6-26-14 Podcast References

“Every day that we spent not improving our products was a wasted day.”

—Joel Spolsky


Montana Notifying 1.3 Million After State Health Agency Server Hacked

http://www.securityweek.com/montana-notifying-13-million-after-state-health-agency-server-hacked

http://www.csoonline.com/article/2367661/montana-data-breach-exposed-13-million-records.html

C-IT Recommendation

  1. Verify your company has an effective and enforced access control standard and policy that defines roles and baselines for system administrators. Ensure the standard and policy state that access should be removed when an employee transfers within the organization or leaves the organization.
    1. Roles should be defined by the duties the role needs to perform, and only those duties.
    2. Privileged access should be granted to roles and not to individual users. Individual users should then be added to the roles according to their positions.
      1. ex: A Database Administrator should not have the rights of an Operating System Administrator.
  2. Perform periodic access reviews for privileged account users. Any users or groups who are discovered to have unnecessary access should have that privileged access removed immediately.
  3. Utilize job rotation and mandatory vacations for all privileged roles.
    1. Job rotation lets administrators understand that someone else is stepping in to perform their job responsibilities and may detect malicious behavior, which consequently deters the administrator's malicious behavior.
  4. Utilize dual control (separation of duties) for highly sensitive activities.
    1. Ex: The individual who makes changes in production source code hands off their changes to someone else for installation control.
    2. This deters malicious behavior, as each individual knows an honest employee may detect the behavior.
  5. Validate your organization has an efficient Security Operations Center (SOC) in which trained analysts alert on potential malicious events or malicious sources.
  6. Ensure your organization has a security incident investigation process that includes discovering the breach and disclosing the breach. Validate your process aligns with the requirements of your region's regulations.
  7. Consult your Risk Management team to see if your company has any cybersecurity insurance.
  8. If you have coverage, ensure the organization has performed an information security risk assessment to see if the current coverage is adequate for your company's risk appetite. If you do not have coverage, consider performing an information security risk assessment to decide whether to transfer potential financial loss in case there is a need to pay for forensic investigations, credit monitoring, reputation management, business interruption, and compliance with state breach notification laws in the case of a data breach.
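The role-based model from items 1 and 2 above, as an added example that is not from the podcast or the cited articles: privileges attach to roles, users hold only roles, a transfer revokes the previous position's roles, and an access review flags users holding roles beyond their position or privileges granted directly to the user. The role, privilege and position names are constructed.

```python
from dataclasses import dataclass, field

# Constructed, hypothetical catalogue: each role carries its privileges.
# A DBA role deliberately has no operating-system administrator rights.
ROLE_PRIVS = {
    "dba":      {"db.admin", "db.backup"},
    "os_admin": {"os.root", "os.patch"},
    "helpdesk": {"user.reset_password"},
}

# Constructed mapping of positions to the roles they are entitled to.
POSITION_ROLES = {
    "Database Administrator": {"dba"},
    "System Administrator":   {"os_admin"},
    "Support Technician":     {"helpdesk"},
}

@dataclass
class User:
    name: str
    position: str
    roles: set = field(default_factory=set)
    # Privileges granted to the person rather than a role; policy says
    # this set should always be empty, so the review reports it.
    direct_privs: set = field(default_factory=set)

def effective_privs(user):
    """Union of role privileges plus any direct (policy-violating) grants."""
    privs = set(user.direct_privs)
    for role in user.roles:
        privs |= ROLE_PRIVS.get(role, set())
    return privs

def transfer(user, new_position):
    """On transfer, drop all prior access and grant only the new position's roles."""
    user.position = new_position
    user.roles = set(POSITION_ROLES.get(new_position, set()))
    user.direct_privs = set()

def access_review(users):
    """Periodic review: return (user, finding, detail) tuples for unnecessary access."""
    findings = []
    for u in users:
        excess = u.roles - POSITION_ROLES.get(u.position, set())
        if excess:
            findings.append((u.name, "excess_roles", sorted(excess)))
        if u.direct_privs:
            findings.append((u.name, "direct_privs", sorted(u.direct_privs)))
    return findings
```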

Article Resources

Role Based Access Control (has links to other resources including the “Economic Benefits of Role Based Access Control”)

http://csrc.nist.gov/groups/SNS/rbac/

Separation of duty definition

http://www.pcmag.com/encyclopedia/term/51110/separation-of-duties

NIST Computer Security Incident Handling Guide

http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf



‘Luuuk’ Cybercrime Operation Steals €500,000 From Bank

http://www.securityweek.com/luuuk-cybercrime-operation-steals-%E2%82%AC500000-bank

http://www.darkreading.com/luuuk-stole-half-million-euros-in-one-week/d/d-id/1278845?

C-IT Recommendation

  1. Ensure your organization has firewalls/intrusion prevention solutions in place that will block incoming attempts to infect PCs with a crimeware kit.
  2. Ensure your organization has a solid anti-malware solution at the end point and that all endpoints are covered.
  3. Enforce a patch management standard in your organization which requires security patches to be deployed in the production environment within a reasonable time after they are tested within your test environment.
  4. Test business functionality of each type of device and record any issues impacting any business functions on the devices.
  5. If no issues result in the testing, deploy the security updates to the production systems. If functionality impacting issues occur on the test devices, engage Adobe support and/or vendor support if specific applications are negatively impacted.
  6. Consult with your Vulnerability and Threat Management Team (VTM) to verify all production systems are patched with the latest updates.
  7. Implement an advanced malware solution such as Invincea FreeSpace, FireEye Web Security (NX Series), or Sourcefire FireAMP to prevent unauthorized remote connections from being initiated from your internal network.

Article Resources

Man in the browser attack definition

http://searchsecurity.techtarget.com/definition/man-in-the-browser

Securelist technical description of Luuuk attack

http://www.securelist.com/en/blog/8230/Use_the_force_Luuuk



‘Havex’ malware strikes industrial sector via watering hole attacks

http://www.scmagazine.com/havex-malware-strikes-industrial-sector-via-watering-hole-attacks/article/357875/

http://www.securityweek.com/attackers-using-havex-rat-against-industrial-control-systems

C-IT Recommendation

From the end-user perspective

  1. Ensure your organization has a strong asset inventory with an accurate configuration management database.
  2. Identify all devices that have the vulnerable versions of Adobe Flash Player.
  3. Deploy the Adobe security update to test machines in your environment.
  4. Test business functionality of each type of device and record any issues impacting any business functions on the devices.
  5. If no issues result in the testing, deploy the security updates to the production systems. If functionality-impacting issues occur on the test devices, engage Adobe support and/or vendor support if specific applications are negatively impacted.
  6. Finally, as always, it is good practice to run a vulnerability scan against the devices to ensure the vulnerability has been addressed.

From the website perspective

  1. Ensure your company is using a strong web code review process before publishing sites.
  2. Use a software code security analysis tool to check your website for potential vulnerabilities.
  3. Require your security team to perform penetration testing after any code changes to your externally facing websites.
  4. If websites are deemed vulnerable after penetration testing, require through policy that the web development teams roll back to the previous version of the website until the vulnerabilities are resolved.
