Welcome!

This is my blog.  There are many others like it, but this one is mine…  (Full Metal Jacket)

Hopefully, I will remember to take good care of this blog, and update it often.  No promises, as real life tends to get in the way of things such as this.

The bulk of the information found here will be security awareness related, focusing on Vulnerability Management and Incident Response.  Going forward I will be trying to include more Privacy and Disaster Recovery items.  I will try not to over post with news items, and will seek to post only the news stories that I feel are relevant and important to be aware of.  Anyway, poke around, drop me a line, tell me what you think should be here, and maybe what shouldn’t.

TRADEWARS RISING

May 2018 Patch Priorities

Get patching!  Microsoft’s May vulnerability count hits 68 CVEs, 21 of which are rated critical, 45 important, and two are low impact. There are at least 2 zero-days being exploited in the wild!

1) A remote code execution vulnerability in the Windows VBScript Engine affecting all versions of Windows, first spotted being exploited by a nation-state actor three weeks ago. Dubbed ‘Double Kill’, CVE-2018-8174 can be deployed in a number of ways, including luring an IE user to a malicious website with embedded VBScript, using an ActiveX control marked ‘safe for initialization’, or via a malicious RTF file in an Office document. It gives attackers control over the victim’s computer for data theft, eavesdropping or deploying ransomware.

2) CVE-2018-8120, an elevation-of-privilege vulnerability in the Win32k subsystem of Windows 7 32/64-bit and Windows Server 2008 R2. An attacker would need to be logged into the target already in order to exploit the flaw, which is why it’s listed as ‘important’ rather than critical. Microsoft hasn’t said how it’s being exploited, but this kind of vulnerability is golden for criminals.
PATCH NOW!

Secure Job Search Tips

I have found myself between successes, and have had a little time on my hands.  I am attending courses and networking events sponsored by an international human resources consulting firm to prepare for my return to work.

As I go through their material and interact with others, it strikes me how little information is available for job seekers about the risks and mitigations to consider as one hunts for that next position.  The Better Business Bureau says that the biggest scams in 2016 involved fake employment recruiting.  In one such scam, callers “hire” people over the phone or online, and ask them for banking information so they can get paid. Instead, they get robbed.  Others involve money mule scams, and information gathering for identity theft and future employer compromise.

I recently created and shared a presentation regarding some considerations and practices that can be adopted to limit the job seeker’s exposure using information found online.  I am posting it here so that others may be aware.

Job Search Security Tips

Cyber vs Information vs IT Security

Business leaders must avoid confusing IT Security, Information Security and Cyber Security.  They are related, they share disciplines, principles, and in some cases, tactics, but they are not the same things. The approach and strategy of Cyber Security is very different from the approach and strategy of IT Security or Information Security. Confusion of these elements will prevent Executives from applying resources and capital in the most effective ways.

Each security context deals with risk introduced by different components of technology, process, and people. In many cases, when applying IT or IS practices to a Cyber Security effort, the risks that get reported often do not get mitigated because the over-arching strategy is flawed.  The findings are reported in the wrong context.

IT Security has traditionally focused on hardware and software security solutions. This approach requires healthy investments in hardware and software that must be managed, groomed and updated. This strategy usually excludes vital Information Security practices like valuation, data mapping, risk management and governance functions such as information or data classification.

In the Cyber Security context, the manager needs to develop a focus on public facing telecommunication networks and the handling of mobile equipment and media that store sensitive information.  Any public access to information electronically needs to be risk assessed and risk treated.

In the Information Security context, the manager should focus on internal access mechanisms and data flows, internal controls, audit trails, and perimeter controls.  Without all of these critical building blocks in place, the design, implementation and day-to-day operations will be incomplete. The Enterprise Information Security Program will be vulnerable.

  • IT Security focuses on securing technology through the use of primarily technological controls.  This security is intended to ensure that Information Technology works as it should, and applies policy and practice to configuration, change and other management functions.
  • Information Security focuses on securing access to proprietary information in any form, from the network core out to the perimeter, including controlling printed information and internal users. InfoSec seeks to safeguard both physical and digital data and resources from unauthorized use, access, disruption, inspection, modification, destruction or recording. This security is to protect the confidentiality, integrity, and availability of data.  In case a business is beginning to generate a security program, Information Security is where they should start since it is the foundation of the data security practice.
  • Cyber Security focuses on defending against unauthorized access to digital information only, from external networks to the perimeter. Cyber Security safeguards computers, data, and networks of an organization, defending against unauthorized digital attack, access, or damage by implementing processes, practices, and technologies. This security is to protect the data, network, and reputation of the company against electronic attack from external parties.

All of these security disciplines will overlap, as they are attempting to apply the same or similar principles within their own contexts.  Here is a handy diagram.

A holistic security strategy will contain all 3 security contexts, separated tactically, but operating harmoniously through interwoven processes.  Outputs and results from one context should feed inputs into the underlying processes of the other two.

Caution With MS13-061 !!

Microsoft has pulled its MS13-061 Exchange patch.  After reports of content damage to Exchange Server 2013 after deployment, Microsoft has withdrawn the MS13-061 update for Exchange Server released this past Tuesday.  MS13-061 is very important because it fixes a flaw that allows someone to send an email and get arbitrary code to run on the Exchange server itself.  It’s already publicly disclosed so expect the bad guys to move on this quickly.

Problems do not affect Exchange Server 2007 or 2010 and Microsoft says that those versions can proceed with testing and deployment.  In the meantime, they have removed the patch from Windows Update and other distribution systems.

Knowledge Base article KB2874216 explains the problem in more detail and provides remediation guidance.

Problems:

  • The content index (CI) for mailbox databases shows “Failed” on the affected server.
  • The Microsoft Exchange Search Host Controller service is missing.
  • You see a new service that is named “Host Controller service for Exchange.”

The KB article describes 2 registry key changes to make. After rebooting the server, the problem should be bypassed.
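As an added example that is not from the blog post or the KB article: a PowerShell check, run in the Exchange Management Shell on an Exchange 2013 server, that looks for the three symptoms listed above so an admin can tell whether a server took the bad update. It assumes the service display names are exactly as quoted in the post and that Get-Service and Get-MailboxDatabaseCopyStatus are available; it only reports, and deliberately makes no registry changes, because the keys are described in KB2874216, not here.

```powershell
# Added example (not the blog's or Microsoft's code). Run in the Exchange Management Shell.
# Assumptions: service display names match the post's wording; the server hosts mailbox
# database copies so Get-MailboxDatabaseCopyStatus returns rows for it.

$expectedService = 'Microsoft Exchange Search Host Controller'   # should be present
$unexpectedService = 'Host Controller service for Exchange'      # symptom: appears after the bad patch
$server = $env:COMPUTERNAME

$findings = @()

# Symptom 2: the normal Search Host Controller service is missing
$svcExpected = Get-Service | Where-Object { $_.DisplayName -eq $expectedService }
if (-not $svcExpected) {
    $findings += "Expected service missing: '$expectedService'"
}

# Symptom 3: a new, unexpected service name is present
$svcUnexpected = Get-Service | Where-Object { $_.DisplayName -eq $unexpectedService }
if ($svcUnexpected) {
    $findings += "Unexpected service present: '$unexpectedService' (status: $($svcUnexpected.Status))"
}

# Symptom 1: content index (CI) for mailbox database copies on this server shows Failed
$failedCopies = Get-MailboxDatabaseCopyStatus -Server $server |
    Where-Object { $_.ContentIndexState -eq 'Failed' }
foreach ($copy in $failedCopies) {
    $findings += "Content index Failed: $($copy.Name)"
}

if ($findings.Count -eq 0) {
    Write-Output "No MS13-061 symptoms detected on $server"
} else {
    Write-Output "MS13-061 symptoms detected on ${server}:"
    $findings | ForEach-Object { Write-Output " - $_" }
    Write-Output "See KB2874216 for the documented remediation steps."
}
```

The script is read-only by design: the point is to find affected servers quickly across an environment (it is easy to wrap in Invoke-Command for a list of hosts), then apply the KB's remediation deliberately rather than scripting registry edits whose values this post does not give.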

That is 2 months in a row that MS has pulled a buggy patch back from distribution.

OpenX Ad Server Source Compromised

OpenX is a tool used by hosting providers and webpage developers to provide ads on webpages.  Rotating banner ads have been an attack vector that has been quite popular and effective in the recent past.  This is probably one reason why.

An announcement this week from the OpenX ad server team noted that a backdoor had recently been discovered in their official source code distributions, that has been present since November 2012.  This vulnerability only applies to the free downloadable open source product, OpenX Source.

Exploitation is occurring in the wild, with attacks consisting of simple POST requests to a specific file that allows for remote code execution on the affected server. Users are urged to follow instructions being provided by the community for checking their servers, and rebuilding any that are impacted immediately.

Importance of Security in Small Business

No business is too small to implement good basic information security practices. Small businesses are linked to other small and larger businesses.  They provide an immediate source of soft targets, and can even stream an attacker into the supply chain.

As the infographic at B2C shows, threats lurk around every corner, endangering the survival of small businesses. B2C also provides some startling statistics related to the attitude of small businesses towards information security.

  • 24.6 million small businesses in the US.
    • 25% do not shred their documents.
    • 27% have never completed an information security risk assessment.
    • 36% have no policies for storage or disposal.
    • 31% have never trained employees regarding the importance of information security.
  • There are 2.3 million small businesses across Canada.
    • 47% believe a security breach would not impact their business.
    • 28% are not aware of legal compliance and legislation issues that apply to their business.
    • 35% don’t have a protocol for storage and disposal of confidential data.
    • 56% don’t have a secure method of document disposal.

Is it any wonder why so many small businesses fail, and we have so many issues with security?

Sensationalist Security Journalism

I just read a post on “21st Century IT” that states “So when a white hat hacker approaches you with information regarding a vulnerability in your network, they should be thanked, not treated like a criminal...”

These reporters decided to take advantage of the fact that a company had exposed sensitive information in order to write up yet another exploitative article. If they were acting ethically, they would have notified the company discreetly, rather than demanding the COO give an on-camera interview regarding the issue. Look up the term “responsible disclosure”.

They are not white hat hackers, they are sensationalist journalists.  If they downloaded the files, their actions are in conflict with the law.

If you had left your back door unlocked, would you appreciate me rattling the doorknob, then posting a big neon lit sign on your front door advertising the fact that the back door is wide open?  Would you mind if I took your TV and microwave just to prove to your neighbors that I had done it?  Yes, the company handled the data poorly. Yes, they should be accountable for handling the data poorly. Yes, the reporters COULD have done the public a service by bringing the issue to the company’s attention with screenshots. Yes, the reporters should expect to be treated in a hostile manner, as that is what they have projected.

Just my humble opinion.

Enterprise Information Security, is it BROKEN??

An industry reporter asked me a couple of pointed questions recently as part of an interview for a feature article.  He wanted to know if I felt that Enterprise Information Security was broken, and what could be done to fix it.

“Given the increasing number of denial of service attacks, Java exploits, break-ins, malware delivered by spam etc. , is Enterprise Security broken?”

No, I don’t believe that Enterprise Security is broken.  I do believe that some of the fundamental assumptions that we in the Information Technology industry made early on in IT and communication development were flawed and are now being abused.  Enterprise Information Security, a strategic model whose intent is to formalize and promote security practices in a consistent manner across an organization, remains a fundamentally correct objective.

One of the biggest concerns that I have had over my 30+ year IT career has been that of consistency.  Remember that Information Security as a recognized discipline didn’t exist when Information Technology was born, and came about well after IT and technology had started to mature.  We built the communications protocols at the heart of TCP/IP to support and focus on resilience, continuity, and speed.  The naive belief was that if a set of rules was cast that delivered reliable communication, the job was pretty much done.  The entire concept was based on trust.  What else could you possibly want?

What was missing was consideration of the human factor; an authentication layer, a repudiation criteria, the guarantee of confidentiality, the assurance of data integrity, and the practices of controlled access and least privilege.

People are creative, curious, and in many cases, selfish creatures.  If they find a weakness in an application, or a way to take advantage of a process that will provide them with notoriety, wealth, or some other desired benefit, I guarantee that it will be exploited.  Look at how games get hacked for online gold, extra advantage, or simply bragging rights, to underline the problem.  The abuser doesn’t consider or perhaps even care that the author views the game as years of work and a revenue stream, and doesn’t gauge the impact that player actions have on the developers’ livelihood.  They just want the desired item.

Until we can replace or rebuild the TCP/IP suite with those missing pieces at its core, we need to put in place a governance and architectural model, policies, processes, standards, controls and guidance that, when taken together, provide a consistent information security architecture.  That architecture should apply evenly across the enterprise, not only to this group or that region, and should be able to manage and adapt to the upcoming disruptive factors that will make up our IT world in the future.

“What are some of these recent disruptive factors?”

  • BYOD – Employees recently fell in love with the idea of using their own smartphones and tablets for work.  Management embraced the concept, since it enhanced the bottom line, eliminating the need to purchase and maintain hardware that tends to become obsolete within a calendar year anyway.

BYOD introduced consumer tech into the enterprise, and although I like others resisted it, we all knew it was inevitably going to happen.   These new consumer devices come with all of the warts that you would expect from a consumer device; no standard image, little focus on security and data protection, few points of control, fewer points of integration, and no separation of personal versus corporate identities.

Employees are just now beginning to question how deep they will let work intrude into their personal lives.  Did IT just turn their beloved smartphone into a tracking device?  Can the company now monitor and examine their personal emails, chats, and browsing habits?   Employees are beginning to resent that personal time is now becoming potentially unpaid work time.  Managing these challenges must be part of the new Information Security Architecture.

  • Malware – Malicious software has evolved from a nuisance to a plague.  It’s been monetized, and has grown into a full blown industry unto itself.  Malware is now custom developed, the developers are organized, and they coordinate their efforts.  Some of them specialize, and offer their services to one another, mercenary style.  Our vendors need to do the same, and change the model from signature based detection to signature, characteristic (white-listing), and behavior based protection.  All of them, not one of them.

Vendors also need to move away from the “backwards compatible with everything” development model.  Bloating code to support multiple Operating Systems, especially those that are no longer being developed or supported by their creators, perpetuates vulnerabilities on several fronts.  It potentially brings all of the previous versions’ vulnerabilities into the new version, it perpetuates the existence of outdated software amongst businesses and home users, and it complicates business processes like asset and license management.  All of these result in a larger attack surface to be exploited, and liabilities to customer organizations.

Malware distribution is undergoing a major shift.  It is moving away from wide distribution meant to have the maximum effect on a target rich environment, and from quick in – acquire target – quick out blitzing strategies, toward custom-made malware with no signature available, targeted to a specific industry, business, or user to limit solution development, and placed where it will be most effectively consumed by the target.  The new malware is being tweaked to avoid detection, doing nothing observably destructive, and maintaining a discreet profile for as long as possible.  It stays in the environment, collecting information, trickling out intelligence, and potentially offering backdoor access for its author or owner.  These little nasties tend to stay embedded within an organization for years.

  • Data Leakage –  I used to worry about the impacts malware had, the downtime it incurred, the mess it made, and the time it takes to clean up after an infection.  Incident Response, Business Continuity and Disaster Recovery practices have matured, alleviating the bulk of those concerns, and now I don’t have to worry as much about what sort of malware gets into the environment.  Over the years, I have adopted an attitude that concerns itself more and more with egress management.  I now worry more about what data is getting out.  In order to maximize my nightly pillow time, I develop or procure capabilities to monitor traffic flows, and to identify the types of documents, contents of documents, and other materials that should not be leaving the network.

The challenges here are accounting for every egress method, every potential removal vehicle, every characteristic that makes a document sensitive, and dealing with each one in an appropriate and manageable fashion.  The electronic communications are the low hanging fruit, they are easily monitored.  It is the physical devices that pose the greatest challenges.

  • Next Generation Firewalls – The Internet Protocol suite was built to support communication using a set of rules, identifying specific ports and protocols, packet and frame sizes, and expecting specific content to be in each frame.  The developers assumed that applications and people would operate within those rules.  We also assumed that technology would present a perimeter that could be easily controlled and managed.  If the protocol used matched the port designated for it, and that port/protocol set was allowed to pass through the firewall, it was all good.  Unfortunately, attackers do not play by those rules.  They use them against us.

Next Generation Firewalls are emerging that analyze relationships and behaviors.  They inspect traffic to ensure that someone or something is accountable for each packet on the network, that it fits within an expected data request stream, conforms to much more granular rules based on expected and observed behavior, and that it is shaped and formed the way the rules expect it to be.

  • The Cloud – Every silver lining has a cloud, and every cloud has security implications.  We experimented in the past with out-sourcing our IT worker bees in order to save costs.  In some places that was successful, and not so successful in others.  We are now doing the same thing with applications, services, data, and infrastructure.  The risks to those assets remain the same, but we are now concentrating those assets along with many other assets in one place, and giving up visibility and control, while increasing the value of the hosting target.

The arguments make sense: we are not an IT company, so why do we need to invest in so much hardware, software, and staff to maintain it?  Someone else can do this better, focus entirely on it, and save us money by providing it to the masses as a Service. The other side of the coin is that the risks don’t go away, the liabilities don’t go away, but the ability to directly control and manage the out-sourced entities becomes more difficult.  Accountability becomes fuzzy, but ultimately lies with the data owner, not the hosting company.  In a cloud-based model, you are trusting someone else to do a better job of managing and protecting your data, you are trusting them not to misuse your data, and you are trusting them to provide access to the right people while blocking access of the wrong folks.  Audit and Compliance issues become evident.

Ultimately, if this new juicy data target is breached by someone attacking you or one of the many other customers that use this service, your data may be exposed, and your business is liable and accountable.  Your data may not even be exposed, but if you use the breached vendor’s services, the perception may be that you were breached.  Your customers won’t care if the breach happened at your data center or your provider’s.  You were trusted with their data, and it was at risk of exposure on your watch.  You may also increase your dependency on the cloud service, and that increases your susceptibility to denial of service attacks.

  • Attacker Motivation & Capability – The enemy has found that those annoying virus and worm characteristics developed in the past for notoriety or destructive power can be used for financial gain and espionage, and they have gotten organized.  The dark side has put forth significant effort into developing a diverse set of tools, expertise, and strategies.  We need to model our defenses after those of the attackers.  Vendors need to start integrating, working together, and providing the enterprise with consumable, actionable, accurate intelligence about what is going on inside and outside of their networks.  SIEM is a step in the right direction, but let’s not stop walking forward.

“Do we need a fundamental change in the way enterprises approach/design security?”

Here, I would say yes, and I believe that this change has been cooking along for quite some time in a very slow, “bolt-it-on” fashion.  Technology changes seem to be revolutionary, coming out of nowhere and establishing themselves quickly in response to disruptive factors and needs.  Changes in protection capabilities tend to be evolutionary, taking their own sweet time to develop and mature in reaction to unforeseen circumstances that arise post-implementation of technology.  Physicist Niels Bohr said, “Prediction is very difficult, especially if it’s about the future.”

We in IT as an industry, and businesses in general, need to realize that the perimeter is continuing to melt, to focus on monitoring the network and protecting the data, to insist on integration and increased visibility, and to demand built-in security from our products, vendors, service providers, and business partners.  Enterprise Information Security offers a conduit through architecture and governance to provide a well thought out strategy that can adapt and react to disruptive advancements in technology.  It lays the groundwork, and operates best by implementing consistent governance over people, processes and technology at the enterprise level for the purpose of supporting management, operation, and the protection of information and assets.

Security Under Fire

Here is an interesting article that talks about emerging technologies and the vulnerabilities, threats, and risks that they increase as they are adopted.  Several experts are interviewed in the article, and although their experiences vary, they are consistent for the most part in their opinions that businesses are scrambling to adopt these technologies fast, and to figure out how to secure them.  Good work Howard!

Computing Canada – May 2013 Read it now: http://epubs.itworldcanada.com/i/129542/23