RSA blog: Securing chaos: How Security Chaos Engineering tools can improve design and response

A large portion of security professionals think that their job is to prevent bad actors from gaining access to trusted resources. Yes, in isolation that is a true statement. But the implications of that position hide what is really supposed to happen. Instead, it is the job of infosec pros to ensure only appropriate actors can access trusted resources. One way this is accomplished is through what is called Security Chaos Engineering, which tests security resilience before some attack happens. It is an evolution of the pioneering work that was first done at Netflix many years ago. Now there are a number of similar products and related practitioners in this field.

The concept is simple to explain, but exceedingly hard to implement. One reason why this engineering mindset is needed has to do with the way that breaches are understood inside companies. Too often we don’t think about our IT infrastructure holistically, and when a breach happens we try to just plug the hole and move on. How many post-breach memos have you read where the author says, “we are taking steps to ensure this never happens again?” Technically that statement is even true: the next breach will happen somewhere else in the network, caused by some other “hole.” Another reason is that the average software stack has gotten so complex and distributed that it is hard to comprehend and defend. It isn’t a matter of if you will have a breach, but when and how and what part of your systems will be compromised.

Adopting chaos engineering means that you look for potential points of failure across all of your IT systems. Part of this should be inherent in any lifecycle governance of your systems. But part is also being clever about how you test your systems. If you think you have this covered with penetration testing, you need to think again. The usual pen test engagement is a single moment in time when a SWAT team inhabits a conference room (perhaps now they do this virtually) and tests their mettle against your security defenses. Chaos engineering is a continuous practice: your team is always testing your systems and software. Sadly, the old methods don’t work anymore. For example, just because you bought a firewall several years ago and have spent time defining a rule set doesn’t mean those rules are relevant or effective today. Your systems might be completely different and no longer protected. And these days, with rising cases of ransomware and data exfiltration, you want to catch these attacks before they do real damage.

Netflix was one of the first places to make overall chaos engineering popular several years ago with a tool they called Chaos Monkey. It was designed to test the company’s Amazon Web Services infrastructure by constantly – and randomly – terminating production instances. This always-on feature is important, because no single event will do enough damage or provide enough insight to harden your systems or find the weakest points in your infrastructure. Now that we live in the era of complex security events that leverage multiple malware techniques as part of a coordinated campaign, we need to design and test for more sophisticated and longer-lasting attacks. We need better tools, and that is where Security Chaos Engineering can help. In addition to the open source tools that came from Netflix, there are commercial products such as Verodin/Mandiant’s Security Validation, SafeBreach’s Breach and Attack Simulation, and AttackIQ’s Security Optimization Platform, just to name a few of them.

Customers who have used these tools suggest the following best practices:

  • Have an action plan: don’t change more than one variable at a time
  • Define the rules of engagement (including the scaling up of your systems) so you maintain control when things go south
  • Know your “blast radius” and the disruptive implications of your tests
  • Use a tool that integrates with your SIEM logs (for example, SafeBreach can work with RSA’s NetWitness Platform)

This last item bears further explanation. A single SIEM entry can easily be overlooked, especially if you are hunting for it in a massive dataset. Security Chaos Engineering tools inject a known event and then automatically check whether the corresponding entries and alerts showed up, advising you about the implications when they didn’t – such as tightening an overly permissive access-role policy, for example.
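The loop described above (inject a known fault, then confirm the SIEM actually raised the alert), wired to the best practices in the list, is shown in this added example. It is not code from any of the products named in the post. The inventory, the SIEM store, the correlation rules and the fault injections are all constructed stand-ins so the script runs offline; each experiment changes one variable, is scoped by a tag-based blast radius, refuses to run if the radius is wider than the rules of engagement allow, and always rolls back.

```python
"""Minimal security chaos experiment harness (added example).

Each experiment changes exactly one variable, touches only hosts inside a
declared blast radius, injects a fault tagged with a unique canary string,
rolls the fault back, and then checks whether the expected alert carrying
that canary appeared in the SIEM. The SIEM, inventory, correlation rules
and fault injections below are constructed stand-ins so the script runs
offline; swap them for your real log search and tooling.
"""
import uuid
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

SIEM_LOG: List[str] = []  # constructed stand-in for a SIEM index

# Constructed inventory: host -> tags used to scope the blast radius.
INVENTORY: Dict[str, Dict[str, str]] = {
    "web-01": {"env": "staging", "tier": "web"},
    "web-02": {"env": "prod", "tier": "web"},
    "db-01": {"env": "prod", "tier": "db"},
}


def correlate(event: str) -> Optional[str]:
    """Constructed SIEM correlation rules: raw event -> alert name.

    There is deliberately no rule for new local admin accounts; that is the
    kind of detection gap the experiments below are meant to surface.
    """
    if "listen_port=" in event and "approved=no" in event:
        return "unexpected_listener"
    return None


def ingest(event: str) -> None:
    """Store the raw event and, if a rule fires, the derived alert line."""
    SIEM_LOG.append(event)
    alert = correlate(event)
    if alert:
        SIEM_LOG.append(f"ALERT {alert} {event}")


@dataclass
class Experiment:
    name: str
    variable: str                       # the one thing this experiment changes
    blast_radius: Dict[str, str]        # tag filter; only matching hosts are touched
    inject: Callable[[str, str], None]  # (host, canary) -> cause the fault
    rollback: Callable[[str], None]     # host -> undo the fault
    expected_alert: str                 # alert name the SIEM should raise
    max_hosts: int = 1                  # rules of engagement: abort if wider


def hosts_in_radius(radius: Dict[str, str]) -> List[str]:
    return [h for h, tags in INVENTORY.items()
            if all(tags.get(k) == v for k, v in radius.items())]


def run(exp: Experiment) -> dict:
    hosts = hosts_in_radius(exp.blast_radius)
    result = {"experiment": exp.name, "variable": exp.variable, "hosts": hosts,
              "status": "ran", "detected": False, "missing_alert": None}
    if len(hosts) > exp.max_hosts:      # keep control: refuse an oversized radius
        result["status"] = "aborted"
        return result
    canary = f"sce-{uuid.uuid4().hex[:8]}"
    try:
        for h in hosts:
            exp.inject(h, canary)
    finally:                            # always roll back, even if injection fails
        for h in hosts:
            exp.rollback(h)
    hits = [line for line in SIEM_LOG
            if line.startswith("ALERT ") and exp.expected_alert in line and canary in line]
    result["detected"] = bool(hits)
    result["missing_alert"] = None if hits else exp.expected_alert
    return result


# Constructed fault injections: in practice these would open a socket, create
# a user, and so on; here they only emit the event a host sensor would log.
def open_listener(host: str, canary: str) -> None:
    ingest(f"host={host} listen_port=4444 approved=no canary={canary}")


def add_local_admin(host: str, canary: str) -> None:
    ingest(f"host={host} user_add name=svc_{canary} group=Administrators canary={canary}")


def rollback(host: str) -> None:
    ingest(f"host={host} sce_rollback=done")


EXPERIMENTS = [
    Experiment("unexpected-listener", "open TCP port", {"env": "staging"},
               open_listener, rollback, "unexpected_listener"),
    Experiment("new-local-admin", "local admin account", {"env": "staging"},
               add_local_admin, rollback, "new_admin_account"),
    Experiment("listener-all-web", "open TCP port", {"tier": "web"},
               open_listener, rollback, "unexpected_listener"),
]


def run_all() -> List[dict]:
    return [run(exp) for exp in EXPERIMENTS]


if __name__ == "__main__":
    for r in run_all():
        print(r)
```

Running it reports the first experiment as detected, the second as a missed alert (there is no rule for new admin accounts, which is the finding you would take to the detection team), and the third as aborted because a tier-wide radius would touch a production host when the rules of engagement allow one host. The canary string is what makes the SIEM search precise: you are looking for one known marker, not sifting through everything that happened during the test window.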

If you haven’t yet examined any of these chaos engineering tools – both for general systems analysis and for security-related issues – now might be the time to take a closer look. It is time for every security team to change their mindset from patching as a result of a security event to becoming more proactive in anticipating future attacks.

RSA blog: Time to give thanks and review our predictions

It is a bit risky writing about the year’s trends and predictions this time around. Certainly, the Covid pandemic has dominated our lives during the past year and thrown many of our predictions out the window. But re-reading my RSA blog post from a year ago, there are still these two themes which are very much at the forefront.

  • Better authentication. In the past year, we saw Apple wholeheartedly embrace FIDO and new implementations that extend its features to web-based authentication. Both will go a long way towards implementing this standard. And support for multi-factor authentication continues to improve too, although it still is far from universal. Only 10% of enterprise users use any form of multi-factor authentication for any of their application logins. Given the popularity of smartphones, installing an authentication app on your phone is the easiest form of protection you can get. But wait, there is more bad news: less than 20% of companies in most industries are protected with email authentication tools such as DMARC and SPF. Sadly, most state and local government domains remain unprotected with these technologies.
  • Ransomware continues to rise. Various reports (such as this one) show a rise in the number and severity of these attacks, with new exploits and variants being seen every week. Some ransomware is designed specifically to target machine learning data, so that models will report bad results and poison automated security solutions.
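The email-authentication gap called out in the first bullet above (DMARC and SPF) is something you can check for your own domains in a few lines. This is an added example, not code from RSA or the report cited; the TXT records in the table are constructed sample data so the check runs offline, and a live check would replace lookup() with a real DNS query (for example, dnspython’s dns.resolver.resolve(name, "TXT")). It classifies a domain as enforced only when DMARC is at quarantine or reject for 100% of mail, and flags the common half-measures: p=none, a partial pct, no reporting address, a second SPF record (a permerror under RFC 7208), and SPF records that exceed the 10 DNS-lookup limit.

```python
"""Classify a domain's SPF and DMARC posture from its TXT records (added example).

TXT_RECORDS is constructed sample data; replace lookup() with a DNS query
to assess real domains.
"""
from typing import Dict, List, Optional

TXT_RECORDS: Dict[str, List[str]] = {
    "good.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "weak.example": ["v=spf1 a mx include:_spf.mail.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "partial.example": ["v=spf1 mx -all", "v=spf1 a -all"],  # two SPF records: permerror
    "_dmarc.partial.example": ["v=DMARC1; p=quarantine; pct=25"],
    "bare.example": ["google-site-verification=abc123"],   # neither record present
}

MAX_SPF_LOOKUPS = 10  # RFC 7208 section 4.6.4


def lookup(name: str) -> List[str]:
    """Constructed DNS stand-in: return the TXT records for a name."""
    return TXT_RECORDS.get(name, [])


def _is_lookup_mechanism(mech: str) -> bool:
    """include, a, mx, ptr, exists and redirect each cost a DNS lookup."""
    name = mech.split(":")[0].split("/")[0].split("=")[0]
    return name in ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_spf(records: List[str]) -> dict:
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return {"present": False}
    if len(spf) > 1:
        return {"present": True, "error": "multiple SPF records (permerror)"}
    all_qualifier: Optional[str] = None
    lookups = 0
    for term in spf[0].split()[1:]:
        t = term.lower()
        mech = t.lstrip("+-~?")
        if mech == "all":
            all_qualifier = t if t[0] in "+-~?" else "+all"
        elif _is_lookup_mechanism(mech):
            lookups += 1
    return {"present": True, "all": all_qualifier, "lookups": lookups}


def parse_dmarc(records: List[str]) -> dict:
    rec = [r for r in records if r.upper().replace(" ", "").startswith("V=DMARC1")]
    if not rec:
        return {"present": False}
    tags = {}
    for part in rec[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return {"present": True, "p": tags.get("p", "").lower(),
            "pct": int(tags.get("pct", "100")), "rua": "rua" in tags}


def assess(domain: str) -> dict:
    findings: List[str] = []
    spf = parse_spf(lookup(domain))
    if not spf["present"]:
        findings.append("no SPF record")
    elif "error" in spf:
        findings.append(spf["error"])
    else:
        if spf["all"] not in ("-all", "~all"):
            findings.append(f"SPF does not fail unauthorized senders (ends in {spf['all']})")
        if spf["lookups"] > MAX_SPF_LOOKUPS:
            findings.append("SPF exceeds 10 DNS lookups (permerror)")
    dmarc = parse_dmarc(lookup("_dmarc." + domain))
    if not dmarc["present"]:
        findings.append("no DMARC record")
    else:
        if dmarc["p"] == "none":
            findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
        if dmarc["pct"] < 100:
            findings.append(f"DMARC pct={dmarc['pct']}: policy applied to only part of the mail")
        if not dmarc["rua"]:
            findings.append("no rua= address: you receive no aggregate reports")
    enforced = dmarc["present"] and dmarc["p"] in ("quarantine", "reject") and dmarc["pct"] == 100
    return {"domain": domain, "spf": spf, "dmarc": dmarc, "enforced": enforced, "findings": findings}


if __name__ == "__main__":
    for d in ("good.example", "weak.example", "partial.example", "bare.example"):
        r = assess(d)
        print(d, "ENFORCED" if r["enforced"] else "NOT ENFORCED", r["findings"])
```

Note the distinction the check draws: a domain with SPF and a p=none DMARC record looks "protected" in a naive survey but still lets spoofed mail through, which is why the enforcement test keys on the DMARC policy rather than on mere presence of the records.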

But let’s look forward, not backward, and certainly we should discuss where we go with Covid. Now that everyone is working from elsewhere, endpoints are being shared across families, making them more vulnerable to exploits. Google has seen 1M daily phishing attempts across its email infrastructure. And there are tons of phishing lures with Covid-related subject lines, or messages that offer free testing or deals on travel. The virus also demonstrated why business continuity and better risk management decision-making is essential. Security awareness training now starts with the home, and if you are sharing your networks with your family, they need to be trained as well.

RSA’s Anti-fraud group has also found an increase in QR code fraud. These codes became more popular this year to try to promote contactless retail shopping or dining experiences. The bad guys quickly picked up on this trend. They trick users into downloading malicious programs, or use QR codes for a new type of phishing attack that brings users to a malicious copycat website. The above link has a bunch of handy suggestions to discern whether your QR code will bring you to potential malware-infested sites and other tips on how to be more aware of malicious codes.

What does the future hold? We should expect more high-profile victims in 2021. In 2020, Twitter, Zoom, Marriott and Nintendo were the top victims of various social engineering and credential stuffing attacks. None of these were technically sophisticated – the Marriott attack, for example, was successful because it managed to compromise just two employees’ accounts. Better authentication and more security awareness training could have prevented this.

A second issue is that of deep fake videos. What began as innocent and simple photo editing software has evolved into an entire industry that is designed to pollute the online ecosystem of video information. The past couple of years have seen advances in more sophisticated image alteration and the use of AI tools to create these deep fakes. I also expect improvements that will make them harder for recipients to discern, and fakes that will quickly spread across social networks.

Network Solutions blog: How to defend against web skimming attacks

Related reading: Magecart web skimming group targets public hotspots and mobile users (CSO Online)

Your eCommerce website is vulnerable to a variety of threats known collectively as web skimming. The hackers behind these threats are getting better at penetrating your site and installing their malware to steal your customers’ money and private information. And web skimming is getting more popular both with the rising frequency of attacks and with bigger data breaches recorded. In this post for Network Solutions’ blog, I describe how these attacks work, reference a few of the more newsworthy ones and provide a bunch of tips on how to prevent your own eCommerce site from becoming compromised.


Securing your IRS online account

It is hard to believe that it has taken the US IRS all this time to figure out a better authentication mechanism for taxpayers. But starting next month, all taxpayers can apply for an identity protection personal identification number (IP PIN) to block identity thieves from falsely claiming any tax refunds. To give you an idea of the magnitude of this problem, the IRS says several billions of dollars of phony refunds have been prevented through its half-hearted efforts to date. This includes refunds claimed in the names of taxpayers who never filed returns.

The IP PIN process used to be for high-risk taxpayers: those who have been victims of refund fraud attempts in the past. Starting next month, we can all join this party (hopefully not the victims group). They explain all of this here, which they call “secure access.”

To participate, you will need a “real” cellular phone number (vs. an IP service like Google Hangouts) and your email address. You will also need a credit card or some other financial instrument (not a debit card) to prove your identity. If you are concerned about giving your phone number to the IRS, you can substitute your postal address and they will send the confirmations that way.

The IP PIN is a six-digit code that changes annually. That is annoying — why not use a Google Authenticator-style smartphone app? — and to make matters more confusing, this differs from the five-digit PIN that is used during the e-filing process for your return. (When I first typed in e-filing, I didn’t use a hyphen and one of the suggestions was effing. That isn’t too far from reality. But I digress.)

Even though the IP PIN effort isn’t happening until next month, you can sign up for your IRS electronic account now. (CORRECTION: The IRS took down the service until January, see the link in my comment.)

This will be a prerequisite for the universal IP PIN process. You’ll notice that particular link isn’t mentioned in the earlier link that explains what secure access is: Dontcha just love our gummint? Anyway, I spent about 20 minutes getting my digital ducks in order for myself and about the same time for my wife’s account. My first credit card for some reason wasn’t accepted, and the site was initially down at the time I tried to sign up my wife. I was going to use my Amex card but the IRS doesn’t take that either. Eventually, both of us passed muster and created our accounts. It was nice to see that we didn’t owe the IRS any money from past filings.

If this has awakened a desire to be more proactive about protecting your digital identity, Brian Krebs has a bunch of other suggestions that he calls “planting your digital flag.” They are all good ones, although if you are paranoid about your privacy you might want to think about the security tradeoffs you are making.

Avast blog: The rise of the OGUsers hacking group

The hacker’s forum called OGUsers has ironically been a tempting target for criminals, with a series of at least three successful hacking attempts in the past couple of years: Once in May 2019, a second time in March 2020, and a third time just last week. In my post for Avast’s blog, I talk about how this forum came to be and its involvement in a series of earlier hacks that it originated as well as more specifics on the three attempts. And a few suggestions on what you can do to prevent your account data from being compromised.


Book review: Tom Clancy’s Net Force Attack Protocol

This is the latest in a series of books written by others, in this case by Jerome Preisler. I had high hopes for this book, which is part of a series about a new cybersecurity-enhanced Seal Team type of military commandos. This shows how good an author Clancy is, and how Preisler is just a pale imitation. Like the “Rocky” movie sequels, the book picks up where previous books end, so you really can’t get its full value if you read it as a standalone volume. And it just ends at some random plot point, without really resolving many of the characters’ situations. Like Clancy, it is filled with jargon, weaponry, mil-speak, and plenty of explosions and gun play. Unlike Clancy, none of this really makes much sense or is essential to moving the plot along, or even mildly interesting. As someone who works in cybersecurity, I thought its treatment of the IT issues was just juvenile and superficial and didn’t draw me into the narrative or characters. Plus, the actual advanced cybersec defenders are less dependent on those macho things that shoot bullets and more on using their brains and computer skills. If you are hungry for more Clancy, pick up one of his old classics like “Red October.” Or if you want to read a series that has much better character and plot development and shows how an actual cybersec team works, check out this series. In either case, you should give this Protocol a pass.

Buy the book from Amazon here.

Network Solutions blog: an IT professional’s guide to virtual events

You’re in your comfort zone. Maybe you’re solving problems related to IT security, network management or cloud computing. Perhaps you’re helping someone reset their password or get set up on a VPN. Whatever the task is, you feel good about it. You understand your specialty, and you like to stay focused on doing what you do best. Then, one day, someone in your organization messages you and asks you to help run a virtual conference.

Time stops. Your hand freezes on the mouse. The text cursor blinks in the reply field, counting down the seconds until you have to respond. A virtual conference? How do you even start to prepare for something like that?

It might be outside of your wheelhouse, but the truth is that IT professionals like you have a critical role to play in facilitating and troubleshooting virtual conferences. Your team needs your help to ensure the event goes smoothly. You’ll need to choose the right conferencing solution, find event management software that fits your needs and learn how to work with a production team. Then, when the big day comes, you’ll have to perform live troubleshooting to make sure it stays on track.

Download my latest eBook from Network Solutions here to learn more about best practices in supporting virtual events.

There was no hacking of our elections. Period.

I have struggled trying to write something about the underlying IT of our recent elections without making this overtly partisan or political. So here goes: there was no hacking of our ballots. We had probably the most secure election in our nation’s history. No foreign power changed any ballots. Numerous recounts verified the results. Biden won, fair and square.

Yes, the precise tabulation of votes was off by a few votes here and there. But not enough to change the overall result or who will become our next president. The states that were called for each candidate – including an early prediction by Fox News that Biden won Arizona on election night — remained unchanged.

Sunday night on 60 Minutes Chris Krebs was interviewed about his role in securing our election. Krebs ran the Cybersecurity and Infrastructure Security Agency for DHS for several years and built up a powerhouse support team for local elections officials. If you haven’t yet watched the segment, please take the time to do so, or at least read the transcript of his interview. He makes it very clear what happened, and more importantly, what didn’t happen. The claims by our president are just pure fantasy.

Krebs reiterates the points made in this November 12th letter signed by various government election officials who have been supporting the underlying security efforts: “There is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised.” Krebs wrote an op-ed for the Washington Post.

Krebs and his team put together a special website called “rumor control” that is still online. It contains FAQ about rumors and misinformation about our electoral process. We should have similar pages across all government agencies, especially in these times where facts are hard to come by. The Rand Corporation calls this truth decay and how we can’t agree on the facts anymore.

Ironically, many of these rumors were started by our president and his advisors.

Krebs was very accessible on election day, hosting a series of teleconferences with reporters every few hours. It was an odd series of briefings. I kept waiting for the ball to drop but as the day wore on, it was clear that our vote was clean. “It is just another Tuesday on the Internet,” Krebs said at one point. It was clear that he had done his job well, and we should have praised him. Instead, he was fired by a tweet a couple of weeks later.

In the process of writing about elections security for Avast’s blog, I have met and interviewed some of the computer scientists who wrote their own letter. They firmly state that claims about rigged elections “either have been unsubstantiated or are technically incoherent.” This includes allegations about the operations of one of the tech voting machine vendors: there was no wholesale transfer of votes.

Another irony: it is the abundance of paper ballot backups – and the 100M people who voted early and by mail — that made these claims false. Look at the Georgia manual recount. Yes, Georgia has had some tech problems in the past year, documented by this investigation in the Atlanta newspaper. But they ultimately pulled it together for November. Again, their final tally differs by a few votes here and there. There were some counting errors, but those were made by humans, not computers. And more importantly, they were discovered and corrected. The final tally for both candidates increased slightly. But Biden’s victory margin was tens of thousands of votes and remained intact after the recount. What is more impressive is the number of counties where the counts remained exactly the same.

Our elections – and our democracy – worked. Krebs said last night that it is “a travesty what is happening now with all these death threats to election officials. They are defending democracy. They are doing their jobs.” Here is more from another interview where he talks about these threats to a WaPost reporter.

Avast blog: Return of the Mirai botnet

Remember Mirai? This four-year-old botnet was the scourge of the internet and used as the launching pad for numerous DDoS attacks. It continues to be the basis for new attacks, and I blog about this for Avast here. There are several mitigation measures you can take, including using a free tool from F-Secure that can check your router for any potential weaknesses. You might also use this as the starting point for a more complete program to ensure all critical network infrastructure has appropriately complex and unique passwords.
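Mirai spreads by logging into devices over telnet with a fixed table of factory-default username/password pairs, so "complex and unique passwords" is the concrete thing to audit. The following is an added example, not the F-Secure router checker or any Avast tool mentioned above: DEFAULT_CREDENTIALS is a small subset of the well-known pairs from the published Mirai source, the device inventory is constructed sample data, and the MIN_LENGTH and character-class thresholds are assumptions you should set to your own policy. It flags default pairs, weak passwords, a password reused across devices, and telnet left enabled.

```python
"""Audit network-device credentials for the weaknesses Mirai exploits (added example).

DEFAULT_CREDENTIALS is a subset of the factory-default pairs in the published
Mirai source; DEVICES is constructed sample data.
"""
from collections import defaultdict
from typing import Dict, List

DEFAULT_CREDENTIALS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "default"), ("root", "123456"), ("root", "root"),
    ("admin", "password"), ("admin", "1234"), ("support", "support"),
    ("user", "user"), ("ubnt", "ubnt"), ("guest", "guest"), ("root", ""),
}

# Constructed inventory of network devices and their management credentials.
DEVICES = [
    {"name": "edge-rtr-1", "user": "admin", "password": "admin", "telnet": True},
    {"name": "cam-lobby", "user": "root", "password": "xc3511", "telnet": True},
    {"name": "core-sw-1", "user": "netops", "password": "Qp7!vLm2#Rz9wX", "telnet": False},
    {"name": "core-sw-2", "user": "netops", "password": "Qp7!vLm2#Rz9wX", "telnet": False},
    {"name": "ap-floor2", "user": "ops", "password": "Summer2020", "telnet": False},
]

MIN_LENGTH = 12      # assumed policy threshold
MIN_CLASSES = 3      # assumed: at least 3 of lower/upper/digit/other


def is_complex(password: str) -> bool:
    """Length and character-class check (assumed policy, adjust to your own)."""
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return len(password) >= MIN_LENGTH and classes >= MIN_CLASSES


def audit(devices: List[dict]) -> Dict[str, List[str]]:
    """Return a list of findings per device name (empty list means clean)."""
    users_of_password = defaultdict(list)
    for d in devices:
        users_of_password[d["password"]].append(d["name"])

    findings: Dict[str, List[str]] = {}
    for d in devices:
        f: List[str] = []
        if (d["user"], d["password"]) in DEFAULT_CREDENTIALS:
            f.append("factory default credential (in Mirai's table)")
        if not is_complex(d["password"]):
            f.append(f"password shorter than {MIN_LENGTH} chars or fewer than {MIN_CLASSES} character classes")
        others = [n for n in users_of_password[d["password"]] if n != d["name"]]
        if others:
            f.append("password shared with " + ", ".join(others))
        if d["telnet"]:
            f.append("telnet enabled (Mirai's propagation channel); use SSH with key auth")
        findings[d["name"]] = f
    return findings


if __name__ == "__main__":
    for name, f in audit(DEVICES).items():
        print(name, "OK" if not f else "; ".join(f))
```

The reuse check is the one people skip: core-sw-1 and core-sw-2 each have a strong password, but because it is the same password, compromising one switch hands over the other, which is exactly the lateral spread a botnet wants.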

Lessons learned from the Home Depot breach

You might have forgotten about the massive Home Depot data breach. After all, it happened in 2014. More than 56M customers’ payment card data was exposed as a result of malware being installed on the self-checkout lanes in numerous stores. (While I haven’t been in any store in a while, I do recall those self-checkout lanes to be annoying and spending time rescanning my items.) The malware operated for several months before it was detected and removed. At the time, it was the largest breach on record. The main cause of the breach was stolen third-party credentials. A report that SANS has put together is an excellent analysis of what happened.

The company was fined $17.5M as a result as part of a settlement which was announced this past week with various state and federal officials. Reviewing the press release was quite revealing (for once) because it lists a number of action items that Home Depot had agreed to implement to prevent further breaches. These include:

  • Having a Chief Information Security Officer report to C-level executives and the Board of Directors
  • Providing resources necessary to fully implement the company’s information security program, including a comprehensive security awareness and privacy training program
  • Employing specific security safeguards with respect to logging and monitoring, access controls, password management, two-factor authentication, file integrity monitoring, firewalls, and data encryption controls
  • Regular vulnerability scans of their networks that include risk assessments, penetration testing, intrusion detection, and vendor account management
  • Appropriate network segmentation of their POS equipment and other sensitive areas

One would hope that in the past six years they have actually done all of these. Yes, our legal system moves quite slowly. But it is a handy reference list for all of us to evaluate the IT security of our own businesses. And it isn’t as simple as turning on all the features of their endpoint protection tool (something that Home Depot didn’t do back in 2014 for some odd reason) but implementing more system-wide efforts that need continuous attention. For example, the POS was running Windows XP, which was outdated and quite vulnerable even in 2014.

IT security isn’t a destination, but an evolutionary process. Take your eyes off the ball and you’ll find yourself in a similar situation to Home Depot.