Wednesday, February 21, 2018

One of the Best Security Resources for InfoSec Professionals of All Skill Levels


If you haven't heard of The Many Hats Club, you are missing out. It is by far one of the most useful resources for InfoSec professionals of all skill levels and shows off the tremendous InfoSec community that exists in the world. There are numerous channels with content for everyone: SE, coding, even a channel for InfoSec jobs. If you are an InfoSec professional, you need to be part of The Many Hats Club. Check it out.

Https://themanyhats.club


Monday, February 19, 2018

Is Destructive Malware Slowly Becoming a Common Trend?

Ask any end user or general IT administrator which cyber-attack they fear most, and there is a good chance the answer will be "Ransomware". I would argue that any IT administrator worth their paycheck should not fear ransomware. A robust backup plan with copies the malware cannot reach, a tested and proven incident response/recovery plan, and an IT staff with a sound understanding of their own environment should allow for a smooth and efficient recovery. What I would fear, based on a growing trend, is the purely malicious and cruel category of "destructive malware" attacks.
Some notable destructive malware attacks include the NotPetya attack from June 2017, a recent attack on a California voter database and most notably the Olympic Destroyer data-wiping malware that has caused havoc at this year’s Winter Olympic Games. These attacks, especially the NotPetya and Olympic Destroyer attacks, have caused a lot of frustration for those affected, and in the case of NotPetya, large monetary losses. While it is easy to understand the motivation for the actors behind these attacks (politically motivated in a lot of cases), it is also a scary sign of what the future may hold.
It is abundantly clear that a lot of organizations do not implement the necessary security controls or policies required to protect themselves from malicious cyber-attacks. When non-nation state actors and low-level actors decide to start spreading destructive malware with more frequency, any organization that does not maintain a strong security posture will surely experience tremendous frustration, significant monetary losses and possibly the agony of shutting their doors.
If you’re reading this and feel your organization lacks the necessary security controls to properly protect yourselves from destructive malware, Ransomware or other cyber-attacks, the following list may help.
NOTE: In no way is this meant to be an all-inclusive list. I, as well as any other security professional, can write an entire book on recommended steps for securing your organization. This list is meant to provide a very basic overview of recommended steps for beginning the process of securing your organization.
Basic Steps for Securing Your Organization
  • Lock down your external exposure.
    • Open network ports externally only if they are required for your organization to properly function.
    • Any systems that need to be publicly exposed should be placed in a DMZ.
  • Ensure your systems are up-to-date on all critical system and security patches.
  • Ensure your systems are protected by up-to-date and properly functioning anti-malware/virus protection.
  • Ensure your users are properly trained on how to utilize their email, web and other resources safely and securely.
  • Implement a robust backup solution that allows you to quickly and efficiently recover from a cyber-incident or system failure. Keep at least one copy offline or otherwise isolated from the production network, and test restores regularly: a backup that has never been restored is not a proven backup.
  • Develop an incident response/recovery plan for an organized and efficient response to any cyber-incident or other business interrupting event.
  • Conduct a risk assessment.
    • If possible, have a third-party conduct the risk assessment.
    • Identifying where your organization is most vulnerable will help prioritize your security tasks and deployment of available resources.
  • Lock down user permissions.
    • Lock down local administrators across your organization to only the necessary administrator accounts.
    • Lock down the domain admins group to only the necessary administrator accounts.
    • Create separate admin and non-admin accounts for users who need administrator-level access.
  • Limit the use of removable media devices on your organization’s systems.
  • Implement application control across your organization: allow-list the applications your users need and block everything else. A block-list of known-bad applications is a weaker fallback, since it cannot stop a tool it has never seen.
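The permission lock-down items above are easy to state and hard to keep true over time; accounts drift into local Administrators one help-desk ticket at a time. The following Python script is an added example, not something from the original post: it parses the text that `net localgroup Administrators` prints (collected from each host by whatever inventory mechanism you already have), compares membership against a per-role baseline, and emits the `net localgroup ... /delete` command for each unexpected member. The hostnames, the CORP domain, the accounts, the group names and the SRV-* naming convention are all constructed for the example.

```python
from __future__ import annotations

# The fixed text `net localgroup Administrators` wraps around the member list.
HEADER = (
    "Alias name     Administrators\n"
    "Comment        Administrators have complete and unrestricted access to the computer/domain\n"
    "\n"
    "Members\n"
    "\n"
    "-------------------------------------------------------------------------------\n"
)
FOOTER = "The command completed successfully.\n"


def fake_net_output(*members: str) -> str:
    """Build constructed `net localgroup Administrators` output for the sample."""
    return HEADER + "".join(m + "\n" for m in members) + FOOTER


# Constructed inventory: output as collected from three hypothetical hosts.
COLLECTED = {
    "WS-FIN-01": fake_net_output("Administrator", "CORP\\Domain Admins",
                                 "CORP\\WorkstationAdmins", "CORP\\jsmith"),
    "WS-HR-02": fake_net_output("Administrator", "CORP\\Domain Admins",
                                "CORP\\WorkstationAdmins"),
    "SRV-FILE-01": fake_net_output("Administrator", "CORP\\Domain Admins",
                                   "CORP\\svc_backup"),
}

# Baseline per host role, lower-cased for case-insensitive comparison.
# Separate admin groups per tier keep workstation admins off the servers.
APPROVED = {
    "workstation": {"administrator", "corp\\domain admins", "corp\\workstationadmins"},
    "server": {"administrator", "corp\\domain admins", "corp\\serveradmins"},
}


def role_of(host: str) -> str:
    """Hypothetical naming convention: SRV-* hosts are servers, the rest workstations."""
    return "server" if host.upper().startswith("SRV-") else "workstation"


def parse_net_localgroup(text: str) -> list[str]:
    """Return the member lines between the dashed rule and the closing status line."""
    members: list[str] = []
    in_members = False
    for line in text.splitlines():
        if line.startswith("----"):
            in_members = True
            continue
        if line.startswith("The command completed"):
            break
        if in_members and line.strip():
            members.append(line.strip())
    return members


def audit(collected: dict[str, str], approved: dict[str, set[str]]) -> dict[str, dict[str, list[str]]]:
    """Per host, list members outside the baseline and baseline members that are absent."""
    findings: dict[str, dict[str, list[str]]] = {}
    for host, text in collected.items():
        expected = approved[role_of(host)]
        actual = {m.lower(): m for m in parse_net_localgroup(text)}  # keep original case for output
        unexpected = sorted(actual[k] for k in actual.keys() - expected)
        missing = sorted(expected - actual.keys())
        if unexpected or missing:
            findings[host] = {"unexpected": unexpected, "missing": missing}
    return findings


def remediation(findings: dict[str, dict[str, list[str]]]) -> dict[str, list[str]]:
    """Commands to run on each host to remove the unexpected members."""
    return {
        host: [f'net localgroup Administrators "{m}" /delete' for m in f["unexpected"]]
        for host, f in findings.items() if f["unexpected"]
    }


if __name__ == "__main__":
    found = audit(COLLECTED, APPROVED)
    for host, f in found.items():
        print(f"{host}: unexpected={f['unexpected']} missing={f['missing']}")
    for host, cmds in remediation(found).items():
        print(host, "->", "; ".join(cmds))
```

Running it flags the stray user account on the workstation and the service account on the file server, and also reports that the server is missing its tier group, which is the kind of drift that a "lock down local admins" project finishes with and then forgets. Schedule the collection and the audit rather than running them once.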

Federal Standard Should Be Implemented Across All Industries

Becoming a Department of Defense (DoD) contractor is no easy task. While your organization may be great at what it does, there are hundreds, if not thousands, of other organizations vying for the same contracts. One regulation does much of the work of pruning that field to the contractors that can actually protect DoD information: DFARS.
DFARS stands for Defense Federal Acquisition Regulation Supplement. To put it simply, DFARS is a government regulation that requires DoD officials and their contractors to follow DoD-specific acquisition rules when procuring goods and services.
While DFARS is lengthy on its own, the driving force behind the scramble is the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which DFARS clause 252.204-7012 pulls in. SP 800-171 provides guidance on protecting Controlled Unclassified Information (CUI) in nonfederal information systems and organizations. By December 31, 2017, any DoD contractor subject to that clause must comply with the security requirements outlined in NIST SP 800-171.
As DoD contractors rush to implement NIST’s standard and submit any necessary paperwork to the DoD before the end of 2017, other industries should be taking notice. While the NIST SP 800-171 standard was developed for nonfederal information systems, it serves as a well-structured, fundamental framework for securing information systems across most, if not all industries.  
The SP 800-171 standard requires organizations to implement basic security controls, such as password and automatic screen-lock policies, as well as more advanced controls, such as multi-factor authentication for network and local access to information systems. While some security requirements may be overkill and unnecessary for most organizations, much of the SP 800-171 standard should serve as a guiding light for any organization that values the confidentiality, integrity, and availability of their information systems, their data, and their clients’ data. 
Since most regulatory standards stop short of requiring the administrative, physical, and technical controls that make up a solid information technology and cybersecurity foundation, we often base our assessments on the SP 800-171 security requirements in addition to whichever regulatory standard the assessment is for. This lets us give our clients the information, guidance, and skills they need to keep their overall security posture strong as the threat landscape shifts.
To all the DoD contractors out there, I know it is no easy task to comply with everything the government can throw at you. To all other organizations, especially those who have never conducted an assessment, I recommend reviewing the SP 800-171 standard, and conducting a risk assessment. A well conducted risk assessment can be an eye-opening experience and will allow you to further enhance your overall security posture, thus helping to ensure continued regulatory compliance.

Who’s Really to Blame for Compromised Passwords?

When a password is compromised and ultimately leads to a breach, whose fault is it? Most people would place the blame on the employee whose password was compromised and argue that they failed to create a strong and secure password. On the other hand, blame could be placed squarely on the shoulders of the IT administrator who failed to properly train their employees on the proper and recommended password standards.
The National Institute of Standards and Technology (NIST) has become the primary source of technology standards and frameworks. NIST has developed standards that are utilized by all industries, including the federal government. As a result, when NIST develops a new standard or updates an existing standard, technology professionals do and should take notice.
In June 2017, NIST published SP 800-63-3, Digital Identity Guidelines. This Special Publication sets out new standards for authentication, identity proofing and federation, among other topics. One of its three companion documents, SP 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management, contains a section on the requirements for "Memorized Secrets" (i.e., passwords).
The following is a summary of some of the NIST requirements for memorized secrets (SP 800-63B section 5.1.1):
  • Must be of sufficient complexity and secrecy that an attacker cannot guess or otherwise discover the correct value.
  • Shall be at least 8 characters in length if chosen by the subscriber (the person being authenticated).
  • NO OTHER composition rules (mandatory mixtures of uppercase, digits and symbols) should be imposed on memorized secrets; length is the only requirement.
  • Verifiers (the system checking the secret) should permit subscriber-chosen passwords of at least 64 characters.
  • All printing ASCII characters, as well as the space character, should be acceptable in passwords; Unicode characters should be accepted as well.
  • Candidate secrets shall be compared against a list of values known to be commonly used, expected, or compromised (for example, passwords from previous breaches) and rejected if they appear on it.
  • Verifiers should not require the memorized secret to be changed periodically, but shall force a change if there is evidence the secret has been compromised.
While we believe the minimum acceptable password length should be 12 to 16 characters, NIST's emphasis on length over composition rules is well founded. Consider the size of the keyspace for a given character set. A 16-character password drawn from uppercase and lowercase letters only has 52 to the power of 16 = 2,857,942,574,656,970,690,381,479,936 possibilities (about 91 bits). An 8-character password drawn from uppercase and lowercase letters, numbers and 32 special characters (the 94 printing ASCII characters) has only 94 to the power of 8 = 6,095,689,385,410,816 possibilities (about 52 bits), even though it satisfies every traditional complexity rule. A passphrase that is simple for its owner to remember, such as "IlovedSummer2016morethananything!" (33 characters), drawn from the same 94-character set, has 94 to the power of 33 possibilities, a 66-digit number too long to display on a calculator screen. One caveat: these figures assume every character is chosen at random. A passphrase built from dictionary words and a year has far fewer likely possibilities than the raw keyspace suggests, which is why length should be paired with a check against known-compromised passwords rather than treated as a guarantee on its own.
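As an added example (not code from the original post), here is a small Python verifier that applies the memorized-secret rules summarized above, placed next to the kind of composition rule NIST says to drop, together with the keyspace arithmetic from the paragraph above. The blocklist is a constructed stand-in for a real breached-password corpus, and the 128-character upper bound is an assumed denial-of-service limit above NIST's 64-character minimum.

```python
from __future__ import annotations

import math
import unicodedata

# Thresholds from SP 800-63B section 5.1.1.2 (memorized secrets).
MIN_LEN = 8     # subscriber-chosen secrets SHALL be at least 8 characters
MAX_LEN = 128   # verifiers SHOULD accept at least 64; 128 is an assumed DoS bound

# Constructed stand-in for a list of commonly used / breached passwords.
# A real deployment would load a large offline corpus instead.
BLOCKLIST = {"password", "password1", "passw0rd!", "12345678", "qwerty123", "letmein!"}


def normalize(secret: str) -> str:
    """Apply Unicode NFKC normalization before checking or hashing (800-63B 5.1.1.2)."""
    return unicodedata.normalize("NFKC", secret)


def evaluate_secret(secret: str) -> tuple[bool, list[str]]:
    """Check a candidate memorized secret the way 800-63B says a verifier should.

    Deliberately absent: upper/digit/symbol composition rules, password hints,
    and any expiry date. Returns (accepted, list_of_reasons).
    """
    s = normalize(secret)
    problems: list[str] = []
    if len(s) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(s) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    # Every printing character, including space and non-ASCII, is acceptable;
    # only control characters (tab, newline, ...) are rejected.
    if any(not ch.isprintable() for ch in s):
        problems.append("contains control characters")
    # Case-insensitive lookup so a trivially capitalised breached value is still caught.
    if s.lower() in BLOCKLIST:
        problems.append("matches a commonly used or breached password")
    return (not problems, problems)


def legacy_policy(secret: str) -> bool:
    """The rule 800-63B tells verifiers to drop: 8+ chars with upper, lower,
    digit and symbol. Kept here only for contrast."""
    return (
        len(secret) >= 8
        and any(c.isupper() for c in secret)
        and any(c.islower() for c in secret)
        and any(c.isdigit() for c in secret)
        and any(not c.isalnum() for c in secret)
    )


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of the given length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy if each character is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for candidate in ["Passw0rd!", "correct horse battery staple",
                      "IlovedSummer2016morethananything!"]:
        ok, why = evaluate_secret(candidate)
        nist = "accept" if ok else "reject " + str(why)
        legacy = "accept" if legacy_policy(candidate) else "reject"
        print(f"{candidate!r}: 800-63B {nist}; legacy policy {legacy}")
    print("52^16 =", keyspace(52, 16), f"(~{entropy_bits(52, 16):.0f} bits)")
    print("94^8  =", keyspace(94, 8), f"(~{entropy_bits(94, 8):.0f} bits)")
    print("94^33 has", len(str(keyspace(94, 33))), "digits")
```

Run it and "Passw0rd!" passes the legacy rule but is rejected by the 800-63B check, while "correct horse battery staple" does the reverse; that inversion is the whole point of the new guidance. In production the blocklist lookup should go against a large offline corpus, and the accepted secret should be salted and hashed with a key-derivation function before storage, as 800-63B also requires.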
Despite the clear logic behind a focus on password length, rather than drilling the word “complexity” into everyone’s minds, administrators continue to ignore the new standards. For example, how many banking websites continue to limit the character length of your passwords? How many retail websites do the same and limit the special characters you are allowed to use to “!@#$%^”? If the administrators of secure entities such as banks, frequently used retail websites and other popular online institutions continue to ignore these new standards, how can we ever expect our end users to change?
As administrators, we should be placing a greater emphasis on proper end user education. We should educate our users on proper passphrase creation and demonstrate for them how easy it is to create a simple yet secure passphrase.
Until we begin to adopt these new standards and pass the knowledge on to our end users, we will continue to experience the headaches of brute forced passwords, compromised accounts, unauthorized information disclosures and unexpected regulatory audits and breach notifications staring us in the face.

References:

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf