Categories
Compliance|Computer & Network Security|Uncategorized

New York DFS – 23 NYCRR 500 Compliance

Checklist for Compliance

In response to the increasing threats of cybercriminal activity and as an effort to protect Non-Public Information (NPI)
held by entities under its jurisdiction, the New York State Department of Financial Services (DFS) implemented a cybersecurity
regulation, 23 NYCRR 500. It has twenty-three Sections and went into effect on March 1, 2017. There are
designated “Transition Periods,” but the last one expires on March 1, 2019. A few key things to consider when looking
at this Regulation:

  • It applies to Covered Entities, which include those operating under NY Banking Law, Insurance Law, or Financial
    Services Law – see next page.
  • It is specifically about protecting Non-Public Information; social security numbers, drivers’ license numbers,
    financial accounts, biometric records, health record, and other personal information.
  • Third Parties that provide services to Covered Entities will indirectly be pulled into some type of compliance.
    See Section 500.11.

The Good News

Some may not agree that any of the regulation is good, but the requirements align with many security best practices.
For the most part, DFS is not asking for many things out of the ordinary (besides reporting and retention), and if you
comply, you will be implementing layers of protection for your company.

What to Do

  1. Check the Exemptions – see next page.
  2. Assess Your Risk. This supports other requirements and your decisions for prioritizing other efforts.
    1. Perform a Risk Assessment.
    2. Perform Vulnerability Assessments.
    3. Perform a Penetration Test.
  3. Establish a Security Program prioritized by risk. This will require effort and time. NIST has many available resources to assist.
    1. Establish a Chief Information Security Officer(CISO). Can be internal or external staff.
    2. Implement Policies to cover required areas -see page 3.
    3. Ensure you have qualified staff. Disciplines of Security are different than IT. You may need to hire or train.
  4. Develop an Incident Response Plan that includes notices to Superintendent. Requires 72-hour notice. There is additional guidance on the FAQ page.
  5. Ensure that your security program addresses the following requirements (prioritized by risk):
    1. Multi-Factor Authentication
    2. Encryption of NPI
    3. Security Auditing. This typically requires a new system or Managed Security Service.
    4. Review of access privileges to NPI
  6. Develop Vendor and Third Party Risk Management Program. You will need to rank your vendors and ensure that you perform due diligence on those with higher risks.
  7. Develop a Data Retention Policy and Process. The Superintendent requires 5 years of records for compliance. Be familiar with other required retention periods for different types of data.
  8. Annual Certification. Submit by each February 15th a written statement covering the prior calendar year.

Covered Entities

The Department of Financial Services supervises many different types of institutions. Supervision by DFS may entail chartering, licensing, registration requirements, examination, etc. More details are available on their website:

  • All insurance companies
  • Banks Trust Companies
  • Budget Planners
  • Charitable Foundations
  • Check Cashers
  • Consumer Credit Reporting Agencies
  • Credit Unions
  • Domestic Representative Offices
  • Foreign Agencies
  • Foreign Bank Branches
  • Foreign Representative Offices
  • Holding Companies
  • Investment Companies (Article XII)
  • Licensed Lenders
  • Life Insurance Companies
  • Money Transmitters
  • Mortgage Bankers
  • Mortgage Bankers-Exempt
  • Mortgage Brokers
  • Mortgage Brokers – Inactive
  • Mortgage Loan Originators
  • Safe Deposit Companies
  • Sales Finance Companies
  • Savings Banks; Savings & Loan Associations (S&L)
  • Service Contract Providers

Exemptions

[fusion_table]

Exemption Exempt From Still Required
500.19 (a) (1) Fewer than 10
employees working in NYS


500.19 (a) (2) Less than $5
million in gross annual revenue


500.19 (a) (3) Less than $10
million in year-end total assets


500.19 (c) Does not control any
information systems and
nonpublic information


500.19 (d) Captive insurance
companies that do not control
nonpublic information other
than information relating to its
corporate parent company

500.04- Chief Information Security Officer

500.05- Penetration Testing and Vulnerability

500.06- Audit Trail

500.08- Application Security

500.10- Cybersecurity Personnel and Intelligence

500.12- Multi-Factor Authentication

500.14- Training and Monitoring

500.15- Encryption of Nonpublic Information

500.16- Incident Response Plan

500.02- Cybersecurity Program

500.03- Cybersecurity Policy

500.04- Chief Information Security Officer

500.05- Penetration Testing and Vulnerability

500.06- Audit Trail

500.07- Access Privileges

500.08- Application Security

500.10- Cybersecurity Personnel and Intelligence

500.12- Multi-Factor Authentication

500.14- Training and Monitoring

500.15- Encryption of Nonpublic Information

500.16- Incident Response Plan

500.02- Cybersecurity Program

500.03- Cybersecurity Policy

500.07- Access Privileges

500.09- Risk Assessment

500.11- Third Party Provider Security Policy

500.13- Limitations on Data Retention

500.17- Notices to Superintendent

500.18- Confidentiality

500.19- Exemptions

500.20- Enforcement

500.21- Effective Date

500.22- Transitional Periods

500.23- Severability

500.09- Risk Assessment

500.11- Third Party Provider Security Policy

500.13- Limitations on Data Retention

500.17- Notices to Superintendent

500.18- Confidentiality

500.19- Exemptions

500.20- Enforcement

500.21- Effective Date

500.22- Transitional Periods

500.23- Severability

[/fusion_table]

23 NYCRR 500 Sections

Section 500.00 Introduction
Section 500.01 Definitions
Section 500.02 Cybersecurity Program
Section 500.03 Cybersecurity Policy.
(a) information security
(b) data governance and classification
(c) asset inventory and device management
(d) access controls and identity management
(e) business continuity and disaster recovery
(f) systems operations and availability concerns
(g) systems and network security
(h) systems and network monitoring
(i) systems and application development and
quality assurance
(j) physical security and environmental controls
(k) customer data privacy
(l) Third Party Service Provider management
(m) risk assessment
(n) incident response
Section 500.04 Chief Information Security Officer
Section 500.05 Penetration Testing and Vulnerability Assessments
Section 500.06 Audit Trail
Section 500.07 Access Privileges
Section 500.09 Risk Assessment
Section 500.10 Cybersecurity Personnel and Intelligence
Section 500.11 Third Party Service Provider Security Policy
Section 500.12 Multi-Factor Authentication
Section 500.13 Limitations on Data Retention
Section 500.14 Training and Monitoring
Section 500.15 Encryption of Nonpublic Information
Section 500.16 Incident Response Plan
Section 500.17 Notices to Superintendent
Section 500.18 Confidentiality
Section 500.19 Exemptions
Section 500.20 Enforcement
Section 500.21 Effective Date
Section 500.22 Transitional Periods
Section 500.23 Severability

Categories
Information Security>Data Breach|Computer & Network Security>Viruses|Computer & Network Security>Vulnerabilities

A Ransomware Savings Account – Pay in Advance!

Diet and exercise versus a pill. An ounce of prevention versus a pound of cure. Saving for expenses versus using credit cards.

We all understand that good habits and planning are valuable to achieve our goals. We apply the same principles to Cyber Security…

This is a cautionary tale. We all learn from experience, and when fortunate, we can learn from the experience of others. This story teaches a valuable lesson based on real-world experience, and it will help you avoid a terrible situation.

A medium-sized firm, unfortunately, became the victim of a ransomware attack. An IT employee came into the office early in the morning to discover their ERP server had a white on red full-screen text message (complete with skull and bones ASCII art) stating the contents of the hard drive were encrypted. To recover the contents, they were to transfer one bitcoin to the wallet address on the screen, and to email a Hotmail address notifying them the ransom had been paid in order to retrieve the decryption key.

SecurIT360 Standard Operating Procedures (SOPs) do not recommend paying the ransom under any circumstances. We’ve found that once a company pays the ransom, they are “tagged” for further exploits because the company has been known to pay out. It is safer and better to simply restore from the last known good backup and redo the 12-24 hours of work lost.

Unless the last known good backup is over eight months old.

As a cost-saving measure, this business only purchased a single license for Veritas Backup Exec Server. For the other servers, they used a combination of tarballing, Secure Copy (SCP)/File Transfer Protocol (FTP) or xcopy, and 7zip to archive and transfer critical network files, Microsoft SQL database data, transaction, and log files, and customer detail records to the one server with a backup license.

Business continuity was literally running on a shoestring budget with a fragile, multiple-step process that required each step to complete before the next step would begin. This giant Rube Goldberg machine had a high failure rate. In this case, the Microsoft SQL data and log files hadn’t been transferred from the ERP server to the backup server in eight months. Imagine losing eight months of orders, inventory, fulfillment, and financial reporting. Did we mention that this is a real-world case study?

We discovered that Hotmail address that the hackers provided for payment confirmation had been terminated, and the value of a Bitcoin at that time was nearly $14,000 US. The business owners insisted on paying the ransom even though the likelihood of receiving an encryption key was remote. The felt that they had to try because of the magnitude of the data loss.

Unfortunately, they never received a decryption key.

But maybe they should try this Axis Incyte code:  8EM7YQ58

The company ultimately had to pause operations for two weeks to recreate as much information as possible from employee emails and printed reports. Then, they had to conduct a physical inventory to repopulate their ERP system.

This particular client sadly ended up paying their ransom three times: once in a bitcoin transfer that received no response, once in lost revenue while they recreated their ERP data so they could begin conducting business again, and then once again in new backup server licensing for all of their servers post incident.

How could this have been prevented?

A much less expensive “ransom” could have been paid ahead of time by purchasing five more Veritas Backup Exec Server licenses for $5,000 to cover their remaining servers, properly ensuring business continuity. This would have saved them thousands compared to the cost of the “ransom” paid and the additional 2 weeks of lost productivity while recovering data.

What can you do to not fall into the same trap as this business?

SecurIT360 works with our clients every day to ensure business continuity. Based on our experience, we would like to share 3 critical processes that your business must have in place to avoid this kind of disaster.

  1. Invest in a backup process for all of your servers and business-critical data.
  2. Regularly test your backups to make sure that all processes are running properly.
  3. And while backups are one of the most important things that you can do to protect your business, they shouldn’t be your first line of defense. Schedule regular “black hat” penetration tests to ensure that your network is protected from this kind of event.

Would you like a free assessment of your disaster preparedness and business continuity procedures? Call us today to make sure that the disaster experience you learn from isn’t your own.

SecurIT360 is an independent, vendor-agnostic Cyber Security consulting firm. We can work with you to stop cyber attacks in real time. Book a meeting with us today for a complimentary budgeting and strategy session by following this link Appointments.

Categories
Uncategorized

Phishing Attacks and Multifactor Authentication

Stop the Password Reset Insanity

How much time does your IT department spend changing a user’s network and or email account passwords because they clicked on a phishing link that they should not have? How many users do you have who do this repeatedly? Have you trained your users to identify, report, and ignore these phishing attempts?

Why make the only procedure to resolve this resetting the password when it just keeps happening again and again? Stop the insanity and look at a new way of solving this problem.

“The definition of insanity is doing the same thing over and over again and expecting different results.”

How Spearphishing Works

Your company webpage has just been redesigned to provide an enriched marketing experience. It looks great and everyone on your leadership team is excited about the new page. One of the pages, “About Our Team”, lists every member of the executive management team with a short bio. You have just provided the bad guys with a short list of high-value targets within your company.

With this list of users in hand and by utilizing the most standard email address format (everyone uses first initial of the first name + last name), a couple of smart public DNS queries, and a telnet to port 25 of your email server, I can determine your mail server and version, including Microsoft Office 365. Then I can set up a fake webmail account login page and send a well-crafted email asking them to log in to my fake email system so I can steal their password.

Once your user completes this action, I have not just compromised their account, I have compromised an influential person in the company. I now have access to the corporate account of someone who can make decisions and spend money, for example, authorize an invoice to be paid or request a wire transfer. Payday for me, headaches dealing with law enforcement, lawyers, cyber insurance companies, and forensics experts for you.

What Happens Next

Once you discover the intrusion, I’ve been reported to IT, the user’s account password has been changed, the lawyers are doing insurance reviews, and accounting is double checking the books, but I am still out there. While everyone is thinking, crisis averted, I am waiting for the next opportunity.

Now, I sit back and wait a week or two before another attempt. During this time, a business crisis arises, distracting the executives, and I send another email asking you to log in. Nine times out of ten, I get back in. Executives are busy between internal, partner and customer meetings, traveling, reviewing performance numbers, and so on. They are always busy and want things to go smoothly so they can accomplish tasks quickly. Because of this, your executives rarely look twice at the email asking for the password again – just so they can get that PDF report they think they are getting.

So, they are compromised. Again. You change their password. Again. Insanity.

While you are saying to yourself, “This would never happen at my company”, let me share this story with you. I recently worked a case where the President of the company was successfully spearfished three times in two weeks. Each time, the password was reset, and everyone moved on to other things. In another case, a breached IT administrator account was used to spearfish the CFO. As if that is not bad enough, the CFO had already been successfully spearfished two months prior.

How do I end this cycle?

The easy answer is to require multi-factor authentication (MFA). The harder question is, “How do I implement MFA without being chased with pitchforks and firebrands?” Or worse yet, isolated in an office in the basement with your career stalled out.

So, how do you implement MFA while minimizing the impact on your users?

Scenario 1:

IT develops a MFA implementation plan. They then meet with the executives to outline the program’s pros and cons, with the strategy of scaring them into agreeing to implement MFA. They use statistics from Gartner, include quotes from Verizon’s Annual Data Breach Investigation Report, and try to sell the implementation plan. Remember, these are the same executives who are busy moving from one fire drill to another while being spearfished daily. This strategy almost never goes well.

Scenario 2:

IT develops a MFA implementation plan. Instead of only using statistics from Gartner and quotes from Verizon’s Annual Data Breach Investigation report, they use actual internal data to affect change from within. Prior to presenting this data, they have already completed a MFA pilot with their Email administrators and then rolled it out to the entire IT department. Here’s the payoff: report the measured results of the rollout to the IT Steering Committee, CFO, or COO; the point is, get an executive to start thinking about MFA, hearing the results, and digesting the successes. Then, get that individual to try it.

Peer pressure can also be beneficial in this scenario. “One-Upmanship” within a highly political boardroom can be a good thing. Having someone inside the decision-making group proudly boasting how fourteen unauthorized attempts to log in to their account were thwarted by MFA can provide the incentive you need. No one wants to be the weak link or in last place.

The Benefits of MFA

Now that you have implemented MFA, you are able to stop the insanity of repeatedly resetting passwords, re-imaging computers, spending hours on telephone calls with lawyers, insurance companies, and forensics companies. You can expect fewer security headaches, more time to complete your projects, and your executive team to appreciate how secure your network has become with multi-factor authentication.

SecurIT360 is an independent, vendor-agnostic Cybersecurity consulting firm.
If you are interested in a complimentary budgeting and strategy session using some of our time-tested tools, you can schedule a meeting by clicking this link, Appointments.

Categories
Information Security|Uncategorized

Budgeting for Cyber Security for 2019

Cyber-Security Budgeting is a Layered Approach

Cyber-Security is arguably the hottest market right now.  Organizations are now willing to spend $$ now more than ever to avoid becoming the next headline.  When planning, it is easy to focus on available products that vendors are spending millions of dollars to push at us every day.  Products are required, but it is the process around these that keep you secure.  Best practices in security follow a layered approach, and budgeting is no different.  Where should you focus your efforts?

The Basic Layers:  Reduce Known Risks

These are not sexy, but neither is changing your oil and rotating your tires (Diet and exercise?  Pick your poison).  Before you look at some of the newer, enticing security solutions, it is important to make sure the basics are covered.  What we know:  attacks and breaches are increasing every year.  We have seen an 8x increase in incidents in the past twelve months.  So, our basic list has grown from last year.  You may ask:  why don’t you just follow the CIS top 20?  We agree that all of those 20 items are very important, but after working with over 250 organizations, we know that approval of budget items, gaps in expertise, and culture typically makes it hard for an organization to follow the CIS in order.  If you can, that is great, but we offer the following list of items to consider in order of importance and ease of execution:

  1. Email & Web security – Spam & Antivirus solutions
  2. Enable MultiFactor Authentication for all remote access – don’t forget O365 and other cloud services – or don’t allow it
  3. IDS/IPS; internet monitoring/filtering – hard to believe, but we still find some organizations with outdated firewalls and no IDS capability
  4. Security patching for all hardware/software
  5. Endpoint protections – Antivirus/Malware solutions
  6. Review all accounts, especially privileged accounts and do not allow privileged accounts for regular use
  7. Check for consistent password and access controls across all of your platforms
  8. Encrypt portable devices
  9. Approve Basic Policies to establish guidelines
  10. Provide security training for users and IT staff
  11. Constant inventory devices on your network
  12. Review firewall, remote access/VPN, and wireless solutions regularly
  13. Comprehensive network documentation
  14. A proactive monitoring/logging/alerting solution should be in place
  15. Basic Incident Response capabilities
  16. Secure file transfer capability
  17. Basic Security Metrics and Reporting – Regular measurements are a must to eliminate a false sense of security
  18. Evaluate your ability to perform these basic functions adequately – do we need managed services? 

Add Advanced Layers to Cover Blind Spots

Once you have the basics in place, formal measurement and planning is prudent to prioritize capital expenses.  If you do not have the in-house expertise available, you may need to rely on outside assistance.  Some items to consider:

  1. Objective measurement: Risk Assessment, Security Audit, Vulnerability and penetration testing
  2. Increase visibility with SIEM (Security Information & Event Management) – either in-house or as a service
  3. Compliment SIEM with MDR (Managed Detection & Response)
  4. Formal Program & Policy development following ISO 27001, NIST, HITRUST, or other appropriate framework
  5. Risk Management
  6. Vulnerability Management
  7. Mobile device management solution
  8. NAC – internal Network Access Controls
  9. Data Loss Prevention technologies
  10. Identity Access Management
  11. Forensic capabilities
  12. Application whitelisting
  13. Incident Response Table Tops, Red Team, Blue Team, Purple Team Exercises
  14. Information Governance

Studies have shown that a good security posture will reduce the operational costs and the cost of a security breach.

