New Technology Implementations for Financial Institutions

By: Alex Shanteau, Security Engineer, MAD Security | March 28, 2019

A never-ending war is being waged between malicious actors and cybersecurity specialists. In order to stand their ground, defenders must constantly develop new and innovative ways to protect their networks. Purchasing a new security solution can often turn the tide of battle in the defender’s favor, but there are many considerations before blindly buying into the latest and greatest technology. One challenge in particular is understanding the amount of resources needed to properly research and implement new technologies or features.

Small and midsize businesses, such as community banks and credit unions, often underestimate the time, effort, and expertise needed to properly implement new technologies. The often-lengthy transition period can actually decrease your organization’s security posture, introducing additional attack vectors and causing compliance issues. For a simple example, think about a firewall upgrade project. For many years this meant, at an extremely simple level, that you block bad traffic and allow good traffic. Now you want to implement the newest next-generation firewall (NGFW) technology, which comes with additional features such as Intrusion Detection System, Identity Awareness, VPN, and other complementary functions. From a complexity standpoint you have just gone from managing basic rules controlling access to managing multiple complex functions that can introduce vulnerabilities if not fully researched and expertly implemented in your environment.

When implemented correctly, these features will of course increase your overall security posture. When we conduct firewall health checks, however, we find that these new features have often been configured improperly. In the case of using an NGFW as a VPN, for example, an incorrectly...
Mobile Security Defenses

By: Jeremy Klinzak, Security Engineer, MAD Security | February 7, 2019

Mobile device security is an important part of securing IT assets for companies today. These devices are some of the most exposed parts of IT infrastructure, as they go everywhere the employee goes. Common threats to mobile devices include malicious applications, malicious advertisements, sideloading, and rogue access points. Fortunately, Mobile Device Management (MDM) solutions exist and serve as a means to simplify the process of securing and managing employee mobile devices. MDM solutions can assist in preventing mobile device compromise and empower organizations to respond to security incidents such as a stolen or infected mobile device. In the sections below I will explain some of the common features of MDMs and the threats they can help mitigate. Before reviewing MDM solutions, let’s first analyze the most common threats to mobile devices and discuss developing a Mobile Device Policy.

Common Methods of Infection

There are three common methods by which malware infects mobile devices: malicious or infected applications, malicious advertisements or phishing, and sideloading. MDMs can assist in preventing all three. Let’s explore these to detail how devices can become infected and how MDMs can assist in protecting them.

Malicious or Infected Applications

Sometimes attackers manage to upload malicious applications to the iOS and Google Play stores posing as harmless software. Attackers can also infect previously safe applications. In 2017 attackers hacked the popular application CCleaner’s distribution servers[i]. This allowed attackers to inject malicious code into the application and infect any device that installed CCleaner after...
Ransomware Defenses

By: Scott Busby, Security Engineer, MAD Security | February 1, 2019

The name ransomware comes from a not particularly clever combination of the words “ransom” and “malware”. First seen in 2013, ransomware is a type of evolving malware that attempts to encrypt files on a target system and make them unusable for the victim. The attacker then informs the victim that for a hefty fee (often paid in Bitcoin) they can regain access to their data. Losing access to data can be a showstopper for businesses, and for individuals with important photos or documents it can also be emotionally devastating.

Victims essentially have only three options for getting their data back. The first and most obvious option is to just pay the ransom. Not only is this option costly, but you have no guarantee that the attacker will actually decrypt your data after receiving payment. The second option is to discover the private key that the attacker used to encrypt your data. In most instances this isn’t really an option; there have been some documented cases of attackers hardcoding decryption keys, but for the most part, brute-forcing the private key needed to decrypt the data would require nation-state level resources and a long-term commitment. The third and best option (if available) is to simply restore the data from a backup. In this scenario, having a backup could save your company hundreds of thousands of dollars, which reinforces just how critical backing up data is!

