Security Tips


Cybersecurity: Let's Get Back to the Basics

Another day, another vulnerability. After a while, it all seems to run together. Who's been compromised today? Who's got my personal data and social security number now? These now seemingly common, everyday occurrences, combined with consistent pressure from all sides (regulators, auditors, customers, and lawmakers), can often put a damper on the future and on what you should be doing right now.

Consequently, this raises the question, "How do I best protect my data?" First and foremost, organizations need to get back to the basics. Not only do we need to apply these fundamentals, they need to be applied consistently and effectively. What should you be doing right now? Here are the top three areas you should focus on and excel at:

  1. Patch Management: Sounds easy, right? Not so much. Patch management is single-handedly one of the most difficult areas of basic security management in organizations today. While many solutions exist to help in this area, it's not quite as simple as point-and-click. Many patches require secondary steps, often missed by administrators. Be sure you're not only installing patches, but also looking for these additional steps, such as registry changes that may need to be made before the patch becomes effective.
  2. Detection and Response: Do you know what's in or going on within your network? Now be honest… do you REALLY? If you're not aware of or do not have the ability to detect someone who logs into a Dropbox account or exfiltrates large amounts of data to an external site, then you don't have the appropriate amount of visibility into your network. Consequently, if you don't have visibility into your network, how would you know if someone is attacking it, has already compromised it, or exfiltrated data? The answer is: You won't - until it's much too late.
  3. Audit and Remediate: If you're reading this, chances are you've been doing auditing and remediation. But, how committed is your organization to maintaining a good security posture? If you've ever thought "Once we finally get these audit findings implemented, we'll be done," you may be in for a surprise. IT security does not have a finish line. Technology is always changing; new vulnerabilities are always discovered, and improvements must always be made to meet these rising challenges.

Ensuring that these three (3) basic areas are a primary focus within your institution's overall security strategy will go a long way in keeping hackers and data thieves at bay. For more information, check out our blog at


Your Data . . . Your Responsibility

Anyone following the news lately has likely heard about the Facebook/Cambridge Analytica data privacy issues. There is a lot in this story that could be argued (i.e. Facebook's data privacy policy, end users posting and knowingly or unknowingly providing personal information, etc.). The big lesson, however, from a business perspective is this: if you allow vendors or other third parties access to your data, you are ultimately responsible for what happens to it.

The quick version of this story is that Facebook allowed researchers to create an application that collected certain types of data from some Facebook users. This was a common practice of Facebook, and users were generally made aware that this could happen. The problem began when a certain researcher collected data on not just the voluntary participants but also the participants' Facebook friends, and then turned around and gave the data to a (some would say shady) political data company.

The public outcry and anger are not directed at the company or people that ultimately misused the data, but at Facebook. At the end of the day, it is Facebook's responsibility to protect the data. Facebook entrusted the information of many of its users to a "trusted" third party that apparently misused the information, and now the Facebook CEO may get to go before Congress to explain why they let that happen.

Many financial institutions outsource to vendors that have access to view, store, and/or process private customer data. Whether it is backups, email, or server hosting, once you hand that info over, you need to make sure you have the utmost confidence it will be properly utilized and protected. You must know if something bad happens to it, you will be responsible for explaining to your customers what occurred and why.

Gaining such confidence in large part stems from having a quality vendor management program that covers due diligence, selection and continuous monitoring. Although vendor management can be challenging, here are a few things that are considered fundamental to an effective program.


New Easy Password Standards? Not so Fast!

Passwords… it's no secret; most of us are really bad at creating and maintaining passwords. In fact, 81% of hacking-related breaches leveraged either stolen or weak passwords. But unfortunately, passwords won't be going away any time soon, as almost every resource, application, website, and the like requires some form of username and password. Because of this, it's no surprise that almost all of us struggle to follow the password standards recommended by many security experts. In June of last year, the National Institute of Standards and Technology (NIST) released Special Publication 800-63, Revision 3, and many sources reported "new, more relaxed password standards from NIST". But is this really the case? To unravel this password complexity knot, check out our latest blog:


Tainted Well

Supply chain attacks are heating up, as it was discovered that a popular BitTorrent client was pushing out crypto-mining software to its users. A supply chain attack is one where attackers gain access to a software vendor's file distribution site or update mechanism, and inject their payload into installation and update packages. Unsuspecting users then download the tainted versions directly from the official site - and why would they be suspicious? Everything looks normal!

With this recent incident, initial reports indicate the crypto-malware was snuck into the MediaGet BitTorrent client, and was signed with a stolen certificate, allowing it to remain undetected from around February 12, 2018 until March 01, 2018. This incident, along with similar recent attacks to CCleaner and the MacOS Transmission BitTorrent client, serves as a warning that all sectors need to be ready for an attack method that was previously only tied to state level espionage.

Attackers are constantly improving their methods to increase their success, and even trusted software sources can become tainted. Stopping these types of attacks largely depends on software vendors practicing proper security in their environments. In-house application teams should work with security to help protect the integrity of applications. End users should continue to make sure they have up-to-date antivirus and operating systems. Finally, understanding the threat, and knowing it is a possibility, can help you remain alert.


Buried Treasure

Credential theft is a major risk to institutions, and due to Microsoft's Single Sign On design it is one that is hard to mitigate. When a user logs onto a Windows system, their user ID and password are placed into memory and are used when other applications are opened. This Single Sign On process saves the user from having to enter their user ID and password for each application they open. As a result, methods to obtain those credentials directly from memory (known as "memory scraping") have been developed by cybercriminals, researchers, and security testing entities.

Memory scraping used to be an involved process; however, a tool emerged within the last five years that has automated many of the steps. Mimikatz is a tool that many attackers utilize as they move from system to system, scavenging as many accounts as possible that are left in memory.

Using experience from our Penetration Testing, we have written a new blog post to cover what credential theft looks like, as well as highlighting some patching and other disciplines you can utilize to protect your important accounts. Check it out.


The "Madness" of March

As winter finally begins to wind down (in spite of Punxsutawney Phil's February prediction), the time between the end of basketball's regular season and baseball's opening day includes some of the most unproductive work weeks of the year, attributed almost entirely to an event known as college basketball's "March Madness". The "madness" typically begins shortly before Selection Sunday as fans check various online resources for so-called expert predictions (i.e., bracketology) in hopes of winning the "unofficial," non-company-sanctioned bracket contest. Once the teams are decided, it's time to complete an online tournament bracket, or multiple brackets, as by this time email inboxes are filled with invites from friends, co-workers, hackers, etc. Thanks to great technology, some bracket applications will even autofill or select teams just by allowing a little "extra" access to your system or device. The real madness, of course, starts when the games begin, conveniently during the work day; this allows fans to live stream multiple games directly to their individual workstations, so it's no longer necessary to burn a PTO day sitting at home in front of the TV. As the games progress, so does the madness. Fans can continue to monitor their bracket(s) and those of their competitors by visiting various legitimate or fake websites. Some fans may prefer to use a real or malicious mobile application to make sure they stay on top of their progress towards winning their personal March Madness bracket challenge.

As you can see, there is some risk associated with the "madness". And while no security professional wants to take away the fun, someone has to act as a referee to keep things from getting out of hand. If this individual in your organization happens to be you, take some time now to remind staff to enjoy the excitement of the tournament, but also be extra vigilant because other games are being played at the same time with much higher stakes, and with players not concerned with playing by any rules.


"Secure or Not Secure, that is the Question" - Google

Google recently announced that, beginning in July 2018 with the release of Chrome 68, web pages loaded without HTTPS will be marked as "not secure".

At first, a change like this can seem like another way for Google to earn more money. The safer you feel on the web, the more time you'll spend interacting with Google services and advertisements. While probably true in this case, it doesn't diminish the fact that this is a very good change for everyone using Chrome. All users can benefit from a better visual representation showing the site they are currently visiting may not be secure.

HTTPS offers two major security benefits when compared to HTTP.

While Google has made a major change to protect its users, it is still crucial to understand that HTTPS browsing is not a silver bullet. Malicious content CAN and often IS hosted on HTTPS websites.

What does this change mean for you? If you are a Chrome user, you can feel happy knowing that you will have a better visual representation that the site you are on is not secure. If your organization has a website that uses HTTP, you may want to migrate to HTTPS. Otherwise, Chrome users that visit your site will see an ominous sign indicating that your website is "not secure" and may navigate to a competitor's site.

For more information, see the Google announcement included at this link


Don't Share That!

You're telling the bad guys useful information, and you might not even realize it, or understand the implications.

Isn't social media great? It allows you to interact with long lost friends and family, not to mention your business network. "What's the big deal? I posted my maiden name so my old friends can find me! Oh, and I've also helped my mom set hers up the same way. I even marked her as my mom, I also marked my aunt, cousins, kids, etc. as relatives." Perhaps you took one of those fun surveys that ask you for personal information to share. Now everyone knows your favorite: store to shop, vacation destination, workplace, restaurant, teacher's name, street you grew up on, first telephone number, color, as well as your dog's name. Not to mention, you can easily boast about your excitement before boarding a flight to your awesome vacation and tag yourself when you get there!

Consider the treasure trove of information you've given the bad guys. You've given away a common security question's answer: your mother's maiden name. Additionally, you've also given someone trying to gain access to your personal data a good number of telltale answers to likely security questions. Does everyone really need to know your favorite teacher's name was Mr. Franklin, or your street was Farmington Ave.? No. Regarding that big trip, most of your friends will 'like' your vacation statuses and photos just as much after you arrive home. Do you really want to tack up a big sign on the Internet that basically says, "I'm going to be 1,300 miles from home for the next 5 days…" for thieves to see? No.

It's best to avoid sharing too much personal information with everyone, even if it appears as a harmless survey. Read closely, there's usually something personally identifiable innocuously hidden amongst questions about your favorite food or color. Avoiding that "harmless repost" just might save your bank account from being compromised. Resist that temptation to tell everyone you're just about to head to the Bahamas too. That excitement isn't worth coming home from that vacation to find your personal property stolen, damaged and ransacked.


Log Everything

Device logging can easily be overlooked in an environment, but it always proves to be an invaluable tool for troubleshooting, stopping attacks, and forensics. There are many log management solutions available (free and paid) that can collect logs from all of your devices.

A common misconception with log management is that once all devices are sending logs to the logging device, no more work needs to be done. However, a little daily log administration can pay big dividends. At a minimum, logs should be reviewed each day for suspicious activity. Log parsing and alerts will expedite this process and take log management to the next level. Once established, admins are alerted to attacks as they are occurring.
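To make the "parsing and alerts" step concrete, here is an added example (not code from the original newsletter or from any log management product) that runs two simple detections over a handful of constructed syslog-style SSH authentication lines: a burst of failed logons from one source inside a short window, and a successful logon from a source that had already failed several times. The log format, the host names and the RFC 5737 addresses are all made up for the example; the thresholds are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data); addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOGS = """\
Mar 12 08:14:01 vpn-gw sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 4222 ssh2
Mar 12 08:14:03 vpn-gw sshd[2211]: Failed password for root from 203.0.113.5 port 4224 ssh2
Mar 12 08:14:05 vpn-gw sshd[2212]: Failed password for invalid user oracle from 203.0.113.5 port 4226 ssh2
Mar 12 08:14:07 vpn-gw sshd[2213]: Failed password for invalid user test from 203.0.113.5 port 4228 ssh2
Mar 12 08:14:09 vpn-gw sshd[2214]: Failed password for jsmith from 203.0.113.5 port 4229 ssh2
Mar 12 08:14:12 vpn-gw sshd[2215]: Accepted password for jsmith from 203.0.113.5 port 4230 ssh2
Mar 12 08:30:44 vpn-gw sshd[2290]: Failed password for jsmith from 198.51.100.7 port 50112 ssh2
Mar 12 08:31:02 vpn-gw sshd[2291]: Accepted publickey for jsmith from 198.51.100.7 port 50120 ssh2
"""

# One pattern for both outcomes; the "invalid user " prefix is optional in OpenSSH's message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed password|Accepted (?:password|publickey)) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_line(line, year=2018):
    """Return a small event dict for a recognised sshd line, or None for anything else.
    Syslog timestamps carry no year, so the caller supplies one (assumed 2018 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "user": m["user"], "ip": m["ip"],
            "failed": m["outcome"].startswith("Failed")}


def detect(lines, window=timedelta(seconds=60), burst=5, prior_failures=3):
    """Run the two rules over an iterable of log lines and return alert dicts in order."""
    recent = defaultdict(deque)      # per-source timestamps of failures inside the window
    total_failures = defaultdict(int)
    burst_alerted = set()            # alert once per source, not once per extra failure
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["failed"]:
            total_failures[ip] += 1
            q = recent[ip]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= burst and ip not in burst_alerted:
                burst_alerted.add(ip)
                alerts.append({"rule": "brute_force", "ip": ip, "host": ev["host"],
                               "count": len(q), "at": ev["ts"]})
        elif total_failures[ip] >= prior_failures:
            # A success right after repeated failures is the line worth a human's attention.
            alerts.append({"rule": "success_after_failures", "ip": ip, "user": ev["user"],
                           "host": ev["host"], "failures": total_failures[ip], "at": ev["ts"]})
    return alerts


def run_sample():
    return detect(SAMPLE_LOGS.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, the first source trips the burst rule on its fifth failure and then the success-after-failures rule; the second source fails once and logs in with a key, which is ordinary traffic and produces nothing. In practice the same loop would read from the log collector's forwarded stream instead of a string, and the alert dicts would be handed to whatever notifies your admins.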

Some logging recommendations are below:


Critical Cisco ASA SSL VPN Vulnerability

For those of you running Cisco ASA firewalls and using the SSL VPN functionality, be aware that Cisco has released updates that address a critical vulnerability in the ASA's implementation of SSL VPN connections. The vulnerability allows for remote code execution and denial of service exploitation.

In plain terms, if you have an ASA using SSL VPN, a bad person can exploit your firewall. See the Cisco announcement here:

Cisco has released updates for supported ASA Software versions. Those using ASAs and SSL VPNs should apply the fixed software ASAP. Those with a third party managing your ASA firewalls should contact them immediately to determine if they are affected and, if so, make sure the fix is scheduled.

For those of you who are not affected by this latest fun, this can serve as a good reminder that even common, hardened services that have been around forever can be found to contain serious vulnerabilities. Something that was fine yesterday can be a liability tomorrow, so expose services and ports to the outside world carefully, and after a thorough risk assessment. Perform quarterly firewall reviews to evaluate what you have open, if it is still needed, and if risk levels have changed.
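The quarterly review described above is easy to start automating. The following is an added example, not code from the newsletter or from Cisco, that reviews a constructed rule export and reports three things a reviewer wants on the table every quarter: permit-anything rules, management services reachable from any source, and rules that have not passed traffic in 90 days. The rule-export format (a list of dicts with hit counters and last-hit dates) is a simplification assumed for the example; a real firewall's access-list output would need its own parser first, and the port list and 90-day threshold are assumptions to adjust.

```python
from datetime import date

# Remote-management services that should not be reachable from "any" source (assumed list).
MGMT_PORTS = {22: "ssh", 23: "telnet", 161: "snmp", 445: "smb", 3389: "rdp"}
STALE_DAYS = 90

# Constructed sample of an Internet-facing ACL export; addresses are RFC 5737 documentation ranges.
# Fields: rule id, action, source, destination, destination port, hit counter, last hit date (ISO).
SAMPLE_RULES = [
    {"id": 10, "action": "permit", "src": "any", "dst": "203.0.113.10", "dport": 443, "hits": 18422, "last_hit": "2018-03-14"},
    {"id": 20, "action": "permit", "src": "any", "dst": "203.0.113.12", "dport": 3389, "hits": 3, "last_hit": "2018-03-12"},
    {"id": 30, "action": "permit", "src": "198.51.100.0/24", "dst": "203.0.113.20", "dport": 22, "hits": 0, "last_hit": None},
    {"id": 40, "action": "permit", "src": "any", "dst": "any", "dport": "any", "hits": 77, "last_hit": "2018-03-14"},
    {"id": 50, "action": "permit", "src": "any", "dst": "203.0.113.30", "dport": 25, "hits": 9911, "last_hit": "2018-03-14"},
    {"id": 60, "action": "deny", "src": "any", "dst": "any", "dport": "any", "hits": 55120, "last_hit": "2018-03-14"},
]


def review_rules(rules, today):
    """Return (findings, exposed): findings are (rule id, severity, message) tuples,
    exposed is the inventory of services any Internet host can reach, for re-assessing
    risk when a new advisory (like the ASA one) lands."""
    findings = []
    exposed = []
    for r in rules:
        if r["action"] != "permit":
            continue
        rid = r["id"]
        if r["src"] == "any" and r["dst"] == "any" and r["dport"] == "any":
            findings.append((rid, "critical", "permit any/any/any: replace with explicit service rules"))
            continue
        if r["src"] == "any" and r["dport"] in MGMT_PORTS:
            findings.append((rid, "high",
                             f"{MGMT_PORTS[r['dport']]} open to the Internet: restrict source or move behind VPN"))
        last = date.fromisoformat(r["last_hit"]) if r["last_hit"] else None
        if r["hits"] == 0 or last is None or (today - last).days > STALE_DAYS:
            findings.append((rid, "medium", f"no traffic in {STALE_DAYS} days: confirm still needed or remove"))
        if r["src"] == "any":
            exposed.append((rid, r["dst"], r["dport"]))
    return findings, exposed


if __name__ == "__main__":
    found, inventory = review_rules(SAMPLE_RULES, date(2018, 3, 15))
    for f in found:
        print("rule %d [%s]: %s" % f)
    print("Internet-exposed services:", inventory)
```

The exposed-services inventory is the piece most reviews skip: when a vendor advisory arrives, that list answers "are we affected and from where?" in seconds instead of a scramble through the configuration.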


NetBIOS Making it Super Easy for Hackers

Something from the 1980's is still hanging around on your network, and 'bad' just doesn't have the same meaning nowadays…

We're talking about NetBIOS. NetBIOS was originally designed to allow computers to communicate over IBM PC Network LAN technology. As networks evolved, NetBIOS was along for the ride. It was implemented on various network technologies such as Token Ring, IPX/SPX, and Ethernet. Today, NetBIOS (as NetBIOS over TCP/IP, or NBT) still lives on, primarily as a fallback for name resolution in case DNS is not functioning. However, it's not secure, and in most cases it is NOT needed.

Your computer supporting NetBIOS will eagerly supply your user credentials (in hash form) to every local resource it tries to connect to, including an attacker spoofing a trusted resource name on your network. Yes, that's bad… It hands credentials out like candy and the bad guys love it.
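Before disabling NBT, most shops want to know which machines are still relying on it. The lookups happen as NetBIOS Name Service (NBT-NS) broadcasts on UDP port 137, so a capture on any subnet shows exactly which hosts still ask the network for names. Here is an added example, not code from the newsletter, that builds and parses those name-query packets as laid out in RFC 1002 (the 12-byte header, then the 32-character "first-level encoded" name where each byte of the 16-byte NetBIOS name becomes two letters in the range A..P) and turns a set of captured payloads into an inventory of NetBIOS talkers. The host names, source addresses and traffic are constructed for the example; feeding it real packets would mean reading UDP/137 payloads from a capture, which is left to the reader's tooling.

```python
import struct

NBNS_FLAG_RESPONSE = 0x8000    # R bit: packet is a response rather than a request
NBNS_FLAG_BROADCAST = 0x0010   # NM_FLAGS "B" bit: request was broadcast to the subnet
NBNS_FLAG_RD = 0x0100          # recursion desired, set on ordinary name queries
QTYPE_NB = 0x0020              # general NetBIOS name service question type


def encode_netbios_name(name, suffix=0x20):
    """First-level encoding (RFC 1002): 15-char space-padded name plus one suffix byte,
    each byte split into two nibbles and written as letters 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(ord("A") + (b >> 4))
        out.append(ord("A") + (b & 0x0F))
    return bytes(out)


def decode_netbios_name(encoded):
    """Inverse of encode_netbios_name; returns (name without padding, suffix byte)."""
    if len(encoded) != 32:
        raise ValueError("first-level encoded NetBIOS name must be 32 bytes")
    raw = bytearray()
    for i in range(0, 32, 2):
        hi, lo = encoded[i] - ord("A"), encoded[i + 1] - ord("A")
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError("name contains characters outside 'A'..'P'")
        raw.append((hi << 4) | lo)
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_nbns_query(trn_id, name, suffix=0x20):
    """A broadcast name query as a Windows host would send it when DNS cannot answer."""
    header = struct.pack("!HHHHHH", trn_id, NBNS_FLAG_RD | NBNS_FLAG_BROADCAST, 1, 0, 0, 0)
    question = (bytes([32]) + encode_netbios_name(name, suffix) + b"\x00"
                + struct.pack("!HH", QTYPE_NB, 0x0001))
    return header + question


def parse_nbns_query(packet):
    """Parse a UDP/137 payload; returns a dict for a name request, None for anything else."""
    if len(packet) < 12:
        return None
    trn_id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if flags & NBNS_FLAG_RESPONSE or qdcount < 1:
        return None                      # only requests tell us who is still resolving over NBT
    pos = 12
    if packet[pos] != 32 or len(packet) < pos + 33:
        return None
    name, suffix = decode_netbios_name(packet[pos + 1:pos + 33])
    pos += 33
    while pos < len(packet) and packet[pos] != 0:   # skip optional scope labels
        pos += 1 + packet[pos]
    pos += 1
    if len(packet) < pos + 4:
        return None
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return {"trn_id": trn_id, "name": name, "suffix": suffix,
            "broadcast": bool(flags & NBNS_FLAG_BROADCAST), "qtype": qtype, "qclass": qclass}


def netbios_talkers(observed):
    """observed: iterable of (source_ip, udp_payload). Returns {ip: sorted names queried},
    i.e. the hosts that still need NBT disabled and what they were looking for."""
    talkers = {}
    for src, payload in observed:
        q = parse_nbns_query(payload)
        if q is not None:
            talkers.setdefault(src, set()).add(q["name"])
    return {ip: sorted(names) for ip, names in talkers.items()}


# Constructed sample traffic: two workstations still broadcasting lookups, plus one
# response-shaped packet (R bit set) that the inventory correctly ignores.
SAMPLE_TRAFFIC = [
    ("10.0.5.21", build_nbns_query(0x1001, "FILESRV01")),
    ("10.0.5.21", build_nbns_query(0x1002, "PRINTSRV")),
    ("10.0.5.33", build_nbns_query(0x2001, "FILESRV01")),
    ("10.0.5.33", b"\x00\x01\x84\x00" + b"\x00" * 8),
]

if __name__ == "__main__":
    for ip, names in netbios_talkers(SAMPLE_TRAFFIC).items():
        print(ip, "still resolves over NetBIOS:", ", ".join(names))
```

The suffix byte tells you which service the host wanted (0x20 is the file server service, 0x00 the workstation name), which helps explain why a machine is still broadcasting: typically a stale drive mapping or a printer reference by short name. Fix that reference, confirm the host stops appearing in the inventory, and then disable NBT on the adapter.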

The good news is, it can be disabled! Read the following blog post to learn more.


BCP - Beyond Your Business (or, "No one expects the Spanish Inquisition…")

Waking at 6 AM to a light chill in the air and the sound of sirens in the distance, it was quieter than usual. The power was out and, so too, the heat. The winter storm had produced more precipitation and lower temperatures than forecasters had expected; fourteen degrees with wind chills near zero, and roads and power lines with up to an inch of ice. Roadways are closed throughout the region. Homeowners are dealing with frozen water and even sewer lines. What's the big deal? Well, this is along the Gulf Coast where they've never had a storm like the one that occurred this week.

Similarly, a few weeks ago southern California was dealing with wildfires like they had never experienced, and now mudslides. Some states now experience periodic earthquakes, where those too were extreme rarities in the not-too-distant past. When planning for business continuity, is there such a thing as thinking TOO far outside the box?

Businesses near the coast know how to plan for hurricanes and floods, but things like "ice storm" are omitted or warrant only a few lonely lines in the Business Continuity Plan. It's practical to plan for the most common scenarios, but expanding to include infrequent contingencies could raise important considerations that may not have received prior attention. A few examples:

Take advantage of the moments Mother Nature, and life, throw in your way, and adjust your BCP accordingly.


2018 Security & Compliance Check List

Yep, another year has flown by and 2018 is here. Now is a great time to take a close look at your 2018 schedule to make sure the critical elements of your information security & compliance programs are mapped out.

Items you may want to schedule:

Other items that may need attention:


Compromising customer data? There is an app for that!

Let's play a game. First, ask yourself this question: How many employees at your institution are allowed to access their work email from a personal device, like a cell phone? Next, look in any old email inbox and see how long it takes you to find sensitive or customer data. In many organizations, email winds up containing a treasure trove of sensitive information. From passwords to big spreadsheets containing customer info, you can wind up finding a lot if you take a peek. Now, consider the fact that this information is synchronized to the personal devices of all employees who have that privilege. At a minimum, you are enforcing (hopefully!) the use of device encryption and PIN codes, but a lost or stolen device isn't the only threat to this data.

On tablets and cell phones, OS permissions protect data from being accessed and abused by other installed apps. These vary between Android and iOS, and in the case of most portable devices, the user grants these permissions. So… any app that asks for access to data can be granted it, such as by installing that new free "Candy Crushing with Flappy Friends" game. To reinforce the point, here is a list of the permissions requested by a very popular Android "messenger" app (which shall remain nameless):

Wi-Fi connection information

Device ID & call information

These permissions allow this messenger app to do just about anything with a phone and anything on it. Do you know what apps your users install on their phone with access to work email and what permissions those users are granting? Would you know if a user installed an app from a 3rd party app store that came from a less than reputable source? When allowing users to access email, it is ultimately still the responsibility of the institution to ensure any customer data stored on their personal devices is protected. How do you do this? Here are some suggestions:
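One practical answer to "what permissions are those users granting?" is to vet an app's manifest before it is allowed on a device that syncs work email. The following is an added example, not code from the newsletter or from any MDM product, that reads an Android manifest, lists the requested permissions, and grades the app against a short list of Android's "dangerous" protection-level permissions that reach user or customer data. The manifest, package name and the verdict thresholds are constructed for the example; the permission strings themselves are the real Android identifiers.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names at the "dangerous" protection level, with what they expose.
HIGH_RISK = {
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.READ_SMS": "text messages",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.READ_PHONE_STATE": "device ID and call information",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.READ_EXTERNAL_STORAGE": "files on shared storage",
}

# Constructed manifest for a fictional free game (package name made up for the example).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flappyfriends">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Every <uses-permission android:name="..."> in the manifest, in document order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for node in root.iter("uses-permission"):
        name = node.get(f"{{{ANDROID_NS}}}name")
        if name:
            names.append(name)
    return names


def assess(manifest_xml, max_high_risk=2):
    """Grade an app for a device that holds work email: 'allow' when it touches no
    high-risk data, 'review' for a few such permissions, 'block' above the threshold
    (threshold is an assumption; set it to match your own mobile device policy)."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "<unknown>")
    perms = requested_permissions(manifest_xml)
    flagged = {p: HIGH_RISK[p] for p in perms if p in HIGH_RISK}
    if len(flagged) > max_high_risk:
        verdict = "block"
    elif flagged:
        verdict = "review"
    else:
        verdict = "allow"
    return {"package": package, "requested": perms, "high_risk": flagged, "verdict": verdict}


if __name__ == "__main__":
    result = assess(SAMPLE_MANIFEST)
    print(result["package"], "->", result["verdict"])
    for perm, what in result["high_risk"].items():
        print("  ", perm, "exposes", what)
```

The sample game asks for five of the eight listed permissions, which is what the "do just about anything with a phone" remark above looks like in a manifest. The same check can run against every app an MDM reports as installed, so an employee's personal choice of game does not silently become a path to the customer spreadsheet in their inbox.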