Author Archives: Brent Huston

About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

The First Five Quick Wins

Posted on by
10

The Top 20 Critical Controls for Effective Cyber Defense have been around for half a decade now, and are constantly gaining more praise and acceptance among information security groups and government organizations across the globe. One of the main reasons for this is that all of these controls have been shown to stop or mitigate known, real-world attacks. Another reason for their success is that they are constantly being updated and adjusted to fit the changing threat picture as it emerges. 

One of these recent updates is the delineation of the “First Five” from the other “Quick Wins” category of sub-controls included in the guidance (Quick Wins security controls are those that provide solid risk reduction without major procedural, architectural or technical changes to an environment, or that provide substantial and immediate risk reduction against very common attacks – in other words, these are the controls that give you the most bang for the buck). The First Five Quick Wins controls are those that have been shown to be the most effective means yet to stop the targeted intrusions that are doing the greatest damage to many organizations. They include:

  1. Application white listing: Application white listing technology only allows systems to run software applications that are included in the white list. This control prevents both external and internal attackers from implementing malicious and unwanted applications on the system. One caveat that should be kept in mind is that the organization must strictly control access to and modifications of the white list itself. New software applications should be approved by a change control committee and access/changes to the white list should be strictly monitored.
  2. Secure standard images: Organizations should employ secure standard images for configuring their systems. These standard images should utilize hardened versions of underlying operating systems and applications. It is important to keep in mind that these standard images need to be updated and validated on a regular basis in order to meet the changing threat picture.
  3. Automated patching tools and processes: Automated patching tools, along with appropriate policies and procedures, allow organizations to close vulnerabilities in their systems in a timely manner. The standard for this control is patching of both application and operating system software within 48 hours of release.
  4. Removal or replacement of outdated software applications: Many computer networks we test have outdated or legacy software applications present on the system. Dated software applications may have both known and previously undiscovered vulnerabilities associated with them, and are consequently very useful to cyber attackers. Organizations should have mechanisms in place to identify then remove or replace such vulnerable applications in a timely manner just as is done with the patching process above.
  5. Control of administrative privileges and accounts: One of the most useful mechanisms employed by cyber attackers is elevation of privileges. Attackers can turn simple compromise of one client machine to full domain compromise by this means, simply because administrative access is not well controlled. To thwart this, administrative access should be given to as few users as possible, and administrative privileged functions should be monitored for anomalous behavior. MSI also recommends that administrators use separate credentials for simple network access and administrative access to the system. In addition, multi-part authentication for administrative access should be considered. Attackers can’t do that much damage if they are limited to isolated client machines!

Certainly, the controls detailed above are not the only security controls that organizations should implement to protect their information assets. However, these are the controls that are currently being implemented first by the most security-aware and skilled organizations out there. Perhaps your organization can also benefit from the lessons they have learned.

Thanks to John Davis for writing this post.

Touchdown Task for January: Audit Your News Feeds

Posted on by
Reply

This month, our suggested Touchdown Task is for the security team to do an “audit” of their news/RSS feeds and the other mechanisms by which you get advisories, patch and upgrade alerts, breakout information and details about emerging threats.

Since RSS feeds and account names and such can change, it’s a good idea to review these sources occasionally. Are the feeds you depend on timely and accurate? Have you added new technology to your organization since you last reviewed your advisory feeds? Maybe you might need to add a vendor or regulator feed.

Have a discussion with all of your team members and understand who monitors what. Make sure you have good cross communication, but aren’t struggling with a lot of duplicated efforts.

Once you get your news and threat feeds in order, trace how the information is shared and make sure it is getting to the system and network admins who might need it. Do you have the right people getting the right information? If not, adjust. 

Most teams can do this review in less than an hour. So focus, communicate and create a robust way to handle the flow of information.

As always, thanks for reading and stay safe out there! 

January CMHSecLunch is Monday (1/13)

Posted on by
3

Just a reminder that Monday’s CMHSecLunch is this Monday (1/13/14) at 11:30am Eastern at the Easton Mall food court. Come on out and see your friends. 

If you are unable to attend in person, and you would like to take part in the Google Hangout, bring your lunch to your laptop and ping me (lbhuston (at) gmail -dot- com) or send me a Twitter message at @lbhuston and I will add you. Hope to see you then! 

As always, you can learn more and RSVP (not required, but appreciated) here. 

How Risky is the Endpoint?

Posted on by
3

I found this article quite interesting, as it gives you a heads up about the state of endpoint security, at least according to Ponemon. For those who want to skim, here is a quick summary:

“Maintaining endpoint security is tougher than ever, security professionals say, thanks largely to the huge influx of mobile devices.