Although ransomware attacks have trended downward significantly since their 2013 debut, as much as 16,000 ransomware...
Best Practices for Managing Software Vulnerabilities

By: Chris Roth, Security Engineer, MAD Security | January 24, 2019

Software vulnerabilities provide one of the biggest attack vectors into an organization. New security flaws are constantly being discovered, making defending against them an ongoing struggle to keep our organizations safe. The good news is that there are best practices that help mitigate the risks associated with them. Two of the most significant are patch management and vulnerability management. While these may seem simple on the surface, software vulnerabilities are frequently our main point of entry during security assessments. A well-implemented patch and vulnerability management program can detect and remediate patch-related vulnerabilities before an attacker is given a chance to abuse them. Below we will step through the basic components that a successful patch and vulnerability management program should encompass.

Patch Management

What is patch management? It may seem like a silly question, but patch management encompasses much more than just “applying patches”: it is a continuous set of tasks with the overall goal of preventing the exploitation of vulnerabilities. At a high level, this is done by applying security-related updates to remove attack vectors exposed by poor coding or by incorrect implementation of the software. A number of steps are needed to ensure that patching is successful across your infrastructure. These steps can be broken down into the major categories of hardware inventory, software inventory, patch testing, and patch deployment. Each of these is broken out below and explained in more detail to help gain a better understanding of how it is accomplished, as well as...
Phishing Protections

By: Will Young, Director of Technical Testing, MAD Security | January 10, 2019

Protecting users from phishing attacks requires a defense-in-depth strategy. Users are the last line of defense against phishing attacks and are also, unfortunately, the weakest. Ideally, your other protections ensure that phishing emails never make it to your users to begin with. In order to understand how to protect against phishing emails, let’s walk through a few examples of an attacker sending a malicious email to one of your users and discuss the different steps in the delivery process where we could prevent this from happening.

Impersonation Protections

SPF, DKIM, and DMARC records all help weed out phishing emails that attempt to impersonate another organization. When configured by an organization, these records essentially dictate who is allowed to send emails on behalf of that organization. Anyone sending an email attempting to impersonate an organization with these records will likely have their email rejected by most modern mail servers.

SPF Records

At a basic level, SPF (Sender Policy Framework) records establish a method for receiving mail servers to verify that incoming email from a domain was sent from a host authorized by that domain’s administrators. SPF records are TXT records configured on an authoritative DNS server for the sending domain.

Let’s suppose that your company’s domain name is “globalcorp.com” and that an attacker attempts to send an email from “[email protected]” to one of your employees using an SMTP server owned by the attacker. When your company’s mail server receives...
4 Common Cybersecurity Threats

By: Alex Shanteau, Senior Security Consultant, MAD Security | January 3, 2019

As the untamed cyber threat landscape evolves in scope, sophistication, and reach, the risks organizations face will continue to increase not only in number but in severity, and attackers are finding new ways to infiltrate your internal and external networks every day. In this blog post, we’ll take a look at some common threats you’re likely to see throughout 2019, and over the next several weeks we will go in-depth on prevention and mitigation of these types of attacks.

Sophisticated Phishing Campaigns

Most phishing attacks come in the form of email spam, tricking users out of their credentials, financial, or other sensitive information. Phishing emails have come a long way from the cliché Nigerian Prince scam. Most current phishing emails replicate an email you may think is completely normal and credible, and can come in a number of formats, from a LinkedIn request to a fraudulent invoice. These phishing emails are becoming ever more sophisticated, including the successful usage of multi-factor authentication, the inclusion of homographic domain names, and almost perfect impersonation of legitimate applications. This attack vector exploits the weakest link in the cyber defense chain – people – and can lead to devastating and sometimes catastrophic compromises for companies.

During a recent red team exercise we conducted for an enterprise-sized company, LinkedIn phishing requests were sent to targeted employees who were identified by combing publicly available information on the Internet. These users received an email asking them to join a group associated with their company on LinkedIn. When users clicked on the...