About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

Twitter Games from MicroSolved

Posted on October 15, 2014 by Brent Huston

If you haven’t followed us on Twitter (@microsolved) yet, be sure to do so. Here are a few reasons why you should look to our Twitter feed for more great content from MSI:

Ongoing curated news feeds of some of the most interesting and best information security news & event coverage
Discussions of emerging threats and significant issues around InfoSec
Pointers to free tools & resources to help your team protect your data & systems
Easy way to talk to us & engage in pro-bono Q&A sessions
AND NOW – 2 New Games a week:

Mondays will feature the “Hacker Challenge” – a weekly technically-focused fun activity or challenge (decrypt a secret, solve a puzzle, find something specific across the net, etc.)
Thursdays will feature the “Throw Back Thursday Hacker Trivia” – weekly trivia contest focused on hacker, InfoSec and technology; with occasional prizes for the winners!

So, grab an account on Twitter or follow us there, and don’t just keep up to date, but talk to us. We want to hear your thoughts, the security challenges you are facing and anything that will help us serve your information security needs. Plus, we know reading log files and patching systems can get tedious, so we will try to mix in a little fun along the way! See you there!

MSI Risk Assessments and Policy/Process Reviews

Posted on October 9, 2014 by Brent Huston

MSI still has a few engagement slots open for Enterprise or Application-focused Risk Assessments for the 4th quarter. Avoid the end of the year rush, and give Allan Bergen (513-300-0194, abergen (at) microsolved<dot>com) a call today to discuss booking risk engagements with the team before the end of the year. We have some special incentives for clients who book these engagement slots, so touch base with Allan to hear about them.

Our team has had a wonderfully successful year doing application focused risk assessments. We can tear into the policy/processes and exposures of systems like accounting, CRM, EDI processing and/or industrial control. These assessments can be performed with or without technical components such as vulnerability assessment and penetration testing.

If you would like to close the year with a close look at one of your specific systems or critical processes, give Allan and a call and arrange for a scoping discussion with our risk team. As always, thanks for reading, and we appreciate you choosing MSI as your security partner!

Book Review: Ghost in the Wires

Posted on October 7, 2014 by Brent Huston

I just finished reading Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker and I would have to say that I was impressed. There is a lot of good history and information in the book about Kevin’s exploits, his life on the run and what it was like to live on the razor’s edge of hacking.

The technical content is enough to keep a techie reading, while the story, in general is a real life thrill ride. I found the reading to be easily digestible and the tone to be spellbinding.

If you have any interest in information security, or the history of hacking, then give Ghost in the Wires a read. You won’t be disappointed!

Accepting Identity Theft

Posted on October 3, 2014 by Brent Huston

I can recall a time when I wasn’t concerned about data theft. Eventually, buzz words such as “breach” and “identity theft” became a regular part of my vocabulary. I began to wonder if I would ever be affected by a data breach. In 2003, I received a letter in the mail informing me that my personal data had been stolen. I remember asking myself, “when will this happen next?” In 2004, I once again became a victim of a data breach. Despite my young age at the time, I had already started to think of identity theft in the cynical terms of “not if but when”. It then became apparent to me that I could no longer think in terms of “if” or “when” but I should focus on “how often”.

I find it helpful to compare identity theft to personal health care. Eating the right foods, taking all the trendy vitamins and getting the recommended amount of exercise isn’t enough to guarantee perfect health. You are still susceptible to diseases that you can’t detect on your own. This is why you typically see a doctor for checkups on a regular basis. You should use the same thought process when considering the possibility of identity theft. Regardless of how much effort you put into securing your identity, your personal data will be stolen. This is why I feel strongly that we should focus on monitoring and preparing for identity theft with the same time and energy that we devote to trying to prevent it.

Just like your health care, it’s also worthwhile to take a proactive approach to handling identity theft. It’s important to have multiple methods of discovering if you are a victim of fraud. This can be as simple as checking your debit/credit card statements and using an automated solution (such as LifeLock) to monitor for irregularities in your credit report. Don’t just wait to receive a notice in the mail or find out about the latest hack on the news. It can take the companies that handle your personal data and process your credit cards months before they realize that they have been hacked. This gives the attackers ample time to take advantage of your stolen data.

