Monday, September 30, 2013

Why Worry About Watering Holes?

Perhaps you have seen recent news stories about "watering hole" attacks and wondered what they were. More importantly, is this something we in county government have to worry about?

A watering hole attack takes its name from nature, where predator animals, such as lions, rather than chase their prey, simply wait for them to come to them by staking out the watering hole. The prey animal's thirst will eventually force it to seek out water despite the looming danger. In cyber security, the predators will compromise a popular or necessary site used by their targets in order to spread malware, and thereby gain access to their target's computers or information. Although perhaps more difficult than other methods, this form of attack is becoming increasingly popular, especially as security awareness programs make other less difficult attacks, such as phishing, less successful.

Watering hole attacks are absolutely a concern for counties. Because of the wealth of information in the possession of counties, much of which is tied directly to a person's personal and financial activities, we are a target for the bad guys. We have information and they want it. Additionally, many counties use the same vendors, the same state services, the same news and information sources, etc. This commonality makes it easy for a predator to identify resources that a large number of us will eventually seek out.

Perhaps of even bigger concern is that we have web services and resources that many in our communities rely on. If certain types of businesses or organizations become a target, our resources might be viewed as the perfect "watering hole" to attract that target. This makes diligence on our part essential, to keep our resources secure and/or to make sure that our vendors are doing so.

As with phishing attacks, where there is little we can do to avoid receiving the phishing e-mails, there is also little we can do to prevent a site that is outside our control from becoming compromised. That is the job of that site's administrator. The best defense, then, is education and awareness. Recognizing that a site we rely on could become compromised, and knowing what to watch out for, can protect us. Avoid downloading software and plugins that are not absolutely essential. Make sure your anti-malware software is up to date and your operating system is patched. Do links to social media sites and login forms look out of place? Are they the same as the last time you visited? Being alert can keep you safe.

In the case of sites we do have control over, the responsibility is on us and our service providers to keep them safe. Can we avoid requiring any sort of plugin for accessing the needed information? Are links to social media necessary? Content Management Systems (CMS) in particular are a potential source of compromise. If we use a CMS for our site, is the CMS software kept up to date? Is the site's security set up properly so that only trusted users can post content? Has it been set up to disallow certain types of potentially malicious content, such as iframes and JavaScript? Do we have tools in place to check for malware and unwanted links? Are we monitoring the site regularly?

Humans tend to be trusting, and the bad guys know that. That is why watering hole and phishing attacks work. By being a little less trusting, we can protect ourselves and those that we serve from these sorts of attacks.

Monday, September 16, 2013

Too Many Passwords!

As a county employee you probably have numerous applications and services you use that require passwords. It seems every state agency that you interact with has at least one web site you need to log in to. Some have several. Many of the various affiliates of ISAC have their own web projects, such as the ICIT GIS Data Repository or IowaLandRecords. Many of our vendors offer web sites or services we need to use on a regular basis. And then there are the numerous applications we use each and every day within our own county.

With so many applications and services, it is probably not possible for the average person to remember a unique password for each and every one of them. A common practice that many use to deal with this password overload is to reuse the same password for everything. This might seem like a reasonable approach. It sure beats writing them down and risking someone finding them, right? Wrong! Password reuse is incredibly dangerous. There have been countless reports in recent years of security breaches involving leaked passwords. If your password is leaked or shared for one service, and you use the same password for other services, the risk is very high that all of your accounts can be compromised.

A better approach is to use a password manager to keep track of all your passwords. Password managers allow you to store all of your passwords, and other sensitive information, in an encrypted file or database. You then access them with a master password that you can remember. Ideally your password manager is accessible all the time, so an application that you can run on your smart phone is a good option. Another option is a web based password manager, but remember that this is sensitive information, so it is vital to pick a provider you can trust.

The product that I use for my personal password manager is KeePass Password Safe. This is an open source product, so it is free to use, and the source code is open to inspection, so you can have confidence in the encryption implementation. I use an Android smart phone, so I use KeePassDroid to have anywhere access to my passwords. For iPhone users, there is MiniKeePass.

For organizational use, there are some limitations to KeePass, so we use a product called PasswordState to manage passwords at the county. This is a commercial product, and we pay per user, but since many of the passwords we use need to be shared among employees and/or survive employee turnover, this is a great tool for secure, centralized password management. It is a web based product, so it is also accessible from a smart phone, although the user interface is clearly not designed for touch or small screens.

Of course these are just a couple of products that are available for password management. Perhaps you have a favorite already. Regardless, passwords aren't going away anytime soon, so effective password management is an important step in keeping your accounts secure. So get a good password manager and start using it!

Tuesday, September 10, 2013

Who, Me?

In the past two weeks I've done three different security seminars with three different organizations and their security staff. The one trend that continues to surprise me, and was confirmed at all three events, is that most employees still do not realize they are a target. I continue to be surprised at this, as I thought that with all the media attention, both in people's lives and at work, they would realize they have value and that bad guys are after them. Based on what I'm seeing, that is not the case.

That does not bode well for securing the human element. To change people's behaviors we need to engage them, and we will never achieve that first step until they realize they are a target. If you are looking to secure your employees, contractors and staff, the first question you have to answer is: do they even realize they are a target? If not, then do not even bother trying to teach them how to secure themselves. Instead, explain to them who is targeting them, how and why. Once you have their attention, then you can begin changing behaviors.

Lance Spitzner is the training director for SANS Securing The Human.  To learn more about human security, visit http://www.securingthehuman.org/resources.

Monday, September 9, 2013

The NSA, Internet Encryption, and What It Means for Iowa Counties

No doubt you have seen the recent news regarding the NSA "cracking" internet encryption techniques. Encryption is a fundamental tool for ensuring the privacy and security of numerous internet transactions, including financial data and the privacy mandates which affect counties, such as HIPAA and CJIS. Many of the news stories, especially those targeted toward a non-technical audience, tend to exaggerate the implications. Others tend to focus on the NSA and what this latest leak reveals about their practices. I don't want to add to either of those conversations. I do think, however, that there are some lessons, none of them necessarily new, that we can learn from this.

First off, I would like to mention that one of the best analyses I have seen of what the NSA is able to do was written by Johannes Ullrich and published on the Internet Storm Center's diary this morning. I believe his entry, entitled "SSL is broken. So what?", adequately summarizes the real nature of what occurred and what the appropriate technical response should be.

Despite all the attention that it is receiving, the fact of the matter appears to be that the NSA isn't actually cracking the encryption, they just have a way to get around much of it. The fact that the NSA has a way around encryption probably does mean that eventually others will too. The good news in my opinion is that now that this vulnerability has been exposed, there will no doubt be efforts to address it. Hopefully the necessary changes to fix the issue can be made before the ways to actually exploit the various backdoors are leaked.

Ultimately, however, this capability of the NSA doesn't really change anything. Encryption is still important for securing internet transactions, and most of the bad guys don't have the resources to break the encryption. As Dr. Ullrich mentioned in his article, in many cases vulnerabilities in client software, or social engineering techniques, resulted in data leaks, not failures in the encryption infrastructure. It is much easier for hackers to get what they want through insecure human behaviour.

One of these insecure human behaviours is running out-of-date software. I can't even count the number of times over the years that I have had to install new software on servers specifically to address issues with the SSL implementation. New notices regarding adjustments to how systems are set up, encryption key lengths, etc. are released all the time. It is of vital importance to stay on top of these, not to ignore them. In many cases Iowa counties rely on a vendor for these services. When is the last time you checked on how they are doing in this regard? Do you have tools in place to check for vulnerabilities in your systems where possible? Just making sure you keep the systems you are responsible for up to date can go a long way in keeping your private communications private.

Another insecure human behaviour is just how easily we can be manipulated by clever people. The bad guys exploit this all the time. It is usually much easier to bypass the technology than to try to break it. That is essentially what the NSA has done. They have convinced others, whether encryption software developers or service providers, to give them the keys to their kingdom. Hackers try to do the same thing to us, through phishing e-mails or compromised web sites we visit. The best way to combat this is through education. By increasing awareness of how these tricks work, how to spot them, and what to do when we fall prey, we can better protect ourselves, our organizations, and the internet transactions we depend on.

Like most organizations, counties certainly fall into the category of having "limited time and limited resources to fight unlimited worries." By focusing on the things we have control over and not getting distracted by the latest sensational headline, we can continue to make our counties more secure.

Sunday, September 8, 2013

The Importance of the Least Privilege Principle

One of the things we were reminded of last week during the SANS presentation was just how bad humans are at estimating risk. I think the assumption that many people have is that those of us who work in IT should be better at it. Unfortunately, it seems that many in the IT field tend to sacrifice good principles in favor of expedience or efficiency, and in doing so increase the risk to an organization's computer systems. A recent e-mail conversation regarding the practices of some of our vendors who provide software and services proves this point.

The discussion surrounded whether or not a certain vendor should have sysadmin level access to the county's database servers. The vendor argued that they could not adequately provide support without this access, and that some of their processes required this level of access. The problem with this is that it violates the security principle of "Least Privilege", which mandates that a person or process must be able to access only the information and resources that are necessary for its legitimate purpose.

We know the vendor understands this principle, because it is a part of their software and the practices they recommend, which include a separation of duties, access control lists for specific functionality and records within their software, and audit logs to track who did what. The problem is that when this principle starts to make things more difficult for them, and especially when it is outside their own systems, they no longer care about it. It is expedient to just set access to "wide open" by granting them, or one or more of their accounts, the "sysadmin" role in the database server. But should that resource or account be compromised, it exposes not just their systems, but the entire database server, to risk.

While the original conversation focused on one specific vendor, I am not mentioning them by name because so many of our vendors are guilty of it. What makes matters worse is that many of these vendors use the same credentials in one county after another, so if one organization is compromised, all of their other customers may be easily compromised as well. This demonstrates the importance of another reminder we were given during the SANS presentation last week, which was the dangers of reusing passwords.
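The following is an added example, not code from the original post or from any vendor. It assumes the database server is Microsoft SQL Server 2012 or later (where "sysadmin" is a fixed server role) and uses placeholder login and database names; it shows how to audit who holds sysadmin, move a vendor support login down to database-scoped rights, and verify the result.

```sql
-- Added example (not from the original post). Assumes Microsoft SQL Server
-- 2012 or later. [VendorSupport_CountyX] and VendorAppDb are placeholders.

-- 1. Audit: list every login that currently holds the sysadmin role.
--    A vendor support account appearing here is over-privileged.
SELECT m.name AS member_login, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- 2. Remediate: take the vendor login out of sysadmin.
--    Use one login per county, each with its own password, so a credential
--    leaked at one customer does not open every other customer's server.
ALTER SERVER ROLE sysadmin DROP MEMBER [VendorSupport_CountyX];

--    Then grant only what the support work needs, and only inside the
--    one database the vendor's application owns.
USE VendorAppDb;
GO
CREATE USER [VendorSupport_CountyX] FOR LOGIN [VendorSupport_CountyX];
ALTER ROLE db_datareader ADD MEMBER [VendorSupport_CountyX];
ALTER ROLE db_datawriter ADD MEMBER [VendorSupport_CountyX];
GRANT EXECUTE ON SCHEMA::dbo TO [VendorSupport_CountyX];  -- app stored procedures
GO

-- 3. Verify: impersonate the user and list its effective permissions in
--    this database. Nothing server-wide (e.g. CONTROL SERVER) should appear.
EXECUTE AS USER = 'VendorSupport_CountyX';
SELECT permission_name
FROM fn_my_permissions(NULL, 'DATABASE')
ORDER BY permission_name;
REVERT;
```

Re-run the audit query in step 1 after any vendor upgrade or support visit; the result should stay an empty list of vendor accounts.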

I believe in this day and age it is vital that we hold our software vendors to the highest standards. They should be endeavoring to adhere to best practices when it comes to security, such as the "Least Privilege" principle, and when they do not, we should demand that they change. In order for this to work, though, it will take more than just the IT people demanding that these practices be changed. For starters, there are still many counties that do not have in-house IT people. Additionally, many of the vendors tend to place more weight on the opinions of the policy makers and those who hold the purse strings than they do on those of the IT staff.

No matter what our position is with the county, whether it is IT, an elected or appointed official, an employee or even a citizen, whenever we have a chance to interact with one of our vendors, we should reinforce the importance of adhering to best practices when designing, implementing and supporting the software and services they provide.

For more information on best practices when it comes to information security, our friends at SANS provide a wealth of free information.

Saturday, September 7, 2013

Resurrection of ICIT Security Committee

On Friday, September 6th, 2013, to show their support of ICIT, especially our county technology assessment program, representatives from the SANS Institute's Securing the Human presented information on "Next Generation Security Awareness Programs" and "Phishing and Measuring Impact". The presentations were part of the program at ICIT's first Tech Team Workshop, an event designed to refine and formalize the technology assessment program for Iowa Counties that ICIT began in November 2011. To date ICIT has performed assessments for ten of Iowa's counties.

Both informative and energizing, Lance Spitzner's presentations provided timely reminders of why Security Awareness is so important and should be a priority for counties. As a result of the presentations and the discussion among ICIT members that followed, I have decided to create this blog, which will be open for posting by other ICIT Security Committee members as well. The focus of this blog will be to provide information regarding Cyber Security that is relevant to Iowa Counties.

A big Thank You! to SANS for their support and for resurrecting our security committee, which has been floundering for some time. We hope you enjoy our blog!
