Podcast Episode 1 is Now Available

Posted on February 7, 2015 by Brent Huston

This episode is about 45 minutes in length and features an interview with Dave Rose (@drose0120) and Helen Patton (@OSUCISOHelen) about ethics in security, women in STEM roles and career advice for young folks considering Infosec as a career. Have feedback, let me know via Twitter (@lbhuston).

As always, thanks for listening and reading stateofsecurity.com!

Listen here:

PS – We decided to restart the episode numbers, move to pod bean.com as a hosting company and make the podcast available through iTunes. We felt all of those changes, plus the informal date-based episode titles we were using before made the change a good idea.

Recently Observed Attacks By Compromised QNAP Devices

Posted on January 30, 2015 by Adam Luck

Despite the fact that the Shellshock bug was disclosed last fall, it appears that a wide variety of systems are still falling victim to the exploit. For example, in the last 30 days, our HoneyPoint Internet Threat Monitoring Environment has observed attacks from almost 1,000 compromised QNAP devices. If you have QNAP devices deployed, please be sure to check for the indicators of a compromised system. If your device has not been affected, be sure to patch it immediately.

Once compromised via the Shellshock bug, the QNAP system downloads a payload that contains a shell script designed specifically for QNAP devices. The script acts as a dropper and downloads additional malicious components prior to installing the worm and making a variety of changes to the system. These changes include: adding a user account, changing the device’s DNS server to 8.8.8.8, creating an SSH server on port 26 and downloading/installing a patch from QNAP against the Shellshock bug.

The map below shows the locations of compromised QNAP systems that we observed to be scanning for other unpatched QNAP systems. If you have any questions regarding this exploit, feel free to contact us by emailing info <at> microsolved.com.

How to Avoid Getting Phished

Posted on January 13, 2015 by Brent Huston

It’s much easier for an attacker to “hack a human” than “hack a machine”. This is why complicated attacks against organizations often begin with the end user. Although e-mails with malicious links or attachments are often dismissed and referred to as “spam”, these messages are often the beginning of a sophisticated hack against a company. Unfortunately there is no “silver bullet” that can prevent these attacks from taking place.

I recently had the opportunity to give a presentation during one of our client’s all-staff meeting. Despite the fact that our client’s company resides in a relatively niche market, I was able to discuss several data breaches that took place in their industry within the last year. Not only did the hacks all take place recently, they were all the direct result of actions taken by an end-user. A majority of these attacks were caused by an employee opening a malicious e-mail. I gave our customer the following advice to help them avoid becoming a victim of Phishing e-mails and felt that it was worth sharing on StateOfSecurity.com.

Verify link URL: If the e-mail you received contains a link, does the website URL match up with the content of the message? For example, if the e-mail indicates you are about to visit a website for FedEx, is the address actually FedEx.com? A common tactic used by attackers is to direct a user to a similar URL or IP address. An example of this would be to direct the user to FedEx111.com or FedEx.SE as opposed to the organization’s actual URL.

Verify e-mail address of sender: If the e-mail message you received came from a friend, colleague or vendor, did it actually come from their e-mail address? It’s worthwhile to take a few extra seconds to ensure that the e-mail actually came from the aforementioned colleague, friend or vendor. Also, avoid opening e-mails from generic senders such as “Systems Administrator” or “IT Department”.

Exercise caution from messages sent by unknown senders: Be cautious if a message comes from an unknown sender. Would you provide your checking account number or password to a random person that you saw on the street? If not, then don’t provide confidential information to unknown senders.

Follow up with a phone call: In the event you receive a message requesting that you validate information or need to reset your password, take some time to follow up with the sender with a phone call. Trust me, your IT department will be happy to spend a few seconds confirming or denying your request as opposed to dealing with a malware infection. Also, if your “bank” sends any type of e-mail correspondence requesting that you perform some sort of action, it’s worthwhile to give them a call to confirm their intentions. Always be sure to use a number that you found from another source outside of the e-mail.

Spot check for spelling/grammar errors: It is extremely common that malicious e-mails contain some sort of spelling mistake or grammatical error. Spelling mistakes or grammatical errors are great indicators that you have received a malicious e-mail.

Do not open random attachments: If your e-mail messages meets any of the above criteria, DO NOT open the attachment to investigate further. Typically these attachments or links are the actual mechanism for delivering malware to your machine.

This blog post by Adam Luck.

