Category Archives: General InfoSec

2 Ways to Get the Most Out of Security Awareness Training

Posted on by
Reply

A good security training and awareness program is one of, if not the most important part of any effective information security program. After all, people are the ones that cause security problems in the first place and, ultimately, people are the ones that have to deal with them. Not to mention the fact that people are twice as likely to detect security problems and breaches as any automated system. Doesn’t it make sense that you should do everything in your power to ensure that all of your people are behind you in your security efforts? That they are provided with the knowledge and the tools they need to understand information security and what their responsibilities are towards it? That they are aware of how devastating an information security incident can be to the company, and consequently, how devastating it can be to them personally? Well, you’re not going to get that from having them read the policy book as new hires and then hold a two hour class six or twelve months later!

And that is traditionally how information security is dealt with in most companies. All enthusiasm for the process is absent, too. They don’t want to do this training! It costs them time and money! The only reason most companies provide any security training outside of the very basics is because of their need to comply with some regulation or another. So what you end up with is a whole group of undertrained and unenthusiastic employees. And these employees become, in turn, the very kind of security liabilities that you are trying to avoid in the first place! So why not turn them into security assets instead? You have to provide them with some security training anyway, so why not give it that extra little “oomph” you need to make it worth your while to do?

How do you go about that you may ask? Here are some tips:

    1. Make sure that they understand what an information security incident or anomaly looks like. Make sure that they know all about social engineering techniques and how Malware is spread. Give them some tips on how to recognize bogus websites, phishing emails and bogus phone calls. Let them know some of the things they can expect to see if there is a virus present on their machines. And don’t use just one format to provide them with this information. Use every method you can think of! There are many formats for security and awareness training to choose from. Group assemblies with speakers and PowerPoint presentations, lunch and learns, training days, self directed web based learning, directed webinars, security documents, email reminders, posters and pamphlets, podcasts, departmental meetings, discussion groups and many more. And make sure that management personnel, especially top management personnel, make it clear how important this task is and how much it means to them and the company. Without this support, your efforts will go nowhere.

    2. Give your people incentives that make them want to participate in the information security program. One method is to simply ask for their help. Make sure your employees understand how important the participation of each and every one of them is to the effort. People often respond very favorably to such requests. Whereas if they are simply told that they must do it, they are much more likely to be unconcerned and uncooperative. Another way is to provide them with rewards for active participation in the program. Put the names of employees who have reported security issues in a hat and have a monthly drawing for a prize or a day off. Give these people a free lunch. Give them the best parking spot in the lot for a month. I’m sure you can think of a dozen other ways to reward your employees for participating in the program. Or simply post the picture of the employee on a bulletin board or internal web page or recognize their accomplishments at group meetings. Everybody really likes to be recognized for doing a good job!

The whole idea is to turn your personnel into “net cops”. If you can do that, you can turn your own people into the best IDS system there is, and for a lot less money than you would spend on machines or hosted services…or for cleaning up a security incident!

Using Honeypots to Track Attackers: Eric Romang’s FileAve.com Report

Posted on by
Reply

One of MSI’s Twitter friends, Eric Romang, recently wrote a deep dive about PHP RFI attacks that used the fileave.com service. The write-up was based on a large set of honeypot data that dates back several years!

The data is interesting and compelling and goes a long way to show value derived from the use of honeypots to track attackers and reveal information and trends about their behaviors. Check out this article here.

We were quite impressed with the data visualizations and are excited to see the level of effort put forth. Thanks for the dedication and hard work! We hope that, you, our readers, enjoy pointers to great data like this.

Have you seen or done other honeypot research or visualizations on your networks and threats? If you care to share tips, results or the like, drop us a line below in the comments or via Twitter (@lbhuston, @mrmaguire). We would love to hear more about them!

As always, thanks for reading!

Review of Puppy Linux 5.0

Posted on by
Reply

Lucid Puppy Linux 5.0 was released back in May of 2010, but as one of my favorite distros, I have been playing with it heavily since then. I have been so impressed with the new version that I wanted to take a moment and write a quick review of this release.

You can find the official release page here, along with download information.

First, let me say that I have really come to love Puppy Linux over the last several years. I use it as a LiveCD/USB platform for secure on the go browsing, a Linux OS for old hardware that I donate to a variety of folks and causes, and as a platform for using HoneyPoint as a scattersensor. I like the ease of use, wide range of hardware support, and small footprint. All of these make this a very workable Linux distro.

This version especially seems to be stable, fast, and capable. I have taken to running it from a bootable USB drive and the performance has been very nice. Being able to drop these onto untrusted systems and use them as a browser, VPN client, and productivity tool has been handy. Using HoneyPoint Personal Edition, the nmap plugins and some other Puppy installs of security tools gives me a great platform for working incidents, gaining visibility and catching rogue scans, probes and malware that are in circulation when I pull in to help a client. Over and over again, the distro has proven itself to be a very powerful tool for me.

