Are you using a utility that requires Zip Archive Enabled in WordPress? For me, this was the backup utility Duplicator.
And there’s the pain point. This took quite a bit longer to find than I expected! Here’s the journey to success.
1. The Issue
The issue arose because I wanted to backup my site using Duplicator with Zip archive.
Most of the documents mention changing this in WHM. This was not the case for me.
Of note: What you are about to do has the capability of totally crashing your WordPress site. Be sure to document any changes you make, and test the changes regularly in an incognito window or another computer.
2. The Fix
Log into your hosting company
Access WHM
Go to List Accounts in the left hand menu
Access the cPanel for the site in question
Click Select PHP Version
Select Extensions
Scroll down to activate Zip
Test your site in Incognito window
Go back to Duplicator to confirm it is working!
Zip backups selected, and no errors! We’ve fixed the issue.
Now you can create a Zip archive.
3. But now the question, should you?
Up until now, I’ve used Zip archives because I’ve had issues with Daf archives where the entire site would not be handled. I’m reading this shouldn’t be the case… but it just has been.
Cyberattacks on medical devices are a growing threat to patient safety. Cybersecurity threats to healthcare have increased in both frequency and severity, and continue to be clinically impactful causing healthcare delays. The security of medical devices is essential to protect patient safety and the integrity of healthcare data.
Medical devices are FDA approved solutions that pose unique security challenges when deployed in enterprise networks. There are a number of reasons why medical devices are a cybersecurity and cyber risk challenge. For example, many medical devices are hosted on outdated operating systems. Also, being patient focused “first”, they may not have been designed with security in mind. Another risk is that medical devices are often connected to hospital networks, which means that a cyberattack on one device could spread to other devices on the directly connected network. Additional risk areas are that medical devices often contain sensitive patient data, which makes them a valuable target for hackers.
The increasing number of cyberattacks on healthcare organizations is a major concern. In 2022, there was a 74% increase in cyberattacks on healthcare organizations worldwide. This is due to a number of factors, including the increasing use of connected medical devices, the growing sophistication of cybercriminals, and the high value of healthcare data.
The potential risks of cyberattacks on medical devices are significant. They can lead to the theft of sensitive patient data, the disruption of patient care, and even the loss of life. It is therefore essential to take steps to protect their medical devices from cyberattacks.
These guidelines are focused on patient safety while introducing medical devices to the enterprise network. The document provides guidelines to safely and securely introduce vendor managed medical devices into operational enterprise networks. There are three entities involved. The customer is the hospital or medical facility; the vendor is the distributor of the medical device; and the manufacturer is the manufacturer on record with the FDA.
3. Guidance & recommendations for deploying medical devices
The following guidelines should be considered when evaluating medical devices
3.1 Fully document data system interfaces
Medical devices are often integrated with electronic medical records and other intricate patient health systems. Confirm that the entirety of the medical device data system interface is fully documented with asset information, connected data repository (data source & data destination), ports, and protocols. This information is important when evaluating whether additional protection (such as isolation or network segmentation) is practical. [1]
3.2 Perform threat modeling
All networked devices are susceptible to malicious compromise. In threat modeling medical devices, expect the device is compromised and consider what the threat actor can do with the device. Consider patient safety first, and consider methods and techniques to protect the enterprise from the compromised medical device.
Threat model development are twofold. First is how a threat actor can manipulate the machine itself, potentially affecting patient safety. Second is if the device is compromised, how can that device affect healthcare operations. Threat modeling discussions should include the vendor since the vendor is more likely to intimately understand the vulnerabilities in the device. [2]
While performing the threat model, consider that the hospital is likely not able to thoroughly scan the device for compromise. For example, consider that the device may have explicit but undocumented wireless internet capability (many off-the-shelf computers have built in Internet capable SIM cards), or that a vendor employee may introduce an Internet connected device for maintenance and updates, or that a threat actor could introduce an Internet connected USB leave-behind. Since the hospital is likely not able to scan and control the medical device system, the hospital needs to protect itself from these types of threats.
When performing threat modeling, consider specific examples of what a threat actor could do with the compromised device. For example, a threat actor could:
Cause patient harm: Change the device’s settings or firmware. This could cause the device to malfunction, deliver incorrect treatment, and thereby harm the patient.
Perform data theft: Access and steal sensitive patient data. This could include medical records, insurance information, or financial data.
Leverage as a bastion host: Use the device as a launchpad for attacks on other devices or networks. This could spread malware or ransomware to other devices in the hospital network.
3.3 Request for software changes & cyber security updates
Medical devices often include general purpose computers and industry available off the shelf (OTS) operating systems. These devices are the responsibility of the manufacturer, and controlled by the manufacturers FDA approval. Changes to the device could pose a risk to patient safety.
The device manufacturer bears the responsibility for the continued safe and effective performance of the medical device, including the performance of OTS software that is part of the device. [3, 4]
The manufacturer is responsible for validating cyber security software changes to control vulnerabilities. Any requested cyber security changes are ultimately the responsibility and authority of the manufacturer’s engagement with FDA. Concerns related to device security and vulnerabilities need to be addressed by external measures and compensating controls such as network segmentation.
3.4 Implement compensating controls
Due to the “hands off” nature of medical devices, compensating controls should be utilized wherever practical. For example, network segmentation is a method to improve data and system protection. [6] Network segmentation can be used to protect the medical device, and also to protect the enterprise network from compromised medical devices. Creating a network segment also forces the creation of fully documented medical device data system interface (e.g., data flow diagrams), thereby enhancing the security of the engagement.
3.5 Document maintenance responsibilities and maintenance schedules
It is customary that the manufacturer maintains the medical device and associated software. However, there may be situations where operational staff are involved with portions of maintenance. Fully document manufacturer’s requests for involvement.
3.6 Document cyber security readiness
Cyber incidents happen. It is important to ensure that staff are aware of the security risks posed by medical devices and how to protect the patient from those risks. For example, device specific awareness training will guide the medical staff on actions to take during an attack. In addition, indicators of compromise should be documented and staff properly trained for awareness.
A key to successfully resolving cyber incidences is a preplanned incident response playbook (e.g., a cyber security incident response plan, or CSIRP). Document the cyber security incident response opportunities and agreements between the hospital and the vendor, including the cyber security incident response contact teams.
The cyber security protection plan should include guidelines and procedures for
Identify: Threat landscapes are continually evolving, and it is critical to recognize threats as applied to specific devices. During the device lifecycle, many changes will occur, including changes on the device itself, software patches, and connected network changes. Contractually agree to a regular cadence of “re-documenting” the system to confirm cyber security readiness.
Protect: Periodically review the security controls in place, and confirm that the controls continue to effectively protect the device from newly discovered threat vectors and vulnerabilities.
Detect: Identifying signs of compromise. It is especially important that staff be made aware of indicators of compromise, and what to do if a machine is acting as though it is compromised. For example, fully document who the staff should contact when presented with what is believed to be suspicious activity.
Respond: Methods to isolate the compromised device to prevent additional attacks. Keep in mind that these are medical devices, and immediately isolating the medical device may negatively affect patient care. It is important to understand how to respond to a cyber attack while ultimately protecting patient care.
Recover: Restore operations, restoration of patient data.
The CSIRP should periodically be tested.
3.7 Simplicity is the key to security
The least burdensome approach to maintaining and protecting medical devices should be considered. [7, 8] Consider the FDA solution a complex “vendor managed solution” where forcing last minute vendor changes are neither practical nor secure. Instead, recognize the device as unmanaged, with unmanaged risks and unmanaged validation, and work to implement a framework of controls around the device that protects both itself, and protects the rest of the enterprise from the device.
3.8 Informal agreements are not obligations
Emails and discussions are not contractual obligations. Consider the value of the emails and discussions, and document any fundamentally important agreements in contractual obligations. Consider whether the agreements are absolutely critical to the engagement, and apply the principles of practical security.
4. Conclusion
Medical devices are capable of directly affecting patient care. These devices are also often connected to other infrastructure components with an ability to affect patient records, retrieve and store sensitive patient information, and be used as jump boxes to the rest of a hospital network.
When considering methods to protect the medical device system from attack by a threat actor, and to protect the hospital network from being attacked by a rogue device, the most effective methods are
To coach medical staff on cyber security readiness,
To employ methods to encapsulate and control network traffic,
To regularly revisit the vulnerability landscape for the system, and
To understand how an offensive operator can use that medical system to their benefit, to the hospitals detriment, and to the patients peril.
Medical devices & systems are a critical part of patient care, and securing these systems is essential to protecting patients from harm.
——————
References
[1] Food and Drug Administration (FDA), “Medical Device Data Systems, Medical Image Storage Devices, and Medical Image Communications Devices Guidance for Industry and Food and Drug Administration Staff”, September 28, 2022, https://www.fda.gov/media/88572/download
[5] Food and Drug Administration (FDA), “Guidance for Industry Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software”, https://www.fda.gov/media/72154/download
[6] National Institutes of Health (NIH), “Information Technology and Medical Technology Personnel´s Perception Regarding Segmentation of Medical Devices: A Focus Group Study”, https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7151197/
Cyberattacks on medical devices are a growing threat to patient safety. Cybersecurity threats to healthcare have increased in both frequency and severity, and continue to be clinically impactful causing healthcare delays. The security of medical devices is essential to protect patient safety and the integrity of healthcare data.
Medical devices are FDA approved solutions that pose unique security challenges when deployed in enterprise networks. There are a number of reasons why medical devices are a cybersecurity and cyber risk challenge.
1.1 Unpatched and outdated systems
Ripe for exploitable vulnerabilities, many medical devices are hosted on outdated operating systems. Medical devices are normally managed by the vendor, not by the customer. As such, the customer is not always “in the know” for when updates occur. Certainly, contractual agreements may exist, but policy safeguards do not always represent the technical landscape. Often the medical device vendor will rightfully cite “FDA approval’ for controlling the system. If an untested patch is installed by a customer, the untested system may introduce medical control issues that affect patient safety.
1.2 Security not first
Being patient focused “first”, medical devices are not normally designed as “security first”. This may be a difficult situation to negotiate with the vendor. For example, a gamma knife scheduling system compromised by malware may be marginally operational, and not affect patient safety. But a gamma knife compromised by malware or ransomware during a medical procedure may introduce lethal situations to a patient.
As security specialists, it is our job to make sure all parties understand the risks to security compromise. Ultimately, it is our job to notify the business of these risks, and the business that decides how to move forward in these situations.
1.3 Highly network connected
Another risk is that medical devices are often connected to hospital networks and potentially directly to the Internet, which means that a cyberattack on one device could spread to other devices on the directly connected network. The fact that these devices may be vulnerable (as pointed out above), and connected to the Enterprise network makes them nominal bastion hosts to jump into the network, therefore a valuable target for attack.
1.4 Sensitive patient data
Additional risk areas are that medical devices often contain sensitive patient data, which makes them directly a valuable target for hackers without even needing to jump into the rest of the network.
2 The statistics
The increasing number of cyberattacks on healthcare organizations is a major concern. In 2022, there was a 74% increase in cyberattacks on healthcare organizations worldwide. This is due to a number of factors, including the increasing use of connected medical devices, the growing sophistication of cybercriminals, and the high value of healthcare data.
The potential risks of cyberattacks on medical devices are significant. They can lead to the theft of sensitive patient data, the disruption of patient care, and even the loss of life. It is therefore essential to take steps to protect their medical devices from cyberattacks.
3 Guidance & recommendations
The following guidelines should be considered when evaluating medical devices. This guidance document is focused on patient safety and introducing medical devices to enterprise networks. The recommendations provide guidelines to safely and securely introduce vendor managed medical devices into operational enterprise networks. There are three entities involved. The customer is the hospital or medical facility; the vendor is the distributor of the medical device; and the manufacturer is the manufacturer on record with the FDA.
