Category Archives: General InfoSec

Incident Response: Practice Makes Perfect

Posted on by
2

 

Is it possible to keep information secure? Read on to find out.

IF there is only one person that knows the information, IF that person never writes that information down or records it electronically, and IF that person is lucky enough not to blurt out the information while they are sleeping, drugged or injured, then the answer is yes…probably. Under any other conditions, then the answer is an emphatic NO! It is an unfortunate truth that no system ever developed to protect the security of information is perfect; they all can be breached one way or another. That is why it is so important to have a good incident response program in place at your organization.

And most of you out there, I’m sure, have an incident response plan in place. All information security standards organizations such as ISO and NIST include incident response in their guidance, and many of you are required to have incident response programs in place in order to comply with regulation. But how many of you practice responding to incidents to make sure your planning actually works? At MicroSolved, we’ve been involved in reviewing, developing and testing information security incident response programs for many years. And we have found that no matter how good response plans looks on paper, they’re just not effective if you don’t practice them. Practicing doesn’t have to be a big chore, either. We’ve helped many organizations conduct table top incident response exercises and they usually only last a few hours. They’ve never failed to produce valuable returns.

Unfortunately, there are no good incident response exercise frameworks available out there – we’ve looked. But it is not hard to create your own. Simply pick a type of incident you want to practice – a malware attack for example. You imagine what such an attack would look like to your help desk personnel, system administrators, security personnel, etc. and construct a scenario from that. You just need a basic outline since the details of the response will construct themselves as you proceed with the exercise.

What we have found from conducting and observing these exercises is that problems with the written plan are always exposed. Sure, maybe the plan says that this group of people should be contacted, but is there a procedure for ensuring that list is always kept current in place? Have you made pre-arrangements with a forensic specialist in case you need one? Are the help desk personnel and desk top administrators trained in how to recognize the signs of an attack in process? These are the types of issues performing simple table top incident response exercises will reveal.

Perhaps you will be lucky and never experience a bad information security incident. But if you do, you will be very glad indeed if you have a well practiced information security incident response program in place!

What To Do When Your Identity Gets Stolen

Posted on by
Reply

OK, so it happens. A lot. Companies and people don’t always do the right things and sometimes, criminals win. They steal identity data and get the chance to commit massive fraud. We all know about it. We hear the stories and we hear people talking, but we don’t think it will happen to us, until it does.

What now? What should you do when such an event occurs in your life? Well, this great article from our friends over at Help Net Security summarizes best practices for identify theft victims and their support systems as described by the Consumer Federation of America (CFA). I thought the article was not only good content, but an excellent point of reference for folks who might be impacted by identity theft. You should check it out here. Here are some more tips:

  1. You should also be well aware of your legal rights and responsibilities and not be afraid to engage with your state Attorney General’s office if you suspect vendors are not playing by the rules. You can find a list of state Attorney General contacts here: http://www.consumerfraudreporting.org/stateattorneygenerallist.php
  2. Legal representation may also be of assistance if the fraud you face is large enough to warrant the cost of representation. Don’t be afraid to engage with an attorney if the fraud costs are large or the legal complexity you face is astounding. Contact your state bar association for information on finding reputable consumer law attorneys in your area.
  3. If you are considering something like one of these consumer data/life “locking” services or the like, please check out a DIY approach here.

We hope you never have to use this information, but if you do, these are a few quick tidbits to get you started while avoiding further scams, fraud and abuse. As always, thanks for reading and stay safe out there!

Quick Pointer to a Very Cool Tool

Posted on by
Reply

I recently was made aware of a very cool tool for analyzing netflow data that may you may be collecting from around your network. I’d seen netflow and visual analysis tools like this before, but in this case, the product performed very nicely, was very robust and starts at the low price of FREE for real time analysis. The tool is called Scrutinizer and you can find it for download and purchase here.

The free version works well for real time analysis and is nice complement to your health checks and the like if you have a network monitoring team. It is also pretty useful in digging into real-time netflow data to identify compromised hosts and components of bot nets in your network. With some careful attention, the low hanging bot net zombies will stand out from the data streams. Pretty useful to find the easy pickings…

With the commercial version, you can also add historical netflow data analysis, which opens the tool up to being very useful for over time analysis, forensics and deep anomaly detection, not to mention the network monitoring work the tool was originally designed for. MicroSolved has no relationship with the company who makes the product, but we thought it was worth it to point out a useful tool when we saw it.

