The Botnet Army is coming

Look out Twitter, Amazon, and Facebook – as well as the internet community as a whole. A large botnet army is growing daily with over 2 million Internet of Things (IoT) devices currently under its control. The latest threat has been dubbed “Reaper,” and has quietly infected millions of IoT devices such as webcams, security cameras, and digital video recorders in the last few months.

The primary concern with this attack is that this large-scale army could hold websites hostage. These attacks happen in two phases. Phase 1 is simply showing their victims that its possible. For example, last October the Mirai attack against DYN root server (one of 13 master servers across the internet that’s used for locating resources on the internet) brought down the internet along the entire East Coast of the United States. This attack was conducted with 100,000 bots – far less than the 2 million that Reaper has under its control. In simple terms, 100,000 IoT devices sent data traffic targeted a DYN, so much traffic that the services being hosted by the company were not able to respond. This is a Denial of Service attack, but because it was distributed across the internet it is officially termed Distributed Denial of Service attack or DDOS. DDOS attacks are generally very difficult to protect against, although not completely impossible.

DDOS Attack

Phase 2 is the “shakedown” itself. Once the attacker has proven to their victims that they can, in fact, deploy a Denial of Service attack on their site, they will then threaten to bring it down during its peak period, like the holiday shopping season or a major event like the Super Bowl, unless a ransom is paid. If the ransom isn’t paid, the site goes down and businesses could quickly end up losing revenue. Most recently a DDOS attack was believed to be an extortion attempt on a Hong Kong gaming site.

You may be wondering what happens if a ransom isn’t paid. Let’s take a quick look at the financial impact of these types of outages. In 2015 Apple faced a 12-hour outage that cost them $25million dollars, while Amazon’s outage was estimated to have lost them $62,000 per minute. Smaller companies like Yellowknife Grocer lost about $20,000 for a two-hour outage. In a virtual world, these are the real life costs of cybercrime.

Protecting against DDOS attacks can be very simple – fix what is broken. In the old days (a few years ago), most DDOS attacks were performed by computers that were vulnerable to exploits. In 2006, a new, unprotected computer could be compromised in as little as 10 seconds. Today, however, attacks on unprotected computers are no longer measured, which speaks to the evolution of security from vendors like Microsoft, Apple, and Red Hat. Now, the threat is with IoT devices, which data shows can be infected in as little as 6 minutes after going on line. There are 7 billion devices online today and projected 26 billion by 2020. That’s 7 billion devices that have the protentional of being compromised right this minute, with more being added every second. Reaper has compromised less than half of 1% of these devices and is the most powerful botnet to date.

There are two ways to address this problem. The simple way, and frankly the best option, is to hold the manufacturers of these devices responsible for automated patching, updates, and other security measures. Software vendors like Microsoft and others have started building in automatic updates to enhance and protect their software, resulting in less support calls and a more secure operating environment. Vendors like Meraki have been doing this for years. Every Sunday, the device checks for updates and apply them. During the initial deployment, the device is updated to the latest version of the software. What is preventing this from happening across the board, however, is bottom line profits. In the case of Meraki, a year subscription provides the updates, however my Netgear wireless router – for example – is purchased once with no ongoing support. The user has to go and get the updates, which in most cases is not going to happen proactivity.

Firmware Update Process

In a perfect world automated updates would mitigate threats in the same way Microsoft and Apple have. Unfortunately, we don’t live in a perfect world and we need to have a “belt and suspenders” approach to security. Which brings us to the second way to potentially avoid botnet attacks. We need to work with service providers to identify risk and mitigate them. Let’s not be so naïve as to believe our traffic is not monitored. In fact, in the United States we agree to it automatically, whether we realize it or not, when we utilize services from Verizon, Comcast, and others. ISPs need to publicly and actively monitor their traffic for abuse and exploits. If we can identity 2 million bots across the internet, we have a good idea of what traffic is being generated from which network. ISPs have the ability to mitigate botnets and their effectiveness by shutting down the source, all within the service level agreement that users agree to when subscribing to the service. Although this opens a can of worms and could be a slippery slope, we must do something to migrate these threats as a community.

We have community policing in the real world, and now it’s time to extend it to the internet.

