In the last couple of days, there have been a couple of interesting pieces of bot-net news.
Author Archives: Brent Huston
Broken Window Economics and Being “Type B”
I am actually quite glad that this article was written. I agree with its premise and I am very glad that MicroSolved is a “type B” security vendor. I am OK with that. It fits my world view. I am OK with not being a member of the “PCI in crowd” or doing infosec “just like all of the other vendors.” In fact, I STRIVE for MSI to do it differently. I PUSH my organization to serve our clients at a higher level. I STRAIN to help them achieve leverage. I think being “type B” makes MicroSolved INVALUABLE as a security partner.
That, in my book, is worth far more than being popular, one of the crowd or getting industry trophies and certificates. Those things might be nice for some, but helping OUR CLIENTS serve their customers in a safer way is just more our focus at MSI.
New Emerging Web Scans from the HITME
We started picking up a few very low intensity scans last night. The pace of them is increasing. They appear to be aimed at cataloging users of the ANT tool. You can find a list of the scanning targets and a link to BrainWebScan here, if you would like to check for them yourself.
If you are a MicroSolved Managed Assessment (GuardDog) client, your systems will be tested during your next scheduled assessment.
If you have any questions or would like to know more about our ongoing assessment services, threat management or application security testing, feel free to email us at info [at] microsolved [dot] C O M or give us a shout at 1-877-351-1237. We would love to discuss it with you!
InfoSec Cheat Sheets, A Collection!
I don’t know about you, but I LOVE cheat sheets. I absolutely use the crap out of them.
Today, someone (I lost the email since then) sent me this page that has a boatload of cheat sheets in one locale. Thanks to whoever sent it, you know who you are.
I hope you find something useful there. I know I did!
Is IE Still on the Desktop at Your Organization?
I know that the IE infection is hard to kick. The most common argument I hear is that many sites just don’t work with anything but Internet Explorer.
Is this a true issue, or merely an excuse for inaction? I know a few organizations that have installed alternative browsers (OK, Firefox, in all cases), and blocked all external access to IE users. They then take the help desk calls, check the sites that the users say won’t work with anything but IE, make sure they meet a business need, and then one by one add them into the proxy to be allowed out with IE.
Sure, this is a lot of work on the front end. Here’s the rub, though. 30 days out, the work drops like a hot stone in the hands of a yeti. Basically, the ongoing need to add sites becomes so infrequent as to be non-existent and is handled with a one-off approval process. In terms of risk, the few who have taken this approach claim such a huge reduction in spyware cleanup, infections and basic break/fix calls that they say the longer term savings paid for the work of the 30 day period in less than 3 months. That’s a 90 day, 100% ROI for a 120 day project! In business terms, this is a NO BRAINER.
Given the oddity of Aurora, the history of IE vulnerabilities and the ease with which new users of Firefox, Opera, Chrome, Safari, et al. become proficient, the deck begins to stack in favor of replacing IE for Internet-bound traffic in all but a limited set of cases. Sure, use IE for that odd website, for those internal legacy apps where a code rewrite is not feasible. Heck, in this case, maybe even allow IE 6 to live on for internal use only (pray for no internal malware or XSS attacks). We all know the real attack surface for IE is overwhelmingly the Internet.
Maybe this approach will work for you. Consider it. It works even better when combined with proper egress filtering, enclaving and role-based access controls.
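One way to implement the proxy side of the approach above, as an added example rather than anything from the post or from MicroSolved: a Squid configuration fragment that lets other browsers out normally while confining Internet Explorer to a reviewed allowlist. The file path and the internal address range are assumptions.

```conf
# squid.conf fragment (added example). Every browser may reach the Internet,
# but Internet Explorer is limited to an explicit allowlist of sites that the
# help desk has verified as needing IE. Paths and ranges below are placeholders.

# Identify Internet Explorer by its User-Agent header (Squid "browser" ACL).
# "MSIE" covers IE 6 through 10; "Trident" catches IE 11, which dropped "MSIE".
acl ie browser -i MSIE
acl ie browser -i Trident

# Sites approved for IE, one domain per line, e.g. ".legacy-vendor.example"
# (assumed file path; a leading dot matches the domain and its subdomains).
acl ie_allowed dstdomain "/etc/squid/ie_allowed_sites.txt"

# Internal clients (assumed address range).
acl localnet src 10.0.0.0/8

# Order matters: the first matching http_access line decides.
# 1. IE may only go to allowlisted sites; any other IE request is denied.
http_access deny ie !ie_allowed
# 2. Other browsers on the internal network get out normally.
http_access allow localnet
# 3. Default deny for everything else.
http_access deny all
```

After adding a site to the allowlist file, reload with `squid -k reconfigure`; denied IE requests show up in access.log as TCP_DENIED, which gives the help desk the list of sites users tried with IE and a starting point for the business-need review.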
Let me know what you think!
Why Web-Application Security is Important
After the discussion about my last post and my omission of appsec, I wanted to make up for it not being in the list. Certainly, application security is important and as pointed out, I should have added it to the list of primary concerns for organizations.
By now, I hope everyone understands that attacks like SQL injection, cross-site scripting and the rest of the OWASP top 10 can have devastating effects. Often, when these vulnerabilities come into play, data loss soon follows. Sometimes, the attacker is able to gain direct access to the data targets they are seeking. For example, if SQL injection grants them access to a database that contains credit card information or identity data, then the initial compromise may be all that the attacker needs to obtain their goal.
But, even when the initial compromise does not directly yield them the data they seek, the initial SQL injection compromise often allows them access to and/or control over other systems and components. They then use a variety of technologies and techniques (from keylogging to sniffing and from pivot attacks to trojans) to leverage the initial problem into the compromise of the data they seek. In many cases, the attackers prove themselves to be both creative and patient as they slowly crawl towards their goals.
Even if your site does not have the targets they want, the SQL injection can be quite damaging for your organization. Not only do you have the compromise itself, but quite often, the application or web server with the vulnerability is manipulated to propagate malware that infects the visitors to your site, turning their machines into victims as well. As a client recently told me, “You don’t want to have to explain to upper management why your web site is responsible for infecting your customers’ computers with a virus. It is not really good for your career.”
These are just a few of the reasons that your organization should take web application security seriously. If you have some more you would like to share, please leave a comment below.
New Year, Old Threats
Welcome to 2010. A new decade, for sure, but one likely to contain many of the traditional security problems that we have grown used to.
How would I rate the top three things you should be paying attention to as we begin the new year? Glad you asked.
1. Malware – malware is the current serious scourge of infosec. It is becoming increasingly clear that prevention is a losing battle. Detection is often not even up to par, so personally, I would be thinking about response. How can we leverage egress filtering, data leak protection and other controls in depth to limit the amount of damage that an infected machine can do? Can we perform alternative forms of detection, like HoneyPoints and HoneyBees to identify when things are “not quite right” in our environment? These approaches have a proven track record for helping. Check out the SANS CAG for more tips down this line of thinking.
2. Partner network connections – Are you sure they are secure? Do you treat them (and their traffic) like a DMZ? If not, get a move on, because the statistics show this is a major source of issues and data loss.
3. Do you have “production blinders” on? – Are all of your systems in scope for your ongoing assessments? You need at least monthly ongoing vulnerability assessments of every machine in your environment. Not just from the Internet, but also from the internal network(s). Why the inside too? Review point number 1. The inside is the new outside... Give us a call to discuss assessments if you need help. Our GuardDog appliance can provide you with ongoing assessments that are affordable and results focused. Together, we can help you get to a comfort point where security is a manageable task.
Those are the big three. They are what I would focus on if I were a CIO or network manager. Welcome to 2010, where everything is different, except the things that aren’t.
PS – I hope you had a wonderful holiday season!
Got Internet? Read This….
http://is.gd/5xnBP I wish all consumers could read these 5 myths about cyber-security. Well spoken, Ms. Hathaway. Got Internet? Read this….
Creative Uses of Video for Quick and Easy Awareness
Are you looking for an effective mechanism to help your staff stay alert against laptop theft during the holidays and such? Here is a quick suggestion.
Take an iPhone, iPod or other video-capable device and shoot a quick 30 second piece about a laptop getting stolen. Have your own team star in it. Keep it quick, light and humorous. Maybe show your CEO in a panic when she realizes her laptop is missing, or a shot of your IT manager in a hoodie grabbing a laptop from the lunchroom and running. Make it over the top and funny, then close with a serious message about how quickly laptops can be stolen, how you should never leave them in a car or such without locking them in the trunk, and other stuff you want the users to know.
Close with how they should tell you if they have lost a laptop and who they should call.
That’s it. Keep it home video looking, don’t worry about production quality or any of that. Quick and dirty videos are the way of the new web, so think more YouTube than MGM.
Now, send your video out, or a link to it, and let your employees make suggestions for future episodes. Everyone who submits a suggestion gets entered into a drawing for movie tickets. Easy, affordable and effective.
Who knows, you may not get an Oscar, but you might just save yourself from a data breach. Either way, it will be fun and educational.
Enjoy and don’t hesitate to call us if you need help with the video, ideas or need more information about laptop encryption or other security measures. We are here to help and can get you through most laptop security issues with ease!
Don’t Forget Hacktivism as a Threat to Model
I loved this story. The idea that some “hackers” hack for political or social causes is not new. This idea stems back several years and has evolved from simple web defacements with social and political messages to the “new breed” of information theft, data disclosure and possibly even sabotage to further one’s views.
Today, all of the experts in the security field, myself included, spend a great deal of time teaching people that the primary data theft threat is more organized crime than teenage vandalism. But, that said, we certainly can’t forget the idea that hacktivism is still alive and well. In fact, given the explosive growth of the Internet, the continually expanding dependence on technology for everyday life and the common availability of so much data and access, hacktivism is likely to gain in popularity, not shrink.
That brings us to a huge issue. How do we know where some of the data that hacktivists would be interested in lives? Given that people are involved today in a myriad of social activities, use of social networks and such, how do we know who might have information that a hacktivist would want and who doesn’t? The answer of course, is that we have to assume that someone in our organization might have data that is relevant to this threat, so we have to account for it when we create our threat models. If we happen to be a philanthropic organization, a government agency or a federal group, we definitely can’t overlook hacktivism as a threat, because our very existence yields reputational risk for us and a reputational trophy for many hacktivists if they make us a poster child.
While the hacktivism threat model is likely more one of opportunistic nature than dedicated, focused attacks against a given organization, that may not always hold true. One day it may not be all about what data YOU have and hold, but what data the people who WORK FOR YOU have and what roles they play in their personal lives. While this is not necessarily true today, the idea that hacktivists might one day target individuals to achieve social goals is not out of the question.
So, all of that said, how much thought have you given hacktivism? Does your risk assessment cover that as a threat? Have you done any threat models around politically or socially motivated attackers? If not, it might be a good idea to take a look at this threat vector. Their aims and goals may be different than what you had in mind when you last updated your threat models.