Super Secret Squirrel Preview Shot of the New HoneyPoint Console

Posted on by
Reply

They say a picture is worth a thousand words, so here is a picture for you to consider. This is a super secret screen shot of the new HoneyPoint Console (version 3.50) that is currently in development in the lab. If you haven’t seen HoneyPoint Console since the 2.xx days, the Console is now a whole new thing. Feedback from the alpha testing teams has been fabulous. And yes, those tabs expand, we compressed them to hide the info in the columns. And, yes, one of the new features is now persitent placement of the columns, window locations, sizes and sort routines between instances. We heard you and we love your ideas on the product, so keep them coming!

You can give us feedback via email to your account executive, blog comment below or hit us up on Twitter via @lbhuston or @microsolved. We look forward to hearing what you think!

Thanks for reading!

3 Things Good Security Processes Won’t Do

Posted on by
Reply

We hear a lot of talk about needing good information security processes, but why are they so important? Well, besides being the basis for a strong security program and compliance with regulatory guidance, they also represent the best way to get consistency across the security initiative and between silos of knowledge. Done right, good security processes halt infosec by “cult of personality”, but they aren’t infallible. Here are three things that having good information security processes won’t do:

1. Defense Without Funding – Even the best security teams often struggle to convince upper management of proper budget needs. While good security processes might help you generate metrics and real world threat insights that you can use to explain risk to your management, as the old saying goes, if they spend more on coffee than infosec, they will get hacked and they will deserve it. Even good processes can’t save you if your security team is resource starved.

2. Pet Project Sink Holes – We’ve all been there, a manager or executive has this idea that steam rolls into a project and yet is just a doomed thing to start with. IT and other parts of the business, including security, can get drawn into the vision and throw a seemingly never ending set of resources down the gullet of this project that never seems to progress, but just won’t die. Unfortunately, this another place where strong processes just don’t help. Once the project steals the imagination of the executive team, the game is pretty much over. You ride along or die. Where you can win here with strong processes though, is by defining good minimum levels of resources that your policy forbids being switched to other tasks. Then, at least, you have a base to stick to when one of the hurricanes of fail comes over the horizon.

3. Zombie Apocalypse – Nope, they won’t help you here either. Good processes tend to break down when the zombies are munching on the brains of your teams as a snack. Yeah, we know, we saw the screenplay too, but we still think that whole Charlie Sheen in grubby clothes and grey make up thing is just another tacky grab for more attention. 🙂

Seriously, other than these, good processes help with infosec. Get started on them right away, before the zombies reach the data center….

Tales From the Tweetstream: AV Detection with Brent Huston

Posted on by
Reply

Recently, I had an interesting discovery regarding AV detection. Follow them below, and let me know what you think!

[blackbirdpie url=”https://twitter.com/#!/lbhuston/status/41156624727031808″]

[blackbirdpie url=”https://twitter.com/#!/lbhuston/status/41158471889977345″]

[blackbirdpie url=”https://twitter.com/#!/lbhuston/status/41159738955665408″]

[blackbirdpie url=”https://twitter.com/#!/lbhuston/status/41160629037441025″]

[blackbirdpie url=”https://twitter.com/#!/lbhuston/status/41161521144795136″]

Beware of Drive Erasure Problems on SSD Drives

Posted on by
Reply

There is a lot of interesting research going on right now with the processes and tools that may be useful in erasing the new solid state drives that many laptops and other systems are using. The traditional methods of magnetic cleansing (degaussing), and even file over-write tools that have been in use now for decades in many organizations, have little to no effect on removing sensitive data on these solid state drives.

Here is a nice article explaining some of the problems.

As described in the article, it seems that many of our current data management and cleansing techniques simply do not apply to these solid state memory-based devices. This makes drive encryption all the more urgent, as these systems are beginning to pop up in many organizations that are starting their hardware refresh processes after delaying them due to economic conditions.

