OCIE Cites Current Risks Facing Wealth Management Firms

As I discussed in my last blog concerning wealth management firms, the Securities and Exchange Commission (SEC) and its Office of Compliance Inspections and Examinations (OCIE) have placed a strong emphasis on information security and privacy practices. As 2020 began, the focus of OCIE examinations seemed to be concentrating on cyber governance, cyber resilience, privacy and data security, and outsourcing risks. Although these considerations still exist, the advent of the COVID-19 crisis has prompted the SEC to augment its thinking on current risks for brokers/dealers and investment advisers. Pursuant to this effort, it released a Risk Alert entitled Select COVID-19 Compliance Risks and Considerations for Brokers-Dealers and Investment Advisers (https://www.sec.gov/files/Risk%20Alert%20-%20COVID-19%20Compliance.pdf). The OCIE’s observations and recommendations are grouped into a number of categories, discussed below.

Protection of Investor Assets: The OCIE is encouraging firms to review their operating practices surrounding collecting and processing investor checks and transfer requests to ensure social distancing practices and remote working are not impacting the security of these practices. As well as updating policies to reflect these changes, the OCIE is recommending implementing additional steps to validate the identity of investors and the authenticity of their disbursement instructions.

Supervision of Personnel: The OCIE is recommending that firms should review and adjust their personnel supervision policies and procedures to ensure that the current situation does not seriously impact brokers/dealers’ ability to provide sound advice in a volatile market, and to communicate with their customers effectively.

Fees, Expenses and Financial Transactions: Recent market volatility has put pressure on both investors and wealth management firms. It is thought that this increased pressure may have increased the potential for misconduct among brokers/dealers. Because of this, OCIE recommends that firms should review and adjust their policies and procedures surrounding fees and expenses.

Investment Fraud: Volatile times and business situations can increase the risk of investment fraud through fraudulent offerings. The OCIE recommends that firms be aware of these risks and take them into consideration when conducting due diligence reviews on investments, to ensure that said investments are actually in the best interest of the investors. It encourages firms and investors that suspect fraud to contact the SEC.

Business Continuity: The OCIE is recommending that firms should consider their ability to operate critical business functions during the emergency situation and review their business continuity plans. They cite the fact that working from remote sites could raise compliance issues. They specifically state that compliance policies and procedures used under normal operating conditions may need to be modified to address risks and conflicts of interest present in remote operations. They also state that security and support for facilities and remote sites may need to be modified or enhanced.

Protection of Sensitive Information: The current emergency has forced firms to employ video conferencing and other electronic means to communicate while working remotely. Often personnel are using personal devices and web-based applications as a part of this process. The OCIE points out that employing these means increases the risk that investor PII or private company information may be compromised. These practices also increase email/phone phishing risks. To help fight this, the OCIE recommends that firms enhance their identity protection practices, provide additional training for users and investors, conduct heightened reviews of access rights and privileges, use encrypted communications, ensure patching and updating are kept current, consider enhancements such as multi-factor authentication, and address risk issues related to partners and third parties.

MSI points out that the best way to ensure that all your information security practices are effective and compliant with guidance such as that listed above is to conduct regular security reviews and testing. These include risk assessments, application security assessments, network vulnerability and penetration testing and other security testing such as Wi-Fi security testing and social engineering exercises.

All About FINRA Risk Assessments

FINRA (Financial Industry Regulatory Authority) requires an enterprise risk assessment once per year for all member firms. This risk assessment should be completed using the NIST Cybersecurity Framework, if appropriate for the size of the organization. At MSI, we fully embrace the NIST framework and use it routinely for our approach to information security and risk management.

Who Performs the FINRA Risk Assessment?

The FINRA requirements for risk assessment include that it be completed by independent third-party assessors, if possible, or otherwise by internal information security experts (if qualified and available). MSI’s approach is to work WITH our client’s internal team members, including them in the process, and leveraging their deep knowledge of the firm’s operations, while still maintaining our independence. In our experience, this provides the best return on investment for the risk assessment, and allows granular analysis without draining critical internal client resources.

What Analysis Does the FINRA Risk Assessment Require?

Each FINRA risk assessment should include an inventory of all critical data, PII and other sensitive information. Each asset should then be reviewed for its impact on the business, and the relevant controls, risks, mitigations and residual risks should be identified. This process requires deeper knowledge of cyber security than most firms are comfortable with, and the experience and attention to detail of the assessor can make or break the value of the assessment.

Is the FINRA Risk Assessment Affordable?

Since the workload of a risk assessment varies greatly based on the size and complexity of the organization being assessed, smaller firms are naturally more affordable than larger firms. Risk assessments are affordable for nearly every firm today, and the work plans can be easily customized to fit even the tightest of budgets. In addition, when working with experienced and knowledgeable assessors, the cost can be even lower and the results even more valuable. At MSI, our assessment team has more than 15 years of experience, across a wide variety of sizes, types and operational styles of client firms. You won’t find any “on the job training” here; our experts are among the best and most recognized in the world. We are excellent at what we do, and we can help your firm get the best ROI on a risk assessment in the industry.

How Do I Get Started on a FINRA Risk Assessment from MSI?

Simply drop us a line via this web form, or give us a call at (614) 351-1237 to arrange for a free, no-hassle call with our team. We’ll explain how our process works, gather some basic information and provide you with a proposal. We’d love the chance to talk with you and be of service to your firm. At MSI, we build long-term client relationships and we truly want to partner to help your firm be more successful, safer and manage the risks of the online world more easily. Give us a call today!

Car Dealership Threat Scenario – Wireless Printer Hacking AP Fraud

Today, I wanted to talk about a threat scenario that we have modeled recently. In the scenario, the victim was a car dealership, and the target was to commit accounts payable fraud. The testing scenario is a penetration test against a large group of car dealerships, but our research shows the threat to be valid against any number of organizations.

Here are the basics of the scenario:

  • The team found a car dealership with an extensive wireless network. Though the network was encrypted and not available to the public, the team was able to compromise the wireless credentials using a WiFi Pineapple in a backpack, while pretending to shop for a new car.
  • The team used the credentials to return later, appearing to wait for a service visit and working from the customer lounge. (The coffee and snacks were great! )
  • The team logged into the wireless network and quickly identified many devices, workstations and such available. Rather than focus on the workstations or attempt an attack on the users – the team instead focused on the shared printers.
  • One printer was identified with the name “BackOffice”, and access to the print spool was easily obtained through known default passwords which hadn’t been changed on the device.
  • Our team made notes of their recon and attack path, and left the dealership.
  • Once away from the dealership a couple of simple social engineering calls were made to the accounts payable folks, pretending to be a vendor that we had observed at work at the facility. Without any real information, the accounts payable team member explained when we could expect payment, because accounts payable checks were processed every Thursday morning. The social engineer thanked them and completed the call.
  • On Thursday morning, the team showed up at the dealership again, pretending to wait for a service appointment. While in the lounge, they accessed the compromised network and printer, this time taking deeper control of the printer’s file buffer.
  • The team waited for the accounts payable staff to submit their weekly check printing to the printer. Indeed, around 10:45, the printer file showed up in the printer spool, where our penetration testing team intercepted it.
  • The team quickly edited the file, changing the amount of one of the checks (increasing it by several thousand dollars) and the payee (making the check payable to a fictional company of our choosing). They also edited the mailing address to come to our office instead of the original vendor. (PS – we alerted the manager to this issue, so that the bill could be paid later — never harm a client while doing testing!!!)
  • The file was then re-sent to the printer and released. The whole process occurred in under 3 minutes, so the AP person never even noticed the issue.
  • One expected control was that perhaps the AP staff would manually reconcile the checks against their expected checks, but this control was not in place and the fake check was mailed to us (we returned it, of course!).

This is a pretty simple attack, against a very commonly exploitable platform. Poor wireless network security and default installs of printer systems are common issues, and often not given much thought in most dealerships. Even when organizations have firewalls and ongoing vulnerability scanning, desktop controls, Anti-Virus, etc. – this type of attack is likely to work. Most organizations ignore their printers – and this is an example of how that can bite you.

These types of threat scenarios are great examples of our services and the threat modeling, fraud testing and penetration testing available. If you’d like to learn more about these kinds of activities, or discuss how to have them performed for your organization – get in touch. You can contact us via web form or give us a call at (614) 351-1237. You can also learn more about our role and services specific to car dealerships here.

Thanks for reading and let me know if you have any questions – @lbhuston on Twitter.

Business Email Compromise Attacks on Dealerships

Business email compromise attacks are a significant threat to car dealerships.

Among the car dealerships we work with, two large threats represent the most significant risks at the moment. The first is ransomware, which we have covered extensively on this blog. The second, business email compromise, we’ve also talked a lot about, but mostly in terms of traditional financial services firms. However, business email compromise is one of the most common cybersecurity attacks today and, according to the FBI’s Internet Crime Complaint Center, cost American firms $1.7 billion in 2019, while worldwide losses might well have reached over $5 billion!

How big is the risk of a business email compromise in a dealership?

Business email compromise attacks occur every single day across a variety of industries. Business email compromises typically occur via two specific attack vectors: phishing and stolen credential reuse. Most of our dealerships have significant controls around phishing, with those detection systems reporting tens to hundreds of attempts per day. While the phishing tools are good enough to stop the vast majority of common phishing attacks, there are some that make it through the network and computer-based defenses. When this happens, it is up to the humans in the dealership to be aware enough of the issue, be paying enough attention and have good enough training to prevent the phishing message from becoming a compromise.

In the second attack vector for business email compromise, attackers reuse stolen or leaked credentials (logins and passwords) that have become available on the Internet. There are several common forums and pastebin-type sites where these credentials are dumped, traded or sold (if you want to learn about a common tool to help monitor for these issues, check out ClawBack) and attackers monitor these sites with various tools. Once they see a leaked set of credentials, they try and use it on the web mail logins of their targets. If the user has the same login and password across many sites (many do), then the attacker may compromise the web mail account and be logged into the corporate email system as the user.

What happens in a typical business email compromise in a dealership?

Once the attacker has access to the email system, they will often spend a little time reading the emails and browsing through any files that the email server maintains. If the system includes chat capabilities, they often read those as well. They do this to learn about the user, their position and what the attacker may be able to use the compromised account to do. If any valuable information is in the email archive or on exposed files, they often steal that data right away for resale.

It’s not uncommon for attackers to set a forwarding address for compromised mail accounts, redirecting copies of emails to themselves so that they can monitor the email activity of the user without logging back into the server – thus reducing their chances of being discovered. If the compromised account doesn’t seem useful to the attacker, they will often use it to send phishing emails to other people in the address book, including other internal users, business partners, customers and the like. These phishing attacks are often highly successful, given that they come from a trusted contact and the attacker can tailor the language and tone of the email to match usual conversations.

Once the attacker gets access to an account that they feel is capable of either gaining them network access (think executives who can make requests of subordinates) or allow them to move money (think about accounts payable, wire, ACH and other banking fraud), they will use the email account to send messages, forms (if available) or other requests to get what they want. Again, these attacks are often highly successful, because the attacker comes from a known account, can tailor the language and tone of the messages, and can use social engineering techniques to apply pressure to the victims in order to get them to do things they might not ordinarily do.

What can dealerships do to prevent business email compromises?

Dealerships can combat business email compromise attacks by ensuring that their phishing and authentication defenses are up to par. They can train their team members to be on guard for messages that apply pressure, declare urgency or ask for unusual activities. The dealership can implement training and protocols for voice validation checks for unusual requests and perform ongoing testing of these types of scenarios to educate and keep their staff on guard.

Dealerships can also be vigilant about their email systems, configuring them to apply controls and ensuring that logging and other security measures are in place. They can implement multi-factor authentication. They can have ongoing assessments and penetration testing – including business email compromise-based scenarios.
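One of the controls the logging enables is a periodic review of mailbox rules for the forwarding behaviour described above. The following is an added example, not the post's or any mail vendor's tooling: it reads a constructed export of inbox rules (one JSON object per line; the field names are an assumption for this example, so map your mail platform's own export onto them) and reports rules that send mail outside the organisation or hide the copies from the mailbox owner.

```python
"""Flag mailbox rules that match the forwarding behaviour BEC attackers leave behind.

Added example, not the post's or any vendor's tooling. Field names in the
export (user, rule, forward_to, delete_message, mark_read) are assumptions.
"""
from __future__ import annotations

import json

# Assumed domains belonging to the dealership's own mail tenant.
INTERNAL_DOMAINS = {"example-dealer.com"}

# Constructed sample export (not real data). Rule 2 is the pattern the post
# describes: an external forward that also deletes and marks-read the original.
SAMPLE_EXPORT = """\
{"user": "ap.clerk@example-dealer.com", "rule": "Invoices", "forward_to": ["billing@example-dealer.com"], "delete_message": false, "mark_read": false}
{"user": "ap.clerk@example-dealer.com", "rule": ".", "forward_to": ["ap.backup.7731@mail.example"], "delete_message": true, "mark_read": true}
{"user": "gm@example-dealer.com", "rule": "Copies to assistant", "forward_to": ["assistant@example-dealer.com"], "delete_message": false, "mark_read": false}
{"user": "sales1@example-dealer.com", "rule": "Newsletters", "forward_to": [], "delete_message": false, "mark_read": true}
"""


def domain_of(address: str) -> str:
    """Domain part of an address, normalised for comparison."""
    return address.rsplit("@", 1)[-1].strip().lower()


def rule_findings(rule: dict, internal_domains: set[str]) -> list[str]:
    """Reasons one rule looks like the persistence trick described in the post."""
    reasons = []
    external = [a for a in rule.get("forward_to", []) if domain_of(a) not in internal_domains]
    if external:
        reasons.append("forwards to external address(es): " + ", ".join(external))
    if rule.get("forward_to") and rule.get("delete_message"):
        reasons.append("deletes the original after forwarding, hiding the copy from the user")
    if external and rule.get("mark_read"):
        reasons.append("marks forwarded mail as read")
    if len(rule.get("rule", "").strip()) <= 1:
        reasons.append("rule name is blank or a single character")
    return reasons


def severity(reasons: list[str]) -> str:
    """External forwarding is the core indicator; concealment raises it."""
    if any(r.startswith("forwards to external") for r in reasons):
        return "high" if len(reasons) > 1 else "medium"
    return "low"


def find_suspicious_rules(export_text: str, internal_domains: set[str] = INTERNAL_DOMAINS) -> list[dict]:
    """Parse the line-delimited export and return only the rules that need review."""
    findings = []
    for line in export_text.splitlines():
        if not line.strip():
            continue
        rule = json.loads(line)
        reasons = rule_findings(rule, internal_domains)
        if reasons:
            findings.append({"user": rule["user"], "rule": rule["rule"],
                             "severity": severity(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_rules(SAMPLE_EXPORT):
        print(f"[{finding['severity']}] {finding['user']} rule {finding['rule']!r}")
        for reason in finding["reasons"]:
            print("    -", reason)
```

Run it against a scheduled export of every mailbox's rules and route anything rated high to the same people who handle phishing reports.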

Reducing the risk is doable, but it does require work, investment and continued vigilance. Attackers only have to be right once, while the security controls and your team have to be right every single time to prevent losses. With incidents ranging from tens of thousands of dollars to hundreds of thousands of dollars in losses – paying attention to business email compromises is critical for dealerships of all sizes.

To learn more about tools, techniques and testing to help your organization prevent, detect and respond to business email compromise attacks, get in touch with our team at SecureDrive Alliance for more information and a free risk discussion today.

Calculating Cyber Risk

Calculating cyber risk is at best an imperfect science. There are a number of factors that need to be calculated to determine risk, and the accuracy and completeness of each of these factors determine the overall accuracy of your risk determination.

There are two different types of risk assessments commonly used: qualitative risk assessment and quantitative risk assessment. A qualitative risk assessment does not try to assign a specific dollar amount or number value to the possibility of occurrence, impact or risk rating. Rather, these factors are expressed as severity ratings such as high, medium or low (or very high, high, medium, low and very low if you want to be more granular).

For whatever cyber asset you are assessing, you begin by determining the threats to the asset, paired with the vulnerabilities that could be exploited by attackers to adversely affect that asset. These are called threat / vulnerability pairs. For each threat / vulnerability pair, you then determine the likelihood that the threat will be realized (likelihood determination), coupled with the probable impact to the asset / organization if it is. You then subtract from this calculation the effectiveness of the security controls you have in place to prevent the threat actor from exploiting the vulnerability.

You can express this as a formula such as: (threat / vulnerability) x possibility of occurrence x impact – control effectiveness = risk (or residual risk). Although this is expressed mathematically, it should be understood that this is really a mental model rather than an actual quantifiable formula when performing qualitative risk assessment.

The same factors are also in play in a quantitative risk assessment. However, in quantitative risk assessment you try to assign actual numbers and dollar amounts to some factors. In other words, you might determine that the possibility of occurrence is 50% for a given period of time and that the impact of an occurrence will cost you $150,000.
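The qualitative mental model and the quantitative variant above, carried through in code. This is an added example, not the post's own method or tooling: the post says the qualitative formula is a mental model, so the 1..5 scores, the 20%-per-level control reduction and the score bands below are assumptions made here to make it computable, and the sample register is constructed.

```python
"""Qualitative and quantitative versions of the risk model described above.

Added example, not the post's own method. The 1..5 scores, the control
reduction and the score bands are assumptions chosen to make the ordinal
"mental model" computable; adjust them to your own methodology.
"""
from __future__ import annotations

from dataclasses import dataclass

# Five-level ordinal scale from the post.
LEVELS = ["very low", "low", "medium", "high", "very high"]


def level_score(name: str) -> int:
    """Map an ordinal level to a score of 1..5 (assumed mapping)."""
    return LEVELS.index(name.strip().lower()) + 1


@dataclass
class ThreatVulnPair:
    """One threat / vulnerability pair for an asset, rated on the ordinal scale."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str             # possibility of occurrence
    impact: str                 # impact to the asset / organisation if realised
    control_effectiveness: str  # how well existing controls block this pair


def qualitative_risk(pair: ThreatVulnPair) -> tuple[int, str]:
    """Residual risk for one pair: likelihood x impact, reduced by controls.

    Inherent score is likelihood x impact (1..25). Each control level above
    "very low" removes 20% of the inherent score, so "very high" controls
    leave 20% of it. Returns (residual_score, residual_level).
    """
    inherent = level_score(pair.likelihood) * level_score(pair.impact)
    reduction = 0.2 * (level_score(pair.control_effectiveness) - 1)
    residual = round(inherent * (1 - reduction))
    # Assumed banding of the 1..25 score back onto the five-level scale.
    bands = [(4, "very low"), (8, "low"), (12, "medium"), (17, "high"), (25, "very high")]
    level = next(label for limit, label in bands if residual <= limit)
    return residual, level


def quantitative_residual_risk(probability: float, impact_dollars: float,
                               control_effectiveness: float = 0.0) -> float:
    """Expected loss for the period: probability x impact, less the share of
    that loss the controls are believed to prevent (0.0..1.0)."""
    if not (0.0 <= probability <= 1.0 and 0.0 <= control_effectiveness <= 1.0):
        raise ValueError("probability and control_effectiveness must be in [0, 1]")
    return probability * impact_dollars * (1.0 - control_effectiveness)


def rank_register(pairs: list[ThreatVulnPair]) -> list[tuple[ThreatVulnPair, int, str]]:
    """Order pairs by residual risk, highest first, to prioritise treatment."""
    scored = [(p, *qualitative_risk(p)) for p in pairs]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample register for a qualitative assessment (not from the post).
SAMPLE_REGISTER = [
    ThreatVulnPair("customer PII database", "ransomware operator",
                   "unpatched internet-facing VPN", "high", "very high", "medium"),
    ThreatVulnPair("customer PII database", "malicious insider",
                   "excessive database privileges", "medium", "high", "very high"),
    ThreatVulnPair("accounts payable workflow", "BEC fraudster",
                   "no out-of-band verification of payment changes", "high", "high", "low"),
]

if __name__ == "__main__":
    for pair, score, level in rank_register(SAMPLE_REGISTER):
        print(f"{level:>9} ({score:2d})  {pair.asset}: {pair.threat} via {pair.vulnerability}")
    # The post's quantitative example: a 50% chance of a $150,000 loss.
    print(f"expected loss, no controls: ${quantitative_residual_risk(0.5, 150_000):,.0f}")
    print(f"expected loss, controls stop 60%: ${quantitative_residual_risk(0.5, 150_000, 0.6):,.0f}")
```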

Although quantitative risk assessments give you harder data, they are best used for individual processes, applications or systems. Quantitative risk assessments are very hard to perform for complex systems such as are found in an enterprise level risk assessment. The number of factors to assess and the manner in which threats and vulnerabilities intermingle render actual dollar amounts, time spent, etc. simply too difficult to determine with any accuracy. That is why the vast majority of risk assessments carried out by organizations are qualitative in nature.

However, whether qualitative or quantitative risk assessments are performed, the key to their overall usefulness is the accuracy you achieve in uncovering valid threats, finding all vulnerabilities, determining the true likelihood of occurrence and accurately calculating the impact to the organization. Garbage in, garbage out, no matter which method you use.

ClawBack For Credit Unions

I got a question recently from one of our Credit Union clients about ClawBack™. They explained that they don’t really do any internal development, so leaking source code was not a concern for them. Based on that, they wondered, would ClawBack still be a useful tool for them?

I pointed out that most larger Credit Unions do some form of development, or at the very least, that their systems admin folks often write (and potentially expose) scripts and other management tools that would be of use to an attacker. However, even if they didn’t do any development at all, leveraging something like the Professional level of ClawBack as a DIY tool ($149.00 per month) is still a good idea.

Further, I explained that source code leaks are only one third of the focus of the ClawBack tool. It also searches for leaked device/application configurations and leaked credentials. Every Credit Union with a network needs to think about leaked device and application configurations. These are the most commonly found items in ClawBack’s history. Whether by accident, or misunderstanding or malicious intent, thousands of leaked configuration files wind up on the Internet in repositories, support forums, answer sites, social media and paste bins. When found, they can provide significant amounts of damaging information to attackers, ranging from logins and passwords to sensitive cryptography and API keys. In some cases, they can be a nearly complete map of the internal network.

Thirdly, ClawBack also focuses on leaked credentials. It can help identify stolen and compromised passwords belonging to members of your organization. Many times, these credentials contain the same or similar passwords as Internet exposed applications, webmail or email access and potentially even weakly secured VPN instances. Stolen and leaked credentials are among the most significant root causes of breaches, business email compromise and a variety of other fraud.

Your CU security team can add ClawBack to their toolkit for less than $150 per month. It’s simple to use, flexible and an incredibly powerful capability to minimize the damage from data leaks. Check out this less-than-8-minute video for more information. If you’d like to discuss ClawBack or our ClawBack Managed and Professional Services, please drop us a line, or give us a call at (614) 351-1237 today.

Closing the CUSO Security Loophole

The CUSO Security Loophole

The NCUA Inspector General (IG) suggested this week that the agency have regulatory oversight of Credit Union Service Organizations (CUSOs) to reduce the overall risk to the system. CUSOs have long been seen as separate firms from the credit unions, though credit unions may hold an ownership stake in them. To date, many of these organizations have been outside the regulatory and oversight controls that are applied to the very credit unions they serve. In terms of information security, that often means they aren’t held to the same level of security and risk management controls as required by NCUA 748 and other guidance.

CUSO Security Oversight Challenges

The NCUA IG suggests that NCUA guidance and regulatory oversight be directly applied to CUSOs, instead of through vendor or partner risk management programs of the CUSO customers. This would provide for more direct regulation of the security controls and risk management processes in use at the CUSOs themselves. However, this introduces several challenges for some CUSOs, who may be more focused on agility, market speeds and innovation – areas where regulatory guidance can be especially impactful and can create significant budgetary challenges. This gets even more complicated when regulatory guidance is vague, or can be inflexible – the very opposite of the needs of organizations focused on innovation and market speed adaptation. An excellent example of this is CUSOs working on financial technologies, crypto currencies, blockchain and other exciting new areas. Regulatory guidance lags or lacks in most of those areas and hasn’t caught up to these new, and in some cases, experimental technologies.

One Approach – Best Practices CUSO Security and Third Party Attestation

One approach that might work is for CUSOs to work with independent third-party assessors who could then measure the CUSO against industry standard best practices that apply to their specific lines of business, research or innovation. These vendors could then help the CUSO build a relevant and respectable CUSO security and risk management program – which they could attest to the NCUA. If this attestation were required on a yearly basis, along with some basic guidance, like ongoing risk management reviews, ongoing vulnerability management, etc. – this could go a long way toward mitigating the risks that concern the NCUA IG, while still maintaining independence and control by the CUSOs – thus empowering their mission. Programs like these have been very successful in other industries and don’t have to add the overhead and bureaucracy of full regulatory compliance or programs like PCI-DSS.

If you’d like to build such a program for your CUSO, please get in touch with us. We’d love to work on creating this process with a handful of CUSOs around the US, and are more than capable of applying our 30 years of experience in information security to each organization’s independent needs. Drop us a line or give us a call at (614) 351-1237 and let’s work together to close the CUSO security loophole in a way that reduces risk but doesn’t destroy the power and flexibility of the CUSO ecosystem.

ClawBack Professional and Managed Services Launched

ClawBack™, our data leak detection engine which we released last fall, is a cloud-based SaaS tool focused on helping organizations detect leaked source code, device/application configurations and credentials. You can learn more about the product and why we made it in this quick 8 minute video by clicking here.

While ClawBack has been a very successful product in its own right, the SaaS platform is primarily “Do It Yourself” in terms of operations. It’s easy to use and manage, but the customer does the work of reviewing the alerts and managing the responses. Over the last several months, some clients have asked for a managed service option, where MSI will manage the ClawBack product, review the alerts and work with the customer to issue take downs or provide mitigation advice. Today, we are proud to announce the immediate availability of the ClawBack Managed Service. Now you can get the power and vigilance of ClawBack without the overhead of managing and monitoring the product directly, reviewing the alerts and issuing appropriate take down requests.

Several clients have also asked us about other professional services associated with ClawBack and with Data Leak Prevention/Protection (DLP) capabilities in general. MSI is also proud to announce the immediate availability of the following associated professional services:

  • Monitoring term identification, optimization and improvement
  • Watermark implementation in source code and device configurations
  • Data leak awareness training, especially focused on source code, configurations and credentials
  • Data leak impact modeling and table top simulations
  • 30/60/90 day data leak assessments
  • Exfiltration testing and Data Loss Prevention (DLP) assessments and optimization
  • Data classification and data leak policy and process development and reviews

Additionally, we are launching multiple year packages that combine these services in 3 and 5 year plans, allowing our clients to create long term solutions to the problems of data leakage, intellectual property risk management and compromises stemming from leaked source code, configs and credentials. To learn more about these services or create a package that fits your firm’s needs, give us a call at 614-351-1237 or drop us a line (info@microsolved.com).

WARNING: Migrate Windows Server 2003 Immediately

Believe it or not, we still get queries from a few utility companies that have operational processes locked on Windows Server 2003 as a platform. Most of the time, these are legacy applications associated with some form of ICS device or data management system that they have not been able to afford to replace.

Windows 2003 Server end-of-life searches are still among the most popular searches on our StateOfSecurity.com blog, receiving more than 200 queries most months. Keep in mind, this is an operating system that patches haven’t been released for since 2015. According to Spiceworks, an online community for IT professionals, the Windows 2003 Server operating system still enjoys a market share of 17.9%, though we could not validate the time frames of their claim.

But, just in the last year or so, we have seen it alive and well in natural gas, energy and the communications infrastructures, both foreign and domestic. So, we know it is still out there, and still being used in seemingly essential roles.

I’m not going to lecture you about using a system that has been unpatched for 5 years. That’s just common sense. Instead, what I am going to do is make three quick suggestions for those of you who can’t get rid of this zombie OS. Here they are:

1. Install a firewall or other filtering device between the legacy system and the rest of your environment. This firewall should reduce the network traffic allowed to the system down to only specifically required ports and source addresses. It should also restrict all unneeded outbound traffic from the device to anything else in the network or the world. The device should be monitored for anomalies and security IOCs.

2. If the hardware is becoming an issue as well, consider virtualizing the system using a modern virtualization solution. Then apply the firewalling above. Server 2003 seems to be easily virtualized and most modern solutions can handle it trivially. Hardware failure of many of these aging systems is their largest risk in terms of availability.

3. Eliminate the need AS SOON AS POSSIBLE. Even with the firewalling and filtering, these systems have high risk. You might also consider if you can migrate portions of the services from Windows 2003 to a more recent system or platform. This isn’t always possible, but everything you can move from Windows 2003 to a supported OS is likely to let you crank down your filtering even more.

Lastly, if you’re still trapped on Windows 2003, make sure you review this every quarter with the application owners and management. Keep it on their minds and on the front burner. The sooner you can resolve it, the better.

If you need more help or advice on risk mitigation or minimization, get in touch. We’d love to help! Just email us at info@microsolved.com and we can connect.

EDI – The Often Overlooked Critical Process in Utilities

EDI (Electronic Data Interchange) is an often forgotten underpinning of many utility companies, even though many of its functions are likely to be critical to the operation. In many states, EDI is a mandated operation for commercial bill pay and meter reading data exchange with third party services. In fact, between the Gas Industry (GISB) and North American Energy (NAESB) Standards Boards, a substantial set of requirements exist for industry use of EDI.

While EDI exists as a specific set of functions for exchanging digital data, it is often managed through third party applications and networks. These operations carry several different threat models, from disruption of service and outages that impact the data availability, to tampering and compromise of the data in transit. As such, it is essential that utilities have performed business function and application specific risk assessment on EDI implementations.

Additionally, many of our clients have performed EDI-focused penetration testing and technical application assessments of their EDI translators and network interconnects. Some clients still utilize a Value Added Network (VAN) or other service provider for EDI transmissions, and MSI can work with your VAN to review their security program and the configuration of your interconnections to ensure maximum security and regulatory compliance.

Lastly, our team has been very successful doing tabletop incident response and disaster recovery/business continuity exercises involving modeling EDI outages, failures and data corruption. Impacts identified in these role playing exercises have ranged from critical outages to loss of revenue.

If you’d like to learn more about our EDI services and capabilities, give us a call at 614-351-1237 or drop us a line at info@microsolved.com. We’d love to talk with you about our nearly 30 years of experience in EDI, information security and critical infrastructure.