- My opinions are my own. They do not reflect on my employers or my family / friends.
- Occasional salty language may be included.
- Advice is presented without warranty. InfoSec is about risk mitigation, not absolute prevention. (To be clear: You can do everything right and still get hacked.)
- This blog site will NEVER automatically ask you to install anything. If you receive a dialog or popup from this site asking you to approve any actions, please refuse and notify me immediately.
- I have four categories of posts. (This blog is primarily for non-technical folks.)
- Audience 1 – Non-technical.
- Audience 2 – Intermediate. (Tech-savvy non-IT pros.)
- Audience 3 – Advanced. (IT pros.)
- Audience 4 – InfoSec Pros.
- My cat sometimes writes in my place. Do not be alarmed.
Welcome
I have frequently posted InfoSec advice for my personal friends on Facebook, and that seems to have been relatively well-received. I have therefore decided to put my thoughts, musings, and so forth into a blog format. My audience is primarily going to be non-tech people who want to learn some basics in order to be more secure, and tech-savvy individuals or small businesses (not working in InfoTech or InfoSec) who can digest a little more technical detail. Occasionally, I might drop a more technical post, but I plan on those being relatively rare. Posts will be categorized so you know how technical it will be before you read it.
I look forward to your feedback. Let me know if you find this useful!
Rob
Reducing the risk of breaches: Opus 1 in five movements
Today I heard an interview with the leader of the InfoSec team at Anthem during the breach they experienced (the breach was disclosed in February 2015). Wikipedia page on Anthem breach. Besides being super interesting in terms of insider perspective on a major breach, the interview reinforced for me five common weaknesses in enterprise InfoSec. As these tasks usually fall to the IT staff, I have classified this post under “IT pros.”
First: You must know what is on your network: asset management is of the utmost importance. For small enterprises that lack resources this task can be particularly cumbersome – it often has to be done manually. If the enterprise is lucky enough to have asset management tools, that’s great – but IT staff has to follow through and ensure that inventories are accurate and complete. When third parties / vendors perform work which introduces new devices to the network, the new devices must be documented. (Of course, other steps follow, but for the purposes of this discussion I’m merely talking about accurate housekeeping.)
Second: A common blind spot in small to medium enterprises today is internal network activity. This lack of visibility means that adversary lateral movement post-breach will usually go undetected. I hear this question all the time: “I have perimeter security, so why do I have to worry about internal visibility?” The answer is layered security: when the perimeter is breached, there needs to be another layer of defense behind. Proper asset management and classification (see above) leads to properly segmented networks and visibility / filtering at the choke points. Endpoint agents (such as Red Cloak) are also advised.
Third: During mergers and acquisitions, enterprises are often exposed to risks (often due to political concerns) that would otherwise be untenable. When companies experience these conditions, it is important for IT staff and InfoSec pros to step forward and demand processes that result in the most secure environment possible. M&A always results in a mesh of technologies and processes, but it should be the best possible combination of both. The first step is for each organization to fully disclose to the other all of the necessary information – and that begins with proper asset management (see above). It is usually advisable to filter traffic between the two organizations until a consensus can be found on processes. However, without buy-in from upper management, filtering can be off the table. That buy-in is important – which leads me to my next point.
Fourth: Many breaches occur through third parties, vendors, and other improperly secured connections (such as those in an M&A). In particular, the Target breach and the Anthem breach occurred due to weaknesses in this area. Secure the connections and the access – proper firewalling and IAM are important. Always use least privilege when assigning access rights. Monitor these connections judiciously – at the perimeter and internally.
Fifth: Use a true MFA solution for remote access to your network, and insist that third-parties with direct access to your network also use true MFA. (This can extend to multiple layers – what if the third party has a vendor with direct remote access? – so due diligence can be challenging. ALL remote access should be behind some sort of MFA.) Obviously – yes – MFA can be defeated by a diligent adversary. But phishing creds and using creds for VPN access is still an all-too-common method of attack. This is basic. Don’t be the low-hanging fruit.
Stay safe out there, my droogies.
Comments are welcome!
I was going to talk to my friends in HR, but …
… it’s not quite the season yet.
So, instead, I am making a general recommendation.
Never respond to emails that request sensitive information (personal, business, or otherwise) without verifying the identity and the legitimacy of the requesting party. This means picking up the phone and calling the requester using a known good contact phone number (you can’t trust information in the email.)
This post was prompted by thoughts of HR folks seeing phishing emails requesting W-2 information. In case I forget to post about it in January: HR types need to be particularly phishing-aware. If your boss or CEO or President wants to see all your W-2 info – well, yeah, that deserves a phone call before you reply.
Good luck out there!
Phishing defense
Phishing defense is hard. We all know it. But it is easy to overreact as IT and InfoSec pros intent upon protecting our respective organizations.
Awareness training is necessary but is only effective to a point. You should plan on a certain failure rate and layer your technical defenses appropriately. A 20% failure rate on phish testing is typical, and if you come in below 20% you’re doing an exceptional job training them (or have exceptional users.)
Some negative side-effects of overly aggressive phishing awareness programs are:
- Users who delete any email with a link or attachment.
- Some users who are simply too afraid to use email at all.
- Users who won’t report clicked phishes to IT.
There are other examples. The three presented here represent lost productivity, and, in the case of number 3, a negative security impact.
I have clients who choose negative reinforcement as a response to user phishing failures. One, notably, tacked up a printout of a fish in the work space of any employee who failed the company’s periodic phishing tests.
Cute. But not productive.
From a security standpoint, it is most important that a user who clicks a phish reports that click to IT as soon as they realize what has happened. Attaching negative consequences to phish test failures or phish clicks in general reduces the report rate dramatically.
I have also seen organizations who try positive reinforcement, such as rewards for reporting phishing emails, clicks, and so on. These programs also tend to fail. Users will phish themselves or click intentionally and then report in order to get the rewards.
Layer your technical defenses. Do not expect your users to become InfoSec pros. Plan on failure.
And do not phish-shame your users.
Uh, Apple? Is that you?
Apple’s generally strong history of good security practices makes the recently disclosed “root security bug” surprising indeed. If you have a Mac and you haven’t heard about this bug, haven’t patched lately, and are running MacOS High Sierra 10.13, you will want to perk up and read on.
As vulnerabilities go, this is bad. Really bad. This is especially true if you have any data on your Mac that you might consider confidential. Here’s one example of how it works: When attempting to change system settings you are prompted to enter your password to confirm the change. On a vulnerable system, you need only type “root” in the user name field and leave the password blank and you will be authenticated. (Root is the system administrator account on Linux, the OS on which MacOS is built – the use of root on Macs is rarely needed.) Using root/blank password in this way also works in several other scenarios, including for remote desktop access if you have it enabled.
About 18 hours after the bug was disclosed (irresponsibly, I might add, on Twitter – but that is another rant) Apple issued a patch. BUT – and here’s the “wtf, Apple” moment – if you were running High Sierra 10.13, applied the patch, and subsequently updated High Sierra to 10.13.1, the patch broke, the bug was back, and you were vulnerable again. The patch needed to be applied AGAIN and the system rebooted for the patch to take effect. Oh, and the patch didn’t tell you that you had to reboot.
So much pooch-screwing. Man.
So if you have a Mac and you have auto-updates turned on (you probably should) then you are most likely already patched up to 10.13.1 along with the security patch (Security Update 2017-001). You can verify this by doing the following.
From the Apple menu in the corner of your screen, choose About This Mac. The version of your operating system appears beneath “macOS” or “OS X” in the window that opens.
You can also attempt to reproduce the bug as described above. It might take a few clicks with root/blank password – but if you are unable to authenticate after several tries, then you’re all good.
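For IT pros who look after more than one Mac, here is an added example (not part of the original post) that turns the version check above into a script and also catches the re-apply case described earlier: Security Update 2017-001 installed on 10.13, then a 10.13.1 upgrade landing on top of it. The decision logic takes the product version and the install history as plain text, so it can be exercised off-line on constructed input; on a real Mac the script reads the live values. Two things are assumptions to verify on your own machine: that `system_profiler SPInstallHistoryDataType` prints each entry name as a four-space-indented line ending in a colon, and that its entries come out oldest first.

```shell
#!/bin/sh
# Added example, not from the original post: does this High Sierra Mac still
# need Security Update 2017-001?  Inputs are kept as plain text so the logic
# can be tested off-line:
#   1. macOS product version, e.g. "10.13.1"   (live: sw_vers -productVersion)
#   2. install history, one update name per line, OLDEST FIRST
#      (live: extracted from system_profiler; layout and ordering are assumed)

# patch_state VERSION HISTORY -> prints exactly one word:
#   not-high-sierra : not 10.13.x, so the bug described in the post does not apply
#   update-missing  : 10.13.x and Security Update 2017-001 never installed
#   reapply-needed  : the update was installed, but a 10.13.1 upgrade came later
#   patched         : the update is the most recent relevant event
patch_state() {
  version="$1"
  history="$2"
  case "$version" in
    10.13|10.13.*) ;;
    *) echo "not-high-sierra"; return 0 ;;
  esac
  # Line numbers of the most recent matching entries; 0 when absent.
  last_patch=$(printf '%s\n' "$history" | grep -n 'Security Update 2017-001' \
               | tail -n 1 | cut -d: -f1)
  last_upgrade=$(printf '%s\n' "$history" | grep -n '10\.13\.1' \
               | tail -n 1 | cut -d: -f1)
  last_patch=${last_patch:-0}
  last_upgrade=${last_upgrade:-0}
  if [ "$last_patch" -eq 0 ]; then
    echo "update-missing"
  elif [ "$last_upgrade" -gt "$last_patch" ]; then
    echo "reapply-needed"
  else
    echo "patched"
  fi
}

# Constructed install histories (oldest entry first) used for the demo run.
HIST_REAPPLY='Security Update 2017-001
macOS 10.13.1 Update'
HIST_OK='Security Update 2017-001
macOS 10.13.1 Update
Security Update 2017-001'

echo "constructed 10.13.1, patch then upgrade : $(patch_state 10.13.1 "$HIST_REAPPLY")"
echo "constructed 10.13.1, patch re-applied   : $(patch_state 10.13.1 "$HIST_OK")"
echo "constructed 10.13, nothing installed    : $(patch_state 10.13 "")"

# Live check, only when actually running on a Mac.
if [ "$(uname -s)" = "Darwin" ]; then
  live_version=$(sw_vers -productVersion)
  # ASSUMPTION: entry names are the 4-space-indented lines ending in ':'.
  live_history=$(system_profiler SPInstallHistoryDataType 2>/dev/null \
                 | sed -n 's/^ \{4\}\([^ ].*\):$/\1/p')
  echo "this Mac ($live_version): $(patch_state "$live_version" "$live_history")"
fi
```

A result of `reapply-needed` means exactly what the post describes: install Security Update 2017-001 again and reboot. Because the live extraction depends on the `system_profiler` layout, compare its output against the GUI check (About This Mac) the first time you use it.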
I am an advocate for engaging auto-updates whenever possible, including auto-updating third party applications like Adobe Reader, Java, etc. There’s almost no downside to doing this if you are an average home user.
Here’s how to turn on auto-updates on a Mac running Sierra. The process should be very similar for all recent versions of MacOS.
Choose Apple menu > System Preferences, then click App Store.
Select “Automatically check for updates.”
To have your Mac download updates without asking, select “Download newly available updates in the background.”
To have your Mac install app updates automatically, select “Install app updates.”
To have your Mac install macOS updates automatically, select “Install macOS updates.”
To have your Mac install system files and security updates automatically, select “Install system data files and security updates.”
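For anyone maintaining several Macs, here is an added example (not from the original post) that audits the same five checkboxes from the command line instead of clicking through System Preferences. It assumes the mapping between the checkboxes and the preference keys they write, which is drawn from common Mac administration practice and should be verified against Apple's documentation for your macOS version: `AutomaticCheckEnabled`, `AutomaticDownload`, `ConfigDataInstall` and `CriticalUpdateInstall` in `/Library/Preferences/com.apple.SoftwareUpdate`, and `AutoUpdate` and `AutoUpdateRestartRequired` in `/Library/Preferences/com.apple.commerce`. The script only reads settings; it changes nothing.

```shell
#!/bin/sh
# Added example, not from the original post: read-only audit of the five
# App Store auto-update checkboxes.  Key names below are an ASSUMED mapping;
# check them against Apple's documentation before relying on the result.
# Run on the Mac as an administrator:  sudo sh audit_auto_updates.sh

# read_pref DOMAIN KEY -> the stored value, or 0 when the key is absent
read_pref() {
  defaults read "$1" "$2" 2>/dev/null || echo 0
}

# is_on VALUE -> exit 0 when a value returned by `defaults read` means enabled
is_on() {
  case "$1" in
    1|true|TRUE|yes|YES) return 0 ;;
    *) return 1 ;;
  esac
}

# unchecked_boxes CHECK DOWNLOAD APPS MACOS CONFIGDATA CRITICAL
# Prints the label of every checkbox that is still off, in the order the
# post lists them; prints nothing when all five are on.  The fifth checkbox
# corresponds to two keys, so both must be on for it to count as checked.
unchecked_boxes() {
  is_on "$1" || echo "Automatically check for updates"
  is_on "$2" || echo "Download newly available updates in the background"
  is_on "$3" || echo "Install app updates"
  is_on "$4" || echo "Install macOS updates"
  { is_on "$5" && is_on "$6"; } || echo "Install system data files and security updates"
}

# Live audit, only when actually running on a Mac.
if [ "$(uname -s)" = "Darwin" ]; then
  SU=/Library/Preferences/com.apple.SoftwareUpdate
  COMMERCE=/Library/Preferences/com.apple.commerce
  missing=$(unchecked_boxes \
    "$(read_pref "$SU" AutomaticCheckEnabled)" \
    "$(read_pref "$SU" AutomaticDownload)" \
    "$(read_pref "$COMMERCE" AutoUpdate)" \
    "$(read_pref "$COMMERCE" AutoUpdateRestartRequired)" \
    "$(read_pref "$SU" ConfigDataInstall)" \
    "$(read_pref "$SU" CriticalUpdateInstall)")
  if [ -z "$missing" ]; then
    echo "All five auto-update options are on."
  else
    echo "Still unchecked in System Preferences > App Store:"
    echo "$missing"
  fi
fi
```

Each label printed is one of the checkboxes from the steps above that still needs to be selected. Preference keys read back as 0 when they have never been set, which is why a fresh install reports every box as unchecked until the user (or an MDM profile) turns them on.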