Category Archives: Opinion

You may Wanna Cry on Monday morning if your Anti-Phishing Training was no success

14 May 2017

In the past days WannaCry was making the headlines. I found a really well written post on Binary Defense which explains the basics of the initial infection as well as the propagation method.

WannaCry does not use any heavy sophistication methods for delivery. It first uses a password protected zip file, which has a document inside.

Packaged this way anti-malware solutions cannot scan the attachment because they can’t enter the password for opening the attachment, although it is stated in the email body. Even APT (Advanced Persistent Threat) solutions may fail if they are not properly configured.

If your Anti-Phishing Awareness Training was successful, the chance of an infection is small.

In addition, it makes sense to block incoming mails with zip files, which cannot be inspected by the anti-malware solution. Don’t deliver them to the users junk mail folder, block them on the mail gateway.

This gives you the time to implement patch MS17-010, if you have not yet done so. Or isolate the affected systems from the network, if patching is not possible, e.g. in GxP controlled environments.

Take care!

A key finding from the Verizon 2017 DBIR: There is no one-size-fits all strategy to IT Secutity.

7 May 2017

As always, the Verizon 2017 Data Breach Investigations Report conveys a plentiful of details about the security incidents and data breaches of the past year. A more detailed analysis of the attack patterns shows, that different industries must implement different defense in-depth strategies for effective protection against cyber-attacks.

Verizon 2017 Data Breach Investigations Report Attack Pattern Analysis

Verizon 2017 Data Breach Investigations Report Attack Pattern Analysis. Click to enlarge.

There is no one-size-fits all strategy to IT security!

Have a good week!

Prevention before Detection in Industrial IT

1 May 2017

Currently, I’m working on a paper for safety engineers about cyber security requirements for Safety Instrumented Systems (SIS). For preparation I examined some of the existing publications from other European countries, e.g. the paper ‘Cyber Security for Industrial Automation and Control Systems (IACS)‘ from the British Health and Safety Executive (HSE).

In the chapter ‘Note 5 – Define and Implement Countermeasures’ one reads:

A hierarchical approach should be adopted, for example prioritising implementation of measures such as inherent resilience, and prevention (e.g. physical security controls, authorisation and authentication) over other measures for detection.

That is diametrically opposed the Gartner’s advice ‘Shift Cybersecurity Investment to Detection and Response’. Gartner’s Sid Deshpande said in an interview:

Gartner is now recommending to companies that they shift their security spending to have at least 60 percent of their security budget to be spent on detection and response, up from 10- to-15 percent today.

I think Gartner’s advice needs to be seen in the context of the industry where one works. IT security deals with Confidentiality, Integrity, and Availability (the CIA) issues. Every industry has specific requirements regarding CIA issues. For example, integrity of product and production plays a higher role in pharmaceutical production than in the process industry. This is be shown very well with a spider diagram:

CIA-Diamond

CIA-Diamond. Click to enlarge.

In general, Gartner’s advice is useful where we have a high demand for addressing confidentiality issues. In industries, where integrity plays a major role, the Gartner advice is less useful because you cannot wait until a customer or the FDA detects that a drug has a wrong composition.

CIAS-Diamond

CIAS-Diamond. Click to enlarge.

Safety is a game changer. As soon as we face medium or high safety requirements, Gartner’s advice is counterproductive.

Have a great week.

Some thoughts on “Zero-Day Exploits – Your Days are Numbered!”

23 April 2017

The Bromium Micro Virtualization Technology is indeed a game changer in the protection against zero-day exploits, unfortunately only for Microsoft Windows based devices.

Smart devices like smartphones, tablets or phablets are increasingly replacing the classic devices, with the consequence, that the overall security is reduced because no endpoint protection is available for those devices in general.

My worst nightmare: A tablet user downloads a word document with a zero-day exploit to an on-premise file share and opens it with Word for Windows on his laptop.

Thus, an additional endpoint protection solution, e.g. a Secure Web Gateway, is required to protect the users of smart devices, and the entire company, against internet born threats.

From my point of view, micro virtualization is great means for protection of classic computing devices against zero days. But to prevent blind spots, it must be embedded in an overall endpoint protection strategy.

Have a good weekend.

Some thoughts on „A Cyberattack on the U.S. Power Grid“ by Robert K. Knake

15 April 2017

The Contingency Planning Memorandum No. 31 „A Cyberattack on the U.S. Power Grid“, published by Robert K. Knake at the Council on Foreign Relations (CFR) in April 2017, illustrates very clearly how vulnerable critical infrastructures like the U.S. power grid are. This memorandum is really worth reading.

