Monday, November 24, 2014

Surprise! User accounts with elevated permissions still remain a big target for Cyber Actors.

Hi Anything Cyber community, After downloading a report just released by CyberArk regarding the dangers of not properly securing user accounts with elevated permissions (i.e. admin accounts), I reflected on how I was always taught that administrators should have both a user-level account with the standard level of rights and an admin-level account with elevated rights. Administrators should only use their elevated accounts when additional permissions are needed to perform their work-related duties. While it's good to minimize the time in which an administrator has elevated permissions, to shrink the window in which a Cyber Actor can take control of an elevated account, it's also important that administrator accounts are appropriately fortified to minimize the risk of takeover. For example, make sure that default passwords on administrator accounts are disabled or changed to strong passwords. Minimize the number of administrator accounts to reduce the attack surface. If an employee no longer requires administrator access or other elevated rights, remove those rights immediately. In an April 2013 post, I mentioned the practice of minimizing the usage of privileged accounts. Hopefully corporations will listen after CyberArk's recent report. Jimmie Walker

Tuesday, October 28, 2014

Don't trade home network security for App-controlled lights

Anything Cyber community, Don't know if it's just me, but I've seen quite a few network-enabled devices (NEDs) hit the market. I know some who brag about their networked home, which allows them to control lights, thermostat, and alarm system from a smartphone app. Aside from the added cost of implementing these conveniences, one must also consider the security implications of having their fridge and lights connected to their home wireless network. Although one can follow all proper measures to secure a wireless network, it's only as secure as its weakest link. Don't let a networked light bulb serve as the weakest link in your home network. If you do decide to make the NED leap, investigate the security measures the NED vendor takes to harden the device and mitigate the risk of the NED becoming an easy access point for hackers to own your wireless network. Just as you need to keep operating systems, wireless routers, and software applications patched, you also want to purchase NEDs whose vendor has the capability and commitment to provide patches in a timely fashion. Without patches, a once-secure fridge can, over time, become as easy to break into as WEP. Jimmie Walker

Monday, September 22, 2014

GREM Certified!!!

Good Afternoon Anything Cyber Community,

No, GREM is not short for gremlin. I didn't just become certified in gremlin. Earlier this month I passed the two-hour, nerve-racking certification exam to obtain the Global Reverse Engineering Malware certification. The GREM certification taught me how to properly handle malware, analyze the static characteristics of a given malware sample, analyze its behavioral characteristics, and identify indicators of compromise that allow a given malware sample to be identified on a computer or network. I had to become very intimate with the use of virtual machines, which allow for a controlled way to infect a system and roll it back to an uninfected state to experiment further with a given piece of malware.

I learned a tremendous amount while studying for both GREM and GPEN, and I'd highly recommend the SANS courses for anyone who wants some real-world hands-on experience in various data security topics. The link below is a plug for the 20 critical security controls that SANS helped create, which all businesses should implement to protect their corporate network. The controls can even be applied to secure a home network.

Until next time,

Jimmie Walker


SANS Top 20

Thursday, August 7, 2014

Possible relief from CryptoLocker

Hi Anything Cyber community,

For those of you familiar with CryptoLocker (ransomware that encrypts a victim's hard drive and demands hundreds of dollars to decrypt it), you might have heard in early June that the FBI shut down the CryptoLocker operation headed by a Russian hacker called Slavik. At that time, victims of CryptoLocker who had not paid the ransom to get their files decrypted had no avenue for reclaiming their files. Since the CryptoLocker servers had been taken offline by the FBI, there was no way to pay the ransom.

For those of you who still have files encrypted by CryptoLocker, there's hope. You can go to https://decryptcryptolocker.com and enter one encrypted file. FireEye and Fox IT have teamed up to determine the master decryption key based on the one file you submit. The master decryption key can be used to decrypt all other files on the CryptoLocker-infected hard drive. Since a unique master decryption key exists for each infected system, you'll have to submit an encrypted file from each system. When choosing a file to submit, do not submit a file containing sensitive information, since FireEye and Fox IT will have access to the file contents once decrypted.

Hopefully a service like this will come about for variants of CryptoLocker such as CryptoWall, which is currently causing havoc and encrypting victims' hard drives. The typical attack vector for CryptoLocker, CryptoWall, and other malware is spear-phishing e-mail. Be very wary of e-mails from people you don't know, especially if the e-mail contains a link or attachment. Also scrutinize e-mails from people you do know if the content of the e-mail seems out of character. Perpetrators are also using e-mail addresses that look very similar to that of a person you know and trust, except that 1 or 2 characters of the address are different.
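The lookalike-address trick above (a sender that is 1 or 2 characters off from someone you trust) can be caught mechanically by comparing each sender against a list of trusted contacts with an edit-distance check. The following is an added example, not code from the original post; the trusted contacts, the sample From: headers and the two-edit threshold are all constructed for illustration.

```python
import email.utils

# Constructed trusted contact list; these addresses are hypothetical.
TRUSTED_CONTACTS = ("jane.doe@example-corp.com", "accounts@example-corp.com")

def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character inserts, deletes or substitutions
    needed to turn a into b (classic dynamic-programming edit distance)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def classify_sender(from_header, trusted=TRUSTED_CONTACTS, max_edits=2):
    """Classify a From: header as 'trusted', 'lookalike' or 'unknown'.
    Returns (verdict, closest trusted address, edit distance)."""
    # parseaddr handles both "Name <addr>" and bare "addr" forms.
    _, addr = email.utils.parseaddr(from_header)
    addr = addr.strip().lower()
    closest, dist = min(((t, levenshtein(addr, t)) for t in trusted),
                        key=lambda pair: pair[1])
    if dist == 0:
        return "trusted", closest, 0
    if dist <= max_edits:
        return "lookalike", closest, dist
    return "unknown", closest, dist

def flag_lookalikes(from_headers, trusted=TRUSTED_CONTACTS, max_edits=2):
    """Return (header, impersonated contact, distance) for every lookalike."""
    flagged = []
    for hdr in from_headers:
        verdict, closest, dist = classify_sender(hdr, trusted, max_edits)
        if verdict == "lookalike":
            flagged.append((hdr, closest, dist))
    return flagged

# Constructed sample From: headers (not real messages).
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@example-corp.com>",    # exact match: trusted
    "Jane Doe <jane.doe@examp1e-corp.com>",    # digit 1 in place of l
    "Accounts <accounts@example-corp.co>",     # last character dropped
    "Jane Doe <jane.doe@exarnple-corp.com>",   # 'rn' mimicking 'm'
    "Vendor <billing@unrelated-example.org>",  # no resemblance: unknown
]
```

Running `flag_lookalikes(SAMPLE_HEADERS)` flags the three near-miss addresses and leaves the exact match and the unrelated sender alone; a "lookalike" verdict is a reason to verify the request out of band, not proof of fraud on its own.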

Stay safe in the digital world!

Jimmie Walker

Tuesday, July 29, 2014

GPEN Certified!!!

Hi Anything Cyber community,

Although I'm usually modest, I have to brag a little today. Months of studying paid off when I passed the GIAC Penetration Tester exam earlier this month to earn the GPEN credential. To pass the exam, I had to become proficient in numerous ethical hacking and penetration testing topics such as: password cracking, pass-the-hash techniques, wireless hacking, SQL injection, XSS attacks, Metasploit, Wireshark, tcpdump, user enumeration, Nmap, etc. Prior to the months of study, I completed a week-long SANS 560 course to gain hands-on experience identifying computer vulnerabilities and exploiting them to gain unauthorized access.

While I already had the CISSP and ISSMP credentials, the GPEN credential was very hands-on, versus just reading a book and completing practice exams. I now have an arsenal of software tools and the know-how to perform penetration testing. The GPEN certification furthered my computer security knowledge, and I highly recommend learning the concepts taught in SANS 560.

Jimmie Walker

Tuesday, June 24, 2014

Social Engineering as relevant as ever!

Anything Cyber Community,

Although I've studied social engineering on plenty of occasions during my career in Cyber security, I did not realize how much damage a good social engineer can cause to a victim company. A few months ago Mandiant reported that over 90% of attacks involve spear-phishing e-mails. Based on what I see on a day-to-day basis, spear-phishing has matured significantly since a few years ago, when the bogus emails were laden with broken English and misspelled words. Now social engineers use a combination of phone calls and well-crafted emails to influence personnel with access to the corporate bank account to transfer large sums of money. The transfers are presented as necessary for a big deal to be completed. Yet, in reality, the big deal is making the Cyber criminals rich.

While a company may have above-average network and data security in place, it is important not to take the human element for granted. Annual security awareness training is a must for all personnel. Also, so that the training has a chance to be absorbed, make it interesting and interactive to keep employees' attention. Don't allow employees to simply plow through the training without absorbing anything. Also, make sure employees are fully aware not to click on links from unknown or untrusted email senders. Last, make sure employees with access to the corporate bank account have well-documented and visible protocols for the approval of bank transfers or wires. No one person, not even the owner of the company, should have sole authority to transfer sums of money over a corporate-defined threshold.

And remember, if you receive an email or any other offer that emphasizes you must act today and you cannot tell anyone else, 99.9% of the time it's a scam. Don't buy it.

Jimmie Walker, CISSP-ISSMP

Tuesday, April 29, 2014

The importance of Pen Tests

Hi Anything Cyber community,

Since I just finished a week-long course in Penetration Testing (Pen Testing) hosted by SANS, I was inspired to discuss the importance of having a professional Pen Test performed periodically on corporate networks and computers. During the course, I was exposed to and practiced many techniques used by hackers to crack passwords and gain access to sensitive data (i.e. PII). Companies cannot say with confidence that they have performed due diligence in regards to network security unless a professional Pen Test is performed periodically against their network. The Pen Test will reveal the vulnerabilities of a network and also make recommendations to the corporation that will strengthen its defenses and mitigate the likelihood of sensitive data compromise.

While performing a Pen Test is great, the corporation must take the resulting Pen Test report and apply the recommendations of the Pen Testers. It's hard to say which is worse: not having a Pen Test, or having one and not doing anything to remedy the findings.

Jimmie Walker