Information Security Management System and off-shored IT

As more and more of IT moves to the cloud every day, it gets harder to understand the many different roles and responsibilities split between your local IT and your providers. The tendency I’ve seen at different companies is to off-shore most of the operational IT services, such as network support, workstation support, server hosting and support, printing solutions, etc., minimizing costs and focusing effort on what the company really needs to worry about: doing business.

With all these third parties and vendors providing essential IT services to your company, the question that comes up is how secure these vendors are, considering they’re handling your data. Contractual agreements might be the answer at first thought, but can we rely on contractual agreements alone to reduce risk to an acceptable level? I personally wouldn’t say so. Looking at this decision from a risk management perspective, having just one control to reduce the risk of the entire IT environment might not be enough to avoid fines or reputation damage when a security incident occurs.

My goal in this post is to briefly propose a strategy to manage complex hybrid IT environments, composed of local IT resources/personnel and service providers. This high-level strategy starts off by defining some key premises that will be used later on to define more technical and detailed controls:

  • Compose a list of all your vendors and third parties providing services and resources to your company

You may also include services that support your IT environment, such as physical security, power redundancy, facilities, etc.

  • Validate a RACI table for your IT and essential services, most importantly establishing whether each one is an internal responsibility or vendor provided

This step must give you a clear understanding of who is responsible for what in your IT environment, for example whether the service desk and end-user workstation support are under your company’s responsibility or not.

  • Define the criticality of each vendor/third party in relation to the business

When defining this, consider the impact these services/resources can cause to the business if they are suddenly disrupted.

  • Ensure all vendors and third parties have an approved contractual agreement with your company, validated by your legal department

Your legal department should define the requirements of a contractual agreement, as well as its information security clauses.

With all that information organized on the table, you can now start looking at your possibilities in terms of quick wins for security controls and plan your roadmap for the controls that must be created. Instead of reinventing the wheel, standards like NIST and ISO 27k can be used as guides for the controls you should look into and, later on, pursued for a possible certification. I’ve also spoken about this in an older post; check it out.

For the services and resources provided by partners, security controls must also be tied to contractual agreements. This way you may require your vendors either to provide you evidence of compliance with your controls or to hold their own security certification, proving they have sufficient security maturity.

A balanced approach would require vendors to provide KPIs and KRIs on important security controls plus to hold a market-renowned security certification, ensuring that you don’t rely on trust/contracts alone to reduce risks and create visibility. While the contract provides you legal safety and a commitment from the partner to you, the measures will give you visibility of the reality.

Having both controls should greatly reduce risk and give visibility of improvement opportunities on an on-going basis. As in any strategy or project, this needs to be adapted to the company’s reality, since no two IT environments are alike and they become more complex as days go by; each step should be used as a base to map any other requirement that needs to be addressed.

As always, please feel free to share any feedback and thanks for reading.

Building your Secure Development Life Cycle (SDLC) strategy

SDLC or S-SDLC (Secure Software Development Life Cycle) is a methodology that aims to improve the overall security of web and regular application development processes. The main idea is to understand your current, or to-be, development process and include your business’s minimal security requirements in it. Considering development good practices, standards and guides in the different phases of the whole development process might be an ambitious and challenging project that would require money, man-hours and cultural changes as well.

There are many proprietary and open-source methodologies, each one with its specific characteristics and requirements, but in the end the goal is eventually the same: improve the overall security of your development process. While you can discuss and evaluate the development process of your company, the best approach I would recommend is to adapt security to the current process, instead of changing the current process so that it becomes compliant with your security requirements. Doing it this way minimizes the cultural shock and effort needed to deploy such requirements and creates less “friction” and resistance in your company.

I’d split this initiative into two different projects, based on the reality you’re facing:

  • Implementing an SDLC in your company’s development team, if there is one
  • Defining your company’s requirements to buy/hire development services

For this post, I’ll be discussing the first point, as the SDLC fits this reality better.

The first step is to understand how your development process works: what the main phases are, and which artifacts, documentation, standards and activities the development team has/does. Generally speaking, your development process would, at a certain point, fit into one of the most used methodologies like Waterfall, DevOps, Agile, etc. but, as I stated at the start of this post, the idea isn’t to change the development process but to implement a minimum security standard in it. An overall secure development process can, at a high level, be defined in the following steps:

  • Training/Awareness
    • Professionals are introduced to the methodology and complementary security training is provided
  • Requirements
    • Security requirements are defined and formalized in a general manner so they apply to all development projects, based on the business risk appetite
  • Design
    • Threat modeling and early definitions of how the coding work should be carried out
  • Code
    • Coding is done in a secure way, using secure and up-to-date libraries and languages; static code analysis may also be done
  • Testing
    • Pen-tests, static and dynamic analysis are executed in this phase; the project must achieve a result aligned with the defined risk appetite
  • Release/Sustain
    • Vulnerability management, recurrent testing and incident management are the activities done in this phase. They need to continue until the solution is decommissioned.

At each step, security requirements should be added; for instance, when doing the regular development training for employees, secure development practices should also be included, teaching developers good security practices and bringing awareness to the topic. Having security addressed at each one of the main development phases will reduce the amount of re-work and, most importantly, the risks at the end of the development project. Leaving the security checks for the end of the project will, almost certainly, impact the business’s deadlines due to vulnerabilities or security risks needing to be fixed in production or pre-production environments. That’s why it isn’t enough to just do dynamic analysis or pen-tests as the last check before going to production.

Unfortunately, as with many other things in life, there’s no silver bullet that would perfectly fit your reality; the whole SDLC methodology is, more than anything else, an awareness and training initiative. A detailed and deep study of your current reality needs to be done, at the same time as your risk appetite is defined, and because of that, each SDLC project may differ from the others.

Let me know what you think of this topic, feedback is always welcome and check out some references and sources below.

IoT – Wolf in sheep’s clothing

The world of IoT (Internet of Things) devices is certainly a magnificent one; the idea of having everything connected with remote access possibilities, such as televisions, telephones, cameras, personal assistants, electronic controllers (light and temperature), attracts the attention of everyone, from regular people who aren’t much tech savvy to technology enthusiasts.

At the same time that IoT brings comfort, agility and, most importantly, clients to your business, or even assists your business in performing better, it also may bring serious security risks to your network and company. You have probably heard about SDLC, Secure Development Life Cycle, and many other processes that aim to reduce security risks from the early stages of a development process; this is exactly what’s generally missing when we talk about IoT.

Many IoT companies, whether they build their own devices from scratch or just create slightly modified clones, aren’t very interested in the security side of development; devices are manufactured aiming only at the user experience or maybe just their functional purpose, without taking into account the security that encompasses their own functionality. One strong example of IoT devices that suffered from a lack of security is Stuxnet, a piece of malware that attacked SCADA systems (basically factory machinery controllers) and was renowned for the damage it caused to Iran’s nuclear power program.

As you may be thinking now, industrial IoT devices pose greater security risks when we look at the industrial side of it, due to its life-threatening consequences, but let’s not forget your smart TV or your personal assistant monitoring your conversations so it can present you “relevant” ads.

I brought up all these points to raise awareness about the IoT subject. Be it your home or your company network, IoT security and its life cycle should be part of any ISMS (Information Security Management System) or, at least, one of your main concerns. Besides cost and benefit, there must be processes in place to control, monitor and, most importantly, update these devices. A regular vulnerability management program may address the IoT matter by including these devices in its controls but, as a personal opinion and also based on my experience, IoT should have dedicated attention due to its nature and evolving volume.

My recommendation, as a general way to manage IoT, is a set of separate key actions; by achieving any of them, you’ll slowly increase your maturity in handling IoT security risk. These steps may be defined as follows:

  • Discovery
    • Network scans are key for this step; discovering everything that is connected to your network is important so you’ll be able to evaluate the effort and investment needed for the whole project.
    • You may also tag these devices by defining VLANs, using an asset database such as a CMDB or even acquiring a vulnerability management platform such as Nexpose, Nessus, Qualys, etc.
  • Inventory
    • Build and maintain an inventory of such devices with information like technical and business owners, so the right people can be held accountable whenever some action towards an IoT device needs to be taken, such as updating its firmware
  • Control
    • A management and evaluation process must be defined for the acquisition or development of new devices; this must ensure that new devices aren’t added to the network without proper control
    • IoT devices bought from vendors need to be evaluated according to their security maturity and the levels desired by the organization, preventing vulnerable or insecure devices from being added to the network
    • Development must take into account both hardware and software; this is a complex topic but, in a general way, newly developed devices must be aligned with the desired security level
  • Life Cycle
    • Define the management process for all IoT on the network by agreeing on regular vulnerability scans, on updates and patches published by vendors, and on when to apply such updates or decommission a device
    • Define hardening profiles for all possible devices; just as workstations, network devices and servers have their own hardening profiles, capable IoT devices need to be hardened. Changing default passwords, closing open ports and disabling unnecessary services is something to start with
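As an added example (not code from the original post), the Inventory, Control and Life Cycle steps above can be turned into a small recurring check over the device inventory: each device is compared against an assumed per-type hardening profile (allowed ports, no default password), the vendor’s latest firmware and a maximum scan age, and every deviation becomes a finding for the device’s owner. The inventory rows, the `VENDOR_LATEST` table, the `HARDENING_PROFILE` mapping and all field names are constructed assumptions for the example, not a CMDB or scanner schema.

```python
from datetime import date, timedelta

# Constructed inventory records; field names are my assumption, not a
# CMDB or scanner schema. "open_ports" is what a discovery scan reported.
INVENTORY = [
    {"name": "lobby-cam-01", "type": "ip_camera", "owner": "facilities",
     "firmware": "2.1.0", "last_scan": date(2017, 9, 30),
     "open_ports": [80, 23, 554], "default_password": True},
    {"name": "meeting-tv-03", "type": "smart_tv", "owner": "",
     "firmware": "5.0", "last_scan": date(2017, 10, 12),
     "open_ports": [443], "default_password": False},
    {"name": "hvac-ctl-02", "type": "thermostat", "owner": "facilities",
     "firmware": "1.4.2", "last_scan": date(2017, 8, 1),
     "open_ports": [443], "default_password": False},
]

# Assumed vendor "latest firmware" table and per-type hardening profiles
# (the only ports a device of that type is allowed to expose).
VENDOR_LATEST = {"ip_camera": "2.3.1", "smart_tv": "5.0", "thermostat": "1.4.2"}
HARDENING_PROFILE = {"ip_camera": {443, 554}, "smart_tv": {443}, "thermostat": {443}}
MAX_SCAN_AGE = timedelta(days=30)   # assumed policy value
TODAY = date(2017, 10, 20)          # constructed report date


def version_tuple(version):
    """'2.3.1' -> (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def evaluate_device(device, today):
    """Return the list of life-cycle / hardening findings for one device."""
    findings = []
    if not device["owner"]:
        findings.append("no_owner")            # nobody accountable for patching it
    profile = HARDENING_PROFILE.get(device["type"])
    if profile is None:
        findings.append("no_hardening_profile")
    else:
        extra = sorted(set(device["open_ports"]) - profile)
        if extra:
            findings.append("unexpected_ports:" + ",".join(map(str, extra)))
    if device["default_password"]:
        findings.append("default_password")
    latest = VENDOR_LATEST.get(device["type"])
    if latest and version_tuple(device["firmware"]) < version_tuple(latest):
        findings.append("firmware_outdated")
    if today - device["last_scan"] > MAX_SCAN_AGE:
        findings.append("scan_overdue")
    return findings


def lifecycle_report(inventory, today):
    """Map device name -> findings; an empty list means the device is compliant."""
    return {d["name"]: evaluate_device(d, today) for d in inventory}


if __name__ == "__main__":
    for name, findings in lifecycle_report(INVENTORY, TODAY).items():
        print(name, "OK" if not findings else ", ".join(findings))
```

Running it reports the camera with telnet and plain HTTP exposed, a default password and old firmware, the TV with no owner, and the thermostat with an overdue scan; feeding the same check from a real CMDB export is the usual next step.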

These steps are definitely not exhaustive and may miss a thing or two, but my goal in this post is to open the topic for discussion and bring awareness to a security risk that you may not have seen yet in your “house”. As always, for a successful security program in your company, it is key to be aligned with your business goals and have their support; otherwise any security initiative may face a lot of resistance.

Feel free to reach out to me or post your comments about this; I’ll be more than happy to discuss it with the security community.

Malware and security metrics

Probably, at some point in your security career, you have been asked the most difficult question a specialist could ever be asked: how secure are we (the company)? A very tricky question that may give you a hard time trying to figure out what to respond. Numbers are everything to any CEO and it is no different when talking about security; that’s why it is important to have data when requesting more resources or showing that you have been doing a good job. Consistent security-related data may be very hard to gather in a compiled and organized way, and in this post I’ll talk about how we can use malware-related data to get interesting numbers.

System Center Configuration Manager (SCCM) is a solution that I’d say the vast majority of mid-to-big companies have, or should have, in their Microsoft domain. Besides many other characteristics, it facilitates workstation and server administration, allowing mass deployment, monitoring and compliance. As you may know or suspect, it holds a lot of information in its database, ranging from installed software, updates and last logged-on user to malware-related data, if and only if you’re using SCEP (System Center Endpoint Protection).

I’ve been working lately with the virus/malware data that the SCCM database compiles, generated by SCEP and then stored in the database. My idea isn’t to talk about how good or bad SCEP is as a malware solution but to work with what I have and transform all this data into useful information that can point to the most relevant security risks, rather than just a ton of alerts from a keygen or crack being quarantined on a user’s thumb drive. My goal with this post is to open your mind to the possibilities we have (if you have at least the same or similar resources as I do) by doing some data analysis.

Some interesting security indicators that reflect how your organization has been handling malware infections are:

  • How many malware infections occurred in a given period; having this information in a location-specific view would be even better;
  • How many malware infections required manual/admin intervention in order to be resolved, when the anti-malware solution isn’t capable of cleaning the machine by itself;
  • How many malware infections resulted in a security incident that led to business disruption in some way;
  • How long it takes to first remove an infected machine from the network and, ultimately, re-image it if needed;
  • Whether all malware solutions are up-to-date and executing security scans in a timely manner; this indicates the solution’s health;
  • How many APT (advanced persistent threat) or high-risk infections occurred in a given period; recurrent infections, malware family name, disabled anti-malware solutions, etc. may indicate some kind of persistent malware.

Each one of these measures could be a good challenge to develop, and many security vendors will promise you that their solution will easily provide this type of data, but it may not be that simple. The intelligence to build these relations isn’t tied to a technology; it’s a matter of knowing what matters most to you and what kind of information you have, and only then will it be possible to make the links between each piece of information. That’s why it’s important to first do your homework of knowing what you have and what is important before buying solutions or developing anything.

Here are some examples of data that can be very useful when building relations regarding malware:

  • Date of last scan;
  • Date of last update;
  • Date of last infection (historical data can be very useful);
  • Date of operating system installation;
  • Date of last login and reboot;
  • Indication that all anti-malware modules are operational;
  • Anti-malware solution infection status;
  • Infection path (indicating the infection root);
  • User that caused the infection or has the most console runtime.

You can then relate data to flag your high-risk infections; for example, relating the last scan, last update and operational status so you can build a compliance health check for the anti-malware solution across all domain machines. Another one is relating the infection path to a probable root cause: if it comes from a pendrive (F: or G:) it may indicate that the user is infecting the machine, and you can then use these numbers to run a security training or awareness campaign. A last one could be the infection status against the last infection, indicating that the anti-malware solution is cleaning the machine but the malware is persistently re-infecting it.
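Two of the relations above, the solution health check and the “cleaned but keeps coming back” persistence indicator, worked through as an added example (not the author’s own analysis and not SCCM’s schema). The machine status rows, the detection history, the column names and the threshold values are all constructed assumptions for the example; in practice the rows would come from an export of the SCCM/SCEP tables.

```python
from datetime import datetime, timedelta

NOW = datetime(2017, 10, 20, 9, 0)   # constructed "report time"

# Constructed per-machine status rows: last scan, last update, module status.
# Column names are my assumption, not SCCM's.
MACHINES = [
    {"host": "WS-001", "last_scan": NOW - timedelta(days=1),
     "last_update": NOW - timedelta(hours=6), "modules_ok": True},
    {"host": "WS-002", "last_scan": NOW - timedelta(days=10),
     "last_update": NOW - timedelta(days=12), "modules_ok": True},
    {"host": "WS-003", "last_scan": NOW - timedelta(days=2),
     "last_update": NOW - timedelta(days=1), "modules_ok": False},
    {"host": "WS-004", "last_scan": NOW - timedelta(days=3),
     "last_update": NOW - timedelta(days=2), "modules_ok": True},
]

# Constructed detection history: one row per detection, with the status the
# anti-malware solution reported after acting on it.
EVENTS = [
    {"host": "WS-001", "time": NOW - timedelta(days=30), "status": "cleaned"},
    {"host": "WS-004", "time": NOW - timedelta(days=5), "status": "cleaned"},
    {"host": "WS-004", "time": NOW - timedelta(days=3), "status": "cleaned"},
    {"host": "WS-004", "time": NOW - timedelta(hours=12), "status": "cleaned"},
    {"host": "WS-003", "time": NOW - timedelta(hours=3), "status": "pending_reboot"},
]

MAX_SCAN_AGE = timedelta(days=7)     # thresholds are assumptions; tune to your policy
MAX_UPDATE_AGE = timedelta(days=3)


def health_check(machine, now=NOW):
    """Relation 1: last scan + last update + module status -> list of problems."""
    problems = []
    if now - machine["last_scan"] > MAX_SCAN_AGE:
        problems.append("scan_overdue")
    if now - machine["last_update"] > MAX_UPDATE_AGE:
        problems.append("definitions_outdated")
    if not machine["modules_ok"]:
        problems.append("module_down")
    return problems


def compliance_rate(machines, now=NOW):
    """Share of machines with no health problems: the domain-wide health KPI."""
    healthy = sum(1 for m in machines if not health_check(m, now))
    return healthy / len(machines)


def persistent_hosts(events, now=NOW, window=timedelta(days=7), min_hits=3):
    """Relation 2: 'cleaned' repeatedly inside the window means the malware keeps
    coming back, so cleaning is not removing the root cause."""
    counts = {}
    for e in events:
        if e["status"] == "cleaned" and now - e["time"] <= window:
            counts[e["host"]] = counts.get(e["host"], 0) + 1
    return sorted(h for h, n in counts.items() if n >= min_hits)


def needs_admin(events):
    """Infections the solution could not finish by itself: the manual-intervention KPI."""
    return sorted({e["host"] for e in events if e["status"] != "cleaned"})


if __name__ == "__main__":
    for m in MACHINES:
        print(m["host"], health_check(m) or "healthy")
    print("compliance:", compliance_rate(MACHINES))
    print("persistent re-infection:", persistent_hosts(EVENTS))
    print("needs admin action:", needs_admin(EVENTS))
```

With the constructed rows, WS-002 fails on scan and definition age, WS-003 has a module down and an infection waiting on a reboot, and WS-004 is flagged as persistently re-infected even though every detection on it was reported as “cleaned”, which is exactly the case the health check alone would miss.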

Your current technology won’t be the barrier here; you can have either SCEP or any other market solution. The goal is to have the data and know what you’re looking for; of course, technology will matter in the sense of compiling the information for you. Most importantly, never assume that you have it all covered: security risks, malware and hackers change every day and you must adapt to these changes. Having efficient and relevant measures will assist your organization in adapting to emerging threats, as well as in answering that “question”.

User behavior analytics – How to use data analytics for security

You have probably already heard about new trends in how security is evolving: instead of working reactively and detecting malware signatures on each workstation, for example, it should work by observing how your users behave inside your corporate network, keeping an eye on malicious actions like trying to connect directly to your main AD or executing files without enough privileges.

This way of thinking about security is supported by technologies named UBA (User Behavior Analytics) or UEBA (User and Entity Behavior Analytics); both are more or less the same thing, the difference being that UBA only worries about user behavior while UEBA will also look at entities like hosts, network devices, etc. In today’s world, what matters isn’t how impenetrable your network is but how fast you can detect an incident, react and contain it; you must work on the premise that you will eventually be hacked, sooner or later, and these solutions will assist you better than any firewall.

Most security vendors will say that this is the approach of the future, but how much will this kind of intelligence and technology cost and, more importantly, is it worth it? Cutting-edge appliances or cloud services tend to have a very high price, and when thinking of monitoring the behavior of everyone, you can certainly add to this bill a huge amount of data coming and going.

This post is about what you can do to bring some more intelligence to analyzing the information you already have, so you can increase your maturity in detecting malicious behaviors on your network without having to invest enormous amounts of money. I’ll take as an example some analysis I developed myself inside my company, looking at all the data we had about the countless malware infections SCEP detects daily, ultimately compiled and provided by SCCM. If you have a SIEM technology, you can go even further when analyzing data, but this is material for another post.

So, here’s the scenario and what you need to have so you can get going:

  • Aggregated and organized data regarding malware infections detected in your environment
  • A centralized way to consult and display this information in a structured way, like a BI tool
  • Relevant information, for example:
    • What is the malware family/name
    • Hostname and last logged on user
    • Time and day of occurrence
    • The path where the malware was detected/executed in the first place
    • Whether it was successfully removed or it needs a manual action like a reboot

You can now think of building relations and linking information that would be useful to you. Generally speaking, as a security manager you would definitely be interested in knowing the source of your malware infections; they could be coming from a malicious user or maybe from system vulnerabilities. Knowing this is key to directing your already limited resources to mitigate risks; check below some examples of relations that will help in doing so:

As shown above, we are creating links between different pieces of data that may seem useless if taken separately, but that get a whole new meaning when put together. In order to automate possible root causes of infections, we could create measures indicating the most probable root cause of infection in a given period of time. This data could then be used to drive investments in areas like user awareness, policies and standards, or even to acquire new technology. Of course we are targeting only infections that we can detect, but it’s a way to at least have a better knowledge of your own environment. This data could also feed an incident management process, saving investigation time by suggesting a probable root cause and raising alerts about the risk of a malware outbreak.
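The “probable root cause in a given period” measure and the outbreak alert described above, worked through as an added example (not the author’s own analysis). The detection rows are constructed with the fields listed earlier in the post (family, host, user, time, path, action); the path-to-root-cause rules are a heuristic assumed for the example, since the post only names the removable-drive case (F: or G:), and the family/host/user values are made up.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed detections shaped like the fields listed above; not real SCEP/SCCM output.
DETECTIONS = [
    {"family": "Trojan:Win32/Sample.A", "host": "WS-010", "user": "alice",
     "time": datetime(2017, 10, 2, 9, 15), "path": r"F:\photos\setup.exe", "action": "quarantined"},
    {"family": "Trojan:Win32/Sample.A", "host": "WS-011", "user": "bob",
     "time": datetime(2017, 10, 2, 10, 40), "path": r"G:\setup.exe", "action": "quarantined"},
    {"family": "TrojanDownloader:JS/Sample.B", "host": "WS-012", "user": "carol",
     "time": datetime(2017, 10, 5, 14, 5),
     "path": r"C:\Users\carol\AppData\Local\Microsoft\Windows\INetCache\IE\x.js", "action": "quarantined"},
    {"family": "Trojan:Win32/Sample.C", "host": "WS-013", "user": "dave",
     "time": datetime(2017, 10, 6, 8, 30),
     "path": r"C:\Users\dave\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\invoice.doc",
     "action": "removed"},
    {"family": "Worm:Win32/Sample.D", "host": "WS-014", "user": "SYSTEM",
     "time": datetime(2017, 10, 7, 3, 0), "path": r"C:\Windows\System32\svc.exe", "action": "pending_reboot"},
    {"family": "Trojan:Win32/Sample.A", "host": "WS-015", "user": "erin",
     "time": datetime(2017, 9, 20, 11, 0), "path": r"E:\autorun.exe", "action": "quarantined"},
]

PERIOD_START = datetime(2017, 10, 1)   # constructed reporting period
PERIOD_END = datetime(2017, 11, 1)

# Path pattern -> probable root cause, first match wins. The mapping is an
# assumed heuristic; order matters because the Outlook cache lives under the
# browser cache folder.
RULES = [
    ("removable_media", re.compile(r"^[D-Z]:\\", re.I)),
    ("email_attachment", re.compile(r"\\Content\.Outlook\\", re.I)),
    ("web_download", re.compile(r"\\(INetCache|Temporary Internet Files|Downloads)\\", re.I)),
    ("system_compromise", re.compile(r"^C:\\Windows\\", re.I)),
]


def probable_root_cause(detection):
    """Classify one detection by where the file was found."""
    for cause, pattern in RULES:
        if pattern.search(detection["path"]):
            return cause
    return "unknown"


def root_cause_report(detections, start, end):
    """Count probable root causes over one period: the measure that drives investment decisions."""
    return Counter(probable_root_cause(d) for d in detections if start <= d["time"] < end)


def outbreak_candidates(detections, window=timedelta(days=2), min_hosts=2):
    """Same family on several hosts inside a short window -> outbreak alert for incident management."""
    by_family = {}
    for d in detections:
        by_family.setdefault(d["family"], []).append(d)
    alerts = []
    for family, rows in by_family.items():
        rows.sort(key=lambda d: d["time"])
        for i, first in enumerate(rows):
            hosts = {r["host"] for r in rows[i:] if r["time"] - first["time"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append(family)
                break
    return sorted(alerts)


def users_by_cause(detections, cause):
    """Who to target with awareness for a given root cause."""
    return sorted({d["user"] for d in detections if probable_root_cause(d) == cause})


if __name__ == "__main__":
    print(root_cause_report(DETECTIONS, PERIOD_START, PERIOD_END))
    print("outbreak candidates:", outbreak_candidates(DETECTIONS))
    print("removable media users:", users_by_cause(DETECTIONS, "removable_media"))
```

On the constructed data, removable media is the leading root cause for October, which is the number you would take to an awareness campaign, and `Trojan:Win32/Sample.A` hitting two hosts within two hours is what the outbreak alert catches that a per-host view would not.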

I’m safe to say that if you have the data and the tools to dig into it, you can transform it into information and bring intelligence and facts to the actions you take inside your organization. For higher management, this is key when requesting investments and, most importantly, for doing a good job as a security professional.

As always, feel free to share feedback and your experiences about this subject.

A new “hacking” trend – Mining Bitcoin on the comfort of your browser

You may have already heard about Bitcoin or some other cryptocurrency at work, in talks with friends, in the news or on the internet, so I suppose this subject isn’t new to you. If it is, make sure to check out some good sources about the subject at the end of this post. For now, I’ll be talking about something that I perceive as a new “hacking” trend and maybe even something that companies could use to generate income (if done legally).

Mining Bitcoin is something that happens backstage of the whole Bitcoin subject; people do it to generate their own Bitcoins, or at least used to.

  • So, what is this all about? How does one mine Bitcoins?

The short answer: when people say that someone is mining bitcoin, it basically means that the person or group of people is exchanging their computational power for Bitcoins.

  • Why would I exchange computation power for bitcoins?

The technology behind Bitcoin consists of a huge network of computers; each computer in this network processes transactions made with Bitcoin, something like a real-life broker. So, imagine that you’re buying something from a friend and you’re paying with Bitcoins; by doing that you send the amount of 1 bitcoin to his wallet. For the Bitcoin network to complete the transaction, it must be processed by all computers on the network; this guarantees the transaction’s uniqueness and safely “registers” it on the network.

If you opt to join Bitcoin’s processing network, you will be able to execute and register these kinds of trades, receiving a “salary” for doing so. This is, in simple terms, how you “mine” Bitcoins.
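What “exchanging computational power” concretely means is a proof-of-work search, shown here as an added example that is not from the original post: the miner hashes a block header together with a counter (the nonce) until the double SHA-256 result falls below a target, and each extra bit of difficulty doubles the expected number of hashes. The header bytes are a constructed stand-in for the real 80-byte Bitcoin header, and the difficulty values are kept tiny so the search finishes in well under a second; real network difficulty is what makes the search infeasible for a single home computer.

```python
import hashlib


def sha256d(data: bytes) -> bytes:
    """Bitcoin's double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """A hash 'wins' when, read as a 256-bit number, it is below 2**(256 - bits),
    i.e. it starts with at least difficulty_bits zero bits."""
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Try nonces in order until sha256d(header || nonce) meets the target.
    Returns (nonce, digest, attempts), or None if max_nonce is exhausted."""
    for nonce in range(max_nonce):
        digest = sha256d(header + nonce.to_bytes(4, "little"))
        if meets_target(digest, difficulty_bits):
            return nonce, digest, nonce + 1
    return None


def expected_attempts(difficulty_bits: int) -> int:
    """On average one hash in 2**bits meets the target, so every extra bit doubles the work."""
    return 1 << difficulty_bits


# Constructed header: a real header holds version, previous block hash, merkle
# root, timestamp and target; here a fixed byte string stands in for all of it.
HEADER = b"constructed-block-header:prev=00..00;merkle=ab..cd;time=1508490000"

if __name__ == "__main__":
    for bits in (8, 12, 16):
        nonce, digest, attempts = mine(HEADER, bits)
        print(f"{bits:2d} bits: nonce={nonce:<7d} attempts={attempts:<7d} "
              f"expected~{expected_attempts(bits):<6d} hash={digest.hex()[:16]}...")
```

The printed attempt counts scatter around the expected value, which is the point: the work is a lottery whose odds are set by the target, so whoever can try more hashes per second wins more often, and that is what the browser-based approach described later in the post tries to scale.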

  • Is this profitable?

If you are willing to put your home computer to work while you’re at the office, the short answer is no. Nowadays, there are so many computers “mining” Bitcoins that it is totally unviable to use home computers for it; the electrical power you will use to keep your computer running will exceed the amount of money you’ll make.

  • So, why are hackers using my browser to do that?

That’s the golden question and the answer is scalability.

Imagine Facebook: how many people go to Facebook every day and stay there for a while? A lot… Now, think about my previous statement, where I said that a single home computer won’t be able to mine enough Bitcoins to become profitable. So, what about 1 million computers working together at a given hour/minute/second?

That sounds like a lot of computational power, right? And that’s exactly how it’s being done, not only via browsers but via computer viruses as well.

  • How do they do that?

In a way most people won’t even notice, “hackers” add a piece of code to their websites or to stolen/hacked websites, so when someone opens the site, the piece of code starts using your computer’s power to mine Bitcoins for them through the browser. They usually set the code to use just some of your processing power, so most users won’t notice it, and it stays there sucking your computational power until you leave the website or close the browser completely.

The first one to do this was a famous torrenting site called The Pirate Bay. A few pages of the site were set to mine Bitcoins using their visitors’ processing power; the site said they were testing a way to generate revenue from the people who use their services, but they didn’t alert the user about it and kept doing it until someone noticed and brought it to the news.

Now you are probably asking yourself: how can I detect and avoid this? Until now, you pretty much have two ways of doing it…

  • Stay alert for sudden loss of computer processing power when visiting websites

Or

  • Block resources used by your browser to load and run web pages, more specifically JavaScript

Right now may not be the best time to worry about it, since this technique is pretty new and most sites that do this are the “underground” ones, but it is indeed very interesting to be ready and aware of what comes next.

So, just like me, you may be wondering: will this new trend become popular among hackers? Will my favorite website start doing it for additional revenue? These are questions that only time will be able to answer.

At the end of the day, this probably could be done legally and be an alternative to those annoying ads. In my opinion, this won’t be a problem if visitors and customers are warned about what’s going on with their processors; after all, what’s bad in sharing a little processing power in exchange for access to your favorite content?

As always, thanks for your time reading this and feel free to share any comments about the subject!

References and more content:

Planning your Infosec strategy with ISO 27000

This post is about how to establish your strategy to properly implement the security controls your company needs most, based on the global security standard ISO 27000. First things first: if you have never heard of ISO 27000, here’s a short explanation:

“The ISO/IEC 27000 family of standards helps organizations keep information assets secure.

Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.

ISO/IEC 27001 is the best-known standard in the family providing requirements for an information security management system (ISMS).” Source: https://www.iso.org/isoiec-27001-information-security.html

In other words, ISO 27000 is a series of documents that define, suggest and explain what you, as a manager, need to worry about when defining the information security strategy of your company, using security controls to mitigate risks. There are a few other frameworks that provide guidance on this matter, like the NIST Cyber Security Framework and the SANS Critical Security Controls, but for this post I’ll be referencing ISO. ISO is also the worldwide standard for most companies and is recognized as best practice around the information security matter.

My point here isn’t to get into every single detail of the standard but to bring awareness to everyone who’s seeking directives, good practices or even something to start off with in their company; from small to big business, ISO’s directives can be applied based on your company’s needs.

Talking about business focus/needs, this should be the first thing you have in mind before drawing up your strategy; knowing what your business does and what it’s willing to do is key.

  • Get to know your business needs, worries and how flexible it is to changes in the short-medium term;

As I stated before, this step is key because your business will be very inflexible or even intolerant to changes that impact its operation or sales. You can even get into a complicated situation trying to force safe behaviors in your company, so it’s very important to work with your business, not against it.

  • Summarize the main risks that your business is exposed to;

Map the risks your company is exposed to; for example, if the core business of your company is transporting goods, I would say that the main risks are related to goods transportation, storage and inventory (in a very simplistic analysis). You should then check for controls that mitigate these risks.

  • Check the ISO (or any other framework) for suggested security controls regarding the high risks you’ve mapped before;

Using the example stated before, ISO has a few directives for physical access controls that may make sense to apply in this business scenario. If you check the directives from control domain A.11, for example, you can observe that there are controls for security perimeters, physical entrances, protection against external threats, etc. You can always look at other market standards if ISO doesn’t cover all the gaps; mixing up more than one standard, like ISO, PCI and SOX, will always increase your security maturity.

  • Start with the quick wins first: anything that is easy to implement, any controls that just need some tweak, security policies and standards, or even security awareness;

Based on your maturity ruler (all ISO controls), map the quick wins and show how much progress could be made with them. Showing your board how they can mitigate risks with quick and cheap actions is a good way to acquire their support. Once the board has seen how valuable these risk-mitigating actions are, it will be a lot easier to move on to the hard ones later.

  • Plan the rest of your actions accordingly. Invest your and the company’s resources in actions that will bring valuable results to what the business is worried about;

It is not interesting for a company that doesn’t have, or doesn’t see, the IT department as a core resource for the business to implement all of ISO’s controls aiming at a possible certification.

In the end, remember that 100% secure will never be possible, and at some companies even 50% secure can be a real challenge; you should then be realistic about the current situation and what is feasible to do. I’m summarizing below some key success factors that you should take note of before creating your strategy:

  • Align your strategy to the business. Define how much compliance with the framework is enough for your company to mitigate the main risks;
  • Don’t push long-term cultural changes in short periods of time. Losing stakeholders or sponsorship can end your strategy and even your position;
  • Work on the quick wins first and show the results. In other words, use the 80-20 strategy: fix 80% of the problems with 20% of the effort/resources;
  • After doing the quick wins, show how far your company can go in terms of security, risk mitigation and money saving if more resources were invested in the security plan;
  • Spread security awareness and mentality. The more people you have thinking about security, the more attention and sponsorship your work gets.

At the end of the day, following these tips, planning your strategy aligned to your company’s reality and going one step at a time, your job as information guardian should be done successfully. Companies need to follow the evolution of technology in order to keep up with the market pace, and the business is always looking for profit; it’s your job to keep their feet on the ground and guide them while minimizing the security risks.

Cyber hygiene and security awareness programs

Security-sensitive companies (nowadays almost every single one that is connected to the internet) spend a lot of manpower and, most importantly, financial resources trying to keep their infrastructure and users safe from the most recent threats the internet has to offer. This means spending thousands of dollars on the most recent technology, training people and monitoring the environment. The irony of it all is knowing that all this effort and investment could come down at once with a single click; of course, the more security layers you have, the less chance there is of someone clicking or running something suspicious on his/her computer.

Cyber hygiene comes into place when we look for an answer to this matter. It can be defined as the responsibility of the individual to maintain safe behavior in his actions at the workplace and even at home. Safe behavior, for example, includes checking whether an e-mail is legitimate or expected before opening it or downloading any attachments, and not providing your personal information, like passwords, to anyone. Unfortunately, this kind of behavior isn’t present in most of the companies around the world, and that’s the problem.

Most users have the idea that the company is solely responsible for keeping their information, work tools (such as PCs) and everything that is work related safe and sound from threats. As a result, people usually don’t think about or critically analyze what they are doing before it’s done, for example opening a file that came by e-mail or clicking a link. Others may say that the fast-paced day-to-day tasks leave them no time to stop and analyze everything.

Regardless of the reason, the truth is that everyone should act in their day-to-day work tasks the same way they act on the street or with strangers. You usually don’t accept anything offered by someone you have never seen or who looks suspicious on the street, and you don’t follow people around when they call you over for an irresistible offer at the store around the corner, do you?

So, how should we reach these people and pass on some knowledge about cyber hygiene? It’s crystal clear that people who don’t care about this kind of subject won’t invest much time or attention in it, and making them go through a long training or read extensive documentation won’t bring much result. That’s where security awareness comes in.

Successful security awareness programs should deliver the following:

  • Information relevant to the people you are trying to inform;
  • Quick and easy-to-understand directives (tips);
  • Illustrative images for the messages you send;
  • Gamification of security awareness is also a plus, if possible;
  • Up-to-date subjects: the latest information leaks, attacks or trends;
  • Physical actions: the work desk and behaviors that take place in the physical world should also be included;
  • Recurrence and knowledge evaluation.

Unfortunately, there’s no silver bullet for security awareness programs, but there are directives you should follow and adapt to your reality. The goal is the same for any program: basically, to make people think and question before taking any action.

I would recommend starting small with informative e-mails or maybe phishing campaigns and measuring the results of those actions to check whether they are effective or not. It’s also very important to be aligned with your Human Resources department, as they have the expertise to talk with the employees and maybe require them to take the awareness courses or tests.

There’s an awesome free resource for this kind of awareness, but it is a Brazilian entity with all its content in Portuguese; if you can understand Brazilian Portuguese, I strongly recommend checking this site out. As soon as I find anything like that in English, I’ll be sure to share it with you all.

As usual, feel free to comment below and to get in contact with me.

Hardening HTTPS connections on your server

In this post, I’ll be talking about a very common vulnerability in HTTPS encrypted connections and how to fix it. Most web servers or services that use HTTPS don’t worry about hardening their ciphers and protocols.

The main problem is that encryption protocols and ciphers become obsolete over time and new vulnerabilities arise from their deprecation; for example, SSLv2 and SSLv3 have long been considered vulnerable, and yet you can still find many services that use these protocols.

Getting to what matters, this guide is about allowing only the strongest and compliant protocols on your cryptographic connections on Windows and on some web services on Linux. The procedures in this guide may need to be tweaked in order to work properly in your environment, as I can’t predict all the possible variations. Here are some benefits of applying this hardening guide:

  • It will remediate the attacks known as DROWN, Logjam, FREAK, POODLE and BEAST;
  • Insecure ciphers and protocols will be disabled, such as SSL 2.0, 3.0, PCT 1.0, TLS 1.0, MD5 and RC4;
  • Only the TLS 1.1 and TLS 1.2 protocols will be accepted;
  • These changes are compliant with PCI 3.1 and FIPS 140-2 practices;
  • Old web browsers may no longer work over HTTPS, such as Internet Explorer < 7.0.

Note: it’s highly recommended to use a test environment before applying any change to the production environment.

Windows environments

There’s a tool called IIS Crypto that will do basically everything for you; you can find it here:

  • https://www.nartac.com/Products/IISCrypto
  • IIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2008, 2012 and 2016. It also lets you reorder the SSL/TLS cipher suites offered by IIS, implement best practices with a single click, create custom templates and test your website.

Here’s what to do once you have downloaded it:

  • Run it as administrator;
  • Click the “Best Practices” button;
  • Uncheck the “TLS 1.0” option. TLS 1.0 is no longer recommended or safe. This may break some RDP (Remote Desktop) functionality;
  • Click “Apply”.

That’s it; it’s all done. If you want to check the changes this tool made, do the following:

  • Run “regedit.exe”;
  • Go to the key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL”;
  • Check the new subkeys and values that were created.

You can also do it all by yourself if you want; check out Microsoft’s guides about it:

Linux environments

Doing this kind of thing on Linux is a bit trickier, since there are a lot of distros and several types of web services, so this guide may not apply to everything. Anyway, there’s also a tool that may help you a lot with this; it’s an online tool that can be found at:

It is a web page where you set your web service and its version; once you’ve done that, the tool displays the configuration lines that must be imported into the file that sets the security characteristics of your web server. If you use Apache or any other technology, just navigate to the folder where this file resides and modify it; remember to always keep a backup copy of it.

  • Set your technology (yellow);
  • Set the “modern” option (blue). This defines the acceptable protocols and ciphers, only the good ones;
  • Set the server version and OpenSSL version. “HSTS” is a security header option that may not be compatible with older web applications;
  • Check the configuration to be imported (green).
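Once the generated lines are in place, it is worth checking that no weak protocol or cipher survived in the file. The script below is an added example, not part of this post or of the generator tool: it audits Apache (SSLProtocol/SSLCipherSuite) and nginx (ssl_protocols/ssl_ciphers) fragments for the protocols and ciphers this guide disables, and the three config fragments it contains are constructed for illustration.

```python
import re

# Protocols and cipher-string tokens the guide above disables, plus the OpenSSL
# NULL/EXPORT classes that no modern deployment should offer.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0"}
WEAK_CIPHER_TOKENS = {"RC4", "MD5", "NULL", "aNULL", "eNULL", "EXPORT", "EXP"}
# mod_ssl's "all" keyword turns on every protocol the library knows, SSLv3 and
# TLS 1.0 included (simplified here; old mod_ssl builds also counted SSLv2).
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

PROTO_RE = re.compile(r"^\s*(SSLProtocol|ssl_protocols)\s+([^;\n]+)", re.M | re.I)
CIPHER_RE = re.compile(r"^\s*(SSLCipherSuite|ssl_ciphers)\s+['\"]?([^;'\"\n]+)", re.M | re.I)


def enabled_protocols(config):
    """Protocols enabled by SSLProtocol (Apache) or ssl_protocols (nginx) lines."""
    enabled = set()
    for _, value in PROTO_RE.findall(config):
        for tok in value.split():
            name = tok.lstrip("+-")
            if tok.startswith("-"):                       # "-SSLv3" or "-all"
                enabled -= APACHE_ALL if name.lower() == "all" else {name}
            elif name.lower() == "all":
                enabled |= APACHE_ALL
            else:
                enabled.add(name)
    return enabled


def offered_weak_ciphers(config):
    """Weak tokens that are listed positively, i.e. not excluded with '!' or '-'."""
    found = set()
    for _, value in CIPHER_RE.findall(config):
        for tok in value.split(":"):
            if tok.startswith(("!", "-")):
                continue                                   # explicit exclusion is fine
            found |= set(tok.lstrip("+").split("-")) & WEAK_CIPHER_TOKENS
    return found


def audit(config):
    """Return findings as strings; an empty list means the fragment passes."""
    findings = []
    protos = enabled_protocols(config) & WEAK_PROTOCOLS
    if protos:
        findings.append("weak protocols enabled: " + ", ".join(sorted(protos)))
    ciphers = offered_weak_ciphers(config)
    if ciphers:
        findings.append("weak ciphers offered: " + ", ".join(sorted(ciphers)))
    return findings


# Constructed fragments (not taken from the post): a typical "before" state and
# the kind of TLS 1.1/1.2-only configuration the generator's modern profile gives.
WEAK_APACHE = """
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL
"""
HARDENED_APACHE = """
SSLEngine on
SSLProtocol -all +TLSv1.1 +TLSv1.2
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5:!RC4
SSLHonorCipherOrder on
"""
WEAK_NGINX = """
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'HIGH:RC4-MD5:!aNULL';
"""

if __name__ == "__main__":
    for name, cfg in [("weak apache", WEAK_APACHE), ("hardened apache", HARDENED_APACHE),
                      ("weak nginx", WEAK_NGINX)]:
        print(name, "->", audit(cfg) or "OK")
```

Run it against the real file with `audit(open("/etc/apache2/sites-enabled/default-ssl.conf").read())` or the equivalent nginx path; the check only reads the config, so it is safe to run on production before a reload.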

All right, you are all good now, or at least better than before. The main downside of doing all this is that some old browsers may have issues connecting to your web page or service. Older versions of IE like 6 or 7 do not support TLS 1.1 or higher.

If you are worried about this, you can check out this awesome reference on Wikipedia, which compiles the HTTPS support of most browsers; look for the big table named “TLS/SSL support history of web browsers”.

Comments are always welcome!

Installing and running Cuckoo malware analysis platform – Part 2

As I promised, this is my second post of the Cuckoo tutorial set; I’ll be guiding you through the process of making a Windows VM (the sandbox) where Cuckoo will run all the malware you throw at it. This part will also show a first run of the platform.

It is important to state that this step isn’t as easy as it seems; the hardest part is tuning the VM as much as possible so that most of the malware found around the internet won’t be able to identify it as a VM. Malware nowadays has various ways to check whether it is being run on a VM or on a real host. This happens because the people who make it put a lot of effort into doing so, and they won’t be pleased to know that their malware got reverse engineered and countered.

To start off, as you could have imagined, you are going to need a Windows 7 ISO image to install on your new VM. Check the list below for the recommended specs; some specs are also checkpoints for malware, like HD size and available memory. Remember that this tutorial is based on a VirtualBox environment.

  • At least 60 GB HD;
  • At least 2 GB RAM;
  • At least 2 processor cores;
  • Set the “Pointing Device” to “PS/2 Mouse” (this may cause the mouse to malfunction while operating the VM on the Linux machine through xRDP);
  • Set the processor execution cap at 100%;
  • Enable the extended feature “PAE/NX”;
  • Enable hardware virtualization “VT-x/AMD-V” and “Nested Paging”;
  • No video acceleration is required;
  • Set the network to “Host-only adapter”.

After setting up the characteristics of the VM, it is time to install your Windows 7 image. It’s best to install a fully up-to-date image, since your sandbox should look like a real machine. After doing the steps above, your VM should look something like this:

[Screenshot: capture6]

Note that my VM has only a 40 GB HD; this is something I came across while creating it and running some tests on it. It is widely advised that you build yours with at least an 80 GB HD, since this is something that malware nowadays checks for. So, when Windows finishes installing, there are some steps you’ll need to take to keep up with the setup of your sandbox; here they are:

  • Do not install VirtualBox Guest Additions. Some malware looks for registry entries and may find those. If you do install them, this guide covers the cleanup later;
  • Fully update the system via Windows Update;
  • Turn off Windows Update after the step above;
  • Turn off Windows Firewall;
  • Turn off Windows Defender;
  • Turn off Security Center;
  • Turn off UAC;
  • Turn off all the notifications you will get by disabling these services;
  • Set the “Adjust for Better Performance” option in System Properties;
  • Set a fixed IP address. Cuckoo’s default network is 192.168.56.x, so you can set yours to something like 192.168.56.7. This address must be placed in the virtualbox.conf file in the Cuckoo conf folder (check part 1);
  • Set the video resolution to 1024×768;
  • Put some filler in the user folders, like images and music, and also surf the web a bit to build up browser history.

Now that you’re done tweaking Windows, it’s time to install all the software and tools you will need to run the vast majority of malware you will find. You have basically 3 ways to do so:

  • First, set up an ISO image with all the software you need inside it and mount it on the VM;
  • Second, make a network share between your host machine and the VM, then move the files to the VM;
  • Third, and least recommended, install VirtualBox Guest Additions and transfer all the files.

The third way is the least recommended because, as I already stated above, it leaves traces on the machine that it is a virtual machine. You can still install it and remove all the registry entries that relate to VirtualBox; I’ve done that. So, about the software you need to install, here’s the list:

  • Microsoft Office 2013 x86 (32 bits)
  • Microsoft .NET Framework 4.6 and 4.6.1
  • Microsoft Visual C++ 2005, 2008, 2010, 2012, 2013, 2015
  • Adobe Reader v9.0
  • Flash Player v11
  • Java RE 6 (I’ve installed v6u22)
  • Python 2.7
  • Pillow 2.9.0
  • 7zip
  • Cuckoo agent “agent.pyw”
  • PaFish – Paranoid Fish (tool used to check whether the VM is well obfuscated or not)

After every installation, be sure to run the software for the first time and accept any terms it may pop up; also leave it maximized and then close it. Cuckoo won’t be able to run every single piece of software that exists; it is compatible with some software at specific versions. Be sure to check the Cuckoo documentation for details about this.

You can find all this software around the web with a few clicks, but I know how boring it would be to gather all this stuff. Knowing that, I will soon put a link in this post with everything you need in a single ISO file, stay tuned. x64 versions or more recent versions of some software, such as Office and Adobe Reader, may not work properly with Cuckoo; you can try them out if you want.

Going forward, there are still some things you need to do before you can fire Cuckoo up. There’s a piece of software from the Cuckoo platform that we need to put on the VM so it starts every time the VM runs: the “agent.pyw”. You can find the file in the Cuckoo directory that you downloaded before. Here are the steps:

  • On the Windows VM, navigate to “C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup”;
  • Put the agent.pyw file in that folder.

All right, we now need to add a file I made myself which makes some changes to Windows every time you start it up. Since Cuckoo will run a snapshot of the live VM, as soon as the VM fires up to analyze a sample, this script will clear some things that may be used by malware for VM detection, such as the registry entries from Guest Additions.

  • Open up Notepad;
  • Type in the following:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\SYSTEM]
"SystemBiosDate"="06/12/10"
"SystemBiosVersion"="BC1.05"
"VideoBiosVersion"="VC1.20"

[-HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__]
[-HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\VBOX__]
[-HKEY_LOCAL_MACHINE\HARDWARE\ACPI\RSDT\VBOX__]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions]
; .reg files do not support wildcards, so each Guest Additions service key is listed explicitly
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxService]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxSF]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CriticalDeviceDatabase\pci#ven_80ee&dev_cafe]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E97D-E325-11CE-BFC1-08002BE10318}\0020]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VBoxGuest\Enum]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E97D-E325-11CE-BFC1-08002BE10318}\0020]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\CriticalDeviceDatabase\pci#ven_80ee&dev_cafe]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E97D-E325-11CE-BFC1-08002BE10318}\0020]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase\pci#ven_80ee&dev_cafe]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VBoxGuest\Enum]
  • Save the file with any name you want and the extension “.reg”;
  • Put it, or create a shortcut to it, in the startup folder “C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup”.

[Screenshot: capture2]

This file will erase a few registry entries and rewrite some BIOS data about the machine.

[Screenshot: capture3]

The next step is to delete a device that is installed by VirtualBox; it gets there every time the machine starts up. I couldn’t find any other way to prevent it from being installed or to remove it with a script. If you find a way to do that in a more automated way, please let me know!

[Screenshot: capture1]

It’s almost over now; run the “pafish” tool to check how well disguised your VM is. I couldn’t make mine perfect; from all the research I’ve done, many have stumbled on the same things I have, and I didn’t find out how to fix them. Anyway, here’s how it should look.

[Screenshot: capture4]

[Screenshot: capture5]

As you can see, I got detected on a few things, which means that my sandbox setup isn’t as good as it could be.

For the final steps, you’ll need to do the following:

  • Export the VM to an “.ova” file (if you were using VirtualBox outside of the Cuckoo Linux host) and move it to the Linux host;
  • Import the machine into VirtualBox on the Linux host:
    • Log in to the Linux host with xRDP
    • Open a console and type "sudo virtualbox"
    • Import the appliance
  • Close VirtualBox and type the following in the console:
    • sudo vboxmanage list vms (check the VM name)
    • sudo vboxmanage controlvm "Sandbox-Windows7" poweroff (make sure it’s off)
    • sudo vboxmanage startvm "Sandbox-Windows7"
    • Wait for the machine to start, manually uninstall the device shown above, then close every window and leave the desktop clear
    • Go back to the console on the Linux host and type: sudo vboxmanage snapshot "Sandbox-Windows7" take "baseline" --pause
    • sudo vboxmanage controlvm "Sandbox-Windows7" poweroff
    • sudo vboxmanage snapshot "Sandbox-Windows7" restorecurrent

OK, from now on VirtualBox is ready to receive the samples from Cuckoo, and the virtual machine will turn on right where we left it when a job is sent. You should double-check the Cuckoo conf files to make sure that all settings match the VM; for example, the IP address you set on the VM must be the same in the virtualbox.conf file, as well as the VM name.
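A script for that double-check, added here as an example (it is not Cuckoo’s own code): it reads the machines listed in virtualbox.conf (Cuckoo’s [virtualbox] machines key and the per-machine label, ip and snapshot keys) and compares them with what VirtualBox reports for the VM, the host-only address range, the snapshot name and the VM state. The sample conf and VBoxManage outputs are constructed; the nic1, VMState and CurrentSnapshotName keys are assumed from the key="value" format of showvminfo --machinereadable.

```python
import configparser
import ipaddress
import re

# Host-only network from part 1: vboxnet0 is 192.168.56.0/24 and .1 is the Linux host.
HOSTONLY_NET = ipaddress.ip_network("192.168.56.0/24")
HOST_IP = ipaddress.ip_address("192.168.56.1")


def parse_conf(text):
    """Return {section: settings} for every machine named in [virtualbox] machines."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    names = [n.strip() for n in cp["virtualbox"]["machines"].split(",") if n.strip()]
    return {n: dict(cp[n]) for n in names}


def parse_list_vms(output):
    """'VBoxManage list vms' prints one '"Name" {uuid}' line per registered VM."""
    return set(re.findall(r'^"(.*)" \{[0-9a-f-]+\}$', output, re.M))


def parse_machinereadable(output):
    """Turn the key="value" lines of 'showvminfo --machinereadable' into a dict."""
    return dict(re.findall(r'^([^=\n]+)="?([^"\n]*)"?$', output, re.M))


def check(conf_text, list_vms_output, vminfo_by_label):
    """Return mismatches between the conf and VirtualBox; an empty list means they agree."""
    findings = []
    registered = parse_list_vms(list_vms_output)
    for section, m in parse_conf(conf_text).items():
        label = m.get("label") or section
        if label not in registered:
            findings.append(f"{label}: not registered in VirtualBox (check 'label')")
            continue
        info = parse_machinereadable(vminfo_by_label.get(label, ""))
        ip = ipaddress.ip_address(m["ip"])
        if ip not in HOSTONLY_NET or ip == HOST_IP:
            findings.append(f"{label}: ip {ip} is not a free guest address on {HOSTONLY_NET}")
        if info.get("nic1") != "hostonly":
            findings.append(f"{label}: nic1 is {info.get('nic1')!r}, expected a host-only adapter")
        current = info.get("CurrentSnapshotName")
        if not current:
            findings.append(f"{label}: no snapshot; take one before sending jobs")
        elif m.get("snapshot") and m["snapshot"] != current:
            findings.append(f"{label}: conf snapshot {m['snapshot']!r} != current {current!r}")
        if info.get("VMState") not in ("poweroff", "saved"):
            findings.append(f"{label}: VMState {info.get('VMState')!r}; stop it so Cuckoo can restore the snapshot")
    return findings


# Constructed sample inputs (not captured from a real host) matching the steps above.
SAMPLE_CONF = """[virtualbox]
mode = headless
interface = vboxnet0
machines = cuckoo1

[cuckoo1]
label = Sandbox-Windows7
platform = windows
ip = 192.168.56.7
snapshot = baseline
"""
SAMPLE_LIST_VMS = '"Sandbox-Windows7" {0f1e2d3c-0000-4000-8000-000000000001}\n'
SAMPLE_VMINFO = {"Sandbox-Windows7": 'name="Sandbox-Windows7"\nVMState="saved"\nnic1="hostonly"\n'
                 'hostonlyadapter1="vboxnet0"\nSnapshotName="baseline"\nCurrentSnapshotName="baseline"\n'}

if __name__ == "__main__":
    print(check(SAMPLE_CONF, SAMPLE_LIST_VMS, SAMPLE_VMINFO) or "conf and VirtualBox agree")
```

On the Cuckoo host, feed check() the contents of conf/virtualbox.conf plus the real output of VBoxManage list vms and of VBoxManage showvminfo <label> --machinereadable for each VM.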

Now it’s time to run a few commands and try out Cuckoo; do the following and start testing!

  • Start the VirtualBox host-only network interface (you will have to do this every time the Linux host boots)
    • VBoxManage hostonlyif create
    • VBoxManage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0 (if you didn’t change the default IP address, it will be the same)
  • Open two console windows on the Linux host
  • Run sudo -i to make sure you have root privileges in both
  • Navigate to the main Cuckoo folder and type this:
    • python cuckoo.py -d
  • In the other console, also navigate to the Cuckoo main folder, then into the web folder, and type this:
    • python manage.py runserver 192.168.X.X:80 (where 192.168.X.X is the IP address of the Linux host)

[Screenshot: capture9]

Now you can go to your browser and type in the IP address of your Linux host; if everything went fine, you should see this:

[Screenshot: capture10]

Try out Cuckoo by sending your first sample. You can also check out the VM working on its own.

[Screenshot: capture11]

[Screenshot: capture12]

And that’s it!

It’s all good to go and you can start testing. Check out the results of any analysis you make in the web interface. You can open xRDP on Linux to watch Cuckoo working or to troubleshoot any problems you face.

I hope I’ve covered everything in these two parts; if you run into any trouble or have ideas or suggestions, please comment below or just leave your feedback. I’ll be around to improve anything that may need an extra touch.