5 Ways My Medical Background Makes Me a Better Intelligence Analyst

Posted on December 22, 2014 by Brent Huston

When I first started for MicroSolved, Inc.(MSI), I wasn’t sure what to think, but now that I have been here for nearly three months I feel I am starting to get the hang of what it is to be an intelligence analyst. At least a little bit anyhow. Now mind you I am not your typical intelligence analyst, nor am I a new college graduate, but rather I am coming to MSI from the health care industry with over twenty years of work experience in that industry. This was a completely different mindset, with a whole host of new things for me to experience and learn. For me this was totally refreshing and exactly what I wanted and more importantly, needed! There are a few things that I have noticed in my short time here that could be considered pearls of wisdom rather than actual characteristics of a good employee that I feel make me a good intelligence analyst for MSI. Perhaps they are one and the same. At least that is my hope 😉

First, while I am not a seasoned IT professional like so many others that I work with, I am not naive to the fact that there are deadlines and expectations thrust upon all of us. This in my opinion is no different than in being in the hospital setting where people expect you to act quickly and in the best interests of your patient at all times. Couldn’t we say the same is true working for a company like MSI? In that it is the expectation to be professional, performing your best at all times, and the like? I would like to think that is what I strive for.

After thinking a bit longer perhaps it is that we share a tenacity for getting to the bottom of whatever mystery that we are looking at. Whether it is a series of questions that we may be asking our patients in an effort to try to figure out what ailment they be suffering from. This is not unlike when we are looking for a key bit of code for an algorithm to help us do our work more efficiently. Regardless, it is this mentality of never giving up! To keep fighting, keep looking, to keep trying. Just keep chipping away at it.

I think the next characteristic would have to be patience. Something that we all have often heard from our grandparents growing up as children. Something that in my mind and in my experience has played a provocative role in both my dealings with patients, their families and with challenging projects in the IT world. Now while as I previously stated in the above paragraph that tenacity plays a role, I also think having a measure of patience does too. There are times in the medical world where even the most experienced physician stands there for a moment and scratches his or her head and says “I don’t know”. Now to a patient that is the last thing that they want to here, but sometimes we truly have to “wait and see”. Sometimes grandma was right! There have been times while working on projects with MSI, where sitting back even if it’s just a few moments, allowed me to gain a better “bird’s eye view” of a given project and really helped me figure out what it was that I was looking for and ultimately aided the project.

Another area that I think gives me an edge would be that I am willing to go the extra mile and I am not afraid to work hard to attain my goals. It isn’t enough to just punch a clock or be mediocre! I have told this to my children, my patients and my friends. Never give up, always work your butt off for what you want in life! It may take time for what you want to come to fruition, but if you’re willing to put the time, energy and effort into it, then it will come! It takes sacrifice to get to your goals. Others will recognize your efforts and aid you in your path. That’s what I feel MSI has done and is continuing to do for me!

Lastly, laugh! I have not laughed so hard in any of my previous work experiences as compared to working for MSI these past few months. Don’t get me wrong there were plenty of wonderful times, but here at MSI it is a whole new animal! Yes, we work hard, but I think having a healthy sense of humor and a desire to see others laugh is what really sets MSI apart. If you are down, they help pick you up! So often we spend our work lives with people that aren’t our family for hours on end. Shouldn’t we have some fun while we work? If you are lucky enough you do. Then, by choice those people that aren’t your family start to become them and find a place in your heart. Then, your work doesn’t seem like work anymore.

Yes it’s true that I am new to the world of information technology as a career choice, but that doesn’t mean that I don’t have some very real life experiences to draw upon. Remember, it is a combination of work ethic, tenacity, patience, a sense of humor and ultimately a willingness to never give up. These are the things that will make you successful, not only in your career path, but in life as well. These are my little pearls of wisdom, just a few tidbits of information to help you get to where you want to be in life. Who knows it might even be right here at MSI.

This post by Preston Kershner.

Compliance-Based Infosec Vs Threat-Based Infosec

Posted on October 27, 2014 by Brent Huston

In the world of Information Security (infosec), there are two main philosophies: compliance-based infosec and threat-based infosec. Compliance-based infosec means meeting a set of written security standards designed to fulfill some goal such as the requirements of statute law or financial information privacy requirements. Threat-based infosec, on the other hand, means applying information security controls in reaction to (or anticipation of) threats that organizations currently (or soon will) face.

Compliance-based infosec is generally applied smoothly across the organization. In other words, all the security controls mandated in the security standard must be put in place by the organization, and the relative effectiveness of each control is largely ignored. In contrast, security controls are applied in a hierarchical manner in threat-based infosec. The most effective or greatly needed security controls are applied first according to the threats that are most likely to occur or that will cause the most damage to the organization if they do occur.

