Risk Analysis Gone Wrong?

Since a picture says a thousand words here is an attempt at explanation of Risk Analysis.

The rows are “Impact on Environment”: none, minimal, minor, significant, major, critical

The “Likelihood” or “Likely – what is % to happen” is  the columns: not likely, low, medium, medium-high, high, will happen.

These are not “real” systems in anyone’s network, only an example of different CVE (Common Vulnerabilities and Exposures) risks in a hypothetical company.  Although I picked on the IoT systems as the likely weak link (one has to update those camera or ups device software or one can be hacked). IoT systems are a weak link since they are not as easy to upgrade and require upkeep like all systems.

In the past I was trying to explain the weak links with this picture:

The problem is that when a system is hacked it now leaves the whole network with all the critical systems open.

The new image, I am trying to explain if a less important system was hacked (like the IoT vulnerabilities) which means an IoT vulnerability system which is critical but has a medium likely chance to get hacked.

Once hacked this system allows the attacker to review other targets and it may be where systems that have lower CVE’s (3-6) are canvassed and with the right vulnerabilities the hacker will now attack and set up persistent methods to stay in the network. Of course the idea is not to just stay in the network, one wants to  attack valuable targets.

“Such as having a High CVE on less critical systems ” before the final attack on a critical system at the highest level.

The ultimate and worst possible attack is a remote code execution attack, as with a simple attack one can execute an attack on the system. for a hacker it is easily done.

So explaining the attack in total gives one a further and more complete understanding of the ultimate goal . But what is even more important? To now have the ability to assess risk better. Instead of assessing each device separately with each vulnerability now one must assess the impact and likelihood with a total attack in mind.

Which means? The lower vulnerabilities can have higher impacts. How should we account for this phenomenon?

We have to become attackers (even hypothetically) to figure out which system would be nice to have with a lower vulnerability… so that the hypothetical attack  can advance through to the eventual goal.

You might be saying now – that’s all? That is all I have to do ? sort my systems, figure out the vulnerabilities, and then patch them. Well, it is not that easy since life and it’s vacations, sicknesses, labor issues, and other things coming your way. Since the vulnerabilities may come at inopportune times (they do not care if your family has an event). the hacker will hack you at Christmas without batting an eye.  The truth of it is the reasons  why people and companies get hacked is because the vulnerability management  programs do not take into account sickness and vacations. Thus labor is always pushed to ever more difficult situations. There seems to be always a push for cost containment in IT and computer security, since it is assumed all systems should be secure. A cost was not associated with computer security in the past. So this is why many companies lost their cohesion over time and then something happens and the attackers get in.

Once the attacker has a toehold, it is possible to stay undetected for months. In the meantime the patching lifecycle is front and center the reason for many systems getting hacked as well.

Notice that when a vulnerability is found by a researcher it takes many days to actually get a fix for the vulnerability and then it takes yet another few weeks before installing it in your system. It may be 60 days before the  system is safe from attack. So we are in a constant state of risk in our networks.  This is why every month with new vulnerabilities is an important report to view. And this is why we must continually test for any potential weaknesses in the network.

 

Now that you know the full reasons from A to Z it is easier to actually assess risk on systems.

What you need when assessing risk is to review all possible risk and decide what to focus on next.

Contact for more information or to discuss your risk assessment.

Also the latest CapitalOne hack seems to have been a misconfigured cloud configuration, including why is it storing private information in a public cloud?? Cyberscoop discusses this in more detail. The breach response may have been fast, but there was a major failure of architecture.

 

Interesting take on CapitalOne breach from former employee: https://medium.com/cloud-security/whats-in-your-cloud-673c3b4497fd

He says that the configuration was faulty as one IAM (Identity Access management) could be used to access all data (which is a large weak link). I.e. if a hacker can get one account username and password they have all of the data.

The thing to do is to perform threat modeling and review your architecture as well as vulnerability management.