It’s also worthwhile to prepare yourself for how to handle an incident when it occurs. This can be as simple as keeping a list of the contact information for all of your financial institutions so that you can notify them as soon as you detect suspicious activity. Also, a majority of the aforementioned credit monitoring solutions include assistance services in the event that a criminal begins using your identity. Be sure to take advantage of these resources as these organizations have the necessary institutional knowledge to help assist you.

In short, continue doing what you can to prevent your identity from being stolen. Simple things like setting complex passwords and avoiding the reuse of your passwords between different services can go a long way to prevent you from becoming a victim of identity theft. However, the next time you’re configuring a lengthy password, be sure to ask yourself “Am I prepared for identity theft?”

This article courtesy of Adam Luck – @adamjluck.

Shellshock: Got Inventory?

Posted on October 1, 2014 by Brent Huston

I’m sure you’ve all heard of Shellshock by now? If not, it’s a security flaw in Bash that allows attackers to take control of systems. Bash is really an acronym/pun meaning “Bourne-again shell” that was written as a free software replacement for the Bourne shell that preceded it. It is a UNIX shell that acts as a command processor and also reads commands from scripts. The problem is that Bash is present in all kinds of things including Web servers and operating systems. This is a very serious flaw! Worse than any other code vulnerability I can name off hand. There are several serious exploits already extant in the wild. Hundreds of millions of devices and credit cards are at immediate risk of compromise across the globe. Institutions are strongly recommending that people not use their credit cards to make Internet purchases for at least the next several days. Imagine the loss in revenue and buyer confidence this is going to cause! Productivity may well go down and prices may well go up as a consequence of this flaw.

Luckily there are good patches already available to combat this glitch, and I’m sure additional fixes and tweaks are in the offing. But to have any level of safety you need to patch everything on your network that is vulnerable, and you need to do it quickly. Do you know exactly what devices are a part of your network and exactly what operating systems, software and firmware versions are installed on them? Specifically, do you know where Bash is running? If you don’t, you may install patches furiously over the next few days and still end up being vulnerable without knowing it. Can you in all good conscience assure your Web customers that their transactions and private information are safe?

Shellshock may have one hidden benefit though; it may be the cold dose of reality that causes organizations to finally get serious about information security and adopt best practices security recommendations, especially where inventories of devices and software are concerned. There is a reason why guidance such as the MSI 80/20 Rule of Information Security and the Top 20 Critical Controls for Effective Cyber-Security list making inventories their number one information security project. If you don’t know what you have, how can you possibly secure it?!

Right now, if you are among the prescient few who do keep complete dynamic inventories, ensure that input to all available software fields is validated and have configured each device on your network with a unique admin password, you are sitting pretty! You have the knowledge and time necessary to deal with this problem, and will probably earn kudos and market share from you customers. Isn’t that kind of assurance worth spending some time and money on America?

This blog post contributed by John Davis.

Patch for ShellShock ASAP!

Posted on September 30, 2014 by Brent Huston

If you haven’t paid attention to the Bash Shellshock vulnerability – NOW IS THE TIME!

Source IPs for probes looking for the vulnerability are growing slowly in number and scope of scans. (As of 9/30/14, 10am Eastern).

There are many vulnerable devices and systems available to exploit and a variety of exploitation vectors exist – including web CGIs, DHCP clients, OpenVPN, SSH, etc. It is highly likely that a wide variety of embedded systems are also vulnerable that meet these capabilities. So far, we have seen attack traffic in the HITME coming from a few SOHO routers and a couple of other embedded network devices. Items like printers, some routers & managed switches, home gadgets, cameras, etc. are likely targets as well.

In the industrial control world, there are a variety of embedded devices leveraging Linux at the core, and many with exposed CGI mechanisms for remote management and monitoring. These need to be inspected as well, as they may also prove vulnerable and potentially exploitable via one or more vectors. Patching may require firmware upgrades in some cases. Contact the vendor for more information.

But, no matter what systems you use and manage, NOW IS THE TIME. Pay attention to this issue and get moving on patching, adding compensating controls and rolling forward with enhanced detection mechanisms. GET BUSY!

