Follow Up to Out of Band Authentication Post

Posted on by
2

(This is a commentary follow up to my earlier post, located here.)

A couple of folks have commented on Twitter that they have a fear of using SMS for any sort of security operations. There have been discussions about the insecurity of SMS and the lack of attention to protecting the cellular network by carriers around the world. I generally disagree with blanket statements, and I would push for organizations considering SMS as a means of authentication to undertake a real risk assessment of the process before they jump in.
 
However, if the controls in place in the cell networks meet their appetite for risk, then I think it is a perfectly acceptable business case. It certainly beats in-band simple authentication mechanisms like “pictures of trust” and traditional login/password as a security control.
 
At least in SMS authentication, the attacker would usually need to have control over or access to more than one device belonging to the user. I think this helps make the risk model more acceptable for my views.
 
Other folks discussed how Out of Band Authentication (OOBA) has been done now successfully in many places. I agree with this. We know how to do it. There are a LOT of vendors out there who can successfully integrate, deploy and manage a solution for you. Sadly, though, there are still more than a few who are struggling to get it right or done at all. As with most things in life, it helps to do a little research. Organizations should perform due diligence on their vendors and factor vendor risks into the equation of purchases and project planning. 
 
Lastly, a few folks commented on the fact that they, too, are running into speed bumps with deployments and logistics. Several folks echoed the sentiments of the original challenges and few offered suggestions beyond simply “doing more homework” and looking for “quickly scalable solutions”. The good news with this is that you are not alone out there. Other folks are facing AND BEATING challenges. Feel free to reach out to your peers and discuss what is and what isn’t working for them.
 
As per the original post, the more communication and discussion we can have amongst the community about these topics, the better off we all will be. So, discuss, seriously…
 
##Special thanks to the vendors that replied with case studies, references or stories about how they have done integration and deployment. There are a lot of good vendors out there with knowledge in this area. Careful review of their capabilities will help you sort them out from the less capable. Communication is key.
 
Thanks for reading! 

Are You Attending the 2012 ISSA Central Ohio InfoSec Summit?

Posted on by
1

 

If you are in the midwest and can make it to Columbus for the ISSA Summit this year, you owe it to yourself to do so. Great speakers, great content, an amazing location and some of the best folks from around the world, for two days focused on infosec. It’s been amazing the past several years. You can find info online about it here

Some of the things I am looking forward to are getting to hear more from Richard Clarke (I might not always agree with his view, but he is an excellent speaker and a very good man.), and the rest of the speakers. In fact, there is not a speaker on the docket that I don’t think is amazing. We have developer insights, business folks, techno geeks, hackers, auditors and even a few MSI folks. 
 
So, if you can come to town and be here May 17th and 18th, do so. If not, you’ll miss out on what is sure to be an amazing event.
 
Special thanks to the Columbus ISSA team for putting the event together. These folks work really hard to pull it off, and the volunteers on the day of the event go above and beyond to make it all happen. Please take a moment at the event and give them a pat on the back. If something would happen to go wrong, or could be done better, drop them a line in email and they will look at improving it next year. Thank them, in person, for all of the things that go right. Seriously, it helps. Even better, volunteer for the Summit and help them and the community out. It’s a great way to give back for all that the community does for all of us, all year long. 
 
Thanks for reading and we’ll see you at the Summit! 

HoneyPoint Internet Threat Monitoring Environment: An Easy Way to Pinpoint Known Attacker IPs

Posted on by
2

One of the least understood parts of MicroSolved is how the HoneyPoint Internet Threat Monitoring Environment (#HITME) data is used to better protect our customers.

If you don’t know about the #HITME, it is a set of deployed HoneyPoints that gather real world, real time attacker data from around the Internet. The sensors gather attack sources, frequency, targeting information, vulnerability patterns, exploits, malware and other crucial event data for the technical team at MSI to analyze. You can even follow the real time updates of attacker IPs and target ports on Twitter by following @honeypoint or the #HITME hash tag. MSI licenses the data under Creative Commons, non-commercial and FREE as a public service to the security community.

That said, how does the #HITME help MSI better protect their customers? First, it allows folks to use the #HITME feed of known attacker IPs in a blacklist to block known scanners at their borders. This prevents the scanning tools and malware probes from ever reaching you to start with.

Next, the data from the #HITME is analyzed daily and the newest, bleeding edge attack signatures get added to the MSI assessment platform. That means that customers with ongoing assessments and vulnerability management services from MSI get continually tested against the most current forms of attack being used on the Internet. The #HITME data also gets updated into the MSI pen-testing and risk assessment methodologies, focusing our testing on real world attack patterns much more than vendors who rely on typical scanning tools and backdated threats from their last “yearly bootcamp”.

