Keeping Track of Your Attack Surfaces

In the modern, digitally connected realm, the phrase “out of sight, out of mind” could have calamitous implications for organizations. As cyber adversaries incessantly evolve in their nefarious techniques, staying ahead in the cybersecurity arms race is imperative. One robust strategy that has emerged on the horizon is Continuous Threat Exposure Management (CTEM) programs. These programs are pivotal in enabling organizations to meticulously understand and manage their attack surface, thus forming a resilient shield against malicious onslaughts such as ransomware attacks.

A deeper dive into CTEM unveils its essence: it’s an ongoing vigilance protocol rather than a one-off checklist. CTEM programs provide a lucid view of the potential vulnerabilities and exposures that adversaries could exploit by continuously scanning, analyzing, and evaluating the organization’s digital footprint. This proactive approach transcends the conventional reactive models, paving the way for a fortified cybersecurity posture.

Linking the dots between CTEM and ransomware mitigation reveals a compelling narrative. Ransomware attacks have metamorphosed into a menace that spares no industry. The grim repercussions of these attacks underscore the urgency for proactive threat management. As elucidated in our previous blog post on preventing and mitigating ransomware attacks, a proactive stance is worth its weight in digital gold. Continuous Threat Exposure Management acts as a linchpin in this endeavor by offering a dynamic, real-time insight into the organization’s attack surface, enabling timely identification and remediation of vulnerabilities.

MicroSolved (MSI) stands at the forefront in championing the cause of proactive cybersecurity through its avant-garde CTEM solutions. Our offerings are meticulously crafted to provide a panoramic view of your attack surface, ensuring no stone is left unturned in identifying and mitigating potential threats. The amalgamation of cutting-edge technology with seasoned expertise empowers organizations to stay several strides ahead of cyber adversaries.

As cyber threats loom larger, embracing Continuous Threat Exposure Management is not just an option but a quintessential necessity. The journey towards a robust cybersecurity posture begins with a single step: understanding your attack surface through a lens of continuous vigilance.

We invite you to contact MicroSolved (MSI) to explore how our CTEM solutions can be the cornerstone in your quest for cyber resilience. Our adept team is poised to guide you through a tailored roadmap that aligns with your unique organizational needs and objectives. The digital realm is fraught with peril, but with MicroSolved by your side, you can navigate through it with confidence and assurance.

Contact us today and embark on a journey towards transcending the conventional boundaries of cybersecurity, ensuring a safe and secure digital sojourn for your organization.

* Just to let you know, we used some AI tools to gather the information for this article, and we polished it up with Grammarly to make sure it reads just right!

FAQ for Enterprise Authentication Inventory

Q: What is authentication inventory?

A: Authentication inventory is the process of identifying and documenting all of the systems and applications that require remote access within an organization, as well as the types of authentication used for each system and any additional security measures or policies related to remote access.

Q: Why is authentication inventory important?

A: Authentication inventory is important because it helps organizations protect themselves from credential stuffing and phishing attacks. By having a complete and accurate inventory of all points of authentication, organizations can ensure that the right security protocols are in place and that any suspicious activity related to authentication can be quickly identified and addressed.

Q: What steps should I take to properly inventory and secure my authentication points?

A: To properly inventory and secure your authentication points, you should: 1) Identify the different types of authentication used by the organization for remote access; 2) List all of the systems and applications that require remote access; 3) Document the type of authentication used for each system/application and any additional security measures or policies related to remote access; 4) Check with user groups to ensure that they use secure authentication methods and follow security policies when accessing systems/applications remotely; 5) Monitor access logs for signs of unauthorized access attempts or suspicious activity related to remote access authentication; 6) Regularly review and update existing remote access authentication processes as necessary to ensure accurate data.

All About FINRA Risk Assessments

FINRA (Financial Industry Regulatory Authority) requires an enterprise risk assessment once per year for all member firms. This risk assessment should be completed using the NIST Cyber-Security Framework, if appropriate for the size of the organization. At MSI, we fully embrace the NIST framework and use it routinely for our approach to information security and risk management.

