THE IT SECURITY PROFESSIONAL | Barlowtek
Helping Organizations Understand IT Security & Best Practices
Phishing attacks are among the most common and dangerous cyber threats, as they can result in data breaches, financial losses, and reputational damage. As such, organizations need to understand how to protect their computer networks from phishing attacks and compromise. This article will discuss the best practices organizations can use to protect their computer networks from phishing attacks and compromise. We will cover employee training on cyber security awareness, anti-phishing tools and technologies, email authentication protocols, URL scanning tools, and more. By following these best practices, organizations can protect their computer networks against phishing attacks and compromises.

Motivation of Attack

Hackers are looking for ways to compromise your network to access your data. The other motivation that attackers see is that the target may have access to systems or networks that may be needed to further the attack. The initial stages of an attack are observation and looking for weaknesses in the protections that may be employed. This may take several days or only minutes, depending on the strength of your security measures. Once the reason for the attack has been determined, and the initial surveillance has been completed against the target network or system, the plan of attack can be developed. An attacker must go through this critical stage in the attack matrix: how will they compromise the network to access the information or data they are after? This will also cost them time and resources that they may have to spend to get a "foot in the door," so to speak.

Planning the Attack

Phishing attacks are a popular way for cybercriminals to access sensitive information. Planning a successful phishing attack requires looking for weaknesses within network security, understanding the target's behavior, and determining the best approach to exploit those weaknesses.

To plan an effective phishing attack, it is essential to understand the target's vulnerabilities and how they can be exploited. This involves analyzing the organization's existing security measures, identifying potential gaps in its defenses, and researching methods for using those weaknesses. Attackers must also consider how their victims may respond to their attempts at gaining access and adjust their tactics accordingly. By considering these steps when planning an attack, attackers can increase their chances of success while minimizing any potential risks associated with the attack.

1. Employee Awareness

Cyber security is an ever-evolving challenge requiring businesses to stay updated with the latest threats. Therefore, organizations must ensure that their employees know the current cybersecurity risks and how to protect their data and systems. Employee training on cyber security awareness is crucial in building a secure environment, as it helps employees understand how to identify potential threats and respond appropriately. This training can include identifying phishing emails, understanding password best practices, recognizing malicious websites, and more. By educating employees on these topics, businesses can reduce their risk of falling victim to a cyber-attack.

2. Tools & Technologies

One of the key components of dealing with phishing attacks is detecting these threats within their primary attack vector: email. Whatever the executable file type, these files can be detected with various tools and technologies. Additionally, some of these attacks hide the payload through obfuscation of the executable files. This is one of the key attack vectors that potential hackers will use to gain access to your computer network. Blocking these files is crucial in reducing the attack surface available to attackers. Using technologies that disable executable files or prevent them from running in the first place helps stop these malicious files from executing. This ability goes a long way in helping to secure the computer network, as it prevents possibly malicious files from running. With those files unable to provide a backdoor into the network, a primary path used by most phishing campaigns is shut down.

3. Email Authentication

Knowing whom you are getting emails from is one of the biggest things that you, as an administrator, can do to help prevent potential threats. Restrictions on the type of files or attachments that can be sent may help avoid potential dangers.

Additional settings within the various email service providers (Outlook/Gmail) provide domain and business controls that restrict the size of files and help validate the email's sender using cryptographic controls. This can also be done with third-party authentication applications that will determine whether the domain from which the email was sent reflects a potentially compromised environment or whether it is legitimate.

4. URL Scanning

URL scanning addresses the case where a user has clicked on a link and been taken to a potentially harmful website. Numerous applications can be used to help isolate these websites. Additionally, these sites can be reported in real time as they are continuously uncovered and added to the list of potential threats. While we would hope that our end users would do the right thing and not click on the links in emails, we know that if they do, we need to have a remediation plan in place. Connecting these reporting applications to your existing whitelisted and blacklisted sites will help restrict which sites your users are able to access. This will help reduce the number of potential sites accessed within the business. This can be crucial when you are targeted by a phishing campaign, as you will want to restrict or prevent your end users from clicking on a potentially harmful link to a compromised site. This is especially helpful if you see several emails or other such communications come in from the same address or domain.

Summary

While we can't do everything that would prevent our end users from potentially clicking on a phishing email, we must focus on these best practice areas and start to combat the threat that phishing poses to our organizations. Whether you conduct phishing tests or simulated phishing campaigns, the end users must understand that they can help prevent a compromise of the network by being cautious about whom they respond to and what information they provide.
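Items 2 to 4 above (blocking executable attachments, validating the sender, and checking links against allow and block lists) are the three checks an inbound-mail filter makes before a message reaches the user. The following Python script is an added example, not code from the article or from any product it names. It assumes the mail server has already stamped an Authentication-Results header (SPF, DKIM and DMARC are the usual mechanisms behind the "cryptographic controls" mentioned above), and the extension list, domain lists and sample message are constructed for illustration rather than taken from any standard.

```python
"""Inbound mail triage: sender authentication, attachment policy, URL lists.

Added example (not the article's code). Assumes an upstream mail server has
already written an Authentication-Results header carrying SPF/DKIM/DMARC
verdicts. The policy lists below are assumptions for the example.
"""
import re
from urllib.parse import urlparse

# Local policy (assumed): extensions that are never delivered, and the
# organization's own allow/block lists of link domains.
BLOCKED_EXTENSIONS = {"exe", "scr", "bat", "cmd", "com", "js", "vbs", "ps1", "jar", "msi"}
BLOCKED_DOMAINS = {"bad-example.test"}
ALLOWED_DOMAINS = {"corp.example", "vendor.example"}
# Leading bytes of common executable containers (PE, ELF, Mach-O) and of a ZIP
# archive, which is checked regardless of what the file name claims.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe")
ARCHIVE_MAGIC = (b"PK\x03\x04",)

def parse_authentication_results(header: str) -> dict:
    """Return e.g. {'spf': 'pass', 'dkim': 'fail', 'dmarc': 'pass'} from the header text."""
    results = {}
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.IGNORECASE):
        results[method.lower()] = result.lower()
    return results

def sender_authenticated(header: str) -> bool:
    """A DMARC pass means an aligned SPF or DKIM check succeeded; anything else is unauthenticated."""
    return parse_authentication_results(header).get("dmarc") == "pass"

def attachment_verdict(filename: str, data: bytes) -> str:
    """Classify an attachment by every extension it carries and by its content, not its name alone."""
    exts = filename.lower().split(".")[1:]  # "invoice.pdf.exe" yields ["pdf", "exe"]
    if any(ext in BLOCKED_EXTENSIONS for ext in exts):
        return "blocked-extension"
    if data.startswith(EXECUTABLE_MAGIC):
        return "blocked-executable-content"  # e.g. a PE file renamed to .pdf
    if data.startswith(ARCHIVE_MAGIC):
        return "review-archive"  # archives may wrap a script or installer
    return "ok"

def domain_matches(host: str, domains) -> bool:
    """True if host is a listed domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def url_verdict(url: str) -> str:
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host:
        return "block"  # an unparsable link gets no benefit of the doubt
    if domain_matches(host, BLOCKED_DOMAINS):
        return "block"
    if domain_matches(host, ALLOWED_DOMAINS):
        return "allow"
    return "unknown"

def triage(message: dict) -> dict:
    """Decide deliver/quarantine for one message and list the reasons."""
    reasons = []
    if not sender_authenticated(message.get("authentication_results", "")):
        reasons.append("sender not authenticated (no DMARC pass)")
    for name, data in message.get("attachments", []):
        verdict = attachment_verdict(name, data)
        if verdict != "ok":
            reasons.append(f"attachment {name}: {verdict}")
    for url in re.findall(r"https?://[^\s<>\"']+", message.get("body", "")):
        if url_verdict(url) == "block":
            reasons.append(f"link to blocklisted domain: {url}")
    return {"action": "quarantine" if reasons else "deliver", "reasons": reasons}

# Constructed sample: DMARC failed, a PE file named as a PDF, and a link to a
# blocklisted domain. All three checks fire independently.
SAMPLE_MESSAGE = {
    "authentication_results": "mx.corp.example; spf=softfail smtp.mailfrom=vendor.example; dkim=fail; dmarc=fail",
    "attachments": [("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60)],
    "body": "Please review http://login.bad-example.test/verify and the attached invoice.",
}

if __name__ == "__main__":
    print(triage(SAMPLE_MESSAGE))
```

The attachment check looks at the file's leading bytes as well as every extension in its name, which is what catches the renamed executable and the double-extension trick that a name-only filter misses; the URL check matches subdomains of a listed domain, so a lookalike host under a blocklisted domain is still blocked.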
Organizations of all sizes are using mobile devices in new and innovative ways. The device may be the “something you have” factor in the Multi-factor Authentication (MFA) process, as the device contains an application that authenticates end users to access the business systems. Or the devices may be used to respond to the business’s needs more effectively. Managing these devices can be difficult because users may want to use their own devices. Additionally, the organization may assign devices, as it can better manage these without causing legal liability issues with their management. This article explores the various security controls an organization can take to help secure these devices. Managing mobile devices within an organization can be challenging at the best of times. This is further complicated by the emergence of targeted mobile device malware, as it continues to be an attack vector that attackers are looking to take advantage of if they can.

Threats to Mobile Devices

Mobile devices have become an integral part of our lives, and with their increasing use, the risk of cyber threats has also increased. Cybersecurity threats to mobile devices can come from malicious apps, phishing attacks, or other online scams. Users need to be aware of these threats and take steps to protect the data of the business and their privacy. This article will discuss the cybersecurity threats on mobile devices and how IT Security Pros can protect the organization. We will also discuss current best practices to help users stay safe while using their own or the business’s mobile devices.

Controls to Implement

Here are the actions that you can take today to help secure the mobile devices used by the business you work for:

IT Security Pro Tip:

Summary

Mobile devices can and will continue to be used within the enterprise environment. The IT Security Pro’s role is to establish the controls that will be used for the secure management of these devices. Whether you are dealing with a privately owned device or one owned by the company, they should be treated the same regarding security. Helping to secure these devices against the ever-persistent threats they are exposed to will help protect the organization’s data and the information they may have access to. Securing these devices and implementing a robust management process will allow for a more effective security program within your organization.

As the investigation continues into the February 5th breach of the computer system at the Bruce T. Haddock Water Treatment Plant in Oldsmar, Florida, what is becoming clearer is that this hack was due to several different security failures that allowed the site to be compromised by attackers. While the damage was small, it could have been a lot worse.

Security Failures

While this investigation into the breach of security is still ongoing at the time of this blog post, the common theme is that the facility was using older equipment with lax security protocols. These issues compounded one another and helped to provide a path for an attacker to take advantage of these vulnerabilities. Additionally, remote management software could connect to these systems without being blocked. Here is the list of known security failures as of this post:
While no single one of these failures is the sole reason for the compromise, together they led to what could have been a serious issue if it were not for someone watching the system and taking corrective action to return the systems to normal.

What the Attacker Accomplished

The FBI was called in to investigate the compromise and found that the level of sodium hydroxide in the water treatment had been raised from 100 parts per million to 11,100 parts per million for only a few minutes. This chemical is used to clear clogged drains and could have caused deaths if ingested by members of the public.

Corrective Action

The failures identified by this attack should be remediated so that a similar type of attack does not occur. But this threat has shown what IT Security Pros already know: our infrastructure is not keeping up to date with evolving technologies. This creates vulnerabilities where it should be more secure. Municipalities are notorious for not updating or upgrading systems or software because they do not have the funds to replace or update them. While taking corrective measures now will address these issues, this is a systemic issue that will only be solved when municipalities and jurisdictions start taking security seriously and stop putting off the much-needed upgrades and enhancements that are required to stay up to date. Microsoft, for one, puts out notices to the public to let them know that there is going to be an end-of-life date for its systems and applications. Why didn’t the municipality heed those warnings and transition to supported hardware and software applications?

Remaining Threat

Due to the attention that this event is getting, it seems that these corrective actions will be taken as the city tries to deal with the fallout. But the underlying fact remains that all public utilities face a crumbling infrastructure and aging management systems that are needed to keep them up and running.

This is a high-visibility event, and the attention will be on the city to see how they handle these issues in the future. These remaining threats are going to continue to plague our technologically evolving infrastructure as well. As mentioned in infrastructure-security-securing-the-grid-of-the-future.html, there are growing threats to the use of new technologies as well as to securing the already well-established infrastructure by upgrading the network hardware, software, and IT Security posture.

Security for Infrastructure

Here are some of my recommendations for dealing with these same issues, whether you are a small business or a large municipality. This is commonsense guidance that you can follow:

1. Only use supported hardware/software

This means using only those systems and applications that are fully supported by the manufacturer and, if they are not, replacing them ASAP. This is one of the most common mistakes organizations make: waiting to upgrade later. Do not put it off; when a system or application reaches end of life, replace it.

2. Have a patch management program

With the hardware and the OS not receiving updates on a regular basis, these systems continue to increase the amount of risk and the number of potential vulnerabilities that they pose to the organization. Have an established patch management program and update software and hardware systems as soon as the patches come out. This helps to limit vulnerabilities while also ensuring that potential risks are mitigated in a timely manner.

3. Establish Strong Security Policies/Standards

The need to establish strong policies and standards cannot be overstated here. Passwords should use the following types of characters:

With all of these measures, access account passwords would be more complex and more difficult for an attacker to crack. While no password is 100% secure, there are steps that administrators can take to improve the security of these accounts.

4. Restrict VPN Access to Key Systems

This can be accomplished by preventing incoming connection requests from being responded to, or by securing systems behind a firewall or in a DMZ with restricted IP access points. While there may be ways in which these steps can be overcome, those steps are made more difficult than they would be without these controls in place. This is especially true for systems such as a water purification plant or even an electric distribution center.

Summary

While nobody was killed during this attack and someone was quickly able to respond to changes within the purification process, it could have been much worse. Like a lot of other assets that are government owned and operated, our infrastructure is a prime target for those who want to do our country or our cities harm. No matter what is found when the actual source of the attack is eventually discovered, this should be a wake-up call for all governmental organizations and jurisdictions that they can be compromised and that they need to be up to date with their security posture, just like the private sector. The worst thing about this attack on the purification plant is that all these security issues should have been addressed a long time ago. Even just upgrading and patching their systems could have helped deter a potential attack. Some of the simplest things make the biggest difference when it comes to these sorts of events. We can only hope that they employ a well-respected IT Security Pro to help them address these issues in the most effective and expedient manner possible.
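Recommendation 4 above, restricting remote access to key systems to a small set of IP access points, is only as good as the evidence that it is actually enforced; the Oldsmar case turned on remote management software that could connect without being blocked. The Python audit below is an added example, not the article's code or any product's. It reads firewall log lines for remote-administration traffic to control-system hosts, flags any source outside the management allowlist, and treats an accepted connection as more serious than a blocked probe. The subnets, hosts, ports, log format and log lines are all constructed for the example.

```python
"""Audit remote-administration traffic to control-system hosts against an allowlist.

Added example (not the article's code). Networks, hosts, port-to-service map,
log format and log lines are constructed for illustration.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed policy: only the management jump network may reach control-system
# hosts on remote-administration ports; all other sources should be blocked upstream.
MANAGEMENT_NETWORKS = [ipaddress.ip_network("10.50.0.0/24")]
CONTROL_SYSTEM_HOSTS = {ipaddress.ip_address("192.168.10.20"), ipaddress.ip_address("192.168.10.21")}
REMOTE_ADMIN_PORTS = {22: "ssh", 3389: "rdp", 5900: "vnc"}

# Constructed log format: "<date> <time> src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
LOG_PATTERN = re.compile(
    r"^(?P<ts>\S+ \S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

def parse_line(line: str):
    """Parse one log line into a record, or return None for lines in another format."""
    m = LOG_PATTERN.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "action": m["action"].lower(),
    }

def is_allowed_source(src) -> bool:
    """True if the source address (string or address object) lies in a management network."""
    addr = ipaddress.ip_address(str(src))
    return any(addr in net for net in MANAGEMENT_NETWORKS)

def audit(lines) -> list:
    """Return policy violations: remote-admin traffic to control hosts from outside the allowlist."""
    violations = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dst"] not in CONTROL_SYSTEM_HOSTS or rec["dport"] not in REMOTE_ADMIN_PORTS:
            continue  # out of scope: not a control host, or not an admin service
        if is_allowed_source(rec["src"]):
            continue
        # An accepted connection means the firewall rule is missing or wrong;
        # a denied one is a probe worth watching but the control held.
        severity = "critical" if rec["action"] == "allow" else "warning"
        violations.append({
            "ts": rec["ts"], "src": str(rec["src"]), "dst": str(rec["dst"]),
            "service": REMOTE_ADMIN_PORTS[rec["dport"]], "severity": severity,
            "note": "connection accepted" if severity == "critical" else "attempt blocked",
        })
    return violations

def repeat_offenders(violations, window=timedelta(minutes=10), threshold=3) -> set:
    """Sources that tripped the policy `threshold` times within `window` (service scanning)."""
    by_src = {}
    for v in violations:
        by_src.setdefault(v["src"], []).append(v["ts"])
    offenders = set()
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                offenders.add(src)
                break
    return offenders

# Constructed sample log.
SAMPLE_LOG = [
    "2024-03-01 02:00:05 src=10.50.0.5 dst=192.168.10.20 dport=3389 action=allow",    # jump host: fine
    "2024-03-01 02:13:40 src=203.0.113.7 dst=192.168.10.20 dport=3389 action=allow",  # outside source accepted
    "2024-03-01 02:20:01 src=198.51.100.9 dst=192.168.10.21 dport=22 action=deny",
    "2024-03-01 02:21:15 src=198.51.100.9 dst=192.168.10.21 dport=3389 action=deny",
    "2024-03-01 02:22:30 src=198.51.100.9 dst=192.168.10.21 dport=5900 action=deny",
    "2024-03-01 02:25:00 src=198.51.100.9 dst=192.168.10.50 dport=443 action=allow",  # web server, out of scope
    "garbage line that does not parse",
]

if __name__ == "__main__":
    found = audit(SAMPLE_LOG)
    for v in found:
        print(v["severity"], v["ts"], v["src"], "->", v["dst"], v["service"], v["note"])
    print("repeat offenders:", repeat_offenders(found))
```

On the sample, the accepted RDP session from 203.0.113.7 is the finding that matters: it shows the restriction is not in force for that path. The three denied attempts from 198.51.100.9 confirm the firewall is doing its job, and grouping them shows one source walking through the admin ports, which is worth a block at the perimeter.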
Reference: abcnews.go.com/US/outdated-computer-system-exploited-florida-water-treatment-plant/story?id=75805550

With growing unrest in the US, there is growing concern that there will be unrest in the country following the Presidential election in November of 2020. While the country continues to deal with ongoing race riots and protests all over the country, it is important to remember that these may be localized to a particular city or even to the neighborhoods in which the protests are taking place. While it is important to listen to those who are protesting and to what their concerns might be, it can’t be disputed that these actions continue to alienate a large part of the population. No matter where you are on the political spectrum, these civil disturbances can directly affect your business. This is not strictly affecting large or national businesses, as we have seen local independent companies affected just as much as the large chain stores.

Protests vs. Large-Scale Unrest

When the terms protest and large-scale unrest are used, they can be a little confusing. Protests may be short-lived and for one political cause, and may last a few hours to maybe even days. Large-scale civil unrest is different in that it may encompass a large part of the country as a whole, and large numbers of the population take to the streets to demand that their demands be heard. Additionally, large governmental infrastructure (power grid, Internet, supply lines, roadways) may also be impacted as protesters sabotage or disable it in order to make more of the population aware of what is going on. Also, killings of individuals may occur on a regular basis as the population on each side of the political divide fights for its cause.

Business Continuity Planning

As with any event that may have the possibility of impacting your business, it will be important to plan for the worst-case scenario when it comes to a civil unrest situation.

With a lot of things in 2020, the unexpected event is one thing you can expect this year. Within the IT Security community, we are treading on new ground, as we have never been through a pandemic, and yet we find ourselves 7 months into one. We don’t know what to expect with large-scale civil unrest.

Plan for Major Interruptions

The one thing Business Continuity has shown us is that we can plan for those events that are most likely to happen instead of those events that may never happen. With civil unrest, the following should be at the top of your list of impacting events to prepare for:

While there may not be one area on the list that directly impacts your business, any combination of them surely will. Also, while other countries around the world have had to cope with similar issues or impacting events, it is important to realize that the US has not, and that North America houses the largest share of the global Internet infrastructure. So what happens on the continent could have global ramifications.

Pandemic with Civil Unrest

The majority of businesses today are worried about just dealing with the global pandemic going on. But if civil unrest were to materialize, then there would be a lot more to worry about. Just this one event could have the potential of derailing any sort of recovery effort that might be in the works at this time. Businesses should take the “lessons learned” from dealing with the pandemic and use them to deal with a civil unrest scenario, as most of the responses could be similar. Companies will find ways in which to deal with outages or interruptions, but when the violence comes to the individual neighborhoods or communities, then they may be affected in very different ways.

Bringing the Fight

As with all disturbances, civil unrest can cause the business to be impacted in different ways compared to other potential scenarios. Choosing to fight against the opposing party may be part of that, as personnel may be killed or injured. This can also cause issues if there are mass arrests as part of rioting or protests that go on for longer than a normal period of time. A company may also come under fire for supporting one faction over the other, or may be forced to support one group over the other by mass crowds, or even in the media. (This is currently happening with groups like BLM, as they support Marxist and Communist ideologies, and the destruction of the nuclear family). Employees will be new to the equation, as most business continuity planning takes only the company infrastructure or business operations into consideration in its recovery efforts. The loss of personnel will cause businesses to have to replace personnel or work differently than they did prior to the outbreak of the disturbances. Systems are easy to replace; personnel are not.

Summary

While this article may seem to be raising unreasonable concerns or unneeded worry, just think back a few months to the potential for a global pandemic, and yet here we are. Plan for the worst potential in hopes that it never materializes. I would not be doing my job if I looked the other way and did not consider the potential that this time in our country could impact the businesses we work for and with. Planning for a disaster is the same whether it is a man-made one or natural. It is still not too late to take action and address the various concerns that have been brought up here. Planning how you would react in a specific scenario helps to sharpen our skills in responding to disasters and also helps us be more confident in our recovery efforts if they are needed.

Disclaimer

This article is meant to be a thought exercise on how businesses would recover if large-scale political unrest were to hit the US. This article in no way endorses or condones violence of any type (from any side). It is the hope of this author that all registered voters exercise their Constitutional right and vote in the upcoming election and that there may still be a middle ground in which both political sides can get together and discuss the issues affecting our country.

As I write this article today, I’m sitting in my home office coughing and having some difficulty breathing. Being right in the middle of a potential pandemic hot zone in Washington State can help bring things into focus when it comes to planning for the worst-case scenario and for an incident that impacts your business. Taking the right course of action in a timely manner can help to protect the business, but most importantly, the community at large as well.

Epidemic Tracking

Right now, we are concerned with COVID-19 (Coronavirus) and the potential impact it may have on the population, since it was a virus unknown to the human population just a few months ago.
When this virus emerged, I started to keep track of the numbers that we were seeing and how it was spreading. As part of my IT Security role, I have a responsibility for Business Continuity Management within the company. Therefore, I keep an eye out for these sorts of things, as they have the potential to turn quickly if we are not looking. I believe that this is what happened here, and I believe that China for the most part has not provided accurate information to the world at large. No matter what the epidemic is, planning to take action as a business or other organization should be the prudent move here. Planning for what the company may do if faced with a certain situation allows for calm and calculated planning to occur instead of reacting to what is going on around them. Any decisions that the business makes will have an impact on the company, and ultimately on the workforce that you employ as well.

Epidemic Impact

No matter how you plan, the decisions you make or plan for will always change. Flexibility is the name of the game here. Have several different levels or ways to address an issue as it arises, and plan on meeting those changes as they occur rather than reacting to them. Being cautious and taking an aggressive approach at the onset may help prevent more of an outbreak than waiting on what the state, national, or global authorities may suggest. We are seeing this play out in Seattle and in King County, Washington, as the local authorities have suggested that employees work remotely if they can for a length of time in order to prevent a further spread of the virus. Businesses in the county will have to determine how they plan to address this issue. Will they take the steps that have been requested by the local government, or will they side with their own best interests in order to preserve their business? The impact of an epidemic is not just a personal one, but also a monetary one for the company that has to make those choices.

This is one of the crucial aspects of the planning process that seems to be left out by most businesses: pandemic insurance or emergency funding in case it is needed. While organizations will focus on business operations for emergency funding, pandemic funding or planning for the potential impact of a pandemic should also be under consideration. "The suggestion is to have at least 3 months of operating capital on hand in case of a pandemic." - Erich Barlow

Developing a Plan

The first course of action should be to establish and develop a Pandemic Response Plan that will be implemented in case a pandemic or epidemic is declared. This plan should have the following areas:

Plan Testing

One of the core issues that plans sometimes have is that they aren’t tested as often as they should be. This leads to plans that are outdated or inaccurate, with personnel not knowing their particular role in the plan when it is activated. It is recommended that at least once a year a tabletop test be performed in order to validate the planning process. Testing your plan is one of the best ways of making sure that it will be there when it is needed in case a pandemic hits where you are located.

Summary

While there are a lot of different areas that need to be addressed when planning for a potential pandemic, the time that is taken in planning for it will pay off if it ever has to be implemented. This is what we are seeing play out right now with those organizations in Washington State that have not planned for such an event. While most businesses will have plans for fire, flood, or even an earthquake, Pandemic Response Planning is one of those areas that is not really planned for. Taking the proper steps in developing a robust response plan before you need it will go a long way in helping the company recover from a potential outbreak. Whether it is suggesting working remotely or limiting social interaction within large groups, it is important to address these issues ahead of time.

Reader’s note: Due to the rapidly changing situation and the impact that the current epidemic is having on the community in which I live, I plan to update this article over the next few weeks as we deal with this outbreak and how we are going to react to it.

Working from Home During the COVID-19 Pandemic – Blog Update May 23rd, 2020

After two months of working from home (and changing jobs in the process), it has been a huge change for me and those that I work with. While I saw many of my friends laid off or fired due to the impact of the virus, a large majority have been able to keep working.

Essential Workers

A lot of jobs were declared “essential”, and we saw that those workers were able to keep working (although with some modifications) and were still able to earn a paycheck. While the government was able to determine who was essential and who was not, this designation was not applied equally across the board, and those folks that we all depend on every day lost their jobs because the government decided that they posed a risk to our health.

Pandemic Mental Health

Like most of the people that I work with, I have been impacted on a personal level by the restrictions that have been imposed on me “for my health”, but it is my belief that our mental health has been impacted in ways that we don’t fully understand. Whether it is our kids that we are now all homeschooling or those of us who are social beings, we have had to change the way that we function in the world around us. Being able to go to the gym for a good workout to help relieve stress has been off the table for the last two months now (and I have seen some weight come back). Additionally, being able to practice my faith has been prevented as well, which, like for a lot of people, was a great source of comfort before the outbreak, and it still is, but the practice of it has had to change.

Technology Work Changed Forever

While there are a lot of issues that we all have had to endure over the last couple of months, there are some bright spots. One of them is that working from home, or at least the ability to do so, has become the norm and not the rarity that it once was. While there have been some difficulties in the adjustment to it, I think that it will become the way business is done in the future, even after being able to return to the office. More and more people are seeing the benefit of working remotely (not to mention the savings we get from not being in rush hour traffic). While a lot of companies were not sure how they could make working remotely work, they were able to figure it out. Now with that infrastructure in place and working efficiently, why dismantle it when the pandemic is declared over? I think that we are going to see more businesses adopt the model and keep on working this way, or at least have it as a full option for workers if they choose to do so.

Security at Home

One of the biggest issues that companies have had with going to the work-from-home model of business is how to enforce security on personnel when they are not in an office. Businesses have quickly learned that the use of encryption for communications and network connections is an important aspect of those security measures. Additionally, making sure that employees are adhering to IT Security best practices has also been an important issue that has been addressed. Providing IT Security information to the end user has been a focus of the IT Security teams around the globe that are supporting the work-from-home business model.

Additional Updates

While I live in the Pacific Northwest, the Governors here are continuing to restrict business operations and the ability of people to go about their normal lives. The area that I live in will be under these restrictions until at least the end of summer, if not later.
So, I will be posting updates as we continue to deal with the pandemic in hopes of preventing its spread. Also, updates on what are considered best practices during this unprecedented outbreak will be posted to this blog.

Scanning won’t cut it anymore

When it comes to IT Security, an organization wants to make sure that they are doing everything right. Whether it is scanning for vulnerabilities or looking for malware on the network, a company will spend time, effort, and money to make sure that they are doing everything right in protecting their business. As the IT Security Professional, it is our responsibility to make sure that those resources are used effectively. Are you using applications or systems that are actually helping you? How do you know?

Network Monitoring

Network monitoring and vulnerability management are areas that many IT Security Professionals focus their time and energy on these days, especially with all of the compliance requirements that have been mandated by the government. This has led to a sense of security when it comes to using network monitoring applications or systems, as we rely on these systems to automate the processes that we were doing by hand just a few years ago. It is important to remember that these systems need to have a human in the middle to interpret the information and then to take action on those areas that have been highlighted.

Making the Case

Making the case for going after advanced persistent threats (APTs) should be a no-brainer. Nevertheless, the truth is that not every threat is going to make itself known to the scanning application(s) (or to multiple applications, for that matter), which may give a false sense of security. This will cause those who may be responsible for network maintenance to not believe the results.

The goal for all IT Security Professionals is both to educate others in the organization on the importance of vulnerability scanning and to make sure action is taken when a threat or vulnerability is found. While APTs do pose a threat to the network, they are a hidden threat that goes under the radar until they actually do something to the company. By then, it’s too late, and the potential for information loss is significantly greater.

Behavior is NOT a Signature

While a lot of network monitoring software will use a signature of the potential malware or threat in order to detect it, looking at system behavior and network traffic is a better way to track down those systems that may be compromised. Heuristics is an area that has the ability to look at the whole picture and to see areas that may not look like they are connected, but when looked at heuristically, they make perfect sense. The benefit of heuristics is that software changes at a rapid pace, but behaviors don’t. In order to detect malware, some network monitoring applications require a signature. Between the time the new version of the detection application is updated and sent out to customers, a heuristic application may have already caught the malware due to its behavior. The malware will use any means necessary in order to hide or go undetected.

Attack Approach

Most APTs will use a multiphase attack methodology. Regardless of how they entered the network, these are the phases that may be followed, depending on the organizational structure of the group(s) conducting the attack against your network:
Key Indicators of APT Attack
While APTs have been known to evade detection by most anti-virus scanning applications, there are some signs to watch for if you suspect that your network may be compromised by an APT:
Mitigation Strategy

While detection of APTs may be difficult, there are mitigation steps that every organization can take in order to lessen the potential risk of an attack. The steps are listed below:
Gaining Control

Once an APT has been identified, all affected systems should be brought offline and their network access disabled. This helps to isolate the systems on the network and also lessens the damage that may be caused by an ongoing compromise of the network. While this will stem the loss of data, it is not meant as a fix. These steps just remove the immediate threat; recovery steps will need to be taken once the threat has been identified and isolated.

Summary

APTs are continuing to plague organizations as they struggle with securing their data. This can lead to data loss and an impact on the business in ways that may not be realized for years to come. No matter what type of business you are in, the potential threat is there for APTs to cause havoc on your network. Also, due to the complexity of detecting and protecting against APTs, businesses need to be proactive in their approach to these threats, and all members of the support teams and groups need to understand the need to act swiftly once a threat has been identified or suspected. Applications and systems that combine signature-based detection with heuristic, behavior-based detection are the ones best suited to these circumstances. It is not just the signature that will catch the threat, but what is actually going on behind the scenes that you are not looking at that will help to identify what is really happening on your network.
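The "Behavior is NOT a Signature" argument above is easiest to see side by side: a hash lookup catches only the sample it was built from, while a check on how a host talks to the outside world catches a new variant doing the same thing. The Python script below is an added example, not the article's code or any vendor's detector. It compares a stale hash "signature set" against a simple beaconing heuristic (a host contacting the same external address at near-constant intervals, the timer-driven check-in pattern of many command-and-control implants) over constructed connection log lines. The hashes, addresses, thresholds and log lines are all constructed for the example.

```python
"""Signature lookup versus behavioural (beaconing) detection over connection logs.

Added example (not the article's code). The known-bad hash set stands in for
an anti-virus signature database; hosts, log lines and thresholds are constructed.
"""
import hashlib
import statistics
from datetime import datetime

# A signature set that knows one old sample. A recompiled variant has a new hash
# and passes this check untouched.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-old-sample").hexdigest()}

def signature_match(file_bytes: bytes) -> bool:
    """Signature-style check: exact hash of the file against the known-bad set."""
    return hashlib.sha256(file_bytes).hexdigest() in KNOWN_BAD_SHA256

def parse_conn(line: str):
    """Constructed log format: ISO timestamp,src,dst,bytes."""
    ts, src, dst, nbytes = line.split(",")
    return datetime.fromisoformat(ts), src, dst, int(nbytes)

def beaconing_pairs(lines, min_events=6, max_jitter_ratio=0.15) -> dict:
    """Return {(src, dst): mean_interval_seconds} for pairs that connect on a near-fixed timer.

    The gaps between a beacon's connections cluster tightly around one value, so the
    standard deviation of the gaps divided by their mean is small. Human-driven
    traffic to the same host is bursty and the ratio is large.
    """
    times = {}
    for line in lines:
        ts, src, dst, _ = parse_conn(line)
        times.setdefault((src, dst), []).append(ts)
    flagged = {}
    for pair, stamps in times.items():
        if len(stamps) < min_events:
            continue  # not enough evidence either way
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_jitter_ratio:
            flagged[pair] = round(mean, 1)
    return flagged

def assess(file_bytes: bytes, lines) -> dict:
    """Run both checks so the two verdicts can be compared on the same evidence."""
    return {"signature_hit": signature_match(file_bytes), "beaconing": beaconing_pairs(lines)}

# Constructed connection log.
SAMPLE_CONN_LOG = [
    # 10.1.1.5 checks in with 203.0.113.10 roughly every five minutes.
    "2024-01-01T00:00:00,10.1.1.5,203.0.113.10,512",
    "2024-01-01T00:05:02,10.1.1.5,203.0.113.10,498",
    "2024-01-01T00:09:58,10.1.1.5,203.0.113.10,505",
    "2024-01-01T00:15:01,10.1.1.5,203.0.113.10,511",
    "2024-01-01T00:20:03,10.1.1.5,203.0.113.10,507",
    "2024-01-01T00:24:59,10.1.1.5,203.0.113.10,502",
    "2024-01-01T00:30:00,10.1.1.5,203.0.113.10,509",
    "2024-01-01T00:35:01,10.1.1.5,203.0.113.10,500",
    # 10.1.1.6 browses 198.51.100.20 at irregular, human-looking times.
    "2024-01-01T00:00:00,10.1.1.6,198.51.100.20,20480",
    "2024-01-01T00:00:40,10.1.1.6,198.51.100.20,1024",
    "2024-01-01T00:07:10,10.1.1.6,198.51.100.20,73000",
    "2024-01-01T00:08:00,10.1.1.6,198.51.100.20,4000",
    "2024-01-01T00:23:30,10.1.1.6,198.51.100.20,9000",
    "2024-01-01T00:24:05,10.1.1.6,198.51.100.20,3000",
    "2024-01-01T00:50:00,10.1.1.6,198.51.100.20,15000",
    # 10.1.1.7: too few events to judge.
    "2024-01-01T00:01:00,10.1.1.7,203.0.113.10,300",
    "2024-01-01T00:06:00,10.1.1.7,203.0.113.10,300",
]

if __name__ == "__main__":
    # The "new variant" is not in the signature set, yet its host shows up as beaconing.
    print(assess(b"constructed-new-variant", SAMPLE_CONN_LOG))
```

The point of the pairing is the gap between the two verdicts: the new variant's hash is unknown, so the signature check returns nothing, while the timing of its traffic gives it away. In practice the jitter threshold and minimum event count are tuned against known-good hosts, since legitimate software (update checkers, monitoring agents) also runs on timers and needs an allowlist.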
IT Security Pro: Securing the future one byte at a time! Mr. Barlow is here, staying ahead of the curve in Information Security Leadership. Ready to help your company stay safe and secure.