Monthly Archives: April 2015

Some thoughts about: People and process remain the soft underbelly of banks

25 April 2015

In post ‘Security Think Tank: People and process remain the soft underbelly of banks’, John Colley discusses on the example of the Carbanak attack some new concepts for surviving the cyber war.

I like the idea of sharing knowledge about attack vectors and best practice for the defense against cyber-attacks across industries. But what is the proper scope for action?

John Colley writes:

‘Even worse, the persistence of bad cyber security practices is driving banks to try to protect badly designed systems by hiding them from view. Many banks try to prevent attackers discovering what internal programs they use; yet it shouldn’t matter if outsiders know what software a bank uses for its internal systems, if that software is secured properly in the first place.’

I am discussing such issues for months now. My advice is crystal clear:

Before you start sharing information about your internal systems with whatever partner, carefully consider

  • what information and what level of detail is required, and
  • how the information must be protected.

Every available information about your internal systems will support attackers in finding vulnerabilities in your systems. Remember: It’s merely a matter of time before cyber criminals break into your company network…

Too many details increase the attack surface of your company!

Have a good weekend!

The 70/30 split is the new guiding principle in IT security

23 April 2015

About 70% of all cyber-attacks are executed by malicious insiders. 30% are performed by external attackers from outside the organization’s network.

But do we take this 70/30 split into account when planning IT security programs and allocating budgets? My personal feeling is that it is exactly the other way.

However, it seems that the IT security industry is reconsidering the direction of further development. The following statement of the new RSA President Amit Yoran saved my day:

“Building taller walls and digging deeper moats is not solving our problems. The perimeter mindset is still clinging to us. We say we know the perimeter is dead; we say we know the adversary is on the inside, but we don’t change our actions.”

For more details please see report “Yoran: RSA, information security industry needs ‘radical change’”, published 21 April 2015 by Michael Heller.

Take care!

Phishing is the attack vector #1.

18 April 2015

In report ‘Phishing email’ the key to hacking of TV5 Monde‘, published 14 April 2015 on thelocal.fr, we read:

“According to a source close to the investigation cited by Europe 1, the hack started with a “phishing” email that was sent to all journalists at the TV channel at the end of January.

Three journalists responded, allowing the hackers to infiltrate the channel’s system using so-called “Trojan Horse” malware (malicious software).”

You may remember the Anthem cyber-attack some weeks ago. The credentials of five employees were phished and used by the cyber attackers to steal millions of customer data sets. Cyber-attacks start very often with phishing emails. Even if only a few employees responds it always ends up in a catastrophe.

Would risk management have prevented the TV5 Monde attack? Definitely not!

In the TV5 Monde case it is very likely that the Trojan-Horse would have been detected by a proper configured Anti-Malware scanner on the mail-in server. For details please see my post ‘Free email providers are preferred distribution channels for malware’.

@Mr. Oettinger. It’s time to start a truly useful European initiative:

‘Email providers shall run an in-depth scan of every email when it is posted to the mail-in server. If an email contains malicious object it must be rejected!’

It is very likely that the TV5 Monde attack could have been prevented, if a next generation firewall would have been used to run an in-depth scan of the phishing mails.

Have a good weekend!

This morning in my garden.

This morning in my garden.

Would the European NIS Directive have averted the TV5 Monde hack?

16 April 2015

‘Never one to miss a chance to push policy, Oettinger also suggested that the proposed Network and Information Security (NIS) Directive could have averted the hack in the first place.’ This excerpt from Jennifer Baker’s post ‘What would have stopped TV5Monde hack? Yup, MOAR LAWS’, published on 14 April 2015, shows once again the naïvety of top European leaders.

The implementation of an information security risk management will not raise the security level. It just manages the structural weaknesses of a security strategy. That’s much more than most of the companies have in place today, but it’s not enough to fight the current attacks and, to stay secure in future. This is best explained by an example.

One of the required controls for implementation of an Information Security Management System (ISMS) is a security standard or security baseline. The baseline lays down the security configuration of e.g. the servers in a company. It’s very important to define a security baseline because it allows you to find deviations of an individual server from the baseline. Each deviation is a vulnerability that could be exploited by an attacker and should be mitigated as soon as possible.

But a security baseline lays down the structural weaknesses of a security configuration as well. If your baseline was originated on the basis of Windows 2008 R2 Server, and if you use it for Windows 2012 R2 Server without changes, a Windows 2012 Server will show the same structural weaknesses as a Windows 2008 Server.

