Keep Your Eyes on the Threat Horizon to Improve Incident Response

The ever-growing list of cybersecurity threats looks like something out of a 21st century version of “The Wizard of Oz” — but instead of lions and tigers and bears (oh my!), today’s security professionals must contend with Internet of Things (IoT) data leaks, fragmented cloud infrastructures due to regulations, augmented intelligence (AI)-powered malware and trusted professionals creating a new type of insider threat. This is just a small sample of the emerging threats looming in the shadows of cybersecurity.

Microsoft Office Tops the Exploit Charts

Key Takeaways

  • Recorded Future research shows that seven of the top 10 vulnerabilities exploited in 2017 targeted Microsoft products.
  • At least two of these, CVE-2017-0199 and CVE-2017-0189, were critical vulnerabilities — their exploitation allowed threat actors to arbitrarily execute code or access and change data.
  • Despite being aware of at least some of these vulnerabilities for many months, Microsoft did not immediately patch them, leaving users exposed. Patches were not released until after exploits targeting those vulnerabilities appeared for sale on the dark web.
  • The pattern and timeline of vulnerability recognition and response shows that proprietors like Microsoft do not always disclose information about existing cybersecurity threats, illustrating the usefulness of third-party threat intelligence in providing another measure of your organization’s vulnerabilities.

According to Recorded Future’s research, seven of the top 10 most exploited vulnerabilities in 2017 targeted Microsoft products. This represents a shift from past years, where vulnerabilities in Adobe products consistently topped the list. The more troubling news, however, was Microsoft’s slow response to these vulnerabilities. Despite being identified by both Microsoft and cybersecurity companies like McAfee, some of these vulnerabilities were not patched for many months, leaving users dangerously exposed to exploitation.

How to Use Security to Drive Sales

Making information security a priority within an organization isn’t easy. Security is usually seen as a specialized technical function within the organization and often isn’t aligned with organizational strategy or even day-to-day business tactics. Instead, information security teams are often siloed from the effects of their decisions and hyper-focused on detection, defense and mitigation. This is why companies’ security strategies often conflict with business operations. Does that new two-factor authentication system leave your sales team hanging out in the cold when they get locked out of your system in the middle of a demo? Too bad. The “S” in “IS” is for security, not sales.

CISO Chat – Rick Orloff, Chief Security Officer at Code42

Ever wondered what the role of a Chief Information Security Officer (CISO) encompasses? To put it simply, they are the guardians and protectors of everything information security related to a business. However, the tasks are far from simple, as their teams work around the clock to respond to incidents that directly affect the safety of the company and its data. As the issues in cyber have evolved, so too has the role of the CISO, which now also involves advising boardroom-level executives on the multitude of potential risks that threaten their business and being prepared for an eventual attack.

Biometric and App Logins Will Soon Be Pushed Across the Web

Soon, it will be much easier to log into more websites using a hardware key plugged into your laptop, a dedicated app, or even the fingerprint scanner on your phone. On Tuesday, a spread of organizations and businesses, including top browser vendors such as Microsoft and Google, announced a new standards milestone that will streamline the process for web developers to add extra login methods to their sites, potentially keeping consumers’ accounts and data more secure.

20 Critical Security Controls: Control 9 – Limitation and Control of Network Ports, Protocols, and Services

Today, I will be going over Control 9 from version 7 of the CIS top 20 Critical Security Controls – Limitation and Control of Network Ports, Protocols, and Services. I will go through the five requirements and offer my thoughts on what I’ve found.

Key Takeaways for Control 9

  • Reduce your attack surface. So much of control 9 is about limiting the external attack surface of a system. This is always the first step in securing an endpoint.
  • Duplication with other controls. Everything being done in control 9 is going to be accomplished by completing other controls elsewhere. I would probably leave this one for last as it’s the least impactful (due to duplication) out of any of the controls.

Requirement Listing for Control 9

1. Associate Active Ports, Services and Protocols to Asset Inventory

Description: Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Notes: Utilize the same technology, or at least the same asset database, which you are using in Control 2 (specifically 2.5). A more advanced integration would be to tie the ports and protocols to the applications and then associate the applications with a business unit if possible. This would also relate to control 11.2, which asks to associate traffic configuration rules on the network to a business unit.

2. Ensure Only Approved Ports, Protocols and Services Are Running

Description: Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.

Notes: Create the baseline of what is listening on the systems. Over time, you can comb through the results and make sure nothing is out of the ordinary. As you are going through that process, new ports should trigger an investigation if they are not expected. Using a vulnerability scanner such as IP360 or a tool like Tripwire Enterprise to list out ports will make this much easier on the security teams.

3. Perform Regular Automated Port Scans

Description: Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.

Notes: Performing these scans will feed the previous sections. For smaller environments, a simple NMAP scan could suffice. However, larger organizations will want to take advantage of more robust scanning tools, such as IP360, that can tackle thousands of endpoints in a shorter period of time.

4. Apply Host-based Firewalls or Port Filtering

Description: Apply host-based firewalls or port filtering tools on end systems with a default-deny rule that drops all traffic except those services and ports which are explicitly allowed.

Notes: Don’t fall for the trap that only applying a network-based firewall is going to protect you, as traffic on the same subnet can bypass network firewall configurations. When implementing, don’t forget that limiting outbound traffic is just as important as restricting inbound communications.

5. Implement Application Firewalls

Description: Place application firewalls in front of any critical service to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.

Notes: Any firewall or IDS/IPS that can understand the application layer traffic is going to be more effective than just blocking ports and protocols. I would expect to see this requirement dropped in favor of combining it with requirement 18.10 (Deploy Web Application Firewalls). However, a four-requirement control would be a little light, so maybe we need to move the remaining controls elsewhere as well in favor of a more impactful control?
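Requirements 1 through 3 describe one loop: keep an approved-ports baseline tied to the asset inventory, scan regularly, and alert on anything that is listening but not approved. The script below is an added example (not from the original post, Tripwire, IP360 or the CIS documents) that closes that loop over nmap's grepable (`-oG`) output. The scan lines, host names, IP addresses and the baseline dictionary are all constructed sample data; the "business need" strings stand in for whatever justification field your asset database carries.

```python
import re
from collections import defaultdict

# Constructed sample of nmap -oG output for three hosts (no real network was scanned).
SCAN_OUTPUT = """\
# Nmap scan (constructed sample)
Host: 10.0.0.5 (web01.example.internal)\tStatus: Up
Host: 10.0.0.5 (web01.example.internal)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
Host: 10.0.0.6 (db01.example.internal)\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///\tIgnored State: filtered (998)
Host: 10.0.0.9 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (999)
# Nmap done
"""

# Constructed baseline keyed by inventoried asset (the Control 2 link in requirement 9.1).
# Each approved (port, proto) carries its validated business need (requirement 9.2).
BASELINE = {
    "10.0.0.5": {(22, "tcp"): "admin ssh via bastion", (443, "tcp"): "public web"},
    "10.0.0.6": {(22, "tcp"): "admin ssh via bastion", (5432, "tcp"): "app tier db"},
}

# Matches one open-port entry such as "22/open/tcp//ssh///" in the Ports: field.
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)/")


def parse_grepable(text):
    """Return {host_ip: set of (port, proto)} for every open port in nmap -oG output."""
    open_ports = defaultdict(set)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comment lines and blank lines
        fields = line.split("\t")
        ip = fields[0].split()[1]         # "Host: 10.0.0.5 (name)" -> "10.0.0.5"
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for port, proto in PORT_RE.findall(field):
                    open_ports[ip].add((int(port), proto))
    return dict(open_ports)


def find_unauthorized(open_ports, baseline):
    """Compare observed open ports with the baseline (requirement 9.3's alert condition).

    Returns sorted (host, port, proto, reason) tuples. A host that is listening but absent
    from the inventory is reported in full, since every port on it is unapproved by definition.
    """
    findings = []
    for host, ports in sorted(open_ports.items()):
        approved = baseline.get(host)
        if approved is None:
            for port, proto in sorted(ports):
                findings.append((host, port, proto, "host not in asset inventory"))
            continue
        for port, proto in sorted(ports - set(approved)):
            findings.append((host, port, proto, "port not in approved baseline"))
    return findings


def missing_expected(open_ports, baseline):
    """Approved services that the scan did not see.

    Not a Control 9 violation, but baseline drift worth a ticket: either the service is down
    or a filter between scanner and host is hiding it, which also hides the unauthorized ports.
    """
    missing = []
    for host, approved in sorted(baseline.items()):
        observed = open_ports.get(host, set())
        for (port, proto), need in sorted(approved.items()):
            if (port, proto) not in observed:
                missing.append((host, port, proto, need))
    return missing


if __name__ == "__main__":
    observed = parse_grepable(SCAN_OUTPUT)
    for host, port, proto, reason in find_unauthorized(observed, BASELINE):
        print(f"ALERT {host} {port}/{proto}: {reason}")
    for host, port, proto, need in missing_expected(observed, BASELINE):
        print(f"DRIFT {host} {port}/{proto} not observed (approved for: {need})")
```

On the sample data this raises two alerts: 8080/tcp on web01, which is inventoried but has no approved need for that port, and 3389/tcp on 10.0.0.9, which is not in the inventory at all. Feeding the same function each scheduled scan, with the baseline updated only through the asset database, is what turns "new ports should trigger an investigation" into an automated check rather than a periodic eyeball of scan output.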
See how simple and effective security controls can create a framework that helps you protect your organization and data from known cyber attack vectors by downloading this guide here.

Read more about the 20 Critical Security Controls here:

  • Control 20 – Penetration Tests and Red Team Exercises
  • Control 19 – Incident Response and Management
  • Control 18 – Application Software Security
  • Control 17 – Implement a Security Awareness and Training Program
  • Control 16 – Account Monitoring and Control
  • Control 15 – Wireless Access Control
  • Control 14 – Controlled Access Based on the Need to Know
  • Control 13 – Data Protection
  • Control 12 – Boundary Defense
  • Control 11 – Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
  • Control 10 – Data Recovery Capabilities
  • Control 9 – Limitation and Control of Network Ports, Protocols, and Services