
Application whitelisting (AWL) is a technology that has been used in the security industry for a long time but is not yet widely accepted in enterprise workstation environments. AWL is the opposite of blacklisting, which is the model used in most antivirus software today. Traditional antivirus looks for malicious files by fingerprinting files on the system and checking those fingerprints against a registry of known malware (the blacklist). Antivirus also looks at other variables and file behaviors to decide whether an intervention is needed; that intervention is the antivirus adding the file to the local blacklist. Application whitelisting is different.

Whitelisting operates on a no-trust, “default deny” model which does not allow any code to run on the system unless it has been explicitly added to the list of executables known to be NOT malicious. With whitelisting software becoming more advanced and enterprises growing warier of being attacked, this technology is on the rise. If you are not whitelisting at least your critical enterprise servers, you should be. Most industry experts would agree that deploying whitelisting software like McAfee Application Control is the single best way to secure an endpoint from being attacked. The reason every server, workstation, and mobile device does not use this technology is that it needs to be properly managed.

Deploying a whitelisting program in production is a daunting task that will be met with skepticism throughout the enterprise because people generally do not like to be told what they can and cannot run on their workstations. Getting management support and developing well thought out policies to deal with the inherent issues that will come up once you go live is vital.

A pilot program on enterprise servers that generally do not change much is a good place to start. The way AWL works is that you either take a snapshot of a system and all of its executables to create your whitelist, or you use the corporate gold image if one exists. The next step is to turn on the technology in audit mode to allow time for establishing a baseline.

This step allows changes to be made to the system but logs them for review. Generally, two to four weeks is a good amount of time to get a good picture of what the system's normal behavior looks like. The final step, when you lock down the system, is establishing policy to decide what happens when the end user tries to execute a program not on the whitelist. There should be a review team able to make decisions in a reasonable amount of time. Every successful AWL deployment will have a dedicated team to deal with approval requests and the management overhead. At ArchetypeSC we have experienced professionals that can give your enterprise the upper hand against the persistent threats attacking networks constantly. When a hacker gains access to a system they need to run tools to successfully achieve their objective. If the tools aren’t able to run because of a whitelisting policy, then the chances of your enterprise having a breach have been drastically reduced.
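The snapshot, audit-mode and lockdown steps above can be modelled in a few dozen lines. The following script is an added example written for this page, not code from McAfee Application Control or any other product: it builds a whitelist from the SHA-256 hashes of every executable under a snapshot root, then evaluates execution events in audit mode (unlisted binaries run but are logged) and in enforce mode (unlisted binaries are denied), and finally shows the review team approving an unlisted tool. The file names and contents are constructed sample data created in a temporary directory.

```python
"""Application whitelisting baseline, audit mode and enforce mode (constructed example)."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

EXECUTABLE_EXTS = (".exe", ".dll", ".ps1")  # assumption: what counts as "executable"


def sha256_of(path: str) -> str:
    """Fingerprint a file by content, not by name: a replaced binary gets a new hash."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Snapshot step: map SHA-256 -> first path seen for every executable under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXECUTABLE_EXTS):
                path = os.path.join(dirpath, name)
                baseline.setdefault(sha256_of(path), path)
    return baseline


@dataclass
class Policy:
    whitelist: dict
    mode: str = "audit"                 # "audit": log but allow; "enforce": deny
    log: list = field(default_factory=list)

    def evaluate(self, path: str) -> bool:
        """Return True if the execution is allowed; unlisted hashes are always logged."""
        digest = sha256_of(path)
        if digest in self.whitelist:
            return True
        verdict = "ALLOWED-UNLISTED" if self.mode == "audit" else "DENIED"
        self.log.append((path, digest, verdict))
        return self.mode == "audit"

    def approve(self, path: str) -> None:
        """Review-team action: add a reviewed binary to the whitelist."""
        self.whitelist[sha256_of(path)] = path


def demo() -> dict:
    """Walk through snapshot -> audit -> enforce -> approval on constructed files."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "app.exe")
        helper = os.path.join(root, "helper.dll")
        with open(app, "wb") as f:
            f.write(b"known-good binary v1")
        with open(helper, "wb") as f:
            f.write(b"known-good library")
        baseline = build_baseline(root)

        # After the snapshot: a new tool appears and app.exe is replaced in place.
        newtool = os.path.join(root, "tool.exe")
        with open(newtool, "wb") as f:
            f.write(b"unlisted binary")
        with open(app, "wb") as f:
            f.write(b"known-good binary v2 (replaced after snapshot)")

        audit = Policy(dict(baseline), "audit")
        enforce = Policy(dict(baseline), "enforce")
        result = {
            "baseline_size": len(baseline),
            "audit_known": audit.evaluate(helper),
            "audit_new": audit.evaluate(newtool),
            "audit_modified": audit.evaluate(app),
            "audit_log": [entry[2] for entry in audit.log],
            "enforce_new": enforce.evaluate(newtool),
            "enforce_modified": enforce.evaluate(app),
            "enforce_log": [entry[2] for entry in enforce.log],
        }
        enforce.approve(newtool)                      # review team signs off on tool.exe
        result["enforce_new_after_approval"] = enforce.evaluate(newtool)
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The replaced app.exe is flagged even though its name is on the whitelist, which is the point of hashing content rather than trusting paths; the audit log is what the review team reads during the two-to-four-week baseline window before switching the mode to enforce.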

Not too long ago most people were unaware of how valuable their personal data was and the impact it could have on one’s life when it fell into the wrong hands. All too many people can say they have firsthand experience with the rise in the past 10-15 years of identity theft. Simply being aware of the existence and risk of identity theft can greatly reduce a person's risk of falling victim. Proactively making people aware of the risk they face, often unknowingly, can also reduce their exposure to identity theft.

This is interesting, but you may be wondering why I am writing about this on Archetype SC's IT security blog. The old model for security teams involved waiting for something to break and then fixing the issue.

A proactive mindset anticipates and solves problems before they arise. In today’s world, with the vast number of security applications and one-stop-shop providers, it is incumbent on the provider to deliver updates with fixes, both proactive and reactive. With that being said, security teams still play a crucial role by assessing where the next attack is going to happen and how to mitigate it before it takes place. By taking a proactive approach toward your security and systems you can fix things before they have the chance to break.

If you need help securing your infrastructure or would like a proactive security assessment, contact the team at Archetype SC. Archetype SC: we do complicated.

In this edition of our “Securing Your Windows Infrastructure” series, I’ll be talking about some great free tools offered by Netwrix. Netwrix was founded in 2006 and offers a comprehensive suite of commercial and free security tools, all focused around increasing visibility into the changes made to your Windows environment.

Among their free tools, you can find Netwrix Change Notifier for Active Directory, Netwrix Effective Permissions Reporting Tool, and Netwrix Change Notifier for File Servers. The two change notification applications should be considered essential in any organization where multiple people have administrative access to Active Directory and member servers, and the permissions reporting tool will increase visibility into the rights that have been granted to a user throughout your infrastructure.

Netwrix Change Notifier for Active Directory will give you “Complete Visibility into Who Did What, When and Where in Your Active Directory”. As with all of the freeware software offered by Netwrix, there are some limitations. Without a license you will not see who made a change, but you can still gain insight into the changes made in your environment, roughly when the change was made (based on when the report was generated), and which objects were affected.

Netwrix Effective Permissions Reporting Tool is a new freeware offering with no commercial counterpart. Using this application, you can scan your servers for the rights held by a specific user. After the scan is complete, you will be presented with a report that clearly shows the objects the user has permissions to, their level of access, and via which group(s) the access is gained. At this point, the tool is good for one-off scans or periodic audits, but I’m hoping to see a more feature-full commercial version in the near future.

Lastly, Netwrix Change Notifier for File Servers is very similar to Netwrix Change Notifier for Active Directory, but as you may have guessed, it targets files and folders, detailing changes to permissions as well as additions and deletions on the file system. As with Netwrix Change Notifier for Active Directory, you must upgrade to the commercial version to see who made the change and when.

If you weren’t familiar with Netwrix, I hope this quick introduction to a few of their most popular products was helpful and will give you a new level of insight into the changes made and permissions in your Windows environment. As always, feel free to contact Archetype SC at any time for assistance with auditing, Windows security, or any of the number of other services we offer.

The InfoSec community has seen a rise in attention-grabbing names for security vulnerabilities over the last couple of years, like Heartbleed, FREAK, Shellshock, and now the latest Android vulnerability, Stagefright. The Stagefright vulnerability is different, though: its name is derived from the media engine baked into the Android OS since version 2.2. The Stagefright engine is built into the application framework of Android, making it a part of your Android OS no matter what country you live in, which wireless carrier you use, or what brand of phone you buy. It is estimated there are 950 million devices vulnerable to a Stagefright attack.

The most alarming issue about this exploit is that it can be executed with no end-user interaction. An attacker simply has to send an MMS message with malicious code written into a video, and the device automatically begins to process the code, setting the attack in motion. Further complicating matters are most manufacturers' default settings, which auto-retrieve MMS messages. The user may not even know they were attacked, because after the exploit gains root access to the phone the message is deleted but the malicious code stays.

The Stagefright media engine runs with system privileges on roughly 50 percent of the affected devices, making it easy to gain root access to the device. Gaining root access on an Android phone is the holy grail of exploits, and the damage that can be caused is limited only by the attacker’s imagination.

Android is an open source OS, which some might say makes it more secure while others would argue the opposite. The security architecture built into system applications in Android takes the sandbox approach. Most system apps are designed to be contained within themselves so that attacks like the Stagefright exploit are not possible. This raises the question of why the Stagefright engine has access to the internet and can be executed without the user’s knowledge. The answer is that the DRM (Digital Rights Management) copyright control technologies implemented over the last decade have required media players to make sure the content is being played legally. The technologies used to protect the content often require media players to check in via the internet, leaving a door open for malware.

Google has already begun patching its Nexus line of phones and tablets, with Samsung following as well. The inherent problem with the Android OS is that it is segmented into thousands of different variations of devices and carriers, which makes patching a security hole like this a difficult task. Carriers like AT&T and Verizon control the software updates that get pushed out to their customers, further complicating the matter. If there is a silver lining in this exploit being brought forth, it is that Google and Samsung are going to begin delivering monthly security updates to devices. This is a step in the right direction for mobile device security.

Here is how to protect yourself from falling victim to the Stagefright exploit:

Android Kitkat – Open the messenger app and in the settings menu select “block unknown senders”

Android Lollipop – Open the messenger app and turn off Auto-Retrieve for multimedia messages.

Black Hat, the organization that has been providing the IT industry with the latest in security research, development and trends for the better part of the last two decades, has done it again. Black Hat USA 2015 has come to a close. In traditional Black Hat fashion, researchers have left the security world buzzing about newly discovered exploits and vulnerabilities. These vulnerabilities cover the gamut of technology and range from new malware to vehicle hacking.

Malvertising (malicious advertising) has been the leading delivery method for malware by cybercriminals this year. The use of malvertising has increased by 260%. Malvertising is difficult to distinguish from legitimate banner advertising and has become a major concern. Many enterprises still struggle with end-user education regarding e-mail phishing schemes. With the rapid growth in malware delivery via malvertising links, enterprises will struggle once again to educate users and mitigate threats targeting both enterprise and BYO devices.

Researchers had a good time with Android this year, reporting on two major vulnerabilities affecting nearly all versions of the platform. Stagefright, a vulnerability many are familiar with by now, was the most alarming, hence the name. Basically, Stagefright is a mechanism (libStageFright) embedded in the Android OS that helps the system process video sent via MMS or Google’s Hangouts platforms. libStageFright is responsible for pre-loading video sent via MMS to improve the user experience. However, cybercriminals could embed an attack in the video that would, in turn, launch automatically. This revelation has led smartphone manufacturers and Google to lean towards monthly security updates (thank you). If your device is vulnerable and unpatched, you can turn off the MMS auto-retrieve function. Another flaw in Android, though more complex to exploit, lives within the mobile Remote Support Tool (mSRT) apps. Basically, if a device is infected with malware that has mSRT permissions, it leaves the device prone to being taken over by an attacker.

New cloud-based man-in-the-middle attacks were presented. These attacks use cloud synchronization services (Google Drive, Box, Dropbox, etc.) as their delivery method. While your cloud account credentials may remain secure, the tokens used to establish those sessions can easily be hijacked. Once attackers have the tokens, it is an easy task to compromise files while they are being synced. In addition, cloud sync can be used to exfiltrate data and even carry command and control communications.

Researchers also demonstrated how networked printers can be used to send data via radio signal far enough to be picked up by an attacker. It is done by quickly power cycling the I/O pins on chips inside the printer, which generates a signal strong enough to be received outside the building.

Additional research provided insight into vulnerabilities in internet-connected vehicles using internet-aware Programmable Logic Controllers. SquareTrade card readers are vulnerable to a hardware-based attack that bypasses encryption. Vulnerabilities were discovered in Linux-powered firearms allowing unauthorized control and discharge.

If you missed Black Hat USA 2015, more details about the above vulnerabilities (and others) can be found throughout various websites and in 6-9 months all research documentation will be released and can be found in the Black Hat Archives at https://www.blackhat.com/html/archives.html.

In light of all the new vulnerabilities and research presented, it is as important as ever to remain diligent and ensure that your security team is knowledgeable and well trained in identifying anomalies in your enterprise environment. If you would like an assessment of security conditions at your company, need help implementing solutions to risks, or are trying to recover from an attack, the team at Archetype SC is ready to help. Regardless of your size, our team of experts will help you establish a safer and more secure digital presence.

Welcome to the second installment of Securing Your Windows Infrastructure. In the previous article, I talked about Domain and Server Isolation, a technique that can be used to isolate domain-joined systems from untrusted hosts and optionally to require encryption to and from systems containing more sensitive or confidential information. Today, I’ll be reviewing another low-effort, high-impact method that can dramatically increase the security of your Windows systems.

Microsoft’s Security Compliance Manager is a free download that can help you secure many Microsoft products, including all recent versions of Windows Server. For each product, there are pre-configured settings that combine both Microsoft’s best practices and industry standard settings that can be pushed out to systems using Group Policy, or to standalone (non-domain-joined) systems as of SCM version 3.

In addition to having support for Microsoft’s most popular products, Microsoft SCM includes baseline security configurations for the various roles a server may need to perform. For instance, there are multiple policies for Microsoft Exchange Server 2010 SP2, including CAS, Edge, Hub, Mailbox and UM services. For Windows Server 2012 R2, one will find specific policies for Domain Controller and Member Server compliance, as well as recommended values for account lockout and password configuration settings.

Once a product and role have been selected, an administrator is able to learn more about each of the security settings included in the policy. Along with each is a severity rating, a detailed description of the setting, a description of the vulnerability being addressed, and the potential impact that changing the setting could have on your environment. Using this information, each setting can be configured according to the security requirements of the individual server or enterprise.

After a suitable policy has been created, the easiest way to deploy it is using your Group Policy infrastructure, although other export formats exist including Excel (for documentation), SCCM and SCAP. Simply export the policy from SCM and import it into a new GPO. You will need to use caution when deploying a new security policy as the more restrictive settings may cause problems in your environment. A safe approach is to test a policy first in a QA environment, moving up to Dev and later to production. Another safe option is to deploy the policy only as new servers are deployed, so as to not break any systems in production.

For help avoiding common mistakes when using this tool in your environment, please contact our experienced team by using the form on the contact page of this website or by giving our office a call. Good luck, and stay secure.

Everyone makes mistakes; that’s right, I said everyone. The most important part of making a mistake is embracing the opportunity to learn from it and adapt your behaviors and processes once a mistake is made. User education on computer security is, without any doubt, one of the most (if not the #1) difficult and important functions of your IT Security Team. The bottom line is that most users understand technology only in terms of the functions they use. Meaning, many users are experts at sending emails, using Facebook and social media, or creating and sharing all of those wonderful Microsoft Office documents we all know and love. However, most users are not aware of the dangers of malicious scripts hidden in Office macros, or of how URLs can be made to look like a known site but actually send users to malicious sites designed to distribute malware and steal information.

But is user-education the solution to preventing data-loss in your organization? I suppose the answer is both “Yes” and “No”. Bruce Schneier (CTO of Resilient Systems) said, “I too have tried educating users, and I agree that it’s largely futile”. Part of the problem with user education is finding a balance of understanding. There are people in your environment that just don’t understand how technology works, and don’t want to. This may be generational or just a learned behavior but it is difficult to overcome. That being said, many of the people in your environment are able to absorb some of the technical knowledge required to use technology as safely as possible. The key is finding a balance between user education and the implementation of technologies that protect the environment in areas where education continues to fail.

In order to find that balance the IT Security Team needs to rely on metrics. Metrics can come from security appliances reporting on incidents or from user surveys and town hall meetings. Keep track of the gaps, the points where both technology and user training seem to be failing, and work together to find a solution. A common gap in many organizations is removable media protection. Not just portable hard drives and flash media but also DVDs and CDs too. Technologies exist to block and monitor these devices. Protect your environment from those promotional CDs that are embedded with rootkits and botnets by not allowing users the opportunity to forget their annual security training. Simply remove the “user choice” variable from the equation.

Of course in many environments the “push back” that comes from taking away functionality can be swift and harsh. Again, this is where the need for balance arises. In order to be profitable in business, there must always be some risk that is simply identified and accepted. The IT Security Team and Executives must work together to identify and mitigate or accept the risks.

So are users the weakest link in the security chain? There are definitely arguments for both yes and no. User training and education is not going to go away. It is also important that as security professionals we make our servers and endpoints as secure as possible regardless of who sits in front of them. At Archetype SC our Consultants and Engineers are ready and willing to help your organization design or improve your end-user training program. Let our skilled professionals analyze the gaps in your environment and help you plan for and implement technology and training modules to increase your organization's security posture while allowing the business to function optimally.

In this series I will cover some lesser-known features, built right into Windows, which can be used to secure your Windows infrastructure. I’m going to start the series by discussing a feature known as “Domain Isolation”. Domain Isolation (along with Server Isolation) is relatively easy to implement, transparent to users, and best of all, does not require any additional hardware, software or licenses.

Domain isolation is provided by the Windows Firewall with Advanced Security and provides two services: authentication and, optionally, encryption. Using Group Policy Objects, computers and servers in an Active Directory forest can be required to authenticate before communicating, or, in more secure environments, encryption of network traffic can be required. Once implemented, the computers of visitors such as guests and consultants can share the same physical network segment; however, all network traffic between these systems and domain-joined systems will be blocked by the Windows firewall.

Before requiring authentication or encryption, all systems in the forest must first be configured to request authentication. Unless a system is able to request authentication, it will never be able to communicate with systems that require authentication or encryption. In other words, configuring a system to request authentication enables its ability to be part of an isolated domain.

After that policy has been implemented and verified, the next step is to select systems that will require authentication, and a policy to enable this feature must be deployed. Domain Controllers and infrastructure servers such as DNS and DHCP servers generally should not be configured to require authentication, since computers that are not domain-joined may require their services. Publicly accessible systems such as web and email servers must also be omitted from the policy. After authentication is required on a system, it will not even respond to pings from unauthenticated hosts, so it’s critical to have a good understanding of your environment and what the implications of this change will be.

Lastly, encryption of all traffic to certain hosts can be required. Encryption uses IPSec transport mode, which encrypts just the contents of a packet, unlike a more common IPSec tunnel, in which the entire packet is encrypted. Servers holding the most sensitive information would be good choices for this policy, as well as Hyper-V host servers. One advantage of encrypting traffic between Hyper-V hosts is that it will protect replication traffic without requiring the configuration of certificates from within the Hyper-V settings.
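The three rollout stages just described (request, require, require with encryption) interact in ways that are easy to get wrong, and the article's warning about understanding the implications before requiring authentication is the part that bites in practice. The following script is an added example, not Microsoft's code and not a Windows API: it is a simplified model of how a pair of hosts ends up talking in the clear, authenticated, encrypted, or blocked, given each host's connection-security setting and whether it can authenticate (modelled here as being domain-joined). The `impact_of_change` helper uses that model to list which hosts would lose access to a server before its policy is switched to "require". The host inventory is constructed sample data, and the model assumption that encryption is negotiated whenever either side requires it is labelled in the code.

```python
"""Model of Domain/Server Isolation outcomes and a pre-change impact check (constructed example)."""
from dataclasses import dataclass
from enum import IntEnum


class Pol(IntEnum):
    NONE = 0     # no connection security rule applied yet
    REQUEST = 1  # request inbound/outbound authentication, fall back to clear
    REQUIRE = 2  # require authentication; unauthenticated peers are dropped
    ENCRYPT = 3  # require authentication and IPsec transport-mode encryption


@dataclass(frozen=True)
class Host:
    name: str
    domain_joined: bool       # assumption: only domain-joined hosts can authenticate
    policy: Pol = Pol.NONE


def outcome(a: Host, b: Host) -> str:
    """Return 'clear', 'authenticated', 'encrypted' or 'blocked' for traffic between a and b."""
    # Both sides must be able to authenticate AND at least request it to negotiate IPsec.
    can_negotiate = (a.domain_joined and b.domain_joined
                     and a.policy != Pol.NONE and b.policy != Pol.NONE)
    strictest = max(a.policy, b.policy)
    if can_negotiate:
        # Model assumption: encryption is negotiated if either side requires it.
        return "encrypted" if strictest == Pol.ENCRYPT else "authenticated"
    # No negotiation possible: a side that requires authentication drops the peer.
    return "blocked" if strictest >= Pol.REQUIRE else "clear"


def impact_of_change(hosts, target_name: str, new_policy: Pol) -> list:
    """Hosts that can reach `target_name` now but would be blocked after the policy change."""
    target = next(h for h in hosts if h.name == target_name)
    changed = Host(target.name, target.domain_joined, new_policy)
    return sorted(h.name for h in hosts
                  if h.name != target_name
                  and outcome(h, target) != "blocked"
                  and outcome(h, changed) == "blocked")


# Constructed inventory: a guest laptop, infrastructure, a workstation, a host the
# "request" GPO has not reached yet, a sensitive file server and two Hyper-V hosts.
INVENTORY = [
    Host("guest-laptop", domain_joined=False, policy=Pol.NONE),
    Host("dc01", domain_joined=True, policy=Pol.REQUEST),
    Host("ws01", domain_joined=True, policy=Pol.REQUEST),
    Host("legacy-box", domain_joined=True, policy=Pol.NONE),
    Host("fileserver", domain_joined=True, policy=Pol.REQUIRE),
    Host("hv01", domain_joined=True, policy=Pol.ENCRYPT),
    Host("hv02", domain_joined=True, policy=Pol.ENCRYPT),
]
BY_NAME = {h.name: h for h in INVENTORY}


if __name__ == "__main__":
    for pair in [("guest-laptop", "dc01"), ("guest-laptop", "fileserver"),
                 ("ws01", "fileserver"), ("legacy-box", "fileserver"), ("hv01", "hv02")]:
        print(pair, "->", outcome(BY_NAME[pair[0]], BY_NAME[pair[1]]))
    print("would lose dc01 if it required auth:",
          impact_of_change(INVENTORY, "dc01", Pol.REQUIRE))
```

Two of the article's points fall straight out of the model: the domain-joined legacy-box is cut off from the file server simply because the "request" policy never reached it, and requiring authentication on dc01 would strand the guest laptop, which is why domain controllers and DNS/DHCP servers are left at "request".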

I hope this quick overview of Domain and Server Isolation helped you understand the capabilities and benefits of this powerful and easy to use security feature. If you’d like assistance implementing Domain and Server Isolation in your environment, or if you have questions or concerns about the security of your infrastructure in general, please feel free to contact us at any time.

Everybody wants to be secure but not everyone is willing to make sacrifices to achieve it. The security/functionality/ease of use triangle is a simple but effective representation of the challenges faced when implementing security of any kind. When applied to IT security it acts as a sliding scale directly impacting all three of the points. IT security is not that different from other types of security like physical security, financial security, or national security but it doesn’t get the respect it deserves. The fact remains that as we make something more secure it generally becomes more difficult to use or less desirable from an ease of use perspective.

If you look at the triangle and see yourself closer to the security point, then you probably have a bulletproof email password, full disk encryption on your workstations, two-factor authentication for all of your web apps, and can spot a phishing attempt from a mile away. That person is in the minority when compared to the general population. The problem is that most people do not practice good habits or common sense where IT security is concerned.

Verizon’s 2015 DBIR (Data Breach Investigations Report) found that 50% of phishing emails are opened and 10% of them have the enclosed link executed. These phishing attacks require a user to take action for the malicious activity to take place, yet they are successful 10% of the time. This is just one of the many statistics that show we have a long way to go in the area of IT security. You can put up the tallest wall around something you want to protect, but if someone with a key is going to let the criminal in the front door, then the wall isn’t going to stop them.

Every security professional will tell you the importance of creating unique, long, and strong credentials for all of the accounts you have, but that can be a daunting task considering how many accounts most of us have today. While all of humanity waits for something better (i.e., biometrics), the username and password is here to stay and we need to embrace its existence. LastPass is a password manager that has some useful features, and while it is not the only password manager on the market, it is the one I use and have used for over 5 years for personal use.

LastPass’s offerings include a free version which is full featured with the exception of mobile devices, a premium version which allows access to your “vault” from your mobile device and other mobile features for $12 yearly, and an enterprise option adding SSO to web applications and other enterprise password management features at a cost starting at $24 yearly per user. I am a premium user and can honestly say that it is something I use every day and encourage others to as well.

LastPass for your browser comes packaged as an extension and works with all of the major browsers. Once installed it will automatically recognize pages with logins and either suggest that it save that site for future logins or fill with credentials you have in your vault. More importantly though, it can create a unique password for that site and save it for you. Next time you visit that site you need only to put in your LastPass master password and it will automatically log you in using the unique password it created without the need to remember it. When a website is breached and credentials are taken, the first thing criminals will do with that information is try and correlate the stolen credentials with other more important sites like your bank or email accounts. Using a unique password for every site is the easiest way you can protect yourself from being hacked.

LastPass mobile brings your vault to your phone or tablet and comes with other mobile features as well. One of the things I have been pleased with over the five years I’ve used it is its updates. The developers are always adding new and useful features, making the $12 yearly investment seem worthwhile. Again, it is cross-platform with all major phone operating systems and comes as an app. The app is multi-functional: it gives you access to your vault, allowing for copy and paste into other browsers, but it also comes with its own secure browser. If you need to check your accounts you simply open the app, put in your master password, and you are free to securely move from account to account without having to put in any credentials. It will fill your unique passwords automatically, making it a huge time saver, especially on a touchscreen.

There are dozens of other features bundled with the product including secure storage of notes, form fill profiles and many more that make it a great addition to your online life but one of the coolest is its security check. LastPass will audit your vault and perform several activities. It will check your email addresses against known breaches to make sure your accounts have not been compromised. It also checks for duplicate, old, weak, and compromised passwords and suggests remediation activities. All of this information is compiled and you are given a score to compare your security posture against other Lastpass users. Just released is the option of a one click password change allowing you to tell LastPass to change passwords for multiple sites and it will do it for you.

In closing, everyone has usernames and passwords that need to be used daily, and keeping them unique and strong is almost impossible without a system. Too often the “system” is a post-it note stuck to a computer monitor or using the same credentials for multiple sites. LastPass uses local-only decryption and the key never leaves the device, meaning that if their systems were breached your information would not be compromised. The vault is stored on their servers using AES 256-bit encryption, and the encryption strength is routinely increased to keep everything secure.

Check out www.lastpass.com for the latest information

The Cybersecurity Information Sharing Act of 2015 (CISA) is a law currently circulating through Congress in draft form. In a nutshell, it is supposed to allow the sharing of threat indicators between the federal government and private entities and corporations. The bill has been met with opposition, primarily from the ACLU (American Civil Liberties Union) and the EFF (Electronic Frontier Foundation).

The main concern is of course consumer privacy. The bill in its current form provides a blanket authorization for companies to monitor the internet activity of all of their users. That in itself doesn’t seem so bad since companies already have that authority. However, another provision in the bill requires the instantaneous sharing of that information with military and intelligence agencies like the NSA.

Is CISA starting to sound like a “cyber-surveillance” bill yet?

The bill does not require the sanitization of Personally Identifiable Information (PII) prior to transmission to government agencies. CISA also does not limit sharing only of cybersecurity information but also a wider range of offenses including crimes involving any level of physical force without that force causing bodily injury or death. One additional provision permits companies to take action against users (even innocent ones) without regard to the potential harm that could be caused.

The icing on the cake is that the bill also incorporates immunity to corporations from potential lawsuits further increasing the likelihood that the provisions in the bill will be acted on.

The Center for Democracy & Technology has written a letter to the Senate Select Committee on Intelligence outlining the objections of civil society organizations, security experts and academics and it can be viewed here: https://cdt.org/insight/letter-to-senate-select-cmte-on-cisa/

I am all for information sharing in the modern age that allows for the protection of consumer interests. However, how much of our rights to privacy should we throw away in order to “feel” safe?


Today we will be taking a look at some of the recent security issues Adobe has been having, including Adobe's recently-issued security advisory APSA15-02.

Summary

A critical vulnerability (CVE-2015-0313) exists in Adobe Flash Player 16.0.0.296 and earlier versions for Windows and Macintosh. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.

Most people are aware of the security risks of running plugins like Java and Adobe Flash in their browser, so it comes as no surprise when we see criminals using vulnerabilities in these plugins along with exploit kits such as Angler and malvertising schemes to further their illegal activity. Adobe announced a 0-day vulnerability in Adobe Flash Player version 16.0.0.296 delivered by an exploit kit called HanJuan. The vulnerability is caused by a bug in how Flash handles the FlashCC “fast memory access” feature (domainMemory) when the latter is used by Flash Workers (Flash threads). According to Trend Micro, this attack was delivered through malicious advertisements served on popular websites like Dailymotion, Wowhead and Answers.com, which redirected through multiple sites that ended up leading to the URL “hxxp://www.retilio.com/skillt.swf”.

Recently the Angler Flash zero-day (CVE-2015-0311) was discovered by a French researcher named Kafeine. We have also seen other exploit kits besides Angler, like RIG and Nuclear Pack, taking advantage of CVE-2015-0311.

Cisco has reported that 1,800 domains have been compromised using Angler and have been associated with exploits and the landing page. We have also seen Flash zero-day exploit code in Angler that was installing click-fraud malware called Bedep and using it as a dropper to install further malicious files. We are also seeing that this exploit code was hidden among several layers of obfuscation to avoid detection.

Exploit kits are dangerous because they have the ability to turn web servers into a launching pad for drive-by installs. In most instances, simply visiting one of these poisoned web pages can result in remote control of your computer through an unpatched plugin or browser. Flash is an attractive target since it uses local storage to cache files and has the ability to send and receive data to remote targets, which makes this exploit extremely dangerous. Flash cookies can be an appealing target since these data stores can hold credentials among other sensitive information. You can view information from Shared Objects on the file system in the following locations. On Mac, go to the Library/Preferences/Macromedia/Flash Player/#SharedObjects folder in your home directory; on Windows, the files exist in C:\Documents and Settings\[Username]\Application Data\Macromedia\Flash Player. My advice would be: if you must use the Flash and JVM plugins, use whitelisting; otherwise disable or uninstall them altogether. HTML5 is another alternative to Adobe Flash.
