Security Tips

7/20/17

Protect all the things!!

There have been several high-profile cases of 'ransomware' attacks recently. Unfortunately, ransomware authors are getting better at their tradecraft, creating more automated malware, which is quicker and better at spreading and encrypting as much data as possible. This only increases their profit, as the more files the malware can encrypt, the more damaging to a company the attack can be, thus upping the chances of the ransom being paid.

Aside from standard security practices such as good antivirus software, security awareness, and removing local administrative rights for users, a big step you can take to protect against ransomware or any destructive malware is fairly straightforward: limit what files users can access. Ransomware generally runs with the same permissions as the infected user, so what they cannot access, the ransomware cannot destroy.

The concept of 'least privilege' (allowing a user to access only what is needed for their job) is as old as information security itself, but it is not always easy to implement. And even once you do, over time access control lists (ACLs) get modified, and by the very nature of things, generally get more permissive, not less. 'Least privilege' and ACL management is a big area, but here are some common pitfalls and recommendations:
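One way to find ACLs that have drifted toward "everyone can write", shown as an added example that is not part of the original tip. The path `D:\Shares` is a placeholder, and the function name and default depth are assumptions; it reports folders where Everyone, Authenticated Users, BUILTIN\Users or Domain Users hold rights that would let malware running as any user overwrite or delete data.

```powershell
# Added example (not from the original tip): list folders where a broad group
# holds rights that would let ransomware running as any user destroy data.
# Reads NTFS ACLs only; share-level permissions need a separate review.
function Find-BroadWriteAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $Depth = 2,
        # Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users.
        [string[]] $BroadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')
    )

    # Only the bits that change or remove data. 'Modify' is not used as a mask
    # because it also contains the read and execute bits.
    $destructive = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # Inherit-only ACEs may carry raw generic rights instead of named ones.
    $genericMask = 0x50000000   # GENERIC_WRITE (0x40000000) | GENERIC_ALL (0x10000000)
    $mask = $destructive -bor $genericMask

    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        try   { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL on $($folder.FullName): $_"; continue }

        # Ask for SIDs rather than names so the match does not depend on language or domain name.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne 'Allow') { continue }

            $sid = $ace.IdentityReference.Value
            # Domain Users is the domain SID followed by RID 513.
            $isBroad = ($BroadSids -contains $sid) -or ($sid -match '^S-1-5-21-[\d-]+-513$')
            if (-not $isBroad) { continue }

            if ((([int]$ace.FileSystemRights) -band $mask) -eq 0) { continue }

            try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = $sid }

            [pscustomobject]@{
                Folder    = $folder.FullName
                Identity  = $name
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Placeholder path: point this at the root of your own file shares.
Find-BroadWriteAccess -Path 'D:\Shares' | Sort-Object Folder | Format-Table -AutoSize -Wrap
```

Rows with `Inherited = False` mark the folders where the broad grant was set explicitly, which is usually where cleanup should start.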

7/13/17

Evolution of the ISO Role

In a time not too long ago, if you knew how to turn on a computer you were a candidate for the Information Security Officer (ISO) role. In today's financial world that is no longer the case, with the ISO role receiving more and more responsibility and functional duties. Business continuity, log management, anomaly detection, incident response and vendor management are just some of the areas that have increased in depth and complexity for the ISO. In addition, expanding federal and state regulations and advancing cybersecurity threats seem to never let up, increasing the stakes for failure. So much so that management and regulators are starting to put more emphasis on the skill, experience and general qualifications of individuals in this role.

Current FFIEC guidelines include the following:

This is being echoed by state regulators, with some, including New York, going a few steps further.

Recommendations:
  1. Develop a specific ISO Job Description. We have a free template, let us know if you would like a copy.
  2. Send your ISO to training, or better yet how does "Certified Banking ISO" sound? See 10-D Academy at https://www.10dsecurity.com/opencarta/index.php for details.
  3. Consider Outsourcing the ISO Role to save time and money. See Applied Compliance at http://www.appliedcs.com/ for details.

7/6/17

Thin client patch management - a summer refresher

"Summer School"- a term most kids dread hearing aside from college students trying to knock out a few easy credit hours or brush up on a forgotten lesson. Assuming the readers of this tip fall into the latter category, we'll take this opportunity to revisit a previous "lesson" on thin client patch management. This topic has come frequently of late as more organizations have moved towards Virtual Desktop Infrastructures (VDI). Unfortunately, one common benefit and misconception associated with VDI is "I don't have to patch thin clients because they are immune from exploits and that's why I bought them!". The cold hard truth (even in the heat of summer) is that you definitely need to patch and harden thin clients. Whether the thin clients run the Wyse, Linux, or Microsoft operating system, they all are capable of being updated and have mechanisms for such tasks. The vast majority if thin clients we see in operation are Microsoft based, and they generally have at least a handful of exploitable issues present during our assessments. One misconception we often hear is that because the thin clients PC device is "read-only" it cannot be exploited; however, this simply isn't true. In general, for most remote exploits to work an attacker just needs a live (vulnerable) machine that is connected to the network. Once an attacker gains control of a thin clients PC, they will retain control until that device is rebooted. Rebooting the affected device will return it to its pre-exploited state until it is exploited again. One other thing to note is that the device needs to be hardened as well, if the default credentials are used (or the use of weak credentials) the attacker can unlock the device and make permanent changes allowing persistence across reboots. Each operating system has a different mechanism for obtaining patches so be sure to research your platform and pick the appropriate method to ensure your thin clients are not your weakest links.

That's all for this condensed summer school session, now back to your summer vacation!

6/29/17

Are you done with that?

How many old computers are you storing, waiting to find a day that you will get around to cleaning that closet out? How did I know you have that old pile of computers? Because EVERYONE has a closet/basement/office that has a pile of old equipment they need to get rid of.

Data Concerns - You don't want to be the subject of the evening news, so before you throw out your equipment make sure old hard drives are securely wiped of data or physically destroyed. That includes hard drives (and now "solid state disks") in not just computers and storage arrays, but also multifunction copiers, printers, fax machines (remember those?!?), etc. Many shredding companies will destroy hard drives for a small fee and can provide a certification of destruction. For those deer hunters, a hard drive makes for a nice target to help you zero in that rifle.

For the frugal-minded, some drives can be salvaged. For ATA devices NIST recommends erasing the disk or physically destroying the disk. NIST Standard 800-88 describes what is required: http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_with-errata.pdf

Some BIOSes have the ability to invoke a "secure erase" directly, and several drive vendors have software that will do this as well.

Free "secure erase" software from CMRR: http://cmrr.ucsd.edu/people/Hughes/secure-erase.html

Caution: It is not a good idea to erase or overwrite a SCSI Drive as it may not destroy all of the readable data. Also, if the drive has stopped working don't assume data cannot be retrieved, so have those drives physically destroyed.

Environment Concerns - Old technology is full of components that aren't good for the environment, such as lead and other hazardous materials that can get into ground water or are toxic if burned. So just throwing it in the dumpster is not a good idea. Make sure to check state and local regulations on the disposal of computer equipment.

Documentation Requirements - From our friends at the FFIEC: "Management should log the disposal of sensitive media. Logs should record the party responsible for disposal, as well as the date, media type, hardware serial number, and method of disposal." (FFIEC IT Handbook, Information Security, II.C.13(c)).

Donations - After you have sanitized any customer information, consider donating old workstations to local schools or libraries.

Recycling - After you have sanitized any customer information, consider recycling your old technology. If you have a Best Buy or Staples store nearby you might ask them if they participate in their company's technology recycling program. If they do, they may take your equipment off your hands for free (don't load up an entire pickup truck and expect them to take it all; they usually have daily limits on how much they will accept). Search the internet for a local recycler in your area. Some of these recyclers have fees for taking your old items. EPA Site: http://www.epa.gov/osw/conserve/materials/ecycling/donate.htm

6/22/17

Now you see me, now you don't!

When it comes to purchasing a domain, the premise is pretty straightforward: you choose a vendor, pick your great new domain name (if it wasn't taken in 1996) and you're off and away to begin staging your website. But hidden in the marketing and domain registration information is an often overlooked but effective option. The Privatized Domain Feature can be added to help obfuscate useful information from a motivated attacker. For a nominal fee, often less than ten dollars a year, Domain Registrars offer the ability to privatize the Domain Registration Information.

The following shows a privatized domain entry for the Admin Field:

 Privatized domain entry.

The key details an attacker could use to assist them in social engineering (the Name, Phone, and Email address) have all been hidden. Now let's compare this to an example of what an entry would look like on a non-privatized registration:

 Non-privatized domain entry.

As seen in this example, the email address, phone number and name of someone who is highly likely to be in an Admin or IT role at the institution are viewable through a simple command or web search. If you have not already, 10-D Security recommends privatizing your domain registration to provide a cheap and easy security boost!
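To check your own registrations for the exposure described above, the following added example (not from the original tip) parses WHOIS text and reports which contact roles still show a Name, Phone or Email. The `Admin Name:` style field labels, the privacy marker words and both sample records are assumptions constructed for illustration; real registrar output varies.

```powershell
# Added example: decide per contact role whether a WHOIS record is privatized.
# A privatized record still lists a phone and e-mail, but they belong to the
# privacy service, so the decision is made on the Name/Organization fields.
function Get-WhoisContactExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $WhoisText,
        [string[]] $Roles = @('Registrant', 'Admin', 'Tech')
    )

    # Assumed marker words; extend with the wording your registrar's service uses.
    $privacyPattern = 'privacy|private|proxy|redacted|protected|withheld|whoisguard'

    foreach ($role in $Roles) {
        $pattern = '^\s*{0}\s+(Name|Organization|Phone|Email):\s*(.*?)\s*$' -f [regex]::Escape($role)
        $fields = [ordered]@{}
        foreach ($line in ($WhoisText -split '\r?\n')) {
            if ($line -match $pattern) { $fields[$Matches[1]] = $Matches[2] }
        }
        if ($fields.Count -eq 0) { continue }   # role not present in this record

        $label      = "$($fields['Name']) $($fields['Organization'])"
        $privatized = $label -match $privacyPattern

        $exposed = @()
        if (-not $privatized) {
            # Every populated field is something a caller or phisher could reuse.
            $exposed = @('Name', 'Phone', 'Email' | Where-Object { $fields[$_] })
        }

        [pscustomobject]@{
            Role       = $role
            Privatized = $privatized
            Exposed    = ($exposed -join ', ')
        }
    }
}

# Constructed sample records (not real registrations).
$privatizedSample = @'
Domain Name: EXAMPLE.COM
Admin Name: Registration Private
Admin Organization: Example Privacy Proxy Service
Admin Phone: +1.5555550100
Admin Email: example.com@privacy-proxy.example
'@

$openSample = @'
Domain Name: EXAMPLE.ORG
Admin Name: Pat Example
Admin Organization: Example Community Bank
Admin Phone: +1.5555550123
Admin Email: pat.example@example.org
'@

Get-WhoisContactExposure -WhoisText $privatizedSample
Get-WhoisContactExposure -WhoisText $openSample
```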

6/15/17

Where did that come from?

Last week's Weekly Security Tip put the "Aw-shoot Spotlight" on the data breach that recently occurred at Chipotle and Pizzeria Locale restaurants. They are hardly alone. Everyone knows breaches are occurring, but do you really know the recent trends and targets? (Hint: Does your organization use DocuSign?...) When investigating fraudulent card usage it is commonplace to ask the question "How did this debit/credit card get compromised?" or you may simply wonder if there were other breaches that had occurred that hadn't hit the nightly news.

There is a public source where you can research data breach information, the "Privacy Rights Clearinghouse." The organization's website has a search capability to look for specific companies, time periods, type of breach, and more. Yeah, it can be a bit disturbing (e.g., 243 breaches so far in 2017…), but it is better to be informed about what has occurred so you can defend against fraud, spear-phishing, malware, hacking, scams, etc. The information found at the site can also be useful in vendor management reviews, as well as in educating employees and customers (Did you know 132 of the 243 breaches in 2017 were related to medical/healthcare?).

Go ahead, take a deep breath and see what you find: https://www.privacyrights.org/data-breaches

6/13/17

Cat Tool Update

By now you may have heard there is an update to the Cybersecurity Assessment Tool (CAT) from FFIEC. While there were no material changes in the assessment questions, there is a change in how you can answer the questions. Instead of "Yes", "No" or "N/A", institutions can now respond with "Yes with Compensating Controls" to the assessment questions. This is designed to take into consideration risk that has been mitigated by controls not directly associated with the question. While this move may help some institutions with a few of the assessment responses, it will also allow for imaginative interpretation and creative reasoning in applying this answer. In other words, the use of "Yes with Compensating Controls" should be the exception, not the rule.

Appendix A of the CAT was updated and is a valuable resource for getting to the root cause of the question being asked.

Our CAT Reporting Tool is now on version 1.6. Let us know if you would like a complimentary copy.

6/8/17

Vacation!

The kids are out of school, the inflatable pool is warming up in the back yard, and the mosquitos are stopping by in the evening to say hello! Yes, it is finally Summer! That means it is time for the exodus to the pools and beaches. But before you hit the road for Wally World, you might take a moment to think about home and family security.

Social media is a great place to post vacation photos, but don't post them until AFTER you return home. Posting photos or comments like "We are having a great time wrastling crocs and sampling the fried gopher here in St. Oakmite, and glad we won't be back at work for another week!" might as well tell criminals "Hey, we won't be home for a few more days so help yourself to our belongings." I know, you wouldn't do that, but will your kids? If you use an "out of office" notification in your email or voicemail, you might consider not referencing vacation plans there either.

Before you hit the road, you may also consider taking all the credit cards, membership cards, i.d.'s, etc. out of your purse or wallet and take inventory. In the event your purse or wallet is lost or stolen it will be a lot easier to notify all the credit card companies and such if you know who to contact. A quick and easy way to do this is to take a photocopy of them (or a photo with your phone, IF you don't keep your phone inside your purse). Get images of both sides, since the contact info is usually on the reverse side.

Remove garage door opener remotes from vehicles parked outside or at airport lots. Most people have their home addresses somewhere in their vehicle (look in the glove compartment and see if you find your home address), and if you have a removable remote control in your car it is a simple matter for a criminal to break into the car and find your home address, then take the remote that will let them into your home.

If you have any hidden keys under a mat, behind a planter, under a rock, etc. then remove it. Most hiding spots are not as clever as we all want to believe, and a practiced criminal will find it.

Finally, do what you can to make your home look inhabited. Have a friend put out the trash, take in the newspaper (tell your kids what that is), have lights on timers, and maybe have a radio playing inside the house.

And don't forget the bug spray. Have a great trip, and send us your worst vacation photos!

6/1/17

That's an expensive burrito bowl…

While most of us were preparing for a well-deserved holiday weekend, another restaurant announced credit card data had been stolen. Chipotle determined that between the middle of March and the middle of April, most of their Chipotle locations, and many of their Pizzeria Locale stores, had credit card data stolen from them. Specific locations and dates of compromise can be found on Chipotle's website. The breach itself is fairly routine - point of sale (POS) devices were infected with malware that allowed the attackers to obtain credit card data as the information traveled through the device.

If you, like many of us, enjoyed a meal at a Chipotle or Pizzeria Locale restaurant during the affected timeframe, keep an eye on your bank statement and immediately report any fraudulent charges. It would be a shame if a bite to eat cost thousands more than the price of a burrito.

5/25/17

Always Be Skeptical

So you're sitting at your desk, doing your work. The phone rings, and a person on the other end says "This is Dave in IT. We are having issues with the network at your location, and I need you to help us figure out what's going on by running a tool on your system." Now, depending on the size of your organization, you may be familiar with all the people in the IT department, and if there is a "Dave" you may even recognize the voice. But what if you work for a big company, or otherwise aren't familiar with the IT team at all? What if the caller is representing themselves as an outside vendor, and they say that they're "helping IT?"

Your default position should always be skeptical, and here are a couple questions to help with that:

  1. Can you positively identify the person on the other end?
  2. Does it make sense for you to get an unsolicited call asking you to help with technical issues?

If the answer is "no" to either, you are empowered to SAY "no" in the moment. Offer to call them back at a known internal number, such as the company helpdesk line. If they are persistent, and you still have doubt, refuse whatever they are asking until you can positively verify that the request is legitimate. The IT team (indeed, the entire company!) would rather you err on the side of caution than give a bad guy access to your system because you ran that "tool" to be helpful.

Sadly, Caller ID is simple to spoof - there are numerous services out there that can alter what shows up on the target's phone to suit the needs of an attacker. The reason attackers do this is obvious - to make the call feel more authentic and put you at ease.

Lastly, make sure that you report ANY suspicious calls immediately. Someone else at your company may be getting the same call, and they may not be as skeptical.

5/18/17

Network Security Fundamentals Can Save the Day

This weekend, as the internet literally burned to the ground, I was reminded once again of the importance of following and implementing the fundamental concepts of network security. Instead of worrying if any of my servers would fall prey to the dreaded WannaCry worm, I slept soundly in the knowledge that basic "block and tackle" fundamentals are effective at stopping most threats, including WannaCry. I was also relieved to find that many of our customers reported no issues with regard to the latest worm to devour the internet at large. As many organizations scramble to get their networks back online, customers that followed basic best practice (and 10-D recommended!) guidelines went about their business as usual, content with the knowledge that their networks were configured to block not just the latest worm-of-the-day, but most network worms in general.

The US-CERT released a publication (Alert (TA17-132A) Indicators Associated with WannaCry Ransomware) that contained a section that was all too familiar. The "Recommended Steps for Prevention" are the same basic recommendations we make almost every day to our customers, and they are a tried and true approach to fighting off the majority of internet-based attacks. It reminds me of what my old football coach continually drilled into our heads as young players: "It's mastery of the fundamentals that win the game, basic blocking and tackling, no more no less".

Per US-CERT TA17-132A: Recommended Steps for Prevention

5/11/17

Time: It is a-tickin' BSA/AML Changes Coming!

Do you hear that sound? Is it the sound of children's laughter as the school year starts winding down and summer vacation is just around the corner? Or is it the sound of groans from BSA Officers and the clock winding down to May 11, 2018, when the requirements of Beneficial Ownership become mandatory? Sadly, it is the latter - and we all remember how fast summer vacation goes and how quickly another year flies by.

Are you ready for the requirements of Beneficial Ownership - or do you at least have it on your radar? As outlined in the new regulation, covered financial institutions are required to establish and maintain written procedures reasonably designed to 1) identify and 2) verify beneficial owners of legal entity customers. These procedures are required to be part of the financial institution's existing AML program - so this means the program must be updated and submitted to your Board of Directors for approval.

The identity of each beneficial owner of the legal entity must be known at the time a new account is opened, unless the customer is otherwise excluded (this is the regulators' way of getting you to read the fine print!). A beneficial owner is defined as an individual (not another legal entity) who directly, or indirectly, owns 25% or more of the legal entity, as well as a single individual who has significant responsibility to control, manage or direct the legal entity. This includes an executive officer or senior manager, or any other individual who regularly performs similar functions. Once you have identified the beneficial owners, you need to verify their identity according to your risk-based CIP procedures, which at a minimum, should contain those elements already covered by regulation and used to verify any other individual that opens an account with your institution.

Appendix A of the regulation includes a Certification Form that financial institutions can use to obtain beneficial ownership information. You are allowed to rely on the information supplied by the legal entity client to obtain this information, provided you have no knowledge of facts that would call into question the reliability of this information. Is your head spinning yet? Don't worry - 10-D Security is here to help you through this regulatory change. We'll post more updates and tips over the next 12 months, and are available to help with any of your BSA audit needs - just give us a call!

Interpretative guidance with respect to beneficial ownership and the new CDD rule can be found at: https://www.fincen.gov/sites/default/files/2016-09/FAQs_for_CDD_Final_Rule_%287_15_16%29.pdf

5/4/17

Vampires, Permissions, and Lessons Learned in a Google Phishing Attack

Most have probably seen the news from this week about the Google Docs phishing messages. This attack took advantage of several technical mechanisms, but most notably it relied on just asking for full access to a user's email, and the user granting permission. Bad apps are like vampires at your front door; you have to invite them in. And a lot of people opened their doors this week.

This illustrates the reason so many attacks utilize social engineering. You can have layer after layer of security in place, but if the attacker can just ask a user to let them in, and they accept, then the proverbial drawbridge gets lowered and all that security is moot. The attacker is inside.

This week's Google attack shows the dangers of giving permissions to apps, whether they be browser apps or mobile apps. Think about the apps you have installed that integrate with your Gmail or other email accounts. What are they doing with the permissions you granted them? Did that app really need to send and receive email on your behalf? Does that game really need to access your contacts list? When you mix business content with personal apps on the same device, these questions become even more important. It is one thing for an app to read your personal email, but what if you have work email on your phone as well…can the app read that as well?

Some essential lessons to be learned from this week's phishing attacks are:

4/27/17

Information Security-Keep Your Eye on the Ball!

Like a batter at the plate, Information Security Professionals must always keep their eye on the ball. Whether facing off against the other team's ace pitcher (Hacker) who has a vast number of pitches (attack methods) available, or a rookie with a limited arsenal, the batter must be ready for every pitch being thrown to him. Sometimes this requires a last-minute swing adjustment in order to make contact and send the ball over the fence - or the pitch will "penetrate" the batter's defenses for a strike.

InfoSec Professionals cannot strive for a success rate similar to the best hitters in baseball - while .300 is a great batting average, it's a terrible rate of stopping attacks. The opposing pitcher does not always need to get three strikes, just one. And unfortunately, InfoSec Professionals do not generally get winters off and a spring training to shake the rust off.

One lesson that can be taken from the best hitters is that they are ALL studying their opponents. For you, this means researching the latest attack vectors and figuring out how they may apply to your institution. Look at the KB articles posted by Microsoft and other vendors, and see if there are any patches that need to bypass your normal patching process and be applied immediately. Above all, keep grinding out at-bats day after day. Keeping your network secure may feel like a chore, but would you rather be writing a breach report?

It is the bottom of the ninth; we hope we did not intentionally walk you away from this article with all the puns. But following these steps can have you hitting for the cycle against would-be attackers.

4/20/17

"Skimm'y Dippers spotted in KC Metro Area"

Exactly a week ago, news came out that three bank ATMs in the KC metro area had been compromised with a skimming device. It was estimated that over one hundred accounts were affected, and thousands were stolen before the culprits were arrested.

Skimmers pose a serious threat as they don't need to be installed long to be effective, and they are easily obtained from dark web storefronts. The Kansas City Star reported one ATM only had the device installed for two hours, but was still able to steal information from 44 customers.

In light of this news 10-D Security wanted to send out a refresher for some tips on securing ATM devices.

Recommendations for protecting your ATMs from Skimming devices:

4/12/17

Protect Those Eggs!

Easter is here. Soon many children will be searching high and low for Easter Eggs and collecting their treats in colorful baskets. If you have ever tried to get a child to part with their basket full o' goodies, you generally have learned that that is not a task without peril. They will guard that basket like their life depends on it. Seriously…take their candy and they will mess you up.

Virtual server technology is like that proverbial concept of "All your eggs in one basket." You take many of your most valuable assets (servers), and put them all in a small number of special baskets (Virtual Hosts). Once you have all these servers in one place, you need to guard them carefully. Virtual Hosts, like VMware and Hyper-V servers, need care and feeding, even more so because they have all the "eggs." They do their job quietly, so often it is easy to overlook them. Some important things to remember are:

Remember, having all your eggs in one basket can simplify things and make it easier to secure your servers. Just make sure you guard that basket with the intensity of a 3-year-old protecting their favorite candy!

4/6/17

Golden Tickets that don't come with a candy bar.

As attackers, our goals are often defined as "getting domain admin", as this is recognized as gaining access to the highest levels of an institution's Active Directory infrastructure. During an engagement we will often create a new "Domain Admin" account to prove that we have gained unrestricted control of the domain; often we do this just to see if an organization will detect this activity in a realistic time frame. But as attackers our methodologies change often as new techniques are discovered and new tools are created. When encountering an organization that we feel has a mature security model, we will often forgo creating a new "Domain Admin" account (which is noisy and leaves lots of log entries) and opt instead to create a "Golden Ticket". This "Golden Ticket" is a forged Kerberos "ticket granting ticket" and allows an attacker to use any AD account to gain administrative access to resources. So instead of creating a new "Domain Admin" account, we just use any regular user account to do basically whatever we want, with very few traces of activity. The really scary part about having a "Golden Ticket" is that as attackers we can come back over and over to re-compromise the domain. Even if ALL user accounts have been reset, we just issue ourselves a new Kerberos access token as anyone we want.

Microsoft has acknowledged this issue and stated that it is not really a flaw; it's just how Kerberos works. No patches can be applied to prevent this, but changing the password for the built-in KRBTGT account on a regular basis will render any existing tickets null and void. Microsoft has very good documentation of this and has released a script for changing the KRBTGT account password; they recommend changing it often.

You can download the script and read more about mitigating the "Golden Ticket" issue here:

https://blogs.microsoft.com/microsoftsecure/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/
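To see how overdue a KRBTGT password change is, the following added example (not Microsoft's reset script and not from the original tip) reports the password age of every KRBTGT account in each domain of the forest. It assumes the ActiveDirectory module (RSAT) is installed; the function name and the 180-day threshold are assumptions to be replaced with your own policy.

```powershell
# Added example: report how old each KRBTGT password is, per domain.
# Read-only; it does not change any password.
Import-Module ActiveDirectory

function Get-KrbtgtPasswordAge {
    [CmdletBinding()]
    param(
        [int] $MaxAgeDays = 180   # assumed policy threshold, not a Microsoft value
    )

    $now = Get-Date

    # Each domain has its own KRBTGT key, so a ticket forged in one domain is
    # only addressed by a reset in that domain. Check them all.
    foreach ($domain in (Get-ADForest).Domains) {
        try {
            # 'krbtgt' is the domain account; 'krbtgt_NNNNN' accounts belong to
            # read-only domain controllers and have their own passwords.
            $accounts = Get-ADUser -Server $domain `
                                   -Filter "SamAccountName -like 'krbtgt*'" `
                                   -Properties PasswordLastSet `
                                   -ErrorAction Stop
        }
        catch {
            Write-Warning "Could not query ${domain}: $_"
            continue
        }

        foreach ($acct in $accounts) {
            $age = $null
            if ($acct.PasswordLastSet) {
                $age = [int][math]::Floor(($now - $acct.PasswordLastSet).TotalDays)
            }

            [pscustomobject]@{
                Domain          = $domain
                Account         = $acct.SamAccountName
                Scope           = if ($acct.SamAccountName -eq 'krbtgt') { 'Domain' } else { 'RODC' }
                PasswordLastSet = $acct.PasswordLastSet
                AgeDays         = $age
                # An unknown age is treated as overdue so it gets looked at.
                Overdue         = ($null -eq $age) -or ($age -gt $MaxAgeDays)
            }
        }
    }
}

Get-KrbtgtPasswordAge | Sort-Object AgeDays -Descending | Format-Table -AutoSize
```

A domain accepts tickets signed with both the current and the previous KRBTGT key, so a forged ticket only stops working once the password has been changed twice.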

3/30/17

A Hack of 500 Million Yahoo Accounts Starts with a Single Click

In 2014, hackers associated with Russia succeeded in breaching Yahoo's network and gaining unfettered access to the entire Yahoo user base. Over 500 million users' data was exposed and it took almost two years for the full extent of the breach to become apparent. According to FBI documents, the attacker's access began with a single click on a phishing email sent to a Yahoo employee. From that one workstation, attackers moved inside the network and found the tools that granted them access to customer data and the rest, as they say, is now history.

This very public story, and its roots in a single user falling for an email attack, starkly demonstrates the ease with which attackers can breach a network. With all the media hype about "zero-day" vulnerabilities and secret government hacking tools, the reality is that simple social engineering/phishing tactics generally open any doors an attacker needs.

The one bright side to this fact is that the defenses against this type of attack are well known, though not always easy to implement.



Older Security Tips can be requested at info@10dsecurity.com