Category Archives: Opinion

Thanks for Another Great ICS/SCADA Security Symposium

Posted on by
Reply

 

J0289528

Thanks to all who helped make the ICS/SCADA Security Symposium fantastic again this year. Great conversations, excellent content and such friendly discussions among peers and concerned parties. 

Next year, we plan to open the event to attendees from throughout the midwest and hope to get even more participation from manufacturing and those who support critical infrastructures. 

Thanks again for all of the hard work that Connie, Chris and the rest of the organizers did to make the event possible. Most of all, thank you for attending, participating and trusting us (and each other) to create such an amazing process of open dialogue. You are all heroes in my book!

Thanks to NEOISF & Ohio State Office of the CIO

Posted on by
2

J0289893

Last week we had a great time in Cleveland speaking at the North East Ohio Information Security Summit. Thanks to the folks who came out to hear us speak and to the great staff of NEOISF for making the event such an amazing thing for all who attend. We look forward to next year!

Thanks, as well, to the Ohio State University office of the CIO. We were pleased to participate in the Information Security Day sponsored by the university and Battelle. Thanks to all who attended that event with the threat of Hurricane Sandy looming large. It was a fantastic interaction with some of the next generation of infosec folks and some of the awesome members of the CMH InfoSec community. Thanks for having us participate and especially for asking us to keynote. 

The slide decks for both of these talks are available by request. If you would like to have a copy or set up a time to discuss them, have them presented to your team or engage with us about the content either drop us a line in the comments, reach out on Twitter (@lbhuston) or give your account executive a call at (614) 351-1237 ext 215.

Some pictures from the events are available here:

2012 10oct 25 dsc 0065 smaller

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

NEO Summit – Picture courtesy of Greg Feezel (Thanks Greg!!!)

Ohio State Information Security Day

Ask The Experts: Advice to New InfoSec Folks

Posted on by
Reply

This time our question came from a follow up on our last advice article to new infosec folks (here). Readers might also want to roll back the clock and check out our historic post “So You Wanna Be in InfoSec” from a few years ago. 

Question: “I really want to know what advice the Experts would give to someone looking to get into the information security business. What should they do to get up to speed and what should they do to participate in the infosec community?”

Adam Hostetler replied:

To get up to speed, I think you should start with a good foundation of knowledge. Already working in IT will help, you should then already have a good idea of networking knowledge, protocols, and architecture, as well as good OS administrative skills. Having this knowledge already helped me a lot at the beginning. Then I would move into the infosec world, read and listen to everything you can related to infosec.  There’s much much more security related knowledge online than ever before, so use it to your advantage. You also now have the opportunity to take info sec programs in colleges, which weren’t really available 10 years ago. Social Networking is very important too, and how you would likely land a job in infosec. Go to events, conferences or local infosec meetings. Some of the local infosec meetings here in Columbus are ISSA, OWASP, and Security MBA. Find some in your area, and attend something like Security B-Sides, if you can. Get to know people at these places, let them know you’re interested, and you might just end up with your dream job.

John Davis chimed in:

If you want to get into the risk management side of the information security business, first and above all I recommend that you read, read, read! Read the NIST 800 series,  ISO 27001 & 27002, the PCI DSS, CobiT, the CAG, information security books, magazine articles, and anything else you can find about information security. Risk assessment, ERM, business continuity planning, incident response and other risk management functions are the milieu of the generalist; the broader your knowledge base, the more effective you are going to be. To participate in the infosec community, there are several things you can do. Probably the best and quickest way to get started is to attend (and participate in) meetings of information security professional organizations such as ISSA, ISACA and OWASP. Talk to the attendees, ask questions, see if they know of any entry level positions or internships you might be able to get into. There are also infosec webinars, summits and conferences that you can participate in. Once you get your foot in the door someplace, stick with it! It takes time to get ahead in this business. For example, you need four years of professional infosec experience or three years experience and a pertinent college degree before you can even test for your CISSP certification.

