Category Archives: Incident Response

4 tried-and-true prevention strategies for enterprise-level security

Why is it that dentists advise people over and over to floss, yet so few do it? It only takes a minute of your time, yet if you’re running late or feeling tired, you may be tempted to skip it. That is until you remember your upcoming teeth cleaning appointment. There is nothing like the memory of a long and painful visit to the dentist to motivate good dental hygiene. Smart habits today can save you time and money later.

Good habits are also important in cybersecurity. It is typically much cheaper to prevent an attack than to respond to one already in motion. A great example is the WannaCry ransomware attack. Attackers exploited a vulnerability, which resulted in as much as $4 billion worth of damage around the world. The vulnerability had been patched in a security update released by Microsoft one month prior to the attack, so organizations who had installed the latest updates were spared.

Sometimes cyber hygiene advice is ignored because it’s not the new, shiny whiz-bang solution du jour. It’s easier to get attention for a sparkly light-up electric toothbrush than for a plain old piece of dental floss, but that “plain old” floss is key to keeping your choppers cavity free.

With this in mind, we broke out the four best practices of cyber hygiene outlined in the 24th edition of the Microsoft Security Intelligence Report (SIR), to help reduce your risk of attack:

  1. Practice good security hygiene.
  2. Implement access tiers among employees.
  3. Always back up important data.
  4. Teach employees how to spot and report suspicious activity.

Practice good security hygiene

Good security hygiene includes routine policies and procedures to maintain and protect your IT systems and devices:

  • Use only trusted software—If you can’t validate the credibility of the vendor or supplier, don’t use it. Avoid free software from an unknown source.
  • Deploy software updates—Keep your software and operating systems up to date. Vendors regularly release security updates to their applications, and the only way you can take advantage of this is if you deploy the updates. You should also be sure to apply the security configuration baselines provided by your software vendors.
  • Protect email and browsers—Attackers frequently conduct social engineering attacks through email and browsers, so it’s important to deploy security updates as soon as they are available. And deploy advanced threat protection capabilities for your email, browser, and email gateway to help safeguard your organization from modern phishing variants.

Implement access tiers among employees

The principle of least privilege should guide your access control policies. Malicious actors want to take control of the most privileged accounts in your organization, so the fewer people that have them the better. You also should be mindful that even though your company may have a “trusted software only” mandate, employees may unwittingly download unsafe software that can spread “malcode” throughout your organization.

  • Give system access on a need-to-know basis—Set up role-based access to easily onboard users to the systems they need to do their jobs and nothing more. Keep administrative accounts separate from information worker accounts, so that users only sign in to administrative accounts when they need them. Set up just-in-time privileges that give users with administrative accounts access to systems only when they need them and for a limited time.
  • Don’t allow users to download applications from anywhere but an app store—Deploy strong code integrity policies, including restricting the applications that users can run with whitelisting. If possible, adopt a security solution to restrict the code that runs in the system core (kernel) and can block unsigned scripts and other forms of untrusted code.

Always back up important data

Your organization’s data is often its most valuable asset. If you suffer a security breach or a ransomware attack, a good backup process can save you if your data is destroyed or removed.

  • Back up data online—Use cloud storage services for automatic backup of data online.
  • Use the 3-2-1 method for your most important data—For on-premises data, keep three backups of your data, on two different storage types, and at least one backup offsite.

Teach employees how to spot and report suspicious activity

Your employees are a constant target of attackers, and many are tricked into downloading malicious software or sharing their credentials. They can also be your first line of defense. A strong cybersecurity education program can turn employees from targets to first responders.

  • Recognize social engineering and spear-phishing attacks—Attackers continuously update the methods they use to gain employee trust and access. Provide context about how these attacks work, including the latest techniques and relevant examples.
  • Use your web browser safely—Educate employees about the dangers of unsafe websites, such as cryptocurrency mining. Ensure they keep their browsers up to date with the latest security features and solutions that provide warnings about unsafe sites.
  • Identify suspicious file types—Teach employees to look for suspicious files if a computer is running exceptionally slowly, and encourage them to submit a sample to the operating system vendor.
  • Engage IT if you’re not sure about something—Make sure that employees know how to report suspicious communications or get advice from IT on what to do about it.

Learn more

There’s probably nothing that surprised you on this list, but can you confirm with 100 percent certainty that your company is practicing and enforcing all of these cyber hygiene recommendations? Instituting security preventative practices may not be as easy as flossing your teeth, but there are resources that can help.

For more details about these and other security recommendations:

The post 4 tried-and-true prevention strategies for enterprise-level security appeared first on Microsoft Security.

Security roundup: March 2019

We round up interesting research and reporting about security and privacy from around the web. This month: ransomware repercussions, reporting cybercrime, vulnerability volume, everyone’s noticing privacy, and feeling GDPR’s impact.

Ransom vs ruin

Hypothetical question: how long would your business hold out before paying to make a ransomware infection go away? For Apex Human Capital Management, a US payroll software company with hundreds of customers, it was less than three days. Apex confirmed the incident, but didn’t say how much it paid or reveal which strain of ransomware was involved.

Interestingly, the story suggests that the decision to pay was a consensus between the company and two external security firms. This could be because the ransomware also encrypted data at Apex’s newly minted external disaster recovery site. Most security experts strongly advise against paying extortionists to remove ransomware. With that in mind, here’s our guide to preventing ransomware. We also recommend visiting, which has information about infections and free decryption tools.

Bonus extra salutary security lesson: while we’re on the subject of backup failure, a “catastrophic” attack wiped the primary and backup systems of the secure email provider VFE Systems. Effectively, the lack of backup put the company out of business. As Brian Honan noted in the SANS newsletter, this case shows the impact of badly designed disaster recovery procedures.

Ready to report

If you’ve had a genuine security incident – neat segue alert! – you’ll probably need to report it to someone. That entity might be your local CERT (computer emergency response team), a regulator, or even law enforcement. (It’s called cybercrime for a reason, after all.) Security researcher Bart Blaze has developed a template for reporting a cybercrime incident which you might find useful. It’s free to download at Peerlyst (sign-in required).

By definition, a security incident will involve someone deliberately or accidentally taking advantage of a gap in an organisation’s defences. Help Net Security recently carried an op-ed arguing that it’s worth accepting that your network will be infiltrated or compromised. The key to recovering faster involves a shift in mindset and strategy from focusing on prevention to resilience. You can read the piece here. At BH Consulting, we’re big believers in the concept of resilience in security. We’ve blogged about it several times over the past year, including posts like this.

In incident response and in many aspects of security, communication will play a key role. So another helpful resource is this primer on communicating security subjects with non-experts, courtesy of SANS’ Lenny Zeltser. It takes a “plain English” approach to the subject and includes other links to help security professionals improve their messaging. Similarly, this post from Raconteur looks at language as the key to improving collaboration between a CISO and the board.

Old flaws in not-so-new bottles

More than 80 per cent of enterprise IT systems have at least one flaw listed on the Common Vulnerabilities and Exposures (CVE) list. One in five systems has more than ten such unpatched vulnerabilities. Those are some of the headline findings in the 2019 Vulnerability Statistics Report from Irish security company Edgescan.

Edgescan concluded that the average window of exposure for critical web application vulnerabilities is 69 days. Per the report, an average enterprise takes around 69 days to patch a critical vulnerability in its applications and 65 days to patch the same in its infrastructure layers. High-risk and medium-risk vulnerabilities in enterprise applications take up to 83 days and 74 days respectively to patch.

SC Magazine’s take was that many of the problems in the report come from companies lacking full visibility of all their IT assets. The full Edgescan report has even more data and conclusions and is free to download here.

From a shrug to a shun

Privacy practitioners take note: consumer attitudes to security breaches appear to be shifting at last. PCI Pal, a payment security company, found that 62 per cent of Americans and 44 per cent of Britons claim they will stop spending with a brand for several months following a hack or breach. The reputational hit from a security incident could be greater than the cost of repair. In a related story, security journalist Zack Whittaker has taken issue with the hollow promise of websites everywhere. You know the one: “We take your privacy seriously.”

If you notice this notice…

Notifications of data breaches have increased since GDPR came into force. The European Commission has revealed that companies made more than 41,000 data breach notifications in the six-month period since May 25. Individuals or organisations made more than 95,000 complaints, mostly relating to telemarketing, promotional emails and video surveillance. Help Net Security has a good writeup of the findings here.

It was a similar story in Ireland, where the Data Protection Commission saw a 70 per cent increase in reported valid data security breaches, and a 56 per cent increase in public complaints compared to 2017. The summary data is here and the full 104-page report is free to download.

Meanwhile, Brave, the privacy-focused browser developer, argues that GDPR doesn’t make doing business harder for a small company. “In fact, if purpose limitation is enforced, GDPR levels the playing field versus large digital players,” said chief policy officer Johnny Ryan.

Interesting footnote: a US insurance company, Coalition, has begun offering GDPR-specific coverage. Dark Reading quotes a lawyer who said insurance might be effective for risk transference but it’s untested. Much will depend on the policy’s wording, the lawyer said.

Things we liked

Lisa Forte’s excellent post draws parallels between online radicalisation and cybercrime. MORE

Want to do some malware analysis? Here’s how to set up a Windows VM for it. MORE

You give apps personal information. Then they tell Facebook (PAYWALL). MORE

Ever wondered how cybercriminals turn their digital gains into cold, hard cash? MORE

This 190-second video explains cybercrime to a layperson without using computers. MORE

Blaming the user for security failings is a dereliction of responsibility, argues Ira Winkler. MORE

Tips for improving cyber risk management. MORE

Here’s what happens when you set up an IoT camera as a honeypot. MORE

The post Security roundup: March 2019 appeared first on BH Consulting.

Games people play: testing cybersecurity plans with table-top exercises

If a picture is worth a thousand words, and video is worth many multiples more, what value is an interactive experience that plants you firmly in the hot seat during a major security incident? Reading about cyberattacks or data breaches is useful, but it can’t replicate the visceral feeling of a table-top exercise. Variously called war-gaming scenarios or simulated attacks, they can be a valuable way of helping boards and senior managers understand the full implications of cyber threats. More importantly, they can shed light on gaps where the business can improve its incident response procedure.

These exercises are designed to be immersive. They might start with a scenario like a board meeting, or a company orientation day. All participants will get a role to play; for the purpose of the session, they might be designated as a head of HR, finance, legal, or IT. As the scenario starts to unfold, a message arrives. The press has been enquiring about a major data breach or a ransomware attack on the company.

Muscles tighten, a wave of nausea passes over the stomach. The fight-or-flight instinct starts to take hold. Your role might say manager, but you don’t feel like you’re in control.

What happens next?

That will depend on how much preparation your business has done for a possible cybersecurity threat. Some companies won’t have anything approaching a plan, so the reaction looks and feels like panic stations. At various points during this exercise, the facilitator might introduce new alerts or information for the group to react to. For example, that could be negative commentary on social media, or a fall in the company stock price.

The exercise should prompt plenty of questions for the participants. What exactly is going on? How do we find out what’s happened? How is this affecting operations? Who’s taking charge? What do we tell staff, or the public, or the media?

A growing sense of helplessness can be a powerful spur to make rapid changes to the current cybersecurity incident response plan (assuming there is one).

Other organisations may already have a series of steps for what to do in the event of an incident or breach. In these cases, the table-top exercise is about testing the viability of those plans. You can be prepared, but do the steps on paper work in practice? Or as Mike Tyson memorably put it, “everybody has a plan until they get punched in the mouth”.

The exercise can show the value of having a playbook that documents all procedures to carry out: “if X happens, then do Y”. This will also shed light on missing steps, such as contact numbers for key company executives, an external security consultant, regulators, law enforcement, or media.

Fail to prepare, prepare to fail

When it comes to developing or refining an incident response plan, the devil is in the detail, says David Prendergast, senior cybersecurity consultant at BH Consulting. Here are some useful questions to ask:

  • If your policy says: ‘contact the regulator’, ask which one(s)
  • Who is the specific point of contact at the regulator’s office?
  • Does the organisation have the email address or phone numbers for that person?
  • Who in your company or agency is authorised to talk to the regulator?
  • What information are they likely to need to have that conversation?
  • Do you have pre-prepared scripts or statements for when things might go wrong (for customers, stakeholders, staff, and media, including social media channels)?

It might also force the company into making certain decisions about resources. Are there enough internal staff to carry out an investigation? Is that the most appropriate use for those employees, or is it better to focus their efforts on recovering IT systems?

That’s the value in table-top exercises: they afford the time to practice when it’s calm and you can absorb the lessons. There are plenty of examples of companies that handled similar situations spectacularly badly in full public view. (We won’t name names, but the list includes anyone who uttered the words “sophisticated attack” before an investigation even started.)

By the (play)book

It’s more helpful to learn from positive examples of companies that showed leadership in the face of a serious incident. That can be as simple as a statement of business priorities while an organisation copes with the fallout. In 2017, as Maersk reeled from a ransomware infection, CEO Soren Skou gave frontline staff in 130 countries clear instructions. As the Financial Times reported, the message was unequivocal even as the company was forced into shutting down IT systems. “Do what you think is right to serve the customer – don’t wait for the HQ, we’ll accept the cost.”

Some larger companies will run an exercise just for themselves, but some organisations run joint war-gaming scenarios with industry peers. Earlier this month, financial institutions and trade associations from around Europe carried out a simulated ransomware attack.

According to FinExtra, the scenario took the form of an on-site technical and hands-on-keyboard experience. There were 14 participants at CISO and CIO level, along with many more observers from other companies in the financial sector. The aim of the event was to encourage collaboration and information sharing with other teams and organisations to improve collective defences against cyber threats.

Whether it’s a war-gaming exercise or a table-top event, the goal is the same: to be ready for the worst ahead of time, and knowing what steps are available to you when bad things happen for real.

The post Games people play: testing cybersecurity plans with table-top exercises appeared first on BH Consulting.

AWS Cloud: Proactive Security and Forensic Readiness – part 5

Part 5: Incident Response in AWS

In the event your organisation suffers a data breach or a security incident, it’s crucial to be prepared and conduct timely investigations. Preparation involves having a plan or playbook at hand, along with pre-provisioned tools to effectively respond to and mitigate the potential impact of security incidents. These response measures are more effective when regularly tested, such as by running incident response simulation exercises.

This post relates to incident response in the AWS Cloud. It’s the last in a five-part series that provides a checklist for proactive security and forensic readiness in the AWS Cloud environment.

Incident Response

NIST defines a security incident as “an occurrence that actually or potentially jeopardises the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies”. The figure below outlines the typical phases of an incident response lifecycle.

Figure 1: Incident response life cycle. [Source: Computer Security Incident Handling Guide]

Incident Response in AWS Cloud

Incident response in the cloud is not very different from incident response in a traditional on-premises environment. In fact, there are several tools in the AWS cloud environment you can use to help the incident response process, such as AWS CloudTrail, Amazon CloudWatch, AWS Config, AWS CloudFormation, AWS Step Functions, etc. These tools enable you to track, monitor, analyse, and audit events.

Audit logs are treasure troves and are indispensable during investigations. AWS provides detailed audit logs that record important events such as file access and modification. Events can be automatically processed and trigger tools that automate responses through the use of AWS APIs. You can pre-provision tooling and a “clean room” which allows you to carry out forensics in a safe, isolated environment.

Figure 2: EC2 Auto Clean Room Forensics using Lambda, Step Functions, CloudFormation and an SNS topic. [Source: Automating Incident Response and Forensics in AWS – AWS Summit Sydney 2018]

The following list provides guidance on having an appropriate incident response strategy in place, estimating the impact of incidents in the AWS environment, the AWS tools to prepare in advance for incident handling, responding to AWS abuse warnings, containing a compromised EC2 instance, and wiping sensitive information after the investigation.

The checklist provides best practice for the following:
  1. How will you ensure that you have an appropriate incident response strategy in place?
  2. What AWS tools should you use to prepare in advance for incident handling?
  3. How will you respond to AWS abuse warnings?
  4. How will you isolate and restrict user access to a compromised Amazon EC2 instance?
  5. How will you ensure sensitive information is wiped post investigation?

Best-practice checklist

1. How will you ensure you have an appropriate incident response strategy in place?

  • Make sure the security team has the right tools pre-deployed into AWS so that the incident can be responded to in a timely manner.
  • Pre-provision a ‘clean room’ for automated incident handling.
  • Have a list of relevant contacts that may need to be notified. Decide on the medium of communication. If the compromised account contains personal data, you may be required to contact the Data Protection Commission (DPC) within 72 hours to comply with GDPR.
  • Conduct incident response simulations regularly, in both the non-production and the production environments. Incorporate lessons learned into the architecture and operations.


2. What AWS tools should you use to prepare in advance for incident handling?

  • Tags in AWS allow you to proactively label resources with a data classification or a criticality attribute, so you can quickly estimate the impact when an incident occurs.
  • AWS Organizations allows you to create separate accounts along business lines or mission areas, which also limits the “blast radius” should a breach occur; for governance, you can apply policies to each of those sub-accounts from the AWS master account.
  • IAM grants appropriate authorisation to incident response teams in advance.
  • Security groups enable isolation of Amazon EC2 instances.
  • AWS CloudFormation automates the creation of trusted environments for conducting deeper investigations.
  • AWS CloudTrail provides a history of AWS API calls that can assist in response and trigger automated detection and response systems.
  • VPC Flow Logs enable you to capture information about the IP traffic going to and from network interfaces in your VPC.
  • AWS Key Management Service (KMS) encrypts sensitive data at rest, including logs aggregated and stored centrally.
  • Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorised behaviour.
  • Amazon CloudWatch Events triggers different automated actions from changes in AWS resources, including CloudTrail events.
  • Amazon S3 stores snapshots and related incident artefacts.
  • AWS Step Functions coordinates a sequence of steps to automate an incident response process.
  • APIs automate many of the routine tasks that need to be performed during incident handling.


3. How will you respond to AWS abuse warnings?

  • Set up a dedicated security communication email address.
  • Do not ignore abuse warnings. Take action to stop the malicious activities and prevent their recurrence.
  • Open a case number with AWS Support for cross-validation.


4. How will you isolate and restrict user access to a compromised Amazon EC2 instance?

  • When containing the instance manually, use IAM to restrict access permissions to the compromised Amazon EC2 instance.
  • Isolate the instance using restrictive ingress and egress security group rules, or remove it from a load balancer.
  • Tag the instance as appropriate to indicate isolation.
  • Create snapshots of EBS volumes.
  • Notify relevant contacts.
  • Use CloudFormation to quickly create a new, trusted environment in which to conduct deeper investigation.
  • You can automate the above steps using Lambda, Step Functions, CloudFormation and an SNS topic to prepare an EC2 auto clean room for containing the instance.
  • You could also use the aws-security-automation code on GitHub, a collection of scripts and resources for DevSecOps, security automation and automated incident response remediation.
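The manual containment steps above (isolate with security group rules, tag, snapshot) as one script. This is an added example, not BH Consulting’s code and not the aws-security-automation project; the method names and keyword arguments follow the boto3 EC2 client API, so the constructed in-memory `FakeEC2` stand-in (included so the script runs offline) can be swapped for `boto3.client("ec2")` with suitable IAM permissions. The instance ID, VPC ID, volume IDs and case number are constructed sample values.

```python
"""Contain a compromised EC2 instance: quarantine security group, tags, EBS snapshots.

Added example, not BH Consulting's code or an AWS-provided script. Call names and
keyword arguments mirror the boto3 EC2 client, so FakeEC2 (a constructed stand-in
used to run offline) can be replaced by boto3.client("ec2").
"""
from __future__ import annotations

import itertools
from dataclasses import dataclass, field


@dataclass
class FakeEC2:
    """Constructed stand-in for the boto3 EC2 client; answers the calls the
    containment routine makes and records every mutating call for inspection."""
    instances: dict                                  # instance id -> {"VpcId", "VolumeIds"}
    calls: list = field(default_factory=list)
    groups: dict = field(default_factory=dict)       # sg id -> egress permissions
    _ids: itertools.count = field(default_factory=itertools.count)

    def describe_instances(self, InstanceIds):
        inst = [{"InstanceId": i, "VpcId": self.instances[i]["VpcId"],
                 "BlockDeviceMappings": [{"DeviceName": f"/dev/sd{chr(97 + n)}",
                                          "Ebs": {"VolumeId": v}}
                                         for n, v in enumerate(self.instances[i]["VolumeIds"])]}
                for i in InstanceIds]
        return {"Reservations": [{"Instances": inst}]}

    def create_security_group(self, GroupName, Description, VpcId):
        gid = f"sg-quarantine{next(self._ids)}"
        # Like AWS: a new VPC security group has no ingress rules but one allow-all egress rule.
        self.groups[gid] = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]
        self.calls.append(("create_security_group", gid))
        return {"GroupId": gid}

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [{"GroupId": g, "IpPermissions": [],
                                    "IpPermissionsEgress": self.groups[g]} for g in GroupIds]}

    def revoke_security_group_egress(self, GroupId, IpPermissions):
        self.groups[GroupId] = [p for p in self.groups[GroupId] if p not in IpPermissions]
        self.calls.append(("revoke_security_group_egress", GroupId))

    def modify_instance_attribute(self, InstanceId, Groups):
        self.calls.append(("modify_instance_attribute", InstanceId, tuple(Groups)))

    def create_tags(self, Resources, Tags):
        self.calls.append(("create_tags", tuple(Resources), tuple(t["Key"] for t in Tags)))

    def create_snapshot(self, VolumeId, Description):
        sid = f"snap-{next(self._ids)}"
        self.calls.append(("create_snapshot", VolumeId, sid))
        return {"SnapshotId": sid}


def contain_instance(ec2, instance_id: str, case_id: str) -> dict:
    """Isolate instance_id and preserve its volumes; returns a summary of the actions.

    The instance is cut off from the network before evidence is snapshotted, and it is
    not stopped: stopping discards volatile memory and any instance-store data."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    volume_ids = [m["Ebs"]["VolumeId"] for m in inst["BlockDeviceMappings"] if "Ebs" in m]

    # 1. Fresh security group with no rules at all. AWS creates it without ingress rules
    #    but with a default allow-all egress rule, which must be revoked explicitly or the
    #    instance can still reach out to the attacker.
    sg_id = ec2.create_security_group(GroupName=f"quarantine-{case_id}",
                                      Description=f"Incident {case_id}: isolate {instance_id}",
                                      VpcId=inst["VpcId"])["GroupId"]
    egress = ec2.describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]["IpPermissionsEgress"]
    if egress:
        ec2.revoke_security_group_egress(GroupId=sg_id, IpPermissions=egress)

    # 2. Replace all of the instance's security groups with the quarantine group.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg_id])

    # 3. Tag it so nobody "repairs" it and the case is discoverable later.
    ec2.create_tags(Resources=[instance_id], Tags=[{"Key": "Status", "Value": "Quarantined"},
                                                   {"Key": "IncidentCase", "Value": case_id}])

    # 4. Snapshot every attached EBS volume for analysis in the clean room.
    snapshots = {v: ec2.create_snapshot(VolumeId=v, Description=f"Incident {case_id} evidence: {v}")["SnapshotId"]
                 for v in volume_ids}
    left = ec2.describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]["IpPermissionsEgress"]
    return {"instance_id": instance_id, "quarantine_sg": sg_id,
            "snapshots": snapshots, "egress_rules_left": len(left)}


if __name__ == "__main__":
    # Constructed sample account: one instance with a root and a data volume.
    fake = FakeEC2(instances={"i-0123456789abcdef0": {"VpcId": "vpc-0abc", "VolumeIds": ["vol-root", "vol-data"]}})
    print(contain_instance(fake, "i-0123456789abcdef0", "IR-2019-017"))
```

The egress revocation is the step most often missed: a security group with no rules still lets the instance talk outbound, so isolation is incomplete until that default rule is gone. The IAM step from the list is not scripted here because the permissions to revoke depend on how the account’s roles are laid out; the notification step belongs in the Step Functions or SNS wiring rather than in this routine.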


5. How will you ensure sensitive information is wiped post investigation?

  • Securely wipe files and delete any KMS data keys, if used.


For more details, refer to the following AWS resources:

Go back to the introduction AWS Cloud: Proactive Security & Forensic Readiness five-part best practice
Read Part 1 – Identity and Access management in AWS: best-practice checklist
Read Part 2 – Infrastructure level protection in AWS: best-practice checklist
Read Part 3 – Data protection in AWS: best-practice checklist
Read Part 4 – Detective Controls in AWS: best-practice checklist

Let us know in the comments below if we have missed anything in our checklist!

DISCLAIMER: Please be mindful that this is not an exhaustive list. Given the pace of innovation and development within AWS, there may be features being rolled out as these blogs were being written. Also, please note that this checklist is for guidance purposes only. For more information, or to request an in-depth security review of your cloud environment, please contact us.

Neha Thethi is a senior information security analyst at BH Consulting. She is an AWS Certified Solutions Architect – Associate and holder of the SANS GIAC Certified Incident Handler (GCIH). Neha has published papers, spoken at conferences, written blogs and delivered webinars about challenges of conducting forensics in the cloud environment. She has helped clients develop incident response plans and conducted several digital forensic investigations for cloud environments including AWS and Microsoft Azure.

Editor: Gordon Smith

The post AWS Cloud: Proactive Security and Forensic Readiness – part 5 appeared first on BH Consulting.