Seven Cyberactions for States

From nuclear site hackings, ransomware and wiper attacks to other cyberstories from 2017, such as the ongoing attacks against the power grid, there are definitely some wider messages for all organizations regarding needed protective actions. What lessons can the public and private sectors learn from recent events to prepare for the future? Most experts believe that the worst is yet to come in cyberspace, so after providing a brief recap of the top stories, I want to focus on seven actions that state and local governments need to be addressing right now.

1) Back to Basics — The government reports on recent cyberattacks described hackers writing targeted email messages containing fake resumes for control engineering jobs and sending them to senior industrial control engineers. The fake resumes were Microsoft Word documents laced with malicious code to steal credentials and access. The hackers also planted malware on legitimate websites that they knew their victims frequented, a technique called a watering hole attack. In other cases, they deployed what are known as man-in-the-middle attacks, in which they redirected their victims’ Internet traffic through their own machines. For many, security needs to get back to the basics of “security blocking and tackling” and to account even for traditional cyberthreats, attacks that have been occurring for many years.

2) Do Your Homework — After understanding what threats are at play in high-profile online attacks like WannaCry and NotPetya, we should ask ourselves: What network alert tools do we have to tell us about ongoing attacks? What cybermetrics are we compiling? Do we have a dashboard? Also, do we have contacts with law enforcement and the Information Sharing & Analysis Centers (ISACs) in our industry?

3) Re-examine Whether Critical Infrastructure Is Protected — Many of the recent attacks are specifically going after critical infrastructure. Do we know what data is most critical? Are we working with private-sector partners in these areas? Many industrial control systems are vulnerable to targeted cyber attacks and cyber espionage campaigns, and because the systems were not designed with security in mind, they are largely unequipped to deal with these attacks. The first step we need to take is to review one of the available ICS cyber security frameworks, e.g. the ‘NIST Guide to Industrial Control Systems (ICS) Security’ or the ‘CPNI — Security for Industrial Control Systems Framework’, to better understand the challenges, requirements and responsibilities with regard to governance, risk, managing the ICS life cycle, education and skills, etc.

4) Cyber Assessments and Audits — One good place to start is with current audit findings and known security vulnerabilities, especially in areas such as patching known cybervulnerabilities in critical systems. Instead of fighting the auditors to win points, focus on the National Institute of Standards and Technology (NIST) Cybersecurity Framework to make your case. The framework includes five core functions: identify, protect, detect, respond and recover.

5) Partnerships — Partnerships, especially for gaining actionable threat intelligence, are a constant theme, but they have never been more important than now, with foreign nation-state attacks and the need for help rising globally. One of the new priorities in 2017 is addressing vulnerabilities in voting machines and registration databases. We should ask: Who are our partners in the public and private sector? Have we practiced responding to incidents together in cybertabletops? Who can we rely on in federal, state and local governments, including law enforcement? What vendors do we rely on?

6) Prepare for Ransomware or Not? — Addressing ransomware needs to be a priority, and the same cyberdefense tactics that are general best practices can help with ransomware. These actions include ensuring that backups are performed and tested and that other good cyberhygiene is applied enterprisewide. You should ask: What is your incident management plan? Are you ready for ongoing attacks, with clear levels of response? Also, examine your current plans for cyberpriorities and potential federal funding.

7) Cybertraining — Health IT News highlighted the importance of end-user training again this week. New attacks keep popping up that use legacy apps. One of these exploits PowerShell or .LNK files to run malicious code and serve up ransomware, including Locky. Then there’s the newfound threat inherent to PowerPoint, which may run malicious code merely when one hovers over a malicious URL with the mouse pointer. End users may not be thinking about background checks to detect insider threats during the hiring process, or even about checking whether resumes are infected with malware. However, updated training can help in these related areas. Keep in mind that phishing and other social media attacks are evolving, so improved end-user awareness training is a quick win, as in Missouri.

Amid all of these ongoing cyberheadaches, I never cease to be amazed by companies and governments that still say, “It won’t happen to us,” or “We’re all set, we have a cyberprogram.” Yes, there have been many calls to government action on cybersecurity over the past decade, but the first half of 2017 shows that those calls were definitely needed. Everyone needs to walk away saying that it is time to act now on cyber, whatever their role.

Information Assets: An Essential Ingredient of Threat Modelling

Threat models are a way of looking at risks in order to identify the most likely threats to your organisation’s security. The first step in the threat modelling process is concerned with gaining an understanding of the application and how it interacts with external entities. This involves creating use-cases to understand how the application is used, identifying entry points to see where a potential attacker could interact with the application, identifying assets, and more. In this post, we focus on identifying information assets.

Assets are essentially threat targets, i.e. they are the reason threats will exist. Assets can be both physical assets and abstract assets. For example, an asset of an application might be a list of clients and their personal information; this is a physical asset. An abstract asset might be the reputation of an organisation. Hereunder, we identify some key informational assets that your organisation or information system might have or process:

  • Credit card data: yours, or (if you sell stuff) a customer’s.
  • Banking data: account numbers, routing numbers, e-banking usernames and passwords.
  • Personally identifying information: Social Security number, date of birth, income data, W-2s, passport numbers, drivers’ license or national ID numbers.
  • Intellectual property: like source code or software documentation.
  • Sensitive personal or business information and communications: e-mails and texts that could be used to embarrass, blackmail, or imprison you.
  • Politically sensitive information or activities that could get you in trouble with your employer, the government, law enforcement, or other interested parties.
  • Travel plans that could be used to target you or others for fraud or other forms of attack.
  • Other business or personal data that are financially or emotionally essential (family digital photos, for example).
  • Your identity itself, if you are trying to stay anonymous online for your protection.

When it comes to protecting these assets, pieces of information that could be used to expose them are just as essential. Personal biographical and background data might be used for social engineering against you, your friends, or a service provider. Keys, passwords, and PIN codes should be considered as valuable as the things they provide access to.

Other operational information about your activities that could be exploited should also be considered, including the name of your bank or other financial services provider. For instance, a spear-phishing attack on the Pentagon used a fake e-mail from USAA, a bank and insurance company that serves many members of the military and their families.

Firewall as a Service

For more than 20 years, companies either managed their edge firewall appliances themselves or had service providers rack and stack appliances in their data centers and manage them for them. This was called a managed firewall — an appliance wrapped with a managed service, often from a carrier or managed security service provider. The provider assumed the management of the firewall box, its software, and even its policy. But customers still ended up paying for the inefficiency of dealing with appliances (i.e. the “grunt work”).

A new architecture was thus needed – a transformation that shifted the focus from an appliance form factor towards a true cloud service. This is the Firewall as a Service (FWaaS). The promise of FWaaS is to provide simpler and more flexible architecture by leveraging centralized policy management, multiple enterprise firewall features and traffic tunneling to partially or fully move security inspections to a cloud infrastructure. Some of its elements are discussed in more detail below:

Single, global firewall instance. With FWaaS every organizational resource (data center, branch, cloud infrastructure or a mobile user) plugs into the FWaaS global service and leverages all of its security capabilities (application control, URL filtering, IPS, etc).

Seamlessly scales to address inspection workload. FWaaS provides the necessary compute resources to perform all security processing on all traffic. It can scale to accommodate increasing needs (e.g. growing SSL traffic volume) without disrupting the customer’s business operations.

Enforcing a unified policy. In heterogeneous firewall environments, security policy is hard to configure and enforce, increasing exposure to hackers and web-borne threats. Contrast that with a single cloud-based firewall that uniformly applies the security policy to all traffic, for all locations and users.

Self-maintained. Because the cloud-based firewall software is maintained by the FWaaS provider, the firewall is kept up to date: vulnerabilities and bugs are fixed quickly, and new features and capabilities that customers can immediately access are rolled out rapidly.

FWaaS is a viable alternative for IT teams that waste time and money to sustain their distributed edge firewall environments — the so-called appliance sprawl. With FWaaS, they can now reduce the operational and capital expense of upgrading and refreshing appliances as well as the attack surface resulting from delayed patches and unmitigated vulnerabilities. By simplifying the network security architecture, FWaaS makes IT more productive and the business secure.

How To Be Secure When Working Remotely

Today, more and more companies have opened their doors and stepped outside the four corners of their office. Times have indeed changed, and remote work is slowly taking over. Employees who work from home no longer need to spend on transportation or endure the stress that comes with commuting. As for employers, having some of the staff work remotely means they no longer need to pay serious amounts of money for a huge office space or for its electricity consumption.

Despite the numerous benefits of going remote, there are serious risks that still come with this trend, risks that, if left unaddressed early, could mean serious losses for companies. These risks involve the loss of valuable, confidential data and sensitive information that is not for public consumption. Here, security awareness training is key to equipping your employees with the right knowledge, tools, and mindset to keep them from falling prey to cyber attacks outside the office. Some of the tools that help achieve the goal of protecting valuable data and information are discussed next:

Virtual Private Networks. Similar to what a firewall does, VPNs protect your laptop’s data online, with the front end retaining the same security, functionality, and appearance despite running over a Wide Area Network. VPNs combine encryption protocols and dedicated connections to create virtual point-to-point connections, which keep hackers from reading transmitted data even if they manage to intercept it. A number of VPN security protocols have been developed through the years, each offering different features:

  • Point-to-Point Tunneling Protocol (PPTP). PPTP is a VPN protocol known for its flexibility, in that it can be installed on many different operating systems. It is, however, incapable of performing encryption; rather, it encapsulates the data packet.
  • Transport Layer Security (TLS). This type of VPN is commonly used by service providers and online retailers. It features a “handshake method” which generates the cryptographic parameters that serve as a means for the two systems to create a secure connection, as well as authenticating the session and exchanging encryption keys.
  • Secure Shell (SSH). This type of VPN creates the VPN tunnel as well as the encryption that protects it. This enables remote workers to safely transfer information by routing traffic from remote file servers through, of course, an encrypted channel.
  • Layer 2 Tunneling Protocol (L2TP)/IPsec. Like PPTP, L2TP is itself incapable of encryption. It compensates by creating the tunnel while IPsec takes care of the encryption (as well as data integrity checks).
  • IP Security (IPsec). The partner of L2TP, IPsec can equally stand on its own, as it operates in two modes: tunnel mode, in which it encrypts the data packet in its entirety, and transport mode, in which it encrypts only the packet’s payload.

Firewalls. Firewall software filters the information coming through the Internet connection into your company’s computer system, or into your private network in the case of homes. Basically, it serves as a “checkpoint” that blocks packets flagged by its filters.

Connectivity Guidelines. Business owners should come up with security standards and policies that all remote workers must follow to the letter, without any compromise. These guidelines may include rules that prohibit remote workers from using unsecured connections, unrecognised Bluetooth connections, and the like.

Going Cloud. Another excellent option that is becoming more popular among companies looking to improve their remote security is web-based cloud solutions. Cloud-based solutions and apps tend to be compliant with industry regulations, and data within the cloud is generally encrypted. Business owners and managers can also regulate their employees’ access rights.

Docker Security Concerns

Docker is a popular platform for OS-level virtualization instances known as containers. Flexible containerization is completely changing the way we build and maintain applications at scale.

Amid this positivity and growth momentum, we must also keep information security in mind. Let’s take a look at four potential threats and strategies to help secure your container deployments:

1. Vulnerable images: Anyone can publish a new repository on Docker Hub, so check that you’re familiar with the project maintainer before deploying. Running untested builds from spurious sources may lead to the unintentional introduction of vulnerable components, or even to malicious code execution. It is best to check the official Docker Store and its “Certified” program, which offer a variety of assured and deployment-ready packages. Paid plans on the Hub feature a “Security Scanning” tool that can check images for known vulnerabilities.

2. IAM breaches: Cloud providers, such as Amazon Web Services, aim to provide hardened Identity and Access Management (IAM) role structures by default. These can be used in tandem with your Elastic Compute Cloud (EC2) instances, for example, to ensure your users have been issued the appropriate access rights as per the principle of least privilege. When deploying containers, ensure that your registry is sufficiently protected, possibly with two-factor authentication.

3. Excess resource usage: By default, a Docker container has no resource constraints. As a result, actively deploying containers without resource limits could lead to severely degraded host performance. Make sure to set limits on memory, bandwidth and disk usage to mitigate performance issues. Such issues could also be caused by malicious code (such as denial-of-service code execution).

4. Container breakouts: An adversary that gains access to one of your containers should not be able to move laterally to other containers or the Docker host. However, Docker is evolving quickly and privilege escalation exploits may arise, so take care to build infrastructure with a layered defense-in-depth approach in mind.
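
As an added example (not from the original post), a small audit script that checks `docker inspect` output for the missing resource limits of item 3 and the privilege settings that matter most for item 4. The two container records are constructed to mimic the HostConfig and Config sections of real `docker inspect` JSON; the flag names in the findings are the `docker run` options that set each field.

```python
import json

# Constructed sample: two containers as `docker inspect` would describe them
# (only the fields the audit looks at are reproduced).
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web-unlimited",
        "HostConfig": {
            "Memory": 0,             # 0 means no memory limit
            "NanoCpus": 0,           # 0 means no CPU limit
            "PidsLimit": None,       # no fork-bomb protection
            "Privileged": True,      # full access to host devices
            "CapAdd": ["SYS_ADMIN"],
            "ReadonlyRootfs": False,
        },
        "Config": {"User": ""},      # empty string = runs as root
    },
    {
        "Name": "/web-hardened",
        "HostConfig": {
            "Memory": 512 * 1024 * 1024,
            "NanoCpus": 1_000_000_000,   # 1.0 CPU
            "PidsLimit": 200,
            "Privileged": False,
            "CapAdd": None,
            "ReadonlyRootfs": True,
        },
        "Config": {"User": "10001:10001"},
    },
])


def audit_container(container: dict) -> list:
    """Return a list of findings for one inspect record; empty means clean."""
    host = container.get("HostConfig", {})
    findings = []
    # Item 3: resource limits.  Docker's defaults are all "unlimited".
    if not host.get("Memory"):
        findings.append("no memory limit (--memory)")
    if not host.get("NanoCpus"):
        findings.append("no CPU limit (--cpus)")
    if not host.get("PidsLimit"):
        findings.append("no PID limit (--pids-limit)")
    # Item 4: settings that widen the path from a container to the host.
    if host.get("Privileged"):
        findings.append("runs --privileged")
    if host.get("CapAdd"):
        findings.append("adds capabilities: " + ",".join(host["CapAdd"]))
    if not host.get("ReadonlyRootfs"):
        findings.append("writable root filesystem (--read-only not set)")
    if not container.get("Config", {}).get("User"):
        findings.append("runs as root (no --user)")
    return findings


def audit_inspect_output(raw_json: str) -> dict:
    """Map container name -> findings for a whole `docker inspect` document."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(raw_json)}


if __name__ == "__main__":
    for name, findings in audit_inspect_output(SAMPLE_INSPECT).items():
        print(f"{name}: {'OK' if not findings else f'{len(findings)} finding(s)'}")
        for f in findings:
            print("  -", f)
```

On a real host, pipe `docker inspect $(docker ps -q)` into `audit_inspect_output` to get the same report for every running container.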

Has Your Information Security Strategy Gone Obsolete?

The DDoS attacks of 2016 and the WannaCry ransomware that recently affected thousands of computer systems have compelled businesses to look into their security mechanisms and identify pitfalls that might make them prone to cyber threats. Verizon had already highlighted the intensity of the upcoming challenges in its annual 2016 Data Breach Investigations Report: “No locale, no industry or organization is bulletproof when it comes to the compromise of data.”

Although cyber security agencies, IT security teams, and security engineers are striving to overcome the menace of threats with all their might, the increasing number of incidents clearly indicates that cyber criminals have taken the lead, and by a great margin. Statistics reveal no good signs for the future, estimating that by 2021 the cost of the damage caused by cyber attacks will exceed $6 trillion. Here are five signs that may indicate your IT security strategy needs a revamp:

1. System Performance Has Changed: Computer systems connected to your overall organizational network are experiencing extreme fluctuations in speed and performance. This could be a sign that your systems are running a lot of programs, perhaps malicious payloads, in the background.

2. Malicious Login Activities: Unauthorized login is still the primary method of breaking into an organization’s systems. Network administrators need to keep a check on logins and their associated IPs to identify any malicious activity in real time. Similarly, one needs to keep an eye on any malicious insider activity.

3. Data Mines Have Been Compromised: If the backups you made recently have become unresponsive, some files went missing, or the arrangement of your data logs looks different, it is an indication that your IT security strategy needs a revamp.

4. Abrupt Increase in Spam: Unrecognized requests, spammy emails, pop-ups, and messages saying “Program Unresponsiveness, Click Ok to make it faster” or “New Version found: Click Ok to update” could all be signs that your system has been infected by malicious software.

5. Routine Shutdowns and Downtime: When a system is infected with a Trojan or virus, downtime and automatic shutdowns become routine. Merely notifying your IT department won’t resolve the issue. You need to address it through more stringent security measures.
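
The login check from sign 2, as an added example that is not part of the original article: it reads sshd-style authentication lines, flags addresses that exceed a failure threshold, successes that follow failures from the same address, and successes from an address the user has never logged in from before. The log lines are constructed and use documentation address ranges.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Jun 12 08:01:02 host sshd[1201]: Accepted publickey for alice from 203.0.113.10 port 50022 ssh2
Jun 12 08:02:10 host sshd[1202]: Failed password for root from 198.51.100.7 port 40100 ssh2
Jun 12 08:02:11 host sshd[1203]: Failed password for root from 198.51.100.7 port 40102 ssh2
Jun 12 08:02:12 host sshd[1204]: Failed password for invalid user admin from 198.51.100.7 port 40104 ssh2
Jun 12 08:02:13 host sshd[1205]: Failed password for bob from 198.51.100.7 port 40106 ssh2
Jun 12 08:02:14 host sshd[1206]: Failed password for bob from 198.51.100.7 port 40108 ssh2
Jun 12 08:02:20 host sshd[1207]: Accepted password for bob from 198.51.100.7 port 40110 ssh2
Jun 12 09:15:00 host sshd[1300]: Accepted publickey for alice from 203.0.113.10 port 50030 ssh2
"""

# Matches both "Accepted <method> for <user> from <ip>" and
# "Failed <method> for [invalid user ]<user> from <ip>".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_events(text: str) -> list:
    """Return (result, user, ip) tuples for every sshd auth line, in log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["result"], m["user"], m["ip"]))
    return events


def detect_suspicious_logins(text: str, fail_threshold: int = 5) -> dict:
    """Walk the log once, keeping per-IP failure counts and per-user known IPs."""
    failures = defaultdict(int)    # ip -> failed attempts seen so far
    known_ips = defaultdict(set)   # user -> ips with an earlier successful login
    alerts = {"brute_force": set(), "success_after_failures": [], "new_ip": []}
    for result, user, ip in parse_events(text):
        if result == "Failed":
            failures[ip] += 1
            if failures[ip] >= fail_threshold:
                alerts["brute_force"].add(ip)
            continue
        # A success from an address that was just guessing is the key signal.
        if failures[ip]:
            alerts["success_after_failures"].append((user, ip, failures[ip]))
        # Only flag a new address once the user has an established baseline.
        if known_ips[user] and ip not in known_ips[user]:
            alerts["new_ip"].append((user, ip))
        known_ips[user].add(ip)
    return alerts


if __name__ == "__main__":
    for kind, hits in detect_suspicious_logins(SAMPLE_LOG).items():
        print(f"{kind}: {sorted(hits) if isinstance(hits, set) else hits}")
```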

With the number and sophistication of attacks on the rise, companies need to invest in sound security strategies in order to protect their valuable data. By revamping your security strategy, you’ll be in a better position to provide sufficient protection, allowing your business to continue to thrive without fear of becoming a victim.

More information: http://www.verizonenterprise.com/resources/reports/rp_DBIR_2017_Report_en_xg.pdf

The Encryption Debate

A seminal 2015 paper argues that if you leave a key under the doormat, a burglar eventually finds it. When law enforcement argues that it needs a “backdoor” into encryption services, we need to ask: should we entrust a key to someone who gets robbed, perhaps frequently?

In March, WikiLeaks released nearly 9,000 documents exposing the CIA’s hacking arsenal. More so-called Vault 7 secrets trickled out as recently as this week. And then there’s the mysterious group or individual known as the Shadow Brokers, which began sharing purported NSA secrets last fall. April 14 marked its biggest drop yet, a suite of hacking tools that target Windows PCs and servers to devastating effect.

The fallout from the Shadow Brokers has proven more concrete than that of Vault 7; one of its leaked exploits, EternalBlue, facilitated last month’s WannaCry ransomware meltdown. A few weeks later, EternalBlue and two other pilfered NSA tools helped advance the spread of Petya, a ransomware outbreak that looks more and more like an act of cyberwar against Ukraine.

“If a hacker were to compromise a significant encryption platform, we could see something much worse than the WannaCry ransomware attack,” says Mitnick. WannaCry froze up hundreds of thousands of computers; WhatsApp, which uses Open Whisper Systems’ Signal Protocol, has well over a billion users with default, end-to-end encrypted chat. The implications come into even sharper relief when you consider countries where access to encrypted chat provides the best defense against oppressive regimes.

More information: https://www.wired.com/story/encryption-backdoors-shadow-brokers-vault-7-wannacry/