Category: computersecuritynews

NIST 800-171 rev1 (Updated 6/7/2018)

This document was updated and created to protect CUI – Controlled Unclassified Information for all government entities. So if you want to have a contract with the government you better have a plan in place. Due to Executive order 13556 (Nov 4, 2010), Controlled Unclassified Information program to standardize unclassified information and designated the NARA (National Archives and Records Administration).

Interesting to note all this standardization comes from a long list of departments in charge of classifying information. But the reality is there are many things similar to standards like PCI, COBIT 5, and others.

Notice that in 800-171 requires a Security Assessment:

  1. Assess security controls in the organization- are they effective?
  2. Develop and implement plans of action to fix deficiencies and reduce or eliminate vulnerabilities.
  3. Monitor security controls on an ongoing basis
  4. Develop, document, and periodically update system security plans that describe system environments as changes occur, system environments, how they are implemented, and relationships to other systems.

So essentially common sense security functions.

Anytime a change occurs (new device, moving, adding, subtracting) one has to re-evaluate security posture.

How about Risk assessment:

  1. Periodically assess risk to organizational operations(mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
  2. Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
  3. Remediate vulnerabilities  in accordance with risk assessments.

 

So if you look at the document – it just means what all respectable requirements have.

  1. Document and inventory your stuff.
  2. create risk assessments and impact assessments
  3. set up vulnerability scans
  4. remediate vulnerabilities!

 

 

 

Talk about change, the document 800-171 has recently been revised and updated, Both in February and June 2018:

  1. February: 16 editorial changes and 42 substantive
  2. June: 27 editorial changes and 5 substantive.

Most of the changes were deletions and some clarifications.

There is a change in authentication, now MFA(Multi Factor Authentication) is required instead of two-factor or regular password authentication.

Above is the section (Identification and Authentication) where MFA is shown.

If you need help in performing risk and security assessments Contact Us.

 

Tuesday July 10th patch Tuesday #7 of 2018

53 vulnerabilities in today’s Patch Tuesday

There is a Dashboard set up by Morphus Labs

3 publicly disclosed and 17 critical.

It is always important to keep up on your patching regimen, as today’s vulnerabilities become more and more dangerous in the future.

But one has to assess the current and older vulnerabilities with what is going on in _your_ environment.  Here is another article on what type of updates there are in this month’s updates Dark Reading: “July Security Updates”

Since most of these updates are browser based except for the latest update for the Meltdown and Spectre type of fix.

Looking over the updates one has to look at the remote code execution vulnerabilities to find the issues to patch first.

Because Microsoft has put out patches once a month on the 2nd Tuesday, some other software companies also do the same, so IT departments have a consistent review of the patches to be installed. Adobe has released 105 vulnerabilities for Reader and Acrobat, as well as some Flash. One thing that comes out of these situations is the planning of downtime for cloud systems which have to have all patches installed for the users who wish to run their applications.

So even if most of the vulnerabilities are browser based then some servers may need to have a number of patches.

In my opinion this Vulnerability “CVE-2018-8327” is very dangerous, as it is a remote code execution malicious code  potential. Microsoft Security TechCenter goes into some details.

Since this is a new vulnerability as of July10 there is a race now on, the race is as to who will install patches or who will download malicious software (Malware) first.

 

Image is from the SanS.edu website.

Also an update today – 7/12/18:

Lists the vulnerabilities in a different manner than Internet Storm center.

From Talos Blog:
Microsoft released its monthly set of security advisories today for vulnerabilities that have been identified and addressed in various products. This month’s release addresses 53 new vulnerabilities, 17 of which are rated critical, 34 are rated important, one is rated moderate, and one is rated as low severity. These vulnerabilities impact Windows Operating System, Edge, Internet Explorer and more.
Reference: https://blog.talosintelligence.com/2018/07/ms-tuesday.html
Snort SID: 47111-47114, 47091-47092, 47107-47110, 47100-47103, 47096-47099

 

Contact Us to discuss the current patches within your environment.

Sophisticated Method to Hack Your Network Devices

So the Criminal hackers have to get more sophisticated as some networks are patching their devices.

 

You must have heard of the Casino that got breached through a thermometer in the fish tank?  We get excited with new capabilities of Internet connectivity. But unfortunately we forget that a Cybersecurity weak device can open doors for criminal hackers.  You have a firewall right? It defeats the easy entry of a hacker.

But what if the hacker is already in your network? How? Somehow they were able to make the connection…

“Wicked Botnet uses passel of exploits to target IoT”by Threatpost.com has an interesting paragraph:

“It scans ports 8080, 8443, 80 and 81 by initiating a raw socket SYN connection; if a connection is established, it will attempt to exploit the device and download its payload,” explained researchers Rommel Joven and Kenny Yang, in the analysis. “It does this by writing the exploit strings to the socket. The exploit to be used depends on the specific port the bot was able to connect to.”

Since other previous malware has already infected the easy to infect routers, the  botnets now have to infect using exploit tactics.  This is typical of old and new tactics as the cybersecurity landscape changes quickly.

This new botnet is called “Wicked Botnet uses passel of exploits to target IoT”  and scans for ports 80,81,8443, and 8080.

Unfortunately  there are cloud based problems as well:

Nolacon2018 had Sean Metcalf discuss this very issue

There is a specific issue  Sean is concerned about

because every 2 minutes password synchronization has to occur for Azure cloud, thus an attacker can capture the stored password hash, and then try to guess it at their leisure.

The reality is the hacker will always try to use the technologies that you use to outfox and steal your money, data, and anything else they can.

In some ways it is always a losing game – a catch-up if you will. We have to defend everything, and all the criminals have to do is to attack and succeed in one spot.

So we have to do the proper risk management analysis to figure out where to put most of our time and resources.

Contact us to discuss.

 

Criminals Trying to Run Crypto Miners on Your Systems

Good YouTube video: “Rise of the Miners Josh Grunzweig

Ransomware is no longer a viable method of making money for the criminals, since Bitcoin is worth a lot of money, and it would be difficult to get people to pay for their ransomed computers.

So the Criminals have moved to Cryptomining.

The cryptominers have infected hundreds of thousands of machines to capture pennies per day for each machine.  Together on a daily basis the criminal can accumulate wealth. And it never ends. 609000 machines times 2 pennies per day = $12,180  per day or $365,000 per month. $4.4mil per year.

It may be worth it for the criminal to spend a little money on spam or watering hole attacks.   A water hole attack is where a popular website is infected with malware (a water hole).   as soon as the infections go into the hundreds of thousands the traffic and infrastructure will be noticed, so you may need to bribe various organizations as well. Like in Russia,  you may have to pay the local government officials to keep quiet (or China too).

In North Korea, the state itself could be running an operation like this.

 

Contact us to discuss this phenomenon.

5 Top Cybersecurity Attacks Revealed at RSAC2018

YouTube Video of the discussions of the following people:

Alan Paller, Moderator, Research Director and Founder, SANS Institute Ed Skoudis, Faculty Fellow, Penetration Testing

The following image shows the most interesting points brought forward in the video, as this is a presentation at RSAC every year now with SANS’ top instructors or employees that work throughout their company. Dr. Johannes Ulrich is at Internet Storm Center many days(although others keep it going when he is not available).

Top Cyber attacks to look for this year:

  1. Cloud Storage leakage
  2. Big Data Analaytics
  3. Crypto Currency mining on your infrastructure
  4. ICS/SCADA  will get some attention from hackers
  5. IoS will continue to be attacked and used for hacker purposes

These possible attack vectors are not surprises really, but it is good to reinforce where we need to focus.

Cloud storage can be a problem when not configured with security in mind. Have you done an audit with  your data?  Considered if private repositories were marked public? Public repositories with sensitive data? Github, Amazon, Google cloud, Microsoft Azure, Docker Hub and more each have their own pitfalls.

When you collaborate within the cloud is the software written within the cloud written with security in mind?  We know that some chips cannot keep all data within the bounds as we expect without a patch.  This information was found after the software was out in the world for years. New cloud security problems are being investigated now.

Big Data Analytics

Now the criminals are using the data that they have already stolen in new ways…  Maybe they fill out your new credit card with all info about you(as if it was you).  Also could fill out a completed tax form with 90% accuracy.    So it is possible that new methods are being devised where data is being found on you to help create better scams or general criminal enterprises.

Data is not important, criminal hackers want your computer resources to run crypto currencies.

Finally, the ICS/SCADA cyber problem is going to just get going. The problem in SCADA is that people will likely get hurt.  The problem in this space is that the ICS (Industrial Control Systems) space is not as secure as other systems have been due to a lack of focus on security.

Of course the IoT(Internet of Things item is also an important attack area. If you think about it the criminals will come up with new ways of attacking our infrastructure and will try and find any method that is possible. So if you are not focusing on an area, or it has not had a Cyber focus in the past… then it will be found sooner than later.

 

It is true, the hackers are trying to get the low hanging fruit, but we need to circle the wagons, and review everything again and again.

The simple thing to do is to audit your systems with a framework of audit work such as in CISA (Certified Information Systems Auditor).

Lucky we have this CISA certification –

Contact Us