Category Archives: Information Security Training

US Government Urges Offensive Right to Cyber Self-Protection

Posted on by
3

Good day from AusCERT!

If you haven’t heard the latest regarding the People’s Republic of Hacking and countering cyber espionage and the significant loss of intellectual property you should be aware of the New York Times story today… “As Chinese Leader’s Visit Nears, U.S. Urged to Allow Retaliation for Cyberattacks”….folks we have reached a critical inflection point as US Government Urges Offensive Right to Cyber Self-Protection for commercial enterprises to defeat and disrupt the loss of key American inventions and ideas to the People’s Republic of China…this all stated in advance of China’s President Xi Jinping set to meet with President Obama in the next few weeks on US soil…

Read the full New York Times story here:

http://www.nytimes.com/2013/05/22/world/asia/as-chinese-leaders-visit-nears-us-urged-to-allow-retaliation-for-cyberattacks.html?

May’s Touchdown Task: Egress Audit

Posted on by
4

The touchdown task for May is a quick and dirty egress filtering audit. Take a look at your firewalls and make sure they are performing egress filtering (you do this, right? If not, make it happen now ~ it’s the single most effective defense against bot-nets). Once you know egress is in place, give a once over to the firewall rules that enforce it. Make sure they are effective at blocking arbitrary ports, outbound SSH, outbound VPN connections, etc. Verify that any exposed egress ports are to specific IPs or ranges. If you find any short comings, fix them.

Also take a look and make sure that violations of the firewall rules are being alerted on, so your team can investigate those alerts as potential infection sites. 

Lastly, check to make sure that you have egress controls for outbound web traffic. You should be using an egress proxy for all HTTP and HTTPS traffic. Yes, you should be terminating SSL and watching that traffic for signs of infection or exfiltration of sensitive data. Take a few moments and make sure you have visibility into the web traffic of your users. If not, take that as an immediate project. 

That’s it. This review should take a couple of hours or so to complete. But, the insights and security enhancements it can bring are HUGE. 

Until next month, thanks for reading and run for the goal line!

Latest People’s Republic of China Cyber Conflict News….中華人民共和國 信 息战争

Posted on by
2

Latest People’s Republic of China Cyber Conflict News….中華人民共和國 信 息战争

Pentagon Continues Use of People’s Republic of China Satellite in New Lease – Bloomberg
…AFRICOM renews lease with People’s Republic of China’s APT Satellite Holdings Ltd.!

People’s Republic of China’s software industry growth quickens – Xinhua | English.news.cn
The growth of China’s software industry quickened last year despite sluggish market demand caused by an economic slump at home and abroad, showed official data revealed on Wednesday.

India’s NSC points to Huawei, ZTE’s links with Chinese military project PLA-863 http://articles.economictimes.indiatimes.com/2013-05-15/news/39282046_1_huawei-and-zte-telecom-equipment-nsc

Beijing’s ‘Bitskrieg’ – 中國人民解放 總參謀部…信 息战争
http://www.foreignpolicy.com/articles/2013/05/13/beijings_bitskrieg?page=full

US Intelligence & Military fears after People’s Republic of China missile test – Telegraph
http://www.telegraph.co.uk/news/worldnews/asia/china/10063455/US-fears-after-Chinese-missile-test.html

Aaron Bedra on Building Security Culture

Posted on by
9

Our good friend, Aaron Bedra, posted a fantastic piece at the Braintree Blog this morning about building a security culture. I thought the piece was so well done that I wanted to share it with you.

Click here to go to the post.

The best part of the article, for me, was the content about finding creative ways to say yes. IMHO, all too often, infosec folks get caught up in saying no. We are the nay sayers, the paranoid brethren and the net cops. But, it doesn’t have to be that way. It might take a little (or even a LOT) of extra work, but in many cases ~ a yes is possible ~ IF you can work on it and negotiate to a win/win point with the stakeholders.

Take a few minutes and think about that. Think about how you might be able to get creative with controls, dig deeper into detection, build better isolation for risky processes or even make entirely new architectures to contain risk ~ even as you enable business in new ways.

In the future, this had better be the way we think about working with and protecting businesses. If not, we could find ourselves on the sideline, well outside of the mainstream (if you aren’t there already in some orgs). 

Great work Aaron and thanks for the insights.

Welcome Red Dragon Rising

Posted on by
Reply

J0289893

Please join me in welcoming Red Dragon Rising to the fold. The Dragon team will be posting a variety of international threat intelligence information, cyber warfare research and engaging commentary. Stay tuned here for a new strain of content on the site, which will be meshed in with the traditional content we have been bringing you throughout the years. 

You can also find the Dragon team on Twitter @RedDragon1949.

As always, thanks for reading and let us know what you think of the new content and some of the intelligence we will be sharing.

OpUSA:: Feint or Fail?

