Tuesday, September 2, 2014

Types of Threats Differ by Industry

In consulting with clients concerning their information security needs, one question that comes up often is, "What is the information security threat to our organization?" 

To answer this question, we are best served in attacking it from both an internal and an external perspective. In other words, we want to know what a client's most sensitive or highest-value information assets are from their perspective as well as what types of threats are out there that could place those assets in jeopardy. This is a risk-based approach.

One often overlooked detail is that the goal should be to determine both the most likely and the most dangerous scenarios for the organization. These two are seldom the same, as the priorities of a bad actor targeting an organization -- what he thinks is valuable -- will often differ from what the organization sees as valuable.

Think of the person whose home is broken into and ransacked, who comes home to find that $25,000 in cash has been stolen. However, he might actually be relieved when looking around, because he finds that his three original paintings, valued at $100,000+ each, were untouched. Or perhaps his biggest worry on finding he'd been robbed was the draft of his patent application sitting out on his desk. He believes that it is worth millions and will make him rich soon, and the loss of a few thousand in cash is a mere annoyance by contrast. Perhaps the burglar didn't know it was there, perhaps he didn't realize its value, or perhaps he did and just wasn't interested in the effort required to monetize something of no immediate value to him.

So it's important to identify the priority targets from both perspectives, as well as to ensure that the client does not undervalue risks that are not the nearest and dearest to their heart. For instance, it is common for organizations to undervalue the risk to their reputation in a breach that might not compromise or destroy anything of tangible value.

From datadrivensecurity.info: Top 10 Threat Actions by Industry:


Friday, August 29, 2014

It's not Always "Either-Or"

It is often possible to narrow a given intrusion or breach down to a single event or vulnerability that caused it. However, this is not always the case. In fact, as any penetration tester can tell you, almost any far-reaching breach must leverage multiple avenues of discovery and attack in order to be successful.

This popped into my head while reading about the Community Health Systems Inc. (CHS) breach. One particular article asked a question that I think is asked frequently, but which flies in the face of the fact that most breaches are inherently multi-faceted.

Near the end of the article, the author asks: "Attack Vector – Spear Phishing or Heartbleed?" He points out that there are conflicting reports as to the root of the CHS intrusion. The FBI seems to indicate it came from spearphishing, while other reports implicate the Heartbleed bug on a Juniper router as the root cause.

But why need it be just one or the other? The article says that the breach revolved around malware running on a Windows machine and set up to run as a service. Well, that wasn't done via Heartbleed, was it? Heartbleed is (almost) exclusively a confidentiality risk: it can be exploited to expose information, read straight out of the vulnerable process's memory, to which the person exploiting the bug was not intended to have access. That can be a huge variety of information, but it is still just information disclosure. The disclosure might include, however, usernames, passwords, or password hashes on the system that was exploited. Those credentials could possibly be used to directly gain access to that device (if a management interface was enabled that was facing the Internet), or they could be used internally (either directly or by seeding a dictionary attack) against other hosts that might have been accessed in an entirely different way. Such as... the aforementioned spearphishing!
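The over-read that Heartbleed (CVE-2014-0160) depends on is visible on the wire: a TLS heartbeat message carries a payload_length field that the vulnerable OpenSSL trusted without comparing it to the bytes actually present in the record. The detection check below is an added example written for this post, not code from the original article or from any vendor; it parses a TLS heartbeat record and flags a request whose claimed payload length exceeds what the record really contains. The sample records are constructed by hand, and the names build_heartbeat, check_heartbeat_record and scan are chosen here for illustration.

```python
"""Flag malformed TLS heartbeat records of the kind Heartbleed relies on.

Added example for this post, not code from the original page. The sample
records in SAMPLES are constructed by hand so the script runs offline.
"""

import struct

TLS_HEARTBEAT = 0x18   # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST = 1
HB_RESPONSE = 2
MIN_PADDING = 16       # RFC 6520: a heartbeat message carries at least 16 padding bytes


def build_heartbeat(claimed_len, payload, padding=b"\x00" * MIN_PADDING, version=(3, 2)):
    """Build a TLS heartbeat request record (constructed test data).

    claimed_len is the payload_length field the sender writes. A benign sender
    sets it to len(payload); a Heartbleed probe sets it far larger than the
    payload it actually sends, hoping the peer copies that many bytes back.
    """
    body = struct.pack("!BH", HB_REQUEST, claimed_len) + payload + padding
    header = struct.pack("!BBBH", TLS_HEARTBEAT, version[0], version[1], len(body))
    return header + body


def check_heartbeat_record(record):
    """Classify one raw TLS record.

    Returns (verdict, detail) where verdict is 'benign', 'malformed' (claimed
    payload exceeds the bytes present, i.e. a Heartbleed-style over-read
    attempt) or 'not-heartbeat'.
    """
    if len(record) < 5:
        return "not-heartbeat", "truncated record header"
    content_type, _major, _minor, record_len = struct.unpack("!BBBH", record[:5])
    if content_type != TLS_HEARTBEAT:
        return "not-heartbeat", f"content type {content_type:#x}"
    body = record[5:5 + record_len]          # use only what is really on the wire
    if len(body) < 3:
        return "malformed", "heartbeat body shorter than type+length header"
    hb_type, claimed_len = struct.unpack("!BH", body[:3])
    # Bytes genuinely available for payload once the 3-byte header and the
    # mandatory 16-byte minimum padding are accounted for. The vulnerable code
    # copied claimed_len bytes regardless of this figure.
    available = len(body) - 3 - MIN_PADDING
    if claimed_len > available:
        return "malformed", (f"claims {claimed_len} payload bytes but only "
                             f"{max(available, 0)} present")
    return "benign", f"type {hb_type}, payload {claimed_len} bytes"


# Constructed samples: one normal heartbeat, two over-read probes (one with the
# mandatory padding, one without any padding at all), and one non-heartbeat
# record (application data, content type 0x17).
SAMPLES = {
    "benign": build_heartbeat(4, b"ping"),
    "heartbleed": build_heartbeat(0x4000, b""),
    "no_padding": struct.pack("!BBBH", TLS_HEARTBEAT, 3, 2, 3)
                  + struct.pack("!BH", HB_REQUEST, 0x4000),
    "app_data": bytes.fromhex("1703020010") + b"\x00" * 16,
}


def scan(records):
    """Run the check over a name -> record mapping and return name -> verdict."""
    return {name: check_heartbeat_record(rec)[0] for name, rec in records.items()}


if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        verdict, detail = check_heartbeat_record(rec)
        print(f"{name:12s} -> {verdict:14s} {detail}")
```

The same length comparison is what network IDS signatures for Heartbleed do; it catches the request on the way in, which matters because a successful over-read leaves no trace in the victim's own logs.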

So there's one example of a three-step breach: a) gain admin user's credentials off a router/firewall via Heartbleed, b) spearphish a user to get a RAT running on their machine, and c) use the known privileged credentials to elevate privileges on that machine (or another). Extra cleverness points for using the credentials again on the router/firewall once you're inside to access the admin interface and alter any rules or logs that might block or detect your C2 mechanism.

Lesson in a nutshell: never assume that a given intrusion has a single "root cause." Root cause analysis is important, but keep in mind that things can have more than one root.

Friday, January 10, 2014

Google set to allow any Google+ user to email any Gmail user

So Google is rolling out a new Google+ feature that will allow anyone with a Google+ account to email anyone else with a Google+ account at their Gmail address, even if they don't know your actual email address. This is, as some have pointed out, similar to how anyone on Facebook can send a private message to anyone else. This feature has its usefulness in social networking, mostly in terms of finding out if the person you've found in a search is really the person you think they are. However, most of us just don't view our Gmail accounts the same way we view our Facebook -- it's our EMAIL, and we don't want people to just send things there willy-nilly without even having our address.

So if you don't want this, here is how to disable it:

Click on the little "gear" icon in the upper-right corner of Gmail. It brings down a menu that looks like what you see on the right. 

The settings menu has multiple tabs, but that's not important for our purposes. 

The setting for Google+ users being able to email you is on the "General" tab (the first one you're on when you go to Settings). You should be looking at something like what you see below. There are four choices.

The "Anyone on Google+" choice is the default, and that is the most infuriating thing about Google's action here. "Extended circles" means the same as what Facebook more clearly calls "friends of friends." Essentially, it's people "two degrees of separation" away from you. Your "Circles" are the people you've explicitly connected to; that's the setting I put mine on, as I figure I don't mind if someone I've intentionally connected to emails me. It might even be nice, as they can email me even if they've somehow lost my address. The "No one" setting just disables the new feature altogether, meaning nobody can email you via Google+.

Read More: