Will Google’s Titan security keys revolutionize account security?

Google wants its Titan security keys to be the new standard in two-factor authentication. Find out how to get and use Titan security keys.

Google’s Titan security keys are now available in the Google Store for businesses and individuals. If Google gets its way, the Titan keys will be the new standard in two-factor account protection.

The tiny Titan keys, which come in USB and Bluetooth form factors, were designed by Google to give users “a complete solution option from Google itself,” said Google’s Sam Srinivas.

Authentication keys are nothing new, nor is the FIDO authentication framework that Google has built Titan around. What is new is a company as big as Google marketing and selling its own hardware key. With as large a market as Google has, the Titan could be the hardware key that finally replaces vulnerable two-factor authentication (2FA) methods.

Second factors: Still vulnerable

Phishing attacks are growing in sophistication, and that growth comes with new methods for subverting two-factor authentication methods. One-time passwords are increasingly phished, websites that masquerade as legitimate login portals can steal 2FA keys, and some methods simply avoid triggering second login factors altogether.

With 41.6% of all account breaches attributable to phishing, password theft, and pretexting, Google thought it was evident that typical second authentication factors weren’t doing their jobs.

Hardware security keys, on the other hand, require the user to physically possess a device linked to their account at the time of login; the login no longer depends on a code that a phisher could intercept, which significantly improves security. In fact, Google Cloud product manager Christiaan Brand said that Google hasn’t had any “reported or confirmed account takeovers due to password phishing since we began requiring security keys.”

How Titan security keys work, and why the keys are a good solution for businesses

Titan security keys use the FIDO Universal Second Factor (U2F) protocol, which relies on public key cryptography. Adding a Titan device to an account registers a public key with that account; at each login the Titan device signs a challenge with the matching private key, which never leaves the device, and the service verifies that signature against the stored public key.

Titan keys also protect against phishing attacks from fake login portals—even with a compromised password a Titan-enabled account is still protected. When a user logs in to a fake portal, Google said, the key will know that it isn’t a legitimate website and will stop the login process immediately.
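The flow described in the two paragraphs above, as an added example that is not Google's or Titan's code: a self-contained Go sketch of a U2F-style registration and login in which the key signs a challenge together with a hash of the origin the browser actually visited, so the genuine site rejects a signature produced on a look-alike domain, and a signature counter rejects a replayed response. The origin names, the key-handle labels and the exact byte layout are assumptions made for this example; the real protocol hashes a client-data record that contains the origin and derives the key handle from the app ID, and production code would use a FIDO library rather than this sketch.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// rpOrigin is a constructed example origin for the genuine site.
const rpOrigin = "https://accounts.example.com"

// Authenticator stands in for the security key: one key pair per registration,
// found by an opaque key handle, plus a signature counter that only goes up.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}

// Register mints a fresh P-256 key pair; the site stores the handle and public key.
func (a *Authenticator) Register() (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	handle := fmt.Sprintf("kh-%d", len(a.keys)+1) // real keys derive this from the app ID
	a.keys[handle] = priv
	return handle, &priv.PublicKey, nil
}

// Sign answers a login challenge. originSeen is the origin the browser is really
// talking to; hashing it into the signed bytes is what defeats a look-alike site.
func (a *Authenticator) Sign(handle, originSeen string, challenge []byte) (uint32, []byte, error) {
	priv, ok := a.keys[handle]
	if !ok {
		return 0, nil, fmt.Errorf("unknown key handle %q", handle)
	}
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(originSeen, a.counter, challenge))
	return a.counter, sig, err
}

// signedDigest hashes the U2F-style layout both sides agree on:
// SHA-256(origin) || user-presence byte || 4-byte counter || SHA-256(challenge).
func signedDigest(origin string, counter uint32, challenge []byte) []byte {
	oh, ch := sha256.Sum256([]byte(origin)), sha256.Sum256(challenge)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	d := sha256.Sum256(append(append(append(append([]byte{}, oh[:]...), 0x01), ctr[:]...), ch[:]...))
	return d[:]
}

// RelyingParty is the site: its own origin, the registered public keys, and the
// last counter seen per key (a counter that fails to advance means replay or clone).
type RelyingParty struct {
	origin   string
	pubs     map[string]*ecdsa.PublicKey
	lastSeen map[string]uint32
}

// Verify checks the signature against the site's OWN origin, never the origin
// the client claims, and requires the counter to move forward.
func (rp *RelyingParty) Verify(handle string, challenge []byte, counter uint32, sig []byte) bool {
	pub, ok := rp.pubs[handle]
	if !ok || counter <= rp.lastSeen[handle] {
		return false
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(rp.origin, counter, challenge), sig) {
		return false
	}
	rp.lastSeen[handle] = counter
	return true
}

// Login registers a key with the genuine site, then signs one challenge while the
// browser reports originSeen; returns acceptance of the response and of its replay.
func Login(originSeen string) (accepted, replayAccepted bool, err error) {
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	rp := &RelyingParty{origin: rpOrigin, pubs: map[string]*ecdsa.PublicKey{}, lastSeen: map[string]uint32{}}
	handle, pub, err := auth.Register()
	if err != nil {
		return false, false, err
	}
	rp.pubs[handle] = pub
	challenge := make([]byte, 32)
	if _, err = rand.Read(challenge); err != nil {
		return false, false, err
	}
	counter, sig, err := auth.Sign(handle, originSeen, challenge)
	if err != nil {
		return false, false, err
	}
	accepted = rp.Verify(handle, challenge, counter, sig)
	return accepted, rp.Verify(handle, challenge, counter, sig), nil
}

func main() {
	genuine, replay, _ := Login(rpOrigin)
	phished, _, _ := Login("https://accounts-example.com.phish.test") // constructed look-alike origin
	fmt.Println("genuine:", genuine, "replay:", replay, "look-alike:", phished)
}
```

The point to notice is in Verify: the site hashes its own origin into the data it checks, so a signature the key produced while the browser was pointed at another domain simply does not verify, whatever password the user typed there.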

Don’t assume that Titan keys are only usable with Google accounts—the FIDO protocol is a popular one that works with a multitude of websites and applications. Any website that supports U2F will work with a Titan key.

Titan hardware is also built to be secure—Google designed the devices around a secure element hardware chip that contains all the necessary firmware for it to function, and all of that information is sealed in during the manufacturing process, as opposed to being installed afterward. Thus, Google said, “the trust in the security key hardware is anchored in the sealed chip as opposed to any other later step which takes place during manufacturing.”

Additionally, Titan keys contain no personally identifying information and, Brand said, “don’t know who their owner is.” If a key is found, it is useless to the person who picked it up unless they also know the owner’s account names and passwords.

How to get and use a Titan security key

The retail kits available to the public, which are now on sale in the Google Store, are priced at $50 and contain two keys: A USB key for plugging in to a computer, and a low-energy Bluetooth key designed to be used with mobile devices or Bluetooth-capable computers. When testing the Titan key, I found both incredibly easy to use—all you need to do to add them (and be sure you register both) is to browse to g.co/securitykey and follow the instructions. You’ll log in to your Google account’s 2FA page, select the option to add a security key, and follow the onscreen prompts.

Android users can log in to an existing or new device by opening the Settings app, logging in on the Account page, and then following the options to use the Bluetooth-enabled key to sign in wirelessly.

iOS users will need to download the Google Smart Lock app to enable the Titan Bluetooth key on their devices. After the app is installed, follow the prompts to log in using your Titan key.

Once you’ve verified your identity on a particular device, you won’t have to log in with your Titan key again—it’s only necessary on new devices or browsers.

Enterprises interested in deploying Titan keys in their organization can contact their Google Cloud representative for pricing and ordering information, or purchase the keys through Google partner Insight.

Will Google’s Titan security keys revolutionize 2FA?

Whether Titan security keys will truly change the 2FA game remains to be seen. Google said that 2FA users consider most methods inconvenient, but the addition of a piece of hardware may not be perceived as simpler than waiting for a text or tapping a button on a smartphone.

Most of us already have an iOS or Android device in our pockets, and adding another fob to our keychains might not be the solution. With account security as poor as it currently is, something needs to give, and Titan keys may be the start.

The big takeaways for tech leaders:

  • Google’s Titan security keys are now available for businesses and consumers. Titan keys use the FIDO U2F protocol, which makes them able to secure Google accounts and other services that use U2F.
  • Titan keys don’t contain any personal information, so businesses shouldn’t worry about them being a security risk.

via:  techrepublic

T-Mobile suffers data breach affecting 2.2 million customers

The third most popular mobile network in the US, T-Mobile, has suffered a data breach that affected more than two million of its customers.

According to the company’s website, on 20 August 2018 T-Mobile’s in-house security team noticed unusual activity that was immediately “shut down.”

Data potentially compromised before the shutdown included subscribers’ names, billing zip codes, phone numbers, email addresses, account numbers and account types (e.g. pre-paid or billed).

Apparently, no social security numbers (SSNs), financial data or account passwords were accessed during the attack.

The alert doesn’t mention the number of subscribers involved but this is being reported by Motherboard as just shy of 3%, or around 2.26 million accounts.

Users caught up in the breach would be contacted with further instructions, T-Mobile said, though the company didn’t say how or when that would happen. (Motherboard quoted a spokesperson as saying that affected customers would be told by text message.)

If there’s good news in this incident, it’s that the breach seems to have been noticed quickly by T-Mobile’s in-house security team, and the company told its customers within a matter of days.

In plenty of other breach incidents, companies have realized what happened only after they were contacted by a third-party researcher, by the attackers themselves, or, in the worst-case scenario, by customers reporting fraud attempts.

This is often weeks or months – sometimes even years – after the event, by which time a lot of damage has been done.

According to the Privacy Rights Clearinghouse, so far in 2018 (to early August) 513 disclosed data breaches covering 819 million records have been recorded. For comparison, the whole of 2017 saw 831 breaches covering just over two billion records.

via:  sophos

How to set up a rule in Microsoft Exchange to send an alert of a phishing attack

Empowering your employees to easily notify IT security personnel of a phishing attack requires an Exchange rule. This tutorial explains how to set one up.

In general, IT cybersecurity experts agree that when it comes to enterprise phishing emails, the most effective defense, and the only one that will inevitably stop such attacks, is a well-trained and educated workforce. While technologies like artificial intelligence and machine learning may stop many phishing emails from getting through to user inboxes, those tech solutions cannot overcome the careless click of a malicious link by one of your employees when the technology fails.

As we have mentioned before, a 2018 report shows that about 50% of an enterprise’s computer-using employees will click on a link sent via email from an unknown sender without first thinking of the potential consequences. To overcome this lack of urgency, so prevalent among users, IT professionals should task the entire workforce with the responsibility of immediately reporting phishing emails when they are uncovered.

The Office 365 add-in, Report Message, allows Outlook users to report a phishing or other suspicious email with the click of a single icon on the standard Office Ribbon interface. However, by adding a new rule to Microsoft Exchange, admins can also receive a copy of the report—with no additional effort on the employee’s part.

This how-to article explains how to set up a rule in Exchange that will piggyback on Report Message to notify the proper IT security team in your organization that a phishing email has been reported.

Set up the Rule

Creating or modifying rules using the following technique requires Exchange Online Administrator authentication status. This tutorial also assumes you have installed and enabled the Report Message add-in for Outlook. (Check out the previous article for details.)

Open the online portal to Office 365 and log on with administrator credentials. Navigate to the Admin Center and then open the Exchange Admin Center submenu. Click the Mail Flow link in the left navigation bar. You should see something similar to Figure A. (Note that the example has no rules yet.)

Figure A

Click on the Plus button to create a new rule. Name your new rule (Phishing Submission) and then open the Apply this rule if dropdown box. Choose the entry: The recipient address includes. Add these two email addresses to the list as shown in Figure B.

  • junk@office365.microsoft.com
  • phish@office365.microsoft.com

Figure B

In the Do the following box, choose the Bcc the message to entry and add the appropriate security administrator or team as designated by your intrusion detection policy. Set Audit this rule with severity level to Medium, as shown in Figure C, and click Save.

Figure C

Once this rule is established, whenever an employee reports an email using the Report Message add-in, the appropriate security personnel will receive a copy of the message automatically. This will allow your security teams to act swiftly and decisively to mitigate and counteract phishing attacks in accordance with your enterprise’s policies.

via:   techrepublic

Do Something, Know Something, Learn Something – A 3-Step Guide to Keeping Your InfoSec Career Exciting

If you are like most infosec professionals, each day brings new and interesting challenges.

However, like most jobs, there are valleys that we fall into along the course of our professional development. How long can you stare at your SIEM tool before you start to experience some mild tunnel vision, or worse, severe burnout? Neither of these are productive paths for you or your employer.

When I find myself heading down that path of waning motivation, I exercise a 3-step plan to get back on track. I call it the Do Something, Know Something, Learn Something plan.

Here is how it works:

Set three recurring calendar events, each lasting an hour with a 30-minute break in between each task. For the first task, assign some of your daily activities that need your attention.

This may be writing up a report, updating your monitoring logs, or performing triage on the security events under your responsibility. This is the “Do Something” phase. This one is most important, as it is probably the bulk of what is required of your job duties. This task will not only recur daily but should be set to recur multiple times throughout the day.

The next task that should be on your calendar is the “Know Something” task. This is the task where knowledge is the goal.

If you maintain any certifications, this is where a continuing professional education (CPE) credit-eligible webcast can fill the task requirement. This task time-slot can also be used to familiarize yourself with a new regulation or perhaps to just catch up on some of the infosec news of the day.

The purpose here is to increase your knowledge about infosec topics that may come up during a lunch conversation, or perhaps an impromptu conversation with a senior executive in your office. This type of knowledge adds credibility to your role, which is a valuable asset both personally and professionally.

The third task is the “Learn Something” task. This is different from simply knowing, as it is where you use the time to actively research a new skill or learn a new tool.

If your employer is receptive and flexible, the learning can be tangentially related to infosec. For example, knowing the pin-out patterns of various cables may not be directly related to your particular job, yet it is valuable information that can improve your infosec skills in immeasurable ways.

I find that running this three-step pattern over the course of a month does wonders for breathing new life into my job routine. It also brings more value to your employer. Above all, be sure not to let your daily responsibilities slip. This is why the “Do Something” task needs to recur throughout the day.

I understand that you may not have a job that allows the daily attention to each task that I have described here; however, I am certain that there is a way to spread this plan out so that you can implement it to keep you from becoming numbed by the same tasks every day.

After all, we are working in one of the most exciting fields that doesn’t require any physical danger. I hope my three-step approach helps you to keep excitement alive while improving your skills and your value.

via:  tripwire

Guide to Securing Your Mobile App against Cyber Attacks

Thanks to the advent of technology, the number of mobile phone users is increasing day by day. You’ll be shocked to hear that by 2019 this number will cross the 5 billion mark! While mobile phones may have made our lives easier, they have also opened up new ground for cybercriminals, who are adapting and using new methods to profit from this rapidly growing number of potential victims.

What’s more, apps account for nearly 90% of usage on mobile phones and tablets, making them the number one avenue for cyber-attacks. People use apps to access everything from online banking to shopping and even controlling home devices.

User data is like a goldmine for cybercriminals, as they can access anything from credit card details to email passwords and user contact lists. Users have also been scammed into downloading malicious adware, and at times, they unknowingly subscribe to fraud paid services.

This is why a lapse in any mobile app’s security is a daunting scenario for app owners and developers. According to a study, more than 60% of companies reported that an insecure mobile app caused a data breach, and 44% out of them did not take any immediate action to secure their app against further potential cyber attacks.

So, if you are an app owner or developer, start working towards certain frameworks and tools that provide ease and security to your users. Think about the ways you can avoid the mentioned security challenges and protect your app from cybercriminals.

To make your tasks easier, I have listed some of the mobile app security best practices that will benefit you as an owner and also provide your users with a safe and secure online experience.

1. Security by design

The first step towards securing any mobile app is to build a threat model from the very beginning. Think like an attacker and identify every shortfall of your app’s design; only then will it be possible to implement effective security strategies. You can also hire a professional security team to play the adversary: it is a great way to test the security of your app, as they will probe it for different vulnerabilities.

Furthermore, if you are a growing eCommerce business and want to develop an online shopping app that can process sensitive information such as financial transactions and credit card credentials, consider the consequences that will occur if a security breach occurs. Ask yourself: in what ways can user privacy be compromised, and how you can prevent it from happening?

Keeping safety as a number one concern from the very beginning will give you ample motivation regarding security measures for your app.

2. Mobile device management

Online security starts with the device that the consumer is using to access your app. Each mobile operating system requires a different approach for its security, whether it is an iOS or an Android system. Developers must understand that the data stored on any device can drive potential security threats.

This is why you should consider encryption methods like 256-bit Advanced Encryption Standard to keep data safe in the form of files, databases, and other data sources. Also, when you are formulating the mobile app security strategy, keep the encryption key management in mind.

In the case of Apple, it has strict policy enforcement practices. Being an app owner, you can restrict any user from installing your app if you feel that the security of the user device seems compromised.

One of the most effective ways to manage iOS devices is to use a mobile device management (MDM) or enterprise mobility management (EMM) product. Many vendors, such as MobileIron, MaaS360, and Good Technology, offer services in this regard. Alternatively, you can use the Microsoft Exchange ActiveSync protocol as a policy management tool if you are looking for a cheaper and easier-to-use option.

Android phones, on the other hand, are a bit trickier to manage. Because they are generally cheaper than iOS devices, they often become the source of a security breach. In the enterprise you should only be using Android for Work (A4W), which encrypts the device and separates personal and professional apps into two categories.

With the combination of the right devices, updated mobile operating systems and MDM, you can provide first level security for your mobile app.

3. App wrapping

App wrapping is the term for a methodology that segments your app from the rest of the device by enclosing it in a secure environment. You get this option automatically if you are using an MDM provider: set a few parameters, and you can segment your apps without any coding.

4. Strong user authentication

One of the most crucial components of mobile app security is to implement strong user authentication and authorization. You never know who is accessing your app. A seemingly simple question, “Who are you?,” can help secure your device against malware and hackers.

User authentication must cover all aspects of user privacy, identity and session management, and device security features. Try to enforce 2FA (two-factor authentication) or MFA (multi-factor authentication). You can bring in technologies like the OpenID Connect protocol or the OAuth 2.0 authorization framework.

5. Hardening the OS

Another way to secure mobile apps is by hardening the operating system. There is a wide variety of methods in which you can do it. From day one, Apple has done a great job in enforcing security within its operating system. You can use these tools for iOS security:

6. Apply security to APIs

Make sure that you use APIs to manage all app data and business logic. APIs are very useful tools in the mobile world, and they are the crown jewels of any enterprise. All data, whether in transit or at rest, should be secured.

For data in transit, you can use SSL with 256-bit encryption. For data at rest, you should secure the origin of the data as well as the device itself.

Remember, each API should have app-level authentication. Make sure you validate who is using the service, and keep sensitive data only in memory, where it can easily be wiped, rather than writing it to storage.

Conclusion

When it comes to addressing your mobile application’s security, assume that all mobile devices accessing the app are insecure and that hackers can easily capture the data flowing to and from your app. This doesn’t mean that you’re overly paranoid.

These assumptions will help you stay on top of your security game, and you will always look out for new ways to harden the security of your mobile app against the most common security failures.

There are many other practices with which you can toughen up the security of your app, but these 6 tips will give you a basic framework that can be applied to any business, irrespective of its size. Which strategies do you use to protect your mobile app against cyber attacks?

via:  tripwire

The Value of Two-Factor Authentication – Save the Embarrassment

These days, it’s not a matter of if your password will be breached but when.

Major websites experience massive data breaches at an alarming rate. Have I Been Pwned currently has records from 295 sites comprising 5.3 billion accounts. This includes well-known names like LinkedIn, Adobe, and MySpace.

Password breaches are a cause for embarrassment; they are talked about in hushed tones just like finding mice in your home or having your credit card declined. They don’t need to be, though; they are part of the online experience associated with a modern cyber life.

Instead of being embarrassed, take steps to minimize the impact that a data breach has on your life.

One of the best ways to do this is to enable two-factor (or multi-factor) authentication on the accounts that you use on a regular basis. Adding a second form of authentication (typically in the fashion of a code generated by or sent to a device you own) can ensure that no one accesses your accounts even if they have your passwords.

Here you will find step-by-step instructions on how to configure two-factor authentication on some of the Internet’s most popular websites.

Facebook

  • Log into Facebook and visit Settings.

  • On the left hand side, select Security and Login and click Edit next to Use two-factor authentication.

  • Set up the 2FA methods of your choice. I recommend Text Message and Authentication App, at a minimum.

Google

  • Visit your Google Account page and follow the Signing in to Google link.

  • Select 2-Step Verification and follow the steps to enable Authenticator, SMS, or Google Prompt 2FA. Note that some applications may stop authenticating and require application specific “App Passwords.” You can read more about those here.

PayPal

  • Log into PayPal and visit Settings.

  • Click Security and look for the Edit link under Security key.

  • Add your mobile number under Register a new mobile number.

Microsoft

  • Follow the More security options link.

  • At this point, you can turn on 2FA by clicking Set up two-step verification under Two-step verification. You can also set up an authenticator app like Google Authenticator or Microsoft Authenticator by clicking Set up identity verification app under Identity verification apps.

Apple

  • Log into Apple ID and click Edit under Security.

  • Follow the steps under TWO-FACTOR AUTHENTICATION to enable 2FA on your Apple Account.

LinkedIn

  • Log into LinkedIn and click Me and Settings & Privacy.

  • Turn on two-step verification in order to enable SMS verification codes for future LinkedIn logins.

Twitter

  • Log in to Twitter and click on your avatar and Settings and privacy.

  • Under Security, click to Set up login verification. Follow the prompts to enable 2FA on your Twitter account.

Enabling two-factor authentication is quick and painless in most cases, although it is recommended that you print out back-up codes from sites that support it. These codes can be a life saver when it comes to websites that use authenticator applications should you lose or damage your phone.

Are there any websites that you’d like to enable two-factor authentication on that weren’t in the list above?

via:  tripwire

Fortnite Says It Will Reward Users Who Enable 2FA With Free Emote

The Fortnite team announced it will reward users who enable two-factor authentication (2FA) on their accounts with a free emote.

On 23 August, the makers of the popular online video game revealed an incentive to help users boost their account security: in exchange for enabling 2FA on their accounts, gamers would receive the Boogiedown emote for free in Fortnite Battle Royale.

On a page linked to in its tweet, Fortnite explains that users can enable two-factor authentication to receive verification codes either via email or via an authenticator app installed on their mobile device. The latter option is the more secure of the two, as an app like Google Authenticator can help protect users’ Fortnite profiles in case their email accounts are ever hacked. In many cases, users can also employ that same authenticator app to protect their emails against an account compromise.

Team members recommend that Fortnite users click here to get started. They also make clear that they’ll never ask users for the account passwords. If they receive such a request from someone posing as a Fortnite employee, they should alert the real Fortnite team using the “Contact Us” feature.

Fortnite isn’t the only game that’s used an in-game reward to encourage users who might not otherwise be concerned about their web account security to enable 2FA. Video game developer ArenaNet gave Guild Wars 2 players who enabled SMS-based login codes (a 2FA method that doesn’t always guarantee account security) the Mini Mystical Dragon as a free pet. Even so, ArenaNet and Fortnite are in the minority among video game developers, and tech companies in general, who put a premium on users taking their account security seriously.

In the prevailing absence of such incentives, it’s up to users to take the lead on protecting their accounts with login verification codes. Here’s a resource that explains how you can enable this additional login step on many of the web’s most popular services.

via:  tripwire

The True Cost of an Industrial Cyber Security Incident

Industrial control systems are essential to the smooth operation of various national critical infrastructure. While once segmented from the web, these systems are now becoming increasingly more networked and remotely accessible as organizations transform to meet the digital age. This development potentially exposes industrial control systems to digital threats.

One of the most serious threats confronting industrial control systems today is the Internet of Things (IoT). Organizations and users are becoming so dependent on Internet-connected devices that there isn’t enough time to secure them. This rush has enabled the creation of threats like VPNFilter, a type of botnet that targets routers, network-attached storage (NAS) devices and other IoT products.

In May 2018, researchers observed that VPNFilter had infected half a million IoT products in what Ukrainian officials believed were Russia’s preparations for a digital attack. Less than two months later, Ukrainian law enforcement thwarted an attempted VPNFilter attack by Russian agents against a chlorine station.

The IoT threat facing industrial control systems is expected to get worse. In late 2016, Gartner estimated that there would be 8.4 billion connected things worldwide in 2017. The global research company said there could be approximately 20.5 billion web-enabled devices by 2020. An increase of this magnitude would give attackers plenty of new opportunities to leverage vulnerable IoT devices against industrial control systems.

Concern over flawed IoT devices is justified. Attackers can misuse those assets to target industrial environments, disrupt critical infrastructure and jeopardize public safety. Those threats notwithstanding, many professionals don’t feel that the digital threats confronting industrial control systems are significant. Others are overconfident in their abilities to spot a threat.

For instance, Tripwire found in its 2016 Breach Detection Study that 60 percent of energy professionals were unsure how long it would take automated tools to discover configuration changes in their organizations’ endpoints or for vulnerability scanning systems to generate an alert. Even so, 70 percent of participants affirmed it should take only minutes for those same solutions to detect an alteration.

Industrial professionals would be wise not to underestimate threats against industrial control systems, because the costs of disruption can be significant to the business. In response to a 2016 ransomware attack, Michigan’s Board of Water & Light ended up paying approximately $2 million for digital security experts and a law firm to assist it in its recovery and prevent similar attacks from occurring in the future.

Even worse, a 2012 malware attack cost Saudi Aramco – the world’s biggest oil company – approximately $1 billion, as the company needed to replace 35,000 computers damaged by the attack. It also hired at least six firms and dozens of experts to help with the recovery, reported Reuters.

Tim Erlin, VP of Product Management & Strategy at Tripwire, feels these incidents demonstrate the importance of organizations protecting their industrial environments now rather than later:

If your business has an industrial control system footprint now is the time to evaluate how you’re securing that environment. Industrial companies have accepted the reality that digital threats can have tangible consequences. This perception is perhaps heightened by recent attacks that were specifically designed to affect physical operations and have proven capable of doing so. It is vital that organizations properly secure their critical infrastructure by investing in robust cybersecurity strategies that involve proper foundations of critical security controls and layers of defense. Failure to do so will result in a major breach that will cause catastrophic failure, which is a significant concern among security professionals as a critical disaster could result in significant loss of life.

 

via:  tripwire



5 Key Areas Security Professionals Should Consider – Healthcare Industry

The Healthcare industry by its very nature is populated with some amazing people who are devoted to those in need of physical and mental care. Given this noble cause, it was perfectly understandable for them to ask “Why would someone attack us?” when WannaCry hit their sector.

In my opinion, the WannaCry compromise was the crescendo of almost a decade’s worth of neglect. Unpatched servers, legacy applications, forgotten risk registers and discarded business cases for investment all played their part. However, it did answer the million-dollar-question asked of all security teams: “What is the real risk of us being attacked?”

At the time of the attack, security teams across the country were rallying to resolve the issue, with many (I’m sure) searching for evidence that they had once warned their organization of the dangers of poor cyber-response arrangements and poor patch management.

Dare we ask how many servers compromised by WannaCry only required a reboot to enable the patch – denied only because no agreement could be reached to arrange a maintenance window?

As sad and controversial as it sounds, sometimes it takes an incident of this magnitude and publicity for organizations to remember the basics. Despite the irresistible urge for some to shout “I told you so,” we must understand how we can improve now that we have the attention of executive management, who wish to avoid the implications of another WannaCry.

In recent years, I spent less time on policy and more on advising on change – mostly trying to mediate between innovation and security. In adapting my thinking to include transformation and change, I have identified five key areas I believe all security (and IT) professionals should be considering:

1. THE ‘GIG ECONOMY’

Organizations want to try new things and do not want to be bogged down with procedures and policy. However, we must be mindful of integration and support. Get the right contracts in place; secure robust support agreements and software assurance. Do not become dependent on a third-party application. We all know of solutions with security flaws whose vendors have no appetite to fix them.

Finally, be prepared to forgo the usual third-party assessments for these smaller firms. Streamline it, and document exceptions!

2. DIGITAL TRANSFORMATION

The right digital plan must be established. It must be designed with a care plan/business strategy at its heart and underpinned by robust architectural designs and operational basics. Base your security strategy around this, and you will not go far wrong. (It also makes asking for investment far easier!)

3. DATA, DATA, DATA

If you cannot extract data from a solution to demonstrate value and outcomes, why bother with it?

And critically, look for a common integration and data extraction tool rather than a swathe of bespoke interfaces known only to the developer who left the organization two years ago.

4. A RETIREMENT PLAN

Support functions cannot be expected to support operating systems that are no longer supported by the vendor. As in the financial sector, it is only a matter of time before the healthcare sector is required to provide decommissioning plans and timelines.

Be proactive with hardware refreshes, and ensure your third-party vendors are contracted to keep their applications supported on the latest technology and operating systems.

5. COURAGE

Finally, we must have the courage to stand up for what we know is the right thing to do: do not be swayed by pressure to adopt bad practice or technology.

Whilst saying “No” is never really an option, the transferal of risk certainly is.

How Tripwire Can Help

All healthcare organizations need to take steps to strengthen the security of their systems so that they can ensure the availability of critical medical services and protect their patients’ data. Such measures are especially important in the case of defending against vulnerabilities like EternalBlue, the Microsoft SMB flaw which WannaCry exploited in 2017.

CVSS risk scoring is a good start. But in cases like this, plain low-medium-high scoring is of little use: the vulnerability shows up as “high” in every part of the business, so the critical systems and assets that keep the business in its “business as usual” state land in the same category as non-critical systems.

This is where Tripwire IP360 can assist. Tripwire not only provides CVSS risk scoring but also weights assets by their criticality to the business, amongst other criteria. This lets limited resources apply patches quickly to the critical systems first, thereby preserving the secure “business as usual” state for the business.

In the meantime, Tripwire Enterprise can be used to monitor the network for changes or drift from compliance policies, providing real-time notification to staff of anything that is detrimental to the estate so they can address it immediately.

 

via:  tripwire



A How To for Asset Tagging using Tripwire

The systems in your environment are extremely important assets, storing intellectual property, customer information, financial information, business automation, etc. If any of these systems are breached or become unavailable, there is a business and financial impact.

You’ve installed Tripwire Enterprise agents on these systems to ensure that you know what changed, that the changes were authorized and that these systems remain hardened.

But when you have thousands and thousands of assets, how can you view and report on them in a meaningful way? Not all assets are created equally. Often, not all assets are managed by the same group. Different assets run different applications. It’s a jungle in there!

Into the fray steps the Tripwire Enterprise (TE) Asset Tagging feature. Asset Tagging makes the automation of managing these assets possible as well as makes reports more meaningful for the business.

Now, having an asset tagging system is nice and all… but we still have to apply these informational tags to the assets. There are several ways to do this, which we will touch on in this article. But we need to do these things in order. Before we can apply tags to the assets, we have to create tags that are meaningful to the business. Yes, Tripwire Enterprise comes with a set of common Asset Tags for Operating Systems, Device Types and such. But we don’t know what applications, locations, owners and other types of tags you might have in your environment.

So, we’ll start with Asset Tag creation.

Creating Asset Tags

Asset Tags give you a way to assign information about a System (a node in Tripwire) to the asset item. This also creates groups for those nodes in the Smart Node Groups area of the Tripwire GUI.

There are 3 common types of Asset Tags you may want to create.

  1. Tags for assigning Tripwire Rules to an asset
  2. Tags for what assets to include in Tripwire Reports
  3. Tags for administrative purposes

An example of a tag used to assign rules: tag an asset with a Linux-Apache tag, then create a Tripwire Task that uses the Apache application Rule (filesystem) and indicates the node group Linux-Apache for running the check. Any new assets that are assigned the tag “Linux-Apache” will be automatically added to that group; the next time the Task created for that group runs, that new asset with that tag will be baselined.

An example of an asset tag that deals with reporting is to assign a Threat Level to an asset based on the scan results from the IP360 vulnerability management product. Any systems with a Threat Level of High may be automatically added to a report such as “new executable files added to the system.” Until the system is patched and rescanned, this report on the unpatched asset helps you spot whether the vulnerability has been exploited, by showing you any new (or modified) executable files on that set of at-risk assets.

Creating Asset Tags should be more of a setup time step, not something you should need to do on an ongoing basis. If the applications, locations, and other meta-data about the assets change often, then an integration to a source of asset information (like a CMDB) is very useful. I’ll go through some examples of doing that later in this article.

An example of an Administrative Tag could be “EG-Processed” to show that you’ve turned on the Tripwire Event Generator real-time flag for that asset. It’s not used for reporting or checking, but it’s still useful for the Tripwire Administrator. The first step is to create the asset tags to be assigned in the Tag Sets area of the Tag Management display.


In Screenshot 1, you can see that “Manage Tagging” was clicked on, then in the left pane, “Tag Sets” was chosen. This brought the currently defined set of Tag Sets and their tags into view in the center pane. The right pane has some documentation with suggestions and help for creating Tag Sets and tags.

If you know what traits you’d like to assign to your various assets, then you’re ready to group them by their function and come up with a Tag Set name. Then add the tags that belong to that group to the tag set. Empty tag sets have a link called “add tags” across from the tag set name. Click on the “add tags” link and start entering the names in the space provided below the tag set name.


That’s the manual method for creating asset tags. If your environment has a CMDB already in place with asset classifications, you can take advantage of that information.

Using the Tripwire Enterprise REST API calls or TECommander and some scripts, you can pull information from the CMDB and create (if it doesn’t already exist) the asset tag and assign it to the asset in the Tripwire console. In this way, new asset tags are created as needed based on information from your asset management product.

Assigning Asset Tags Manually

You can manage tags for each asset (or multiple assets) from here by choosing the checkboxes next to each asset and then following the steps to manually assign asset tags. This is usually done for one-off assets or if there’s very little change in the list of assets tracked by Tripwire.


Check the boxes next to the names of the assets in the center pane you want to assign a tag to and then notice the right side pane changes to show the “Edit Tags” button. Choose the Edit Tags button and the center pane changes to show the tags.


Next, you open up the tag set(s) by clicking on the > icon next to the tag sets you’re interested in using.


Once the tag sets are open, click on the tags you want to assign to the chosen assets. By clicking on the checkboxes next to the tags you want to use, you’ve now assigned those tags to the assets. Click on the “Close” button at the bottom of the center pane when you’re done.


Assigning Tags using Tagging Profiles:

Tagging profiles are very convenient for doing automatic Tagging via the basic information Tripwire gathers from a system when it first reports into the TE Console. When a new asset first reports to the Tripwire console, it gives three basic areas of information: the hostname of the asset, the IP address of the asset, and the OS the asset is running.

Choose the “Manage Tagging” section in the left pane of the Asset View. Click on the 2nd item in the left-hand pane – “Tagging Profiles”. Make sure you’ve created the Asset Tags you want to assign before getting to this step. Otherwise, you won’t have anything to assign here.


I’ve added a set of locations to the Locations Tag Set. Start by clicking “New Profile” in the center pane of the display. The display changes and shows the asset tags in the center, and at the top of the pane, there’s a space to give the profile a name. This tagging profile will be “Tag Herndon Assets.” We will assign the “Herndon” location to the assets in 3 ways:

Tagging by Hostname:

There are several ways to tag by the hostname:


The hostname conditions include Contains, Does Not Contain, Matches (Regex), and Does Not Match (Regex). The easiest is “Hostname Contains.” I just enter “HERN” in the space below the “Host Name” and “Contains” dropdowns, and if the asset has the letters “HERN” together anywhere in the hostname, it will match and be assigned to the Herndon location. (Selecting the location happens in the “Choose Tags to Apply” section.)


To be more precise with the naming convention, there is the Regex option. Click on the “Contains” drop-down and choose “Matches (Regex).” Java regex syntax is supported. So if you want to ensure that only hosts with “HER” in the 3rd, 4th and 5th positions of the hostname match, in the space provided you’d enter:

pic

The first two dots “..” represent the 1st and 2nd characters of the hostname. Then the HER in the naming scheme (in this case) means “Herndon.” Then the rest of the hostname follows. By using “Add a new condition,” you can get very precise with asset tagging. Add a 2nd condition and leave the option at the top set to “All” to match “All” conditions. That means each condition is ANDed together.

Thus, if I add a second condition that the IP address must be in the 10.10.22.0 to 10.10.22.255 range as well, then only systems with HER in the 3rd to 5th positions of the hostname and an IP address that falls into the correct range will get the asset tag you assign in the “Choose Tags to Apply” section. If you want to match on any of the conditions (an “OR” case), then click on the “Match … contains” dropdown and choose “Any.”

Tagging by IP-Address


Tagging by IP address range is straightforward. There are a few options for how you might set up that range, though:


You may use a plain IP address range, such as “10.10.22.0 to 10.10.22.255,” or Classless Inter-Domain Routing (CIDR) notation.


Thus, any assets in the range you define will have the Asset Tag(s) you pick in the “Choose Tags to Apply” section applied to them.

Finally, you can set a node’s asset tag by the System Defined Tags. This means that when a node registers with the TE Console, there are tags that are assigned to the node automatically. The OS for a filesystem agent, the Database type for a new database node and so on for each node type.

Typically, using the system-defined tags allows you to tag assets in a more generic fashion. For instance, any system type with Red Hat in it – Red Hat 5.3, Red Hat 6.1, Red Hat 6.3 – can be lumped into a Red Hat group so that you can report on all of the Red Hat boxes from one group (or run the Red Hat rules against every version of the Red Hat OS that you have from one TASK).


Assigning the Tag

Once you’ve defined how to identify systems for a tag, you need to choose the tag that the Tagging Profile will assign. Just under the Tagging Profile Name, click on “Choose Tags to Apply.”


The Available Tags appear. Open up the Tag Set that defines what was tested for in the Conditions. Click the checkboxes next to the tags that apply. Click on the Save button at the bottom right of the display to save the Tagging Profile.

When a new node is added that matches the condition, it will now automatically be tagged with the label assigned here.
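As an added example, not code from the article or from Tripwire, here is how the condition types above (hostname contains/regex, IP range, CIDR, system-defined tags) and the “All”/“Any” combination can be modelled in Python so a profile can be tested against nodes before it goes into the console. Node, TaggingProfile and the helper names are assumptions, and the sample hostnames are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Hypothetical model of a TE tagging profile (example code, not Tripwire's
# implementation): conditions over the facts a node reports on first contact
# (hostname, IP address, system-defined tags), combined with "All" (AND) or
# "Any" (OR), plus the tags to apply when the node matches.

@dataclass
class Node:
    hostname: str
    ip: str
    system_tags: set = field(default_factory=set)  # e.g. the OS tag set on registration
    tags: set = field(default_factory=set)         # "TagSet:Tag" strings set by profiles

def hostname_contains(text):
    # "Hostname Contains": substring anywhere in the name, case-insensitive.
    return lambda n: text.lower() in n.hostname.lower()

def hostname_matches(pattern):
    # "Matches (Regex)": the pattern must cover the whole hostname, as
    # Java's Matcher.matches() does; "..HER.*" means HER in positions 3-5.
    rx = re.compile(pattern)
    return lambda n: rx.fullmatch(n.hostname) is not None

def ip_in_range(first, last):
    # "10.10.22.0 to 10.10.22.255" style range, compared numerically.
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return lambda n: lo <= ipaddress.ip_address(n.ip) <= hi

def ip_in_cidr(cidr):
    net = ipaddress.ip_network(cidr, strict=False)
    return lambda n: ipaddress.ip_address(n.ip) in net

def system_tag_contains(text):
    # Lump "Red Hat 5.3", "Red Hat 6.1", ... together by substring on the OS tag.
    return lambda n: any(text in t for t in n.system_tags)

@dataclass
class TaggingProfile:
    name: str
    conditions: list
    tags_to_apply: set
    match: str = "All"  # "All" ANDs the conditions, "Any" ORs them

    def matches(self, node):
        results = (cond(node) for cond in self.conditions)
        return all(results) if self.match == "All" else any(results)

    def apply(self, node):
        if not self.matches(node):
            return False
        node.tags |= self.tags_to_apply
        return True

def run_profiles(profiles, nodes):
    """Apply every profile to every node; return {hostname: sorted tag list}."""
    for node in nodes:
        for profile in profiles:
            profile.apply(node)
    return {n.hostname: sorted(n.tags) for n in nodes}

# The article's "Tag Herndon Assets" profile: HER in positions 3-5 of the
# hostname AND an address in 10.10.22.0-10.10.22.255 ("All" conditions).
HERNDON = TaggingProfile("Tag Herndon Assets",
    [hostname_matches(r"..HER.*"), ip_in_range("10.10.22.0", "10.10.22.255")],
    {"Location:Herndon"})
# Generic OS grouping from the system-defined tag, as in the Red Hat example.
REDHAT = TaggingProfile("Tag Red Hat", [system_tag_contains("Red Hat")],
    {"OS Family:Red Hat"})
# An "Any" profile: lab hostnames OR the lab subnet given in CIDR form.
LAB = TaggingProfile("Tag Lab",
    [hostname_contains("LAB"), ip_in_cidr("10.10.30.0/24")],
    {"Environment:Lab"}, match="Any")

if __name__ == "__main__":  # constructed sample nodes, not a real inventory
    sample = [Node("USHERWEB01", "10.10.22.15", {"Red Hat Enterprise Linux Server 7"}),
              Node("USHERWEB02", "10.10.23.15"), Node("NYCLAB01", "10.10.30.7")]
    print(run_profiles([HERNDON, REDHAT, LAB], sample))
```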

Assigning Tags via Tripwire ACTIONS

Assets can also be tagged using a Tripwire Action. In the ACTIONS portion of the TE GUI, you choose “New Action” and then choose the Common Action “Tag Action.” Like most Common Actions in Tripwire, it is usually attached to a Conditional Action, so you can change an asset tag based on the content of a change that’s detected.


Give the new Tag Action a name and choose “Next”.


Choose the Tag Set that contains the tag you want to set then pick a Tag from the “Choose a Tag” drop-down.


As with all Tripwire Actions, the Tag Action must be attached to another Action, to the Action tab of a Rule, or to the Action tab of a Task.


A change must be detected before the Action will run. So, Tag Actions are excellent for dropping an Asset into a particular Smart Node Group for reports when changes to specific files or certain configuration changes are made.

Assigning Tags via TECommander or REST API Calls


There is one more way to assign asset tags. TECommander takes the Tripwire REST API calls and exposes them via a command line tool, thus making scripting of TE Console interactions possible. You can also call the Tripwire Console REST API directly if you have a resource that knows how to integrate using API calls.

One possible implementation is a script that looks up information from Tripwire or from other sources (CMDB, a spreadsheet, etc.) and uses that information to make decisions on tagging assets. The example in the script screenshot shows TECommander retrieving information from Tripwire Elements, testing the content, and then tagging the asset based on what was found in the element contents.

To tag new nodes when they are discovered, set up an Asset Tag Set for Administrative processing. One of the tags shown in the screenshot is “Processed.” Any node that has the Tripwire Event Generator turned on, or any other on-board processing, will have the “Processed” tag set (once you’ve implemented the steps below). Since any asset that is “Untagged” in that Tag Set hasn’t been processed, you now have a set of “unprocessed” assets in a group that can be handled at one time.

The “Untagged” grouping of a Tag Set does NOT show up in the Smart Node Groups. So how can you access that information when you want to work on “Untagged” assets? Create a “Saved Filter”! A saved filter allows you to create a Smart Node Group that includes assets that are “untagged”.


Once you have the Assets in the Saved Filter named, for example “Unprocessed Assets,” you can then take action on those assets. Set up a Task that uses the “Unprocessed” assets and choose a Rule to run on the Unprocessed Assets, say, look for a particular application on the systems.

Then create an Execution Action that you call from the Action portion of the Task and call the TECommander Script you’ve created. Test the asset for information you’re interested in (from the initial baselined information) and then Tag the asset with the Asset Tags based on your script logic.

The execution action to call the script (in the screenshot below) would look like this:

pic

The execution action for this script is set to run every time the task is run even if no changes are found. But it will only do something if there are Nodes in the Saved Filter we set up. Once the “Processed” tag is set on an asset, it will no longer be in our Saved Filter. Thus, only new TE nodes will be processed by this script — just one time.

Asset Tags
Scripting is a little more complicated but gives you ultimate flexibility. Tripwire’s Professional Services group often builds integrations and custom logic for our customers using TECommander and other integration tools. Just ask your sales rep if you require their expertise.

One customer integration with the CMDB allows them to classify their assets as they come into the TE Console. Is the asset in production? Staging? Development? Their CMDB has this information, so they pull the information from the CMDB and then tag the Tripwire Agent with the applications and environment of the asset. Their CMDB has categories for the types of tags they have; those become Tag Set names in TE. If the category or the tag in the category doesn’t exist when that asset is being processed, they create the Tag Set or add the tag to the tag set on the fly using the API calls.

They also check their assets once each day to see if they’ve moved from one environment to another. Does the CMDB still show the asset in staging? Has it moved to production? If the tags in TE don’t match the CMDB, the tags are updated to match. This is ongoing processing.

If a Tripwire asset has an error classified as a “Communications Error,” they check the CMDB for the state of that asset. If the asset is marked “retired,” then they set the administrative asset tag to “retired” and unlicense the asset. After the asset has been unlicensed for 90 days, they remove it from the console.

In this way they automate the management of assets, making the tagging more accurate, which improves reporting. Removing assets that no longer need to be reported on helps clean up their back-end TE database and prevents DB bloat. The time saved by their TE Admins when asset management tasks are automated means one TE Admin working part-time on the product can spend more time on what changed and why (much of which can also be automated, but that would be a separate article).
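An added worked example of the customer’s CMDB reconciliation just described, written in Python against an in-memory stand-in for the TE Console (example code, not Tripwire’s REST API or TECommander, whose calls the fake console would replace in a real script). FakeConsole, TENode, reconcile and build_sample are assumed names, and the asset records are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Hypothetical in-memory stand-ins for the TE Console node store and a CMDB
# (example code, not Tripwire's API); the store is faked so the logic runs offline.

@dataclass
class TENode:
    name: str
    tags: dict = field(default_factory=dict)  # tag set -> tag, e.g. {"Environment": "Staging"}
    licensed: bool = True
    error: Optional[str] = None               # e.g. "Communications Error"
    unlicensed_on: Optional[date] = None

class FakeConsole:
    def __init__(self, nodes):
        self.tag_sets = {"Administrative": {"Processed", "Retired"}}
        self.nodes = {n.name: n for n in nodes}

    def ensure_tag(self, tag_set, tag):
        # Create the tag set and/or tag on the fly when the CMDB introduces one.
        self.tag_sets.setdefault(tag_set, set()).add(tag)

    def set_tag(self, node, tag_set, tag):
        self.ensure_tag(tag_set, tag)
        node.tags[tag_set] = tag

RETENTION = timedelta(days=90)                # unlicensed nodes are removed after this
SYNCED_SETS = ("Environment", "Application")  # tag sets that follow the CMDB
DAY0 = date(2024, 1, 1)                       # constructed "today" for the sample run

def reconcile(console, cmdb, today):
    """Daily pass: align tags with the CMDB; returns {node name: [actions taken]}."""
    changes = {}
    for name, node in list(console.nodes.items()):
        record = cmdb.get(name, {})
        acts = changes.setdefault(name, [])
        # Communications error on an asset the CMDB marks retired: tag it
        # Retired and unlicense it, then remove it once RETENTION has elapsed.
        if node.error == "Communications Error" and record.get("state") == "retired":
            if node.licensed:
                console.set_tag(node, "Administrative", "Retired")
                node.licensed, node.unlicensed_on = False, today
                acts.append("retired")
            elif node.unlicensed_on and today - node.unlicensed_on >= RETENTION:
                del console.nodes[name]
                acts.append("removed")
            continue
        # First sighting: mark it Processed so it leaves the "Untagged" filter.
        if "Administrative" not in node.tags:
            console.set_tag(node, "Administrative", "Processed")
            acts.append("processed")
        # Ongoing processing: environment/application tags track the CMDB.
        for tag_set in SYNCED_SETS:
            want = record.get(tag_set)
            if want and node.tags.get(tag_set) != want:
                console.set_tag(node, tag_set, want)
                acts.append(f"{tag_set}={want}")
    return {n: a for n, a in changes.items() if a}

def build_sample():
    """Constructed console and CMDB contents, not real inventory."""
    console = FakeConsole([
        TENode("web01", {"Environment": "Staging", "Administrative": "Processed"}),
        TENode("db01", {"Environment": "Production", "Administrative": "Processed"},
               error="Communications Error"),
        TENode("app02", {"Environment": "Production", "Administrative": "Processed"},
               error="Communications Error"),  # transient error, still active in CMDB
        TENode("new01"),                        # just registered, no tags yet
    ])
    cmdb = {
        "web01": {"state": "active", "Environment": "Production", "Application": "Billing"},
        "db01": {"state": "retired", "Environment": "Production"},
        "app02": {"state": "active", "Environment": "Production"},
        "new01": {"state": "active", "Environment": "Development"},
    }
    return console, cmdb
```

Calling reconcile(*build_sample(), DAY0) once tags web01, retires db01 and processes new01 while leaving app02 alone; a second call on DAY0 + RETENTION removes db01 from the console.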

Combining Tags with Saved Filters

Saved Filters allow you to combine asset tags. This can be helpful if you want a group of systems that are in one location and run a particular application, say, “Herndon” nodes that are running “Apache.” In that case, click on the “Saved Filters” entry in the left pane and click on the “New Saved Filter” button at the top of the center pane. Then give the Saved Filter a name, say “Herndon Apache Servers.” Then click the checkboxes next to the Location “Herndon” and the Application “Apache.”

All assets that have both of those asset tags will show up in that saved filter group in the Smart Node Groups view. That way, if you have MS-SQL nodes in Herndon as well, you can create another Saved Filter for Herndon-MSSQL. Then you have the equivalent of two DB types nested under Herndon.

And as noted above, Saved Filters are the only way to take a set of “Untagged” assets and make them visible as a group in the Tripwire Smart Node Groups.

The Asset Tag functionality in Tripwire Enterprise makes management of TE much easier and is another great way to integrate with other products so that information can be shared. At more and more large customers, TE has become the glue between several other security products. Not only that, it adds valuable information about unexpected modifications to those products. By using Asset Tags along with the TECommander script, integrations with TE have helped to break the silos of security information, thereby making a combination that is more powerful than the applications alone.

Tripwire users are using Saved Filters to run tasks only against healthy nodes: create a Saved Filter for “Windows 2016 Healthy Nodes” that includes the System Tag for the Windows 2016 assets and the “untagged” checkbox under the Health tags, then use that group in the Check Task for Windows 2016 systems. This can often speed up your checks by excluding nodes with current errors. Once those errors are cleared, those nodes are again included in the scheduled task.

Saved Filters are also being used to identify when new nodes come into the system, by having an Administrative tag set and a Saved Filter that includes only nodes that have no Administrative tags – that is, the “Untagged” checkbox is selected in the Saved Filter. The Saved Filter could be named “Unprocessed Nodes,” or you can create one per platform type. Create a Saved Filter for new Red Hat nodes by including “Red Hat Enterprise Linux Server 7” and Administrative “Untagged.” This gives me a group of Red Hat 7 nodes that are new to the console. Once I’ve done whatever it is I do for new nodes, I then tag them with any tag in the “Administrative” tag set and the node leaves that group.

The possibilities for Saved Filters are endless. If you’re not sure about how to set up anything in your Tripwire Console, just ask your partner, TE SE, or Tripwire support. We’re always happy to help!

To learn more about Tripwire Enterprise and asset tagging, click here.

 

via:  tripwire

