ITSecurity Training – Explaining Security

Vulnerability Management Fixed!

So that we are all on the same page -Vulnerability Management is when an IT department manages it’s inventory of devices with regard to what vulnerabilities each device could be at risk for.

So if every system you own has a vulnerability, and you have 1000 systems it could get a bit challenging to manage. Consistently updating all systems for all vulnerabilities is a constant job of testing the patch, and updating the production system at a convenient time to the business.

At cvedetails.com you can review all cve’s (Common Vulnerabilities and Exposures)Each piece of software and hardware can have a potential vulnerability. This is much bigger than you think.

Powershell can give you a list of your programs:

Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table –AutoSize

From the “How-To Geek” website:

A sample in this image:

The image above has 38 pieces of software(which is likely not comprehensive). Technically all of these can have a vulnerability(not including Windows and all of it’s subpieces).

So already you can see that 100 systems with at least 40 or 50 pieces can have 4000 to 5000 software versions that may not be the same versions for your network.

This is why there are 109403 vulnerabilities, since a vulnerability for software ABC v1.0 is different from ABC v2.0.

So if this is such a large difficult beast, how can we tame it? Or even fix it?

Actually it is relatively easy to fix by combining Risk management and vulnerability management.

Evaluate all your systems – which system has the most risk and highest impact with failure?

Finding this system should receive most of your focus on testing and updating. And that is just the start, as now the difficult part of figuring what to do with the other systems, as if you ignore the other systems attackers will come in from that angle.

Run Microsoft(Powershell) Software On Linux? More Risk

Did you think it would never happen? Microsoft and Linux are increasing in their ties to each other.

So as we protect systems in our networks, we are increasingly incorporating Linux systems for various reasons, Web servers, specific SQL server database needs or other reasons (file sharing or other support systems).

A potential threat vector to the Microsoft Windows environment/ network could be the Linux machine. Especially if Microsoft Powershell commands can be run on a Linux machine. Now you can truly have any machine that is taken over be the breach entry that takes down your network.

How is this possible (viewing Internet Storm Center posts)? By installing a number of software pieces:

First install Powershell itself
Second install Mono (an open source implementation of Microsoft’s .NET framework)
Install OpenXML
Now you can run Powershell

This is an interesting development as it means that even a Linux machine can be turned into a sophisticated attack machine into your environment. Of course we knew that as Kali Linux has specific attack tools. But now we are not using attack tools but Microsoft tools running on Linux.

I want to switch directions a little bit and discuss the problems of directing a company: By stating “Business Decisions” — “External Pressure” in a Risk Assessment discussion.

The cybersecurity – world of vulnerabilities is in the space of “External Pressure”, but I wanted to create a picture of the whole world of Risk for a company. And the risks are in Supply Chain,cloud, leadership/labor,change in technologies. When one sees risk for the company in its totality, the new vulnerabilities risk is much smaller in comparison to the others. especially if the other risks are changes in competitors(Amazon) or changes in environment.

It is only when some news event comes into the fore, like a major breach, then it is obvious that Cybersecurity needs to be reviewed periodically.

Of course if one did that in the first place, then one can focus on the market and technology changes.

This is the problem we computer risk professionals wage, as the CEO/CFO are forever working the major problems for the company, and they rarely see cybersecurity as a major threat – due to much more important problems for the company.

Test Your Incidence Response Plans

So we all must have an Incidence response plan, which is only used after a computer security problem:

Detect problem
Investigate problem
What type of the threat to the business?
Does it rise to level of “Breach”? With significant legal disclosure requirements
Did the attackers steal information/data?

We know practice makes perfect, but how do we practice responding to a known attack without actually getting a hacker and hacking your systems?

So of course getting a pentester and having your environment tested for problems is a good thing. But we need to also have a method of trying to get our IT staff to not be afraid to follow the crumbs to a potential breach. People tend to get better the more they do something, so a pentest would also be useful for IT staff incident reports.

With or without a pentest it is wise to create a “write-up” report that acts as if the breach or hack happened so the IT personnel computers will be used to working through the “paperwork” process.

So let us do it together?

1. We detected a problem in the logs, they were zeroed out on our windows 2012 server.

2. we do not know why this happened, but the event logs now have a handful of events (going back to yesterday only).

3. Is this a threat to the business? If there are no logs to see how will we know what happened in the last few days before the logs were deleted?

4. Review systems, to see if any new files have been added, you will have to make comparisons to recent backups. Also review any customer data if it resides on the server (is customer data valid?). If you have no way of doing this today, better start working on a process now.

5. The last point is where the most difficult assessment has to be performed. Is this a threat to the business? was data stolen?

