Author Archives: Brent Huston

About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

Finding Conficker with HoneyPoint

Posted on by
Reply

With so much press attention to the conficker worm, it is very likely that you have heard of it. What you may not know is that it is a very very advanced piece of code. It is quite capable, able to optimize itself to concentrate its attacks and is being updated fairly routinely by its programmers/owners. Hundreds of thousands of compromised systems are thought to still be online, making for a very risky situation when/if the handlers of the worm decide to put those infected systems to use. Even while we wait for the “other shoe to drop”, these infected systems are likely to continue propagating the worm and present a clear and present danger to other systems that are not under the attacker’s control.

The worm is capable of propagating via several methods, but the most common one is via exploitation of a vulnerability over port 445/TCP. HoneyPoint (Security Server and/or Personal Edition) users can establish HoneyPoints on this port to detect scanning/probing hosts using non-Windows systems. Linux and OS X systems can dilate this port (which can’t be done effectively on Windows without major work and impact on the system) to detect the source IP addresses of infected hosts on the network. Using approaches such as “scattersensing” has proven to be highly effective in identifying compromised hosts around the globe. These infected hosts should be removed from use immediately and should be treated as compromised using your existing incident response/security processes.

As we have said before, scattersensing is an easy, effective and cheap mechanism to gain security insight using older systems, laptops or desktops, a LiveCD (such as PuppyLinux or gOS) and HoneyPoints. You can quickly build a scatter sensor or several and move them around your environment trivially. This makes for a powerful solution to detect malware and insider threats of a myriad of natures.

Please feel free to give us a call to discuss this solution and enterprise HoneyPoint deployments further should you have any questions. Happy hunting!

Change the Way You Use (and Pay For) Penetration Testing

Posted on by
Reply

For a couple of years now, we have been offering our managed service and menu-based service clients flat rate options for all kinds of penetration testing, assessments and application security. By far, though, the best received and most popular service is our focal point penetration testing service. Let me share with you a situation I had with a client we’ll call “Joe”.

Joe is a 38 year old IT manager for a financial services company. He has been with the organization for more than 6 years and is a hard worker who is known around the company as a “get things done” kind of guy. Joe, like all IT managers today, is facing a cutback in his security staff and is struggling to keep up with the ever-changing threats, vulnerabilities and regulatory landscape that his company faces. He has been a MicroSolved client for several years and we have great rapport.

Joe’s problem is that his once a year penetration testing is just not working. The huge snapshot of his environment doesn’t maintain relevance for long as his staff struggles to respond to the findings and attack the problems that are identified in an overall manner. That’s when Joe comes to me to discuss his issues.

Joe and I spend a couple of hours talking about the problems he is facing and we quickly find a HUGE solution to his problem. Joe and the MSI team break up his IT environment into 4 functional slices. Instead of doing one big penetration test, once per year, we begin to test 1/4 of his environment every quarter. That allows his team to focus on a specific set of his environment for improvement during a given quarter and makes it very easy for him to create measurable security improvements in those targets. This gives him the ammunition he needs to provide continual improvement metrics to his upper management. From the MSI side, it makes the task smaller and faster for our team, and while the human engineer factor is slightly higher since we have to do setup and manual parts 4x, the difference is not really large. We extend terms to Joe’s company that allows him to pay for this service in low monthly payments over the term of the agreement. This makes the security bill from MSI easy to plan for and manage.

This was a couple of years ago. Joe is now approaching the big 4-0 and has been with his company more than 8 years. When we talked last week, Joe renewed his agreement with MSI for FIVE YEARS! He could not say enough about the work that we do with them, how the subscription approach to penetration testing has helped him and how grateful his board is for us letting them create a menu of services (including subscriptions for assessments and pen-testing) and split the cost INTEREST FREE over the five year term!

Joe is one happy client and at MSI that is exactly what we are all about. I love that our team has worked with clients to “get creative” about security problems. We deliver quality reports, do a lot of the heavy lifting for our clients and are always looking for new ways to help them be more successful with our services. Joe has learned just what that can mean to an organization and how my team can even “think outside the box” when it comes to payment terms and contracts. All around, Joe and MSI both have found a win-win relationship doing business together.

