How Honeypots Can Help You

A honeypot is a trap set to detect or deflect attempts at unauthorized use of information systems. Generally it consists of a computer, data or a network site that appears to be part of a network but which is actually isolated and protected, and which seems to contain information that would be of value to attackers.

It is important to note that honeypots are not a solution in themselves. They are a tool. How much they can help you depends upon what you are trying to achieve.

There are two different types of honeypots: production and research. Production honeypots are typically used by companies and corporations. They’re easy to use and capture only limited information.

Research honeypots are more complex. They capture extensive information and are used primarily by research, military, or government organizations.

The purpose of a production honeypot is to mitigate risk to an organization. It’s part of the larger security strategy to detect threats. The purpose of a research honeypot is to collect data on the blackhat community. They are used to gather the general threats against an organization, enabling the organization to strategize their response and protect their data.

The value of honeypots lies in their simplicity. It’s technology that is intended to be compromised. There is little or no production traffic going to or from the device. This means that any time a connection is sent to the honeypot, it is most likely to be a probe, scan, or even attack. Any time a connection is initiated from the honeypot, this most likely means the honeypot was compromised. As we say about our HoneyPoint Security Server, any traffic going to or from the honeypot is, by definition, suspicious at best, malicious at worst. Now, this is not always the case. Mistakes do happen, such as an incorrect DNS entry or someone from accounting inputting the wrong IP address. But in general, most honeypot traffic represents unauthorized activity.

What are the advantages to using honeypots?

  1. Honeypots collect very little data. What they do collect is normally of high value. This eliminates the noise, making it much easier to collect and archive data. One of the greatest problems in security is sifting through gigabytes of useless data to find something meaningful. Honeypots can give users the exact information they need in a quick and easy to understand format.
  2. Many security tools can drown in bandwidth usage or activity. NIDs (Network Intrusion Detection devices) may not be able to handle network activity, and important data can fall through the cracks. Centralized log servers may not be able to collect all the system logs, potentially dropping logs. The beauty of honeypots is that they only capture that which comes to them.
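The traffic rule described above (anything sent to the honeypot is a probe or scan, anything initiated from it suggests compromise, and the occasional internal hit may be a mistake) can be applied to flow records as in this added example, which is not HoneyPoint code. The addresses, the `src dst dport` record format and the verdict labels are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed addresses for illustration only.
HONEYPOTS = {ipaddress.ip_address("10.0.5.50")}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed flow records, one per line: "src dst dport"
SAMPLE_FLOWS = """\
203.0.113.7 10.0.5.50 22
203.0.113.7 10.0.5.50 23
203.0.113.7 10.0.5.50 445
10.0.9.14 10.0.5.50 80
10.0.5.50 198.51.100.9 6667
10.0.9.20 10.0.9.21 443
"""

def triage(flow_text):
    """Return {address: verdict} for every flow that touches a honeypot."""
    inbound = defaultdict(set)   # source -> honeypot ports it touched
    outbound = set()             # honeypots that initiated a connection
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records
        src = ipaddress.ip_address(parts[0])
        dst = ipaddress.ip_address(parts[1])
        if src in HONEYPOTS:
            outbound.add(src)
        elif dst in HONEYPOTS:
            inbound[src].add(int(parts[2]))
        # Flows that touch no honeypot are production traffic and are ignored.

    verdicts = {}
    for hp in outbound:
        # A honeypot has no reason to start a connection on its own.
        verdicts[str(hp)] = "compromise-suspected"
    for src, ports in inbound.items():
        if len(ports) > 1:
            verdicts[str(src)] = "scan"
        elif src in INTERNAL:
            # One internal hit may be a bad DNS entry or a mistyped address.
            verdicts[str(src)] = "verify-misconfiguration"
        else:
            verdicts[str(src)] = "probe"
    return verdicts

if __name__ == "__main__":
    for address, verdict in triage(SAMPLE_FLOWS).items():
        print(address, verdict)
```
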

Many of our clients swear by our HoneyPoint family of products to help save resources. With its advantages, it’s easy to see why! Leveraging the power of honeypots is an excellent way to safeguard your data.

Beware: Fraudulent W-2 Emails Ahead

Tax season is upon us and spammers are taking full advantage of the situation. Reports of fraudulent emails that appear to come from the IRS are popping up. The email states that all employers need to complete the attached W-2 update form. Unfortunately, the attachment contains a remote administration tool that allows the attacker to execute commands on the system.

The malicious file is named W2-Form and has various file extensions including .rtf, .pdf, and .doc.

While this attack targets employers, I suspect that the next wave will target employees. Possible scenarios include malicious attachments as described above and directing employees to fake corporate websites.
Employers should notify their employees of how W-2 information will be delivered and warn them of possible fraudulent emails. For more information on reporting these types of malicious emails, visit:

http://www.irs.gov/privacy/article/0,,id=179820,00.html

Mobile Directory scanning efforts

The HITME has been abuzz with alerts from around the globe of scans attempting to find various mobile directories on HoneyPoint hosts. Here is a list of targets that are being checked for:

/iphone
/m
/mobi
/mobile

While no scanner signatures or identifiers are being sent with the probes, the recent surge of interest in these directories is still cause for concern. Web admins should check their servers for these signatures. You can do so using our BrainWebScan tool if you would like (FREE). You can copy and paste the signatures from this page into the brain file and scan your environments for these targets.
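A complementary check on your own servers is to look for these probes in the web access logs. The following is an added example, not part of BrainWebScan or HoneyPoint; it assumes Common/Combined Log Format, and the sample log lines and the `min_distinct` threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# The four directories listed above.
TARGETS = {"/iphone", "/m", "/mobi", "/mobile"}

# Client, method, request target and status from a Common Log Format line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample log lines.
SAMPLE_LOG = """\
198.51.100.23 - - [04/Jan/2010:10:01:02 -0500] "GET /iphone HTTP/1.1" 404 209
198.51.100.23 - - [04/Jan/2010:10:01:02 -0500] "GET /m/ HTTP/1.1" 404 209
198.51.100.23 - - [04/Jan/2010:10:01:03 -0500] "GET /mobi HTTP/1.1" 404 209
198.51.100.23 - - [04/Jan/2010:10:01:03 -0500] "GET /Mobile?x=1 HTTP/1.1" 200 5120
203.0.113.40 - - [04/Jan/2010:10:05:00 -0500] "GET /mobile/index.html HTTP/1.1" 200 5120
203.0.113.40 - - [04/Jan/2010:10:05:09 -0500] "GET /media/logo.png HTTP/1.1" 200 900
"""

def normalize(target):
    """Reduce a request target to its first path segment, lowercased,
    so /m/ and /Mobile?x=1 match while /media does not match /m."""
    path = urlsplit(target).path.lower()
    return "/" + path.strip("/").split("/", 1)[0]

def find_probes(log_text, min_distinct=3):
    """Map source IP -> {directory: last status} for sources that requested
    at least min_distinct of the listed directories."""
    hits = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line we can parse
        ip, _method, target, status = m.groups()
        directory = normalize(target)
        if directory in TARGETS:
            hits[ip][directory] = int(status)
    # A single visit to /mobile is normal browsing; sweeping several is not.
    return {ip: seen for ip, seen in hits.items() if len(seen) >= min_distinct}

if __name__ == "__main__":
    for ip, seen in find_probes(SAMPLE_LOG).items():
        print(ip, sorted(seen.items()))
```

A 200 status in the result marks a directory that actually exists on the server and was reached by the sweep, which is the one to review first.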

Why Web-Application Security is Important

After the discussion about my last post and my omission of appsec, I wanted to make up for it not being in the list. Certainly, application security is important and as pointed out, I should have added it to the list of primary concerns for organizations.

By now, I hope everyone understands that attacks like SQL injection, cross-site scripting and the rest of the OWASP top 10 can have devastating effects. Often, when these vulnerabilities come into play, data loss soon follows. Sometimes, the attacker is able to gain direct access to the data targets they are seeking. For example, if SQL injection grants them access to a database that contains credit card information or identity data, then the initial compromise may be all that the attacker needs to obtain their goal.

But, even when the initial compromise does not directly yield them the data they seek, the initial SQL injection compromise often allows them access to and/or control over other systems and components. They then use a variety of technologies and techniques (from keylogging to sniffing and from pivot attacks to trojans) to leverage the initial problem into the compromise of the data they seek. In many cases, the attackers prove themselves to be both creative and patient as they slowly crawl towards their goals.

Even if your site does not have the targets they want, the SQL injection can be quite damaging for your organization. Not only do you have the compromise itself, but quite often, the application or web server with the vulnerability is manipulated to propagate malware that infects the visitors to your site, turning their machines into victims as well. As a client recently told me, “You don’t want to have to explain to upper management why your web site is responsible for infecting your customer’s computers with a virus. It is not really good for your career.”

These are just a few of the reasons that your organization should take web application security seriously. If you have some more you would like to share, please leave a comment below.

New Year, Old Threats

Welcome to 2010. A new decade, for sure, but one likely to contain many of the traditional security problems that we have grown used to.

How would I rate the top three things you should be paying attention to as we begin the new year? Glad you asked. 🙂

1. Malware – malware is the current serious scourge of infosec. It is becoming increasingly clear that prevention is a losing battle. Detection is often not even up to par, so personally, I would be thinking about response. How can we leverage egress filtering, data leak protection and other controls in depth to limit the amount of damage that an infected machine can do? Can we perform alternative forms of detection, like HoneyPoints and HoneyBees to identify when things are “not quite right” in our environment? These approaches have a proven track record for helping. Check out the SANS CAG for more tips down this line of thinking.

2. Partner network connections – Are you sure they are secure? Do you treat them (and their traffic) like a DMZ? If not, get a move on, because the statistics show this is a major source of issues and data loss.

3. Do you have “production blinders” on? – Are all of your systems in scope for your ongoing assessments? You need at least monthly ongoing vulnerability assessments of every machine in your environment. Not just from the Internet, but also from the internal network(s). Why the inside too? Review point number 1. The inside is the new outside….. Give us a call to discuss assessments if you need help. Our GuardDog appliance can provide you with ongoing assessments that are affordable and results focused. Together, we can help you get to a comfort point where security is a manageable task.

Those are the big three. They are what I would focus on if I were a CIO or network manager. Welcome to 2010, where everything is different, except the things that aren’t. 🙂

PS – I hope you had a wonderful holiday season!

KeePass Password Safe

Are you looking for a free and easy to use password safe? Be sure to check out KeePass. It’s a great open source product that will place all of your passwords in a database which is locked with a secure key or key file.

The result? You only need to remember one password instead of hundreds.

Some key features include:

  • Full database encryption; not just the passwords
  • Portability- It can be placed on a USB stick
  • Multiple key support- A key file can be used (which can be carried with you), a password can be used, or a combination of both!
  • It’s not just for Windows. Ports are available for Linux, OS X, Blackberry, PalmOS, and many more

Want to learn more? Check out their site at http://keepass.info/

Project Honey Pot Finds Malware – And So Does MicroSolved’s HoneyPoint #Security Server

Project Honey Pot, a non-profit grassroots community of IT professionals founded in 2004 to capture and analyze malicious traffic, just captured its one billionth spam message. It is marking the opportunity by releasing its findings. They discovered that the number of computers co-opted as part of botnet operations has experienced a yearly average increase of 378%.

“Fortunately, Project Honey Pot’s coverage of active botnets has grown over time at an even faster rate. In 2006, we saw less than 20% of the active bots on any given day. Today we see more than 80%”, the Project said. Project Honey Pot is on a quest to find where spammers hide. They used the fact that botnet computers are primarily utilized for sending spam to do data analysis. It took the number of infected PCs in a country, divided by the number of Project Honey Pot members in the country, to create a ratio showing how friendly that country was to spam originating within its borders.

The Project also found that different types of spam campaign used harvested messages with varying speed. Product-based spam campaigns would build up a collection of harvested addresses for as long as a month before mailing them. On the other hand, they found that ‘fraud’ spammers, who commit phishing scams, tended to send to and discard harvested addresses almost immediately.

We’re aware of these issues and have a potent weapon against such threats. Our HoneyPoint Security Server has been praised by our clients in helping them by providing more direct, targeted information on threats than anything they’ve experienced. HoneyPoint Security Server was born out of a three year initiative to break the attacker cycle. Its power and flexibility come from the underlying realization that attackers have a need for confidentiality, integrity and availability too. HoneyPoint leverages these needs and turns the tables on attackers at every opportunity.

While HoneyPoints seek to remove the confidentiality of attackers, we wanted to go beyond that basic approach. To accomplish this, MSI invented HornetPoints and HoneyPoint Trojans. HornetPoints also emulate typical services, but when they are probed, they don’t just alert – they engage in a patent-pending technique called “defensive fuzzing” that actively tampers with the attack results. In many cases, this actually breaks attacker tools and confuses all but the most focused of cyber-criminals.

HoneyPoint Trojans also make assaults on attacker integrity. These common appearing documents and files look just like any other juicy bits of target data, except these files hold a special secret – a sting. HoneyPoint Trojans alert security teams when they are interacted with, allowing you to find the source of illicit behavior and even track who is doing what as the Trojan is passed through the attacker underground. Imagine the impact that HoneyPoint Trojans have when attackers are afraid to read captured documents, unable to sort out what is real and what is a trap.

HoneyPoint Security Server can even target attacker availability. Using the incredibly flexible plugin architecture, it can easily be integrated with existing defense-in-depth tools such as routers, switches, firewalls and SIEM products. It can alert administrators for human responses or be a part of a fully automated security solution. Many of our clients depend on HoneyPoints and HornetPoints to drastically reduce their risk levels. Wouldn’t you love to stop wasting time by chasing ghosts and instead chase the real thing? Why not contact us today and let us help you do the same? Hackers aren’t waiting. Neither should you.

Creative Uses of Video for Quick and Easy Awareness

Are you looking for an effective mechanism to help your staff stay alert against laptop theft during the holidays and such? Here is a quick suggestion.

Take an iPhone, iPod or other video-capable device and shoot a quick 30 second piece about a laptop getting stolen. Have your own team star in it. Keep it quick, light and humorous. Maybe show your CEO in a panic when she realizes her laptop is missing, or a shot of your IT manager in a hoodie grabbing a laptop from the lunchroom and running. Make it over the top and funny, then close with a serious message about how quickly laptops can be stolen, how you should never leave them in a car or such without locking them in the trunk and other stuff you want the users to know.

Close with how they should tell you if they have lost a laptop and who they should call.

That’s it. Keep it home video looking, don’t worry about production quality or any of that. Quick and dirty videos are the way of the new web, so think more YouTube than MGM.

Now, send your video out, or a link to it, and let your employees make suggestions for future episodes. Everyone who submits a suggestion gets entered into a drawing for movie tickets. Easy, affordable and effective.

Who knows, you may not get an Oscar, but you might just save yourself from a data breach. Either way, it will be fun and educational.

Enjoy and don’t hesitate to call us if you need help with the video, ideas or need more information about laptop encryption or other security measures. We are here to help and can get you through most laptop security issues with ease!

5 Tips to Secure Mobile Devices #security

Security with mobile devices starts before they are added to an organization’s assets. Although it may take extra time, it will pay off in the long run if an organization researches mobile devices before purchasing. Not all devices are equal. Some, such as MP3 players, are built for a general consumer base and won’t have such security safeguards as a “smart phone.”

Here are some tips that can help decrease the possibility of a security breach:

1. Use encryption and authentication features. Create policies that will ensure encryption features are accessed and launched. Many people do not use the password function but what would happen if a smartphone fell into a stranger’s hands? Why make it easy for someone to access private data? Set up a password.

2. Create remote wipe capabilities and set up a “lost item” process. If a mobile device is lost or stolen, the IT department could remotely remove any sensitive information. Not everyone turns in a lost cell phone. Remotely wiping it of sales forecasts or strategy diagrams will keep your organization’s plans safe. Having a quick hotline for lost items will help IT staff confront a problem quickly and efficiently.

3. Be careful about third-party applications. Although some seem to be harmless, they can possibly be a back-door for attackers to access your internal network. By limiting unsigned third-party applications, an organization can close one more opportunity for data theft.

4. Create unique firewall policies. Those who have smartphones do not need to have access to all the databases in the network. Only allow access to the data that would most commonly be used.

5. Start considering software. As smartphones become more common, hackers will start to target them more often. Adding precautions such as equipping devices with intrusion prevention software is another good way to provide security. And although anti-virus software for smartphones isn’t common, it’s a good idea to keep watching for it. This type of software is bound to develop and be plentiful as more organizations use highly sophisticated smartphones, which are really small computing platforms.

IT managers may be reluctant to tackle the issue of securing mobile devices, but they realize mobile devices aren’t going anywhere. Supporting a limited number of mobile devices may be the answer. Creating and enforcing a consistent review process, together with awareness programs, will help keep your company’s business, your business.