Young IT Professionals, Cybercrime, Script Kiddies & CyberWarriors, OH MY!

Posted on January 9, 2015 by Brent Huston

Recently I came across a couple of articles that both centered on the potential roles that young people entering into the IT Security field may face. Some of them, for example, may be lured away from legitimate IT security jobs and into the world of cybercrime. Others may follow the entrepreneurial role and fight cybercrime alongside myself and other professionals.

I suppose such dichotomies have existed in other professions for quite some time. Chemists could enter the commercial or academic world or become underground drug cartel members, ala Breaking Bad. Accountants could build CPA tax practices or help bad guys launder money. Doctors could work in emergency rooms or perform illegal operations to help war lords recover from battle. I suppose it is an age old balancing act.

I am reminded of Gladwell’s Outliers though, in that we are experiencing a certain time window when IT security skills are valuable to both good and bad efforts, and a war for talent may well be waging just beyond the common boundary of society. Gladwell’s position that someone like Steve Jobs and Bill Gates could only emerge within a specific time line of conditions seems to apply here. Have we seen our IT security Bill Gates yet? Maybe, maybe not….

It is certainly an interesting and pivotal time isn’t it? These articles further solidified my resolve to close a set of podcast interviews that I have been working on. In the next couple of months I will be posting podcast interviews with teams of IT and Infosec leaders to discuss their advice to young people just entering our profession. I hope you will join me for them. More importantly, I hope you will help me by sharing them with young people you know who are considering IT security as a career. Together, maybe we can help keep more of the talent on the non-criminal side. Maybe… I can always hope, can’t I? 🙂

Until next time, thanks for reading, and stay safe out there! If you have questions or insights about advice for young security professionals, hit me up on Twitter (@lbhuston). I’ll add them to the questions for the podcast guests or do some email interviews if there is enough interest from the community.

Benefits of using TigerTrax to Monitor Your Industry

Posted on December 26, 2014 by Brent Huston

Have you ever wanted to know what is being said in regards to your business or product line on social media? How about getting the scoop on a company prior to your big merger or acquisition? Perhaps you have a need for continual code of conduct monitoring for your business or franchise. These are but a few of the things that we at MicroSolved, Inc can provide for you and your company! MicroSolved has a whole host of proprietary software including TigerTrax, that will give your company an edge over your competition!

With our TigerTrax platform we can help provide you with a competitive advantage by receiving actionable intelligence about your product line from the social media hemisphere. Imagine scouring the entire population of Twitter, which boasts some 645 million registered users with over 115 million active users monthly. That is an enormous market that you can tap into with our help. A market where you can see where you think that your product line may be heading versus what people are actually talking about in regards to your product line. Imagine being able to fine-tune your marketing campaign based on our intelligence gathering ability!

In every business there are times whether for a short duration or a long term one where you may want us to provide you with code of conduct information about your employees. Perhaps their contracts clearly state what sort of things they may or may not post on social media and the internet; but also and more importantly you may want to know what everyone else is posting about them. We can help provide you that information. Our TigerTrax platform does in minutes what takes a roomful of employees days or weeks to do and in a very short time you can have actionable information that may be used to help protect your companies brand!

As you can see TigerTrax is a wonderful tool in your arsenal for providing actionable data that will enable you to adjust your marketing campaign or perform ongoing code of conduct monitoring. We can also perform threat intelligence, assess whether your intellectual property has been leaked online, and of course perform brand intelligence. As you can imagine we are only scratching the surface of what we at MicroSolved, Inc and the TigerTrax platform can do for you. So please if you need any assistance for your company feel free to contact us by sending an email to: info@microsolved.com.

This post by Preston Kershner.

My Time as a HoneyPoint Client

Posted on December 10, 2014 by Brent Huston

Prior to joining MicroSolved as an Intelligence Engineer, I was the Information Security Officer and Infrastructure Manager for a medical management company. My company provided medical care and disease management services to over 2 million individuals. Throughout my tenure at the medical management organization, I kept a piece of paper on my bulletin board that said “$100,000,000”.

Why “$100,000,000”? At the time, several studies demonstrated that the average “street value” of a stolen medical identity was $50. If each record was worth $50, that meant I was responsible for protecting $100,000,000 worth of information from attackers. Clearly, this wasn’t a task I could accomplish alone.

