In this episode of the MSI podcast, we discuss recent issues involving AWS misconfigurations that led to incidents, common problems, the importance of proper configurations to avoid these issues and how we can help you identify them in your environment.
What isn’t an Internet of Things device these days?! Companies are literally flooding the consumer market with smart chip-equipped devices you can control with your iPhone or Android (which themselves are equipped with smart chips – sigh!). Smart bike locks, smart egg trays, smart water bottles, smart dental floss dispensers, smart baby-changing pads!! These are all real devices.
We’ve talked about development servers, and the perils of internet facing development environments. Now, let’s talk about what is IN your development environment.
Another issue we run into fairly often with dev environments,…they are set up to use production data, and sometimes this data is piped in directly at night with no modification. This introduces a risk of not only exposing this data through vulnerabilities within the development environment but could allow a contractor or unauthorized employee to view sensitive information.
Development: the act, process, or result of developing, the development of new ideas. This is one of the Merriam-Webster definitions of development.
It doesn’t really matter what you call it…dev, development, stage, test. Software applications tend to be in flux, and the developers, programmers, testers, and ancillary staff need a place to work on them.
Should that place be out on the internet? Let’s think about that for a minute. By their very nature, dev environments aren’t complete. Do you want a work in progress, with unknown holes, to be externally facing? This doesn’t strike me as the best idea.
But, security peeps, we HAVE to have it facing the internet – because REASONS! (Development types…tell me what your valid reasons are?)
And it will be fine – no one will find it, we won’t give it a domain name!
Security through obscurity will not be your friend here…with the advent of Shodan, Censys.io, and other venues…they WILL find it. Ideally, you should only allow access via VPN or other secure connection.
What could possibly go wrong? Well, here’s a short list of SOME of the things that MSI has found or used to compromise a system, from an internet facing development server:
- A test.txt file with sensitive information about the application, configuration, and credentials.
- Log files with similar sensitive information.
- .git directories that exposed keys, passwords, and other key development information.
- A development application that had weak credentials was compromised – the compromise allowed inspection of the application, and revealed an access control issue. This issue was also present in the production application, and allowed the team to compromise the production environment.
- An unprotected directory that contained a number of files including a network config file. The plain text credentials in the file allowed the team to compromise the internet facing network devices.
And the list keeps going.
But, security peeps – our developers are better than that. This won’t happen to us!
The HealthCare.Gov breach https://www.csoonline.com/article/2602964/data-protection/configuration-errors-lead-to-healthcare-gov-breach.html in 2014 was the result of a development server that was improperly connected to the internet. “Exact details on how the breach occurred were not shared with the public, but sources close to the investigation said that the development server was poorly configured and used default credentials.”
Another notable breach occurred in 2016 – an outsourcing company named Capgemini https://motherboard.vice.com/en_us/article/vv7qp8/open-database-exposes-millions-of-job-seekers-personal-information exposed the personal information of millions of job seekers when their IT provider connected a development server to the internet.
The State of Vermont also saw their health care exchange – Vermont Connected – compromised in 2014 https://www.databreachtoday.asia/hackers-are-targeting-health-data-a-7024 when a development server was accessed. The state indicates this was not a breach, because the development server didn’t contain any production data.
So, the case is pretty strongly on the side of – internet facing development servers is a bad idea.
In the not too-distant past I was involved in helping secure the information infrastructure of a major EDI “VAN”.
How’s that for gibberish? Some definitions are in order:
EDI = “Electronic Data Interchange”. Effectively, a collection of standards for the encoding of documents such as invoices, purchase orders, bills of lading, medical information, and – it seems – information pertaining to the business of buying, selling and moving natural gas.
EDI dates from the 1970’s. It took advantage of pre-Internet communication mechanisms but quickly was adapted to the Internet and likely will be to blockchain.
EDI “trading partners” can communicate directly, but often they rely on third-party EDI specialists to handle communication with their various trading partners. These are the EDI “Value Added Networks” (VAN).
EDI is the unsung hero of modern commerce.
Everything we buy or sell has a secret life as an EDI document. Usually a number of them.
Not surprisingly, natural gas pipeline companies use EDI in the running of their business, communicating information about availability and pricing to their customers and government. A few months ago, the business of some natural gas pipeline companies was disrupted by the sudden unavailability of those EDI services.
The attack, in March 2018, was directed against a central provider of EDI services to several major natural gas pipeline operators. Although it did not affect actual in-field operations, it did stop all normal business traffic for several days, causing confusion and a fall-back to alternate communication mechanisms.
