How to Analyze Your Security in Less Than a Week

Vulnerability assessments are very important tools for upper management and their organization. A vulnerability assessment looks at the current security status of a business's network and systems with regard to the data being protected and the effectiveness of the protections against an expected level of attack; the assessment aids in preventing unauthorized access to the network and systems by providing a high-level overview of security that allows management to fix the issues before they are exploited. The most effective assessment looks at more than just closing ports on the network. Rather, it requires a comprehensive understanding of the most tantalizing targets for intruders, the impact of loss on the company or organization, and recognition of the true business risks.

Once the assessment has been performed, the business can use the information gathered to reallocate resources towards the improvement of the systems and network. Therefore, the vulnerability assessment is rarely performed in isolation, but rather as part of a review series that includes penetration testing, system hardening and defense-in-depth strategies covering all aspects of the business, including operations.

The vulnerability assessment begins with a cataloging of all resources currently in the system. This includes software, hardware, objects that allow access or administrative capabilities, the maximum capability of each item and the extent to which it is currently used.

Step 1. Identify the data and critical functions of the business. Take note of the most likely targets for attackers. This knowledge allows you to focus security measures where they are most needed and also to analyze more accurately the impact of loss in case of an attack or other event that could cause harm. This may already have been accomplished in your organization's business impact analysis, so check there first to start with a baseline and save yourself some time.

Step 2. Identify the contributing applications and data that support the business operations and key processes identified in step 1. Again, take note of these essential applications. These contributing applications and resources may also have been tracked in your business impact analysis.

Step 3. Identify your hidden data sources. These are typically mobile devices and laptops that sometimes get overlooked. They often bypass the other security controls implemented at the organization and frequently hold sensitive data with minimal protection. These devices always present a high security risk, so if you haven't already, evaluate what is on them and encrypt them when you can. This can be done pretty cheaply these days and will save you a headache later on, as it is only a matter of time until a laptop is stolen.

Step 4. Identify the hardware that runs or supports those mission-critical applications and sensitive data. These are your routers and anything on the perimeter of your network controlling security. It is always a good idea to have your Access Control Lists thoroughly reviewed by someone other than the person who manages them. Many times these lists become so complicated that it is hard to understand what is actually going on. This is usually the main reason that openings in the network are overlooked, giving hackers access they normally wouldn't get.

Step 5. Run vulnerability scans both internally and externally to establish all available services, shares, software, and user accounts within the environment. This will help you identify current measures and controls, examine how they are used and the extent of their capabilities. Map the network to ensure you understand all information flow through the systems and network. Visio is perfect for that task.

Step 6. A trained professional should conduct a review of the patches on the machines, assessing their exposure factor and looking for external vulnerabilities as an attacker would. This includes enumerating all possible ports, entry points, and gates that permit access into the system/network from an attacker's point of view. Identify all open services and processes. These are the points of vulnerability that attackers can use to access the system. An outsider usually does this as well, as it is very easy to overlook issues when you are looking at your own network.

Step 7. Document all your findings and present them to upper management. The report should list the vulnerabilities discovered, rank the risks (from most critical to lowest) and quantify the impact of loss. Suggestions to mitigate risk should be included along with your calculations of single loss expectancy (SLE) and annualized loss expectancy (ALE).
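The risk-ranked report that step 7 calls for, as an added example rather than anything from the original post: each finding carries an asset value, exposure factor and annual rate of occurrence, from which SLE and ALE are computed and the findings are ordered. It goes one step beyond the text by also netting each mitigation's annual cost against the ALE it addresses. All names, fields and dollar figures are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """One vulnerability from the assessment, with the numbers step 7 asks for."""
    name: str
    asset_value: float       # dollar value of the affected asset (AV)
    exposure_factor: float   # fraction of the asset lost per incident (EF), 0..1
    annual_rate: float       # expected occurrences per year (ARO)
    mitigation: str          # suggested countermeasure for the report
    mitigation_cost: float   # hypothetical annual cost of that countermeasure

    def sle(self):
        """Single loss expectancy: AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self):
        """Annualized loss expectancy: SLE x ARO."""
        return self.sle() * self.annual_rate

    def net_benefit(self):
        """Annual loss avoided minus what the mitigation costs per year.

        Assumes the mitigation removes the risk entirely; a negative value
        means the countermeasure costs more than the loss it prevents.
        """
        return self.ale() - self.mitigation_cost


def rank_findings(findings):
    """Order findings from highest to lowest annual loss, as the report should."""
    return sorted(findings, key=lambda f: f.ale(), reverse=True)


def report(findings):
    """Return report rows (rank, name, SLE, ALE, net benefit, mitigation)."""
    return [(i + 1, f.name, round(f.sle(), 2), round(f.ale(), 2),
             round(f.net_benefit(), 2), f.mitigation)
            for i, f in enumerate(rank_findings(findings))]


# Constructed sample findings (hypothetical numbers, not from any real assessment).
SAMPLE_FINDINGS = [
    Finding("Unencrypted loan-officer laptops", 250_000, 0.40, 0.5,
            "Full-disk encryption on all mobile devices", 15_000),
    Finding("Overly permissive perimeter ACL", 1_000_000, 0.10, 0.2,
            "Independent ACL review; remove stale rules", 5_000),
    Finding("Unpatched file server", 400_000, 0.50, 0.3,
            "Bring server into the patch-management cycle", 8_000),
]

if __name__ == "__main__":
    for row in report(SAMPLE_FINDINGS):
        print(row)
```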

Assessments should be run regularly to maintain the security of your network. Any time hardware, software, or firmware is altered, a new assessment should be conducted to account for the change. Up-to-date assessments mitigate the possible effects and success of malicious activity on the network. Regular vulnerability assessments are required for compliance with several business and industry standards such as NCUA, PCI DSS, the Gramm-Leach-Bliley Act, and FFIEC. While 100 percent security is impossible to guarantee, regular performance of these assessments, testing, and implementation of the security measures identified minimizes security breaches and damages in a maintainable fashion.

Vishing – Fraudulent Text Messages


So what should you do if your financial institution's members are being bombarded with fraudulent text messages that ask them to call a specific number which in turn tries to phish credit card numbers or other sensitive information from them? A vulnerability assessment won't help you here, but you should keep the abuse contacts below handy.


You should email the abuse contacts for the carrier of that number. For example, if you find out that it was a Verizon phone number, you can email Verizon at abuse@verizon.com and phishing@verizonwireless.com. In addition you will want to forward the email to abuse@fbi.gov and abuse@fcc.com as well.


So what information should you include in this email? You will want to include the following:


  • Offending text message number, including area code
  • The victim's text message number, including area code
  • The carrier
  • The location the text message is calling from
  • The calling area
  • The time zone
  • The time at the current location


You will also want to call the carrier of the offending number and attempt to have it blocked by the carrier. In most instances the carrier will be happy to do it for you.

IPS Audit – NCUA Questions


Core Review

  • Does management have a formal, documented IDS/IPS management policy that addresses:
    • Risk assessment?
    • Access control?
    • Change management/updates?
    • Log management?
    • Escalation procedures?
  • Is the number and location of the IDS/IPS sensors appropriate?
  • Is the management of your IDS/IPS outsourced?
  • Is the IDS/IPS system updated on a regular basis?
    • If yes, how often?
  • Are the IDS/IPS reports reviewed periodically by an employee?
    • How often are reports received and reviewed by an employee?
    • Is the review process documented?
  • Is the rule configuration process documented in a procedure?
  • What type of intrusion detection/prevention system(s) (IDS/IPS) are used?
    • Network-based
    • Host-based
  • What IDS/IPS design type is being used?
    • Signature
    • Anomaly
    • Hybrid
  • Does the network diagram accurately show the placement of the IDS/IPS sensors?

Access Control

  • Is access to the IDS/IPS system limited to appropriate staff (vendor or credit union employee)?
  • Can the IDS/IPS be accessed by a secondary IT staff member, or a designated backup staff member in an emergency?
  • Is the IDS/IPS system located in a physically secure location?

Configuration Management

  • Are the IDS/IPS configuration processes in line with the policies and procedures?
  • Is there a separation of duties between those who configure the IDS and those who monitor the IDS?
  • Is the IDS/IPS operating system updated regularly?
  • Does management ensure the IDS/IPS system maintains an up-to-date list of attack signatures?

Alerts and Monitoring

  • Are automated, real-time alerts in place?
  • Are alerts sent to a centralized logging system?
  • Are alerts parsed using an automated system?
  • How long are the IDS/IPS logs maintained?
  • Are IDS/IPS logs backed up?
  • Is a review of the IDS/IPS alert logs performed daily?
    • If no, how often is the review completed?
  • Is a qualified individual responsible for the regular monitoring of network traffic for potential intrusions?

Host Based System – Alerts and Monitoring

  • Does the system monitor changes in identified critical operating system files?
  • Does the system monitor changes in the identified application files?
  • Does the system monitor administrator activity on critical servers?
  • Is there a separation of duties between server system administrators and IDS administrators?

Incident Response

  • Does management include dynamic reconfiguration of the IDS/IPS as part of the incident response capability?
  • Do intrusion detection policies and procedures address escalation procedures?
  • Do policies and procedures address how and when to notify an appropriate individual to determine the need to file a Suspicious Activity Report?
  • Are documented escalation procedures in place based on the threat level?

Custom Signatures

  • Does management deploy custom signatures? If no, skip this section.
  • Are third-party or credit union staff trained to add custom signatures?
  • Are custom signatures approved by management prior to implementation?
  • Is documentation retained for the approval and change process?
  • Are custom signatures verified by an independent party, and is documentation of the verification retained?

Business Continuity

  • Can the IDS/IPS be quickly reconfigured from backups (e.g., to restore a previous configuration)?
  • Is backup recovery of the IDS/IPS tested at least annually?
  • Does management obtain maintenance support for IDS/IPS appliances within a defined time period of failure?

Security Assessment – Testing

  • Are external penetration tests attempted after a major system update?
  • Are external penetration tests conducted periodically?
  • Did the last test result in a favorable rating?
  • Did management take corrective action on the recommendations from the penetration test results?
  • Is there an audit trail of who accesses the IDS/IPS administrative accounts?
  • Are IDS/IPS signatures, policies, and procedures reviewed at least annually by a qualified auditor?
  • Is each signature documented sufficiently to allow for review by a qualified auditor?
  • Is there an audit trail of configuration changes made during the past year?

IDS/IPS – Vendor Management

  • Do non-corporate personnel or vendors access the IDS/IPS? If no, skip this section.
  • If so, have contracts with this vendor been reviewed by corporate legal personnel?
  • Do access control limits restrict access to specific static external IP addresses in the case of remote vendor support?
  • Is remote access limited to only the IDS/IPS?
    • If no, please describe.
  • Is all access by encrypted channel (e.g., SSH)? Exception: terminals directly connected to the IDS do not require an encrypted channel.

Firewall Audit – NCUA Questions

Sometimes the NCUA will have questions about a credit union's firewall, so I've decided to post what some of those questions from the NCUA might be:

  • Does management have a formal, documented firewall configuration management policy that addresses the following:
    • Purpose
    • Scope
    • Roles
    • Responsibilities
    • Management commitment
    • Coordination among organizational entities
    • Compliance
  • Does the firewall administrator receive adequate training?
  • Does the credit union have a comprehensive list of what should be allowed/disallowed through the firewall?
  • Is the firewall located in a controlled access area?
  • Is the firewall(s) secured against unauthorized access from Internet, Extranet and Intranet users?
  • Are inner firewalls placed around all critical, financial and transactional systems?
  • Can the firewall be accessed by a secondary IT Committee member or assigned staff member in an emergency?
  • Do you place firewalls at all sub-network boundaries where policies differ between the connecting sub-networks?
  • Does the credit union maintain an inventory of all firewalls in use?
  • Are firewall configuration changes properly documented, reviewed, and approved?
  • Is adequate documentation maintained to support the specific business reason for each firewall rule?
  • Has the firewall been tested to ensure that it would fail closed?
  • Are internally hosted web services protected by firewalls that inspect all traffic for common web application attacks?
  • Are firewall rules reviewed periodically to determine whether they are still required from a business perspective?

Firewall Security & Maintenance

  • Does the firewall system enforce approved authorizations for logical access to the system in accordance with applicable policy (policy reviewed above)?
  • Does management configure the firewall to provide only essential capabilities and specifically prohibit or restrict the use of management-identified functions, ports, protocols, and/or services, such as:
    • IP spoofing attacks?
    • Denial of Service attacks?
    • Programs like finger, whois, tracert and nslookup?
  • Is there a default deny rule?
  • Is the firewall operating system updated regularly?
  • Is the firewall system(s) appropriately configured to protect the confidentiality and integrity of information at rest, i.e. rule sets?
  • Is the firewall rule change control process automated?
  • Does the credit union have an automated monitoring system that provides real-time alerts about firewall configuration changes?
  • Does the credit union use automated tools to evaluate the firewall rule set for errors or conflicts after making significant changes?
  • Do assigned individuals monitor events on the information system in accordance with management's defined monitoring objectives and detect information system attacks?
  • Are automated alerts in place?
  • Are alerts sent to a SIEM?
  • Are firewall logs reviewed?
    • Is the log review conducted at least each business day?
  • Are the firewall logs maintained for a specified period of time?
  • Are firewall logs backed up?

Firewall Business Continuity

  • Has management obtained maintenance support and/or spare parts for firewalls within a management-defined time period of failure?
  • Can the firewall be quickly reconfigured from backups (e.g., to restore a previous configuration)?
  • Is backup recovery of the firewall tested at least annually?
  • Is the firewall on an Uninterruptible Power Supply (UPS)?
  • Does management include dynamic reconfiguration of the firewall as part of the incident response capability?
  • Is the firewall backed up?
  • Are backups safeguarded?
  • Has management tested the firewall recovery using a firewall backup?
  • Is automatic failover enabled?

Firewall Security Assessment

  • Are vulnerability assessments periodically run on the firewall to identify open ports and services?
  • Did the last assessment result in a favorable rating?
  • Does management take corrective action on the recommendations from the assessments?
  • Are external penetration tests attempted after major system updates?
  • Is there an audit trail of who accesses the firewall administrative accounts?
  • Are firewall rules, policies, and procedures reviewed at least annually by a qualified auditor?
  • Is each rule documented sufficiently to allow for review by a qualified auditor?
  • Is there an audit trail of changes made during the past year?

Firewall Vendor Management

  • Do non-corporate personnel or vendors access the firewall? If no, skip this section.
  • If so, have contracts with this vendor been reviewed by corporate legal personnel?
  • Does management document, for each connection, the interface characteristics, security requirements, and the nature of the information communicated with third-party vendors?
  • Does management authorize connections from the information system via the firewall to other information systems outside of the credit union's authorization boundary (network) through the use of appropriate contractual agreements?
  • Do access control limits restrict access to specific static external IP addresses in the case of remote vendor support?
  • Is access limited to only the firewall? If the vendor has other access, please indicate.
  • Is all access by encrypted channel (e.g., SSH)? Exception: terminals directly connected to the firewall do not require an encrypted channel.
  • If the firewall product uses a remote management architecture (e.g., Checkpoint management module and firewall module), are the controls adequate?


Use SPF Records to defend against Social Engineering


No one can seriously argue that social engineering isn't the biggest threat to companies like banks and credit unions when it comes to gaining access to internal systems. The reason is that no matter how tough your IT controls and security posture are, or how good your vulnerability assessment is, it all becomes worthless when someone will easily hand over the keys just by being asked. This is the reason SPF records are so important.

SPF stands for Sender Policy Framework. SPF records help stop spam and email spoofing, and thus social engineering attacks against employees. This is important because one of the ways an attacker will try to social engineer employees is by spoofing someone else, such as the IT Manager, and asking for another employee's credentials. This of course is done in a crafty manner, like sending the employee to some fake credit union website that asks for the employee's login information. If an email looks like it is originating from the IT Manager, how can you ask employees to ignore it?

The great thing about SPF records is that it is very easy to tell whether your records are set up right. From the command prompt, start nslookup, switch it to TXT records and enter your domain:

nslookup

set type=txt

creditunionwebsite.com

At the end of the SPF record you should see -all to prevent spoofing. If you see +all, ~all or ?all, that SPF record will most likely still allow spoofing.
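A small checker for the rule above, added here as an example and not part of the original post: it picks the SPF record out of a domain's TXT answers and reports what the terminating "all" qualifier means. It goes slightly beyond the text by also handling a record with no "all" (treated as neutral, per RFC 7208), a "redirect=" modifier, and a domain publishing more than one SPF record (invalid). The TXT answers below are constructed samples, not real lookups.

```python
import re

# What each qualifier on the "all" mechanism means for a sender not listed earlier.
QUALIFIER_VERDICT = {
    "-": ("fail", "receivers should reject unlisted senders: spoofing is blocked"),
    "~": ("softfail", "unlisted senders are only flagged: spoofed mail is usually still delivered"),
    "?": ("neutral", "no statement is made about unlisted senders: spoofing is allowed"),
    "+": ("pass", "every sender is authorized: spoofing is explicitly allowed"),
}


def find_spf_record(txt_records):
    """Return the domain's single SPF record, or None.

    RFC 7208 allows at most one record beginning with "v=spf1"; two or more
    make SPF permanently fail for the domain, so that case is treated as
    'no usable record'.
    """
    spf = [r.strip() for r in txt_records if r.strip().lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def spf_all_qualifier(record):
    """Return the qualifier of the terminating 'all' mechanism.

    A bare 'all' means '+'. With no 'all' at all, unmatched senders are
    neutral, reported as '?'. A 'redirect=' modifier hands evaluation to
    another domain and is reported as 'redirect'.
    """
    terms = record.split()[1:]  # drop the 'v=spf1' version tag
    for term in terms:
        m = re.fullmatch(r"([+\-~?])?all", term, flags=re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    if any(t.lower().startswith("redirect=") for t in terms):
        return "redirect"
    return "?"


def assess_spf(txt_records):
    """Summarize whether a domain's TXT records leave it open to spoofing."""
    record = find_spf_record(txt_records)
    if record is None:
        return {"record": None, "qualifier": None, "result": "none",
                "note": "no single valid SPF record: spoofing is allowed"}
    q = spf_all_qualifier(record)
    if q == "redirect":
        return {"record": record, "qualifier": q, "result": "redirect",
                "note": "evaluation continues at the redirect target; check that domain"}
    result, note = QUALIFIER_VERDICT[q]
    return {"record": record, "qualifier": q, "result": result, "note": note}


# Constructed sample TXT answers, shaped like nslookup output (not real lookups).
SAMPLES = {
    "creditunionwebsite.com": ["v=spf1 mx ip4:203.0.113.10 -all"],
    "softfail.example": ["v=spf1 include:_spf.example.net ~all"],
    "open.example": ["v=spf1 +all"],
    "no-all.example": ["v=spf1 mx"],
    "two-records.example": ["v=spf1 mx -all", "v=spf1 a -all"],
    "no-spf.example": ["some-site-verification=placeholder"],
}

if __name__ == "__main__":
    for domain, txt in SAMPLES.items():
        r = assess_spf(txt)
        print(f"{domain}: {r['result']} ({r['qualifier']}) - {r['note']}")
```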

If you need any help setting them up, or want to check whether you even have one, there is a great wizard at Microsoft that will easily help you do that:

Microsoft Wizard

If you want to get a little more creative and see whether your mail servers will let you spoof an employee's email, try the following from a telnet prompt after connecting to your SMTP mail server.

helo <your domain name here><click enter>

250 OK

mail from: <your email address you want to spoof here><click enter>

250 OK

rcpt to: <who you want the recipient to be><click enter>

250 OK

data <click enter>

354 Send data.

Subject: <enter subject field here><click enter>

<enter your text body here>

<click enter>

. <click enter; yes, that is a single period on a line by itself>

<click enter>

250 OK

quit<enter>

That does it, and as long as those SPF records aren't set up right you can appear to be anyone you want to be, short of some great spam protection on the mail servers. Social engineering is such a vulnerability that we need all the technical help we can get to defeat it. This is just one simple fix that will help you get where you need to be.

DDoS attacks and what the grownups aren’t telling us.


With so much DoS and DDoS information going around from popular websites, CUNA, the NCUA and the FBI, it's hard to tell what to actually trust and what you can do to mitigate. I just wanted to take the time to sift through all of the information and provide a navigation guide for you.

The truth is that there are many little mitigation tactics on many websites, and different vulnerability assessments you can do, but if the bandwidth of the attack is larger than the pipe it's attacking, there is not much you can do to defend the company against it. You can have an asset that is larger than the potential threat, but that can get really expensive. The other option is to have fault-tolerant systems. That's the whole reason you see so many companies really confused: there aren't many solutions that don't cost a truckload of money.

So what should you do to mitigate DDoS attacks and conduct your own vulnerability assessment? The first step is to understand that you need a DDoS Mitigation Plan in place that states exactly who is in charge of what. You most likely already have contacts that will help in the event of a DDoS attack. You just need to make sure you know what services they offer (paid or free) and have a contact plan. Most companies like credit unions have their IPS and/or firewall managed, so they should also have contacts and numbers for the ISP, managed firewall, managed IPS and any other critical service provider. That alone is half the battle and will give you bonus points from an auditor. What you don't need to do is bust the company's budget by getting a really expensive DDoS mitigation package (unless the company can afford it, that is).

The second thing you need to do is build a strategy around your assets so that they are fault tolerant. So what do you need to have a strategy for? The following assets are what you will need to build your DDoS mitigation plan around, in case these assets become stressed:

1.) Server

2.) Host-Based IPS (HIPS) on that server

3.) Internet Circuit (Ethernet, T1, Cable, DSL)

4.) Internet Router

5.) Internet Facing IPS

6.) Internet Facing Firewall

7.) Local Area Network (LAN) Facing IPS

So, if an attack happens on one of these assets, what do you do? A company should work closely with its Internet Service Provider (ISP), as the ISP is usually the company's best chance at neutralizing the threat unless the company is working with an expensive third-party DDoS mitigation company. This means that you should have the ISP's documented DDoS mitigation plan, including a contact, phone number and list of both paid and free services the ISP offers. Many times the ISP can just block the incoming traffic for you for free. Call up your ISP and see what they offer.

If your company is taking advantage of offsite hosting, it is imperative that you get the hosting company's DDoS Mitigation Plan as well.

Simple vulnerability assessment steps you can take right now:

1.) Prepare your mitigation plans. This doesn't mean that you have to write a book on the steps you need to take, but it does mean that you should have some sort of plan in place.

2.) Disable all unnecessary ports. The best way to do this is simply to use Nmap to find out what ports are listening and close the ones you don't need.

3.) Use Access Control Lists to limit access to only specific hosts, ports and services required.

4.) Update your anti-virus software. The best way to accomplish this is to use some sort of anti-virus management console to make sure all machines are updated with the most current signatures.

5.) Make sure you are consistent with your patching. Like anti-virus, you should be using some sort of patch management console to make sure that you are running the most current patches after Patch Tuesday.

The most effective thing you can do is stay very consistent. That means having a system in place to make sure the steps above are adhered to and followed without fail. Using calendar notifications for these things works well.