A Note for your CFO:  You may want to remind your finance committee that breaches can cause serious reputational damage and be very expensive.  Cyber Liability insurance is not enough.  In today’s world, the expectation is that there are measurable efforts (and funds) devoted to keeping information safe.

Note:  SecurIT360 is an independent, vendor-agnostic Cyber Security consulting firm.  We do not sell or broker hardware or software.

If you are interested in a complimentary budgeting and strategy session using some of our time-tested tools, you can schedule a meeting by clicking this link, Appointments.

Why not just follow the CIS top 20?

Since we mentioned it, we will go ahead and put this list out here too.

Basic CIS Controls

  1. Inventory and Control of Hardware Assets
  2. Inventory and Control of Software Assets
  3. Continuous Vulnerability Management
  4. Controlled Use of Administrative Privileges
  5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
  6. Maintenance, Monitoring and Analysis of Audit Logs

Foundational CIS Controls

  1. Email and Web Browser Protections
  2. Malware Defenses
  3. Limitation and Control of Network Ports, Protocols and Services
  4. Data Recovery Capabilities
  5. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
  6. Boundary Defense
  7. Data Protection
  8. Controlled Access Based on the Need to Know
  9. Wireless Access Control
  10. Account Monitoring and Control

Organizational CIS Controls

  1. Implement a Security Awareness and Training Program
  2. Application Software Security
  3. Incident Response and Management
  4. Penetration Tests and Red Team Exercises

The 7 Key Principles guiding the latest version of the CIS Controls:

When designing the latest version of the CIS Controls, our community relied on 7 key principles to guide the development process:

  1. Improve the consistency and simplify the wording of each sub-control
  2. Implement “one ask” per sub-control
  3. Bring more focus on authentication, encryption, and application whitelisting
  4. Account for improvements in security technology and emerging security problems
  5. Better align with other frameworks (such as the NIST CSF)
  6. Support the development of related products (e.g. measurements/metrics, implementation guides)
  7. Identify types of CIS controls (basic, foundational, and organizational)
Categories
Compliance|Information Security>Data Breach|Research|Computer & Network Security>Viruses|Computer & Network Security>Vulnerabilities

Our top 5 findings from IT security audits

What are the top things we have learned from performing 200+ security audits?

1.  The “major issues” do not change

Good security is good security, and you can think of the major security issues as being giant “targets” within your organization.  Targets which the bad guys hope will come into their line of fire, and they are regularly shooting at. You can easily spot and name these targets: User awareness, access control, backups/recoverability, etc.  These are the primary topics that most compliance requirements are based on. Identifying these large targets and putting in the appropriate safeguards to make these targets smaller are the goals of a good security program.

2.  Security is a moving target

Even though the “major issues” (the targets) do not change, do not confuse this with thinking that these targets are stationary.  Once the targets have been identified, key performance indicators should be established so that the targets can be measured and constant improvement can be realized.  As these “targets” move around, they have the tendency to grow over time. If your security program does not have a component of measurement and constant improvement, your “small targets” can quickly become large enough for the bad guys to see.  Just because you did well yesterday, doesn’t mean you will do well tomorrow unless you are able to keep pace with those moving targets.

3.  Most people like the “idea” of being secure

It holds true that almost everyone likes the “idea” of being secure.   Far less actually want to take the steps to become “secure”, usually due to one or more myths:

  • Cost – they believe they require an expensive “widget” to achieve their security goals
  • Effort – the time/manpower simply does not exist (and cannot be prioritized)
  • Impact – the changes proposed will affect the user population too greatly
  • Denial – that will never happen to us OR we are already secure

At the end of the day, security comes down to making risk-based decisions.  If these risk-based decisions are accurately recorded and measured, the decision of mitigating these risks should be an easy one:

What are the potential consequences if I do NOT do this?

4.  That’s not “security” related

Usually, at some point during an audit interview (usually multiple times) when discussing a topic (almost any topic), some detail is revealed that elicits the response “that’s not security related” from the client or user.  We find that people often have a hard time relating everyday events to security issues. They understand that if there is a “hacker” or a “virus” it is a security issue, but may not view things like service interruptions or high resource utilization as “security” related.

5. Gadgets and gizmos will not make you secure

One of the mantras that we regularly preach to our clients is that security is all about the “process” not the “product.”  We do this because of the large number of people who believe that “If I buy the latest HyperWall from DarkPlus with the VisorNet addon, I will automagically be secure!”  No matter how much we would like for our gadgets to be plug-and-play, if there is not some form of human interaction on the back end, the tool will become stale and less useful over time (or it may not have ever worked, to begin with). You should always try to measure the state of your security products/programs and strive to improve them over time in order to be effective.

