Category Archives: How To

The First Five Quick Wins

Posted on by
10

The Top 20 Critical Controls for Effective Cyber Defense have been around for half a decade now, and are constantly gaining more praise and acceptance among information security groups and government organizations across the globe. One of the main reasons for this is that all of these controls have been shown to stop or mitigate known, real-world attacks. Another reason for their success is that they are constantly being updated and adjusted to fit the changing threat picture as it emerges. 

One of these recent updates is the delineation of the “First Five” from the other “Quick Wins” category of sub-controls included in the guidance (Quick Wins security controls are those that provide solid risk reduction without major procedural, architectural or technical changes to an environment, or that provide substantial and immediate risk reduction against very common attacks – in other words, these are the controls that give you the most bang for the buck). The First Five Quick Wins controls are those that have been shown to be the most effective means yet to stop the targeted intrusions that are doing the greatest damage to many organizations. They include:

  1. Application white listing: Application white listing technology only allows systems to run software applications that are included in the white list. This control prevents both external and internal attackers from implementing malicious and unwanted applications on the system. One caveat that should be kept in mind is that the organization must strictly control access to and modifications of the white list itself. New software applications should be approved by a change control committee and access/changes to the white list should be strictly monitored.
  2. Secure standard images: Organizations should employ secure standard images for configuring their systems. These standard images should utilize hardened versions of underlying operating systems and applications. It is important to keep in mind that these standard images need to be updated and validated on a regular basis in order to meet the changing threat picture.
  3. Automated patching tools and processes: Automated patching tools, along with appropriate policies and procedures, allow organizations to close vulnerabilities in their systems in a timely manner. The standard for this control is patching of both application and operating system software within 48 hours of release.
  4. Removal or replacement of outdated software applications: Many computer networks we test have outdated or legacy software applications present on the system. Dated software applications may have both known and previously undiscovered vulnerabilities associated with them, and are consequently very useful to cyber attackers. Organizations should have mechanisms in place to identify then remove or replace such vulnerable applications in a timely manner just as is done with the patching process above.
  5. Control of administrative privileges and accounts: One of the most useful mechanisms employed by cyber attackers is elevation of privileges. Attackers can turn simple compromise of one client machine to full domain compromise by this means, simply because administrative access is not well controlled. To thwart this, administrative access should be given to as few users as possible, and administrative privileged functions should be monitored for anomalous behavior. MSI also recommends that administrators use separate credentials for simple network access and administrative access to the system. In addition, multi-part authentication for administrative access should be considered. Attackers can’t do that much damage if they are limited to isolated client machines!

Certainly, the controls detailed above are not the only security controls that organizations should implement to protect their information assets. However, these are the controls that are currently being implemented first by the most security-aware and skilled organizations out there. Perhaps your organization can also benefit from the lessons they have learned.

Thanks to John Davis for writing this post.

Touchdown Task for January: Audit Your News Feeds

Posted on by
Reply

This month, our suggested Touchdown Task is for the security team to do an “audit” of their news/RSS feeds and the other mechanisms by which you get advisories, patch and upgrade alerts, breakout information and details about emerging threats.

Since RSS feeds and account names and such can change, it’s a good idea to review these sources occasionally. Are the feeds you depend on timely and accurate? Have you added new technology to your organization since you last reviewed your advisory feeds? Maybe you might need to add a vendor or regulator feed.

Have a discussion with all of your team members and understand who monitors what. Make sure you have good cross communication, but aren’t struggling with a lot of duplicated efforts.

Once you get your news and threat feeds in order, trace how the information is shared and make sure it is getting to the system and network admins who might need it. Do you have the right people getting the right information? If not, adjust. 

Most teams can do this review in less than an hour. So focus, communicate and create a robust way to handle the flow of information.

As always, thanks for reading and stay safe out there! 

Using HoneyPoint to Inventory Windows Boxes on a Segment

Posted on by
7

For quite some time now, we have been using HoneyPoint Agent and Console to do some passive inventory and mapping exercises for clients, particularly those involved in ICS and SCADA deployments where active scanning to get inventories is often strongly discouraged. We had particular success with a specific client in this space a couple of weeks ago, and I wanted to discuss it here, since it has proven itself to be a useful tool and is on the top of my mind at the moment.

To get an inventory of the Windows systems on a collision domain, you simply install the Agent on a Linux box (or I suggest using the virtual appliance we already have built for your ease) and implement it and the Console. Once HoneyPoint is operational, you configure a UDP listener on port 138. From there, all of the NETBios speaking Windows systems will begin to send traffic to the host, as per the usual behavior of those systems. In this case, however, HoneyPoint will capture each source IP and log it to the Console. It will also capture the UDP datagrams from that conversation and place them as event data in the logs. By reviewing the source IPs, you can quickly and easily take stock of the Windows systems on the collision domain without sending any traffic at all to the systems. As a bonus, if you dig into the datagram data, you will also see the names of the hosts and other information.

