Friday, 15 September 2017

VMworld Europe 2017 - General Session Keynote

I attended my second VMworld this year, which you may find odd as I rarely blog about virtualisation or VMware.  VMware is changing and security is now more apparent in the solutions and roadmap.  

On Tuesday 12th September, we had a General Session Keynote from Pat Gelsinger - VMware CEO.

The VMware vision was similar to the previous year, but there are new partnerships with telcos, moving the telco networks closer to cloud, as well as the growth of IoT.


Gelsinger talked about the mix of devices, applications, and platforms causing the core challenge.  People need access to their applications from anywhere, but it's complicated.  There is a mass of devices, applications, services and security.

He is only reiterating the challenges security teams have been facing for a number of years, with the increase in Shadow IT, less complementary but highly connected applications, and uncertainty about any associated security.


Workspace One is the solution, grown from AirWatch's support for iOS to work with many more operating systems, including Google Chrome.  


MDM (Mobile Device Management) solutions have had to grow into EMM (Enterprise Mobility Management) solutions, where it's no longer just the management of the device, but also the applications, the content, the availability and, in my world, the identity and security.

Gelsinger moved to security, highlighting that the target has moved from just applications and data to user infrastructure, including users and devices, but also the cloud infrastructure of the network and compute, as these are seemingly under the control of the security team.




There were gasps from some of the audience, shocked by this slide showing the number of different areas the security guys have been working with and trying to understand.  Security people know that security spend is increasing, but the cost of breaches is increasing even quicker.  As Gelsinger says, "you're spending more and falling further behind", "something is broken" and "we the tech industry have failed you the customers".  "We need a new approach"



There needs to be a move from infrastructure to secure infrastructure.  Security needs to be built in, not an afterthought, as I have been saying for a number of years.  There needs to be an integrated ecosystem, leveraging quality solutions and products in the areas where you do not excel.  All of this with a cyber hygiene regime. 


I'm glad that a tech giant like VMware is embracing cyber security and embracing the areas I believe are the most important.  The pillars of cyber hygiene are important for every environment.  

Least Privilege, Micro-segmentation, Encryption, Multi-Factor Authentication and Patching have been evangelised by security experts for a number of years.  So it's great that these elements are now considered mainstream.


As expected the EU General Data Protection Regulation (EU GDPR) came up in the keynote, and of course VMware are able to support the regulation by securing the data, automating governance and secure operations.


Gelsinger introduced VMware AppDefense and how it helps with the security challenge, being able to capture, detect and respond.


VMware's approach is to look at the security challenges of a business, without the business itself having to become a security expert.

I think it's a very exciting time for a security person to be looking at VMware, and I'm glad I was at VMworld Europe 2017 to see this for myself.

For those unable to attend, the General Session is available to watch here: https://www.vmworld.com/en/europe/video/general-sessions.html (where I also got the screen grabs, as the photos didn't come out so well)

Wednesday, 30 August 2017

Phishing and passwords - 3 years on

Nearly three years ago, I wrote a blog piece about the compromise of iCloud accounts, aka "The Fappening".  In the last 3 years there has been little improvement in how users interact with phishing attacks, and it's disappointing to hear of the Fappening 2017.

Phishing
I've been guilty in the past of blaming users for not checking the construction of an email, detecting incorrect domain names, etc, but with the technology available today, this shouldn't be the job of an email user.  Using a mainstream web-based email solution, these checks are done for you:


In a commercial environment, there are email filtering solutions to prevent the user from ever seeing these in the first place.

Passwords
The previous advice around regularly changing passwords may not have been the best, as people will just increment numbers, and typically the password will become weaker.  The advice now is to use stronger passwords and use a password manager to secure these passwords.

2-Step Verification
Many websites, including Facebook, LinkedIn, Twitter, WhatsApp and many more, support the use of 2-step verification.  This is a process where you log into one of these websites with your username/email address and your password.  Before you can gain access to the site or application, it will text your nominated mobile number with a code, which will need to be entered into the website before you can gain access.

Even if your login details were compromised, a hacker would be unable to gain access to the site or application without access to your mobile phone.

These solutions are provided free of charge, so it would make sense to enable this wherever possible.

So what?
So some people's iCloud accounts were compromised due to falling for a phishing attack... so what?

Well, looking at security and the principles in play, this also makes corporate networks susceptible to these sorts of hacks.  Phishing attacks are used to gain access to corporate credentials too, and in fact it's worse, as there are also spearphishing attacks.  Phishing attacks are typically broad brush attacks, spreading the net (excuse the pun) wide.  Spearphishing targets an individual, such as a member of the senior management team, or someone with administrative credentials, enabling access to personal information.

Privileged Access Management
The priority for any organisation is the protection of administrative passwords, typically known as Privileged Access.  Depending on the analyst reports you read, 80-100% of data exfiltration compromises have required administrative credentials.

Privileged Access Management is a technology to grant administrative access to a user, without them knowing the password.  The technology will securely store the password, and is also able to change the password once the user is done with that session.  What could be more secure than a user unaware of the administrator password?  

Some other benefits include the ability to record the screen of the user session, as well as in depth analytics.

Securing passwords
Whether you are a home user, or a corporate user, passwords have always been important, but password security is more important than ever.  Whatever the situation, there are ways to secure the password and minimise the damage a hacker can do.

Friday, 26 May 2017

Pull the budget and suffer the consequences: the NHS ransomware attack [Link: Information Age]

I was asked to help source an article about WannaCry on the NHS. Here is the article that was published on the Information Age website: http://www.information-age.com/pull-budget-suffer-consequences-nhs-ransomware-attack-123466474/

=========================================

Why wasn’t more done to protect NHS organisations from the WannaCry ransomware attack?


Ransomware infects computers around the world every day. In the last 18 months, instances of it have surged so prolifically that today it is the most common type of malware. However, the WannaCry strain hit the headlines because it brought large parts of the NHS to a crunching halt.

This is the problem with malware, it can have devastating effects. We don’t know what the real-world physical implications of WannaCry have been, for instance, patient treatments. Perhaps we will never know.

At a first glance, it appears almost criminal to be running operating systems that are no longer supported, in the case of the NHS, Windows XP. This was in no way helped by the government pulling the plug on an XP support contract to save money.

The ransomware infection was so serious that the government chaired a Cobra meeting, code for official panic. While patching an operating system is a fundamental security step, there can be a number of issues that complicate the process.

For instance, an organisation with a desktop fleet consisting of thousands of PCs might simply have not set up its configurations correctly, leaving holes in its patching process through which malware can insinuate itself.


Risk register


Some organisations might be reluctant to automatically apply operating system patches because they could cause conflicts with business critical applications. In short, they might be unable to patch for fear of slowing down, or even halting other parts of the business.

In both these cases there should be at least an awareness of the potential risks. It could be that an IT team is stretched thinly and is juggling other issues such as networking or storage, and consequently security slides down the list of priorities. This isn’t uncommon.

In these cases IT should be creating a Risk Register, which is essentially a list of system vulnerabilities: why they exist, how they can be remediated and why they haven’t been addressed. This could be because of budget limitations or some other reasons.

The C-level executive team should sign off on the ‘risk register’ to show that they are aware of the issues and have accepted responsibility. This protects IT from any fallout should a serious breach occur, and also illustrates that they are doing their job.

Finger pointing


The WannaCry breach led to a lot of finger pointing and within hours had also become a political hot potato. Many people in the industry were quoted saying that defences are only as strong as the weakest link.

This is a self-evident truth, but in this case a very large condemning finger was pointed at end users. The implication was that a naïve employee or cluster of employees had clicked on an email link which unwittingly unleashed the worm-like WannaCry ransomware.

Phishing emails are increasingly sophisticated and even the most alert and astute end user can be fooled if the mail is targeted and well-crafted. The only problem with blaming end users is that it smacks of scapegoating and is essentially an abnegation of responsibility. However, there has been no evidence to suggest that WannaCry was initiated by an email or spread by user interaction.


First lines of defence


End user education and training is important and should certainly be more than an annual box ticking exercise. Along with patching operating systems, it should be a last line of defence and certainly not the first line.

Any organisation that is serious about IT security will have a range of defences in place to safeguard against these types of attacks. For instance, an email security gateway with sandboxing will filter out ransomware even if a user clicks on a malicious link. A web security filter with sandboxing will protect against drive by downloads, in which someone has to just visit a website to inadvertently download malware.

Web filtering tools in conjunction with a good firewall can detect dubious websites, as well as flag traffic that is leaving an organisation for a questionable destination. Of course there is also heuristic and signature detection, so if malware does penetrate the network it is immediately detected and stopped.

Added to this are a raft of endpoint tools that can protect devices, and we’re not just talking about patching operating systems but also patching browsers, plug-ins and third party software for vulnerabilities. On top of this, admin rights should be removed from endpoints so software doesn’t automatically run by default.


Lack of willingness


In short, the tools are available to protect organisations from ransomware and other types of malware, and they don’t have to be the latest and the greatest either.  The real question is whether the willingness to take security seriously is there. Given the large number of attacks that happen regularly you’d have to say it’s not. For instance, if there’s commitment then budget is always made available to help overstretched IT teams.

Clearly in the case of the NHS the funding was missing, and if the government doesn’t yet fully understand the importance of comprehensive cyber security then who will? Will it take loss of life before someone sits up and takes security seriously?

Exclusive Networks Takes GDPR Message on The Road [Link: CommsBusiness]

I was asked by our Distributor, Exclusive Networks and Vendor, Gemalto for a quote regarding a bus they were using to promote GDPR (General Data Protection Regulation).  This was published on the CommsBusiness website: http://commsbusiness.co.uk/news/exclusive-networks-takes-gdpr-message-on-the-road/

===========================================

Exclusive Networks and digital security company Gemalto are taking the GDPR message on the road. A refitted double-decker bus began its UK tour in York on 23rd May, finishing at Infosec in London on 6th June. The bus will be making stops at key regional centres where channel partners and customers can meet security experts from Exclusive Networks and Gemalto and hear how a six-step process can aid GDPR readiness and compliance.

According to Exclusive Networks’ vendor alliances director, Stuart Nairne-Clark “many partners are still confused and lack clear understanding on the whole GDPR topic and what it means for them and their customers. Because there is no silver bullet – it’s as much about people and process as it is technology – by coming aboard they’ll get first-hand guidance on what’s needed to become compliant. They will hear directly from Data Protection Officers, understand the essential legal requirement and see how the latest multi-factor authentication, encryption and key management tools aid GDPR compliance. Already large and small organisations from right across the commercial, public and charity sectors are booked on and given it’s such a comprehensive regulation we encourage all partners and their customers to sign-up. It’s the ideal setting to engage with compliance, data protection and encryption experts.”

Andrew Tang, service director – security, at reseller MTI noted that “being a GDPR Practitioner I appreciate there is no precedent for what is coming. Understanding both the regulation and its context is essential if partners are to work with their customers to build an effective GDPR strategy and plan. My customer meetings are now all GDPR related so having the bus clinic pass by the door of many customers, especially the 50% or so who are just beginning to get to grips with the subject, is invaluable. It is doubly invaluable when you consider the only technology set mentioned within the regulation is encryption, and that is something Gemalto does best.”

The Exclusive Networks and Gemalto GDPR Bus clinic will be stopping in York, Leeds (25/5), Chesterfield (26/5), Birmingham (30/5), Milton Keynes (31/5), Oxford (1/6), Reading (2/6), Alton (5/6) and London (6-8/6). Seats aboard the bus are pre-booked and partners can sign-up here. In addition, a survey is being conducted to gauge how far those affected by the regulation have progressed along the road to compliance.

Jason Hart, identity and protection CTO at Gemalto added: “With a year or so left until the regulation is enforced it is essential partners and customers cut through all the noise and understand what they need to do on their road to compliance. Plenty of reports show a general state of un-readiness and lack of understanding. By taking the issue on the road we can reach more partners and customers and get to explain how Gemalto’s data protection, encryption and identity authentication technologies are essential in securing compliance and avoiding crippling penalties.”

Tuesday, 23 May 2017

So you have WannaCry 2.0, what next?


So your machine is infected, what can you do?

Immediate Action


  1. Find all the machines vulnerable to MS17-010.  This can be done using scanning tools, or by applying the patch wholesale to all machines.
  2. On the infected machines, don't pay the ransom - Research suggests that payment will get your files back two thirds of the time.
  3. Try the WannaCry decryption tool and, if it succeeds, skip to step 5.
  4. If the decryption tool fails, re-install your operating system - remembering to patch it.
  5. Install a good malware protection solution, switch on real-time updates and update it.
  6. Scan your machine with your newly installed and updated malware protection software.
  7. Re-install essential applications, remembering to check for patches, and switch on auto updates.
  8. Copy back data from backups, remembering to scan it as you do.  One of your backup files could be infected.
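An added example, not from the original post or from any vendor, of how step 1 can be checked on a single Windows host with PowerShell: it reports whether the SMBv1 server is enabled and whether one of the MS17-010 hotfixes is present, and provides the SMBv1 switch-off as a mitigation. The KB list is an assumption drawn from the MS17-010 bulletin; verify it against the bulletin for the exact OS build, because on Windows 10 a later cumulative update supersedes these IDs.

```powershell
# Added example: audit a Windows host for the two things WannaCry/WCRY 2.0 relied on,
# an enabled SMBv1 server and a missing MS17-010 patch. Run in an elevated session.
# Assumption: the KB IDs below are the MS17-010 hotfixes per the bulletin; a later
# cumulative update (Windows 10) supersedes them, so check the bulletin for your build.
$Ms17010Kbs = @(
    'KB4012598',                            # XP / Server 2003 / Vista / Server 2008
    'KB4012212', 'KB4012215',               # Windows 7 / 2008 R2 (security-only / rollup)
    'KB4012214', 'KB4012217',               # Windows Server 2012
    'KB4012213', 'KB4012216',               # Windows 8.1 / 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Ms17010Status {
    # 1. Is the SMBv1 server component switched on?
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Windows 7 / 2008 R2 have no SMB cmdlets: read the registry value that controls
        # the SMBv1 server. An absent value means SMBv1 is enabled (the default).
        $params = Get-ItemProperty $LanmanParams -ErrorAction SilentlyContinue
        $smb1Enabled = ($null -eq $params.SMB1) -or ($params.SMB1 -ne 0)
    }

    # 2. Is any of the MS17-010 hotfixes installed on this host?
    $installed = Get-HotFix |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID

    [PSCustomObject]@{
        ComputerName    = $env:COMPUTERNAME
        OSVersion       = [Environment]::OSVersion.Version.ToString()
        SMB1Enabled     = $smb1Enabled
        MS17010Hotfixes = ($installed -join ',')
        # Exposed means the worm's propagation path is open: SMBv1 on and no hotfix seen.
        Exposed         = ($smb1Enabled -and -not $installed)
    }
}

function Disable-Smb1Server {
    # Mitigation: turn the SMBv1 server off, which removes the service the worm scans
    # for. Patching is still required; older systems need a reboot for this to apply.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty $LanmanParams -Name SMB1 -Type DWord -Value 0 -Force
    }
}

$status = Get-Ms17010Status
$status | Format-List
if ($status.Exposed) {
    Write-Warning 'SMBv1 is enabled and no MS17-010 hotfix was found: patch, then run Disable-Smb1Server'
}
```

Run it across the estate with Invoke-Command and collect the Exposed column to build the list step 1 asks for.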

Next Steps


  1. Create a standard user account for general use, and keep the administrator account for configuration changes only.  Although WannaCry did not need administrator credentials, other ransomware does.
  2. Consider Application Whitelisting to ensure only known applications are able to execute on your machine.
  3. If your existing firewall allows it, switch on web filtering to prevent traffic to known malicious sites.
  4. Consider using an IPS (Intrusion Prevention System) to protect your network. 
  5. Use a Web Security Gateway to monitor and prevent traffic to malicious websites, with sandboxing to scan unknown packages.
  6. An Email Security Gateway can monitor and scan emails, working in combination with a sandbox to scan unknown attachments, and a Web Security Gateway to validate URLs within emails.  Although email was not the delivery mechanism for WannaCry, it is for pretty much 90+% of ransomware.
  7. Check existing backups and/or start doing backups.

Planning for the future


  1. User training is important, but it must be remembered that WannaCry 2.0 wasn't propagated by email and didn't require user interaction to install or spread.
  2. Ensure an open policy for users to report to IT Teams or Information Security Teams with any suspicious behaviour on their machines.
  3. Test the environment with simulated attacks to ensure the People, Process and Technology work hand in hand together.

WannaCry/WCRY 2.0 - What do we know?


On Friday 12th May, we were all made aware of a global ransomware attack, which hit nearly 200 countries, infecting over 300,000 Windows machines.  Named WannaCry/WCRY 2.0, it encrypted your data and demanded a ransom of US$300 payable in Bitcoins (electronic currency).

Timeline


Looking back to earlier in 2017 shows how WannaCry evolved.

14th March 2017 - Microsoft released a patch it classified as Critical as part of its monthly patch cycle.  The patch was called MS17-010 and resolved a vulnerability in the SMBv1 server on machines running Windows workstation and server operating systems.

14th April 2017 - Shadow Brokers leaked the NSA hacking tools which exploited the MS17-010 vulnerability.

14th April 2017 - WannaCry/WCRY 1.0 was released

12th May 2017 - WannaCry/WCRY 2.0 was released

History


WannaCry/WCRY 1.0 was a spam campaign, which delivered its payload via compromised or malicious Dropbox accounts.  To all intents and purposes, it felt like a typical ransomware attack, delivering an email with a link, the user clicking on the link to download the ransomware, the ransomware would exploit a vulnerability (in this case MS17-010) and then encrypt the data.

Why is WannaCry/WCRY 2.0 different?


It is believed that WannaCry/WCRY 2.0 was not distributed via email, nor was it caused by clicking on a link.

WannaCry/WCRY 2.0 scans for Windows machines that are running SMBv1, and will try to infect them.  I say try to infect them, because if the machine had the MS17-010 patch installed, it could not be infected.  The ransomware will exploit the vulnerability, install and encrypt the data.  WannaCry/WCRY 2.0 also has a worm-like characteristic, where it will scan the local network and random external IP addresses to see if they are running SMBv1 and try to infect them as well.

The clever part of this ransomware, is that it requires no user interaction to initiate it or to spread it.

What was the criminal gain?


Some organisations have been monitoring the Bitcoin wallet and they estimate that the financial gains from this attack are in the region of US$65-70,000, which doesn't sound like a great deal.

Who's vulnerable now?


Using Shodan it's possible to search for Windows machines on the internet using the SMBv1 protocol.  Of course, it doesn't show if these machines have been patched to prevent MS17-010 from being exploited.


Sunday, 14 May 2017

So you have Ransomware, what do you do?

I've written a lengthy blog post about ransomware, but you just want a quick and simple answer?

Your machine is infected and you have this screen:


  1. Don't pay - Research suggests that payment will get your files back two thirds of the time
  2. Re-install your operating system - remembering to patch it!
  3. Create a standard user account for general use, and keep the administrator account for configuration changes only.
  4. Install a good malware protection solution, and update it
  5. Scan your machine with your newly installed and updated malware protection software.
  6. Re-install essential applications, remembering to check for patches, and switch on auto updates.
  7. Copy back data from backups, remembering to scan it as you do.  One of your backup files could be infected.

Going forward:

  • Be mindful of any email attachments or links within emails
  • Continue to update malware protection, operating system and applications
  • Ensure backups are happening to prevent data loss, and even consider multiple backup destinations
  • Only use the admin account for configuration changes

This advice is aimed more at home users, but you can see the relevance to organisations as well.  For a more detailed look at ransomware, and what approach an organisation can take, have a look here.