Category Archives: Information Security Training

Quick & Dirty Plan for Critical Infrastructure Security Improvement

Posted on by
5

J0202190

I was recently engaged with some critical infrastructure experts on Twitter. We were discussing a quick and dirty set of basic tasks that could be used an approach methodology for helping better secure the power grid and other utilities.

There was a significant discussion and many views were exchanged. A lot of good points were made over the course of the next day or so.

Later, I was asked by a couple of folks in the power industry to share my top 10 list in a more concise and easy to use manner. So, per their request, here it is:

@LBHuston’s Top 10 Project List to Help Increase Critical Infrastructure “Cyber” Security

1. Identify the assets that critical infrastructure organizations have in play and map them for architecture, data flow and attack surfaces

2. Undertake an initiative to eliminate “low hanging fruit” vulnerabilities in these assets (fix out of date software/firmware, default configurations, default credentials, turn on crypto if available, etc.)

3. Identify attack surfaces that require more than basic hardening to minimize or mitigate vulnerabilities

4. Undertake a deeper hardening initiative against these surfaces where feasible

5. Catalog the surfaces that can’t be hardened effectively and perform fail state analysis and threat modeling for those surfaces

6. Implement detective controls to identify fail state conditions and threat actor campaigns against those surfaces

7. Train an incident investigation and response team to act when anomalous behaviors are detected

8. Socialize the changes in your organization and into the industry (including regulators)

9. Implement an ongoing lessons learned feedback loop that includes peer and regulator knowledge sharing

10. Improve entire process organically through iteration

The outcome would be a significant organic improvement of the safety, security and trust of our critical infrastructures. I know some of the steps are hard. I know some of them are expensive. I know we need to work on them, and we better do it SOON. You know all of that too. The question is – when will WE (as in society) demand that it be done? That’s the 7 billion people question, isn’t it?

Got additional items? Wanna discuss some of the projects? Drop me a line in the comments, give me a call at (614) 351-1237 or tweet with me (@lbhuston). Thanks for reading and until next time, stay safe out there!

PS – Special thanks to @chrisjager for supporting me in the discussion and for helping me get to a coherent top 10 list. Follow him on Twitter, because he rocks!

Terminal Services Attack Reductions Redux

Posted on by
3

Last week, we published a post about the high frequency of probes, scans and attacks against exposed Windows Terminal Services from the Internet. Many folks commented on Twitter to me about some of the things that can be done to minimize the risk of these exposures. As we indicated in the previous post, the best suggestions are to eliminate them altogether by placing Terminal Services exposures behind VPN connections or through the implementation of tokens/multi-factor authentication. 

Another idea is to implement specific firewall rules that block access to all but a specific set of IP addresses (such as the home IP address range of your admins or that of a specific jump host, etc.) This can go a long way to minimizing the frequency of interaction with the attack surfaces by random attacker tools, probes and scans. It also raises the bar slightly for more focused attackers by forcing them to target specific systems (where you can deploy increased monitoring).

In addition, a new tool for auditing the configuration of Terminal Services implementations came to our attention. This tool, called “rdp-sec-check”, was written by Portcullis Security and is available to the public. Our testing of the tool showed it to be quite useful in determining the configuration of exposed Terminal Services and in creating a path for hardening them wherever deployed. (Keep in mind, it is likely useful to harden the Terminal Services implementations internally to critical systems as well…)

Note that we particularly loved that the tool could be used REMOTELY. This makes it useful to audit multiple customer implementations, as well as to check RDP exposures during penetration testing engagements. 

Thanks to Portcullis for making this tool available. Hopefully between this tool to harden your deployments and our advice to minimize the exposures, we can all drive down some of the compromises and breaches that result from poor RDP implementations.

If you would like to create some threat metrics for what port 3389 Terminal Services exposures might look like for your organization, get in touch and we can discuss either metrics from the HITME or how to use HoneyPoint to gather such metrics for yourself

PS – Special thanks to @SecRunner for pointing out that many cloud hosting providers make Terminal Server available with default configurations when provisioning cloud systems in an ad-hoc manner. This is likely a HUGE cause for concern and may be what is keeping scans and probes for 3389/TCP so active, particularly amongst cloud-hosted HITME end points.

PSS – We also thought you might enjoy seeing a sample of the videos that show entry level attackers exactly how to crack weak passwords via Terminal Services using tools easily available on the Internet. These kinds of videos are common for low hanging fruit attack vectors. This video was randomly pulled from the Twitter stream with a search. We did not make it and are not responsible for its content. It may not be safe for work (NSFW), depending on your organization’s policies. 

 

MicroSolved, Inc. Releases Free Tool To Expose Phishing

Posted on by
4

MSI’s new tool helps organizations run their own phishing tests from the inside.

We’re excited to release a new, free tool that provides a simple, safe and effective mechanism for security teams and administrators to run their own phishing tests inside their organization. They simply install the application on a server or workstation and create a url email/sms/etc. campaign to entice users to visit the site. They can encode the URLs, mask them, or shorten them to obfuscate the structures if they like. 

