Tag Archives: smb

2014 attacks to be highly targeted & well-researched

Leave a reply

Security provider Websense says that  while the volume of attacks will decrease, there will be an increased use of highly targeted, well-researched attacks. These attacks, in turn, will be used as a stepping stone for subsequent malicious activity after stealing user credentials.

The firm also predicts that a major data-destruction attack will occur in 2014.  Further, according to this Websense report (and with the caveat that the firm sells related services), there will be an increase of related ransomware attacks in SMB’s. Other predictions include ongoing Java exploits, increased focus on attacking data in the cloud, and increased reconnaissance activity on executives via professional social networks such as LinkedIn.  The report also speculated increased attacks on the vendors and contractors of large companies with the thought being that these ‘support’ companies will have less sophisticated cyber defenses than their larger partners.

More small businesses doing their own technical support

Leave a reply

smallbizsurveyimageAn 800 participant survey conducted by the National Small Business Association shows more small businesses are managing their own IT and web sites.  Other differences noted between the 2013 survey and a similar survey conducted in 2010 include:

  • desktop usage grew by 11% (76% to 87%)
  • laptop usage grew by 17% (67% to 84%)
  • smartphone usage grew by 17% (57% to 74%)
  • growth in businesses allowing telecommuting – 16% (44% – 60%)
  • online bank account management grew by 10% (73% – 83%)

Notably there was a 12% drop in businesses using external service providers for technical support and a 15% increase in business owners providing their own technical support.  Similarly, there was an 11% drop in companies paying external providers for web support accompanied by an 18% increase in owners that do it themselves.  (I’m guessing WordPress and other blog frameworks had a lot to do with that.)  Social media presence also grew substantially with LinkedIn leading with a 20% increase.

Risk-based authentication as alternative to chronically problematic password paradigm

Leave a reply

riskmeterAuthentication, the process of trying to prove that you are who you say you are to an online system, has primarily been driven by user ID’s, aka logins or user names, and an accompanying password.  In theory, the password is secret, only known by the user associated with it, and thereby by able to authenticate or provide proof of identity.  The problem is that there are a plethora of flaws to that.  Some of these include:

  • the password is not secret because the user shared it with someone else
  • the password is not secret because the user wrote it down on a yellow sticky note & stuck it to their monitor at work or school
  • the password is guessable and could be figured out if there were readily available, free password cracking tools available online
  • there are a million readily available, free password cracking tools available online
  • a password hacked on one site is used on another user site — because users use the same password across multiple different accounts & sites because it’s very hard to remember different complex passwords for many different accounts and sites
  • and on and on

An alternative is a newer approach that computes a risk score that is associated with login attempts (the authentication process).  A usage profile is developed based on several factors:

  • user ID
  • user device
  • geographic location
  • target system (what they’re trying to log onto)
  • time of day they typically log in
  • their IP address
  • typing speed

A user that tends to log into their company’s database on weekdays at a particular time of day from a particular workstation will generate a baseline profile.  An attempt to login to that database Sunday morning from a mobile device will generate a disparity.  This will signal the need for additional proof of identity (maybe a phone call or PIN) or perhaps disable the login entirely.

It seems some time in use and data to analyze effectiveness is called for, but if that looks good, this is pretty cool.  More here.  Even Bruce Schneier likes it!

riskbasedauthent

 

The roof the roof the roof is on fire

Leave a reply

Reminiscent of the delicate lyrics of Rock Master Scott and the Dynamic Three, there’s a lot of press about a number of different attacks right now on individuals, SMB’s, and large enterprises.  CryptoLocker ransomware, a Microsoft attack via images, and the  oldie-but-goodie of continued Java vulnerabilities.  It seems that the attacks are coming from all sides. And I believe they are. 

The CryptoLocker attack seemed interesting and fairly novel a few weeks ago, but I figured it would fade away pretty quickly as new anti-virus signatures or other patches caught up with it.  However, it appears to be on the rise.  CryptoLocker is a form of malware known as ransomware where the attacker encrypts your files and then demands a ransom for the key to unlock the files.  There have been reports of successful file unlocks after paying ransom, no file unlock after paying ransom, and also of the ransomware actor extending the due date.  US Cert has issued an alert regarding the rise in infections.

And then Microsoft has issued a security advisory regarding vulnerabilities in its graphics component and malicious TIFF files. Apparently, malicious code hidden in an image can execute and do arbitrary things.  So we’ve got that going for us. Affected systems include Office 2003, 2007, 2010, Server 2008, and Lync.  Microsoft offers a fixit/workaround here.

Finally, rounding out the happy news is the update from a Kaspersky report  that there were over 14 million attacks with Java exploits between 9/2012 and 8/2013, with more than 8 million of those in the second half of that period.  While chasing down some Java issues across several hundred machines myself last week, I counted over 200 Java fixes in the past year and that’s not counting new ‘features’.

It’s been said before, but the good guys are not winning this battle.  The general consensus is that it’s getting worse, not better.  What to do?  While no panacea, the basics apply — current anti-virus with daily updates, autoupdate on operating systems, good Internet hygiene — don’t open unknown mail, don’t download unknown things, keep a watchful eye for phishing attacks, use good passwords and don’t share them.  I think this will be our best/only approach for some time to come.

