Inventorying Organization Authentication Points

Are you looking for threat-proactive ways to secure your enterprise? One of the best ways to do this is by inventorying all of the points of authentication within your organization. In this blog post, we’ll discuss the steps you need to take to properly inventory and secure your Internet-facing authentication points. While you should have a complete and accurate inventory of these exposures, starting the process with a focus on critical systems is a common approach.

Inventory Process

1. Identify the different types of authentication used by the organization for remote access (e.g. passwords, two-factor authentication). If possible, use vendor data to include cloud-based critical services as well.

2. List all of the systems and applications that require remote access within the organization. External vulnerability scanning data and Shodan are both useful sources for this information.

3. For each system/application, document the type of authentication used and any additional security measures or policies related to remote access (e.g., password complexity requirements). Vendor management risk data can be useful here, if available.

4. Check with user groups to ensure that they use secure authentication methods and follow security policies when accessing systems/applications remotely.

5. Monitor access logs for signs of unauthorized access attempts or suspicious activity related to remote access authentication.

6. Regularly review and update existing remote access authentication processes as necessary to ensure the continued security of organizational resources over the Internet.

Why This Is Important – Credential Stuffing & Phishing

Inventorying all of the points of authentication within an enterprise is essential as protection against credential stuffing and phishing attacks. Credential stuffing is a type of attack where malicious actors use stolen credentials to gain access to different accounts, while phishing attacks are attempts to acquire confidential information through deceptive emails or websites. In both cases, it is important that organizations have proper authentication measures in place to prevent unauthorized access. Inventorying all of the points of authentication within an organization can ensure that the right security protocols are in place and that any suspicious activity related to authentication can be quickly identified and addressed.

In addition, having a detailed inventory of all points of authentication can help organizations identify any weak spots in their security measures. This allows them to take steps to strengthen those areas and further protect themselves from potential credential stuffing or phishing attacks. By regularly reviewing and updating their authentication processes, organizations can ensure that their resources remain secure and protected from any malicious actors.

Lastly, ensure that you feed this inventory and the knowledge gained into your enterprise risk assessment processes, incident response team, and other security control inventories. Make a note of any security gaps identified during the inventory process and ensure complete coverage of the logs and other intrusion detection systems at each potential point of authentication. By following these steps, you can ensure that your enterprise remains secure and protected from any potential threats associated with credential stuffing and credential theft associated with common phishing attacks.

 

Tips For Recognizing a Phishing Email

Below are some common tips for helping to identify phishing emails at work or at home. The same rules apply.

Most Phishing Emails Originate at Common Domains

The first way to recognize a phishing email is that most originate from a public email domain.

There are few legitimate organizations that will send emails from an address that ends in @gmail.com, not even Google does this.

To check an organization’s name, type it into a search engine.Most of the time, organizations have their own email and company accounts and don’t need to use an @gmail.com address.

Check the Spelling of the Domain, Carefully!

There is another clue hidden in domain names that shows a strong indication of the scam.

Anyone can purchase a domain name from a website. There are many ways to create addresses that are easily confused with the official domain of a brand or company. The most common ways include slight mis-spellings of the domain name, or by changing one character to a number or letter that resembles the original. Be extra vigilant for these types of spoofing attempts.

Grammer and Spelling Counts

It’s often possible to tell if an email is a scam if it has poor spelling and grammar. Odd terminology or phrasing is also a clue. For example, your bank is unlikely to misspell the word checking or account, and they would not usually call an ATM machine a “cash machine”. These clues can be subtle, but often indicate that an email is not what it claims to be.

Beware of Potentially Malicious Links and Attachments

Sometimes, the wording in an email might be right, but the links send you to somewhere unexpected on the web. You can check this out in most clients and browsers by simply hovering the mouse cursor over the link without clicking on it. That’s an easy way to know where the link is taking you, and note that it might be somewhere other than what the links says it is.

You should always beware of attachments in emails. Everyone knows that malicious code and ransomware can be hiding in documents, spreadsheets and such, but they can also appear to be image files, presentations, PDFs and most types of documents. If you aren’t expecting the attachment, delete it!

Too Good To Be True

Lastly, if the offer is too good to be true, it probably is. Few people have won the lottery and been notified by email. Even less have been chosen for random gifts or to receive inheritance from Kings and Queens. Don’t be gullible, and remember, scammers are out there, and they want to trick you.

What to Do When You Spot a Phish

The first thing is to delete the email and attachments. If it is a work email, you should also notify the security team that you received it. They can investigate, as needed. In some firms, they may want you to forward it to a specific email address for the security team, but most security teams can recover the email information even if you delete it. Follow their instructions.

At home, just delete the email and tell your family and friends about it. The more folks are aware of what’s going around, the less likely there are to fall into the trap.

