Category Archives: Information Security Training

Three Ways to Help Your Security Team Succeed

Posted on by
2

Over the years, I have watched several infosec teams grow from inception to maturity. I have worked with managers, board members and the front line first responders to help them succeed. During that time I have keyed in on three key items that really mean the difference between success and failure when it comes to growing a teams’ capability, maturity and effectiveness. Those three items are:

  • Cooperative relationships with business units – groups that succeed form cooperative, consultative relationships with the lines of business, other groups of stakeholders and the management team. Failing teams create political infighting, rivalry and back stabbing. The other stakeholders have to be able to trust and communicate with the infosec team in order for the security team to gain wisdom, leverage and effective pro-active traction to reform security postures. If the other teams can’t trust the security folks, then they won’t include them in planning, enforce anything beyond the absolute minimum requirements and/or offer them a seat at their table when it comes time to plan and execute new endeavors. Successful teams operate as brethren of the entire business, while failing teams either play the role of the “net cop” or the heavy handed bad guy — helping neither themselves, their users or the business at large.
  • Embracing security automation and simplification – groups that succeed automate as much of the heavy lifting as possible. They continually optimize processes and reduce complex tasks to simplified ones with methodologies, written checklists or other forms of easy to use quality management techniques. Where they can, they replace human tasks with scripting, code, systems or shared responsibility. Failing teams burn out the team members. They engage in sloppy processes, tedious workflows, use the term “we’ve always done it this way” quite a bit and throw human talent and attention at problems that simple hardware and software investments could eliminate or simplify. If you have someone “reading the logs”, for example, after a few days, they are likely getting less and less effective by the moment. Automate the heavy lifting and let your team members work on the output, hunt for the bad guys or do the more fun stuff of information security. Fail to do this and your team will perish under turnover, malaise and a lack of effectiveness. Failing teams find themselves on the chopping block when the business bottom line calls for reform.
  • Mentoring and peer to peer rotation – groups that succeed pay deep attention to skills development and work hard to avoid burn out. They have team members engage in mentoring, not just with other security team members, but with other lines of business, stakeholder groups and management. They act as both mentors and mentees. They also rotate highly complex or tedious tasks among the team members and promote cross training and group problem solving over time. This allows for continuous knowledge transfer, fresh eyes on the problems and ongoing organic problem reduction. When innovation and mentoring are rewarded, people rise to the occasion. Failing groups don’t do any of this. Instead, they tend to lock people to tasks, especially pushing the unsexy tasks to the low person on the totem pole. This causes animosity, a general loss of knowledge transfer and a seriously bad working environment. Failing teams look like security silos with little cross training or co-operative initiatives. This creates a difficult situation for the entire team and reduces the overall effectiveness for the organization at large.

Where does your team fit into the picture? Are you working hard on the three key items or have they ever been addressed? How might you bring these three key items into play in your security team? Give us a shout on Twitter (@microsolved or @lbhuston) and let us know about your successes or failures. 

Thanks for reading, and until next time, stay safe out there! 

SANS ICS Summit & Training in Singapore

Posted on by
3

SANS Asia Pacific ICS Summit and Training 2013 – Singapore

If you have any responsibility for security of control systems – policy, engineering, governance or operations you won’t want to miss the Asia Pacific ICS Security Summit taking place 2-8 December 2013 where you will:

Learn all about the new Global ICS Professional Security Certification

Gain the most current information regarding Industrial Control System threats and learn how to best prepare to defend against them

Hear what works and what does not from peer organizations. 

Network with top individuals in the field of Industrial Control Systems security and return from the Summit with solutions you can immediately put to use in your organization. 

Listen to 15+ speakers from a variety of companies who will cover exceptional content throughout the two-day Summit.