3.1 Fully document data system interfaces
Medical devices are often integrated with electronic medical records and other intricate patient health systems. Confirm that the entirety of the medical device data system interface is fully documented with asset information, connected data repository (data source & data destination), ports, and protocols. This information is important when evaluating whether additional protection (such as isolation or network segmentation) is practical. [reference 1]
3.2 Perform threat modeling
All networked devices are susceptible to malicious compromise. In threat modeling medical devices, expect the device is compromised and consider what the threat actor can do with the device. Consider patient safety first, and consider methods and techniques to protect the enterprise from the compromised medical device. [reference 2]
Threat model development are twofold. First is how a threat actor can manipulate the machine itself, potentially affecting patient safety. Second is if the device is compromised, how can that device affect healthcare operations. Threat modeling discussions should include the vendor since the vendor is more likely to intimately understand the vulnerabilities in the device.
While developing the threat model, consider that the hospital is likely not able to thoroughly scan the device for compromise. For example, consider that the device may have explicit but undocumented wireless internet capability (many off-the-shelf computers have built in Internet capable SIM cards), or that a vendor employee may introduce an Internet connected device for maintenance and updates, or that a threat actor could introduce an Internet connected USB leave-behind. Since the hospital is likely not able to scan and control the medical device system, the hospital needs to protect itself from these types of threats.
When performing threat modeling, consider specific examples of what a threat actor could do with the compromised device. For example, a threat actor could:
Cause patient harm: Change the device’s settings or firmware. This could cause the device to malfunction, deliver incorrect treatment, and thereby harm the patient.
Perform data theft: Access and steal sensitive patient data. This could include medical records, insurance information, or financial data.
Leverage as a bastion host: Use the device as a launchpad for attacks on other devices in the networks. This could spread malware or ransomware to other devices in the hospital network.
3.3 Request for software changes & cyber security updates
Medical devices often include general purpose computers and industry available off the shelf (OTS) operating systems. These devices are the responsibility of the manufacturer, and controlled by the manufacturers FDA approval. Untested changes to the device could pose a risk to patient safety.
The device manufacturer bears the responsibility for the continued safe and effective performance of the medical device, including the performance of OTS software that is part of the device. [reference 3, 4]
The manufacturer is responsible for validating cyber security software changes to control vulnerabilities. Any requested cyber security changes are ultimately the responsibility and authority of the manufacturer’s engagement with FDA. [reference 5] Concerns related to device security and vulnerabilities need to be addressed by external measures and compensating controls such as network segmentation.
3.4 Implement compensating controls
Due to the “hands off” nature of medical devices, compensating controls should be utilized wherever practical. For example, network segmentation is a method to improve data and system protection. [reference 6] Network segmentation can be used to protect the medical device, and also to protect the enterprise network from compromised medical devices. Creating a network segment also forces the creation of fully documented medical device data system interface (e.g., data flow diagrams), thereby enhancing the security of the engagement.
3.5 Document maintenance responsibilities and maintenance schedules
It is customary that the manufacturer maintain the medical device and associated software. However, there may be situations where operational staff are involved with portions of maintenance. Fully document manufacturer’s requests for involvement.
3.6 Document cyber security readiness
Cyber incidences happen. It is important to ensure that staff are aware of the security risks posed by medical devices and how to protect the patient from those risks. For example, device specific awareness training will guide the medical staff on actions to take during an attack. In addition, indicators of compromise should be documented and staff properly trained for awareness.
A key to successfully resolving cyber incidences is a preplanned incident response playbook (e.g., a cyber security incident response plan, or CSIRP). Document the cyber security incident response opportunities and agreements between the hospital and the vendor, including the cyber security incident response contact teams.
The cyber security protection plan should include guidelines and procedures to
Identify: Threat landscapes are continually evolving, and it is critical to recognize threats as applied to specific devices. During the device lifecycle, many changes will occur, including changes on the device itself, software patches, and connected network changes. Contractually agree to a regular cadence of “re-documenting” the system to confirm cyber security readiness.
Protect: Periodically review the security controls in place, and confirm that the controls continue to effectively protect the device from newly discovered threat vectors and vulnerabilities.
Detect: Identifying signs of compromise. It is especially important that staff be made aware of indicators of compromise, and what to do if a machine is acting as though it is compromised. For example, fully document who the staff should contact when presented with what is believed to be suspicious activity.
Respond: Methods to isolate the compromised device to prevent additional attacks. Keep in mind that these are medical devices, and immediately isolating the medical device may negatively affect patient care. It is important to understand how to respond to a cyber attack while ultimately protecting patient care.
Recover: Restore operations, restoration of patient data.
It is critical that the CSIRP be tested on a regular basis, and after any significant system change. This testing exercise confirms that the CSIRP remains valid in the dynamic operational enterprise environment.
3.7 Simplicity is the key to security
The “least burdensome approach” to maintaining and protecting medical devices should be considered. [reference 7, 8] Consider the FDA solution a complex “vendor managed solution” where forcing last minute vendor changes are neither practical nor secure. Instead, recognize the device as unmanaged (unmanaged from the customer’s point of view), with unmanaged risks and unmanaged validation, and work to implement a framework of controls around the device that protects both itself, and protects the rest of the enterprise from the device.
3.8 Informal agreements are not obligations
Remember that Emails and discussions are not contractual obligations. Consider the value of the emails and discussions, and document any fundamentally important agreements in contractual obligations. Consider whether the agreements are absolutely critical to the engagement, and apply the principles of “practical security”.
4 Conclusion
Medical devices are capable of directly affecting patient care. These devices are also connected to other infrastructure components with an ability to affect patient records, retrieve and store sensitive patient information, and be used as jump boxes to the rest of a hospital network.
When considering methods to protect the medical device system from attack by a threat actor, and to protect the hospital network from being attacked by a rogue device, the most effective methods are
To coach medical staff on cyber security readiness,
To employ methods to encapsulate and control network traffic,
To regularly revisit the vulnerability landscape for the system, and
To understand how an offensive operator can use that medical system to their benefit, to the hospitals detriment, and to the patients peril.
Medical devices & systems are a critical part of patient care, and securing these systems is essential to protecting patients and providing healthcare services.
Reference material
1 Food and Drug Administration (FDA), “Medical Device Data Systems, Medical Image Storage Devices, and Medical Image Communications Devices Guidance for Industry and Food and Drug Administration Staff”, September 28, 2022, https://www.fda.gov/media/88572/download
2 MITRE, “Playbook for threat modeling medical devices”, November 30, 2021, https://www.mitre.org/sites/default/files/2021-11/Playbook-for-Threat-Modeling-Medical-Devices.pdf
3 Food and Drug Administration (FDA), “Guidance document, Off-The-Shelf Software Use in Medical Devices, Guidance for Industry and Food and Drug Administration Staff”, September 27, 2019 (originally issued September 9, 1999), https://www.fda.gov/regulatory-information/search-fda-guidance-documents/shelf-software-use- medical-devices
4 Food and Drug Administration (FDA), “Global Approach to Software as a Medical Device”, https://www.fda.gov/medical-devices/software-medical-device-samd/global-approach-software-medical-device
5 Food and Drug Administration (FDA), “Guidance for Industry Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software”, https://www.fda.gov/media/72154/download
6 National Institutes of Health (NIH), “Information Technology and Medical Technology Personnel´s Perception Regarding Segmentation of Medical Devices: A Focus Group Study”, https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7151197/
7 Food and Drug Administration (FDA), “Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software”, January 14, 2005, https://www.fda.gov/regulatory-information/search- fda-guidance-documents/cybersecurity-networked-medical-devices-containing-shelf-ots-software
8 Hoffer, Gregory, “Complexity is Still the Enemy of Security”, https://www.cyberdefensemagazine.com/complexity-is-still-the-enemy-of-security/
Have you ever received a phone call where the caller’s first question is, “Can you hear me?”
A lot of talk on the internet since around 2017 with people saying they were encouraged to say “Yes!” only to later have their voice used to pay for services.
Disclaimer: I am not a lawyer, and I do not play one on television. I am however familiar with social engineering. I can tell you, in my professional opinion, of all the things that never happened, this never happened the most.
But… really? Is this for real? Or is it fear mongering, which is quite common on the internet? With a simple one word answer, can someone really steal my identity, or obligate me to a purchase?
Can I be obligated with a single word?
The answer is: Probably not. Realize, you likely have dozens of video clips with you and your friends on YouTube, or Instagram, or TikTok, or Facebook. And can a single word be used to identify you? So the perpetrators of this likely hoax are saying that a bad actor can order stuff on the internet, be on a call with whoever sales person for however long they need to be on, and then at the crux of the call they will change their voice completely and insert your voice with a single word response “Yes”?
Does that even sound reasonable? Of course it doesn’t sound reasonable. But it makes for good click bait, and fear mongering creates a lot of interest. The problem is, it also distracts you from real adversaries. Distractions are sometimes fun, but distractions are usually not very good use of your time.
Why the “Hello can you hear me” then? What are more reasonable thoughts on why these calls come in with that odd question?
Confirming you are a real person
The reason for the can you hear me is most likely a robocall where the calling company doesn’t want to waste the time of a real agent. Robo companies are operating on volume – the more the calls the better, because some percentage of people will actually buy what they are selling.
If an answering machine answers, there is no reason to waste the time of a real agent. When the “just say yes or no” happens, it is because the robocall recognized a voice, but thinks it has an answering machine.
Buying time for the operator
A second reason is that the robocaller just transferred the call to a real agent, who is trying to buy themselves time in the awkwardness of having the phone answered. You may have said “Hello” or something else, and they don’t know what you said, so in order to trick you into thinking they were having phone issues they ask you to basically repeat yourself with the cue “Hello? Hello? Can you hear me?”
Final thoughts
There are many reasons that a caller would ask whether the called party can hear them, including
A delay tactic, while being transferred to a live agent.
A simple way to start a conversation and to get the other person to respond.
Allows the scammer to test the audio quality of the call and to make sure that they are able to understand the other person.
A way to gauge the other person’s interest in the scam. If the other person responds positively to the “Can you hear me?” question, the scammer is more likely to continue with the scam.
A way to confuse or startle the other person, making them more likely to fall for the upcoming scam in confusion.
A basic tactic for sales, get the potential buyer to get used to saying “yes” in the conversation.
Now that said, these are my professional opinions. And remember, just because you are paranoid doesn’t mean they aren’t out to get you, so hanging up the phone is the right thing to do.
A watering hole attack is a type of cyberattack in which the attacker targets a website or online service that is known to be frequented by the victim’s target audience. The attacker then compromises the website or service and injects malicious code into it. When the victim visits the website or uses the service, they are infected with malware.
Watering hole attacks are a more sophisticated type of attack than phishing attacks. They are also more difficult to defend against, as the victim is not actively tricked into clicking on a malicious link.
The skill of attack: How watering hole attacks work
There are two broad categories for watering hole attacks.
Opportunistic watering hole
Opportunistic watering hole
In one case, there is the opportunistic watering hole attack. In the opportunistic case, the attacker has discovered a vulnerable web site, compromises the web site, and waits for any victim to happen by.
An opportunistic watering hole attack typically follows these steps:
The attacker identifies a website or service that can be compromised.
The attacker compromises the website or service and injects malicious code into it.
Any victim visits the website or uses the service.
The malicious code is executed and the victim is infected with malware.
Targeted watering hole
Targeted watering hole
In a different attack, the watering hole is known to be used by a specific targeted victim. This is a more sophisticated attack against a known specific target.
A targeted watering hole attack typically follows these steps:
The attacker enumerates websites and online services that are known to be frequented by the targeted victim.
The attacker enumerates vulnerabilities on the websites and online services.
The attacker compromises the websites or services and injects malicious code into them.
