5 Fun-tastic Fall Activities for Information Security Teams


Fall is in the air, and along with pumpkin spice lattes and cozy sweaters, it’s also the perfect time for information security teams to step out of their digital shells and engage with other departments in their organizations. While security is serious business, there’s no harm in adding a dash of fun to foster better collaboration and understanding. Here are five light-hearted yet factual activities to spice up your information security team’s fall:

1. Cybersecurity Pumpkin Carving Contest

Unleash your inner artist and host a cybersecurity-themed pumpkin carving contest. Encourage teams from all departments to carve out their favorite security tools, icons, or even infamous cyber villains. Not only does this activity tap into everyone’s creative side, but it also sparks conversations about the importance of protecting the digital realm while having a gourd time!

2. “Escape the Phishing” Maze

Turn the concept of an escape room into an interactive cybersecurity challenge. Create a “phishing” maze where participants need to navigate through a series of puzzles and scenarios related to online security. This activity not only educates participants about the dangers of phishing attacks but also gets them working together to solve problems, fostering team spirit.

3. Crypto Treasure Hunt

Transform your office space into a treasure hunting ground by organizing a crypto-themed treasure hunt. Provide clues related to encryption, decryption, and security best practices that lead teams from one clue to another. Not only does this activity promote learning about cryptography, but it also encourages friendly competition among departments.

4. Security Awareness Fair

Set up a “Security Awareness Fair” in your office’s common area. Each department can have its own booth showcasing their approach to security. From IT’s “Spot the Vulnerability” game to HR’s “Password Strength Analyzer,” everyone gets to display their security prowess in a fun and informative way. This fair promotes cross-departmental engagement and ensures that everyone learns a thing or two about cybersecurity.

5. Cyber Movie Night

Host a cybersecurity-themed movie night with popcorn and cozy blankets. Screen movies like “Hackers,” “WarGames,” or even cybersecurity documentaries. After the movie, encourage lively discussions about what’s accurate and what’s exaggerated in the portrayal of hacking and security. It’s a laid-back way to bridge the gap between tech-savvy and non-technical teams.

Remember, the goal of these activities isn’t just to have fun, but to build bridges between information security teams and other departments. By approaching cybersecurity engagement with a light-hearted touch, you’re more likely to break down barriers, share knowledge, and create a culture of collaboration that lasts beyond the fall season. So, gear up for a season of learning, laughter, and interdepartmental camaraderie!


* Just to let you know, we used some AI tools to gather the information for this article, and we polished it up with Grammarly to make sure it reads just right!


New Book Launch: We Need To Talk: 52 Weeks To Better Cyber-Security

I have released a new e-book titled “We Need To Talk: 52 Weeks To Better Cyber-Security.” I self-published through PublishDrive and MSI. It has been quite an interesting project, and I learned a lot in both writing/editing (with an AI), and in the publishing aspects.

The book provides a structured way to talk through cyber-security with your team, covering topics such as risk management, configuration management, vulnerability management, policy, threat intelligence, and incident response. The discussions it sparks should help your team strengthen and mature your organization’s security posture.

The book is designed for information security professionals and their teams looking for a structured way to improve their organization’s cyber-security posture over one year. It is an ideal resource for those teams who wish to develop a well-rounded understanding of cyber-security and gain insight into the various elements that are needed for a successful program.

The book is 111 pages and sells for $9.99 in most of the ebook stores below:

Amazon

Apple

Barnes & Noble

Check it out, and please leave a review if you don’t mind taking the time. It will be much appreciated.

Print-on-demand options and other stores will be coming shortly. Hopefully, the book helps folks build better infosec programs. As always, thanks for reading, and stay safe out there! 

Supply Chain Security Insights

Supply chain attacks are one of the most common cyber threats faced by organizations. They are costly and disruptive, often resulting in lost revenue and customer trust.

In this article, we’ll discuss five insights about supply chain attacks that all supply chain management and information security teams should be aware of.

#1. Supply Chains Can Be Vulnerable

Supply chains are complex networks of companies, suppliers, customers, and partners that provide goods and services to each other.

They include manufacturers, distributors, retailers, service providers, logistics providers, and others.

These entities may interact directly or indirectly via intermediaries such as banks, insurance companies, payment processors, freight forwarders, customs brokers, etc.

Supply chains are vulnerable to attack because they involve multiple parties and interactions between them. Each organization in the chain will have its own risk profile, security posture, and business model. This creates a complex environment for security risks. Attackers can target any part of the supply chain, and often focus on the weakest link, including manufacturing facilities, distribution centers, warehouses, transportation hubs, retail stores, etc.

Attackers can disrupt operations, steal intellectual property, damage reputation, and cause losses in revenue and profits.

#2. Supply Chain Security Must Include All Stakeholders

Supply chain security involves protecting against threats across the entire value stream. This means securing data, processes, systems, physical assets, personnel, and technology.

It also requires integrating security practices and technologies across the entire organization.

This includes ensuring that information sharing occurs among stakeholders, that employees understand their roles and responsibilities, and that policies and procedures are followed.

Security professionals should collaborate closely with executives, managers, and staff members to ensure that everyone understands the importance of security and has ownership over its implementation.

#3. Supply Chain Security Requires Ongoing Monitoring and Maintenance

Supply chain security requires ongoing monitoring and maintenance.

An effective approach is to continuously monitor the status of key indicators, assess risks, identify vulnerabilities, and implement countermeasures.

For example, an attacker may go after sensitive data held by a supplier, in its databases, web applications, or mobile apps, rather than attacking your own systems directly, so the supplier’s exposure becomes yours.

To prevent these incidents, security teams should regularly review logs, audit reports, and other intelligence sources to detect suspicious activity.

They should also perform penetration tests, vulnerability scans, and other assessments to uncover potential weaknesses.

#4. Supply Chain Security Requires Collaboration Across Organizations

A single department cannot manage supply chain security within an organization.

Instead, it requires collaboration across departments and functional areas, including IT, finance, procurement, human resources, legal, marketing, sales, and others.

Each stakeholder must be responsible for maintaining security, understanding what constitutes acceptable behavior, and implementing appropriate controls.

Collaborating across organizational boundaries helps avoid silos of knowledge and expertise that can lead to gaps in security awareness and training.

#5. Supply Chain Security Is Critical to Organizational Success

Organizations that fail to protect their supply chains face significant financial losses and, increasingly, regulatory penalties.

One figure repeated in industry reporting, and not independently verified here, puts the cost of supply chain breaches to United States businesses at $6 trillion annually.

At face value that would be several percent of annual global GDP, which is itself a reason to treat the number as a rough upper-bound estimate rather than a measurement; headline figures like this depend heavily on what is counted as a breach cost.

Supply chain attacks can result in lost revenues, damaged reputations, and increased costs.

Companies that invest in supply chain security can significantly improve operational efficiency, productivity, profitability, and brand image.

How to Rotate Your SSH Keys

SSH keys are used to authenticate users to remote servers without passwords. A key pair consists of a private key, which stays on the client machine (and should itself be protected with a passphrase), and a public key, which is placed in the server’s authorized_keys file. The key pair is used for authentication only; the session traffic is encrypted with symmetric keys negotiated during the SSH key exchange, not with your key pair.

When you log in, the server challenges the client to prove possession of a private key matching one of the public keys it trusts. The client signs the challenge, and the private key never leaves the client. As long as the private key remains secret, only you can authenticate as that user. If someone obtains your private key (and its passphrase, if it has one), they can impersonate you on every server that trusts the corresponding public key.

SSH key rotation limits the damage from that scenario. Replacing keys on a schedule bounds the window during which a copied or leaked private key remains usable, and removing stale public keys from authorized_keys closes access that was never cleaned up.

Most security policies and best practices call for rotating key files periodically, from yearly to quarterly depending on the sensitivity of the systems involved, and immediately whenever a key may have been exposed (a lost laptop, a departing administrator, a private key committed to a repository). Such policies go a long way toward keeping authentication credentials for sensitive machines trustworthy.

There are two ways to rotate your keys: by hand, one server at a time, or with automation that applies the same steps everywhere. Either way, the order matters: install and verify the new key before you remove the old one, or a typo will lock you out.

Manually

1. Generate a new key pair on the client with ssh-keygen, writing it to a new file name so the old key is not overwritten, and protect it with a passphrase (for example ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_2023).

2. Install the new public key on each server by appending it to ~/.ssh/authorized_keys for your account; ssh-copy-id -i ~/.ssh/id_ed25519_2023.pub user@host does this for you, authenticating with the existing (old) key.

3. Verify that the new key works on its own: ssh -i ~/.ssh/id_ed25519_2023 -o IdentitiesOnly=yes user@host.

4. Remove the old public key’s line from authorized_keys on every server that had it, and confirm that a login with the old key is now refused.

5. Delete the old private key from the client, from any agent that loaded it (ssh-add -d), and from backups or other machines it was copied to.

Automatically

Automatic rotation is the same sequence run by a script or a configuration management tool against every host, on a schedule, with the verification step deciding whether the old key gets removed. There is no shortcut such as changing the permissions on the existing key file: a key that has been copied stays valid until its public half is removed from every authorized_keys file that contains it. For larger fleets, OpenSSH’s certificate support (ssh-keygen -s with a CA key and a -V validity window) turns rotation into reissuing short-lived certificates, so keys expire on their own instead of having to be hunted down.
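The safe ordering described above, applied to an authorized_keys file, as an added example that is not part of the original post. It is POSIX sh; the two key lines are constructed placeholders rather than real keys, the rotation is demonstrated on a throwaway file rather than over the network, and the default verification step is a file check that a real rollout would replace with an actual ssh login using the new key (noted in the comments).

```shell
#!/bin/sh
# Added example (not from the original post): the rotation steps applied
# to an authorized_keys file, in the order that avoids locking yourself
# out. The two key lines below are constructed placeholders, not real
# keys; the ssh commands a real rollout would use are noted in comments.
set -eu

# Constructed sample keys (the blobs are not valid key material).
SAMPLE_OLD_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLDKEYOLDKEYOLDKEYOLDKEYOLDKEYOLDKEYOLDK admin@laptop-2021'
SAMPLE_NEW_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINEWKEYNEWKEYNEWKEYNEWKEYNEWKEYNEWKEYNEWK admin@laptop-2023'

# The key blob (second field of a public key line) is what identifies a
# key inside authorized_keys. Comments are free text and are not unique.
key_blob() {            # key_blob <pubkey_line>
  printf '%s\n' "$1" | awk '{ print $2 }'
}

# True if any field of any line in the file equals the blob. Checking every
# field also matches lines that carry an options prefix (command="...").
has_key() {             # has_key <authorized_keys> <pubkey_line>
  [ -f "$1" ] || return 1
  awk -v b="$(key_blob "$2")" \
    '{ for (i = 1; i <= NF; i++) if ($i == b) found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# Step 2: append the new public key (idempotent). On a remote host this is
# what ssh-copy-id -i newkey.pub user@host does over the old key.
add_key() {             # add_key <authorized_keys> <pubkey_line>
  if has_key "$1" "$2"; then return 0; fi
  printf '%s\n' "$2" >> "$1"
  chmod 600 "$1"
}

# Step 4: drop every line carrying the old blob. The result is written to a
# temp file in the same directory and renamed over the original, so sshd
# never reads a half-written authorized_keys.
remove_key() {          # remove_key <authorized_keys> <pubkey_line>
  tmp=$(mktemp "$1.XXXXXX")
  awk -v b="$(key_blob "$2")" \
    '{ keep = 1; for (i = 1; i <= NF; i++) if ($i == b) keep = 0 } keep' "$1" > "$tmp"
  chmod 600 "$tmp"
  mv "$tmp" "$1"
}

# Steps 2-4 in the safe order. The verifier is called with the file and the
# new key line; the default only checks the file. In production pass a
# function that runs a real login test, for example
#   ssh -i ~/.ssh/newkey -o IdentitiesOnly=yes -o BatchMode=yes user@host true
# The old key is removed only after that check succeeds.
rotate_key() {          # rotate_key <authorized_keys> <old_line> <new_line> [verify_cmd]
  verify=${4:-has_key}
  add_key "$1" "$3"
  if ! "$verify" "$1" "$3"; then
    echo "new key could not be verified; old key left in place" >&2
    return 1
  fi
  remove_key "$1" "$2"
  if has_key "$1" "$2"; then return 1; fi
}

# Demo on a throwaway file; prints the path of the rotated file.
demo_rotation() {
  dir=$(mktemp -d)
  printf '%s\n' "$SAMPLE_OLD_KEY" > "$dir/authorized_keys"
  rotate_key "$dir/authorized_keys" "$SAMPLE_OLD_KEY" "$SAMPLE_NEW_KEY"
  printf '%s\n' "$dir/authorized_keys"
}

ak=$(demo_rotation)
cat "$ak"   # only the laptop-2023 line remains
```

Step 5 (deleting the old private key from the client, the agent and backups) is deliberately outside this script, since it has to happen on the client side and only after every server has been rotated; run the script once per host and delete the old private key when all of them report success.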

More Information

On Linux systems, use the “man” command to learn more about the following:

    • ssh-keygen (generating keys, and signing certificates with -s)
    • ssh-copy-id (installing a public key on a server)
    • ssh (client options such as IdentitiesOnly)
    • sshd (the AUTHORIZED_KEYS FILE FORMAT section describes what an authorized_keys line may contain)

The man pages list the command options and the file formats for the OpenSSH version shipped with your operating system.

For more information about the SSH protocol, you can review the Wikipedia article on the Secure Shell protocol.


Four Uses for the Raspberry Pi in Small Business Security

With Raspberry Pi systems now available fully decked out for under $100, there are many uses that small business security teams can find for these versatile devices. Here are four of our favorites for using them in security roles.

1. Honeypot for Detecting Attackers on Your Network

Our HoneyPoint™ Agent runs on the Pi. It allows you to monitor for potential network compromises and attempts to breach your network by offering a fake system for attackers to target. Since the system has no real use, any interaction with it is suspicious at best, and malicious at worst. This allows for an easy-to-manage detection tool for your business.

2. Nessus Scanning Engine for Vulnerability Management

Nessus now supports running on the Raspberry Pi 4 with 8 GB of RAM. Nessus is a very popular and powerful vulnerability scanner. With it, you can scan your network for vulnerabilities and find out what software needs updating.

3. Run Pi-Hole for Content Filtering

Pi-hole is one of the best-known open-source network security tools, and it is free. It runs as your network’s DNS resolver and refuses to resolve domains on its blocklists, so advertising, tracking, and known-malicious domains are blocked for every device that uses it, with no browser plugin required. Drop it on your network, point your DHCP server’s DNS setting at it, and you have affordable protection against malvertising and many browser-delivered malware campaigns. The caveat is that it only sees DNS: devices with hard-coded resolvers, or browsers using DNS-over-HTTPS, bypass it unless you also block outbound DNS at the firewall.

4. Build a Cheap VPN Server

PiVPN makes setting up a VPN (WireGuard or OpenVPN) for your small business needs incredibly simple. You can use it to reach internal systems while you’re away, or just to stay safer on public wireless networks. Most folks can deploy it in under an hour, and it removes an immense amount of risk.

Using a Pi for some other risk management or security purpose? We’d love to hear about it. Drop me a line on Twitter (@lbhuston) and let me know what you’re up to. We’ll feature any groundbreaking ideas in future posts.


3 Essential Raspberry Pi Hardening Steps

Raspberry Pi hardening is essential for securing your device against attacks.

Here are three essential Raspberry Pi hardening steps:

1. Disable SSH If You Don’t Need It

Disable SSH access to your Raspberry Pi using the following command:

sudo raspi-config

In current Raspberry Pi OS releases the setting is under “Interface Options” and then “SSH”; older Raspbian images put it under “Advanced Options”. Choose to disable it. The same thing without the menu is sudo systemctl disable --now ssh. If you do need SSH, leave it on but use key authentication and set PasswordAuthentication no in /etc/ssh/sshd_config, so a guessed password is not enough to get in.

2. Change Your Password

Change your password to something long and unique. Older Raspberry Pi images shipped with the widely known default credentials pi / raspberry, and any Pi still using them will be found quickly once it is reachable from the network. For the current user, run:

passwd

To change another account, run sudo passwd followed by the user name.

3. Update Raspberry Pi OS

Update your Raspberry Pi’s operating system (Raspberry Pi OS, formerly Raspbian) to the latest packages available. This ensures that your device is up to date with security patches and bug fixes.

To update your Raspberry Pi, run:

sudo apt-get update

sudo apt-get upgrade

The Raspberry Pi documentation recommends sudo apt full-upgrade in place of the plain upgrade, because it also installs updates that need new dependencies (such as kernel and firmware packages), which upgrade holds back. Reboot afterwards if the kernel was updated.

In summary, hardening your device by following these steps will help you protect your Pi from attacks. Making these three basic steps a part of every Pi install you do will go a long way to giving you a safer, more dependable, and more private experience.


Saved By Ransomware Presentation Now Available

I recently spoke at ISSA Charlotte, and had a great crowd via Zoom. 

Here is the presentation deck and MP3 of the event. In it, I shared a story about an incident I worked around the start of Covid, where a client was literally saved from significant data breach and lateral spread from a simple compromise. What saved them, you might ask? Ransomware. 

That’s right. In this case, ransomware rescued the customer organization from significant damage and a potential loss of human life. 

Check out the story. I think you’ll find it very interesting. 

Let me know if you have questions – hit me up on the social networks as @lbhuston.

Thanks for reading and listening! 

Deck: https://media.microsolved.com/SavedByRansomware.pdf

MP3: https://media.microsolved.com/SavedByRansomware.mp3

PS – I miss telling you folks stories, in person, so I hope you enjoy this virtual format as much as I did creating it! 

After Nearly 30 Years in CyberSecurity, I Still Learn Something Every Day

Cybersecurity Playtime Today:

Today, while searching through some web logs and reviewing some of the data from our HoneyPoint deployments, I found an interesting scan. The payload was pretty common, something we see nearly every day – but the source, a pretty mature organization with a reputation for being tightly managed and capable, was what caught my eye. The scans went on for several days across a couple of weeks – sourced from a web server that clearly was not as securely managed as their reputation might insist. So, I notified them, of course, and played with the data for a while, fascinated by some of the nuances of it. 

Good Days Versus Bad Days:

This is pretty much a daily occurrence for me – on the good days, at least. I get to play with data, learn something new, experiment, hypothesize and test myself. Those are the good days of being an infosec entrepreneur, CEO and researcher. The bad days are the ones when I have to struggle with sales efforts, manage difficult resources/projects or solve the same security problems as I tackled in the 90s. Those are the days when I am less happy about what I do. But, fortunately, those days are pretty few and far between. 

Fighting the Cybersecurity Good Fight:

After 30+ years in technology and “cybersecurity”, I still find a wealth of things to learn and play with. I never seem to get to the point where I feel like I know stuff. I try to remain intellectually curious and mentally humble at all times. I also try to believe in the magic of technology and fight the cynicism of doing infosec for 30 years. That keeps me making new things, and investing in new solutions, like our new ClawBack data leak detection tool.

I try to keep fighting the good fight, so to speak. I’ve spent a lot of time learning about attackers – what motivates them, how they operate and how tools evolve. I’ve learned a lot about the economics of cyber-crime and the information security industry, as well. I’ve grown my understanding and world view around the day-to-day of infosec. I try to add value to someone every single day. Those things keep me going and keep me engaged. They help minimize the burnout and maximize my patience with the often challenging task of being an infosec person and an entrepreneur. Sometimes, living to fight another day is all you can ask for, and some days it seems like you can’t wait to jump back into the fray. Such is the infosec (“cybersecurity”) life.

Advice for New Cybersecurity Practitioners:

If you’re new to cybersecurity or considering joining us, my advice to you is simple and a gut check. Be sure that you are ready for a career that requires lifelong learning and lifelong change. If you want to have a repeatable, 9-5 job that you can master and forget when you walk out the door, this probably isn’t for you. Attackers are amazingly dynamic, and thus, infosec must be just as dynamic as well. This isn’t an industry built for mastery – it’s an industry built for being a lifelong student. While that’s not always easy, it can be fun and rewarding. Got what it takes? I sure hope so – because we need help and we need it for today and the years to come…

MicroSolved vCISO for Credit Unions

I recently asked MicroSolved COO, Dave Rose, to share his thoughts with all of us about the vCISO program. He has been leading the effort this last year across several credit unions and regional banks around the US. I asked him for the 3 biggest benefits an organization can expect and here is what he said:

“MicroSolved has been providing vCISO services to Credit Unions for over 20 years. Whether you are a corporate or a natural person CU, hiring MSI for vCISO Services will allow you to:

  • Obtain CISO expertise without having to incur the expense of finding and hiring a CISO. This is an affordable solution that will help keep the risk budget under control.
  • The MSI vCISO program comes with the benefit of a focus on financial expertise and compliance. MSI has had extensive experience working with banks and credit unions on their risk programs, and has spent time educating regulators on risk events and controls.
  • MSI is in the business of mitigating risk. We live it every day and our clients benefit from that experience. Our clients get to pick the risk work they want resolved and the issues they want remediated. 

You will be hard pressed to find a more efficient and cost effective way to address risk issues and move the regulatory needle. Don’t bear the burden of mitigating risk alone, let MSI be a partner to help you solve your risk needs!”

—Dave Rose

For more information, give us a call at 614-351-1237 or email us at info@microsolved.com. 

ClawBack Insights :: A Conversation with MicroSolved, CEO, Brent Huston

I recently got interviewed over email by one of my mentees. I thought their questions were pretty interesting and worth sharing with the community. This session focused on ClawBack™ and was done for a college media class assignment. I hope you enjoy the interview as much as I did giving it. 

Q: What is ClawBack?

ClawBack is a platform for helping organizations detect data leaks. It’s a cloud-based engine focused on three specific kinds of leaked data – source code, device and application configurations and credentials. It systematizes many of the manual efforts which mature organizations had been doing either partially, or in an ad hoc fashion, and makes them ongoing, dependable and available to organizations of any size and technical capability.

The engine lets the customer pick monitoring terms, and yes, we have a very nice guide available in the online help to guide them. Once the terms are chosen, the engine goes to work and begins to scour the sites most commonly associated with these types of leaks. At first, it does historical searches to catch the client up to the moment, and then, periodically, it provides ongoing searching for signs of leaked data.

Once a leaked dataset is found, the user is alerted and can view the findings in the web portal. They can take immediate action from the takedown advice we provide in online help, or they can choose to archive the alert or mark it as a false positive to be ignored in the future. Email alerts, team accounts and alert exports for SIEM/SOAR integration are also available to customers at the advanced levels.

Basically, ClawBack is a tool to help developers find code that accidentally slipped to the Internet, network admins and security teams find configurations and credentials that have escaped into the wild. We wanted to make this easy, and raise the maturity level of data leak detection for all organizations. We think we hit the mark with ClawBack, and we hope you do too.

Q: Why did your team create ClawBack and why now?

This is a great question! For many years now, we have been working a variety of security incidents that all tie back to attackers exploiting leaked data. They routinely comb the Internet looking in these common repositories and posting locations for code, configs and credentials. Once they find them, they are pretty quick to take advantage.

Take for example, a leaked device configuration from a router. The global paste bins, code repositories and forums are full of these kinds of leaks. In many cases, these leaked files contain not just the insights the attacker can gain from the configuration, but often, logins and passwords that they can use to compromise the device. Many also give up cryptographic secrets, network management credentials and other significantly dangerous information. The attackers just harvest it, use it and then spread into other parts of the network – stealing as they go.

At MSI, we just got tired of seeing organizations compromised the same way, over and over again. Time after time, the clients would say they had no idea the data had been exposed. Some had ad hoc processes they ran to search for them, and others had tools that just weren’t getting the job done. We knew we had to make something that could help everyone solve this problem and it had to be easy to use, flexible and affordable. Nothing like that was on the market, so we built it instead.

Q: How does ClawBack address the issues of leaked critical data?

As you read above, we wanted to focus on the things that hurt the most – leaked code, configs and credentials. These three types of leaks are at the core of more than 90% of the leak-related incidents we’ve worked over the last several years. We didn’t try to solve every problem with this new tool – or make it a swiss army knife. We focused only on those 3 kinds of leaks.

Today, ClawBack monitors the most common sites where these leaks often occur. It monitors many of the global pastebins associated with leaks, forums and support sites where folks often accidentally expose data while getting or giving help and work repositories where many of these items often end up from inadvertent user errors or via misconfigured tools.

ClawBack provides the dependable process and ongoing vigilance that the most mature firms have access to – and it brings that capability to everyone for less than a fancy cup of coffee a day.

Q: How is it different than DLP solutions?

For starters, there’s no hardware, software or agents to deploy and manage. The cloud-based platform is so simple to use that most customers are up and monitoring in less than 5 minutes. You simply register, select your subscription, input monitoring terms and ClawBack is off and running. It’s literally that easy!

Now, DLP is a great tool. When it’s properly configured and managed, it’s very capable. Most of our ClawBack clients have DLP solutions of some sort in place. The problem is, most of these data leaks occur in ways that render the DLP unable to assist. In most cases, the data leaks in the incidents we have worked have occurred outside of the corporate network that the DLP is monitoring. When we traced back the root of the incident, most of them came from workers who were not using the corporate network when they made their grave mistake.

Additionally, of those that did use the corporate network, often the DLP was either misconfigured, the alert was missed or the transaction was protected by cryptography that circumvented the DLP solution. A few of the incidents came from users who routinely handle code and configuration files, so the anomaly-based DLP tools assumed the leak was normal, usual traffic.

Sadly, the last group of incidents that had DLP in place went undetected, simply because the DLP solution was configured to meet some regulatory baseline like HIPAA, PCI or the like and was only searching for leaked PII that matched those specific kinds of patterns. In those cases, source code, configurations and even dumped credentials were far outside of the protection provided by the DLP.

ClawBack takes a different approach. It lets users know when this type of data turns up and lets them respond. Its easy, plain-language monitoring-term management makes it trivial to define proper terms to tackle the 3 critical types of leaks. We provide a very detailed set of suggested terms for customers in our online help, which most folks master in moments.

Q: If an organization doesn’t have any in-house development or code, what can ClawBack do for them? Same question for organizations that outsource their device management – how can they get help from ClawBack?

Organizations that don’t do any development or have any source code are few and far between, but they still gain immense capability from ClawBack. Nearly every organization has device and application configurations and credentials that they need to monitor for exposure. Even if you outsource network management, you should still use ClawBack as a sanity check to watch for data leaks. We’ve seen significant numbers of leak-related security breaches from networks managed by third parties.

Requesting the key device configurations from your vendor and inputting identifying data into ClawBack is easy and makes sure that those configurations don’t end up somewhere they shouldn’t – causing you pain. Identifying unique account names and such, and using those as ClawBack monitoring terms can give you early warning when attackers dump credentials, hashes or other secrets that could cause you harm. Being able to change those passwords, kill accounts, increase monitoring and claw back those files through takedown efforts can mean the difference between a simple security incident and a complete data breach with full legal, regulatory and reputational impacts.

Q: Several people have said you are leaving money on the table with your pricing model – why is the pricing so affordable?

The main reason that the product costs under $200 per month at the highest level, currently, is that I wanted not-for-profit firms to be able to afford to protect themselves. Credit unions, charities, co-op utilities and the like have been huge supporters of MicroSolved for the last 30 years, and I wanted to build a solution that didn’t leave them out – simply because they have limited funds. Sure, we could charge larger fees and only target the Fortune 500 or the like, and make a lot of money doing it. The problem is, the security incidents we built this to help eliminate happen to small, mid-size and less than Fortune 500 companies too and there are a LOT MORE of those firms than 500. They need help, and they need to be able to afford the help they require.

Secondly, we were able to get to such an affordable price point by really focusing on the specific problem. We didn’t build a bunch of unneeded features or spend years coding capabilities to address other security problems. ClawBack detects leaks of critical data. That’s it. It provides basic alerting and reporting. We based the monitoring technology off our existing machine learning platform and re-used much of the know how we have developing past products and services like TigerTrax™ and SilentTiger™. What saves us money and resources, saves our clients money and resources.

Lastly, at MSI, we believe in making more value than we harvest. We want to provide our clients with value that far exceeds what they pay for it. We can do that using technology, our expertise and by building solutions that focus on significant problems that many feel are untenable. We’ve been doing it for almost 30 years now, so we must be getting something right…

Q: What’s next for ClawBack? Is there a road map?

We are talking about adding some forms of risk determination to the findings. We are currently in discussion with clients and experts about how best to do that and communicate it. We are discussing using some additional machine learning techniques that we developed for our social media monitoring and threat intelligence platforms. That’s the next step for us, that we can see.

We’re also looking at user feedback and curating what folks are asking about and thinking about when using the product. That feedback is being ranked and added to the road map as we create it. We’ve got some ideas of where we want to go with ClawBack, but honestly, the tool addresses the problem we built it to help with. That’s the core mission, and anything outside of that is likely to fall out of the mix.

Q: You have a history of designing interesting products – what is on the horizon or what are you playing with in the lab these days?

I wish I could tell you about the things we are playing with, because it is fascinating. We are exploring a lot of new capabilities in TigerTrax with different machine learning models and predictive techniques. We’re working on updates to HoneyPoint™ and SilentTiger that will bring some very cool new features to those capabilities.

We’re also continuing to gather, analyze and deliver specific types of threat intelligence and data analytics of hostile data sets. We’re studying adversarial use of machine learning techniques, attacks against different AI, IoT and cloud platforms and we’re diving deep into cyber-economics and other factors related to breaches. I’m also working on a pretty interesting project with some of my mentees, where we are studying the evolution, use and capability growth of various phishing kits in use today. The mentees are learning a lot and I’m getting to apply significant amounts of machine learning techniques to new data and in new ways that I haven’t explored before. All in all, pretty cool stuff!

I’ll let you know what we come up with. Thanks for interviewing me, and thanks to the readers for checking this out. Give me a shout out on Twitter – @lbhuston and let me know if you have questions or feedback on ClawBack. I’d love to hear your thoughts!