We hope that these five keys will help you better evaluate your security.  If you would like to learn more about how you can protect your corporate data, please click here to contact us.  SecurIT360 provides audits, scans, and analysis of various systems and businesses across multiple industries including legal, financial, utilities, and healthcare.  Let us help you determine where you should spend your time and money protecting your information.

Categories
Compliance|Research>The Hitlist

The Hitlist: International Travel

International travel is common in today’s business world.  Many times businesses assume that their standard policies can apply to any international destination.  We recently had a client contact us about traveling to their international office in a country that is typically known for lacking respect for other’s privacy.  They asked us, considering this client would be discussing corporate trade secrets and other senstive info, what precautions they should take.

We gave them a list of recommendations and explained that many of these would not make travel simple from a technological standpoint, but would provide them the most security benefit.  These recommendations are not for travel to any country, but to countries where government’s can have a pervasive nature with regard to network communications.

Some recommendations for consideration:

  • Assume that all communication will be monitored
  • Understand that some of these countries put higher priority on Intellectual Property and Trade Secrets than they do personal or financial information
  • Take a clean machine with no data – some countries may even confiscate or copy data at the border
    • Lock the machine down to the minimum amount of use possible
    • Make sure personal firewalls are set to be very restrictive
    • Whitelist applications if possible
    • Take data only on encrypted removable media – many countries such as China, Israel, and Russia have limitations on encryption tools
    • Encrypt hard drives
  • Communications
    • Do not use Bluetooth or WiFi
    • Avoid connecting to the internet at all
    • Any time you connect to the internet, make a secure connection to the US as quickly as possible using technologies that provide virtual desktops or VPN connectivity and preferably with multi-factor authentication if allowed.  If VPN connections are not allowed in a particular country, plan on limited to no use of the internet.
  • Make sure mobile devices are encrypted and managed with MDM – again if country restrictions allow
    • Communication should be limited, even email.  Again, assume all communication will be monitored
    • Beware if you get a certificate error while downloading anything.  This may mean that someone has brokered the connection
  • Upon return, format all electronic media that made the travel, and under no circumstance should anything be plugged back into a network

Again, these are just a few things to consider when traveling to certain countries that may have a governmental interest in data and communications.

Categories
Uncategorized

WannaCry – Worldwide Ransomware Attack – Updated

A widespread ransomware attack has spread across the globe infecting tens of thousands computers in as many countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan.  The software can run in many languages.  There have been several versions and updates, but the ways to protect remain the same.  Recently, a decryption tool has been discovered – see here.

Technical Details

Initial reports indicate the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers either through a Remote Desktop Protocol (RDP) compromise or the exploitation of a critical Windows SMB vulnerability.  Microsoft released a security update for the MS17-010 vulnerability on March 14, 2017.  According to open sources, one possible infection vector is via phishing emails.

The WannaCry ransomware received and analyzed by US-CERT is a loader that contains an AES-encrypted DLL.  During runtime, the loader writes a file to disk named “t.wry.”  The malware then uses an embedded 128-bit key to decrypt this file.  This DLL, is then loaded into the parent process, is the actual Wanna Cry Ransomware responsible for encrypting the user’s files.  Using this cryptographic loading method, the WannaCry DLL is never directly exposed on disk and not vulnerable to antivirus software scans.  Subsequent versions are manifested differently.

What to do to protect against Wana Decrypt0r aka WannaCry

1.    Patch all Windows Operating Systems

  1. For supported Operating Systems see MS17-010
  2. Emergency Patch for Windows XP and Windows 2003 is here

2.    Run a port scan and or Vulnerability Assessment against your firewalls. 

Ensure that Remote Desktop Protocol (RDP) and SMB protocols are not open to the internet.  These are typically on ports 3389, 445, and 139 respectively, but can be mapped to different ports on your firewall.  These configurations are security best practice.

Verify Other Protections Are working as expected.

*************************************IMPORTANT******************************************

Do NOT assume you are safe just because you have purchased and installed a product.

**********************************************************************************************

3.    Backups

Review your backups to ensure that they are working as expected.  Test restores of critical data.

4.    SPAM Filter

Enable strong spam filters to prevent phishing e-mails from reaching the end users.  Most enterprise filters should detect WannaCry.

