Week 10 – Developing Action Plans

Security reviews are not complete without a developed action plan. The action plans provides guidance and a path toward mitigating threats. Over the last couple of weeks I have had the opportunity to develop an action plan for a fictional organization as part of my studies.

When building upon findings that already exist, the development of an action plan is not overly difficult. Threats have already been identified and documented, so the creation of a mitigation plan is the next logical step. What can be challenging is understanding the customer’s environment so that the action plan makes sense and can be followed.

During security assessments, assessors should learn enough about the network to provide reasonable actions based on the threats found. At the beginning of the term, we worked through some discovery exercises and eventually created a network diagram. This diagram, along with other reports provided within the case study allowed me to design an action plan that the team should be able to follow and implement with little trouble.

An action plan may contain guidance that is difficult to implement. In our case study, senior management was against securing their wireless network. A lot of times these types of directives are political in nature. Political battles are some of the hardest for IT teams to win. Other action items may take several months or even years for teams to implement. In these situations, the action plan will provide high-level guidance but the team will need to create a more detailed project plan that helps them through the change process.

Action plans are a key part of any security assessment. These high-level guidelines help teams reduce their risk and improve the security posture of the organization. Some actions will be more difficult to implement than others, especially actions that require changing user behavior or deploying stricter security controls.

 

Week 9 – Attackers are Moving Quickly

Last week Cisco disclosed a bug that affected their firewall platform – the Adaptive Security Appliance (ASA). Ranked as a severity 10 vulnerability (the highest available), the bug likely affects millions of firewalls across the globe. Should an ASA be compromised, attackers could gain administrative access to the device and watch all traffic going through the device.

Even though the bug is severe, what is more interesting is how quickly it is being exploited. Within two weeks of the bug being disclosed to customers, Cisco’s own Product Security Incident Response Team began seeing exploitation of the code! Others have reported seeing exploits in the wild and that is concerning for many reasons.

Oftentimes IT teams will wait for a scheduled patch window or use some other window as a way to apply patches. This can delay the application of a patch by weeks or even months. With this particular bug, attackers are beginning to take advantage very quickly. If this trend continues, teams will need to rethink their patch strategies. Two weeks is hardly enough time to thoroughly test a patch, let alone get it deployed!

It may be time for IT teams to start rethinking their patch strategies. At the same time, manufacturers must find ways to patch systems with limited impact when possible.

Week 8 – Harry and Mae’s Seems All too Real

Harry and Mae’s is a fictional company that has been used for case studies throughout my master’s studies. The company seems to operate as many do – focus on growth, worry about security later. This mindset is dangerous, but is a common one in my experience. It is easy for organizations to forego security in their infancy, however it is hard to implant security after the growth has happened.

At Harry and Mae’s company leadership seems to view security as an inconvenience, possibly a growth inhibitor. They provide open wireless access, but fail to segment it from the rest of the network, ignore network operating system updates, and pretend that just because there is a firewall in place they are secure. As a result, several case studies revolve around a data leak at Harry and Mae’s.

Even though Harry and Mae’s is a case study, I have to believe that most businesses act this way as well. In my experience, small organizations fail to implement basic controls – passwords, backups, etc. Instead, they believe they are too small to be attacked. This simply is not true anymore.

In my own hometown (population < 50,000) a small health clinic was attacked. It turns out they refrained from implementing basic security controls and were an easy target. Once the data was compromised, the clinic had to inform all current and former patients of the breach. With some basic protection, this breach could have been avoided. It is important for companies big and small, old and new to implement security policies and controls as soon as they can. Changing a culture is hard to do, startups should focus on security first – it will serve them well as they mature.

 

Week 7 – Why We Ignore Security Requirements

In my prior roles as a network administrator I always wondered why user’s would ignore security requirements outlined by IT? The policies we put forth were not over-the-top nor did they purposely interfere with the day-to-day work of our users, at least not through our eyes. Simple things like 90 day password resets, annual training, and other common policies were all in place so that we could “protect our users.” What usually happened was that IT would find sticky notes with passwords, and users that would try to skirt the rules for reasons we simply could not understand.

I am no longer a member of an IT department, instead I am a user of IT resources at a different company. This company has similar, if not more stringent policies and because of that I have begun to realize why users ignore policy. Turns out, I needed to view things through a different lens.

IT administrators spend their days working with infrastructure, logging in and out of servers, systems, and monitoring tools. I would guess that I switched between systems and logged in to them at least fifteen times a day, if not more. Now, as a user, I login to my laptop and a handful of applications. Network administrators read blogs, watch the news, and stay up-to-date on the latest security trends. A nurse, accountant, or HR rep reads blogs and news related to their job function. Network administrators understand the risk of leaving data unprotected. Staff members understand the frustration of not being able to access a spreadsheet that they need to access before the end of the day.