SMB’s operating under false sense of security

Leave a reply

When I used to fly in the service, one of the safety concerns was ‘complacency’.  Complacency was letting down your guard because of a feeling of safety based on numerous previous flights where nothing bad had happened.  System X never failed, system Y hadn’t failed, system Z had failed a little bit, but there was a backup, etc.  Per a recent McAfee and Office Depot survey, small to medium sized businesses (SMB’s) are suffering from a similar thing.

From a study of over 1000 participants, a majority (66%) felt confident  that their devices and data were safe from hackers.  Further, 77% felt they had never been hacked. This feeling of security is inconsistent with the evidence of SMB’s increasingly being targets of cyber attacks.  According to a statement by Congressman Chris Collins, part of the reason for this complacency is that attacks on small and medium sized businesses typically don’t make the news.  However there are a lot of them, hence the long tail.  According to McAfee, another reason for the increasing malicious activity on SMB’s is that larger businesses have had some success in hardening their enterprises to cyberattack and that has shifted the effort-invested and payoff balance for cyber criminals.

The study also found that 45% of the SMB’s responding did not secure data on employee’s personal devices and 14% hadn’t implemented any security measures at all. 

Vulnerability found in Netgear home and small business router

Leave a reply

netgearrouterA significant vulnerability has been found in the latest version (WNDR3700v4) of Netgear’s N600 Wireless Dual-Band Gigabit Router.  Per the researcher with Tactical Network Solutions that discovered the flaw, it is “trivially exploitable” and allows the attacker to disable authentication, open up a backdoor (telnet session), and then return the router to its original state so that the user never knows it was open.  According to PC World, other routers may be affected as well.

To mitigate the risk:

  • get the latest patch from Netgear (the Shodan database still shows at least 600 unpatched routers with the WNDR3700v4 hardware revision)
  • disable remote administration of the router (always)
  • use strong WPA2 pass phrases
  • don’t allow strangers on your network

Vulnerability discovered in several D-Link wireless routers

Leave a reply
One of the models with the vulnerability

One of the models with the vulnerability

The Register reports that a vulnerability has been discovered in several home and small business router models made by D-Link. The vulnerability allows unauthenticated users to gain administrative access to the router’s Web interface, thereby providing access to the network behind the router.  Per the post, models include DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+ and TM-G5240 units.

 

Because there is no current fix, users should disable admin access via wireless connection.

Motivating adoption of cybersecurity frameworks

Leave a reply

US-WhiteHouse-LogoThe Federal government is seeking to motivate businesses that operate our nation’s critical infrastructure systems to voluntarily adopt a Cybersecurity Framework currently under development by NIST (National Institute of Standards and Technology).  These systems include the electricity generation and distribution grid, transportation systems, and drinking water storage and distribution systems.  A preliminary draft is available now here and it will also be presented in two weeks at the University of Texas.

Roughly simultaneously, the Departments of Homeland Security, Treasury, and Commerce have been developing various options to try to provide incentives for companies to voluntarily adopt the Framework.  Per the White House Blog, there are eight core areas or approaches to incentives under consideration.

  1. Engage the insurance industry to develop a robust cybersecurity insurance market.  As discussed in an earlier post, this is not without it’s challenges.
  2. Require adoption of the Framework for consideration of Federal grants related to critical infrastructure or include as a weighted criteria as a part of the grant evaluation process.  This seems reasonable to me, though it only incentivizes those companies applying for Federal grants (but maybe that’s most companies?)
  3. Expedite government service provision for various programs based upon adoption of the voluntary Framework adoption.  Again, seems logical, though this one seems a short step away from changing the ‘voluntary’ part of the Framework adoption.
  4. Somehow reduce liability exposure of companies that adopt the Framework.  Per the White House Blog, this could include reduced tort liability, limited indemnity, higher burdens of proof, and/or the creation of Federal legal privilege that preempts State disclosure requirements. If one were a cynic, that last one could sound like buying a loop hole.  This whole core area of modifying liability seems to be to be pretty tough to manage, particularly to manage transparently and equitably.
  5. The White House Blog says that “Streamlining Regulations” would be another motivator for participating companies.  I don’t get this one.  I don’t understand how the government could “streamline regulations” for one company but not for another.  Sounds to me like interpret the law one way for one company and another way for another company.
  6. Provide optional public recognition for participating companies.  This one seems like a good idea.  Sort of a Good Housekeeping Seal of Approval, Better Business Bureau endorsement, or similar to Joint Commission on Accreditation of Healthcare Organizations endorsement for hospitals.
  7. Companies in regulated industries such as utilities could be offered some sort of rate recovery contingent upon adoption.  This seems reasonable logically, but I would imagine a bear to implement and manage (which is kind of a theme for many of these).
  8. The White House Blog says that “cybersecurity research” is an incentive.  This one I don’t get either. How does identifying weak spots in the Framework and encouraging research in those weak areas motivate Framework adoption? I mean it’s a good thing to do, but how does that make any one particular company want to participate.

While these are proposals for incentives for critical infrastructure companies, I’m wondering if some of these can serve as a model for SMB’s for adoption of cybersecurity standards for SMBs. Adjusting cyber insurance premiums based on participation would seem to be an obvious approach. However, as has been discussed previously, a mature cyber insurance market does not yet exist and it’s not a slam dunk that one will evolve sufficiently fast to address this need.  For SMB’s seeking government grants, to include SBIR (Small Business Innovation Research) grants, compliance with an SMB cybersecurity framework would seem to be a no brainer. Also, optional public recognition for compliance with an SMB cybersecurity framework would seem to be a practical approach.

What would motivate you as an SMB to adopt an established Framework?