Category Archives: General InfoSec

3 Things Security Vendors Wished CIOs Knew

Posted on by
1

Brent Huston, CEO and Founder of MicroSolved, answered a few questions regarding CIO’s and information security. If Brent could speak to a room full of CIO’s, these are a few things he’d share:

1)  CIOs are often unaware of what assets their organization have and how are they protected.

One problem we continually run into is the CIO folks know what the assets are they have, what’s critical and what isn’t. Often, they don’t have a good feel for the lifecycle of that critical data. Knowing what they have and how they currently protect it is a huge step forward for a CIO.

Does that have to be the ability to whip out a map? In a perfect world, yes. It just means the CIO needs to be able to reiterate to the vendor particularly when we’re talking about nuanced protection. And if we’re talking about penetration testing, why not consider this: instead of talking about penetration testing the whole environment, let’s test the stuff that matters. CIOs need to effectively and clearly communicate where that stuff is that matters. The systems it interacts with and what controls are in place today is what we need to focus on for testing or leverage them to do detection.

2)  A lot of CIOs don’t have any idea of what their real threat profile looks like.

When you talk to a CIO about the threat, their image of a threat is either script kiddies sitting in the basement of their mom’s house, or they’re so deeply entrenched in the cyber-crime thing that they think of it as credit card theft. They haven’t reached the level where they have any measurement or understanding of the different levels of threats that are focused on them — and how their responses would vary. The problem is they then treat all threats as the same. 

You expend the resources at a continual burn rate, so you’re probably using more resources than what you need, and then, when something really bad happens (because they’re used to treating it like a minor thing), they don’t feel like they need to pay attention. I’d love to see a CIO grow their attention to the threat profile and be able to communicate that upwards and to us as a vendor. 

3)  Some CIOs don’t understand the organization’s appetite for risk.

This is probably the hardest one. I love to meet with CIOs who already know their organization’s appetite for risk.  It seems like many organizations, even those who should be far enough along and mature and understand an appetite for risk (I’m talking about critical infrastructures, here), don’t understand it.  They have no way to quantify or qualify risk and decide what is acceptable and what isn’t. There may be complex policies in place and there are exceptions, but many CIO’s don’t have a clear “line in the sand” to help them determine what to respond to.

These kinds of initiatives are growing, but that’s one of those things that separates a mature, security-focused organization, and a risk-focused organization from folks who haven’t moved into more of a risk and threat management interface. Many folks still are managing at a vulnerability layer, i.e. “If X vendor releases a Y patch, and I need the Z team to apply it, then I’ll do it.” They think that’s the extent of their security effort. 

 

To consider your security posture, why not take a look at our “80/20 Rule for Information Security” page? Did you know that 80% of an organizations’ real information security comes from only 20% of the assets and effort put into the program? These 13 security projects will give your organization the most effective information security coverage for the least expenditure of time and resources.

Contact us if you have questions! We’ve seen how these projects have helped our clients and would love to help you!

Smart Grid Security is Getting Better – But Still Has Ways to Improve

Posted on by
1

Our testing lab has spent quite a bit of time over the last several years testing smart grid devices. We are very happy to say that we are seeing strong improvement in the general security controls in this space.

Many of the newer smart grid systems we are testing have implemented good basic controls to prevent many of the attacks we used to see in these devices in the early days of the smart grid movement. Today, for example, most of the devices we test, have implemented at least basic controls for firmware update signing, which was almost unheard of when we first started testing these systems years ago. 

Other improvements in the smart grid systems are also easily identifiable. Cryptographic protocols and hardened system configurations are two more controls that have become pretty well standard in the space. The days of seeing  silly plain-text protocols between the field devices or the field deployments and the upstream controls systems are pretty well gone (there are still SOME, albeit fewer exceptions…).
 
Zigbee and communications of customer premise equipment to the smart grid utility systems is getting somewhat better (still little crypto and a lot of crappy bounds checking), but still has a ways to go. Much of this won’t get fixed until the various protocols are revised and upgraded, but some of the easy, low hanging vulnerability fruit IS starting to get cleaned up and as CPU capability increases on customer devices, we are starting to see more folks using SSL overlays and other forms of basic crypto at the application layer. All of this is pretty much a good thing. 
 