Increasing Cyber Security by Utilizing Cloud Services

Over the next few weeks we will look at different cloud solutions to increase cyber security and hopefully provide insight into what’s going on with your end-point.

The key to effective security is simply knowledge – knowing what your employees and organization are doing is key to securing your environment. Regardless of the controls you have put in place there will almost always be a workaround, and while most are not intentionally malicious, they do produce threats to the organization, whether they’re compliance-based, data leaks, or just a lack of control on corporate information.

Today, we’re going to look at Microsoft’s Cloud Apps Security.

Microsoft Cloud Apps security is available as a standalone offering at $5.00 per user per month or included with Microsoft Enterprise Mobility Suite + Security E5, or Azure Active Directory Premium 2. These packages, which we will discuss in more detail in a later post, offer a host of security services to help strengthen a corporate network. I would suggest looking at all the benefits in Azure Active Directory Premium 2, as it offers a comprehensive solution for security for less than $10.00 per user per month.

Cloud App Security is designed to identify applications and services being used by all devices on your network. Agent or agentless information can be collected from your firewall or from a network device by installing an agent. This is the discovery phase and provides complete visibility and context for usage. Now you will have the ability to know what users are doing on your network. Think about this, if a user were to be transferring 100GB of data to box storage – or worse yet, transferring it via HTTP. This may not be suspicious in and of itself, but you may not have known that level of detail in the past until it was too late. With appropriate security in place, you will now have the ability to investigate early and prevent a potential breach, which could otherwise go unnoticed for months at a time.

Once you have identified sanctioned cloud apps, you can set granular controls and polices to share your data leak protection in your cloud environment. Preventing the use of non-sanctioned cloud based apps which is key to protecting your organizations assets.

When you have configured your polices, the real power of Cloud App discovery can be utilized. Threat protection identifies not only policy volitions (and locks them down) but uses Microsoft threat intelligence and research to identify high-risk usage, security incidents, and detect abnormal user behavior to prevent threats and provide real-time feedback via Microsoft Azure Portal and/or email notifications when a policy violation or threat has been identified.

Cloud App discovery can be used not only in a proactive security model to understand user behavior and provide insight into what’s leaving your network, but also as a real-time reactive tool preventing data loss that may have gone unnoticed.

Configuring this service isn’t that difficult with a bit of experience and practice. The first question that needs to be asked is agent or agentless. Agentless means collecting data from the firewall and then analyzing it with cloud app security; this is a good option in a mixed network environment (i.e.: Macs, Windows, Linux, etc.), with a few caveats:

  1. Your firewall must be supported (In most cases Enterprise and SMB firewalls such as Cisco, Sonicwall, Sophos, Palo Alto, etc. will work).
  2.  You can only analyze what you collect, meaning if you’re not collecting target URL, then it will not be available within the report.
  3. Continuous report data is analyzed twice per day

At a high level, you need to deploy a log collector (syslog or FTP) and then upload to Azure, for additional details see: http://bit.ly/2gFauH6

Agent deployments are very simple. You download an agent that is unique to your Azure deployment and push out via GPO, etc.. I personally prefer the agent deploy as it collects data for users that are off network. For additional information: http://bit.ly/2gEu468. Ideally running both the agent and agentless configuration would give the greatest insight into the end points.

The bullet points:

  • Cloud app Discovery/Security, cloud service provided by Microsoft
  • Standalone at $5.00 per user per month
  • Included with Azure AD P2 (recommended)
  • Included with EMS +security E5
  • Provides insight into what apps are being use by devices on your network
  • Pro-active lockdown of end point when a policy violation has occurred or threat
  • Two deployment models

Firewall data collection (agentless)

