About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

HoneyPoint Security Server ICS/SCADA Deployment Example

Posted on February 19, 2013 by Brent Huston

Recently, there have been several questions about potential deployment scenarios for HoneyPoint Security Server in and around ICS and SCADA organizations. Here is a quick, high level view of what a sample deployment might look like in a utility or other ICS environment. Note that the sample environment has fully embraced enclaveing. The network is fully segmented based on function.

In organizations where segmentation or the use of enclaves has not been established, HPSS can still be used and would be deployed in much the same manner.

Please let us know if you have any questions about this diagram or about deploying HPSS in your environment. We would be happy to set up a free consultation with you to discuss how the tool could aid in your detection program and give you increased visibility throughout your enterprise.

PS – If the graphic is difficult to read, right click on it and select view in new tab. The theme for the site is having trouble with this particular graphic.

HighLevelEnclaves

HoneyPoint Security Server Platform “At A Glance”

Posted on February 18, 2013 by Brent Huston

Many folks have been asking us for an “At a Glance” kind of graphic about HPSS. Here is a first attempt. Please let us know what you think via the comments or on Twitter (@microsolved). Thanks for reading!

HoneyPointPlatformSimple2

New Project: Stolen Data Impact Model (SDIM)

Posted on February 13, 2013 by Brent Huston

This is just a quick announcement about a new project we are starting at MSI. The name of the project is the Stolen Data Impact Model (SDIM).

The goal of the project is to identify a methodology for scoring the impact of data stolen in a breach. We believe the scoring mechanism will be some kind of curve, based on the impact of the loss over time. Currently, we are spreading that loss over four time frames: immediate, short term, intermediate term and long term.

We also believe that there are more than one facet of impact that could be in play and we are currently discussing how to handle the multiple facets.

We are just starting the project, and plan to work through it with the input f the community. We searched for models to address this, but were unable to identify any. If your organization has a model, methodology or process for this and you are open to sharing, please get in touch. You can always contact us in the comments or via Twitter (@lbhuston) or (@microsolved).

Thanks and we hope to present more on this topic shortly.

CMHSecLunch for February

Posted on February 7, 2013 by Brent Huston

J0289893

This month’s CMHSecLunch is February 11th, at the Polaris Mall food court. It starts at 11:30 am Eastern and goes to 1pm Eastern. The Twitter chat runs at the same time if you can’t join in person – use the hashtag #CMHSecLunch to get in on the virtual event.

This is a great opportunity to meet with friends, peers and folks you may not have gotten to hang out with in a while. It is open to the public, there is no cost or registration hassles. You just go to the mall food court for lunch and sit down with friends to talk or maybe even make some new friends.

Turn outs have been great and the group of folks participating is growing. Each month, on the second Monday, we rotate between mall food courts around town so everyone gets a chance to be “close to home”. Seriously, it’s worth coming out. Think of this as the best part of security conferences (the chance to hang out and chat in the hallways), without the con flu or need to travel on an airplane.

Hopefully, the Twitter hashtag will grow as well and we can use it for folks that are/were in our community, but can’t get to the physical event for whatever reason.

As always, thanks for reading StateOfSecurity and engaging with MicroSolved. We love the CMH infosec community and organizing this event is just another way we hope to give back for all you have done for us over the last two decades! Thanks!!!

Kicking Off an Interview Series: Three Tough Questions

Posted on February 5, 2013 by Brent Huston

Beginning in the next few weeks, we will be kicking off a new series of blog posts called 3 Tough Questions. The format will be either text or audio interviews with infosec, ICS/SCADA, government and other experts. We will be asking strong questions about where we are today in infosec, how we got here and we are going tomorrow.

Who would you like to see us interview? Drop me a line on Twitter (@lbhuston) or via email/comments and let me know. If you have a burning question or two as well, send them over!

Thanks for reading and we hope you enjoy the new series!

Event Announcement: ICS/SCADA Security Briefing

Posted on February 1, 2013 by Brent Huston

MSI, along with the teams at NexDefense and Critical Intelligence, will be participating in an online webinar about ICS/SCADA Security. The date of the event is February, 6th and you can learn more about it here.

