Video: Auditing Authentication Mechanisms

Here’s a quick video walkthrough of the presentation around auditing authentication mechanisms. 

We are getting some great feedback on this one, and people are rising to the challenge of doing audits for their organizations. Many folks are finding some quite unexpected results! 

Let me know on Twitter (@lbhuston) what you discover! 


As always, thanks for reading and watching! 

Processes and Benefits of Conducting a CIS Controls Assessment

In my last paper I went over the reasons why conducting a Center for Internet Security (CIS) controls assessment is a good way to build a roadmap for establishing a solid information security program at your organization. This week I’m going to discuss how a CIS controls assessment is conducted, the control categories that make up the current CIS Critical Security Controls (version 8) and the results that you can expect to get from the assessment.

The first step in conducting a CIS controls assessment is determining which CIS implementation group (IG1, IG2 or IG3) your organization should aspire to achieve. For simple organizations that do not have a complex network, and that do not hold sensitive private or regulated data, IG1 may be appropriate. However, for most commercial businesses, implementation groups IG2 and IG3 are recommended. These higher levels of controls offer higher safeguards for private/regulated data and help the organization resist focused cyber-attacks such as ransomware. At this time, the organization also determines the amount of time they wish to allow for reaching their aspirational security goals. This can vary from one organization to the next, but a typical time frame for full implementation is three years.

The next step in the process involves interviewing knowledgeable persons in the organization in order to compare the CIS V8 controls to your current information security measures. The interviewer will question your personnel about each security control and rate your organization’s compliance as:

  • Steady-state operational: these are controls that are already being used by the organization and that are included in written policies and procedures. To assure that these controls are in place, the assessor will ask for proofs such as screen shots or records.
  • Ad-hoc: these are controls that the organization does employ at least somewhat, but that are not documented or applied systematically.
  • Non-existent: these, obviously, are controls that the organization does not employ at all.
  • Non-applicable: these are controls that are recommended by the standard, but do not apply to the technology stack or processes that are in use in the organization.

This interview process will probably take 2 or more sessions to complete as there are currently 18 control categories in version 8 of the controls. These include:

  1. Inventory and control of enterprise assets
  2. Inventory and control of software assets
  3. Data protection
  4. Secure configuration of enterprise assets and software
  5. Account management
  6. Access control management
  7. Continuous vulnerability management
  8. Audit log management
  9. Email and web browser protections
  10. Malware defenses
  11. Data recovery
  12. Network infrastructure management
  13. Network monitoring and defense
  14. Security awareness and skills training
  15. Service provider management
  16. Application software security
  17. Incident response management
  18. Penetration testing

In the next step of the process, the assessors will perform written gap analyses of both the baseline security controls (IG1) and the aspirational security controls (IG2 & IG3). These gap analyses will detail percentages of controls that are compliant, ad-hoc, non-existent and NA, and detail the levels of risk that these gaps pose to the organization.

Finally, the assessors will document a detailed roadmap for closing the gaps found during the assessment and meeting the control goals of the organization. This roadmap is typically split into several phases. With a three-year overall timeframe for achieving aspirational goals, these phases will include immediate goals (3-6 months), short-term goals, (6-12 months), intermediate goals (13-24 months) and long-term goals (25-36 months).

These roadmaps are quite detailed. They list the recommended controls to be implemented during each time period. They also list the estimated technical complexity, political complexity and financial cost of implementing each control rated as high, medium or low. Other implementation guidance is also listed for each control as necessary.

As can be seen from this overview, conducting a CIS security controls assessment will provide your organization with a clear understanding of where you are now, where you need to be in the future and what you need to do to reach your security goals. This will bring an end to much of the confusion and frustration entailed in implementing an information security program. It will also give your organization the comfort of knowing that you are working with cutting edge information security controls that give you the most bang for your buck!

Need an Information Security Program? A CIS Controls Assessment is a Good Way to Start!