According to the annual State of the Endpoint study, conducted by the Ponemon Institute and sponsored by Lumension, 71 percent of security professionals believe that endpoint security threats have become more difficult to stop or mitigate over the past two years.

…More than 75 percent said mobile devices pose the biggest threat in 2014, up from just 9 percent in 2010, according to Ponemon. Some 68 percent say their mobile devices have been targeted by malware in the past 12 months, yet 46 percent of respondents say they do not manage employee-owned mobile devices.

…And unfortunately, 46 percent of our respondents report no efforts are in place to secure them.”

…While 40 percent report they were a victim of a targeted attack in the past year, another 25 percent say they aren’t sure if they have been, which suggests that many organizations don’t have security mechanisms in place to detect such an attack, the study says. For those that have experienced such an attack, spear-phishing emails sent to employees were identified as the No. 1 attack entry point.

…The survey found that 41 percent say they experience more than 50 malware attacks a month, up 15 percent from those that reported that amount three years ago. And malware attacks are costly, with 50 percent saying their operating expenses are increasing and 67 percent saying malware attacks significantly contributed to that rising expense.

…While 65 percent say they prioritize endpoint security, just 29 percent say their budgets have increased in the past 24 months.” — Dark Reading

There are a couple of things I take away from this:

  • Organizations are still struggling with secure architectures and enclaving, and since that is true, BYOD and visiblility/prevention efforts on end-points are a growing area of frustration.
    • Organizations that focus on secure architectures and enclaving will have quicker wins
    • Organizations with the ability to do nuance detection for enclaved systems will have quicker wins
  • Organizations are still focusing on prevention as a primary control, many of them are seriously neglecting detection and response as control families
    • Organizations that embrace a balance of prevention/detection/response control families will have quicker wins
  • Organizations are still struggling in communicating to management and the user population why end-point security is critical to long term success
    • Many organizations continue to struggle with creating marketing-based messaging for socialization of their security mission
If you would like to discuss some or all of these ideas, feel free to ping me on Twitter (@lbhuston) or drop me an email. MSI is working with a variety of companies on solutions to these problems and we can certainly share what we have learned with your organization as well. 

Touchdown Task: Gear Up for Holiday Coverage

Posted on by
1

GlobalDisplay Orig

Just a quick note to remind you that it’s a good time to check your coverage schedule for the holidays. With so many events and vacations, make sure you know who is available to cover important tasks and who can handle security incidents during this busy time.

Many incidents occur during the holiday period, so make sure you have a plan for handing them when you are rushed, short staffed and on the run.

We hope you have a safe and joyous holiday season. MicroSolved is here if you need us, so never hesitate to give us a call or drop us a line.

Seeking Topics for 2014 Webinars

Posted on by
5

Got an idea for a webinar you would like to see us tackle in 2014? If so, drop us a line via the comments or give me a shout on Twitter (@lbhuston) and share it with us. We are looking to build a set of monthly webinars and would love to hear what you want to hear more about.

Currently in the idea hopper are:

  • ICS/SCADA/Smart Grid security topics
  • Online crime trends
  • Use cases for HoneyPoint and ProtoPredator
  • Using free or low cost tools to increase your security team’s capability (Thanks @icxc)
  • Persistent Penetration Testing Strategies
  • Scoping and focusing penetration tests for real world business results
  • Ideas for security intelligence operations
  • Many, many more!

Drop me a line with a topic and I’ll enter you into a drawing to win a free copy of HoneyPoint Personal Edition! 

Thanks for reading and for sharing your interests. We want to 2014 to be your most successful information security year to date!

Update on the ProtoPredator Family of Products

Posted on by
2

Today, I just wanted to provide a quick update on the ProtoPredator family of products. As you may recall, we have released ProtoPredator for Smart Meters (PP4SM) as a commercial product. It became available over one year ago and continues to be a strongly performing tool for validating the optical security of smart meters.

I have gotten several questions from clients and the community about the ProtoPredator family and what was next. I am pleased to say that we are continuing to develop and enhance ProtoPredator for Raw Serial (PP4RS). This is currently a private, in lab tool for our testing. But, we do plan to release it eventually as a commercial tool. The tool is designed to discover serial communications, explore them, adaptively identify protocols and patterns and introduce the ability to fuzz those protocols on demand. The tool has been a long time coming and we are continuing to develop its capabilities. We want to make sure we have it fully functional prior to release.

Additionally, we are working on ProtoPredator tools for ModBus, DNP3 and other ICS protocols. Those versions are behind PP4RS in development and testing, simply due to the “scratch your own itch” workload we are using for testing. Though, DNP3 is quickly rising to the front burner.

