Monday, May 28, 2018

Weekly Security Round-Up: May 21, 2018 – May 25, 2018

It was an eventful week on the Information Security front. Most notably, we saw warnings that Russia was preparing an enormous attack on Ukraine using a massive botnet of compromised routers and other IoT devices. Anyone who watched the UEFA Champions League final in Kiev over the weekend should be thankful the FBI stepped in and seized the botnet's command-and-control domain before the destructive payload could be triggered. See below for some of the notable InfoSec events from the past week.

Malware attributed to Russian state actors, named VPNFilter, has infected hundreds of thousands of home and small-office routers and NAS devices. It carries a module that can render the infected device unusable, so a coordinated trigger could incapacitate a substantial portion of Ukraine's Internet infrastructure. If you own a consumer router, reboot it, apply the latest firmware and change the default credentials; a factory reset is the only way to fully remove the persistent stage of the infection.

Malicious actors, including those behind the SamSam and CryptON ransomware strains, are still actively and easily compromising machines through RDP exposed to the Internet with weak or reused credentials. If you want to avoid the pain and cost of ransomware remediation, close any ports you do not need to expose and, for RDP in particular, put it behind a VPN with multi-factor authentication or, at the very least, restrict access to specific source IP addresses.

A malicious actor made over $18 million by combining two attacks against exchanges trading the Bitcoin Gold cryptocurrency: a 51% attack, in which the attacker controlled a majority of the network's mining power, and the double-spend attack it enabled, in which deposits made at exchanges were reversed by publishing a longer private chain after the attacker had already withdrawn other currency. This is a notable event, since a 51% attack undermines the core assumption of a proof-of-work blockchain, namely that mining power is distributed widely enough that no single party controls a majority of it.
https://www.bleepingcomputer.com/news/security/hacker-makes-over-18-million-in-double-spend-attack-on-bitcoin-gold-network/ 

Mozilla is rolling out two-step authentication for Firefox Accounts, using time-based one-time codes from an authenticator app such as Google Authenticator. For anyone who syncs browser settings, bookmarks and saved passwords across multiple devices, a second factor is a must: the account password alone otherwise protects everything in Sync, including those stored passwords.

The General Data Protection Regulation (GDPR) officially took effect on Friday, May 25, 2018. Adhering to it is critical for any organization that collects personal data on individuals in the European Union, wherever the organization itself is located. Under the GDPR, personal data includes items such as names, physical addresses, IP addresses and cookie identifiers. If you suspect you may need to comply, I encourage you to reach out to an organization that can guide you through the process.



Tuesday, March 13, 2018

Risk Assessments: What Are They and Why Are They Important?

What is a risk assessment? A risk assessment is one of the most important components of a sound and robust cybersecurity program. A well conducted risk assessment will help an organization identify where they are most vulnerable and will help prioritize their security tasks and deployment of available resources. Before delving into the ins-and-outs of risk assessments, an important distinction needs to be made. What is the difference between a risk assessment and an audit?
The terms “risk assessment” and “audit” are often used interchangeably, but treating them as the same thing is a common misconception. According to ISACA, risk assessments “are used to identify those items or areas that present the highest risk, vulnerability or exposure to the enterprise for inclusion in the IS annual audit plan.” Conversely, ISACA defines an audit as a “formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met.”
To put it simply, a risk assessment is an overview of the technical, physical and administrative controls being implemented by an organization, with the goal of identifying areas of risk for the organization. An audit on the other hand, is an in-depth review and test of the technical, physical and administrative controls being implemented by an organization, with the goal of determining whether an organization’s controls are being implemented effectively and functioning as intended.
Risk assessments may be conducted for several reasons. In many cases, a risk assessment is required for an organization to maintain compliance with a regulation or standard; HIPAA, PCI DSS, DFARS, GDPR and New York’s DFS cybersecurity regulation (23 NYCRR 500) all require one, among many others. Additionally, organizations often conduct risk assessments for the sole purpose of identifying gaps in their security, with the hope of building a stronger security posture.
Now that we have identified what a risk assessment is, let’s discuss its key components. The core of any risk assessment is to identify all the business processes, information systems and services that are within the scope of the assessment. For many organizations, every aspect of their environment will be in scope. For other organizations, only a subset of their environment will be within the scope of an assessment. This is a critical step, as it will help prioritize how and where resources are utilized to conduct the assessment. The scope of a risk assessment is typically determined by the regulation, standard or other purpose for which the assessment is being conducted.
Once the scope of the assessment has been identified, the next step is to assess the pertinent technical, physical and administrative controls being implemented by the organization. The goal of this step is to identify areas of risk and vulnerabilities that exist within the organization’s environment, despite the currently implemented controls. This step is critical, as it will determine the overall risk level for the organization.
Once areas of risk and vulnerabilities have been identified, the next step is to assign a risk value to each identified risk. Risk values are determined by weighing the impact an exploited vulnerability would have on the organization against the likelihood of the vulnerability being exploited given the currently implemented controls (the residual likelihood). For example, a vulnerability that would have a severe impact on the organization if exploited, but has a low likelihood of being exploited, may receive a risk value of “Medium”.
Once all areas of risk and vulnerabilities have been assigned a risk value, an overall risk level for the organization can be determined. By assigning risk values to all identified risk areas and vulnerabilities, an organization can prioritize its remediation process. For example, an organization may allocate all available resources to mitigating and resolving all “High” level risks first, saving all “Low” level risks for last.
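The scoring and prioritization steps above, as an added example that is not part of the original post: the 3x3 likelihood/impact matrix is an assumed convention rather than a mandated scale, the “overall risk equals the highest residual risk” rule is likewise an assumption, and the findings are constructed for a fictional environment.

```python
"""Qualitative risk scoring for the assessment steps described above.

Added example, not taken from the original post. It assumes a 3x3
likelihood/impact matrix (a common convention, not a mandated scale) and
a constructed list of findings.
"""
from dataclasses import dataclass

# Ordinal value of each rating, used for sorting and for the overall level.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}

# Assumed matrix: RISK_MATRIX[likelihood][impact] -> risk value.
# Likelihood is the residual likelihood, i.e. given the controls in place.
RISK_MATRIX = {
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "High":   {"Low": "Medium", "Medium": "High",   "High": "High"},
}


@dataclass(frozen=True)
class Finding:
    name: str
    likelihood: str   # "Low" | "Medium" | "High", given current controls
    impact: str       # "Low" | "Medium" | "High" if the weakness is exploited


def risk_value(likelihood: str, impact: str) -> str:
    """Look up the risk value; reject ratings outside the agreed scale."""
    try:
        return RISK_MATRIX[likelihood][impact]
    except KeyError:
        raise ValueError(
            f"unknown rating: likelihood={likelihood!r}, impact={impact!r}"
        ) from None


def prioritize(findings):
    """Return (finding, risk value) pairs, highest risk first.

    sorted() is stable, so findings with equal risk keep their input order.
    """
    scored = [(f, risk_value(f.likelihood, f.impact)) for f in findings]
    return sorted(scored, key=lambda pair: LEVELS[pair[1]], reverse=True)


def overall_risk(findings) -> str:
    """Overall level for the organization: the highest residual risk found.

    Taking the maximum is a conservative convention (an assumption here);
    some methodologies average or weight instead.
    """
    values = [risk_value(f.likelihood, f.impact) for f in findings]
    return max(values, key=LEVELS.__getitem__) if values else "Low"


def count_by_level(findings) -> dict:
    """Number of findings at each level, for the summary section of a report."""
    counts = {level: 0 for level in LEVELS}
    for _, value in prioritize(findings):
        counts[value] += 1
    return counts


# Constructed findings for a small fictional environment.
SAMPLE_FINDINGS = [
    Finding("RDP exposed to the Internet without MFA", "High", "High"),
    Finding("Backups never restore-tested", "Medium", "High"),
    Finding("No automatic screen-lock policy", "Medium", "Low"),
    Finding("Unpatched file server on an isolated VLAN", "Low", "High"),
]

if __name__ == "__main__":
    for finding, value in prioritize(SAMPLE_FINDINGS):
        print(f"{value:6}  {finding.name}")
    print("overall:", overall_risk(SAMPLE_FINDINGS), count_by_level(SAMPLE_FINDINGS))
```

The matrix encodes the post's example directly: a "Low" likelihood combined with a "High" impact lands on "Medium". Because the lookup rejects any rating outside the agreed scale, a finding rated "Critical" by one assessor cannot silently skew the overall level.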
Performing risk assessments can be a cumbersome process, but they will benefit any organization in many ways. Risk assessments will help improve an organization’s understanding of their environment, which can help improve business processes and overall operational efficiency. While this process may seem like a daunting task, there are many organizations that pride themselves on performing top-level risk assessments for a wide-range of regulations, standards and general business needs.

Wednesday, February 21, 2018

One of the Best Security Resources for InfoSec Professionals of All Skill Levels


If you haven't heard of The Many Hats Club, then you are missing out. It is by far one of the most useful resources for InfoSec professionals of all skill levels and highlights the tremendous InfoSec community that exists around the world. There are numerous channels with content for everyone: social engineering (SE), coding, even a channel for InfoSec jobs. If you are an InfoSec professional, then you need to be part of The Many Hats Club. Check it out.

https://themanyhats.club


Monday, February 19, 2018

Is Destructive Malware Slowly Becoming a Common Trend?

Ask any end user or general IT administrator which cyber-attack they fear most and there is a good chance they will answer “Ransomware”. I would argue that any IT administrator worth their paycheck should not fear ransomware: a robust backup plan, a tested and proven incident response/recovery plan and an IT staff with a sound understanding of their own environment should allow a smooth and efficient recovery. What I would fear, given a growing trend, are the purely malicious and cruel “destructive malware” attacks, where data is wiped outright and there is nothing to pay for and nothing to decrypt.
Some notable destructive malware attacks include NotPetya in June 2017 (which posed as ransomware but could not restore files even when the ransom was paid), a recent attack on a California voter database and, most notably, the Olympic Destroyer data-wiping malware that caused havoc at this year’s Winter Olympic Games. These attacks, NotPetya and Olympic Destroyer especially, caused a lot of frustration for those affected and, in the case of NotPetya, large monetary losses. While the motivation of the actors behind these attacks is easy to understand (political in many cases), they are also a scary sign of what the future may hold.
It is abundantly clear that many organizations do not implement the security controls or policies required to protect themselves from malicious cyber-attacks. When non-nation-state and low-skill actors start spreading destructive malware more frequently, any organization that does not maintain a strong security posture will surely experience tremendous frustration, significant monetary losses and possibly the agony of closing its doors.
If you’re reading this and feel your organization lacks the necessary security controls to properly protect yourselves from destructive malware, Ransomware or other cyber-attacks, the following list may help.
NOTE: In no way is this meant to be an all-inclusive list. I, as well as any other security professional, can write an entire book on recommended steps for securing your organization. This list is meant to provide a very basic overview of recommended steps for beginning the process of securing your organization.
Basic Steps for Securing Your Organization
  • Lock down your external exposure.
    • Open network ports externally only if they are required for your organization to properly function.
    • Any systems that need to be publicly exposed should be placed in a DMZ.
  • Ensure your systems are up-to-date on all critical system and security patches.
  • Ensure your systems are protected by up-to-date and properly functioning anti-malware/virus protection.
  • Ensure your users are properly trained on how to utilize their email, web and other resources safely and securely.
  • Implement a robust backup solution that allows you to quickly and efficiently recover from a cyber-incident or system failure.
  • Develop an incident response/recovery plan for an organized and efficient response to any cyber-incident or other business interrupting event.
  • Conduct a risk assessment.
    • If possible, have a third-party conduct the risk assessment.
    • Identifying where your organization is most vulnerable will help prioritize your security tasks and deployment of available resources.
  • Lock down user permissions.
    • Lock down local administrators across your organization to only the necessary administrator accounts.
    • Lock down the domain admins group to only the necessary administrator accounts.
    • Create separate admin and non-admin accounts for users who need administrator-level access.
  • Limit the use of removable media devices on your organization’s systems.
  • Implement application control across your organization, ideally allow-listing approved applications rather than merely black-listing known insecure ones.

Federal Standard Should Be Implemented Across All Industries

Becoming a Department of Defense (DoD) contractor is no easy task. While your organization may be great at what it does, there are hundreds, if not thousands, of other organizations vying for the same contracts. The DoD also has a simple way of thinning that field to a reasonable number: a regulation called DFARS.
DFARS stands for Defense Federal Acquisition Regulation Supplement. To put it simply, DFARS is a government regulation that requires DoD government officials and their associated contractors to follow Department of Defense specific acquisition regulations when engaging in the procurement process for goods and services.  
While DFARS is lengthy on its own, the driving force causing so many contractors to scramble is the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. This standard provides guidance on protecting Controlled Unclassified Information (CUI) in nonfederal information systems and organizations. By December 31, 2017, any DoD contractor subject to the DFARS safeguarding clause (252.204-7012) must also have implemented the security requirements outlined in NIST SP 800-171.
As DoD contractors rush to implement NIST’s standard and submit any necessary paperwork to the DoD before the end of 2017, other industries should be taking notice. While the NIST SP 800-171 standard was developed for nonfederal information systems, it serves as a well-structured, fundamental framework for securing information systems across most, if not all industries.  
The SP 800-171 standard requires organizations to implement basic security controls, such as password and automatic screen-lock policies, as well as more advanced controls, such as multi-factor authentication for network and local access to information systems. While some security requirements may be overkill and unnecessary for most organizations, much of the SP 800-171 standard should serve as a guiding light for any organization that values the confidentiality, integrity, and availability of their information systems, their data, and their clients’ data. 
Since most regulatory standards fail to require the administrative, physical and technical controls that make up a solid information technology and cybersecurity foundation, we often base our assessments on the SP 800-171 security requirements in addition to the requirements of whichever regulatory standard the assessment is being conducted for. This allows us to provide our clients with the information, guidance and skills required to keep their overall security posture strong despite a constantly shifting threat landscape.
To all the DoD contractors out there, I know it is no easy task to comply with everything the government can throw at you. To all other organizations, especially those who have never conducted an assessment, I recommend reviewing the SP 800-171 standard, and conducting a risk assessment. A well conducted risk assessment can be an eye-opening experience and will allow you to further enhance your overall security posture, thus helping to ensure continued regulatory compliance.

Who’s Really to Blame for Compromised Passwords?

When a password is compromised and ultimately leads to a breach, whose fault is it? Most people would place the blame on the employee whose password was compromised and argue that they failed to create a strong and secure password. On the other hand, blame could be placed squarely on the shoulders of the IT administrator who failed to properly train their employees on the proper and recommended password standards.
The National Institute of Standards and Technology (NIST) has become a primary source of security standards and frameworks, used across industries as well as by the federal government. As a result, when NIST develops a new standard or updates an existing one, technology professionals do, and should, take notice.
In June 2017, NIST published SP 800-63-3, Digital Identity Guidelines. This Special Publication and its three companion documents set new standards for authentication, identity proofing and federation, among other topics. One of the companions, SP 800-63B Digital Identity Guidelines: Authentication and Lifecycle Management, contains a section detailing the requirements for “Memorized Secrets” (i.e., passwords).
The following is a summary of some of the NIST requirements for Memorized Secrets (SP 800-63B, section 5.1.1):
  • Must be of sufficient complexity and secrecy that it is impractical for an attacker to guess or otherwise discover the correct value.
  • Shall be at least 8 characters in length if chosen by the subscriber (at least 6 if generated randomly by the verifier).
  • Verifiers should impose NO OTHER composition rules (required mixtures of character types, bans on repeated characters and the like); length is the only requirement.
  • Verifiers (the party checking the secret) should permit subscriber-chosen (the party being authenticated) secrets of at least 64 characters in length.
  • All printing ASCII characters and the space character should be accepted; Unicode characters should be accepted as well.
  • Verifiers shall compare candidate secrets against a list of commonly used, expected or previously compromised values and reject any match.
  • Verifiers should not require the secret to be changed periodically, but shall force a change if there is evidence of compromise.
We believe the minimum acceptable password length should be 12 to 16 characters, but NIST’s emphasis on length over composition is well founded. Consider the number of possible passwords for a given character set. A 16-character password using only uppercase and lowercase letters has 52^16 = 2,857,942,574,656,970,690,381,479,936 possibilities. An 8-character password drawn from uppercase and lowercase letters, digits and the 32 printing special characters, a 94-character set, has only 94^8 = 6,095,689,385,410,816 possibilities; the longer, simpler password has a keyspace roughly 469 billion times larger. Finally, a passphrase that is easy for its owner to remember, such as “IlovedSummer2016morethananything!”, is 33 characters drawn from that same 94-character set, for 94^33 possibilities, a number too long to be fully displayed on a calculator screen.
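The verifier-side rules listed above and the keyspace arithmetic in the previous paragraph, as an added example that is not code from the original post: the acceptance checks follow SP 800-63B section 5.1.1, while the blocklist contents, the case-insensitive blocklist match and the guess rate of 10^11 per second used for the brute-force estimate are constructed assumptions.

```python
"""Verifier-side checks for memorized secrets plus the keyspace arithmetic
from the post.

Added example, not taken from the original post. The acceptance rules follow
NIST SP 800-63B section 5.1.1; the blocklist contents and the guess rate used
for the brute-force estimate are constructed assumptions.
"""
import math
import string
import unicodedata

# Constructed stand-in for a real breached-password list. 800-63B requires a
# verifier to reject candidates found on such a list; a production list holds
# hundreds of millions of entries and is usually queried by hash.
BLOCKLIST = {"password", "password1", "qwerty123", "letmein", "summer2016"}


def check_memorized_secret(secret: str, min_len: int = 8, max_len: int = 64):
    """Return (accepted, reason) for a subscriber-chosen secret.

    Only length, printability and the blocklist are checked: 800-63B says no
    other composition rules (mixed case, digits, symbols) should be imposed.
    """
    if max_len < 64:
        raise ValueError("800-63B: verifiers should permit at least 64 characters")
    # 800-63B 5.1.1.2: normalise Unicode so equivalent input verifies the same.
    secret = unicodedata.normalize("NFKC", secret)
    if len(secret) < min_len:
        return False, f"shorter than {min_len} characters"
    if len(secret) > max_len:
        return False, f"longer than {max_len} characters"
    # Printing ASCII, the space and printable Unicode are all acceptable;
    # only control characters are rejected.
    if not all(ch.isprintable() for ch in secret):
        return False, "contains non-printing characters"
    if secret.lower() in BLOCKLIST:   # case-insensitive match is an assumption here
        return False, "found in breached-password blocklist"
    return True, "ok"


# Character classes as used in the post: string.punctuation is exactly the
# 32 printing ASCII characters that are neither letters nor digits. Space is
# added so passphrases with spaces are modelled too (an extension of the post).
CHARACTER_CLASSES = [
    ("lowercase", string.ascii_lowercase),
    ("uppercase", string.ascii_uppercase),
    ("digits", string.digits),
    ("specials", string.punctuation),
    ("space", " "),
]


def alphabet_size(secret: str) -> int:
    """Alphabet an attacker must assume, from the character classes present."""
    return sum(len(chars) for _, chars in CHARACTER_CLASSES
               if any(ch in chars for ch in secret))


def keyspace(alphabet: int, length: int) -> int:
    """Number of distinct secrets of the given length over the alphabet."""
    return alphabet ** length


def entropy_bits(alphabet: int, length: int) -> float:
    """log2 of the keyspace: bits of work for an exhaustive search."""
    return length * math.log2(alphabet)


def years_to_exhaust(alphabet: int, length: int, guesses_per_second: float) -> float:
    """Time to try every candidate at a constant offline guess rate."""
    return keyspace(alphabet, length) / guesses_per_second / (365 * 24 * 3600)


def compare(secret: str, guesses_per_second: float = 1e11) -> dict:
    """Summarise how hard a secret is to brute-force under the post's model."""
    size = alphabet_size(secret)
    return {
        "length": len(secret),
        "alphabet": size,
        "keyspace": keyspace(size, len(secret)),
        "bits": round(entropy_bits(size, len(secret)), 1),
        "years": years_to_exhaust(size, len(secret), guesses_per_second),
    }


if __name__ == "__main__":
    for candidate in ("Tr0ub4d", "P@ssw0rd", "correct horse battery staple",
                      "IlovedSummer2016morethananything!"):
        print(candidate, check_memorized_secret(candidate), compare(candidate))
```

Note that the verifier check never rewards "complexity": a 28-character lowercase passphrase with spaces passes, while an 8-character mix of every character class is accepted only because it clears the length floor and the blocklist. The `years` figure is an upper bound for exhaustive search; real attacks use wordlists and rules first, which is why the blocklist check matters more than the arithmetic.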
Despite the clear logic behind a focus on password length, rather than drilling the word “complexity” into everyone’s minds, administrators continue to ignore the new standards. For example, how many banking websites continue to limit the character length of your passwords? How many retail websites do the same and limit the special characters you are allowed to use to “!@#$%^”? If the administrators of secure entities such as banks, frequently used retail websites and other popular online institutions continue to ignore these new standards, how can we ever expect our end users to change?
As administrators, we should be placing a greater emphasis on proper end user education. We should educate our users on proper passphrase creation and demonstrate for them how easy it is to create a simple yet secure passphrase.
Until we adopt these standards and pass the knowledge on to our end users, we will continue to face the headaches of brute-forced passwords, compromised accounts, unauthorized information disclosures and the unexpected regulatory audits and breach notifications that follow.

References:

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf