GCTC CPAC COVID-19 eResourceKit

This eResouceKit is your guide to Working, Learning, and Living from Home, with your security and privacy defended. It will be a long and challenging road for us all, but we can and will get there, together by taking informed actions to gain control and risk prioritization during and after the pandemic – Cities and Communities, Businesses, First Responders, and Self-Employed/Gig Worker.


For more information go here

Home / SMB Router Device Security Issues

     Routers are a key piece of any computer network and handle all traffic destined from one network to another. While business networks typically utilize big single purpose routers from vendors like Cisco or Juniper, home networks typically utilize a smaller ‘router’ combining a router, switch, and wireless access point. They make it extremely simple to establish a home network to anyone with about $100. This low cost and ease of use seems to come with a penalty though: The security of the resulting network.
    Two researchers, Peter Weidenbach and Johannes vom Dorp, from the German Fraunhofer Institute recently released a comprehensive report on the state of home router device security. What they found is that nearly every home router device on the market is insecure in various ways.
    In their research the researchers looked at the security posture of 127 different models of routers designed for home use. These included models from name brands you would find at any store carrying this type of product like Netgear, Linksys, TP-Link, and D-Link. The first step in evaluating the security of these devices was extracting the included firmware in order to get a look at how they were configured and the software versions in place. The result of this was surprising: they found that most devices on the market were still using Linux kernel 2.6, which has been EOL for a few years. This means that system security patches are unlikely to be released in a timely manner, if at all for those devices. In the extracted firmware they also found a number of hardcoded credentials as well as cryptographic keys being used in an insecure manner, defeating the point of having them.
   
    Another aspect in their research was figuring out how often updates are released to the devices. Security vulnerabilities can happen to any device, but the impact can be mitigated with regular and timely patching. They disappointingly found that the average number of days between up-dates was 378, over a full year of no up-dates for many of the devices. It did appear that ASUS, AVM, and Netgear were among the better vendors when it comes to updates for their devices. It is also important to note that just because updates are available doesn’t mean they are al-ways applied. Most devices do not have auto-update mechanisms, instead an ad-min must check for and apply updates manually.
    When it comes to the security of your home network it may be worth doing some research before spending your money on a device. It is important to note too that high price is not always an indicator of quality, as many devices appear to focus more on form over function in this space. The best bet would be to look for past security vulnerabilities for the particular device and note how often the device receives updates from the vendor.

Fortinet Makes All Self-Paced Cybersecurity Training Courses Available for Free to Address Skills Gap

    Fortinet is leveraging curriculum from its NSE Institute’s training and certification program to offer 24 advanced security courses for free to help IT professionals expand their cybersecurity knowledge and address new risks.

    By learning about Fortinet technologies, such as FortiGate, FortiNAC and FortiManager, training participants will acquire an array of skills to defend any network against threats. Recorded lab demos for these courses will be available for on-demand viewing and supplemented with regularly scheduled live sessions with Fortinet Certified Trainers. During these live sessions, Trainers will be available to demo labs and conduct Q&A sessions. Anyone interested in getting started with Fortinet’s free training courses can visit here.

Control Baselines for Information Systems and Organizations: Draft NIST SP 800-53B

NIST
seeks feedback on Draft
NIST Special Publication (SP) 800-53B
, Control Baselines for Information Systems and Organizations
SP 800-53B provides three security control baselines for low-impact,
moderate-impact, and high-impact federal systems, as well as a privacy control
baseline for systems irrespective of impact level. The security and privacy
control baselines have been updated with the controls described in SP 800-53,
Revision 5; the content of control baselines reflects the results of a
comprehensive interagency review conducted in 2017 and continuing input and
analysis of threat and empirical cyber-attack data collected since the update
to SP 800-53.

In
addition to the control baselines, this publication provides tailoring guidance
and a set of working assumptions to help guide and inform the control selection
process for organizations. Finally, this publication provides guidance on the
development of overlays to facilitate control baseline customization for
specific communities of interest, technologies, and environments of operation.
The control baselines were previously published in NIST SP 800-53, but moved so
that SP 800-53 could serve as a consolidated catalog of security and privacy
controls that can be used by different communities of interest.

In
addition to your feedback on the three security control baselines, NIST is also
seeking your comments on the privacy control baseline and the privacy control
baseline selection criteria.  Since the selection of the privacy control
baseline is based on a mapping of controls and control enhancements in SP
800-53 to the privacy program responsibilities under OMB Circular A-130,
suggested changes to the privacy control baseline must be supported by a
reference to OMB A-130.  Alternatively, you may provide a description and
rationale for new or modified privacy control baseline selection
criteria. 

