Category Archives: Information Security Training

The Big Three Part 2: Incident Detection

Posted on by
5

Did you know that less than one out of five security incidents are detected by the organization being affected? Most organizations only find out they’ve experienced an information security incident when law enforcement comes knocking on their door, if they find out about it at all, that is. And what is more, security compromises often go undetected for months and months before they are finally discovered. This gives attackers plenty of time to get the most profit possible out of your stolen information, not to mention increasing their opportunities for further compromising your systems and the third party systems they are connected to.

Of the Big Three strategies for fighting modern cyber-crime, (incident detection, incident response and user education and awareness), incident detection is by far the hardest one to do well. This is because information security incident detection is not a simple process. No one software package or technique, no matter how expensive and sophisticated, is going to detect all security events (or even most of them to be completely honest). To be just adequate to the task, incident detection requires a lot of input from a lot of systems, it requires knowledge of what’s supposed to be on your network and how it works, it requires different types of security incident detection software packages working together harmoniously and, most importantly, it requires human attention and analysis.

First of all, you need complete sources of information. Even though it can seem to be overwhelming, it behooves us to turn on logging for everything on the network that is capable of it. Many organizations don’t log at the workstation level for example. And you can see their point; most of the action happens at the server and database level. But the unfortunate reality is that serious security compromises very often begin with simple hacks of user machines and applications.

Next, you need to be aware of all the software, firmware and hardware that are on your network at any given time. It is very difficult to monitor and detect security incidents against network resources that you aren’t even aware exist. In fact, I’ll go a step further and state that you can improve your chances of detection significantly by removing as much network clutter as possible. Only allow the devices, applications and services that are absolutely necessary for business purposes to exist on your network. The less “stuff” you have, the fewer the attack surfaces cyber-criminals have to work with and the easier it is to detect security anomalies.

The third thing that helps make information security incident detection more manageable is tuning and synchronizing the security software applications and hardware in your environment. We often see organizations that have a number of security tools in place on their networks, but we seldom see one in which all of the output and capabilities of these tools have been explored and made to work together. It is an unfortunate fact that organizations generally buy tools or subscribe to services to address particular problems that have been brought to their attention by auditors or regulators. But then the situation changes and those tools languish on the network without anyone paying much attention to them or exploring their full capabilities. Which brings to the most important factor in security incident detection: human attention and analysis.

No tool or set of tools can equal the organizational skills and anomaly detection capabilities of the human brain. That is why it is so important to have humans involved with and truly interested in information security matters. It takes human involvement to ensure that the security tools that are available are adequate to the task and are configured correctly. It takes human involvement to monitor and interpret the various outputs of those tools. And it takes human involvement to coordinate information security efforts among the other personnel employed by the organization. So if it comes down to spending money on the latest security package or on a trained infosec professional, I suggest hiring the human every time! 

—Thanks to John Davis for this post!

The Big Three

Posted on by
2

Information security techniques certainly are improving. The SANS Top Twenty Critical Controls, for example, are constantly improving and are being adopted by more and more organizations. Also, security hardware devices and software applications are getting better at a steady rate. But the question we have to ask ourselves is: are these improvements outpacing or even keeping up with the competition? I think a strong argument can be made that the answer to that question is NO! Last year there were plenty of high profile data loss incidents such as the Target debacle. Over 800 million records were compromised that we know of, and who knows how many other unreported security breaches of various types occurred?

So how are we going to get on top of this situation? I think the starkly realistic answer to that question is that we arent going to get on top it. The problem is the age old dilemma of defense versus attack; attackers will always have the advantage over entrenched defenders. The attackers know where you are, what you have and how you defend it. All they have to do is figure out one way to get over, under or around your defenses and they are successful. We, on the other hand, dont know who the attackers are, where theyre at or exactly how they will come at us. We have to figure out a way to stop them each and every time a daunting task to say the least! Sure, we as defenders can turn the tables on the information thieves and go on the attack; that is one way we can actually win the fight. But I dont think the current ethical and legal environment will allow that strategy to be broadly implemented.

Despite this gloomy prognosis, I dont think we should just sit on our hands and keep going along as we have been. I think we should start looking at the situation more realistically and shift the focus of our efforts into strategies that have a real chance of improving the situation. And to me those security capabilities that are most likely to bear fruit are incident detection, incident response and user education and awareness; the Big Three. Over the next several months I intend to expand upon these ideas in a series of blog posts that will delve tactics and means, so stay tuned if this piques your interest! 

Thanks to John Davis for writing this entry.

Sources for Tor Access Tools

Posted on by
3

As a follow up to my last couple of weeks posting around Tor and the research I am doing within the Tor network, I presented at the Central Ohio ISSA Security Summit around the topic of Tor Hidden Services. The audience asked some great questions, and today I wanted to post some links for folks to explore the Tor network on their own in as safe a manner as possible.