Thus, the baseline has to be continually improved to at least keep the security level because the threat level develops faster than vendors release new security features.

Would the European NIS Directive have averted the TV5 Monde hack?

The answer is: Definitely Not!

Information Security is more than implementing policies and the obligation to inform the authorities in the case of a cyber-attack.

Take care! And check the complexity of your passwords!

For details about the NIS directive please see the NIS platform.

Premera is still stuck in my mind

9 April 2015

Every data breach tells a story. Since only the attacker has the detailed story board we are left to guesswork about the plot of the cyber-attack. But from the sometimes weeks later published really interesting news about a cyber-attack we could try to create our own rough storyboard.

The lessons learned from the plot of a cyber-attack

  • May show the weak points of our defense system, or
  • May support us in evaluation of our defense system and the residual risk we take, or
  • May support us in developing appropriate counter measures.

I’m in particular interested in the beginning of the story (the initial attack vector). And of course in the development after gaining access to a company’s network.

In the next weeks I like to develop a plot of the Premera cyber-attack. I would be pleased if you would join me in this journey. Suggestions and comments are highly welcome.

Here’s some food for thought. Dan Bowman writes in ‘Premera knew systems were vulnerable prior to attack’ published 19 March 2015:

Premera’s systems initially were breached on May 5, 2014, but were not detected until Jan. 29 of this year.’

How could attackers stay undetected for nearly nine month? Any ideas?

Have fun!

IT security projects fail because people are not affected personally

 4 April 2015

In the past weeks I had a lot of discussions with system operators about services running as real users, very often as domain users, if not as domain administrators. In some cases these accounts are used to run services on workstations as well.

From a security point of view this is a nightmare. Once an attacker got the login data of one of the service accounts, he can move across the network and collect credentials. The game is over when he gets access to a workstation where a user signs in with domain administrator credentials.

Executing the service as a local defined account with individual passwords would be a good choice to tackle this problem but, from an operations point of view this is the nightmare because the administrative effort will go straight through the roof.

This clash of interests is a really big challenge for the change manager. ADKAR is a often used model to guide activities during a change processes. But how could a change manager create Awareness in this case? Just telling the system operators to do things differently will not help. You must touch people’s minds with good stories and pictures.

Seeing is believing’ is my recipe: Find a workstation where a globally defined service account is used to run a service and extract all passwords from the LSASS process with MIMIKATZ. MIMIKATZ extracts the password hashes and the WDIGEST and Kerberos passwords in plain text.

Mimikatz Output

MIMIKATZ Output

The MIMIKATZ output contains the passwords for the service accounts and, if applicable, for the domain administrator. Store this output encrypted in a file, highlight the service accounts and use the file as eye-opener in the next awareness session.

In my experience this  creates the necessary emotional involvement which is required for the next steps in the change process.

There is nothing left to say but …

Wishing you an Easter
that touches your heart
and lives in your thoughts
as a sweet reminder of
just how special you are.

Lessons learned from the Premera cyber-attack – Always the same passwords lead to a disaster!

2 April 2015

Do you have a favorite password? Maybe something like ILovePeteSinceFeb2010? Not bad at all, easy to remember, and easy to crack.

When I build my first Windows NT 3.5 domain I had to enforce the password rules of my organization. The most annoying rule for the users was the Password History. We had to configure Windows to remember ten passwords.

We started without a Minimum Password Age (the period of time in days that a password must be used before the user can change it) and found that many users changed their password ten times within a short period to keep their favorite password.

When we introduced the minimum password age it came to a near-uprising. 20 years later, the users get accustomed to the minimum password age of one day.

It’s all the more surprising, that on some of the Premera systems a minimum password age was not enforced last year. In the Final Audit Report of the UNITED STATES OFFICE OF PERSONNEL MANAGEMENT, dated 28 November 2014, we read on page 5:

Password History Configuration

Premera has implemented a corporate password policy that is applicable to all infornation systems on the network. However, we performed automated configuration compliance scans that indicated that several systems did not limit the time between password changes.

This configuration would allow users to circumvent Premera’s password history requirement by changing their password multiple times within a short time period and then reuse their initial password.

That’s really bad. If an attacker has guessed a password, the missing minimum password age and the user’s convenience supports him to stay in the system.

As always we have to deal with people and process issues. The technology was still there, but not used to enforce the rules.

Never say die!