As always, if we can assist, feel free to give us a call or drop us a line. We have HoneyPoint emulations for HPSS clients that can help identify sources of traffic and we have assessment signatures for up to the moment known attack vectors. Let us know if we can help!

Thanks for reading, and stay safe out there!

UPDATE: Good news on Shellshock for embedded devices: If it runs BusyBox, it’s likely NOT vulnerable.

Home Depot Data Breach; a Good Argument for Best Practices-Based Infosec

Posted on September 29, 2014 by Brent Huston

There are two big philosophies of how to implement information security at organizations; “standards – based” and “best practices-based” infosec programs. The vast majority of America’s companies and agencies follow a standards-based approach, and most of these only strive to achieve a baseline level of standards adherence.

When you hear the word “baseline” you should think of the words “at least” or “at a minimum”. For example, you should “at least” implement physical and logical access controls. Or, you should at “at a minimum” employ a firewall at your network perimeter. That sort of thing. Because that is what “baseline” standards are. They are the minimum level of controls recommended by standards organizations such as NIST and ISO. They were never meant to be ideals. They are only intended to function as starting points.

The problem is that a large number of commercial and public organizations are having trouble reaching even a baseline level of information security. They complain that complying with baseline standards is too expensive; that it takes too much dedicated manpower and interferes with customer service and other business processes. And what they are saying is true in its way; information security is expensive and it does take the cooperation of everyone in the business. But what they are really saying is that infosec is just not a priority and they truly don’t care much about it. This seems to me to be what was behind the Home Depot data breach.

Former company employees have stated that Home Depot had told them to only go for a “C” level of information security. They weren’t to concern themselves with implementing “B” or “A” level security at the organization. And Home Depot keeps credit card information! The Payment Card Industry Data Security Standard (PCI DSS) demands about the strongest level of baseline security out there. And Home Depot reputably was handling unencrypted credit card information on their computer networks?! How did they pass their PCI security assessments? I don’t understand the particulars here. But however this situation came about, the fact is that once again the private financial information of millions of citizens has been compromised. Shouldn’t we be outraged and demanding a higher standard of security for our private information?

That is why everyone should be urging their government agencies and the retailers they do business with to implement information security at the best practices level. Industry standard best practices for information security are just that; they are the best means currently known for protecting IT systems and the information they process. Examples of best practices guidance are the MSI 80/20rule for information security and the Top 20 Critical Controls for Effective Cyber-Security. Sure, it may add 10 cents to the cost of a package of light bulbs to implement best practices, but isn’t worth it? I don’t hear people complaining about the banks buying a bunch of new physical security systems all the time to better protect their money. And really, what is the difference between the two?

This blog post was contributed by John Davis.

Computer Security is Your Own Responsibility

Posted on September 19, 2014 by Brent Huston

All of us know that our homes may be burglarized, and we take steps to help keep that from happening. We lock our doors and windows, we install motion detector lights outside, we put in alarm systems and some of us even install cameras. The same goes for the other stuff we do and own. We lock our cars, we put our valuables in safe deposit boxes and we avoid dangerous areas of the city late at night. We even watch what we say when we are talking on the phone, because we worry someone might be listening in. We all know that we ourselves are responsible for looking after these things. So why do we all seem to think that it is somebody else’s job to make sure we are safe while we are using our computers to surf the net or catch up on Facebook? We do, though. I’ve seen it happen and I’ve been guilty of it myself, I’m sorry to say.

For some reason, we don’t think a thing about using our kid’s name and age as our email password. It doesn’t enter our minds that it may not be a good idea to do our home banking while we are sipping a latte at Starbucks. And it doesn’t bother us a whit that our home wireless network doesn’t require a password – they’re a lot of trouble, after all! But when we get hacked, the first thing we do is blame everybody from our ISPs to the companies that built our devices. I think part of the reason is that we think the whole computer thing is too technical and there is really nothing that we can do ourselves. But that simply isn’t true. The biggest part of computer security is just mundane, common sense stuff.

