Monthly Archives: October 2017

National Cyber Security Awareness Month

Although National Cyber Security Awareness Month is coming to a close, COMPASS maintains a commitment to raising cyber security awareness throughout the year. The following are this year’s top blog posts that demonstrate ways to implement cyber security risk management in your organization and minimize the threats you may face.

  1. A Risk Manager’s Approach to Cyber Security 

Cyber security threats arguably pose the greatest danger to an organization’s risk management strategy. Risk managers should leverage their organization’s existing risk governance processes and methodologies to effectively analyze and manage cyber threats.

  2. Top 10 Assessment Findings

Although COMPASS’ client base is highly diverse, there are common findings we encounter on almost every single engagement. They are grouped by our approach to cyber security risk management which focuses on the 3 pillars of cyber security – people, policy and technology.

It is important for organizations to regularly assess not only their technical infrastructure, but also their organizational security awareness and policies. Organizations that fail to perform periodic assessments risk leaving themselves exposed to hackers who can exploit these vulnerabilities or negligent insiders who expose data unintentionally.

  3. 5 Steps to Develop a Security Program

Developing a practical and effective cyber security plan is vital to incorporating security into your organization’s risk management strategy. A common misconception is that a cyber security plan is lengthy and difficult to follow. However, that does not have to be the case. COMPASS recommends 5 steps for your cyber security plan.

  4. Business Email Compromise

BECs remain a prominent threat and will continue to be used in targeted scams. The victims of BEC attacks range from small business to large corporations and all employees should be aware of the dangers. Organizations that utilize robust prevention techniques have proven highly successful in recognizing and deflecting BEC attempts.


If you have any questions or would like to discuss the unique cyber threats your organization faces, please CONTACT US.

Protecting Critical Infrastructure from Cyber Threats

We’ve made it to week five of National Cyber Security Awareness Month (NCSAM)! The theme this week is “Protecting Critical Infrastructure from Cyber Threats.” The basic infrastructure that supports our daily lives is deeply dependent on the Internet, and, therefore, continually exposed to the risk of new threats and cyber attacks. As security breaches grow in frequency and sophistication every day, it’s crucial to build resiliency and then take steps to protect critical infrastructure to remain safe and secure online.

During the last week of NCSAM, the experts at Connection would like to remind you of the importance of identifying current and future strategies to protect your infrastructure and manage your risk. Cyber security is one of the biggest challenges organizations face today. Regardless of size or industry, every organization must ask itself: is my security strategy up to date? If your organization is looking to stay on the front line of cyber security, it’s imperative to know how an end-to-end risk management strategy can help you properly secure your infrastructure.

Our security experts have an abundance of experience, and several areas of expertise we can put to work for you. We are committed to keeping your organization safe and secure, and can help design, deploy, and support solutions to address your critical risks and defend your critical infrastructure. For more information, contact one of our security experts today!

The post Protecting Critical Infrastructure from Cyber Threats appeared first on Connected.

NCSAM, Week Five: Protecting Critical Infrastructure

It’s Week 5 of National Cyber Security Awareness Month (NCSAM). This week, the focus is on protecting critical infrastructure—the essential systems that support our daily lives such as the electric grid, financial institutions, and transportation. Unfortunately, attacks on critical infrastructure have become a concern worldwide. A devastating attack isn’t just a theoretical possibility anymore. As we’ve recently seen with Equifax, and other security breaches in healthcare and other industries, the growing threat of serious attacks on critical infrastructure is real. These days, hackers have become much more formidable, and we will undoubtedly see more of these attacks in the future. It’s no longer a matter of if there will be another attack, but when. Let’s celebrate this last week of NCSAM by staying aware and being prepared.

Protecting your infrastructure requires constant vigilance and attention to evolving cyber attacks. Risk is inherent in everything we do, so trying to stay ahead of the cyber security curve is key. Our team of security experts can help you build a security strategy to detect, protect, and react to the complete threat lifecycle. The threats we all need to manage today evolve quickly, and we can help you minimize your risk and maximize your defenses to improve your cyber resiliency. For some expert insight on securing your critical infrastructure, give us a call and discover the Connection difference.

The post NCSAM, Week Five: Protecting Critical Infrastructure appeared first on Connected.

A LARGE NUMBER OF APPLICATIONS CONTINUE TO STEAL USER DATA

In Tanzania, the use of ICT (TEHAMA) has continued to grow across many areas. This has made essential services easier to obtain and has enabled people to keep communicating with ease.

Industries and institutions of all kinds continue to use ICT to improve efficiency and reach large numbers of people in a short time. Financial transactions, tax collection and communications are just some of the activities ICT enables in the country.

The security of ICT systems is one of the most important areas in which Tanzania must invest, so as to protect itself against any form of cyber crime that could make essential services unavailable and ultimately destabilise the national economy.

-------------------
STATISTICS: Tanzania has installed 27,000 km of optical fibre connecting all regions and has 7 mobile operators – about 94% network coverage, 85% SIM penetration and 40% internet users.
-------------------
The annual conference of ICT professionals in Tanzania, held at the end of last week (26–27 October 2017) in Dar es Salaam, took up the subject of cyber security: several papers focused on educating participants in the best ways to strengthen the security of our systems were presented and discussed.


Personally, I spoke to participants about the best way to protect the data held on our phones and laptops (Protecting Mobile Device Data); these devices have come to be used for office work and for carrying out transactions, so that data has become important to protect against cyber criminals.
-------------------
QUOTE: “Companies today allow individuals to make use of their own mobile devices to perform their jobs with direct access to the organization’s sensitive data. Therefore, the data on our mobile devices is very important for the operations and financial well-being of our business.” – Yusuph Kileo.
-----------------------

It has become common to read office email on our mobile phones and to do office work on personal laptops wherever we happen to be, all of which puts important work data at risk of falling into the hands of cyber criminals if the appropriate steps to protect it are not taken.

PICTURED, FROM LEFT: Yusuph Kileo (member of the AfICTA board of directors), Prof. Mike Hinchey (President of IFIP), Samson Mwela (Director General, ICT Commission), Prof. Rai (head of the State University of Zanzibar - SUZA) and Neema Sinare (President of ISACA)

Moreover, these devices can be stolen, leaving this important data at risk of being misused. Protecting it is therefore the responsibility of every user.

The care we take over the applications we install on our phones deserves a great deal of attention, because the various studies we have continued to carry out at a global level have found that a large percentage of applications have a habit of stealing user data and using it as they please.

---------------------
Non-sanctioned applications create a risk to mobile devices and to enterprises.
October 2016 – The top 10 Flash apps were found to be malware.
February 2017 – According to Cisco, 27% of 222,000 assessed applications presented a high risk.
May 2017 – Hundreds of apps investigated were all found to have serious snooping and spying characteristics.

---------------------




Various efforts have been made, including a 2014 agreement directing every application to state briefly what it will give the user for free and what it will take from the user, and to give the user the opportunity to accept or decline. We also urged application developers to make sure they secure their applications so that cyber criminals cannot tamper with them and misuse them to commit crimes.


Other speakers pointed out various cyber security weaknesses found in the country and urged the nation to tighten its belt further.

Overall, raising awareness among internet users so that they use the network well, adding to the skills of our professionals, strengthening cooperation in handling cyber crime incidents, removing unnecessary bureaucracy in the fight against cyber crime, having the right people in the right places to control cyber crime, and having the right and robust tools to combat cyber crime were among the things identified as needing work in order to make progress against cyber crime in the country.

Cyber crime incidents that hit one institution should not be repeated at another; that was my appeal to all participants. Reporting cyber crime incidents so that they can be resolved is also important, because concealing this information while the incidents keep recurring can allow the problem of online financial losses to keep growing, and this has a major effect on the national economy.


A call was made to our universities to move away from outdated systems that are behind the times, by re-examining themselves and preparing curricula that can produce professionals able to combat cyber crime in the country.

Open Source Pentesting

My talk today at Wild West Hacking Fest was about some documents that I released here. I’ll make this blog post more in-depth later, but for right now I wanted to get the slides out.

(If you can’t access one of the documents yet, don’t ask for permission to do so; it just means it isn’t ready yet. I’ll make posts about each one as they become available.)

Here is the main slide deck for the docs: https://bit.ly/OpenSourcePentest

Here are the slides for the release talk (not the same as the link above):

The New Security Reality

It’s week 4 of National Cyber Security Awareness Month (NCSAM). Each week of NCSAM is dedicated to a specific cybersecurity theme. The theme this week is “The Internet Wants YOU: Consider a Career in Cyber Security.”

With the continuous state of change in the global threat landscape, organizations face cyber attacks and security breaches that are growing in frequency and sophistication every day. But now, consider this: according to a study by the Center for Cyber Safety and Education, there will be a shortage of 1.8 million information security workers by 2022. This gap should be of great concern to organizations.

Skilled people make the difference in protecting sensitive data, so it’s more critical than ever that organizations begin to attract and retain the cybersecurity talent needed to defend against the evolving threat landscape. At Connection, we help inspire individuals coming out of universities to engage in co-op or intern-related opportunities, and I strongly encourage other organizations to see what they can do to help young people today who are really interested in building their skills in this area.

The figures don’t lie. The demand for cyber security will only continue to grow. Through local collaborative efforts between employers, training providers, and community leaders, we can ensure individuals have the opportunity to build on their tech knowledge and participate in a secure, thriving economy.

The post The New Security Reality appeared first on Connected.

Employee Security Awareness Training

Because humans are often the weakest link when it comes to cyber security, it is critically important to integrate employee security awareness training into your cyber security action plan. By educating employees on best practices, policies, procedures, popular attack methods and trends, organizations can significantly reduce their risk of a data breach.

By one estimate, increasing your investment in cyber security awareness training can reduce the likelihood of a successful cyber attack by 45% to 70%. Common and effective employee training methods include:

  • On-boarding – When a new employee joins your organization, immediately make them aware of cyber security best practices your organization requires. This will create a strong cyber security posture throughout the employee’s lifespan.
  • Mock phishing exercises – Phishing attacks are one of the most common forms of social engineering that can harm businesses. By employing these exercises organizations can test their email platform and see how their employees would react in a real-life scenario.
  • Webinars – Webinars on cyber security trends give employees a chance to ask questions and hear firsthand of the importance of keeping data secure. These interactive sessions empower employees with the information necessary to support the organization’s goal of protecting its sensitive data.
  • Policy check surveys – Regularly testing the knowledge of employees is important to their understanding of company policies and procedures. These can identify and prioritize gaps that should be addressed in further employee training sessions. In addition, these surveys and their results will be important if your organization is audited or breached.
  • Regularly discuss cyber security with employees – Make cyber security part of your workplace culture so that employees are regularly acting with the organization’s best interests in mind. Proactively address employee negligence as it is one of the top causes of security incidents.
  • Incident response plan – Ensure employees are aware of their role in the company’s incident response plan. Practice this plan quarterly so in the event of a breach your organization can respond quickly and comprehensively to minimize the impact and associated costs.
  • Onsite training – Providing face-to-face security awareness training on cyber best practices and company policies and procedures gives employees an opportunity to ask questions and learn from experienced personnel.

Proactively training employees before an information security incident is critical to protecting the future of your business. Create policies and guidelines that assume your company will be targeted by cybercriminals and make sure employees know the appropriate actions that are necessary to keep the company’s data safe. Implementing employee training in your organization at least quarterly is one of the best and most cost-effective ways to reduce cyber security risks.

For more information on employing training in your workplace, please contact us.

Cyber Security Careers Are in High Demand

October is National Cyber Security Awareness Month, which is an annual campaign to raise awareness about the importance of cyber security. Week 4 of NCSAM is all about the growing field of cyber security and why you might want to consider this career.

It’s impossible to overstate the importance of security in today’s digital world. Cyber attacks are growing in frequency and sophistication every day, and a key risk to our economy and security is the lack of professionals to protect our growing networks. According to a study by the Center for Cyber Safety and Education, by 2022, there will be a shortage of 1.8 million information security workers. So, it’s critical that we begin now to prepare our students—and any others who are interested in making a career move—to fill these gaps. Many colleges and universities have developed information assurance programs that help technical, security-minded students achieve a great foundation in this industry. We also challenge corporations to offer intern and co-op opportunities for students in these degree programs, so they can see what security looks like in practical, business-world applications.

Connection is committed to promoting cyber security and online safety. Join Connection during Week 4 of NCSAM, as we explore cyber security as a viable and rewarding profession and encourage people from all backgrounds to see information security as an essential career path.


The post Cyber Security Careers Are in High Demand appeared first on Connected.

WPA2 Hacks and You

The world has been rocked once again with a serious flaw in a basic security mechanism that we all take for granted to keep us safe and secure. According to Dark Reading, researchers at Belgium’s KU Leuven have uncovered as many as 10 critical vulnerabilities (ten CVE identifiers were assigned) in the Wi-Fi Protected Access II (WPA2) protocol used to secure Wi-Fi networks. This is a protocol that—as we have all learned over the last several years—must be configured correctly to keep us safe.

The key reinstallation attack (KRACK) affects every modern wireless network that uses WPA2, because the weakness is in the protocol’s 4-way handshake itself rather than in any one vendor’s product. By replaying a handshake message, an attacker within radio range can trick a client into reinstalling a key it is already using; that resets the per-packet nonce, which lets the attacker decrypt and replay packets, so private (encrypted) communication is no longer private. The attack does not recover the Wi-Fi password, and it is the client side of the handshake that is attacked, so a patched client is protected even on an unpatched access point (access points that offer fast roaming, 802.11r, need patching too). Although the flaw requires the attacker to be within range of the network, that is exactly the situation in far-reaching wireless deployments—such as hotel and hospital lobbies—where an attacker can just sit down and work their trade.

The CERT/CC Vulnerability Notes Database entry for the issue (VU#228519) provides a summary and detailed description of the vulnerabilities. It includes a list of vendors who may be affected by the vulnerability, and a status field indicating whether the vendor has any products that are affected.
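The decryption described above comes down to nonce reuse in CCMP’s counter mode: once a client reinstalls the same key, its packet number restarts and two packets get encrypted with the same keystream. The following Python is an added example, not code from the original post or from the KRACK researchers. It simulates the keystream with HMAC-SHA256 in place of AES-CTR (an assumption; the “same key + same nonce gives the same keystream” property is identical for the real cipher), models the CCMP nonce as priority || transmitter address || 48-bit packet number, and shows that an attacker holding one guessable plaintext recovers the other packet without ever learning the key. The key, MAC address and packet contents are constructed.

```python
import hashlib
import hmac


def ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Simulated counter-mode keystream.

    Assumption: HMAC-SHA256(key, nonce || counter) stands in for the AES-CTR
    keystream CCMP derives from the pairwise key and the per-packet nonce.
    The only property the attack needs, same key + same nonce => same
    keystream, holds for the real cipher exactly as it does here.
    """
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ccmp_nonce(packet_number: int, transmitter: bytes = b"\x02\x00\x00\x00\x00\x01") -> bytes:
    """CCMP nonce: 1 byte priority || 6 byte transmitter MAC || 48-bit packet number (PN).
    The PN is the part a key reinstallation resets. MAC address is constructed."""
    return b"\x00" + transmitter + packet_number.to_bytes(6, "big")


def encrypt(key: bytes, packet_number: int, plaintext: bytes) -> bytes:
    return xor(plaintext, ctr_keystream(key, ccmp_nonce(packet_number), len(plaintext)))


def recover_plaintext(known_ct: bytes, known_pt: bytes, target_ct: bytes) -> bytes:
    """Attacker step: one ciphertext with a guessable plaintext (a DHCP request,
    an HTTP GET) yields the keystream, which strips any other ciphertext that
    reused the same nonce. The key itself is never recovered or needed."""
    return xor(target_ct, xor(known_ct, known_pt))


def demo():
    ptk = hashlib.sha256(b"constructed pairwise transient key").digest()   # constructed key
    known_pt = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"       # guessable packet
    secret_pt = b"user=alice&password=hunter2"                           # constructed secret

    # Client installs the PTK after handshake message 3; its first packet uses PN = 1.
    ct_known = encrypt(ptk, 1, known_pt)

    # Normal operation: the next packet uses PN = 2, a fresh nonce.
    ct_fresh = encrypt(ptk, 2, secret_pt)

    # KRACK: the attacker replays message 3, the client reinstalls the same PTK and
    # resets its transmit PN to 1, so the next packet reuses the nonce of ct_known.
    ct_reused = encrypt(ptk, 1, secret_pt)

    return (
        recover_plaintext(ct_known, known_pt, ct_reused),  # equals secret_pt
        recover_plaintext(ct_known, known_pt, ct_fresh),   # garbage: the nonces differ
        secret_pt,
    )


if __name__ == "__main__":
    reused, fresh, secret = demo()
    print("after key reinstall:", reused)
    print("with a fresh nonce :", fresh)
```

The same arithmetic is why item 5 of the list below matters: if the recovered packet is itself TLS or SSH ciphertext, the attacker has stripped one layer and still sees nothing useful.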

What can you do?

Vendors are currently identifying their affected products and working on patches to address this attack. In the meantime, here are a few things you can do to keep your information safe:

  1. Apply patches as they are released, starting with clients (laptops, phones, IoT devices), since it is the client side of the handshake that is attacked
  2. Pay careful attention to your wireless environment
  3. Watch for people and technology that look out of place
  4. Utilize a trusted VPN solution
  5. When possible, transfer data over an encrypted channel—such as HTTPS or SSH—so that a decrypted Wi-Fi frame still exposes only ciphertext
  6. Restrict sensitive information that would normally pass over a wireless network
  7. And, as always, it’s a good practice to monitor access logs and wireless traffic to look for anomalies in standard business communication, such as repeated 4-way handshakes for the same client or an unexpected access point broadcasting your SSID

How has this Wi-Fi vulnerability affected your organization? Leave a comment below to share your experience and any additional advice you have for staying protected.


The post WPA2 Hacks and You appeared first on Connected.

Shut Down Unlikely Attack Vectors in Your Organization

As a security professional, I probably take security more seriously than most. But when we start talking about the Internet of Things (IoT), the science fiction buff in me comes to the forefront a little bit. While we don’t want any kind of attacks to happen to our organizations, it can be a little fun to imagine the crazy ways hackers can use mundane appliances to hack into a network.

For example, earlier this year, a North American casino was hacked through a smart fish tank. Since the equipment in the tank was connected to the Internet, attackers were able to use that as their vector for network access. Fortunately, the breach was discovered quickly afterward—and you never want to hear about security breaches like this, but it certainly does make for a unique story.

That highlights the risks that are out there today. If you’re connected to the Internet, you are vulnerable to attacks. With IoT and the proliferation of smart devices, we’re starting to see some creativity from hackers that is not necessarily being counteracted with the appropriate level of security controls. That fancy fish tank certainly didn’t have the appropriate level of security controls. Having “regular” devices connect to the Internet can bring flexibility and manageability, but it also opens up more vulnerabilities.

That risk is something that everybody needs to understand. Basically, like any good risk owner, you need to think about what device you have, how it’s connecting, where it’s connecting to, and whether or not that connection has a level of security that meets your policy and control expectations. Honestly, what I’ve seen is that because of the easy and seamless connectivity of these smart devices, a lot of organizations are not thinking about necessary security measures. They aren’t quite seeing that a fish tank or a biomedical device or even an HVAC system can be just as vulnerable to attack as a server or application.

So how do you keep your network and data safe and still take advantage of the benefits of the IoT? Employ the same techniques I spoke of last week: protect, detect, and react. Assess, document, and validate risks. Make sure that you have a complete and total information security risk management or risk governance program. Apply these techniques and programs to every single device on your network, no matter how low-level it may seem. Something as normal as a thermostat or refrigerator could be a gateway for a hacker.

Our experts can help you assess your environment for risks and vulnerable points in your network, and help you put together a comprehensive security program that doesn’t leave out anything—even your lobby fish tank or break room fridge.

The post Shut Down Unlikely Attack Vectors in Your Organization appeared first on Connected.

Mobile Device Management

Mobile Device Management (MDM) is a great method to ensure that your employees remain productive and do not violate any corporate policies. In the ever-expanding Bring Your Own Device (BYOD) world, more organizations are allowing employees the freedom to work from their own mobile devices. Tablets, smart phones, and personal laptops are taking a larger and larger space on corporate networks.

While there are numerous advantages to a BYOD environment, allowing personal devices onto a corporate network introduces a variety of security threats. A Mobile Device Management solution helps in securing that environment.

Here are 5 Tips you should implement when securing your devices with a MDM approach:

  1. Require standards for password strength – Make sure that your MDM is configured to require device passcodes that meet or exceed guidelines concerning length, complexity, retry and timeout settings for the appropriate device.
  2. Device Update Compliance – Set a minimum required version for employee mobile devices. This will require that employee devices are kept updated and restrict devices that do not comply with this setting.
  3. Prevent Jail-breaking – Prevent jail-broken or ‘rooted’ mobile devices. Allowing these devices could add an additional attack vector as many ‘rooted’ or jail-broken devices install third-party app stores that may contain malicious apps. Preventing these devices helps secure access to company data.
  4. Require usage of signed apps and certificates – Use your MDM to screen any mobile devices for suspicious applications before allowing access to company resources. These could be email programs, mobile apps, and networks (Wi-Fi or company VPN access). As with jail-broken devices, unsigned apps and certificates may allow malware to infect the device.
  5. Seek Employee Buy-In – Prior to allowing a user device onto your network, require that the user acknowledge and accept basic corporate policies. Make sure that the user understands that company administrators will be able to revoke and/or restrict access for devices that don’t comply with company policy.

The best idea is to decide your corporate strategy and then choose a MDM solution that fits your project. For more information on mobile device security, download our iPhone and Android Security Guides. If you would like to begin a conversation about Mobile Device Management, please CONTACT US.
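To make the five tips above checkable rather than aspirational, here is an added Python example (not code from the original post or from any MDM vendor) that evaluates an exported device inventory against them: minimum OS version per platform, jailbreak or root status, passcode length, retry and auto-lock settings, and unsigned apps. The policy thresholds, the field names and the three sample devices are assumptions constructed for the example; a real MDM export will use its own schema, and you would map its fields onto these.

```python
import json
from typing import Dict, List, Tuple

# Policy thresholds are assumptions for this example, not any vendor's defaults.
POLICY = {
    "min_os": {"ios": "12.4", "android": "9.0"},
    "passcode_min_length": 6,
    "passcode_max_failed": 10,         # device must lock or wipe after this many bad attempts
    "passcode_max_inactivity_s": 300,  # auto-lock after at most five minutes idle
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'13.1' -> (13, 1, 0). Compare as tuples; compared as strings, '9.0' > '13.1'."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def evaluate(device: dict, policy: dict = POLICY) -> List[str]:
    """Policy violations for one device record; an empty list means the device
    may be allowed onto company email, Wi-Fi and VPN."""
    findings: List[str] = []
    platform = device["platform"]
    minimum = policy["min_os"].get(platform)
    if minimum is None:
        findings.append(f"unsupported platform {platform}")
    elif parse_version(device["os_version"]) < parse_version(minimum):
        findings.append(f"os {device['os_version']} below minimum {minimum}")
    if device.get("jailbroken"):
        findings.append("jailbroken or rooted")
    pc = device.get("passcode", {})
    if not pc.get("enabled"):
        findings.append("passcode not enabled")
    else:
        length = pc.get("min_length", 0)
        failed = pc.get("max_failed_attempts", 0)  # 0 means unlimited retries
        idle = pc.get("max_inactivity_s", 0)       # 0 means it never auto-locks
        if length < policy["passcode_min_length"]:
            findings.append(f"passcode length {length} below {policy['passcode_min_length']}")
        if failed == 0 or failed > policy["passcode_max_failed"]:
            findings.append("failed-attempt limit missing or too lenient")
        if idle == 0 or idle > policy["passcode_max_inactivity_s"]:
            findings.append("auto-lock timeout missing or too long")
    for app in device.get("apps", []):
        if not app.get("signed", False):
            findings.append(f"unsigned app {app['id']}")
    return findings


def compliance_report(inventory_json: str) -> Dict[str, List[str]]:
    """Device name -> violations, for every device in an MDM inventory export."""
    return {d["name"]: evaluate(d) for d in json.loads(inventory_json)}


# Constructed inventory in a made-up export format.
INVENTORY = json.dumps([
    {"name": "ceo-iphone", "platform": "ios", "os_version": "13.1", "jailbroken": False,
     "passcode": {"enabled": True, "min_length": 6, "max_failed_attempts": 10, "max_inactivity_s": 300},
     "apps": [{"id": "com.example.mail", "signed": True}]},
    {"name": "contractor-pixel", "platform": "android", "os_version": "8.1.0", "jailbroken": True,
     "passcode": {"enabled": True, "min_length": 4, "max_failed_attempts": 0, "max_inactivity_s": 900},
     "apps": [{"id": "com.example.mail", "signed": True}, {"id": "free.vpn.sideload", "signed": False}]},
    {"name": "sales-ipad", "platform": "ios", "os_version": "12.4", "jailbroken": False,
     "passcode": {"enabled": False}, "apps": []},
])

if __name__ == "__main__":
    for name, findings in compliance_report(INVENTORY).items():
        print(name, "->", findings or "compliant")
```

Two details are worth keeping when you adapt this: versions must be compared numerically, not as strings, and a retry or idle limit of zero usually means “unlimited” in device exports, which is the weakest possible setting rather than the strictest.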

2017 GrrCon Hiring List

Created the 2017 UNOFFICIAL GrrCon Hiring List. To get on the list is even easier now! Just complete the following form: https://goo.gl/forms/ddfN6gHPbCJweGUw2

(One small tip, first come first serve, so if you want to be on the top of the list it’s best to submit the best info you have vs waiting on anyone, I don’t change the list order for anyone.)

Direct Link to Google Doc: https://docs.google.com/spreadsheets/d/18YEyfp3ctrCz3WgaCArKp0wLn0xWEfV99X-UDmhy4D0/

A Massive Cyber Breach at a Company Whilst it was Considering the ‘Cloud’

(A Must-Read for all CEOs, CFOs, CIOs, CISOs, Board Members & Shareholders Today)


Folks,

Today was supposed to be an exciting Friday morning at a Multi-Billion $ organization since the world's top Cloud Computing companies were going to make their final pitches to the company's C-Suite today, as it was considering moving to the "Cloud."

With Cloud Computing companies spending billions to market their latest Kool-Aid to organizations worldwide (even though much of this may actually not be ready for mission-critical stuff), how could this company too NOT be considering the Cloud?



The C-Suite Meeting

Today was a HUGE day for this multi-billion dollar company, for today after several months of researching and evaluating their choices and options, the company's leadership would finally be deciding as to which Cloud Computing provider to go with.


This meeting is being chaired by the Chairman of the Board and attended by the following organizational employees -

  1. Chief Executive Officer (CEO)

  2. Chief Financial Officer (CFO)

  3. Chief Information Officer (CIO)

  4. Chief Information Security Officer (CISO)

 Also in attendance are about a dozen Vice Presidents, representing Sales, Marketing, Research and Development etc.




Meeting In-Progress

After breakfast, the presentations began at 9:00 am. The organization's CIO kicked off the meeting, rattling off the numerous benefits that the company could enjoy by moving to the Cloud, and minutes later the Vice President of Cloud Computing from the first Cloud Computing company vying for their business started his presentation. His presentation lasted two hours.

The C-Suite then took a break for lunch.

The next presentation began at 1:00 pm and was expected to last till about 4:00 pm. The Vice President of Cloud Computing from the second Cloud Computing company had started her presentation and was almost an hour into it, when all of a sudden this happened...

... the CISO's assistant unexpectedly entered the room, went straight to the CISO and whispered something into his ear.

Everyone was surprised, and all eyes were on the CISO, who grimly asked his assistant - "Are you 100% sure?"  He said "Yes."





Houston, We Have a Problem

The CISO walked up to the CIO and whispered something into his ear. The CIO sat there in complete shock for a moment!


He then gathered himself and proceeded to request everyone except the C-Suite to immediately leave the conference room.

He told the Vice President of this Cloud Computing company - "Hopefully, we'll get back to you in a few weeks."

He then looked at the CEO and the Chairman of the Board, and he said - "Sir, we have a problem!"




It's Over

The CEO asked the CIO - "What's wrong? What happened?"

The CIO replied - "Sir, about 30 minutes ago, an intruder compromised the credentials of each one of our 20,000 employees!"


The CEO was almost in shock, and just couldn't believe what he had just heard, so he asked - "Everyone's credentials?!"

The CIO replied - "I'm afraid yes Sir, yours, mine, literally everyone's, including that of all our privileged users!"

The CEO could sense that there was more bad news, so he asked - "Is there something else I should know?"

The CIO replied - "Sir, 15 minutes ago, the intruder logged on as an Enterprise Admin, disabled the accounts of each one of our privileged users, and used Group Policy to deploy malicious software to each one of our 30,000 domain-joined computers! By now, he could have stolen, exfiltrated and destroyed the entirety of our digital assets! We may have lost literally everything!"

The CEO was shocked! They'd just been breached, and what a massive breach it was - "How could this have happened?"




Mimikatz DCSync 

The CIO turned to the CISO, who stepped in, and answered the question - "Sir, an intruder used a tool called Mimikatz DCSync to basically request and instantly obtain the credentials of every single user from our foundational Active Directory deployment."


The CEO asked - "What is Active Directory?"

The CISO replied - "Sir, simply put, it is the very foundation of our cyber security"

The CEO then asked - "Wait. Can just anyone request and extract credentials from Active Directory?"

The CISO replied - "Sir, not everyone can. Only those individuals who have sufficient access to do so, and by that I mean specifically only those who have Get-Replication-Changes-All effective permissions on the domain root object, can do so."

The CEO then said - "This does not sound right to me. I'm no technical genius, but shouldn't we have known exactly who has this, whatever you just said, er, yes, that Get-Replication-Changes-All effective permission in our Active Directory?!"

The CISO replied - "Sir, it turns out that accurate determination of effective permissions in Active Directory is actually very difficult, and as a result it is almost impossible to figure out exactly who has this effective permission on our domain root!"

The CEO figured it out - "So you're saying that the intruder had compromised the account of someone who was not on your radar and not supposed to have this access, but actually did, and the intruder used that access to steal everyone's credentials?"

The CISO replied - "That's right. It appears we did not know that this someone had sufficient access (i.e. effective permissions) to be able to replicate secrets from Active Directory, because it is very difficult to accurately figure this out in Active Directory."



The CEO was furious! - "You're kidding right?! Microsoft's spent billions on this new fad called the "Cloud", yet it doesn't even have a solution to help figure out something as vital as this in Active Directory? How long has Active Directory been around ?!

The CISO replied - "Seventeen years."

The CEO then said in disbelief - "Did you just say 17 years, as in S-E-V-E-N-T-E-E-N years?!  Get Satya Nadella on the line now! Perhaps I should #REFRESH his memory that we're a customer, and that we may have just lost a few B-I-L-L-I-O-N dollars!"




This is for Real

Make NO mistake about it. As amusing as it might sound, the scenario shared above is very REAL, and in fact today, most business and government organizations worldwide that operate on Active Directory have no idea as to exactly who has sufficient effective permissions (the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights on the domain root, which is exactly what DCSync needs) to be able to replicate secrets out of their Active Directory. None whatsoever!


We can demonstrate the enactment of this exact scenario, and its underlying cause, to any organization that wishes to see it.




This Could've Been (and Can Be) Easily Prevented 

This situation could easily have been prevented, if this organization's IT personnel had only possessed the ability to adequately and accurately determine effective permissions in their foundational Active Directory deployment.


Sadly, since Microsoft apparently never educated its customers about the importance of Active Directory effective permissions, most of them have no clue, and in fact have no idea as to exactly who can do what across their Active Directory deployments!

Unfortunately, Mimikatz DCSync is just the tip of the iceberg. Today most organizations are likely operating in the dark: they have no idea of their actual attack surface, i.e. exactly who can create, delete and manage the entirety of their domain user accounts, domain computer accounts, domain security groups, GPOs, service connection points (SCPs), OUs etc., even though any insider or intruder could try to figure this out and misuse that insight to compromise their security.

Technically speaking, with even just minimal education and the right tooling, here is how easy it is for organizations to figure this out and lock it down today, i.e. before an intruder can exploit it to inflict colossal damage - RIGHT HERE.


Oh, and you don't need to call Microsoft for this, although you certainly can and should. If you do, they'll likely have no answer, yet they might use even this to pitch you their latest toy, Microsoft ATA, and of course, their Cloud offering, Microsoft Azure.

Wait, weren't these C*Os discussing the Cloud (and likely Microsoft Azure) just a few hours (and a few billion dollars) ago?!




Fast-Forward Six Months

Unfortunately, given the massive scale of this breach, the company did not survive the attack, and had to declare bankruptcy. The C*Os of this company are still looking for suitable employment, and its shareholders ended up losing billions of dollars.


All of this could've been prevented, if they only knew about something as elemental as this, and had the ability to determine this.





Summary

The moral of the story is that while it's fine to consider the latest fad, i.e. moving to the "Cloud", as and while you consider and plan to do so, you just cannot let your on-prem cyber defenses down even for a moment, because if you do, you may not have a company left to move to the Cloud. A single excessive effective permission in Active Directory is all it takes.


I'll say this one more time and one last time - what I've shared above could easily happen at almost any organization today.

Best wishes,

CEO, Paramount Defenses



PS: If this sounds too simple and high-level, i.e. hardly technical, that is by intent, as it is written for a non-technical audience. This isn't to showcase our technical depth; examples of our technical depth can be found here, here, here, here, here, etc.



PS2: Note for Microsoft - This may be the simplest example of "Active Directory Access Control Lists - Attack and Defense."

Here's why - Mimikatz DCSync, which embodies the technical brilliance of a certain Mr. Benjamin Delpy, may be the simplest example of how someone could attack Active Directory ACLs to instantly and completely compromise Active Directory. On the other hand, Gold Finger, which embodies the technical expertise of a certain former Microsoft employee, may be the simplest example of how one could defend Active Directory ACLs: by being able to instantly identify/audit effective permissions/access in/across Active Directory, one can lock down any and all unauthorized access in Active Directory ACLs, making it impossible for an(y) unauthorized user to use Mimikatz DCSync against Active Directory.



PS3: They say to the wise, a hint is enough. I just painted the whole picture out for you. (You may also want to read this & this.)

PS4: If you liked this, you may also like - How To Easily Identify & Thwart Sneaky Persistence in Active Directory

Automatically deleting old Gmail email

Like many of you I’m a gmail hoarder. I never delete anything, I just “archive” everything. I “might” need it later, or “I’ll get to it when I have time”. If we get really honest with ourselves, we never will actually get to it, and because we have this buffer, this procrastination opportunity, we grab it. We use words like “but I may need proof of X”, or “I could need to reference this”, or “I don’t really want to put this person in my contacts so I’ll just save the email”.

Personally I have made a choice to force myself to be more engaged in my email going forward. I have set a Google Script to run through all of my email every day and if it is older than 90 days, and doesn’t have the special label “keep” on it, it’s gone. I obviously didn’t care enough about whatever was going on in that email to take the time to respond to it.

Whatever your reason for finding this post, here is how I got it done:

At first I started with just searching for a way to make a simple filter to do this. There are plenty of blog posts that show you this is possible, but it turns out that at some point Gmail switched to only applying filters to incoming messages (makes sense, lots less overhead, no need to load EVERYONE’s email every hour). This makes deleting messages older than X impossible with simple filters, however. I did however learn of a search query term you can use to find messages/threads older than X, imaginatively called older_than:. So a search in Gmail for older_than:90d resulted in exactly the emails I wanted to find.

That’s when I started looking into Google Scripting. The language is pretty easy and straightforward if you have ever programmed in anything like Javascript or C++.

Using the API reference here: https://developers.google.com/apps-script/reference/gmail/ I was able to cobble together the following in about 20 minutes:

function DeleteOldEmail () {
	// Every thread whose newest message is more than 90 days old.
	var threads = GmailApp.search("older_than:90d");
	for (var i = 0; i < threads.length; i++) {
		var thread = threads[i];
		GmailApp.moveThreadToTrash(thread);
	}
}

Now, that script leaves a lot to be desired. It doesn’t have any case where a label like “save” or “keep” might come into play, it just hauls off and deletes everything old. But before we start improving, let’s show you how it looks when you’re actually doing it (I’ll comment out the “moveThreadToTrash” in the screenshots).

Go to https://script.google.com/ and you’ll be presented with a new project if you haven’t been here before:

Then, copy and paste the code in and save it. It’ll ask you to name the project. I just named it DeleteOldEmail. Feel free to name it anything you wish. It is what is going to show up in your Google Security “Approve Apps” list.

The first time I ran this I commented out the lines for deleting and added in a “Logger” line just so I knew what would be deleted:

function DeleteOldEmail () {
	var threads = GmailApp.search("older_than:90d");
	for (var i = 0; i < threads.length; i++) {
		var thread = threads[i];
		// Dry run: log the subject of each thread that would be trashed.
		Logger.log(thread.getFirstMessageSubject());
		//GmailApp.moveThreadToTrash(thread);
	}
}

Then run it. The first time you run it, it will ask for permissions:

If you try this out and decide you don’t like it you can revoke the permissions here: https://myaccount.google.com/permissions

If you went with the logging you’ll see something like this if you go to View->Logs:

Last step is to set this up so it automatically runs, I mean that’s the whole point. For that, we go to Edit->Current Project’s Triggers, and we are greeted with the following (once we click to add a new trigger):

I chose to set up mine to run every 12 hours, but you can set it to run once a day, once a week, whatever.

Again, this script leaves a lot to be desired. You can totally mess with the query search string any way you wish. I’ve created a Github repository where I’ll put improvements to the script: https://github.com/mubix/GScriptOldEmal

Have fun with it. The two improvements I’ll be adding are the label exclusion for “keep” and notifications (a list of email subjects deleted).
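The two improvements listed above, written out as an added example (not code from the post or its repository): the search query excludes the “keep” label, and the trashed subjects are returned so they can be logged or mailed. It assumes the label is literally named “keep” and a 90-day window, as in the post; the Gmail client is passed in as a parameter so the logic also runs offline against the constructed stand-in at the bottom.

```javascript
// Added example (not from the original post): the two improvements the author
// lists, a "keep" label exclusion and a summary of what was trashed. Assumes the
// label is named "keep" and the window is 90 days, as in the post.
var DAYS_OLD = 90, KEEP_LABEL = 'keep';
var PAGE_SIZE = 100; // GmailApp.moveThreadsToTrash takes at most 100 threads

// Gmail search: threads older than N days that do NOT carry the keep label.
function buildQuery(days, keepLabel) {
  return 'older_than:' + days + 'd -label:' + keepLabel;
}

// Trash matching threads page by page; return the subjects trashed so they can
// be logged or mailed. Trashed threads leave the search, so always refetch from 0.
function trashOldThreads(gmail, query, pageSize) {
  var trashed = [];
  for (var page = 0; page < 50; page++) { // hard cap keeps one run bounded
    var threads = gmail.search(query, 0, pageSize);
    if (threads.length === 0) break;
    for (var i = 0; i < threads.length; i++) trashed.push(threads[i].getFirstMessageSubject());
    gmail.moveThreadsToTrash(threads);
  }
  return trashed;
}

// Trigger entry point; GmailApp and Logger exist inside Apps Script.
function DeleteOldEmail() {
  var subjects = trashOldThreads(GmailApp, buildQuery(DAYS_OLD, KEEP_LABEL), PAGE_SIZE);
  Logger.log('Trashed ' + subjects.length + ' thread(s):\n' + subjects.join('\n'));
}

// Constructed stand-in for GmailApp so this file also runs outside Gmail. It
// understands only the two search operators buildQuery emits.
function makeThread(subject, ageDays, labels) {
  return { ageDays: ageDays, labels: labels,
           getFirstMessageSubject: function () { return subject; } };
}
function FakeGmailApp(threads) { this.threads = threads; }
FakeGmailApp.prototype.search = function (query, start, max) {
  var minAge = 0, excluded = [];
  query.split(/\s+/).forEach(function (tok) {
    var m;
    if ((m = /^older_than:(\d+)d$/.exec(tok))) minAge = Number(m[1]);
    else if ((m = /^-label:(\S+)$/.exec(tok))) excluded.push(m[1]);
  });
  return this.threads.filter(function (t) {
    return t.ageDays > minAge &&
      !t.labels.some(function (l) { return excluded.indexOf(l) !== -1; });
  }).slice(start, start + max);
};
FakeGmailApp.prototype.moveThreadsToTrash = function (threads) {
  var mailbox = this.threads;
  threads.forEach(function (t) { mailbox.splice(mailbox.indexOf(t), 1); });
};

// Offline demo over constructed mailbox data; page size 1 exercises the paging.
function runDemo() {
  var gmail = new FakeGmailApp([
    makeThread('Old newsletter', 120, []),
    makeThread('Tax receipt', 400, ['keep']), // kept: carries the keep label
    makeThread('Lunch next week', 5, []),     // kept: too recent
    makeThread('Expired invite', 91, ['social'])
  ]);
  var trashed = trashOldThreads(gmail, buildQuery(DAYS_OLD, KEEP_LABEL), 1);
  return { trashed: trashed,
           remaining: gmail.threads.map(function (t) { return t.getFirstMessageSubject(); }) };
}
```

In Apps Script only DeleteOldEmail is wired to the trigger; the stand-in is there so the paging and label logic can be checked before the script ever touches a real mailbox.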

Thanks for your time.

THE RISE OF FINANCIAL CYBER THREATS

Financial threats are still profitable for cyber criminals and, therefore, continue to be an enduring part of the threat landscape. From financial Trojans that attack online banking, to attacks against automated teller machines (ATMs) and fraudulent interbank transactions, there are many different attack vectors utilised by criminals.

As Symantec predicted in 2015, there was an increase in attacks against corporations and financial institutions during 2016. This was evident from a series of high-value heists targeting Society for Worldwide Interbank Financial Telecommunication (Swift) customers. While there is no evidence of any such high-value heists on Swift customers this year, the 2016 attacks saw several such institutions lose millions of dollars to cyber criminals and nation state-supported attackers such as the Lazarus group.


On average, 38 per cent of the financial threats we detected in 2016 were found in large business locations. Most of these infection attempts were not targeted attacks but were instead due to widespread email campaigns. Although we have seen a 36 per cent decrease in detection numbers for financial malware in 2016, this is mainly due to earlier detection in the attack chain and more focused attacks.


With more than 1.2 million annual detections, the financial threat space is still 2.5 times bigger than that of Ransomware. The financial Trojan threat landscape is dominated by three malware families: Ramnit, Bebloh (Trojan.Bebloh), and Zeus (Trojan.Zbot). These three families were responsible for 86 per cent of all financial Trojan attack activities in 2016. However, due to arrests, takedowns, and regrouping, we have seen a lot of fluctuations over the last year. Globally, financial institutions in the US were targeted the most going by the samples analysed by Symantec, followed by Poland and Japan.



Infection vectors for financial Trojans haven't changed much in the past year and are still identical to other common Trojans. Distribution mainly relies on spam email with malicious droppers attached and web exploit toolkits. The use of scam emails was the most prevalent method of distribution for financial Trojans in 2016.

The already well-known Office document attachment with malicious macros continued to be widely used. However, Microsoft Visual Basic Scripting (VBS) and JavaScript (JS) files in various attachment forms have also been used in massive spam runs to distribute malware.

We have also seen Office documents without macros, and instead with embedded OLE objects and instructions for the user to double-click the payload. The Necurs botnet (Backdoor.Necurs), which sent out more than 1.8 million JS downloaders in one day alone in November 2016, highlights the magnitude of some of these campaigns.

Phishing emails, where the victim is lured to fake websites that trick them into revealing their account details, decreased to just one in 9,138 emails in March 2017. In 2016, the average number of phishing emails was slightly higher than one in 3,000 emails. Simple phishing no longer works against most banks and financial institutions, as they rarely rely on static passwords alone. But phishing attacks can still be successful in stealing online retail account credentials and credit card details.

-------------------
Equifax has revealed 2.5 million more Americans than previously thought may have had information compromised in a huge cyber security breach at the firm.
The credit report giant said about 145.5 million of its US customers might have been affected, up from a previous estimate of 143 million.
---------------------

ATM and point of sales (POS) attacks continued to increase in 2016. ATM malware has been around for 10 years but is still effective. With the increase of targeted attacks aimed at banks, we also saw an increase in attacks against ATMs from within the financial network. Since the adoption of Chip & PIN has begun to spread outside of Europe, we have seen a decrease of classic memory scraping threats, as they are no longer efficient for the attackers.

There are various degrees of sophistication seen in the wild when it comes to ATM attacks. For some attacks, the criminals need physical access to the ATM computer and they get this by opening the cover with a stolen key or picking the lock.

Once they have access to a USB port or the CD-ROM, they can install malware and attach a keyboard to issue commands (the Ploutus malware uses this attack vector).

Similar attacks have been reported in hotels where attackers used the often exposed USB ports on the backside of the check-in computers to install malware.

In retail stores the attackers added their sniffer to an exposed network port inside the shop. This allows them to compromise any attached POS device and scrape the memory for payment card information.

With physical access to the ATM, another attack vector is possible. As reported in April 2017, some attackers discovered they could drill a hole into the ATM casing in order to access the internal bus system. Once access is obtained, a cheap microcomputer is all that is needed to send commands to the bus in order to make the ATM dispense its cash.

We have also seen trends in financial malware attempting to hide configuration files from researchers as well as the move to redirect attacks or even manually log into the system to issue large transactions if interesting financial software is detected.

Mobile threats on Android mainly focus on form overlay attacks or fake online banking apps. We have seen more than 170 mobile apps targeted by mobile malware. Mobile threats are still relevant as many financial institutions have deployed two-factor authentication through mobile phone applications.

As it has become more difficult to conduct such attacks on the latest Android OS, we have seen attackers reverting to social engineering attacks, where they trick victims into authorising fraudulent transactions. The end-user still remains the weakest link in the chain during an online transaction, which means even the strongest technologies are susceptible to social engineering attacks.

When a cyberattacker successfully compromises an internal network, he can steal any credentials that will help maximise his profits. This could mean stealing online banking credentials, sensitive personal data or other passwords. It is common for financial threats to steal any other account information that they can find on a compromised computer.

Once compromised, cyberattackers can use any stolen information to spread their malware further, or even sell it on underground forums. Credit card details are still the most sold digital goods on the underground forums, while bank account access information is priced according to the account balance.

For example, an account with US$1,000 in it can be sold for US$10. An account with a greater balance will be on sale for a larger sum.

The attacks are not only targeting the banks' customers. We have seen several attacks against the financial institutions themselves, with attackers attempting to transfer large sums in fraudulent inter-bank transactions. Financial institutions are confronted with attacks on multiple fronts. The main two types are attacks against their customers and attacks against their own infrastructure.

In the event of a cyber breach, companies' losses extend far beyond just monetary value. Their reputation and customers' trust - areas that take time and effort to develop - will also be damaged. We expect financial threats to remain a problem for end-users in the future, but attackers will likely increase their focus on corporate finance departments and using social engineering against them. Prevention is by far the best outcome, so it pays to pay attention to how cyber breaches can be avoided. Emails and infected websites are the most common infection vectors for malware. Adopting a robust defence against both these infection vectors will help reduce the risk of infection.


Penetration Testing vs. Vulnerability Scanning

Frequently, new or existing clients will come to us requesting a penetration test. Usually, one of the first things we tell them is that they do not need a penetration test done…yet. Within IT, and within InfoSec specifically, there is a disconnect between terms used by industry professionals, their clients, and the media/public. Two of the most confusing terms are:

  • Penetration Testing
  • Vulnerability Scanning

Most clients will seek out security consulting services to have a ‘pen test’ performed, without knowing what a penetration test entails. Too often they picture a scene from Mr. Robot, or Hackers – someone in a darkened room, in front of a console, furiously typing away to hack into servers.

Most of our clients are organizations that have not worked with a security consulting firm before, but are used to working with managed service providers, so they expect to be sold hardware or software solutions. Because COMPASS is vendor agnostic, we evaluate what our clients’ needs are, and then offer a series of services that we think will help our clients achieve their goals.

As previously mentioned, we almost always have the conversation about Penetration Testing. Whenever we discuss this with our clients we try to help them understand the difference between a penetration test and a vulnerability scan. So, let us get into defining the two:

Penetration Test

A Penetration Test has a specific goal: to exploit weaknesses and gain access to data within your network, to achieve administrator privileges or possibly alter financial data. A Penetration Test should not be performed as a start to your information security program. It should be something performed when you have a security configuration in place that needs to be tested, for example once you have established a patch management process, hardened network devices and essentially closed any known gaps within your network architecture.

A Penetration Test should only be performed once vulnerability assessments have been executed and all remediations implemented, since they can be expensive and should be employed when you want to test security that is already assumed to be in place and adequate.

Vulnerability Scan/Assessment

A Vulnerability Scan or Assessment, whichever flavor you prefer, should be an organization’s first step in building a strong security stance. Vulnerability scans are technical assessments that are designed to discover as many vulnerabilities as possible within a target network. Vulnerability scan reports include severity ratings for the discovered vulnerabilities and remediation/mitigation instructions, and allow for prioritization of vulnerability remediation.

A Vulnerability Scan/Assessment should be performed at the start of your security journey. It will help you to generate a prioritized list of things wrong with the network, from OS patches and third-party vulnerabilities to open ports and services running on perimeter devices. The goal of a vulnerability scan should always be to fix as many findings as possible.

For more information on how to get started with your security assessment, download our Cyber Security Assessment Checklist or CONTACT US for a deeper discussion.