In the not-so-distant past, organizations let service providers connect to their internal networks without a great deal of concern. At that time, attackers could generally find a more direct route into business networks, and although the security vulnerabilities inherent in 3^rd party connections to networks were known, they received much less attention by users and regulators alike than they do today.

Now, networks are very much better protected, especially those segments that directly face the Internet. Their improved outer armor has forced attackers to come at networks in more indirect ways, such as through trusted service provider connections. Attackers reasoned that if your target’s outer security is just too good, maybe concerns such as the company that hosts their operating software suite is not so robust. Their reasoning proved to be correct. In fact, this attack vector worked so well, that governing bodies have had to tighten security requirements accordingly.

In the present environment, organizations such as financial institutions and medical concerns must be able to demonstrate due-diligence in their establishment and maintenance of vendor/3^rd party relationships. They should always remember that they, as the parent organization, are ultimately responsible for the security of their client information; it doesn’t matter if the security breach originated with the service provider or not. Without mechanisms such as documented due-diligence processes, contractual security agreements and cyber-insurance policies, organizations can be left to shoulder the burden alone.

This trend toward vendor management security, and indeed toward more stringent information security regulation across the board, shows no signs of slowing. Quite the opposite. In 2017, 240 cybersecurity-related bills or resolutions were introduced in 42 states. In 2016, 28 states introduced cybersecurity-related legislation; 15 of these states actually enacted the legislation. In 2015, the numbers were 26 states and eight pieces of legislation enacted. Quite an increase in just a few years.

All of this regulation is having a direct effect on not only hosting organizations, but the businesses that provide services to them. Vendors are increasingly being asked to demonstrate the security of their cyber-systems and processes by both present and prospective clients. They must be able to show that their information security program is just as effective as that of the parent organization or no job.

The upshot of all of this is that NOW is the time ensure that your vendor management program meets all of the recommendations and regulations that are currently emerging. Playing catch-up is never a good idea.

First of all, the program should be based on risk. An assessment should be performed to identify risks to the organization associated with the use of 3^rd party providers. Once that information is in place, a framework of policies and procedures designed to address these risks should be developed and implemented. Responsibilities for undertaking these tasks should be assigned to individuals, and of course, the whole program should be fully documented and maintained. Senior management should monitor the program to ensure that it is being implemented as designed, and that it is effective in its operation.

Companies should ensure that contracts with service providers are clear, comprehensive and that information security requirements and responsibilities are fully defined for all parties concerned. Results of IT audits and security assessments should be accessible and reviewed at least annually. Any significant weaknesses or security problems uncovered by these assessments should be addressed, and the effectiveness of their remediation should be monitored.

So, don’t wait. Review your own vendor management program today and see if it meets all of the current and likely future requirements. Having a compliant program in place is not only good information security, but may even be the differentiator that gets your company a few extra clients.

Many of our clients come to us looking for direction on the right cadence for implementing security initiatives; what’s first, what’s next and how should I space these services out to best fit our budget and needs?. These are questions that many of our clients struggle with.

As with any initiative, it is imperative to allocate resources towards activities that not only get the job done, but that also provide the “most bang for the buck.” We have found that, in many ways, information security initiatives will stack in a logical order of what we like to call the “rhythm of risk.”

We suggest that a good place to start the conversation is with the “must haves,” which means understanding compliance with regulation and all that implies. Many organizations must be able to positively check certain questionnaire boxes in order to maintain their ability to operate in regulated industries or to partner with certain companies. In these cases, achieving and maintaining specific security benchmarks is like giving companies a “hunting license” for certain types of partnerships.

This process really starts with understanding the gap between where companies are and where they need to be. This is the basis of formulating effective compliance strategies. The idea is to come to a complete understanding of the organization’s security posture and needs up front; an approach that helps ensure that security dollars are spent wisely and achieve the desired effects. Many times we see organizations rush through this step, spinning their wheels on the path to compliance by either misappropriating resources or by simply over spending. Each client and situation is a bit different; a successful approach leverages understanding what needs to be done in the cadence that stacks logically for that particular client.

Another pivotal factor guiding our recommendation starts with the maturity level of the organization’s security program. For a security program that is less mature, it is important to focus on not only those security mechanisms that most effectively address the risk, but also those that are the least expensive and easiest to implement.

We gauge maturity based on the NIST Cybersecurity Framework as it applies to the particular organization’s security posture. The core of the NIST framework sets out five functions: Identify, Protect, Detect, Respond and Recover. Within each function are related categories with activities to be rated and applied. For example, under Identity are Asset Management, Business Environment, Governance, Risk Assessment and Risk Management Strategy. These blocks stack on top of each other and layout a path based on a hierarchy of risk; what is most likely to occur weighted against the impact to the organization.

In addition to an organization’s maturity, it is important to consider the cyber-economic value of the content they manage. This usually correlates with proprietary or sensitive personal information held by companies. The higher the value of the data held by an organization, the greater the lengths hackers will go to attain it. As usual the market will drive the velocity and veracity of breach attempts along with the level of criminal attracted to them. Therefore, the value of your organization’s information should have a direct correlation with the amount of time, energy and investments needed to protect it.

A friend on a road-trip recently had an experience using hotel wifi that was a little surprising.  For several hours, while on the hotel’s wifi, her machine was effectively on the open Internet with no intervening firewall,

Her laptop was instrumented with one of MSI’s “honeypoints“, a lightweight honeypot that emulates various services and reports back to a central console when these “fake” services are interacted with, possibly by an attacker.

Over the several hour period while on wifi, the following Internet probes (and in some cases clear attacks) were seen.

The attacker IP and the port probed are in bold below:

• Jan 15 18:03:43 HPSS012 HPSS Agent: Tarsus.local received an alert from: 198.20.87.98 on port 443 at 2018-01-15 18:03:42 Alert Data: Connection Received  ==> https probe
• Jan 15 18:03:49 HPSS012 HPSS Agent: Tarsus.local received an alert from: 198.20.87.98 on port 443 at 2018-01-15 18:03:48 Alert Data: GET / HTTP/1.1#015#012Host: 63.140.158.108#015#012#015
• Jan 15 18:03:49 HPSS012 HPSS Agent: Tarsus.local received an alert from: 198.20.87.98 on port 443 at 2018-01-15 18:03:48 Alert Data: Non-ASCII Data Detected in Received Data.#012 File saved as Alert2215.txt
• Jan 15 18:23:02 HPSS012 HPSS Agent: Tarsus.local received an alert from: 181.214.87.7 on port 3389 at 2018-01-15 18:23:02 Alert Data: Non-ASCII Data Detected in Received Data.#012 File saved as Alert2216.txt  ==> Terminal services probe from Sweden
• Jan 15 20:06:21 HPSS012 HPSS Agent: Tarsus.local received an alert from: 209.126.136.7 on port 443 at 2018-01-15 20:06:20 Alert Data: Connection Received
• Jan 15 20:06:29 HPSS012 HPSS Agent: Tarsus.local received an alert from: 209.126.136.7 on port 443 at 2018-01-15 20:06:28 Alert Data: Non-ASCII Data Detected in Received Data.#012 File saved as Alert2217.txt
• Jan 15 20:20:36 HPSS012 HPSS Agent: Tarsus.local received an alert from: 189.219.71.36 on port 23 at 2018-01-15 20:20:35 Alert Data: cat /proc/mounts; (/bin/busybox BBFMC || )  ==> Port 23 (telnet) IOT attack from Mexico. Likely from a Mirai botnet variant.
  
• Jan 15 20:26:22 HPSS012 HPSS Agent: Tarsus.local received an alert from: 8.3.123.42 on port 1433 at 2018-01-15 20:26:21 Alert Data: Non-ASCII Data Detected in Received Data.#012 File saved as Alert2218.txt  ==> Microsoft SQL Server probe from Guam
• Jan 15 20:26:22 HPSS012 HPSS Agent: Tarsus.local received an alert from: 8.3.123.42 on port 1433 at 2018-01-15 20:26:22 Alert Data: Connection Received
• Jan 15 20:26:33 HPSS012 HPSS Agent: Tarsus.local received an alert from: 8.3.123.42 on port 1433 at 2018-01-15 20:26:32 Alert Data: Non-ASCII Data Detected in Received Data.#012 File saved as Alert2219.txt
• Jan 15 22:03:44 HPSS012 HPSS Agent: Tarsus.local received an alert from: 198.199.113.84 on port 1433 at 2018-01-15 22:03:43 Alert Data: Non-ASCII Data Detected in Received Data.#012 File saved as Alert2220.txt  ==> SQL Server probe from U.S. 

