Ask The Experts: Insights on Facebook Friends

This time around, the experts tackle this question:

Q: “Hey Security Experts, should I be friends with everyone that asks on Facebook? What’s the risk of friending people I don’t really know? Can we be friends on Facebook?” –Scott918

Adam Hostetler weighed in with:

I wouldn’t recommend accepting friends request for anyone on Facebook, unless you actually know them. This especially goes for somebody that claims they work at the same company as you, as it really could be somebody building a network of targets to social engineer.

Take advantage of Facebook privacy settings also. Don’t make your information public, and only make it viewable by friends. I would even recommend against putting too much personal information on there, even if it is only among friends. There have been security issues in the past that allow people to get around privacy controls, and Facebook really doesn’t need a lot of information from you anyway.

John Davis added:

The short answer is NO! I’m a big believer in the tenet the you DON’T want the whole world to know everything about you. Posting lots of personal facts, even to your known friends on Facebook, is akin to the ripples you get from tossing a pebble into still water – tidbits of info about you radiate out from your friends like waves. You never know who may access it and you can never get it back! There are lots of different people out there that you really don’t want as your friend – I’m talking about everything from annoying marketers to thieves to child molesters. People like that are trying to find out information about you all the time. Why make it easy for them?

Finally, Phil Grimes chimed in:

Facebook is a ripe playground for attackers. This is something I speak about regularly and the short answer is NO, absolutely not. If you don’t know someone, what is the benefit of “friending” them? There is no benefit. On the contrary, this opens a can of worms few of us are prepared to handle. By having friends who aren’t really friends one risks being attacked directly, in the case of the unknown friend sending malicious links or the like. There is also the risk of indirect attack. If an attacker is stalking Facebook pages, there is a lot of information that can be viewed, even if you think your privacy settings are properly set. Stranger danger applies even more on the Internet.

So, while they may not be your friends on Facebook, you can follow the Experts on Twitter (@microsolved) or keep an eye on the blog at http://www.stateofsecurity.com. Until next time, stay safe out there! 

Ask The Experts: Online Banking

This time we asked the experts one of the most common questions we get when we are out speaking at consumer events:

Q: Hey Security Experts, do you do your banking online? If so, what do you do to make it safe for your family? If not, why not?

John Davis explained:

I’ve been banking online for many years now and have always loved the convenience and ability it gives you to monitor your accounts anywhere and any time. There are a few simple things I do to keep myself secure. I do all the usual stuff like keeping a well configured fire wall and anti-virus software package always running. I also ensure that my wireless network is as secure as possible. I make sure the signal is tuned so as to not leak much from the house, I use a long and strong password and ensure I’m using the strongest encryption protocol available. I also monitor my accounts often and take advantage of my banks free identity theft service. One final tip; instead of using your actual name as your login, why not use something different that is hard to guess and doesn’t reveal anything about your identity? It always pays to make it as tough on the cyber-criminals as possible!

Phil Grimes chimed in with:

I do almost all my banking online. This, however, can be a scary task to undertake and should always be done with caution on the forefront! In order to bank safely on line, the first thing I do is to have one machine that was built in my house for strictly that purpose. My wife doesn’t play facebook games on it. My kids don’t even touch it or know it exists. This machine comes online only to get updated and to handle the “sensitive” family business functions like bill payment or banking.  The next thing I’ve done to protect this surface was to use a strong password. I used a password generator and created a super long password with every combination of alpha, numeric, and special characters included to reduce the risk of a successful brute force attack. This password is set to expire every 30 days and I change it religiously! Then finally, using Firefox, I install the NoScript plugin to help defend against client side attacks.

Adam Hostetler added:

Yes, I do my banking online. I also pay all of my bills online and shop online. I think the biggest thing that you can do for safety is just to be aware of things like phishing emails, and other methods that fraudsters use to try to compromise your credentials. I also always use dual factor authentication when possible, or out of band authentication, most banks and credit unions support one of these methods these days. Checking all of my accounts for suspicious activity is also a regular occurrence. 

There are also the malware threats. These are mostly mitigated by having up to date software (all software, not just the OS), up to date anti-virus software, and treating social networking sites like a dark alley. Be wary of clicking on any links on social networks, especially ones that are apps that claim they will do something fun for you. Social networks are probably the largest growing vector of malware currently, and a lot of times people install it willingly!

If you’re really paranoid, just have a dedicated PC or virtual machine for online banking.

Got a question for the Experts? Send it to us in the comments, or drop us a line on Twitter (@microsolved or @lbhuston). Thanks for reading! 

