About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

Time to Play Some Offense…

Posted on June 2, 2008 by Brent Huston

To quote, Allan Bergen, it sure looks like it might be “time to play some offense”…

Not surprising to me, I read today that the primary security concern of IT managers is the inside threat. It doesn’t surprise me because I have been working on educating organizations for several years about the seriousness of the insider threat. In fact, I would suggest that there are very very few threats that are NOT insider threats. Why? Because there really is no inside or outside. Thanks to disruptive technologies and evolved attacker capabilities – just about everything is exposed to attack. Just ask some of the recent vendors who were compromised in high profile “PCI-related” cases how well they feel that their “perimeter security” protected them…

The truth is, there are three powerful things that can be done to combat modern attacks, whether internal-based or executed by attackers half a world away.

1. Implement and enforce data classification – Know where your critical assets are, how they move around your environment throughout their lifecycle and then use tools like access controls, encryption and integrity verification to make sure that they are protected. Use logging analysis and event management to detect issues and make sure all of the controls, including role-based access controls, are HEAVILY and PERIODICALLY tested.

2. Embrace enclaving – Enclaving is like defense in depth throughout the whole network. Establish proper need to know boundaries, then build enclaves of security mechanisms around the data. Don’t build networks that trust user workstations with access to databases and other servers, segregate them with firewalls, detection mechanisms and access controls. Build as much security for the users as makes sense, but design the environment so that if users make bad decisions (which they will) and get popped – so what! Client side exploits and malware are only a concern if users have access to inordinate amounts of data. The problem is making sure that you get your controls and practices tight enough to limit the exposure that user compromise presents. That alone should go a LONG way toward minimizing your risk if done properly.

3. Move up the security stack to Threat Management and Risk Assessment – Use processes like risk assessment as a factor in business decision making. Security can truly empower business, but you have to let security teams stop being the “patch patrol” and “net cop” and let them get to actually helping you manage risk. They have to be able to identify threats, model threats and understand attacks and exposures. That requires education, dependable tools and upper management support. Encourage your security team to mature and begin to take real-world risk into consideration. Help them to resist the cult of the arcane technical security issue…

Of course, MicroSolved can help you with all three of these areas. We have the experience, insight and expertise to help you build effective enclaves and design data classification systems that make sense. We can help your team find security assessment goals that make more sense and provide ongoing assessment to keep them focused on the real-world risks. Our HoneyPoint products can help them model threats, frequency of attacks, understand the capability and intent of attackers and even give them deep insight into proactive risk metrics that they can leverage for “more science than academic” metrics of risk measurement. All of these things help your organization protect against the insider threat. All of them are available today.

The bottom line is this – if you are an IT manager looking to defend against the insider threat – give us a call. Together we can apply these strategies and others that your organization may need to effectively manage their risk and protect their assets.

At MicroSolved, we think differently about information security. So should you.

Snort Issues In Case You Missed Them and Malicious SWF

Posted on May 27, 2008 by Brent Huston

In case you missed it last week, Snort seems to be suffering from a problem with odd TTL values, which could allow an attack to get by Snort without detection. 2.8.1 has been released and includes the fix for the issue. Users of Snort should upgrade as soon as possible or apply the following workaround until they can update:

/From iDefense/

In the snort.conf file, set the ttl_limit configuration value to 255 as shown below.

preprocessor frag3_engine: ttl_limit 255

This will set the allowable difference to the maximum possible value, and prevent fragments from being dropped.

/End iDefense Content/

Also, SANS is talking about malicious SWF files that have been found online. Looks like they are using some encoded images that can cause some issues with what may be a previously known flash player vulnerability. Advise your users to be wary of flash enabled sites that they would consider “untrusted”. Of course, your milage may vary with this one, but at least awareness might help….

Lastly, as refresher, if you are a Notes/Domino user, it might be a good idea to check out patches that have been released lately. There have been a number of issues in the last few weeks and we are seeing an increase in Domino fingerprinting on some of our non-US HoneyPoints. Looks like quick scans for names.nsf and a couple of other common Notes files. So far though, we have not seen any attacker activity out of the norm, but it may be the precursor to an attack or other activity. Just an FYI…

What is “Defensive Fuzzing”?

Posted on May 27, 2008 by Brent Huston

Since the release of HornetPoints with the newest version of HoneyPoint Security Server, I have been getting a lot of mail asking about “defensive fuzzing”. I thought I would take a moment and talk a little bit about it and explain a bit about its uses.

