With the January 3rd announcement of the side-channel MELTDOWN/SPECTRE vulnerabilities and resulting impact on billions of devices it seems IT Security is 35 points behind at the start of a 4th quarter and the other team knows we are throwing long on every play.  Clearly, the understanding that everyone associated with technology – from processor engineer to student worker racing to a workstation with a browser pop-up announcing the user has “won” an Amazon GiftCard – now knows they have a long-term role in IT Security.

We aren’t in the 4th quarter!

IT security takes a game plan.  In the frenzy of announcement, we sometimes lose sight of the greatest risks.  Let’s take MELTDOWN.  It is not in the wild.  It would take intrusive software on the device to exploit this vulnerability that security researchers discovered.  It has even been said it requires a statistical probability either over a long period of time or across many devices to have successful mapping memory from the vulnerability and then plant an exploit.   Guess what?  It is even harder when a user reboots 🙂 The NIST National Vulnerability Database rate these as a medium risk vulnerability with a low exploitability score.  Contrast that with ransomware that are high risk and have double the exploitability.

So what’s the game plan?  If I was the lone IT support with 300 end-user devices and a handful of servers I would expect to spend 30 hours a month on IT Security and compliance.  Some of this time each month is not just patching, scanning, fighting AV and packet-sniffing alerts but educating users THAT REMAINS THE GREATEST RISK, increasing security via automation, and  getting rid of legacy security “holes” (like too many local administrators and old OSes).  We’re not going to lose this game!  We are only at half-time and while a little behind we have a good game plan of USER EDUCATION, vulnerability management, patch management, more security automation, and our all-SEC running back.

So what to do about MELTDOWN/SPECTRE?  Intel has said if the OS is patched MELTDOWN does not really require firmware.   Of the two variants of SPECTRE, both INTEL and flip-flopping AMD have announced they still must complete a firmware that addresses one of the variants.  It will be weeks before that firmware is out.  Chrome is about to release a browser version that purposely slows down direct cache processing to close the timing hole that can be exploited via the Chrome browser.   Part of risk management is knowing your high value targets and that means the first thing to patch are servers with lots of credentials in memory and in February when there is a long-field-tested stable firmware test the firmware on one low-impact system and then apply the firmware to high-value targets.

There is a lot of information on these exploits but one of the best reference is Intel itself.   At the below link INTEL provides both what they and other vendors from Acer as an OEM to Microsoft to Ubuntu are doing.  Now let’s go out there on the field and take the lead!

Intel Side-Channel Updates

 

Email is a hacker’s best friend!

Some of us probably use up to a handful of different mail clients on different platforms at home, at work, and in our mobile lives.  Counting different product versions still in use, there are almost 100 potential mainstream mail clients that might be used.  That is why it is not surprising that a security researcher recently found over 30 mail clients that had a vulnerability he dubbed Mailsploit.  The researcher used the extension of the ASCII coding scheme that the email wrapper can utilize to instead spoof header info, circumvent anti-spoofing software, and introduce code injection into certain lesser-known mail clients.

This is why it is extremely important if users have a mail client of personal preference due to features or taste, they recognize they have the possibility of being spoofed.  If they choose to use a value-added mail client/app they should be aware that they are accepting risk.  Outlook, Outlook Web Access, Gmail do not have the Mailsploit vulnerability risk, but the Mailsploit client list shared by the researcher also points out what clients/apps can be exploited.  Some of these are very mainstream clients on millions of devices.  Most of us think very little about their mail client on a daily basis, as an example many Outlook users believe they can easily recall messages via the Recall function.  They have no concept of both the Exchange Store dependency or the fact the recipients have to be using Outlook too on the function for a successful recall of an email; thus many recalled messages thought to be recalled are never really recalled.   How could a user be expected to understand what happens when an email header is unwrapped?

Not only is email is a hacker’s best friend but at phishing time email is a very loyal companion!