Earn CPE credits for the summit and course you attend

 

ICS410: ICS Cyber Security Essentials, (Brand New course) – 4-8 December taught by SANS Faculty Fellow Dr. Eric Cole will provide a standardized foundational set of skills, knowledge and abilities for Industrial Cyber Security professionals. This course is designed to ensure that the workforce involved in supporting and defending Industrial Control Systems is trained to perform work in a manner that will keep the operational environment safe, secure and resilient against current and emerging cyber threats.

Agenda highlights for the summit include:

A Community Approach to Securing the Cyberspace to Enhance National Resilience

The Good, Bad and the Ugly: Certification of People, Processes and Devices 

SCADA Security Assessment Methodology: The Malaysia Experience  

The State of Critical Control System Security in Japan 

Smart Security : Strengthening Information Protection in Your ICS

 

To learn more about the Summit and Training, or register now and save 5% on your registration with code SANSICS_MSI5, please visit: http://www.sans.org/info/142537


Infosec Tricks & Treats

Posted on by
8

Happy Halloween!

This time around, we thought we’d offer up a couple of infosec tricks and treats for your browsing pleasure. Around MSI, we LOVE Halloween! We dress up like hackers, bees and hippies. Of course, we do that most other days too… 🙂

Here are a couple of tricks for you for this Halloween:

Columbia University gives you some good tricks on how to do common security tasks here.

University of Colorado gives you some password tricks here.

and The Moneypit even provides some tricks on cheap home security here.  

And now for the TREATS!!!!!

Here are some of our favorite free tools from around the web:

Wireshark – the best network sniffer around

Find your web application vulnerabilities with the FREE OWASP ZED Attack Proxy

Crack some Windows passwords to make sure people aren’t being silly on Halloween with Ophcrack

Actually fix some web issues for free with mod_security

Grab our DREAD calculator and figure out how bad it really is.. 🙂

Put those tricks and treats in your bag and smile. They won’t cause cavities and they aren’t even heavy enough to keep you from running from the neighborhood bully looking to steal your goodies! 

Thanks for reading and have a fun, safe and happy Halloween! 

October Touchdown Task: Phone System Review

Posted on by
2

This month’s Touchdown Task is to take an hour and give your phone system security a quick review. PBX hacking, toll fraud and VoIP attacks remain fairly common and many organizations don’t often visit the security of their phone systems. Thus, a quick review might find some really interesting things and go a long way to avoiding waste, fraud and abuse.

If you have a traditional PBX/analog phone system, here are some ideas for you to check out.

If you have a VoIP-based system, here are some checks to consider. (Note that this is a STIG in a  zip file). 

Generally speaking, you want to check passwords on voice mail boxes, give a look over to make sure that the phone system has some general logging/alerting capability and that it is turned on. Pay attention to out going dialing rules and test a few to make sure arbitrary calls can’t be made remotely. On the personnel side, make sure someone is actively monitoring the phone system, auditing the bill against “normal” and adding/deleting entries in the system properly.

Give the phone system a bit of your time. You never know what you might learn, and you might avoid tens to hundreds of thousands of dollars in fraud and abuse.

Thanks for reading and I hope you are enjoying the season! 

Scanning Targets for PHP My Admin Scans

Posted on by
Reply

Another quick update today. This time an updated list of the common locations where web scanning tools in the wild are checking for PHPMyAdmin. As you know, this is one of the most common attacks against PHP sites. You should check to make sure your site does not have a real file in these locations or that if it exists, it is properly secured.

The scanners are checking the following locations these days:

//phpMyAdmin/scripts/setup.php
//phpmyadmin/scripts/setup.php
/Admin/phpMyAdmin/scripts/setup.php
/Admin/phpmyadmin/scripts/setup.php
/_PHPMYADMIN/scripts/setup.php
/_pHpMyAdMiN/scripts/setup.php
/_phpMyAdmin/scripts/setup.php
/_phpmyadmin/scripts/setup.php
/admin/phpmyadmin/scripts/setup.php
/administrator/components/com_joommyadmin/phpmyadmin/scripts/setup.php
/apache-default/phpmyadmin/scripts/setup.php
/blog/phpmyadmin/scripts/setup.php
/cpanelphpmyadmin/scripts/setup.php
/cpphpmyadmin/scripts/setup.php
/forum/phpmyadmin/scripts/setup.php
/php/phpmyadmin/scripts/setup.php
/phpMyAdmin-2.10.0.0/scripts/setup.php
/phpMyAdmin-2.10.0.1/scripts/setup.php
/phpMyAdmin-2.10.0.2/scripts/setup.php
/phpMyAdmin-2.10.0/scripts/setup.php
/phpMyAdmin-2.10.1.0/scripts/setup.php
/phpMyAdmin-2.10.2.0/scripts/setup.php
/phpMyAdmin-2.11.0.0/scripts/setup.php
/phpMyAdmin-2.11.1-all-languages/scripts/setup.php
/phpMyAdmin-2.11.1.0/scripts/setup.php
/phpMyAdmin-2.11.1.1/scripts/setup.php
/phpMyAdmin-2.11.1.2/scripts/setup.php
/phpMyAdmin-2.5.5-pl1/index.php
/phpMyAdmin-2.5.5/index.php
/phpMyAdmin-2.6.1-pl2/scripts/setup.php
/phpMyAdmin-2.6.1-pl3/scripts/setup.php
/phpMyAdmin-2.6.4-pl3/scripts/setup.php
/phpMyAdmin-2.6.4-pl4/scripts/setup.php
/phpMyAdmin-2.6.4-rc1/scripts/setup.php
/phpMyAdmin-2.6.5/scripts/setup.php
/phpMyAdmin-2.6.6/scripts/setup.php
/phpMyAdmin-2.6.9/scripts/setup.php
/phpMyAdmin-2.7.0-beta1/scripts/setup.php
/phpMyAdmin-2.7.0-pl1/scripts/setup.php
/phpMyAdmin-2.7.0-pl2/scripts/setup.php
/phpMyAdmin-2.7.0-rc1/scripts/setup.php
/phpMyAdmin-2.7.5/scripts/setup.php
/phpMyAdmin-2.7.6/scripts/setup.php
/phpMyAdmin-2.7.7/scripts/setup.php
/phpMyAdmin-2.8.2.3/scripts/setup.php
/phpMyAdmin-2.8.2/scripts/setup.php
/phpMyAdmin-2.8.3/scripts/setup.php
/phpMyAdmin-2.8.4/scripts/setup.php
/phpMyAdmin-2.8.5/scripts/setup.php
/phpMyAdmin-2.8.6/scripts/setup.php
/phpMyAdmin-2.8.7/scripts/setup.php
/phpMyAdmin-2.8.8/scripts/setup.php
/phpMyAdmin-2.8.9/scripts/setup.php
/phpMyAdmin-2.9.0-rc1/scripts/setup.php
/phpMyAdmin-2.9.0.1/scripts/setup.php
/phpMyAdmin-2.9.0.2/scripts/setup.php
/phpMyAdmin-2.9.0/scripts/setup.php
/phpMyAdmin-2.9.1/scripts/setup.php
/phpMyAdmin-2.9.2/scripts/setup.php
/phpMyAdmin-2/
/phpMyAdmin-2/scripts/setup.php
/phpMyAdmin-3.0.0-rc1-english/scripts/setup.php
/phpMyAdmin-3.0.0.0-all-languages/scripts/setup.php
/phpMyAdmin-3.0.1.0-english/scripts/setup.php
/phpMyAdmin-3.0.1.0/scripts/setup.php
/phpMyAdmin-3.0.1.1/scripts/setup.php
/phpMyAdmin-3.1.0.0-english/scripts/setup.php
/phpMyAdmin-3.1.0.0/scripts/setup.php
/phpMyAdmin-3.1.1.0-all-languages/scripts/setup.php
/phpMyAdmin-3.1.2.0-all-languages/scripts/setup.php
/phpMyAdmin-3.1.2.0-english/scripts/setup.php
/phpMyAdmin-3.1.2.0/scripts/setup.php
/phpMyAdmin-3.4.3.1/scripts/setup.php
/phpMyAdmin/
/phpMyAdmin/scripts/setup.php
/phpMyAdmin/translators.html
/phpMyAdmin2/
/phpMyAdmin2/scripts/setup.php
/phpMyAdmin3/scripts/setup.php
/phpmyadmin/
/phpmyadmin/scripts/setup.php
/phpmyadmin1/scripts/setup.php
/phpmyadmin2/
/phpmyadmin2/scripts/setup.php
/phpmyadmin3/scripts/setup.php
/typo3/phpmyadmin/scripts/setup.php
/web/phpMyAdmin/scripts/setup.php
/xampp/phpmyadmin/scripts/setup.php
<title>phpMyAdmin