What I have determined from being on both sides of the coin is that IT teams must find creative ways to engage employees about security. IT must realize that even though security is “everyone’s job,” it may not be everyone’s top priority. Instead of forcing more bad training on everyone, IT should work to understand how they can make security automatic – enterprise password managers, SSO, etc. Ultimately, a little empathy might go a long way to securing our enterprises and data.

Week 6 – Other Security News Sources

In my week 2 post I linked to several websites that I use to get notifications about new vulnerabilities. Oftentimes these vulnerability databases are not quite enough and administrators need more context on how the vulnerability is being used in the wild. When I need more context about vulnerabilities or security news in general, these are the sites that I use –

Talos Intelligence

Talos was also included in my Week 2 post, but their site is worthy of another mention, especially the blog and podcasts sections. In Week 2, I detailed their excellent vulnerability database, but the Talos blog and podcast are excellent ways to learn about attacks and how they work. Talos posts about a new attack nearly every week and their podcast happens on a regular basis as well.

Security Now Podcast

The Security Now Podcast, hosted by Steve Gibson and Leo Laporte is a weekly, long-form podcast, with most episodes extending past two hours. Steve and Leo try to cover the entire security industry and do a great job of explaining things in a way that makes sense. Recently they covered Spectre and Meltdown, but also cover malware attacks and other security issues.

Krebs on Security

A post like this would not be complete without mentioning Krebs on Security. Brian Krebs may be the most famous security journalist in the world. His investigative journalism is so good that he often receives threats from the people behind the attacks he exposes. Somewhat famously, he website was knocked offline by the biggest DDoS attack ever seen. The attack was so strong that Krebs’ CDN was forced to take his site offline. If nothing else, this proves that Krebs is an expert in the industry and his blog should be on everyone’s reading list.

Week 5 – Halfway through the last term!

The end of this week marks the downhill side of my final term at Bellevue University. Shortly I will have finished up my Master’s Degree in Cybersecurity. While this is a large accomplishment, my final courses have continued to reinforce that there is always something new to learn. Writing these blog posts is a portion of the assignments for Current Trends in Cybersecurity. The other part of the course deals with threat modeling, something I have little experience with.

Threat Modeling is a concept that requires developers to always study and potentially mitigate threats that their software is susceptible toward. It is an interesting topic and one that has sparked some interest in me. The book and coursework is based on principles established by Microsoft and I have learned a great deal. However, it has also raised several questions for me. The most pressing question is – are startups using threat modeling in their products?

With the startup culture taking over silicon valley and most other development shops across the world, programming practices have changed substantially. Companies now work in sprints, and incubate products quickly to get them out the door. Often times startups refer to their products as minimum viable product (MVP), meaning there are just enough uses for the product that it can be shipped with additional features being added later. This is a great strategy for cash strapped companies to start turning a profit and paying back investors. However, as we look at CES 2018 and other events where every device and gadget is now connected to the internet, I have to question whether everything has been properly vetted and secured.

This topic is nothing new, security analysts have been discussing compromised IoT devices for ages, but it is an important topic. If companies are not focused on security from the start, it can be hard to bolt-on later. Security must come first, even with a minimum viable product.

Dan

Week 4 – Intel’s Vulnerability and It’s Impact

Earlier in the week, two severe vulnerabilities that affect Intel, AMD, and ARM processors were leaked to the media. These vulnerabilities – Spectre and Meltdown are serious and affect nearly every server, computer, and other device in the world. Intel seems to be taking the brunt of the publicity, likely because they own such a large percentage of the overall market.

The vulnerabilities were discovered by a team a Google and their write-up is here. Some key takeaways are that they successfully exploited the vulnerability on server processors, desktop processors, and even a mobile phone processor. Overall, this means that the vulnerability is far reaching and could be used in nearly any situation.

Russell Brandom of The Verge wrote an article earlier this week about how the largest impact will be felt by cloud providers. I could not agree more, but am also concerned about IoT devices and other devices that utilize x86 CPU. Many network infrastructure devices have x86 CPUs in them today. Firewalls, network switches, and routers all leverage chips that are now vulnerable and, in one case, can only be patched by replacing the chip.

This is problematic in many ways. Updating microcode on a processor requires network hardware to be rebooted, causing outage. Many organizations are going to have to take down important systems to patch the affected devices. Even still, that will only fix one of the vulnerabilities.

