Heads Up, ICS & SCADA Folks, Especially!

Remotely exploitable vulnerabilities have been identified and published in NTP (the Network Time Protocol). NTP is often a CRITICAL protocol/service for ICS environments and is widely deployed across many control networks.

The fix currently appears to be an upgrade to 4.2.8 or later.

This should be considered a HIGH PRIORITY for critical infrastructure networks. Exploits are expected, since this is an unauthenticated, remotely triggered buffer overflow that should be easy to incorporate into existing exploit kits.

Please let us know if we can assist you in any way. Stay safe out there! 

Update: 12/19/14 2pm Eastern – According to this article, exploits are now publicly available.
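As an added example (not code from the original post or from MSI), here is a small Python triage helper that parses the version stamp printed by `ntpd --version`, or returned in the `version` field of `ntpq -c rv`, and flags any host reporting a release older than 4.2.8; the hostnames and banners are constructed sample data.

```python
import re

# Minimum fixed release named in the post (4.2.8 with no patch level).
MIN_FIXED = (4, 2, 8, 0)

# Matches the version stamp ntpd prints ("ntpd 4.2.6p5@1.2349-o ...") and
# the version="..." field returned by "ntpq -c rv".
_VERSION_RE = re.compile(r"ntpd\s+(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_ntpd_version(text):
    """Return (major, minor, micro, patch) from ntpd version text, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, micro, patch = m.groups()
    # A release without a "pN" suffix sorts before its first patch release.
    return (int(major), int(minor), int(micro), int(patch or 0))


def is_vulnerable_version(text):
    """True when the reported ntpd is older than 4.2.8; None when unparseable."""
    v = parse_ntpd_version(text)
    if v is None:
        return None
    return v < MIN_FIXED


def triage(hosts):
    """Sort hosts into needs_upgrade / ok / unknown buckets."""
    result = {"needs_upgrade": [], "ok": [], "unknown": []}
    for host, banner in hosts.items():
        verdict = is_vulnerable_version(banner)
        if verdict is None:
            result["unknown"].append(host)
        elif verdict:
            result["needs_upgrade"].append(host)
        else:
            result["ok"].append(host)
    return result


# Constructed sample output, as would be collected by running
# "ntpd --version" or "ntpq -c rv" on each host (hostnames are made up).
SAMPLE_HOSTS = {
    "hmi-01": "ntpd 4.2.6p5@1.2349-o Fri Jul 22 17:30:51 UTC 2011 (1)",
    "historian": 'version="ntpd 4.2.8p1@1.3265-o Thu Feb  5 13:05:27 UTC 2015 (1)"',
    "plc-gw": "ntpd 4.2.7p485@1.2483-o Wed Nov 19 12:00:00 UTC 2014 (1)",
    "eng-ws": 'version="ntpd 4.2.8@1.3265-o Fri Dec 19 22:00:00 UTC 2014 (1)"',
    "old-box": "command not found",
}

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_HOSTS).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Note that 4.2.7pNNN builds are development snapshots that predate 4.2.8 and are therefore flagged as needing the upgrade.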

My Thoughts of Raising Teenagers While Protecting Their Online Privacy

As a parent of teenagers, it can be a complicated and sometimes mortifying world when you try to allow a teenager a small measure of personal “freedom” of expression, letting them be curious and discover new things, while also protecting their online privacy from those who may do them harm. In this blog segment I will share some of my thoughts on what we as parents can do to help our children in the ever-evolving world that is the internet.

To start off with, I suppose we first need to look at the child’s age, and I’m not speaking of their numeric age but rather their level of maturity. So when my wife and I decide what applications (apps) our children may download, it depends heavily on the content of the application, but also on the child’s maturity level. Who would want a scary game or a very provocative application to be seen or played by a minor, especially if it is something that you fundamentally don’t agree with as a parent? Let alone a game or app with sexual overtones that is going to be played by your teenager for hours on end. Now I am not saying that they don’t hear it and see it in the world that we live in; I am not naive. But why put it on a silver platter and feed it to them? Those things can wait a bit longer, especially if we are talking about the difference between a thirteen-year-old and a seventeen-year-old. True, it is only four years, but developmentally and cognitively there are vast differences between them, particularly in their ability to make intelligent decisions, as I am sure many of you would agree!

So let’s start with the basics: remember that you are the parent, and a good dose of common sense goes a long way. With that, we all need to be able to reach our children, so perhaps you want to be able to track where your child is and, more importantly, confirm that they are where they say they are. Have no fear, there are apps for that, and most if not all smartphones have GPS built right in. Apps like Find My iPhone and Find My Friends can be quite helpful. Perhaps you want to limit the amount of time that a child spends online or limit the sites they can access; there are apps for that too. Apps such as Screentime and DinnerTime Parental Control offer you the ability not only to limit their screen time, but also to limit how much they are texting and playing games, all in an effort to help them refocus on homework, chores or quality time with the family. Some parents may elect to take it a step further and want to track who their child is communicating with, read emails, and see all the pictures that are sent, received and, perhaps more importantly, deleted. They can do so with an app called Teensafe. I know this one sounds a bit like Big Brother, but if your child is being bullied, abused, or dating without your knowledge, some parents want the ability to intervene more quickly, especially if the child isn’t as forthcoming as the parent feels they should be.

Next comes the security of the websites and the apps themselves. I think we as parents have a responsibility to protect our children, and that responsibility should include a healthy dose of cynicism. To that end, go through each setting on every app or website that you or your child loads onto their device(s), turning the security settings on or off as you feel is appropriate for your child. Let’s say we allow our child to use a social media website or app: we certainly wouldn’t want a thirteen-year-old exposed to the entire world when all they want to do is connect with their friends. That would potentially expose them to threats that you may not recognize as threats until it is too late. So go through those settings, turn off some of those features, and lock it down to a level you as a parent are comfortable with. It may seem like just a simple click of a button, but believe me, it is a very important step in ensuring your child’s online safety.

Finally, remember that you may not want to give your child the ability to download apps or change the settings on their devices, so keeping a record of all of their passwords, perhaps in a password vault such as 1Password, would be in order. You would do this for two reasons: first, to make sure that they are using a strong password and, where possible, to also turn on two-step verification; and second, to make sure that they don’t forget the password they just created, because a good password should be challenging, otherwise it’s pointless. Please remember you are in charge and ultimately responsible for the safety of your child, both at home and online. Secure as much as you can, where you can. So let’s be safe out there!

It should be noted that some of the apps mentioned above are free, some are open source, and some come at a cost to the consumer. It is up to you to research these applications and see what best fits your security needs.

In no way do we endorse the applications presented in this article; we are simply noting that they may be options for you to consider for your device. Your particular security needs for your device are up to you to decide. Be safe out there.

This post by Preston Kershner.

Daily Log Monitoring and Increased Third Party Security Responsibilities: Here They Come!

For years now we at MSI have extolled the security benefits of daily log monitoring and reciprocal security practices between primary and third party entities present on computer networks. It is constantly being proven true that security incidents could be prevented, or at least quickly detected, if system logs were properly monitored and interpreted. It is also true that many serious information security incidents are the result of cyber criminals compromising third party service provider systems to gain indirect access to private networks.

I think that most large-network CISOs are well aware of these facts. So why aren’t these common security practices right now? The problem is that implementing effective log monitoring and third party security practices is plagued with difficulties. In fact, implementation has proven to be so difficult that organizations would rather suffer the security consequences than put these security controls in place. After all, it is cheaper and easier – usually – unless you are one of the companies that get pwned! Right now, organizations are gambling that they won’t be among the unfortunate – like Target. A fool’s paradise at best!

But there are higher concerns in play here than mere money and efficiency. What really is at stake is the privacy and security of all the system users – which one way or another means each and every one of us. None of us likes to know our private financial or medical or personal information has been exposed to public scrutiny or compromise, not to mention identity theft and ruined credit ratings. And what about utilities and manufacturing concerns? Failure to implement the best security measures among power concerns, for example, can easily lead to real disasters and even loss of human life. Which all means that it behooves us to implement controls like effective monitoring and vendor security management. There is no doubt about it. Sooner or later we are going to have to bite the bullet. 

Unfortunately, private concerns are not going to change without prodding. That is where private and governmental regulatory bodies are going to come into play. They are going to have to force us to implement better information security. And it looks like one of the first steps in this process is being taken by the PCI Security Standards Council. Topics for their special interest group projects in 2015 are going to be daily log monitoring and shared security responsibilities for third party service providers.

That means that all those organizations out there that foster the use of or process credit cards are going to see new requirements in these fields in the next couple of years. Undoubtedly similar requirements for increased security measures will be seen at the governmental level as well. So why wait until the last minute? If you start now implementing not only effective monitoring and third party security, but other “best practices” security measures, it will be much less painful and more cost effective for you. You will also be helping us all by coming up with new ways to practically and effectively detect security incidents through system monitoring. How about increasing the use of low noise anomaly detectors such as honey pots? What about concentrating more on monitoring information leaving the network than on what comes in? How about breaking massive networks into smaller parts that are easier to monitor and secure? What ideas can you come up with to explore?

This post written by John Davis.

Tips for Writing Security Policy

Almost all organizations dread writing security policies. When I ask people why this process is so intimidating, the answer I get most often is that the task just seems overwhelming and they don’t know where to start. But this chore does not have to be as onerous or difficult as most people think. The key is pre-planning and taking one step at a time.

First you should outline all the policies you are going to need for your particular organization. Now this step itself is what I think intimidates people most. How are they supposed to ensure that they have all the policies they should have without going overboard and burdening the organization with too many and too restrictive policies? There are a few steps you can take to answer these questions:

  • Examine existing information security policies used by other, similar organizations and open source information security policy templates such as those available at SANS. You can find these easily online. However, you should resist simply copying such policies and adopting them as your own. Just use them for ideas. Every organization is unique and security policies should always reflect the culture of the organization and be pertinent, usable and enforceable across the board.
  • In reality, you should have information security policies for all of the business processes, facilities and equipment used by the organization. A good way to find out what these are is to look at the organization’s business impact analysis (BIA). This most valuable of risk management studies will include all essential business processes and equipment needed to maintain business continuity. If the organization does not have a current BIA, you may have to interview personnel from all of the different business departments to get this information.
  • If the organization is subject to information security or privacy regulation, as financial institutions or health care concerns are, you can easily download all of the information security policies mandated by these regulations and ensure that you include them in the organization’s security policy.
  • You should also familiarize yourself with the available information security guidance such as ISO 27002, NIST 800-35, the Critical Security Controls for Effective Cyber Defense, etc. This guidance will give you a pool of available security controls that you can apply to fit your particular security needs and organizational culture.

Once you have the outline of your security needs in front of you, it is time to start writing. You should begin with broad-brush-stroke, high level policies first and then add detail as you go along. Remember that information security policy really includes policies, standards, guidelines and procedures. I’ve found it a very good idea to write policy in just that order.

Remember to constantly refer back to your outline and to consult with the business departments and users as you go along. It will take some adjustments and rewrites to make your policy complete and usable. Once you reach that stage, however, it is just a matter of keeping your policy current. Review and amend your security policy regularly to ensure it remains usable and enforceable. That way you won’t have to go through the whole process again!

This post by John Davis.

My Time as a HoneyPoint Client

Prior to joining MicroSolved as an Intelligence Engineer, I was the Information Security Officer and Infrastructure Manager for a medical management company.  My company provided medical care and disease management services to over 2 million individuals.  Throughout my tenure at the medical management organization, I kept a piece of paper on my bulletin board that said “$100,000,000”.


Why “$100,000,000”?  At the time, several studies demonstrated that the average “street value” of a stolen medical identity was $50.  If each record was worth $50, that meant I was responsible for protecting $100,000,000 worth of information from attackers.  Clearly, this wasn’t a task I could accomplish alone.


Enter: MicroSolved & HoneyPoint


Through my membership with the Central Ohio Information Systems Security Association, I met several members of the MicroSolved team.  I engaged them to see if they could help me protect my organization from the aforementioned attackers.  They guided me through HIPAA/HITECH laws and helped me gain a further understanding of how I could protect our customers.  We worked together to come up with innovative solutions that helped my team mitigate a lot of the risks associated with handling/processing 2 million health care records.


A core part of our solution was to leverage the use of HoneyPoint Security Server.  By using HoneyPoint, I was able to quickly gain visibility into areas of our network that I was often logically and physically separated from.  I couldn’t possibly defend our company against every 0-day attack.  However, with HoneyPoint, I knew I could quickly identify any attackers that had penetrated our network.


Working for an SMB, I wore many hats.  This meant that I didn’t have time to manage another appliance that required signature updates.  I quickly found out that HoneyPoint didn’t require much upkeep at all.  A majority of my administrative tasks surrounding HoneyPoint were completed when I deployed agents throughout our LAN segments that mimicked existing applications and services.  I quickly gained the real-time threat analysis that I was looking for.


If you need any assistance securing your environment or if you have any questions about HoneyPoint Security Server, feel free to contact us by sending an email to: info@microsolved.com.


This post contributed by Adam Luck.

Here’s Why You Don’t Want RDP on the Internet

For those of you that are unfamiliar with the HITME project, it is a set of deployed HoneyPoints that gather real-world, real-time attacker data from around the world. The sensors gather attack sources, frequency, targeting information, vulnerability patterns, exploits, malware and other crucial event data for the technical team at MSI to analyze. We frequently feed these attack signatures into our vulnerability management service to ensure that our customers are tested against the most current forms of attacks being used on the Internet.

It’s also important that we take a step back and look at our HITME data from a bird’s-eye view to find common attack patterns. This allows us to give our customers a preemptive warning in the event that we identify a significant increase in a specific threat activity. We recently analyzed some of the data that we collected during the month of November. We found that over 47% of the observed attacks in the public data set were against the Remote Desktop Protocol (RDP) (often also known as Microsoft Terminal Services). This was more than attacks against web servers, telnet servers and FTP servers combined!

Be sure that all recommended security measures are applied to RDP systems. This should include requiring the use of RDP clients that leverage high levels of encryption. If you need any assistance verifying that you are protected against attacks against your terminal servers, feel free to contact us by sending an email to info(at)microsolved(dot)com.

This post by Adam Luck.

Hacktivism on the Rise

With all of the attention to the Ferguson case and the new issues around the public response to the New York Police Department Grand Jury verdict, your organization should expect to be extra vigilant if you have any connection to these events. This could include supply chain/vendor relationships, locations or even staff members speaking out publicly about the issues. 

Pay careful attention to remote access logs, egress traffic and malware detections during the ongoing social focus on these issues and press coverage.

As always, if MSI can be of assistance to you in any security incident, please don’t hesitate to let us know! 

Remember, Log Analysis is Important, Especially Now

Remember, during the holiday season, attacks tend to increase and so do compromises. With vacations and staff parties, monitoring the logs and investigating anomalies can quickly get forgotten. Please make sure you remain vigilant during this time and pay close attention to logs during and just after holiday breaks.

As always, thanks for reading and we wish you a safe and happy holiday season!

Newsletter Issues for November’s Take Five

Dear readers of Take Five with MSI,

Due to a problem with the mail delivery system for the newsletter, we are unable to send out the monthly newsletter before the end of the month. We have opened a trouble ticket with the provider, but they will not be available to assist us until next week, due to the holiday. 

We apologize for the inconvenience and thank you, in advance, for your patience. We love that you enjoy our newsletter and we hope to have it delivered to you shortly.

Please feel free to follow us on Twitter (@microsolved) for the latest security news, blog announcements and conversations.

Thanks again!