Category: computersecuritynews

NIST 800-171 Compliance Can be Done Quickly!

NIST 800-171 Compliance actually means DFARS Cybersecurity requirements must be met.

The NIST 800-171  requirements have always vexed small manufacturers due to the specific wordiness, so the NIST (National Institute of Standards and Technology) has been trying to make this easier to understand with the following pdf: https://nvlpubs.nist.gov/nistpubs/hb/2017/NIST.HB.162.pdf

This is an important paragraph: from pdf

Executive Order 13556, Controlled Unclassified Information, November 4, 2010, establishes that the Controlled Unclassified Information (CUI) executive Agent, designated as the National Archives and Records Administration (NARA), shall develop and issue such directives as are
necessary to implement the CUI Program. Consistent with this tasking and with the CUI Program’s mission to establish uniform policies and practices across the federal government, NARA issued a final federal regulation in 2016 that established the required controls and markings for CUI government-wide. This federal regulation binds agencies throughout the
executive branch to uniformly apply the standard safeguards, markings, dissemination, and decontrol requirements established by the CUI Program.

 

So needless to say if you are a small manufacturer  and sell stuff to the US government you will have to be compliant  or else…. what is the or else?  I surmise the or else is pretty bad, since there has been plenty of time for you to get on board of this new initiative . Admittedly it has been a chore to get through the NIST 800-171  documents up to now.  As I have discussed in June on this site.

Like this for example:

There are many such points in the document,

Here is the full list of 14 points you have to work on:

14 controls have to be set up

  1. AC  – Access Control
  2. AT – Awareness & Training
  3. AU – Audit & accountability
  4. CM – Configuration Management
  5. IA – Identification and Authentication
  6. IR – Incident Response
  7. MA – Maintenance
  8. MP – Media Protection
  9. PS – Personnnel Security
  10. PP – Physical Security
  11. RA – Risk Assessments
  12. SA – Security Assessments
  13. SC – System & Communications protection
  14. SI – System & Information integrity

 

None of these points are actually brain surgery, where you need 10 plus years of training and schooling. In fact most of these your IT department can perform in their regular work. they just need support from above (i.e. resources).

The one point of audit and accountability the company itself cannot do it by itself effectively. As there is nothing like a person outside of the organization to have a point of view that can be fresh or at least without the company culture in mind.  which is what we do here at Fixvirus.com

So these 14 points should not dissuade you from becoming compliant, in fact even if you do not have multi-factor authentication(Identitification and Authentication), and it would take 6 months to implement, all you have to do is to create a POAM or  Plan of Action and Milestone.   So once you have writtenup proof or POAMs then you are compliant – easy.

This is how I can state that you can come into “compliance” with NIST 800-171 quickly.

Contact us to review and discuss .

New Wi-Fi attack found on WPA2 using PMKID

This could make many “thought safe” Wi-Fi routers not so

Here is where paying attention to new attacks is important.

hashcat.net has the information:

This attack does not even need a full EAPOL 4-way handshake,  EAPOL stands for Extensible Authentication Protocol(EAP) over LAN. A simple 4-way handshake is shown pictorially below  (from hitchhikersguidetolearning.com)

This means that in the past an attack on Wi-Fi would would need EAPOL  4-way handshake to be captured. Capturing the 4-way handshake is sometimes difficult to achieve.

Instead in this attack: ” We receive all the data we need in the first EAPOL frame from the AP.”

First one captures a sample initial Message from the ‘Authenticator’ which includes a PMKID (run hcxdumptool)

Second (run hcxpcaptool) to convert captured data from pcapng format to a hash format accepted by hashcat

Third (run hashcat) to crack the string of data.

 

So now no 4-way handshake is needed, only expertise to run a couple of scripts and to know how to set up the Wi-Fi capture by using the Wi-Fi network card.

The comments on the hashcat webpage do mention that your Wi-Fi network card must have the capability to capture wlan traffic.

So this requires more review and investigations.

Contact us to try it on your network.

NIST 800-171 rev1 (Updated 6/7/2018)

This document was updated and created to protect CUI – Controlled Unclassified Information for all government entities. So if you want to have a contract with the government you better have a plan in place. Due to Executive order 13556 (Nov 4, 2010), Controlled Unclassified Information program to standardize unclassified information and designated the NARA (National Archives and Records Administration).

Interesting to note all this standardization comes from a long list of departments in charge of classifying information. But the reality is there are many things similar to standards like PCI, COBIT 5, and others.

Notice that in 800-171 requires a Security Assessment:

  1. Assess security controls in the organization- are they effective?
  2. Develop and implement plans of action to fix deficiencies and reduce or eliminate vulnerabilities.
  3. Monitor security controls on an ongoing basis
  4. Develop, document, and periodically update system security plans that describe system environments as changes occur, system environments, how they are implemented, and relationships to other systems.

So essentially common sense security functions.

