As part of my pursuit of more knowledge in the information security field, I visited the InfoSecurity.nl Conference in Utrecht, the Netherlands on November 4th. After entering the premises I started with a bit of wandering through the stands, since it was a combined event of Information Security, the Storage Expo and an IT-Tooling event.
For the afternoon I had subscribed to several talks, mostly focused on improving the IT/Info Security department.
Effective monitoring, think like a hacker – DearBytes Security
The presenter began with a short intro on how he became a hacker, with examples of gaining remote access to computers of his friends when he was still a kid. After that he presented some examples of big hacks such as the US Office of Personnel Management, Target and Gemalto, making the point that although these were big hacks, nothing was detected, and asking how that was possible.
He introduced the purpose of the talk as looking differently at network traffic by setting various traps, and gave the following four examples:
Example 1: The Evil canary
The evil canary was introduced by a comparison to the mining industry. Canaries were used to detect gas in the mines so that miners could escape safely: when the canary dies, there is gas and everybody must get out immediately. The Evil Canary works the other way around. You introduce a machine into the network with the sole purpose of never being touched in the first place. As soon as anything touches this machine, whether by a port scan, remote access or other means, alarms must be triggered to notify the security team that something is happening to it. This allows rapid response and early identification of undesired activities.
Example 2: The honeyuser
Based on the same principle as the evil canary, a honey-user is a specially crafted user account which, when used, triggers all sorts of alarms. It has to be an account attractive to a malicious user, but not so obvious that it is recognised as a test account and left alone. Once the account is used to log in anywhere, alarms are sent to the security team for rapid response.
Example 3: The honeypot
The third example was the example of a honeypot. This was mostly the common story of honeypots, being an attractive system with triggers in place for early detection. Nothing really new here to be honest.
Example 4: The evil canary (again)
For the fourth example, the presenter circled back to the Evil Canary, but now with the additional feature of telling automated and manual attacks apart. Build triggers into the environment that only a human would follow, and monitor them actively. This helps differentiate between common automated scanning and a (hopefully more sophisticated) manual attack by an actual human being.
Overall the talk was nice and informative, although starting the story by telling how one broke the law in the past was perhaps not the best way to begin. The examples of the HoneyUser and Evil Canary were quite nice, although for some people perhaps not new. I really liked the concept of the Canary, being a system in the network that is not supposed to be touched.
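As an added illustration (not from the talk or from DearBytes), the following Python sketch applies the canary host, honey-user and automated-versus-manual ideas from examples 1, 2 and 4 to a handful of constructed log lines; the canary address, the honey account name, the time window and the port threshold are all assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the talk): firewall flows and logon events.
SAMPLE_LOGS = """\
2015-11-04T10:01:02 fw src=10.0.5.23 dst=10.0.9.250 dport=22
2015-11-04T10:01:03 fw src=10.0.5.23 dst=10.0.9.250 dport=80
2015-11-04T10:01:03 fw src=10.0.5.23 dst=10.0.9.250 dport=443
2015-11-04T10:01:04 fw src=10.0.5.23 dst=10.0.9.250 dport=3389
2015-11-04T10:15:00 fw src=10.0.7.8 dst=10.0.1.20 dport=445
2015-11-04T10:22:41 auth user=svc_backup_admin src=10.0.5.23 result=failure
2015-11-04T11:05:09 fw src=10.0.7.8 dst=10.0.9.250 dport=445
2015-11-04T11:30:00 auth user=jdoe src=10.0.7.8 result=success
"""

CANARY_HOSTS = {"10.0.9.250"}        # assumed canary: no legitimate traffic ever goes here
HONEY_USERS = {"svc_backup_admin"}   # assumed honey account: never used by any real process
SCAN_WINDOW_SECONDS = 60             # several ports from one source inside this window = automated
SCAN_PORT_THRESHOLD = 3

FW_RE = re.compile(r"^(\S+) fw src=(\S+) dst=(\S+) dport=(\d+)$")
AUTH_RE = re.compile(r"^(\S+) auth user=(\S+) src=(\S+) result=(\S+)$")


def detect(log_text):
    """Return (kind, source, detail) alerts. Any logon attempt with a honey user
    and any packet to a canary host alerts; canary touches are labelled 'scan'
    when one source hits several ports quickly, otherwise 'interactive'."""
    alerts = []
    touches = defaultdict(list)  # source -> [(timestamp, port)] seen against canary hosts
    for line in log_text.splitlines():
        m = FW_RE.match(line)
        if m and m.group(3) in CANARY_HOSTS:
            touches[m.group(2)].append((datetime.fromisoformat(m.group(1)), int(m.group(4))))
            continue
        m = AUTH_RE.match(line)
        if m and m.group(2) in HONEY_USERS:
            # Success *and* failure alert: nobody should even try this account.
            alerts.append(("honeyuser", m.group(3), f"{m.group(2)} logon {m.group(4)}"))
    for src, events in sorted(touches.items()):
        span = (max(t for t, _ in events) - min(t for t, _ in events)).total_seconds()
        ports = sorted({p for _, p in events})
        if len(ports) >= SCAN_PORT_THRESHOLD and span <= SCAN_WINDOW_SECONDS:
            alerts.append(("canary-scan", src, f"{len(ports)} ports in {span:.0f}s: {ports}"))
        else:
            alerts.append(("canary-interactive", src, f"ports {ports}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(*alert)
```

Traffic to ordinary hosts and logons by ordinary users produce nothing, which is the point of a trap: the alert list should be empty on a quiet day, so anything in it deserves a look.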
Five thoughts on better IT security
The next talk was hosted by Madison-Gurkha and focussed on everyday assumptions we see in the world of Info/IT security. The presenter had identified 5 assumptions which should be considered misconceptions.
1 The supplier does security… does he?
Too many times it is assumed that suppliers perform the necessary security activities. However, most contracts are still focussed on the functional requirements of delivered services. This makes it even more important to watch contracts not just for what an application or service must do (functionality) but also for what it must not do (security). Also, make sure to ask the right questions when it comes to security. Find out if a product or service is tested for its security and what the results are. Know your rights and obligations as a customer: whether you may test it for security and, if so, what should be done with the results. Perhaps even more importantly, know what the supplier does with the results. Nothing is a bigger waste of resources than a good security test when nothing is done with the results.
2 We can trust everyone internally
The internal network should be perceived as a coconut: hard on the outside but soft inside. And it is the soft inside that has to be protected by all means. This analogy was chosen specifically because of the soft inside: there is always an unpatched system on the network which can be exploited. Therefore the misconception of trusting everyone internally should be let go of. Be aware of the vulnerabilities in the internal network and how any user could exploit them. Compartmentalize the network and, within each compartment, take a host-based approach to securing the network and the attached devices.
3 Our security measures prevent breaches
The fact that an organization has security measures is not sufficient in itself. The primary focus is on preventing issues and, although that is the bare necessity, good security revolves around prevention, detection, response and recovery. We hear security fashion statements such as SOC, SIEM and the latest hype called threat intelligence. However, don't spend any money on these solutions if you don't know what you're doing with them. As long as your security team has limited resources, at least log security events and store the logs. The next items to focus on are response and recovery.
4 Our internal employees don’t do things they shouldn’t
Another assumption is that employees follow the rules. The presenter gave the example of the Ashley Madison hack and the list of passwords disclosed. This list consisted of bad, weak passwords such as 12356, 111111 and QWERTY. He made the point that if you protect your cheater's life this badly, how well would you be protecting something as impersonal as company data? Most likely not too well.
Even though people mean well, a lot of security issues come from the fact that people make mistakes. These mistakes are made because people are unaware that they are doing things which may not be so smart. The most important counter-measure presented was to make people aware of what happens and where to report suspicious activities. Also, when such activities are reported, make sure to reward people publicly for reporting them; make good behaviour something to be proud of.
5 Big data is an opportunity
Many companies see the big data approach as an opportunity. One thing they seem to forget here (either wilfully or accidentally) is that more data also means more risk. Yes, an organization can perform more analysis if it has more data, but at the same time, in case of a breach, more data is lost. With the new Dutch/European 'law on reporting data leakage', having more data may mean more data that has to be protected sufficiently. The good thing about this law is that it only focusses on Personally Identifiable Information (PII). However, companies should consider whether they really need the data they store and, if they do not need it, how to remove or destroy it.
The Drone matrix – Motiv
Although I had registered for the talk on a continuous view of vulnerability & compliance, the schedule overran and too many people were queuing for that talk, so I decided to skip it. After wandering through the conference for a few minutes I walked by the Motiv stand, where a talk on Drones or Unmanned Aerial Vehicles (UAVs) had just started. Although not directly relevant to my personal knowledge, it was still an interesting topic, so I decided to listen in on this talk instead.
The presenter started with a short video of a drone flying over a beach, in an aerial fight with some other drones. Even though the presenter first faced some technical challenges with the multiple screens, it was a nice video to see. After the video he continued with the many different names and acronyms used for these Unmanned Aerial Vehicles or UAVs, the most common being either UAV or Drone. In general, drones are perceived as scary, but there is nothing scary about them (except for the cameras and sensors maybe). One of the main fears presented is the idea that a Drone does not have a pilot but flies autonomously. This can be discarded as a misconception, since each drone still has a pilot; the pilot is just not physically present in the aircraft. It is remote controlled.
The presenter mentioned that this is also one of the key benefits. It is all computer guided, which makes it less fault-sensitive. In his presentation he made the comparison to flying and landing an F18 on an aircraft carrier. The first female F18 pilot once told the story that taking off and landing an F18 is actually done with just the press of a button; the computer does the rest.
This is also where the main concern for drones lies: safety is key. Sense and avoid must be active (collision detection and avoidance); both a CAS system (onboard) and the ITS (international standard as used on helicopters) have to be implemented.
The presenter concluded with an overview of the broad range of applications drones are already being used for. Overall a nice insight into the application and possibilities of drones and the unwarranted fear surrounding them.
The e-mail that will cost you millions, The story of carbanak – Kaspersky Labs
The last talk I attended was from Kaspersky Labs and titled "The e-mail that will cost you millions". The presenter introduced himself as part of the Global Research and Analysis Team (GReAT) and showed a picture of their 'elite' team (his words). In general I do not like this way of showing off how fabulous one is (your legend should precede you, not be spread by yourself), and this somewhat took away my initial interest in his story. However, I do like to give people a second chance, so I stayed for the story itself.
In 2013, the Kaspersky team received an email from Ukraine. One of their known contacts said he had a problem and needed help from the research team. They had to come over to see what the problem was, because he did not want to tell too much over the phone. So they flew over to Ukraine and were led to an on-site CCTV room. There they were shown a video of a man who walks into a bank; a few seconds later the ATM starts spewing money. The visitor collects roughly 1 Million in cash and leaves the bank again. Obviously, the team was baffled by what the video showed and wanted to investigate what had happened.
They found out there was a challenge/response mode activation through malware installed on the ATMs. This allowed the 'money mule' to walk into the bank, activate the challenge/response mode on the ATM and have it spewing money all over the place. But how did it get there and what had happened? Twice in 2014 the same thing appeared to happen, when one of the domain controllers appeared to send information to China. It started with spear phishing and a malware infection; the attackers then observed user behaviour to learn the procedures, watched the screens while transactions were made, and identified interesting approaches and linked or related systems.
The Kaspersky researchers decided there were two possible things to do: either update the signatures against the malware or write a script against the malware. Once the report was published, the carbanak malware/botnet was taken down. Eventually new, modified versions came back online, so it still cannot be said that the entire problem is eradicated.
Despite the initial “We’re the elite” introduction which is my personal allergy, it was an interesting talk about the entire process of detecting, analysing and eventually working with the authorities to catch the bad guys breaking in. Therefore I am happy that I stayed after the initial presentation of the team and have to say that they have done great work and are able to show it.
Overall, the visit to the InfoSecurity conference was a nice start to get some knowledge on what is happening in InfoSecurity Land. However, one of the key learning points after such a first visit is to keep a 'burner-phone' number and e-mail address for registration at these kinds of events. Both before and after visiting the seemingly 'free' conference, spam on both cellphone and e-mail started arriving to get me interested in buying all kinds of security solutions, even though I am not a buyer and am not planning to buy anything as a result of a visit to such a conference. It is a good opportunity to network with people and revive some contacts you have not spoken with in a long time. I am happy to have visited and may visit again next year.