Category Archives: How To

Ask The Experts: Daily Tasks

Posted on by
3

This time around, we get a great question from a reader:

Q: “I’m a one man infosec team at a small financial company, and as such, I stay overtasked. Can you give me a few examples of some key tasks I should make sure I am doing daily/weekly/monthly to make sure I am hitting them all and to help me better structure my schedule?”

Bill Hagestad answered with:

Daily Tasks: 

– Keep self and staff educated about latest cyber threats to your business – read the MSI Blog @ State of Securityhttps://stateofsecurity.com/;
– Review what Federal Law Enforcement considers top cyber threats are base on current cases:
– Compromise of account holder credentials leading to legitimate account compromise;
-Via  phasing attack vectors; unauthorized ACH transfers; 
– Compromise of Third Party Payment Processors;
 
Source: FBI Threat To Financial Sector
 
-Insider attacks – perhaps the largest threat to any commercial enterprise – especially given the recent NSA dilemma via a US contractor
 
– Have staff follow all account verification standing operating procedures – covering all types of customer interaction, including but not limited to; phone, Internet, and in-person account interactions;
– Information Security/Assurance infrastructure configuration changes should be reviewed daily and approved/counter-approved internally to eliminate potential administrative abuses;
– Hold weekly Information Security/Assurance infrastructure team meetings – invite MicroSolved to participate as a credible resource for staff to ask questions of and make sound recommendations.
 
Weekly Tasks:
 
– Stay ahead of international financial sector threat intelligence – read the MSI Blog @ State of Securityhttps://stateofsecurity.com/;
– Ensure account access lists are secure and validated both for external customers (most importantly) and also internal employee need to access/right to access customer account information;
  
Monthly Tasks:
 
– Participate in professional cyber/information assurance mailing lists – if not sure who or what these are contact MSI Cyber Threat Intelligence;
– Be certain to review the US Government Hearing Notes: Cybersecurity: Threats to the Financial Sector downloadable @ http://www.gpo.gov/fdsys/pkg/CHRG-112hhrg72601/pdf/CHRG-112hhrg72601.pdf
– Review or create a cyber threat identification strategy involving key staff and MicroSolved – install HoneyPoint Security Server to capture knowledge about who truly is probing your network, eliminate the proverbial network noise and focus on specific threat actors – e.g.; Russian Cyber Crimianls, Chinese entities using government cyber espionage tools for crime purposes
 
Adam Hostetler added:
It’s hard to answer exactly what you should be doing on a timely basis
without reviewing your current requirements, tools, processes, and
infrastructure. However, If you go to www.microsolved.com and look at
our 80/20 white paper, you can use that as a guideline to give you some
ideas to help build out your security program.

Examples of some things you could/should be doing.

Daily:
Log reviews. Not necessary for all logs, but if you have
IDS/IPS/Honeypots etc, they should be reviewed and investigated if needed
Spend a bit of time following up on the latest security news/threats.
That includes things like new vulnerabilities or exploits, and then
following up if it would affect you.

Weekly:
Check and verify backups and processes

Monthly:
Update software/OS patches.

 
Finally, Jim Klun weighed in with: 
1. Make sure your subscribed to security news-feeds/alerting services that apply to your environment. Review those daily.

2. Make sure you are reviewing your logs daily.  You should know every day about successful and unsuccessful logins. You should also be paying attention to your firewall logs for inbound activity and outbound activity.

3 If you have a local help desk, talk to them at least monthly. They are often in a position to see things that are in fact security problems.

4. Automate your patching program if that is not true already, then review patch reports monthly.

5. If you have Internet exposures, check them monthly. Make absolutely sure at the end of each month you are absolutely sure of what services your organization offers to the Internet – and why.

As always, thanks for reading and if you have a question for the experts, either leave it in the comments, email us or drop us a line on Twitter at (@lbhuston). 

Ask The Security Experts: Holiday Coverage

Posted on by
3

This time around on Ask The Security Experts, we have a question about holiday coverage for the security team:

Q: “With the upcoming summer holidays and heavy vacation schedules, what are some things I need to pay attention to in order to make sure attackers don’t catch us off guard while we are short on staff?”

Jim Klun weighed in with:

1. Make sure all staff have been reminded of the reality of phishing attacks and what they need to watch out for.
   Use real-world examples like this one: http://labs.ft.com/2013/05/a-sobering-day/ ( courtesy of Adam Hostetler )
   Its important that staff understand the potential severity of a successful phishing attack.
   Such attacks are more likely over holiday periods when attackers can rely on short-staffing.

2. Make sure all systems( both network/OS/application ) are logging and that you are reviewing those logs for anomalies
   Make it a particular point to review those logs after the holidays.
   Log review can be automated but should not be reduced to a formality.  Staff with familiarity with what is normal should be reviewing daily log reports and periodically
   examining the raw logs themselves.

3. Consider internal alerting systems such as Microsolved’s “Honeypoint” solution.  They can act as tripwires in your network, alerting you to the presence of an intruder.
   See: http://www.microsolved.com/honeypoint

Bill Hagestad added:

To prevent surprise cyber attacks the number one focus should be proactive cyber threat intelligence specifically related to your company based upon the following Essential Elements of Information (EEI):

– What are your priorities for intelligence?
– Competitor’s needs/focuses?
– External vendors interests on behalf of competitor?
– Foreign economic interests
– Commercial cyber espionage
– Foreign cyber espionage?
– Potential insider threats?

