One of the tasks I perform at MicroSolved is working on our Daily Threat Briefing. We use our TigerTrax™ threat intelligence gathering platform to pull in security information from all over the web and social media sphere. One of the things I notice constantly is data breaches and other security compromises that are caused not by poor security at the affected organizations, but by security failures in their supply chain.

This week’s example is the Bizmatics hack, which exposed the private health information of patients from institutions such as the Pain Treatment Centers of America and the Interventional Surgery Institute. It is still unclear whether the hacker actually collected this information, but it is certain that he had access to it. Since this information is protected under HIPAA and HITECH, there could be regulatory and legal consequences from the breach. And, ultimately, the responsibility for protecting this patient health information lies with the medical organizations affected, not Bizmatics.

The name of the game here is performing “due diligence” when you choose and maintain relationships with a third-party service provider or vendor. Did you examine their information security policies and assessment results? Did you check out their financial standing? Did you check their history to see if they have had problems in the past? Did you check with other users of their services to see if they have experienced any difficulties with the provider? Have you been performing such checks not just once, but on a recurring basis?

If you have been performing due diligence in these matters, chances are you will fare well legally. If you haven’t, chances are your organization will suffer for it. Despite this, many organizations do not perform proper due diligence. They find it is difficult to get the information needed, and even if the information is available, they find that accessing it uses up lots of man-hours.
This is an area where the new MicroSolved passive assessment platform can help. The platform employs the powerful TigerTrax™ platform to perform automated research, intelligence gathering and correlation from hundreds of sources, both public and private, that describe the effective security posture of organizations. And best of all, it performs these tasks very quickly and without touching the target’s network or systems directly in any way. So if yours is one of the organizations out there that is having trouble performing proper due diligence in choosing and maintaining supply chain relationships, try doing it the easy and effective way. Contact MicroSolved today and see how we can help.
Many networks employ Cisco Adaptive Security Appliances (ASA) as firewalls or to set up Virtual Private Networks, etc. Those of you that are among this group should be aware that Cisco published a critical security advisory on February 10 concerning a glitch in their ASA software. It seems that there is a vulnerability in the Internet Key Exchange (IKE) code of Cisco ASA Software that could potentially allow an unauthenticated attacker to gain full control of the system, or to cause a reload of the system.
This vulnerability is due to a buffer overflow condition in the function that processes fragmented IKE payloads. Attackers could exploit the flaw by sending crafted UDP packets to the affected system. It should be noted that this vulnerability is bad enough that it was given the maximum CVSS score of 10.
The ASA software on the following products may be affected by this vulnerability:
• Cisco ASA 5500 Series Adaptive Security Appliances
• Cisco ASA 5500-X Series Next-Generation Firewalls
• Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
• Cisco ASA 1000V Cloud Firewall
• Cisco Adaptive Security Virtual Appliance (ASAv)
• Cisco Firepower 9300 ASA Security Module
• Cisco ISA 3000 Industrial Security Appliance
Patches are now available for this flaw. We recommend that vulnerable users of this software apply these patches as soon as possible. For more information see:
For the last couple of decades industrial concerns, including public utilities such as power and gas providers, have been incorporating IP networks into their industrial control systems; apparently with very little awareness of the security problems this could cause. One of the reasons for this is that ICS/SCADA systems had always been fairly safe from tampering. They were “dumb” systems that had their own protocols, and were not connected to public networks. System administrators never had to think in terms of hackers and remote attacks. They were more concerned with things like physical break-ins and theft at that time, and hackers were mainly computer-savvy kids that weren’t really out to hurt anyone.
Another reason is that security almost always takes a back seat to greater efficiency and profitability. Couple this with the fact that public utilities were increasingly strapped with budgetary cutbacks, and it’s a no-brainer from their point of view. IP protocols were already in place and off-the-shelf hardware and software applications were relatively cheap.
Embracing expediency in this way is really costing the industry now, though. Public utilities are often guilty of failing to adequately segregate their control networks from their business networks, and even if they do, it is very difficult to fend off a persistent and talented attacker. Malware and social engineering techniques become more clever every day.
Factors such as these have made the security industry increasingly antsy for years. We have been warning that these vulnerabilities exist, and have been expecting a concrete example to crop up – and now it has!
Late last month, hackers caused what is believed to be the world’s first power outage using malware. It occurred in Ukraine and knocked out regional power for several hours. The malware family used to perpetrate this outage is known as “BlackEnergy” and has been on the radar for some time.
Luckily, this was a relatively minor, short-lived incident, and nothing like this has occurred (yet) in the United States. However, the fact that this outage was possible should be a wake-up call for all of us. Hopefully, the industry will pay attention to this incident and redouble their efforts to update, secure and monitor their systems.
It seems like every year there is another phishing scam using the name of the Internal Revenue Service. Well, this year is no exception. This version claims to be a refund notification and contains an attachment for the unwary to click on. Don’t do it! For one thing, you should be aware that the IRS never initiates contact with taxpayers by email, text messages or social media channels to request personal or financial information.
This scam and other, similar scams also are perpetrated by telephone. Callers may say you have a refund due and try and get you to disclose private information to them. They may also call, say you owe them money, and demand immediate payment; they may even threaten to send the police to your home! Don’t panic. The more serious and immediate their demands seem, the more likely they are to be fakes. It will never hurt you to take the time to call the IRS and see if the call, text or email you have received is legitimate. Also, if you do happen to lose money to one of these scams, you can file a complaint with the Treasury Inspector General for Tax Administration.
The IRS website has resources in place to help taxpayers with this problem. This information is not particularly easy to find, but is accessible in a couple of areas of the website. If you click on the “News & Events” tab of the website there is a hyperlink to “Tax Scams”. This will get you started. You can also go to the “Help & Resources” tab. This area has links for reporting suspicious emails and scams, as well as a link to report tax fraud activity. For more information about past scams of this type, there is a page entitled “Phishing and Other Schemes Using the IRS Name.”
The important thing to take away from this is that phishing and other social engineering techniques are becoming more prevalent every day, and are not about to go away. This is because as firewalls, SIEM solutions and other information security mechanisms have become more effective, cyber criminals have had to find new ways to worm their way into your networks. So stay wary and avoid being credulous. Never open an attachment or click on a link anywhere without checking it out first. Also, never give unsolicited or suspicious callers any kind of private information. The old adage “Look Before You Leap” has never been more true and appropriate than it is right now!
It’s the holidays! Everyone is busy shopping, getting ready for parties, meeting folks for a cup of good cheer, and all manner of other fun activities. Yes, it is safe to say that the holidays generally fill people with feelings of warmth and good cheer.
It’s also a great time of year for hackers! The fact that people are busy, distracted and even a little bit tipsy is what fills them with good cheer. What better time to break into a network and get your hands on some private information or to set up a blackmail scheme?
That is why it is most important for you not to neglect your log monitoring and other information security duties during the silly season. Make sure you don’t turn off alerting on your systems, look for activity at odd times of the day, and make sure you are monitoring what leaves the network and where it’s going. If you neglect these tasks now you just might not have any happy holidays at all!
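The two checks the paragraph above asks for, odd-hour activity and data leaving the network, as a small log review script. This is an added example, not code from the original post or from MicroSolved; the log line format, the business-hours window, the egress allowlist and the size threshold are all assumptions, and the sample lines are constructed.

```python
"""Holiday-season log review: flag activity at odd hours and outbound transfers
to unexpected destinations. Added example; the log format and thresholds below
are assumptions, not a real product's conventions."""
from datetime import datetime, time

# Constructed sample lines: "<ISO timestamp> <event> <user> <dest_ip> <bytes_out>"
SAMPLE_LOGS = [
    "2015-12-24T09:15:00 login alice 10.0.0.5 0",
    "2015-12-24T23:47:00 login bob 10.0.0.5 0",
    "2015-12-25T02:10:00 transfer bob 203.0.113.9 734003200",
    "2015-12-26T14:00:00 transfer carol 198.51.100.20 5120",
    "2015-12-27T11:30:00 login dave 10.0.0.5 0",
]

BUSINESS_START = time(7, 0)          # assumed working hours
BUSINESS_END = time(19, 0)
APPROVED_EGRESS = {"198.51.100.20"}  # assumed allowlist, e.g. the offsite backup host
BULK_THRESHOLD = 100 * 1024 * 1024   # assumed: more than 100 MiB outbound is worth a look


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, event, user, dest, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "event": event,
            "user": user, "dest": dest, "bytes": int(nbytes)}


def is_odd_hour(ts):
    """True on weekends or outside the business-hours window."""
    weekend = ts.weekday() >= 5
    outside = not (BUSINESS_START <= ts.time() < BUSINESS_END)
    return weekend or outside


def review(lines):
    """Return (timestamp, user, destination, reasons) for every line worth a look."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        reasons = []
        if is_odd_hour(rec["ts"]):
            reasons.append("odd-hour activity")
        if rec["event"] == "transfer":
            if rec["dest"] not in APPROVED_EGRESS:
                reasons.append("egress to unapproved destination")
            if rec["bytes"] > BULK_THRESHOLD:
                reasons.append("bulk outbound transfer")
        if reasons:
            alerts.append((rec["ts"].isoformat(), rec["user"], rec["dest"], reasons))
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOGS):
        print(alert)
```

On the constructed sample, the daytime login on a weekday produces nothing, while the 02:10 transfer of roughly 700 MiB to an address outside the allowlist trips all three checks at once; that stacking of reasons is what makes an entry stand out from the routine weekend noise.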
I saw in the intelligence and threat briefing the other day that police body cameras pre-infected with the dangerous Conficker worm had been discovered. Once these cameras were connected to a computer, the worm attempted to spread to other machines on the network and to communicate with a command and control system. Great! Lots of juicy, salable information on a police network to be harvested. How about offering to sell informants to the criminals they are informing on? Bet the bad guys would pay plenty! Or, if you become well entrenched in the network, how about starting an intelligence service? You could keep the bad guys well informed about what the police are up to. Bet the bad guys would pay plenty for that too!
This isn’t the first time something like this has happened by any means. Every now and again we hear stories about phones, networking switches, computers, motherboards and lots of other products that come pre-infected with some kind of malware. Unfortunately, it seems that this is happening more and more often and shows no signs of slowing down.
The big reason behind this trend is that it works. How many of us ever even think that our new toys may not be safe? After all, they are brand new from the factory, and the boxes they are packed in have never been opened before. And it’s not just cyber-equipment that may be infected. Increasingly, just about everything we buy or use has a computer in it, and many of these products are made to run over a network as well.
So, say you buy a new smart TV and it has come complete with some kind of malware installed. Chances are you have a wireless network in your home, and all the family’s computers, smart phones and other devices hook up to it. Even people that come to visit probably log onto your wireless network. You do home banking, write emails, chat, do all kinds of private things on this network. But, thanks to your new TV, all that is secret no more!
The point is, it’s time we start paying more attention to this attack vector and begin doing something about it. We should ensure that we have mechanisms in place to test new products before we hook them into our systems. We should also put regulations and processes in place to ensure that manufacturers test their products for computer bugs before they are allowed to ship them.
Every week in our daily threat and intelligence briefings I read about government and business computer systems that are hacked. And many, many times the stated reason is that a user name and password was revealed, hacked or stolen and the cyber criminals were able to use it to log into the system. But I don’t think this is the real reason at all; the real reason is that we are not properly establishing the identity of whoever is trying to access the system.
I know how inconvenient computer security can be for everyone. I not only see it every day in my profession, I also suffer from it myself as an individual. And the last thing most of us want is to make the task even more inconvenient and frustrating. But the fact is that identifying oneself to a computer system by simply inputting a user name and password is just not good enough. We must increase the reliability of identity verification systems if we are to have any real hope of preventing illicit access.
To establish the identity of any person there are only three factors that can be employed. You can identify a person by something that they know, by something that they have or by something that they are. Obviously, a user name and password is something that a person knows, and we waste all kinds of time and effort in the futile hope that we can keep this special knowledge secret. I say futile because, as we all know, secrets have a frustrating habit of not lasting very long.
Something we have can be a physical object such as an RSA token or smart card, or it can be a “soft token” such as a digital certificate. An example of using something you have and something you know in tandem is a debit card and PIN. Something we are can be a number of things: fingerprints, retinal patterns, DNA, body features, etc.
Every time you add another “factor” to your user identification scheme, you more than double the amount of real security you are adding to the access control system. That is why, despite the inconvenience, I am a big proponent of using all three types of identification factors at once, especially for privileged or high-risk access. As far as I’m concerned, it’s time to bite the bullet, live with the inconvenience and just get the job done!
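A login check that combines two of the factors described above, something you know (a password) and something you have (a soft token), as an added example that is not code from the original post. The token is a standard RFC 6238 TOTP generator of the kind a phone app or a hardware fob implements; the account record layout, the PBKDF2 parameters and the skew tolerance are assumptions, and the token secret used in the demo is the published RFC test key, not a real one.

```python
"""Two-factor login: password (something you know) plus TOTP code from a soft
token (something you have). Added example; the account store, hashing
parameters and clock-skew window are assumptions."""
import hashlib
import hmac
import os
import struct
import time


def hash_password(password, salt, iterations=200_000):
    """PBKDF2-HMAC-SHA256 digest; the salt is stored next to it on the server."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1: the code changes every `step` seconds."""
    counter = int(now) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def enroll(username, password, totp_secret, salt=None):
    """Server-side record: hashed password plus the secret shared with the token."""
    salt = salt if salt is not None else os.urandom(16)
    return {
        "username": username,
        "salt": salt,
        "pw_digest": hash_password(password, salt),
        "totp_secret": totp_secret,
    }


def verify_login(account, password, code, now=None, drift=1, step=30):
    """Both factors must verify. Each factor is evaluated before returning so a
    failed attempt does not reveal which one was wrong; `drift` accepts codes
    from that many steps either side of now to tolerate clock skew."""
    now = time.time() if now is None else now
    password_ok = hmac.compare_digest(
        hash_password(password, account["salt"]), account["pw_digest"])
    code_ok = False
    for i in range(-drift, drift + 1):
        if hmac.compare_digest(code, totp(account["totp_secret"], now + i * step)):
            code_ok = True
    return password_ok and code_ok


if __name__ == "__main__":
    # Constructed demo account; the token secret is the RFC 6238 test key
    acct = enroll("alice", "correct horse battery staple", b"12345678901234567890")
    current = totp(acct["totp_secret"], time.time())
    print(verify_login(acct, "correct horse battery staple", current))
```

A practitioner would also record the last counter value accepted for each account so that a code cannot be reused within its window, which is the same replay problem the post's later point about one-time transaction codes addresses.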
Over the last seven years, the amount of fraud from stolen credit card data has doubled in the U.S. This has been the primary driver pushing American credit card companies and retailers into adopting the use of credit cards with computer chips in them. The problem with the old magnetic stripe credit cards we are so familiar with is that the data on the magnetic stripe is static – it never changes. Because of this, fraudsters have been able to simply copy the magnetic stripe data from your card to a blank one, and then use the new card to make purchases. The computer chips in Europay, MasterCard and Visa (EMV) cards, on the other hand, set up a one-time transaction code that is useless to intercept or copy. If a thief attempts to make another transaction using this information, the transaction will simply be denied.
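The contrast drawn above, static magnetic stripe data versus a one-time transaction code, modelled in a few lines. This is an added example, not code from the original post, and it is a deliberately simplified model of the EMV cryptogram (an HMAC over the amount and a per-card transaction counter, which EMV calls the ATC), not the actual EMV specification; the key sizes, message layout and the test PAN are constructed for the demo.

```python
"""Why a copied magnetic stripe is accepted but a copied chip transaction is
not. Added example; a simplified model of EMV's one-time cryptogram, not the
real specification."""
import hashlib
import hmac
import secrets


class MagstripeIssuer:
    """Static track data: whoever presents the same string is approved."""

    def __init__(self, track_data):
        self.track_data = track_data

    def authorise(self, presented_track):
        return hmac.compare_digest(presented_track, self.track_data)


class ChipCard:
    """Holds a key shared with the issuer; every transaction bumps a counter."""

    def __init__(self, key):
        self.key = key
        self.atc = 0

    def generate_cryptogram(self, amount_cents):
        self.atc += 1
        msg = f"{amount_cents}|{self.atc}".encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return {"amount": amount_cents, "atc": self.atc, "mac": mac}


class ChipIssuer:
    """Recomputes the MAC and refuses any counter value it has already seen."""

    def __init__(self, key):
        self.key = key
        self.last_atc = 0

    def authorise(self, cryptogram):
        msg = f"{cryptogram['amount']}|{cryptogram['atc']}".encode()
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, cryptogram["mac"]):
            return False          # forged or tampered
        if cryptogram["atc"] <= self.last_atc:
            return False          # replay of an already-used transaction
        self.last_atc = cryptogram["atc"]
        return True


def demo():
    """Run each scenario and return its outcome so the contrast is explicit."""
    track = "4111111111111111=2512101"        # constructed test PAN, not a real card
    stripe_issuer = MagstripeIssuer(track)
    skimmed_copy = "" + track                  # a skimmer's copy is byte-for-byte identical

    key = secrets.token_bytes(16)
    card, chip_issuer = ChipCard(key), ChipIssuer(key)
    first = card.generate_cryptogram(2500)
    intercepted = dict(first)                  # captured in transit and presented again
    tampered = dict(first, amount=1, atc=first["atc"] + 1)   # fresh counter, stale MAC

    return {
        "stripe_original": stripe_issuer.authorise(track),
        "stripe_copy": stripe_issuer.authorise(skimmed_copy),
        "chip_first_use": chip_issuer.authorise(first),
        "chip_replay": chip_issuer.authorise(intercepted),
        "chip_tampered": chip_issuer.authorise(tampered),
        "chip_next_genuine": chip_issuer.authorise(card.generate_cryptogram(2500)),
    }


if __name__ == "__main__":
    for scenario, approved in demo().items():
        print(f"{scenario:18} -> {'approved' if approved else 'declined'}")
```

The skimmed stripe is approved every time because there is nothing in the data that changes between uses; the intercepted cryptogram is declined because its counter has already been consumed, and the tampered one because the MAC no longer matches. Real issuers keep a window of acceptable counter values rather than a strict last-seen check, since offline transactions can arrive out of order.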
These kinds of credit and debit cards have been used in Europe for decades, and have greatly reduced the amount of credit card fraud there. But the American versions of these cards are going to be different for some years to come. For one thing, EMV cards issued to Americans are still going to have the magnetic stripe on them until at least 2017. This is to give retailers a chance to install the necessary (and expensive) equipment needed to process EMV cards. Also, even though most retailers are supposed to have EMV card reader hardware in place as of October this year, gasoline retailers are not required to change their pump card readers until 2017.
Another difference is the use of a PIN with the cards. In Europe, they have found that requiring a 4- to 6-digit PIN when cards are used greatly adds to the security of the transaction (just like inputting a PIN when you use your debit card here does). But most companies in America are just going to require a signature, and are not going to allow the use of PINs with these cards for a while. This is not only to spread out the cost of re-equipping for the merchant, but is also to allow American consumers to get used to the new cards. Eventually, America will probably be using the same setup they currently use in Europe, but until then, remember that your cards will still suffer from some of the same old vulnerabilities as always.
As a risk management guy, I’m often asked why I think information security programs fail or are less effective than they should be. There are certainly a number of answers to that question, but I think one of the main causes is lack of management participation in the program.
First, it should be recognized that these programs are driven from the top down. Upper management must demonstrate real interest in the infosec program to make it work. Right or wrong, people take all their main cues from upper management, and an apathetic CIO or CEO is a death knell for an infosec program.
Once you have achieved high level buy-in, it is very important to ensure that mid and operational level management are also properly involved in the program. Managers on these levels need to demonstrate their interest in the infosec program just as upper management does. However, beyond that, these individuals should also be involved in the program in a much more direct way.
It isn’t enough that information security policies and procedures have been established and communicated to all appropriate personnel. There also needs to be regular documented processes in place for management oversight of the information security program. Managers sometimes tend to become complacent about the information security program; they don’t really demonstrate interest in it and don’t seem to check up much. And if managers become complacent about infosec, you are safe to bet that the personnel in their purview will as well.
Real computer information security is highly dependent on the awareness and concern of individual computer device users. But people don’t view the security of their computers, pads and smart phones the same way they view the security of their cars, or houses or kids. On the whole, we are apathetic about the subject.
I have often tried to figure out why this is true, and I’ve heard several reasons such as: “Computers and technology are just too complicated and technical. I feel inadequate to the task.” Or “I have too many things to worry about already. I don’t need anything else to take a bite out of my quality time.” Or “So what if I get hacked!? The worst that can happen is that I’ll be embarrassed a bit or lose some of my money – I’ll still have my health, my family and my life!” Of all these mistaken ideas I think the last one is the most dangerous; not believing that anything really bad will happen to me and mine because of a hack.
For years my compatriots and I have discussed the idea that what will truly shock society awake is a hacking incident so severe that nobody can just ignore the subject anymore; a kind of cyber-Pearl Harbor. But none of us actually want to see “the big one” occur. We are hoping that smaller but still significant incidents will get the ball rolling.
The Ashley Madison hack is a small step in this direction that I hope people will embrace and learn from, because the consequences of this hack are a cut above what has been experienced by the everyday user in the past. Think of the marital unrest this has caused – think of the divorces, the tears, the kids that no longer feel safe and secure. Then there are the legal entanglements and lost jobs (both present and future) to consider. Awful!
But the biggest consequence of all is the loss of human life that has come about (and, in my opinion, will continue to come about) because of this exposure. There have been a number of suicides already that are directly attributable to the Ashley Madison debacle, and I would be amazed if there weren’t some murders to accompany them as well. Is it worth human lives to be apathetic and unaware!? Let’s hope that folks decide it isn’t and take steps to protect themselves.