People Are Not IP Addresses…So Why Do Security Solutions Think They Are?

Attackers are erasing database contents and replacing them with a note demanding Bitcoin ransom payment for restoration. It also appears that victims who pay are often not getting their data back, and that multiple attackers are overwriting each other’s ransom demands. Seriously, these databases are of course important to their owners, and these attacks are clearly a headache for them. Hopefully they have backups.

Let’s explore this situation a bit more, and then step back for some analysis.

Here’s What We Know

There is no indication of a vulnerability in MongoDB; rather these systems are allowing administrative access from any IP address, and are (mis)configured for either no authentication or default credentials. There are a large number of such systems – Internet service search engines show approximately 100,000 exposed instances, and several independent security researchers have identified over 27,000 instances that have been hijacked as of January 8, a number that’s growing daily.

Putting aside the mistaken configuration that enabled access with no/weak authentication, let’s look at this from a user access and network perspective. At the risk of being too obvious, these systems are Internet-facing either intentionally or unintentionally. If intentional, their admins clearly require remote access, and therefore these systems must expose some network service.

“People are not IP addresses!”
— Jason Garbis, Vice President of Products at Cryptzone

The problem comes down to how access is restricted – and a realization that relying solely on authentication is not enough. Too many systems are either misconfigured (as appears to be the case with these MongoDB instances) or are subject to vulnerabilities – enterprises need to limit access at a network level. The issue is that network security tools are built around controlling access by IP address, yet the problem we need to solve is how people (identities) access these systems. And people are not IP addresses!

If these databases were unintentionally exposed to the Internet, then no remote access is required – either admins have local system access, or they’re relying on another security mechanism such as being on a LAN or accessing the network through a VPN. Yet, these systems are exposed directly to the Internet, and therefore not likely on an internal corporate network. Looking at the discovered instances on Shodan, it appears that many of them have IP addresses associated with cloud or hosting providers!

This is an interesting pattern. Because cloud network access is managed by IP addresses, users may be simply setting their cloud network security groups to permit access from anyone on the internet – much to their detriment, as this attack shows.
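The two misconfigurations described here, a cloud security group that admits the whole Internet and a mongod that listens on every interface with authorization off, can be caught before an instance is exposed. The audit below is an added example, not code from the original post or from Cryptzone; it assumes the security-group dict has the shape of the EC2 DescribeSecurityGroups response, reads only the bindIp and authorization keys of a mongod.conf, and uses constructed sample values.

```python
"""Audit a cloud security group and a mongod.conf for the exposure pattern
behind the MongoDB hijacks: port 27017 open to any address, no authorization.
Added example; the security-group structure follows the EC2 API shape and
the sample values are constructed."""

MONGO_PORT = 27017
ANY_CIDRS = {"0.0.0.0/0", "::/0"}


def rule_covers_port(rule, port):
    """True if an IpPermissions entry admits TCP traffic to `port`.
    IpProtocol "-1" means all protocols and all ports."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def world_open_rules(security_group, port=MONGO_PORT):
    """Return (cidr, from_port, to_port) for every rule exposing `port` to the Internet."""
    findings = []
    for rule in security_group.get("IpPermissions", []):
        if not rule_covers_port(rule, port):
            continue
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in ANY_CIDRS:
                findings.append((cidr, rule.get("FromPort"), rule.get("ToPort")))
    return findings


def mongod_conf_weaknesses(conf_text):
    """Scan a mongod.conf (YAML) for listening on all interfaces and for
    authorization left disabled. Only two keys are read, so no YAML library
    is needed; comments are stripped first."""
    settings = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip()
    weaknesses = []
    if "0.0.0.0" in settings.get("bindIp", ""):
        weaknesses.append("listens on all interfaces")
    if settings.get("authorization", "disabled") != "enabled":
        weaknesses.append("authorization not enabled (default is disabled)")
    return weaknesses


# Constructed sample: SSH restricted to one address, MongoDB open to the world.
SAMPLE_SG = {
    "GroupId": "sg-example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
        {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

SAMPLE_CONF = """# constructed mongod.conf
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
"""

if __name__ == "__main__":
    print(world_open_rules(SAMPLE_SG))
    print(mongod_conf_weaknesses(SAMPLE_CONF))
```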

Clearly, misconfiguring a database to not require authentication is a problem, but there are many exploits that exist even in properly secured and properly configured systems. It’s time to realize that the bigger problem is in allowing unauthorized users to have network access to these systems in the first place. Why are there 100,000 instances of MongoDB available for a public scan? I suggest that most of these were not intended for public access.

The ability to access a service on the network is a privilege, and it must be treated as such. The principle of least privilege demands that we prevent unauthorized users from scanning, connecting to, or accessing our services. Following this principle will dramatically reduce the ability of attackers to exploit misconfigurations or vulnerabilities.

But there’s a problem. There is a disconnect between how we need to model users – as people – and our network security systems, which are centered on IP addresses. And, to repeat myself, people are not IP addresses.

Let’s Bring This Together

Organizations need to secure network access in an identity-centric way, and in a way that’s driven by automated policies so that users – who are people – get appropriate access. Network security systems must be able to do this, and allow us to easily limit user access to the minimum necessary.

The good news is that this is achievable today. The Software-Defined Perimeter (SDP) – an open specification published by the Cloud Security Alliance – defines a model where network access is controlled in an identity-centric way. Every user obtains a dynamically adjusted network perimeter that’s individualized based on their specific requirements and entitlements. The Software-Defined Perimeter is well-suited to cloud environments; network services such as MongoDB can be easily protected by SDP network gateways.

With SDP, organizations can easily define policies that control which users get access to these database instances, and prevent all unauthorized users from scanning or accessing these services – even if they’re misconfigured and don’t require authentication. And, because this access is built around users, not IP addresses, authorized users can securely access these systems from anywhere, with strong authentication enforced at the network level.

We’ll never be completely safe in our hyper-connected world, but we’re unnecessarily making things harder for ourselves, as this latest attack shows. We need to take a new, identity-centric approach to network security, and the Software-Defined Perimeter model provides exactly this. Putting this in place will go a long way towards making our systems more secure while keeping our users productive.

Jason Garbis, Vice President of Products, Cryptzone

[Cloud Security Alliance Blog]

(ISC)² Board of Directors Elect 2017 Officers

International team of security professionals elected to lead governing body;
Wim Remes elected chair for third time in four years

Clearwater, FL, January 18, 2017 — (ISC)²® today announced the newly elected officers for its board of directors. The 13-member board provides governance and oversight for the organization, grants certifications to qualifying candidates, and enforces adherence to the (ISC)² Code of Ethics.

Effective January 14, 2017, the following individuals assumed board officer positions:

  • Chairperson:  Wim Remes, CISSP (Belgium)
  • Vice Chairperson:  Jennifer Minella, CISSP (USA)
  • Treasurer:  Allison Miller, CISSP (USA)
  • Secretary:  Dr. Kevin Charest, CISSP, HCISPP (USA)

“I would like to express my sincere gratitude to the outgoing board officers for all of their efforts to strengthen (ISC)² and for their ongoing commitment to advancing the profession,” said (ISC)² CEO David Shearer. “I also thank Greg Mazzone, Richard Nealon, Howard Schmidt and Freddy Tan, whose board terms ended in December, for their many contributions. I look forward to working with the new officers over the next year as they help us advance the organization.”

Members of the (ISC)² Board of Directors are elected each year from among the organization’s global membership. The board is composed of (ISC)²-certified volunteers who are industry leaders from around the globe representing business, government and academia. Visit (ISC)²’s website for a complete list of current board members.

###

About (ISC)²

(ISC)²® is an international nonprofit membership association focused on inspiring a safe and secure cyber world. Best known for the acclaimed Certified Information Systems Security Professional (CISSP®) certification, (ISC)² offers a portfolio of credentials that are part of a holistic, programmatic approach to security. Our membership, over 123,000 strong, is made up of certified cyber, information, software and infrastructure security professionals who are making a difference and helping to advance the industry. Our vision is supported by our commitment to educate and reach the public through our charitable foundation, The Center for Cyber Safety and Education™. For more information about (ISC)² visit www.isc2.org, follow us on Twitter or connect with us on Facebook.

# # #

© 2017 (ISC)² Inc., (ISC)², CISSP, SSCP, CCSP, CAP, CSSLP, HCISPP, CCFP, ISSAP, ISSEP, ISSP and CBK are registered marks of (ISC)², Inc.

Media Contact

Maria Forrest
Senior Manager, Corporate Communications
(ISC)²
mforrest@isc2.org

(727) 201-5759

[(ISC)² Press Release]

Work Hard, Have Fun and Learn with New CISA Online Review Course

At the very end of his 2010 speech at the iPad’s debut, Steve Jobs mused on the secret to Apple’s success: “It’s in Apple’s DNA that technology alone is not enough. It’s technology married with liberal arts, married with the humanities, that yields the results that make our hearts sing.”[1]

Now I’m not foolish enough to even begin to compare myself to Steve Jobs, but I do know a thing or two about technology, and I have updated the CISA Review Manual for the new 2016 job practices. I also was part of a team brought together to work on the new CISA Online Review Course. Individually, we may not be Steve Jobs, but together we hoped to be inspired by his vision.

The CISA Online Review Course, which will be available later this month, prepares learners to pass the CISA exam using proven instructional design techniques and interactive activities. The online, self-paced course allows learners to prepare for the exam at a time and location that suits their needs. The course keeps track of where learners last left off, and includes a video, interactive content, downloadable workbooks and job aids, case study activities and a practice exam.

We began working on the course in April 2016. I still had my day job, so it involved some long nights and some even longer weekends. My email seemed to be constantly pinging, and once a week, I gave up my lunch break to participate in conference calls with ISACA HQ. It was hard work! But you know what? It also was great fun!

Several of the conference calls resulted in some great ideas that came about due to the intersection of our different strengths. Further, a few times, I would develop something and go to bed tired but thinking “I’ve really nailed that,” only for it to somehow inspire the more creative people in the team, who would suggest changes that only served to further enhance the course.

Becoming a Certified Information Systems Auditor is by no means easy. When studying for your CISA, it will be your turn to work late nights and weekends. It will be your turn to work hard, to learn and (hopefully) have fun. I believe the new CISA Online Review Course will help.

When you read some of the case studies, smile and remember that you read this blog. More than that, remember what you just learned while you smiled, and smile again when that question comes up in your CISA examination. Good luck in your studies!

Editor’s note: The new CISA Online Review Course will be available later this month at www.isaca.org/Education/on-demand-learning/Pages/default.aspx.

Registration is open for the first testing window of 2017 for ISACA’s core certifications. Exams for CISA, CISM, CGEIT and CRISC will be offered in 2017 at PSI testing locations worldwide during three, eight-week testing windows. The first testing window will be 1 May-30 June, with 28 February marking the early registration deadline. Exam registration via the ISACA website is available at www.isaca.org/examreg.

[1] www.wsj.com/articles/SB10001424053111904875404576532342684923826

Ian Cooke, CISA, CGEIT, CRISC, COBIT Foundation, CFE, CPTS, DipFM, ITIL Foundation, Six Sigma Green Belt, Group IT Audit Manager

[ISACA Now Blog]

5 Key Considerations When Implementing User-Based Access Controls

End users, the very community of individuals chartered to preserve the integrity of your business, embody a profound vulnerability point within your network’s security infrastructure. By the year 2020, IDC expects mobile workers, in the United States alone, will account for nearly three quarters of the total workforce*. As a result, IP addresses are no longer an effective proxy for end users as they are constantly moving to different physical locations and using multiple devices, operating systems, and application versions to access the data they need. It’s now critical to an organization’s risk posture to identify who the network’s users are – beyond IP address – and the inherent risks they bring based on the device being used.

To control the threat exposure unknowingly caused by the end user community and protect your organization from breaches, leverage User-ID, user-based access controls, on your Palo Alto Networks next-generation firewall (NGFW). With User-ID, you can allow access to sanctioned applications based on user identity information, rather than IP address, providing visibility into who is using what applications on the network, and who is transferring files and possibly introducing threats into your organization.

When applied correctly, user-based access controls can reduce incident response times and strengthen your organization’s security posture. Outlined below are five key points to consider when applying User-ID technology to your NGFW security infrastructure.

1. Understand the organization’s user environment and architecture

To do this, ask yourself the following questions:

  • Which locations does my organization operate in? An organization might operate in several different locations, such as a main campus, branch offices or remote locations.
  • What authentication method is used in each location? Do users log in directly to directory servers, or are they authenticated and authorized on wireless LAN (WLAN) controllers, VPN systems or network access control (NAC) devices?
  • What are the operating systems (OS) in each location? There could be heterogeneous environments with Windows®, Mac and Linux capabilities, or homogenous environments with only one OS.
  • How do endpoints log on to the network? Are endpoints identified and authenticated prior to logging on to the network?

2. Figure out supported user-to-IP mapping strategies, and determine the ones you will use

Figure out what user-to-IP mapping strategies are supported by your next-generation firewall. A number of mechanisms are typically supported to identify users – third party proxy servers, WLAN controllers, terminal services agents, directory service logs, and more.

Based on discoveries in the first step, select the user-to-IP mapping strategies that apply to your environment.

3. Implement the selected user-to-IP mapping strategy for user visibility

Implement the selected strategy to gain visibility into users’ behavior. Collaboration with other team members, such as IT architects, security operators and network admins, is critical here.

This visibility will enable the identification of activities and usage patterns tied to users, instead of IP addresses, including insights such as top users and browsing history; top apps accessed by users in the marketing group in the last 24 hours; or Software-as-a-Service (SaaS) application usage broken down by user – all providing valuable data points around which to formulate appropriate user-based access controls.

Share the visibility reports and data with other team members with whom you collaborated.

4. Ensure business policies exist to justify user-based access controls

Before rolling out User-ID-based controls, ensure supporting business policies exist that define access parameters. Typically, such policies are established by human resources (HR) and legal. If such policies do not exist, collaborate with HR and legal to establish policies, leveraging the user-based reports as your guide.

In addition, when defining user-based access controls, it’s best to do so in terms of groups, rather than individual users. Instead of marketers, Jane, John and Joe, think of the three individual users as the marketing group. This will go a long way to simplify policies and keep administrative overhead to a minimum.

5. Implement user-based access policy

Once corresponding business policy is aligned and user groups defined, user-based access controls can be implemented. Create a list of security rules that whitelist acceptable applications and websites, and deny access to ALL else, and then implement the policy, one group at a time.

The user groups impacted by the new access controls will likely have questions. Communication is key here. Let the impacted user groups know what you plan to do and when you plan to do it. Organizations can also consider forming a special incident response team to field the higher-than-average volume of inquiries related to the implementation to ease the minds of users and drive a smooth execution.
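As an added illustration of steps 2 through 5 (example code, not Palo Alto Networks code and not a model of how User-ID itself is implemented), the following Python models the flow end to end: user-to-IP mappings built from constructed logon events that expire and are superseded, users rolled up into groups, and a per-group allow list with deny-all as the default, including the case where an address has no mapped user. The log format, timeout, group names and application names are all assumptions.

```python
"""User-based access control modelled after the five steps above.
Added example: the logon-event format, groups, applications and the
45-minute mapping timeout are constructed assumptions."""
from datetime import datetime, timedelta

# Steps 2/3: user-to-IP mappings derived from (constructed) directory logon events.
# Format per line: "<ISO timestamp> LOGON|LOGOFF <user> <ip>"
LOGON_EVENTS = """\
2017-01-18T09:00:00 LOGON jane 10.1.20.15
2017-01-18T09:05:00 LOGON john 10.1.20.16
2017-01-18T09:10:00 LOGON alice 10.1.30.7
2017-01-18T09:30:00 LOGOFF jane 10.1.20.15
2017-01-18T09:31:00 LOGON bob 10.1.20.15
"""

MAPPING_TIMEOUT = timedelta(minutes=45)  # a mapping ages out without a fresh logon


def build_user_ip_map(events_text, now):
    """Return {ip: user} for mappings still valid at `now`. Later events for
    the same IP supersede earlier ones, so a new logon from an address
    re-maps it instead of leaving a stale user behind."""
    mapping = {}
    for line in events_text.splitlines():
        ts, kind, user, ip = line.split()
        when = datetime.fromisoformat(ts)
        if kind == "LOGOFF":
            mapping.pop(ip, None)
        elif now - when <= MAPPING_TIMEOUT:
            mapping[ip] = user
    return mapping


# Step 4: groups, not individuals, are the unit of policy.
GROUPS = {"marketing": {"jane", "john", "joe"}, "finance": {"alice"}}

# Step 5: allow list per group; any application not listed is denied.
POLICY = {"marketing": {"web-browsing", "salesforce"},
          "finance": {"web-browsing", "erp"}}


def groups_of(user):
    return {g for g, members in GROUPS.items() if user in members}


def decide(src_ip, application, user_ip_map):
    """Return ("allow"|"deny", reason). An address with no mapped user gets
    the deny-all default rather than a fallback to IP-based access."""
    user = user_ip_map.get(src_ip)
    if user is None:
        return "deny", "no user mapped to %s" % src_ip
    for group in sorted(groups_of(user)):
        if application in POLICY.get(group, set()):
            return "allow", "%s via group %s" % (user, group)
    return "deny", "%s has no group rule allowing %s" % (user, application)


def decide_at(src_ip, application, now_iso, events_text=LOGON_EVENTS):
    """Evaluate one flow against the mappings that are valid at `now_iso`."""
    user_ip_map = build_user_ip_map(events_text, datetime.fromisoformat(now_iso))
    return decide(src_ip, application, user_ip_map)


if __name__ == "__main__":
    for ip, app in [("10.1.20.16", "salesforce"), ("10.1.20.16", "erp"),
                    ("10.1.30.7", "erp"), ("10.1.20.15", "web-browsing"),
                    ("10.1.99.9", "web-browsing")]:
        print(ip, app, decide_at(ip, app, "2017-01-18T09:40:00"))
```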

With these considerations in mind, implement User-ID on your Palo Alto Networks NGFW security infrastructure to defend against successful cyberattacks and make the most of your security investment.

To learn more about the benefits of leveraging User-ID, user-based access controls, on your Palo Alto Networks NGFW:

* U.S. Mobile Worker Forecast, 2015–2020, International Data Corporation (IDC), May 2015

[Palo Alto Networks Research Center]

Windows 10 Steps Up Ransomware Defense

Here’s some good news for the countless businesses getting ready for the migration to Windows 10: Microsoft recently announced that its Windows 10 Anniversary Update features security updates specifically targeted to fight ransomware. No defense is completely hack-proof, but it’s great to see the biggest names in the tech world are putting ransomware at the top of their list of concerns.

Patching holes, preventing users from “clicking the link”
Microsoft released a guide on how the latest Windows 10 Anniversary Update specifically enhances protection against ransomware. The company focused on eliminating the vulnerabilities hackers have exploited in the past, and says its updated Microsoft Edge browser has no known successful zero-day exploits or exploit kits to date.

The company says its smart email filtering tools helped identify some 58 million attempts to distribute ransomware via email—in July 2016 alone. But what if a phishing email does reach gullible and mistake-prone end users? Microsoft says it has invested in improving its SmartScreen URL filter, which builds a list of questionable or untrustworthy URLs and alerts users should they click on a link to a “blacklisted” domain.

Thanks to security upgrades, Microsoft says Windows 10 users are 58 percent less likely to encounter ransomware than those running Windows 7.

Better threat visibility for IT
On the response end, the Windows 10 Anniversary Update also sees the launch of the Windows Defender Advanced Threat Protection (ATP) service. The basic idea behind Windows Defender ATP is to use contextual analytics of network activity to see signs of attacks that other security layers miss. Microsoft says the new service gives “a more holistic view of what is attacking the enterprise…so that enterprise security operations teams can investigate and respond.” Better visibility of your users’ activities—now that’s something we at Code42 can get behind.

Using the intelligence of the “hive mind” to fight ransomware
One impediment to the fight against ransomware has been organizations’ reluctance to share information on attacks, both attempted and successful. We already know that new strains of ransomware emerge daily, but without this shared knowledge, even older strains are essentially new and unknown (and thus remarkably effective) to most of the enterprise world. The sheer size and market share of Windows puts Microsoft in a unique position to solve this problem. Its threat detection products are now bringing together detailed information on the millions of attempted ransomware attacks that hit Windows systems every day. With Microsoft now focused on fighting this threat, we’re eager to see the company leverage the intelligence of this hive mind to beat back the advance of the ransomware threat.

What does Microsoft say about ransomware recovery?
It’s important to note that responding to a ransomware attack is not necessarily the same as recovering from an attack. In other words, Microsoft says Windows 10 can help you detect successful attacks sooner and limit their impact—but how does it help you deal with the damage already done? How does it help you recover the data that is encrypted? How does it help you get back to business?

The Windows 10 ransomware guide makes just one small mention of recovery, urging all to “implement a comprehensive backup strategy.” However, Microsoft offers a rather antiquated look at backup strategies, leaving endpoint devices uncovered, focusing on user-driven processes instead of automatic, continuous backup, and even suggesting enterprises use Microsoft OneDrive as a backup solution. As we’ve explained before, OneDrive alone is insufficient data protection. It’s an enterprise file sync-and-share solution (EFSS), built to enable file sharing and collaborative productivity—not continuous, secure backup and fast, seamless restores.

Making the move to Windows 10? Make sure your backup is ready
Most enterprises are at least beginning to plan for the move to Windows 10, as they should be. The new OS offers plenty of advantages, not least of which are security features that undoubtedly make Windows 10 more hack-resistant. But as security experts and real-world examples continually show, nothing can completely eliminate the risk of ransomware. That’s why your recovery strategy—based on the ability to quickly restore all data—is just as critical as your defense strategy.

Moreover, as more organizations make the move to Windows 10, they’re seeing that the ability to efficiently restore all data is the key ingredient to a successful migration. Faster, user-driven migrations reduce user downtime and IT burden, and guaranteed backup eliminates the data loss (and resulting lost productivity) that plagues the majority of data migration projects.

Jeremy Zoss, Managing Editor, Code42

[Cloud Security Alliance Blog]