Ask The Experts: Favorite Tools

This question came in via Twitter:
“Hey Security Experts, what are your favorite 3 information security tools?” –@614techteam

John Davis responds:

I’m in the risk management area of information security; I don’t know enough about technical information security tools to give an informed opinion about them. However, my favorite information security ‘tool’ is the Consensus Audit Group’s Twenty Critical Security Controls for Effective Cyber Defense (which is very similar to MicroSolved’s own 80/20 Rule of Information Security). The ‘CAG’ as I call it gives me as a risk manager clearer, more proactive, and detailed information security guidance than any of the other standards such as the ISO or NIST. If you’re not familiar with it, you can find it on the SANS website. I highly recommend it, even (and especially) to technical IT personnel. It’s not terribly long and you’ll be surprised how much you get out of it.

Adam Hostetler adds:

I’ll do some that aren’t focused on “hacking”

OSSEC – Monitor all the logs. Use it as a SIEM, or use it as an IPS (or
any other number of ways). Easy to write rules for, very scalable and
it’s free.
Truecrypt – Encrypt your entire hard drive, partition, or just make an
encrypted “container” to hold files. Again, it’s free, but don’t be
afraid to donate.
OCLhashcat-plus – Chews through password hashes, cracking with GPU
accelerated speed. Dictionary based attacks, and also has a powerful
rule set to go after non-dictionary based passwords.

And Phil Grimes wrote:

NMap is probably one of my favorite tools of all time. It’s veristile and very good at what it does. Using some of the available scripts have also proven to be more than useful in the field.

NetCat – This tool is extremely well rounded. Some of my favorite features include tunneling mode which allows also special tunneling such as UDP to TCP, with the possibility of specifying all network parameters (source port/interface, listening port/interface, and the remote host allowed to connect to the tunnel. While NMap is my go to port scanner, there is built-in port-scanning capabilities, with randomizer, and dvanced usage options, such as buffered send-mode (one line every N seconds), and hexdump (to stderr or to a specified file) of trasmitted and received data. 

Wireshark – Sharking the wires is one of my favorite things to do. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, delving down into just the level of packet detail you need.

What’s your favorite tool? Let us know in the comments or via Twitter (@lbhuston). Thanks for reading! 

Ask The Experts Series – Workstation Malware

This time around we had a question from a reader (thanks for the question!):

“My organization is very concerned about malware on desktop machines. We run anti-virus on all user systems but have difficulty keeping them clean and are still having outbreaks. What else can we do to keep infected machines from hurting us? –LW”

Phil Grimes (@grap3_ap3) responds:

In this day and age, preventing infection on desktop workstations is a losing battle. While Anti-virus and other measures can help protect the machine to some extent, the user is still the single greatest point of entry an attacker can leverage. Sadly, traditional means for prevention don’t apply to this attack vector, as tricking a user into clicking on the “dancing gnome” often launches attacks at levels our prevention solutions just can’t touch.

Realizing this is the first, and biggest step to success here.

Once we’ve embraced the fact that we need better detection and response mechanisms, we start to see how honeypots can help us but also how creating better awareness within our users can be the greatest investment an organization might make in detection. Teach your people what “normal” looks like. Get them in the habit of looking for things that go against that norm. Then, get them to want to tell someone when they see these anomalies! A well trained user base is more efficient, effective, and reliable detection mechanism an organization can have. After that, learn how to respond when something goes wrong.

John Davis added: 

Some of the best things you can do to combat this problem is to implement good, restrictive egress filtering and ensure that users have only those local administration rights to their workstations that they absolutely need.

There are different ways to implement egress filtering, but a big part of the most secure implementation is whitelisting. Whitelisting means that you start by a default deny of all outbound connections from your network, then only allow those things outbound that are specifically needed for business purposes. One of the ways that malware can infect user systems is by Internet surfing. By strictly limiting the sites that users can visit, you can come close to eliminating this infection vector (although you are liable to get plenty of blowback from users – especially if you cut visiting social networking sites).

Another malware infection vector is from users downloading infected software applications to their machines on disks or plugging in infected portable devices such as USB keys and smart phones to their work stations. This can be entirely accidental on the part of the user, or may be done intentionally by hostile insiders like employees or third party service providers with access to facilities. So by physically or logically disabling users local administration rights to their machines, you can cut this infection vector to almost nil.

You still have to worry about email, though. Everybody needs to use email and antivirus software can’t stop some malware such as zero day exploits. So, for this vector (and for those users who still need Internet access and local admin rights to do their jobs), specific security training and incentive programs for good security practices can go a long way. After all, a motivated human is twice as likely to notice a security issue than any automated security solution.

Adam Hostetler also commented:

Ensure a policy for incident response exists, and that it meets NIST guidelines for handling malware infections. Take the stand that once hosts are infected they are to rebuilt and not “cleaned”. This will help prevent reinfection from hidden/uncleaned malware. Finally, work towards implementing full egress controls. This will help prevent malware from establishing command and control channels as well as combat data leakage.

Got a question for the experts? If so, leave us a comment or drop us a line on Twitter (@microsolved). Until next time, stay safe out there!