Current Attacks Massive 1.6Mil unique addresses found hacked by “GoldBrute”

Internet Storm Center discusses an attack by the ‘GoldBrute’ botnet

They found 1.5mil servers being used by the botnet.

This means that a weakness in Microsoft (CVE-2019-0708)  May 14 Customer Guidance page:

Specifically:  CVE-2019-0708

A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to send a specially crafted request to the target systems Remote Desktop Service via RDP.

So it seems GoldBrute is taking advantage of this Microsoft weakness to infect machines that have not been patched.  especially the older systems (with Windows7 and Windows Server 2008) You can solve this by downloading the patch and updating as soon as possible.

The other solution is to Disable Remote  Desktop Services  (as per https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708)

A workaround is also possible:

The following workarounds may be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as possible even if you plan to leave these workarounds in place:

1. Enable Network Level Authentication (NLA) on systems running supported editions of Windows 7, Windows Server 2008, and Windows Server 2008 R2

You can enable Network Level Authentication to block unauthenticated attackers from exploiting this vulnerability. With NLA turned on, an attacker would first need to authenticate to Remote Desktop Services using a valid account on the target system before the attacker could exploit the vulnerability.

2. Block TCP port 3389 at the enterprise perimeter firewall.

 

Contact Us to discuss this latest possible attack and re-mediate your #cybersecurity risks

We are Never Going to Be Secure

I did not have to put 100% in the headline: i.e. “We are never going to be 100% Secure”

Whenever there is a device that is to be used for your purposes,  someone can find a way to use that purpose against you and fight you with it.

So it is my assertion: Do not state “We are secure”!, say “we are  ‘secure’  within our abilities and budget”.

The problem is that some tasks are so basic it is unbelievable when an attack is successful.  take a look at this informational message from a WordPress security company(Wordfence):

(and in text form):
XSS Vulnerability in Abandoned Cart Plugin Leads To WordPress Site Takeovers

Last month, a stored cross-site scripting (XSS)h, Vulnerabilities, WordPress Security on March 11, 2019 by Mikey Veenstra   0 Replies flaw was patched in version 5.2.0 of the popular WordPress “plugin Abandoned Cart Lite For WooCommerce”. The plugin, which we’ll be referring to by its slug woocommerce-abandoned-cart, allows the owners of WooCommerce sites to track abandoned shopping carts in order to recover those sales. A lack of sanitation on both input and output allows attackers to inject malicious JavaScript payloads into various data fields, which will execute when a logged-in user with administrator privileges views the list of abandoned carts from their WordPress dashboard.

 

 

So essentially what wordfence is suggestingwordfence is suggesting is to update WooCommerceAbandoned cart  Cart Lite for WooCommerce.

Wordfence is suggesting to update the plugin ASAP to 5.2.0 or higher to solve the sanitization checks that a bug introduced.

 

So now that we know a specific problem with a specific plugin, all we have to do is update. But this basic act of updating is not that easy sometimes.

This is typical of software and our security dilemma,  a new vulnerability is discovered, has to be fixed and patched/released. Then of course the administrators have to install the patch.

So this is why we will never be 100% secure there will always be a time when the vulnerability is discovered to the time it a patch is installed  when  we are not secure.

I wrote about this before(Dec 2017): From Vulnerability Found , to patched safe

The above image describes the journey from Vulnerability found to Patched better than

What are the  possible problems when patches are not applied? and hackers do their work first?

Here is a worst case scenario:

Onlineathens.com has the story of the  Ryunk Ransomware

Here is a notable quote:

Jackson County Sheriff Janis Mangum said Friday that experts are still cleaning their computers.

“We can book someone (in jail) without doing it on paper, but deputies are still doing paper reports,” she said.

Mangum said she received a telephone call last Saturday from the Information Technology staff “wanting to know if we had an FBI contact they could reach. That’s when I knew it was more serious than just being down,” she said.


