Monthly Archives: January 2016

Don’t ‘Enable Macro if Data Encoding is Incorrect’!

30 January 2016

If you open a Word document attached to an email and see the message ‘Enable macro if data encoding is incorrect’, you are well on the way to becoming the victim of a cyber-attack:

Dridex malware requests to lower macro security

Word blocked the auto-open macro in the document to prevent its execution. In the case of the document ‘Fax 49 2232949992120160128232732.doc’ the payload is the trojan ‘W2KM_DRIDEX.BM’. Among other malicious activities, the macro downloads and executes the program g545.exe from a server hosted in the Russian Federation.

So far everything went well. Word was well secured and blocked the auto-open macro from executing the payload. The best course of action is to close Word and delete the email together with the downloaded attachment.

But if you comply with the request and lower the macro security settings in Word, you will definitely be tricked.

As always, the first line of defense is a well-trained user who follows these commandments:

  • ‘Think twice before you click on whatever links or attachments’,
  • ‘Never lower your security settings upon requests of whatever sources’ and
  • ‘Disable all macros with notification’ in Word Trust Center, section Macro Settings.
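To verify the third commandment on a machine, here is an added example (not from the original post) that reads the Word macro setting for each installed Office version and reports whether it is still at ‘Disable all macros with notification’ or stricter. It assumes Windows PowerShell, Office 2010/2013/2016 (registry versions 14.0/15.0/16.0) and that it runs in the context of the user being checked.

```powershell
# Added example: report the Word Trust Center macro setting (VBAWarnings) for
# every Office version found under HKCU. Assumes Office 2010/2013/2016 and
# that the script runs as the user whose setting is being checked.

# VBAWarnings values as shown in Word Trust Center > Macro Settings
$MacroSettingNames = @{
    1 = 'Enable all macros (not recommended)'
    2 = 'Disable all macros with notification'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-WordMacroSetting {
    param([string[]]$OfficeVersions = @('14.0', '15.0', '16.0'))

    foreach ($ver in $OfficeVersions) {
        $wordKey   = "HKCU:\Software\Microsoft\Office\$ver\Word"
        if (-not (Test-Path $wordKey)) { continue }   # this Office version is not present

        # A Group Policy value overrides whatever the user picked in the Trust Center
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$ver\Word\Security"
        $userKey   = "$wordKey\Security"

        $source = 'Default'   # no value written: Word uses 'Disable all macros with notification'
        $value  = 2
        foreach ($pair in @(@('Policy', $policyKey), @('User', $userKey))) {
            $item = Get-ItemProperty -Path $pair[1] -Name VBAWarnings -ErrorAction SilentlyContinue
            if ($item) { $source = $pair[0]; $value = [int]$item.VBAWarnings; break }
        }

        [pscustomobject]@{
            OfficeVersion = $ver
            Source        = $source
            VBAWarnings   = $value
            Setting       = $MacroSettingNames[$value]
            Acceptable    = ($value -ge 2)   # only 'Enable all macros' (1) is unacceptable
        }
    }
}

Get-WordMacroSetting | Format-Table -AutoSize
```

A row with Acceptable = False means somebody has already complied with a request like the one above and the setting should be put back to 2 or higher.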

In the worst case it may end in a blackout of a whole country, as happened in Ukraine on 23 December 2015.

Have a good weekend.

Key criteria for evaluating the effectiveness of IT security solutions

26 January 2016

What are the key criteria for evaluating the effectiveness of an IT security solution, e.g. a new endpoint protection solution?

Endpoint protection solutions are of particular importance after a data breach has happened. Then speed in detecting the breach matters, as does, of course, hindering the attacker from searching the network for privileged accounts.

Thus security solutions should expand our ability to

  1. Reduce the attacker’s ability to interact with the company’s IT environment
  2. Reduce the time to discovery

If a vendor cannot prove how your company benefits from its security solution with regard to these criteria, stop the evaluation.

Have a good day.

Consumers cut off from progress in endpoint protection?

23 January 2016

The Dridex banking Trojan has risen from the ashes like a phoenix. In his post ‘Dridex malware adopts redirection attacks to target high-value UK banking customers’, published on 20 January 2016 on the GrahamCluley security blog, David Bisson clearly shows that the Trojan is attacking banks and end users with terrifying speed.

How can end users protect themselves?

‘As for ordinary users, maintaining an updated anti-virus solution and refusing to click on suspicious links will go a long way towards protecting your life savings from low-life criminals.’

To be honest, the advice to keep the anti-virus solution up-to-date creates a false sense of security. Let me give you a current example.

Last Tuesday I got an email with an attachment containing the malware ‘VirTool:Win32/CeeInject.GF’. I uploaded the attachment to VirusTotal for inspection and found that only 8 of 54 anti-virus solutions identified the malware, although the malware or a variant was first published about 9 months ago:

Table 1: Result of first scan

These are definitely not the heavyweights in the consumer market. Seven hours later only 12 of 54 anti-virus solutions identified the malware. For the development over the following days see the following table:

Table 2: Changes in identification rate

In the worst case, consumers were unprotected for about 2 days. Moreover, as of yesterday evening, 22 of 54 anti-virus solutions had still not identified the malware.

Advanced endpoint security tools would definitely do better. Unfortunately the vendors of such solutions focus on the business market.

In the latest issue of the Cyber Intelligencer Michael Applebaum writes:

‘What the industry desperately needs is rigorous, scientifically validated third-party testing of endpoint security technologies, across a range of real-world scenarios. Invincea has been prominently calling for this and we hope to see progress in 2016 by reputable third parties.’

Even more than the industry, consumers need decision-making aids on how to protect themselves effectively against malware. At the moment they are not participating in the technological progress at all.

As always the user is the first and best line of defense. ‘Check twice before you click on whatever links or attachments’, is the best possible advice.

Have a good weekend, and, don’t rely too much on your anti-virus solution!

Threat intelligence is the new Hype, but can threat intel actually defend you against future attacks?

19 January 2016

Can threat intel actually defend you against future attacks?

Tim Holman’s answer is simple, although not surprising:

‘Most of the time, yes. But by far the best way is to take a pro-active approach, presume attackers are already on the inside and tailor your defences from the inside out.’

For effective treatment of the inevitable he recommends investing in an ISMS:

‘No firm can ever defend against 100% of attacks, 100% of the time, but without a doubt you can create resilient systems and business processes that are 100% effective in restoring your firm to business-as-usual when the inevitable cyber attack happens.’

For the full report please see ‘Security Think Tank: Security intelligence demands getting the basics right’ published on

Have a good day.

The Sum of all Gaps

18 January 2016

In the 11 January issue of the Cyber Intelligencer Invincea’s COO Norm Laudermilch talks about the difficulties in evaluating the effectiveness of endpoint security products:

‘The key is to understand what part of the threat landscape a product covers, the scope of the protection, the efficacy of that protection, and how it fits with the rest of your security and IT architecture.’

Very well said! But it is important to take the next step: once you have conducted this evaluation, the sum of all gaps, i.e. the residual risk, can be determined.

In my opinion this is the most important information. It shows the critical vulnerabilities and, when related to the current overall threat landscape, the direction for further investments. A CISO is well advised to do this matching regularly.

Have a good day.

Technical Account = Privileged Account = Member of the Administrators Group – It’s time to break this vicious circle

16 January 2015

I had some discussions in the past weeks about technical accounts in the administrators group. To be honest, I am a strong supporter of the ZERO administrators doctrine: Under normal conditions the administrators group of a computer has no members. If required, an account is added to the group and removed directly after the job is done. Strict implementation of a ZERO admin doctrine requires the implementation of a smart PAM solution to avoid undue delays in the case of trouble.

What really worries me is that technical accounts are always seen as privileged accounts, and that they are very often assigned to the administrators group for convenience, even though a system login is not required.

For example, a technical account for querying a database needs no system privileges at all. Even a login to the application or database server is very often not required. In the best case the technical account needs only the privilege to open a database connection and access to a well-known set of database objects. Granting any system privileges to such accounts or assigning them to the administrators group only enlarges the attack surface of the system.

As always, the Principle of Least Privilege shows the direction. Grant privileges only if required, carefully evaluate if membership in the administrators group is necessary, and treat membership in the administrators group as an exception. To keep the attack surface small it’s wise to check the administrative groups for unnecessary technical accounts regularly.
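As an added example (not from the original post) of the regular check recommended above, this script lists the members of the local Administrators group and flags those that are used as technical accounts, i.e. accounts under which a Windows service runs on the host. It assumes Windows PowerShell 5.1 with the LocalAccounts module (Get-LocalGroupMember) and local administrator rights to run it.

```powershell
# Added example: find technical (service) accounts that are members of the
# local Administrators group. Assumes Windows PowerShell 5.1 with
# Get-LocalGroupMember available and that it runs with admin rights.

function Get-TechnicalAdminAccounts {
    # Accounts under which services run on this host, excluding built-in
    # identities, normalised to DOMAIN\name (".\name" means the local machine)
    $serviceAccounts = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -and
                       $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)' } |
        ForEach-Object { $_.StartName -replace '^\.\\', "$env:COMPUTERNAME\" } |
        Sort-Object -Unique

    foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
        # string comparison with -contains is case-insensitive in PowerShell
        $runsServices = $serviceAccounts -contains $member.Name
        $note = ''
        if ($runsServices) { $note = 'technical account with admin rights: review' }

        [pscustomobject]@{
            Member       = $member.Name
            ObjectClass  = $member.ObjectClass      # User or Group
            Source       = $member.PrincipalSource  # Local, ActiveDirectory, ...
            RunsServices = $runsServices
            Note         = $note
        }
    }
}

Get-TechnicalAdminAccounts | Format-Table -AutoSize
```

Accounts that only need a database connection will normally not show up here at all; any that do, or any member flagged with RunsServices, is a candidate for removal from the group.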

Have a good weekend.

Isolation of Everything

9 January 2016

I am currently preparing a presentation on IT security matters for the plant safety group of the Verband der Chemischen Industrie (VCI). Plant safety and IT security are closely linked, in particular because more and more safety equipment (e.g. safety relief valves) has built-in computers and networking options that allow data gathering, remote configuration and, to a certain extent, remote testing.

To create awareness of the new challenges I searched for examples of successful cyber-attacks in the process industry. Stuxnet immediately comes to mind but is somewhat dated. In December 2014 a cyber-attack on a German steel mill was widely reported in the press.

On January 8, 2015 Kim Zetter wrote in WIRED ‘A Cyberattack Has Caused Confirmed Physical Damage for the Second Time Ever’. A post from Greg Masters in SC Magazine on December 23, 2014 was titled ‘Cyberattack fells German iron plant’.

An attacker has to pass several hurdles to get from the Internet to the Process Control System. Usually Process Control Systems (PCS) are well protected by a cascade of firewalls which isolate the control systems from the process plant network, and the process plant network from the office network.

But, as in many other cases, the starting point was a phishing attack. In the BSI publication ‘The State of IT Security in Germany 2014’ published on December 17, 2014 we read:

The attackers used spear phishing e-mails in tandem with sophisticated social engineering to gain initial access to the steel mill’s office network. From there they worked their way progressively into the production networks.

The sentence ‘From there they worked their way progressively into the production networks.’ is of particular interest. It indicates a problem that is widely ignored by the plant operators because the firewalls give them a false sense of security.

To simplify IT operations, very often the same Active Directory is used for managing the Windows accounts of the plant operators in both the office network and the plant network. But network isolation and segmentation by firewalls block traffic only on OSI layers 1 to 3, not on layer 7, where Active Directory works. Once an attacker manages to get onto the office network, it is only a matter of time until he finds an operator account that grants him access to the plant network.

Thus a first step towards enhanced security in process plants is to separate the Active Directories of the office network and the plant network. In addition, access to email and the Internet from the plant network must be blocked, if possible by technical means.

The general design principle is ‘Isolation of Everything’ – Cyber attackers raise only a weary smile (LOL) at the Layer over Layer (LoL) approach with firewalls.

Have a good weekend.