If you have any questions about ProtoPredator, or any of the products we are working on, please let us know. We are always happy to discuss our work under NDA with folks in the ICS security field. As always, rest assured that just like PP4SM, while the products are commercially available with support and upgrades, WE DO NOT RELEASE THEM TO UNVETTED PARTIES. We think smart meter testing belongs in the hands of the professionals, as does testing other ICS protocols, so we don’t release our tools to folks not involved with utilities, manufacturing of the devices or other testing groups. If you are such a stakeholder and have an interest in the tools, please get in touch.

Thanks for reading and as always, stay safe out there! 

What Do You Want from InfoSec Next Year?

Posted on by
Reply

Given that so many firms will spend the end of the year issuing their opinions and predictions for next year, we thought we’d go against the grain, so to speak, and instead ASK YOU what you want the next year to bring?

What do you hope the information security community accomplishes or changes in a major way next year?

What new services or changes to service offerings would you most like to see?

If you could wake up on the first morning of the new year and have a brand new security product on your door step, what would it do for you? How would you like it to operate? What do you most fantasize about accomplishing?

What projects would you like to see grow in 2014? What terms, techniques or technologies would you like to see left behind in 2013?

Drop us a line via Twitter (@microsolved or @lbhuston) or via our Facebook page (http://facebook.com/microsolved) and let us know what you dream about. We’ll work hard to see if we can make your holiday season wishes come true! 

CMHSecLunch is Monday & a Quick Question

Posted on by
2

Just a reminder that CMHSecLunch is Monday, December 9th at North Market. The party starts at 11:30am Eastern and will run through about 1pm Eastern. Come on out and hang with us! 

We usually eat upstairs on the side nearest High Street and the end near the elevator. Look for a group of security geeks hanging out in that area and sit down for a snack and a chat.

Hope to see you then!

And now for the quick question. What would you think of also having a webex during the same period of time for those who are unable to attend physically or who are friends who have moved away? If that would interest you and you might enjoy it, drop me a line on Twitter and let me know (@lbhuston). I am considering this, but I won’t pouch forward unless at least 10 people ping me on Twitter or some other way. 

Thanks for reading and I hope to see you on the 9th!

** You can find out more about the event or RSVP by visiting our eventbrite site here

Using HoneyPoint to Inventory Windows Boxes on a Segment

Posted on by
7

For quite some time now, we have been using HoneyPoint Agent and Console to do some passive inventory and mapping exercises for clients, particularly those involved in ICS and SCADA deployments where active scanning to get inventories is often strongly discouraged. We had particular success with a specific client in this space a couple of weeks ago, and I wanted to discuss it here, since it has proven itself to be a useful tool and is on the top of my mind at the moment.

To get an inventory of the Windows systems on a collision domain, you simply install the Agent on a Linux box (or I suggest using the virtual appliance we already have built for your ease) and implement it and the Console. Once HoneyPoint is operational, you configure a UDP listener on port 138. From there, all of the NETBios speaking Windows systems will begin to send traffic to the host, as per the usual behavior of those systems. In this case, however, HoneyPoint will capture each source IP and log it to the Console. It will also capture the UDP datagrams from that conversation and place them as event data in the logs. By reviewing the source IPs, you can quickly and easily take stock of the Windows systems on the collision domain without sending any traffic at all to the systems. As a bonus, if you dig into the datagram data, you will also see the names of the hosts and other information.

Most of the time, this technique captures only Windows boxes, but if you have other devices out there running NETBios, they will likely get detected as well. This can include embedded systems, Unix systems running SAMBA, printers and copiers, Windows CE systems (often seen in many field equipment deployments), etc. You might be surprised what you can find.

Try this with a laptop, and move the laptop around your environment. You can pretty quickly and easily get an inventory by collision domain. You can also try dialing other NETBios ports and see if you get traffic that is routed across your switching fabric. Depending on your configuration, you might be able to gather a great deal of inventory data from a single location (especially if your network is flat and switches are poorly configured).

Give this a shot or get in touch if you would like us to come onsite and perform the inventory for you. We think it is a pretty useful technique and one that many folks are enjoying the benefits of. Let us know what you think when you give it a run in your network!

As always, thanks for reading, and until next time, stay safe out there!

PS – You can also do this with HoneyPoint Personal Edition on a Linux system, which makes it very easy and cheap to do if you don’t want to invest in a full blown HoneyPoint Security Server implementation. (You should invest though, it is a FANTASTIC detection tool!)

**(The link above is for HPPE on Windows, but if you purchase a license and contact us, we will send you the Linux build right away. You can’t easily capture port 138/UDP traffic in Windows HPPE because Windows has those ports in use…)