Most of the time, this technique captures only Windows boxes, but if you have other devices out there running NETBios, they will likely get detected as well. This can include embedded systems, Unix systems running SAMBA, printers and copiers, Windows CE systems (often seen in many field equipment deployments), etc. You might be surprised what you can find.

Try this with a laptop, and move the laptop around your environment. You can pretty quickly and easily get an inventory by collision domain. You can also try dialing other NETBios ports and see if you get traffic that is routed across your switching fabric. Depending on your configuration, you might be able to gather a great deal of inventory data from a single location (especially if your network is flat and switches are poorly configured).

Give this a shot or get in touch if you would like us to come onsite and perform the inventory for you. We think it is a pretty useful technique and one that many folks are enjoying the benefits of. Let us know what you think when you give it a run in your network!

As always, thanks for reading, and until next time, stay safe out there!

PS – You can also do this with HoneyPoint Personal Edition on a Linux system, which makes it very easy and cheap to do if you don’t want to invest in a full blown HoneyPoint Security Server implementation. (You should invest though, it is a FANTASTIC detection tool!)

**(The link above is for HPPE on Windows, but if you purchase a license and contact us, we will send you the Linux build right away. You can’t easily capture port 138/UDP traffic in Windows HPPE because Windows has those ports in use…)

Brent Huston to Lead ICS/SCADA Honeypot Webinar with SANS

Posted on by
5

Our Founder and CEO, Brent Huston (@lbhuston) will be leading a SANS webinar on ICS/SCADA honeypots. The webinar is scheduled for November, 25th, 2013 and you can find more information and register by visiting this page.

The webinar will cover when honeypots are and are not useful, basic deployment strategies and insights into using them for detection in field deployments and control environments. 

Check it out, tune in and give Brent a shout out on Twitter. Thanks for reading and we hope you enjoy the webinar.

Infosec Tricks & Treats

Posted on by
8

Happy Halloween!

This time around, we thought we’d offer up a couple of infosec tricks and treats for your browsing pleasure. Around MSI, we LOVE Halloween! We dress up like hackers, bees and hippies. Of course, we do that most other days too… 🙂

Here are a couple of tricks for you for this Halloween:

Columbia University gives you some good tricks on how to do common security tasks here.

University of Colorado gives you some password tricks here.

and The Moneypit even provides some tricks on cheap home security here.  

And now for the TREATS!!!!!

Here are some of our favorite free tools from around the web:

Wireshark – the best network sniffer around

Find your web application vulnerabilities with the FREE OWASP ZED Attack Proxy

Crack some Windows passwords to make sure people aren’t being silly on Halloween with Ophcrack

Actually fix some web issues for free with mod_security

Grab our DREAD calculator and figure out how bad it really is.. 🙂

Put those tricks and treats in your bag and smile. They won’t cause cavities and they aren’t even heavy enough to keep you from running from the neighborhood bully looking to steal your goodies! 

Thanks for reading and have a fun, safe and happy Halloween! 

September TouchDown Task: Policy Quick Review

Posted on by
2

This month’s touchdown task is to review your information security related policies and procedures. Whether you, your team, or human resources are responsible for updating and maintaining information security policies, we suggest you review these documents every quarter, or at least every six months to ensure your policies keep pace with legislation, pertinent guidance and ever-changing technology. Even if your organization utilizes a company wide revision process, we suggest you carve out a few hours this month to begin to review the infosec policies.

Start by reading all the policies related to information security. Note those that require significant updates.
Next, research changes in legislation or technology that might affect your policies. Note the pertinent changes.
Seek feedback from your colleagues and managers.
Using the information gained, revise the necessary policies or document your suggestions for the company-wide revision process.
Either obtain necessary approvals for your updates or provide your draft revisions to those responsible for maintaining updated policies and procedures.
Until next month, stay safe out there!

Special Thanks to Teresa West for the help on this one! — Brent

Using HoneyPoint as a Nuance Detection System in Utility Companies

Posted on by
Reply

I often get asked about how utility companies deploy HoneyPoint in an average implementation. To help folks with that, I whipped up this quick graphic that shows a sample high level deployment. 

Thanks for reading! Let me know what you think, or if you have an interest in discussing an implementation in your environment.

August Touchdown Task: Change Management Audit

Posted on by
2

This month’s touchdown task is to take a quick audit of your organization’s change management process. Give it a quick walkthrough.