Posted on by
5

So, yesterday was the date of the much awaited OpUSA, originally proclaimed to be a decisive attack on the US banking and government infrastructures. Thankfully, there seemed to be little impact on US banking or government, and while some commercial and even government sites did get attacked, the sustained impact seemed to be fairly well contained.

Below are a few thoughts on OpUSA and observations made from the data we saw around the Internet (in no particular order):

  • Anonymous groups seemed to be alluding to some infighting, with some groups mocking others and some fragments calling the entire operation a fake. There does seem to be some form of power struggle or competition going on inside the loose alignment of cells, at least from what conversations could be reviewed on Twitter, other social media and the paste bin releases.
  • Many of our team considered the possibility that OpUSA was a feint, designed to attract media attention and recruit new talent, even as primary groups and forces remained on the side lines. From a strategic point, this might make sense, though the in-fighting argument above seems more likely.
  • There seemed to be a large focus on attacking sites primarily powered by PHP. Certainly there are groups and cells inside the movement where their primary focus is PHP attacks and their exploits and tools are solely geared to PHP compromises. Other platforms are likely to remain in scope and within reach, but the majority of the attacks and compromises released yesterday seemed to revolve around PHP.
  • The 10,000 credit card release was MOSTLY a bust. All of the cards we saw were already expired. HOWEVER, it should be noted that SSNs, security questions and other PII was included in that release, so the impacts are broader than just credit card information.
  • Lots of released account credentials, software licenses and such also came out with associated tag lines during the operation. Additionally, many of the folks posting released data to the paste bins and on Twitter also usually release a good deal of pirated software, media and music from what we could tell. It is likely that some of the actors involved in the movement also participate in software and media piracy.
  • At least 3 credit unions were included in the released target lists. This was interesting, especially given the previous Anonymous stance that citizens should replace banks with credit unions. One has to wonder why these three particular CUs were targeted or if they were merely tokens. 

Other than the usual chatter and jeers, there seemed to be little unique about OpUSA and the efforts identified with the campaign. The media is picking up on some additional items here and there, but largely, the operation was seen as being a smaller or less successful campaign than previous attack sets.

Save the Date for CMHSecLunch – May 13th

Posted on by
4

It’s almost time for another CMHSecLunch! This month, the event is May 13th, 11:30a – 1pm at Easton Mall food court. As always, it is FREE and open to anyone interested in infosec and IT to attend. You can find out more, track the event and RSVP all one page by clicking here.

We hope to see you there! 

SDIM Project Update

Posted on by
2

Just a quick update on the Stolen Data Impact Model (SDIM) Project for today.

We are prepping to do the first beta unveiling of the project at the local ISSA chapter. It looks like that might be the June meeting, but we are still finalizing dates. Stay tuned for more on this one so you can get your first glimpse of the work as it is unveiled. We also submitted a talk at the ISSA International meeting for the year, later in the summer on the SDIM. We’ll let you know if we get accepted for presenting the project in Nashville.

The work is progressing. We have created several of the curve models now and are beginning to put them out to the beta group for review. This step continues for the next couple of weeks and we will be incorporating the feedback into the models and then releasing them publicly.

Work on phase 2 – that is the framework of questions designed to aid in the scoring of the impacts to generate the curve models has begun. This week, the proof of concept framework is being developed and then that will flow to the alpha group to build upon. Later, the same beta group will get to review and add commentary to the framework prior to its initial release to the public.

Generally speaking, the work on the project is going along as expected. We will have something to show you and a presentation to discuss the outcomes of the project shortly. Thanks to those who volunteered to work on the project and to review the framework. We appreciate your help, and thanks to those who have been asking about the project – your interest is what has kept us going and working on this problem.

As always, thanks for reading, and until next time – stay safe out there! 

3 Tough Questions with Bill Sempf

Posted on by
2

Recently, I caught up over email with Bill Sempf. He had some interesting thoughts on software security, so we decided to do a 3 Tough Questions with him. Check this out! :

 

A short biography of Bill Sempf: In 1992, Bill Sempf was working as a systems administrator for The Ohio State University, and formalized his career-long association with inter-networking. While working for one of the first ISPs in Columbus in 1995, he built the second major web-based shopping center, Americash Mall, using Cold Fusion and Oracle. Bill’s focus started to turn to security around the turn of the century. Internet driven viruses were becoming the norm by this time, and applications were susceptible to attack like never before. In 2003, Bill wrote the security and deployment chapters of the often-referenced Professional ASP.NET Web Services for Wrox, and began his career in pen testing and threat modeling with a web services analysis for the State of Ohio. Currently, Bill is working as a security-minded software architect specializing in the Microsoft space. He has recently designed a global architecture for a telecommunications web portal, modeled threats for a global travel provider, and provided identity policy and governance for the State of Ohio. Additionally, he is actively publishing, with the latest being Windows 8 Application Development with HTML5 for Dummies.

