About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

HoneyPoint Maturity Model

Posted on September 22, 2011 by Brent Huston

Many folks have asked for a quick review of the way HoneyPoint users progress as they grow their confidence in the product suite and in their capability to manage threat data. To help answer those questions and to give folks a quick way to check out how some folks use HoneyPoint beyond simple scan/probe detection, we put together this quick maturity model to act as a roadmap.

If you are interested in hearing more about a specific set of functions or capabilities, give us a call or drop us a line. We would be happy to walk you through the model or any of the specific items. HoneyPoint users, feel free to engage with support if some of this sparks a new idea for how your organization can deepen your own HoneyPoint use cases. Thanks for reading and stay safe out there!

Audio Blog Post: How to Choose the Best Security Partner

Posted on September 19, 2011 by Brent Huston

In this audio post, Brent Huston, CEO and Security Evangelist, interviews MSI’s Constance Matthews and Chris Lay about choosing the right security partner. Also discussed is MicroSolved’s backstory with the State of Ohio’s voting system and how clients benefit from MSI’s partnership philosophy.

Click here to listen: How to Choose the Best Security Partner

A Framework For Managing Mobile Devices For Security

Posted on September 16, 2011 by Brent Huston

After several discussions the last few days with a number of folks around mobile technologies and the security risks they pose to organizations, I thought I might be able to help folks by putting forth a quick a dirty (“back of the napkin”) framework diagram.

This should easily demonstrate a high level strategy and give you some thinking points about how your organization manages mobile devices and data interactions from them.

As always, thanks for reading and feel free to engage with me via twitter (@lbhuston), phone or email if you want to discuss the framework or any of the components. My team is always available to help and willing to engage with readers for help with creating the components or reviewing what you have so far. I hope this helps some folks!

Click this link to access the PDF: MobileTechSecFramework

Yet Another Lesson on the Basics from DigiNotar

Posted on September 6, 2011 by Brent Huston

This time it was a Certificate Authority (again). Not just any CA, either, but an official CA that manages the “PKIOverheid” for the government of the Netherlands. In other words, a really important CA, even in a league where most, if not all, CA’s are important.

What happened? They got breached. They got breached in a way that allowed attackers to create at least 531 rogue certificates with their trust models. How did they get breached? It seems to stem from a combination of attackers exploiting basic issues to gain access, then leveraging more advanced custom skills to get the certificates generated and extrude them. I am basing that opinion on the Fox-IT report located here. (The report itself is well worth a read).

The critical issues identified?

Lack of a secure architecture for CA servers (1 Windows domain, connectivity from management network)
Missing patches
Lack of basic controls (AV, in this case) which allowed exploitation by basic attacker tools such as Cain/Abel
Poor password policies, logging and management of detective controls

If you follow our blog, attend our talks or listen to our podcasts, you should be seeing this as another reminder of just how critical it is to do the basics. Having powerful tools that no one watches, engaging vendors to do assessments that you ignore and spending money on controls that don’t matter won’t create an effective information security program. Getting the basic controls and processes in place might not protect you from breaches against resourced, skilled attackers completely, either, but it will go a long way toward giving you some protection from the most common threat models. In this case, it might have helped a CA know when they were under attack and take action against their threat sources to mitigate the breach before they got to the crown jewels or in this case, the crown certificates.

The attacker has been posting to Pastebin, (presumably the attacker), that they have access to other CA providers. If you are a CA or run a certificate system, now might be a good time to have someone take an independent third-party look around. It might be a good time to spend a few extra cycles on “just checking things out”.

If your organization is still stuck chasing vulnerabilities and hasn’t done a holistic review of their overall program, this would be a good impetus to do so. It should become an action item to look at your program through the lens of something like the SANS CAG or our 80/20 of Information Security lens and ensure that you have the basics covered in an effective manner. If you have questions or want to discuss the impacts or issues some of these recent breaches have against your organization, give us a call. As aways, thanks for reading and stay safe out there.

MicroSolved Releases HoneyPoint Special Edition: Morto

Posted on August 29, 2011 by Brent Huston

We are pleased to announce the immediate availability of a special edition of HoneyPoint that is designed to help organizations identify hosts infected with the Morto worm that is currently circulating.

HPMorto works like this: It opens a TCP listener HoneyPoint on port 3389/TCP (check to make sure that port is NOT in use before running HPMorto). Once in place, the tool will report the source IP of any systems who attempt to connect to it. Identified sources should be investigated as possible infected hosts.

This version will only listen for 3389 connections and will only function through February 28, 2012.

Versions of HPMorto are available for FREE download for:
Windows
Linux
Mac OSX

Give it a try and we hope that this tool help folks manage the problems being caused by Morto around the world.

McAfee: 65 Million Malware Samples — And That’s Just the Tip of the Iceberg

Posted on August 24, 2011 by Brent Huston

I was fascinated by this article that came across my newsfeed earlier this week. In it, McAfee says that they have hit 65 million malware samples in the 2nd quarter of 2011. I have heard similar stories in my frequent conversations with other AV vendors this year. It seems, that the malware cat, truly is out of the bag. I don’t know about you, but it seems like someone forgot to warn the crimeware world about opening Pandora’s box.