Of greater concern was the loss of potentially sensitive information about internal business structure, all of which can be inferred from the ebb and flow of EDI data. Such information can be invaluable to an attacker and in this case can be an aid in eventually attacking actual pipeline operations.
The point here is that it is easy to view such operations as strictly an ICS security concern, and that with proper segmentation of business from ICS infrastructure all will be well.
I’ve had some experience in that ICS world over the last few years and know that segmentation is often incomplete at best. Even when segmentation is present, your business can still be vulnerable to attacks on exposed business systems that have process flow links to ICS.
What to do?
- Know how you use EDI and what your supporting infrastructure is.
- Know who your EDI providers are and what security measures they employ
- Do a business impact analysis of your EDI environment. What happens if it goes away?
- Ensure you really do have segmentation of your business and ICS worlds. Make sure the places they touch are known, secured, and monitored.
Natural Gas Industry Usage of EDI:
Quote: “The NAESB wholesale natural gas cybersecurity standards facilitate an infrastructure of secure electronic communications under which the electronic transmission of data via EDI or browser based transactions is protected. There are more than fifty separate transactions identified for nominations, confirmations, scheduling of natural gas; flowing gas transactions including measurement, allocations, and imbalances; invoicing related transactions including invoices, remittances, statement of account; and capacity release transactions.”
Quote: “EDI security appears at several interrelated stages:
- The user/application interface,
- EDI applications and value added services,
- The processing (both batch and interactive) and storage of EDI messages,
- The communication of these messages in an open systems environment”
Healthcare from United States, come on down! Welcome to “They Price It Right!” There goes the industry, high-fiving all the other industries in the studio as it rushes towards Drew Carrey and the stage. And pays the ransom.
In 2017, healthcare organizations accounted for 15% of all security incidents and data breaches, second only to financial institutions (from Verizon’s 2017 DBIR). 66% of malware was installed through either email links or attachments. The healthcare industry has also been hard hit with ransomware in recent years.
* The above images captured from Verizon’s 2017 Data Breach Investigations Report
The last several years have seen a dramatic increase in ransomware within healthcare. To quote the CEO of an organization that DID pay out the ransom demand, “These folks have an interesting business model. They make it just easy enough. They price it right.” Symantec’s ISTR on Ransomware 2017 reports the average ransom demand “appears to have stabilized at US$544 indicating attackers may have found their sweet spot.” Ahhh…can just picture the blackmailer getting a notification that their target had succumbed and paid up…that hit the sweet spot.
However, a reminder; a $500 ransom may not seem much to an organization with millions or billions in revenue, but that’s per infection (sorry, pun not intended as we’re discussing the healthcare industry). Dozens or hundreds of infection can easily tally up the ransom to total in the tens or hundreds of thousands.
Furthermore, paying the sweet spot ransom does not guarantee even a bittersweet outcome. SentinelOne’s 2018 Ransomware Study shows 42% of ransom payments did not result in data recovery. 58% demanded a second payment.
* The above image captured from SentinelOne’s Global Ransomware Study 2018
Most ransomware is delivered through email. Phishing. Spearphishing. Targeted targets. Email addresses for an organization can easily be harvested using readily available open source tools. 15 minutes to create a phishing campaign with the newly found targets with a link or malicious attachment. The context of the email can be social media related, user needs to reset their password, they have a package that was undelivered, the CEO has attached a memo addressed to all staff. The recent Russian indictments – regardless of the reader’s political leanings – are proof that PHISHING WORKS! (Also blogged here in stateofsecurity.com)
Technology has come a long way – email filters, domain verification, Sender Policy Framework, malware and link scanners – plus many more help in filtering out the 50-70% of the email traffic that is spam. But they still get through. I know for one my Inbox is not spam-free or devoid of any phishing messages.
Since technology is not at the point where it’s able to stop all phishing email, it is up to the user to NOT click on that link or attachment. Sure, there are technologies that prevent bad things from happening if a user DOES click on a phishing link or malicious attachment. But then again, technology is not at the point where they are 100% effective.
Businesses with big budgets buy all kinds of hardware and software solutions to try to counter phishing. But they ignore a big piece of the phishing attack model, and that is the end user. And here, education and training is imperative.
Repeating phishing exercises should be conducted on all or selected groups of employees. These campaigns should be at not-too-regular intervals, so as not to evoke an anticipation from the employees – alright, here come some vaguely suspicious email on the first day of each quarter; I’ll just delete them. Then the rest of the year, they blatantly open, view and click on any and all email links. The simulated campaigns should be randomized and as unexpected as possible.
