You backed it up, right?

Yes, folks…we’re back to basics here. Anyone think we’d still be talking about this in 2018? We are…

Our recent incident response work has brought this to the front of my mind. Think for just a minute about a company who has a business vs. technology conflict. They want their backups to be QUICK! So they put their backups on a NAS. Network attached storage.

Key word there – attached. Now, let’s role play that they have been hit by ransomware. They can restore their backups quickly…and now they’ve lost their backups quickly as well. How catastrophic would this be for you?

There are several things to think about when it comes to your backup strategy. First, what do you need to protect against?

  • Natural disasters. Onsite backups are convenient, but not terribly convenient if your whole building burns down. Are you in an earthquake zone? Tornadoes? Hurricanes?What kind of catastrophic happenings could you experience, and how far away do your backups have to be to be protected?
  • Risk from external attackers. Going back to our ransomeware scenario above, what’s the balance between ease of restoring backups vs. protection from harm for your organization?
  • Risk from internal attackers. We all want to trust our sysadmins. What happens if one of them is disgruntled? What safeguards are in place to protect your backups from internal threats?
  • Testing your backups. Periodically perform testing of your backups, both inside and outside of an incident response tabletop. Make sure that your backed up data really IS backed up, and restores in the manner you’d expect. This is a good time to create some baselines on the restore process, as well – what’s your time to restoration if a crisis happens?
  • Hot vs. cold disaster recovery systems. How critical is downtime to your business? If hours means millions, you should have – or seriously consider – a “hot” disaster recovery site to minimize downtime as you pivot over.

Backups are routine, and boring…and when things go well, they should be this way. Prepare yourself for the day things do NOT go well, eh?

What do you think? I’d love to hear what I’ve forgotten – reach out to lwallace@microsolved.com or @TheTokenFemale on Twitter.

Micro Podcast – Office 365

With today’s social engineering threats, every company should be evaluating the configuration and security of their Office 365 presence.
Microsoft has provided many robust feature to secure their Office 365 technology.  Many of these features are not enabled by default or they are not enabled by default or they are not enabled with the optimal settings.
For this reason, we created a podcast about potential issues and remediation strategies for Office 365, enjoy!

Sunshine on a “cloudy” day…

I recently saw an article targeted at non-profits that was a bit frightening. The statement was that small non-profits, and by extension many businesses, could benefit from the ease of deployment of cloud services. The writers presented AWS, Dropbox, DocuSign, et. al. as a great way to increase your infrastructure with very little staff.

While the writers were not wrong….they were not entirely correct, either. It’s incredibly easy and can be cost effective to use a cloud based infrastructure. However, when things go wrong, they can go REALLY wrong. In February of 2018, Fedex had a misconfigured S3 bucket that exposed a preponderance of customer data. That’s simply the first of many notable breaches that have occurred so far in 2018, and the list grows as you travel back in time. Accenture, Time Warner and Uber are a few of the big names with AWS security issues in 2017.

So, if the big guys who have a staff can’t get it right, what can you do? A few things to consider:

  • What, specifically, are you deploying to the cloud? A static website carries less business risk than an application that contains or transfers client data.
  • What are the risks associated with the cloud deployment? Type of data, does it contain PII, etc.? What is the business impact if this data were to be compromised?
  • Are there any regulatory guidelines for your industry that could affect cloud deployment of data?
  • Have you done your due diligence on cloud security in general? The Cloud Security Alliance has a lot of good resources available for best practices. Adam from MSI wrote a good article on some of the permissions issues recently, as well.
  • What resources do you have or can you leverage to make sure that your deployment is secure? If you don’t have internal resources, consider leveraging an external resource like MSI to assist.

Remember – just because you can, doesn’t always mean you should. But cloud infrastructure can be a great resource if you handle it properly.

Questions, comments? I’d love to hear from you. I can be reached at lwallace@microsolved.com, or on Twitter @TheTokenFemale.

