SDIM Project Update

Just a quick update on the Stolen Data Impact Model project for today. Basically, we have reached a point where have created an idea that the impact of stolen data should be a curve. We have decided to implement that curve across two axis measured in the following:

Risk to the organization – 0 – 10, obviously subjective.

Those values will be plotted across four time segments: Immediate, Short Term, Intermediate Term and Long Term. Some folks are still discussing if we need a Residual catch all for things that don’t ever go away. If you have thoughts on it, please weigh in.

Thus far, we are leaving the term definitions to the consumer. But we are generally working with them as variable as we run scenarios with variety.

The next step will be to build and publish a couple of quick and dirty sample curves for some common stolen data scenarios. Then, we will begin to generate the scoring mechanism and perhaps a questionnaire for doing the scoring on a more repeatable basis.

If you have thoughts, please weigh in via the comments or touch base with us on Twitter. I will be the main conduit for feedback (@lbhuston). 

Thanks for reading and this process is already proving helpful for some folks, so we enjoy working on it.

Ask The Experts: Malware Infection Mitigation

This time, we have a question from a reader:

Dear Experts, I’ve been fighting with my help desk team about the proper response to a malware infection. Once we know a workstation or server has been infected, what should we do to make sure that machine is clean before we put it back in service? We have heard a variety of stories about cleanup versus rebuild. What is the MSI security expert’s take on the proper response to malware infection?

John Davis replied:

It would be nice to be able to eliminate Malware without having to totally rebuild your computer. I wish I had some good news for folks on that score. But unfortunately, the only way to be sure that a malware infection has been totally eliminated is to do just that: rebuild your computer completely from reliable backups. This illustrates the importance of making frequent backups and storing those backups securely!

Adam Hostetler also added:

The only proper response is complete wipe and reinstall. It’s impossible to say it’s clean after it has a known infection, one part might be gone but the malware may have installed or downloaded other components that weren’t detected. I recommend having a good image to use on workstations, and store as little data on them as possible, so a quick turn around is likely. It’s also a good idea to implement strong egress controls on your firewalls and monitor them. This helps in preventing malware from doing damage, and aids in finding infections. 

Got a question for the Experts? Get in touch on Twitter (@lbhuston or @microsolved) or via the comments. Thanks for reading!

PS – Chris Jager (@ChrisJager) points out on Twitter: Also to consider: Closing vuln that allowed the malware onto the host & refreshing backups & build docs w/said updates.

Thanks Chris! We just ASSUMED (yeah, we know…) that was already in scope, but good to mention that it should be pointed out. Clearly, making sure the bad guys lose their foothold from being re-exploited is CRITICAL.

Threat Update: Wide Scale Phishing in Progress

GlobalDisplay Orig

Just a quick update about the ongoing threat from malware dropped by phishing attacks. There are a lot of phishing attacks currently in progress. Fishing has been a leading form of compromise for quite some time and indicators appear to point to an increasing amount of phishing attacks and a larger amounts of damage from successful exploitation.

Many organizations are reporting wide spread phishing using recycled, older malware including Zeus, Tepfer and other common remote access tools. In some cases, these malware are repackaged or otherwise modified to evade anti-virus detection. Attackers are showing medium to high levels of success with these attacks.

Once compromised, the normal bot installation and exfiltration of data occurs. For most organizations that don’t play a role in critical infrastructure, this likely means credentials, customer information and other commercially valuable data will be targeted. For critical infrastrcuture organizations, more specific  design, future state and architectural data is being targeted along with credentials, etc.

Organizations should be carefully and vigilantly reviewing their egress traffic. They should also be paying careful attention to user desktop space and the ingress/egress from the user workstation DMZ or enclaves (You DO have your user systems segregated from your core operations, correct???). Remember, you CAN NOT depend on AV or email filtering to rebuff these attacks at a meaningful level. Detection and response are key, in order to limit the length of time the attacker has access to your environment. Anything short of full eradication of their malware and tools is likely to end with them still maintaining some level of access and potentially, control.

Now is a good time to consider having a phishing penetration test performed, or to consider using MSISimplePhish to perform some phishing for yourself. Awareness alerts and training are also encouraged. This is going to be a long term threat, so we must begin to implement ongoing controls over the entire technology/ppolicy & process/awareness stack. 

