CMHSecLunch for July is going to be held Monday, July 8 at the Tuttle Mall food court. The time is 11:30am – 1pm. Look for the security geeks in the mall and come hang out with your infosec peeps. FREE and open to the public, you can register and find out more information here.
This time around on Ask The Security Experts, we have a question about holiday coverage for the security team:
Q: “With the upcoming summer holidays and heavy vacation schedules, what are some things I need to pay attention to in order to make sure attackers don’t catch us off guard while we are short on staff?”
Jim Klun weighed in with:
1. Make sure all staff have been reminded of the reality of phishing attacks and what they need to watch out for.
Use real-world examples like this one: http://labs.ft.com/2013/05/a-sobering-day/ ( courtesy of Adam Hostetler )
Its important that staff understand the potential severity of a successful phishing attack.
Such attacks are more likely over holiday periods when attackers can rely on short-staffing.
2. Make sure all systems( both network/OS/application ) are logging and that you are reviewing those logs for anomalies
Make it a particular point to review those logs after the holidays.
Log review can be automated but should not be reduced to a formality. Staff with familiarity with what is normal should be reviewing daily log reports and periodically
examining the raw logs themselves.
3. Consider internal alerting systems such as Microsolved’s “Honeypoint” solution. They can act as tripwires in your network, alerting you to the presence of an intruder.
See: http://www.microsolved.com/honeypoint
Bill Hagestad added:
To prevent surprise cyber attacks the number one focus should be proactive cyber threat intelligence specifically related to your company based upon the following Essential Elements of Information (EEI):
– What are your priorities for intelligence?
– Competitor’s needs/focuses?
– External vendors interests on behalf of competitor?
– Foreign economic interests
– Commercial cyber espionage
– Foreign cyber espionage?
– Potential insider threats?
Once you have prioritized what you consider the information security threats are to your organization MicroSolved can help develop a information a security/assurance strategy.
First step determine a quick list of cyber intelligence targeting baed upon the EEI above;
Second – from the priorities determine your internal High Value Targets that the prioritized list of adversaries might focus on;
Third – install or fine tune your HoneyPoint Security Server to capture attacker and threat vector information; and,
Fourth – focus holiday staffing levels and efforts to mitigate list of potential cyber threats based upon both the EEI and steps 1 -3 above.
John Davis stated:
One of the things to pay particular attention to during vacation season is the security of returning portable devices. Employees will probably be traveling all over the place on their vacations, include foreign countries. And while traveling, people like to let their hair down and take it easy. They also like to keep abreast of their emails or surf the Internet looking for restaurants and places of interest.
Hotel networks and public hot spots are usually open networks and liable to sniffing by enterprising cyber criminals. Because of this, it is relatively easy for these attackers to implant Malware on laptops or other portable devices used by traveling employees. And, as we know, lots of enterprises these days have bring your own device policies in place or tolerate the casual use of company laptops for non-business purposes. To protect the network from this scenario, run anti-virus and other Malware detecting software on these devices, and/or boot them up in a stand alone test environment and look for problems before allowing them onto the production network.
There’s a LOT of good advice here. Hopefully, some of it helps you. Until next time, thanks for reading and have a safe holiday!
One of the less common assessments that MicroSolved performs for our clients is a Network Device Review (NDR). These assessments are aimed at helping clients assess the current state of specific devices or system configurations and improving them.
Common devices assessed via this service include:
This type of assessment is performed using a combination of automated tools and manual time with our security engineers. The methodology leveraged to perform the assessment is very similar to our other assessments, with the engineers doing detailed analysis of attack surfaces and evaluation of relevant controls. Reports follow a more technical path for these services, with a technically focused report set and a small management level summary, keeping the cost of these services significantly less expensive than our deeper pen-testing and fuzzing assessments.
Customers often use these services to perform spot validation or as a part of an overall hardening project to improve their security posture organically. To learn more about the NDR service, get in touch with your account executive or contact us via info (at) micro solved (dot) com for a free conversation about how the NDR can help your organization.
As always, thanks for reading and stay safe out there!
The touchdown task for June is to perform a quick and dirty check of your ongoing external vulnerability assessment. By now, you should have your Internet facing systems assessed each month, with weekly or daily checks applied to critical systems. If you aren’t having your systems assessed for vulnerabilities in an ongoing manner, get that process started. MSI can assist you with this, of course.
