Credential Stuffing a Thorny Problem

Every week I read about websites, companies or institutions that have had their authentication databases hacked revealing the email addresses, user names and passwords employed by their users. This happens so often that people have become inured and hardly give it a thought. But the rise in successful credential stuffing attacks shows that this is a dangerous attitude to take.

Credential stuffing is different than brute force and password spraying attacks. In a brute force attack, hackers try a large number of passwords against a specific user account hoping for a valid match. Similarly, password spraying attacks try a large number of passwords against a whole list of users hoping for the same result. In credential stuffing attacks, however, hackers try valid user name/password pairs that have been previously compromised against different services, websites or institutions.

In a perfect world, credential stuffing wouldn’t work. All of us would use a unique user name/password pair for access to each of our user accounts across the board. Unfortunately, the world and we who live in it, are far less than perfect. People almost always have a few passwords that they use for multiple accounts. And this is not merely laziness on the part of the user. It is because people become overwhelmed. Most of us have dozens if not hundreds of websites or services we need to access; some on a daily basis and some only irregularly. And we are supposed to memorize (and not write down) unique credentials for each one?! Add to that the fact that we are prompted to change many of these passwords at least several times a year and the mind boggles.

Fighting credential stuffing is difficult for people. One of the simpler methods is to use a password manager. These tools encrypt and record your passwords in a form that you can access easily. Some provide other services and even help generate new passwords. However, using a password manager adds another step to logging in and other overhead. Also, several password managers have themselves been compromised by hackers.

Multi-factor authentication is another tool that makes credential stuffing more difficult for the attacker. It is a great tool for protecting authentication and should be use by everyone in my opinion. However, there are ways around MFA as well so it is only an imperfect solution to the problem. CAPTCHA puzzles can be used to spot bots and ensure that a human is trying the credentials, but cybercriminals employ click farms to get around this mechanism.

Behavioral biometrics is one of the newer methods used to help spot and prevent credential stuffing attacks. These tools build up a picture of how individual users interact with their computers; a picture that can be as unique as a fingerprint. They also have the advantage of being invisible to the user and don’t require any action on the user’s part. Using these along with other anomaly detection tools seems like a good bet to me.

As always, I personally recommend using all three factors that can be used to identify an individual to an authentication system: something you know, something you have and something you are. Of course, this method too adds overhead and complexity to the user experience. Sigh! I think the person who comes up with an infallible method for identifying an individual to an electronic system would probably end up as rich as Bill Gates!

RTF Releases a Comprehensive Framework for Combating Ransomware

Ransomware is a modern-day offshoot of a crime that has plagued humanity for thousands of years: kidnapping for ransom. Cybercriminals simply replaced the theft of a human being with the theft of information. Both are precious, both are fragile and the destruction of either one will lead to the suffering of many. And to avoid such suffering, it is a long-proven fact that people will pay through the nose! The high probability of a payoff is the reason ransomware works.

Although ransomware has been around since at least 1989, the last few years have seen a real explosion in the problem. I have written several blogs about the growing problem of ransomware in the last year, and there is at least one group out there that is not only just as concerned about the problem as I am, they have done something about it.

The Ransomware Task Force (RTF) is an international group of more than 60 experts from organizations and disciplines that include governments, law enforcement agencies, computer security experts, researchers and academics that are backed by Microsoft, Amazon, the FBI and the UK’s National Crime Agency. Together, they have developed and recently released a considered and comprehensive framework for addressing the ransomware problem entitled Combating Ransomware. It is available for free download on the Internet.

One of the main posits of this group is that ransomware has moved past being a mere crime of financial extortion into the realm of a national security issue. Their reasoning behind this is that ransomware has “disproportionately impacted the healthcare industry during the COVID pandemic, and has shut down schools, hospitals, police stations, city governments, and U.S. military facilities. It is also a crime that funnels both private funds and tax dollars toward global criminal organizations.” I couldn’t agree more with view, especially in light of the more modern practice of exposing the “kidnapped” and deciphered information of the victims on public websites, sometime even after the ransom has been paid.