  • Requires a data collector
  • Agent deploys
  • Agent to be installed on each computer
  • Reports and Notification

https://www.linkedin.com/pulse/api/edit/embed?embed=%257B%2522request%2522%3A%257B%2522originalUrl%2522%3A%2522https%3A%252F%252Fwww.youtube.com%252Fwatch%253Fv%3DCcAmgQ8dXA8%2522%2C%2522finalUrl%2522%3A%2522https%3A%252F%252Fwww.youtube.com%252Fwatch%253Fv%3DCcAmgQ8dXA8%2522%257D%2C%2522images%2522%3A%255B%257B%2522width%2522%3A480%2C%2522url%2522%3A%2522https%3A%252F%252Fi.ytimg.com%252Fvi%252FCcAmgQ8dXA8%252Fhqdefault.jpg%2522%2C%2522height%2522%3A360%257D%2C%257B%2522width%2522%3A1280%2C%2522url%2522%3A%2522https%3A%252F%252Fi.ytimg.com%252Fvi%252FCcAmgQ8dXA8%252Fmaxresdefault.jpg%2522%2C%2522height%2522%3A720%257D%255D%2C%2522data%2522%3A%257B%2522com.linkedin.treasury.Video%2522%3A%257B%2522width%2522%3A480%2C%2522html%2522%3A%2522%253Ciframe%2520scrolling%3D%255C%2522no%255C%2522%2520allowfullscreen%2520src%3D%255C%2522%252F%252Fmedia.licdn.com%252Fembeds%252Fmedia.html%253Fsrc%3Dhttps%25253A%25252F%25252Fwww.youtube.com%25252Fembed%25252FCcAmgQ8dXA8%25253Ffeature%25253Doembed%26amp%3Burl%3Dhttps%25253A%25252F%25252Fwww.youtube.com%25252Fwatch%25253Fv%25253DCcAmgQ8dXA8%26amp%3Btype%3Dtext%25252Fhtml%26amp%3Bschema%3Dyoutube%255C%2522%2520width%3D%255C%2522480%255C%2522%2520frameborder%3D%255C%25220%255C%2522%2520class%3D%255C%2522embedly-embed%255C%2522%2520height%3D%255C%2522270%255C%2522%2520%252F%253E%2522%2C%2522height%2522%3A270%257D%257D%2C%2522provider%2522%3A%257B%2522display%2522%3A%2522YouTube%2522%2C%2522name%2522%3A%2522YouTube%2522%2C%2522url%2522%3A%2522https%3A%252F%252Fwww.youtube.com%252F%2522%257D%2C%2522author%2522%3A%257B%2522name%2522%3A%2522Microsoft%2520Cloud%2520Platform%2522%257D%2C%2522description%2522%3A%257B%2522localized%2522%3A%257B%2522en_US%2522%3A%2522Microsoft%2520Cloud%2520App%2520Security%2520helps%2520you%2520to%2520bring%2520deeper%2520visibility%2C%2520stronger%2520controls%2520and%2520enhanced%2520threat%2520protection%2520for%2520your%2520cloud%2520apps.%2520It%2520starts%2520with%2520disco…%2522%257D%257D%2C%2522title%2522%3A%257B%2522localized%2522%3A%257B%2522en_US%2522%3A%2522Microsoft%2520Cloud%2520App%2520Security%2520Log%2520Upload%2522%257D%257D%2C%2522type%2522%3A%2522video%2522%257D&signature=Adl_CFDh-IIRV27lzRZLcMzwIeoX

Follow me on Twitter @JSLauria for real-time security notification.

The Future of Cybersecurity

cybercrime

The past few months have been a significant wake up call for the cybersecurity industry, as well as a clear illustration of the impact and power of cyberterrorism and cyberwarfare around the world. Due to ransomware programs and viruses like WannaCry and Petya, or secret government sponsored hacking tools that have yet to be discovered, the global infrastructure is vulnerable and, unfortunately, there’s no end in sight. In the cases of WannaCry and Petya, these attacks relied on a known, published vulnerability, which gave users time to apply the appropriate patches and security updates. For those that followed appropriate protocol, many were able to avoid becoming victims of either of these attacks. However, in most cases, cyberattacks find and exploit unknown vulnerabilities, which results in far more individuals and organizations becoming victims.

As more devices and services come online, the risks are magnified. The internet offers access to global information in a way that we’ve never seen before. Gone are the days of Encyclopedia Britannica, libraries and hard copies; they’ve been replaced with search engines, Wikipedia, and social media for up-to-date information. The convenience of the internet has also found its way into the enterprise space. Gone are the days of MPLS, VPN dial-up, and private lines; they’ve been replaced with the global network – aka the internet – which businesses have embraced due to faster speeds, instant access, and lower costs.

