Class 10 Information Security Summary

Chapter 9 of the Executive Guide to Information Security: 10 Essential Components of Information Security

1. “C”-level management owns the Information Security program so that appropriate resources are allocated
2. Assign full-time, experienced, senior-level staff responsibility for Information Security
3. Establish a cross-functional Information Security Governance Board to develop policies and enforce compliance
4. Establish metrics and SLAs to monitor program operation
5. Implement an ongoing security improvement program
6. Conduct periodic independent audits
7. Layer security at gateway, server, and client
8. Separate the computing environment into zones
9. Start with the basics and improve the program over time
10. Consider Information Security an essential investment

SANS Critical Security Controls (control number, name, and description)

1. Inventory of Authorized and Unauthorized Devices: Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
2. Inventory of Authorized and Unauthorized Software: Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers: Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
4. Continuous Vulnerability Assessment and Remediation: Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.
5. Malware Defenses: Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defenses, data gathering, and corrective action.
6. Application Software Security: Manage the security lifecycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.
7. Wireless Access Control: The processes and tools used to track/control/prevent/correct the secure use of wireless local area networks (LANs), access points, and wireless client systems.
8. Data Recovery Capability: The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.
9. Security Skills Assessment and Appropriate Training to Fill Gaps: For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches: Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
11. Limitation and Control of Network Ports, Protocols, and Services: Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize the windows of vulnerability available to attackers.
12. Controlled Use of Administrative Privileges: The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
13. Boundary Defense: Detect/prevent/correct the flow of information transferring across networks of different trust levels, with a focus on security-damaging data.
14. Maintenance, Monitoring, and Analysis of Audit Logs: Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.
15. Controlled Access Based on the Need to Know: The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.
16. Account Monitoring and Control: Actively manage the life-cycle of system and application accounts (their creation, use, dormancy, and deletion) in order to minimize opportunities for attackers to leverage them.
17. Data Protection: The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.
18. Incident Response and Management: Protect the organization's information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker's presence, and restoring the integrity of the network and systems.
19. Secure Network Engineering: Make security an inherent attribute of the enterprise by specifying, designing, and building in features that allow high-confidence system operations while denying or minimizing opportunities for attackers.
20. Penetration Tests and Red Team Exercises: Test the overall strength of an organization's defenses (the technology, the processes, and the people) by simulating the objectives and actions of an attacker.

Source: SANS Critical Security Controls for Effective Cyber Defense

Cyber Threat Watch as of 11/5/2014
https://cyberthreatwatch.wellsfargo.net/CyberThreatWatch/

Apple iTunes Breach Claimed by Anon-Sec
Posted on November 5, 2014 by Daniel Kalusz

• Security researchers reported a data dump of approximately 3.8 million user accounts with plain-text passwords posted to the public website Pastebin. The Anonymous hacktivist group known as Anon-Sec claims to have breached iTunes and to be in possession of 3.8 million accounts belonging to various organizations.
• The initial post was released on November 4, 2014, and was described by the hackers as just a sample, the first thousand of the 3.8 million. Anon-Sec indicates that they will continue to publicly post the remaining user accounts and clear-text passwords in small portions until the account data is completely dumped.
• Currently, the Apple iTunes data dump may be attributable to multiple separate attacks over a period of time using password guessing, brute force, and phishing campaigns, and not to a single breach event. Apple has not addressed the alleged hack or publicly commented; however, the usernames and passwords do not follow the current password policy for length and complexity. Therefore, it is suspected that this data may have been stolen from other services, such as password managers or online stores that use federated IDs tied to Apple iTunes accounts.

CTI Analysis: Anon-Sec may have falsified claims that this data came from an iTunes breach in an effort to gain notoriety for Guy Fawkes Day (November 5th). The data could have come from other websites or from older username and password lists the hackers bulked together to make it look like a large data breach occurred.
CTI will continue to monitor Pastebin for additional warnings and indicators related to the alleged data breach.

AirHopper — Hacking Into an Isolated Computer Using FM Radio Signals
Posted on November 4, 2014 by Vijay Thavasi muthu

• Researchers in Israel have developed malware called AirHopper which uses a keylogger technique and can capture keystrokes from a computer using radio signals. The researchers claim that a computer with no connectivity to any network can still transmit data using FM radio signals. AirHopper works by using the FM radio receiver included in some mobile phones. It captures keystrokes by intercepting radio transmissions emanating from the monitor or display unit of an isolated computer. The radio signals carrying modulated data are then received and decoded by the FM radio receiver built into mobile phones. The researchers have demonstrated in a video the ability of AirHopper to capture keystrokes from an isolated (air-gapped) computer at a distance of 1-7 meters with a bandwidth of 13-60 bytes per second.

• CTI Analysis: The new technique using FM radio signals does pose a serious concern with regard to data security. Though it was developed by the researchers with the intent of protecting against such attacks/intrusions in the near future, it can be used/exploited by people or organizations with malicious intentions. The frequency level of the monitor that can be compromised using AirHopper is currently unknown. CTI will continue to research to determine complexity and feasibility.