If you have any questions on phishing attacks, malware or incident response, please let us know. Our teams are used to working with these attacks and their subsequent compromises. We also have wide experience with designing enclaved architectures and implementing nuance detection mechanisms that focus on your critical assets. Feel free to touch base with us for a free 30 minute call to discuss your options for increasing security postures.

Audio Blog Post – IT History: An Interview with Brent’s Mom

Today, I got to do something pretty cool! I got to record a quick interview about the history of IT and what some of today’s technologies look like through the eyes of someone who has done IT for the last 40 years. Even cooler than that, I got to interview MY MOM! 

Check this out; as she discusses mainframes, punch cards and tape vaults, insights about mainframe authentication and even quality control in the mainframe environment. She even gives advice to IT folks approaching retirement age and her thoughts on the cloud. 

She closes with a humorous insight into what she thinks of my career and when she knew I might be a hacker. 🙂

It’s good stuff, and you can download the audio file (m4a format) by clicking here

Thanks for listening and let me know if you have other IT folks, past or present, you think we should be talking to. I’m on Twitter (@lbhuston) , or you can respond in the comments.

CMHSecLunch for February

J0289893

This month’s CMHSecLunch is February 11th, at the Polaris Mall food court. It starts at 11:30 am Eastern and goes to 1pm Eastern. The Twitter chat runs at the same time if you can’t join in person – use the hashtag #CMHSecLunch to get in on the virtual event.

This is a great opportunity to meet with friends, peers and folks you may not have gotten to hang out with in a while. It is open to the public, there is no cost or registration hassles. You just go to the mall food court for lunch and sit down with friends to talk or maybe even make some new friends.

Turn outs have been great and the group of folks participating is growing. Each month, on the second Monday, we rotate between mall food courts around town so everyone gets a chance to be “close to home”. Seriously, it’s worth coming out. Think of this as the best part of security conferences (the chance to hang out and chat in the hallways), without the con flu or need to travel on an airplane.

Hopefully, the Twitter hashtag will grow as well and we can use it for folks that are/were in our community, but can’t get to the physical event for whatever reason. 

As always, thanks for reading StateOfSecurity and engaging with MicroSolved. We love the CMH infosec community and organizing this event is just another way we hope to give back for all you have done for us over the last two decades! Thanks!!! 

Kicking Off an Interview Series: Three Tough Questions

Beginning in the next few weeks, we will be kicking off a new series of blog posts called 3 Tough Questions. The format will be either text or audio interviews with infosec, ICS/SCADA, government and other experts. We will be asking strong questions about where we are today in infosec, how we got here and we are going tomorrow. 

Who would you like to see us interview? Drop me a line on Twitter (@lbhuston) or via email/comments and let me know. If you have a burning question or two as well, send them over! 

Thanks for reading and we hope you enjoy the new series! 

Event Announcement: ICS/SCADA Security Briefing

MSI, along with the teams at NexDefense and Critical Intelligence, will be participating in an online webinar about ICS/SCADA Security. The date of the event is February, 6th and you can learn more about it here

The event is free to attend, though registration is required. You can earn a CPE for participating! 

We hope you will tune in and check us out!

Overview of the event: 

Learning Objectives

  • Significant trends in the threat and vulnerability environment
  • Relevant trends in ICS technology
  • What proactive steps you can take
  • How to leverage security intelligence

Agenda

  • Introductions
  • ICS Cyber Security Intelligence Briefing, Michael Assante
  • ICS Threat Update, Brent Huston
  • How to Leverage Security Intelligence, Bob Huber
  • Live Q&A

Who Should View?

  • Senior Information Security Leaders, CISOs and CTOs
  • Security and Risk Analysts
  • Control system security engineers
  • Security operation leads for ICS reliant organizations

Review: The Bus Pirate

We have been playing with the Bus Pirate for a while now in the lab. And, while overall, we love the tool and the functionality it brings, there is one thing we hate about it too. We love the open source architecture and just the fact that it exists, in general. It is quite a useful tool for exploring electronic systems and dumping data from embedded devices.

The tutorials and documentation around the web make it a widely useable device. You can find detailed configuration data and connection scenarios in the forums for the product and in the general documentation as well. We recently spent a good deal of time playing with the Pirate and connecting it up to known and unknown equipment. The wide variety of modes took a lot of the complication out of the manual work that used to be required before the Pirate became available.