 

I’m running out of Post-Its to write down my passwords

We all know to use non-dictionary, complex passwords for our email or online banking or online shopping accounts; whether we put that into practice is another issue. Even less in practice is, using a different password for each of our accounts; that is, never use the same password twice.

Why? The online gaming site that you logon to crush candy may not be as prudent in its security as the financial advisor site that is managing your 401K. The gaming site may store your password in cleartext in their database, or use a weak encryption algorithm. They may not be subject to regulations and policies that require them to have a regular vulnerability assessment. Using the same password for both sites will place either of your accounts vulnerable and at risk.

If a breach occurs and a site’s user data and passwords are unscrambled – as with 3.3 million users of a popular gaming site (article here) – then the hacker can try the discovered password on the user’s other accounts – email, bank, company site logon. And if the user uses the same password across the board, bingo.

You might think unlikely, improbable – how will the hacker know which website to try the discovered credentials? If the email harvested from the gaming site is myemailaddress@gmail.com, they could try the credentials to log into gmail. If the email is @mycompany.com, the hacker would look for a login portal into mycompany.com. The attacker could look for social media accounts registered with that email address. Or any other website that may have an account registered with that email address. The last estimate in 2017 is that there are over 300 million Amazon.com users. The attacker could try the discovered credentials on this popular site; if your favorite password is your birthdate – 12250000 – and you use it for all your logons, the attacker would be on an Amazon shopping spree as you read this blog.

This cross-site password use is not a security issue only through an online data breach; you may have misplaced your trust and shared your password, or entered your credentials on someone else’s computer that had a key logger or you accidentally saved your logon, or browsed the internet using an open wireless hotspot where someone was sniffing the traffic, or through any other instance that your password finds its way to the wrong eyes.

OK, so I need a different password for each different account that I have. I’m gonna need a bigger keyboard to stick all the Post-It notes with the passwords to every account I have underneath it. Or, maybe I could use a password manager.

A password manager is a database program that you can use to store information for each of your online accounts, website, username, password, security questions, etc. They are encrypted, requiring one master password to unlock its contents, all your saved passwords; “Ash nazg durbatulûk” – one ring to rule them all.

Remembering one long, strong, complex, impossible-to-brute-force-or-guess password, you can then gain access to all your other impossible to guess passwords. Almost all password managers also have a feature to generate random, complex passwords that you can use for each of your accounts.

There are many password managers out there, some commercial paid-for programs, some free open-source, with varying features. Some store your data in the cloud, some fill-in the login form automatically in the browser with your account credentials, some you can copy and paste the credentials from the program and the data in the clipboard is erased after a specified time period… You should choose a password manager that is both secure and usable.

Secure in that the encryption used to store the saved credentials and data is impossible to crack. Research what level of encryption your organization requires data to be stored with. When using the password manager, is the data self contained or is it exposed or available for use to other programs, and how. Does the password manager program run in secure memory space or written to a pagefile or swap memory that can be dumped by an attacker.

The password manager should be usable so that the user will be more likely to use it on a daily basis. If it slows down the user too much, it will be ignored and old habits die hard, the user will revert to poor password use behaviors.

An example real-world use of a password manager: Desktop and mobile versions of an open-source password manager can be installed on the Mac, Windows, Linux, Android and iOS operating systems with the one database file containing the credentials data saved in a cloud service. The user can access, view and edit the credentials from any of the devices with the installed program.

Password managers can be an an essential tool in securing your credentials. Do your research; research specifications, read reviews, compare functionality and usability. Also look up which managers have had bugs or vulnerabilities, how quick were the patches released, how was the vendor’s response to the flaws.

Using the same password for even only 2 websites should be a no-no. And forget trying to remember unique passwords to over 20 online accounts (recent research found the average US user has 130 online accounts). Plus, many sites force you to change passwords (rightfully so) on a regular basis. What is my current password to xyz.com that I last logged on 18 months ago?

Password managers can help you use a unique, strong password for each account. A data breach at one website (which seems to be reported on a weekly basis now) should not force you to change your password for any other websites. But protect that ONE master password. It is the one ring that rules them all.