Once you have prioritized what you consider the information security threats are to your organization MicroSolved can help develop a information a security/assurance strategy.
First step determine a quick list of cyber intelligence targeting baed upon the EEI above;
Second – from the priorities determine your internal High Value Targets that the prioritized list of adversaries might focus on;
Third – install or fine tune your HoneyPoint Security Server to capture attacker and threat vector information; and,
Fourth – focus holiday staffing levels and efforts to mitigate list of potential cyber threats based upon both the EEI and steps 1 -3 above.

John Davis stated:

One of the things to pay particular attention to during vacation season is the security of returning portable devices. Employees will probably be traveling all over the place on their vacations, include foreign countries. And while traveling, people like to let their hair down and take it easy. They also like to keep abreast of their emails or surf the Internet looking for restaurants and places of interest.
Hotel networks and public hot spots are usually open networks and liable to sniffing by enterprising cyber criminals. Because of this, it is relatively easy for these attackers to implant Malware on laptops or other portable devices used by traveling employees. And, as we know, lots of enterprises these days have bring your own device policies in place or tolerate the casual use of company laptops for non-business purposes. To protect the network from this scenario, run anti-virus and other Malware detecting software on these devices, and/or boot them up in a stand alone test environment and look for problems before allowing them onto the production network.

There’s a LOT of good advice here. Hopefully, some of it helps you. Until next time, thanks for reading and have a safe holiday!

64 Bit OS Reminder for HoneyPoint

Posted on by
2

Just a quick note to help folks who are using HoneyPoint, regardless of version. If you are having trouble with execution on a 64 bit operating system, remember that HoneyPoint binaries are 32 bit. To run them on 64 bit OS’s, you need ensure that you have the 32 bit compatibility tools installed.

For Windows, read this.

For Ubuntu, read this.

For other operating systems, please consult your operating system vendors’ documentation. If we can be of any assistance, please contact your HoneyPoint support person.

Thanks!

Go Phish :: How To Self Test with MSI SimplePhish

Posted on by
5

Depending on who you listen to, phishing (especially spear phishing), is either on the increase or the decrease. While the pundits continue to spin marketing hype, MSI will tell you that phishing and spearphishing are involved in 99% of all of the incidents that we work. Make no mistake, it is the attack of choice for getting malware into networks and environments.

That said, about a year ago or more, MSI introduced a free tool called MSI SimplePhish, which acts as a simplified “catch” for phishing campaigns. The application, which is available for Windows and can run on workstations or even old machines, makes it quite easy to stand up a site to do your own free phishing tests to help users stay aware of this threat.

To conduct such a campaign, follow these steps:

PreCursor: Obtain permission from your security management to perform these activities and to do phishing testing. Make sure your management team supports this testing BEFORE you engage in it.

1.  Obtain the MSI SimplePhish application by clicking here.

2. Unzip the file on a the Windows system and review the README.TXT file for additional information.

3. Execute application and note the IP address of the machine you are using. The application will open a listening web server on port 8080/TCP. Remember to allow that port through any host-based firewalls or the like.

4. The application should now be ready to catch phishing attempts and log activity when the following URL structure is clicked on: http://<ip address of the windows system>:8080/ and when that URL is accessed, a generic login screen should be displayed.

5. Create an email message (or SMS, voice mail, etc.) that you intend to deliver to your victims. This message should attempt to get them to visit the site and enter their login information. An example:

Dear Bob,

This message is to inform you that an update to your W-2 tax form is required by human resources. Given the approaching tax deadline, entering this information will help us to determine if an error was made on your 2012 W-2. To access the application and complete the update process, please visit the online application by clicking here. (You would then link the clicking here text to your target URL obtained in step 4.)

6. Deliver the messages to your intended targets.

7. Watch and review the log file MSISimplePhishLog.txt (located in the same directory as the binary). Users who actually input a login and password will get written to the log as “caught”, including their IP address, the login name and **the first 3 characters** of the password they used.  Users who visit the page, but do not login, will be recorded as a “bite”, including their IP address.

** Note that only the first 3 characters of the password are logged. This is enough to prove useful in discussions with users and to prove their use, but not enough to be useful in further attacks. The purpose of this tool is to test, assess and educate users, not to commit fraud or gather real phishing data. For this reason, and for the risks it would present to the organization, full password capture is not available in the tool and is not logged. **

8. Let the exercise run for several days, in order to catch stragglers. Once complete, analyze the logs and report the information to the security stakeholders in your organization. Don’t forget to approach the users who use successfully phished and give them some tips and information about how they should have detected this type of attack and what they should do to better manage such threats in the future.

That’s it – lather, rinse and repeat as you like!

If you would like to do more advanced phishing testing and social engineering exercises, please get in touch with an MSI account executive who can help put together a proposal and a work plan for performing deep penetration testing and/or ongoing persistent penetration testing using this and other common attack methods. As always, thanks for reading and until next time, stay safe out there!