One of the things that I think is still interesting about the number of signatures that AV vendors are creating are that they are still hitting only a small portion of the overall mountain of malware. For example, many of the AV vendors do not cover very many of the current PHP and ASP malware that is making the rounds. If you follow me on twitter (@LBHuston), then you have likely seen some of the examples I have been posting for the last year or so about this missing coverage. In addition, in many of the public talks I have been giving, many folks have had wide discussions about whether or not AV vendors should be including such coverage. Many people continue to be amazed at just how difficult the role of the AV vendor has become. With so much malware available, and so many kits on the market, the problem just continues to get worse and worse. Additionally, many vendors are still dealing with even the most simple evasion techniques. With all of that in mind, the role and work of AV vendors is truly becoming a nightmare.

Hopefully, this report will give some folks insight into the challenges that the AV teams are facing. AV is a good baseline solution. However, it is critical that administrators and network security teams understand the limitations of this solution. Simple heuristics will not do in a malware world where code entropy, encoding and new evasion techniques are running wild. AV vendors and the rest of us must begin to embrace the idea of anomaly detection. We must find new ways to identify code, and its behavior mechanisms that are potentially damaging. In our case, we have tried to take such steps forward in our HoneyPoint line of products and our WASP product in particular. While not a panacea, it is a new way of looking at the problem and it brings new visibility and new capability to security teams.

I enjoyed this article and I really hope it creates a new level of discussion around the complexities of malware and the controls that are required by most organizations to manage malware threats. If you still believe that simple AV or no malware controls at all are any kind of a solution, quite frankly, you’re simply doing it wrong. As always, thanks for reading and stay safe out there.

Methodology For System Trust State Management

Posted on July 29, 2011 by Brent Huston

A lot of folks have written in asking for a simple methodology overview of how to use the spreadsheet we published in a previous post. Here is a quick and dirty overview of the methodology we use to manage the security trust state of systems in our work. Check out the diagram and let us know if you have any questions or feedback.

Thanks for reading and we hope this helps your team in a meaningful way! Click to enlarge image. Click here to downlaod the PDF.

Quick Tool: System Trust Tracking Sheet

Posted on July 25, 2011 by Brent Huston

While working incidents and also during daily operations of a network environment, it is often useful to track the trust you have in components. For that reason, we frequently use a spreadsheet to contain the various elements. It also serves as a basic record of what has happened on a system or component. I usually track my trust in a system to three levels: trusted (I believe it has security), semi-trusted (it is recovering from an event or is acting funny but investigation did not yield results (I usually leave it in this state with additional ongoing monitoring for ~90 days at least), untrusted (I believe it is suffering an insecure state, is “acting funny” and is under investigation, etc.).

I hope this spreadsheet helps folks looking for an easy way to do this. Complex tools like databases and such are out there too, but this might serve as a quick and dirty tool to get you what you need if you need to undertake this exercise (and I suggest you do…. ). Hope it helps you and your team. Thanks for reading and take care of each other out there.

Click here to download the tracking sheet.

What Is A Trust Map?

Posted on July 21, 2011 by Brent Huston

For about a year now we have been getting questions from folks about basic trust maps, what they are and how they are used. After answering several times person to person, we thought it might be time for a simple blog post to refer folks to.

The purpose of a trust map is to graphically demonstrate trust between components of your organization or business process. It is a graphic map of how authentication occurs, what systems share accounts and what systems trust what other systems in an environment.

Trust maps are very useful for explaining your organization to new IT folks, helping auditors understand your authentication and security models, and especially for using as reference in incident response. Done properly, they become a powerful tool with a real payoff. For example, when an attack occurs and some mechanism gets compromised in your environment, you can use your trust map to quickly examine how to isolate the affected portions of the authentication model and learn what additional systems the attacker may have been able to trivially leverage given the access they gained. It really makes incident response much more effective and truly helps your teams respond to problems in a more intelligent and effective way.

It might take a little time to map complex organizations. If that proves to be a challenge, try starting with key business processes until you get to a point where you can create a holistic map with drill down process maps. This has proven to be an effective approach for larger/more complex organizations. If you need assistance with gathering the data or getting some additional political alliances to help the project along, our experience has been that the Disaster Recovery and Business Continuity folks usually have good starting data and are often easy to get engaged pushing the project through, especially since, in the long run, they get value from the maps too!

Here is an example map for you to use. It is pretty simple, but should give you the idea.

For more information or help creating your own trust maps, drop us a line or give us a call. We’d be happy to help or even get engaged to make the maps for you as a part of other security testing and projects. As always, thanks for reading and stay safe out there!

The 5 Big C’s Of Fail

Posted on July 19, 2011 by Brent Huston

From Brent Huston’s recent webinar, “How To Create A Threat-Centric Focus For Your Information Security Initiatives”:

Want to know why many information security programs are failing today? Yesterday, on our webinar, we got a lot of feedback on these issues and most folks agreed on these causes. A few said it was high time some one said what we did. For those of you who want to know why the attackers are winning, here is quick summary of the slide that caused all of the rukus on the webinar. Wanna see what all of the fuss was about? Drop us a line if you would like to be in the next session or stay tuned for a video of the talk in the next couple of weeks!

As always, thanks for the feedback. We are glad you enjoyed the talk and we look forward to giving it more often. It’s time we all started talking candidly about the problems we face and the real reasons that attackers are winning the race!

MSI :: State of Security

Insight from the Information Security Experts

Author Archives: Brent Huston