Election Hacking

There has been a lot of talk in the news lately about election hacking, especially about the Russia government possibly attempting to subvert the upcoming presidential election. And I think that in a lot of ways it is good that this has come up. After all, voting systems are based on networked computer systems. Private election and campaign information is stored and transmitted on networked computer systems. That means that hacking can indeed be a factor in elections, and the public should be made well aware of it. We are always being told by ‘authorities’ and ‘pundits’ what is and is not possible. And generally we are gullible enough to swallow it. But history has a lot of lessons to teach us, and one of the most important is that the ‘impossible’ has a nasty way of just happening.

Authorities are saying now that because of the distributed nature of voting systems and redundancies in voting record-keeping that it would be virtually impossible for an outside party to rig the numbers in the election. But that is just a direct method of affecting an election. What about the indirect methods? What would happen, for instance, if hackers could just cause delays and confusion on Election Day? If they could cause long lines in certain voting districts and smooth sailing in other voting districts, couldn’t they affect the number of Democratic Votes versus Republican votes? We all know that if there is a hassle at the polls that a lot of people will just give up and go back home again. And this is just one way that elections could be affected by hacking. There are bound to be plenty of others.

With this in mind, isn’t it wise to err on the side of caution? Shouldn’t we as a people insist that our voting systems are secured as well as is possible? Don’t we want to consider these systems to be ‘vital infrastructure’? These are the reasons I advocate instituting best practices as the guidance to be used when securing electronic voting systems. Systems should be configured as securely as possible, associated communications systems should be robust and highly encrypted, risk should be assessed and addressed before the election, monitoring efforts should be strictly followed and incident response plans should be practiced and ready to go. These efforts would be one good way to help ensure a fair and ‘hacker free’ election.

MSI is Hiring Again, Do You Want to Work with Our Amazing Team?

MSI is hiring for an immediate Full Time position in Columbus. The successful new team member will have basic network knowledge (routers, able to read packets, etc.), Linux command line use – especially text parsing, will love spending time reading and writing about interesting topics and must be a world-class communicator.

The initial position is coordinating and assisting on a large scale network migration project as a member of our Intelligence and Analytics practice. MSI will mentor the team member in growing their data analysis, intelligence analyst and security subject matter expertise. The growth path for this position has two different opportunities – 1. Focus on intelligence and analytics to develop deep engagement with our TigerTrax™ line of products and services. OR 2. Develop deeper information security expertise and join our security team in performing assessments and professional services. 

If you have an interest in analytics and/or information security and have been looking to move from basic networking into a field of specialization – this may be your opportunity.

Drop us a line on Twitter – @microsolved – or get in touch with us in some other way. The position will be filled shortly – so act fast. 

Applicants should get in touch. We will then discuss sending us a resume, cover letter and a ~300 word essay on why we should consider you as a team member. We hope to see you soon and we look forward to adding another amazing professional to our team.

Sadly, for this position, we need the professional to be in Columbus, Ohio. While we offer work from home capabilities, the specifics of this particular position requires a physical presence in the Columbus area.

Thanks, and get in touch! 

How to Build an Information Security Program

Organizations have a lot of trouble with information security programs:

  • They don’t really understand the reasons why modern concerns must have effective information security programs or how to properly integrate them into their present business models.
  • They don’t truly understand the complexities of modern computer and communications systems and so have no gut instinct how to properly secure them. They therefore must trust information security pundits and service providers even though they get lots of contradictory and confusing advice.
  • They spend a lot of money buying all kinds of security devices and services and they find that their information security program is still full of holes and problems.
  • And after all of this, they find that they are constantly being asked for even more money to buy even more devices and services.

Sound familiar? Who wouldn’t become frustrated and cynical?! So my advice is: whenever a problem becomes seemingly too complex to tackle, go back to the beginning and start from first principles.

What exactly are you trying to protect? Have you identified and prioritized the business functions, information, devices and infrastructure that you need in order to run smoothly as an organization? If not, that should be your first priority. You should record and prioritize every business function needed to run your organization. You should also ensure that you keep accurate inventories of critical software applications and hardware devices. In addition, you should know exactly how information flows into, out of and around your network and what trusts what. If you don’t know exactly what you have, how can you protect it effectively, and what is more, economically?

