360 Degree Cyber Security, LLC

Tag Archive: InfoSec

Ready or not?

February 27, 2018 – Last week, the city of Allentown, Pennsylvania was hit with Emotet, malware that started life as a banking trojan. Reports indicate that the initial entry into the city's business network came through phishing. Once downloaded and installed, the malware began replicating across the city government's network, infecting devices and stealing login credentials. As a result, the city's financial system is offline, its camera surveillance has been taken offline, and its police department has been disconnected from the Pennsylvania law enforcement network.

It is estimated that remediating this attack will cost close to $1 million. The same malware has infected other government and public school networks; this past January it cost the Rockingham County, North Carolina school district $314,000 to recover from an infection.

What is Emotet? Emotet is malware that started out as a banking trojan about three years ago, originally built to intercept network traffic and steal users' banking credentials. Over those three years it has evolved into a modular platform that can load custom modules. Last year, reports indicated that it had begun using the EternalBlue exploit, developed by the NSA and later leaked to the public, which lets it spread across Windows networks to devices missing Microsoft's MS17-010 patch. It also spreads by brute-forcing passwords against network shares, so a fully patched network with weak or reused passwords is still exposed. The malware is not easily blocked at the perimeter because it can arrive as .js, .pdf, or .doc/.docx attachments.

What can be done? Audit your patching to verify that patches are actually being applied as they should be. This is not a claim that the Allentown infection spread via EternalBlue; but since that is a method Emotet has been reported to use, are you ready to prevent it from spreading through your network?

Why perform a patch audit? Patches may be pushed automatically, but for whatever reason (the machine was powered off, the installer failed, the update service was disabled) some never make it onto a system, and those require a more hands-on approach. An audit compares what you believe was deployed with what each host actually reports as installed.

 

Reference:

https://www.washingtontimes.com/news/2018/feb/21/malware-infection-posed-cost-1-million-allentown-p/

Major security flaw in Apple devices running High Sierra is easily exploited.

November 28, 2017 – If you have Apple devices running macOS High Sierra, there is a critical vulnerability that lets anyone who can get their hands on the machine gain administrator rights. Log in as Guest (any account will do), open System Preferences > Users & Groups, and click the lock to make changes. Enter "root" as the user name, leave the password blank, and click Unlock; repeat it a couple of times. The first attempt silently enables the root account with an empty password, so the next attempt succeeds and the user is authenticated as the "System Administrator" (root) account, with full ability to view files and reset or change passwords for the existing users on that machine. If Screen Sharing or Remote Management is enabled, the same empty root password works over the network as well.

The following can be done to close the hole until Apple's fix is installed. (Apple shipped that fix as Security Update 2017-001 on November 29, 2017; install it as soon as you can. Disabling the Guest account only removes the easiest path, since any logged-in user can trigger the bug, so setting a root password is the step that actually blocks it.)

DISABLING GUEST USER ON MACOS HIGH SIERRA
Step 1 | Launch System Preferences
Step 2 | Select Users & Groups
Step 3 | Select Guest User
Step 4 | Uncheck Allow guests to log in to this computer
CHANGING ROOT PASSWORD ON MACOS HIGH SIERRA
Step 1 | Launch System Preferences
Step 2 | Select Users & Groups
Step 3 | Select Login Options
Step 4 | Select Join next to Network Account Server
Step 5 | Select Open Directory Utility
Step 6 | Click the lock and enter your password to make changes
Step 7 | In the menu bar of Directory Utility, select Change Root Password
Step 8 | Create a strong, unique password

Dell Recovery and Backup Service Compromised

October 25, 2017 – Brian Krebs, a respected journalist who covers cybersecurity, reported that Dell Inc. had lost control of the web address used by the Dell Backup & Recovery application installed on nearly every Dell computer produced. There are indications that for a few weeks this past summer, between June and July 2017, a malicious group controlled the address and may have used it to push malware through the service.

While Dell did not control it, the address resolved to a leased Amazon server that was, and still is, known for hosting malicious content.

According to the Dell support forums, the software comes pre-installed on Dell Windows systems.

If you are using a Dell computer with the Dell Backup & Recovery service running on it, ensure your anti-malware software is up to date, and be wary of any calls or pop-ups claiming to be Dell tech support, even if they quote your correct service tag. If you receive such a call or pop-up, hang up and call Dell directly.

For Krebs’ full report see https://krebsonsecurity.com/2017/10/dell-lost-control-of-key-customer-support-domain-for-a-month-in-2017/

 

Malware Outbreak – Bad Rabbit

October 24, 2017 – A piece of ransomware called "Bad Rabbit" is reportedly making its rounds in Eastern Europe and Russia. The United States Computer Emergency Readiness Team (US-CERT), however, reports that it has "received multiple reports of Bad Rabbit ransomware infections in many countries around the world."

The ransomware is delivered by a pop-up in the user's browser, planted on compromised websites, claiming that the installed Adobe Flash Player is out of date. Once the victim runs the fake update, the malware harvests credentials held in memory and uses them, together with a built-in list of common passwords, to move from computer to computer over the network, encrypting files as it goes.

The malware also preys on a weakness in Windows using a method discovered and used by the National Security Agency, which became public when the NSA's tools were stolen and leaked to the world. Early reporting named the "EternalBlue" exploit; later analysis showed Bad Rabbit uses EternalRomance, a sibling exploit from the same leak against the same Windows service, and both are closed by the same Microsoft patch.

Both exploits target Server Message Block version 1 (SMBv1), the oldest version of the file-sharing protocol Windows computers use to talk to each other and one that is still widely enabled. That is why so many computers were easy targets in April and May of 2017, when WannaCry took control of over 230,000 computers in 150 countries; had an alert security researcher not found the malware's kill switch, that number would have been much higher. NotPetya followed in June using the same SMBv1 exploit plus stolen credentials, and it had no kill switch. Organizations affected include FedEx, the UK's National Health Service, and French auto manufacturer Renault, to name a few.

Microsoft released the fix, MS17-010, in March 2017. Computers that did not apply it were left vulnerable, and as of this date some still have not received it.

What can you do? Ensure your computers are up to date on patches, using Windows Update or a patch management system, and if nothing on your network needs SMBv1, disable it so the next exploit of the same service has nothing to reach.
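The patch audit urged in the Emotet post above and the patch check here come down to one question per Windows host: is the MS17-010 update installed? The following Python is an added example, not code from the original posts. It assumes the input is `Get-HotFix` output exported with `Export-Csv` (one row per installed hotfix, with the PSComputerName, Description, HotFixID and InstalledOn columns); the KB numbers it looks for are the ones Microsoft lists in the MS17-010 bulletin, while the host names, dates and the non-MS17-010 KB numbers in the sample are constructed placeholders.

```python
"""Audit exported Windows hotfix lists for MS17-010, the March 2017 SMBv1 fix.
Added example, not code from the original post.  The rows in SAMPLE_HOTFIX_CSV
are constructed to look like `Get-HotFix | Export-Csv` output; the host names,
install dates and the KB numbers other than the MS17-010 ones are placeholders."""
import csv
import io
from datetime import date, datetime

# KB numbers from Microsoft Security Bulletin MS17-010 (released March 14, 2017).
MS17_010_KBS = {
    "KB4012598",               # Vista / Server 2008 (also issued for XP / 2003 in May 2017)
    "KB4012212", "KB4012215",  # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    "KB4012214", "KB4012217",  # Windows Server 2012
    "KB4012213", "KB4012216",  # Windows 8.1 / Server 2012 R2
    "KB4012606",               # Windows 10 1507
    "KB4013198",               # Windows 10 1511
    "KB4013429",               # Windows 10 1607 / Server 2016
}
MS17_010_RELEASED = date(2017, 3, 14)

# Constructed sample: one host patched, one with only a later security update,
# one with nothing installed since 2016.
SAMPLE_HOTFIX_CSV = """\
PSComputerName,Description,HotFixID,InstalledOn
FIN-WS01,Update,KB9990001,11/2/2016
FIN-WS01,Security Update,KB4012212,3/16/2017 12:00:00 AM
CAM-SRV01,Security Update,KB9990002,10/9/2016
CAM-SRV01,Security Update,KB9990003,5/23/2017
PD-WS07,Update,KB9990001,11/2/2016
PD-WS07,Security Update,KB9990004,12/13/2016
"""


def parse_hotfixes(text):
    """Group exported Get-HotFix rows by host: {host: [(kb, description, install_date)]}."""
    hosts = {}
    for row in csv.DictReader(io.StringIO(text)):
        raw = (row.get("InstalledOn") or "").strip()
        # Export-Csv writes "3/16/2017 12:00:00 AM"; keep only the date part.
        installed = datetime.strptime(raw.split(" ")[0], "%m/%d/%Y").date() if raw else None
        hosts.setdefault(row["PSComputerName"].strip(), []).append(
            (row["HotFixID"].strip().upper(), row["Description"].strip(), installed))
    return hosts


def classify_host(entries):
    """Return (status, evidence) for one host's hotfix list."""
    present = sorted(kb for kb, _, _ in entries if kb in MS17_010_KBS)
    if present:
        return "PATCHED", "MS17-010 package present: " + ", ".join(present)
    # A later Security Update *may* supersede MS17-010 (monthly rollups are
    # cumulative, security-only updates are not), so this is a lead to verify
    # by hand or with a vulnerability scanner, not a pass.
    later = sorted((d, kb) for kb, desc, d in entries
                   if d is not None and d >= MS17_010_RELEASED and desc == "Security Update")
    if later:
        d, kb = later[-1]
        return "VERIFY", f"no MS17-010 KB; {kb} installed {d.isoformat()} may supersede it"
    return "MISSING", "no MS17-010 package and no security update since 2017-03-14"


def audit(text):
    """Map every host in the export to its (status, evidence)."""
    return {host: classify_host(entries) for host, entries in parse_hotfixes(text).items()}


if __name__ == "__main__":
    for host, (status, evidence) in sorted(audit(SAMPLE_HOTFIX_CSV).items()):
        print(f"{host:10} {status:8} {evidence}")
```

Run it against a real export rather than the sample. Anything reported as VERIFY needs a closer look, because a later security update may or may not contain the SMBv1 fix; a vulnerability scanner's MS17-010 check is the definitive answer, and MISSING hosts should be patched or isolated before the next worm arrives.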

If there are any questions, please do not hesitate to reach out to me.

Be Proactive – Not Reactive

October 15, 2017 – Cybersecurity is not ONLY about responding to ransomware or a hacker; it is also about being prepared to prevent it from happening. When you are prepared to prevent an attacker from entering your computers or network, you make it difficult for them to succeed, which means they have to spend more time to get what they want. If they simply want to hold your computer and information for ransom, they will likely move on to an easier target. If it is your information specifically that they want, they will spend the extra time to get it. But who said you had to make it easy?

So, what can you do? A lot, and it need not cost much. Let's follow the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Two of its functions are easily addressed: Identify and Protect.

Identify

Asset Management – Make a list of EVERYTHING that processes information electronically: a security camera connected to your network, your computers and servers, printers, all your network devices, and so on. Record what it is, what operating system it runs (Windows, Linux, macOS, etc.) and what software is installed on it (Office 2016, Adobe Reader, Adobe Flash, and the other programs you use). For a device like a printer or a security camera, record the brand and model and determine the firmware version.

Protect

Maintenance – Update your software and firmware when new versions are available, as they often fix security flaws. Microsoft releases Windows and Office updates monthly (the second Tuesday of the month), and many other vendors follow a similar schedule; others update less often. Check with each vendor for a mailing list or feed that announces updates.

The longer a security flaw remains in your software or firmware, the easier you make it for an attacker to take or ransom your information. Doing these two things alone goes a long way toward protecting your information and puts you in a proactive stance against attacks.

If you need assistance, let us know.  We’ll be glad to help you become proactive!

Helping small businesses understand what risk is

[Photo: a gas station in Plainwell, MI that still does not accept credit cards at the pumps]

To help businesses understand what is at stake when it comes to information technology, it helps to show them the value of what they have as assets and then apply a level of risk to each asset.

Rarely do you find a business any more that does not use a computer of some sort. Gone are the days of credit card carbon slips, paper ledgers, and hand-drawn engineering diagrams. We strive to do more with less to increase profit, and in doing so we reduce what is at stake in one way and increase it in others. For example, on a recent trip to Michigan I stopped at a gas station that had no card readers on its pumps. I do not know why, but it is a good illustration of the trade-off: no card readers means no risk of card theft at the pump, at the expense of customers driving off to a station that offers the experience they expect.

To remain competitive, businesses of all sizes adopt new technology, and many do not understand what is at stake if they do not address the risk that comes with it. Does your small business understand what is at risk in providing free and open Internet access to your customers? How about the risk of placing card readers on the gas pumps? Do the benefits outweigh the risks? What information does your business have or use? What happens if that information could be used to embarrass your business? What can be done to reduce the effect on your business?

Reducing the effect starts with identifying risk, and that starts with identifying what you have at stake. Don't think only of physical things, because what you have is worth more than the devices you purchased. For example, the laptop you bought may have cost only $300, and its resale value will only go down. But what about the work you have been doing on it? How much information is stored on it (contracts, projections, plans, contacts, and so on), and what is that information worth? The laptop is worth far more than the physical device. Identifying what you have, and what it is worth, is designating it as an asset.

Weaknesses in the laptop are its vulnerabilities. They come in the form of how susceptible it is to damage, physical or logical: it is portable, it runs various pieces of software, and it holds information important to your business. Each of those is a potential weakness, but a weakness by itself does not mean your information will be lost.

Now look at the weaknesses and ask what or who might take advantage of, or exploit, them. The threat might be the user having an accident: spilling Starbucks into the keyboard, losing it at the airport or mall, or dropping it on the ground. Or the threat could be external: your house or place of business catches fire; a meteor smashes a hole through the computer; someone steals it; or cyber criminals infect it with malware when you innocently visit a website of interest. Threats come in many forms, and it is necessary to identify them, even the hypothetical and far-fetched ones.

Having looked at the weaknesses and threats, the question that begs to be answered is, "What is the likelihood?" The chance that a meteor smashes a hole through the laptop is pretty slim. The chance that someone steals it is much higher. By identifying the risks that exist and how likely they are, a small business can address the threats in a way that reduces risk.

Take the laptop: what can be done to avoid losing the information on it if it is stolen? Encrypt the hard drive. Use a cable lock to secure it. Keep it with you and don't leave it in a car. What about the meteor? Back up the information off the device. These are called mitigating actions: they mitigate the risk, either by reducing the likelihood that a weakness is exploited (the cable lock) or by reducing the impact when it is (encryption and backups).
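Worked as a small risk register, the laptop example looks like this. It is an added example, not code from the original post; the five-point likelihood and impact scales, the ratings given to each threat, and the effect assigned to each mitigation are illustrative choices, and the $50,000 information value is assumed. It also makes explicit something the paragraph glosses over: some controls lower the likelihood of an event (a cable lock) while others lower its impact (encryption, backups).

```python
"""Small risk register for the $300 laptop in the post above.  Added example,
not code from the original post; the 1-5 scores and the effect of each
mitigation are illustrative ratings chosen for the example."""
from dataclasses import dataclass, field

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Mitigation:
    name: str
    likelihood_to: str = None  # new likelihood rating if the control lowers likelihood
    impact_to: str = None      # new impact rating if the control lowers impact


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str
    impact: str
    mitigations: list = field(default_factory=list)

    def inherent(self) -> int:
        """Risk before any control: likelihood x impact."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual(self) -> int:
        """Risk after controls; a control can only lower a rating, never raise it."""
        lik, imp = LIKELIHOOD[self.likelihood], IMPACT[self.impact]
        for m in self.mitigations:
            if m.likelihood_to:
                lik = min(lik, LIKELIHOOD[m.likelihood_to])
            if m.impact_to:
                imp = min(imp, IMPACT[m.impact_to])
        return lik * imp


# The asset is the hardware plus the information on it (the post's point).
LAPTOP_HARDWARE_VALUE = 300
LAPTOP_INFORMATION_VALUE = 50_000  # assumed worth of the contracts, plans and contacts

cable_lock = Mitigation("cable lock / keep it with you", likelihood_to="unlikely")
disk_encryption = Mitigation("full-disk encryption", impact_to="minor")
backups = Mitigation("off-device backup", impact_to="minor")
patching = Mitigation("keep OS and browser patched", likelihood_to="unlikely")

REGISTER = [
    Risk("laptop", "theft", "possible", "severe", [cable_lock, disk_encryption, backups]),
    Risk("laptop", "coffee spill / drop", "likely", "major", [backups]),
    Risk("laptop", "meteor strike", "rare", "severe", [backups]),
    Risk("laptop", "drive-by malware", "possible", "major", [patching, backups]),
]


def asset_value() -> int:
    """What is really at stake: the device and the information on it."""
    return LAPTOP_HARDWARE_VALUE + LAPTOP_INFORMATION_VALUE


def prioritize(register=REGISTER):
    """(threat, inherent, residual) sorted by residual risk, highest first."""
    rows = [(r.threat, r.inherent(), r.residual()) for r in register]
    return sorted(rows, key=lambda row: (-row[2], -row[1], row[0]))


def needs_attention(register=REGISTER, threshold=6):
    """Threats whose residual risk still exceeds the business's tolerance."""
    return [threat for threat, _, residual in prioritize(register) if residual > threshold]


if __name__ == "__main__":
    print(f"asset value: ${asset_value():,}")
    for threat, inherent, residual in prioritize():
        print(f"{threat:22} inherent={inherent:2} residual={residual:2}")
    print("still above tolerance:", needs_attention())
```

Note what the register says once the arithmetic is done: after encryption and backups the headline-grabbing theft drops to a residual of 4, while the mundane coffee spill, mitigated only by backups, is the risk that still sits above the tolerance line. That ordering, not the dramatic scenario, is what should drive where the next dollar goes.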

Identifying what is at stake and determining the risk based on the weaknesses and the identified threats will help a small business make informed decisions on the actions necessary to protect its information and, ultimately, its business, brand, and good name. If you need help identifying what is at risk for you, do not hesitate to reach out to us at info@360cybersec.com.

 

Guest Blog – Are you really going to use that?

by Peter Lipa, Regional Director for the Americas for Sticky Password

Talking with small business owners, all too often I find that they have an authoritarian mentality in regards to their customers, as in: “the more customer data I have, the greater control I have over them!” This is particularly true of online businesses, where customers (and their money) are hidden behind the virtual invisibility of the Internet. (I intentionally do not use the word anonymous, because the Internet is anything but anonymous!) The thinking being that more data/information will hopefully translate to more opportunities to monetize all those contacts.

The desire to create ties that bind is understandable, but is it even effective in today’s online world of permission marketing (i.e. where customers and potential clients sign up to receive specific email notifications from businesses they like, in the hopes of minimizing unsolicited spam from brands and organizations they don’t care about)?
I don’t know about you, but I don’t consider my home address, or even my date of birth, as an appropriate cost to receive an email telling me a new blog is up. Why isn’t an email address – entered twice, to make sure it’s correct – enough to ensure that I’ll get the latest news and offers from Acme Widget Company?
Given all the options available online to customers today, why do some businesses still think it is acceptable to require potential customers to create password-protected accounts just to read a blog? While undoubtedly interesting, is the information being shared in the blog so sensitive or valuable that I have to create another password-protected account to read it? That’s not a hypothetical question. If it’s the information in your blog that you’re charging for – i.e. that’s your product – then by all means go ahead and tie it to private accounts. But, if your blog is basically a marketing tool, then don’t do it.
But beyond the annoyance factor – which is no small thing – the issue of security is much greater.
The frequent news of cyber attacks on huge corporations is a strong reminder to all businesses that they are responsible for all customer data that they ask for. Businesses sometimes downplay the threat to their small business and neglect important aspects of Internet security because they think their business is under the radar of hackers. In reality, there is no under the radar for bad guys.
Let’s take a look at 5 best practices for taking care of customer data:
1. Have a privacy policy. In addition to informing your customers that they can trust you with their data, the process of creating a privacy policy will help you decide what customer data you really need.  
Even though customers may be willing to give you their personal details, ask yourself if you really need specific data before you start collecting it. Don’t ask for information unless you have actual plans to use it. If an email address will do, then don’t ask for a home address or telephone number.
2. Limit access to the data. Make sure that only colleagues and employees that have a ‘need to know’ are able to access your customers’ data. No exceptions.
3. Don’t ask visitors to create password-protected accounts unless it’s really necessary!
Customers who don’t think there’s a valid security reason for having a password for a site tend to use silly authorization credentials or to re-use passwords from other sites.
With so many password accounts, it’s easy for people to get lazy about using strong unique passwords. Not only does that put the customer’s accounts at risk, it also becomes a weak point in your security.

If you really do need passwords to restrict access to your website, then make sure you require customers to follow best practices in creating their passwords.

Implement an automated password system that:

  • disallows obvious notorious weak passwords like 123456, qwerty, Princess and other dictionary words
  • requires a minimum of 8 or more characters
  • requires that each password include a mix of letters, numbers and special characters
  • never sends passwords to your customers in plain text in an email
  • supports a limit on the number of failed attempts to access an account
  • notifies you of unusual activity
  • supports automated password resetting
Even if you are the owner of the business, you should never know or ask for a customer’s password!
Let your customers know that you take passwords – and the security of their data – seriously.
4. Be responsive and make it easy for your customers to get in touch with you when they have a security question.
 
5. Don’t go it alone. Unless you’re in the business of online security, you shouldn’t try to wing it when it comes to the security of your customers’ personal data. This isn’t an area where you should try to save a few dollars by hiring your neighbor’s son or daughter who’s a wiz with computers. The potential risk isn’t worth it. Make sure you engage a responsible service that will be able to help you if something goes wrong.
About the author:
Peter Lipa is Regional Director for the Americas for Sticky Password, a password manager (https://www.stickypassword.com/). Find out more about passwords, privacy and security on the Sticky Password blog.
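Here is how the seven points in Peter Lipa's list look in code. This is an added example written for this page, not Sticky Password's software or anything from the original post; the deny-list, the 8-character minimum, the five-attempt lockout and the PBKDF2 parameters are illustrative choices. (Current NIST guidance in SP 800-63B favors checking candidates against breached-password lists and allowing long passphrases over composition rules, so treat the letters/numbers/symbols check as the post's requirement rather than a recommendation.)

```python
"""Account handling that enforces the seven points in the guest post above.
Added example, not Sticky Password's code; the deny-list and limits are
illustrative choices."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

# 1. Deny-list of notorious passwords.  A real deployment loads a large
#    breached-password list; this short set is a stand-in for the example.
DENY_LIST = {"123456", "password", "qwerty", "princess", "letmein", "welcome1"}
MIN_LENGTH = 8                         # 2. minimum length
MAX_FAILED_ATTEMPTS = 5                # 5. failed-attempt limit
LOCKOUT_PERIOD = timedelta(minutes=15)
RESET_TOKEN_LIFETIME = timedelta(hours=1)
PBKDF2_ROUNDS = 200_000
EXAMPLE_TIME = datetime(2018, 1, 1, 9, 0)  # fixed clock for the demonstration


def password_problems(password: str) -> list:
    """Return the policy rules a candidate password violates (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in DENY_LIST:
        problems.append("on the weak-password deny-list")
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(not c.isalnum() for c in password)
    if not (has_letter and has_digit and has_special):   # 3. mix of character classes
        problems.append("needs letters, numbers and special characters")
    return problems


def hash_password(password: str) -> str:
    """Salted PBKDF2-SHA256; only this string is stored, never the password (point 4)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)   # constant-time compare


class Account:
    def __init__(self, username: str, password: str):
        problems = password_problems(password)
        if problems:
            raise ValueError("; ".join(problems))
        self.username = username
        self.password_hash = hash_password(password)
        self.failed_attempts = 0
        self.locked_until = None
        self.reset_token_hash = None
        self.reset_expires = None
        self.alerts = []   # 6. unusual-activity notifications for the site owner

    def login(self, password: str, now: datetime) -> bool:
        if self.locked_until and now < self.locked_until:
            self.alerts.append((now, f"{self.username}: login attempt while locked"))
            return False
        if verify_password(password, self.password_hash):
            self.failed_attempts, self.locked_until = 0, None
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked_until = now + LOCKOUT_PERIOD
            self.alerts.append((now, f"{self.username}: locked after {self.failed_attempts} failures"))
        return False

    def request_reset(self, now: datetime) -> str:
        """7. Automated reset: issue a one-time token.  Only its hash is kept; the
        token goes to the customer's e-mail, the password itself never does."""
        token = secrets.token_urlsafe(32)
        self.reset_token_hash = hashlib.sha256(token.encode()).hexdigest()
        self.reset_expires = now + RESET_TOKEN_LIFETIME
        return token

    def complete_reset(self, token: str, new_password: str, now: datetime) -> bool:
        if not self.reset_token_hash or now > self.reset_expires:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, self.reset_token_hash):
            return False
        if password_problems(new_password):
            return False
        self.password_hash = hash_password(new_password)
        self.reset_token_hash = self.reset_expires = None
        self.failed_attempts, self.locked_until = 0, None
        return True
```

The owner never sees a password here: registration stores a salted hash, login compares hashes in constant time, and a forgotten password is handled by a short-lived token rather than by e-mailing the password back.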

Critical Security Controls for Truly Small Businesses – Identify

I listen to a number of podcasts weekly. One of my favorites is Down the Security Rabbit Hole (#dtsr). Frequently I hear the hosts talk about focused measures and that, basically, one size does not fit all. A good example is the Critical Security Controls, initially published by SANS and the Council on Cyber Security and now maintained by the Center for Internet Security.
 
The controls fall into broad categories defined by the U.S. Government's National Institute of Standards and Technology (NIST) Cybersecurity Framework, which breaks security activities into five areas: Identify, Protect, Detect, Respond, and Recover. This blog post covers the first, Identify.
The controls as written are aimed at larger small businesses (20+ endpoints). Let's look at ways that smaller businesses with fewer endpoints can make this happen without going broke, breaking it down into items that can be completed by the business's IT person or a consultant. For a small business, the place to start is the "Quick Wins".

 

The Critical Security Controls mark seven Quick Wins in this area. Some are not so easy to implement and may require purchasing additional software and hardware to manage. But what it comes down to is really knowing what you own.

 

For example, a local accounting firm may have only five or six computers, a server, a couple of printers, and basic networking devices. For simplicity's sake, call it 10 endpoints.
Why an accounting firm? These firms typically process a considerable amount of personally identifiable information (PII) along with a good deal of financial information about their personal and business clients, which makes them a juicy target for cyber criminals.
Of the seven Quick Wins, only two are initially necessary; the others can be addressed later as the business is able. The same goes for the other items under the Identify category.
1.2 – Deploy automated asset inventory. Well, maybe not automated: a hand-developed list with manufacturer, model number, serial number, location, and assigned IP address will do. Maintain and update the list as things change within the business. Identify which pieces of hardware process or store information critical to the business; for an accountant, that is likely the server and the workstations that store client data. If you use a managed service provider, have them provide this list to you. To go with the list, draw a map showing how the network is connected.

 

2.3 – Deploy software inventory tools. Again, as with the hardware, a hand-developed list of software is all that is really necessary: developer, product, version number, and when it was last updated. A starting list can be taken from the Add/Remove Programs (Programs and Features) console. Not everything installed will appear there, but it will capture your major applications and add-ons (Adobe Acrobat, Flash, etc.).
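The hand-built lists called for in 1.2 and 2.3, and in the Asset Management item of the Be Proactive post above, become useful once something checks them. The Python below is an added example, not code from the original posts; the two CSV tables are constructed for an imaginary 10-endpoint accounting office (asset tags, serial numbers, addresses and version strings are invented), and the 90-day staleness threshold is an assumption.

```python
"""Hand-maintained hardware and software inventory for a small office, checked
for the problems a small business can actually act on.  Added example, not code
from the original posts; every row below is constructed (asset tags, serials,
IP addresses and version strings are invented)."""
import csv
import io
from datetime import date, datetime

REPORT_DATE = date(2018, 3, 1)   # fixed "today" for the demonstration

HARDWARE_CSV = """\
asset_tag,type,manufacturer,model,serial,location,ip,os_or_firmware,critical
ACC-FW01,firewall,ExampleNet,EdgeGuard 10,SN-FW-0001,server closet,192.168.10.1,firmware 1.9.4,yes
ACC-SRV01,server,Dell,PowerEdge T330,SN-SRV-0001,server closet,192.168.10.5,Windows Server 2016,yes
ACC-WS01,workstation,Dell,OptiPlex 7050,SN-WS-0001,front office,192.168.10.21,Windows 10 1709,yes
ACC-WS02,workstation,Dell,OptiPlex 7050,SN-WS-0002,front office,192.168.10.22,Windows 10 1709,yes
ACC-WS03,workstation,HP,EliteDesk 800,SN-WS-0003,partner office,192.168.10.23,Windows 7 SP1,yes
ACC-WS04,workstation,HP,EliteDesk 800,SN-WS-0004,back office,192.168.10.24,Windows 10 1709,no
ACC-PRN01,printer,HP,LaserJet M506,SN-PRN-0001,front office,192.168.10.40,firmware 2.3.1,no
ACC-PRN02,printer,HP,LaserJet M506,SN-PRN-0002,back office,192.168.10.40,firmware 2.3.1,no
ACC-CAM01,camera,ExampleCam,DoorView 2,SN-CAM-0001,front door,192.168.10.50,firmware 1.0.2,no
"""

SOFTWARE_CSV = """\
asset_tag,product,vendor,version,last_updated
ACC-SRV01,Windows Server 2016,Microsoft,14393,2018-02-13
ACC-WS01,Office 2016,Microsoft,16.0.4639,2018-02-13
ACC-WS01,Adobe Acrobat Reader DC,Adobe,18.9.20050,2018-01-09
ACC-WS02,Office 2016,Microsoft,16.0.4639,2018-02-13
ACC-WS02,Adobe Flash Player,Adobe,28.0.0.137,2017-12-12
ACC-WS03,Office 2010,Microsoft,14.0.7015,2017-06-13
ACC-WS03,Tax preparation suite,ExampleTax,2017.3,2017-11-20
"""


def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def duplicate_ips(hardware):
    """IP addresses recorded against more than one device (a typo or a real conflict)."""
    seen = {}
    for row in hardware:
        seen.setdefault(row["ip"], []).append(row["asset_tag"])
    return {ip: tags for ip, tags in seen.items() if len(tags) > 1}


def critical_assets(hardware):
    """Devices flagged as processing or storing information critical to the business."""
    return [row["asset_tag"] for row in hardware if row["critical"].lower() == "yes"]


def stale_software(software, today=REPORT_DATE, max_age_days=90):
    """Software not updated within max_age_days: [(asset_tag, product, age_days)], oldest first."""
    stale = []
    for row in software:
        age = (today - datetime.strptime(row["last_updated"], "%Y-%m-%d").date()).days
        if age > max_age_days:
            stale.append((row["asset_tag"], row["product"], age))
    return sorted(stale, key=lambda r: -r[2])


def computers_without_software_records(hardware, software):
    """Servers and workstations that have a hardware row but no software rows at all."""
    covered = {row["asset_tag"] for row in software}
    return [row["asset_tag"] for row in hardware
            if row["type"] in ("server", "workstation") and row["asset_tag"] not in covered]


def inventory_report(today=REPORT_DATE, hardware_csv=HARDWARE_CSV, software_csv=SOFTWARE_CSV):
    """The checks a small business can act on, in one dict."""
    hardware, software = load_rows(hardware_csv), load_rows(software_csv)
    return {
        "devices": len(hardware),
        "critical": critical_assets(hardware),
        "duplicate_ips": duplicate_ips(hardware),
        "stale_software": stale_software(software, today),
        "no_software_inventory": computers_without_software_records(hardware, software),
    }


if __name__ == "__main__":
    for key, value in inventory_report().items():
        print(f"{key}: {value}")
```

Two of the findings are the kind a spreadsheet hides: the two printers share an address (either a typo in the list or a real conflict on the wire), and one workstation has hardware on record but no software at all, which means nobody knows what is running on it. The staleness check also shows why the threshold matters: Flash on ACC-WS02, 79 days old on the report date, passes a 90-day test, and Flash updates far more often than that.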
By completing these two items, a small business can meet the intent of the Identify category. If you require assistance, please contact us; we will be glad to help your small business.
 
 

Incident Response – Not as simple as pulling the plug

Imagine this. You are in charge of a major bank's cyber security operations center. It is 2:10 AM and your cell phone is blowing up: the network has been compromised. The night-shift analyst has identified a worm and isolated it in... a system that controls the air conditioning at one of the branches. A threat exists, yes, but it does not warrant taking down all of the bank's networks. It does call for extra vigilance and investigation. The analyst performed all the steps outlined in the incident response plan and mitigated the threat.

A well-defined and practiced incident response plan provides the guidelines the network administrator needs to decide whether the system or network should be shut down immediately or remediated in place.

The response plan should take into consideration the criticality of the system, the value of the information, and the attack/threat characteristics. Depending on the system's or network's purpose, questions about its operation need to be answered, such as:

•    Is the system critical to life, death, or dismemberment? Will physical damage result from an attack on the system? What would happen if the device or network were disconnected or immediately shut down?
•    Does the device support critical infrastructure? Will fail-safes kick in if the system or network access is removed?
•    Is the device simply a database that contains personally identifiable information (PII) or electronic protected health information (ePHI)?
•    Is the network or device a mail server or web server?

With the systems, networks, and their criticalities identified, determine what the threat is and how pervasive it is:

•    Is it a worm?
•    Is it a botnet?
•    Is information being exfiltrated?
•    Are devices being remotely controlled preventing use?
•    What are the characteristics of the attack?

It is these types of questions that need to be answered and documented in an incident response plan.
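One way to make those questions operational is to encode them as a triage rule set that the on-call analyst can apply at 2:10 AM. The Python below is an added example, not code from the original post or from any real response plan; the system and threat attributes, the rule order and the sample scenarios are illustrative, and a real plan would tune them to its own systems.

```python
"""Containment triage encoding the questions listed in the post above.  Added
example, not code from the original post or any real bank's playbook; the
rules, attributes and sample scenarios are illustrative."""
from dataclasses import dataclass


@dataclass
class System:
    name: str
    safety_critical: bool = False        # life, limb or physical damage at stake
    critical_infrastructure: bool = False
    has_failsafe: bool = False           # does a fail-safe engage if it is cut off?
    holds_pii_or_ephi: bool = False
    public_facing: bool = False          # mail or web server


@dataclass
class Threat:
    kind: str                            # "worm", "botnet", "ransomware", "intrusion"
    exfiltrating: bool = False
    remote_control: bool = False
    degrading_now: bool = False          # already denying use of the system
    physical_damage_risk: bool = False


def containment_decision(system: System, threat: Threat):
    """Return (action, severity, reasons) for the on-call responder.
    Rules are ordered from 'stop it now' to 'watch and investigate'."""
    reasons = []
    if threat.physical_damage_risk or (system.safety_critical and threat.remote_control):
        reasons.append("attacker can cause physical harm; override the controls and stop the process")
        return "EMERGENCY_SHUTDOWN", "critical", reasons
    if threat.exfiltrating and system.holds_pii_or_ephi:
        reasons.append("PII/ePHI is leaving the network; cut egress, keep the host powered for forensics")
        return "ISOLATE_AND_PRESERVE", "critical", reasons
    if system.critical_infrastructure and not threat.degrading_now:
        reasons.append("critical service still running; move its duties elsewhere before touching it")
        if not system.has_failsafe:
            reasons.append("no fail-safe: an abrupt disconnect could do more harm than the malware")
        return "CONTAIN_IN_PLACE", "high", reasons
    if threat.remote_control or threat.degrading_now:
        reasons.append("attacker has control or the service is already unusable; isolate and fail over")
        return "ISOLATE_AND_FAILOVER", "high" if system.public_facing else "medium", reasons
    if threat.kind in ("worm", "botnet"):
        reasons.append("self-spreading code on a non-critical system; isolate its segment, not the whole network")
        return "ISOLATE_SEGMENT", "medium", reasons
    reasons.append("no active damage; investigate and monitor per the plan")
    return "INVESTIGATE", "low", reasons


def wake_the_on_call(severity: str) -> bool:
    """Is this the 2:10 AM phone call, or can it wait for the morning shift?"""
    return severity in ("critical", "high")


# Constructed scenarios drawn from the post.
BRANCH_HVAC = System("branch HVAC controller")
STEEL_MILL_FURNACE = System("blast furnace control", safety_critical=True, critical_infrastructure=True)
SUBSTATION = System("substation controller", critical_infrastructure=True, has_failsafe=True)
CLIENT_DB = System("client records database", holds_pii_or_ephi=True)

if __name__ == "__main__":
    scenarios = [
        (BRANCH_HVAC, Threat("worm")),
        (STEEL_MILL_FURNACE, Threat("intrusion", remote_control=True, physical_damage_risk=True)),
        (SUBSTATION, Threat("worm")),
        (CLIENT_DB, Threat("intrusion", exfiltrating=True)),
    ]
    for system, threat in scenarios:
        action, severity, why = containment_decision(system, threat)
        print(f"{system.name:26} -> {action:22} [{severity}] wake on-call: {wake_the_on_call(severity)}")
        for reason in why:
            print(f"    - {reason}")
```

The value of writing the rules down is the ordering: a worm on a branch HVAC controller and the same worm on a substation controller produce different answers (isolate the segment versus contain in place and migrate), and neither is "pull the plug on everything".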

A good example occurred late last year in Germany, where an attack on a steel mill caused actual physical damage. The attackers took control of a blast furnace and prevented an orderly shutdown. Technicians used immediate emergency shutdown procedures, overriding the control system at the furnace, and prevented further damage (Zetter, 2015). This example shows how removing the system from the attack prevented subsequent damage.

However, if the system is critical, like a power substation controller, and the attack vector appears to be a worm that is not immediately degrading the network or system, it may be better to leave the system running and mitigate the problem by migrating its responsibilities elsewhere before taking it down.

A case can be made either way for shutting down a system or network immediately; attack impact and system criticality must be weighed. A good response plan accounts for many such scenarios and leads to better decisions, coordination between internal and external entities, and a unified response, which ultimately limits damage and data loss.

References:
Zetter, K. (2015, January 8). A cyber attack has caused confirmed physical damage for the second time ever. Wired. Retrieved March 26, 2015, from http://www.wired.com/2015/01/german-steel-mill-hack-destruction/

Protecting Grandma’s Secret Recipe

 

Need-to-know is part of a larger program of identifying (or classifying) information as confidential or sensitive and determining who has access to that data within your business. Why is this important?

Look at it this way. A business generates a lot of information: banking details, clients, vendors, income, expenses, information technology, and so on. Each of these should be protected from people who do not need access to it to perform their job. How do you protect it?
Classify the information. Look at what you have and determine its value to your business. The following scheme is loosely based on the construct the government uses to classify information.
1. Sensitive – Information (client credit card numbers, HIPAA-protected health information, etc.) or proprietary information that, if released to the public or to competitors, would likely force you to shut your doors and go out of business. $$$$
2. Private – Information that, if released, could cost your business some customers, provide insight into the business's finances, or cause the business some embarrassment. $$
3. Public – Information releasable to the general public.
Now that you have classified the information, you need to determine who has a need to know it. For example, you run a chocolate shop and make your own chocolates. You have a secret recipe handed down from grandma that you have classified (using the guide above) as Sensitive. It would be inappropriate for the recipe to be known by the cashier, the delivery guy, the accountant, or your customers. So who has the need to know? The employees in whom you have placed a special trust and who make the chocolate using that recipe. Because those employees make the chocolate, they "need to know" the recipe; without it they cannot make it.
Special trust is similar to the clearance system the government uses to determine whether a person can be trusted with information up to a certain level. In the example above, you may have special trust in your accountant; it is need-to-know, however, that keeps the accountant from knowing the secret chocolate recipe.
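The two-part check described above, special trust (clearance) plus need-to-know, is easy to state precisely. The Python below is an added example, not code from the original post; the people, documents and compartment labels are constructed for the chocolate-shop scenario, and the rule that Sensitive data also requires a signed non-disclosure agreement is an assumption that mirrors the post's advice on NDAs.

```python
"""Classification plus need-to-know, as in the chocolate-shop example above.
Added example, not code from the original post; the people, documents and
compartment labels are constructed."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    PUBLIC = 0
    PRIVATE = 1
    SENSITIVE = 2


@dataclass(frozen=True)
class Document:
    name: str
    level: Level
    compartments: frozenset = frozenset()   # need-to-know labels, e.g. {"recipe"}


@dataclass(frozen=True)
class Person:
    name: str
    trust: Level                            # the "special trust" (clearance) level
    need_to_know: frozenset = frozenset()   # compartments this person works in
    nda_signed: bool = False


def may_read(person: Person, doc: Document):
    """Access requires trust >= classification AND every compartment label AND,
    for Sensitive data, a signed NDA.  Returns (allowed, reason)."""
    if person.trust < doc.level:
        return False, f"{person.name}: trust level {person.trust.name} below {doc.level.name}"
    missing = doc.compartments - person.need_to_know
    if missing:
        return False, f"{person.name}: no need-to-know for {sorted(missing)}"
    if doc.level == Level.SENSITIVE and not person.nda_signed:
        return False, f"{person.name}: NDA not signed"
    return True, f"{person.name}: trust {person.trust.name}, need-to-know satisfied"


def access_matrix(people, docs):
    """{(person, document): allowed} for a quick review of who can see what."""
    return {(p.name, d.name): may_read(p, d)[0] for p in people for d in docs}


RECIPE = Document("grandma's recipe", Level.SENSITIVE, frozenset({"recipe"}))
PAYROLL = Document("payroll", Level.PRIVATE, frozenset({"finance"}))
PRICE_LIST = Document("price list", Level.PUBLIC)

CHOCOLATIER = Person("chocolatier", Level.SENSITIVE, frozenset({"recipe"}), nda_signed=True)
ACCOUNTANT = Person("accountant", Level.SENSITIVE, frozenset({"finance"}), nda_signed=True)
CASHIER = Person("cashier", Level.PRIVATE)
DELIVERY = Person("delivery driver", Level.PUBLIC)
NEW_HIRE = Person("new kitchen hire", Level.SENSITIVE, frozenset({"recipe"}))  # NDA not yet signed

if __name__ == "__main__":
    people = [CHOCOLATIER, ACCOUNTANT, CASHIER, DELIVERY, NEW_HIRE]
    for (who, what), ok in sorted(access_matrix(people, [RECIPE, PAYROLL, PRICE_LIST]).items()):
        print(f"{who:18} {what:18} {'allow' if ok else 'deny'}")
```

The accountant is the instructive case: trusted to the Sensitive level and under NDA, yet denied the recipe because the "recipe" label is not among the things the accountant needs to know. Trust level alone never grants access; the compartment does.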
As part of the need-to-know process, have those employees who have access sign a non-disclosure agreement to ensure the secret recipe remains a secret. This gives you legal recourse should the recipe be released to your competitors or the public.
So as you can see, not everything in information security is directly tied to a computer. However, because this information may be processed on an information technology device, you need to protect those systems according to how you classified the information.
Our next article will discuss how to protect the secret recipe from intruders coming from the Internet.