The following is a set of links for gaining access to the Tor network and a couple of links to get people started exploring Tor Hidden Services.  (Note: Be careful out there, remember, this is the ghetto of the Internet and your paranoia may vary…)

 Once you get into the Tor network, here are a couple of hidden service URLs to get you started:

http://kpvz7ki2v5agwt35.onion – Original hidden wiki site

http://3g2upl4pq6kufc4m.onion/ – Duck Duck Go search engine

http://kbhpodhnfxl3clb4.onion – “Tor Search” search engine

As always, thanks for reading and stay safe out there! 

Great explanation of Tor in Less than 2 Minutes

Posted on by
3

Ever need to explain Tor to a management team? Yeah, us too. That’s why we wanted to share this YouTube video we found. It does a great job of explaining Tor in less than two minutes to non-technical folks.

The video is from Bloomberg Business Week and is located here.

Check it out and circulate it amongst your management team when asked about what this “Tor” thing is and why they should care.

As always, thanks for reading and we hope these free awareness tools help your organization out.

See You at the Columbus ISSA InfoSec Summit

Posted on by
1

Remember, the Columbus InfoSec Summit is this week. It starts Monday afternoon and runs through Tuesday.

I will be speaking on Monday at 5:30 in Track 1 and my topic is a deep dive into Tor hidden nodes, including how to get business intelligence from them.

Come and say hello. Have a cup of coffee or just a chat. We look forward to seeing you and wish the ISSA a great event!

Child Pornography Resource Materials for Businesses

Posted on by
3

Sadly, as an information security professional, we are sometimes engaged with clients who either suspect or have discovered the presence of child pornography in their computing environment. Another way that such materials come to our attention, is during pen-testing or incident response work, we may discover the materials on a system and be forced to bring the materials to the attention of law enforcement.

In many cases, clients ask us why we are required to notify law enforcement, and/or why they are required to notify law enforcement about this material. Perhaps your organization has struggled with this in the past. In any case, we hope the following information helps organizations understand the US legal requirements for handling such materials. (If you live outside of the US, please consult local legal assistance for your laws and procedures.)(NOTE: MSI is not providing legal advice of any kind, consult your attorney or council for legal advice. This material is simply meant to be a pointer for education. MSI is NOT qualified to offer legal advice under any circumstance.)

The Department of Justice lists the following federal statutes for online child pornography:

  • 18 U.S.C. § 2251- Sexual Exploitation of Children (Production of child pornography)
  • 18 U.S.C. § 2251A- Selling and Buying of Children
  • 18 U.S.C. § 2252- Certain activities relating to material involving the sexual exploitation of minors(Possession, distribution and receipt of child pornography)
  • 18 U.S.C. § 2252A- certain activities relating to material constituting or containing child pornography
  • 18 U.S.C. § 2256- Definitions
  • 18 U.S.C. § 2258A- Reporting requirements of electronic communication service providers and remote computing service providers
  • 18 U.S.C. § 2260- Production of sexually explicit depictions of a minor for importation into the United States

A summary of these laws is that it is the federal law that mandates this duty to report specifically requires that “electronic communication service providers” report child pornography. (18 USC § 2258A. Reporting requirements of electronic communication service providers and remote computing service providers.) An “electronic communications service” means “any service which provides to users the ability to send or receive wire or electronic communications.” The term “electronic communication,” for purposes of the reporting requirement, means “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce.” All of which is to say that both the business/employer that provides the computer or phone system over which the data is communicated, as well as the IT company that helps the employer maintain those systems, are covered by this law. A business or IT service company ignores child porn at its peril. Failing to report the information to the National Center for Missing and Exploited Children violates the Section 2258A reporting requirements. Deleting the material might make the company an accessory to the underlying crime of possessing the information in the first place. Making copies of the material and then transmitting the copies, except at the direction of law enforcement officials or as required by section 2258A, also runs afoul of the laws proscribing possession of child pornography. A first violation of Section 2258A carries a penalty of up to a $150,000 fine. A second violation can be penalized by up to $300,000.

A full summary of other elements of Child Pornography laws from the Department of Justice website is here.

According to the Department of Justice website, to report an incident involving the production, possession, distribution, or receipt of child pornography, file a report on the National Center for Missing & Exploited Children (NCMEC)’s website or call 1-800-843-5678. Your report will be forwarded to a law enforcement agency for investigation and action as detailed here.

It may be required or optional to report to local law enforcement as well, and is dependent on state and local laws and statutes.

According to the National Conference of State Legislatures website, the state of Ohio does not have explicit state policies requiring businesses to report the incident, as detailed here (as of Sept 2013), though again, local statutes may vary by location.