The victim visits the website or uses the service. In order to evade detection, the attacker may include exemption code to prevent the malware from running on any targets other than the identified target.
The malicious code is executed and the victim is infected with malware.
The malware can then be used to gain access to the victim’s computer or network, or to steal data.
How to defend against watering hole attacks
There are a number of ways to defend against watering hole attacks, including:
Educating users: Educating user is almost always included as the “go to” solution for all things cyber. Novice defenders believe that “ISO Layer 8” is the easiest attack modal to compromise — and this is true, that the user is the easiest operating system to attack. That said, watering holes are a unique technique in that the end user often has to use the watering hole in their normal course of business. That being the case, how can users be educated to avoid watering holes if these watering holes are otherwise “trusted sites”? The answer is, the end user can’t be taught that basic tenant of “avoid untrusted sites”. Instead, the user needs to be made aware of anomalies that might occur when visiting otherwise known trusted sites, a much more complicated endeavor, although one that must be explored.
Maintain updated systems: Updates and patches must be maintained on the enterprise systems. Maintaining updated and patched software reduces the opportunity for exploits to successfully land on the enterprise.
URL filtering: Use URL filtering software that tests the URL destination for malware before it loads into a potential victim’s browser.
Continuous website monitoring: Organizations should monitor websites that are frequented by their employees or customers for signs of compromise. This can be done using web application firewalls or other security tools. When compromise is identified, block access to the web site and proactively contact the web provider.
Using security software: Security software can help to detect and block malicious code. Security software should be kept up to date with the latest virus definitions.
Using intrusion detection systems: Intrusion detection systems (IDSs) can help to detect malicious activity on a network. IDSs should be configured to detect watering hole attacks.
Conclusion
Watering hole attacks are a serious threat to organizations and individuals. By taking steps to educate users, use security software, monitor websites, and use intrusion detection systems, organizations can help to protect themselves from these attacks.
“The future of malware” is a trigger for most of us in computer security. Most cyber professionals have an idea of what they think malware looks like in the next few years, but truly few of us write about it or document it in a formal way. In 2013, I presented on the “future of malware”. My predictions at the time were that initial attack vectors would pivot strongly away from IP based network attacks and towards (1) social engineering, (2) insider threats, and (3) overprivileged systems. At the time, application sandboxing was somewhat in an infancy (especially phone based applications), and phishing was gaining speed. Stuxnet was at the time a recent exploitation that was still being discussed in the industry.
Since then, Target was attacked through an over privileged thermostat — it was a control unit that was on the same layer of protected network as the rest of the enterprise and credit card machines. Then along came SolarWinds, where the attackers compromised service delivery of an application that was then distributed by the vendor to their clients.
Without much further ado, I’d like to present an interview with ChatGPT, and discovering what an artificial intelligence makes of the future of malware.
ChatGPT was asked to write a 1000 word essay on the future of malware. This is the result. I’ve added notes to each paragraph. ChatGPT content is italicized.
Malware, short for “malicious software,” is a term used to describe any software that is designed to harm or exploit computer systems. It has been a significant threat to individuals and organizations for many years, and it is likely that it will continue to pose a threat in the future.
This is an accurate description to the question “what is malware?”, and the status of malware in the industry. Kudos ChatGPT.
One trend that is likely to continue is the increasing use of malware as a tool for cybercrime, such as ransomware attacks that hold data hostage until a ransom is paid. These attacks can be especially damaging to businesses, as they can disrupt operations and lead to lost productivity and revenue. In recent years, there has been a rise in the use of ransomware as a tool for extortion, and it is likely that this trend will continue in the future.
Types of malware come in many forms. My own opinion of this is that the trend is likely to pivot to data exfiltration and blackmail based on content (compromising the Confidentiality of data while leaving the data itself largely intact and Available) rather than the current lock and hold for ransom (Availability disruption). My basis for this argument is that more companies are using endpoint protection, “thinner” clients, and vendor segmented SAAS solutions where Encryption of large scales of data will be difficult. That said, this is a professional opinion, and I wouldn’t say ChatGPT is “wrong”. Kudos ChatGPT.
Another trend that is likely to continue is the increasing sophistication of malware. As security measures and technologies evolve, malware will also continue to evolve to become more sophisticated and harder to detect and remove. This could include the use of machine learning algorithms to evade detection and the development of “zero-day” vulnerabilities, which are security vulnerabilities that are unknown to the vendor and can be exploited by attackers before a patch is available.
Well, on this one there are a lot of fancy words being used like “sophistication of malware”, “evolve”, and “zero day”, all of which many of us in cyber war have written about. I’m going to say this paragraph is more fluff than fodder No bonus points ChatGPT.
One potential future development in the field of malware is the use of artificial intelligence (AI) and machine learning algorithms by both attackers and defenders. On the one hand, AI and machine learning could be used by attackers to more effectively evade detection and launch more sophisticated attacks. On the other hand, AI and machine learning could also be used by defenders to more effectively identify and respond to malware attacks.
Agreed, and it is of benefit that artificial intelligence is being mentioned. To note, my thesis is in Artificial Intelligence, and I likely would not have mentioned AI in attack and exploitation. While this paragraph doesn’t present many details, it does bring up the subject. So… Kudos to ChatGPT for mentioning it.
Another potential future development is the increasing use of malware in the Internet of Things (IoT). As more and more devices are connected to the internet, they become potential targets for malware attacks. This could include attacks on smart home devices, industrial control systems, and other connected devices. Protecting against these types of attacks will require new approaches and technologies.
Agreed, yes, absolutely. The security perimeter becomes the node or system itself, instead of some artificial boundary between “enterprise” and “Internet”. Up until 2010 or so, breaking the perimeter usually meant bypassing the firewalls protecting the Internet border. That border is now already broken, because IOT (such as that thermostat at Target, or even SolarWinds if it is considered an appliance) is already in the building. Kudos ChatGPT.
To protect against future threats, it is important for individuals and organizations to implement strong security measures, such as keeping software and security systems up to date, using antivirus and firewall software, and being cautious when opening emails or downloading files from the internet. It is also important to regularly back up important data to prevent loss in the event of a successful malware attack.
Hmm. This paragraph on malware protection really seems to fall short. Anti-malware software only helps once signatures have been developed. Patching systems, using antivirus, check, agreed. However, earlier ChatGPT mentioned zero days, and of course zero days have no patch. I think ChatGPT should have tied these two concepts together. Good ideas ChatGPT, but there is something missing.
In addition, it will be important for individuals and organizations to stay informed about new threats and developments in the field of malware. This could include staying up to date on security patches and updates, participating in security awareness training, and staying informed about the latest trends and techniques used by attackers.
There is a quote from the cold war that I’m going to paraphrase for cyber warfare. “In order to beat an attack, you have to think like an attacker.” Defenders will never win until they become the attacker. My recommendation is to regularly rotate the Defender staff out to Attacker mode, let them learn the Attack and Exploitation game, then come back and Defend for awhile while the next group rotates out. A defender will never win until they think like the attacker, and even then, the defender cannot “win”, they can only thwart an attack that is underway. As soon as the Attacker recognizes the Defender has caught on, the Attacker then pivots to a new Attack vector. So… with regard to “staying informed”, I’d say that is implemented as, let the Defender put the Attack hat on from time to time. Kudos to ChatGPT.
In conclusion, the future of malware is likely to be marked by increased sophistication and the use of new technologies, such as AI and machine learning. Protecting against these threats will require strong security measures and a proactive approach to staying informed about new developments in the field. By taking these precautions, individuals and organizations can help protect themselves against the ever-evolving threat of malware.
Great conclusion. Kudos ChatGPT.
Let’s take a look at this!
Overall assessment
ChatGPT as of 2022 provides some clever ideas and insights, and puts together a reasonable basic essay. There doesn’t seem to be much depth, and ChatGPT doesn’t bridge ideas together. There are what I call “flower words and phrases”, such as “increased sophistication” and “new technologies” without explaining why. Diving into this, every year the technology world experiences “increased sophistication” and “new technologies” — so the words and phrases really don’t do much to increase the sophistication of the essay, or to help the reader understand why these statements are being made.
For basic layout, the Chat bot does a decent job at assembling a basic non sophisticated essay. For this example in discovering the future of malware, the bot did a basic 101 level essay on the topic, but not much more.
Chess automata
Concluding remarks
Chess computers have been theorized for a hundred years. The Cray Blitz in the 1980s was the first chess automaton to register as a chess master. Twenty years later in 2006, the world champion Vladimar Kramnik is defeated by Deep Fritz in a 4-2 match. No human has topped a chess computer since.
In the same way, ChatGPT is in its infancy. This is just the beginning. Today, ChatGPT is demonstrating basic and very good writing techniques.
That all said, this is the beginning of ChatGPT and automata writing engines. Give the bot a few months or a few years, and I’d expect the sophistication of the bot to be on a competitive level to human writers. My prediction is that ChatGPT and automata writing engines will be used for “basic framework”, then more advanced human writers will add to the basic text that is generated — very similar to what I myself did in the earlier section. Let ChatGPT and automata do what they are good at (not much different than having an entry level lawyer write the beginning of the contract), then have a more advanced human take over to edit and include details that may have been overlooked by the automata.
So tell me, what are your thoughts? Where is this technology likely to wind up in the next few years?
Dead links are absolutely “no good” for your SEO, and even worse they are no good for your visitors!
There are two kinds of dead links. Links to external sites need to be monitored since the external site might change their structure, or they might even go out of business. In either case, new related articles need to be discovered, or simply kill the dead link.
Links to your own site sometimes go dead because of site structure changes. For example, if you’ve moved WordPress to a “different” subdirectory while migrating to a new hosting company, site destinations may have changed.
This article outlines a few free link checker sites that will review a site for dead links.
Emergency situations call for emergency preparedness. The term “breakglass access” derives from the world of emergency alarms (such as fire alarms) that are protected by “break glass” stations, where once the alarm is activated it cannot be “turned off” without replacing a part of the station. Sometimes the fire alarm has a glass or plastic insert that has to be replaced after the alarm is activated. In any case, a responder is going to immediately recognize that the alarm has been pulled.
In computing, “break glass” is the procedure to access a system that bypasses normal security controls during critical emergency situations. Break glass procedures rely on pre-staged emergency user accounts that are documented, tested, and managed. For example, a “break glass” admin account may be created for situations when network based authentication/authorization services (such as Active Directory) have become unavailable. The break glass accounts should be made in a way that they rely on (1) the user and (2) the target system, with very little tertiary system involvement.
Of course, in all break glass situations, be aware that the break glass accounts can also be weaponized by threat actors. Since the break glass accounts bypass potential mitigation steps, a threat actor may be able to use them. For example, break glass accounts rarely enable conditional access policies such as MFA. Without a second factor to security, a threat actor has easier access to the systems that are being protected.
It is also important to note that “break glass” access is not always a “break glass” account. Break glass access might be a method or procedure. For example,
Break glass in a data center might mean that there are methods to boot the affected system in a Safe Mode container that provides properly authenticated access
Break glass in a cloud environment might mean that there are procedures available to call the service provider and have a new account created.
B. Retain role based security – Emergency access to particular levels of “the stack”
Software is a many faceted beast, including infrastructure (networks & servers), platforms (operating systems), and software (reference AAS sisters). Emergency special access rights need to be configured for all three layers of the beast.
For example, let’s say you have a website built on WordPress deployed on a web hosting server. There are several break glass opportunities and scenarios. To outline a few, there are (1) the website, for example, where new articles are created; (2) the WordPress deployment, for example, where new users are created; and (3) the web hosting login, where a new WordPress might be created. There are of course many others.
But there is no reason to get carried away with break glass accounts. As a reasonable starting point, understand what each break glass account is capable of doing. Do you really need this many break glass accounts? Probably not if you control the entire stack.
