One of the most frustrating phrases I’ve heard as an IT professional is, “We’re not a target.”
Using HoneyPoint, I have created “fake companies” and observed how they are attacked. These companies appear to have social media profiles, web pages, email servers and all of the infrastructure you would expect to find within their industry. The companies span a variety of verticals, including but not limited to Financial, Energy and Manufacturing. After analyzing the data collected during this process, I can definitively state that if your company has an internet connection, you’re being targeted by attackers.
Within hours of creating a HoneyPoint company, we typically begin to see low-level attacks against common services. These often involve brute-force attacks against SSH or Telnet. Regardless of the fake company’s industry, we’ve noticed that more complicated attacks begin within days of exposing the services and applications to the internet. These have ranged from attempts to use more sophisticated exploits to the installation of malware.
During our “fake companies” testing, we even “accidentally” exposed critical services such as MSSQL and LDAP to the internet. The attackers were always vigilant; they often attempted to take advantage of these exposures within hours of the change taking place. One of my favorite moments during this test was watching how quickly attackers started to use an exploit after it was released. In some cases, we noticed the exploit being used within hours of it becoming public. Both observations are great examples of why it’s worthwhile to have 3rd parties review your infrastructure for vulnerabilities or misconfigurations on a regular basis.
Even if you don’t think your company has anything to “steal”, you still need to take measures to protect your systems. You might not be protecting PHI or Social Security Numbers, but you can’t underestimate the bad guys’ desire to make money. Even if attackers don’t find any data worth stealing, they’ll find a way to profit from the exploitation of a system. A great example of this occurred last year when it was discovered that attackers were hacking SANs to install software to mine cryptocurrency. It’s even been reported that attackers are exploiting MySQL servers just to launch Distributed Denial of Service (DDoS) attacks. So, even if your bare metal is worth more than the data it hosts, that doesn’t mean attackers won’t attempt to use it to their advantage.
It’s the holidays! Everyone is busy shopping, getting ready for parties, meeting folks for a cup of good cheer, and all manner of other fun activities. Yes, it is safe to say that the holidays generally fill people with feelings of warmth and good cheer.
It’s also a great time of year for hackers! The fact that people are busy, distracted and even a little bit tipsy is what fills them with good cheer. What better time to break into a network and get your hands on some private information or to set up a blackmail scheme?
That is why it is especially important not to neglect your log monitoring and other information security duties during the silly season. Make sure you don’t turn off alerting on your systems, look for activity at odd times of the day, and make sure you are monitoring what leaves the network and where it’s going. If you neglect these tasks now, you just might not have any happy holidays at all!
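The two habits the posts above call for (noticing brute-force attempts against SSH within hours of a service going online, and watching for logins at odd hours over the holidays) are simple enough to automate. The following is an added example, not code from the original posts or from HoneyPoint: it parses a handful of constructed OpenSSH auth.log lines (source addresses are from the RFC 5737 documentation ranges), flags any source that fails authentication repeatedly inside a short window, flags successful logins outside business hours, and, most importantly, flags a success that follows a guessing run from the same source. Because syslog omits the year, the year is passed in as an assumed parameter.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in OpenSSH auth.log format; this is not real traffic.
# Source addresses are taken from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Dec 24 02:13:41 bastion sshd[2201]: Failed password for root from 203.0.113.5 port 40122 ssh2
Dec 24 02:13:43 bastion sshd[2201]: Failed password for root from 203.0.113.5 port 40123 ssh2
Dec 24 02:13:46 bastion sshd[2203]: Failed password for admin from 203.0.113.5 port 40124 ssh2
Dec 24 02:13:49 bastion sshd[2205]: Failed password for invalid user oracle from 203.0.113.5 port 40125 ssh2
Dec 24 02:13:52 bastion sshd[2207]: Failed password for invalid user test from 203.0.113.5 port 40126 ssh2
Dec 24 02:14:01 bastion sshd[2209]: Accepted password for admin from 203.0.113.5 port 40127 ssh2
Dec 24 09:30:12 bastion sshd[2350]: Accepted publickey for jdoe from 192.0.2.10 port 51022 ssh2
Dec 24 14:05:55 bastion sshd[2401]: Failed password for jdoe from 192.0.2.10 port 51040 ssh2
Dec 24 14:06:02 bastion sshd[2401]: Accepted password for jdoe from 192.0.2.10 port 51040 ssh2
"""

# Matches the "Accepted"/"Failed" lines sshd writes; other sshd/PAM noise is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text, year=2015):
    """Turn sshd auth lines into event dicts. syslog omits the year, so it is an assumed parameter."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"time": when, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def brute_force_sources(events, threshold=5, window_seconds=60):
    """Source IPs with at least `threshold` failed logins inside any `window_seconds` span."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]].append(e["time"])
    flagged = []
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return flagged


def off_hours_logins(events, business_hours=(8, 18)):
    """Successful logins outside business hours, in the log host's local time."""
    lo, hi = business_hours
    return [e for e in events if e["result"] == "Accepted" and not lo <= e["time"].hour < hi]


def success_after_brute_force(events, flagged_ips):
    """A success from a source that was just guessing is the alert that matters most."""
    return [e for e in events if e["result"] == "Accepted" and e["ip"] in flagged_ips]


def run_detections(text, year=2015):
    events = parse_auth_log(text, year)
    flagged = brute_force_sources(events)
    return {
        "brute_force_ips": flagged,
        "off_hours": [(e["user"], e["ip"], e["time"].strftime("%H:%M"))
                      for e in off_hours_logins(events)],
        "compromised": [(e["user"], e["ip"]) for e in success_after_brute_force(events, flagged)],
    }


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

On the constructed log the 02:14 success for `admin` trips all three checks: it comes from a source that failed five times in eleven seconds and it lands well outside business hours. The 14:06 login for `jdoe` follows a single typo and is left alone, which is the kind of noise a threshold is there to absorb. Thresholds, windows and business hours are tuning knobs; pick them from your own baseline rather than from this example.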
I saw in the intelligence and threat briefing the other day that police body cameras pre-infected with the dangerous Conficker worm had been discovered. Once these cameras were connected to a computer, the worm attempted to spread to other machines on the network and to communicate with a command and control system. Great! Lots of juicy, salable information on a police network to be harvested. How about offering to sell informants to the criminals they are informing on? Bet the bad guys would pay plenty! Or, if you become well entrenched in the network, how about starting an intelligence service? You could keep the bad guys well informed about what the police are up to. Bet the bad guys would pay plenty for that too!
This isn’t the first time something like this has happened by any means. Every now and again we hear stories about phones, networking switches, computers, motherboards and lots of other products that come pre-infected with some kind of malware. Unfortunately, it seems that this is happening more and more often and shows no signs of slowing down.
The big reason behind this trend is that it works. How many of us ever even think that our new toys may not be safe? After all, they are brand new from the factory, and the boxes they are packed in have never been opened before. And it’s not just cyber-equipment that may be infected. Increasingly, just about everything we buy or use has a computer in it, and many of these products are made to run over a network as well.
So, say you buy a new smart TV and it comes complete with some kind of malware installed. Chances are you have a wireless network in your home, and all the family’s computers, smart phones and other devices connect to it. Even people who come to visit probably log onto your wireless network. You do home banking, write emails, chat, and do all kinds of private things on this network. But, thanks to your new TV, all of that is secret no more!
The point is, it’s time we start paying more attention to this attack vector and begin doing something about it. We should ensure that we have mechanisms in place to test new products before we hook them into our systems. We should also put regulations and processes in place to ensure that manufacturers test their products for computer bugs before they are allowed to ship them.
I’ve previously written about the fact that I was a MicroSolved customer prior to joining the company as an employee in 2014. Despite the fact that my team was running our own vulnerability assessments and penetration tests, I felt it was important to occasionally hire MSI to perform these services as well. As sharp as my team was, MSI was always able to provide us with actionable intelligence that we could use to improve our risk posture. Now that I have performed these assessments as a consultant, I have seen first-hand the importance of hiring a 3rd party to assess your network.
When you support a production network, you can inadvertently grow a set of blinders towards certain portions of the infrastructure. This could be something as simple as forgetting about a subnet or inadvertently ignoring a legacy system. When you bring in a 3rd party to assess your network, you’re going to deal with a team that has no preconceived notions about the systems and can truly look at the infrastructure holistically. As funny as it sounds, their lack of institutional knowledge can be an asset.
Both as a consultant and as an employee, I’ve seen Managers and Executives that are absolutely shocked by the results of a 3rd party assessment. Despite the fact that they were assured that mechanisms were in place to limit the risk and effectiveness of an attack, the 3rd party identified significant areas of concern. This doesn’t necessarily indicate that the employee was intentionally withholding information. It could be something as simple as them being unaware that a certain system or portion of the network exists.
As an IT Manager or Executive, you’re forced to place a high level of trust in your team. You can’t monitor and oversee everything. You have to take their word that networks are properly segmented and that systems are being patched. I’m not necessarily stating that you can’t trust your employees. However, I do think that it’s worthwhile to occasionally bring in someone to watch the watchers.
Every week in our daily threat and intelligence briefings I read about government and business computer systems that are hacked. And many, many times the stated reason is that a user name and password was revealed, hacked or stolen and the cyber criminals were able to use it to log into the system. But I don’t think this is the real reason at all; the real reason is that we are not properly establishing the identity of whoever is trying to access the system.
I know how inconvenient computer security can be for everyone. I not only see it every day in my profession, I also suffer from it myself as an individual. And the last thing most of us want is to make the task even more inconvenient and frustrating. But the fact is that identifying one’s self to a computer system by simply inputting a user name and password is just not good enough. We must increase the reliability of identity verification systems if we are to have any real hope of preventing illicit access.
To establish the identity of any person there are only three factors that can be employed. You can identify a person by something that they know, by something that they have or by something that they are. Obviously, a user name and password is something that a person knows, and we waste all kinds of time and effort in the futile hope that we can keep this special knowledge secret. I say futile because, as we all know, secrets have a frustrating habit of not lasting very long.
Something we have can be a physical object such as an RSA token or smart card, or it can be a “soft token” such as a digital certificate. An example of using something you have and something you know in tandem is a debit card and PIN. Something we are can be a number of things: fingerprints, retinal patterns, DNA, body features, etc.
Every “factor” you add to your user identification scheme forces an attacker to compromise something independent of the others: a phished or leaked password is no longer enough on its own, because the attacker must also obtain the token or defeat the biometric. That is why, despite the inconvenience, I am a big proponent of using all three types of identification factors at once, especially for privileged or high-risk access. As far as I’m concerned, it’s time to bite the bullet, live with the inconvenience and just get the job done!
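As an added example (not code from the original post), here is what a second factor of the “something you have” kind looks like next to the “something you know” factor: a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226) checked alongside a PBKDF2 password hash. The user record, password and salt are constructed for the example; the TOTP seed is the RFC 6238 SHA-1 test seed, so the codes it produces can be compared with the vectors in that RFC. The caveat worth showing is replay: a one-time code that has already been accepted must be refused if it is presented again, otherwise a phished code is as reusable as a phished password.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 100_000  # tune to your hardware; higher is slower for attacker and defender alike


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter taken from the clock in `step`-second slices."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, last_counter: int,
                step: int = 30, digits: int = 6, skew: int = 1):
    """Return the matched counter, or None.

    Accepts +/- `skew` steps of clock drift between token and server, but never a counter
    at or below `last_counter`, so a code that was already used (or captured) cannot be replayed.
    """
    for drift in range(-skew, skew + 1):
        counter = unix_time // step + drift
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


# Constructed user record for the example; not a real account.
# The TOTP seed is the RFC 6238 SHA-1 test seed.
_SALT = os.urandom(16)
USER = {
    "salt": _SALT,
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", _SALT, PBKDF2_ROUNDS),
    "totp_secret": b"12345678901234567890",
    "last_counter": -1,
}


def login(user: dict, password: str, code: str, unix_time: int) -> bool:
    """Two factors: something you know (password) and something you have (the TOTP device)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    password_ok = hmac.compare_digest(candidate, user["pw_hash"])
    # Evaluate both factors before deciding, so a failure does not reveal which one was wrong.
    counter = verify_totp(user["totp_secret"], code, unix_time, user["last_counter"])
    if not (password_ok and counter is not None):
        return False
    user["last_counter"] = counter  # burn the code: it will not be accepted a second time
    return True


if __name__ == "__main__":
    now = 1234567890
    code = totp(USER["totp_secret"], now)
    print("first use:", login(USER, "correct horse battery staple", code, now))
    print("replay:   ", login(USER, "correct horse battery staple", code, now + 5))
```

Run as-is, the first login succeeds and the replay of the same code five seconds later is refused. A real deployment also rate-limits guesses (a 6-digit code is only a million possibilities), stores the seed as carefully as a password hash, and treats the recovery path for a lost token as part of the attack surface.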
Over the last seven years, the amount of fraud from stolen credit card data has doubled in the U.S. This has been the primary driver pushing American credit card companies and retailers into adopting credit cards with computer chips in them. The problem with the old magnetic stripe credit cards we are so familiar with is that the data on the magnetic stripe is static – it never changes. Because of this, fraudsters have been able to simply copy the magnetic stripe data from your card to a blank one, and then use the new card to make purchases. The computer chips in Europay, MasterCard and Visa (EMV) cards, on the other hand, generate a unique, one-time code for each transaction, so data intercepted or copied from one purchase is useless for the next. If a thief attempts to make another transaction using that information, the transaction will simply be denied.
These kinds of credit and debit cards have been used in Europe for decades, and have greatly reduced the amount of credit card fraud there. But the American versions of these cards are going to be different for some years to come. For one thing, EMV cards issued to Americans are still going to have the magnetic stripe on them until at least 2017. This is to give retailers a chance to install the necessary (and expensive) equipment needed to process EMV cards. Also, even though most retailers are supposed to have EMV card reader hardware in place as of October this year, gasoline retailers are not required to change their pump card readers until 2017.
Another difference is the use of a PIN with the cards. In Europe, they have found that requiring a 4 to 6 digit PIN when cards are used greatly adds to the security of the transaction (just like inputting a PIN when you use your debit card here does). But most companies in America are just going to require a signature, and are not going to allow the use of PINs with these cards for a while. This is not only to spread out the cost of re-equipping for the merchant, but also to allow American consumers to get used to the new cards. Eventually, America will probably be using the same setup currently used in Europe, but until then, remember that your cards will still suffer from some of the same old vulnerabilities as always.
I just wanted to give everyone a quick example of why you should always exercise caution when modifying an application’s privacy settings.
Facebook is rolling out a feature in the US that allows people to automatically identify and share things they’re listening to or watching. It’s important to keep in mind that leveraging this feature requires that you grant Facebook access to your iPhone’s microphone. This means that Facebook will turn on your microphone every time you write a status update. It is worth weighing the sacrifice in privacy against the convenience you gain by leveraging this feature. Is it really worth allowing an organization to hear your conversations just so you can gain the ability to easily share what TV show you’re watching?
Facebook has stated that they do not record or archive these transmissions. However, using this feature requires that you trust that a 3rd-party (Facebook) will handle your data appropriately. Do you really need to provide them with this data? Does it really save you that much time to have your background noise automatically analyzed? These are questions you should ask yourself prior to providing Facebook with this level of access.
As a risk management guy, I’m often asked why I think information security programs fail or are less effective than they should be. There are certainly a number of answers to that question, but I think one of the main causes is lack of management participation in the program.
First, it should be recognized that these programs are driven from the top down. Upper management must demonstrate real interest in the infosec program to make it work. Right or wrong, people take all their main cues from upper management, and an apathetic CIO or CEO is a death knell for an infosec program.
Once you have achieved high level buy-in, it is very important to ensure that mid and operational level management are also properly involved in the program. Managers on these levels need to demonstrate their interest in the infosec program just as upper management does. However, beyond that, these individuals should also be involved in the program in a much more direct way.
It isn’t enough that information security policies and procedures have been established and communicated to all appropriate personnel. There also need to be regular, documented processes in place for management oversight of the information security program. Managers sometimes tend to become complacent about the information security program; they don’t really demonstrate interest in it and don’t seem to check up much. And if managers become complacent about infosec, you can safely bet that the personnel in their purview will be as well.