As always, thanks for reading! Drop us line in the comments or tweet us (@lbhuston or @microsolved) with other questions for the Security Experts.

Oracle CSO Online Interview

Posted on by
1

My interview with CSO Online became available over the weekend. It discusses vendor trust and information security implications of the issues with password security in the Oracle database. You can read more about it here. Thanks to CSO Online for thinking of us and including us in the article.

Three Ways to Engage with the InfoSec Community

Posted on by
7

J0289893

Folks who are just coming into infosec often ask me for a few ways to engage with the infosec community and begin to build relationships. Here a few quick words of advice that I give them for making that happen.

1) Join Twitter and engage with people who are also interested in infosec. Talk directly to researchers, security visionaries and leadership. Engage with them personally and professionally to build relationships. Add value to the discussions by researching topics or presenting material that you are familiar with.

2) Join an open source software project. Even if you aren’t a coder, join the project and help with testing, documentation or reviews of some kind. Open source projects (they don’t have to be security projects) can benefit from the help, an extra set of eyes and the energy of new folks contributing to their work. You’ll learn new stuff and build great relationships in the development and likely infosec communities along the way. 

3) The way that most folks go about it works as well. Go to events. Network. Meet infosec people and engage them in discussions about technical and non-technical subjects. Groups like ISSA, ISACA, ISC2, OWASP and other regional security events are good places to meet people, learn stuff and develop relationships with folks working on hard problems. Cons can be good for this too, but often have less chances for building rapport due to the inherent sensory overload of most con environments. Cons are a good place to grow relationships, but may not be the best events for starting them.

That’s my advice. All 3 items are hard work. They offer a chance for you to learn and engage. BUT, you have to work to earn respect and rapport in this community. You have to contribute. You must add value. 

As always, thanks for reading and until next time, stay safe out there! 

Ask The Experts: Online Banking

Posted on by
2

This time we asked the experts one of the most common questions we get when we are out speaking at consumer events:

Q: Hey Security Experts, do you do your banking online? If so, what do you do to make it safe for your family? If not, why not?

John Davis explained:

I’ve been banking online for many years now and have always loved the convenience and ability it gives you to monitor your accounts anywhere and any time. There are a few simple things I do to keep myself secure. I do all the usual stuff like keeping a well configured fire wall and anti-virus software package always running. I also ensure that my wireless network is as secure as possible. I make sure the signal is tuned so as to not leak much from the house, I use a long and strong password and ensure I’m using the strongest encryption protocol available. I also monitor my accounts often and take advantage of my banks free identity theft service. One final tip; instead of using your actual name as your login, why not use something different that is hard to guess and doesn’t reveal anything about your identity? It always pays to make it as tough on the cyber-criminals as possible!

Phil Grimes chimed in with:

I do almost all my banking online. This, however, can be a scary task to undertake and should always be done with caution on the forefront! In order to bank safely on line, the first thing I do is to have one machine that was built in my house for strictly that purpose. My wife doesn’t play facebook games on it. My kids don’t even touch it or know it exists. This machine comes online only to get updated and to handle the “sensitive” family business functions like bill payment or banking.  The next thing I’ve done to protect this surface was to use a strong password. I used a password generator and created a super long password with every combination of alpha, numeric, and special characters included to reduce the risk of a successful brute force attack. This password is set to expire every 30 days and I change it religiously! Then finally, using Firefox, I install the NoScript plugin to help defend against client side attacks.

Adam Hostetler added:

Yes, I do my banking online. I also pay all of my bills online and shop online. I think the biggest thing that you can do for safety is just to be aware of things like phishing emails, and other methods that fraudsters use to try to compromise your credentials. I also always use dual factor authentication when possible, or out of band authentication, most banks and credit unions support one of these methods these days. Checking all of my accounts for suspicious activity is also a regular occurrence. 