The framework begins with five high-level priority recommendations that include (paraphrased):

  1. Coordinating international diplomatic efforts to fight ransomware employing a comprehensive resourced strategy, including a carrot-and-stick approach to direct nation-states away from providing safe havens to ransomware criminals.
  2. The United States should lead the efforts by example. They should execute a sustained, whole government, intelligence driven anti-ransomware campaign coordinated by the White House.
  3. Governments should establish funds for fighting ransomware, and should require organization to consider alternatives before making payments.
  4. There should be a an internationally accepted framework to help organizations prepare for, respond to and recover from ransomware attacks.
  5. The cryptocurrency sector that enables ransomware crime should be more closely regulated.

Next, the framework dissects the ransomware problem, discussing history, threats/threat actors, impacts to society and business, cyber-insurance and ransomware, the role of cryptocurrency plays in the ransomware problem and more. This information gives the reader a broad picture of ransomware and its effects around the globe.

Next, the comprehensive framework for action is detailed. This framework is based on four basic goals:

  1. Deter ransomware attacks.
  2. Disrupt the ransomware business model.
  3. Help organizations prepare.
  4. Respond to ransomware attacks more effectively.

These basic goals are then divided into a series of objectives and action items (a total of 48 of these). The RTF Points out that these recommendations need to be wholly implemented to have any chance of being effective, and that the real challenge will come in the actual implementation of the framework. I agree with this assessment as well. Ransomware, indeed modern state-driven cybercrime in general cannot be addressed piecemeal; we all must work together in a coordinated fashion if we are ever to effectively address these ever-worsening problems.

New CISA and NIST Joint Document Helps Organization Understand and Defend Against Software Supply Chain Attacks

Although it was far from the first one, the software supply chain attack against SolarWinds was truly devastating. We are still suffering from related attacks, and no one yet knows what the full consequences of the compromise will be. Since the attack, organizations of all sorts have been scrambling to prepare themselves for similar attacks and to find ways to prevent them from affecting them. The good news for these organizations is that now there is new authoritative guidance just published to help them.

This month, the CISA and NIST released a joint paper entitled “Defending Against Software Supply Chain Attacks.” This document provides an overview of software supply chain risks and recommendations on how software customers and vendors can use the NIST Cyber Supply Chain Risk Management (C-SCRM) framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate risks.

The paper begins by explaining what the larger information and communications technology (ICT) supply chain framework is, how the software supply chain fits into it and what the six phases of the ICT Supply Chain Lifecycle are. They illustrate how vulnerabilities can creep into each phase of this life cycle and give examples of past compromises. They explain some particular reasons why software supply chain attacks are so attractive to cyber-criminals, who is most likely to be behind such attacks and some of the most common attack vectors used by these criminals.

One of the big points they make is how difficult it is for network defenders to quickly mitigate the consequences of a software supply chain attack after it has occurred. They emphasize that only by being prepared for software supply chain attacks before they occur can organizations hope to properly prevent and effectively respond to these attacks. They recommend that a formal C-SCRM approach should be employed across the organization, business and system tiers of the organization.

NIST includes a list of eight key practices for customers for establishing a C-SCRM approach which include:

  1. Integrate C-SCRM across the organization.
  2. Establish a formal C-SCRM program.
  3. Know and manage critical components and suppliers.
  1. Understand the organization’s supply chain.
  2. Closely collaborate with key suppliers.
  3. Include key suppliers in resilience and improvement activities.
  1. Assess and monitor throughout the supplier relationship.
  2. Plan for the full lifecycle.

The paper then goes into actions customers can take to prevent acquiring malicious or vulnerable software, actions customers can take to mitigate deployed malicious or vulnerable software and actions customers can take to increase resilience measures to help mitigate the impact of a successful attack. The paper then provides valuable recommendations for software vendors themselves to take in fighting this problem.