Ultimately, for effective protection of the society in the case of a breakdown of the power grid we need something like a nation wide operated ISMS, with hundreds of stakeholders from the private and public sector. This is a Herculean task in the U.S., and needs a miracle in Europe.

But the discussion of attack vectors is characterized by the traditional ISA 95 paradigm:

Regardless of which part of the power grid is targeted, attackers would need to conduct extensive research, gain initial access to utility business networks (likely through spearphishing), work to move through the business networks to gain access to control systems, and then identify targeted systems and develop the capability to disable them.

In the era of the IIoT, the network perimeter with all its high sophisticated security controls is no longer existent. For example, a lot of Industrial Control Systems are already connected directly to the internet today. With this, the effort for attacking critical infrastructures is decreasing, as well as the likelihood of detection.

From my point of view, it is of crucial need to take this paradigm change into account in risk management.

Happy Easter!

CVE-2017-6033 – Keep Calm and Carry on

9 April 2017

When I read the note about CVE-2017-6033 on LinkedIn and the related ICS Cert Advisory ICSA-17-094-01 on Wednesday morning my first thought was: Sounds like a really big issue if Schneider Electric recommends to upgrade to Windows 10 to solve this security issue with their Interactive Graphical SCADA System (IGSS) Software.

What happened: Someone identified a search path vulnerability in the IGSS software. This means that if an attacker manages to place e.g. a fake IGSS dynamic link library (DLL) in a path which is searched earlier than the default installation directory, then the fake DLL is executed instead of the version installed in the installation directory. Ok, this sounds really dangerous.

The CVSS V3 vector string for CVE-2017-6033 is (AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H).

The UI (User Interaction) is important in this case. UI:R (Required) means that

“Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. For example, a successful exploit may only be possible during the installation of an application by a system administrator.”

In this case, the attacker must convince a user or administrator to copy a malicious DLL to a directory, which is searched earlier than the IGSS installation directory, to the computer where the IGSS software is installed.

To be honest, Schneider Electric’s recommendation for mitigation of this risk is somewhat oversized. End users should under no account fall into blind actionism and start migrating to Windows 10. The operational risk is far too high compared to the effort an attacker has to take to prepare the attack.

In this case, I would propose to simply make the users aware of the problem, and that’s it. If production networks are well designed and maintained and user awareness is high then there’s no need to run in the patch treadmill. To keep pace with this endless flood of patches pulls us away from doing the right and important things.

Have a good weekend.

Vastly improve your IT security in 2 easy steps?

1 April 2017

Keep your software patched and defend against social engineering, and you will win the battle against the bad guys. Let me be clear: From my point of view this is simply not enough. Nevertheless, Roger A. Grimes’ post “Vastly improve your IT security in 2 easy steps” published on March 21, 2017 at InfoWorld is really worth reading, in particular the section about patching.

The key to diminishing this risk is to identify the right software to patch and do it really, really well. The risk reducers I respect know the difference between the largest unpatched program in their environment and the unpatched program mostly likely to be exploited in their environment. A security expert knows there is usually a gulf between the two.

In particular in the production domain, where patching has always to be delayed to the next scheduled maintenance, this is a very important hint.

The big question is: How can we identify the right software on the right and important systems? Without an up-to-date asset directory with the relevant details about cyber security this is a very complex and expensive matter.

But even with an up-to-date asset directory this remains a complex task.

Rockwell/Allen Bradley Systems directly connected to the Internet

Rockwell/Allen Bradley Systems directly connected to the Internet in North America

For example, the likelihood of a cyber-attack on an Industrial Control System (ICS), which is directly connected to the internet, is many times higher than the likelihood of an attack on an ICS which is completely isolated in a security zone within the production network. The first ICS is definitely one of those systems Roger Grimes has in mind, the latter can be ignored.

But the likelihood of a cyber-attack is only half the story. For example, in functional safety the risk is the combination of the probability that a hazard will lead to an accident and the likely severity of the accident if it occurs. Thus, from this point of view, even the first ICS may be uncritical unless it is not used for controlling a critical infrastructure.

To identify the right and important systems is the hard task. It requires an up-to-date asset inventory and a smart risk management process. The plain patching process is just a piece of cake.

Have a good weekend.