Wednesday, July 30, 2014

Logging Like a Lumber Jack

Turn on any news outlet or visit any news site and you will most likely see an announcement of yet another data breach.  On the DTR podcast we discuss breaches in the news during almost every episode.  There is a push to put more of an emphasis on identifying and reacting to a breach or security incident rather than just focusing on preventing the event from happening to begin with.  We want to prevent as much as possible, however the reality is that breaches appear to be inevitible and if that is the case, we should put some focus on properly reacting and identification.

Logging is a key element to any security program.  It provides the capability to see what is currently happening as well as what has happened in the past.  In the event of a breach, the logs become critical in determining what happened, what data may have been effected, etc.

Current Logging...

Over the years I have found that many developers do incorporate logging into their applications, but it is not for security purposes.  Most of the time the logs are strictly for troubleshooting.  This makes sense because that is where a developer focuses their time once an application has been released.  Without debug logs, it can be really difficult to fix a problem.  The issue here is that while this works for debugging, it doesn't really help from a security standpoint.   In the event of a  breach, it is doubtful that a log full of stack traces is going to be the help that is needed to determine what happened.

What Should I Log?

There is no exact formula for what needs to be logged in a system.  There are of course some starting points that are consistent across many platforms.  The following are a few examples of events that should be logged.

  • Failed Authentication Attempts
  • Successful Authentication Attempts
  • Account Lockouts
  • Sensitive Transactions
  • Access of Sensitive Data
  • Application Feature Changes - Logging Disabled/Enabled, System/Application Shutdown
Unfortunately, the hard part comes in when you are trying to determine the key elements to log.  You have to have a solid understanding of your business and what is important to it.  Take the time to identify the key data the application uses, the key transactions that must be recorded, and why you are logging to begin with.  

Don't Forget Monitoring

Logging doesn't do a whole lot of good if there is nothing monitoring it.  All too often we hear of breaches that happened more than a year ago and the Incident Response team shows the evidence from a log file.  If only someone had been looking, it would have been identified much more quickly.  Make sure that you have some method for reviewing the logs regularly.  There are lots of packages available to help with this process.  I know, manually looking at logs all day is not much fun at all.

The monitoring should be more then just looking for attack requests, but have the ability to identify when a brute force attack is happening so an alert can be sent to a technician.  As you spend more time logging and reviewing those logs you will be able to identify more events you want to monitor to help secure the site.

What To Do?

Develop a plan for any items that could appear in the log that are of concern.  Just like any response plan, you want to know what steps to take in the event of a security alert.  For example, brute force attempts may be met with blocking an IP address.  The identification of a compromised server with malware may mean taking that server offline immediately.  Know what procedures exist so proper reactions can be performed as soon as possible.

James Jardine is a Principal Security Consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at or visit the Secure Ideas - Professionally Evil site for services provided.

Tuesday, July 22, 2014

Policy Gap Analysis: Filling the Gaps

 In today's world, something never seems to be true unless it is written down, and even then it is a guideline.  In the business world there are policies that define how employees should present themselves as well as how company equipment can be used.  The policies are important because they provide a written definition of the individual's responsibilities.  For example, a company may have a policy regarding the use of social media on company owned equipment.  Password complexity is another example of a policy that should be found at most businesses.

When starting a new job, often times the company policies are provided for your review and signature that you have received and understand them.  You are expected to be held to these standards, unfortunately you only see them maybe once a year so you have probably forgotten every little detail.  It is encouraged to be very familiar with the policies for your company.  Many of these may be similar across organizations, however some may be very specific to that company.

As a security consulting firm, Secure Ideas spends a fair amount of time looking at company policies, providing feedback and gap analysis.  It is recommended to get someone that specializes in the topic to review the policies to see if there are any items that just don't work, or that are possibly missing.  For example, if your password policy is still 8 characters with upper, lower, special character and number requirements, it might be a good idea to update that to a more secure standard.