Resources:
https://expandedramblings.com/index.php/amazon-statistics/
https://blog.dashlane.com/infographic-online-overload-its-worse-than-you-thought/

Enter the game master….disaster recovery tabletops!

I snagged this line from the most excellent Lesley Carhart the other day, and it’s been resonating every since.

“You put your important stuff in a fire safe, have fire drills, maintain fire insurance, and install smoke detectors even though your building doesn’t burn down every year.”

When’s the last time you got out your business continuity/disaster recovery plan, dusted it off, and actually READ it? You have one, so you can check that compliance box…but is it a living document?

It should be.

All of the box checking in the world isn’t going to help you if Step #2 of the plan says to notify Fred in Operations…and Fred retired in 2011. Step #3 is to contact Jason in Physical Security to discuss placement of security resources…and Jason has changed his cell phone number three times since your document was written.

I’ve also seen a disaster recovery plan, fairly recently, that discussed the retrieval and handling of some backup….floppy disks. That’s current and up-do-date?

Now, I am an active tabletop gamer. Once a week I get together with like-minded people to roll the dice and play various board games.

For checking the validity of your disaster recovery plan there is an excellent analog to the tabletop gaming world:

Tabletop DR exercises!

Get BACK here….I see you in the third row, trying to sneak out. I’ll admit, I LOVE doing tabletops. Hello? I get to play game master, throw in all kinds of random real life events, and help people in the process – that’s the trifecta of awesome, right there. If it’s a really good day, I get to use dice, as well!

The bare minimum requirements for an effective tabletop:

  • A copy of  your most recent DR/BC plan
  • Your staff – preferably cooperative. Buy ’em a pizza or three, will you? The good kind. Not the cheap ones.
  • An observer. This person’s job is to review your plan in advance, and observe the tabletop exercise while taking notes. They will note WHAT happens, and what actions your team takes during the exercise. This role is silent, but detail oriented.
  • And the game master. The game master will present the scenario to the team. They will interact with the team during the exercise, and will also be the one who generates the random events that may throw the plan off track. It’s always shocking to me how many people would rather be the observer….to me, game master is where the fun is.

Your scenario, and the random event happenings, should fit your business. I tend to collect these for fun….and class them accordingly. A random happening where all credit card processing is doubling due to an error in the point of sale process is perfect for a retail establishment…but an attorney’s office is going to look at me like I have three heads.

Once the exercise is over, the game master and observer should go over all notes, and generate a report. What did the team do well, what fell off track, what updates does the plan need, and what is missing from the plan entirely?

Get the team together again. Buy ’em donuts – again, the good ones. Good coffee. Or lunch. Never underestimate the power of decent food on technical resources.

Try to start on a high note, and end on a high note. Make plans, as you review – what are the action items, and who owns them? When and how will the updates be done? When will you reconvene to review the updates and make sure they’re clear and correct?

Do this, do it regularly, and do NOT punish for the outcome. It’s an exercise in improvement, always…not something that your staff should dread.

Have a great DR exercise story? Have a REALLY great random event for my collection? I’d love to hear it – reach out. I’m on Twitter @TheTokenFemale, or lwallace@microsolved.com

The hotel wifi is encrypted, it’s all good…No?

One of the modern amenities we always look for when booking a hotel room is that it has wifi. However, there are considerations and issues.

When using the hotel wireless network, you are a part of a network with many hundreds of other hotel guests. Innocent and anonymous, family, corporate, hotel guests. And possibly hackers and generally anyone up to no good. They could potentially snoop and view your unencrypted browsing activity. They could scan your laptop and leverage an existing vulnerability.

Traveling from one hotel to another, it can be tedious to enter the hotel wifi passcode to your 10 wireless devices to get connected each time you book into a new hotel (your devices, your spouse’s, your kids’).

You may think the hotel wifi is encrypted because you had to enter a passcode to get connected, but that is not necessarily true. The wireless network may simply require you to login using your room number and last name in order to be authorized to get connected, but that does not necessarily mean the connection is encrypted.