There are still some strong areas for improvement in the smart grid space. We still have more than a few battles to fight over encryption versus encoding, modern development security, JTAG protection, input validation and the usual application security shortcomings that the web and other platforms for app development are still struggling with.
 
Default passwords, crypto keys and configurations still abound. Threat modeling needs to be done in deeper detail and the threat metrics need to be better socialized among the relevant stakeholders. There is still a plethora of policy/process/procedure development to be done. We need better standards, reporting mechanisms, alerting capabilities, analysis of single points of failure, contingency planning and wide variety of devices and applications still need to be thoroughly tested in a security lab. In fact, so many new applications, systems and devices are coming into the smart grid market space, that there is a backlog of stuff to test. That work needs to be done to harden these devices while their footprint is still small enough to manage, mitigate and mature.
 
The good news is that things are getting better in the smart grid security world. Changes are coming through the pipeline of government regulation. Standards are being built. Vendors are doing the hard, gut check work of having devices tested and vulnerabilities mitigated or minimized. All of this, culminates in one of the primary goals of MicroSolved for the last two decades – to make the world and the Internet safer for all of you.
 
As always, thanks for reading and stay safe out there!

Talking to Your Management Rationally About Malware

Posted on by
2
Malware with comparisons to Stuxnet are all the rage these days. CNN and other popular media outlets now run stories about new Trojans, viruses and exploits. Much of what is in the media is either hysteria, hype, confusion or outright wrong.
 
There are often nuggets of truth scattered about in the stories, but few of the fears and scenarios whipped into a frothy story have a rational bearing on reality, let alone your business. Nonetheless, executives and even end-users take this stuff in and start to talk about information security topics (which is usually a good thing), but without a rational view, they may use that information to make decisions without regard to risk or the exposures that truly matter to the organization.
 
This is where YOU come in. As an infosec practitioner, your job is to explain to folks in a rational way about the trends and topics in the news. You need to be able to discuss the new piece of malware they saw last night on the news and explain carefully, truthfully, and rationally how it might impact your organization.
 
You need to discuss the controls you have in place. You need to explain the recovery and response processes you have been honing over the last few years. You also need to carefully walk them through how attacks like this work, how your team would be able to detect it (or not), and what you need to be able to do in the future.
 
You need to do this without breathlessly going into detail about the newest evasion techniques it uses, how cool the new exploits are that it leverages, or otherwise spreading uncertainty or fear to your management team. Now, I am NOT suggesting you tell them you have everything under control if you don’t. However, I am suggesting that this conversation should be rational, fair and flat — and offer to come by their office later to discuss future enhancement capabilities and projects that could be funded to assist your team with defending against these and other threats in the future. Then, do it at a time when they have intellectual and emotional stability. 
 
You must also learn about these threats. Be ready to discuss them in real-world (non-IT geek), business language. You have to be able to explain them clearly and concisely, including their rational impacts. If, for example, CNN is running a story about malware that destroys reactors or deletes records of uranium deposits and your organization doesn’t own a reactor or track uranium, then explain the impacts of the attack are not likely to be anything more than an annoyance to your organization and offer to discuss it with them or present on the topic at a later time. Keep them up to date, but whatever you do, keep them rational and make sure that you precisely explain potential impacts clearly. If the worst outcome of a popular malware infection is that your network traffic would rise 12% for a 48 hour period and then drop back to previous levels when the malware doesn’t find what it’s looking for and deletes itself, explain that to them.
 
If the malware is designed to target and exfiltrate the secret sauce to your chicken nuggets, and that’s how your company derives income, then explain that to them in clear, unemotional terms and tell them what you are doing about it and how they can help. 
 
That’s about it. I think the point is clear, but I will repeat it again. Explain new threats rationally to your management when they ask. Share with them realistic impacts, what you are doing about them and how they can help. Offer to give them a deep dive at a later time when they are emotionally and intellectually stable. Avoid the FUD and stick to the facts. You will be doing yourself, your organization, your profession, and maybe even the world a big favor in doing so.
 
Thanks for reading!

Audio Blog Post: Twitter Favorites

Posted on by
1

We’re kicking off the week by talking about some of our favorite feeds on Twitter!

