Category Archives: Best Practices

Remote Work Policies

When Covid happened 9 months ago no one really knew what to expect. I am not sure that anyone still knows what to expect, but it looks like that Work From Home (WFH) is here to stay.

Many companies have decided that it has not negatively impacted productivity and some even say that productivity is better.

Some companies have decided that it is a great employee benefit and helps with recruiting. It also allows companies to recruit talent anywhere in the country (although companies need to watch out for the potential impact of having to comply with personnel, privacy and tax laws in multiple states). Facebook, for example, has said that they anticipate that 60% of their employees will work from home forever.

But it does mean that we should consider security impact of WFH. Here are some thoughts.

#1 – Your employee’s computer, even if it is a company provided one, is operating in hostile territory. You have no control over the rest of the employee’s family, what their computing habits are, whether they ever patch anything, what web sites they go to and even if their wireless has been updated since, say 2013.

This means that you have to assume a zero trust environment. Your employee’s computer is likely operating in a war zone full of land mines and snipers. Are your computers’ protections up to the task?

#2 – If you allow your employees to use their own computers, it is even worse. Not do you not understand the security of your employee’s family’s computers (and phones and video games and IoT devices), but you don’t even know the security setup of your employee’s computer. For example, when was the last time it was patched. Not just the operating system but every application that is installed on the computer.

#3 – If employees have to VPN into your network or into a cloud network, do they have access to the entire network? Does every employee have access to the entire network? Do they need access to everything. This is where sub-netting and segmentation come into play.

#4 – Continue and enhance employee security training, phishing training and now, also, vishing training. Attacks are up and the environment is hostile. Attackers know that and are taking advantage of it.

Some things that you can do:

Provide employees a personal HARDWARE firewall that they are required to place between their computer and the rest of their home network. Not inexpensive, but highly effective. This firewall can establish a VPN tunnel between the employee’s computer and the company’s office or data center transparently.

Create policies about BYOD computers. It is a pain to enforce, but your company is at risk.

Implement network segmentation. It may mean that you need to buy, one time, some consulting expertise, but once it is done, your IT assets are much more secure.

For company owned computers make sure that patching remains a high priority and encourage employees to patch personally owned computers.

Ask employees to, if possible, connect via a network cable and not via wireless. Wireless connections are significantly more vulnerable to attack.

If employees have to use wireless connections, make sure the default router password has been changed and that the router has been patched.

If possible, implement a device management solution such as Microsoft Intune, JAMF for Mac or Airwatch.

The security situation is not going to get any better any time soon. You are in control of your company’s destiny as cyber is a key to protecting your company. I read stories every single day about companies that have been hit by cyber attacks of one form or another and how it is impacting their business. One company I read about today has been down for a month trying to recover. Another can’t ship products. A third has its online services offline. That is just today. Do not be the next news story. Please.

Feds Pass IoT Security Law – Its a Start

The new law is called The Internet of Things Cybersecurity Improvement Act and it is a start. Just a start.

While no one can agree how many billions of IoT devices are going to installed when, what we do know is that it is going to be tens of billions of devices and growing dramatically every year.

We also know that IoT devices are being hacked regularly including the hacking of the St. Jude implantable cardiac device and the Mirai botnet.

The bill was passed by the House a couple of months ago and just passed UNANIMOUSLY by the Senate and sent to the White House for signature who is expected to sign it.

So what does it do?

NIST is Required to Publish IoT Security Standards within 90 Days

This is kind of a freebee since NIST has been working on this for a couple of years, but still it is not released. Here is a link to the draft version.

NIST is Required to Publish Federal Government Standards for Use and Management Within 90 Days

This is a big one. If the standard requires features in order for a company to be allowed to try and sell to the federal government (after all, who would want to be able to legally sell to the feds?), they are not likely to make two models – one for the feds and one for everyone else, so everyone benefits.

Six Months After NIST Publishes the Standard OMB will Review the Standards (and Modify any OMB Rules Needed to Comply)

This is a bureaucratic thing to make sure that government agencies don’t ignore the law, so therefore this, too, is important.

NIST Must Develop Vulnerability Reporting Guidelines Within 180 Days

NIST will work with industry and academia to create guidelines to report, coordinate, publish and receive information about security vulnerabilities in IoT devices. This is important to standardize so that security researchers know the rules and what they can and cannot do.

The Federal Comptroller will Report to the House and Senate Bi-Annually About any Waivers Granted

This just provides a little daylight to any government shenanigans. The reports will be unclassified. The Comptroller will brief these committees after 1 year and then every two years about the broader IoT effort.

This bill is one thing that has come out of the Cyberspace Solarium Commission that issued its report earlier this year. Hopefully, more will come of it that report.

While it seems unlikely that the current occupant of the White House cares much about Internet security, it is already apparent that the next occupant will care significantly more. If Congress is nudged by the future White House to pass more legislation, that will certainly increase the odds that they will, which is, hopefully, good for security overall. Credit: CSO Online

Default Passwords on Gov Websites – What Could Go Wrong?

You would think that in 2020 we wouldn’t have to tell people not to use default passwords.

You would certainly think that we wouldn’t have to tell government IT folks not to do that.

But if you thought that, apparently, you would have thought wrong.

We are still telling end users to change the password on their WiFi router. And on their Internet modem or firewall. But those are consumers.

We recently did a penetration test for a client. The client has a lot of locations.

For the most part, their Cisco ASA firewalls were secure.

Except for a couple of them.

Which still had the default password. At that point, we owned their entire network.

Fast forward to last month. The FBI said, privately, that foreign actors had successfully penetrated some government networks and stole source code.