No matter what size business or organization you have, in today’s world, the ever-increasing cyber-menace we face affects all of us. To keep our heads above water, all concerns need to have at least a basic documented and monitored information security program in place. For small and medium concerns, how to accomplish this necessary task without breaking the bank can be a truly frustrating and confusing task to undertake.

For one thing, your concern has different information security needs depending on what type of organization you have. Is your network simple or complex? Do you hold or process regulated data such as personal private information, personal health information or financial information? Could compromise of your organization provide a portal for cyber-attackers to gain access to other organizations?

Another point of confusion is provided by the disparate security service organizations, security devices and security applications that are available. How do you know which of these you may need, and how do you pick between the varying offerings? What is the learning curve involved, and will you need extra personnel to handle the increased load? These are all questions that can be very difficult to get a handle on let alone answer decisively.

To help cut the confusion and avoid unnecessary frustration, it seems to me what is needed is a clear path to follow to your security goal. That means finding out where you are now, constructing a roadmap of what needs accomplishing and building a timeline for reaching each step in the process. This is where a Center for Internet Security (CIS) Critical Security Controls assessment comes into play.

The CIS was formed in 2000 with the goal of “making the connected world a safer place by developing, validating, and promoting timely best practice solutions that help people, businesses, and governments protect themselves against pervasive cyber threats.” To accomplish this goal, they publish a list of the most effective security controls available, which are arrived at through a consensus decision-making process of the cybersecurity community. These controls are constantly under scrutiny and are updated regularly. Currently, the CIS Security Controls are in version 8. In this version there are 18 safeguard categories, each with a varying number of individual information security controls to be implemented. These controls are further divided into three implementation groups (IG1, IG2 and IG3).

IG1 controls are those that provide “the basic cyber security hygiene that all organizations, regardless of size, complexity, and regulatory requirements should meet to resist basic attacks and breaches.”

IG2 controls are those at “the maturity level which is designed for distributed organizations with multiple sites, networks, and complex data structures but without regulatory concerns and a significant amount of sensitive data to protect…”

IG3Controls are at “the highest level of maturity, designed for complex environments with access to significant amounts of sensitive data who need to resist focused, well-resourced attacks.”

There are two basic factors that makes this type of information security controls paradigm most suitable for roadmapping the security needs of disparate organizations: The first factor is the effectiveness of the controls, especially when employed as a group. These are the controls that do the job and give your organization the most bang for your buck. The second factor is the granularity of the controls. The three implementation groups allow your concern to plan and implement your information security program in easy bites over a reasonable period of time.

In addition, knowing what you need to accomplish over a period of time allows your organization to choose how you want to implement your program with the end game in sight. This allows you to choose security service providers, devices and application wisely, avoiding unnecessary duplication and waste of resources. The fewer the number of these types of security assets you have, the easier they are to update and protect. This is in addition to the money savings you will incur.

In my next blog, I will describe what a CIS controls assessment entails and the different control categories that are included.

FAQ for the End of SMS Authentication

Q: What is the end of SMS authentication?

A: SMS authentication verifies user identity by sending a one-time code via text message to a user’s mobile phone number. With the rise of potential security risks, many financial websites, applications, and phone apps are phasing out SMS-based authentication and transitioning to authenticator apps that reside on user devices and smartphones.

Q: What are some of the potential security risks associated with SMS authentication?

A: Attackers have a variety of means of intercepting SMS text messages, thus defeating this type of authentication. This increases the risk of interception and misuse of the codes in question and decreases the security of the user’s account with the financial institution.

Q: What is an authenticator app?

A: An authenticator app is an application that resides in encrypted storage on the user’s device and, when prompted, provides a one-time password (“OTP”) just like the code sent in the text message. The difference is, through a variety of cryptographic techniques, once the application is set up and the settings configured, it doesn’t need to communicate with the financial platform and thus is significantly more difficult for attackers to compromise.

Q: What are the steps for organizations to switch from SMS authentication to authenticator apps?