More Information

We’d love to discuss phishing attacks, emerging threats or common security controls for organizations. Reach out to info@microsolved.com or give us a call at 614-351-1237 for help.

Thanks for your attention, and until next time, stay safe out there.

 

 

How to Avoid Getting Phished

It’s much easier for an attacker to “hack a human” than “hack a machine”.  This is why complicated attacks against organizations often begin with the end user.  Although e-mails with malicious links or attachments are often dismissed and referred to as “spam”, these messages are often the beginning of a sophisticated hack against a company.  Unfortunately there is no “silver bullet” that can prevent these attacks from taking place.
 
I recently had the opportunity to give a presentation during one of our client’s all-staff meeting.  Despite the fact that our client’s company resides in a relatively niche market, I was able to discuss several data breaches that took place in their industry within the last year.  Not only did the hacks all take place recently, they were all the direct result of actions taken by an end-user.  A majority of these attacks were caused by an employee opening a malicious e-mail.  I gave our customer the following advice to help them avoid becoming a victim of Phishing e-mails and felt that it was worth sharing on StateOfSecurity.com.
 
Verify link URL:  If the e-mail you received contains a link, does the website URL match up with the content of the message?  For example, if the e-mail indicates you are about to visit a website for FedEx, is the address actually FedEx.com?  A common tactic used by attackers is to direct a user to a similar URL or IP address.  An example of this would be to direct the user to FedEx111.com or FedEx.SE as opposed to the organization’s actual URL.
 
Verify e-mail address of sender: If the e-mail message you received came from a friend, colleague or vendor, did it actually come from their e-mail address?  It’s worthwhile to take a few extra seconds to ensure that the e-mail actually came from the aforementioned colleague, friend or vendor.  Also, avoid opening e-mails from generic senders such as “Systems Administrator” or “IT Department”.
 
Exercise caution from messages sent by unknown senders: Be cautious if a message comes from an unknown sender.  Would you provide your checking account number or password to a random person that you saw on the street?  If not, then don’t provide confidential information to unknown senders.
 
Follow up with a phone call: In the event you receive a message requesting that you validate information or need to reset your password, take some time to follow up with the sender with a phone call.  Trust me, your IT department will be happy to spend a few seconds confirming or denying your request as opposed to dealing with a malware infection.  Also, if your “bank” sends any type of e-mail correspondence requesting that you perform some sort of action, it’s worthwhile to give them a call to confirm their intentions.  Always be sure to use a number that you found from another source outside of the e-mail.
Spot check for spelling/grammar errors: It is extremely common that malicious e-mails contain some sort of spelling mistake or grammatical error.  Spelling mistakes or grammatical errors are great indicators that you have received a malicious e-mail.
 
Do not open random attachments: If your e-mail messages meets any of the above criteria, DO NOT open the attachment to investigate further.  Typically these attachments or links are the actual mechanism for delivering malware to your machine.
 
This blog post by Adam Luck.

YAPT: Yet Another Phishing Template

Earlier this week, we gave you the touchdown task for July, which was to go phishing. In that post, we described a common scam email. I wanted to post an example, since some folks reached out on Twitter and asked about it. Here is a sample of the email I was discussing.

<paste>

Hi My name is Mrs. Hilda Abdul , widow to late Dr. Abdul A. Osman, former owner of Petroleum & Gas Company, here in Kuwait. I am 67 years old, suffering from long time Cancer of the breast.

From all indications my condition is really deteriorating and it’s quite obvious that I won’t live more than 3 months according to my doctors. This is because the cancer stage has gotten to a very bad stage.

I don’t want your pity but I need your trust. My late husband died early last year from Heart attack, and during the period of our marriage we couldn’t produce any child. My late husband was very wealthy and after his death, I inherited all his businesses and wealth .The doctor has advised me that I will not live for more than 3 months ,so I have now decided to spread all my wealth, to contribute mainly to the development of charity in Africa, America,

Asia and Europe .Am sorry if you are embarrassed by my mail. I found your e-mail address in the web directory, and I have decided to contact you, but if for any reason  you find this mail offensive, you can ignore it and please accept my apology. Before my late husband died he was major oil tycoon in Kuwait and (Eighteen Million Dollars)was deposited  in a Bank in cote d ivoire some years ago, that’s  all I have left now,

I need you to collect this funds and distribute it yourself to charity .so that when I die my soul can rest in peace. The funds will be entirely in hands and management. I hope God gives you the wisdom to touch very many lives that is my main concern. 20% of this money will be for your time and effort includin any expensese,while 80% goes to charity. You can get back to me via my private e-mail: (hilda.abdul@yahoo.com) God bless you.
1. Full name :
2. Current Address :
3. Telephone N° :
4. Occupation :
5. Age :
6. Country :

MRS. Hilda Abdul

<end paste>

As you can see, this is a common format of a phishing scam. In this case, you might want to edit the targeting mechanism a bit, so that they have to click through to a web page to answer or maybe even include a URL as supposed proof of the claim. That way you would have two ways to catch them, one by email reply and two by click through to the simple phish application.

