How to Make InfoSec Infographics

Infographics are everywhere! And people either love them or hate them.

That said, many security teams have been asking about building infographics for awareness or communicating threat data to upper management in quick easily-digestible bites. To help with that, we thought we would tell you what we have learned about how to make infographics – as a best practice – so you won’t have to suffer through the mistakes we and others in the security field have already made. 🙂

So, at a high level, here is what you need to know about making infographics on security topics:

What are infographics & why are they useful?

Infographics are a visual representation of data and information; it is a quick way to look at a lot of in-depth information and get a clear understanding of it. They are used to communicate data in a way that is compact and easy to comprehend and also provide an easy view of cause and effect relationships. Infographics are visually appealing and are composed of three elements:
– visual (color, graphics, reference icons)
– content (time frame, statistics, references)
– knowledge (facts)

Best practices for building infographics: 

– Simplicity: clean design that is compact and concise with well organized information
– Layout: Maximum of 3 different fonts
– Colors: choose colors that match the emotions you are trying to convey. The background should blend with the illustrations
– Boundaries: limit the scope of your information. Attention span is short so try to answer only one question per infographic

The main best practice we have learned is: Keep It Simple! Focus on just a few salient points and present them in interesting tidbits. Use templates, they are available all over the web for your publishing or office platform. Remember, the purpose of infographics is to peak interest in a discussion, not serve as the end-all, be-all of presenting data to the audience.

Let us know your success stories or tell us what you have learned about infographics on Twitter (@lbhuston or @microsolved). Thanks for reading!

3 Things I Learned While Responding to Security Incidents

Unfortunately, if you work in IT long enough, you’re likely to encounter a security incident. Having experienced these incidents as a Systems Administrator and as a consultant, I felt that it would benefit others if I shared 3 things that I learned while responding to security issues.

  1. Stay calm – If you’ve noticed malicious activity on your network, your first reaction might be to panic. While time is of the essence, you don’t want stress to negatively impact your decision making. If you need to, give yourself a minute to collect your thoughts prior to proceeding with resolving the issue. Once you’re ready to start working on the problem, begin by attempting to gain an understanding of the type and severity of the attack. This information will go a long way towards mitigating the issue.
  2. Don’t be shortsighted – Whether you’re dealing with a targeted attack or a random malware infection, it’s important to consider the long term effects of your decisions. It is likely that you will receive pressure from various business units to bring systems back online as soon as possible. While it’s important that staff regains access to their applications, it could lead to larger problems down the line if that access is restored prematurely. For example, removing network connectivity or isolating affected systems is obviously going to upset some staff members due to the loss of productivity. However, it’s possible that the malware or attacks could become more widespread if the affected systems are not properly isolated.
  3. Hindsight is 20/20 – I’ve seen individuals waste time during incidents pointing fingers at other team members. I’ve also witnessed individuals procrastinate resolving the issue while they agonize over ways they could have prevented the incident from occurring. After the issue has been resolved, it’s important to have a post mortem meeting to take the proper steps to make sure that history does not repeat itself. However, those conversations can wait until the incident has been fully resolved.

I sincerely hope you don’t have to deal with any security incidents.  However, if you need help resolving an issue involving a malware outbreak or targeted attack, do not hesitate to contact us for assistance.

Telnet!? Really!?

I was recently analyzing data from the HITME project that was collected during the month of January. I noticed a significant spike in the observed attacks against Telnet. I was surprised to see that Telnet was being targeted at such a high rate. After all, there can’t be that many devices left with Telnet exposed to the internet, right?

Wrong. Very wrong. I discovered that there are still MILLIONS of devices with Telnet ports exposed to the internet. Due to Telnet’s lack of security, be sure to use SSH as opposed to Telnet whenever possible. If you absolutely must control a device via Telnet, at least place it behind a firewall. If you need to access the device remotely, leverage the use of a VPN. Finally, be sure to restrict access to the device to the smallest possible IP range.

The map below shows the geographical locations and number of attacks against Telnet that we observed last month. If you need any help isolating Telnet exposures, feel free to contact us by emailing info <at> microsolved.com.

