Categories
Computer & Network Security

Best Practices for Privileged Account Management – Part 1

Basic Privileged Account Management

Abused and misused privileges are frequently the root cause of breaches in organizations around the world.  Privileged account management should therefore be a major focus for security and IT management looking to mitigate the risk of data breaches and insider threats.

What is Privileged Account Management?

Privileged Account Management is the definition and management of the policies and processes that determine how a user is granted access rights to enterprise systems.  It also governs the management of the data that constitutes the user’s privileges and other attributes, including the storage, organization and access of that information in directories (FICAM-09).  In other words, it is how an organization manages privileged passwords and delegates privileged actions.  Do you delegate, control, and filter the privileged operations an administrator can execute?  Do you audit, record, and monitor privileged access?

Why is it important to an organization?

When it comes to utilizing high business value IT systems, privileged users, such as administrators, typically have the widest operational latitude.  They are typically responsible for deploying and managing functionality on which the business depends, from vital day-to-day functions, to strategic capabilities that enable the business to maintain its competitive edge.

However, wielding this power carries risk.  IT complexity means that minor changes can have unintended and severe impacts on availability, performance, or integrity.  Malicious attackers, inside and outside the organization, can capitalize on administrative-level access to inflict serious damage on the business.  Given the increasing sophistication and popularity of modern attacks via malware and other methods, it is common for attackers to gain and exploit such privileges by impersonating trusted personnel.

What are some common best practices?

There are countless solutions available, and everyone has an opinion on the best way to implement them.  Below is a set of common privileged-account best practices that all organizations should follow:

  • Separate regular access accounts from privileged accounts
  • Inventory all privileged accounts and assign ownership to that inventory
  • Do not use shared accounts
  • Minimize the number of personal privileged accounts
  • Limit scope for each privileged account
  • Use privilege elevation for users with regular access
  • Document policies and processes for the management of privileged accounts
  • Monitor and log all privileged access activity
  • Implement a separation-of-duties model to manage superuser administrative privileges
  • Use default administrator, root, and similar accounts only when absolutely necessary
  • Require multi-factor authentication for all privileged accounts
  • Require complex and long passwords for privileged accounts
  • For service or application privileged accounts, use a random password and store it in an encrypted vault
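Several of the practices above (ownership, no shared accounts, limited scope, MFA, long passwords, vaulted service-account secrets, few personal privileged accounts per person) can be checked mechanically once the inventory exists. The script below is an added example, not part of the original post or any product it mentions: the record layout, field names, policy thresholds and the sample inventory are constructed assumptions, and a real deployment would populate the records from the directory or vault that holds the inventory.

```python
"""Audit a privileged-account inventory against the best practices above.

Added example for this post; the record layout, field names, thresholds and
the sample inventory are constructed assumptions, not data from the original.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MIN_PRIV_PASSWORD_LEN = 16     # assumed policy threshold for "long" passwords
MAX_SCOPE = 3                  # assumed threshold for "limited scope" (systems per account)
BUILTIN_ROUTINE_USE_DAYS = 30  # a built-in account used more recently than this is in routine use


@dataclass
class PrivAccount:
    name: str
    owner: Optional[str]          # person accountable for the account; None = unowned
    kind: str                     # "personal", "service", or "builtin" (root, Administrator, ...)
    shared: bool                  # credential known to be used by more than one person
    mfa: bool
    password_len: int
    vaulted: bool                 # password stored in an encrypted vault
    scope: List[str] = field(default_factory=list)  # systems the account has rights on
    last_used_days: Optional[int] = None            # days since last logon; None = unknown


def audit_account(a: PrivAccount) -> List[str]:
    """Return the best-practice violations for a single account (empty list = clean)."""
    findings = []
    if a.owner is None:
        findings.append("no owner assigned")
    if a.shared:
        findings.append("shared account")
    # Interactive accounts must use MFA; service accounts are covered by the vault check below.
    if a.kind != "service" and not a.mfa:
        findings.append("MFA not enforced")
    if a.password_len < MIN_PRIV_PASSWORD_LEN:
        findings.append(f"password shorter than {MIN_PRIV_PASSWORD_LEN} characters")
    if a.kind == "service" and not a.vaulted:
        findings.append("service account password not held in a vault")
    if len(a.scope) > MAX_SCOPE:
        findings.append(f"scope of {len(a.scope)} systems exceeds limit of {MAX_SCOPE}")
    if (a.kind == "builtin" and a.last_used_days is not None
            and a.last_used_days < BUILTIN_ROUTINE_USE_DAYS):
        findings.append("built-in account in routine use")
    return findings


def audit_inventory(accounts: List[PrivAccount]) -> Dict[str, List[str]]:
    """Audit every account, plus the cross-account rule that each person should hold
    as few personal privileged accounts as possible. Only accounts with findings are returned."""
    results = {a.name: audit_account(a) for a in accounts}
    personal_per_owner = Counter(a.owner for a in accounts if a.kind == "personal" and a.owner)
    for a in accounts:
        if a.kind == "personal" and personal_per_owner[a.owner] > 1:
            results[a.name].append(
                f"owner {a.owner} holds {personal_per_owner[a.owner]} personal privileged accounts")
    return {name: f for name, f in results.items() if f}


# Constructed sample inventory (not real accounts or systems).
SAMPLE_INVENTORY = [
    PrivAccount("alice-adm", "alice", "personal", False, True, 20, False, ["ad-dc01"], 2),
    PrivAccount("svc-backup", None, "service", False, False, 12, False,
                ["fs01", "fs02", "fs03", "fs04"], 1),
    PrivAccount("root@db01", "bob", "builtin", True, False, 18, True, ["db01"], 1),
    PrivAccount("bob-adm", "bob", "personal", False, True, 24, False, ["db01"], 5),
    PrivAccount("bob-adm2", "bob", "personal", False, True, 24, False, ["web01"], 40),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(name)
        for item in findings:
            print("  -", item)
```

Run on the sample inventory, the clean personal account produces no output, the unowned backup service account collects four findings, the shared root login three, and the two personal accounts held by one person are each flagged by the cross-account rule.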

Read Part 2 of this blog here >>.


What You Can Learn From SolarWinds – The hack That “Blindsided” The US Cyber Command

Security firm CrowdStrike revealed “the worst U.S. cyber attack in years” last December, according to Reuters.

Suspected Russian hackers penetrated SolarWinds, a major IT management software provider, as early as September 4, 2019, and spread to more than 3,000 of the firm’s clients. Those clients included many Fortune 500 companies and high-profile organizations such as Microsoft, Cisco Systems Inc., the US Department of Homeland Security, and the US Cyber Command.

Cybersecurity experts say the depth and breadth of this incident call into question status quo cybersecurity practices across the world. Once penetrated, organizational networks are much more difficult to secure again. Recovering from the attack may take years, according to Tom Bossert, former President Trump’s homeland security officer.

Here’s what happened, and what you need to know to prevent future compromise.

How the Hack Turned Elite Organizations’ Security Practices Against Themselves

In fall 2019, hackers compromised SolarWinds’ network management tool, Orion, inserting the SUNBURST malicious code. The company unwittingly pushed updates containing the compromised code, which opened backdoors into its clients’ IT systems; through these, the hackers installed even more malware to further their surveillance efforts.

Compromising Orion wasn’t the end goal, though. Instead, the backdoor was used to access SolarWinds’ SAML tokens, which transmit sensitive data, such as usernames and passwords, in concert with the SSL encryption protocol.

From there, the hackers entered victims’ networks using forged security certificates. They were then able to move laterally through the network, escalating their privileges and compromising any number of systems under that network’s umbrella.

What The hack Tells Us About Modern Cybersecurity Practices

The incident reveals the weaknesses of current cybersecurity practice, commonly referred to as the “castle and moat” approach, in which a premium is placed on perimeter security. The model’s lack of rigorous user access controls is frequently exploited by hackers, who typically take an easy point of entry and then escalate to administrative privileges.

This attack effectively illustrates the need for zero-trust security architecture.

What’s zero trust?

Its basic premise: “never trust, always verify.” That means securing access to networks through authentication of the user’s machine, authorization of the user behind the device, and verification of the user’s security credentials.

Additionally, zero trust mandates that access to sensitive resources is granted on a least-privilege basis; in other words, only staff who absolutely need a given resource can reach it.

Finally, rigorous logging is employed to track all traffic through specific inspection points to help enforce least-privilege access rules.

How Zero-Trust May Have Prevented SolarWinds

A core tenet of zero trust is adopting a state of assumed breach, meaning all requests are inherently untrusted and must be verified.

There are no silver bullets in security. While companies couldn’t do anything to protect themselves from the attack’s first phase, since that compromise happened on the service provider’s side, they could have better protected their networks through stronger user authentication and verification.

Before users are granted access to sensitive resources or applications, zero-trust architecture mandates that they prove both their own identity and that of the device they’re using. By requiring multiple verification factors that are continuously reviewed, zero trust ensures that foreign actors aren’t using falsified security tokens.

What’s more, such an architecture limits access to sensitive resources even after network access is granted, using techniques such as just-in-time and just-enough access (JIT/JEA) to add a further layer of protection. And by limiting access to only those who need it, commonly called least privilege, the pool of potential social engineering targets is greatly reduced. This layer could have prevented the lateral movement the hackers demonstrated after breaching the Orion platform.

In sworn testimony before the Senate Homeland Security and Governmental Affairs Committee, US CISO Christopher DeRusha told the committee that the government should move towards zero trust and away from perimeter security.

“In this new model, real-time authentication tests users and looks to block suspicious activity and prevents adversaries from the kind of privilege escalation that was demonstrated in the SolarWinds attack,” DeRusha said. “Many of the tools we need to implement this model already exist within industry and agency environments, but successful implementation will require a shift in mindset and focus at all levels within federal agencies.”

What You Can Learn From SolarWinds and Zero Trust

Of SolarWinds’ 36,000 customers, approximately 1,800 installed the affected update. If you’re worried that your organization may be affected and you haven’t yet taken steps to mitigate this attack, update Orion to the latest version and follow SolarWinds’ guidance.

However, not using Orion doesn’t mean an organization is safe; you should contact your IT vendors or MSP to confirm that they’re not affected. If they are, ask what they’re doing to reduce your exposure.

Organizations looking to secure themselves against a future attack should leverage a combination of improved network visibility, incident response, comprehensive vendor management and a zero-trust user access model.

You’ll also want to improve your organization’s security culture by teaching and enforcing best practices. That includes how to utilize tools like web filtering and two-factor authentication, how to create strong passwords, and how to properly configure firewalls.

Lastly, remember that your security efforts should be tailored towards the most likely and most potentially damaging threats. This means beginning with threat modeling to identify your most sensitive assets and brainstorming the most likely paths hackers may take towards compromise. If all this sounds like too much, consider a trustworthy third-party security-focused managed IT provider like SecurIT360.

Conclusion

If nothing else, SolarWinds is a reminder of how serious and far reaching attacks on third parties can be to your organization. Given the wealth of consumer data now held by the average business, just about every company could be a target.


Understanding the Cybersecurity Maturity Model Certification (CMMC) and its Benefits to You

In today’s evolving threat landscape, organizations are often required to remain compliant with government and industry-based regulations, standards, and policies pertaining to data security and privacy. Therefore, attaining an industry-wide certification for your corporate cybersecurity posture is critical to maintaining a good reputation as well as assuring the confidentiality, integrity, and availability of critical and sensitive information within your computing infrastructure.

It is estimated that cybercrime causes global damages of over $600 billion per annum, so it is now more important than ever for organizations to protect their information supply chain infrastructure, especially supply chains that process controlled unclassified information (CUI). For organizations looking to conduct business with the U.S. Department of Defense (DOD), there are special cybersecurity regulations that must shape the handling of DOD-developed digital assets, and the Cybersecurity Maturity Model Certification (CMMC) is a prime example.

The CMMC consists of five maturity levels, which are used as a guide to protect DOD critical data from a range of cyber threats, including the sophisticated threats posed by advanced persistent threats (APTs). The CMMC framework aligns your organization’s cybersecurity response with the security controls the DoD deems sufficient to protect sensitive information against emerging cyber threats, allowing Defense Industrial Base (DIB) companies to assure the U.S. government that all CUI is monitored and secured with at least the basic controls recognized by the CMMC maturity levels.

The Importance of CMMC

Being CMMC-compliant not only protects your reputation, but it also mitigates against the financial burden of a breach. The CMMC framework allows you to leverage new operations and applications with the confidence that they are secured by your existing cybersecurity measures.

In terms of industry-specific benefits, CMMC compliance will reassure clients that you are adhering to the latest cybersecurity recommendations, which will help you win new contracts and gain a competitive advantage. Software vendors will be able to reassure enterprise clients that their security framework meets DOD guidelines, and the same applies if you operate in an industry with a complex supply chain.

Another benefit of being CMMC-compliant relates to managing risks across your supply chain. If you know of other organizations in your supply chain that are not yet CMMC-compliant or are not prioritizing cybersecurity, you can recommend that they get an audit. This allows for better protection across your whole supply chain, instead of just your organization.

The main goal is to document all processes and constantly improve them, so there is no “weakest link” left within the supply chain. Having a common understanding of how every element of your supply chain operates from a cybersecurity perspective is hugely reassuring, as you can use this knowledge to maintain DOD contracts, expand your client network, and benefit from the subsidized nature of CMMC audits.

Particulars of the CMMC Framework

The CMMC framework consists of 171 practices mapped across five different levels of maturity. The more practices your organization implements, the better you become at protecting all unclassified data within your infrastructure. For the majority of subcontractors of DOD, the first level of the CMMC framework is what you can expect to be recognized when you invest in an audit from a trusted vendor. This level contains all of the common cybersecurity practices.

As you begin to approach the higher levels of the CMMC model, the processes become more documented and proactive. The main aim is to actively manage, review, and optimize cybersecurity processes to protect all of your devices and data points from the growing sophistication of APTs and their growing attraction to supply chain attacks.

Differences Between Each Level of the CMMC Framework

As mentioned earlier, level 1 CMMC states that organizations follow basic cyber hygiene. This is essential to assuring confidence in your supply chains, or to assuring DOD, that you follow basic cybersecurity practices on (at least) an ad hoc basis. The processes are not documented or actively expanded upon by your IT department, but your employees do adopt the recommended processes as and where possible.

Level 2 CMMC measures involve documenting any cybersecurity processes, so that there is proof that people are trained to implement DOD’s best practices for protecting CUI across your organization’s network.

A level 3 compliant subcontractor has gone one step further than those at level 1 or 2, as their cybersecurity practices adhere to the NIST 800-171 framework. This model contains various security measures that must be undertaken for you to achieve the best protection for all of the CUI you store and manage. For example, instead of implementing security measures selectively, you will roll the measures out to any section of your infrastructure that may store or move CUI, to enhance your protection from APTs.

If your organization has maturity level 3 CMMC, all of your cybersecurity practices are documented, assessed, and rolled out to the whole organization, while being reviewed on an ad hoc basis.

Furthermore, a level 4 compliance posture differentiates good cyber hygiene from proactive cyber hygiene: the risk from APT actors is managed in real-time with a “constant improvement mindset.” This maturity level combines all of the processes contained in levels 1–3 while using a forward-thinking approach, surrounding the developing sophistication of APTs and the tactics, techniques, and procedures (TTPs) they implement.

Lastly, level 5 maturity will require your organization to implement all of the previous levels of the CMMC framework while leveraging the controls and procedures to ultimately lower the risk and burden caused by APTs on your CUI—essentially before the risk to your reputation or finances becomes anything more than minimal.

Required IT Controls for Each CMMC Level of Certification

Each level of the CMMC framework implies a different (and more managed) level of IT control. As a guide, here is what you may be expected to implement depending on your industry:

  • Level 1 maturity can include staff updating passwords, updating/patching critical applications, and installing antivirus or other free/low-cost cybersecurity tools.
  • Level 2 maturity ensures that procedures to protect CUI are documented and actively encouraged by your IT department. Best practices may be taught via security awareness training.
  • Level 3 IT controls may include multi-factor authentication (MFA), meaning the NIST 800-171 framework is adhered to. Your organization will identify and implement cybersecurity controls across all data points that may contain CUI.

An organization with level 4 compliance can be expected to implement forward-thinking measures, such as cybersecurity controls on emerging technology, mobiles, or IoT. These are areas of your infrastructure that may have previously been under-prioritized from a cybersecurity standpoint.

Lastly, to become a level 5 compliant entity, your IT department must implement 24-hour controls, to minimize the impact of any form of cyber-threats. For example, a security operations center (SOC) may be created, leveraging both human and automated mechanisms, to actively manage threats. With this type of dualistic data security and privacy countermeasure, security goals remain dynamically-aligned with the needs and objectives of your organization.

Conclusion

Being able to certify your cybersecurity posture is now more important than ever, and the newly implemented CMMC framework offers this opportunity for DOD subcontractors and other eligible organizations to do this. With 5 different levels of maturity, the CMMC model can help your organization to understand what is required of your IT department, and it can help your team proactively manage, detect, and improve against the TTPs of APTs.

Becoming CMMC certified at any level provides immense reassurance to your clients, contractors, and anyone you interact with, as it shows you are fully compliant as an organization with what the DOD recommends. Not only will CMMC certification serve as a route to gain a competitive advantage in your industry, but it can also help you to obtain knowledge about your entire supply chain.

You can use this framework to identify any existing weak links and recommend procedures to implement to further minimize the threats against your organization and anyone else you work with within your industry. If you would like to find out more about the CMMC framework, and how to become certified, contact SecurIT360 today to see how we can help you obtain the audit you need to gain a competitive advantage in your industry.


Endpoint Detection and Response: Monitor and Mitigate Your Cyber Threat Environment

There’s one lasting cybersecurity misconception that’s misled many: that perimeter security is sufficient in itself. 

While prevention tools such as anti-malware, access management, anti-phishing training, and SIEM are effective, they’re ultimately insufficient on their own. Endpoint detection and response (EDR), paired with managed detection and response (MDR), provides the missing element, pairing prevention (EDR) with response (MDR) to curtail any attempted intrusion before serious damage is done.

To make matters worse, threats have risen 400 percent since before the coronavirus pandemic, with 40 percent growth in ransomware specifically. What’s more, the explosive growth in employees working from home has greatly expanded attack surfaces. Here, we’ll delve into endpoint detection and response, its place in modern cybersecurity, and the benefits it supplies.

Why EDR is Relevant to Today’s Threat Landscape

Much of the internet and IT technology was not designed with security in mind. As such, security approaches are enormously varied, often unsophisticated, and rely on mistaken assumptions about today’s threat landscape.

Case in point is the industry’s overwhelming reliance on perimeter or network security, often referred to as the castle-and-moat approach. The thinking is simple: use a few technologies such as firewalls, anti-malware applications, and other security tools to block each potential attack vector.

There’s no such thing as a perfect defense against an unknowable threat landscape. Each year, organizations face roughly a 50/50 chance of experiencing a cybersecurity incident. Between malware, ransomware, advanced attacks, insider attacks, and social engineering, such incidents occur so often that they’re almost predictable.

Social engineering attacks are a good example. Approximately 91% of data breaches start with a phishing email, according to a Deloitte study. One might assume that effective education and training could prevent most social engineering attempts. However, such attacks are incredibly sophisticated, often taking the form of a court notice, an IRS refund, or a fax notice, and they succeed through repetition. Falling prey may be a statistical likelihood.

In test attacks by cybersecurity firm Positive Technologies (conducted with permission from leadership), a whopping 17 percent of employees fell for the fake scam, among them 25 percent of managers and 3 percent of security personnel.

While EDR itself can’t prevent an employee from an ill-advised disclosure of data to a phishing email, the subsequent activity in the system, elevating privileges and moving across systems, would be visible to effective EDR.

What’s more, EDR serves another important function: reducing the crucial time period between network penetration and the discovery of compromise. Currently, companies take an average of 197 days before discovering an intrusion, according to a Ponemon study. Reducing discovery time can significantly decrease the cost of containment.

Given the extremely high volume of these attacks and the predictability with which they occur, it follows that cybersecurity must not only prevent attacks but also focus on responding swiftly by containing or removing any such compromise.

How Endpoint Detection & Response Works

EDR complements typical network security by adding visibility into activity on endpoints, analyzing the resulting data for signs of malicious activity or compromise, issuing automated responses that contain or remove threats, and alerting administrators.

Note that the added responsibility and technical sophistication necessary for effective EDR may be too much for many IT departments. That’s why managed detection and response, a service provided by many cybersecurity managed service providers, may be necessary to cover these responsibilities, 24/7 monitoring, and any necessary maintenance. Together, EDR and MDR combine to form a comprehensive incident response program.

Personal Devices in the Workplace Are On The Rise

The explosion in personal devices in the workplace forms one of the most pressing security concerns today. Approximately 90 percent of US employees use their smartphones at work, while 50 percent of companies with permissive personal devices usage policies had such devices breached, according to Trend Micro.

Given their enormous cost savings benefit and their preferred status amongst workers, this is unlikely to change. Still, this growth means business networks are hosting a high volume of endpoints that aren’t likely to be secure.

Popular operating systems, whether Windows, macOS, iOS, Android, or others, rest on a foundation of insecure code and contain a wealth of vulnerabilities. The software they run may not be secure either, and they can easily download malicious resources from the web.

If such devices can be manipulated and controlled by hackers, either directly or through malware, one can’t assume trustworthiness. Attackers depend upon this weakness and use it to escalate their privileges to gain access to the resources they’re after.

Endpoint protection’s deep visibility shows which user owns the endpoint, the location in which it’s currently being used, any applications running on it, and any content it’s creating.

EDR greatly minimizes that risk, ensuring that, if and when a cybersecurity event occurs, it can be quickly shut down, through deletion, containment, and rapid notification of relevant personnel.

This is crucial, as it currently takes organizations an average of 197 days to identify a breach and another 69 days to contain it.

Continuous Monitoring and Forensic Analytics

As we mentioned up top, perhaps the most transformative aspect of endpoint services is the greater visibility they lend to endpoint activity.

For instance, EDR can validate that packets coming from an endpoint were created by a legitimate application. It can also monitor the file integrity of key resources, automatically flagging improper access to secured files and theft of sensitive data.

What’s more, this monitoring is continuous, meaning EDR is always on the hunt for signs of compromise, recording, and storing all related data.

The latter is essential in providing usable forensic data that can help security professionals understand circumstances surrounding any attack, and thus how to prevent the next one. Such investigations could uncover patterns of behavior behind such threats to predict future ones.

Real-time monitoring uses file integrity monitoring of key data, applications, and devices to find compromise. This includes activity such as malware-related registry changes, improper access to secured files, and theft of sensitive data. EDR can also monitor critical system events such as startups and shutdowns, license changes, hard disk failures, and changes to the system clock. And with automated policy enforcement, any such event can be rapidly contained.
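File integrity monitoring, mentioned in the last two sections, reduces to a simple loop: hash every file of interest to build a baseline, re-hash later, and report what was added, removed or modified. The script below is an added example of that loop, not code from the original post or from any EDR product; the directory layout, file names and the tamper scenario in `demo()` are constructed for the demonstration, and a real deployment would store the baseline somewhere the monitored host cannot alter it.

```python
"""Minimal file integrity monitor of the kind EDR tooling applies to key resources.

Added example; the directory layout, file names and the tamper scenario are
constructed for the demonstration and are not from the original post or any product.
"""
import hashlib
import os
import tempfile
from typing import Dict, List


def build_baseline(root: str) -> Dict[str, str]:
    """Map each file under root (path relative to root, '/'-separated) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):  # stream, so large files are fine
                    digest.update(chunk)
            baseline[rel] = digest.hexdigest()
    return baseline


def diff_baseline(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare two baselines and report drift by category (sorted for stable output)."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Build a constructed tree, baseline it, tamper with it, and return the drift report."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel: str, data: bytes) -> None:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)

        # Constructed "key resources" to protect.
        write("conf/hosts", b"127.0.0.1 localhost\n")
        write("bin/agent", b"placeholder-binary-contents\n")
        write("conf/policy.cfg", b"mfa=required\n")
        baseline = build_baseline(root)

        # Simulated drift: one config edited, one unknown binary appears, one policy file removed.
        write("conf/hosts", b"127.0.0.1 localhost\n10.0.0.5 example.internal\n")
        write("bin/unknown-binary", b"placeholder-binary-contents\n")
        os.remove(os.path.join(root, "conf", "policy.cfg"))

        return diff_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

The report from `demo()` lists `conf/hosts` as modified, `bin/unknown-binary` as added and `conf/policy.cfg` as removed; in a deployment each of those categories would map to a response policy, for instance an alert on modified configuration and quarantine of an unexpected executable.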

Single Source for Endpoint Management

The unprecedented visibility that EDR extends is crucial; users will find that having a centralized location to monitor network endpoints is immensely valuable and educational.

From here, policies can be set and automatically enforced. Historical data across each endpoint can be investigated, uncovering routes to penetration not previously considered: every endpoint, affected user, and step in the attack.

Since EDR systems are tasked with monitoring all devices within a network, they’re often much easier to integrate into network infrastructure. Many EDR solutions are compatible with a wide range of security tools, allowing endpoint data to be analyzed alongside other security network data.

This accessibility is further enhanced by the simplicity and ease of use of many modern endpoint solutions. Drag-and-drop interfaces and easy-to-read analytics make them layperson-friendly—crucial if they’re to be understood by stakeholders.

Perhaps the most compelling, and necessary, component of an EDR solution is its ability to be remotely managed by cyber security professionals.

EDR remote management options allow trained and certified experts to monitor network activity, flag and respond to anomalous activity, and stop cyber attacks that would otherwise compromise your organization. Having experienced and trained security professionals on your side is a superior alternative to installing a piece of software and hoping the built-in software is sufficiently up-to-date and nuanced enough to effectively identify and respond to threats.

Where to Go From Here

The combination of endpoint monitoring with traditional network security gives organizations an unprecedented and holistic view of their organization’s threat surface—and the once-invisible activity occurring on it.

At SecurIT360, we are a team of skilled cyber security professionals that can partner with your organization to provide an EDR solution that is customized to protect your business, its data, and your bottom line. EDR can integrate with minimal lift from your team or changes to your existing security architecture.

Oh, and if you’re curious: the proper way to respond to a cybersecurity incident.

SecurIT360 is a managed services provider proficient in monitoring and incident response, assessments and penetration testing, compliance, and general cybersecurity consulting. Contact us to learn more.


Artificial Intelligence Advancements In Healthcare: The Needed Next Level of Cyber Security

How is Artificial Intelligence being used in healthcare?

Artificial Intelligence, or AI, is having a dramatic effect on the healthcare sector. At its core, artificial intelligence seeks to mimic the unique processing capacity of the human brain. Using algorithms, pattern matching, deep learning, cognitive computing, and heuristics, AI is able to quickly sort through masses of raw data. This is incredibly helpful in the medical field. In addition to the millions of Electronic Health Records (EHRs) at the center of our healthcare system, medical practitioners must also incorporate data from studies, data from testing, and past patient records when diagnosing and treating a case. AI can use predictive models to find irregularities or similarities in raw data that doesn’t have to be pre-sorted. This helps doctors improve diagnosis accuracy, patient care, and outcomes. AI’s ability to find meaningful relationships in data is being used as a powerful tool to aid in drug development as well as patient monitoring and treatment plans. Artificial Intelligence is becoming more common in many parts of the healthcare system, and it is estimated that $36.8 billion will be invested in AI systems across the US by 2025. AI is poised to be the main force that drives improvement across the healthcare industry.

Why is this a big deal?

Artificial Intelligence will be the engine of change by organizing masses of data and giving relevance to data points, which will ultimately improve reliability and objectivity in diagnoses. AI will provide context for patient data more quickly than ever before, allowing doctors to identify and treat diseases accurately, minimizing misdiagnosis and lowering the mortality rate. In addition, the costs for drug development will be lower, as we will more accurately be able to predict the drugs’ effects in certain patients. This all leads to an increase in doctors’ facetime with patients. They become freed from analyzing mountains of data and more able to focus on care and healing.

What concerns with cybersecurity arise when using AI?

When we open up patient records to artificial intelligence, we are opening up our systems to outside attacks. With sensitive information at risk, healthcare providers must be very careful that their rate of system upgrade does not outpace their security improvements. Installing new systems that sort sensitive patient data must be tested from all endpoints to ensure there are no flaws or vulnerabilities to attack. AI dramatically increases the complexity of assessing security threats. These new systems could be a point of entry for malware that will be difficult for systems designed to monitor human behavior to detect. 

What upgrades in cybersecurity are necessary to protect against these concerns?

Greater use of AI in healthcare systems means that we need greater use of AI in cybersecurity software to match it. Our main protection will be anomaly detection, which means installing detection programs across all endpoints in the system. Anomaly detection works in the same way that AI identifies meaningful relationships in patient data: it monitors the system and senses potential threats whenever there is unusual behavior. Anomaly detection can do more than discover malware within a system. It can also identify where cyber attacks are coming from and what kind of attacks are being perpetrated. Predictive analytics for malware detection can identify suspicious files and prevent them from opening, stopping problems before they start. Properly planned and configured, these new cybersecurity measures act like the immune system of a healthcare company.
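The behavioural anomaly detection described above can be illustrated without any machine-learning library: build a per-user baseline of normal activity (here, daily counts of patient-record accesses), then score each new day against that baseline and flag large deviations. The script below is an added example, not code from the original post or from any vendor; the user names, counts and thresholds are constructed, and it deliberately handles two edge cases a real detector must face, a perfectly flat baseline (which would otherwise divide by zero) and a user with no history at all.

```python
"""Baseline-and-deviation anomaly detection over per-user daily record-access counts.

Added example; the user names, counts and thresholds are constructed for the
demonstration and are not from the original post or any product.
"""
import statistics
from typing import Dict, List

Z_THRESHOLD = 3.0     # assumed: flag anything more than 3 standard deviations from normal
MIN_STDEV = 1.0       # floor so a flat baseline still yields a finite, meaningful score
MIN_HISTORY_DAYS = 7  # assumed: fewer observations than this is not a usable baseline


def zscore(history: List[int], value: int) -> float:
    """How many (floored) standard deviations `value` sits from the historical mean."""
    mean = statistics.fmean(history)
    sd = max(statistics.pstdev(history), MIN_STDEV)
    return (value - mean) / sd


def flag_anomalies(history: Dict[str, List[int]], today: Dict[str, int],
                   threshold: float = Z_THRESHOLD) -> Dict[str, str]:
    """Return {user: reason} for every user whose activity today is anomalous.

    A user with no (or too little) history cannot be scored and is reported as such,
    rather than silently treated as normal; that is the case an attacker-created or
    newly repurposed account would fall into.
    """
    flagged = {}
    for user, count in today.items():
        past = history.get(user, [])
        if len(past) < MIN_HISTORY_DAYS:
            flagged[user] = f"no usable baseline ({len(past)} days of history), {count} accesses today"
            continue
        z = zscore(past, count)
        if abs(z) > threshold:
            flagged[user] = (f"{count} accesses today vs. mean {statistics.fmean(past):.1f}, "
                             f"z = {z:.1f}")
    return flagged


# Constructed 14-day history of daily record accesses per user, and one new day.
HISTORY = {
    "nurse-12": [28, 31, 30, 29, 33, 27, 30, 32, 29, 31, 30, 28, 31, 30],
    "dr-03": [12, 15, 11, 14, 13, 12, 16, 13, 14, 12, 15, 13, 12, 14],
    "billing-5": [40] * 14,   # perfectly regular batch job
}
TODAY = {
    "nurse-12": 31,       # ordinary day
    "dr-03": 120,         # roughly ten times the usual volume
    "billing-5": 44,      # small change, but the baseline never varies
    "svc-import": 5000,   # account with no history at all
}

if __name__ == "__main__":
    for user, reason in flag_anomalies(HISTORY, TODAY).items():
        print(f"{user}: {reason}")
```

With the constructed data, `nurse-12` scores well under the threshold and is not reported, `dr-03` is flagged by a very large z-score, `billing-5` is flagged only because the floored standard deviation turns a four-record change on a flat baseline into z = 4, and `svc-import` is reported for lacking a baseline. The floor and the history minimum are the two knobs a practitioner tunes first: too small a floor floods analysts with alerts from regular batch jobs, too large hides real changes.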

What are the challenges in implementing new AI/Cyber Security Procedures in healthcare systems?

Establishing new and heightened security procedures requires behavior monitoring to make sure users are complying with the new systems. While some users may find increased security measures intrusive at first, compliance is paramount. When cybersecurity systems are implemented without factoring in the human element and allowing time for training, users often fall back on unauthorized apps and outdated but familiar systems. These non-sanctioned entrances into the system leave it vulnerable to a breach. There are human users in your system in addition to AI, and it takes time and planning to make sure your innovations don’t outpace your cybersecurity procedures. A coordinated strategy that considers both human and artificial intelligence creates a healthcare system that is more accurate, faster, and cheaper for patient treatment.

Want to know more about how you can ensure your company is secure? Contact us!

An Argument for Increased Focus on Data Backups

The necessity for backups has always existed, but the reason for backing up has changed significantly in recent years. Today, backing up data is just as important for cyber security reasons as it ever has been for disaster recovery. But our architecture must be rethought with this new emphasis.

When did we start conducting data backups?

A long time ago–in a galaxy far, far away…–backups were theoretically designed to mitigate the risk of a disaster: fire, flooding, equipment failure, etc. In reality, they were used primarily to correct bad decisions (we updated the server and it crashed, now we must go back to the previous version). A long-standing practice of any IT change process I have been a part of has been “Back it up before you do that.” With the prevalence of virtual machines and the ease of taking a “snapshot,” backups became very easy to do. Backup software and converged infrastructure have made this increasingly robust and convenient as well.

However, convenience comes at a price. Many of our backup systems are on shared storage: logically, we back up to the same place our files are stored. This is the underlying fallacy in our new cybersecurity reality. Our backups used to go to tape and get stored off-site. A return to this complexity needs to occur.

Backup Best Practices

Backups need to be on a completely separate storage volume that is not accessible to anyone or any bot except the backup software. The backup credentials need strict complexity and policy requirements to prevent misuse. Traffic should only be initiated from the backup network to the backup target, with no traffic allowed to be initiated from the client network. Additionally, this information needs to be taken offline regularly, removing it from the network.

Data Backup Best Practices illustration

Here’s a scenario: Organization X is performing backups and test restores according to their risk management profile. Some info is backed up daily, some hourly. Everyone is happy with the results. Suddenly, ransomware attacks the network and begins encrypting any data that is exposed, including backup files on a shared drive. This renders the backups useless for recovery from this attack.
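As an added example, not code from the original post, the check below shows what a test restore should include for the scenario above: a hash manifest taken when the backup is written (and kept with the offline copy), a later verification that flags missing or altered backup files, an entropy test that tells a file rewritten by ransomware apart from an ordinary change, and a check that the backup target is not on the same volume as the source. File names are constructed; only the standard library is used.

```python
"""Added example (not the post's code): verify a backup set against its manifest
and check that it sits on a separate volume. Constructed file names; stdlib only."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large archives need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8.0 are typical of encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(backup_dir: Path) -> dict[str, str]:
    """Hash every file in the set; keep the manifest with the offline copy."""
    return {str(p.relative_to(backup_dir)): sha256_of(p)
            for p in sorted(backup_dir.rglob("*")) if p.is_file()}


def verify_backup(backup_dir: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Report missing files, changed files, and changed files that now look
    encrypted (the shared-drive ransomware case from the scenario above)."""
    report: dict[str, list[str]] = {"missing": [], "modified": [], "looks_encrypted": []}
    for rel, expected in manifest.items():
        p = backup_dir / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_of(p) != expected:
            report["modified"].append(rel)
            if shannon_entropy(p.read_bytes()[:4096]) > 7.0:
                report["looks_encrypted"].append(rel)
    return report


def on_same_volume(a: Path, b: Path) -> bool:
    """True when the backup target shares a device with its source (no isolation)."""
    return os.stat(a).st_dev == os.stat(b).st_dev


def simulate_shared_drive_scenario() -> dict[str, list[str]]:
    """Constructed scenario: back up two files, then let 'ransomware' overwrite
    one in place with random bytes and delete the other."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backups"
        backup.mkdir()
        (backup / "db-monday.bak").write_bytes(b"CREATE TABLE patients (...);\n" * 200)
        (backup / "db-tuesday.bak").write_bytes(b"INSERT INTO patients VALUES (...);\n" * 200)
        manifest = build_manifest(backup)
        (backup / "db-monday.bak").write_bytes(os.urandom(4096))
        (backup / "db-tuesday.bak").unlink()
        return verify_backup(backup, manifest)
```

Run the verification from the backup network against the backup target, with the manifest read from the offline copy; a non-empty report is the "the backup process didn't work" message the executive discussion below is about.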

Finally, this needs to be an executive level discussion. If you were the CEO of an organization, you would immediately be informed if the network was “down.” Being operational and ensuring your employees are productive is the most important piece of information you can receive from your IT team. The second most important piece of information should be “the backup process didn’t work last night.” The amount of risk this puts you in, potentially having to replace work from an entire day or longer, should be a risk you are aware of and constantly guarding against.

Have You Switched to Microsoft Advanced Security Auditing Yet?

Stop waiting.

Nothing is more critical during a security investigation (incident response, or “IR”) than the quality of the information coming from your log sources. During a recent incident, progress stopped due to insufficient auditing settings. The IR closed with inconclusive findings and a remediation project to standardize and enable Microsoft Advanced Security Auditing. Microsoft released Advanced Security Auditing with Windows Vista and Windows Server 2008. After 12 years, I still see environments that have not configured it. In today’s threat landscape, most businesses are one incident from regretting it.

What is Advanced Security Auditing?

Here is an explanation from Microsoft:

“Security auditing is a methodical examination and review of activities that may affect the security of a system. In the Windows operating systems, the definition of security auditing is the features and services that enable an administrator to log and review events for specified security-related activities.

Hundreds of events occur as the Windows operating system and the applications that run on it perform their tasks. Monitoring these events can provide valuable information to help administrators troubleshoot and investigate security-related activities.”


Microsoft goes on to explain the difference between audit policies located in “Local Policies\Audit” and in the Advanced Audit Policy Configuration:

“The basic security audit policy settings in Security Settings\Local Policies\Audit Policy and the advanced security audit policy settings in Security Settings\Advanced Audit Policy Configuration\System Audit Policies appear to overlap, but they are recorded and applied differently. When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in (secpol.msc), you are editing the effective audit policy, so changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe.

There are a number of additional differences between the security audit policy settings in these two locations.

There are nine basic audit policy settings under Security Settings\Local Policies\Audit Policy and settings under Advanced Audit Policy Configuration. The settings available in Security Settings\Advanced Audit Policy Configuration address similar issues as the nine basic settings in Local Policies\Audit Policy, but they allow administrators to be more selective in the number and types of events to audit.

Image of a Local Audit Policy

For example, the basic audit policy provides a single setting for account logon, and the advanced audit policy provides four. Enabling the single basic account logon setting would be the equivalent of setting all four advanced account logon settings. In comparison, setting a single advanced audit policy setting does not generate audit events for activities that you are not interested in tracking.

In addition, if you enable success auditing for the basic Audit account logon events setting, only success events will be logged for all account logon–related behaviors. In comparison, depending on the needs of your organization, you can configure success auditing for one advanced account logon setting, failure auditing for a second advanced account logon setting, success and failure auditing for a third advanced account logon setting, or no auditing.”

Image of Microsoft’s Advanced Audit Policy Configuration

What does this mean for my organization?

Where possible, SecurIT360 recommends implementing Microsoft Advanced Security Auditing at the domain level. This, in combination with Event Log Policies, forces retention of security log information for as long as possible on all machines.
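As an added example (not from SecurIT360 or Microsoft), a small compliance check for the account logon case discussed above: it reads the CSV that `auditpol /get /category:* /r` exports, reports which of the four advanced Account Logon subcategories do not audit the required outcomes, and works out which basic "Audit account logon events" value, if any, would generate the same events. The sample rows and GUIDs are constructed; the column layout follows that export.

```python
"""Added example (not from SecurIT360 or Microsoft): check an exported audit
policy for the four advanced Account Logon subcategories the post refers to.
Input is the CSV written by `auditpol /get /category:* /r`; the rows below are
constructed and the GUIDs are placeholders, but the column layout follows that
export."""
import csv
import io

# Together these four advanced subcategories equal the single basic
# "Audit account logon events" setting discussed above.
ACCOUNT_LOGON_SUBCATEGORIES = (
    "Credential Validation",
    "Kerberos Authentication Service",
    "Kerberos Service Ticket Operations",
    "Other Account Logon Events",
)

SAMPLE_EXPORT = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
DC01,System,Credential Validation,{guid-placeholder-1},Success and Failure,
DC01,System,Kerberos Authentication Service,{guid-placeholder-2},Success,
DC01,System,Kerberos Service Ticket Operations,{guid-placeholder-3},No Auditing,
DC01,System,Logon,{guid-placeholder-4},Success and Failure,
"""


def parse_auditpol_csv(text: str) -> dict[str, set[str]]:
    """Map each subcategory to the outcomes it audits: a subset of {Success, Failure}."""
    policy: dict[str, set[str]] = {}
    for row in csv.DictReader(io.StringIO(text)):
        setting = (row.get("Inclusion Setting") or "").strip()
        outcomes = {o for o in ("Success", "Failure") if o in setting}
        policy[row["Subcategory"].strip()] = outcomes
    return policy


def account_logon_gaps(policy: dict[str, set[str]],
                       required: frozenset = frozenset({"Success", "Failure"})) -> dict[str, list[str]]:
    """Subcategories that are absent from the export or do not audit every
    required outcome, with the outcomes they lack. Empty dict means compliant."""
    gaps = {}
    for name in ACCOUNT_LOGON_SUBCATEGORIES:
        missing = required - policy.get(name, set())
        if missing:
            gaps[name] = sorted(missing)
    return gaps


def equivalent_basic_setting(policy: dict[str, set[str]]) -> str:
    """The basic 'Audit account logon events' value that would produce the same
    events, or 'No equivalent' when the four advanced settings differ."""
    settings = {frozenset(policy.get(n, set())) for n in ACCOUNT_LOGON_SUBCATEGORIES}
    if len(settings) != 1:
        return "No equivalent"
    only = next(iter(settings))
    return " and ".join(sorted(only, reverse=True)) if only else "No Auditing"
```

The same pattern extends to any other subcategory group your baseline requires; feed it the export from each machine to find the hosts whose effective policy differs from the GPO.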

SecurIT360 has teamed up with the Center for Internet Security to establish best practice settings. These settings can be the difference between an IR that ends with a conclusion vs. an IR that ends inconclusively.

For more information on how SecurIT360 can assist you with Security Monitoring, Auditing, Managed Detection and Response Services, and Endpoint Detection and Response, contact us.


References: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-auditing-faq

Everything you wanted to know about Ransomware…but were afraid to ask

What is Ransomware?

Ransomware is a type of malicious software that prevents users from accessing their computer system or files until a sum of money (ransom) is paid. In the malware landscape, ransomware has earned itself a well-deserved nasty reputation.

There are two types of ransomware identified in this branch of the malware family tree: 1) locker ransomware and 2) crypto ransomware.

Locker ransomware effectively locks Windows access, preventing the user from accessing their desktop or files. Typically designed to prevent access to the computer interface, locker ransomware mostly leaves the underlying system and files unaltered. A message is displayed on the screen with instructions on how to regain access to the files. Winlocker is an example of this type of ransomware.

Crypto ransomware was designed to prevent access to specific, valuable data by encrypting the files using strong, public-key encryption. After performing the encryption, the bad actor would demand payment in exchange for a key that could be used to decrypt the files. Examples of this type of ransomware include Cryptolocker and CryptoWall among others.

Ransomware History

Modern crypto ransomware variants didn’t really come to the forefront of cybersecurity until around 2005. However, would you believe the first of this type was seen in 1989? The AIDS Trojan was identified in 1989 in England, making it the first of its kind. Also known as the PC Cyborg Trojan, it was propagated by mail…that’s right, no ‘e’. The creator of the virus, Dr. Joseph Popp, snail-mailed some 20K diskettes to victims under the guise of supplying AIDS research information.

The malware would replace the AUTOEXEC.BAT file when the diskette was inserted into the user’s disk drive. The altered BAT file tracked the number of times the computer was rebooted. When the boot count reached 90, a splash screen informed the user of their situation: “Unless you pay me $$ you will not get your files back”. The virus worked by encrypting filenames. Relatively primitive in design, it nonetheless rendered the files unusable. It didn’t take long for security researchers to reverse engineer the code and give users the ability to unlock their files.

The AIDS Trojan established the ransomware threat in 1989, but this type of malware wasn’t widely used in cybercrime until many years later. Jump forward to 2005 to see the accelerated acceptance and use of ransomware by criminal enterprises and bad actors.

Evolution of Ransomware

Ransomware in today’s threat landscape is affecting users worldwide. Different variants have evolved over the years. Driven by criminal enterprises that have seen the opportunity for financial gain, this family of malware has seen a dramatic increase in use over the last 15 years. Other direct revenue-generating threats in the digital age include misleading apps and fake anti-virus.

Misleading Applications

Some of the early manifestations of revenue generating malware were called “misleading applications” and “fake anti-virus”. The first wave of these types of malware was identified around 2005.

Misleading applications intentionally misrepresent the security status of a user’s system. Fake anti-virus programs attempt to convince the user to purchase software to remove non-existent malware or security risks from the computer. Pop-up Ads would be presented to users while browsing, usually from sites which had been compromised. The ads posed as spyware removal tools, system performance optimizers or anti-virus solutions.

The ads would exaggerate the condition of the system or the impact of a discovered “threat”. The offer was to fix these issues for a small license fee. As a rule, there were no actual threats or issues and even if the user paid the extortion fee nothing was changed on their system.

These were not ransomware by the strict definition, but they nonetheless exploited users’ lack of security awareness and fear. SpywareClear, ImproveSpeedPC, SpySheriff, and RegistryCare are early examples of this type of malware.

Locker and Crypto Ransomware

Around 2008 the attack methodology shifted from fake anti-virus to a more troublesome form of revenue-generating malware: the locker ransomware family. Now cybercriminals disabled access to and control of a user’s computer, effectively holding the system hostage until payment was made.

Not only did cybercriminals increase the impact to the user’s system with lockerware, they also increased the dollar amounts they demanded. Additionally, as locker ransomware gained popularity (its use peaked around 2011 and 2012), it shifted from just reporting non-existent issues or errors to actually taking control of access to the computer.

2013 brought the next step in the malware evolution: crypto ransomware. This was the year the first variant of CryptoLocker was identified, and with it came a new mechanic in the ransomware modus operandi: asymmetric encryption.

As discussed earlier, locker ransomware changed access controls and prevented a user from accessing the data. This meant the data was still on the system in a readable format, but the user could not reach it through the OS. Crypto ransomware differed in that it actually rendered the data unreadable by encrypting it. The user still had logical access to the data files but could not read them.

CryptoLocker was a hugely successful but short-lived variant in this malware family. The original CryptoLocker botnet that controlled it was shut down in the middle of 2014. However, it was reported that the operators successfully extorted nearly $3 million USD before the shutdown.

The old saying “imitation is the sincerest form of flattery” very appropriately describes cybercriminal activity in the crypto ransomware field subsequent to CryptoLocker.  Since its launch, cybercriminals have widely mimicked and copied the CryptoLocker approach. So much so that the Cryptolocker name has become synonymous with ransomware.

Ransomware – What Lies Ahead

Ransomware is a constantly evolving threat. It is difficult to predict the direction ransomware will head in the coming years. The threat landscape is continually changing, with cybercriminals always looking for new methods and vectors for generating revenue. The ransomware concept has matured to the point that “Ransomware as a Service” is an identifiable vertical in the cybersecurity theater.

The battle against ransomware is a major task that requires everyone’s participation. Engineers and product designers creating new technologies or products will need to embed security into their creation process by considering use cases that could be leveraged for malicious intent. End users will need to stay vigilant and follow basic security best practices to help protect their data. Security awareness needs to be emphasized to end users to help them avoid clicking on malicious links and to make sure their systems and software are appropriately patched.

One of the most important (and underemphasized) mitigation strategies you can adopt to protect yourself and your data is making backups. At the least, back up the data that is important to you, and do it on a regular basis.

Ransomware Solutions

There is no bullet-proof solution when it comes to cybersecurity. Security is a process, not a product. Knowledge is a powerful weapon in the fight against cybercriminals. This knowledge can be gained by both individual research and professional consultation. While reading up on ransomware and cybersecurity will increase your awareness of threats and help you better understand how to recognize and avoid future attacks, a consultation with SecurIT360 can provide valuable tools to take your cybersecurity strategy to the next level.

If you would like to learn more about how you can protect your corporate data, please click here to contact us. SecurIT360 provides audits, assessments, and analysis of systems and operations across multiple industries including legal, financial, utilities, and healthcare. Let us help you determine where you should spend your time and money protecting your information.

Do you really need a smart toaster?

Even though you CAN buy it, you need to ask yourself whether you really SHOULD buy that Internet-connected appliance…

Very few people would seriously consider this question before purchasing a brand new appliance or item that has all sorts of nifty and exciting ‘up-sell’ features, such as network or direct Internet-connectivity.

But for those of us who work in the computer and network security fields, this question is neither academic nor trivial.

It’s easy to understand why Internet-connected gadgets are tempting. Who wouldn’t want a dog collar with a GPS in it, in case Fido runs away? Who would turn down a tracking unit you could put in your child’s backpack in case they get lost or something more sinister happens? And who wouldn’t find some convenience in a video-capable home security system that was able to be monitored while you were at work?

The problem is that the security of these gadgets is questionable at best. Multinational, experienced software companies, such as Microsoft and Apple, have entire divisions devoted to securing their software and hardware, and yet potential and actual compromises are announced almost on a weekly basis. Most corporations have IT security teams who monitor and test systems on a regular basis but we read about corporate breaches almost daily.

In light of those observations, can we really trust the manufacturing company that creates a product that allows you to keep track of your child or pet via an Internet-based website? How do we know they’re performing due diligence to keep the location of your child safe? How can you be assured that a potential burglar isn’t watching for the next time you kennel your pets, giving them a good idea when you’re out of town? And who’s monitoring the log data to be sure that your home security system wasn’t shut down remotely for a brief period today and then reactivated? Or who’s making sure that your “private” video feed into your house isn’t quite so private after all?

Sometimes it pays to be a little paranoid and cautious. When purchasing a product with a network connection, do some due diligence. First, ask yourself if you really need it. Is it going to simplify your life or bring a reward that’s worth the risk? Second, do a little research. Find manufacturers with a proven track record or maybe those who have partnered with a security-conscious company. And above all, be careful. Be aware of what you have and practice common sense security precautions – change passwords, watch for anomalous behavior, and review and apply software updates.