Why encryption is good.

Privacy is a big topic, and it ties into encryption.

Our data, from the news sites we visit to our social media and purchases, is tracked and cataloged. This data is sometimes compiled from different sources to create profiles for each user. 

Most of the time this information is collected without our deliberate consent; sometimes, though, we offer it even when it is not required.

I know what you’re thinking… Maybe I can use a VPN and block some of this tracking, use a DNS service, or use similar protection.  It could help a bit, but tracking now is so sophisticated that I’m unsure if this helps much. Your credit card transactions will work against you, and the amount of things required to do business on the Internet will likely create a trail that will be hard to shake off. 

With every data breach, more of our data is leaked: name, address, phone number, age, gender, and email. Other data points often collected are ethnicity, income level, voting registration, and occupation.

This amount of information, pieced together from various breaches, could be used maliciously. Just as advertisers now target us using this data, hackers are likely doing the same, and countries are likely taking advantage of this data as well.

I’m sure everyone reading this has received an email or letter notifying them that their information was disclosed in a breach.

How do we prevent this? 

We can’t… Too many companies collect our data… There are companies neither of us has heard of that have profiles on us and everyone we know. These profiles are used for split-second advertising auctions that determine the ad you see or even the commercial on your streaming service… That is a whole other story.

Since we can’t stop this, what can we do?

Good IT practices are required to secure data, but most importantly, data must be handled carefully, which specifically means encrypting it. Encrypted data, whether in transit or at rest, is only readable by someone who also holds a second factor (usually a key) to decrypt it.

If a hacker steals data that has been encrypted using strong ciphers, the data is useless unless the hacker also obtains a second factor, such as a key. If the hacker obtains the key too, well, it’s not encryption’s fault at that point…

Our only hope?

Regulatory and other compliance requirements create the frameworks or rules required to protect data in an IT system. 

For instance, a company that processes many credit card transactions must undergo an IT audit based on the Payment Card Industry (PCI) standard. This audit ensures that cardholder data is protected, that only the data required is collected, and that other IT controls validating a safe computing environment are in place wherever credit card data is processed or stored. This is an example of a regulatory standard. Other regions and industries have their own requirements.

However, most companies collecting data on US citizens have few regulations today.

GDPR and NIS 2 in Europe are trying to address this topic and reduce the risk by questioning data collection, creating requirements for storing data, and potentially requiring that a user’s data be deleted on request.

FedRAMP is an IT audit that must be passed by cloud-based companies working with the US government. It is based on the NIST 800-53 framework and, in my opinion, is helping the industry as a whole, but it only applies to cloud-based government contractors.

Why is encryption good? 

Encryption is required to keep data safe, ensuring confidentiality and integrity.

Encryption is a mechanism to render data unreadable outside the intended parties.

It can be used in two ways:

  • At rest, when an item is stored; think of a network share drive or SharePoint.
  • In transit, when data is moving through the network; think of credit card transactions.

Business can only be conducted online with strong, reliable encryption to protect transactions. 

Now, imagine if the government wanted to have a back door in any of the encryption standards…..

Every financial transaction, from Amazon to FanDuel, must be encrypted to prevent snooping. A backdoor in the encryption protocol used for these transactions would shake confidence in any online transaction.

Any security professional will understand the CIA triad: confidentiality, integrity, and availability. These are the pillars of data security.

The government should understand that an encryption protocol with a back door is not secure. 

Please think twice before assuming encryption is a bad thing. Without encryption, online transactions would not be possible. 

The next time you bet on FanDuel or purchase on Amazon, consider how much you hope your information is encrypted securely.

Giphy…

Some of you know the name, some of you don’t.

Giphy – An application for searching and applying GIFs on your device. Giphy can be integrated into your keyboard for easy access.

But should you….

Everyone already knows data is the new gold: it is valuable, and everyone is looking to obtain every piece of information they can about you. Why are we this popular? Well, the more data there is, the more precisely advertisements can be targeted to you, which increases the price of the ad.

Every application you download on your phone will most likely collect data about you from your mobile phone to some extent.

From Twitter to TikTok, every application is tracking what you do, what you buy, where you go, what you search for, other general info such as how often you charge your phone, and Lord knows what else.

I’d like to stick with Giphy for this topic. 

When setting up my new phone I downloaded Giphy, which prompted this idea of how dangerous direct access to your keyboard can be.

You use your keyboard to enter all the information that goes into your phone (voice is not there yet). Every password and every piece of sensitive data is entered through the keyboard, which makes any application that has access to the keyboard extremely risky.

With that being said, if Giphy were ever compromised, consider that malicious parties would then have access to users’ keyboards. This is a bit of a stretch, but considering the access Giphy requires on a mobile phone to reach the keyboard, it is possible.

I still have Giphy installed on my device but I decided to avoid allowing it access to my keyboard. 

Instead, I can open the Giphy application, find a GIF I’d like, then copy/paste it where I’d like to use it.

This is not as easy as adding it to my keyboard but it is not difficult. 

Giphy is a fine company, but my fear is that the level of access it seeks is too high for essentially any company. Consider that Giphy was owned by Meta until it was recently sold to Shutterstock.

In my experience, Facebook and Instagram are the worst offenders; I refuse to download either on my phone. Instagram and Facebook pull the same data Twitter does, in addition to financial, health, and sensitive information. I have no idea why Meta pulls this info, but it paints the picture that you truly are the product when using Instagram or Facebook.

Phishing

Trust No One.

When it comes to phishing, the malicious actors are hard at work thinking of new ideas to trick users.

When reading an email from an unknown or even a known source, it pays to be skeptical.

  • Don’t open unknown attachments; they could contain anything, and you just don’t know.
  • Don’t click links contained within an email, as they can lead to a falsified page made to imitate the intended site; once your credentials are entered, the bad guys win.
  • Don’t reply to the sender, as this at a minimum informs the sender that there is someone at the receiving address.

Phishing has advanced over the years, and the old tricks for identifying a phishing attempt can no longer be relied upon. Those annual phishing refresher courses your company offers can be boring, but they do contain useful information.

One example of a phishing advancement is the use of Cyrillic characters. Roman letters are what the majority of English speakers use, and Cyrillic characters that look similar enough to mimic Roman letters are often used in their place, leading to a completely different, and usually malicious, destination instead of the intended website. Multiple examples exist of URLs that use characters from other languages’ keyboards to trick users into entering their login credentials on a false front page. See the graph from Bleeping Computer below.

https://www.bleepingcomputer.com/news/security/cyrillic-characters-are-favorites-for-idn-homograph-attacks/
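As an added example (not part of the original post), here is a small Python check that flags a hostname whose labels mix Latin and Cyrillic letters and shows the punycode (xn--) form that is actually resolved, which is how a look-alike domain becomes visibly different. The sample hostnames are constructed for illustration.

```python
import unicodedata
from typing import Dict, Set

# Constructed samples: the second one uses Cyrillic "а" (U+0430) in place of
# the Latin "a" it resembles, the classic IDN homograph trick.
SAMPLE_HOSTNAMES = [
    "paypal.com",
    "p\u0430yp\u0430l.com",
]


def scripts_in_label(label: str) -> Set[str]:
    """Return the Unicode scripts used by the letters of one DNS label.

    The script is read from the first word of each character's Unicode name,
    e.g. 'LATIN SMALL LETTER A' -> 'LATIN', 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'.
    """
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def is_mixed_script(hostname: str) -> bool:
    """True if any label mixes more than one script (the look-alike pattern)."""
    return any(len(scripts_in_label(label)) > 1 for label in hostname.split("."))


def to_ascii(hostname: str) -> str:
    """Render the hostname in the punycode form browsers and resolvers use.

    A pure-ASCII hostname comes back unchanged; a hostname with non-ASCII
    letters gets 'xn--' labels, which is the form a user should be shown
    when deciding whether a link is trustworthy.
    """
    return hostname.encode("idna").decode("ascii")


def check_hostname(hostname: str) -> Dict[str, object]:
    """Summarize the homograph indicators for one hostname."""
    return {
        "hostname": hostname,
        "non_ascii": not hostname.isascii(),
        "mixed_script": is_mixed_script(hostname),
        "ascii_form": to_ascii(hostname),
    }


if __name__ == "__main__":
    for name in SAMPLE_HOSTNAMES:
        print(check_hostname(name))
```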

All users should follow a few basic guidelines to decrease their chances of being phished.

  • Avoid clicking links in email, for all email messages. For known users within a work environment, certain exceptions can be made. Overall, if you can normalize the behavior of not clicking links contained within an email and instead typing the URL into the address bar yourself, it will further reduce the likelihood that you make a mistake on a phishing email.
  • Standardize on an email header tag in front of the subject line for your team or organization. This tag will be unknown to outsiders and will help fellow employees identify a legitimate email. This is an example of such a subject line: [Team Name] Update on the Team Project
  • Enable two-factor authentication on EVERYTHING! Good password practices along with multi-factor authentication will go a long way toward protecting you and your organization.
  • Use a different password for each website. If you use the same password for every website and a hacker obtains your email/password combination, they will test it on every possible site. I highly recommend password managers, which provide the advantage of generating a highly secure randomized password for each website.

Life at an Enterprise

During the last two years I’ve been working at an enterprise company, which is a new experience for me.

Previously I worked for various IT consulting and IT assessor firms. Two years ago I left for a large organization, and since that time I’ve worked on a compliance team for an enterprise software company. It’s been a vastly different experience that has taught me several lessons. Being behind the curtain, so to speak, has given me a new perspective on things.

Fundamentally, mistakes in domains such as access control and asset management will continuously come back to haunt an organization. If these two foundational controls are not built on a strong foundation, an organization cannot defend itself against an audit, let alone an actual security threat.

Threat hunting is a new term I hear a lot. Threat hunting using cutting-edge tools can be helpful, but at the end of the day, knowing what’s in your environment and who has access to it is still the foundation of security. Having a strong foundation of limiting access to need-to-know and keeping an accurate, up-to-date inventory will go a long way.

I will be back with more.

I’m not dead

I took a new position and along with life during Covid I haven’t had much time for studying new topics. Until now.

Stay Tuned.

Happy 2022!

Vulnerability Management

A lot of ambiguity exists around how to properly manage vulnerabilities. A vulnerability management program encompasses multiple teams, tools, and processes with the common goal of securing, and maintaining the security of, the environment. A proper program allows the effort to be managed and measured through metrics, which mature programs regularly produce.

Before performing vulnerability scans, a few things must be considered.

What should be scanned, and how should different segments be treated? For example, is one zone in PCI scope and another in HITRUST scope, while the dev network is out of scope?

Once the scope is identified, we need to:

Discover Assets

Keeping a valid asset inventory is not a fun or cool thing to do, but it is important and often overlooked.

Another often-overlooked benefit of an up-to-date asset inventory is the ability to use outside sources of alerts. For example, if I know I have a lot of Apache web servers, I can set up alerts from multiple sources to notify me or the team of any new vulnerabilities that match the criteria I define.

Once assets are discovered, we need to confirm the custodian/owner, that is, who is patching them.

After assets are known and owners are identified, we need to assign each asset a criticality rating based on its business function.

The asset, its owner/custodian, and its criticality rating should be recorded in the inventory along with the location, name, serial number, important software, OS and versions, and other relevant information.

Now the fun stuff…

Identifying Vulnerabilities (Detection Phase)

A vulnerability scan is a combination of automated or manual tools, techniques, and/or methods run against external and internal network devices and servers, designed to expose potential vulnerabilities in networks that could be exploited by malicious individuals. Once these weaknesses are identified, the entity should focus on remediating the deficiencies discovered and then repeat the scan to verify the vulnerabilities have been corrected.

A vulnerability scan should be performed against both the internal network and the external footprint of an organization. The frequency of the scans can vary depending upon compliance regulations, but a suggested practice is to scan quarterly and after any major change to your environment.

PCI requires quarterly scans from an approved vendor for organizations’ external environments. Internal scans, along with penetration tests, are defined as annual.

HITRUST requires vulnerability scanning quarterly as well.

Evaluation of Vulnerabilities (Prioritizing of Risk)

On a typical vulnerability scan, findings will be rated critical, high, medium, or low.

These ratings are based on the Common Vulnerabilities and Exposures list, commonly referred to as CVE.

A CVE score is used for prioritizing vulnerabilities. The CVE glossary is a project dedicated to tracking and documenting vulnerabilities in software and hardware. Since 1999, the MITRE Corporation has maintained the CVE system, which is funded by the National Cyber Security Division of the US Department of Homeland Security.

When a security researcher discovers a new vulnerability, it is evaluated and identified according to the Root CVE Numbering Authority. Once independent researchers confirm the vulnerability, it is entered into the NIST National Vulnerability Database (NVD).

The Common Vulnerability Scoring System (CVSS) is used to arrive at a final score for a vulnerability.

The CVSS score has three parts: the base score, the temporal score, and the environmental score.

Knowing the criticality rating of each system helps judge the risk associated with a vulnerability, taking into account both the vulnerability rating and the system rating. The CVSS environmental score helps determine a vulnerability’s risk specifically against your organization. The temporal score is based on the timing of available patches or fixes for the vulnerability.

A high vulnerability on a system that is not externally exposed and requires network access before it can be exploited will be rated lower than the same high vulnerability found on an externally exposed web server. This is a simple example, but real situations will be similar, and using a defined methodology will help.
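As an added example (not the author’s own methodology), here is a small Python prioritization routine that combines the scanner severity with the asset’s inventory criticality and Internet exposure, so that the same "high" finding on an exposed web server lands ahead of one on an internal file server. The weights and the asset and finding records are constructed for illustration, and the scoring is a simple assumed rule, not a CVSS environmental-metric calculation.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: str   # business-function rating from the inventory: low, medium or high
    external: bool     # True when the asset is reachable from the Internet


@dataclass(frozen=True)
class Finding:
    asset: Asset
    title: str                  # scanner plugin title (constructed; no real CVE ids)
    base_severity: str          # scanner rating derived from the CVSS base score
    needs_network_access: bool  # True when exploitation first requires internal network access


# Assumed weighting: start from scanner severity, add for business criticality
# and Internet exposure, subtract when an attacker must already be on the network.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
CRITICALITY_BONUS = {"low": 0, "medium": 1, "high": 2}


def risk_score(f: Finding) -> int:
    score = SEVERITY_RANK[f.base_severity] + CRITICALITY_BONUS[f.asset.criticality]
    if f.asset.external:
        score += 2
    elif f.needs_network_access:
        score -= 1
    return max(score, 1)


def risk_tier(f: Finding) -> str:
    """Map the score onto the remediation queue; P1 is worked first."""
    score = risk_score(f)
    if score >= 7:
        return "P1"
    if score >= 5:
        return "P2"
    if score >= 3:
        return "P3"
    return "P4"


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Order findings so the highest organizational risk is remediated first."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed inventory: the same "high" finding on an exposed web server
# and on an internal file server that requires network access to exploit.
WEB = Asset("web-01", "high", external=True)
FILES = Asset("file-01", "medium", external=False)
FINDINGS = [
    Finding(FILES, "example remote code execution (constructed)", "high", needs_network_access=True),
    Finding(WEB, "example remote code execution (constructed)", "high", needs_network_access=False),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(risk_tier(f), risk_score(f), f.asset.name, f.title)
```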

Remediation (Fixing the detected Issues)

Remediation efforts should be tracked, managed, and reviewed. Ideally a central ticketing system is used to track remediation efforts and provide meaningful metrics to the overall vulnerability management program. Metrics from the remediation effort can include mean time to detection, mean time to remediation, average window of exposure, and the percentage of systems without critical or high vulnerabilities.
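As an added example (not part of the original post), the four metrics named above computed from a handful of constructed ticket records of the kind a ticketing-system export would contain. The field names and dates are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Ticket:
    asset: str
    severity: str                       # scanner rating: critical, high, medium, low
    published: date                     # date the vulnerability became publicly known
    detected: date                      # date our scan first reported it
    remediated: Optional[date] = None   # None while the ticket is still open


# Constructed records standing in for a ticketing-system export.
AS_OF = date(2022, 1, 31)
INVENTORY = ["web-01", "db-01", "file-01", "app-01"]
TICKETS = [
    Ticket("web-01", "critical", date(2021, 12, 30), date(2022, 1, 3), date(2022, 1, 10)),
    Ticket("db-01", "high", date(2022, 1, 1), date(2022, 1, 5), date(2022, 1, 19)),
    Ticket("file-01", "medium", date(2022, 1, 4), date(2022, 1, 5)),
    Ticket("web-01", "high", date(2022, 1, 10), date(2022, 1, 12)),
]


def mean_time_to_detection(tickets: List[Ticket]) -> float:
    """Days between public disclosure and our first detection, averaged."""
    return mean((t.detected - t.published).days for t in tickets)


def mean_time_to_remediation(tickets: List[Ticket]) -> float:
    """Days from detection to fix, averaged over closed tickets only."""
    closed = [t for t in tickets if t.remediated is not None]
    if not closed:
        return 0.0
    return mean((t.remediated - t.detected).days for t in closed)


def average_window_of_exposure(tickets: List[Ticket], as_of: date) -> float:
    """Days each vulnerability was (or still is) exposed; open tickets count up to as_of."""
    return mean(((t.remediated or as_of) - t.detected).days for t in tickets)


def pct_systems_without_critical_or_high(inventory: List[str], tickets: List[Ticket]) -> float:
    """Share of inventoried systems with no open critical or high ticket."""
    exposed = {t.asset for t in tickets
               if t.remediated is None and t.severity in ("critical", "high")}
    clean = [a for a in inventory if a not in exposed]
    return 100.0 * len(clean) / len(inventory)


def program_metrics(inventory=INVENTORY, tickets=TICKETS, as_of=AS_OF) -> Dict[str, float]:
    return {
        "mean_time_to_detection_days": mean_time_to_detection(tickets),
        "mean_time_to_remediation_days": mean_time_to_remediation(tickets),
        "average_window_of_exposure_days": average_window_of_exposure(tickets, as_of),
        "pct_systems_without_critical_or_high": pct_systems_without_critical_or_high(inventory, tickets),
    }


if __name__ == "__main__":
    for name, value in program_metrics().items():
        print(f"{name}: {value}")
```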

  • Rinse, Repeat and Document
  • Set a defined frequency for:
    • Scanning
    • Patching
    • Reviewing Scans
    • Reviewing Remediation efforts

A vulnerability management program should consist of a team of individuals including IT, Security, and a management-level IT or Security person. The idea is to include the IT staff who will most likely perform remediation and have the effort managed and overseen by Security. IT or Security management should be included to show buy-in and to help with any approvals required.

A vulnerability management program provides an organization the data needed to properly manage and measure their IT infrastructure. 

A mature vulnerability program will encompass not only vulnerability scanning but inventory management, a remediation process for discovered vulnerabilities, penetration testing, and risk management. A mature program will have the ability to coordinate the results of previous scans to create meaningful metrics that an organization can use to review the processes for improvements and additional risk reduction.

Jawn of the Month

Sorry for the long delay. It’s been the busy season.

And I’ve been in full swing of migrating to compliance and the audit team.

For the December 2020 Jawn of the Month

Open Office

It’s such a go to for me now that I don’t even think twice about installing it.

It satisfies all of my Office needs and is completely open source.

Is the Office suite better? Yes, but this is open source.

https://www.openoffice.org/

Jawn of the Month

I took most of the summer off. I’ll have some cloud articles coming up on the docket for the next few months.

For August 2020 the Jawn of the Month is the PI-HOLE

The PI-HOLE is an operating system built to run on a Raspberry Pi. It is used as an internal DNS server for your internal network, and it blocks a majority of ads and some malware at the network layer, adding another layer of defense to your home network.

I was late to the party on using a PI-HOLE as my internal DNS server. I used OpenDNS previously and thought it was sufficient to block ads and add a layer of protection to my home network, but I was wrong. Immediately after implementing the PI-HOLE, I could see that normal ads that had escaped my in-browser protections were now completely blank.

A PI-HOLE is absolutely worth implementing for your home network.

https://pi-hole.net/

2020 is almost over…

Jawn of the Month

For June 2020 the Jawn of the Month is Joplin.

Joplin is an open source note-taking application. It is similar to OneNote and just as functional.

It has the ability to sync to a cloud service or file share.

Notes are searchable and tag-able items.

My friend Ian Terry recommended it to me and I thank him for that!

https://joplinapp.org/

We’ve moved to the cloud, now what do we do?

Cloud environments make a lot of sense for businesses of all types. As we move to a more agile workforce, using cloud resources provides added functionality that was often not obtainable for small to medium businesses. Cloud resources are by nature highly available and highly scalable, and they make disaster recovery easier to implement.

In the past, for a smaller company to scale up to meet demand required a huge up-front investment in new hardware. That hardware required time to set up and then configure. With the advent of cloud hosting these operations have become much easier and are available under a much more affordable subscription model instead of the previous up-front costs of hardware and licensing. I can see some situations that may still require on-site equipment for compliance, legal, or cost reasons. Those situations will be the exception, as most businesses will benefit from the cost savings associated with cloud hosting. Additionally, as more companies use Linux systems for their web applications and services, that will also reduce cost, as most Linux operating systems are open source and do not require any licensing fees.

One misconception about migrating to a cloud environment is that it is secure by default. I would say that is partially true but not completely. AWS, for example, uses a deny-all policy for its security groups by default. A default-deny policy is a best practice: any access to a system requires a security group (firewall) rule that specifically allows that traffic into the cloud resource, and access should be opened up only according to need. In a cloud environment you are not responsible for the physical security of your cloud systems or the underlying network, but the security of your hosts and services is your responsibility.

An application that is only used by your employees should limit access to those specific employees. This can be implemented by a direct connection, a VPN, a certificate that authenticates the device, or by whitelisting the specific IP addresses of the employees who require access (this can be painful if the users do not have static IPs). Whitelisting IP addresses for remote workers is cumbersome because those addresses change, but for smaller organizations it could be feasible. If you have a web application that users should be able to reach from anywhere in the world, then you’ll need to open up access to everyone for that application.

Opening access to the world can be a scary concept. If your system is available over the open Internet, expect it to be tested constantly. Regardless of the service, if something exists and is accessible to everyone on the Internet, it will be discovered by crawlers; some of these are for research purposes and others are malicious. This is a fact of life that every organization, government, and Internet user must face. To protect your systems, you must implement proper access controls, secure transmissions, and permissions that limit the possibility of unauthorized access.

Making a system secure requires multiple layers of protection. A layered approach can deter an attacker, as it may be too difficult to gain entry; it can also prevent a deeper breach or stop an attacker from obtaining the keys to the kingdom (administrator access). Keeping an environment secure, whether in the cloud or on-premises, requires the same concepts. Create a strong perimeter, either at the network layer or, if you’re following a Zero Trust model, on the host itself. That means shutting down services that aren’t required, using a default deny-all rule, and allowing specific traffic into the host by exception. Add multi-factor authentication to your remote access methods to further secure your access.
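As an added example (not the author’s own configuration), here is a small Python model of the default-deny, allow-by-exception evaluation described above for security-group ingress rules, with a weak rule set that leaves SSH open to the world next to a corrected one that allows it only from an office range. The rule representation and the IP ranges are constructed for illustration; this is not the AWS API.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class IngressRule:
    protocol: str   # "tcp" or "udp"
    port: int
    cidr: str       # source range allowed; "0.0.0.0/0" means the whole Internet


def is_allowed(rules: Sequence[IngressRule], protocol: str, port: int, source_ip: str) -> bool:
    """Default deny: a packet is allowed only when some rule explicitly matches it.

    Anything not covered by a rule, including a port nobody thought about,
    is dropped; that is the property a deny-all security group gives you.
    """
    src = ipaddress.ip_address(source_ip)
    for rule in rules:
        if rule.protocol != protocol or rule.port != port:
            continue
        network = ipaddress.ip_network(rule.cidr)
        if src.version == network.version and src in network:
            return True
    return False


def world_open_admin_ports(rules: Sequence[IngressRule],
                           admin_ports: Sequence[int] = (22, 3389)) -> List[IngressRule]:
    """Find rules that expose an administrative port to 0.0.0.0/0 (the weak setting).

    This is the check to run before a security group is applied to an
    Internet-facing host.
    """
    return [r for r in rules
            if r.port in admin_ports and ipaddress.ip_network(r.cidr).prefixlen == 0]


# Weak: HTTPS is public (the web app must be reachable), but so is SSH.
WEAK_RULES = [
    IngressRule("tcp", 443, "0.0.0.0/0"),
    IngressRule("tcp", 22, "0.0.0.0/0"),
]

# Corrected: HTTPS stays public; SSH is allowed only from a constructed office range.
HARDENED_RULES = [
    IngressRule("tcp", 443, "0.0.0.0/0"),
    IngressRule("tcp", 22, "203.0.113.0/24"),
]

if __name__ == "__main__":
    print("weak rules exposing admin ports:", world_open_admin_ports(WEAK_RULES))
    print("hardened rules exposing admin ports:", world_open_admin_ports(HARDENED_RULES))
    print("ssh from the Internet (hardened):", is_allowed(HARDENED_RULES, "tcp", 22, "198.51.100.7"))
    print("ssh from the office (hardened):", is_allowed(HARDENED_RULES, "tcp", 22, "203.0.113.20"))
```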

After securing the perimeter, protections should be in place to limit file and network access according to the user’s role. There is no need for a standard user to have privileged rights. Securing the perimeter and limiting user access is a great start for a program, but to fully secure systems, techniques such as the following should be added:

Centralizing Access – One location that stores all user information and can edit permissions/access at a moment’s notice. Changes in this system are reflected in all other systems.

Centralizing Monitoring – All devices send their logs to a SIEM or syslog server, which can create metrics or trigger alerts for defined events.

Adding Network Detection/Prevention Systems – These systems sit on a network to detect or prevent malicious activity and send alerts based on triggers. They differ from a SIEM in that their triggers are set according to network traffic, while SIEM triggers are based on logs.

Application Firewalls – If you own an application that is exposed to the Internet, you should have an application-layer firewall in front of it. These next-generation firewalls can detect and inspect application-layer traffic.

To sum this rant up into something meaningful: your new and exciting cloud hosting will still require the same old boring security practices that (mostly) kept your on-premises servers secure. As more organizations move to the cloud, they’ll need to hire staff with the skills to implement and use cloud features in a way that makes the cloud safe, secure, and cost-effective. Pick your vendors, contractors, and assessors wisely, as they’re not all created equal. When you talk to your third-party consultant, make sure they understand how cloud infrastructures work. All too often we see items a previous assessment team missed completely or misunderstood. Mistakes like these can go in either direction, such as giving an organization a false sense of security or requiring an organization to perform wasteful remediation on a system that meets requirements but is simply poorly understood. Just as not all cloud-hosting providers are created equal, the same can be said about security organizations. Perform your due diligence: ask about the credentials of the team members, ask for references, and hold discussions with them to see if they’re on the level. Picking a partner to help secure your organization may be one of the most important choices you make.