Dark Reading: SMB Security Catches Up to Large Companies

Archive for the ‘Security’ Category

Dark Reading: SMB Security Catches Up to Large Companies

Posted by

Excerpt from: SMB security catches up to large companies

Small and midsize businesses (SMBs) have long had a reputation for being behind the curve in cybersecurity, especially compared with large companies that have more resources. A new report shows SMBs are just as capable of defending themselves, despite facing similar challenges.

“We see time and time again that SMBs are actually punching above their weight,” says Wolfgang Goerlich, advisory CISO with Cisco Security. “They’re doing better than we would’ve anticipated.”

Overall, the numbers indicate small businesses are placing a stronger focus on security over time. The same sentiment is echoed in data from The Manifest, which recently released results from a survey of 383 smaller organizations, most of which had fewer than 50 employees.

“Training is a long-term strategy to ensure employees aren’t acting careless,” says The Manifest’s Riley Panko.

Read the full article here: https://www.darkreading.com/perimeter/smb-security-catches-up-to-large-companies-data-shows/d/d-id/1337725

Microsoft Valuable Professional (MVP)

Posted by

Microsoft has recognized my work in Cloud Computing security with a 2017-2018 Microsoft Valuable Professional (MVP) award. I’ve long relied upon the guidance and advice from MVPs. It’s a fantastic program. I’m honored to now be included, specifically under Enterprise Security.

Hybrid cloud security: 8 key considerations

Posted by

Hybrid cloud should strengthen your organization’s security posture, not diminish it. But that doesn’t mean improved security is a default setting. While security fears are declining as cloud matures, security remains an ongoing challenge that needs to be managed in any organization. And a hybrid cloud environment comes with its own particular set of security considerations.

 

1. Ensure you have complete visibility.

Too often in modern IT, CIOs and other IT leaders have blind spots in their environments, or they focus too narrowly (or even exclusively) on their on-premises infrastructure, says cybersecurity veteran J. Wolfgang Goerlich, who serves as VP of strategic programs at CBI.

Now that companies and their end users can use hundreds of cloud-based apps, and multiple departments can spin up their own virtual server on an Infrastructure-as-a-Service platform, complete visibility across private cloud, public cloud, and traditional infrastructure is a must. A lack of visibility, says Goerlich, snowballs into much greater security risks than are necessary.

2. Every asset needs an owner.

If you lack 360-degree visibility, you probably lack ownership. Every piece of your hybrid cloud architecture needs an owner.

“A key tenet in IT security is having an owner identified for every asset, and having the owner responsible for least privilege and segregation of duties over the asset,” Goerlich says. “Lack of visibility results in a lack of ownership. This means, quite often, hybrid cloud environments have loosely defined access controls and often are without segregation of duties. Excessive permissions introduce risk, and unowned risk is unaddressed risk.”

Read the full article:

Hybrid cloud security: 8 key considerations
https://enterprisersproject.com/article/2017/7/hybrid-cloud-security-8-key-considerations

Viewing cached credentials and clearing cached credentials in Windows 10

Posted by

This article applies to Windows 10 Anniversary Update (Version 1607). For previous versions of Windows, please see the earlier article.

What are cached credentials?

Windows 10 caches and stores usernames and passwords for Active Directory domains, other computers, apps like Outlook, websites, and FTP sites. This makes it easier to authenticate as you don’t have to type in the username and password every single time. But it does pose a risk of those credentials getting misused.

Where are Windows 10 credentials stored?

Active Directory credentials. Domain credentials (usernames and passwords are stored on the local computer’s registry as salted hashes. This is under HKEY_LOCAL_MACHINE\Security\Cache, found in the %systemroot%\System32\config\SECURITY file.

Generic credentials. You can view Website and Windows credentials by launching the Credential Manager (credwiz.exe).

Internet credentials. You can view Internet usernames and passwords in the Internet Control Panel (inetcpl.cpl). Run inetcpl.cpl, go to Content, scroll to Autocomplete, click Settings, and click on Manage Passwords.

When do Windows 10 cached domain credentials expire?

Unfortunately, Windows domain credentials don’t expire in the cache. Within Active Directory, expiration is set on the user object. But if the credential is still valid in Active Directory, the cached copy will still work.

It is possible to control how many credentials are cached using the group policy: Interactive logon: Number of previous logons to cache (in case domain controller is not available)


Designing CyberSecurity | Weekly Blog Series

Designing and architecting security? Join our weekly conversation on what hackers can learn from artists and designers.


