Finding Conficker with HoneyPoint

With so much press attention on the Conficker worm, it is very likely that you have heard of it. What you may not know is that it is a very advanced piece of code. It is quite capable, able to optimize itself to concentrate its attacks, and it is being updated fairly routinely by its programmers/owners. Hundreds of thousands of compromised systems are thought to still be online, making for a very risky situation when/if the handlers of the worm decide to put those infected systems to use. Even while we wait for the “other shoe to drop”, these infected systems are likely to continue propagating the worm and present a clear and present danger to other systems that are not yet under the attacker’s control.

The worm is capable of propagating via several methods, but the most common one is exploitation of a vulnerability over port 445/TCP. HoneyPoint (Security Server and/or Personal Edition) users running non-Windows systems can establish HoneyPoints on this port to detect scanning/probing hosts. Linux and OS X systems can dilate this port (which can’t be done effectively on Windows without major work and impact on the system) to record the source IP addresses of infected hosts on the network; since nothing legitimate should ever connect to the decoy, every connection is a lead. Using approaches such as “scattersensing” has proven to be highly effective in identifying compromised hosts around the globe. These infected hosts should be removed from use immediately and should be treated as compromised using your existing incident response/security processes.

As we have said before, scattersensing is an easy, effective and cheap mechanism to gain security insight using older systems, laptops or desktops, a LiveCD (such as PuppyLinux or gOS) and HoneyPoints. You can quickly build one or several scatter sensors and move them around your environment trivially. This makes for a powerful solution to detect malware and insider threats of many kinds.
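As an added illustration of the 445/TCP decoy described above (this is not HoneyPoint’s code or anything from MicroSolved), here is a minimal Python listener for a Linux or OS X sensor: it accepts each connection, records the source address, and notes whether the peer actually started an SMB exchange or merely connected and went quiet. The port choice, the two-second read timeout and the event format are assumptions; binding to 445 needs root and a host with no Samba running.

```python
import socket
import sys
import time
from collections import Counter

# Conficker's most common spread path is 445/TCP, so that is the assumed default.
# Any other port works for trying the script out without root privileges.
DEFAULT_PORT = 445


def classify_probe(first_bytes: bytes) -> str:
    """Label what a connecting host sent first, if anything.

    Real SMB traffic opens with a 4-byte NetBIOS session header (type 0x00 plus
    a 3-byte length) followed by an SMB header whose first four bytes are
    b"\xffSMB" (SMB1) or b"\xfeSMB" (SMB2/3). A bare scanner typically connects
    and sends nothing, which on a host with no file service is already suspicious.
    """
    if not first_bytes:
        return "connect-only"
    if len(first_bytes) >= 8 and first_bytes[0] == 0x00:
        magic = first_bytes[4:8]
        if magic == b"\xffSMB":
            return "smb1"
        if magic == b"\xfeSMB":
            return "smb2"
    return "other"


def record_event(events, src_ip, src_port, kind, ts=None):
    """Append one decoy hit; the dict layout is an assumption of this example."""
    events.append({"ts": ts if ts is not None else time.time(),
                   "src": src_ip, "sport": src_port, "kind": kind})
    return events


def suspicious_sources(events, min_hits=1):
    """Per-source hit counts for every host that touched the decoy min_hits+ times."""
    counts = Counter(e["src"] for e in events)
    return {ip: n for ip, n in counts.items() if n >= min_hits}


def serve(bind_addr="0.0.0.0", port=DEFAULT_PORT, max_events=None):
    """Accept connections, log each one, and return the collected events."""
    events = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, port))
        srv.listen(16)
        while max_events is None or len(events) < max_events:
            conn, (ip, sport) = srv.accept()
            with conn:
                conn.settimeout(2.0)  # assumed: a scanner that stays silent for 2s is "connect-only"
                try:
                    data = conn.recv(512)
                except (socket.timeout, OSError):
                    data = b""
            kind = classify_probe(data)
            record_event(events, ip, sport, kind)
            print(f"{time.strftime('%Y-%m-%dT%H:%M:%S')} {ip}:{sport} {kind}", flush=True)
    return events


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_PORT
    try:
        serve(port=port)
    except KeyboardInterrupt:
        pass
```

Feed the printed lines into whatever log collection you already have; a source that shows up more than once, or that speaks SMB to a box that has never offered it, is the infected-host lead the post is after.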

Please feel free to give us a call to discuss this solution and enterprise HoneyPoint deployments further should you have any questions. Happy hunting!

Change the Way You Use (and Pay For) Penetration Testing

For a couple of years now, we have been offering our managed service and menu-based service clients flat rate options for all kinds of penetration testing, assessments and application security. By far, though, the best received and most popular service is our focal point penetration testing service. Let me share with you a situation I had with a client we’ll call “Joe”.

Joe is a 38 year old IT manager for a financial services company. He has been with the organization for more than 6 years and is a hard worker who is known around the company as a “get things done” kind of guy. Joe, like all IT managers today, is facing a cutback in his security staff and is struggling to keep up with the ever-changing threats, vulnerabilities and regulatory landscape that his company faces. He has been a MicroSolved client for several years and we have great rapport.

Joe’s problem is that his once a year penetration testing is just not working. The huge snapshot of his environment doesn’t maintain relevance for long as his staff struggles to respond to the findings and attack the problems that are identified in an overall manner. That’s when Joe comes to me to discuss his issues.

Joe and I spend a couple of hours talking about the problems he is facing and we quickly find a HUGE solution to his problem. Joe and the MSI team break up his IT environment into 4 functional slices. Instead of doing one big penetration test, once per year, we begin to test 1/4 of his environment every quarter. That allows his team to focus on a specific set of his environment for improvement during a given quarter and makes it very easy for him to create measurable security improvements in those targets. This gives him the ammunition he needs to provide continual improvement metrics to his upper management. From the MSI side, it makes the task smaller and faster for our team, and while the human engineer factor is slightly higher since we have to do setup and manual parts 4x, the difference is not really large. We extend terms to Joe’s company that allows him to pay for this service in low monthly payments over the term of the agreement. This makes the security bill from MSI easy to plan for and manage.

This was a couple of years ago. Joe is now approaching the big 4-0 and has been with his company more than 8 years. When we talked last week, Joe renewed his agreement with MSI for FIVE YEARS! He could not say enough about the work that we do with them, how the subscription approach to penetration testing has helped him and how grateful his board is for us letting them create a menu of services (including subscriptions for assessments and pen-testing) and split the cost INTEREST FREE over the five year term!

Joe is one happy client and at MSI that is exactly what we are all about. I love that our team has worked with clients to “get creative” about security problems. We deliver quality reports, do a lot of the heavy lifting for our clients and are always looking for new ways to help them be more successful with our services. Joe has learned just what that can mean to an organization and how my team can even “think outside the box” when it comes to payment terms and contracts. All around, Joe and MSI both have found a win-win relationship doing business together.

Subscription-based penetration testing focused on a line of business or a segment of the IT environment: it truly, in my opinion, is the future of security assessments. If you would like to discuss just such a solution, drop me a comment, email or tweet (@lbhuston) or feel free to call 614-351-1237 and talk to one of our account managers. We would love to help you get more from your security budget and find creative ways to make security better and more affordable for your organization too!

Breaches Often Stem from Unknown Data? Wow!

While doing some work on Operation Anaconda, I have been spending some time analyzing some of the various known metrics and statistics around the insider threat. One of the findings that I found absolutely amazing is this one from the Verizon report, that 66% of the 500 breaches studied in the report revolved around data that the organization DID NOT EVEN KNOW THEY HAD or DID NOT KNOW WHERE IT WAS in their own IT environment!

That’s ~330 breaches where the victim did not even know either that they had the data in question or did not realize where in the network that data was supposed to be.

This, to me, is alarming. How on Earth can an organization secure what they do not know about? How can a security team possibly be tasked with securing what they don’t know they have? The fact is, they can’t. Thus, the first condition would be for the security teams in these organizations to KNOW WHAT DATA THE ORGANIZATION HAS AND WHERE IT LIVES.

If you are still trying to create security based on perimeters, architectures or anything else that is not data-centric, then this should serve as a wake up call. You must identify all of the data that is in your organization that is at risk. You must know what it is, how it is created/stored/processed/used/destroyed and YOU MUST BUILD SECURITY AROUND IT.

Let me say that again to be clear. You must focus on identifying the data and then on defining security around it!

Please, use this statistic to change your security focus from architecture and IT environment protection to protecting the data. To focus on anything other than securing the data is to fail. Attackers will find the weakest point and when they do, they will attack the confidentiality, integrity and/or availability of the DATA.

As security folks, it is easy to get caught up in the day to day. It is easy to spend way too much time focused on management goals, content filtering, “playing net cop” and all of the other stuff that goes on. BUT, it is critical that we retain the daily focus on knowing what our organization has that needs protecting and on where and how we have to protect it. Focus on that and all will be well; fail at it and you’ll eventually be one of the 66% referenced above.

HoneyPoint Helps You Do More With Less


We all know the economy is struggling right now. Budgets are tighter than ever and many companies are forced to find ways to do more with less. Even though cybercrime is on the rise, it doesn’t mean your organization has to suffer. Here are two ways HoneyPoint products can help you increase efficiency in an economical way.

1) Avoid heavy customization – HoneyPoint comes “ready-to-go.” It can be customized, but that isn’t necessary for it to work. It’s a great “plug-and-play” product. Once the HoneyPoint Security Server is deployed, attacks are tracked. The HoneyPoint strategy is simple, yet powerfully effective. HoneyPoints are flexible pseudo-server applications that are able to emulate thousands of real services such as web, email, database systems and others. Since these pseudo-services are not real applications, there is no reason for anyone to interact with them in any way. Thus, once deployed, any activity against a HoneyPoint is, by default, suspicious. Since attackers do their work by scanning for and examining services looking for vulnerabilities, the HoneyPoints lie in wait, catching the attacker in the act of doing the exact thing that attackers seek to do – find vulnerable services!

2) Allow others to do the heavy lifting – Certain security tasks can be outsourced or automated. Sometimes an organization can decrease the total cost of ownership by having someone else do it. Why not allow MicroSolved, Inc. to handle some of these security functions, such as vulnerability assessment and penetration testing? Our experts can assess your policies, processes and network infrastructure against a variety of baselines including PCI DSS, FFIEC/NCUA/FDIC, NIST, ISO and other industry standard best practices. We routinely provide deep level penetration testing for clients who wish to get a real world view of their IT, network and physical security mechanisms. From blue team assessments to red team testing leveraging the latest techniques in social engineering and simulated attack, MSI’s experience and capabilities clearly separate us from our competition.

With a little creativity, we can all work smarter to not just survive, but thrive during these challenging days!

Book Review: Hardware Based Computer Security Techniques to Defeat Hackers


Hardware Based Computer Security Techniques to Defeat Hackers (Wiley) by Roger Dube maps out solutions for hardware devices used by the Intelligence and Defense communities. Dube begins with an overview of the basic elements of computer security and then covers areas such as cryptography, bootstrap loading, and biometrics.

Chapter Twelve does a good job of covering “tokens,” such as a key card or photo ID. The computer security mantra, “something you have and something you know,” is true with securing tokens. Issues such as cost, usability and lockout must be evaluated when considering the use of tokens as part of the user-authentication process.

The book not only discusses the solutions but devotes a chapter at the end to explain how to implement them. A good investment for the CIO and IT Administrator. Available through Amazon for the sale price of $71.96 (retail $89.95).

MSI is Currently Seeking Resellers for Services and HoneyPoint

We are currently seeking resellers for our HoneyPoint line of products and our professional services. We are open to discussing this with any firms interested in creating a virtual security practice and helping us present our HoneyPoint products to their markets.

We have a strong interest in working with partners in South America, Europe and Asia.

If your firm is interested in joining a reseller program that has been performing well for more than a decade and has members from the Fortune 100 to regional specialists, then please read more about the program here and contact us to arrange a discussion.

Our recent expansion of technical staff has created a limited opportunity to bring on new partner relationships. Does your organization have the will and capability to be among the group that leverages our two decades of excellence?

On Vendors Offering Discounts on VA/PT Services “Due to Financial Crisis”

I have a bone to pick with the idea of vendors suddenly offering price drops on their assessments and such “in response to the financial crisis.” In my opinion, this is nothing more than a gimmick. A cheap come-on to win more business while the times are tough and the chips are down. If you can offer these discounts today without it impacting your margins at a serious level or making it tough on you to do business, then why couldn’t you do it last week, last month or last year? I’ll tell you why, because you were caught up in that extra margin and extra charge to your clients and in making that extra profit.

At MicroSolved, I have refused to play these games with our customers for 20 years. I strive every day to keep our prices as low as possible for the work we do, to pay our team fairly and to keep us in business. We contribute to the community, support the Credit Union movement, engage with companies and organizations all around the world that are dedicated to “doing the right thing.” We continually strive to focus on increasing our value to clients and keeping our costs as low as possible. Here are a few examples of some of the steps we have taken and are taking to do so:

Consultant presence. Years ago, our onsite presence for assessments and pen-testing was a high cost item for clients. Travel, lodging and per diem were and are high ticket items. Several years ago, in an effort to lessen the financial impact on our clients and staff, we began using VPN connectivity and shipping appliance computers instead of people. The cost of shipping this hardware remains expensive today, but nothing like airfare and hotels for a security team. In 2009, our team is moving to create and deploy stable, trustworthy virtual machine images that we can move over the Internet to bring these costs to near zero. Developing these tools and testing them takes time, resources and money, but we are dedicated to continuing to bring the most value to our clients for the least amount of dollars possible. This is just one more way we can work with clients to improve their security and reduce their cost to minimize risk.

Simplified reporting for VA/PT. Our clients tell us all of the time that our reports are the best they have seen and are provided in the most usable format they can imagine. We long ago (several years) stopped shipping HTML reports and the like. Today, our typical reporting is an easy to read executive summary with a one page dashboard for the engagement findings, a technical manager report that identifies and ranks root causes of the security issues we identify and a technical details report that is provided as a detailed Excel spreadsheet so you can change, sort, import or manage the data as you see fit. Our reports have received positive comments from auditors, regulators and clients from around the world. This year, we will again be undertaking a special project to continue to refine our reporting structures. For us, leading the industry is not enough; we want to establish even more value for our clients and help them manage the reporting data in ways that reduce their heavy lifting. As always, if you have ideas on this, let us know.

Real humans to talk to. We don’t have a web portal for your reports. We don’t have an automated system for requesting assessments or the like. We do have a technical project manager that is assigned to your account. They have access to the actual engineers doing your assessments and pen-testing, and so do you. We don’t believe that dealing with some complicated web application that also might have exposures to vulnerabilities and other issues makes our clients more productive OR more secure. MSI clients talk to real humans. We talk to clients routinely during their engagements and keep them up to date as they desire on the testing and work as it moves forward. You can communicate with your technical project manager on the phone, via email or via SMS if you like. You can have a call with the engineers to clarify issues or to get answers to technical questions about the engagement. We even support our engagements for one year, allowing you to ask questions, interact with the security team and get answers up to 12 months after the engagement!

Approaches like HoneyPoint. HoneyPoint is our leading-edge software for managing the insider threat. It was designed from the ground up with the idea of “deploy and forget” (SM) in mind. We created it so you could have security visibility around your environment in a powerful way that eliminates false positives, signature updates and tuning. Long before the current “financial crisis” we wanted to help organizations get better security with fewer resources, and we have. Today, organizations are using HoneyPoint along with tools like OSSEC to replace IDS/IPS systems and finding the total cost of ownership to be 1/2 and the total resource costs to manage the solutions to be 1/10 of their older, less evolved solutions. In fact, many small and home-based organizations have begun using our “scattersensing” approach with HoneyPoint Personal Edition to identify bot-net infections and malware breakouts, as well as suspicious insider activities, for a total software cost of ~$30.00 US!

There you have it. I have “put my money where my mouth is”. At MSI, we know the financial stress is real. We know you have significant security AND budget challenges. We are striving to help you with both, BUT, NOT JUST TODAY and NOT JUST FOR A WIN FOR US. We can’t just knock arbitrary costs out of our prices because we spend EVERY DAY focused on keeping those prices low and our value high for our clients. That has been our focus for 20 years and as long as I am the CEO, it will continue to be our focus. We believe that our engineers, sales and marketing teams and other employees support our efforts. They have shown time and time again to be committed to VALUE for our clients. We may not always be the cheapest security vendor. I know our services cost more in some cases than the “scan and forget” vendors out there. I am OK with that. For 20 years I have enjoyed doing business with clients who appreciate honesty, trust, better communication and the MSI work ethic. Our clients love the work we do for them and many tell me repeatedly how much value we bring. That, in the end, I believe, is the measure of true success.

So, if you are looking for a security vendor to help you find the most value for your security budget, give us a call. We will be happy to talk to you about your needs and how MSI may be able to help. We will put together flexible payment plans, menus of services and subscriptions for engagements if you desire. We hope to talk to you soon about how we can help you be more secure with less time and money. That’s our commitment today and long after the current “financial crisis” has passed.

MicroSolved, Inc. (614) 351-1237 x206

info < at > microsolved <dot> com for more information via email

So, You Wanna Be in InfoSec?

One of the most common questions I get asked is “How can I become an information security professional?”. These days, it seems that a ton more people want to be in the “business” of information security. I get the question so often, I thought I would write this post as a quick and easy way to respond.

Are You Serious?

The first response is a “gut check”. Are you serious that you want to be an infosec person? Do you even know what you are asking? My suggestion is 2 steps. Number 1, read a basic information security guide (not Hacking Exposed or something on an aspect, but something more general like the ISO standards). Number 2, invest in your career option enough to buy a few coffees or beers and ask a couple of security folks you know of and trust to sit down, one on one with you for an hour chat. Talk about that person’s career, what day to day security work is like in their experience and what they think about your ideas for moving forward. If you can’t or won’t invest in these basic steps, then quit now and choose another career path. Security work is all about research, reading, guidance, networking and conversations with other humans. If you can’t do these toddler steps, then forget running with the big dogs and find another pack.

Get Serious, Quick!

Step 1: Knowledge boost: Start to read every single security book you can find. Listen to podcasts, read web sites, subscribe to mailing lists. Read RSS feeds.

Step 2: Find a way to contribute: Work on an open source security project. If you can’t code, then write the documentation or contribute to testing. Start a website/blog and start to aggregate or gather other security news. Wax poetic on what you think of certain topics. Think of this part as turning knowledge into wisdom. It is where the rubber meets the road and where you will encounter some pain, humiliation and grief, but it is another form of “gut check” to make sure you are ready to be in infosec.

Step 3: Build a lab & practice security skills: Build a lab. Make it out of old hardware, virtualization systems, Live CD’s, etc. Then hack stuff. Secure stuff. Apply settings, scenarios, access controls. Shop at eBay, garage sales, thrift stores or Walmart to cut the cost down. Be creative and pragmatic, both are essential security skills.

Step 4: Brand yourself: Once you have some wisdom and insight, then update your resume. Build a personal brand. Read books by Seth Godin and Guy Kawasaki to learn to do this. Learn how to separate yourself from Joe Six-Pack and how to turn your security experiences with the above projects into valuable differentiators that open doors for you to get that job you wanted. Is it work? Yes. Is it hard work? Yes. Does it take time? Heck, yes. Is it worth it? If you get what you really want, heck yeah!!!!

It’s OK to Turn Back

If, at any point during the above steps, you decide you are not interested enough to continue, then don’t. Security is tedious, hard work. Most of it is COMPLETELY NOT SEXY and has nothing to do with Swordfish, Hackers or the Matrix, no matter how much you want to be Neo, Cereal Killer or Angelina Jolie. Security is mundane, boring, full of science, analysis and research. If you want to be great at it, you also need to understand business, marketing, math, human resources, education, more marketing, sales, basic programming, public speaking, more marketing and oh, yeah, more marketing. Why so much marketing? Because, believe it or not, people need to be sold on being secure. That is the largest irony of the job. You have to not just identify how to make them secure AND teach them how to be secure, BUT you ALSO have to SELL them on the idea that security is worth their investment of time, energy and resources. It’s not that they don’t want to be secure, it’s that humans are REALLY BAD AT MAKING RISK DECISIONS. Keep this in mind as your security career progresses. It is a handy meme.

Are there Shortcuts?

Maybe, if you wanna be average. More than likely not, if you wanna be truly GREAT at what you do. Everything in life has a price: the good, the bad and the security career. Paying that price is a part of the reward; you just might not know it yet. Pay the price. This is one system you really don’t wanna “hack” to get at the “easy way”; it makes for a lot of pain down the road when you look foolish.

What About Certifications?

I am not a believer in certs. I have never made any secret about my position. I DO NOT HAVE MY CISSP NOR AM I LOOKING TO EVER HAVE ONE. Certs are NOT a good measure of experience, work ethic or intelligence. They represent all that I hate about the security industry and the idea of doing the minimum. This is not to say that you should not pursue them or that they are not valuable, it is just my belief that the IT industry puts way too much stock in certs. They believe that most every CISSP is a real “security person” and knows their stuff. I have met plenty who do not. I have met plenty who I would not let manage my security. I have met some that I would, as well. The same goes for all certs (MCSE, CSA, etc.). Certs are just a BASIC qualification mechanism, no more, no less. Experience and what you have done in the past speak volumes more to me, and anyone I would want to work for or with, than a cert. Period.

I hope this answers those basic questions about how I think you should move toward being a security professional. I hope you do choose security as a career, if you are willing to invest in being great at it. The world needs more great security people, but we also need fewer inadequate security professionals. The industry has its charlatans and fakes, but it also has some of the best people on the planet. This industry has been good to me for almost two decades. I have met and made friends with some of the most talented, fascinating and warm people in the world. I am very blessed and very grateful. I hope you will be too. Buy me a cup of coffee if you want to talk more about it. I promise to try and help you figure out if this is the way you want to go, if you are willing to invest in yourself first BEFORE you seek my input. More than likely, you will find the same to be true for other security experts too. They just might like cheaper coffee than I do…. 🙂

DShield Launches Web Honeypot to Gather Attack Pattern Data

SANS and DShield today announced the public availability of a new honeypot project for gathering web application attack patterns and trends. The tool is available at no charge and will feed into the ongoing DShield project data stream.

This is a great project and I am very happy to hear that more public attention will be on the use of honeypots to gather real metrics for attacks. This is something I have long stressed as a strength of our HoneyPoint products. I love the fact that they are doing it on a widely distributed basis. I know what kind of data we get from our HITME and I really hope they have much success in gathering that level of insight from a global view. I think the community as a whole will benefit.

Have we entered the age of the honeypot? Are we finally ready to accept the idea that “fake stuff can make us more secure”? I am not sure the public is there yet, but I think this is another step closer. What do you think?

The Economics of Insecurity

Wanna be bad at information security? Can you afford it?

Various sources, metrics and industry studies put a variety of numbers to data loss, but the general range is around $200-$250 per compromised customer/client/credit card, etc.

How many pieces of identity data does your company protect? How many clients do you have? How many employees are in your payroll and HR systems?

Information security is expensive. Software, services, assessments, policies, awareness and a myriad of other things all cost money. But, the next time you are asking yourself or upper management about your security budget, remember that $250 number. It may just give you, or someone else, some perspective on just what it all means.