Tuesday, December 13, 2016

He Say She Say ...The Quest for Credible Information

There’s a running joke among students working on assignments: “if you do a Google search and you need to click on the 2nd page, you are in trouble”. Digital Synopsis pushes the same idea further with their joke: “The best place to hide a dead body is page 2 of Google search results …or page 1 of Bing”. While these statements are merely jokes, they do have some truth to them, and I for one rarely click on page 2 when looking up information on the Internet. Maybe my searches are just specific and I get what I need on page 1, or Google has enough analytics on my preferences that the results returned fit my profile to a T …I will go with the latter. What many people don’t know is that the results returned don’t necessarily hold the truth we seek; Google is simply ‘serving’ them to us in the order of paid placement (in the case of ads) or of what people are ‘chatting about’, aka what is popular or being clicked on the most.

Image courtesy of Designzzz, “The Famous Quote”: http://www.designzzz.com/albert-einstein-quotes/

We’ve all run into the famous quotes attributed to well-known, established individuals, the likes of Einstein and Lincoln. Most of these quotes were never said by the people whose names are attached to them; a little Photoshop magic and voila! …we have a winning quote. Not all that is published on the Internet, however, is fabricated. Before the Internet morphed into the ‘beast’ it is today, people would, for example, go to libraries and use published books for their research, or they would reach out to subject matter experts like professors for guidance. All this information is now available in the digital space, and while it shares that space with a lot of ‘junk’ information, credible information can still be found and used for our day-to-day research and knowledge adventures.

For this blog post, we will focus on how to identify credible sources of information for threats, vulnerabilities, updates, and security news in general. 

My ‘primary’ go-to resources, however, are as follows:

National Institute of Standards and Technology (NIST): NIST is an agency of the U.S. Department of Commerce. It publishes security standards and guidelines, plus other security-related information that can support decisions by individuals all the way up to industry and government. If you are looking for a ‘how-to guide on securing your home wireless network’, NIST will have it. If a business is thinking about ‘how to protect their confidential data’, NIST has that too.

National Vulnerability Database (NVD) and Common Vulnerabilities and Exposures (CVE): If I want to know what vulnerabilities exist on my system, my two go-to resources are NVD (sponsored by DHS/NCCIC/US-CERT) and MITRE’s CVE. Both sites provide valuable information on known vulnerabilities with recommendations on how to mitigate them.

SANS Internet Storm Center and United States Computer Emergency Readiness Team (US-CERT): both provide up-to-date news and advisories for most computer security topics. If you want to know about the latest patch, security news, bulletin, or security update, both of these resources are credible.

Other than the resources mentioned above, I also use information technology and security websites that publish peer-reviewed articles. Packet Storm Security, for example, provides information on exploits, advisories, tools and whitepapers on various cyber-related topics. CSO Online, Dark Reading, How-To Geek and many more provide useful information, tips and tricks, and general cyber-related news. Bloggers like Lenny Zeltser or Krebs on Security are also credible, and their posts can be used as resources given their expertise in the cyber realm.

In conclusion

There are plenty of credible sources of information out there, and this blog would not be enough to list them all. When looking up information, we should not trust everything presented to us without verifying the source and backing that information up with other sources. Timelines and who wrote the article also matter; some authors hold more weight than others by virtue of being subject matter experts in their professional fields. Outdated articles may lose credibility due to changes over time; an issue that was critical 10 years ago may not be viewed the same today. When you have a conflict of information, evaluate the sources and use the aforementioned logic; at the end of the day we can always learn from our mistakes …even misinformation.

As a footnote, while I agree that Wikipedia should always be taken with a grain of salt, I think it does provide some basic information that can be useful for quickly determining definitions and finding well-known information. For example, if you want to know what service runs on a given port based on a firewall report you just received, Wikipedia could come in handy. However, an alternative and more credible source for that scenario would be IANA (Internet Assigned Numbers Authority). If there was a conflict in information between those two resources, IANA would take precedence over Wikipedia, given that IANA is the authority when it comes to protocol and address assignments and Internet architecture.

Wednesday, November 30, 2016

Current Trends in Cyber-security (week 1: Intro)

This blog came about from a class I took (CIS 608 – Information Security Management) at Bellevue, which required students to maintain a blog throughout the 12-week course. For the purposes of the class, students were required to write at least one blog post each week, and the topic could be anything the student fancied, so long as it had some relevance to the information security realm. While the blog was to be maintained during the course, the professors recommended that students keep posting beyond the 12 weeks, as the goal behind the blog was more than simply getting a passing grade for the class. If you do a Google search for blogs (inurl:blog) you get 551 million results, and if you narrow your search to information security blogs (inurl:blog inurl:information security), the results decrease to about 44k; this shows the prevalence of blogs on the net. Unfortunately, I did not drink the Kool-Aid as prescribed by the professors and have not posted much since my last class. Just like many of my classmates (I believe), sometimes life takes hold of many things and the work-school-life balance evades us.

Blogs are a way for people to express their views and share their thoughts with the world and, in most cases, indulge in debates through comments. I for one have found blogs to be a tremendous source of information, especially when writing papers for class and researching work-related tasks and projects.
Figure 1: courtesy of reddit.com (stack overflow)

Figure 1 (courtesy of reddit.com) shows how much the information posted on the Internet helps students, and the workforce too. Many a time I have been stuck working on an assignment or a project and, through simple online searches, found the information I needed. The purpose of this blog is mainly to share thoughts I may have on a topic and, in essence, help out anyone who may be scratching their head over the same issue; no need to re-invent the wheel, we are all in this together.

Just recently I was faced with the ‘tough’ decision of renewing my anti-virus subscription. As trivial as that sounds, and without getting into too much debate on which one is better (it’s a preference thing in my opinion), I found multiple blogs providing some insightful views. It is my goal and hope that the topics I post on this blog will provide some guidance to someone out there, especially when it comes to information security. The material will (and should) be backed up by references from industry experts whose opinions provide that extra nudge when conveying a thought.

So, who am I anyway?

I consider myself your regular chip-off-the-old-block lad who is just passionate about information security and always on the lookout for the next ‘fancy’ attack vector. I actually never started out wanting to venture into the information security domain (maybe because I didn’t know about it). I was more inclined toward networking and IT in general, but after being introduced to security, I was sold. Yes, it sounded like it would be straight out of the WarGames script and my blood started racing thinking about it, only to be met with logs …they never told me I would be looking at log lines. Sigh!

My first information security job was with an MSSP, and as an analyst I would review logs and events and report anomalies to clients. While the job sounds boring and mundane, I did learn a lot from doing it. I believe every security professional needs to have some log analysis know-how; we all need to put in log analysis time before we move on to the ‘sexier’ red team vs. blue team exercises as depicted in Mr. Robot (if you haven’t watched it... please do).

I consider myself to still be a rookie in this industry and appreciate the vast opportunities and career paths that it affords us. In addition to a bachelor’s degree, I have two certifications, both from CompTIA (Sec+ and CASP). I am all for certifications, but also against them when they are simply done to advance career-wise without the recipient fully grasping the concepts; everyone wants knowledgeable colleagues after all. I am currently pursuing my Master’s in Cyber-security, and after that I will tackle another certification or two based on the role(s) I will have at work by then.

I truly hope my blog will make an impact in your security life and at the very least help you get an idea on how to tackle that assignment that is due in an hour.



Sunday, February 28, 2016

Encryption (week 11)

Image courtesy of plus.maths.org
Ever since written communication was developed, humans have tried to hide, conceal, or scramble sensitive information from prying eyes. Julius Caesar had a scheme where characters were shifted a certain number of positions to scramble the message; this was dubbed the Caesar cipher. For it to work, the recipients had to know the count for the shift. This method is of course very easy to break with current technology. During World War 2, the Germans had the famous (or infamous, depending on which side you were on) encryption device named Enigma. The machine was used by the Germans to encrypt their messages, and it worked by providing substitute characters for the letters entered by the operator. The only way such a message could be decrypted was through possession of an Enigma machine. When speaking about the Enigma, the name Alan Turing also has to be mentioned, as he pioneered the cracking of the Enigma; this changed the course of the war and perhaps the future of the world.

On February 20th of this year, Linux Mint was breached and hackers were able to point users to a compromised ISO (disk image) that was a modified version of Linux Mint 17.3 Cinnamon. This version allegedly contains a backdoor, according to Linux Mint project leader Clement Lefebvre’s post on the Linux Mint Blog. This is a classic case for awareness and for using the available tools to ensure that you are downloading safe versions of software. By verifying hashes, we can tell whether a software release has been tampered with.

From real-world affairs to the digital landscape, encryption touches two of the three aspects of the CIA (Confidentiality, Integrity and Availability) triad: confidentiality and integrity. Confidentiality is the process of ensuring that information is only exposed to individuals who are authorized to view it. Different methods can be employed to ensure this comes to fruition: policies such as training and awareness of users, classifying the information based on the level of risk to the business were it to be exposed, and technical controls like encrypting the information. Integrity, on the other hand, is the process of ensuring that data is not tampered with; it involves maintaining the consistency, accuracy, and trustworthiness of the data over its entire life cycle.

For both confidentiality and integrity, the data may be at rest (stored on hard drives, tapes, in databases, etc.), in transit (traversing the network, for example emails being sent or files being transferred), or in use (in memory and being processed). All three data states need to be secured, and encryption is a method that can be used to implement this security control.

Other elements of security that encryption provides are authentication, where the origin and originator of a message can be verified, and non-repudiation, where the sender of a message cannot deny sending it. Encryption achieves these controls through digital signatures. Before technology, official seals were one way of authenticating letters sent from, for example, a business or government agency. In the Internet world, digital signatures perform this task. One key area where digital signatures are common is software signing. When you download software over the Internet, how do you verify that it is legitimate software from the true publisher, for example Microsoft? Digital signatures. The software publishers provide the public with a hash, a fixed-length digest of the entire contents of the software posted on their site. If any modification is made to the software, the hash value changes, and end users can know that there has been tampering and therefore that the integrity of the software has been compromised.
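As an added illustration of the hash check described above (example code written for this post, not a tool from Linux Mint or any publisher), the script below streams a download through SHA-256, reads the expected digest from a `sha256sum`-style list, and compares the two in constant time; the sample image bytes and digest it uses are constructed inline.

```python
"""Verify a downloaded image against a publisher's SHA-256 checksum list.

Added example for this post (not Linux Mint's or any publisher's tooling).
Assumes the publisher ships a text file in the common `sha256sum` layout:
one "<hex digest>  <filename>" line per file.  The image bytes and digest
used in demo() are constructed here, not real release values.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # hash large ISOs 1 MiB at a time instead of loading them whole
HEX_DIGITS = set("0123456789abcdefABCDEF")


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory blob, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """SHA-256 of a file on disk, streamed so a multi-GB image fits in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_sha256sums(text: str) -> dict:
    """Map filename -> expected digest from sha256sum-style lines.

    Accepts "digest  name" (text mode) and "digest *name" (binary mode);
    blank lines and '#' comments are skipped, malformed lines are rejected
    instead of being silently ignored.
    """
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<digest>  <filename>'")
        digest, name = parts
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"line {lineno}: {digest!r} is not a SHA-256 hex digest")
        expected[name.lstrip("*")] = digest.lower()
    return expected


def digests_match(actual_hex: str, expected_hex: str) -> bool:
    """Constant-time comparison, case-insensitive on the hex digits."""
    return hmac.compare_digest(actual_hex.lower(), expected_hex.lower())


def verify_file(path: str, sums_text: str) -> bool:
    """True only if the file's digest equals the list entry for its basename."""
    expected = parse_sha256sums(sums_text)
    name = os.path.basename(path)
    if name not in expected:
        raise KeyError(f"{name} is not listed in the checksum file")
    return digests_match(sha256_file(path), expected[name])


def demo() -> tuple:
    """Write a constructed 'ISO', verify it, then flip one byte and re-verify.

    Returns (clean_ok, tampered_ok); a correct run gives (True, False).
    """
    payload = b"constructed sample image bytes\n" * 1000
    sums = f"{sha256_hex(payload)}  sample.iso\n"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.iso")
        with open(path, "wb") as f:
            f.write(payload)
        clean_ok = verify_file(path, sums)
        tampered = bytearray(payload)
        tampered[0] ^= 0x01  # a single-bit change yields a completely different digest
        with open(path, "wb") as f:
            f.write(bytes(tampered))
        tampered_ok = verify_file(path, sums)
    return clean_ok, tampered_ok


if __name__ == "__main__":
    print("clean verified, tampered verified:", demo())
```

A digest published on the same page as the download can be swapped along with it, so the expected value should come from a signed checksum file or a separately hosted source; that is where the digital signatures discussed above come in.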

Although enforcing encryption controls may be cumbersome for the business or even our home systems, it adds an extra layer of protection for our data. Encryption helps protect data against physical threats as well; if we lose our devices, it is hard for an adversary to read our sensitive information if the files or hard disks are encrypted.

References:
https://plus.maths.org/issue34/features/ellis/enigma_in_use.jpg



Sunday, February 21, 2016

Privacy Over Security (week 10)

Image courtesy of www.pewinternet.org
After the attacks of September 11, 2001, the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (aka the USA PATRIOT Act) was passed by the legislative branch of the government. What this act did was provide a significant increase in the surveillance and investigative capabilities of law enforcement agencies within the United States, with the intention of ensuring that there could never be a repeat of 9/11 on American soil. The act had the right intentions, and at the time it was passed the whole nation was speaking in unison; “we must get them” and “never forget” were some of the themes.

According to the epic.org article titled “USA Patriot Act”, under Surveillance and Privacy, there are three major laws that do not provide many of the protections that were associated with the federal wiretap statute (in place before the Patriot Act):

Title III, which requires probable cause and approval from a judge before conducting real-time interceptions.

Electronic Communications Privacy Act (ECPA): this act governs how law enforcement can access stored email and other electronic communications. The act states that the use of intercepting tools requires a court order but no probable cause, and the court must authorize the surveillance upon government request. That statement shows just how vague the controls, or checks and balances, are when it comes to electronic surveillance. The court order is just a formality.

Foreign Intelligence Surveillance Act (FISA): this act authorizes the government to carry out electronic surveillance after obtaining a court order authorizing it, and the only probable cause they need to show is that the person of interest is acting as a foreign agent; this applies even to American citizens.

There are many other provisions within the Patriot Act that give law enforcement even more authority to intercept, collect and even store private information obtained through the use of advanced surveillance tools in the name of national security. The extent of these surveillance programs within the United States was made public by Edward Snowden, who leaked information about how the National Security Agency collected electronic information. Snowden received both support and criticism. His revelations did, however, lead to more debate on how much privacy we are willing to give up in order to stay secure. The civil liberties and privacy protections that have been part of America, and that the Constitution dictates, are slowly eroding. If you are a proponent of security, your opinion is that security will always trump privacy, and that we should be willing to, and expect to, lose some of these liberties if we expect to be safe.

The biggest privacy issue this week is of course Apple vs. the FBI. The FBI is trying to get Apple to create a backdoor that will enable them to crack the deceased gunman Syed Rizwan Farook’s iPhone, as they try to access it for information that may help with their investigation. Farook was involved in a terrorist attack that killed 14 people in California late last year. As a security feature, Apple iPhones are built to wipe all data after the password is entered incorrectly too many times, which makes them popular with companies, as they can protect their intellectual property in cases where employees lose their phones. The FBI’s brute-forcing attempts must have hit a roadblock, and now they are asking Apple to intervene (through a court order). Apple’s argument for non-compliance is that they are not comfortable sharing how to bypass the security feature with law enforcement, as they do not know what its reach will be after it gains the know-how.

“The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers — including tens of millions of American citizens — from sophisticated hackers and cybercriminals… The government suggests this tool could only be used once, on one phone. But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices.”
– Andrea Noble, The Washington Times, quoting Apple CEO Mr. Cook

The courts have already ordered Apple to comply, but they are still resisting and have appealed to a higher court. I would not be surprised if Apple took this all the way to the highest court in the land; they certainly have the means. Protests are already planned, with anti-surveillance groups intending to let the FBI know how they feel about its request. This is a contentious issue, given that the phone that needs to be backdoored belongs to a confirmed terrorist and not a suspect. In my opinion, Apple will be forced to give in. They may have a condition in place, like not being required to share how they did it, but you never know, the FBI might get that too. I am curious whether Apple’s decision is truly based on its support of privacy or is just a marketing ploy to rally the masses to their products as they come out of this fight as ‘champions of their customers’.

Whatever side of this topic you may be on, the fact is that times are changing, and we will always have this issue hovering over us as long as electronic communication is around. You try to install an app and you are presented with terms of agreement. For the application to function, you need to allow it to access different things on your device. When browsing the web, you have cookies that track your every move, and if you were to turn these features off, you would probably not be able to experience the web the way we do today. It seems like everything we do on the web requires some loss of privacy.

The debate still rages on; are we willing to sacrifice one over the other? ... because we cannot get both at the same time.


Sunday, February 14, 2016

Wireless Communication (Week 9 Blog)

This week in my Ethical Hacking and Response class we will be presenting a group project, and the topic of discussion is wireless hacking. I thought it would be a good topic for my blog post this week. First off, I would like to throw in a breach that happened back in 2006.

“TJX Companies: 2006. 94 million credit cards exposed. Hackers took advantage of a weak data encryption system and stole credit card data during a wireless transfer between two Marshall's stores in Miami, Fla.
After the TJX breach came to light, one of the questions posed by security experts was: Why are businesses still using WEP?” (Schwartz, 2011 – Dark Reading)

Let’s briefly touch on a few areas where wireless technology is used:
Voice Communications - cellphones
Remote Control and Monitoring – TV remotes, garage openers, wireless dog fence (cruel), infrared sensors, surveillance videos, heart rate monitors
Remote Measurement and Wireless Sensing – Utility companies can now remotely read your meter
Item Tracking – think Radio Frequency Identification (RFID) tags
Entertainment – wireless speakers, headphones, microphones, home theatres
Navigation and Location – Global Positioning Systems (GPS)
Quality control and Risk Management
Networking – PAN, LAN, WAN, Cellular Networks
Energy Management and Wireless Power Transfer – charging docks

Wireless technology has come a long way; it is freeing existing good ideas from the constraint of wires and, at the same time, enabling the emergence of new ideas and applications that weren't possible before. The list above shows that wireless has played a major role in advancing technologies that are now part and parcel of our day-to-day lives, but just like with every good thing, there always seem to be some cons.

“The wireless security market has matured significantly in the past several years, but still many organizations remain vulnerable to attacks, either through legacy protocols with well-published deficiencies, or through new threats that are not adequately addressed”
– Joshua Wright, SANS

The biggest flaw in wireless networks is the hardware that is used: the routers, modems, etc. A common attack vector for wireless communication is wireless driver attacks. In this type of attack, rather than going after the wireless networks themselves, an attacker chooses the path of least resistance by going after the hardware. Exploitable vulnerabilities in wireless drivers have been discovered for all major wireless card manufacturers. When I looked up the word “wireless” in the NVD (National Vulnerability Database), it returned 359 matching records.

So how do we secure wireless communication?

The answer is the combination of a strong encryption method and a strong key/password.

Image courtesy of howtogeek.com

The key encryption methods are as follows:

WEP (Wired Equivalent Privacy) – in this system, the same shared key is used for both authentication and encryption. With the shared key, an attacker can decrypt frames or pose as a legitimate user. WEP can be easily broken and is no longer recommended.

WPA + TKIP: Wi-Fi Protected Access + Temporal Key Integrity Protocol.
WPA with TKIP was meant to replace WEP but is now considered insecure. TKIP uses the RC4 stream cipher as its basis; it encrypts each data packet with a unique encryption key, and the keys are much stronger than those of WEP.

WPA + TKIP/AES: Wi-Fi Protected Access + Temporal Key Integrity Protocol / Advanced Encryption Standard.
AES is a symmetric-key algorithm (the same key is used for encryption and decryption). AES is considered secure and is used by many government agencies. In this mode, TKIP enables compatibility with legacy devices that don’t support AES, but this also opens up the network to attacks, since the low-hanging fruit always gets hit first.

WPA + AES – this one removes the TKIP portion, so it is safer than the previous mode.

WPA2 + AES – this is the most secure and should be used in wireless communication setups. It utilizes keys that are 64 hexadecimal digits long. Note that this method can be cracked too, but it would take too long for any attacker, so the incentive to commit resources to this ‘mission’ may not be there for most wireless networks. There are other, less time-consuming avenues for breaching your network, like sending a phishing email.

Summary
Wireless communication has benefited a lot of people and is helping make life easier, and with the growing trend in the Internet of Things, despite some of the weaknesses associated with it, it is not going anywhere. As users we should always be vigilant of our surroundings (beware of ‘free/open’ networks), and when setting up wireless networks we should adhere to security best practices by using the most secure encryption method (WPA2/AES) and making sure that the key/password is strong enough. Also make sure that defaults are changed. Leaving devices at their default settings makes it as simple as opening a browser and typing in ‘router passwords’ to be presented with a list of the default user names and passwords for all kinds of router makes and models.
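To turn the encryption tiers listed above and the ‘change the defaults’ advice into a check you can actually run, here is an added example (written for this post, not code from hostapd or any router vendor) that parses a hostapd-style access point configuration, names the tier it falls into, and flags WEP, TKIP, legacy WPA, malformed pre-shared keys and a placeholder list of well-known default passwords; the two configurations are constructed for the demonstration.

```python
"""Audit a hostapd-style access point config against the tiers in this post.

Added example for this post (not hostapd's or any vendor's code).  It reads
real hostapd option names (wpa, wpa_pairwise, rsn_pairwise, wpa_passphrase,
wpa_psk, wep_key0), but the two configurations and DEFAULT_PASSWORDS are
constructed placeholders, not a vendor default list.
"""

DEFAULT_PASSWORDS = {"admin", "password", "12345678"}  # placeholder list
HEX_DIGITS = set("0123456789abcdefABCDEF")

# Constructed configurations for the demonstration.
WEAK_AP = """\
interface=wlan0
ssid=HomeNet
wpa=1
wpa_pairwise=TKIP
wpa_passphrase=password
"""

HARDENED_AP = """\
interface=wlan0
ssid=HomeNet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# 64 hex digits = the raw 256-bit PSK (placeholder value; generate your own)
wpa_psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""


def parse_hostapd(text: str) -> dict:
    """Turn 'key=value' lines into a dict, skipping comments and blank lines."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def check_psk(cfg: dict) -> list:
    """Validate the pre-shared key as 802.11 defines it: 64 hex digits, or 8-63 printable ASCII."""
    findings = []
    psk, passphrase = cfg.get("wpa_psk"), cfg.get("wpa_passphrase")
    if psk is not None:
        if len(psk) != 64 or not set(psk) <= HEX_DIGITS:
            findings.append("wpa_psk must be exactly 64 hexadecimal digits")
    elif passphrase is not None:
        if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
            findings.append("wpa_passphrase must be 8-63 printable ASCII characters")
        if passphrase.lower() in DEFAULT_PASSWORDS:
            findings.append("wpa_passphrase is a well-known default; change it")
    elif cfg.get("wpa", "0") != "0":
        findings.append("WPA enabled but neither wpa_psk nor wpa_passphrase is set")
    return findings


def audit(text: str) -> dict:
    """Return {'tier': <name as used in the post>, 'findings': [...]}.

    An empty findings list means WPA2 + AES (CCMP only) with a well-formed key.
    """
    cfg = parse_hostapd(text)
    findings = []
    wpa = int(cfg.get("wpa", "0"))  # hostapd: 0 = off, 1 = WPA, 2 = WPA2/RSN, 3 = both
    # WPA(1) ciphers come from wpa_pairwise, WPA2 ciphers from rsn_pairwise.
    allowed = set()
    if wpa & 1:
        allowed |= set(cfg.get("wpa_pairwise", "").split())
    if wpa & 2:
        allowed |= set(cfg.get("rsn_pairwise", "").split())

    if any(k.startswith("wep_key") for k in cfg):
        tier = "WEP"
        findings.append("WEP keys configured: WEP is broken; move to WPA2 + AES")
    elif wpa == 0:
        tier = "open"
        findings.append("wpa=0: traffic is not encrypted at all")
    else:
        if wpa & 1:
            findings.append("WPA(1) enabled (wpa=1 or 3), a legacy protocol; set wpa=2")
        if not allowed:
            findings.append("no pairwise cipher set explicitly; set rsn_pairwise=CCMP")
        if "TKIP" in allowed:
            findings.append("TKIP (RC4) allowed for legacy clients; the network is only as strong as that tier")
        proto = {1: "WPA", 2: "WPA2"}.get(wpa, "WPA/WPA2")
        cipher = {frozenset({"CCMP"}): "AES", frozenset({"TKIP"}): "TKIP",
                  frozenset({"TKIP", "CCMP"}): "TKIP/AES"}.get(frozenset(allowed), "unknown cipher")
        tier = f"{proto} + {cipher}"
    findings.extend(check_psk(cfg))
    return {"tier": tier, "findings": findings}


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_AP), ("hardened", HARDENED_AP)):
        result = audit(conf)
        print(f"{name}: {result['tier']}")
        for finding in result["findings"]:
            print("  -", finding)
```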

Stay safe while you connect!

Sunday, February 7, 2016

The Internet of Things (IoT) and Botnets (week 8)

In 2008, Microsoft released security bulletin MS08-067 regarding a vulnerability that could allow remote code execution if an affected system received a specially crafted RPC request. The bulletin further indicated that the vulnerability could be used in the crafting of a wormable exploit.
Image courtesy of Hotbots (n.d.)

This post will be about botnets and their impact on the economy. When we talk about botnets, Conficker comes to mind. This infamous worm was discovered in 2008, and by mid-2009 there were over ten million infected computers participating in its botnet. Conficker's logic includes mechanisms to generate lists of new domain names on a daily basis, to seek out the Internet points that the authors use for updates and for command and control of the infected machines.

Within a few months of Conficker’s appearance, some 7 million computers became linked into one of the largest botnets in the world (Singer, 2011).

So what is a botnet?

Botnets are groups of computers that have been ‘captured’ and made to run unauthorized software, controlled by what is termed a bot herder or bot master. To understand the potential impact that botnets have, we should first review the Internet. The Internet’s growth is unprecedented, and its impact on human progress is potentially unequalled. The Internet has made it possible for the world to be closer and for collaboration to take place in ways never seen before. A class can be conducted in the United States and a student can attend it live from the comfort of their home in Australia. The Internet has made a ‘global village’ possible. With this fast growth, however, come challenges; innovators don’t always have the time or resources to address potential security issues. The market rewards and encourages low-cost, high-volume, short-time-to-market products, and the ‘norm’ sadly appears to be go to market and ‘patch it later’.

When you look at the other side of the story, just as the pace of innovation and adoption on the Internet increases, so do the criminals and their ‘tools of the trade’. The greater the connectivity, the faster an exploit spreads. Botnets are successful because of the many software flaws (vulnerabilities) in Internet-connected devices, and with the presence of botnets, Internet crime is further propagated. Now we are heading to a time when most things are going to be connected, the Internet of Things (IoT), which means the attack surface has just increased.

“With the advent of high speed “always on” connections, these PCs add up to either an enormous global threat, or a bonanza of freely retarget-able resources, depending upon one’s point of view” (Vixie, 2002).

As more devices are connected and less security is emphasized, not only can these devices be used to propagate attacks, but they can also attack our privacy. We have Internet-connected cameras, cars that have WiFi, home appliances that can be accessed from the Internet, just to mention a few. Most of these devices are not secure by default, and it would take some effort on the end user's part to make them a little more secure. Most end users do not bother to check these settings, and the bad guys are aware of this. A simple Google search on default passwords for WiFi cameras brings back a significant list that can be used to attack those cameras. As mentioned previously, most manufacturers are simply trying to break into the IoT market, and their focus is interoperability as opposed to building secure systems. Attackers take advantage of this fact, and now the spread of bots is worse than it was when Conficker first hit the Internet scene.

Conclusion
Due to the threat that botnets pose, every Internet user should be aware of how they may be assisting in the propagation of this exploit vector. Users should know that if their Internet-connected device is out of date and/or running unpatched software, it may get infected and be used to participate in illegal activity like DDoS attacks, spam delivery or even identity theft.

References:
Singer, P. W. (2011, October 21). Mark Bowden’s “Worm: The First Digital World War”. Retrieved February 7, 2016, from https://www.washingtonpost.com/entertainment/books/mark-bowdens-worm-the-first-digital-world-war/2011/08/30/gIQAwcKO4L_story.html
Microsoft Security Bulletin MS08-067 - Critical. (2008, October 23). Retrieved February 7, 2016, from https://technet.microsoft.com/library/security/ms08-067
Vixie, P. (2002, October 17). Securing the Edge. Retrieved February 7, 2016, from https://archive.icann.org/en/committees/security/sac004.txt
Hotbots [Photograph]. (n.d.). Retrieved from https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/wang/wang_html/figure1.png

Sunday, January 31, 2016

Physical Security Controls (week 7)

Photo Credit: Microsoft studios, security-cameras-for-a-business
There is a huge emphasis on protecting data in the security industry, but what about the physical elements that aid in the storage, processing and transmission of that data? In this post we will discuss how physical security should not be taken for granted when planning for information security within an organization. The logical systems cannot exist without hardware components in place. Even in cloud setups where an organization’s data is 100% stored in the cloud, the business still has to have some hardware on premises that enables it to access this data. If a physical breach were to occur where an attacker gained access to the hardware components that interact with the logical environment, the damage might be irreversible.

Physical security is the protection of personnel, hardware, programs, networks, and data from physical circumstances and events that could cause serious losses or damage to an enterprise, agency, or institution. This includes protection from fire, natural disasters, burglary, theft, vandalism, and terrorism (Rouse, 2005). Physical security entails the controls or steps taken to limit or deny unauthorized physical access to a building, its facilities, the resources within the building, and the information stored there.

There are different types of Security Controls:

Directive controls – these are the administrative controls intended to guide or advise employees on how to conduct themselves when using the systems or when they are on the business premises.

Preventive controls – these are the steps taken to stay ahead of, and hopefully stop, any actions that conflict with the controls in place. An example would be locked doors and windows.

Deterrent controls – these involve the use of notices and warnings of the consequences of security violations. An example would be having CCTVs installed in every room.

Detective controls – these are the controls that aid in identifying, monitoring and potentially reacting to security violations. Examples would be security alarms, motion sensors, heat sensors, etc.

Corrective controls – these are the controls designed to react to the detection of an incident in order to resolve it and prevent any future recurrence.

Recovery controls – these are the controls used to restore the system or operation back to its normal state after an actual incident occurs.

Different security measures can be implemented to protect against physical threats and they fall under different security controls as described above. These measures can include:

Protecting the premises: the entry and exit points should be evaluated to ensure there are sufficient security controls in place. Interior partitions like walls, ceilings and floors should be secure enough to prevent any breaches. Mantraps and turnstiles can be used to prevent piggybacking (tailgating) attempts. Surge protectors and UPS systems should be in place to guard against power-related threats, whether inadvertent or planned. Fire suppression systems should be in place and fire extinguishers should be easily accessible in case of a fire emergency.

Locked rooms: the server room or data center is perhaps the most critical of all rooms; it should always be located in a central area and access to it should be restricted to authorized personnel only. Locked doors should be used and, if possible, two-factor authentication should be enforced. Surveillance cameras should be installed to monitor activity to and from the data center. If there is a need to have outsiders in the room, like vendors and maintenance staff, access should only be allowed in the presence of an escort.

Other critical devices like switches, hubs and routers should also be locked away. Gone are the days when network equipment and cables were all stashed in the same closet as the janitor’s ‘tools of the trade’. If you don’t secure these devices, an attacker can impersonate the cleaning crew, walk into the closet, simply plug into the network and cause havoc.

Secure workstations and laptops: docking stations should have the capability to lock down laptops when users step away from their desks. Workstations should also be secured, and the case should be protected using case locks. This will prevent attackers from opening up the computer towers and removing the hard drive.

Laptops and handhelds should be encrypted and biometric readers should be used for access. In case of a loss, the organization should be able to remotely wipe the data on the device.
Removable media capability should also be disabled to prevent attackers and rogue employees from copying information without authorization.

Protecting backups: most organizations plan for the production environment and ensure that security controls are in place to protect it, but what about the DR site or their backups? Organizations need to ensure that their backup tapes and/or disks cannot be stolen. These backups usually hold the same information that can be found in the production environment; if security controls are lax in the backup environment, attackers will definitely choose this easier route.

Protecting non-critical devices: even basic devices and elements like printers, fax machines, phones and trash bins need to be protected. Attackers can gain information through dumpster diving, so the organization needs to secure the bins and have locked shred bins located in secure areas within the building. Only approved, reputable vendors should be used to dispose of old data (if the company outsources this service). This should also apply to the disposal of hardware like hard disks and decommissioned appliances.

Another area to look at when it comes to physical security is the undefined perimeter. With more employees working remotely and organizations having sales reps working on the road, the organization needs to account for the physical protection of those devices by having logical controls in place. Policies should be enforced as a guide to help employees adhere to best practices that can help minimize the potential for losses. Employees should not leave their laptops and other documents in visible places in their cars. The business should have a way of remotely wiping the data on the devices like smart phones if they are reported stolen. Hard drives should be encrypted to avoid the exposure of information to unauthorized individuals.  

Conclusion
Just as with logical security measures, physical security controls should adopt the defense-in-depth approach when being implemented. Just having CCTVs or security guards on site is not enough of a deterrent to an attacker attempting to break in. If they are determined to breach the perimeter, they will find a way. Different controls need to be adopted, and they can act as complements to each other: if one has gaps, another control can cover that gap. For example, having locked doors with two-factor authentication required to unlock the room, plus a security guard or even a receptionist at the entrance, can be a better deterrent to an attacker than simply having locked doors and cameras at the front door.

References:
Covington, R. C. (2015, June 23). Physical security: The overlooked domain.
     Retrieved January 31, 2016, from ComputerWorld website:
     http://www.computerworld.com/article/2939322/security0/
     physical-security-the-overlooked-domain.html 

Rouse, M. (2005, December). Physical security. Retrieved January 31, 2016, from
     TechTarget website: http://searchsecurity.techtarget.com/definition/
     physical-security 



Sunday, January 24, 2016

Critical Security Controls (CSCs) in Mitigating Attacks

Last week in my graduate class “Information Security Management”, we learned about policies and why they are crucial (legally binding) documents that a business should use to convey its values, goals and mission. One of the common policies that new hires encounter is the acceptable use policy (AUP). This policy requires users to agree to and sign the document prior to being granted access to the organization’s network or the Internet. If any violations of the AUP are detected, the organization is legally able to discipline the employee to the extent outlined. Given that humans will always be humans, regular training and visual reminders like posters and infographics on the break room notice board, or banners that pop up on computers, can be used to drive the message home.

SANS, a well-recognized institute when it comes to cyber and information security, published a list titled “SANS Top 20 Critical Security Controls”, which is basically a list of recommendations that an organization can use as a checklist or guide when setting up shop. The focus for this post will be the top 5 controls:

CSC 1: Inventory of Authorized and Unauthorized Devices

CSC 2: Inventory of Authorized and Unauthorized Software

CSC 3: Secure Configurations for Hardware and Software

CSC 4: Continuous Vulnerability Assessment and Remediation

CSC 5: Controlled Use of Administrative Privileges

To see how adopting the above controls can assist an organization, let’s look at the Target attack and how it occurred. Can a replication of the attack be avoided if a company followed the control recommendations?

According to Brian Krebs, author of the KrebsOnSecurity blog, Target was infiltrated via a third-party vendor who was responsible for their HVAC systems. Using credentials stolen from the vendor, the attackers accessed the Target network through the access paths assigned to the vendor. The attackers were later able to move through the network and reach segments that contained customer data, information like PII and credit card data. Once the attackers were able to access the Point of Sale systems, they downloaded the malware that would be used to scrape the memory of these systems. Over a period of time, the attackers successfully exfiltrated the data out of the network without Target noticing.

With that scenario in mind, if Target diligently adhered to the 5 critical security controls, these are some of the vulnerabilities and exploits that could have been prevented:

Misconfigured and vulnerable systems on both the vendor side and the Target side – the attackers were able to access the vendor’s network by exploiting vulnerabilities that enabled them to break in and steal credentials. The same applies to Target’s network, which the attackers were then able to infiltrate. These issues are covered by CSC 3, which outlines how to securely configure both the hardware and software elements of a network. Hardening the network, for example by closing unneeded ports and services and keeping systems up to date and patched, can help mitigate threats that use this attack vector.

Malware installed on Point of Sale systems – once the attackers got in, they were able to install the malware that would be used to infect the systems and steal the data. This is covered by CSC 2, 3 and 5: having secure configurations will help stop exploits as described previously. An inventory of unauthorized software would have enabled Target to notice the malware once installed, or even prevent it from being installed on the systems in the first place. Controlled use of administrative privileges would have enabled Target to keep track of what privileged accounts were doing, and this anomaly would have been caught if regular auditing took place.

Failure to respond to alerts from security systems – Target did not put much thought into the alerts that were generated by suspicious activity on their network. Also, if Target had reviewed their vulnerability assessment reports, they would have caught on to the fact that the networks were not segregated from each other. The attackers were able to jump from the vendor segment to Target’s network and gain access to the customer network segment. Given that sensitive data is stored on the customer segment, the vendor should not have had the capability to move across these segments. CSC 4 would have helped Target mitigate this hole.

Data exfiltrated from the network – the attackers moved a significant amount of data out of the network without raising any alarms. This tells us that Target did not have any checks in place to stop data exfiltration. If CSC 3 is adhered to, an organization can have secure configurations set up on the network that generate alarms when data is moved out.
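To make CSC 1, 2 and 4 concrete, here is an added example (my own illustration, not code from the post or from SANS) that reconciles what is observed on the network against an approved baseline of devices and software and reports anything outside it. All MAC addresses, hostnames, package names and versions below are constructed sample data.

```python
"""Inventory reconciliation for CSC 1, 2 and 4 (added example, not from the
post or from SANS). Compares what is seen on the network against an approved
baseline and reports devices, software and versions that fall outside it.
All inventories below are constructed sample data."""

# CSC 1: approved devices keyed by MAC address (constructed values).
AUTHORIZED_DEVICES = {
    "00:11:22:33:44:01": "pos-01",
    "00:11:22:33:44:02": "pos-02",
    "00:11:22:33:44:10": "hvac-gw",
}

# CSC 2 / CSC 4: approved packages and the minimum patched version per role.
AUTHORIZED_SOFTWARE = {
    "pos": {"pos-client": (3, 2), "av-agent": (7, 0)},
    "vendor": {"hvac-monitor": (1, 4)},
}

ROLE_OF = {"pos-01": "pos", "pos-02": "pos", "hvac-gw": "vendor"}


def parse_version(text):
    """'3.2.1' -> (3, 2, 1); compared as tuples so that 3.10 > 3.2."""
    return tuple(int(p) for p in text.split("."))


def reconcile(observed):
    """observed: list of {"mac", "host", "software": {name: version}}.
    Returns findings as (host, control, detail) tuples."""
    findings = []
    for dev in observed:
        host = dev["host"]
        if dev["mac"] not in AUTHORIZED_DEVICES:
            findings.append((host, "CSC1", "device not in authorized inventory"))
            continue  # nothing else reported by an unknown device is trusted
        allowed = AUTHORIZED_SOFTWARE.get(ROLE_OF.get(host, ""), {})
        for name, version in dev["software"].items():
            if name not in allowed:
                findings.append((host, "CSC2", f"unauthorized software: {name}"))
            elif parse_version(version) < allowed[name]:
                findings.append((host, "CSC4", f"{name} {version} below minimum"))
    return findings


# Constructed observation: an unapproved binary on one POS, a stale AV agent
# on another, and a device that is not in the inventory at all.
OBSERVED = [
    {"mac": "00:11:22:33:44:01", "host": "pos-01",
     "software": {"pos-client": "3.2.0", "av-agent": "7.1", "unknown-tool.exe": "1.0"}},
    {"mac": "00:11:22:33:44:02", "host": "pos-02",
     "software": {"pos-client": "3.2.0", "av-agent": "6.9"}},
    {"mac": "de:ad:be:ef:00:01", "host": "unknown-laptop", "software": {}},
]

if __name__ == "__main__":
    for host, control, detail in reconcile(OBSERVED):
        print(f"{host}: [{control}] {detail}")
```

Run on a schedule against a real asset database, each finding is a ticket for the owning team, which is the follow-up the controls expect.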

Conclusion

While having the proper Tactics, Techniques and Procedures (TTPs) and tools (technology) may be a step in the right direction for mitigating potential breaches, the weakest link still has to be accounted for. If you cannot rally the people to support the Information Security checks and balances in place, it will fail. The people who interact with the organization's assets and resources are crucial to the success of any security measures in place. In my opinion, the main flaw that enabled the Target breach was the people. It seems that there were minimal checks in place at the very least but the people who should have checked and validated their effectiveness did not perform their due diligence. 

References:

https://www.sans.org/reading-room/whitepapers/casestudies/case-study-critical-controls-prevented-target-breach-35412

Sunday, January 17, 2016

Data Protection (week 5 Blog)

Last month, one of the topics of my blog post was cybercrime motivation, and one of the motivators discussed was competitive advantage. This motivator is usually associated with expert attackers who are trying to exfiltrate either company blueprints or the personal information of the company’s personnel. “One of the scariest parts of the massive cybersecurity breaches at the Office of Personnel Management just got worse: The agency now says 5.6 million people's fingerprints were stolen as part of the hacks” (Peterson, 2015).

5.6 million people! That is indeed a scary number. How did the attackers manage to get the data out of the OPM network without raising any flags? I am hard pressed and concerned that a government agency of that magnitude does not have safeguards in place to protect its confidential information from ending up in the wrong hands.

So how do we attempt to mitigate data loss?

Data Protection (Data Loss Prevention - DLP)
DLP is a technology used to prevent both the intentional and unintentional loss or leakage of information that should not leave a specific network or be disclosed to unauthorized parties. Detective controls alone cannot stop the loss of data; although companies put policies and procedures in place, there is no telling how many of these guidelines are actually followed. Having preventive controls like a DLP solution can assist a company in enforcing the policies (Kanagasingham, 2008). Such policies could include who is allowed to handle what data, how that data is to be handled, and what systems should be in place to aid in the transmission, usage and storage of that data.

To protect data, we first need to understand what the data is and at what state the data is. The individuals assigned responsibility of the data need to define the data. Some questions to ask include:

What type of data is being protected?

Where should the data reside and where should it not?

Who is granted access to this data?

What policies (like acceptable use) are in place for this data?

When designing solutions, the data states need to be accounted for. The different states of data are:

Data at rest – data saved on file servers, computer hard drives, portable drives, offsite backups etc.

Data in motion – when data is being transmitted e.g. through email, through web traffic etc.

Data in use – active data residing in volatile memory (RAM) and is prone to changes e.g. databases, open spreadsheets etc.

Solutions

1. Training
This is a key component of attempting to mitigate the possibility of a user inadvertently exposing data or coming into unauthorized contact with data. With regular reminders, employees are able to adopt best practices when handling data.

2. Defining policies
Policies act as guidelines and can be used as a legal document if the laid-out policies are breached intentionally. A policy that can be adopted to prevent data loss is the classification of data, with banners attached to all documents. Before a document is accessed, the organization can have a banner pop up warning users of the nature of the data and its classification. This reminds users to be more careful when handling data and also acts as a deterrent, since the banner can be used as legal evidence that the users were notified of the company’s data handling policies prior to their access to it. If the user breaches the policy, they can be held accountable.

3. Incident response plans
Human error is inevitable and organizations need to prepare for when an incident occurs. A team that will be responsible for putting a cap on any data breaches should be in place. Planning for the worst can help prepare the organization and also aid in efficiently mitigating the repercussions that may come from data loss or data leakages. 

4. Technology for monitoring data
Having policies and contingency plans may not be enough if there are no technologies in place to stop the potential loss or leakage of data. Technologies to adopt may include pattern matching or data matching that can catch specific data like SSNs or credit card numbers leaving the network. Another option is to watermark documents in order to prevent copyright breaches. Devices should also be scrubbed, as users can store data on their local workstations or laptops for later use or, in the case of a rogue employee, for offline data exfiltration.
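The pattern-matching piece described above, as an added example of my own (not code from the post or from the cited SANS paper): a minimal content scanner that flags outbound messages carrying SSN-like values or Luhn-valid card numbers, masking what it found so the alert itself does not leak the data. The messages, addresses and card number are constructed sample values.

```python
"""Minimal DLP-style content scanner (added example, not from the original
post). Flags outbound text that carries SSN-like or credit-card-like data.
Sample messages are constructed for the example."""
import re

# US SSN: AAA-GG-SSSS; reject area 000, 666, 900-999, group 00, serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digit runs, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str):
    """Return (kind, masked_value) findings for SSNs and valid card numbers."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # digit run that also passes Luhn: treat as a card
            findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def scan_outbound(messages):
    """Return the messages that policy would block, with their findings."""
    blocked = []
    for msg in messages:
        hits = find_sensitive(msg["body"])
        if hits:
            blocked.append({"to": msg["to"], "findings": hits})
    return blocked


# Constructed sample traffic; 4111 1111 1111 1111 is a well-known test number.
SAMPLE_MESSAGES = [
    {"to": "partner@example.net", "body": "Quarterly numbers attached, call me."},
    {"to": "ext@example.org", "body": "Applicant SSN 123-45-6789, please process."},
    {"to": "drop@example.com", "body": "card 4111 1111 1111 1111 exp 12/19"},
    {"to": "ops@example.com", "body": "ticket 1234567890123 is not a card"},
]

if __name__ == "__main__":
    for item in scan_outbound(SAMPLE_MESSAGES):
        print(item)
```

The last sample message shows why the Luhn check matters: a 13-digit ticket number matches the card regex but fails the checksum, so it is not flagged.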

Conclusion
Data loss prevention is one of the toughest elements of information security; totally eliminating the prospect of data loss or leakage is a myth, as it is impossible to be 100% secure, but adopting the solutions outlined above can help mitigate the risk. Organizational commitment is needed from the top down, and policies should be used to emphasize this organizational goal. The information security team should note that one solution may not necessarily apply to all scenarios, and they should also be aware that some solutions may handicap the business if aggressively implemented. There needs to be a balance between control and business continuity. Testing and constant reviews should be a routine occurrence to evaluate the effectiveness of the checks and balances in place.



References:
Peterson, A. (2015, September 23). OPM says 5.6 million fingerprints stolen in
     cyberattack, five times as many as previously thought. Retrieved January
     17, 2016, from The Washington Post website: https://www.washingtonpost.com/
     news/the-switch/wp/2015/09/23/
     opm-now-says-more-than-five-million-fingerprints-compromised-in-breaches/ 

Kanagasingham, P. (2008, August 15). Data Loss Prevention (J. C. Bambenek, Ed.).
     Retrieved January 17, 2016, from SANS.org website: https://www.sans.org/
     reading-room/whitepapers/dlp/data-loss-prevention-32883