3 Things Security Vendors Wished CIOs Knew

Posted on by
1

Brent Huston, CEO and Founder of MicroSolved, answered a few questions regarding CIO’s and information security. If Brent could speak to a room full of CIO’s, these are a few things he’d share:

1)  CIOs are often unaware of what assets their organization have and how are they protected.

One problem we continually run into is the CIO folks know what the assets are they have, what’s critical and what isn’t. Often, they don’t have a good feel for the lifecycle of that critical data. Knowing what they have and how they currently protect it is a huge step forward for a CIO.

Does that have to be the ability to whip out a map? In a perfect world, yes. It just means the CIO needs to be able to reiterate to the vendor particularly when we’re talking about nuanced protection. And if we’re talking about penetration testing, why not consider this: instead of talking about penetration testing the whole environment, let’s test the stuff that matters. CIOs need to effectively and clearly communicate where that stuff is that matters. The systems it interacts with and what controls are in place today is what we need to focus on for testing or leverage them to do detection.

2)  A lot of CIOs don’t have any idea of what their real threat profile looks like.

When you talk to a CIO about the threat, their image of a threat is either script kiddies sitting in the basement of their mom’s house, or they’re so deeply entrenched in the cyber-crime thing that they think of it as credit card theft. They haven’t reached the level where they have any measurement or understanding of the different levels of threats that are focused on them — and how their responses would vary. The problem is they then treat all threats as the same. 

You expend the resources at a continual burn rate, so you’re probably using more resources than what you need, and then, when something really bad happens (because they’re used to treating it like a minor thing), they don’t feel like they need to pay attention. I’d love to see a CIO grow their attention to the threat profile and be able to communicate that upwards and to us as a vendor. 

3)  Some CIOs don’t understand the organization’s appetite for risk.

This is probably the hardest one. I love to meet with CIOs who already know their organization’s appetite for risk.  It seems like many organizations, even those who should be far enough along and mature and understand an appetite for risk (I’m talking about critical infrastructures, here), don’t understand it.  They have no way to quantify or qualify risk and decide what is acceptable and what isn’t. There may be complex policies in place and there are exceptions, but many CIO’s don’t have a clear “line in the sand” to help them determine what to respond to.

These kinds of initiatives are growing, but that’s one of those things that separates a mature, security-focused organization, and a risk-focused organization from folks who haven’t moved into more of a risk and threat management interface. Many folks still are managing at a vulnerability layer, i.e. “If X vendor releases a Y patch, and I need the Z team to apply it, then I’ll do it.” They think that’s the extent of their security effort. 

 

To consider your security posture, why not take a look at our “80/20 Rule for Information Security” page? Did you know that 80% of an organizations’ real information security comes from only 20% of the assets and effort put into the program? These 13 security projects will give your organization the most effective information security coverage for the least expenditure of time and resources.

Contact us if you have questions! We’ve seen how these projects have helped our clients and would love to help you!

“Ask the Information Security Experts” Series

Posted on by
2

We’re starting a new series: “Ask the Security Experts.” We’ll pose an information security question and our panel of experts will do their best to answer.

 

Our panel:

  • Adam Hostetler, Network Engineer, Security Analyst
  • Phil Grimes, Security Analyst

Our question:

There’s been a lot of attention lately about the leaking of passwords from sites like LinkedIn, Yahoo, Match.com, last.fm and others. What is the ONE THING that users of a site should do when these kinds of leaks happen? Each of you has such a wide variety of skills and focus, so what would you tell your Mom to do if she asked about this?

Adam: 
Figure out which sites you are using the same password on. Go to these sites and change them, use a unique password for each site. Keep these passwords in a password vault, such as KeePass or LastPass, with a strong master password.

Phil: 
Well, since NONE of our users should be reusing passwords, they should use their password vault tool to generate a new, strong password for the site(s) in question, change the password in their password manager, then change the password in the site itself. Also, take advantage of the password aging features of the password vault to remind you to change passwords on a regular basis. But changing the password of the affected site is the most critical thing, closely followed by NOT reusing passwords on multiple sites. 

There you have it! The bad guys will always try to find ways to cause trouble. Don’t make it easy for them. Use the tools mentioned and keep your data safe!

Smart Grid Security is Getting Better – But Still Has Ways to Improve

Posted on by
1

Our testing lab has spent quite a bit of time over the last several years testing smart grid devices. We are very happy to say that we are seeing strong improvement in the general security controls in this space.

Many of the newer smart grid systems we are testing have implemented good basic controls to prevent many of the attacks we used to see in these devices in the early days of the smart grid movement. Today, for example, most of the devices we test, have implemented at least basic controls for firmware update signing, which was almost unheard of when we first started testing these systems years ago. 

Other improvements in the smart grid systems are also easily identifiable. Cryptographic protocols and hardened system configurations are two more controls that have become pretty well standard in the space. The days of seeing  silly plain-text protocols between the field devices or the field deployments and the upstream controls systems are pretty well gone (there are still SOME, albeit fewer exceptions…).
 
