Cybersecurity Quarterly
Summer 2017
A Publication from the Center for Internet Security

An Ethical Hacker’s Guide to Finding Hidden Assets on Your Network
The Costly, But Underpublicized Threat of Business Email Compromise Scams
Information Rights Management: A Time-Tested Solution for New Problems
How Phishers Have Evolved to Fool End Users Hook, Line, and Sinker
Network Entanglement: In the Age of The Cloud, BYOD, and IoT, Maintaining an Accurate Inventory of Connected Devices is Now More Important Than Ever Before
Contents

Featured Articles
Why Inventory Matters for Security: The importance of determining what devices are connected to your network and its crucial role in data security ... 8
Network Hide & Seek: A tactical strategy guide to discovering hidden assets on your network, straight from an ethical hacker ... 12
Protecting & Controlling Sensitive Government Information with IRM: How a time-tested technology can revolutionize how your organization protects its confidential information ... 16

Quarterly Regulars
Quarterly Update with Steve Spano ... 4
News Bites & Bits ... 6
Threat of the Quarter ... 10
Cyber Tips & Tricks ... 18
Calendar ... 19
Confidence in the Connected World
Summer 2017, Volume 1, Issue 1. Founded MMXVII.
Editor-in-Chief: Michael Mineconzo
Copy Editor: Shannon McClain
Staff Contributors: Matthew Grieco, Philippe Langlois, Ryan Spelman, Stacey Wright
Cybersecurity Quarterly is published and distributed four times a year, in March, June, September, and December.
Published by the Center for Internet Security, 31 Tech Valley Drive, East Greenbush, New York 12061
For questions or information concerning this publication, contact CIS at info@cisecurity.org or call 518 266.3460.
Copyright © 2017 Center for Internet Security. All rights reserved.
Quarterly Update with Steve Spano

I want to welcome you to the first edition of CIS’ newest product, Cybersecurity Quarterly. As the President and COO of CIS, I am proud and humbled to add “editor” to my resume. There are many things that CIS does, from the MS-ISAC, which is the go-to resource for cyber threat prevention, protection, response, and recovery for state, local, tribal and territorial government entities, to the CIS Controls and CIS Benchmarks, which are recognized best practices for securing IT systems. At its core though, CIS is about sharing information. Cybersecurity Quarterly has been developed to share information on the quarter that has been and to take a moment to highlight what may be coming down the path. The funding to develop this publication comes from our vendor partners in the CIS CyberMarket program (formerly the Trusted Purchasing Alliance), who not only support CIS, but also support our nation’s state and local governments by discounting their products and services. These partnerships have saved our participating organizations over $40 million in the last 4 years, and we forecast that number to continue to grow as we add more vendors in the years to come. We truly value our vendor partners, and I invite you to consider them in your future procurement decisions. I ask that you consider speaking with a member of our staff regarding our current vendor partners, and welcome you to provide suggestions for great products and solutions that we may secure discounts with in the future. The staff who run this program can be reached at info@cisalliance.org and are always looking for new ways they can help your organization obtain the cybersecurity solutions it needs, at a price it can afford.

Finally, I ask that you take some time out of your busy schedule to review this publication, as in the hectic world we live in, it is easy to lose sight of the forest when we are putting out so many fires. If we do not take a moment to look around though, we may miss the fact that the tools we need are within our grasp. I will be keeping this column as a way to share a selection of my thoughts on cybersecurity, procurement, and other challenges we all face in finding these tools. As I have worked in and around government for my entire career, I can assure you that I have some opinions! Please do not hesitate to share your thoughts on this newest addition to the family of CIS products. Thank you for being a valued partner in this journey we are all on together.
Steve J. Spano, Brig. Gen., USAF (Ret.) President & Chief Operating Officer Center for Internet Security
News Bits & Bytes

As of June 1st, the SANS Summer Buy Window is officially open. Until July 31st, state, local, tribal, and territorial governments, nonprofits, and public healthcare and education institutions can purchase some of SANS’ most popular cybersecurity training programs, including Securing the Human security awareness training, as well as OnDemand and vLive online technical training courses, at up to 70% off the regular price. Visit www.sans.org/partnership/cis for more information.

Last month, CIS’ Kathleen Patentreger, Senior Vice President of Programs, was elected to the Board of Advisors for the PCI Security Standards Council (PCI SSC). As a member of the Board of Advisors, Kathleen will work with other board members from industry leaders to provide directional and technical input on matters of focus vital for maintaining payment security standards. The board will work to ensure the PCI Security Standards properly address new and emerging threats, information sharing with industry and law enforcement, and merchant needs across industries and global regions.

In May, CIS officially launched our new website. The improved website illustrates CIS’ ongoing commitment to creating confidence in the connected world by offering cybersecurity tools, resources, guidance, and support to its members, partners, and the global online community. The new design also emphasizes the benefits of CIS’ integrated portfolio of cybersecurity resources. For example, the website leverages the cybersecurity insights and analyses generated by the MS-ISAC to highlight current threats. This information is also displayed in other solution areas of the CIS website, so visitors can understand how to bolster their own organization’s cyber defenses in the context of current threats. See our new and improved website at www.cisecurity.org.

The CIS CyberMarket is proud to announce our newest vendor partner, Skyhigh Networks, the world’s leading cloud access security broker (CASB). Through our partnership, participating state, local, tribal, and territorial governments, nonprofits, and public healthcare and education institutions can purchase Skyhigh for Shadow IT to enforce security, compliance, and governance policies across their networks for at least 25% off the regular price.

The SANS Institute has released its 2017 Security Awareness Report. Now in its third year, the report highlights what successful programs do right to change behavior and what lagging programs can do to improve and move beyond compliance. The report includes detailed recommendations and action plans to address the key findings uncovered in the analysis and is based on over 1,000 participant surveys from the awareness community. The data was analyzed by a global team of information security and data experts. Download the report at https://securingthehuman.sans.org/resources/securityawareness-report-2017.

Earlier this year, CIS was named one of the 2017 Top Workplaces for the New York Capital Region by the Albany (NY) Times Union. CIS was a Top Workplace winner in the midsize company category and the overall winner in the Employee Training category. Out of hundreds of area companies, only 50 are selected for the annual award. The awards are based solely on results from an employee feedback survey administered by WorkplaceDynamics LLC, a leading research firm specializing in organizational health and workplace improvement.
Why Inventory Matters for Security
One of the first and most important steps in securing your organization’s network — determining what devices are actually connected to it
By Philippe Langlois

As many organizations are chasing down the “best threat feed” and scrambling to find the tools with the most “machine learning capabilities,” they sometimes neglect some of the foundational security controls that every organization should master. At CIS, we are firm believers that organizations must have an intimate knowledge of their infrastructure to know what to protect and how best to protect it. Consider it a form of “defensive intelligence” that focuses on internal knowledge of assets and vulnerabilities, instead of “threat intelligence” that focuses on adversaries. We realize that not every organization has the resources to stand up their own intelligence team and translate threat intel reports into defensive actions; that is why we’ve imbued our knowledge of adversaries and cyber defense into the CIS Critical Security Controls, a set of prioritized cybersecurity recommendations used by organizations worldwide to counter the most pervasive cybersecurity attacks. There are currently 20 CIS Controls, each of which is further divided into sub-controls. The CIS Controls provide the ultimate end-state organizations should seek to achieve as part of their cybersecurity efforts, while the sub-controls provide prescriptive actions organizations can take to achieve the goals. The CIS Controls cover many of the traditional areas of cybersecurity, such as vulnerability management (Control 4) and malware defense (Control 8), as well as objectives that are often considered to be IT management activities. In this article, we’ll examine the importance of managing your hardware and software through CIS Control 1: Inventory of Authorized and Unauthorized Devices.

In a world of clouds, mobile devices, BYOD, and so on, why does it matter to protect hardware? Because data still resides somewhere, and we still have a duty to protect the confidentiality, integrity, and availability of that data. Therefore, we had better know what is in our environment and how it is being stored, processed, and accessed. Your inventory of hardware assets should include not just a static list of assets, but also the ability to automatically detect new assets being connected to your environment, as well as the ability to deny those unapproved devices.

There are two main reasons why you should care about maintaining an accurate inventory of hardware on your network. The first is the more classical justification in security: “I want to detect and correct when bad guys walk in and plug something into my infrastructure.” It might sound rather far-fetched to think that someone could just simply walk into your organization and plug in a device, but this has become a common part of many pentests for a reason – it works! Of course, you would hope that staff would be a little wary of an unknown and unaccounted-for device suddenly showing up, but what if that computer was just a small Raspberry Pi hidden in a universal power supply? If you haven’t heard of the companies that now produce pentesting tools masquerading as normal office technology, fire up your favorite browser and learn all the creative places people have stuffed their favorite pentesting operating system. Neat stuff for a pen tester; a little more harrowing from a defender’s perspective. The second reason an accurate hardware inventory matters: how can you protect something if you don’t know it’s there? In order to properly scan, fix, and secure all your assets, you need to have an accurate count of them. We’ve seen it happen all too often where a scanner was misconfigured or a single device was forgotten, leaving the door open for cyber criminals to wreak havoc. One of the classic stories about forgotten assets is the case of the university that was unable to find one of their server racks, only to discover, after physically following the Ethernet cable, that it had been walled over! Inventories can get complicated and it may not seem like a high payoff at first, but without knowing what to protect and how to keep rogue devices off your network, you’ll have a difficult time applying the other Controls and protecting your organization. Don’t let your forgotten assets be an easy target!
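As an added illustration of the detect-and-deny idea above (example code written for this issue, not CIS’s, the author’s, or part of the CIS Controls): it parses a constructed sample of Linux `ip neigh` output as a stand-in discovery source, compares every MAC address seen against a constructed authorized inventory, and separately flags addresses in the Raspberry Pi Foundation’s b8:27:eb OUI, the kind of small board the article describes hiding in plain sight. The MACs for Web1 and Laptop01 are taken from the nbtscan output later in this issue; the FileSrvr MAC and the unknown device are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample of Linux `ip neigh` output, standing in for whatever
# discovery source feeds the inventory (ARP tables, DHCP leases, switch CAM tables).
SAMPLE_NEIGH = """\
192.168.1.5 dev eth0 lladdr 00:1b:21:3a:4f:10 REACHABLE
192.168.1.35 dev eth0 lladdr d0:67:e5:40:0b:43 STALE
192.168.1.106 dev eth0 lladdr 10:0b:a9:74:39:3c REACHABLE
192.168.1.150 dev eth0 lladdr b8:27:eb:12:34:56 REACHABLE
192.168.1.200 dev eth0  FAILED
"""

# Constructed authorized inventory (MAC -> description). Web1 and Laptop01 use the
# MACs shown in the nbtscan output in this issue; FileSrvr's MAC is made up here.
AUTHORIZED = {
    "00:1b:21:3a:4f:10": "FileSrvr (server room)",
    "d0:67:e5:40:0b:43": "Web1 (DMZ)",
    "10:0b:a9:74:39:3c": "Laptop01 (IT)",
}

# OUI assigned to the Raspberry Pi Foundation: one quick tell for the kind of
# small board the article describes hiding inside a power supply.
RPI_OUI = "b8:27:eb"

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<state>\S+)$",
    re.I,
)


@dataclass(frozen=True)
class Device:
    ip: str
    mac: str
    state: str


def parse_neigh(text):
    """Return one Device per neighbour entry that has a resolved MAC address."""
    devices = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:  # entries without lladdr (e.g. FAILED) never resolved and are skipped
            devices.append(Device(m["ip"], m["mac"].lower(), m["state"].upper()))
    return devices


def find_unauthorized(devices, authorized=AUTHORIZED):
    """Devices whose MAC is not in the authorized inventory: candidates to deny."""
    return [d for d in devices if d.mac not in authorized]


def find_small_boards(devices, oui=RPI_OUI):
    """Devices whose MAC falls in the given OUI, regardless of authorization."""
    return [d for d in devices if d.mac.startswith(oui)]


def inventory_report(text=SAMPLE_NEIGH, authorized=AUTHORIZED):
    devices = parse_neigh(text)
    return {
        "seen": len(devices),
        "unauthorized": [(d.ip, d.mac) for d in find_unauthorized(devices, authorized)],
        "raspberry_pi": [(d.ip, d.mac) for d in find_small_boards(devices)],
    }


if __name__ == "__main__":
    for key, value in inventory_report().items():
        print(f"{key}: {value}")
```

Feed it the real neighbour table from a router or the lease file from your DHCP server and run it on a schedule; an unauthorized MAC is the trigger for the deny step (a port shutdown or NAC quarantine), and an OUI match on an otherwise authorized device is still worth a physical look.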
Philippe Langlois is a Technical Product Manager for the Center for Internet Security (CIS) Critical Security Controls. In this role, Langlois leads an international community of cyber security experts who develop the CIS Controls, a set of actions proven to mitigate 85% of the most prevalent cyber threats. Langlois manages the production, writing, and publication of a range of cybersecurity resources. Working in collaboration with users of the CIS Controls, Langlois ensures the quality and utility of the CIS Controls guidance, plus the availability of tools, scripts, and other resources aiding users with implementation of the CIS Controls. Langlois holds a Masters of Infrastructure Protection and International Security, a BA in Criminology, and certifications as a Global Industrial Cyber Security Professional (GICSP), GIAC Penetration Tester (GPEN) and GIAC Critical Security Controls Certification (GCCC).
Threat of the Quarter
This Quarter’s Threat: Business Email Compromise Scams

What is it?
Companies and U.S. state, local, tribal, and territorial (SLTT) governments are frequently targeted by Business Email Compromise (BEC) scams that attempt to deceive recipients into sending money or employees’ personally identifiable information (PII), or that use the entity’s name to fraudulently obtain material goods. Successful attacks are highly likely to result in financial fraud or identity theft, and it is possible they will result in compromises or data breaches. The Multi-State Information Sharing and Analysis Center (MS-ISAC) has identified three variants as routinely targeting or affecting SLTT governments. These variants are also widely reported as targeting private companies around the globe. All three originate from compromised, spoofed, or fraudulent email accounts, which are used to issue the request, and all three are associated with significant data or financial loss.

Purchase Order Fraud Variant: In this variant, cybercriminals obtain publicly available purchase order forms, and change the contact details on the forms to include different telephone numbers and email addresses or copycat websites. They then submit the purchase order to a vendor, have the goods shipped to a new address (often a mule, another victim, or directly overseas), and sell them for profit while the bill goes to the affected entity.

W-2 and PII Data Theft Variant: In this variant, cybercriminals pose as an administrator or senior official and send a targeted email to the human resources or finance departments requesting an email with all employees’ W-2 information or PII. The MS-ISAC believes W-2 information and PII stolen in this manner are often used to commit tax fraud and identity theft.

Financial Theft Variant: In this variant, cybercriminals pose as an employee or senior official and request an immediate wire transfer or state that “transactions” need to be “set up and processed.” The emails are typically directed toward the human resources or finance departments and convey a sense of urgency. In financial theft BEC emails, cybercriminals often use the name of the email target to establish trust and imply an existing relationship, which increases the likelihood of the target sending money to the cybercriminal.

All variants of the BEC scam can involve compromising the email account of the senior official and using it to send the email request, rather than simply spoofing the account. When that occurs, the cybercriminal has full access to the account, and can set up auto-forwarding or other rules, resulting in additional compromises. According to IC3, there are multiple variants of the scam which target businesses and governments. More information on how the IC3 defines the five variants is on the IC3 website.

Ransomware vs. BEC
Ransomware infections often receive more press coverage, although BEC scams can be more costly. In 2016, ransomware attacks were estimated to cost organizations $1 billion, while BEC scams have resulted in over $5 billion stolen since 2013, according to the Internet Crime Complaint Center (IC3). According to NTT Security, the average cost of a ransomware attack to an organization is $700, while the average cost of a BEC scam is $67,000.
Recommendations
Cybercriminals use traditional social engineering and phishing techniques to conduct BEC scams, which help increase the likelihood of successful attacks. Since the ultimate target of a BEC attack is the end user, awareness of BEC scams and their indicators is key.

Indicators of BEC scam emails can include:
- Poorly crafted emails with spelling and grammar mistakes, especially those indicating the email was sent from a mobile device (e.g. iPhone, iPad, Android, etc.) in order to convince the recipient the mistakes can be ignored.
- The email may include the wrong or an abbreviated signature line for the supposed sender.
- The email may use full names instead of nicknames (e.g. “Jennifer” instead of “Jen”), and the language structure may not match how the supposed sender normally communicates.
- The email specifies that the only way to contact the sender is through email.
- In some cases, the emails appear to be timed to correspond with times the senior official is out of the office.
- The transactions are for a new vendor or new contract.

The MS-ISAC recommends:
- Information Technology (IT) staff should handle incidents where the user supplied their credentials as a potential data breach. Mitigation steps need to include changing the user’s password and ensuring that malicious actors did not log in to the network and/or set up email rules. If malicious actors did log in, IT staff should consider the incident a possible breach until it can be determined whether the malicious actors had network access and/or received information.
- Read and implement the recommendations from the MS-ISAC Spear Phishing Primer at https://www.cisecurity.org/white-papers/cis-primer-phishing.
- Craft a policy for identifying and responding to phishing emails and train staff to follow the policy. Make sure to include the following:
  - When receiving unusual requests, users should verify the identity and authority of the email sender via standard (non-email) channels.
  - The true recipient of an email can often be verified by hovering the mouse over the address in the email header. Users should “hover to discover,” ensuring that their email is going to the correct person.
  - Users should reply by forwarding, and not by hitting the “reply” button, which helps to prevent successful spoofing attacks.
  - Internal warning banners to indicate the email is possibly spam, spoofed, or from an external source.
- Implement filters at your email gateway to filter out emails with known phishing attempt indicators and block suspicious IPs at your firewall. Flag emails from external sources with a warning banner.
- Users should report suspicious emails to security staff. The MS-ISAC also appreciates receiving notifications of all BEC scam attempts.
- Reach out and warn other departments and agencies of the BEC scam.
- Train staff in the finance and human resources departments to identify potential BEC scam emails and follow the suspicious email policy.
- Report BEC scams at https://bec.ic3.gov/. Tax-related suspicious emails should be reported to the IRS at https://www.irs.gov.
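The indicator list above can be turned into a first-pass triage check for the mail gateway or the help desk. This added Python example (not MS-ISAC’s, and not from the article) parses two constructed messages with the standard library and reports which indicators fire: an external sender, a Reply-To that points somewhere other than the From domain (the machine equivalent of “hover to discover”), a display name that matches a known official but not that official’s directory address, and the urgency, email-only-contact, mobile-signature, payment/PII and new-vendor phrasings. The domains, the directory and both messages are constructed.

```python
import email
import re
from email.utils import parseaddr

# Constructed: the organization's own mail domains and a directory of officials
# whose names a scammer would borrow (lower-case display name -> real address).
INTERNAL_DOMAINS = {"example-county.gov"}
DIRECTORY = {"jane doe": "jdoe@example-county.gov"}

# Phrasings from the indicator list, as simple patterns.
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|asap|as soon as possible|today)\b", re.I)
EMAIL_ONLY = re.compile(r"only (be reached|reach me|contact me)[^.]*\bemail\b", re.I)
MOBILE_SIG = re.compile(r"sent from my (iphone|ipad|android|mobile)", re.I)
MONEY_OR_PII = re.compile(r"\b(wire transfer|wire|w-?2s?|pii|payroll|gift cards?)\b", re.I)
NEW_VENDOR = re.compile(r"\bnew (vendor|contract|bank|account)\b", re.I)

# Constructed messages: one with the classic tells, one ordinary internal mail.
SUSPICIOUS = """\
From: "Jane Doe, County Treasurer" <jane.doe.treasurer@gmail.com>
Reply-To: treasurer.janedoe@outlook.com
To: payroll@example-county.gov
Subject: Urgent wire needed today

Hello,
I am in meetings all day and can only be reached by email. Please process a wire
transfer to the new vendor as soon as possible and send me the confirmation.

Sent from my iPhone
"""

ORDINARY = """\
From: "Jane Doe" <jdoe@example-county.gov>
To: payroll@example-county.gov
Subject: Q3 budget review

Hi Sam, can we move Thursday's budget review to 2pm? Thanks, Jane
"""


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def bec_indicators(raw, internal=INTERNAL_DOMAINS, directory=DIRECTORY):
    """Return the names of the indicators that fire for one plain-text message."""
    msg = email.message_from_string(raw)
    name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    text = msg.get("Subject", "") + "\n" + msg.get_payload()  # single-part text assumed
    hits = []
    if domain_of(sender) not in internal:
        hits.append("external_sender")
    if reply_to and domain_of(reply_to) != domain_of(sender):
        hits.append("reply_to_mismatch")  # where a reply really goes: "hover to discover"
    for person, real_address in directory.items():
        if person in name.lower() and sender.lower() != real_address:
            hits.append("display_name_impersonation")
            break
    for label, pattern in (
        ("urgency", URGENCY),
        ("email_only_contact", EMAIL_ONLY),
        ("mobile_signature", MOBILE_SIG),
        ("financial_or_pii_request", MONEY_OR_PII),
        ("new_vendor", NEW_VENDOR),
    ):
        if pattern.search(text):
            hits.append(label)
    return hits


def triage(raw, threshold=3):
    """A hit count is a cue to verify through a non-email channel, not a verdict."""
    hits = bec_indicators(raw)
    return {"indicators": hits, "action": "verify out of band" if len(hits) >= threshold else "none"}


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("ordinary", ORDINARY)):
        print(label, triage(raw))
```

The ordinary internal message fires nothing, while the constructed scam fires every check; in practice the threshold and the phrase lists are tuned to your own mail, and the finance and HR inboxes the article singles out are where such a check earns its keep.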
Network Hide & Seek
A white-hat hacker’s step-by-step guide to discovering hidden assets on your network using open source software and tactical strategy
By Tyler Wrightson

Want to understand your network environment like a cybercriminal might? You’ve come to the right place! Understanding your environment by identifying and creating an inventory of your devices is a foundational step in being able to secure your assets. After all, if you don’t know what you have, how can you be expected to secure it? We’re going to take a unique approach here and identify assets utilizing the same methods a would-be attacker might use. And you’re in luck — we’re going to take an extremely pragmatic and economical approach by only utilizing open source software.
Consider this article the very first tactical step you can take in identifying assets. You’ll want to follow this up with additional steps to create a comprehensive inventory of the assets on your network. For the sake of brevity, in this article, we’ll focus on the following three major steps that you can take to identify what your network looks like and what currently resides on it:

1. Map your network at layer 3 (active IP subnets)
2. Identify IP-based assets on the network
3. Identify general information about those assets (hostname, services, etc.)

There is something to be said for identifying every single asset on your network; however, this is an extremely difficult goal to scale. For that reason, we’re going to focus on identifying the most meaningful data first, such as number of active subnets, network topology, and most important subnets (based on the types of assets on that subnet). I can’t tell you the number of times I’ve identified large ranges of network subnets which were unknown to our client. In a few cases, these were vendor networks connected via either a dedicated line or a VPN. In other cases, they were simply areas of the network that had been forgotten; we were wiping away the digital cobwebs, so to speak.

To identify live subnets, my tool of choice is Masscan (https://github.com/robertdavidgraham/masscan). According to the Masscan website, Masscan is “the fastest Internet port scanner.” It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second.
If masscan can scan the entire Internet in six minutes, it should have no problem on your network! That being said, a word of caution: if you try to utilize the maximum speed of masscan, you are almost guaranteed to cause problems on your network. To identify all live subnets, we’ll want to scan all RFC 1918 addresses. Note that you’ll also want to scan any public IP ranges that your company owns. The private IP ranges are:

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

The command we’ll use is:

masscan -oG 10.mass.txt -p21,22,23,25,53,139,389,445,80,443,1433,1443,3389,8008,8080 --rate 1000 10.0.0.0/8

Here’s a breakdown of the arguments:
-oG specifies the output file to save the results in (in grepable format)
-p specifies the ports to scan on each host
--rate specifies the packets per second (PPS)
The final argument is the network range to be scanned.

The ports we chose here are common ports. If you know of unique ports that are likely to be in your environment, then you should include them in the list. The ‘rate’ argument is one of the most important, as it defines the packets per second. At a rate of 1,000, you can expect to generate over 500 Kbit per second! This means that if you set the rate much higher, you can easily overload boundary links (such as firewalls).

In addition to scanning all of the private IP ranges, you’ll also want to scan any public IP ranges your organization owns. If all the subnets you identified are known to you, great! Proceed to Go and collect $200. If there are subnets you were previously unaware of, we’ll want to further understand what is on those subnets.
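To turn the scan’s output into the “which subnets are live, and which of those did I not know about?” answer the article is after, here is an added Python example (not from the article or the masscan project) that parses masscan’s grepable (-oG) output, one `Ports:` line per open port as I have seen it written, groups the responding hosts into /24s and reports any /24 not covered by the ranges you already document. The sample output lines and the 10.20.0.0/16 “known” range are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of masscan grepable (-oG) output: one "Ports:" line per open
# port, plus the comment lines masscan writes at the top and bottom of the file.
SAMPLE_OUTPUT = """\
# Masscan 1.0.3 scan initiated Thu Jun  1 12:00:00 2017
# Ports scanned: TCP(15;21-23,25,53,80,139,389,443,445,1433,1443,3389,8008,8080) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Timestamp: 1496318400\tHost: 10.20.5.17 ()\tPorts: 445/open/tcp//microsoft-ds//
Timestamp: 1496318400\tHost: 10.20.5.17 ()\tPorts: 139/open/tcp//netbios-ssn//
Timestamp: 1496318401\tHost: 10.20.5.17 ()\tPorts: 3389/open/tcp//ms-wbt-server//
Timestamp: 1496318402\tHost: 10.20.5.40 ()\tPorts: 22/open/tcp//ssh//
Timestamp: 1496318403\tHost: 10.88.0.9 ()\tPorts: 443/open/tcp//https//
Timestamp: 1496318403\tHost: 10.88.0.9 ()\tPorts: 80/open/tcp//http//
Timestamp: 1496318404\tHost: 10.88.0.12 ()\tPorts: 8080/open/tcp//http-alt//
# Masscan done at Thu Jun  1 12:40:00 2017
"""

# Constructed: the ranges the network team already documents.
KNOWN_SUBNETS = ["10.20.0.0/16"]

PORT_LINE = re.compile(
    r"Host:\s+(?P<ip>\S+)\s+\(\S*\)\s+Ports:\s+(?P<port>\d+)/(?P<state>\w+)/(?P<proto>\w+)"
)


def parse_masscan(text):
    """Map each responding host to the set of open ports masscan reported for it."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        m = PORT_LINE.search(line)
        if m and m["state"] == "open":
            hosts[m["ip"]].add(int(m["port"]))
    return dict(hosts)


def active_subnets(hosts, prefixlen=24):
    """Group responding hosts by subnet: the answer to 'which subnets are live?'."""
    groups = defaultdict(lambda: {"hosts": 0, "ports": set()})
    for ip, ports in hosts.items():
        net = str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
        groups[net]["hosts"] += 1
        groups[net]["ports"] |= ports
    return {
        net: {"hosts": g["hosts"], "ports": sorted(g["ports"])}
        for net, g in sorted(groups.items(), key=lambda kv: ipaddress.ip_network(kv[0]))
    }


def unknown_subnets(subnets, known=KNOWN_SUBNETS):
    """Active subnets not contained in any range you already document."""
    known_nets = [ipaddress.ip_network(k) for k in known]
    return [
        net for net in subnets
        if not any(ipaddress.ip_network(net).subnet_of(k) for k in known_nets)
    ]


def summarize(text=SAMPLE_OUTPUT, known=KNOWN_SUBNETS):
    subnets = active_subnets(parse_masscan(text))
    return {"active": subnets, "unknown": unknown_subnets(subnets, known)}


if __name__ == "__main__":
    result = summarize()
    for net, info in result["active"].items():
        print(f"{net}: {info['hosts']} host(s), open ports {info['ports']}")
    print("not in documented ranges:", result["unknown"])
```

Point `summarize()` at the file named by `-oG` (here `10.mass.txt`) and at your IPAM export in place of the constructed list; anything it prints under “not in documented ranges” is the forgotten subnet or vendor link the article describes, and the first thing to investigate.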
Understanding the general makeup of the systems is relatively straightforward. We can make some assumptions based on the ports we find open and then get additional information based on those services. For example, if we see a host with ports 139 (NBT), 445 (CIFS) and 3389 (RDP) open, we can assume it’s a Windows system. We can then get more information about the specific system by connecting via RDP, or query its hostname via NetBIOS. Utilizing tools such as nbtscan, we can scan a subnet to obtain information about NetBIOS hostnames on target Windows systems. The nbtscan tool is very straightforward to use.
user@linux:~$ nbtscan 192.168.1.0/24
Doing NBT name scan for addresses from 192.168.1.0/24

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
192.168.1.35     Web1             <server>  <unknown>        d0:67:e5:40:0b:43
192.168.1.30     KBOX             <server>  KBOX             00:00:00:00:00:00
192.168.1.5      FileSrvr         <server>  FileSrvr         00:00:00:00:00:00
192.168.1.55     LSWINBOX         <server>  <unknown>        00:21:cc:65:d1:00
192.168.1.106    Laptop01         <server>  <unknown>        10:0b:a9:74:39:3c
192.168.1.111    MF840-C02S94YLF            <unknown>        c4:b3:01:c3:71:67
In the example shown at the bottom of the previous page, you can see this appears to be a somewhat convoluted subnet. We have indications there could be servers (file and web), laptops, and a printer. Many times, understanding the general makeup of hosts and their hostnames is a great step in the right direction to identifying the purpose of those systems and the subnet.

Of course, the old standby of obtaining a banner with a tool such as netcat (or telnet), if you are unsure of the service you’ve identified, can be helpful as well. Many services will give a strong indication of what service is running simply by connecting with netcat. In the example below, you can see someone configured SSH to run on a nonstandard port (port 8080) and, by connecting with netcat, we immediately get a specific version of SSH.

user@linux:~$ nc 192.168.1.5 8080
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1

An additional tool that has proven to be extremely helpful is EyeWitness, which you can download from https://github.com/ChrisTruncer/EyeWitness. EyeWitness allows you to take screenshots of websites that you specify. If you’ve identified many unknown systems with ports 80, 443, 8443, 8008, 8080, etc. open, you can specify those as the target file to EyeWitness and quickly get a screenshot of the web application running on each system. You might be surprised just how many forgotten web applications and systems can be found on your networks.
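An added example (mine, not the author’s) that encodes the port-based reasoning and the banner check from this section: constructed per-host port sets and first-line banners stand in for scan and netcat output; `guess_role()` applies the 139/445/3389 rule, `parse_banner()` reads an SSH or HTTP banner from whatever port it was found on, and `web_targets()` builds the http/https URL list you would hand to a screenshot tool such as EyeWitness, dropping ports whose banner shows they are not web servers (the SSH-on-8080 case above). Apart from 192.168.1.5 with SSH on 8080 and its OpenSSH 7.2p2 banner, which follow the article, the hosts, ports and banners are constructed.

```python
import ipaddress
import re

# Constructed per-host open-port sets for one subnet, as a port scan would produce.
# 192.168.1.5 follows the article: SSH is listening on 8080 there.
HOSTS = {
    "192.168.1.5": {139, 445, 3389, 8080},
    "192.168.1.35": {80, 443},
    "192.168.1.55": {22, 80},
    "192.168.1.111": {80, 443, 9100},
}

# First line returned by `nc <host> <port>`; the OpenSSH 7.2p2 banner is the one
# from the article, the others are constructed.
BANNERS = {
    ("192.168.1.5", 8080): "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1",
    ("192.168.1.55", 22): "SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8",
    ("192.168.1.35", 80): "HTTP/1.1 400 Bad Request\r\nServer: nginx/1.10.3\r\n",
}

WINDOWS_TRIO = {139, 445, 3389}  # NBT, CIFS, RDP: the article's Windows rule
WEB_PORTS = {80, 443, 8008, 8080, 8443}
# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
SSH_BANNER = re.compile(r"^SSH-(?P<version>[\d.]+)-(?P<software>\S+)(?:\s+(?P<comments>.*))?$")


def guess_role(ports):
    """Rough classification from open ports alone, in a fixed order."""
    roles = []
    if WINDOWS_TRIO <= ports:
        roles.append("windows")
    elif ports & {139, 445}:
        roles.append("smb (Windows or NAS)")
    if 22 in ports:
        roles.append("ssh")
    if ports & WEB_PORTS:
        roles.append("web")
    if 9100 in ports:
        roles.append("printer (raw/JetDirect)")
    return roles


def parse_banner(banner):
    """Identify the service from its first line, whatever port it was found on."""
    first = banner.split("\n", 1)[0].strip()
    m = SSH_BANNER.match(first)
    if m:
        return {"protocol": "ssh", **{k: v for k, v in m.groupdict().items() if v}}
    if first.startswith("HTTP/"):
        server = re.search(r"^Server:\s*(.+?)\s*$", banner, re.I | re.M)
        return {"protocol": "http", "server": server.group(1) if server else ""}
    return {"protocol": "unknown"}


def web_targets(hosts=HOSTS, banners=BANNERS):
    """URL list for a screenshot tool, skipping ports whose banner is not HTTP."""
    urls = []
    for ip in sorted(hosts, key=ipaddress.ip_address):
        for port in sorted(hosts[ip] & WEB_PORTS):
            if parse_banner(banners.get((ip, port), ""))["protocol"] == "ssh":
                continue  # e.g. SSH on 8080: not a web application
            scheme = "https" if port in (443, 8443) else "http"
            urls.append(f"{scheme}://{ip}:{port}")
    return urls


def survey(hosts=HOSTS, banners=BANNERS):
    roles = {ip: guess_role(ports) for ip, ports in hosts.items()}
    return roles, web_targets(hosts, banners)


if __name__ == "__main__":
    roles, urls = survey()
    for ip, role in roles.items():
        print(ip, "->", ", ".join(role) or "unknown")
    print("web targets:", urls)
```

The port rule says 192.168.1.5 looks like a Windows host with a web service on 8080; the banner corrects the second half of that guess, which is exactly why the article reaches for netcat before trusting port numbers.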
Tyler Wrightson is the founder and president of Leet Cyber Security, a boutique cyber security firm that provides offensive security services, such as penetration testing, red teaming, and ethical hacking, to provide corporate clients with a clear understanding of their security problems and recommendations on how to become meaningfully more secure. Wrightson is an author of two books on cybersecurity, Advanced Persistent Threat Hacking: The Art and Science of Hacking Any Organization and Wireless Network Security: A Beginner’s Guide. A serial entrepreneur, Wrightson is also the founder of ANYcon, an infosec, hacking, and cyber security conference, and owner of Stacks Espresso Bar, an independent chain of specialty coffee shops.
Protecting and Controlling Sensitive Government Information with IRM By Rick Comeau State, local, tribal and territorial (SLTT) governments continuously receive, process, and transmit vast amounts of sensitive, citizen-centric information. Personally identifying information (PII), compensation and tax data, court records, law enforcement information, driver records, protected health information, vital records—these are just some of the types of sensitive information SLTT governments must ensure are kept confidential and out of the hands of unauthorized individuals. SLTT government officials are entrusted by their constituents with keeping their private and sensitive information secure. There is no amount or level of public apologies, credit monitoring services, etc. that can repair the damage in public trust resulting from a breach of citizen PII or other private or financial data.
There is no amount or level of public apologies, credit monitoring services, etc. that can repair the damage in public trust resulting from a breach of citizen PII or other private or financial data. SLTT governments are in an especially challenging position when it comes to data breaches. They are responsible for securing more sensitive information than just about any other infrastructure sector. However, they face the same amount—if not more—cyber threats, both malicious and unintentional, as many organizations in the private sector and at the federal government level. SLTT governments are also faced with insufficient budgetary resources and therefore must spend judiciously on cybersecurity controls that help achieve the greatest overall reduction in cyber risk. Cybersecurity decisions must also be made in a world where workforces are becoming increasingly mobile and citizens expect online government resources to be available from anywhere, at any time and on any device.
With data breaches continuing to climb, SLTT government cybersecurity and IT professionals should consider the prospective return on security investment of an Information Rights Management (IRM) solution. IRM, also referred to as Digital Rights Management (DRM), is a security technology offering huge security benefits to organizations that must maintain protection and control over sensitive information externally shared with partner organizations (e.g. other states or local governments, federal agencies) and customers (citizens, businesses, etc.).
IRM uses strong encryption and a complex—yet user-transparent—system of digital certificates and licenses to extend protection and control over files residing outside an organization’s network perimeter. An information owner leverages IRM technology to restrict file access to a specific recipient(s) wherever that file may be sent or saved, including a personal desktop or laptop computer, USB “thumb” drive, personal email account, or consumer grade cloud storage service. The content remains lifetime-protected by Advanced Encryption Standard (AES) encryption and is restricted to only authenticated and authorized user(s). Explicit usage rights or permissions (e.g. view only, view/print, view/print/edit) can also be set for IRM-protected files, and those permissions are enforced for the life of the file and wherever it may travel. An unauthorized user, no matter where he or she may have downloaded and saved an IRM-protected file, will simply not be able to break the strong encryption protecting the file contents and will be prevented from accessing the information.
IRM technology has actually been around for well over a decade; however, it has matured greatly over the last few years. One of the biggest, longstanding challenges had been making IRM work across independent organizations and users where each organization has its own mechanism for identity and access management. Potential solutions included letting external partners into an organization’s own user directory system; replicating an organization’s directory service in a network “demilitarized zone” (DMZ), where identities and access authorizations of external users could also be managed; and even establishing direct, trusted connections between partner organizations’ directory systems. However, all of these strategies have proven to be incredibly complex and costly to implement, difficult to manage and maintain, and loaded with security risks. And these challenges only increase as organizations seek to expand their IRM trust model to larger groups of external collaborators. Fortunately, there now exist mature, cloud-based IRM solutions that have overcome the previous challenges with making this game-changing, information-level security technology work across independent organizations and users. There are even cost-effective IRM capabilities that are natively available within intuitive secure collaboration platform solutions. However, not all IRM technologies are alike, and there are essential functions and features SLTT governments should look for in an IRM solution, including the following:
Intuitive and easy to use – applying IRM protection to a file should be readily apparent and easy to do (“click of a button”).
Plug-in free/agentless – an authorized external party who receives an IRM-protected file should not have to install a browser plug-in or software agent (or wait on their IT administrator to do so) in order to access and use the file.
Dynamic policy updates – an information owner should be able to dynamically change user permissions, as well as eliminate (“unshare”) access/use rights, to IRM-protected files if and when necessary.
The benefits of IRM technology are likely still unknown to many SLTT government IT and cybersecurity personnel, but it offers a promising solution that could greatly enhance the security of sensitive, often citizen-owned or identifying, information. SLTT government mission activities will continue to require the constant exchange of sensitive information with the people and businesses within their jurisdictions, as well as other public and private sector entities. IRM solutions would provide the necessary assurance for SLTT governments to continue providing their vital, information-intensive services in the face of targeted data exfiltration attacks, malicious insiders, and even unintentional data exposures. IRM protection would also boost citizen confidence that their personal and private information is being safeguarded—even after it leaves SLTT government firewalls.
Rick Comeau is a Security Advisor for Intralinks, a global technology provider of inter-enterprise content management and collaboration solutions. He previously led the Center for Internet Security (CIS) Security Benchmarks program. Comeau’s other previous experience includes leadership, management, and operational roles at the Multi-State Information Sharing and Analysis Center (MS-ISAC), New York State Office of Cybersecurity, and leading industry government consulting firms. Comeau began his professional career as an officer in the U.S. Coast Guard. He received his undergraduate degree from the United States Coast Guard Academy and MBA from the George Washington University.
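To make the mechanism the article describes concrete, here is an added example in Go (not code from the article, from CIS, or from any IRM vendor) that models the moving parts: a per-file AES-256-GCM key that never travels with the file, a licensing service that releases that key only to an authenticated recipient holding the requested permission, and the dynamic policy update and “unshare” revocation listed among the essential features. The type and function names (LicenseServer, Protect, Open, UpdatePermissions, Unshare), the file ID and the recipients are this example’s own assumptions, and the file content is a constructed sample value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Permission bits an information owner grants per recipient (view only, view/print, view/print/edit).
type Permission uint8

const (
	View Permission = 1 << iota
	Print
	Edit
)

// ProtectedFile is what actually travels: AES-256-GCM ciphertext plus a file ID. The key is NOT in
// the file, so a copy on a thumb drive or in a personal mailbox is useless without a license.
type ProtectedFile struct {
	FileID     string
	Nonce      []byte
	Ciphertext []byte
}

// license is the server-side record tying a file key to one recipient and their rights.
type license struct {
	key     []byte
	perms   Permission
	revoked bool
}

// LicenseServer stands in for the cloud IRM licensing service (hypothetical name and API).
type LicenseServer struct{ licenses map[string]*license }

func NewLicenseServer() *LicenseServer { return &LicenseServer{licenses: map[string]*license{}} }

func licKey(fileID, user string) string { return fileID + "|" + user }

func newGCM(k []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect encrypts plaintext under a fresh random per-file key and registers one license per recipient.
func (s *LicenseServer) Protect(fileID string, plaintext []byte, grants map[string]Permission) (*ProtectedFile, error) {
	k := make([]byte, 32) // AES-256 key, generated and held server-side
	if _, err := rand.Read(k); err != nil { return nil, err }
	gcm, err := newGCM(k)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	// The file ID is authenticated as additional data, so a ciphertext cannot be relabelled as another file.
	ct := gcm.Seal(nil, nonce, plaintext, []byte(fileID))
	for user, p := range grants {
		s.licenses[licKey(fileID, user)] = &license{key: k, perms: p}
	}
	return &ProtectedFile{FileID: fileID, Nonce: nonce, Ciphertext: ct}, nil
}

// Open models an IRM-aware viewer: it must obtain a license for (file, authenticated user,
// requested action) before it can decrypt. A user without a valid license never sees the key.
func (s *LicenseServer) Open(f *ProtectedFile, user string, want Permission) ([]byte, error) {
	lic, ok := s.licenses[licKey(f.FileID, user)]
	if !ok || lic.revoked {
		return nil, errors.New("access denied: no valid license for " + user)
	}
	if lic.perms&want != want {
		return nil, errors.New("access denied: requested action not granted to " + user)
	}
	gcm, err := newGCM(lic.key)
	if err != nil { return nil, err }
	// GCM also authenticates the ciphertext, so a tampered copy fails here rather than decrypting to garbage.
	return gcm.Open(nil, f.Nonce, f.Ciphertext, []byte(f.FileID))
}

// UpdatePermissions is the dynamic policy update: rights change without re-sending the file.
func (s *LicenseServer) UpdatePermissions(fileID, user string, p Permission) error {
	lic, ok := s.licenses[licKey(fileID, user)]
	if !ok { return errors.New("no license to update for " + user) }
	lic.perms = p
	return nil
}

// Unshare revokes access: every copy of the file, wherever it was saved, stops opening for that user.
func (s *LicenseServer) Unshare(fileID, user string) error {
	lic, ok := s.licenses[licKey(fileID, user)]
	if !ok { return errors.New("no license to revoke for " + user) }
	lic.revoked = true
	return nil
}
```

The point of the model is where the key lives: an unauthorized user who copies the ciphertext cannot decrypt it, and revoking the license stops every copy from opening without recalling the file. A production system also authenticates the caller to the license server and binds licenses to devices and expiry dates; this example trusts the user string it is handed and leaves those parts out.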
Cyber Tips & Tricks
This Quarter’s Tip: Stop and think before you click
by Stacey Wright, Intel Program Manager, MS-ISAC
I think I’m dating myself here, but back in the spring of 2000, I received several emails from friends, family members, and co-workers with the subject line “ILOVEYOU.” Now admittedly, getting an email like that from my grandfather wasn’t too surprising. We had just gotten him a new laptop and the concept of the space key continued to elude him. (As did how to work the mouse, but that’s a different story!) What I didn’t expect was to receive an email with that subject line from my boss or another coworker.
I’m, of course, referencing the Love Letter worm that spread prolifically around the Internet in May 2000. I think most people remember that incident or have at least read about it in their history books, but the lesson it taught us is one worth revisiting. Namely, just because the email comes from someone you trust, doesn’t mean you should trust the email. Today we laugh about it because it seems so outrageous, but social engineering attacks continue to spread via email using this same technique.
Over the past year, the MS-ISAC has observed a series of phishing campaigns that come from compromised email accounts. One of these campaigns uses an “IT Help Desk” themed email. That email, complete with the proper names of employees and company logos, alleges that the recipient needs to log in to their account and provides a helpful link to do so. Recipients click on the link in the email and are taken to a well-crafted phishing page, hosted on a compromised website, that asks for their credentials. If the employee enters their credentials, the phishers use those credentials to remotely log into the compromised account and send more phishing emails to everyone in the compromised employee’s address book. That spreads the campaign and, since the phishing emails come from someone you know, it’s much more likely that you’ll click on the link.
So, what’s to be done? Well, as ILOVEYOU taught us, it’s not just about blocking unknown senders — it’s also about a little bit of education and awareness and a little bit of forethought. No matter how hard we try, some phishing emails will get to the end user. We just can’t block everything, which means it’s up to us to remind the end user to stop and think before clicking.
When ILOVEYOU appeared, it was a nightmare for IT staff to remediate and we all wondered how so many people could think their bosses and coworkers would send them an email that said “I love you.”
What to do? Training and awareness for users is key. ILOVEYOU works as a teaching point because many modern users will easily understand how absurd it is whereas they struggle to remember that an email claiming to be from IT might not really be from IT. Use the resources on the CIS website (cisecurity.org) and Stop.Think.Connect (stopthinkconnect.org) to bring social engineering awareness to employees all year long. Put posters in common hallways and change them out frequently to ensure that they are read. (A quick Internet search for “cybersecurity posters” is a great place to start!) Talk about the ILOVEYOU virus and the modern campaigns that use employee accounts to spread.
And remember, your boss might admire and appreciate you, but they aren’t likely to intentionally send you an email declaring their love!
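As an added example that is not part of Stacey Wright’s column, the Go snippet below shows one automated check that complements the awareness training she recommends. It flags a message that uses credential-lure wording (“log in”, “verify your account”, and so on) while linking to a host outside the organization’s own domains, which is the shape of the “IT Help Desk” campaign described above, where the lure page sits on a compromised third-party website. The domains under trustedHosts and the three sample messages are constructed for this example; the function names Assess and SampleMessages are its own.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Email is the minimal view of a message this check needs.
type Email struct {
	From, Subject, Body string
}

// trustedHosts lists where a genuine login link from this organization may point (assumed values).
var trustedHosts = map[string]bool{
	"example.gov":          true,
	"sso.example.gov":      true,
	"helpdesk.example.gov": true,
}

var (
	urlRe  = regexp.MustCompile(`https?://[^\s"'<>]+`)
	lureRe = regexp.MustCompile(`(?i)\b(log ?in|sign ?in|verify your account|password|credentials|account (will be )?(suspended|locked))\b`)
)

// Assess returns the reasons a message looks like a credential-phishing lure, or nil if none apply.
// Rule: credential wording AND at least one link to a host that is not one of ours.
func Assess(e Email) []string {
	if !lureRe.MatchString(e.Subject + " " + e.Body) {
		return nil
	}
	var reasons []string
	for _, raw := range urlRe.FindAllString(e.Body, -1) {
		u, err := url.Parse(strings.TrimRight(raw, ".,;:)")) // drop sentence punctuation glued to the URL
		if err != nil {
			continue
		}
		host := strings.ToLower(u.Hostname())
		if !trustedHosts[host] {
			reasons = append(reasons, "credential lure links to untrusted host "+host)
		}
	}
	return reasons
}

// SampleMessages are constructed for this example; the first mirrors the "IT Help Desk" campaign
// (internal sender, real-looking pretext, login link pointing off-domain).
func SampleMessages() []Email {
	return []Email{
		{From: "jane.doe@example.gov", Subject: "IT Help Desk: action required",
			Body: "Jane, please log in to your account at https://portal-update.example.net/login to keep access."},
		{From: "helpdesk@example.gov", Subject: "Password expiry reminder",
			Body: "Your password expires Friday. Change it at https://sso.example.gov/password."},
		{From: "bob@example.gov", Subject: "Lunch Friday?",
			Body: "Menu is at http://cafe.example.org/menu"},
	}
}

func main() {
	for _, m := range SampleMessages() {
		if reasons := Assess(m); len(reasons) > 0 {
			fmt.Printf("FLAG %q from %s: %s\n", m.Subject, m.From, strings.Join(reasons, "; "))
		} else {
			fmt.Printf("ok   %q from %s\n", m.Subject, m.From)
		}
	}
}
```

A check like this belongs in a mail gateway rule or a triage helper for the help desk. It is a signal, not proof: lures are also hosted on legitimate cloud services that may be on an allowlist, and a compromised internal account passes every sender-authentication check, which is exactly why the column’s “stop and think” message still has to reach the end user.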
Upcoming Events
June
June 29th Cyber Security Summit: D.C. Metro takes place at the Ritz-Carlton, Tysons Corner. This event will bring together senior executives, business leaders, and senior cybersecurity professionals to network and learn about the latest threats from industry leaders. SLTT organizations can receive free admission to the event. Contact the CIS CyberMarket team for details.
July
July 1st - 31st The SANS Summer Buy Window continues through the month of July. Through our partnership, SLTT governments, nonprofits, and public education and healthcare institutions can receive up to 70% off the regular price on some of the most popular cybersecurity training programs offered by SANS. Contact the CIS CyberMarket team or visit our partnership page for more information.
July 7th - 10th The National Association of Secretaries of State Annual Conference takes place in Indianapolis. Leaders from the nation’s Offices of the Secretary of State and their senior staff will come together to discuss current issues facing the agencies. MS-ISAC Senior Cyber Intelligence Analyst Ben Spear will brief election cybersecurity task force members about identifying threats and mitigation planning.
August
August 8th Cyber Security Summit: Chicago takes place at the Hyatt Regency Chicago, bringing together senior executives, business leaders, and senior cybersecurity professionals to network and learn about the latest threats from industry leaders. SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details.
August 8th - 10th The Vermont Captive Insurance Association Annual Conference takes place in Burlington, Vermont, where insurance professionals will gather to learn the latest issues facing the industry. CIS Senior Director Ryan Spelman will speak during the event’s breakout session on cybersecurity, discussing current threats facing the industry and how to effectively develop cyber liability insurance policies.
August 27th - 31st The National Association of State Technology Directors (NASTD) Annual Conference & Technology Showcase takes place in Memphis, Tennessee. State government technology leaders will come together to learn about the latest issues facing their organizations, as well as celebrate NASTD’s 40th anniversary. Among the event’s featured speakers is MS-ISAC’s Senior VP, Thomas Duffy, who will discuss the latest threats facing state governments and strategies to combat them.
September
September 15th Cyber Security Summit: New York takes place at the Grand Hyatt New York. This event will bring together senior executives, business leaders, and senior cybersecurity professionals to network and learn about the latest threats from industry leaders. SLTT organizations can receive free admission to this event. Contact the CIS CyberMarket team for details.
September 24th - 26th The Business Council of New York State Annual Conference takes place in Bolton Landing, New York, drawing business leaders together to learn and discuss how to improve the state’s business climate and economy. CIS President & COO Steve Spano will address the event’s attendees from the main stage on the importance of cybersecurity.
Cybersecurity Quarterly
Confidence in the Connected World
Copyright © 2017 Center for Internet Security, All rights reserved.
CIS CyberMarket
Interested in being a contributor? Please contact us: info@cisalliance.org www.cisecurity.org 518.880.0699