The difference is sort of like the defensive strategy of the Chinese versus that of the Normans in post-conquest England. The Chinese built very long walls that went from one end of their territory to the other. Their goal was to keep out all invaders everywhere. This is a grand idea, but takes a very large amount of resources to implement and maintain. In practice, it takes tons of men and infrastructure and the defensive capabilities at any one place are spread thin. The Normans in England, on the other hand, built strong castles with many layers of defense in strategic locations where the threats were greatest and where it was easiest to support neighboring castles. In practice, there are fewer defenses at any one point, but the places where defenses are implemented are very strong indeed. Both of these strategies have merit, and are really driven by the particular set of circumstances faced by the defender. But which is better for your organization? Let’s look at compliance-based infosec first.

Compliance-based infosec, when implemented correctly, is really the best kind of defense there is. The problem is, the only place I’ve ever seen it really done right is in the military. In military information security, failure to protect private information can lead to death and disaster. Because of this, no expense or inconvenience is spared when protecting this information. Everything is compartmentalized and access is strictly based on need to know. Every system and connection is monitored, and there are people watching your every move. There are rules and checklists for everything and failure to comply is severely punished. In addition, finding better ways to protect information are sought after, and those that come up with valuable ideas are generously rewarded.

This is not the way compliance-base infosec works in the private sector, or even in non-military government agencies. First, statute law is tremendously vague when discussing implementing information security. Laws make broad statements such as “personal health information will be protected from unauthorized access or modification”. Fine. So a group of people get together and write up a body of regulations to further spell out the requirements organizations need to meet to comply with the law. Unfortunately, you are still dealing with pretty broad brush strokes here. To try to get a handle on things, agencies and auditors rely on information security standards and guidelines such as are documented in NIST or ISO. From these, baseline standards and requirements are set down. The problems here are many. First, baseline standards are minimums. They are not saying “it’s best if you do this”, they are saying “you will at least do this”. However, typical organizations, (which generally have very limited infosec budgets), take these baseline standards as goals to be strived for, not starting points. They very rarely meet baseline standards, let alone exceed them. Also, NIST and ISO standards are not very timely. The standards are only updated occasionally, and they are not very useful for countering new and rapidly developing threats. So, unless your organization is really serious about information security and has the money and manpower to make it work, I would say compliance-based infosec is not for you. I know that many organizations (such as health care and financial institutions) are required to meet baseline standards, but remember what happened to Target last year. They were found to be compliant with the PCI DSS, but still had tens of millions of financial records compromised.

Now let’s look at threat-based infosec. To implement a threat-based information security program, the organization first looks at the information assets they need to protect, the threats and vulnerabilities that menace them and the consequences that will ensue if those information assets are actually compromised (basic asset inventory and risk assessment). They then prioritize the risks they face and decide how to implement security controls in the most effective and efficient way to counter those particular risks. That might mean implementing strong egress filtering and log monitoring as opposed to buying the fanciest firewall. Or it might mean doing something simple like ensuring that system admins use separate access credentials for simple network access and administrative access to the system. Whatever controls are applied, they are chosen to solve particular problems, not to meet some broad baseline that is designed to meet generally defined problems. Also, threat-based infosec programs are much better at anticipating and preparing for emerging threats, since reassessments of the security program are made whenever there are significant changes in the system or threat picture.

These are the reasons that I think most of us in non-military organizations should go with threat-based infosec programs. Even those organizations that must meet regulatory requirements can ensure that they are spending the bulk of their infosec money and effort on the effective controls, and are minimizing efforts spent on those controls that don’t directly counter real-world threats. After all, the laws and regulations themselves are pretty vague. What counts in the long run is real information security, not blind compliance with inadequate and antiquated baselines.

Thanks to John Davis for this post.

Tor Video from Derbycon 4 Available

Posted on October 23, 2014 by Brent Huston

Thanks to Iron Geek and the Derbycon staff for making my presentation from this year available.

The talk covered discussions about Tor Hidden Nodes and how crime works inside of the Tor network. Check the talk out here.

There is a lot of good stuff here, and they turned people away from the talk because we over-filled the room. Now, you can actually sit comfortably and watch it. 🙂

Message me on Twitter (@lbhuston) if you want to discuss. Thanks for reading and for watching!

Shellshock: Got Inventory?