Who Performs the FINRA Risk Assessment?

The FINRA requirements for risk assessment include that it be completed by independent third-party assessors, if possible, or otherwise by internal information security experts (if qualified and available). MSI’s approach is to work WITH our client’s internal team members, including them in the process, and leveraging their deep knowledge of the firm’s operations, while still maintaining our independence. In our experience, this provides the best return on investment for the risk assessment, and allows granular analysis without draining critical internal client resources.

What Analysis Does the FINRA Risk Assessment Require?

Each FINRA risk assessment should include an inventory of all critical data, PII and other sensitive information. Then, each asset should be reviewed for its impact on the business and identification of relevant controls, risks, mitigations and residual risks should occur. This process requires deeper knowledge of cyber security than most firms are comfortable with, and the experience and attention to detail of the assessor can make or break the value of the assessment.

Is the FINRA Risk Assessment Affordable?

Since the workload of a risk assessment varies greatly based on the size and complexity of the organization being assessed, smaller firms are naturally more affordable than larger firms. Risk assessments are affordable for nearly every firm today, and the work plans can be easily customized to fit even the tightest of budgets. In addition, when working with experienced and knowledgable assessors, the cost can be even lower and the results even more valuable. At MSI, our assessment team has more than 15 years of experience, across a wide variety of size, type and operational styles of client firms. You won’t find any “on the job training” here, our experts are among the best and most recognized in the world. We are excellent at what we do, and we can help your firm get the best ROI on a risk assessment in the industry.

How Do I Get Started on a FINRA Risk Assessment from MSI?

Simply drop us a line via this web form, or give us a call at (614) 351-1237 to arrange for a free, no hassle call with our team. We’ll explain how our process works, gather some basic information and provide you with a proposal. We’d love the chance to talk with you, and be of service to your firm. At MSI, we build long-term client relationships and we truly want to partner to help your firm be more successful, safer and manage the risks of the online world more easily. Give us a call today! 

Network Segmentation with MachineTruth

network segmentation with MachineTruth

About MachineTruthTM

We’ve just released a white paper on the topic of leveraging MachineTruth™, our proprietary network and device analytics platform, to segment or separate network environments.

Why Network Segmentation?

The paper covers the reasons to consider network segmentation, including the various drivers across clients and industries that we’ve worked with to date. It also includes a sample work flow to guide you through the process of performing segmentation with an analytics and modeling-focused solution, as opposed to the traditional plug and pray method, many organizations are using today.

Lastly, the paper covers how MachineTruthTM is different than traditional approaches and what you can expect from such a work plan.

To find out more:

If you’re considering network segmentation, analysis, inventory or mapping, then MachineTruthTM is likely a good fit for your organization. Download the white paper today and learn more about how to make segmentation easier, safer, faster and more affordable than ever before!

Interested? Download the paper here:

https://signup.microsolved.com/machinetruth-segmentation-wp/

As always, thanks for reading and we look forward to working with you. If you have any questions, please drop us a line (info@microsolved.com) or give us a call (614-351-1237) to learn more.

MachineTruth As a Validation of Segmentation/Enclaving

If you haven’t heard about our MachineTruth™ offering yet, check it out here. It is a fantastic way for organizations to perform offline asset discovery, network mapping and architecture reviews. We also are using it heavily in our work with ICS/SCADA organizations to segment/enclave their networks.

Recently, one of our clients approached us with some ideas about using MachineTruth to PROVE that they had segmented their network. They wanted to reduce the impacts of several pieces of compliance regulation (CIP/PCI/etc.) and be able to prove that they had successfully implemented segmentation to their auditors.

The project is moving forward and we have discussed this use case with several other organizations to date. If you would like to talk with us about it, and learn more about MachineTruth and our new bleeding edge capabilities, give us a call at 614-351-1237 or drop us a line via info <at> microsolved <dot> com.  