As always your milage and paranoia may vary, but it is still pretty easy to get people to click or reply ~ even with age old spam phish attacks like this. What kind of return percentages did you get? What lessons did you learn? Drop us a line on Twitter (@lbhuston) and let us know. 

July’s Touchdown Task: Go Phish Yourself!

This month’s touchdown task is to spend about an hour doing some phishing. Phish your user base, executives and other likely targets. Use the process as a basis for ongoing awareness and security training.

Phishing is a LOT easier and more effective than you might think. We’ve made it easy for you to do, with a free tool called MSI SimplePhish. You can learn exactly how to do it by clicking here.

Pay special attention to this step:

PreCursor: Obtain permission from your security management to perform these activities and to do phishing testing. Make sure your management team supports this testing BEFORE you engage in it.

You might need a couple more ideas for some phishing templates, so here are a couple of the most simple examples from real phishing going on right now:

1. Simply send a non-sensical subject line and the entire body of the message is the phishing url. You might encode this to make it more fun using something like a URL shortener.

2. Copy one of those spam messages that go around where the target inherits 40 million dollars from an oil company exec in the Congo or somewhere. Check your spam folder for examples. Replace the URLs with your phish site URL and click send.

3.  Send a simple music trivia question, which is common knowledge, and tell them to click on the target URL to answer. Make it appear to be from a local radio station and if they answer correctly, they win a prize (movie tickets, concert tickets, etc.)

As a bonus, simply do what many testing vendors do ~ open your gmail spam folder and pick and choose any of the spam templates collected there. Lots to pick from. 

The exercise should be fun, easy and likely effective. If you need any help, drop us a line or give us a call. Until next month, stay safe out there! 

Go Phish :: How To Self Test with MSI SimplePhish

Depending on who you listen to, phishing (especially spear phishing), is either on the increase or the decrease. While the pundits continue to spin marketing hype, MSI will tell you that phishing and spearphishing are involved in 99% of all of the incidents that we work. Make no mistake, it is the attack of choice for getting malware into networks and environments.

That said, about a year ago or more, MSI introduced a free tool called MSI SimplePhish, which acts as a simplified “catch” for phishing campaigns. The application, which is available for Windows and can run on workstations or even old machines, makes it quite easy to stand up a site to do your own free phishing tests to help users stay aware of this threat.

To conduct such a campaign, follow these steps:

PreCursor: Obtain permission from your security management to perform these activities and to do phishing testing. Make sure your management team supports this testing BEFORE you engage in it.

1.  Obtain the MSI SimplePhish application by clicking here.

2. Unzip the file on a the Windows system and review the README.TXT file for additional information.

3. Execute application and note the IP address of the machine you are using. The application will open a listening web server on port 8080/TCP. Remember to allow that port through any host-based firewalls or the like.

4. The application should now be ready to catch phishing attempts and log activity when the following URL structure is clicked on: http://<ip address of the windows system>:8080/ and when that URL is accessed, a generic login screen should be displayed.

5. Create an email message (or SMS, voice mail, etc.) that you intend to deliver to your victims. This message should attempt to get them to visit the site and enter their login information. An example:

Dear Bob,

This message is to inform you that an update to your W-2 tax form is required by human resources. Given the approaching tax deadline, entering this information will help us to determine if an error was made on your 2012 W-2. To access the application and complete the update process, please visit the online application by clicking here. (You would then link the clicking here text to your target URL obtained in step 4.)

6. Deliver the messages to your intended targets.

7. Watch and review the log file MSISimplePhishLog.txt (located in the same directory as the binary). Users who actually input a login and password will get written to the log as “caught”, including their IP address, the login name and **the first 3 characters** of the password they used.  Users who visit the page, but do not login, will be recorded as a “bite”, including their IP address.

** Note that only the first 3 characters of the password are logged. This is enough to prove useful in discussions with users and to prove their use, but not enough to be useful in further attacks. The purpose of this tool is to test, assess and educate users, not to commit fraud or gather real phishing data. For this reason, and for the risks it would present to the organization, full password capture is not available in the tool and is not logged. **

8. Let the exercise run for several days, in order to catch stragglers. Once complete, analyze the logs and report the information to the security stakeholders in your organization. Don’t forget to approach the users who use successfully phished and give them some tips and information about how they should have detected this type of attack and what they should do to better manage such threats in the future.

That’s it – lather, rinse and repeat as you like!