Incidentally, as more business and services move to the internet the less secure we become. When some services, like Amazon or Netflix, are unavailable it’s nothing more than inconvenience, however not being able to access critical services like banking, health information, or and infrastructure is far more than just an inconvenience. Globally, the critical services and infrastructure (such as power, water, transit, and communications) of cities are becoming automated and connected. While these connections allow for better management of the municipalities and their resources, they also make them vulnerable and targets.

Over the past few months we have seen a significant amount of cybercrime/attacks through ransomware and other malware or exploits. When you take a deeper look, you start to see a pattern of behavior which includes:

·      Attacks on a larger scale, meaning more end-points being infected

·      Globalization within hours as opposed to days

·      Larger Internet outages, such as the east coast in October 2016

·      Hostile countries such as Russian, North Korea, and China being identified as state sponsors of cyber attacks

It’s a only a matter of time until a large scale attack brings down a city’s power grid, or worse. You can expect to see more attacks over the next year from countries like North Korea and China.

What can be done? Companies like Microsoft are calling for a global digital convention (http://bit.ly/2vqWov9) to globally combat cyberattacks and set policies for rules of engagement, such as not attacking civilians during times of war. Unfortunately, this thinking is naïve. We’re not talking about dropping bombs or shooting bullets, more damage can be done within minutes from keyboard 6,400 miles away from its target. When thinking about cyberwarfare what are the targets? Services such as power, communications, and transit. An attack on any of these services would be a direct attack on civilians. Better technology, more security, and less connectivity is what will, ultimately, be effective in reducing cyberattacks.

 

The Bad News Is, Cybercrime Is Growing

cybercrime logo

Since 2011 the cybercrime industry has grown from $114 billion to an estimated $600 billion in 2016, and is expected to exceed $2 trillion by the year 2020. These dollar amounts, which are a rough estimation due to the fact that many instances of cybercrime go unreported, represent the amount of money that has been extracted from companies either by way of identity theft, extortion, or the cost of making repairs to systems and hardware, and do not include figures that represent lost wages and productivity. On average, 1.5 million people each day are effected by cybercrime, which includes ransomware, phishing, and stolen identities, and sadly many of these crimes could be avoided if IT best practices were followed.

The recent global ransomware attack (WannaCry) highlighted two things; one) that corporate networks are still incredibly vulnerable and unsecured, and 2) that this attack was avoidable. This attack worked by scanning the Internet for computers and took advantage of a known vulnerability within the Microsoft operating system that had been identified – and had a patch released to address the vulnerability – two months prior. Unified Threat Management devices, as well as end-point protection devices, had been automatically updated as early as the first week in April.

The widespread, global scale of this attack reveals that there were many organizations that did not deploy the appropriate patches in a timely manner, thus leaving their systems vulnerable. It is, quite frankly, concerning that enterprise organizations – especially those that deal with healthcare, banking, and package delivery – were armed with the tools and the notice to prevent such an attack and yet, they took little-to-no pre-emptive action.

Interestingly, non-business home-users were the group that was least affected by WannaCry, due to the popularity of Windows 10 and its automated patching process. At this point in time, Windows 10 holds a much larger market share within the home-user space versus the business space, therefore automatically protecting home-users, whereas small business and enterprise level organization are still mainly relying on Windows 7.

However, home-users are not immune to the threats of cybercrime and have suffered significant monetary loss. Mobile ransomware is up 225% in Q1 of 2017. The focus of many ransomware campaigns is on the home-user, since corporate devices can be easily wiped and redeployed, rather than having to paying the ransom to retrieve the data being held hostage. Home-users should also be employing IT best practices, such as backing up their data to the cloud using a service like Dropbox or Apple’s iCloud.

It is undeniable that cybercrime comes at a cost; an enterprise organization is expected to pay $3.4 million per cybercrime incident in 2017 and upwards to $150 million in 2020. Unfortunately, small businesses on the other hand – which represent the majority of businesses – are generally unable to absorb the costs inflicted by a cyber-attack, and 60% of them end up going out of business within six months of a substantial attack.