The #HITME data even flows back to the software vendors through a variety of means. MSI shares new attacks and possible vulnerabilities with the vendors, plus, open source projects targeted by attackers. Often MSI teaches those developers about the vulnerability, the possibilities for mitigation, and how to perform secure coding techniques like proper input validation. The data from the #HITME is used to provide the attack metrics and pattern information that MSI presents in its public speaking, the blog, and other educational efforts. Lastly, but certainly not least, MSI provides an ongoing alerting function for organizations whose machines are compromised. MSI contacts critical infrastructure organizations whose machines turn up in the #HITME data and works with them to mitigate the compromise and manage the threat. These data-centric services are provided, pro- bono, in 99% of all of the cases!

If your organization would be interested in donating an Internet facing system to the #HITME project to further these goals, please contact us. Our hope is that the next time you hear about the #HITME, you’ll get a smile on your face knowing that the members of our team are working hard day and night to protect MSI customers and the world at large. You can count on us, we’ve got your back!

Financial Organizations Struggle with Out of Band Authentication

Posted on by
4

Many of our client financial organizations have been working on implementing out of band authentication (OOBA) mechanisms for specific kinds of money transfers such as ACH and wires.

 A few have even looked into performing OOBA for all home and mobile banking access. While this authentication method does add some security to the process, effectively raising the bar for credential theft by the bad guys, it does not come without its challenges.

For starters, the implementation and integration of some of the software designed for this purpose has been a little more difficult than expected by many of the teams working on the projects. We are hearing that in some cases, the vendors are having difficulty integrating into some of the site platforms, particularly those not using .NET. Other platforms have been successful, but over time (and many over budget), the lesson learned is this: communicate clearly about the platforms in use when discussing implementations with potential vendors.
 
Other problems we have been hearing about include: availability issues with the number of outbound phone connections during peak use periods, issues with cellular carriers “losing” SMS messages (particularly a few non-top tier carriers), and integrating solutions into VoIP networks and old-style traditional PBX systems.
 
In many cases, these telephonic and cellular issues have caused the systems to be withdrawn during pilot, even turned off for peak periods during use and other “fit and start” approaches as the rough patches were worked out. The lesson in this area seems to be to design for peak use as a consideration, or at least understand and communicate acceptable delays, outages or round-robin processes, and make sure that your systems properly communicate these parameters to the user.
 
In the long run, proper communication to the users will lower the impact of the onslaught some of these systems call to the customer support and help desk folks.
 
It is getting better though. Vendors are learning to more easily and effectively develop and implement these solutions. The impact on account theft has been strong so far and customers seem to have a rapid adjustment curve. In fact, a few of our clients have shared that they have received kudos from their members/customers for implementing these new tools when they were announced, documented, and explained properly to the user base.
 
If your organization is considering this technology and has struggled with it, or has emerged victorious in the mastery of it; please drop me a line on Twitter (@lbhuston) and let me know your thoughts. The more we share about these tools, the better we can all get at making the road less bumpy for the public.
 
As always, thanks for reading and stay safe out there!

Audio Blog Post: How to Safeguard Your Data From Credit Card Theft

Posted on by
2

Cybercriminals continue to seek new opportunities to steal credit card data, highlighted recently in the largest credit card theft seen in two years — a 1.5 million loss from Global Payments, a third-party processor of transactions for Visa and Mastercard.

What can companies do? Also, what can you do to protect your credit card data?

I sat down with Brent Huston, CEO and Security Evangelist with MicroSolved, Inc. to discuss such questions. In this audio blog post, you’ll hear:

  1. The current state of identity theft
  2. Two primary ways credit cards get stolen
  3. Skimming as a preferred model for theft and how to prevent it
  4. Why being PCI-compliant is not a silver bullet

And more!

Click here to listen.

Take a listen to this informative 15-minute interview and learn how you can protect your organization from data theft!

Resources:

 

Remember Public Cellular Networks in Smart Meter Adoption

Posted on by
3

One of the biggest discussion points at the recent MEA Summit was the reliance of Smart Meter technology on the public cellular networks for communication.

There seemed to be a great deal of confusion about negotiating private cellular communications versus dependence on fully public networks. Many folks also described putting in their own femtocell and microcell deployments to greatly reduce the dependence on communication assets that they did not own. However, as you might expect, the purchase, install, management, and maintenance of private cellular infrastructure is expensive, requires skilled personnel, and often bumps into regulatory issues with frequency control and saturation.

Other considerations than cost also emerged with several ICS/SCADA owners discussing prioritization of repair issues versus consumer deployments, problems with negotiating effective, acceptable Service Level Agreements with the cell network vendors and a lack of understanding on the cell vendors’ part about ICS/SCADA deployments/integration/criticality in general.
 
Clearly, more analysis, study, and communication needs to occur between ICS/SCADA researchers/owners/developers and the relevant cellular network engineers/implementation teams to grow mutual knowledge and understanding between the parties. In the meantime, ICS/SCADA owners must strive to clearly identify their needs around cellular technologies, clearly demarcate the requirements for private/segmented/public cellular network use and understand the benefits/issues and threats of what they are utilizing. Cellular communications has a clear role to play in the future of ICS/SCADA, but the waters of how it will be managed, how it will be secured and how smaller organizations can obtain it affordably remain a bit muddy for now.
 