If access to the website account is lost, the normal WordPress Admin account authorizations can be used to change the website account password.
If access to the WordPress Admin account is lost, a new account can be created by the normal web hosting login.
If access to the web host is lost, a reasonable break glass procedure might be to call the hosting provider and have the access credentials reset.
C. Use cases: When emergency access is required
To better understand how to protect systems with break glass access, let’s explore why emergency access may be required. To name a few, emergency access may be required in the following situations:
Cyber attack (insider or external) has deleted or removed access to all accounts. In this way, the system is unavailable by all methods other than break glass.
Accounts are federated, and the identity provider is not available. For example, if access to AD has been compromised by way of a cyber attack, or a network outage has prevented access to AD, the system is unavailable by all methods other than break glass.
Multi factor is enabled on all accounts, and the Multi factor grid is not accessible or has become compromised. For example, in a global phone outage (text based MFA), or if an MFA app provider has become compromised. In this situation, the system is unavailable by all methods other than break glass.
Remembering that break glass access can also be weaponized by a threat actor. It is best to restrict the number of methods to gain access, to reduce the vulnerability exposures.
D. Emergency access suggestions
Break glass access is typically either
by way of system access procedures, for example, console access;
by way of contacting a provider company that has access (for example, in a cloud hosted environment);
by way of an account.
In any of the scenarios, the process should be documented and well tested. You don’t want to try to “figure it out” during a real outage that is affecting your users and customers.
Here are suggestions for emergency access:
Top five criteria for all emergency access methods
Fail proof – it has to work 100% of the time
Sufficiently privileged – in order to recover from every situation
Perpetual – not subject to lockout under any circumstance. Cannot be deleted, expired, nor deactivated, so that if a malicious user gains access to the system, the malicious user cannot execute a Denial of Service to the Break Glass account.
Not used for any access other than absolute emergencies – these are not daily access accounts
Regularly tested – triggered by time (say every 90 days), upgrades, updates, new break glass users, terminated break glass users
Additional criteria for emergency access
Simple – since the accompanying emergent situations is already increasing stress levels
Audited – with no ability to destroy audit trails, so that a “break glass” event is evident to observers
Protected – access methods should be stored in a manner in which if the method is accessed, the access is easily identified. For example, if break glass account, store the credentials in an envelope in a locked firesafe where the envelope itself has to be destroyed in order to access the credentials. In this way, anyone who has access can identify if the account information has been accessed.
Monitored – so that if the method is used, every user becomes immediately aware. For example, every admin is immediately notified that the break glass process has been invoked. Keep in mind if an adversary has gained admin access and admin notification occurs, the adversary will then immediately be notified that Break Glass has occurred.
Minimum necessary privilege to recover – for example, the ability to create and manage Admin accounts, where then the admin account can be used for the rest of the recovery process.. Remember, Break Glass is to regain access. The person who logs into the Break Glass account is not likely the person who manages daily access to the system. In a large environment, the Break Glass action is going to be used to establish a “fix beachhead” that is then used to regain global access for multiple other users.
Protected against single person insider threats – for example, requiring more than one person to gain access
Not assigned to an individual – since emergency access is to recover from an emergency, and the individual may be a contributing reason for the emergency (an insider threat bad actor)
Procedures kept current for any new versions or deployments of infrastructure, platforms, or software
Does not require reset, so that if part way through recovery another situation is encountered, the same break glass method can be used
Intentional – to protect against “accidental break glass”
Special considerations for “break glass” accounts
Not multi factor – because multi factor may be a contributing reason for emergency access
Local account – not relying on any centralized authentication or authorization services
Username/Password stored in a container where access is easy to identify and requires “new glass” (such as an envelope) to reset, that is, cannot be easily reversed.
Explicitly excluded from automated cleanup and lockout – cannot be locked out, ever
Explicitly excluded from lockout due to failed passwords – since an adversary could simply DOS the account to lockout break glass access during an attack
Access passwords or password locations changed when staff changes
Bonus: Password separated into two or three parts stored separately, with potentially different people having access to different parts of the password. Remember, breaking a password into separate pieces reduces the cryptographic complexity of the password. For example, if a 12 character password is broken into two 6 character segments, the resulting security is only that of a six character password. If an adversary obtains half of the password, only the second half needs to be cracked.
Other notes on methods and accounts
Of course, “ideal” break glass methods typically require cooperation and configuration from the vendor. For example, with regard to break glass accounts, most vendors provide administration authorization that is universal administration, not limiting the account authorizations to “only account creation and management”. With this in mind, be conscientious in creating break glass methods that can be implemented on the systems that are being managed.
E. Concluding remarks
Dealing with adverse situations is the foundation of business continuity planning. The situation of losing access to a system or server is no different than any other adversity. Break glass access methods are part of the recipe of a comprehensive recovery plan.
I hope this article has been helpful! If you have any recommendations please drop me a line.
Abstract: Have you ever wondered about Link tracking and who clicked my link, fake link to see who clicks, link that tells you who clicked it, or just how to know if someone clicked on your link. However it is asked, the answer is the same! This article will help with your request.
There are times that you’ll want to know if someone has “clicked the link” that you’ve shared. Say, for example, you have interest that “a scammer” is up to no good, and you’d like to know where that scammer is. This article is going to show you some tools available for click tracking.
If you have a web site you’ll likely be using Google Analytics or one of the other “site visitor” trackers. That’s good stuff! But sometimes it isn’t a site visitor that you are looking to track. Of course, this goes hand in hand with the first rule of computer security: “Be aware“.
In comes: Link trackers!
As always, we are only interested in the free link trackers. Here are a few.
Bitly is one of the “original” logger/shortener sites. The free version is “generous”, with up to 1000 different tracked links per month, and a 30 day retention on click through. 2FA is available for those of you who are security conscious — which should be everyone who reads my posts! 🙂
2. Grabify IP Logger
works reasonably well. You provide a web url, and it creates a tracking url.
Grabify logger Create Link page
Grabify works great, and it provides detailed information on your clickers.
Grabify Link Information page
Pros and cons:
(pro) The results page is easy to understand.
(pro) As a bonus, if requested, Grabify will send you an email whenever anyone clicks one of your links.
(negative) Be aware, there are a LOT of advertisements on Grabify. One of the “benefits” to having a free service!
(con) Also be aware that as of the time of this writing, the base domains are all “non normal”. This may or may not be a consideration for you.
(con) there is a lot of delay before the link unwraps to the real URL. Your users may get tired of waiting.
3. IP Logger
IPLogger is another choice in IP Logging. The user interface is cluttered but functional.
4. Wow Link
Wow Link is another excellent choice in IP Logging. The dashboard is clean and modern.
Note though that Wow Link has a lifetime limit of 5000 links and 10,000 total visitors that can be monitored. For a casual user it will take awhile to get there, with a maximum of 25 links per month.
Wow Links limitations with “Free” plan
Final words
It was difficult to find the first few, but once I found a few (as in, replacing goo.gl), it opened up a river of options. My recommendations are to
find one with generous Free allotments, and
start using it.
Once you figure out if you really want to go to all the trouble, then consider doing more research to find a potentially “better” one. But nearly any of these will do.
Oh, and because there are a lot of scam sites out there, I’d recommend using a throw away email address.
Let’s be safe out there!
References
there are a lot of ways to ask about fake link to see who clicks, or link that tells you who clicked it, or even the simplest few words of who clicked my link, wikipedia does a decent job of describing the technique: https://en.wikipedia.org/wiki/Click_tracking
Operational enterprise environments are tempermental. Touch one thing, break another. Replace a server, break the interfaces to that server. Increase the security posture of the organization by changing an operational firewall? Well, we don’t want to think about that!
Wait. Actually, we do want to think about increasing the organization’s security posture.
This article focuses on protecting enterprises with outbound firewall rules. We’ll also explore network based threat hunts, how netflow models can trigger Hunt alerts, and how the models provide valuable metrics for hunters.
Firewalls are security devices that protect enterprises from uncontrolled network flows, in much the same way as dams protect towns from uncontrolled water flows. Most enterprises recognize firewalls as “inbound protection devices”. But firewalls are much more than inbound protection devices. Configured correctly, firewalls protect against unauthorized inbound traffic AND unauthorized outbound traffic.
What does this mean? Consider an adversary (possibly an insider) that has landed on your network. This is already a bad situation — something has happened that allowed the adversary to wind up on the network.
This is where your outbound firewall configuration comes in. Without a firewall, the adversary is able to exfiltrate your sensitive data without you even knowing. That said, a properly configured firewall can make it more difficult for the adversary to exfiltrate data from your network. Even though the adversary is on the network, getting sensitive data out of the network can be made more difficult with the use of firewalls.
Define your network
Dealing with thousands of individual objects is a difficult task. When presented with thousands of individual objects, our minds work to categorize the objects.
Network objects are no different. Combining dozens of objects on a small network quickly become complex. Consider your home network. Probably pretty simple. You might have a half dozen cameras, an Internet ready doorbell, WiFi keypad locks, a couple of computers between you and the family, several phones, a WiFi thermostat or two, printers, WiFi smart watches, network enabled refrigerator, and several other devices. Even in this “pretty simple” environment, simple means dozens of devices.
Dozens of devices potentially means at least dozens of Firewall rules. And every new device means reconfiguring the Firewall. This effort can become unwieldy quite quickly.
So how to proceed? First, recognize that this process is iterative. Each iteration is a brand new opportunity to refine the solution.
Grouping network objects based on “service”
Dealing with large numbers of diverse objects is difficult. It is much better to group objects into “similar” or at least “similar enough”. When it comes to networks, shiny objects are not all created equal. One easy grouping of devices might be based on the “nature of network access”. For example, the groups might include:
(a) INTERNET ACCESS devices that need outbound connected Internet access, but no Internet device needs to initiate access into these devices. These devices include computers, laptops, and phones.
(b) INTERNET BLOCKED devices that do not need Internet access. They never need to communicate to the Internet, and the Internet never needs to initiate traffic to them. These devices include individual cameras that connect to a local DVR, WiFi enabled thermostats that are controlled only by phones that are on the network, and printers. Remember to consider that the devices will not be able to update themselves either, since they will not have direct access to the Internet. Creating a workflow for updating the devices is important, and usually handled by manual updates or by having a local server they’ll attach to that will allow updates.
(c) DMZ DEVICES devices that need to be controlled or accessed by the Internet. These devices require firewall routes from the internet “into” your network. The devices might include a web server if you are locally hosting web sites. This class of device are typically deployed in DMZs (network demilitarized zones) and will not be covered in this short tutorial.
To summarize, a simple categorization or segmentation is (a) devices that can access the Internet, and (b) devices that do not access the Internet.
It is easy to argue that “This binary Yes/No, Open/Blocked network segmentation is insufficient!” And yes, that is an accurate statement. Build as many different groups of devices as you wish, and remember this is an iterative process. At some point you’ll need to get started.
Deploying firewalls in new enterprises
Greenfield
Configuring firewalls in new environments is a much simpler task than configuring firewalls in operational environments. In a new environment, the firewall can start life with outbound connections set to Block All. Each new device, each new service, can be assessed for traffic requirements. For example, you know your employees need to access web sites? Open outbound TCP 80 and 443 for the workstation endpoint IPs. You know a server engineer needs to sftp to a remote server? Open outbound TCP 22 for that server IP.
In the Groupings solution defined above, onboarding each new device requires that the device is categorized as either (a) Internet access necessary or (b) Internet access is blocked. It is quite valuable to have subcategories as well. For example, the workstation endpoints should not necessarily have 22 open. On the other hand, Server endpoints often do not have 80 & 443 open (you don’t want your Server engineer to browse potentially nefarious web sites and download malware).
