Web management consoles have been an administrator’s friend for quite some time. However, they have been an attacker’s best friend since their conception. Management consoles are often integrated directly into the hardware of servers and devices to make the administration and troubleshooting of that equipment much easier. As these consoles are deployed into our environments, they are frequently forgotten about: out of sight, out of mind. We leave them off of our patch management programs, even though they are quite frequently installed with default credentials. Attackers have built word lists based on these default usernames and passwords, which are publicly available in the manufacturers’ configuration guides. Because administrators need this information when they configure the equipment, the onus to change the credentials falls on the organization.
Home Depot is reporting that it could be the point of origin for a massive credit card breach. Multiple banks, correlating compromised accounts, hint that the large home improvement retailer’s 1,977 US stores could have been compromised as far back as April. If true, it could easily dwarf the Target breach last holiday season.
Over the weekend you’ve probably seen news reports about celebrities being hacked and their private pictures and videos being posted and distributed all over the Internet. Most of the details about what happened are speculative at best, but most reports center around Apple’s iCloud service. While one can question why anyone would take and store naked pictures of themselves on their phone or a cloud service like iCloud, this “hack” is most likely due to a brute force attack on the iCloud service. Contrary to what the mainstream media will tell you, these are not new attacks. They happen to celebrities and regular people like you every day.
Within the last few years, social engineering attacks have grown in popularity. We have experienced a change in both end user and attacker behavior, resulting in adaptations in attack methods. Although the attacks are becoming more malicious, the technology to prevent them remains the same.
The government has been issuing warnings for a month now, and finally organizations are beginning to listen.
On Friday, the Department of Homeland Security (DHS) published a release encouraging retailers using Point of Sale (PoS) systems to proactively check for malware infections. While this is always a good practice, the recent releases are in response to multiple breaches that occurred last week and throughout 2014. So far, seven PoS providers/vendors have confirmed that clients of their in-store cash register systems are affected. Keep in mind, these are only the companies that have publicly come forward. It is estimated that over 1,000 American businesses have been affected; the number may be higher.
As Jason mentioned in his post, last week brought yet more breaches to light in the form of Community Health Systems and now UPS Stores. To be fair, the UPS Stores breach affects a much smaller population; however, at potentially 105,000 transactions, it still represents a significant concern. Actually, it’s telling that 105k seems small compared to the other numbers we are used to seeing.
All too often I hear the phrase, “compliance does not equal security”. While this statement is absolutely true, the statement in itself does not provide sufficient context. Compliance does not equal security; it more closely aligns with baseline governance for a subset of data. Security is merely a piece of the overall governance puzzle. Many business executives still see compliance as a hindrance to success as opposed to a means to mitigate risk. Compliance is the beginning of the governance process, not the end. The controls required for the subset of data protected by Federal mandate or industry regulation can be applied across systems for an overall mitigation strategy, maturing your holistic security program.
As we mentioned in the introduction to this blog series, SecureState has reviewed years of data in order to develop these attack vector results. By a decisive margin, weak passwords are clearly the leading attack vector. Weak passwords have plagued organizations from day one; however, the startling trend is not the attack vector itself, but the proliferation of bad habits which have been ingrained into our users over the years.
During one of the SANS sessions for the FOR408 course, I raised a question (challenge): is it possible to prevent Windows from logging key user artifacts? Many user artifacts, such as thumbnail views, Internet history, recently opened files, etc., are written to disk in defined areas. Our test was to attempt to lock down these areas to prevent user-action artifacts from being written and ultimately from being seen by an investigator.
Like most areas of study, there are certain analogies that we learn as students that stick with us for the rest of our careers. In medical school, you might learn to associate the circulatory system with a tree and its branches; likewise, a chemist might be taught to think about atoms as building blocks. No wonder, then, that the concept of an information security “kill chain” has so disrupted the way that we look at our own field. This concept, introduced by Lockheed Martin’s Mike Cloppert in 2009 and then formalized in 2011 as the Cyber Kill Chain®, is quickly replacing the traditional “onion” mentality of how we defend our networks.