These campaigns should also be followed up with some education, either some static web pages, training video or live in person session. Phishers are always coming up with new tricks and methods. As a result, end users should be brought up to speed with their new tricks. A couple academic research papers on the efficacy of phishing training demonstrate that EDUCATION WORKS! (links under Resources below)
Then there needs to be a culture of non-retribution. Phishing exercises should be conducted with learning as the objective. Employees should come away with a heightened awareness of phishing and the social engineering tricks used by phishers that make you just want to click that link/attachment.
Employees should be encouraged to report any suspicious email so that word gets around. Homeland Security’s “See something, say something” campaign applies here too; someone is perhaps targeting your firm, alert your fellow colleagues.
What’s a bit of spam and a bit of phishing, right? It’s all the cost of doing business…until you look at what it really CAN cost your business.
The latest statistics from the Internet Crime Complaint Center (IC3) are enlightening – taken directly from the IC3 site:
The following BEC/EAC statistics were reported to the IC3 and are derived from multiple sources, including IC3 and international law enforcement complaint data and filings from financial institutions between October 2013 and May 2018:
Domestic and international incidents: 78,617
Domestic and international exposed dollar loss: $12,536,948,299
The following BEC/EAC statistics were reported in victim complaints where a country was identified to the IC3 from October 2013 to May 2018:
Total U.S. victims: 41,058
Total U.S. victims: $2,935,161,457
Total non-U.S. victims: 2,565
Total non-U.S. exposed dollar loss: $671,915,009
The following BEC/EAC statistics were reported by victims via the financial transaction component of the IC3 complaint form, which became available in June 20163. The following statistics were reported in victim complaints to the IC3 from June 2016 to May 2018:
Total U.S. financial recipients: 19,335
Total U.S. financial recipients: $1,629,975,562
Total non-U.S. financial recipients: 11,452
Total non-U.S. financial recipients exposed dollar loss: $1,690,788,278
That’s billions with a B…and the dollars and cents cannot measure the intangible costs like reputation, consumer confidence, etc.
What are the growing targets, and vectors of compromise? Financial transactions of all kinds tend to be the low hanging fruit. Real estate transactions, wire transfers, anything with a routine methodology of process, where information requests are constant, and a change of source or target would not be unusual. What’s another call from the bank, asking to verify your account information for payment? Another wire transfer request from the CFO?
There are also information breaches to consider. Let’s look at DocuSign for a moment – their own statement admits that email addresses were compromised, but indicates that additional personal information was not at risk. This statement is a bit misleading. A threat actor could collate the additional info to make an attack appear legitimate through other sources – and the fact that these emails came from DocuSign means that they would legitimately expect to receive email FROM DocuSign! In sales, that’s a pre-qualified lead, and it’s no less valuable to an attacker.
Another high-profile incident is the indictment of Russian operatives in the DCCC and DNC compromise – MSI has written about that here.
Add the preponderance of mobile devices, webmail, and online portals to your business of all kinds…it’s a risk. And any breach of your business data, client/customer data, and/or employee data is high profile as a risk to YOU. MSI has had a number of clients this year with compromises of Office 365 email accounts, administrative accounts that were externally facing, wire transfer issues, etc. On a personal level, individuals have had fraudulent tax returns filed under their SSN, etc. Size is irrelevant when it’s your data (and money) at risk.
So, what can you do to protect yourself, and your company? Email filtering, mobile device management, and other security measures can help – but the one measure that is consistently most effective against these attacks is MFA – multi-factor authentication. MFA is, at its core, something you know and something you have.
Often, this is an SMS code, or something physical like an RSA hard or soft token. However, do not rule out MFA for less technical transactions. In a situation where the CFO emails in a wire transfer, also add a vocal component – the individual must call and answer a challenge response question.
Are there challenges to implementing MFA? Of course. One of the primary challenges is user resistance – one of my favorite sayings is…change is inevitable, except in vending machines. But humans are wired to see their consistent patterns as a comfort, and you’re asking them to leave their comfort zone.
Another challenge is the technology gap. NIST is no longer recommending SMS as a component of MFA – but if that is all your organization is capable of leveraging, is it better than nothing? That’s a question for your technical and risk staff to consider.
The solution you choose will always NOT work for someone or something in your organization – someone will have a device that is too old, or incompatible, and they’re high enough up the corporate ladder that allowances will be considered. If you use a hardware token, someone will break it at a critical moment – or the USB token won’t work with their new whizz bang device.
And once you begin implementation, your organization won’t go from zero to 100% compliant immediately – in addition to dealing with the outliers, you’ll need a transition plan while implementation is underway.
Documented policies and procedures will need to be present – create these as you go, it will be a less onerous task than after the fact. In the case of our verbal challenge and response for a wire transfer example, where will those procedures be kept and how will they be protected – they should be safe from easy compromise, but not invalidate the solution when the primary person is out of the office?