One thing to remember is to create policies & processes for onboarding new devices. Each new device should be attached to a group that will allow the appropriate and reasonable amount of Internet traffic.
Deploying firewalls in operational environments
Operational environments require a bit more planning and diligence. The problem is that blocking all ports is going to break everything — suddenly, nothing will work.
Complexity is the enemy to security
The basis of this recommendation is: Make a plan! Whatever you are going to do, make sure you’ve developed a plan, and make sure the plan includes backout steps.
Here is an operational plan for changing firewall rules that will work in every environment.
1. Monitor and capture netflows
Goal: Identify each (a) device that is communicating to the Internet, and (b) the remaining devices that have no need to access the Internet.
Understanding basic network metrics is the best place to start in protecting an existing environment with firewalls. Users are not impacted during the monitor and capture phase since traffic shaping does not occur during the monitor phase.
The monitor phase should continue for at least a month, more reasonably at least a quarter. The reason for this extended timeframe is to capture as much “known traffic” as practical. For example, vendor software updates are normally scheduled at least quarterly. By monitoring for at least a quarter, the capture will include vendor software update flow. To note, Microsoft and other vendors initiate the infamous “Patch Tuesday“.
The monitor phase metrics results in two useful artifacts.
First, ports that are not used during the normalization phase can be considered for blocking (explained in the next phase).
Second, the netflows can be used during threat hunts. The way this is used during a hunt is that the hunters have a model for “normal” traffic, and thereby can also recognize “not normal” traffic.
Know that this step is not going to stop an existing bad actor that has already infiltrated your network. In fact, you aren’t even going to be made aware of a bad actor during this step.
Bird of prey
Threat hunting
Recognizing “not normal” traffic is a key to network threat hunting. During a threat hunt, the team is looking for anomalies, for traffic that doesn’t belong. If a “disallowed” netflow shows up in a capture, the netflow might be an indicator of compromise, a key sign of trouble that needs to be investigated by the threat hunt team.
To explore this a bit, network modeling is not “binary”. That is, it isn’t just the “disallow” list that is important to modeling netflows. Ports that wind up on the “allow” list should continue to be monitored for excess traffic. An artful threat hunt includes investigating abnormal traffic spikes. If a port model demonstrates a certain daily traffic volume, then suddenly experiences a traffic spike, the excess traffic should result in a Security Alert.
2. Explicitly allow “active” netflows; explicitly deny all others
The second phase of tuning the outbound firewall rules is to only allow the “known active” ports. This is performed by explicitly Allowing netflows that were observed during Phase 1 Monitoring, and explicitly Denying all other flows.
Active block in a previously open enterprise is likely to introduce issues. The team needs to have a plan and procedure ready to “unblock” required flows. This step of “Explicit block” should be delayed until the policies and procedures are available. Blocking netflows in large complex enterprises should be handled delicately since these environments may require flows opened that simply didn’t show up during the analyze phase.
For complex poorly documented operational environments, it may be more reasonable to “alert on unused ports” instead of “block unused ports” during the early parts of the transition. However at some point the phase of “explicit deny” must conclude with “block unused ports”.
Threat hunting
Advanced organizations might consider replacing simple “blocks” with redirects. For organizations that actively threat hunt, redirecting an unallowed/unused flow to a honeypot can quickly alert the crew to call Hunt On! Unused ports are easily identified in the Netflow capture since the unused ports simply will not show up in the list. For example, if Port 3389 (a port associated with Remote Desktop Connection) doesn’t show up during the monitor phase, and the team knows that there are no reasonable and acceptable outbound remote desktop connections, then an advanced team might consider redirect 3389 to a honeypot. If any devices wind up landing on that honeypot, the hunt team needs to search for the rogue device and user.
3. Refactor “active” netflows
Once the “known unused” ports have been handled successfully and the organization defaults to “Block” or “Redirect to Honeypot”, it is time to move on to refactoring the “active” netflows.
Refactoring reduces the firewall ruleset. If there are 150,000 endpoints in an environment, it is likely a good idea to distill those into different types of endpoints — for example, Workstations, Servers, Phones, and Cameras. The simplest refactoring will identify “all <specific types of> endpoints” allowed outbound traffic to “all destinations” over “listed ports”. For example, “<all Workstations> allowed outbound traffic to <all Internet destinations> over port 80 & 443”. However, this is just the beginning of this phase of tightening down the firewall.
In operational environments, refactoring operational ports is likely a multi-phased approach; one phase covering workstation endpoints; another phase covering servers; and several phases covering “other endpoints” like phones, cameras, and keypads/door entry systems. Eventually the firewall will have a collection of rules for many different types of endpoints.
Example: SMTP
For example, say that Ports 25, 465, and 587 show up in the “operational port” report. These ports are associated with SMTP (also known as Simple Mail Transport Protocol). While it is reasonable for a mail relay such as an Exchange server to communicate over these ports, it is less reasonable that a workstation/user endpoint relay their own mail. The ruleset should Allow the Exchange server and Deny all other systems.
Example: Web traffic
Another example exists for web traffic over 80 and 443. While it may be reasonable to open web traffic for all endpoints, an adversary can use those allowed flows to exfiltrate traffic. One might consider, is it reasonable for a Server to contact web sites over 80 & 443, or only Workstation endpoints configured for user traffic? Even moreso, is it appropriate for even the Workstation endpoints to communicate out directly, or is there a web proxy protecting the end users from visiting known malicious web sites?
Threat hunters are in a constant battle with threat actors. The more data available for the hunt, the more likely the hunt will succeed.
Threat hunters need data, and netflows are an invaluable form of data to a hunter. Continue monitoring netflows even after the firewalls have been normalized. The continuous monitoring provides data that is useful for computer network defenders and threat hunters. Identifying anomalies is a bases for alert generation, and identifying anomalous traffic volumes is an event that should trigger an alert.
Conclusion and after thoughts
Firewalls are “moderators to the real world”, they defend against inbound malicious traffic, and they defend against adversaries who are trying to exfiltrate traffic on outbound ports. Defending your precious sensitive data requires a fully operational bi-directional firewall.
Managing operational environments is a task in balancing many parts of a complex puzzle, from satisfying user demands, to enforcing security, to addressing Cxx level board room concerns. Managing underused firewalls in these operational environments can be an undoubtedly perilous concern, and managing firewalls is equally necessary to properly protect the environment.
As always, Prior planning prevents poor performance, and this adage holds true for deploying Firewall changes in operational environments. Make a plan, and stick to it. But what happens if the plan has too many edge cases? If the need arises to deviate from the Firewall Protection Plan, change the plan itself and restart instead of deviating from the plan.
If you tell all your friends about that great five or six character domain name, and they tell their friend, and they tell their friends before you actually register it? Right. Someone else might just register it before you can.
But it is worse. It has been my experience that searching for a domain name on the internet, looking at various whois registries, asking if a domain is available to your favorite domain registrar, that someone somehow intercepts the information and poof, registers the domain before you do! Then they’ll gladly sell you the front run domain at their price. This practice is known as Domain Name Front Running, it is a real thing, and Network Solutions even admitted to the practice.
The places to go for domain search
So where is it safe to search? In my experience, I use two different engines, and avoid everything else.
Don’t work with red hot dealers! They may be front running you!
GoDaddy? In my opinion just say no
My experience, and this is just one of my experiences. At one point in my history of life, I used to use Go Daddy as my domain registrar. I was looking for a new domain name, so I of course went to Go Daddy to do the searching. I entered hundreds of different names, most of which were already taken. But there were a few great short domains that I came up with! I was excited! I decided to sleep on it. A couple of days later, the domains were registered by someone else, of course the domains were using private registration, and the domains were parked on Go Daddy “This domain is for sale” pages.
I of course cannot confirm that Go Daddy systemically takes potentially popular domains from the sea of domains for which their customers search, and it is completely possible that the domains were just cool names that someone else also thought about at the same time I thought about them. It is also possible that a disgruntled Go Daddy employee decided to search for the search terms their customers were using and decided to steal the domain — not really stealing, maybe more being opportunistic, but it sure felt like a stealing at the time.
Note that Go Daddy claims they are not involved with front running here, and here, and here, and I am not accusing anyone of front running, not even Go Daddy. I just know I had a bad experience with front running, and it is reasonably easy to avoid being front run.
The Coronavirus quarantining and social distancing has resulted in tight quarters. More of us have combined working and living in the same physical spaces now, working remotely or working in other unusual spaces. There is not the same “clean separation” between Work and Personal space where you leave your home and drive to your work. However, separating your “Work Identity” and “Personal Identity” remains very important, both for your protection and for the security of your company.
LinkedIn is a personal social media site. Use your personal email address for personal sites
When you create online accounts, consider whether the account is something that you wish to retain if you separate from your company, or whether the company needs to retain the account information. Also consider whether you want your company to monitor everything about the account.
For example, a B2B supplier would likely be a “Work Identity” account. For those accounts, use your Business email.
On the other hand, a LinkedIn account, Facebook account, or account at your child’s school are “Personal Identity”. For those accounts, use your Personal email.
Take away
Personal identity and Work identity need to remain separated, for both your personal security and the security of your company. Only use your Work email address when representing the company and when necessary for company business. Use your Personal email address for your personal online identity.
The COVID19 Coronavirus situation has affected our families, our homes, and our work environments. Our children are home, some people are new at working remotely, others have to be extra vigilant in keeping their areas clean and sterile, and even more are stressed and overworked with more caseloads and more patient care than is common.
During these stressful times, the Internet Bad Guys are going to do their best to trick you. They are working hard to entice you to do the wrong thing. The Bad Guys are going to strike your nerves with Fear, Uncertainty, and Doubt, three of the most powerful influencers ever used against mankind.
How can you protect yourself? The same methods you use to keep you safe “in real life” will also secure your digital world — be aware! Know your contacts, know your computer, and know your context. Let’s take a look.
Know your contacts (your people, your connections)
Do not open links from unknown contacts! Do not open files! Are you receiving more emails about “COVID19”? Information about your stimulus check? Brand new “Preventions” and “Cures”? Source for Toilet Paper and Masks? Do not click those links unless you know the sender, and do not open attachments. These social engineering techniques are known as Phishing attacks.
Are you receiving phone calls asking for information? Spoofing Caller ID is easy; do not rely on Caller ID alone to identify the caller. Be especially vigilant with odd requests such as sending money, or a caller suggesting that you open a web page. These social engineering techniques are known as Vishing attacks.
Did you receive a USB memory stick in the mail or find one while shopping? “Free Gift” from Best Buy or your favorite shopping site? “Proprietary Information” from your employer? Just toss it in the garbage. USBs can be used to spread viruses. If you do not know its origin, it is not worth risking a computer virus infection. These social engineering techniques are known as USB Drop attacks.
Know your computer (your systems)
Be aware when things are not working correctly, or seem particularly slow. Contact your manager or help desk if you notice anything that “doesn’t seem right”.
Keep your computers and phone software up to date. Install all security updates when they are available. Make sure your virus protector is on and updated.
Know your context (your surroundings, your work environment)
Just like in the real world, know your surroundings. Be aware of who is around. Be especially aware when discussing sensitive information. Our environments are rapidly changing, and our work lives and home lives are now more tightly integrated than just a few weeks ago. Know who is around when you are discussing sensitive information, whether it be financial information, patient data, or anything else that should be kept private.
Famous last words
Take care of yourself
Remember, security starts with you. Be aware, be conscious of your surroundings, and be knowledgeable about your rapidly changing work environment.
Fear, uncertainty, and doubt: Three powerful influencers especially at times like today when our physical health is threatened. Let’s be careful out there.
Tell me more! What are your safety tips? How can we all be safe out there?
Have you received a threatening call from the government? The urgent message will demand that you pay an immediate fine or tax or penalty; or else face imminent arrest by the IRS, or revocation of your medical credentials, or something even worse.