A: Here is a quick overview of what is needed:

1. Research and decide on an authenticator app that meets your organization’s needs. Most of the time, users can select their own apps, and the firm selects the libraries needed to support them. Open source and commercial solutions abound in this space now.

2. Update user accounts in each application and authentication point with the new authentication protocol and provide instructions for downloading and setting up the authenticator app.

3. Educate users on using the authenticator app, including generating one-time passwords (OTPs), scanning QR codes, etc.

4. Monitor user feedback and usage data over time to ensure a successful switch from SMS authentication to an authenticator app.


PS – Need a process for cataloging all of your authentication points? Here you go.

Inventorying Organization Authentication Points

Are you looking for threat-proactive ways to secure your enterprise? One of the best ways to do this is by inventorying all of the points of authentication within your organization. In this blog post, we’ll discuss the steps you need to take to properly inventory and secure your Internet-facing authentication points. While you should have a complete and accurate inventory of these exposures, starting the process with a focus on critical systems is a common approach.

Inventory Process

1. Identify the different types of authentication used by the organization for remote access (e.g. passwords, two-factor authentication). If possible, use vendor data to include cloud-based critical services as well.

2. List all of the systems and applications that require remote access within the organization. External vulnerability scanning data and Shodan are both useful sources for this information.

3. For each system/application, document the type of authentication used and any additional security measures or policies related to remote access (e.g., password complexity requirements). Vendor management risk data can be useful here, if available.

4. Check with user groups to ensure that they use secure authentication methods and follow security policies when accessing systems/applications remotely.

5. Monitor access logs for signs of unauthorized access attempts or suspicious activity related to remote access authentication.

6. Regularly review and update existing remote access authentication processes as necessary to ensure the continued security of organizational resources over the Internet.

Why This Is Important – Credential Stuffing & Phishing

Inventorying all of the points of authentication within an enterprise is essential as protection against credential stuffing and phishing attacks. Credential stuffing is a type of attack where malicious actors use stolen credentials to gain access to different accounts, while phishing attacks are attempts to acquire confidential information through deceptive emails or websites. In both cases, it is important that organizations have proper authentication measures in place to prevent unauthorized access. Inventorying all of the points of authentication within an organization can ensure that the right security protocols are in place and that any suspicious activity related to authentication can be quickly identified and addressed.

In addition, having a detailed inventory of all points of authentication can help organizations identify any weak spots in their security measures. This allows them to take steps to strengthen those areas and further protect themselves from potential credential stuffing or phishing attacks. By regularly reviewing and updating their authentication processes, organizations can ensure that their resources remain secure and protected from any malicious actors.

Lastly, ensure that you feed this inventory and the knowledge gained into your enterprise risk assessment processes, incident response team, and other security control inventories. Make a note of any security gaps identified during the inventory process and ensure complete coverage of the logs and other intrusion detection systems at each potential point of authentication. By following these steps, you can ensure that your enterprise remains secure and protected from any potential threats associated with credential stuffing and credential theft associated with common phishing attacks.


Vendor Risk Assessment for Small and Medium Concerns

In my last paper I discussed the high level of risk that third-party service providers and vendors pose to organizations. If vendors have a connection to your internal network, or are trusted implicitly by organizational staff, they are a potential risk to private information and services at your business. Because of this danger, it is becoming increasingly important to conduct vendor risk assessments. In addition, vendor risk assessments will produce information valuable to increasing the accuracy of the organization’s business impact analysis. For small to medium size businesses, the goal is producing a useful vendor risk assessment without expending inordinate amounts of time and resources. I will outline below the basic methodology for conducting such a risk assessment.