Brent Huston, CEO and Security Evangelist for Microsolved, Inc., interviews Chris Lay, Account Executive and Mary Rose Maguire, Marketing Communication Specialist, about their favorite kinds of tweets. 

We like Twitter to keep up with other security professionals to discover what’s trending. It’s a great way to exchange quick information and alert others when a security issue arises. Plus, our #HITME stream through our MSI HoneyPoint Feed Twitter account has already helped other organizations by alerting them to suspicious activity caught on various ports.

If you’d like to follow the MSI crew, here we are:

Here are a few of our favorites we mentioned:

Click Here To Listen To The Audio Blog Post!

 

 

Hooray! An Open-Source Password Analyzer Tool!

Posted on by
4

 

 

 

 

 

 

 

I’m one of the resident “Password Hawks” in our office. Our techs consistently tell people to create stronger passwords because it is still one of the most common ways a hacker is able to infiltrate a network.

However, we live in an age where it’s not just hackers who are trying to steal an organization’s data. There are also a variety of malcontents who simply want to hack into someone’s account in order to embarrass them, confirm something negative about them, or be a nuisance by sending spam.

This is why it is important to create a strong password; one that will not be easily cracked.

Enter password analyzer tools. Sophos’ “Naked Security” blog posted a great article today about the often misleading security policies of popular online social sites. Developer Cameron Morris discovered that if he followed one social site’s policy, he actually created a more easily “crackable” password than the one they deemed weak.

About three years ago, developer Cameron Morris had a personal epiphany about passwords, he recently told ZDNet’s John Fontana: The time it takes to crack a password is the only true measure of its worth.

Read the rest of the article here.

There is a free analyzer you can use and I strongly suggest you test the strength of your passwords with it.

Passfault Analyzer

Also, Morris created a tool for administrators that would allow them to configure a password policy based on the time to crack, the possible technology that an attacker might be using (from an everyday computer on up to a $180,000 password attacker), and the password protection technology in use (from Microsoft Windows System security on up to 100,000 rounds of the cryptographic hash function SHA-1/).

OWASP Password Creation Slide-Tool

This is one of the best articles I’ve read on password security, plus it has tools for both the end-user and the administrator. Test them out yourself to see if you have a password that can resist a hacker! 

As for me, I think I need to do a little more strengthening…

Have a great Memorial Day weekend (for our U.S. readers) and stay safe out there!

13 Tips to Secure Your Virtual Machine Environment

Posted on by
5

Virtual environments are becoming more popular, providing advantages such as enabling multiple OS environments to co-exist and providing disaster recovery solutions.

Virtual machines easily tests scenarios, consolidate servers, and can move disk files and some configuration files between physical machines.

Safeguarding your virtual server environment is vital, even though it doesn’t have the same issues as a physical environment. Here are a few tips to keep things running smoothly:

  1. Install only what you need on the host machine. Keep your OS and applications current for both virtual and host machines.
     
  2. Isolate each virtual machine you have by installing a firewall. Only allow approved protocols to be deployed.
     
  3. Ensure that antivirus programs are installed on the virtual machines and kept current with updates. Virtual machines, like physical machines are at risk for viruses and worms.
     
  4. Utilize strong encryption between the host and virtual machines.
     
  5. Avoid internet surfing from the host computer. Spyware and malware could easily infiltrate through the the host computer and spread to the virtual machines.
     
  6. Prevent unauthorized access by securing accounts on the host machine.
     
  7. Only use what you need. If you’re not utilizing a virtual machine, shut it down.
     
  8. If a virtual machine does not need to connect with each other, isolate it. Use a separate network card on a different network range.
     
  9. Monitor the event log and security events on both the host machine and on the virtual machine. These logs need to be stored in your log vault for security and for auditing purposes at a later date.
     
  10. Ensure that any hardware you use is designed for VM usage.
     
  11. Strictly manage remote access to virtual machines and especially to the host machine, this will make exposure less likely.
     
  12. Remember, the host machine represents a single point of failure. Technologies like replication and continuity help with reducing this risk.
     
  13. Avoid sharing IP addresses. Again this is typical of sharing a resource and will attract problems and vulnerabilities.