I suggest you take a look at the distro, LiveCD or USB and see how it can help you. I think you’ll find it fun, easy to use, and quite addicting. The pictures of the puppies don’t hurt either. 🙂

Check it out!

Fighting Second Stage Compromises

Posted on by
Reply

Right now, most organizations are fighting a losing battle against initial stage compromises. Malware, bots and client side attacks are eating many security programs alive. The security team is having a nearly impossible time keeping up with the onslaught and end-user systems are falling left and right in many organizations. Worse, security teams that are focused on traditional perimeter security postures and the idea of “keeping the bad guys outside the walls” are likely unaware that these threats are already active inside their networks.

There are a number of ways that second stage compromises occur. Usually, a compromised mobile device or system comes into the environment via remote access, VPN or by being hand carried in by an employee or consultant. These systems, along with systems that have been exploited by client-side vulnerabilities in the day to day network represent the initial stage compromise. The machines are already under attacker control and the data on these machines should already be considered as compromised.

However, attackers are not content with these machines and their data load. In most cases, they want to use the initial stage victims to compromise additional workstations and servers in whatever environment or environments they can ride those systems into. This threat is the “second stage compromise”. The attackers use the initial stage victims as “pivot points” or bots to attack other systems and networks that are visible from their initial victim.

Commonly, the attacker will install bot-net software capable of scanning other systems and exploiting a few key vulnerabilities and bad passwords. These flaws are all too common and are likely to get the attacker quite a bit of success. The attacker then commands the bot victim to scan on new connections or at designated times, thus spreading the attacker’s presence and leading to deeper and deeper compromise of systems and data.

This pattern can be combated in a number of ways. Obviously, organizations can fight the initial stage compromise. Headway has been made in many organizations, but the majority are still falling quite short when it comes to protecting against a growing diverse set of attack vectors that the bot herders and cyber-criminals use. Every day, the attackers get more and more sophisticated in their campaigns, targeting and approach. That said, what can we do if we can’t prevent such attacks? Perhaps, if we can’t prevent them easily, we can strengthen our defenses in other ways. Here are a couple if ideas:

One approach is to begin to embrace enclave computing. This is network and system trust segregation at the core. It is an approach whereby organizations build their trust models carefully, allowing for initial stage compromises and being focused on minimizing the damage that an attacker can do with a compromised workstation. While you can’t prevent compromise, the goal is to create enough defensive posture to give your team time to detect, isolate and respond to the attack. You can read more about this approach in our 80/20 rule of Information Security.

A second idea is to use HoneyPoint decoy hosts on network segments where exposures and initial stage compromise risks are high. These decoy hosts should be dropped where they can be easily scanned and probed by infected hosts. VPN segments, user segments, DMZs and other high exposure areas are likely candidates for the decoy placement. The idea is that the systems are designed to receive the scans. They offer up services that are fake and implemented just for this purpose. The decoy systems have no other use and purpose than to detect scans and probes, making any interaction with them suspicious or malicious. Decoy services, called HoneyPoints, can also be implemented on the servers and other systems present in these network segments. Each deployed HoneyPoint Agent ups the odds of catching bots and other tools deployed by the attacker in the initial stage compromise.

Both of these strategies can be combined and leveraged for even more defense in depth against initial stage compromises. If you would like to learn more about how these tools and techniques can help, drop us a line or give us a call. We would be happy to discuss them with you.

In the meantime, take a look at how your team is prepared to fight initial stage compromises. What you find may be interesting, especially if your team’s security focus has been on the firewall and other perimeter controls.

Adobe Emergency Patch for 17 Holes

Posted on by
Reply

Just a quick heads up post that Adobe has just released an “emergency patch” for at least 17 holes in Reader and Acrobat. This is likely worth rushing into testing and ultimately production as PDF attacks have become all the rage lately. You can find more information about the patch here: http://www.theregister.co.uk/2010/06/29/adobe_emergency_patch/

HoneyPoint Decoy Host Pays Off

Posted on by
Reply

Just talked to a client who had dropped a HoneyPoint decoy host in their VPN termination segment a couple of weeks ago. Yesterday, it paid off.

They caught a machine that had passed the anti-virus and patching requirements of the NAC for the VPN. The machine was AV scanned clean. But, immediately upon connection the machine began to port probe hosts around it. This triggered the decoy machine’s HoneyPoints, causing the security team to investigate. The machine was brought in and examined. Closer inspection found it infected with a bot tool that escaped AV detection, but was capable of scanning for bad passwords and a couple of common vulns on surrounding machines. The machine is currently being imaged and rebuilt.

This is an excellent example of how HoneyPoint can help catch bots and malware, even when other controls fail. Defense is depth pays off and the leverage that HoneyPoint provides is often quite powerful, as in this case.

Have you thought about using decoy hosts? If so, how?