These alerts were being reported to the console from the IP address assigned by the hotel to my friend’s laptop: 63.140.158.108

That IP is registered to:

NetRange: 63.140.128.0 – 63.140.255.255
CIDR: 63.140.128.0/17
NetName: WAYPORT-63-140-182-NET

Wayport is an ATT wifi service providing “hotspots” to various large companies.

These are the types of probes and attacks a box on the open Internet can expect to get. It’s become like cosmic radiation – pervasive. I discussed a previous related event here:  https://stateofsecurity.com/?p=4126

What is interesting in this case is the fact they happened at all.

The hotel was part of a major chain.  The common assumption is they are watching out for their guests to ensure a “safe” wifi environment…and in general they are.

But – there maybe some fine print.

Some hotel wifi agreements apparently specifically allow you to request “advanced” connectivity options, in some cases as a result of wanting to do VPN from your laptop.  The result of those decisions may lead to a public Internet address and full Internet exposure of your device .

So – no Internet firewall but the one you bring with you.

Bottom Line:

• Regardless of the cause, you should expect the worst from “free” wifi.
• Assume full Internet exposure and have a software firewall enabled that blocks unsolicited inbound traffic.

See:

• https://conetrix.com/blog/public-ip-addresses-and-hotels
• https://superuser.com/questions/1063910/public-ip-given-at-a-hilton-hotel
• http://www.corecom.com/ccftp/Testing_Hotspot_Security.pdf

Quote from that last:

“Most private LANs use network firewalls to defend trusted insiders against Internet-borne attacks.This is not necessarily true in hotel broadband LANs, where topologies and security practices vary widely.For example, some use private IP addressing, while others assign each user their own public IP address to facilitate VPN tunneling. Users may assume they are insulated from outsiders, but really have no idea whether any firewall lies between
their notebook and the Internet. Notebooks that do not firewall themselves or that use certain applications that open holes in firewalls could thus be exposed to intrusions from the far side of the Internet.”

The General Data Protection Regulation (GDPR) was passed in May of 2016 and comes into force exactly five months from Christmas Day on May 25, 2018. The aim of this regulation is to strengthen and unify personal data protection for all citizens (and residents) in the European Union, and to allow them to control their personal information (data). This personal data must be protected according to a number of articles in the regulation, and also applies to non-European organizations that process the personal data of EU citizens.

According to the European Commission, personal data is “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.” As can be seen, this list covers just about everything!

One of the big requirements that is going to affect US organizations that do business with EU persons is their “right to be forgotten.” This means that EU citizens and residents can request that their personal data be removed from corporate databases in a timely manner. If this cannot be done, they have the right to know exactly why not.

Unlike HIPAA/HITECH, non-compliance with the GDPR can lead to some major league fines: in some cases, up to 20,000,000 Euros or 4% of the annual worldwide turnover of the preceding financial year of the organization (whichever is greater). I think that fines on this level show just how seriously personal privacy is being taken in the EU.

This new regulation just illustrates the pressing need for organizations to know how data flows across and is stored on computer networks. If you know exactly where personal data is and how it flows, you can deal with it. If you don’t, better get ready for some trouble ahead!

He knows what “normal” is. Source: Wikimedia Commons

I have repeatedly had the experience of performing external vulnerability assessments and discovering significant issues that were not being called out as such by the regular commercial assessment services employed by the client organization.

I recently discovered a case where active web server logs were freely available on the open Internet .  The usual information – source IP address, target resource, and status codes –  were all available.

