Solutionary Blog

Solutionary Minds - Your Information Security Blog Source


When It Comes to Security Monitoring, Domain Controllers Aren’t Just Another Server!

Posted by Jozef Krakora on Wed, May 09, 2012 @ 09:41 AM

At Solutionary, I wake up every day thinking about how else we can help our customers be more secure.  We want to bring our customers peace of mind, so they can focus on their business and worry more about the things that will bring them success in their markets.  

One area I’ve been focusing on lately is the risk associated with Microsoft’s Active Directory and how employees’ access is provisioned through its framework.   What I’ve discovered is that often, companies wrongly assume the risks associated with their domain controllers (servers that run Active Directory) are equivalent to the risks posed by other internal servers.  This is a dangerous myth.

Domain controllers allow users to log in daily, whether in the office or remote, and determine what internal domain assets the users have access to.  I can best describe this as “managed chaos”.  The risk here is very high.  Domain controllers are a single point of access to all domain assets for all internal employees (think border firewall, only on the inside).  Security activities relevant to monitoring include user and group creation, privilege management, user authorizations, logons (success/fail), domain access (success/fail) and many others.  So, domain controllers produce large volumes of logs, but those logs carry high-quality information.

The value of monitoring users’ access to all domain assets is high.  In addition, we find the cross-device correlation value to be very high with this kind of data, especially when ActiveGuard® automatically ties user identity to activity reported in the logs of millions of other devices.
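The checks named above (user and group creation, privilege changes, logon success and failure) run over a handful of constructed domain-controller events, as an added example that is not part of the original post and not ActiveGuard code. The event IDs are the standard Windows Security log IDs; host, account and group names and the failure threshold are assumptions made for the example. The second function shows what the same batch looks like from one application server's own log, which is the contrast the post draws.

```python
"""Added example (not from the original post): triage of domain-controller Security
log events, showing the per-user, cross-host correlation that only a DC's view allows.

The event records are constructed for this example. Event IDs are the standard
Windows Security log IDs: 4720 user created, 4728 member added to a
security-enabled global group, 4624 logon succeeded, 4625 logon failed.
Host, account and group names are hypothetical; the threshold is an assumption.
"""
from collections import defaultdict

USER_CREATED = 4720
GLOBAL_GROUP_MEMBER_ADDED = 4728
LOGON_SUCCESS = 4624
LOGON_FAILURE = 4625

# Groups whose membership changes always merit an analyst's look (assumed list).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
FAILED_LOGON_THRESHOLD = 5  # failures per account, counted across every host (assumed)

# Constructed sample events, reduced to the fields used below. "target" is the account
# the event is about, "subject" the account that performed the action, "host" the
# workstation or server named in a logon event, "dc" the controller that logged it.
SAMPLE_EVENTS = [
    {"id": 4720, "subject": "helpdesk1", "target": "svc-backup", "dc": "DC01"},
    {"id": 4728, "subject": "helpdesk1", "target": "svc-backup", "group": "Domain Admins", "dc": "DC01"},
    {"id": 4625, "target": "jsmith", "host": "WS-101", "dc": "DC01"},
    {"id": 4625, "target": "jsmith", "host": "WS-102", "dc": "DC01"},
    {"id": 4625, "target": "jsmith", "host": "WS-103", "dc": "DC02"},
    {"id": 4625, "target": "jsmith", "host": "WS-104", "dc": "DC02"},
    {"id": 4625, "target": "jsmith", "host": "WS-105", "dc": "DC02"},
    {"id": 4625, "target": "jsmith", "host": "WS-106", "dc": "DC02"},
    {"id": 4624, "target": "svc-backup", "host": "FILESRV01", "dc": "DC01"},
    {"id": 4624, "target": "svc-backup", "host": "SQL01", "dc": "DC02"},
    {"id": 4624, "target": "svc-backup", "host": "WS-101", "dc": "DC01"},
    {"id": 4625, "target": "bjones", "host": "WS-200", "dc": "DC01"},
]


def triage_dc_events(events):
    """Return (kind, account, detail) findings from a batch of DC events.

    Three checks that need the whole-domain view: an account added to a privileged
    group (noting whether it was created in the same batch), one account failing
    logons across many hosts (password spray or a lockout in progress), and a
    freshly privileged account already logging on to several machines.
    """
    findings = []
    created = set()
    failures = defaultdict(list)   # account -> hosts where a logon failed (one entry per failure)
    logons = defaultdict(set)      # account -> distinct hosts with a successful logon
    for e in events:
        if e["id"] == USER_CREATED:
            created.add(e["target"])
        elif e["id"] == GLOBAL_GROUP_MEMBER_ADDED and e.get("group") in PRIVILEGED_GROUPS:
            note = "account created in same batch" if e["target"] in created else "existing account"
            findings.append(("privileged_group_add", e["target"],
                             f"added to {e['group']} by {e['subject']} ({note})"))
        elif e["id"] == LOGON_FAILURE:
            failures[e["target"]].append(e["host"])
        elif e["id"] == LOGON_SUCCESS:
            logons[e["target"]].add(e["host"])
    for account, hosts in failures.items():
        if len(hosts) >= FAILED_LOGON_THRESHOLD:
            findings.append(("failed_logon_burst", account,
                             f"{len(hosts)} failures from {len(set(hosts))} hosts"))
    newly_privileged = {f[1] for f in findings if f[0] == "privileged_group_add"}
    for account in newly_privileged:
        if len(logons[account]) > 1:
            findings.append(("new_admin_spread", account,
                             f"logged on to {sorted(logons[account])}"))
    return findings


def triage_single_server(events, host):
    """What the same batch looks like from one application server's own log.

    A server only sees logons to itself, so neither the group change nor the
    spread across hosts is visible from there.
    """
    return [e for e in events
            if e["id"] in (LOGON_SUCCESS, LOGON_FAILURE) and e.get("host") == host]


if __name__ == "__main__":
    for kind, account, detail in triage_dc_events(SAMPLE_EVENTS):
        print(f"{kind:22} {account:12} {detail}")
    print("FILESRV01 alone sees:", triage_single_server(SAMPLE_EVENTS, "FILESRV01"))
```

Run stand-alone it prints three findings from the DC view (the privileged group add, jsmith's six failures spread over six hosts, and the new admin's logons to three machines), while the file server's own log shows a single, unremarkable successful logon.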

Servers, on the other hand, generally run specific applications and typically manage access to those applications, not internal users’ access privileges.  Application behavior is usually much more predictable than user behavior.  The risk here is generally lower, since a server is a single point of access only to its own assets and applications, not to the entire domain (think host-based firewall).  Relevant activities to monitor include access to the server and its application, and server administration.  

The value of monitoring such a server is often much lower, and unfortunately is often driven by a compliance box that needs to be checked.   Further, the cross-device correlation that ActiveGuard® automatically performs is often limited to the server’s IP address and the administrators accessing it, as opposed to the entire company’s employee data when ActiveGuard® correlates logs from domain controllers.

As a last bit of evidence, in our Security Operations Center (SOC), we investigate an order of magnitude (10x) more potential incidents originating from domain controllers than from average servers.  (By the way, a humble thanks to the intelligence of ActiveGuard® people, processes and technology for making automatic cross-device correlations and escalations possible!)

I hope this article supports an improved understanding of how domain controllers and servers differ from a security monitoring and risk perspective.  Finally, as always, with an improved prioritization of what to monitor and worry about, we hope peace of mind is delivered, so our customers succeed!


Mac Flashback

Posted by Doug Picotte on Mon, May 07, 2012 @ 08:45 AM

Recently I received a Solutionary Security Engineering Research Team (SERT) Emerging Threat Advisory notice regarding a Trojan specifically targeting the Mac called “Flashback”. This Trojan appeared to be an Adobe Flash update when in reality malicious software was installed on the client machine. Once installed, personal information from the user’s web browser sessions can be sent to remote servers. I found this somewhat amusing, because I have heard die-hard Mac users (I won’t mention any names) boldly confess that the Mac is virtually immune to these types of vulnerabilities often seen in the wild. This is obviously not the case, and it got me wondering just how many Macs are out there compared to PC-based platforms. Market share varies depending on who you ask, but is generally around 85-90% for Microsoft platforms, and about 5-10% for all MacOS systems. If there are something on the order of 30 million Mac systems in the real world, that means that with as many as 600,000 systems infected with Flashback, we saw a 2% infection rate. While your first thought may be “that’s not many”, you should consider that this was a platform that, for years, people have been preaching how safe it was.

Macs are Targets

I think one of the reasons you don’t hear about Mac-specific vulnerabilities very often is simply because there are so many more PC-based platforms out there that serve as “low hanging fruit” for would-be hackers. That is changing, however. For example, Gartner has estimated the Mac US market share to be about 10%. Security nerds have been saying for years that the main reason we have not seen as many Mac viruses as we have PC viruses is that there are just so many fewer Mac systems around. Perhaps we have a combination of events here, as a critical mass of Mac volume combines with the relative security complacency of Mac users to create a perfect storm.

Keep your Mac Protected

SERT provided links in the Threat Advisory for additional information about Flashback that you may find helpful. I will also include a link where you can check to see if your machine has been infected.
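As an added example (not from the post, the SERT advisory or the linked articles), here is the infection check that was widely published at the time, F-Secure's removal instructions, turned into a script. Flashback set DYLD_INSERT_LIBRARIES so its library loaded into the browser, and the two places those instructions told users to inspect with `defaults read` were Safari's Info.plist (under LSEnvironment) and the per-user ~/.MacOSX/environment.plist. Checking Firefox's Info.plist as well is an assumption added here; the constructed plist contents at the bottom let the logic run offline on any system.

```python
"""Added example (not from the post or the advisory): look for the Flashback
persistence indicator in the locations F-Secure's removal instructions had users
check: an application's Info.plist LSEnvironment dictionary and the per-user
~/.MacOSX/environment.plist, both abused to set DYLD_INSERT_LIBRARIES. Firefox's
Info.plist is an assumption added here. On a non-macOS host the files do not
exist and scan() returns nothing.
"""
import os
import plistlib

INJECT_KEY = "DYLD_INSERT_LIBRARIES"

APP_INFO_PLISTS = [
    "/Applications/Safari.app/Contents/Info.plist",
    "/Applications/Firefox.app/Contents/Info.plist",   # assumption, see lead-in
]
USER_ENV_PLIST = os.path.expanduser("~/.MacOSX/environment.plist")


def injected_libraries(plist_data, app_bundle):
    """Return the DYLD_INSERT_LIBRARIES value in a parsed plist, or None if unset.

    An application's Info.plist holds launch environment variables under
    LSEnvironment; the user environment plist holds them at the top level.
    """
    env = plist_data.get("LSEnvironment", {}) if app_bundle else plist_data
    if not isinstance(env, dict):
        return None
    value = env.get(INJECT_KEY)
    return value if value else None


def load_plist(path):
    """Parse a plist file, returning None if it is absent, unreadable or malformed."""
    try:
        with open(path, "rb") as f:
            return plistlib.load(f)
    except (OSError, plistlib.InvalidFileException):
        return None


def scan(app_plists=APP_INFO_PLISTS, user_env=USER_ENV_PLIST):
    """Map each inspected file to the injected library path it names, if any."""
    hits = {}
    for path in app_plists:
        data = load_plist(path)
        if data is not None:
            lib = injected_libraries(data, app_bundle=True)
            if lib:
                hits[path] = lib
    data = load_plist(user_env)
    if data is not None:
        lib = injected_libraries(data, app_bundle=False)
        if lib:
            hits[user_env] = lib
    return hits


# Constructed plist contents for an offline run: a clean Safari Info.plist and a
# user environment plist that injects a library (the .dylib path is made up).
CLEAN_SAFARI_INFO = {"CFBundleIdentifier": "com.apple.Safari"}
INFECTED_USER_ENV = {INJECT_KEY: "/Users/Shared/.example_injected.dylib"}

if __name__ == "__main__":
    hits = scan()
    for path, lib in hits.items():
        print(f"{path}: {INJECT_KEY}={lib}  <-- investigate")
    if not hits:
        print("no injected libraries found in the locations checked")
```

A hit is an indicator to investigate rather than proof of infection, since developers occasionally set DYLD_INSERT_LIBRARIES deliberately, and a clean result only covers the locations listed; later variants used other persistence points.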

Additional References:

http://www.pcworld.com/article/253361/apple_hits_flashback_trojan_with_second_java_update.html

http://news.cnet.com/8301-27076_3-57410050-248/mac-flashback-malware-what-it-is-and-how-to-get-rid-of-it-faq/

http://mashable.com/2012/04/05/mac-flashback-trojan-check/

Until Next Time

Special thanks to SERT and Jon Heimerl for additional technical consultation. Thanks very much for reading my friends. Until next time, and as always, ride safe, crank up the tunes, and stay secure!


Effective Security Requires Context

Posted by Jon Heimerl on Mon, Apr 23, 2012 @ 09:14 AM

Adding Context Around Data Can Make a Huge Difference in How you Manage and Protect Information.

Why is context important? Because without context, information is not really information; it is just data. Data is just “stuff”, while information is what that stuff means.

Would you like some plain language context for my point?

42.
African or European?
What are you, some kind of Pyjak?

My short list above just has “stuff”, unless you know how the data is used – unless you have context. Is “42” simply 6x7, or is it really the answer to life, the universe and everything? And if that is still insufficient, you will need the context of Douglas Adams (just Google “42”). If “African or European” are just words to you, you will need the context of Monty Python (Google “African or European”). “Pyjak” is probably the most obscure, and you won’t know it unless you know what video game I am currently playing (Google “Pyjak”).

Read the rest of my article at Security Week


Network and Application Security Scope Creep

Posted by Rob Kraus on Tue, Apr 17, 2012 @ 08:00 AM
“I’m giving her all she’s got, Captain!” The words were made famous by Scotty in the movie Star Trek. For the circumstances encountered in the movie it was certainly a wise choice to make and probably saved the U.S.S. Enterprise from demise.

Networks today are often very complex, and too often, in a state of disarray from years of piling on more software, hardware and “solutions” as our business grows.

Complexity may not be something we were expecting or envisioned as we expanded our network’s capabilities, but nonetheless many IT shops continue to implement “the next best thing” to solve “the next big problem.”

As humans, it is natural for us to have the mindset of “there’s an app for that” when looking for solutions (a product of years of marketing brainwashing I assume). However, sometimes fixes to problems are over-engineered and provide “too much” of a solution. Or, at the least, they bring additional complexity by adding features that are beyond what was actually needed to solve “the problem”. Adding complexity is rarely the answer. In many cases, viable solutions may already exist in an organization’s current infrastructure, but the desire to “throw hardware or software at the problem” is the default choice for problem solving.

Compliance initiatives help organizations by providing a roadmap for achieving a certain level of security and assurance that due diligence has been performed to help protect data. However, in many cases, these initiatives cause panic and make us think we have to add more software and hardware to be compliant. This is a large misconception. In most cases, compliance initiatives mandate that certain controls be in place to protect data; however, you should remember this does not mean spending a lot of money if you have existing controls you can refine to achieve compliance.

What we should be looking at is the use of technology to aid our efforts in becoming more secure and the products and techniques used should provide real value. Ultimately, we should strive to help our organizations meet their goals without having the solution inject complexity resulting in more problems. Remember, we want to solve security problems, not transfer risks to other parts of our network for us to fix later, or worse, for someone else to fix.

In the face of an incident, complexity of your environment can lead to complexity in identification, isolation, mitigation and disaster recovery. Keep it simple where you can, but apply enhanced controls where it makes sense.

In closing, I offer the following advice:

1.    Implement security controls when and where they make sense and provide real value
2.    Review your defensive posture on a regular basis
3.    Consider compliance requirements when selecting and implementing security controls
4.    Aim to reduce the complexity of your network environment when implementing new solutions, not increase it
5.    Solicit help from third party network architects to obtain an outsider’s view on where your organization’s blind spots may be

On May 8, 2012, I have the pleasure of being invited to speak at TakeDownCon in Dallas, Texas, where I will be covering more on this topic. The presentation is titled “404: Basic Security Not Found” and will start at 11:10AM. Please feel free to link up with me after the presentation if you want to talk shop or just grab a coffee.

See how Solutionary managed security services based on the patented ActiveGuard® Security & Compliance Platform combine security intelligence and expertise to provide visibility, threat detection and event response.


Tax Man Cometh

Posted by Jon Heimerl on Thu, Apr 12, 2012 @ 08:41 AM

It’s mid-April and it is one of my favorite times of the year: tax time (it is hard to write in a sarcastic tone…). Since I pay every year I always use it as an excuse to exercise my own security paranoia. Here are some tricks I use to protect my sensitive information:

1.    I prioritize my data, and identify my tax data as some of my most important. My tax forms include my income, interest, dividends, full address and Social Security Number. Since I e-file, they also include bank account information for my payments for that mythological thing called a “refund”. I am beginning to suspect that it is an urban legend, but if I ever get one I will still have my bank account information for that deposit.  I don’t know about your priorities, but to me, that type of data all ranks near the top of my list when I think about data I want to protect.

2.    I segregate my tax data from the rest of my environment. I store my tax files on an external drive. I make sure my tax software is updated while online, as well as my anti-malware and anti-virus software. I then remove the Ethernet cable from the back of my computer and do full system scans for viruses and malware. I connect my external drive, and do dedicated scans of the external drive. Only then do I open my tax form – so I have no network connectivity while my taxes are open. I don’t actually have my “tax-enabled” computer connected to the rest of my internal network until it is time to e-file.

3.    My “tax” folder on the external drive is encrypted. I also store a backup of my tax file on an encrypted thumb drive, which I actually store in my home safe. But, the most important point here is the word “encrypted.”

Excessive? Maybe so, but tax time emphasizes my own personal security program:
1.    Prioritize your data and identify your cool data.
2.    Segregate sensitive systems and information to the extent possible/practical.
3.    Encrypt – especially your cool data.

If your own security program, both personal and business, uses these three principles as drivers, you have already won the bulk of the battle. I guess I think it is a good thing to practice what I preach.


1.5 Million Records Stolen...What does that even mean?

Posted by Robert Jeffries on Mon, Apr 09, 2012 @ 08:40 AM

1.5 million is a pretty big number, wouldn’t you agree? Unfortunately, this is not a number we pulled out of a hat… quite the contrary.  On March 30, 2012, news hit mainstream media detailing a breach of Visa and MasterCard data where an estimated 1.5 million financial records were reported stolen from Atlanta-based ‘third-party’ payment card data processor, Global Payments, Inc.  If you’ve never heard of Global Payments, Inc. or ‘third-party’ payment processing, it might be easy to think this has little chance of affecting you, and you might be right.  Then again, chances are very good your financial data has been processed at one point or another by a payment processor. Loosely defined, third-party payment processors act as intermediaries between banks, retailers, and money-access systems.  Such a definition might fall short of academic, but examination of such a system might bear a striking resemblance to any other sort of digital infrastructure (the details could be enough to make your head hurt).  Upon recognizing they experienced a breach, Global Payments is said to have immediately contacted Visa and MasterCard, who in turn began notifying banks potentially impacted.

It can be difficult to appreciate the size of such a number, which is where a comparison can come in handy. 

Depending on the type of sand, 1.5 million grains can weigh somewhere around 200 pounds, which is about what you might find in a typical sandbox.

Still that’s pretty hard to imagine, so how about this?

1.5 million miles is about six times the average distance between the earth and the moon. 

No, still not much help?

Although one might find it interesting, such a number (1.5 million) takes on a whole new meaning when the context changes, especially when considering the very real impact experienced by a very large number of people.  Even then, it’s still hard to imagine, and it wouldn’t likely get any clearer if we estimated this was about twenty-one times the number of those who attended Super Bowl XLVI (approx. 68,658).  No, that won’t do.  This is such a big number we have to consider it on the scale of city populations. When compared to U.S. Census data, we find this number represents a little more than half the population of Chicago, Illinois, and a little less than three-quarters the size of Houston, Texas.  Happened to have traveled to Philadelphia or Phoenix lately? That’s getting a bit closer to the number of records we’re talking about here.

To be fair, this isn’t the only breach to have occurred, and is by far not the largest on record. However, with numbers like this involving such a complex and vital infrastructure, and with the frequency of breaches on the rise, it’s hard not to consider if more could be done to mitigate exposure to such cyber threats. At the end of the day, no matter how secure one institution is, the risk is still there, and when you get down to it, little else beats careful monitoring of activity on your accounts, and careful and regular review of your credit report(s).


Data Data Everywhere and Not a Bit to Think

Posted by Joseph Blankenship on Wed, Apr 04, 2012 @ 09:12 AM

The title for this blog paraphrases a line from Samuel Taylor Coleridge's famous poem, "Rime of the Ancient Mariner" (which, despite being an English major, I probably wouldn't know if it weren't for Iron Maiden), where the main character bemoans the fact that the ship holding him and his crewmates is becalmed at sea. Although there is plentiful water in the ocean surrounding them, it is salt water and will not quench their insatiable thirst.

What, you may be thinking, does this have to do with data?

Big Data. Big Deal?

The IT industry as a whole is all abuzz about the latest computing buzzword, "Big Data". When I first heard the term, I thought to myself, "that's the best term we can come up with?" It sort of reminded me of one of my favorite childhood toys, the Big Wheel. That's obvious branding for you, right? What do we call the thing with 2 small wheels and one big wheel? Hmmm. How about the "Big Wheel?"

For those of you born before 1980 or so, that reference probably brought to mind a bright red and yellow plastic toy. For the rest of you, just Google “Big Wheel”, and you'll see what I'm talking about.

I don't get any kind of mental image when I hear "Big Data". In fact, it took some research and a few conversations with colleagues for me to figure out what it was and why I should care.

Big data is defined by Webopedia as, “A buzzword, or catch-phrase, used to describe a massive volume of both structured and unstructured data that is so large that it's difficult to process with traditional database and software techniques.”

From a security standpoint, there are two basic, high-level concerns for big data:

  1. How do we handle big data? How can we glean intelligence from all of the logs being generated by applications, databases, firewalls, hosts, network devices and security appliances?

  2. How do we secure big data? With all of this voluminous information now available for analysis, how do we secure and monitor this data for compliance?

While both of these are important questions, I'm only addressing question one for the purpose of this blog. My colleague Rob Kraus posed this question in a recent blog post, "how much of this information is actionable intelligence, and how much is really just white-noise?" As enterprises monitor more devices and device types, moving from traditional security devices (firewalls, IDS, IPS, WAF, etc.) to applications, databases and endpoints - the amount of log data being generated increases rapidly.

To make that data useful, enterprises need a way to examine the data and look for the important pieces of information that can make it useful to them. Further, making it useful may require examining disparate pieces of information and finding patterns in them that indicate something of security significance.

Over 1 Trillion Served

The Solutionary ActiveGuard® 4 service platform recently surpassed the milestone of 1 trillion log lines (that’s 10 to the 12th power for those of you counting at home) processed. While that is a huge number, it would be virtually meaningless if we were unable to glean intelligence from that data and provide actionable security intelligence for our clients. Solutionary processed and stored (Solutionary retains 100% of the logs received for 1 year) each of those trillion log lines for our clients.

ActiveGuard was purpose-built for handling large volumes of disparate data of this type. While much of the security industry is thinking about how to handle big data, Solutionary is enhancing the analytics and capabilities of ActiveGuard to take the capabilities even further.

See how Solutionary managed security services, based on the patented ActiveGuard Security & Compliance Platform, combine security intelligence and expertise to provide complete solutions for your organization.


Blog Series – Pt 1: Security Tips You Should Do But Don't!

Posted by Court Little on Tue, Apr 03, 2012 @ 12:23 PM

Instead of the usual Top 5 security tips, such as “use a strong password,” my goal with this blog series is to list and breakdown the basics of what you should be doing, but probably are not, and are exposing yourself because you’re not.

Part 1 will look at passwords...probably the easiest mistake. 

1.) Mnemonic Passwords – Actually, let's start off with using strong passwords. Everyone knows to use a strong password, and they should use a unique password for each site they visit. However, few people do this. And those few that do typically use a password manager tied to their desktop with a browser plug-in to make submitting those complex passwords easier, or they keep them stored in an associated password storage application on their smart phone. But there is a simpler solution, and it's mnemonic passwords. A mnemonic is a technique used to aid memory. Since complex passwords are hard to remember, creating a mnemonic password can help ensure you have strong passwords unique to each site you visit. There are many good sites that will teach you to create a mnemonic password. Druid has a really good presentation that can show you how to get as complex as you want with the topic at: http://druid.caughq.org/presentations/Mnemonic-Password-Formulas.pdf

My advice is to take thirty minutes to create your own mnemonic password formula, create a formula based on the site you are visiting and reap the rewards of secure passwords forever. Basing it on the site you are visiting ensures you can reverse engineer the mnemonic password quickly. For instance, you could take the site name, count up the letters in the name, use that number as the first digit in the password, then spell the site name backwards, followed by the number in special-character format plus whatever else is in your formula, like a salt or whatever you want to ensure you have a sufficiently long password. So visiting eBay would become: 4yabe$fr@k where fr@k is my own added salt.
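The eBay formula above, implemented as an added example (not the author's code). It assumes the "number in special character format" means the symbol above that digit on a US keyboard (4 becomes $), that the site name is lower-cased before it is reversed, and it adds a small step for turning a full URL into the bare site name, which the post does not spell out.

```python
"""Added example (not from the original post) implementing the mnemonic formula
described there: letter count of the site name, the name spelled backwards in
lower case, the count as its shifted-number-row symbol, then a personal salt.
"eBay" with salt "fr@k" gives "4yabe$fr@k", as in the post. The URL-to-name
reduction is an assumption added here.
"""
import string

# Digit -> symbol on the shifted number row of a US keyboard (assumed mapping).
SHIFTED_DIGITS = {"1": "!", "2": "@", "3": "#", "4": "$", "5": "%",
                  "6": "^", "7": "&", "8": "*", "9": "(", "0": ")"}


def shifted(number):
    """Render an integer as shifted-number-row symbols, digit by digit (12 -> '!@')."""
    return "".join(SHIFTED_DIGITS[d] for d in str(number))


def site_token(site):
    """Reduce a site name or URL to the bare name the formula works on.

    "www.eBay.com" and "https://accounts.google.com/login" become "ebay" and
    "google": scheme and "www." are stripped, the path dropped, the label left
    of the top-level domain kept, and only ASCII letters retained.
    """
    host = site.lower()
    for prefix in ("https://", "http://", "www."):
        if host.startswith(prefix):
            host = host[len(prefix):]
    host = host.split("/")[0]
    parts = host.split(".")
    name = parts[-2] if len(parts) >= 2 else parts[0]
    return "".join(c for c in name if c in string.ascii_lowercase)


def mnemonic_password(site, salt):
    """Apply the formula: count, reversed name, shifted count, salt."""
    name = site_token(site)
    if not name:
        raise ValueError("site name contains no letters")
    count = len(name)
    return f"{count}{name[::-1]}{shifted(count)}{salt}"


if __name__ == "__main__":
    for site in ("eBay", "www.eBay.com", "https://accounts.google.com/login"):
        print(f"{site:40} -> {mnemonic_password(site, salt='fr@k')}")
```

One caveat worth keeping in mind when designing your own formula: every part of the password except the salt is derived from the site name, so anyone who obtains one password together with the site it belongs to can infer the pattern and the salt at once. The strength of the scheme therefore rests on the salt and on the formula staying private, not on the site-derived portion.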

Stay tuned for the next part of this blog series on security basics that you should be doing! 


The Future Is Now

Posted by Jose Hernandez on Fri, Mar 30, 2012 @ 10:43 AM
For the past couple of years, the security industry has predicted that smartphones would be the future favorite attack platform for attackers.  Well, it looks like the future is now.  Well-known hacktivist th3j35t3r described a new attack in his blog, outlining how he uses a WebKit vulnerability and his Twitter account to compromise the phones of his targets.  th3j35t3r has over 30,000 followers on Twitter and leveraged his following to collect information on his enemies.  Here is a quick rundown of the attack.

1.    th3j35t3r switched his Twitter account profile picture to a QR code
2.    Once scanned, the QR code sent curious victims to a malicious site
3.    The malicious site contained JavaScript code that exploited a WebKit vulnerability (CVE-2010-1807) affecting both Chrome for Android and Safari for the iPhone
4.    If the device was vulnerable to the exploit, the smartphone would connect back to a server controlled by th3j35t3r
5.    Once a victim connected to the malicious server, the server would scan the mobile device for a Twitter client
6.    If the victim’s Twitter client ID matched an ID from a list of targets selected by th3j35t3r, he then extracted SMS logs, call logs, phonebooks and emails

The possibilities are endless for this type of attack, especially if the attacker is looking for banking information or other sensitive information.  This is a wake up call to the whole security industry to keep up with the times because new creative attacks are on the way.  Attackers are not limited by our rules and will use all available venues to compromise a system.

Link for more information on the attack http://th3j35t3r.wordpress.com/


Phone Hacking - Who will it be this week?

Posted by Jon Heimerl on Mon, Mar 26, 2012 @ 12:30 PM

I mean, whose nude photos will be released online after their phone is hacked? Hacking a phone is one thing, but hacking voicemail is something else, and while your voicemail does have some protection, breaking into it is probably not complicated. Let’s get real here - the single best security for your voicemail is your voicemail PIN – which is basically just a numerical password – and we should all have a great sense for just how effective passwords are. We should definitely look at hacking voicemail and hacking your phone as two completely different things.

Setting the PIN
Getting to your voicemail normally requires knowing your PIN. Your phone company installed a default PIN for your account – probably 0000, or 1111, or the last four digits of your phone number. For most cellular services, this PIN can be from four to seven digits long. If you leave the PIN on the default setting, anyone can get into your voicemail by dialing the wireless carrier’s voicemail line, or by dialing your own phone and escaping into voicemail. On my service, you do this by simply pressing # to interrupt your outgoing greeting, entering your PIN, and retrieving your voicemail. Worst case, someone could guess the default PIN in probably three tries or less.

Read the rest of my article at SecurityWeek.com. 