Phishing has overtaken brute force as the preferred method to get credentials.  The sophistication of some phishing attacks’ impersonation of legitimacy is quite astonishing.  As most updated browsers now alert users to sites that are “Not secure” – in other words sites that do not use https – the Phishers have been moving their attack servers to SSL_certificated servers.   PhishLabs reports a quarter of all attacks now link to a site that is https with a valid certificate and will appear in the browser icon as secure (green lock “Secure” in Chrome).   What compounds the problems is the phishers also make sure the certificated site’s URL appears legitimate at a glance:

  https://facebook.com.fb.net

As a point of education, go to PhishTank and — if you have an hour — page through all the reported phishing sites  detected in a single hour.   It may take you an hour to do an hour of phishing sites reported– it is staggering.   Take time to click a few that seem of interest by their name that will give you a safe framed look and you can safely see how legitimate the phishers’ credential capture entry screens appear.   Many security firms have pointed out training on phishing is most effective when users are sent emails that measure whether the targeted users click a link in an internal potential phishing link.  An IT-prepared unanticipated pseudo-phish email to judge users needing training on phishing is worth a dozen abstract warnings.  When it comes to changing phishing behavior, training that help users learn by doing has been measured as far more effective than just getting a “be aware …” email.

20th century folks use to worry about their snail mail being stolen and getting a paycheck or compromising their accounts, in the 21st century the worry is you might click the email link that compromises your life!

So as we get those New Year’s emails from old acquaintances – hopefully not forgotten – or what looks like a Facebook email reminder on a holiday party photo you are tagged in we really need to know what we’re clicking on.  Or better yet your Security Team hopes you enjoy the holidays with as little work clicking as absolutely necessary!

In the last seven days seeing another 200 patches from Google, Mozilla, Adobe, and Microsoft caused a gasp!

Lone SysAdmins have a tough job.  They have always had among their responsibilities: hardware, software, user profiles, networking, failover, backup, disaster recovery, and very often web services.  However, in the last decade SysAdmins have seen increased duties in virtualization, security monitoring, compliance, and containing the constantly growing fungal spread of 600 million unique malwares.

A decade ago a SysAdmin might have occasionally spent time in some security prevention duties: firewall ports, AV, adware updates, web-filtering, and fighting spam.   In many cases some of these duties were done quite similarly between servers and end-user devices. A decade ago, the SysAdmin might have put up a Microsoft WSUS server and let it run itself mainly for OS updates.   One concern a decade ago was brute force attacks and the more advanced SysAdmin might have talked about and put in place intrusion detection.

That was a decade ago.  There are days brute force attacks look like the good old days!

Today, the SysAdmin has the additional duties of running a true patch management program that includes promptly looking for failures of patch application and applies across all software products, dealing with multiple browsers and their extensions on the same device, intrusion prevention knowing that only detecting an intrusion makes for a bad week, dealing with unexpected configuration vulnerabilities that a vulnerability scanner – either active or passive – detects, responding to different tool security alerts, APT monitoring, active threat capture, advanced malware detection software in case of an infiltration … and … and … and ….

System management now includes more formalized change management, patch management, vulnerability management, alert management, threat management, and compliance management.  Among the challenges this brings (besides being spread as thin as a dragonfly’s wings) are new tools “crying wolf” far too often on normal operations, alert fatigue and the potential it brings to miss a critical alert,  and finally working less and less with the technology that provides a solution to the users.  How does a SysAdmin do it who is dizzy from spinning a chair around from monitor to monitor?

The ordinary struggle and to struggle_with_the_ordinary both take more than perseverance … it takes a plan.  A SysAdmin walking into the day unprepared might meet the definition of insanity .

So how does a SysAdmin approach it? Now add  “time management” and working on SysAdmin automation in addition to all those other SysAdmin-managements.   Seriously!

