Why I Think Your Awareness Program is Broken…

Security awareness. I know, I know… This is one of the worst parts of being an infosec person. We all seem to have problems with it. Not so much because the content creation is hard, but because effective content creation is nearly impossible.

For almost 20 years, we in the infosec business have been harping at you about awareness. The story often goes something along the lines of “If only we could teach the users to be more careful and attentive, then we could protect them better.” The truth of the matter is though, that the average user either doesn’t care about information security (until it’s too late) or they simply don’t have enough technology skills to protect themselves in a meaningful way. But, and I promise you THIS – the answer is absolutely NOT another poster in the lunch room about not clicking on the dancing gnome or opening emails from people you don’t know…

I think we are going about this in the wrong way. In fact, I believe that the only prevention focused message you should be sending to your staff on a repeated basis is about laptop theft. I think if you focus all of your prevention awareness on laptop theft, you might accomplish a little bit more, since laptop theft is a pretty personal crime. So, if you must print up some posters – make it about not leaving your laptop in the back of your car, or skip the posters altogether!

What do I propose instead? What then will we do with all of that awareness budget???

I propose this. I suggest that you skip prevention awareness and instead focus your staff on being better “net cops”. Yep, you heard me, NET COPS. Why the heck would you do that, you might be saying? Well, the main reason is, according to recent data that profiled data compromises, your team members (as in humans) are twice as likely to notice strange attacker behaviors, security issues and other anomalies versus automated systems like IDS and log monitoring. Plus, people already love to play net cop. Your customer service people love it, your sales people love it and face it, most infosec people love it too. There is a reason why there are so many crime shows on TV. Since people love the idea of being a net cop, let’s focus on teaching them, giving them incentives and helping them help us protect our data more effectively.

This month, as you may know, is security awareness month. As such, throughout the month, we, like other blogs and security companies, will be talking a lot about awareness. BUT, on this blog and at MSI, we are going to talk more about teaching your users to be detectives. We think a new focus, from “what not to do” to “help us patrol the network”, just might work! We’ll never know, unless we try!

Give it some thought and as the month goes on, don’t be shy. Let us know what you think about the idea. Thanks for reading!

3 Browser Security Tips for End-Users

Browser security continues to be an absolutely vital part of providing safety and privacy to end-users and their systems. Browser-based attacks are easily the most common threat on the Internet today. Attacks range from old-style traditional exploits like buffer-overflows to modern, sophisticated attacks like Active-X injection, drive-by downloads of malware and exploitation of cross-site scripting attacks and other web applications issues to steal user credentials or even install arbitrary code. Users want Web 2.0 features and often choose performance and user-friendly functionality over safety and privacy.

Here are a few tips for end-users to make their browsers as secure as possible.

1. Keep your browser up to date.

This is the easiest of all the steps. It is also the one that removes the easiest of exploits from the attacker’s arsenal. Keep your browser up to date. Updates are issued periodically by all the major browser programmers and often close a number of known security issues. Many of the browsers have built-in auto-update capabilities, so if your browser has this, make sure it is turned on. If you are a user of Internet Explorer, the updates are delivered as a part of the regular Windows Update process. This can be configured to automatically execute as well. Modify your current settings using the same Control Panel interface as the firewall configuration.

2. Harden your browser against common attacks.

This is a very powerful process as well. It will make you safer by an exponential amount. However, the side effect will be that some web sites may not work properly.  Generally though, there is a fantastic guide to making these configuration changes here. It was created by CERT and walks users through browser hardening, step by step. Follow their instructions and you will get a much safer browsing experience.

3. Be aware of social engineering tactics.

Even if you do follow the other two steps, social engineering will still be a possibility. Attackers use social engineering to trick users into doing things that they should not do, like opening a file, divulging their passwords, etc. You should always remain aware of social engineering tactics and strategies. Many of them are covered in the definition page linked above. Another good place to keep current on emerging social engineering attacks is the SANS incident center. They routinely cover emerging threats against both corporate and end-user systems.

So, there you have it. Three tips, that once enacted and followed, will make browser security a much more attainable process.

Resources to Prepare Your Organization for the H1N1 Virus

This month, we decided to share with you resources that can help you better prepare your organization for the H1N1 Virus. They are:

Protecting Your Business in a Pandemic: Plans, Tools, and Advice for Maintaining Business Continuity by Geary W. Sikich.

Pandemic Influenza Planning: A Step-by-Step Guide For Businesses and Local Governments by Vernon Dorisson

Tamiflu® Office Preparation for Influenza Season

Tamiflu® Flu Tracker

Centers for Disease Control and Prevention: 2009 H1N1 Flu

CDC: Novel H1N1 Flu (Swine Flu) and You

Association of American Family Physicians: Preparing Your Office for an Infectious Disease Epidemic

HR Issues and Answers: Preparing Your Workplace for an Influenza Pandemic

Most of these articles emphasize the same thing: create a plan for employees who will be absent due to illness, avoid getting sick by using caution and appropriate measures, if infected, stay home and avoid contact with others.
If you have a supervisory role, you may want to review your staff’s responsibilities individually, especially those who are the only ones who know how to complete a task, such as rebooting the server or opening a locked area. A little cross-training could save you any confusion down the road.

