TOPIC: IT

Who’s Watching the Watchers?

In a world of everything connected to the internet through the likes of IoT (Internet of Things) devices, the prospect of exploits and vulnerabilities abound. For the most part, these IoT devices lack the proper secure coding practices and security hardening that most well-known products implement. The focus is not on security, but convenience, and leads to numerous exploits being found on these remote devices. The remotely controlled video camera in the office or the one facing outside could have lurkers watching from another continent gaining intelligence on someone they’re trying to target. Or these exploits could lead to further escalation into your network if they aren’t segmented properly and ransomware all your files. Unsecured IoT devices provide an abundance of problems.
The best way to secure yourself is to keep these IoT devices off your network and to buy from a trusted vendor that has been checked for security vulnerabilities and exploits. If not, you may have someone from across the world watching your every move. 

    Microsoft Security Update Guide

    As most of you already know, Microsoft has been releasing Windows cumulative monthly updates for some time now.  Each of these updates (generally) includes relevant security updates from previous releases, making the installation process simpler.  Apply the most recent cumulative updates for your Microsoft software, and you should be in pretty good shape.The downside to this approach is that each update addresses multiple issues, and after applying the patch, there may be additional action needed (i.e. a registry key, GPO setting, etc.)  So how is a careful administrator supposed to find out what may be needed after the patch is “installed”?Microsoft has several update information resources, but the most concise place we have found to see the security implications of a particular patch, and any additional actions needed is the Microsoft Security Update Guide ( https://portal.msrc.microsoft.com/en-us/security-guidance ).   Here you can look up individual updates, CVEs, or products.  A nice section called “Release Notes” will tell you about the important patches for any given month, showing the products needing updates, links, and most importantly, recent Release Note documents now indicate what CVEs or advisories may need additional scrutiny.  Items with asterisks (*) link to additional information on registry keys or changed functionality.  This information is incredibly hard to find via other Microsoft support resources.
     
    Consider bookmarking this page and regularly reviewing the monthly update summaries.  This should help keep you up to date on the latest patches and can key you in on updates that might require you to read the “fine print”. 

      Penetration Testing – What Kind Should You Get?

      There are different types of penetrations tests that can be performed, depending on the threat being simulated.  A “no knowledge” penetration test with the tester starting outside the institution’s environment is performed as a “real world” attack on a network, and may involve port scans, exploits of vulnerabilities, and social engineering tactics.  A penetration test can start with the tester given access to the institution’s internal network as well, and a third type of test can strictly target the institution’s wireless networks.

      Which test should be performed depends entirely on the institution’s needs and targeted to accomplish the intended goals.  But making sure you get a worthwhile test comes down to knowing what is generally recognized as a true penetration test, and not just an enhanced vulnerability scan.

      For more details on the different types of penetration tests, the associated methodologies, and reasons why you might want to conduct one or more of the tests see our comprehensive blog post located at: https://10dsecurity.com/penetration-testing-what-kind-should-you-get/ , or you can download it below.

        Why you should consider Ad Blockers

        Many websites use advertisements to help supplement the cost of creating new content, hosting the site itself, and to generate revenue. Many site owners utilize various ad platforms to load ads onto their websites. However, bad actors have been known to abuse these platforms to direct users to malicious websites or download malicious content. This is known as "malvertising". A seemingly innocuous ad could lead a user to a drive-by download or load malicious code from a compromised website.

        Reputable ad blockers such as uBlock Origin and AdBlock Plus allow users to stop ads from loading on websites (as well whitelist specific sites if desired). These programs are usually in the form of browser plugins. Additionally, ad blockers may also offer the ability to import blacklists, which are lists of known bad domains or ad platforms with poor reputations. This can increase your security when browsing by stopping traffic before reaching a malicious website.

        If you haven't used an ad blocker before, try one out in your favorite browser and enjoy a cleaner, safer browsing experience. 

          Local Administrator Password Solution (LAPS)

          Local Administrator Password Solution (LAPS) addresses the basic issue where the same local administrator accounts are used on all hosts throughout the organization, leaving them susceptible for “Pass-the-Hash” and credential re-use attacks.  LAPS does this by leveraging a combination of an application installed on a Domain Controller, Active Directory (AD) Templates, and PowerShell modules. The LAPS password is stored as the ms-Mcs-ADMPwd AD attribute and associated with a domain computer.  LAPS credentials are also passed using Kerberos encryption by default. Additional benefits include automated password rotation of the admin password, and – if the administrator deems appropriate – can allow access to the password where appropriate, such as to help desk staff.  Another practical example would possibly be allowing a user access to an elevated account if they are in a bind without compromising local password (e.g., the user is out of the office and unable to access VPN due to a corrupt VPN client installation, requiring re-installation with elevated credentials).  Then after network connectivity is restored, the LAPS password can be automatically changed once Group Policy updates or via PowerShell.To read more about LAPS and to download all the associated components and documentation, check out this TechNet article.