Now we are getting at least some of the rest of the story. We still don’t know which agencies were hacked and what was stolen, but we do know how.

SonarQube is an open source application to help companies or agencies improve code quality through continuous static code analysis.

But if you put that on a public facing web site and you don’t change the default password – which is a really hard to guess “admin/admin”, you kind of have a problem.

I don’t understand enough about how SonarQube works, but it seems to me that it SHOULD NOT be exposed publicly and it probably should not be on production servers.

Here it is, at the tail end of 2020 and we are still telling people – IT people – to change the freaking password.

And security folks have been talking about this specific problem with SonarQube for a couple of years now and not just inside the gov.

Come on folks – get with the program. Hopefully what was stolen was not too sensitive but the fact that they are not telling us who was hacked and what was stolen probably means that it was sensitive. Credit: ZDNet

What Will 2021 Bring for Security Teams?

Let’s start with the bottom line: dynamic and unpredictable.

Sorry for the bad news.

And hackers will continue to take advantage of that.

Permanent Remote Work

For some companies, some roles will never return to work at the office. The process is working and the competitive advantage in attracting talent is significant. That makes things harder for security and audit teams and for those of you in regulated industries, the regulators are going to want to know how you are securing those remote work locations.

Dynamic Risk Environment

That includes new and unexpected cyber risks and general business risk. How quickly will your security team be able to handle new business models needed to survive in 2021?

Audit Teams will Become a Core Part of Business Response to Risk

If you thought audit was a pain in the (somewhere) in the past, they are going to need to be more integrated into the business model. That also means that some companies will be increasing the size of their audit teams.

Hackers Will Continue to Innovate

Hackers tend to be much more agile than businesses have been traditionally. During Covid, the hackers have taken advantage of that to run their game. Ransomware is through the roof. When People weren’t paying the ransom, the hackers started stealing their data. When companies called the hacker’s bluff as to whether they were going to publish the data, hackers started threatening individual customers and outing the companies that they hacked on Facebook. You are going to need to be very agile in 2021 to stay ahead of the hackers.

Credit: Help Net Security

Microsoft Says Switch Away from SMS-Based Two Factor

This falls into the “well, it is about time” category.

While text message based two factor authentication is, by far, the most popular method of two factor authentication, Microsoft said it should be avoided, along with voice based two factor authentication.

Why? Is two factor authentication bad? Or useless? No, none of the above. It is just that there more secure methods. They say that ANY form of two factor authentication significantly improves security.

They provide a list of reasons why you should move to other forms of MFA and we know that this will take time to adopt, so this is a good message to deliver now.

The way we have seen the most compromises of two factor authentication go down is by what is called SIM-Jacking, where the hacker gets the phone provider to transfer your number to the hacker’s phone. At this point, any text messages meant for you go to the hacker. This is still a targeted attack, but the target may be any high value situation. Banking, for example.

Migration to app-based authentication, which would require the hacker to physically steal your phone, is considered far more secure. One risk of it is what happens if you lose your phone. For that, many of the apps support sending an encrypted backup to the cloud, protected by a strong password.

Examples of (all free) app based authentication software is Microsoft Authenticator, Google Authenticator, Facebook Authenticator and Authy. Most websites that support app based MFA will work with any of these apps, even when they say to use one of them.

One strategy is to move what you consider high value target accounts to app based MFA first. For example, if it would be a problem if a hacker stole all of the money out of your retirement account, that might be a good first account to protect using this new method.

Credit: Helpnet Security

Chain of Evidence

This seems to keep coming up, so maybe spending a little time on the subject might be helpful.

The security or privacy team creates this form for users to acknowledge something or approve something and then hand it off. Marketing gets in the middle of it to make it look pretty. Developers then take a few shortcuts to get it done on time.

Problem solved. Or is it?

Eventbrite was involved in a dispute with a customer. They wanted to invoke the arbitration clause in their terms of service. Okay. So far, so good.

But they run three versions of their application: A desktop website. A mobile website and a mobile app. They all had a terms of service acknowledgement, so are we still good?

Here is where they got into trouble.

Three platforms, three different acknowledgement forms.

Three different color schemes.

Three different button locations.

Then when they went to court they close cropped the screen shot hoping the judge wouldn’t figure out there was a whole bunch of distracting stuff next to the terms of service link.

Did marketing intentionally reduce the contrast of the link so people would not actually read what they were agreeing to?

Then there is the issue of the fact that there were, over the years, multiple versions of that screen.

So here is a question for you to ponder.

COULD YOU TELL A COURT WHAT VERSION OF THE RELEVANT SCREEN WAS IN PRODUCTION AT THE TIME THE USER AGREED TO THE TERMS?

I didn’t think so.

Then there is the issue of which platform the user agreed to the terms on.

COULD YOU TELL A COURT WHICH PLATFORM A USER AGREED TO YOUR TERMS ON?

Then there is the issue of time.

In this case the user signed up 5 years ago.

So what you need to do is know what version of the software was running whichever platform the user was on at the time the user actually acknowledged whatever it is you are concerned about and keep track of that for say, 5 years or 10 years or more. You need to be able to produce a visual image of what the screen actually looked like, including colors and positions. For each platform.

Are you good?

Oh, yeah, one more thing. Are your log files forensically sound? Could you swear under oath that the data that you had could not have been manipulated or even accidentally changed by a DBA or admin? Do you even keep logs for long enough? Do you collect all of the right data? You get the idea.

For the legal version of this conversation, read Professor Goldman’s blog here, but you probably have enough of a headache now.

Likely, you need to partner with your legal team to make sure that you get this right. It basically cost Eventbrite their case.

Could you defend your case if you had to?