Defensive fuzzing is a patent-pending approach to network, system and application defense. It is based on the idea of using techniques from “fuzz testing”, but applying them against incoming connections in a defensive manner rather than as a test mechanism for known software. The idea is that attacker tools and malware probably fail to meet established best practices for software development and thus, are likely to have issues with unexpected input just as normal professionally developed software does. Further, “defensive fuzzing” lends itself to using fuzzing techniques as a protective mechanism to cause attacker tools, malware and other illicit code to abnormally terminate. Basically, by fuzzing incoming connections to a HornetPoint (which should have no real world use, thus all incoming connections are illicit) we can terminate scans, probes, exploits, worms, etc. and reduce the risk that our organization (and other organizations) face from these attacks.

For those of you who might not be familiar with fuzzing, you can read more about the basics of it here. However, keep in mind, that defensive fuzzing applies these techniques in new ways and for a protective purpose rather than a software testing process.

HornetPoints simply embody this process. They can be configured to fuzz many types of existing connections, emulating varying protocols and applications. For example, targeting spam and relay scanners can be done by implementing the SMTP HornetPoint. It listens on the SMTP port and appears to be a valid email relay. Instead, however, it not only captures the source and traffic from the spammers, but also fuzzes the connection as the spam is sent, attempting to terminate the spammer scanning tool, bot-net client or other form of malware that is generating the traffic. Obviously, success rates vary, but our testing has shown the process to be quite effective against a number of tools and code bases used by attackers today.

That is just one example and many more are possible. For more information about defensive fuzzing or HornetPoints, please leave us a comment or contact us. We would be happy to discuss this evolution in security with you!

HoneyPoint Security Server Creates Proactive Protection

Posted on May 19, 2008 by Brent Huston

Columbus, Ohio; May 19, 2008 – MicroSolved, Inc. is pleased to announce the general availability of HoneyPoint™ Security Server version 2.50.

This latest release of their best-of-breed corporate honeypot product expands its capabilities to include new types of bleeding-edge protection in the form of HornetPoints and HoneyPoint Trojans. HornetPoints introduce a pioneering and patent-pending approach called “defensive fuzzing” that identifies and stops attacker activity in its earliest stage of reconnaissance, in some cases, literally eliminating bot-net and zero-day attacks before they have a chance to begin and propagate. HoneyPoint Trojans, modeled after the counter-intelligence efforts of nation states, enables organizations to create pockets of “dis-information” that, once touched, create a forensic tracking capability that follows it’s movement inside the network or out. Imagine the ability to literally turn the tables on attackers as you follow how this data is spread and used as it moves around the world.

“The addition of HornetPoints to the product really takes things to a new level. For the first time, organizations can proactively create protection that is robust, effective and capable of automatically defending them against many forms of attack.”, declared Brent Huston, CEO of MicroSolved. “Add the HoneyPoint Trojans to that mix and you finally have organizations that are capable of removing the layers of confidentiality, integrity and availability from attackers. Used properly and creatively, the product lends itself well to the creation of a corporate counter intelligence program.”, Huston added.

“Any organization that wants to improve their traditional security approach from a “defense-only” posture to a new and pro-active mode of protection, simply must have a look at HoneyPoint. I don’t care how many layers of defense you have… it’s time to play some offense.”, said Allan Bergen, Business Development Director of MicroSolved.

For details on obtaining the 2.50 upgrades and/or to discuss the product or its new features, please contact a MicroSolved account executive. For more information, please visit www.microsolved.com/honeypoint

About MicroSolved, Inc.

MicroSolved, Inc. was founded in 1992, making it one of the most experienced information security services companies in the world. Providing risk assessment, ethical hacking, penetration testing and security intelligence to organizations of all sizes has been their passion for more than a decade. Today, they secure businesses on a global scale and still provide expertise close to home. From governments to the Fortune 500 and from small business to your business, they are the security experts you can trust.

Press Contacts

Brent Huston
CEO & Security Evangelist
(614) 351-1237 x201
Info@microsolved.com

Allan Bergen
Business Development Director
(614) 351-1237 x 250
Info@microsolved.com

Fear Renewed: The Cisco Router Rootkit

Posted on May 15, 2008 by Brent Huston

The media is all abuzz about a possible Cisco router rootkit that may be part of a presentation at a near future security conference.