Your
feedback on this draft publication is important to us. We appreciate each
contribution from our reviewers from the public and private sectors, nationally
and internationally, to help shape NIST publications to ensure they meet the
needs and expectations of our customers.

A public comment period for this document is open through
September 11, 2020.
See the publication
details
for a copy of the draft and instructions for providing
comments (including a comment template spreadsheet for your use).

NOTE:
A call for patent claims is included on page vi of this draft. For additional
information, see the Information
Technology Laboratory (ITL) Patent Policy–Inclusion of Patents in ITL
Publications
.

 

Publication
details:
https://csrc.nist.gov/publications/detail/sp/800-53b/draft

 

Ransomware free decryption tools

     No More Ransom initiative, with four founding members, No More Ransom provides free decryption tools for ransomware and has been growing.

    The “No More Ransom” website is an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, Kaspersky and McAfee with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals.

    Since it is much easier to avoid the threat than to fight against it once the system is affected, the project also aims to educate users about how ransomware works and what countermeasures can be taken to effectively prevent infection. The more parties supporting this project the better the results can be. This initiative is open to other public and private parties. 

    The site also has a way to find out what your infected with, whether there is a solution available. If there is, we will provide you with the link to download the decryption solution.

       WannaCry additional prevention advice

1. Disable smb v1, this prevents Wannacry from spreading within your network.

2. Install the Microsoft patches, this also prevents Wannacry from spreading within your network. For more information click here.

How to prevent a ransomware attack?

1. Back-up! Back-up! Back-up! Have a recovery system in place so a ransomware infection can’t destroy your personal data forever. It’s best to create two back-up copies: one to be stored in the cloud (remember to use a service that makes an automatic backup of your files) and one to store physically (portable hard drive, thumb drive, extra laptop, etc.). Disconnect these from your computer when you are done. Your back up copies will also come in handy should you accidentally delete a critical file or experience a hard drive failure.

2. Use robust antivirus software to protect your system from ransomware. Do not switch off the ‘heuristic functions’ as these help the solution to catch samples of ransomware that have not yet been formally detected.

3. Keep all the software on your computer up to date. When your operating system (OS) or applications release a new version, install it. And if the software offers the option of automatic updating, take it.

4. Trust no one. Literally. Any account can be compromised and malicious links can be sent from the accounts of friends on social media, colleagues or an online gaming partner. Never open attachments in emails from someone you don’t know. Cybercriminals often distribute fake email messages that look very much like email notifications from an online store, a bank, the police, a court or a tax collection agency, luring recipients into clicking on a malicious link and releasing the malware into their system.

5. Enable the ‘Show file extensions’ option in the Windows settings on your computer. This will make it much easier to spot potentially malicious files. Stay away from file extensions like ‘.exe’, ‘.vbs’ and ‘.scr’. Scammers can use several extensions to disguise a malicious file as a video, photo, or document (like hot-chics.avi.exe or doc.scr).

6. If you discover a rogue or unknown process on your machine, disconnect it immediately from the internet or other network connections (such as home Wi-Fi) — this will prevent the infection from spreading.


Post-Quantum Cryptography (PQC) Standardization Process:

    It
has been almost a year and a half since the second round of the NIST PQC
Standardization Process began. After careful consideration, NIST would like to
announce the candidates that will be moving on to the third round. The seven
third-round Finalists are:



Third Round Finalists 

Public-Key
Encryption/KEMs

Classic McEliece
CRYSTALS-KYBER
NTRU
SABER  

Digital
Signatures

CRYSTALS-DILITHIUM
FALCON
Rainbow


In
addition, the following eight candidate algorithms will advance to the third
round:



Alternate Candidates

Public-Key
Encryption/KEMs

BIKE;
FrodoKEM
HQC
NTRU Prime
SIKE  

Digital
Signatures

GeMSS
Picnic
SPHINCS+



    During
the third round, the term “finalist” will refer to the first seven algorithms
listed above, and the terms “alternate” or “alternate candidate” will be used
for the other eight algorithms also advancing. The finalists will continue to
be reviewed for consideration for standardization at the conclusion of the
third round. As CRYSTALS-KYBER, NTRU, and SABER are all structured lattice
schemes, NIST intends to select, at most, one for the standard. The same is
true for the signature schemes CRYSTALS-DILITHIUM and FALCON. In NIST’s current
view, these structured lattice schemes appear to be the most promising
general-purpose algorithms for public-key encryption/KEM and digital signature
schemes.