But, the task for June is to check and make sure that ALL of your public Internet facing systems, interfaces and devices are being assessed. Sometimes new systems might get added to the public IP space without making it into your assessment plan. Take an hour and check to make sure all the devices you know of are covered by the assessment. Do some quick ping/port scanning to make sure you are getting coverage and nothing has snuck in that is being missed. Give your assessment process a quick review and make sure that it is running on the proper IP spaces or lists and that the reports are as you expect.
Until next month, stay safe out there!
Next Monday, June 17th, I’ll be presenting at the EPRI conference in Chicago. My topic is a threat update on what attackers are targeting and what kind of value future state designs and other research/planning data has on the attacker market. If you’re going to be at the event, please join me for my presentation. If you’d like to grab a coffee or the like, let me know. I’ll be around all day.
Thanks for reading and I hope to see you there!
By: Mick Douglas (@bettersafetynet)
The client looked at us from across the table, grimacing as they gulped the foul coffee (sure it’s awful, but hey it’s a free perk!). They leaned in and said conspiratorially “So can you… umm… sort of… help us get the inside scoop on how we can pass this pentest?”
About the Author:
Mick Douglas (twitter.com/bettersafetynet) does R&D, PenTesting, and profesional services for Diebold Inc. When he’s not doing tech stuff, he’s off in the woods somewhere hiking or trying — mostly in vain — to improve his photography chops.
Thanks to Mick for contributing. I think he’s right on with what we need to do as penetration testers. — Brent Huston
Once again, Victoria Lowengart (@gisobiz) and I team up to discuss events in the real world and how they impact cyber threats. This time around we talk North Korea, Anonymous and touch on Industrial Control Systems. We also give a quick preview of Op Petrol. Check it out here:
Thanks for listening and until next time, stay safe out there!
This time around, a reader wrote in with a very common question:
Q: “A member of my management team is about to go on a business trip to a country with known cyber-spying capabilities. She wants to take her phone, tablet and laptop so she can be productive on the road. What can I do to make this safer for her and our organization without restricting her work capability on the road in an unreasonable manner?”
Adam Hostetler opened with:
The standard here is don’t bring anything electronic, if you can help it. In most cases, that’s not probable so don’t bring your normal personal phones or laptops, no smartphone at all is advisable. Bring loaner devices that have only exactly what they need and can be burned when they get back. Only connect through a VPN, and have that account monitored on the other end. Don’t leave phone or laptop in a hotel room, even in the safe, and don’t talk business there either.
Jim Klun added:
There is likely no way to do this without restricting – or at least significantly changing – the way she works.
It has to be assumed that any information on her personal devices will be compromised.
It also can be assumed that any information flowing between her devices and the outside world will be compromised.
I would recommend two things:
1. Take only what you can afford to lose. Communicate only what you can afford to lose.
So – take a small number of devices (e.g. phone, laptop) minimally configured with only that information absolutely required for this trip.
Better to have corporate staff respond to email requests from her rather than to allow access to critical corporate resources from suspect location.
If internal connectivity to corporate resources must be allowed ( e.g VPN) it should be ideally require 2-factor auth of some sort, use strong encryption, and grant access only to a limited subset of resources.
All credentials can be assumed to be lost – hence the utility of two-factor. All of the employees credentials should be changed on return.
All devices brought back should be assumed to be compromised and will need complete re-imaging.
2. Consider creating “go-kits” and well-defined repeatable processes for employees who travel to such locations.
A special set of devices ( laptop, phone, etc) that are minimally configured and can be wiped on return. No personally owned devices should be allowed.
Connectivity for those devices – if absolutely needed – that allows access only to a tightly restricted and monitored subset of internal corporate resources.
Most importantly – training for employees who make these trips. The employee must understand the special risks being incurred and be aware of their responsibility to protect the company and the companies existing customers.
As above – all of the employees credentials should be changed on return.
Bill Hagestad summed it up with this:
This one is near and dear to my heart…I call these rules of counter cyber espionage the 李侃如的中國旅遊規則 (Lieberthal’s China Travel Rules)
Cellphone and laptop @ home brings “loaner” devices, erased before he leaves home country & wiped clean immediately upon returns;
In China, disable Bluetooth & Wi-Fi, phone never out of his sight;
In meetings, not only turn off his phone but also remove battery, microphone could be turned on remotely;
Connect to the Internet only via encrypted, password-protected channel, copies & pastes his password from a USB thumb drive;
Never type in a password directly, “the Chinese are very good at installing key-logging software on your laptop.”