You could use a VPN to encrypt all your internet activity, but you still have to set up all your devices to connect to the hotel wifi first. And you need to have a VPN subscription/setup.

So, how can we secure our wireless connectivity to the hotel wireless network a little bit more?

One of the easiest solutions is to use a travel router. They range in cost from $30 to several hundred. They could be as small as a matchbox or a pack of cards. They could have all the features of a home router, and more. They can be setup as a router, a bridge, a wireless repeater, an access point, a firewall; some even have a SIM card slot so that you can connect to a cellular network and have multiple devices share the internet connection. Others can be setup as a file server or even have a battery, so it can be a free-standing device with no cable attachments.

On a recent multi city trip, I brought along one of these – a RAVPower FileHub Plus, reviewed in this article. I’d set it up before traveling into bridge mode, with my own non-broadcasting SSID with WPA2 encryption. I connected my laptop, phone and tablet to it, and saved the wireless connection details on each device.

After checking into each hotel, I’d connect my laptop or tablet to the router device, and setup its WAN connection – if I connect the device to the hotel room Ethernet, then there’s no need for this step. Otherwise, I would setup the device to connect its WAN to the hotel wireless. Then immediately, all my other devices would have internet connectivity, through my own router, encrypted.

If the hotel wireless network requires a login first, like you have to enter your room number and name, you would do that once, from a browser on any of the devices, then all the other devices would immediately have internet access. Easy. Secured. (Well, as secure as WPA2 can be.)

Connecting to a hotel wireless connection has some considerations – it may not be encrypted and you are connecting to a network where your device is easily visible to all several hundred others. Take some simple precautionary steps to create an additional layer of security around your devices.

Be safe…

Phishing URLs

How many of us inspect a link before we actually click on it? Be honest now, how many hover your mouse over the link and identify the destination in the status bar or popup, before you actually click? If the link is from a trusted site, say in the middle of a CNN article, very likely you don’t. If it’s a link in an email from your colleague, maybe. And even then, how closely do you look?

In many of MicroSolved’s social engineering exercises, alright, authorized phishing campaigns, creating fake links that appear valid is a tried and true method. To make an email look like it’s from John Glenn, a very familiar name recognized as an American hero, it takes 2 minutes to create an email address JohnGlemn@gmail.com. Or BilllyCrystal@gmail.com. Alright, how many of you actually caught the 3 lower case L’s in Billly? And the misspelling of Glemn in the email address?

Same thing with domains. Not to pick on this domain but why is MICRPSOFT.COM registered? Don’t browse to that domain, it gets forwarded to a suspicious link – which proves the point. An internet search for the string “MICRPSOFT” comes up with nothing for that string, all results are for “MICROSOFT.”

It’s a common technique referred to as URL hijacking or Typosquatting. It counts on the user not paying attention to what they’re typing into the browser address bar. Or it counts on the user not noticing the misspelling even if they were hovering the mouse over a link before they clicked.

Many of you have heard of the Equifax breach earlier this year. They registered and set up a domain for the public – equifaxsecurity2017.com. At this site, you could get more information, as well as enter your SSN (last few digits) to find out if your personal data had been part of the breach. However, a security professional registered securityequifax2017.com – and many legitimate sites actually directed traffic to this fake domain instead. Fortunately, it wasn’t anyone malicious, but someone who wanted to prove the point – and did – that these domain names can easily be abused. Equifax itself tweeted the fake domain, thinking it was their own.

So what are we to do? It’s easy to say, just be vigilant, be cautious, be on the lookout. There are tools, browser plugins, background running processes that can check links or clicks. But here’s an anecdote on relying on an “automated” tool that does things for us. I was pulled over at dusk couple weeks ago (wasn’t night yet, could still see the setting sun), driving my wife’s car that did NOT have daytime running lights. My car does. I have so heavily relied on this automated feature that when I was in a different environment that did not have it, I forgot to check the basics – it’s getting dark, are my lights on? Incidentally, the officer just gave me a warning.