Anytime a change occurs (new device, moving, adding, subtracting) one has to re-evaluate security posture.

How about Risk assessment:

  1. Periodically assess risk to organizational operations(mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
  2. Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
  3. Remediate vulnerabilities  in accordance with risk assessments.

 

So if you look at the document – it just means what all respectable requirements have.

  1. Document and inventory your stuff.
  2. create risk assessments and impact assessments
  3. set up vulnerability scans
  4. remediate vulnerabilities!

 

 

 

Talk about change, the document 800-171 has recently been revised and updated, Both in February and June 2018:

  1. February: 16 editorial changes and 42 substantive
  2. June: 27 editorial changes and 5 substantive.

Most of the changes were deletions and some clarifications.

There is a change in authentication, now MFA(Multi Factor Authentication) is required instead of two-factor or regular password authentication.

Above is the section (Identification and Authentication) where MFA is shown.

If you need help in performing risk and security assessments Contact Us.

 

Tuesday July 10th patch Tuesday #7 of 2018

53 vulnerabilities in today’s Patch Tuesday

There is a Dashboard set up by Morphus Labs

3 publicly disclosed and 17 critical.

It is always important to keep up on your patching regimen, as today’s vulnerabilities become more and more dangerous in the future.

But one has to assess the current and older vulnerabilities with what is going on in _your_ environment.  Here is another article on what type of updates there are in this month’s updates Dark Reading: “July Security Updates”

Since most of these updates are browser based except for the latest update for the Meltdown and Spectre type of fix.

Looking over the updates one has to look at the remote code execution vulnerabilities to find the issues to patch first.

Because Microsoft has put out patches once a month on the 2nd Tuesday, some other software companies also do the same, so IT departments have a consistent review of the patches to be installed. Adobe has released 105 vulnerabilities for Reader and Acrobat, as well as some Flash. One thing that comes out of these situations is the planning of downtime for cloud systems which have to have all patches installed for the users who wish to run their applications.

So even if most of the vulnerabilities are browser based then some servers may need to have a number of patches.

In my opinion this Vulnerability “CVE-2018-8327” is very dangerous, as it is a remote code execution malicious code  potential. Microsoft Security TechCenter goes into some details.

Since this is a new vulnerability as of July10 there is a race now on, the race is as to who will install patches or who will download malicious software (Malware) first.

 

Image is from the SanS.edu website.

Also an update today – 7/12/18:

Lists the vulnerabilities in a different manner than Internet Storm center.

From Talos Blog:
Microsoft released its monthly set of security advisories today for vulnerabilities that have been identified and addressed in various products. This month’s release addresses 53 new vulnerabilities, 17 of which are rated critical, 34 are rated important, one is rated moderate, and one is rated as low severity. These vulnerabilities impact Windows Operating System, Edge, Internet Explorer and more.
Reference: https://blog.talosintelligence.com/2018/07/ms-tuesday.html
Snort SID: 47111-47114, 47091-47092, 47107-47110, 47100-47103, 47096-47099

 

Contact Us to discuss the current patches within your environment.

Sophisticated Method to Hack Your Network Devices

So the Criminal hackers have to get more sophisticated as some networks are patching their devices.

 

You must have heard of the Casino that got breached through a thermometer in the fish tank?  We get excited with new capabilities of Internet connectivity. But unfortunately we forget that a Cybersecurity weak device can open doors for criminal hackers.  You have a firewall right? It defeats the easy entry of a hacker.

But what if the hacker is already in your network? How? Somehow they were able to make the connection…

“Wicked Botnet uses passel of exploits to target IoT”by Threatpost.com has an interesting paragraph:

“It scans ports 8080, 8443, 80 and 81 by initiating a raw socket SYN connection; if a connection is established, it will attempt to exploit the device and download its payload,” explained researchers Rommel Joven and Kenny Yang, in the analysis. “It does this by writing the exploit strings to the socket. The exploit to be used depends on the specific port the bot was able to connect to.”

Since other previous malware has already infected the easy to infect routers, the  botnets now have to infect using exploit tactics.  This is typical of old and new tactics as the cybersecurity landscape changes quickly.

This new botnet is called “Wicked Botnet uses passel of exploits to target IoT”  and scans for ports 80,81,8443, and 8080.

Unfortunately  there are cloud based problems as well:

Nolacon2018 had Sean Metcalf discuss this very issue

There is a specific issue  Sean is concerned about

because every 2 minutes password synchronization has to occur for Azure cloud, thus an attacker can capture the stored password hash, and then try to guess it at their leisure.

The reality is the hacker will always try to use the technologies that you use to outfox and steal your money, data, and anything else they can.

In some ways it is always a losing game – a catch-up if you will. We have to defend everything, and all the criminals have to do is to attack and succeed in one spot.

So we have to do the proper risk management analysis to figure out where to put most of our time and resources.

Contact us to discuss.