Then there’s the issue of critical software that may need to be externally facing, but doesn’t support MFA. What do you do when the developers cannot implement this in a manner to protect your company? “The program wouldn’t do it” will be of little comfort when you’ve been compromised.
Are the challenges overwhelming? We cannot LET them be, folks. Scroll back up to those numbers – that’s billions with a B. Consider the challenges as things to rise up and meet, in the best way for your organization – rather than mountains that you simply cannot climb.
The Target? You. Image Source: Wikimedia Commons
- “….<the Russian operatives> were dedicated to targeting military, political, governmental, and non-governmental organizations with spearphishing emails and other computer intrusion activity.”
- “….used various online personas, including “Kate S. Milton,” “James McMorgans,” and “Karen W. Millen,”
- “….sent spearphishing emails to members of the
Clinton Campaign and affiliated individuals, including the chairman of the Clinton Campaign”
- “….. altered the appearance of the sender email address in order to make it look like the email was a security notification from Google (a technique known as “spoofing”), instructing the user to change his password by clicking the embedded link. Those instructions were followed. On or about March 21, 2016, LUKASHEV, YERMAKOV, and their co-conspirators stole the contents of the chairman’s email account, which consisted of over 50,000 emails.“
- “… created an email account in the name (with a one-letter deviation from the actual spelling) of a known member of the Clinton Campaign. The Conspirators then used that account to send spearphishing emails to the work accounts of more than thirty different Clinton Campaign employees. In the spearphishing emails, LUKASHEV and his co-conspirators embedded a link purporting to direct the recipient to a document titled “hillary-clinton-favorable-rating.xlsx.” In fact, this link directed the recipients’ computers to a GRU-created website“
- “…used an email account designed to look like a Vendor 1 email address to send over 100 spearphishing emails to organizations and personnel involved in administering elections in numerous Florida counties. The spearphishing emails contained malware that the Conspirators embedded into Word documents bearing Vendor 1’s logo.
That last one strikes close to home for me as it is a technique I have used successfully when conducting “white-hat” phishing exercises for MSI’s clients.
The indictment makes it clear that we are very much in a “cyberwar” right now and that the targets of greatest opportunity in that war are not information infrastructure – but people. You and I, feverishly pounding away at a keyboard in an attempt to meet some deadline (like writing a blog post?). Or, even better and more dangerous, responding to emails with a mobile device while we sit waiting at a stoplight. None of us, of course.
Many of you likely regard yourselves as targets of little interest in any cyberwar attack. And that may be true for you specifically, but is it true of your family members and friends as well?
Perhaps one of them works for an HVAC vendor that does work for government?
The point is that everyone is connected via some device and everyone shares infrastructure (cloud storage?) with others. Any person in that chain of connectedness is a potential stepping stone to items of real interest to an attacker.
Phishing has become the primary attack vector and the target can be anyone who is connected to someone else with access to sensitive information. It’s low cost and relies on information about us that we and those who know us have freely given up,
And… it just works. Those Russian operatives know that, and so should you.
Everyone is now a potential target in this new type of warfare
What to do?
- Make sure you, your family members, and your co-workers have a basic understanding of phishing and what to look out for.
- If your company provides training on phishing awareness, take it seriously. If it has none, lobby for it.
- If you are in management, realize that your employees are the new attack surface. Make sure they are trained to detect phishing and are willing to report it – even if they think they may have been successfully phished. That last is important. Your company will be the real loser if employees are afraid to speak out. Do not rely on magic-bullet technology alone to address what is fundamentally a problem in human behavior. . Conduct periodic tests to see how aware your people really are. No punishment – education!
- Use Multifactor Factor Authentication (MFA)! If an attacker obtains your traditional login credentials (login/password) and that’s all you use, they have you. Multifactor authentication requires the addition of “something you know” or “something you have”. Typical examples involve login sequences that require you enter a one-time code texted to your phone (“something you have”). Adding that extra factor complicates the whole phishing process and may even render it futile. All modern infrastructure supports some form of MFA.
- Keep your work environment separate from your home environment. Consider segmenting your home network. A unique “work” wifi environment, with separate IP addressing, used only for your work (no family members, guests, or IOT devices) may be a good place to start.
- https://blog.google/technology/families/be-internet-awesome-helping-kids-make-smart-decisions-online/ – phishing training for kids
- https://en.wikipedia.org/wiki/Multi-factor_authentication – Multifactor
- https://support.google.com/accounts/answer/1085463?hl=en – Google MFA
How many of us have been on Facebook, and laughed when a friend’s child posts “Child is my favorite!” after their parent left the table with their phone unlocked?
