Defensive Security Management
Sunday, February 9, 2025
Wednesday, May 24, 2017
WannaCry - Executive summary
Conclusion
- Windows – patch management for EOL (end-of-life) versions is vital.
- Antivirus – as always, didn’t detect anything. Not sure they can, by design.
- Hosts with open SMB to the internet, by the millions.
- Internal networks are very vulnerable.
- Security products failing at money time.
Details:
• A few months ago Microsoft identified MS17-010 – affecting ALL MS versions
• March 2017 – the patch was publicly released
• April 2017 – Shadow Brokers leak MS17-010
• 12 May 2017 (about two months later) – a massive ransomware attack was identified: WannaCry
• The ransomware apparently utilizes a few known weaknesses, including MS17-010
• Microsoft also released the update for unsupported versions, and published workarounds
Impact
• Telefonica – Spain
• Severe damage according to worldwide CERTs
• FedEx – USA
• NHS – UK: the Prime Minister called on the public not to come to the hospitals
• Worldwide news publications
• Very bad publicity for the NSA and Microsoft
• Microsoft had to issue a fix for unsupported versions – XP and Windows Server 2003
Vulnerability
• Ransomware – files are encrypted unless a bitcoin payment is made
• The attack apparently starts with spear-phishing emails containing attachments
• The exploit was installed on the Windows OS as a result of the user opening (activating) the attachment
• The exploit code then starts looking for random internet IPs and tries to infect them
• It then looks at the internal IP range and tries to infect the local PCs
• The attack vector was SMB v1 – used for internal file-sharing services, thus targeting the internal networks
• The ransomware then encrypts files of various types (list in the following pages)
• A kill switch was discovered:
• The ransomware tries to access a unique domain name on the internet
• If it doesn’t exist, it starts encrypting the files
• If the domain exists, the encryption doesn’t start. New versions without the kill switch were released
Prevention recommendations
• Recommendation to not block port 80 access to the following sites:
www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
*Note that this is an outbound connection.
• If browsers are proxied, allow this traffic out
• The firewall should block any traffic from the internet on TCP 445, TCP 139, UDP 137, UDP 138
• Patch ASAP
• It is not a zero-day – it was known 3 months ago
• Any unpatched MS box is at risk
• The NSA can hack almost anything, but can also cause damage when they leak tools and vulnerabilities
• The ransom was 300 to 600 $, paid in bitcoin
• TechNet notification by Microsoft
• Patching old systems / versions is critical
• Ignoring patching, even when challenging, costs money
• Security incidents on massive scales happen
• Internal networks are exposed to exploits (not just web sites)
• Any system should have an emergency plan to patch unsupported versions
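The prevention points above can be turned into a concrete check over firewall and proxy logs. The following is an added example, not part of the original post: it flags SMB/NetBIOS traffic allowed in from the internet, outbound requests to the two kill-switch domains quoted above (a denied request means the safety net has been removed; an allowed one means a sample ran on that host), and one internal host fanning out to many internal SMB services. The log line format, the IP addresses and the threshold are constructed for the demonstration.

```python
"""Added example (not from the post): check constructed firewall/proxy log lines
against the WannaCry prevention points above. The log format, IPs and the
sample events are made up for the demonstration."""
import ipaddress
import re
from collections import defaultdict

# Kill-switch domains quoted in the post; the post says outbound port 80 to
# them must NOT be blocked, because a reachable domain stops encryption.
KILL_SWITCH_DOMAINS = {
    "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}

# Ports the post says the firewall should block from the internet.
SMB_FROM_INTERNET = {("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138)}

# Internal address space (RFC 1918); anything else is treated as "the internet".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical log format: "<time> <ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport> [host=<name>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: host=(?P<host>\S+))?$"
)

SCAN_THRESHOLD = 5  # distinct internal SMB targets from one source before flagging worm-like fan-out


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(lines):
    """Return (kind, source, target, note) findings for the four checks below."""
    findings = []
    smb_targets = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unknown line shape; a real parser would count these
        f = m.groupdict()
        proto, dport, action = f["proto"], int(f["dport"]), f["action"]
        src, dst = f["src"], f["dst"]
        host = (f["host"] or "").lower().replace("[.]", ".")  # accept defanged names too

        # 1. SMB/NetBIOS reachable from the internet: the firewall rule the post asks for is missing.
        if (proto, dport) in SMB_FROM_INTERNET and not is_internal(src) and action == "ALLOW":
            findings.append(("exposed-smb", src, dst, f"{proto}/{dport} allowed in from the internet"))

        # 2. Kill-switch domain traffic: denying it removes the safety net; allowing it
        #    is right for the network but tells you a sample executed on the source host.
        if host in KILL_SWITCH_DOMAINS:
            if action == "DENY":
                findings.append(("killswitch-blocked", src, host, "outbound lookup denied; allow it"))
            else:
                findings.append(("killswitch-contacted", src, host, "sample executed on source host; investigate"))

        # 3. Collect internal SMB connection attempts per source for the fan-out check.
        if proto == "tcp" and dport == 445 and is_internal(src) and is_internal(dst):
            smb_targets[src].add(dst)

    # 4. One internal host touching many internal SMB services is the lateral-spread pattern described above.
    for src, targets in smb_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            findings.append(("internal-smb-scan", src, f"{len(targets)} hosts", "SMB fan-out consistent with worm spread"))
    return findings


# Constructed sample log; none of these addresses or events are real.
SAMPLE_LOG = """\
2017-05-12T10:00:01 ALLOW tcp 198.51.100.7:51000 -> 10.0.0.5:445
2017-05-12T10:00:02 DENY tcp 203.0.113.9:40000 -> 10.0.0.5:139
2017-05-12T10:00:03 DENY tcp 10.0.0.5:49152 -> 203.0.113.50:80 host=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T10:00:04 ALLOW tcp 10.0.0.6:49153 -> 203.0.113.50:80 host=www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
2017-05-12T10:00:05 ALLOW tcp 10.0.0.5:49200 -> 10.0.0.11:445
2017-05-12T10:00:05 ALLOW tcp 10.0.0.5:49201 -> 10.0.0.12:445
2017-05-12T10:00:05 ALLOW tcp 10.0.0.5:49202 -> 10.0.0.13:445
2017-05-12T10:00:06 DENY tcp 10.0.0.5:49203 -> 10.0.0.14:445
2017-05-12T10:00:06 DENY tcp 10.0.0.5:49204 -> 10.0.0.15:445
2017-05-12T10:00:10 ALLOW tcp 10.0.0.6:49300 -> 10.0.0.11:445
"""

if __name__ == "__main__":
    for kind, src, target, note in analyze(SAMPLE_LOG.splitlines()):
        print(f"{kind:20} {src:16} {target:50} {note}")
```

Denied internal SMB attempts still count towards the fan-out check: the post's point is that the scanning itself identifies an infected host, whether or not each connection succeeded.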
Wednesday, April 12, 2017
Why does the web app security problem exist?
Complexity – did you ever write the code for an app and see how many items need to be addressed before even talking about security?
Non-standard – written code is based on the developer’s knowledge and experience. There are many ways to implement even a simple concept like salting passwords. There are no standards or guidelines that every web developer is committed to.
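To make the "many ways to salt a password" point concrete, here is one explicit, self-describing scheme as an added example (not code from the post). It uses only the Python standard library; the `$`-separated record layout (`algo$iterations$salt$hash`) is this example's own convention, not an industry standard, and the iteration count is a chosen value, not one the post gives.

```python
"""Added example (not from the post): one explicit, documented way to salt and
hash passwords, so the scheme is self-describing instead of ad hoc. The record
format and the iteration count below are this example's own choices."""
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000   # current work factor; raise it over time
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS, salt: Optional[bytes] = None) -> str:
    """Return 'algo$iterations$salt$hash'. A fresh random salt per password means
    two users with the same password get different stored values."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations), _b64(salt), _b64(digest)])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False  # malformed record: never treat it as a match
    if algo != ALGO:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(digest, expected)


def needs_rehash(stored: str) -> bool:
    """True when the record was made with a weaker work factor than the current one,
    so it can be upgraded transparently at the user's next successful login."""
    algo, iterations, *_ = stored.split("$")
    return algo != ALGO or int(iterations) < ITERATIONS


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong", record))                         # False
```

Because the algorithm and iteration count travel with each record, the scheme can be raised later without forcing a password reset, which is the part most home-grown implementations miss.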
3rd party – developers must rely on 3rd-party libraries and servers and have no way to verify that they are all secure.
Design – web apps are designed to serve clients with various content, and the goal is to sell, to market themselves, or just to share information. It means that security comes as a secondary goal in the best case, and that makes total sense.
Easy – due to the complexity of web apps it is not that difficult to find holes, or to take advantage of innocent users and trick them into installing malware.
Hard to deal with – organizations are struggling to secure all their customer information and trying to stay above water. The reason is they have so many security concerns, products, procedures, logs, tasks and much more, which makes it almost unmanageable.
Genesis – web application security is still not a fully solid process, and some of the basics are still not decided and adopted as best practices within the industry.
Monday, April 10, 2017
2017 - The return of the WAF. Why are WAFs back?
It’s out there
• Web applications are the most targeted, and they are open 24/7 to attack
• Web applications have complexity, hence more security concerns
• No one sees the big picture in terms of security
Security:
• Virtual patching is a good remediation
• There are still SQLi vulnerabilities
• The ultimate forensics tool
• The only way to know if someone is trying to hack you or has already hacked you
• The WAF sees the big security picture, while apps are not designed for security
• Bots are a challenge to any web site owner; a WAF can deal with bots
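"Virtual patching" and "the ultimate forensics tool" are the two claims in that list worth a concrete illustration. The following added example (not the post's code, and not any WAF product's rule syntax) shows a minimal allowlist-style virtual patch layer: each rule describes what a vulnerable parameter legitimately accepts, so the patch blocks everything else in front of the app until the code is fixed, and every block is written to an audit trail. The paths, parameter names and ticket references are hypothetical placeholders.

```python
"""Added example (not from the post): a minimal allowlist-style virtual patch
layer of the kind a WAF applies in front of an app until the code is fixed.
Paths, parameter names and the ticket references are hypothetical."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class VirtualPatch:
    ticket: str           # where the underlying app bug is tracked (placeholder value)
    path: str             # request path the patch covers
    param: str            # query/form parameter that reaches the vulnerable code
    allowed: re.Pattern   # what the application legitimately expects there


# Positive rules: describe the expected shape of the input rather than listing
# attack strings. That keeps false positives low and is easy to explain to the
# app team when they ask why a request was blocked.
PATCHES: List[VirtualPatch] = [
    VirtualPatch("TICKET-PLACEHOLDER-1", "/item", "id", re.compile(r"\d{1,9}")),
    VirtualPatch("TICKET-PLACEHOLDER-2", "/search", "q", re.compile(r"[\w \-]{1,64}")),
]

AUDIT_LOG: List[dict] = []  # the forensic trail the post values a WAF for


def inspect(method: str, url: str, body: str = "", client_ip: str = "0.0.0.0") -> Tuple[str, Optional[str]]:
    """Return ("allow", None) or ("block", ticket). Every block is recorded in AUDIT_LOG."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST" and body:
        # form-encoded bodies reach the same application code as query strings
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    for patch in PATCHES:
        if patch.path != parts.path:
            continue
        for value in params.get(patch.param, []):
            if patch.allowed.fullmatch(value) is None:
                AUDIT_LOG.append({
                    "time": datetime.now(timezone.utc).isoformat(),
                    "client": client_ip, "method": method, "path": parts.path,
                    "param": patch.param, "value": value, "ticket": patch.ticket,
                })
                return "block", patch.ticket
    return "allow", None


if __name__ == "__main__":
    print(inspect("GET", "/item?id=42"))                 # ('allow', None)
    print(inspect("GET", "/item?id=42 OR 1=1"))          # ('block', 'TICKET-PLACEHOLDER-1')
    print(inspect("POST", "/search", body="q=x%27--"))   # ('block', 'TICKET-PLACEHOLDER-2')
    for entry in AUDIT_LOG:
        print(entry)
```

The rule is tied to a ticket on purpose: a virtual patch is a stopgap, and the audit entries give the app team both the evidence of attempts and the reminder that the real fix is still pending.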
New technology
• New environment: cloud technology takes us back to the old days of unsecured web sites, with the same problems, just a little more sophisticated.
• New protocols: WebSocket is an underlying protocol that enables implementations for various uses, which should take care of the same old security attack vectors: session management, scrubbing user input and more.
• There are more challenges to the application than ever: scraping, DoSing, bots and many more business problems with a security orientation that should be detected and mitigated.
And there is more…
Monday, March 13, 2017
SEA? Security Exposure Analysis
A post from 4.5 years ago:
"
Every time I go to one of the dozens of security conferences, I like to go to the vendors’ booths and ask them the following questions:
1. Which attack vectors does your product detect and/or mitigate?
2. What is the amount (ratio / percentage) of your false positives and false negatives?
3. How much performance impact does your product add to the existing web application / environment / system / network in terms of latency?
4. How much time and human work does it take to deploy your product?
5. How much human work is needed to maintain your product?
6. How many customers are using your product?
7. What is your roadmap?
Why ask?
A few years ago I spoke to a guy who introduced himself as a security expert, and he told me about a concept called Security Exposure Analysis. When I asked him what it means, he told me the above questions. Then he told me: if you are talking to a vendor, ask him those questions, then you will know if you need to buy their product or not. Ever since, I’m asking them and it does help.
Which questions do you ask before you buy a security product? "
Thursday, March 2, 2017
Cyber, yes!
Cyber. I remember very clearly that a few years ago the term cyber was mostly related to sex. When someone said cyber you immediately understood that he was talking about cyber sex, which was something very new to the world. Cyber then became a name for people who don’t do real sex; they do cyber. That wasn’t very long ago, however times are changing and familiar words get new meanings. Today when you say cyber most people understand you’re talking about cyber security, unless they still do the other cyber, which btw is known for a fact to be what made the internet so big.
It is even crazier because everyone I talk to lately is in cyber. A sales guy whom I know, who knows nothing about computers and used to sell mobiles, just told me he decided to go into cyber; he didn’t even say cyber security, just cyber. A girl who used to work in my regular bar told me a week ago that she wants to go into cyber as a product manager. Re-he-he-ly?? Yes! Cyber, a scary word that means money! And security is great, cuz we Israelis know all about security; we live and breathe security from childhood.
And! We are also a startup nation, which means that if you combine the natural security orientation we have with the startup nation fact, you will get a cyber security startup nation, which means lots of cyber startups. Cyber security, not cyber sex, startups.
LR