Saturday, May 25, 2013

Securing big data: Architecture tips for building security within

Since “big data” is a hot topic these days, there’s no question an increasing number of enterprise infosec teams are going to be asked about the security-related ramifications of big data projects. There are many issues to look into, but here are a few tips for building security into big data projects during the architecture and implementation phases:
  1. Create data controls as close to the data as possible, since much of this data isn’t “owned” by the security team. The risk of having big data traversing your network is that large amounts of confidential data (credit card data, Social Security numbers, personally identifiable information (PII), etc.) now reside in new places and are used in new ways. You usually won’t see terabytes of data siphoned out of an organization, but the ability to search these databases for patterns and pull out just the sensitive content is something to be concerned about. Keep the security as close to the data as possible and don’t rely on firewalls, IPS, DLP or other systems to protect it.
  2. Verify that sensitive fields are indeed protected with encryption, so that when the data is analyzed, manipulated or sent to other areas of the organization you’re limiting the risk of exposure. All sensitive information needs to be encrypted as soon as you have control over it.
  3. After you’ve made the move to encrypt data, the next logical step is key management. There are a few new ways to perform key management, including creating keys on an as-needed basis so you don’t have to store them.
Read the rest of my article here:
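As an added illustration of tips 2 and 3 (example code written for this post, not taken from the article it links to): each sensitive field is encrypted under a key derived on demand from one master key plus the dataset name, record id and field name, so only the master key is ever stored and there is no per-record key table to protect. The HKDF is the RFC 5869 construction on top of the standard-library hmac module; the encrypt-then-MAC cipher built from HMAC-SHA256 in counter mode is a stand-in so the code runs with no third-party packages, and in production you would use AES-GCM from a vetted library. The dataset name, record ids and rows are constructed sample data.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) extract-then-expand, using only the standard library."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def field_keys(master_key: bytes, dataset: str, record_id: str, field: str):
    """Derive a (encryption key, MAC key) pair for one field of one record.

    Nothing but the master key is stored: the same inputs always reproduce the
    same keys, so keys are created as needed instead of kept in a key table.
    """
    info = f"{dataset}\x00{record_id}\x00{field}".encode()
    okm = hkdf_sha256(master_key, salt=b"field-encryption-v1", info=info, length=64)
    return okm[:32], okm[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: a stand-in for a real cipher so the example runs offline.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_field(master_key, dataset, record_id, field, plaintext: bytes) -> bytes:
    enc_key, mac_key = field_keys(master_key, dataset, record_id, field)
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ciphertext + tag


def decrypt_field(master_key, dataset, record_id, field, blob: bytes) -> bytes:
    enc_key, mac_key = field_keys(master_key, dataset, record_id, field)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        # Wrong master key, ciphertext moved to another record/field, or modified bytes
        raise ValueError("field failed integrity check")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def protect_records(master_key, dataset, records, sensitive_fields):
    """Return copies of the records with each listed sensitive field encrypted (hex)."""
    protected = []
    for rec in records:
        out = dict(rec)
        for f in sensitive_fields:
            if f in out:
                out[f] = encrypt_field(master_key, dataset, rec["id"], f, out[f].encode()).hex()
        protected.append(out)
    return protected


if __name__ == "__main__":
    master = secrets.token_bytes(32)  # in practice this comes from an HSM or KMS
    rows = [  # constructed sample rows
        {"id": "r1", "name": "A. Customer", "ssn": "123-45-6789", "card": "4111111111111111"},
        {"id": "r2", "name": "B. Customer", "ssn": "987-65-4321", "card": "4111111111111111"},
    ]
    for row in protect_records(master, "payments", rows, ["ssn", "card"]):
        print(row)
```

Because the key derivation binds the ciphertext to its dataset, record and field, a value copied from one row into another fails the integrity check instead of decrypting, and two rows holding the same card number do not produce the same ciphertext.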

Friday, May 24, 2013

What Java's installer should really say (Funny)

How to build C-level support for the benefits of penetration testing

Performing an external penetration test is extremely valuable. At the same time, it can also be difficult to develop C-level support when talking up the benefits of penetration testing, especially if the company hasn’t experienced a public breach.

However, before trying to cross that chasm, it’s important to determine what type of external penetration test you’d like to have performed. For example, if you’re at an e-commerce company, I would favor a Web application assessment over a network assessment. If you’re at a public company or under some type of regulation, like Sarbanes-Oxley (SOX) or the Payment Card Industry Data Security Standard (PCI DSS), you’ll most likely be able to leverage these regulations to get a penetration test against your infrastructure in order to meet compliance requirements. I’ve seen many security-related budget items pass simply because an auditor told the company it needed the items to stay compliant. Pen tests are expensive, but are done by professionals in the field and are considered a third-party view.

If you’re not at a public company and do not have a regulator pushing you to perform these assessments, you’ll most likely have to default to research, awareness, and a good presentation to upper management. With spending tight in IT departments, most executives are not going to open the corporate purse until they can see hard numbers on the return on investment (ROI). This can be difficult to calculate, so you’ll need to brush up on your risk management terminology. Certain areas to look into include:
  • Exposure Factor (EF): The percentage of an asset’s value that would be lost if a breach were realized on that system.
  • Single Loss Expectancy (SLE): The dollar amount assigned to one event, calculated by multiplying the Exposure Factor by the asset’s value in dollars.
  • Annualized Rate of Occurrence (ARO): The estimated number of times per year the event or breach could occur on the asset.
  • Annualized Loss Expectancy (ALE): The expected yearly loss in dollars, calculated as the SLE multiplied by the ARO.
This might seem like quite a bit of work, but it’s a good way to get a better idea of what you need to do to help protect your company’s network and show the executives your view in dollars and cents. If you want to give the executives a more eye-opening number, let them know it would cost the company an average of $194 per record lost as a result of a breach. Considering most breaches involve thousands of lost records, the numbers add up quickly.

Another way to help convince the executives is to show them similar attacks that have happened in the past, potentially to similar companies, and the reputational and financial damage each company incurred.

Read the rest of my article here:

Thursday, May 23, 2013

"Interview with a Blackhat" by Whitehat Security

This past week Whitehat Security, the leader in web application vulnerability assessment, released a series of interviews its Director of Product Management (Richard Hansen) held with a self-professed blackhat. In this three-part series Richard Hansen and his blackhat interviewee help us get into the mind of the underground.

I found these interviews a fascinating insight into the psychology of the blackhat: why they do what they do, how they feel about fraud, the tools of the underground trade, and which security methods work and which don’t.

Please do yourself a favor and read the following three-part series from Whitehat Security:

Tuesday, May 21, 2013

Practical Tips to Improve Network Security with What You Already Have: Part 1 of 2

I think we as security experts need to stop focusing on who or what will attack us and start acting like we’re already owned. If we just started thinking in terms of “I’m already compromised,” the security and monitoring of our networks and systems would improve drastically. The initial fear of security experts was of being hacked or compromised, but in reality this is happening every day while you’re on the clock. If you’ve ever had malware infect a workstation, you’ve been breached. This is just a small example, but it’s true. There are two types of security professionals:
  1. Those that know they’ve been breached.
  2. Those who’ve been breached, but don’t know it.
With this being said, we need to start focusing on extrusion detection (a term coined by Richard Bejtlich, @taosecurity) as well as intrusion detection. We talk about security in layers a lot, and this is just another way to detect threats. The problem is that we often jump straight to the shiny new objects out there, such as Data Loss Prevention (DLP), next-generation firewalls, SIEM, etc., to get the job done. While these are all helpful tools that can certainly improve your ability to monitor for nefarious traffic exfiltrating data, there are things you can do immediately to improve your security posture.

Log for Certain Alerts
There are certain alerts on your domain or network that you know right off the bat are bad news. These events should be caught and alerted on right away. There are many tools that will do this for you, like a SIEM, but you still need to know what you’re looking for. If you don’t currently have a SIEM, you can set up similar alerts to warn you of malicious behavior. Here are some examples:
  • Set up an alert every time the “Domain Admins” group has a change made to it. If you’re a smaller company there should be a darn good reason this group has just experienced a change. One of the things a bad guy wants is complete control, and if he’s already gotten this far it may be too late, but the alert might give you the time needed to shut things down and keep your data from leaving.
  • Set up fake accounts that you think hackers will try to access. An example of this is an account named “administrator” in Active Directory (I’m assuming and hoping that you’ve already renamed the original one). On this account you can set the lockout threshold really low and alert every time someone fails a login to it. In this example, if a bad guy is looking for low-hanging fruit he’s going to tip you off right away.
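Here is what those two alerts look like as detection logic, written as an added example for this post rather than taken from the article or any product. It evaluates Windows Security log events (standard event IDs: 4728/4732/4756 member added to a security group, 4729/4733/4757 member removed, 4625 failed logon, 4624 successful logon, 4740 account locked out) against a watched-group list and a decoy-account list; the event records are constructed samples in the field layout a log collector hands you, and the host and account names are made up.

```python
# Standard Windows Security log event IDs used by the two rules below.
GROUP_MEMBER_ADDED = {4728, 4732, 4756}    # member added to global/local/universal security group
GROUP_MEMBER_REMOVED = {4729, 4733, 4757}  # member removed from the same
LOGON_FAILED, LOGON_SUCCESS, ACCOUNT_LOCKED = 4625, 4624, 4740

WATCHED_GROUPS = {"domain admins", "enterprise admins"}
HONEYPOT_ACCOUNTS = {"administrator"}  # the decoy; the real account has been renamed


def evaluate(events, watched_groups=WATCHED_GROUPS, honeypots=HONEYPOT_ACCOUNTS):
    """Return one alert per event that should never happen quietly."""
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        target = ev.get("TargetUserName", "").lower()
        where = ev.get("Computer", "?")

        # Rule 1: any membership change to a watched group.
        if eid in GROUP_MEMBER_ADDED | GROUP_MEMBER_REMOVED and target in watched_groups:
            action = "added to" if eid in GROUP_MEMBER_ADDED else "removed from"
            alerts.append({
                "severity": "high",
                "rule": "watched-group-change",
                "detail": f"{ev.get('MemberName', '?')} {action} {ev['TargetUserName']} "
                          f"by {ev.get('SubjectUserName', '?')} on {where}",
            })

        # Rule 2: any activity at all against a decoy account.
        if target in honeypots:
            src = ev.get("IpAddress", "?")
            if eid == LOGON_SUCCESS:
                alerts.append({"severity": "critical", "rule": "honeypot-logon-success",
                               "detail": f"successful logon to decoy {target} from {src} on {where}"})
            elif eid == LOGON_FAILED:
                alerts.append({"severity": "medium", "rule": "honeypot-logon-failed",
                               "detail": f"failed logon to decoy {target} from {src} on {where}"})
            elif eid == ACCOUNT_LOCKED:
                alerts.append({"severity": "medium", "rule": "honeypot-lockout",
                               "detail": f"decoy {target} locked out on {where}"})
    return alerts


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "jdoe", "IpAddress": "10.0.0.15", "Computer": "DC01"},
    {"EventID": 4728, "SubjectUserName": "svc_backup", "TargetUserName": "Domain Admins",
     "MemberName": "CN=jdoe,OU=Staff,DC=corp,DC=example", "Computer": "DC01"},
    {"EventID": 4625, "TargetUserName": "Administrator", "IpAddress": "10.0.0.77", "Computer": "DC01"},
    {"EventID": 4625, "TargetUserName": "bsmith", "IpAddress": "10.0.0.31", "Computer": "DC01"},
    {"EventID": 4740, "TargetUserName": "administrator", "Computer": "DC01"},
    {"EventID": 4624, "TargetUserName": "administrator", "IpAddress": "10.0.0.77", "Computer": "FS01"},
    {"EventID": 4732, "SubjectUserName": "helpdesk1", "TargetUserName": "Remote Desktop Users",
     "MemberName": "CN=tsmith,OU=Staff,DC=corp,DC=example", "Computer": "FS01"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['rule']}: {alert['detail']}")
```

Of the seven sample events, four raise alerts: the Domain Admins change, the failed logon and lockout against the decoy, and a successful logon to the decoy, which is the one that should page someone because nobody legitimate ever uses that account. The ordinary user logon, the typo-style failed logon for a real user and the change to a non-watched group stay quiet.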
Read the rest of the article, including other tips, here at Algosec:

Network perimeter security: How to audit remote access services

There are a few ways to audit your domain for Internet-facing remote access services. If you’re looking to audit your network perimeter with free tools, then something like Nmap would be the way to go. Do your research before firing away at your perimeter with a port scanner, though; you don’t want to inadvertently create a denial of service by pummeling the network with port scans (and obviously make sure you have permission from your superiors as well). Also, when using Nmap, make sure you fingerprint the open ports you find to determine what’s running behind them. Using Nmap’s -sV option against a port will often show you the application listening on it. This comes in handy when someone is running software on a non-standard port to get out through your firewall.

Another tool that’s recommended when auditing remote access services is Nessus. There are multiple plug-ins available that can scan your ports and determine whether you are running particular remote access services. Unlike Nmap, however, Nessus will let you know if a particular vulnerability would unintentionally allow remote access into your organization. Nessus looks for vulnerabilities, whereas Nmap gives you hard facts as to what’s listening in your environment. There are many other tools that could be used, but these two are common and come at no charge.
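An added example of what to do with the -sV results once you have them (written for this post, not a script from Nmap or the article): parse Nmap’s grepable output (-oG, where each port entry is port/state/protocol/owner/service/rpcinfo/version) and flag every open service that grants a remote foothold, noting when it sits on a port other than the one it normally uses or when Nmap could only guess the service (a trailing “?”). The scan output, IP addresses and host names below are constructed; the set of remote-access services and their usual ports is my own starting list, not Nmap’s.

```python
import re

# Services that give an interactive foothold, with the ports they normally listen on.
REMOTE_ACCESS = {
    "ssh": {22},
    "telnet": {23},
    "ms-wbt-server": {3389},            # RDP
    "vnc": {5900, 5901, 5902},
    "pptp": {1723},
    "pcanywheredata": {5631},
}

# Constructed sample in Nmap's grepable (-oG) layout; not real scan output.
SAMPLE_GREPABLE = (
    "# Nmap 6.25 scan initiated (constructed sample)\n"
    "Host: 203.0.113.10 (vpn.example.net)\tStatus: Up\n"
    "Host: 203.0.113.10 (vpn.example.net)\tPorts: 22/open/tcp//ssh//OpenSSH 6.2 (protocol 2.0)/, "
    "443/open/tcp//ssl|http//Apache httpd 2.2.22/\tIgnored State: closed (998)\n"
    "Host: 203.0.113.20 (web.example.net)\tPorts: 80/open/tcp//http//nginx 1.4.1/, "
    "8443/open/tcp//ms-wbt-server//Microsoft Terminal Service/\tIgnored State: filtered (998)\n"
    "Host: 203.0.113.30 ()\tPorts: 5901/open/tcp//vnc?///, 23/closed/tcp//telnet///\t"
    "Ignored State: closed (998)\n"
    "# Nmap done\n"
)


def parse_grepable(text):
    """Return [{ip, hostname, ports: [{port, state, proto, service, version}]}]."""
    hosts = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:       # "Status: Up" lines carry no port data
            continue
        m = re.match(r"Host: (\S+) \(([^)]*)\)", line)
        ports = []
        for entry in fields["Ports"].split(", "):
            parts = entry.split("/")
            ports.append({"port": int(parts[0]), "state": parts[1], "proto": parts[2],
                          "service": parts[4], "version": parts[6]})
        hosts.append({"ip": m.group(1), "hostname": m.group(2), "ports": ports})
    return hosts


def audit_remote_access(hosts):
    """Flag open remote-access services, with notes for odd ports or unconfirmed fingerprints."""
    findings = []
    for h in hosts:
        for p in h["ports"]:
            if p["state"] != "open":
                continue
            base = p["service"].rstrip("?").split("|")[-1]   # "ssl|http" -> "http"
            if base not in REMOTE_ACCESS:
                continue
            notes = []
            if p["port"] not in REMOTE_ACCESS[base]:
                notes.append("non-standard port")
            if p["service"].endswith("?") or not p["version"]:
                notes.append("fingerprint unconfirmed, verify manually")
            findings.append({"host": h["ip"], "port": p["port"], "service": base,
                             "version": p["version"], "notes": notes})
    return findings


if __name__ == "__main__":
    for f in audit_remote_access(parse_grepable(SAMPLE_GREPABLE)):
        print(f"{f['host']}:{f['port']} {f['service']} {f['version'] or '-'} {'; '.join(f['notes'])}")
```

Against the sample, the audit reports SSH on 22 with a confirmed banner, RDP on 8443 tagged as a non-standard port, and a guessed VNC service on 5901 that needs a manual look; the closed telnet port and the web servers are ignored. Run the real thing as `nmap -sV -oG perimeter.gnmap <your ranges>` and feed the file to `parse_grepable`.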

Another way to prevent rogue services from listening on your network is to lock down what’s allowed to leave your organization. Many people still don’t perform egress filtering on their firewalls, yet this is a common way to prevent botnets, misconfigurations and malicious insiders from allowing remote connections into your network. Also, filtering traffic leaving the network with an IPS or next-generation firewall (NGFW) will let you inspect the traffic the firewall does allow for malicious use. Many times, attackers take advantage of normally open ports, such as port 80, port 443, etc., to transmit data out of your network without you noticing.

Read the rest of the article here:

Monday, May 13, 2013

How Facebook Updates Would Look in Real Life [Funny]

If we all thought of privacy like this we'd be a little more cautious on social media sites. Very funny.

Sunday, May 12, 2013

Two-Factor Authentication for Social Media Sites

Over the past couple of weeks there’s been a lot of talk about social media accounts being compromised and the legal aspects of a company having its accounts owned. I for one don’t think there needs to be regulation on how companies secure their social media accounts. Increased regulation doesn’t mean better security. Ever.

With that being said, I think we need to start looking at how easy it is for an attacker to compromise social media credentials (keyloggers, malware, XSS, phishing, etc.). I read a stat today which said that if you’ve had a social media account for longer than 5 years, there’s a 50% chance you’ve had your credentials compromised. That’s a pretty scary statistic.

One way to limit the risk of social media accounts being compromised is to use two-factor authentication. Two-factor authentication takes both something you know (your password) and something you have (a token of some sort) and applies both of them to your login. So even if an attacker is able to steal your credentials, it’s unlikely that they’ll also have your token. These tokens can be generated by many systems, but in the case of social media we’re going to use the free Google Authenticator app.

Google Authenticator is a free download that uses the Time-based One-Time Password (TOTP) algorithm, which lets you generate codes/tokens in the Google app and enter them into a variety of sites that use the protocol as a second factor of authentication. A few of the sites and software packages Google Authenticator can be used with are Google Apps, WordPress, Microsoft, etc.; the list goes on. This isn’t a silver bullet when it comes to securing logins, but it does limit the risk that both the password and the token will be stolen.

After seeing the mini market crash caused by the Associated Press (AP) Twitter account compromise, I started thinking about ways to secure social media accounts in an enterprise and was reminded that this technology could be enabled on multiple sites (like Facebook), but that Twitter was still behind the eight ball on this feature. I’m sure the $136 million market crash might have pushed this Twitter feature to the top of QA’s list.

So if you're using social media in any way, especially from a corporate standpoint, I would highly recommend setting up two-factor authentication with Google Authenticator (details can be found here), unless you're using Twitter, in which case you'll have to wait with the rest of us.

Thursday, May 9, 2013

8 charged in $45 million cybertheft bank heist

NSA's Manual on Hacking the Internet

So it seems that the NSA has literally written the book on how to perform reconnaissance on the Internet. You can read their little 643-page book, “Untangling the Web: A Guide to Internet Research,” and see the steps the government uses to search the web. There are some very interesting methods they focus on when using Google: nothing new, but still enlightening.

Download the book here.

Sunday, May 5, 2013

iFrame drive-by attack demo [Anatomy of Attack online]

Great educational video, by Sophos, on how iFrames are being used for attacks. These types of attacks have exploded in popularity over the past couple of months. In Microsoft's Security Intelligence Report, released a few weeks ago, they describe iFrame drive-by attacks as follows:
Enterprises were more likely to encounter the iFrame redirection technique than any other malware family tracked in 4Q12. 
Take a look at this video and become more aware of this growing threat vector.

Wednesday, May 1, 2013

The PR Implications Of Cyber Security

Here's a great new article from SteamFeed on the unforeseen consequences of a security breach. Jayme Soulati gives sound advice on how to prepare for and manage a breach from a PR perspective.

Here are a few suggestions (read the entire blog post here):

Tips to Insulate Before A PR Crisis

1. A crisis communications plan has always been a necessity for companies. When was the last time it was dusted off and reviewed for cyber security?

2. PR needs to be involved during a corporate crisis at all times; a company in crisis needs outward-thinking experts who put the customer top of mind.

3. While strategists are monitoring the situation moment to moment, the PR team needs to be preparing statements for media and customers in parallel.

4. Twice a year, the entire marketing team along with IT should meet for a dry run to determine the chain of events should a cyber attack occur in a company. In this case, “cyber attack” can also include the swiping of credit information and personal data; if it’s electronic information, then it’s a breach of cyber security.

5. Annually, meet with the C-suite to review the cyber crisis plan and ensure everyone is on board and ready to hit send when and if a crisis occurs.