    For
the eight alternate candidate algorithms being advanced into the third round,
NIST notes that these algorithms may still potentially be standardized,
although that most likely will not occur at the end of the third round. NIST
expects to have a fourth round of evaluation for some of the candidates on this
track. Several of these alternate candidates have worse performance than the
finalists but might be selected for standardization based on a high confidence
in their security. Other candidates have acceptable performance but require
additional analysis or other work to inspire sufficient confidence in their
security or security rationale. In addition, some alternates were selected
based on NIST’s desire for a broader range of hardness assumptions in future
post-quantum security standards, their suitability for targeted use cases, or
their potential for further improvement.


    NIST
would like to thank all of the submission teams for their efforts in this
standardization process. It was not an easy decision to narrow down the
submissions. A detailed description of the decision process and rationale for
selection are available in NIST
Internal Report (NISTIR) 8309, 
Status Report on the Second Round of the NIST Post-Quantum
Cryptography Standardization Process
. It is also
available on the NIST post-quantum webpage, www.nist.gov/pqcrypto.
Questions may be directed to pqc-comments@nist.gov.
NIST hopes that the teams whose scheme were not selected to advance will
continue to participate by evaluating and analyzing the remaining cryptosystems
along with the cryptographic community at large. These combined efforts are
crucial to the development of NIST’s future post-quantum public-key standards.



    For
the algorithms moving on to the third round, NIST will allow the submission
teams the option of providing updated specifications and implementations (i.e.,
“tweaks”). The deadline for these tweaks will be October 1, 2020. It would be
helpful if submission teams provided NIST with a summary of their expected
changes by August 10, 2020. If any submission team feels that they may not meet
the deadlines, they are strongly encouraged to contact NIST to discuss. NIST
will review the proposed modifications and publish the accepted submissions
shortly afterwards. As a general guideline, NIST expects that any modifications
to the seven finalists will be relatively minor while allowing more latitude to
the eight alternate candidate algorithms. Note, however, that larger changes
may signal that an algorithm is not mature enough for standardization at this
time. More detailed information and guidance will be provided in another
message.



    It
is estimated that this third phase of evaluation and review will last 12-18
months. NIST is planning to hold a 3rd NIST PQC Standardization Conference
in 2021. Obviously, much of the conference details will depend on conditions
relating to the pandemic and have not been finalized. The preliminary Call for
Papers for this conference can be found at www.nist.gov/pqcrypto and
will also be posted to this pqc-forum in another message. The deadline for
submission to the 3rd NIST PQC Conference will likely be sometime around the
end of 2020.



    Note:
These are NIST’s current plans. If new results emerge during the third round
which undermine NIST’s confidence in some of the finalists, NIST may extend the
timeline, or make changes to the process.  If NIST has less serious
concerns specific to a particular finalist and sees the need to continue
evaluating it, NIST may instead defer the decision about standardization for
the affected finalist until the fourth round. 

NISTIR
8309:
https://csrc.nist.gov/publications/detail/nistir/8309/final



NIST
Post-Quantum Cryptography project:
https://www.nist.gov/pqcrypto

CISA Releases New Cyber Essentials Toolkit on Organization-Wide Cybersecurity

    CISA released
its Cyber Essentials Toolkit,
Chapter
2: Your Staff, The Users
. This toolkit is the second in a series of six
toolkits set to be released each month. This chapter follows the release of Chapter 1: Yourself, The Leader
– Drive Cybersecurity Strategy Investment and Culture and CISA Cyber Essentials
in November 2019.


    Chapter 2
emphasizes the importance of the organization as a whole in cybersecurity,
requiring a shift toward a culture of cyber readiness and greater cyber
awareness among staff by providing cyber education, training, and other
resources. Focus areas include, leveraging basic cybersecurity training;
developing a culture of cyber awareness that incentivizes making good choices
online; teaching employees about risks such as phishing and ransomware; and
identifying available training resources from partner organizations.

To learn more
about the Cyber Essentials Toolkits, visit https://go.usa.gov/xfbFN. 

Hacked Data Get Hacked

A security firm based out of St. Louis, Mo. which specializes in collecting breach data from online sources has itself been breached, exposing some 15 billion usernames, passwords, and other personal
information collected from over 8000 website breaches. The breach collector technology called Data Viper, from the cyber threat intelligence firm Night Lion Security, describes its Data Viper product as a “threat intelligence platform designed to provide organizations, investigators and law enforcement with access to the largest collection of private hacker channels, pastes, forums and breached databases on the market.”

