Network Knowledge and Segmentation

If you look at most current network security guidance, job #1 can be paraphrased as “Know Thy Network.” It is firmly recommended (and in much regulatory guidance demanded) that organizations keep up-to-date inventories of the hardware and software assets present on their networks. The current recommendation goes further: organizations should use tooling that not only maintains those inventories but continuously monitors the network with the aim of detecting any device or application that should not be there.

Another part of network knowledge is mapping data flows and trust relationships on the network, and mapping which business units use which IT resources and information. For this knowledge, I like to go to my favorite risk management tool: the Business Impact Analysis (BIA). In this process, input comes from personnel across the enterprise detailing what they do, how they do it, what resources they need, what input they need, what output they produce and more (see MSI blog archives for more information about BIA and what it can do for your information security program).

About now you are probably asking what all this has to do with network segmentation. The answer is that you must know where your network assets are, who needs access to them and how data moves between them before you can segment the network intelligently and effectively. It can be summed up in one phrase: need to know. Need to know is the basis of access control, and access control is what network segmentation is about. You do not want anyone on your network to “see” information assets they do not need in order to perform their business functions, and by the same token you do not want people cut off from assets they do need to do their jobs. That is why network knowledge and network segmentation go hand in hand.

Proper network knowledge becomes even more important when you take the next step in network segmentation: enclaving. I will discuss segmentation versus enclaving in my next blog later this month.

Why Segment Your Network?

Network segmentation is the practice of splitting your computer network into subnetworks or network segments (also known as zoning). This is typically done using combinations of firewalls, VLANs, access controls and policies and procedures. Implementing network segmentation requires planning and effort, and it can cause some teething problems along the way. So why should it be done?

The number one reason is to protect the security of your network resources and information. When people first started to defend their homes and enterprises from attack, they built perimeter walls and made sure everything important was inside of those walls. They figured doing this would keep their enemies outside where they couldn’t possibly do any damage. This was a great idea, but unfortunately it had problems in the real world.

People found that the enemy only had to make one small hole in their perimeter defenses to be able to get at all of their valuables. They also realized that their perimeter defense didn’t stop evil insiders from wreaking havoc on their valuables. To deal with these problems, people started to add additional layers of protection inside of their outer walls. They walled off enclaves inside the outer defenses and added locks and guards to their individual buildings to thwart attacks.

This same situation exists now in the world of network protection. As network security assessors and advisors, we see that most of the networks we deal with are still “flat”: they are not really segmented, and host-level access controls alone are left to prevent successful attacks. But in the real world, hacking into a network is all about gaining a tiny foothold, then leveraging that access to move laterally. The harder it is for an attacker to see the resources they want and to reach them, the safer those resources are. In addition, every segment boundary an attacker must cross is another place where the traffic can be filtered and logged, so the more boundaries they cross, the more likely they are to be detected. Segmentation also works against the insider: an employee on the user VLAN is subject to the same filtering as an Internet-based attacker who has compromised that employee’s workstation, and a connection attempt from a workstation to a database port can be blocked and alerted on in both cases.

Increased security is not the only advantage. Well-implemented segmentation can actually reduce network congestion rather than add to it, because each segment is a smaller broadcast domain with fewer hosts and therefore less local broadcast traffic. Segmentation also helps you contain problems by limiting the effects of local failures (a broadcast storm, a rogue DHCP server, a misbehaving host) to the segment on which they occur. The caveat is that traffic which used to be switched locally now crosses a router or firewall, so those choke points must be sized and monitored for the inter-segment flows you have decided to permit.
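As an added illustration (not part of the original post, and not MSI code), the following Python models a need-to-know segmentation policy: hosts are classified into zones by address range, inter-zone traffic is denied unless an explicit (source zone, destination zone, protocol, port) entry permits it, and a set of constructed flow records is audited against the policy. The zone names, address ranges, ports and flow records are hypothetical; on a flat network every one of the flagged flows would simply be allowed.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Hypothetical zones and address ranges; anything that matches no zone is
# treated as "internet".
ZONES = {
    "dmz":     ["203.0.113.0/24"],
    "users":   ["10.10.0.0/16"],
    "servers": ["10.20.0.0/16"],
    "db":      ["10.30.0.0/24"],
    "mgmt":    ["10.99.0.0/24"],
}
_NETS = [(ipaddress.ip_network(c), z) for z, cidrs in ZONES.items() for c in cidrs]

# Need-to-know policy: inter-zone flows are denied unless listed here.
# Keys are (source zone, destination zone); values are the permitted
# (protocol, destination port) pairs.  The services are hypothetical.
ALLOWED = {
    ("internet", "dmz"):  {("tcp", 443)},                # public web front end
    ("dmz", "servers"):   {("tcp", 8443)},               # front end -> app tier
    ("users", "dmz"):     {("tcp", 443)},
    ("users", "servers"): {("tcp", 443), ("tcp", 445)},  # intranet apps, file shares
    ("servers", "db"):    {("tcp", 5432)},               # app tier -> database
    ("mgmt", "dmz"):      {("tcp", 22)},                 # admin access from jump hosts only
    ("mgmt", "servers"):  {("tcp", 22)},
    ("mgmt", "db"):       {("tcp", 22)},
}


def zone_of(ip):
    """Longest-prefix match of an address against ZONES."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, zone in _NETS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    return best[1] if best else "internet"


def permitted(flow):
    """Decide one flow under the policy; returns (allowed, reason)."""
    src, dst = zone_of(flow.src), zone_of(flow.dst)
    if src == dst:
        return True, f"intra-zone traffic within {src}"
    service = (flow.proto.lower(), flow.dport)
    if service in ALLOWED.get((src, dst), set()):
        return True, f"{src}->{dst} {service[0]}/{service[1]} is on the allow list"
    return False, f"{src}->{dst} {service[0]}/{service[1]} is not on the allow list (default deny)"


def audit(flows):
    """Return the flows the policy would block, each with its reason."""
    blocked = []
    for flow in flows:
        ok, reason = permitted(flow)
        if not ok:
            blocked.append((flow, reason))
    return blocked


# Constructed flow records, as they might be summarised from NetFlow or
# firewall logs.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "203.0.113.10", "tcp", 443),   # internet -> DMZ web: ok
    Flow("10.10.5.5",    "10.20.1.10",   "tcp", 445),   # workstation -> file server: ok
    Flow("10.20.1.10",   "10.30.0.7",    "tcp", 5432),  # app server -> database: ok
    Flow("10.10.5.5",    "10.30.0.7",    "tcp", 5432),  # workstation straight to database: no need to know
    Flow("203.0.113.10", "10.10.5.5",    "tcp", 445),   # DMZ host reaching inward: the pivot an attacker wants
    Flow("10.10.5.5",    "10.99.0.3",    "tcp", 22),    # workstation -> management network: no need to know
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"BLOCK {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

Three of the six sample flows are blocked, and each of them is a lateral-movement step (workstation to database, DMZ host back into the user network, workstation into management). Running a policy like this against real flow records before cutting over is a cheap way to find the legitimate flows the BIA missed without breaking anything.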

The business reasons for implementing network segmentation are becoming more apparent every day. Customers increasingly demand better information security from the businesses they employ, and vendor security questionnaires and audits routinely ask whether sensitive systems are segmented from the rest of the network. Given a choice between two otherwise similar companies, customers will tend to pick the one with better security, and being able to show that your network is segmented and controlled can materially improve your chances.

Election Hacking

There has been a lot of talk in the news lately about election hacking, especially about the Russian government possibly attempting to subvert the upcoming presidential election. And I think that in a lot of ways it is good that this has come up. After all, voting systems are based on networked computer systems. Private election and campaign information is stored and transmitted on networked computer systems. That means that hacking can indeed be a factor in elections, and the public should be made well aware of it. We are always being told by ‘authorities’ and ‘pundits’ what is and is not possible. And generally we are gullible enough to swallow it. But history has a lot of lessons to teach us, and one of the most important is that the ‘impossible’ has a nasty way of just happening.

Authorities are saying now that because of the distributed nature of voting systems and redundancies in voting record-keeping, it would be virtually impossible for an outside party to rig the numbers in the election. But that is just the direct method of affecting an election. What about the indirect methods? What would happen, for instance, if hackers could just cause delays and confusion on Election Day? If they could cause long lines in certain voting districts and smooth sailing in others, couldn’t they affect the number of Democratic votes versus Republican votes? We all know that if there is a hassle at the polls, a lot of people will just give up and go home. And this is just one way that elections could be affected by hacking. There are bound to be plenty of others.

With this in mind, isn’t it wise to err on the side of caution? Shouldn’t we as a people insist that our voting systems are secured as well as is possible? Don’t we want to consider these systems to be ‘vital infrastructure’? These are the reasons I advocate instituting best practices as the guidance to be used when securing electronic voting systems. Systems should be configured as securely as possible, associated communications should be robust, authenticated and encrypted, risk should be assessed and addressed before the election, monitoring should be strictly followed and incident response plans should be practiced and ready to go. These efforts would be one good way to help ensure a fair and ‘hacker free’ election.

How to Build an Information Security Program

Organizations have a lot of trouble with information security programs:

  • They don’t really understand why modern businesses must have effective information security programs or how to properly integrate them into their present business models.
  • They don’t truly understand the complexities of modern computer and communications systems and so have no gut instinct for how to secure them. They therefore must trust information security pundits and service providers, even though they get lots of contradictory and confusing advice.
  • They spend a lot of money buying all kinds of security devices and services and they find that their information security program is still full of holes and problems.
  • And after all of this, they find that they are constantly being asked for even more money to buy even more devices and services.

Sound familiar? Who wouldn’t become frustrated and cynical?! So my advice is: whenever a problem becomes seemingly too complex to tackle, go back to the beginning and start from first principles.

What exactly are you trying to protect? Have you identified and prioritized the business functions, information, devices and infrastructure that you need in order to run smoothly as an organization? If not, that should be your first priority. You should record and prioritize every business function needed to run your organization. You should also ensure that you keep accurate inventories of critical software applications and hardware devices. In addition, you should know exactly how information flows into, out of and around your network and what trusts what. If you don’t know exactly what you have, how can you protect it effectively, and what is more, economically?

Do you have effective mechanisms in place to limit access to your systems and information? You need to limit access to only those individuals who have a real need for it (something you have just quantified by taking care of the first step outlined above). That means you must configure your systems to require user authentication, enroll and disenroll users correctly, properly identify those seeking access, and have access management plans in place to oversee the whole process.

Have you leveraged your most valuable information security asset: your employees? Machines can only aid people in information security matters; they can never replace them. If you properly train your employees and, more important, give them a real stake in the information security program, the return will astound you. Make them understand how valuable they are to the organization and ask for their help in security matters. Make information security training a fun thing and pass out kudos and small rewards to those who help the program. This can save you big money on automated security systems that just don’t perform as advertised.

Are you storing and transmitting information securely? For most organizations, information is their most valuable asset. If this is true of your organization, you should ensure that you properly protect it when it is moving or just sitting in storage. You should classify information for type and sensitivity and protect it accordingly. Spare no expense in protecting the really important info, but why waste time and money encrypting or otherwise protecting minor information that is of little consequence if revealed?

Do you know what is happening on your systems? Computer networks and the processes and people controlling them must be effectively monitored. Organizations should employ effective tools to monitor, parse and consolidate events and log data on their networks. But these should only be tools to aid humans in making this task manageable; they can never actually replace the human element. In addition, management personnel at all levels of the organization should have processes in place to ensure that security policies and procedures are current, effective and enforced. If you perform these tasks correctly, the most difficult part of incident response – incident identification – is also taken care of.

Do you test your security measures? You can never really tell how effective an information security program is without testing it. There are many tools, vulnerability scanners among them, that test your network for security weaknesses such as configuration errors, access holes and out-of-date systems. You should employ these mechanisms regularly and fix the holes they uncover in priority order. You should also consider other kinds of security tests such as penetration testing, application testing and social engineering exercises. These will help you understand not only where the holes are, but how well your systems and personnel cope with them.

These processes are the foundation of an effective information security program. If you build these strongly, other information security processes such as incident response, business continuity and vendor management will be well supported. If you skimp on these most basic steps, then your information security program will likely collapse of its own weight.

Incident Response & Business Continuity – Planning and Practice Make Perfect

Computer systems and networks are irrevocably woven into the fabric of business practices around the world; we quite literally cannot do without them. What’s more, our lives and our business practices become more dependent on these devices every day. Unfortunately, this makes computer networks the number one criminal playground in the modern world.

Although computer security technology and processes are becoming increasingly effective, cyber-criminals have more than kept pace. Every year the number of computer security compromises increases. Cyber-attacks are becoming more sophisticated and can originate from anywhere with Internet connectivity. It should also be remembered that cyber-criminals only have to succeed in one of their attacks to win, while businesses must successfully defend against every attack, every time. The upshot of all this is that every business is increasingly likely to experience some kind of cyber-attack. That is why regulators and security professionals have been pushing businesses to increase the scope and effectiveness of their incident response capabilities in recent years.

To counter modern cyber-incidents effectively, organizations must respond quickly and in an accurate, pre-determined manner. IR teams must determine and document the specific actions to be taken when common information security events occur, and responsibility for performing each of these incident response procedures should be assigned to named team members. Once detailed procedures for addressing common incidents have been completed, the IR team should review them and walk through response scenarios on a recurring basis (at least twice annually is recommended). It is an unfortunate truth that incident response is a perishable skill and must be practiced regularly to remain effective.

This same advice applies to business continuity/disaster recovery plans; structurally they are the same thing as incident response: a pre-planned, practiced reaction to a disruptive event. Whether your business is facing a flood, a tornado, a cyber-attack or an employee error, the damage can be lessened if you have effective, pre-planned responses that everyone involved knows and has practiced regularly. So why not exercise IR and BC/DR together? It minimizes the time personnel are away from their regular duties and maximizes the value of their training.

Business Size Affects Security Flexibility

In the realm of cyber-security, most of the advantages are with the attacker. To be successful, defenders have to guard against and defeat all possible attack types all of the time; attackers only need to find one hole in those defenses to win the game. That is why information security programs need to be dynamic and flexible in order to work properly.

I have worked with all types and sizes of organizations during my years in the information security field, including government agencies, regulatory bodies, retail concerns, service providers, financial institutions and medical organizations. No matter what kind of organization I am working with, I have found it to be an immutable truth that the larger and more complex the organization, the more difficult and time consuming it is to make changes to their information security program. It’s not really anybody’s fault; it’s just the nature of the beast. Bigger organizations have more checks and balances to deal with, more personality clashes to arbitrate, more committees to wrestle with and more ‘rice bowls’ to protect. However, this is no reason to throw up our hands and admit defeat. Now is the time to recognize that we have a problem and try to find ways to work around it.

One idea I wish to propose in this regard is the ‘top-down, bottom-up’ approach to information security. First, the people in top positions in large organizations need to be made fully aware that a real problem exists and how serious it is. They also need to be made aware of the business advantages of a flexible and effective information security program. Most important of all, they need to be willing to visibly show their full support for the program and the changes that are to come. After all, no organizational security initiative can get very far without full buy-in at the Board Room level.

The second part is the ‘bottom-up’ half of the process. Some years ago I worked with a software suite that allowed anyone in the organization to easily access and view security policy on the company intranet. Not only could personnel view the policy, they could make suggestions to improve and change it, propose new techniques, recommend ways to streamline the process, etc. Nobody in an organization knows more about business processes and how to protect them than the people who work with them every day. Why not encourage them to make suggestions and report problems? All it takes is a little encouragement and minor reward. In fact, I’ve found that simply recognizing personnel for their security efforts is enough. Praise them in group meetings, put their pictures up on the wall, that sort of thing. Why should the organization hire expensive consultants to tell them the same things they can learn from their own personnel?

The last part is acting upon the suggestions produced by management encouragement. Once valid suggestions have been made, the initiative needs to flow through the normally recalcitrant and obstructionist mid-levels of the organization to make it back to the top. Can this group be made to set aside their differences and encourage the adoption of rational and workable suggestions for change? If they can, then large organizations can truly improve the flexibility and effectiveness of their information security program, and save money doing it.

Ransomware: Bigger and More Sophisticated than Ever

Ransomware has been around for decades. In 1989 the AIDS Trojan hid directories and encrypted the names of the files on the C drive of infected computers. Users were then asked to “renew the license,” which involved sending $189.00 to a Panama P.O. box. This is an early example of “crypto-ransomware.” Then, around 10 years ago, other families of crypto-ransomware such as Cryzip, Krotten and Gpcode appeared on the scene.

Crypto-ransomware is particularly dangerous because it encrypts files using strong, standard algorithms with a key that is generated per victim and held only by the extortionists, so there is no shortcut to recovery in the ciphertext itself. This means that if the files were not properly backed up, users could lose them forever unless they agreed to pay the price asked. And even where proper backups existed, users still faced the hassle of rebuilding their machines, a time-consuming task that many would happily pay to avoid.

Another type of ransomware (that has been with us for more than 15 years) uses “blockers” to render computers unusable. Blockers are windows that cover all other windows on your desktop. These blocker windows usually contain a message from the extortionists telling users how and where to send the ransom in order to get their computer screens or browsers unlocked. This type of ransomware was the first to reach “epidemic” proportions back in 2010. Both of these ransomware types were originally used to attack mostly user machines, but now attacks on businesses are increasing rapidly.

Recently, especially within the last 6 to 10 months, things have changed. In April of this year, Kaspersky Lab noted that more than half of all ransomware is now crypto-ransomware; a figure up from barely 10% just a year earlier. In addition, there are new, more insidious types of crypto-ransomware appearing on the scene.

In January of this year the first JavaScript ransomware, “Ransom32,” was noted. It is packaged with the NW.js framework (Node.js bundled with a Chromium runtime), so the same code could in principle be built to attack not only Windows but Linux and Mac OS as well. This ransomware is being sold on the dark web as ransomware-as-a-service in exchange for a 25% cut of the ransom profits.

Another recently noted ransomware is called “Cerber.” Cerber encrypts user files using AES and demands 1.24 bitcoins (about $500.00 at the time) in ransom. Cerber itself is easy to remove, but encrypted files that have not been backed up will be lost if users fail to pay.

Now, there are even more dangerous ransomware types appearing. ZCryptor acts like a worm and can spread from machine to machine. It arrives through spam email and macro malware or fake installers, and then copies itself to removable and network drives to reach further machines. It encrypts a number of different file types on infected computers using AES and changes the file extension to “.zcrypt.”

The sophistication and variety of these newer ransomware types shows that cyber criminals are investing plenty of resources on this malware. Users (and businesses) should expect more and more of these types of attacks in the future, and should protect themselves accordingly. Suggestions include:

  • Back up your important files regularly, and keep at least one copy offline or otherwise unreachable from the machines being protected; ransomware that can reach a mounted backup share will encrypt it too. You will still lose anything created after the last backup, so set the backup frequency accordingly.
  • Ensure that all of your systems and software are current with security updates and configured securely.
  • Train your personnel about ransomware and how it spreads (email attachments, macros, fake installers, removable media).
  • Keep your security software up to date and employ pop-up and ad blocking in browsers.
  • Monitor file system activity and extensions: a single process renaming many files to a new extension, or writing high-entropy data over documents, is the signature of encryption in progress.
  • Employ honeypots (such as MSI HoneyPoint software) on your systems.
  • Employ User Behavior Analytics (UBA) on your network.
  • Employ anti-ransomware products and mechanisms.
  • Ensure your Incident Response and Disaster Recovery plans are up to date and well practiced.
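The file-system monitoring item above can be made concrete. The Python below is an added example, not MSI’s HoneyPoint or any other product’s code: it implements two detections over a stream of file-system events, a burst of renames by one process to a single new extension (the “.zcrypt” pattern described above) and writes of near-random, high-entropy bytes to document files, which is what encrypted output looks like and what ordinary documents do not. The event records, process IDs, paths and thresholds are constructed for the illustration; in production the events would come from file-system auditing or endpoint telemetry.

```python
import math
from collections import Counter, defaultdict, namedtuple

# One file-system event.  For RENAME, arg is the new path; for WRITE, arg is
# the bytes written.  ts is a timestamp in seconds.
Event = namedtuple("Event", "ts pid op path arg")

DOC_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".txt"}


def ext(path):
    """Return the final extension of a Windows path, lower-cased ('' if none)."""
    dot, sep = path.rfind("."), path.rfind("\\")
    return path[dot:].lower() if dot > sep else ""


def rename_burst(events, window=60, threshold=5):
    """Flag (pid, new_ext, count) where one process renamed at least
    `threshold` files to the same new extension within `window` seconds."""
    times_by_key = defaultdict(list)
    for e in events:
        if e.op == "RENAME" and ext(e.arg) != ext(e.path):
            times_by_key[(e.pid, ext(e.arg))].append(e.ts)
    alerts = []
    for (pid, new_ext), times in times_by_key.items():
        times.sort()
        lo, best = 0, 0
        for hi, t in enumerate(times):          # sliding window over sorted times
            while t - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            alerts.append((pid, new_ext, best))
    return alerts


def shannon_entropy(data):
    """Bits of entropy per byte: close to 8.0 for ciphertext, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_writes(events, threshold=7.5, min_len=256):
    """Flag (pid, path, entropy) for writes of near-random bytes to document files."""
    alerts = []
    for e in events:
        if e.op == "WRITE" and ext(e.path) in DOC_EXTS and len(e.arg) >= min_len:
            h = shannon_entropy(e.arg)
            if h >= threshold:
                alerts.append((e.pid, e.path, round(h, 2)))
    return alerts


# Constructed events: pid 1001 is a normal user application, pid 4242 behaves
# like crypto-ransomware (encrypts a document in place, then renames a batch
# of files to .zcrypt).  bytes(range(256)) * 4 stands in for ciphertext.
SAMPLE_EVENTS = [
    Event(100, 1001, "RENAME", r"C:\Users\bob\Documents\draft.tmp",
          r"C:\Users\bob\Documents\draft.docx"),
    Event(101, 4242, "WRITE", r"C:\Users\bob\Documents\report.docx",
          bytes(range(256)) * 4),
    Event(105, 1001, "WRITE", r"C:\Users\bob\Documents\notes.txt",
          b"Meeting notes for Monday. " * 40),
] + [
    Event(110 + i, 4242, "RENAME", rf"C:\Users\bob\Documents\file{i}.docx",
          rf"C:\Users\bob\Documents\file{i}.docx.zcrypt")
    for i in range(8)
]

if __name__ == "__main__":
    print("rename bursts:", rename_burst(SAMPLE_EVENTS))
    print("high-entropy writes:", high_entropy_writes(SAMPLE_EVENTS))
```

Either detector alone produces false positives (archivers and disk encryption write high-entropy data; a bulk file converter renames many files), so the useful alert is the correlation of both on the same process, as the sample shows for pid 4242. Tune the rename threshold and window to the environment, and wire the alert to something that can suspend the process or isolate the host, because by the time a human reads it the encryption is usually finished.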

Supply Chain Security: Another Data Breach Blamed on 3rd Party Vendor

One of the tasks I perform at MicroSolved is working on our Daily Threat Briefing. We use our TigerTrax™ threat intelligence gathering platform to pull in security information from all over the web and social media. One of the things I notice constantly is data breaches and other compromises caused not by poor security at the affected organization, but by security failures in its supply chain. This week’s example is the Bizmatics hack that exposed the private health information of patients of institutions such as the Pain Treatment Centers of America and the Interventional Surgery Institute. It is still unclear whether the attacker actually collected this information, but it is certain that he had access to it. Since this information is protected under HIPAA and HITECH, there could be regulatory and legal consequences from the breach. And ultimately, the responsibility for protecting this patient health information lies with the medical organizations affected, not Bizmatics.

The name of the game here is performing due diligence when you choose and maintain a relationship with a third-party service provider or vendor. Did you examine their information security policies and assessment results? Did you check their financial standing? Did you check their history to see if they have had problems in the past? Did you check with other users of their services to see if they have experienced any difficulties with the provider? Have you been performing such checks not just once, but on a recurring basis? If you have, chances are you will fare well legally. If you haven’t, chances are your organization will suffer for it. Despite this, many organizations do not perform proper due diligence: they find it difficult to get the information needed, and even when it is available, gathering it uses up lots of staff hours.

This is an area where the new MicroSolved passive assessment platform can help. The platform employs the TigerTrax™ engine to perform automated research, intelligence gathering and correlation from hundreds of sources, both public and private, that describe the effective security posture of an organization. And best of all, it performs these tasks quickly and without touching the target’s network or systems in any way. So if yours is one of the organizations having trouble performing proper due diligence in choosing and maintaining supply chain relationships, try doing it the easy and effective way. Contact MicroSolved today and see how we can help.

Patch Your Cisco ASA’s ASAP!

Many networks use Cisco Adaptive Security Appliances (ASA) as firewalls, as VPN concentrators, and so on. Those of you in that group should be aware that Cisco published a critical security advisory on February 10 concerning a vulnerability in ASA software (CVE-2016-1287). The flaw is in the Internet Key Exchange (IKE) code of Cisco ASA Software, covering both IKEv1 and IKEv2, and could allow an unauthenticated remote attacker to gain full control of the system or to cause it to reload.
The vulnerability is a buffer overflow in the function that reassembles fragmented IKE payloads. An attacker can exploit it by sending crafted UDP packets to the affected system; no credentials or VPN membership are needed, which is why it was given the maximum CVSS score of 10. An ASA is exposed only if it is configured to terminate IKEv1 or IKEv2 VPN connections (that is, a crypto map is applied to an interface); a unit running purely as a firewall with no IPsec VPN configured is not affected, but any box that does terminate VPNs is, by design, reachable on the IKE ports from untrusted networks.
The ASA software on the following products may be affected by this vulnerability:
  • Cisco ASA 5500 Series Adaptive Security Appliances
  • Cisco ASA 5500-X Series Next-Generation Firewalls
  • Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Cisco ASA 1000V Cloud Firewall
  • Cisco Adaptive Security Virtual Appliance (ASAv)
  • Cisco Firepower 9300 ASA Security Module
  • Cisco ISA 3000 Industrial Security Appliance
Patches are now available for this flaw. We recommend that users of this software apply them as soon as possible. Restricting UDP 500 and 4500 upstream to known peer addresses is a stopgap only where your VPN peers are fixed and known; for remote-access VPNs it is not an option, and patching is the fix. For more information see:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

First Power Outage Ever Caused by Malware

For the last couple of decades industrial concerns, including public utilities such as power and gas providers, have been incorporating IP networks into their industrial control systems, apparently with very little awareness of the security problems this could cause. One reason for this is that ICS/SCADA systems had always been fairly safe from tampering. They were “dumb” systems with their own protocols, and they were not connected to public networks. System administrators never had to think in terms of hackers and remote attacks. They were more concerned with things like physical break-ins and theft, and hackers at that time were mainly computer-savvy kids who weren’t really out to hurt anyone.

Another reason is that security almost always takes a back seat to greater efficiency and profitability. Couple this with the fact that public utilities were increasingly strapped with budgetary cutbacks, and it’s a no-brainer from their point of view. IP protocols were already in place and off-the-shelf hardware and software applications were relatively cheap.

Embracing expediency in this way is really costing the industry now, though. Public utilities are often guilty of failing to adequately segregate their control networks from their business networks, and even if they do, it is very difficult to fend off a persistent and talented attacker. Malware and social engineering techniques become more clever every day.

Factors such as these have made the security industry increasingly antsy for years. We have been warning that these vulnerabilities exist, and have been expecting a concrete example to crop up – and now it has!

Late last month, hackers caused what is believed to be the world’s first power outage brought about by a cyber-attack. It occurred in Ukraine and knocked out regional power for several hours. The malware family used in the intrusion, known as “BlackEnergy,” has been on the radar for some time. Subsequent analysis indicates that the malware provided the foothold and credentials, that the breakers were opened by the attackers operating the utilities’ control systems remotely, and that disk-wiping components were used afterwards to slow recovery.

Luckily, this was a relatively minor, short-lived incident, and nothing like it has occurred (yet) in the United States. However, the fact that this outage was possible should be a wake-up call for all of us. Hopefully the industry will pay attention to this incident and redouble its efforts to update, segregate, secure and monitor its systems.