Performing a gap analysis is important because it helps make you aware of the policies that you may need, but are missing.  I haven't been to a company yet that didn't have at least one policy in place.  Often times this starts off slowly and then, if no one is assigned to it, drops off.   Things change rapidly in technology and the policies have to evolve with it.  This change and evolution causes the organization to miss policies that are needed or not update existing ones to take into account the changing environment.

For example, the proliferation of mobile devices requires policies to help identify how those devices can be used at the enterprise, and with its data.  The release of Google Glass and other wearables also adds some new twists to the idea of mobile data or video camera capabilities.  Social media has become so mainstream that many employees need to get access from company computers.   How do they present themselves and how much time they spend on it is very important for the business.  Without a policy stating that you are limited in the time spent on social media, can we assume that we can just not work and play on the computer all day?  It is up for interpretation.

When creating the policies you want them to be clear in their meaning.  I know in the legal world, you want it vague so it covers more, but at the same time that makes it harder to show it is an actual violation.  You don't want to leave it up to the judges.  Make sure that you are thinking of all the things that need to be said to an employee regarding DONT'S with a company computer or on company property and write them down.   Educate the employees on what the policies mean and how they are enforced.

All too often we see companies that have policies that are just assumed and not written down.  This is a bad idea.  You want to have them formalized and distributed so employees understand their rules of engagement with the business.

If you are not sure about that status of your policies, Secure Ideas can perform a gap analysis of your existing policies to help provide recommendations on what could be added to make it more robust. 

James Jardine is a Principal Security Consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at, @jardinesoftware on Twitter, or visit the Secure Ideas - Professionally Evil site for services provided.

Wednesday, July 09, 2014

New Data Security Breach Laws in Florida

Since many organizations are collecting what many would consider personal, non-public, information, it is very important that they protect this information since it is considered sensitive.   Almost every state has specific laws around what happens if that information is breached.  Florida just passed a new law that outlines what is considered sensitive information and the thresholds regarding when and what to report to the state.  The full bill can be found at

Personal Information according to the Florida law is described in summary below:
  • First name or first initial with last name in combination with at least one of:
    • Social Security Number
    • Driver License Number
    • Passport Number
    • Military Number
    • Financial Account Number (Including Credit or Debit Card)  in combination with security code, access code ore password to account
    • Any Medical History
    • Health Insurance Policy Number or Subscriber ID
  • Username  or E-mail Address in combination with:
    • Password
    • Security Question and Answer
Data that is not covered are items made publicly available by the government or data that is protected using encryption, is secured or modified to be unusable. (Interestingly, they don't define "is secured".)

In the event more than 500 instances of this data are breached, the organization is required to provide notice to the state within 30 days of identifying the breach.  There are also many details about what information needs to be provided in that notice within the text of the new law.  One interesting thing that you can be required to provide is a copy of your policies in place regarding breaches.  I don't know if going with "We don't have any" is going to be the right answer here.  If you don't have solid policies in place and ways to show you are performing them, this might be where you want to get started. 

The law replaces the previous one and is broad in its declaration.  It is imperative that businesses pay attention to the laws that exist for their area to ensure that they are meeting the requirements.  It is bad enough to suffer a breach and all the reputation and monetary damage that it brings.  You don't want to add on the fines or other issues that may be involved by not properly reporting the breach when it occurs. 

James Jardine is a Principal Security Consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at or visit the Secure Ideas - Professionally Evil site for services provided.

Wednesday, June 25, 2014

Too Small to Hack: Small Business and Security

If you are paying attention to the news, security is a big topic.  At least that's what CNN and the Wall Street Journal think.  And I would happen to agree. (I may be a bit biased!)  But even with things like Heartbleed and 0-day flaws in IE, we still commonly hear from small businesses that they just aren't focusing on security.

For many, the issue we find is that they don't believe they can afford security.  And in many cases, this has been true. Security testing can be expensive and with the fast-pace of changes in IT and security, companies need to be able to test their security on a regular basis.  This can be overwhelming.

So Secure Ideas has attempted to fix this with the availability of Secure Ideas' Scout!  Secure Ideas Scout is a multi-pronged service that focuses on testing an organization's security in the places that attackers focus - networks, web applications and users.