Join Us! June 24, 2-3 PM EST, Webinar: WordPress and Security

Posted on by
Reply

Note: This webinar is being rescheduled for July. Date and time to be announced.

This Thursday, June 24, at 2:00 PM – 3:00 PM EST, Phil Grimes, Security Analyst with MicroSolved, Inc., will be presenting a slideshow on DimDim. Join us to learn how to harden a WordPress site! Time will be left at the end for questions.

Send an email to register and we’ll send you the sign-in credentials.

See you there!

Review of darkjumper v5.7

Posted on by
2

In continuing our research and experimentation with PHP and the threat of Remote File Inclusion (RFI), our team has been seeking out and testing various tools that have been made available to help identify web sites that are vulnerable to RFI during our penetration tests. Because we’re constantly finding more tools to add to the list, we’ve started the evaluation this week with the release of darkjumper v5.7. This python tool prides itself on being cross platform, and at first glance, seems rather easy to use. After downloading the tarball and extracting the files, simply calling the script from the command line brings it to life.

Running again with the –help or -h switches will print the options to the menu. This tool has several helpful options that could help expedite the discovery of various attack vectors against the web site. The injection switch incorporates a full barrage of SQLi and blind SQLi attempts against every web site identified on the target server. We did not use this option for this evaluation but intend to thoroughly test it in the future.

Using the inclusion switch will test for both local file inclusion (LFI) and RFI, again on every website identified on the target. This is our main focus for the evaluation since we’ve seen an incredible number of RFI attacks in the recent HITME data from around the globe. Selection of the full switch will attack the target server with the previously mentioned checks, in addition to scanning cgi directories, user enumeration, port scanning, header snatching, and several other possibly useful options. While a full review of this tool will be written eventually, we’re focusing on the RFI capabilities this time, so we’re using this test only against our test target. The test appears quite comprehensive. Another seemingly useful function of this tool is its ability to discover virtual hosts the live on the target server. After a short wait, darkjumper works it’s magic and spits out several files with various information for us to review. After pouring through these files, our team was disappointed to realize that there were URLs that pointed to this server which seem to have been missed by the tools scans. Even more disappointing is the fact that of the 12 target sites identified by the tool, none were the target that we had suspected of being vulnerable to RFI.

File inclusion is a real threat in the wild today. We are seeing newly vulnerable and compromised hosts on a regular basis from the HITME data, and seeing that Apache ships with a default configuration that is vulnerable to these attacks and the fact that PHP is inherently insecure, makes the battle even more intense. It is absolutely critical in this environment that we are hardening our servers before bringing them online. Those of us developing our web applications are validating every bit of information that is submitted to us by our users! Allowing our servers to execute code from an unknown source is one of the most popular attack vectors today from SQL injection, to XSS and XSRF, to RFI. The Internet continues to be a digital equivalent to the wild, wild west, where outlaws abound. There is no guarantee that the users who interface with our sites are who they say they are or that they have the best of intentions. It is up to us to control how our applications and servers are handling this data.

How Cloud Computing Will Leak Into Your Enterprise

Posted on by
1

“Consumer use of the cloud”; in a phrase, is how the cloud will leak into your enterprise, whether you like it or not. Already, IT is struggling with how to manage the consumer use of devices and services in the enterprise. Skype/VoIP and WIFI were the warning shots, but the BlackBerry, iPhone, iPad and other consumer devices are the death nail for centralized IT (and IS) control.

Consumer electronics, backed by a wide array of free or low cost cloud services, are a new frontier for your organization. Services like MobileMe, DropBox, various file sharing tools and remote access services like GoToMyPC, et al. have arrived. Likely, they are in use in your environment today. Consumers use and leverage these services as a part of their increasingly de-centralized online life. Even with sites like Twitter and FaceBook growing in capability and attention, consumers grow their use, both personally and professionally of services “in the cloud”. Make no mistake, despite your controls at the corporate firewalls, consumers are using their mobile and pocket devices and a variety of these services. Unless you are searching them at the door and blocking cell phone use in your business, they are there.

This might not be “the cloud” that your server admins are worrying about. It might not represent all of the off-site system, database and other hosting tools they are focused on right now, but make no mistake, this consumer version of the cloud has all, if not more, of the same issues and concerns. Questions about your data is managed, secured and maintained all abound.

Given the “gadget posture” of most organizations and their user communities, this is not likely to be something that technical controls can adequately respond to. The consumer cloud services are too dynamic and widespread for black listing approaches to contain them. Plus, they obviously lack centralized choke points like in the old days of “network perimeter security”. The new solution, however, is familiar. Organizations must embrace policies and processes to cover these technologies and their issues. They also have to embrace education and awareness training around these topics with their user base. Those who think that denial and black listing can solve this problem are gravely mistaken. The backdoor cloud consumer movement into your organization is already present, strong and embedded. Teaching users to be focused on safe use of these services will hopefully reduce your risk, and theirs.