About Mary Rose Maguire

Mary Rose Maguire was the Marketing Communication Specialist for MicroSolved, Inc. and the content curator for the State of Security blog, MSI's website, and social media.

4 Tips for Teaching Your Staff About Social Engineering

If there is one thing that is tough to prevent, it is a person whose curiosity overrides their better judgement. Human nature leans toward discovery. If someone believes a valuable piece of information is available, there’s a very good chance she will satisfy her curiosity.

Social engineering, the process of obtaining confidential information through tricking people to do things they should not do; is on the rise. So how can you help your staff recognize social engineering before it’s too late?

Here are a few tips:

1. Create a process for validating outside inquiries.

Often, an attacker has done their homework in obtaining certain pieces of information such as having another employee’s name or their calendar to establish credibility. Create a process for inquiries, making someone the gatekeeper for such calls. Tell staff to not give out confidential information before checking with the gatekeeper.

2. Secure access into the organization.

Does your organization have guards? If not, it is the job of every employee to be alert to outsiders.

Name badges are another way to do this and require everyone to keep it visible. Explain to staff that it is perfectly legitimate to say, “I’m sorry, who did you say you were with again?” Teach awareness through fun exercises and safety posters.

3. Train staff to resist picking up strange USB keys.

This is difficult because it is where a person’s curiosity can get the best of them. However, a person has no idea what is on a found USB key. Would they eat food left on the floor of the kitchen? (Some, unfortunately, might!) Why would anyone take a found USB key and plug it into their computer? Curiosity. Create an incentive program for employees to return found keys to an IT administrator.

4. Fine tune a sense of good customer service.

Most people are helpful. This helpful nature is especially nurtured by organizations who want to provide good customer service to both internal staff and external contacts. Attackers take advantage of this by insisting that it would “be very helpful” if they could get someone’s confidential information in order to do their job. Train your staff to stick to the plan of verifying all inquiries by going through the proper channels. Help employees understand that this approach is truly the most “helpful” since they’ll be saving the company countless dollars if it’s an attack.

Consistent awareness is the key to resisting social engineering attacks. Use these tips and decrease your probability of an attack. Stay safe!

MSI Strategy & Tactics Talk Ep. 25: An Introduction to Cloud Computing – What to Choose and Why

Cloud computing has become a buzzword over the past few years. Some organizations wonder if it would benefit them or not. What are some of the questions an organization should be asking?  In this episode of MSI Strategy & Tactics, Adam Hostetler and Phil Grimes discuss the various aspects of “the cloud” and how it can affect an organization.  If you are considering transitioning your data to the cloud, you’ll want to listen! Discussion questions include:

  • How can you determine which cloud computing model is right for you?
  • What are some of the security issues with cloud deployment?
  • How can moving data to the cloud help an organization’s overall efficiency? 
Resources:
 
Panelists:
Adam Hostetler, Network Engineer, Security Analyst
Phil Grimes, Security Analyst
Mary Rose Maguire, Marketing Communication Specialist and moderator
 

Click the embedded player to listen. Or click this link to access downloads. Stay safe!

MSI Strategy & Tactics Talk Ep. 24: When Outsourcing Security Tasks Goes Wrong

Outsourcing security tasks can be beneficial to a busy organization. But is there a possible downside? What questions should that organization ask when outsourcing part of their information security tasks?  In this episode of MSI Strategy & Tactics, the techs discuss an incident that happened when an organization outsourced a part of their system administration tasks to an outside consulting firm.  If you are considering outsourcing part of your security tasks, you’ll want to listen! Discussion questions include:

  • How important is it for vendors to vet employees before sending them into the field?
  • How important is it for organizations to be able to see that the vendors have thoroughly done this?
 
Panelists:
Brent Huston, CEO and Security Evangelist
Phil Grimes, Security Analyst
John Davis, Risk Management Engineer
Mary Rose Maguire, Marketing Communication Specialist and moderator
 

Click the embedded player to listen. Or click this link to access downloads. Stay safe!

MSI Strategy & Tactics Talk Ep. 22: 3 Tasks a Security Administrator Hates To Do (But Needs To Do)

It’s an understatement to say a security administrator is busy. In the quest to achieve POLA (Principle of Least Access), it’s easy to overlook other tasks that can make a huge difference in your overall security strategy.  In this episode of MSI Strategy & Tactics, the techs discuss three tasks that if consistently put on hold, will eventually cause havoc in your world. If you’re a security administrator, take a listen! Discussion questions include:

  • Password Management: Why is this an issue and what can a security administrator do that will make it easier?
  • Log Reviews: How can this task be better organized?
  • Why is documentation often overlooked and what can a security administrator do to change it?
Tools mentioned:
 
Panelists:
Adam Hostetler, Network Engineer and Security Analyst
Phil Grimes, Security Analyst
John Davis, Risk Management Engineer
Mary Rose Maguire, Marketing Communication Specialist and moderator

Click the embedded player to listen. Or click this link to access downloads. Stay safe!