  • Make sure that you are tracking when admins make changes to machine configurations or network device configs
  • Are proper peer review and approval processes being followed?
  • Check to make sure that the proper folks are in the loop for various kinds of communication, error handling and reporting
  • Review risk acceptance for changes and make sure it meets your expected processes
  • Examine a couple of changes and walk them through the entire process to see if things are falling through the cracks
  • Update any change management documentation to reflect new processes or technologies that may be in place now

Give this a quick review this month and you can rest assured for a while that change management is working strongly. With the coming fall and holiday rush ahead, you’ll know you have this base covered and can depend on it as a good foundation for the rest of your security initiatives. 

Until next time, as always, thanks for reading and stay safe out there! 

YAPT: Yet Another Phishing Template

Posted on by
4

Earlier this week, we gave you the touchdown task for July, which was to go phishing. In that post, we described a common scam email. I wanted to post an example, since some folks reached out on Twitter and asked about it. Here is a sample of the email I was discussing.

<paste>

Hi My name is Mrs. Hilda Abdul , widow to late Dr. Abdul A. Osman, former owner of Petroleum & Gas Company, here in Kuwait. I am 67 years old, suffering from long time Cancer of the breast.

From all indications my condition is really deteriorating and it’s quite obvious that I won’t live more than 3 months according to my doctors. This is because the cancer stage has gotten to a very bad stage.

I don’t want your pity but I need your trust. My late husband died early last year from Heart attack, and during the period of our marriage we couldn’t produce any child. My late husband was very wealthy and after his death, I inherited all his businesses and wealth .The doctor has advised me that I will not live for more than 3 months ,so I have now decided to spread all my wealth, to contribute mainly to the development of charity in Africa, America,

Asia and Europe .Am sorry if you are embarrassed by my mail. I found your e-mail address in the web directory, and I have decided to contact you, but if for any reason  you find this mail offensive, you can ignore it and please accept my apology. Before my late husband died he was major oil tycoon in Kuwait and (Eighteen Million Dollars)was deposited  in a Bank in cote d ivoire some years ago, that’s  all I have left now,

I need you to collect this funds and distribute it yourself to charity .so that when I die my soul can rest in peace. The funds will be entirely in hands and management. I hope God gives you the wisdom to touch very many lives that is my main concern. 20% of this money will be for your time and effort includin any expensese,while 80% goes to charity. You can get back to me via my private e-mail: (hilda.abdul@yahoo.com) God bless you.
1. Full name :
2. Current Address :
3. Telephone N° :
4. Occupation :
5. Age :
6. Country :

MRS. Hilda Abdul

<end paste>

As you can see, this is a common format of a phishing scam. In this case, you might want to edit the targeting mechanism a bit, so that they have to click through to a web page to answer or maybe even include a URL as supposed proof of the claim. That way you would have two ways to catch them, one by email reply and two by click through to the simple phish application.

As always your milage and paranoia may vary, but it is still pretty easy to get people to click or reply ~ even with age old spam phish attacks like this. What kind of return percentages did you get? What lessons did you learn? Drop us a line on Twitter (@lbhuston) and let us know. 

July’s Touchdown Task: Go Phish Yourself!

Posted on by
5

This month’s touchdown task is to spend about an hour doing some phishing. Phish your user base, executives and other likely targets. Use the process as a basis for ongoing awareness and security training.

Phishing is a LOT easier and more effective than you might think. We’ve made it easy for you to do, with a free tool called MSI SimplePhish. You can learn exactly how to do it by clicking here.

Pay special attention to this step:

PreCursor: Obtain permission from your security management to perform these activities and to do phishing testing. Make sure your management team supports this testing BEFORE you engage in it.

You might need a couple more ideas for some phishing templates, so here are a couple of the most simple examples from real phishing going on right now:

1. Simply send a non-sensical subject line and the entire body of the message is the phishing url. You might encode this to make it more fun using something like a URL shortener.

2. Copy one of those spam messages that go around where the target inherits 40 million dollars from an oil company exec in the Congo or somewhere. Check your spam folder for examples. Replace the URLs with your phish site URL and click send.

3.  Send a simple music trivia question, which is common knowledge, and tell them to click on the target URL to answer. Make it appear to be from a local radio station and if they answer correctly, they win a prize (movie tickets, concert tickets, etc.)

As a bonus, simply do what many testing vendors do ~ open your gmail spam folder and pick and choose any of the spam templates collected there. Lots to pick from. 

The exercise should be fun, easy and likely effective. If you need any help, drop us a line or give us a call. Until next month, stay safe out there!