The event is free to attend, though registration is required. You can earn a CPE for participating!

We hope you will tune in and check us out!

Overview of the event:

Learning Objectives

Significant trends in the threat and vulnerability environment
Relevant trends in ICS technology
What proactive steps you can take
How to leverage security intelligence

Agenda

Introductions
ICS Cyber Security Intelligence Briefing, Michael Assante
ICS Threat Update, Brent Huston
How to Leverage Security Intelligence, Bob Huber
Live Q&A

Who Should View?

Senior Information Security Leaders, CISOs and CTOs
Security and Risk Analysts
Control system security engineers
Security operation leads for ICS reliant organizations

Review: The Bus Pirate

Posted on January 30, 2013 by Brent Huston

We have been playing with the Bus Pirate for a while now in the lab. And, while overall, we love the tool and the functionality it brings, there is one thing we hate about it too. We love the open source architecture and just the fact that it exists, in general. It is quite a useful tool for exploring electronic systems and dumping data from embedded devices.

The tutorials and documentation around the web make it a widely useable device. You can find detailed configuration data and connection scenarios in the forums for the product and in the general documentation as well. We recently spent a good deal of time playing with the Pirate and connecting it up to known and unknown equipment. The wide variety of modes took a lot of the complication out of the manual work that used to be required before the Pirate became available.

There is really only ONE thing NOT to like about the Bus Pirate. That specific thing is the flashing process to upgrade or downgrade the firmware. It requires physically manipulating the device pins with jumper wire and running an application to specifically install the version you desire. Given how easy using the device is normally, we hope to see this mature into something more along the lines of the update process for a router or the like. The main gripe about the current process is the time it takes to do the upgrade/downgrade. In a classroom environment, it takes quite a bit of time to make these changes, though among our team there is currently a discussion about the inherent value of the lessons learned from doing it.

Overall, even with the tedium of the upgrade process in mind, the Bus Pirate is a wonder. Dangerous Prototypes have pulled off an amazing feat to bring this thing to life. It makes hardware hacking so much easier than the “bad old days” and gives more people more access to the circuitry level for hacking. It makes grabbing data from chips and systems significantly easier. At the same time, it means that vendors of products that need to protect data against attacks at this level have to get better too. More eyes and more brains focusing on this level, means the race is on at a heated pace…

What is HPSS? :: HoneyPoint Agent

Posted on January 28, 2013 by Brent Huston

This post builds on the What is HPSS? Series. Previous posts are here and here.

HoneyPoint Agent is the original detection capability of the HoneyPoint Security Server suite. Basically, it allows a system to offer up a variety of “fake services” to the network for the purpose of detection. These services can either be simple port listeners or can be complex, deeper emulations of protocols like SMTP, HTTP, Telnet, FTP, etc. These ports have no real users and no legitimate traffic flows to them. This means that anytime these ports are tampered with, the interactions are “suspicious at best and malicious at worst”.

Because the Agent is designed to be extremely light weight in terms of computing power needed, the Agents can be sprinkled throughout the network environment easily. Many organizations simply add Agent into default server and workstation builds, turning most of the systems in their network into sensors for detection.

Other organizations deploy Agent more sporadically, either using virtual or physical appliances dedicated to HoneyPoint hosting. These organizations often assign multiple physical or virtual interfaces to the devices, allowing them to have a presence on many network segments at the same time.

Still other users leverage an approach called “scattersensing” by deploying HoneyPoint on systems that they move periodically around their environment. This makes for a less dependable detection mechanism, but gives them the capability to get more vision into “hotspots” where targeting is expected or where malware is more likely to pop-up.

The most successful HoneyPoint Agent deployments use a combination of these tactics, along with including strategies like DNS redirection of known command and control sites and other more active forms of getting bad traffic into the HoneyPoint systems.