This article does not go into the forensics investigation of how the ransomware software installed itself, and we will keep an eye out to the Internet as to how exactly this started.

But very likely something was not patched, the hacker software installed and then went from there to control the data and all the devices on the network it can.

Even if the initial infestation was unique (social engineering ) the additional attacks of infesting the rest of the computers usually requires some additional vulnerability which also can take advantage of unpatched devices.

The weaker you are with patching the more likely you will be attacked and hacked. In this case (Sheriffs computers in court house) somehow were infested and then later the encryption software download happened. After that the software tries to propagate and destroy the rest of the systems on the network.

Also an Auditor reviewing your patching is also advisable.

There are no guarantees, although one can reduce risk with enough safeguards and testing in place.

Like we can do  CISA certified contact us.

Hacking, is it Like a Recipe?

One thing we do know that Hackers are very successful in hacking overall. We don’t really know how they do it? But the headlines say it all: “Yahoo says 500 Million Accounts Stolen

If you study the image above (a bubble representation of all hacked entities) from the website www.informationisbeautiful.net

You see Yahoo actually with 320 million and River City Media with 1.37 Billion  hacked accounts. Each bubble has a story, with a breach and people affected by the hackers attacking some aspect of the information technology defense.

So how easy is it for hackers to attack ? Is it a recipe? Do you perform a few functions and then steal the data?

I have blogged this methodology for 3 years now, and it is interesting that in 3 years plus with various explanations the methods of hackers has not changed too much.

(image from previous post)

We can summarize and say the hackers review the job (attack) and try to find an opening to perform their objectives:

  1. Money
  2. Political reasons
  3. The fun of it (young hackers)
  4. National goals

After they review the attacks by looking at your defenses they are now ready to probe your specific defense with specific attacks.

In my mind the #1 reason for hackers to attack is money and the Darknet tells the story, the Darknet is where the criminal hackers trying to make money sell their gains.

If you ask me the credit card problems we have gotten due to the new normal of these “hacking events” is annoying but not life changing for the most part.

What would be LIFE changing is the hacking and stealing data (information) of health records. Now the hackers could really mess with other aspects of our lives which we are not used to modifications.

How exactly would a “screwed up” health record look? The next time your doctor looks at health records are they doctored? Or not?

Every day there is a new day and the hackers are looking for new ways to make money including using the massive amount of health data already stolen.

This means we need to be wary of our information usage and review all manners of defenses everywhere.

Test, test, test your defense should be the mantra. Because the hackers are probing and attacking all the time. It is a classic red vs blue issue.

Contact Us to review your defenses

 

Sure Connect ABC device to Internet!!??

Sure Connect ABC device to Internet!!??

Amazing to note that many companies are creating devices to connect to the Internet and thus open these devices up to a variety of attacks.

Note the following Blog MWR Labs 

The default root password has been disclosed by Packetstorm last year January 12th, 2016.

Login to telnet with the credentials: root / founder88

Did you read that correctly?  Yes last year.

This Biometric hardware by Fingertec does not operate like a traditional machine, it is ‘updated’ and gets it’s intelligence from the ‘cloud’. Which means it is on the Internet.

This means that you are exposing this device to the hackers and wily operators of the world.

The problem we have is managers that make decisions to purchase and install these devices are not thinking about security at all.

In fact due to their preconceived notions of it will not happen to us, we are too small, we have nothing to steal, and more excuses, Cybersecurity is not thought about.

They do not understand the implications of clear text tcp/ip communications by Fingertec. To a seasoned hacker (security professional) the device will take a little effort but can be breached rather quickly. Especially if basic precautions are not kept, like changing default passwords.

PCI compliance requires default passwords to be changed, but do we really have to wait for PCI compliance to require the biometric devices to have encrypted communications over the Internet

What if you have Biometric devices? are they connected to the Internet? Maybe they are vulnerable.


Contact US to help you with vulnerability analysis