
Thursday, April 25, 2013

(F) Funny Ellen segment on password management

Clearly this is how NOT to manage passwords, but grandma and grandpa might actually have bought this solution from a late-night infomercial.

Thanks Ellen for the spoof!

Link to Ellen show clip on password management

Use LastPass! As I have stated before, it is the easiest way to manage passwords across all your computers and smart devices, and two-factor authentication is included for free!!!

LastPass website

#InfoSec #Ellen

Tuesday, April 23, 2013

(I) Time to dump AV as Endpoint Protection? Not yet

I read an article by Robert Lemos on Dark Reading and thought, 'He missed some points.' So I emailed him to share them, and now I'm sharing them here too.

I think many things about anti-virus and anti-malware solutions, mostly that they suck at detecting anything new or unique. Sophos states that 70% of malware is unique to one company and 80% is seen at ten companies or fewer. AV is still good for the remaining 20% that is widespread, like the Blackhole exploit kit and other mass-distributed malware. AV is also good for the older lingering pestware, cracks, keygens and other known undesirable applications.

So is AV dead as Endpoint Protection? Not by a long shot. I would recommend to anyone asking me: don't go spending a ton of $$$ on an AV solution or replace one vendor with another; consider a free version or a cheaper solution instead. Unless, of course, you are already using a product like McAfee ePO, where you have multiple solutions integrated into one console (database security, data loss prevention, encryption, etc.). But I sure wouldn't spend much to maintain AV.

If you really want to maximize the security bang for your buck, consider detection solutions like BigFix or Tanium that can run analyses you craft yourself, for example looking for new files in the WBEM directory (C:\Windows\System32\wbem), a location malware likes to drop its files into. Or tweak Tripwire to send email alerts on changes to the WBEM directory. You will need agents deployed on every client you want to manage, but that is no different from AV.
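The "new files in WBEM" check above is really a baseline-and-compare over one directory, which is what a BigFix analysis or a Tripwire rule does for you. As an added example, not code from this post nor from BigFix, Tanium or Tripwire, here is that check written out in Python so you can see exactly what such a rule has to record and compare. The WBEM path is the post's example; `demo()` builds a constructed stand-in directory tree in a temp folder (the file names are made up to look like the real ones) so the code runs offline. To use it for real, point `snapshot()` at the actual directory, take the baseline on a known-clean build, and store it somewhere the monitored host cannot alter.

```python
"""Baseline-and-compare check for a directory malware likes to drop files into.

Added example written for this post; it is not code from the post, nor from
BigFix, Tanium or Tripwire. The post's example location is the WBEM directory
(C:\\Windows\\System32\\wbem); demo() builds a constructed stand-in tree in a
temp directory so the check runs offline.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(watch_dir: Path) -> Dict[str, dict]:
    """Map each file under watch_dir (relative path) to its hash and size."""
    result = {}
    for path in sorted(watch_dir.rglob("*")):
        if path.is_file():
            rel = path.relative_to(watch_dir).as_posix()
            result[rel] = {"sha256": hash_file(path), "size": path.stat().st_size}
    return result


def compare(baseline: Dict[str, dict], current: Dict[str, dict]) -> Dict[str, List[str]]:
    """Return files added, removed or modified since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            name for name in set(baseline) & set(current)
            if baseline[name]["sha256"] != current[name]["sha256"]
        ),
    }


def save_baseline(snap: Dict[str, dict], path: Path) -> None:
    """Persist the baseline as JSON (keep this off the monitored host)."""
    path.write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(path: Path) -> Dict[str, dict]:
    return json.loads(path.read_text())


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a fake wbem tree, then simulate a dropped
    file, a trojaned binary and a deleted file, and report the delta."""
    with tempfile.TemporaryDirectory() as tmp, tempfile.TemporaryDirectory() as state:
        root = Path(tmp)
        (root / "wmiprvse.exe").write_bytes(b"legitimate WMI provider host")
        (root / "repository").mkdir()
        (root / "repository" / "OBJECTS.DATA").write_bytes(b"WMI repository")

        baseline_path = Path(state) / "wbem-baseline.json"
        save_baseline(snapshot(root), baseline_path)

        # Constructed "malware" activity after the baseline was taken.
        (root / "evil.dll").write_bytes(b"dropped payload")
        (root / "wmiprvse.exe").write_bytes(b"trojaned copy")
        (root / "repository" / "OBJECTS.DATA").unlink()

        return compare(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it on a schedule (a scheduled task or your agent's interval) and alert on any non-empty "added" or "modified" list. Expect legitimate churn in the WMI repository files under `repository\`; either exclude that subfolder or alert only on new executables and DLLs there, otherwise the rule trains people to ignore it.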

What about log management? I mean real log management, with alerting on nefarious behavior like 'net use', cscript, PsExec, RDP, successful logins, etc., and that emails your admins when their accounts are used successfully, so the logging is actually useful. Don't forget to enable the proper logging on your Windows systems (Advanced Audit Policy) and proper logs and auditing on UNIX/Linux systems. Yes, you will need storage, but the data you can alert on with a log management or SIEM solution is going to do more with your security budget than AV $$$$.
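To make the alerting rules above concrete, here is an added example (not the post's code, and not any SIEM vendor's) that runs them over Windows Security events. The input is constructed: one key=value line per event using the field names of event 4624 (successful logon) and 4688 (process creation); hostnames, account names and the admin list are made up. In practice the same rules would run on records pulled from your agent or SIEM export.

```python
"""Alerting rules for the behaviours the post names: net use, cscript, PsExec,
RDP logons and successful logons by admin accounts.

Added example written for this post; it is not the post's code nor any SIEM
vendor's. Input is constructed as one key=value line per Windows Security
event, using the field names of 4624 (logon) and 4688 (process creation).
"""
import re
from typing import Dict, List, Tuple

# Constructed list of privileged accounts whose successful logons should
# notify their owners (the post's "email your admins when their accounts are used").
ADMIN_ACCOUNTS = {"acme\\jsmith-adm", "acme\\svc-backup"}

# Process names worth an alert on creation. `net use` runs as net.exe, which
# hands off to net1.exe; PsExec is psexec.exe on the source host and the
# PSEXESVC.exe service it installs on the target.
WATCHED_PROCESSES = {"net.exe", "net1.exe", "cscript.exe", "wscript.exe",
                     "psexec.exe", "psexesvc.exe"}

RDP_LOGON_TYPE = "10"  # 4624 LogonType 10 = RemoteInteractive (RDP)

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Turn `Key=value Key2="quoted value"` into a dict."""
    return {key: value.strip('"') for key, value in _KV.findall(line)}


def evaluate(event: Dict[str, str]) -> List[Tuple[str, str]]:
    """Apply the rules to one event; returns (rule_name, detail) pairs."""
    alerts = []
    event_id = event.get("EventID")
    host = event.get("Computer", "?")

    if event_id == "4688":
        image = event.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
        if image in WATCHED_PROCESSES:
            who = f"{event.get('SubjectDomainName', '')}\\{event.get('SubjectUserName', '')}"
            detail = f"{image} started by {who} on {host}"
            # CommandLine is only present when "Include command line in process
            # creation events" is enabled (Windows 8.1/2012 R2, or KB3004375 on
            # older systems); the process name alone still catches net.exe.
            if event.get("CommandLine"):
                detail += f": {event['CommandLine']}"
            alerts.append(("watched_process", detail))

    elif event_id == "4624":
        account = f"{event.get('TargetDomainName', '')}\\{event.get('TargetUserName', '')}".lower()
        source = event.get("IpAddress", "-")
        if event.get("LogonType") == RDP_LOGON_TYPE:
            alerts.append(("rdp_logon", f"{account} via RDP to {host} from {source}"))
        if account in ADMIN_ACCOUNTS:
            alerts.append(("admin_logon",
                           f"admin account {account} logged on to {host} "
                           f"(type {event.get('LogonType')}) from {source}"))

    return alerts


def scan(lines) -> List[Tuple[str, str]]:
    """Run every rule over every line and collect the alerts in order."""
    return [alert for line in lines for alert in evaluate(parse_event(line))]


# Constructed sample events (not real log data).
SAMPLE_LOG = [
    r'EventID=4688 Computer=WS01 SubjectDomainName=ACME SubjectUserName=bob NewProcessName="C:\Windows\System32\net.exe" CommandLine="net use \\FS01\C$ /user:ACME\jsmith-adm"',
    r'EventID=4688 Computer=WS01 SubjectDomainName=ACME SubjectUserName=bob NewProcessName="C:\Windows\System32\cscript.exe"',
    r'EventID=4688 Computer=FS01 SubjectDomainName="NT AUTHORITY" SubjectUserName=SYSTEM NewProcessName="C:\Windows\PSEXESVC.exe"',
    r'EventID=4624 Computer=FS01 TargetDomainName=ACME TargetUserName=jsmith-adm LogonType=10 IpAddress=10.1.2.3',
    r'EventID=4624 Computer=WS01 TargetDomainName=ACME TargetUserName=bob LogonType=2 IpAddress=-',
    r'EventID=4688 Computer=WS01 SubjectDomainName=ACME SubjectUserName=bob NewProcessName="C:\Windows\System32\notepad.exe"',
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

None of this fires unless the events exist: 4688 requires "Audit Process Creation" to be enabled under Advanced Audit Policy Configuration, and the PSEXESVC.exe event comes from the target host, so the target's logs have to be collected too. The RDP and admin rules both match the same 4624 on purpose; an admin logging in over RDP to a file server is exactly the event you want two independent reasons to look at.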

Just read the Verizon DBIR and Trustwave reports and look at the 'Time to Detection after Compromise' figures. If you are not in the 'within an hour' region, you are doing it wrong. This is also referred to as Mean Time to Detection (MTTD), a dumb term, because the mean should not be the measure: you are only as good as your maximum time to detection, so the mean is irrelevant.

Spend your security budget on detection, because "Prevention is DEAD" (you read me right) as a reliable way to protect your ASSets. Just accept that you will get p0wned and work towards a detect, respond and eradicate mentality, as Time Based Security suggests. Refine and improve your detection so that you are in the minutes-and-hours column, laughing the next day at how fast you caught and stopped the malefactors.

And NEVER trust default installations of your security tools; they will fail you! Test, test and test again using attack scenarios, and a pen test if needed, to prove they do what you expect and paid for. Implement a "Malware Management Framework" and you CAN get a leg up on the ne'er-do-wells.

Robert Lemos Dark Reading article on Dumping AV


(I) Funny video blog on Log Management

Watch this video blog on log management... it sums it up.

Video Blog on Log Management

#InfoSec #LogManagement

Wednesday, April 10, 2013

(I) We are all doing it wrong, well you are according to the stats

At this year's BSides Austin, Ian and I discussed a new method for malware analysis and detection. The presentation included a slide, drawn from the Verizon 2012 DBIR and Trustwave's 2012 report, showing that the industry is STOOPID slow at detecting a compromise, as the following images show.
Verizon 2012 DBIR report

Trustwave's 2013 Global Security Report

HP sent me an email with the following tag line.

I don't know where HP got 416 days, as Verizon and Trustwave both indicate around 200+ days. Nevertheless, these numbers are proof that InfoSec and the security vendors selling us defenses are failing us all. Or is it us, using the tools?

In the presentation, Ian and I drew red boxes on the two images above indicating that we can detect a compromise within hours or less, not weeks, months or longer: a 180-degree change from the report findings. Why? Because we tweak our security tools to do more. We do not rely on default installations of security tools and expect them to work. We heavily use the analysis feature of BigFix (fracking AWESOME, BTW) to watch the areas of a system that have been, and regularly are, used by malware. We also have a methodology, the "Malware Management Framework", that we use to keep up, defend our networks and analyze what we find.

For 2013 I give you the following challenge, and be honest about it too: where do you sit on the Verizon and Trustwave detection-of-a-compromise timeline? Here is the challenge: do a 180 turnaround as we have done and place your organization in the minutes-to-hours detection and containment area, which is currently at 0%-5% according to the two reports, or worse, HP's number of 416 days.

It can be done! If you need help, I guess we are available to do some simple consulting to help you figure it out, but you CAN do it!!!


Monday, April 1, 2013

National “Take Your Computer to Work” Day


Today marks the inaugural “Take Your Computer to Work Day”. First conceived by security researchers Michael Gough and Ian Robertson (the Thoughtful Hackers), this day has exploded in popularity and has now become a world-wide national phenomenon.

Says Mr. Robertson of its introduction, “We always hear stories of how much productivity people gain by using their own mobile phones and tablets at work – by some studies, as much as 110%. We thought, wow, that is so smart and has absolutely no downsides. The next logical extension of that is to offer all our workers to bring in any of their computers, so we did.”

“The results were absolutely astonishing”, said Mr. Gough. “We were seeing user productivity up at least 0.5 times with Commodore 64’s alone. Our database searches got faster with home-built white-box servers, and our janitorial staff was able to clean the restrooms twice as fast thanks to their TRS-80’s.”

The duo said that they had to share their results with others. “We really can’t take full credit for this. We’re just building on the success of others.”

What’s next up for this duo? “We seem to have a lot of malware recently, so we’re working to figure out what that’s all about.”