Regardless of the size of an organization, there are a few steps that most businesses can take to protect themselves from falling victim to a cyber-attack:

  • Properly training the end user is key. Employees need to understand the threat, what is looks like, and how to protect themselves from it. Traditional security awareness training no longer works – IT departments should consider working with a marketing team to make security awareness training more social and interactive, rather than simply sitting an employee in front of a computer to watch videos.
  • The simplest solution, in this case, is probably the most important – devices should be patched in a timely fashion. Come up with a schedule that works and be aggressive. Critical patches should be applied within days of the their release, while low impact patches can be applied within 45 to 60 days of their release. The biggest risk is relying on the end-users to deploy the patches to their systems themselves. IT departments should consider thinking about implementing a cloud-based solution that can force patches and account for those patches such as Microsoft InTune.
  • Deploy modern operating systems such as Windows 10 Enterprise with the Advance Threat Protection added on. Although Windows 7 is still being sold (we’re going to skip over Windows 8), it is end of mainstream support as of 2015.  All new deployments should be Windows 10, and a strategy should be developed for deploy/upgrading Windows 7 devices.
  • An oldy but a goody – use least privileges. At this point, it seems like everyone is an administrator of their own computer. While this may be more convenient for the IT department, it is fundamentally not a good idea. Access should be restricted on local and network devices.
  • Segment networks to prevent the spreading of worm time threats such as WannaCry.
  • Lastly have a good, tested backup of your data and use hybrid solutions that includes both local and online backups. This is your last line of defense.

Taking these measures will not ensure you are bullet proof, however they will help to reduce your attack vector significantly.

 

 

Two-Factor Authentication and Self-Service Password Resets Recipe for Disaster and a Hacker’s Dream

aaeaaqaaaaaaaas4aaaajgu5zjg2njq2ltrhyzetngy5ns04nwi0lwzlngi2nzk2nty5mq

The Technology

Two-factor, or multifactor, authentication has become the standard for authentication and is now used globally for access to secure networks, banking accounts, email, and even Amazon. The idea of multi-factor authentication is easy to understand and execute and is fundamentally sound. Essentially, a user logs on to a web site or VPN and enters their user name and password. Once that’s done they are then required to enter a secondary password that is typically only valid for one-time use. The delivery of this password typically has been in the form of a random number that changes every 30 seconds from a token device (a small usb drive sized device that displays a random numbers every 30 to 60 seconds), however technology has now advanced to a point that the one-time password can be sent to the user via SMS or via ann app (on mobile devices). Once this secondary information has been entered the user is granted access to their account or network of choice.

Another trend has been self-service password resets. This tool has enabled users to change and recover their passwords without the assistance of IT departments, 24 hours a day. In most cases a user would pre-enroll by providing secondary information that would be unique to them and hard for others to identify, such as the make and model of their first car, their maternal grandmother’s maiden name, or the name of their first pet. In many cases at least four questions are asked upon set-up, and are then are later randomized when being used to gain access to an account to reset a password. Over the past few years, vendors have also implemented SMS password resets as they’re typically more convenient for the end-user since they don’t require remembering multiple challenge and response questions.

These technologies and approaches have increased security exponentially over simply requiring a single user name and password, however in some cases the implementation has become flawed over the years. The cardinal rule of IT security is to never weaken security for the sake end-user convenience. Unfortunately, although we are increasing the security footprint by implementing these technologies, we are weakening the effectiveness by implementing “convenience measures” such as SMS messaging.

In the “real world” a police officer simply being on patrol will deter 90% of crimes that may potentially take place – but 10% of crimes will happen regardless of the security present. IT security is no different, 90% of potential hackers will walk away from a multi-factor authentication hack, but 10% will see their mission through.

The Hack

There are 2.1 billion smartphones in use globally, of which 207.1 million are being used in the United States, making SMS messaging a convenient method for secondary authentication and identification. That also means that there’s 207.1 million devices that are vulnerable to being hacked. Although most hackers like automated process as millions of devices can be exploited one at a time, it is important to point out that targeted hacks – although simple to execute – do require manual intervention.

