About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

Unusual Metrics or How HoneyPoint Catches Attacks Faster Than NIDS

I had an interesting and odd conversation with some folks today who were trying to determine how fast NIDS would identify potential attacker traffic that was innocent-appearing. When I entered the debate, they were deep in conversation that centered around threshold settings in various IDS/IPS products and their recognition of port scanning. They seemed to be engrossed in how many connection attempts in a second should be considered malicious.

Eventually, they asked me about HoneyPoint and how many connections it takes for it to decide that traffic is malicious. I simply responded “One.” Finally, I explained that since HoneyPoints are pseudo-services and have no real reason for any traffic at all, ANY CONNECTION to a HoneyPoint is by nature suspicious and we would alert. After about 15 minutes of discussion and further debate, I think I made believers out of them and they have all requested to demo the product for 90 days in their environment.

This is simply another way that HoneyPoint changes the IDS/IPS paradigm. It doesn’t really matter how MANY connections an attacker makes per second unless they are causing DoS on the network. IT REALLY MATTERS WHAT THEY ARE CONNECTING TO!

HoneyPoint can help you determine the criticality of even a single connection to a pseudo-service. You could take action then, or wait to see how things develop. If the attacker hits multiple HoneyPoints on a single host or multiple HoneyPoints on multiple hosts, you can determine what to do based on the risk of the behavior you see. If they begin to probe the HoneyPoints, you can likely very quickly determine what tools they are using, what they seem to be focusing on, etc. All of that helps you make better decisions and craft smarter, more effective responses.

So, the bottom line is this: as weird a metric for comparison as port scanning thresholding may be, HoneyPoint can help you drop that number to 1. Using HoneyPoint smartly and effectively, you can secure your environment more rapidly, easily and with greater insight than other technologies. How is that for an unusual metric?
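To make the threshold-versus-decoy argument concrete, here is an added example (written for this page, not HoneyPoint's own code) that runs a NIDS-style per-second scan threshold and a decoy-style "one connection is enough" rule over the same constructed connection events. The decoy host/port pairs, the source address and the threshold value are assumptions chosen for the illustration.

```python
"""Threshold port-scan rule beside a decoy (pseudo-service) rule."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: float      # seconds since start of capture
    src: str       # source address (constructed sample value)
    dst_host: str  # host that received the connection
    dst_port: int


# Assumed deployment: decoy listeners that no legitimate client should reach.
DECOYS = {("10.0.0.5", 4899), ("10.0.0.5", 3128), ("10.0.0.9", 4899)}


def threshold_scan_alerts(events, per_second=10):
    """NIDS-style rule: alert on a source only once it opens more than
    `per_second` connections inside any one-second window."""
    alerts = []
    seen = defaultdict(list)  # src -> timestamps inside the current window
    for e in sorted(events, key=lambda e: e.ts):
        seen[e.src] = [t for t in seen[e.src] if e.ts - t < 1.0] + [e.ts]
        if len(seen[e.src]) > per_second and e.src not in alerts:
            alerts.append(e.src)
    return alerts


def honeypoint_alerts(events):
    """Decoy rule: the first connection to any decoy is an alert; severity
    rises as the same source touches more decoys and more hosts."""
    touched = defaultdict(set)  # src -> {(host, port)} decoys contacted
    alerts = []
    for e in sorted(events, key=lambda e: e.ts):
        if (e.dst_host, e.dst_port) not in DECOYS:
            continue  # a real service; not this detector's concern
        touched[e.src].add((e.dst_host, e.dst_port))
        hosts = {h for h, _ in touched[e.src]}
        if len(hosts) > 1:
            sev = "high"    # probing decoys across several hosts
        elif len(touched[e.src]) > 1:
            sev = "medium"  # several decoys on one host
        else:
            sev = "low"     # a single decoy touch, still worth a look
        alerts.append((e.ts, e.src, e.dst_host, e.dst_port, sev))
    return alerts


# Constructed sample: a slow probe that never trips the per-second threshold.
SAMPLE = [
    Conn(0.0, "198.51.100.7", "10.0.0.5", 80),     # ordinary web request
    Conn(1.0, "198.51.100.7", "10.0.0.5", 4899),   # first decoy touch
    Conn(7.0, "198.51.100.7", "10.0.0.5", 3128),   # second decoy, same host
    Conn(15.0, "198.51.100.7", "10.0.0.9", 4899),  # decoy on another host
]
```

Run against the sample, the threshold rule never fires while the decoy rule alerts on the second event and escalates from there.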

HoneyPoint Swag and Community Links

Please pardon the overt marketing interruption.

You can now get your very own HoneyPoint Swag from Cafe Press. If you are interested in showing the world you are helping to change the way Intrusion Detection is done, please feel free to order your merchandise from here.

http://www.cafepress.com/honeypoint

Also, while we are overtly promoting this morning, please don’t forget to use the HoneyPoint forum if you have interest in learning more about HoneyPoint, strategies or the like. Real users, a real community. Up and coming – for sure! But check it out if you are a fan of HoneyPoint or honeypots in general. Registration is required.

http://www.honeypoint.net

Sorry for the overt marketing interruption and we now return you to your regularly scheduled blog.

Keeping The Security Team Engaged

After a discussion today, I wanted to post about a couple of ideas for helping managers keep their security teams engaged in the process.

Burnout is a very common thing in infosec, as it is in a lot of IT, especially in organizations today, when there is so much going on and so few resources to aim at the problems. Here are 3 quick ideas to help you fight burnout amongst the security team.

1. Training or Cross Training – Few things engage people more than learning a new skill, especially one that is new and interesting or that can really help them solve their work problems. Consider teaching a new skill like Perl scripting (or any other language) that might help them automate some of their tasks. If they embrace it, it can mean less work for them and more quality, repeatable results for the team. That is a pretty cool win/win. You might also consider swapping your team around and rotating their responsibilities where possible. Encourage large scale cross-training as a way to keep things fresh and to keep new eyes on your common duties. Often times, this plays out well and can lead to some big new ideas or mechanisms that can have huge paybacks!

2. Engage in some branding – Create a team image that exudes confidence. Brand the team members with special events, shirts or other items. Let them name the team and encourage a few group events that establish trust and reinforce rapport. If appropriate, let them build an image around themselves as being “elite” or such. Those images are good for morale and good for building the internal image of you and your group – just make sure it stays realistic and doesn’t go too far.

3. Let some of your team rotate on pet projects – Has your team been bugging you about a new tool or process they need? Have they been asking to build a wiki to maintain their documentation or a new Intranet site for communication with other teams? If so, add it as a project, but communicate that they must rotate who works on it and set a maximum of 2 hours per week. Let them choose a project leader and have that person schedule the work on the pet project and report monthly status updates to the whole team. You just might be surprised how much they get done, and how much such a simple indulgence might re-energize some or all of them!

Leverage these 3 quick ideas to keep your team engaged and running on all cylinders. Got some other ideas you might have had success with? Post them as a comment and I will make sure they get added!

The Value of Threat Intelligence

How much is it worth to know that a new vulnerability has been found in your organization’s favorite application or operating system? Would you pay $50,000.00 a year for alerts to new exploits or attacker trends? Does knowing that these issues exist give your organization a measurable heads up to prevent damages, beyond what you already get from your regular scanning and assessments? Would that knowledge actually spark action that reduced your risks?

Many other security firms are hoping you say “Yes!” to the above. And, with prices for those alerting mechanisms ranging from that 50K to nearly 200K per year, you had better be pretty sure of the value of those alerts.

At MSI, we believe that such knowledge is valuable. We believe that, properly acted upon, such data could help many organizations prepare for security issues, tune their protective postures and increase vigilance around possible weaknesses. However, we just don’t believe that most organizations are willing to spend that 50K per year for such insights, nor do we believe they should. For several years now, we have offered such a service, called WatchDog, for FREE. That’s right, FREE per year.

Our organization does this to give back to the community. We do this because we already have to do the major work anyway to stay current and serve our clients at the level of excellence we are committed to, so why not aggregate that knowledge and give back to the world?

If you are not a WatchDog user yet, or you are considering how you might integrate an intelligence product into your security posture, feel free to give us a try. You can download the product here.

Oh, and if you like it, or the data we provide, please feel free to donate $50,000 or more to your favorite charity. They will thank you and the world will be a better place, just as it should be.

Coming Soon To A State Near You – PCI As Law

We are hearing more and more rumblings these days about making PCI the default standard for infosec, and a lot more legal rumblings of making their standards enforceable as state laws. Already Minnesota has passed the standards into law and Texas seems to be next.

While I see the PCI standards as a step forward for credit card companies, I am not so sure that enforcing it as law is a good thing. Over-legislation has done little to secure the Internet thus far (remember the “Can Spam Act”) and in some cases has caused so much legal confusion that small rebellions have broken out (see the DMCA for this one!). I am not sure that organizations will become compliant just because it is law, as opposed to just being a rule from their card processors. After all, does the amount of “large fines and penalties” really matter? Does it really change behavior? I just don’t believe it does.

Nonetheless, PCI has certainly gained momentum and public recognition. Many of our clients who don’t even process credit cards have begun asking about it, citing it as a standard and asking for gap analysis between their processes and the DSS standards. Many of them believe that in the not too distant future, courts may see PCI DSS as the de facto security baseline that helps them determine the difference between liability and negligence for just about all organizations, not just credit card dependent ones. One thing is certain: now would likely be a good time to become familiar with the PCI rules, because your management may be asking you sooner rather than later.

LoansCandy Not So Sweet

Our HoneyPoint sensors have been picking up quite a large number of scans for open proxies lately. As usual, much of this traffic is originating in China, where open proxies are used for a number of reasons from spam to political activity to simple uncensored Internet access.

Interestingly, we are seeing a pretty decent increase in the number of probes for open web proxies using a site called www.loanscandyloans.com as the target. This site, owned by a person in China and hosted in the US, seems to be a front site with the main purpose of simply hosting a set of PHP scripts used to verify open proxies and other connections.

Quick Google searches about LoansCandy reveal a short history of scans, probes and semi-malicious activity. Likely, the site is used simply as a collection point for the data and offers little else in real terms. However, it might be wise for organizations to consider blocking any connections to the site, just in case open relays or proxies might be present in their environment.

HoneyPoint has been an essential part of MSI’s infosec intelligence program and continues to prove itself an amazing tool for threat analysis on Internet or internal networks. We continually monitor several HoneyPoint deployments around the world for interesting activity and attacker trends. Look for us to share more data from our captures in the future.

Final ITWorld Weekly Column

As I write this, I am sending my final weekly column over to ITWorld.

After more than six years, ITWorld and I decided to make some changes to the column and site and as a part of those changes, I will be moving my writing over to the blog and focusing on it more in the future.

ITWorld and MSI will continue to work together, and I will likely pop in on the security site from time to time with an occasional article, whitepaper or multi-media presentation. We will also continue to work together on other items as well. They are a great team, and we truly enjoy working with them on a regular basis.

Part of these changes is based on a new direction for the ITWorld site, and part of it is to allow me to focus more on new media work, like blogging and creating richer materials and content to further evangelize MSI and HoneyPoint technologies.

Look for more content here on the blog, more coverage and maybe even some site enhancements as I switch my focal point to be more centered on StateOfSecurity.com. In the meantime, thanks for your patience, and if you are just coming over from the traditional column, please let me extend a big WELCOME and to point you to the archives. There are a lot of good topics there, and I can assure you a lot more to come.

As always, thanks for reading, in the past and in all of the days to come! You folks really make all of this possible, so Thank You!!!

Keeping It All Straight – Security Management Tip 101

One of the questions I get from clients is how I stay on top of so much stuff all the time. If you read this blog, you know we track emerging threats, identify new vulnerabilities, develop software, oversee our HoneyPoint deployments and run the whole security services company. That can be a lot of detail to manage, but it is doable with a system of methodologies, careful attention to detail and some good tools.

Today, I wanted to talk about a couple of the most useful tools that I use every day. They are very powerful and common, but they combine to be one of the most useful tools in my security management arsenal. Are you ready for the secret?

The big secret weapons are my cell phone (a Treo 650) and Jott.com!

That’s right. My cell phone is a smart phone that is integrated into my management process. I can use it to send and receive email, keep my schedule and to even write blog entries like this one on the go. Often I use it to do quite a bit of writing, from emails to articles. It is a very powerful tool indeed. But, when you combine it with Jott.com – it makes a world of difference.

For those of you not familiar with Jott.com yet, it is a free service that lets you register a cell phone and obtain a number that you can call. When you call the service, you can “Jott” to yourself, or others if you share your address book with the service. (Hint: Read the Privacy Policy carefully before you share your addresses!) Jotting to yourself or someone else converts your voice message or content to text and then emails both a digital recording of your message AND the associated text to the email you assign to yourself or the member of your shared address book! What makes this so powerful is that the ease of communication and style make it a very useful and rapid way to communicate.

Jotts can be long, short or pretty much anything in between. You can dictate a quick blog post, an email or just an idea to be pursued later. At MSI, we use these tools to quickly write content for WatchDog, the blog and email communications with clients. I use it to rapidly outline agendas for meetings or to establish on the fly scope of work documents that the technical or sales team can use to do business. Overall, used together, these tools really help me communicate and manage ideas, multiple forms of media and my team in a more rapid and easy fashion. Used carefully, (again, read the privacy policy), the tools can be leveraged for some amazing things. Don’t be afraid to give them a try, or to think outside the box for how to apply them to your own tasks.

4899/TCP Probes Still on the Increase

MSI continues to see increasing scans for vulnerabilities associated with port 4899/TCP. These scans are attempting to identify a particular product and gain access to the system through a known exploit.

Please verify that you have eliminated all traffic from the public Internet destined for this port. The original vulnerability has been around a while, but increasing blocks of IP addresses in EMEA are propagating the malicious traffic.

File Cabinet (In)Security

I have been toying with lock bumping since it became a national hot item a few months back. If you have not heard about it yet, check out the basics here.

OK, so a lot of this is overblown and the hype is pretty high to cause Mom and Pop to panic and buy some new locksmith services and products. I get it. I really do.

I also realize that the actual threat has been around a long time, and that criminals have known the technique for a while. I too have read that there has been little significant increase in break-ins since the lock bumping technique made headlines…

That said, I have been focusing on the long beloved friend of accounting folks everywhere – the venerable locking file cabinet. Best-practices for securing offices and accounting departments have long held that locking a file cabinet or desk drawer was a pretty decent layer of protection for the contents. Unfortunately, lock bumping very much changes that perspective.

I have attempted to bump quite a few file cabinets and desk drawers over the last few months. I am averaging in the 90th percentile in terms of gaining access. In many cases, it takes just about the same time as using the real key and I easily gain access to the contents to do with as I may.

How serious is this? Well, it makes much of the physical security associated with open cubicle environments suspect. Public access to receptionist desks and the like has proven pretty fruitful – including the usual suspects of phone lists, password lists and other generally attacker friendly items. Not to mention the items available for outright theft – often including just plain money…

The old rules of physical access trumping many security mechanisms still exist. Lock bumping techniques are just the newest way to reinforce the lesson. If you have not taken a good look at your file cabinets, desk drawers and the availability they might have to an intruder with a simple bump key, it might be time to at least think about it. Especially sensitive materials like regulatory data, personnel data and the like may have to be given some other special protections if you’re relying on rows of locked filing cabinets to secure them.