The NTT Security Global Threat Intelligence Center (GTIC)

Global visibility, leadership and roadmap empowering detection capabilities

Rob Kraus

April 11, 2017 - Posted by Rob Kraus to Threat Intelligence

Threat Intelligence

In a recent press release, NTT Security announced the formation of the Global Threat Intelligence Center (GTIC) as a natural evolution of the previously established Security Engineering and Research Team (SERT). As a founding member of the legacy SERT, and current director within the GTIC organization, I am excited to be part of this next great step.

This move marks a significant point in NTT Security's ability to address security threats: it brings together the company's international threat intelligence assets to further enhance our global capabilities.

The GTIC’s mission, under the leadership of Steven Bullitt (VP Global Threat Intelligence), is to apply actionable and detailed insight with a focus on reducing risk for clients and customers. GTIC will... read more >

The Culture of Security Awareness and Corporate Benefits

Rob Kraus

October 13, 2016 - Posted by Rob Kraus to Security Insight

Cybersecurity in the workplace

The age old problem of determining how to identify and mitigate risk has certainly been something organizations have struggled with for many years.

How do you protect your organization? What tools are the best in the marketplace? What tools are good enough and work with my budget? What is my long term plan and how do I get there?

We deal with all of the above questions every day, but there is another constant that we often overlook: our people, and their education about threats and how to address them on the front line.

Let’s face it, people are vulnerable and always will be. So much so that the National Cyber Security Alliance dedicated a whole week to educating everyone on the culture of cyber security in the workplace during National Cyber Security Awareness Month (NCSAM).

We need to invest in technologies to help overcome our compulsive... read more >

Introducing the 2016 Global Threat Intelligence Report

Observations of the Trends and Statistics that Shaped Cybersecurity in 2015

Rob Kraus

April 19, 2016 - Posted by Rob Kraus to Security Insight

2016 Global Threat Intelligence Report

Now in its fourth year of publication, the 2016 Global Threat Intelligence Report (GTIR) highlights observations and details about global threats. In this year’s report we continue tracking trends that have affected our clients over the last few years, as well as identify the new threats that presented themselves in 2015.

This year’s GTIR provides actionable intelligence, guidance about what attackers are doing, and comprehensive security controls designed to disrupt attacks. Controls recommended in this report will contribute to an organization’s survivability and resiliency in the face of an attack.

To develop this year’s annual report, we collaborated with several well-respected organizations, including Lockheed Martin, Recorded Future, Wapack Labs, and the Center for Internet Security. These contributors provided key feedback and observations from their unique perspectives of the cyber... read more >

Checklist for 2016 Incident Response Planning

Closing the books on the threats of 2015

Rob Kraus

December 30, 2015 - Posted by Rob Kraus to Security Insight

2016 Goals

It is hard to believe that the year is already coming to an end, and we are preparing to face the challenges that 2016 will surely bring. 2015 was a big year in cyber security (think OPM, Ashley Madison, countless out-of-cycle zero-day patches). Instead of reliving all the incidents of 2015, let’s look at what we can do to make our environments more secure and better prepared for the challenges ahead.

Managing risk and mitigating impact to your organization should be your number one goal for the upcoming year. Here is the Solutionary 2016 security planning checklist that’ll help reach this goal:

  • Prepare for and schedule your annual risk assessment. If you’re already doing this, great! If not, now is the best time to start.
  • Review your existing incident response procedures, identify gaps, and make it a goal to fill those gaps in 2016.
  • Update your network architecture, data flow, and storage architecture diagrams. Keeping...
read more >

Mapping the Critical Security Controls to the Cyber Kill Chain

Rob Kraus

October 22, 2015 - Posted by Rob Kraus to Security Insight

Webinar Ad

Last month, I had the pleasure of presenting an ISMG webinar with Jeremy Scott on the benefits of mapping the Center for Internet Security Critical Security Controls (formerly known as the SANS 20 Critical Security Controls) to the Cyber Kill Chain® (as defined by Lockheed Martin), abbreviated here as the kill chain.

The webinar is based on the “Defense Strategies for Advanced Threats – Mapping the SANS 20 Critical Security Controls to the Cyber Kill Chain“ white paper published by Solutionary.

As we continuously look at ways to better approach security challenges,... read more >

Defining Intelligence for Your Organization

Diversifying valuable information and intelligence for your organization

Rob Kraus

August 13, 2015 - Posted by Rob Kraus to Threat Intelligence

Threat Intelligence

Although the security world is talking about the value of “threat intelligence” with much verbosity, many consumers are very unsure what “threat intelligence” actually means to them. Information and threat intelligence offerings are typically broken down into a few different areas of focus:

  • Global intelligence provides value from the perspective of what is going on around the globe and how those events can directly or indirectly impact organizations. Global influencers and events can have impacts on specific vertical markets and even against individual organizations.
  • Vertical market intelligence supports the information and intelligence needs of a specific area of interest, such as Financial, Energy, Healthcare and Retail sectors. It can also combine the global view of threats for those specific sectors.
  • Targeted Threat...
read more >

The Infosec Playlist

Rock n’ Roll Anthems for the Security World

Rob Kraus

July 02, 2015 - Posted by Rob Kraus to Security Insight

Rock n' Roll

Even security practitioners need to take a break and have a little fun. As they say, all work and no play makes Jack a dull boy. Without a little musical diversion, the security world would be even more daunting as we attempt to keep up with crazy patch cycles, defining security roadmaps, handling emerging threats and keeping the security budgets alive.

In 2012, fellow Solutionary blogger Joseph Blankenship and I put together a tongue-in-cheek blog identifying songs to represent common types of security threats. We decided it was about time for a refresh!

This time, we cover not just some of the threats, but also some of the hot topics in the infosec industry today (sort of a different spin on buzzword bingo, no?).

Here are a few rock anthems (and some not so rock anthems) we thought would be fun for your infosec playlist:

  • APT threats, “Sabotage”, Beastie Boys
  • Credential...
read more >

Three Steps to Help Change the Security Paradigm

Why Organizations are Failing to Secure Their Data

Rob Kraus

April 09, 2015 - Posted by Rob Kraus to Security Insight

Solutionary, as a Managed Security Services Provider (MSSP), not only has insight into the types of events that occur in our clients' environments, but also sees how the CSOs, CISOs, and CIOs responsible for protecting those assets respond. From our unique position, we are able to evaluate what works for different organizations and what doesn’t. 

We are able to observe how these leaders approach data and asset protection from a very operational perspective. Seeing these different approaches on a day-to-day basis gives us a unique understanding of what technologies and roadmaps actually work and, just as importantly, which do not. 

One consistent observation is clear, “if you do not plan it, it will not happen, or it will not happen with great success.”

What do I mean?

One of the greatest failures we see is that organizations do not realize that securing their data requires both tactical... read more >

Incident Response

A Sobering Experience

Rob Kraus

May 13, 2014 - Posted by Rob Kraus to Security Insight

Not a week goes by where the Solutionary SERT is asked to support clients who were the unfortunate target of cyberfraud, SQL injection, DDoS or website defacement attacks. This often presents the opportunity for leadership at those organizations to learn if their incident response planning is well architected or not. Post incident review activities usually uncover some very interesting problems.

Are your problems on this list?

  • You immediately realize your organization’s incident response plan is non-existent and struggle to effectively respond to an incident.
  • Your incident response plan is not documented at all.
  • You realize your incident response team is not trained, or does not understand today’s threats or how to respond to them.
  • When under attack, do you have to convince executive leadership to allow emergency budget to...
read more >

Introducing the 2014 Global Threat Intelligence Report

Key Findings, Statistics and Case Studies to Help Reduce the Threat Mitigation Timeline

Rob Kraus

March 27, 2014 - Posted by Rob Kraus to Threat Intelligence

NTT Group 2014 Global Threat Intelligence Report

It is hard to believe a year has already passed since our last report, and we have officially released the brand-new NTT Group 2014 Global Threat Intelligence Report (GTIR).

A key improvement in this year’s report is that Solutionary leveraged our new relationship with the other NTT Group security companies (1,300 security experts, 16 Security Operation Centers and seven R&D centers) and used it to supercharge our analysis that included over three billion attacks. Additional visibility to the data has helped us paint an even broader, and more accurate, picture of what the real global threat landscape looks like.

As with the release of last year’s GTIR, we have packed this valuable resource with great content, statistics, recommendations, case studies and both executive and operational guidance.

We focus on the operational aspects of network security and highlight capabilities that separate organizations that just “do... read more >

Amazing Tricks You Can Use to Protect Network In Under 10 Minutes

Rob Kraus

March 25, 2014 - Posted by Rob Kraus to Security Insight

Now that I have your attention, there are none. Securing networks is one of the most complicated endeavors organizations face today. Those organizations that prove to be the most successful in protecting assets do not have a magic wand and certainly do not make quick decisions on security solutions that help them meet their goals.

This year, a large part of the 2014 Global Threat Intelligence Report will focus on the ability to rapidly detect AND respond to threats. Well-planned detection capabilities will allow you to quickly and accurately address attacks as they unfold. The efficiency with which you respond to attacks after they are identified directly affects the impact of the attack. Increasing efficiency reduces attack impact.

Missing key parts in either the “detect” or “respond” parts of this equation will surely lead your organization into troubled times. This shouldn’t come as... read more >

A Secure Start to a New Holiday Season

Rob Kraus

November 21, 2013 - Posted by Rob Kraus to Security Insight

Santa Kraus

As we gear up for the 2013 holiday season we have a lot of things to consider: building shopping lists, inviting friends and family over for dinner, roasting USB sticks on an open fire…a lot to consider for sure. We cannot forget to mention that the Solutionary elves on the Security Engineering Research Team (SERT) are working hard on the 2014 Global Threat Intelligence Report also!

In the hustle and bustle of getting everything done, we often forget this is also a very busy time for people who thrive on their own malicious intent. We should prepare and make good decisions so our spirit in the holiday season does not sour prematurely.  

Online malicious activity escalates around this time of year. It is no doubt due to the many great retail deals we see during the holidays. I personally think many consumers become hypersensitive to... read more >

Effective DDoS Mitigation: It's All About The Planning

Rob Kraus

October 08, 2013 - Posted by Rob Kraus to Security Insight

DDoS Mitigation Big Gig

In October of 2013, the Solutionary Security Engineering Research Team (SERT) spoke at the Hacker Halted Conference held in Atlanta, GA. Jeremy Scott, Senior Research Analyst at Solutionary and a fellow blogger, and I spoke about “How Effective CSOs Prepare for DDoS Attacks.” Both the reception and feedback were great.

Why was it so great? It appears many organizations today do not understand how to handle DDoS attacks effectively, so there is a genuine “thirst” for knowledge on how to plan, prepare for and successfully mitigate the attacks.

First, nothing good comes of a response effort if there is not a plan. Kind of like when a rock band shows up on stage, but does not have a “set list” of songs they want to play, or even better yet, like not rehearsing the songs they come up with. Doesn’t sound like a fun time to me,... read more >

National Cybersecurity Awareness Month: Lessons To Use Every Day

Rob Kraus

October 01, 2013 - Posted by Rob Kraus to Security Insight

Cybersecurity awareness and self defense

It is hard to believe that summer has come and gone, kids are back in school and football season is upon us again. In addition to these annual milestones, the Solutionary team prepares for another annual Cybersecurity Awareness Month starting today.

As Director of Research for the Solutionary Security Engineering Research Team (SERT), it is my responsibility, as well as a goal for Solutionary and the SERT, to constantly share experiences we have by reaching out to our clients, fellow practitioners and the public as often as we can.

Since SERT responds to incidents on a daily basis, it is important for us to communicate what works well from a preparation and response perspective, allowing organizations to prepare so they do not end up being in a tough spot when targeted during an attack. The better educated... read more >

Budgeting for Security Incidents Alleviates Finding Money Later

Rob Kraus

August 27, 2013 - Posted by Rob Kraus to Security Insight

Incident responders can act as a bomb squad.

The Solutionary Security Engineering Research Team (SERT) provides incident response support for clients who encounter security incidents (such as DDoS, SQL injection, site defacements, etc.). While we identify the focus of the attack, the resources needed to support mitigation, and the way back to “normal” operations, these attacks have a funny way of forcing organizations to “find” money to pay for the mitigation.

The key word being “find”. It's as if it’s a surprise that bad people do bad things on the Internet. Yet most organizations still don’t react appropriately, or even efficiently, in response to the attacks.

Kind of funny, huh? Organizations are aware they will indeed encounter a cyberattack at some point, aren’t they? Don’t... read more >

Incident Response Plan Guidelines

Say 'what' again. I triple dog dare you!

Rob Kraus

July 16, 2013 - Posted by Rob Kraus to Security Insight

In the movie “Pulp Fiction”, the character Jules, played by Samuel L. Jackson, is trying to get information from another character, Brett, in a...shall we say...stressful situation. Jules finds Brett's communication abilities to be… lacking.

After noting Brett's intelligence ("Look at the big brain on Brett!"), Jules asks Brett a series of questions. In response, Brett stammers "What?" several times. The response from Jules is priceless:

Jules: What country you from?
Brett: What?
Jules: 'What' ain't no country I ever heard of, do they speak English in 'What'?
Brett: What?
Jules: English...do you speak it?
Brett: What? What?

Jules now points a .45 to Brett's head in an attempt to motivate him.

Jules: Say 'What' again! C'mon say 'What' again. I dare ya. I double dare ya...!

Needless to say, communications between Jules and Brett have broken... read more >

Measuring the Success of Your IT Security Program

Rob Kraus

May 30, 2013 - Posted by Rob Kraus to Security Insight

How well is your security program operating?

Are the security controls you funded effective?

Have you applied some methodology to determine if you are achieving a return on investment (ROI) for your security initiatives?

Often the biggest battle faced when defining the security vision of an organization is budget; a six-letter word that keeps our hands tied and can impact effectiveness and robustness of an organization’s ability to thwart attacks. 

However, in some cases you may obtain the appropriate budget and be able to implement your security vision. With this in mind, how does your organization realize the value of that investment?

Security controls are often intangible, and their ROI is hard to prove. Organizations must define the terms in which they deem a security initiative and deployment to be a success. This can apply to a single component within the security vision, or to the vision in its entirety.

Examples of... read more >

A Security Incident is Not Over…Even When It’s Over

Rob Kraus

April 02, 2013 - Posted by Rob Kraus to Security Insight

In the past few months, Solutionary has seen a great increase in the number of clients taking advantage of our Security Engineering Research Team (SERT) incident response support. Mitigating an active attack is certainly enough to keep organizations entertained for quite a bit of time, but when the attacks are over is it time to relax? 

If you are doing this correctly, your answer should be “no.”

Preparing for and mitigating attacks when they materialize is just the start. Many organizations fail to realize that after the attacks are over, a lot more work is still required. As an example, let’s say your organization identified a successful SQL injection attack allowing attackers to steal your data. You’ve found the vulnerability, patched it, and are ready to move on with your day-to-day organizational agenda,... read more >

It’s Alive! – The Solutionary Global Threat Intelligence Report

Rob Kraus

March 12, 2013 - Posted by Rob Kraus to Threat Intelligence

“It isn't the mountains ahead to climb that wear you out; it's the pebble in your shoe.”

- Muhammad Ali

One cannot appreciate the sheer effort it takes to create a report of this nature until it has been experienced first hand. After many months and thousands of hours of research, data mining, collaboration, layouts, editing sessions and sleepless nights it is hard to believe the time has come for Solutionary to release its first Global Threat Intelligence Report (GTIR).

The GTIR is packed full of great usable information including:

  • Real-world findings and statistics
  • Threat overview and mitigation recommendations
  • Tips...
read more >

New Year’s Resolutions – Security Frameworks

Rob Kraus

February 05, 2013 - Posted by Rob Kraus to Threat Intelligence

As we have now fully ushered in the New Year and many of us have already broken our New Year's resolutions, it is important to consider what a resolution is all about.

In the simplest terms, a resolution marks the thought or concept of making a significant change in the way we approach things; however, having a great idea is not enough.

For instance, for those of us who have determined it is time to drop a couple pounds and get back into shape, it is an exciting time and is bound to be full of challenges. If we do not foresee the challenges and have a solid plan to achieve our goals (losing weight in this case) we have a diminished chance of actually accomplishing them.

I fall back to my military training and one key memory. In basic training it was ingrained in our minds as new soldiers that, “If you fail to plan, then plan to fail.” Drill sergeants had a funny way of reinforcing this with what felt like a million pushups.

The... read more >

Vulnerabilities: Plug the Hole or Fix the Problem?

Rob Kraus

December 06, 2012 - Posted by Rob Kraus to Security Insight

One thing I was taught during first-aid training in the military is that applying a BAND-AID® is not an effective treatment for compound fractures. Sure, it may keep the wound clean, but it does not address the bigger issue.

Earlier this year I discussed the difference between tactical and strategic planning when it comes to securing your organization’s network and addressing threats. To revisit this strategy, let’s consider threats from the low-level bits and bytes, and then back our focus out to the 32,000-foot view.

I work with many great organizations, and I recently spoke with some decision makers regarding the implementation of controls to defend against threats. However, it quickly appeared that the focus of the conversation, and the organization’s strategy, was solely focused on protecting against... read more >

Cyber War – Wake up folks…it is (has been) here

Rob Kraus

October 25, 2012 - Posted by Rob Kraus to Security Insight

People often ask me, “Can you imagine what cyber war may look like in the future?” I usually respond, “Similar to the past…but worse.”

“The past?” most people reply.

That’s right folks, cyber war is not a futuristic hypothesis. It's already happened, is currently happening and will more than likely continue to appear in the news for the foreseeable future.

In 1997, the U.S. Government held one of the most notable “war games,” dubbed “Eligible Receiver,” in which the National Security Agency (NSA) acted as aggressors against other US Government organizations in order to identify weaknesses in the government’s cyber security posture. To shorten an otherwise long and depressing story, it did not turn out well for many government organizations. The NSA was able to penetrate and compromise many systems and... read more >

A Blip on the Radar, Sir - UFO!

Rob Kraus

August 28, 2012 - Posted by Rob Kraus to Security Insight

Last week I enjoyed reading an article I ran across on AINonline. The article explained that security researchers had identified a potential vulnerability in the Federal Aviation Administration’s (FAA) Air Traffic Control (ATC) Automatic Dependent Surveillance – Broadcast (ADS-B) program being deployed as part of the ATC NextGen modernization project.

Security researchers indicated that it is possible to spoof the presence of a fake aircraft by transmitting unencrypted and unauthenticated ADS-B signals on the frequencies used by the ADS-B system. A demonstration of the vulnerability was presented at this year’s DefCon conference in Las Vegas, Nevada. The researchers who identified and reported the vulnerabilities are well-known in the wireless communication vulnerability research space.

Given the amount of press I see on the nightly news about near-miss... read more >

Amazon.com Themed Phishing Attacks

Rob Kraus

July 12, 2012 - Posted by Rob Kraus to Threat Intelligence


The Solutionary Security Engineering Research Team has been busy analyzing malware this week. Here is an example of a piece of malware we received yesterday, masquerading as an Amazon.com shipping notification.

__

Email Title: Your Amazon.com order of "Casio Men's EEDN7D-1 G-Shock Solar Atomic Digital Sports Watch" has shipped!

Hello,

Shipping Confirmation
Order # 889-2623316-0593748

Your estimated delivery date is:
Friday, July 13 2012

Track your package. Thank you for shopping with us. We thought you'd like to know that we shipped this portion of your order separately to give you quicker service. You won't be charged any extra shipping fees, and the remainder of your order will follow as soon as those items become available. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.

Shipment Details
... read more >

Tactical vs. Strategic Security Program Planning

Rob Kraus

June 12, 2012 - Posted by Rob Kraus to Security Insight

While helping organizations develop a security program, we often come to a point where we need to determine which security controls, processes and policies provide the greatest value for the smallest investment. I mean, we all have budgets to monitor, right?

I usually walk clients through an exercise to identify significant gaps in the organization's posture and then determine what controls make sense, based on the organization's goals. Goals? “What, you mean we are supposed to set goals for our security program?” you ask.

Of course!

As Solutionary’s Chief Security Strategist, Don Gray often says: “You won't make it to your destination if you don’t have your trip planned out.”

How do we accomplish this?

  • Identify your organization's weaknesses and greatest risks
  • Define the controls, process and procedures you need to address and mitigate those risks... read more >

Network and Application Security Scope Creep

Rob Kraus

April 17, 2012 - Posted by Rob Kraus to Security Insight

“I’m giving her all she’s got, Captain!” The words were made famous by Scotty in Star Trek. For the circumstances encountered in the movie it was certainly a wise choice to make and probably saved the U.S.S. Enterprise from demise.

Networks today are often very complex, and too often, in a state of disarray from years of piling on more software, hardware and “solutions” as our business grows.

Complexity may not be something we were expecting or envisioned as we expanded our network’s capabilities, but nonetheless many IT shops continue to implement “the next best thing” to solve “the next big problem.”

As humans, it is natural for us to have the mindset of “there’s an app for that” when looking for solutions (a product of years of marketing brainwashing I assume). However, sometimes fixes to problems are over-engineered and provide “too... read more >

Can You Ever Have Too Much Security Information?

Rob Kraus

March 09, 2012 - Posted by Rob Kraus to Security Insight

Sometimes having too much information can be detrimental to security efforts. “But, Rob,” you ask, “Haven’t you been saying we need visibility to know what’s going on within our environments?”

Yes, I must confess, those have been and will continue to be my words. However, sometimes having too much information can cause bottlenecks and can prevent you from making appropriate and effective decisions. Have you ever heard the saying, “you can’t see the forest for the trees?” 

There is a lot to be said for having many information sources, logged devices, log feeds, health statuses, alerts, and events being captured and analyzed by your organization, but how much of this information is actionable intelligence, and how much is really just white-noise?

As experienced by the ... read more >

bash_history=-dev-null - not the droids you need

Rob Kraus

February 07, 2012 - Posted by Rob Kraus to Security Insight

Recently I was reviewing exploit code we had identified as part of a privilege escalation attack against a UNIX-based server. There were certainly a lot of interesting things in the exploit code, including shellcode, assembly language instructions and funny hacker “l33t sp3ak” comments, but one thing that always sticks out for me is the attacker hiding their tracks.

In particular, the following code caught my eye:
if (pid == 0) {                          /* child process after fork() */
    char *args[] = {"/bin/sh", "-i", NULL};
    /* every history-related variable points at /dev/null (or 0) */
    char *envp[] = {"TERM=linux", "BASH_HISTORY=/dev/null", "HISTORY=/dev/null",
                    "history=/dev/null", "HISTFILE=/dev/null", "HISTFILESIZE=0",
                    "PATH=/bin:/sbin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin",
                    NULL};
    execve("/bin/sh", args, envp);       /* replace the child with an interactive shell */
}

The above code is run as part of the exploit. In short, it spawns an interactive shell with a hand-built environment in which every history-related variable (HISTFILE and its variants) points at /dev/null, or sets the history file size to zero, so whatever the attacker types in that shell is never written to a history file.

/dev/null is a *nix... read more >
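A defender's counterpart to the snippet above, added here as an example and not code from the original post: the shell the exploit spawns carries these variables in its initial environment, and on Linux that initial environment is readable from /proc/<pid>/environ (NUL-separated KEY=VALUE pairs) for as long as the shell runs. The script below parses that format and flags history-suppressing values; the two sample environment blocks are constructed, one copied from the exploit's envp and one resembling a normal login. It catches history disabled at execve time, which is exactly this technique, but not a later `unset HISTFILE` typed into an otherwise normal shell; command-level auditing (for example auditd logging of execve) is the complement for that case.

```python
"""Flag processes whose initial environment disables shell history.

Added example, not from the original post. Parses the NUL-separated
KEY=VALUE format of Linux /proc/<pid>/environ; the sample blocks at the
bottom are constructed for demonstration.
"""
import os
from typing import Dict, List

# Variables the exploit overrides (bash itself reads HISTFILE, HISTFILESIZE
# and HISTSIZE; the rest cover other shells) and the values that turn
# history off in practice.
HISTORY_VARS = {"HISTFILE", "HISTFILESIZE", "HISTSIZE",
                "BASH_HISTORY", "HISTORY", "history"}
DISABLING_VALUES = {"/dev/null", "0", ""}


def parse_environ(blob: bytes) -> Dict[str, str]:
    """Split a /proc/<pid>/environ blob (NUL-separated KEY=VALUE) into a dict."""
    env: Dict[str, str] = {}
    for entry in blob.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep:  # skips the empty trailing entry and anything without '='
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def history_suppressed(env: Dict[str, str]) -> List[str]:
    """Return VAR=VALUE findings that indicate history suppression, sorted by name."""
    return [f"{var}={env[var]}" for var in sorted(HISTORY_VARS)
            if var in env and env[var] in DISABLING_VALUES]


def scan_proc(proc_root: str = "/proc") -> Dict[int, List[str]]:
    """Live scan of every readable <proc_root>/<pid>/environ.

    Needs root to read other users' processes; unreadable or vanished
    processes are skipped. environ reflects the environment passed at
    execve, so this catches the exploit's technique but not a later
    'unset HISTFILE' typed into the shell.
    """
    hits: Dict[int, List[str]] = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "environ"), "rb") as fh:
                findings = history_suppressed(parse_environ(fh.read()))
        except OSError:
            continue
        if findings:
            hits[int(name)] = findings
    return hits


# Constructed samples: the envp the exploit builds for its /bin/sh -i child,
# and a normal interactive login for contrast.
EXPLOIT_ENVIRON = (b"TERM=linux\0BASH_HISTORY=/dev/null\0HISTORY=/dev/null\0"
                   b"history=/dev/null\0HISTFILE=/dev/null\0HISTFILESIZE=0\0"
                   b"PATH=/bin:/sbin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin\0")
BENIGN_ENVIRON = (b"TERM=xterm\0HOME=/home/analyst\0"
                  b"HISTFILE=/home/analyst/.bash_history\0HISTSIZE=1000\0")

if __name__ == "__main__":
    print("exploit shell:", history_suppressed(parse_environ(EXPLOIT_ENVIRON)))
    print("normal login: ", history_suppressed(parse_environ(BENIGN_ENVIRON)))
    if os.path.isdir("/proc"):
        for pid, findings in sorted(scan_proc().items()):
            print(f"pid {pid}: {', '.join(findings)}")
```

Run it as root to see other users' processes; unprivileged, scan_proc() silently skips environ files it cannot open. A hit is an investigative lead, not proof: an administrator may legitimately disable history for a service account, so check the parent process and the login source before acting.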

Application Patch Management

Rob Kraus

December 28, 2011 - Posted by Rob Kraus to Security Insight

A war you will not win, but have to fight.

Application vulnerabilities are often overlooked by organizations' patch management programs, and a lack of awareness and proactive identification of them can expose organizations to significant risk. Networks today often contain multiple operating system platforms, a mish-mash of backbone router and switch products, and hundreds of individual desktop and server applications. Keeping up with the latest security patches for all these systems can be a nightmare for any organization. Additionally, focusing all of an organization's effort on operating system patch management alone can be a foolish and risky decision.

Solutionary recently started releasing vulnerabilities identified by our Solutionary Engineering Research Team (SERT) which provides us a few examples to work with. Let’s look at an example of application vulnerability, and see what... read more >

New Toys...New Vulnerabilities

Rob Kraus

December 22, 2011 - Posted by Rob Kraus to Security Insight

During this holiday season many of us will likely exchange really cool gifts with friends, co-workers, and family. Some of us will be lucky enough to receive some of the latest advances in technology, such as iPads, smart phones, computers, and anything else you can think of with blinking lights and the promise of hours of enjoyment. Let’s face it, it’s a time of giving and a great time to reward ourselves and each other for all the great work we did in 2011.

If you’re like me, there is nothing more fun than ripping off the wrapping paper and getting right into playing with some of these fun electronic wonderlands. However, I am cursed with always thinking:

“Cool new iPad; wonder what version of iOS it is running?”

I guess it is just part of being in the information security industry and part of what keeps me diligent about staying secure.

I can’t help but think how many people around the world will be opening brand new... read more >

Hardening Applications Is Not That Hard

Rob Kraus

November 18, 2011 - Posted by Rob Kraus to Security Insight

Recently, I had the pleasure of working with an organization doing a terrific job at hardening their network against attacks.

Servers locked down. Check!

Routers and switches secured. Check!

Clear-text protocols disabled. Check!

Applications secured. Whoops!

Company policies dictated strict adherence to National Institute of Standards and Technology (NIST) guidelines for hardening infrastructure, operating systems, and effective and secure use of protocols. This is a good start and helped the organization build secure software images for many of their desktop and server deployments.

However, after closer review, the organization had issues with deploying applications with the same amount of rigor.


Why?

Perhaps they did not pay as much attention to build and deployment standards for the critical... read more >

SQL Injection – Interpreting the Metrics

Rob Kraus

October 04, 2011 - Posted by Rob Kraus to Security Insight

In my last post on SQL Injection, we discussed why this form of attack can be devastating and lead to loss of confidentiality, integrity and availability.

As a Managed Security Service Provider (MSSP) with an information security consulting practice, Solutionary is able to visualize both the types of attack and the defenses implemented to prevent them. This provides Solutionary and our clients with intelligence on not only the current attack trends, but also the mitigating controls that are effective in preventing them from being successful.

Our Solutionary Engineering Research Team (SERT) uses this valuable... read more >

Day of Vengeance

Rob Kraus

September 23, 2011 - Posted by Rob Kraus to Security Insight

The hacking group “Anonymous” has issued several statements about its intent to launch cyber attacks against multiple corporate and civil services organizations on Saturday, September 24, 2011 “at high noon.”

The attacks are fueled by the events occurring last week during the “Day of Rage” (a.k.a. “Occupy Wall Street”) protests at Wall Street in the Financial District of New York City.

Specific targets of attack according to Anonymous statements include Wall Street and multiple banking institutions, as well as the New York City Police Department. However, Anonymous also mentioned attacks will occur in dozens of other cities around the United States as part of its campaign.

The following link is the pastebin.com message posted by Anonymous and provides a... read more >

Morto Worm – Weak Passwords in the Spotlight Again

Rob Kraus

September 09, 2011 - Posted by Rob Kraus to Security Insight

Recently, another worm has been discovered and is making its way across the Internet. “Morto” is a little different from previous worms as far as propagation is concerned: instead of exploiting a software flaw, the Morto worm logs into systems with Microsoft Remote Desktop Protocol (MSRDP) enabled using weak, commonly used usernames and passwords.

Once a system is infected, the worm attempts to propagate to other systems on the network running MSRDP, trying approximately 25 common usernames and 37 common passwords against the MSRDP service. Once a system is compromised, the worm also modifies several registry keys and creates several new files on the infected system.

The propagation of this worm is 100% preventable: do not use weak passwords on accounts that can log in over MSRDP, and limit the exposure of MSRDP interfaces to the hosts that actually need them.

Some preventative tips to help keep this worm from spreading... read more >
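The propagation behaviour described above leaves a distinctive trail in the Windows Security log of every host the worm touches: a burst of failed RDP logons cycling through many account names, then, if a guess lands, a successful RDP logon from the same source. The detector below is an added example (not code from the original post or from NTT Security/Solutionary) that flags that pattern. It assumes a log collector has already flattened Security events into dict records with the fields used here; SAMPLE_EVENTS are constructed for illustration. The Windows signals themselves are real: Event ID 4625 is “An account failed to log on”, 4624 is a successful logon, and Logon Type 10 (RemoteInteractive) means RDP.

```python
"""Flag Morto-style RDP password guessing in Windows Security log data.

Added example, not from the original post. Assumes a collector has
flattened Windows Security events into dict records with the fields
used below; SAMPLE_EVENTS are constructed. Event ID 4625 = failed logon,
4624 = successful logon, Logon Type 10 = RemoteInteractive (RDP).
"""
from collections import defaultdict
from datetime import datetime

EID_LOGON_FAILED = 4625
EID_LOGON_SUCCESS = 4624
RDP_LOGON_TYPE = 10

# A few of the generic account names a Morto-style worm cycles through.
_GUESSED = ["administrator", "admin", "user", "test", "guest",
            "support", "backup", "sql", "server", "owner"]


def _ev(ts, eid, user, src, logon_type=RDP_LOGON_TYPE):
    return {"ts": ts, "event_id": eid, "logon_type": logon_type,
            "user": user, "src": src}


# Constructed sample: 10.0.0.77 behaves like an infected host (20 RDP
# failures across 10 accounts in two minutes, then a success as "Admin");
# 10.0.0.23 is a person mistyping a password twice; the last record is an
# SMB (logon type 3) failure that this detector deliberately ignores.
SAMPLE_EVENTS = (
    [_ev(f"2011-09-08T02:14:{6 * i:02d}", EID_LOGON_FAILED, _GUESSED[i % 10], "10.0.0.77")
     for i in range(10)]
    + [_ev(f"2011-09-08T02:15:{6 * i:02d}", EID_LOGON_FAILED, _GUESSED[i % 10], "10.0.0.77")
       for i in range(10)]
    + [_ev("2011-09-08T02:16:05", EID_LOGON_SUCCESS, "Admin", "10.0.0.77")]
    + [_ev("2011-09-08T08:01:10", EID_LOGON_FAILED, "jsmith", "10.0.0.23"),
       _ev("2011-09-08T08:01:25", EID_LOGON_FAILED, "jsmith", "10.0.0.23"),
       _ev("2011-09-08T08:01:40", EID_LOGON_SUCCESS, "jsmith", "10.0.0.23"),
       _ev("2011-09-08T08:02:00", EID_LOGON_FAILED, "svc_backup", "10.0.0.23", logon_type=3)]
)


def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%S")


def detect_rdp_bruteforce(events, window_seconds=300, min_failures=10, min_users=5):
    """Return {source_ip: summary} for sources that look like automated RDP guessing.

    A source is flagged when, inside any sliding window of `window_seconds`,
    it produces at least `min_failures` RDP logon failures or tries at least
    `min_users` distinct account names (the worm rotates through ~25 names,
    so the distinct-user count catches it even at a slow guess rate).
    Successful RDP logons from a flagged source after its first failure are
    listed under "logged_in_as": that account, on that host, is what to check.
    """
    per_src = defaultdict(list)
    for e in events:
        if e["logon_type"] == RDP_LOGON_TYPE:
            per_src[e["src"]].append(e)

    findings = {}
    for src, evs in per_src.items():
        evs.sort(key=_ts)
        failures = [e for e in evs if e["event_id"] == EID_LOGON_FAILED]
        if not failures:
            continue
        max_failures = max_users = 0
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until the burst fits in window_seconds.
            while (_ts(failures[end]) - _ts(failures[start])).total_seconds() > window_seconds:
                start += 1
            burst = failures[start:end + 1]
            max_failures = max(max_failures, len(burst))
            max_users = max(max_users, len({e["user"].lower() for e in burst}))
        if max_failures < min_failures and max_users < min_users:
            continue
        first_failure = _ts(failures[0])
        logged_in_as = sorted({e["user"].lower() for e in evs
                               if e["event_id"] == EID_LOGON_SUCCESS and _ts(e) >= first_failure})
        findings[src] = {"failures": max_failures, "distinct_users": max_users,
                         "logged_in_as": logged_in_as}
    return findings


if __name__ == "__main__":
    for src, summary in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(src, summary)
```

Two thresholds are used on purpose: a raw failure count catches fast guessing, while the distinct-account count catches a worm that throttles itself but still walks a fixed username list. Tune `window_seconds` and the minimums to the host's normal traffic; a jump host with many legitimate users needs higher values than a database server that should never see interactive logons at all.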

CWE Software Error Series - CWE-89 – SQL Injection

Rob Kraus

August 02, 2011 - Posted by Rob Kraus to

As Jose Hernandez mentioned in his introduction post on our “New Blog Series - Top 25 Most Dangerous Software”, we will start off our exploration of the list with “CWE-89 - Improper Neutralization of Special Elements used in an SQL Command” or more commonly known as “SQL injection”.

Not only is this number one on the CWE software error list, it also holds the top spot on the Open Web Application Security Project (OWASP) Top 10 Application Security Risks – 2010 report, where injection flaws (SQL injection first among them) are A1. This class of vulnerability certainly deserves its position on the... read more >
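CWE-89's definition, “improper neutralization of special elements used in an SQL command”, is easiest to see with the flaw and its fix side by side. The following is an added example, not code from the original post or from the blog series it introduces; it uses Python's built-in sqlite3 module with an in-memory table of constructed rows so it runs offline, and the same pattern applies to any SQL driver that supports bind parameters.

```python
"""CWE-89 side by side: a string-built query and its parameterised fix.

Added example, not code from the original post. Uses Python's built-in
sqlite3 with an in-memory table of constructed rows so it runs offline.
"""
import sqlite3


def build_db():
    """Create a throwaway users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "email TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users (username, email, is_admin) VALUES (?, ?, ?)",
                     [("alice", "alice@example.com", 1),
                      ("bob", "bob@example.com", 0),
                      ("carol", "carol@example.com", 0)])
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """CWE-89: the caller's text is pasted straight into the SQL command.

    A quote in `username` closes the string literal, and everything after it
    is parsed as SQL, so the attacker gets to write the WHERE clause.
    """
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Fix: bind the value as a parameter.

    The statement text is fixed and the value travels separately, so the
    database treats `username` purely as data; a quote is just a quote.
    """
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Two classic payloads: a tautology that matches every row, and a UNION that
# pulls a column (is_admin) the query was never meant to expose. The trailing
# "--" comments out the dangling quote the application appends.
TAUTOLOGY = "' OR '1'='1"
UNION_LEAK = "x' UNION SELECT username, is_admin FROM users --"


if __name__ == "__main__":
    conn = build_db()
    for payload in (TAUTOLOGY, UNION_LEAK):
        print("vulnerable:", find_user_vulnerable(conn, payload))
        print("safe      :", find_user_safe(conn, payload))
```

Against the vulnerable function the tautology returns every row and the UNION payload returns the admin flag for every account; against the parameterised function both payloads simply match no user, because the database is looking for a literal username containing a quote. Escaping input is not the fix here; separating the statement from its data is.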

Taking the Gloves Off

Rob Kraus

June 15, 2011 - Posted by Rob Kraus to Security Insight

So, you really want to know the answers to the questions you were afraid to ask about your organization’s security posture?

“Can my company be the next hot story on the evening news due to data being compromised?”

“Is my organization doing enough to protect our customers and data?”

“Wow...so that’s what an APT looks like?”

Red Team exercises are one of the most effective ways to answer these complicated and sometimes scary questions.

What is “Red Teaming”? Well, in short, it is where controlled penetration testing activities go off the tracks and break all the rules “traditional” penetration tests have in place. It provides the penetration testing team (the Red Team) with the flexibility of leveraging multiple attack vectors to crack into your organization and steal the crown jewels…without you even knowing.

Perhaps you are... read more >

Client-Side Attacks and Exploitation

Rob Kraus

April 06, 2011 - Posted by Rob Kraus to Security Insight

With all the recent buzz about Advanced Persistent Threats (APT) and client-side attacks, now may be a great time to talk about what client-side attacks are and some examples of attacks commonly used to leverage client-side application vulnerabilities.


What are client-side attacks?

First, client-side attacks are nothing new, but the tools and techniques to execute them are getting better every day. This means the attacks are becoming easier to perform successfully and the increased success rate will fuel the desire for malicious attackers to continue using them for quite some time.

In traditional Client/Server architecture, the “client” is usually an operating system the corporate end-user (employee) interacts with on a daily basis. These are often one of the various flavors of Microsoft’s... read more >

“We Meant to Turn that Off.”

Rob Kraus

February 18, 2011 - Posted by Rob Kraus to Security Insight

A phrase I hear uttered far too often. 

During the delivery of penetration testing services, we often have the opportunity to work with many great administrators and security professionals; so many, in fact, it is hard to keep count (I only count in binary, so that may be part of the problem).

During exit briefings, we usually provide an overview of how privileged access is gained to the network and what we were able to do once we were in. In many cases, access is not gained by way of some glamorous attack, but as a result of poor deployment and change management policies and procedures.

Example 1:
During an internal assessment, I was able to identify a Cisco device with easily guessable and default public and private SNMP community strings enabled. Using the snmpset application, I was able to transfer the router configuration file to a TFTP server I had set up internally. Within the... read more >
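The condition behind Example 1 (a default or guessable community string, read-write access, and nothing restricting which hosts may talk SNMP to the device) is visible in the running configuration long before a tester turns up with snmpset. The audit below is an added example, not code from the original post or from NTT Security/Solutionary. It checks static IOS configuration text rather than probing the device, so it runs offline; SAMPLE_CONFIG is constructed. The IOS syntax it parses is `snmp-server community <string> [view <name>] [RO|RW] [<acl>]` (access defaults to RO when omitted); WEAK_COMMUNITIES and the 12-character length threshold are assumptions to adjust to local policy.

```python
"""Audit a Cisco IOS configuration for dangerous SNMP community settings.

Added example, not code from the original post. Parses static config
text (no device access), so it runs offline; SAMPLE_CONFIG is constructed.
Syntax handled: "snmp-server community <string> [view <name>] [RO|RW] [<acl>]".
WEAK_COMMUNITIES and MIN_COMMUNITY_LEN are assumptions about local policy.
"""
import re

WEAK_COMMUNITIES = {"public", "private", "cisco", "admin", "secret",
                    "snmp", "monitor", "manager", "write", "read"}
MIN_COMMUNITY_LEN = 12  # assumption: local policy threshold

_COMMUNITY_RE = re.compile(
    r"^\s*snmp-server community (?P<community>\S+)"
    r"(?: view (?P<view>\S+))?"
    r"(?: (?P<mode>RO|RW))?"
    r"(?: (?P<acl>\S+))?\s*$",
    re.IGNORECASE,
)

# Constructed sample config: two default strings, one of them RW, a strong
# RO string bound to ACL 99, and a strong RW string with no ACL at all.
SAMPLE_CONFIG = """\
!
hostname core-rtr-01
!
snmp-server community public RO
snmp-server community private RW
snmp-server community c0reMon1tor!ng RO 99
snmp-server community NetOps-RW-2011 view cutdown RW
snmp-server location Omaha DC1
snmp-server host 10.10.5.20 version 2c c0reMon1tor!ng
!
"""


def audit_snmp_communities(config_text):
    """Return one finding per risky 'snmp-server community' line.

    The combination from the post (a guessable RW string with no source ACL)
    is rated critical: with RW access an attacker can use snmpset to make the
    router export its configuration. A guessable RO string, or a strong RW
    string that any host may use, is high; an otherwise strong RO string
    with no ACL is medium. Lines with no issues are not reported.
    """
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = _COMMUNITY_RE.match(line)
        if not m:
            continue
        community = m.group("community")
        mode = (m.group("mode") or "RO").upper()  # IOS defaults to RO
        acl = m.group("acl")
        issues = []
        weak = community.lower() in WEAK_COMMUNITIES
        if weak:
            issues.append("default or guessable community string")
        elif len(community) < MIN_COMMUNITY_LEN:
            issues.append("community string shorter than %d characters" % MIN_COMMUNITY_LEN)
        if mode == "RW":
            issues.append("read-write access (config can be pulled or changed via snmpset)")
        if acl is None:
            issues.append("no ACL restricting which hosts may query")
        if not issues:
            continue
        if weak and mode == "RW":
            severity = "critical"
        elif weak or mode == "RW":
            severity = "high"
        else:
            severity = "medium"
        findings.append({"line": lineno, "community": community, "mode": mode,
                         "acl": acl, "severity": severity, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_snmp_communities(SAMPLE_CONFIG):
        print("line %d [%s] %s: %s" % (f["line"], f["severity"], f["community"],
                                       "; ".join(f["issues"])))
```

Run it over the configs in your change-management repository rather than over a single device: the post's point is that these strings survive because nobody compares what was deployed with what the build standard says. An ACL on the community line only limits which source addresses the agent answers; it does not help against a host inside that range, so the strong string and RO-where-possible still matter.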

Solutionary Vulnerability Disclosure Program Goes Live

Rob Kraus

December 10, 2010 - Posted by Rob Kraus to Security Insight

Solutionary is dedicated to protecting our clients from new threats and providing exceptional value through our thorough security analysis. During our regular delivery of services, we often discover previously unpublished vulnerabilities in applications. This leads us to communicate with vendors to provide remediation guidance and help them better secure their software. Although Solutionary has performed vulnerability research and application assessments for quite some time, we have decided to share our research and findings with our clients and the general public.

Frequent visitors to our web site may have noticed the recent addition of a “Research” navigation tab. The content found in this part of our web site is dedicated to our ongoing research efforts and responsible disclosure of vulnerabilities discovered by our Solutionary Engineering Research Team (SERT).

A few of our initial vulnerability releases can be viewed by visiting the... read more >

Clear-text is Fine…It’s Internal.

Rob Kraus

November 24, 2010 - Posted by Rob Kraus to Security Insight

When providing report results to clients, the age-old debate of whether clear-text network and administration protocols are appropriate is unavoidable. The general consensus of many IT professionals is that it is okay to implement clear-text protocols internally with a few common justifications: 

1. “We trust our employees.” (Big mistake; review insider attacks and statistics at www.datalossdb.org)
2. “That segment is internal only; no outsiders can get to it.” (Wrong again; ever hear of ‘client-side attacks’?)
3. “Those systems aren’t critical; clear-text is okay.” (If they are not critical and do not support business operations, then why are they implemented in the first place?)
4. “The vendor does not offer... read more >

Something Old, Something New...Stuxnet Worm, Security and You

Rob Kraus

October 11, 2010 - Posted by Rob Kraus to Security Insight

The Stuxnet worm is attacking power plants and “OMG the world is coming to an end!” If blaring media reports about the potential damage Stuxnet could cause don’t make you pucker, then likely little else will faze you.


Sadly, it takes this kind of media coverage to open the eyes of the public and the government to the real threats propagating in the wild today. What makes Stuxnet so popular? Is it that the perceived targets right now are countries that are attempting to bring nuclear power online? Could it be because the worm specifically targets SCADA systems and could have a significant impact on the national infrastructure of ANY country that uses nuclear power? Some say the current attacks are pure coincidence; others will lead you to believe they are the result of a political agenda, covert operations and government-sponsored cyber warfare. But what happens when/if it strikes closer to home?

Now that I have your attention,... read more >

404 Error: Security Training Not Found

Rob Kraus

August 30, 2010 - Posted by Rob Kraus to Security Insight

One of the greatest issues I see affecting organizations today is the lack of corporate support for developer and administrator security education. So, I would like to provide you some useful information about security training and events to help supercharge your learning and keep your teams up-to-date with news about new threats and attack methodologies.


Unfortunately, training budgets are often the first area considered when attempting to reduce spending. This is nothing new in business, and is not simply due to the effects of “poor economic conditions”; it’s just a fact of life. I include below a few training considerations and several cost effective options (some are even FREE – we like free). But before we get there, why are many organizations not familiar with secure coding practices and common vulnerabilities, and why is proper training important?

Higher education such as traditional and online universities are often not... read more >

Voted one of the Best Computer Security Blogs 2016
NTT Security (US), Inc. (formerly Solutionary) is a security consulting and managed security services provider. The NTT Security blog is a place for IT professionals to both learn and talk about the latest in IT security and compliance.