MicroSolved, Inc. Releases Free Tool To Expose Phishing

MSI’s new tool helps organizations run their own phishing tests from the inside.

We’re excited to release a new, free tool that provides a simple, safe and effective mechanism for security teams and administrators to run their own phishing tests inside their organization. They simply install the application on a server or workstation and create a url email/sms/etc. campaign to entice users to visit the site. They can encode the URLs, mask them, or shorten them to obfuscate the structures if they like. 

The application is a fully self contained web mechanism, so no additional applications are required. There is no need to install and configure IIS, Apache and a database to manage the logs. All of the tools needed are built into the simple executable, which is capable of being run on virtually any Microsoft Windows workstation or server.

If a user visits the tool’s site, their session will create a log entry as a “bite”, with their IP address in the log. Visitors who actually input a login and password will get written to the log as “caught”, including their IP address, the login name and the first 3 characters of the password they used.

Only the first 3 characters of the password are logged. This is enough to prove useful in discussions with users and to prove their use, but not enough to be useful in further attacks. The purpose of this tool is to test, assess and educate users, not to commit fraud or gather real phishing data. For this reason, and for the risks it would present to the organization, full password capture is not available in the tool and is not logged.

“Organizations can now easily, quickly and safely run their own ongoing phishing campaigns. Instead of worrying about the safety of gathering passwords or the budget impacts of hiring a vendor to do it for them, they can simply ‘click and phish’ their way to higher security awareness.”, said Brent Huston, CEO & Security Evangelist of MicroSolved. “After all, give someone a phish and they’re secure for a day, but teach someone to phish and they might be secure for a lifetime…”, Mr. Huston laughed.

The tool can be downloaded by visiting this link or by visiting MSI’s website.

MSI Strategy & Tactics Talk Ep. 21: The Penetration Testing Execution Standard

Penetration Tests have been done for years but yet there has often been confusion regarding what a penetration test should deliver. Enter the beta release of the Penetration Testing Execution Standard (PTES). What does it mean?  In this episode of MSI Strategy & Tactics, the techs discuss the current state of penetration tests and how PTES is a good idea that will benefit many organizations. Take a listen! Discussion questions include:

  • What is PTES? How does it differ from the current state of the industry?
  • What is the importance of industry standardization? Is it a good thing or a bad thing?
  • What does it mean for the future of vulerability and penetration testing?
Panelists:
Adam Hostetler, Network Engineer and Security Analyst
Phil Grimes, Security Analyst
John Davis, Risk Management Engineer
Mary Rose Maguire, Marketing Communication Specialist and moderator

Click the embedded player to listen. Or click this link to access downloads. Stay safe!

MSI Strategy & Tactics Talk Ep. 20: Denial of Service Attacks

We haven’t seen anywhere near the thresholds that could happen with massive scale bot-nets. I think it’s clear that bot-nets are the future weapon of DoS and we’ll continue to see that until somebody takes away the capability. In addition, mobile devices are going to experience an increase in DoS attacks. – Brent Huston, MSI CEO and Security Evangelist

Denial of Service attacks were alive and well in 2011 as seen with WordPress and MasterCard. What have we learned from these types of attacks?  In this episode of MSI Strategy & Tactics, the techs discuss what DoS attacks and how organizations can respond. Take a listen! Discussion questions include:

  • Organizations have been dealing with denial of service attacks for a while now, what lessons should they have learned?
  • What about this new hashdos attack against web sites?
  • How should they create and test dos detection and response plans?
  • What is the future of denial of service attacks?
Panelists:
Brent Huston, CEO, Founder, and Security Evangelist
Adam Hostetler, Network Engineer and Security Analyst
Phil Grimes, Security Analyst
John Davis, Risk Management Engineer
Mary Rose Maguire, Marketing Communication Specialist and moderator

Click the embedded player to listen. Or click this link to access downloads. Stay safe!

Interview with Brent Huston: Meet “Paul,” An Attacker — Up Close and Personal

Many organizations we talk to still vastly underestimate the capability of the threat. They still think of the attackers and the hackers as folks who are trying to use canned exploits or use the latest version of metasploits to pop a bunch of boxes — that’s just frankly not true. “Paul” is proficient in eight different coding languages. [He’s skilled and learning.] That needs to become the mindset of the defender. – Brent Huston, CEO and Security Evangelist, MicroSolved, Inc.

What would you do if you met an attacker online? Give him a piece of your mind? Or dig a little deeper to find out what motivates him and how he operates? In this special interview, Brent Huston discusses a recent incident where he had such an opportunity.  In this fascinating conversation, Brent described how he met Paul and his attitude toward meeting another “up and coming” hacker. Take a listen! Discussion questions include:

  • How Brent tracked Paul down
  • What was Paul’s attitude toward Brent and his questions
  • A little about Paul and his skills
  • What does Paul use his compromised systems for?
  • What lessons can organizations draw from this encounter?

Interview Participants:
Brent Huston, CEO, Founder, and Security Evangelist
Mary Rose Maguire, Marketing Communication Specialist and moderator

Click the embedded player to listen. Or click this link to access downloads. Stay safe!