Subscription-based, line of business or segment of IT environment, focused penetration testing. It truly, in my opinion, is the future of security assessments. If you would like to discuss just such a solution, drop me a comment, email or tweet (@lbhuston) or feel free to call 614-351-1237 and talk to one of our account managers. We would love to help you get more from your security budget and find creative ways to make security better and more affordable for your organization too!

Breaches Often Stem from Unknown Data? Wow!

Posted on by
Reply

While doing some work on Operation Anaconda, I have been spending some time analyzing some of the various known metrics and statistics around the insider threat. One of the findings that I found absolutely amazing is this one from the Verizon report, that 66% of the 500 breaches studied in the report revolved around data that the organization DID NOT EVEN KNOW THEY HAD or DID NOT KNOW WHERE IT WAS in their own IT environment!

That’s ~330 breaches where the victim did not even know either that they had the data in question or did not realize where in the network that data was supposed to be.

This, to me, is alarming. How on Earth can an organization secure what they do not know about? How can a security team possibly be tasked with securing what they don’t know they have? The fact is, they can’t. Thus, the first condition would be for the security teams in these organizations to KNOW WHAT DATA THE ORGANIZATION HAS AND WHERE IT LIVES.

If you are still trying to create security based on perimeters, architectures or anything else that is not data-centric, then this should serve as a wake up call. You must identify all of the data that is in your organization that is at risk. You must know what it is, how it is created/stored/processed/used/destroyed and YOU MUST BUILD SECURITY AROUND IT.

Let me say that again to be clear. You must focus on identifying the data and then on defining security around it!

Please, use this statistic to change your security focus from architecture and IT environment protection to protecting the data. To focus on anything other than securing the data is to fail. Attackers will find the weakest point and when they do, they will attack the confidentiality, integrity and/or availability of the DATA.

As security folks, it is easy to get caught up in the day to day. It is easy to spend way too much time focused on management goals, content filtering, “playing net cop” and all of the other stuff that goes on. BUT, it is critical that we retain the daily focus on knowing what our organization has that needs protected and on where and how we have to protect it. Focus on that and all will be well, fail at it and you’ll eventually be one of the 66% referenced above.

MSI is Currently Seeking Resellers for Services and HoneyPoint

Posted on by
Reply

We are currently seeking resellers for our HoneyPoint line of products and our professional services. We are open to discussing this with any firms interested in creating a virtual security practice and helping us present our HoneyPoint products to their markets.

We have a strong interest in working with partners in South America, Europe and Asia.

If your firm is interested in joining a reseller program that has been performing well for more than a decade and has members from the Fortune 100 to regional specialists, then please read more about the program here and contact us to arrange a discussion.

Our recent expansion of technical staff has created a limited opportunity to bring on new partner relationships. Does your organization have the will and capability to be among the group that leverages our two decades of excellence?

On Vendors Offering Discounts on VA/PT Services “Due to Financial Crisis”

Posted on by
1

I have a bone to pick with the idea of vendors suddenly offering price drops on their assessments and such “in response to the financial crisis.” In my opinion, this is nothing more than a gimmick. A cheap come-on to win more business while the times are tough and the chips are down. If you can offer these discounts today without it impacting your margins at a serious level or making it tough on you to do business, then why couldn’t you do it last week, last month or last year? I’ll tell you why, because you were caught up in that extra margin and extra charge to your clients and in making that extra profit.

At MicroSolved, I have refused to play these games with our customers for 20 years. I strive every day to keep our prices as low as possible for the work we do, to pay our team fairly and to keep us in business. We contribute to the community, support the Credit Union movement, engage with companies and organizations all around the world that are dedicated to “doing the right thing.” We continually strive to focus on increasing our value to clients and keeping our costs as low as possible. Here are a few examples of some of the steps we have taken and are taking to do so:

Consultant presence. Years ago, our onsite presence for assessments and pen-testing was a high cost item for clients. Travel, lodging and per diem were and are high ticket items. Several years ago, in an effort to lessen the financial impact on our clients and staff, we began using VPN connectivity and shipping appliance computers instead of people. The cost of shipping this hardware remains expensive today, but nothing like airfare and hotels for a security team. In 2009, our team is moving to create and deploy stable, trustworthy virtual machine images that we can move over the Internet to bring these costs to near zero. Developing these tools and testing them takes time, resources and money, but we are dedicated to continuing to bring the most value to our clients for the least amount of dollars possible. This is just one more way we can work with clients to improve their security and reduce their cost to minimize risk.

