Posts

Showing posts from June, 2015

Security Basics

We are posting a list of fundamental security practices and controls that all organizations should have in place in some form or other. While these practices are basic, many organizations have very immature programs in some of these areas. These basics are a good place to start in thinking about your security program.

The complete list of posts:
Security Basics: Know What's on Your Network
Security Basics: Patching Vulnerabilities
Security Basics: Managing User Accounts
Security Basics: Multi-Factor Authentication
Security Basics: Full-Disk Encryption
Security Basics: Privileged Account Management
Security Basics: Malware Protection
Security Basics: Database Security
Security Basics: Vulnerability Detection
Security Basics: Firewalls
Security Basics: Email Security
Security Basics: Networking Gear
Security Basics: Configuration Baselines

Weekly InfoSec News Brief June 22-28

Adobe Issues Emergency Patch for Flash

Last Tuesday Adobe issued an emergency patch for its Flash product. The patch fixes a critical vulnerability which Adobe stated was already being exploited in the wild on a limited basis in targeted attacks. This is not the first emergency patch for Flash this year, in addition to the several critical patches that have been released in their normal monthly patch cycle. Flash continues to be one of the most common sources of vulnerabilities on desktops, and one of the most frequently exploited applications out there. Every organization should be watching closely to ensure they are patching Flash rapidly, as well as perhaps considering measures to block or limit its use.
http://krebsonsecurity.com/2015/06/emergency-patch-for-adobe-flash-zero-day/
https://helpx.adobe.com/security/products/flash-player/apsb15-14.html

OPM Breach Investigation Stymied by Lack of Log Data

When a breach occurs (or is suspected) one of the first things an invest

Security Basics: Patching Vulnerabilities

This post is one in a series of blog posts on the fundamentals of an information security program. You can see the complete list of posts in this series here. Vulnerabilities happen. In most major pieces of software, such as Windows, Office, Java, Acrobat, Flash, Chrome, Firefox, Oracle, or anything else that runs on your servers and workstations, you can count on new flaws that affect your systems' security being announced frequently, often monthly. While installing patches is a fundamental security activity, many organizations do not make a strong and comprehensive effort in this area. A recent study showed that organizations typically take months to install a patch from the time it is released. The time varied significantly by industry, with technology-centric companies taking just under two months, while financial services companies averaged almost six months. Key factors to keep in mind in considering a vulnerability management program include:

Weekly Infosec News Brief June 15-21

Snapchat Adding Two-Factor Authentication

Popular video-chat service Snapchat has been plagued by security issues for some time, and one measure they are taking to remedy that is introducing two-factor authentication. Users will have the option of enabling this feature, which requires the user to enter a verification code sent by text message any time they log on using a new device. "Passwords are dead" is a common saying in information security circles today, and it is true that the use of passwords as a sole authentication mechanism is rapidly falling out of favor. But what is the most common place that most people still use just a password to prove their identity when logging on? Work. As more consumer-oriented email apps, banking services, and the like start using two-factor authentication, workplace users are becoming more familiar with the concept and more understanding of the need for it. Is your organization applying multi-factor authentication for your systems?

LastPass Hacked, Hashed Master Passwords Taken

LastPass, a popular, web-based password manager, announced Monday that they had suffered a breach and that the hashed master passwords for some or all users had been obtained by attackers. LastPass is recommending that users update their master passwords, and has implemented extra checks for when any user logs in from a new device or computer. They are also recommending that users who haven't done so enable 2-factor authentication for their accounts (this is a great option for any service that offers it). LastPass suffered a breach four years ago as well, but it seems the encrypted data that was taken may never have been decrypted and put to any use by those who stole it. That seems to be the case again with this breach. LastPass stores the master passwords with non-reversible hashing using an extremely strong and multi-step hashing process (over 100,000 rounds of hashing). So these master passwords that were taken will be difficult and time-consuming for any attacker to crack. Pas

Weekly Infosec News Brief 8-14 June

Microsoft Releases Eight Patches for June, Addressing Twenty Critical Vulnerabilities

Last Tuesday, Microsoft issued eight patches, two of which are rated as critical. The most significant is MS15-056, which is a patch for Internet Explorer (versions 6, 7, 8, 9, 10, and 11!). This patch addresses a number of serious memory corruption vulnerabilities in IE which could potentially allow for a remote code execution exploit. The other critical update, MS15-057, updates Windows Media Player and fixes some similar memory corruption issues there. This update has a lower "exploitability" rating than the IE fix, but both should be tested and deployed as quickly as possible.
https://technet.microsoft.com/en-us/library/security/ms15-jun.aspx?f=255&MSPPError=-2147217396
http://www.computerworld.com/article/2933775/application-security/a-moderate-june-patch-tuesday-with-a-critical-update-to-ie.html

Adobe Releases New Flash Version, Fixes Critical Vulnerabilities

Adobe

Weekly Infosec News Brief 1-7 June

OPM Suffers Massive Breach; the Agency Has a History of Information Security Mis-Management

The Office of Personnel Management (OPM), which is essentially the human resources agency for the entire federal government, suffered a massive breach this year that was disclosed late last week. The breach of over 4 million current and former government employees' information dominated the headlines last week. The e-QIP system, which collects and stores the personal data of security clearance applicants, was one of the affected systems. OPM's Inspector General released a report in November of last year citing information security as a "significant deficiency" at the agency. Failure to maintain a proper inventory of systems was one factor cited. Do YOU know what's on your network?
http://arstechnica.com/security/2015/06/why-the-biggest-government-hack-ever-got-past-opm-dhs-and-nsa/

OPM Breach is Just One of Nine Major Recent Breaches Focused on Collecting PII

A ve

Trade Association Membership Info Obtained by Fraud

The Chartered Institute for Securities and Investment, a UK-based trade association for the investment industry, suffered a breach last week which resulted in the release of personal contact information for their entire membership. This breach appears to have been the result of simple fraud, or "social engineering," where an individual contacted an Institute employee and convinced that person to provide the list. As their CEO stated on their website, "I would like to reassure you that this is not a breach of our IT system, but we fell victim to a devious confidence trick on an unsuspecting member of the support team." It is worth noting that, even in this age of malware and highly technical theft and espionage, many of the greatest threats to an organization's data still take the form of simple fraud and confidence games of this type. It is important that every organization have clear and well-communicated policies regarding what types of information are con

Hackers Steal Over 1 Million Japanese Citizens’ Data in Targeted Attack

The Japanese public pension system has confirmed that approximately 1.25 million personal records were compromised by hackers in a recent targeted attack. The compromise, like the majority of data breaches, originated with an email to an employee with access to the data; the email led to malware being installed on the user's computer, which enabled attackers to access and exfiltrate the data. Emails containing either attachments or web links to malware are the most common cause of data breaches. A combination of user training and technical controls is the best defense. Anchor can help you assess your susceptibility to this type of attack and advise you on how to bolster your defenses.
http://www.net-security.org/secworld.php?id=18439&
http://www.scmagazine.com/japan-pension-funds-experiences-second-incident-in-less-than-eight-years/article/417985/