Security is a Think Globally, Act Locally Proposition

Before RSA expanded to take up the entire Moscone, before Blackhat grew to amazing proportions, before even Defcon became a big time event, there were local meetups to talk about security. Often looked at as a gathering of misfit ‘hacker’ types, these gatherings many moons ago were all about sharing knowledge about vulnerabilities, techniques, new tech, and more. And as often as the group met in person, there were the listserv groups that allowed them to all keep in touch and continue to grow a community. Security, no matter how much marketing buzz is created, is still all about the community.

It’s simple when you break it down into psychology. People create communities based on two primary factors:

  1. A common location or regional area;
  2. A common interest;

In the case of infosec it was often both of these elements working in congruence to generate a strong community base. This is how events like DerbyCon get their shape (it’s top of mind since it just happened last week). A cool group of people in Louisville get together to talk about security and help each other, some sponsors help to keep the lights on, and a few years later it’s still an awesome gathering of people more akin to a family reunion than a conference. Watching the live DerbyCon feed via YouTube it was obvious how much learning and sharing was happening amongst the people, and it is exactly this concept of community building, or acting locally, that will help us to then transition into thinking globally.

 

Building Security Communities in Your Own Backyard

Community matters in security, and it is what will help us continue to fight the battles being waged online, but it always starts at home. One example really struck me recently when the Pwnie dev team, many of whom reside in the great state of Vermont, signed back up to sponsor two upcoming Vermont security cons: vtTA (Vermont Technology Alliance) and HackVT, a 24-hour hackathon. Both are great orgs that are focused on continuously building this burgeoning community in their backyards.

When we talk about security companies we often get blinded by enormous funding announcements and valuations, marketing-fed FUD clouding up the environment, or the creation of the rockstar hacker grabbing yet another keynote. But the work, the real work, is being done at the local level, where practice becomes code. Without this mentality there are no big security companies, because most of them started locally, often in a garage (or basement as the Pwnie team did), and often surrounded by friends who weren’t getting together because of dreams of riches years down the road.
Instead, they dreamt of creating a group of people who would create some cool stuff that could help people be more secure throughout the globe. Act locally, think globally.

GSA Contract Vehicle Provides Government Agencies Continuous Cyber Detection

Homeland Security Today.us

October 27, 2015

A first-of-its-kind General Services Administration (GSA) contract award announced today will provide government agencies continuous detection and fingerprinting of devices – from phones to drones – that are open pathways for attackers into critical government networks.

The GSA contract vehicle allows Pwnie Express, a company that provides threat detection of the billions of devices in and around the workplace, to provide its Pwn Pulse solution and subsequent partnership with gvTechSolutions to protect US government facilities from security threats presented by unrecognized and currently undetectable devices.

US Government Workplaces must “see all the things” and Detect the Threats Posed by BYOD/IoT

Every day, tens of thousands of undetected – and often unauthorized – devices move through government worksites and military bases throughout the world. These devices run the gamut from seemingly innocuous employee-owned smartphones to potentially malicious planted devices, or even a wifi-enabled drone. Sure, government agencies have strict policies in place to ‘regulate’ BYOD because security pros know these devices can be gateways for threats to get inside the network, but it is becoming increasingly clear that policies cannot be enforced when these devices cannot even be detected in the first place. This was underscored by a recent industry study of 1,000 Federal government employees that revealed that:

  • 50% of government employees use their personal devices to access email.
  • 49% use personal devices to download work documents.
  • Of employees at agencies with rules against the use of personal devices, 40% said the restrictions “have little to no impact on their behavior” – and as a result, they are unknowingly providing open pathways into critical government infrastructure.

Government agencies, with hundreds of thousands of people flowing through sites each day, recognize this problem is something that must be addressed – and quickly.

 

Pwn Pulse on GSA Schedule

Today, we’re proud to announce that Pwn Pulse is now available via the US GSA schedule, as well as our new strategic partner gvTechSolutions. Pwn Pulse is used by government agencies at the local, state and federal level to continuously detect and fingerprint the billions of devices in and around their workplaces. Much like surveillance cameras brought much-needed visibility for physical workplace security, the Pwn Pulse platform continuously detects the devices that are open pathways for attackers. The assessment and analysis of any BYOD or rogue device gives government agencies the full visibility needed to prioritize security response, reduce alert fatigue and provide situational intelligence to implement real-time remediation.

You can read full details about our new partnership here – but here’s what our CEO Paul Paget had to say about the news:

“Adversaries know that organizations, both in the private and public sector, spend most of their security budgets on physical and network security. These organizations have limited, if not zero-capability, to monitor the presence and behavior of wireless devices from the ubiquitous smartphone to the world of other smart devices now being deployed. With this explosion of devices, coupled with ever-present wireless access points, the devices in and around your network are open pathways to your most sensitive data. Pwn Pulse is a unique platform purpose-built to deploy in minutes and provide security teams the ability to remotely, securely, and effectively monitor and assess their security risk against all of these previously undetectable devices.”

To learn more about how Pwnie Express is uniquely positioned to help federal, state and local government departments achieve their critical security mission, please visit: http://store.pwnieexpress.com/pulse-overview/.

Pwnie Express GSA Award Means Threat Detection of Billions of Devices in and Around US Government Workplaces

New Partnership and GSA Contract Vehicle Provides Government Agencies Continuous Detection and Fingerprinting of Devices — From Phones to Drones — That Are Open Pathways for Attackers Into Critical Government Networks

BOSTON, MA–(Marketwired – Oct 27, 2015) – Pwnie Express, a company providing threat detection of the billions of devices in and around the workplace, today announced its US General Services Administration (GSA) contract award for its Pwn Pulse solution and subsequent partnership with gvTechSolutions to protect US government facilities from security threats presented by unrecognized and currently undetectable devices.

Today, US government workplaces are under constant attack as malicious actors increasingly target the devices in and around offices — from large federal buildings in Washington, D.C., to remote bases throughout the world — to infiltrate critical agency networks. From phones and ‘smart devices’ to drones, these devices are often brought into the workplace by employees who might not know they are providing an open pathway into critical government infrastructure. A recent industry survey of 1,000 federal government employees revealed that half of respondents use their personal devices at work to access email and 49 percent use them to download work documents, despite stringent workplace restrictions on personal device use. Much like surveillance cameras brought much needed visibility for physical workplace security, Pwnie Express is now providing full visibility into all of the devices in and around federal government workplaces.

With recent GSA approval and a strategic partnership with gvTechSolutions, Pwnie Express is uniquely positioned to help federal, state, and local government departments achieve their critical security mission. By automating wireless and wired device detection, Pwnie Express solutions continuously detect the devices on or around government networks that are open pathways for attackers. The assessment and analysis of any bring your own device (BYOD) or rogue device gives government agencies the full visibility needed to prioritize security response, reduce alert fatigue, and provide situational intelligence to implement real-time remediation.

Pwnie CEO, “Devices in and around your network are open pathways to your most sensitive data.”

“Adversaries know that organizations, both in the private and public sector, spend most of their security budgets on physical and network security,” said Paul Paget, chief executive officer, Pwnie Express. “These organizations have limited, if not zero-capability, to monitor the presence and behavior of wireless devices from the ubiquitous smartphone to the world of other smart devices now being deployed. With this explosion of devices, coupled with ever-present wireless access points, the devices in and around your network are open pathways to your most sensitive data. Pwn Pulse is a unique platform purpose-built to deploy in minutes and provide security teams the ability to remotely, securely, and effectively monitor and assess their security risk against all of these previously undetectable devices.”

Government Technology Solutions (gvTechSolutions) CEO, “The Internet of Evil Things is real…”

“Since our founding in 1997 to focus on emerging security threats, we have been in front of most threats and their defenses,” said Robert Deitz, chief executive officer, gvTechSolutions. “Today’s market is saturated with overlay and multi-purpose tools targeted at the same issue. However every few years a market leader emerges to address what no one else has — or how to do it better. Pwnie Express reminds me of a few security innovators over the last two decades that have actually defined the solution. The Internet of Evil Things is real and not a single customer we have has a handle on this today.”

For more information about GSA pricing for Pwn Pulse visit here.

About Pwnie Express
Pwnie Express provides threat detection of the billions of devices in and around your workplace. By automating wireless and wired device detection, Pwnie solutions continuously detect the devices on or around your network that are open pathways for attackers. Pwnie arms your security team to win the BYOD battle with the ability to detect and fingerprint any device, from phone to thermostat, in order to prioritize your security response, reduce alert fatigue, and provide situational intelligence. See all the things you’re missing at pwnieexpress.com or @PwnieExpress.

Submarine Thinking Will Save Your Network

Even our terminology reflects what we think about security. Case in point: the very name of what we call the first line of perimeter defense – a firewall – shows our antiquated thinking regarding the defensive postures of the network. Somehow, we are still in the realm of thinking about moats and castle walls while we have people paratrooping from a jet.

In a similar analogy, the way I like to design networks is to take out the aspect of it being a “building” and start thinking about it as a submarine. Submarines are designed to take a hit and withstand a certain amount of attack damage even in the deep sea, and their design takes into account the high possibility of being breached. A sub may be breached by uncharted depths, or by being torpedoed or attacked, but it is designed to ensure that not everything will fail in case of a breach.

Submarines are designed to acknowledge the fact that a breach may happen, and operate on the idea that the breach must be contained. A submarine crew understands, “this part of our environment is compromised. We have to sacrifice this part so that the submarine stays functional, so that it survives. We need to quarantine the area until we can make it habitable again.”

So why don’t we acknowledge that in InfoSec? For example, wouldn’t it make sense to have the accounting department compartmentalized from the rest of the company? Why not have certain channels with chokepoints? This is a practice savvy security folks have accomplished, but looking at it from the submarine perspective allows you to design a network with the same mentality.

Stop using firewalls as the external perimeter that “can’t be breached,” and start using airlock doors which can be sealed off within a submarine.

 

Implementing the Submarine Mentality

We have to start evolving – and understanding. I think people have really shied away from treating their networks as untrusted or potentially untrusted because human nature tells you to believe that bad things aren’t gonna happen to you. But we need to start looking within and thinking: what would happen if this part of the network was compromised or contaminated? How would I be able to stop them from getting the keys to the kingdom?

I’m not saying that I don’t trust my defenses – I just recognize that defenses get breached. Every network I’ve designed in the last decade is not just: how do I find the breach? It’s: how do I contain it?

There’s something great about this being on the Pwnie Express blog, because it’s absolutely vital to look at indicator warnings. A device detection technology like Pwn Pulse will help you detect when a breach is imminent, when something is off or might be faulty. Using your Intrusion Detection Systems or looking at the loads on your system can help with detection as well. You have to look not just at what is on your network or is coming onto your network – take more time to inspect what’s leaving your network. If you don’t know your submarine is leaking, how do you contain it? How do you stop it before you’ve sunk?

In addition, there are a lot of technologies out there (though I won’t get vendor specific), but I think most application-level firewalls have Domain User Role Access. Otherwise, based on how you’ve logged in to the network and logged in to the domain you have lots more access.
Granted, this is not a cheap solution, but it is a secured solution. It’s one of those things I recommend you use internally first for your biggest assets. In security, it’s vital to think to yourself: what do you need to protect the most? Once you’ve figured that out, you protect it not only from the outside world, but from your internal network as well.
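
The containment question posed above ("what would happen if this part of the network was compromised?") can be checked against a zone-to-zone flow policy before an incident. The following is an added example, not code from the original post; the zone names, ports and both policies are constructed for illustration, and every allowed flow is assumed usable as a pivot (worst case).

```python
from collections import deque

# Constructed policies: each tuple is an allowed (source, destination, port) flow.
# Zone names and ports are hypothetical.
INSIDE = ("users", "accounting", "servers", "domain_ctl")
FLAT = [(a, b, "any") for a in INSIDE for b in INSIDE + ("internet",) if a != b]
SEGMENTED = [
    ("users", "proxy", "3128"),            # one egress chokepoint
    ("proxy", "internet", "443"),
    ("users", "servers", "443"),
    ("servers", "domain_ctl", "88"),       # servers authenticate to the DC
    ("admin_jump", "domain_ctl", "3389"),  # admin access only via jump host
    ("accounting", "ledger_db", "5432"),   # accounting compartment
]

def pivot_paths(flows, start):
    """Map each zone reachable from a compromised `start` zone to the
    shortest chain of allowed flows leading there (breadth-first search)."""
    adj = {}
    for src, dst, _port in flows:
        adj.setdefault(src, []).append(dst)
    paths, queue = {start: [start]}, deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in adj.get(zone, ()):
            if nxt not in paths:
                paths[nxt] = paths[zone] + [nxt]
                queue.append(nxt)
    del paths[start]  # the breached compartment itself is not part of the spread
    return paths

def seal(flows, zone):
    """Close the airlock: drop every flow into or out of `zone`."""
    return [f for f in flows if zone not in (f[0], f[1])]

def egress_zones(flows, outside="internet"):
    """Zones with a direct flow to the outside, i.e. where leaks must be inspected."""
    return sorted({src for src, dst, _port in flows if dst == outside})

if __name__ == "__main__":
    for name, policy in (("flat", FLAT), ("segmented", SEGMENTED)):
        paths = pivot_paths(policy, "users")
        print(name, "blast radius from users:", sorted(paths))
        print("  route to domain_ctl:", paths.get("domain_ctl"))
        print("  egress to inspect:", egress_zones(policy))
    contained = pivot_paths(seal(SEGMENTED, "servers"), "users")
    print("after sealing servers:", sorted(contained))
```

The segmented policy keeps accounting out of reach of a breached user zone, but the run also surfaces a two-hop route to the domain controller through the servers zone, which is the compartment to seal or monitor first.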

Social Engineering Attacks: Common Techniques & How to Prevent an Attack

Digital Guardian
October 22, 2015
Social engineering attacks are not only becoming more common against enterprises and SMBs, but they’re also increasingly sophisticated. With hackers devising ever-more clever methods for fooling employees and individuals into handing over valuable company data, enterprises must use due diligence in an effort to stay two steps ahead of cyber criminals.

IoT security threats and how to handle them

CSO

October 21, 2015

By Preston Gralla

Smart TVs in conference rooms. Brainy heating and air-conditioning systems. Internet-connected light bulbs. Intelligent devices controlling manufacturing processes. Smart watches and fitness devices everywhere.

These are just a few of the things you’ll find in the enterprise Internet of Things (IoT) landscape, a landscape in which almost every physical object, it seems, has plenty of smarts and connects to networks — and leaves enterprises vulnerable to hacks and data breaches.

When The Meat Scale Betrays You

Remember in December 2013 when news started filtering out about the Target data breach? Ultimately this attack would take 40M customer debit/credit card numbers, along with untold and still fully unaccountable costs for the company themselves. For months after the announcement the news was full of stories around the attack, centering on an HVAC company in Pennsylvania, contracting with Target, who had suffered their own breach via email-delivered malware. Slowly the news focused on other attacks, because that is the nature of our business, while every single vendor at RSA 2014 had some “Target-breach demo” set up in their booth to show how their tech would have stopped the attack.

As we all focused our eyes elsewhere (looking at you Sony) Target was still cleaning up after this breach, and preparing themselves for possible lawsuits from banks hurt by the breach. The intersection between banking, insurance, and data breaches is getting very much intertwined, and that is forcing organizations like Target to take a much deeper incident response dive than in previous breaches. In fact, organizations are doing a lot of pre-IR work currently to ensure they are covered from both an insurance-level and future litigation-level when a breach occurs. But this necessitates understanding, and seeing, every possible threat to your network…and I’m not talking malware here.

Let’s play some acronym bingo: BYOD, IOT, BYOT, BYOE…the list seemingly goes on and on. Yet nobody is seemingly marketing to the “BYOMS (Bring Your Own Meat Scale)” set, and according to reports it might be that connected piece of equipment that finally tipped the scale in the Target breach (sorry, had to use the pun). Although fun to talk about connected meat scales being an entry point, the larger picture here is that you can throw all the acronyms you want into a data sheet or product video, but the fact is that workplaces know they have billions of devices floating around, at least one of which might be the open pathway for an attack.

 

If You Think Meat Scales Are Scary, What About Drones?

Meat scales are one thing, and certainly being able to simply see they are connected or even around your network is critical, but there are so many other devices to consider. The printer someone installed that is also transmitting wifi. The drones, equipped with wifi, flying above your building. The Roku someone put in the far conference room so they could watch a World Cup match…last summer. The Amazon Echo in the corner office so the boss can control the glare on those fancy lights.

Are these BYOD or IOT? WHO CARES. The fact is they are there, either on or near your network, and you just need to see them and then make a call. Too often we get bogged down in the ‘what and why’, when we should be focused purely on the ‘how’. As we come full circle and approach the 2-year anniversary — Cotton is the gift, FYI — of the Target breach we continue to see more and more devices on or around our network. The question isn’t what to call those, the question is what are you doing to see them now.
Oh, and in case you were wondering, you can NOT buy a meat scale on Target.com.

2015 Vermont Tech Jam features jobs, student projects, talks hosted by former Reddit staffer

vermontbiz

October 8, 2015

Vermont Business Magazine Former Reddit staffer Victoria Taylor is among the speakers at the ninth Vermont Tech Jam, a free job fair and tech expo which takes place Friday and Saturday, October 23 and 24, 2015, at the Sheraton Burlington Hotel and Conference Center. Taylor, former Reddit talent manager and coordinator of its popular Ask Me Anything series, will emcee a series of short talks called the Tech Tank. Her appearance is made possible by Vermont PBS, which has tapped her to host a new series of tech-themed “digital shorts.” At the Tech Jam, Taylor will facilitate audience Q&As with local innovators, including: Barry Finette, UVM College of Medicine Professor and founder of THINKmd; Dave Porcello, founder of cybersecurity startup Pwnie Express; Logic Supply Product Manager JP Ishaq and Content Marketing Manager Darek Fanton; Josh Castonguay, director of generation and renewable innovation at Green Mountain Power; and Middlebury College student Terrance Goguen, ’16, CEO and founder of JoyRyde, an app that deters users from using their smartphones while driving.

1M/1M Deal Radar 2015: Pwnie Express, Boston, MA

One Million by One Million Blog

October 14, 2015

About 90% of workers in the United States use their personal smartphones for work purposes without knowing the potential security threats they bring to the enterprise and themselves. According to the Identity Theft Resource Center, there were 783 data breaches in 2014, a 27.5% increase over the same period the previous year. As wireless and Bring Your Own Device become even more prevalent, detecting rogue and unauthorized devices within the enterprise will become a necessary part of an organization’s information security system. Pwnie Express is focused on this fast-growing, emerging problem.