Windows Server 2003 – End of Life

Windows Server 2003 has officially reached it’s end-of-life date. Does this mean that all of your Windows Server 2003 servers will be hacked on July 16th? Probably not. However, it is worthwhile to ensure that your organization has a plan in place to migrate all of your applications and services off of this legacy operating system. This is especially true if you have any Windows Server 2003 systems that are exposed to the internet. It is only a matter of time until a new vulnerability is discovered that affects this operating system.

As a former Windows Systems Administrator, I understand how difficult it can be to convince an application owner to invest the time and resources into migrating a system or service to a new operating system. Despite the fact that these systems have a heightened risk of being compromised, it’s very possible that your organization doesn’t have the financial resources to migrate your applications and services to a new operating system. You’re not alone. I found over 1.3 million servers running IIS 6.0 in Shodan. Over 688,000 of these servers are in the United States. However, there are still ways to reduce the risk of hosting these legacy operating systems until a migration plan is put into place.

A few ways to reduce the risk of hosting an application on a legacy operating system are:

  • Discover and document – You can’t protect a system if you don’t know it exists. Take some time to identify and document all of the legacy and unsupported operating systems in your network.
  • Learn about the application – Take some time to learn some details about the application. Is it still even being accessed? Who uses it? Why is it still hosted on an unsupported operating system? Are there other options available?
  • Educate the business users – If financial resources are an issue, take some time to explain the risks of hosting this application to the business users. Once they gain an understanding of the risk associated with hosting their application on a legacy OS, they can help secure funding to ensure that the application is upgraded.
  • Isolate – Segmenting the legacy system can reduce the risk that it is accessed by an attacker. It also can decrease the likelihood that a compromise of the legacy system will spread to other servers.
  • Update and secure – Install all available patches and updates. Not only for the operating system, but the hosted applications as well.
  • Perform thorough log analysis – Implement some sort of centralized logging platform to ensure you have the ability to detect any anomalies that occur within these systems.
  • Plan for the worst – Be prepared. Have a plan in place for responding to an incident involving these systems.

Are you hacking!? There’s no hacking in baseball!

My Dad called me earlier this week to ask if I heard about the FBI’s investigation of the St. Louis Cardinals. My initial reaction was that the investigation must be related to some sort of steroid scandal or gambling allegations. I was wrong. The Cardinals are being investigated for allegedly hacking into the network of a rival team to steal confidential information. Could the same team that my Grandparents took me to see play as a kid really be responsible for this crime?

After I had time to read a few articles about the alleged hack, I called my Dad back. He immediately asked me if the Astros could have prevented it. From what I have read, this issue could have been prevented (or at least detected) by implementing a few basic information security controls around the Astros’ proprietary application. Unfortunately, it appears the attack was not discovered until confidential information was leaked onto a pastebin site.

The aforementioned controls include but are not limited to:

  1. Change passwords on a regular basis – It has been alleged that Astros system was accessed by using the same password that was used when a similar system was deployed within the St. Louis Cardinals’ network. Passwords should be changed on a regular basis.
  2. Do not share passwords between individuals – Despite the fact that creating separate usernames and passwords for each individual with access to a system can be inconvenient, it reduces a lot of risk associated with deploying an application. For example, if each member of the Astros front office was required to have a separate password to their proprietary application, the Cardinals staff would not have been able to successfully use the legacy password from when the application was deployed in St. Louis. The Astros would also have gained the ability to log and track each individual user’s actions within the application.
  3. Review logs for anomalies on a regular basis – Most likely, the Astros were not reviewing any kind of security logs surrounding this application. If they were, they might have noticed failed login attempts into the application prior to the Cardinals’ alleged successful attempt. They also might have noticed that the application was accessed by an unknown or suspicious IP address.
  4. Leverage the use of honeypot technology – By implementing HoneyPot technology, the Astros could have deployed a fake version of this application. This could have allowed them to detect suspicious activity from within their network prior to the attackers gaining access to their confidential information. This strategy could have included leveraging MSI’s HoneyPoint Security Server to stand up a fake version of their proprietary application along with deploying a variety of fake documents within the Astros’ network. If an attacker accessed the fake application or document, the Astros would have been provided with actionable intelligence which could have allowed them to prevent the breach of one of their critical systems.
  5. Do not expose unnecessary applications or services to the internet – At this point, I do not know whether or not the Astros deployed this system within their internal network or exposed it to the internet. Either way, it’s always important to consider whether or not it is necessary to expose a system or service to the internet. Something as simple as requiring a VPN to access an application can go a long way to securing the confidential data.
  6. Leverage the use of network segmentation or IP address filtering – If the application was deployed from within the Astros internal network, was it necessary that all internal systems had access to the application? It’s always worthwhile to limit network access to a particular system or network segment as much as possible.