I highly recommend that organizations at risk from software supply chain attacks download this guidance and take it to heart. Only an organized, prepared and resilient information security program has any hope of helping organizations fight software supply chain attacks. Happily, instituting a proper infosec program such as described will also help you protect your organization from the other types of cyber-attacks that currently plague us.

Multi-Factor Authentication More Important Than Ever

Every week while I am reviewing the infosec news I read about more and bigger compromises of user account information. If users themselves are not falling for phishing attacks and entering their user name and passwords into bogus webpages, then their user name and passwords are being compromised when some company database gets hacked. The danger becomes much greater when we consider that most of us use just a few different passwords for all of our accounts. Savvy hackers could take advantage of this and clean you out before you even realized that your secrets had been compromised.

The easiest and most effective way that you personally can help protect yourself in this horrible online environment is to implement multi-factor authentication (MFA) for everything you access. This includes email, online banking, social media, online shopping and everything else that you can think of. And, believe me, I know what a pain it can be to always be hassling with MFA mechanisms! You often have to get a code from another device or carry a dongle with you. It takes time, and you keep having to do it over and over again. It gets old very quickly.

But wait! There are more problems involved than just the hassle of using MFA. Once you have implemented it, you also have to worry about being locked out of your account. Say for example you are trying to get a code to enter into your laptop but your phone is dead or out of range. You are left high and dry. Having at least two options for authentication can help you here.

Another thing to consider is the danger of using SMS for sending MFA authentication codes. The main weakness here is depending on the cell phone providers themselves. These providers are susceptible to the same weaknesses as the rest of us and are vulnerable to phishing, spoofing, malware and social engineering. Also, providers can be tricked into porting a phone number into a new device; a hack called SIM swapping.

There is a better alternative available in the form of authentication apps such as Google Authenticator. The advantage here is that to get a code, you are not relying on your carrier. The codes stay with the app, and hackers can’t get them even if they manage to move your number to a different phone.

Once again, you have to be careful that using MFA doesn’t cause you to be locked out of your own account. Google Authenticator provides you with a number of recovery codes when you first sign up that allow you to access your account if there is a problem. But these codes now need to be protected from hacker access. Make sure you have a good way to store these codes that hackers are not likely to be able to get at. If not, you have just lost all the security advantages you have just instituted.

Side Channel Attacks: Another Cyber-Danger to Worry About!

Governments, businesses, private organizations and people in general are doing more each year to address the dangers of cyberattacks. The big problem is, we are always playing catchup! Every time we address one vulnerability in cyber-systems, attackers come up with a fresh way to attack them. One of these vulnerabilities that is enjoying increased attention by the bad guys in recent years is side channel attacks.

In side channel attacks, attackers analyze signals or metadata or video or other kinds of emanations made by devices to deduce what users are typing or what their mouse movements are or what crypto key is being used or lots of other things. It is absolutely fascinating what can be learned by these techniques! In a recent example, a research team from Texas found that they could analyze video calls and deduce what people are typing by mapping their shoulder movements. If you were on a conference call, you might be able to use this technique to determine what people on the other end are chatting about while you talk. Quite a business advantage!

There are many types of side channel attacks, but a lot of them rely on the propensity of electromagnetic signals to propagate. People think that it is easy to stop an electromagnetic signal, but it really is not. Even though signals from keyboards, mice, power systems and the like might be very weak, they can be recovered and amplified easily if you are in the right position. Signals can also go through things like walls and windows, as evinced by cell phone signals.

IoT devices are among the juiciest vectors for side channel attacks. They almost all emit electromagnetic signals, they are connected to the Internet and they are often not properly isolated from internal computer networks. They also often use light weight cryptographic techniques and old, vulnerable operating systems. This makes these devices very tempting targets for cyber-criminals.