And this is exactly where many companies get tripped up. Every day you are running your business and it seems like any other day. Losing event logs does not mean much… but it could be a sign of a serious breach.

Find out if your files have been altered. the problem is that some malware is only here for other purposes, so some files being altered have lower risk and impact. How can we know if there is a high impact high risk alteration?

To have any chance of knowing a breach happened means that you need IT Personnel to do the following:

Vigilant employees
Notice unauthorized logins
See unauthorized usage of computer systems
Reboots are mysteriously happening on the own, why?
review administrative account access on actions that are unknown to administrators.
Notice unusual outbound traffic
Are files being added to your computer systems without IT department knowledge?
Logs are being deleted or very few event logs available on critical systems
Was data stolen?

A lot of these bullet points assume you can see potential breach indicators, so here is an Infographic to help you with this process.

If you are not testing your incident response plans, what will happen when a real attack happens?

How are Hackers Always a Step Ahead of Defense?

So the Defense (also known as Blue team) has been inundated with spam, the goal of the spam(for the hackers) is for an unsuspecting user to give up their credentials(username and password). Hackers are always trying to get your usernames and passwords.

Opening a word document? What if it included a small file that is unlikely or even impossible to detect when first opening the file? because it gets resized to a small point in the document.

Notice the above image shows how to create a link inside a picture.

the above image is from ISC.sans.edu link.

So due to various dirty tricks in spam we have built 2FA (Two Factor Authentication) so that the connecting to the email server and getting your email will effectively shut out the spam merchants… until now with this nifty trick. (Do you have to re-establish 2FA every time you get email? Or only when first logging in?)

When you open the word document the picture activates and tries to connect to the criminal-hacker-website.com which then sends the credentials of the computer to criminal-hacker-website.com.

Clearly only username and password defense is not going to do the job, as many tricks will pry the information to your account out of you. And an incorrectly set up 2FA also would be a problem.

The defense must have a good logging and egress filter setup. (Block port 445/tcp , 137/tcp, 139/tcp, and 137/udp and 139/udp.

Back to my question “How are Hackers Always a step ahead of the Defense?”

The answer lies in logic actually: If you have to defend 24 hours per day every day while trying to use software of the Internet then it is only a matter of time before a hacker uses ingenuity to break or bypass your defenses as shown above. We have to constantly be aware of new attacks and thus ways of defending against new vulnerabilities found every day.

True it would be nice if all software did not have security issues, but as we know security is not the highest effort while making a product. Making money is, and sometimes a security audit is not high on the priority scale.

So it is the same old story “The risk versus Security” see-saw.

The people who focus on Security might spend more in resources rather than others, so if you hear a new potential attack are you impulsively scoffing? Or saying I have to learn this attack and defend against it (thus spending resources?

if you are scoffing and wish to take on more risk by thinking the security problems might go away just by thinking they will go away. The risk on the internet these days is not that low, the ingenuity of new attacks are coming so fast that if you have not upped your ante, then one day it will be too late and the headlines will serve your epitaph.

So We believe that you should do both seek some risks while also staying secure by employing Security Auditors.

Is There Cyber Risk? How to Assess Risk?

An interesting video from RSA Conference 2018: “There’s no such Thing as a Cyber-risk”

So if you look at possible risk domains Computer Security (or Cybersecurity is not on there.

Operations: errors – fraud – talent – employee engagement – safety
Service Availability: capacity, resiliency, data integrity, intentional disruption
Product delivery: pre-executions – release executions
Compliance: regulatory, contractual obligations, privacy lane, employment law, other laws

Of course data integrity is there – so if there is a cybersecurity problem data integrity may become an issue.

The definition of “Operational risk” is the prospect of loss resulting from inadequate or failed procedures, systems or policies. Employee errors. System failures. fraud or other criminal activity. Any event that disrupts business processes

The problem with Cyber risk is that it can affect operations but is not always obvious how bad it can get until it happens. Can you operate without computers? Can it get that bad? What if it does? Just like one may have electricity backup in an area which has frequent power outages, one has to consider what to do if there are no computers to run credit card transactions.

To properly assess operational risk, what is it one must ask in regards to computer assets with regard to cybersecurity? What if I cannot use this device? i.e. it has been hijacked by hackers or otherwise incapacitated.

If credit card processing is stolen, what could be worse is now your reputation can take a hit. Since the news will be filled with stories of Credit card fraud originating at your business.

Consider reputation in assessing operational risk. And reputation does not always mean systems fail or money is lost due to no electronic access.

It all depends on who you claim to be in the public space. Is your business marketing claim to be up-to-date? Then reputation may have to have a higher impact. Make sure you are spending enough resources in relation to your REAL level of risk.

If you need help in assessing risk contact us.