The hack is simple:

  1. The target individual is identified. Most targets tend to work at the C-Level of small businesses (under a few hundred users), as these businesses tend to have gaps in security and processes.
  2. Identify the email system or computer system being used. This can be easily done with online tools such as https://mxtoolbox.com/SuperTool.aspx.
  3. Review DNS records for the target. Most companies that have remote access make it simple to identify the host by using URLs such as remote.xxx.com, vpn.xxx.com.
  4. Send an email to the target that will elicit a response – even if it’s an out of office reply. The information that the hacker is looking for is typically the cell phone number associated with the account and these days many people now include their cell phone numbers on their signature. If this does not work the hackers will then try getting the information the good old fashioned way – with a little bit of research via Google, LinkedIn, or the Wayback Machine (https://archive.org/web/).

Once the hacker has the necessary information, it’s time for the attack, which is fairly simple to execute at a high-level. First, the hacker will transfer the targets phone number to a different provider. Because phone numbers are now portable, you can transfer to any one of a thousand providers – the key is timing and the ability to receive text messages. Cell phone providers require basic information that is easily obtained to move from one service to another. Keep in mind the target still has their device in hand (this is why timing is critical) and the attacker will only have a small window of opportunity (in most cases 12 hours) to complete their objective, which is why most of these attacks come from over-seas.

When the hacker has control of the cell phone, they will refer back to the information obtained in the prior steps. They will start with resetting the corporate email password and, if they’re lucky, the password reset is done by sending an SMS message. Figuring out the user name is simple as, in most cases, it’s the target’s email address. Once the hacker has access to the email account, everything else is a matter of data mining, and unfortunately users often mix business and personal email together (this is truly the case with C-Level executives), which means that sensitive information such as their personal bank accounts may now also be accessible to the hacker.

Mitigation

As with everything else, the risk versus the reward must be weighed, and a risk assessment if fundamental to this process. The benefits of implementing strong security measures versus the likelihood that an organization or individual will be hacked – and the detrimental effects that the hack could have on the organization/individual – should be considered. Generally, a hack that is targeted and manual requires effort, and the benefit of self-service and multi-factor password resetting far out ways the risk of having no other security measure in place.

However, by taking just a few simple measures you can almost eliminate attacks completely.

Cell Phone:

  1. Have a limited number of cell phone managers. These are the people that can make changes to the accounts – such as transferring the service from one carrier to another. In many cases the individual employee that is assigned to a specific cell phone number has the ability to make changes to their accounts (whether a company realizes it or not). These privileges should be removed immediately and granted only to members of the IT department.
  2. Changes to the account should require the use of an account password as well as a call back to the company’s primary phone number so that they can be verbally confirmed/denied by someone with the appropriate authority.

These two steps will eliminate transferring of accounts.

Two-Factor:

  1. Require users to use an app rather than an SMS messaging, this will eliminate a huge amount of the risk, since even if the cell phone number is switched to a different carrier the hacker will not have access to the apps on that particular device.
  2. Install a mobile device management tool for greater control and insight to the end points. Thinking ahead when a device is lost or compromised, the ability to remotely wipe all data from the device is critical.

These steps will increase the strength of your two-factor authentication and align with the original principles of providing access via something you know (the password) and something you have (the unique token).

Self-Service:

  1. Eliminate SMS password resets all together.
  2. Restrict challenge questions to non-public information, i.e. mother’s maiden name, place of birth, marriage date or location. All this information is easily obtained from www.ancestry.com or other public search services. The questions should reference things that only the user would know, such as the name of their first pet, the place they went on their first date, etc.
  3. Use technology to monitor geographic usage and connections. Microsoft offers a service (Enterprise Mobility Suite + Security) that does just that, as well as MDM and password resets. This will allow your organization to recognize if changes to a device are being made from across the globe – or even just the other side of the state.
  4. Monitor user names and password to ensure they have not been compromised.

Simple yet effective.

The User

  1. Users should keep personal and business interests/accounts/etc separate at all times. If they are using their business email to handle their online banking and their corporate email is hacked they are not at even greater risk.
  2. User should not use the same password for business accounts as they do for personal account.
  3. Have users routinely check to see if public services that they use have been compromised by visiting https://haveibeenpwned.com/.
  4. Education your users – it’s the most simple and effective way to avoid potential security breaches. Take the social approach to education. https://secureshell.info/2016/11/16/information-technology-should-embrace-marketing/