About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

3 Reasons I Believe in #CMHSecLunch

Around a year ago, (I know, it is hard to believe it has been a year), I started a quick and informal meet up group in Columbus, called #CMHSecLunch. The idea was simple:

  • Re-Create the “Hallway Con” effect on a monthly basis.

In this scenario, the Hallway Con is the best part of security events. It’s the one where you see old friends, make new ones and have great, warm and personal connections with them. I believe this is the core of why security events and conferences are so valuable. Beyond the skills training, marketing hype and presentations ~ the value of friendship, camaraderie and personal relationships remain.

Thus, I thought, what better way to encourage that part than organizing events that focus on those goals? And thus, #CMHSecLunch was born. We have been meeting on the second Monday of each month at a rotating mall food court around the city. Response has been great! Sometimes there are a few of us (4 has been the smallest) and sometimes many of us (around 20 have been the largest meetings). But, people have gotten new jobs, found solutions to difficult security problems, met some new friends and seen people they missed.

Overall, it has been fun, entertaining and worthwhile.

We will be continuing the process into 2014 and here are at least three reasons I believe this approach and the #CMHSecLunch events are worth doing:

  1. I have gotten to see people connect, smile and re-unite for a quick bite of food, some laughs and great conversation. Since I am often referred to as the “Hippy Hacker”, you have to know that this alone makes me happy and makes me believe that the events are worthwhile. Whenever we connect with another and share with the community, good things happen! 
  2. New threats have been discussed that brought to light attacker motives, techniques and the width of their activity. If we don’t have lunch and discuss what we are seeing, then the bad guys win. They win even less, if we also have coffee and dessert afterwards. Nuff said! 🙂
  3. New projects have originated from the #CMHSecLunch discussions. In fact, several new projects. People have aligned, worked out some of their ideas and started working together to build talks, mathematical models, risk documents and various other useful tools. When a bunch of smart people eat and play together, often the outcome is stuff that helps all of us. So, being the origin of projects and stuff that helps the community is a fantastic thing. 

Why haven’t you attended (again)? 🙂

If I still haven’t persuaded you to check out the next #CMHSecLunch, (which you can find by clicking here), how about these quotes from people who have attended the event?

@TSGouge: Interaction with real live human beings, no screens involved! Food, jokes (that only another geek would get), getting my butt out of the office chair, and dialogue more rich than any conference or lecture…these are people who will now reach out and collaborate on problems or projects. To sum it all up: connections with people who get it.

@Cahnee: CMHSecLunch is a great way to get away from the craziness of work and spend time with infosec peers to talk about what’s on everyone’s mind. We talk about current events and what each of us sees as challenges facing us both professionally and personally from an infosec perspective. Talk about encryption, mobile devices, NSA, DOD, etc.

@gisobiz: CMHSecLunch is a great thing! You meet with the like-minded people, or like-minded people wannabes and enjoy the food (great or not), but most importantly, the awesome conversation. You will get to know better people you already know, or make new friends.  Talking in an informal friendly environment takes the pressure off “being right” or “saying the right thing” which one encounters in a professional environment. Nobody will laugh at you or criticize you; in fact everyone is interested in your fresh (or stale) perspective on InfoSec or current events related to cyber security or anything else you care to share. And the really best thing is you get to learn from your colleagues, something you may not have an opportunity to learn otherwise.  It is like a miniature “geek” party in the best sense of the word. Or if you like – a mini-Black Hat conference. With food.

So, come on out next month and support the community. Have fun, grab a bite and engage with us, we are waiting for the view and insight that ONLY YOU can provide. Join us! 

Infosec, The World & YOU Episode 3 is Out!

Our newest episode is out, and this time we are joined by a very special guest, @TSGouge, who discusses social engineering for companies and on the nation state scale. Victoria reveals her new plans to take over the world and Brent tries to keep up with these gals, who are straight up geniuses. We also pontificate on Syria and the potential for cyber-fallout from the action going on over there.

Check it out here

Have a global real world/cyber issue you want us to tackle? Observed an odd event that ties to a real world cause in the Internets? Drop us a line ~ we’d love to hear about it or get you on the show! 

You can find Brent on Twitter at @lbhuston and Victoria stars as @gisoboz. Get in touch! 

CMHSecLunch is Monday August 9th

This month’s CMHSecLunch is Monday, August 9th, 2013 at 11:30am. The location for this month is the Easton Mall food court. You can register here, or just show up. ADMISSION IS FREE!!!!!

Imagine hanging out with your infosec bestys, or meeting a new infosec connection that takes your career to the next level. Ever wondered what infosec experts eat, drink or why some of them only wear pastel shirts? This is YOUR chance to find out! 

We hope to see you there! 

Ask The Experts: New Device Check Lists

This time around on Ask The Experts, we have a question from a reader and it got some great responses from the team:

 

Q: “I need a quick 10 item or less checklist that I can apply to new devices when my company wants to put them on our network. What kinds of things should I do before they get deployed and are in use around the company?”

 

Bill Hagestad started us off with:

The Top 10 checklist items a CISO/or equivalent authority should effectively manage before installing, configuring and managing new devices on a network include the following:

1) Organize your staff and prepare them for the overall task of documenting and diagramming your network infrastructure – give them your commander’s network management intent;

2) Create a physical and logical network map – encourage feedback from your team regarding placement of new hardware and software;

3) Use industry standards for your network including physical and logical security, take a good look at NIST Special Publication SP 800-XX Series;

4) Make certain that you and your team are aware of the requisite compliance standards for your business and industry, it will help to ensure you are within legal guidelines before installing new devices or perhaps you may discover the hardware or software you are considering isn’t necessary after all;

5) Ensure that after you have created the necessary network maps for your infrastructure in Step 2) above, conduct a thorough inventory of all infrastructure which is both critical and important to your business, then document this baseline;

6) Create a hardware/software configuration change procedure; or if you already have this in place, have your team review it for accuracy; make certain everyone on the team knows to document all changes/moves/additions on the network;

7) Focus not only on the correlation of newly implemented devices on the internal networks but also look at the dependencies and effects on external infrastructure such as voice/data networks – nothing worse than making an internal change to your network and having your Internet go down unnecessarily;

8) Ensure that new network devices being considered integrate gracefully into your existing logging and alerting mechanisms; no need to install something new only to have to recreate the proverbial wheel in order to monitor it;

9) Consider the second & third order effects of newly installed devices on the infrastructure and their potential impact on remote workers and mobile devices used on the network;

10) Install HoneyPoint Security Server (HPSS) to agentlessly & seamlessly monitor external and potential internal threats to your newly configured network….

 

Of course a very authoritative guide is published by the National Security Agency called appropriately “Manageable Network Plan” and available for download @:

 

http://www.nsa.gov/ia/_files/vtechrep/ManageableNetworkPlan.pdf


Jim Klun added:

1. Make sure the device is necessary and not just a whim on the part of management.   Explain that each new device increases risk. 

2. If the device’s function can be performed by an existing internal service, use that service instead. 

3. Inventory new devices by name, IP addresses, function and – most importantly – owners. There should be a device owner and a business owner who can verify continued need for the device. Email those owners regularly, querying them about continued need. Make sure that these folks have an acknowledged role to support the application running on the devices and are accountable for its security. 

4. Research the device and the application(s) it supports. Have no black boxes in your datacenter. Include an abstract of this in the inventory. 

5. Make sure a maintenance program is in place – hold the app and device owner accountable. 

6. Do a security audit of the device when fully configured. Hit it with vulnerability scanners and make sure that this happens at least quarterly. 

7. Make sure monitoring is in place and make very sure all support staff are aware of the device and any alerts it may generate. Do not blind-side the operations staff. 

8. If the device can log its activities ( system and application ) to a central log repository, ensure that happens as part of deployment. 

9. Make sure the device is properly placed in your network architecture. Internet-exposed systems should be isolated in an Internet DMZ.  Systems holding sensitive data should similarly be isolated. 

10. Restrict access to the device as narrowly as possible. 

 

Finally.. if you can, for every device in your environment, log its network traffic and create a summary of what is “normal” for that device.  

Your first indication of a compromise is often a change in the way a system “talks”. 
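
One way to build the per-device summary of “normal” traffic described above and flag a change in how a device “talks”. This is an added example, not part of the original answers; the flow-record layout, device names, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (device, hour, dst_ip, dst_port, proto, bytes_out).
# Device names and addresses are made up for this example.
BASELINE_FLOWS = [
    ("badge-reader-01", 0, "10.0.5.10", 514, "udp", 1200),
    ("badge-reader-01", 0, "10.0.5.20", 443, "tcp", 1800),
    ("badge-reader-01", 1, "10.0.5.10", 514, "udp", 1100),
    ("badge-reader-01", 1, "10.0.5.20", 443, "tcp", 1900),
    ("badge-reader-01", 2, "10.0.5.10", 514, "udp", 1300),
    ("badge-reader-01", 2, "10.0.5.20", 443, "tcp", 1700),
    ("badge-reader-01", 3, "10.0.5.10", 514, "udp", 1250),
    ("badge-reader-01", 3, "10.0.5.20", 443, "tcp", 2050),
]
OBSERVED_FLOWS = [
    ("badge-reader-01", 4, "10.0.5.10", 514, "udp", 1200),
    ("badge-reader-01", 4, "10.0.5.20", 443, "tcp", 1800),
    ("badge-reader-01", 5, "10.0.5.10", 514, "udp", 1200),
    ("badge-reader-01", 5, "10.0.5.20", 443, "tcp", 1900),
    ("badge-reader-01", 5, "203.0.113.45", 443, "tcp", 48000),  # peer never seen before
    ("ip-cam-07", 5, "10.0.5.10", 514, "udp", 900),             # device with no baseline
]


def build_baseline(flows):
    """Summarise 'normal' per device: the peers it talks to and its hourly volume."""
    peers = defaultdict(set)
    hourly = defaultdict(lambda: defaultdict(int))
    for dev, hour, dst, port, proto, nbytes in flows:
        peers[dev].add((dst, port, proto))
        hourly[dev][hour] += nbytes
    baseline = {}
    for dev, peer_set in peers.items():
        volumes = list(hourly[dev].values())
        baseline[dev] = {"peers": peer_set,
                         "mean": mean(volumes),
                         "stdev": pstdev(volumes)}
    return baseline


def find_deviations(baseline, flows, sigma=3.0, min_slack=1024):
    """Return (device, kind, detail) for every departure from the baseline."""
    findings, reported = [], set()
    hourly = defaultdict(lambda: defaultdict(int))
    for dev, hour, dst, port, proto, nbytes in flows:
        hourly[dev][hour] += nbytes
        profile = baseline.get(dev)
        if profile is None:
            # A device nobody baselined is itself a finding (inventory gap).
            if dev not in reported:
                reported.add(dev)
                findings.append((dev, "unknown-device", "no baseline on record"))
            continue
        peer = (dst, port, proto)
        if peer not in profile["peers"] and (dev, peer) not in reported:
            reported.add((dev, peer))
            findings.append((dev, "new-peer", f"{dst}:{port}/{proto}"))
    for dev, hours in hourly.items():
        profile = baseline.get(dev)
        if profile is None:
            continue
        # min_slack keeps a very flat baseline from alerting on tiny wobbles.
        limit = profile["mean"] + max(sigma * profile["stdev"], min_slack)
        for hour, total in sorted(hours.items()):
            if total > limit:
                findings.append((dev, "volume",
                                 f"hour {hour}: {total} bytes, limit {limit:.0f}"))
    return findings


if __name__ == "__main__":
    for finding in find_deviations(build_baseline(BASELINE_FLOWS), OBSERVED_FLOWS):
        print(finding)
```

In practice the records would come from NetFlow, firewall logs or a network sensor, and the baseline window would cover weeks rather than hours.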

 

Adam Hostetler chimed in with: 

Will vary a lot depending on device, but here are some suggestions

 

1. Ensure any default values are changed. Passwords, SNMP strings, wireless settings etc.

2. Disable any unnecessary services

3. Ensure it’s running the latest firmware/OS/software

4. Add the device to your inventory/map, catalog MAC address, owner/admin, etc.

5. Perform a small risk assessment on the device. What kind of risk does it introduce to your environment? Is it worth it?

6. Test and update the device in a separate dev segment, if you have one.

7. Make sure the device fits in with corporate usage policies

8. Perform a vulnerability assessment against the device. 

9. Search the internet for any known issues, vulnerabilities or exploits that might affect the device.

10. Configure the device to send logs to your logging server or SIEM, if you have one.

 

And John Davis got the last word by adding: 

From a risk management perspective, the most important thing a CISO needs to ensure is in place before new devices are implemented on the network is a formal, documented Systems Development Life Cycle or Change Management program. Having such a program in place means that all changes to the system are planned and documented, that security requirements and risk have been assessed before devices have been purchased and installed, that system configuration and maintenance issues have been addressed, that the new devices are included in business continuity planning, that proper testing of devices (before and after implementation on the network) is undertaken and more. If a good SDLC/Change Management program is not in place, CISOs should ensure that development and implementation of the program is given a high priority among the tasks they wish to accomplish.

 

Whew, that was a great question and there is some amazing advice here from the experts! Thanks for reading, and until next time, stay safe out there! 

 

Got a question for the experts? Give us a shout on Twitter (@microsolved or @lbhuston) and we’ll base a column on your questions!

Yo, MSI Raps Podcast Episode 1

This is the latest version of Yo, MSI Raps. We have finally decided to make these episodes open to the public, so we will start with this one.

This is an open round table discussion between members of the MSI Technical Team. It is candid, friendly and, we hope, interesting. 🙂

This time around, the team talks about privacy, the news around the NSA collection of data and impacts of surveillance on liberty. 

You can check out the podcast here!

Look for these sessions to be released more frequently and on topics that are in the news. We hope you enjoy them, and feel free to give us feedback via Twitter (@lbhuston or @microsolved) and/or via the comments section.

Thanks for listening!

Using HoneyPoint as a Nuance Detection System in Utility Companies

I often get asked about how utility companies deploy HoneyPoint in an average implementation. To help folks with that, I whipped up this quick graphic that shows a sample high level deployment. 

Thanks for reading! Let me know what you think, or if you have an interest in discussing an implementation in your environment.

More on Persistent Penetration Testing from MSI

MicroSolved has been offering Persistent Penetration Testing (PPT) to select clients now for a couple of years. We have been testing and refining our processes to make sure we had a scalable, value driven, process to offer our full client base. We have decided to open the PPT program up to another round of clients, effective immediately. We will be open to adding three additional clients to the PPT group. In order to qualify, your organization must have an appetite for these services and meet the criteria below:

The services:

  • MSI will actively emulate a focused team of attackers for either a 6 or 12  month period, depending on complexity, pricing and goals
  • During that time, MSI will actively and passively target your organization seeking to reach a desired and negotiated set of goals (usually fraud or theft of IP related data, deeper than traditional pen testing)
  • Full spectrum attacks will be expressed against your organization’s defenses in red team mode, across the time window 
  • Once an initial compromise occurs and the appropriate data has been identified and targeted, we will switch to table top exercises with the appropriate team members to discuss exploitation and exfiltration, prior to action
  • If, and only if, your organization approves and desires, then exploitation and exfiltration will occur (note that this can be pivoted from real world systems to test/QA environments at this point)
  • Reporting and socialization of the findings occurs, along with mitigation strategies, awareness training and executive level briefings
  • The process then repeats, as desired, through the terms and sets of goals

The criteria for qualification. Your organization must:

  • Have full executive support for the initiative, all the way to the C-level and/or Board of Directors
  • Have a mature detection and egress process in place (otherwise, the test will simply identify the needs for these components)
  • Have the will to emulate real world threat activity without applying compliance-based thinking and other unnatural restraints to the process
  • Have a capable security team for MSI to work with that has the capability to interface with the targeted lines of business in a rapid, rational and safe manner
  • If desired, have the capability to construct testing/QA platforms and networks to model real world deployments in a rapid and accurate fashion (requires rapid VM capability)
  • Be open to engaging in an exercise with an emulated aggressive adversary to establish real world risk and threat profiles
  • Be located in the US (sorry, we are not currently accepting non-US organizations for this service at this point)

If your organization meets these requirements and you are interested in discussing PPT services, please drop me a line (Twitter: @lbhuston), or via email at Info at microsolved dot com. You can also reach me via phone at (614) 351-1237 x 201.

August Touchdown Task: Change Management Audit

This month’s touchdown task is to take a quick audit of your organization’s change management process. Give it a quick walkthrough.

  • Make sure that you are tracking when admins make changes to machine configurations or network device configs
  • Are proper peer review and approval processes being followed?
  • Check to make sure that the proper folks are in the loop for various kinds of communication, error handling and reporting
  • Review risk acceptance for changes and make sure it meets your expected processes
  • Examine a couple of changes and walk them through the entire process to see if things are falling through the cracks
  • Update any change management documentation to reflect new processes or technologies that may be in place now

Give this a quick review this month and you can rest assured for a while that change management is working strongly. With the coming fall and holiday rush ahead, you’ll know you have this base covered and can depend on it as a good foundation for the rest of your security initiatives. 

Until next time, as always, thanks for reading and stay safe out there! 

Always Remember the Business, InfoSec Folks

I just got out of yet another meeting with a big company partner for whom we act as an information security and threat advisor. In that meeting, I listened to a keyed-up, hypercaffeinated group of good guy security geeks tell their senior executives about the latest set of DLP controls they were putting in place. They spent 45 minutes describing packet-level checking, data flows, architecture diagrams and the technology of their solution set in painful (even for me) detail. Many of the executives were dozing lightly, while the geeks spun their techno-web. That’s when things took a turn for the worse…

The COO asked them one single question, interrupting a slide about email data flows ~ “How will this impact the business of ‘Dan’s’ group and the ‘Singularity’ project we have been working on since 2011? Doesn’t it depend on some of that data?” (**Names changed to protect the innocent and the guilty…)

Then, NOTHING HAPPENED. You could have heard a pin drop. Dead silence for close to two minutes. Finally, the COO repeated the question. Still nothing. He asked the lead geek if he knew who Dan was, and the geek said yes. He asked if Dan had been interviewed by the geeks prior to this. They said, no. The COO erupted in a rage, railing about how Singularity was the largest new line of business launch in the history of the company and how the projected income from the business would change the landscape of the firm. There were a LOT of apologies and some amount of notes taken to immediately consult with Dan. Much geek cred was lost. It will be a while before they get to present to the executives again like that. 

I tell you this story simply to remind all infosec folks about something I see all too often. It’s about the business. We are about the business. We are there to secure the business, nurture it, protect it, empower it to succeed. If that’s not where you or your team are, then you are doing it wrong. Get it right. Talk to the business. Speak their language. Give up on the “beauty of the baud” approach. Your packets and technology stack may be gorgeous to you, but if they don’t align with the business, then they won’t do anyone, including you, any good at all. Keep that in mind at all times. Also, remember to always talk to Dan ~ he’s a nice guy and he appreciates it. He can give you the answers you need and usually, he desperately wants to understand what you can do to make his project a success. Get to know all the Dans in your organization. They drive the world, you support them, together you build business and all of you will succeed!

Three Tough Questions with Aaron Bedra

This time I interviewed Aaron Bedra about his newest creation ~ RepSheet. Check it out here:


Aaron’s Bio:

Aaron is the Application Security Lead at Braintree Payments. He is the co-author of Programming Clojure, 2nd Edition as well as a frequent contributor to the Clojure language. He is also the creator of Repsheet, a reputation based intelligence and security tool for web applications.


Question #1:  You created a tool called Repsheet that takes a reputational approach to web application security. How does it work and why is it important to approach the problem differently than traditional web application firewalling?

I built Repsheet after finding lots of gaps in traditional web application security. Simply put, it is a web server module that records data about requests, and either blocks traffic or notifies downstream applications of what is going on. It also has a backend to process information over time and outside the request cycle, and a visualization component that lets you see the current state of the world. If you break down the different critical pieces that are involved in protecting a web application, you will find several parts:

* Solid and secure programming practices

* Identity and access management

* Visibility (what’s happening right now)

* Response (make the bad actors go away)

* HELP!!!! (DDoS and other upstream based ideas)

* A way to manage all of the information in a usable way

This is a pretty big list. There are certainly some things on this list that I haven’t mentioned as well (crypto management, etc), but this covers the high level. Coordinating all of this can be difficult. There are a lot of tools out there that help with pieces of this, but don’t really help solve the problem at large.

The other problem I have is that although I think having a WAF is important, I don’t necessarily believe in using it to block traffic. There are just too many false positives and things that can go wrong. I want to be certain about a situation before I act aggressively towards it. This being the case, I decided to start by simply making a system that records activity and listens to ModSecurity. It stores what has happened and provides an interface that lets the user manually act based on the information. You can think of it as a half baked SIEM.

That alone actually proved to be useful, but there are many more things I wanted to do with it. The issue was doing so in a manner that didn’t add overhead to the request. This is when I created the Repsheet backend. It takes in the recorded information and acts on it based on additional observation. This can be done in any form and it is completely pluggable. If you have other systems that detect bad behavior, you can plug them into Repsheet to help manage bad actors.  

The visualization component gives you the detailed and granular view of offenses in progress, and gives you the power to blacklist with the click of a button. There is also a global view that lets you see patterns of data based on GeoIP information. This has proven to be extremely useful in detecting localized botnet behavior.

So, with all of this, I am now able to manage the bottom part of my list. One of the pieces that was recently added was upstream integration with Cloudflare, where the backend will automatically blacklist via the Cloudflare API, so any actors that trigger blacklisting will be dealt with by upstream resources. This helps shed attack traffic in a meaningful way.

The piece that was left unanswered is the top part of my list. I don’t want to automate good programming practices. That is a culture thing. You can, of course, use automated tools to help make it better, but you need to buy in. The identity and access management piece was still interesting to me, though. Once I realized that I already had data on bad actors, I saw a way to start to integrate this data that I was using in a defensive manner all the way down to the application layer itself. It became obvious that with a little more effort, I could start to create situations where security controls were dynamic based on what I know or don’t know about an actor. This is where the idea of increased security and decreased friction really set in and I saw Repsheet become more than just a tool for defending web applications.

All of Repsheet is open sourced with a friendly license. You can find it on Github at:

https://github.com/repsheet

There are multiple projects that represent the different layers that Repsheet offers. There is also a brochureware site at http://getrepsheet.com that will soon include tutorial information and additional implementation examples.

Question #2: What is the future of reputational interactions with users? How far do you see reputational interaction going in an enterprise environment?

For me, the future of reputation based tooling is not strictly bound to defending against attacks. I think once the tooling matures and we start to understand how to derive intent from behavior, we can start to create much more dynamic security for our applications. If we compare web security maturity to the state of web application techniques, we would be sitting right around the late 90s. I’m not strictly talking about our approach to preventing breaches (although we haven’t progressed much there either), I’m talking about the static nature of security and the impact it has on the users of our systems. For me the holy grail is an increase in security and a decrease in friction.

A very common example is the captcha. Why do we always show it? Shouldn’t we be able to conditionally show it based on what we know or don’t know about an actor? Going deeper, why do we force users to log in? Why can’t we provide a more seamless experience if we have enough information about devices, IP address history, behavior, etc? There has to be a way to have our security be as dynamic as our applications have become. I don’t think this is an easy problem to solve, but I do think that the companies that do this will be the ones that succeed in the future.

Tools like Repsheet aim to provide this information so that we can help defend against attacks, but also build up the knowledge needed to move toward this kind of dynamic security. Repsheet is by no means there yet, but I am focusing a lot of attention on trying to derive intent through behavior and make these types of ideas easier to accomplish.
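
A sketch of the reputation idea from the two answers above: signals are recorded per actor, a backend pass outside the request cycle decides who gets blacklisted, and the in-request decision shows a captcha only when the actor's history calls for it. This is an added example, not Repsheet's code or API; the class, signal names, weights, thresholds and the half-life decay are all hypothetical choices made for illustration.

```python
# Hypothetical signal weights and thresholds chosen for this example.
WEIGHTS = {"waf_alert": 5.0, "bad_user_agent": 2.0, "failed_login": 1.0}
CHALLENGE_AT = 3.0    # show the captcha at or above this score
BLACKLIST_AT = 12.0   # the backend review blacklists at or above this score
HALF_LIFE = 3600.0    # seconds for a score to halve (assumption: old offences fade)


class ReputationStore:
    """In-memory stand-in for a shared store of actor reputation."""

    def __init__(self):
        self._actors = {}       # ip -> (score, time of last update)
        self.blacklist = set()  # filled by review() or by an operator
        self.whitelist = set()  # known-good actors, never challenged

    def score(self, ip, now):
        """Current score, decayed since the actor's last recorded signal."""
        score, ts = self._actors.get(ip, (0.0, now))
        return score * 0.5 ** (max(now - ts, 0.0) / HALF_LIFE)

    def record(self, ip, signal, now):
        """Add one observation (for example a WAF alert) to the actor's score."""
        new_score = self.score(ip, now) + WEIGHTS.get(signal, 0.0)
        self._actors[ip] = (new_score, now)
        return new_score

    def review(self, now):
        """Backend pass, outside the request cycle: promote persistent offenders."""
        promoted = {ip for ip in self._actors
                    if ip not in self.whitelist
                    and self.score(ip, now) >= BLACKLIST_AT}
        self.blacklist |= promoted
        return promoted


def decide(store, ip, now):
    """In-request decision: block only on an explicit blacklist entry."""
    if ip in store.whitelist:
        return "allow"
    if ip in store.blacklist:
        return "block"
    if store.score(ip, now) >= CHALLENGE_AT:
        return "captcha"   # friction only for actors with a recent bad history
    return "allow"


if __name__ == "__main__":
    store = ReputationStore()
    # Constructed events: (ip, signal, unix-style timestamp in seconds).
    events = [("198.51.100.7", "waf_alert", 0),
              ("203.0.113.9", "waf_alert", 0),
              ("203.0.113.9", "waf_alert", 10),
              ("203.0.113.9", "waf_alert", 20)]
    for ip, signal, ts in events:
        store.record(ip, signal, ts)
    store.review(now=20)
    for ip in ("192.0.2.1", "198.51.100.7", "203.0.113.9"):
        print(ip, decide(store, ip, now=20))
```

A single WAF alert only raises friction here; blocking needs either repeated offences seen by the backend review or a manual blacklist entry, which matches the reluctance to block on WAF hits alone.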

Question #3: What are the challenges of using something like Repsheet? Do you think it’s a fit for all web sites or only specific content?

I would like to say yes, but realistically I would say no. The first group that this doesn’t make sense for are sites without a lot of exposure or potential loss. If you have nothing to protect, then there is no reason to go through the trouble of setting up these kinds of systems. They basically become a part of your application infrastructure and it takes dedicated time to make them work properly. Along those lines, static sites with no users and no real security restrictions don’t necessarily see the full benefit. That being said, there is still a benefit from visibility into what is going on from a security standpoint, and it can help spot events in progress or even pending attacks. I have seen lots of interesting things since I started deploying Repsheet, even botnets sizing up a site before launching an attack. Now that I have seen that, I have started to turn it into an early warning system of sorts to help prepare.

The target audience for Repsheet are companies that have already done the web security basics and want to take the next step forward. A full Repsheet deployment involves WAF and GeoIP based tools as well as changes to the application under the hood. All of this requires time and people to make it work properly, so it is a significant investment. That being said, the benefits of visibility, response to attacks, and dynamic security are a huge advantage. Like every good investment into infrastructure, it can set a company apart from others if done properly.

Thanks to Aaron for his work and for spending time with us! Check him out on Twitter, @abedra, for more great insights!