There are also the malware threats. These are mostly mitigated by having up to date software (all software, not just the OS), up to date anti-virus software, and treating social networking sites like a dark alley. Be wary of clicking on any links on social networks, especially ones that are apps that claim they will do something fun for you. Social networks are probably the largest growing vector of malware currently, and a lot of times people install it willingly!

If you’re really paranoid, just have a dedicated PC or virtual machine for online banking.

Got a question for the Experts? Send it to us in the comments, or drop us a line on Twitter (@microsolved or @lbhuston). Thanks for reading! 

Quick & Dirty Plan for Critical Infrastructure Security Improvement

Posted on by
5

J0202190

I was recently engaged with some critical infrastructure experts on Twitter. We were discussing a quick and dirty set of basic tasks that could be used an approach methodology for helping better secure the power grid and other utilities.

There was a significant discussion and many views were exchanged. A lot of good points were made over the course of the next day or so.

Later, I was asked by a couple of folks in the power industry to share my top 10 list in a more concise and easy to use manner. So, per their request, here it is:

@LBHuston’s Top 10 Project List to Help Increase Critical Infrastructure “Cyber” Security

1. Identify the assets that critical infrastructure organizations have in play and map them for architecture, data flow and attack surfaces

2. Undertake an initiative to eliminate “low hanging fruit” vulnerabilities in these assets (fix out of date software/firmware, default configurations, default credentials, turn on crypto if available, etc.)

3. Identify attack surfaces that require more than basic hardening to minimize or mitigate vulnerabilities

4. Undertake a deeper hardening initiative against these surfaces where feasible

5. Catalog the surfaces that can’t be hardened effectively and perform fail state analysis and threat modeling for those surfaces

6. Implement detective controls to identify fail state conditions and threat actor campaigns against those surfaces

7. Train an incident investigation and response team to act when anomalous behaviors are detected

8. Socialize the changes in your organization and into the industry (including regulators)

9. Implement an ongoing lessons learned feedback loop that includes peer and regulator knowledge sharing

10. Improve entire process organically through iteration

The outcome would be a significant organic improvement of the safety, security and trust of our critical infrastructures. I know some of the steps are hard. I know some of them are expensive. I know we need to work on them, and we better do it SOON. You know all of that too. The question is – when will WE (as in society) demand that it be done? That’s the 7 billion people question, isn’t it?

Got additional items? Wanna discuss some of the projects? Drop me a line in the comments, give me a call at (614) 351-1237 or tweet with me (@lbhuston). Thanks for reading and until next time, stay safe out there!

PS – Special thanks to @chrisjager for supporting me in the discussion and for helping me get to a coherent top 10 list. Follow him on Twitter, because he rocks!

Disagreement on Password Vault Software Findings

Posted on by
1

Recently, some researchers have been working on comparing password vault software products and have justifiably found some issues. However, many of the vendors are quickly moving to remediate the identified issues, many of which were simply improper use of proprietary cryptography schemes.

I agree that proprietary crypto is a bad thing, but I find fault with articles such as this one where the researchers suggest that using the built in iOS functions are safer than using a password vault tool.

Regardless of OS, platform or device, I fail to see how depending on simple OS embedded tools versus OS embedded tools, plus the additional layers of whatever mechanisms a password vault adds, reduces risk to the user. It would seem that the additional layers of control (regardless of their specific vulnerability to nuanced attacks against each control surface), would still add overall security for the user and complexity for the attacker to manage in a compromise.
 
I would love to see a model on this scenario where the additional controls reduce the overall security of the data. I could be wrong (it happens), but in the models I have run, they all point to the idea that even a flawed password vault wrapped in the OS controls are stronger and safer than the bare OS controls alone.
 
In the meantime, while the vendors work on patching their password vaults and embracing common crypto mechanisms, I’ll continue to use my password vault as is, wrapped in the additional layers of OS controls and added detection mechanisms my systems enjoy. I would suggest you and your organization’s users continue to do the same.

