How to Protect Your Organization from Ransomware

One thing is certain in 2017: the threat landscape continues to increase at an exponential rate, and so do the business risks. In my opinion, one of the biggest threats—with the greatest level of impact—is ransomware.

Challenges Shared by All

Like all threats, ransomware is gaining momentum in both sophistication and severity of impact. PC Magazine defines ransomware as “Virus software that blackmails users by encrypting their hard drives or locking them out of the computer. It then demands payment to restore it.”

If organizations fall prey to a ransomware attack, they could choose to pay the ransom—however, paying the ransom proves to hackers that ransomware works. What’s more, there’s no guarantee that if you pay the ransom, you’ll get access to your hacked files. The best recovery method is to have recent backups to restore, but many organizations fail here.

The reality is that ransomware is spreading. McAfee reported that between 2014 and 2015, ransomware across sectors nearly tripled in volume—and new variations more than quadrupled. In 2016, total ransomware grew 80%. Simply put, your organization is at risk.

If the threat of ransomware is enough to make you lose sleep, take heart: You can still protect your organization. Ask yourself:

  • How prepared are you for a ransomware attack?
  • Are you doing all that you can to prepare for a ransomware attack? Do you have the right resources and talent on hand?
  • How informed is your executive team, and do you have the right level of commitment and funding in support of your strategic plan?

Identifying these challenges will help better define your tactical and strategic security goals.

Tactical Adjustments: Preventive Defense

Below are tips on how to minimize the risks from known ransomware threats and vulnerabilities.

  • Ensure that all of your important systems are properly backed up and that backups are stored in a safe, offline location.
  • Implement well-defined security policies, standards, controls, and procedures for compliance and accountability.
  • Execute a robust security awareness program to reduce the risk of unsecure behaviors, such as visiting malware-infected websites.
  • Ensure that your training plans develop the in-depth skills required to utilize effectively the security tools and investments being made by your company.
  • Increase network segmentation (sub-netting) and firewall/Intrusion Prevention System (IPS) coverage between segments, so that a compromise of one host is less likely to spread throughout the enterprise.
  • Mature your group policy structure so that privileged accounts have a higher level of control and protection (e.g., multifactor authentication, restricted use, distribution of authority).
  • Streamline patch management to remediate known vulnerabilities quickly.
  • Put in place thoroughly defined incident response, risk assessment, and audit programs that are fully supported by your staff.
  • Include encryption and certificate management, both of which are critical in securing confidential/protected information.
  • Mature your reporting of work being done to support asset, risk, and impact assessments (quantitative and qualitative), as well as Business Continuity and Disaster Recovery (BC/DR) plans.

Strategic Adjustments: Proactive Defense

The cybersecurity industry is maturing to address the challenges of ransomware and other threats. The following are strategic initiatives to consider in your long-term security plans.

  • Grow the sources from which you learn about current threats and how they function, and continue to develop your intelligence networks for information gathering and sharing. (Be sure to use only trusted sites when doing your research.)
  • Subscribe to external Open Source Intelligence (OSINT) feeds specific to malware, which may provide insight into the latest techniques used to bypass security defenses. (Note that Ransomware-specific OSINT sites are limited.)
  • Mature your use of global threat awareness offerings that automatically update your systems to protect against behaviors associated with “zero-day” threats, which exploit an unknown computer security vulnerability.
  • Consider migrating toward cloud-based services for additional advanced security capabilities.
  • Establish performance baselines on network, system, application, and end-point devices. This will greatly improve your monitoring abilities to identify unusual or unsecured behaviors.
  • Start researching Data Loss Protection (DLP) technologies and the skills required to enhance your control of outbound traffic to ensure security compliance.
  • Back up your data. Because restoring the data in a timely manner can often be a challenge (especially if a large volume of data needs to be recovered), leverage virtualization technology to help streamline the recovery process. For example, a Virtual Desktop Infrastructure (VDI) used internally can greatly minimize the time and effort required to restore a compromised system. Be sure to incorporate point-in-time copies of critical data into your BC/DR planning.
  • Leverage Security Information and Event Management (SIEM) solutions to centralize critical system logs and customize dashboards so that they quickly display useful information.
  • Leverage in-depth forensic assessment and research skills on how ransomware variants are constructed, how they behave, and what threat vectors or vulnerabilities they target. This will enable you to define custom rules within your security tools (Firewall, IPS/IDS, DLP, AV, AMP, URL Filtering, etc.) to alert you to unauthorized activity or system changes.
  • Look for ways to lower the risk of ransomware attacks quickly and cost effectively. For example, quarantine all inbound messages with .ZIP or .RTF attachments and manually review until you have an automated means in place that is proven effective in eliminating these threats or lowering the risk to an acceptable level.
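As an added illustration of the last tip (example code written for this page, not NYSTEC's): a small Python gate that holds any inbound message carrying a .ZIP or .RTF attachment for manual review. The sample messages are constructed for the example; the extension list is the post's .ZIP/.RTF.

```python
"""Quarantine gate for inbound mail carrying .ZIP or .RTF attachments.

Added example (not NYSTEC's code): decides whether a message should be held
for manual review. Sample messages below are constructed for this example.
"""
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions held for review, compared case-insensitively on the last suffix.
QUARANTINE_EXTENSIONS = {".zip", ".rtf"}


def attachment_names(msg: EmailMessage) -> list:
    """Filenames of every non-multipart part that declares one. get_filename()
    reads Content-Disposition and falls back to the Content-Type 'name'
    parameter, which older mailers still use."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            names.append(name.strip())
    return names


def should_quarantine(raw_message: str):
    """Return (hold_for_review, offending_filenames) for one RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    offending = [
        name for name in attachment_names(msg)
        # PurePosixPath.suffix takes the LAST suffix, so 'invoice.pdf.zip'
        # is judged by '.zip'; lower() catches 'INVOICE.ZIP'.
        if PurePosixPath(name).suffix.lower() in QUARANTINE_EXTENSIONS
    ]
    return bool(offending), offending


# --- constructed samples (base64 bodies are placeholders, never decoded) ---
SAMPLE_WITH_ZIP = """\
From: vendor@example.invalid
To: ap@example.invalid
Subject: Invoice attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/zip; name="Invoice_2017.ZIP"
Content-Disposition: attachment; filename="Invoice_2017.ZIP"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

SAMPLE_PLAIN = """\
From: colleague@example.invalid
To: me@example.invalid
Subject: lunch?
Content-Type: text/plain

Noon works for me.
"""

# Old-style part: no Content-Disposition, filename only in Content-Type.
SAMPLE_RTF_NAME_ONLY = """\
From: hr@example.invalid
To: me@example.invalid
Subject: policy update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Updated policy attached.
--b2
Content-Type: application/rtf; name="policy.RTF"
Content-Transfer-Encoding: base64

e1xydGYxfQ==
--b2--
"""

if __name__ == "__main__":
    for label, sample in [("zip", SAMPLE_WITH_ZIP), ("plain", SAMPLE_PLAIN),
                          ("rtf", SAMPLE_RTF_NAME_ONLY)]:
        print(label, should_quarantine(sample))
```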

First Steps

The threat of ransomware doesn’t have to keep you up at night. If you understand the risks, identify your organization’s challenges, and develop a plan that defines both tactical and strategic change—one that includes investing in the right technologies and developing the in-depth knowledge and skill on how to leverage those technologies effectively—you will position your organization to be better prepared for the constantly changing threat landscape.

Links in this article are provided because they have information that may be useful. NYSTEC does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author and do not necessarily represent the opinions of NYSTEC.

You’re Doing It Wrong: Passwords in Plaintext

This article is cross-posted on the NYSTEC Info Security Advisor blog.

Customer:  I forgot my password.

Website:  No problem! Here’s your new password via email — fully visible for your convenience!


Oh, the pain. The pain.

EMAILING PASSWORDS = BAD

EMAILING PLAINTEXT PASSWORDS = VERY BAD

There’s so much wrong here.

First, email is not a secure way to send confidential information. Emailing a password makes as much sense as posting an image of your new credit card and CVV number on Facebook. How should you be getting that new password instead? Check out the Open Web Application Security Project (OWASP) guidelines.

Second, getting a password sent to you in plaintext (or cleartext) means your password is being stored in plaintext. Not encoded. Visible to anyone. If that website becomes compromised or your email is exposed, your password could be shared with every hacker in the world.

Bonus badness: If a hacker gains access to your plaintext password, and you use the same password for all of your accounts, have fun trying to recover all of those accounts after the hacker changes your password(s) and email address!

If a website sends you a password in plaintext, it’s okay to cringe. The good news is that it may not be completely terrible. If it’s a one-time password (i.e., a temporary password), that’s sort of passable, especially if it comes with an expiration date. (A far better solution would have been getting a one-time link to click.)

However, if you’re emailed your real password in plaintext, that is completely terrible. Do not store any personal information on that site — credit card numbers, bank accounts, and passwords should be considered off-limits. And never use that password anywhere else.

Passwords are the most valuable bit of information you have. Something that valuable deserves respect. If a website is saving your password in plaintext, then your password — and you — aren’t getting the respect you deserve.
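An added example (not from the original post) of the storage and reset pattern the post is asking for: passwords kept only as salted PBKDF2 hashes, and resets handled with an expiring, single-use token meant for a link, never the password itself. The in-memory store, the iteration count and the 15-minute lifetime are assumptions made for the example.

```python
"""Hashed-at-rest passwords plus one-time, expiring reset tokens.

Added example, not NYSTEC's code. The in-memory dicts stand in for a
database; iteration count and token lifetime are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

PBKDF2_ITERATIONS = 200_000   # assumption: tune to your hardware budget
TOKEN_TTL_SECONDS = 15 * 60   # assumption: reset link valid for 15 minutes


def hash_password(password: str, salt: Optional[bytes] = None):
    """Return (salt, derived_key). A fresh random salt per user means two
    users with the same password get different stored values."""
    salt = salt or secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, stored_key)   # constant-time compare


class AccountStore:
    """Holds only salt+hash and hashed reset tokens: a dump of this store
    yields neither a password nor a usable reset link."""

    def __init__(self):
        self.users = {}          # username -> {"salt": bytes, "key": bytes}
        self.reset_tokens = {}   # sha256(token) -> (username, expires_at)

    def register(self, username: str, password: str) -> None:
        salt, key = hash_password(password)
        self.users[username] = {"salt": salt, "key": key}

    def login(self, username: str, password: str) -> bool:
        rec = self.users.get(username)
        return bool(rec) and verify_password(password, rec["salt"], rec["key"])

    def issue_reset_token(self, username: str, now: Optional[float] = None) -> str:
        """Return the one-time token to embed in the emailed link. Only its
        hash is stored, so the store cannot be used to forge a link."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        current = now if now is not None else time.time()
        self.reset_tokens[digest] = (username, current + TOKEN_TTL_SECONDS)
        return token

    def redeem_reset_token(self, token: str, new_password: str,
                           now: Optional[float] = None) -> bool:
        """Consume the token: unknown, expired or already-used tokens fail."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(digest, None)   # pop => single use
        if entry is None:
            return False
        username, expires = entry
        current = now if now is not None else time.time()
        if current > expires:
            return False
        self.register(username, new_password)   # re-hash with a new salt
        return True
```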

The links in this content are provided because they have information that may be useful. NYSTEC does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed therein. The opinions and statements contained in such resources are those of the author and do not necessarily represent the opinions of NYSTEC.

Network Forensics 101

To read the original post “Network Forensics 101,” click here.

A cybercriminal has just wiped all traces of an attack from your server. Now you’ll never know the source of the attack or the extent of the damage, right?

Not if you have a network forensic investigator on the trail.

The ability to interpret the data in log and capture files and recognize malicious activity in the data is a special skill that requires in-depth knowledge of network and application protocols. This article provides a short introduction to network-based forensic investigations of suspected criminal activity related to information technology systems.

A Thorough Understanding

Criminals attack computer systems for a number of reasons, but primarily for economic gain. Among the most common targets are banking and other personal information stored on PCs and servers that will assist in completing fraudulent financial transactions.

Network forensics—defined as the investigation of network traffic patterns and data captured in transit between computing devices—can provide insight into the source and extent of an attack. It also can supplement investigations focused on information left behind on computer hard drives following an attack.

Identifying attack patterns requires a thorough understanding of common application and network protocols. For example:

  • Web protocols, such as HTTP and HTTPS
  • File transfer protocols, such as Server Message Block (SMB) and Network File System (NFS)
  • Email protocols, such as Simple Mail Transfer Protocol (SMTP)
  • Network protocols, such as Ethernet, WiFi, and Transmission Control Protocol/Internet Protocol (TCP/IP)

The investigator must understand the normal form and behavior of these protocols to discern the anomalies associated with an attack.

Know the Sources

Network forensic investigators examine two primary sources: full-packet data capture, and log files from devices such as routers, proxy servers, and web servers—these files identify traffic patterns by capturing and storing source and destination IP addresses, TCP port, Domain Name Service (DNS) site names, and other information.

Full-Packet Capture. The advantage of full-packet capture is that the content, and therefore the meaning and value, of data being transferred can be determined. Packet capture is not usually implemented on networks full-time because of the large amount of storage required for even an hour’s worth of data on a typical business network. In addition, there may be privacy concerns (although most businesses today require all employees to sign an acknowledgement that they do not have a right to privacy while on business-owned systems and networks).

Data capture is typically implemented when suspicious activity has been detected and may still be ongoing. The packet-capture-network tap point must be chosen carefully so that it can capture traffic flowing among all affected devices, or multiple taps must be implemented.

Log Files. Most modern network devices, such as routers, are able to store NetFlow (or equivalent) data into log files on a full-time basis without affecting performance. Web servers, proxy servers, firewalls, Intrusion Detection Systems (IDS), DNS, Dynamic Host Configuration Protocol (DHCP), and Active Directory server log files also contain much useful information about activity on the network. These log files can be analyzed to identify suspicious source and destination pairs (e.g., your server is communicating with a server in Eastern Europe or China) and suspicious application activity (e.g., a browser communicating on a port other than port 80, 443, or 8080).

One advantage of using log files is the much smaller file size compared to full-packet capture. Another advantage is that the collection points are already in place in key locations, and it is not difficult to collect and store the output from multiple devices into one master log for analysis. There are many free as well as commercial tools for log aggregation.
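An added example, not NYSTEC's code, of the log-file analysis just described: it reads a constructed proxy-log format, flags browser traffic on ports other than 80, 443 or 8080, and flags destinations that geolocate outside an expected country set, using a constructed prefix-to-country table (documentation address ranges) in place of a real GeoIP feed.

```python
"""Log-file triage: browser traffic on non-web ports, and destinations that
geolocate somewhere you do not expect to be talking to.

Added example, not NYSTEC's code. The proxy log format, the prefix-to-country
table and the log lines are constructed for this example.
"""
import ipaddress
from collections import namedtuple
from urllib.parse import urlsplit

WEB_PORTS = {80, 443, 8080}
EXPECTED_COUNTRIES = {"US"}          # assumption: where this business normally talks

# Constructed stand-in for a GeoIP database (documentation ranges only).
# RO stands in for "Eastern Europe", CN for China, per the post's example.
GEO_PREFIXES = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "CN",
    ipaddress.ip_network("192.0.2.0/24"): "RO",
}

Record = namedtuple("Record", "ts client_ip dst_ip method host port")


def country_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_PREFIXES.items():
        if addr in net:
            return cc
    return "??"                      # unknown: worth a look as well


def parse_line(line: str) -> Record:
    """Constructed format: ts client_ip dst_ip method url status bytes."""
    ts, client_ip, dst_ip, method, url, _status, _nbytes = line.split()
    if method == "CONNECT":
        # CONNECT logs 'host:port', not a URL; urlsplit would misread the
        # host as a scheme, so split it by hand.
        host, port = url.rsplit(":", 1)
        return Record(ts, client_ip, dst_ip, method, host, int(port))
    u = urlsplit(url)
    port = u.port or {"http": 80, "https": 443}[u.scheme]
    return Record(ts, client_ip, dst_ip, method, u.hostname, port)


def triage(log_text: str) -> dict:
    """Group hits per (client, destination, port) with the reasons raised."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = []
        if rec.port not in WEB_PORTS:
            reasons.append(f"browser traffic on port {rec.port}")
        cc = country_of(rec.dst_ip)
        if cc not in EXPECTED_COUNTRIES:
            reasons.append(f"destination geolocates to {cc}")
        if reasons:
            key = (rec.client_ip, rec.dst_ip, rec.port)
            entry = findings.setdefault(key, {"hits": 0, "reasons": set()})
            entry["hits"] += 1
            entry["reasons"].update(reasons)
    return findings


# Constructed log lines: two clean browsing records, a host beaconing to a
# Chinese address on 8443, a check-in to a Romanian address, and a CONNECT.
SAMPLE_LOG = """\
2017-03-01T09:00:01Z 10.0.0.15 198.51.100.20 GET http://www.example.com/index.html 200 5120
2017-03-01T09:00:05Z 10.0.0.15 198.51.100.20 GET https://www.example.com/login 200 2048
2017-03-01T09:01:10Z 10.0.0.22 203.0.113.44 POST http://203.0.113.44:8443/gate.php 200 312
2017-03-01T09:01:12Z 10.0.0.22 203.0.113.44 POST http://203.0.113.44:8443/gate.php 200 298
2017-03-01T09:02:00Z 10.0.0.31 192.0.2.9 GET http://update.example.net:8080/check 200 64
2017-03-01T09:02:30Z 10.0.0.31 198.51.100.77 CONNECT mail.example.org:443 200 10240
"""

if __name__ == "__main__":
    for (client, dst, port), entry in sorted(triage(SAMPLE_LOG).items()):
        print(f"{client} -> {dst}:{port}  x{entry['hits']}  {sorted(entry['reasons'])}")
```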

Know the Tools

There are many free software tools available for network forensics. While a few have a graphical user interface (GUI), most free tools have only a command-line interface, and many run only on Linux.

Especially in the case of full-packet captures, data must be reduced through filtering before detailed analysis is performed.

What You Can Do

There are steps organizations can take before an attack to help network-based forensic investigations be successful. Here are three things you can do:

  1. Put a process in place. For network forensic investigators to do their work, there need to be log and capture files for them to examine. Organizations should implement event-logging policies and procedures to capture, aggregate, and store log files.
  2. Make a plan. Incident management planning will help to respond to and mitigate the effects of an attack.
  3. Acquire the talent. The ability to interpret the data in log and capture files and recognize malicious activity in the data is a special skill that requires in-depth knowledge of network and application protocols. Whether the talent is in-house or external, it’s vital that organizations have access to computer and network forensics investigators who are experienced and accessible.

Cyber Security Shopping Tips

To read the original post, click here.

Being a safe and secure shopper starts with taking security precautions and thinking about the consequences of your actions online. Remember the following tips:

  • Use websites with trusted names and strong reputations. Well-established retailers usually have more robust online security.
  • Use credit cards instead of debit cards. A compromised debit card will enable access to your money, but a compromised credit card will only expose the bank’s money, and the consumer is typically not responsible for purchases they did not make. Just be sure to regularly check your statement and notify your credit card company of any suspicious charges. Whenever possible, use a payment service like PayPal.
  • Look for the “https” URL and the padlock symbol. The “s” in “https” stands for security; it signals that the site uses encryption.
  • Avoid using public WiFi for online shopping. Public WiFi is easily compromised. In public, you are better off using your cell phone network with WiFi disabled.
  • When in doubt, throw it out. Don’t click on links in emails, texts, or social media posts. Links are the most popular means for cybercriminals to install malware on devices.
  • Make your password a sentence. These days, your password should be more than 15 characters long. Using a remembered sentence mixed with letters, numbers, and symbols is a good way to create a password that’s difficult to crack. Avoid using birthdays or anniversary dates.

Example: #y0uCantH@ckM3!

  • Use different passwords for different accounts. Don’t use the same password twice. If you reuse the same password, hackers need to steal it only once to access all your accounts.
  • Multi-Factor Authentication. Use strong authentication tools. Google and Apple allow two-step verification by sending a one-time PIN to your cell phone coupled with a password while logging in.
  • If possible, use a separate computer for online shopping and banking. Most viruses and malware are transmitted through casual web browsing. If possible, use one computer or device for web surfing, email, and social networking, and a different computer for online banking and shopping.

Info Security: You’re Doing It Wrong

To read the original post, click here.

This month’s episode: Too Many Toolbars

CUSTOMER: The Internet is too slow.

HELP DESK: Can I see how you have your browser set up?

[Image: “Too Many Toolbars”]

If your toolbars are taking up most of your browser screen, you’ve got too many toolbars. Really.

Image Source: “Too Many Toolbars” by Abraham Williams. Copyright 2010.  Creative Commons License.


Too Many Toolbars = BAD

Sure, it’s convenient having lots of things in your browser toolbar, and you may like the personalization.  But you’re going to hate how slow all those toolbars make your Internet connection.  And we hate how many of these add-ons can (and do) steal your private data.

(Want to remove those extra toolbars?  Ask your info security team for help.)

So stop with all the toolbars already.  Your system—and your info security team—will thank you.

Disclaimer: The link to this content is provided because it has information that may be useful. NYSTEC does not warrant the accuracy of any information contained in the link and neither endorses nor intends to promote the advertising of the resources listed therein. The opinions and statements contained in such resources are those of the author and do not necessarily represent the opinions of NYSTEC.

A Business Continuity and Disaster Recovery Checklist

To read the original post, click here.

As business processes and their supporting Information Technology (IT) systems become more important to public and private entities, the requirements for an effective Business Continuity/Disaster Recovery (BC/DR) program are becoming more critical. There are many factors to consider when developing an effective BC/DR program. The checklist below can help you get started.

First, high-level definitions:

Business Continuity and Disaster Recovery Program: The overall package; includes everything from the governing policy to periodic testing

Business Continuity Plan: A formalized set of steps that define how an organization’s business processes will be sustained during and after a significant incident

IT Disaster Recovery Plan: A written plan with detailed steps for recovering critical business applications in the event of a major hardware or software failure or the unavailability of facilities

Cold Site: An alternate site that has the necessary electrical and physical components of a computer and/or business facility but does not have the computer equipment or other business requirements in place; to facilitate a cold site, contracts with third-party suppliers would need to be in place for rapid delivery (typical recovery timeline: three to five days)

Warm Site: An alternate site that has the necessary electrical and physical components of a computer facility and is partially equipped with IT and telecommunications equipment to support relocated IT and business operations in the event of a significant incident (typical recovery timeline: two to three days)

Hot Site: An alternate site that is fully operational and equipped with hardware, software, replicated data, and/or business equipment to be used in the event of a disaster (typical recovery timeline: within hours)

So why should you implement a BC/DR program? Three key reasons:

  • A major incident or system outage could have a massive impact on the business if there’s no BC/DR program in place.
  • When a disaster occurs, a BC/DR program with a formal process helps you avoid business failure.
  • Effective backup and recovery strategies will mitigate the impact of disruptive events.

Plus there are numerous business outcomes from an effective BC/DR program. You can:

  • Build a partnership between business units and IT to develop a set of plans and procedures that will maximize the potential of an effective and timely resumption of disrupted critical business processes.
  • Coordinate BC planning and IT recovery planning programs on an ongoing basis.
  • Minimize potential disruptions.
  • Mitigate financial and operational impacts to the business if a major incident occurs at an occupied facility.
  • Effectively utilize all available resources for recovery—including facilities, personnel, communications, equipment, and supplies.

The BC/DR Checklist

For a BC/DR program to be effective, it should include the following:

  • Business Impact Analysis (BIA) and IT Risk Assessment (R/A). The BIAs and R/As are required to identify and prioritize critical business processes, supporting IT systems, and other components. The BIA and R/A are crucial steps to ensure that efforts are being spent on truly critical business areas.
  • Continuity and Recovery Policy Statement and Standards. A formal policy provides the governance, guidance, and requirements necessary to manage an effective BC/DR program. Formal recovery standards define the minimum required for items such as tape backup, hard copy backup, crisis management, application development, and training.
  • Preventive Measures. Actions taken in advance to reduce the effects of incidents can also increase system availability and reduce BC/DR lifecycle costs.
  • Business Continuity Plan. The business continuity plan describes the steps the business will follow to recover quickly and effectively following an incident.
  • IT Disaster Recovery Plan. The IT disaster recovery plan contains detailed steps and procedures for recovering damaged or unavailable IT systems.
  • Application Recovery Procedures. The application recovery procedures should be detailed enough that any experienced IT person can recover the business applications. This reduces the need for the on-site support of application programmers, database managers, etc., for recovery. It also allows for the use of third-party providers to recover for you, with minimal knowledge of your systems.
  • Plan Maintenance. All plans should be thought of as “living documents” and, as such, should be updated and recertified regularly to remain current with facility and system enhancements.
  • Plan Testing and Training Exercises. Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall preparedness.

If you take the time and effort to implement a BC/DR program, you will be better situated to either head off or respond to major incidents that impact your ability to sustain your business.

The Internet of Everything: What Are the Risks?

To read the original post, click here.

I recently attended a training class where, during the break, one of the instructors told me how excited he was about the new refrigerator he’d just bought, which was going to be part of the Internet of Everything (IoE). From his smart phone, he said, he would be able to inventory the items in his refrigerator and know when he ran low on key items such as milk, eggs, and, of course, beer.

I said he might want to rethink putting beer in the new refrigerator, because he might not be the only one with deep insight into his dietary purchases. His health insurance company could have access and observe his sugar, fat, and sodium intake by monitoring his purchases—and even potentially raise his health insurance rates based on that data.

The instructor replied, “I never thought about that. I’ll have to keep my old refrigerator for my beer and junk food.”

What is the IoE? Is it something great, or should we be worried? The answer is likely a little of both.

The IoE essentially is the growing trend of connecting everyday objects to the Internet. These devices include everything from mobile phones, wearable devices, thermostats, and home entertainment systems, to coffee machines, refrigerators, and automobiles.

While there are many benefits to having items connected to the Internet, such as being able to inventory your refrigerator before you leave work or turn on the oven before you get home, there are privacy and security concerns that consumers must consider. It is important to understand that when items in your house are connected to the Internet, they are potentially accessible to the entire world of Internet-connected users—and the data they collect on you becomes valuable.

Read that privacy agreement on your new refrigerator carefully!

Cameras and Microphones

Think about all of the products in your house that may have a camera and/or microphone: TVs, videogame consoles, toys, and, of course, computers and smart phones. It is important to be aware that your private, in-home conversations may not be so private. Unfortunately, sophisticated attackers next door, or on the other side of the world, may be able to hack into your home network. If that happens, they could access your connected devices and compromise your data.

How can you protect yourself? If you do not have cyber forensic tools at your disposal, or don’t know how to use them, there are still some simple, cost-effective techniques to protect your privacy:

  • Secure your home router and wireless network. Don’t just look for the quickest and easiest way to get a home router working; instead, take the time to enable security such as strong passwords, firewall rules, and the use of encryption.
  • Unplug or turn off the device, or disable the microphone when you are having private conversations.
  • Cover or turn the camera away when you do not want to be seen.

Home Appliances

Others on the Internet may be able to access personal devices that are connected to your home network, or any wireless network in range. Hopefully, new IoT devices will be manufactured with basic security controls in place to restrict access. However, we can’t assume there will be built-in security. That’s because IoT devices, including home appliances, will have the same—if not more—bandwidth and energy constraints that all devices and applications face, which limits the amount of security that can be built in. Software is inherently insecure (new malware variants are being created at the alarming rate of nearly 1 million per day), so it’s well within reason to expect that home appliances connected to the Internet will be at least as vulnerable to cyberattacks as computers already are today.

It will also be more difficult to patch these devices, as they often run embedded firmware that is not easy to update or maintain.

Automobiles

Cars connected to the Internet may seem like a terrific way to help you be safe—your car could detect the sudden appearance of, say, a child’s ball rolling into your path and apply the brakes before you see the child running into the street. But as this article reveals, it’s possible for the manual controls in a car to be overridden by someone miles away from the driver. Among other things that could be done remotely: turn on the radio and air conditioning, even control the steering.

Along with this sobering news, remember that as auto manufacturers test driverless car features, hackers may see new opportunities for stealing and controlling cars from a remote location.

Medical Devices

There are countless lives saved every day by Internet-connected technologies that enable early detection of heart conditions and other maladies. That being said, proper security needs to be designed into these medical devices, which may be vulnerable to malware and other cyberattacks.

_________

In every decision, there is a cost-benefit analysis to be made. When it comes to the IoE, it is important for consumers to fully understand the risks before they make a purchase. The well-funded marketing teams of large corporations producing Internet-connected devices will understandably emphasize the benefits of the devices they sell. It’s up to consumers to look into the risks—and know how to manage them.

It may be worthwhile to stay off the bleeding edge of technology and wait until IoE devices are thoroughly tested.

Caveat emptor!

How to Spot Poisoned Links

To read the original post, click here.

You’re looking for information on a particular topic, so you do a web search using your favorite browser.  The results page displays the first batch of links, and the first one looks especially promising — from the title and link description, it seems a perfect match.  But how safe is that link you’re about to click?

Whether you are using Google, Bing, Yahoo, or another search engine, chances are you trust the results page.  Cybercriminals are counting on that.  They use automation tools to build fake webpages stuffed with popular search terms (or keywords), tricking search engines into placing those fake sites higher on their results pages.  The higher the rank (i.e., the closer to the beginning of the search results), the more likely it is that you’ll click one of those “poisoned” links—and when you do, you’ll open a page that’s loaded with malicious software intended to damage your computer or steal your information.

Getting Clicks at Your Expense

Search engine poisoning isn’t new.  “Spamdexing” — a combination of spamming and indexing — became a big issue in the late 1990s as the Internet rose to prominence and people looked to monetize websites by driving traffic to their pages from search engines.  Spamdexing is a form of unethical search engine optimization (SEO), a “black hat” technique that deliberately modifies HTML (the standard markup language to create web pages) to include irrelevant or even erroneous information — so spamdexers get clicks at the expense of search engine users.  Spamdexing had all but compromised search engines.

And then Google developed a page ranking system that discounted spam sites.  Ever since, Google has been updating the algorithms that sniff out and remove black hat sites, and other search engines have followed suit.

Attackers, in return, are constantly updating their methods.  Aggressive marketers are working to improve their ranking in search engine results pages artificially.  Spammers are looking to make a quick commission based on the number of links clicked, and cybercriminals are hunting easy prey.

A particularly effective form of search poisoning fools Google’s algorithms and presents a completely different search result to unsuspecting users.  This technique, called “cloaking,” tells Google’s search engine one thing but shows something completely different to the user.  You think you’re clicking a legitimate link displayed on the results page but are instead tricked into downloading malicious content — compromising your system and effectively handing over your personal information to the attacker.

[Illustration: updated OHIP MARS poisoned search results]

This illustration shows the results of a Google search for a program under the Office of Health Insurance Programs (OHIP).  The red arrow points to the first search result, which is labeled as a petition for OHIP, but the URL points to a treatment for macular degeneration.

Poison Control

You can protect yourself from search poisoning and keep both your computer and your personal information safe from attackers.  Along with making sure that your browser and antivirus software are up to date, you should follow these key steps:

  1. Stop and look. When you perform a search through your preferred browser, don’t just click on the first link result.  Take a few moments to examine the URLs and the displayed links to make sure they are legitimate.
  2. Hover.  When you hover your cursor over the link — without clicking — you will see the full hyperlinked web address.  Check it carefully.  If anything looks wrong — misspelled, jumbled, nonsensical — don’t click.
  3. Check the format. It’s not only fake webpages that can be cloaked — fake PDF links can trick the algorithms and take you to a promoted website or to a page riddled with malware.  If you didn’t specifically request a PDF document in your search, don’t click a PDF link.

Remember, all an attacker can do is lead you to poisoned links.  No one can make you click.
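The "stop and look" and "hover" steps above amount to comparing what a results page displays with where the link actually goes. The following Python is an added example (not code from the original post) that models a search-result entry as displayed text plus the real href and returns the reasons a careful user would hesitate: the target's domain differs from the displayed one, the hostname uses punycode (which can hide look-alike characters), or the link is a PDF that was never searched for. The sample entries and hostnames are constructed placeholders, and the "last two labels" domain comparison is a simplification of what a real tool would do with the Public Suffix List.

```python
"""Defender-side checks for the 'stop, look, hover' advice above.

A search result is modelled as the text the user sees plus the address
the click would really follow.  Sample entries below are constructed
for this example; the hostnames are placeholders, not real sites.
"""
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse


@dataclass
class SearchResult:
    title: str          # heading shown on the results page
    displayed_url: str  # URL text shown under the heading
    href: str           # address the link actually points to


def _host(url: str) -> str:
    # urlparse needs a scheme or '//' prefix to recognise a hostname
    parsed = urlparse(url if "//" in url else "//" + url)
    return (parsed.hostname or "").lower()


def _registrable(host: str) -> str:
    # Crude "last two labels" heuristic (example.com).  A real tool would
    # consult the Public Suffix List so that e.g. co.uk is handled.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def inspect(result: SearchResult, expect_pdf: bool = False) -> List[str]:
    """Return reasons to be suspicious of a result; empty means nothing flagged."""
    reasons: List[str] = []
    shown, real = _host(result.displayed_url), _host(result.href)
    target = urlparse(result.href)

    # Step 2 ("hover"): the displayed address and the real one disagree
    if shown and real and _registrable(shown) != _registrable(real):
        reasons.append(f"displayed host {shown!r} differs from link target {real!r}")

    # Punycode labels can render as look-alike characters in the address bar
    if any(label.startswith("xn--") for label in real.split(".")):
        reasons.append("punycode hostname; check for look-alike characters")

    # Step 3 ("check the format"): an unrequested PDF link
    if target.path.lower().endswith(".pdf") and not expect_pdf:
        reasons.append("link is a PDF you did not search for")

    # Anything other than a web URL is not what a search result should be
    if target.scheme not in ("https", "http"):
        reasons.append(f"unusual scheme {target.scheme!r}")
    return reasons


# Constructed sample results: a genuine entry, a cloaked entry whose real
# target is a different site (as in the OHIP illustration), and a PDF.
SAMPLE_RESULTS = [
    SearchResult("OHIP program petition", "health.example.gov/ohip",
                 "https://health.example.gov/ohip/petition"),
    SearchResult("OHIP program petition", "health.example.gov/ohip",
                 "https://eye-treatment.example.net/md.php"),
    SearchResult("OHIP forms", "health.example.gov/forms",
                 "https://health.example.gov/forms/guide.pdf"),
]


def triage(results: List[SearchResult], expect_pdf: bool = False) -> dict:
    """Map each result's href to its list of warnings."""
    return {r.href: inspect(r, expect_pdf) for r in results}


if __name__ == "__main__":
    for href, warnings in triage(SAMPLE_RESULTS).items():
        print(href, "->", warnings or "looks consistent")
```

The same checks can be applied to any link a user is about to follow, not only search results; the point is that the displayed text is never trusted on its own.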

Stop Using SSL 3.0!



Did you know that an obsolete security protocol developed way back in 1996 is still in use today, and that it can make your data vulnerable to a cyberattack?

In this Q&A article, you’ll learn why the original cryptographic protocol used in Netscape back in 1996 still matters today, how a design flaw can put your current data at risk, and what you can do to help keep your information secure.

What is SSL?

Security protocols are used every day on the Internet to make sure your data is secure (confidential, unmodified, and trustworthy). Secure Sockets Layer (SSL) is the first secure protocol used in the original web browser: Netscape. The purpose of SSL is to provide a mechanism by which a user can access a webpage and be sure that the communication is both trusted and confidential. Version 3.0 was created in 1996.

However, there were some problems with SSL. It evolved into a new protocol, called Transport Layer Security (TLS), in 1999. TLS provides a way for web servers to support older web browsers by changing (or downgrading) the security protocol from the new TLS to the older SSL protocol. Since SSL evolved into TLS, we often use one term to describe the other. The evolution of the SSL/TLS protocol looks like this:

SSL 2.0 → SSL 3.0 → TLS 1.0 → TLS 1.1 → TLS 1.2

Why is SSL 3.0 bad?

On October 14, 2014, two Google researchers discovered a new way to defeat the protection provided by SSL (https://www.openssl.org/~bodo/ssl-poodle.pdf). They called this vulnerability POODLE.

Can I patch this vulnerability?

No, there is no patch. The protocol has a design flaw, and the only fix is to stop using SSL 3.0 on browsers and web servers.

There is an optional protocol extension called TLS_FALLBACK_SCSV, but both the client and server must use it. Additionally, not all browsers support this extension; therefore, even if you configure your server to use it, there is no guarantee that the browser will support it. You cannot depend on this extension.

How bad is this problem?

The attack requires the attacker to both intercept your traffic and inject new traffic. This requires either malware on your computer or an untrusted network connection (such as a public WiFi connection). Although difficult, skilled hackers can do this, and for around $100, an unskilled hacker can buy a commercial device that makes this attack easier to perform.

When an attack is successful, your “secure” communication is no longer secure. It can be intercepted and modified. If you were to connect to your bank, your account information, passwords, etc., could all be seen and modified.

But my browser normally supports TLS.  Won’t this protect me?

No.  Normally the TLS protocol will check to see if both parties can agree to use TLS instead of SSL, but an attacker can intercept and modify the communication (this type of attack is called Man in the Middle, or MITM) and claim that SSL must be used. Once the two computers “agree” to downgrade (i.e., choose to use a weaker, older protocol) to SSL3, the POODLE attack can be used to intercept and modify all secure communications.

As long as both the server and your browser support SSL, you cannot assume that your connection is secure.
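The two answers above (why TLS_FALLBACK_SCSV only helps when both sides support it, and how a man-in-the-middle forces the downgrade) can be made concrete with a small model of the negotiation. The Python below is an added example, not code from the original post: no real handshake takes place. It models a browser that retries with a lower version whenever a handshake "fails", an attacker who breaks every handshake offering more than SSL 3.0, and a server that either understands the fallback signal (and sends an `inappropriate_fallback` refusal, as RFC 7507 specifies) or does not. Version numbers follow the protocol's own encoding (0x300 for SSL 3.0 through 0x303 for TLS 1.2).

```python
"""Toy model of SSL/TLS version negotiation, the browser 'downgrade dance',
and the TLS_FALLBACK_SCSV mitigation.  Added example; nothing here talks
to the network, it only models who offers what and what a server accepts."""
from typing import List, Optional

SSL3, TLS10, TLS11, TLS12 = 0x300, 0x301, 0x302, 0x303
NAMES = {SSL3: "SSL 3.0", TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2"}


class InappropriateFallback(Exception):
    """The server's 'inappropriate_fallback' alert from RFC 7507."""


def server_select(server_versions: List[int], client_max: int,
                  fallback_scsv: bool, server_supports_scsv: bool) -> Optional[int]:
    """Server picks the highest version both sides support.

    If the client signalled a fallback retry (SCSV) and the server could
    have done better than client_max, a server that understands the SCSV
    refuses: something downstream is forcing a downgrade.  A server that
    does not understand the SCSV simply ignores it."""
    best = max(server_versions)
    if fallback_scsv and server_supports_scsv and best > client_max:
        raise InappropriateFallback(
            f"client fell back to {NAMES[client_max]} but server supports {NAMES[best]}")
    common = [v for v in server_versions if v <= client_max]
    return max(common) if common else None


def negotiate(server_versions: List[int], client_max: int,
              attacker_ceiling: Optional[int] = None,
              client_scsv: bool = False, server_scsv: bool = False) -> Optional[int]:
    """Return the version actually negotiated, or None if the connection fails.

    attacker_ceiling models a man-in-the-middle who kills every handshake
    that offers a version above it, so a retrying browser walks downward.
    A browser that implements the SCSV sets it on every retry."""
    offered = client_max
    first_attempt = True
    while offered >= SSL3:
        if attacker_ceiling is not None and offered > attacker_ceiling:
            offered -= 1            # handshake "failed": retry one version lower
            first_attempt = False
            continue
        scsv = client_scsv and not first_attempt
        try:
            return server_select(server_versions, offered, scsv, server_scsv)
        except InappropriateFallback:
            return None             # fail closed instead of talking SSL 3.0
    return None


def describe(version: Optional[int]) -> str:
    return NAMES[version] if version is not None else "connection failed"


if __name__ == "__main__":
    everything = [SSL3, TLS10, TLS11, TLS12]
    modern = [TLS10, TLS11, TLS12]      # server with SSL 3.0 disabled
    print("no attacker:            ", describe(negotiate(everything, TLS12)))
    print("MITM, no SCSV:          ", describe(negotiate(everything, TLS12, SSL3)))
    print("MITM, SCSV client only: ", describe(negotiate(everything, TLS12, SSL3, True, False)))
    print("MITM, SCSV both sides:  ", describe(negotiate(everything, TLS12, SSL3, True, True)))
    print("MITM, SSL3 disabled:    ", describe(negotiate(modern, TLS12, SSL3)))
```

The last two scenarios are the ones that matter: with the SCSV on both sides the attack ends in a refused connection rather than an SSL 3.0 session, and with SSL 3.0 removed from the server there is nothing to downgrade to at all, which is why disabling it is the dependable fix.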

What should I do?

To protect yourself, you should configure your browser to stop using SSL.

If you have a server, you can protect your clients by disabling SSL. For instructions on how to do that, this link (http://disablessl3.com/) provides a nice guide.
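For a server written in Python, disabling SSL 3.0 (and, given the TLS 1.0 caveat later in this article, everything below TLS 1.2) is a matter of setting the floor on the `SSLContext`. The code below is an added example, not code from the original post or the linked guide; the certificate and key paths are placeholders, and `probe_version` needs network access to a host you operate. `accepted_versions` lets you confirm what a context will admit before it ever serves a client.

```python
"""Server-side hardening: an SSLContext that refuses SSL 3.0, TLS 1.0 and
TLS 1.1, a helper that reports what a context admits, and a client-side
probe for auditing a server you run.  Added example; cert/key paths are
placeholders."""
import socket
import ssl
from typing import List, Optional

ALL_VERSIONS = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


def hardened_server_context(certfile: str = "server.pem", keyfile: str = "server.key",
                            load_cert: bool = False) -> ssl.SSLContext:
    """Server context whose lowest negotiable version is TLS 1.2.

    minimum_version is the supported way to do this on Python 3.7+; it
    replaces the older OP_NO_SSLv3 / OP_NO_TLSv1 option bits."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if load_cert:  # placeholder paths; skipped so the example runs without files
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def accepts(ctx: ssl.SSLContext, version: ssl.TLSVersion) -> bool:
    """True if the context's min/max bounds would allow negotiating `version`.
    The MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED sentinels mean 'unbounded'."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    above_min = lo == ssl.TLSVersion.MINIMUM_SUPPORTED or version >= lo
    below_max = hi == ssl.TLSVersion.MAXIMUM_SUPPORTED or version <= hi
    return above_min and below_max


def accepted_versions(ctx: ssl.SSLContext) -> List[str]:
    """Names of the protocol versions the context's bounds admit."""
    return [v.name for v in ALL_VERSIONS if accepts(ctx, v)]


def probe_version(host: str, port: int, version: ssl.TLSVersion,
                  timeout: float = 5.0) -> Optional[bool]:
    """Try to handshake with exactly `version` against a server you operate.

    Returns True if the server accepted it, False if the handshake failed,
    and None if this client's OpenSSL cannot even offer that version (the
    usual outcome for SSLv3 on current builds).  Certificate checks are
    off because the question is the protocol version, not the identity."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    print("hardened context admits:", accepted_versions(hardened_server_context()))
```

The same floor is expressed in web-server configuration as `ssl_protocols TLSv1.2 TLSv1.3;` for nginx or `SSLProtocol -all +TLSv1.2 +TLSv1.3` for Apache httpd; whichever server you run, probe it afterwards rather than trusting the configuration file alone.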

What will break if I have a web server and I disable SSL?

You should not notice any problems. Nearly all browsers support TLS.

The only people who will be affected are those who use Internet Explorer (IE) version 6, or Opera version 4.0. These are the only browsers that do not support TLS. According to this page, the percentage of people who use IE6 is less than 0.3% (http://www.w3schools.com/browsers/browsers_explorer.asp).

The only users who must use IE6 are those running Windows XP, which received its last service pack in 2008. It is no longer maintained, unless you purchased an extended support contract for obsolete software from Microsoft. In other words, it is highly unlikely (0.3%) that your customers will notice any problem if you disable SSL 3.0 on your servers.

Does this affect only web servers and web browsers?

Sadly, no. Many companies allow clients to connect to their systems using a VPN (Virtual Private Network). This VPN creates a secure connection over the Internet from the client’s machine to the customer’s network. Some of these VPN servers use SSL/TLS. And that means the “secure” VPN connection is vulnerable to security attacks.

I’m still not sure I should disable SSL3.

If you do nothing at all, SSL3 will stop working. That’s because vendors are removing support for SSL3 from their products. Some examples include:

So TLS 1.0 is okay?

Well, that’s another problem. In December 2014, it was discovered that TLS 1.0 was also vulnerable to the POODLE attack (https://www.imperialviolet.org/2014/12/08/poodleagain.html). This was an implementation error that browsers could be patched to address, but TLS 1.0 is still vulnerable to attacks from skilled hackers.

Ideally, the latest and greatest version of TLS should be used, but this cannot be done until every one of your clients’ browsers has been upgraded to support TLS 1.1 and 1.2.

As of February 2013, contemporary browsers (Chrome v20+, IE v8+, Opera v10+, and Safari v5+) support TLS 1.1 and TLS 1.2. However, Windows 7 and 8 users who use IE version 10 or lower do not have TLS 1.1 and TLS 1.2 by default. Therefore, we do not recommend at this time that TLS 1.0 be disabled on a server, unless you know that your users’ browsers will not be affected.

——

In short, a surprising number of web servers still use SSL 3.0. Stop using SSL 3.0! It’s not secure, and it’s not needed.

Links in this article are provided because they have information that may be useful. NYSTEC does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author and do not necessarily represent the opinions of NYSTEC.

Planning for a System Security Plan



Many organizations today are involved with collecting and processing Personal Identifying Information (PII) or Personal Health Information (PHI). Because it’s crucial that such data is protected and handled properly, regulating agencies are requiring System Security Plans (SSPs) to be completed.

For example, the SSP template provided by the Centers for Medicare & Medicaid Services (CMS) is described as “the current level of existing security controls within the System that protect the confidentiality, integrity and availability (CIA) of the system and its information.” The resulting SSP contains many other documents that address policy and procedure, and also provide evidence of implementation for more than a dozen groups, or “families,” of related security controls.

It would be one thing if responding to SSP requests was a “one and done” process. However, an SSP requires periodic review and adjustment to changes in hardware, applications, staffing and other factors, as well as fresh evidence of implementation. In addition, if your organization is involved in healthcare, insurance, or analytics, it’s highly likely that you will be required to respond more than once to requests from multiple agencies.

In other words, your SSP is an ongoing process — one with many pieces, including dozens of documents, data files, and screen shots. And this process can be a burden.

But it doesn’t have to be — not if you plan for your System Security Plan. Once you assemble an SSP team, deciding to do some extra work up front will make it easier on the team in the long run.

Here are four steps you should take when planning for your System Security Plan.

  1. Share it. Store the SSP electronically and securely. Make it available to staff as appropriate — not just to the team collaborating to complete the SSP but also to those who will be using it to determine the supporting documentation that will be required. For ease of sharing, put your SSP on a trusted intranet site, such as a file server.
  2. Store your sources. A good SSP requires documentation of the assertions indicating compliance with controls from NIST, HIPAA, or some other regulation, law or requirement. For example, an assertion may indicate that an audit log extract shows proper configuration to capture events as required. In this case, store the log extract with the SSP on an intranet site. Make it clear which control or step the log extract is used with, and write instructions on how to create another such extract, including the systems and programs needed (e.g., text editor) for the next time.
  3. Commit to staying current. It’s not enough to create policy documents, which are almost always required with an SSP. You also need to show that these documents are reviewed and revised on a schedule (quarterly, annually, etc.). This clearly indicates that your organization is committed to keeping your security policies up to date.
  4. Take (and keep) notes. When using interviews of staff or management as evidence of compliance, keep notes of the conversations, making it clear what questions were asked and how they were answered. Put the notes in an electronic format and store them with the SSP on an intranet site. This will save time when you respond to your next SSP request — instead of starting from scratch, review the previous notes, identify changes, and make any necessary updates. In addition, making the effort to produce and retain this documentation will demonstrate a real commitment to properly securing PII and PHI.

Thinking about a System Security Plan as an ongoing process will greatly improve the SSP and provide a way to address and improve areas where changes or updates are needed.