes, it’s true that I am new to the world of information technology as a career choice, but that doesn’t mean that I don’t have some very real life experiences to draw upon. Remember, it is a combination of work ethic, tenacity, patience, a sense of humor and ultimately a willingness to never give up. These are the things that will make you successful, not only in your career path, but in life as well. These are my little pearls of wisdom, just a few tidbits of information to help you get to where you want to be in life. Who knows, it might even be right here at MSI.

This post by Preston Kershner.

Heads Up, ICS & SCADA Folks, Especially!

Remotely exploitable vulnerabilities have been identified & published in NTP (network time protocol). This is often a CRITICAL protocol/instance for ICS environments and can be widely located in many control networks. 

The fix currently appears to be an upgrade to 4.2.8 or later.

This should be considered a HIGH PRIORITY for critical infrastructure networks. Exploits are expected as this is an unauthenticated remotely triggered buffer overflow, which should be easily implemented into existing exploit kits.

Please let us know if we can assist you in any way. Stay safe out there! 

Update: 12/19/14 2pm Eastern – According to this article, exploits are now publicly available.
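Both NTP posts above (the HITME Port 123 spike and this heads-up) give the same remediation: NTP version 4 releases before 4.2.8 need upgrading. The script below is an added example, not MicroSolved's code: it parses the version string that `ntpd --version` or `ntpq -c rv` prints and compares it with that threshold, treating the `pN` patch level correctly so that 4.2.7p400 still counts as older than 4.2.8. The banners are constructed samples, not output captured by MSI.

```python
"""Flag ntpd builds older than 4.2.8 from their version banner.

Added example, not MicroSolved's code. The banners below are constructed
samples, not output captured by MSI.
"""
import re

FIXED_IN = (4, 2, 8, 0)

# ntpd prints e.g. "ntpd 4.2.6p5@1.2349-o ..."; the optional pN is the patch level.
_VERSION_RE = re.compile(r"ntpd\s+(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_ntp_version(banner: str):
    """Return (major, minor, point, patch) from a banner, or None if absent."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, point, patch = m.groups()
    return (int(major), int(minor), int(point), int(patch or 0))


def format_version(version) -> str:
    """Render the tuple the way ntpd prints it (no p0 suffix for a plain release)."""
    base = "%d.%d.%d" % version[:3]
    return base + ("p%d" % version[3] if version[3] else "")


def needs_upgrade(version) -> bool:
    """True for any 4.x build below 4.2.8; tuple order handles 4.2.7p400 < 4.2.8."""
    return version is not None and version[0] == 4 and version < FIXED_IN


def assess(banner: str) -> dict:
    """Summarise one host's banner for a remediation tracking sheet."""
    version = parse_ntp_version(banner)
    return {
        "version": None if version is None else format_version(version),
        "needs_upgrade": needs_upgrade(version),
    }


# Constructed sample banners (assumption), mapped to the expected verdict.
SAMPLE_BANNERS = {
    "ntpd 4.2.6p5@1.2349-o Mon Jan 1 00:00:00 UTC 2014 (1)": True,
    'version="ntpd 4.2.8@1.3265-o Mon Jan 1 00:00:00 UTC 2014 (1)"': False,
    "ntpd 4.2.8p1@1.3265-o": False,
    "ntpd 4.2.7p400@1.2483-o": True,
    "no time daemon banner here": False,
}

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(assess(banner))
```

A distribution may backport the fix without changing the banner, so treat a `needs_upgrade` hit as a prompt to check the vendor advisory for that package, not as proof on its own.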

My Thoughts of Raising Teenagers While Protecting Their Online Privacy

As a parent who has teenagers, it can be a somewhat complicated and mortifying world when it comes to trying to allow a teenager a small level of personal “freedom” of expression and allowing them to be curious and discover new things, while also satisfying the need to protect their online privacy from those who may do them harm. In this blog segment we will discuss some of my thoughts on what we as parents can do to aid our child in this ever-evolving world that is the internet.

To start off with, I suppose we need to first look at the child’s age, and I’m not speaking of their numeric age, but rather their level of maturity. And so when my wife and I decide what applications (apps) our children may download, it depends heavily on the content of the application, but also on the child’s maturity level. Who would want a scary game or a very provocative application to be seen or played by a minor, especially if it is something that you fundamentally don’t agree with as a parent? Let alone a game or app with overtones of sexuality that is going to be played by your teenager for hours on end. Now I am not saying that they don’t hear it and see it in the world that we live in, I am not naive, but why put it on a silver platter and feed it to them? Those things can wait a bit longer, especially if we are talking about the difference between a thirteen-year-old and a seventeen-year-old. True, it is only four years, but developmentally and cognitively there are vast differences between them, particularly in their ability to make intelligent decisions, as I am sure many of you would agree!

So let’s start with the basics: remember that you are the parent, and a good dose of common sense goes a long way. With that, we all need to be able to reach our children, and so perhaps you want to be able to track where your child is and, more importantly, confirm they are where they say they are. Have no fear, there are apps for that, and most if not all smartphones have GPS built right in. Apps like Find My iPhone and Find My Friends can be quite helpful. Perhaps you want to limit the amount of time that a child spends online or limit the sites that they can have access to; there are apps for that too. Apps such as Screentime and DinnerTime Parental Control offer you the ability to not only limit their screen time, but also limit how much they are texting and playing games, all in an effort to help them refocus on working on homework, chores or spending quality time with the family. Some parents may elect to take it a step further and want to track who their child is communicating with, read emails, and see all the pictures that are sent, received and, perhaps more importantly, deleted. Well, they can do so with an app called Teensafe. I know this one sounds a bit like Big Brother, but if your child is being bullied, abused, or dating without your knowledge, some parents want the ability to intervene more quickly, especially if the child isn’t as forthcoming as the parent feels they should be.

Next comes the security of the websites and the apps themselves. I think we as parents have a responsibility to protect our children, and that responsibility should include a healthy dose of cynicism. To that end, make sure you go through each setting on an app or website that you load, or your child loads, onto their device(s), making sure that you turn on or off the security settings that you feel are appropriate for your child. Let’s say we allow our child to use a social media website or app; we certainly wouldn’t want a thirteen-year-old exposed to the entire world, when all they want to do is connect with their friends. This would potentially expose them to threats that you may not recognize as a threat until it was too late. So let’s go through those settings and turn off some of those features and lock it down to a level where you as a parent are comfortable. It may seem like just a simple click of a button, but believe me, it is a very important step in ensuring your child’s online safety.

Finally, remember that you may not want to give your child the ability to download or change the settings of their devices, so keeping a log of all of their passwords, perhaps in a password vault such as 1Password, would be in order. You would do this for two reasons: one, to make sure that they are using a strong password and, where possible, to also turn on two-step verification; and two, to make sure that they don’t forget the password that they just created, because a good password should be challenging, otherwise it’s pointless. Please remember you are in charge and ultimately responsible for the safety of your child both at home and online. Secure as much as you can, where you can. So let’s be safe out there!

It should be noted that some of the apps mentioned above are free and some are open source and some are at a cost to the consumer. It is up to you to research these applications and see what best fits your security needs. 

In no way do we endorse the applications that were presented in this article we are simply stating that they may be an option for you to consider for your device. Your particular security needs for your device are up to you to decide. Be safe out there.

This post by Preston Kershner.

Daily Log Monitoring and Increased Third Party Security Responsibilities: Here They Come!

For years now we at MSI have extolled the security benefits of daily log monitoring and reciprocal security practices between primary and third party entities present on computer networks. It is constantly being proven true that security incidents could be prevented, or at least quickly detected, if system logs were properly monitored and interpreted. It is also true that many serious information security incidents are the result of cyber criminals compromising third party service provider systems to gain indirect access to private networks.

I think that most large-network CISOs are well aware of these facts. So why aren’t these common security practices right now? The problem is that implementing effective log monitoring and third party security practices is plagued with difficulties. In fact, implementation has proven to be so difficult that organizations would rather suffer the security consequences than put these security controls in place. After all, it is cheaper and easier – usually – unless you are one of the companies that get pwned! Right now, organizations are gambling that they won’t be among the unfortunate – like Target. A fool’s paradise at best!

But there are higher concerns in play here than mere money and efficiency. What really is at stake is the privacy and security of all the system users – which one way or another means each and every one of us. None of us likes to know our private financial or medical or personal information has been exposed to public scrutiny or compromise, not to mention identity theft and ruined credit ratings. And what about utilities and manufacturing concerns? Failure to implement the best security measures among power concerns, for example, can easily lead to real disasters and even loss of human life. Which all means that it behooves us to implement controls like effective monitoring and vendor security management. There is no doubt about it. Sooner or later we are going to have to bite the bullet. 

Unfortunately, private concerns are not going to change without prodding. That is where private and governmental regulatory bodies are going to come into play. They are going to have to force us to implement better information security. And it looks like one of the first steps in this process is being taken by the PCI Security Standards Council. Topics for their special interest group projects in 2015 are going to be daily log monitoring and shared security responsibilities for third party service providers.

That means that all those organizations out there that foster the use of or process credit cards are going to see new requirements in these fields in the next couple of years. Undoubtedly similar requirements for increased security measures will be seen at the governmental level as well. So why wait until the last minute? If you start now implementing not only effective monitoring and 3rd party security, but other “best practices” security measures, it will be much less painful and more cost effective for you. You will also be helping us all by coming up with new ways to practically and effectively detect security incidents through system monitoring. How about increasing the use of low-noise anomaly detectors such as honey pots? What about concentrating more on monitoring information leaving the network than what comes in? How about breaking massive networks into smaller parts that are easier to monitor and secure? What ideas can you come up with to explore?

This post written by John Davis.