Categories
Compliance|Computer & Network Security|Uncategorized

New York DFS – 23 NYCRR 500 Compliance

Checklist for Compliance

In response to the increasing threats of cybercriminal activity and as an effort to protect Non-Public Information (NPI)
held by entities under its jurisdiction, the New York State Department of Financial Services (DFS) implemented a cybersecurity
regulation, 23 NYCRR 500. It has twenty-three Sections and went into effect on March 1, 2017. There are
designated “Transition Periods,” but the last one expires on March 1, 2019. A few key things to consider when looking
at this Regulation:

  • It applies to Covered Entities, which include those operating under NY Banking Law, Insurance Law, or Financial
    Services Law – see next page.
  • It is specifically about protecting Non-Public Information: social security numbers, drivers’ license numbers,
    financial accounts, biometric records, health records, and other personal information.
  • Third Parties that provide services to Covered Entities will indirectly be pulled into some type of compliance.
    See Section 500.11.

The Good News

Some may not agree that any of the regulation is good, but the requirements align with many security best practices.
For the most part, DFS is not asking for many things out of the ordinary (besides reporting and retention), and if you
comply, you will be implementing layers of protection for your company.

What to Do

  1. Check the Exemptions – see next page.
  2. Assess Your Risk. This supports other requirements and your decisions for prioritizing other efforts.
    1. Perform a Risk Assessment.
    2. Perform Vulnerability Assessments.
    3. Perform a Penetration Test.
  3. Establish a Security Program prioritized by risk. This will require effort and time. NIST has many resources available to assist.
    1. Establish a Chief Information Security Officer (CISO). This can be internal or external staff.
    2. Implement policies to cover the required areas – see page 3.
    3. Ensure you have qualified staff. The disciplines of security are different from IT. You may need to hire or train.
  4. Develop an Incident Response Plan that includes notices to the Superintendent. Notice is required within 72 hours. There is additional guidance on the FAQ page.
  5. Ensure that your security program addresses the following requirements (prioritized by risk):
    1. Multi-Factor Authentication
    2. Encryption of NPI
    3. Security Auditing. This typically requires a new system or Managed Security Service.
    4. Review of access privileges to NPI
  6. Develop Vendor and Third Party Risk Management Program. You will need to rank your vendors and ensure that you perform due diligence on those with higher risks.
  7. Develop a Data Retention Policy and Process. The Superintendent requires 5 years of records for compliance. Be familiar with other required retention periods for different types of data.
  8. Annual Certification. Submit by each February 15th a written statement covering the prior calendar year.

Covered Entities

The Department of Financial Services supervises many different types of institutions. Supervision by DFS may entail chartering, licensing, registration requirements, examination, etc. More details are available on their website:

  • All insurance companies
  • Banks & Trust Companies
  • Budget Planners
  • Charitable Foundations
  • Check Cashers
  • Consumer Credit Reporting Agencies
  • Credit Unions
  • Domestic Representative Offices
  • Foreign Agencies
  • Foreign Bank Branches
  • Foreign Representative Offices
  • Holding Companies
  • Investment Companies (Article XII)
  • Licensed Lenders
  • Life Insurance Companies
  • Money Transmitters
  • Mortgage Bankers
  • Mortgage Bankers-Exempt
  • Mortgage Brokers
  • Mortgage Brokers – Inactive
  • Mortgage Loan Originators
  • Safe Deposit Companies
  • Sales Finance Companies
  • Savings Banks; Savings & Loan Associations (S&L)
  • Service Contract Providers

Exemptions

Exemption | Exempt From | Still Required

Rows 500.19 (a)(1) to (a)(3) share the same two columns, as do rows 500.19 (c) and (d).

500.19 (a) (1) Fewer than 10 employees working in NYS
500.19 (a) (2) Less than $5 million in gross annual revenue
500.19 (a) (3) Less than $10 million in year-end total assets

  Exempt from:
    500.04- Chief Information Security Officer
    500.05- Penetration Testing and Vulnerability Assessments
    500.06- Audit Trail
    500.08- Application Security
    500.10- Cybersecurity Personnel and Intelligence
    500.12- Multi-Factor Authentication
    500.14- Training and Monitoring
    500.15- Encryption of Nonpublic Information
    500.16- Incident Response Plan

  Still required:
    500.02- Cybersecurity Program
    500.03- Cybersecurity Policy
    500.07- Access Privileges
    500.09- Risk Assessment
    500.11- Third Party Provider Security Policy
    500.13- Limitations on Data Retention
    500.17- Notices to Superintendent
    500.18- Confidentiality
    500.19- Exemptions
    500.20- Enforcement
    500.21- Effective Date
    500.22- Transitional Periods
    500.23- Severability

500.19 (c) Does not control any information systems and nonpublic information
500.19 (d) Captive insurance companies that do not control nonpublic information other than information relating to its corporate parent company

  Exempt from:
    500.02- Cybersecurity Program
    500.03- Cybersecurity Policy
    500.04- Chief Information Security Officer
    500.05- Penetration Testing and Vulnerability Assessments
    500.06- Audit Trail
    500.07- Access Privileges
    500.08- Application Security
    500.10- Cybersecurity Personnel and Intelligence
    500.12- Multi-Factor Authentication
    500.14- Training and Monitoring
    500.15- Encryption of Nonpublic Information
    500.16- Incident Response Plan

  Still required:
    500.09- Risk Assessment
    500.11- Third Party Provider Security Policy
    500.13- Limitations on Data Retention
    500.17- Notices to Superintendent
    500.18- Confidentiality
    500.19- Exemptions
    500.20- Enforcement
    500.21- Effective Date
    500.22- Transitional Periods
    500.23- Severability

23 NYCRR 500 Sections

Section 500.00 Introduction
Section 500.01 Definitions
Section 500.02 Cybersecurity Program
Section 500.03 Cybersecurity Policy
  (a) information security
  (b) data governance and classification
  (c) asset inventory and device management
  (d) access controls and identity management
  (e) business continuity and disaster recovery
  (f) systems operations and availability concerns
  (g) systems and network security
  (h) systems and network monitoring
  (i) systems and application development and quality assurance
  (j) physical security and environmental controls
  (k) customer data privacy
  (l) Third Party Service Provider management
  (m) risk assessment
  (n) incident response
Section 500.04 Chief Information Security Officer
Section 500.05 Penetration Testing and Vulnerability Assessments
Section 500.06 Audit Trail
Section 500.07 Access Privileges
Section 500.08 Application Security
Section 500.09 Risk Assessment
Section 500.10 Cybersecurity Personnel and Intelligence
Section 500.11 Third Party Service Provider Security Policy
Section 500.12 Multi-Factor Authentication
Section 500.13 Limitations on Data Retention
Section 500.14 Training and Monitoring
Section 500.15 Encryption of Nonpublic Information
Section 500.16 Incident Response Plan
Section 500.17 Notices to Superintendent
Section 500.18 Confidentiality
Section 500.19 Exemptions
Section 500.20 Enforcement
Section 500.21 Effective Date
Section 500.22 Transitional Periods
Section 500.23 Severability

Categories
Information Security>Data Breach|Computer & Network Security>Viruses|Computer & Network Security>Vulnerabilities

A Ransomware Savings Account – Pay in Advance!

Diet and exercise versus a pill. An ounce of prevention versus a pound of cure. Saving for expenses versus using credit cards.

We all understand that good habits and planning are valuable to achieve our goals. We apply the same principles to Cyber Security…

This is a cautionary tale. We all learn from experience, and when fortunate, we can learn from the experience of others. This story teaches a valuable lesson based on real-world experience, and it will help you avoid a terrible situation.

A medium-sized firm, unfortunately, became the victim of a ransomware attack. An IT employee came into the office early in the morning to discover that their ERP server displayed a white-on-red full-screen text message (complete with skull-and-bones ASCII art) stating that the contents of the hard drive were encrypted. To recover the contents, they were to transfer one bitcoin to the wallet address on the screen and email a Hotmail address notifying the attackers that the ransom had been paid in order to retrieve the decryption key.

SecurIT360 Standard Operating Procedures (SOPs) do not recommend paying the ransom under any circumstances. We’ve found that once a company pays the ransom, they are “tagged” for further exploits because the company has been known to pay out. It is safer and better to simply restore from the last known good backup and redo the 12-24 hours of work lost.

Unless the last known good backup is over eight months old.

As a cost-saving measure, this business only purchased a single license for Veritas Backup Exec Server. For the other servers, they used a combination of tarballing, Secure Copy (SCP)/File Transfer Protocol (FTP) or xcopy, and 7zip to archive and transfer critical network files, Microsoft SQL database data, transaction, and log files, and customer detail records to the one server with a backup license.

Business continuity was literally running on a shoestring budget with a fragile, multiple-step process that required each step to complete before the next step would begin. This giant Rube Goldberg machine had a high failure rate. In this case, the Microsoft SQL data and log files hadn’t been transferred from the ERP server to the backup server in eight months. Imagine losing eight months of orders, inventory, fulfillment, and financial reporting. Did we mention that this is a real-world case study?

We discovered that the Hotmail address the hackers provided for payment confirmation had been terminated, and the value of one Bitcoin at that time was nearly $14,000 US. The business owners insisted on paying the ransom even though the likelihood of receiving a decryption key was remote. They felt that they had to try because of the magnitude of the data loss.

Unfortunately, they never received a decryption key.


The company ultimately had to pause operations for two weeks to recreate as much information as possible from employee emails and printed reports. Then, they had to conduct a physical inventory to repopulate their ERP system.

This particular client sadly ended up paying their ransom three times: once in a bitcoin transfer that received no response, once in lost revenue while they recreated their ERP data so they could begin conducting business again, and then once again in new backup server licensing for all of their servers post incident.

How could this have been prevented?

A much less expensive “ransom” could have been paid ahead of time by purchasing five more Veritas Backup Exec Server licenses for $5,000 to cover their remaining servers, properly ensuring business continuity. This would have saved them thousands compared to the cost of the “ransom” paid and the additional 2 weeks of lost productivity while recovering data.

What can you do to not fall into the same trap as this business?

SecurIT360 works with our clients every day to ensure business continuity. Based on our experience, we would like to share 3 critical processes that your business must have in place to avoid this kind of disaster.

  1. Invest in a backup process for all of your servers and business-critical data.
  2. Regularly test your backups to make sure that all processes are running properly.
  3. And while backups are one of the most important things that you can do to protect your business, they shouldn’t be your first line of defense. Schedule regular “black hat” penetration tests to ensure that your network is protected from this kind of event.

Would you like a free assessment of your disaster preparedness and business continuity procedures? Call us today to make sure that the disaster experience you learn from isn’t your own.

SecurIT360 is an independent, vendor-agnostic Cyber Security consulting firm. We can work with you to stop cyber attacks in real time. Book a meeting with us today for a complimentary budgeting and strategy session by following this link Appointments.

Categories
Uncategorized

Phishing Attacks and Multifactor Authentication

Stop the Password Reset Insanity

How much time does your IT department spend changing users’ network and/or email account passwords because they clicked on a phishing link that they should not have? How many users do you have who do this repeatedly? Have you trained your users to identify, report, and ignore these phishing attempts?

Why make the only procedure to resolve this resetting the password when it just keeps happening again and again? Stop the insanity and look at a new way of solving this problem.

“The definition of insanity is doing the same thing over and over again and expecting different results.”

How Spearphishing Works

Your company webpage has just been redesigned to provide an enriched marketing experience. It looks great and everyone on your leadership team is excited about the new page. One of the pages, “About Our Team”, lists every member of the executive management team with a short bio. You have just provided the bad guys with a short list of high-value targets within your company.

With this list of users in hand and by utilizing the most standard email address format (everyone uses first initial of the first name + last name), a couple of smart public DNS queries, and a telnet to port 25 of your email server, I can determine your mail server and version, including Microsoft Office 365. Then I can set up a fake webmail account login page and send a well-crafted email asking them to log in to my fake email system so I can steal their password.

Once your user completes this action, I have not just compromised their account, I have compromised an influential person in the company. I now have access to the corporate account of someone who can make decisions and spend money, for example, authorize an invoice to be paid or request a wire transfer. Payday for me, headaches dealing with law enforcement, lawyers, cyber insurance companies, and forensics experts for you.

What Happens Next

Once you discover the intrusion, I’ve been reported to IT, the user’s account password has been changed, the lawyers are doing insurance reviews, and accounting is double checking the books, but I am still out there. While everyone is thinking, crisis averted, I am waiting for the next opportunity.

Now, I sit back and wait a week or two before another attempt. During this time, a business crisis arises, distracting the executives, and I send another email asking you to log in. Nine times out of ten, I get back in. Executives are busy between internal, partner and customer meetings, traveling, reviewing performance numbers, and so on. They are always busy and want things to go smoothly so they can accomplish tasks quickly. Because of this, your executives rarely look twice at the email asking for the password again – just so they can get that PDF report they think they are getting.

So, they are compromised. Again. You change their password. Again. Insanity.

While you are saying to yourself, “This would never happen at my company”, let me share this story with you. I recently worked a case where the President of the company was successfully spearphished three times in two weeks. Each time, the password was reset, and everyone moved on to other things. In another case, a breached IT administrator account was used to spearphish the CFO. As if that is not bad enough, the CFO had already been successfully spearphished two months prior.

How do I end this cycle?

The easy answer is to require multi-factor authentication (MFA). The harder question is, “How do I implement MFA without being chased with pitchforks and firebrands?” Or worse yet, isolated in an office in the basement with your career stalled out.

So, how do you implement MFA while minimizing the impact on your users?

Scenario 1:

IT develops an MFA implementation plan. They then meet with the executives to outline the program’s pros and cons, with the strategy of scaring them into agreeing to implement MFA. They use statistics from Gartner, include quotes from Verizon’s annual Data Breach Investigations Report, and try to sell the implementation plan. Remember, these are the same executives who are busy moving from one fire drill to another while being spearphished daily. This strategy almost never goes well.

Scenario 2:

IT develops an MFA implementation plan. Instead of only using statistics from Gartner and quotes from Verizon’s annual Data Breach Investigations Report, they use actual internal data to effect change from within. Prior to presenting this data, they have already completed an MFA pilot with their email administrators and then rolled it out to the entire IT department. Here’s the payoff: report the measured results of the rollout to the IT Steering Committee, CFO, or COO; the point is to get an executive thinking about MFA, hearing the results, and digesting the successes. Then, get that individual to try it.

Peer pressure can also be beneficial in this scenario. “One-Upmanship” within a highly political boardroom can be a good thing. Having someone inside the decision-making group proudly boasting how fourteen unauthorized attempts to log in to their account were thwarted by MFA can provide the incentive you need. No one wants to be the weak link or in last place.

The Benefits of MFA

Now that you have implemented MFA, you are able to stop the insanity of repeatedly resetting passwords, re-imaging computers, spending hours on telephone calls with lawyers, insurance companies, and forensics companies. You can expect fewer security headaches, more time to complete your projects, and your executive team to appreciate how secure your network has become with multi-factor authentication.

SecurIT360 is an independent, vendor-agnostic Cybersecurity consulting firm.
If you are interested in a complimentary budgeting and strategy session using some of our time-tested tools, you can schedule a meeting by clicking this link, Appointments.

Categories
Information Security|Uncategorized

Budgeting for Cyber Security for 2019

Cyber-Security Budgeting is a Layered Approach

Cyber-Security is arguably the hottest market right now. Organizations are willing to spend more money now than ever before to avoid becoming the next headline. When planning, it is easy to focus on the products that vendors spend millions of dollars pushing at us every day. Products are required, but it is the processes around them that keep you secure. Best practices in security follow a layered approach, and budgeting is no different. Where should you focus your efforts?

The Basic Layers:  Reduce Known Risks

These are not sexy, but neither is changing your oil and rotating your tires (diet and exercise? Pick your poison). Before you look at some of the newer, enticing security solutions, it is important to make sure the basics are covered. What we know: attacks and breaches are increasing every year. We have seen an 8x increase in incidents in the past twelve months, so our basic list has grown from last year. You may ask: why not just follow the CIS Top 20? We agree that all 20 of those items are very important, but after working with over 250 organizations, we know that budget approvals, gaps in expertise, and culture typically make it hard for an organization to follow the CIS controls in order. If you can, that is great, but we offer the following list of items to consider, in order of importance and ease of execution:

  1. Email & Web security – Spam & Antivirus solutions
  2. Enable MultiFactor Authentication for all remote access – don’t forget O365 and other cloud services – or don’t allow it
  3. IDS/IPS; internet monitoring/filtering – hard to believe, but we still find some organizations with outdated firewalls and no IDS capability
  4. Security patching for all hardware/software
  5. Endpoint protections – Antivirus/Malware solutions
  6. Review all accounts, especially privileged accounts and do not allow privileged accounts for regular use
  7. Check for consistent password and access controls across all of your platforms
  8. Encrypt portable devices
  9. Approve Basic Policies to establish guidelines
  10. Provide security training for users and IT staff
  11. Constantly inventory the devices on your network
  12. Review firewall, remote access/VPN, and wireless solutions regularly
  13. Comprehensive network documentation
  14. A proactive monitoring/logging/alerting solution should be in place
  15. Basic Incident Response capabilities
  16. Secure file transfer capability
  17. Basic Security Metrics and Reporting – Regular measurements are a must to eliminate a false sense of security
  18. Evaluate your ability to perform these basic functions adequately – do you need managed services?

Add Advanced Layers to Cover Blind Spots

Once you have the basics in place, formal measurement and planning is prudent to prioritize capital expenses.  If you do not have the in-house expertise available, you may need to rely on outside assistance.  Some items to consider:

  1. Objective measurement: Risk Assessment, Security Audit, Vulnerability and penetration testing
  2. Increase visibility with SIEM (Security Information & Event Management) – either in-house or as a service
  3. Complement SIEM with MDR (Managed Detection & Response)
  4. Formal Program & Policy development following ISO 27001, NIST, HITRUST, or other appropriate framework
  5. Risk Management
  6. Vulnerability Management
  7. Mobile device management solution
  8. NAC – internal Network Access Controls
  9. Data Loss Prevention technologies
  10. Identity Access Management
  11. Forensic capabilities
  12. Application whitelisting
  13. Incident Response Table Tops, Red Team, Blue Team, Purple Team Exercises
  14. Information Governance

Studies have shown that a good security posture will reduce the operational costs and the cost of a security breach.

A Note for your CFO:  You may want to remind your finance committee that breaches can cause serious reputational damage and be very expensive.  Cyber Liability insurance is not enough.  In today’s world, the expectation is that there are measurable efforts (and funds) devoted to keeping information safe.

Note:  SecurIT360 is an independent, vendor-agnostic Cyber Security consulting firm.  We do not sell or broker hardware or software.

If you are interested in a complimentary budgeting and strategy session using some of our time-tested tools, you can schedule a meeting by clicking this link, Appointments.

Why not just follow the CIS top 20?

Since we mentioned it, we will go ahead and put this list out here too.

Basic CIS Controls

  1. Inventory and Control of Hardware Assets
  2. Inventory and Control of Software Assets
  3. Continuous Vulnerability Management
  4. Controlled Use of Administrative Privileges
  5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
  6. Maintenance, Monitoring and Analysis of Audit Logs

Foundational CIS Controls

  1. Email and Web Browser Protections
  2. Malware Defenses
  3. Limitation and Control of Network Ports, Protocols and Services
  4. Data Recovery Capabilities
  5. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
  6. Boundary Defense
  7. Data Protection
  8. Controlled Access Based on the Need to Know
  9. Wireless Access Control
  10. Account Monitoring and Control

Organizational CIS Controls

  1. Implement a Security Awareness and Training Program
  2. Application Software Security
  3. Incident Response and Management
  4. Penetration Tests and Red Team Exercises

The 7 Key Principles guiding the latest version of the CIS Controls:

When designing the latest version of the CIS Controls, our community relied on 7 key principles to guide the development process:

  1. Improve the consistency and simplify the wording of each sub-control
  2. Implement “one ask” per sub-control
  3. Bring more focus on authentication, encryption, and application whitelisting
  4. Account for improvements in security technology and emerging security problems
  5. Better align with other frameworks (such as the NIST CSF)
  6. Support the development of related products (e.g. measurements/metrics, implementation guides)
  7. Identify types of CIS controls (basic, foundational, and organizational)

Categories
Compliance|Research>The Hitlist

The Hitlist: International Travel

International travel is common in today’s business world. Businesses often assume that their standard policies can apply to any international destination. We recently had a client contact us about traveling to their international office in a country that is known for lacking respect for others’ privacy. Considering that this client would be discussing corporate trade secrets and other sensitive information, they asked us what precautions they should take.

We gave them a list of recommendations and explained that many of these would not make travel simple from a technological standpoint, but would provide the most security benefit. These recommendations are not for travel to just any country, but to countries where governments can be pervasive with regard to network communications.

Some recommendations for consideration:

  • Assume that all communication will be monitored
  • Understand that some of these countries put higher priority on Intellectual Property and Trade Secrets than they do personal or financial information
  • Take a clean machine with no data – some countries may even confiscate or copy data at the border
    • Lock the machine down to the minimum amount of use possible
    • Make sure personal firewalls are set to be very restrictive
    • Whitelist applications if possible
    • Take data only on encrypted removable media – many countries such as China, Israel, and Russia have limitations on encryption tools
    • Encrypt hard drives
  • Communications
    • Do not use Bluetooth or WiFi
    • Avoid connecting to the internet at all
    • Any time you connect to the internet, make a secure connection to the US as quickly as possible using technologies that provide virtual desktops or VPN connectivity and preferably with multi-factor authentication if allowed.  If VPN connections are not allowed in a particular country, plan on limited to no use of the internet.
  • Make sure mobile devices are encrypted and managed with MDM – again if country restrictions allow
    • Communication should be limited, even email.  Again, assume all communication will be monitored
    • Beware if you get a certificate error while downloading anything.  This may mean that someone has brokered the connection
  • Upon return, format all electronic media that made the travel, and under no circumstance should anything be plugged back into a network

Again, these are just a few things to consider when traveling to certain countries that may have a governmental interest in data and communications.

Categories
Uncategorized

WannaCry – Worldwide Ransomware Attack – Updated

A widespread ransomware attack has spread across the globe, infecting tens of thousands of computers in many countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in many languages. There have been several versions and updates, but the ways to protect yourself remain the same. Recently, a decryption tool has been discovered – see here.

Technical Details

Initial reports indicate the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers either through a Remote Desktop Protocol (RDP) compromise or the exploitation of a critical Windows SMB vulnerability.  Microsoft released a security update for the MS17-010 vulnerability on March 14, 2017.  According to open sources, one possible infection vector is via phishing emails.

The WannaCry ransomware received and analyzed by US-CERT is a loader that contains an AES-encrypted DLL. During runtime, the loader writes a file to disk named “t.wry.” The malware then uses an embedded 128-bit key to decrypt this file. This DLL, which is then loaded into the parent process, is the actual WannaCry ransomware responsible for encrypting the user’s files. Because of this cryptographic loading method, the WannaCry DLL is never directly exposed on disk and is not vulnerable to antivirus scans of the file system. Subsequent versions are built differently.

What to do to protect against Wana Decrypt0r aka WannaCry

1. Patch all Windows Operating Systems

  1. For supported Operating Systems, see MS17-010
  2. The emergency patch for Windows XP and Windows 2003 is here

2. Run a port scan and/or Vulnerability Assessment against your firewalls.

Ensure that Remote Desktop Protocol (RDP) and SMB are not open to the internet. These services typically listen on ports 3389 (RDP) and 445 and 139 (SMB), but can be mapped to different ports on your firewall. Keeping them closed to the internet is security best practice.
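An added example (not part of the original post): a small Python probe to confirm, from outside your own perimeter, that the RDP and SMB ports above are not reachable on your public address. The target address in the block is an RFC 5737 documentation placeholder to be replaced with your own firewall’s public IP; the self_check() function validates the probe against a throwaway loopback listener so that a “closed” verdict can be trusted.

```python
import socket

# Ports named in the post: RDP on tcp/3389, SMB on tcp/445 and NetBIOS session on tcp/139.
DEFAULT_PORTS = {3389: "RDP", 445: "SMB", 139: "NetBIOS-SSN"}


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), unreachable, or name resolution failure
        return False


def check_exposure(host, ports=DEFAULT_PORTS, timeout=2.0):
    """Probe each port; return {port: (service_name, reachable)}."""
    return {port: (name, tcp_reachable(host, port, timeout)) for port, name in ports.items()}


def exposed_services(host, ports=DEFAULT_PORTS, timeout=2.0):
    """Service names that answered, i.e. are reachable from wherever this script runs."""
    return sorted(name for name, up in check_exposure(host, ports, timeout).values() if up)


def self_check():
    """Validate the probe before trusting a 'closed' verdict: a throwaway listener on
    loopback must read as reachable and a just-released port as closed."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        open_port = srv.getsockname()[1]
        with socket.socket() as tmp:  # reserve a free port, then release it
            tmp.bind(("127.0.0.1", 0))
            closed_port = tmp.getsockname()[1]
        result = check_exposure(
            "127.0.0.1", {open_port: "listener", closed_port: "released"}, timeout=1.0
        )
    return result[open_port][1], result[closed_port][1]


if __name__ == "__main__":
    assert self_check() == (True, False)
    # Placeholder target (RFC 5737 documentation range). Substitute your own firewall's
    # public address and run from outside the perimeter, e.g. a cloud host or a hotspot.
    target = "203.0.113.10"
    for port, (name, up) in check_exposure(target, timeout=3.0).items():
        verdict = "REACHABLE from the internet: close or restrict it" if up else "filtered/closed"
        print(f"{name:12} tcp/{port:<5} {verdict}")
```

A reachable result from an external vantage point means the firewall rule, not the host, needs attention; a port mapped elsewhere on the firewall (as the post notes) needs that port added to DEFAULT_PORTS, which is why the dictionary is a parameter rather than a constant baked into the probe.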

Verify Other Protections Are working as expected.

*************************************IMPORTANT******************************************
Do NOT assume you are safe just because you have purchased and installed a product.
**********************************************************************************************

3. Backups

Review your backups to ensure that they are working as expected. Test restores of critical data.

4. SPAM Filter

Enable strong spam filters to prevent phishing e-mails from reaching end users. Most enterprise filters should detect WannaCry.

5. Antivirus & Malware Protections

  1. Ensure that real-time scanning is enabled to detect file downloads, email attachments, and web links
  2. Ensure that scan engines are up to date and that definitions are downloaded and deployed regularly – at least daily; we recommend more frequently
  3. Configure anti-virus and anti-malware solutions to conduct routine scans
  4. Inventory protected machines to ensure that all have products installed and that they are functional

WannaCry Remediation

  • Isolate compromised computer systems.
    1. Unplug them from the network to prevent spreading
    2. Power down other computers or unplug network access switches during eradication
    3. Wipe and reload infected machines
    4. Paying the ransom does not guarantee recovery
  • Ensure that proper logging is enabled and preserved on key systems.
  • Contact law enforcement. Contact a local FBI field office upon discovery to report an intrusion and request assistance. Maintain and provide relevant logs.
  • Implement your security incident response and business continuity plan.
  • Ideally, organizations should not store critical data on workstations. Critical data should reside on centralized storage systems. Storage systems should have complete, verified, and tested backups. Often the most efficient response is to restore data from a known clean backup.

Signatures

File name:  @WanaDecryptor@.exe

Confirmed indicators – SHA-256 Hashes:

24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
043e0d0d8b8cda56851f5b853f244f677bd1fd50f869075ef7ba1110771f70c2
5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9
76a3666ce9119295104bb69ee7af3f2845d23f40ba48ace7987f79b06312bbdf
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
f7c7b5e4b051ea5bd0017803f40af13bed224c4b0fd60b890b6784df5bd63494
fc626fe1e0f4d77b34851a8c60cdd11172472da3b9325bfe288ac8342f6c710a
09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa
aee20f9188a5c3954623583c6b0e6623ec90d5cd3fdec4e1001646e27664002c
c365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
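An added example (not part of the original post or of US-CERT’s material): a Python sweep that hashes every file under a directory and flags anything matching the confirmed SHA-256 indicators above or carrying the @WanaDecryptor@.exe file name. The demo() function builds a constructed temporary tree; the extra “indicator” it registers on its second pass is the digest of its own harmless text file, so the hash-match path can be exercised offline without any real sample.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Confirmed WannaCry SHA-256 indicators listed in this post.
WANNACRY_SHA256 = {
    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
    "043e0d0d8b8cda56851f5b853f244f677bd1fd50f869075ef7ba1110771f70c2",
    "5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9",
    "76a3666ce9119295104bb69ee7af3f2845d23f40ba48ace7987f79b06312bbdf",
    "be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844",
    "f7c7b5e4b051ea5bd0017803f40af13bed224c4b0fd60b890b6784df5bd63494",
    "fc626fe1e0f4d77b34851a8c60cdd11172472da3b9325bfe288ac8342f6c710a",
    "09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa",
    "aee20f9188a5c3954623583c6b0e6623ec90d5cd3fdec4e1001646e27664002c",
    "c365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9",
    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
    "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25",
}
# File-name indicator from the post.
FILENAME_IOCS = {"@WanaDecryptor@.exe"}


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large files never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, indicators=WANNACRY_SHA256, filename_iocs=FILENAME_IOCS):
    """Walk root and return {path: {"sha256": digest or None, "reasons": [...]}}
    for every file whose name or content hash matches an indicator."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            reasons = []
            if name in filename_iocs:
                reasons.append("filename")
            try:
                digest = sha256_of_file(path)
            except OSError:
                digest = None  # locked or unreadable: keep any filename hit, skip hashing
            if digest is not None and digest.lower() in indicators:
                reasons.append("sha256")
            if reasons:
                hits[path] = {"sha256": digest, "reasons": reasons}
    return hits


def demo():
    """Constructed demonstration tree: two harmless text files plus an EMPTY decoy that
    only carries the IoC file name. The second sweep adds report.txt's own digest to the
    indicator set so the hash-match branch runs without a real sample on disk."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.txt").write_bytes(b"quarterly numbers (constructed sample)\n")
        (root / "notes.txt").write_bytes(b"nothing to see here\n")
        (root / "@WanaDecryptor@.exe").write_bytes(b"")
        by_name_only = scan_tree(tmp)
        extra = WANNACRY_SHA256 | {sha256_of_file(root / "report.txt")}
        with_hash_hit = scan_tree(tmp, indicators=extra)

        def summarize(hits):
            return {Path(p).name: h["reasons"] for p, h in hits.items()}

        return summarize(by_name_only), summarize(with_hash_hit)


if __name__ == "__main__":
    print(demo())
```

Hash matching only catches the exact samples listed, so a rebuilt variant will slip past it; the file-name check and the YARA rules below cover more of that gap, and a hit on either is a reason to isolate the machine per the remediation steps rather than to delete the file.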

Yara Signatures

rule Wanna_Cry_Ransomware_Generic {
    meta:
        description = "Detects WannaCry Ransomware on disk and in virtual page"
        author = "US-CERT Code Analysis Team"
        reference = "not set"
        date = "2017/05/12"
        hash0 = "4DA1F312A214C07143ABEEAFB695D904"
    strings:
        $s0 = {410044004D0049004E0024}
        $s1 = "WannaDecryptor"
        $s2 = "WANNACRY"
        $s3 = "Microsoft Enhanced RSA and AES Cryptographic"
        $s4 = "PKS"
        $s5 = "StartTask"
        $s6 = "wcry@123"
        $s7 = {2F6600002F72}
        $s8 = "unzip 0.15 Copyrigh"
    condition:
        $s0 and $s1 and $s2 and $s3 or $s4 or $s5 or $s6 or $s7 or $s8
}

/* The following Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

rule MS17_010_WanaCry_worm {
    meta:
        description = "Worm exploiting MS17-010 and dropping WannaCry Ransomware"
        author = "Felipe Molina (@felmoltor)"
        reference = "https://www.exploit-db.com/exploits/41987/"
        date = "2017/05/12"
    strings:
        $ms17010_str1 = "PC NETWORK PROGRAM 1.0"
        $ms17010_str2 = "LANMAN1.0"
        $ms17010_str3 = "Windows for Workgroups 3.1a"
        $ms17010_str4 = "__TREEID__PLACEHOLDER__"
        $ms17010_str5 = "__USERID__PLACEHOLDER__"
        $wannacry_payload_substr1 = "h6agLCqPqVyXi2VSQ8O6Yb9ijBX54j"
        $wannacry_payload_substr2 = "h54WfF9cGigWFEx92bzmOd0UOaZlM"
        $wannacry_payload_substr3 = "tpGFEoLOU6+5I78Toh/nHs/RAP"
    condition:
        all of them
}

Categories
Information Security>Asset Management|Compliance|Computer & Network Security>Microsoft

Best Practice: Securing Windows Service Accounts and Privileged Access – Part 2

In the first post I covered best practices for securing service accounts.  In this post, I am going to discuss some key elements in securing privileged access.  Keep in mind, Microsoft has published a comprehensive guide to securing an Active Directory.

Keep in mind that many of these things will require additional work on the front end, but that is usually due to poor existing practices.  Once processes are in place, these key components should not add significant overhead to administrative tasks.

  1. No users should regularly reside in the Domain Admins (DA) or Enterprise Admins (EA) groups
    1. Straight from the horse’s mouth: As is the case with the Enterprise Admins (EA) group, membership in the Domain Admins (DA) group should be required only in build or disaster recovery scenarios. There should be no day-to-day user accounts in the DA group with the exception of the built-in Administrator account for the domain, if it has been secured as described in Appendix D: Securing Built-In Administrator Accounts in Active Directory.
    2. Follow Microsoft’s recommendations for securing DA and EA accounts.
    3. If you have a single-forest, single-domain environment, no one needs to be in Enterprise Admins, period.
    4. Don’t allow domain admins to log on to workstations.
  2. Ensure that privileged accounts follow at least the standard password policy
  3. Don’t forget other privileged groups besides DA and EA (Schema Admins, Account Operators, Backup Operators, Administrators, etc.)
  4. Maintain separate admin credentials and standard user accounts
    1. Do not use the same account for admin access and for regular access.
    2. This includes things like browsing the web on member servers or workstations with privileged accounts.
      1. Block internet access from all servers.
    3. No remote access with privileged accounts.
  5. Use a jump server for admin tasks.
    1. Remote to it with a standard account, then remote from there to perform admin tasks.
    2. Allow interactive logons by authorized users, and remove or even block the other logon types that are not needed for server access. (https://technet.microsoft.com/en-us/library/dn487449.aspx)
    3. Admin functions should require more than one factor of authentication.
  6. Use LAPS to generate a different password for every local administrator account
  7. Either use read-only domain controllers in a DMZ or create a separate domain with a one-way trust (a trade-off between complexity and security)
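As an added example (not the post's own code), this PowerShell audits the privileged groups named above and flags members that break items 1 through 3: standing membership in DA or EA by anything other than the built-in Administrator, passwords set to never expire, passwords older than the policy maximum, and recent logons that hint at day-to-day use. It assumes the RSAT ActiveDirectory module, read access to group membership, and a 90-day password age threshold; the threshold and the 30-day logon window are assumptions, not values from the post.

```powershell
# Added example, not the post's own code: enumerate the privileged groups from the post
# and report members that violate items 1-3. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Account Operators', 'Backup Operators', 'Administrators'
$MaxPasswordAgeDays = 90        # assumed standard policy maximum
$RecentLogonDays    = 30        # assumed window for "day-to-day use"

$Findings = foreach ($groupName in $PrivilegedGroups) {
    # Enterprise Admins and Schema Admins exist only in the forest root domain
    $group = Get-ADGroup -Filter "Name -eq '$groupName'"
    if (-not $group) { continue }

    foreach ($member in (Get-ADGroupMember -Identity $group -Recursive)) {
        if ($member.objectClass -ne 'user') { continue }   # -Recursive already expanded nested groups
        $user = Get-ADUser -Identity $member.distinguishedName `
                    -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate, Enabled `
                    -ErrorAction SilentlyContinue
        if (-not $user) { continue }                         # e.g. a foreign security principal

        # RID 500 is the built-in Administrator, the only permitted standing DA member
        $isBuiltIn = $user.SID.Value -match '-500$'
        $issues = @()

        if (($groupName -in @('Domain Admins', 'Enterprise Admins')) -and -not $isBuiltIn) {
            $issues += 'standing DA/EA membership (item 1)'
        }
        if ($user.PasswordNeverExpires) {
            $issues += 'password never expires (item 2)'
        }
        if (-not $user.PasswordLastSet -or $user.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAgeDays)) {
            $issues += "password older than $MaxPasswordAgeDays days (item 2)"
        }
        # A recent logon by a non-built-in account is a hint of day-to-day use, not proof
        if (-not $isBuiltIn -and $user.Enabled -and $user.LastLogonDate -gt (Get-Date).AddDays(-$RecentLogonDays)) {
            $issues += "logged on within $RecentLogonDays days"
        }

        if ($issues.Count -gt 0) {
            [pscustomobject]@{ Group = $groupName; User = $user.SamAccountName; Issues = ($issues -join '; ') }
        }
    }
}

$Findings | Sort-Object Group, User | Format-Table -AutoSize
```

Run it on a schedule and diff the output; a group that was empty last week and has a member today is exactly the change item 1 says should only happen during a build or recovery.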
Categories
Information Security>Asset Management|Compliance|Computer & Network Security>Microsoft

Best Practice: Securing Windows Service Accounts and Privileged Access – Part 1

I recently had a client ask me about our recommendations for securing service accounts within Active Directory.   We talked for a bit, and then I decided to write them down.  This post will have two parts: the first part is about service accounts, and the second post will be about privileged accounts.

What is the minimum privilege needed?

  1. If the account will only use local resources on a single device, use a local account on that device.
  2. If the account needs permission to see users, computers, groups, etc., use a domain service account.
  3. When only read access or minor file manipulation is required, a standard domain user is usually sufficient.

For local accounts (typically IIS-type service accounts or simple applications), a normal local user account is sufficient.

  1. Create a strong password, 25+ characters, and forget the password.  If needed, just change the password.  If the password is needed regularly, store it in an enterprise password manager.
  2. Explicitly deny network and remote desktop logon rights
  3. Ensure IUSR accounts and any anonymous accounts do not have access outside of quarantined folders

Any other type of domain account

  1. Create an OU for service accounts so they can be managed separately.
  2. Create usernames with a random component, such as <creation date>_servicename, to prevent guessing.  Since a compromise of any domain user lets an attacker read the full user list, you could go further and use a fully random username, tracking it in a password manager.
  3. Do not use the description field in AD to record an account’s purpose, since all users can read that information.
    1. Instead, you can store it in a custom attribute in the AD schema with the confidentiality bit set (http://windowsitpro.com/active-directory/using-confidentiality-bit-hide-data-active-directory), which allows only domain admins to see this information.
  4. Ensure your domain functional level is 2008 or greater and set a fine-grained password policy for all service accounts.  Require strong passwords.  Either forget the passwords or use a password manager; preferably just forget them.
    1. Passwords should be changed regularly, at least every 90-180 days depending on other mitigating controls.
  5. Disable interactive logon for the service accounts.
  6. Do not give service accounts domain admin rights.  This is rarely necessary and is usually only done out of laziness (I can speak from past experience).
  7. Create a special group called NoWorkstationAccess or NoLateralMovement (an approach described by Jessica Payne (MSFT)) and add all service accounts to it.  Use the linked blog to assign this group as part of SpecialGroups, then apply this on every computer those accounts should not be logging on to (you may need more than one group).  An event will be generated for any such logon and a logging system can alert on it.  This can capture malicious lateral movement.
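As an added example (not the post's own code), the PowerShell below provisions a domain service account the way items 1, 2, 4, 6 and 7 describe: a dedicated OU, a username with a date component, a 32-character password from a cryptographic RNG that is handed off once and then discarded, a fine-grained password policy applied through a group, and registration of that group's SID as a Special Group so that logons by its members raise event 4964 on the machine where it is configured. The OU, group and policy names, the 90-day maximum age and the 'backupsvc' service name are assumptions; it requires the RSAT ActiveDirectory module and, for the last step, "Audit Special Logon" enabled on the monitored computers.

```powershell
# Added example, not the post's own code. Names, thresholds and the service name are assumptions.
Import-Module ActiveDirectory

$ServiceName = 'backupsvc'                           # placeholder service name
$Domain      = Get-ADDomain
$OuPath      = "OU=Service Accounts,$($Domain.DistinguishedName)"
$GroupName   = 'NoLateralMovement'
$PolicyName  = 'ServiceAccounts-PSO'

function New-RandomSecret {
    param([int]$Length = 32)
    # 64-symbol alphabet: a power of two, so "byte % 64" introduces no modulo bias
    $alphabet = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_'
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

# Item 1: a separate OU so service accounts can be managed (and scoped by GPO) on their own
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$OuPath'")) {
    New-ADOrganizationalUnit -Name 'Service Accounts' -Path $Domain.DistinguishedName
}

# Item 7: the group every service account joins; Item 4: the PSO is bound to that group
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -Path $OuPath
}
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PolicyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PolicyName -Precedence 10 `
        -MinPasswordLength 25 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
        -PasswordHistoryCount 24 -LockoutThreshold 10 `
        -LockoutDuration (New-TimeSpan -Minutes 30) -LockoutObservationWindow (New-TimeSpan -Minutes 30)
    Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $GroupName
}

# Item 2: username with a date component, e.g. 20170512_backupsvc (SamAccountName limit is 20 chars)
$Sam      = '{0}_{1}' -f (Get-Date -Format 'yyyyMMdd'), $ServiceName
$Password = New-RandomSecret -Length 32

# Items 3 and 6: no purpose in the Description field and no privileged group membership;
# the account is a plain domain user in the service OU
$secure = ConvertTo-SecureString $Password -AsPlainText -Force
New-ADUser -Name $Sam -SamAccountName $Sam -Path $OuPath -AccountPassword $secure `
    -Enabled $true -PasswordNeverExpires $false -CannotChangePassword $true
Add-ADGroupMember -Identity $GroupName -Members $Sam

# Hand $Password to the application (or the password manager) exactly once, then drop it
$Password = $null

# Item 7: on each computer the service accounts must never log on to, register the group's
# SID as a Special Group; a logon by any member then produces Security event 4964.
# Shown here for the local machine; deploy the value via Group Policy in practice.
$groupSid = (Get-ADGroup -Identity $GroupName).SID.Value
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Audit' `
    -Name 'SpecialGroups' -Value $groupSid
```

The deny-logon rights from item 5 are user rights assignments and belong in the GPO linked to the workstation and server OUs rather than in this script; the Special Groups entry is what turns a policy violation into an alertable event.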

In addition to the blogs mentioned, Microsoft has some good whitepapers for preventing pass-the-hash which apply in part to this: https://www.microsoft.com/en-us/download/confirmation.aspx?id=36036

Categories
Computer & Network Security>Adobe|Compliance|Computer & Network Security>Java|Computer & Network Security>Vulnerabilities

Third Party Apps: Consider The Risks

What are 3rd party tools?

Everyone, from individuals to enterprises, uses third party tools and applications on their workstations, servers and mobile devices.  Some examples are Adobe Reader, Java, WinRAR, and many more.  They are applications that are run or installed, but are typically not centrally managed by your organization.

Why are they important to an organization?

Many times these tools are required to carry out critical job functions.  These can be running applications that require Java applets, fax services, custom written applications and so on.

What risks can they introduce?

Since these applications are usually not centrally managed, their patches and updates may not be applied as quickly.  Just like all software/hardware, vulnerabilities are found every day in third party applications such as a recently exposed flaw in WinRAR. According to Apigee, new attack techniques are emerging as well, including:

  • Exploitation of mobile and app vulnerabilities with insecure API access
  • Stealing of sensitive data cached by apps that don’t follow security best practices
  • Social engineering of developers to gain unauthorized access of developer keys and credentials.

So what can you do?

While this is an accepted risk when choosing these tools, there are several things you need to do to keep the tools as secure as possible:

  • Stay up to date on zero-day vulnerabilities in the tools you use
  • Always be aware of any updates available
  • Use strict authentication methods to secure your systems
  • Monitor and report consistently

In summary, third party tools are an unlocked window into your network and have the potential to cause great damage to your organization when not properly secured. Organizations should consider adopting policies and procedures around approving specific applications and maintaining an inventory of where they are used.  This, in addition to a patch management process for these applications can significantly improve the security posture of your organization.
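The inventory and patch process the summary recommends starts with knowing which third-party products are installed where. As an added example (not the post's own code), this PowerShell reads the Uninstall registry keys on a set of machines, drops Microsoft-published and system components, and reports where each product is used and which installs lag an approved version; the hostnames, the approved-version table and the product name in it are placeholders.

```powershell
# Added example, not the post's own code: third-party software inventory from the
# Uninstall registry keys. Hostnames and the approved-version baseline are placeholders.
$Computers = @('WS01', 'WS02', 'SRV-APP01')        # placeholder hostnames
$Approved  = @{                                     # placeholder baseline: product -> minimum approved version
    'Adobe Reader' = '1.2.3'
}

$Inventory = Invoke-Command -ComputerName $Computers -ErrorAction SilentlyContinue -ScriptBlock {
    # Both the native and the WOW6432Node hives, so 32-bit apps on 64-bit Windows are not missed
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.Publisher -notmatch '^Microsoft' -and -not $_.SystemComponent } |
        ForEach-Object {
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                Name      = $_.DisplayName
                Version   = $_.DisplayVersion
                Publisher = $_.Publisher
                Installed = $_.InstallDate
            }
        }
}

# Where is each product used? (the "inventory of where they are used")
$Inventory | Group-Object Name | Sort-Object Count -Descending |
    Select-Object Name, Count, @{ n = 'Computers'; e = { ($_.Group.Computer | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# Which installs are below the approved version? (the patch management input)
$Inventory | Where-Object {
    $v = $_.Version -as [version]
    $Approved.ContainsKey($_.Name) -and $v -and $v -lt [version]$Approved[$_.Name]
} | Format-Table Computer, Name, Version -AutoSize

# Which products have no approval decision at all? (the policy gap)
$Inventory | Where-Object { -not $Approved.ContainsKey($_.Name) } |
    Select-Object Name, Publisher -Unique | Sort-Object Name
```

The last list is usually the most useful one on a first run: every product in it is something that entered the environment without an approval decision, which is the window the summary describes.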

Categories
Computer & Network Security>Apple

iOS Malware – The Sky Is (not) Falling!

By now you should have heard that malware has been detected in apps available from Apple’s App Store.  (Let’s take a short break to let the rival Android users stop chuckling)  Should you be panicked?  Should you contact your IT department and have them wipe all of your company’s iPhones?  Should you rush home and trade your teenager’s iPhone for an old Samsung flip phone?  No, you shouldn’t – the Appleocalypse is not upon us.  (except maybe for the last one – have you seen the trouble teenagers can get into on smart phones?  Sheesh!)

Because this is somewhat of a rare event, the Internet has been filled with opinion pieces and editorials concerning iOS malware but the facts, so far, have been hard to nail down.  The truth of the matter is that most US, LA, and European users should have little to worry about but that Asia-Pacific iPhone users could be in a bit of trouble.

What actually happened is that some Chinese programmers downloaded a corrupted version of Xcode, which is Apple’s official iOS and OS X app creation tool.  Apps were then created with the corrupted tool (which quietly embedded exploits) and were subsequently uploaded to Apple’s App Store.  About 50 corrupted apps were eventually identified by security firm Palo Alto Networks, and while these apps have now been removed from the app store, they weren’t removed before being downloaded by several million people.  Most of the apps are Asia-Pacific-centric, (like WeChat) but a few are in heavy rotation in the West.  (CamCard, a popular business card reader, being the most prominent).

Remediation is simple: If you do have any of the listed apps installed, report this to your IT department so they’re aware of a potential issue.  IT Staff and individuals should be checking corporate and personal iPhones for the apps.  Change iCloud and other passwords stored on your phone as a precautionary measure, and report any suspicious events to your IT department.

You can find a list of the corrupted apps here: (courtesy of macrumors.com)

Infected iOS apps (as released by Palo Alto Networks)
网易云音乐 2.8.3
微信 6.2.5
讯飞输入法 5.1.1463
滴滴出行 4.0.0.6-4.0.0.0
滴滴打车 3.9.7.1 – 3.9.7
铁路12306 4.5
下厨房 4.3.2
51卡保险箱 5.0.1
中信银行动卡空间 3.3.12
中国联通手机营业厅 3.2
高德地图 7.3.8
简书 2.9.1
开眼 1.8.0
Lifesmart 1.0.44
网易公开课 4.2.8
马拉马拉 1.1.0
药给力 1.12.1
喜马拉雅 4.3.8
口袋记账 1.6.0
同花顺 9.60.01
快速问医生 7.73
懒人周末
微博相机
豆瓣阅读
CamScanner
CamCard
SegmentFault 2.8
炒股公开课
股市热点
新三板
滴滴司机
OPlayer 2.1.05
电话归属地助手 3.6.5
愤怒的小鸟2 2.1.1
夫妻床头话 1.2
穷游 6.6.6
我叫MT 5.0.1
我叫MT 2 1.10.5
自由之战 1.1.0

A more thorough list, according to fox-it.com:

Mercury
WinZip
Musical.ly
PDFReader
guaji_gangtai en
Perfect365
网易云音乐
PDFReader Free
WhiteTile
IHexin
WinZip Standard
MoreLikers2
CamScanner Lite
MobileTicket
iVMS-4500
OPlayer Lite
QYER
golfsense
同花顺
ting
installer
下厨房
golfsensehd
Wallpapers10000
CSMBP-AppStore
礼包助手
MSL108
ChinaUnicom3.x
TinyDeal.com
snapgrab copy
iOBD2
PocketScanner
CuteCUT
AmHexinForPad
SuperJewelsQuest2
air2
InstaFollower
CamScanner Pro
baba
WeLoop
DataMonitor
爱推
MSL070
nice dev
immtdchs
OPlayer
FlappyCircle
高德地图
BiaoQingBao
SaveSnap
WeChat
Guitar Master
jin
WinZip Sector
Quick Save
CamCard

Again, whether you have a corrupt copy depends on which version of these apps you have and where they were downloaded from.  Be conservative and remove or update them if you have them.