Pandemic Planning Update: Consider 10 Day Minimums for Sick Time

Having just read this article, and participated in several discussions around Pandemic Planning, I am of the belief that folks might want to consider mandatory 10 day sick times/work from home times for H1N1 infected employees.

Research shows that infected folks may be contagious for up to 10 days from the onset of their symptoms, even after they “feel better”. The problem with this is that as they “feel better” they may return to work or school, thus exposing others to the virus, albeit, inadvertently. Many people simply think that if they “feel better”, then they must be over the infection and not contagious anymore.

So, as you consider your pandemic plans, please think about the idea of a 10 day work from home program or the like for folks that are symptomatic. Explanation and education of folks carrying the virus can only help, so take the time to explain this cycle to your team.

Thanks for reading and please let us know if you have any questions about pandemic planning or remote working issues. My team and I have been doing quite a bit of consulting lately reviewing pandemic plans and helping organizations make sure that they are prepared and that their remote access systems are robust enough to handle the load and secure enough to be trusted. If we can be of any help to your organization along these lines, please do not hesitate to call or drop us a line!

MicroSolved’s Brent Huston Interviewed by [IN]SECURE Magazine

[IN]SECURE Magazine, the fresh and innovative online magazine from Help Net Security (HNS), features a great article from Brent Huston, “How ‘Fake Stuff’ Can Make You More Secure.” Brent presents a compelling reason why organizations would benefit from utilizing honeypot techniques to protect their data.

You may download the article here.

Help Net Security is an online portal that covers all the major information security happenings. The portal has been online since 1998 and caters a large number of Information Technology readers specifically interested in computer security. For the entire September issue of [IN]SECURE Magazine, you can download it here. Great reading!

President of Colombia Has Swine Flu and So Might Other Leaders

This article pointed out the recent diagnosis of President Alvaro Uribe, of Colombia, with swine flu. Even worse, the leaders of Colombia have alerted the other leaders that were involved in a regional South American summit last week. While President Uribe is not considered high risk for death from the disease, this is a new turn in the pandemic and public awareness. To date, Colombia has reported 621 cases with 34 deaths, making the mortality rate .05%.

Meanwhile, in the US and UK, school has just resumed and health officials are closely monitoring schools. Plans for handling outbreaks in the schools vary by district, but several are known to be testing plans for tele-education and remote teaching.

Once again, organizations are urged to undertake some form of pandemic planning and testing, as a “just in case” measure for H1N1 and the possibility of a strong flu season this year. SANS has just launched a site dedicated to pandemic planning and news. Check it out for more information, or give us a call and arrange a time to chat.

Flu Pandemic Begins Early in Japan and Could Accelerate US Season

According to this article, just published, the flu season has unexpectedly begun early in Japan.

The WHO has fears that this outbreak could also hasten the beginning of flu season here in the US. This puts additional pressure on the health systems to prepare for vaccinations and on the producers of the vaccines to push forward as quickly as possible.

As we have previously mentioned, it is a good idea for organizations to prepare a pandemic plan to handle outages of staff or remote working arrangements in preparation for the H1N1 flu and other natural emergencies of similar scope. Please, take the time to review your plans, test them effectively or create these plans as soon as practical.

Keep an eye on the WHO and CDC news channels to stay abreast of flu trends and any patterns or new developments. Here are links to their sites.

WHO and the CDC sites.

Thanks for reading!

When The System Works, It Really Works! :)

OK gang, so here is our part of the story.

As many of you may now know, the NCUA issued a fraud alert this week based on a social engineering test we were doing for a client natural person Credit Union. You can find some of the materials at the following URLs:

NCUA Media Release

SANS Storm Center

NetworkWorld

Once we saw the alert from the NCUA, we immediately contacted our Credit Union client about the situation. The client had received the letter and CD set in the mail, just as intended and called for in their testing agreement. However, on their side, the person responsible for the penetration test was out the day the letter arrived. The receiver of the letter followed their incident response process and reported the suspicious activity to the NCUA Fraud Hotline, just as they are supposed to do.

Upon our contact with the CU, the entire situation became apparent and we quickly identified how the process had proceeded. The employee of the CU had followed the process, just as they should, and alerted the proper authorities to the potential for fraud. We immediately contacted the NCUA Fraud hotline and explained that the process was a part of a standard penetration test. Eventually, we talked with executive management of NCUA and offered them any information they desired, including the source code to the tools on the CDs. The NCUA was wonderful to work with, understood the situation and seemed appreciative of our efforts to help ensure that their members were meeting the requirements of NCUA 748, which calls for the protection of member data against illicit access, including social engineering attacks like these.