How to Avoid Falling For Social Engineering Attacks

Posted on by
5

I am one of the “end-users” in our organization. I’m not a tech, but over the years have had my eyes opened regarding information security and ways I can safeguard my own private data. My favorite tool is a password vault, which helps tremendously as I belong to dozens of sites. Quite frankly, I can’t remember what I had for dinner yesterday much less recall all the different passwords needed to access all those sites. So a password vault is incredibly helpful.

But what really fascinated me was the discovery of social engineering. Social engineering is when someone uses deceptive methods in order to get you to release confidential information. Sometimes it’s almost obvious, sometimes it’s sneaky. But on most occasions, people don’t realize what’s happening until it’s too late.

I’ll give an example: One time I received several phone messages from my credit union. I was told there was an issue and to return the call. I called my credit union to discover that (surprise, surprise), there was no “issue” and they never called me. So when this shady outfit called me two days later, I was home and answered the phone. After the woman went through some type of script (needing my account number, natch), I blew up.

“For your information, I contacted my credit union and there IS no issue and no need to speak to me. How in the world do you sleep at night, deliberately trying to get people to give you confidential information so you can steal from them? You’ve got a helluva lotta nerve to keep calling!”  The woman was silent. I slammed the phone down. I never heard from them again.

The point of this colorful little story is that thieves and hackers are everywhere. With our information becoming more digitalized, we need to be on guard more than ever before and use the most powerful weapon we’ve got.

QUESTION EVERYTHING.

And follow some of these tips:

  1. If you receive an email from PayPal or a credit card company and they want to “verify” your account, check the URL. If a letter of the company’s name is off or it looks totally different, do NOT click on it. (You can see the URL usually by hovering your mouse over the link.)
  2. Never  click on a link in an email to a financial institution. If you are a member of this institution, call their customer service number. Have them check your account to see if indeed there was a need to contact you.
  3. Always check the identity of anyone who is calling you on the phone to ask for confidential information. Say you’re about to run out the door and get their name and phone number. Then call the organization they represent to verify that this person is legit.
  4. Check to make sure a site is secure before passing on confidential information. Usually this information is either available under a “Privacy” link or an icon (like a lock) is visible in the address bar.
  5. At your workplace, use the same approach. Be friendly, but wary in a good way. If you have a courier who needs to give their package directly to the recipient, casually ask a co-worker if they could accompany the courier to their destination and then ensure they leave promptly afterward. Use this method for any strangers who are visiting your organization such as repairmen, copier salespeople, or phone technicians.

Speaking of copiers, beware of “boiler-room” phone calls. These are attempts to gather information about your copier (i.e., serial number, make and model of copier) so the unscrupulous company can ship expensive supplies to a company and then bill you, as though it was a purchase initiated by your company. These types are scumballs in my book. After I learned what they did, I’d have a bit of fun with them before hanging up. Now I don’t have the patience for it. I just hang up.

You have to be sharper than ever to see through a social engineering attack. The challenge is to retain that sharpness while in the midst of multiple tasks. Most of the time, the attacker will take advantage of a busy receptionist, a chaotic office, or a tired staff when they try their dastardly deed. (Ever notice you hardly get these attempts early in the morning, when you’re awake and alert? And how many happen close to quitting time on a Friday?)

Just a few thoughts to keep you sane and safe. Confound the social engineering attacks so you won’t be the one confounded! Good luck!

Audio Blog with Brent Huston: SpeakerConf 2011 and Developer Awareness

Posted on by
Reply

I recently attended SpeakerConf 2011, which was a fantastic tech conference for developers. We had some great sessions, and I was able to connect more with developers. In this audio blog post, I cover:

    1) Observations from SpeakerConf

    2) What language developers are loving right now

    3) New attack processes

    4) Moving into the next phase of security

This and more. Check it out!

Click to access the entire audio file: DevAwarenessSpeakerCon