The article can be found @ http://www.nytimes.com/2012/02/11/technology/electronic-security-a-worry-in-an-age-of-digital-espionage.html?pagewanted=all
Brent Huston closed with:
Any electronic items they do take on the road with them should be current on patches, AV signatures and detection capabilities. All data, drives, systems, etc. should be strongly encrypted when possible to do so (Pay special attention to export restrictions on crypto depending on where they are going.) Also, turn and burn EVERYTHING when they come back. Treat all media and data obtained during the travel as suspicious or malicious in nature. Trojans of data and documents are common (and usually they scan as clean with common tools). This is especially true for high value targets and critical infrastructure clients. Trust us! Safe travels!
(Lieberthal’s China Travel Rules)
Last week, several sources were talking about the indexing of URLs that happen inside supposedly secure and private Skype sessions. There was a bit of press about it and we thought it would be fun to test it out and easy to do with HoneyPoint Personal Edition. Here’s how we did it:
2013-05-22 01:09:45 – HoneyPoint received a probe from 65.52.100.214 on port 80 Input: HEAD /vixennixie.htm HTTP/1.1 Host: target_ip Connection: Keep-Alive
A whois of 65.52.100.214 shows:
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
#
# Query terms are ambiguous. The query is assumed to be:
# “n 65.52.100.214”
#
# Use “?” to get help.
#
#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=65.52.100.214?showDetails=true&showARIN=false&ext=netref2
#
NetRange: 65.52.0.0 – 65.55.255.255
CIDR: 65.52.0.0/14
OriginAS:
NetName: MICROSOFT-1BLK
NetHandle: NET-65-52-0-0-1
Parent: NET-65-0-0-0-0
NetType: Direct Assignment
RegDate: 2001-02-14
Updated: 2012-03-20
Ref: http://whois.arin.net/rest/net/NET-65-52-0-0-1
OrgName: Microsoft Corp
OrgId: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US
RegDate: 1998-07-10
Updated: 2011-04-26
Ref: http://whois.arin.net/rest/org/MSFT
OrgNOCHandle: ZM23-ARIN
OrgNOCName: Microsoft Corporation
OrgNOCPhone: +1-425-882-8080
OrgNOCEmail: noc@microsoft.com
OrgNOCRef: http://whois.arin.net/rest/poc/ZM23-ARIN
OrgTechHandle: MSFTP-ARIN
OrgTechName: MSFT-POC
OrgTechPhone: +1-425-882-8080
OrgTechEmail: iprrms@microsoft.com
OrgTechRef: http://whois.arin.net/rest/poc/MSFTP-ARIN
OrgAbuseHandle: HOTMA-ARIN
OrgAbuseName: Hotmail Abuse
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: abuse@hotmail.com
OrgAbuseRef: http://whois.arin.net/rest/poc/HOTMA-ARIN
OrgAbuseHandle: ABUSE231-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: abuse@hotmail.com
OrgAbuseRef: http://whois.arin.net/rest/poc/ABUSE231-ARIN
OrgAbuseHandle: MSNAB-ARIN
OrgAbuseName: MSN ABUSE
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: abuse@msn.com
OrgAbuseRef: http://whois.arin.net/rest/poc/MSNAB-ARIN
RTechHandle: ZM23-ARIN
RTechName: Microsoft Corporation
RTechPhone: +1-425-882-8080
RTechEmail: noc@microsoft.com
RTechRef: http://whois.arin.net/rest/poc/ZM23-ARIN
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
I’ll leave it to the reader to decide what they think about the data. You can draw your own conclusions. We just appreciated yet another use for HoneyPoint and a quick and dirty project to play with. Thanks for reading!
Save the date of June 10th for the next CMHSecLunch. This month’s event is at the Polaris Mall food court. It’s 11:30 to 1pm.
As usual, you can sign up here. You can also talk to @cahnee about it on Twitter if you would prefer. She can help you find folks wherever we meet.
The event is FREE, open to anyone interested in IT and InfoSec. You can brown bag it, or get food from the vendors. But, the conversations are amazing. You get to see old friends and make some new ones. Check it out!