The first step is formulating questionnaires for both internal employees and for the services providers being assessed. For the internal questionnaires, it is best to question application/vendor owners and subject matter experts. It is also valuable to have the input of IT and security personnel. Some of the information you may want to gain from this effort includes:

  • What data and systems does the vendor have access to? How critical to the business are these systems and data? Is the data regulated or sensitive (i.e. PPI, PHI)?
  • How does the vendor access these assets (i.e. via VPN, 2FA, simple user name/password)? Is access automatic or must it be enabled before access is granted? Is vendor access logged and monitored? Is there a shared access account used to communicate with the vendor, or is access individual to the employee?
  • How critical is the availability of this vendor to business processes? Is the vendor really necessary (Are there other vendors used by the organization that provide similar services to other lines of business, and is it possible to a number of vendors with just one)?
  • Has a review of vendor contracts and agreements been performed to see if they meet the organizations security policy and functional requirements?
  • Are there periodic reviews of the vendor performed to check on their status in the industry (i.e. financial status, reputation)?

For the external questionnaires, the goal is to gain information about and from the vendor. This information can be gleaned from publicly available sources, user groups, the Better Business Bureau, or you can contact the vendor itself. Some of the information you may wish to collect includes:

  • Does the vendor have a SOC 2, PCI DSS, ISO certification in place, or is there other evidence of a risk management program in place?
  • Does the vendor support multi-factor authentication mechanisms such as hard tokens, Okta, etc.?
  • Is the vendor financially sound?
  • Does the vendor have a good reputation in the industry and among users of the vendor service or application?
  • Does the vendor have a documented information security program in place that is compliant with the organization security program? Does the vendor perform logging and monitoring of their systems? Do they have an incident response program in place? Etc.
  • Does the vendor have a history of security compromises or data breaches?

Once you have the information about the vendors you need, you can apply the regular risk assessment paradigm to them; what threats may menace the vendor, what impacts would the business suffer if the vendor were compromised, how likely is compromise of the vendor? From this you assign the vendor a risk rating, usually stated as high, medium or low.

After the risk ratings have been assigned to all of the organization’s vendors, the risk treatment process can be undertaken. For example:

  • Should additional security controls be put in place around the vendor?
  • Should a replacement be found for the vendor?
  • Is there a way to avoid the risk posed by the vendor to the organization?
  • Does the benefit derived from using the vendor outweigh the risk posed to the organization by the vendor?
  • Can agreements with the vendor be renegotiated in order to meet the organization’s security and functionality needs?

Although this process is relatively simple, the organization can derive great benefit from undertaking it. In the present business climate, information security cannot be taken too seriously.

Don’t Trust Third Party Apps and Services to Provide Perfect Security

We all are a little overwhelmed by the complexity and difficulty of securing our private information against attackers such as cybercriminals and nefarious nation states. It seems that attacks come at us from all sides on a regular basis. One way we cope with this is to outsource our cybersecurity needs to third-party organizations that have staff who perform such services as network monitoring or security patching for a number of client organizations. Another way is to employ third-party security applications that provide such services as email security and data loss protection. We trade our money for their time and expertise.

And there is nothing wrong with that in a lot of ways. The people that form and work for these organizations are able to concentrate their efforts on specific aspects of information security, and often have a great depth of understanding of their particular subjects. Using them or their applications certainly will save you time and can also save you money. However, it is ironic that the very act of allowing such organizations and applications to connect to your networks is a great risk to your private information and systems in and of itself. So, in a way, by trying to simplify your risk management problems, you are actually increasing the attack surface available to cybercriminals, thereby making your cybersecurity problems even more complex and unwieldy.

A big problem is that, despite our best efforts, risk can never be totally eradicated; risk can only be lessened. This is the result of Order and Chaos and the very nature of reality. So even when a cyber-service provider is conscientious and diligent in their security efforts, they can still be compromised. And when they are, there is a good chance that their clients will be compromised as well. Unfortunately, no matter who was responsible for the compromise, you or your organization have the ultimate responsibility for the security of your own information or assets. This creates a no-win situation; you lose, your customers lose, and the service provider loses.

A current example of this is the LastPass hack that occurred sometime in August according to the company. Although details are sketchy, the latest information shows that the breach was massive and exposed encrypted password vaults as well as other user data. The company announced that hackers were able to copy a backup of customer vault data from the encrypted storage container. This means that these hackers have had months to try to guess the master passwords for these vaults. With time, cracking these passwords becomes more and more likely. This creates a huge hassle for clients who now have to change all their passwords and ensure that two-factor authentication is enabled wherever possible. It also has created a huge reputational hit for LastPass. Many information security professionals are even recommending that their clients dump LastPass.

