Week 5 – Halfway through the last term!

The end of this week marks the downhill side of my final term at Bellevue University. Shortly I will have finished up my Master’s Degree in Cybersecurity. While this is a large accomplishment, my final courses have continued to reinforce that there is always something new to learn. Writing these blog posts is a portion of the assignments for Current Trends in Cybersecurity. The other part of the course deals with threat modeling, something I have little experience with.

Threat modeling is a practice in which developers systematically identify the threats their software is exposed to and decide how to mitigate them. It is an interesting topic and one that has sparked some interest in me. The book and coursework are based on principles established by Microsoft and I have learned a great deal. However, it has also raised several questions for me. The most pressing question is – are startups using threat modeling in their products?

With the startup culture taking over Silicon Valley and most other development shops across the world, programming practices have changed substantially. Companies now work in sprints and incubate products quickly to get them out the door. Startups often describe what they ship as a minimum viable product (MVP), meaning it has just enough functionality to be released, with additional features added later. This is a great strategy for cash-strapped companies that need to start turning a profit and paying back investors. However, as we look at CES 2018 and other events where every device and gadget is now connected to the internet, I have to question whether everything has been properly vetted and secured.

This topic is nothing new; security analysts have been discussing compromised IoT devices for ages, but it remains important. If companies are not focused on security from the start, it is hard to bolt on later. Security must come first, even with a minimum viable product.

Dan

Week 4 – Intel’s Vulnerability and Its Impact

Earlier in the week, details of two severe classes of vulnerability in modern processors reached the media ahead of the planned disclosure. Spectre affects Intel, AMD, and ARM processors; Meltdown primarily affects Intel (and some ARM) processors. Between them they touch nearly every server, computer, and mobile device in the world. Intel is taking the brunt of the publicity, partly because it owns such a large share of the market and partly because Meltdown hits its chips hardest.

The vulnerabilities were discovered by Google’s Project Zero team (and, independently, by several academic groups), and their write-up is here. Some key takeaways are that they successfully exploited the vulnerability on server processors, desktop processors, and even a mobile phone processor. Overall, this means that the vulnerability is far-reaching and could be used in nearly any situation.

Russell Brandom of The Verge wrote an article earlier this week about how the largest impact will be felt by cloud providers. I could not agree more, but I am also concerned about IoT devices and other devices that use x86 CPUs. Many network infrastructure devices have x86 CPUs in them today. Firewalls, network switches, and routers all leverage chips that are now vulnerable and, in one case, can only be patched by replacing the chip.

This is problematic in many ways. Loading new microcode on a processor normally requires the host to be rebooted, which on a firewall or router means an outage, so many organizations will have to take down important systems to patch them. Even then, microcode addresses only part of the problem: Meltdown is fixed in the operating system (kernel page-table isolation), and Spectre needs compiler and OS changes alongside the microcode.
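Because the fix is split between microcode and the kernel, the practical question after a reboot is "which of these is this box still exposed to?". The following is an added example, my own code rather than anything from the post, Intel, or CERT. Since Linux 4.15 the kernel reports the status of each issue as one short line in /sys/devices/system/cpu/vulnerabilities/<name>, and /proc/cpuinfo carries the loaded microcode revision. The parser works on those strings, so the constructed sample data below runs anywhere; main() reads the real files when they exist.

```python
"""Report Spectre/Meltdown mitigation status on a Linux host (added example)."""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample: a host with the OS patch applied but no new microcode yet.
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
}

# Constructed sample of the lines we care about from /proc/cpuinfo (two logical CPUs).
SAMPLE_CPUINFO = """processor\t: 0
model name\t: Sample(R) CPU (constructed)
microcode\t: 0x1c
processor\t: 1
model name\t: Sample(R) CPU (constructed)
microcode\t: 0x1c
"""


def parse_status(text):
    """Classify one sysfs line: ('not_affected'|'mitigated'|'vulnerable'|'unknown', detail)."""
    line = text.strip()
    if line.startswith("Not affected"):
        return "not_affected", ""
    if line.startswith("Mitigation:"):
        return "mitigated", line.split(":", 1)[1].strip()
    if line.startswith("Vulnerable"):
        # "Vulnerable" may carry a qualifier after a colon, e.g. a partial mitigation.
        _, _, detail = line.partition(":")
        return "vulnerable", detail.strip()
    return "unknown", line


def summarize(statuses):
    """Return ({name: (state, detail)}, [names still exposed]) for a status mapping."""
    report = {name: parse_status(text) for name, text in statuses.items()}
    outstanding = sorted(
        name for name, (state, _) in report.items() if state in ("vulnerable", "unknown")
    )
    return report, outstanding


def microcode_revisions(cpuinfo_text):
    """Collect the distinct microcode revisions listed in /proc/cpuinfo text."""
    revisions = set()
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "microcode":
            revisions.add(value.strip())
    return revisions


def read_sysfs(directory=SYSFS_DIR):
    """Read every status file; returns {} on non-Linux hosts or kernels older than 4.15."""
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text() for p in directory.iterdir() if p.is_file()}


def main():
    statuses = read_sysfs() or SAMPLE_STATUS
    cpuinfo = Path("/proc/cpuinfo")
    cpuinfo_text = cpuinfo.read_text() if cpuinfo.is_file() else SAMPLE_CPUINFO
    report, outstanding = summarize(statuses)
    for name, (state, detail) in sorted(report.items()):
        print(f"{name:12} {state:13} {detail}")
    print("microcode revision(s):", ", ".join(sorted(microcode_revisions(cpuinfo_text))) or "n/a")
    if outstanding:
        print("still exposed:", ", ".join(outstanding))
    return 1 if outstanding else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it before and after the microcode update and after the kernel patch; the exit status is non-zero while anything is still reported as vulnerable, which makes it easy to wire into a fleet check. A changed microcode revision across the reboot is the confirmation that the firmware side actually loaded.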

Originally, the CERT notification for Spectre and Meltdown listed CPU replacement as the solution. However, as noted by The Register, the notification has since been updated to list patches as a solution. The Register argues that chip manufacturers are in “denial” about their patches being a permanent fix and that chip replacement is still the most likely fix.

It will be interesting to watch this play out. While CSPs (cloud service providers) rush to patch their respective clouds, I worry most about network infrastructure and IoT devices, two platforms that rarely get updates but will desperately need them soon.

Week 3 – Kali Linux and InSpy

Kali Linux is a useful tool for security practitioners and for those who want to learn about cybersecurity. The distribution, successor to BackTrack, was released under the Kali Linux name in 2013. It contains hundreds of useful utilities and tools to help security professionals test their security posture.

In November 2017, the 2017.3 release of Kali Linux was published. Four new tools were included in the update, one of which is InSpy.

InSpy is a reconnaissance tool aimed at social engineering. Focused on crawling LinkedIn, it gathers intelligence about a company’s job listings and employees. Its TechSpy mode mines job listings for the technologies they mention, which lets security testers check whether HR postings leak details of the internal stack. Its EmpSpy mode enumerates employees, which helps in judging compliance with social networking policies.

From a different perspective, InSpy is really useful when doing reconnaissance on a business. Targeted phishing campaigns could be built on the EmpSpy function: given a company name, it crawls LinkedIn for people who list that employer and returns their names and titles, and, when told the company’s e-mail format (for example first.last), it generates a candidate address for each employee.
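To show what that last step actually involves, here is an added example of my own; it is not InSpy’s code, and it performs no crawling. It takes records in the "Full Name | Title" shape a LinkedIn crawl yields, turns them into addresses under several common corporate formats, and also does the step a tester performs before running EmpSpy: inferring the company’s format from a few addresses already known (from the website or a past breach). The employee records and the domain example.com are constructed sample data.

```python
"""Build candidate e-mail addresses from crawled employee names (added example)."""
import re
import unicodedata

# Constructed sample records in the "Full Name | Title" form a crawl produces.
SAMPLE_EMPLOYEES = [
    "Jane Q. Doe | Senior Network Engineer",
    "José García-López | Director of Human Resources",
    "Bob Smith Jr. | Accounts Payable Clerk",
    "Mary-Ann O'Neil | IT Help Desk",
]

# Local-part templates; {f} and {l} are first/last initials.
FORMATS = {
    "first.last": "{first}.{last}",
    "flast": "{f}{last}",
    "firstl": "{first}{l}",
    "first_last": "{first}_{last}",
    "last.first": "{last}.{first}",
}

# Generational and academic suffixes that never belong in a mailbox name.
SUFFIXES = {"jr", "sr", "ii", "iii", "iv", "phd", "md"}


def normalize(token):
    """Lower-case, strip accents and punctuation, keep ASCII letters only."""
    ascii_token = unicodedata.normalize("NFKD", token).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_token.lower())


def split_name(full_name):
    """Return (first, last) from a free-form name, dropping suffixes and empty tokens.

    The first surviving token is the given name and the last is the surname, so
    middle names and initials are ignored; hyphenated surnames collapse to one token.
    """
    parts = [normalize(p) for p in full_name.split()]
    parts = [p for p in parts if p and p not in SUFFIXES]
    if not parts:
        raise ValueError(f"no usable name in {full_name!r}")
    return parts[0], parts[-1]


def address_for(full_name, domain, fmt="first.last"):
    """Render one address for one person under the named format."""
    first, last = split_name(full_name)
    local = FORMATS[fmt].format(first=first, last=last, f=first[:1], l=last[:1])
    return f"{local}@{domain}"


def build_target_list(records, domain, fmt="first.last"):
    """Turn 'Name | Title' records into dicts with name, title and candidate e-mail."""
    targets = []
    for record in records:
        name, _, title = record.partition("|")
        targets.append({
            "name": name.strip(),
            "title": title.strip(),
            "email": address_for(name, domain, fmt),
        })
    return targets


def detect_format(known):
    """Given (full name, known address) pairs, return the format explaining all of them.

    Returns None when no single format matches every pair, which usually means the
    company uses a format not in FORMATS or has mixed legacy addresses.
    """
    for fmt in FORMATS:
        if all(
            address_for(name, email.split("@", 1)[1], fmt) == email.lower()
            for name, email in known
        ):
            return fmt
    return None


if __name__ == "__main__":
    # Constructed "known" addresses, e.g. scraped from a press page.
    known = [("Jane Q. Doe", "jdoe@example.com"), ("Bob Smith Jr.", "bsmith@example.com")]
    fmt = detect_format(known) or "first.last"
    print(f"inferred format: {fmt}")
    for t in build_target_list(SAMPLE_EMPLOYEES, "example.com", fmt):
        print(f"{t['email']:32} {t['name']} ({t['title']})")
```

The policy implication is visible in the output: once the format is known, every public name-plus-employer pairing on LinkedIn becomes a deliverable address, which is why the next paragraph argues for limiting what employees publish rather than trying to hide the address format.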

With tools like this openly available, organizations must begin crafting a social media policy that includes special provisions for what information is shared. For instance, a policy could require that employees use only personal email addresses on LinkedIn and refrain from sharing which departments they work for.

InSpy and Kali Linux information can be found here – https://tools.kali.org/information-gathering/inspy

Week 2 – Finding Vulnerability Information Online

There are many sources available online to track down vulnerability and threat information. However, it is important to carefully consider the source and ensure that the information is credible. To aid in that, here are three websites known for providing valuable threat intelligence –

National Vulnerability Database

The National Vulnerability Database (NVD) is a database that contains information and analysis of CVEs. The database is maintained by the NIST Computer Security Division and was created in 2000.

In addition to the useful information provided within the database, the NVD website also houses several useful visualizations. Below is one example –

These visualizations help in spotting trends that developers should be on the lookout for. Authentication issues are currently on the rise, so it makes sense for development teams to spend more time reviewing their authentication code.

Common Vulnerabilities and Exposures

Common Vulnerabilities and Exposures (CVE) has been around for many years. There have been over 98,000 CVE IDs created since the inception of the project. https://cve.mitre.org is the official home of the CVE list. This website provides information about each CVE ID. Users can search by CVE ID and the returned data gives a description of the vulnerability as well as several references for more information.

The CVE site also contains a page dedicated to other useful sites on the web. For instance, the NVD is mentioned as are other sites like US-CERT.

Talos Intelligence

Talos is the security organization that powers many of Cisco’s security products. The Talos group maintains an excellent web presence, providing visitors with in-depth blog posts as well as reports about vulnerabilities. These reports often cross-reference the CVE ID database.

In addition to their reports, the Talos group also maintains a blog. The Talos blog provides in-depth coverage of the latest attacks plaguing the internet. Because Talos is tasked with understanding threats and protecting customers, they are required to break down the attacks in order to protect against them. While doing that, they frequently write in-depth blog posts about the attack. Take this one about WannaCry as an example.

Week 1 – Blog Introduction

Cybersecurity is an ever-changing topic. Whether you are reviewing the latest exploits or the attacks taking advantage of them, there is a never-ending list of reading. During the last course I spent most of my time studying and writing about new attacks that were cropping up. This term I plan on discussing tools that security professionals can use to protect their environments. Understanding what tools are available is the first step in deploying an architecture that successfully thwarts attackers.

If you have not followed my blog before, welcome. My name is Dan and I have been in the IT industry for several years. Throughout my career I have consistently found security to be one of the most interesting subjects in our industry. Partly because, as outlined above, it is always changing, but also because companies are digitizing themselves at a rapid pace. As this transformation continues to occur, IT teams are tasked with understanding and implementing secure environments. In the past this was done with firewalls and anti-virus. However, in today’s world a firewall and anti-virus simply are not enough to keep data secure. Other tools such as intrusion prevention systems, malware protection, and SIEM tools are required to get the job done.

Hopefully by the end of the term I will have amassed several articles outlining those additional tools. My goal is to make the posts informative and worthy of a reader’s time investment. I will start the term off with an in-depth look at malware prevention software.

Dan

Week 11 – Netflix Stethoscope

On Tuesday, Netflix released their open-source, user-led security tool, Stethoscope. In their blog post, Netflix outlined their belief that users are more open to security when it is not forced upon them.

It is an interesting web-based tool (that works on mobile). The tool analyzes a user’s device and gives them easy-to-follow recommendations on securing it. Encryption, screen locks, and OS updates are all topics the tool will offer advice about. It also integrates with existing tools an organization may already be using, such as LANDESK, so many organizations could provide it without making large changes to their environment.

This is an excellent tool that Netflix is providing to the community (it is on GitHub). Forcing security on users is tough for everyone. By explaining the needs in a very customized way, users may be more likely to implement the changes requested by the IT team.

I will be spinning Stethoscope up to take it for a test drive over the next week or two. Look for a follow-up post soon!

Week 10 – Aadhaar’s Security Problem

An interesting article popped up on Mashable.com this week about India’s biometric database Aadhaar. The Aadhaar database is India’s method to make up for the lack of birth certificates and other identification of Indian citizens. For many years, according to the article, the majority of people in India did not have birth certificates. To help combat this, the Indian Government designed Aadhaar.

Aadhaar is a biometric database which contains information on 99% of India’s adult population. This database is used for more than just identification, though. The government of India has plans to do away with credit cards, moving to fingerprint-based transactions. In addition to being a payment gateway, Aadhaar is also poised to pivot into a digital wallet. India’s citizens will be able to load their health card and driver’s license into an electronic wallet of sorts, removing the need for physical cards.

This sounds great, but the problem is that the database has never gone through an assessment or audit process. This, of course, has led to falsified entries in the database. These falsified entries are being used for all types of scams, and a complete lack of oversight is leaving citizens with little to no privacy.

My take – This is why we develop with a security first mindset. Aadhaar is already so big that it will be hard to transition into a more secure platform. If security would have been considered during software development, some of these problems could have been avoided.

Additionally, the government needs to consider routine audits of the database. A risk management strategy would really help the Indian government accelerate their chances of securing Aadhaar. Many identities are at risk if they do not adopt a risk management strategy for this database. A continuous assessment plan should be considered and adopted. This would certainly help with falsified records.

Week 9 – President Trump Fires White House CISO

In a follow-up to my Week 7 post about President Trump using a five-year-old Android phone, he has now decided to fire the CISO that President Obama hired in 2015. TechTarget Senior Reporter Michael Heller reports that the President is likely using his private security firm to handle those duties until a replacement is hired.

When President Obama hired Cory Louie back in 2015, he wanted to help the White House better understand the risks and threats that they faced. While there was never much publicity about this hire, it is obvious that the former President and his staff felt the need to better protect the White House. I would tend to agree. As stated in my week 7 article, there are no laws dictating what types of technology the President can use, therefore it is easy to see why the President may want a security advisor. It is likely that Louie helped shape the President’s security strategy as well as making recommendations for how the President should use technology.

Frankly, if President Trump’s private security team is allowing him to use a five-year-old phone, I have to question whether or not they can guide the White House away from security threats. I believe President Obama made the right decision in hiring a CISO for the White House, and I am hopeful that President Trump will hire a replacement.

Week 8 – Super Bowl Security Considerations

As someone without a cable subscription, I was happy to see the NFL and Fox heavily promoting that one would be able to stream the Super Bowl using the Fox Sports Go app. I have seen a similar trend with the NBA offering most of their playoff games via streaming apps.

This is great for cord cutters, but it got me thinking about the security threats faced by the NFL and Fox. According to Business Insider, a Super Bowl commercial costs $5 million this year, up about $200,000 from last year. With streaming becoming a more popular form of consuming media, I would wager that advertisers are hoping for a high number of streamers to view their advertisements as well. Not only that, but streamers provide more analytics than typical cable viewers. With money and data at stake, the NFL and Fox have a vested interest in offering a high-quality stream. Because of that, I am sure attackers are also interested in taking the stream offline.

So while the NFL used to mainly focus on the physical security of their event, now they are going to have to also consider their cyber security strategy. Though I doubt we will ever get to see a breakdown of how the NFL implements this protection, I am sure they have a large team dedicated to minimizing the risk of a stream cutting out. I certainly hope they do, after all I want to see some ridiculous commercials without interruption!

Week 7 – President Trump’s Old Phone

While President Trump has been in the news all week for various Executive Orders, one thing that caught the security community’s attention was a New York Times article. In the article, Maggie Haberman notes that President Trump is still using an “old, unsecured Android phone” even though aides have urged him to give it up.

This is not a new practice; after all, President Obama fought to keep his BlackBerry back in 2009. The difference is that President Obama took a new, secured BlackBerry. At this point, President Trump has refused to give up his old Android handset.

Lily Newman writes about the inherent risk of President Trump using an old phone (some speculating it might be over five years old) in her article on Wired.com. Newman points out that the risk may not even be attacks against the President. Many applications, Twitter being one of them, constantly track a user’s location – not exactly secure.

My overall take is one of disbelief. Back in 2009 smartphones were relatively new, mainly used for email. There was not a real alternative at the time, so it makes more sense for President Obama to have fought for a secure version of his device. Reportedly President Trump has been offered a secure device, but refuses. Furthermore, according to Newman, there are no policies requiring the use of secure devices by a President. This makes no sense from a security standpoint, but it reminds me of most organizations that let their senior leaders ignore policy. Businesses should remember that they are only as strong as their weakest link; hopefully in this case the weakest link is not a five-year-old Android device.