Posted on October 1, 2014 by Brent Huston

I’m sure you’ve all heard of Shellshock by now? If not, it’s a security flaw in Bash that allows attackers to take control of systems. Bash is really an acronym/pun meaning “Bourne-again shell” that was written as a free software replacement for the Bourne shell that preceded it. It is a UNIX shell that acts as a command processor and also reads commands from scripts. The problem is that Bash is present in all kinds of things including Web servers and operating systems. This is a very serious flaw! Worse than any other code vulnerability I can name off hand. There are several serious exploits already extant in the wild. Hundreds of millions of devices and credit cards are at immediate risk of compromise across the globe. Institutions are strongly recommending that people not use their credit cards to make Internet purchases for at least the next several days. Imagine the loss in revenue and buyer confidence this is going to cause! Productivity may well go down and prices may well go up as a consequence of this flaw.

Luckily there are good patches already available to combat this glitch, and I’m sure additional fixes and tweaks are in the offing. But to have any level of safety you need to patch everything on your network that is vulnerable, and you need to do it quickly. Do you know exactly what devices are a part of your network and exactly what operating systems, software and firmware versions are installed on them? Specifically, do you know where Bash is running? If you don’t, you may install patches furiously over the next few days and still end up being vulnerable without knowing it. Can you in all good conscience assure your Web customers that their transactions and private information are safe?

Shellshock may have one hidden benefit though; it may be the cold dose of reality that causes organizations to finally get serious about information security and adopt best practices security recommendations, especially where inventories of devices and software are concerned. There is a reason why guidance such as the MSI 80/20 Rule of Information Security and the Top 20 Critical Controls for Effective Cyber-Security list making inventories their number one information security project. If you don’t know what you have, how can you possibly secure it?!

Right now, if you are among the prescient few who do keep complete dynamic inventories, ensure that input to all available software fields is validated and have configured each device on your network with a unique admin password, you are sitting pretty! You have the knowledge and time necessary to deal with this problem, and will probably earn kudos and market share from you customers. Isn’t that kind of assurance worth spending some time and money on America?

This blog post contributed by John Davis.

Patch for ShellShock ASAP!

Posted on September 30, 2014 by Brent Huston

If you haven’t paid attention to the Bash Shellshock vulnerability – NOW IS THE TIME!

Source IPs for probes looking for the vulnerability are growing slowly in number and scope of scans. (As of 9/30/14, 10am Eastern).

There are many vulnerable devices and systems available to exploit and a variety of exploitation vectors exist – including web CGIs, DHCP clients, OpenVPN, SSH, etc. It is highly likely that a wide variety of embedded systems are also vulnerable that meet these capabilities. So far, we have seen attack traffic in the HITME coming from a few SOHO routers and a couple of other embedded network devices. Items like printers, some routers & managed switches, home gadgets, cameras, etc. are likely targets as well.

In the industrial control world, there are a variety of embedded devices leveraging Linux at the core, and many with exposed CGI mechanisms for remote management and monitoring. These need to be inspected as well, as they may also prove vulnerable and potentially exploitable via one or more vectors. Patching may require firmware upgrades in some cases. Contact the vendor for more information.

But, no matter what systems you use and manage, NOW IS THE TIME. Pay attention to this issue and get moving on patching, adding compensating controls and rolling forward with enhanced detection mechanisms. GET BUSY!

As always, if we can assist, feel free to give us a call or drop us a line. We have HoneyPoint emulations for HPSS clients that can help identify sources of traffic and we have assessment signatures for up to the moment known attack vectors. Let us know if we can help!

Thanks for reading, and stay safe out there!

UPDATE: Good news on Shellshock for embedded devices: If it runs BusyBox, it’s likely NOT vulnerable.

Are You Using STIX?

Posted on August 8, 2014 by Brent Huston

In the last several weeks, we have been working on a new iteration of our threat intelligence offering for some of our clients. In many of the cases, we expected to hear that folks have embraced the STIX project from MITRE as the basis for sharing such data.

Sadly, however, many customers don’t seem to be aware of the STIX project. As such, can you please take a moment and review it, via the link and then let us know via email, Twitter of comments if you or your chosen security products currently support it?

Thanks for your help and insight! As always, we appreciate the feedback.

Email: info <at> microsolved [dot] com

Twitter: @microsolved or @lbhuston

Thanks again!

Crypto Locker Down, but NOT Out

Posted on July 21, 2014 by Brent Huston

So, the US govt and law enforcement claim to have managed the disruption of crypto locker. And officials are either touting it as a total victory or a more realistic slowdown of the criminals leveraging the malware and bot-nets.

Even as the govt was touting their takedown, threat intelligence companies around the world (including MSI), were already noticing that the attackers were mutating, adapting and re-building a new platform to continue their attacks. The attackers involved aren’t likely to stay down for long, especially given how lucrative the crypto locker malware has been. Many estimates exist for the number of infections, and the amount of payments received, but most of them are, in a word, staggering. With that much money on the line, you can expect a return of the nastiness and you can expect it rather quickly.

Takedowns are effective for short term management of specific threats, and they make great PR, but they do little, in most cases, to actually turn the tide. The criminals, who often escape prosecution or real penalties, usually just re-focus and rebuild.

This is just another reminder that even older malware remains a profit center. Mutations, variants and enhancements can turn old problems like Zeus, back into new problems. Expect that with crypto locker and its ilk. This is not a problem that is likely to go away soon and not a problem that a simple takedown can solve.

ATM Attacks are WEIRD

Posted on July 15, 2014 by Brent Huston

So this week, while doing some TigerTrax research for a client, I ran into something that was “new to me”, but apparently is old hat for the folks focused on ATM security. The attacks against ATMs run from the comical, like when would-be thieves leave behind cell phones, license plates or get knocked out by their own sledge hammers during their capers to the extremely violent – attacks with explosives, firearms and dangerous chemicals. But, this week, my attention caught on an attack called “Plofkraak”.

In this attack, which is apparently spreading around the world from its birth in Eastern Europe, an ATM is injected with high levels of flammable gas. The attackers basically tape up all of the areas where the gas could easily leak out, and then fill the empty spaces inside the ATM with a common flammable gas. Once the injection is completed, the gas is fired by the attacker, causing an explosion that emanates from INSIDE the ATM.

The force of the explosion tears the ATM apart, and if the attackers are lucky, cracks open the safe that holds the money, allowing them to make off with the cash and deposits. Not all attackers are lucky though, and some get injured in the blast, fail to open the safe and even torch the money they were seeking. However, the attack is cheap, fast, and if the ATM doesn’t have adequate safeguards, effective.

The collateral damage from an attack of this type can be pretty dangerous. Fires, other explosions and structural damages have been linked to the attack. Here is an example of what one instance looked like upon discovery.

Some ATM vendors have developed counter measures for the attack, including gas sensors/neutralizing chemical systems, additional controls to prevent injection into the core of the machine, hardening techniques for the safe against explosions and other tricks of the trade. However, given the age of ATM machines in the field and their widespread international deployment, it is obvious that a number of vulnerable systems are likely to be available for the criminals to exploit.

While this is a weird and interesting technique, it did give me some reminders about just how creative and ambitious criminals can be. Even extending that into Information Security, it never ceases to amaze me how creative people will get to steal. Spend some time today thinking about that. What areas of your organization might be vulnerable to novel attacks? Where are the areas that a single failure of a security control could cause immense harm? Make a note of those, and include them in your next risk assessment, pen-test or threat modeling exercise.

Don’t forget, that just like the inventors of Plofkraa”, attackers around the world are working on the odd, novel and unexpected attack vector. Vigilance is a necessary skill, and one we need more of, in infosec. As always, thanks for reading, and stay safe out there!

Spend Your First Hour Back the Right Way – Go Malware Hunting!

Posted on July 4, 2014 by Brent Huston

So, you’ve been out of the office for a quick holiday break or vacation. Now you face a mountain of emails and whole ton of back-logged tasks. Trust me, put them aside for one hour.

Instead of smashing through emails and working trouble tickets, spend an hour and take a look around your environment – go hunting – target malware, bots and backdoors. At a macro level, not a micro level. Were there an abnormal number of trouble tickets, outbound connections, AV alerts, IDS and log entries while you were gone? What does egress look like during that period? Were there any abnormal net flows, DNS anomalies or network issues that would indicate scans, probes or tampering on a larger scale?

Spend an hour and look for high level issues before you dig into the micro. Read some logs. See what might be getting lost in your return to work overwhelm. It is not all that uncommon for attackers to use holidays and vacations as windows of opportunity to do their nasty business.

Don’t fall victim to the expected overwhelm. Instead, use it as a lens to look for items or areas that correlate to deeper concerns. You might just find that hour invested to be the one that makes (or breaks) your career in infosec.

Good luck and happy hunting!

PS – Thanks to Lee C. for the quick edits on 7/4/14.

SoS Video Post Number 1: TigerTrax M&A & Threat Intel

Posted on May 28, 2014 by Brent Huston

Today, we started trying to record our first attempt at a video blog post. Check it out and let us know what you think.

You can download it from here.

As always, thanks for reading, listening or watching… Stay safe out there!

You can give us feedback, jeers or encouragement on Twitter (@lbhuston or @microsolved).

MSI :: State of Security

Insight from the Information Security Experts

Category Archives: Threat Intelligence