InfoSec, The World & YOU Episode 2

Once again, Victoria Loewengart (@gisobiz) and I team up to discuss events in the real world and how they impact cyber threats. This time around we talk North Korea, Anonymous and touch on Industrial Control Systems. We also give a quick preview of Op Petrol. Check it out here:

Grab the MP3.

Thanks for listening and until next time, stay safe out there! 

What YOU Can Do About International Threats

With the addition of RedDragon Rising (@RedDragon1949) to the blog, we are now pushing forth a new stream of threat data and insights about the growing problem of international threats. Since we added that content to the site, many of you have written in or asked me on Twitter, what is it that YOU can do about these threats? I wanted to take a few minutes and expand on my responses.

First of all, you can remain aware and vigilant. Much of the information we post here isn’t directly actionable. It isn’t designed to be a roadmap of actions for you to take. It’s designed to be a continual source of data that slowly helps you see a clearer picture of the threat, the actors and their capability. It’s designed to keep you AWAKE. It’s custom made to help you understand your adversary. Knowledge is power and insight is key. We make this content to give you both!

Second, you can communicate the threat and knowledge to your management. This helps them remain aware. It also presents to them that you are monitoring the threats and keeping your eye on the rising tides, even as you help them steer the ship through safe waters. You can use this information to build rapport with them, to give them new insights into your decisions when you explain to them various risks and to help them understand the changing nature of the interconnected world.

You can use the information here as an impetus to get the basics of information security right. While there aren’t any panaceas to fight off the threat and there isn’t a single thing you can buy to make it better ~ we do know that focusing on the basics of infosec and getting them done efficiently, effectively and well is the best defense against a variety of threats. That said, consider doing a quick and dirty review of your security initiatives against our 80/20 Rule for Information Security. This is a set of simple projects that represent the basics of information security and map easily to other standards and baselines. Simply judging your maturity in these areas and following the roadmap to improvement will go a long way to getting the basics done right in your organization. 

Invest in detection and response. If your organization is doing the basics of prevention, that is you have hardening in place and are performing ongoing assessment and mitigation of your attack surfaces, then the next thing to do is invest in detection and response capabilities. Today, one of the largest advantages that attackers enjoy is the lack of visibility and effective response capabilities in our organizations. You should have some visibility into every segment and at every layer of your environment. You should be able to identify compromises in a timely manner and move to isolate, investigate and recover from any breaches LONG BEFORE they have become widespread and heavily leveraged against you. If you can’t do that today, make it your next major infosec goal. Need help? Ask us about it.

Lastly, share information with your peers. The bad guys are good at information sharing. They have excellent metrics. They openly share their experiences, successes, failures and new techniques. Much of crime and espionage (not all, but MUCH) is “open source” in nature. The cells of attackers free float in conglomerations of opportunity. They barter with experience, tools, data and money. They share. The more we begin to share and emulate their “open source” approaches, the better off we can be at defending. If knowledge is power, more brains with more knowledge and experience equals MORE POWER. Be a part of the solution.

That’s it for now. Just remain calm, get better at the basics, improve your visibility and stay vigilant. As always, thanks for reading State of Security and for choosing MicroSolved as your information security partner. We are striving to dig deeper, to think differently and to give you truly actionable intelligence and threat data that is personalized, relevant to your organization and meaningful. If you’d like to hear more about our approach and what it can mean for your organization, get in touch via Twitter (@lbhuston), email (info(at)microsolved/dot/com) or phone (614-351-1237 ext 250).

May’s Touchdown Task: Egress Audit

The touchdown task for May is a quick and dirty egress filtering audit. Take a look at your firewalls and make sure they are performing egress filtering (you do this, right? If not, make it happen now ~ it’s the single most effective defense against bot-nets). Once you know egress is in place, give a once over to the firewall rules that enforce it. Make sure they are effective at blocking arbitrary ports, outbound SSH, outbound VPN connections, etc. Verify that any exposed egress ports are to specific IPs or ranges. If you find any shortcomings, fix them.

Also take a look and make sure that violations of the firewall rules are being alerted on, so your team can investigate those alerts as potential infection sites. 

Lastly, check to make sure that you have egress controls for outbound web traffic. You should be using an egress proxy for all HTTP and HTTPS traffic. Yes, you should be terminating SSL and watching that traffic for signs of infection or exfiltration of sensitive data. Take a few moments and make sure you have visibility into the web traffic of your users. If not, take that as an immediate project. 
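As an added example (not code from the original post), here is one way to script the rule review and the alerting check described above. It assumes the firewall rules are available in `iptables-save` syntax and that the `FORWARD` chain carries traffic from the internal network to the internet; the sample rules, the `audit_egress` function and the port list are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample in iptables-save syntax; FORWARD carries LAN-to-internet traffic.
SAMPLE_RULES = """\
:FORWARD DROP [0:0]
-A FORWARD -s 10.0.0.0/8 -d 203.0.113.10/32 -p tcp -m tcp --dport 3128 -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -d 0.0.0.0/0 -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -s 10.0.5.0/24 -d 198.51.100.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.0.9.0/24 -j ACCEPT
-A FORWARD -j LOG --log-prefix "EGRESS-DENY "
"""

# Well-known ports for the outbound services the audit should see blocked.
REVIEW_PORTS = {"22": "SSH", "1194": "OpenVPN", "1723": "PPTP",
                "500": "IKE", "4500": "IPsec NAT-T"}

def audit_egress(rules_text, chain="FORWARD"):
    """Return (rule, issue) pairs for egress rules that need review."""
    findings, policy, logged = [], None, False
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if tok and tok[0] == ":" + chain:
            policy = tok[1]                      # chain default policy
        if tok[:2] != ["-A", chain]:
            continue
        # Map each option to the token after it (negation with "!" is not handled).
        opts = {tok[i]: tok[i + 1] for i in range(2, len(tok) - 1)
                if tok[i].startswith("-")}
        if opts.get("-j") == "LOG":
            logged = True                        # LOG rule ahead of the default DROP
        if opts.get("-j") != "ACCEPT":
            continue
        port = opts.get("--dport")
        if port is None or ":" in port:
            findings.append((line, "allows arbitrary ports"))
        elif port in REVIEW_PORTS:
            findings.append((line, "allows outbound " + REVIEW_PORTS[port]))
        dest = ipaddress.ip_network(opts.get("-d", "0.0.0.0/0"), strict=False)
        if dest.prefixlen == 0:
            findings.append((line, "destination is not a specific IP or range"))
    if policy != "DROP":
        findings.append((chain, "default policy is not DROP"))
    if not logged:
        findings.append((chain, "blocked egress is not logged for alerting"))
    return findings

if __name__ == "__main__":
    for rule, issue in audit_egress(SAMPLE_RULES):
        print(issue, "<-", rule)
```

On the sample, the proxy rule and the rule limited to a /24 pass cleanly, while the SSH, VPN and allow-everything rules are each flagged for both the service and the unrestricted destination.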

That’s it. This review should take a couple of hours or so to complete. But, the insights and security enhancements it can bring are HUGE. 

Until next month, thanks for reading and run for the goal line!

Aaron Bedra on Building Security Culture

Our good friend, Aaron Bedra, posted a fantastic piece at the Braintree Blog this morning about building a security culture. I thought the piece was so well done that I wanted to share it with you.

Click here to go to the post.

The best part of the article, for me, was the content about finding creative ways to say yes. IMHO, all too often, infosec folks get caught up in saying no. We are the naysayers, the paranoid brethren and the net cops. But, it doesn’t have to be that way. It might take a little (or even a LOT) of extra work, but in many cases ~ a yes is possible ~ IF you can work on it and negotiate to a win/win point with the stakeholders.

Take a few minutes and think about that. Think about how you might be able to get creative with controls, dig deeper into detection, build better isolation for risky processes or even make entirely new architectures to contain risk ~ even as you enable business in new ways.

In the future, this had better be the way we think about working with and protecting businesses. If not, we could find ourselves on the sideline, well outside of the mainstream (if you aren’t there already in some orgs). 

Great work Aaron and thanks for the insights.

March Touchdown Task: Check the Firewall Logs

This month’s Touchdown Task is to help you with detection and response. For March, we suggest you do a quick controls review on your firewall logs. Here are some questions to begin with:

  • Are you tracking the proper amount of data?
  • Are the logs archived properly?
  • Do you have IP addresses instead of DNS names in the logs?
  • Are the time and date settings on the logs correct?
  • Is everything working as expected?
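Two of these questions, IP addresses versus DNS names and correct time and date settings, can be spot-checked with a short script, along with gaps that suggest logging stopped working. This is an added example, not part of the original post; the log format (an ISO 8601 timestamp followed by key=value fields), the `review_log` function and the one-hour gap threshold are assumptions made for illustration.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample lines: ISO 8601 timestamp, then key=value fields.
SAMPLE_LOG = """\
2013-03-04T10:15:02+00:00 action=deny src=10.0.5.20 dst=198.51.100.7 dport=22
2013-03-04T10:15:09+00:00 action=allow src=10.0.5.21 dst=www.example.com dport=443
2013-03-04T10:14:30+00:00 action=deny src=10.0.5.22 dst=203.0.113.9 dport=6667
2013-03-04T16:40:00+00:00 action=deny src=10.0.5.20 dst=198.51.100.7 dport=22
2013-03-09T08:00:00+00:00 action=deny src=10.0.5.23 dst=192.0.2.55 dport=1194
"""

def is_ip(value):
    """True when the field holds a literal IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def review_log(text, now, max_gap=timedelta(hours=1)):
    """Return (line_number, issue) pairs for entries that fail the review."""
    issues, prev = [], None
    for n, line in enumerate(text.splitlines(), 1):
        stamp, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        ts = datetime.fromisoformat(stamp)
        for key in ("src", "dst"):
            if not is_ip(fields.get(key, "")):
                issues.append((n, key + " is not an IP address"))
        if ts > now:
            issues.append((n, "timestamp is in the future"))
        if prev is not None:
            if ts < prev:
                issues.append((n, "timestamp goes backwards"))
            elif ts - prev > max_gap:
                issues.append((n, "gap in logging"))
        prev = ts
    return issues

if __name__ == "__main__":
    # Reference time is fixed so the sample gives the same result on every run.
    for n, issue in review_log(SAMPLE_LOG, datetime(2013, 3, 5, tzinfo=timezone.utc)):
        print("line", n, "-", issue)
```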

Undertaking a different quick and dirty Touchdown Task each month helps increase vigilance without huge amounts of impact on schedules and resources. Thanks for reading!

[Podcast] Infosec, the World & YOU – Episode 1

Victoria Loewengart (@gisobiz) from AKOTA Technologies and I (@lbhuston) decided we would start a podcast series to discuss correlation between real world actions and cyber-activity of an illicit nature (“attacks”). This is the first episode, which discusses why we think this is a worthy topic for exploration, how it might lead to predictive information security posture improvement and how we got here.

This episode also covers a real time event that occurred while we were recording that may (or may not) relate to attacks experienced in the time between recording sessions. 

We hope to keep working on it, but this is a first rough attempt, so don’t expect CNN podcast polish. This is a chance for you to stay in touch with a new movement that represents a clear line of evolution for the information security problems of today. 

Stay tuned. We hope to record more episodes as the project progresses.

You can download episode 1 as an MP3 by clicking here.

Java 0-Days are Changing Corporate Use Patterns

With all of the attention to the last few Java 0-days and the market value for them falling (which many folks believe indicates there are more out there and more coming), we are starting to hear some organizations change their policies around Java, in general.

It seems some clients have removed it from their default workstation images, restricting it to the pile of as-needed installs. A few have reported requiring more frequent Java update settings and a couple have talked about switching in-house development away from Java to different languages. 

Is your organization changing the way you view Java? How are things changing around the IT shops you work with? 

Drop us a line in the comments or via Twitter (@microsolved or @lbhuston) and let us know what YOU think!

CMHSecLunch is TODAY

Don’t forget, the #CMHSecLunch is TODAY, January 14th, 2013. The time is 11:30 and the location this month is at the Easton Mall food court inside the indoor portion of the mall.

We hope to see you there and bring a friend! No admission, no cost (you can buy food if you want) and open to the public. December had a great turn out and some fantastic conversations!

Ensuring Security Team Coverage During the Holidays

Just a quick note to remind you that now is a good time to double check the on-call, vacation and coverage schedules for your infosec team members, all of the key members of your incident response team and the critical managers and department liaisons. It’s a good time to review and update your contact lists for these folks, to identify anyone who might be unavailable during the holidays and to double check that you have a secondary contact.

While we certainly hope that your team doesn’t have to respond to an incident during the holidays, it is not unheard of. So, a few moments of careful attention now, may save you some stress during an already stressful period.

Thanks for reading, have a great holiday season and stay safe out there!