If your organization has winning strategies or has concerns that have arisen with the use of cellular networks, we would love to hear about them in the comments. The more ICS/SCADA owners work together to bring this knowledge forward, the more quickly and effectively we can resolve many of the issues that utilities and other organizations are encountering.

Getting Your ICS/SCADA Components Security Tested

Posted on by
1

Recently, at the MEA Summit, I had the opportunity to engage in a great discussion with a number of SCADA owners about security testing of their devices. Given all of the big changes underway concerning SCADA equipment, connectivity and the greater focus on these systems by attackers; the crowd had a number of questions about how they could get their new components tested in a lab environment prior to production deployment.

Device and application testing is something that MicroSolved has done for more than a decade. We have tested hundreds of IT hardware products, commercial software loads, web/mobile applications, consumer products, and for the last several years, ICS/SCADA and Smart Grid components. Our lab environments are suitable for a wide variety of testing scenarios and are used by utility companies, manufacturers and software developers from around the world as a trusted source for rational security testing and relevant threat analysis. We have a firm non-disclosure policy for client systems tested and the relevant vulnerabilities discovered and we often work hand in hand with the developers/design engineers to work through both mitigation and/or compensating control development.
 
ICS/SCADA owners should have any new designs assessed prior to implementation, they should have some form of ongoing security assessment (analysis – NOT scanning…) performed against current deployments/threats, plus they should be engaged in testing all new hardware and software platforms before production adoption. Developers, designers and manufacturers of ICS/SCADA/Smart Grid components should be engaging in a full set of product assessments, attack surface analysis, threat modeling and penetration testing prior to the release of the products to market. This will be a value-add to your customers, and ultimately, to the consumer. 
 
If your organization would like to have a device or software analysis performed, or would like to discuss how to engage with MicroSolved to have new equipment or ICS/SCADA deployment ideas modeled, tested and assessed, please contact us. 

Presentations Given at Midwest Energy Association Summit

Posted on by
13

On April 11, 2012, both Phil Grimes and Brent Huston were honored to present on the ICS/SCADA security topics at the Spring Gas Operations Summit in Indianapolis held by the Midwest Energy Association (MEA).

Phil covered the process of scoping security assessments for ICS/SCADA deployments and spent a lot of time with the crowd analyzing various scenarios for how to pick an assessment partner, how often to perform vulnerability assessments, how to closely control and properly use penetration testing and a variety of other topics specific to the crowd’s concerns.

Brent followed that presentation with a talk focused on honeypots in ICS/SCADA. He covered the history of honeypots in ICS deployments, the NIST guidance for honeypots (“canaries”) and the relevant locations and approaches to gathering attack data with them. The crowd also asked great questions about how to use the data from the systems, how to work together to leverage honeypot data as an industry and how to manage data anonymity for detected events. 
 
Further discussions followed, with the MSI team sitting in the crowd as a round table, which went really well. They had excellent conversations about the state of the threat, the reliance on public infrastructures, cellular communication threats, network enclaving, detection techniques and the safety of Internet exposed HMIs.
 
MSI would like to thank MEA for allowing us to come in and engage with their attendees. It was a very interesting show and we think everyone learned a lot about where ICS/SCADA security is going in the next 1-3 years.

Poll: An Opportunity to Tell Us Which Content You Like Most!

Posted on by
3

We always strive to bring you the best information security content, complete with thoughtful analysis and relevant resources. Would you take a few minutes to participate in our poll? We’d appreciate it because it will help us deliver the most useful content. Thank you!

 

Create your free online surveys with SurveyMonkey, the world’s leading questionnaire tool.

Don’t Forget About VoIP Exposures and PBX Hacking

Posted on by
6

 

 

 

 

 

 

I was browsing my usual data alerts for the day and ran into this set of data. It motivated me to write a quick blog post to remind folks that VoIP scans and probes are still going on out there in the wild.

These days, with all of the attention to mass compromises, infected web sites and stolen credit card data, voice systems can sometimes slip out of sight.

VoIP compromises and intrusions remain a threat. There are now a variety of tools, exploits and frameworks built for attacking VoIP installations and they are a target for both automated tools and manual hacking. Access to VoIP systems can provide a great platform for intelligence, recon, industrial espionage and traditional toll fraud.
 
While VoIP might be the state of the art for phone systems today, there are still plenty of traditional PBX, auto-attendant and dial-up voicemail systems around too. Now might be a good time to review when those systems were last reviewed, audited or pen-tested. Traditional toll fraud is still painful to manage and recover from, so it’s probably worth spending a few cycles on reviewing these devices and their security postures. 
 
Let us know if your organization could use assistance with these items or with hardening voice systems, implementing detection techniques for them or otherwise increasing voice system security.