So how do we protect our networks and information from side channel attacks? There are many methods that can be employed. One method is stop or dampen electromagnetic signals emitted from the devices, such as by use of a Faraday cage or ultra-low power source. You can also make sure that your private and work areas are protected from peeping and eavesdropping. Another method is to use power line conditioning and filtering to help stop power-monitoring attacks. For cryptographic side channel attacks, you can blur the relationship between the information emitted and the secret data you are trying to protect. My personal advice is to keep yourself abreast of the new side channels and side channel attacks that are emerging and to react immediately and appropriately to protect yourself and your business.

Exchange Server Zero-Day Attack Sign of More to Come

Another sophisticated and widespread cyber attack just made the news last week. This attack, dubbed ProxyLogon, strings together four zero-day vulnerabilities in Microsoft Exchange Server that allow attackers to take over servers, compromise email and implant a web shell that gives them the ability to execute code on the servers from anywhere without authentication. Microsoft immediately released emergency patches for the identified vulnerabilities, tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.

These attacks, initially attributed to the China-backed group Hafnium, were first noticed in early January and reported to Microsoft on March 2. It has since been determined that multiple advanced persistent threat groups have also been using this same exploit since about the same time of the Microsoft patch release (March 2), and that hundreds of thousands of servers around the world have already been attacked.

News of the attack caused immediate panic on multiple levels of government and industry. The CISA recommended immediately patching these issues or unplugging Exchange servers until they are patched. They also recommended that all possibly affected organizations should immediately take steps to determine if their systems have already been compromised. The word everyone is using here is “immediate.”

This Exchange Server attack surely does remind me of the way the devastating supply chain attacks we are still dealing with. Here we have highly enabled, state backed hacking groups systematically identifying cyber-vulnerabilities of every type, developing a group of exploits designed to take advantage of these vulnerabilities, identifying lots of fat targets to hit and then striking all of those targets at once. That is evidently the same thing that is happening with the Exchange Server attacks. And curiously, both these attacks and the supply chain attacks exploited flaws that had been present in the code for ten years or more. What’s more, if these Exchange Server attacks follow the same program, we can expect follow up exploits to be waiting in the eaves to further exploit the vulnerabilities and the panic they fomented.

What this tells me is that we are presently in the first stages of a global cyberwar whether we recognize it or not. So far, we are just taking the hit and scrambling around playing catch up while we try to figure out how to effectively address the problem. However, the enemy does not seem to be giving us time to sort things out. What would you like to bet that another, similarly devastating attack will hit us in no more than six months from now? I would put a nice chunk of change on that bet!

Another thing that these attacks show me is that we have gotten distributed network security wrong from the very beginning. The basic code that still lies at the very core of the Internet was never designed with security in mind and is basically flawed. We adopted it anyway and by the time security problems started to manifest themselves, it was too late; the paradigm was set. Going back and revamping it will prove to be impossible. You might as well try to get Americans to drive on the left side of the road, say “ahoy” instead of “hello” when answering the telephone and to use Metric measurements rather than Standard.

So how are we going to keep our riches and information safe from the Cyber Scourge? I certainly don’t have an answer that has any chance of actually being implemented. However, I would venture to guess that whatever solutions appear in the near future, they will probably be Draconian! Time for everyone to plan on expending a bigger chunk of their resources on cyber-security.

Financial Institutions Should Start to Embrace the Zero Trust Security Model

Another consequence of the supply chain attacks of 2020 is the big push to adopt the Zero Trust security model. This security model isn’t really a new set of security controls per se; it is more a way of implementing and coordinating existing control types. Another apt name for the Zero Trust security model would be the “Paranoids’ Delight” security model. Zero Trust assumes that internal and external attackers are there, that security breaches are inevitable, and that system compromises have probably already occurred.

The National Security Agency (NSA) defines Zero Trust as “a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries. … . Zero Trust embeds comprehensive security monitoring; granular, dynamic, and risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus specifically on protecting critical assets (data) in real-time within a dynamic threat environment. This data-centric security model allows the concept of least privileged access to be applied for every access decision, where the answers to the questions of who, what, when, where, and how are critical for appropriately allowing or denying access to resources.”