Just a Reminder, SIP is a Popular Scanning Target

Posted on by
3

I just wanted to give you a quick reminder that SIP scanning remains quite popular on the Internet. These probes can lead to compromise and fraud against your VoIP systems. Make sure you do not have VoIP systems exposed to the Internet without proper controls. If you review your logs on the Internet perimeter, SIP scans will look similar to this:

This was captured from the HITME using HoneyPoint Personal Edition.

2013-09-30 17:02:18 – HoneyPoint received a probe from 207.127.61.156 on port 23

Input: OPTIONS sip:nm SIP/2.0

Via: SIP/2.0/TCP nm;branch=foo

From: <sip:nm@nm>;tag=root

To: <sip:nm2@nm2>

Call-ID: 50000

CSeq: 42 OPTIONS

Max-Forwards: 70

Content-Length: 0

Contact: <sip:nm@nm>

Accept: application/sdp

Keep an inventory of your VoIP exposures. They remain a high area of interest for attackers.

Three Talks Not To Miss at DerbyCon

Posted on by
4

 

Here are three talks not to miss this year at DerbyCon:

1. Bill Sempf (@sempf) presents a talk about pen-testing from a developer’s point of view. (PS – He has a stable talk too, catch it if you sell stuff in the Windows store) His work is great and he is a good presenter and teacher. Feel free to also ask him questions about lock picking in the hallways. He is a wealth of knowledge and usually friendly after a cup of coffee in the morning. Beware though, if he asks you to pick the lock to get to the pool on the roof… This talk is Saturday at 6pm. 

2. Definitely catch @razoreqx as he talks about how he is going to own your org in just a few days. If you haven’t seen his bald dome steaming while he drops the knowledge about the nasty stuff that malware can do now, you haven’t lived. I hear he also may give us a bit of secret sauce about what to expect from malware in the next 6 months. You might wanna avoid the first couple of rows of seating in this talk. He often asks for “voluntolds” from the audience and you might not look good in the Vanna White dress… His chrome dome presents on Friday at 7pm.

3. Don’t miss the Keynote by @hdmoore. His keynotes are always amazing and this time it appears he is going to teach you how to port scan the entire Internet, all at once and all in an easy to manage tool and timeframe. He probably will astound you with some of his results and the things he has seen in his research. It’s worth it! The Keynote is Friday at 9am. Yes, 9am in the morning. It rolls around twice a day now… I know… 🙂

Lastly, if you want to see me speak, you can find me on Friday at 1pm as I discuss and unveil the Stolen Data Impact Model (SDIM) project. Check it out! 

PS – There will be plenty of hallway talk and shenanigans at the con. Come out and sit down and chat. I can’t wait to talk to YOU and hear what you have to say about infosec, threats, the future or just what your thoughts are on life. Seriously… I love the hang out. So, drop down next to me and have a chat! See you this weekend!

 PSS – Yes, I might wear my “hippy hacker”/”packet hugger” shirt. Don’t scream “Packet Hugger” at me in the hallway, please, it hurts my feelings…. 

Ask The Experts: Favorite HoneyPoint Component

Posted on by
Reply

This time around, we got a question from a client where HoneyPoint was being demoed for the experts.