Screen Shot 2015-02-10 at 11.28.10 AM

 

RansomWeb Attacks Observed in HITME

Unfortunately, the destructive nature of Ransomware has taken a new turn for the worse.  A new technique called RansomWeb is affecting production web-based applications.  I recently analyzed data from the HITME project and observed several RansomWeb attacks against PHP applications.  I can only assume the frequency of these attacks will increase throughout the year.  As a former Systems Administrator, I can definitively say that it would be a nightmare to bring an application back online that was affected by this variant of Ransomware.  Due to RansomWeb’s destructive nature, it is important to ensure that your organization is actively working to prevent RansomWeb from destroying any critical systems.

The attackers begin the RansomWeb process by exploiting a vulnerability within a web server or web-based application.  Once the server or application have been exploited, the attackers slowly begin encrypting key databases and files.  Once the encryption is complete, the hackers shut down the website/application and begin to demand ransom in exchange for the decryption of the corporation’s files.  Unfortunately, the attackers have even perfected using this process to encrypt system-level backups.

To prevent RansomWeb from affecting your organization, please be sure to complete the following steps on a regular basis:

  • Perform regular vulnerability assessments and penetration testing against your critical applications and servers.
  • Audit your application and system logs for any irregular entries.
  • Verify that you are performing regular application and system backups.
  • Be sure to test the backup/ restore process for your applications and systems on a regular basis.  After all, your backup/ DR process is only as effective as your last successful restore.

If you would like to discuss how we can help you prevent RansomWeb from affecting your production applications, do not hesitate to contact us by emailing info <at> microsolved.com

Recently Observed Attacks By Compromised QNAP Devices

Despite the fact that the Shellshock bug was disclosed last fall, it appears that a wide variety of systems are still falling victim to the exploit.  For example, in the last 30 days, our HoneyPoint Internet Threat Monitoring Environment has observed attacks from almost 1,000 compromised QNAP devices.  If you have QNAP devices deployed, please be sure to check for the indicators of a compromised system.  If your device has not been affected, be sure to patch it immediately.

Once compromised via the Shellshock bug, the QNAP system downloads a payload that contains a shell script designed specifically for QNAP devices.  The script acts as a dropper and downloads additional malicious components prior to installing the worm and making a variety of changes to the system.  These changes include: adding a user account, changing the device’s DNS server to 8.8.8.8, creating an SSH server on port 26 and downloading/installing a patch from QNAP against the Shellshock bug.

The map below shows the locations of compromised QNAP systems that we observed to be scanning for other unpatched QNAP systems.  If you have any questions regarding this exploit, feel free to contact us by emailing info <at> microsolved.com.

Screen Shot 2015-01-27 at 1.41.31 PM

How to Avoid Getting Phished

It’s much easier for an attacker to “hack a human” than “hack a machine”.  This is why complicated attacks against organizations often begin with the end user.  Although e-mails with malicious links or attachments are often dismissed and referred to as “spam”, these messages are often the beginning of a sophisticated hack against a company.  Unfortunately there is no “silver bullet” that can prevent these attacks from taking place.
 
I recently had the opportunity to give a presentation during one of our client’s all-staff meeting.  Despite the fact that our client’s company resides in a relatively niche market, I was able to discuss several data breaches that took place in their industry within the last year.  Not only did the hacks all take place recently, they were all the direct result of actions taken by an end-user.  A majority of these attacks were caused by an employee opening a malicious e-mail.  I gave our customer the following advice to help them avoid becoming a victim of Phishing e-mails and felt that it was worth sharing on StateOfSecurity.com.
 
Verify link URL:  If the e-mail you received contains a link, does the website URL match up with the content of the message?  For example, if the e-mail indicates you are about to visit a website for FedEx, is the address actually FedEx.com?  A common tactic used by attackers is to direct a user to a similar URL or IP address.  An example of this would be to direct the user to FedEx111.com or FedEx.SE as opposed to the organization’s actual URL.
 
Verify e-mail address of sender: If the e-mail message you received came from a friend, colleague or vendor, did it actually come from their e-mail address?  It’s worthwhile to take a few extra seconds to ensure that the e-mail actually came from the aforementioned colleague, friend or vendor.  Also, avoid opening e-mails from generic senders such as “Systems Administrator” or “IT Department”.
 
Exercise caution from messages sent by unknown senders: Be cautious if a message comes from an unknown sender.  Would you provide your checking account number or password to a random person that you saw on the street?  If not, then don’t provide confidential information to unknown senders.
 