5.    Antivirus & Malware Protections

  1. Ensure that real-time scanning enabled to detect file downloads, email attachments, and web links
  2. Ensure that scan engines are up to date and that definitions are downloaded and regularly deployed – at least daily. We recommend more frequently
  3. Configure anti-virus and anti-malware solutions to conduct routine scans
  4. Inventory protected machines to ensure that all have products installed and that they are functional

WannaCry Remediation

  • Isolate compromised computer systems.
    1. Unplug from network to prevent spreading
    2. Power down other computers or unplug network access switches during eradication
    3. Wipe and reload infected machines
    4. Paying the ransom does not guarantee you recovery
  • Ensure that proper logging is enabled and preserved on key systems.
  • Contact law enforcement. Contact a local FBI field office upon discovery to report an intrusion and request assistance.  Maintain and provide relevant logs.
  • Implement your security incident response and business continuity plan.
  • Ideally, organizations should not store critical data on workstations. Critical data should reside on centralized storage systems.  Storage systems should have complete, verified, and tested backups.  Ofen the most efficient response is to restore data from a known clean backup.

Signatures

 

File name:  @WanaDecryptor@.exe

 

Confirmed indicators – SHA-256 Hashes:

24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c043e0d0d8b8cda56851f5b853f244f677bd1fd50f869075ef7ba1110771f70c25d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b976a3666ce9119295104bb69ee7af3f2845d23f40ba48ace7987f79b06312bbdfbe22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844f7c7b5e4b051ea5bd0017803f40af13bed224c4b0fd60b890b6784df5bd63494fc626fe1e0f4d77b34851a8c60cdd11172472da3b9325bfe288ac8342f6c710a09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafaaee20f9188a5c3954623583c6b0e6623ec90d5cd3fdec4e1001646e27664002cc365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aab9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

Yara Signatures

rule Wanna_Cry_Ransomware_Generic {

meta:

description = “Detects WannaCry Ransomware on disk and in virtual page”

author = “US-CERT Code Analysis Team”

reference = “not set”

date = “2017/05/12”

hash0 = “4DA1F312A214C07143ABEEAFB695D904”

strings:

$s0 = {410044004D0049004E0024}

$s1 = “WannaDecryptor”

$s2 = “WANNACRY”

$s3 = “Microsoft Enhanced RSA and AES Cryptographic”

$s4 = “PKS”

$s5 = “StartTask”

$s6 = “wcry@123”

$s7 = {2F6600002F72}

$s8 = “unzip 0.15 Copyrigh”

condition:

$s0 and $s1 and $s2 and $s3 or $s4 or $s5 or $s6 or $s7 or $s8

}

 

/*The following Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.

rule MS17_010_WanaCry_worm {

meta:

description = “Worm exploiting MS17-010 and dropping WannaCry Ransomware”

author = “Felipe Molina (@felmoltor)”

reference = “https://www.exploit-db.com/exploits/41987/”

date = “2017/05/12″

strings:

$ms17010_str1=”PC NETWORK PROGRAM 1.0″

$ms17010_str2=”LANMAN1.0″

$ms17010_str3=”Windows for Workgroups 3.1a”

$ms17010_str4=”__TREEID__PLACEHOLDER__”

$ms17010_str5=”__USERID__PLACEHOLDER__”

$wannacry_payload_substr1 = “h6agLCqPqVyXi2VSQ8O6Yb9ijBX54j”

$wannacry_payload_substr2 = “h54WfF9cGigWFEx92bzmOd0UOaZlM”

$wannacry_payload_substr3 = “tpGFEoLOU6+5I78Toh/nHs/RAP”

condition:

all of them

}

Categories
Information Security>Data Breach|Uncategorized|Computer & Network Security>Vulnerabilities

Security Incident Case Study – A MSSP Run Amok

This is a case study of a security incident that occurred recently. The purpose of sharing this case study is to provide an example as to why proper security measures must be constantly validated both internally AND externally to include Managed Service Providers.

 

NIST Security Incident Response Lifecycle

 

Security Incident Overview

A valid user account (UserX) downloaded a malicious executable file on the Remote Desktop Protocol (RDP) server used by employees for remote desktop access in the middle of the afternoon. The updated security software on the server blocked the file from executing and placed it into Quarantine. Upon closer inspection, after being alerted via email the next day, it was learned that the UserX account also self-created a local administrator account on the RDP server – an uncommon administrative task.

The UserX account already had Domain Administrator-level privileges and belonged to a Manager Services provider (MSSP) that is currently under contract with the Client. However, the physical user works the third shift between 11p and 7a Local. The MSSP confirmed the physical user was not working during the time of the incident.

