Security Program: How To Thrive?

From struggling and surviving to a fully supervised security program.

Every day we see companies struggling to run a smooth security program. No matter how much you spend on it, the difference between a zero-dollar budget and a million-dollar one is not that large: regardless of how much we spend on security initiatives, we never really get the chance to step back and see a clearly positive, reliable result from our investment.

Every single day adversaries find new ways to hurt our businesses, and we, the tech people, create “solutions” to address today’s challenges months, years and sometimes decades later!

We are simply trying to survive, but what could we do better, not only to survive a reckless cyberspace but also to thrive and reach a stronger position where security is no longer a hassle? Let’s look at some practical countermeasures:

* stick to a management system

For a moment, forget about technology and tools and get back to basics. A management system can fully cover whatever you need in terms of handling processes, so you no longer have to worry about the foundation of your operation. You can reinvent the wheel, or you can choose from thousands of existing management systems; but first ask experts which system fits your needs, or bring a professional on board to implement a system customized to your workflow from scratch. Believe me, without a management system of some kind and approach, you will still be at the first step after years of spending your precious time, and that is the “surviving” approach.

* set objectives

Any project has a set of goals which are measurable and achievable. Objectives are not things like “having a more secure network” or “set up RDP filtering on firewalls”; they are more like “reduce the current number of entry points into the network” or “assess the insecurities of the remote protocols currently in use”.

Objectives help you better understand what you are trying to get from your management system and where resources have to be focused. This topic is also related to the risk approach, which I think is the foundation and backdrop of the management system.

* constantly measure

These are checkpoints where you can tell precisely, and by evidence, whether you are on track. The more you measure and automate the process, the closer you get to a proactive system and the faster you accomplish each objective. Through measurement you can tell whether the direction is right or wrong, and what specifically is wrong or right.

* plan for corrective and preventive actions

With each measurement you need to define corrective actions if the result is not as expected or the pace is slow. The plan to enforce these corrective actions is the key to a smooth security program; otherwise you will be struggling with past actions while new ones arrive.

* be responsive to facts not fictions

The computer security industry is full of fictions, and we mostly spend time and money on things which are either not important or could be tackled at the root. Let me give you an example:

Taking Advil when you catch the flu is just a painkiller, only for passing the time without suffering from the flu symptoms, just to survive, because we do not know how to handle the flu virus in the 21st century (or maybe we know but we don’t want to disclose?!). That is similar to running a virus scan on your network when you get a virus infection!

Cyber security facts have not changed since the beginning of this subject in human history, so once you know the facts, you see how easy it is to address them without Advil!

Complexity: The Hidden Monster behind Insecurity

No doubt companies struggle with information security these days. Today they spend hundreds of thousands of dollars, some millions; tomorrow they realize they have done nothing! Security folks do not get a night of peaceful sleep because they know that what they have done during the day could easily be compromised!

Regardless of why we spend money while we are not certain or confident of the expected outcome, why are solutions really getting more and more useless and ineffective? The answer is the hidden monster behind all insecurities within information technology: the complexity beast!

Complex systems introduce complex workflows which are more prone to security flaws

Complicated systems (which are also prone to insufficiency) introduce complex workflows and a model which is naturally prone to more flaws: the result is a larger attack surface and more attack vectors, with combined magnitude and even unexpected, newly evolved ways of attack. This is not fiction; this is the dynamic of today’s cyber security trend. You hire, you purchase, you train, you consult… you do your best, and still you are not confident, because your neighbor company just had a breach, and you will be even more scared if you have professional visibility and can see how malicious actors are already in-house!

Tradition has already delivered its proven message, although the market hesitates to listen, let alone to follow!

Fancy systems are more attractive to adversaries as well, and there is a reason behind it: they know the chance of finding a flaw is exponentially higher in a fancy, colorful IT infrastructure than in a clunky system. The worst part is that customers of that fancy information system do not necessarily get better services or goods (products) even though they pay more for them; they are also prone to lose more because of the complex system on the back end, but that is another story with its own sad ending.

Complex software and hardware build complex systems

Complex systems are built around complex software, hardware and, literally, a complex IT setup where a given goal is accomplished through a complicated workflow. This is either the result of poor design, or simply of assigning excess resources where they are not needed at all. There are millions of examples as you look around, or better, start with your own business or the department you are managing:

  • Do you think all businesses need Windows platform to run applications?
  • Do you think you use even 20% of Outlook features and capabilities?
  • Do you think most website owners need PHP vs simple HTML?
  • Have you ever walked into your company server room and asked your IT person why things are set up like that?
  • Have you ever tried simpler software vs the one with more features?
  • Have you ever shopped based on what you need vs what has higher score reviews?

Those are just goofy questions, meant to light the real flame inside you that makes you ask yourself: should I really trust the people running my IT infrastructure completely, or could I use my common sense and just question why I need these complex systems? What workflow does my business really need, and then what simple system is out there to support that workflow, regardless of what the market is pushing me to buy?

A complex system setup puts us in more trouble when we start securing it with the same complicated mindset, and that is where we can end up with more insecurities after spending on and relying on sophisticated security solutions. Experience has shown and proven that the simplest way to address security is to design and implement a simple system: a straightforward workflow is naturally secure, or easier to secure with even free or cheap security solutions which are easier to maintain, manage and run, so the outcome is more secure, cheaper, more reliable and more efficient.

Tips To Buy And Implement A SIEM Solution

Use the following checklist to make sure you are on the right track when choosing a SIEM solution. The whole process takes 1-4 weeks depending on your dedication and vendor availability. Remember, the worst thing you can do is rush through the first few steps:

  • Write a plan

Write down all the steps you anticipate, and maintain documentation and track progress during all stages. Set rough deadlines and start communicating with stakeholders.

  • Justify the need

This will help you have a better understanding of the criteria later, but generally I would recommend this for any type of information security project. This step will assure that you are not going to have a SIEM just because it’s out there, or just because you have some spare money and other resources to spend.

Ask yourself, your IT team, or even the manager who assigned you the task: why do we need a SIEM? What type of problem is going to be resolved? What will our world look like after the SIEM? Is this for the sake of compliance, customer expectation, market pressure, or as an enhancement to the visibility of your environment?

  • Scope

Scoping gives you more understanding of the environment. Specifically with a concept like SIEM, the moment you start thinking about scope, you realize how far behind you might be in preparing your environment.

  • Budget based on Risk

Budgeting based on your pocket is like deliberately overeating when you know it’s bad for you. Budgeting without risk consideration will neutralize all the other steps. I consider this step fundamental; ignoring it shows there is no understanding of the whole subject of information security within an organization.

A simple risk assessment can give you the right budget, but unfortunately that assessment does not exist most of the time, so you have to create something from scratch just to support the SIEM budget. We need to assess the risk of not having enough visibility and detection in certain areas of IT operation and evaluate the risk factors. Once you start this process you will realize how most SIEM solutions on the market right now are naive and designed with a narrow vision.

  • Define criteria

During the previous steps you should be able to compile a list of criteria. The more precise the criteria, the easier it is to shortlist vendors. Without criteria there is no point in even browsing a vendor website. With criteria in hand, you can easily check vendors in and out in the next step.

You should compile a list of things like: the primary objective (compliance, risk or threat management); architectural questions such as managed or self-run, on-premises or cloud; interface and performance; type of log and data collection; integration considerations; correlation capabilities; intelligence feeds; and remediation and response…

  • Identify targeted platforms

First you need to list SIEM vendors. There are tons of them out there, and don’t think that a good SIEM is a matter of how long a company has been doing this or how well known the brand is. That could be part of your criteria, because vendor reputation is a big factor, but do not confuse reputation with brand: not all known brands are necessarily better. Research and learn from vendors; read all the white papers they provide, and if they are not willing to share them via their website, it is not a good sign, but don’t be discouraged and go for a meetup. Here is a starting list of vendors/solutions:

AlienVault, Cygilant, EventTracker, HP, IBM, LogRhythm, McAfee, NetIQ, Proficio, Rapid7, RSA, Solarwinds, Stratozen, Splunk…

…remember, all are good and all are bad; it depends on your criteria.

  • Meetup with vendor

Nothing is better than a short call; if you get the signal, go for a video presentation and have them demo. Never direct the vendor: let them manage the meeting and content, listen to their questions, and start your evaluation from the first call. Most vendors do not reveal anything alarming by email or regular phone calls, so insist on having a demo and meeting their technical team. Ask about your criteria, but in the meantime listen to what they reveal and how. Depending on your situation you may be more focused on how they execute, or on how they help you set up and run on-premises.

  • Launch trials

Trials are the best time and tool for evaluation; they are also a sign of how comfortable and confident a vendor is. I personally would not even consider a solution if the vendor is not willing to give me a chance to try it. Trials are not just for finding glitches; they are mainly for refining your criteria and turning expectations into real-world scenarios. Always let a vendor know if you go with a different one; you never know when you will call them next, so be professional and respect marketing manners.

  • Evaluate

Now it is time to evaluate materials, meetings and trials; most of the time you get the answer within the first 3-4 days of a trial. Justify any compromise on predefined criteria, and never hesitate to redefine and refine new ones, but never forget the justification. Sometimes you have to re-assess a risk if you need to revise your criteria.

  • Prepare environment

Jumping into implementation without preparing your environment is not a good idea. Now it is time to go through all the details and technical requirements which you should have planned for during scoping. Prepare VMs, cloud apps and even the smallest things like SNMP and Windows Event Forwarding; this is the time for your technical team to show off. You should not have any problem if scoping was rational, but most companies have multiple issues at this stage because of a lack of scoping early on.

  • Implement

Meet the deadline and kick off; this is going to be a big milestone for your IT security operation.

  • Tune

Noise is the nature of a SIEM, so plan for tuning based on the size of the company and/or the scope of the system. This should be part of your baselining process anyway (if you have one); without proper baselines your team will be confused and stressed for a longer time.

  • Leverage

What happens after this is what you should have seen and anticipated during your planning phase. Whether your team is going to tackle other tasks by adding the SIEM, or it is going to be independent, or… all depends on your plan. Never accept something from a solution/vendor as a ‘want’ or nice-to-have unless there is an actual ‘need’ for it.

Stay tuned for an explanation of a fully native, free SIEM (security information and event management system), a solution for 80% of environments!

Three Reasons To Trust SECURE TARGET

Articles here will be revealing in many aspects of information security and information technology in general, but why would you trust SECURE TARGET?
Being blunt by default and straightforward about the root causes of tech insecurities is not common at all. You will soon experience (if you have not already) how the computer security business is no different from any other market. This is a business: why would you think market leaders do not want more profit, and how are they able to make more profit without compromising some aspects of real security and pushing something to the market, not as a real ‘need’ but more as a fake ‘want’?
This has been one of the challenges of the security products market in terms of customer acquisition, and the conflict between stakeholders and market drivers will always cast its dark shadow over security initiatives, making consumers doubtful and uncertain about the right solution.
Here you will be told how to simply and effectively take care of the security of your computers and other information technology elements for good. You will realize which part of the market is real and which part is fake (and only for the sake of making more money), but you should not be shocked, as this is the reality of almost all businesses. It does not mean the market is pushing something useless or necessarily insecure; it just might not be what you need at the moment, it may be a waste of money, or it may not be what your security program really demands, and yes, sometimes it may put your security program in an insecure posture! Hence, jeopardizing Security with security!
In other words, considering the rule of “Complexity Equals Insecurity”, you generally pay more for something which is not only not more secure, but also downgrades the current quality of your security posture!
With many years of experience, transparency has been my first byproduct of the IT business: I did not sell a single PC while it was possible to tune up the old one better than the current one, and I revealed all security details of a given IT element during my dedicated, focused, professional training without fear of having a student better than the teacher! In the meantime, questioning every aspect of computer technology without affiliation to any product or even any specific trend put me in a neutral position where the metric would be measuring effectiveness, not what is possible at the moment according to the market. So here’s why you can trust my judgment:

1) Member of both communities
I am an advocate of both the security and hacker communities. In order to stop cybercrime we have to be virtually undercover, and there is no way we can feel the heat of this battle unless we are front-liners on the security side.
Active learning from both communities is the key to helping maintain a healthy and secure cyberspace, something that is prone to turning into a myth! Defending a society is not possible without knowing your enemy, and I am not talking about ridiculous hands-on training courses on ethical hacking. This is about the social engineering of the hacker community; that’s what they do to us every single minute of interaction. On the opposite side is the security community, the most secluded, introverted group of people, who think that they can conquer a land before knowing its location on the map!

2) Research
Knowing what is happening in the fastest-paced industry of all time (IT) is crucial, but it is not enough for handling the unleashed horse of cyber insecurity. Continuous research is the key to maintaining a balance between the different individual entities of the cyber world: whatever is entering (or, better said, penetrating) the world of cyber will bring its own insecurities to the equation, which may totally change the current state of insecurity, or the magnitude of the catastrophic outcome for other entities which were totally secure before the new entity was introduced! This means we need to constantly research the current equation of cyber elements and assess the different factors in order to manage ongoing changes in a secure manner. This requires research on all aspects of cyberspace, not just those topics labelled with the word ‘security’.

3) Result oriented
Judge based on results and outcomes, not personal preferences; that’s the basic tool and logic of evaluation. Whether you prefer hot or cold coffee does not change the state of hot and cold coffee! Simply put, every single security solution is good as long as the result is convincing and satisfying, and every single security solution is a waste of time and money as long as the outcome is not favorable. You could apply this analogy to what SECURE TARGET offers as well: if the result is not superior and significantly positive, then there is no reason to back a solution.

Commitment: The Sole Reason Behind Hackers’ Community Supremacy

Are hackers ahead of IT security? Why has the balance between the two parties, hackers and security folks (it is hard to consider them a community!), been lost for such a long time? What created such a big gap, when there was not such a huge difference in the 90’s?
Many factors are involved: knowledge, intelligence, teamwork with a genuine sense of community, operational outcome (destructive vs constructive), originality of source code… but I have noticed there is only one truly effective factor, one significant driver that takes the hacker community to a totally different level of control and changes the balance between Jedi and Sith forever: commitment! Hackers are simply more committed to doing the job!
We send our top IT talent to learn hands-on hacking techniques, IT administrators to dive deep into the dark web, and the whole company crew to learn security essentials, and still it takes one man to bring the entire company’s tech to its knees, all because the mechanics of hacking are blurry to the typical IT guru. Here is an analogy to the human body:
…it is like consuming more and more vitamins and hoping to have physiologically healthier cells, while the body is creating cancerous cells…
…putting in more complex firewall rules when the internal setup of nodes is vulnerable to begin with… setting up more and more security tools while setting up more and more insecure nodes at the same time…
Software, every piece of code, is the foundation of any modern computerized system (basic, huh?), and that’s where we have a problem: creating vulnerable code in the first place. That’s where “Commitment” comes into the equation: the software community wants to release, in a rush, with limited to zero knowledge of security, dealing with very high-level and complex APIs, no tests, an immature or illogical software development process, no code review… but hackers are committed to reviewing developers’ code for them, and they find those cancerous cells inside the body of the software! Even worse, while hackers are committed to finding and exploiting those software flaws, developers are committed to releasing newer versions with more focus on functionality than on fixing the foundation. No doubt it is tedious and sometimes impossible, because if the flaw is within the design there is no time for the developer to step back and fix something natively insecure, to the point that sometimes developers prefer to completely leave the insecure code behind and go for a brand-new baby codebase, where they fall into the same illogical development process, or may even reuse some boilerplate code from previous practice (most likely insecure artifacts).
Code review is the best way to get ahead of hackers, and of course it is the software developers’ mission to culturize and popularize the practice at the earliest stage of coding; as for IT administration, they need to fully understand the mechanics of the software they are using. Remember that today’s IT crew are more like software operators, so it is reasonable to have operators fully aware of the machine they are driving.

Five signs IT is overwhelmed with operations

There are signs before your IT department faces a disaster or, worse, jeopardizes your business by affecting tech operations in different departments. Those are the signs of an overwhelmed IT department, so let’s take a look at the common signs and symptoms:
1) Lack of resources
Whenever your IT staff are always talking about a lack of resources, be aware that a lack of resourcefulness is the main cause. IT is supposed to create and generate virtual resources, right? We do not use a shovel and our muscles to search a haystack of zeros and ones; IT does not touch 0s and 1s anymore. IT creates, or simply buys, solutions, so what is this lack-of-resources concept? IT talks about a lack of resources because they are overwhelmed with time and resource management; that’s a sign of being unfamiliar with tools and techniques, so they get frustrated, and that’s not good for your business operations.

2) Tool oriented
Tools are good, but tool obsession and jumping from one tool to another is a sign of an overwhelmed IT department. Of course IT uses tools with almost every piece of tech operation, and regardless of how they ignore native, accessible tools and keep asking for more and more commercial tools, the fact that they jump from one solution to another without fully understanding it, or even shop with no clue in the first place, is a clear sign of a disorganized IT department, which finally ends up overwhelmed and frustrated.

3) Deadlines
No deadline is met; no surprise? You are not alone, but imagine the most logical, supposedly organized people in a company becoming the most unreliable in terms of meeting deadlines and project management. Regardless of the reason, which is IT’s typical helplessness at time management, not being able to meet multiple, sometimes any, deadlines is a sign of being overwhelmed by subjects which are either unknown to IT or just out of the scope of their expertise. So what happens is that they push and push and push until the moment you are overwhelmed and give up.

4) Fading real IT mission
This has been a global issue within almost all non-tech companies’ IT departments. IT’s main mission is supposed to be supporting the business, and for that reason IT needs to understand business needs and flows, but they ignore this and the main mission simply fades away from the list of to-dos.
You could eliminate all these overwhelming factors from IT operations with very simple techniques, which I am going to explain later in a different article.

Five Reasons to Start Your SIEM Initiative Today

Regardless of how SIEM in today’s cybersecurity marketing campaigns is driven mainly by compliance, which solution is the best, and whether it should be managed or on-premises, Security Information and Event Management is conceptually accepted among security professionals, so here are my top reasons to consider SIEM implementation as one of your cybersecurity initiatives:

  1. Another tool for Management
    Seems obvious, but not many realize SIEM is a management tool in the first place. It means it does not have, and does not need to have, active or proactive capabilities. All it has to be capable of is delivering the right security information from the right security event to management, not even necessarily security management.
  2. It is all about visibility
    Remember, SIEM itself does not provide visibility, but it is a technique to take “visibility” to a different level. So if you already have visibility over your network and systems, then SIEM is like an interface to enhance the way you see events, not really revealing more facts about the security of your systems.
  3. Correlation is heart of the matter
    The main purpose behind a functional SIEM is the ability to correlate events; otherwise the main purpose is ignored, by the solution designer or by you. Any security program knows that in the real world there is no meaning behind a single security event unless it is correlated and overlapped with other events, and for that matter, the SIEM is where you should be able to harmonize your flow of security information; needless to say, it is the job of the SIEM solution provider to make sure the system is capable of directing you.
  4. Combining older systems
    Not all users of a SIEM are genuinely looking for this management system just because of its native features. One of the main drivers for upgrading to a SIEM has been the presence of older SIM and SEM systems. So whether you are forced or just want to combine two management systems, SIEM is the most popular way of integrating SIM and SEM.
  5. Intrusion comprehension
    This is totally different from intrusion detection, response or correlation capability; it is about the origination of an incident, the level of intelligence behind the root causes, and the indirect role of systems in shaping the final tangible incident. This is absolutely one of the hidden benefits of a well-designed SIEM within a well-managed security operation.
    There are other benefits like auditing, policy enforcement validation, security certification… which could potentially be addressed based on how you are going to execute your SIEM. But remember, the main essence of your SIEM is in the details of operation, and none of these benefits come out of the box with any solution on the market.
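As an added example (not code from the original posts), here is a small Python correlation rule that ties the "correlation is the heart of the matter" point above to the earlier advice on tuning and baselining a SIEM: repeated login failures followed by a success from the same source raise an alert, and an assumed per-source baseline (for instance an authorized scanner with a known failure rate) raises that source's threshold so known noise does not fire. The log format, hosts, addresses and users are all constructed for the example.

```python
"""Event correlation with a per-source baseline (added example, not the page's code).

Rule demonstrated: N or more failed logins from one source within a time window,
followed by a successful login from the same source, raises an alert. A baseline
mapping (assumed input, e.g. an authorized vulnerability scanner with a known
failure rate) overrides the threshold for noisy sources, which is the tuning step
the "Tune" section describes.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines; hosts, addresses and users are made up.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 host=web1 src=10.0.0.5 user=alice event=login_failed
2024-05-01T10:00:07 host=web1 src=10.0.0.5 user=alice event=login_failed
2024-05-01T10:00:15 host=web1 src=10.0.0.5 user=alice event=login_failed
2024-05-01T10:00:20 host=web1 src=10.0.0.5 user=alice event=login_success
2024-05-01T10:01:00 host=web2 src=10.0.0.9 user=bob event=login_failed
2024-05-01T10:09:00 host=web2 src=10.0.0.9 user=bob event=login_success
2024-05-01T10:02:00 host=db1 src=10.0.0.50 user=svc-scan event=login_failed
2024-05-01T10:02:01 host=db1 src=10.0.0.50 user=svc-scan event=login_failed
2024-05-01T10:02:02 host=db1 src=10.0.0.50 user=svc-scan event=login_failed
2024-05-01T10:02:03 host=db1 src=10.0.0.50 user=svc-scan event=login_failed
2024-05-01T10:02:05 host=db1 src=10.0.0.50 user=svc-scan event=login_success
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one 'timestamp key=value ...' line; return None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group("ts"))
    except ValueError:
        return None
    event = {"ts": ts}
    event.update(KV_RE.findall(m.group("kv")))
    return event if "src" in event and "event" in event else None


def correlate(lines, window=timedelta(minutes=5), default_threshold=3, baseline=None):
    """Return alerts for 'failures then success' per source within the window.

    baseline: optional {src: threshold} overriding default_threshold for sources
    whose normal failure rate is known (the tuning/baselining step).
    """
    baseline = baseline or {}
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])  # a SIEM cannot assume ordered input
    for e in events:
        src, now = e["src"], e["ts"]
        recent = failures[src]
        while recent and now - recent[0] > window:  # expire failures outside the window
            recent.popleft()
        if e["event"] == "login_failed":
            recent.append(now)
        elif e["event"] == "login_success":
            threshold = baseline.get(src, default_threshold)
            if len(recent) >= threshold:
                alerts.append({
                    "rule": "failures_then_success",
                    "src": src,
                    "user": e.get("user"),
                    "host": e.get("host"),
                    "failures": len(recent),
                    "ts": now.isoformat(),
                })
            recent.clear()  # a success closes the sequence either way
    return alerts


def demo():
    """Run the rule untuned and tuned; returns both alert lists."""
    lines = SAMPLE_LOGS.splitlines()
    untuned = correlate(lines)
    # Assumed baseline: 10.0.0.50 is an authorized scanner that normally
    # produces many failures, so it gets a higher threshold.
    tuned = correlate(lines, baseline={"10.0.0.50": 10})
    return untuned, tuned


if __name__ == "__main__":
    untuned, tuned = demo()
    print("untuned:", [a["src"] for a in untuned])  # 10.0.0.5 and 10.0.0.50
    print("tuned:  ", [a["src"] for a in tuned])    # only 10.0.0.5
```

Without the baseline the scanner's routine failures look exactly like the attack pattern, which is the noise the "Tune" step is meant to remove without lowering detection on everything else.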

Microsoft Windows Huge Text Processing Instability

SECURE TARGET (Security Advisory October 17, 2004)

Topic: Microsoft Windows Huge Text Processing Instability
Discovery Date: October 14, 2004
Original Advisory
External Links: Full-Disclosure, BugTraq, SICHERHEITSLüCKEN, Addict3d, Ls, Der Keiler, Seifried, NetSys, Mail Archive, SecLists, Neohapsis, Checksum, Network Security, Virus, DoddsNet, ReadList, Mega Security, Security Trap, Virovvch, DevArchives

Affected applications and platforms:
Notepad, NotePad2 and MetaPad (Seems like all Text Processing Apps) / Microsoft Windows (All Versions)

Introduction:
The limitation on opening large text files with “notepad” or similar products like NotePad2 (http://www.flos-freeware.ch) and MetaPad (http://liquidninja.com/metapad/) is not the important part; the point is the way these tiny text processing apps open and handle large text files (we are talking about over 200MB).
Given the way they handle huge text files, it is quite possible for a fast modern PC to become completely unstable. This instability may open a path to process injection, because you cannot even kill the processes of these apps, and they will remain “up and running” even after you log off. So it is possible for an unprivileged user to simply hook into the remaining process of a privileged user, and this leads to information disclosure (simply reading the content of the memory before a large file is swapped, which happens time after time depending on the file size), but it may even lead to running privileged tasks, depending on the app used for processing the text.

Exploit:
Exploitation differs based on the application you choose for text processing: for the Windows default notepad.exe it will be something like a huge DoS, but for NotePad2.exe and MetaPad.exe it is possible to do process injection (information disclosure and/or running privileged tasks).

Workaround:
The best way to work around this situation is simply not to open large text files in Windows, or to wait a long time for the task to complete.

Tested on:
Microsoft Windows XP SP1/SP2RC2/SP2 on Intel P4 2.4 with 1GB of RAM

Feedback:
Kaveh Mofidi [ Admin (at) SecureTarget [dot] net ]
Head of Secure Target Network

PerfectNav Crashes IE

Secure Target Network (Security Advisory February 25, 2004)

Topic: PerfectNav Crashes IE
Discovery Date: February 24, 2004
Original Advisory
External: Full-Disclosure, BugTraq, Security Tracker, xforce, SANS

Affected applications and platforms:
Microsoft Internet Explorer 6 Service Pack 1 and older versions

Introduction:
PerfectNav is designed to redirect your URL typing errors to PerfectNav’s web page. It is bundled with the free, ad-supported version of Kazaa Media Desktop 2.6, and is likely to be found in software supplied by eUniverse sites such as thunderdownloads.com, myfreecursors.com, cursorzone.com and mycoolscreen.com. It is likely to slow the performance of Internet Explorer, and it can download and execute arbitrary code as directed by its controlling server, as an update feature.
All of us know about hijackers/Browser Helper Objects; some of them may hijack your sessions, but do you care about crashing your web browser in a single blink?
When you use PerfectNav it is easy to crash your Internet Explorer (iexplore.exe) with any malformed URL, anything you like: ? /? …
Run “iexplore.exe ?” or type “?” in your IE address bar and you simply get the error message:
“An error has occurred in Internet Explorer. Internet Explorer will now close. If you continue to experience problems, please restart your computer.”

Exploit:
Could anything be easier to exploit than this bug? Just point your target at any malformed URL and it will crash their IE.

Workaround:
The easiest way to work around this vulnerability is simply removing PerfectNav from your computer. For information that may help you prevent this problem from recurring, click on the link below.
http://www.pestpatrol.com/msperfectnavsupport.asp
If the problem persists, please contact eUniverse.com Inc. and alert them of the problem.
Note: to have PestPatrol automatically detect and remove PerfectNav and its components from your computer, you have to buy PestPatrol!

Tested on:
Internet Explorer 6 Service Pack 1 (6.0.2800.1106) on Windows XP Service Pack 1a

Feedback:
Kaveh Mofidi ( Admin (at) SecureTarget [dot] net)
Secure Target Network (Security Consulting/Training Group)