So, what can we do to protect ourselves from the dangers of service provider compromise? The answer is that there is no perfect solution. The best thing we can do is be constantly aware of the situation and put no trust in our hope that the service providers we employ will not be compromised. We need to examine each service provider we use and ask ourselves if we really need the app or service. If we can get by without, then dump that provider. The less service providers we have, the smaller the attack surface we present to the outside world. We also need to do risk assessment of our current and prospective service providers to see how competent and stable they are, and to determine the impact we would experience if compromise did occur. In addition, we need to develop incident response procedures to help us minimize negative impacts that we can foresee, and practice our responses so that we are quick and competent if the incident occurs. Forewarned is forearmed!

What Is a Honeypot?

What is a Honeypot in Cyber Security?

A honeypot is a security system that creates a fake trap to attract attackers so that organizations can detect and protect against harmful digital activity.

How Does a Honeypot Work?

A honeypot acts as a decoy system or server that is deployed alongside production systems within a network. It is designed to look attractive to attackers by containing vulnerable data, luring them in, and then detecting their attempts, providing organizations with valuable insights into the threats they face.

What Are the Benefits of Using a Honeypot?

Honeypots can provide an organization with real-time information about the threats they face, including the techniques used by attackers and the types of attacks they are targeting. Additionally, honeypots can act as an early warning system by alerting an organization when an attack is detected.

What Are Some Examples of Different Types of Honeypots?

There are different types of honeypots available, such as low-interaction honeypots, which simulate vulnerable services but are not actually connected to networks; high-interaction honeypots, which contain full operating systems; and virtual honeypots, which use virtual machines to simulate the behavior of real systems.

Does MSI Make a Honeypot Product?

We sure do! We have a unique, patented platform for creating, managing, and monitoring distributed honeypots across your environment or in the cloud. You can learn more about it here. To schedule a discussion about the platform and its capabilities, drop us an email or give us a call.

Seek Out and Remove End-Of-Life Components

Just a quick reminder, at some point during each quarter, it is a good idea to enact a process to seek out and remove any end-of-life products in your environment. This is not only a best practice but a significant risk reduction measure as well. Make it an ongoing periodic process, and you’ve got a powerful weapon against threats and emerging issues stemming from end-of-life hardware, firmware, and software in your networks.

How to Search for End-Of-Life Products In Your Environment

The first step is to identify the devices, applications, and firmware that are no longer supported by their vendors. You can do this manually or with a tool. The next step is to determine which of those devices have been deployed in your network. Once you know where they are, you need to find them. There are several ways to search for these devices:

Use Network Inventory Tools

Network inventory tools such as Nmap and Nessus will allow you to scan your entire network to locate all of the devices on your network. These tools will also tell you what operating systems and versions of software/firmware are running on the device. If you’re using a vendor-specific tool, you’ll be able to see if there are any known vulnerabilities associated with the product in many cases.

Talk to Device and Application Owners

If you don’t already have a relationship with the owners of the devices and applications, then you should start building one now. It’s important to get to know the people who own the devices and applications so that you can ask questions about how they use the devices and applications. You may even want to consider getting an end-of-life security policy together for the organization so that you can make sure everyone understands the risks of end-of-life components.

Once you have discussed the issues with the owner, remove the component if possible. Otherwise, add it to a list of components to look for workarounds or replacements. Many organizations that can’t manage to replace an end-of-life component either place it in a low trust network zone, front-end it with firewalls or ACLs, and increase monitoring and detection of the assets involved. Of course, the component should be reviewed quarterly until it can be removed from service.

Doing this process every quarter will increase your networks’ overall stability and trust worthiness, plus reduce risk and management headaches. It’s well worth your time and an effective part of an overall risk management strategy.