Follow up with a phone call: In the event you receive a message requesting that you validate information or need to reset your password, take some time to follow up with the sender with a phone call.  Trust me, your IT department will be happy to spend a few seconds confirming or denying your request as opposed to dealing with a malware infection.  Also, if your “bank” sends any type of e-mail correspondence requesting that you perform some sort of action, it’s worthwhile to give them a call to confirm their intentions.  Always be sure to use a number that you found from another source outside of the e-mail.
Spot check for spelling/grammar errors: It is extremely common that malicious e-mails contain some sort of spelling mistake or grammatical error.  Spelling mistakes or grammatical errors are great indicators that you have received a malicious e-mail.
 
Do not open random attachments: If your e-mail messages meets any of the above criteria, DO NOT open the attachment to investigate further.  Typically these attachments or links are the actual mechanism for delivering malware to your machine.
 
This blog post by Adam Luck.

Computer Security is Your Own Responsibility

All of us know that our homes may be burglarized, and we take steps to help keep that from happening. We lock our doors and windows, we install motion detector lights outside, we put in alarm systems and some of us even install cameras. The same goes for the other stuff we do and own. We lock our cars, we put our valuables in safe deposit boxes and we avoid dangerous areas of the city late at night. We even watch what we say when we are talking on the phone, because we worry someone might be listening in. We all know that we ourselves are responsible for looking after these things. So why do we all seem to think that it is somebody else’s job to make sure we are safe while we are using our computers to surf the net or catch up on Facebook? We do, though. I’ve seen it happen and I’ve been guilty of it myself, I’m sorry to say.

For some reason, we don’t think a thing about using our kid’s name and age as our email password. It doesn’t enter our minds that it may not be a good idea to do our home banking while we are sipping a latte at Starbucks. And it doesn’t bother us a whit that our home wireless network doesn’t require a password – they’re a lot of trouble, after all! But when we get hacked, the first thing we do is blame everybody from our ISPs to the companies that built our devices. I think part of the reason is that we think the whole computer thing is too technical and there is really nothing that we can do ourselves. But that simply isn’t true. The biggest part of computer security is just mundane, common sense stuff.

The most important thing is to understand what is really going on when you are on the Internet, and it can be summed up in on phrase; you are communicating in public. You might as well be standing in the town square shouting back and forth at each other. One of the only real differences is that a lot of what you’re doing is not only public, it’s being recorded as well! So, thinking with that mindset, how would you go about keeping your privacy?

First, you wouldn’t trust anyone to keep quiet and protect your secrets for you, would you? So, when you are on the Internet, always be suspicious. Make sure that that email from your bank or your co-worker is legit, don’t just click on the link. Be very suspicious of anything with attachments, and don’t just blithely open any document that is sent to you unsolicited. And if you get an urge to go to that neat looking gambling site or you hanker to click on that link that says they will show you your favorite celebrity with their pants down, suppress it! Also, take a look every once and awhile and see what has really been happening on your computer. Your machines are usually keeping really good logs. Look them over and see if anything seems funny to you. You don’t have to be an expert, just curious.

Next, be leery if your machine starts acting funny. Maybe it gets really slow once in a while. Perhaps you turn it on and a message says “Download Complete”, but you don’t remember downloading anything. Lots of different things like that can occur. But when they do, and then your computer starts acting normally again, don’t just blow it off; check into it!

And change your passwords! It’s easy and fast, and it can save your bacon. If you have been at a hotel or have connected to the Internet from a coffee shop or airport, change your passwords as soon as you get home. If something funny happens or you think you may have done the wrong thing while you were web surfing, change your passwords. Use a password vault so you only have to remember one password. Then if something funny happens, you simply reset all your passwords and change the main one. And make it a good password, too. Make sure that nobody can guess your passwords or security questions just by reading your Facebook page.

Also, if you were out in public and wanted to keep what you are saying private, you could use a code couldn’t you? Then, even if you were overheard, what you said wouldn’t make any sense to anyone but you and the person you are trying to communicate with. Why not apply that to your computer, as well? Use cryptography to store your private stuff in memory and for sending private communications whenever possible. You don’t have to be any kind of computer expert. Disc encryption tools are free and easy to use, and you can buy email certificates very inexpensively. The main thing is, though, take responsibility for your own computer safety like you would anything else you own. I’ll bet you can think of plenty of other common sense ways to protect yourselves that I haven’t touched on here. 

This post by John Davis.

The Big Three Part 4: Awareness

Cyber-attacks are a simply a part of reality now, and are very much like home burglaries. We can install locks and lights, cameras and alarm systems, and despite our best efforts at protection and prevention, a certain number of robberies are still bound to happen. That is the reason we need to steel ourselves to this fact and prepare ourselves to resist cyber-attacks the best way that we can. And the Big Three; incident detection, incident response and user security education and awareness are some of our best tools for meeting this problem.