How to reset Windows 10 credentials? How to remove Windows 10 credentials?

Active Directory credentials. Open the registry to HKEY_LOCAL_MACHINE\Security\Cache, grant your user account read/write access. Close and reopen the registry to have the access control take effect. Zeroing out the NL$x binary value will clear the cached credential.

Generic credentials. Open the Credential Manager (credwiz.exe to view Website and Windows credentials. Select and remove the passwords you wish to clear.

Internet credentials. Open the Internet Control Panel (inetcpl.cpl), go to Content, scroll to Autocomplete, click Settings, and click on Manage Passwords. Select and remove the passwords you wish to clear.

Outlook email. To view and clear Outlook passwords on Windows 10, first use the Credential Manager instructions above. Then, download the SaveCredentials.exe tool and follow the directions here.

Windows Live Essentials. To view and clear Windows Live Essentials passwords on Windows, first use the Credential Manager instructions above. Find the SSO_POP_Device. This credential provides Single Sign-On (SSO) access for the Post Office Protocol (POP) when accessing a variety of Microsoft email platforms (@hotmail.com, @msn.com, @outlook.com, etc).

Why bother clearing Windows 10 credentials?

The main reason people follow this article is to troubleshoot cached Windows credentials, Active Directory credentials, domain issues, or problems with apps like Internet Explorer and Outlook. Removing the passwords from Windows allows it to reset and fix authentication issues.

The other reason? Well, security. A common tactic from penetration testers to red teamers to criminals is to gain access to cached credentials. From there, they may be replayed to connect to IT systems, or cracked and reused as part of a larger attack. To prevent this, minimize the data stored on your computer and minimize the likelihood of it being stolen or copied.

Securing Food Production

Posted by

As a rule, I like to work out an idea over year. Explore this aspect. Explore this other aspect. Have discussions with folks in the know and folks who are learning, and come up with yet another take. And I do this, year after year, getting a firmer grasp on the theory and strategy behind a particular security problem.

This year? It’s been the operational technology behind food production. I’ve explored this three ways:

Food Fight. The first few Food Fights were interactive question-and-answer sessions at BSides events. These described the problems we see in the food production industry, and explore how to assess them technically. I gave these sessions at BSides Indianapolis, BSides Chicago, BSides Cleveland, and BSides Detroit. Then, at CircleCityCon, I gave Food Fight on the main stage. To get a sense of this talk, watch BSides Cleveland’s recording.

Food for Thought. While Food Fight is more technical, Food for Thought is more governance. The talk explores operational technology from the perspective of risk management. It’s describes shining a light on the OT risks and integrating the findings into an overall security program. I gave Food for Thought at the Central Ohio InfoSec Summit and the North American International Cyber Summit.

Guarding Dinner, or, Lunch. There’s technical vulnerabilities. There’s cyber security risks. So, now what? The Guarding talk covers several steps organizations can follow the prevent attacks on industrial controls, such as those found in food production. I use a threat model as the foundation and walk through the defense. I gave this talk at MCRCon and as the lunch talk at GrrCon. Watch the GrrCon Lunch talk here.

I’m retiring the series of talks. It was a good way to have conversations around industrial control systems. And we’ve used the lessons learned, both in the original case study and in creating these slide decks, with several manufacturing clients. With that up and running and the knowledge out there, I’m moving onto my next area of interest.

Sneak peek: it’s strategically using encryption, building on past work with threat modeling and business analysis. Stay tuned.

Tower Defense

Posted by

This was originally posed on The Analogies Project and co-written by Claus Houmann. Please visit The Analogies Project for more IT security analogies and ideas. 

Enterprise defense today is hard. Anyone reading the news regularly will have noticed a never-ending stream of attacks, breaches, and data lost to cyber criminals that either attack for financial gain or to cause a company harm.

The companies taking this threat seriously appoint someone to coordinate enterprise defense, and that someone usually receives a job title resembling Chief Information Security Officer, Information Security Director, or Manager. These very people then work to maximize the limited budgets companies have for security. And these very CISOs are also often the ones to take the blame when and if something happens. It is a tough position to be in, and one that warrants a new approach.

One such approach is to consider the job of the CISO analogous to playing tower defense games.

What is a tower defense game? Well, first off we have a map and a mission of protection. The attacks come in a predictable path that can be planned for, similarly to threat modelling and threat intelligence. When attacks come, in waves or over time, we have to choose among a number of different defenses to counter/shoot down these attacks.

