All Posts By Josh Williams

Overwatch: Staying on Top of Your Vulnerabilities


If you’re an information security professional, you know that managing the vulnerabilities in your environment isn’t a sprint. It’s a marathon.

New vulnerabilities are discovered each day, and it isn’t enough for us to turn on Windows Updates and hope for the best. Attackers aren’t just looking at OS vulnerabilities. They’re also looking at the software you have on your desktop, that nifty app on your mobile phone, and the scripts you have running on your website.


What happened on your network last night?



If you’ve ever worked in an operational role, especially on the network team or on the security team, then you know how painful it can be to answer that question.

When I was managing an infosec team back in my retail days, there was nothing I “loved” more than that 3:00 AM phone call from the folks in the command center (one of the most underappreciated teams in IT), who needed me to assist in resolving a production-impacting incident.

Over time, I learned that there were a few things I could do to reduce the number of 3:00 AM calls while increasing the amount of sleep I was able to get AND improving the availability of our network.

  • Fully document your environment. How many systems are connected to your network? What apps run on those systems? Who are the business owners? Developing a complete understanding of your environment is critical if you intend to stabilize those systems (i.e., ensure their availability) through patch management and secure configuration management processes.
  • Reduce the complexity of your environment. As organizations grow, their IT infrastructure grows along with them. Over time, your firewall(s) might become littered with rules that are no longer needed, creating inadvertent paths from one system to another. As a professional penetration tester, I can assure you that these paths are one of the ways that attackers gain unauthorized access to internal systems.
  • Implement an effective change control process. You’d be surprised at how often systems break because someone made an unauthorized change. (Then again, if you’ve been working in IT for a few years, chances are you wouldn’t be surprised at all.) Maybe a change was made by a system admin who thought they could fix a minor issue without bothering anyone. Or maybe the change went through a basic change control process, but testing didn’t account for the condition that triggered the production-impacting incident. A well-planned, well-documented change control process is one of the most effective preventative controls you can implement to keep your network up and running.

Jacadis continues to seek out technology partners who can help our customers better manage risks to the confidentiality, integrity, and availability of organizational systems and data. QualysGuard does an incredible job of helping organizations understand and document their networks, and FireMon’s product suite is a solid solution for supporting change control processes and reducing firewall complexity. By using both tools in conjunction with one another, you can simplify those processes even further.

As always, if you have any questions about how to improve your organization’s security controls, then please contact Jacadis. We’d love to help.

Get details on both products during the Jacadis/FireMon Lunch and Learn, October 24, 2013.

Preparing For and Mitigating DDoS Attacks


The Distributed Denial of Service (DDoS) attack against Spamhaus, an anti-spam group, has been dubbed the largest DDoS attack to date. According to The New York Times, the impact of the attack extends beyond Spamhaus, affecting other sites and services that rely on the same infrastructure (like Netflix).

But did you know about the DDoS attack on Wells Fargo? Key Bank? TD Bank? PNC? JPMC? Capital One? SendGrid? Free Malaysia Radio? Krebs on Security? All of these sites have recently been victims of DDoS attacks, a list that unfortunately continues to grow.

Simply put, a Denial of Service (DoS) attack overwhelms a system or application by throwing more data at the target than the target can handle. A Distributed Denial of Service (DDoS) attack accomplishes the same result, the key difference being that a DDoS attack is launched simultaneously from multiple sources (attackers).

Although the most widely publicized DDoS attacks are launched by Internet activists/hacktivists, these types of attacks are also launched by criminal organizations in an effort to extort money from business owners, as well as by unscrupulous business owners trying to gain the upper hand on their competition. Don’t take my word for it, though. Ask your local FBI field office.

If you’re concerned that your organization may be targeted with a DDoS attack, there are steps you can take to harden your web application infrastructure against these types of attacks. An ounce of prevention now could mean the difference between your site being offline for a few minutes and your site being offline for a few days.

Take a look at this list of recommended controls designed to help you prepare for and mitigate both DoS and DDoS attacks. Where are the gaps in your infrastructure?

  • Network Architecture
    • Do you have redundant network devices installed?
    • Do you have an Intrusion Prevention System (IPS) installed and tuned?
    • Do you have a Security Information Event Management (SIEM) system installed and tuned?
    • Do you have any anti-DDoS hardware installed in your network infrastructure?
    • Are you running IPv6 on any Internet-facing devices without corresponding business justification?
  • Network Router
    • Have you enabled Reverse Path Forwarding on your router?
    • Does your router filter all RFC 1918 address spaces?
    • Have you configured the router to drop forged packets, per RFC 2827?
    • Does your router enforce rate limiting for ICMP and SYN packets?
  • Network Firewall
    • Does your firewall deny all private, illegal, and routable source IPs?
  • Internet-Facing Hosts
    • Have all Internet-facing hosts undergone a system hardening process, removing insecure configurations and unnecessary services?
    • Are all Internet-facing hosts fully patched?
    • Are all Internet-facing hosts free from known denial of service (DoS) vulnerabilities?
  • Web Application
    • Are third party services enabled to proactively mitigate DDoS attacks?
    • Is a web application firewall installed and enabled?
    • Is the application load balanced across multiple servers?
    • Are the web and application servers virtualized?
    • Has an application performance baseline been tested and documented, including traffic thresholds and expected source IPs?
    • Are web application vulnerability scan results free from known DoS vulnerabilities?
    • Has CAPTCHA been implemented on all submittable forms?
  • Security Incident Response
    • Have you provided your staff with training on security log analysis and/or security incident response?
    • Have you documented a DoS/DDoS Attack security incident response procedure?
    • Does the security incident response procedure include ISP contact information?
    • Does the security incident response procedure include instructions on how to null route attackers?
    • Does the security incident response procedure include instructions on when and how to enable temporary third party DoS/DDoS mitigating controls?
    • Have you implemented a list of invalid geographic source IP deny rules in the firewall?
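To make the router and firewall items above concrete, here is an added example (not code from the original post) that models the three source-address checks an edge router should apply: RFC 1918/bogon filtering, RFC 2827 anti-spoofing of your own prefix, and a strict reverse-path (uRPF) check against a routing table. The prefixes, interface names, and sample packets are constructed for illustration.

```python
import ipaddress

# Constructed for this example: the organization's public prefix and a
# simplified forwarding table for a two-interface edge router.
OUR_PREFIX = ipaddress.ip_network("203.0.113.0/24")
ROUTES = {
    ipaddress.ip_network("203.0.113.0/24"): "inside",
    ipaddress.ip_network("10.0.0.0/8"): "inside",   # pre-NAT internal hosts
    ipaddress.ip_network("0.0.0.0/0"): "outside",   # default route to the ISP
}
# Source addresses that should never arrive from the Internet: RFC 1918 plus
# a few other bogon ranges (illustrative, not an exhaustive bogon list).
BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/3",
)]

def route_interface(addr):
    """Longest-prefix match: the interface the router would use to reach addr."""
    best = max((n for n in ROUTES if addr in n), key=lambda n: n.prefixlen)
    return ROUTES[best]

def ingress_verdict(src, in_iface):
    """Decide whether a packet with source src arriving on in_iface is forwarded."""
    src = ipaddress.ip_address(src)
    if in_iface == "outside":
        if any(src in n for n in BOGONS):
            return ("drop", "RFC 1918/bogon source address")
        if src in OUR_PREFIX:
            return ("drop", "RFC 2827: our own prefix used as a source from the Internet")
    # Strict reverse-path check: the source must be reachable via the interface
    # the packet came in on. On the inside interface this also stops internal
    # hosts from emitting spoofed packets (RFC 2827 egress filtering).
    if route_interface(src) != in_iface:
        return ("drop", "uRPF: source not reachable via ingress interface")
    return ("accept", "ok")

# Constructed sample packets: (source address, ingress interface).
SAMPLE_PACKETS = [
    ("198.51.100.7", "outside"),  # ordinary Internet client
    ("192.168.1.10", "outside"),  # RFC 1918 source from the Internet
    ("203.0.113.9", "outside"),   # our own address spoofed from outside
    ("10.1.2.3", "inside"),       # internal host, pre-NAT
    ("198.51.100.7", "inside"),   # internal host spoofing an external source
]

def audit(packets=SAMPLE_PACKETS):
    """Return the verdict ("accept" or "drop") for every packet, in order."""
    return [ingress_verdict(src, iface)[0] for src, iface in packets]
```

Running `audit()` on the sample packets yields accept, drop, drop, accept, drop; the second element of each verdict names the checklist item that caused the drop.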

Did Google Index Your Organization’s WiFi Password?


iPad and iPhone users are no strangers to .mobileconfig files. These are the files that contain customized iDevice configurations unique to your organization. Administrators can create these XML files with the iPhone Configuration Utility, and then send the files to users via email or a download link. When a user installs the .mobileconfig file on their device, the device settings (e.g., passcode, VPN) are automatically updated to match the predetermined configuration.

Pretty cool feature, but what happens when Google indexes .mobileconfig files that it discovers on Internet-facing websites?

The end result is that the Wi-Fi password that you thought you had hidden within that .mobileconfig file is now publicly available.

The HIDDEN_NETWORK Password field isn’t quite as hidden as it’s supposed to be. To see what .mobileconfig files have already been indexed, you can plug this search query into Google:

filetype:mobileconfig hidden_network password

If your organization’s internal wireless password is ever exposed in this manner, the first priority is to take the appropriate security incident response measures:

  • Change the wireless network password
  • Distribute an updated .mobileconfig file to your users
  • Remove the old .mobileconfig file from your Internet-facing web server
  • Review wireless logs for any suspicious activity

Going forward, you can take certain precautions to significantly reduce the likelihood that this type of incident could happen in the future. A few of those precautions include:

  • Publish .mobileconfig files on password-protected webpages
  • Deploy a Mobile Device Management (MDM) solution to securely manage mobile devices
  • Implement a type of Network Access Control (NAC) so that devices need more than just a password to connect to your wireless network
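Before relying on a search engine to tell you what leaked, you can audit your own web server. The following is an added example (not code from the original post): it parses .mobileconfig profiles with Python’s plistlib and reports any payload that embeds a clear-text Wi-Fi or EAP credential. The sample profile is constructed with placeholder values, and scan_webroot assumes you point it at your site’s document root.

```python
import os
import plistlib

# Constructed sample profile (placeholder values) shaped like iPhone Configuration Utility output.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.wifi.managed</string>
    <key>SSID_STR</key><string>ExampleCorp-Internal</string>
    <key>HIDDEN_NETWORK</key><true/>
    <key>Password</key><string>PLACEHOLDER-PSK</string>
  </dict></array>
</dict></plist>"""

SECRET_KEYS = ("Password", "UserPassword", "SharedSecret")  # clear-text credential keys

def find_exposed_secrets(profile_bytes):
    """Return (payload type, SSID/name, key) for every clear-text secret in a profile."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if not isinstance(payload, dict):
            continue
        ptype = payload.get("PayloadType", "?")
        name = payload.get("SSID_STR") or payload.get("PayloadDisplayName", "?")
        for key in SECRET_KEYS:
            if payload.get(key):
                findings.append((ptype, name, key))
        # Enterprise (EAP) Wi-Fi profiles nest the user credential one level down.
        if payload.get("EAPClientConfiguration", {}).get("UserPassword"):
            findings.append((ptype, name, "EAPClientConfiguration.UserPassword"))
    return findings

def scan_webroot(root):
    """Walk a web document root and report each .mobileconfig that leaks a secret."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in (f for f in files if f.lower().endswith(".mobileconfig")):
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read()
            try:
                found = find_exposed_secrets(data)
            except Exception as exc:  # signed (CMS-wrapped) or malformed profile
                found = [("unparseable", str(exc), "")]
            if found:
                report[path] = found
    return report
```

Any path that appears in the report is a profile that should be pulled from the public web server and replaced, per the response steps above.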

If you have any questions about how to secure your network and manage mobile devices, let us know. We’re here to help.

HHS unveils Final HIPAA (HITECH) Omnibus Rule


Last Thursday, HHS published its Final Rule, conclusively settling the conversation about its numerous interim and proposed rules developed in light of the American Recovery and Reinvestment Act of 2009. Our inbox received a surge of alarming announcements by analysts and vendors telling us how the new rules would impact our way of doing business. We propose a more measured, analytical approach to the implementation of the changes imposed by the Final Rule. The Final Rule becomes effective on March 26, 2013. Those covered by the Rule will have until September 21, 2013 to comply.

Final Omnibus Rule Comprised of Final Versions of Four Proposed or Interim Final Rules

The four rules that combine to create the omnibus final rule include:

  • Modifications to the HIPAA Privacy and Security Rules required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and certain other modifications to improve the rules, which were issued as a proposed rule on July 14, 2010.
  • Changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on Oct. 30, 2009.
  • A final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule’s “harm” threshold with a more objective standard and supplants an interim final rule published on Aug. 24, 2009.
  • A final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on Oct. 7, 2009.

While we believe the size of the Omnibus Rule and the time allotted to plan for compliance by September provide the opportunity for an educated response, we also strongly believe there are signs that enforcement actions will become more aggressive and more encompassing.

Expanding Patient’s Privacy Rights and Protections while Strengthening Enforcement

In the press release accompanying publication of the Final Rule, HHS Office of Civil Rights Director Leon Rodriguez stated, “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

These comments come in the shadow of HHS issuing its first-ever HIPAA fine to a small non-profit organization for a portable device data breach involving the loss of 441 records. The action is the first for a breach of protected health information affecting fewer than 500 individuals under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The not-for-profit Hospice of North Idaho reported to the HHS Office for Civil Rights that an unencrypted laptop with patient information was stolen in June 2010.

Disabling Java in Your Web Browser(s)


If you’ve been following the news surrounding the latest Java 0-Day vulnerability, then you’re aware that it is already being exploited. You may also be aware that US-CERT has made an official recommendation that everyone disable Java in their web browsers until this vulnerability has been fixed.

The simplest way to disable Java in all your web browsers at once is as follows:

1. Open the Java Control Panel

    • In Windows (7), go to Start > Control Panel
    • In Mac OS X (10.7.3 and above), go to System Preferences > Control Panel

2. Change View by: to Large icons, and then click Java

3. Select the Security tab in the Java Control Panel, uncheck the box that reads Enable Java content in the browser, and click OK to save your changes

(Screenshot: Java Control Panel, Security tab)