            Are you prepared for the EOL Shockwave?

            Often, we take software that seems to have ‘always been there’ for granted, until suddenly it’s not supported.  At other times, ‘must have’ software fades into obscurity as it’s gradually replaced by alternatives.  Either way, you should be prepared for an End of Life (EOL) announcement just as much as you should for important software update announcements.
            This week it’s an announcement by Adobe.  They have announced the EOL for Adobe Shockwave, on April 9th, with extended support only for Enterprise customers.  This also means anyone who continues to use the software after April 9th is assuming a security risk because Shockwave will no longer be supported with security updates. 
            This is a great example of a piece of software that likely remains installed, albeit unused by many users.Staying informed about software updates are important to alleviate potential security risks; you should also stay informed of End of Life announcements.  Take a moment to see if it’s installed in the environment you maintain.  If you are using Shockwave, find a supported alternative soon.  If you don’t use this software, uninstall it.

              Intrusion Detection and Prevention Systems: Are they really working?

              Let’s face it, if you have a public IP you’re going to get some type of illegitimate access attempt directed at your network at some point. Probably multiple times per day. Just look at your firewall logs and alerts sometime. If you are not, you should be; daily.

              If you don’t have one or are not familiar with the concept, an Intrusion Detection and Prevention System (IDS/IPS) will actively detect and prevent malicious or unwanted attempts at access. Your IDS/IPS can be deployed as local software, appliances, Software as a Service (SaaS) solutions (or a hybrid), or potentially as separate systems – detection (IDS) and prevention (IPS) in separate parts. The usual deployment; however, is an IDS/IPS that that prevents as it detects. These systems perform their tasks based on definitions and/or heuristic techniques and may be monitored by a third-party Security Operations Center that can alert you and/or act on your behalf.

              If you don’t have IDS/IPS, you might be saying, “Isn’t my firewall good enough?” Well, a stateful inspection firewall is an absolute must. But even though you might have integrated inspection enabled, your firewall only passively stops what was defined in the last firewall OS release; and what you tell it to through Access Control Lists associated with zones or interfaces. That’s where IDS/IPS steps it up and may be something you can add to or enable on your firewall.

              After a few consulting hours, (maybe the purchase of a new firewall or appliance) and certainly the signing of some type of maintenance contract, you’ve committed many dollars in infrastructure changes to add an IDS/IPS. Things are ticking along great, right?

              Have you bothered to test whether the fancy new system is really doing what it the sales guy said it will do?

              A famous former President was very fond of this Russian proverb: Trust but verify.

              Have your IDS/ IPS checked by someone other than the vendor to ensure it is detecting and preventing while not impacting your network performance. Impact? Yes, impact. Another 1 or 2 seconds per transaction multiplied by the transaction volume and number of impacted employees or customers adds up quick. Time is money.

                A picture is worth a thousand words! Network Diagrams.

                This is especially true when talking about network diagrams. A network diagram is a roadmap that helps you illustrate and document what a network looks like, and how things are connected.

                The following diagrams should be maintained:

                1. WAN topology that clearly shows all ISP, VPN, and WAN connections, wireless connections, LAN segments along with router, firewall
                  and IDS implementations.
                2. Individual LAN topologies showing default gateways, DNS implementation, all servers, and all network devices.

                Here are some key elements of good network diagrams:

                1. Keeping a diagram current and accurate is important, so network diagrams should be updated at least quarterly or after network
                  changes.
                2. Label items with a name, function, and IP address(s).
                3. The look and feel of the diagrams should be consistent, and a common set of visual objects should be used where possible.
                4. Network diagrams should also contain a title that clearly defines the nature of the diagram, confidential statement notice, name of
                  the author, and date of creation / last update.

                If you outsource your IT, make sure your vendor is providing you with current and accurate diagrams.

                  DNS and MFA

                  DNS and MFA
                  On January 22, 2019, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive with the subject, “Mitigate DNS Infrastructure Tampering” ordering all federal agencies to secure login credentials for their internet domain records. Required actions include auditing DNS records, changing DNS account passwords, adding multi-factor authentication to DNS accounts, and monitoring certificate transparency logs to detect prior unauthorized certificate issuance. This directive was issued in response to an uptick in attacks on websites and email servers by altering DNS records.

                  CISA Director Christopher C. Krebs wrote in the emergency directive:

                  “Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services:

                  1. The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records.

                  2. Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection.

                  3. Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization's domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.

                  To address the significant and imminent risks to agency information and information systems presented by this activity, this emergency directive requires the following near-term actions to mitigate risks from undiscovered tampering, enable agencies to prevent illegitimate DNS activity for their domains, and detect unauthorized certificates.”

