Recently Discovered ICS Vulnerability

Earlier this week, ICS-CERT announced that a new vulnerability was discovered in ICS products made by Endress+Hauser. The vulnerability affects the DTM library used by Endress+Hauser HART-based field devices in the FDT/DTM Frame Application. If a specially crafted packet manages to exploit the vulnerability, the DTM Frame Application will become unresponsive as a result of a buffer overflow. Endress+Hauser has released a security update addressing this issue. Despite the fact that we haven’t observed this vulnerability being exploited in the wild, we highly recommend applying the patch by Endress+Hauser as soon as possible.
To minimize the risk of an ICS device being compromised by an attacker, be sure to consider the following general recommendations:
  • Discover and document – You can’t protect a system if you don’t know it exists. Take some time to identify and document all of the legacy and unsupported operating systems in your network.
  • Isolate – Segmenting the ICS system will reduce the risk of it being compromised by an attacker. Take some time to verify that it is inaccessible from any unnecessary business/user networks.
  • Update and secure – Install all available patches and updates. Be sure that you are notified of any updates to the operating system, firmware and any installed applications.
  • Perform thorough log analysis – Implement some sort of centralized logging platform to ensure you have the ability to detect any anomalies that occur within these systems.
  • Leverage the use of an ICS honeypot – Creating a HoneyPot ICS device will help you discover suspicious activity within your network before it affects a production system.

Keep it Simple: Creating an Incident Response Policy

Drafting an Incident Response Policy can seem overwhelming. At the beginning, it doesn’t seem feasible that a single document can help you maintain order during a breach. You may ask yourself if it’s even possible to prepare your team for responding to all of the latest Tactics, Techniques and Procedures (TTP) that attackers are leveraging. It’s not possible to craft a document that addresses every possible threat individually. However, you can create an effective policy that covers each major threat category as opposed to each individual attack.

If you’re not sure which categories to focus on, I recommend taking a look at Microsoft’s STRIDE Threat Model. STRIDE stands for Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege. By leveraging the STRIDE model (or any other threat model), you can create a policy that will be relevant for years to come. This “one size fits all” approach will not only make your policy more efficient, it will be much more effective.

After you’ve crafted your policy, be sure to take the time to walk through a few scenarios. It’s even worthwhile to bring in a 3rd party to help you simulate a computer security incident on a regular basis. This exercise can help you identify any gaps that exist within your policies and procedures. It will also demonstrate how a simple policy will help your company respond to even the most complicated security issues.

Providing Security to a Grumpy End-user

Working in IT, one of my biggest challenges has been to convince end-users that it is worthwhile to forego a convenience in the name of security. Regardless of whether it’s requiring the use of multi-factor authentication or forcing a computer to auto-lock after a certain amount of idle time, it often boils down to the end-user facing some sort of hindrance to their productivity. I completely understand their frustrations. I’ve managed Active Directory networks that served around 15,000 people and still managed to lock out my account. Was I annoyed? Absolutely, but I understood the need for the control. If you take the time to explain security to the end-user, they’ll be more likely to understand your decisions.

Here are some tips I’ve found to be helpful when convincing an end-user to implement a security control:

  1. Remind – Remind them that you’re not making this change just for fun. It’s being completed to reduce the likelihood that your organization’s systems will be compromised by an attacker.
  2. Example – Give an example of a high-profile breach that could have been prevented by implementing this control. It’s likely that they’ve had their personal information exposed as a result of a breach within the last few years. Even if they (somehow) haven’t personally been affected by a data breach, they have a friend or family member who has. Using an example of something that has affected them personally will go a long way to helping them understand why it is worthwhile to implement a security control that could have an adverse effect on their productivity.
  3. Analogy – Still having trouble rationalizing why you’re implementing a new security system? Try to use an analogy to describe how the new control will help prevent an issue. For example, if they are upset that they can’t reuse a password across multiple systems, remind them that the key to their Ford vehicle won’t work on ALL Ford vehicles.
  4. Describe – Take some time to describe why you’re implementing the new security control. It’s important to make the effort to explain the task in terms that the end-user will understand. Don’t use the complexity of the topic as an excuse. If you can’t explain the issue to a non-technical employee, chances are, you don’t understand it yourself.

IoT Privacy Concerns

Lately, I’ve been amazed at how quickly the Internet of Things (IoT) has become a part of my life. Everything from speakers to a Crock-Pot (yes, a Crock-Pot) has been connected to my home wireless network at some point. As much as I enjoy all the conveniences that these devices provide me, I always consider the security implications prior to purchasing an Internet-connected device. It’s worthwhile to weigh the convenience of installing new Internet-connected equipment vs. the privacy issues that can occur if the device is compromised.

There have already been a variety of security issues stemming from the widespread adoption of IoT devices. Last fall, a website published links to over 73,000 unsecured cameras throughout the world. These cameras monitored everything from shopping malls to people’s bedrooms. Without implementing proper controls around IoT devices, we will continue to see similar issues arise.

I don’t intend for this blog to scare people away from purchasing IoT devices. In fact, I will provide you with a few simple changes you can make to your IoT configurations that will reduce the privacy issues that can occur by installing an IoT system. These changes won’t necessarily diminish the conveniences you can gain by buying an Internet-connected thermostat or installing the latest IoT security camera. However, they will significantly reduce the risk associated with installing an IoT system.

A few recommendations for your new gadget:

  • Change the default password – A majority of the aforementioned cameras were compromised because the owners did not change the system’s default password. By simply setting the password to something that will be difficult for an attacker to guess, you can reduce the risk of someone compromising your device.
  • Segment – Try to isolate your IoT devices from the rest of your home network. It is very possible that an attacker would use an IoT system as an entry-point to gain access to other systems.
  • Check for software updates – Make a routine to check for software/firmware updates for all of your IoT devices. These updates will often contain a security patch that can protect your system from being exploited.
  • Do not expose the device directly to the Internet – There shouldn’t be a need to expose an IoT device directly to the Internet. This will provide an attacker a much larger surface to attempt to exploit your device. If the system requires that configuration, it is worthwhile to consider another option.

Windows Server 2003 – End of Life

Windows Server 2003 has officially reached its end-of-life date. Does this mean that all of your Windows Server 2003 servers will be hacked on July 16th? Probably not. However, it is worthwhile to ensure that your organization has a plan in place to migrate all of your applications and services off of this legacy operating system. This is especially true if you have any Windows Server 2003 systems that are exposed to the internet. It is only a matter of time until a new vulnerability is discovered that affects this operating system.

As a former Windows Systems Administrator, I understand how difficult it can be to convince an application owner to invest the time and resources into migrating a system or service to a new operating system. Despite the fact that these systems have a heightened risk of being compromised, it’s very possible that your organization doesn’t have the financial resources to migrate your applications and services to a new operating system. You’re not alone. I found over 1.3 million servers running IIS 6.0 in Shodan. Over 688,000 of these servers are in the United States. However, there are still ways to reduce the risk of hosting these legacy operating systems until a migration plan is put into place.

A few ways to reduce the risk of hosting an application on a legacy operating system are:

  • Discover and document – You can’t protect a system if you don’t know it exists. Take some time to identify and document all of the legacy and unsupported operating systems in your network.
  • Learn about the application – Take some time to learn some details about the application. Is it still even being accessed? Who uses it? Why is it still hosted on an unsupported operating system? Are there other options available?
  • Educate the business users – If financial resources are an issue, take some time to explain the risks of hosting this application to the business users. Once they gain an understanding of the risk associated with hosting their application on a legacy OS, they can help secure funding to ensure that the application is upgraded.
  • Isolate – Segmenting the legacy system can reduce the risk that it is accessed by an attacker. It also can decrease the likelihood that a compromise of the legacy system will spread to other servers.
  • Update and secure – Install all available patches and updates. Not only for the operating system, but the hosted applications as well.
  • Perform thorough log analysis – Implement some sort of centralized logging platform to ensure you have the ability to detect any anomalies that occur within these systems.
  • Plan for the worst – Be prepared. Have a plan in place for responding to an incident involving these systems.

Are you hacking!? There’s no hacking in baseball!

My Dad called me earlier this week to ask if I heard about the FBI’s investigation of the St. Louis Cardinals. My initial reaction was that the investigation must be related to some sort of steroid scandal or gambling allegations. I was wrong. The Cardinals are being investigated for allegedly hacking into the network of a rival team to steal confidential information. Could the same team that my Grandparents took me to see play as a kid really be responsible for this crime?

After I had time to read a few articles about the alleged hack, I called my Dad back. He immediately asked me if the Astros could have prevented it. From what I have read, this issue could have been prevented (or at least detected) by implementing a few basic information security controls around the Astros’ proprietary application. Unfortunately, it appears the attack was not discovered until confidential information was leaked onto a pastebin site.

The aforementioned controls include but are not limited to:

  1. Change passwords on a regular basis – It has been alleged that the Astros’ system was accessed by using the same password that was used when a similar system was deployed within the St. Louis Cardinals’ network. Passwords should be changed on a regular basis.
  2. Do not share passwords between individuals – Despite the fact that creating separate usernames and passwords for each individual with access to a system can be inconvenient, it reduces a lot of risk associated with deploying an application. For example, if each member of the Astros front office was required to have a separate password to their proprietary application, the Cardinals staff would not have been able to successfully use the legacy password from when the application was deployed in St. Louis. The Astros would also have gained the ability to log and track each individual user’s actions within the application.
  3. Review logs for anomalies on a regular basis – Most likely, the Astros were not reviewing any kind of security logs surrounding this application. If they were, they might have noticed failed login attempts into the application prior to the Cardinals’ alleged successful attempt. They also might have noticed that the application was accessed by an unknown or suspicious IP address.
  4. Leverage the use of honeypot technology – By implementing HoneyPot technology, the Astros could have deployed a fake version of this application. This could have allowed them to detect suspicious activity from within their network prior to the attackers gaining access to their confidential information. This strategy could have included leveraging MSI’s HoneyPoint Security Server to stand up a fake version of their proprietary application along with deploying a variety of fake documents within the Astros’ network. If an attacker accessed the fake application or document, the Astros would have been provided with actionable intelligence which could have allowed them to prevent the breach of one of their critical systems.
  5. Do not expose unnecessary applications or services to the internet – At this point, I do not know whether or not the Astros deployed this system within their internal network or exposed it to the internet. Either way, it’s always important to consider whether or not it is necessary to expose a system or service to the internet. Something as simple as requiring a VPN to access an application can go a long way to securing the confidential data.
  6. Leverage the use of network segmentation or IP address filtering – If the application was deployed from within the Astros internal network, was it necessary that all internal systems had access to the application? It’s always worthwhile to limit network access to a particular system or network segment as much as possible.
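The log review described in item 3 (and the "perform thorough log analysis" recommendation elsewhere on this page) can be turned into a small detection routine. The following is an added example, not code from the original post: it reads application login events in a constructed, hypothetical format, flags repeated failures from one source, a success that follows those failures, and any successful login from outside an assumed list of known office networks.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log lines in a hypothetical format (not real data).
SAMPLE_LOG = """\
2015-06-15 08:01:10 LOGIN_FAIL user=scout src=10.1.4.22
2015-06-15 08:01:14 LOGIN_OK user=scout src=10.1.4.22
2015-06-15 23:10:02 LOGIN_FAIL user=admin src=203.0.113.45
2015-06-15 23:10:09 LOGIN_FAIL user=admin src=203.0.113.45
2015-06-15 23:10:15 LOGIN_FAIL user=admin src=203.0.113.45
2015-06-15 23:10:21 LOGIN_OK user=admin src=203.0.113.45
2015-06-16 09:00:00 LOGIN_OK user=analyst src=10.1.4.30
"""

# Assumed for the example: networks the application is normally used from.
KNOWN_NETWORKS = [ip_network("10.1.4.0/24")]
FAIL_THRESHOLD = 3  # failures per (user, source) before we raise a finding

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<event>LOGIN_\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def known_source(src):
    """True when the source address falls inside an expected network."""
    addr = ip_address(src)
    return any(addr in net for net in KNOWN_NETWORKS)


def find_anomalies(log_text, threshold=FAIL_THRESHOLD):
    """Return (reason, timestamp, user, src) tuples worth a human's attention."""
    failures = defaultdict(int)  # consecutive failures per (user, src)
    findings = []
    for ev in parse(log_text.splitlines()):
        key = (ev["user"], ev["src"])
        if ev["event"] == "LOGIN_FAIL":
            failures[key] += 1
            if failures[key] == threshold:
                findings.append(("repeated_failures", ev["ts"], *key))
        elif ev["event"] == "LOGIN_OK":
            if failures[key] >= threshold:
                findings.append(("success_after_failures", ev["ts"], *key))
            if not known_source(ev["src"]):
                findings.append(("unknown_source", ev["ts"], *key))
            failures[key] = 0  # a success resets the counter
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOG):
        print(*finding)
```

Run against the sample, only the "admin" activity from 203.0.113.45 is reported; the single failure from a known office address is treated as a typo and ignored.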

Honestly, I hope these allegations aren’t true. I have fond memories of watching the Cardinals win the World Series in 2006 and 2011. I would really hate to see those victories tarnished by the actions of a few individuals. However, it’s important that we all learn a lesson from this: whether it’s your email or your favorite team’s playbook, don’t overlook the basic steps when attempting to secure confidential information.

Privacy vs. Convenience

I’ve lost track of how many useful cloud-based services I have signed up for within the last few years. I can’t picture my life without products like Uber, FancyHands and Gmail. It often surprises people to find out that these products are free or very inexpensive. If they’re giving the service away for free or at a very low cost, how can the companies make money?

Typically, a service provider is able to gain a substantial profit based on the fact that they are able to harvest your data. Imagine what an advertiser could gain just by learning information about your latest Uber ride. When using a service provider, it’s important to ask yourself, is the convenience worth the sacrifice of your privacy? While it’s possible that not all of these service providers are harvesting or selling your data, it’s worthwhile to at least consider your loss of control.

Personally, I have found that there are circumstances in which I am willing to sacrifice my privacy for a cheaper and more effective product. I feel that the convenience of being able to order a cab with the touch of a button on my phone is worth the risk of another corporation learning details about my trip. Another circumstance in which I am willing to forgo a bit of my privacy to gain a convenience would be my use of a “savings card” at my local grocery store. I have no doubt that they are tracking and analyzing my purchases. However, I have always felt that it is worthwhile to share my purchase history with the grocery store due to the discounts that they provide for using the “savings card”.

Despite the fact that I am often willing to forgo my privacy in an attempt to gain access to a service offering, there are products that I do not feel that the offered convenience warrants the loss of control over my personal information. For example, I recently looked into leveraging a service that could automatically unsubscribe me from a number of subscription emails. As annoying as those emails can be, I didn’t feel that the convenience of this service was worth letting a 3rd party parse through all of my emails.

Each time my personally identifiable information (PII) is exposed to attackers as a part of a data breach, I become more likely to voluntarily share my personal information with a 3rd party in an effort to gain a convenience. Next time you prepare to sign up for a free or discounted service, be sure to take a few extra moments to decide whether or not you are willing to expose your private information to gain access to the service. After all, there’s no such thing as a free lunch.

NanoCore RAT

It’s been discovered that a Remote Access Trojan (RAT) named NanoCore has been cracked again. These cracked copies are being heavily distributed via the deep and dark web. Due to the fact that malicious actors are now able to obtain this RAT for free, there has been a spike of observed NanoCore infections. For example, it was recently reported that the cracked copies are being leveraged in phishing attacks against energy companies. Unfortunately, we anticipate that the attempted use of this RAT will increase over the next few weeks.
However, there is some good news regarding the spread of NanoCore. First, the observed methods for deploying this malware do not seem to be very complicated. The attacks appear to be leveraging basic e-mail phishing which can be prevented by tuning spam filters and performing security awareness training with staff. Second, the attacks appear to be attempting to exploit vulnerabilities that are 2-3 years old. Your organization’s workstations should already have patches installed that will prevent the malware from being deployed. Finally, several commercial IDS/IPS systems are already able to detect this RAT. To ensure that your organization is protected, be sure to verify that your IDS/IPS/AV signatures are up to date.
We are more than happy to answer any questions that you might have about this RAT. Feel free to contact us by emailing <info> at microsolved.com

Using TigerTrax During the Pre-Negotiation Phase of an M&A

Throughout my career, I have worked for organizations that have purchased and integrated 4 companies. The acquired companies ranged from an organization with revenues of less than $3 million per year to a publicly traded company with annualized revenues of almost $1 billion. While the acquisitions all carried their own set of challenges, they remain among the highlights of my career.

Unfortunately, TigerTrax did not exist while I was working to integrate the IT systems of the aforementioned organizations. However, if it did, the entire process would have been significantly easier to manage. Our clients frequently leverage TigerTrax during each phase of the M&A process. However, I think they find the most value during the pre-negotiation phase. TigerTrax has helped our clients identify everything from an organization’s breach history to employee morale. All of this valuable intelligence can be obtained before an offer is made.

Here are a few other ways that TigerTrax is commonly used during the pre-negotiation phase of an M&A:

  • Using data obtained during a passive network assessment to help understand the security posture and technology footprint of the organization
  • Identifying whether the organization has been recently targeted by attackers or is demonstrating any indicators of compromise
  • Obtaining a list of key players associated with the company along with determining whether or not they are affiliated with any organizations or activities that could harm your company’s reputation
  • Discovering any legal, reputational, financial or operational risks associated with the prospective company

If you have any questions about how you can leverage TigerTrax to gather intelligence to help reduce the risk associated with the M&A lifecycle, feel free to contact us by emailing <info> at microsolved.com.

3 Things I Learned While Responding to Security Incidents

Unfortunately, if you work in IT long enough, you’re likely to encounter a security incident. Having experienced these incidents as a Systems Administrator and as a consultant, I felt that it would benefit others if I shared 3 things that I learned while responding to security issues.

  1. Stay calm – If you’ve noticed malicious activity on your network, your first reaction might be to panic. While time is of the essence, you don’t want stress to negatively impact your decision making. If you need to, give yourself a minute to collect your thoughts prior to proceeding with resolving the issue. Once you’re ready to start working on the problem, begin by attempting to gain an understanding of the type and severity of the attack. This information will go a long way towards mitigating the issue.
  2. Don’t be shortsighted – Whether you’re dealing with a targeted attack or a random malware infection, it’s important to consider the long term effects of your decisions. It is likely that you will receive pressure from various business units to bring systems back online as soon as possible. While it’s important that staff regains access to their applications, it could lead to larger problems down the line if that access is restored prematurely. For example, removing network connectivity or isolating affected systems is obviously going to upset some staff members due to the loss of productivity. However, it’s possible that the malware or attacks could become more widespread if the affected systems are not properly isolated.
  3. Hindsight is 20/20 – I’ve seen individuals waste time during incidents pointing fingers at other team members. I’ve also witnessed individuals procrastinate resolving the issue while they agonize over ways they could have prevented the incident from occurring. After the issue has been resolved, it’s important to have a post mortem meeting to take the proper steps to make sure that history does not repeat itself. However, those conversations can wait until the incident has been fully resolved.

I sincerely hope you don’t have to deal with any security incidents. However, if you need help resolving an issue involving a malware outbreak or targeted attack, do not hesitate to contact us for assistance.