Originally, the CERT notification for Spectre and Meltdown listed CPU replacement as the solution. However, as noted by The Register, the notification has since been updated to include patches as solution.  The Register argues that chip manufacturers are in “denial” about their patches being a permanent fix and that chip replacement is still the most likely fix.

It will be interesting to watch this play out. While CSP’s rush to patch their respective clouds, I worry most about network infrastructure and IoT devices. Two platforms that rarely get updates, but will desperately need them soon.

Week 3 – Kali Linux and InSpy

Kali Linux is a useful tool for security practitioners and those that want to learn about cybersecurity. The Linux distribution, formerly known as BackTrack, was renamed Kalie Linux in 2013. The distribution contains hundreds of useful utilities and tools to help security professionals test their security posture.

In November 2017, the 2017.3 release of Kali Linux was uploaded for distribution. Four new tools were included in the update, one of which is InSpy.

InSpy is a useful social engineering tool. Focused on crawling LinkedIn, InSpy will gather intelligence about a companies job listings and employees. For security testers, this could be useful to ensure that HR departments are building job listings that meet security standards. It can also be helpful with determining employee compliance with social networking policies.

From a different perspective, InSpy could be really useful when doing reconnaissance on a business. Targeted phishing attempts could be launched by using the EmpSpy function of InSpy. Using this function, the tool will crawl LinkedIn for employees who work at a specific company and provided a list of employee names, titles, and email addresses.

With tools like this openly available, organizations must begin crafting a social media policy that includes special provisions for what information is shared. For instance, a policy could indicate that employees only use personal email addresses on LinkedIn and refrain from sharing which departments they work for.

InSpy and Kali Linux information can be found here – https://tools.kali.org/information-gathering/inspy

Week 2 – Finding Vulnerability Information Online

There are many sources available online to track down vulnerability and threat information. However, it is important to carefully consider the source and ensure that the information is credible. To aid in that, here are three websites known for providing valuable threat intelligence –

National Vulnerability Database

The National Vulnerability Database (NVD) is a database that contains information and analysis of CVEs. The database is maintained by the NIST Computer Security Division and was created in 2000.

In addition to the useful information provided within the database, the NVD website also houses several useful visualizations. Below is one example –

These visualizations are helpful in spotting trends that developers should be on the look out for. Authentication issues is currently on the rise, so it would make sense that development teams spend more time focusing on their authentication code.

Common Vulnerabilities and Exposures

Common Vulnerabilities and Exposures (CVE) have been around for many years. There have been over 98,000 CVE IDs created since the inception of the project. https://cve.mitre.org is the de facto home for the CVE database. This website provides information about each CVE ID. Users can search by CVE ID and the returned data will give you a description of the attack as well as several references for more information.

The CVE site also contains a page dedicated to other useful sites on the web. For instance, the NVD is mentioned as are other sites like US-CERT.

Talos Intelligence

Talos is the security organization that powers many of Cisco’s security products. The Talos group maintains an excellent web presence, providing visitors with in-depth blog posts as well as reports about vulnerabilities. These reports often cross-reference the CVE ID database.

In addition to their reports, the Talos group also maintains a blog. The Talos blog provides in-depth coverage of the latest attacks plaguing the internet. Because Talos is tasked with understanding threats and protecting customers, they are required to breakdown the attacks in order to protect against them. While doing that, they frequently write in-depth blog posts about the attack. Take this one about WannaCry as an example.

Week 1 – Blog Introduction

Cybersecurity is an ever changing topic. Whether you are reviewing the latest exploits or attacks taking advantage of them, there is a never ending list of reading. During the last course I spent most of my time studying and writing about new attacks that were cropping up. This term I plan on discussing tools that security professionals can use to protect their environments. Understanding what tools are available is the first step in deploying an architecture that successfully thwarts attackers.

If you have not followed my blog before, welcome. My name is Dan and I have been in the IT industry for several years. Throughout my career I have consistently found security to be one of the most interesting subjects in our industry. Partly because, as outline above, it is always changing but also because companies are digitizing themselves at a rapid pace. As this transformation continues to occur, IT teams are tasked with understanding and implementing secure environments. In the past this was done with firewalls and anti-virus. However in today’s world, a firewall and anti-virus simply is not enough to keep data secure. Other tools such as intrusion prevention software, malware protection, and SIEM tools are required to get the job done.

Hopefully by the end of the term I will have amassed several articles outlining those additional tools. My goal is to make the posts informative and worthy of a reader’s time investment. I will start the term off with an in-depth look at malware prevention software.

Dan