                  While this directive was aimed at federal agencies, all institutions should heed this warning and secure access to their public DNS account with multi-factor authentication.

                    Is This Partnership a Right Fit? More than 50 Banks Found Out Firsthand.

                    In January, 56 community banks from 20 states joined Bankers Healthcare Group for a behind-the-curtain experience at our Informational Regional Seminar in Nashville, Tenn.

                    Our 75 attendees heard from BHG’s Founder/Chairman/CEO Al Crawford and c-suite leadership team in finance, credit, underwriting, compliance, marketing, sales, and analytics. This was a great opportunity for them to learn about our business model, commercial medical loan program and financial strength, and uncover new revenue opportunities for their banks.

                    We had a great mix of prospective customers and current customers from some of BHG’s 940 bank partners, which gave everyone a chance to network and learn. Prospective customers love to hear about the experiences of current customers, while current customers appreciate the business and product updates, as well as the opportunity to connect with key BHG contacts.

                    Our seminars are a great way to get to know BHG—and we hold them throughout the year, across the country. If you’d like to attend an upcoming seminar, please email bhgbanks@bhg-inc.com or call 877-731-6562 to get the details!

                    About BHG: Bankers Healthcare Group (BHG) is the leading provider of financial solutions for licensed healthcare professionals. The company originates, underwrites and funds medical and professional loans before selling them to local banks nationwide.

                    To date, BHG has underwritten nearly $15 billion in commercial loan requests with an average size of $100,000, providing a network of more than 940 U.S. community banks a source for premium loans, portfolio diversification, and competitive yields without overhead costs traditionally associated with this quality borrower. Banks purchase BHG loans through a secure, online system that allows for daily sale and delivery of loans. This has been a highly effective channel for a bank to quickly approve and purchase loans according to their underwriting standards. BHG’s 2018 sales distribution has averaged $4 million per day and new loans are posted daily.

                    Pinnacle Financial Partners, Inc., and its subsidiary Pinnacle Bank hold a 49% total interest in BHG.

                      What do ISO's need to know?

                      The role of the Information Security Officer is ever-changing, and the knowledge base required goes beyond patch management and tracking IT assets. This certification course outline gives you an idea of the topics we drill down in during the training. and highlights the skills required of a well-rounded ISO.

                      This one of a kind course was developed by industry experts, former examiners, and CISSP professionals to share the wealth of knowledge and insight accumulated from years on the banking side, the cybersecurity side, and the regulatory side. Your ISO leaves with the tools to secure your network, bringing you peace of mind. Plus, the opportunity to become a Certified Banking Information Security Officer (CBISO). The training meets FFIEC annual training requirements. Our 2019 courses will be in:

                      For more information, visit: www.10dacademy.com.

                        Outlook Web App and 2FA should keep your Exchange server secure, right? Think again.

                        10-D performs hundreds of penetration tests each year, so we see trends for weaknesses into customer networks. One of the more common weaknesses we currently see is a weakness with public facing Exchange servers. It is commonly perceived that if you lock down the Exchange Outlook Web App (OWA) login portal by denying most users access and enabling two-factor authentication for the others you will secure your Exchange server from attackers. Unfortunately, a service commonly enabled on many Exchange instances called Exchange Web Services (EWS) bypasses both of those controls. Simply put, EWS is a service that allows client devices to connect to the server to get email and other data. The vulnerability associated with this service is that an attacker can brute force logins and if successful, will be able to login to users email without two-factor authentication. This service can be disabled; however, that may cause a mutiny within your organization if users lose access to some of their data. 10-D Security doesn’t recommend a specific solution for this vulnerability as Exchange implementations vary greatly, but some options to consider for locking down this service would be as follows:

                        • Limit which users have access to the EWS service
                        • Limit which applications are allowed to access the EWS service
                        • Application Firewall/Reverse Proxy that can whitelist only valid EWS attempts
                        • VPN only access for email

                          Overnight File Maintenance Review

                          VP at a bank ($79MUSA)

                          Any other FIS Bankway banks out there? Curious to see what others are doing for overnight file maintenance reviews? The file is massive and our FDIC IT examiner wants a documented review of changes. Any one have any other reports that may help?

                            CBANC Premium - Workspace Tips

                            Manager at a Company (USA)

                            Here is a quick tutorial on how to add users to your CBANC Premium Workspace application. Workspace is a central source of truth for your policies, procedures, and other important documents. It also includes 25 policy & procedure checklists, updated by experts as regulations change, to help your team hit the ground running. Workspace is great for collaborating with your board of directors, impressing your examiners, and streamlining policy and procedure management. Works great on iPads without the need to download additional software and has bank-level security built in.

