TOPIC: IT

Microsoft Security Configuration Framework for Windows 10 is a Hit

With Microsoft Windows 7 quickly approaching end of life many organizations are starting the initial process of moving to Windows 10.  Without a current deployment it can be difficult to create a standard deployment that meets the needs of your environment for both security and productivity.  Microsoft has addressed these concerns and created the Security Configuration Framework for Windows 10.  This framework, currently in beta, was created to assist companies that are deploying or migrating to a Windows 10 environment in the enterprise by providing five (5) levels of suggested configuration to balance the need for security and productivity based on the user’s job function.  The five levels defined on the Microsoft site (https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework) are:

  1. Enterprise security – Minimum-security configuration for an enterprise device.  Recommendations for this security configuration level are generally straightforward and are designed to be deployable within 30 days.
  2. Enterprise high security – Configuration for devices where users access sensitive or confidential information.  Some of the controls may have an impact to app compatibility, and therefore will often go through an audit-configure-enforce workflow.  Recommendations for this level are generally accessible to most organizations and are designed to be deployable within 90 days.
  3. Enterprise VIP security – Configuration for devices run by an organization with a larger or more sophisticated security team, or for specific users or groups who are at uniquely high risk (for example, one organization identified users who handle data whose theft would directly and seriously impact their stock price).  An organization likely to be targeted by well-funded and sophisticated adversaries should aspire to this configuration.  Recommendations for this security configuration level can be complex (for example, removing local admin rights for some organizations can be a long project in and of itself) and can often go beyond 90 days.
  4. DevOps workstation – Microsoft recommends this configuration for developers and testers, who are an attractive target both for supply chain attacks and credential theft attacks that attempt to gain access to servers and systems containing high-value data or where critical business functions could be disrupted. We (Microsoft) are still developing this guidance and will make another announcement as soon as it is ready.
  5. Administrator workstation – Administrators (particularly of identity or security systems) face the highest risk, through data theft, data alteration, or service disruption. We (Microsoft) are still developing this guidance and will make another announcement as soon as it is ready.

If you are starting your migration process or deploying a new environment based on Microsoft Windows 10, this is a great tool to assist with your initial baseline configuration.  We expect to see additional configuration and options come from this framework as it receives further tweaks and development.

The Inconvenience of Convenience - NFC Technology

This week’s security tip reminds us that convenience can be fraught with pitfalls, and that the software and hardware we so readily rely upon as a society are by no means perfect.  Because they’re designed and manufactured by the most imperfect thing in existence: us.

Researchers at Waseda University, Japan, recently published a report on the exploitation of the near field communication (NFC) technology provided with most smartphones sold today.  You may recognize NFC technology as being used for everything from device-to-device data transfer to electronic payments à la Apple Pay, Android Pay, and Google Pay, used at gas stations across the country every second of every day.

The exploit is being called “Tap ‘n Ghost”, and Seita Maruyama demonstrated it at the 2019 IEEE Symposium using readily available hardware together with Bluetooth and Wi-Fi technologies.  Waseda’s researchers were able to exploit NFC and capacitive touchscreen technology to emulate phantom and redirected screen taps and force a connection to an access point.  The access point could then be used to allow further attacks with the intent of gaining access to data or remote command and control of the device.  The scenario included an unknowing smartphone user sitting at a restaurant table that had been modified with the hacking technology, which was then used to compromise the device.

Although the researchers provided countermeasure recommendations directly to many device manufacturers, at the time of this writing there were no immediate or clear responses or temporary security recommendations from those manufacturers.  This author has disabled NFC on his Android device until further information is available.

If you are a bank supporting NFC payment options alongside your e-banking solution and you’re wondering what to publish within your Customer Awareness Program pursuant to FFIEC II.C.16(a) guidelines, this would be a good one.

Would you like to know more about “Tap ‘n Ghost”?  https://www.youtube.com/watch?v=phuiwh7djQM

Vendor Device (In)Security

Most IT environments have some sort of vendor-configured devices on them.  From security cameras or copiers to core application servers, you probably have at least one device on your network that your vendor set up for you.  Now, hopefully the solution they installed is working well… but is it secure?

We have the privilege of evaluating a lot of environments and have seen many well-designed vendor systems… and we have also seen some, well, not so well-designed systems.  The problem is, many installation techs are primarily concerned with one thing: making it work as quickly as possible.  Security is often an afterthought, if it is thought about at all.

Some unfortunate vendor-introduced security risks we have seen during security assessments:
• Security cameras accessible to the world without requiring a password
• Remote Desktop Protocol (RDP) allowed inbound directly to a Domain Controller
• A popular core vendor that set up a critical server with the C: drive shared (Read/Write) with Everyone
• Banks that could browse other banks’ networks through vendor connections

The point is that any vendor, no matter how thorough, can sometimes slip up.  Don’t assume anything.  At the end of the day, it is the institution’s responsibility to ensure all systems are secure.  This means proper vendor oversight.  After selecting the right vendor, you should ask for documentation on how they hardened (i.e., secured) the system during installation.  Additionally, make sure they provide good change logs so you know when they have made changes and can verify the changes didn’t introduce new vulnerabilities.

Finally, your internal audit program (or independent IT auditor) should include not only reviews of documentation, but actual spot checks of vendor systems to make sure they are properly and securely configured.
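As an added example of the kind of spot check the last paragraph calls for (not part of the original tip), this PowerShell script looks for two of the vendor mistakes listed above on the server it runs on: non-administrative shares that hand broad groups Change or Full access, and an RDP listener on a machine that turns out to be a domain controller. It assumes Windows Server 2012 R2 or later (SmbShare and NetSecurity modules) and an elevated session; the group list and the drive-share regex are assumptions.

```powershell
# Added example, not part of the original tip. Run locally on the server in
# question (or via Invoke-Command) in an elevated session.

# Non-administrative shares that grant broad groups Change/Full access,
# the "C: drive shared Read/Write with Everyone" case from the list above.
function Get-WideOpenShare {
    $broadGroups = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'   # assumption
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $_.AccessRight -in 'Full', 'Change' -and
                           $_.AccountName -in $broadGroups } |
            ForEach-Object {
                [pscustomobject]@{
                    Share      = $share.Name
                    Path       = $share.Path
                    Principal  = $_.AccountName
                    Right      = $_.AccessRight
                    WholeDrive = ($share.Path -match '^[A-Z]:\\?$')   # root of a drive shared out
                }
            }
    }
}

# RDP posture: is it enabled, is NLA required, is the inbound rule open,
# and is this host a domain controller?
function Get-RdpExposure {
    $ts   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $rule = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
            Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $role = (Get-CimInstance Win32_ComputerSystem).DomainRole
    [pscustomobject]@{
        RdpEnabled         = ($ts.fDenyTSConnections -eq 0)
        NlaRequired        = ($tcp.UserAuthentication -eq 1)
        InboundRuleEnabled = [bool]$rule
        IsDomainController = ($role -ge 4)
    }
}

$rdp = Get-RdpExposure
$rdp | Format-List
if ($rdp.IsDomainController -and $rdp.RdpEnabled -and $rdp.InboundRuleEnabled) {
    Write-Warning 'RDP is reachable on a domain controller; restrict it to a jump host or disable it.'
}
Get-WideOpenShare | Format-Table -AutoSize
```

To run it against a vendor-managed server from your admin workstation, save it as a file and use `Invoke-Command -ComputerName <server> -FilePath .\VendorSpotCheck.ps1`.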

Living off the Land - WST

Many malicious users try to fly under the radar by using built-in system commands, or “living off the land” as it’s often called.  Built-in system commands typically don’t look out of the norm and allow the malicious user to perform tasks such as domain enumeration, loading malicious code using a scheduled task, starting remote processes, and more.

Figure 1: user enumeration using system commands

By default, these commands are not logged on Windows hosts; however, logging can be enabled.  Once enabled, you can go a step further and forward these logs into your central logging or SIEM (i.e., Security Information and Event Management) solution for additional parsing and alerting.

Figure 2: Event Viewer showing command line usage

To enable this, edit the following GPO or registry settings.  For additional information, visit the following Microsoft article: https://devblogs.microsoft.com/commandline/how-to-determine-what-just-ran-on-windows-console/

  1. Enable the Audit Process Creation audit policy so that 4688 events are generated by editing the following GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Detailed Tracking
  2. Enable the Include command line in process creation events setting by editing the following GPO: Computer Configuration\Administrative Templates\System\Audit Process Creation.  Or enable it on the local system by editing the local registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ProcessCreationIncludeCmdLine_Enabled and setting it to “1”.

Authored by - Brian Hitchcock CISSP, OSCP, PCNSE, ACCP
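As an added example (not from the original tip or the linked Microsoft article), this PowerShell script applies the two local settings above and then triages the resulting 4688 events for the three command categories the tip names. The detection patterns and the sample command lines are constructed assumptions for illustration; run it in an elevated session.

```powershell
# Added example, not from the original tip. Part 1 applies the local settings
# described above; part 2 triages 4688 events. Run in an elevated session.

# --- Part 1: enable process-creation auditing with command lines (local host) ---
function Enable-CommandLineAuditing {
    # Same subcategory as the "Detailed Tracking" GPO path in the tip.
    auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
    # Same registry value the tip sets to 1.
    $key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord
}

# --- Part 2: illustrative rules (an assumption) for the categories the tip lists ---
$LolRules = @(
    @{ Category = 'Domain enumeration';   Pattern = '\bnet1?(\.exe)?"?\s+(user|group|localgroup)\b.*/domain|\bnltest(\.exe)?"?\s|\bdsquery(\.exe)?"?\s' }
    @{ Category = 'Scheduled task';       Pattern = '\bschtasks(\.exe)?"?\s+/create\b' }
    @{ Category = 'Remote process start'; Pattern = '\bwmic(\.exe)?"?\s.*\bprocess\s+call\s+create\b|\bpsexec' }
)

# Return the first matching category for a command line, or $null if nothing matched.
function Get-LolCategory([string]$CommandLine) {
    foreach ($rule in $LolRules) {
        if ($CommandLine -match $rule.Pattern) { return $rule.Category }   # -match is case-insensitive
    }
    return $null
}

# Pull SubjectUserName / CommandLine out of a 4688 record (Get-WinEvent output) and flag it.
function Find-LolProcessEvent {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $cat = Get-LolCategory $data['CommandLine']
        if ($cat) {
            [pscustomobject]@{ Time = $Record.TimeCreated; User = $data['SubjectUserName']
                               Category = $cat; CommandLine = $data['CommandLine'] }
        }
    }
}

# Constructed sample command lines, shaped like the CommandLine field of a 4688 event.
$SampleCommandLines = @(
    'C:\Windows\system32\net1 user /domain',
    '"C:\Windows\system32\schtasks.exe" /create /tn Updater /tr C:\Users\Public\u.exe /sc minute',
    'wmic /node:FS01 process call create "cmd.exe /c whoami"',
    '"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n'
)
$SampleCommandLines | ForEach-Object {
    [pscustomobject]@{ Category = Get-LolCategory $_; CommandLine = $_ }
} | Format-Table -AutoSize

# Against the live Security log once Part 1 has been applied:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5000 | Find-LolProcessEvent
```

The same field extraction works on events forwarded to a collector, so the rules can be carried over to the SIEM the tip mentions rather than run host by host.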

Take my Credentials Please

Server Message Block (SMB) is the network sharing protocol commonly used in organizations to allow systems within the same network to share files.  SMB requires port 139 or 445 to be open to communicate with other systems.  One way an attacker can take advantage of this protocol is if an organization’s outbound SMB traffic is not blocked at the firewall.  An attacker can send an email containing links to a resource such as an image on a remote server.  If a user clicks the link, the Windows workstation will try to authenticate to the remote share and send your encrypted credentials to the remote server.  After this happens, an attacker can attempt to crack the encryption using readily available tools on the internet and collect the credentials.  At this point it’s simply a matter of time before a persistent attacker finds a place on your network to use these credentials for further attacks.  SMB security best practice is to block all versions of SMB at the network boundary by blocking TCP ports 139 and 445 plus the related UDP ports (137 and 138) on boundary devices.  Link to CISA best practices:
https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices
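As an added example (not from the original tip or the CISA page), this PowerShell script checks from a workstation whether the boundary block on the ports above is actually in effect, and adds a host-firewall backstop for laptops that leave the network. It assumes Windows 8.1 / Server 2012 R2 or later and an elevated session; 203.0.113.10 is a placeholder from the TEST-NET-3 documentation range, and the use of the firewall's Internet address keyword is an assumption about your environment.

```powershell
# Added example, not from the original tip. Part 1 tests the boundary block;
# part 2 adds a host-based outbound block as a second layer.
# 203.0.113.10 is a placeholder: replace it with a host you control outside
# the network boundary.

# Part 1: attempt TCP 139 and 445 to an external host. With the boundary
# block in place both attempts fail (TcpTestSucceeded = False).
function Test-SmbEgress {
    param([string]$ExternalHost = '203.0.113.10')   # placeholder address
    foreach ($port in 139, 445) {
        $r = Test-NetConnection -ComputerName $ExternalHost -Port $port -WarningAction SilentlyContinue
        $verdict = if ($r.TcpTestSucceeded) { 'SMB EGRESS OPEN - fix the boundary rule' } else { 'blocked' }
        [pscustomobject]@{ Port = $port; Reachable = $r.TcpTestSucceeded; Verdict = $verdict }
    }
}

# Part 2: host firewall backstop for the same ports the tip lists
# (TCP 139/445, UDP 137/138). The 'Internet' keyword matches any address
# Windows does not classify as part of the local network, so intranet file
# shares keep working (assumption: that classification fits your network).
function Add-SmbEgressBlock {
    New-NetFirewallRule -DisplayName 'Block outbound SMB (TCP 139,445)' -Direction Outbound `
        -Action Block -Protocol TCP -RemotePort 139, 445 -RemoteAddress Internet -Profile Any
    New-NetFirewallRule -DisplayName 'Block outbound NetBIOS (UDP 137,138)' -Direction Outbound `
        -Action Block -Protocol UDP -RemotePort 137, 138 -RemoteAddress Internet -Profile Any
}

Test-SmbEgress | Format-Table -AutoSize
```

Test-NetConnection cannot exercise the UDP ports, so UDP 137/138 still needs to be confirmed from the boundary device's own rule set or logs.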

Training Users on Password Management

Passwords are the bane of our existence, and with the number of logins required by employees to do their jobs, it can be overwhelming.  While institutions are training their users on creating strong passwords, are any training their users on how to manage them?  Using a unique, memorable passphrase for each login would be ideal; however, remembering all those phrases or passwords gets difficult after a while.  Users will likely want to either reuse their passwords or write them down somewhere.

Training users to use a password manager such as KeePass, LastPass, or 1Password will hopefully get them to store their passwords in a place that is encrypted while not in use.  Additionally, solutions such as these come with a password generator, allowing users to create extremely difficult-to-crack passwords at the push of a button.  All a user would have to remember would be their domain password and the master password to unlock their vault.  This would be a vastly superior solution to, say, an unencrypted Excel spreadsheet saved to a user’s Documents folder.

New CBANC member benefit: CBANC Network announces the acquisition of Lendwell

We are pleased to announce a new benefit for the CBANC community.  We’ve acquired Lendwell, a mortgage settlement services provider used by hundreds of small- and mid-sized FIs.

Our acquisition of Lendwell is the next step in our strategy of unlocking the power of cooperation and the collective purchasing power of thousands of financial institutions within the CBANC Network.  The Lendwell platform will help our network members reduce the cost of lending operations while improving their ability to serve their customers.

FIs can expect to save up to two hours of time per mortgage file and 15-20% on services like AVMs, property assessments, flood certifications and many others.  Best of all, there’s no up-front fee for CBANC members, and it’ll take about half an hour to get up and running with Lendwell.

Learn more and start the sign-up process at www.cbancnetwork.com/lendwell

How many different programs or services do you currently use in your Mortgage Loan or HELOC process?  More than two?

You should take a look at our partners at Lendwell.  You could get everything from:
• Automated Valuation Models
• Closing Services
• Document Preparation
• Flood Determination
• Legal & Vesting Reporting
• Lien Protection
• Property Appraisals
• Property Condition Reports
• Property Reports
• Title Insurance

Get everything you need in one place.  See more about Lendwell and download our attachment.

Who’s Watching the Watchers?

In a world where everything is connected to the internet through the likes of IoT (Internet of Things) devices, exploits and vulnerabilities abound.  For the most part, these IoT devices lack the secure coding practices and security hardening that most well-known products implement.  The focus is on convenience rather than security, which leads to numerous exploits being found on these remote devices.  The remotely controlled video camera in the office, or the one facing outside, could have lurkers watching from another continent, gaining intelligence on someone they’re trying to target.  Or, if the devices aren’t segmented properly, these exploits could lead to further escalation into your network and ransomware across all your files.  Unsecured IoT devices provide an abundance of problems.

The best way to secure yourself is to keep these IoT devices off your network and to buy from a trusted vendor whose products have been checked for security vulnerabilities and exploits.  If not, you may have someone from across the world watching your every move.

Microsoft Security Update Guide

As most of you already know, Microsoft has been releasing Windows cumulative monthly updates for some time now.  Each of these updates (generally) includes relevant security updates from previous releases, making the installation process simpler.  Apply the most recent cumulative updates for your Microsoft software, and you should be in pretty good shape.

The downside to this approach is that each update addresses multiple issues, and after applying the patch there may be additional action needed (i.e., a registry key, GPO setting, etc.).  So how is a careful administrator supposed to find out what may be needed after the patch is “installed”?

Microsoft has several update information resources, but the most concise place we have found to see the security implications of a particular patch, and any additional actions needed, is the Microsoft Security Update Guide (https://portal.msrc.microsoft.com/en-us/security-guidance).  Here you can look up individual updates, CVEs, or products.  A nice section called “Release Notes” will tell you about the important patches for any given month, showing the products needing updates and links, and most importantly, recent Release Note documents now indicate which CVEs or advisories may need additional scrutiny.  Items with asterisks (*) link to additional information on registry keys or changed functionality.  This information is incredibly hard to find via other Microsoft support resources.

Consider bookmarking this page and regularly reviewing the monthly update summaries.  This should help keep you up to date on the latest patches and can key you in on updates that might require you to read the “fine print”.

Penetration Testing – What Kind Should You Get?

There are different types of penetration tests that can be performed, depending on the threat being simulated.  A “no knowledge” penetration test, with the tester starting outside the institution’s environment, is performed as a “real world” attack on a network and may involve port scans, exploits of vulnerabilities, and social engineering tactics.  A penetration test can also start with the tester given access to the institution’s internal network, and a third type of test can strictly target the institution’s wireless networks.

Which test should be performed depends entirely on the institution’s needs and should be targeted to accomplish the intended goals.  But making sure you get a worthwhile test comes down to knowing what is generally recognized as a true penetration test, and not just an enhanced vulnerability scan.

For more details on the different types of penetration tests, the associated methodologies, and reasons why you might want to conduct one or more of the tests, see our comprehensive blog post located at https://10dsecurity.com/penetration-testing-what-kind-should-you-get/, or you can download it below.

Why you should consider Ad Blockers

Many websites use advertisements to help supplement the cost of creating new content and hosting the site itself, and to generate revenue.  Many site owners utilize various ad platforms to load ads onto their websites.  However, bad actors have been known to abuse these platforms to direct users to malicious websites or to download malicious content.  This is known as “malvertising”.  A seemingly innocuous ad could lead a user to a drive-by download or load malicious code from a compromised website.

Reputable ad blockers such as uBlock Origin and AdBlock Plus allow users to stop ads from loading on websites (as well as whitelist specific sites if desired).  These programs usually take the form of browser plugins.  Additionally, ad blockers may also offer the ability to import blacklists, which are lists of known bad domains or ad platforms with poor reputations.  This can increase your security when browsing by stopping traffic before it reaches a malicious website.

If you haven’t used an ad blocker before, try one out in your favorite browser and enjoy a cleaner, safer browsing experience.

Local Administrator Password Solution (LAPS)

Local Administrator Password Solution (LAPS) addresses the basic issue where the same local administrator accounts are used on all hosts throughout the organization, leaving them susceptible to “Pass-the-Hash” and credential re-use attacks.  LAPS does this by leveraging a combination of an application installed on a Domain Controller, Active Directory (AD) templates, and PowerShell modules.  The LAPS password is stored in the ms-Mcs-AdmPwd AD attribute associated with the domain computer.  LAPS credentials are also passed using Kerberos encryption by default.  Additional benefits include automated rotation of the admin password and, if the administrator deems it appropriate, delegated access to the password, such as for help desk staff.  Another practical example would be allowing a user access to an elevated account when they are in a bind, without compromising the local password (e.g., the user is out of the office and unable to access the VPN because a corrupt VPN client installation requires re-installation with elevated credentials).  Then, after network connectivity is restored, the LAPS password can be changed automatically once Group Policy updates, or via PowerShell.

To read more about LAPS and to download all the associated components and documentation, check out this TechNet article.
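As an added example (not from the original tip or Microsoft's LAPS documentation), the delegation, read and rotation steps described above, using the AdmPwd.PS module that ships with LAPS. The OU, group and computer names are hypothetical; it assumes the AD schema has already been extended and the LAPS GPO and client-side extension are deployed, and that the caller has rights on the OU.

```powershell
# Added example, not from the original tip. Names below are hypothetical;
# run as an account with delegation rights on the OU.
Import-Module AdmPwd.PS

$ou = 'OU=Workstations,DC=corp,DC=example'      # hypothetical OU

# 1. Computers in the OU may write their own ms-Mcs-AdmPwd and expiry attributes.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 2. Delegate: help desk may read the password, desktop admins may force a reset
#    (the "access where appropriate" case the tip describes).
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals 'CORP\HelpDesk'        # hypothetical group
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals 'CORP\DesktopAdmins'   # hypothetical group

# 3. Log every read of the attribute (Security event 4662) so access is reviewable.
Set-AdmPwdAuditing -OrgUnit $ou -AuditedPrincipals 'Everyone'

# 4. Review who already holds read rights in the OU; anything beyond the groups
#    above and Domain Admins is over-delegation worth removing.
Find-AdmPwdExtendedRights -Identity $ou |
    Select-Object ObjectDN, ExtendedRightHolders | Format-List

# 5. The "user in a bind" case: retrieve the current password for one host...
$computer = 'WS-1234'                            # hypothetical computer name
Get-AdmPwdPassword -ComputerName $computer |
    Select-Object ComputerName, Password, ExpirationTimestamp

# 6. ...and once the machine is back on the network, expire that password now so
#    the client rotates it at its next Group Policy refresh.
Reset-AdmPwdPassword -ComputerName $computer -WhenEffective (Get-Date)
```

Step 6 only sets the expiration timestamp in AD; the new password is generated by the client-side extension on the workstation when Group Policy next applies.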

Are you prepared for the EOL Shockwave?

Often, we take software that seems to have ‘always been there’ for granted, until suddenly it’s not supported.  At other times, ‘must have’ software fades into obscurity as it’s gradually replaced by alternatives.  Either way, you should be prepared for an End of Life (EOL) announcement just as much as you should for important software update announcements.

This week it’s an announcement by Adobe.  They have announced the EOL for Adobe Shockwave on April 9th, with extended support only for Enterprise customers.  This also means anyone who continues to use the software after April 9th is assuming a security risk, because Shockwave will no longer be supported with security updates.

This is a great example of a piece of software that likely remains installed, albeit unused, by many users.  Staying informed about software updates is important to alleviate potential security risks; you should also stay informed of End of Life announcements.  Take a moment to see if it’s installed in the environment you maintain.  If you are using Shockwave, find a supported alternative soon.  If you don’t use this software, uninstall it.