Security Assessments

Student Guest Post – Ysa Love Rowland

Another timely post from one of our cybersecurity students

Some new and exciting things are coming to the world of hackers, and one of them is a bug bounty offered by Microsoft. Microsoft is offering hackers up to $100,000 if they can break the security of its new compact, custom version of the Linux OS. You won’t know your own limits unless you push them, so if you think you have what it takes, check out the information below.

Security Assessments

BU Participates in Hack-a-Sat CTF

Expanding on the activities of our National Cyber League team, three BU students and two faculty members joined forces with a Colorado-based space technology company to compete in the Department of Defense sponsored DEFCON Hack-a-Sat capture the flag (CTF) competition. Over the course of the Memorial Day weekend, players were presented with multiple challenges centered around exploiting the various technologies used in communicating with and securing satellite ground stations, communication links, and on-orbit satellites. All entities were simulated, but the technology was real. The purpose of the competition was to select ten teams to move on to the finals at virtual DEFCON, where players would be exposed to more virtual and some live entities to discover security flaws for the DoD. The ultimate bug bounty program! BU’s team did not make it to the final 10 but did place 68th out of 1,268 teams.

Concepts, Security Assessments, Security Education, Security Management

What to do about Malware?

Viruses on our computers are about as prevalent as the common cold. It’s not a matter of if you’ll get infected (or catch a cold), but when. Cold remedies are a multi-billion-dollar industry. Anti-virus (A/V) and malicious software (aka malware) defense and clean-up is quickly catching up. There are a few good sources on A/V products that may help you decide which one is best for you (note: these are all for PC):

The thing with colds is that they usually go away on their own in 3-10 days (taking zinc early on helps, btw). That’s often not true of computer viruses. Anti-virus solutions aren’t 100% effective against all types of malware.

What can you do if your PC gets infected and your A/V product isn’t taking care of it? Below is an email from a student whose grandparents’ computer got infected, along with my response. It’s not intended to single out this student or his grandparents, but to use it as a case study in how to respond when the inevitable infection hits.

From the student:

We shouldn’t get tunnel vision when protecting our homes, and with all the emerging methods to breach security (e.g. bash bug), we have to stay diligent. Indeed, the low-hanging fruit is the one to get plucked. I talked with my fiance’s grandparents this week and they have unfortunately fallen victim to a classic social engineering scam. Someone called the grandmother claiming to be a technician from her anti-virus software company. He then asked for various sensitive information from her (i.e. passwords, credit card numbers, etc.) and she naively gave up the information, trusting this gentleman when he told her that something was wrong with her computer.

Now every time she connects to the internet, this d%&$ has remote control over her PC. He contacts her saying that he will not give up control of the PC unless she pays him more money. I’m planning on doing some serious overhaul on their laptop the next time I visit.

My response:

This is a classic case of ransomware. Re-imaging the PC and starting with a clean slate is the only sure-fire way to get rid of the problem(s). Most companies now don’t even spend time trying to remove malware. They’ll just save any important files first and then re-image. This person should be able to boot to safe mode to grab any local files on the PC before they re-image it.

If they have time and want to experiment, they can use the SysInternals Suite tools to try to remove it manually. Have them watch the video, “Malware Hunting with Mark Russinovich and the Sysinternals Tools.” It’s a great way to learn how to effectively use the SysInternals Process Monitor, Process Explorer, and Autoruns, focusing on the features useful for malware analysis and removal. He makes it look easy.

Of course, there’s always Malwarebytes, Junkware Removal Tool, and Malicious Software Removal Tool. These may also remove the offending files.

(I’m assuming this is a Windows PC.)

What tools / techniques do you like to use for malware defense and removal?  Please comment and share your ideas.

Security Assessments, Security Management

What’s in Your [Security] Wallet?

No, this isn’t a blog about the credit card you use or identity theft. This is about the tools you have on hand as a security professional.

Like any tradecraft, security professionals should have a set of tools, in this case applications, that they keep handy for when they need them. Fortunately, there are many security tools readily and freely available that fit nicely on a 2-4 GB USB thumb drive. These tools have a variety of purposes to help the IT or security professional diagnose and troubleshoot problems. A quick note before I dive into my tools of choice, contains an almost complete set of security apps that should be known by all security professionals.