Enter: MicroSolved & HoneyPoint

Through my membership with the Central Ohio Information Systems Security Association, I met several members of the MicroSolved team. I engaged them to see if they could help me protect my organization from the aforementioned attackers. They guided me through HIPPA/HITECH laws and helped me gain a further understanding of how I could protect our customers. We worked together to come up with innovative solutions that helped my team mitigate a lot of the risks associated with handling/processing 2 million health care records.

A core part of our solution was to leverage the use of HoneyPoint Security Server. By using HoneyPoint, I was able to quickly gain visibility into areas of our network that I was often logically and physically separated from. I couldn’t possibly defend our company against every 0-day attack. However, with HoneyPoint, I knew I could quickly identify any attackers that had penetrated our network.

Working for a SMB, I wore many hats. This meant that I didn’t have time to manage another appliance that required signature updates. I quickly found out that HoneyPoint didn’t require much upkeep at all. A majority of my administrative tasks surrounding HoneyPoint were completed when I deployed agents throughout our LAN segments that mimicked existing applications and services. I quickly gained the real-time threat analysis that I was looking for.

If you need any assistance securing your environment or if you have any questions about HoneyPoint Security Server, feel free to contact us by sending an email to: info@microsolved.com.

This post contributed by Adam Luck.

Using TigerTrax to Analyze Device Configurations & Discover Networks

Posted on November 21, 2014 by Brent Huston

One of the biggest challenges that our M&A clients face is discovering what networks look like, how they are interconnected and what assets are priorities in their newly acquired environments. Sure, you bought the company and the ink is drying on the contracts — but now you have to fold their network into yours, make sure they meet your security standards and double check to make sure you know what’s out there.

That’s where the trouble begins. Because, in many cases, the result is “ask the IT folks”. You know, the already overworked, newly acquired, untrusted and now very nervous IT staff of the company you just bought. Even if they are honest and expedient, they often forget some parts of the environment or don’t know themselves that parts exist…

Thus, we get brought in, as a part of our Information Security Mergers & Acquisitions practice. Our job is usually to discover assets, map the networks and perform security assessments to identify gaps that don’t meet the acquiring company’s policies. Given that we have had to do this so often, we have designed a great new technique for performing these type of mapping and asset identification engagements. For us, instead of asking the humans, we simply ask the machines. We accumulate the router, switch, firewall and other device configurations and then leverage TigerTrax’s unique analytics capabilities to quickly establish network instances, interconnections, prioritized network hosts & segments, common configuration mistakes, etc. “en masse”. TigerTrax then outputs that data for the MSI analysts, who can quickly perform their assessments, device reviews and inventories — armed with real-world data about the environment!

This approach has been winning us client kudos again and again!

Want to discuss our M&A practice and the unique ways that TigerTrax and MSI can help you before, during and after a merger or acquisition? Give us a call at (614) 351-1237 or drop us a line at info (at) microsolved /dot/ com. We’d be happy to schedule a FREE, no commitment & no pressure call with our Customer Champions & our security engineers.

Centralization: The Hidden Trap

Posted on November 19, 2014 by Brent Huston

Everything is about efficiency and economies of scale now days. That’s all we seem to care about. We build vast power generation plants and happily pay the electrical resistance price to push energy across great distances. We establish large central natural gas pipelines that carry most of the gas that is eventually distributed to our homes and factories. And we establish giant data centers that hold and process enormous amounts of our private and business information; information that if lost or altered could produce immediate adverse impacts on our everyday lives.

Centralization like this has obvious benefits. It allows us to provide more products and services while employing less people. It allows us to build and maintain less facilities and infrastructure while keeping our service levels high. It is simply more efficient and “cost effective”. But the “cost” that is more “effective” here is purely rated in dollars. How about the hidden “cost” in these systems that nobody seems to talk about?

What I am referring to here is the vulnerability centralization brings to any system. It is great to pay less for electricity and to avoid some of the local blackouts we used to experience, but how many power plants and transmission towers would an enemy have to take out to cripple the whole grid? How many pipeline segments and pumping stations would an enemy have to destroy to widely interrupt gas delivery? And how many data centers would an enemy need to compromise to gain access to the bulk of our important records? The answer to these questions is: not as many as yesterday, and the number becomes smaller every year.

However, I am not advocating eschewing efficiency and economies of scale; they make life in this overcrowded world better for everyone. What I am saying is that we need to realize the dangers we are putting ourselves in and make plans and infrastructure alterations to cope with attacks and disasters when they come. These kinds of systems need to have built-in redundancies and effective disaster recovery plans if we are to avoid crisis.