Simplified reporting for VA/PT. Our clients tell us all of the time that our reports are the best they have seen and are provided in the most useable format they can imagine. We long ago (several years) stopped shipping HTML reports and the like. Today, our typical reporting is an easy to read executive summary with a one page dashboard for the engagement findings, a technical manager report that identifies and ranks root causes of the security issues we identify and a technical details report that is provided as a detailed Excel spreadsheet so you can change, sort, import or manage the data as you see fit. Our reports have received positive comments from auditors, regulators and clients from around the world. This year, we will again be undertaking a special project to continue to refine our reporting structures. For us, leading the industry is not enough, we want to establish even more value for our clients and help them manage the reporting data in ways that reduce their heavy lifting. As always, if you have ideas on this, let us know.

Real humans to talk to. We don’t have a web portal for your reports. We don’t have an automated system for requesting assessments or the like. We do have a technical project manager that is assigned to your account. They have access to the actual engineers doing your assessments and pen-testing, and so do you. We don’t believe that dealing with some complicated web application that also might have exposures to vulnerabilities and other issues makes our clients more productive OR more secure. MSI clients talk to real humans. We talk to clients routinely during their engagements and keep them up to date as they desire on the testing and work as it moves forward. You can communicate with your technical project manager on the phone, via email or via SMS if you like. You can have a call with the engineers to clarify issues or to get answers to technical questions about the engagement. We even support our engagements for one year, allowing you to ask questions, interact with the security team and get answers up to 12 months after the engagement!

Approaches like HoneyPoint. HoneyPoint is our leading-edge software for managing the insider threat. It was designed from the ground up with the idea of “deploy and forget” (SM) in mind. We created it so you could have security visibility around your environment in a powerful way that eliminates false positives, signature updates and tuning. Long before the current “financial crisis” we wanted to help organizations get better security with less resources, and we have. Today, organizations are using HoneyPoint along with tools like OSSEC to replace IDS/IPS systems and finding the total cost of ownership to be 1/2 and the total resource costs to manage the solutions to be 1/10 of their older, less evolved solutions. In fact, many small and home-based organizations have begun using our “scattersensing” approach with HoneyPoint Personal Edition to identify bot-net infections and malware breakouts, as well as suspicious insider activities for a total software cost of ~$30.00 US!

There you have it. I have “put my money where my mouth is”. At MSI, we know the financial stress is real. We know you have significant security AND budget challenges. We are striving to help you with both, BUT, NOT JUST TODAY and NOT JUST FOR A WIN FOR US. We can’t just knock arbitrary costs out of our prices because we spend EVERY DAY focused on keeping those prices low and our value high for our clients. That has been our focus for 20 years and as long as I am the CEO, it will continue to be our focus. We believe that our engineers, sales and marketing teams and other employees support our efforts. They have shown time and time again to be committed to VALUE for our clients. We may not always be the cheapest security vendor. I know our services cost more in some cases than the “scan and forget” vendors out there. I am OK with that. For 20 years I have enjoyed doing business with clients who appreciate honesty, trust, better communication and the MSI work ethic. Our clients love the work we do for them and many tell me repeatedly how much value we bring. That, in the end, I believe, is the measure of true success.

So, if you are looking for a security vendor to help you find the most value for your security budget, give us a call. We will be happy to talk to you about your needs and how MSI may be able to help. We will put together flexible payment plans, menus of services and subscriptions for engagements if you desire. We hope to talk to you soon about how we can help you be more secure with less time and money. That’s our commitment today and long after the current “financial crisis” has passed.

MicroSolved, Inc. (614) 351-1237 x206

info < at > microsolved <dot> com for more information via email

So, You Wanna Be in InfoSec?