 

Actions Performed by the Client

  1. Exported logs from RDP server and found two network addresses in two separate European countries had been logging in as UserX for at least a month.
  2. Immediately shut down the RDP server, rebuilt the server from a safe image, and restored services. Placed the RDP server behind a VPN gateway so now employees must first connect via VPN to access the RDP server resulting in better security.
  3. Audited Active Directory users, groups, and permissions to ensure appropriate permissions.
  4. Immediately forced all users, including MSSP, to change network passwords.
  5. Audited firewall for open service ports and only allowed inbound traffic from the US and three countries that Client performs business.
  6. Audited all Windows servers looking for unauthorized local administrator accounts. None found.
  7. Exported security logs from all Windows servers to identify other security breaches. None found.

All activity undertaken by Client was timely and appropriate. Kudos to the IT staff.

 

Root Cause Analysis

The situation leading up to this security incident is two-fold: (1) allowing RDP traffic directly from the Internet is inherently insecure and should always be protected by encryption, and (2) MSSP circumvented security policies currently in place on Client’s network by creating domain administrator accounts with no password complexity, expiration or lockout parameters. It was also noted that MSSP engineers shared passwords and stored them cleartext in Microsoft Excel. This created the opportunity where an unauthorized person having identified a valid username through a Windows NULL session attack could brute force guess the password without being stopped. And because every user in this group is a Domain Administrator, a successful authentication opened the entire computer network to unauthorized access.

 

Remediation

Both security incident vulnerabilities were remediated, (1) RDP is now protected by a VPN gateway, and (2) all MSSP accounts have security policies enforced to require password changes, complexity, and lockout on failed login.

Additionally, an amendment to the seven year, multi-million contract with the MSSP has been drafted, signed and countersigned stating that all MSSP personnel must abide by the security policy of the client, and any further security incident breaches directly attributed to the MSSP will immediately terminate the contract.

 

Final Observations

Always have concrete terms in your contracts with your service providers. A chain is only as strong as it’s weakest link and sometimes we take for granted that a MSSP will always act in our best interests when they themselves may be the weak link.

Categories
Computer & Network Security|Information Security>Data Breach|Social Engineering

Law Firm Breach Used for Insider Trading Profit

Three Chinese citizens are charged for insider trading after allegedly making $4 million by using information obtained from Law Firms.  The breach has to do with stolen credentials and malware planted within Firm systems – a very common tactic.  The Law Firm names have not been released yet.  Firms are typically diligent with Banking and Healthcare data, but this breach had to do with a merger that was in the works.  The hackers bought shares before the announcement and profited from the stock increase.  This highlights the need for more than just basic cyber security products.  A more disciplined approach of reviewing each Legal Matter for the value of the information and potential risks associated could lead to limiting and increased monitoring of access, which may prevent or identify unauthorized use.

 

See the full article here

Categories
Information Security>Asset Management|Compliance|Computer & Network Security>Microsoft

Best Practice: Securing Windows Service Accounts and Privileged Access – Part 2

In the first post I covered best practices for securing service accounts.  In this post, I am going to discuss some key elements in securing priveleged access.  Keep in mind, Microsoft has published a comprehensive guide to securing an Active Directory.

Keep in mind that many of these things will require additional work on the front end, but that is usually due to poor existing practices.  Once processes are in place, these key components should not add significant overhead to administrative tasks.

  1. No users should regularly reside in Domain Admins (DA) or Enterprise Admins (EA) groups
    1. Straight from the horse’s mouth: As is the case with the Enterprise Admins (EA) group, membership in the Domain Admins (DA) group should be required only in build or disaster recovery scenarios. There should be no day-to-day user accounts in the DA group with the exception of the built-in Administrator account for the domain, if it has been secured as described in Appendix D: Securing Built-In Administrator Accounts in Active Directory.
    2. Follow MS’ recommendations for securing DA and EA accounts.
    3. If you are a single forest, single domain then no one needs to be in the enterprise admins period
    4. Don’t allow domain admins to logon to workstations
  2. Ensure that priv accounts follow at least the standard password policy
  3. Don’t forget other privileged groups besides DA and EA (Schema Admins, Account Operators, Backup Operators, Administrators, etc.)
  4. Maintain separate admin credentials and standard user accounts
    1. Do not use the same account for admin access and for regular access
    2. This includes things like browsing the web on member servers or workstations with priv accounts
      1. Block internet access from all servers
    3. No remote access with privileged accounts
  5. Use a jump off server for admin tasks.
    1. Remote to it with a standard account and then remote from there to perform admin tasks
    2. You should allow interactive logons by authorized users and should remove or even block other logon types that are not needed for server access. (https://technet.microsoft.com/en-us/library/dn487449.aspx)
    3. Admin functions should require more than one factor of authentication
  6. Use LAPS to generate a different password for all local admins
  7. Either use read only domain controllers in a DMZ or create a separate domain with a one way trust (trade off of complexity and security)