Monday, July 25, 2022

How Does the Internet Work?

     To understand what the internet is and how it works, we need to familiarize ourselves with a few crucial components such as:

  • Network – A group of computers that are connected and can exchange information and data under a managed procedure.
  • Packet – A small unit of data bundled with information about that data, its source, and its destination, sent to other devices on the network as a message.
  • Protocol – Regulated transmission techniques that are comprehensible by all computers on the network and used to send and receive packets on the network.
  • Switch – A piece of hardware on a single network used to forward/distribute packets to the intended devices or destinations on that network.
  • Router – Another electronic device, used as a gateway on every network, to control and route the traffic of packets between networks.


    Now we know that a group of computers that are connected and in communication with each other is called a network. When we connect different networks to each other, we are creating a “network of networks,” which is called the Internet.

    When a device on a network wants to send a message to another device, it bundles the data (the packet) with a header, including the destination address and other necessary information, and sends it to the “switch.” The switch knows every device on the local network and will forward the packet to the desired destination device if that device exists on the local network. When the destination device is not on the local network, the switch sends the packet to the “router,” the gateway from this local network to the outside world and other networks.

    The router determines where to send the packets it receives and forwards them to the next routers using the Internet’s addressing system, the protocol called “IP” (Internet Protocol). When the packets arrive at the right network and then at the desired device on that network, the reply packets travel the same path back, giving us the internet as we know and use it every day. The video “Life of an IP Packet” is a well-simplified visual display of this basic internet concept and is definitely worth watching.
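The switch/router hand-off described in the two paragraphs above, as a small added simulation (this is illustration code written for this page, not part of the original post). A switch delivers packets on its own network and passes everything else to its router; routers pick the most specific matching route and decrement a hop limit, just as the IP TTL field does, so a mis-configured pair of default routes is caught instead of looping forever. Every host, address and network below is constructed.

```python
"""Toy model of packet forwarding: switches handle their local network,
routers forward between networks by longest-prefix match on the destination
IP address. Added illustration; all hosts, addresses and networks are constructed."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    ttl: int = 8                                  # hop limit, like the IP TTL field
    hops: list = field(default_factory=list)      # devices that handled the packet


class Switch:
    """Knows every device on its local network (one IP subnet in this toy)."""
    def __init__(self, name, network, router):
        self.name, self.network, self.router = name, ipaddress.ip_network(network), router
        self.hosts = {}                           # ip address -> host name

    def attach(self, ip, host):
        self.hosts[ip] = host

    def forward(self, pkt):
        pkt.hops.append(self.name)
        if ipaddress.ip_address(pkt.dst) in self.network:
            return self.hosts[pkt.dst]            # destination is local: deliver directly
        return self.router.forward(pkt)           # otherwise hand it to the gateway


class Router:
    """Gateway between networks; picks the most specific matching route."""
    def __init__(self, name):
        self.name, self.routes = name, []         # routes: (network, next hop)

    def add_route(self, network, next_hop):
        self.routes.append((ipaddress.ip_network(network), next_hop))
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)   # longest prefix first

    def forward(self, pkt):
        pkt.hops.append(self.name)
        pkt.ttl -= 1
        if pkt.ttl <= 0:
            raise ValueError(f"{self.name}: TTL expired for {pkt.dst} (routing loop?)")
        dst = ipaddress.ip_address(pkt.dst)
        for net, hop in self.routes:
            if dst in net:
                return hop.forward(pkt)
        raise ValueError(f"{self.name}: no route to {pkt.dst}")


def build_internet():
    """Two networks, each behind its own router, joined by default routes (constructed)."""
    ra, rb = Router("router-A"), Router("router-B")
    sw_a = Switch("switch-A", "10.0.1.0/24", ra)
    sw_b = Switch("switch-B", "10.0.2.0/24", rb)
    sw_a.attach("10.0.1.10", "alice-pc")
    sw_a.attach("10.0.1.20", "print-server")
    sw_b.attach("10.0.2.30", "bob-pc")
    ra.add_route("10.0.1.0/24", sw_a)
    ra.add_route("0.0.0.0/0", rb)                 # everything else goes toward router-B
    rb.add_route("10.0.2.0/24", sw_b)
    rb.add_route("0.0.0.0/0", ra)
    return sw_a, sw_b


def send(switch, src, dst, payload=b"hello"):
    """Returns (host the packet was delivered to, devices it passed through)."""
    pkt = Packet(src, dst, payload)
    return switch.forward(pkt), pkt.hops


if __name__ == "__main__":
    sw_a, _ = build_internet()
    print(send(sw_a, "10.0.1.10", "10.0.1.20"))   # stays on the local network
    print(send(sw_a, "10.0.1.10", "10.0.2.30"))   # crosses both routers
```

A packet to a local address never leaves the switch; a packet to another network shows the switch, both routers and the far switch in its hop list; a packet to an address nobody owns bounces between the two default routes until its TTL runs out and the router reports it.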

    The chart below shows the rapid growth of the internet worldwide since the 1980s, and we should obviously expect this growth in quality and quantity to continue in the future. Faster, easier, and cheaper internet access seems inevitable, given the new technologies and societies’ growing dependency on them.


    Constant progress in this field is projected, and companies continue to develop and employ new ideas and technologies. Perhaps some of these technologies, like Google’s “Loon Project,” won’t succeed due to business or technical reasons. Still, others like Elon Musk’s “SpaceX Starlink Internet” project would continue to examine different approaches to bringing the internet to every corner and remote area of our planet.

    “How Does the Internet Work” is another simple and valuable source for learning the general concept of the internet; it dives deeper into coverage issues and into connecting different continents, showing some fascinating scenes of the scope of the wiring and connectors on the ground and underwater in the ocean.

Tuesday, July 19, 2022

Securing Critical Infrastructure

Importance of strong security practices

    Constantly increasing cybercriminal activity feeds on the inadequate security measures employed in organizations, and the public sector has arguably been more vulnerable due to the slow and red-taped nature of its organizations. The Baltimore ransomware attack is a clear example of unprepared, off-guard, and incompetent cybersecurity in the public sector. Underfunded IT and security, aging hardware, unpatched software, and a lack of risk assessment and risk management are an open invitation to any hacker.


Why is it important that your vendors practice good security?

    The complexity of modern societies means that any one organization must rely on several other entities in order to function. Outsourcing has been a trend for many years, and it doesn’t seem to be slowing down at all. Based on a study conducted by Opus & Ponemon Institute, vendors or third parties are the cause of more than 60% of data breaches in the U.S. every year. Organizations need to be able to trust their vendors’ security with all sensitive data such as PII, PHI, and cardholder data covered by PCI DSS. It is imperative to consider the organizational security posture as a whole, and supply chain and vendor security are certainly part of it.


Why is it important to consider the roles of people, processes, and technology?

    The people, process, and technology (PPT) framework is about balancing the interaction of these three elements to improve the operational efficiency of an organization. In any organization, people do the work, applying processes enhances the efficiency of that work, and technology helps with automation and the quality of tasks. By utilizing PPT, organizations can expect three reasonable outcomes from any task under ideal conditions:

  • Increased speed
  • Improved efficiency
  • Meeting or exceeding expectations


How can you measure or benchmark security solutions using standards such as common criteria?

    The Common Criteria, also known as the “Common Criteria for Information Technology Security Evaluation,” is an international set of standardized guidelines that enable organizations to objectively evaluate and validate any product or system against pre-set, agreed-upon standards. These standards provide a practical way to ensure users are purchasing equipment that has been independently verified and meets specific security requirements. Common Criteria is a mandatory requirement for the U.S. federal government. Many non-government organizations with higher security expectations, such as data centers, telecommunication companies, and financial and medical organizations, are also increasingly using these standards.


How can critical infrastructure operators keep pace with the latest threat modeling and detection technologies?

    Threat modeling is a pre-defined procedure that helps the cybersecurity team actively identify potential threats, vulnerabilities, and security requirements, quantify the criticality of those threats, and find and prioritize remediation procedures. Threat modeling is a risk-based approach to designing a secure system. It covers threats and scenarios much more holistically than other security measures such as penetration tests or security awareness training. It is a complicated process, and teams often struggle to adopt it; therefore, rather than stopping everything to create the perfect threat model, it is more practical to start simple and grow from there.
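A “start simple” threat model of the kind the paragraph recommends, as an added example (written for this page, not taken from the post or any vendor). Each threat gets a STRIDE category and a DREAD rating (Damage, Reproducibility, Exploitability, Affected users, Discoverability, each 0–10, averaged), and remediation is ordered by score so the team works on the highest-criticality items first. The threats, ratings and the 6.0 threshold are constructed for the example.

```python
"""Minimal threat model with DREAD scoring and remediation ordering.
Added example; the threats, ratings and threshold below are constructed."""
from dataclasses import dataclass


@dataclass
class Threat:
    component: str
    stride: str            # STRIDE category: Spoofing, Tampering, Repudiation, ...
    description: str
    damage: int            # DREAD ratings, each 0-10
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int
    mitigation: str

    def ratings(self):
        return (self.damage, self.reproducibility, self.exploitability,
                self.affected_users, self.discoverability)

    def score(self):
        """DREAD risk score: the mean of the five 0-10 ratings."""
        return sum(self.ratings()) / 5


def validate(threats):
    """Rejects ratings outside 0-10 so a typo cannot silently skew priorities."""
    for t in threats:
        for v in t.ratings():
            if not 0 <= v <= 10:
                raise ValueError(f"{t.component}: rating {v} outside 0-10")


def prioritize(threats, threshold=6.0):
    """Threats scoring at or above the threshold, highest risk first.
    Returns (score, component, stride category, mitigation) tuples."""
    validate(threats)
    ranked = sorted(threats, key=lambda t: t.score(), reverse=True)   # stable sort keeps ties in input order
    return [(t.score(), t.component, t.stride, t.mitigation)
            for t in ranked if t.score() >= threshold]


# Constructed model for a newly deployed internet-facing server.
SERVER_THREATS = [
    Threat("admin login", "Spoofing", "password guessing against the admin interface",
           8, 9, 8, 6, 9, "MFA and lockout on the admin interface"),
    Threat("OS packages", "Elevation of privilege", "known vulnerability in an unpatched package",
           9, 8, 7, 8, 8, "routine patch window plus vulnerability scanning"),
    Threat("application logs", "Repudiation", "logs kept only on the host can be altered",
           5, 6, 4, 3, 5, "ship logs to a central, append-only collector"),
    Threat("telnet service", "Information disclosure", "clear-text management protocol left enabled",
           7, 10, 9, 5, 10, "disable the service and close the port"),
]

if __name__ == "__main__":
    for score, component, stride, mitigation in prioritize(SERVER_THREATS):
        print(f"{score:4.1f}  {component:<18} {stride:<24} -> {mitigation}")
```

The threshold is what lets the model grow gradually: start with the handful of threats above it, lower the threshold as the cheap mitigations are done, and re-score whenever the design changes.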


Why is it important to patch and upgrade systems or third-party platforms on a regular and routine basis?

    The purpose of a security patch is to close the security holes that a major software update or the initial software deployment left open. Every security patch represents hundreds of victims hacked through that hole or vulnerability before the developer was notified to develop and deploy a fix. A report about ransomware in 2021 indicates that unpatched vulnerabilities are the most consistent and primary ransomware attack vector, and that hackers are increasingly targeting zero-day vulnerabilities and supply chain networks for maximum impact.

Defence in Depth (DiD)

    Defense-in-depth is a cybersecurity strategy that employs a multi-layered defense system to ensure maximum safeguards. If a layer of defense fails, the others will be there to block the attacks. The architecture of DiD consists of:

  • Administrative Controls (Policies & Procedures).
  • Technical Controls (Hardware, Software, and Networks).
  • Physical Controls.

    Assuming that I am a systems security analyst for an organization that wants to deploy a new server, here is my checklist:

  • Ensure the physical safeguards are in place, following security policies and protocols.
  • Use an NGFW (Next Generation Firewall) as the first line of defense. This device could include IDS/IPS, application-level monitoring and control, and a WAF.
  • Check the supply chain of the hardware used for the server.
  • Review and confirm the integrity of the server’s components.
  • Ensure that IT technicians follow the security policies for hardening the out-of-the-box server and change all default settings.
  • Ensure that all updates and patches have been installed.
  • Appropriate anti-malware is installed and properly configured.
  • Unnecessary ports are disabled.
  • Oversee the testing of the server in a DMZ or screened subnet as per security policies and protocols.
  • Review that Active Directory, security policy, and logging/monitoring requirements have been met.
  • Ensure remote access policies have been enforced.
  • DNS protection.
  • VPN and multi-factor authentication.
  • The server has been added to the inventory record, and its baseline configuration is well documented.
  • The server’s data is protected at rest and in transit and has been set up for redundancy based on the organization’s policies and protocols.
  • Ensure all updates and patches are current.
  • Install perimeter defenses such as IDS, IPS, and firewalls.

Additional endpoint-related items:

  • Install the preset OS from a workstation installer or snapshot to keep endpoints uniform across the organization.
  • Endpoint protection and installation of the latest version of the corporate-licensed anti-malware.
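Two items on the checklist above, “unnecessary ports are disabled” and “its baseline configuration is well documented,” are only useful if someone re-checks them after deployment. The added example below (written for this page, not part of the post) does that re-check: it compares the server’s listening sockets against a documented baseline and reports listeners the baseline does not allow, expected services that are missing, and services bound to every interface when the baseline says loopback only. The baseline, the service names and the sample `ss -ltn`-style lines are constructed; the column layout (`State Recv-Q Send-Q Local Address:Port ...`) is assumed from that tool’s usual output.

```python
"""Baseline drift check for a server's listening ports.
Added example; the baseline and the ss-style sample lines are constructed."""

# Constructed baseline: port -> (service name, allowed bind scope)
BASELINE = {
    22:   ("sshd", "any"),
    443:  ("nginx", "any"),
    5432: ("postgresql", "local"),   # the database must only listen on loopback
}

LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_listeners(ss_output):
    """Returns a set of (address, port) from lines shaped like `ss -ltn` output."""
    listeners = set()
    for line in ss_output.strip().splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                          # skip the header and non-listening rows
        addr, port = fields[3].rsplit(":", 1)  # rsplit copes with IPv6 like [::]:22
        listeners.add((addr, int(port)))
    return listeners


def audit(listeners, baseline=BASELINE):
    """Compares observed listeners with the baseline; empty lists mean no drift."""
    unexpected, exposed = [], []
    seen_ports = set()
    for addr, port in sorted(listeners):
        seen_ports.add(port)
        if port not in baseline:
            unexpected.append((addr, port))   # an "unnecessary port" that is open
            continue
        service, scope = baseline[port]
        if scope == "local" and addr not in LOOPBACK:
            exposed.append((service, addr, port))   # allowed service, wrong bind address
    missing = [baseline[p][0] for p in baseline if p not in seen_ports]
    return {"unexpected": unexpected, "exposed": exposed, "missing": missing}


# Constructed sample in the style of `ss -ltn`: telnet is open and the
# database is reachable from every interface, neither of which the baseline allows.
SAMPLE_SS = """
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
LISTEN 0      244          0.0.0.0:5432       0.0.0.0:*
LISTEN 0      128          0.0.0.0:23         0.0.0.0:*
LISTEN 0      4096            [::]:22            [::]:*
"""

if __name__ == "__main__":
    for finding, items in audit(parse_listeners(SAMPLE_SS)).items():
        print(f"{finding:<10} {items}")
```

Run periodically (or from the monitoring system), a non-empty result is a change against the documented baseline that someone has to explain, which is exactly the evidence the inventory record is supposed to give you.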

SolarWinds Attack

Employed Techniques

    The SolarWinds attack was a software supply chain hack executed against American software company SolarWinds, which develops and maintains network monitoring tools used by major corporations and government agencies.

    The state-sponsored attack exploited the SolarWinds Orion Platform by embedding backdoor code into a legitimate SolarWinds library, which was then spread via an automatic software update (Trojanization). The attacker gained remote access (RAT) into over 18,000 victims’ environments and a foothold in their networks, which was used to attain privileged credentials. FireEye named it the “Sunburst backdoor.”

    The attacker used various defense evasion techniques such as masquerading, code signing, obfuscated files or information, indicator removal on the host, and virtualization/sandbox evasion. Many other MITRE ATT&CK tactics, such as lateral movement, command and control, and data exfiltration, are believed to have been used.


Mitigations recommended by the NSA

    The NSA provides guidance for a practical evaluation methodology to assess how to improve Operational Technology (OT) and control system cybersecurity, recommending several steps that organizations can take to increase OT security, such as:

  • Protecting all access vectors with encryption.
  • Logging all access attempts from vendors or any outsourced OT support, remote connections, and internal access.
  • Disconnecting all remote access connections unless an active monitoring procedure is implemented.
  • Creating an OT network map and a device settings baseline.
  • Identifying and validating all equipment and devices on the network.
  • Assessing and prioritizing OT network cybersecurity requirements and employing network hardening strategies.


Detection strategies recommended by the NSA

Attackers are abusing trust in “on-premises” federated identity providers or single sign-on (SSO) to gain access to resources, including resources in “off-premises” cloud services. These systems often use cryptographically signed automated messages called “assertions,” shared via the Security Assertion Markup Language (SAML), to show that users have been authenticated. When an actor can disrupt the authentication mechanism, they can gain unauthorized access to a wide range of an organization’s assets.

The security of identity federation in any cloud environment depends on “trust in the on-premises components,” which perform authentication, assign privileges, and sign SAML tokens. If any of these components is compromised, the trust in the federated identity system can be abused for unauthorized access. Therefore, taking these steps seems to be essential:

  • Securing the SSO configuration and monitoring service usage.
  • Hardening the system.
  • Monitoring the use of SSO tokens and examining the logs for suspicious tokens.
  • Auditing the creation and use of service principal credentials.
  • Using Azure AD as the authoritative identity provider to benefit from the additional protection offered by the cloud provider.
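What “examining the logs for suspicious tokens” can look like in practice, as an added example (written for this page; it is not NSA code and not taken from the post). The trust model described above is that only the on-premises signing component may mint SAML assertions, so a service provider, or a log pipeline fed by one, can sanity-check every assertion it sees: is the issuer the expected one, is the signing certificate the IdP’s, is the validity window within policy, and does the IdP’s own issuance log know about this assertion ID at all? The issuer URL, the certificate bytes, the one-hour lifetime policy and the IdP issuance log are all constructed placeholders; the example does not verify the XML signature itself, which the SP’s SAML library already does, but looks at what a valid signature from the wrong key or with odd conditions would still leave visible.

```python
"""Sanity checks on SAML assertions seen at a service provider.
Added example; the issuer, certificate bytes, lifetime policy and IdP log
are constructed placeholders, not values from any real deployment."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed trust anchors (hypothetical issuer URL, made-up certificate bytes).
TRUSTED_ISSUER = "https://idp.example.test/adfs/services/trust"
TRUSTED_CERT_BYTES = b"constructed-idp-signing-cert"
TRUSTED_CERT_SHA256 = hashlib.sha256(TRUSTED_CERT_BYTES).hexdigest()
MAX_LIFETIME = timedelta(hours=1)          # assumed policy value

# Constructed record of assertion IDs the IdP itself logged as issued.
IDP_ISSUED_IDS = {"_a1b2c3"}


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def assertion_xml(assertion_id, issuer, cert_bytes, not_before, not_on_or_after):
    """Builds a minimal assertion for the example (no real signature value)."""
    cert_b64 = base64.b64encode(cert_bytes).decode()
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
  ID="{assertion_id}" IssueInstant="{not_before}" Version="2.0">
  <saml:Issuer>{issuer}</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>
</saml:Assertion>"""


def inspect_assertion(xml_text):
    """Returns a list of findings; an empty list means nothing looked off."""
    root = ET.fromstring(xml_text)
    findings = []

    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != TRUSTED_ISSUER:
        findings.append(f"unexpected issuer {issuer}")

    # Signing certificate: compare its fingerprint with the IdP's known cert.
    cert_b64 = root.findtext(".//ds:X509Certificate", namespaces=NS) or ""
    fingerprint = hashlib.sha256(base64.b64decode(cert_b64)).hexdigest()
    if fingerprint != TRUSTED_CERT_SHA256:
        findings.append("signed with a certificate that is not the IdP's")

    # Validity window: long-lived assertions are outside normal SSO behaviour.
    cond = root.find("saml:Conditions", NS)
    lifetime = parse_time(cond.get("NotOnOrAfter")) - parse_time(cond.get("NotBefore"))
    if lifetime > MAX_LIFETIME:
        findings.append(f"lifetime {lifetime} exceeds policy of {MAX_LIFETIME}")

    # Correlation: every assertion the SP accepts should exist in the IdP's log.
    if root.get("ID") not in IDP_ISSUED_IDS:
        findings.append("assertion ID never logged as issued by the IdP")

    return findings


if __name__ == "__main__":
    good = assertion_xml("_a1b2c3", TRUSTED_ISSUER, TRUSTED_CERT_BYTES,
                         "2022-07-19T10:00:00Z", "2022-07-19T10:05:00Z")
    odd = assertion_xml("_zz9", TRUSTED_ISSUER, b"constructed-rogue-cert",
                        "2022-07-19T10:00:00Z", "2022-07-20T10:00:00Z")
    print("good:", inspect_assertion(good))
    print("odd: ", inspect_assertion(odd))
```

The correlation check is the one that depends on the on-premises logging the NSA list asks for: it only works if the IdP’s issuance records are collected somewhere the SP-side analysis can read them.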



Monday, July 18, 2022

Responding to Cyber Threats

A short case study of Stuxnet

    According to Gartner’s predictions, cyber attackers will be able to weaponize operational technology to harm or kill humans by 2025. Operational technology includes the equipment that monitors or controls processes in manufacturing, resources, and utilities, which are targeted in particular. Cyber-physical systems (CPS) and internet of things (IoT) devices are increasingly affecting our quality of life and also playing a more critical role in our society’s infrastructure and government. The combination of global digital interconnection and sophisticated major cybercrime players (such as state-sponsored or organized-crime hackers) is increasing the consequences of such attacks.


Stuxnet, the world’s first “Digital Weapon”

    Stuxnet, a highly sophisticated 500 KB worm, was first uncovered in 2010 after destroying many centrifuges at Iran’s Natanz uranium enrichment facility. It was initially developed to remotely exploit a zero-day vulnerability in a version of the Siemens SIMATIC STEP 7 and PCS 7 software running on Microsoft Windows machines in the Iranian nuclear program. This supervisory control and data acquisition (SCADA) control equipment is also used in power plants and other manufacturing industries. The worm was identified by a security company from Belarus after it spread beyond its intended target because of a programming error, infecting more than 200,000 computers across the world while physically destroying 984 centrifuges.

    It is believed that in 2008 Siemens shared its source code with US authorities and Idaho National Laboratory in order to find any possible security vulnerabilities in the PLC system used in nuclear energy facilities operations.

    It is commonly believed that the joint US and Israeli intelligence task force against the Iranian nuclear program was informed about the vulnerability found in the Siemens software and started developing Stuxnet. The task force’s code name was “Operation Olympic Games,” and it worked under both President Bush’s and President Obama’s administrations. The Stuxnet domain, “,” was registered in late 2008 and was supposed to be used only for code download and updates. It seems that Stuxnet first spread itself via LAN into the systems of contractors working with the Iranian nuclear program, and was then transferred onto the offline PCs inside the facility by a USB stick, most probably by an insider. After infecting a machine, the worm checked whether it was part of the targeted Siemens control system, and if it was, it tried to reach the internet for the latest updates. The next step was reconnaissance and information gathering, which was then used to take control of the centrifuges, making them spin irregularly and pushing them to failure. The worm also gave false feedback and reports to the outside controllers, so they couldn’t diagnose the problem.

    It seems this attack was massively successful because of:

  • A sophisticated team sponsored by multiple states
  • A shared zero-day vulnerability
  • A serious security breach in the Iranian organization (personnel, cybersecurity, and protocols): they failed to consider supply chain vulnerabilities or to implement an effective IDS/IPS, AD and ACL, and monitoring system.

    On the Iranian side, the attack could have been prevented, or at least its impact minimized, by implementing:

  • Multi-layered defense, or defense-in-depth, for more effective security: security policies, ACLs, component isolation, segmentation, and workforce training.
  • Physical and logical barriers between networks (SCADA and organizational networks).
  • Disabling all unnecessary ports (physical & logical).
  • Restricting user privileges and requiring pre-approval for any software installation or change.
  • Constant administrative monitoring procedures on the network.


    For a country like Iran, which technologically depends on other states and multinational corporations, there is always a considerable risk of manipulation or exploitation. However, its critical point of failure was the lack of proper security, personnel, and IT, especially for such a secretive and politically imperative program.

Cyber Vulnerabilities

The Human Element

    Mistakes and errors in judgment are a core part of how humans learn and grow; however, when it comes to security, they can play a significant role in cybersecurity breaches.

    According to the IBM Cyber Security Intelligence Index report[1], human error is a major contributing cause in 95% of all breaches. It is safe to assume that the majority of this 95% is unintentional and happens for a variety of reasons, such as recklessly infecting the system with malware, failing to follow security protocols and policies, naively falling for a socially engineered trap, or just taking the shortest and easiest path, like an easy password.

    Based on Verizon’s 2021 Data Breach Investigations Report (DBIR)[2], 61% of breaches are attributed to exploited credentials. Passwords with privileged access to the organization’s resources could create a disastrous incident for companies and their customers. The DBIR indicates that “privilege abuse” has been the cause of almost 80% of breaches.

    A Google study in 2019 revealed that:[3]

  • 75% of Americans are still struggling to choose and maintain passwords
  • 24% have used simple passwords such as 111111, abc123, Password, 123456, etc.
  • 59% of US adults have used a combination of their birthday or name in passwords

    NCCIC/US-CERT recommends choosing strong passwords and maintaining them securely, which can help reduce breaches.[4]
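The weak patterns the Google study lists (trivial passwords, and a name or birthday folded into the password) are exactly what a password-screening step at account creation can refuse. The added example below is written for this page, not taken from the post or the cited sources: it normalizes the usual character substitutions, checks against a short constructed sample of common passwords (a real deployment would load a large breached-password list), and looks for the user’s own name and birthday. The minimum length of 12 and the substitution table are assumptions.

```python
"""Password screening against common passwords and personal-data reuse.
Added example; the common-password list is a short constructed sample."""
import re
from datetime import date

# Constructed sample; a real deployment would load a large breached-password list.
COMMON_PASSWORDS = {"111111", "abc123", "password", "123456", "qwerty", "letmein"}

SUBSTITUTIONS = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                               "$": "s", "5": "s", "!": "i", "|": "l"})


def normalize(pw):
    """Undo the usual substitutions (P@ssw0rd -> password) before comparing."""
    return pw.lower().translate(SUBSTITUTIONS)


def birthday_forms(d):
    """Ways a birthday commonly turns up inside a password."""
    return {d.strftime(f) for f in ("%Y", "%m%d", "%d%m", "%m%d%Y", "%d%m%Y", "%m%d%y", "%Y%m%d")}


def screen_password(pw, name=None, birthday=None, min_len=12):
    """Returns a list of reasons to reject the password; empty means it passed.
    `birthday` is an ISO date string (YYYY-MM-DD) when given."""
    reasons = []
    low = pw.lower()
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")

    # Common passwords, including ones hidden behind substitutions or a suffix.
    stripped = re.sub(r"[^a-z0-9]", "", normalize(pw))
    if any(c in low or c in stripped for c in COMMON_PASSWORDS):
        reasons.append("on the common-password list")

    # Personal data: any part of the user's name, or their birthday in common forms.
    if name:
        for part in name.lower().split():
            if len(part) >= 3 and part in low:
                reasons.append(f"contains the user's name ({part})")
    if birthday:
        forms = birthday_forms(date.fromisoformat(birthday))
        if any(f in pw for f in forms):
            reasons.append("contains the user's birthday")

    # One repeated character, or a slice of the digit/alphabet sequence.
    if re.fullmatch(r"(.)\1*", pw) or pw in "0123456789" or low in "abcdefghijklmnopqrstuvwxyz":
        reasons.append("single repeated or sequential characters")
    return reasons


if __name__ == "__main__":
    for candidate in ("123456", "P@ssw0rd2022", "Alice1990!", "correct-horse-battery-staple-7"):
        print(f"{candidate:<32} {screen_password(candidate, 'Alice Smith', '1990-05-14')}")
```

Returning the reasons rather than a bare yes/no lets the sign-up form tell the user what to change, which is what makes people pick something better instead of a small variation on the rejected one.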

    In my personal experience, receiving phishing emails generally depends on the level of your digital exposure and footprint in modern society. I used to have Facebook and Instagram accounts, which contributed to receiving several emails and notifications daily. Other than limiting unnecessary social media presence, there are different ways to minimize the number of emails you receive in your inbox, such as third-party apps that can automatically opt you out of lists, and blocking emails based on a white/blacklist configuration. My email security settings usually won’t let many phishing emails into my inbox. Still, even if they arrive, I wouldn’t bother opening them, while my wife receives hundreds of emails daily.

    To avoid spear phishing attacks:

  • The security team should train the employees.
  • Implement security measures to prevent or minimize receiving phishing emails.
  • Stay updated through research, and get to know new threats and intelligence in the business field.

Sunday, July 17, 2022

GDPR’s impacts on cybersecurity, both in and outside the EU

    The European Union’s General Data Protection Regulation (GDPR) requires extensive data protection and safeguards. GDPR’s rules for collecting and processing the PII of EU citizens apply to any company, anywhere in the world; therefore, this law has impacted privacy policies and procedures worldwide. GDPR’s mandate to notify the public of any security incident that leads to a personal data breach within a short time has increased cybersecurity efforts and improved the skillset of professionals in this field. Although these measures add to the cost of services for users, based on a report published by the Capgemini Research Institute, 39% of consumers will spend more when they trust companies with their PII, which could lead to more sales and translate into a financial incentive. Enforcement of this law, regardless of geographic jurisdiction, seems to be successful, since companies are obligated to comply if they want to stay in business.

    Studies and economic analysis on the financial impact of the GDPR (before the pandemic) show a 26.1% decline in the number of monthly EU contracts. In comparison, there has been a 33.8% increase in the dollar value per contract. GDPR also negatively affected new foreign investments in the EU, especially start-ups and data-related companies. Based on another report, fifty-five percent of mergers and acquisitions did not conclude due to concerns about companies’ compliance with GDPR.

    Under the GDPR, any EU resident is entitled to the right to:

  • access their personal data
  • be forgotten, asking the company to delete their data
  • data portability
  • be informed about the collection of their data
  • correction of their information
  • restrict data processing
  • be notified if there has been a breach
  • give consent before their data is gathered

    These are the most extensive rights for consumers, who are given complete control of their personal data.

    In my opinion, GDPR will take a larger share of the privacy and security field and force the other international standards, guidelines, and policies to be more adaptive in the future. If I were to make any changes to this law, I would make it a little more business-friendly to maximize efficiency and lower the cost of handling personal information.




Evolution of Open Source Intelligence (OSINT) and its rise in modern investigation

    The genesis of OSINT [1], as we know it, in the United States goes back to the 1940s and World War II ...