I spoke to Yassir Abousselham, the CSO for Okta, an identity management cloud security vendor. Before joining Okta this past summer, he worked for SoFi, a fintech company where he built the company’s information security and privacy program. He also held leadership positions at Google, where he built both the corporate security for finance and legal departments and the payments infrastructure security programs, as well as at Ernst & Young, where he held a variety of technical and consultancy roles during his 11-year tenure.
When first started at E&Y, he worked for an entertainment company that hired them to examine their security issues. He found a misconfigured web server that enabled them to enter their network and compromise systems within the first 30 minutes of testing. This got him started in finding security gaps and when he first realized that security is only as good as your weakest link. “The larger the environment and more IT infrastructure, the harder it is to maintain these systems.” Luckily they weren’t billing by the hour for that engagement! He went on to produce a very comprehensive look at the company’s security profile, which is what they needed to avoid situations like what he initially found.
“The worse case is when companies do what I call check mark compliance assessments,” he said, referring to when companies are just implementing security and not really looking closely at what they are doing. “On the other hand, there are a few companies who do take the time to find the right expertise to actually improve their security posture.”
“To be effective, you have to design many security layers and use multiple tools to protect against any threats these days. And you know, the tools and the exploits do change over time. A few years ago, no one heard about ransomware for example.” He recommends looking at security tools that can help automate various processes, to ensure that they are done properly, such as automated patching and automated application testing.
Although he has been at Okta only a few months, they have yet to experience any ransomware attack. “The first line of defense is educating our employees. No matter how much you do, there is always going to be one user that will open an phished attachment. Hackers will go through great lengths to socially engineer those users.” Okta employs a core security team that has multiple functions, and works closely with other departments that are closer to the actual products to keep things secure. They also make use of their own mobile management tool to secure their employees’ mobile devices. “We allow BYOD but before you can connect to our network, your device has to pass a series of checks, such as not being rooted and having a PIN lock enabled and running the most updated OS version,” he said.
How does securing the Google infrastructure compare to Okta? “They have a much more complex environment, for sure.” That’s an understatement.
Working for an identity vendor like Okta, “I was surprised that single sign-on or SSO is not more universally deployed,” he said. “Many people see the value of SSO but sometimes take more time to actually get to the point where they actually use this technology. Nevertheless, SSO and multi-factor authentication are really becoming must-have technologies these days, just like having a firewall was back 20 years ago. It makes sense from a security standpoint and it makes sense from an economics standpoint too. You have to automate access controls and harden passwords, as well as be able to monitor how accounts are being used and be able to witness account compromises.” He compares not having SSO to putting a telnet server on the public Internet back in the day. “It is only a matter of time before your company will be compromised. Passwords aren’t enough to protect access these days.”
To provide better spam and phishing protection, a number of ways to improve on email message authentication have been available for years, and are being steadily implemented. However, it is a difficult path to make these methods work. Part of the problem is because there are multiple standards and sadly, you need to understand how these different standards interact and complement each other. Ultimately, you are going to need to deploy all of them.
VIPRE offers a nice package for small and medium-sized businesses that is easy to use and manage with a wide array of protective features.
We tested VIPRE on a series of different Windows clients during September 2017. It supports all versions of Windows desktop since v7 and servers since v2008R2. It currently protects more than six million endpoints and finds more than a million daily malware infections. VIPRE also sells an on-premises endpoint solution that also includes patch management features.
Pricing starts from $30/yr/seat with significant volume discounts. VIPRE offers free phone based US support during business hours.
An old scam to separate people from their money has been gaining more popularity. It uses a cellphone protocol called WAP billing to steal your money. You have a hint from its name that it has something to do with wireless network protocols, but the idea is to save folks some time when they want to pay for something online by having the charges go directly on the user’s phone bill. I explain the exploit and how it is being used in my latest blog post for iBoss here. One infection point is a “battery optimizer” app that conceals the WAP billing trojan.
Balancing anonymity and privacy isn’t an either/or situation. There are many shades of gray, and it is more of an art than science. Making sure your users understand the distinction between the two terms and setting their appropriate expectations of both should be a critical part of any job managing IT security.
Most users when they say they want anonymity really are saying that they don’t want anyone, whether it is the government or an IT department — to keep track of their web searches and conversations.
However,controlling our privacy is complex: Take a look at the typical controls offered by Twitter. (See the screencap at right.) How can any normal person figure these out? This post for the iBoss blog discusses these and other issues.
You can read my analysis here on HPE’s Enterprise.Nxt site. I review some of its history, highlight a few of the recent innovations with ransomware-as-a-service (such as this web dashboard from Satan shown here), and make a few suggestions on how to prevent it from spreading around your company.
My father’s father emigrated to America from Lithuania about a hundred years ago, and one day I intend to visit the Baltic region and see the land for myself, as my sister and I did earlier this year when we visited my mother’s homeland in northeast Poland. In my mind, the next best thing is to follow the activities of Estonia, a neighboring nation that is doing some interesting things online. (I know, my mind works in strange ways. But bear with me, I needed an intro for this essay.)
One reason why I am interested in Estonia is something that they have had in place for many years called the e-Resident program. Basically, this is an ID card issued by their government, for use by anyone in the world. You don’t have to ever live there, or even want to live there. More people have signed up for this ID than are actual residents of the country, so it was a smart move by their government to widen their virtual talent pool. Once you have this ID, you can register a new business in a matter of minutes. Thousands of businesses have been started by e-Residents, which also helps to bring physical businesses there too. In many countries, offshore businesses are required to have a local director or local address. Not Estonia.
So last week, after thinking more about this, I finally took the e-Resident plunge. It costs about $100, you need to take a picture of your local passport and fill out a simple form. When the ID card is ready, you have to physically go and pick it up at a local Estonia embassy (either NYC or DC would be the closest places for me).