Using these tips will help you make the most of your physical and virtual environments so if anything interrupts your business, you are prepared.

Twitter Hack! 5 Ways to Avoid Being the Victim of a Phishing Attack

Posted on by
3

Twitter is downplaying a security breach that exposed tens of thousands of user emails and passwords.

The leaked information, comprising 58,978 username and password combinations, appeared Monday on Pastebin. While Twitter said that it’s investigating the breach, it’s also downplayed the supposed size and severity of the data dump.

“We are currently looking into the situation,” said spokeswoman Rachel Bremer via email. “It’s worth noting that, so far, we’ve discovered that the list of alleged accounts and passwords found on Pastebin consists of more than 20,000 duplicates, many spam accounts that have already been suspended, and many login credentials that do not appear to be linked (that is, the password and username are not actually associated with each other).”

Information Week Security article

Whenever you read about such breaches, it is always a good idea to change your password, especially if you’ve not changed it for some time.

The compromised Twitter accounts could have been the result of phishing attacks. A phishing attack is when an attacker acquires personal information by duping the user into revealing it through manipulating their emotions.

Remember how one of your wiser friends told you it’s never a good idea to make a big decision while you’re overly-emotional? The same stands true for avoiding phishing attacks.

Here are some ways to stay safe:

  1. Do not give out your financial information ever through an email appeal. I hope we all know now that you haven’t won the Nigerian lottery or that some prince or princess is willing to give you part of their inheritance if only you’ll keep their money in your bank account. Emails of this nature prey upon people who would love to “win” money or worse, may lose money in their account unless they give out their account information. Never give out your personal information. Instead, call your bank to verify that they need the information. You could also have some fun with the hackers like I did.
  2. Don’t call any phone number or visit a website that is linked in the email. There’s a good chance it will connect you directly to the attacker. Look at the URL associated with the link. Does it contain words, letters, or numbers that seem odd? It’s likely an attempt to masquerade as an organization’s true website address, so don’t click it. You can see the URL by hovering over it or highlighting it with your mouse. Again, if you think it may be a legitimate request for information, verify it by contacting your financial institution directly.
  3. Never fill out forms in an email that asks for personal information. Most organizations like PayPal notify their customers but do not ask for personal information to be placed into forms. Again, verify, verify, verify.
  4. Regularly check your online banking accounts. Don’t allow months to go by before checking in. By frequently monitoring your account, you’ll be able to immediately see suspicious activity.
  5. Patch it! When that annoying “Software Updates Available Now” window pops up, don’t ignore it. (I’m talking mainly to myself, now.) Click to install. Patches fix vulnerabilities and many attackers will jump on the opportunity to hit an un-patched machine. If you’re in doubt about whether your browser system is up-to-date, check by clicking your browser’s info link or your system’s and click “Software Update” or “Check for updates.” (In Firefox, it’s in the “Tools” section.)

Finally, you can report phishing attacks to the following organizations:

  • The Federal Trade Commission at spam@uce.gov.
  • Forward the email to the “abuse” email address to the company that is being spoofed (i.e. “abuse@XYZcompany.com” or “spam@XYZcompany.com”). Make sure to forward the complete email message with the original email header.
  • Notify the Internet Fraud Complaint Center of the FBI by filing a complaint on their website: http://www.ic3.gov/default.aspx There is an excellent selection of tips on the FBI site to help you avoid fraud, so make sure to check it out.

The key to avoid becoming a victim is to stay alert, stay suspicious, and stay on top of changing your passwords.

Stay safe!

Quick Wireless Network Reminders

Posted on by
3

I recently tested a couple of Android network stumblers on a drive around the city and I found that not a lot has changed for consumer wireless networks since I last stumbled.

There are still a TON of unprotected networks, default SSIDs and WEP networks out there. It appears that WPA(x) and WPS have been slower to be adopted than I had expected. I don’t know if that is consumer apathy, ignorance or just a continued use of legacy hardware before the ease of push button WPS. Either way, it was quickly clear that we still have a long way to go to deprive criminals of consumer-based wireless network access.

