February 25

Have You Thought About Printers?

Recently I have spent a lot of time thinking about printers. Not because I want something on paper; in fact, I do my best to avoid paper. But that doesn’t mean that I don’t care about printers and multi-function devices (MFDs). I test security for healthcare organizations, and these are entities that print reams of paper every hour. Most of this printing is done for a good reason: there is a legitimate need to print forms, records, orders, etc.

For the last decade, the healthcare industry has been working very hard to come into the 21st century. One of the largest initiatives that has been sweeping through the industry is the digitization of patient records. Along with this has come a plethora of new problems, regulations, attacks, and privacy concerns. Anyone who works in IT in healthcare, and more so those who work in security, knows that everyone has been working hard to find solutions to the new digital problems we are facing. This is all well and good; in fact, it is wonderful.

Unfortunately, this push to secure the digital side of things has left the IT and security departments stretched to their breaking point. Everyone is scurrying in ten different directions to put out the fires. Very few organizations, at least among those I have worked directly with, have had the time and energy to devote to the security of their printers and MFDs. In most cases, what I see is that these devices are simply segregated onto their own VLAN.

Keeping these printers and MFDs off the main network has kept many of the regulatory complaints at bay. It also works well as a mitigating control when a risk assessment or vulnerability scan finds the printer VLAN. But all that is being done here is putting another thumb in the dam. Unsecured devices anywhere on any network are bad. When those devices are used to process and print sensitive patient information, the landscape begins to look bleaker.

There is a mountain of services running on each of these devices. By default, they have a well-known username and password for administrative access. Often, they sit in publicly accessible or semi-public locations throughout healthcare facilities. And on top of all that, they are often configured, managed, maintained, and administered by the hardware reseller or the printer leasing company. These things put the printers and MFDs that providers so keenly rely upon at a significant level of risk.

Next time you have a vulnerability scan, risk assessment, or penetration test conducted within your organization, have the assessors look at this “safe” printer VLAN. See how many of these devices are properly configured. Think about their lifecycle. Does the vendor ever take the devices out for maintenance? If so, what happens to the hard drive? How about when the device is retired? These are just a few starter questions. Just because no one in your organization has had the time to take on printer security doesn’t mean it can be safely ignored.

Consider getting an assessment done specifically for the printers. Have a look at all of these aspects: everything from placement, access control, life cycle, and configuration to the management of the vendor, security, disk drives, and services, as well as all the things in between. Printers are a big part of most healthcare providers’ toolsets. They also process significant amounts of sensitive data, including patient health data, every day. Would you let your EHR database or Active Directory server be that wide open to attack? No.

January 28

Why Pay Someone to Attack Your Network?

I wondered what people want to know about penetration testing (pentesting), so I checked. According to Google, a lot of people are searching in order to better understand the benefits of having a penetration test done. This is a great question, and it is especially important to understand the answer if your organization is not required by regulation or compliance to have a penetration test done. There are plenty of reasons to have a pentest, or red team assessment, done on your organization’s systems. A few examples are compliance, protecting users, keeping customer data secure, finding vulnerabilities, and overall keeping the enterprise secure.

What Good is an External Pentest?

Today’s enterprise network is no longer an enclosed and controlled environment, not like it may have been just a few years ago. Think about all of the reasons that things are no longer contained and controlled. Consider the following: How many sanctioned cloud services are in use? How many servers are hosted by AWS or Azure? Can the users bring in their own devices? Can these devices access any enterprise data? Even just email. I am not going to drive you into a state of paranoia by continuing this line of questioning. However, I am sure you’ve begun to see what I’m talking about.

Since our once solid walls are in a much different state now, there really isn’t a better reason to have your network tested via an offensive assessment. A penetration test, or other similar assessment, will take a deep and systematic look at this border. An external assessment is designed specifically to look at the assets that face the internet. External systems are anything that has a public IP or has traffic routed to it via a public IP. By examining all of these systems from the perspective of an attacker, a pentester looks for holes, soft spots, and other weaknesses before a real criminal does. This is one of the most effective ways an organization can get the jump on the bad guys and keep themselves, and their customers’ data, safe.

So, What About the Internal Pentest?

Regardless of how much we appreciate our employees, the authorized users of the enterprise’s systems, and no matter how much trust we have to place in them, a lot of major breaches happen from inside the network. The attacker’s method of gaining this access can vary widely. Something as simple as a successful phish of one employee could get them access to a system that sits inside the enterprise network. Or maybe they dropped a Raspberry Pi or cracked the Wi-Fi. Attackers are by no means restricted to breaching the perimeter from the web. All of this is not even considering an actual malicious insider.

Most enterprise networks are not new. They have been around for a long time, a lot of systems have passed through them over the years, and some are simply missed. Chances are pretty good that some of these systems are missing patches, have misconfigured web servers, or suffer from a pantheon of other issues that could allow an attacker to gain a foothold. An internal pentest will have the assessors scan, probe, attack, and report on their findings. This report will lay out the vulnerabilities found as well as details of their severity and likelihood, so that system admins can begin to remediate or mitigate the issues.

TL;DR

Basically, it comes down to this: most networks have been in place for a relatively long time, and hundreds, or many more, systems have been life-cycled out, but there are always exceptions. There are almost always a few systems that were deemed “critical” or “too expensive to replace”, or whose remediation was delayed because a project underway at the time was meant to replace that system or app. Projects falter, equipment costs change, and the criticality of a system may well have changed. Or, if it is still critical, perhaps it is time to update or upgrade it so it is more secure and reliable.

A penetration test is a good opportunity to start from a clean slate and prioritize issues and fixes. It also provides a very good and powerful wake-up call to executive leadership that may have been pushing these types of changes off. Regardless of the reason and the situation, there is rarely a time when a pentest won’t help to make everything more secure and give a fresh perspective on things that may have gotten stale or fallen through the cracks over time.

January 22

Cyber Thermo-Nuclear War: Are we in an even worse cold war than before?

Not that long ago the USSR was crumbling, the wall in Germany came down, and the world was celebrating the end of decades of tension caused by what was affectionately called the “cold war”. The concept behind the cold war was that Russia and the United States (the two primary superpowers in the world at that point in history) both had roughly equivalent power to destroy each other’s countries beyond repair. This was called mutually assured destruction, and because it was based on the size and power of the constituent countries’ nuclear arsenals, the term was very fitting. If the Russians had decided to send a nuke into US territory, the US would respond in kind. This meant that it was a standoff, a checkmate, in which neither party could act without assuring their own country’s destruction.

It is important to understand that the destruction that would have been caused by a nuclear shootout between the US and Russia would most likely have ended in wiping out the vast majority of life on this planet. This would most certainly have wiped out all, or almost all, humans on earth. Those that were left behind (e.g. those who lived in a nuclear bunker or hid underground for a few dozen decades) would be living in a world akin to Mad Max or the world of the Fallout video games. The fallout (literally) from a kinetic conflict between the USSR and the US would have killed off a lot of the world, ended civilization as we know it, and led to the decimation of most of the known world.

Our Current State of Affairs

Today we (and what is left of Russia) have severely shrunk our respective nuclear arsenals. There is not the same pervasive fear that the communists will destroy democracy; this is not a fear instilled in the American psyche any longer. We can rest assured that it is very unlikely that Russia, or any other nation that claims to have nukes, will bomb the US, unless it has a suicidal leader. But while we were reveling in the freedom that this new mindset allowed, we began to embrace technology like never before.

In the decades since the threat of nuclear war was lifted, the entire world has slowly put its entire existence and all of its assets into the digital world. Initially this was a small portion of the world’s data, money, and even physical devices. However, it was quickly realized that none of this technology had been built to be secure, and anyone with a little knowledge of the system could access private data, intercept communications, and exploit a thousand other insecurities.

Since the beginning of networked computers, our enemies have been able to access them at will, despite billions of dollars and thousands of “man years” worth of patches and new tools. The networks we rely on ever more totally are not much more secure than they were in the beginning, at least not from nation-states that have the time and resources to “hack in” to the systems.

Our societal reliance on digital systems has grown exponentially in the last 20 years. Today all of our money and banking occurs on computers; most of our shopping, school, and even the industrial control systems (ICS) that run our critical infrastructure (e.g. power, water, etc.) are completely reliant on the internet, computers, and questionable security practices and software. The landscape of the world, the fabric that makes up the global society we now live in, is no longer visible to the naked eye; it lives in tiny bits, 1s and 0s, that travel in electrical signals or are stored on devices using simple magnetism and electrical impulses.

How We Can Help and Stay Safe

Despite our advances and our attempts to protect our digital assets, it has long been known that the only reason our systems are still intact is that it is well known we would retaliate against attackers. It is my firm belief that every nation-state that has the funds and knowledge to set up a cyber offensive unit of any sort has, and will continue to have, its hooks in all of our most sensitive systems and critical infrastructure. They are fully aware of our vulnerabilities (they have the same ones), and they also know of our offensive capabilities. They are also aware that we too have our hooks in all of their critical systems.

The first step, in my humble opinion, is for us, as a nation, to accept the risk we are all facing and begin to work on ways to protect our interests. For now, stay vigilant, and keep an ear to the ground. There are many, especially in power, who would rather we just pretend this isn’t a problem.

January 14

Biomedical Worries

Pacemakers and FitBits seem to be the canaries in the mine as far as health-data collecting devices are concerned. The vulnerabilities these devices present are systemic and caused by a culture of cheaper, faster, and simpler. Devices, regardless of what their final MSRP may be, are all designed, developed, and eventually produced using the least expensive means available. This cost cutting allows for cheaper FitBits but directly causes the security issues we see, as any and all corners are cut. It would be easy to think that a device like a pacemaker, which costs the consumer (and/or their insurance company) tens of thousands of dollars, is inherently safer. Unfortunately, its makers are still motivated more by profit than by any other factor, a common theme in today’s increasingly capitalistic world.

Some devices are certainly more vulnerable than others. Factors that contribute to security weaknesses include additional or extra features, software, and how the device communicates with external devices (e.g. Bluetooth, Wi-Fi, or a wired connection). When a device has the ability to send and receive signals wirelessly, it has a markedly higher risk of being vulnerable to attack. It boils down to a conflict that has plagued InfoSec professionals for as long as information security has existed: convenience versus security.

FDA To the Rescue (sort of)

The Food and Drug Administration (FDA) recently released voluntary guidelines to industry on post-market surveillance of medical devices to find security vulnerabilities (http://www.fda.gov/MedicalDevices/Safety/CDRHPostmarketSurveillance/default.htm). They have chosen to focus their efforts on patient safety and security, and as such consider vulnerabilities in medical devices that may cause a breach to be of low priority. While this is not necessarily good news for the healthcare organizations themselves, it is a very important step toward improving the safety of patients who rely on biomedical devices. The FDA’s new program seeks to implement a proactive, comprehensive risk management program specifically targeted at keeping customers of biomedical devices safe from serious risk. The FDA says it will have a consumer-level database in place at mdvis.nhisac.org; however, at the time of writing the site does not appear to be online yet.

What Can a Villain Do?

The potential ramifications of a successful hack on a biomedical device depend on the type of device, its functionality, and how it interacts with the patient and other systems. A device such as a FitBit or other “activity tracker” collects data on its user’s physical activity (such as steps and heart rate); some of the more advanced devices will monitor GPS location, sleep patterns, and even other more private physical activities. An attacker that gains access to this information can use it as a means of extortion against the user, blackmailing them with information they would prefer to keep private. Devices like pacemakers are a bit of a different story. In most cases external communication from these devices takes the form of “logs”, or data on how the device is performing and how the patient is doing. However, it is entirely possible that a determined attacker could cause an intentional malfunction of a device to injure, hospitalize, or potentially even cost the victim their life.

One of the biggest concerns with devices such as FitBits and smartwatches that are capable of collecting a lot of useful health-related data is the data itself. As it stands, most data from these devices is kept private and only provided to the user. However, there have been attempts by insurance companies, employers, and healthcare providers to gain access to this data. It should be kept in mind that this information can be used by these same organizations to make coverage and treatment choices that are more likely to benefit the “bottom dollar” than the patient. Patients may be denied coverage or treatment because of this information.

Have I Been Hacked?

This is one of those “age old” questions that is very difficult to answer. The basic guideline is the same as what the government and police often say: “see something, say something.” If you see something out of the ordinary, such as changes to settings, passwords, configurations, or anything else that seems odd, it could be a sign that an attacker has compromised the device or the accounts linked to it. If you suspect there is something fishy going on, speak to the provider or maker of the product and ask them to investigate your suspicions.

(Blog Post for Week 5 of CYBR650)

January 7

New Year, Same Challenges.

If you are reading this blog post, you have officially survived 2016. By most accounts this past year was a rough one. Cyber attacks have been no exception to this calculation. We saw the announcements of some of the biggest breaches in history, the continued proliferation of ransomware, and even the recent reports that Russia was meddling in our politics through attacks on our IT security.

Let us, as a collective, decide to do better this year. Most of the atrocious breaches and other IT Security related incidents could have been avoided if we could get on top of our security hygiene. Security starts with basics and that is where we need to return to this year.

Back to basics

Before we start to spend boatloads of money on new security solutions, like new software and hardware, look at what is there and how it can be better protected. I perform penetration testing and security assessments almost every working day, and almost as often I find terribly simple mistakes that could lead to compromise or sensitive data leakage. Most of these issues are directly related to missing patches or, even worse, to using end-of-life (EOL) and deprecated software.

Can you answer these questions confidently? When was the last time you did a vulnerability scan on your network? How many findings were there? How many of those would still be there if another scan was run today? Obviously, those are rhetorical questions and I don’t expect a deluge of emails answering them. However, I am here if anyone has questions for me.

Now, how would you answer those questions? Don’t feel ashamed if you would get much the same results from a new scan; almost everyone is in that same boat. But why? Because it is too easy to put things off, to wait for a new system to replace the vulnerable one, to ignore fixes due to lack of time. This does not mean it is the right attitude, but it is the pervasive one.

Attitude Adjustment

I believe that one of the single greatest improvements that we could make to security today is to address security today, with what is already in place. Before you start blowing the seemingly endless 2017 budget on bigger and better analytics, or on a rack-mounted box of silicon and aluminum that promises to save the day through security black magic, consider your own house first. How long ago did you intend to have all of the EOL systems off of the corporate network? Are you still accepting TLS 1.0, or worse yet, any version of SSL? These are just a few of the items that I see practically daily.
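As an added example (not code from the original post), here is a Python check for the TLS 1.0/SSL question above, meant to be run against a host you administer: it attempts one handshake per protocol version and reports which legacy versions the server still accepts. The version grouping, the `classify` policy, and the `ALL:@SECLEVEL=0` cipher string are this example's own choices, not anything the post prescribes.

```python
import socket
import ssl
import sys

# Protocol versions grouped by the policy this example applies (an assumption
# of the example, not a standard): anything below TLS 1.2 is a finding.
LEGACY_VERSIONS = ("SSLv3", "TLSv1", "TLSv1_1")
MODERN_VERSIONS = ("TLSv1_2", "TLSv1_3")


def context_for(version):
    """Client context pinned to exactly one protocol version.

    Certificate verification is disabled on purpose: the question here is
    which versions our own server negotiates, not whether its cert is trusted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Modern OpenSSL refuses TLS 1.0/1.1 at its default security level, so a
    # server that still accepts them would look "safe" unless we lower it.
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # older or non-OpenSSL builds do not know @SECLEVEL
    ctx.minimum_version = version  # raises ValueError if the local build
    ctx.maximum_version = version  # cannot speak this version at all
    return ctx


def probe_versions(host, port=443, timeout=5.0):
    """Attempt one handshake per version.

    Returns {version_name: True (accepted) | False (refused) | None
    (the local TLS library cannot even offer that version, e.g. SSLv3)}.
    """
    results = {}
    for name in LEGACY_VERSIONS + MODERN_VERSIONS:
        try:
            ctx = context_for(getattr(ssl.TLSVersion, name))
        except ValueError:
            results[name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    results[name] = True   # handshake completed
        except (ssl.SSLError, OSError):
            results[name] = False          # refused, reset, or timed out
    return results


def classify(results):
    """Turn probe results into findings a remediation ticket could quote."""
    findings = []
    for name in LEGACY_VERSIONS:
        if results.get(name):
            findings.append(f"{name} accepted: legacy protocol, disable it")
    if not any(results.get(name) for name in MODERN_VERSIONS):
        findings.append("no TLS 1.2 or 1.3 accepted: modern clients will fail")
    return findings


if __name__ == "__main__":
    # Usage: python tls_versions.py your.server.example [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    outcome = probe_versions(target, port)
    for name, accepted in outcome.items():
        state = {True: "accepted", False: "refused", None: "untestable"}[accepted]
        print(f"{name:8} {state}")
    for finding in classify(outcome):
        print("FINDING:", finding)
```

A `None` result is worth reading carefully: it means your probing machine could not offer that version, so the server may still accept it from an older client. Run the check from a host with an older TLS library, or use a dedicated scanner, before concluding SSLv3 is really off.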

What I propose is that we make initiatives, and follow through, to get these old systems shored up. So what if the firewall, database, or system is due to be replaced this year? Attackers are not looking for issues to exploit next month, or even tomorrow; they are looking for cracks in the perimeter now. I am by no means saying that you should not move forward with improvements and upgrades. What I am saying is that those line items should not be used as an excuse to ignore issues residing on the network now.

What Can We Do?

What we once thought of as a wall around our network is now more of a porous mesh that lets almost anything through. We let users bring in their own mobile phones, connect them to corporate email, and trust they won’t allow their device to be compromised. We have all opened up countless ingress and egress points in our once solid walls to allow cloud-based services to be accessed, to allow our users to access the web, to allow external devices (BYOD and contractor provided) to access the internal network. This is the new face of security, but that does not mean it should be ignored. Our attack surfaces are growing exponentially every day and if we ignore issues we know about then new fixes will not make a difference.

For one, business as usual should continue. Then, step back and look at all of those things that got pushed to the back burner last year. How many of these might well be the root cause of an upcoming incident? Reassess and prioritize how the available resources should be allocated. Approach the here and now; plan for the future, but don’t rely on it as a fix for problems that are real and present in this moment. As always, we are more than willing to help with that assessment.

December 9

Be a Hero: Without Breaking a Sweat

With the holiday season in full swing, all of us who have a job that is even remotely IT related become the extended family’s tech support person. It really doesn’t matter how much technical knowledge you actually have. What does matter is that you know better, at least I hope you do. All of us, that is you, dear reader, will have the opportunity to help keep our loved ones safe online and to incrementally weaken the power of some of the criminal botnets that have been plaguing the web recently.

Let’s Clear Some Things Up

To begin with, I want to make sure it is clearly understood that the Internet of Things (IoT) is not just made up of internet-connected lights and toasters. Things (aka systems) that connect to the internet are what make up the “internet of things”. This encompasses a surprisingly large number of devices, for example: home internet routers, internet-connected cameras, home automation systems, and countless other items. The list is growing daily, and these devices often come with vulnerabilities installed and no simple or automatic method to update them. As a result, there are millions of these little devices connected to the web, with hundreds of thousands more coming online every day.

A large portion of the most powerful networks of zombie computers (systems that do the bidding of a criminal’s command server) are heavily reliant upon IoT devices to power their attacks. This means that every toaster, camera, and especially router is a serious threat in almost every home, even your grandmother’s. Start at your own house: take stock of every item in your house that has an IP address.

Start with the Router

A substantial portion of the homes in the United States have high-speed internet piped directly to a wireless router/modem. These devices are given to the customer, usually at a high cost, by the Internet service provider (ISP). The devices are almost without fail the cheapest and least secure (by default) devices they could buy. Log into the router’s configuration or admin page (just Google for device-specific directions), then, before you do anything else, change the admin password.

After the admin password has been changed from the default, check the firmware to see if there are any updates available. If so, install these updates immediately and reboot the router. Now, using that admin console, most routers will allow you to see a list of devices that are connected to that access point. This is a good way to take stock and see what other devices may be communicating out to the internet. Anything that is connected should be checked to make sure the default admin passwords are changed and the firmware is up to date.

Grandma’s House

Now, as you head out to spend time with your extended family over the holidays, give them the gift of security. When you are inevitably pecking at your phone because everyone is watching something you couldn’t care less about, check out their router. See what devices they have on their networks. In the case of a non-technical relative, despite the general consensus that this is bad, write the passwords down for them. Tell them to keep them somewhere they can find them. Then, next year when you go back, you will already know the admin passwords and updating their firmware will take even less time.

Everyone Can Help

While every little bit helps and each of us should do what we can, the more people that are involved, the bigger the impact. So tell your techie friend about this idea; they don’t have to read my blog, just tell them to fix their family’s stuff. If all of us, meaning anyone who knows about technology, would do that, it could have a serious impact on some criminals’ ability to carry out such high-impact attacks against the infrastructure that holds the Internet (upon which most of us rely) together.

Regardless of whether you plan to stay in this December or fly across the country to see relatives, take ten minutes to steal some of your own devices back from the bad guys. You can even do this from your phone’s web browser while you are binge-watching whatever show you plan to watch during your break. Enjoy the holidays, no matter how you spend them, but let’s also spread some holiday security.

November 30

Better Tailored Offensive Assessment

The maturity of an organization’s security program and the number of past assessments should be a critical metric considered when an organization contracts to have any sort of offensive assessment performed. I can’t count the number of times that, when preparing to perform a penetration test, I find that the organization had the exact same assessment at least once before, and often for many years running. It is important that this assessment is not being performed simply to “check the box” for compliance. While compliance is an important part of remaining secure, the bar set by most standards is not nearly high enough to truly protect an organization from modern malicious threats. The assessment and its scope should be carefully considered from a risk-based and business-process standpoint, to ensure that this test is going to help improve the security stance of the organization as well as help to meet (or beat) compliance minimums.

Now it is certainly true that doing the same assessment each year is a lot better than no testing at all. However, if an external pentest is performed against the same systems year after year, there is little chance of finding any serious issues that were not previously known. Sure, there may very well be a new vulnerability on those systems, but those types of things are usually found by vulnerability scans. Penetration tests and other in-depth offensive assessments are time consuming and generally only performed once or twice a year. This means that once or twice a year most organizations have a limited window of time in which a skilled offensive security professional will dig into any systems or networks they are given authorization to look at. It is the responsibility of leadership to carefully consider their goals and provide a scope of systems that can help them to achieve their business and security goals.

Expand what you test, expand what you know

Continuing to perform the same actions and expecting that the results will somehow be different is futile. Should these organizations be performing the exact same test year after year? Does it even seem like that will make any significant impact past the first year? The answer to both of these questions is simple and binary: No!!

It is perfectly acceptable to simply add to last year’s test: check the same systems plus a new subnet or subset of systems. By performing a penetration test once a year and expanding the scope as the security program matures, in just a few years the security program will be significantly more mature, and awareness of vulnerabilities and holes in the network will be remarkably improved.

Penetration testing and other offensive assessments, such as phishing, social engineering, and adversary simulations (adversary simulations will be detailed in my next blog in this series), are most effective when specifically tailored to the target organization’s maturity. For example, if an organization has never had any offensive assessment performed, it would be best for them to start small, with their most critical web-facing systems. After the web-facing infrastructure has been evaluated and remediated, another pentest of just those systems (the same scope) will not make any major impact on the security stance of the company.

Use the Hacker at your Disposal

If your organization is considering a penetration test, or has already scheduled one soon, make sure there is a detailed and thorough dialogue between the organization and the tester. Hackers have been attacking systems for a long time, and we know some of the highest-risk areas. We can help you determine how to best meet your goals and test the systems that are potentially at the greatest risk.

In all of CynergisTek’s penetration testing offerings there is a need to limit scopes. Money and time are not unlimited. We strive to assist you in finding the greatest value in your offensive assessments. Regardless of the scope or number of IPs that are “included” with your test, we would rather look at the larger picture and help you narrow it down from a risk-based perspective. We will assess the list and help to identify the systems that we believe are most at risk, allowing you to limit the scope as needed without lowering the value that can be gained from the testing performed.