Savage Security October 2017 Newsletter

Savage Deeds

Kyle Bubp
Savage Security Blog
7 min read · Nov 15, 2017


Photos from EDGE2017 aren’t available yet, so we’ll all have to settle for this REALLY OLD picture of Adrian from last year’s EDGE conference.

Savage Security News

October was another busy month for us, but we love busy! We kicked off the month joining our friends Jake and Tori on “The Morning After” to once again bring security education to the masses. I think it’s almost safe to say that we are regulars on the show by now. We also attended EC-Council’s Hacker Halted conference in Atlanta, GA and presented at the EDGE Security Conference in Knoxville, TN. We’ve also got a new offering that our customers say is “extremely valuable” and might just kill the need for a pentest (well, unless you’re bound by regulation to have a pentest).

Security Training

Savage Security has begun to put together training programs. The goal of these is not only to educate on best practices for keeping the organization safe, but also on how to secure your personal assets. Although many organizations choose to use phishing campaigns as a means of training, email is just one aspect of security that should be covered; data privacy, security, and sensitive data handling deserve attention too. If you feel that your organization would benefit from a custom-tailored security training program, contact us for a free consultation.

Update on our Breach Simulation Assessment Offering

We previously called it a Breach Impact Assessment, but decided that co-opting the BIA (business impact analysis) would just confuse everyone. We’ve been performing and refining this assessment, and it has exceeded our expectations. We’re beginning to think that for most organizations, it may be a much better bang for the buck than a pentest. We’re confident that if you give us just an hour or two, we can give you a good idea of how your organization would fare if hit by multiple types of breaches:

  • Ransomware — San Francisco Metro, UK National Health Services
  • ‘Smash and Grab’ — This type of attack includes some of the best known breaches — Target, Home Depot, TJX…
  • ‘Smash and Stab’ — These attacks are just out to cause damage; Sony Pictures, Ashley Madison, Hacking Team and Saudi Aramco are a few examples.

In one example, we found that a customer’s managed SOC alerted on only 1 out of 14 tests. In other words, 93% of the things we simulated (WannaCry, data exfiltration, malware beaconing, etc.) got through their defenses successfully and unnoticed. Along with our report, we work with you to close the gaps and we re-evaluate over time to ensure that your defenses stay strong. We really think this helps shine a light on security holes in a more efficient, less expensive manner.

We can’t say that we’re going to replace penetration tests yet, but let’s say that we’re close to a solution that will be a much more effective use of security budget, while returning more actionable and relevant results!

This offering is designed to act as a quick and easy baseline that can help focus an organization on where cybersecurity priorities should be. Our primary long-term offering continues to be our monthly subscription services, where our clients get a number of hours of our time every month. This allows us to constantly engage with our clients, helping them get better at security on a regular basis. We’ve found that we talk with each of our clients on a weekly basis, and we are convinced that having an active consultant and adviser available is the most effective way to effect long-term improvements in security programs.

Savage Security Advisories

Savage Security subscribers receive advisories when potentially serious vulnerabilities or events hit the news. It’s not that everything that the mainstream media picks up is critical — it’s often quite the contrary. The reason we do this is because these vulnerabilities often have a marketing campaign wrapped around them that can obscure the real relevance of the issue (if any).

Our advisories cut through any logos and other marketing fluff to focus on what matters: is this a big deal, and if so, what should we be doing about it? We saw a record number of these in October, with four on the same day! On October 24th, information about KRACK, ROCA, DUHK and a critical Flash vulnerability (CVE-2017-11292) was announced. There was not enough coffee in the world on October 24th…

Market News

We often wonder if we’ll run out of things to talk about in our market news section — after all, a month is just 30 days! It’s not been a problem so far. We continue to hear about an average of 6 new startups every month, a new security category every 3 months and, to our dismay, at least one new Gartner term each week.

New Trends

Back in our August newsletter, we mentioned Awake Security as a new vendor looking to do a more effective job at accurately identifying devices on the corporate network. It seems the entire IoT security space has the same idea. Nearly every IoT security vendor we talk to describes a similar design: passive device identification using a network tap. We get it — most SCADA, industrial and medical devices are fragile — a network scan might be enough to knock them offline. The natural response is to try to determine the type of device by monitoring the digital ‘exhaust’ it gives off.

We appreciate that traditional network scanning will never be 100% effective. The response to that was to create host-based agents that provide the same information as a credentialed scan. However, installing an agent isn’t always an option, especially in the case of specialized IoT devices. This is where passive monitoring and analysis comes in.

Overwhelmingly, we’ve been seeing passive monitoring as a key approach used by newer security and IoT security startups: attempting to identify the devices on the corporate network by looking at patterns and fingerprints in their network communications. One of the concerns with this approach is the difficulty of getting full visibility of the internal network into a single hardware appliance or other collection point. Especially in medical and industrial IoT cases, there might be dozens of physical buildings or manufacturing centers that have to be accounted for, requiring a large number of physical appliances to be installed.
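To make the passive approach concrete, here is an added example (not code from the newsletter or from any of the vendors mentioned) of how a collector behind a tap can build a device inventory without ever sending a packet to a fragile host. It folds per-packet observations into a per-MAC profile and classifies each device from its OUI, DHCP vendor class and hostname, the initial IP TTL implied by what was observed, and the ports it listens on. The observation records, the medical-device OUI `de:ad:be` and the small OUI and port tables are constructed for the example; a real deployment would use the IEEE OUI registry and a far larger fingerprint set.

```python
"""Passive device identification from tapped traffic metadata (constructed example).

Nothing here transmits: every field comes from packets a network tap already
sees, so fragile SCADA/medical gear is never probed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Observation:
    """One record as a tap/collector might emit it (all values constructed)."""
    mac: str
    src_ip: str
    ttl: Optional[int] = None               # IP TTL as observed at the tap
    dhcp_vendor_class: Optional[str] = None  # DHCP option 60, if the host used DHCP
    dhcp_hostname: Optional[str] = None      # DHCP option 12
    dst_port: Optional[int] = None           # a port this host connected out to
    listening_port: Optional[int] = None     # a port this host answered on (SYN-ACK seen)


# Assumed OUI table (first three octets -> vendor). b8:27:eb and 00:0c:29 are
# real registrations; de:ad:be is a constructed placeholder for a medical vendor.
OUI_VENDORS = {
    "b8:27:eb": "Raspberry Pi Foundation",
    "00:0c:29": "VMware",
    "de:ad:be": "ExampleMed Devices (constructed)",
}

# Well-known service ports that strongly imply a device role when a host LISTENS on them.
LISTENING_PORT_ROLES = {
    502: "industrial controller (Modbus/TCP)",
    104: "medical imaging (DICOM)",
    3389: "Windows host (RDP)",
}


@dataclass
class Profile:
    mac: str
    vendor: str = "unknown"
    ips: set = field(default_factory=set)
    initial_ttl: Optional[int] = None
    dhcp_vendor_class: Optional[str] = None
    hostname: Optional[str] = None
    outbound_ports: set = field(default_factory=set)
    listening_ports: set = field(default_factory=set)


def oui_vendor(mac: str) -> str:
    return OUI_VENDORS.get(mac.lower()[:8], "unknown")


def initial_ttl_guess(ttl: int) -> Optional[int]:
    """Observed TTL = initial TTL minus hops; round up to the nearest common default."""
    for base in (64, 128, 255):
        if ttl <= base:
            return base
    return None


def build_profiles(observations: List[Observation]) -> Dict[str, Profile]:
    """Fold individual observations into one profile per MAC address."""
    profiles: Dict[str, Profile] = {}
    for o in observations:
        mac = o.mac.lower()
        p = profiles.setdefault(mac, Profile(mac=mac, vendor=oui_vendor(mac)))
        p.ips.add(o.src_ip)
        if o.ttl is not None:
            p.initial_ttl = initial_ttl_guess(o.ttl)
        if o.dhcp_vendor_class:
            p.dhcp_vendor_class = o.dhcp_vendor_class
        if o.dhcp_hostname:
            p.hostname = o.dhcp_hostname
        if o.dst_port is not None:
            p.outbound_ports.add(o.dst_port)
        if o.listening_port is not None:
            p.listening_ports.add(o.listening_port)
    return profiles


def classify(p: Profile) -> str:
    """Ordered rules: service role first, then DHCP evidence, then OUI, then TTL hint."""
    for port, role in LISTENING_PORT_ROLES.items():
        if port in p.listening_ports:
            return role
    if p.dhcp_vendor_class and p.dhcp_vendor_class.startswith("MSFT"):
        return "Windows host (DHCP vendor class)"
    if "Raspberry Pi" in p.vendor:
        return "embedded Linux device (Raspberry Pi)"
    if p.initial_ttl == 255 and p.vendor == "unknown":
        return "network/embedded device (TTL 255), needs manual review"
    return "unclassified, needs manual review"


def inventory(observations: List[Observation]) -> Dict[str, str]:
    """MAC -> device label; the hosts that end up 'needs manual review' are the asset-inventory gaps."""
    return {mac: classify(p) for mac, p in build_profiles(observations).items()}


# Constructed sample: what a tap on a mixed IT/OT/medical segment might report.
SAMPLE = [
    Observation("B8:27:EB:12:34:56", "10.0.1.5", ttl=64, dhcp_hostname="sensor-gw", dst_port=443),
    Observation("de:ad:be:ef:00:01", "10.0.2.10", ttl=254, listening_port=104),
    Observation("00:0c:29:aa:bb:cc", "10.0.3.7", ttl=127, dhcp_vendor_class="MSFT 5.0", dst_port=445),
    Observation("00:11:22:33:44:55", "10.0.4.9", ttl=63, listening_port=502),
    Observation("00:11:22:33:44:66", "10.0.4.12", ttl=250),
]

if __name__ == "__main__":
    for mac, label in inventory(SAMPLE).items():
        print(f"{mac}  {label}")
```

The rule order matters: a listening service port is the strongest passive signal, DHCP option 60 is next (hosts that never DHCP are often exactly the static-addressed OT gear you most need to find), and TTL alone only narrows the field. Everything that falls through to "needs manual review" is the list to hand to the network admins, which is also where the appliance-count problem in the next paragraph bites: a tap only profiles the segments it can actually see.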

The chances that the cost of these appliances or the labor necessary to manage them exceeds the available labor gets very high, very quickly. Perhaps there are some tricks with modern managed switches we’re not aware of? We’re running a poll on Twitter and contacting the network admins we know. Please, let us know if you have any insight on this challenge.

Random Friendly Advice

If you have an iPhone or iPad, make sure you make regular backups to iCloud or iTunes. As the FBI’s repeated attempts to get into iPhones over the years should make clear, Apple’s security is solid. Depending on the situation, annoyingly so. If you ever get locked out of your device or someone else needs to get into it, just be aware that anyone — even a professional forensics firm — is going to be out of luck unless: 1) someone knows the passcode or 2) you’ve made a backup that you or they can access.

And yes, this is coming from some recent experience with a client!

Upcoming Events

December 12 @ 7pm — Adrian will be presenting “Under Press(ure)” to the WordPress Knoxville group. RSVP on MeetUp.

A Note on Timing

We typically try to get our newsletters out mid-month, but October was a challenge for us. Adrian was attending multiple conferences, and filled in for me when I couldn’t speak at EDGE. I, on the other hand, have been dealing with more personal matters. In the middle of the month, my father passed away. I was named executor of the estate in his will, which is a pretty burdensome task when things aren’t what you’d call “in order.”

I mention this because it’s given me a lot to think about with regard to personal accounts and digital footprints. It’s taken me a lot of time to uncover and get into my father’s multiple email accounts, and I’m sure that I’ve just scratched the surface as to what is out there. I was able to get into one account after the other by answering password reset questions, going through old desktops and laptops, chaining together accounts with recovery email addresses, and even working with Google.

Throughout this process, it made me realize that if I were to pass away today, my loved ones would never know what my digital footprint looked like. They wouldn’t be able to perform forensics on my laptop or desktop because of the encrypted drives, and it would be very difficult for them to recover my accounts due to the fact that my wife and I don’t share passwords, and our accounts always have MFA enabled when possible. So… the question is, how do you balance privacy and security, and also ensure your loved ones won’t have a mess on their hands when you pass? That will be part of another blog I’ll be writing on dealing with all of this.

About Savage Security

Savage Security is a cybersecurity research and consulting firm, founded by industry experts with over 30 years of combined experience. We are trusted advisors for our customers, whether providing market services to improve their products, or building defensive strategies to secure their environments.

Interested in any of our consulting, market or subscription services? Drop us an email (info at SavageSec dot com) or go old school and give us a call at (844) 572-8243.

Our website and brochures go into more detail on how Savage Security can help you with your security needs or research project.

Consulting Services Brochure

Market Services Brochure

Subscription Services Brochure

I ❤ defense. Improving security through research and practicality.