How to Choose a Security Vendor: Beware of “Free InfoSec”

Posted on by
Reply

In your search for security vendors, be aware of those who offer assessments on the “we find holes or it’s free” basis.  Below are a few points to consider when evaluating your choices.

  1. Security testing choices should not be based on price. They should be based on riskThe goal is to reduce the risk that any given operation (application, network, system, process, etc.) presents to the organization to a level that is manageable.

    Trust me, I have been in the security business for 20 years and all vendor processes are NOT created equal. Many variations exist in depth, skill level, scope, reporting capability, experience, etc. As such, selecting security testing vendors based upon price is a really bad idea. Matching vendors specific experience, reporting styles and technical capabilities to your environment and needs is a far better solution for too many reasons to expound upon here.
     

  2. The “find vulnerabilities or it’s free” mentality can backfire.It’s hard enough for developers and technical teams to take their lumps from a security test when holes emerge, but to also tie that to price makes it doubly difficult — “Great, I pay now because Tom made some silly mistake!” is just one possibility. How do you think management may handle that? What about Tom?

    Believe me, there can be long term side effects for Tom’s career, especially if he is also blamed for breaking the team’s budget in addition to causing them to fail an audit.
     

  3. It actually encourages the security assessment team to make mountains out of mole hills.Since they are rewarded only when they find vulnerabilities and the customer expectations of value are automatically built on severity (it’s human nature), then it certainly behooves the security team to note even small issues as serious security holes.

    In our experience, this can drastically impact the perceived risk of identified security issues in both technicians and management and has even been known to cause knee-jerk reactions and unneeded panic when reports arrive that show things like simple information leakage as “critical vulnerabilities”. Clearly, if the vendor is not extremely careful and mindful of ethical behavior among their teams, you can get seriously skewed views between perceived risk and real-world risk, again primarily motivated by the need to find issues to make the engagement profitable.

In my opinion, let’s stick to plain old value. We can help you find and manage your risk. We focus on specific technical vulnerabilities in networks, systems, applications and operations that attackers could exploit to cause you damage. The damages we prevent from occurring saves your company money. Look for a service vendor that provides this type of value and realize in the long run, you’ll be coming out ahead.

MSI Strategy & Tactics Talk Ep. 18: Vulnerability Assessment vs. Penetration Testing

Posted on by
Reply

A vulnerability is the process of identifying and quantifying vulnerabilities on your network systems. A penetration test is a goal-oriented exercise — it can be to get data on the system or to cause as much damage as you can in order to test the system. – Adam Hostetler, MSI Network Engineer and Security Analyst

What is the best security assessment for you? A vulnerability assessment or a penetration test? Are’t they the same? In this episode of MSI Strategy & Tactics, the techs discuss the differences between the two and how to know which one is best for you. Take a listen! Discussion questions include:

  • The difference between a vulnerability assessment and a penetration test
  • The width versus depth analogy
  • When an organization should use a vulnerability assessment and when to use a penetration test
  • How an organization can make sure they are asking for and getting the right fit

Panelists:
Brent Huston, CEO, Founder, and Security Evangelist
Adam Hostetler, Network Engineer and Security Analyst
Phil Grimes, Security Analyst
John Davis, Risk Management Engineer
Mary Rose Maguire, Marketing Communication Specialist and moderator

Click the embedded player to listen. Or click this link to access downloads. Stay safe!

Want Rapid Feedback? Try a Web Application Security Scan!

Posted on by
1

A web application security scan is a great way to get rapid feedback on the security and health of your web-based applications.

You can think of the web application scan as a sort of vulnerability assessment “lite”. It leverages the power and flexibility of automated application scanning tools to do a quick and effective baseline test of your application. It is very good at finding web server configuration issues, information leakage issues and the basic SQL injection and cross-site scripting vulnerabilities so common with attackers today. 

This service fits particularly well for non-critical web applications that don’t process private information or for internal-facing applications with little access to private data. It is a quick and inexpensive way to perform due diligence on these applications that aren’t key operational focal points.

Many of our clients have been using the application scanning service for testing second-line applications to ensure that they don’t have injection or XSS issues that could impact PCI compliance or other regulatory standings. This gives them a less costly method for testing the basics than a full blown application assessment or penetration test.

While this service finds a number of issues and potential holes, we caution against using it in place of a full application assessment or penetration test if the web application in question processes critical or highly sensitive information. Certainly, these deeper offerings find a great deal more vulnerabilities and they also often reveal subtle issues that automated scans will not identify.

If you are interested in learning more about the applications scanning service, please fill out the contact form and put in the “Questions” box: Web App Scan. We can help you identify if these services are a good fit for your needs and are more than happy to provide more detail, pricing and other information about web application scans.