Posted on by
3

One of the most common questions I get asked is “How can I become an information security professional?”. These days, it seems that a ton more people want to be in the “business” of information security. I get the question so often, I thought I would write this post as a quick and easy way to respond.

Are You Serious?

The first response is a “gut check”. Are you serious that you want to be an infosec person? Do you even know what you are asking? My suggestion is 2 steps. Number 1, read a basic information security guide (not Hacking Exposed or something on an aspect, but something more general like the ISO standards). Number 2, invest in your career option enough to buy a few coffees or beers and ask a couple of security folks you know of and trust to sit down, one on one with you for an hour chat. Talk about that person’s career, what day to day security work is like in their experience and what they think about your ideas for moving forward. If you can’t or won’t invest in these basic steps, then quit now and choose another career path. Security work is all about research, reading, guidance, networking and conversations with other humans. If you can’t do these toddler steps, then forget running with the big dogs and find another pack.

Get Serious, Quick!

Step 1: Knowledge boost: Start to read every single security book you can find. Listen to podcasts, read web sites, subscribe to mailing lists. Read RSS feeds.

Step 2: Find a way to contribute: Work on an open source security project. If you can’t code, then write the documentation or contribute to testing. Start a website/blog and start to aggregate or gather other security news. Wax poetic on what you think of certain topics. Think of this part as turning knowledge into wisdom. It is where the rubber meets the road and where you will encounter some pain, humiliation and grief, but it is another form of “gut check” to make sure you are ready to be in infosec.

Step 3: Build a lab & practice security skills: Build a lab. Make it out of old hardware, virtualization systems, Live CD’s, etc. Then hack stuff. Secure stuff. Apply settings, scenarios, access controls. Shop at eBay, garage sales, thrift stores or Walmart to cut the cost down. Be creative and pragmatic, both are essential security skills.

Step 4: Brand yourself: Once you have some wisdom and insight, then update your resume. Build a personal brand. Read books by Seth Godin and Guy Kawasaki to learn to do this. Learn how to separate yourself from Joe Six-Pack and how to turn your security experiences with the above projects into valuable differentiators that open doors for you to get that job you wanted. Is it work? Yes. Is it hard work? Yes. Does it take time? Heck, yes. Is it worth it? If you get what you really want, heck yeah!!!!

It’s OK to Turn Back

If, at any point during the above steps, you decide you are not interested enough to continue, then don’t. Security is tedious, hard work. Most of it is COMPLETELY NOT SEXY and has nothing to do with Swordfish, Hackers or the Matrix, no matter how much you want to be Neo, Cereal Killer or Angelina Jolie. Security is mundane, boring, full of science, analysis and research. If you want to be great at it, you also need to understand business, marketing, math, human resources, education, more marketing, sales, basic programming, public speaking, more marketing and oh, yeah, more marketing. Why so much marketing? Because, believe it or not, people need to be sold on being secure. That is the largest irony of the job. You have to not just identify how to make them secure AND teach them how to be secure, BUT you ALSO have to SELL them on the idea that security is worth their investment of time, energy and resources. It’s not that they don’t want to be secure, it’s that humans are REALLY BAD AT MAKING RISK DECISIONS. Keep this in mind as your security career progresses. It is a handy meme.

Are there Shortcuts?

Maybe, if you wanna be average. More than likely not, if you wanna be truly GREAT at what you do. Everything in life has a price. The good, the bad and the security career. Paying that price is a part of the reward, you just might not know it yet. Pay the price. This is one system you really don’t wanna “hack” to get at the “easy way”, it makes for a lot of pain down the road when you look foolish.

What About Certifications?

I am not a believer in certs. I have never made any secret about my position. I DO NOT HAVE MY CISSP NOR AM I LOOKING TO EVER HAVE ONE. Certs are NOT a good measure of experience, work ethic or intelligence. They represent all that I hate about the security industry and the idea of doing the minimum. This is not to say that you should not pursue them or that they are not valuable, it is just my belief that the IT industry puts way too much stock in certs. They believe that most every CISSP is a real “security person” and knows their stuff. I have met plenty who do not. I have met plenty who I would not let manage my security. I have met some that I would, as well. The same goes for all certs (MCSE, CSA, etc.). Certs are just a BASIC qualification mechanism, no more, no less. Experience and what you have done in the past speak volumes more to me, and anyone I would want to work for or with, than a cert. Period.