 

Question #1: Infosec folks have been talking about securing the SDLC for almost a decade, if that is truly the solution, why haven’t we gotten it done yet?

For the same reason that there are still bugs in software – the time and money necessary to fix things. Software development is hard, and it takes a long time and lots of money to write secure software. Building security in to the lifecycle, rather than just waiting and adding it to the test phase, is just prohibitively expensive.

That said, some companies have successfully done it. Take Microsoft for instance. For a significant portion of their history, Microsoft was the butt of nearly every joke in the security industry. Then they created and implemented the MSDL and now Microsoft products don’t even show up on the top 10 lists anymore. It is possible and it should be done. It’s just very expensive, and companies would rather take on the risk than spend the money up front.

Question #2: How can infosec professionals learn to better communicate with developers? How can we explain how critical things like SQL injections, XSS and CSRF have become in a way that makes developers want to engage?

There are two fronts to this war: the social and the technical. I think both have to be implemented in good measure to extract any success.

On the social side, infosec pros need to get out of the lab, and start talking at developer conferences. I have been doing this as a good measure since 2010, and have encouraged other community members to do the same. It is starting to work. This year at CodeMash, Rob Gillen and myself gave a day long training on everything from malware analysis to Wi-Fi to data protection. The talk was so popular that we needed to be moved into a bigger room. Security is starting to creep into the developers scope of vision.

Technically, though, security flaws need to be treated just like any other defect. The application security test team needs to be part of QA, treated just like anyone else in QA, given access to the defect tracking system, and post defects against the system as part of the QA process. Until something like the Microsoft SDL is implemented in an organization, integrating security testing with QA is the next best thing.

Question #3: What do you think happens in the future as technology dependencies and complexities ramp up? How will every day life be impacted by information security and poor development/implementations?

More and more applications and devices are using a loosely connected model to support fast UIs and easy functional development. This means more and more business functionality exposed in the form of SOAP and REST services. These endpoints are often formerly internal services that were used to provide the web server with functionality, but are gradually being exposed in order to support mobile applications. Rarely are they fully tested. In the short term future, this is going to be the most significant challenge to application security. In the long term, I have no idea. Things change so fast, it is nearly impossible to keep up.

 

Thanks to Bill for sharing his insights. You can discuss them with him on Twitter, where he is @sempf. As always, thanks for reading!

Coming to Grips with DDoS – Prepare

Posted on by
3

This post introduces a 3 part series we are doing covering distributed denial of service attacks (DDoS) and helping organizations prepare for them. The series will cover 3 parts, Prepare, Defend and Respond. 

Part 1 of 3 – Prepare.

Distributed Denial of Service (DDoS) attacks use networks of compromised computers (botnets) or web servers (brobots) to flood organization websites with so much traffic that it causes them to fail. This is especially worrying for financial institutions and utilities which rely so very heavily on the availability of their services and controls. DDoS attacks are also mounted by attackers to hide fraud or other hacking activities being perpetrated on networks. Although these types of attacks are not new, they are presently increasing in frequency and especially in sophistication. Application layer DDoS attacks do a good job of mimicking normal network traffic and recent DDoS attacks have been measured at a huge 65 Gb (nearly 10 times the previous high point). The purpose of this blog is to discuss some methods small organizations can employ to properly prepare for DDoS attacks. (Later articles in this series will discuss means for defending against and responding to these attacks).

The first thing any organization should do in this effort is proper pre-planning. Ensure that DDoS is included in your risk assessment and controls planning efforts. Include reacting to these attacks in your incident response and business continuity plans. And as with all such plans, conduct practice exercises and adjust your plans according to their results. In all our years in business, MSI has never participated in a table top incident responce or disaster recovery exercise that didn’t expose planning flaws and produce valuable lessons learned.

Next, your organization should consider DDoS when choosing an ISP. It helps immensely to have an Internet provider that has enough resources and expertise to properly assist if your organization is targeted for one of these attacks. Ensure that you develop a close relationship with your ISP too – communicate your needs and expectations clearly, and find out from them exactly what their capabilities and services really are. 

Finally on the preparation side of the problem, make sure that you keep well informed about DDoS and the actual threat level it poses to your organization. Keep active in user groups and professional organizations. Use the net to gather intelligence. The Financial Service Information Sharing and Analysis Center (FS-ISAC) has plenty of useful and up to date information on DDoS. You can even turn the World Wide Web against the enemy and use it to gather intelligence on them!

–This article series is written by John Davis of MSI. 

PS – This is NOT a problem you can “purchase your way out” of. Organizations can’t and should not buy huge amounts of bandwidth as a preparation for DDoS. The cost impacts of such purchases are not effective, nor is bandwidth size an effective control in most cases. Note that some technology solutions for packet scrubbing and the like do exist. Your milage may vary with these solutions. MSI has not reviewed or tested any of the DDoS technology products as a part of this series.