Do you have effective mechanisms in place to limit access to your systems and information? You need to limit access to only those individuals who have a real need for that access (something you have just quantified by taking care of the first step outlined above). That means that you must configure your systems correctly to require user authentication, you must properly enroll and disenroll users correctly, you must properly identify those seeking access and you must have access management plans in place to oversee the whole process.

Have you leveraged your most valuable information security asset: your employees? Machines can only aid people in information security matters, they can never replace them. If you properly train, and what is even more important, enfranchise your employee personnel in the information security program, the return will astound you. Make them understand how valuable they are to the organization and ask for their help in security matters. Make information security training a fun thing and pass out kudos and small rewards to those who help the program. This can save you big money on automated security systems that just don’t perform as advertised.

Are you storing and transmitting information securely? For most organizations, information is their most valuable asset. If this is true of your organization, you should ensure that you properly protect it when it is moving or just sitting in storage. You should classify information for type and sensitivity and protect it accordingly. Spare no expense in protecting the really important info, but why waste time and money encrypting or otherwise protecting minor information that is of little consequence if revealed?

Do you know what is happening on your systems? Computer networks and the processes and people controlling them must be effectively monitored. Organizations should employ effective tools to monitor, parse and consolidate events and log data on their networks. But these should only be tools to aid humans in making this task manageable; they can never actually replace the human element. In addition, management personnel at all levels of the organization should have processes in place to ensure that security policies and procedures are current, effective and enforced. If you perform these tasks correctly, the most difficult part of incident response – incident identification – is also taken care of.

Do you test your security measures? You can never really tell how effective an information security program is without testing it. There are many tools available that test your network for security vulnerabilities such as configuration errors, access holes and out of date systems. You should employ these mechanisms regularly and patch the holes they uncover in a logical and hierarchical manner. You should also consider other kinds of security tests such as penetration testing, application testing and social engineering exercises. These will help you understand not only where the holes are, but how well your systems and personnel are coping with them.

These processes are the foundation of an effective information security program. If you build these strongly, other information security processes such as incident response, business continuity and vendor management will be well supported. If you skimp on these most basic steps, then your information security program will likely collapse of its own weight.

Incident Response & Business Continuity – Planning and Practice Make Perfect

Computer systems and networks are irrevocably woven into the fabric of business practices around the world; we quite literally cannot do without them. What’s more, our lives and our business practices become more dependent on these devices every day. Unfortunately, this makes computer networks the number one criminal playground in the modern world.

Although computer security technology and processes are becoming increasingly effective, cyber-criminals have more than kept pace. Every year the number of computer security compromises is increasing. Cyber-attacks are becoming more sophisticated and can originate from anywhere that has Internet connectivity. It should also be remembered that cyber-criminals only have to be successful in one of their attacks to win, while businesses must successfully defend against every attack, every time to win the game. The upshot of all this is that every business is increasingly liable to experience some kind of cyber-attack. That is the reason why regulators and security professionals have been pushing businesses to increase the scope and effectiveness of their incident response capabilities in recent years.

To help counter modern cyber-incidents effectively, organizations must respond to them quickly and in an accurate, pre-determined manner. IR teams must determine and document specific actions to be taken in the event common information security events occur. Responsibilities for performing these incident response “procedures” should be assigned to specific team members. Once detailed procedures for addressing common security incidents have been completed, the IR team should review them and role play response scenarios on a recurring basis (at least twice annually is recommended). It is an unfortunate truth that incident response is a perishable skill and must be regularly practiced to be effective.

This same advice also applies to business continuity/disaster recovery plans – functionally, they are really the same thing as incident response. Whether your business is facing a flood, a tornado, a cyber-attack or even an employee error, they all have negative effects that can be lessened if you have effective, pre-planned responses in place that everyone involved is familiar with and has practiced regularly. So why not practice IR and BC/DR together? It can minimize the time personnel are away from their regular business duties and maximize the effectiveness of their training.

Hurricane Matthew Should Remind You to Check Your DR/BC Plans

The news is full of tragedy from Hurricane Matthew at the moment, and our heart goes out to those being impacted by the storm and its aftermath.

