Clients Finding New Ways to Leverage MSI Testing Labs

Just a reminder that MSI testing labs are seeing a LOT more usage lately. If you haven’t heard about some of the work we do in the labs, check it out here.

One of the ways that new clients are leveraging the labs is to have us mock up changes to their environments or new applications in HoneyPoint and publish them out to the web. We then monitor those fake implementations and measure the ways that attackers, malware and Internet background radiation interact with them.

The clients use these insights to identify areas to focus on in their security testing, risk management and monitoring. A few clients have even done A/B testing using this approach, looking for the differences in risk and threat exposures via different options for deployment or development.

Let us know if you would like to discuss such an approach. The labs are a quickly growing and very powerful part of the many services and capabilities that we offer our clients around the world! 

MachineTruth As a Validation of Segmentation/Enclaving

If you haven’t heard about our MachineTruth™ offering yet, check it out here. It is a fantastic way for organizations to perform offline asset discovery, network mapping and architecture reviews. We also are using it heavily in our work with ICS/SCADA organizations to segment/enclave their networks.

Recently, one of our clients approached us with some ideas about using MachineTruth to PROVE that they had segmented their network. They wanted to reduce the impacts of several pieces of compliance regulation (CIP/PCI/etc.) and be able to prove that they had successfully implemented segmentation to their auditors.

The project is moving forward and we have discussed this use case with several other organizations to date. If you would like to talk with us about it, and learn more about MachineTruth and our new bleeding edge capabilities, give us a call at 614-351-1237 or drop us a line via info <at> microsolved <dot> com.  

CMHSecLunch is Monday Oct 12

Remember: #CMHSecLunch is tomorrow. 11:30, Polaris.

Come out and hang with some of your friends. This free form event is open to the public and often includes hacking stuff, lock picking, deep technical discussions, projects, etc.

Check it out at the link below & bring a friend!  

http://cmhseclunch.eventbrite.com


Ashley Madison Hack – A New Level of Impact

Real computer information security is highly dependent on the awareness and concern of individual computer device users. But people don’t view the security of their computers, pads and smart phones the same way they view the security of their cars, or houses or kids. On the whole, we are apathetic about the subject.

I have often tried to figure out why this is true, and I’ve heard several reasons such as: “Computers and technology are just too complicated and technical. I feel inadequate to the task.” Or “I have too many things to worry about already. I don’t need anything else to take a bite out of my quality time.” Or “So what if I get hacked!? The worst that can happen is that I’ll be embarrassed a bit or lose some of my money – I’ll still have my health, my family and my life!” Of all these mistaken ideas I think the last one is the most dangerous; not believing that anything really bad will happen to me and mine because of a hack.

For years my compatriots and I have discussed the idea that what will truly shock society awake is a hacking incident so severe that nobody can just ignore the subject anymore; a kind of cyber-Pearl Harbor. But none of us actually want to see “the big one” occur. We are hoping that smaller but still significant incidents will get the ball rolling.

The Ashley Madison hack is a small step in this direction that I hope people will embrace and learn from, because the consequences of this hack are a cut above what has been experienced by the everyday user in the past. Think of the marital unrest this has caused – think of the divorces, the tears, the kids that no longer feel safe and secure. Then there are the legal entanglements and lost jobs (both present and future) to consider. Awful!

But the biggest consequence of all is the loss of human life that has (and will in my opinion) come about because of this exposure. There have been a number of suicides already that are directly attributable to the Ashley Madison debacle, and I would be amazed if there weren’t some murders to accompany them as well. Is it worth human lives to be apathetic and unaware!? Let’s hope that folks decide it isn’t and take steps to protect themselves.

3 Things You Should Be Reading About

Just a quick post today to point to 3 things infosec pros should be watching from the last few days. While there will be a lot of news coming out of Derbycon, keep your eyes on these issues too:

1. Chinese PLA Hacking Unit with a SE Asia Focus Emerges – This is an excellent article about a new focused hacking unit that has emerged from shared threat intelligence. 

2. Free Tool to Hunt Down SYNful Knock – If you aren’t aware of the issues in Cisco Routers, check out the SYNful Knock details here. This has already been widely observed in the wild.

3. Microsoft Revokes Leaked D-Link Certs – This is what happens when certificates get leaked into the public. Very dangerous situation, since it could allow signing of malicious code/firmware, etc.

Happy reading! 

How to pick your next employee

MSI seems to be growing every day. As we bring on new staff, we are working hard to make sure that we maintain our existing corporate culture. It can be difficult to identify whether or not an individual has the necessary traits to be a successful employee. However, it’s important to think of the hiring process as an opportunity rather than a challenge.

The first thing I look for in a new employee is curiosity. To me, this is far more important than intelligence. An employee can always learn about how to support a specific system or perform a process. I think it’s much more important to find an individual that wants to understand WHY we use a specific process or HOW a system works. This is a trait that can’t be taught.

The next thing I look for is the ability to adapt. The Information Technology field changes rapidly. The latest and greatest piece of technology seems to be obsolete soon after it is published. It’s worthwhile to identify an individual that can handle these changes well.

IT professionals typically have to wear many hats. In my short career, I’ve served as an Information Security Officer, Help Desk Manager, Systems Administrator, Penetration Tester, Security Consultant, Infrastructure Manager, Intelligence Engineer and Pre-Sales Engineer. Typically those roles weren’t assigned until after I accepted a position. Due to the frequent shift in responsibilities, an IT professional must be flexible.

You may be wondering how you can spot these traits during an interview or by viewing the individual’s resume and LinkedIn profile. To discover a potential employee that is curious, look to see if they list diverse interests. If you’re attempting to identify an employee who has the ability to adapt to changes and remain flexible, look and see if they’ve supported a wide variety of systems and processes during their career.

Finally, it’s important to consider whether or not you enjoy spending time with this person. In some cases, you’ll spend more time with them than your own family. You could discover an employee with all the right traits and skills but will be in a difficult situation if your personalities clash. In short, take some extra time to look past someone’s employment history and discover whether or not they have the skills that can’t be taught.

Podcast Episode 8 is Out

This time around we riff on Ashley Madison (minus the morals of the site), online privacy, OPSec and the younger generation with @AdamJLuck. Following that is a short with John Davis. Check it out and let us know your thoughts via Twitter – @lbhuston. Thanks for listening!

You can listen below:

Recently Discovered ICS Vulnerability

Earlier this week, ICS-CERT announced that a new vulnerability was discovered in ICS products made by Endress+Hauser. The vulnerability affects the DTM library used by Endress+Hauser HART-based field devices in the FDT/DTM Frame Application. If a specially crafted packet manages to exploit the vulnerability, the DTM Frame Application will become unresponsive as a result of a buffer overflow. Endress+Hauser has released a security update addressing this issue. Despite the fact that we haven’t observed this vulnerability being exploited in the wild, we highly recommend applying the patch by Endress+Hauser as soon as possible.
To minimize the risk of an ICS device being compromised by an attacker, be sure to consider the following general recommendations:
  • Discover and document – You can’t protect a system if you don’t know it exists. Take some time to identify and document all of the legacy and unsupported operating systems in your network.
  • Isolate – Segmenting the ICS system will reduce the risk of it being compromised by an attacker. Take some time to verify that it is inaccessible from any unnecessary business/user networks.
  • Update and secure – Install all available patches and updates. Be sure that you are notified of any updates to the operating system, firmware and any installed applications.
  • Perform thorough log analysis – Implement some sort of centralized logging platform to ensure you have the ability to detect any anomalies that occur within these systems.
  • Leverage the use of an ICS honeypot – Creating a HoneyPot ICS device will help you discover suspicious activity within your network before it affects a production system.

Just a Quick Thought & Mini Rant…

Today, I ran across this article, and I found it interesting that many folks are discussing how “white hat hackers” could go about helping people by disclosing vulnerabilities before bad things happen. 

There are so many things wrong with this idea, I will just riff on a few here, but I am sure you have your own list….

First off, the idea of a corps of benevolent hackers combing the web for leaks and vulnerabilities is mostly fiction. It’s impractical in terms of scale, scope and legality at best. All 3 of those issues are immediate faults.

But, let’s assume that we have a group of folks doing that. They face a significant issue – what do they do when they discover a leak or vulnerability? For DECADES, the security and hacking communities have been debating and riffing on disclosure mechanisms and notifications. There remains NO SINGLE UNIFIED MECHANISM for this. For example, let’s say you find a vulnerability in a US retail web site. You can try to report it to the site owners (who may not be friendly and may try to prosecute you…), you can try to find a responsible CERT or ISAC for that vertical (who may also not be overly friendly or responsive…) or you can go public with the issue (which is really likely to be unfriendly and may lead to prosecution…). How exactly do these honorable “white hat hackers” win in this scenario? What is their incentive? What if that web site is outside of the US, say in Thailand, how does the picture change? What if it is in the “dark web”, who exactly do they notify (not likely to be law enforcement, again given the history of unfriendly responses…) and how? What if it is a critical infrastructure site – like let’s say it is an exposed Russian nuclear materials storage center – how do they report and handle that? How can they be assured that the problem will be fixed and not leveraged for some nation-state activity before it is reported or mitigated?

Sound complicated? IT IS… And, risky for most parties. Engaging in vulnerability hunting has its dangers, and turning more folks loose on the Internet to hunt bugs and security issues also ups the risks for machines, companies and software already exposed to the Internet, since scan and probe traffic is likely to rise, and the skill sets of those hunting may not be commensurate with the complexity of the applications and deployments online. In other words, bad things may rise in frequency and severity, even as we seek to minimize them. Unintended consequences are certainly likely to emerge. This is a very complex system, so it is highly likely to be fragile in nature…

Another issue is the idea of “before bad things happen”. This is often a fallacy. Just because someone brings a vulnerability to you doesn’t mean they are the only ones who know about it. Proof of this? Many times during our penetration testing, we find severe vulnerabilities exposed to the Internet, and when we exploit them – someone else already has and the box has been pwned for a long long time before us. Usually, completely unknown to the owners of the systems and their monitoring tools. At best, “before bad things happen” is wishful thinking. At worst, it’s another chance for organizations, governments and law enforcement to shoot the messenger. 

Sadly, I don’t have the answers for these scenarios. But, I think it is fair for the community to discuss the questions. It’s not just Ashley Madison, it’s all of the past and future security issues out there. Someday, we are going to have to come up with some mechanism to make it easier for those who know of security issues. We also have to be very careful about calling for “white hat assistance” for the public at large. Like most things, we might simply be biting off more than we can chew… 

Got thoughts on this? Let me know. You can find me on Twitter at @lbhuston.

Ransomware

As many of you may have heard, businesses throughout the world have seen an increase in ransomware being used against them. What should businesses do to help prevent this sort of extortion from happening to them? This is what we will attempt to answer with this posting.

We have all heard the old adage “an ounce of prevention is worth a pound of cure”; nothing could be truer, especially for this particular situation! So let’s go over some of the preventative steps that your organization may follow before you become infected with ransomware:

  • User education and training! Start off with end-user education, you know, the people who are actually going to see these sorts of attacks. Let’s not focus on just a select few like your sys-admins, but rather the entire organization. Everyone has a part in keeping your business secure and education is the key.
  • As part of the education of the end-users, let them know who to contact if they see something suspicious, whether that is your help desk or someone who is designated for your organization to help guide them through the process of what to do. The end-users have to be able to recognize that something has occurred in order for them to report it in the first place.
  • Organizations should enforce the least privilege methodology. This is a way to grant only the minimum amount of access to files that the person needs to perform their job-related duties. If a person does not need read/write access to certain files, don’t grant it. This will help keep the ransomware from doing the same, since it works with the privileges of the person who is logged in at the time and encrypts the files that the person has read/write access to.
  • Most organizations now configure their email servers to prohibit them from sending or receiving executable files. Make sure yours does too. The real issue here is macros that are enabled when sent with a document, as this is a potential attack vector for this and other types of malware.
  • Patch your software to the most current version. By not doing so you may be leaving the door open for a variety of malware to take advantage of your company. The malware will exploit flaws in the older versions of software that your company uses. We have seen time and time again where businesses aren’t aggressively keeping their software updated to the latest version and they are targeted by threat actors as a result.
  • If possible, restrict the execution of programs from temp folders in a user’s profile. For example, “c:\users\<username>\folder\temp”. What do I mean by this? If a virus, or ransomware in this case, were to attempt to use a temp folder as the first execution point, it would be blocked from doing so by Group Policy Objects. So you effectively nix the ransomware before it has had a chance to infect your computer!
  • Organizations should consider implementing some sort of web filtering such as keeping track of blacklisted IP addresses or domains.
  • Whatever antivirus solution your company employs please ensure that they are updated with the latest virus definitions to increase their effectiveness. A company could even consider having different antivirus products for different purposes, such as having one product for desktops and another for email. That way the company is ensuring that there is some degree of overlap in their antivirus coverage!
  • Adobe’s Flash should be disabled at this point, as it really has been a very popular infection vector for ransomware. Disabling it would greatly reduce the amount of infection vectors available to would-be attackers.
  • Lastly, backups are really the only way to restore functionality to the affected systems once they have been compromised, provided a backup process already exists in your organization and that the backups are checked for completeness. This way, if you do need to use your backups, they will get you back on your feet as soon as possible with the least amount of downtime.
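The temp-folder execution restriction from the list above, as an added example that is not from the original post or from MSI: a PowerShell script that writes an AppLocker executable rule collection denying launches from every user's AppData\Local\Temp folder, keeps AppLocker's three default allow rules so the machine stays usable, applies the policy locally in audit mode, and dry-runs the decision against a constructed probe file. The rule names, the policy file location, the probe filename and the exact temp path (the post only gives a generic placeholder path) are assumptions; importing the same XML into a GPO rolls the rule out fleet-wide.

```powershell
# Added example, not part of the original post: AppLocker path rules that deny
# running executables from each user's profile Temp folder. Run from an
# elevated PowerShell on a Windows edition that supports AppLocker enforcement.
# File location, rule names and the probe filename are assumptions.

$policyPath = Join-Path $env:ProgramData 'applocker-deny-user-temp.xml'

# Rule Ids only need to be unique GUIDs.
$allowProgramFiles = [guid]::NewGuid()
$allowWindows      = [guid]::NewGuid()
$allowAdmins       = [guid]::NewGuid()
$denyUserTemp      = [guid]::NewGuid()

# EnforcementMode="AuditOnly" records what WOULD be blocked (event ID 8003 in the
# "Microsoft-Windows-AppLocker/EXE and DLL" log) without blocking it; change it
# to "Enabled" once the audit log shows no legitimate software in the denied set.
# The three "(Default)" Allow rules matter: an enforced collection that holds
# only a Deny rule blocks every executable that no Allow rule covers.
# Deny rules win over Allow rules, so the Temp deny also applies to admins.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$allowProgramFiles" Name="(Default) Allow Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$allowWindows" Name="(Default) Allow Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$allowAdmins" Name="(Default) Allow Administrators everything"
                  Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$denyUserTemp" Name="Deny executables in user profile Temp"
                  Description="Blocks malware that stages itself in AppData\Local\Temp"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\Temp\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# AppLocker evaluates nothing unless the Application Identity service is running.
# sc.exe is used because the service is protected from Set-Service on current builds.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Merge the rules into the effective local policy; existing rules are kept.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Dry-run the decision: an empty, never-executed probe file in this user's Temp
# folder (constructed for the check) next to a known-good system binary.
$probe = Join-Path $env:LOCALAPPDATA 'Temp\constructed-probe.exe'
New-Item -ItemType File -Path $probe -Force | Out-Null
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path $probe, "$env:WINDIR\System32\notepad.exe" |
    Select-Object FilePath, PolicyDecision, MatchingRule
Remove-Item -Path $probe -Force

# Detection side: 8003 (audit-mode "would have blocked") and 8004 (blocked)
# land here; forward this log to the central logging platform.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

The probe should report a PolicyDecision of Denied with the Temp rule as its MatchingRule, while notepad.exe is Allowed by the Windows folder rule. Leaving the collection in AuditOnly for a week or two before switching to Enabled is the safe order of operations, since some installers and updaters legitimately run from Temp and will show up as 8003 events that need an explicit publisher or hash allow rule first.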

As always, the education of all of your employees is key to preventing this or any other sort of security-related incident before it happens, as is effective communication both before a security incident starts and during the response/recovery process.