Ebola Phishing Scams and Malware Campaigns
Posted on October 31, 2014 by Justin Cunnane

• Malicious campaigns utilizing Ebola-related topics began appearing sporadically throughout the summer, with a significant increase throughout October. These scams prompted US-CERT to release an advisory warning the public about such campaigns.
• The victims are not targeted with spear-phishing campaigns; anyone with an internet presence could potentially be impacted. A few of the current campaigns have been observed attempting to infect the user with malware variants such as the DarkComet RAT and the Zeus Trojan, as well as leveraging recent zero-day vulnerabilities in order to gain access to and control over the victim's machine.
• This type of ‘current event’ scam campaign generally breaks down into five categories of purpose, listed below in order of potential severity to the victim:
  • Deliver malware
  • Phish for basic user information and Personally Identifiable Information (PII)
  • 419 scams: scams originating from Nigeria that attempt to trick victims into providing money as an ‘advance fee’ in order to receive a large amount of money
  • Click fraud / web traffic generation
  • Nuisance/trolling, but essentially harmless spam
• The ongoing Ebola campaigns have touched on all of these categories. Social networking sites have seen an array of click fraud-related scams that attempt to lure the user into clicking links by using far-fetched headlines, such as:
• The threat actors play on the victims' desire to satisfy their curiosity: the victim clicks the link and is sent through a series of website redirects that ultimately end with the victim presented with a scam survey (sometimes referred to as ‘click fraud’) to fill out, or with prompts to download software known as potentially unwanted programs (PUPs). These are bundles of freeware that, while not directly malicious, negatively impact the victim's machine via unwanted activities, such as:
  • Displaying pop-up ads
  • Changing the user's default settings
  • Installing unwanted apps such as search bars and toolbars in browsers
  • Automatically redirecting users to specific unwanted browsers and search engines
• The more severe Ebola-related campaigns have been observed beginning in mid-October and come in the form of email spam with malicious attachments and/or links.
The emails claim to be from various senders, primarily the World Health Organization (WHO), under the guise of contacting the victim to provide ‘Ebola Safety Tips’, which are conveniently provided in an email attachment. One such campaign infected the user with the DarkComet Remote Access Trojan (RAT), which essentially gives the attacker access to and control of the victim's machine, enabling them to proceed with a long list of potentially malicious activity including data exfiltration, keylogging, executing shell commands, and more. Researchers at Symantec also observed infections delivered in the same manner involving malware variants such as Trojan.Zbot (Zeus), Trojan.Blueso, Backdoor.Breut, and W32.SpyRat (worm).

Sony Xperia Devices Secretly Sending User Data to Servers in China
Posted on October 31, 2014 by Vijay Thavasi muthu

• Sony smartphones have been found secretly sending user data to servers in China. Users running Android version 4.4.2 or 4.4.4 on their phones found communications with servers in China. The users found a folder called Baidu (which some claim is created automatically and is considered spyware). Deleting this folder yielded no result, as the folder gets created again automatically without the user's knowledge. Even unchecking the folder under device administrator has zero effect on it.
• It is claimed that, with the help of the Baidu folder, the following information can be retrieved or the following actions performed:
  • Read the status and identity of your device
  • Take pictures and videos without your knowledge
  • Get your exact location
  • Read the contents of your USB memory
  • Read or edit accounts
  • Change security settings
  • Completely manage your network access
  • Pair with Bluetooth devices
  • Know what apps you are using
  • Prevent your device from entering sleep mode
  • Change audio settings
  • Change system settings
• The affected devices include the Sony Xperia Z3 and Z3 Compact, though the issue is not limited to Sony, as users with phones like the HTC One M7 and HTC One X also have the Baidu folder present on their respective handsets.
• The following steps have been recommended to disable the Baidu spyware on Sony smartphones:
  • Back up important data and factory reset the device.
  • Turn on the device, go to Settings -> Apps -> Running, and Force stop both “MyXperia” apps.
  • Then remove the baidu folder using the File Kommander app.
  • Go to Settings -> About Phone and tap 7 times on the Build Number to enable developer mode.
  • Download and install the Android SDK on your computer, then connect the Sony device to it using a USB cable.
  • Run the adb tool from a terminal: adb shell
  • In the adb shell, type the command: pm block com.sonymobile.mx.android
  • Exit the adb shell.
  • Reboot the device.

CTI Analysis: It is unknown exactly how the reported spyware was embedded in the new devices. Previously, Huawei and Xiaomi mobile devices have been discovered to have backdoors and spyware or to secretly send data to servers in China.

Xiaomi Phones Secretly Sending Users’ Sensitive Data to Chinese Servers
Posted on October 30, 2014 by Vijay Thavasi muthu

• Xiaomi (also known as the Apple of China), a Chinese telecoms equipment supplier, made a foray into the Indian market with its mobile phone, the RedMi 1S. The phone has a good configuration and is available at a decent price, attracting a lot of buyers. Researchers and users of the phone have found that the Xiaomi RedMi 1S phone is sending data from the phone to servers in China (“api.account.xiaomi.com”) even when the Backup – Data option is turned off. The Xiaomi RedMi phone has been sending data such as the IMEI of the phone, the IMSI number (through Mi Cloud, which is like iCloud on the iPhone), contact details, and text messages.
• Researchers have found that the Xiaomi phones keep trying to connect to an IP address based in Beijing, China, even after turning off the cloud service on the phone, called Mi Cloud services (like iCloud on Apple phones).
• Indian government agencies have already issued a circular to their personnel asking them to avoid using the phone. Xiaomi did accept that the RedMi 1S phone is sending information (it did not mention sensitive information) to its servers based in China. They assured that they will route all user data to servers based in Singapore and other locations outside China.
• (http://thehackernews.com/2014/08/xiaomi-phones-secretly-sending-users.html)

CTI Analysis: Many Chinese products have been reported in the past for suspected backdoor entry, and various organizations and institutions have banned their use. In 2012, ZTE and Huawei Technologies Co Ltd smartphones were discovered to have a backdoor.
• ZTE Confirms Security Hole in U.S. Phone
• (https://cyberthreatwatch.wellsfargo.net/CyberThreatWatch/?p=21397)
• However, it is recommended to keep people and the wider community aware of this. The US government is aware of the backdoor entry features of Chinese products and has been cautious about these new products, to prevent personal information from being used for any malicious activity.