                              National Cybersecurity Awareness Month

                              It's National Cybersecurity Awareness Month (NCSAM) and the Department of Homeland Securty provides a free toolkit to businesses and individuals looking to stay safe online and increase everyone’s overall awareness of cyber-threats. Great information to share with employees and customers, alike. Check it out, https://www.dhs.gov/sites/default/files/publications/NCSAM_GeneralToolkit_final.pdf

                                Quarterly Firewall Reviews are a Requirement

                                For many companies there is only one device between their internal network and the whole wide world, AKA the Internet. This one device, called a firewall, is a key component in a secure architecture and it is often under managed. By that we mean the firewall is often not receiving the ongoing attention it deserves. The common issues we find with firewall configurations include:

                                1. Managed Firewalls: In today’s environments we often see the management of firewalls outsourced and all but forgotten about by the institution. Most managed service providers are not conducting independent reviews of the managed firewall configuration or rules as part of the service agreement. A misconfiguration or undesirable rule will still affect the institution regardless of who’s managing it.
                                2. Old Rules: Rules are usually added out of a need. This does not hold true for removing old and unneeded firewall rules. They tend to stay around.
                                3. Default Settings: You would think that in today’s world a new firewall would default to most secure. Well they don’t. By default, all traffic is generally allowed outbound. This is not a good idea for many reasons, but we find overly permissive outbound rulesets all the time.
                                4. Descriptions: The person adding a rule to a firewall knows why they are adding it, but 6 month later they may not remember and anyone else looking at the rule will not know the specific reason and history behind the rule. That is why every rule should have a comment or description with details about the rule. This will also help allow less technical staff to decipher the firewall configuration.
                                  FFIEC guidance calls for quarterly firewall policies audits or review. Significant network changes or rule changes may also warrant a firewall policy audit or review. NIST, PCI and HIPAA/HITECH have similar requirements as well.
                                  These firewall reviews do not need to be performed by an independent source and can be done internally. For those not comfortable with doing this internally or for those that would just like to have an extra set of eyes review their firewall let us know, we will be glad to help.

                                  Chrome safe browsing tips

                                  In an internet full of malicious actors and exploits around every corner, it is a good idea to protect yourself while browsing by using a few of Google Chrome’s plugins. These certain plugins will protect you from exploit kits, drive-by downloads, and malvertising to name a few. It is even possible to stop being tracked by websites to preserve your anonymity. There are numerous plugins for Chrome, but safe browsing should be the main priority.

                                  Here are the top 4 security plugins for Chrome:

                                  1. uBlock Origin – Adblocker for blocking ads of all kinds
                                  2. HTTPS Everywhere – Forces all sites to use HTTPS instead of HTTP, a much safer alternative
                                  3. Privacy Badger – Detects and blocks trackers from spying on you
                                  4. Flashcontrol – Disables Flash content, which is highly susceptible to exploitation

                                  With these plugins combined, it can create a more seamless internet browsing experience as well. Blocking ads, trackers, and Flash will have the benefit of a page loading faster and with less clutter. Ultimately, the crux of safe browsing comes down to not clicking on suspicious links or going to unknown websites. However, if you succumb to clicking on something dubious, these plugins should most help ease your mind knowing the attempt has been blocked. And don’t forget, never tread the wilds of the internet unprotected.

                                    Stuck in APCL

                                    News broke on Twitter at the start of this week that a currently unpatched privilege escalation bug was found in 64-bit versions of the Windows 10 and Windows Server 2016 operating systems.
                                    The bug itself is a part of the advanced local procedure call (APCL) of task scheduler and allows a malicious user to set a DACL (Discretionary access control list). The change of DACL will allow the user to set the security of a file in the C:\Windows\tasks path. Which means a malicious hard link can be inserted into this file, pointed at any read access file, and the DACL will perform a write. Which is simple terms means this allows any user regardless of permissions to call and set local file permissions to anything they like. Which most notable to the hacker includes higher privilege level files.

                                    What can I do until the patch?
                                    The best advice we can give is to keep an eye on your logs. The reason why is the POC (Proof of Concept) code released on GitHub used the Print Spooler Service. Thus, any activity tied to spoolsv.exe spawning processes you don’t expect could be an indication that someone is using an unedited version of the code released. Other services can be leveraged for the attack if the user is able to edit the code themselves so keep in mind this is a not a perfect way to detect the exploit, but one you should be mindful of.
                                    It was also noted that upon exploitation a Security event log called 4664 will be generated when the hard link is created in the task folder.

                                    Pay special attention to any Security Bulletins by Microsoft as they have acknowledged the exploit, so a fix is likely being worked on now. 10-D Security also wants to remind you that Privilege Escalation bugs are found frequently and pose serious risk to organizations. One way to help prevent the impact of such exploits is to practice good network segmentation. Segmentation helps create barriers, hampering an attacker, so that even if they can elevate their privilege level on a user’s system they will still have a difficult time using that access to compromise critical infrastructure.