I have been hearing a lot of questions lately about how to create effective awareness programs inside your organization. To most companies, this is a very difficult task. Here are three strategies to make this easier for everyone and a whole lot more effective than what you are likely using now:

1) Ask your employees. Hold a few round table sessions with various randomly selected employees. Stress to them the importance of information security awareness and ask them what they think would be effective to reach into their peers. You might just be surprised by what they have to say. Incorporate some or all of their ideas into your program, of course, with appropriate metrics and monitoring. Don’t be afraid to embrace these new mechanisms, they are often hidden gems.

2) Think like marketing. Stop thinking of security awareness as a security function. Only the message/content is security, the rest is plain old marketing. Include your marketing department in the process. Actively engage them in the process of selling security to your employees. It makes a world of difference. Also, on this note, make sure you support their efforts to tune and refine the message and profile the employee audience. Those traditional marketing approaches may seem fuzzy to security folks, but they are what clearly separate the wheat from the seed in this undertaking.

3) Embrace new technologies and multi-media. Face it, if posters and such worked so well, the problem would be solved already. The fact of the matter is, you need multiple forms of contact with the employees to cause change and sell them security concepts. The more mixed media and content with common themes, the better. This simply works. Think about it, again from marketing terms – does Coke just use posters to sell sugar water? No, they use a variety of media and messages with a common theme to get people to drink their products. Do what works; don’t be afraid to move beyond posters and meetings to really make awareness work for you and your organization!

For more than a year and a half now we have been traveling the world, talking about HoneyPoints and the fundamental change that this technology represents to providing internal network security and threat detection. What a long road it has been…

Over the last 18 months, we have had an incredible amount of success in capturing emerging theats, helping companies spot compromises and evaluate their attackers. We have learned a lot about internal attack motivations and mechanisms and we have seen first-hand the power of HoneyPoints to really free organizations from the overhead and false-positive nightmares that signature-based Intrusion Detection has come to represent.

Today, we take another step forward. Today, we are proud to announce the availability of the newest version of HoneyPoint Security Server. Based on client feedback and expert security insight, we have evolved the basic HoneyPoint premise to a new level. Today’s release includes a complete re-write of the console and further expands our ability to integrate into existing monitoring and SIM infrastructures as well as offering organizations without SIM a robust and full lifecycle HoneyPoint event management system!

The new console features a back-end database with roles and event management plus it also includes integrated trending and reporting. The new plugin interface, included with the release, allows users and MSI to design new and exciting features for event management, automated responses and alerting without changes to the core code – or the need for upgrades. Centralized ignore host configuration, HoneyPoint inventory and enhanced event clarity are also key points of refinement in the new version.

But, among the most exciting news about this new HoneyPoint release, is the availability of new, deeper HoneyPoints for emulating additional services and applications. New HoneyPoints, console plugins and configurations are planned over the next few weeks as MSI continues to increase the power and flexibility of the product.

Stay tuned for some new information about online resources, newly available tools and other supporting materials as they emerge over time. Our plan is to continue to spread the word, evangelize this change in tactics and to keep telling the world that there is a better way to secure your internal networks – without management overhead and without the false postives that keep you from focusing on your real threats.

To find out more about version 2 of HPSS or more about why we truly believe that we ARE going to “change the world”, simply give us a call or drop us line. We would be happy to share the message with you!

Aren’t laptops great?! They’re small and easy to handle. You can take them anywhere, and they’re fast and powerful enough to do just about anything you want! And how about the other, even more convenient portable devices like PDAs and Internet capable cell phones? Fantastic! You can download files, email people wirelessly, get your work done while waiting to tee off at the golf course, all kinds of wonderful things. But from a business information security standpoint, they are D A N G E R O U S!!!

Now, you might say to me: “But I have a personal firewall and regularly updated anti-virus software on my laptop. I’m very careful about what I upload and download onto it – nothing but approved corporate software applications. And when I communicate business matters on my laptop, I establish my connection securely and use a tunneling transmission protocol that’s strongly encrypted from end to end. You aren’t talking to ME!” And you’re right – all that is very correct and laudable! But is that all you need to do?

A professor at THE Ohio State University just recently had his home burglarized. He lost some jewelry, a shot gun….and two laptops loaded with the personal private information of lots of chemistry students and post graduates! There was federal grant information on there too. This is a MAJOR problem. All of those folks are now subject to identity theft, so they and Ohio State will have to monitor their credit very closely for a long time. And even then, they may never be sure if their information was truly compromised or not. So maybe they get complacent after awhile, and then, years down the road, BAM! They’re nailed! And since they are undoubtedly going to be very angry about this, they are going to do their best to sue you, and if that doesn’t work out, they are at least going to bad mouth your organization to everyone that will listen. And what if the database you lose has the information of tens of thousands or even millions of people on it? You have problems that may never go away. And these kinds of laptop losses occur on an alarmingly regular basis. We’ve all heard about it on the news.

The point of this is, no matter how securely you install and transmit your information on portable devices, you always have to keep physical security in mind. But you might say to me, “Well, I never let my laptop out of my sight when I’m traveling. I have a laptop security cable I use religiously. I don’t leave my laptop in my hotel room, and if anyone gets a hold of it anyway, it takes a password to log onto my computer.” Unfortunately, these kinds of security measures, while essential, are not foolproof or even that difficult to circumvent.

