IT Security and Compliance Thought Leadership – SecurityExperts

Important Tip for Companies Looking to Protect Unstructured Data

Most companies are very good at protecting data that they know about and consider sensitive – they restrict access to the HR systems where compensation data is available.  They put access controls and monitoring procedures on systems that store critical intellectual property like formulas or key financial analytics.

Typically, they have formal policies and associated technology deployments and procedures to protect sensitive data.

When someone downloads that data from a secure environment into an Excel spreadsheet or a thumb drive, all the controls are gone.

Technology can’t solve this – it is a human problem.  It can only reasonably be addressed through appropriate use policies and extensive, ongoing user awareness training.  Employees need to understand: DON’T TAKE SENSITIVE DATA OUT OF ITS CONTROLLED ENVIRONMENT!

The CIA has plenty of technology and many smart people, but it couldn’t prevent Edward Snowden.

Important Sources of Threat Intelligence for Security Teams

The goal of threat intelligence (TI) is to recognize indicators of attacks as they progress and act upon those indicators in a timely manner. TI is not a mature area for most organizations.

While tools to automate TI exist and are evolving, most organizations are still using informal ad hoc mechanisms or a small number of email and RSS feeds simply to provide background information to staff. For example, many companies have security staff that subscribe to the SANS@RISK: The Consensus Security Vulnerability Alert email list, the SANS NewsBites email list, the US-CERT Alerts RSS feed, the US-CERT Current Activity RSS feed, and the US-CERT Bulletins RSS feed.

Annual or quarterly reports from some security vendors also provide useful information.  These often provide statistics about the types of attacks organizations have encountered, the duration of breaches, and the mean time to detect breaches. That type of information can help organizations set some security priorities. Examples include: Verizon’s annual Data Breach Investigations Report, FireEye’s M-Trends Annual Cyber Threat Report, Secunia’s Annual Vulnerability Review, and Cisco’s Cybersecurity Report, which is issued twice a year.

As the Wikipedia article on Cyber Threat Intelligence (CTI) says, “CTI is based on the collection of intelligence using Open Source Intelligence (OSINT), Social Media Intelligence (SOCMINT), Human Intelligence (HUMINT) or intelligence in the deep and dark webs.”  But this means that information is coming from a wide variety of sources, and analysts often come to different conclusions.  In order to get a better common understanding, there have been efforts to create CTI standards, similar to how the use of CVEs and CVSS has created a standard for understanding disclosed vulnerabilities.  Unfortunately, at this time there are a lot of standards.  These include:

  • Open Threat Exchange (OTX)
  • Structured Threat Information Expression (STIX)
  • Collective Intelligence Framework (CIF)
  • Open Indicators of Compromise (OpenIOC) framework
  • Trusted Automated eXchange of Indicator Information (TAXII)
  • Traffic Light Protocol (TLP)
  • Cyber Observable eXpression (CybOX)
  • Incident Object Description and Exchange Format (IODEF)
  • Vocabulary for Event Recording and Incident Sharing (VERIS)

Many security vendors offer CTI data at various price points.  These vendors include: Cyveillance, Dell, FireEye, IID, RSA, Symantec, and Verisign.

There are also a large number of open source CTI providers.  The GitHub repository lists a number of such sources and the types of information they focus on. Organizations seeking to automate CTI should consider starting with some of these sources of information as they evaluate products and develop a plan for adoption.

It is also important to remember that a company with a comprehensive logging program already has its own source of data to analyze for TI.  Companies should be analyzing their own log data for indicators. A place to start is by looking at:

  • Activity in accounts of former staff
  • Activity on same asset with different user names (within short time period)
  • Outside-of-hours logins to systems with critical data
  • Outside-of-hours systems’ access by system and user
  • Brute force logins
  • Privileged accounts created or changed
  • Remote email access from countries not typically involved in normal business operations
  • Remote logins from countries not typically involved in normal business operations
  • Repeated unsuccessful logins (administrative and user) by asset
  • Systems accessed as root or administrator
  • Traffic between test and development or live environments
  • User logged in from two or more assets simultaneously
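The following is an added example, not code from the original post, showing how several of the indicators above can be run over a company’s own login logs. The log format, field names, thresholds (business hours, failure count, the “short time period”) and the sample events are all constructed assumptions; “simultaneously” is approximated as two assets within the same short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_HOURS = range(8, 18)         # assumed: 08:00-17:59 local time
FAIL_THRESHOLD = 5                    # assumed: failures per asset that count as brute force
SHORT_WINDOW = timedelta(minutes=10)  # assumed: the "short time period"

# Constructed sample events: timestamp|user|asset|outcome|country (not real logs)
SAMPLE_LOG = """\
2016-06-01T03:15:00|carol|hr-db|login_ok|US
2016-06-01T09:02:11|alice|fileserver-01|login_ok|US
2016-06-01T09:03:40|bob|fileserver-01|login_ok|US
2016-06-01T09:04:05|alice|hr-db|login_ok|US
2016-06-01T10:00:01|dave|vpn-gw|login_ok|RO
2016-06-01T10:00:02|dave|vpn-gw|login_ok|US
2016-06-01T11:00:00|mallory|mail-01|login_fail|US
2016-06-01T11:00:01|mallory|mail-01|login_fail|US
2016-06-01T11:00:02|mallory|mail-01|login_fail|US
2016-06-01T11:00:03|mallory|mail-01|login_fail|US
2016-06-01T11:00:04|mallory|mail-01|login_fail|US
2016-06-01T12:30:00|erin|fileserver-01|login_ok|US
"""


def parse_events(text):
    """Turn the pipe-separated sample into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, asset, outcome, country = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "asset": asset, "outcome": outcome, "country": country})
    return sorted(events, key=lambda e: e["ts"])


def find_indicators(events, former_staff, critical_assets, business_countries):
    """Return (rule, detail) pairs for six of the indicators listed above."""
    hits = []
    fails = defaultdict(int)       # failed logins per asset
    by_asset = defaultdict(list)   # successful logins per asset
    by_user = defaultdict(list)    # successful logins per user
    for e in events:
        user, asset, ts = e["user"], e["asset"], e["ts"]
        if user in former_staff:
            hits.append(("former-staff-activity", f"{user} on {asset}"))
        if e["country"] not in business_countries:
            hits.append(("unusual-country", f"{user} from {e['country']}"))
        if e["outcome"] == "login_fail":
            fails[asset] += 1
            if fails[asset] == FAIL_THRESHOLD:   # report once per asset
                hits.append(("repeated-failures", asset))
            continue
        if asset in critical_assets and ts.hour not in BUSINESS_HOURS:
            hits.append(("outside-hours-critical", f"{user} on {asset} at {ts:%H:%M}"))
        # different user names on the same asset within the window
        for prev in by_asset[asset]:
            if prev["user"] != user and ts - prev["ts"] <= SHORT_WINDOW:
                hits.append(("multi-user-same-asset", f"{prev['user']},{user} on {asset}"))
        # same user on two assets within the window (near-simultaneous sessions)
        for prev in by_user[user]:
            if prev["asset"] != asset and ts - prev["ts"] <= SHORT_WINDOW:
                hits.append(("multi-asset-same-user", f"{user} on {prev['asset']},{asset}"))
        by_asset[asset].append(e)
        by_user[user].append(e)
    return hits


if __name__ == "__main__":
    for rule, detail in find_indicators(parse_events(SAMPLE_LOG),
                                        former_staff={"erin"},
                                        critical_assets={"hr-db"},
                                        business_countries={"US"}):
        print(f"{rule:24} {detail}")
```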

Cybersecurity Responsibilities for SMBs

Cybersecurity is a topic that many small and most medium-sized businesses care about due to all of the news stories about data breaches, identity theft, and ransomware that have appeared in the last several years.  Some small and medium-sized businesses have realized that having a strong cybersecurity program can be a strategic asset for their particular market niche.  It can be a way of attracting additional customers or a powerful way to distinguish the company from its competitors.

Unfortunately, few small and medium-sized businesses have that attitude when it comes to cybersecurity.  Too many companies still view cybersecurity as a distraction that takes away resources from other important priorities. They choose to do the minimum required by regulatory requirements or even customer demands.

Many small and medium-sized businesses with an Internet presence must comply with not only state and federal laws and regulations, but also European Union laws and regulations, or even other national laws.

The most common cybersecurity responsibilities of small and medium-sized businesses include:

  • Protecting customers’ personally identifiable information in accordance with state and national laws
  • Protecting customers’ credit card information in conformance with the Payment Card Industry’s Data Security Standard (PCI-DSS) as well as state and national laws
  • Protecting customers’ protected health information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH)
  • Conformance with the European Union’s Data Protection Regulation
  • Conforming with any industry specific laws and regulations

Viewing compliance conformance as a check box rather than a culture or a strategic asset rarely results in a good cybersecurity program, as Sony demonstrated in 2015.

There are a number of security frameworks that companies can use to help them meet their responsibilities.  PCI-DSS is very prescriptive in some areas, while most regulations and laws place more responsibility on each company to make its own decisions about how to maintain a secure environment.

Whichever path to cybersecurity a business takes, there are some common areas that should be addressed.  These include:

  • Day-to-day IT operational practices including applying security updates, managing systems, managing network traffic, encrypting sensitive data, logging, monitoring, and ensuring technical IT controls are in place and up to date
  • Risk management, to ensure that the company is prioritizing risk remediation and tracking the risks over time
  • Compliance and due diligence, which includes ensuring that relevant laws and regulations are being followed, providing information to customers that are performing due diligence, and performing due diligence to ensure the company’s vendors and suppliers are meeting their security obligations
  • Security awareness training for all employees

How these tasks are organized, or who in a company is responsible for each task, can vary widely.  For example, in some companies all of these areas may fall under Information Technology.  In other organizations they may be split between IT and Finance.  In still others the responsibilities may be split between Finance, Legal, and IT.  Some organizations have a dedicated Chief Security Officer and a separate Chief Information Officer.  In organizations dealing with protected health records, it is not uncommon to see separate Security Officers and Privacy Officers.  And of course, in very small businesses, a single person may be wearing all of the hats, which makes segregation of duties a very difficult goal to achieve.

In the most secure organizations, cybersecurity is part of the culture. Every executive, manager, and supervisor understands its importance, is engaged in securing the environment, and understands the risk that an insecure environment poses to the future of the company.

Cybersecurity by Segregation

With recent news of Singapore disconnecting its government networks from internet access, and now requiring civil servants to use separate computers, I was asked to comment on the security issues this cybersecurity segregation will cause.

Deciding to disconnect from the Internet is clearly a difficult decision and more than likely a reaction to a painful situation.  Nobody makes that kind of decision and expects a good reaction. This is not without precedent, however. In North Korea, all websites are under government control.  In Cuba, the only access points to the Internet are at government-controlled facilities.  China blocks sites and actively filters content. If you haven’t looked into this, you’re likely to be shocked by how common this actually is. Take a look at this Wikipedia page discussing the topic. There are a number of approaches in use, including IP address blocking, Domain Name redirection, censorship, and content and search modification or removal.

As draconian as all of this may seem, it is not uncommon to restrict access, it’s usually just a question of degree. For example, many companies deploy technologies that block access to certain sites from within the corporate network environment. Some ISPs, whether you are aware of this or not, block access to well-known malware sites to reduce the amount of time they have to spend helping their customers recover from infections.

To be completely safe from unwanted viruses, Trojan horses and other malware the only thing you can do is not connect to the Internet at all. Everybody knows this which is why many companies that provide software – such as the major browsers – that help you traverse the Internet, include functionality to help you do that as safely as possible.

IoT Hidden Security Risks

While the security of IoT devices is a growing area of concern for the enterprise, the biggest IoT risk for businesses is if they decide to react to IoT issues rather than plan and prepare for them. Everybody knows that the earlier in a cycle you can deal with a problem, the less expensive it is. The IoT at its core is about sharing data. Some of that data may be benign but in all likelihood some of it will be sensitive, private or confidential and if that data is exposed in unintended ways you may find yourself squarely in the middle of an intellectual property loss or compromise.

When WiFi first started making its way into the marketplace, many organizations were ill prepared to understand the risks associated with laptops that literally travel around the world and communicate with networks you have no control over. All of a sudden, you had to think about all of the “What if?” scenarios of where those systems and the data on them may be.

The question about which devices may cause the biggest problems depends on the industry you’re talking about. The data you care to protect is different for healthcare,  manufacturing,  automotive, travel, agriculture, warehousing or telecommunications.

Regardless of the industry, however, there are common issues that will create potential problems and some of the important ones are as follows:

  • Ensuring that data collected and transmitted by IoT devices is secure in transit and at rest
  • More IoT devices mean more opportunities for breaches and hacking
  • Many IoT devices are likely to be very small and portable, making them more difficult to trace, monitor or even find

Reducing the Risks of Shadow IT

I was recently asked to comment on what businesses can do to reduce the security risks of Shadow IT. To read the full article click here and if you just want to read my comments – see below.

Plain talk: shadow IT exists when corporate IT is failing in a fundamental way.

We’ve seen currency traders set up their own development shops because corporate development was perceived to be too slow or bureaucratic.

We’ve seen Wall Street traders set up their own wireless access points so they could keep an eye on things when they were at the pub across the street for lunch.

No department or line of business wants to set up its own IT infrastructure and bear that budget burden; they only do so because they feel that they have no choice if they are to be successful in the tasks they are measured and compensated on.

It is like finding mouse droppings. If you see shadow IT, it is a clear indication that there is an unmet business need. Organizations need to investigate those unmet requirements and provide the appropriate IT services in a timely, secure, and policy compliant manner.

DNS: How it Works and Best Practices to Defend Against DNS-based Threats

The Domain Name System (DNS) is a central element in the addressing and routing of all communication over the Internet. Many enterprise IT security professionals don’t always know how DNS works, or how attackers might use it to compromise their data. Following is a discussion about recent attacks and exploits that use DNS and some best practices for defending against DNS-based threats.

The Domain Name System is known to be insecure. For many years, the IETF has worked to address this, and it has published the DNSSEC specifications (RFCs 4033, 4034, and 4035). DNSSEC provides DNS clients (resolvers) with origin authentication of DNS data, authenticated denial of existence, and data integrity. It does not address availability or confidentiality. Unfortunately, DNSSEC is still not widely deployed.

In the meantime, new vulnerabilities and exploits of various DNS implementations continue to be discovered. A quick search of the National Vulnerability Database (NVD) on the term DNS returns 434 matching records. In 2016, 17 new DNS related vulnerabilities have been documented and published in the NVD so far. The CVSS scores of these 17 recent vulnerabilities have varied from a low of 4.3 to a high of 9.8.

Some of the most recently published vulnerabilities apply to a narrow range of products such as “CloudBees Jenkins prior to version 2.3” while others apply to a broad range of products.

In February of 2016, a flaw was found in an underlying library used by the DNS resolver implementation that is found on nearly all Linux machines, including many embedded devices that use Linux. This was published in the NVD as CVE-2015-7547. It also impacted products such as Oracle’s Exalogic and a variety of products from Blue Coat, as well as many others. The vulnerability can lead to either denial-of-service or the remote execution of arbitrary code.

Different DNS vulnerabilities have different mitigations. For example, the list of recommended mitigations for CVE-2015-7547 includes:

  • A firewall that drops UDP DNS packets > 512 bytes.
  • A local resolver (that drops non-compliant responses).
  • Avoid dual A and AAAA queries (this avoids the buffer management error), e.g. do not use AF_UNSPEC.
  • No use of `options edns0` in /etc/resolv.conf since EDNS0 allows responses larger than 512 bytes and can lead to valid DNS responses that overflow.
  • No use of `RES_USE_EDNS0` or `RES_USE_DNSSEC` since they can both lead to valid large EDNS0-based DNS responses that can overflow.

However, some other recommendations that were effective against other DNS vulnerabilities were not effective for CVE-2015-7547, for example:

  • Setting `options single-request` does not change buffer management and does not prevent the exploit.
  • Setting `options single-request-reopen` does not change buffer management and does not prevent the exploit.
  • Disabling IPv6 does not disable AAAA queries. The use of AF_UNSPEC unconditionally enables the dual query.
  • The use of `sysctl -w net.ipv6.conf.all.disable_ipv6=1` will not protect your system from the exploit.
  • Blocking IPv6 at a local or intermediate resolver does not work to prevent the exploit. The exploit payload can be delivered in A or AAAA results; it is the parallel query that triggers the buffer management flaw.
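To make the two lists above concrete, here is an added example (not code from the original article or from any vendor advisory) that audits a resolv.conf body for the `options edns0` setting the mitigation list says to drop and for the `single-request` options the second list says give no protection, and that parses a DNS message to find the UDP payload size its EDNS0 OPT record advertises, which is what lets a reply exceed the classic 512-byte limit the firewall rule matches on. The sample resolv.conf and the query builder are constructed for this example; a loopback nameserver is assumed to indicate a local filtering resolver.

```python
import struct

EDNS_OPT_TYPE = 41       # RR type of the EDNS0 OPT pseudo-record (RFC 6891)
CLASSIC_UDP_LIMIT = 512  # largest UDP DNS message without EDNS0 (RFC 1035)

SAMPLE_RESOLV_CONF = """\
# constructed sample resolv.conf, not taken from any real host
nameserver 192.0.2.53
search corp.example
options edns0 single-request-reopen
"""


def audit_resolv_conf(text):
    """Return findings for a resolv.conf body against the CVE-2015-7547 lists:
    'options edns0' invites responses over 512 bytes; the single-request
    options do not change buffer management; a loopback nameserver is taken
    as the sign of a local resolver that can drop non-compliant responses."""
    findings = []
    local_resolver = False
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if not fields:
            continue
        if fields[0] == "nameserver" and len(fields) > 1:
            local_resolver |= fields[1] in ("127.0.0.1", "::1")
        elif fields[0] == "options":
            for opt in fields[1:]:
                if opt == "edns0":
                    findings.append("options edns0: allows responses over 512 bytes; remove it")
                elif opt in ("single-request", "single-request-reopen"):
                    findings.append(opt + ": not a mitigation for CVE-2015-7547")
    if not local_resolver:
        findings.append("no loopback nameserver: no local resolver to drop bad responses")
    return findings


def _skip_name(msg, off):
    """Advance past a wire-format name; a compression pointer ends the name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # 2-byte pointer (RFC 1035 4.1.4)
            return off + 2
        off += 1 + length
        if length == 0:                            # root label terminates the name
            return off


def advertised_udp_size(msg):
    """Return the UDP payload size carried in the CLASS field of the EDNS0 OPT
    record, or 512 when the message has no OPT record."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4             # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == EDNS_OPT_TYPE:
            return rclass
        off += 10 + rdlen
    return CLASSIC_UDP_LIMIT


def build_query(qname, qtype, udp_size=None):
    """Construct a minimal DNS query; attach an OPT record when udp_size is given."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1 if udp_size else 0)
    msg = header + question
    if udp_size:
        # OPT RR: root name, type 41, CLASS = requester's UDP payload size, TTL 0, no RDATA
        msg += b"\x00" + struct.pack("!HHIH", EDNS_OPT_TYPE, udp_size, 0, 0)
    return msg
```

A message whose length exceeds CLASSIC_UDP_LIMIT is exactly what the “drop UDP DNS packets > 512 bytes” firewall rule discards.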

The primary defenses that companies must manage well are:

  1. Subscribe to services that will inform the IT staff when a security vulnerability for the company’s systems has been disclosed and when a new security update is available
  2. Apply security updates from your vendors in a timely manner
  3. When your vendors publish recommended mitigations to address a known vulnerability, test the recommendations and deploy them if possible

The recommendations above are not unique to DNS vulnerabilities.

The Dangers of Wireless Technology on the Road

How to Protect Your Data in Airports, Coffee Houses, and Hotels

In a recent interview, I was asked a series of questions about the dangers of wireless technology on the road. I’d like to share my responses here as to ways that travelers can protect their data when hooking up to “free” wireless technology in airports, coffee houses and hotels.

1) What is a sniffer?

A sniffer is most analogous to a phone wiretap.  However, a wiretap only listens to the phone line it is connected to, whereas a packet sniffer can listen to all communications on the network.

2) Are sniffers ever used for legitimate network functions?

Yes.  Packet sniffers are commonly used to diagnose network problems, analyze traffic patterns, and even detect if a user is sending inappropriate data on the network.

3) Why are sniffers so difficult to detect?

Sniffers are designed to be “listen only” devices and are specifically built not to tamper with data as it traverses the network.  However, placing a sniffer on a wired network may require special hardware or device settings on the network switch.

4) Why is unsecured Wi-Fi — such as that found in coffee shops, airports and hotels — the least secure and vulnerable to sniffers?

On a wireless network, unlike a wired network, all local network traffic shares the same channel.  A rogue packet sniffer does not require special hardware or changed settings on the wireless access point and can capture all the data that is sent wirelessly.

5) How does this happen — in plain English?

The wireless network card in your laptop, tablet or phone will connect to a selected open wireless access point (WAP) based on four pieces of information supplied by the wireless access point: the Service Set Identifier (SSID), the Media Access Control (MAC) address, a wireless channel, and the transmission power.  It is trivial for an attacker to set their wireless network card to look the same as the coffee shop’s wireless access point.  If the attacker sets a wireless transmit power slightly higher than the WAP’s transmit power, users will connect to the rogue device instead.  The attacker may then use a second wireless card to connect to the legitimate WAP in order to capture unsuspecting users’ data as it passes through their computer and out to the Internet.

6) Why does it happen?

The primary goal is identity theft or corporate espionage.  By capturing data as it goes across the network any attacker can passively look for unencrypted or under-encrypted data.  Even with an encrypted connection to a website an attacker who has forced all of your network traffic to go through their computer may be able to strip off or reduce the encryption without the user being aware.

7) How can travelers prevent their data from being unlocked and free for the picking?

I recommend that travelers use a paid VPN service that will create an encrypted tunnel between the laptop or phone and the exit site of the VPN service.

Alternatively, travelers should consider altogether avoiding dangerous free wireless networks and using their cell phone as a mobile hotspot device to connect to the Internet while traveling.

8) Is the threat of data or identity thieves widespread?

It is a universal truth that criminals will capitalize on every vulnerability they find whether it resides in the physical or virtual realm.

Cyber Warfare Exercise: part two

There are only two certainties in a company’s life: Taxes and your network will be hacked.

I recently returned from the 15-day cyber warfare exercise hosted by the Massachusetts Army National Guard.  Attendees included soldiers and airmen from Vermont, New Hampshire, Maine, Massachusetts, Connecticut, and Rhode Island as well as personnel from private organizations such as Mitre and ManTech.

An important change in this year’s event was that actual representatives from the Massachusetts Governor’s IT office, Massachusetts Water Resources Authority (MWRA), and the Massachusetts Department of Transportation (DoT) were active participants.  They were able to give an accurate portrayal of their interests and identify network resources that are critical to them.  This was all vital information to our “Blue Team” defenders.

I was acting as a “Red Team” aggressor and by the luck of the draw I was selected to attack the team of defenders I have been working with for the past few years.  I provided them denial-of-service attacks, phishing campaigns, website defacements, and other “cyber effects” for them to detect, react, and report on.  In several areas my team performed well, but I was most impressed with the cooperation and information sharing between my military coworkers and their civilian counterparts.

I have had some time to reflect on the lessons learned and the direction I want to take my team in the train-up leading to next year’s exercise.

  1. Baseline your infrastructure.

As a system owner, just knowing what accounts are privileged and what servers you have on your network is no longer enough. System owners need to know what kind of traffic is normal within their network, what services/processes should be running on each device, and which devices need to talk to each other.  When equipped with this knowledge, a network defender is far more effective at detecting ill-intentioned actors on the network.

  2. Know what is most critical.

In previous exercises, military personnel played the part of industry representatives and identified key infrastructure as being the domain controllers or DNS servers.  Having actual industry representatives at this year’s exercise radically changed the defenders’ ideas of what is most critical.  For example, representatives of the Governor’s office identified the Governor’s external website as being critical, as it is the “face” of the government in Massachusetts. It is important to have identified those critical systems before an attack, to focus the network defense on what is most important to the organization instead of on what the attackers see as most important to them.

  3. Be able to detect wrongdoing.

There are only two certainties in a company’s life: Taxes and your network will be hacked.

Every organization should have a secure and centralized logging server along with sensors, distributed throughout the infrastructure, capable of full packet capture.  Having this in place provides not just data but contextual information about what is going on in your environment.  There seems to be a trend for organizations to spend considerable resources on IPS/HIPS systems, but once an attacker compromises their system they lack actionable information and throw up their hands in defeat. These defensive measures are admirable, but we should operate on the motto: “Prevention is ideal.  Detection is a must.”

Protecting Data from Cyber Thieves

Getting hacked is one of the most feared outcomes for anybody who is doing business on or through the Internet. The bad news is there are always people trying to hack systems and get access to sensitive, private or confidential data. The good news is that the tips a financial advisor should follow to safeguard sensitive client information are well documented and easy to accomplish.

Here are a few important tips that every financial advisor should be following:

Email is both friend and foe

  • Don’t open attachments from anybody not intimately known or attachments that seem odd
  • Even if the person is known, screen it with antivirus before opening
  • If sensitive data has to be transmitted in email, either obfuscate or encrypt the data

Back up data frequently so a system can be wiped clean to “start over” quickly

  • Back up the data to a separate device

Use encrypted file storage devices or technology so that even if a hack is successful the data is protected

Consider using secure cloud-based storage instead of local system storage.

  • Allow regular system OS and software updates and patches
  • Use antivirus that scans emails and Internet URLs and looks for malware
  • Use unique passwords and change them regularly

When dealing with an advisor or other professionals who have access to sensitive information, there are a few basic questions you can ask that will determine if there are any red flags:

  1. Does the advisor share their work system or resources with other businesses or family?
  2. Are they using current systems and applications or outdated or unsupported services?
  3. Do they use public Wi-Fi Internet as part of doing work?
  4. Do they access client data remotely? If so, how is the data protected?