Phishing

Trust No One.

When it comes to phishing, the malicious actors are hard at work thinking of new ideas to trick users.

When reading an email from an unknown or even a known source it pays to be skeptical.

  • Don’t open unknown attachments. They could contain anything; you just don’t know.
  • Don’t click links contained within an email, as they can lead to a falsified page made to imitate the intended site. Once your credentials are entered, the bad guys win.
  • Don’t reply to the sender, as this at a minimum informs the sender that there is someone at the receiving address of the email.

Phishing has advanced over the years, and the old tricks to identify a phishing attempt can’t be relied upon. Those annual phishing refresher courses your company offers can be boring but do contain useful information.

One example of phishing advancements is the use of Cyrillic characters in place of the Roman (Latin) letters that the majority of English speakers use. Cyrillic characters are often used to mimic Roman letters: they look similar enough, but lead to a completely different and usually malicious destination instead of the intended website. Multiple examples exist of URLs utilizing different language keyboards to trick users into entering their login credentials on a false front page. See the graph from Bleeping Computer at the link below.

https://www.bleepingcomputer.com/news/security/cyrillic-characters-are-favorites-for-idn-homograph-attacks/
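
The look-alike check described above can be automated on the defender's side. The following is an added example, not code from the original post: it classifies each label of a hostname as plain Latin, mixed-script, or an all-Cyrillic look-alike. The `CONFUSABLES` table is a small illustrative subset, and the function names and verdict strings are assumptions made for this sketch.

```python
import unicodedata

# Small, illustrative subset of Cyrillic letters that render like Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u0458": "j",
}


def script_of(ch):
    """First word of the Unicode name, e.g. 'LATIN' or 'CYRILLIC'."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def check_label(label):
    """Classify one DNS label; returns (verdict, latin_skeleton)."""
    if label.startswith("xn--"):
        # Punycode form: decode to the Unicode text a browser may display.
        try:
            label = label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return "invalid-punycode", label
    scripts = {script_of(c) for c in label if c.isalpha()}
    # Replace known look-alikes to see which Latin string the label imitates.
    skeleton = "".join(CONFUSABLES.get(c, c) for c in label)
    if scripts <= {"LATIN"}:
        return "ok", skeleton
    if len(scripts) > 1:
        return "mixed-script", skeleton            # e.g. Latin + Cyrillic
    if skeleton.isascii():
        return "whole-script-lookalike", skeleton  # reads as a Latin word
    return "non-latin", skeleton                   # ordinary IDN, not a look-alike


def check_hostname(hostname):
    """Return (verdict, skeleton) for every label that is not plain Latin."""
    findings = []
    for label in hostname.lower().rstrip(".").split("."):
        verdict, skeleton = check_label(label)
        if verdict != "ok":
            findings.append((verdict, skeleton))
    return findings


if __name__ == "__main__":
    # Constructed sample hostnames; escapes make the Cyrillic letters visible.
    samples = [
        "example.com",
        "p\u0430ypal.com",             # Latin with one Cyrillic 'a'
        "\u0435\u0440\u0456\u0441.com",  # all Cyrillic, renders like 'epic'
    ]
    for host in samples:
        print(ascii(host), check_hostname(host))
```

A "non-latin" verdict is not a finding by itself, since legitimate internationalized domains exist; the mixed-script and look-alike verdicts are the ones worth flagging in a mail gateway or proxy log review.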

All users should follow a few basic guidelines to decrease their chances of being phished.

  • Avoid clicking links in all email messages. For known users within a work environment, certain exceptions can be made. Overall, if you can normalize the behavior of not clicking links contained within an email and instead typing the URL in the address bar yourself, it will further reduce the likelihood of making a mistake on a phishing email.
  • Standardize an email header in front of the Subject line for your team or organization. This email header will be unknown to outsiders and help fellow employees identify a legitimate email. An example Subject line: [Team Name] Update on the Team Project
  • Enable Two Factor Authentication on EVERYTHING! Good password practices along with enabling multi-factor authentication will go a long way to protect you and your organization.
  • Use different passwords for each website. If you use the same password for every website and a hacker obtains your email/password combo, they will test it on every possible site. I highly recommend password managers, which provide the advantage of generating a highly secure randomized password for each website.

Life at an Enterprise

During the last two years I’ve been working at an enterprise company which is a new experience for me.

Previously I worked for various IT consulting and IT Assessor firms. 2 years ago, I left for a large organization; since that time I’ve worked on a compliance team for an enterprise software company. It’s been a vastly different experience that has taught me several lessons. Being behind the curtain, so to speak, has given me a new perspective on things.

Fundamentally, mistakes in domains such as access control and asset management will continuously come back to haunt an organization. If these two foundational controls are not built on a strong foundation, an organization can’t defend itself against an audit, let alone an actual security threat.

Threat hunting is a new term I hear a lot. Threat hunting using cutting edge tools can be helpful, but at the end of the day knowing what’s in your environment and who has access to it is still the foundation of security. Having a strong foundation of limiting access to need-to-know and having an accurate, up-to-date inventory will go a long way.

I will be back with more.

I’m not dead

I took a new position and along with life during Covid I haven’t had much time for studying new topics. Until now.

Stay Tuned.

Happy 2022!

Jawn of the Month

Sorry for the long delay. It’s been the busy season.

And I’ve been in full swing of migrating to compliance and the audit team.

For the December 2020 Jawn of the Month

Open Office

It’s such a go to for me now that I don’t even think twice about installing it.

It satisfies all of my Office needs and is completely open source.

Is the Office suite better? Yes, but this is open source.

https://www.openoffice.org/

Jawn of the Month

I took most of the summer off. I’ll have some cloud articles coming up on the docket for the next few months.

For August 2020 the Jawn of the Month is the PI-HOLE

The PI-HOLE is an operating system built to run upon a Raspberry Pi. This operating system is used as an internal DNS server for your internal network. This internal DNS server will block a majority of ads and some malware on the network layer adding another layer of defense to your home network.

I was late to the party on utilizing a PI-HOLE as my internal DNS server. I used OpenDNS previously and thought it was sufficient to block ads and add a layer of protection on my home network, but I was wrong. Instantly after implementing the PI-HOLE I could see that normal ads that escaped my in-browser protections were now completely blank.

A PI-HOLE is absolutely worth implementing for your home network.

https://pi-hole.net/

2020 is almost over…

Jawn of the Month

For June 2020 the Jawn of the Month is Joplin.

Joplin is an open source note-taking application. It is similar to OneNote and just as functional.

It has the ability to sync to a cloud service or file share.

Notes are searchable and tag-able items.

My friend Ian Terry recommended it to me and I thank him for that!

https://joplinapp.org/

We’ve moved in the cloud now what do we do?

Cloud environments make a lot of sense for businesses of all types. As we move to a more agile workforce, utilizing cloud resources provides added functionality that was often not obtainable for small to medium businesses. Cloud resources are by nature highly available and highly scalable, and they make disaster recovery easier to implement.

In the past, for a smaller company to scale up to meet demand, it would require a huge up-front investment to acquire new hardware. That hardware would require time to set up and then configure. With the advent of cloud hosting these operations have become much easier, with a much more affordable subscription model instead of the previous up-front costs of hardware and licensing. I can see some situations which may still require on-site equipment for various compliance, legal, or cost requirements. Those situations will be the exception, as most businesses will benefit from the cost savings associated with cloud hosting. Additionally, as more companies utilize Linux systems for web applications and their services, that will also reduce cost, as most Linux operating systems are open source and do not require any licensing costs.

One misconception about migrating to a cloud environment is that it is secure by default. I would say that is partially true but not completely. By default, AWS, for example, will utilize a deny-all policy for its security groups. A default-deny policy is a best practice: any access to that system requires a security group (firewall) rule that specifically allows that traffic into the cloud resource. As a best practice, access should be opened up according to need. In a cloud environment you are not responsible for the physical security of your cloud systems or the underlying network, but the security of your hosts and services is your responsibility. An application which is only utilized by your employees should limit access to those specific employees. This can be implemented by a direct connection, a VPN, a certificate to authenticate the device, or by whitelisting the specific IP addresses of the employees that require access. Whitelisting IP addresses for remote workers would be cumbersome, as those addresses can change if they are not static, but for smaller organizations it could be feasible. If you have a web application which users should be able to access from anywhere in the world, then you’ll need to open up access to everyone for that application.
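
The allow-by-exception review described above can be scripted against an export of your security groups. This is an added example, not part of the original post: it walks data in the shape returned by `aws ec2 describe-security-groups` and reports every inbound rule open to the whole Internet, except on ports you have deliberately published. The group IDs, addresses, the function name and the default public port (443) are assumptions chosen for the sketch.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group IDs and addresses are placeholders, not real resources.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-example-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-example-admin", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}, {"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-example-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]}


def world_open_rules(groups, public_ports=frozenset({443})):
    """Return (group_id, protocol, from_port, to_port, cidr) for every inbound
    rule that admits any source address on a port outside public_ports."""
    findings = []
    for sg in groups["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            proto = perm["IpProtocol"]
            # Protocol "-1" means all traffic and carries no port range.
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            for cidr in cidrs:
                if ipaddress.ip_network(cidr, strict=False).prefixlen != 0:
                    continue  # scoped to specific addresses: an allowed exception
                if (proto == "tcp" and lo is not None
                        and all(p in public_ports for p in range(lo, hi + 1))):
                    continue  # intentionally public service
                findings.append((sg["GroupId"], proto, lo, hi, cidr))
    return findings


if __name__ == "__main__":
    for finding in world_open_rules(SAMPLE):
        print("open to the world:", finding)
```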

Opening access to the world can be a scary concept. If your system is available over the open Internet, expect it to be tested consistently. Regardless of the service, if something exists and is accessible to everyone on the Internet it will be discovered by crawlers; some of these will be for research purposes and others will be for malicious purposes. This is a fact of life that every organization, government, and Internet user must face. In order to protect your systems, you must implement proper access controls, secure transmissions, and permissions to limit the possibility of unauthorized access.

Making a system secure requires multiple layers of protection. A layered approach can deter an attacker, as it may be too difficult to make an entry. It could also prevent a deeper breach or prevent an attacker from obtaining the keys to the kingdom (administrator access). Keeping an environment secure, either in the cloud or on-premises, requires the same concepts. Create a strong perimeter either on the network layer or, if you’re following a Zero Trust model, on the host itself. That means shutting down services which aren’t required, utilizing a default deny-all rule, and allowing specific traffic into the host by exception. Add multi-factor authentication to your remote access methods to further secure your access.

After securing the perimeter, protections should be in place to limit file/network access to the user’s role. There is no need for a standard user to have privileged rights. Securing the perimeter and limiting user access will be a great start for a program, but to fully secure systems, add techniques such as:

Centralizing Access – One Location which stores all of the user information and can edit permissions/access at a moment’s notice. Changes in this system are reflected in all systems.

Centralizing Monitoring – All devices send their logs to a SIEM or Syslog server, which can create metrics or trigger alerts for defined events.

Adding Network Detection/Prevention Systems – These systems can sit on a network and detect or prevent malicious activity and send alerts based on triggers. This differs from a SIEM, as these triggers can be set according to network traffic while SIEM triggers are based on logs.

Application Firewalls – If you have an application you own and it is exposed to the internet you should have an application layer firewall. These next-generation firewalls can detect and inspect application-layer traffic.

To sum this rant up into something meaningful, your new and exciting cloud hosting will still require the same old boring security practices that helped keep your on-premise servers secure (mostly). As more organizations move to the cloud they’ll need to hire staff with the skills to implement and utilize cloud features to make the cloud safe, secure, and cost-effective. Pick your vendors, contractors, and assessors wisely, as they’re not all created equal. When you talk to your third-party consultant, make sure they understand how cloud infrastructures work and function. All too often we see items a previous assessment team missed completely or did not fully understand. Mistakes like these can go in either direction, such as providing an organization a false sense of security or requiring an organization to perform wasteful remediation for a system that meets requirements but is just poorly understood. Just as not all cloud-hosting providers are created equal, the same can be said about security organizations. Perform your due diligence: ask for the credentials of the team members, ask for references, and hold discussions with them to see if they’re on the level. Picking a partner to help secure your organization may be one of the most important choices you make.

Jawn of the Month (May 2020)

April was a crappy month so we’ll just skip it…

The jawn of the month for May 2020 is Grammarly.

One area where I need to improve is my grammar and writing skills. It is something I’ve often overlooked and have not spent the time I need to improve it. I wouldn’t doubt some of you have noticed my affinity for writing down rants and ramblings. Grammarly has helped turn some of the rants and ramblings into a somewhat readable format.

As a co-worker pointed out to me (if you read this and are ok with a shout out I will edit your name in), it wouldn’t be safe to use around sensitive information. But it can be used for any personal writings, etc.

https://www.grammarly.com/

Jawn of the Month

For February 2020 the Jawn of the month is…

NMAP

NMAP is such a powerful tool that it can be used for multiple functions including pen testing, network mapping, vulnerability scanning and more.

https://nmap.org/

What Do You Gain by Performing a Penetration Test?

As we continue to rely on technology in our everyday lives we must remember this interconnectivity comes with a price. The ability to access devices remotely over the Internet has created a new world of ease and freedom, which can be manipulated by malicious actors. If a device is exposed on the Internet it has the possibility of being compromised. Organizations can’t help but expose some services over the Internet; items such as VPNs, SFTPs, HTTP logins, email, APIs, etc. will require exposure to the Internet. Items such as these often become the target of a hacker. Hackers will scan the Internet looking for specific known ports containing exposed running services, which can be exploitable. Hackers will eventually find the services you’re hiding and will test your defenses. How will your perimeter defenses hold up against any possible attacks?

Organizations can take steps to protect themselves against hackers and make their environment unappetizing for any attacker. Testing systems through vulnerability scanning is now a common practice which companies utilize to gain meaningful insight regarding both their internal and external postures. These vulnerability scans are high-level automated scans that provide information regarding the versioning of systems, identify exposed services and determine the associated risk of those findings. A vulnerability scan can help an organization determine if their configurations are following best practices and if system patching is occurring regularly. New vulnerabilities are discovered every day, and once a discovery is reported the specific software or hardware vendor must scramble to remediate the issue through a patch and push those patches out to its clients. If a patch is not applied and the vulnerability exists, it creates a possible vector for a hacker to pinpoint. This is where a vulnerability scan and a Penetration test begin to diverge.

A Penetration test can utilize information obtained from vulnerability scans and additional probing with the goal of discovering possible exploits. After vulnerabilities are discovered a hacker will plan and begin executing different exploits against those detected vulnerabilities. A Penetration test will provide the organization with a live assessment of real-world techniques to obtain unauthorized access into your network.

During a Penetration test, an ethical hacker will review and plan a course of action to perform exploits and test different perimeter defenses. Additional tactics such as social engineering to obtain user access are also common practices, which can be included in a Penetration test. Often an attacker will spray an organization with fraudulent emails attempting to either inject malware into the company network or trick the user into entering their network credentials into a malicious site, from which they are sent directly to the attacker. According to the Verizon Data Breach Investigations Report 2017, 90% of all incidents and breaches included a phishing element. [i]

Once a hacker has obtained a user’s credentials, the next step will be to access the network and pivot. Once access is obtained, the hacker will attempt to pivot access to different systems along with obtaining administrator-level credentials for further access into the network. If administrator credentials are obtained, an attacker can create several different backdoors back into the organization, which can be extremely difficult to detect.

The type of Penetration test required will need to be decided by each organization. There are different types of Penetration testing, which include web application testing, internal testing (simulated insider threat) and external testing. Web application Penetration testing will test an application for weakness in several different ways. An internal Penetration test could simulate an insider threat. This attack could originate from a remote user’s credentials being compromised, providing VPN access to a hacker. In this scenario, the attacker has access to the internal network but must bypass any internal controls to access sensitive systems. The last type of attack is an external attack, which is the most common. This type of attack simulates a hacker with no knowledge of your infrastructure attacking only the external addresses provided for testing and attempting to breach the internal network.

Ethical hackers will simulate a real-life attack scenario as closely as possible. Utilizing Penetration testing will only strengthen your organization’s security posture. The findings from a Penetration test can provide valuable insight for an IT or InfoSec department to add additional risk levels to correctable items or create new additional risk for unrealized discoveries. As interoperability continues to grow, the risk of the Healthcare space attracting more hackers will only continue. While companies grapple with difficult issues such as managing 3rd party access and tracking, the prevalence of remote access workers and the constant threat of human error will only increase the probability of creating vulnerabilities that a hacker can and will eventually exploit. It’s important to stay a step ahead of all the scary things which lurk on the Internet.

Organizations must face the reality that hackers are out there searching for their next victim. In 2019, the publication Recorded Future reported on the 100th publicly reported state or local government hit with a ransomware attack.[ii] These types of numbers are alarming and should motivate every organization to bolster its Information Security budgets not only for better defenses but also for security awareness training.


[i] https://www.phishingbox.com/downloads/Verizon-Data-Breach-Investigations-Report-DBIR-2017.pdf

[ii] https://www.recordedfuture.com/state-local-government-ransomware-attacks-2019/