5-23-14 Podcast Resources

“The measure of progress of civilization is the progress of the people.”

– George Bancroft


Sleeping companies lose big from employee, executive fraud

http://www.csoonline.com/article/2158625/fraud-prevention/sleeping-companies-lose-big-from-employee-executive-fraud.html

http://www.darkreading.com/vulnerabilities---threats/insider-threats/privileged-use-also-a-state-of-mind-report-finds/d/d-id/1269145?

C-IT Recommendations

  1. Set up a fraud reporting hotline and educate employees on the kinds of activity considered fraudulent, to eliminate any grey areas.
  2. Verify your company has an effective and enforced access control standard and policy that defines roles and baselines for system administrators. Ensure the standard and policy state that access is removed when an employee transfers within the organization or leaves it.
    1. Roles should be defined specifically by what is needed to perform the duties of the role, and only those duties.
    2. Privileged access should be granted to roles, not to individual users. Individual users are then added to roles according to their positions.
      1. e.g. a Database Administrator should not have the rights of the Operating System Administrator.
  3. Perform periodic access reviews for privileged account users. Any users or groups discovered to have unnecessary access should have that privileged access removed immediately.
  4. Use job rotation and mandatory vacations for all privileged roles. Job rotation makes administrators aware that
    1. someone else will step in to perform their job responsibilities and may detect malicious behavior, which consequently deters the administrator from behaving maliciously.
  5. Use dual control (separation of duties) for highly sensitive activities.
    1. e.g. the individual who makes changes to production source code hands the changes off to someone else for installation control.
    2. This deters malicious behavior because each individual knows an honest employee may detect it.

Article Resources

Association of Certified Fraud Examiners 2014 Global Fraud Study

http://www.acfe.com/rttn/docs/2014-report-to-nations.pdf

“Fraud prevention: Improving Internal Controls”

http://www.csoonline.com/article/2127917/fraud-prevention/fraud-prevention--improving-internal-controls.html

Ponemon Institute Privileged User Abuse & The Insider Threat Report

http://www.trustedcs.com/resources/whitepapers/Ponemon-RaytheonPrivilegedUserAbuseResearchReport.pdf

Role Based Access Control (has links to other resources, including the “Economic Benefits of Role Based Access Control”)

http://csrc.nist.gov/groups/SNS/rbac/


 

‘Nemanja’ POS malware compromises 1,500 devices, half a million payment cards, worldwide

http://www.scmagazine.com/nemanja-pos-malware-compromises-1500-devices-half-a-million-payment-cards-worldwide/article/348183/

http://www.securityweek.com/most-2013-data-breaches-affected-e-commerce-and-pos-systems-trustwave

C-IT Recommendation

  1. Ensure your organization has Firewalls/Intrusion Prevention Solutions in place that will block incoming attempts to infect PCs.
  2. Ensure your organization has a solid anti-malware solution at the end point and that all endpoints are covered.
  3. Enforce a patch management standard in your organization which requires security patches to be deployed in the production environment within a reasonable time after they are tested within your test environment.
  4. Test business functionality of each type of device and record any issues impacting any business functions on the devices.
  5. If no issues result in the testing, deploy the security updates to the production systems. If functionality impacting issues occur on the test devices, engage vendor support if specific applications are negatively impacted.
  6. Consult with your Vulnerability and Threat Management Team (VTM) to verify all production systems are patched with the latest updates.
  7. Implement an advanced malware solution such as Invincea FreeSpace, FireEye Web Security (NX Series) or Sourcefire FireAMP to block unauthorized outbound connections initiated from your internal network.

 

Diluted Freedom Act passes House to privacy advocates’ dismay

http://www.scmagazine.com/diluted-freedom-act-passes-house-to-privacy-advocates-dismay/article/348211/

 

5-22-14 Podcast Resources

“In business, what’s dangerous is not to evolve.”

-Jeff Bezos


eBay hacked, all users asked to change passwords

http://www.scmagazine.com/ebay-hacked-all-users-asked-to-change-passwords/article/347967/

http://www.securityweek.com/after-cyberattack-ebay-recommends-password-change

http://www.infosecurity-magazine.com/view/38528/researchers-blast-ebay-over-data-breach/

http://www.darkreading.com/attacks-breaches/ebay-database-hacked-with-stolen-employee-credentials-/d/d-id/1269093?

http://www.csoonline.com/article/2158083/data-protection/how-to-protect-your-company-from-an-ebay-like-breach.html

C-IT Recommendation

  1. Ensure your organization has Firewalls/Intrusion Prevention Solutions in place that are capable of blocking incoming malicious activity.
  2. Verify your security appliances are reporting to a Security Information and Event Management tool (SIEM) that correlates events and displays intelligible information to security analysts.
  3. Validate your organization has an efficient Security Operations Center (SOC) in which trained analysts alert on potentially malicious events or malicious sources.
  4. Ensure your entity has a log management standard, policy and procedure that addresses
    1. Log retention - ensuring that all computer logs can be accessed in the case of an investigation
    2. Log reviews - enabling the possible early detection of events based upon irregular log entries
  5. Consider using two-factor authentication for your customer base to minimize the probability of accounts being compromised.
  6. Verify your company has an effective and enforced data classification standard that requires data owners to seriously assess data sensitivity and requires data custodians to secure the information on a need-to-know basis.
  7. Perform periodic access reviews for data stores and applications housing highly classified or confidential information to ensure appropriate access is enforced. Any users or groups discovered to have access without a need for it should have that access removed immediately.
  8. Confirm network segmentation in your environment so that only required devices are able to access networks where highly classified or confidential data resides.

Article Resources

SANS Article “What is the Role of a SIEM in Detecting Events of Interest?”

http://www.sans.org/security-resources/idfaq/siem.php

NIST Guide to Computer Security Log Management

http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf

Ebay blog announcement

https://blog.ebay.com/ebay-inc-ask-ebay-users-change-passwords/

Ebay Frequently Asked Questions Concerning the Breach

http://www.ebayinc.com/in_the_news/story/faq-ebay-password-change


 

DHS: Control system of U.S. utility company hacked

http://www.scmagazine.com/dhs-control-system-of-us-utility-company-hacked/article/347990/

http://www.securityweek.com/ics-cert-report-highlights-industrial-control-system-security-failures

C-IT Recommendation

  1. If your organization's business includes power plants, oil or gas refineries, telecommunications facilities, transportation, or water and waste control, it is most likely using SCADA equipment. If not, consult with your HVAC, telecom and facilities departments and perform an asset inventory of your SCADA equipment. Your configuration management database (CMDB) should record each product's manufacturer.
  2. Ensure your company has policies and procedures to maintain the asset inventory, including all SCADA systems and each piece of industrial equipment controlled by the SCADA technology.
  3. Disable the web service. Disabling the HTTPS service while still maintaining manageability of the device can be accomplished in a number of ways. Manage the device through a command line service such as SSH, or use a Device Cloud account to centrally manage all the devices. Further, if the HTTPS service is enabled on a public IP on the Internet, restrict the HTTPS web interface to specific IPs or disable it.
  4. Check services. If any HTTPS services have been implemented in Python, evaluate the code and make sure it is not affected. If shell scripts use the OpenSSL commands, ensure the TLS Heartbeat extension is mitigated.
  5. Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  6. Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  7. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
  8. Remove, disable or rename any default system accounts wherever possible.
  9. Implement account lockout policies to reduce the risk from brute forcing attempts.
  10. Establish and implement policies requiring the use of strong passwords.
  11. Monitor the creation of administrator level accounts by third-party vendors.
  12. Apply patches in the ICS environment, when possible, to mitigate known vulnerabilities.

Article Resources

C-IT Podcast on Industrial Control System News

http://www.c-itsecurity.com/?p=91

Industrial Control Systems Computer Emergency Response Team January-April Newsletter

http://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_%20Jan-April2014.pdf

Industrial Control Systems Computer Emergency Response Team Defense in Depth Principles

http://ics-cert.us-cert.gov/sites/default/files/recommended_practices/Defense_in_Depth_Oct09.pdf


 

IBM Chokes Off APTs with Trusteer Apex Launch

http://www.infosecurity-magazine.com/view/38521/ibm-chokes-off-apts-with-trusteer-apex-launch/

C-IT Recommendation

  1. Ensure your organization has a solid anti-malware solution at the end point and that all endpoints are covered.
  2. Enforce a patch management standard in your organization which requires security patches to be deployed in the production environment within a reasonable time after they are tested within your test environment.
  3. Test business functionality of each type of device and record any issues impacting any business functions on the devices.
  4. If no issues result in the testing, deploy the security updates to the production systems. If functionality-impacting issues occur on the test devices, engage vendor support if specific applications are negatively impacted.
  5. Consult with your Vulnerability and Threat Management Team (VTM) to verify all production systems are patched with the latest updates.
  6. Perform an asset inventory of all computers running Windows XP Operating system.
  7. Develop a deployment plan to upgrade all Windows XP OS systems to a Microsoft supported OS or purchase additional support for your Windows XP machines from Microsoft to receive Microsoft XP patch releases.
  8. Implement an advanced malware solution such as Invincea FreeSpace, FireEye Web Security (NX Series) or Sourcefire FireAMP to block unauthorized outbound connections initiated from your internal network.

Article Resources

Ponemon Institute 2014 Cost of Data Breach Study News release

http://www-03.ibm.com/press/us/en/pressrelease/43825.wss


 

Study finds payment card info most compromised, breach detection lags

http://www.scmagazine.com/study-finds-payment-card-info-most-compromised-breach-detection-lags/article/347997/


 

Microsoft Silverlight bugs added to Angler Exploit Kit, trojans delivered via malvertising

http://www.scmagazine.com/microsoft-silverlight-bugs-added-to-angler-exploit-kit-trojans-delivered-via-malvertising/article/348001/

C-IT Recommendation

  1. Ensure your organization has a solid anti-malware solution at the end point and that all endpoints are covered.
  2. Enforce a patch management standard in your organization which requires security patches to be deployed in the production environment within a reasonable time after they are tested within your test environment.
  3. Test business functionality of each type of device and record any issues impacting any business functions on the devices.
  4. If no issues result in the testing, deploy the security updates to the production systems. If functionality-impacting issues occur on the test devices, engage vendor support if specific applications are negatively impacted.
  5. Consult with your Vulnerability and Threat Management Team (VTM) to verify all production systems are patched with the latest updates.
  6. Ensure your company is using a web content filtering solution to prevent users from accessing malicious websites.
  7. Validate that the web content filtering solution is running the latest stable version with the latest site signature updates.
  8. Implement an advanced malware solution such as Invincea FreeSpace, FireEye Web Security (NX Series) or Sourcefire FireAMP to block unauthorized outbound connections initiated from your internal network.

Article Resources

Cisco Security blog on the Angler Exploit

http://blogs.cisco.com/security/angling-for-silverlight-exploits/

CVE-2013-0074

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0074

 

5-15-14 Podcast Resources

“Most people do not listen with the intent to understand; they listen with the intent to reply.”

– Stephen Covey


Man pleads guilty to selling compromised POS systems, loading up Subway gift cards

http://www.scmagazine.com/man-pleads-guilty-to-selling-compromised-pos-systems-loading-up-subway-gift-cards/article/347146/

http://www.securityweek.com/former-subway-franchise-owner-pleads-guilty-pos-system-hacking

C-IT Recommendation

  1. Use strong passwords for terminal login accounts and change them regularly.
  2. Keep POS operating systems and POS software applications updated with the latest patches.
  3. Install a firewall.
  4. Ensure a solid antivirus solution is running on the PoS terminals.
  5. Restrict access to the Internet. POS terminals should not be allowed to access the Internet.
  6. Disallow remote access so
  7. Encrypt traffic between terminals, servers and the payment card processor.

Article Resources

US-CERT Malware Targeting Point of Sale Systems Advisory

https://www.us-cert.gov/ncas/alerts/TA14-002A

Protecting PoS Environments Against Multi-Stage Attacks

http://www.symantec.com/content/en/us/enterprise/white_papers/b-protecting-pos-environments-against-multi-stage-attacks-WP-21327754.pdf

Retailers join forces to share threat intelligence

http://www.scmagazine.com/retailers-join-forces-to-share-threat-intelligence/article/347215/

http://www.securityweek.com/retailers-share-cyber-threat-intelligence-through-new-retail-isac

http://www.csoonline.com/article/2156060/data-protection/how-retailers-can-boost-security-through-information-sharing.html

C-IT Recommendation

  1. Research security sharing communities your organization can participate in. Delegate someone from your organization to be a contributor and also a liaison to the organization.
  2. If no official organization exists, consider starting one for your industry or for your town's key businesses to participate in.

Article Resources

Retail Cyber Intelligence Sharing Center

http://www.r-cisc.org/

Security for Business Innovation Council

http://www.emc.com/emc-plus/rsa-thought-leadership/sbic/index.htm


 

PayPal Fixes Vulnerabilities In MultiOrder Shipping Application

http://www.securityweek.com/paypal-fixes-vulnerabilities-multiorder-shipping-application

5-15-14 Podcast Resources

“You have to be very nimble and very open minded. Your success is going to be very dependent on how you adapt.”

-Jeremy Stoppelman


NIST standard puts security at start of critical systems development

http://www.scmagazine.com/nist-standard-puts-security-at-start-of-critical-systems-development/article/346988/

http://www.securityweek.com/review-nist-crypto-standards-and-development-process-kicks

C-IT Recommendation

  1. Find out if your Information Technology organization has security embedded into the Software Development Life Cycle. This applies regardless of whether your organization does in-house development or not. No new system should be released to the public or deployed in your organization without undergoing a security review.
  2. Verify your IT organization has controls to protect the integrity of the software products you are selling to, or using on behalf of, your customers.
  3. Verify your organization has a release management process that requires input from the information security organization. Release management is the process intended to oversee the development, testing, deployment and support of software releases.
  4. Verify your organization has a change management process that requires approvals from the information security organization. Change management is the process of ensuring that no one can make system modifications without the modifications being reviewed and approved by a group of authorized individuals who have vetted the change and judged the risks associated with it to be acceptable.

Article Resources

NIST Publication draft Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems

http://www.scmagazine.com/nist-standard-puts-security-at-start-of-critical-systems-development/article/346988/

ISO/IEC 15288:2008 – Systems and software engineering — System life cycle processes

http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=43564


 

F-Secure offers NSA-proof sync and share service

http://www.infosecurity-magazine.com/view/38413/fsecure-offers-nsaproof-sync-and-share-service/

C-IT Recommendation

  1. Evaluate the organizational risks of allowing users in your organization to use online document sharing sites such as Dropbox, Google Drive and Microsoft OneDrive. Understand that once the information leaves your organization you no longer have control over it. This evaluation should include input from your core business leaders, the legal department, and the information technology and security leadership.
  2. Make an organizational decision as to whether or not you will allow users to store files on online document sharing sites.
  3. Ratify a data storage policy that explicitly addresses your directives for storing files on online document sharing sites.
  4. If you decide to disallow the use of online document sharing sites, consider blocking those sites on your web content filter appliance.
  5. Evaluate the total cost of ownership and return on investment for deploying tools that manage shadow IT.

Article Resources

Cloud Computing: Case Studies and Total Costs of Ownership

http://ejournals.bc.edu/ojs/index.php/ital/article/view/1871/1709


 

Phishers Target Execs With Sophisticated Wire Transfer Scam

http://www.securityweek.com/phishers-target-execs-sophisticated-wire-transfer-scam

C-IT Recommendation

  1. Notify your financial and accounts payable departments of these attacks and the techniques.
  2. Verify all transactions with your third party partners and vendors, especially when refunding money (phone calls directly to a known phone number).
  3. Provide enhanced education and awareness of these types of attacks.
  4. If you have fallen victim to this attack, notify your local FBI office immediately.

 

Adobe patches critical flaws in Reader, Acrobat, Flash Player and Illustrator

http://www.csoonline.com/article/2154842/adobe-patches-critical-flaws-in-reader-acrobat-flash-player-and-illustrator.html

http://www.securityweek.com/microsoft-adobe-patch-critical-security-vulnerabilities

C-IT Recommendation

  1. Enforce a patch management standard in your organization which requires security patches to be deployed in the production environment within a reasonable time after they are tested within your test environment.
  2. Test business functionality of each type of device and record any issues impacting any business functions on the devices.
  3. If no issues result in the testing, deploy the security updates to the production systems. If functionality impacting issues occur on the test devices, engage Adobe support and/or vendor support if specific applications are negatively impacted.
  4. Consult with your Vulnerability and Threat Management Team (VTM) to verify all production systems are patched with the latest updates.
  5. Perform an asset inventory of all computers running Windows XP Operating system.
  6. Develop a deployment plan to upgrade all Windows XP OS systems to a Microsoft supported OS or purchase additional support for your Windows XP machines from Microsoft to receive Microsoft XP patch releases.
  7. Implement an advanced malware solution such as Invincea FreeSpace, FireEye Web Security (NX Series) or Sourcefire FireAMP to block unauthorized outbound connections initiated from your internal network.

Article Resources

Adobe Security Bulletin for Adobe Illustrator (CS6)

http://helpx.adobe.com/security/products/illustrator/apsb14-11.html

Adobe Security Bulletin for Adobe Flash Player

http://helpx.adobe.com/security/products/flash-player/apsb14-14.html

Adobe Security Bulletin for Adobe Reader and Acrobat

http://helpx.adobe.com/security/products/acrobat/apsb14-15.html

 

5-14-14 Podcast Resources

“Surviving a failure allows you more self confidence. Failing is a great learning tool, but it must be kept to an absolute minimum.”

-Jeffrey Immelt


CISOs at top firms relay security investment strategies

http://www.scmagazine.com/cisos-at-top-firms-relay-security-investment-strategies/article/346809/

SBIC Key Recommendations

1. Look at least three years ahead when creating a game plan for security investments, and enhance existing assets by integrating the technologies already in use.

2. Consider cutting-edge technologies (such as big data analytics, security intelligence platforms, and governance, risk and compliance (GRC) management tools) to help security teams better see the “bigger picture”.

3. Maximize the value of current investments by formalizing deployment efforts. In doing so, companies can better estimate operational costs and enhance management capabilities, including security tool maintenance and monitoring.

C-IT Recommendation

  1. Ensure your organization has a structured framework to address security. Frameworks provide a foundation on which to build effective security practices within an organization. Examples of frameworks include the National Institute of Standards and Technology Framework, International Organization for Standardization 27001, and the Information Systems Audit and Control Association's Control Objectives for IT. A framework:
    1. Ensures your organization has a plan for Information Security
    2. Provides direction for developing information security policies, procedures, standards and guidelines
    3. Ensures organizations have administrative, physical and technical controls to deter, detect and/or prevent malicious behavior

Article Resources

“Transforming Information Security: Focusing on Strategic Technologies,”

http://www.emc.com/collateral/solution-overview/h13125-report-sbic-strategic-technologies.pdf

Security for Business Innovation Council Report Repository

http://www.emc.com/microsites/rsa/security-for-business-innovation-council.htm


 

Enterprises Generate 10,000 Security Events Per Day on Average: Report

http://www.securityweek.com/enterprises-generate-10000-security-events-day-average-report

C-IT Recommendation

  1. Consult with your Security organization and ensure you have all the necessary tools to
  2. Verify your security appliances are reporting to a Security Information and Event Management tool (SIEM) that correlates events and displays intelligible information to security analysts.
  3. Validate your organization has an efficient Security Operations Center (SOC) in which trained analysts understand the priority types of events and the targets in your organization.
  4. Evaluate your organization's incident response capability by asking the questions “Do we have adequate technology, intelligence and staffing to detect, contain, eradicate and recover from security events? Is it more cost-effective to hire more people or to purchase a service to do this for the organization?”

Article Resources

Damballa State of Infections Report Q1 2014

https://www.damballa.com/downloads/r_pubs/Damballa_Q114_State_of_Infections_Report.pdf


 

BlackBerry Fixes Vulnerabilities Related to Heartbleed, Flash

http://www.securityweek.com/blackberry-fixes-vulnerabilities-related-heartbleed-flash

C-IT Recommendation

  1. Perform an asset inventory of all company-owned BlackBerry devices using company-provided cell phone service. Your company should have a configuration management database showing which devices have which operating system versions.
  2. Ensure your patch management policy

Article Resources

Blackberry Flash Advisory

http://btsc.webapps.blackberry.com/btsc/viewdocument.do?externalId=KB35925&sliceId=1&cmd=displayKC&docType=kc&noCount=true&ViewedDocsListHelper=com.kanisa.apps.common.BaseViewedDocsListHelperImpl

Blackberry Heartbleed Advisory

http://btsc.webapps.blackberry.com/btsc/viewdocument.do;jsessionid=623F80158D7C2E32CDA4746B0A8F9B3A?externalId=KB35955&sliceId=1&cmd=displayKC&docType=kc&noCount=true&ViewedDocsListHelper=com.kanisa.apps.common.BaseViewedDocsListHelperImpl

 

 

5-13-14 Podcast References

“Rule No. 1: Never lose money; Rule No. 2: Don’t forget Rule No. 1.”

-Warren Buffett


Global Hoster Point DNS Suffers Major DDoS Attack

http://www.infosecurity-magazine.com/view/38370/global-hoster-point-dns-suffers-major-ddos-attack/

In related news

Hijacked anti-DDoS servers used to carry out massive DDoS attack

http://www.scmagazine.com/hijacked-anti-ddos-servers-used-to-carry-out-massive-ddos-attack/article/346619/

C-IT Recommendation

  1. Ensure your organization has a strong asset inventory with an accurate configuration management database.
  2. Identify all devices that are providing NTP or DNS services and evaluate the release and configuration settings of each device. Ensure you have published standards, policies and procedures that address the requirement to keep your key critical infrastructure assets up to date.
  3. Validate that your organization has a Vulnerability Management program that regularly scans your environment against the latest threats and specifies remediation activities when vulnerabilities are discovered.
  4. Identify any security devices and ensure the patches for those devices have been kept up to date with the latest operating system and vendor security patches. Ensure your patch management policy and procedure includes addressing security

To minimize the risk of Domain Name Service amplification attacks:

  1. Disable recursion on authoritative name servers that do not need to support recursive resolution of other domains on behalf of a client.
  2. Limit recursion on DNS servers to authorized clients on the organization's network only.
  3. Run authoritative and recursive name servers on different systems, with Response Rate Limiting implemented on the authoritative server and access control lists implemented on the recursive server.

To minimize the risk of Network Time Protocol amplification attacks:

  1. Upgrade all publicly accessible versions of ntpd to at least 4.2.7. Where it is not possible to upgrade the service, the monitor functionality can be disabled in earlier versions of the software.
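The DNS and NTP steps above map onto a handful of configuration directives. The fragments below are an added illustration for BIND 9 (`named.conf`) and the reference `ntpd` (`ntp.conf`), not configuration from the podcast, US-CERT, or any vendor; the client range 192.0.2.0/24 is an assumed placeholder from the RFC 5737 documentation prefix, and the rate-limit values are example figures to be tuned per environment.

```conf
# --- named.conf on the AUTHORITATIVE server (rate-limit needs BIND 9.9.4 or later) ---
options {
    recursion no;                  # step 1: never resolve other domains on behalf of clients
    allow-query { any; };          # authoritative zone data is public by design
    # step 3: Response Rate Limiting caps identical answers sent to any one
    # client /24 per second, so a spoofed victim address receives few amplified replies
    rate-limit {
        responses-per-second 5;    # example value, tune to observed legitimate query rates
        window 5;
    };
};

# --- named.conf on the RECURSIVE resolver (a separate system, per step 3) ---
acl "trusted" {
    192.0.2.0/24;                  # assumed internal client range (placeholder)
    localhost;
};
options {
    recursion yes;
    allow-recursion { trusted; };  # step 2: recursion only for the organization's own clients
    allow-query-cache { trusted; };
    allow-query { trusted; };      # the open Internet gets no answers from this box at all
};

# --- ntp.conf for an ntpd older than 4.2.7 that cannot yet be upgraded ---
disable monitor                                       # switches off the mode 7 'monlist' responder used for amplification
restrict default kod nomodify notrap nopeer noquery   # untrusted hosts get time only, no status or control queries
restrict 127.0.0.1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap # assumed internal range (placeholder) may also run ntpq against the server
```

After reloading, confirm the split from outside the trusted range: a recursive lookup against the authoritative server should return REFUSED rather than an answer, and the resolver should refuse queries from addresses outside the ACL. On the NTP side, an `ntpdc -c monlist` request from an untrusted address should time out or be rejected rather than return a list of recent clients.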

Article References

2014 DDoS Threat Landscape report

http://www.incapsula.com/blog/ddos-threat-landscape-report-2014.html

Neustar Annual DDoS Attacks and Impact Report

http://www.neustar.biz/resources/whitepapers/ddos-protection/2014-annual-ddos-attacks-and-impact-report.pdf

US-CERT NTP Amplification Attack Advisory

https://www.us-cert.gov/ncas/alerts/TA14-013A

US-CERT DNS Amplification Attacks

https://www.us-cert.gov/ncas/alerts/TA13-088A


 

Microsoft Word Vulnerability Used in Targeted Attacks Against Taiwan

http://www.securityweek.com/microsoft-word-vulnerability-used-targeted-attacks-against-taiwan

http://www.darkreading.com/attacks-breaches/recent-word-zero-day-used-in-attacks-against-taiwan-government/d/d-id/1252676

C-IT Recommendation

  1. Ensure your organization has a solid anti-malware solution at the end point and that all endpoints are covered.
  2. Enforce a patch management standard in your organization which requires security patches to be deployed in the production environment within a reasonable time after they are tested within your test environment.
  3. Test business functionality of each type of device and record any issues impacting any business functions on the devices.
  4. If no issues result in the testing, deploy the security updates to the production systems. If functionality-impacting issues occur on the test devices, engage vendor support if specific applications are negatively impacted.
  5. Consult with your Vulnerability and Threat Management Team (VTM) to verify all production systems are patched with the latest updates.
  6. Implement an advanced malware solution such as Invincea FreeSpace, FireEye Web Security (NX Series) or Sourcefire FireAMP to block unauthorized outbound connections initiated from your internal network.

 

Research gives reason to double-check Heartbleed fix

http://www.csoonline.com/article/2154240/data-protection/research-gives-reason-to-double-check-heartbleed-fix.html

C-IT Recommendation

  1. Consult with your Vulnerability and Threat Management Team/Individual (VTM).
  2. Ensure the VTM team/individual has discovered all devices vulnerable to the Heartbleed vulnerability.
  3. Verify the keys and certificates have been replaced on your vulnerable SSL servers.
  4. Request that the team validate the vulnerability has been cleaned up by running the CrowdStrike scanner or a similar scanner that can report the results of your remediation efforts. A rescan will also show any servers that were missed in the initial scan or scans because they were down, or that were not discovered because they were no longer on the network.

Article Resources

CrowdStrike blog post detailing the tool

http://www.crowdstrike.com/blog/new-community-tool-crowdstrike-heartbleed-scanner/index.html

Download the free CrowdStrike scanner

http://www.crowdstrike.com/community-tools/index.html


 

Point-of-Sale Malware Has Become Highly Sophisticated

http://www.infosecurity-magazine.com/view/38381/pointofsale-malware-has-become-highly-sophisticated/

C-IT Recommendation

  1. Maintain an asset inventory that covers every PoS terminal and its supporting systems, with operating system version and installed applications.
  2. Ensure your organization has a solid anti-malware solution at the endpoint and that every endpoint, PoS terminals included, is covered.
  3. Harden PoS terminals to run only the services and applications they need; remove or disable everything else, and use an allowlist so that unknown executables cannot run.
  4. Enforce patch management for the terminals, their operating system and the PoS application itself.
  5. Test business functionality on each type of device in a test environment and record any issue that impacts a business function.
  6. If testing raises no issues, deploy the security updates to the production systems. If a functionality-impacting issue occurs on the test devices, engage vendor support for the affected application.
  7. Consult with your Vulnerability and Threat Management Team (VTM) to verify all production systems are patched with the latest updates.
  8. Implement an advanced malware solution such as Invincea FreeSpace, FireEye Web Security (NX Series) or Sourcefire FireAMP that can detect and block the outbound connections malware on your internal network initiates back to its operators. PoS malware has to send the card data it captures somewhere, and that outbound traffic is where it can be caught.
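
Item 3 says a PoS terminal should run only what it needs. The practical form of that control is an allowlist taken from the hardened image and a periodic comparison of what is actually running against it. The Python below is an added example, not code from the page, the ASERT brief or any PoS vendor. The baseline, the hash values and the process snapshot are all constructed, and the collection of (name, path, hash) from a real terminal (for example through WMI or an endpoint agent) is assumed to exist. It flags the four things that matter on a locked-down terminal: an executable that is not on the allowlist, a known name running from the wrong directory (masquerading), a system binary whose hash changed, and a required agent such as anti-malware that is no longer running.

```python
"""Audit a PoS terminal's running processes against a hardened-image allowlist."""
import ntpath
from dataclasses import dataclass

# Constructed baseline for one hardened PoS image: lower-case process name ->
# (expected path, expected SHA-256, must-be-running). Hash values are placeholders.
BASELINE = {
    "posclient.exe": (r"C:\POS\posclient.exe", "sha256-posclient-4.2", True),
    "avservice.exe": (r"C:\Program Files\EndpointAV\avservice.exe", "sha256-avservice-9.1", True),
    "svchost.exe":   (r"C:\Windows\System32\svchost.exe", "sha256-svchost", False),
    "winlogon.exe":  (r"C:\Windows\System32\winlogon.exe", "sha256-winlogon", False),
}

# Locations a process on a locked-down terminal should never be executing from.
SUSPICIOUS_DIRS = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\", "c:\\$recycle.bin\\")


@dataclass(frozen=True)
class Finding:
    severity: str      # "high" or "medium"
    process: str
    detail: str


def audit_processes(running, baseline=BASELINE, suspicious_dirs=SUSPICIOUS_DIRS):
    """running: iterable of (name, full path, sha256) as collected from the terminal.

    Flags processes outside the allowlist, allowlisted names running from the wrong
    location, binaries whose hash changed, and required agents that are not running.
    Returns findings in detection order.
    """
    findings, seen = [], set()
    for name, path, digest in running:
        key = name.lower()
        seen.add(key)
        norm_path = ntpath.normcase(path)          # lower-case, backslashes, on any platform
        if key not in baseline:
            severity = "high" if norm_path.startswith(suspicious_dirs) else "medium"
            findings.append(Finding(severity, name, f"not in allowlist, running from {path}"))
            continue
        exp_path, exp_hash, _ = baseline[key]
        if norm_path != ntpath.normcase(exp_path):
            findings.append(Finding("high", name, f"expected {exp_path}, running from {path}"))
        elif digest != exp_hash:
            findings.append(Finding("high", name, "binary hash differs from baseline"))
    for key, (exp_path, _, required) in baseline.items():
        if required and key not in seen:
            findings.append(Finding("high", key, f"required agent not running ({exp_path})"))
    return findings


# Constructed snapshot of one terminal, in the shape a process inventory script would return.
SAMPLE_RUNNING = [
    ("posclient.exe", r"C:\POS\posclient.exe", "sha256-posclient-4.2"),
    ("svchost.exe", r"C:\Windows\System32\svchost.exe", "sha256-svchost"),
    ("svchost.exe", r"C:\Users\Public\svchost.exe", "sha256-unknown-1"),        # masquerade
    ("winlogon.exe", r"C:\Windows\System32\winlogon.exe", "sha256-unknown-2"),  # replaced binary
    ("updater.exe", r"C:\ProgramData\updater.exe", "sha256-unknown-3"),         # unknown, bad dir
    ("chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "sha256-chrome"),
]

if __name__ == "__main__":
    for f in audit_processes(SAMPLE_RUNNING):
        print(f"[{f.severity.upper():6}] {f.process}: {f.detail}")
```

Run it from a scheduled job on each terminal class and ship the findings to whatever collects your endpoint telemetry; the medium finding (a browser installed on a terminal) is the kind of unneeded software item 3 is asking you to remove.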

Article Resources

ASERT Threat Intelligence Brief 2014-6

http://pages.arbornetworks.com/rs/arbor/images/ASERT%20Threat%20Intelligence%20Brief%202014-06%20Uncovering%20PoS%20Malware%20and%20Attack%20Campaigns.pdf

 

5-12-14 Podcast References

Heartbleed Bug Hits Industrial Control Systems

http://www.infosecurity-magazine.com/view/38359/heartbleed-bug-hits-industrial-control-systems/

C-IT Recommendation

  1. If your organization's business includes power plants, oil or gas refineries, telecommunications facilities, transportation, or water and waste control, it is almost certainly using SCADA equipment. Even if it does not, consult your HVAC, telecom and facilities departments and perform an asset inventory of your SCADA equipment; the CMDB should record product manufacturers, models and firmware versions.
  2. Ensure your company has policies and procedures to maintain the asset inventory, covering all SCADA systems and each piece of industrial equipment they control.
  3. Update firmware on SCADA equipment. The recommended fix for Heartbleed on Digi International devices is to update to a fixed firmware version, available on the www.digi.com/support web site.
  4. Change certificates. If the HTTPS service is enabled and you have deployed your own private key and certificate to the web interface (highly recommended), update to an unaffected firmware version first and then generate a new private key and certificate; a key created on still-vulnerable firmware can be exposed just like the old one.
  5. Change passwords. If the HTTPS service is enabled, change all passwords associated with the affected device, including device user passwords. If TACACS or RADIUS is used, change the user passwords as well as the shared secret. If a VPN is used in this configuration, change its passwords and/or tokens.
  6. Disable the web service. The HTTPS service can be disabled while the device stays manageable in several ways: manage the device through a command-line service such as SSH, or use a Device Cloud account to manage all devices centrally. If the HTTPS service must remain enabled on a public IP, restrict the web interface to specific source IPs.
  7. Check services. If any HTTPS services have been implemented in Python on the device, review that code and make sure it is not affected. If shell scripts use the OpenSSL commands, make sure the OpenSSL they call has been patched or built without the heartbeat TLS extension.
  8. Minimize network exposure for all control system devices and systems, and ensure they are not reachable from the Internet.
  9. Place control system networks and remote devices behind firewalls, and isolate them from the business network.
  10. When remote access is required, use secure methods such as Virtual Private Networks (VPNs), recognizing that VPNs have vulnerabilities of their own and should be kept at the most current version available, and that a VPN is only as secure as the devices connected to it.

Article Resources

Heartbleed Details

http://heartbleed.com/

Digi International Security Notice

http://www.digi.com/support/kbase/kbaseresultdetl?id=3564

Industrial Control Systems Cyber Emergency Response Team Advisory

https://ics-cert.us-cert.gov/advisories/ICSA-14-128-01

ICS-CERT Section for Control Systems Security Recommended Practices

http://ics-cert.us-cert.gov/Recommended-Practices


 

IT malpractice: Doc operates on server, costs hospitals $4.8M

http://www.csoonline.com/article/2153302/security/it-malpractice-doc-operates-on-server-costs-hospitals-4-8m.html

C-IT Recommendation

  1. Ensure your organization has a structured framework to address security. Frameworks provide a foundation for building effective security practices within an organization. Examples include the National Institute of Standards and Technology (NIST) Cybersecurity Framework, ISO/IEC 27001, and ISACA's Control Objectives for Information and Related Technology (COBIT). A framework provides the following benefits:
    1. Ensures your organization has a plan for information security
    2. Provides direction for developing information security policies, procedures, standards and guidelines
    3. Ensures the organization has administrative, physical and technical controls to deter, detect and/or prevent malicious behavior
  2. Verify your company has an effective and enforced access control standard and policy that defines roles and baselines for system administrators. Ensure the standard and policy state that access must be removed when an employee transfers within the organization or leaves it.
    1. Roles should be defined by the duties the role must perform, and only those duties
    2. Privileged access should be granted to roles, not to individual users. Users are then added to roles according to their positions
      1. Ex: a physician should not have the rights of the operating system administrator
  3. Perform periodic access reviews of privileged account users. Any user or group found to hold unnecessary privileged access should have that access removed immediately.
  4. Use job rotation and mandatory vacations for all privileged roles. Job rotation ensures that
    1. administrators know someone else will step in to perform their job responsibilities and may detect malicious behavior, which deters the administrator from attempting it
  5. Use dual control (separation of duties) for highly sensitive activities.
    1. Ex: the individual who changes production source code hands the change to someone else who controls its installation.
    2. This deters malicious behavior, as each individual knows an honest colleague may detect it

Article Resources

NIST Cybersecurity Framework

http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

ISO/IEC 27001 Framework

http://www.iso.org/iso/catalogue_detail?csnumber=54534

ISACA COBIT

http://www.isaca.org/COBIT/Pages/default.aspx?cid=1003566&Appeal=PR

Role Based Access Control (has links to other resources including the  “Economic Benefits of Role Based Access Control”)

http://csrc.nist.gov/groups/SNS/rbac/


 

Bitly Compromised; Users Warned to Reset Accounts

http://www.infosecurity-magazine.com/view/38358/bitly-compromised-users-warned-to-reset-accounts/

C-IT Recommendation

  1. Consult your IT and social marketing departments to determine whether your organization uses Bitly for URL shortening in social media campaigns. If so:
  2. Log in to your Bitly profile.
  3. Change your API key and OAuth tokens.
  4. Reset your Bitly password.
  5. Copy down the new API key and change it in every application that uses it, including social publishers, share buttons and mobile apps; an integration still configured with the old key stops working once the key is rotated.

Article Resources

Bitly Urgent Security Update

http://blog.bitly.com/post/85169217199/urgent-security-update-regarding-your-bitly-account


 

GE Acquiring Wurldtech to Expand Critical Infrastructure Cyber Protection

http://www.securityweek.com/ge-acquiring-wurldtech-expand-critical-infrastructure-cyber-protect

5-09-14 Podcast References

US Navy sysadmin charged with ‘Team Digi7al’ hacktivist attacks on military

http://www.csoonline.com/article/2152820/data-protection/us-navy-sysadmin-charged-with-team-digi7al-hacktivist-attacks-on-military.html

http://www.darkreading.com/attacks-breaches/navy-nuclear-carrier-sysadmin-busted-for-hacking-databases/d/d-id/1251134?

C-IT Recommendation

  1. Verify your company has an effective and enforced access control standard and policy that defines roles and baselines for system administrators. Ensure the standard and policy state that access must be removed when an employee transfers within the organization or leaves it.
    1. Roles should be defined by the duties the role must perform, and only those duties
    2. Privileged access should be granted to roles, not to individual users. Users are then added to roles according to their positions
      1. Ex: a database administrator should not have the rights of the operating system administrator
  2. Perform periodic access reviews of privileged account users. Any user or group found to hold unnecessary privileged access should have that access removed immediately.
  3. Use job rotation and mandatory vacations for all privileged roles. Job rotation ensures that
    1. administrators know someone else will step in to perform their job responsibilities and may detect malicious behavior, which deters the administrator from attempting it
  4. Use dual control (separation of duties) for highly sensitive activities.
    1. Ex: the individual who changes production source code hands the change to someone else who controls its installation.
    2. This deters malicious behavior, as each individual knows an honest colleague may detect it
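
The access-control recommendations above (roles defined by duties, privileges granted to roles rather than to people, periodic access reviews, and dual control) appear both here and in the hospital item earlier on this page. The Python below is one added example that serves both; it is not code from the page or from NIST's RBAC material. The role model, the separation-of-duties pairs and the user population are constructed, and an export of users with their status, roles and any direct grants from the directory or IAM system is assumed to exist. The review flags exactly what the items ask a reviewer to look for: permissions granted to a user outside any role, a terminated or transferred user who still holds access, a role that no longer exists, and one person holding two permissions that dual control says must be split, such as a DBA who is also the OS administrator.

```python
"""Privileged access review: role-based grants, separation-of-duties conflicts, stale users."""
from dataclasses import dataclass, field

# Constructed role model. Permissions belong to roles; users receive roles, never permissions directly.
ROLES = {
    "dba":         {"db.admin", "db.backup"},
    "os_admin":    {"os.admin", "os.patch"},
    "developer":   {"code.commit"},
    "release_mgr": {"code.deploy"},
    "physician":   {"ehr.read", "ehr.write"},
}

# Pairs one person must never hold together (dual control / separation of duties).
SOD_CONFLICTS = {
    frozenset({"code.commit", "code.deploy"}),   # writes the change and installs it
    frozenset({"db.admin", "os.admin"}),         # DBA must not also own the operating system
    frozenset({"ehr.write", "os.admin"}),        # clinician must not also administer the server
}


@dataclass
class User:
    uid: str
    status: str                                  # "active", "transferred" or "terminated"
    roles: list = field(default_factory=list)
    direct: set = field(default_factory=set)     # permissions granted outside any role


@dataclass(frozen=True)
class Finding:
    uid: str
    kind: str
    detail: str


def effective_permissions(user: User, roles: dict) -> set:
    """Union of the user's role permissions and direct grants; unknown roles contribute nothing."""
    perms = set(user.direct)
    for role in user.roles:
        perms |= roles.get(role, set())
    return perms


def review_access(users, roles=ROLES, conflicts=SOD_CONFLICTS):
    """Periodic review producing the list of grants a reviewer must act on."""
    findings = []
    for u in users:
        perms = effective_permissions(u, roles)
        if u.status != "active" and (u.roles or u.direct):
            findings.append(Finding(u.uid, "inactive_user_with_access",
                                    f"status={u.status}, still holds {sorted(u.roles)} {sorted(u.direct)}"))
        for role in u.roles:
            if role not in roles:
                findings.append(Finding(u.uid, "unknown_role", f"role {role!r} is not defined"))
        if u.direct:
            findings.append(Finding(u.uid, "direct_grant",
                                    f"permissions granted to the user, not a role: {sorted(u.direct)}"))
        for pair in conflicts:
            if pair <= perms:
                findings.append(Finding(u.uid, "sod_conflict", "holds both " + " and ".join(sorted(pair))))
    return findings


# Constructed review population.
SAMPLE_USERS = [
    User("alice", "active", ["dba", "os_admin"]),                  # DBA who is also OS admin
    User("bob", "active", ["developer", "release_mgr"]),           # commits and deploys own code
    User("carol", "active", ["physician"], direct={"os.admin"}),   # physician given admin directly
    User("dave", "terminated", ["os_admin"]),                      # left, access never removed
    User("erin", "active", ["developer"]),                         # clean
    User("frank", "active", ["contractor"]),                       # role that no longer exists
]

if __name__ == "__main__":
    for f in review_access(SAMPLE_USERS):
        print(f"{f.uid:6} {f.kind:26} {f.detail}")
```

Because the conflicts are expressed as permission pairs rather than role pairs, adding a new role cannot silently create a toxic combination: whatever roles a user accumulates, the check is made on the permissions they end up with.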

Article Resources

Role Based Access Control (has links to other resources including the  “Economic Benefits of Role Based Access Control”)

http://csrc.nist.gov/groups/SNS/rbac/

Separation of duty definition

http://www.pcmag.com/encyclopedia/term/51110/separation-of-duties


 

Surge in ‘Viknok’ infections bolsters click fraud campaign

http://www.scmagazine.com/surge-in-viknok-infections-bolsters-click-fraud-campaign/article/346199/

C-IT Recommendation

  1. Ensure your organization maintains a solid asset inventory standard and policy that requires a configuration management database (CMDB) capturing the operating system and installed applications of every device.
  2. Ensure your organization has a solid anti-malware standard and policy, an anti-malware solution deployed at the endpoint, and coverage of every endpoint listed in the CMDB.
  3. Enforce a patch management standard that requires security patches to be deployed to the production environment within a defined time after they pass testing in your test environment.
  4. Test business functionality on each type of device and record any issue that impacts a business function.
  5. If testing raises no issues, deploy the security updates to the production systems. If a functionality-impacting issue occurs on the test devices, engage Microsoft support and/or the vendor of the affected application.
  6. Consult with your Vulnerability and Threat Management Team (VTM) to verify all production systems are patched with the latest updates.
  7. Implement an advanced malware solution such as Invincea FreeSpace, FireEye Web Security (NX Series) or Sourcefire FireAMP that can detect and block the outbound connections malware on your internal network initiates back to its operators.

Article Resources

NIST Use Case for IT Asset Management: Securing Assets for the Financial Services Sector

http://csrc.nist.gov/nccoe/financial-services/NCCoE_FS_Use_Case_ITAM_FinalDraft_20140501.pdf

NIST Software Asset Management

http://csrc.nist.gov/nccoe/Building-Blocks/SAM.pdf


 

Microsoft Plans to Release 8 Security Bulletins for May Patch Tuesday

http://www.securityweek.com/microsoft-plans-release-8-security-bulletins-may-patch-tuesday

C-IT Recommendation

  1. Ensure your organization maintains a solid asset inventory standard and policy that requires a configuration management database (CMDB) capturing the operating system and installed applications of every device.
  2. Enforce a patch management standard that requires security patches to be deployed to the production environment within a defined time after they pass testing in your test environment.
  3. Test business functionality on each type of device and record any issue that impacts a business function.
  4. If testing raises no issues, deploy the security updates to the production systems. If a functionality-impacting issue occurs on the test devices, engage Microsoft support and/or the vendor of the affected application.
  5. Consult with your Vulnerability and Threat Management Team (VTM) to verify all production systems are patched with the latest updates.
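
The patch-management steps here and in the Viknok item above end with the VTM team verifying that production is patched. The Python below is an added example of what that verification looks like when it is computed from the CMDB rather than asserted; it is not code from the page or from Microsoft. The bulletin identifiers, products, severities and hosts are constructed placeholders (not real Microsoft bulletin numbers), and the SLA windows are assumptions to replace with your own standard. It reports which production hosts are overdue against the SLA for a bulletin that applies to them, which are still within the window, and which have not checked in recently enough for their patch state to be trusted at all.

```python
"""Patch compliance report: which production hosts are missing which bulletins, and for how long."""
from dataclasses import dataclass
from datetime import date, timedelta

# Days allowed between a bulletin's release and its deployment to production, by severity (assumed).
SLA_DAYS = {"critical": 14, "important": 30, "moderate": 60}


@dataclass(frozen=True)
class Bulletin:
    bid: str
    released: date
    severity: str
    products: frozenset      # product identifiers the bulletin applies to


@dataclass(frozen=True)
class Host:
    name: str
    product: str
    environment: str         # "production" or "test"
    installed: frozenset     # bulletin ids the patch agent reports as installed
    last_seen: date          # last check-in with the inventory / patch agent


def patch_report(hosts, bulletins, today: date, sla_days=SLA_DAYS, stale_after_days: int = 14):
    """Return (overdue, pending, stale) for production hosts.

    overdue / pending: (host, bulletin id, days past deadline or days remaining)
    stale: (host, days since last check-in) for hosts whose state cannot be trusted; the VTM
    team must confirm whether the host still exists before closing that finding.
    """
    overdue, pending, stale = [], [], []
    for h in hosts:
        if h.environment != "production":
            continue
        silent_for = (today - h.last_seen).days
        if silent_for > stale_after_days:
            stale.append((h.name, silent_for))
            continue
        for b in bulletins:
            if h.product not in b.products or b.bid in h.installed:
                continue
            deadline = b.released + timedelta(days=sla_days[b.severity])
            if today > deadline:
                overdue.append((h.name, b.bid, (today - deadline).days))
            else:
                pending.append((h.name, b.bid, (deadline - today).days))
    return overdue, pending, stale


# Constructed data: placeholder bulletin ids and product names, not real identifiers.
BULLETINS = [
    Bulletin("BUL-2014-05-A", date(2014, 5, 13), "critical", frozenset({"win2008r2", "win7"})),
    Bulletin("BUL-2014-05-B", date(2014, 5, 13), "important", frozenset({"win2008r2"})),
    Bulletin("BUL-2014-05-C", date(2014, 5, 13), "moderate", frozenset({"win7"})),
]
HOSTS = [
    Host("pos-term-01", "win7", "production", frozenset({"BUL-2014-05-A"}), date(2014, 6, 1)),
    Host("db-srv-01", "win2008r2", "production", frozenset(), date(2014, 6, 1)),
    Host("web-test-03", "win2008r2", "test", frozenset(), date(2014, 6, 1)),
    Host("kiosk-07", "win7", "production", frozenset(), date(2014, 4, 30)),
]
REPORT_DATE = date(2014, 6, 1)

if __name__ == "__main__":
    overdue, pending, stale = patch_report(HOSTS, BULLETINS, REPORT_DATE)
    for name, bid, days in overdue:
        print(f"OVERDUE  {name:12} {bid} ({days} days past SLA)")
    for name, bid, days in pending:
        print(f"PENDING  {name:12} {bid} ({days} days remaining)")
    for name, days in stale:
        print(f"STALE    {name:12} last seen {days} days ago; verify the host still exists")
```

The stale list is the point of the example: a host that stopped reporting is invisible to a patch console, so a compliance figure computed only over hosts that answered is always too optimistic.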

Article Resources

Security Bulletin Advanced Notification

https://technet.microsoft.com/library/security/ms14-may


 

Cisco Warns of WebEx Player Security Vulnerabilities

http://www.securityweek.com/cisco-warns-webex-player-security-vulnerabilities

According to Cisco, the vulnerabilities are fixed in the following client builds; confirm that every deployed client is at or above them:

  • Cisco WebEx Business Suite (WBS29) client builds T29.2 or later
  • Cisco WebEx Business Suite (WBS28) client builds T28.12 or later
  • Cisco WebEx Business Suite (WBS27) client builds T27TLSP32EP16 (27.32.16) or later
  • Cisco WebEx 11 versions prior to 1.2.10 with client builds T28.12 or later
  • Cisco WebEx Meetings Server client builds 2.0.0.1677 or later
  • Cisco WebEx Meetings Server client builds Orion 2.0 or later

Article Resources

Cisco Security Advisory

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140507-webex


 

House votes to outlaw NSA’s bulk collection of phone records

http://www.csoonline.com/article/2152822/networking-hardware/house-votes-to-outlaw-nsas-bulk-collection-of-phone-records.html

http://www.scmagazine.com/house-committee-passes-bill-to-stop-unbridled-govt-access-to-phone-data/article/346186/

5-08-14 Podcast References

France’s Orange Hit by Hackers Data Raid

http://www.securityweek.com/frances-orange-hit-hackers-data-raid

http://www.csoonline.com/article/2151893/malware-cybercrime/orange-warns-of-phishing-attacks-after-data-breach.html

C-IT Recommendation

  1. Ensure your organization has firewalls and intrusion prevention systems capable of blocking inbound connections from bad-reputation IP addresses and from countries on your watch list.
  2. Verify your organization has some form of extrusion detection/prevention tool, such as data loss prevention or
  3. Ensure your security appliances report to a Security Information and Event Management (SIEM) tool that correlates events and presents intelligible information to security analysts.
  4. Validate that your organization has an effective Security Operations Center (SOC) whose analysts are trained to alert on potentially malicious events and sources.
  5. Verify your company has an effective and enforced data classification standard that requires data owners to assess data sensitivity seriously and requires data custodians to secure the information on a need-to-know basis.
  6. Perform periodic access reviews of data stores and applications housing highly classified or confidential information to ensure appropriate access is enforced. Any user or group found to have access without a need for it should be removed immediately.
  7. Confirm network segmentation in your environment so that only required devices can reach the networks where highly classified or confidential data resides.
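
Items 2 and 3 ask for extrusion detection and for a SIEM that correlates what the appliances report. The Python below is an added example of the two correlations an analyst would want first from an egress firewall or proxy feed; it is not code from the page, from Orange or from any SIEM vendor. The log format, the blocklist and the log lines are all constructed (addresses come from documentation ranges), and in production the lines would come from the SIEM's parser rather than from a regex in the script. It raises a reputation alert for any outbound connection to a blocklisted destination, and a volume alert for an internal host whose latest day of outbound traffic is far above its own history, which is the shape a bulk data raid leaves in the logs.

```python
"""SIEM-style correlation over outbound firewall logs: reputation hits and volume anomalies."""
import re
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

# Constructed log format: key=value fields as an egress firewall or proxy might emit them.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2})T\S+\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"dport=(?P<dport>\d+)\s+bytes_out=(?P<bytes>\d+)$"
)


@dataclass(frozen=True)
class Alert:
    kind: str        # "reputation" or "volume"
    src: str
    detail: str


def parse_line(line: str):
    """Return a dict for a well-formed line, None for anything else (never crash on garbage)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["bytes"] = int(d["bytes"])
    return d


def detect_exfiltration(lines, blocklist, ratio: float = 5.0, min_bytes: int = 100 * 1024 * 1024):
    """Two detections from one feed:

    1. any outbound connection to a blocklisted (bad-reputation) destination;
    2. an internal host whose latest day of outbound volume is at least min_bytes and more than
       `ratio` times its own average over the earlier days in the feed (or has no history at all).
    """
    events = [e for e in map(parse_line, lines) if e]
    alerts = []
    for e in events:
        if e["dst"] in blocklist:
            alerts.append(Alert("reputation", e["src"],
                                f"{e['ts']} outbound to blocklisted {e['dst']}:{e['dport']}"))
    daily = defaultdict(lambda: defaultdict(int))      # src -> day -> bytes out
    for e in events:
        daily[e["src"]][e["ts"]] += e["bytes"]
    for src, per_day in daily.items():
        days = sorted(per_day)
        latest, history = days[-1], [per_day[d] for d in days[:-1]]
        volume = per_day[latest]
        if volume < min_bytes:
            continue
        baseline = mean(history) if history else 0
        if not history or volume > ratio * baseline:
            alerts.append(Alert("volume", src,
                                f"{latest}: {volume} bytes out vs baseline {baseline:.0f} bytes/day "
                                f"over {len(history)} day(s)"))
    return alerts


# Constructed sample feed; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """
2014-05-04T09:12:01Z src=10.20.1.15 dst=198.51.100.7 dport=443 bytes_out=140000
2014-05-05T10:02:11Z src=10.20.1.15 dst=198.51.100.7 dport=443 bytes_out=120000
2014-05-05T14:30:02Z src=10.20.1.15 dst=198.51.100.9 dport=443 bytes_out=95000
2014-05-06T02:13:44Z src=10.20.1.15 dst=203.0.113.45 dport=443 bytes_out=734003200
2014-05-06T09:00:00Z src=10.20.1.16 dst=198.51.100.7 dport=443 bytes_out=80000
2014-05-06T09:05:00Z src=10.20.1.16 dst=203.0.113.200 dport=22 bytes_out=1500
this line is malformed and must be ignored
""".strip().splitlines()
BLOCKLIST = {"203.0.113.200"}

if __name__ == "__main__":
    for a in detect_exfiltration(SAMPLE_LOG, BLOCKLIST):
        print(f"[{a.kind}] {a.src}: {a.detail}")
```

The volume rule compares each host with itself rather than with a fleet-wide threshold, so a backup server that always moves gigabytes does not page anyone, while a workstation that suddenly pushes 700 MB out at two in the morning does. The absolute floor (min_bytes) keeps a host with a tiny baseline from alerting on ordinary variation.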

 

How the Target CEO resignation will affect other execs’ security views

http://searchsecurity.techtarget.com/news/2240220103/How-the-Target-CEO-resignation-will-affect-other-execs-security-views

C-IT Recommendation

  1. Ensure your organization has a structured framework to address security. Frameworks provide a foundation for building effective security practices within an organization. Examples include the National Institute of Standards and Technology (NIST) Cybersecurity Framework, ISO/IEC 27001, and ISACA's Control Objectives for Information and Related Technology (COBIT). A framework provides the following benefits:
    1. Ensures your organization has a plan for information security
    2. Provides direction for developing information security policies, procedures, standards and guidelines
    3. Ensures the organization has administrative, physical and technical controls to deter, detect and/or prevent malicious behavior
  2. Corporate leaders must establish a security debrief cadence with the information security teams. CSOs/CISOs should meet with operational teams weekly to understand internal security risks, and then meet with the CFO, CEO and CIO bi-weekly or monthly to communicate priority risks to the business. Executives should be prepared to give feedback and decisions back to the information security organization.
    1. Material to be covered
      1. Current risks (including potential severity and probability)
      2. Emerging risks (including potential severity and probability)
      3. Plan to address risks (avoidance, mitigation, transfer, acceptance)
      4. Monitoring progress of risk handling

Article Resources

NIST Cybersecurity Framework

http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

ISO/IEC 27001 Framework

http://www.iso.org/iso/catalogue_detail?csnumber=54534

ISACA COBIT

http://www.isaca.org/COBIT/Pages/default.aspx?cid=1003566&Appeal=PR


 

Malware infections tripled in late 2013, Microsoft finds

http://www.csoonline.com/article/2151925/data-protection/malware-infections-tripled-in-late-2013-microsoft-finds.html

http://www.securityweek.com/vulnerability-disclosures-increased-second-half-2013-microsoft

C-IT Recommendation

  1. Ensure your organization has a strong asset inventory with an accurate configuration management database.
  2. Use any of the following tools to scan your Microsoft Windows machines to discover and remove the infection:
    1. Microsoft Security Essentials or, on Windows 8, Windows Defender
    2. Microsoft Safety Scanner
    3. Microsoft Windows Malicious Software Removal Tool
  3. Ensure your organization has an anti-virus policy and a solution deployed on all endpoint computers that lets the policy be enforced.
  4. Ensure your policy requires the endpoint security team to keep anti-virus signature files updated within a defined time of the vendor's signature releases.

Article Resources

Microsoft Malware Protection Center: Win32/Rotbrow

http://www.microsoft.com/security/portal/threat/Encyclopedia/entry.aspx?Name=Win32/Rotbrow

Malware Protection Center: TrojanDropper:Win32/Rotbrow.L

http://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=TrojanDropper:Win32/Rotbrow.L

5-07-14 Podcast References

Microsoft Updates Reports on Software Supply Chain Security, Critical Infrastructure Protection

http://www.securityweek.com/microsoft-updates-reports-software-supply-chain-security-critical-infrastructure-protection

C-IT Recommendation

  1. Find out whether your Information Technology organization has security embedded in its Software Development Life Cycle. This applies whether or not your organization develops software in house: no new system should be released to the public or deployed in your organization without a security review.
  2. Verify your IT organization has controls to protect the integrity of the software products you sell to, or operate on behalf of, your customers, from build through delivery.
  3. Verify your organization has a release management process that requires input from the information security organization. Release management is the process that oversees the development, testing, deployment and support of software releases.
  4. Verify your organization has a change management process that requires approval from the information security organization. Change management ensures no one can modify a system until the modification has been reviewed and approved by a group of authorized individuals who have vetted the change and judged its risks acceptable.
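
Item 2, controls that protect the integrity of the software you ship: the minimal technical control behind it is a manifest of file hashes recorded when the release is built and checked again when it is deployed, so that anything altered, removed or added between the two points is visible. The Python below is an added example, not code from the page or from Microsoft's white paper; the release files and the tampering are constructed inside a temporary directory. One caveat the example does not cover: a hash manifest detects change but does not prove origin. The manifest itself has to be signed with a code-signing key and retrieved through a channel the party who could alter the release cannot also alter, otherwise an attacker who replaces the binaries simply regenerates the manifest.

```python
"""Release integrity check: compare a deployed tree against the manifest recorded at build time."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large artifacts do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every regular file under root, in sorted order."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_release(root: Path, manifest: dict) -> dict:
    """Classify every file as ok, modified, missing (manifest only) or unexpected (on disk only)."""
    actual = build_manifest(root)
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in actual:
            result["missing"].append(rel)
        elif actual[rel] != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    result["unexpected"] = [rel for rel in actual if rel not in manifest]
    return result


def demo() -> dict:
    """Constructed scenario: a release is manifested at build time, then tampered with before deployment."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"\x7fELF constructed application image")
        (root / "config.ini").write_text("[service]\nport=8443\n")
        (root / "README").write_text("release 4.2\n")
        manifest = build_manifest(root)        # produced by the build pipeline; sign and store it there
        # Everything below happens after the manifest was taken.
        (root / "bin" / "app").write_bytes(b"\x7fELF constructed application image + backdoor")
        (root / "README").unlink()
        (root / "bin" / "helper.dll").write_bytes(b"dropped after build")
        return verify_release(root, manifest)


if __name__ == "__main__":
    for state, files in demo().items():
        print(f"{state:10} {files}")
```

The "unexpected" class matters as much as "modified": a file that is not in the manifest is exactly how a dropped component rides into production on the back of a legitimate release, and a verifier that only checks the files it was told about never sees it.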

Additional Resources

Toward a Trusted Supply Chain: A Risk Based Approach to Managing Software Integrity White Paper

http://download.microsoft.com/download/9/B/D/9BD9FBFF-A1D9-4DA9-954C-EAE9242C689D/Toward%20a%20Trusted%20Supply%20Chain%20white%20paper.pdf

Critical Infrastructure Protection: Concepts and Continuum White Paper

http://download.microsoft.com/download/4/6/8/4688D909-116C-480A-A398-703B30C7D7B3/CIP-continuum.pdf


 

Dropbox Storage Service Patches Privacy Issue

http://www.securityweek.com/dropbox-storage-service-patches-privacy-issue

http://www.csoonline.com/article/2151920/data-protection/dropbox-fixes-flaw-that-exposed-user-documents.html

C-IT Recommendation

  1. Evaluate the organizational risk of allowing users to store documents on online sharing services such as Dropbox, Google Drive and Microsoft OneDrive. Understand that once information leaves your organization you no longer control it. This evaluation should include input from your core business leaders, the legal department, and information technology and security leadership.
  2. Make an organizational decision on whether users may store files on online document sharing sites.
  3. Ratify a data storage policy that explicitly states your directives for storing files on online document sharing sites.
  4. If you decide to disallow online document sharing sites, consider blocking them on your web content filter.
  5. Evaluate the total cost of ownership and return on investment of deploying tools that manage shadow IT.

Additional Resources

Dropbox Blog

https://blog.dropbox.com/2014/05/web-vulnerability-affecting-shared-links/

Shadow IT Definition

http://searchcloudcomputing.techtarget.com/definition/shadow-IT-shadow-information-technology


 

IBM Unveils New Threat Protection Suite

http://www.securityweek.com/ibm-unveils-new-threat-protection-suite

C-IT Recommendation

  1. Verify your company has an effective and enforced data classification standard that requires data owners to assess data sensitivity seriously and requires data custodians to secure the information on a need-to-know basis.
  2. Perform periodic access reviews of data stores and applications housing highly classified or confidential information to ensure appropriate access is enforced. Any user or group found to have access without a need for it should be removed immediately.
  3. Perform a risk assessment: a methodical process consisting of risk identification, risk analysis and risk evaluation.
    • Risk identification is the process of generating a comprehensive list of your organization's assets, the sources of threats to them, and the vulnerabilities in your environment that a threat could exploit.
    • Risk analysis is the process of quantifying or qualifying the likelihood that a threat actor exploits a vulnerability, and the positive or negative consequences of such an occurrence.
    • Risk evaluation is the process of deciding which risks need to be treated and how to prioritize them.
  4. Evaluate your organization's ability to prevent advanced persistent threats: "Do we have adequate technology to prevent advanced attacks?"
  5. Evaluate your organization's incident response capability: "Do we have adequate technology, intelligence and staffing to detect, contain, eradicate and recover from an advanced threat? Is it more cost-effective to hire more people or to purchase a service to do this for the organization?"

 

Investigation continues in second Affinity Gaming payment card breach

http://www.scmagazine.com/investigation-continues-in-second-affinity-gaming-payment-card-breach/article/345812/


 

FireEye to Acquire Network Forensics Firm nPulse Technologies in $70 Million Deal

http://www.securityweek.com/fireeye-acquire-network-forensics-firm-npulse-technologies-70-million-deal

http://www.darkreading.com/vulnerabilities—threats/advanced-threats/fireeye-to-buy-npulse-technologies/d/d-id/1251030?


 

Last Day to Save $250 for Suits and Spooks New York

http://www.securityweek.com/last-day-save-250-suits-and-spooks-new-york