There is really only ONE thing NOT to like about the Bus Pirate. That specific thing is the flashing process to upgrade or downgrade the firmware. It requires physically manipulating the device pins with jumper wire and running an application to specifically install the version you desire. Given how easy using the device is normally, we hope to see this mature into something more along the lines of the update process for a router or the like. The main gripe about the current process is the time it takes to do the upgrade/downgrade. In a classroom environment, it takes quite a bit of time to make these changes, though among our team there is currently a discussion about the inherent value of the lessons learned from doing it. 

Overall, even with the tedium of the upgrade process in mind, the Bus Pirate is a wonder. Dangerous Prototypes have pulled off an amazing feat to bring this thing to life. It makes hardware hacking so much easier than the “bad old days” and gives more people more access to the circuitry level for hacking. It makes grabbing data from chips and systems significantly easier. At the same time, it means that vendors of products that need to protect data against attacks at this level have to get better too. More eyes and more brains focusing on this level, means the race is on at a heated pace…

Malware in Many Places

 

GlobalDisplay Orig

Just a quick reminder that malware can come in many forms and from many places. These days, it isn’t just phishing, drive-by downloads and stray email attachments that you have to worry about. USB drives, digital picture frames, wireless devices, watches with USB plugs, exercise equipment with public “charge and data monitoring ports” and whole variety of other things.

Basically, today, if it can plug into your systems or talk to your network and has any kind of processing, memory or storage – it can likely carry malware. That’s certainly something to keep in mind as the “Internet of Things” becomes more and more a part of our daily lives. 

All of the usual defenses still apply, but today we need more than just anti-virus to keep us safe. We have to be using a variety of security controls from throughout the spectrum of prevention, detection and response. Since malware can be everywhere, so too must our vigilance against it. 

PS – Those of you with teens and older parents who use/depend on electronics and computers should discuss malware and safer computing with them. They likely have an entirely different risk profile than you do, and they may not be paying as much attention to the impacts that these attacks can have or where they can come from. They may be doing risky things without even knowing it. Talk to them about malware and help keep them safer in the online world.

Tool Review: Synalyze It! Pro for OS X

Rounding out this week with another tool review for the Mac under OS X. Earlier this week, we reviewed our favorite disassembler, Hopper for OS X. Synalyze It! Pro is another invaluable tool that we depend on. This tool is a hex editor with some very very useful features in the GUI. Namely, it lets you “lasso” different bits of text and highlight them in different colors. While this might sound basic, it is amazingly useful for performing reverse engineering of protocols and other deep-level analysis tasks of textual data.

Recently, we have been doing quite a bit of protocol testing in the lab and this tool has proven itself again and again as invaluable. My favorite feature of the tool is available by highlighting some piece of data and right clicking to bring up a menu, then selecting “compare code pages”. This brings up a window in which the highlighted data is run through a bunch of encoding/decoding schemes and presented to you both as ASCII and as hex. This makes reversing simple encoding on text as easy pie and as quick as swatting a fly. In my recent protocol work, this was a feature I used over and over again to identify various components of the data stream and figure out how each was encoded as a part of a bigger puzzle.

Another feature we have come to love is the “Show Checksums” feature. This feature displays a wide variety of checksums for the data that is highlighted and updates the checksums in realtime. This makes it pretty easy to figure out if different fields are included in the protocol’s checksum activities and leads to faster, cleaner reversing. However, I do have a couple of things I would like to see as future features for this capability. For one, I would like to see additional checksum mechanisms added and perhaps even an interface for creating your checksum scripts or equations. Additionally, I would really like it if you could get realtime updates, but with a mechanism for selecting multiple data elements and not just single strings. I really thought this would work, but could not seem to selections to “stick” so that I could add multiples. 

The real power of the tool is in the creation of the “grammar files”. This is an easy to use, intuitive and powerful mechanism for reversing. I still need to practice a bit more with the grammar definition mechanisms, but I can see where this will grow the product’s usefulness rapidly. The grammar definition could lend itself to a better toolbox in the GUI. It might be easier for beginners to learn to master this capability if an set of quick and easy tools were easily available without a bunch of menu navigation. However, the feature is still excellent and the tool remains a very powerful addition to our toolbox. 

The link to the App Store has a variety of screenshots of the product if you want to check it out. The product retails for $25 in the App Store and a non-Pro version is available for $5 – however, note that it lacks many features of the Pro version that make it such a useful tool. 

PS – MSI has no affiliation or relationship with the product and/or the developers.