The good news is that it appears from this non-comprehensive sample that the businesses in our area ARE taking WiFi security seriously. Most networks easily coordinated with a business were using modern security mechanisms, though we did not perform any penetration testing and can’t speak to their password policies or detection capabilities. But for the most part, their SSIDs made sense, they used effective crypto and in most cases were even paying attention to channel spread to maximize the reliability of the network. This is good news for most organizations and shows that much of the corporate awareness and focus on WiFi security by vendors seems to be working. It makes the business risk of these easy-to-deploy systems more acceptable.
 
I also noted that it was apparent on the consumer side that some folks deploying WiFi networks are paying attention. We saw SSIDs like “DontHackMe”, “DontLeechMeN3rds”,”Secured”, “StayOut”., etc. Sadly, we also saw plenty of SSIDs that were people’s names, addresses, children’s names and in one case “PasswordIsPassword1”. Clearly, some installers or consumers still haven’t seen the dangers of social engineering that some of these names can bring. So, while we have seen some improvement in SSID selection, there is still work to be done to educate folks that they need to pick non-identifiable information for broadcast.
 
That said, how can we better teach consumers about the basics of WiFi security? What additional things could we do as an industry to make their data safer at home?
 
 

How to Save Your Photos From a BYOD Security Policy

Posted on by
1

Many companies have adopted a BYOD policy regarding mobile devices. Realizing that it’s unrealistic to require employees to leave their iPhones or tablets at home, they’ve accepted mobile technology; albeit, with a few rules.

One of the more common rules is to enable the remote wipe and lock feature. This means that if your device was ever stolen or compromised, the IT department can remotely lock the device and then wipe any data from it. And yes, that would include all of your photos as well as other items.

One CEO recently experienced personal data loss as a result of his own company’s policy that he himself helped establish. (Ouch!) While on vacation, his five-year old daughter tried to use his smartphone. After several failed attempts of entering the passcode, the corporate-installed remote wipe was triggered and the CEO lost all of the photos he had taken during the first half of their vacation. (Double ouch!)

If you have an iPhone with the latest iOS 5, you can sign up for the free iCloud, which will sync your devices and store everything on Apple’s servers. But first, you have to enable it. After installing the iCloud feature, tap Settings/iCloud and then choose “On.” Click on the “Back Up Now” and you’re good to go. This way, if your device is wiped clean because of a security breach, you’ll still have your photos. 

Again, you’ll have to remember to do this frequently if you are using your smartphone to take vacation photos. It may be a good idea to back up your data during dinner or before you go to bed.

If you have an Android phone, make sure you have a Gmail address in order to take advantage of storing your data in the cloud. Titanium Backup and MyBackup Pro are also two apps that can back up your entire phone and transfer the data to your PC’s hard drive.

Whatever device you use, make sure you have a back up plan. Know well your company’s BYOD policy. It will give you peace of mind the next time you’re taking a bunch of photos at an event that will never happen again.

Stay safe and enjoy the ride!

Are You Attending the 2012 ISSA Central Ohio InfoSec Summit?

Posted on by
1

 

If you are in the midwest and can make it to Columbus for the ISSA Summit this year, you owe it to yourself to do so. Great speakers, great content, an amazing location and some of the best folks from around the world, for two days focused on infosec. It’s been amazing the past several years. You can find info online about it here

Some of the things I am looking forward to are getting to hear more from Richard Clarke (I might not always agree with his view, but he is an excellent speaker and a very good man.), and the rest of the speakers. In fact, there is not a speaker on the docket that I don’t think is amazing. We have developer insights, business folks, techno geeks, hackers, auditors and even a few MSI folks. 
 
So, if you can come to town and be here May 17th and 18th, do so. If not, you’ll miss out on what is sure to be an amazing event.
 
Special thanks to the Columbus ISSA team for putting the event together. These folks work really hard to pull it off, and the volunteers on the day of the event go above and beyond to make it all happen. Please take a moment at the event and give them a pat on the back. If something would happen to go wrong, or could be done better, drop them a line in email and they will look at improving it next year. Thank them, in person, for all of the things that go right. Seriously, it helps. Even better, volunteer for the Summit and help them and the community out. It’s a great way to give back for all that the community does for all of us, all year long. 
 
Thanks for reading and we’ll see you at the Summit!