Category Archives: Security

Security News – Verizon 2015 DBIR and MS15-034

Some important security news you should be aware of…

Each year, many large organizations publish their annual security report…many are good, some are not. One of the best is Verizon, which has been publishing their annual Data Breach Investigation Reports for many years. Their report for 2015 is out, and is a must-read if you are involved with network security. You can download a copy here. Note…it asks you to opt in to other announcements from Verizon, but there is a “Download Only” link available if you prefer.

Microsoft has released a Security Bulletin (MS15-034) for a rather nasty vulnerability in how the Windows HTTP stack handles requests. Although most Windows clients would not have any applications running that handle HTTP requests, that is not the case for Windows Servers (especially IIS). If you manage Windows servers, you need to take a look at this Bulletin quickly…there are active exploits in the wild already.

Cisco and NGE (Next Generation Encryption)

Do you still use DES and 3DES for all your VPN and IPsec needs? I sure hope not. Do you wonder what the current and future trends are for encryption? I sure do…inquiring minds want to know, right??!! Well, good news…you don’t have to do all of that worrying….Cisco has done it for you. (And I bet they pay a lot of engineers some VERY good money to work all this out.)

Take a look at this short webpage at Cisco detailing the current state of encryption protocols. Review your encryption configs, and if you are using anything noted as Legacy or Avoid, make plans now to step up to the more secure protocols. Yes, this will take some time and effort to change, but you need to do this soon. If your company is publicly traded or in the medical arena, hopefully past audits have already flagged these issues.

One other thing to note…if you do find yourself needing to make use of better encryption protocols, make sure your existing hardware has the horsepower needed to run some of these more complex algorithms. You may find that you need to upgrade hardware too.
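To make the “review your encryption configs” step concrete, here is a small Python script that walks an IOS-style crypto configuration and flags the keywords that fall into the Legacy or Avoid categories. This is an added example, not code from the post or from Cisco; the keyword-to-category mapping inside it and the sample configuration are assumptions made for the example, so confirm each algorithm against the current table on Cisco’s NGE page before acting on the output.

```python
import re
from collections import Counter

# Illustrative mapping of IOS crypto keywords to the "Avoid" / "Legacy" categories
# used on Cisco's NGE page. This mapping is an assumption for the example: confirm
# each algorithm against the current table on the Cisco page before relying on it.
CLASSIFICATION = {
    "des": "Avoid",            # 56-bit DES (isakmp "encr des")
    "esp-des": "Avoid",        # DES in an IPsec transform set
    "md5": "Avoid",            # isakmp "hash md5"
    "esp-md5-hmac": "Avoid",   # HMAC-MD5 in a transform set
    "group 1": "Avoid",        # 768-bit Diffie-Hellman
    "group 2": "Avoid",        # 1024-bit Diffie-Hellman
    "3des": "Legacy",          # isakmp "encr 3des"
    "esp-3des": "Legacy",      # 3DES in a transform set
    "sha": "Legacy",           # isakmp "hash sha" means SHA-1
    "esp-sha-hmac": "Legacy",  # HMAC-SHA-1 in a transform set
    "group 14": "Legacy",      # 2048-bit Diffie-Hellman
}

GROUP_RE = re.compile(r"group(\d+)")  # "set pfs group2" style keyword

# Constructed sample configuration (not from a real device): one old ISAKMP
# policy, one newer one, two transform sets and a crypto map using weak PFS.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 20
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto ipsec transform-set OLD-SET esp-des esp-md5-hmac
crypto ipsec transform-set NEW-SET esp-aes 256 esp-sha256-hmac
!
crypto map OUTSIDE 10 ipsec-isakmp
 set pfs group2
 set transform-set OLD-SET
"""


def audit_config(config_text):
    """Return (line_number, keyword, category) for every Legacy/Avoid keyword found."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        tokens = raw.strip().split()
        if not tokens or tokens[0] == "!":
            continue  # blank line or IOS comment
        for i, tok in enumerate(tokens):
            key = tok.lower()
            if key == "group" and i + 1 < len(tokens):
                key = "group " + tokens[i + 1]        # "group 2" keyword pair
            else:
                m = GROUP_RE.fullmatch(key)
                if m:
                    key = "group " + m.group(1)       # "group2" -> "group 2"
            category = CLASSIFICATION.get(key)
            if category:
                findings.append((lineno, key, category))
    return findings


def summarize(findings):
    """Count findings per category, e.g. {'Avoid': 5, 'Legacy': 2}."""
    return dict(Counter(category for _, _, category in findings))


if __name__ == "__main__":
    results = audit_config(SAMPLE_CONFIG)
    for lineno, keyword, category in results:
        print(f"line {lineno:>3}: {keyword:<14} {category}")
    print("summary:", summarize(results))
```

Feed it the output of `show running-config` from a router and the line numbers point you straight at the policies and transform sets to migrate; anything it does not flag still deserves a manual look, since the mapping is deliberately short.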

Network Security – Sometimes it’s Really Obvious!

Since network security is one of the hats that I wear, I get various security alerts throughout the day…from my firewall or IDS (Intrusion Detection System). Most of the time they are nothing to worry about, and I quickly figure out what happened. Sometimes, though, I end up spending a lot of time trying to figure out if the alert was serious…is something bad happening on MY network?

But then, sometimes it’s just comical….like, “Hello, I’m a newbie hacker, please let me in”. Take a look at this…

Like duh….textbook portscan example (sterilized for public consumption)

As you can see, this portscan is stepping through my public IP address range, hitting three different destination ports…80 (http), 8080 (http alternative port), and 1080 (typically used for proxy services). And this is just a snippet…there were 147 packets in total in less than 10 seconds. The source IP address (192.0.17.168) is from a parent block owned by an entity in China, but is sub-delegated to a hosting facility located in Los Angeles. Go figure. There really is no way to know who is doing this…probably some 11 year old kid in Beverly Hills.

But I did get a laugh out of this. Hope you did too.
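A pattern this obvious is exactly what a threshold rule in a firewall or IDS catches: one source touching many distinct destination/port pairs in a few seconds. As an added example (not from the post, and not the rule my IDS actually uses), here is a Python detector that parses firewall log lines in an assumed `timestamp action src= dst= dport=` format and flags any source that reaches at least ten distinct targets inside a ten-second window. The log lines are constructed inside the script using documentation IP ranges, mimicking the scan above: one source walking a /24 on ports 80, 8080 and 1080, plus some ordinary traffic that must not be flagged.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format for the example (constructed, not a real firewall's format):
# 2015-04-01T10:00:00 DROP src=192.0.2.10 dst=198.51.100.1 dport=80
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def build_sample_log():
    """Constructed sample: a scanner sweeping six hosts on three ports within
    five seconds, plus one legitimate partner host talking to a single service."""
    lines = []
    base = datetime(2015, 4, 1, 10, 0, 0)
    for i, host in enumerate(range(1, 7)):
        for port in (80, 8080, 1080):
            ts = (base + timedelta(seconds=i)).isoformat()
            lines.append(f"{ts} DROP src=192.0.2.10 dst=198.51.100.{host} dport={port}")
    for minute in (0, 3, 7):
        ts = (base + timedelta(minutes=minute)).isoformat()
        lines.append(f"{ts} ACCEPT src=203.0.113.7 dst=198.51.100.20 dport=443")
    return lines


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))


def detect_scans(lines, window_seconds=10, min_targets=10):
    """Return {src: (max_distinct_targets_in_window, total_packets)} for every
    source that hit at least min_targets distinct (dst, dport) pairs within
    any window_seconds-long window."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            ts, src, dst, dport = parsed
            events[src].append((ts, (dst, dport)))

    alerts = {}
    for src, evs in events.items():
        evs.sort()  # oldest first so the sliding window below is valid
        best, start = 0, 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans <= window_seconds
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, len({target for _, target in evs[start:end + 1]}))
        if best >= min_targets:
            alerts[src] = (best, len(evs))
    return alerts


if __name__ == "__main__":
    for src, (targets, packets) in detect_scans(build_sample_log()).items():
        print(f"ALERT {src}: {targets} distinct dst/port pairs, {packets} packets")
```

The window and threshold are the knobs to tune for your own traffic: a busy partner that legitimately talks to many of your hosts will need a whitelist or a higher threshold, while a slow scanner spreading its probes over minutes will only show up if you widen the window.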

Another Example of Physical Damage by a CyberAttack

As a follow-up to an earlier post concerning real (physical) damage from cyber-attacks, check out this post on Wired about damage done to a steel mill in Germany. Talk about scary…and it’s just going to get worse, I’m afraid. At least until people understand that infrastructure and control networks MUST be separated and secured from the Internet and other Internet facing networks/systems. In the simplest form, you can tie the two networks together and remove the connecting cable….leave it unconnected except when you need to apply patches, etc. And then, lock the connecting ports up in a box of some sort, and only the CIO and Admin have the keys. (I’m not kidding folks.)

Yes, I know….this is a bit too simplistic and perhaps not viable in the real world. But, we need to take this seriously. With the escalation of nation state “cyberwar”, you will be seeing more examples of this over the next couple of years. I’m worried…are you?

Security Worries about Critical Infrastructure are REAL

Unless you are involved in the security field, you probably have not heard much about the heightened security concerns related to critical infrastructure that is so vital here in America. This would include water, electricity, oil, mining, and other fundamental services. Let me tell you, there is a lot of work underway in trying to secure these services from hackers (and others) who would just love to damage any of these systems, especially without even having to enter the country. Not sure how real this is? Take a look at this…

Mysterious ’08 Turkey Pipeline Blast Opened New Cyberwar Era (Bloomberg.com)

This oil pipeline explosion occurred back in 2008, and is just now becoming public knowledge. One reason this is such an issue is that most of the systems that control this infrastructure are still running on old PCs, which are running Windows XP. And they were not originally designed with security in mind. Not good at all.

Not sure about you, but this gives me the willies.

Security News – Regin and WordPress

Folks, here is one nasty piece of malware: Regin. Symantec has a fascinating and rather detailed write-up on Regin here. Very scary stuff. Most reports show that Regin has been in the wild since 2008, but I’ve seen a report or two that points further back to 2003. Due to the incredible complexity of Regin, consensus is that a nation state is the author, and the best choices are USA, Great Britain, China, or Israel. (Notice that no infections have been reported in USA or China.)

If you run a blog or website on WordPress (like I do), then note that WordPress has issued an update of their software which fixes a number of bugs and security vulnerabilities, including a critical flaw that could be used in an XSS (Cross-Site Scripting) attack. Exploits for this are most likely already out in the wild, so it is highly recommended that you apply the updates. You can view the security notice here.

Targeted Phishing – Educate Your Users…Today!

If you read some of my security postings lately, especially this one, then you should already be signed up to receive CERT notifications. (If not, WHY?) You would have received a US-CERT alert about a “Phishing Campaign Linked with ‘Dyre’ Banking Malware”. Have you read it? AND acted on it? (Here is the US-CERT Alert if you have not read it.)

The most important action item is to educate your users. Yes, you have firewalls and antivirus configured, and perhaps a URL filtering service. And that’s good. But the best defense against phishing is an educated user community. You should be sending out an email on a regular basis, perhaps quarterly, educating your users on what phishing is, and how to recognize it. (It would make more impact if this email came from your CIO or IS-VP.) AND, make sure to let them know that banks and other institutions will never ask for sensitive data via email. You should include a sample phishing email (with attachments and embedded links removed, of course).

How to get a sample phishing email? Well, if you have trained your users properly, they will be sending them to you on a regular basis. If they forward these emails to you with a note such as “Received this today…it looks fishy, so I just deleted it, but wanted to let you know”, then you have done well in your training!! Otherwise, just check the inbox of your upper management and finance personnel. Believe me, they are getting them on a regular basis, because they are being targeted. Hackers and Scammers (otherwise known as “Slimy Scum-Bags”) are not emailing the whole world anymore…instead, they are sending their mucky-muck to the people that have the access and power. And this strategy is working. Make sure to educate these users….frequently!

Let me repeat: The BEST defense against phishing is an educated user community!

Make it so. (In my best Captain Picard voice.)

Security – The BASH Bug Gives Us Shellshock

Oh dear…here we go again. And this one is a biggie! (If you only use Windows systems and servers, then you are probably not vulnerable to this. You can sit back and watch all us Linux/UNIX people squirm…which you don’t get to do very often!!)

A vulnerability has been found in the BASH shell, which runs on most Linux/UNIX systems. And when I say most, I mean LOTS of systems. Known as Shellshock, some believe this will end up being worse than Heartbleed. And that’s saying a lot. To stay up to date on this issue I would recommend several things…

Visit SANS Internet Storm Center at https://isc.sans.edu. They have a number of detailed articles concerning Shellshock and mitigation procedures.

I would also visit the main websites of whatever flavor Linux distro you are using, such as www.centos.org. They will also have updated information for mitigation and testing.

For example, I use CentOS on several systems. Patching them was rather simple…just run “yum update bash”…

BASH update example on CentOS

Note: Further testing has revealed that the initial patches have not completely solved the problem, although they have helped. Don’t just run this quick update and think you are done. Stay updated on this issue as noted above…network security is a constant vigil.

More Network Security Reading

Here are a couple of additional security resources to check out, and they are both very good. (Check out my first post on security resources if you missed it.)

US-CERT  –  This governmental organization does a good job of monitoring and alerting on critical vulnerabilities and associated fixes/patches. Go to their homepage and sign up for their alerts and tips.

Verizon Data Breach Investigation Report  –  This is an excellent source of information from around the world concerning the hacking community, methods of infiltration and what’s driving the hackers. This report comes out once a year and is well documented and detailed. You really can’t read it all in one sitting, so download a copy onto your tablet, and work your way through it bit by bit during your daily lunch. (Note: After reading this your first impulse will be to run to work and disconnect your company from the Internet. Effective, yes….but not very conducive to long term employment.)

Security in the Internet of Things – Get Educated

Security in all of its different flavors…network, server, PCs, mobile…is something that every Network Engineer needs to be aware of, study up on, and implement in their networks. In this area, there is no truer statement than “If you are not part of the solution, then you are part of the problem”. Whether you are a student working towards your IT degree or a seasoned IT veteran, security should be part of your daily experience. How to begin? Find some good blogs and websites that focus on security, and make them a daily read. You will be amazed at how much you will learn once you get this habit started. Here are several of my favorite sites…

krebsonsecurity.com  –  Excellent articles on hackers and how they think, plus tons of information on how they broke into various organizations. Most of what you hear reported on the news came from this website. This is a must-read.

sans.org  –  The best IT security training around. Expensive, but worth every penny. Click on their “Resources” tab…lots of great information here. Visit their Internet Storm Center every day. Plus check out their free whitepapers on their GIAC site and make sure to read their 20 Critical Controls. They also have a great semiweekly email newsletter (free!!) which you can sign up for here: https://www.sans.org/account/login

packetstormsecurity.com  –  Nothing but security here on every kind of platform, OS and application. It will make your head swim.

This is a good start, but there is much more to add….which I will as I have time.