About Mary Rose Maguire

Mary Rose Maguire was the Marketing Communication Specialist for MicroSolved, Inc. and the content curator for the State of Security blog, MSI's website, and social media.

Tales From a Non-Security Professional, An End-User’s View

I’ve been working in the information security business for two years and have been amazed by what I’ve learned during this time. I remember when I thought, “Information security? Sure. A bunch of geeks patrolling their networks.” I had seen the movie Hackers, after all.

But I had no idea of the breadth and depth of information security. Put simply, if you use technology, your data is at risk: any device that stores sensitive data can be stolen, and the data goes with it. It is up to each individual to be proactive about information security instead of assuming “The IT Team” will take care of it.

Case in point: This morning I read an article from Dark Reading about Intel’s workers thwarting a malicious email virus. Pretty cool. Those workers took the initiative. They didn’t say to themselves, “Hmm, this email looks a little dicey, but I’m sure IT has it covered.”

Instead, each worker who recognized the malicious email immediately contacted the IT department. Because of that quick action, IT was able to contain the potential risk and take care of it. This type of response doesn’t happen overnight (and hopefully won’t take two years, either) but is the result of consistent education.

For me, I’ve tightened up my own personal security posture as a result of hearing what happens when you don’t pay attention. Here are a few precautions I’ve taken:

1) Never leave a laptop in the front seat of your car.

This may seem basic, but many workers who have a company-owned laptop will put it on the passenger seat or on the floor. It is easy to assume that when you stop for gas and take a quick detour into the convenience store to grab a drink, no one will bother your car. Don’t bet on it.

According to a CSI/FBI Computer Crime and Security Survey, data loss from laptop theft came in third and fourth behind virus attacks and unauthorized access. Make a habit of placing your laptop in your trunk, away from prying eyes. And if you really want to protect it, carry it with you. I’ve been known to carry my laptop into a CVS and into restaurants. I usually ask myself, “How inconvenient/annoying/scary would it be if this laptop was stolen?” Yep. It’s going with me.

2) Passwords, smashwords! We all belong to far too many websites that require a password. That’s not even counting the passwords we need to remember for our work email, databases, or the intranet. We’re also told by our friendly IT team that we need to change those passwords on a regular basis. If you have trouble remembering what you ate for breakfast yesterday, much less a password you created three months ago, I have the solution: a password vault. I can’t tell you how much this has alleviated the stress of remembering and revising passwords. I use KeePassX, an open-source password vault application that keeps every entry in an encrypted file behind a single master password.

Whenever I change my password, I immediately open the app and update my entry. Whenever I join a new site that requires a password, I’ll add a new entry. It’s simple and quick, and will protect me from some joker trying to hack into my sites. Once you get into a habit of changing your passwords, it becomes easier. Believe me, this is a heckuva lot easier than scratching out various passwords and usernames on a scrap piece of paper, throwing it into your desk drawer and then trying to find it three months later.

3) Delete stupid emails. This goes back to the “Here You Have” virus that the Intel employees avoided opening. They immediately saw the risk and reported it. Don’t open emails from people or groups you don’t recognize. In fact, I created a spam folder and move those types of emails into it if the regular spam filter doesn’t catch them. I empty the folder on a regular basis. No matter how enticing a subject line is, if you don’t recognize the sender, trash it. For those who are detail-oriented, you really don’t have to open every email you receive. Really. You probably didn’t win that lottery, anyway.

4) Be suspicious. This one is probably the most difficult for me. I’m a friendly person. I like people. I was raised by two very outgoing parents and hence, I have a soft spot for striking up conversations with perfect strangers. I find I’m a magnet for some of them, too. When you’re in your office, this can be used against you by a clever attacker. If you’re an IT staff person, you may get a call from someone who is in some type of a bad spot and needs access to “their” data at work and gosh, could we just skip the authentication process? Because most of us are wired to help others (thank you very much, customer service training), we obviously try to be of assistance. Meanwhile, the attacker is counting on this and will press an employee to give them information without checking their credentials. If anyone calls me and starts asking a bunch of nosy questions, I’ll start asking mine right back: “What company do you represent? What is your name? What is your phone number? Why do you need to know this information?”

Sometimes asking such questions may feel awkward, but remember, we’re protecting our company’s data. We’re on the front line and a little discomfort can go a long way in winning the battle of security.

These are a few things I’ve learned over time. Information security isn’t only the IT department’s job or the CISO/CTO/CIO’s. It’s a job that belongs to everyone. If I could sum it up, I’d say this: Be aware. Be aware of your surroundings, aware of your technology, aware of access points. Keeping your eyes and ears open will not only save you a bunch of headaches (and perhaps your job) but will save your company money. And in today’s economy, that is a very, very good thing.

Stories of Hacking the Human #security

He stood before the receptionist, patiently waiting until she was finished with the phone call. He fiddled around with his fake badge while glancing at the security door that led into the main office area, waiting to see if someone would exit or enter soon.

Finally, two employees engaged in conversation exited the door while a small group headed toward it. He darted to join the group while the receptionist continued to look down at her list of R.S.V.P.’s, searching for the business’ name.

As the group entering the office area quickly glanced his way, he shot them an easy grin. “Phone lines,” he quipped as he showed them the badge. “Just upgraded on our end and we want to make sure you don’t miss your phone calls!”

As the group laughed and joked about not really missing calls if they had the opportunity, he scanned the cubicle areas to note which ones were empty. In a few minutes, he’d double back, slip into one, hack into the network and start snooping around.

In larger corporations, that is how social engineering can happen. Employees are trusting and often distracted by their own sense of security. They see the same people in the office but realize every once in awhile, there is “the new girl” or “new guy.” They trust this person has gone through the proper channels that authorized their presence. And that’s their mistake. Very few ask questions.

Many times, employees find that their desire to be helpful is exploited. What is usually portrayed as good customer service (“Is there anything else you need?”), can be cleverly manipulated by attackers. Often a hacker will appear to be IT staff who needs to verify an employee’s password. When the unsuspecting victim is presented with a plausible reason for taking shortcuts (“I’m so sorry, but it could really help me if you just gave me the password instead of having to bother my supervisor…”), they often comply.

How can employers prevent social engineering attacks? The quick answer is, they can’t, at least not entirely. Attackers become more resourceful as organizations put more complex security measures in place. But employers can still take precautions that help employees recognize when a potential threat exists. Here are some tips:

  • Be aware of your surroundings. Know who is in charge of vetting outside service people, so that when a strange face appears, employees know who to call. Make clear that entering a secured area means everyone badges in individually, with no holding the door for a stranger, and that everyone follows the procedure.

  • Be suspicious. When callers ask for personal information, ask for a number where you can return the call, then verify the caller’s identity and that number with an internal source before you share anything.
  • Pay attention to the URL of a website. A phishing page may look identical to the real one, but the URL will expose it as a fake. Contact the company directly when in doubt.

Using these tips will help your organization avoid becoming a victim. Be alert and you’ll keep your data safe!

    Tips for Input Validation

    Input validation is one of the strongest defenses against injection and cross-site scripting (XSS) vulnerabilities. Done right, it keeps whole classes of malicious input from ever reaching the application. Done incorrectly, it brings little more than a false sense of security. The bad news is that input validation is difficult. “White listing,” that is, defining exactly which inputs are accepted, is nearly impossible for all but the simplest of applications. “Black listing,” that is, parsing the input for bad characters (such as ‘, ;,–, etc.) and dangerous strings, is challenging as well. Although it is the most common method, it is constantly under pressure as attackers work through various encoding mechanisms, translations and other evasion tricks to bypass such filters. Validation should therefore back up, not replace, the controls that remove the vulnerability itself: parameterized queries for database access and context-aware output encoding for anything rendered into a page.

    Over the last few years, a single source has emerged for best practices around input validation and other web security issues: the Open Web Application Security Project (OWASP), which publishes guidance and sample techniques for various languages and server environments. Further, vendors such as Sun, Microsoft and others have published best-practice articles and sample code for doing input validation on their servers and products. Check their knowledge bases or support teams for specific information about their platform and the security controls they recommend.

    While application frameworks and web application firewalls are evolving as tools to help with these security problems, proper developer education and ongoing training of your development team about input validation remains the best solution.
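As an added illustration (not code from the original post), the Python below shows why a blocklist is fragile and an allowlist backed by a parameterized query is not: a URL-encoded payload passes a naive blocklist, is caught only after the input is canonicalized, fails the allowlist outright, and dumps every row through a string-built query while returning nothing through a bound one. The usernames, the in-memory SQLite table and the payload are constructed for the example.

```python
"""Allowlist vs blocklist input validation, with an encoding bypass.

Added example, not from the original post. The user table, the username
grammar and the injection payload are constructed for illustration.
"""
import html
import re
import sqlite3
from urllib.parse import unquote

# Fragments a typical blocklist filter rejects when it sees them in the raw input.
BLOCKED_FRAGMENTS = ("'", '"', ";", "--", "<script")


def blocklist_accepts(value: str) -> bool:
    """Naive blocklist as many filters implement it: inspects the raw string only."""
    lowered = value.lower()
    return not any(fragment in lowered for fragment in BLOCKED_FRAGMENTS)


def canonicalize(value: str) -> str:
    """Undo URL-encoding and HTML entities until the string stops changing, so a
    filter judges the same characters the backend will eventually interpret."""
    previous = None
    while previous != value:
        previous = value
        value = html.unescape(unquote(value))
    return value


# Allowlist: a grammar that describes exactly what a valid username looks like.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def allowlist_accepts(value: str) -> bool:
    """Accept only strings that match the allowed grammar in full. No decoding is
    needed: encoded forms contain '%' or '&' and fail the match outright."""
    return USERNAME_RE.fullmatch(value) is not None


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """String-built query: whatever the filter let through becomes SQL."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the driver binds the value, so it can never become SQL."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?",
                        (name,)).fetchall()


def demo() -> dict:
    """Run one URL-encoded injection payload through each check and each query."""
    conn = build_db()
    encoded = "%27%20OR%20%271%27%3D%271"   # decodes to: ' OR '1'='1
    decoded = canonicalize(encoded)
    return {
        "blocklist_raw": blocklist_accepts(encoded),        # True: filter bypassed
        "blocklist_canonical": blocklist_accepts(decoded),  # False: caught after decoding
        "allowlist_raw": allowlist_accepts(encoded),        # False
        "allowlist_valid": allowlist_accepts("alice"),      # True
        "vuln_rows": len(lookup_vulnerable(conn, decoded)),      # 2: every user returned
        "param_rows": len(lookup_parameterized(conn, decoded)),  # 0: treated as a literal name
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of the canonicalization step is that a filter has to see the same characters the database or browser will see; decoding once is not enough, because payloads are routinely double-encoded. Even so, the parameterized lookup is the line that actually closes the hole, which is why the text above treats validation as defense in depth rather than the whole defense.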

    Join Us! June 24, 2-3 PM EST, Webinar: WordPress and Security

    Note: This webinar is being rescheduled for July. Date and time to be announced.

    This Thursday, June 24, at 2:00 PM – 3:00 PM EST, Phil Grimes, Security Analyst with MicroSolved, Inc., will be presenting a slideshow on DimDim. Join us to learn how to harden a WordPress site! Time will be left at the end for questions.

    Send an email to register and we’ll send you the sign-in credentials.

    See you there!

    Using WordPress In the Corporate Environment

    WordPress (WP) has become the dominant force in blogging platforms for a very good reason. Because it’s open source, creative developers are constantly looking for ways to improve the product to meet the needs of both personal and business bloggers. Consider that WordPress can be hosted on your own server (or hosted by whichever service you use), has an army of theme designers (both free and premium), and offers a wide variety of add-ons for attracting traffic.

    A quick list of the competition: TypePad, which costs $14.95 a month for the “pro” version. You’ll need to learn a specific TypePad programming language to customize your blog. Tumblr does not allow comments so if you used it, you would have to embed Disqus to enable comments. Movable Type offers customization, but requires a license for business use, which ranges from $50 to $1,000, depending on how many people will require access to make updates.

    WP is a free download but many themes have a cost attached. You can find some great free themes, but be sure to look for support. If a theme designer’s website has a forum, that’s a very good sign. It means they’re open to questions and helping you when needed.

    Once you set up your WP blog, cut down on comment spam by activating the “Akismet” plug-in, which filters spam out of your blog’s comment section. There are many great plugins for business blogs; Search Engine Journal and Better Business Blogging both publish helpful lists of plugin recommendations.

    One of the reasons WP is loved by businesses is because it is SEO-friendly. Google and other search engines play very nicely with WP. Once you create a powerful header and add keywords within your post, a search engine will notice. Searching for relevant keywords? Try Google’s search-based keyword tool. It will give you ideas of what people are searching for in your industry and you can adopt a few of those keywords to drive traffic.

    WP also allows multiple users to contribute to the blog. You can also schedule blog posts to be published at a later date. If you have multiple users, it may be a good idea to filter the posts through a gatekeeper (such as HR or marketing) before posting, to ensure a consistent message for the organization.

    WP has updates, like any software. Keep the core, themes and plugins current (an automatic update plugin can help you stay on track), use strong passwords for every login, and set restrictive file permissions.

    Another way to secure your blog is to set unique secret keys. In WordPress, wp-config.php is the file that stores the database information WordPress needs to connect: the name, host address and password of the MySQL database. It also holds the secret keys and salts that WordPress mixes into its login cookies and nonces, so they should be long, random and unique to your site. Generate fresh values with the online generator WordPress provides and copy the results into that section of your wp-config.php file if you haven’t already set up your keys.
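Added example, not from the original post or from WordPress itself: a Python script that applies the permission advice above (directories 755, files 644, wp-config.php 600) and reports whether any of the keys and salts in wp-config.php are still the placeholder text that ships in wp-config-sample.php. It assumes the standard WordPress layout, a POSIX filesystem, and that the files are owned by the account the web server runs as; the sample site it builds in a temporary directory is constructed for the demonstration.

```python
"""Audit and harden a WordPress install's file permissions and secret keys.

Added example, not from the original post. The sample site built by
make_sample_site() is constructed so the script runs offline.
"""
import os
import re
import stat
import tempfile

# Value shipped in wp-config-sample.php for every key and salt; WordPress mixes
# these into login cookies and nonces, so each should be long, random and unique.
PLACEHOLDER = "put your unique phrase here"
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
DEFINE_RE = re.compile(r"\s*define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")


def world_writable(root: str) -> list:
    """Paths under root that any local user could modify (a web shell's best friend)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.lstat(path).st_mode & stat.S_IWOTH:
                hits.append(path)
    return sorted(hits)


def placeholder_keys(config_path: str) -> list:
    """Secret keys and salts in wp-config.php still set to the sample placeholder."""
    bad = []
    with open(config_path, encoding="utf-8") as fh:
        for line in fh:
            match = DEFINE_RE.match(line)
            if match and match.group(1) in KEY_NAMES and match.group(2) == PLACEHOLDER:
                bad.append(match.group(1))
    return bad


def config_mode(root: str) -> str:
    """Permission bits of wp-config.php as an octal string, e.g. '0o600'."""
    return oct(os.stat(os.path.join(root, "wp-config.php")).st_mode & 0o777)


def harden(root: str) -> None:
    """Directories 755, files 644, wp-config.php 600. Assumes the files are owned
    by the account the web server runs as, so 600 still lets WordPress read it."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            os.chmod(os.path.join(dirpath, name), 0o755)
        for name in filenames:
            os.chmod(os.path.join(dirpath, name), 0o644)
    os.chmod(os.path.join(root, "wp-config.php"), 0o600)


def audit(root: str) -> dict:
    """Everything a reviewer wants to see before and after hardening."""
    return {
        "world_writable": world_writable(root),
        "placeholder_keys": placeholder_keys(os.path.join(root, "wp-config.php")),
        "config_mode": config_mode(root),
    }


def make_sample_site() -> str:
    """Constructed WordPress-like tree with sloppy permissions and four untouched keys."""
    root = tempfile.mkdtemp(prefix="wp-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    index = os.path.join(root, "index.php")
    config = os.path.join(root, "wp-config.php")
    with open(index, "w", encoding="utf-8") as fh:
        fh.write("<?php\n")
    with open(config, "w", encoding="utf-8") as fh:
        fh.write("<?php\ndefine('DB_NAME', 'wordpress');\n")
        for key in KEY_NAMES[:4]:
            fh.write(f"define('{key}', '{PLACEHOLDER}');\n")
        for key in KEY_NAMES[4:]:
            fh.write(f"define('{key}', 'already-replaced-with-a-unique-value');\n")
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(index, 0o644)
    os.chmod(uploads, 0o777)   # the classic "make uploads work" mistake
    os.chmod(config, 0o666)    # database credentials readable by every local user
    return root


if __name__ == "__main__":
    site = make_sample_site()
    print("before:", audit(site))
    harden(site)
    print("after: ", audit(site))
```

Run it against a real install by replacing make_sample_site() with the web root; a non-empty placeholder_keys list means the keys-and-salts section of wp-config.php was never filled in, and any world_writable hit is a path an attacker who lands on the host as any user could plant code in.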

    Blogging can be an excellent way for your organization to stay current in its industry. By consistently posting relevant blog posts for your audience, you have the opportunity to inform them and stay connected. Using some of these tips will help make the most of your blog.

    The 80/20 Rule of #Security: Threat Modeling

    Threat modeling is a powerful technique that helps characterize higher level threats and separates them into more manageable sub-threats that can be addressed. Threat modeling can help an organization discover the core issue that lies beneath a high level threat, such as a denial of service (DoS).

    There are different approaches toward threat modeling. One is to examine an existing application. The other is to evaluate threats during every stage of the software development lifecycle (SDLC). With our “80/20 Rule of Information Security” project list, we tackle what regulations apply to your company and assess the risks.

    For instance, let’s say a regulation requires strong access control measures to be in place. A high-level threat would be when a malicious user escalates privileges. In order to do this, the user would need to bypass the authentication process. With a Risk Management Threat Modeling Project, MSI would analyze the applications to find alternate entry points in order to harden them and ensure that only authorized users have access.

    What is important is discovering where threats exist and then developing security solutions to address them. MSI also examines data flow diagrams that chart the system. Once we see how the data flows, we can start looking for vulnerabilities.

    We use the STRIDE approach, which stands for: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. For each category, we carefully examine the loopholes that could leave your company’s data exposed. For instance, “spoofing” is pretending to be something you’re not. Many attackers send email that looks as though it came from a reputable source (like PayPal), but a quick look at the link address would prove otherwise. These attacks now have a name: phishing.

    No business wants a denial of service. This happens when an attack floods your server with bogus requests until it can no longer serve legitimate ones, or crashes outright. MSI’s HoneyPoint Security Server can help detect such attacks.

    Tampering attacks can be directed against static data files or network packets, and most developers don’t think about them. When reading an XML configuration file, for example, do you carefully check that its contents are valid? Would your program behave badly if that file contained malformed data, or values outside the range you expect? These are the questions to consider when analyzing for risk.
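To make the tampering questions above concrete, here is an added example (not part of the original post) of a configuration loader that answers both: an HMAC over the file’s bytes detects edits made after it was written, and a strict element-by-element check refuses anything malformed, unexpected, duplicated, missing or out of range instead of coercing it. The XML format, the bounds, the signing key and the sample documents are all constructed for this example; in a real deployment the key would come from a key store rather than the source file.

```python
"""Loading a static XML config file defensively: integrity, then validity.

Added example, not from the original post. The element names, bounds,
signing key and sample documents are constructed for illustration.
"""
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET

# Shared by whoever writes the config and the program that loads it. Constructed
# for this example; in practice it lives in a key store, not in source.
INTEGRITY_KEY = b"example-config-signing-key"

# Reject oversized files before the XML parser ever sees them.
MAX_CONFIG_BYTES = 64 * 1024

# What a sane config looks like: element name -> (type, lower bound, upper bound).
# For ints the bounds apply to the value; for strings they apply to the length.
EXPECTED = {
    "listen_port": (int, 1, 65535),
    "max_connections": (int, 1, 10000),
    "log_path": (str, 1, 255),
}
DIGITS_RE = re.compile(r"[0-9]+")


class ConfigError(ValueError):
    """Raised for anything we refuse to run with; the caller should fail closed."""


def sign(config_bytes: bytes) -> str:
    """Tag the exact bytes on disk with an HMAC so silent edits are detectable."""
    return hmac.new(INTEGRITY_KEY, config_bytes, hashlib.sha256).hexdigest()


def verify(config_bytes: bytes, tag: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the tag."""
    return hmac.compare_digest(sign(config_bytes), tag)


def parse_config(config_bytes: bytes, tag: str) -> dict:
    """Integrity first, then strict validation: every element must be expected,
    present exactly once, and within bounds. Unknown or malformed content is an
    error, never silently coerced to a default."""
    if len(config_bytes) > MAX_CONFIG_BYTES:
        raise ConfigError("config too large")
    if not verify(config_bytes, tag):
        raise ConfigError("integrity check failed: file or tag was tampered with")
    try:
        root = ET.fromstring(config_bytes)
    except ET.ParseError as exc:
        raise ConfigError(f"malformed XML: {exc}") from exc
    if root.tag != "config":
        raise ConfigError(f"unexpected root element <{root.tag}>")

    values = {}
    for child in root:
        if child.tag not in EXPECTED:
            raise ConfigError(f"unexpected element <{child.tag}>")
        if child.tag in values:
            raise ConfigError(f"duplicate element <{child.tag}>")
        kind, low, high = EXPECTED[child.tag]
        text = (child.text or "").strip()
        if kind is int:
            if not DIGITS_RE.fullmatch(text):
                raise ConfigError(f"<{child.tag}> is not a non-negative integer")
            value = int(text)
            if not low <= value <= high:
                raise ConfigError(f"<{child.tag}> out of range {low}..{high}")
        else:
            if not low <= len(text) <= high:
                raise ConfigError(f"<{child.tag}> length out of range {low}..{high}")
            value = text
        values[child.tag] = value

    missing = sorted(set(EXPECTED) - set(values))
    if missing:
        raise ConfigError(f"missing elements: {', '.join(missing)}")
    return values


# Constructed sample documents: one good, one edited after it was signed.
GOOD_CONFIG = (b"<config><listen_port>8443</listen_port>"
               b"<max_connections>200</max_connections>"
               b"<log_path>/var/log/app.log</log_path></config>")
GOOD_TAG = sign(GOOD_CONFIG)
TAMPERED_CONFIG = GOOD_CONFIG.replace(b"8443", b"99999")


def load_or_error(config_bytes: bytes, tag: str) -> str:
    """Return 'ok' or the reason the config was refused."""
    try:
        parse_config(config_bytes, tag)
        return "ok"
    except ConfigError as exc:
        return str(exc)


if __name__ == "__main__":
    print(load_or_error(GOOD_CONFIG, GOOD_TAG))
    print(load_or_error(TAMPERED_CONFIG, GOOD_TAG))
    print(load_or_error(TAMPERED_CONFIG, sign(TAMPERED_CONFIG)))
    print(load_or_error(b"<config><listen_port>", sign(b"<config><listen_port>")))
```

The two layers catch different attackers: the HMAC stops someone who can edit the file but does not hold the key, and the bounds check stops the case where the file was legitimately re-signed (or the key leaked) but the values would still drive the program into a bad state.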

    MSI can help you achieve a more secure posture. Why not give us a call today?

    Mind Map Your Way to Information Security

    In order to know what your organization needs for security, you first need to define what you have. Many times, this task of defining and organizing can be intimidating, especially if it has been a long time since anyone did it. With a mind mapping tool, however, such as Inspiration or the free tool XMind, pulling together your assets comes together quickly.

    It is important to define a “Who, What, Where” when assessing your environment. Who has access? What programs are running and on which machines are they running? Where does the data reside that could be compromised? How is the environment secured?

    Creating a map will allow you to easily follow relationships so you will then be able to assign tasks accordingly. Also, when you create a map, it will visibly reveal relationships that previously were unseen or unnoticed.

    As the various network relationships are mapped out, it will be easier to see what would be affected in your enterprise should a data breach occur.

    If Server A is compromised, incident responders can quickly assess what other components may have been affected by reviewing its trust relationships. Having a clear depiction of component dependencies eases the re-architecture process allowing for faster, more efficient upgrades. Creating a physical map in accordance with data flow and trust relationships ensures that components are not forgotten.

    Finally, categorizing system functions eases the enclaving (segmentation) process. So mind map your way to security and reach your destination of a safer enterprise.

    PCI Scope Reduction — Why not?

    Bill Mathews, our Guest Blogger, is co-founder and CTO of Hurricane Labs (www.hurricanelabs.com), an information security services firm.

    Limiting your PCI compliance scope can be beneficial in several ways. First, it minimizes the number of assets where PCI is applicable, but primarily it limits the number of places you can find credit card data on your network. The latter is the most important. PCI isn’t some huge, scary thing you should run away from, and scope reduction won’t solve all your problems, but it can get you to a point where you understand what is really happening on your network. There are a few caveats and “gotchas” you will encounter along the way, but the journey is worth it.

    In order to reduce your PCI scope you must first classify your assets. This is much harder than it sounds for most organizations. You have to figure out what data goes where and how it flows. This mapping is crucial for proper scope reduction. This type of awareness not only helps you reduce your PCI scope but also helps with general troubleshooting. Ultimately it will improve your process; it’s a win-win. If you don’t know where the data is, then the bad guys will help you find it.

    After you’ve happily mapped out your data flow and understand where things are and why, you can move to segmentation. Segmentation essentially allows you to split up your network into smaller chunks. This splitting up of your network makes implementing our next goal that much easier. Our next goal is implementing the principle of least privilege, which essentially says, “if you don’t need access, you don’t get access.” I’ve often argued that proper implementation of least privilege will not only solve nearly all your compliance issues but goes a long way in solving all your security woes as well. Notice I said “proper implementation.” Many implementations of it are flawed. Following up this segmentation with a good access control test is very important: it’s one thing to have controls. It’s quite another to have them properly implemented.

    By no means are these the only things you should do, but in my opinion they are crucial for reducing your risk. Accomplish these few things and you’ll be well on your way to both reducing your PCI scope and having a well-balanced security posture on your network. Overall it is worth the effort it takes.