
34 Posts tagged with the security-strategy tag

As a follow-up to our webinar on Defense in Depth – Embracing the Attacker Mindset, I’d like to post my slide notes for the first section after Wade’s intro. I apologize again for the audio issues. We did an hour of sound check beforehand, but of course the signal interference gremlins waited until the curtain went up. We’ve nailed down what caused it, and it won’t be an issue for any future webinars in this series. Thank you for sticking with us, and as promised, here’s the full transcript of the first third:

 

 

Defining Defense and Depth

So if we’re going to build a defense in depth architecture we need to get an idea of what we mean by defense, what depth is, and what it isn’t.

 

As Wade and I were building this webinar, he brought up a concept that nailed down the crux of what we’re trying to do: raise the walls high enough that the unmotivated threat finds an easier target, and raise the visibility enough to catch the motivated threat as they attempt to scale the walls.

 

Regarding depth, there are times when we see an organization has purchased all of the security products from a single vendor, and all of those products run on the same underlying architecture. When a vulnerability is exposed for that architecture, it may be possible for an attacker to pierce all of the layers of that defense using the same or very similar techniques. You need to be careful what you buy and from whom; you want variation so that your layers aren’t lined up perfectly for an attacker.

 

Defense in depth aims to place varied structures and processes throughout the environment to ensure the Confidentiality, Integrity, and Availability of your assets.

 

It’s widely believed that an attacker only needs to be right once, and a defender needs to be right all the time. With a proper defense in depth strategy, we force the attacker to be right a lot more of the time. The emphasis then is on detection and the speed of our response.

 


 

Defense Without Understanding

When they want to build good depth in their defense, a lot of organizations immediately look to what’s on the market. There are a lot of products branded “Next Generation” that purportedly aim to make your life easier, require less staff, pretty much everything you want to hear. A lot of them are expensive. I’ve used a few of them and they are great, but only if they fit your organization’s needs.

 

We see a lot of organizations go to purchase solutions without a map of their environment, or with many disparate maps. The departments doing the purchasing haven’t had in-depth conversations with each other, and there’s only a siloed understanding of what’s going on. And so partial knowledge builds partial solutions, and partial defense. Then you’ve got whack-a-mole. You need to look inside first, to get a clearer handle on those needs before you go to market.

 

Depth begins with in-depth conversations that span departments and functions, and with a comprehensive understanding that manifests in shared maps and documents spanning teams in IT and IS and outside of them.

 

In the coming months we’ll do a webinar to highlight the processes and common pitfalls of these in-depth exercises, and how you can get the most out of them to build your maps.

 

Exceeding Compliance

A lot of people look at defense in depth through the lens of regulatory compliance. Frameworks like PCI, Sarbanes-Oxley, ISO and HIPAA can help provide cues to necessary structures and processes. It’s important to realize that they are a minimum bar, not where security should end.

 

Organizations often buy to fulfil a specific compliance requirement, and the list of products they implement reads in order of the requirements. The policies do too. It ends up being 20 solutions when a more methodical approach would have revealed that 10 better-implemented products would have covered all of the requirements. These frameworks need to inform your decisions but not drive them.

 

Recently there was a great article by Christophe Veltsos on securityintelligence.com that quotes the Federal Trade Commission. Even the FTC admits that PCI isn’t the be all and end all of a reasonable security program. You need to plan on exceeding compliance.

 

 

It may seem ironic that a consultant is telling you this, but no one can do the first steps of this program better than you can. You know all the moving parts of your business better than anyone. And if you don’t, you should. You need to make a concerted effort to know the who/what/when/where/why/how of all of the information that is stored and transmitted.

 

If you buy and build before you develop that catalog of knowledge and map it out, you’ll likely end up with shelfware or at the very least unused features. Organizations that use 10% of the features of the software they buy are going to be constantly fighting budget battles and administrative staffing burden, and they can’t be nimble. Find something that fits you in features and functionality.

 

But sometimes you can’t. Sometimes the product just isn’t there, or the timing doesn’t support it. That’s life. What you can do is license appropriately and plan to rip and replace as you learn and as the product space matures. Build your processes around it but watch your dependencies so that you can move that solution out without drastically upsetting the others.

 

Your goal should be to understand every data flow from start to finish, and all the network objects that are transited, then buy tools that address the security needs in those flows and those structures.

 

 

Organizations often give compliance needs their primary focus, but you should make sure to focus on your needs as a business as well. The things that make your value proposition unique should be protected just as much if not more. What are your detection and response goals? What data flows are you prioritizing and why? What structures are you prioritizing and why?

 

While not a technical consideration, a lot of organizations simply don’t have budgets that line up to these requirements and priorities. Or if they have the budget today, they don’t have budgeting processes that adapt to changes in the security landscape. A case in point: Mobile device management with Bring Your Own Device wasn’t a thing just a few years ago, and now it’s a budget item for many organizations. If it takes a few years to alter your budget structures, you get caught flat-footed as far as exposure.

 

Likewise, how are you licensing products with a flexible security program in mind? Longer-term licensing helps keep costs down, but how do you exit from those agreements without incurring large penalties?

 

Lastly, when risk conversations happen at the upper levels of the organization, they rarely get communicated to the people who feel those risks. This can lead to some dangerous improvisation with budgeting and with solutions. Those on the front lines are seeing risks that aren’t acknowledged or addressed and they take a best guess at how to handle them. While that initiative is good, it often comes at the expense of other solutions or priorities.

 

When you evaluate the cost associated with losing a particular structure or data flow because it cannot be budgeted or prioritized, who’s aware of that decision? All parties don’t necessarily need to be part of the conversation and decision, but they absolutely need to know the approach.

 

Check out the recording of the webinar here for the rest.

While I was flipping through some news stories the other day, a small headline appeared that piqued my interest.

 

The headline reads: Former St. Louis Cardinals Exec Pleads Guilty To Cyber Espionage Charges

 

Cyber espionage… in baseball? That was too intriguing to pass up!

 

It essentially describes this: employees from one club, the St Louis Cardinals, left to join another club, the Houston Astros. During their previous tenure with the Cardinals, they had built databases of scouting and talent reports. When the employees joined the Astros, a very similar database got constructed.

 

The Cardinals were now concerned that their intellectual property had been misappropriated. So they took a list of “master passwords” that were in use at the time their databases were built, and used those, or variants of those, to break into the Astros databases.

 

The Department of Justice says that’s a violation of the Computer Fraud and Abuse Act. The news article also quotes an excerpt from the DOJ release:

 

In one instance, Correa was able to obtain an Astros employee’s password because that employee had previously been employed by the Cardinals. When he left the Cardinals organization, the employee had to turn over his Cardinals-owned laptop to Correa – along with the laptop’s password. Having that information, Correa was able to access the now-Astros employee’s Ground Control and e-mail accounts using a variation of the password he used while with the Cardinals.

 

There are a few things going on, as described in the release. Let’s examine them.

 

  1. The employee obviously reused passwords, or close variants, and in this case carried them over from one organization to another. This very common human practice leads us to believe that security awareness training was not conducted well or not enforced.
  2. From the descriptions, the databases were presumably web-enabled applications. It does not appear that proper account control, such as restricted logins, was in use.
  3. According to the DOJ release, at least four intrusions occurred before the Astros required all users to change their passwords to something more complex. Was monitoring being done, or was this a lucky break?
  4. However, when they reset the passwords, they emailed the default passwords out to the users, and those emails were intercepted because the email accounts were under the attacker’s control. This is a very common security gaffe made by operational teams.
  5. Several more intrusions happened before the intruder was finally caught and identified.

 

The intruder was finally charged with five counts of unauthorized access of a protected computer. Each conviction carries a maximum possible sentence of five years in federal prison and a possible $250,000 fine. Sentencing is set for April 11.

 

Espionage is not just a cloak and dagger drama played out by three letter agencies. It can happen in the unlikeliest of places, even baseball. It stands to reason that you and your organization are just as exposed.

 

The question then is: are you enabling corporate espionage by not having real, enforceable security controls for your organization?

 

To answer that question, you need to look at how you are managing security in your organization. Let’s just look at the points mentioned above.

 

Security Awareness

Security awareness training is an important but often overlooked and underfunded tool that builds good security behaviors into your organization.

 

Security awareness is recognized in several control frameworks as an essential element to your security program. NIST 800-53 (AT, SA & PM), HIPAA 164.308(a)(5), PCI 3.0 (12.6), ISO27000-2013 (A.7.2.2) and CIS Critical Control 17 all refer to security awareness training.

 

NIST 800-53 provides security awareness guidance in control AT-2. The control states that the organization provides basic security awareness training to information system users as part of initial training for new users, when required by information system changes, and on an organization-defined frequency thereafter.

 

The common mistake with frequency is that organizations choose annual or bi-annual timeframes. If you want a behavior to become habitual, you need to reinforce it as often as possible. Awareness education also needs to be fresh. You don’t have to spend a lot of money or resources on this. It can take the form of reminders, newsletters, or stories around the water cooler, like this one from current events, to help describe desired behaviors.

 

Account Monitoring and Control

Proper account monitoring and controls, especially for web-exposed applications, are extremely important, as attackers will frequently impersonate legitimate users. NIST 800-53 (AC), HIPAA 164.308 and 164.312, PCI 3.0 (7.1 – 7.3 and 8.7 – 8.8), ISO 27000-2013 (A.9.xx) and CIS Critical Control 16 all reference account monitoring and control.

 

The first step is to ensure that accounts which cannot be associated with a business process and owner are disabled. Then sweep all old accounts and remove them. Attackers will take advantage of dormant accounts to get into a network. All user accounts should have expirations.

 

Monitoring account activity is also required to spot suspicious activity. A SIEM can spot patterns of use that should trigger an alert (such as logging into a system after business hours), or flag a login from a restricted IP. As Yogi Berra once said, “you can observe a lot by watching.”
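The two SIEM patterns named above, after-hours logins and logins from outside the expected networks, as an added example that is not part of the original post. The log format, the business-hours window (07:00 to 19:00 local) and the allowed networks (RFC 1918 space plus one assumed office egress block) are assumptions; the log lines are constructed.

```python
"""Flag suspicious successful logins in constructed auth-log lines."""
import ipaddress
import re
from datetime import datetime

# Constructed sample log; not from any real system.
SAMPLE_LOG = """\
2016-01-14T09:12:03 LOGIN user=scout01 src=10.20.30.40 result=success
2016-01-14T02:47:51 LOGIN user=scout02 src=10.20.30.41 result=success
2016-01-14T11:05:17 LOGIN user=scout02 src=203.0.113.77 result=success
2016-01-14T23:59:02 LOGIN user=analyst7 src=198.51.100.9 result=success
2016-01-14T10:00:00 LOGIN user=scout03 src=10.20.30.42 result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

BUSINESS_HOURS = (7, 19)  # assumed: 07:00 inclusive to 19:00 exclusive

ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "198.51.100.0/24",  # assumed corporate office egress range (documentation prefix)
)]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    rec["src"] = ipaddress.ip_address(rec["src"])
    return rec


def after_hours(ts):
    """True when the timestamp falls outside the business-hours window."""
    start, end = BUSINESS_HOURS
    return not (start <= ts.hour < end)


def from_allowed_network(src):
    """True when the source address is inside one of the allowed networks."""
    return any(src in net for net in ALLOWED_NETWORKS)


def find_suspicious_logins(log_text):
    """Return (user, reason) tuples for successful logins matching a rule.

    Failed attempts are skipped here; they belong to lockout and
    brute-force rules, not to this impersonation check.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["result"] != "success":
            continue
        if after_hours(rec["ts"]):
            alerts.append((rec["user"], "after-hours"))
        if not from_allowed_network(rec["src"]):
            alerts.append((rec["user"], "source outside allowed networks"))
    return alerts


if __name__ == "__main__":
    for user, reason in find_suspicious_logins(SAMPLE_LOG):
        print(f"ALERT {user}: {reason}")
```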

 

Default Password Handling

From a process perspective, default passwords should never be emailed. All default passwords should require some form of authentication of the user. This could be a call into support, or a visit to the desk. Attackers can gain control of a user’s email account, and when passwords are set or reset, the attacker will have access to the account. Human-to-human interaction for default passwords, with a proper authentication step, is the safest way to distribute passwords.

 

The situation that happened to the Astros could have been prevented or discovered early, and the damage might have been reduced. Take a close look at your account control policies and practices, your web-enabled applications security, and your fraudulent activity monitoring. When was the last time these controls were validated? Do they even exist? As for user awareness, when was the last time they were told about bad passwords and the dangers of re-use? This baseball story is one you can use to illustrate why re-use behavior is bad.

 

I don’t always agree with the famous quote by Eldridge Cleaver, but in this case it’s very appropriate: “You are either part of the solution or part of the problem.”

 

And to quote the famous Yogi Berra, “It ain’t over ‘til it’s over!”

The Internet is full of articles on how to tell if an email is phishing, but there seems to be a lack of concise checklists on how to prepare an organization against phishing attacks, so here you go.

 

Because phishing attacks humans and systems alike, the defense should also cover both aspects. None of the following steps is bullet proof, so layering your defenses is important – and having an incident response plan in case someone does get through.

 

Here are my recommendations on how to defend against phishing attacks:

 

1. Filter emails for phishing threats

It’s important that you filter your emails for malicious URLs and attachments to prevent phishing emails making it to your users in the first place. Sandboxing can detect a lot of the malware in emails, but make sure that you have a follow up plan in place if you’re deploying this technology in detection rather than blocking mode – otherwise the malware is still live on your systems. Use security analytics to filter out malicious URLs. Rapid7 UserInsight uses threat feeds to detect known malicious URLs and security analytics to alert on unknown ones. It also integrates with sandboxing solutions, such as FireEye NX Series and PaloAlto WildFire, to enable quick and easy incident investigation of malware alerts.

 

2. Update client-side operating systems, software, and plug-ins

Some phishing emails include URLs that exploit vulnerabilities in browsers and their plug-ins, such as Flash and Java; others send file attachments that try to exploit applications like Adobe Acrobat or Microsoft Office. That’s why it’s important to patch vulnerabilities on your endpoints as well. Many organizations already have a vulnerability management program in place but only scan servers. Make sure you extend coverage to your endpoints and patch operating systems, software, and plug-ins. This protects you not only from phishing emails but also from drive-by attacks. Rapid7 Nexpose can help you manage vulnerabilities on your endpoints, and much more.

 

3. Harden Your Clients

Lock down your clients as much as possible. This includes things like not making your users local administrators and deploying mitigation tools like Microsoft EMET (check out this Whiteboard Wednesday on EMET on how to deploy this free tool). Rapid7 Nexpose Ultimate includes Controls Effectiveness Testing, which helps you scan your clients and guides you through the steps to harden them against phishing and other attacks.

 

4. Block Internet-bound SMB and Kerberos traffic

One of our penetration testing team’s favorites is the SMB authentication attack. In this scenario, the attacker sets up an SMB service on the Internet and sends a phishing email with a URL or Word document that references an image through file:// rather than http://. This tricks the computer into authenticating to the SMB service with the domain credentials, providing the attacker with a user name and password hash. The hash can then be cracked or used in pass-the-hash attacks. To defend against SMB and Kerberos attacks, you should block TCP ports 88, 135, 139, 445 and UDP ports 88, 137, 138 to non-RFC 1918 IP addresses, both on the perimeter and on host-based firewalls. You’ll also want a process in place to detect compromised credentials, for example Rapid7 UserInsight, which leads us to the next item on our checklist.
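The egress policy from this item expressed as code, as an added example that is not part of the original post: should_block() decides whether one outbound flow violates the rule (listed ports to any destination outside RFC 1918 space), and iptables_rules() renders the same policy as Linux iptables commands with a LOG rule before the DROP so blocked attempts reach the SIEM. The chain name EGRESS_SMB and the host-firewall placement are assumptions; perimeter devices need the equivalent in their own syntax.

```python
"""Outbound SMB/Kerberos egress policy: decision function plus iptables rendering."""
import ipaddress

# Ports from the checklist item.
BLOCKED_TCP_PORTS = (88, 135, 139, 445)
BLOCKED_UDP_PORTS = (88, 137, 138)

RFC1918_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True only for IPv4 addresses in the three RFC 1918 ranges.

    Deliberately narrower than ipaddress.ip_address(ip).is_private, which
    also covers loopback, link-local and documentation prefixes.
    """
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918_NETWORKS)


def should_block(proto, dst_ip, dst_port):
    """Block the listed ports to non-RFC 1918 destinations; internal traffic
    to domain controllers and file servers is unaffected."""
    ports = {"tcp": BLOCKED_TCP_PORTS, "udp": BLOCKED_UDP_PORTS}.get(proto.lower(), ())
    return dst_port in ports and not is_rfc1918(dst_ip)


def iptables_rules(chain="EGRESS_SMB"):
    """Render the policy as iptables commands for a host-based firewall.

    Traffic on the listed ports is diverted to a user-defined chain (name is
    an assumption); RFC 1918 destinations RETURN to normal processing, and
    everything else is logged and dropped. The RETURN rules must come first.
    """
    tcp_ports = ",".join(str(p) for p in BLOCKED_TCP_PORTS)
    udp_ports = ",".join(str(p) for p in BLOCKED_UDP_PORTS)
    rules = [
        f"iptables -N {chain}",
        f"iptables -A OUTPUT -p tcp -m multiport --dports {tcp_ports} -j {chain}",
        f"iptables -A OUTPUT -p udp -m multiport --dports {udp_ports} -j {chain}",
    ]
    rules += [f"iptables -A {chain} -d {net} -j RETURN" for net in RFC1918_NETWORKS]
    rules += [
        f'iptables -A {chain} -j LOG --log-prefix "{chain} "',
        f"iptables -A {chain} -j DROP",
    ]
    return rules


if __name__ == "__main__":
    print("\n".join(iptables_rules()))
```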

 

5. Detect malware on endpoints

Many phishing attacks involve malware that steals your data or passwords. You should have technology in place to detect malware on the endpoint. Regular anti-virus is great for catching commodity malware, which is likely the bulk of what you will see used against you. There are also many new endpoint detection vendors out there that have great alternative technologies. Rapid7 UserInsight uses its agentless endpoint monitor to collect process hashes from all machines on your network to highlight known malicious processes based on the output of 57 anti-virus scanners; it also looks for rare/unique unsigned processes that may indicate malware.

 

6. Detect compromised credentials and lateral movement

Even with all of these protections in place, your users may still fall prey to credential harvesting attacks. A common phishing attack is leading users to a fake Outlook Web Access page and asking them to enter their domain credentials to log on, but there are many variations. Once the attackers have the passwords, they can impersonate users. Rapid7 UserInsight can detect compromised credentials, both on your network and in cloud services, such as Office 365, Salesforce.com and Box.com. It detects lateral movement to other users, assets, or to the cloud, so you’ll be able to trace intruders even if they break out of the context of the originally compromised user.

 

7. Implement 2-factor authentication

Add 2-factor authentication (2FA) to any externally-facing system to stop attackers from using stolen passwords. While Rapid7 doesn’t offer a solution in this space, check out our partners Okta and Duo Security. All systems protected with Okta (Rapid7/Okta Integration Brief) or Duo Security can be monitored with Rapid7 UserInsight to help detect any attempts to use compromised credentials.

 

8. Enable SPF and DKIM

Two standards help determine whether an email actually came from the sender domain it claims, which is how email spoofing is detected. The first is the Sender Policy Framework (SPF), which adds a list to your DNS records of all servers that are authorized to send mail on your behalf. The second is DomainKeys Identified Mail (DKIM), which is a way for an email server to digitally sign all outgoing mail, proving that an email came from a specific domain and was not altered in transit. Together, they raise the recipient’s confidence in the authenticity of the sender and the email content. To help improve security hygiene, check that your systems have both SPF and DKIM enabled on your outgoing email. For incoming email, check whether the sender domain has SPF set up and the email came from an authorized server, and that DKIM-signed emails have not been tampered with. While these protections are not bulletproof against targeted attacks that register look-alike domains, they can help filter out a lot of mass phishing.
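The receiving-side SPF check described above, as an added example that is not part of the original post: it evaluates a sending IP against a domain’s SPF record the way a receiving server would, covering the ip4, ip6, include and all mechanisms and their qualifiers; the a, mx, ptr, exists and redirect terms and macros from RFC 7208 are not implemented. The zone is a constructed in-memory dictionary using documentation prefixes so the example runs offline; a real receiver would fetch the TXT record over DNS.

```python
"""Minimal SPF evaluator (ip4/ip6/include/all only) against a constructed zone."""
import ipaddress

# Constructed zone data; these are not any real domain's records.
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "softmail.example": "v=spf1 ip4:192.0.2.200 ~all",
    "nospf.example": "",
}

# Qualifier prefix on a mechanism -> result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, zone=ZONE):
    """Return the SPF record text for a domain, or None if there is none."""
    rec = zone.get(domain)
    if rec and rec.lower().startswith("v=spf1"):
        return rec
    return None


def check_spf(domain, sender_ip, zone=ZONE, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for sender_ip.

    Mechanisms are tried left to right; the first match decides, with the
    mechanism's qualifier ('+' when omitted) selecting the result.
    """
    if depth > 10:  # RFC 7208 caps DNS-triggering lookups at 10
        return "permerror"
    record = lookup_spf(domain, zone)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "include":
            sub = check_spf(arg, sender_ip, zone, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"  # include of a missing record is an error
            matched = sub == "pass"  # fail/softfail/neutral just mean "no match"
        elif name == "all":
            matched = True
        else:
            return "permerror"  # mechanism not supported by this simplified evaluator
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no 'all' term


if __name__ == "__main__":
    for ip in ("192.0.2.5", "198.51.100.10", "203.0.113.7"):
        print(ip, "->", check_spf("example.com", ip))
```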

 

9. Train your employees on security awareness

While even educated users won’t catch everything, they are worth investing in. Train your users about how to detect phishing emails and send them simulated phishing campaigns to test their knowledge. Use the carrot, not the stick: Offer prizes for those that detect phishing emails to create a positive security-aware culture – and extend the bounty from simulated to real phishing emails. Whenever you see new phishing emails targeting your company, alert your employees about them using sample screenshots of the emails with phishy features highlighted. Encourage your users to use secure browsers – I put Google Chrome (64-bit version) on the top of my list for security and usability. Here at Rapid7, we offer Security Awareness Trainings; you can also send phishing simulations with Rapid7 Metasploit Pro that track click-throughs so you can report on user awareness.

 

10. Have an incident response plan

Even if you put all of these protections in place, some phishing emails will get through, especially if they are targeted against your organization and tailored to the individual. It’s not whether these emails will get through but how well you are prepared to respond to intruders on the network. Rapid7 UserInsight enables you to detect compromised users and investigate intruders that entered the network through a phishing attack. This helps you shorten your time-to-detection and time-to-contain, reducing the impact of a phishing attack on your organization. In addition, Rapid7 offers incident response services and can help you develop an incident response program.

 

While these areas cover the most important counter-phishing measures, I’d love to hear if you’ve implemented anything else that you found to be effective - just post your experience in the comments section.

 

If you’re looking at defending against phishing attacks, you may also enjoy my related webcast “You've Been Phished: Detecting and Investigating Phishing Attacks”; register now to save a seat and ask questions during the live session.

The Third Court of Appeals upheld the Federal Trade Commission’s decision to sue Wyndham Worldwide for at least three data breach incidents that occurred between 2008 and 2010. The incidents exposed more than 600,000 consumer payment card account numbers and led to more than $10 million in fraud loss, according to the FTC complaint. Wyndham Worldwide had challenged the FTC complaint in an appellate court, saying the FTC was over-reaching its authority, but lost the appeal in a 3-0 vote. The unanimous ruling is important, because it shows the government is taking bold steps toward holding data custodians accountable for the data in their care, and the courts are agreeing with them.

 

The Wall Street Journal blogged about this, and put a call out to CIOs to be careful about how they handle data security. “CIO[s] should act defensively to mitigate the company’s exposure to claims by the FTC and other government regulators,” state the authors.

 

The article mentions several important points:

  • Compliance with the NIST Cyber Security Framework. The National Institute of Standards and Technology Cyber Security Framework is guidance, based on existing standards and good security practices, to better manage and reduce organizational risk. It is becoming an implied de facto standard for cyber security. The challenge for organizations is determining the relevance of, and how to implement, the more than 350 recommendations in the NIST CSF.
  • Updating of data and privacy policies. Even if your company has data security policies, when were they last reviewed and revised to include defenses against the most recent threats? Any organization that handles HIPAA data or PCI data is required to do ongoing reviews to ensure its security measures are current and compliant, and may be required to demonstrate this to auditors.
  • Report by respected third-party consultant. A security assessment is a key step in understanding your organization’s level of readiness and maturity. It reveals security gaps, the associated risks, and can help organizations factor high-impact investments into their future business plans. Annual security assessments from respected security consultants can help your organization adapt to new threats, increase employee awareness, and assist in the formulation of a strong security strategy.

 

The government is getting serious about data breaches. The gap between what is required for protecting data and organizations’ knowledge of how to implement it is widening. As data continues to grow, and more rules are passed on how it is to be governed, this gap, and the accompanying fines, will become pressing issues for enterprises to manage.


Rapid7’s Global Services organization has experience in all of these areas, and partners with clients to assess organizational security maturity, provide recommendations and advice on how to address gaps in security processes and procedures, and assist in the development of security programs and policy. These engagements help clients reduce their security risk through the delivery of robust, repeatable and easily governed processes.


I am happy to answer any questions you might have regarding security maturity, cybersecurity frameworks, or a host of other information security services. Please feel free to contact me @JoelConverses on Twitter or Skype. I look forward to chatting with you!


- Joel Cardella

Penetration Tests are a key part of assuring strong security, so naturally, security professionals are very curious about how this best practice goes down from the pen tester perspective. Jack Daniel, Director of Services at Rapid7 with 13 years of penetration testing under his belt, recently shared which flaws pen testers are regularly using to access sensitive data on the job in the webcast, “Campfire Horror Stories: 5 Most Common Findings in Pen Tests”. Read on for the top takeaways from this webcast:

 

  1. Patching & Passwords – Patching trends have shown great progress over the last few years but are still a large area of concern. Organizations have adopted patching standards, and are certainly more mature compared to 5-8 years ago. The bulk of systems are being patched regularly, especially with critical patches. However, pen testers still find organizations missing critical patches from years and years ago, even if they are up to date with recent patches. As for passwords, when pen testers are able to gain access and do a massive password dump or brute forcing, over 30% of passwords include variations of the company’s name or its product names. Pen testers are able to quickly work around or crack weak passwords and password hashes. To avoid these pitfalls, make sure passwords are audited regularly, don’t use weak roots, and do not store password hashes locally.
  2. Beware the Default – Misconfigurations and default configurations are consistently the number 1 most common finding for penetration testers as an issue at almost every organization. If configurations are not regularly reviewed, it can lead to accidental information leaks. A default account left enabled on a device that gets rolled out without a security review is a quick foothold into any network. A system that is different from most others on a network, and outliers within the network in general, are also weak points for attackers to focus on since they know securing an outlier device will require additional expertise from the security team. To prepare for misconfiguration and default configuration issues, know your network and what it will look like to an attacker, and segment wherever possible so that a blind spot cannot spiral into a devastating breach.
  3. Encryption Good, XSS Bad – Storing or transmitting sensitive data in clear text and cross site scripting are two other common missteps that pen testers come across. Data left unencrypted is completely reliant on network controls for protection and vulnerable to attackers. Put an emphasis on securing an app or device itself, and encrypt your data while storing or transmitting it, keeping in mind that databases tend to be less secure. Web flaws and cross site scripting are becoming more pervasive. To combat this, ensure your users and their browsers have client side scripts disabled wherever possible.
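A weak-root check for the password finding in item 1, as an added example that is not from the webinar: it flags passwords built on company or product names after undoing the usual mangling (case, trailing digits and symbols, simple letter-for-digit substitutions), which is the kind of filter a password-set policy or a periodic audit would run. The root list, the substitution table and the sample passwords are constructed for illustration.

```python
"""Flag passwords built on weak roots such as company or product names."""
import re

WEAK_ROOTS = ["acmecorp", "acme", "widgetpro"]  # assumed company/product names

# Common substitutions users make to get past complexity rules; '1' is read as 'i'.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password):
    """Lowercase, undo the substitutions above, then keep letters only,
    so 'Acm3C0rp2016!' collapses to the root it was built from."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def weak_root(password, roots=WEAK_ROOTS):
    """Return the weak root the password contains, or None.

    Longer roots are tried first so 'acmecorp' is reported rather than 'acme'.
    """
    norm = normalize(password)
    for root in sorted(roots, key=len, reverse=True):
        if root in norm:
            return root
    return None


def audit(passwords, roots=WEAK_ROOTS):
    """Return ({password: root} for every hit, share of passwords that hit)."""
    hits = {}
    for pw in passwords:
        root = weak_root(pw, roots)
        if root is not None:
            hits[pw] = root
    share = len(hits) / len(passwords) if passwords else 0.0
    return hits, share


if __name__ == "__main__":
    # Constructed sample set, not real credentials.
    sample = ["Acm3C0rp2016!", "Summer2015", "W1dg3tPr0#", "xk3!Qp9$zL"]
    found, share = audit(sample)
    print(f"{share:.0%} of passwords use a weak root: {found}")
```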

 

  To learn more about the most common findings in pen tests: view the on-demand webinar now.