The most important thing is to understand what is really going on when you are on the Internet, and it can be summed up in on phrase; you are communicating in public. You might as well be standing in the town square shouting back and forth at each other. One of the only real differences is that a lot of what you’re doing is not only public, it’s being recorded as well! So, thinking with that mindset, how would you go about keeping your privacy?

First, you wouldn’t trust anyone to keep quiet and protect your secrets for you, would you? So, when you are on the Internet, always be suspicious. Make sure that that email from your bank or your co-worker is legit, don’t just click on the link. Be very suspicious of anything with attachments, and don’t just blithely open any document that is sent to you unsolicited. And if you get an urge to go to that neat looking gambling site or you hanker to click on that link that says they will show you your favorite celebrity with their pants down, suppress it! Also, take a look every once and awhile and see what has really been happening on your computer. Your machines are usually keeping really good logs. Look them over and see if anything seems funny to you. You don’t have to be an expert, just curious.

Next, be leery if your machine starts acting funny. Maybe it gets really slow once in a while. Perhaps you turn it on and a message says “Download Complete”, but you don’t remember downloading anything. Lots of different things like that can occur. But when they do, and then your computer starts acting normally again, don’t just blow it off; check into it!

And change your passwords! It’s easy and fast, and it can save your bacon. If you have been at a hotel or have connected to the Internet from a coffee shop or airport, change your passwords as soon as you get home. If something funny happens or you think you may have done the wrong thing while you were web surfing, change your passwords. Use a password vault so you only have to remember one password. Then if something funny happens, you simply reset all your passwords and change the main one. And make it a good password, too. Make sure that nobody can guess your passwords or security questions just by reading your Facebook page.

Also, if you were out in public and wanted to keep what you are saying private, you could use a code couldn’t you? Then, even if you were overheard, what you said wouldn’t make any sense to anyone but you and the person you are trying to communicate with. Why not apply that to your computer, as well? Use cryptography to store your private stuff in memory and for sending private communications whenever possible. You don’t have to be any kind of computer expert. Disc encryption tools are free and easy to use, and you can buy email certificates very inexpensively. The main thing is, though, take responsibility for your own computer safety like you would anything else you own. I’ll bet you can think of plenty of other common sense ways to protect yourselves that I haven’t touched on here.

This post by John Davis.

The Big Three Part 4: Awareness

Posted on September 17, 2014 by Brent Huston

Cyber-attacks are a simply a part of reality now, and are very much like home burglaries. We can install locks and lights, cameras and alarm systems, and despite our best efforts at protection and prevention, a certain number of robberies are still bound to happen. That is the reason we need to steel ourselves to this fact and prepare ourselves to resist cyber-attacks the best way that we can. And the Big Three; incident detection, incident response and user security education and awareness are some of our best tools for meeting this problem.

The importance of user education and awareness to information security cannot be over emphasized. Of all the firewalls, IPS systems and other security sensors available, none can compare to human beings in their ability to detect cyber-attacks and security risks. But to take advantage of this resource, it is necessary that users know how to recognize security problems and it is necessary that they want to be engaged in the security process. To accomplish this, companies need to do several things.

First, they should provide all of their personnel with information security training both as new hires, and then periodically thereafter. This training should include the company information security policies that apply to all, plus information security training that is specific to each user’s particular role in the organization. Providing extra information security training for individuals such as code developers, system administrators and help desk personnel is particularly beneficial.

Next, it is also very important to provide all company personnel with information security awareness reminders. These serve two purposes. First, they help keep the need for good security practices fresh in users’ minds. But more importantly than that, good security awareness tips let your personnel know exactly what kind of attacks are out there and how they take place. That’s why it is important to base your awareness reminders on cutting-edge, real-world information security threats. For example, perhaps your employees gets a perfectly legitimate-looking email message from one of their co-workers that solicit them to check out a certain website and give an opinion on it. So they innocently click on the embedded link and wham! Suddenly their machines have been infected with malware and they don’t have a clue that anything is wrong. Awareness reminders can help keep such things from happening.