Defenses have attributes in common with cyber security. Each defense has a cost, so we’ll have to start with cost effective defenses. Each defense has a likelihood of success or failure, so we’ll have to stack defenses to ensure success. And as the attack progresses, some defenses are successful for some tactics and ineffective for others. Careful planning, then, is needed to create an effective deployment of defenses along the path the attacks take.

As an example, suppose we start with the most cost-effective defense such as a laser tower. The laser tower will shoot down attackers, and as more and more attackers come, we’ll deploy more laser towers in strategic locations on the map. This resembles the CISO building an enterprise defense. However, the attackers will then evolve and start using flying attacks which your ground-facing laser tower cannot counter, at which point you’ll have to add to your laser towers or replace with anti-aircraft missile batteries. This is the CISO deploying new processes, people and tools to counter new attack vectors that were getting through in unacceptable numbers. And so it goes, with each round escalating the attacks and defenses.

In the tower defense game, you actually earn money by beating the earlier stage attacks, potentially giving you enough budget to build new defenses for the later stage attacks. For the CISO, this is analogous to using past successes and proper planning to build the business case for investing in the security program. The messaging becomes one of sustainably developing controls along established attack paths, understanding that programs must be maintained and developed to keep pace with crime.

In sum, let’s make real life a bit more like tower defense games. Let’s understand the path the criminals take, understand that no one defense is completely effective, and that no defensive strategy survives beyond a couple of rounds. We promise not to build an expense-in-depth defense (thanks again, again for this phrase, Rick Holland). Instead, playing tower defense is a way to build a capacity for defense proactively – and justify the security budget.

Channel 9: An Interview with Wolf Goerlich

Posted by

Join Technical Evangelist, Annie Bubinski, for an interview with Wolf Goerlich (@jwgoerlich), who presented this year at CodeMash 2016 about Security Culture in Development.

CodeMash has educated developers on current practices, methodologies, and technology trends in a variety of platforms and development languages for 10 years in a row. In honor of the 10th anniversary of CodeMash and the launch of Windows 10, Microsoft Academy College Hires teamed up to record interviews with 10 different CodeMash Speakers.

https://channel9.msdn.com/Blogs/raw-tech/Security-Culture-in-Development-An-Interview-with-Wolf-Goerlich

 

Why You Should Work in Information Security

Posted by

Rasmussen College reached out for advice on why information security is a great field to be in. My response is below. Click through to read more thoughts.

 

Expert Advice on Why You Should Work in Information Security … NOW
http://www.rasmussen.edu/degrees/technology/blog/expert-advice-why-work-in-information-security/

 

1. Working in information security is exciting, challenging and never-ending

“Information security is new unexplored territory … and this creates exciting and challenging work,” says J. Wolfgang Goerlich, vice president of consulting at VioPoint.

Information security professionals work on teams to develop tactics that will help find and solve unauthorized access as well as potential data breaches. A crucial part of the job in information security is keeping companies from having to deal with unwanted exposure.

The best information security teams, Goerlich says, are those that provide “consistent mentoring and cross-training.” He says professionals in this field must be constantly learning and sharing what they know.

“As the technology is shifting and the attacks are morphing, the career effectively is one of life-long learning,” Goerlich says.

IT Maturity: The First Ten Steps to a Secure Future

Posted by

Today’s security leaders drive change across business strategy, technology, compliance and legal, and operations. Yet even as the scope has widened, the fundamental questions remain the same: Where are we today? Where are our benchmarks and targets? How can we best close the gap?

A risk-based maturity approach is often being employed to answer these questions. Such a model, when fully considered, is comprised of the following three components:

  • Controls Framework – this could be a top-level framework such as ISO 27001-27002 and NIST 800-53, industry frameworks such has NERC CIP and PCI DSS, or third-party frameworks such as the CIS Critical Security Controls
  • Maturity Framework – the most common is the Capability Maturity Model Integration (CMMI), however, various standards have specific maturity frameworks and some organizations have developed internal maturity models
  • Cultural Framework – the most common is the Security Culture Framework

All three frameworks yield the deepest insights into the current state and provide the clearest answers into potential improvements. That said, an assessment can be performed using simply the controls framework to get a quick read. It is up the organization to determine the level of effort to invest in the assessment. For the rest of this article, we will assume that all three frameworks are in play.