These calls are known as “vishing” campaigns in the espionage and social engineering subculture. Vishing is a social engineering technique very similar to the familiar email “phish”. However, instead of the now familiar email phish, vish rely on voice calls and voicemails.
As with phishing emails, vishing voice calls take many forms. In all the forms, you will receive a time-sensitive message alerting you to impending doom. Let’s take a look at a few common vish campaigns.
1. Jail threats with the DEA or IRS
A popular vish is the Drug Enforcement Administration (DEA), calling to explain that there has been suspicious drug prescription activity or some other anomaly associated with your medical license. If you deny having any association with the fraud, the caller may demand to validate that you are actually you. They’ll need you to provide your medical license number, maybe your home address and a credit card with your name on it. Or they may demand that you pay a fine or face revocation of your license. If you don’t pay, the caller will have to immediately notify the hospitals where you have privileges. Of course, the fine can be paid by way of Western Union or MoneyGram.
Another vish is the Internal Revenue Service (IRS), calling about delinquent tax liens. In this scenario, the caller may claim to be at your address waiting for you, but of course you are at work or at another location. They may have your home address, and the caller ID will normally be spoofed to be a real government agency such as a local police station. In this scenario, the caller will give you the option of either paying the debt or being arrested. The caller may demand that you call an “agent” at another phone number to make arrangements for payment.
2. Bank, telephone, or company
Banks and other companies are also popular vish. The caller ID may actually show your bank’s number (do not believe the caller ID!). The scheme may describe how there has been suspicious activity on your account, or maybe even an upgraded card that is now available to you. The caller may have the last four digits of your account number (fairly easy to find since it is on nearly every receipt). To prove that you have the card in your hand, the caller will ask you to verify the remaining digits, or to verify your billing address, or provide the three-digit code on the back of the card. In general, just say no. If you believe the call is actually from your bank, then call the bank back on the number on the back of your card.
3. Hospital or school emergency
Another vish is the emergency call from a hospital or school. Your child, mother, or spouse has been involved in an accident, and the caller needs your permission to treat your loved one. In order to verify your identity over the phone, they’ll need some form of personal identification such as your birthdate, or your social security number, or a bank card number.
B. Vishing: Don’t be a victim
Vish are ever evolving. There is no way to know what tomorrow’s vish will be. That said, here are a few tips to help you avoid being a victim.
1. Be suspicious!
Avoid responding to phone calls unless you know the caller and understand the implications. Research the caller’s identity. If you call the caller back, avoid using the contact information provided by the caller. Instead, use a known valid number if at all possible, such as the number on your bankcard, or a known contact number for the government agency from which the caller is claiming association.
Do not go to websites the caller provides since the website may be infected with malware. Instead, go to the official websites that you know are valid and use the official phone numbers available to you.
2. Keep secrets secret!
Often the vish is used to get “just a little more” information about you for an even bigger fraud like identity theft or creating credit cards in your name. Therefore, avoid confirming or providing personal information to the caller. Sensitive information like account numbers, Social Security Number, addresses, passwords, birthdates, and even mother’s maiden name can be used against you.
3. Maintain your personal, financial, and professional contacts!
Update your mailing addresses, phone numbers, and email addresses with important organizations. Notify your employers, banks, and legal institutions when personal contact information changes.
4. If you think you are a victim?
Report the situation to affected parties. Contact your leader if you have been vished at work or if the vish regards a work related context such as your medical license. Contact your bank if your financial accounts are compromised. Change all passwords for accounts that are compromised. Watch for signs of identity theft. Consider reporting the phone call to the police if you feel physically threatened.
5. Most of all, be alert!
Social engineering attacks take many forms, and not all forms are easy to spot. Technology safeguards alone cannot protect you. You must be able to outsmart “the bad guy”. Look for signs of trouble, question everything, and ask probing questions instead of answering them.
Remember, security starts with you.
C. The Trojan horse
Sometimes all that glitters is not gold. A little cuddly teddy bear might be vicious ransomware instead
Social Engineering is a confidence fraud and takes many forms. A classic social engineering swindle happened during the Trojan War. As the story goes, after ten years in an exhausting and unsuccessful siege against Troy, the Greek army packed their bags and set sail leaving an enormous wooden horse to the Trojans – a gift seemingly to say, “We lose, you win”.
The Trojans wheeled their new bounty into the gates and celebrated their victory with food, drink, and glad hearts! Only, this horse was not a gift. Greek warriors filled the horse, warriors who waited patiently until the Trojans fell asleep. The warriors then violently took over the city.
Today, Trojan software is a particular class of malware that tricks users by appearing to perform legitimate operations while actually doing something nefarious. In the world of vishing, the Trojan caller is the caller masquerading their identity as the bank, IRS, or hospital; when in fact, the caller is really part of a scam. Note to self: Do not fall prey to the deceptive Trojan horse!
In today’s world of privacy, with regulations surrounding PHI/HIPAA, PCI, and SOX, you may be surprised to know that your company is required to keep records of your using their computers — everything you do on their computers. For example, your company likely monitors and records Internet access from any of their computers when you are shopping online, when you are browsing for training videos or research articles, when you are accessing personal Gmail or Yahoo accounts, and even when you are accessing your child’s school website or sending what you believed to be “personal” notes to family and friends.
Okay, so what? You are thinking, you aren’t doing anything “wrong”, so what, who cares, you are only using the computer during lunch or after the end of the day. You might think that, but you really should rethink that. Sure, those records are available to management, and you don’t care.
Stalker much?
But here’s the issue. Your records are also available to lawyers and the courts during discovery (going through a divorce?), your records are available to hackers who breach your company’s assets, and most nefariously your very personal records are also available to rogue coworkers who want to “know more about you”. Stalker much?
How can you keep private matters private? Here are a few “privacy safe” ideas!
Personal contact information
Use personal contact information for personal business. Do not use your employer’s email account. Use your personal email, your personal cell phone, and your personal physical mail address. When in doubt? Use your personal contact information.
Personal internet
When you need to access the internet or your emails, use your personal cell phone or wait until you can get to your home computer instead of using your employer’s computers.
Personal devices
Integrating your cell phone with your business? Be careful! Many times, your company has the ability to “observe” your personal data on your personal phone. Why? To catch what is called “data loss”, such as when an employee inadvertently downloads sensitive information to their phone. How to avoid this snafu? Just use a second phone. Simply, either (1) add a phone to your existing cell phone account, or (2) use an old phone and attach via WiFi hotspot to your primary phone. Best advice is to keep business and personal information separated.
Your website is a huge part of your identity. When it comes to protecting your identity, is there ever enough security? Well, it depends.
This article is going to explain how to add a host hardening layer of protection by password protecting the WordPress login script, the “wp-login.php” file — all for free.
To better understand the task at hand, “wp-login.php” is a special login script associated with logging into WordPress. A brute force “password knowledge” attack is going to start by navigating to “www.yourdomain.com/wp-login.php”. Once there, the attacker will have the option of logging directly into your WordPress host.
As with any lock, the goal here is to make it just a little more difficult for the attacker. In this case, we’ll password protect the WordPress php login script itself. In this way, the attacker will have to circumvent the file system’s password protection before even being presented the opportunity of circumventing wp-login. It is just yet another step to reduce the number of driveby attacks.
Here are the steps to wrapping wp-login.php with file system protection:
1. Update .htpasswd file
The .htpasswd file is the password repository. For those familiar with Unix based systems, it is similar in structure to the old school /etc/passwd file, with each line affiliated with a single user. Here’s the process to create or update the .htpasswd file.
a. Identify base location for .htpasswd file
This is a rather simple but vital step. You can use a tool to identify the .htaccess base location. Place the following code in a php file (such as “path.php“) in the directory structure wherever .htaccess should be placed.
<?php
$dir = dirname(__FILE__); # NOTE double underscores on either side of FILE
echo "<p>Path to this directory: " . $dir . "</p>";
echo "<p>Path to .htpasswd file: " . $dir . "/.htpasswd" . "</p>";
?>
Then execute the php code from a web browser like Chrome:
https://www.<sitename>.com/path.php
The output will resemble
Path to this directory: /home/<sitename>/public_html
Path to .htpasswd file: /home/<sitename>/public_html/.htpasswd
b. Create .htpasswd file
There are many options available on the internet or even downloadable applications. You might need to google “htpasswd generator”. Here is one option: http://www.htaccesstools.com/htpasswd-generator/
Create at least one username and password pair. I’ve used “special-username” as my login name. The file is going to look something like this:
Computer security incidents happen. Why? Because computer defense is reactive. Regardless of the expansive and proactive nature of any particular defensive team, the Computer Network Defense (CND) job must include Computer Security Incident Response.
A properly running CND team includes a Red Team subgroup of Attack and Exploitation experts. The Red Team actively looks for vulnerabilities in your network. However, that subgroup is dwarfed by the number of active attackers in the world.
So what should a CND team do? The team should prepare for incident handling and response. As it turns out, when it comes to incident handling and response, prior planning provides utmost performance.
In the beginning was ARPA. And the Internet was with ARPA. And the Internet was ARPA.
History of the Internet
The Advanced Research Projects Agency (ARPA, later known as DARPA) network was established in 1969. ARPANET was developed with guaranteed delivery, high availability, multi connection, and multi path in mind. ARPANET was the precursor of what we now know as the Internet.
Internet expansion to universities
In the early and mid 1980s, NSF (the National Science Foundation) established a network of supercomputers at colleges and universities around the United States. NSFNET brought DARPANET to a more general and wide reaching audience, expanding the usefulness of the connected network to sharing tens of thousands of very high cost computer assets.
Robert Morris worm
In 1988, a young Cornell student named Robert Morris created an application intended to search the interconnected network for all computer assets, and report back what it could find out about each of the end nodes. The intent was to gauge the size of the “internet” by replicating the application to each of a particular computer’s peers using a sequence of weak passwords and services available universally known at the time. The application then called back to a central server to identify “node alive” status.
Pixabay nasty computer worm!
Unfortunately, Morris poorly crafted his application. Instead of replicating on peers forward, the application replicated on every peer of every site repeatedly. That is, if two peers were available to a particular node, each of those nodes would be infected by the originating source. What happened instead was that the targets infected their peers, and also reinfected the source node. Eventually every interconnected node reinfected to full saturation and was no longer able to respond resulting in a Denial of Service.
Even worse, when a network engineer or systems administrator rebooted the machine to regain access, the nearby computers would quickly reinfect the machine. Recovery was not a simple task, and the Internet came to a screaming halt.
Morris made international history by this simple coding mistake. The infectious application became known as the Morris Worm.
Computer Emergency Response Team
At the time, DARPA and the Defense Department were positioning the Internet to provide a guaranteed delivery, always available information network. The Morris Worm realize the vulnerability of the Internet, and DARPA’s response was to create the Computer Emergency Response Team (now known as CERT[tm]) hosted under the Software Engineering Institute (SEI) at Carnegie Mellon University. The charter for CERT was to be a coordination center for computer network operations defenders in the United States and around the world.
2. NIST incident handling guide
NIST’s Computer Security Incident Handling Guide (NIST Special Publication 800-61r2) is an excellent source of how to organize and design a Computer Security Incident Response Capability. Realize, it will take some time to digest the entire document. You’ll have to forget some ideas you’ve likely held on to, and learn new techniques that have been proven in the art of incident response.
But why would you want to rewicker your incident handling policies, plans, and procedures? This is a costly endeavor, no? Well, yes, it is. But it is going to help your organization prepare for incident response, will help in the process of incident response and recovery, and may even help in preventing an incident in the first place.
If your management is resistant to reviewing the policies, plans, and procedures in place, you might want to help them reconsider their position. If you happen to work in an industry or at a company who is responsible to external validation, or maintaining information that requires response to incidents (read this: just about everyone, including those who handle SOX, PHI, PII, PCI, and nearly any other data), you might want to make sure your policies, plans, and procedures follow NIST or some other industry accepted guidance platform, even if not strictly required. When you are breached (and it is a when, not an if), your adherence to NIST or other standard is likely to go a very long way in reducing your fines.
3. Reviewing the NIST guide
The NIST Computer Security Incident Handling Guide SP800-61r2 is a comprehensive industry accepted incident handling guide. The following sections take abstracted quotes from the NIST guide.
Executive summary
Computer security incident response has become an important component of information technology (IT) programs. Cybersecurity-related attacks have become not only more numerous and diverse but also more damaging and disruptive. New types of security-related incidents emerge frequently. Preventive activities based on the results of risk assessments can lower the number of incidents, but not all incidents can be prevented. An incident response capability is therefore necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring IT services. To that end, this publication provides guidelines for incident handling, particularly for analyzing incidentrelated data and determining the appropriate response to each incident. The guidelines can be followed independently of particular hardware platforms, operating systems, protocols, or applications.
Establishing an incident response capability should include the following actions:
Organizations must create, provision, and operate a formal incident response capability. Federal law requires Federal agencies to report incidents to the United States Computer Emergency Readiness Team (US-CERT) office within the Department of Homeland Security (DHS).
Organizations should reduce the frequency of incidents by effectively securing networks, systems, and applications
Organizations should document their guidelines for interactions with other organizations regarding incidents
Organizations should be generally prepared to handle any incident but should focus on being prepared to handle incidents that use common attack vectors
External/Removable Media: An attack executed from removable media (e.g., flash drive, CD) or a peripheral device.
Attrition: An attack that employs brute force methods to compromise, degrade, or destroy systems, networks, or services.
Web: An attack executed from a website or web-based application.
Email: An attack executed via an email message or attachment.
Improper Usage: Any incident resulting from violation of an organization’s acceptable usage policies by an authorized user, excluding the above categories.
Loss or Theft of Equipment: The loss or theft of a computing device or media used by the organization, such as a laptop or smartphone.
Other: An attack that does not fit into any of the other categories.
Organizations should emphasize the importance of incident detection and analysis throughout the organization
Organizations should create written guidelines for prioritizing incidents
Organizations should use the lessons learned process to gain value from incidents
Chapter 1: Introduction
This document has been created for computer security incident response teams (CSIRTs), system and network administrators, security staff, technical support staff, chief information security officers (CISOs), chief information officers (CIOs), computer security program managers, and others who are responsible for preparing for, or responding to, security incidents.
1.1 Authority
1.2 Purpose and Scope
1.3 Audience
1.4 Document Structure
Chapter 2: Organizing a Computer Security Incident Response Capability
Organizing an effective computer security incident response capability (CSIRC) involves several major decisions and actions. One of the first considerations should be to create an organization-specific definition of the term “incident” so that the scope of the term is clear. The organization should decide what services the incident response team should provide, consider which team structures and models can provide those services, and select and implement one or more incident response teams. Incident response plan, policy, and procedure creation is an important part of establishing a team, so that incident response is performed effectively, efficiently, and consistently, and so that the team is empowered to do what needs to be done. The plan, policies, and procedures should reflect the team’s interactions with other teams within the organization as well as with outside parties, such as law enforcement, the media, and other incident response organizations. This section provides not only guidelines that should be helpful to organizations that are establishing incident response capabilities, but also advice on maintaining and enhancing existing capabilities.
2.1 Events and Incidents
2.2 Need for Incident Response
2.3 Incident Response Policy, Plan, and Procedure Creation
2.4 Incident Response Team Structure
2.5 Incident Response Team Services
2.6 Recommendations
Chapter 3: Handling an Incident
The incident response process has several phases. The initial phase involves establishing and training an incident response team, and acquiring the necessary tools and resources. During preparation, the organization also attempts to limit the number of incidents that will occur by selecting and implementing a set of controls based on the results of risk assessments. However, residual risk will inevitably persist after controls are implemented. Detection of security breaches is thus necessary to alert the organization whenever incidents occur. In keeping with the severity of the incident, the organization can mitigate the impact of the incident by containing it and ultimately recovering from it. During this phase, activity often cycles back to detection and analysis—for example, to see if additional hosts are infected by malware while eradicating a malware incident. After the incident is adequately handled, the organization issues a report that details the cause and cost of the incident and the steps the organization should take to prevent future incidents. This section describes the major phases of the incident response process—preparation, detection and analysis, containment, eradication and recovery, and post-incident activity—in detail. Figure 3-1 illustrates the incident response life cycle.
3.1 Preparation
3.2 Detection and Analysis
3.3 Containment, Eradication, and Recovery
3.4 Post-Incident Activity
3.5 Incident Handling Checklist
Chapter 4: Coordination and Information Sharing
The nature of contemporary threats and attacks makes it more important than ever for organizations to work together during incident response. Organizations should ensure that they effectively coordinate portions of their incident response activities with appropriate partners. The most important aspect of incident response coordination is information sharing, where different organizations share threat, attack, and vulnerability information with each other so that each organization’s knowledge benefits the other. Incident information sharing is frequently mutually beneficial because the same threats and attacks often affect multiple organizations simultaneously.
As mentioned in Section 2, coordinating and sharing information with partner organizations can strengthen the organization’s ability to effectively respond to IT incidents. For example, if an organization identifies some behavior on its network that seems suspicious and sends information about the event to a set of trusted partners, someone else in that network may have already seen similar behavior and be able to respond with additional details about the suspicious activity, including signatures, other indicators to look for, or suggested remediation actions. Collaboration with the trusted partner can enable an organization to respond to the incident more quickly and efficiently than an organization operating in isolation.
This increase in efficiency for standard incident response techniques is not the only incentive for crossorganization coordination and information sharing. Another incentive for information sharing is the ability to respond to incidents using techniques that may not be available to a single organization, especially if that organization is small to medium size. For example, a small organization that identifies a particularly complex instance of malware on its network may not have the in-house resources to fully analyze the malware and determine its effect on the system. In this case, the organization may be able to leverage a trusted information sharing network to effectively outsource the analysis of this malware to third party resources that have the adequate technical capabilities to perform the malware analysis.
This section of the document highlights coordination and information sharing. Section 4.1 presents an overview of incident response coordination and focuses on the need for cross-organization coordination to supplement organization incident response processes. Section 4.2 discusses techniques for information sharing across organizations, and Section 4.3 examines how to restrict what information is shared or not shared with other organizations.
4.1 Coordination
4.2 Information Sharing Techniques
4.3 Granular Information Sharing
4.4 Recommendations
Appendix A: Incident Handling Scenarios
Incident handling scenarios provide an inexpensive and effective way to build incident response skills and identify potential issues with incident response processes. The incident response team or team members are presented with a scenario and a list of related questions. The team then discusses each question and determines the most likely answer. The goal is to determine what the team would really do and to compare that with policies, procedures, and generally recommended practices to identify discrepancies or deficiencies. For example, the answer to one question may indicate that the response would be delayed because the team lacks a piece of software or because another team does not provide off-hours support.
The questions listed below are applicable to almost any scenario. Each question is followed by a reference to the related section(s) of the document. After the questions are scenarios, each of which is followed by additional incident-specific questions. Organizations are strongly encouraged to adapt these questions and scenarios for use in their own incident response exercises.
A.1 Scenario Questions
A.2 Scenarios
Appendix B: Incident-Related Data Elements
Organizations should identify a standard set of incident-related data elements to be collected for each incident. This effort will not only facilitate more effective and consistent incident handling, but also assist the organization in meeting applicable incident reporting requirements. The organization should designate a set of basic elements (e.g., incident reporter’s name, phone number, and location) to be collected when the incident is reported and an additional set of elements to be collected by the incident handlers during their response. The two sets of elements would be the basis for the incident reporting database, previously discussed in Section 3.2.5. The lists below provide suggestions of what information to collect for incidents and are not intended to be comprehensive. Each organization should create its own list of elements based on several factors, including its incident response team model and structure and its definition of the term “incident.”
B.1 Basic Data Elements
B.2 Incident Handler Data Elements
Appendix G: Crisis Handling Steps
This is a list of the major steps that should be performed when a technical professional believes that a serious incident has occurred and the organization does not have an incident response capability available. This serves as a basic reference of what to do for someone who is faced with a crisis and does not have time to read through this entire document.
1. Document everything. This effort includes every action that is performed, every piece of evidence, and every conversation with users, system owners, and others regarding the incident.
2. Find a coworker who can provide assistance. Handling the incident will be much easier if two or more people work together. For example, one person can perform actions while the other documents them.
3. Analyze the evidence to confirm that an incident has occurred. Perform additional research as necessary (e.g., Internet search engines, software documentation) to better understand the evidence. Reach out to other technical professionals within the organization for additional help.
4. Notify the appropriate people within the organization. This should include the chief information officer (CIO), the head of information security, and the local security manager. Use discretion when discussing details of an incident with others; tell only the people who need to know and use communication mechanisms that are reasonably secure. (If the attacker has compromised email services, do not send emails about the incident.)
5. Notify US-CERT and/or other external organizations for assistance in dealing with the incident.
6. Stop the incident if it is still in progress. The most common way to do this is to disconnect affected systems from the network. In some cases, firewall and router configurations may need to be modified to stop network traffic that is part of an incident, such as a denial of service (DoS) attack.
7. Preserve evidence from the incident. Make backups (preferably disk image backups, not file system backups) of affected systems. Make copies of log files that contain evidence related to the incident.
8. Wipe out all effects of the incident. This effort includes malware infections, inappropriate materials (e.g., pirated software), Trojan horse files, and any other changes made to systems by incidents. If a system has been fully compromised, rebuild it from scratch or restore it from a known good backup.
9. Identify and mitigate all vulnerabilities that were exploited. The incident may have occurred by taking advantage of vulnerabilities in operating systems or applications. It is critical to identify such vulnerabilities and eliminate or otherwise mitigate them so that the incident does not recur.
10. Confirm that operations have been restored to normal. Make sure that data, applications, and other services affected by the incident have been returned to normal operations.
11. Create a final report. This report should detail the incident handling process. It also should provide an executive summary of what happened and how a formal incident response capability would have helped to handle the situation, mitigate the risk, and limit the damage more quickly
No matter where you live, you’ve probably heard about the many breaches of data that have occurred over the last few years. It is even worse than what you read: identity theft is on the rise. Just to name a few (and no, I’m not singling out any particular companies):
Phishing is a real problem, and that problem is only increasing in frequency.
Phish attacks come in many different forms. Everyone is affected by phishing. Whether it be that a credit card number is stolen from your family member, or your friend gets their Facebook account hijacked, or you have your company web site blacklisted for SPAM, we are all affected by phishing attacks. Some of those attacks are worse than others.
Exploitation is an attack on a computer system, especially one that takes advantage of a particular vulnerability that the system offers to intruders
Social engineering is a confidence trick, an attack vector that relies on human interaction to take advantage of tricking people into doing something that is likely not in their best interest
Social Engineering is an attempt to take advantage of the vulnerability called the Human OS
Phishing is the attempt to take advantage of social and emotional constructs to obtain sensitive information by disguising as a trustworthy entity in an electronic communication
Comparison to SPAM
SPAM are unsolicited or unwanted emails, often related to product endorsement
Unsolicited mail predates computers; SPAM is electronic unsolicited mail
Phish are pretextual lies intended to dupe the victim into providing something private or valuable, or inadvertently providing command and control access to a computer
Pretexting predates computers; a pretext is something that is put forward to conceal a true purpose
Information Warfare (hackers) v the Software Developer
I hear you fancy yourself a software developer? Great! Me too. But what is your take on hackers and the craft of cyber warfare? Do you think you write hack safe code? Fact is, people are out there that want to
Cyber crime hacks
Remotely control systems that you control,
Exfiltrate your data, and
Otherwise compromise the integrity of your technology.
What they want to to is all fine and dandy, but surely this can’t happen to my code, right? Well, wrong.
If you are writing router software or Operating System software, you know the importance of creating safe, secure code. But how about a game programmer? Is it really necessary to put the extra effort in to make your code safe? You bet it is.
Maybe your code is just the way the hacker gets on the system, looking for more gold at the end of the tunnel. We’ll talk more about this and examine even more questions you may have about hackers and protecting your code and your customers in this paper. Remember, the best security is built into the system, not bolted onto the system.
Safe coding practices & Development rules of thumb
Complexity is the enemy of security
Keep your code as simple as possible
Avoid obscure code and undefined behavior
Use minimal privileges for deployed applications
Don’t require user to have root priv if not strictly required
Catch all bugs and questionable results
Your software needs to catch anomalies
Test & apply tools early and often
Protect at the unit level, plus protect again anywhere you like (like in the client side browser), but keep the unit level protections (e.g., don’t trust the user!)
Never trust the client nor user
nor network nor file system nor DLLs nor cookies nor anything else that is not part of your executable, and sometimes not even that (hacker could nop the authentication routine)
This includes both inputs and outputs
Perform sanity checks on server side, not client
Don’t volunteer too much information
Expect adversity, even if your program is simple
Your program may simply be the vector into the intended system
Happy reading! And remember, let’s be safe out there… you are part of the cyberwar.
Content Filtering companies have gained quite a bit of traction in the Computer Network Defense (CND) industry. The goal of content filtering is to attempt to stem the carnage that malicious sites can wreak on unsuspecting individuals and companies by blocking access to malware and other forms of ransomware.
The filtering engines work by way of proxying requests between the end user and the destination site. They are performing a “man in the middle” attack between the user and the destination by a number of different ways such as DNS cache poisoning (Cisco’s Umbrella), and content interception (Symantec’s Bluecoat). Filtering engines use a combination of human control and machine learning to differentiate safe sites from malicious sites. Even more than static understanding of sites, filtering engines can identify when a safe site is hijacked and will block traffic when that known safe site is compromised.
Identifying safe sites is not precise nor exact — the task is all a best effort. The beginning of the best effort is listing your site in the filtering engines. If you don’t have your site listed as “safe” by the content filter company, you will likely be blocked!
“You don’t know me, but I know your password. Let me get right to the point. I have access to your computer. I recorded you through your camera. You can pay me in bitcoin and I will disappear. If you don’t pay me I will send the video to everyone on your distribution list.”
Popular online scam
Have you ever received a threatening email by an unknown assailant who claims they have access to your accounts and have collected damaging information about you? Well sure, the email might be just a scare email with no real “meat” to it, or… it could be a bit more insidious. How can you know for sure whether this hacker really has control of your computer, or really recorded a video of you?
Hackers have a few things in their favor when it comes to getting into your network and stealing data. One of those things is the elusive zero day. When it comes to hacking, a zero day is an “exploitation against a publicly unknown vulnerability”. But hackers don’t need a zero day. They only need a “zero to me day”. What does that even mean?
Putting your computer in chains is one way of hardening the system
Computer Security. Kind of scary, actually. With the likes of Target going down to hackers in late 2013, and a large attack on Home Depot in 2014, what can the rest of us do? If Home Depot can be compromised, how can I protect myself?
The bad news — you are a target. Why though? Well, let’s consider:
Do you have any financial data on your computer? You are a target.
Does your company operate a health care agency with HIPAA/HITECH protected data? You are a target.
Do you have a point of sale system where you perform credit card transactions? You are a target.
Are you attached to the Internet? You are a target. What? That is crazy sounding. Why am I a target just because I am using the Internet? Because a hacker can use your computer as a relay to attack other computers!
At this point you are likely thinking, oh great, thanks for making my day. But remember, we are trying to make your computers safer. Before we get into that though, let’s take a look at how malware gets on your computer in the first place.
You may think, hey, the only way malware can get on my system is through the network. A firewall is sufficient to protect against those blasted attacks!
Hey look! I have a new email! But… is that email a virus?
Unfortunately, not all malware infects systems the same way. Certainly, network attacks are one attack vector, but there are others.
There are email attack vectors, mp3 attack vectors, html attacks, mpeg attacks, apk attacks, over privilege attacks, Excel attacks, Word attacks, PDF attacks, and in fact the list never ends. An attack is possible anytime there is an interface to a computer. Sure an mp3 attack may come through a network or USB, but it isn’t a network attack. It is an attack on the software that is rendering the mp3. Exploring attack surfaces is well beyond the purpose of this paper, and will not be fully discovered in this paper.
Pixabay – Laugh is on them! But wait, not exactly. Don’t think that your data is safe, and neither think that your data is not worth stealing
One thing to note though. You might think hey, I don’t really care if someone exploits my mpeg player. That is a risk I’m willing to take! What are they going to get? A movie? The laugh’s on them!
Well… not exactly. The way system exploitation works is, exploit a low hanging fruit and get a shell on that system. Once an attacker has a root shell? Game over. He owns you. Even worse, he may own your network, depending on perimeter defenses that are in place. Think: defense in depth.
How to protect your computer
Alright already, we’ve covered enough. You may be thinking, this is way too much to pick up. You are right, it is! The short question is, what can you do to make your computer more safe? Let’s explore a few ways to help protect you from an attack.
1. Update your operating system software
Nothing lasts forever! It might be time to retire your system if you can no longer receive patches and updates
The first thing you should do is to make sure you are using a modern operating system if at all possible. Sure, sometimes this isn’t possible — for example, some programs, especially embedded programs, are still operating on XP. If that is the case for you, you’ll have to make other concessions to safeguard your systems, your networks, and your data.
You may be thinking is, why in the world should I pay to update my operating system? I paid for a version, it is working fine, so why should I update? Because hackers know that there is a delay between the time a patch comes out and the time it is fully adopted in the community. What happens when a patch comes out, especially a security patch, is that hackers are going to reverse engineer those updates to determine how an existing installation can be compromised. And compromise they will.
Again, if at all possible, upgrade your operating system to a modern x64 bit solution and keep that operating system patched. Are you using an outdated version of Windows and don’t wish to pay for an operating system? Then use a free operating system such as Ubuntu or one of the other Linux platforms. If that is not possible, then realize you are providing a fluid and rich attack surface and do what you can to protect perimeter systems.
2. Update your application software
Is your application software end of life? Might be time to find a new software solution!
Are you still using a x16 or x32 bit application? Do what you can to upgrade that application.
In the same way as outdated operating system software present security vulnerabilities, outdated user applications present security vulnerabilities in a very bad way. Each time an application is updated, hackers are very likely to review the updates to identify vulnerabilities in the existing installed user base.
Freeware software
Do you use an outdated version of Firefox? Or an outdated Adobe reader? My suggestion is: Don’t. But how about if our company forces you to use an outdated version of one of these applications? Yes, that can be an issue. You can only do so much especially if these decisions are above your pay grade. If you are forced to use outdated software, realize that those are reasonable attack vectors. Being aware is the first step to security.
Paid commercial software
But what about paid applications, you might ask? You paid nearly $5000 for your AutoCAD solution and more than a thousand for Adobe, is paying for an updated version really necessary? The answer is yes. You happen to be using a coveted piece of software. If you spent thousands for AutoCAD, it is likely that you have drawings and blueprints that are worth thousands more. Someone could use those drawings, especially if they can freely exfiltrate them from your computer.
How about layered applications like Internet Information Services, or IIS, used to serve web pages to the world? Well, you picked up on an easy target! IIS is a common attack vector, in part because it is easy to thumbprint the version that is being used on a network. Once an attacker identifies that an old version of IIS is being used, the attacker only needs to find a known vulnerability with that particular version of IIS to compromise the server.
Keeping your application software updated will go far in protecting your systems. Will it cost money? Yes, it likely will cost. I am a big proponent for open source software and the Free Software Foundation, so I’m not supporting the idea of having to spend money on new software. If you can find an equivalent open source software package that can do an equally good job for you, I’d suggest migrating to that open source software. Otherwise, yes, you’ll have to pay for that update.
Software updates or compensating controls
If an application cannot be updated, do what you can to find a different and more modern application to use in its place, or add some other compensating controls to the software deployment
3. Use a virus protector
A lot of people are going to discount virus protection as part of the solution. Why? Because virus protectors provide a false sense of security. Virus protectors only protect against “known” viruses.
This is true. Virus protectors do provide a false sense of security. That said, virus protectors do provide protection against known viruses, so why not use one?
There are several free solutions, one of which is Windows Defender.
4. Download only from known good sites
This is a really important artifact. Download only from known good sites.
For example, are you looking for an HP printer driver? Then go to the HP web site for the download. Do what you can to avoid “third party” driver sites.
Are you looking for a game or a program? Download from downloads.com / cnet.com, or from another known good source. There are web sites that are devoted to providing you excellent software — with associated trojan or other form of malware attached.
Are you looking for a free Hollywood movie or free APK sideload of the latest Android software through The Pirate Bay? Then be aware that the free download may also have a free Trojan attached. How will you know whether that illegal download is malware? You likely won’t know, even if you run it through the Cuckoo Sandbox automated malware analysis software.
5. Behavior modification
Don’t be Pavlov’s dog! If your behavior is “security unsavory”, then it is time to change your behavior
Wait a second, behavior modification? I’m not looking for a psychologist! I don’t want to be Pavlov’s Dog! Well, that is not exactly what I mean by behavior modification.
Be careful about downloading software that you are not absolutely sure about. Downloading it to your primary computer, especially if you use that computer for financial transactions, is doubly dangerous. Set up a second computer or a Virtual Machine where you can run any questionable programs,. If those programs perform unexpected actions your financial records will not be compromised.
You know those sweet popups that promise the first thousand who click on the banner will win a free iPad? Yeah, you aren’t going to get a free iPad. What you will get is infected. Don’t click that ad. Sadly, that the ad even popped up may be very bad news, you may already be infected.
6. Use reasonable passwords
It might be better said as: Don’t use unreasonable passwords.
Protect your passwords! Writing them down in a conspicuous place is not suffiicent
What does this warning mean anyway? One of the ways a hacker attempts to gain access to a system is through password cracking. Password cracking is a method to gain access to a system by way of basically “guessing” the password. A trained hacker will use one of the many password cracking software suites.
Is it reasonable to use abc123 or 1234 for a password? Probably not. Is it reasonable to use a single dictionary word? Probably not. Once a hacker has identified a username these types of passwords are very quickly guessed.
So what are more reasonable passwords? Throw in a few upper case letters and maybe symbols. For example, @bC123* is going to be a much less likely guess compared to abc123, and a long passphrase like Mygr3atsecretpa$$w0rd is better still.
7. Periodic scans
Another great safeguard is to run periodic full scans of your system. Run Microsoft Defender/Security Essentials full scans, but also run other scans such as the free Trend Micro Housecall.
8. (Advanced) Use a two way firewall
This might not at first sound reasonable. Why would I need a two way firewall? Because if a Trojan or other rogue executable finds its way on your computer, a bidirectional firewall will be able to alert you that the software is trying to communicate.
A great free solution is ZoneAlarm Free Firewall.
The five word solution!
With regard to computer security and systems hardening, there is no easy answer
So what is the solution to keep me and my data safe from attackers? The answer is: There Is No Easy Answer. There are things you can do to make yourself more protected, and there are things to avoid that would make you less protected. Some of them have been covered in this paper.
The best advice available is: Be aware. Your data and your systems are costly, and compromises to your systems can be even more costly.
If you need personal advice on how to protect your data and your systems, feel free to contact me.