I hope this answers those basic questions about how I think you should move toward being a security professional. I hope you do choose security as a career, if you are willing to invest in being great at it. The world needs more great security people, but we also need less inadequate security professionals. The industry has its charlatans and fakes, but it also has some of the best people on the planet. This industry has been good to me for almost two decades. I have met and made friends with some of the most talented, fascinating and warm people in the world. I am very blessed and very grateful. I hope you will be too. Buy me a cup of coffee if you want to talk more about it. I promise to try and help you figure out if this is the way you want to go, if you are willing to invest in yourself first BEFORE you seek my input. More than likely, you will find the same to be true for other security experts too. They just might like cheaper coffee than I do…. 🙂


DShield Launches Web Honeypot to Gather Attack Pattern Data

Posted on by
Reply

SANS and Dshield today announced the public availability of a new honeypot project for gathering web application attack patterns and trends. The tool is available at no charge and will feed into the ongoing DShield project data stream.

This is a great project and I am very happy to hear that more public attention will be on the use of honeypots to gather real metrics for attacks. This is something I have long stressed as a strength of our HoneyPoint products. I love the fact that they are doing it on a widely distributed basis. I know what kind of data we get from our HITME and I really hope they have much success in gathering that level of insight from a global view. I think the community as a whole will benefit.

Have we entered the age of the honeypot? Are we finally ready to accept the idea that “fake stuff can make us more secure”? I am not sure the public is there yet, but I think this another step closer. What do you think?

The Economics of Insecurity

Posted on by
2

Wanna be bad at information security? Can you afford it?

Various sources, metrics and industry studies put a variety of numbers to data loss, but the general range is around $200-$250 per compromised customer/client/credit card, etc.

How many pieces of identity data does you company protect? How many clients do you have? How many employees are in your payroll and HR systems?

Information security is expensive. Software, services, assessments, policies, awareness and a myriad of other things all cost money. But, the next time you are asking yourself or upper management about your security budget, remember that $250 number. It may just give you, or someone else, some perspective on just what it all means.

Twitter Smurfing or Amplified Twitter Spamming

Posted on by
2

Last night, @mubix pointed out a certain phrase that would result in a re-tweet of the attached content on Twitter. The interesting thing that got me going on this was that the folks in question had established an application to watch the Twitter stream and forward any content that mentioned the phrase to their followers.

Tweet-bots are not new, and I have written about code that could be adapted for this purpose in the past. Bots exist on Twitter for a variety of actions, but thus far, seem to have been relegated to auto-following folks or sending simple data streams to the service.

However, this new type of bot (which there may be others, some even older, of which I was unaware) opens Twitter and its users to a new type of spam. The obvious issue is that you could bait spam content with bot-friendly phrases and get your message sent to a MUCH BROADER coverage of followers than your own. Malicious and rowdy behavior could follow and lot of harassment and criminal activity could be shared by all. Sure, as @mubix said, “this is the open relay of Web 2.0”. I agree, it is just a matter of moments before this is a widely used abuse pattern made all the more powerful by the underlying architecture of trust that is Twitter.

But, while new forms of spam mildly interesting to me, what was interesting was that as I toyed with the bot, I would get MULTIPLE COPIES OF MY MESSAGE RETWEETED. That’s right, sometimes it would take my single message and retweet it multiple times. I could not determine if this was a bug in their implementation or a desired behavior, but it happened. That led me to the idea that you could use these bots as amplifiers. You could, essentially, identify a list of retweeting bots and cascade them to create the modern day version of the smurf attack!

Scanning the Twitter stream for these bots could be pretty easy. You could quickly script and API-enabled tool to tweet dictionary terms or brute force character groups into you found a catalog of retweet terms, then cascade them to cause a “retweet storm” of some sort. Some controls over the process are implicit due to the 140 character max for tweets, but it is likely an interesting experiment. Properly tuned, it might also be a denial of service style attack or a way to spread very small spam messages far and wide.