Zigbee and communications of customer premise equipment to the smart grid utility systems is getting somewhat better (still little crypto and a lot of crappy bounds checking), but still has a ways to go. Much of this won’t get fixed until the various protocols are revised and upgraded, but some of the easy, low hanging vulnerability fruit IS starting to get cleaned up and as CPU capability increases on customer devices, we are starting to see more folks using SSL overlays and other forms of basic crypto at the application layer. All of this is pretty much a good thing. 
 
There are still some strong areas for improvement in the smart grid space. We still have more than a few battles to fight over encryption versus encoding, modern development security, JTAG protection, input validation and the usual application security shortcomings that the web and other platforms for app development are still struggling with.
 
Default passwords, crypto keys and configurations still abound. Threat modeling needs to be done in deeper detail and the threat metrics need to be better socialized among the relevant stakeholders. There is still a plethora of policy/process/procedure development to be done. We need better standards, reporting mechanisms, alerting capabilities, analysis of single points of failure, contingency planning and wide variety of devices and applications still need to be thoroughly tested in a security lab. In fact, so many new applications, systems and devices are coming into the smart grid market space, that there is a backlog of stuff to test. That work needs to be done to harden these devices while their footprint is still small enough to manage, mitigate and mature.
 
The good news is that things are getting better in the smart grid security world. Changes are coming through the pipeline of government regulation. Standards are being built. Vendors are doing the hard, gut check work of having devices tested and vulnerabilities mitigated or minimized. All of this, culminates in one of the primary goals of MicroSolved for the last two decades – to make the world and the Internet safer for all of you.
 
As always, thanks for reading and stay safe out there!

3 Ways to Minimize Reputational Risk With Social Media

Posted on by
1

You have employees who are addicted to social media, updating their status, sharing everything from discovering a helpful business link to where they went for lunch. However, they also may be broadcasting information not intended for public consumption.

One of the most difficult tasks for an organization is conveying the importance of discretion for employees who use social media. Not only are organizations at risk from having their networks attacked, but they must protect their reputation and proprietary ideas. What makes these two areas difficult to protect is their mobile nature. Ideas are invisible and have a habit of popping into conversations – and not always with the people who should be hearing them. They can get lost or stolen without anyone knowing they’re even gone. Suddenly, you find your competitor releasing a great product to your market that you thought was yours alone.

If you want to decrease reputational risk, you have a few options. Initiate some guidelines for employees. Send friendly reminders from newsworthy “social-media-gone-bad” stories. The more employees know where an organization stands in regard to safe social media use, the more they can be smart about using it. Here are three basic rules to help them interact safely:

1. Don’t announce interviews, raises, new jobs, or new projects.

Talking about any of these sensitive topics on social networking sites can be damaging. If an employee suddenly announces to the world that they’re working on a new project with XYZ Company, there’s a good chance the news will be seen by a competitor. You may see them in the waiting room of your client on your next visit. One caveat: If you’re hiring, it’s a good thing. Your organization will be seen as successful and growing. However, those types of updates are usually best left to the HR department.

2. Don’t badmouth current or previous employers.

It’s good to remember what mom used to say, “If you don’t have anything positive to say, then say nothing at all.” The Internet never forgets. When an employee rants about either their past employer, or worse – their current one, it can poison a customer’s view of the organization. Nothing can kill the possibility of a new sale than hearing an employee broadcast sour grapes. If this is a common occurrence, it can give the image of a badly managed company. This isn’t the message to send to either customers or future employees.

3. Stay professional. Represent the organization’s values well.

Employees are often tempted to mix their personal and work information together when using social media. Although many times, such information can be benign, you don’t want to hear about an employee’s wild night at the local strip club. There are mixed opinions among experts whether an employee should establish a personal account, separate from their work life.

Emphasize your organization’s values and mission. Ask employees to TBP (Think Before Posting). Social media can be a good experience as long as its done responsibly. With some timely reminders, reputational risk will be drastically reduced.

Malware Alert: Will You Lose Your Internet Access On Monday?

Posted on by
1

We’re always keeping our eyes and ears open when it comes to malware. If you’ve not heard of this report before now, it would be good to check your computer to see if it has been infected with a nasty piece of malware whose creators were finally caught and shut down by the FBI late in 2011.

From AllThingsD:

Next week, the Internet connections of about a quarter-million people will stop working because years ago their computers became infected with malware.

The malware is called DNSChanger, and it was the centerpiece of an Internet crime spree that came to an end last November when the FBI arrested and charged seven Eastern European men with 27 counts of wire fraud and other computer crimes. At one point, the DNSChanger malware had hijacked the Internet traffic of about a half-million PCs around the world by redirecting the victims’ Web browsers to Web sites owned by the criminals. They then cashed in on ads on those sites and racked up $14 million from the scheme. When the crackdown came, it was hailed as one of the biggest computer crime busts in history.

Complete Article

The listed site for checking if you have the malware is (not surprising) getting slammed. Try to refresh the address a few times and it will show you if your system is infected or not, plus will give you a link for how to fix your site.

Here’s to seeing “green” for everyone!

Got Disaster Recovery?