    A data breach monitoring service typically scans, collects, analyzes, and presents breach data from a variety of sources including the dark web, paste bin sites, hacker forums, and other locations, then
sells access to this information to concerned parties. The service allows private companies, Law Enforcement, and other organizations to search and monitor for “data of interest”. This is usually account information such as usernames and credentials indicating that an organization has been breached. The service compiles and indexes previously hacked databases in a proprietary backend. Some of this data has already been disclosed and publicly reported, while some of the data corresponds to yet undisclosed security breaches.

    If this data is valuable enough to be offered by cybersecurity firms as a service and subsequently purchased by organizations worried about a compromise or validating a data leak, then it is valuable
to cybercriminals. The very places where much of this data was originally acquired are also where cybercriminals are now reselling the information. The hacker claiming recognition for the breach has ads on the Empire dark web market place selling access to over 8,225 data-bases exfiltrated from the Data Viper service and proof of legitimacy.

     The traditional risk/reward to calculate profit potential versus the effort required to compromise the desired system has swung greatly in the hacker’s favor when targeting threat intelligence platforms. The effort required to compromise one company or information system to gather information from one distinct group or database is essentially a payout of 1:1. That effort can be expended on compromising an information system holding much more.

    At face value the Data Viper breach ratio seems to be on the order of 1:8225 (8,225 databases were exfiltrated). But wait, it’s even greater than that! Not only did the hacker not need to put in the original effort required to compromise these victims but they also absolved them-selves from having to perform all the data collection, processing, management, and warehousing tasks required to make said information consumable. That value-added effort was already undertaken by the company offering the threat intelligence platform.

     In conclusion, the reward is too great for these systems not to be under constant attack, the carrot is too big and some fences too small, creating a huge incentive for cybercriminals.

Sources:

Security Guidelines for Storage Infrastructure: Draft SP 800-209

    Storage
infrastructure—along with compute (encompassing OS and host hardware) and
network infrastructures—is one of the three fundamental pillars of Information
Technology (IT). However, compared to its counterparts, it has received
relatively limited attention when it comes to security, even though data
compromise can have as much negative impact on an enterprise as security
breaches in compute and network infrastructures. 


    In
order to address this gap, NIST is releasing Draft Special Publication (SP) 800-209, Security Guidelines for Storage Infrastructure,
which includes comprehensive security recommendations for storage
infrastructures. The security focus areas covered in this document not only span
those that are common to the entire IT infrastructure—such as physical
security, authentication and authorization, change management, configuration
control, and incident response and recovery—but also those that are specific to
storage infrastructure, such as data protection, isolation, restoration
assurance, and data encryption.


    The public comment period for this document is open through August
31, 2020.
See the publication
details
for a copy of the document and instructions for submitting
comments.



    NOTE:
A call for patent claims is included on page iii of this draft. For additional
information, see the Information
Technology Laboratory (ITL) Patent Policy–Inclusion of Patents in ITL
Publications
.

Project Freta: detecting rootkits and advanced malware, in memory snapshots of live Linux systems

   Project Freta: free service from Microsoft Research for detecting evidence of OS and sensor sabotage, such as rootkits and advanced malware, in memory snapshots of live Linux systems



   Incubated at Microsoft Research, Project Freta is a roadmap toward trusted sensing for the cloud that can allow enterprises to engage in regular, complete discovery sweeps for undetected malware. The project’s namesake, Warsaw’s Freta Street, was the birthplace of Marie Curie, a pioneer of battlefield imaging. While snapshot-based memory forensics is a field now in its second decade, no commercial cloud has yet provided customers the ability to perform full memory audits of thousands of virtual machines (VMs) without intrusive capture mechanisms and a priori forensic readiness. Just as yesteryear’s film cameras and today’s smartphones have similar megapixels but vastly different ease of use and availability, Project Freta intends to automate and democratize VM forensics to a point where every user and every enterprise can sweep volatile memory for unknown malware with the push of a button—no setup required.

Project Freta’s four properties of trusted sensing
1. Detect. No program can:
Detect the presence of a sensor prior to installing itself
2. Hide. No program can:
Reside in an area out of view of the sensor
3. Burn. No program can:
Detect operation of the sensor and erase or modify itself prior to acquisition
4. Sabotage. No program can:
Modify the sensor in a way that can prevent the program’s acquisition

To learn more go here.