Security Tips

9/21/17

If You Don't Use It, You Should Lose It.

When's the last time your IT administrator mentioned BOOTP, RIP, NetBIOS, or mDNS/Bonjour as being critical to the function of your network infrastructure? Chances are, they're probably not needed. On devices such as printers, IP cameras, HVAC sensors, and the myriad of IoT (Internet of Things) devices being attached to your networks, many obsolete or unnecessary functions, application programming interfaces, or protocols are enabled by default out of the box and left that way until they cause noticeable issues or become the focus of a high-profile breach.

As we often advise our clients regarding users having local PC administrative rights, it's not about what has happened, but what could happen if an issue is left unchecked. A strong information security program isn't just about locking a door; it also means ensuring your protected assets remain in their expected state and available to those that need them. Allowing unnecessary functions to remain enabled within your network may not only present attack vectors, or in some cases, remote access backdoors, but can also flood your seemingly clean network with broadcast traffic which could result in slowness or data loss.

Administratively, keeping your network pipes clean and safe should be governed with descriptive hardening standards for all newly-introduced and existing hardware or services. In support of your information security program, hardening standards checklists should exist and be updated periodically for servers, workstations, and any other device that is connected to your network. For any significant changes that occur in your infrastructure, ensure that a rollback plan is ready in case problems occur. (This should be part of your change control process for IT admins.)

Knowing your technical environment is half the battle, and discovering the obscure functions that may need to be cleaned up is a task best performed with network plumbing tools such as internal vulnerability scans and network protocol analyzers (sniffers such as Wireshark). Such tools can alert administrators to vulnerable or unnecessary protocols and provide insight into what's currently eating up your network bandwidth. If you're unsure about a communication seen in a log or the nature of a vulnerability, research it, study its sources/destinations, and track its behavior over time with repeated scans to determine its legitimacy before disabling it.
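As an added example (not part of the original tip), the following PowerShell script does the "track it before you disable it" step over a text export of a packet capture. It assumes the export was produced with tshark's field output (time, source, destination, protocol column), tallies only the legacy/broadcast protocols the tip mentions plus a couple of close relatives, and reports first/last seen per source so the same script can be re-run against later captures. The sample lines and the protocol-to-guidance table are constructed for illustration; note that newer Wireshark versions label BOOTP traffic as DHCP.

```powershell
# Added example: summarize legacy/broadcast protocols in a capture export.
# Assumed input format (tab separated), e.g. produced by:
#   tshark -r capture.pcapng -T fields -e frame.time_relative -e ip.src -e ip.dst -e _ws.col.Protocol
# Protocol names follow Wireshark's protocol column.
$LegacyProtocols = @{
    'BOOTP'   = 'Legacy DHCP/BOOTP; confirm a DHCP server is intended on this segment'
    'DHCP'    = 'DHCP (BOOTP in older Wireshark); confirm the server is yours'
    'RIPv1'   = 'Unauthenticated routing updates; prefer static routes or an authenticated IGP'
    'RIPv2'   = 'Routing updates; confirm authentication is configured or disable RIP'
    'NBNS'    = 'NetBIOS name service; disable NetBIOS over TCP/IP where WINS is not used'
    'BROWSER' = 'NetBIOS browser announcements; disappears with NetBIOS over TCP/IP'
    'MDNS'    = 'Multicast DNS/Bonjour; usually printers or IoT, disable if not needed'
    'LLMNR'   = 'Link-local name resolution; can be turned off via Group Policy'
}

function Get-LegacyProtocolSummary {
    param([Parameter(Mandatory)][string[]]$CaptureLines)

    $buckets = @{}
    foreach ($line in $CaptureLines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $fields = $line -split "`t"
        if ($fields.Count -lt 4) { continue }          # malformed line, skip it
        $time  = [double]$fields[0]
        $src   = $fields[1]
        $proto = $fields[3]
        if (-not $LegacyProtocols.ContainsKey($proto)) { continue }

        $key = "$src|$proto"
        if (-not $buckets.ContainsKey($key)) {
            $buckets[$key] = [pscustomobject]@{
                Source    = $src
                Protocol  = $proto
                Packets   = 0
                FirstSeen = $time
                LastSeen  = $time
                Guidance  = $LegacyProtocols[$proto]
            }
        }
        $b = $buckets[$key]
        $b.Packets++
        if ($time -gt $b.LastSeen) { $b.LastSeen = $time }
    }
    $buckets.Values | Sort-Object Packets -Descending
}

# Constructed sample export: time, src, dst, protocol (not a real capture)
$sample = @(
    "0.000`t10.1.1.50`t224.0.0.251`tMDNS",
    "0.010`t10.1.1.50`t224.0.0.251`tMDNS",
    "0.500`t10.1.1.20`t10.1.1.255`tNBNS",
    "1.200`t10.1.1.20`t10.1.1.255`tBROWSER",
    "2.000`t10.1.1.1`t224.0.0.9`tRIPv2",
    "3.000`t10.1.1.77`t10.1.1.10`tTCP",
    "30.000`t10.1.1.50`t224.0.0.251`tMDNS"
)

Get-LegacyProtocolSummary -CaptureLines $sample |
    Format-Table Source, Protocol, Packets, FirstSeen, LastSeen, Guidance -AutoSize
```

Replace `$sample` with `Get-Content capture.txt` to run it against a real export. The chatty sources (the mDNS talker at 10.1.1.50 in the sample) are the ones to identify and confirm with their owners before anything is disabled.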

9/14/17

It's Still Warm Out, But it May be Time for a Freeze

We won't belabor the news you have probably already heard about the recent Equifax breach. There is undoubtedly a lot of fallout yet to occur (read: lawsuits), and unfortunately it will probably include an up-tick in ID theft and credit accounts opened fraudulently. Many people will sign up for credit alerting services, but that's an alarm that only goes off AFTER the theft has occurred and an account has been opened. But there is a proactive alternative.

The three major credit reporting agencies (Experian, Transunion, and, ahem, Equifax) are required to offer "Security Freeze" protection. That is a service where the credit reporting agency will not provide your credit file information to a creditor without it first being "thawed" by the account owner. Since few, if any, creditors will extend credit without first reviewing a credit file, having your information frozen should prevent fraudsters from successfully opening new lines of credit using your stolen information. If you sign up for Security Freeze service and then want a creditor to view your information for legitimate reasons, you first have to "thaw" the information via the credit reporting agency for their access.

The credit reporting agencies may be able to charge a fee for the freezing and thawing services, and you have to set it up individually with each agency. State regulations usually dictate what fees can be charged. If you have been a victim of ID theft (not just the theft of the information, but an attempt at using the stolen info), then most states' rules prevent the credit reporting agencies from charging to place a freeze. For the rest of us, the fee may range from $0 to around $10 for each freeze/thaw request PER agency. As an example, if you wanted to freeze your credit information in the state of Hawaii (maximum of $5 per freeze transaction) then it would be $15 to freeze your information at all three agencies. (Giving in to public pressure, Equifax announced on Sept. 12th they would offer "freeze" service for free through Nov. 21st. Hey Equifax, if you are reading this, you should offer freeze/thaw services for free to everyone affected for at least a year if not permanently. Just saying…)

To find out more about the service and fees for each state go to: http://consumersunion.org/research/consumers-unions-guide-to-security-freeze-protection-2/

To find out if you are one of the lucky folk that Equifax may have leaked data about go to: https://www.equifaxsecurity2017.com/potential-impact/ (BTW, if you checked it earlier and were told your info wasn't compromised you might want to check again. Their list is reported to have changed.)

9/6/17

This Time, Procrastination Won't Pay Off

Conducting an exercise and training on your bank's Incident Response & Reporting program is one of those tasks that is easy to keep on the back burner. Then it becomes time for your exam and you realize you don't have a good response for the examiner when asked "How do you test your Incident Response program?" The solution to save yourself from that stressful moment is by conducting a tabletop exercise that has a scenario built around testing the program, or participate in an externally-facilitated exercise that is designed to evaluate your cybersecurity program.

The Financial Services Information Sharing and Analysis Center (FS-ISAC) conducts an annual "Cyber Attack Against Payments Services" (CAPS) exercise. CAPS is a virtual tabletop exercise that allows you to participate from your own location, without disclosing any confidential information to anyone outside the bank. The CAPS exercise is conducted two times in September each year, and participation is free for financial services organizations. This year's CAPS exercise will be conducted September 10-11 and then repeated on September 17-18. Yes, those dates are just a few days away, so if your organization wishes to participate don't put it off. For more information on this year's CAPS exercise, or to register, go to: http://www2.fsisac.com/l/134411/2017-03-12/26px8j

Free, confidential, and minimal effort to participate. Really, there aren't many good excuses for not participating. That is, unless you are just looking for an effective way of testing your blood pressure come exam time.

8/31/17

PowerShell Gets Enhanced Logging

Microsoft is putting more attention into PowerShell security. Before PowerShell 5.0, for the most part you were limited to event logs showing that PowerShell was executed. With the 5.0 release, Microsoft has added enhanced logging to allow recording of executed PowerShell, scripts, de-obfuscated code, output, and transcripts of activity. This is huge for the blue team defenders out there.

On the flip side, malicious users and red teams have been using PowerShell more and more, as seen in recent ransomware attacks and attack frameworks. PowerShell is included in all recent Windows operating systems, it's easy to use, and until recently it left very little logging behind. All this may amount to a shift in methods and tactics, as PowerShell attacks will be less effective in the future.

Recommendation

Most modern versions of Microsoft Windows can take advantage of the new enhanced logging features. Check out this Microsoft blog for detailed usage: https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/
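As an added example (our own, not code from the Microsoft blog linked above), here is a PowerShell script that turns on the three PowerShell 5.0 logging features by writing the same registry values the corresponding Group Policy settings write, reports their status, and then pulls the most recent script block events (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), which is where the de-obfuscated code lands. The transcript directory is an assumed path; run it elevated, and for a fleet deploy the equivalent GPO rather than the script.

```powershell
# Added example: enable and verify PowerShell 5.0 enhanced logging on one host.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PowerShellLogging {
    param([string]$TranscriptDirectory = 'C:\PSTranscripts')   # assumed path; use a write-only share in production

    # Script block logging: logs the code as executed, after de-obfuscation (event ID 4104)
    New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Module logging for all modules: pipeline execution details (event ID 4103)
    New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    New-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

    # Transcription: full input and output of every session written to text files
    New-Item -Path "$base\Transcription" -Force | Out-Null
    Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value $TranscriptDirectory
}

function Get-PowerShellLoggingStatus {
    # Each property is $true only when the policy value is present and set to 1
    [pscustomobject]@{
        ScriptBlockLogging = (Get-ItemProperty "$base\ScriptBlockLogging" -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1
        ModuleLogging      = (Get-ItemProperty "$base\ModuleLogging" -ErrorAction SilentlyContinue).EnableModuleLogging -eq 1
        Transcription      = (Get-ItemProperty "$base\Transcription" -ErrorAction SilentlyContinue).EnableTranscripting -eq 1
    }
}

function Get-RecentScriptBlocks {
    # Blue-team check: the ScriptBlockText is the third event property of a 4104 event
    param([int]$MaxEvents = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }
}

Set-PowerShellLogging
Get-PowerShellLoggingStatus
Get-RecentScriptBlocks -MaxEvents 5
```

Script block logging is the setting that matters most for detection: an attacker's obfuscated one-liner is logged in the form the engine actually compiled, so the 4104 events are what to forward to your log collector.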

8/24/17

Elite Membership Comes With Risk! (Privileged Groups)

While auditing Active Directory for proper group membership, the focus is usually on the Domain Admin group. That is great, but there is much more to be concerned with when auditing group membership. There are several privileged groups in Active Directory that are super dangerous in the wrong hands.

When auditing group membership, ensure user accounts added to the privileged groups mentioned below are separate from a user's primary account that is used for day-to-day activities such as internet browsing and email access. Privileged administrative accounts should be used only for their intended purpose: administrative tasks.

Administrators Group Overview

Administrators is a local group that provides full administrative access to an individual computer or a single domain, depending on its location. Because this group has complete access, you should be very careful about adding users to it.

Domain Admins is a global group designed to help you administer all the computers in a domain. This group has administrative control over all computers in a domain because it's a member of the Administrators group by default.

Enterprise Admins is a group which has administrative control over all the computers in a domain tree or forest because it's a member of the Administrators group by default.

Schema Admins is a universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make schema changes in Active Directory.

Groups Used by Operators

Users in these operator groups have privileges to perform very specific administrative tasks across the domain and forest of Active Directory. While somewhat limited in overall ability, these types of permissions can be devastating if bad actors get ahold of an account with this level of control.

Account Operators is a group whose members can create and modify most types of accounts, including those of users, local groups, and global groups. They can also log on locally to domain controllers.

Backup Operators is a local group that enables a user to back up and restore files and directories on workstations and servers in a Windows domain. Members of this group can log on to a computer, back up or restore files, and shut down the computer. Because of how the account is set up, they can back up files regardless of whether they have read/write access to the files. On a good note, they can't change access permissions of the files or perform other administrative tasks.

Print Operators is a local group for managing network printers. Members of this group can manage printers running in a Windows domain. Print Operators can also log on to a server locally and shut it down.

Server Operators is a local group that allows a user to perform general administrator tasks. These tasks include sharing server resources, performing file backup and recovery, and much more. Server Operators can perform most common server administration tasks.

Replicator, which is a special group account, is used with the directory replication service. Administrators and operators can set up this service to manage the replication of files and directories in a domain.

Note: the specific access/rights these groups have may vary with the flavor (generation) and mode of Active Directory deployed.
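To turn the list above into a repeatable audit, here is an added PowerShell example (ours, not from the original tip) that walks every group named in this tip, expands nested membership, and flags members that look like day-to-day accounts rather than dedicated admin accounts. It assumes the ActiveDirectory RSAT module is installed, and the "-adm" naming suffix for dedicated admin accounts is an assumption; substitute your own convention. A mailbox on a privileged account is used as the second tell-tale, since a dedicated admin account normally has no reason to receive email.

```powershell
# Added example: report members of the privileged groups listed in this tip.
Import-Module ActiveDirectory

$PrivilegedGroups = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Account Operators', 'Backup Operators', 'Print Operators', 'Server Operators', 'Replicator'
)

function Get-PrivilegedGroupReport {
    param([string]$AdminSuffix = '-adm')   # assumed naming convention for dedicated admin accounts

    foreach ($group in $PrivilegedGroups) {
        # Enterprise/Schema Admins only exist in the forest root domain; ignore lookup failures
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
                   Where-Object objectClass -eq 'user'
        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.distinguishedName -Properties EmailAddress, LastLogonDate, PasswordLastSet
            $pwdAgeDays = $null
            if ($u.PasswordLastSet) { $pwdAgeDays = (New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).Days }

            [pscustomobject]@{
                Group        = $group
                SamAccount   = $u.SamAccountName
                Enabled      = $u.Enabled
                HasMailbox   = -not [string]::IsNullOrEmpty($u.EmailAddress)   # mailbox suggests a day-to-day account
                DedicatedAdm = $u.SamAccountName.EndsWith($AdminSuffix)
                LastLogon    = $u.LastLogonDate
                PwdAgeDays   = $pwdAgeDays
            }
        }
    }
}

$report = Get-PrivilegedGroupReport

# Findings: privileged members that have a mailbox or do not follow the admin naming convention
$report | Where-Object { $_.HasMailbox -or -not $_.DedicatedAdm } |
    Sort-Object Group, SamAccount | Format-Table -AutoSize

# Full membership listing for the audit workpapers
$report | Sort-Object Group, SamAccount | Export-Csv -NoTypeInformation -Path '.\privileged-groups.csv'
```

Run it from a workstation with RSAT as a user allowed to read group membership; the CSV is the artifact to keep with each periodic review, and the first table is the list to take to the account owners.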

8/17/17

Go Off-Script and Help Stop Malware

For all its faults, the Windows operating system generally just works, even running old software and ancient system tools. One of the ways Microsoft has maintained compatibility with almost everything is by keeping backwards compatibility with arcane file types, to its own detriment. We all know about dangerous executables, such as .EXE files, .BAT files, etc. But do you know them all? Attackers love to find old scripting formats like .HTA (HTML Application) and .SVG (a vector graphic format that can contain embedded code). By default, these files and many others will just execute if opened, but it doesn't have to be that way. Network administrators can restrict the running of these and other file types using various methods. One of the easiest ways is to use Group Policy to associate these file types with notepad.exe, so if a user runs one, it will harmlessly open in Notepad instead. The nice thing about this is that you can use Active Directory groups and only allow scripts to be executed by certain users, like administrators. The file types you should block vary depending on the environment, but consider restricting the following: .HTA, .JS, .VBS, .SVG.
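As an added example (not from the tip), the PowerShell script below shows what that Group Policy change comes down to on a single machine: it reports which program currently opens each of the four extensions named in the tip, then re-points the file type's "open" command to notepad.exe. It reads and writes the machine-wide associations under HKLM:\SOFTWARE\Classes, so it needs an elevated prompt, and the `-WhatIf` switch is left on at the bottom so the first run only shows what would change.

```powershell
# Added example: audit and neutralize script file type handlers on one machine.
$Extensions = '.hta', '.js', '.vbs', '.svg'   # the list from this tip

function Get-ScriptHandler {
    # Returns the ProgID and the open command registered machine-wide for each extension
    foreach ($ext in $Extensions) {
        $progId = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\$ext" -ErrorAction SilentlyContinue).'(default)'
        $cmd = $null
        if ($progId) {
            $cmd = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
        }
        [pscustomobject]@{ Extension = $ext; ProgId = $progId; OpenCommand = $cmd }
    }
}

function Set-ScriptHandlerToNotepad {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $notepad = '"' + (Join-Path $env:SystemRoot 'System32\notepad.exe') + '" "%1"'
    foreach ($h in Get-ScriptHandler) {
        if (-not $h.ProgId) { continue }    # nothing registered for this extension, nothing to change
        $key = "HKLM:\SOFTWARE\Classes\$($h.ProgId)\shell\open\command"
        if ($PSCmdlet.ShouldProcess($key, "Set open command to $notepad")) {
            New-Item -Path $key -Force | Out-Null
            Set-ItemProperty -Path $key -Name '(default)' -Value $notepad
        }
    }
}

Get-ScriptHandler | Format-Table -AutoSize     # "before" picture: mshta.exe, wscript.exe, a browser, ...
Set-ScriptHandlerToNotepad -WhatIf             # remove -WhatIf to apply
Get-ScriptHandler | Format-Table -AutoSize     # "after" picture
```

Per-user associations (HKCU and the UserChoice keys) can override the machine-wide handler, which is one reason the Group Policy route described in the tip is the better way to deploy this across a domain: it lets you scope the change to everyone except the groups that legitimately run scripts.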

8/10/17

Dangerous Office Docs - Now Without Macros!

One of the most common attack vectors we see is the use of tainted Microsoft Office documents. Usually using Word, Excel, or PowerPoint, these documents almost always contain an exploit that will, if executed, give an attacker some sort of foothold into your environment. Fortunately, documents created by these programs that originate from outside your organization should open in Protected View. This will remove most of the teeth from any exploit that may be lurking in them, as the user has to actively remove Protected View for the exploit to take effect.

Research done by Matt Nelson has found a way around this. Using Publisher and OneNote files, exploits can be embedded that will not be caught (initially) by most antivirus and email filters. The effects of these exploits are limited only by the attacker's imagination. 10-D's team of engineers has used this technique during its Penetration Tests and can testify to its effectiveness. Even services like Gmail will allow the attachments to be sent, whereas attachments with macros in them are blocked.

What can be done to protect against this? Preventing Publisher (.pub) and OneNote (.one) files from being allowed into your network is a great start if you do not use those programs. If you do, user training on the dangers of opening files sent to them from the Internet is the best defense. For a deeper dive into the technical details of this attack vector, see Matt Nelson's post at enigma0x3.net.

8/3/17

Is There a Draft in Here?

Yes there is! Someone left a window into the network open! From the Target data breach in 2014 to the recent Anthem data breach - both involving the compromising of third party vendor accounts - I think it is safe to say that user access and accountability is a critical aspect of properly securing an organization. IT administrators are usually great at giving access to authorized personnel in a timely manner (who wants to wait forever for logins when you need to get work done?), but issues arise when admins give out too much access or don't remove accounts after the employee/vendor is no longer working for the organization. It is common that admins are just worried about getting someone access or getting something to work instead of doing it in a secure manner, thus opening security holes in an organization.

Here are some tips for reducing these types of issues:

7/28/17

Website Compliance (Drive by Demand Letters)

Reports are rolling in now from all over the country about banks receiving Americans with Disabilities Act (ADA) demand letters from law firms. These letters are being delivered even though the Department of Justice has delayed proposed website accessibility standards until 2018. If your institution receives such a letter, it's a common reaction to hear alarm bells; however, don't panic, relax. The majority of today's demand letters appear to be boilerplate letters that are based principally on automatic test results and not by expert testing.

So what do you do if you get such a letter?

Recommendations:

If you're interested in reading more about the rise in these claims, an informative post from Sept 2016 can be found on the Community Bankers of Iowa website at http://www.cbiaonline.org/community-banking-news-blog/plaintiffs-law-firm-again-targeting-community-banks

7/20/17

Protect all the things!!

There have been several high profile cases of 'ransomware' attacks recently. Unfortunately, ransomware authors are getting better at their tradecraft, creating more automated malware, which is quicker and better at spreading and encrypting as much data as possible. This only increases their profit, as the more files the malware can encrypt, the more damaging to a company the attack can be, thus upping the chances of the ransom being paid.

Aside from standard security practices such as good antivirus software, security awareness, and removing local administrative rights for users, a big step you can take to protect against ransomware or any destructive malware is fairly straightforward: limit what files users can access. Ransomware generally runs with the same permissions as the infected user, so what they cannot access, the ransomware cannot destroy.

The concept of 'least privilege' (allowing a user to access only what is needed for their job) is as old as information security itself, but it is not always easy to implement. And even once you do, over time access control lists (ACLs) get modified, and by the very nature of things, generally get more permissive, not less. 'Least privilege' and ACL management is a big area, but here are some common pitfalls and recommendations:
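Here is an added PowerShell example (ours, not from the tip) for the ACL drift the paragraph above describes: it walks a share or folder tree and reports every Allow entry that gives a broad group write-level rights, which is exactly what ransomware running as an ordinary user needs to do damage. The share path and the list of "broad" principals are assumptions to adjust for your environment; the script needs PowerShell 5.0 or later for `Get-ChildItem -Depth`.

```powershell
# Added example: find folders where broad groups hold write-level NTFS rights.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Domain Users')

# Any of these rights lets a user (and therefore ransomware running as that user) alter files
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete'

function Find-OverPermissiveAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$Depth = 2     # how far below the root to look; share roots and first levels matter most
    )

    $dirs = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)

    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id = $ace.IdentityReference.Value

            # Match "CONTOSO\Domain Users" as well as the bare names above
            $isBroad = $BroadPrincipals | Where-Object { $id -like "*$_" }
            if (-not $isBroad) { continue }

            if (($ace.FileSystemRights -band $WriteRights) -eq 0) { continue }   # read-only entry, fine

            [pscustomobject]@{
                Path      = $dir.FullName
                Principal = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Assumed share path; run as an account that can read the ACLs
Find-OverPermissiveAcl -Path '\\fileserver\shared' -Depth 2 |
    Sort-Object Path, Principal | Format-Table -AutoSize
```

Entries with `Inherited = False` are the ones someone explicitly added and are the first to question; an inherited entry points back up the tree to the folder where the permissive grant actually lives. Run it against each share on a schedule and diff the output to catch the slow loosening the paragraph above warns about.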

7/13/17

Evolution of the ISO Role

In a time not too long ago, if you knew how to turn on a computer you were a candidate for the Information Security Officer (ISO) role. In today's financial world that is no longer the case, with the ISO role receiving more and more responsibility and functional duties. Business continuity, log management, anomaly detection, incident response, and vendor management are just some of the areas that have increased in depth and complexity for the ISO. In addition, expanding federal and state regulations and advancing cybersecurity threats seem to never let up, increasing the stakes for failure. So much so that management and regulators are starting to put more emphasis on the skill, experience, and general qualifications of individuals in this role.

Current FFIEC guidelines include the following:

This is being echoed by state regulators with some including New York going a few steps further.

Recommendations:
  1. Develop a specific ISO Job Description. We have a free template, let us know if you would like a copy.
  2. Send your ISO to training, or better yet how does "Certified Banking ISO" sound? See 10-D Academy at https://www.10dsecurity.com/opencarta/index.php for details.
  3. Consider Outsourcing the ISO Role to save time and money. See Applied Compliance at http://www.appliedcs.com/ for details.

7/6/17

Thin client patch management - a summer refresher

"Summer School" - a term most kids dread hearing, aside from college students trying to knock out a few easy credit hours or brush up on a forgotten lesson. Assuming the readers of this tip fall into the latter category, we'll take this opportunity to revisit a previous "lesson" on thin client patch management. This topic has come up frequently of late as more organizations have moved towards Virtual Desktop Infrastructure (VDI). Unfortunately, one common benefit and misconception associated with VDI is "I don't have to patch thin clients because they are immune from exploits and that's why I bought them!" The cold hard truth (even in the heat of summer) is that you definitely need to patch and harden thin clients.

Whether the thin clients run the Wyse, Linux, or Microsoft operating system, they are all capable of being updated and have mechanisms for such tasks. The vast majority of thin clients we see in operation are Microsoft based, and they generally have at least a handful of exploitable issues present during our assessments. One misconception we often hear is that because the thin client device is "read-only" it cannot be exploited; however, this simply isn't true. In general, for most remote exploits to work an attacker just needs a live (vulnerable) machine that is connected to the network. Once an attacker gains control of a thin client, they will retain control until that device is rebooted. Rebooting the affected device will return it to its pre-exploited state until it is exploited again. One other thing to note is that the device needs to be hardened as well: if the default credentials are used (or weak credentials are chosen), the attacker can unlock the device and make permanent changes, allowing persistence across reboots. Each operating system has a different mechanism for obtaining patches, so be sure to research your platform and pick the appropriate method to ensure your thin clients are not your weakest links.

That's all for this condensed summer school session, now back to your summer vacation!

6/29/17

Are you done with that?

How many old computers are you storing, waiting to find a day that you will get around to cleaning that closet out? How did I know you have that old pile of computers? Because EVERYONE has a closet/basement/office that has a pile of old equipment they need to get rid of.

Data Concerns - You don't want to be the subject of the evening news, so before you throw out your equipment make sure old hard drives are securely wiped of data or physically destroyed. That includes hard drives (and now "solid state disks") in not just computers and storage arrays, but also multifunction copiers, printers, fax machines (remember those?!?), etc. Many shredding companies will destroy hard drives for a small fee and can provide a certification of destruction. For those deer hunters, a hard drive makes for a nice target to help you zero in that rifle.

For the frugal minded some drives can be salvaged. For ATA devices NIST recommends erasing the disk or physically destroying the disk. NIST Standard 800-88 describes what is required: http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_with-errata.pdf

Some BIOSes have the ability to invoke a "secure erase" from the BIOS, and several drive vendors offer software that will do this as well.

Free "secure erase" software from CMRR: http://cmrr.ucsd.edu/people/Hughes/secure-erase.html

Caution: It is not a good idea to erase or overwrite a SCSI Drive as it may not destroy all of the readable data. Also, if the drive has stopped working don't assume data cannot be retrieved, so have those drives physically destroyed.

Environment Concerns - Old technology is full of components that aren't good for the environment, such as lead and other hazardous materials that can get into ground water or are toxic if burned. So just throwing it in the dumpster is not a good idea. Make sure to check state and local regulations on the disposal of computer equipment.

Documentation Requirements - From our friends at the FFIEC: "Management should log the disposal of sensitive media. Logs should record the party responsible for disposal, as well as the date, media type, hardware serial number, and method of disposal." (FFIEC IT Handbook, Information Security, II.C.13(c)).

Donations - After you have sanitized any customer information, consider donating old workstations to local schools or libraries.

Recycling - After you have sanitized any customer information, consider recycling your old technology. If you have a Best Buy or Staples store nearby you might ask them if they participate in their company's technology recycling program. If they do, they may take your equipment off your hands for free (don't load up an entire pickup truck and expect them to take it all, they usually have daily limits how much they will accept). Search the internet for a local recycler in your area. Some of these recyclers have fees for taking your old items. EPA Site: http://www.epa.gov/osw/conserve/materials/ecycling/donate.htm

6/22/17

Now you see me, now you don't!

When it comes to purchasing a domain the premise is pretty straightforward: you choose a vendor, pick your great new domain name (if it wasn't taken in 1996), and you're off and away to begin staging your website. But, hidden in the marketing and domain registration information is an often overlooked but effective option. The privatized domain feature can be added to help hide useful information from a motivated attacker. For a nominal fee, often less than ten dollars a year, domain registrars offer the ability to privatize the domain registration information.

The following shows a privatized domain entry for the Admin Field:

[Image: privatized domain entry.]

The key data points an attacker could use to assist them in social engineering (the name, phone number, and email address) have all been hidden. Now let's compare this to an example of what an entry would look like on a non-privatized registration:

[Image: non-privatized domain entry.]

As seen in this example, the email address, phone number, and name of someone highly likely to be in an Admin or IT role at the institution is viewable through a simple command or web search. If you have not already, 10-D Security recommends privatizing your domain registration to provide a cheap and easy security boost!

6/15/17

Where did that come from?

Last week's Weekly Security Tip put the "Aw-shoot Spotlight" on the data breach that recently occurred at Chipotle and Pizzeria Locale restaurants. They are hardly alone. Everyone knows breaches are occurring, but do you really know the recent trends and targets? (Hint: Does your organization use DocuSign?...) When investigating fraudulent card usage it is commonplace to ask the question "How did this debit/credit card get compromised?" or you may simply wonder if there were other breaches that had occurred that hadn't hit the nightly news.

There is a public source where you can research data breach information, the "Privacy Rights Clearinghouse." The organization's website has a search capability to look for specific companies, time periods, type of breach, and more. Yeah, it can be a bit disturbing (e.g., 243 breaches so far in 2017…), but it is better to be informed about what has occurred so you can defend against fraud, spear-phishing, malware, hacking, scams, etc. The information found at the site can also be useful in vendor management reviews, as well as in educating employees and customers (Did you know 132 of the 243 breaches in 2017 were related to medical/healthcare?).

Go ahead, take a deep breath and see what you find: https://www.privacyrights.org/data-breaches

6/13/17

CAT Tool Update

By now you may have heard there is an update to the Cybersecurity Assessment Tool (CAT) from FFIEC. While there were no material changes in the assessment questions, there is a change in how you can answer the questions. Instead of "Yes", "No" or "N/A", institutions can now respond with "Yes with Compensating Controls" to the assessment questions. This is designed to take into consideration risk that has been mitigated by controls not directly associated with the question. While this move may help some institutions with a few of the assessment responses, it will also allow for imaginative interpretation and creative reasoning in applying this answer. In other words, the use of "Yes with Compensating Controls" should be the exception, not the rule.

Appendix A of the CAT was updated and is a valuable resource for getting to the root cause of the question being asked.

Our CAT Reporting Tool is now on version 1.6. Let us know if you would like a complimentary copy.

Older Security Tips can be requested at info@10dsecurity.com