It should be noted that much of this is theoretical. I did not, nor do I intend, to engage in this type behavior. But, to me, it certainly seems possible. I can see it being used as a platform for spam and social engineering. I also don’t see a lot of controls that could be put in place to stop it.

Let me know your thoughts on this possibility and feel free to leave a comment and disagree or explain why I am wrong. I think there will be some interesting and dangerous times ahead for all social networks and I don’t think Twitter will be an exception.

Thanks to @mubix of Hak5 for the pointer and discussion!

“Scattersensing” on the Cheap for Insider Threats

Posted on by
Reply

I have been working with several clients to create a new process for combating insider threats. This new approach we have been calling “scattersensing”. Using this technique (or a variation of it), you can cheaply, effectively and efficiently identify overt insider threats that may be occurring around your organization’s network.

Scattersensing, when done with this method, costs less than $130 per scattersensor! Here’s what you need to do one scattersensing point of security visibility:

One older laptop or desktop system with a CDRom and a network card:

I use an old Gateway Solo like the ones found on this EBay page. None of the laptops on this page cost $100 and many are under $50. My scattersensor laptop that I use in the lab is a Pentium II 300 MHz with a small amount of RAM. The CD drive is built into the machine. The battery is long dead, but the rest of the hardware works. I bought the 100 Mbit PCMCIA card at a garage sale for $5, but they are also available on the cheap from EBay and a lot of other places. We don’t even really care about the hard disk, since we can run the entire system from a LiveCD if we need to, or if you have a working hard drive, you can do a hard disk install and make it even easier to use as you move it from place to place. You could also do this with just about any standard desktop, workstation or old PC you have laying around anywhere or can obtain at a garage sale or thrift store.

Now that you have the hardware, you need the operating system. For our approach, we suggest Puppy Linux. It has been tested to work as desired and can be easily hardened with a password change. You can read more about it and download the ISO image from here. Download it and burn it to a CD. You can then do the optional hard disk install if you like, simply follow the directions from the Puppy Linux site and/or from the included installer. (You may need to wipe the disk first if an NTFS partition is present). Cost of the operating system: FREE

Next, we need a copy of HoneyPoint Personal Edition from MicroSolved. You can get the zip file from here for Linux. To have the application run longer than 15 minutes at a time, you need to purchase a license for $29.95 from the online store here. Digital River will send you a license key via email. Use that license key when you first start HPPE and it will unlock the application for that system. You can use the license key over and over again on the same system if you are using a LiveCD (so keep it handy) or it will be maintained by HPPE if you did a hard disk install. Now, install, start, configure and license HPPE on your scattersensor.

Here is a picture of a scattersensor I use routinely in the lab and in the field for training/exercises. It is the Gateway Solo I referred to above.

IMG_0253.JPG

OK, so now that you have a scattersensor built, what next? Next you deploy it. You place it in your network environment, using it to detect overt insider threats like scanning, malware probes, bot-net activity and anyone looking around the environment. Since the services that are being offered by the HPPE deployment aren’t real, there is absolutely NO REASON you should see any activity at all. Any activity you do see, should be treated as suspicious at best and malicious at worst. Investigate any activity you see, period. Many organizations find things like misconfigured software, holes in ACL’s or the like and of course, the variety of attacks previously described.

Using scattersensor(s), you can easily move them from network segment to network segment on a semi-random schedule. Move them to the DMZ for a week or so, then on to the server network segment, then to a partner network, then to workstation segments. Build more than one and cover a lot of areas easily. For small to mid-size organizations, a couple of scattersensors with HPPE may be more than enough to give you good security visibility and coverage. Many organizations have used the scattersensing approach for a while and then moved up to use the full blown HoneyPoint Security Server enterprise product.

There you go, a first light touch on the subject from Operation Anaconda. A way to easily (and incredibly cheaply!) get security visibility in a powerful and evolutionary way. Give it a try and let us know how you fair. You can report your updates and progress in the comments or via the #anaconda hash tag on Twitter. Good luck out there!