Tag Archives: security blog

Wireless: 5 Tips for Keeping It Secure

22 Jun

Everyone knows that wireless networking (WiFi) is here to stay. A large number of companies, OST Security clients included, utilize WiFi as a way to provide employees network and Internet access when they’re using laptops or smartphones. Some organizations choose to offer the general public access to WiFi as well, usually as part of a commitment to customer convenience or experience.

From a security standpoint, most wireless implementations are a nightmare. While we’ve seen dramatic improvement over the past several years, wireless is still a weak point for many organizations. In this article, we’ll look at the key elements of ensuring that the WiFi networks at your place of work are configured for security:

Leverage a strong encryption/authentication method

This might seem obvious, but we still see the occasional WEP-encrypted network. For readers who aren’t in the know, there are different kinds of encryption methods that can be used to secure a wireless network. WEP (or Wired Equivalent Privacy) is a dated, easily defeated encryption method. Organizations should be using at least WPA/WPA2, ideally with added measures such as EAP (using a central authentication server) and MAC address filtering.

Segment from your production network

Every once in a while, OST Security will perform an assessment and see that a wireless network owned by the client is not segmented from their production domain. This means that a bad guy could sit in your parking lot, hop on your WiFi, and perform devastating attacks – just as though he were physically inside your building and plugged into a wall port. The risk here is obvious. Hosts on wireless networks should not be able to communicate with hosts on your wired, production network.

Separate Internet connection

Particularly if you have an open wireless network to give the public access to the Internet, it’s a good idea to have this network on a separate Internet connection entirely. This means that you’ll have to purchase another line from your ISP – but the tradeoff in risk reduction is worth it. Say, for example, that someone commits a computer crime while connected to your public wireless network. If you have a separate Internet connection in place for this public network – and a User Agreement in place that those accessing it must accept – you have built a good amount of legal protection for your organization.

Limit key distribution

For internal wireless networks (ones used by employees), it’s a good idea to limit the distribution of your access key. Ideally, only one or two individuals in the organization would know the key. When an employee wants access to the wireless network, that individual can enter the key for them. Most devices allow for the retention of a wireless key, so you wouldn’t need to have it re-entered all the time. Doing this would drastically decrease the likelihood of inappropriate access to the internal WiFi (i.e. by non-employees).

WIPS/WIDS

Wireless intrusion prevention systems and wireless intrusion detection systems are an excellent addition to a WiFi network already employing the best practices recommended above. WIPS/WIDS usually come in the form of a physical network device that monitors the wireless spectrum for malicious activity (for example, a fake access point trying to lure victims into connecting). WIPS implementations generally include not only the detection of this kind of activity, but also offer countermeasures to defeat attacks.
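As an added example (not OST’s tooling, nor code from the original post), here is the core check a WIDS sensor performs, in Python: every observed beacon is compared against an inventory of the organization’s own access points, and the fake-access-point lure described above is flagged, whether it copies the corporate SSID outright, uses a look-alike name, or is one of our own APs that has been downgraded to WEP or open. All SSIDs, MAC addresses and the scan itself are constructed sample values.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str      # access point MAC address, lowercase
    security: str   # "WPA2", "WPA", "WEP" or "OPEN"

# Constructed inventory of the organization's own access points (hypothetical values).
AUTHORIZED_APS = {
    "00:11:22:aa:bb:01": "OST-Corp",
    "00:11:22:aa:bb:02": "OST-Corp",
    "00:11:22:aa:bb:03": "OST-Guest",
}
REQUIRED_SECURITY = {"OST-Corp": "WPA2", "OST-Guest": "OPEN"}  # the public network is open by design
PROTECTED_SSIDS = set(AUTHORIZED_APS.values())

def normalize(ssid):
    """Collapse case, punctuation and a trailing guest/free/wifi label so that
    a lure named "ost_corp guest" compares equal to "OST-Corp"."""
    core = re.sub(r"[^a-z0-9]", "", ssid.lower())
    stripped = re.sub(r"(guest|free|wifi)+$", "", core)
    return stripped or core

NORMALIZED_PROTECTED = {normalize(s) for s in PROTECTED_SSIDS}

def classify(b):
    """Alert text for a suspicious beacon, or None for a benign one."""
    if b.bssid in AUTHORIZED_APS:
        expected = AUTHORIZED_APS[b.bssid]
        if b.ssid != expected:
            return f"authorized AP {b.bssid} broadcasting unexpected SSID {b.ssid!r}"
        if b.security != REQUIRED_SECURITY[expected]:
            return f"authorized AP {b.bssid} advertising {b.security}, expected {REQUIRED_SECURITY[expected]}"
        return None
    if b.ssid in PROTECTED_SSIDS:
        return f"rogue AP {b.bssid} impersonating {b.ssid!r}"
    if normalize(b.ssid) in NORMALIZED_PROTECTED:
        return f"rogue AP {b.bssid} using look-alike SSID {b.ssid!r}"
    return None  # a neighbour's network: not ours to act on

def scan_report(beacons):
    """Map BSSID -> alert for every beacon that needs attention."""
    alerts = {}
    for b in beacons:
        alert = classify(b)
        if alert:
            alerts[b.bssid] = alert
    return alerts

# Constructed scan, as a sensor would report it.
SAMPLE_SCAN = [
    Beacon("OST-Corp", "00:11:22:aa:bb:01", "WPA2"),
    Beacon("OST-Corp", "00:11:22:aa:bb:02", "WEP"),     # our AP, downgraded to WEP
    Beacon("OST-Guest", "00:11:22:aa:bb:03", "OPEN"),
    Beacon("OST-Corp", "de:ad:be:ef:00:01", "OPEN"),    # impersonating our SSID
    Beacon("ost_corp guest", "de:ad:be:ef:00:02", "OPEN"),
    Beacon("CoffeeShopWiFi", "c0:ff:ee:00:00:01", "WPA2"),
]
```

A commercial WIPS adds the countermeasures the post mentions on top of this detection step; the neighbour’s network is deliberately left alone because it is not the organization’s to police.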

WiFi networks are a fact of many modern computing environments. If your organization has one (or more), taking the above precautions will effectively minimize many of the associated risks. For a full IT security assessment, including an analysis of wireless configurations, please contact dkilpatrick@ostusa.com.

—–

W. Scott Montgomery

W. Scott Montgomery joined OST in the spring of 2009 as the Manager of the OST Security Practice. Scott joined OST with over 30 years of IT and IT Security related experience. Scott has personally performed more than 1,000 Security Assessments for several hundred organizations. Using a proprietary and unique assessment approach, developed by Scott and used since 1998, the OST Security Team has the ability to gather, analyze and assess the security of any organization.

Protecting Our Children from the Internet (Pt. 1 of 3)

26 Feb
Technology safety for children


Over the last few years, I have written a presentation for parents titled “Protecting Your Children: How to Take Control”.  The presentation is designed to give parents valuable advice on how to protect their kids from the dangers of the internet, and bad decision-making when it comes to its use.

The underlying message of the speech is that parents have the right and a need to take control of the technology kids are using.  Some of the recommendations are extreme and would be used if a child/teen is in a dangerous situation.

This is a multi-part blog entry that provides the reader with ten (10) recommendations.  This entry is the introduction to the subject and the first three recommendations.  Please stay tuned for the remaining two blog entries.

Several years ago, as I was collecting notes on this subject, my Dad’s voice kept playing in my mind.  As a teenager, he would always tell me “You can’t get away with anything…. I’ve already done it all!”

As I thought about that, I realized that even though I tried, he was right. Most of us can’t say that to our kids, as the world of technology has changed quickly.  Our kids have grown up with technology that wasn’t available to us at their age.

Most of us did not grow up with digital cameras, cell phones, laptops, texting and maybe even the internet (now I’m aging myself).  I won’t even mention that I remember having three channels and a black and white TV.

So back to reality…. As a parent, how do we react to this technology and how kids are using it?  What do we need to know?

My top ten list of recommendations is as follows:

  1. Data and electronic communications should be considered permanent. Teach your kids to assume that posted and sent pictures and other information will turn up when they have children of their own.

Just because something is deleted from Facebook and other Social Media Sites, doesn’t mean that it is gone for good.  Things have a way of re-appearing when they are least expected.  Search engines (like Google and Yahoo) are constantly indexing web content and making off-line copies that can be retrieved in the future.  Everything is preserved somewhere.

Parents can take a few simple steps to see what information about their kids/teens is publicly available.  Use a search engine, like Google, to search on your child’s name and phone number.  For better results, put quotation marks around the name and search for variations as follows:

  • “Joseph F. Doe.”
  • “Doe, Joseph.”
  • “Joseph Franklin Doe.”
  • “(616) 555-1235.”
  • “616-555-1235.”

See what information comes up.

Does your child have a Facebook, Twitter or other Social Media Page?  If they do, display it and use Google Image Search to see where else their picture(s) are being used.

  2. Invest in good internet filtering and parental controls. It’s easier than it sounds.

Many new, mid to high-end home internet routers include services that provide a parent with the ability to configure parental controls, time of day limits, and the ability to block offensive websites.  If your home internet router is a few years old, it may be time to replace it with a device that provides you with greater control.

In addition, internet services such as OpenDNS can be used to restrict the types of websites that can be accessed from your home.

Parental Controls can also be implemented on your child’s PC.  In Windows 7 and 8, you can set up a unique password that allows you to make these changes and keeps your child from turning them off.  Windows 8 also allows you to set a computer allowance for time of use.

Most Smartphones, like an Apple iPhone, can have parental controls turned on that limit use of the camera, in-app purchases, and restrict web browser access to adult content.

  3. Keep your password a secret. Teach your kids to keep theirs a secret as well, except when it comes to you.  As parents, you should know every password your children use… always!

Keep a record of the password for your child’s computer, smartphone, email addresses, Apple ID password, etc.  Know the password they use for Facebook, Twitter, and other websites.  Insist that you always know the account and password information.  No exceptions.  It doesn’t mean that you will invade their privacy, but it may be necessary in the event of an emergency or if you suspect a dangerous situation.

Be on alert for “apps” that may be age-inappropriate for use by a child.  Applications like:

  • Kik
  • Tinder
  • Snapchat
  • And others….

Know the purpose and use of every app on your child’s phone.

Stay tuned for the next two parts of this series.  Want more information?  Are you interested in having Scott speak for a parenting group?  Let us know how we can help.

—–

W. Scott Montgomery

The Rise of Spearphishing (Pt. 2)

18 Dec

Spearphishing: Protecting Yourself and Your Company

(Continued from Part 1: The Rise of Spearphishing)

The human element is often the easiest attack surface for malicious hackers. Networks can be hardened and secured, but this only goes so far if an organization neglects to train employees about the ways in which they personally can be used and manipulated in an attack. In the previous entry, we discussed the threat of spearphishing and its prevalence. In this entry, we will discuss ways to minimize the risk of this threat. There are four key elements to protecting yourself and your company from spearphishing attacks:

Employee vigilance and email link inspection

Far and away, the most effective way to minimize the likelihood of a successful spearphishing attack is employee awareness training and education. A qualified third-party security firm should conduct awareness training. Alongside this, we recommend company-wide phishing tests be performed to simulate a real attack and to help discover those individuals that may need further training.

In a spearphishing attack, a URL link is often provided which the victim is encouraged to click on. Two critical tips can help reduce risk here:

  1. If you are sent an email containing a link, mouse over the link. A small box should pop up displaying the destination URL you would reach if you clicked the link. Say, for example, that you receive an email from a friend asking if you’re attending a particular Facebook event, with a link to the event provided. When you place your cursor over the link, you see the destination URL is actually “http://face-book159.com/login.html”. The destination is likely a fraudulent copy of Facebook’s site where the attacker will steal your password. Do not click the link; forward the email to your IT administrator instead.
  2. Any time you receive an email from a popular institution that requires you to log in, never click any links in the email – even if the links appear legitimate (have a valid destination URL). Instead, manually type the URL in your web browser’s address bar. So for example, if you receive an email from Amazon.com saying that a password reset is required, do not click any links in the email and only navigate to Amazon by typing http://www.amazon.com in your address bar.
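The two tips above, automated over an HTML email body, as an added example that is not part of the original post or OST’s tooling: each link’s real destination is reported (the mouse-over check), visible text that shows one site while the href points at another is flagged, a destination that merely resembles a well-known brand (such as face-book159.com standing in for facebook.com) is flagged, and any link that asks you to log in gets the tip-2 advice to type the address yourself. The brand table and the sample email are constructed for this example, and the registrable-domain helper is a simplification noted in its docstring.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed brand -> genuine domain table; extend it for the brands your users see.
BRANDS = {"facebook": "facebook.com", "amazon": "amazon.com", "paypal": "paypal.com"}

def registrable_domain(host):
    """Last two labels of a host. Simplification: production code should use
    the Public Suffix List so that names like example.co.uk are handled."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def lookalike_brand(host):
    """Brand a destination imitates (e.g. face-book159.com -> facebook), else None."""
    reg = registrable_domain(host)
    core = re.sub(r"[^a-z]", "", reg.split(".")[0])  # "face-book159" -> "facebook"
    for brand, genuine in BRANDS.items():
        if brand in core and reg != genuine:
            return brand
    return None

class _Links(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def inspect_links(html):
    """Return [(text, href, warnings)] per link: the mouse-over check, automated."""
    parser = _Links()
    parser.feed(html)
    report = []
    for href, text in parser.links:
        warnings = []
        host = (urlparse(href).hostname or "").lower()
        shown = (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()
        if re.fullmatch(r"[a-z0-9.-]+\.[a-z]+", shown) and registrable_domain(shown) != registrable_domain(host):
            warnings.append(f"text shows {shown} but the link goes to {host}")
        brand = lookalike_brand(host)
        if brand:
            warnings.append(f"{host} imitates {brand} but is not {BRANDS[brand]}")
        if re.search(r"login|sign-?in|password|reset", href, re.I):
            warnings.append("asks you to log in: type the site's address yourself instead")
        report.append((text, href, warnings))
    return report

# Constructed sample: the Facebook-event lure from tip 1, plus a benign order link.
SAMPLE_EMAIL = ('<p>Coming Saturday? <a href="http://face-book159.com/login.html">'
                'www.facebook.com/events/123</a></p>'
                '<p>Order shipped: <a href="https://www.amazon.com/orders">view order</a></p>')
```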

These should be the first line of defense used to protect you and your company from spearphishing attacks. Without the utilization of the above strategies, the remainder of this article is not very helpful – so make sure you have your priorities set correctly!

Limiting information available about you on the web

The spearphishing methodology requires that an attacker perform research on a victim in order to make fraudulent communications with the victim appear to be from a trusted source and to increase authenticity. The first place an attacker will look is Google. If you Google your name, what comes up?

For most people, the answer is social media accounts, web forum memberships, and perhaps other sites that reflect your interests. This information can all be used to create a spearphishing attack that appears genuine. For example, if a Google search of your name shows your Twitter account, an attacker may research this account: see who you tweet to, what their names are, what your conversations are about.

Minimizing this threat is simple. Wherever you can, disable public display of your profile on these sites. Require that connection requests come to you for approval, that your profiles are not included in search engines, and that all of your personal information and pictures are restricted.

Furthermore, if someone you don’t know sends you, for example, a friend request on Facebook – don’t accept! Be conscious of what information about you is out there and who can see it.

Avoiding reuse of the same password

This is an extremely common problem. Many people use the same password for all of their online accounts: social media, banking, email, PayPal and everything in between. Well guess what … bad guys know that!

If you do fall victim to a spearphishing attack, the extent of access you give a hacker can be limited by having dissimilar passwords across different services and accounts. In other words, don’t use the same password for everything! During a penetration test, when OST discovers a password, the first thing we do is try it in as many other places as we can. It almost always provides us further access.

Not to mention, there’s a big difference between losing control of your Facebook account and losing control of your bank account!

Proper patching, email/web filtering, and antivirus

The primary target in a spearphishing attack is a human. Spearphishing risk mitigation occurs most effectively through awareness, training, and pattern change as described above. However, a strong second line of defense can be added via technology. Regular patching, active filtering and antivirus are also critical elements to protecting yourself. Spearphishers may use infected files as part of their phishing attack (e.g. your “boss” sending you a PDF report on your performance). Though they may not catch everything, filters are designed to prevent delivery of these types of infected messages; antivirus is designed to prevent infected files from running.

Everyone knows that computers and networks need to be protected from hackers. Lack of awareness regarding the human element to IT security is the reason that spearphishing is as prevalent and successful as it is. While it is impossible to be perfectly safe, making use of the tips outlined above will dramatically reduce the risk of you or your organization falling victim to a spearphishing attack.

—–

Jeffery Serini, IT Security Consultant at OST

Jeffery Serini’s IT security obsession dates back to his teenage years, when he began pen-testing on their home computer. Serini is presently an IT Security Consultant at OST. After joining the Security Team in 2011 under W. Scott Montgomery, he has performed over 250 Security Assessments and consulted with a wide variety of clients, including those in the financial, manufacturing, healthcare, gaming sectors and more. Leveraging a unique approach, the OST Security Team is capable of providing a practical and relevant assessment designed to help administrators and executives alike understand their InfoSec posture.

The Rise of Spearphishing

16 Dec
Google Data Center. Photo: Google/Connie Zhou

Google, the Pentagon, the White House, RSA, HBGary Federal, the New York Times.

That’s a list of organizations you’d expect to have top-notch IT security, right?

Perhaps they do. But malicious hackers have infiltrated all of these high-profile entities. Some breaches were perpetrated by organized, state-sponsored threat actors, such as China’s APT1 – a cyber espionage unit responsible for stealing hundreds of terabytes of data from numerous US organizations. Other breaches, like that of HBGary Federal, were conducted by the loose, decentralized hacker collective called Anonymous.

So, what common link exists between a government-sponsored cyber warfare unit and a scattered, international group of hacktivists? The answer is their preferred method of attack.

Enter: spearphishing.

Spearphishing is a subset of phishing. Phishing is, by no means, a new tactic. First seen back in the mid-90’s, phishing involves fraudulently portraying oneself as a trusted entity and directly communicating with a victim, seeking sensitive information. For example, an attacker may craft an email that appears to be from PayPal and send it to thousands of intended victims, requesting they click a link in order to log in and reset their password. The link directs the victim to a PayPal look-alike site, where their password is recorded when they attempt to log in.

Spearphishing takes a more refined approach. In this scenario, the attacker has a particular victim in mind. The attacker may research this victim extensively, learning as much as possible about the victim’s personal life. Leveraging this information, the attacker performs a phish as described above, but personalizes the attack to enhance credibility and authenticity.

91% of targeted attacks begin with spearphishing, according to Trend Micro.

Despite this, we speculate that the majority of individuals in the United States haven’t even heard of spearphishing, much less how to defend themselves from it. With the prevalence of this attack method, we can no longer afford to remain ignorant.

Part two of this segment will outline ways to minimize risk – stay tuned!

—–

Jeff Serini