Programming Wetware: Planning for Success

Introduction

Modern information security is a powerful tool with some very potent capability to deter and prevent cyber attacks on enterprise networks.  Firewalls, VPNs, CAs, multifactor authentication, IDPS, antimalware, traffic monitoring, and audits are just some of the components implemented in a strong security posture, and they are a major part of a defense-in-depth strategy.  Of course, misconfiguration of any of these systems can create a security vulnerability, and programmers often do not take security best practices into account as part of the SDLC, which creates even more vulnerabilities.  However, we can audit and correct misconfigurations, we can test applications for vulnerabilities, and we can stay up to date with patches and security hotfixes.  One of the biggest concerns now turns to the inevitable question of how to “fix” the biggest gap in enterprise security – people.


An effective cracker is often like water, following the path of least resistance.  This is one of the primary reasons that some honeypots are successful at all in protecting the true assets of the network from prying eyes.  With all of these advances in technology surrounding information security, it’s become far more difficult for a cracker to penetrate the network through traditional vectors.  We often think of a cracker forcing his way through the firewall, brute forcing passwords, and kicking down virtual doors.  In fact, most crackers don’t even bother, for two reasons.  First, they know that this kind of approach drastically increases the likelihood that the attack will be noticed and then shut down.  Secondly, it makes their effort a waste of time: after tripping the security system, the incident will possibly be investigated, the security breach fixed, and the cracker still won’t have gotten at the information they wanted.  So, what is the solution?  If the technology is too hard or risky to bypass, then don’t bother hacking the tech – hack the people running it.  This highly effective path of least resistance is the go-to tactic for current crackers looking to quietly breach a target, and the insider threat is currently the most potent.


As an observer, I often find that people are generally suspicious and paranoid when it comes to their dealings with other people, but when primarily using technology, this paranoia often completely vanishes and they become incredibly naive and trusting.  Social engineering techniques employed by crackers are intended to strike at the very nature of human beings and capitalize on this very phenomenon through some very psychological-warfare-ish tactics.  If a stranger walked up to someone standing on the corner and asked them to open a suspicious package, they wouldn’t do it, but if someone sends them a suspicious email with a link in it, they can’t click it fast enough.  Often, it’s not that people don’t care, but that technology has exploded so quickly that we often take it for granted and trust that it is safe.  The reality is that you are no safer walking down the street on the Internet than you are walking down a shady street in the middle of the night on the wrong side of the tracks in the real world.


Getting people to be compliant, then, is the real issue and the subject of this discussion.  We, as security professionals, managers, and executives, must find a way to combat this problem.  Some people in the information security discipline have thrown up their hands in exasperation and declared it a lost cause.  Unfortunately, I find that these people often have made several incorrect assumptions when attacking the problem, and this leads to ineffective solutions.  Security professionals cannot simply assume that education alone is a fix for the problem.  A complex problem often requires a complex solution.  Simplicity is an enemy.  To guard against social engineering, we have to harden the “operating system”, if you will, of the wetware (people) in much the same way that we would harden a technology OS; however, the approach, while similar in purpose, has more to do with psychology than with education.  Social engineers use psychology and traditional workplace culture to exploit people.  To guard against this, we have to put countermeasures in place using our own psychology (which does include education), but also by manipulating the workplace culture (to harden against the “vulnerabilities” that are being specifically attacked).


Planning for Success

All good endeavors start with an effective plan or strategy.  This is absolutely no different.  To begin to plan, we want to identify the tactics being used, examine the psychology or culture involved in that particular vector, develop a list of potential mitigations, consider proper implementation action, and begin to lay out the structure for processes that will tie into other relevant security and operational policies which already (or at least should already) exist.  This isn’t a single-policy solution and will require the review and change of other policies to ensure that each is effective and supported.


Identify Tactics


For two brief examples (or “cases”), let’s consider the classic phishing email.  What are the tactics?  They often involve replication of official-looking correspondence or pretend to be from someone in a position of authority within the organization.  They can also target people personally by preying on their curiosity, such as a line which might read, “OMG, look at this crazy picture of you on the Internet!!” accompanied by a malicious link.


Examine Psychological and Cultural Factors


The first example is intended to get people to bite out of complacency or trickery in a professional sense, and the second is an exploitation of the fact that most people desperately try to manage their online persona to project only a positive image.  People often take official-looking emails for granted and click away, and some are intimidated into clicking a link or attachment out of fear of being punished or fired.  In the personal sense, the scandal of someone publicly posting that picture of them plastered drunk at the beach 5 years ago during summer break creates a curiosity and fear that renders most people unable to take the chance of it being fake, so they click anyway to see this alleged picture.  Both of these methods are extremely common ways to social engineer people into clicking on links that will then infect the machine with malware and possibly even allow a cracker to take remote control of the computer, without the knowledge of the user or the IT department, and launch an attack from inside the company.


Consider Mitigations


Now we have the tactics and the psychological and cultural factors.  Let’s consider the proper mitigations.  In the first example, the person is ignorant of the threat, so we can identify education as a mitigation, but also, there is the component of workplace fear to consider.  Mitigation for this needs to come in the shape of policy and culture reform.  Employees must not fear retaliation for adherence to policy.  This means that top-down support for a full-on culture change in the workplace that is security-centric and aware is absolutely paramount.  To combat fear of getting in trouble, employees need assurances in writing that they will not get in trouble for following policy to the letter.  If that policy doesn’t even exist to begin with, then you as a manager are failing your company and setting yourself and your employees up for failure.  Crackers can and will take advantage of your culture if you don’t take control of it.  Employees must be educated on social engineering vectors and how to identify possible threats and report them, but again, they must also be freed of fear of retribution or punishment for taking proper action.  This leads us into a discussion of good ways to be effective in education and creating a security culture, but that will be discussed more in depth later.


The second example demonstrates that someone is likely looking at their personal email at work.  While this may be allowed by some organizations, it is strictly prohibited by others, and for good reason.  We can mitigate personally targeted attacks on employees by limiting their access to personal media while on the company’s dime.  Again, this goes into policy and education, but it also gives us the opportunity to examine the necessity for policy to have real teeth that can bite.  In other words, policy must not only exist, but must be enforceable and enforced regularly and consistently to function as a proper mitigation.  An example would be barring the use of personal email and social media accounts on corporate machines and including filters that prevent people from navigating to these sites to begin with.  Any attempt to circumvent these controls should be identified and addressed as a willful attempt to bypass security controls and a direct attack on the company, and should be handled with prejudice (i.e. make an example out of them).  This also feeds into “risk deterrence”, as other employees will see that the organization is serious about security and will act on policy to protect itself, making other employees fall in line.


Develop Implementation


A plan within a plan is a great idea as long as the scope is kept appropriate and it doesn’t become too ambitious.  Sometimes, the best way to approach this situation is to spawn a completely separate child plan which is tied through processes and policy to parent plans.  Developing implementation of mitigations often involves lengthy discussion around the verbiage and wording of policy, but can be sped up by taking advantage of policy advice and templates that come from industry-proven pros such as SANS, ISO, and NIST.


Implementation of a Communication Plan can make all the difference and is, in my opinion, a key step toward taking the information gathered and putting real control measures into place.  Education can only work when paired with a top-down culture of security in the organization, in which even the most senior people in the organization visibly show their staunch support for these new policies in a positive and encouraging way.  Employees look to their leaders and superiors to determine how to behave and what is acceptable in that particular corporate environment’s culture.  Expect a fight and be ready to stand your ground, as many people perceive comprehensive and extensive changes as a threat to their position and power base within the company.  However, over time, as the culture shifts and changes, the dissent will become a forgotten echo of the past.


One way to help positively change the culture into one that is security-centric and aware is to use the Communication Plan to develop appropriate ways to disseminate information about policy and security.  Employees and managers need to be shown exactly how important security is.  They aren’t going to take the threat seriously until they realize that it is a serious threat.  A strong word of caution here, though: we must make certain not to alienate the employees by being too heavy-handed and cramming it down their throats.  That will only make them come to hate infosec and further reinforce their belief that security is nothing but a pain in their rump.  The Communication Plan should outline a tiered system that is slowly introduced over a period of time so as to make the increase of information more palatable.


Strong and effective methods can include log-in banners and Message Of The Day (MOTD) reminders, as well as a weekly security bulletin sent through email, a prominent security section on the home page of the intranet site, and other digital means.  But don’t forget that there are many other ways to increase security and policy awareness.  For example, you could have quarterly security briefings which are also semi-instructional using quality methods (not some boring monotone speaker pointing at a PowerPoint slide with a laser) and which could be made more like a cookout, with some kind of prize for certain demonstrations of knowledge and skill – for example – a reservation for two at a popular restaurant for the highest score on a security/policy quiz, or other prizes such as being able to leave work that Friday at noon instead of 5.  One sure way to get people to have a better outlook on security is to tie it into something that is both fun and rewarding so that they don’t feel browbeaten or burdened.  Also remember that traditional marketing can be a huge power play.  Weekly security pamphlets (that tie into the quarterly or bi-annual meeting test), along with posters that are brightly colored, friendly, not harsh or threatening, and placed in well-trafficked areas, will also help to foster a security-friendly culture.


Tying Into Processes and Policy


All of these things are great, but another extremely important task is to evaluate how all of this fits into your business processes and policies.  For example, if you train employees to identify social engineering attempts and report them, there must be some kind of policy, standards, or guidelines that enable this by providing clear and concise rules and procedures to follow.  There must be no question about what the employee should do.  Furthermore, if you develop that policy, then you must also develop processes and policies which implement a reporting structure that is tied into your Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP), and which inform your processes and policy for your Incident Response Team (IRT).


For example, if that employee reports a suspected social engineering attempt, who is to field that complaint?  What information is recorded?  How does the investigation proceed?  Who is alerted and how far up the chain does it go?  Who is responsible for overseeing the investigation?  How is the response and reporting handled?  Who prepares the After Action Report?  Who gets to see that report when it is finished?  Is the AAR protected as classified data or is it to be publicly released?  Is law enforcement to be notified if there is a significant breach?


There are a lot of these questions which must be answered, and the policy must be developed with a reasoned approach.  Again, organizations can take advantage of policy templates from reputable experts in information security consulting that can be altered to meet the individual needs of that organization.  To attack this problem, you will want to assemble a team of people from various functional areas of the organization to help develop all of these policies.  All of the above steps are best informed when you involve the most talented and experienced people in your stables.


Conclusion

Once this system is in place, then you can begin to establish processes by which the entire system is audited and evaluated.  This allows the organization’s Communication Plan and associated policies to stay relevant and effective.  Minor changes will always need to be made to the policies and proper change management controls should be applied.  By creating a lifecycle to security policy which directly addresses psychological and culture-based security, you empower the organization to continue to harden your defenses to social engineering in an effective and productive manner.


The concept of the cheetah and the gazelle does not apply to information security.  If you were a gazelle being chased by a cheetah, the saying goes, you don’t have to be the fastest gazelle, just faster than the next gazelle (your competition).  Unfortunately, this simply isn’t a fair comparison to information security when it comes to social engineering.  A more adequate comparison would be all the gazelles in the pack being slow as snot, and not three or four hungry cheetahs, but millions of them.  The odds are absolutely not in your favor, and simply scraping by with the least amount of security possible went out in the late ’90s.  Unfortunately, far too many people have ineffectively implemented infosec policies, and the resulting backlash has only reinforced the stigma that security is pointless, expensive, hindering, and a nuisance.  I hope that after reading this short blog, you can see that a proper plan can be implemented that will help to change the environment into the security-friendly one that an organization absolutely must have in modern times to protect its intellectual property and business secrets.

Why is the South Korea attack hard to trace?

Why do bank robbers wear masks?  Obviously, they want to hide their identity.  For the most part, this is true of most criminal or legitimate covert activity.  If someone doesn’t want people to know who they are, they will hide their identity from scrutiny and doing so on the Internet is actually fairly easy for the net-savvy.  However, there are other factors to consider as well.  It’s not a simple thing, especially when dealing with very capable attackers in a cyberwarfare scenario.  Since my blog is aimed toward beginners to infosec, I’ll start very small and work my way up as an example to explain how complex this can be.

Proxy

A proxy is a machine that acts on someone’s behalf.  I could connect to a proxy in the UK and then navigate to a US-based website.  Generally speaking, that US website will register my visit as having originated in the UK, because the proxy is there and I am behind that proxy.  If it’s a VPN proxy, my connection to that proxy is also encrypted.  There is absolutely nothing illegal about this.  Many people do this as a means of protecting their identity and their traffic but it also has other benefits as well.  For example, some organizations seek to censor information on the web and block content from being viewed to other countries.  Some TV shows in the UK will not stream their shows to the US and give the message that the content is not viewable in your location.  Connecting to a UK proxy would then allow the streaming because the distributor only sees the UK IP address.  So, it’s possible to bypass censorship like this.

Lots of Proxies

But just connecting to a proxy isn’t going to protect someone from scrutiny.  If an attacker wants to attack a target but also protect their identity, then a single proxy isn’t enough.  The attacker will want to connect to many proxies in what we call “chaining”.  So they want to connect to multiple proxies, but which ones do they choose?  Does it matter?  Which proxies are chosen is absolutely paramount.

Proxy Selection

For example, if the attacker is in the US, then obviously, they won’t want to bother connecting to a UK proxy because the US and UK have very good relations and intelligence sharing.  So, it would make sense to chain through proxies that are in countries that don’t have a good working relationship with the US.  So, is that it?  Not if they want to stack the cards in their favor as much as possible.  There’s still plenty more that can be done and proxy selection is very important.

As an attacker, I would want to choose proxies that are spread out as much as possible on multiple continents, but just as it’s important to make sure that they are in countries not friendly to the US, it’s also important to try to use proxies in countries that aren’t friendly to each other.  It’s also very important to make sure that as many of the proxies as possible are “logless”, meaning that the system does not keep a log of who connected from what IP address, when, and what they did while connected.  A good rule of thumb spread throughout the hacker community is that one should use at least 7 “hops” before being comfortable.  Many will also suggest using software to randomize their MAC address as well as an extra layer of precaution.

Misdirection

The attacker has managed to select lots of hops in areas such as Iran, China, Argentina, etc… but could there be even more to be done?  If there is a target that would already be likely to suspect an attack from a particular entity or organization, would it not be of help to feed that suspicion as a means of deflecting blame?  Of course, it would.  If an attacker wanted to attack a US-based military contractor, would it not make sense to make it appear as if the attack originated in China?  Anything an attacker can do, no matter how little or subtle, to throw investigators off track is just one more layer of protection.  Sometimes, this takes the form of custom virus payloads which have “clues” as to who the attacker is inside the code, but placed there intentionally to throw investigators off the scent.

Cyberwarfare

As you can see from the information provided above, it can be all but impossible to track down the source of an attack, and it can sometimes be very difficult to discover the true purpose of the attack.  Not all may be as it seems.  The attack itself may have been a ruse to provoke a reaction that sets the target up for a different attack at a later date.  If the attacker knows they can get a reaction out of the target to an attack, then they may just use that to their advantage.

For example, let’s say that a disgruntled employee who formerly worked in the IT department of a company (and is familiar with their IP addressing scheme) has a beef they want to take action on.  This person is aware that the organization uses an IDPS that is set up to temporarily block IP addresses which exhibit certain behavior that could be classified as a threat.  The attacker then does something that they know will trigger an IDPS ban, but in multiple attacks spoofs the IP addresses of critical business partners.  The IDPS automatically bans the IP addresses, and now the entire communications chain for the organization is shut down, potentially costing the company millions of dollars by making them block their own people.
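As an added example (not code from the original post), here is the defensive side of the scenario just described: an auto-block decision that refuses to act on a source address it cannot verify and that never auto-blocks a critical partner range, escalating such hits to an analyst instead. The alert record format, the `established` flag, the partner ranges, and the helper names are all assumptions constructed for this example.

```python
"""Hypothetical IDPS auto-block logic that survives spoofed-source bait.

The failure mode in the post: an attacker forges the source address of a
business partner, trips the IDPS threshold, and the IDPS blocks the partner.
Two guards defeat that: (1) only act on flows that completed a TCP handshake
(a blindly spoofed source cannot complete one), and (2) never auto-block
addresses on a partner allowlist; hand those to a human instead.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed partner ranges (documentation addresses); in practice this
# comes from the organisation's own partner/peering inventory.
PARTNER_ALLOWLIST = [ip_network("198.51.100.0/24"), ip_network("203.0.113.10/32")]


@dataclass
class Decision:
    action: str   # "block", "escalate", or "log_only"
    reason: str


@dataclass
class AutoBlocker:
    allowlist: List = field(default_factory=lambda: list(PARTNER_ALLOWLIST))
    blocked: Dict[str, str] = field(default_factory=dict)   # src_ip -> signature
    escalations: List[dict] = field(default_factory=list)   # alerts for an analyst

    def in_allowlist(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in net for net in self.allowlist)

    def decide(self, alert: dict) -> Decision:
        """Decide what the automatic path may do with one threshold alert.

        alert: {"src_ip": str, "signature": str, "established": bool}
        'established' is assumed to mean the sensor saw a completed
        three-way handshake for the offending flow.
        """
        src = alert["src_ip"]
        # A source seen only in half-open or unacknowledged traffic proves
        # nothing about who sent it, so it must never drive an auto-block.
        if not alert.get("established", False):
            return Decision("log_only", "source unverified (no completed handshake)")
        if self.in_allowlist(src):
            # Partner traffic is never blocked automatically; escalate it.
            self.escalations.append(alert)
            return Decision("escalate", "critical partner range")
        self.blocked[src] = alert["signature"]
        return Decision("block", "threshold exceeded")


def run(alerts: List[dict]):
    """Feed a batch of alerts through one AutoBlocker; return it and the decisions."""
    blocker = AutoBlocker()
    return blocker, [blocker.decide(a) for a in alerts]


# Constructed sample alerts mirroring the post's scenario.
SAMPLE_ALERTS = [
    # Spoofed partner address: threshold tripped, but the flow never completed.
    {"src_ip": "198.51.100.25", "signature": "port-scan", "established": False},
    # Genuine partner host misbehaving: real session, so escalate, don't block.
    {"src_ip": "203.0.113.10", "signature": "port-scan", "established": True},
    # Unrelated verified source: the normal auto-block path.
    {"src_ip": "192.0.2.77", "signature": "port-scan", "established": True},
]

if __name__ == "__main__":
    blocker, decisions = run(SAMPLE_ALERTS)
    for alert, d in zip(SAMPLE_ALERTS, decisions):
        print(f'{alert["src_ip"]:>15}  {d.action:<9} {d.reason}')
```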

Caution

As we see with the South Korean hacking incident, there is a need for caution and patience.  I would bet that the forensics experts are under political pressure to provide answers so that politicians can point fingers, but rushing the results can lead to a disastrous consequence.  Investigators must not operate under any impression or hunch of what the motive for an attack may be simply because that misconception might be feeding into what the attacker actually wants.  They must conduct a full investigation of each detail discovered and even then there may not be enough evidence in the end to even come up with an answer.  Unfortunately, that is a possibility, but acting too swiftly and with only superficial intelligence might just be playing right into the hands of the attacker.

IT Ops vs. Infosec

Walk into any company that needs IT systems and ask random employees what their opinion is of their IT security.  Probably, you’ll hear, more often than not, some very negative voices.  Of course, we know that when we move the pointer closer to security, we detract from functionality and ease-of-use, so it’s not all that unexpected to hear some grumbling.

Users often don’t like the fact that they have mandated password changes every 60/90 days.  They often don’t like being forced to adhere to password complexity requirements.  They hate it when they step away from their system for just a minute to pick up something off the printer, only to come back and have to enter their password again because the screensaver automatically locked it.  These are understandable, but acceptable losses of ease-of-use in the name of security and risk management.  But a real problem exists when senior staff feel the same way.

I recently sent a tweet in which I stated that IT security and IT operations are two completely different processes and need to be treated as such before a proper reporting structure can be put into place.  To elaborate on this idea, it might be best to simply explain it as follows:  When senior leadership isn’t fully engaged in direction and oversight of IT security, infosec becomes an annoying afterthought relegated to the depths of the basement that nobody wants to have to deal with.  Instead of being a boon to the organization, it is seen as a burden that should have as little effort and money spent on it as possible.  IT operations is inherently different from IT security.  Operations deals with provisioning hardware and configurations, while security deals with policy and governance.  Far too many organizations think that security is a subset of IT operations, and this can lead to catastrophic failures.

It doesn’t have to be this way.  Organizational security is so much more than people trying to justify their jobs and budget.  Properly applied security should be built into the process system from the beginning – not injected later.  It is certainly possible to change paths once it starts, but bear in mind that there will often be a lot of resistance from all levels.  But not all is lost.  It’s important to engage senior leadership in terms that they understand so that they can see why they should be highly interested and involved in providing strategic direction and oversight of infosec implementation.

One good bit of information to bring up is this fact, according to the National Archives & Records Administration in Washington:

93% of companies that lost their data center for 10 days or more due to a disaster filed for bankruptcy within one year of the disaster. 50% of businesses that found themselves without data management for this same time period filed for bankruptcy immediately.

If an organization treats security as a burden, and not a boon, it is putting the survivability of the organization at risk.  When I did consulting for a particular organization, one of the first things I wanted to do was to physically secure the server room and prevent it from being a common thoroughfare for everyone in the building.  This was met with a lot of resistance.  The reasoning was, “We haven’t had an issue with it before, so why should we start locking it up now?”.  Many people have never had a fire in their homes, but they certainly install fire alarms.  Many people have never had something stolen from their home, yet they don’t leave without locking the doors.  Why are people willing to protect their own personal items, but don’t want to have to deal with the inconvenience of protecting company assets?

This brings me full circle on my discussion.  That particular organization had the head of the IT department reporting to the Office Manager.  Security wasn’t something they were generally interested in, because of the combination of inconvenience and cost.  There was no CIO.  There was no CISO.  There was no CTO.  This organization pulled down millions of dollars a year, and the senior leadership was completely (and willfully) ignorant of exactly how fragile their existence was (and probably still is).  When senior management becomes engaged and interested in security and a proper reporting structure is put into place, we can increase the organizational security to appropriate levels while keeping costs low and providing scalability for the future.  When your “off-site backup” is a 10-year-old Dell desktop sitting in the next building, you’re doing it wrong.  This is begging for Murphy to come and slap your organization into bankruptcy court.  Information is the primary source of wealth.  Until senior leadership recognizes the extreme importance and value of taking professional responsibility for the direction and oversight of infosec processes in their organization, we will continue to see failure after failure.

Posted in IAS Basics Series by Kevin Pope.

Bots, Hacks, and Backdoors

I have spent a large majority of my time as a watcher.  I’ve always been curious to know what other people know.  How hackers managed to pull off some of the things they did and not really risk getting caught amazed me.

When I was reading up on Google “dorks” – basically coding put into the Google search engine to pull out results that might not otherwise appear – I thought to myself that it could be very useful to get information on this.  As it turns out, there are bots out there that automatically attack and harvest all kinds of information.  The amount of information I found out there was absolutely mind blowing.

I was able to locate web pages with lists of compromised accounts and services.  Referred to as a “dump”, the administrators of the bots often harvest what is of direct interest to them, and then put the rest of the information online for other hackers to find and use.  These can be credentials to everything from rented virtual servers, to premium paid online services (premium accounts to online pornography sites appear to be especially desirable).

I found that there were lists of hundreds, if not thousands, of compromised virtual servers from all around the world – accompanied with username and password to gain access to them.  It makes perfect sense that if one wants a place to stage an attack from (especially outside CONUS), then using port 3389 RDP bot attacks to check for default logins and other common logins would be highly profitable.

Hackers can then access these remote servers and have them do their bidding – often without the owner/renter of the system even knowing the machine has been compromised.  One only needs to ensure anonymity before connecting, then upload any tools or scripts they want to run, and let that machine do the work.  I’m sure this could be fairly easily automated as well, although I have personally not attempted to do such a thing and have not personally seen such an instance in the wild.

Most of what I have seen and dealt with online has come in the form of automated attacks specifically against defaults.  That is one of the most fundamental parts of hardening that I constantly talk about.  Always change or disable defaults.  Failing to do this leaves the door wide open.  Often, people simply install applications with default settings and then never even realize that a vulnerability has been created.  Whether this is due to complacency, laziness, or simple ignorance, it’s a big problem.
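As an added example (not code from the original post), the following detector picks out the bot behaviour described above, a burst of failed RDP logons trying default account names, and flags it as most urgent when a success follows the failures. The log line format, the default-account list, the window and the threshold are constructed assumptions for this example, not values from the post.

```python
"""Hypothetical detector for default-login bots hammering RDP (TCP 3389).

Input: one log line per logon attempt in a constructed format:
    <ISO timestamp> dst_port=<n> src=<ip> user=<name> result=SUCCESS|FAIL
Output: per-source alerts for sources with >= threshold failures inside a
sliding time window, noting which default account names were tried and
whether a successful logon followed the failure burst.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Account names that ship as defaults or that credential bots try first
# (assumed list for this example).
DEFAULT_ACCOUNTS = {"administrator", "admin", "guest", "test", "user", "sa"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) dst_port=(?P<port>\d+) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["port"] = int(ev["port"])
    return ev


def detect(lines, window=timedelta(minutes=5), threshold=5):
    """Return {src_ip: alert} for sources that look like default-login bots."""
    recent = defaultdict(deque)   # src -> failure timestamps still inside window
    tried = defaultdict(set)      # src -> lower-cased account names attempted
    alerts = {}
    for raw in lines:
        ev = parse(raw)
        if ev is None or ev["port"] != 3389:   # only RDP logons matter here
            continue
        src, ts = ev["src"], ev["ts"]
        if ev["result"] == "FAIL":
            tried[src].add(ev["user"].lower())
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:          # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(src, {"src": src, "failures": 0,
                                                 "default_accounts": set(),
                                                 "success_after": False})
                alert["failures"] = max(alert["failures"], len(q))
                alert["default_accounts"] = tried[src] & DEFAULT_ACCOUNTS
        elif src in alerts:
            # A success right after a burst of failures suggests a guessed
            # credential: the most urgent case for the responder.
            alerts[src]["success_after"] = True
    return alerts


# Constructed sample log: one bot run, one legitimate typo, one non-RDP line.
SAMPLE_LOG = """\
2013-03-20T02:00:01 dst_port=3389 src=203.0.113.50 user=Administrator result=FAIL
2013-03-20T02:00:03 dst_port=3389 src=203.0.113.50 user=admin result=FAIL
2013-03-20T02:00:05 dst_port=3389 src=203.0.113.50 user=guest result=FAIL
2013-03-20T02:00:07 dst_port=3389 src=203.0.113.50 user=test result=FAIL
2013-03-20T02:00:09 dst_port=3389 src=203.0.113.50 user=Administrator result=FAIL
2013-03-20T02:00:11 dst_port=3389 src=203.0.113.50 user=Administrator result=SUCCESS
2013-03-20T02:01:00 dst_port=3389 src=198.51.100.7 user=jsmith result=FAIL
2013-03-20T02:01:30 dst_port=3389 src=198.51.100.7 user=jsmith result=SUCCESS
2013-03-20T02:02:00 dst_port=22 src=192.0.2.9 user=root result=FAIL
""".splitlines()

if __name__ == "__main__":
    for src, alert in detect(SAMPLE_LOG).items():
        print(src, alert["failures"], sorted(alert["default_accounts"]),
              "SUCCESS AFTER FAILURES" if alert["success_after"] else "")
```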

Some applications come with backdoors already installed.  Although never originally intended to be used for a malicious purpose, they were put there by application designers as a convenience while developing the product, and they are sometimes forgotten about and not pulled out of the code before release.  Hackers can find these as well and exploit them to quickly and easily take control of that application, and then possibly move laterally through the system to attempt to take control of the host itself.

This is why it’s so very important to read the documentation that comes with the product and to always keep products up to date.  Usually, once the developer realizes that they have left the backdoor in place, they will release a patch to correct this.  Promptly updating your applications will help to address security issues as quickly as possible.  Unfortunately, developers can’t always be counted on to fix these issues, and they create very serious problems for everyone else, which is why defense in layers is so important.

Posted in IAS Basics Series by Kevin Pope.

Emergency Continuity

One very important thing for beginners and students to understand is how emergency policies work together to respond in a time of crisis.  Obviously, risk management is performed to identify the risks and policy then lays the groundwork for mitigation implementation.  But as we all know, it’s simply not possible to completely avoid every possible calamity and catastrophe that might befall an organization.

To this end, we have three components that function together to help guide staff during these troubling times:

  • Disaster Recovery (DR)
  • Incident Response Team (IRT)
  • Business Continuity Plan (BCP)

Planning and creating the DR policy takes a team effort that involves experts from each functional area who will work together with stakeholders to establish policy, standards, and guidelines in the event of disasters.  For example:  What to do if there is flooding?  What are the procedures for recovering from a power outage?  What happens if a disgruntled employee breaches security?  What takes place if someone reports a social engineering attempt?

When disaster strikes, people often panic.  The DR provides a structured approach to recovering from a disaster so that the organization can return to normal operations as quickly and efficiently as possible.  It provides step-by-step instructions and guidance so that staff can react decisively and effectively with advance knowledge of procedures already approved by senior executives.

The IRT is the team that handles the disasters.  They are often security experts, but a good team also can make use of liaisons from departments such as HR, who, for example, may need to perform certain HR tasks and coordinate with other members of the IRT for appropriate responses to dangerous situations.  The IRT implements the DR policy and tackles the problem.

But what happens while the organization is in the midst of the disaster?  A large enterprise might be losing millions of dollars and that’s going to make some people very grumpy!  While full operating capacity isn’t often going to be possible during a disaster, it certainly is possible to operate at least in a limited capacity so that some of the loss is mitigated.  The BCP describes how the organization should proceed to mitigate some of this loss.  One example would be if a grocery store loses power and can’t operate the registers, but the employees are able to handle cash purchases and write out receipts or use other manual forms of processing orders.  At least this will keep some of the cash flowing in the interim.  Use your imagination and you can come up with all kinds of BCP procedures to help mitigate loss in all forms of business.

These three components work together in sync to help provide a safety net for organizations.  Disasters are going to happen.  You may have heard the saying, “There are two kinds of motorcycle riders – those who have been down, and those who are going to go down”.  When it comes to organizations, there are those who have had disasters, and those who are going to have them.  It’s not a matter of “if”; it’s a matter of “when”.  Woe unto those who did not plan ahead.

NSA Wiretapping Illegal?

This is something that I’ve been interested in lately.  I would personally love the opportunity to work for the NSA, but they have come under very heavy fire recently.  A lot of accusations are being thrown around that they are illegally wiretapping domestic US citizens and collecting data on everyone.

That is a bit alarming.  Obviously, we don’t want a very secretive agency doing illegal things and basically “going rogue”.  But, I don’t see that the NSA would be able to do that for long if that really were the case.  The NSA insists that they are adhering to every letter of the law while also doing their job to protect us.

Obviously, there are two sides to every story, and usually, the truth lies somewhere in between.  It’s being stated that the NSA is collecting every single bit of raw data that they possibly can and storing it away.  People are obviously freaked out about this and they’re calling it illegal.  But, what they don’t understand is that it probably isn’t illegal (in my uneducated opinion – consult legal counsel) and here’s why I think so.

18 USC § 2510 (Definitions) defines “wire communication” as an “aural transfer”, which is in turn defined as “…containing the human voice…”.  Also, wiretapping then must involve someone actually overhearing the conversation.  So what it appears we have is a loophole, one in which the NSA is doing nothing wrong by “slurping” every byte that crosses the wire, as long as they don’t actually put on headphones and “listen” to any of it.

So what they are then able to do is “data mine” that repository of information using queries to get information.  Again, the result of a database query does not constitute a human being putting on headphones and “listening”, so technically speaking, from what I can tell, there is nothing illegal about this because they do not require a warrant.  Anything not encrypted that goes over the wire is public domain and can be captured by anyone for any reason.  It would be like complaining that someone records video of you when you step out into a public street.  You have no reasonable expectation of privacy.

So, my only concern is that of abuse.  The NSA has stated that they are under incredible scrutiny by oversight, and I tend to believe that.  But, I also can’t help recognize that a government that collects extremely detailed information about everyone has gone the way of Stalin, Hitler, and Mao.  Perhaps it is a bit alarmist to compare to these old school governments.  Times have changed and information is power.  Dealing with threats like terrorism most certainly does call for a complete reorganization of our intelligence operations post-9/11.  We simply can’t fight terrorists or a “lone wolf” threat with tank battalions, artillery brigades, and bomber wings.  Afghanistan has proven that.

So, it seems that both sides are correct, but only have a different perspective.  The alarmists claim that the NSA is a rogue shadow government attempting to illegally record every citizen as a part of a plan to subvert our people to pave the way for a new military dictatorship.  The NSA claim they are doing everything in their power to prevent another 9/11.  It does seem as if, perhaps, the truth lies in the middle, that the NSA is doing an incredible job at what they do, but that in the process of using this loophole, US citizens have every right to be concerned.

There will always be distrust focused upon ultra-secretive organizations simply because a lack of transparency is automatically suspicious in most people’s minds.  Being former Army and having previously held a security clearance, I know things that the average civilian doesn’t.  Yet that doesn’t mean that I abused my position in any way during or after my service.  The patriot in me wants to believe that the NSA is full of the most intelligent minds in our nation who only desire to serve our nation and protect our people.  The historian in me sees all too well the slippery slope that is domestic recording.  I would like to imagine that there are incredibly powerful access controls in place to prevent abuse, but neither I nor anyone else outside the NSA is privy to that information, and around we go again with suspicion.

I am a hacker to my core and I believe that information should be free.  I believe that knowledge is power and when governments attempt to limit access to information, it is time for a revolution (save – of course – legal classification restrictions – I mean general information).  Yet, what I see is not the government limiting information, but wanting access to it no different than any hacker.  Is it not hypocritical to stand for the cause of free information, yet want to deny information to others, even if that be a government entity?  This smacks more of anarchism than of free information.

I simply cannot believe that 30,000 of the brightest and smartest mathematicians, linguists, and analysts in our nation, who are also patriots, could ALL be 100% complicit in some shadowy scheme for the intelligence community to supplant and replace the government with a Gestapo-like regime.  I think it’s alarmist.  I think it’s idiotic.  Most of all, I think it distracts from the real issue.

If this is nothing more than a loophole that is being taken advantage of, then the people need to be aware of it and make a decision whether or not this is something they want to allow.  We govern ourselves and we, through the democratic process, determine how our government operates.  So, my call is to all my fellow patriots out there.  Take off the tin foil hat and let’s engage this realistically.  Is it worth it for me personally to avoid NSA “slurping”?

Personally, I believe that before 9/11, the only real issue that the intelligence agencies had is that they refused to cooperate with each other.  It is obvious from reports that the 9/11 hijackers were being monitored by the NSA.  However, the NSA did not pass that information on to the FBI, who would have had domestic authority to act on it.  The system we had before worked just fine, except that we needed to ensure that the agencies would share information.  That has certainly been fixed by now, but we have also seen the largest government restructuring in recent history, to include incredible expansion of intelligence services and operational scope and capability.

I believe that it would be an incredibly powerful tool to have, but I also recognize how dangerous it is simply because it exists, so I am very torn on the subject.  I’m certain that smarter minds than mine will explore this and I believe everything will work out in the end.

Posted in Security Blog by Kevin Pope.

Country Blocking

Welcome back to my weekly blog.  I hope you enjoyed your holidays and there are still more to come.  Again, going to keep things short this week.  I want to discuss the importance of firewalls.

Obviously, there could be an entire series devoted to firewalls.  As a beginner, it’s likely that you’re aware of the importance of firewalls, but perhaps you’ve never written any rules.  Maybe the extent of your knowledge is the local software firewall you use on your personal computer at home.  In enterprise, the firewall is the one place that is going to take the brunt of any attack.  Let’s assume that you have a corporate network that has only one access point to the internet, and there you have a border router with a firewall.

The firewall is going to give the Administrator the ability to determine what is acceptable and what isn’t.  Certain traffic can be blocked or “dropped” at the router if it violates certain set rules.  For example, no border router should forward a packet that arrives from the outside but carries an internal source IP.  So, if you are getting packets coming in from the WAN that have a LAN source address, someone is spoofing the address and trying to slip past your perimeter defense.  Checking logs will allow the Administrator to see what IP range this came from and then block all traffic from that range.

As you can imagine, my blog is the source of many attacks.  I’m not claiming to be a “security expert”.  Sure, I know quite a bit of the technical stuff, but I have much to learn and I enjoy sharing that with others.  But, people often want to attempt to access my website and, being a security related website, I guess some people take it as a personal challenge.  One person in particular has really taken it upon themselves to attempt to break my backend Admin account.

In standard hacker behavior, this person is hopping IP addresses all around the world to prevent blocking.  So, what can be done about this?  Virtually all of the attempts have come from fairly tight IP ranges, meaning that this person is using particular proxies and they’re not just random.  So, I’m able to block the IP range coming from that proxy and now they cannot even access my site to try to break the password.

IP blocking is a very important aspect of controlling traffic and eliminating a huge source of malicious threats to the network.  This can be a real pain for companies that do business all over the world, but for those who are local and have no plans to sell anything to anyone in Taiwan, Nigeria, South Korea, or Uzbekistan (or other places where many hackers and scammers launch attacks from), it’s perfectly reasonable to block the entire IP range assigned to that country.  This is known as “country blocking”.

China is completely blocked too.  As a matter of fact, I’ve blocked every single country except a very few.  Since doing that, the number of attempts to compromise my website has dropped drastically.  I use many different features combined to create a defense around my website that will prevent bots and the average skid from having their way with my site.  The ability to block IP addresses, IP ranges, and entire countries by IP is a huge benefit that simply cannot be overlooked.
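As an added example (not code from the original post), the script below runs the two checks this post describes over constructed log lines: flagging WAN-side packets whose source claims to be an internal address, and grouping repeated admin-login failures into /24 ranges so the whole range behind an attacker's proxy can be dropped. It generalises the spoofing check slightly by also treating the organisation's own public prefix as internal. The log formats, interface names, addresses and thresholds are all assumptions made for this example.

```python
import ipaddress
from collections import Counter

# Constructed sample border-firewall log. The format (<iface> <src> <dst> <dport> <verdict>)
# and the interface names are assumptions made for this example.
FIREWALL_LOG = """\
wan0 203.0.113.7 198.51.100.10 443 ACCEPT
wan0 192.168.1.25 198.51.100.10 22 ACCEPT
wan0 10.0.0.4 198.51.100.10 80 ACCEPT
lan0 192.168.1.25 198.51.100.10 80 ACCEPT
wan0 198.51.100.99 198.51.100.10 443 ACCEPT
"""

# Constructed sample admin-login log (<src> <event> <account>); also an assumption.
AUTH_LOG = """\
203.0.113.7 login_failed admin
203.0.113.9 login_failed admin
203.0.113.44 login_failed admin
203.0.113.45 login_failed admin
203.0.113.46 login_failed admin
198.51.100.5 login_ok jdoe
192.0.2.17 login_failed admin
"""

# RFC 1918 LAN ranges plus the organisation's own public prefix (constructed):
# neither should ever appear as a *source* on a packet arriving from the WAN.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "198.51.100.0/24")
]


def spoofed_ingress(log: str, wan_iface: str = "wan0") -> list[str]:
    """Return WAN-side source addresses that claim to be internal (spoofed)."""
    spoofed = []
    for line in log.splitlines():
        iface, src, *_ = line.split()
        if iface != wan_iface:
            continue  # traffic on the LAN side may legitimately carry LAN sources
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in INTERNAL_NETS):
            spoofed.append(src)
    return spoofed


def ranges_to_block(log: str, threshold: int = 3, prefix: int = 24) -> list[str]:
    """Aggregate failed logins into /prefix ranges; return those at or above threshold.

    Blocking the range rather than single addresses defeats an attacker hopping
    between nearby addresses behind one proxy, as described in the post.
    """
    counts = Counter()
    for line in log.splitlines():
        src, event, *_ = line.split()
        if event != "login_failed":
            continue
        net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        counts[str(net)] += 1
    return sorted(net for net, n in counts.items() if n >= threshold)


def drop_rules(cidrs: list[str], wan_iface: str = "wan0") -> list[str]:
    """Render iptables DROP rules for the given ranges on the WAN interface."""
    return [f"iptables -A INPUT -i {wan_iface} -s {cidr} -j DROP" for cidr in cidrs]


if __name__ == "__main__":
    print("spoofed sources:", spoofed_ingress(FIREWALL_LOG))
    blocked = ranges_to_block(AUTH_LOG)
    print("ranges to block:", blocked)
    print("\n".join(drop_rules(blocked)))
```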

Hardening

This week, I want to discuss something very basic, but something that is also a big issue.  Hardening.  We all know we should do it, so why do so many fail to do it?  Whether the day is taken up with long discussions with stakeholders about policy decisions, examining the business continuity plan, or making sure that IT supports the mission statement, it seems that the basics can often be forgotten and left behind.

Hardening a system requires that information be gathered about the system so that the mitigations put into place are effective.  We need to identify the very purpose of a particular solution, document exactly what is critical to the operation of that solution, and also document those items that we absolutely do not need.  This brings us to the long-established practice of disabling services.

Much of basic hardening deals with removing (or changing) defaults and establishing baselines.  When it comes to services, we find those items we do not need and get rid of them, such as NetBIOS.  But services are just one of many things that need to be done.  Here is a short list:

  • Eliminate default accounts where possible
  • Where the above is not possible, change the default password
  • Disable services
  • File encryption
  • Traffic encryption
  • Patches, Hotfixes, and Service packs
  • Fuzzing tests for application stability and vulnerability
  • Validate inputs to guard against injection attack

But, is it simply enough to perform the technical responses above?  Absolutely not.  Don’t forget that people need to be hardened too.  This means that there needs to be a communication plan in place that meets the goals of the security policy by educating users in a manner in which the applied controls can be measured for their effectiveness.  Think auditing.  For example, the organization can put out weekly media such as flyers and pamphlets that discuss recent security concerns.  Also, an MOTD can be used for very important information that needs to be disseminated.  Without establishing policy that guides the creation and operation of an incident response team, one cannot hope to even begin to ensure that the employees know how to respond properly to an incident.

If one of your employees thinks they may have been the target of a social engineering attack, do they know what to do?  Who do they call?  What information do they immediately record?  What actions do they take?  Who in the organization is trained to respond to the situation?  Who will perform what tasks?  Who is the team leader?  How is the issue documented?  How is this information applied forward to address future incidents?  Does policy dictate law enforcement is notified?  If you have all of the above in place, how do you know your employees will respond according to policy?  Without “drills” or at least some minimal penetration testing, how do you know for a fact that the incident will go according to plan?  This is how you “audit” your employees.

For example, you can have one of the members of the team call the front desk asking for information that isn’t supposed to be given out.  You could have someone send around a harmless attachment asking people to open it.  The point is, that if you don’t test them to see how they will respond, you simply don’t know if the mitigations you put in place will actually work when they need to.  More and more often, it is becoming an accepted fact that people are easier to hack than networks.  So, in your rush to harden your defense perimeter and your application layer, don’t neglect the biggest security risk of all… the people.

Skids Beware

Today, I was browsing the internet using certain keywords and I happened to notice a specific search result that grabbed my attention.  I clicked on the link and was absolutely amazed at the amount of fail I witnessed.

I’m not going to dignify the thread, or the posters, with a link to the site.  I’m sure there will be enough information in this article that, if you choose to seek it out, you will find it.  To put it simply, a group of video gamers are participating in an online tournament.  However, one of them fancies himself a “veteran hacker” who has managed to get the IP address of several of the participants and he is DDoS’ing them to harass them.

In typical child form, the cyber-bully then makes demands to amuse himself and make himself look cool.  The bully demands that people take pictures of themselves holding one of their shoes on top of their head and send them to him – which he then uploads online to humiliate them.

The rest of the thread continues on with many arguing back and forth, and one victim repeatedly crying that he can’t possibly stop the DDoS attacks from happening.  (Gee, I dunno – clean your system of malware and get a new IP address maybe?)  It was complete fail from start to finish, with many people trying to flex their e-peen and kids laughing at others while engaging in illegal activities.


Oh, yes.  That’s right.  I wrote it.  “Illegal activities”.

I recently retweeted a link to an article, where a 15 year old pled guilty to a number of hacking charges to avoid spending 3 years behind bars.  The plea deal was this – plead guilty, and you stay out of jail.  BUT – you lose access to the internet for 6 years.  So, this 15 year old will not have unsupervised access to the internet (and only for educational purposes) until he is also old enough to legally consume alcohol.  Kids think this stuff is just fun and games.  They fancy themselves big-time hackers.  So, for any kids, parents, or other interested parties, let me just say this:  You are playing with fire and if you step over the line and grab the wrong person’s attention, you might find yourself at the business end of a judge’s gavel too.

If you have been the victim of cyber-attacks and cyber-bullying, I urge you to contact law enforcement so they can conduct an investigation.  This kind of behavior puts us all at risk and as any “real” hacker will tell you – you’re not Mr. big-time hacker because you can click a button.  You can, and just might, end up in jail.

“Hacker sentenced to six years – WITH NO INTERNET  ‘Cosmo the God,’ signing off”

Access Control

This week, I will be very briefly covering access control.  I’ll describe three main classifications for information, and then discuss some control methods that have been used (and are being used) to keep access to information appropriate and in accordance with access policy.

To begin, there are these three categories:

  • Public Use
  • Internal Use
  • Restricted Use

Public Use information is that information which is available to the public, but may not simply be outright advertised openly.  For example, some organizations may need to comply with certain regulations and, as a part of that, certain information is “public” and “reportable”.  The organization may provide this information to the necessary agencies, but not openly post the information for the public (even though it may be available publicly through the oversight agency).

Internal Use information is that which is not intended to be seen or used by anyone outside of the organization or its oversight agencies due to the sensitivity of the information.  Such information may include employee files, client tables, and similar information.  Note that some of this type of information may also be subject to certain laws (and often is, for example in the case of medical patient records, which are protected by HIPAA).

Restricted Use information could be devastatingly damaging to the organization if it should get out.  For example, proprietary information, product development plans, marketing strategies, etc… could all be catastrophic situations if the information is exposed.


The access controls themselves help to not only organize the access to information based on its category, but also provide protections.  Primarily, we can say that there are three main branches to which these often belong.

  • Implicit Deny
  • Least Privilege
  • Job Rotation

Implicit Deny is an extremely granular way of going about assigning permission to access information.  It essentially says that the person only has access to the information they have specifically been given permission to access, on a file-by-file basis; anything not explicitly granted is denied.

Least Privilege is often associated with role-based permissions, where someone is given only the permissions required to perform their job.  These permissions can already be pre-established in a role object (such as an Active Directory User Group Object) to which that user can be assigned and will then inherit the associated permissions for that role (for example, Auditor) automatically.

Job Rotation may not sound like access control at first, but think about this:  You have had the same senior network admin for 15 years at your company.  He’s always been very insistent that nobody else is allowed access to his administrator information (logins, etc) because he is very protective of the system.  Last Sunday, on his way home from a cook out, his vehicle was struck by a bus and he is now in intensive care in a coma.  While the gravity of the situation for the family and the administrator is most certainly a terrible tragedy, it does immediately follow – how are we going to get access to those administrator controls and the operational knowledge?

Job Rotation fixes that by not allowing one person to become embedded into a position so deeply that the organization simply can’t function without them.  It also allows for the employees to gain valuable experience in multiple domains, which actually increases their worth and value to the organization.  There was a saying in IT for a long time, that if one wanted to have job security, the goal was to “Make it just hard enough so that when it breaks, you’re the only one who can fix it.”  Because of that mentality, many organizations suffered.  However, the opposite is actually true.  If the employee is very well rounded and can fill any role in the organization’s IT department, they are a huge asset.  Having a person that is a “silo” in a modern agile organization is just terrible business practice.
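As an added example (not code from the original post), the model below combines Implicit Deny and role-based Least Privilege with the three information categories described earlier: a request is allowed only when a role explicitly grants that action on that file and the role's clearance covers the file's category, and everything else is denied. The resource names, roles, the clearance field and the deliberately misconfigured WebPublisher role are constructed for this example.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Classification(IntEnum):
    """The three information categories from the post, ordered by sensitivity."""
    PUBLIC = 0
    INTERNAL = 1
    RESTRICTED = 2


@dataclass(frozen=True)
class Resource:
    name: str
    classification: Classification


@dataclass(frozen=True)
class Role:
    """A role object (think of an AD group): a clearance ceiling plus explicit grants."""
    name: str
    clearance: Classification
    grants: frozenset  # of (action, resource_name) pairs; nothing else is granted


@dataclass
class User:
    name: str
    roles: list = field(default_factory=list)


# Constructed resources and roles for this example.
RESOURCES = {
    "press_release.txt": Resource("press_release.txt", Classification.PUBLIC),
    "employee_files.db": Resource("employee_files.db", Classification.INTERNAL),
    "roadmap_2025.docx": Resource("roadmap_2025.docx", Classification.RESTRICTED),
}
AUDITOR = Role("Auditor", Classification.INTERNAL,
               frozenset({("read", "press_release.txt"), ("read", "employee_files.db")}))
PRODUCT_MANAGER = Role("ProductManager", Classification.RESTRICTED,
                       frozenset({("read", "roadmap_2025.docx"), ("write", "roadmap_2025.docx")}))
# Deliberately misconfigured: a Public-only role handed a grant on a Restricted file.
WEB_PUBLISHER = Role("WebPublisher", Classification.PUBLIC,
                     frozenset({("write", "press_release.txt"), ("write", "roadmap_2025.docx")}))


def is_allowed(user: User, action: str, resource_name: str) -> bool:
    """Implicit deny: True only when a role explicitly grants (action, resource)
    AND that role's clearance covers the resource's category. Unknown resources,
    unknown actions and users with no roles all fall through to False."""
    resource = RESOURCES.get(resource_name)
    if resource is None:
        return False
    for role in user.roles:
        if (action, resource_name) in role.grants and resource.classification <= role.clearance:
            return True
    return False


def overreaching_grants(role: Role) -> list:
    """Least-privilege audit: grants whose resource is classified above the role's clearance."""
    return sorted(
        (action, name) for action, name in role.grants
        if name in RESOURCES and RESOURCES[name].classification > role.clearance
    )


if __name__ == "__main__":
    alice = User("alice", [AUDITOR])
    print("auditor reads employee files:", is_allowed(alice, "read", "employee_files.db"))
    print("auditor writes employee files:", is_allowed(alice, "write", "employee_files.db"))
    print("WebPublisher overreach:", overreaching_grants(WEB_PUBLISHER))
```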

To learn more about how these are applied in a model of access control, Google and research the following concepts:

  • Bell-LaPadula Model
  • Biba Model
  • Clark-Wilson Model
  • Information Flow Model
  • Noninterference Model


Lastly, there are several regulations that you will need to be aware of because of how they affect your access control plan.  Look up more information on these laws and regulations for a more in-depth understanding:

  • Health Insurance Portability and Accountability Act (HIPAA)
  • Gramm-Leach-Bliley Act (AKA – Financial Modernization Act of 1999)
  • Computer Fraud and Abuse Act (CFAA)
  • Family Education Rights and Privacy Act (FERPA)
  • Computer Security Act of 1987
  • Cyberspace Electronic Security Act (CESA)
  • Cyber Security Enhancement Act (AKA Section 225 of Homeland Security Act)
  • USA PATRIOT Act


That concludes my brief introduction this week.  Again, thanks for reading my weekly series and I hope you find the information valuable.