During our discussion with NCUA executive management, we discussed me reaching out to SANS and such to clarify the situation and to explain that the “attack” was simply a part of a penetration test. I did this as soon as I hung up the phone with NCUA. The handlers at SANS and I traded emails and phone calls and they amended their release to include the penetration testing scenario. The whole point of this was to add clarification and to prevent people from getting “spun up”, since there really was no ongoing attack in progress.

However, in typical Internet fashion, the story had already taken on a life of its own. The next thing we know, the press is picking up the story, there’s an article on slashdot and people are in alert mode. We then set about trying to calm folks down and such on Twitter, through email and such.

The bottom line here is this. This was a controlled exercise in which the process worked. The social engineering attack itself was unsuccessful and drew the attention of the proper authorities. Had we been actual criminals and attempting fraud, we would have been busted by law enforcement. The NCUA did a great job of getting the word out that such an attack had occurred and the media and security folks did a great job in spreading the word to prevent further exposures to this threat vector. Everyone, and I do mean everyone, is to be congratulated here for their efforts!

The system worked. Had we been bad guys, we would have been busted. The world was protected, once more, thanks to the vigilance and attention of the NCUA and the security community.

Now, about the testing. MicroSolved, Inc. does, indeed, test social engineering attack vectors as a part of our standard assessments. The social engineering threat is a powerful and valid attack vector that often leads to compromise. Our process for testing these engagements is well scoped, well organized and intensely controlled. The threats we emulate are very real (in this case, we even included typos and such in the fake letter). The simulated malware we use is a custom application, developed in house by my team of engineers and does not propagate in any way. It is safe, effective, tested and has been in use with ongoing revision and testing for more than five years. The entire process for testing social engineering has been performed thousands of times for thousands of clients and will continue to be a part of our testing methodology. We truly believe that information security starts and ends with the people involved in protecting the data.

I hope this answers any questions you may have about the process or the alert. If not, drop me a line at bhuston@microsolved.com and I will try and assist you, if I can. I would really like to thank the NCUA, SANS, my technical team and the customer CU for their help and attention on this project. Thanks also, to all of the security folks and CU folks who helped spread the word about this attack vector. Though the awareness campaign was unintended, it certainly has raised the bar for would-be attackers if they hope to exploit this in the future. Thanks for all of your hard work and attention!

Oh, and lastly, no, it is not us sending the laptops to governors of the states. It might not even be us sending the next round of CDs, USB keys or whatever new fraud schemes emerge in the future. But, regardless of whether or not it is us doing a test for your organization, or real criminals attempting to exploit you, don’t fall for it! Report these events to the authorities and let’s make use of the process that we have clearly established!

Thanks for reading and make it a great day!

Update: Thanks to NetworkWorld for their help on getting the word out. Thanks to @alexhutton as well for this article.

Announcing A Special InfoSec Community Site: InfoSec Junkyard Dogs!

We are excited to announce a special, online community we’ve developed especially for you. This site will be open for a limited time and will provide a great place to connect with other security professionals both from here and around the world. We also have a “Gas Card Giveaway!” Sign up early and have a chance to win either a $50, $25, $15, or $10 Gas Card. We’ll be giving away one gas card per day, for the next four business days: Wednesday August 26, Thursday August 27, Friday August 28, and Monday August 31.

Enjoy the last “dog days” of the summer by joining our new community! Click here to view the details in a PDF. See you online!

Yay! A Winning Anti-Virus Check! Or Not…

So today on my RSS feeds, I saw that a new version of the Sub7 trojan has been released. This new version, called “legends” has some new features and such for exploitation and maintaining control over infected systems.

Being curious, I uploaded the installer to VirusTotal to see what kind of hit ratio I would get. To my surprise, ~96% of the AV software there detected Sub7!

There are two ways to look at this, I suppose. It sure seems like a victory when you get such a high hit rate, but on the other hand there are likely some elements of this extremely well known code that haven’t changed since it first emerged on the scene in the 90’s. So, I would hope that we could detect it with a high accuracy rate. In fact, I had really hoped we could detect it at 100%, but it seems that some AV vendors still miss it. Still 96% is far better than the ~15% detection rate I got on another test like this, just a little bit ago.

The second way to look at it is that we still have long known malware that is not detected by some AV products. Now, given, that is a small percentage, but after all of this time, they can not detect Sub7? That would be pretty horrible if you happen to be a customer of theirs and your data is at risk. Compound this with the data from the breach reports that show increases in custom malware being used in attacks and you can see the problem from a new perspective. If we can’t detect malware from the 90’s across the board, then how can AV hope to continue to be seen as the magic bullet defense against increasingly complex and dynamic attack code in the future? Of course, the answer is, it can not. It NEVER HAS BEEN THE MAGIC BULLET THAT MANY IT FOLKS AND MANAGEMENT FOLKS BELIEVE IT IS.

Where does that leave us? Somewhere between victory and defeat? Right where we have always been, but maybe, just maybe, with a little more argument and knowledge for those “magic bullet” folks!

PS – Here is my VirusTotal submission if you want to check it out.