If you would like to do more advanced phishing testing and social engineering exercises, please get in touch with an MSI account executive who can help put together a proposal and a work plan for performing deep penetration testing and/or ongoing persistent penetration testing using this and other common attack methods. As always, thanks for reading and until next time, stay safe out there!

Threat Update: Wide Scale Phishing in Progress

GlobalDisplay Orig

Just a quick update about the ongoing threat from malware dropped by phishing attacks. There are a lot of phishing attacks currently in progress. Fishing has been a leading form of compromise for quite some time and indicators appear to point to an increasing amount of phishing attacks and a larger amounts of damage from successful exploitation.

Many organizations are reporting wide spread phishing using recycled, older malware including Zeus, Tepfer and other common remote access tools. In some cases, these malware are repackaged or otherwise modified to evade anti-virus detection. Attackers are showing medium to high levels of success with these attacks.

Once compromised, the normal bot installation and exfiltration of data occurs. For most organizations that don’t play a role in critical infrastructure, this likely means credentials, customer information and other commercially valuable data will be targeted. For critical infrastrcuture organizations, more specific  design, future state and architectural data is being targeted along with credentials, etc.

Organizations should be carefully and vigilantly reviewing their egress traffic. They should also be paying careful attention to user desktop space and the ingress/egress from the user workstation DMZ or enclaves (You DO have your user systems segregated from your core operations, correct???). Remember, you CAN NOT depend on AV or email filtering to rebuff these attacks at a meaningful level. Detection and response are key, in order to limit the length of time the attacker has access to your environment. Anything short of full eradication of their malware and tools is likely to end with them still maintaining some level of access and potentially, control.

Now is a good time to consider having a phishing penetration test performed, or to consider using MSISimplePhish to perform some phishing for yourself. Awareness alerts and training are also encouraged. This is going to be a long term threat, so we must begin to implement ongoing controls over the entire technology/ppolicy & process/awareness stack. 

If you have any questions on phishing attacks, malware or incident response, please let us know. Our teams are used to working with these attacks and their subsequent compromises. We also have wide experience with designing enclaved architectures and implementing nuance detection mechanisms that focus on your critical assets. Feel free to touch base with us for a free 30 minute call to discuss your options for increasing security postures.

Audio Blog Post: Spear Phishing

Brent Huston, CEO and Founder of MicroSolved, Inc., discusses with Chris Lay, Account Executive, the new trends with spear phishing. In this audio blog post, you’ll learn:

  • How traditional spear phishing has changed
  • The new approach attackers are now using
  • The LinkedIn password breach and how it could be used in phishing attacks
  • Some non-traditional spear phishing campaigns

Grab a drink and take a listen. As always, let us know what you think!

Click here to listen.

MicroSolved, Inc. Releases Free Tool To Expose Phishing

MSI’s new tool helps organizations run their own phishing tests from the inside.

We’re excited to release a new, free tool that provides a simple, safe and effective mechanism for security teams and administrators to run their own phishing tests inside their organization. They simply install the application on a server or workstation and create a url email/sms/etc. campaign to entice users to visit the site. They can encode the URLs, mask them, or shorten them to obfuscate the structures if they like. 

The application is a fully self contained web mechanism, so no additional applications are required. There is no need to install and configure IIS, Apache and a database to manage the logs. All of the tools needed are built into the simple executable, which is capable of being run on virtually any Microsoft Windows workstation or server.

If a user visits the tool’s site, their session will create a log entry as a “bite”, with their IP address in the log. Visitors who actually input a login and password will get written to the log as “caught”, including their IP address, the login name and the first 3 characters of the password they used.

Only the first 3 characters of the password are logged. This is enough to prove useful in discussions with users and to prove their use, but not enough to be useful in further attacks. The purpose of this tool is to test, assess and educate users, not to commit fraud or gather real phishing data. For this reason, and for the risks it would present to the organization, full password capture is not available in the tool and is not logged.

“Organizations can now easily, quickly and safely run their own ongoing phishing campaigns. Instead of worrying about the safety of gathering passwords or the budget impacts of hiring a vendor to do it for them, they can simply ‘click and phish’ their way to higher security awareness.”, said Brent Huston, CEO & Security Evangelist of MicroSolved. “After all, give someone a phish and they’re secure for a day, but teach someone to phish and they might be secure for a lifetime…”, Mr. Huston laughed.

The tool can be downloaded by visiting this link or by visiting MSI’s website.

ICQ Vulnerability Should Increase Your Vigilance

A newly discovered format string error in ICQ version 6 build 6043 once again highlights the need to be cautious about who you are conversing with. Interaction  with the embedded Internet Explorer component can allow specially crafted messages to execute arbitrary code on the affected system. Make sure that you only open messages from known and trusted contacts.  It is a good idea to clean unknown or untrusted contacts from your contact list and enable the “Accept messages only from contacts” option. The build named above is known to be vulnerable other versions may also be affected