If you are an information security team, or an IT team considering such purchases, please make appropriate cryptography a part of your solution. Many solutions exist by a variety of vendors today with pricing ranging from near zero to the cost of full-scale commercial enterprise implementations in the hundreds of thousands of dollars. Complexity also ranges from trivial and built into the operating system to quite high, depending on centralized management and remote assistance capabilities.

No matter how you to choose to address the problem, the key factor is that you are aware that SSD systems are a different animal with unique challenges versus traditional hard disks. Knowing that will at least put you on the right path toward investigating a solution and updating your processes.

Learn a Scripting Language to Make Security Work Easier

Posted on by
Reply

One of the most common complaints I hear from folks working in information security is that they are overwhelmed with data, alerts, log files and all of the other information sources they deal with on a daily basis. Often, this is a problem that can be solved with an adjustment to the level of data they are looking at and investment in some processes and tools to help gain some leverage. You may not need or be able to afford a full SEIM implementation, but with a couple of basic tools and a little bit of creativity, you can likely get a bit more leverage than you are today.

The first thing I often advise folks to do is to embrace a scripting language. You don’t need to become a master coder, but to get some leverage from systematizing your work, you will have to create some tools that are specific to your work. These scripts or tools should replicate much of the repetitive work you are doing today and can be a simple front end to handle the most common issues without your personal interaction, thus saving you time and resources.

Specifically, let’s say you have to comb log entries for a specific message that is pretty routine and then email the help desk when you see that message with the relevant details. In our example, with some basic scripting skills in python/ruby/perl, this becomes an easy to automate task. Pull the data in, parse through it with some scripting logic, segregate out the events you need and then drop them into an email and send it out. A quick script that runs in a scheduler or cron and your new virtual assistant just took over one of your daily tasks.

Do this enough, and you knock out much of the repetitive work you face today. That frees up your cycles to dive deeper, do additional research or grow your skills.

Scripting helps in other ways too. Understanding programming logic basics is a huge plus for security folks who might have a more network/systems-centric background. It will help you understand a lot more about how applications work in your environment and how to best interact with them in ways to protect them. It also gives you some empathy when working with developers and other folks who are heads down in code. Scripting can also be a very valuable skill in just solving complex problems and the security world is full of those.

How to get started in mastering the basics of a scripting language? Well, identify how you learn best. Are you a classroom learner, then take a class or use online universities and training that are common today. Learn by reading? Then get yourself a good book from Amazon or the mall and get started. Learn by doing? This is the easiest on of all. Just do it. Choose one language. Stick with it. Learn the basics. Looping, variables, basic syntax, file access, etc. Then grow your skills over time by actually scripting your tasks.

I challenge you to try this for 90 days. Give it a shot. If, after 90 days, this is not helping you free up more time at work, learn more about things you don’t know today and making your job in security easier, then write me a nasty email and stop doing it. I have made this challenge before and haven’t gotten one email in more than a decade that said it was horrible and that it didn’t help. 90 days. Give it, and yourself, a break and make it happen. The first step is committing to actually do it. Make the commitment and follow through. You won’t be sorry.

How to Avoid Falling For Social Engineering Attacks

Posted on by
5

I am one of the “end-users” in our organization. I’m not a tech, but over the years have had my eyes opened regarding information security and ways I can safeguard my own private data. My favorite tool is a password vault, which helps tremendously as I belong to dozens of sites. Quite frankly, I can’t remember what I had for dinner yesterday much less recall all the different passwords needed to access all those sites. So a password vault is incredibly helpful.

But what really fascinated me was the discovery of social engineering. Social engineering is when someone uses deceptive methods in order to get you to release confidential information. Sometimes it’s almost obvious, sometimes it’s sneaky. But on most occasions, people don’t realize what’s happening until it’s too late.

I’ll give an example: One time I received several phone messages from my credit union. I was told there was an issue and to return the call. I called my credit union to discover that (surprise, surprise), there was no “issue” and they never called me. So when this shady outfit called me two days later, I was home and answered the phone. After the woman went through some type of script (needing my account number, natch), I blew up.