The first service available is PassiveScout.  PassiveScout is a free service that performs a non-intrusive assessment of the infrastructure running an organization's web application.  PassiveScout then returns a quick report of concerns around the application infrastructure.

The next service is NetworkScout.  NetworkScout focuses on the network services offered either externally to the Internet and/or internally.  Secure Ideas' analysts perform a network security assessment.  But instead of just providing a report that often overwhelms the recipient, Secure Ideas evaluates the findings based on an attacker's perspective.  This allows us to provide a report that explains the risks associated with issues and includes the issues that are important.

WebScout focuses on the web applications that an organization makes use of.  Since these are often the focus of attackers as they often have the most critical data.  WebScout focuses on testing the applications to find various security issues and logic flaws.  As with NetworkScout, Secure Ideas' analysts will evaluate the assessment results to provide a report that focuses on the important issues related to the application.

Finally, Secure Ideas has created UserScout to assess the organization's employees' awareness of security.  Using phishing emails or phone calls, Secure Ideas analysts will assess how responsive an organization's staff are to various social engineering attacks.  Then a report will be generated to allow the organization to focus their training efforts.

All of these services are designed to be affordable to small and medium size businesses.  Organizations can subscribe to one or more of these services and get a handle on their security concerns!

Kevin Johnson is the CEO of Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at or visit the Secure Ideas - Professionally Evil site for services provided.

Tuesday, June 10, 2014

What Do You Expect From A PenTest?

There are many reasons that a company has a penetration test performed.  Maybe it is due to regulatory compliance, like HIPAA, or they are just take security seriously.  No matter what the reason is, you want to get the most from a penetration test.  Any of you that have had a good penetration test done know that it is usually not cheap.  If you are going to make the investment, make sure you get as much from the engagement as possible.

So what should you expect from a penetration test?  Many people view a penetration test as an assessment that has a simple, direct goal in mind: How far into my network can you go?  While this is absolutely a necessary part of the assessment, it is only a minor part.  The point of determining how far an attacker can go is to help the target company (client) start to better understand the risk of the vulnerabilities they have. 

Do you just want to know how far someone can get?   What about the details of how they did it?  What about information about what you can do to fix or decrease the risk of it?   Did you think about analyzing how your defensive procedures work during the assessment? 

Secure Ideas does a lot of security consulting and penetration testing for clients.  The part of the job I enjoy the most is talking with the client about what is going on, how their systems are set up and giving them good information to help build up their security program.  Sure, it is great to get Domain Admin on a network, or pull millions of credit card numbers, but that isn't the best part.  Maybe it is the most exhilarating, I won't deny that.

Communication during the engagement is the key to success.  When done properly, the client will understand the weaknesses they have and have some ideas of what they can, or should, be doing to create a better security posture.  Don't expect to just get a report with details of how cool of an attack was just pulled off.  Expect that you will get useful information to help defend your information.  Expect that you will have a better understanding of the security controls that are implemented and how they can be adjusted to provide better protection or monitoring.  Expect that you will have learned something from the experience that makes you more aware of the security risks and how you can mitigate them.

Different tests have different goals and not everything fits into the same mold.  Understand your needs before you start an assessment and make sure that you are getting what you expect.

James Jardine is a Principal Security Consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at, @jardinesoftware or visit the Secure Ideas - Professionally Evil site for services provided.

Thursday, May 22, 2014

Ebay Falls Victim to Breach: Source Forge Updates Password Storage

 It was just recently announced that eBay suffered a breach that led to the compromise of user details including:
  • username
  • encrypted password
  • email address
  • physical address
  • date of birth
  • phone number
 Their announcement indicates that there was no other data (financial or otherwise) that was compromised.  Financial data is believed to be stored separately.  The good news is that they appear to have separation and it was only credentials retrieved.  The bad news is that it is another victim to the loss of credentials.

