Application Risk: Speed Kills!

We are at the end of the second decade of the 21st century now, and we are still suffering from poor application coding security practices of all sorts. This is costing us big-time in dollars, intellectual property, privacy, security, apprehension and consternation!

As individual consumers, we tend to think of things like identity theft, invasion of privacy and loss of services when we consider the problem of poorly secured applications. But the problem is much broader and deeper than that. Holes in application coding security can also be used to attack communications systems, utility and industrial control systems, supply chains and transportation systems, and military command and control and weapons systems. These kinds of failures can lead to wide-scale confusion, outages, disasters and the deaths of innocents; possibly lots of innocents.

So why is this still such a problem? I think one of the most prominent reasons is the virtually universal desire for speed to market. The concern that gets its product or service in front of the consumer first is the one most likely to reap the biggest rewards, and that is what developers and providers want most: market share and profits. Add to this the fact that the things application consumers want most are originality, functionality and convenience. Coding in proper security mechanisms affects all of these aspects of application development. It takes more time and effort to code securely, and security mechanisms often affect the functionality and convenience of applications.

With the deck stacked against application security like this, how are we supposed to solve this problem? Unfortunately, I think we are going to need to regulate application coding security into some kind of assurance program. For a domestic or foreign concern to introduce applications into the American market, those applications should first be analyzed, tested and certified. This is probably not going to sit well with a variety of different consumers, especially at first. But hopefully it won’t take too long to get used to it. After all, in the 20th Century we regulated safety testing and assurance for a whole array of products, and people not only got used to it, they now demand that such assurance processes are in place.

However, all of this is not going to be easy. For one thing, some group is going to have to set the standards and develop the testing paradigms. This can be problematic with applications because they are complex and new vulnerabilities and exploits emerge regularly. This will probably mean that applications will need to undergo periodic re-certification testing. In addition, another group will also be needed to actually perform the testing and authorize the release of the applications.

All of this will amount to a whole new industry, and an expensive one at that. But something must be done about the problem. The possible severity of the consequences of not assuring application coding security is just too terrible to contemplate or countenance.

Microsoft May 2019 – Urgent Patch

On May 14, 2019, Microsoft announced a vulnerability in RDP (Remote Desktop Services, formerly known as Terminal Services). The vulnerability is significant enough that Microsoft chose to publish a patch for Windows XP and Windows 2003 on May 15th, operating systems that have been out of support for a few years now.

Why is this important? The vulnerability is similar to the one that WannaCry leveraged, and allows an attacker to “worm” through the network. Reports say that there is a proof-of-concept exploit; as of this writing on May 19th, the MSI lab hasn’t laid hands on one to test and our research is ongoing.

To quote Microsoft:

“This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.”

So what? So…early this morning, a search on shodan.io for “rdp” showed 1058 exposures indexed. A few HOURS later, that number had increased to 1062. Externally facing RDP is a very bad idea, and attackers considered it low-hanging fruit before this vulnerability came to light…now the stakes are higher.

“My patching is automated” – we’re all good, right? Well…I contacted a friend in a small office yesterday and suggested that they check. When she inventoried the 4 computers that were set to update automatically…3 of them had not received this update. Due diligence is your friend here; don’t assume.

Patch. Patch now. Share with your friends and colleagues, particularly those who are less than technically savvy. Friends don’t let friends have RDP as an externally facing service!
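As an added example (not part of the original post), here is a PowerShell check a defender can run against a list of Windows hosts to act on the two points above: confirm that a given update is actually installed rather than assumed, and find out whether Remote Desktop is enabled and whether TCP 3389 answers. The KB identifier is a placeholder because the post does not name it, and the script assumes WinRM access to the remote hosts.

```powershell
# Added example, not code from the original post.
# $KbId is a placeholder: substitute the KB number of the May 2019 RDS update.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string]$KbId = 'KB<PLACEHOLDER>'
)

foreach ($c in $ComputerName) {
    $result = [ordered]@{ Host = $c }

    # Is the fix really present? Get-HotFix reads the installed-updates list,
    # which is what "my patching is automated" needs to be checked against.
    $hotfix = Get-HotFix -Id $KbId -ComputerName $c -ErrorAction SilentlyContinue
    $result.PatchInstalled = [bool]$hotfix
    $result.InstalledOn    = if ($hotfix) { $hotfix.InstalledOn } else { $null }

    # Is Remote Desktop enabled at all? fDenyTSConnections = 0 means RDP is on.
    $deny = Invoke-Command -ComputerName $c -ErrorAction SilentlyContinue -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections
    }
    $result.RdpEnabled = ($deny -eq 0)

    # Does the RDP port answer? Run this from an external vantage point to see
    # what an index such as Shodan would see for the host.
    $probe = Test-NetConnection -ComputerName $c -Port 3389 -WarningAction SilentlyContinue
    $result.Port3389Open = $probe.TcpTestSucceeded

    [pscustomobject]$result
}
```

Any host that reports RdpEnabled and Port3389Open from outside the perimeter, or PatchInstalled as False, is one to fix today rather than trust to automation.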

(Let’s not leave Adobe out of the mix. Adobe’s Patch Tuesday covers 82 CVEs. EIGHTY TWO? People, we have to do better…)

And remember…is it really paranoia if they ARE out to get you?

Questions? Comments? Are you patched? I’d love to hear from you – lwallace@microsolved.com, or @TheTokenFemale on Twitter!

If you would like to know more about MicroSolved or its services please send an e-mail to info@microsolved.com or visit microsolved.com.


IoT. Is one called an Internet of Thing?

In several recent engagements, we came across some IoT (Internet of Things) devices within client networks. There’s a growing presence of these ubiquitous devices within corporate environments. They measure, they detect, they capture, they sense. Then they send the info to some app on your phone.

These devices make life easier. Safer. More convenient. Many times, just simply accessible when it was not possible before.

But there can be risks. I’ve always held the belief that security has an inverse relationship with accessibility. The more doors a building has, the easier it is to get inside. But along with that accessibility for authorized persons who hold keys to the doors, the risk that a burglar picks one of the locks and breaks in increases as well.

Phishing: It Takes Humans to Fight It!

For more than 20 years now, hackers and cyber-criminals have been breaking into computer systems and networks. And for just as long a period of time, manufacturers, networking folk and cyber-security personnel have been developing devices, controls and processes to prevent these people from getting in and raising havoc. The “bad guys” come up with new ways to compromise system security, and then the “good guys” come up with new ways to protect it. Back and forth, forth and back, back and forth… it never seems to stop!

You wouldn’t think it would continue to be that way. After all, the good guys have made real progress over the years. Perimeter security that was so easily compromised in the 90’s is truly robust now, and there are lots of products and services out there to help prevent, detect and respond to compromises. Companies, institutions and government entities are becoming increasingly aware of the importance of computer and network security, and they are devoting more resources to the problem on a continuing basis.

But despite all these efforts, there are more data breaches and denial of service attacks than ever! Why is this happening? How can we have all these great techniques in place and still be losing the race? I have become firmly convinced that it is because we continue to throw machines and technology at the problem, and refuse to understand that information security is a human problem, not a technological problem. In fact, the technology has very little to do with it. If the bad guys can’t find a technological way to compromise systems, they just find human ways to get around the problem.

That is why the number one root vector for computer and network compromise today is the use of social engineering techniques, especially phishing attacks. The fact is that computer and network resources must be available to legitimate users, and those users must be allowed to access those resources. This means that if the bad guys can emulate legitimate users well enough, they can gain access to those resources too.

Although you can employ some technological techniques to counter this, such as multi-factor authentication and strict configuration control, your most effective recourse is to use your own employees to deal with phishing. And how do you get humans to perform effectively? You use incentives.

Incentives can be either negative or positive. Negative incentives include penalties for poor performance such as fines, loss of rank, termination of employment or legal prosecution. The military is big on these kinds of negative incentives. Positive incentives include public recognition, bonuses, promotions, vacation time… even a primo parking spot or your picture on the wall of fame will do. For most organizations I definitely recommend going the positive incentives route. Give your employees a tangible and desirable reason to help in your security efforts and you can save a lot of money on products and services that won’t work nearly as well.

Network Segmentation with MachineTruth


About MachineTruth™

We’ve just released a white paper on the topic of leveraging MachineTruth™, our proprietary network and device analytics platform, to segment or separate network environments.

Why Network Segmentation?

The paper covers the reasons to consider network segmentation, including the various drivers across the clients and industries we’ve worked with to date. It also includes a sample workflow to guide you through the process of performing segmentation with an analytics and modeling-focused solution, as opposed to the traditional plug-and-pray method that many organizations are using today.

Lastly, the paper covers how MachineTruth™ differs from traditional approaches and what you can expect from such a work plan.

To find out more:

If you’re considering network segmentation, analysis, inventory or mapping, then MachineTruth™ is likely a good fit for your organization. Download the white paper today and learn more about how to make segmentation easier, safer, faster and more affordable than ever before!

Interested? Download the paper here:

https://signup.microsolved.com/machinetruth-segmentation-wp/

As always, thanks for reading and we look forward to working with you. If you have any questions, please drop us a line (info@microsolved.com) or give us a call (614-351-1237) to learn more.

State Of Security Podcast Episode 15 is out!

In this episode, the tables get turned on me and I become the one being interviewed. The focus is on honeypots and intrusion deception, and the conversation bounces from technology to industry to overall trends.

This is a great conversation with an amazing young man, Vale Tolpegin, a student from Georgia Tech with an amazing style and a fantastic set of insights. He really asks some great questions and clarifying follow ups. This young man has a bright future ahead!

Tune in and check it out! Let me know on Twitter (@lbhuston) what you liked, hated or what stuck with you.

Vendor Printer Management and Security

Over the past couple of years we’ve encountered increasing numbers of customers using various print management vendors. Many of those we have encountered use the same application suite to manage their printers, and by default it has a blank admin password. In most of the instances we’ve observed, this password has not been changed, nor has a strong one been set. Likewise, most of the managed printers are also not configured to use authentication, or are using the default credentials.

When we encounter this, one of the “benefits” this application affords us is that it keeps a fairly detailed inventory, including model numbers, which allows us to pinpoint areas of attack and compromise. Printers that we know have issues, or printers with functionality such as saving to network shares, SNMP, etc., can be leveraged without performing activities that would be easily detectable on the network.


Insurers Take Note: Ohio Senate Bill 273 is Now in Effect

Have you ever heard of the New York State Department of Financial Services regulation requiring financial services companies to adopt cybersecurity measures that “match relevant risks and keep pace with technological advancements” (23 NYCRR 500)? If you haven’t, you should take a look, even if you don’t do business in the State of New York. This regulation is having a snowball effect that is affecting financial institutions across the nation.