  • Windows SysInternals – This is the toolbox for Windows. Maintained by Mark Russinovich, these are the applications not included with the Windows operating systems, but should be. The tools that I use most are Process Explorer, Autoruns, and Zoomit.
  • Wireshark – Wireshark is an open-source network analyzer that works on many platforms. You can use it to look into network packets for both security and troubleshooting.
  • Firecat – This is a collection of add-ons for Firefox that allow you to (A) safely browse and (B) test the security of a web application.
  • Nmap – Nmap is the network scanning and security auditing tool. Often featured in movies, this open-source application is used for network inventory, managing service upgrade schedules, and monitoring host or service uptime.
  • Backtrack / Kali – This is a Linux-based operating system that comes complete with most security tools. You need to install it on a clean thumb drive and boot from it.

A couple of quick notes:

  • These are just a small handful of good tools, but there are many others out there. If there’s one you think I missed, please reply to this post with your favorite. A caveat is that the tool must have a useful, free or open-source version readily available. It also must be small enough to fit on a thumb drive.
  • Neither I nor my employer is directly associated with these sites and tools. As always, use at your own risk.

What’s in your (security) wallet? Do you have a favorite tool that you keep in your security tool belt? Let us know.

Concepts, Security Assessments, Threat Modeling

Threat Modeling – What’s the worst that can happen?

A threat is defined as “a person or thing likely to cause damage or danger.” Threats are all around us, but we shouldn’t treat all threats as equal. Too often we fail to identify threats because they aren’t readily apparent or we consider them to be too small.

Threats and vulnerabilities are both part of the overall risk equation. While organizations are getting better at identifying and fixing weaknesses, many still don’t understand the potential threat landscape. We’ve all heard, “Oh, no one would ever want to attack us. We’re so small and our systems have no value.” I can hear Target saying that about their HVAC systems. Malicious hackers can use anything connected to a production network in order to gain access. It shouldn’t be assumed that a small target means it can’t be hit.

All organizations should conduct assessments to understand the multitude of threats they face both in and out of their cybersystems. Threat modeling is still a new arena in security, but it’s gaining in prevalence. In CSOOnline, George V. Hulme has an article, “Can threat modeling keep security a step ahead of the risks?” where he makes a case for more effective threat modeling. He references how a CISO uses threat modeling to understand the organization’s risks, prioritize security spending, and focus security efforts.

Adam Shostack is also calling for increased threat awareness. In his book coming out on Feb 17, “Threat Modeling: Designing for Security,” he explores various threat modeling approaches, explains how to test system designs against threats, and presents effective ways to address threats that have been validated at many top companies.

What does this mean for you? As security professionals, we conduct threat modeling throughout our careers. That’s why we take the time to study threat modeling and apply it.

Physical Security, Security Assessments, Security Management

Security Convergence – Ready or not, it is here!

The security industry has been talking about the convergence of physical and information security functions for years. Many act as if it’s a big deal or that it’s a difficult endeavor to accomplish. I say, ready or not, it’s already here. Security functions and technology have merged right under our eyes. Let me explain.

First, let’s define “Security Convergence”. According to ASIS, it’s “The identification of security risks and interdependencies between business functions and processes within the enterprise and the development of managed business process solutions to address those risks and interdependencies.” The key words are risks, interdependencies, and solutions. It’s critical to review the risks to the business and determine the best methods for mitigation. Notice that this definition contains no reference to information security or physical security.

Traditional practices have caused many large organizations to create security silos to solve individual problems rather than looking at the best solution to reduce risk. They separate physical from logical (or information) security without realizing that these groups serve the same purpose: mitigating risks. More progressive organizations have converged their security and are thus better able to handle common risks. These organizations are addressing the reality of risk management, which looks at methods to address risks regardless of their form.

Many new or small organizations lack the separate physical security force seen in established firms. They will often outsource physical security functions as part of their lease. They believe it covers all types of risks and ignore others that they cannot address due to time or money constraints. These businesses would be better served with a converged security function under a single employee whose responsibility is to address all types of security risks: both physical and logical. With this, the company is better positioned to manage its security risks in a consolidated function.

One last point on physical/logical security convergence is that most of the equipment used by physical security, such as cameras and monitoring, badge systems, etc., is already on the network. The camera system in your facility is most likely on your corporate IP network. There’s also a strong possibility that’s true of your badge system. They are network servers, but are usually managed outside of IT. This is another case where a converged security function can better maintain critical company services.

Security isn’t something you bolt on and hope it works. It needs to be incorporated into the fiber of the organization. A converged security function allows this to occur in the most cost-effective way.

What do you think?  Feel free to comment below.

Cyberwar, Security Assessments

Major cyber security events of 2011

I just read an article in the Financial Post (a Canadian paper) highlighting some of the major cyber security events of 2011. Clearly these are not all the events, and perhaps they are not even the most significant in some cases, but they serve to remind us of the pervasive and ubiquitous nature of the threats we face. “Shields up, Mr. Spock.”

Dec 28, 2011 – 8:29 AM ET

Early January — Canadian Department of Finance/Treasury Board
Hackers believed to have been based in China breached the security of Canada’s two primary economic nerve centres, gaining access to classified data before they were discovered. The same hackers were also believed to be responsible for failed attempts made against the systems of several noted Bay Street law firms several months later.

Early February — Nasdaq Stock Exchange
America’s largest electronic stock exchange was revealed to have been repeatedly penetrated by computer hackers over 12 months. While the trading platform itself was never breached, subsequent investigations found relatively lax security allowed hackers to gain access to other Nasdaq systems.

February/March — Online dating and travel advice sites
Plenty of Fish and eHarmony, among the world’s two largest sources of people digitally searching for dates, had some of their user accounts exposed over a two-week period, allegedly by the same hacker. Weeks later, TripAdvisor, the world’s largest travel Website, had email addresses belonging to some of its 20 million-strong user base stolen.

April/May — Sony PlayStation Network
More than 100 million users of Sony Corp.’s online gaming platform had their accounts breached in what remains the most widespread cyber attack of the year. The potential cost to Sony has been estimated to range as high as US$24-billion.

Late May — Weapons producers
Lockheed Martin Corp., the world’s largest producer of military-grade weaponry, narrowly managed to thwart what it described as a “significant and tenacious” attack on its systems. Other major defence contractors such as General Dynamics Corp, Northrop Grumman Corp and Raytheon Co. were also targeted.

May 26 — U.S.-Stuxnet connection made
William Lynn, deputy Secretary of Defence of the United States, refused to deny U.S. involvement in the creation of the Stuxnet worm used against the Iranian nuclear program in 2010 during an interview on CNBC.

Early June — International Monetary Fund
A cyber attack described as “sophisticated” and “very major” by senior IMF officials struck the global economic stabilizer at some point over the last several months, the New York Times first reported on June 12. The Washington D.C.-based fund contains a treasure trove of highly sensitive economic data.

Early August — Operation Shady RAT exposed
McAfee Labs uncovered details of a coordinated five-year cyber warfare campaign against the networks of 72 organizations including the United Nations, governments and companies around the world. Dubbed ‘Operation Shady RAT’, the company called it the ‘biggest series of cyber attacks’ in history and many fingers pointed to China as the culprit.

Late October — “Nitro Attacks” revealed
Symantec Corp. released details on a series of attacks launched against “multiple” Fortune 100 companies involved in the industrial chemical production sector. A total of 48 companies around the world were believed to have been victimized by that single coordinated attack. The world’s largest maker of security software also revealed a survey finding controllers of critical infrastructure were growing complacent with their own security procedures.

Early November — Biggest cyber criminal takedown in history
Working with members of the Estonian police, the U.S. Federal Bureau of Investigation executed what has since become known as the largest single takedown of a cybercrime syndicate in the history of the Internet, arresting the alleged ringleaders of a US$14-million cyber crime spree. Known as ‘Operation Ghost Click’, the victory was heralded as a sign law enforcement was finally beginning to overcome a key obstacle in digital crime investigations: actually tracking down the perpetrators in the real world.

Mid-November — Canada commits nearly half-a-billion to cyber defence
Recognizing the growing digital threat, made clear and brought close to home by the attacks against two federal departments in early 2011, Ottawa earmarked $477-million for access to U.S. cyber defence capabilities. Known as Global Mercury, the new capabilities are expected to come into force before the start of 2012.