So what is the answer? Encrypt your sensitive data! Encrypt it well, and encrypt it anytime you are not actively using it. A hassle? You bet! But this is the only reliable way I know of to keep thieves from viewing your data. And every year encrypting your data is becoming more of a trivial exercise. Use PGP for example, or encrypt using WinZip – they have 256 AES available. That way, even if attackers get your portable device and bypass the access security all they are left with is a bunch of babble. Then maybe you and your organization might not make the evening news like so many unfortunates organizations have before!

**Editor’s Note: This article was written with a focus on smaller organizations with limited IT resources. Organizations who feel they can support it should also consider options for whole disk encryption, or perhaps research some of the emerging drive specific encryption and access controls just becoming popular. However, in our experience, these controls and tools vary widely in their effectiveness, feature sets and ease of use. In many cases, whole disk encryption and some emerging technology solutions for this problem may be too resource intensive for many smaller organizations to manage.  — The Editor

Over the last few weeks we have measured a fairly slow, but steady increase in the amount of general web site scanning. More and more often, our HoneyPoint systems are identifying PHP scans, scans for older vulnerabilities dating back to Nimda and Code red and a slew of newer scans for specific bulletin board, blog management and other web-based application code.

These scans are appearing from a number of locales and appear to be mostly automated. Their sources appear to be from mostly compromised systems on small to mid-sized company networks.

As these scans increase in frequency and capability, it is essential that organizations ensure that they have secured their web servers against common known vulnerabilities. There are a number of tools such as nikto, Sandcat and others or available services to scan sites for little or no charge. Organizations should utilize these tools or their existing managed vulnerability assessment services to ensure they are protected against these common worm-style attacks.

We have been getting large numbers of requests to try our HPPE and HP:NTA products, but up until no demo versions have been available. This is no longer true, effective today!

Users who would like to try out either or both of these leading edge products can download fully functional versions from our website. Both products will run for fifteen minutes at a time, then pop up a message advising you about how to obtain a key and quit. The products can be restarted as many times as you wish, with each execution running 15 minutes!

We hope this new capability really gives everyone a chance to explore, analyze and play with these amazing tools. The feedback from other users has been so strong that we have been very hard at work to find a way to offer them to everyone.

To check them out and begin securing your workstation with the power of HoneyPoints, click below, then click on the time limited demo link at the bottom of the page (no registration required):

HoneyPoint Personal Edition

HoneyPoint:Network Trust Agent

Our HoneyPoints are still seeing an increase in the overall numbers of attacking systems exploiting the newest **CENSORED** vulnerability. The traffic has a destination port of TCP/4899.

Most sites should be filtering this port by now, but it seems some smaller organizations have not yet gotten the word about the problem.
Eastern Europe seems to be the home of more than a few systems scanning for this issue.

If you have not yet begun blocking this port, and are a **CENSORED** user who has not upgraded to date, then now would likely be a good time to implement blocks and inspect your exposed systems.

PS – I HAVE UPDATED THIS POSTING AS A RESULT OF A LETTER FROM THE VENDOR INVOLVED WHO REQUESTS THAT WE STOP USING THE TRADEMARKED NAME OF THEIR PRODUCT.

With the official release of MetaSploit 3 occurring today, look for a likely increase in scans and probes associated with the tool and it’s 117 exploits. To date, MetaSploit accounts for a large percentage (some 75-80%, we believe) of manual attack traffic to our HoneyPoints.  It is widely adopted and easily used to compromise systems.

If you have not had a vulnerability assessment recently, now might be the time to get one underway and get some mitigations in place. The more publicity this tool gets, the more attack traffic that everyone will likely encounter in the coming few weeks.

This version of MetaSploit looks to be a very powerful upgrade, and there are a lot of tools built in for professional security testers, researchers and others. Modules for host identification, Denial of Service testing and all kinds of goodies are here. How those get used in the future, and whether or not they lead current script kiddies down the path of enlightenment and knowledge, remains to be seen.

In the meantime, get ready for some packet, network stream, log and IDS analysis. As the underground learns the new version, some of us are likely to be caught in the crossfire…

I really think “risk” is emerging to be the next big hype term used to sell security products. Check out my article at ITWorld, and see why I urge everyone to use their instincts more than they listen to vendor’s marketing pushes…

Check it out here.

It’s that time of year where we like to do some spring-cleaning of our various reporting formats and structures. This includes our Vulnerability, Penetration and Risk Assessment reports. A brief survey of reports and sample reports available on the Internets reveals a wide range of depth and style of reporting formats. Everything from HTML-based reports using raw data from a Nessus scan, to reports comprised of 90% prose and a couple of pie charts thrown in for the executives.

Over the years we’ve had the privilege of working with several companies and individuals who take a strong proactive stance in using their reports. As a result, we have developed a number of reporting formats tailored to each client, enabling them to streamline their internal operations and deal with findings in an expedited manner and move on to their other tasks. This process also allows us to develop insights into how to present audit data to the customer in a form and format that is concise and comprehensive. This allows them to act without being overwhelmed.

That’s what we love to do! Our goal is to present the end customer with a report that will enable them to do their jobs more accurately and thoroughly without getting bogged down in reporting that is not conducive to their normal work flow.

So we humbly ask, you the reader, what features of security reporting formats have you found that improved your workflow? What are the most useful features you have encountered? What are the least useful? How do you use your reports? How can reports be structured to improve the remediation of specific issues? How do your executives use the reports? Are there recurring questions that are posed by your executives? How do reports build or destroy your trust in your IT or risk auditors?

We just released a new Manager’s Guide white paper. This one is by John Davis, CISSP, and examines the human side of information security programs, a bit of history and some concrete suggestions for creating an effective information security program inside your organization.

Check it out here.