The importance of user education and awareness to information security cannot be over emphasized. Of all the firewalls, IPS systems and other security sensors available, none can compare to human beings in their ability to detect cyber-attacks and security risks. But to take advantage of this resource, it is necessary that users know how to recognize security problems and it is necessary that they want to be engaged in the security process. To accomplish this, companies need to do several things.

First, they should provide all of their personnel with information security training both as new hires, and then periodically thereafter. This training should include the company information security policies that apply to all, plus information security training that is specific to each user’s particular role in the organization. Providing extra information security training for individuals such as code developers, system administrators and help desk personnel is particularly beneficial.

Next, it is also very important to provide all company personnel with information security awareness reminders. These serve two purposes. First, they help keep the need for good security practices fresh in users’ minds. But more importantly than that, good security awareness tips let your personnel know exactly what kind of attacks are out there and how they take place. That’s why it is important to base your awareness reminders on cutting-edge, real-world information security threats. For example, perhaps your employees gets a perfectly legitimate-looking email message from one of their co-workers that solicit them to check out a certain website and give an opinion on it. So they innocently click on the embedded link and wham! Suddenly their machines have been infected with malware and they don’t have a clue that anything is wrong. Awareness reminders can help keep such things from happening.

On top of good information security training and awareness, we think that there is one more element that is needed to really make the process pay off. It is important to engage the interest of your employees and make them feel that they are an essential part of the information security effort. This

isn’t really hard or expensive to do either. Explain their importance in the program to your personnel and ask for their help. Most everyone really likes to help out, and it makes them feel good inside. In addition, recognize those that have contributed to the information security cause and give them some kind of reward. This can be as simple as a little praise at the weekly staff meeting, or can include things like days off or preferred parking spaces. It doesn’t have to be big, just visible. One thing is sure, it makes better business sense to utilize this free and effective security resource to the hilt than spend a million dollars on a vaunted new IDS/IPS system! 

This post by John Davis.

Spend Your First Hour Back the Right Way – Go Malware Hunting!

So, you’ve been out of the office for a quick holiday break or vacation. Now you face a mountain of emails and whole ton of back-logged tasks. Trust me, put them aside for one hour.

Instead of smashing through emails and working trouble tickets, spend an hour and take a look around your environment – go hunting – target malware, bots and backdoors. At a macro level, not a micro level. Were there an abnormal number of trouble tickets, outbound connections, AV alerts, IDS and log entries while you were gone? What does egress look like during that period? Were there any abnormal net flows, DNS anomalies or network issues that would indicate scans, probes or tampering on a larger scale?

Spend an hour and look for high level issues before you dig into the micro. Read some logs. See what might be getting lost in your return to work overwhelm. It is not all that uncommon for attackers to use holidays and vacations as windows of opportunity to do their nasty business.

Don’t fall victim to the expected overwhelm. Instead, use it as a lens to look for items or areas that correlate to deeper concerns. You might just find that hour invested to be the one that makes (or breaks) your career in infosec.

Good luck and happy hunting!

PS – Thanks to Lee C. for the quick edits on 7/4/14.

Federal Hacking Laws – Some Pointers

We wanted to close out this series by pulling together some information for clients on the federal laws (US) surrounding computer intrusion and hacking. Here are some pointers for your consideration:

Internet crime is among the newest and most constantly evolving areas of American law. Although the Internet itself is more than three decades old, greater public usage began in the late 1980s with widespread adoption only following in the 1990s. During that decade the Net was transformed from its modest military and academic roots into a global economic tool, used daily by over 100 million Americans and generating upwards of $100 billion in domestic revenue annually. But as many aspects of business, social, political, and cultural life moved online, so did crime, creating new challenges for lawmakers and law enforcement. 

Crime on the Net takes both old and new forms. The medium has facilitated such traditional offenses as fraud and child pornography. But it has also given rise to unique technological crimes, such as electronic intrusion in the form of hacking and computer viruses. High-speed Internet accounts helped fuel a proliferation of copyright infringement in software, music, and movie piracy. National security is also threatened by the Internet’s potential usefulness for terrorism. Taken together, these crimes have earned a new name: when FBI Director Louis J. Freeh addressed the U.S. Senate in 2000, he used the widely-accepted term “cybercrime. 