This storm is a powerful hit on much of the South East US, and should serve as a poignant reminder to practice, review and triple check your organization’s DR and BC plans. You should have a process and procedure review yearly, with an update at least quarterly and anytime major changes to your operations or environment occur. Most organization’s seem to practice these events on a quarterly or at least 2x per year cycle. They often use a full test once a year, and table top exercises for the others. 

This seems to be an effective cycle and approach. 

We hope that everyone stays safe from the hurricane and we are hoping for minimal impacts, but we also hope that organizations take a look at their plans and give them a once over. You never know when you just might need to be better prepared.

Yahoo Claims of Nation State Attackers are Refuted

A security vendor claims that the Yahoo breach was performed by criminals and not a nation state.

This is yet more evidence that in many cases, focusing on the who is the wrong approach. Instead of trying to identify a specific set of attacker identities, organizations should focus on the what and how. This is far more productive, in most cases.

If, down the road, as a part of recovery, the who matters to some extent (for example, if you are trying to establish a loss impact or if you are trying to create economic defenses against the conversion of your stolen data), then might focus on the who at that point. But, even then, performing a spectrum analysis of potential attackers, based on risk assessment is far more likely to produce results that are meaningful for your efforts. 

Attribution is often very difficult and can be quite misleading. Effective incident response should clearly focus on the what and how, so as to best minimize impacts and ensure mitigation. Clues accumulated around the who at this stage should be archived for later analysis during recovery. Obviously, this data should be handled and stored carefully, but nonetheless, that data shouldn’t derail or delay the investigation and mitigation work in nearly every case.

How does your organization handle the who evidence in an incident? Let us know on Twitter (@microsolved) and we will share the high points in a future post.

Pay Attention to Egress Anomalies on Weekends

Just a quick note to pay careful attention to egress anomalies when the majority of your employees are not likely to be using the network. Most organizations, even those that are 24/7, experience reduced network egress to the Internet during nights and weekends. This is the perfect time to look for anomalies and to take advantage of the reduced traffic levels to perform deeper analysis such as a traffic level monitoring, average session/connection sizes, anomalies in levels of blocked egress ports, new and never before seen DNS resolutions, etc. 

If you can baseline traffic, even using something abstract like net flow, you may find some amazing stuff. Check it out! 

State of Security Podcast Episode 11 is Out!

“Hey, I heard you missed us. We’re back! … I brought my pencil, give me something to write on, man!” — Van Halen

That’s right – we heard you and we’re back. It took 7 months to rework the podcast format, find a new audio post processor to partner with, close the deal, do some work on the Honorary Michael Radigan Studios and bring the whole thing back to you in a new audio package. Whew! 🙂 

That said, check out the new episode of the podcast as Lisa Wallace tears into malware history, discusses why she loves infosec and gives some advice to women working in the industry. There’s a lot of great stuff here, packed into ~40 minutes.

Look for new episodes coming soon, and hopefully with an increased pace. Hit me up on Twitter and let me know what you think! (@lbhuston). Enjoy the audio goodness and thanks for listening!

 

Password Breach Mining is a Major Threat on the Horizon

Just a quick note today to get you thinking about a very big issue that is just over the security horizon.

As machine learning capabilities grow rapidly and mass storage pricing drops to close to zero, we will see a collision that will easily benefit common criminals. That is, they will begin to apply machine learning correlation and prediction capabilities to breach data – particularly passwords, in my opinion.

Millions of passwords are often breached at a time these days. Compiling these stolen password is quite easy, and with each added set, the idea of tracking and tracing individual users and their password selection patterns becomes trivial. Learning systems could be used to turn that raw data into insights about particular user patterns. For example, if a user continually creates passwords based on a season and a number (ex: Summer16) and several breaches show that same pattern as being associated with that particular user (ex: Summer16 on one site, Autumn12 on another and so on…) then the criminals can use prediction algorithms to create a custom dictionary to target that user. The dictionary set will be concise and is likely to be highly effective.

Hopefully, we have been teaching users not to use the same password in multiple locations – but a quick review of breach data sets show that these patterns are common. I believe they may well become the next evolution of bad password choices.

Now might be the time to add this to your awareness programs. Talk to users about password randomization, password vaults and the impacts that machine learning and AI are likely to have on crime. If we can change user behavior today, we may be able to prevent the breaches of tomorrow!