Author: DKALYA

Simplified Security – E1

Here are some of the headlines for the end of the week on 11/29.

Digitally signed malware which goes by the name Bandook, which literally means "shotgun" in Arabic and Hindi, a retooled version of a decade-old backdoor Trojan, is unleashing a new wave of attacks against a multitude of industries. These include government, financial, energy, healthcare, IT and legal institutions located primarily in Chile, Cyprus, Germany, Indonesia, Italy, Singapore, Switzerland, Turkey and the US. The attackers behind this malware are linked to the Lebanese and Kazakh governments. For a detailed report, check out Check Point's research website and search for Bandook.

https://research.checkpoint.com/2020/bandook-signed-delivered/

WordPress, which started its journey in 2003 from the death of its predecessor blogging software, b2/cafelog, has come a long way from a few hundred installations in 2004 to powering nearly 35% of the internet, which obviously interests bad actors. Attackers probe the internet for vulnerable plugins on these WordPress sites (the pieces of code that make WordPress so useful and popular) and, using techniques such as SQL injection, broken access control, cross-site request forgery and tens of other types of application security risks, are then able to compromise these websites for their own benefit. So if you are interested in keeping up to date on these vulnerabilities, check out WebARX's WordPress Vulnerability News, which seems to be updated frequently.

Now for some fake news, and by the way, it is real. It has always been there, but its effects were minimal with print media and television, and moreover the news people took it upon themselves to verify the news before they blurted it out. While most news outlets continue to follow this strict regime of verification, the millions of online news outlets, which include mom-and-pop blogs, Facebook groups and some even affiliated with major print and television news outlets, have started promoting or pushing fabricated news. With COVID-19, this problem has grown to cost more money and, most importantly, is affecting people's lives.

In the UK, a member of parliament, Mr Khalid Mahmood, during a Westminster Forum conference on tackling fake news and online misinformation, said, and I quote, "… is totally negated from platforms where someone can put whatever they want and move forward" and "trying to trace that back and address that is becoming increasingly difficult as platforms take time to deal with it." It will be interesting to see other countries take more steps to deal with fake news. I believe it is not just the responsibility of service providers such as Google, Facebook, Twitter, etc., but that policies and guidelines from various governments and law enforcement, working together with healthcare organizations, should publish and provide accurate and correct information so users can verify it and make the right choice, whether that is deciding to take precautions or dealing with COVID-19 and its challenges.

If you are interested in learning more about misinformation and how to deal with it, check out the New York Times' guide on how to deal with misinformation.

Before we head into CVEs and the latest from US-CERT's notifications, we are going to cover one more headline, which is more of a good news story and definitely worth a mention, especially given the nature of cybercrime and the challenges in nabbing the suspects.

Business Email Compromise is something we have been dealing with since email became the primary medium for businesses to communicate. I first found out about this from Graham Cluley's article on tripwire.com. Three were arrested after a year-long investigation, code-named Falcon, into phishing emails and mass-mailing campaigns which these attackers used to carry out extensive Business Email Compromise scams. These attackers, who are Nigerian nationals, were involved in various criminal activities. Craig Jones, INTERPOL's cybercrime director, said, and I quote, "This group was running a well-established criminal business model. From infiltration to cashing in, they used a multitude of tools and techniques to generate maximum profits. We look forward to seeing additional results from this operation." Check out INTERPOL's News and Events page for more details such as the tools, malware and other malicious activities this group was involved in.

https://www.interpol.int/en/News-and-Events/News/2020/Three-arrested-as-INTERPOL-Group-IB-and-the-Nigeria-Police-Force-disrupt-prolific-cybercrime-group

Now let's get a little more useful, shall we? In this segment, I will go over some of the new security alerts and information that you can digest and actually use for your security needs.

We have the following to cover:

Fortinet FortiOS System File Leak
This is CVE-2018-13379, base score 9.8 (Critical), which was issued by Fortinet Inc. in May 2019 after two DEVCORE security researchers, Meh Chang and Orange Tsai, discovered and reported the vulnerability. A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.

Fortinet has issued mitigation steps for the affected FortiOS versions. If you are on FortiOS 6.0 (6.0.0 to 6.0.4), 5.6 (5.6.3 to 5.6.7) or 5.4 (5.4.6 to 5.4.12), then you have the option to upgrade to the latest release in each of those branches, namely 6.0, 5.6 and 5.4.

The temporary workaround, which will affect the functionality of your VPN service, is to disable the SSL-VPN service entirely.

https://www.fortiguard.com/psirt/FG-IR-18-384

https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379
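To make the affected-version ranges above actionable, here is an added triage helper (my own example, not Fortinet tooling) that checks a FortiOS version string against the three ranges listed above and maps each device to the advisory's two options, upgrade or the SSL-VPN workaround. The inventory it walks is constructed sample data; hostnames are made up.

```python
"""Triage FortiOS devices against the CVE-2018-13379 ranges quoted above.

Added example, not Fortinet code. The ranges come from the advisory summary
above; the inventory at the bottom is constructed sample data.
"""

from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges per branch, inclusive on both ends, as listed above.
AFFECTED_RANGES: Dict[str, Tuple[Version, Version]] = {
    "6.0": ((6, 0, 0), (6, 0, 4)),
    "5.6": ((5, 6, 3), (5, 6, 7)),
    "5.4": ((5, 4, 6), (5, 4, 12)),
}


def parse_version(text: str) -> Version:
    """Parse a dotted FortiOS version such as '6.0.4' or 'v5.6.3' into (major, minor, patch)."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def affected_branch(text: str) -> str:
    """Return the affected branch ('6.0', '5.6' or '5.4'), or '' if outside every range.

    An empty result only means the version is not in the ranges quoted above,
    so always confirm against Fortinet's current advisory for other branches.
    """
    v = parse_version(text)
    for branch, (low, high) in AFFECTED_RANGES.items():
        if low <= v <= high:  # tuple comparison: major, then minor, then patch
            return branch
    return ""


def recommended_action(text: str, ssl_vpn_enabled: bool) -> str:
    """Map a device to the action the advisory summary above describes."""
    branch = affected_branch(text)
    if not branch:
        return "not in affected range"
    if ssl_vpn_enabled:
        return f"upgrade to latest {branch}.x (or disable SSL-VPN as a temporary workaround)"
    return f"SSL-VPN disabled (workaround in place); still upgrade to latest {branch}.x"


# Constructed sample inventory: (hostname, FortiOS version, SSL-VPN portal enabled).
SAMPLE_INVENTORY: List[Tuple[str, str, bool]] = [
    ("fw-edge-01", "6.0.4", True),
    ("fw-edge-02", "6.0.5", True),
    ("fw-branch-07", "v5.6.3", False),
    ("fw-lab-03", "5.4.5", True),
    ("fw-dc-01", "5.4.12", True),
]


def triage(inventory=SAMPLE_INVENTORY) -> List[Tuple[str, str]]:
    """Return (hostname, action) for every device inside an affected range."""
    findings = []
    for host, version, ssl_vpn in inventory:
        action = recommended_action(version, ssl_vpn)
        if action != "not in affected range":
            findings.append((host, action))
    return findings


if __name__ == "__main__":
    for host, action in triage():
        print(f"{host}: {action}")
```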

Drupal Releases Security Updates for Tar and other vulnerabilities
CVE-2020-28949 and CVE-2020-28948, released by Drupal. By the way, the analysis for these CVEs is still being processed; however, Drupal's security advisory has deemed them Critical. Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them.
To mitigate this vulnerability, Drupal advises its users to upgrade to the latest versions. If you are using Drupal 8 or prior, then you will most likely continue to be vulnerable, as this version and prior are end of life. For more details, check out Drupal's security advisory page:

https://www.drupal.org/sa-core-2020-013

VMware Releases Workarounds for CVE-2020-4006

CVE-2020-4006 is still being analyzed by NIST. VMware's Security Advisory (VMSA) has rated it a critical vulnerability. A command injection vulnerability was privately reported to VMware.
A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system.

Workarounds are available to address this vulnerability in the affected VMware products. The impacted products include VMware Workspace ONE Access and Access Connector, VMware Identity Manager and Connector, VMware Cloud Foundation and vRealize Suite Lifecycle Manager.

VMware is currently working on patches, which are forthcoming. For details on this vulnerability and the patches, check out VMware's security advisory page.

https://www.vmware.com/security/advisories/VMSA-2020-0027.html#

OK. Those were all the important headlines and their details, but now let me take you to the first recorded DoS attack, in 1988, by Robert Morris, a student at Cornell University. He released the worm from MIT rather than from his alma mater.

The worm exploited several vulnerabilities to gain entry to targeted systems. According to Morris, the purpose of the worm was to gauge the size of the precursor to the Internet of the time, ARPANET, although it unintentionally caused denial of service (DoS) for around 10% of the 60,000 machines connected to ARPANET in 1988.

So what did the worm exploit?

  • A bug in the debug mode of the Unix sendmail program
  • A buffer overflow bug in the fingerd network service
  • Remote shell (rsh) execution in Unix by guessing weak passwords or using accounts with no password

In 1989, Morris was indicted for violating United States Code Title 18 (18 U.S.C. § 1030), the Computer Fraud and Abuse Act (CFAA). He was the first person to be indicted under this act. In December 1990, he was sentenced to three years of probation, 400 hours of community service, and a fine of $10,050 plus the costs of his supervision. While Morris did not write the worm to cause damage, it replicated excessively, causing damages estimated upwards of $100,000.

That's all I have time for in this first episode. Next week, I will bring you some more interesting security bits and continue to evolve. Please provide your feedback by reaching out on my Twitter. All the links to anything I have described in this episode are in the description below.

Make sure you subscribe to Simplified Security episodes, available as a podcast and on YouTube. Go to icsbits.com/simplified for more details. I am your host, Durgesh Kalya. Catch me on my next episode on your favorite podcast app or YouTube; until then, be safe and think before you click.

DK

If you would like to subscribe to this blog, simply follow me on LinkedIn or Twitter and you will see any new alerts and posts directly on these two platforms.

Contingency Planning – Huh?

Before you start reading and understanding the core concepts in the context of BCP (Business Continuity Planning), DRP (Disaster Recovery Planning) and Contingency Planning, make sure you understand that these are very important concepts and are interpreted differently by different organizations, individuals and security professionals. The main reason is that we as humans think differently about countermeasures and have different risk appetites, and so do the organizations that those individuals make up and in which they hold the key positions to propose, accept and finalize various business and operational contingency plans.

Before we begin, let us understand some of the core concepts. 

What is a Plan?

Oxford Dictionary defines Planning as “an intention or decision about what one is going to do”.

So what is Contingency planning?

“A contingency plan is a plan devised for an outcome other than in the usual (expected) plan” – From Wikipedia. 

Before we get into what is included in each of the plans, let us look into some definitions.

According to the NIST Special Publication 800-34,  IT contingency planning refers to a coordinated strategy involving plans, procedures, and technical measures that enable the recovery of IT systems, operations, and data after a disruption. 

Contingency planning generally includes one or more of the following approaches to restore disrupted IT services:
  • Restoring IT operations at an alternate location (example: hot site, warm site or cold site)
  • Recovering IT operations using alternate equipment (example: secondary server, high availability configuration)
  • Performing some or all of the affected business processes using non-IT (manual) means (example: manually collecting a customer's credit card information over the phone)

Because a contingency plan covers broad scopes for recovery, continuity and response to business needs, business threats and emergencies, it is important to note that an organization may choose to implement its contingency plan in many different ways. This is when we start talking about BCP, DRP, COOP, IRP, etc. There are more. See Appendix A for the expansions of these acronyms.

For a CISSP, it is important to understand the main differences between various types of plans.

What is a BCP?

Business Continuity Planning (BCP) is the process of creating or putting in place systems and mechanisms for prevention and recovery, so that business systems can deal with potential threats to a business goal.

A Business Continuity Plan is a formal document consisting of a set of processes, drawings, flow charts, ordered lists, etc. that will help a business navigate a business interruption by providing tested and proven methods to recover from, and prevent, a potential threat to the existence of the business. A BCP can include other plans as part of its scope.

What is a DRP?

A Disaster Recovery Plan (DRP) is a very detailed, hands-on plan compared to a Business Continuity Plan. It is highly reactive. It contains detailed instructions on how to respond to unplanned incidents such as hurricanes, flooding, earthquakes, power outages, cyber attacks and any other event that will cause disruption to business operations. The plan contains strategies for minimizing the effects of a disaster so that an organization can continue to operate, or quickly resume key operations.

CISSP Tip

Contingency plans help you continue to operate or sustain your business goals and can be reactive, such as BCP, DRP and BRP. Parts of these plans can be proactive as well. For example, if you have servers configured in High Availability (HA) mode, you limit downtime and improve performance; this is a proactive approach. If you have a backup server or a warm site, you are making sure you can continue to operate when servers are down; this represents a reactive approach.

Appendix A

  1. BCP : Business Continuity Planning
  2. DRP : Disaster Recovery Planning
  3. BRP : Business Recovery Planning
  4. COOP : Continuity of Operations Plan
  5. IRP : Incident Response Plan
  6. OEP : Occupant Emergency Plan

This was chapter 1 on Contingency Planning. If you have any comments or questions, leave them below or message me!

Over and Out! Stay safe, think before you click (anywhere).

DK


Jam 6: Session 1: Networks and OSI Model

This session covers very basic concepts of networks and the OSI model, Domain 4 of the CISSP.

CISSP is an Entry Level Certification.

No, it is not. The ISC2 CISSP exam was a very intense exam even for someone with 15+ years in the IT industry who has applied IT security in day-to-day job duties (yeah, that is me 😉).

The last time I heard, entry level means someone is at the lowest level in an employment hierarchy; it just means that they are starting out, which could be 1 to 3 years of industry experience. If someone says or writes that CISSP is an entry level certification, please refer them to me. I will get the CISSP community to weigh in, reach out to them and do our due diligence. Or simply direct them to ISC2's requirements section (Required Experience).

So why was this post necessary?
It is because of CIO.com's recently published article which claims CISSP is an entry level certification. Below is a tweet about that article.

Why am I writing this post?
Because CISSP is not an entry level certification; it takes 5+ years of experience in two (out of eight) of the security domains to get this credential next to one's name. The exam is also not easy or simple. It takes more than just knowing IT security concepts to answer the 150 questions in three hours.

Without a real understanding of IT security concepts, and without sufficient experience applying these security concepts in real-world scenarios, you will be left playing eeny, meeny, miny, moe, with just under a 2% success rate according to these math geeks. (Link)

Why the clickbait?
If you saw a post or a news article claiming CISSP is an entry level certification, then it is definitely clickbait; just look at the views on this post 😊 (I am guessing it must be in the hundreds by now; it was only posted on 10/4/2020). Just demonstrating… or am I?


What does ISC2 have to say about all this?
Here is an ISC2 tweet responding to an individual, confirming they are also aware of this incorrect classification of the CISSP certification in CIO's article:

Still not convinced?
Then I suggest you join the Discord group called Certification Station. No, this is not an advertisement and they are not selling anything; it is a group of IT security professionals who like to hang out and learn together. Check them out here: https://certificationstation.org/

DK, CISSP


Don’t pay that Ransom yet. Call OFAC first.

Who is OFAC? What is the deal here? You will learn all of that in a minute. But first, let us focus on the word ransom: what is it?

Paying a ransom is nothing new. It was used in the early 1800s to pay for the release of a prisoner. In today's day and age, the word is very widely used in the cybersecurity space, with billions of dollars in Bitcoin being paid every year as ransom for the release of information that was encrypted or stolen by bad actors (the bad guys/gals).

While it is very natural for an organization or individual to make payments in the hope of getting their sensitive data back, often promises are not kept, and there are other issues such as a repeat of the same attack.

Here are a few examples of ransoms paid in 2019 to the bad guys where the organization paying the ransom was able to get its data back.

2019

  • Park DuValle Community Health Center, Kentucky, USA
    Amount paid: $70,000
  • La Porte County, Indiana, USA
    Amount paid: $130,000
  • Jackson County, Georgia, USA
    Amount paid: $400,000
  • Lake City, Florida, USA
    Amount paid: $500,000

There are many more…

Most of these organizations had cyber insurance and were able to use part of its payout to pay the cyber criminals. Also, most of these organizations contacted the FBI or other US agencies and worked directly or indirectly with them to negotiate and process the payments.

The big question comes when you are at the crossroads of whether to pay the ransom or simply accept that the data is lost and then plan to spend millions of dollars recovering from such an incident. The answer to this question is not straightforward, like any other decision in the cybersecurity space, and it is often answered in haste or without considering all the risks. Take the example of the City of Atlanta:

The City of Atlanta spent more than $2.6 million on emergency efforts to respond to a ransomware attack that destabilized municipal operations last month. Attackers, who infected the city’s systems with the pernicious SamSam malware, asked for a ransom of roughly $50,000 worth of bitcoin.

Newman, L. (2018, April 24). Atlanta Spent $2.6M to Recover From a $52,000 Ransomware Scare. Retrieved October 03, 2020, from https://www.wired.com/story/atlanta-spent-26m-recover-from-ransomware-scare/

Then there are other considerations such as the organization's reputation, continuing business operations and putting proper countermeasures in place to prevent this from happening in the future. There is, however, one more thing you have to consider, in the form of this simple question.

Are you violating any rules and regulations of the U.S. Department of the Treasury by making a payment to the bad guys?

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) recently put out a Ransomware Advisory (Link) raising several important things to consider for organizations affected by ransomware and for companies* assisting organizations hit by ransomware.

* These companies include law firms, cyber insurance companies, and financial institutions facilitating ransomware payments.

Let us look at a few highlights of this Advisory:

OFAC states that these ransom payments could help the bad actors, and the states they may represent, to fund their illegal activities.

Ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims.

U.S. Department of the Treasury. (2020, September 28). Retrieved October 03, 2020, from https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20201001

OFAC has designated these malicious actors, aka our bad guys, under its cyber-related and other sanctions programs. OFAC uses these sanctions to enforce foreign policy and national security goals.

So what does it really mean? If you or your organization pay a ransom in any way or form to a cyber-criminal, aka bad guy, and this individual or entity happens to be in one of the sanctioned countries, then you will be violating OFAC's regulations. Simply put, these payments with a sanctions nexus (associated or connected with the sanctions) threaten U.S. national security interests.

So what should an organization that is actively dealing with a ransomware attack do?

OFAC's Ransomware Advisory encourages victims and those involved in addressing ransomware attacks to contact OFAC immediately. At the end of the document, it lists the departments you may need to contact, such as:

  • U.S. Department of the Treasury's Office of Cybersecurity and Critical Infrastructure Protection (OCCIP)
  • Financial Crimes Enforcement Network (FinCEN)
  • Cybersecurity and Infrastructure Security Agency (us-cert.cisa.gov)
  • Homeland Security Investigations Field Office (ice.gov)
  • Federal Bureau of Investigation Cyber Task Force (fbi.gov)
  • U.S. Secret Service Cyber Fraud Task Force (secretservice.gov)

In recent years, ransomware attacks have become more focused, sophisticated, costly and numerous, adding to the risks an organization should consider when planning its Business Continuity and Disaster Recovery programs. While this article focused on the United States and affects US persons and non-US persons, it is worthwhile to research the regulations and laws in your own regions of business operations.

Looking for OFAC's Ransomware Advisory? Check out this page: https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20201001

DK

Jam 5: Session 1: General Discussion on Forensics for CISSP.

Video is hosted on YouTube.

This session covers the various investigations and terms related to computer forensics.

Stop Posting Pictures of Your Certifications and Employee ID cards.

Congratulations! You made it! You achieved it. Now make sure you secure it.

If you just passed an exam and had the urge to post a picture with your certificate, or if you just retired or were just hired by your dream company and posted a picture of your ID card or certification, then this article is for you. Hundreds of these pictures are now showing up online on websites soliciting fake degrees, certifications, jobs, and more.

While you are proud of your accomplishments, make sure you do not publicly post photos that reveal your name, certificate and other details. A photo with a face and a certificate in your hands can be used to advertise anything, and an acquaintance of mine recently shared a disturbing story.

This individual, whom I will call Mr. Good, had recently passed his CISSP exam and, like most of us, had posted it on LinkedIn. Mr. Good is normally a very private person, but LinkedIn is a social community where he spends most of his time socializing. Thanks to tens of different privacy controls on LinkedIn, it has gotten even more confusing when you post an update. So out of mere excitement and innocence, he posted his picture. He was proud. A few days later, he discovered by accident a photo circulating on Facebook, with several others, soliciting the sale of illegal certificates such as CISSP and other exams.

That was it for Mr. Good; he immediately removed his picture from his post. But wait, his photo stolen from LinkedIn is being used by someone claiming to be him. Mr. Bad did not even bother to blur out Mr. Good's name on the certification photo. Getting it taken down would take several attempts, including contacting Facebook to remove the post. While Facebook is looking into his query, which by the way is probably one in a million, it will continue to be online until it is removed.

Here are some examples that I found online.

Real Example 1: 

John Cam (fake name) claims to sell CISSP certificates on Facebook with the image on the side. He was a little generous and clipped the picture to remove the face. Image 1 is taken from a publicly posted image in a LinkedIn profile post, Image 2.

I have pixelated the face to protect the individual. 

Image 1
Image 2

Real Example 2:

Here is the same individual selling illegal certifications, this time IELTS certifications without sitting the exam. Not sure how it works or if it is a money-making scheme by fraud.

I have already reported this individual on Facebook, but upon doing a simple web search, I found this individual/group has posted on several popular web services such as TripAdvisor, Pinterest and Medium.

What can you do?

If you come across such advertisements or postings, simply report them as spam or use the reporting methods provided. For example, TripAdvisor provides an option to report a photo. Pinterest provides a feature for pins and users to be reported.

Do not take photos of your employer ID cards, certificates and degrees and post them publicly. I understand we all have a tendency to post on social media such as LinkedIn, Facebook and Instagram, but think about the profound negative effects on your identity if these posts and images were exploited.

Over and Out! Stay safe, think before you click (anywhere).

DK


Jam 4: Session 2: General Discussion on Software Testing.

Video is hosted on YouTube. Please subscribe to my channel, Security Bits.

This session covers the various testing methods and types in the SDLC phases, with loads of questions and a quiz at the end.
