Wednesday, December 5, 2018

Securing a company ... a group of basic steps a company can take


As a security professional, I understand the importance of using data classification to protect a company. The days of believing that the firewall alone will protect you are over. Today many companies treat computer security like a tomato: “secure” on the outside, but with a soft and mushy target on the inside. We need to rethink this and classify our data based on its risk and value to the company. As users click on emails and bad web sites, the risk of successful attacks such as ransomware and other security breaches increases.

As a security professional who deals with this issue regularly, it amazes me that companies do not have a process to determine which data in the company is more important than other data. One of the first steps I undertake as a consultant is to understand what a company has, from both an infrastructure and a data perspective.

Does your company have baselines on your servers and network technology?

Do you know what services are running on your servers?

Do you know what ports are open?

If not, how would you know if you were compromised?

Do you use a change management system to approve, test, update systems and record new baselines?

Have you created a portfolio of all the applications that you use, and who is responsible for them?

For the applications you have running, do you understand the workflows and interactions between systems?
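The questions above about baselines, running services, open ports and change management come down to one check: compare what is running now against what was approved and recorded. The script below is an added example, not part of the original post; the baseline and snapshot are constructed sample data standing in for what a change-management record and a scheduled inventory job would produce, and the host name and ticket numbers are placeholders.

```python
"""Baseline drift check: compare a recorded server baseline against a fresh snapshot.

Added example (not from the original post). BASELINE and SNAPSHOT are constructed
sample data; in practice the baseline would be loaded from the change-management
record and the snapshot from a service and listening-socket inventory job.
"""
from datetime import date

# Constructed baseline: what change management says should be running on the host.
BASELINE = {
    "host": "web01.example.internal",
    "recorded": "2018-11-01",
    "approved_change": "CHG-0000",
    "services": ["sshd", "nginx", "chronyd"],
    "listening_ports": [22, 80, 443],
}

# Constructed snapshot: what the inventory job observed today. A telnet daemon and
# an extra listener have appeared that nobody approved.
SNAPSHOT = {
    "host": "web01.example.internal",
    "services": ["sshd", "nginx", "chronyd", "telnetd"],
    "listening_ports": [22, 80, 443, 23, 4444],
}

TRACKED_KEYS = ("services", "listening_ports")


def compare_baseline(baseline, snapshot):
    """Return per-key drift: items observed but never approved, and approved items that vanished."""
    if baseline["host"] != snapshot["host"]:
        raise ValueError("baseline and snapshot describe different hosts")
    drift = {}
    for key in TRACKED_KEYS:
        expected = set(baseline[key])
        observed = set(snapshot[key])
        drift[key] = {
            # Unexpected items are either an undocumented change or a sign of compromise;
            # both need a ticket before the baseline is updated.
            "unexpected": sorted(observed - expected),
            # Approved items that stopped running are an availability problem.
            "missing": sorted(expected - observed),
        }
    drift["has_drift"] = any(drift[k]["unexpected"] or drift[k]["missing"] for k in TRACKED_KEYS)
    return drift


def format_report(drift):
    """One line per finding, suitable for a ticket or an alert body."""
    lines = []
    for key in TRACKED_KEYS:
        for kind in ("unexpected", "missing"):
            for item in drift[key][kind]:
                lines.append(f"{key}: {kind} {item}")
    return "\n".join(lines) if lines else "no drift"


def record_new_baseline(baseline, snapshot, change_ticket, recorded=None):
    """Once change management has approved the drift, promote the snapshot to the new baseline."""
    new_baseline = dict(baseline)
    for key in TRACKED_KEYS:
        new_baseline[key] = sorted(set(snapshot[key]))
    new_baseline["approved_change"] = change_ticket  # placeholder ticket id from the caller
    new_baseline["recorded"] = recorded or date.today().isoformat()
    return new_baseline


if __name__ == "__main__":
    print(format_report(compare_baseline(BASELINE, SNAPSHOT)))
```

Run on a schedule, the drift report answers "how would you know if you were compromised?" in a concrete way: anything in the unexpected list that has no approved change ticket behind it is an incident to investigate, and the baseline is only re-recorded after the change is approved.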

Have you built a data classification process that is used by the company, listing, for example, classifications such as finance data, human resources data, customer data and public data? Not all data in a company needs the same level of protection.

After building a data classification process, you can next work with the data owners so that they begin placing the data the company owns into the proper classifications.

There are tools that can help you with this task. For example, on Windows Server there is the File Server Resource Manager (FSRM). One of the features in FSRM is the File Classification Infrastructure, which gives a company insight into its data by automating classification processes so that the company can manage its data more effectively. Companies can classify files and apply policies based on that classification. Example policies include dynamic access control for restricting access to files, file encryption, and file expiration. Files can be classified automatically by using file classification rules, or manually, by modifying the properties of a selected file or folder.
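To make the FSRM idea concrete, here is an added example, written for this page and not FSRM's own code, that mirrors its two kinds of classification rule (folder-based and content-based) over a constructed in-memory set of files, resolves conflicts in favour of the most sensitive matching classification, and then looks up the protection policy agreed for each classification. The share paths, rule patterns and policy labels are all sample values.

```python
"""Classification rules and per-classification policies, in the style of FSRM.

Added example (not from the post, not FSRM's code). Files, rules and policies are
constructed sample data.
"""
import re
from collections import namedtuple

# Sensitivity order used when several rules match one file: the most sensitive
# matching classification wins. "Unclassified" is the default for no match.
SENSITIVITY = {"Unclassified": -1, "Public": 0, "Customer": 1, "Finance": 2, "Human Resources": 3}

# A rule is either a folder rule (folder_prefix set) or a content rule (content_pattern set).
Rule = namedtuple("Rule", "name classification folder_prefix content_pattern")

# Constructed rules: folder rules classify by where a file lives, content rules by
# what it contains (an SSN-shaped number and a 16-digit card-number-shaped run).
RULES = [
    Rule("finance share", "Finance", r"\\fs01\finance", None),
    Rule("hr share", "Human Resources", r"\\fs01\hr", None),
    Rule("public share", "Public", r"\\fs01\public", None),
    Rule("ssn in content", "Human Resources", None, re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    Rule("card number in content", "Customer", None, re.compile(r"\b(?:\d[ -]?){15}\d\b")),
]

# Constructed files: UNC path -> text content. The last one is a customer export
# that someone dropped in the public share; the content rule should still catch it.
FILES = {
    r"\\fs01\finance\q3-forecast.xlsx": "revenue projections for Q3",
    r"\\fs01\public\brochure.txt": "Our products are great",
    r"\\fs01\shared\onboarding-notes.txt": "New hire SSN 123-45-6789, start Monday",
    r"\\fs01\shared\readme.txt": "nothing sensitive here",
    r"\\fs01\public\order-export.csv": "card 4111 1111 1111 1111 shipped",
}

# Protection policy agreed per classification (constructed labels, in the spirit
# of FSRM's access-control, encryption and expiration policies).
POLICIES = {
    "Human Resources": ["restrict-access:HR-Staff", "encrypt"],
    "Finance": ["restrict-access:Finance-Staff", "encrypt"],
    "Customer": ["restrict-access:Sales-Staff", "expire-after-days:365"],
    "Public": [],
    "Unclassified": ["flag-for-owner-review"],
}


def classify(path, content, rules=RULES):
    """Evaluate every rule and keep the most sensitive classification that matched."""
    best = "Unclassified"
    for rule in rules:
        if rule.folder_prefix is not None:
            # Folder rule: match the share prefix plus a path separator, case-insensitively.
            matched = path.lower().startswith(rule.folder_prefix.lower() + "\\")
        else:
            matched = rule.content_pattern.search(content) is not None
        if matched and SENSITIVITY[rule.classification] > SENSITIVITY[best]:
            best = rule.classification
    return best


def classify_all(files, rules=RULES):
    return {path: classify(path, content, rules) for path, content in files.items()}


def apply_policies(files, rules=RULES):
    """Map each file to the actions it needs, for whatever enforces them downstream."""
    return {path: POLICIES[cls] for path, cls in classify_all(files, rules).items()}


if __name__ == "__main__":
    for path, cls in classify_all(FILES).items():
        print(f"{cls:16} {path}  ->  {POLICIES[cls]}")
```

The design choice worth noting is the sensitivity ordering: a file's location is a hint, not a verdict, so a customer export that lands in the public share is still classified by its content and picks up the stricter policy, while files that match nothing are routed to their owner for manual classification rather than silently treated as public.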

Until companies start to think about their data and what must be protected, they will continue to see major breaches of their systems. Infrastructure needs to be understood, systems need to be baselined, and processes need to be documented. Companies need to train users on what to look for, and what to do, if they have concerns about possible security incidents. That training should cover email, likely attacks and vulnerabilities, and what an employee should do if they suspect a problem.

Companies need to create, and USE, data classification systems to add the appropriate level of protection to the data classifications the company agrees are at risk. Companies do not have unlimited resources, so they should spend their time and money protecting the things that matter most to the company.


This is the first of a series of posts on this topic.

Sunday, December 2, 2018

Vulnerability chain exploits macOS

Dropbox recently revealed three critical security vulnerabilities in macOS that would allow execution of arbitrary programs on a target machine, triggered just by visiting a webpage. The vulnerabilities were found by the cybersecurity firm Syndis, which Dropbox had hired for red team exercises against its infrastructure. Individually, the three vulnerabilities had minimal security impact, but when chained together they could be used to compromise a target machine simply by getting its user to visit a webpage.
The first vulnerability (CVE-2017-13890) allowed a malicious webpage to force the target machine to mount an arbitrary disk image. This was due to a content identifier conflict in the Safari web browser. When known file types are handled in Safari, actions are taken to handle the media automatically; usually this results in something like a media player opening a download or a PDF client opening a document. But because the same identifier was defined in multiple locations, the wrong action was taken when downloading a .smi file.
The second vulnerability (CVE-2018-4176) starts the execution path for the arbitrary files in the disk image downloaded via the first vulnerability. When creating a disk image, the creator can use the bless utility to set specific options. One of those is --openfolder, which allows Finder to open an arbitrary folder when the disk image is mounted. By pointing it at a bundle instead of a folder, the bundle is executed when the image is mounted. Being able to launch the application isn’t quite enough, though, because Gatekeeper prevents unsigned code from actually launching until it is whitelisted.
The third vulnerability (CVE-2018-4175) allows an arbitrary program to be launched from the malicious disk image without any security checks. The first step is to include a legitimately signed binary in the image, such as the Terminal app. At this point the researchers tried launching a malicious script through the Terminal app, but it was still blocked because the quarantine flag was set. This flag is set when applications are downloaded from the internet and is cleared when the user explicitly says the application is safe. By modifying the bundle’s Info.plist they were able to associate a new file type with the Terminal app. When the newly associated file type was launched, the quarantine flag was not checked and code execution was achieved.
This vulnerability chain highlights how a series of individually unremarkable vulnerabilities can often be strung together to achieve a compromise. The vulnerabilities were reported to Apple in February and patched in Apple’s March security update.
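The third step of the chain relied on adding a file type association to a signed app's Info.plist. From the defender's side, that is a detectable change: the document types a known bundle declares can be compared against a baseline taken from a clean install. The script below is an added example, not from the post or from Dropbox or Syndis. The Info.plist it parses is a constructed sample modelled on an app that opens shell-script documents; the bundle identifier, type names and extensions are sample values, not Apple's, and the known-good list is likewise constructed.

```python
"""Flag file type associations in an app bundle's Info.plist that are not on the
known-good list for that bundle.

Added example (not from the post). SAMPLE_INFO_PLIST and KNOWN_ASSOCIATIONS are
constructed sample data; in practice the plist bytes would be read from
<bundle>.app/Contents/Info.plist and the known list from a clean-install baseline.
"""
import plistlib

# Constructed Info.plist: two legitimate-looking document types plus one extra
# association ("xyz") that is not in the baseline for this bundle.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.sampleterminal</string>
  <key>CFBundleDocumentTypes</key>
  <array>
    <dict>
      <key>CFBundleTypeName</key>
      <string>Shell Script</string>
      <key>CFBundleTypeExtensions</key>
      <array><string>command</string><string>tool</string></array>
      <key>CFBundleTypeRole</key>
      <string>Shell</string>
    </dict>
    <dict>
      <key>CFBundleTypeName</key>
      <string>Added association</string>
      <key>CFBundleTypeExtensions</key>
      <array><string>xyz</string></array>
      <key>CFBundleTypeRole</key>
      <string>Shell</string>
      <key>LSHandlerRank</key>
      <string>Owner</string>
    </dict>
  </array>
</dict>
</plist>
"""

# Constructed known-good associations per bundle identifier, as recorded from a
# clean install. Sample values only.
KNOWN_ASSOCIATIONS = {
    "com.example.sampleterminal": {"command", "tool"},
}


def document_type_extensions(plist_bytes):
    """Return (bundle identifier, {extension: (type name, role)}) from an Info.plist."""
    info = plistlib.loads(plist_bytes)
    associations = {}
    for doc_type in info.get("CFBundleDocumentTypes", []):
        for ext in doc_type.get("CFBundleTypeExtensions", []):
            associations[ext.lower()] = (
                doc_type.get("CFBundleTypeName", ""),
                doc_type.get("CFBundleTypeRole", ""),
            )
    return info.get("CFBundleIdentifier", ""), associations


def unexpected_associations(plist_bytes, known=KNOWN_ASSOCIATIONS):
    """Extensions the bundle claims to open that its clean-install baseline does not list."""
    bundle_id, associations = document_type_extensions(plist_bytes)
    expected = known.get(bundle_id)
    if expected is None:
        # No baseline for this bundle: treat every association as unexpected
        # until someone records one.
        return sorted(associations)
    return sorted(ext for ext in associations if ext not in expected)


if __name__ == "__main__":
    bundle_id, associations = document_type_extensions(SAMPLE_INFO_PLIST)
    print(bundle_id)
    for ext in unexpected_associations(SAMPLE_INFO_PLIST):
        print(f"unexpected association: .{ext} -> {associations[ext]}")
```

A check like this belongs on the contents of a mounted disk image before anything in it is trusted: a copy of a well-known signed app whose Info.plist declares document types the real app never had is exactly the artifact the third step of the chain leaves behind. Note that modifying Info.plist also changes the bundle's code-signature seal, so the same copy would fail a signature verification; this plist check is a cheap complement to that, not a replacement.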

Sources
https://thehackernews.com/2018/11/apple-macos-zeroday.html
https://blogs.dropbox.com/tech/2018/11/offensive-testing-to-make-dropbox-and-the-world-a-safer-place/
and Peraton