Posted on by
Reply

As the recent heavy storms in the Midwest has brought to my attention in a personal way — even the best laid plans can have weaknesses. In my case, it was an inconvenience, but a good lesson.

I got a reminder about cascading failures in complex systems via the AT&T data network collapse (thanks to a crushed datacenter), as well as a frontline wake-up call about the importance of calculating generator gasoline supplies properly. 

So, while you read this, I am probably out adding 30 gallons to my reserve. Plus, working on a “lessons learned” document with my family to more easily remember the things we continually have to re-invent every time there is a power outage of any duration. 

I share with you these personal lessons for a couple of reasons. First, I hope you’ll take a few moments and update/review your own personal home plans for emergencies. I hope you’ll never need them, but knowing how to handle the basics is a good thing. Then move on to how you’ll manage trivialities of personal comfort like bandwidth, coffee & beer. 🙂

Lastly, I hope you take time and review your company’s DR/BC plans as well. Now might be a good time to do exactly what I hope AT&T, Amazon, Netflix, Instagram, etc. are doing and get those plans back in line with attention to the idea that failures can and often do, cascade. This wasn’t an earthquake, tsunami or hurricane (though we did have 80+ mph winds) – it was a thunderstorm. Albeit, a big thunderstorm, but a thunderstorm nonetheless. We can do better. We should expect better. I hope we all will get better at such planning. 

As always. thanks for reading and until next time, stay safe out there. 

PS – The outpouring of personal kindness and support from friends, acquaintances and family members has been amazing. Thank you so much to all of the wonderful folks who offered to help. You are all spectacular! Thank you!

Audio Blog Post: Defensive Fuzzing and MSI’s Patent

Posted on by
1

What goes into getting a patent? The answer would be: a lot of work! Brent Huston, CEO and Founder of MicroSolved, Inc., talks with Chris Lay, Account Executive, about MSI’s first patent for HoneyPoint’s defensive fuzzing capability. In this audio blog post, you’ll learn:

  • What is the patent about?
  • What is defensive fuzzing?
  • What went into the patent process?

Grab a drink and take a listen. As always, let us know what you think!

Click here to listen.

And don’t forget, you can follow Brent Huston on Twitter at @lbhuston and Chris Lay at @getinfosechere!

Audio Blog Post: MicroSolved Inc. Labs

Posted on by
1

Brent Huston, CEO and Founder of MicroSolved, Inc., talks with Chris Lay, Account Executive, about MicroSolved’s lab. In this audio blog post, you’ll learn:

  • Some of the things we’re testing now
  • The types of operating systems we’re testing
  • Brent’s favorite “testing” story

Grab a drink and take a listen. As always, let us know what you think!

Click here to listen.

And don’t forget, you can follow Brent Huston on Twitter at @lbhuston and Chris Lay at @getinfosechere!

Audio Blog Post: Malware Trends

Posted on by
1

Brent Huston, CEO and Founder of MicroSolved, Inc., discusses with Chris Lay, Account Executive, the new malware trends and a new perspective needed in dealing with attacks. In this audio blog post, you’ll learn:

  • How language is making a difference
  • How the attackers are getting more clever
  • What infected USB keys are now doing
  • What is ‘Flame’?
  • What to do when you identify malware in your organization

Grab a drink and take a listen. As always, let us know what you think!

Click here to listen.

And don’t forget, you can follow Brent Huston on Twitter at @lbhuston and Chris Lay at @getinfosechere!

MicroSolved, Inc. Receives U.S. Patent For HoneyPoint Defensive Fuzzing InfoSec Tool

Posted on by
1

MicroSolved, Inc. is pleased to announce that they have received a U.S. Patent (8,196,204 B2) on June 5, 2012, on technology components of their product HoneyPoint Security Server. This technology, known as “defensive fuzzing,” and the improvement mechanisms associated with it are a core component of creating self-defending implementations with HoneyPoint. 

The defensive fuzzing mechanism allows a computer network’s HoneyPoints to listen for an incoming connection from an attacker, and then disrupt that connection by tampering with the expected responses — in essence “fuzzing” the conversation. In many cases, this can confuse or crash the attacker’s tools or malware, limiting their capability to perform further attacks or damage.

The patent also covers a quality improvement technique for HoneyPoint technology. As the defensive fuzzing occurs, HoneyPoint tracks how successful it was with a given fuzzing technique. It has the ability to share that knowledge among various HoneyPoints so that as the system gets better with defensive fuzzing, the entire distributed system gets better at protecting the user’s environment.

This feature of MSI’s HoneyPoint detection system takes a passive defense and turns it into an active defense that can protect itself without human intervention.

“At MSI, we are truly committed to helping organizations protect their information assets, and we see this patent on defensive fuzzing as the next logical extension in helping organizations achieve high levels of protection with lower levels of resource requirements,” said Brent Huston, CEO and Founder of MicroSolved, Inc. “We are truly dedicated to extending even further in the future, the capability for organizations to defend their intellectual property.”

For more information about HoneyPoint, please visit our HoneyPoint webpage. To learn more about MicroSolved, Inc., visit wwww.microsolved.com.