And who has had a friend – or been the friend – who left their phone at the table? Don’t laugh – try being the one who did that WITH the security team. (Guilty…)
Amusing anecdotes? Absolutely. Now, let’s imagine that mobile device is unlocked when it’s left unattended, and contains your corporate data…now what?
That’s where MDM – mobile device management – comes into play. There are a few things to consider when you’re planning your deployment:
- Who will have access to corporate information on the device?
- Will you allow people to use personal devices – BYOD – or restrict this to corporate assets?
- What will you allow, and what do you want to prevent, with device access? Email only? Other resources? Will you allow attachments to be downloaded and stored on the device?
- How important are remote wipe capabilities – think of the worst case scenario with a disgruntled employee at all levels, with access to your data?
- What about geolocation capability? Do you want the ability to block access from certain areas of the world – and how easy will it be to fix this when the VP is in Hong Kong, and you’ve blocked APNIC? Do you want to be able to pinpoint the device’s location if it has been lost or stolen?
- What platforms will you support? Android, iOS, others? Yes, there are other platforms…
- Consider whether it makes sense to only allow mobile devices to access corporate data via a VPN? Depending on the sensitivity of your data, this may make sense for your scenario.
The majority of MDM vendors will support some or all of the feature set that you desire. Once you’ve weighed out your desired list, and chosen your vendor, there are a number of other factors to look at when considering your actual deployment. A few things to consider:
- Back to the basics. Passwords – require devices, whether corporate or BYOD, to have a password and to change that password regularly.
- Encryption. Again, another basic – devices that carry your corporate data should be encrypted.
- Jailbroken, rooted, and otherwise compromised phones should not be allowed to access corporate data.
- Require virus/malware protection, particularly for Android devices. Free solutions from well regarded vendors exist, so this is not an onerous requirement for employees.
- Have valid, documented procedures for geolocation features – whether blocking access or locating devices. Include removal as well as deployment in those procedures – when the VP is back, you will want to remove the access to Hong Kong. And when an employee leaves your company, so should your ability to track their BYOD device.
- Another item to have documented is your remote wipe or content removal process when a user leaves the company – willingly or not – or when a device is lost or stolen.
- Decide what you will and will not allow in terms of software on a corporate device. Will you allow users to install Waze? Their favorite game? Define that line in advance, rather than closing the loop later.
- Regularly audit your configuration, the device compliance, and any exceptions that have been granted. Are there changes that need to be made in light of emerging threats? Are there exceptions that are no longer required?
And remember to take a real vacation occasionally, and put that mobile device down, folks. Those nice people? They’re your family, friends, or others in your life outside of work.
Maintaining current inventories of all hardware devices, software applications, operating systems and firmware applications on your networks is listed as Job #1 in cutting-edge information security guidance. This is true for a number of reasons, but today I want to discuss the paramount importance of good inventory control processes in mounting trackable and effective security maintenance and configuration control programs.
In a recent Threatpost report on top threats for2018, it was reported that exploit kits were still the top web-based threat. Exploit kits are very good at uncovering missing patches, misconfigurations, default passwords and the like, and they are most assuredly not limited to Windows systems only.
In the work we do, it is very common for us find networks that are obviously being generally well administered. We see that most systems are well configured, that Windows patching is very good and that most access controls are strong. But on these same networks, we almost always find glaring anomalies that don’t fit the overall picture. Maybe we’ll find a couple of hosts with factory default credentials in place, or a firewall that is running an exploitable firmware version, or maybe it will virtual machine software that is missing security patches. The list is extensive. But they all have one thing in common; these are systems and hosts that have somehow fallen through the cracks.
This is where good inventory control comes in. Most of the organizations I referred to above have inventories in place, but they are just there to be there; nobody seems to use them for anything. I think this is mainly because most infosec programs are driven by compliance, and compliance means you have to be able to check the “inventories in place” box. What a mistake! Those inventories are useful!
Inventories should be central to all security maintenance and configuration control efforts. All hardware devices, software applications, operating systems and firmware applications should be included in IT inventories. Security maintenance and configuration control administrators should ensure that all entities on these lists are included in their efforts. Those in charge of these processes should also always ensure that they are communicating and coordinating their efforts, and that everything is kept up-to-date. In fact, I’ll go one step further.
An effective information security program, although made up of many different processes, needs to work together like a single entity. It’s very much like our own bodies. We have a brain, a heart, limbs, bones, eyes, skin and numerous other individual parts, but they all cooperate together to function as a single entity. If you don’t leverage each part of your infosec program to feed and enable all of the other parts, then you are wasting a lot of time and money!