May 2018 Patch Priorities

Get patching! Microsoft's May release addresses 68 CVEs: 21 rated critical, 45 important and two low. At least two of them are zero-days already being exploited in the wild.

1) A remote code execution vulnerability in the Windows VBScript engine affecting all supported versions of Windows, first seen exploited by a nation-state actor about three weeks ago. Dubbed 'Double Kill', CVE-2018-8174 can be delivered in several ways: luring an Internet Explorer user to a malicious website that embeds VBScript, through an ActiveX control marked 'safe for initialization', or via a malicious RTF document whose embedded object loads the IE engine when the file is opened in Office. A successful exploit runs code as the current user, giving the attacker control of the victim's computer for data theft, eavesdropping or deploying ransomware.

2) CVE-2018-8120, an elevation-of-privilege vulnerability in the Win32k subsystem of Windows 7 (32- and 64-bit) and Windows Server 2008 R2. An attacker already needs to run code on the target, which is why it is rated 'important' rather than critical. Microsoft hasn't said how it is being exploited, but a kernel privilege escalation like this is golden for criminals: chained with a remote code execution bug such as the VBScript flaw above, it turns a browser compromise running as the user into SYSTEM.

Secure Job Search Tips

I have found myself between successes, and have had a little time on my hands. I am attending courses and networking events sponsored by an international human resources consulting firm to prepare for my return to work.

As I go through their material and interact with others, it strikes me how little information is available for job seekers about the risks and mitigations to consider as one hunts for that next position. The Better Business Bureau says that the biggest scams in 2016 involved fake employment recruiting. In one of these scams, callers "hire" people over the phone or online, and ask them for banking information so they can get paid. Instead, they get robbed. Others involve money mule scams, and information gathering for identity theft and future employer compromise.

I recently created and shared a presentation regarding some considerations and practices that can be adopted to limit the job seeker’s exposure using information found online.  I am posting it here so that others may be aware.

Job Search Security Tips

Cyber vs Information vs IT Security

Business leaders must avoid confusing IT Security, Information Security and Cyber Security. They are related, they share disciplines, principles and, in some cases, tactics, but they are not the same thing. The approach and strategy of Cyber Security is very different from the approach and strategy of IT Security or Information Security. Confusing these elements will prevent executives from applying resources and capital in the most effective ways.

Each security context deals with risk introduced by different components of technology, process and people. In many cases, when IT or IS practices are applied to a Cyber Security effort, the risks that get reported do not get mitigated, because the over-arching strategy is flawed: the findings are reported in the wrong context.

IT Security has traditionally focused on hardware and software security solutions. This approach requires healthy investments in hardware and software that must be managed, groomed and updated. This strategy usually excludes vital Information Security practices such as valuation, data mapping, risk management, and governance functions such as information or data classification.

In the Cyber Security context, the manager needs to focus on public-facing telecommunication networks and on the handling of mobile equipment and media that store sensitive information. Any electronic public access to information needs to be risk assessed and risk treated.

In the Information Security context, the manager should focus on internal access mechanisms and data flows, internal controls, audit trails and perimeter controls. Without all of these critical building blocks in place, the design, implementation and day-to-day operations will be incomplete, and the Enterprise Information Security Program will be vulnerable.

  • IT Security focuses on securing technology through primarily technological controls. This security is intended to ensure that Information Technology works as it should, and applies policy and practice to configuration, change and other management functions.
  • Information Security focuses on securing access to proprietary information in any form, from the network core out to the perimeter, including control of printed information and internal users. InfoSec seeks to safeguard both physical and digital data and resources from unauthorized use, access, disruption, inspection, modification, destruction or recording. Its purpose is to protect the confidentiality, integrity and availability of data. A business that is just beginning to build a security program should start with Information Security, since it is the foundation of the data security practice.
  • Cyber Security focuses on defending against unauthorized access to digital information only, from external networks to the perimeter. Cyber Security safeguards an organization's computers, data and networks, defending against unauthorized digital attack, access or damage by implementing processes, practices and technologies. Its purpose is to protect the company's data, network and reputation against electronic attack from external parties.

All of these security disciplines overlap, as they attempt to apply the same or similar principles within their own contexts. Here is a handy diagram.

A holistic security strategy will contain all three security contexts, separated tactically but operating harmoniously through interwoven processes. Outputs and results from one context should feed inputs into the underlying processes of the other two.

Caution With MS13-061 !!

Microsoft has pulled its MS13-061 Exchange patch. After reports that the update breaks the content index on Exchange Server 2013, Microsoft has withdrawn the MS13-061 update for Exchange Server released this past Tuesday. MS13-061 matters because it fixes flaws in the Oracle Outside In document-parsing libraries that Exchange uses for WebReady Document Viewing: a specially crafted attachment, previewed by a user in Outlook Web App, can run arbitrary code on the Exchange server itself in the context of the transcoding service. The underlying issues are already publicly disclosed, so expect the bad guys to move on this quickly.

The problems do not affect Exchange Server 2007 or 2010, and Microsoft says that those versions can proceed with testing and deployment. In the meantime, the Exchange 2013 patch has been removed from Windows Update and other distribution systems.

Knowledge Base article KB2874216 explains the problem in more detail and provides remediation guidance. Symptoms on an affected Exchange 2013 server:

  • The content index (CI) for mailbox databases shows "Failed" on the affected server.
  • The Microsoft Exchange Search Host Controller service is missing.
  • You see a new service that is named “Host Controller service for Exchange.”

The KB article describes two registry changes to make. After the server is rebooted, the problem should be resolved.

That is two months in a row that Microsoft has pulled a buggy patch back from distribution.

OpenX Ad Server Source Compromised

OpenX is a tool used by hosting providers and web developers to serve ads on web pages. Rotating banner ads have been a popular and effective attack vector in the recent past. This is probably one reason why.

An announcement this week from the OpenX ad server team noted that a backdoor had recently been discovered in their official source code distributions, and that it had been present since November 2012. The issue applies only to the free downloadable open source product, OpenX Source; the hosted service is not affected.

Exploitation is occurring in the wild, with attacks consisting of simple POST requests to a specific file that allow remote code execution on the affected server. Users are urged to follow the instructions being provided by the community for checking their servers, and to rebuild any that are impacted immediately. Note that a compromised download means a clean-looking install is not proof of a clean server: verify the deployed tree against a known-good copy rather than trusting the copy you downloaded.
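A backdoor that ships inside an official distribution defeats the usual "did anyone tamper with my install?" check, because the reference copy is itself tainted. The script below is an added example of the kind of check a practitioner would run on a deployed PHP web application such as OpenX Source; it is not the community's published check and not the project's own code. It does two things: compares every file's SHA-256 against a manifest built from a separately obtained, trusted copy of the same release (added, missing and modified files are all reported), and flags PHP open tags inside files whose extension says they should be static (JavaScript, CSS, images), since server-side code hidden in a static asset is a common way to smuggle a web shell past review. The directory layout, file names and payload in the sample tree are constructed for the demo; the PHP block it plants is an inert placeholder, not a real backdoor.

```python
"""Integrity scan for a deployed web-app tree (for example an OpenX Source install).

Check 1: diff SHA-256 hashes of the deployed tree against a known-good manifest.
Check 2: flag PHP open tags in files that should be static assets.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Extensions that must never contain server-side code (assumption: adjust per app).
STATIC_EXTS = {".js", ".css", ".png", ".gif", ".jpg", ".svg", ".txt", ".html"}
# Matches "<?php" or the short echo tag "<?=" anywhere in the file bytes.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def rel(root: Path, p: Path) -> str:
    return str(p.relative_to(root)).replace(os.sep, "/")


def build_manifest(root: Path) -> dict:
    """Map of relative path -> sha256 for every regular file under root."""
    return {rel(root, p): sha256_file(p) for p in sorted(root.rglob("*")) if p.is_file()}


def diff_manifest(known_good: dict, deployed: dict) -> dict:
    """Report files added to, missing from, or changed in the deployed tree."""
    added = sorted(set(deployed) - set(known_good))
    missing = sorted(set(known_good) - set(deployed))
    modified = sorted(p for p in known_good if p in deployed and known_good[p] != deployed[p])
    return {"added": added, "missing": missing, "modified": modified}


def find_php_in_static(root: Path) -> list:
    """Static-looking files (by extension) that contain a PHP open tag."""
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in STATIC_EXTS and PHP_TAG.search(p.read_bytes()):
            hits.append(rel(root, p))
    return hits


def demo() -> dict:
    """Constructed sample: a trusted tree and a deployed copy with one tampered asset
    and one file that is not part of the release. Returns the combined report."""
    base = Path(tempfile.mkdtemp())
    pristine, deployed = base / "pristine", base / "deployed"
    for root in (pristine, deployed):
        (root / "plugins" / "player").mkdir(parents=True)
        (root / "www").mkdir()
        (root / "www" / "index.php").write_text("<?php echo 'ad server'; ?>\n")
        (root / "plugins" / "player" / "player.min.js").write_text("function play(){}\n")
    # Deployed copy: the JS asset has grown a PHP block (inert placeholder, not a real backdoor).
    (deployed / "plugins" / "player" / "player.min.js").write_text(
        "function play(){}\n<?php /* PLACEHOLDER */ ?>\n")
    # Deployed copy: an extra PHP file that the release never shipped.
    (deployed / "www" / "extra.php").write_text("<?php ?>\n")

    report = diff_manifest(build_manifest(pristine), build_manifest(deployed))
    report["php_in_static"] = find_php_in_static(deployed)
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In real use, build the manifest from a copy whose hash you have confirmed out of band (a vendor-published checksum or a copy from a second, independent source), not from the tarball that was already on the server; a manifest taken from a tainted download would simply agree with the backdoored file. The `index.php` hit is not reported because `.php` files are expected to contain PHP; only the static asset is flagged.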


Importance of Security in Small Business

No business is too small to implement good basic information security practices. Small businesses are linked to other small and larger businesses. They provide an immediate source of soft targets, and can even give an attacker a path into the supply chain.

As the infographic at B2C shows, threats lurk around every corner, endangering the survival of small businesses. B2C also provides some startling statistics on the attitude of small businesses towards information security.

  • 24.6 million small businesses in the US.
    • 25% do not shred their documents.
    • 27% have never completed an information security risk assessment.
    • 36% have no policies for storage or disposal.
    • 31% have never trained employees regarding the importance of information security.
  • There are 2.3 million small businesses across Canada.
    • 47% believe a security breach would not impact their business.
    • 28% are not aware of legal compliance and legislation issues that apply to their business.
    • 35% don't have a protocol for storage and disposal of confidential data.
    • 56% don't have a secure method of document disposal.

Is it any wonder why so many small businesses fail, and we have so many issues with security?

Sensationalist Security Journalism

I just read a post on "21st Century IT" that states "So when a white hat hacker approaches you with information regarding a vulnerability in your network, they should be thanked, not treated like a criminal..."

These reporters decided to take advantage of the fact that a company had exposed sensitive information in order to write up yet another exploitative article. If they were acting ethically, they would have notified the company discreetly, rather than demanding the COO give an on-camera interview regarding the issue. Look up the term "responsible disclosure".

They are not white hat hackers, they are sensationalist journalists. If they downloaded the files, their actions are in conflict with the law.

If you had left your back door unlocked, would you appreciate me rattling the doorknob, then posting a big neon-lit sign on your front door advertising the fact that the back door is wide open? Would you mind if I took your TV and microwave just to prove to your neighbors that I had done it? Yes, the company handled the data poorly. Yes, they should be accountable for handling the data poorly. Yes, the reporters COULD have done the public a service by bringing the issue to the company's attention with screenshots. Yes, the reporters should expect to be treated in a hostile manner, as that is what they have projected.

Just my humble opinion.