Q: “What is your favorite component of HoneyPoint and why? How have you used it to catch the bad guys?”

Jim Klun started off with:

My favorite component is the simplest: HoneyPoint Agent. 

It’s ease of deployment and the simple fact that all alerts from an agent are of note – someone really did touch an internal service on a box where no such service legitimately exists – makes it attractive. 
No one will argue with you about meaning. 

I have recently seen it detect a new MSSQL worm (TCP 1433) within a large enterprise – information obtained from my own laptop. The Agent I had deployed on the laptop had a 1433 listener. It captured the payload from an attacking desktop box located in an office in another US state. 

The HoneyPoint Agent info was relayed to a corporate team that managed a global IPS. They confirmed the event and immediately updated their IPS that was – ideally – protecting several hundred thousand internal machines from attack. 

Honeypoint Agent: It’s simple, it works.

Adam Hostetler added his view:

I’m a simple, no frills guy, so I just like the regular old TCP listener component built into Agent. We have stood these up on many engagements and onsite visits and picked up unexpected traffic. Sometimes malware, sometimes a misconfiguration, or sometimes something innocuous (inventory management). I also find it useful for research by exposing it to the Internet.

John Davis closed with a different view:

My favorite HoneyPoint is Wasp. Watching how skilled attackers actually compromise whole networks by initially compromising one user machine gives me the shivers! Especially since most networks we see aren’t properly enclaved and monitored. If I were a CISO, knowing what is on my network at all times would be of primary importance; including what is going on on the client side! Wasp gets you that visibility and without all the traditional overhead and complexity of other end-point monitoring and white listing tools.

Have a question about HoneyPoint? Want to talk about your favorite component or use case scenario? Hit us on Twitter (@lbhuston or @microsolved). We can’t wait to hear from you. Feel free to send us your question for the experts. Readers whose questions we pick for the blog get a little surprise for their contribution. As always, thanks for reading and stay safe out there! 

Infosec, The World & YOU Episode 3 is Out!

Posted on by
3

Our newest episode is out, and this time we are joined by a very special guest, @TSGouge who discuss social engineering for companies and on the nation state scale. Victoria reveals her new plans to take over the world and Brent tries to keep up with these gals, who are straight up geniuses. We also pontificate on Syria and the potential for cyber-fallout from the action going on over there.

Check it out here

Have a global real world/cyber issue you want us to tackle? Observed an odd event that ties to a real world cause in the Internets? Drop us a line ~ we’d love to hear about it or get you on the show! 

You can find Brent on Twitter at @lbhuston and Victoria stars as @gisoboz. Get in touch! 

Ask The Experts: New Device Check Lists

Posted on by
2

This time around on Ask The Experts, we have a question from a reader and it got some great responses from the team:

 

Q: “I need a quick 10 item or less checklist that I can apply to new devices when my company wants to put them on our network. What kinds of things should I do before they get deployed and are in use around the company?”

 

Bill Hagestad started us off with:

The Top 10 checklist items a CISO/or equivalent authority should effectively manage before installing, configuring and managing new devices on a network includes the following;

 

1)Organize your staff and prepare them for the overall task of documenting and diagramming your network infrastructure – give them your commander’s network management intent;

2)Create a physical and logical network map – encourage feedback from your team regarding placement of new hardware and software;

3)Use industry standards for your network including physical and logical security, take a good look at NIST Special Publication SP 800-XX Series;

4)Make certain that you and your team are aware of the requisite compliance standards for your business and industry, it will help to ensure you are within legal guidelines before installing new devices or perhaps you may discover the hardware or software you are considering isn’t necessary after all;

5)Ensure that after you have created the necessary network maps for your infrastructure in Step 2) above, conduct a through inventory of all infrastructure which is both critical and important to your business, then document this baseline;

6)Create a hardware/software configuration change procedure; or if you already have his inlace, have your team review it for accuracy; make certain everyone on the team knows to document all changes/moves/additions on the network;