Honestly, I hope these allegations aren’t true. I have fond memories of watching the Cardinals win the World Series in 2006 and 2011. I would really hate to see those victories tarnished by the actions of a few individuals. However, it’s important that we all learn a lesson from this..whether it’s your email or favorite team’s playbook…don’t overlook the basic steps when attempting to secure confidential information.

HoneyPoint as a Tool for Device Inventory

Another clever use for HoneyPoint™ Agent, running on a Linux system without SMB components, is to have the system listen on the Windows SMB ports (135-139 & 445). The HoneyPoint will then inventory the Windows machines and other SMB speaking tools that attempt to contact it. Since this traffic is pretty routine, it will serve as an inventory mechanism for these types of systems on the local collision domain, or other “same-as-on-the-LAN” segments.

Running HoneyPoint in this fashion has been very useful to several of our ICS customers and has allowed them a quick, and most importantly, passive way to identify hosts on the same segment. No probes or scans needed! 

Give us a call today at (614) 351-1237 or email us at info@microsolved.com if you want to discuss how HoneyPoint might be used in your environment. We look forward to talking with you, and as always, thanks for reading! 

MSI Launches TigerTrax Network Discovery, Mapping & Analysis Service

We are proud to announce the immediate availability of an entirely new service offering in our security tool kit, made possible by TigerTrax™.

This service offering leverages the power of MSI’s proprietary TigerTrax analytics platform to parse, correlate and visualize the configurations (and packet logs (if desired)) from the routers, switches and firewalls of your network “en masse”. 

Our security and analytics teams then create detailed maps of the network as seen from the eyes of the machines, document the various network segments and their relationships, build a hierarchy of powerful machines and segments, identify hardening techniques that could help your organization better secure your network and provide insights into the gap between your organization’s “common wisdom” versus the real environment.

We can even teach “Close The Gap” sessions to help re-align your team’s “common wisdom” with “machine truth” and to help socialize the new knowledge to other groups.

How it works:

  • The client delivers the configuration and log files as needed for the service. MSI can assist with this step, if needed, at an additional hourly consulting fee.
  • The offering uses TigerTrax to perform automated analysis of the configuration and log files as needed – holistically, systemically and “en masse”. 
  • Various data points are delivered to the analysts and security team who then create the documentation, maps and reports. Visualized data is also generated using the TigerTrax platform where appropriate.
  • Any professional services, such as interviews/questionnaires, gap analysis and training are provided by MSI team members using our proprietary delivery methodologies.
  • Completely passive, offline analysis is perfect for critical networks.
Three different levels of service are available, as is single – one time engagements (perfect for M&A activities, and new IT management) or ongoing subscriptions that allow organizations to track changes and maintain knowledge over time. The highest level of service also includes 30 days worth of packet analytics to identify overtly compromised hosts and to determine “normal operating conditions”, which is often quite useful for incident response activities in the future.
 
Give is a call today at (614) 351-1237 or email us at info@microsolved.com to start a conversation about how we can help you know the truth about your network!