Make the Most of Your IT Inventories

If you look at modern information security guidance such as the Center for Internet Security Top 20, the NIST Cybersecurity Framework or MicroSolved’s own 80/20 Rule for Information Security, the first controls they recommend implementing are inventories of hardware and software assets. There are several good reasons for making IT asset inventories job number one.

First and foremost, you can’t protect a network asset that you don’t know exists. I would be hard put to tell you how many times we have compromised network security by exploiting forgotten devices or software applications during penetration testing engagements using this vector.

Second, how can you tell if a device or software application is supposed to be on the network if you don’t have an approved inventory list you can check it against? An employee or service provider could install unauthorized devices or applications on the network and you would be none the wiser.

Another reason I don’t hear much about, but think is at least as important as those mentioned above is that you can leverage your inventories to enable and improve other information security processes on your network. I will cite specifically configuration control and security maintenance programs.

When most people think of configuration control, they immediately think of firewalls, switches and routers. This is understandable, since misconfiguration of these devices can have immediate and far-reaching security implications. But really effective configuration control should extend far beyond networking devices. In fact, we council our clients that all network entities should be securely configured according to an accepted baseline security scheme. For example, we often see applications or devices that are still configured with their default administrative passwords. We also see other configuration problems such as FTP systems that are not configured with proper access controls, systems that are configured to accept the use of weak cryptographic protocols and systems that are configured with verbose error messages just to name a few. But if you tie the configuration control program to your network inventories, you can systematically ensure that each and every device, operating system and software/firmware application is configured correctly and securely.

The same thing applies to the security maintenance program. We are able to exploit out of date or unpatched network entities on a regular basis to compromise network security or elevate our privileges on the network. A lot of organizations now not only use WSUS, but employ some kind of service to help them deal with their security maintenance woes. But we have found that even with such mechanisms in place, there are applications or devices that just slip through the cracks. But if you couple your inventories with the security maintenance system, you can ensure that none of these network “orphans” will come back to bite you.

And think of the other processes you can tie in with network inventories? How about access control and change management for instance? Constructing and properly maintaining full network inventories is a difficult task. Why not get all the benefits you can from all your efforts?

If you would like to know more about MicroSolved or its services please send an e-mail to info@microsolved.com or visit microsolved.com.

IAM: We Should Use All the Factors We Can

There has been a lot of talk recently about getting rid of passwords as a means of user identification. I can certainly understand why this opinion exists, especially with the ever-increasing number of data breaches being reported each year. It’s true that we users make all kinds of mistakes when choosing, protecting and employing passwords. We choose easy to guess passwords, we use the same passwords for business access and for our personnel accounts, we write our passwords down and store them in accessible places, we reveal our passwords during phishing attacks, we reuse our old passwords as often as we can and we exploit every weakness configured into the system password policy. Even users who are very careful with their passwords have lapses sometimes. And these weaknesses are not going to change; humans will continue to mess up and all the training in the world will not solve the problem. However, even knowing this, organizations and systems still rely on passwords as the primary factor necessary for system access.

Continue reading

Zelle…quick, easy, and…problematic?

Measuring risk

With the increasing adoption of PayPal, Venmo, and other instant payment services…it’s no surprise that the financial services industry entered the arena. The concept is simple – P2P payments via phone or email. At least one entity – sender or recipient – needs to have a bank account with a bank that supports Zelle. The other entity can simply link a supported debit card to enable the exchange.

Continue reading

New Attacks Against Misconfigured Amazon S3

Over the past few years we have seen plenty of news about data being stolen from misconfigured Amazon S3 buckets and other cloud based services. Now attackers are figuring out ways to further abuse these systems beyond simply stealing data.

Magecart, a threat actor group involved in a large amount of attacks, has a currently active campaign targeting S3 hosted sites; the attack infected these sites with malicious javascript that steals customer’s credit card data.

Their attack methodology involves specifically looking for buckets that have write permissions enabled for everyone. When one of these buckets is found, it looks for javascript in the bucket – increasing the likelihood that it’s being used to host a site, or serving assets for a site hosted elsewhere. Javascript files are then edited by the attacker and the Magecart malicious javascript is injected into it.

The javascript runs in the customer’s browser, looks for specific forms, and sends that data to another server when it is submitted. Without detailing this further, as there are many other good breakdowns of exactly what this attack entails that are available. The key take away here will be what can you do to make sure a site you have isn’t hosting this code.

Continue reading

State of Security Podcast Episode 17 is Out!

In this episode (~45 minutes), I answer questions from the audience around blockchain and smart contract security considerations. I cover some of the reasons why I think these technologies are important, what their potential impacts are likely to be and how information security teams should prepare. Some of the questions drift into changes around store of value, investment insights and other closely related topics.

This episode is sponsored by MachineTruth™ – a new passive, analytics-based solution for network inventory, traffic analysis and security baselining. Learn more at  http://www.machinetruth.net.

 

Prepping for Incident Response

Prepping? Who wants to prep for incident response?

This particular bit of writing came from a question that I was asked during a speaking engagement recently – paraphrased a bit.

How can a client help the incident team when they’re investigating an incident, or even suspicious activity? 

So, I circulated this to the team, and we tossed around some ideas.

Continue reading

California Consumer Privacy Act

Times are getting hard for concerns that collect or sell information about individuals. People are becoming more concerned about their privacy and want their personal information protected. It’s taken a while, but folks are waking up to the fact that information about who they are, where they live, what they like to do, what they like to buy and a plethora of other information is being systematically collected and sold all the time.

National information security and privacy legislation has been bandied about now for a long time, but with no results as yet. So, the States are getting sick of waiting and are drafting their own privacy acts, especially since the inception of the European Union’s General Data Protection Regulation (GDPR).

Continue reading

People Like to Fish. Statistics Show They Tend to be Phished.

Several paths led me to a blog on this topic. I have a friend and a close relative who are currently going through a home loan process. In addition, in a work-related project, I have been researching mortgage fraud and real estate scams. Statistics reveal about 1% of loan applications contained an element of fraud, and it has been on a general upward trend for the last decade.
Continue reading

State of Security Podcast Episode 16 is Out!

This episode is a tidbit episode, weighing in just under 20 minutes. I sat down last week with Megan Mayer (@Megan__Bytes) in the lobby bar of the Hyatt during the Central Ohio Security Summit. Pardon the background noise, but we riffed on what Megan believes are the top 3 things that every security manager or infosec team should do this week. She had some great insights and I think her points are fantastic.

Give it a listen, and as always, if you have feedback or have someone in mind that you’d like to have interviewed on the podcast or a topic that you’d like to see covered, drop me a line (@lbhuston). 

As always, thanks for listening and stay safe out there!