Source

Great explanation (dated though – 2006) of Section 18 of the US code and their relevant sections to cybercrime.

The main hacking laws are in the US Computer Fraud and Abuse Act passed in 1986 and has undergone several amendments. 


Based on the history of hacking, computer problems caused as a result of hacking were continuously increasing and like recent times ethical hacking became unpopular because of the notoriety of black hats. What do you think? If these laws weren’t there, ha! Imagine what would have been happening. I like the efforts of the US government on hacking. 

Hacking laws according to the US laws(Computer Fraud and Abuse Act) states, 

Hacking Law 1 

1.Whoever having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation, willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it; 

Hacking Law 2 

2.Intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains– 

Information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.); 

B.Information from any department or agency of the United States; or 

C. Information from any protected computer if the conduct involved an interstate or foreign communication;

Hacking law 3 

3. Intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States; 

hacking law 4 

4 Knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period; 

A.Knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer; 

B. Intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or 

C. Intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage;

Source

Reporting Cyber-Crimes:

Every day, criminals are invading countless homes and offices across the nation—not by breaking down windows and doors, but by breaking into laptops, personal computers, and wireless devices via hacks and bits of malicious code. 

The collective impact is staggering. Billions of dollars are lost every year repairing systems hit by such attacks. Some take down vital systems, disrupting and sometimes disabling the work of hospitals, banks, and 9-1-1 services around the country. 

Who is behind such attacks? It runs the gamut—from computer geeks looking for bragging rights…to businesses trying to gain an upper hand in the marketplace by hacking competitor websites, from rings of criminals wanting to steal your personal information and sell it on black markets…to spies and terrorists looking to rob our nation of vital information or launch cyber strikes. 

Today, these computer intrusion cases—counterterrorism, counterintelligence, and criminal—are the paramount priorities of our cyber program because of their potential relationship to national security. 

Combating the threat. In recent years, we’ve built a whole new set of technological and investigative capabilities and partnerships—so we’re as comfortable chasing outlaws in cyberspace as we are down back alleys and across continents. That includes: 

A Cyber Division at FBI Headquarters “to address cyber crime in a coordinated and cohesive manner”; 

Specially trained cyber squads at FBI headquarters and in each of our 56 field offices, staffed with “agents and analysts who protect against investigate computer intrusions, theft of intellectual property and personal information, child pornography and exploitation, and online fraud”; 

New Cyber Action Teams that “travel around the world on a moment’s notice to assist in computer intrusion cases” and that “gather vital intelligence that helps us identify the cyber crimes that are most dangerous to our national security and to our economy;” 

Our 93 Computer Crimes Task Forces nationwide that “combine state-of-the-art technology and the resources of our federal, state, and local counterparts”; 

A growing partnership with other federal agencies, including the Department of Defense, the Department of Homeland Security, and others—which share similar concerns and resolve in combating cyber crime.

Source

How to Report Computer Hackers 

Many computer users fall prey to hackers and the crimes they perpetrate on unsuspecting individuals and companies. If a crime occurs in your home or business, it’s not difficult to report the computer hacker. 

Determine which agency has jurisdiction over the crime. This will depend upon whether the crime was committed at your home or at your business, and the address of that particular location. If you live within city limits, the proper agency will generally be a police department in your town. If you live outside the city limits, within the county, contact your local sheriff’s office. 

Call the non-emergency phone number for your local police department or sheriff’s office to report the crime. Ask to speak with someone in the detective’s division about an Internet crime.

Source

Reporting Computer Hacking, Fraud and Other Internet-Related Crime 

The primary federal law enforcement agencies that investigate domestic crime on the Internet include: the Federal Bureau of Investigation (FBI), the United States Secret Service, the United States Immigration and Customs Enforcement (ICE) , the United States Postal Inspection Service, and the Bureau of Alcohol, Tobacco and Firearms (ATF) . Each of these agencies has offices conveniently located in every state to which crimes may be reported. Contact information regarding these local offices may be found in local telephone directories. In general, federal crime may be reported to the local office of an appropriate law enforcement agency by a telephone call and by requesting the “Duty Complaint Agent.” 
Each law enforcement agency also has a headquarters (HQ) in Washington, D.C., which has agents who specialize in particular areas. For example, the FBI and the U.S. Secret Service both have headquarters-based specialists in computer intrusion (i.e., computer hacker) cases.