Common wisdom tells us that “you shouldn’t put all your eggs in one basket”, and Murphy’s Law tells us that “anything that can go wrong eventually will go wrong”. Let’s remember these gems of wisdom. That way our progeny cannot say of us: “those that ignore history are doomed to repeat it”!

Thanks to John Davis for this post.

Mergers and Acquisitions: Look Before You Leap!

Posted on November 17, 2014 by Brent Huston

Mergers and acquisitions are taking place constantly. Companies combine with other companies (either amicably or forcibly) to fill some perceived strategic business need or to gain a foothold in a new market. M&As are most often driven by individual high ranking company executives, not by the company as a whole. If successful, such deals can be the highpoint in a CEO’s career. If unsuccessful, they can lead to ignominy and professional doom.

Of course this level of risk/reward is irresistible to many at the top, and executives are constantly on the lookout for companies to take over or merge with. And the competition is fierce! So when they do spot a likely candidate, these individuals are naturally loath to hesitate or over question. They want to pull the trigger right away before conditions change or someone else beats them to the draw. Because of this, deal-drivers often limit their research of the target company to surface information that lacks depth and scope, but that can be gathered relatively quickly.

However, it is an unfortunate fact that just over half of all M&As fail. And one of the reasons this is true is that companies fail to gain adequate information about their acquisitions, the people that are really responsible for their successes and the current state of the marketplace they operate in before they negotiate terms and complete deals. Today more than ever, knowledge truly is power; power that can spell the difference between success and failure.

Fortunately, technology and innovation continues to march forward. MSI’s TigerTraxTM intelligence engine can provide the information and analysis you need to make informed decisions, and they can get it to you fast. TigerTraxTM can quickly sift through and analyze multiple sources and billions of records to provide insights into the security posture and intellectual property integrity of the company in question. It can also be used to provide restricted individual tracing, supply chain analysis, key stakeholder profiling, history of compromise research and a myriad of other services. So why not take advantage of this boon and “look” before you leap into your next M&A?

This post courtesy of John Davis.

Tips for Writing Good Security Policies

Posted on November 13, 2014 by Brent Huston

Almost all organizations dread writing security policies. When I ask people why this process is so intimidating, the answer I get most often is that the task just seems overwhelming and they don’t know where to start. But this chore does not have to be as onerous or difficult as most people think. The key is pre-planning and taking one step at a time.

First you should outline all the policies you are going to need for your particular organization. Now this step itself is what I think intimidates people most. How are they supposed to ensure that they have all the policies they should have without going overboard and burdening the organization with too many and too restrictive policies? There are a few steps you can take to answer these questions:

Examine existing information security policies used by other, similar organizations and open source information security policy templates such as those available at SANS. You can find these easily online. However, you should resist simply copying such policies and adopting them as your own. Just use them for ideas. Every organization is unique and security policies should always reflect the culture of the organization and be pertinent, usable and enforceable across the board.
In reality, you should have information security policies for all of the business processes, facilities and equipment used by the organization. A good way to find out what these are is to look at the organizations business impact analysis (BIA). This most valuable of risk management studies will include all essential business processes and equipment needed to maintain business continuity. If the organization does not have a current BIA, you may have to interview personnel from all of the different business departments to get this information.
If the organization is subject to information security or privacy regulation, such as financial institutions or health care concerns, you can easily download all of the information security policies mandated by these regulations and ensure that you include them in the organization’s security policy.
You should also familiarize yourself with the available information security guidance such as ISO 27002, NIST 800-35, the Critical Security Controls for Effective Cyber Defense, etc. This guidance will give you a pool of available security controls that you can apply to fit your particular security needs and organizational culture.

Once you have the outline of your security needs in front of you it is time to start writing. You should begin with broad brush stroke, high level policies first and then add detail as you go along. Remember information security “policy” really includes policies, standards, guidelines and procedures. I’ve found it a very good idea to write “policy” in just that order.

Remember to constantly refer back to your outline and to consult with the business departments and users as you go along. It will take some adjustments and rewrites to make your policy complete and useable. Once you reach that stage, however, it is just a matter of keeping your policy current. Review and amend your security policy regularly to ensure it remains useable and enforceable. That way you won’t have to go through the whole process again!