We also found this article, which might be helpful in understanding risks from a legal perspective for businesses who might find child pornography on their server, as it lays out a process for organizations to follow.

Lastly, this white paper from the American Bar Association may also prove useful for organizations.

Tool Review: Lynis

Posted on by
1

Recently, I took a look at Lynis, an open source system and security auditing tool. The tool is a local scanning tool for Linux and is pretty popular.

Here is the description from their site:
Lynis is an auditing tool for Unix/Linux. It performs a security scan and determines the hardening state of the machine. Any detected security issues will be provided in the form of a suggestion or warning. Beside security related information it will also scan for general system information, installed packages and possible configuration errors.

This software aims in assisting automated auditing, hardening, software patch management, vulnerability and malware scanning of Unix/Linux based systems. It can be run without prior installation, so inclusion on read only storage is possible (USB stick, cd/dvd).

Lynis assists auditors in performing Basel II, GLBA, HIPAA, PCI DSS and SOx (Sarbanes-Oxley) compliance audits.

Intended audience:
Security specialists, penetration testers, system auditors, system/network managers.

Examples of audit tests:
– Available authentication methods
– Expired SSL certificates
– Outdated software
– User accounts without password
– Incorrect file permissions
– Configuration errors
– Firewall auditing 

As you can see, it has a wide range of capabilities. It is a pretty handy tool and the reporting is pretty basic, but very useful.

Our testing went well, and overall, we were pleased at the level of detail the tool provides. We wouldn’t use it as our only Linux auditing tool, but is a very handy tool for the toolbox. The runs were of adequate speed and when we tweaked out the configs with common errors, the tool was quick to flag them. 

Overall, we would give it a “not too shabby”. 🙂 The advice is still a bit technical for basic users, but then, do you want basic users administering a production box anyway? For true admins, the tool is perfectly adequate at telling them what to do and how to go about doing it, when it comes to hardening their systems.

Give Lynis a try and let me know what you think. You can give me feedback, kudos or insults on Twitter (@lbhuston). As always, thanks for reading! 

Make Plans Now to Attend Central OH ISSA Security Summit 2014

Posted on by
2

Brent will be speaking again this year at the ISSA Security Summit in Columbus

This year he has an interesting topic and here is the abstract:

A Guided Tour of the Internet Ghetto :: The Business Value of Tor Hidden Services

Following on the heels of my last set of talks about the underground value chain of crime, this talk will focus on a guided tour of the Internet Ghetto. You may have heard about Tor, the anonymizing network that rides on top of the Internet, but this talk takes you deep inside to visit the slums, brothels & gathering places of today’s online criminals. From porn to crimes against humanity, it is all here.

This talk will discuss Tor hidden services, help the audience understand what they are, how they operate, and most importantly, how to get business and information security value from them. If you think you know the dark side of the net, think again! Not for the feint of heart, we will explain some of the ways that smart companies are using hidden services to their benefit and some of the ways that playing with the dark side can come back to bite you.

Take aways include an understanding of Tor, knowledge of how to access and locate hidden services and underground content, methods for using the data to better focus your business and how to keep an eye on your kids to make sure they aren’t straying into the layers of the onion.

 Come out and see us at the Summit and bring your friends. It’s always interesting and a great event to catch up with peers and learn some amazing new stuff. See ya there!

CMHSecLunch for March is 3/10/14

Posted on by
5

J0289893

March’s CMHSecLunch is scheduled for March 10, 2014. The time is 11:30 to 1pm Eastern. The location this month is the Tuttle Mall food court. We usually meet pretty close to the middle of the place, but a bit away from the giant germ ball fountain. 🙂

I will not personally be able to attend this month, but will be back in full swing for the April edition. So enjoy this month without me and I we can break bread together in a short while.

As usual, you can register for the event (not needed), and find more details here. CMHSecLunch is open to all, free to attend and has been a tradition now in the security community for a couple of years. So, grab a friend, have some food and engage in some great conversation. We can’t wait to see you! 

Touchdown Task for Feb: Table Top an Incident

Posted on by
5

J0289377

This month, the touchdown task that we recommend is for you to scramble your incident response team and have a pizza lunch with them. Once you get them fed, role play a table top version of a security incident. Does everyone know what to do? Does everyone know who does what and how to report their findings?

Think of this as adult Dungeons and Dragons. Make a game of it. But, be sure to use it as a teaching moment. A bit of light hearted practice now will pay off big in the event of a real incident.

Give it a shot. Even if they hate the game, just about everyone loves pizza! 🙂

If you would like help with a more formal table top exercise, or want to have us validate it or run it for you, get in touch with your account executive. We can do these events live or over webex and clients seem to love the approach and the insights they get from them. 

As always, thanks for reading. Have a great month and stay safe out there!