The intelligence in this week’s iteration discusses the following threats: 419 Scams, Cobalt Gang, GhostMiner, Guccifer 2.0, Orbitz Breach and TeleRat. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.
Mozilla this morning launched a Firefox browser add-on for those users not willing to delete their Facebook account, but also wanting some control over how much of their data Facebook can access. The “Facebook Container,” as the new extension is called, isolates your Facebook identity from the rest of the web. That means Facebook will not be able to use your other web activity to send you targeted advertising.
Today, I will be going over Control 16 from version 7 of the CIS top 20 Critical Security Controls – Account Monitoring and Control. I will go through the thirteen requirements and offer my thoughts on what I’ve found.

Key Takeaways for Control 16

Don’t forget the logs. Enabling a lot of the later sections of this control will require gathering logging data from endpoints into a centralized location such as a SIEM. The security intelligence of the organization will be in your logs, so collect as much as you can without overburdening the tool and/or necessitating that analysts review the logs.

Missing password requirements. The guidance on passwords has been removed from Control 16. This is probably a good thing, since it was mostly duplicated by Control 4. If you’re looking for guidance on password requirements, look at any major hardening guide or security framework.

Block common attacks. Many common attacks that have been made public hit on a lot of the requirements in Control 16. While a zero-day attack gets all of the press at security conferences, attackers are after valid credentials to make their attacks stealthier. Controlling authentication mechanisms and valid accounts is a cornerstone of building a proper security architecture.

Requirement Listing for Control 16

1. Maintain an Inventory of Authentication Systems
Description: Maintain an inventory of each of the organization’s authentication systems, including those located onsite or at a remote service provider.
Notes: Relating back to the first two Controls, you cannot protect that which you are unaware of. Authentication systems are the crown jewels for an attacker going after valid credentials, so be aware of where these systems live in your environment.

2. Configure Centralized Point of Authentication
Description: Configure access for all accounts through as few centralized points of authentication as possible, including network, security and cloud systems.
Notes: There are dedicated tools to pull credentials out of centralized authentication systems. Limiting how many you have allows you to more easily defend them. These should also be hardened as much as possible using authoritative sources such as the CIS Hardening Guides or the DISA STIGs.

3. Require Multi-factor Authentication
Description: Require multi-factor authentication for all user accounts on all systems, whether managed onsite or by a third-party provider.
Notes: This is probably one of the more impactful requirements in the entire set of Controls. There are going to be varying levels of deploying MFA. Requiring it for any externally available service (VPN, web portals, etc.) will be a quick win rather than trying to scope the entire environment to MFA.

4. Encrypt or Hash all Authentication Credentials
Description: Encrypt or hash with a salt all authentication credentials when stored.
Notes: Attackers steal database passwords all the time. To make an attacker’s job harder, each password needs to be encrypted (see section 18.5) or hashed with an algorithm. Since it is trivial to use a high-powered system to crack passwords, each user account should have a unique salt for the hash as well.

5. Encrypt Transmittal of Username and Authentication Credentials
Description: Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Notes: Everything going across the network should be encrypted, especially credentials. Using a packet-capturing tool, system administrators can quickly identify whether credentials are being sent in the clear over the network.

6. Maintain an Inventory of Accounts
Description: Maintain an inventory of all accounts organized by authentication system.
Notes: Identity and access management is much harder to do than a single requirement in a set of controls suggests. As with the first two Controls, getting insight into which users you have in your environment will unlock the potential to secure them.

7. Establish Process for Revoking Access
Description: Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts instead of deleting accounts allows preservation of audit trails.
Notes: Creating a process is as simple as documenting what needs to happen in order to revoke access. The technical details on how to follow through can be leveraged from existing frameworks like NIST or other regulatory bodies.

8. Disable Any Unassociated Accounts
Description: Disable any account that cannot be associated with a business process or business owner.
Notes: The previous version of the Controls required that a list of accounts be reviewed periodically by business owners. While that is not called out in this version, it’s still great advice. Many guidelines already state that each account should have a named owner, such as a username. For the remaining accounts, generate a list and work towards associating them with a user, team, application, or business unit.

9. Disable Dormant Accounts
Description: Automatically disable dormant accounts after a set period of inactivity.
Notes: Unused accounts may not be monitored, so it’s best to remove them if they are not needed. Don’t forget that this also applies to third-party services such as Amazon Web Services.

10. Ensure All Accounts Have an Expiration Date
Description: Ensure that all accounts have an expiration date that is monitored and enforced.
Notes: Having an expiration date will make the previous requirement easier to manage. However, if a legitimate user is locked out because their account has expired, this may create additional overhead for the helpdesk team.

11. Lock Workstation Sessions After Inactivity
Description: Automatically lock workstation sessions after a standard period of inactivity.
Notes: To do this automatically, refer to whichever standards your organization is using. This is easily done with centrally managed group policies for Windows users. For another quick win, train users to lock their workstations when walking away as well. For Windows users, two keystrokes (Windows + L) is all it takes!

12. Monitor Attempts to Access Deactivated Accounts
Description: Monitor attempts to access deactivated accounts through audit logging.
Notes: This is facilitated by enabling and collecting audit logs on servers and endpoints. Your SIEM needs to be able to correlate login attempts to deactivated accounts, so an integration into your Active Directory or LDAP will be critical to making this easy for you.

13. Alert on Account Login Behavior Deviation
Description: Alert when users deviate from normal login behavior such as time-of-day, workstation location and duration.
Notes: As with the previous requirement, this is enabled by logging. Many SIEMs will have this logic built into their correlation engine. If not, simple rules or reports for time of day, location, and duration can be easily created and reported on at regular intervals.

See how simple and effective security controls can create a framework that helps you protect your organization and data from known cyber attack vectors by downloading this guide here.

Read more about the 20 Critical Security Controls here:
Control 20 – Penetration Tests and Red Team Exercises
Control 19 – Incident Response and Management
Control 18 – Application Software Security
Control 17 – Implement a Security Awareness and Training Program
Control 16 – Account Monitoring and Control
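Requirements 9, 12 and 13 all come down to the same thing: a SIEM rule or a scheduled report run over authentication logs. The script below is an added example (not from the article or from CIS) showing what that logic looks like when written out: it finds login attempts against disabled accounts, accounts with no successful login inside an idle window, and successful logins outside a user's baseline hours or from a workstation not in their baseline. The log lines, the account inventory, the disabled-account list and the per-user baselines are all constructed for the example; the normalized `user=... host=... result=...` format is an assumption, standing in for whatever your log pipeline emits (on Windows the raw signal for requirement 12 is the logon-failure audit event with an "account disabled" failure reason, which the integration with Active Directory mentioned above would resolve for you).

```python
"""Detection logic for CIS Control 16 requirements 9, 12 and 13 (added example)."""
from datetime import datetime, timedelta

# Constructed sample data: not from any real environment.
# Account inventory (requirement 6) and the accounts already disabled (requirement 7).
ACCOUNTS = {"alice", "bob", "svc_backup", "contractor01", "oldadmin"}
DISABLED = {"contractor01"}

# Per-user baseline for requirement 13: working hours as [start, end) and usual workstations.
# In practice this would be learned from historical logins, not hand-written.
BASELINE = {
    "alice": {"hours": (7, 19), "hosts": {"WS-ALICE"}},
    "bob": {"hours": (8, 18), "hosts": {"WS-BOB"}},
}

# Constructed, normalized authentication events (one per line).
LOG = """\
2024-03-18T08:02:11 user=alice host=WS-ALICE result=SUCCESS
2024-03-18T08:15:40 user=bob host=WS-BOB result=SUCCESS
2024-03-19T02:13:05 user=contractor01 host=WS-BOB result=FAIL reason=account_disabled
2024-03-19T02:14:10 user=contractor01 host=WS-BOB result=FAIL reason=account_disabled
2024-03-19T23:41:00 user=alice host=JUMP-01 result=SUCCESS
2023-11-01T09:00:00 user=svc_backup host=BACKUP-01 result=SUCCESS
"""
NOW = datetime(2024, 3, 21, 0, 0, 0)  # fixed "current time" so the example is deterministic


def parse_event(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a datetime timestamp."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["timestamp"] = datetime.fromisoformat(ts)
    return event


def load_events(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def disabled_account_attempts(events, disabled):
    """Requirement 12: count attempts per user against accounts known to be disabled.
    Both signals are used: the account inventory and the log's own failure reason,
    so an attempt is caught even if one of the two sources is stale."""
    counts = {}
    for e in events:
        if e["user"] in disabled or e.get("reason") == "account_disabled":
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return counts


def dormant_accounts(events, accounts, disabled, now, max_idle_days=90):
    """Requirement 9: enabled accounts with no successful login in the idle window.
    Accounts that have never logged in at all are reported too."""
    last_success = {}
    for e in events:
        if e["result"] == "SUCCESS":
            prev = last_success.get(e["user"], e["timestamp"])
            last_success[e["user"]] = max(prev, e["timestamp"])
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(a for a in accounts - disabled
                  if last_success.get(a, datetime.min) < cutoff)


def login_deviations(events, baseline):
    """Requirement 13: successful logins outside baseline hours or from an unknown host.
    Session duration would need matching logoff events, which this log format lacks."""
    findings = []
    for e in events:
        if e["result"] != "SUCCESS" or e["user"] not in baseline:
            continue
        b = baseline[e["user"]]
        start, end = b["hours"]
        reasons = []
        if not (start <= e["timestamp"].hour < end):
            reasons.append("outside_hours")
        if e["host"] not in b["hosts"]:
            reasons.append("unknown_host")
        if reasons:
            findings.append({"user": e["user"], "host": e["host"],
                             "timestamp": e["timestamp"].isoformat(), "reasons": reasons})
    return findings


EVENTS = load_events(LOG)

if __name__ == "__main__":
    print("disabled-account attempts:", disabled_account_attempts(EVENTS, DISABLED))
    print("dormant accounts:", dormant_accounts(EVENTS, ACCOUNTS, DISABLED, NOW))
    for f in login_deviations(EVENTS, BASELINE):
        print("deviation:", f)
```

On the sample data this flags two attempts against `contractor01`, reports `oldadmin` (never logged in) and `svc_backup` (idle for more than 90 days) as dormant, and raises one deviation for `alice` logging in at 23:41 from a jump host outside her baseline. The dormant-account check deliberately includes service accounts; those are the ones most often left behind, and they should be expired or disabled like any other account rather than excluded from the report.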
Last month it was Catalyst 9000 switches, and this month it’s routers. Yes, my project engineering staff have had a surprising number of inquiries regarding routers.
Meet the Huawei P20. It’s a pretty nice phone. I played around with it, and I can confirm that it is, indeed, a solid flagship with some suitably over-the-top features — what’s that you say? Three rear-facing cameras?! But all of this is kind of a moot point if you live here in the States.
It was a Davos for digital hucksters. One day last June, scammers from around the world gathered for a conference at a renovated 19th century train station in Berlin. All the most popular hustles were there: miracle diet pills, instant muscle builders, brain boosters, male enhancers. The “You Won an iPhone” companies had display booths, and the “Your Computer May Be Infected” folks sent salesmen. Russia was represented by the promoters of a black-mask face peel, and Canada made a showing with bot-infested dating sites.
Recent advances in artificial intelligence have led to speculation that AI might one day replace human radiologists. Researchers have developed deep learning neural networks that can identify pathologies in radiological images such as bone fractures and potentially cancerous lesions, in some cases more reliably than an average radiologist. But the great majority of radiologists will continue to have jobs in the decades to come — jobs that will be altered and enhanced by AI. Because of this, they will need to adopt new skills and work processes. The only radiologists whose jobs may be threatened are the ones who refuse to work with AI.
President Donald Trump’s newly appointed national security adviser has a history of denying that Russian hackers breached the Democratic National Committee in the run-up to the 2016 presidential election.
“Monetize your business with your users’ CPU power.” That’s the alluring promise to make a fortune overnight through crypto-mining, the practice of using computing power to generate cryptocurrency – digital money that can be converted back to hard cash at any crypto exchange.
A new Total Economic Impact (TEI) study conducted by Forrester Consulting and commissioned by AlienVault, a leading crowdsourced threat intelligence provider, examined the potential return on investment (ROI) for organisations that deployed the AlienVault Unified Security Management (USM) Platform and revealed excellent results for the product.
Can the Florida Panthers make a successful run at the final playoff spot in the Eastern Conference? That question may not be answered until the Panthers complete their final game April 8 on the road against the Boston Bruins.