Let a dev/ops solution take on some of the insanity and with the rest that take “eyeball-time” schedule recurring appointments on the calendar.  “Sorry, I can’t meet with you right now, I have an appointment at 10a that must be completed by 11a.  I’ll look you up afterwards.”  Scheduled duties are completed better than unscheduled ones.  Put on your schedule:

1) a recurring weekly time to advance your automation of some of the duties

2) a daily monitoring duties all at once into one daily recurring appointment with yourself:  was there a daily backup failure? why did the performance alert go off on GHOST-IN-THEMACHINE_12?  what’s the AV console say? Separate the nuisance alerts from the ones worthy of your time …

3) schedule separate recurring times to review those Sysadmin duties that really take diligence and patience and your mind.   You know the ones where you have to backtrack through a dozen alerted IPs to see if there really is an issue, a plan to virtualize more of your infrastructure, planning some major major OS upgrades you’ve been putting off.

Systematizing a SysAdmin might be the most unrealistic duty of all but it is key to the administrative and security requirements of the current times … and it might keep those dragonfly wings beating.

Happy Thanksgiving from your Security Team that is very thankful we get to work with you!

 

CYBERSECURITY AWARENESS MONTH

Happy National Cybersecurity Awareness Month!  October is the National Cybersecurity Awareness Month and is about the only cybersecurity treat we get in an arena of tricks.  The education push during October is a joint effort between Department of Homeland Security and all sorts of partners including US-CERT.  This is all part of the National Cybersecurity Alliance that Texas A&M Information Technology is a Champion organization to “… represent those dedicated to promoting a safer, more secure and more trusted Internet.”

This is a month to recognize the vital role cybersecurity and cybersecurity efforts play in all of our lives and also a time to educate and protect our own privacy more.  There are three actions you should consider:

1. The National Cybersecurity Alliance StaySafeOnline resource page might be is a good link to send to all your customers.
2. The National Cybersecurity alliance is also endorsing a 15-day Privacy Challenge starting October 15th that will give you a Privacy Nugget email each day.  Surprisingly, the Nuggets come from a company based in Edmonton, Canada that you have to give your name and email address to; however, the topics covered include both personal privacy tips and true information resource manager type tips.  To save you time here is the StaySafeOnline direct link 15-Day Privacy Challenge
3. The National Cybersecurity Alliance also has built a great ManageYourPrivacy reference page to educate how to check your privacy settings in eCommerce sites, email, location services, browsers, and much much more including your FitBit and Xbox!

Hover over those links to make sure they are secure and really taking you where you hoped to go.

REMINDER: TAMU also has the half-day Dev/Ops Security Mashup event on Thursday, October 26. See the full agenda and RSVP for lunch at https://goweb.tamu.edu/devops-security-mashup/.

BACKUPS

In the ransomware age backups are a key part of cybersecurity protections!  Just ask anyone who finally paid the ransom because they could not find a recent or decent backup! As an example, many times information managers set up backups with a periodic full every two weeks and then a daily incremental.  However, they never test the restore and forgot to consider the more file modifications you have the longer it takes to index and restore.  Most that have done restorations know backup time has very little to do with restoration time.   This is why it is important you test your backups applying the entire cycle of incrementals to a full backup, make an entry in your backup log of testing, and adjust as appropriate.

It is also extremely important that you check those daily incrementals daily.  Certainly, no one wants to find out an incremental failed on day 5 of a 14-day backup cycle during a restoration.

REMINDER:  For anyone that has rebuilt RAID-5 the same unexpected elongation of time occurs with a backup as well.  It isn’t easy to either spread data across multiple disks or deal with a backup that must mimic user file modification behavior.  Consider that in any timeline when building a Recovery Time Objective (RTO).

PATCH TUESDAY

Microsoft celebrated National Cybersecurity Awareness Month as well with only 28 Critical fixes and breaking WINDOWS 10 for some users.  You may want to test the WIN10 updates.  However, Adobe in the most merciful celebration ever … released NO — ZERO — NADA Flash Security updates.  (Once they realized Flash was sunsetting in 2020 they must have discovered they closed all the holes. 🙂 )

Microsoft Office has an IMPORTANT patch for a reported and exploited vulnerability in Word’s automation component, CVE-2017-11826 —  IMPORTANT is just plain wrong, open the exploit document and the bad actor has your privileges.