HoneyPoint Agent has proven to be very useful in identifying scanning and malware outbreaks. Customers with supposedly secure networks have found malware that had been missed for years by their traditional internal security tools. These were detected when the ongoing slow and low scanning triggered HoneyPoint deployments, particularly for SQL, Terminal Server and other commonly targeted ports.

HoneyPoint Agent can be configured through the command line or via a GUI application, making it easy to manage and deploy. Once installed, it is a “deploy and forget” style tool which doesn’t require ongoing tuning or signature updates. Generally speaking, customers deploy Agent and it runs for years without feeding and care.

HoneyPoint Agent also features MSI’s patented “defensive fuzzing” capabilities (previously known as HornetPoint mode), which can create self-defending services that attempt to take down attacker tools during their probing to interfere with propagation. Still other users automate defense with Agent using it as a means for black holing hosts that probe their environment. In these optional, more active roles, Agent can help organizations strengthen their posture with a “one strike and you’re out” kind of approach.

HoneyPoint Agent runs in Linux, Windows and OS X. It communicates securely with the HoneyPoint Console. It also features user configurable services, a known scanning host ignore list (for ongoing vulnerability assessment clients) and a wide variety of common service emulation templates (available through support).

To learn more about HoneyPoint Security Server or to get a demo, please contact us. We would be happy to walk you through the product and discuss how it might fit into your environment. There is even a free for personal use “Community Edition” available to get you started or to let you experience the power, ease and flexibility of the platform yourself. Just give us a call to learn more about HoneyPoint Security Server and HoneyPoint Agent. You’ll be glad you did!

Malware in Many Places

Posted on January 25, 2013 by Brent Huston

GlobalDisplay Orig

Just a quick reminder that malware can come in many forms and from many places. These days, it isn’t just phishing, drive-by downloads and stray email attachments that you have to worry about. USB drives, digital picture frames, wireless devices, watches with USB plugs, exercise equipment with public “charge and data monitoring ports” and whole variety of other things.

Basically, today, if it can plug into your systems or talk to your network and has any kind of processing, memory or storage – it can likely carry malware. That’s certainly something to keep in mind as the “Internet of Things” becomes more and more a part of our daily lives.

All of the usual defenses still apply, but today we need more than just anti-virus to keep us safe. We have to be using a variety of security controls from throughout the spectrum of prevention, detection and response. Since malware can be everywhere, so too must our vigilance against it.

PS – Those of you with teens and older parents who use/depend on electronics and computers should discuss malware and safer computing with them. They likely have an entirely different risk profile than you do, and they may not be paying as much attention to the impacts that these attacks can have or where they can come from. They may be doing risky things without even knowing it. Talk to them about malware and help keep them safer in the online world.

Come Grow with MicroSolved

Posted on January 22, 2013 by Brent Huston

MSI is currently seeking two full time team members to help grow our information security offerings to our clients.

We are seeking a sales person to assist current customers with their needs, conduct campaigns to identify new prospects, work directly with the security engineers to scope engagements and complete the process by closing engagements and working with the project managers to complete the work plan. The successful sales person will be detail oriented, friendly, self motivated and willing to engage with customers with a high level of passion and energy. Our sales process is mature, transparent and client focused and that has helped us become one of the oldest information security firms in the country. The sales position can be filled by someone located anywhere in the mid-west, as long as they are open to some travel to visit clients and occasional travel back to Columbus as needed.

The other position is a security team member. This is a technical position, with the primary duties being penetration testing of networks, applications and electronic devices. Security team members also back up the risk assessment team, perform consulting duties and help with development of products and services across the MSI offerings. Some security experience is required, along with expected proficiency with operating systems, networking and some basics of coding/scripting. The security team member position should live in Central OH. We need physical presence for much of the work in our lab, so this person has to be close to HQ.

To apply for either of these positions, please drop us an email with a resume, a short bio and few paragraphs that explain exactly what you bring to the table and why we should add you to our team. Email us at INFO(at sign)microsolved.com. Thanks for reading and we look forward to hearing from you!

MSI :: State of Security

Insight from the Information Security Experts

Author Archives: Brent Huston