MSI Strategy & Tactics Ep. 17: Thoughts On The SCADA Breach In Springfield, Illinois

Posted on by
Reply

What happened with the water facility SCADA breach in Springfield Illinois? ICS-SCADA security has been on our radar for a few months, now. The recent attack on a water plant in Illinois has highlighted existing vulnerabilities that open the door to malware. In this special edition of MSI Strategy & Tactics, Chris Lay, Account Executive, interviews MSI CEO, Brent Huston on the breach. Take a listen! Discussion questions include:

  • Breaking down the nuts and bolts of the attack
  • The similarities and differences of the attack vs. the Stuxnet worm
  • What ICS-SCADA organizations can learn from this attack

Panelists:
Brent Huston, CEO, Founder, and Security Evangelist
Chris Lay, Account Executive
Mary Rose Maguire, Marketing Communication Specialist and moderator

Click the embedded player to listen. Or click this link to access downloads. Stay safe!

Business of Security Webcast Featuring Brent Huston: December 7

Posted on by
Reply

Join the Business of Security to hear from Brent Huston, recent winner of (ISC)2 Information Security Leadership Award, who will lay out the need for and principles of performing detection in depth. Brent, CEO and Security Evangelist of MicroSolved, will share his research and hands-on experience that validates the leading approach for detecting threats against your most precious assets.

When: Wednesday, December 7th, Noon EDT
Where: GoToWebinar
Cost: Complimentary Register to attend live or to receive the event archive information for on-demand viewing at: http://www.businessofsecurity.com/

You’ll learn:

  • Huston’s postulate and why location matters
  • The detection in depth maturity model
  • The detection in depth focus model
  • Tools and approaches for doing detection in depth

Brent’s contribution to the community was recognized by (ISC)2 for employing the HoneyPoint Internet Threat Monitoring Environment (HITME) to alert critical infrastructure organizations whose machines are compromised. MSI provides pro-bono services to help them to mitigate the compromise and manage the threat.

Earn (1) CPE Group A credit for the CISSP and SSCP: This event meets the criteria for a Continuing Professional Education (CPE) activity for the Information Security and Risk Management domain.

MSI Strategy & Tactics Talk Ep. 15: Information Security for Credit Unions

Posted on by
Reply

Credit Unions have become popular over the past few weeks as societal trends have placed greater pressure on bank policies. What’s the scoop on Credit Unions and information security? Take a listen! Discussion questions include:

  • Supporting Credit Union swap through infosec
  • The “hactivist” group Anonymous and “Dump Your Bank Day”
  • Is infosec strong at Credit Unions?
  • Our approaching toward testing Credit Unions and banking apps

Panelists:
Brent Huston, CEO, Founder, and Security Evangelist
Adam Hostetler, Network Engineer and Security Analyst
Phil Grimes, Security Analyst
John Davis, Risk Management Engineer
Mary Rose Maguire, Marketing Communication Specialist and moderator

Click the embedded player to listen. Or click this link to access downloads. Stay safe!

The Detection in Depth Focus Model & Example

Posted on by
2

Furthering the discussion on how detection in depth works, here is an example that folks have been asking me to demonstrate. This is a diagram that shows an asset, in this case PII in a database that is accessed via a PHP web application. The diagram shows the various controls around detection in place to protect the data at the various focus levels for detection. As explained in the maturity model post before, the closer the detection control is to the asset, the higher the signal to noise ratio it should be and the higher the relevance o the data should be to the asset being protected (Huston’s Postulate). 

Hopefully, this diagram helps folks see a working example of how detection in depth can be done and why it is not only important, but increasingly needed if we are going to turn the tide on cyber-crime.
 
As always, thanks for reading and feel free to engage with ideas in comments or seek me out on Twitter (@lbhuston) and let me know what you think. 

Detection in Depth Maturity Model

Posted on by
3

I have been discussing the idea of doing detection depth pretty heavily lately. One of the biggest questions I have been getting is about maturity of detection efforts and the effectiveness of various types of controls. Here is a quick diagram I have created to help discuss the various tools and where they fit into the framework of detection capability versus maturity/effectiveness.

The simple truth is this, the higher the signal to noise ratio a detection initiative has, the better the chance of catching the bad event. Detections layered together into various spots work better than single layer controls. In most cases, the closer you get to an asset, the more nuanced and focus (also higher signal to noise ratio) the detection mechanisms should become.
 
That is, for example – a tool like a script detecting new files with “base64decode()” in them on a web server is much higher signal than a generic IDS at the perimeter capturing packets and parsing them against heuristics.
 
When the close controls fire an alert, there better be a clear and present danger. When the distant controls alert, there is likely to be more and more noise as the controls gain distance from the asset. Technology, detection focus and configuration also matter A LOT. 
All of that said, detection only works if you can actually DO something with the data. Alarms that fire and nothing happens are pretty much useless tools. Response is what makes detection in depth a worthwhile, and necessary, investment.