Cybersecurity Quarterly (Summer 2018)


In this issue:
- How to Use Open Source Intelligence Effectively in Your Investigations
- Does Truly Secure User Authentication Mean Assuming Everyone is Already Compromised?
- The Financial Rewards of Proactive Cyber Defense

The Continued Evolution of the CIS Controls: For over a decade, the CIS Controls have continuously adapted to the ever-changing cyber threat landscape. The newest version sees some of the most significant changes in their history.



Contents

Featured Articles
- The Continued Evolution of the CIS Controls: How our latest update has made the CIS Controls even better than before (p. 8)
- Do's & Don'ts of Using Open Source Intelligence in Your Investigations: How to effectively utilize OSINT as a valuable resource in your investigations (p. 14)
- Safe Driving in the Digital Age: Your car insurance rewards you for being a safe driver. Shouldn't your company's cyber liability insurance do the same? (p. 16)
- Zero Trust Security Models and the Future of Identity Authentication: Why the best way to thwart hackers may be assuming everyone is already hacked (p. 18)

Quarterly Regulars
- Quarterly Update with Steve Spano (p. 4)
- News Bits & Bytes (p. 6)
- Threat of the Quarter (p. 10)
- Cyber Tips & Tricks (p. 20)
- MS-ISAC Update (p. 22)
- Cyberside Chat (p. 23)
- Calendar (p. 24)

Confidence in the Connected World
Summer 2018, Volume 2, Issue 2. Founded MMXVII.
Editor-in-Chief: Michael Mineconzo. Copy Editor: Shannon McClain.
Staff Contributors: Freisi Alfonseca, Sean Atkinson, Paul Hoffman, Philippe Langlois, Ben Spear, Ryan Spelman.

Cybersecurity Quarterly is published and distributed in March, June, September, and December. Published by Center for Internet Security, 31 Tech Valley Drive, East Greenbush, New York 12061. For questions or information concerning this publication, contact CIS at info@cisecurity.org or call 518 266.3460. Copyright © 2018 Center for Internet Security. All rights reserved.



Quarterly Update

with Steve Spano

“Speed and security are not opposing values”

As the year flies by, it's tempting to just keep pushing forward on the goals we've set for ourselves. At this point, many of you are starting to implement changes in your information security program, completing the deployment of new assets, or are halfway through your own personal and professional goals. Now might be a good time to step back and assess the impact of the changes you are making. What opportunities are you setting aside to drive toward goals that may be less important? What are the initial results of the new technology compared to what you expected? The end of the second quarter is the perfect time to think about these changes. With half of the year still ahead, it is not too late to change course, adjust strategies, or continue to move forward with the confidence that the course you charted at the end of last year is, in fact, still the right one.

The middle of the year is also a good time to focus on access, specifically who has administrative access. The analogy often used is giving away the keys to the kingdom. While there are many benefits to having administrative privileges, it is, as the name implies, "a privilege," and something that should be reserved for only a select few individuals. More importantly, access should be limited in scope and assessed periodically, as well as audited frequently (or in real time). When a regular user account is compromised, the damage can be limited. However, when a user with administrative privilege is compromised, it could very well be catastrophic. Many of the major breaches that occurred recently, such as Equifax, were precipitated by this type of compromise. It is often difficult in many organizations to limit administrative privileges, as certain types of software may require it, certain project managers may be justified in having it, and offsite employees may argue it allows them to install and update software without delay. However, speed/agility and security are not opposing values.

One way to control the mission creep of administrative privileges is to periodically check who has this special access and whether it is still justified. Our CIS Controls recommend the deployment of automated tools to build this inventory. As such, what better time than midway through the year to do this? Take a moment to assess your progress and what accounts have been granted greater access while you've been pursuing that progress. If deploying an automated tool to assess user privileges isn't an option, most operating systems allow you to easily request a list of administrators for auditing purposes. Possessing this knowledge will help you take a step in the right direction to limit administrative privileges in your organization.

The middle of the year is an important time; a moment to look back at what you've done and look forward to what is next. I urge you to take an additional moment to ensure you've taken the key steps to help reduce the risk of a serious breach by double checking your administrative privileges and supporting processes. Conducting this check, along with the other recommendations outlined in the CIS Controls, can greatly help reduce the risk of a serious breach.
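The periodic "who is an administrator, and is it still justified" check can be scripted rather than eyeballed. The following is an added example, not part of the column or of any CIS tool: it snapshots the members of the local Administrators group on a Windows host and diffs it against an approved baseline, so that privilege creep shows up as a change to review instead of a surprise. It assumes Windows 10 or Windows Server 2016 or later (for the LocalAccounts cmdlets) and a baseline file path of your choosing; the path below is hypothetical.

```powershell
# Added example (not from the CIS column): snapshot the local Administrators
# group and compare it to an approved baseline so privilege "mission creep"
# shows up as a diff. Assumes Windows 10 / Server 2016+ (LocalAccounts module).
# The baseline path is an assumption; point it wherever you keep audit state.

$BaselinePath = 'C:\Audit\admin-baseline.json'   # assumed location

function Get-LocalAdminSnapshot {
    # Resolve the group by its well-known SID so the script still works where
    # "Administrators" has been renamed or localized.
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        ForEach-Object {
            [pscustomobject]@{
                Name            = $_.Name
                Sid             = $_.SID.Value
                PrincipalSource = [string]$_.PrincipalSource   # Local, ActiveDirectory, AzureAD
                ObjectClass     = $_.ObjectClass               # User or Group
            }
        }
}

function Compare-AdminBaseline {
    param(
        [Parameter(Mandatory)] [object[]] $Current,
        [Parameter(Mandatory)] [object[]] $Baseline
    )
    # Compare on SID, not name: a renamed account is still the same principal.
    $currentSids  = $Current  | ForEach-Object Sid
    $baselineSids = $Baseline | ForEach-Object Sid
    [pscustomobject]@{
        Added   = $Current  | Where-Object { $_.Sid -notin $baselineSids }
        Removed = $Baseline | Where-Object { $_.Sid -notin $currentSids }
    }
}

$snapshot = Get-LocalAdminSnapshot

if (-not (Test-Path $BaselinePath)) {
    # First run: record what is there today and have someone sign off on it.
    $snapshot | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath; review and approve it before relying on it."
} else {
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $drift = Compare-AdminBaseline -Current $snapshot -Baseline $baseline

    # Nested groups hide members: a group inside Administrators can grow without
    # the local group membership changing at all, so flag them for separate review.
    $nestedGroups = $snapshot | Where-Object ObjectClass -eq 'Group'

    $drift.Added   | ForEach-Object { Write-Warning "NEW admin since baseline: $($_.Name) ($($_.PrincipalSource))" }
    $drift.Removed | ForEach-Object { Write-Host    "Removed since baseline:  $($_.Name)" }
    $nestedGroups  | ForEach-Object { Write-Host    "Nested group (enumerate separately): $($_.Name)" }

    if (-not $drift.Added -and -not $drift.Removed) { Write-Host 'No change from approved baseline.' }
}
```

Run it once to record and approve the baseline, then on a schedule. In a domain, enumerate the nested groups it flags with Get-ADGroupMember -Recursive (RSAT ActiveDirectory module), since that is where most silent growth in administrative reach happens.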

Steve J. Spano, Brig. Gen., USAF (Ret.), President & Chief Operating Officer, Center for Internet Security



Start Secure & Stay Secure with the New CIS Controls Version 7

The CIS Controls V7 are the newly updated, prioritized set of actions any organization can follow to improve its cybersecurity posture. The CIS Controls V7 provide clear, step-by-step guidance to tackle the most pervasive cybersecurity threats. Best of all, they are a free cybersecurity resource everyone can download and implement.

CIS Controls V7 separates the controls into three distinct categories:

Basic: Key controls which should be implemented in every organization for essential cyber defense readiness.
Foundational: Technical best practices that provide clear security benefits and are a smart move for any organization to implement.
Organizational: Controls that are more focused on the people and processes involved in cybersecurity.

Basic
1. Inventory and Control of Hardware Assets
2. Inventory and Control of Software Assets
3. Continuous Vulnerability Management
4. Controlled Use of Administrative Privileges
5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
6. Maintenance, Monitoring and Analysis of Audit Logs

Foundational
7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports, Protocols, and Services
10. Data Recovery Capabilities
11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control

Organizational
17. Implement a Security Awareness and Training Program
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises

Version 7 of the CIS Controls keeps the same 20 controls that businesses and organizations around the world already depend on; however, the ordering has been updated to reflect today’s current threat landscape. We’ve also updated the sub-controls to be more clear and precise, implementing a single “ask” per sub-control. The CIS Controls V7 were only possible through the collaboration of CIS and a global community of cybersecurity experts in academia, industry, government, and more. Over 300 individuals contributed to help improve cybersecurity for all.

Confidence in the Connected World

To learn more about the CIS Controls and download a copy, visit: https://www.cisecurity.org/controls/



News Bits & Bytes

The SANS Summer Buy Window is now open. Through CIS' partnership with SANS, U.S. State, Local, Tribal, and Territorial (SLTT) government organizations, nonprofits, and public healthcare and educational institutions can purchase industry-leading training programs and courses to expand their employees' cybersecurity skills and better protect their sensitive data at a drastically reduced price. From June 1st until July 31st, eligible organizations can take advantage of our extremely competitive group purchasing discounts of up to 70% off the regular price of SANS training programs. Learn more at www.sans.org/partnership/cis.

Belarc is the newest vendor partner of CIS CyberMarket. Belarc, a leading provider of IT asset and security configuration management products, is now offering its products to all current MS-ISAC members, as well as other state, local, tribal, and territorial (SLTT) governments, nonprofits, and public education and healthcare institutions, at an exclusive discounted rate. Through our partnership, eligible organizations can purchase Belarc's suite of products, including BelManage, which simplifies and automates the management of all user desktops, servers, and laptops, using a single database and intranet server, automatically creating an accurate and up-to-date central repository (CMDB) of software, hardware, and security configurations. Learn more at https://www.cisecurity.org/services/cis-cybermarket/software/belarc.

CIS has released its whitepaper on GDPR. GDPR (General Data Protection Regulation) officially went into effect on May 25th, 2018, requiring organizations handling the personal data of European Union citizens to implement a number of required data protection measures and guidelines. CIS' new whitepaper outlines these requirements, explains how best practices can make organizations more compliant and secure, and describes how the CIS Controls, CIS Hardened Images, and CIS SecureSuite can help with GDPR conformance. Download the whitepaper and learn more at https://www.cisecurity.org/gdpr/.

CIS has released the CIS Risk Assessment Method (RAM) for CIS Controls V7 for download. Developed by CIS in partnership with HALOCK Security Labs, CIS RAM is an information security risk assessment method that helps organizations design and evaluate their implementation of the CIS Controls. CIS RAM provides instructions, examples, templates, and exercises for conducting risk assessments so they meet the requirements of established information security risk assessment standards, legal authorities, and regulators. Learn more about CIS RAM at https://www.cisecurity.org/controls/cis-ram-faq/ and download the detailed implementation document at https://learn.cisecurity.org/cis-ram.

CIS and Everest Insurance® are now working together to provide a 10% premium discount on all stand-alone cybersecurity policies for CIS SecureSuite members using the CIS-CAT Pro tool. In conjunction with broker Arthur J. Gallagher, Everest will offer its new Cyber Elevation℠ Policy, a cyber liability insurance policy that includes coverage for breach liability, privacy regulatory, PCI assessments, business interruption, contingent business interruption, breach response costs, cyber extortion, and data loss restoration. All CIS SecureSuite Members, including MS-ISAC members utilizing their free membership, with under $600 million in annual revenue are eligible. Learn more about the policy on the Everest Insurance® website.



The Continued Evolution of the CIS Controls

A core tenet of the CIS Controls is to continuously adapt to the latest cyber threats. Version 7 is one of the biggest updates to the CIS Controls to date.

By Philippe Langlois

As you hopefully are aware, we have recently released an updated version of our CIS Controls, completing its seventh version. While the CIS Controls have had various names and have been hosted by different companies and organizations, their core principles are consistent and have grown even stronger today. About every two years, the community supporting the CIS Controls convenes, this year on our online collaborative platform CIS WorkBench, to identify what actions organizations need to take to protect themselves against the most prevalent forms of attack. Why every two years? We believe the cyber threat landscape changes significantly enough in two years that we should reexamine our recommendations to assure that they are able to combat the latest adversarial tactics.

While every update brings new advantages and continues to promote good cybersecurity practices, this iteration has, in some ways, been one of the biggest updates to date. Fortunately for anyone who has used the CIS Controls in the past, the core content and concepts of the controls haven't changed drastically, but we have made some structural changes to make it easier for organizations to implement, measure, and assess their implementation of the CIS Controls.

Our latest update was not started arbitrarily. Ever since Version 6 was released, we have been listing out the comments and feedback received from our community. Before we deleted even one punctuation mark, we began by identifying seven key principles that would drive the development of our content:

1. Address current attacks, emerging technology, and changing mission/business requirements for IT.
2. Bring more focus to key topics like authentication, encryption, and application whitelisting.
3. Better align with other frameworks.
4. Improve the consistency and simplify the wording of each sub-control: one "ask" per sub-control.
5. Set the foundation for a rapidly growing "ecosystem" of related products and services from both CIS and the marketplace.
6. Make some structural changes in layout and format.
7. Reflect the feedback of a worldwide community of volunteers, adopters, and supporters.

One of the more important of the seven key principles is one ask per sub-control. The hope was that by separating and splitting the controls into tangible, atomic pieces, it would be easier for organizations to audit and identify when they have achieved the objective of the control. While this seemed like a relatively easy task at first, it escalated into a re-examination of various controls to ensure that they were not now duplicative. This also added a fair number of sub-controls, increasing the overall count from 149 to 171, even though most of them are not actually new: they are existing sub-controls split into their atomic parts. One of the intrinsic benefits of the break-out is that it helps us define specific and tangible measures and metrics, which can be found in our new whitepaper on our website.

Another significant change is the ordering of a handful of CIS Controls: specifically, Continuous Vulnerability Management, which was Control 4 and is now Control 3, and Controlled Use of Administrative Privileges, previously Control 5 and now Control 4. While we do not necessarily see or promote the CIS Controls as a strictly ordered list, we thought it important that organizations prioritize their efforts around managing vulnerabilities and administrative users before tackling secure configurations. There is also a pragmatic reason for this ordering: without proper management of your privileged accounts, a malicious actor can revert, change, or modify any of the secure configuration recommendations.

Another key update is the recognition of the complexity of patching software, especially third-party applications, across your environment. To assist users, we have tried to be more prescriptive by breaking the automated patching process into one recommendation focused on patching operating systems and another focused on automating the patching of other software. By dividing OS and application patching, we not only maintain our one ask per sub-control, but also acknowledge that patch management, especially of third-party apps, presents different opportunities and constraints.

In our efforts to help organizations address cybersecurity in a prioritized fashion, we divided the high-level controls into three categories. The first, "Basic," identifies the starting point for any organization beginning its cybersecurity efforts. Keen readers will see that this aligns strongly with what we previously called the Cyber Hygiene controls, with the addition of Control 6: Maintenance, Monitoring and Analysis of Audit Logs. The next tier is "Foundational," which represents the core activities that all organizations should tackle in their cybersecurity efforts. This is in essence the core of the CIS Controls, the technical guidance that helps organizations defend themselves against malicious cyber attackers, and it covers Controls 7 through 16. Our last set of Controls are "Organizational," and contain controls that, while not technical in nature, are still critical to an organization's cybersecurity posture. For these controls, we want to provide some high-level guidance describing the types of activities that organizations should consider, but also point to established resources where organizations can get a more in-depth examination of the topic. For example, in Control 18: Application Software Security, we point out some key activities, but also refer organizations to OWASP and SAFECode for more detailed guidance on how to code securely on different platforms and in different languages.

It is our hope that these changes in the CIS Controls will help you identify what you need to do to protect your organization from cyber attacks. As always, we are looking for feedback on how the community can better help you. Feel free to reach out to us at controlsinfo@cisecurity.org or on Twitter.

Philippe Langlois is the Technical Product Manager for the CIS Controls. In this role, Langlois leads an international community of cybersecurity experts who develop the CIS Controls, and manages the production, writing, and publication of a range of cybersecurity resources. Langlois holds an MS in Infrastructure Protection and International Security and a BA in Criminology.


Threat of the Quarter

This Quarter's Threat: Persistent Infection Vectors Affecting SLTT Governments

This year, malicious cyber threat actors have persistently employed two infection vectors, the EternalBlue exploit and Remote Desktop Protocol (RDP), against state, local, tribal and territorial (SLTT) governments. Both infection vectors tend to result in high-impact incidents, with hundreds of affected systems and hours of costly recovery time. Events related to these threats also often receive widespread news coverage, amplifying the impact. Fortunately, a few basic precautions can make a significant difference in easing the impact experienced by affected entities.

EternalBlue

The EternalBlue exploit allows for the self-propagation of a variety of ransomware, trojans, and cryptocurrency miners by exploiting the "wormability" of a vulnerability in the Server Message Block version 1 (SMBv1) protocol, CVE-2017-0144, one of the SMBv1 flaws fixed by Microsoft's MS17-010 update. (Wormability refers to how a vulnerability can be exploited for self-replication, allowing an infection to ripple throughout a network.) It is this self-replication that makes malware using EternalBlue a high-impact event: once in the network, the malware can spread rapidly, infecting hundreds of machines. Remediation requires network-wide removal of the malware to prevent reinfection of reimaged devices.

The MS-ISAC (Multi-State Information Sharing and Analysis Center) is tracking three variants of malware utilizing the EternalBlue exploit that have created these high-impact events amongst SLTT governments.

Emotet is a modular infostealer that either downloads or drops banking trojans into the affected network. It can be delivered through malicious download links or attachments, such as PDFs or macro-enabled Microsoft Word documents. Emotet also incorporates multiple spreader modules, including EternalBlue, in order to propagate itself throughout a network. EternalBlue allows Emotet to compromise hundreds of systems on a single network, yielding a high-impact event.

WannaCry is a ransomware cryptoworm that uses the EternalBlue exploit to spread itself. Version 1.0 has a "kill switch" domain which, when reachable, stops the encryption process. For the last several months, WannaCry 1.0 has been responsible for a significant number of SLTT government infections. Although these infections involve Version 1.0 and files are not encrypted, it is important to realize that hundreds of machines are infected in each incident, which means those systems still require reimaging and are highly vulnerable to other malware. There are two other known variants in the wild which will encrypt files.

WannaMine is malware designed to mine (generate) Monero cryptocurrency. This particular campaign is one of the first cryptocurrency worms and leverages two separate propagation techniques affecting Windows environments: credential theft with Mimikatz (the stolen credentials are reused to move laterally) and EternalBlue. Similar to WannaCry Version 1.0, these infections may not be viewed as highly detrimental to operations. However, the infections indicate systems are vulnerable, and cryptocurrency mining is incredibly resource intensive, which decreases the resources available for other processes and increases machine, networking, and electricity costs. Cryptocurrency miners often target servers, which, if vulnerable and housing sensitive data such as personally identifiable information (PII), personal health information (PHI), or financial information, can result in a data breach.

Remote Desktop Protocol (RDP)

Cyber threat actors are manually deploying ransomware on SLTT government networks by targeting open RDP ports (TCP 3389) and brute forcing RDP logins with weak passwords. The most common activity associated with this infection vector is currently the dissemination of strategically targeted ransomware. The MS-ISAC has most recently worked RDP-deployed ransomware cases associated with the SamSam (a.k.a. Samas), Dharma, and Amnesia (a.k.a. Scarab) variants.

SamSam (a.k.a. Samas) ransomware infections are often strategically targeted extortion events, with ransom demands typically ranging from $10,000 to $50,000, or occasionally even more. It should be noted that extortion incidents often garner attention from the media, requiring public relations efforts.

Dharma ransomware is also associated with extortion incidents, as victims are instructed to contact the extorter for a demand amount. The current version of Dharma came into existence after a decryptor became available for the first version, and both versions are manually deployed via RDP compromise. Dharma incidents characteristically involve enumeration of the affected network, allowing malicious actors to selectively target the information they encrypt based on its importance.

It is unclear whether Amnesia (a.k.a. Scarab) ransomware is associated with extortion, as the malicious actors require a negotiation in order to determine a demand amount. However, this negotiation process does indicate strategic involvement, suggesting Amnesia events should also be classified as extortion.

Recommendations

Due to developing malware threats and multiple high-profile incidents, SLTT governments are strongly encouraged to ensure networks and systems are protected against these threats by implementing the following high-priority recommendations.

EternalBlue (SMB): Because EternalBlue exploits SMBv1, these recommendations limit the ability to exploit SMB. Consider disabling SMBv1 on all systems and utilizing SMBv2 or SMBv3 after appropriate testing. Additionally, consider disabling SMB between endpoints and restricting SMB communication to the file servers that need it. Limit and audit the files accessible via SMB shares. Furthermore, apply the Microsoft security update MS17-010 (which addresses CVE-2017-0143 through CVE-2017-0148, including the flaw that EternalBlue exploits).

Emotet: To combat Emotet infections, provide social engineering and phishing training to employees. Urge them not to open suspicious emails, click links contained in such emails, or post sensitive information online, and never to provide usernames, passwords, and/or personal information in response to any unsolicited request. Additionally, consider blocking file attachments that are commonly associated with malware, such as .dll and .exe, and attachments that cannot be scanned by antivirus software, such as encrypted or password-protected .zip files.

WannaCry: Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources. Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially those from untrusted sources.

WannaMine: Check for abnormally high resource use, suspicious files, log entries, and spikes in electricity use, as these are indicators that cryptocurrency mining may be occurring on your network. As many cryptocurrency mining malware variants use PowerShell during the infection process, restrict the execution of PowerShell to authorized signed scripts or disable PowerShell if it is not needed.

Remote Desktop Protocol: Assess the need to have RDP open on systems and, if required, limit connections to specific, trusted hosts. Verify cloud environments adhere to best practices as defined by the cloud service provider. After cloud environment setup is complete, ensure that RDP ports are not exposed unless required for a business purpose. We recommend that any system with an open RDP port be placed behind a firewall and that users be required to connect through a virtual private network. Enable strong passwords and account lockout policies to defend against brute-force attacks.

Performing regular backups of all systems, in accordance with risk management policies, will limit the impact of data loss in the event of a ransomware incident. Be sure to store backups offline, as some ransomware is able to encrypt backup files if they are reachable from the network. For more information on ransomware infections and additional tips to better secure your organization against them, review the MS-ISAC Ransomware Security Primer.
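Disabling SMBv1 "after appropriate testing" is much easier with an audit trail of which clients still speak it. The following is an added example, not from the MS-ISAC article: it reports the SMBv1 state of a Windows host, turns on SMB1 access auditing, lists the clients seen in the audit log, and disables the protocol only once nothing has used it. It assumes Windows 10 or Windows Server 2016 or later (SmbShare and DISM cmdlets), an elevated session, and an assumed, partial list of MS17-010 KB numbers; the right KB depends on the OS build, and on Windows Server the component is also exposed as the FS-SMB1 feature, so treat "no KB matched" as "verify manually", not as "unpatched".

```powershell
# Added example (not from the MS-ISAC article): inventory SMBv1, audit who still
# uses it, then disable it. Assumes Windows 10 / Server 2016+ and an elevated
# session. The MS17-010 KB list is a partial assumption: check your build.

function Get-Smb1Status {
    $server  = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol'
    $installedKB = Get-HotFix | ForEach-Object HotFixID
    # Assumption: partial list of MS17-010 KB IDs across Windows versions.
    $ms17010 = @('KB4012212','KB4012213','KB4012214','KB4012215','KB4012216','KB4012217','KB4012598','KB4013429')
    [pscustomobject]@{
        Smb1ServerEnabled = $server.EnableSMB1Protocol
        Smb1FeatureState  = [string]$feature.State     # Enabled / Disabled / DisabledWithPayloadRemoved
        Smb1AuditEnabled  = $server.AuditSmb1Access
        Ms17010KbFound    = @($installedKB | Where-Object { $_ -in $ms17010 })
    }
}

function Enable-Smb1Audit {
    # Every SMB1 client connection is then logged as event 3000 in
    # Microsoft-Windows-SMBServer/Audit. Leave it on long enough to catch
    # weekly and monthly jobs before you disable anything.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

function Get-Smb1Clients {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The client address is the first event-data field of event 3000.
            $x = [xml]$_.ToXml()
            ($x.Event.EventData.Data | Select-Object -First 1).'#text'
        } | Sort-Object -Unique
}

function Disable-Smb1 {
    # Server side: stops SMB1 negotiation on the wire immediately...
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # ...and remove the component so a stray setting cannot re-enable it.
    Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart
}

$status = Get-Smb1Status
$status | Format-List

if ($status.Smb1ServerEnabled -and -not $status.Smb1AuditEnabled) {
    Enable-Smb1Audit
    Write-Warning 'SMB1 is on and was not audited; auditing enabled. Re-run in a week and review Get-Smb1Clients.'
} elseif ($status.Smb1ServerEnabled) {
    $clients = Get-Smb1Clients
    if ($clients) { Write-Warning "SMB1 still in use by: $($clients -join ', '); fix those clients first." }
    else          { Disable-Smb1; Write-Host 'No SMB1 clients seen in 7 days; SMB1 disabled (reboot pending).' }
}
if (-not $status.Ms17010KbFound) { Write-Warning 'No MS17-010 KB matched; confirm the patch level for this build manually.' }
```

The audit step is the part people skip: an old multifunction printer or a NAS that can only scan to an SMBv1 share will break the day SMBv1 is switched off, and the 3000 events are the cheapest way to find it beforehand. Disabling SMBv1 does not replace the MS17-010 patch; the two together remove both the vulnerable code and the protocol EternalBlue needs.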

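The WannaMine recommendation above, restricting PowerShell to signed scripts, is worth pairing with the logging that makes PowerShell abuse visible, because execution policy alone is a safety rail, not a security boundary (any process can launch powershell.exe with -ExecutionPolicy Bypass). The following is an added example, not from the MS-ISAC article: it sets the AllSigned policy machine-wide, enables script block and module logging through the policy registry keys, then hunts the PowerShell operational log for strings typical of miners and credential theft and samples CPU usage for long-running hogs. It assumes Windows 10 or Server 2016 or later and an elevated session; the indicator list and the CPU threshold are illustrative starting points, not a signature set.

```powershell
# Added example (not from the MS-ISAC article): harden PowerShell, enable the
# logging that exposes abuse, and hunt for miner-style activity. Assumes
# Windows 10 / Server 2016+ and an elevated session. Indicators and the CPU
# threshold below are assumptions to tune, not a vetted signature set.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PowerShellHardening {
    # AllSigned machine-wide. Execution policy is bypassable by design; pair it
    # with AppLocker/WDAC if you need real enforcement.
    Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

    # Script block logging (event 4104) records de-obfuscated code as it runs,
    # which is what defeats -EncodedCommand tricks for the defender.
    New-Item -Path "$PolicyRoot\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$PolicyRoot\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Module logging (event 4103) captures pipeline execution for every module.
    New-Item -Path "$PolicyRoot\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$PolicyRoot\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    New-ItemProperty -Path "$PolicyRoot\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null
}

# Strings commonly seen in miner and credential-theft tooling (assumed list).
$Indicators = @('Invoke-Mimikatz', 'sekurlsa', 'FromBase64String', 'DownloadString',
                '-EncodedCommand', '-enc ', 'stratum+tcp', 'xmrig', 'cryptonight', 'Invoke-WmiMethod')

function Find-SuspiciousScriptBlocks {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = $_.Message
            $hits = $Indicators | Where-Object { $text -like "*$_*" }
            if ($hits) {
                [pscustomobject]@{
                    Time       = $_.TimeCreated
                    Indicators = ($hits -join ', ')
                    Snippet    = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
}

function Find-CpuHogs {
    # Miners peg the CPU for long stretches; sample twice and report only
    # processes that stayed busy across the interval, so a momentary spike
    # (a compile, an AV scan starting) is not flagged.
    param([double]$MinPercent = 70, [int]$SampleSeconds = 5)
    $cores = [Environment]::ProcessorCount
    $first = Get-Process | Select-Object Id, ProcessName, @{ n = 'Cpu'; e = { $_.CPU } }
    Start-Sleep -Seconds $SampleSeconds
    Get-Process | ForEach-Object {
        $proc = $_
        $prev = $first | Where-Object Id -eq $proc.Id
        if ($prev -and $proc.CPU -ne $null) {
            # CPU is cumulative processor seconds; convert the delta to % of all cores.
            $pct = (($proc.CPU - $prev.Cpu) / $SampleSeconds / $cores) * 100
            if ($pct -ge $MinPercent) {
                [pscustomobject]@{ Id = $proc.Id; Name = $proc.ProcessName; CpuPercent = [math]::Round($pct, 1); Path = $proc.Path }
            }
        }
    }
}

Set-PowerShellHardening
Find-SuspiciousScriptBlocks | Format-Table -AutoSize
Find-CpuHogs | Format-Table -AutoSize
```

A hit on FromBase64String or DownloadString is not proof of compromise (plenty of legitimate admin scripts use both), but a hit from an account or host that should not be running PowerShell at all is, and the CPU sampler will usually name the process before the electricity bill does.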

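The RDP recommendations above (limit connections to trusted hosts, enforce lockout, defend against brute force) translate into a short hardening-and-detection script. The following is an added example, not from the MS-ISAC article: it scopes the built-in Remote Desktop firewall rules to a trusted source range, requires Network Level Authentication, sets a local lockout policy, and then groups failed logons in the Security log by source address to surface brute-force attempts. It assumes Windows 10 or Server 2016 or later and an elevated session; the 10.10.0.0/24 range is a placeholder for your own jump hosts or VPN pool. One caveat the script handles: once NLA is on, pre-session authentication failures are logged as logon type 3 (network) rather than type 10 (RemoteInteractive), so both types are counted.

```powershell
# Added example (not from the MS-ISAC article): reduce the RDP attack surface
# and surface brute-force attempts from the Security log. Assumes Windows 10 /
# Server 2016+ and an elevated session. The trusted range is a placeholder.

$TrustedHosts = @('10.10.0.0/24')   # assumption: replace with your jump hosts / VPN pool

function Set-RdpHardening {
    # 1. Scope the built-in RDP firewall rules to trusted sources only.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Set-NetFirewallRule -RemoteAddress $TrustedHosts

    # 2. Require Network Level Authentication (credentials checked before a
    #    session is created) and the TLS security layer.
    $rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $rdpTcp -Name SecurityLayer      -Value 2 -Type DWord

    # 3. Local lockout policy: 5 bad passwords within 30 minutes locks the account
    #    for 30 minutes. Domain members should get this from Group Policy instead.
    net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null
}

function Find-RdpBruteForce {
    # Event 4625 = failed logon. LogonType 10 = RemoteInteractive (RDP without NLA);
    # with NLA enabled, failed RDP pre-auth shows up as LogonType 3 (network).
    param([int]$Hours = 24, [int]$Threshold = 20)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            if ($d['LogonType'] -in @('3', '10') -and $d['IpAddress'] -and $d['IpAddress'] -ne '-') {
                [pscustomobject]@{ Source = $d['IpAddress']; User = $d['TargetUserName']; Time = $_.TimeCreated }
            }
        } |
        Group-Object Source |
        Where-Object Count -ge $Threshold |
        ForEach-Object {
            $times = $_.Group.Time | Sort-Object
            [pscustomobject]@{
                Source    = $_.Name
                Failures  = $_.Count
                Usernames = ($_.Group.User | Sort-Object -Unique) -join ', '
                FirstSeen = $times[0]
                LastSeen  = $times[-1]
            }
        }
}

Set-RdpHardening
Find-RdpBruteForce | Sort-Object Failures -Descending | Format-Table -AutoSize
```

A source that cycles through dozens of usernames (administrator, admin, scanner, backup) is the classic shape of the RDP brute force that precedes SamSam and Dharma deployments; a single username with hundreds of failures is usually a misconfigured service account. If Find-RdpBruteForce returns anything at all from an address outside the trusted range, the firewall scoping in Set-RdpHardening has not taken effect and RDP is still reachable from the internet.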

Do's & Don'ts of Using Open Source Intelligence in Your Investigations

Open source intelligence can be a valuable tool for conducting investigations, but having a well-established action plan is crucial for success.

By Micah Hoffman

Using open source intelligence (OSINT) in investigations can be an exercise fraught with trap doors and nets. Not only are you navigating a nearly endless maze of data to find evidence, but your own search data is being collected and used for and/or against you at all times. Having a plan and being aware of your surroundings is key. Here are the do's and don'ts to read before you start.

Don't: Fail to have a plan.
Do: Develop a reliable process for OSINT that can be used repeatedly by multiple people on your team. This process will ensure that all of your investigations are effective and can be completed without revealing your identity or tactics. One resource that is helpful for planning is a mind map. Mind map templates are available online for free and can help you build a framework for the data you will be collecting.

Don't: Begin an investigation before gathering the requirements.
Do: Formalize the requirements of your investigation up front to help define success, including who needs the data and what their desired outcome is. Is the customer interested in attribution alone, or will prosecution be a desired outcome? Are there legal or other restrictions that may constrain your investigation? Is success realistic with the time, cost, covertness, and other constraints that must be applied? Documenting these requirements will keep you from making missteps that could invalidate your investigation's results.

Don't: Expose your network or location.
Do: Consider the network from which you will be accessing online sources. What IP address are you working from? Are you on a home or work network, at a customer site, or using a cloud host or proxy? Some tools may "phone home" and may collect your information or even identify you to your target. Your covertness may be lost if you do not control this aspect of your investigation. Your research could also trigger IP shunning, which would cause the source to block your IP or your entire organization.

Don't: Use a "dirty" machine.
Do: Reduce your risk as much as possible by using a virtual machine for your investigation if you can. A clean virtual machine lets you work without the influence of stored images, searches, or other material collected from the sites and tools involved in previous investigations. If you can't use a virtual machine, at least use a separate web browser for your research, or create a unique browser profile for OSINT activities. Regardless of the method used, remove all data from your system after each assessment is complete, either archiving or deleting it per your process and your customer's wishes, to avoid contaminating your next case with the previous case's data.

Don't: Use personal accounts.
Do: Plain and simple, do not use your personal accounts for any OSINT research. Create a barrier between you and your target; otherwise, you may become the target. Some social media sites can tell the target who you are. For weeks after a search, some social sites remember your previous searches and take actions based on that data (recommending friends, products, etc.). Create sock puppets (false accounts) or seek other methods to retrieve the data you need. Also consider what information is leaving your system and network that may give away who and where you are.

Don't: Leave anything out of your documentation.
Do: Use manual and automated tools to document your steps and the data you find before it changes, disappears, or uncovers your identity or location. There are no guarantees in OSINT, and your access, or the data, can change as time and actions move ahead. When the time comes to write the report and deliver results, your data should not lack references, URLs, dates, hashes, or how you obtained the content. Documenting these details helps you fully corroborate your data and ensures that your investigation can be completed successfully.

Micah Hoffman is a certified instructor at the SANS Institute. Hoffman has been working in the information technology field since 1998, supporting federal government, commercial, and internal customers in their searches to discover and quantify information security weaknesses within their organizations. He leverages years of hands-on, real-world OSINT, penetration testing, and incident response experience to provide excellent solutions to his customers. Hoffman is the author of SEC487: Open-Source Intelligence Gathering and Analysis and holds GIAC's GMON, GAWN, GWAPT, and GPEN certifications as well as the CISSP. Hoffman is a highly active member of the cybersecurity and OSINT communities. When not working, teaching, or learning, Hoffman can be found hiking on the Appalachian Trail or the many park trails in Maryland. Catch him on Twitter @WebBreacher.
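The last "Do" above, capturing references, URLs, dates, hashes and method before the data changes, is worth making mechanical. The following is an added example, not from the article or from any SANS course material: a small evidence logger that stores each captured artifact under its SHA-256, appends an immutable JSON-lines record of what was captured, when (UTC), from where, by whom and how, and later re-verifies every artifact against its recorded hash. It assumes a case directory of your choosing; the sample page content and URL below are constructed for the example, not a real capture.

```powershell
# Added example (not from the article): record OSINT evidence with what, when,
# where, who and how, plus a SHA-256 of the captured bytes, so the report can
# cite it even after the source changes or disappears. The case directory is
# an assumption; the sample content at the bottom is constructed.

$CaseDir = 'C:\Cases\case-0001'   # assumed location
$LogPath = Join-Path $CaseDir 'evidence.jsonl'

function New-EvidenceRecord {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [Parameter(Mandatory)] [byte[]] $Content,
        [Parameter(Mandatory)] [string] $Method,   # e.g. "browser screenshot", "Invoke-WebRequest via VPN exit X"
        [string] $Analyst = $env:USERNAME
    )
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = ($sha.ComputeHash($Content) | ForEach-Object { $_.ToString('x2') }) -join ''
    $sha.Dispose()

    # Content-addressed storage: the file name *is* the hash, so a later edit
    # to the artifact is detectable and identical captures do not duplicate.
    [IO.Directory]::CreateDirectory($CaseDir) | Out-Null
    $artifact = Join-Path $CaseDir "$hash.bin"
    if (-not (Test-Path $artifact)) { [IO.File]::WriteAllBytes($artifact, $Content) }

    $record = [pscustomobject]@{
        CapturedUtc = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
        Url         = $Url
        Method      = $Method
        Analyst     = $Analyst
        Sha256      = $hash
        Bytes       = $Content.Length
        Artifact    = $artifact
    }
    # Append-only log, one JSON object per line; records are never rewritten.
    $record | ConvertTo-Json -Compress | Add-Content -Path $LogPath
    $record
}

function Test-EvidenceIntegrity {
    # Re-hash every artifact against its log entry. A mismatch means the bytes
    # on disk are no longer what was captured, and the record cannot be cited.
    Get-Content -Path $LogPath | ForEach-Object {
        $r = $_ | ConvertFrom-Json
        $intact = (Test-Path $r.Artifact) -and
                  ((Get-FileHash -Path $r.Artifact -Algorithm SHA256).Hash.ToLower() -eq $r.Sha256)
        [pscustomobject]@{ CapturedUtc = $r.CapturedUtc; Url = $r.Url; Sha256 = $r.Sha256; Intact = $intact }
    }
}

# Constructed sample: the bytes of a profile page as the investigator captured it.
$sample = [Text.Encoding]::UTF8.GetBytes('<html><body>Profile of @example_user</body></html>')
New-EvidenceRecord -Url 'https://example.com/example_user' -Content $sample -Method 'Invoke-WebRequest from research VM via VPN'
Test-EvidenceIntegrity | Format-Table -AutoSize
```

Archive the case directory, log included, when the engagement closes, and run Test-EvidenceIntegrity on the archive before anything from it goes into a report or in front of counsel.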


Safe Driving in the Digital Age

Staying ahead of the dangers of cyber attacks can be a difficult task, but tackling it with the right tools can be rewarding, both institutionally and financially

By Kevin Sherry and Raphael DaCosta

The Cyber Insurance practice at Everest Insurance® looks to incentivize our policyholders to take actions or use tools that we believe will effectively strengthen their defenses against a cyber attack. Similar to auto insurance, we are looking to give our insureds the “safe driver discount” of cyber insurance, while helping them mitigate their exposure. Cybersecurity is not as simple as learning how to drive defensively or maintaining an appropriate amount of distance between you and the car in front of you in normal road conditions; it is learning how to drive defensively when there is a truck actively trying to cause an accident. That being said, in the cybersecurity world, hackers typically follow the path of least resistance – so you don’t necessarily have to be the best driver on the road, you just have to be better than most of the other drivers.

CIS has found an effective way to address corporate cyber risk by creating the CIS Controls: a prioritized, consensus-based list of recommended defensive actions that provide a "must-do, do-first" starting point for every organization that is seeking to improve their cyber defense. The CIS Controls are developed and regularly updated by an international consortium of cybersecurity professionals from every part of the ecosystem (cyber analysts, vulnerability-finders, solution providers, users, consultants, policy-makers, executives, academia, auditors, etc.) to greatly reduce the risk of a security breach and to assist organizations in the development of a network security posture that will make them one of the better “drivers” on the road.

CIS-CAT Pro

The CIS-CAT Pro tool can be a useful and cost-effective tool for hardening an organization's systems. Available to all CIS SecureSuite Members, the CIS-CAT Pro tool quickly compares the configuration of an organization's systems to CIS Benchmark recommendations and reports their conformance on a scale of 0-100, making it possible to quickly assess how securely the analyzed systems are configured. The tool also assists in implementing the CIS Controls associated with the CIS Benchmarks of their choice, and allows them to monitor their system compliance over time against the CIS Benchmarks and their own internal security protocols through the CIS-CAT Pro Dashboard.

As many CIS SecureSuite Members are aware, last year two ransomware outbreaks (WannaCry and NotPetya) wreaked havoc on the computer networks of thousands of companies in Eastern and Western Europe; the outbreaks even managed to hit several major U.S. networks. Implementation of several of the CIS Controls recommendations via the CIS-CAT Pro tool could have helped stem the spread of the attacks, such as:

- Maintain an accurate inventory of all hardware and software running on the network
- Scan the network for vulnerabilities and deploy software patches, when applicable
- Securely configure hardware and software on the network in order to prevent attackers from exploiting vulnerable services and settings

As many cybersecurity experts have opined, these types of attacks are poised to become commonplace in the future. Among these experts raising the alarm about the increase in cyber attacks is the Multi-State Information Sharing and Analysis Center (MS-ISAC). A recent analysis of attack data collected by the MS-ISAC noted that reported data breaches increased 63% during the three-month period between Q4 2017 and Q1 2018.[1]

Companies that do not implement these foundational actions outlined in the CIS Controls will be at a heightened risk for cyber attacks, not just in the next ransomware outbreak, but also when it comes to a security breach, a crippling business interruption event, or a privacy event, which can devastate a company’s brand. Most successful cyber attacks are accomplished using a familiar list of attack vectors and known vulnerabilities. The CIS-CAT Pro tool helps implement the CIS Benchmarks and CIS Controls that mitigate the threat from these attacks, and also helps information security personnel identify which actions will have the biggest impact in strengthening their network security, ensuring time and financial investments have the best return possible. It is for these reasons that Everest recognizes the value in the CIS Controls and, as such, is offering a 10% “safe driver discount” to all CIS SecureSuite Members that use or plan on implementing the CIS-CAT Pro tool in the near future, including MS-ISAC members utilizing their available free CIS SecureSuite membership. You can learn more about Everest's cyber liability insurance program and its initiative with CIS on the Everest Insurance® website.

Kevin Sherry is the Head of Everest Insurance®’s Cyber Insurance Practice, where he provides oversight of the company’s cyber liability underwriting operations, product development, and risk mitigation initiatives. Under his leadership, Everest Insurance® launched its cyber liability insurance product, the Cyber Elevation Insurance Policy, which offers a suite of comprehensive services to assist in responding to cyber attacks. Prior to joining Everest, Sherry oversaw cyber underwriting for Zurich North America’s Diversified Financial Institutions Group.

Raphael DaCosta recently joined Everest Insurance®’s Cyber Insurance Practice as a Manager for Cyber and Technology Errors and Omission Liability Insurance. In this role, DaCosta is responsible for all underwriting functions within retail and wholesale business segments. Prior to joining Everest, DaCosta was a senior underwriter for Zurich North America and an underwriter for Chubb Insurance.

[1] Q1 2018 Cybersecurity Threats, Multi-State Information Sharing & Analysis Center. https://www.cisecurity.org/cybersecurity-threats/.


Zero Trust Security Models and the Future of Identity Authentication

In order to thwart hackers, the best solution for securely authenticating a user's identity may be assuming that everything already is, or soon will be, compromised

By Robert Paul

We’ve all become familiar with the two-factor authentication codes that have been on the rise over the last few years. You know the form: “A text message with a 6-digit verification code was just sent to your number.” It seems almost standard these days for anyone who cares about the security of their accounts. It’s even becoming mandatory on many websites today. The problem is, hackers are still one step ahead of leading industry security practices. The hack is called ‘SIM Swapping.’ It’s the act of remotely hijacking your phone, allowing the hacker to receive any calls or SMS messages that you receive — including that 6-digit multi-factor authentication code so many websites rely upon today. Most people might assume that this is a sophisticated attack that requires a very specific set of circumstances for the vulnerability to be exploited. Unfortunately, that isn’t the case. Your phone provider is the one willingly giving hackers access to your phone. The hack isn’t complicated and isn’t new. Even NIST removed SMS-based multi-factor codes from their recommended guidelines back in 2016.[1] Their reasoning was the increase in frequency of the attack, the ease of exploitation, and the inability of telecom companies to protect against it.

As a pentester, I would often have to leverage a SIM swap to grant myself access into a corporate VPN, or to pivot to a more protected network, or to gain access to a company’s DNS records, thus giving me complete control over their entire network. The process is straightforward and takes only a few minutes. First, you conduct research on your target to find leaked information. There is a trove of leaked information on most people, including social security numbers, addresses, phone numbers – all the things you would need to verify your identity to the telecom support staff. This information isn’t hard to find and isn’t expensive either. Access to hoards of easily searchable records is available for sale online, or you can grab the raw data yourself from security research sites, such as databases.today or Public DB Host, or other more legitimate services, like Spokeo. Once you have all the data you’re looking for, it’s just a matter of correlating data across leaked dumps to find the most current and relevant data. Then all you need to do is call their phone provider with a sob story about how you accidentally ran your phone through the washing machine and the world is ending because you’re expecting a call today for a job interview. The phone provider will do everything they can to help you out and is willing to happily swap your number over to a new SIM card that you just bought – if you confirm your identity. You give the representative all the details you harvested on your victim and it’s done. You can now receive all SMS messages and calls that were originally intended for your victim.

Now all that’s left is to log in to their email, enter their two-factor authentication code, and proceed to reset every account they signed up for with that email: their banking and credit card accounts, cryptocurrency exchange accounts, e-trade account, other email addresses for which they have that email as their recovery email, their social media accounts. Everything.

There are a lot of challenges in dealing with online identity. Arguably the biggest challenge is the users themselves. Password managers, like LastPass or Intel’s True Key, can completely defeat password reuse attacks, like SIM swapping. But, for such an effective tool, password managers have not seen widespread adoption. LastPass, one of the most popular password managers, has only about 7 million users,[2] but there are more than 3.2 billion people worldwide using the internet.[3] These tools also have vulnerabilities of their own.[4]

Since no solution is perfect, the security industry has shifted its focus to building Zero Trust security models.[5] A ‘Zero Trust’ model is one that assumes the user’s machines and environment are already compromised, and that the service they are communicating with can be or will be compromised. The Distributed Identity Foundation (DIF) boasts some of the latest technology for dealing with the issues surrounding online identity authentication. Industry giants like Microsoft, IBM, RSA, MasterCard, and various startups have pooled their resources into tackling this problem. The DIF focuses on using Zero Trust encryption technologies, like Zero Knowledge Proofs of Knowledge, in order to verify users within untrusted environments. The DIF also has a heavy focus on blockchain technologies to achieve a more decentralized approach that is resistant to traditional attacks, which focus on attacking single-point-of-failure services – like using your email as an online identity.

Robert Paul is the Principal Protocol Architect at NuID, a startup leveraging zero knowledge cryptography and blockchain technology to eliminate the need for businesses to store passwords and other authentication credentials. Paul is a self-taught white hat who has been hacking since his early teenage years. Before joining NuID, Paul held a contract position at Microsoft working on the cryptographic libraries for Azure. Before that, Paul spent two years at Ericsson, where he conducted penetration testing and built and deployed a wide range of security systems for their managed services clients.

[1] NIST Special Publication 800-63B: Digital Identity Guidelines, National Institute of Standards and Technology, 25 Jun 2018. https://pages.nist.gov/800-63-3/sp800-63b.html.
[2] Sarah Perez, LogMeIn Acquires Password Management Software LastPass For $110 Million, TechCrunch, 9 Oct 2015. https://techcrunch.com/2015/10/09/logmein-acquires-password-management-software-lastpass-for-110-million/.
[3] Jacob Davidson, Here's How Many Internet Users There Are, Time, 26 May 2015. http://time.com/money/3896219/internet-users-worldwide/.
[4] Password Manager LastPass Warns of Breach, Krebs on Security, 15 Jun 2015. https://krebsonsecurity.com/2015/06/password-manager-lastpass-warns-of-breach/.
[5] What is Zero Trust Architecture?, Palo Alto Networks. https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture.
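The Zero Knowledge Proof of Knowledge idea in the Zero Trust discussion above can be made concrete. What follows is an added example, not code from the article, from NuID or from the DIF: the textbook Schnorr identification protocol in non-interactive (Fiat-Shamir) form. The service enrolls only the public value y = g^x and never sees x, so a breach of its user table yields nothing that lets anyone authenticate, and a fresh server nonce in every login stops a captured proof from being replayed. The group parameters are toy-sized and constructed at import time, and the password and salt are constructed samples.

```python
import hashlib
import secrets

# Added example: Schnorr identification in non-interactive (Fiat-Shamir) form,
# the textbook zero-knowledge proof of knowledge. The service keeps only
# y = g^x mod p; the client proves knowledge of x without revealing it.
# Group parameters are toy-sized and constructed at import time (labelled as
# such); real deployments use a standardised group or an elliptic curve.

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group():
    """Return (p, q, g) with g generating a subgroup of Z_p^* of prime order q."""
    q = 2**127 - 1                       # the Mersenne prime M127
    k = 2
    while not is_probable_prime(k * q + 1):
        k += 2                           # k stays even so p = k*q + 1 is odd
    p = k * q + 1
    h = 2
    while pow(h, k, p) == 1:             # h^k has order exactly q unless it is 1
        h += 1
    return p, q, pow(h, k, p)

P, Q, G = make_group()
NBYTES = (P.bit_length() + 7) // 8

def secret_from_password(password, salt):
    """Client side: derive the private exponent x from a password and per-user salt."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return int.from_bytes(dk, "big") % (Q - 1) + 1

def enroll(x):
    """Client side: the public verifier y = g^x. Only y is sent to and stored by the service."""
    return pow(G, x, P)

def challenge(y, t, nonce, context):
    """Fiat-Shamir challenge binding the commitment t to y, the server nonce and a context label."""
    h = hashlib.sha256()
    h.update(y.to_bytes(NBYTES, "big"))
    h.update(t.to_bytes(NBYTES, "big"))
    h.update(nonce)
    h.update(context)
    return int.from_bytes(h.digest(), "big") % Q

def prove(x, y, nonce, context=b"login"):
    """Prover: returns (t, s) with t = g^r and s = r + c*x mod q. The nonce is a
    fresh server-chosen value, so a proof captured in transit cannot be replayed."""
    r = secrets.randbelow(Q - 1) + 1
    t = pow(G, r, P)
    c = challenge(y, t, nonce, context)
    return t, (r + c * x) % Q

def verify(y, proof, nonce, context=b"login"):
    """Verifier: accept iff g^s == t * y^c mod p. Needs only the public y, never x."""
    t, s = proof
    if not (1 < y < P and 1 < t < P and 0 <= s < Q):
        return False
    c = challenge(y, t, nonce, context)
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def demo():
    """Enroll once, then attempt three logins: genuine, replayed proof, wrong password."""
    salt = b"constructed-sample-salt"
    x = secret_from_password("correct horse battery staple", salt)
    y = enroll(x)                                   # all the service ever stores
    nonce = secrets.token_bytes(16)                 # server challenge for this login
    genuine = verify(y, prove(x, y, nonce), nonce)
    replayed = verify(y, prove(x, y, nonce), secrets.token_bytes(16))
    x_wrong = secret_from_password("wrong password", salt)
    wrong = verify(y, prove(x_wrong, y, nonce), nonce)
    return genuine, replayed, wrong

if __name__ == "__main__":
    print(demo())   # (True, False, False)
```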


Cyber Tips & Tricks

This Quarter’s Tip: Cybersecurity While Traveling

by Freisi M. Alfonseca, Cyber Intelligence Analyst, MS-ISAC

It’s that time of year again — the season of conferences and vacations! Unfortunately, traveling presents additional cybersecurity challenges that must be considered in order to prevent an array of scams and compromises. As you pack for your upcoming work travels or, better yet, a much-awaited vacation, remember these essential cybersecurity tips that will help you rest assured during your travels.

- Hold off on posting those travel selfies until after you have returned home to avoid revealing information to malicious cyber threat actors. A lot of scams rely on knowing where you are or where you are not, like home! Not posting those pictures until you get home helps keep you and your house secure, and it will help prevent your relatives and co-workers from being targeted as well.
- It may be tempting to ask a kind stranger to watch your devices as you quickly step away for a few minutes, but that creates an opportunity for device tampering. Maintain accountability of your devices at all times to ensure they are not maliciously altered.
- Passwords are so under-rated! Ensure each of your devices is protected by a secure password. If you are able, utilize full disk encryption on your devices to protect the information on them even if they are lost, and where possible, remove apps and auto-logins from devices before you travel.
- Public Wi-Fi may appear convenient, but accessing unsecured Wi-Fi during your travels can expose you to man-in-the-middle attacks, leading to the exposure of data. Instead, connect your devices to the Internet by creating a hot spot with your mobile device.
- If a connection to sensitive accounts or systems is required, use a virtual private network (VPN) connection, if it is legal in the country to which you are traveling. VPNs allow data to be transmitted in a manner that protects it from anyone listening in.
- Do not plug USB-powered devices into public charging stations. Only connect USB-powered devices to the power adapter with which they were intended to be used in order to prevent inadvertent data exposure.

Travel for Work

Traveling for work presents its own special requirements. In addition to the tips listed above, utilize the extra tips below to help your travels go more smoothly.

- Have your organization outfit you with a MiFi device, which is a wireless router that acts as a mobile Wi-Fi hotspot. This solution may be more convenient than using a cellular hotspot, especially if you use a lot of data.
- If you are delivering a presentation, be sure to email materials ahead of time or bring your own laptop or USB device instead of accessing your email, in order to avoid risks associated with keylogging attacks.

Be sure to spread these tips amongst your colleagues to strengthen your organization’s culture of cybersecurity. These are only a handful of tips that can aid you in your efforts to remain secure while traveling. A more detailed list is available in the MS-ISAC's latest Security Primer. You can view this helpful whitepaper on the CIS website.



Gartner’s #1 Security Technology is Cloud Access Security Broker (CASB)

Unleash the power of the cloud with McAfee Skyhigh Security Cloud™

Approved for the CIS CyberMarket

Contact: Jim Bergen (Jim_Bergen@McAfee.com) www.McAfee.com


MS-ISAC Update

The MS-ISAC Membership Reaches Another Significant Milestone

2018 continues to be an excellent year for the MS-ISAC Stakeholder Engagement team! Through our continued hard work, thousands of miles of travel, countless phone calls, and untold speaking engagements, the team has continued to foster incredible growth and help strengthen the cybersecurity defenses of the state, local, tribal, and territorial (SLTT) community.

On May 17th, the County of Chenango, New York, became our 3,000th member! Since our inception in 2010, we have steadily grown membership, and our commitment to local governments is paying very big dividends. With an increased focus on elections security and the creation of the EI-ISAC on March 7th, we are expanding our reach and providing a truly valuable service to our nation. Thank you to all of our current members for touting us to the greater community; without your efforts on our behalf we would not have achieved this goal.

Elections Infrastructure Information Sharing & Analysis Center (EI-ISAC)

Since the 2016 election, the cybersecurity of our nation’s elections has been a hot topic. The designation of election infrastructure as a critical infrastructure subsector by the U.S. Department of Homeland Security (DHS) opened up new funding and assistance opportunities for state and local election offices and led to the formation of a Government Coordinating Council (GCC) comprised of federal stakeholders and state and local election officials. Following a 120-day pilot to identify resource needs, the GCC approved the formation of an Election Infrastructure Information Sharing and Analysis Center, or EI-ISAC, housed at CIS.

The EI-ISAC offers U.S. SLTT election offices access to all the benefits of MS-ISAC membership, such as a 24x7x365 Security Operations Center, threat and vulnerability monitoring, and incident response, as well as an elections-focused cyber defense suite of sector-specific threat intelligence products, cybersecurity awareness and training products, and tools for implementing security best practices, like CIS’ Handbook for Election Infrastructure Security. The EI-ISAC is also overseeing an expansion of the Albert monitoring program to state election offices. Since its launch in March 2018, the EI-ISAC has seen explosive membership growth, with 50 state election offices, two territorial election offices, over 700 local election offices in 42 states, and a number of key member associations. Membership in the EI-ISAC is easy to obtain, available at no cost, and open to all U.S. SLTT election-focused government agencies: simply complete the registration form at https://learn.cisecurity.org/ei-isac-registration.


Cyberside Chat

This Quarter's Topic: Awareness & Training — Evolving the Process

by Sean Atkinson, Chief Information Security Officer, CIS

As we experience and work to make our internal company and personnel more secure, it seems that the rehashing of an annual training and a yearly email phishing campaign may not be enough to thwart those whose campaigns, attacks, and nefarious activity are ever-evolving.

Updates and Awareness Factors

To combat training fatigue and the failure to practice what is preached as best controls, it makes sense for organizations to move into the active role of applying policy awareness and training. Training can come in many forms, such as phishing campaigns, desktop and tabletop exercises, and USB drops. To avoid providing information and training which is then immediately forgotten, integrate continual processes of behavioral change into your business processes. In some cases, we can improve the security posture with SPF, DKIM, or DMARC to reduce the risk of a successful phishing campaign. It is important that the technical controls are not the only assessment performed against an organization. The effectiveness of CIS Control #17 should be measured and applied to role-based access controls.

Moving Forward with an Improved Awareness and Behavioral Program

Updating your training program should also include investment in its management and performance analytics. The return on investment will be based on the measure, and on whether such effectiveness is calculable. Implementing role-based security and access control requirements is an impetus of GDPR. Privacy has become a highlighted requirement for organizations; those managing and safeguarding PII under Gramm-Leach-Bliley have safeguarding requirements, as do those handling health-related information and financial data. Each industry has an approach that requires a form of protection, and as these become more integrated across business units and functions, knowing what you have in terms of data will allow specific training programs to be built. One approach is to spear phish a particular department or utilize a multi-phish email approach for the whole organization. This can allow the organization to gauge clicks, versus the ‘hey, don’t click that’ from colleagues. Using a role-based and even country-based approach may allow for better aligned security training and develop a mechanism to test the approaches across business units. Analytics can be used to identify those who ‘get it’ and those who may require more hands-on approaches. Different learning styles may also be a factor. If the visual learner gets a PowerPoint and the kinesthetic learner gets something from a spear phish, wouldn’t it make sense to use both approaches and get broader coverage? Social and solitary styles will require some understanding, preparation, and a different approach, but if the results prove fruitful, your overall security risk may be diminished.

Questions for the Reader

What has proven effective for your organization's cyber security training and awareness? Is the only method to change behavior getting caught or scammed? Can we effectively simulate such a scenario to make those ‘once bitten, twice shy’ without the bite?


Upcoming Events

July

July 10th - 12th The National Homeland Security Association will hold its National Homeland Security Conference 2018 in New York City. The event will bring together homeland security and emergency management leaders and professionals to network and share their knowledge on emergency response at all levels of government. MS-ISAC Director of Cyber Intelligence Stacey Wright will lead two breakout sessions at the event on cybersecurity and current cyber threats.

July 13th - 16th The National Association of Counties (NACo) will hold the 2018 NACo Annual Conference & Exposition in Nashville. NACo's premier member event will draw together elected officials and leaders from the nation's counties to network, learn, share best practices, and discuss NACo's policy agenda. MS-ISAC Director of Engagement Andrew Dolan will be a featured panelist on two panels during the conference's County CIO & Technology Leadership Forum.

July 13th - 16th The National Association of Secretaries of State (NASS) and the National Association of State Elections Directors (NASED) are hosting their annual NASS/NASED Summer Conference in Philadelphia. Members from both associations, as well as other state government officials, will come together to learn about and discuss the latest issues regarding elections and government-business relations, as well as other important topics.

July 18th Cyber Security Summit: Seattle will take place at The Westin Seattle, bringing together senior executives, business leaders, and senior cybersecurity professionals to learn about the latest threats from industry leaders. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details.

July 18th - 20th The Opal Group will host its Cyber Security Summit 2018 in Newport, Rhode Island. This event will gather together senior information security leaders and experts to discuss strategies and tactics to protect from and prevent cyber attacks. CIS Senior Director Ryan Spelman will be a featured panelist at the event, discussing issues regarding governance, risk, and compliance. CIS members can receive discounted admission to the event. Contact the CIS CyberMarket team for details.

July 18th - 20th The International Association of Government Officials (iGO) will hold the 2nd Annual iGO Conference in Reno, Nevada. The event will offer educational sessions for state and local government officials to learn about the latest topics and issues facing government today. MS-ISAC Senior Program Specialist Kateri Gill will lead a breakout session on the MS-ISAC services and elections security.

July 30th - August 2nd The Florida Government Information Systems Association (FLGISA) will be holding its 2018 Annual Conference in Boca Raton, Florida. The conference will bring together local government employees and technology professionals to network and learn about information technology in government. MS-ISAC Director of Stakeholder Engagement Andrew Dolan will be keynoting the event and Senior Program Specialist Kateri Gill will be leading a session on elections security.

July 30th - August 2nd The National Conference of State Legislatures (NCSL) will hold the 2018 NCSL Legislative Summit at the Los Angeles Convention Center. The event will offer the opportunity for state legislative leaders and professionals to network with their peers and learn from innovators about the constantly changing work of state legislatures. MS-ISAC Stakeholder Engagement Program Manager Paul Hoffman will lead a breakout session at the event on responding to new cybersecurity threats.

August

August 13th - 15th The Information Systems Audit & Control Association (ISACA) and the Institute of Internal Auditors (IIA) will be holding their annual Governance, Risk, and Controls (GRC) Conference in Nashville. The event will bring together governance, risk, and control professionals from around the world to discuss challenges and forge solutions in the industry.

August 15th - 18th The Maryland Association of Counties (MACo) will be holding the 2018 MACo Annual Summer Conference in Ocean City, Maryland. The event will bring together local, state, and federal government officials to discuss issues facing the state. CIS Senior Director Ryan Spelman will be a featured panelist during the event's opening Tech Expo, covering cybersecurity for county governments.

August 19th - 22nd GMIS International will hold its 2018 GMIS MEETS Conference in St. Louis, Missouri. Government IT leaders and professionals will gather together at the event to network, discuss opportunities, and learn about industry issues from thought leaders. MS-ISAC Senior Program Specialist Eugene Kipniss will lead a breakout session on MS-ISAC services.

August 24th - 25th The 2nd Annual ANYCon will be taking place in Albany, New York. The event will bring together information security professionals to network and learn about issues facing the community. CIS Senior Director Ryan Spelman will lead a breakout session on workforce development, and the MS-ISAC SOC management team will host a session on their work protecting state and local governments. MS-ISAC members can get $100 off admission. Contact the CIS CyberMarket team for more details.

August 27th - 29th EnergySec will be holding its 14th Annual Security & Compliance Summit in Anaheim, California. This premier security conference for critical infrastructure professionals is one of the longest running events of its kind in the industry. CIS Senior Director Ryan Spelman will be leading a breakout session at the event on compliance management.

August 29th Cyber Security Summit: Chicago will take place at the Hilton Chicago, bringing together senior executives, business leaders, and senior cybersecurity professionals to learn about the latest threats from industry leaders. CIS Senior Director Ryan Spelman will be a featured panelist at the event, discussing incident response and cyber defense. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details.

September

September 5th - 6th The U.S. Department of Homeland Security will be hosting its 2nd Annual FLETC Cybercrime & Technical Investigations Training Conference in Glynco, Georgia. The event will educate law enforcement professionals dealing with cybercrime and technical investigations on new cyber threats. MS-ISAC Director of Cyber Intelligence Stacey Wright will lead two breakout sessions, on MS-ISAC services and cybersecurity while traveling.

September 23rd - 26th The International City/County Management Association (ICMA) will be holding its 104th Annual Conference in Baltimore. The event will bring together city and county management leaders and professionals from around the world to network and share knowledge about managing local communities and their resources in today's environment.

September 25th Cyber Security Summit: New York will take place at the New York Hilton Midtown, bringing together senior executives, business leaders, and senior cybersecurity professionals to learn about the latest cyber threats. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details.



Confidence in the Connected World

Copyright © 2018 Center for Internet Security, All rights reserved.

CIS CyberMarket

Interested in being a contributor? Please contact us: info@cisalliance.org | www.cisecurity.org | 518.880.0699