The application is a fully self contained web mechanism, so no additional applications are required. There is no need to install and configure IIS, Apache and a database to manage the logs. All of the tools needed are built into the simple executable, which is capable of being run on virtually any Microsoft Windows workstation or server.

If a user visits the tool’s site, their session will create a log entry as a “bite”, with their IP address in the log. Visitors who actually input a login and password will get written to the log as “caught”, including their IP address, the login name and the first 3 characters of the password they used.

Only the first 3 characters of the password are logged. This is enough to prove useful in discussions with users and to prove their use, but not enough to be useful in further attacks. The purpose of this tool is to test, assess and educate users, not to commit fraud or gather real phishing data. For this reason, and for the risks it would present to the organization, full password capture is not available in the tool and is not logged.

“Organizations can now easily, quickly and safely run their own ongoing phishing campaigns. Instead of worrying about the safety of gathering passwords or the budget impacts of hiring a vendor to do it for them, they can simply ‘click and phish’ their way to higher security awareness.”, said Brent Huston, CEO & Security Evangelist of MicroSolved. “After all, give someone a phish and they’re secure for a day, but teach someone to phish and they might be secure for a lifetime…”, Mr. Huston laughed.

The tool can be downloaded by visiting this link or by visiting MSI’s website.

Looking For More Info on SEIM Best Practices?

Posted on by
Reply

I know we get a lot of questions on SEIM tools, their use and the best practices around their deployment and I have talked heavily to some of the folks involved in this SANS webcast tomorrow. If you have an interest in SEIM, I urge you to tune in.

You can find the details here.

They got some excellent folks to participate and the content should be quite strong. As always, if you have questions on SEIM deployments, products or use, drop me a line. Always happy to give my 2 cents.

PS – Special thanks to Scott Gordon for putting this together. I am sorry I could’t personally participate, but it is a very cool thing to bring to the community!

2 Ways to Get the Most Out of Security Awareness Training

Posted on by
Reply

A good security training and awareness program is one of, if not the most important part of any effective information security program. After all, people are the ones that cause security problems in the first place and, ultimately, people are the ones that have to deal with them. Not to mention the fact that people are twice as likely to detect security problems and breaches as any automated system. Doesn’t it make sense that you should do everything in your power to ensure that all of your people are behind you in your security efforts? That they are provided with the knowledge and the tools they need to understand information security and what their responsibilities are towards it? That they are aware of how devastating an information security incident can be to the company, and consequently, how devastating it can be to them personally? Well, you’re not going to get that from having them read the policy book as new hires and then hold a two hour class six or twelve months later!

And that is traditionally how information security is dealt with in most companies. All enthusiasm for the process is absent, too. They don’t want to do this training! It costs them time and money! The only reason most companies provide any security training outside of the very basics is because of their need to comply with some regulation or another. So what you end up with is a whole group of undertrained and unenthusiastic employees. And these employees become, in turn, the very kind of security liabilities that you are trying to avoid in the first place! So why not turn them into security assets instead? You have to provide them with some security training anyway, so why not give it that extra little “oomph” you need to make it worth your while to do?

How do you go about that you may ask? Here are some tips:

    1. Make sure that they understand what an information security incident or anomaly looks like. Make sure that they know all about social engineering techniques and how Malware is spread. Give them some tips on how to recognize bogus websites, phishing emails and bogus phone calls. Let them know some of the things they can expect to see if there is a virus present on their machines. And don’t use just one format to provide them with this information. Use every method you can think of! There are many formats for security and awareness training to choose from. Group assemblies with speakers and PowerPoint presentations, lunch and learns, training days, self directed web based learning, directed webinars, security documents, email reminders, posters and pamphlets, podcasts, departmental meetings, discussion groups and many more. And make sure that management personnel, especially top management personnel, make it clear how important this task is and how much it means to them and the company. Without this support, your efforts will go nowhere.

    2. Give your people incentives that make them want to participate in the information security program. One method is to simply ask for their help. Make sure your employees understand how important the participation of each and every one of them is to the effort. People often respond very favorably to such requests. Whereas if they are simply told that they must do it, they are much more likely to be unconcerned and uncooperative. Another way is to provide them with rewards for active participation in the program. Put the names of employees who have reported security issues in a hat and have a monthly drawing for a prize or a day off. Give these people a free lunch. Give them the best parking spot in the lot for a month. I’m sure you can think of a dozen other ways to reward your employees for participating in the program. Or simply post the picture of the employee on a bulletin board or internal web page or recognize their accomplishments at group meetings. Everybody really likes to be recognized for doing a good job!

The whole idea is to turn your personnel into “net cops”. If you can do that, you can turn your own people into the best IDS system there is, and for a lot less money than you would spend on machines or hosted services…or for cleaning up a security incident!