Recommendation is, be vigilant, be cautious, be on the lookout. Check those links or email addresses. Check the spelling. Type in the link instead of clicking on it. Copy the link and paste it into the browser address bar, and verify before pressing Enter to navigate to it.

It’s a jungle out there. Be safe…

Time Warner – 320,000 passwords compromised

Knock knock! Who’s there? The FBI….

This is never the way you’d like your day to play out. Last week, Time Warner was notified by the FBI that a cache of stolen credentials that appear to belong to Time Warner customers had been discovered.

At this point, the origination of the usernames and passwords is a bit of a mystery. Time Warner states: 

“We have not yet determined how the information was obtained, but there are no indications that TWC’s systems were breached.

The emails and passwords were likely previously stolen either through malware downloaded during phishing attacks or indirectly through data breaches of other companies that stored TWC customer information, including email addresses.

For those customers whose account information was stolen, we are contacting them individually to make them aware and to help them reset their passwords.”

Time Warner customers who have not yet been contacted should still consider changing their  passwords – there is no indication at this point if this is new or previously compromised password data, and a new password is never a bad idea.

Please share with anyone who is using Time Warner systems – friends, co-workers, weird relatives and neighbors as well. Remember that any password that is used twice isn’t a safe password – unique passwords are always the best practice. Password managers (LastPass, KeePass, etc.) are often a good idea to help maintain unique, difficult to decipher passwords.

GRUB2 Authentication Bypass Vulnerability

A vulnerability has been discovered in the GRUB2 boot loader that affects versions dating back to 2009. GRUB2 is the default boot loader for a variety of popular Linux distributions including Ubuntu, Red Hat and Debian. The vulnerability can be exploited by pressing the backspace button 28 times when the boot loader asks for your username. This sequence of keys places the user into a “rescue shell”. An attacker could leverage this shell to access confidential data or install persistent malware.

It’s worth noting that the vulnerability requires access to the system’s console. Even if your organization has proper physical security controls in place, this issue should still be addressed as soon as possible. Ubuntu, RedHat and Debian have already released patches for this vulnerability.

We’re not a target

One of the most frustrating phrases I’ve heard as an IT professional is, “We’re not a target.”

Using HoneyPoint, I have created “fake companies” and observed how they are attacked. These companies appear to have social media profiles, web pages, email servers and all of the infrastructure you would expect to find within their industry. The companies are in a variety of verticals including but not limited to Financial, Energy, Manufacturing and after analyzing the data collected during this process, I can definitively state that if your company has an internet connection, you’re being targeted by attackers.

Within hours of creating a HoneyPoint company, we typically begin to see low-level attacks against common services. These often involve brute-force attacks against SSH or Telnet. Regardless of the fake company’s industry, we’ve noticed that more complicated attacks begin within days of exposing the services and applications to the internet. These have ranged from the attackers attempting to use complicated exploits to the installation of malware.

During our “fake companies” testing, we even “accidentally” exposed critical services such as MSSQL and LDAP to the internet. The attackers were always vigilant, they often attempted to take advantage of these exposures within hours of the change taking place. One of my favorite moments that occurred during this test was watching how quickly attackers started to use an exploit after it was released. In some cases, we noticed the exploit being used within hours of it becoming public. These are both great examples of why it’s worthwhile to have 3rd parties review your infrastructure for vulnerabilities or misconfigurations on a regular basis.

Even if you don’t think your company has anything to “steal”, you still need to take measures to protect your systems. You might not be protecting PHI or Social Security Numbers but you can’t underestimate the bad guys desire to make money. Even if attackers don’t find any data worth stealing, they’ll always find a way to profit from the exploitation of a system. A great example of this occurred last year when it was discovered that attackers were hacking SANs to install software to mine for cryptocurrency. It’s even been reported that attackers are exploiting MySQL servers just to launch Distributed Denial of Service (DDoS) attacks. So, even if your bare metal is worth more than the data it hosts, it doesn’t mean that attackers won’t attempt to use it to their advantage.