On top of good information security training and awareness, we think that there is one more element that is needed to really make the process pay off. It is important to engage the interest of your employees and make them feel that they are an essential part of the information security effort. This

isn’t really hard or expensive to do either. Explain their importance in the program to your personnel and ask for their help. Most everyone really likes to help out, and it makes them feel good inside. In addition, recognize those that have contributed to the information security cause and give them some kind of reward. This can be as simple as a little praise at the weekly staff meeting, or can include things like days off or preferred parking spaces. It doesn’t have to be big, just visible. One thing is sure, it makes better business sense to utilize this free and effective security resource to the hilt than spend a million dollars on a vaunted new IDS/IPS system!

This post by John Davis.

The Big Three Part 3: Incident Response

Posted on September 15, 2014 by Brent Huston

It’s been a couple of busy months since we posted parts one and two of this series, so I’ll recap briefly here. Part one talked about the failure of information security programs to protect private data and systems from compromise. It showed that despite tighter controls and better security applications, there are more data security compromises now than ever. This was the basis for suggesting an increased emphasis on incident detection, incident response and user education and awareness; the Big Three.

Part two in the series discussed information security incident detection and how difficult it is to implement effectively. It related the sad statistic that less than one out of five serious data breaches is detected by the organization affected, and that a disturbing number of breaches go undetected for months before finally being uncovered. Part two also touted a combination of well configured security tools coupled with human monitoring and analysis as one of the best solutions to the problem. In this installment, we’ll discuss the importance of accompanying incident detection with an effective, well-practiced incident response plan.

Say that an ongoing malware attack on your systems is detected, would your staff know just what to do to stop it in its tracks? If they don’t do everything quickly, correctly and in the right order, what could happen? I can think of a number of possibilities right off the bat. Perhaps all of your private customer information is compromised instead of just a portion of it. Maybe your customer facing systems will become inoperable instead of just running slow for a while. Possibly your company will face legal and regulatory sanctions instead of just having to clean up and reimage the system. Maybe evidence of the event is not collected and preserved correctly and the perpetrator can’t be sued or punished. Horrible consequences like these are the reason effective incident response is increasingly important in today’s dangerous computing environment.

Developing and implementing an incident response plan is very much like the fire drills that schools carry out or the lifeboat drills everyone has to go through as part of a holiday cruise. It is really just a way to prepare in case some adverse event occurs. It is deconstructing all the pieces-parts that make up security incidents and making sure you have a way to deal with each one of them.

When constructing your own incident response plan, it is wise to go about it systematically and to tailor it to your own organization and situation. First, consider the threats your business is menaced by. If you have been conducting risk assessments, those threats should already be listed for you. Then pick the threats that seem the most realistic and think about the types of information security incidents they could cause at your organization. These will be the events that you plan for.

Next, look over incident response plans that similar organizations employ and read the guidance that is readily available our there (just plug “information security incident response guidelines” into a web browser and see what you get – templates and implementation advice just jump off the page at you!). Once you have a good idea of what a proper incident response plan looks like, pick the parts that fit your situation best and start writing. This process produces the incident response policies needed for your plan.

After your policies are set, the next step I like to tackle is putting together the incident response team. These individuals are the ones that will have most of the responsibility for developing, updating and practicing the incident response procedures that are the meat of any incident response plan. Armed with the written policies that were developed, they should be an integral part of deciding who does what, when it gets done, where they will meet, how evidence is stored, etc. Typically, an incident response team is made up of management personnel, security personnel, IT personnel, representative business unit personnel, legal representatives and sometimes expert consultants (such as computer forensics specialists).

Once all the policies, personnel and procedures are in place, the next (and most overlooked part of the plan) is regular practice sessions. Just like the fire drills mentioned above, if you don’t actually practice the plan you have put together and learn from the results, it will never work right when you actually need it. In all my time doing this sort of work, I have never seen an incident response practice exercise that didn’t expose flaws in the plan. We recommend picking real-world scenarios when planning your practice exercises and surprising the team with the exercise just as they would be in an actual event.

In the fourth and final installment of this series, we will discuss user education and awareness – another vital component in recognizing and fighting data breaches and system security compromises.

Thanks to John Davis for this post.

MSI :: State of Security

Insight from the Information Security Experts

Author Archives: Brent Huston