“For your information, I contacted my credit union and there IS no issue and no need to speak to me. How in the world do you sleep at night, deliberately trying to get people to give you confidential information so you can steal from them? You’ve got a helluva lotta nerve to keep calling!”  The woman was silent. I slammed the phone down. I never heard from them again.

The point of this colorful little story is that thieves and hackers are everywhere. With our information becoming more digitalized, we need to be on guard more than ever before and use the most powerful weapon we’ve got.

QUESTION EVERYTHING.

And follow some of these tips:

  1. If you receive an email from PayPal or a credit card company and they want to “verify” your account, check the URL. If a letter of the company’s name is off or it looks totally different, do NOT click on it. (You can see the URL usually by hovering your mouse over the link.)
  2. Never  click on a link in an email to a financial institution. If you are a member of this institution, call their customer service number. Have them check your account to see if indeed there was a need to contact you.
  3. Always check the identity of anyone who is calling you on the phone to ask for confidential information. Say you’re about to run out the door and get their name and phone number. Then call the organization they represent to verify that this person is legit.
  4. Check to make sure a site is secure before passing on confidential information. Usually this information is either available under a “Privacy” link or an icon (like a lock) is visible in the address bar.
  5. At your workplace, use the same approach. Be friendly, but wary in a good way. If you have a courier who needs to give their package directly to the recipient, casually ask a co-worker if they could accompany the courier to their destination and then ensure they leave promptly afterward. Use this method for any strangers who are visiting your organization such as repairmen, copier salespeople, or phone technicians.

Speaking of copiers, beware of “boiler-room” phone calls. These are attempts to gather information about your copier (i.e., serial number, make and model of copier) so the unscrupulous company can ship expensive supplies to a company and then bill you, as though it was a purchase initiated by your company. These types are scumballs in my book. After I learned what they did, I’d have a bit of fun with them before hanging up. Now I don’t have the patience for it. I just hang up.

You have to be sharper than ever to see through a social engineering attack. The challenge is to retain that sharpness while in the midst of multiple tasks. Most of the time, the attacker will take advantage of a busy receptionist, a chaotic office, or a tired staff when they try their dastardly deed. (Ever notice you hardly get these attempts early in the morning, when you’re awake and alert? And how many happen close to quitting time on a Friday?)

Just a few thoughts to keep you sane and safe. Confound the social engineering attacks so you won’t be the one confounded! Good luck!

InfoSec Insights: Getting Indexed Via Twitter – Good & Bad

Posted on by
1

Earlier this week, I did a quick experiment in the MSI Threat Lab. I wanted to see what happened when someone mentioned a URL on Twitter. I took a HoneyPoint Agent and stood it up exposed it to the Internet on port 80.

I then mapped the HoneyPoint to a URL using a dynamic IP service and tweeted the URL via a test account.

Interestingly, for the good, within about 30 seconds, the HoneyPoint had been touched by 9 different source IP addresses. The search engines, it seems, quickly picked the URL out of the stream, did some basic traffic and I assume queued the site for crawling and indexing in the near future. A few actually indexed the sites immediately. The HoneyPoint cataloged touches from 4 different Amazon hosts, Yahoo, Twitter itself, Google, PSINet/Cogent and NTT America. It took less than an hour for the site to be searchable in many of the engines. It seems that this might be an easier approach to getting a site indexed then the old visit each engine and register approach, or even using a basic register tool. Simply tweet the URL and get the ball rolling for the major engines. 🙂

On the bummer side, it only took about 10 minutes for the HoneyPoint to be probed by attacker scanning tools. We can’t tie cause to the tweeting, but it did target that specific URL and did not touch other HoneyPoints deployed in the range which certainly seems correlative. Clearly, search engines aren’t the only types of automated applications watching the Twitter stream. My guess is that scanning engines watch it too, to some extent, and queue up hosts in a similar manner. Just like all things, there are good and bad nuances to the tweet to get indexed approach.

Further research is needed in what happens when a URL is tweeted, but I thought this was an interesting enough topic to share. Perhaps you’ll find it useful, or perhaps it will explain where some of that index traffic (and scanner probes) come from. As always, your mileage and paranoia may vary. Thanks for reading!