7)Focus not only on the correlation of newly implemented devices on the internal networks but also look at the dependencies and effects on external infrastructure such as voice/data networks – nothing worse than making an internal change to your network and having your Internet go down unnecessarily;

8)Ensure that new network devices being considered integrate gracefully into your existing logging and alerting mechanisms; no need to install something new only to have to recreate the proverbial wheel in order to monitor it;

9)Consider the second & third order effects of newly installed devices on the infrastructure and their potential impact on remote workers and mobile devices used on the network;

10)Install HoneyPoint Security Server (HPSS) to agentlessly & seamlessly monitor external and potential internal threats to your newly configured network….

 

Of course a very authoritative guide is published by the national Security Agency called appropriately “Manageable Network Plan” and available for download @:

 

http://www.nsa.gov/ia/_files/vtechrep/ManageableNetworkPlan.pdf


Jim Klun added:

1. Make sure the device is necessary and not just a whim on the part of management.   Explain that each new device increases risk. 

2. If the device’s function can be performed by an existing internal service, use that service instead. 

3. Inventory new devices by name, IP addresses, function and – most importantly – owners.  There should be a device owner and a business owner who can verify continued need for the device.  Email those owners regularly,   querying them about continued need. Make sure that these folks have an acknowledged role to support the application running on the devices and are accountable for its security. 

4. Research the device and the application(s) its support.  Have no black boxes in your datacenter.  Include an abstract of this in the inventory. 

5. Make sure a maintenance program is in place – hold the app and device owner accountable. 

6. Do a security audit of the device wehn fully configured. Hit it with vulnerability scanners and make sure that this happens at least quarterly. 

7. Make sure monitoring is in place and make very sure all support staff are aware of the device and any alerts it may generate. Do not blind-side the operations staff. 

8. If the device can log its activities ( system and application ) to a central log repository, ensure that happens as part of deployment. 

9. Make sure the device is properly placed in your network architecture. Internet-exposed systems should be isolated in an Internet DMZ.  Systems holding sensitive data should similarly be isolated. 

10. Restrict access to the device as narrowly as possible. 

 

Finally.. if you can, for every device in your environment, log its network traffic and create a summary of what is “normal” for that device.  

Your first indication of a compromise is often a change in the way a system “talks”. 

 

Adam Hostetler chimed in with: 

Will vary a lot depending on device, but here are some suggestions

 

1. Ensure any default values are changed. Passwords, SNMP strings, wireless settings etc.

2. Disable any unnecessary services

3. Ensure it’s running the latest firmware/OS/software

4. Add the device to your inventory/map, catalog MAC address, owner/admin, etc.

5. Perform a small risk assessment on the device. What kind of risk does it introduce to your environment? Is it worth it?

6. Test and update the device in a separate dev segment, if you have one.

7. Make sure the device fits in with corporate usage policies

8. Perform a vulnerability assessment against the device. 

9. Search the internet for any known issues, vulnerabilities or exploits that might effect the device.

  1. Configure the device to send logs to your logging server or SEIM, if you have one.

 

And John Davis got the last word by adding: 

From a risk management perspective, the most important thing a CISO needs to ensure is in place before new devices are implemented on the network is a formal, documented Systems Development Life Cycle or Change Management program. Having such a program in place means that all changes to the system are planned and documented, that security requirements and risk have been assessed before devices have purchased and installed, that system configuration and maintenance issues have been addressed, that the new devices are included in business continuity planning, that proper testing of devices (before and after implementation on the network) is undertaken and more. If a good SDLC/Change Management program is not in place, CISOs should ensure that development and implementation of the program is given a high priority among the tasks they wish to accomplish.

 

Whew, that was a great question and there is some amazing advice here from the experts! Thanks for reading, and until next time, stay safe out there! 

 

Got a question for the experts? Give us a shout on Twitter (@microsolved or @lbhuston) and we’ll base a column on your questions!