Well, as usual, it was bad timing for me. I should have waited a little bit longer. This week we learned that there are potential exploits with the ID cards, at least the cards that have been circulating for the past several years. Almost 750,000 cards are affected. According to Estonian officials, the risk is a theoretical one and there is no evidence of anyone’s digital identity actually being misused. It might change how the IDs are used in next month’s national elections, although they haven’t decided on that. About a third of their voters do vote online. I am confident that they will figure out a fix. Hopefully before my next DC business trip.
Estonia is leading the world in other digital matters too. Lots of companies have disaster recovery data centers located far from their headquarters, but that is an issue with Estonia, which is small enough that far is a just a few minutes’ drive. So they came up with another plan to make Estonia the first government to build an off-site data center in another country. The government will make backup copies of its critical data infrastructure and store them in Luxembourg if agreements between the two countries are reached. My story in IBM’s Security Intelligence blog goes into more details of what they call their “data embassy.” They have lots of other big digital plans too, such as using 100% digitized textbooks in their education system by the end of the decade and a public sector data exchange facility with Finland they are putting in place for this year.
Earlier this year, I read about a course they offered called “Subversive Leverage and Psychological Defense” to master’s degree students at their Academy of Security Sciences. The students are preparing for positions in the Estonian Internal Security Service. The story from CSM Passcode goes into more details about how vigilant they have to be to fight Russian propaganda. These aren’t isolated examples of how sophisticated they are. They also were the first EU country to teach HTML coding in its elementary schools back in 2012, and the Skype software was developed there.
Their former Prime Minister Taavi Rõivas has even appeared on the The Daily Show with Trevor Noah to talk about these programs. Clearly, they have a strong vision, made all the more impressive by the fact that they had almost no Internet access just a few years ago when they were still part of the Soviet empire. Certainly a place to keep an eye on.
The number of choices for automating login authentication is a messy alphabet soup of standards and frameworks, including SAML, WS-Federation, OpenID Connect, OAuth, and many others. OAuth began its life about seven years ago as an open standard that was created to handle authorization by Twitter and Google.Today I will take a closer look at this standard, and you can read the rest of my post on iBoss’ blog here.
In my work as editor of Inside Security’s email newsletter, I am on the lookout for ways that criminals can take advantage of insecure Internet infrastructure. I came across this article yesterday that I thought I would share with you and also take some time to explain the concept of the malicious redirect. This is how the bad guys turn something that was designed to be helpful into an exploit.
A redirect is when you put some HTML code on a web page because that URL is no longer in service, but you don’t want to lose that visitor. The most likely situation is that someone could have clicked on an old link and gotten to that location. So you direct them to the appropriate place on your website. Simple right?
Now the bad guys have used this, but instead of being helpful, they use the redirect code to point you to a place that contains some malware, in the hopes that you will not notice that the new web page is a trap and in an instant, your computer is now infected with something. Surprise! Sadly, this happens more and more.
In a post on Sucuri’s blog, researchers describe several ways the malicious redirect can happen. One way is by leveraging configuration files such as .htacess or .ini files. These are files associated with web servers that control all sorts of behavior and are usually hidden from ordinary browsing. Usually, your website security prevents folks from messing with these files, but if you made setup errors or if you aren’t paying attention, the configuration files can be exposed to attackers. Another way is by having an attacker mess with your DNS settings so that visitors to your site end up going somewhere else. How does some attacker gain access to your DNS servers? Typically, it is through a compromised administrative account password. Do you really know who in your organization has access to this information? Probably more people than you realize. When was the last time you changed this password anyway?
My office is in a condo complex that has several doors to a public alley. Each of the doors has a combination lock and all of the doors have the same combination. A year or so ago, the board was discussing that it might be time to change the combination because many people – by design – know what this combination is. This is just good security practice. Now the analogy isn’t quite sound – by design a lot of people have to know this number, otherwise no one can get out to the alley to take their trash out – but still, it was a good idea to regularly change the access code.
Neither of these exploit methods is new: they have been happening almost since the web became popular, sadly. So it is important that if you run websites and don’t want your reputation ruined or have some criminal spreading malware that you at least understand what can happen and make sure that you are protected.
But there is another way redirects can happen: by an attacker grabbing an expired domain name and leveraging its associated WordPress plug-in. Since a lot of you run WordPress sites, I want to take a moment to describe this attack method.
- Attacker finds a dormant plug-in on the WordPress catalog. Give the thousands of plug-ins, there are lots of them that haven’t been updated in several years.
- Check the underlying domain name that is used for the plug-in. If it isn’t active, purchase and register the name.
- Change the code on your plug-in to serve up the malware whenever anyone uses it.
- Hope no one notices and sit back as the Internet spread your nasty business far and wide.
Moral of the story: Don’t use outdated plug-ins, and limit the potential for attacks by deleting unused plug-ins from your WordPress servers anyway. Make use of a tool such as WordFence to protect your blogs. Update your blog with the latest versions of WordPress and the latest plug-in versions too while you are at it.
When I first started using WordPress more than a decade ago, I went plug-in crazy and loaded up more than a dozen different ones for all sorts of enhancements to my blog’s appearance and functions. Now I am more careful, and only run the ones that I absolutely need. Situations such as this malicious redirect are a good reason why you should follow a similar strategy.
The world of SSL certificates is changing, as the certs become easier to obtain and more frequently used. In general, having a secure HTTP-based website is a good thing: the secure part of the protocol means it is more difficult to eavesdrop on any conversation between your browser and the web server. Despite their popularity, there is a dark side to them as well. Let’s take a closer look at my iBoss blog post this week.