Implementing Zero Trust into your security program is no easy task. It takes time, it takes resources and it takes a willingness on the part of company personnel to adopt and participate in a stricter security regimen. It means that gaining access to critical resources will be more difficult, and it means that access to nonbusiness-related resources on business networks will be curtailed. Getting buy-in for these processes will be an uphill battle at best.

The very first step in the process is knowing your entire network, including trusted partner/service provider/vendor connections and privileges. You need to be able to identify the criticality of all your network assets, how data flows, what trusts what, who has access to what resources and more. A good way to start collecting such information is by conducting a detailed Business Impact Analysis (BIA) if one is not already in placer.

Once you understand these processes, you can start defining “tuples.” A tuple is the combination of a user, device, and any other security-related contextual information to be used in making an access decision. For information in a tuple to be reliable, you must ensure explicit authentication of both the user and device. Once tuples have been constructed, you need to implement a Zero Trust decision engine. This engine examines the tuple in the access request and compares it to a pre-established security policy for the data or resources being requested. It then makes a risk-informed decision on whether to allow access and sends a log entry of that access request and decision to be part of future suspicious activity analytics. You need to do this for every access request to each sensitive resource.

This is an intimidating goal, and I’m sure that most of you don’t know how to proceed. Besides doing a thorough BIA, I also recommend starting by validating and coordinating your present information security program. Ensure that you have complete inventories of all network assets, that you have fully implemented access control, change control, configuration management, security maintenance, incident response and security monitoring practices in place.

The next step is to ensure that all of these processes work as a whole and are coordinated. People and departments need to communicate freely and without reservation. There is no room in an advanced information security program for squabbling and “rice bowl” mentality. Zero Trust will not work unless the entire organization pulls together as one.

Organizations Should Harden their Networks Against Supply Chain Attacks

Many people are a little shaky on just what a supply chain attack is. A supply chain attack occurs when a trusted vendor or service provider with access to your network is compromised by an attacker, who then uses this exposure to attack your network. This can be either through service providers that have direct access to your network, or through compromised third-party software applications that you use on your network. These kinds of vulnerabilities have been plaguing networks for years, but we’ve never seen the level and complexity of supply chain attacks we experienced last fall. And the problem is far from over; NIST expects these attacks are only likely to grow due to insufficient protection of software development and distribution channels, combined with the fact that other cyberattack paths are becoming more difficult to exploit.

So, what can you do now to get ready for more supply chain attacks? The first thing is to ensure that you have a strong vendor management program in place. You should perform due diligence when choosing and implementing service providers and software providers / applications. Review their history to see if there any past security incidents with their services or applications, review their information security program and ensure that they have strong controls in place, review results of vulnerability assessments, code reviews and penetration tests to see if problems were detected and what was done to remediate those problems, and perform these checks on a regular basis; not just once.

When dealing with software providers, look into their code development, sharing and storage practices if possible. Are they checking the integrity of their code by scanning for malware before each build is released? Do they use multifactor authentication to sign on to machines that have access to their codebase? Is access to coding projects based on least privilege / need-to-know, or does the whole development team have access? If a vendor’s code development process is strong, they should have no problem sharing this information with you. It’s important to remember that when you hire a service provider or use a developer’s code on your network, you are essentially making them an integral part of your business, just like one of your regular employees. If your private information is compromised because of a vendor security failure, the ultimate responsibility for that information compromise is on your shoulders, not theirs.

You should also ensure that you and your vendors have strong security monitoring and incident response programs in place. Logging on your network should be verbose, and enabled on all devices and programs that are capable of it. In addition, those logs need to be aggregated, parsed and examined by qualified human analysts. And if a compromise of the supply chain occurs, you should have incident response plans in place so you can react quickly and correctly. Practice the plan and be sure to incorporate lessons-learned so that improvement is constant. Doing all of these things is not the whole answer, but will give your organization a good start in dealing with supply chain security problem.