While various issues with Cisco gear have emerged over the years and there has been at least one really public overreaction on the part of Cisco to vulnerability disclosure talks, there is probably little to really get spun up about here for the average corporate manager or infosec person.

The big news is that hostile, difficult to detect code could be introduced to routers at any point in their lifespan if an attacker has access to introduce images onto the router. This is a common problem with almost every type of device. There have been a number of trojan horse loads for everything from home firewalls to other forms of network gear for a number of years. Sure, the Cisco router is almost ubiquitous, and sure, it powers a lot of the Internet at large, but I think we pretty much always assumed that attackers with physical access and opportunity could introduce bad things to a device if they gained opportunity.

So before you give in to the hype or fear mongering, consider how this is different than any other form of software/firmware or the like. Likely, you already have a process in place for blowing new firmware onto all devices you purchase before putting them into use (right???). If not, it might be time to think about writing one…

April Virtual Event MP3 Available – Selling Security to Upper Management

Posted on May 15, 2008 by Brent Huston

We are pleased to announce the availability of the MP3 from last month’s virtual event that covered the selling of security to upper management.

We got great feedback on the event and plan to continue our monthly virtual presentations. If there are topics you would like to see us cover or want us to dig into, please drop us a line or comment.

The slides for this presentation are available here.

The MP3 is available here.

Thanks again for spending time with us. We really love working with each and every one of you!

Microsoft Patches Released for May

Posted on May 13, 2008 by Brent Huston

Microsoft posted their patches for May today. Looks like 3 critical patches, all of which allow remote code execution. A denial of service patch is also included as a moderate.

Given the interest lately in patch-based vulnerability generation, if exploits don’t already exist in the wild, they are likely very quickly.

Organizations should immediately begin testing the patches against their normal QA process and get them applied as quickly as possible.

MSI Announces May Virtual Event – Corporate Counterintelligence

Posted on May 9, 2008 by Brent Huston

Corporate Counter Intelligence: Ancient Strategy,Bleeding-Edge Protection

Abstract:

The message is very clear. What we have been doing to secure information has not been working. Attackers are on the rise, the number of successful compromises is higher than before and all of the legislation and regulations just make things more complicated. Attackers continue to grow in number capability and sophistication.

The principles of corporate counterintelligence are rooted in the history of warfare. This presentation will explain how organizations can improve, simplify and increase the effectiveness of their information security programs. Using ancient principles and techniques based on the art of counter intelligence information security teams can become more strategic, focused their resources where they will achieve the highest return and reduce the risk that their organizations face.

MSI security visionary, Brent Huston, will explain how these techniques can be applied to your business and introduce specific strageties and tactics that you can deploy today. Explanations of how these evolutions in security thought can truly translate into faster, safer and more powerful protection for your organization will be revealed.

For more information, access to the visual and audio content for the presentation, simply email info@microsolved.com.

The virtual event will be conducted Tuesday, May 20, 2008 at 4pm Eastern.

Beware of Myanmar Aid Scams & Trojans

Posted on May 8, 2008 by Brent Huston

Nothing like a disaster to bring out the crimeware.

Keep your eyes open for disaster and aid oriented phishing and trojan scams. There is likely to be the same types of attacks that we have seen with other disasters. We can expect everything from Trojan horses designed to look like headline update tools, phishing schemes asking for donations, basic client-side exploits from web and HTML emails and the usual myriad of outright fraud.

Basically, if you really want to help folks, drop by known and trusted organizations such as the Red Cross, etc.

Be on the look out for strange network activity as this is likely going to be a basis for growing the bot-nets by yet another expansion.

Here We Grow Again! — MSI is Hiring!

Posted on April 22, 2008 by Brent Huston

MSI is seeking a technical leader with an understanding of Linux, networking and an interest in information security. The main focus of this position is project/engagement management, but the successful candidate will also need to be able to participate in security testing as a member of our team. They should have excellent written and verbal communication skills and not be afraid of dynamic environments. Public speaking, customer presentations and technical writing definitely go in the “plus” column.

The position is full time, located in Columbus, Ohio and has excellent benefits, a friendly and casual working environment and minimal travel. It also includes working with our team and being the best that the security industry has to offer.

If you would like more information about this position, please send your resume to bhuston**AT**microsolved.com.

MSI :: State of Security

Insight from the Information Security Experts

Author Archives: Brent Huston