
Legacy Systems: The (Often) Necessary Evil

15 Jun

Many IT environments include one or more systems that are really far behind the times. You might be surprised one hasn’t died of natural causes yet. You know the one I’m talking about: tucked deep in the back of a closet, with both the file system and the original installer now gathering cobwebs. We at OST generally see the most legacy systems in healthcare networks, but they can be anywhere.

From a security standpoint, these hosts are a nightmare. They often run an unsupported operating system (already a big red mark), are generally not well patched, and may be running easily exploitable applications. A thorn in the network administrator’s side, they consistently show up in IT security assessment results as high risk and requiring attention.

If you don’t work in IT, you might be wondering why anyone would allow such an obvious security hole to exist in an environment. The answer is quite simple. Most administrators and IT managers are aware of these systems, but their hands are tied – usually for one of two reasons:

  1. It’s a vendor-managed host (for example, the workstation that drives a piece of radiology equipment) and the vendor refuses to upgrade or patch it, for a variety of reasons.
  2. It’s an internally managed host, but it runs a mission-critical application or service that only works on an unsupported OS.

You can see how environments that rely heavily on third-party equipment and applications can easily find themselves unable to secure hardware that sits on their own network.

This can lead to serious problems if the organization ever finds itself on the receiving end of a malicious attack. Because of the flaws noted above, legacy systems are easily compromised and then leveraged as a foothold for the rest of the attack. Depending on where the system sits in the environment and what data it holds, this can mean the loss of sensitive data (Social Security numbers, medical records, or other personally identifiable information) or a full compromise of the organization’s domain.

To help illustrate, consider this analogy: if you lived in a bad neighborhood, you’d most certainly want all of your doors locked as often as possible. Well, for starters – the Internet is most definitely a bad neighborhood, and having insecure legacy systems in your environment would be akin to leaving a side window not only unlocked, but also open. Did we mention that your in-laws own the window, and have lodged it open so that it will not shut? Yeah, it’s a lot like that!

How should this predicament be approached? Here are our suggestions on how to mitigate the risk of having insecure legacy systems in a computing environment.

  1. Re-assess if you actually need the system. Is it truly critical to your operations? Sometimes the simplest solution to a security problem is to just power off and retire the offending host. If one person uses it once per quarter to run a single report, it’s probably not mission critical and the risk it poses is greater than the service it offers. If you re-assess and do find that you need it, keep reading.
  2. If it’s a vendor-managed host, reach out to the vendor directly and ask for a resolution. If you’re trying to meet compliance standards (e.g. GLBA, HIPAA), be sure to get the vendor’s official response in writing for your records.
  3. If it’s a dated application and your organization simply hasn’t ponied up the dough to purchase the new, secure version, build that into the budget now. If this is the situation you find yourself in, you’re gravely underestimating the cost of a data breach. Go ahead, Google the average cost of a data breach. We dare you.
  4. If you find yourself in the worst-case scenario, where the vendor will not budge, the application has no patched version and the system genuinely is mission critical, all is not lost. Here’s our recommended plan of attack:

Isolate, isolate, isolate.

Going back to the open window analogy: if you can’t shut it, the next logical step is to lock the room the window is in and move all the important stuff out of it. Make the system invisible to everyone on the network except those who need it. Put it on its own VLAN behind a default-deny access list, permit only the specific source hosts and ports that genuinely need it, and log what gets denied so you can see who is knocking. Harden the host with a local firewall and endpoint protection that includes IDS/IPS modules. Remove ALL unnecessary applications and services. Patch it as far as the vendor allows. Where it made sense, we have advised clients to literally unplug the computer from the network and require that it be accessed only physically.

Build a Plan for Moving Forward

Get the retirement of that system into your fiscal-year plan, if you can. If you can’t, make sure the Board of Directors is aware of the risk and formally chooses to accept it.

A comprehensive IT security assessment is the best way to find insecure legacy systems. As part of an assessment, a penetration test is generally conducted to establish how severe the security holes on these machines actually are.
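As an added illustration (not part of the original post, and not OST’s assessment tooling), here is how the discovery step of such an assessment can be scripted: a small Python script reads nmap’s XML output from an OS-detection scan and lists the hosts whose best OS guess is past its vendor’s end-of-support date, together with the ports they expose. The scan data below is a constructed sample in nmap’s XML format, not a real scan, and the end-of-life table is limited to three Windows releases whose dates are certain; extend it for the platforms in your own environment.

```python
"""Flag likely-legacy hosts in an nmap scan.

Added example for this post, not OST's assessment tooling. It assumes the
assessor ran something like `nmap -O -sV -oX scan.xml <scope>`; SAMPLE_XML
below is a constructed fragment in nmap's XML format, not a real scan.
"""
import ipaddress
import xml.etree.ElementTree as ET
from datetime import date

# Vendor end-of-extended-support dates. Only releases whose dates are certain
# are listed; extend this table for the platforms in your own environment.
END_OF_LIFE = {
    "Windows 2000": date(2010, 7, 13),
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
}

SAMPLE_XML = """<nmaprun>
  <host><status state="up"/>
    <address addr="10.20.30.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows XP SP2 or SP3" accuracy="98"/></os>
  </host>
  <host><status state="up"/>
    <address addr="10.20.30.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    </ports>
    <os><osmatch name="Linux 3.2 - 4.9" accuracy="95"/></os>
  </host>
  <host><status state="up"/>
    <address addr="10.20.30.31" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2003 SP1 or SP2" accuracy="93"/></os>
  </host>
</nmaprun>
"""


def _best_os(host):
    """Highest-accuracy OS guess nmap recorded for the host ('' if none)."""
    best, best_acc = "", -1
    for match in host.iter("osmatch"):
        acc = int(match.get("accuracy", "0"))
        if acc > best_acc:
            best, best_acc = match.get("name", ""), acc
    return best


def _open_ports(host):
    """Sorted list of ports nmap saw open on the host."""
    ports = []
    for port in host.iter("port"):
        state = port.find("state")
        if state is not None and state.get("state") == "open":
            ports.append(int(port.get("portid")))
    return sorted(ports)


def find_legacy_hosts(xml_text, today=None):
    """Return hosts whose fingerprinted OS is past end of support as of `today`
    (an ISO date string; defaults to the current date)."""
    as_of = date.fromisoformat(today) if today else date.today()
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        os_name = _best_os(host)
        for product, eol in END_OF_LIFE.items():
            if product in os_name and eol <= as_of:
                findings.append({
                    "addr": addr.get("addr"),
                    "os": os_name,
                    "eol": eol.isoformat(),
                    "days_unsupported": (as_of - eol).days,
                    "open_ports": _open_ports(host),
                })
                break
    return sorted(findings, key=lambda f: ipaddress.ip_address(f["addr"]))


if __name__ == "__main__":
    for finding in find_legacy_hosts(SAMPLE_XML, "2016-01-01"):
        print(f"{finding['addr']:15} {finding['os']!r} unsupported for "
              f"{finding['days_unsupported']} days, open ports {finding['open_ports']}")
```

The date is passed in explicitly so the same scan can be re-evaluated later: the Windows Server 2003 host in the sample is merely old in June 2015 and becomes unsupported a month later without a rescan. The open-port list is what you need in hand when writing the access list for the isolated VLAN.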

The OST Security Practice has conducted over 1,000 security assessments for clients in a wide variety of industries and is exceedingly proficient at identifying vulnerabilities on legacy systems and helping organizations mitigate the risks they pose.

For more information on IT security assessment services, please contact dkilpatrick@ostusa.com.

—–

W. Scott Montgomery

W. Scott Montgomery joined OST in the spring of 2009 as the Manager of the OST Security Practice. Scott joined OST with over 30 years of IT and IT Security related experience. Scott has personally performed more than 1,000 Security Assessments for several hundred organizations. Using a proprietary and unique assessment approach, developed by Scott and used since 1998, the OST Security Team has the ability to gather, analyze and assess the security of any organization.

Regin Malware: What it Means and How It Affects You

7 Jan

Earlier this week, Symantec researchers released a report concerning a newly discovered piece of malware that has been in use since at least 2008. Normally, reports like this don’t make front-page news. But this is no ordinary piece of malware.

With only around 100 infections seen worldwide so far, Regin (pronounced “region”) was built for one purpose: systematic international espionage. The sophistication and technical competence required to build malware of this tier, combined with where the infected targets are (largely Russia and Saudi Arabia), suggest that a Western government is likely responsible.

Regin can run numerous malicious payloads: capturing screenshots, recording keystrokes, silently monitoring web traffic, stealing passwords, and recovering deleted files, to name a few.

According to Kaspersky Lab, a “mind-blowing” attack was uncovered against an unnamed country in the Middle East. All the victims in that country communicated with one another, forming a web of cyber espionage that included the president’s office, a research center, an educational institution and a bank.

What does all this mean?

From a timeline perspective, this is another milestone for cyber warfare. Malware has rarely been used this way before. It is the product of nation-states’ steadily increasing interest in the capabilities of cyber attacks, and OST Security believes the trend will continue: attacks will grow in frequency, in complexity, and in the number of functions they carry.

Most users do not need to worry about being infected with Regin right now; targets appear to be few and chosen with specific intent. Regardless, most security vendors will be adding Regin to their detection databases, so keeping your antivirus up to date and following generally good security practices (applying updates, staying away from dangerous sites, and so on) should go a long way.

—-

Jeffery Serini, IT Security Consultant at OST

Jeffery Serini’s IT security obsession dates back to his teenage years, when he began pen-testing the family home computer. Serini is presently an IT Security Consultant at OST. After joining the Security Team in 2011 under W. Scott Montgomery, he has performed over 250 Security Assessments and consulted with a wide variety of clients, including those in the financial, manufacturing, healthcare, gaming sectors and more. Leveraging a unique approach, the OST Security Team is capable of providing a practical and relevant assessment designed to help administrators and executives alike understand their InfoSec posture.

The Rise of Spearphishing (Pt. 2)

18 Dec

Spearphishing: Protecting Yourself and Your Company

(Continued from Part 1: The Rise of Spearphishing)

The human element is often the easiest attack surface for malicious hackers. Networks can be hardened and secured, but that only goes so far if an organization neglects to train employees in the ways they personally can be manipulated during an attack. In the previous entry, we discussed the threat of spearphishing and its prevalence. In this entry, we discuss ways to minimize the risk. There are four key elements to protecting yourself and your company from spearphishing attacks:

Employee vigilance and email link inspection

Far and away, the most effective way to reduce the likelihood of a successful spearphishing attack is employee awareness training and education. A qualified third-party security firm should conduct the training. Alongside it, we recommend company-wide phishing tests that simulate a real attack and reveal which individuals need further training.

In a spearphishing attack, the victim is usually sent a link and encouraged to click it. Two critical habits reduce the risk here:

  1. If you are sent an email containing a link, mouse over the link. A small box should pop up showing the URL you would land on if you clicked. Say, for example, you receive an email from a friend asking if you’re attending a particular Facebook event, with a link to the event provided. When you place your cursor over the link, you see the destination URL is actually “http://face-book159.com/login.html”. That destination is likely a fraudulent copy of Facebook’s site where the attacker will steal your password. Do not click the link; forward the email to your IT administrator.
  2. Any time you receive an email from a well-known institution asking you to log in, never click links in the email, even if they appear legitimate (the destination URL looks right). Instead, type the address into your web browser’s address bar yourself. For example, if you receive an email from Amazon.com saying that a password reset is required, do not click any links in it; navigate to Amazon only by typing http://www.amazon.com in your address bar.
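The mouse-over check above can also be applied mechanically before a message reaches an inbox. The following Python script is an added example, not part of the original post and not an OST tool: it pulls every link out of an HTML message body, compares where the visible text claims the link goes with where the href actually goes, and flags hosts that merely resemble a well-known brand, such as the face-book159.com address from the example. The message body (SAMPLE_HTML) and the brand list (KNOWN_BRANDS) are constructed for the example, and the two-label approximation of a registrable domain is a deliberate simplification.

```python
"""Inspect the links in an HTML email before anyone clicks them.

Added example, not from the original post and not an OST tool. It scripts
the mouse-over check: for every <a href> it compares where the visible text
says the link goes with where the href actually goes, and flags hosts that
merely resemble a well-known brand. SAMPLE_HTML and KNOWN_BRANDS are
constructed for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains your users legitimately receive mail from (an assumed, short list).
KNOWN_BRANDS = ("amazon.com", "facebook.com", "paypal.com")

SAMPLE_HTML = """
<p>Hey, are you coming to the reunion on Saturday?</p>
<p><a href="http://face-book159.com/login.html">View the event on Facebook</a></p>
<p>Also, Amazon says your password must be reset:
<a href="http://amazon.com.account-verify.example/login">https://www.amazon.com/ap/signin</a></p>
<p>Photos from last year:
<a href="https://www.facebook.com/events/123456">facebook.com/events/123456</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.

    Fine for .com/.org style names; a production filter would use the
    public suffix list so that example.co.uk is not reduced to co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _host_in_text(text):
    """If the visible link text reads like a URL or hostname, return its host."""
    m = re.match(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:/|$)", text.strip().lower())
    return m.group(1) if m else ""


def inspect_links(html_text, brands=KNOWN_BRANDS):
    """Return the suspicious links in an HTML body with the reasons each was flagged."""
    collector = _AnchorCollector()
    collector.feed(html_text)
    findings = []
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        reasons = []
        shown = _host_in_text(text)
        if shown and registrable_domain(shown) != registrable_domain(host):
            reasons.append(f"text says {shown}, link goes to {host}")
        if registrable_domain(host) not in brands:
            # 'face-book159.com' -> 'facebookcom': hyphens and digits are the
            # usual tricks for making a lookalike host read as the brand.
            squashed = re.sub(r"[^a-z]", "", host)
            for brand in brands:
                if brand.split(".")[0] in squashed:
                    reasons.append(f"looks like {brand} but is not")
                    break
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in inspect_links(SAMPLE_HTML):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

The brand-substring test will also flag unrelated domains that happen to contain a brand name, so treat its output as a prompt for a human look rather than an automatic block; the text-versus-href mismatch, by contrast, is almost never innocent.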

These should be the first line of defense for you and your company against spearphishing attacks. Without the practices above in place, the rest of this article is not much help, so make sure your priorities are set correctly!

Limiting information available about you on the web

The spearphishing methodology requires that an attacker research the victim so that fraudulent communications appear to come from a trusted source. The first place an attacker will look is Google. If you Google your name, what comes up?

For most people, the answer is social media accounts, web forum memberships, and perhaps other sites that reflect your interests. This information can all be used to create a spearphishing attack that appears genuine. For example, if a Google search of your name shows your Twitter account, an attacker may research this account: see who you tweet to, what their names are, what your conversations are about.

Minimizing this threat is simple. Wherever you can, disable public display of your profile on these sites: require that requests be sent to you, keep your profiles out of search engines, and restrict all of your personal information and pictures.

Furthermore, if someone you don’t know sends you, say, a friend request on Facebook, don’t accept! Be conscious of what information about you is out there and who can see it.

Avoiding reuse of the same password

This is an extremely common problem. Many people use the same password for all of their online accounts: social media, banking, email, PayPal and everything in between. Well guess what … bad guys know that!

If you do fall victim to a spearphishing attack, the access you hand the attacker can be limited by using different passwords across services and accounts. In other words, don’t use the same password for everything! During a penetration test, when OST discovers a password, the first thing we do is try it in as many other places as we can. It almost always provides us further access.

Not to mention, there’s a big difference between losing control of your Facebook account and losing control of your bank account!

Proper patching, email/web filtering, and antivirus

The primary target in a spearphishing attack is a human, so spearphishing risk is reduced most effectively through the awareness, training, and habit change described above. A strong second line of defense can be added with technology: regular patching, active email and web filtering, and antivirus are also critical. Spearphishers may send infected files as part of the attack (for example, your “boss” sending you a PDF report on your performance). Though they will not catch everything, filters are designed to stop such messages from being delivered, and antivirus is designed to stop infected files from running.
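One concrete filtering check, as an added example that is not from the original post or any vendor product: a spearphisher’s “PDF report” is frequently an executable with a .pdf name, a double extension such as .pdf.scr, or a correct-looking Content-Type over the wrong bytes. The Python script below builds such a message in memory (the message, file names and file contents are constructed for the example), then parses it the way a mail filter would and judges each attachment by its leading bytes rather than its name. The magic-number and blocked-extension tables are a starting point, not a complete policy.

```python
"""Judge email attachments by content, not by file name.

Added example, not from the original post and not a vendor product. A
spearphisher's "PDF report" is often an executable with a .pdf name, a
double extension such as .pdf.scr, or the right Content-Type over the
wrong bytes. This script builds a sample message in memory (constructed
for the example) and then parses it the way a mail filter would.
"""
import email
from email import policy
from email.message import EmailMessage

# Leading bytes ("magic numbers") of the document types users expect to receive.
MAGIC = {
    "pdf": (b"%PDF-",),
    "docx": (b"PK\x03\x04",),   # Office Open XML files are zip containers
    "xlsx": (b"PK\x03\x04",),
    "zip": (b"PK\x03\x04",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}
EXECUTABLE_MAGIC = {b"MZ": "Windows PE executable", b"\x7fELF": "ELF executable"}
BLOCKED_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1", "hta", "jar"}

# Constructed stand-ins for a PE header and a minimal PDF; neither is a real file.
PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48
PDF_STUB = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"


def build_sample_message():
    """A 'boss sends you a PDF report' message: one real PDF and two fakes."""
    msg = EmailMessage()
    msg["From"] = "boss@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Your performance review"
    msg.set_content("Please read the attached report before our 1:1.")
    msg.add_attachment(PDF_STUB, maintype="application", subtype="pdf",
                       filename="review-2014.pdf")
    # An executable with a .pdf name and a PDF content type: every list view shows a PDF.
    msg.add_attachment(PE_STUB, maintype="application", subtype="pdf",
                       filename="review-2014-final.pdf")
    # The classic double extension; many mail clients hide the last one.
    msg.add_attachment(PE_STUB, maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.scr")
    return msg.as_bytes()


def check_attachments(raw_message):
    """Parse a raw RFC 5322 message and report each attachment with its red flags."""
    parsed = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in parsed.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        pieces = name.lower().split(".")
        ext = pieces[-1] if len(pieces) > 1 else ""
        reasons = []
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked extension .{ext}")
        if len(pieces) > 2 and pieces[-2] in MAGIC:
            reasons.append("double extension")
        for magic, kind in EXECUTABLE_MAGIC.items():
            if data.startswith(magic):
                reasons.append(f"content is a {kind}")
        if ext in MAGIC and not any(data.startswith(m) for m in MAGIC[ext]):
            reasons.append(f"content does not match .{ext}")
        findings.append({"filename": name,
                         "content_type": part.get_content_type(),
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in check_attachments(build_sample_message()):
        verdict = "; ".join(finding["reasons"]) or "ok"
        print(f"{finding['filename']:25} {finding['content_type']:25} {verdict}")
```

Note that the second attachment passes every name-based test: the extension is .pdf and the declared type is application/pdf. Only the leading bytes give it away, which is why a filter that trusts file names or Content-Type headers is not much of a second line of defense.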

Everyone knows that computers and networks need to be protected from hackers. Lack of awareness regarding the human element to IT security is the reason that spearphishing is as prevalent and successful as it is. While it is impossible to be perfectly safe, making use of the tips outlined above will dramatically reduce the risk of you or your organization falling victim to a spearphishing attack.

—–

Jeffery Serini, IT Security Consultant at OST

The Rise of Spearphishing

16 Dec
Google Data Center. Photo: Google/Connie Zhou

Google, the Pentagon, the White House, RSA, HBGary Federal, the New York Times.

That’s a list of organizations you’d expect to have top-notch IT security, right?

Perhaps they do. But malicious hackers have infiltrated all of these high-profile entities. Some breaches were perpetrated by organized, state-sponsored threat actors such as China’s APT1, a cyber espionage unit responsible for stealing hundreds of terabytes of data from numerous US organizations. Others, like that of HBGary Federal, were carried out by the loose, decentralized hacker collective Anonymous.

So, what common link exists between a government-sponsored cyber warfare unit and a scattered, international group of hacktivists? The answer is their preferred method of attack.

Enter: spearphishing.

Spearphishing is a subset of phishing, and phishing is by no means a new tactic. First seen in the mid-90s, phishing involves fraudulently portraying oneself as a trusted entity and communicating directly with a victim to obtain sensitive information. For example, an attacker may craft an email that appears to be from PayPal and send it to thousands of intended victims, requesting that they click a link to log in and reset their password. The link directs the victim to a PayPal look-alike site, where their password is recorded when they attempt to log in.

Spearphishing takes a more refined approach. In this scenario, the attacker has a particular victim in mind. The attacker may research this victim extensively, learning as much as possible about the victim’s personal life. Leveraging this information, the attacker performs a phish as described above, but personalizes the attack to enhance credibility and authenticity.

91% of targeted attacks begin with spearphishing, according to Trend Micro.

Despite this, we speculate that the majority of individuals in the United States haven’t even heard of spearphishing, much less how to defend themselves from it. With the prevalence of this attack method, we can no longer afford to remain ignorant.

Part two of this segment will outline ways to minimize risk – stay tuned!

—–

Jeffery Serini, IT Security Consultant at OST