Fight Email Spoofing with DMARC

Ransomware reached an all-time high in 2020, and ransomware usually begins with phishing or spoofing emails. In fact, more than 90% of all cyber-attacks worldwide begin with a bogus email message of one type or another. One of the most common types of bogus email messages you will encounter is the spoofed email message. Spoofing emails contain a forged sender address that makes them appear to be from a colleague or legitimate business. Naturally, people are more liable to trust such a spoofed email message than even a clever alternate phishing email scam. Luckily there is a good way to fight spoofed emails at your organization and it’s called DMARC.

Domain-based message authentication, reporting and conformance (DMARC) is an email protocol that was designed to protect email domains from email spoofing. It was created by PayPal together with Google, Microsoft and Yahoo and was first published in 2012. DMARC extends two existing email authentication mechanisms: Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). It allows the administrative owner of a domain to publish a policy in their DNS records to specify which mechanism (DKIM, SPF or both) is employed when sending email from that domain, how to check the “From” field presented to end users, how the receiver should deal with failures and a reporting mechanism for actions performed under those policies.

Once the DMARC DNS entry is published, any receiving email server can authenticate the incoming email based on the instructions published by the domain owner within the DNS entry. If the email passes the authentication, it will be delivered and can be trusted. If the email fails the check, depending on the instructions held within the DMARC record the email could be delivered, quarantined or rejected. For example, one email forwarding service delivers the mail, but as “From: no-reply@<forwarding service>”.

However, even using DMARC your organization can still get spoofed. Businesses often relax their security settings to accommodate partners and third parties whose email security may not be as good as their own. It’s important to configure SPF, DKIM and DMARC with the strictest settings your organization can tolerate. It is also important to monitor and review the DMARC reports that are produced by the protocol. This allows you to see what the deliverability rate is for outbound emails, and also allows you to verify who is sending email messages using your organizations name. This can not only help you prevent spoofed emails from reaching your personnel, it helps boost your business reputation when communicating with customers and business partners.

Virtual CISOs & Small Utilities Often a Good Fit

Cybercrime has reached a new level and can certainly now be categorized as an epidemic; maybe not the same kind of epidemic as COVID-19, but sharing many of the same characteristics. Like a plague, cybercrime spreads from victim to victim, gaining traction as it goes. And also like a plague, it requires draconian efforts and plenty of resources to thwart. This can be a particular burden on smaller organizations such as utility co-ops with small IT departments and limited budgets. In this kind of threat environment, such companies need to maximize the effectiveness of every dollar they spend.

So how do you ensure that you are getting the biggest bang possible for cybersecurity buck? Well, the first thing is to have a sound cybersecurity strategy in place, one that fits your organization’s needs specifically. And for that task, you need a person with the skills of a good Chief Information Security Officer, more commonly known as a CISO. The first job of a CISO is to gain an understanding of your business environment, goals, strategies and resources. From there the CISO can work with you to construct or improve your cybersecurity program and strategy. Other tasks that CISOs regularly undertake include threat monitoring and analysis, risk and security assessment planning, risk remediation planning and incident response program oversight just to name a few.

However, CISOs are much in demand and rate high salaries. In addition, for years now, there has simply not been enough qualified CISOs out there to meet the demand. This puts smaller organizations in a real bind. If they spend the money to salary a full time CISO they are using up an inordinate amount of their security budget, thereby negating much of the benefit to be gained by the CISO’s services. Happily, the computer age has gifted us with an answer to this dilemma: the virtual CISO.

Don’t be fooled. Virtual CISOs are not a software packages or AIs. They are actual CISOs that provide services to several organizations instead of just one. They often conduct meetings and conferences with your personnel remotely, which saves the lost work time and expense entailed with traveling for in-person meetings. In addition, reputable virtual CISOs have real-world experience that has been derived by serving many differing organizations. This gives them both perspective over the current information security problem as a whole, and the specific knowledge needed to recommend various technical and operational controls that will fit your organization like a glove.