TOPIC: Information Security

Infosec Blocking and Tackling

Global tensions are nothing new.  Recent events in the Middle East prompted warnings in many industries, reminding everyone that adversaries have targeted US infrastructure in the past, and may do so again.  In any conflict, hot or cold, a country’s financial infrastructure becomes a primary target.  Iranian actors targeted US financial institutions in a series of high-profile attacks in 2011-2013.  Russian assets have attacked banks in Ukraine several times since hostilities between the two countries began in 2014.  The hard truth is that banks are a strategic target, which makes the generic “threats” in our risk assessments all too real.

At 10-D Security, we have long encouraged our clients to focus on the basics - what many of our auditors refer to as security “blocking and tackling.”  While attackers can, and sometimes do, employ complex “0-day” exploits, the much more common attacks are the same ones we have seen for years: phishing, malicious attachments, social engineering tactics, and exploitation of common misconfigurations.  The good news is that basic defensive controls, done right, can make all the difference.

For example, the concept of “least privilege” has been around for a long time.  In theory, the concept is simple: only give users access to what is needed for their job function, and nothing else.  When done properly, this helps defend against a myriad of Bad Things™:
  • Limiting user privileges on workstations can stop most malware from working, and make other tools used by attackers much harder to run.
  • Restricting network shares a user can access can severely limit the effects of ransomware attacks.
  • Restricting users from running scripts, macros, and other executables that are not needed can make many malicious payloads used in phishing attacks ineffective.
  • Help desk, network administrators, and other IT staff should not use their admin-level accounts for daily activities.  It is harder for an attacker to find and attack these accounts if their use is limited.

At a minimum, make sure you have done the following in your environment:
  • Employee daily user accounts should never have administrative rights to their local workstations.  Full stop.  Software vendors may argue their software “needs admin rights to work” until the cows come home, but the simple fact is that there are so many workarounds for this problem in modern operating systems that there just isn’t any excuse anymore.  Microsoft has for many years considered it a serious bug for a program to require that users have local administrative access in order to run.
  • Use departmental network shares and limit access to these shares based on user groups mapped to job functions.  Tellers probably don’t need access to the lending share, HR doesn’t need to see the IT department’s data, etc.
  • Users shouldn’t be able to run scripts, such as VBS, JavaScript, HTA, and others.  A simple fix for this is to use Group Policy to associate these file types with Notepad.  When users try to open them, they will just open in an editor, not execute.  Group Policy can also restrict macros in Microsoft Office documents.
  • Network administrators should never have their daily account in a privileged group, like local or domain administrators.  When using email, researching problems, or working a ticket system, elevated privileges are not needed, and can be dangerous if they hit a malicious post in a tech forum, for instance.  Admin credentials should only be entered when needed to run a tool or perform a management task.

Over the next several weeks, we will be covering more of these basics, focusing on how these principles are applied in real-life environments.  From vulnerability management, to incident response, and others, we hope each topic will provide some advice that will help make everyone’s organization just a little bit more secure.

    Thank you!

    We’d like to thank you for your ongoing support of our Weekly Security Tips!  Many of you send us great topic suggestions week in and week out, the source of our inspiration for many of the tips each year!  As we move into a new decade, we want to show our appreciation and understand you are the reason the tips will continue for years to come!
    Next week, look for our annual checklist, updated for 2020 and know 10-D is here to help in any way we can.  If there are others who you feel would benefit from our tips, please share the sign-up link on our website,  https://10dsecurity.com/weekly-security-tip-wst-sign-up/ .

      Banking-Specific Information Security Officer Training

      Our 2020 schedule is out! This one-of-a-kind course was developed by industry experts, former examiners, and CISSP professionals to share the wealth of knowledge and insight accumulated from years on the banking side, the cybersecurity side, and the regulatory side. Your ISO leaves with the tools to secure your network, bringing you peace of mind. Plus, the opportunity to become a Certified Banking Information Security Officer (CBISO). The training meets FFIEC annual training requirements. Dates and locations of the training are at www.10dacademy.com.

        Airport OPSEC

        Wikipedia defines operations security (OPSEC) as a process that identifies critical information to determine if friendly actions can be observed by enemy intelligence, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information.  Put more simply, keep important stuff protected from prying eyes.  Loose lips might sink ships.

        Next time you’re at the airport, pay attention to all those road warriors working away on their laptops, totally oblivious to everyone around them.  Now, take a moment to actually look at what’s on their screen.  Often, it’s sensitive company material, or even customer nonpublic information.  When working at the airport, position yourself to allow the most privacy, or consider just not working if it’s too crowded.

        If connecting to public wi-fi at the airport, jump on the company VPN as soon as possible to help protect your communications.  Avoid public wi-fi altogether by using a cellular hotspot if you have one as it’s private, and usually better than the janky public wi-fi wherever you are.  

        So now you have tips for protecting important info when in public spaces, also don’t forget to protect yourself so your health doesn’t get compromised - make sure you travel with hand sanitizer and wet wipes!

          Firewall Management Basics

          Bottom line…firewalls can be complicated.  Even in simple environments, keeping track of the rules, objects, policies, settings, etc. can seem overwhelming.  Unfortunately, misconfigured firewall rules can be detrimental to the health and security of your network.  This is why FFIEC guidance (and general best practice) is to perform regular reviews of your firewall configurations.  The good news is that applying some basic principles to your firewall management can go a long way.  Here are some best practices to help start with a secure configuration, and keep it that way:

          • Establish a routine for checking and applying security-related firmware updates.  The “security-related” part is important, as not every firmware update contains vulnerability fixes.  Also, you don’t need to be on the latest greatest firmware to be sufficiently up to date.  Many firewall vendors have multiple versions or “forks” that they keep updated at the same time.  If you are on the latest supported 6.x version, you may not need to be on the 7.x version number.  As long as your firmware is currently supported and doesn’t contain unpatched security vulnerabilities, you are probably fine.
          • At their simplest, firewalls play traffic cop, using a list of rules to either allow or disallow traffic between systems or networks.  To be effective, firewall rules should restrict traffic to only what is needed for functionality.  Most firewall rules follow the model “Let this system (source) talk to this system (destination) over this port (service).”  Wherever possible, each of those three items should be specific, and not “Any.”
          • Use comments!  Most firewalls allow you to add notes or comments to each rule or object, so you can document when it was created, why, and by whom.  This helps immensely when, a year later, you are looking at the rules and don’t remember why one was created.  Who did this?  Was it a test?  Is it still needed?
          • Have a change control/logging process.  We know…change control is a hated subject!  The process can be as simple as an email chain describing what is about to be changed and why, or a formal ticket system with approvals.  Whatever process you choose, it should include keeping a log of what was changed on the firewall, why, and ideally allow key stakeholders to ask questions.  This is critically important for firewalls managed by vendors.  You don’t want a helpdesk tech to create a rule to solve a problem that opens a much bigger hole in your perimeter than is needed.

            If Antivirus alerts, and nobody is around to hear it…does it make a sound?

            It may not make a sound (depending on your desktop notification settings) but the danger is very real.  Antivirus (AV), or more generally, antimalware controls, have been around for a long time.  They are an imperfect, but important, layer of your defense-in-depth.  The problem is that they are still misunderstood in many cases.  Antivirus marketing, with all of the AI, machine learning, mesh…whatever, makes it sound like the software will catch everything and you can rest easy, knowing that your AV software sees all.  That is unfortunately not the case.  What antimalware can do for you, however, is make noise.  Endpoint antivirus is like the proverbial tripwire with cans strung along it.  It won’t stop an intruder, but it can let you know someone is up to no good.  Many times, during Penetration Tests, our initial payloads are not caught, but the fancy hacker tools we attempt to utilize to further our access DO get caught.  So, monitoring antivirus alerts is essential.  Even more essential is not assuming that because something is quarantined, that is all there is, because malware is complex and sometimes only one module gets removed, leaving the rest untouched.  Bottom line: always assume that your antivirus only alerted on part of the threat.  All alerts need to be carefully followed up on, and when in doubt, the affected system should be reimaged.  Better safe than sorry.

              The Insider Threat

              We are often asked why some internal security controls are needed, like blocking USB thumb drive access, public webmail like Gmail, and file sharing websites.  Some statements we have heard when we demonstrate sensitive data that COULD be accessed and taken by employees:
              • “Our users wouldn’t know how to do that.”
              • “I know everyone at the company personally and they wouldn’t do that.”
              • “We wouldn’t have hired them if we didn’t trust them.”
              The reality is you never know who or when a trusted person is going to act maliciously and do things they may have never done before.  With the ability to use a USB drive or upload to a cloud storage site, users can steal any internal data they can access.  File share access controls are an important control to limit employee access to only what they need to perform their duties.  Not all insider threats are due to a malicious employee.  If someone plugs in a USB thumb drive that they found in the parking lot and you lack controls to block such access, you are in for a bad day.  So, keep those internal controls in place and understand there is more than one reason to do so.

                Ncontracts November Webinar - On Guard: Strengthening Risk Assessments in Key Areas of Regulatory Scrutiny 11/25/19 @ 3:00 PM ET

                Register Now!

                Financial institutions are tasked with keeping consumers and the banking system safe. That includes regular risk assessments identifying, assessing, measuring, mitigating, and monitoring risk in areas like information security, Gramm-Leach-Bliley, ACH, Bank Secrecy Act/Anti-Money Laundering, and identity theft.

                What does an effective risk assessment of these areas look like and how can an institution ensure risk is properly managed at all levels? Join Ncontracts’ Michael Carpenter and Ann Davidson from Allied Solutions as they discuss best practices for:
                • Recognizing hot risk areas and common oversights
                • Making data-driven risk decisions
                • Differentiating between controls and scoring
                • Understanding the relationship between risks and goals
                • Effectively communicating internally to understand risk tolerances
                • Managing risks vs. managing tasks
                Don’t miss this opportunity to gain insights into shoring up risk management in areas of increased regulatory scrutiny and determine how your institution’s risk assessments compare with industry ideals.

                Sign Up Today!

                  Firewall Management Console Access

                  Having your perimeter security managed by a third-party Managed Service Provider (MSP) lets institutions have trained professionals handling their first line of defense without retaining someone full time.  Using an MSP also allows for the potential of 24/7 support with monitoring and alerting, which are very time-consuming endeavors for a small team or one person to accomplish internally.  Firewalls and other perimeter devices are primarily managed via HTTPS and SSH ports.  When doing firewall reviews and IT audits, 10-D Security frequently sees rules that allow management traffic from a source of “Any,” which means that the management login portal is accessible to any IP address in the world!  Ultimately, the firewall should be configured to allow management traffic ONLY from the MSP.  Strong passwords and multi-factor authentication should also be used to help mitigate unauthorized access.  Finally, including your firewall in your patch and vulnerability management process will help protect you from known vulnerabilities.  Ensuring proper restrictions on access to the management interface is an important control to help you mitigate risk with the management of your firewall.
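The rule checks described in the Firewall Management Basics tip and in this one (no “Any” in source, destination or service; a comment on every rule; management access to the firewall only from the MSP) can be run mechanically over an exported rule set. The script below is an added example, not 10-D Security’s tooling; it assumes the firewall appears as the destination object “firewall”, that management services are named “https” and “ssh”, and that the MSP range is 203.0.113.0/24. The rule set is constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Assumptions about the export format (not from the tip): the firewall's own
# management interface is the destination object "firewall" and management
# services are named "https" and "ssh".
FIREWALL_OBJECT = "firewall"
MGMT_SERVICES = {"https", "ssh"}


@dataclass
class Rule:
    name: str
    source: str
    destination: str
    service: str
    action: str
    comment: str = ""


def review_rules(rules, msp_range="203.0.113.0/24"):
    """Return (rule name, finding) tuples for every allow rule that breaks a check."""
    msp_net = ip_network(msp_range)
    findings = []
    for r in rules:
        if r.action.lower() != "allow":
            continue  # a deny rule cannot open a hole; nothing to flag
        # Check 1: source, destination and service should each be specific.
        for fld in ("source", "destination", "service"):
            if getattr(r, fld).strip().lower() == "any":
                findings.append((r.name, f"{fld} is Any"))
        # Check 2: every rule documents when, why and by whom it was created.
        if not r.comment.strip():
            findings.append((r.name, "no comment documenting the rule"))
        # Check 3: management access to the firewall only from the MSP's range.
        is_mgmt = (r.destination.lower() == FIREWALL_OBJECT
                   and r.service.lower() in MGMT_SERVICES)
        if is_mgmt and r.source.lower() != "any":  # "Any" was flagged by check 1
            try:
                inside = ip_network(r.source, strict=False).subnet_of(msp_net)
            except ValueError:  # named object or malformed address: not verifiable
                inside = False
            if not inside:
                findings.append((r.name,
                                 f"management source {r.source} is outside MSP range {msp_range}"))
    return findings


# Constructed sample rule set, in the shape a review export might take.
SAMPLE_RULES = [
    Rule("mgmt-from-msp", "203.0.113.0/24", "firewall", "https", "allow",
         "MSP console access; change CR-101, 2019-11, J. Smith"),
    Rule("mgmt-legacy", "any", "firewall", "ssh", "allow"),
    Rule("web-out", "10.0.0.0/24", "any", "https", "allow",
         "Workstations to internet; ticket 42"),
    Rule("vendor-test", "any", "any", "any", "allow", "temporary test"),
    Rule("mgmt-from-lan", "10.0.0.50", "firewall", "https", "allow",
         "admin workstation"),
    Rule("deny-all", "any", "any", "any", "deny", "cleanup rule"),
]

if __name__ == "__main__":
    for name, finding in review_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

Running it lists seven findings: the legacy SSH rule open to Any with no comment, the outbound web rule with an Any destination, the three Any fields of the test rule, and the HTTPS management rule from a LAN workstation that is outside the MSP range.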

                    Trade Show Raffle Compliance

                    Employee at a bank ($148M, USA)
                    Our bank is looking to participate in a trade show event, where we will be doing a raffle for prizes (under $600). In order to participate in the raffle, we will have to collect personal information. What are the restrictions/limitations and how can we word it, so we can contact them via phone, text or email? Does anyone have a template of a raffle they have recently used?

                      Default Credentials, Simple but Devastating

                      A common weakness we encounter on Internal Penetration Tests is not what you may expect.  It is not the latest 0-day vulnerability, nor is it a hard-to-exploit vulnerability.  Sometimes all it takes is a web browser for a simulated (or real) attacker to gain full control over your entire network: default credentials.  While simple and seemingly a “no brainer” to fix, the reality of modern production networks is that even with mature change control, devices and applications still end up configured with default credentials.  An example that this engineer has seen on multiple engagements is a trial or demo of a systems management solution still configured with its default logon of “admin/admin” (or something similar).
                      These solutions often offer a pre-configured VM (virtual machine) “appliance” that you download and run in your environment.  Because it isn’t in “production” yet, many IT folks don’t see a reason to change this default username/password.  Why would they?  They are just taking it for a test drive!  The problem quickly becomes clear, as many of these management tools need domain administrator privileges to perform their functions, e.g. deploy patches, inventory remote systems, etc.  These domain admin credentials are entered to see how well the solution works.  Many times, the system works great, is purchased, and goes from testing to production - and the default logon is never changed!  Or, just as common, the software isn’t purchased, and the VM is left on by accident, still configured with default credentials.
                      As an attacker, gaining access to management or monitoring solutions is almost always a sure-fire way to gain domain admin level privileges.  If you can’t use the software to create your own domain admin logon, you can use its management features to deploy software, run remote consoles on servers (as a domain admin level user), or sometimes just view clear-text or easily decryptable passwords.
                      While easy to overlook, and extremely dangerous, the fix is still simple: change credentials on any devices or software that get deployed into your environment…even for testing.  Some other recommendations include:
                      • Change control processes should include a step to change default credentials on any new systems.  It is also important to read the documentation.  Often the “admin” user isn’t the only privileged user pre-configured in a system.  All built-in users should have their passwords changed, or be disabled or removed if not needed.
                      • Make sure change control applies to test, development, or evaluation systems as well.  
                      • Track deployment of trial software from implementation, to retirement/decommissioning if the trial does not transition into a purchase.
                      • Sometimes a complete reinstallation, the application of large updates, or a repair of malfunctioning software can wind up resetting a logon back to a default password.  Again, change control can help ensure that a system is still in a secure state after an upgrade or repair.

                        The Reverse Tailgate . . . Works Every Time

                        OK, almost every time.  You have all heard of tailgating or piggybacking, where someone follows another person through a secure door.  The reverse tailgate is simply the reverse of that: someone sneaks through a door another person has just come out of by catching the door before it closes.  If done right, the person leaving never sees or hears what has happened, so it is highly successful.  Recommendation: when training on physical security, instill in your staff that they are responsible for witnessing the closing of the secure door they have opened, both inbound and outbound.

                          Printing Security

                          You’re sure you printed off those confidential documents, but you got distracted and didn’t grab them.  When you finally made it to the printer, they were gone!  Many printer and multifunction devices (copy/scan/print) offer private printing.  Private printing allows you to enter a code when printing a document, and then re-enter the code on the printer’s keypad once you reach the printer.  Every printer manufacturer does the task a little differently, but the basic premise is to look for a “Private Print” selection in the various printer settings when you File > Print a document.  Practice private printing using a test document, making sure you understand the process before you print something important.  If your printer does not support private printing, make sure that you don’t get sidetracked when printing important information - choose the closest printer and walk/run to it as soon as you click “Print”.  Remember, leaving sensitive documents unattended on the printer can lead to unintended information exposure and risk!

                            Banks and Credit Unions: Break Down Your Data Silos to Build Up Your Revenue!

                            When your account holder data is spread across disparate systems in multiple lines of business, every aspect of your organization’s performance is impeded from acquisition to onboarding to retention – meaning that your institution has likely missed critical service and marketing opportunities in your account holders’ journeys.
                             
                            Banks and credit unions that are seeking to become more efficient, productive and agile need to centralize their data into a unified platform.
                             
                            Download our free white paper to learn about the many ways you can build up your financial institution’s revenue by breaking down your data silos! 

                              Infographic | Synthetic Identity Fraud - Unreal Identities with Real ROI


                              How are synthetic identities created and exploited in financial institutions?

                              Highlights:
                              • Identity Fraud and SSN
                              • Hackers and Data Breaches
                              • Synthetic Identity Fraud
                              • How Financial Institutions are Exploited
                              • Synthetic Identity Crime Rings: An Exponential Formula
                              A typical synthetic ID syndicate operates hundreds or thousands of synthetic IDs simultaneously. Learn how criminals turn synthetic identity fraud into real ROI.

                                MX? Anyone using them?

                                VP at a bank ($789M, USA)
                                We saw the MX presentation at Finovate yesterday and stopped by their booth. We got a lot of information on their transaction cleansing, which we are exploring for a marketing automation system and chatbot. Is anyone using MX for commercial transactions? Anyone have success using MX?