EBay mentions that the passwords were encrypted, but they do not indicate how they are encrypted.  We have seen a lot of different definitions for encryption and even between valid ones, some techniques are better than others.  Were they hashed, or encrypted?  If hashed, were they salted?  Were there iterations?   We don't get these types of details when a breach like this happens, but the answers to those questions can give an indication of how the passwords may stand up to attacks of brute forcing them.  We can only hope that they were using "Good" techniques for storing passwords.

It is recommended that you change your eBay password and the password for any other site you may use that same password on.  Even with the best password protection out there, once there is a compromise, let's just assume it is cracked.  This may be a good time to go through and update some of your other passwords too. 

Here is a great article on creating stronger passwords:

In other news, Source Forge has announced that users will have to change their passwords upon next login.  They have stated that they have changed how they store passwords to increase the security of them.  It is great to see a company that is actively looking at their controls and updating them.  Of course, they don't provide any details on how they will be storing and protecting the passwords, so we can only assume that they are doing "Good" protection. 

There is a lot of buzz around password security, and there has been for a while.   I don't see that changing any time soon.  Help raise awareness to others about how to manage passwords securely. 

James Jardine is a Principal Security Consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at, @jardinesoftware or visit the Secure Ideas - Professionally Evil site for services provided.

Tuesday, May 20, 2014

Is that a Shark? -- Common Security Mistakes Organizations Make

At Secure Ideas, we work with a large number of organizations. These range from small mom-and-pop businesses to international corporations and government agencies. In any of these examples, we find that CIOs and management make the same mistakes when it comes to dealing with their security issues.

When people talk about security and risk, we often see people making decisions based on their gut-feeling instead of looking at the issue and trying to understand the why behind what is going on. This is often compared to the idea that vending machines kill more people then sharks, yet there is not a Snack Machine Week on Discovery Channel. While this factoid makes sense when you hear it, especially if you look at the numbers, it misses the idea of actually understanding the basis of the statistic. I think a fun article about this looking at the basis is on the blog. But let’s focus on the problems that Secure Ideas and other security consultants find in organizations, and try to come up with ways to fix them.

The first issue that we often see is that many organizations do not truly understanding security. We find that many people are focusing on the shark, even though they are a land-bound organization. Organizations will panic about the latest news about Heartbleed or APT, while ignoring the fact that their users are clicking whatever link arrives in email. It’s this distraction that attackers love. While you are moving your efforts to prevent that nation-state from compromising your coffee shop, the real threats you face are wandering around your network freely.

The easiest and hardest (at the same time) way to fix this is to learn more. Now this doesn't mean that every CIO should take a web penetration testing course (even though we would love to see you at ours). But the IT operators and developers could learn more, and CIO’s should watch their presentations about security. Another successful tactic is to have security staff provide regular news bites or topics around security issues that affect the organization.

The second main issue that we find with organizations is focusing on compliance instead of security. This is a common mistake because people often confuse the two. Compliant means you met some checklist; secure means you are protected against attacks (at least to the best of your ability to be secure.) We are not saying that compliance is not important, but if you work on being secure, compliance will often be the secondary result. As a matter of fact, if you look at what PCI is doing with the PCI-DSS 3.0, a major change they are pushing is to make security business as usual. So instead of just worrying about it right before the QSA comes in, organizations will make it part of their workflow.

This brings us to the third problem we see -- silo-ization of security.  How many organizations have security teams that treat security as something that they alone can do?  How many policies prevent IT or developers from testing their own security? This idea of a silo prevents most of the easy wins we should be able to accomplish as security becomes part of the entire organization. We can work with all parts of a company to take part in security. From having IT to scanning and testing and empowering a customer service rep to recognize a social engineering attack, this can only improve our security.

The final mistake we see is the vendor extravaganza that is common in organizations. You can't buy your way into being secure. Contrary to that salesperson, there is no silver bullet and in many cases, this complex mix of solutions open other security holes that did not exist before. Organizations need to focus on educating and training their people.

We aren’t saying vendors can't help, but businesses need to focus on working with vendors that improve upon current resources or build skills within the organization.

Kevin Johnson is the CEO of Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at or visit the Secure Ideas - Professionally Evil site for services provided.