
A CIO at an industrial company here in Sweden dropped me a mail and told me how they receive their reporting. On a monthly basis they get a list of possible patches to deploy; from that list they have to select what to patch and what not to patch. This raises a number of CHRs and updates to their risk register. A month later they get a list of the patches that were deployed and which failed, together with a question whether they should retry.

To say the least, the CIO was less than happy and asked for my viewpoint on this. In short, I would say that no matter what, they have an assignment to patch: keep trying! Solve the problem! How hard can it be?

On a more interesting note, I would skip the reporting and get a compliance engine that monitors for missing patches. That would be a lot more useful than a worthless report.

Vacations are supposed to be a time for contemplation and relaxation, but apparently there is no rest for the wicked. I have been stuck with a few contracts regarding security SLAs, and I would like to share my thoughts on them with you all. A security SLA is always a challenge: how do you measure that you are secure enough? Something that struck me while examining the contracts is how reactive the SLAs and the reporting are. One of my clients has outsourced their infrastructure to a third party and we are discussing patch management and vulnerability scanning. The contract states that patches should be deployed every Tuesday on a weekly basis and that this should be reported monthly. And here is my thought of the day on this: it is useless!

The patching in itself is OK; most zero-days still take about a month before hitting this target, so patching on a weekly basis is in this case good enough (and we have other protections as well). But the monthly reporting... Why on earth should I be interested in getting an Excel sheet with which patches are deployed on which server? It gives me nothing to know the status as of a month ago. I need to know at this very second what risks I have: not what is patched, but what is unpatched. Any takes on solutions?
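As an added example (not code from the original post), here is the kind of check a compliance engine would run continuously instead of a monthly report: given a patch catalogue and what each host reports as installed, it lists what is unpatched right now, how many days each gap has been exposed, and whether the weekly Tuesday window named in the contract has already been missed. The host names, patch identifiers, release dates and severities are constructed for the example; in practice they come from the vendor feed and the inventory agent.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed patch catalogue: identifiers, release dates and severities are
# hypothetical, standing in for a vendor's released patches.
PATCH_CATALOGUE = {
    "KB-1001": {"released": date(2016, 6, 7), "severity": "critical"},
    "KB-1002": {"released": date(2016, 6, 14), "severity": "important"},
    "KB-1003": {"released": date(2016, 6, 21), "severity": "critical"},
    "KB-1004": {"released": date(2016, 6, 28), "severity": "moderate"},
}

# Constructed inventory: what each host reports as installed right now.
INVENTORY = {
    "srv-web-01": {"KB-1001", "KB-1002", "KB-1003", "KB-1004"},
    "srv-db-01": {"KB-1001", "KB-1002"},
    "srv-app-01": {"KB-1001", "KB-1003"},
}

SEVERITY_ORDER = {"critical": 0, "important": 1, "moderate": 2, "low": 3}


@dataclass(frozen=True)
class Gap:
    host: str
    patch: str
    severity: str
    days_exposed: int  # days since the patch was released
    overdue: bool      # at least one weekly patch window has passed unused


def next_patch_window(released, patch_weekday=1):
    """First patch day strictly after the release date.

    patch_weekday follows date.weekday(): Monday is 0, so 1 is the Tuesday
    the contract names. A patch released on a Tuesday waits for next Tuesday.
    """
    days_ahead = (patch_weekday - released.weekday()) % 7 or 7
    return released + timedelta(days=days_ahead)


def missing_patches(inventory, catalogue, today):
    """Current view: every (host, patch) pair that is NOT installed, worst first."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    gaps = []
    for host, installed in inventory.items():
        for patch, meta in catalogue.items():
            if patch in installed:
                continue
            window = next_patch_window(meta["released"])
            gaps.append(Gap(
                host=host,
                patch=patch,
                severity=meta["severity"],
                days_exposed=(today - meta["released"]).days,
                overdue=today > window,
            ))
    # Worst first: highest severity, then longest exposure, then host name.
    gaps.sort(key=lambda g: (SEVERITY_ORDER.get(g.severity, 9),
                             -g.days_exposed, g.host))
    return gaps


def overdue_hosts(gaps):
    """Hosts that missed at least one patch window for at least one patch."""
    return sorted({g.host for g in gaps if g.overdue})


if __name__ == "__main__":
    for g in missing_patches(INVENTORY, PATCH_CATALOGUE, "2016-07-01"):
        flag = "OVERDUE" if g.overdue else "pending"
        print(f"{g.host:12} {g.patch:8} {g.severity:10} {g.days_exposed:3}d  {flag}")
```

Run as of 1 July 2016 (a Friday), the constructed data gives one critical gap on srv-db-01 that has already missed its window, one overdue important gap on srv-app-01, and two moderate gaps that are still inside their first window; srv-web-01 does not appear at all. That is the answer to "what is unpatched right now", and it is the same query whether you run it every hour or once a month.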

I think no one has missed that we celebrated Midsummer in Sweden, one of our famous public holidays where we mimic frogs and drink a lot of booze. Even if it is a public holiday in Sweden, the rest of the world, and especially the criminals, keep pounding at our doors trying to find a crack. So when all of us have hangovers it is imperative that security still works 24/7. You need to make sure that you not only have juniors but also seniors available to respond to incidents. When I am out conducting tests, it is always during vacations or holidays that process flaws emerge that I can exploit, even with a hangover.

A few days ago I was sitting at a client with a colleague, tasked with some simple pentesting to prove that our risk analysis was valid. We had already conducted social engineering to get into the buildings, so our test now was to find a way into their Office 365. As we had network access with a patch cable (fancy that!) I decided to test whether my old friend Cain and Abel was still a usable tool. I fired it up and captured the network traffic of about ten computers. We heard some swearing in the open-plan office, but soon enough we saw something interesting and disturbing. The users ignored the SSL error and just clicked forward when logging into their mail, and just like that we got their usernames and passwords in clear text. To add insult to injury, as they had ADFS activated, the accounts we got hold of were also their AD accounts. Within a few minutes we had complete access to all their systems.

It was interesting that we, with old tools, could still get complete access in a matter of minutes. The problem turned out to be that they still used Office 2010 and a compatibility setting that allowed this form of attack. When I contacted Microsoft, they told me that it was the standard setting but that they would change it now.

I know that a bunch of you have started to look at the new data protection directive. If you have spent some time with it, you have probably read that if you encrypt your data properly you do not need to inform your customers of a data breach. This is of course good news for encryption vendors, but it matters even more for application developers, since most encryption changes the data format. I would suggest that you instead start to look at non-intrusive encryption solutions. By doing that you minimise the need for changes in the application and database, and hence minimise costs.

Is it possible for a hacker to reduce their carbon footprint? At least it is far easier to reduce the number of password guesses by reusing the passwords stolen from other sites. This means they do not need to run as much password cracking as they otherwise would, keeping the use of password crackers to a minimum. By reusing your passwords you are helping the world become a greener and darker place.

My team managers asked me what to look for in a security specialist's CV. The quick and direct answer they got from me was: 'A valid CISSP certification'.

As you can imagine, they looked like living question marks, so I had to explain it a bit more. A CISSP certification is a very strong certification in the security market. It shows that you have both five years of full-time experience and the skills to get through a very tough set of questions.

Another important thing is that it is very easy to verify that the certification is valid. By entering the candidate's full name and certification number on the (ISC)² verification page you get a quick reply on the candidate's current certification status. As you hopefully are aware, a CISSP is only valid for three years; after that you need to either retake the test or show that you have spent enough time giving back to the community or educating yourself. Many take the certification but fail to do the work needed to keep it. Hence a verification should always be made.

If a candidate fails to give you his certification number, you can bet he has lost his CISSP.

This is what it looks like.

My challenge this month has been conducting a large risk analysis at a client. The challenge has been the estimate for the analysis, as it turned out that when lifting all the rocks we found more than our share of cans of worms. This is not an unusual situation, however. Many times an organisation thinks it has good security, especially if it has a security officer who has been working there for a number of years. This month's challenge for me is mainly explaining to him that the security architecture he is working with is outdated and creates bigger risks. Already in 2005 I was saying that the firewall is crumbling. Still to this day he challenges me at every turn that his firewalls are state of the art and impenetrable. I have to give him credit that the firewalls are very well maintained. Nothing else is, however. I hope he understands this time, as we will conduct a live hacking session as part of our presentation.

I have started to devise a set of security mechanisms that will end up as a pattern in the months to come. Meanwhile, I think you are all interested in the reasoning behind how to protect yourself?

First of all, you need to start looking at access paths: how does the ransomware hit you? The access paths are mainly the same as for any other Trojan: hacked websites, files in your mail, or a USB stick.
If we take the mail path first, with the attached file, the first thing to do is to block executables and file types that normally are not sent through mail, such as Flash files, AVI and so on. Block on the file's content as well as on its name: a renamed executable still starts with the same header. Of course you need to check with your organisation first so that you do not block any functionality.

After that I would use a chamber to quarantine the file and run automated sandbox testing before letting it through to the user.

When it comes to links, I would put them through sandbox testing as well, in conjunction with a register of known malware-spreading sites, like SmartScreen in Internet Explorer and Edge.
Files on a USB stick are a bit tougher, but there are good tools in the AV that can check for those. I will have to look further into this one.
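As an added example (not code from the original post), here is the mail-attachment step above as a practitioner would implement it, and it goes one step beyond the text: attachments are blocked on extension, blocked when their leading bytes say executable or Flash whatever the name claims, and everything else is handed to the sandbox with a hint of what it is (an OOXML document carrying a vbaProject.bin member is flagged as macro-enabled, which is what the sandbox most wants to know). The block list, the magic numbers and the sample mail are constructed for the example, and the list is exactly the thing to agree with the organisation before deploying; how the screening hooks into the mail gateway is left to the reader.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that rarely have a business reason to arrive by mail. The list is
# an assumption for this example: agree it with the organisation first.
BLOCKED_EXTENSIONS = {
    "exe", "dll", "scr", "com", "pif", "bat", "cmd", "ps1", "vbs", "js", "jse",
    "wsf", "hta", "jar", "msi", "swf", "avi",
}

# Magic numbers: judge the bytes, not the name the file arrived under.
MAGIC = {
    b"MZ": "pe-executable",        # Windows exe/dll/scr
    b"\x7fELF": "elf-executable",
    b"FWS": "flash", b"CWS": "flash", b"ZWS": "flash",
    b"RIFF": "riff-media",         # AVI/WAV container
}
BLOCKED_CONTENT = {"pe-executable", "elf-executable", "flash", "riff-media"}


def zip_kind(data):
    """OOXML documents are zip files; a vbaProject.bin member means macros."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return "bad-zip"
    if any(n.endswith("vbaproject.bin") for n in names):
        return "office-macro"
    if any(n.startswith(("word/", "xl/", "ppt/")) for n in names):
        return "office-document"
    return "zip-archive"


def sniff(data):
    """Classify an attachment by its leading bytes."""
    for prefix, kind in MAGIC.items():
        if data.startswith(prefix):
            return kind
    if data.startswith(b"PK\x03\x04"):
        return zip_kind(data)
    return "unknown"


def verdict(filename, data):
    """Return (action, reason): 'block' it, or 'sandbox' it before delivery."""
    name = (filename or "").lower()
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"blocked extension .{ext}"
    kind = sniff(data)
    if kind in BLOCKED_CONTENT:
        return "block", f"content is {kind} despite name {name or '<none>'}"
    # Everything else is held and detonated before the user sees it; the
    # reason tells the sandbox what it is looking at.
    return "sandbox", kind


def screen_message(raw):
    """Parse a raw RFC 5322 message; return (filename, action, reason) per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        results.append((part.get_filename(), *verdict(part.get_filename(), data)))
    return results


def build_macro_doc():
    """Constructed stand-in for a macro-enabled Word document (no real macro)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_sample_message():
    """Constructed test mail with four attachments; none of them is real malware."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="invoice.pdf")      # renamed executable
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="setup.exe")
    msg.add_attachment(build_macro_doc(), maintype="application",
                       subtype="octet-stream", filename="report.docx")
    msg.add_attachment(b"just some notes", maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    return msg.as_bytes()


SAMPLE_MESSAGE = build_sample_message()

if __name__ == "__main__":
    for filename, action, reason in screen_message(SAMPLE_MESSAGE):
        print(f"{filename:12} {action:8} {reason}")
```

On the constructed mail, invoice.pdf is blocked because its bytes are a PE executable, setup.exe is blocked on extension, and report.docx and notes.txt both go to the sandbox, the former tagged as macro-enabled. The extension check runs first only because it is cheap; the content check is the one that catches a renamed file.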

March Challenge

I have to say that I really hate ransomware. It is just like the old days when a henchman placed himself outside your store and blocked your customers from coming in, but without the satisfaction of beating him with a bat to make him go away.

A client of mine was targeted with ransomware and had to restore 1 TB of files (mostly Word, Excel and PowerPoint). You can just imagine the time it took to restore all the files from backup!

Gladly, this company had listened to my advice regarding backups and made sure they were fully functioning, but they still lost three days of work. Today I have been tasked with devising a way to protect against this menace. If you have an idea or two, please feel free to drop me a mail and let's discuss it.