In a risk-based maturity approach, having determined the frameworks, the security leader and his team then complete the following ten-step process:

  1. Assess the security program’s controls and compliance to the control framework
  2. For each implemented control, assess the current people, processes, and technologies
  3. Perform both process validation (is it functioning as designed) and technical validation (is the control sufficient) to ensure the control addresses the risk
  4. For each implemented and functioning control, assess the maturity and identify improvements
  5. Document implemented controls that is not addressing the risk, and missing controls
  6. Analyze the organization’s capabilities and constraints for these missing controls (see our previous article on Action-Oriented IT Risk Management)
  7. Develop a project plan for immediate, short-term, mid-term, and long-term improvements in the control
  8. Create a communications plan and project metrics to ensure that these improvements change the culture as well as changing the security posture, using a cultural framework
  9. Execute the plan
  10. Re-assess the controls, maturity, and culture on a regular basis to adjust the plan

The above ten-step process establishes, maintains, and improves the quality of risk management program and overall security posture. It baselines the current program and provides a roadmap for making process and technical improvements. Each improvement is tracked technically (does it work), procedurally (is it sustainable), and culturally (is it implicitly performed). Culture is key, turning the IT risk program into a set of behaviors adopted by the entire organization. When everyone does their part to protect the organization, without the need for excessive oversight and intervention, the security leader moves from day-to-day supervision and toward strategy and value.

Controls, maturity, culture: three levers for advancing the security program and elevating the leader’s role.

Cross-posetd at http://content.cbihome.com/blog/it_maturity

Moving Tokens to the Point of Sale Can Slow Crooks

Posted by

Before Target, there was TJX, the major 2007 breach that impacted about 45 million credit cards. The crime and its prevention were basic, and provide a lesson for today’s retailers that are battling a new wave of data theft.

It is easy to forget, going on a decade later, how relatively simple the TJX crime actually was. TJX’s Wi-Fi was unprotected and the wireless network allowed access to the back-end IT systems that stored credit cards in the clear in centralized databases.

Several security improvements have been made since then, of course, but the most fundamental is shifting from using credit card information to tokens in those back-end databases. Using tokens as part of a process called format-preserving tokenization meant that criminals could not just walk out the front door with the database. PCI issued guidance on tokenization, many retailers adopted it, and for a while the security controls seemed to be working.

Until, of course, Target took TJX’s place as splashy retail breach. Approximately 40 million credit cards were stolen in November and December 2013. Target was using format preserving tokenization. So what happened?

Unable to get readable credit card numbers from Target’s database, the criminals went after the point of sale systems. Here, the credit cards were available in the clear. It was only after reading the card information that the token was generated and passed onto the retailers’ back-end systems. On the one hand, the impact on the consumers between TJX and Target was roughly the same. On the other hand, the cost to the attacker was much higher. Rather than gaining access to one database, they had to gain access into 1,700 stores and get data back out of these secured networks.

If we want to stop attacks such as the Target breach, tokenization needs to be moved up to the point of interaction. Emerging payment methods like Apple Pay and Google Wallet do just that. The tokenization occurs when the consumer enrolls in Apple Pay or Google Wallet. The token is passed via Near Field Communication (NFC) to the point of sale and the card information is never directly exposed within the retailers’ systems. We just raised the criminal’s level of difficulty from one database to a thousand stores to millions of phones.

That is not to suggest that systems like Apple Pay and Google Wallet are the stopping point. As ubiquity of NFC payments increases so will the efforts to steal from the consumers. Mass adoption is well underway, as demonstrated by the separate announcements late last year that McDonald’s and Subway are supporting NFC payments in over 40,000 locations. Not surprisingly, news has begun to surface about Apple Pay fraud, including attacks on the enrollment process and schemes to add wallets to stolen Apple devices.

Each action we take moves the criminals’ activities. The adoption of tokenization on back-end systems moved the criminals to the point of sale systems. The adoption of NFC moves the criminals to the consumer’s devices. New controls provide protection for a finite amount of time, but crime ultimately finds a way. Retailers who inspect the entire payment processing chain regularly, performing ethical hacking to find the cracks, are the retailers who avoid being the next splashy name in the news. Those that lag behind and only adopt the controls that fight the last breach remain criminals’ favorite marks.

Originally posted at: http://www.paymentssource.com/news/paythink/moving-tokens-to-the-point-of-sale-can-slow-crooks-3021519-1.html