Three Things That Need Spring Cleaning in InfoSec

Spring is here in the US, and that brings with it the need to do some spring cleaning. So, here are some things I would like to see the infosec community clean out with the fresh spring air!

1. The white male majority in infosec. Yes, I am a white male, also middle aged…. But, seriously, infosec needs more brains with differing views and perspectives. We need a mix of conservative, liberal and radical thought. We need different nationalities and cultures. We need both sexes in equity. We need balance and a more organic talent pool to draw from. Let’s get more people involved, and open our hearts and minds to alternatives. We will benefit from the new approaches!

2. The echo chamber. It needs some fresh air. There are a lot of dropped ideas and poor choices lying around in there, so let’s sweep that out and start again. I believe echo chamber effects are unavoidable in small focused groups, but honestly, can’t we set aside our self-referential shouting, inside jokes, rock star egos and hubris for just one day? Can’t we open a window and sweep some of the aged and now decomposing junk outside? Then, maybe, we can start again with some fresh ideas and return to loving/hating each other in the same breath. As a stop gap, I am nominating May 1, a Friday this year, as Global Infosec Folks Talk to Someone You Don’t Already Know Day (GIFTTSYDAKD). On this day, ignore your peers in the echo chamber on social media and actually go out and talk to some non-security people who don’t have any idea what you do for a living. Take them to lunch. Discuss their lives, what they do when they aren’t working, how security and technology impacts their day to day. Just for one day, drop out of the echo chamber, celebrate GIFTTSYDAKD, and see what happens. If you don’t like it, the echo chamber can come back online with a little fresh air on May 2 at 12:01 AM EST. How’s that? Deal? 🙂

3. The focus on compliance over threats. Everyone knows in their hearts that this is wrong. It just feels good. We all want a gold star, a good report card or a measuring stick to say when we got to the goal. The problem is, crime is an organic thing. Organic, natural things don’t really follow policy, don’t stick to the script and don’t usually care about your gold star. Compliant organizations get pwned – A LOT (read the news). Let’s spring clean the idea of compliance. Let’s get back to the rational idea that compliance is the starting point. It is the level of mutually assured minimal controls, then you have to build on top of it, holistically and completely custom to your environment. You have to tune, tweak, experiment, fail, succeed, re-vamp and continually invest in your security posture. FOREVER. There is no “end game”. There is no “Done!”. The next “bad thing” that visits the world will be either entirely new, or a new variant, and it will be capable of subverting some subset or an entire set of controls. That means new controls. Lather, rinse, repeat… That’s how life works. To think otherwise is irrational and likely dangerous.

That’s it. That’s my spring cleaning list for infosec. What do you want to see changed around the infosec world? Drop me a line on Twitter (@lbhuston) and let me know your thoughts. Thanks for reading, and I hope you have a safe, joyous and completely empowered Spring season!

Patch for MS15-034 RIGHT NOW!

If you have exposed IIS servers or internal ones as well, pay attention to MS15-034.

Accelerate this patch to immediate. Don’t wait for patching windows, SLAs or maintenance periods. Test the patch, sure, but get it applied ASAP.

This is a remotely executable vulnerability without authentication. It affects a wide range of Windows systems. It offers trivial denial of service exploitation and the bad guys are hard at work building click and drool tools for remote code execution. The clock is ticking, so please, accelerate this patch if possible.

For any additional information or assistance, please contact your account executive or drop us a line via info@microsolved.com.

Thanks and stay safe out there! 

Ideas for New MSI Classes, A Poll…

OK folks, here is a quick poll around some of the classes we are considering teaching later this year. We would like your input as to which topics interest you the most. 

If you would like to share your opinions, and tell us your areas of interest, please feel free to either email us the top 3 choices of classes and content you would like to see us focus on, to info@microsolved.com or via Twitter (@lbhuston). The numbers of your choices will suffice.

If you have other ideas you would like to see, please let us know. 

Our idea list:

  1. Honeypots for ICS/SCADA
  2. Basic honeypots for detection
  3. Tampering with active attackers
  4. Tracing international attackers
  5. Social media investigations
  6. Pen-testing REST APIs with Xojo
  7. Mapping business processes to technology & security
  8. Passive assessment techniques
  9. Deep dive research techniques
  10. Mapping TOR hidden sites

Thanks for reading and for sharing your opinions! 

HoneyPoint as a Tool for Device Inventory

Another clever use for HoneyPoint™ Agent, running on a Linux system without SMB components, is to have the system listen on the Windows SMB ports (135-139 & 445). The HoneyPoint will then inventory the Windows machines and other SMB-speaking tools that attempt to contact it. Since this traffic is pretty routine, it will serve as an inventory mechanism for these types of systems on the local collision domain, or other “same-as-on-the-LAN” segments.

Running HoneyPoint in this fashion has been very useful to several of our ICS customers and has allowed them a quick, and most importantly, passive way to identify hosts on the same segment. No probes or scans needed! 
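The passive inventory idea described above can be sketched with a plain TCP listener. This is an added example, not HoneyPoint code or anything from MicroSolved; the class name `PassiveInventory` and its methods are hypothetical, and it covers TCP only (NetBIOS name and datagram traffic on 137/138 is UDP).

```python
import selectors
import socket
import time

# Ports named in the post. Binding them needs root, and the host must not run Samba.
SMB_PORTS = (135, 136, 137, 138, 139, 445)

class PassiveInventory:
    """Accept-and-drop TCP listener that records who connected and to which port."""

    def __init__(self, host="0.0.0.0", ports=SMB_PORTS):
        self.seen = {}  # source IP -> {"first", "last", "ports", "hits"}
        self.sel = selectors.DefaultSelector()
        self.listeners = []
        for port in ports:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((host, port))
            s.listen(32)
            s.setblocking(False)
            self.sel.register(s, selectors.EVENT_READ)
            self.listeners.append(s)

    def bound_ports(self):
        return [s.getsockname()[1] for s in self.listeners]

    def poll(self, timeout=1.0):
        """Record pending connections without sending data; return how many were seen."""
        count = 0
        for key, _ in self.sel.select(timeout):
            try:
                conn, (ip, _sport) = key.fileobj.accept()
            except OSError:
                continue
            conn.close()  # no application data is ever sent to the peer
            now = time.time()
            rec = self.seen.setdefault(
                ip, {"first": now, "last": now, "ports": set(), "hits": 0})
            rec["last"] = now
            rec["ports"].add(key.fileobj.getsockname()[1])
            rec["hits"] += 1
            count += 1
        return count

    def close(self):
        for s in self.listeners:
            self.sel.unregister(s)
            s.close()
        self.sel.close()

if __name__ == "__main__":
    inv = PassiveInventory()
    while True:  # print each newly seen host once
        before = set(inv.seen)
        inv.poll()
        for ip in set(inv.seen) - before:
            print(ip, sorted(inv.seen[ip]["ports"]))
```

Each entry in `seen` keeps first and last contact times, so hosts that stop appearing can be told apart from ones that are still active on the segment.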

Give us a call today at (614) 351-1237 or email us at info@microsolved.com if you want to discuss how HoneyPoint might be used in your environment. We look forward to talking with you, and as always, thanks for reading! 

MSI Launches TigerTrax Network Discovery, Mapping & Analysis Service

We are proud to announce the immediate availability of an entirely new service offering in our security tool kit, made possible by TigerTrax™.

This service offering leverages the power of MSI’s proprietary TigerTrax analytics platform to parse, correlate and visualize the configurations (and, if desired, packet logs) from the routers, switches and firewalls of your network “en masse”.

Our security and analytics teams then create detailed maps of the network as seen from the eyes of the machines, document the various network segments and their relationships, build a hierarchy of powerful machines and segments, identify hardening techniques that could help your organization better secure your network and provide insights into the gap between your organization’s “common wisdom” versus the real environment.

We can even teach “Close The Gap” sessions to help re-align your team’s “common wisdom” with “machine truth” and to help socialize the new knowledge to other groups.

How it works:

  • The client delivers the configuration and log files as needed for the service. MSI can assist with this step, if needed, at an additional hourly consulting fee.
  • The offering uses TigerTrax to perform automated analysis of the configuration and log files as needed – holistically, systemically and “en masse”. 
  • Various data points are delivered to the analysts and security team who then create the documentation, maps and reports. Visualized data is also generated using the TigerTrax platform where appropriate.
  • Any professional services, such as interviews/questionnaires, gap analysis and training are provided by MSI team members using our proprietary delivery methodologies.
  • Completely passive, offline analysis is perfect for critical networks.

Three different levels of service are available, as are single, one-time engagements (perfect for M&A activities, and new IT management) or ongoing subscriptions that allow organizations to track changes and maintain knowledge over time. The highest level of service also includes 30 days’ worth of packet analytics to identify overtly compromised hosts and to determine “normal operating conditions”, which is often quite useful for incident response activities in the future.
 
Give us a call today at (614) 351-1237 or email us at info@microsolved.com to start a conversation about how we can help you know the truth about your network!

State Of Security Podcast Episode 3 is Now Available

Episode 3 of the podcast is now available!

In this edition, I sit down with Bill @Sempf to discuss application security, working with development teams and how to get security and dev folks on the same page. Bill goes so far as to recommend a simple 2 step process that you simply have to hear!

Check it out:

And give us feedback on Twitter (@lbhuston) about this and all other episodes or ideas you have about what you would like us to cover. Thanks for listening!  

NanoCore RAT

It’s been discovered that a Remote Access Trojan (RAT) named NanoCore has been cracked again. These cracked copies are being heavily distributed via the deep and dark web. Due to the fact that malicious actors are now able to obtain this RAT for free, there has been a spike of observed NanoCore infections. For example, it was recently reported that the cracked copies are being leveraged in phishing attacks against energy companies. Unfortunately, we anticipate that the attempted use of this RAT will increase over the next few weeks.

However, there is some good news regarding the spread of NanoCore. First, the observed methods for deploying this malware do not seem to be very complicated. The attacks appear to be leveraging basic e-mail phishing which can be prevented by tuning spam filters and performing security awareness training with staff. Second, the attacks appear to be attempting to exploit vulnerabilities that are 2-3 years old. Your organization’s workstations should already have patches installed that will prevent the malware from being deployed. Finally, several commercial IDS/IPS systems are already able to detect this RAT. To ensure that your organization is protected, be sure to verify that your IDS/IPS/AV signatures are up to date.

We are more than happy to answer any questions that you might have about this RAT. Feel free to contact us by emailing <info> at microsolved.com.

3 Things I Learned Talking to InfoSec People About Crime

Over the last several years, I have given many many talks about the behavior of criminal rings, how the criminal underground operates and black market economics. I wanted to share with my audiences some of the lessons I have learned about crime. Many people responded well and were interested in the content. Some replied with the predictable, “So what does this have to do with my firewall?” kind of response. One older security auditor even went so far as to ask me point blank “Why do you pay attention to the criminals? Shouldn’t you be working on helping people secure their networks?”  I tried to explain that understanding bad actors was a part of securing systems, but she wouldn’t hear of it…

That’s OK. I expected some of that kind of push back. Often, when I ask people what they want to hear about, or where my research should go, the responses I get back fall into two categories: “more of the same stuff” and “make x cheaper”, where x is some security product or tool. Neither is what I had in mind… 🙂 

Recently, I announced that I was taking this year off from most public speaking. I don’t think I will be attending as many events or speaking beyond my podcast and webinars. Mostly, this is to help me recover some of my energy and spend more time focused on new research and new projects at MicroSolved. However, I do want to close out the previous chapter of my focus on Operation Aikido and crime with 3 distinct lessons I think infosec folks should focus on and think about.

1. Real world – i.e. “offline” crime – is something that few infosec professionals pay much attention to. Many of them are unaware of how fraud and black markets work, how criminals launder money/data around the world. They should pay attention to this, because “offline” crime and “online” crime are often strongly correlated and highly related in many cases. Sadly, when approached with this information – much of the response was – “I don’t have time for this, I have 156,926 other things to do right now.”

2. Infosec practitioners still do not understand their foes. There is a complete disconnect between the way most bad guys think and operate and the way many infosec folks think and operate. So much so, that there is often a “reality gap” between them. In a world of so many logs, honeypots, new techniques and data analysis, the problem seems to be getting worse instead of better. Threat intelligence has been reduced to lists of IOCs by most vendors, which makes it seem like knowledge of a web site URL, hash value or IP address is “knowing your enemy”. NOTHING could be farther from the truth….

3. Few infosec practitioners can appreciate a global view of crime and see larger-scale impacts in a meaningful way. Even those infosec practitioners who do get a deeper view of crime seem unable to formulate global-level impacts or nuanced influences. When asked how geo-political changes would impact various forms of crime around the world, more than 93% of those I polled could only identify “increases in crime” as an impact. Only around 7% of those polled could identify specific shifts in the types of crime or criminal actors when asked about changes in the geo-political or economic landscapes. Less than 2% of the respondents could identify or correlate accurate trends in response to a geo-political situation like the conflict in Ukraine. Clearly, most infosec folks are focused heavily ON THEIR OWN STUFF and not on the world and threats around them.

I’m not slamming infosec folks. I love them. I want them to succeed and have devoted more than 20 years of my life to helping them. I will continue to do so. But, before I close my own chapter on this particular research focus, I think it is essential to level set. This is a part of that. I hope the conversation continues. I hope folks learn more and more about bad actors and crime. I hope to see more people doing this research. I hope to dig even deeper into it in the future.

Until then, thanks for reading, stay safe out there, and I will see you soon – even if I won’t be on stage at most events for a while. 😉

PS – Thanks to all of the wonderful audiences I have had the pleasure to present to over the years. I appreciate and love each and every one of you! Thanks for all the applause, questions and, most of all, thanks for being there!

How to Make InfoSec Infographics

Infographics are everywhere! And people either love them or hate them.

That said, many security teams have been asking about building infographics for awareness or communicating threat data to upper management in quick easily-digestible bites. To help with that, we thought we would tell you what we have learned about how to make infographics – as a best practice – so you won’t have to suffer through the mistakes we and others in the security field have already made. 🙂

So, at a high level, here is what you need to know about making infographics on security topics:

What are infographics & why are they useful?

Infographics are a visual representation of data and information; they are a quick way to look at a lot of in-depth information and get a clear understanding of it. They are used to communicate data in a way that is compact and easy to comprehend and also provide an easy view of cause and effect relationships. Infographics are visually appealing and are composed of three elements:
– visual (color, graphics, reference icons)
– content (time frame, statistics, references)
– knowledge (facts)

Best practices for building infographics: 

– Simplicity: clean design that is compact and concise with well organized information
– Layout: Maximum of 3 different fonts
– Colors: choose colors that match the emotions you are trying to convey. The background should blend with the illustrations
– Boundaries: limit the scope of your information. Attention span is short so try to answer only one question per infographic

The main best practice we have learned is: Keep It Simple! Focus on just a few salient points and present them in interesting tidbits. Use templates; they are available all over the web for your publishing or office platform. Remember, the purpose of infographics is to pique interest in a discussion, not serve as the end-all, be-all of presenting data to the audience.

Let us know your success stories or tell us what you have learned about infographics on Twitter (@lbhuston or @microsolved). Thanks for reading!

Using TigerTrax During the Pre-Negotiation Phase of an M&A

Throughout my career, I have worked for organizations that have purchased and integrated 4 companies. The acquired companies ranged from an organization with revenues of less than $3 million per year to a publicly traded company with annualized revenues of almost $1 billion. While the acquisitions all carried their own set of challenges, they remain among the highlights of my career.

Unfortunately, TigerTrax did not exist while I was working to integrate the IT systems of the aforementioned organizations. However, if it had, the entire process would have been significantly easier to manage. Our clients frequently leverage TigerTrax during each phase of the M&A process. However, I think they find the most value during the pre-negotiation phase. TigerTrax has helped our clients identify everything from an organization’s breach history to employee morale. All of this valuable intelligence can be obtained before an offer is made.

Here are a few other ways that TigerTrax is commonly used during the pre-negotiation phase of an M&A:

  • Using data obtained during a passive network assessment to help understand the security posture and technology footprint of the organization
  • Identifying whether the organization has been recently targeted by attackers or is demonstrating any indicators of compromise
  • Obtaining a list of key players associated with the company along with determining whether or not they are affiliated with any organizations or activities that could harm your company’s reputation
  • Discovering any legal, reputational, financial or operational risks associated with the prospective company

If you have any questions about how you can leverage TigerTrax to gather intelligence to help reduce the risk associated with the M&A lifecycle, feel free to contact us by emailing <info> at microsolved.com.