There is both a DNS advisory of interest and an advisory with more-than-likely low applicability on TPM.  Many do not use TPM firmware to generate keys after Windows 8 but reading the advisory and applicability to HP, Lenovo, and Fujitsu systems using TPM firmware by Infineon it is pretty frightening to think of fixing if this was deployed to hundreds or more systems where you had relied on TPM to generate keys for either AD Certificates or Bitlocker.  10.19.17 UPDATE:  Microsoft updated the Advisory to include affected Surface and ACER hardware.

Security recommends applying all Critical and Important updates and the Advisory link is below:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012

Thank you for all your security efforts!

In the last three months the three most-reported international security incidents have been always attached to a lack of security patching.  Equifax is claiming an unpatched Apache Struts security vulnerability aided hackers.  The Equifax incident site states, “The attack vector used in this incident occurred through  a Vulnerability in Apache Struts (CVE-2017-5638) …,” while others are pointing to a variety of other Equifax security weaknesses including use of admin:admin on web facing systems and also storing framework keys in a web facing system. Let’s only concentrate on security patching. 

This week and by next Tuesday over 200 security patches will be released by Microsoft, Apple, Adobe, VMWare, and Ubuntu. The first three have cross-pollinating products with patches released this week (Office for Mac, iTunes for Windows, Reader for everything), then there are those omni-platform Google Chrome surreptitious ones.  The steps even with a patch management product require constant oversight and monitoring.  When have you last worked your OU’s WSUS Update Status Summary report?  The first week of a month before “Patch Tuesday” is a good time to review for devices that are detected as needing many missing old patches.  Patching is a process and not a prayer. Use Microsoft Baseline Software Analyzer on devices that have consistent issues and it might tell you clearly what is missing.  The SANS organization has said they never do a customer consulting review and not find missing critical Microsoft patches.  Never!

Following a schedule of patching work can aid small shops in their work each month like:

• First week – audit non-domain systems patch status
• Second and Third weeks – software vendor new monthly patching
• Fourth week -audit domain joined systems patch status
• Fifth week (that some months have) – catch your breath. 

For your third party patch management product the steps always should be DEPLOY, VALIDATE, REPORT, MONTHLY PATCH AUDIT.   Third party products normally  have good reporting summaries and if you can report by domain-joined and non-domain joined then all the better to segment validation during the month.  But the key is taking the reporting and prioritizing to resolve the critical missing third party software security updates first.

Two final items:

1. Ubuntu tcpdump vulnerability update can be found at  https://usn.ubuntu.com/usn/usn-3415-1/
2. Apache Struts developers who had released a security patch for the Equifax-cited CVE on March 7, 2017 published sound advice this week for any security patching approach:

Our general advice to businesses and individuals utilizing Apache Struts as well as any other open or closed source supporting library in their software products and services is as follows:

1. Understand which supporting frameworks and libraries are used in your software products and in which versions. Keep track of security announcements affecting this products and versions.

2. Establish a process to quickly roll out a security fix release of your software product once supporting frameworks or libraries needs to be updated for security reasons. Best is to think in terms of hours or a few days, not weeks or months. Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years.

3. Any complex software contains flaws. Don’t build your security policy on the assumption that supporting software products are flawless, especially in terms of security vulnerabilities.

4. Establish security layers. It is good software engineering practice to have individually secured layers behind a public-facing presentation layer such as the Apache Struts framework. A breach into the presentation layer should never empower access to significant or even all back-end information resources. 

5. Establish monitoring for unusual access patterns to your public Web resources. Nowadays there are a lot of open source and commercial products available to detect such patterns and give alerts. We recommend such monitoring as good operations practice for business critical Web-based services.

Once followed, these recommendations help to prevent breaches such as unfortunately experienced by Equifax.

For the Apache Struts Project Management Committee,

René Gielen
Vice President, Apache Struts 

Patch on AgriLife!