Example:

64.39.99.99 – – [02/Aug/2017:10:09:07 -0400] “GET /client/chat.php?id=1%22%20%3E%3C/script%3E%3Cscript%3Ealert%28%27QualysXSSTestPart2%27%29%3C/script%3E&xhash=1 HTTP/1.1” 302 433 “-” “-“
64.39.99.99 – – [02/Aug/2017:10:09:08 -0400] “GET /index.do HTTP/1.1” 302 301 “-” “-”
64.39.99.99 – – [02/Aug/2017:10:09:10 -0400] “GET /userui/welcome.php HTTP/1.1” 302 311 “-” “-”
64.39.99.99 – – [02/Aug/2017:10:09:12 -0400] “GET /struts2-rest-showcase/orders HTTP/1.1” 302 321 “-” “-”
64.39.99.99 – – [02/Aug/2017:10:08:58 -0400] “POST /rest/json/login HTTP/1.1” 302 308 “-” “-”
64.39.99.99 – – [02/Aug/2017:10:09:14 -0400] “GET /node.xml HTTP/1.1” 302 301 “-” “-”
64.39.99.99 – – [02/Aug/2017:10:09:14 -0400] “GET /user/login HTTP/1.1” 302 303 “-” “-”
64.39.99.99 – – [02/Aug/2017:10:09:15 -0400] “GET / HTTP/1.1” 302 293 “-” “-”
64.39.99.99 – – [02/Aug/2017:10:09:16 -0400] “GET /admin.php HTTP/1.1” 302 302 “-” “-”
64.39.99.99 – – [02/Aug/2017:10:09:16 -0400] “GET /console/login/LoginForm.jsp HTTP/1.1” 302 320 “-” “-”

The highlighted entry is a “cross site scripting” (XSS) test being run over the Internet by the vulnerability management service “Qualys“.

From “whois 64.39.99.99”

NetRange: 64.39.96.0 – 64.39.111.255
CIDR: 64.39.96.0/20
NetName: QUALYS

Anyone on the Internet was able to view these logs and learn of the organization’s use of Qualys and something of the types of tests being performed and what the outcome of those tests were.

All highly useful information to any potential attacker.

Note that the problem here is NOT with Qualys.

The site that allowed these logs to be revealed had no “technical” security problem. Any internal user who was basing their understanding of the external security status of the organization strictly on the scanning service reports would likely have no reason to believe anything was wrong.

Your organization needs at least one knowledgeable and caring staff member whose job it is to know what your organization looks like from the Internet and can see when something is clearly wrong in the same way a neighborhood patrol officer can notice a strange car or a gate open that is normally locked.

You need your own “cop on the beat”.

How closely do you inspect what 3rd party plugins and libraries you use with software and development? We kind of tend to take for granted that once we vet a library or plugin and add that into our usage, then it’s likely to never be a threat in the future. However, over the last few years attackers have started increasing abuse of this trust. A type of watering hole attack that reaches a larger amount of people than a typical focused attack.

There’s 3 main ways this has happened:

• Attackers buy the plugin/library from the original author or assume control of one that is abandoned
• Development system or other system in chain is compromised by attacker
• Attackers create releases that mimic popular and established libraries/plugins in name and function

This has affected a wide range of software, from web applications to web browsers to text editors/IDE’s. Let’s take a brief look at a few instances.

WordPress Display-Widgets plugin. This plugin was sold by the original developer, and at that time had several hundred thousand active installations. The new developers then added code to it that downloaded and installed a plugin that added spam the site.

The Node.js package repository was found to have malicious packages that looked like real packages, differing slightly in the name in an attempt to fool anyone trying to find specific packages. The malicious packages generally tried to send sensitive environment data back to a server.

Python also experienced something very similar. Package uploaded in an attempt to fool anyone not paying close enough attention. Not relying on just misspelling the name, but with names that look legitimate, such as “bzip” for the real package “bzip2file”.

Those are just a few examples, Chrome and Firefox have both had similar issues multiple times as well. So how do we protect against this? Partly some of this has to be on the software that allows the plugins to run. There are some bad policies and practices here, such as WordPress letting anyone claim “abandoned” plugins.

Some things you can do yourself are to install any libraries/plugins (for python, ruby etc) with your systems package manager. If you use pip, gem or the like, make sure you are using the correct plugins, avoid misspellings or “close enough” names. Check the reputations of plugins via Twitter or search for reviews and info on plugins, by name, in your search engine. If you find any  anomalies report them on social media and forums associated with your language. Try not to use plugins that have been abandoned and recovered by another developer with no reputation.