TOPIC: Operations

Make Reconnaissance Harder for the Bad Guys

Before an attacker can attempt to gain access to a network, they must first identify the organization's resources that can be attacked. This is what we call the reconnaissance phase. During this phase, public data such as WHOIS records, domains, IP addresses, and email addresses is collected and documented to give the attacker a fingerprint of the organization and of what may be available to exploit.

Let's take a look at a few of the tools that we use during our reconnaissance phase:
  • DataSploit – Performs automated gathering of public data such as domains, email addresses and IP information, and consolidates the results.
  • DNSenum – Searches for host addresses, name servers, mail servers and subdomains related to a given domain.
  • Maltego – Visualizes open-source data and allows it to be queried further.
  • Hunter.io – A tool that scrapes a given website for email addresses.
Unfortunately, these tools (and others) greatly reduce the time needed to build a comprehensive picture of just about any organization. This also frees up time to work on other things…such as actually attacking your users and infrastructure.

Some basic things that you can do to reduce your online footprint are:
  1. Do not post a staff directory on your website. Such a list gives an attacker a set of email addresses to target with phishing campaigns. Generally, once a single address is found, the naming convention it reveals is enough to construct a list of further addresses to send phishing attacks to.
  2. Privatize WHOIS information. WHOIS records are usually correlated with the IP addresses used by an organization. A quick search of the ARIN database can provide an attacker with IP ranges to scan for open ports, which can in turn be checked for vulnerabilities.
  3. Remove vendor relationships from your website. Many companies show a list of vendors they work with or clients they support with their products. An attacker can use this information in future phishing emails to pose as someone already working with the organization.


Microsoft Security Configuration Framework for Windows 10 is a Hit

With Microsoft Windows 7 quickly approaching end of life, many organizations are starting the initial process of moving to Windows 10. Without a current deployment it can be difficult to create a standard build that meets your environment's needs for both security and productivity. Microsoft has addressed these concerns with the Security Configuration Framework for Windows 10. This framework, currently in beta, was created to assist companies deploying or migrating to Windows 10 in the enterprise by providing five levels of suggested configuration that balance security and productivity according to the user's job function. The five levels defined on the Microsoft site (https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework) are:

1. Enterprise security – Minimum-security configuration for an enterprise device. Recommendations for this security configuration level are generally straightforward and are designed to be deployable within 30 days.
2. Enterprise high security – Configuration for devices where users access sensitive or confidential information. Some of the controls may have an impact to app compatibility, and therefore will often go through an audit-configure-enforce workflow. Recommendations for this level are generally accessible to most organizations and are designed to be deployable within 90 days.
3. Enterprise VIP security – Configuration for devices run by an organization with a larger or more sophisticated security team, or for specific users or groups who are at uniquely high risk (for example, one organization identified users who handle data whose theft would directly and seriously impact their stock price). An organization likely to be targeted by well-funded and sophisticated adversaries should aspire to this configuration. Recommendations for this security configuration level can be complex (for example, removing local admin rights for some organizations can be a long project in and of itself) and can often go beyond 90 days.
4. DevOps workstation – Microsoft recommends this configuration for developers and testers, who are an attractive target both for supply chain attacks and credential theft attacks that attempt to gain access to servers and systems containing high-value data or where critical business functions could be disrupted. We (Microsoft) are still developing this guidance and will make another announcement as soon as it is ready.
5. Administrator workstation – Administrators (particularly of identity or security systems) face the highest risk, through data theft, data alteration, or service disruption. We (Microsoft) are still developing this guidance and will make another announcement as soon as it is ready.

If you are starting your migration process or deploying a new environment based on Microsoft Windows 10, this is a great tool to assist with your initial baseline configuration. We expect additional configuration options to come from this framework as it is tweaked and developed further.

The Inconvenience of Convenience - NFC Technology

This week's security tip reminds us that convenience can be fraught with pitfalls, and that the software and hardware we so readily rely upon as a society is by no means perfect, because it is designed and manufactured by the most imperfect thing in existence: us.

Researchers at Waseda University, Japan, recently published a report on the exploitation of the near field communication (NFC) technology provided with most smartphones sold today. You may recognize NFC as the technology behind everything from device-to-device data transfer to electronic payments à la Apple Pay, Android Pay, and Google Pay, used at gas stations across the country every second of every day.

The exploit is being called "Tap 'n Ghost", and Seita Maruyama demonstrated it at the 2019 IEEE Symposium using readily available hardware together with Bluetooth and Wi-Fi. Waseda's researchers were able to exploit NFC and capacitive touchscreen technology to emulate phantom and redirected screen taps and force a connection to an access point. That access point could then be used to allow further attacks aimed at gaining access to data or remote command and control of the device. The demonstrated scenario involved an unsuspecting smartphone user sitting at a restaurant table that had been modified with the attack hardware, which was then used to compromise the device.

Although the researchers provided countermeasure recommendations directly to many device manufacturers, at the time of this writing there were no immediate or clear responses or temporary security recommendations from those manufacturers. This author has disabled NFC on his Android device until further information is available.

If you are a bank supporting NFC payment options alongside your e-banking solution and you're wondering what to publish within your Customer Awareness Program pursuant to FFIEC II.C.16(a) guidelines, this would be a good one.

Would you like to know more about "Tap 'n Ghost"? https://www.youtube.com/watch?v=phuiwh7djQM

Cognos 11 Dashboarding (H360)

Employee at a bank ($1.8BUSA)
Would anyone using the dashboard feature in H360 be willing to share some knowledge with us? We're a hosted bank and haven't been able to find any good resources on dashboards in Cognos 11 except some basic beginner tutorial videos on YouTube.

Vendor Device (In)Security

Most IT environments have some sort of vendor-configured devices on them. From security cameras or copiers to core application servers, you probably have at least one device on your network that your vendor set up for you. Now, hopefully the solution they installed is working well…but is it secure?

We have the privilege of evaluating a lot of environments and have seen many well-designed vendor systems… and we have also seen some, well, not so well-designed systems. The problem is, many installation techs are primarily concerned with one thing: making it work as quickly as possible. Security is often an afterthought, if it is thought about at all.

Some unfortunate vendor-introduced security risks we have seen during security assessments:
• Security cameras accessible to the world without requiring a password
• Remote Desktop Protocol (RDP) allowed inbound directly to a Domain Controller
• A popular core vendor that set up a critical server with the C: drive shared (Read/Write) with Everyone
• Banks that could browse other banks' networks through vendor connections
The point is that any vendor, no matter how thorough, can sometimes slip up. Don't assume anything. At the end of the day, it is the institution's responsibility to ensure all systems are secure. This means proper vendor oversight. After selecting the right vendor, you should ask for documentation on how they hardened (i.e., secured) the system during installation. Additionally, make sure they provide good change logs so you know when they have made changes and can verify the changes didn't introduce new vulnerabilities.

Finally, your internal audit program (or independent IT auditor) should include not only reviews of documentation, but actual spot checks of vendor systems to make sure they are properly and securely configured.
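As an added example of the kind of spot check described above (this is not code from the original article), the PowerShell below, run elevated on a Windows server, flags two of the findings in the list: non-administrative shares writable by Everyone or Authenticated Users (a shared C: drive included) and enabled inbound firewall rules allowing RDP, while noting whether the host is a Domain Controller. It assumes Windows Server 2012 / Windows 8 or later so that the SmbShare and NetSecurity modules are available.

```powershell
# Added example, not from the original article: local spot check for two of the
# vendor-introduced findings listed above. Assumes Windows Server 2012 / Windows 8
# or later (SmbShare and NetSecurity modules) and an elevated PowerShell session.

# Is this host a Domain Controller? Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
$isDomainController = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

# Finding 1: non-administrative shares (names not ending in $) where Everyone or
# Authenticated Users is allowed Change or Full access. A shared C: drive shows up
# as a share whose Path is a drive root, flagged by IsDriveRoot.
$broadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users')
$riskyShares = foreach ($share in (Get-SmbShare | Where-Object { $_.Name -notlike '*$' })) {
    Get-SmbShareAccess -Name $share.Name |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccountName -in $broadPrincipals -and
            $_.AccessRight -in @('Change', 'Full')
        } |
        ForEach-Object {
            [pscustomobject]@{
                Share       = $share.Name
                Path        = $share.Path
                IsDriveRoot = [bool]($share.Path -match '^[A-Za-z]:\\?$')
                Principal   = $_.AccountName
                Right       = $_.AccessRight
            }
        }
}

# Finding 2: enabled inbound Allow rules for TCP 3389 (RDP). Rules whose LocalPort is
# 'Any' are not matched here and need a separate look. Any hit on a Domain Controller
# deserves scrutiny: RDP to a DC should come only from hardened admin hosts, if at all.
$rdpRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $_ | Get-NetFirewallPortFilter |
            Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '3389' }
    } |
    Select-Object DisplayName, Profile

# Report
"Domain Controller: $isDomainController"
if ($riskyShares) {
    "Shares granting broad write access:"
    $riskyShares | Format-Table -AutoSize
} else { "No non-administrative share grants Everyone/Authenticated Users write access." }
if ($rdpRules) {
    "Enabled inbound firewall rules allowing RDP (TCP 3389):"
    $rdpRules | Format-Table -AutoSize
} else { "No enabled inbound rule explicitly allows TCP 3389." }
```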

Operating Expense

COO at a credit union ($117MUSA)

We have begun using Visible Equity to create monthly reports. The reports include profitability by loan type and by loan officer. I have an overall operating expense, but I don't want to use this as I feel it will result in inaccurate data. My accountant has not provided a breakdown for loan types or officers. Does anyone have a formula they can share on how you're calculating the operating expense for those items?

Is it worth your reputation?

At 10-D Security we see a fair number of organizations where the Risk and Vendor Management programs aren't understood or don't get the attention they deserve. Combine those issues with weak BCP or incident response plans and training, and you have the conditions for a perfect storm. The whole point of these controls is to help the institution prepare for the day when things just go bad.

Sometimes the guidance provided by regulators seems like mindless oversight and busywork to comply with regulations, but these areas of concern under the Information Security Program are not to be trivialized and can be as important as physical security. The wealth is in the information, not in the cash drawer. That's not to say physical security is unimportant, but failure to implement and follow good vendor and risk management controls can increase potential harm to customers or reputational harm to the institution.

A recent incident in which a large IT support vendor was breached resulted in that vendor's customers being targeted by the attackers. If this were to occur at one of your critical vendors, would they be contractually obligated to notify you, and if they did, would your Incident Response Plan be useful in responding to the situation? Review your Vendor Management Program to ensure critical vendors are contractually accountable for responding to and quickly communicating a security incident, and that your Incident Response Plan is similarly complete. [For more info on the alleged breach, visit https://krebsonsecurity.com/2019/04/experts-breach-at-it-outsourcing-giant-wipro/]

If your institution needs assistance in these areas, visit the 10-D Security website, including our Certified Banking ISO classes (https://10dsecurity.com/10-d-academy/). Our sister company, Applied Compliance Services, provides virtual Information Security Officer services or can provide a complete overhaul of your Information Security Program to match regulatory guidance and best practices. Let us know how we can assist you.

Managing Construction Loan Payments

VP at a bank ($241MUSA)
How do other banks manage customers making principal payments on interest-only construction loans? Do you prepay interest, which creates negative interest, or do you allow your customers to reduce principal, which may impact the permanent loan at conversion? Do you impose a prepayment penalty?

Any help is appreciated!