New Technology Implementations for Financial Institutions

By: Alex Shanteau, Security Engineer, MAD Security | March 28, 2019

A never-ending war is being waged between malicious actors and cybersecurity specialists. In order to stand their ground, defenders must constantly develop new and innovative ways to protect their networks. Purchasing a new security solution can often turn the tide of battle in the defender’s favor, but there are many considerations before blindly buying into the latest and greatest technology. One challenge in particular is understanding the amount of resources needed to properly research and implement new technologies or features.

Small and midsize businesses, such as community banks and credit unions, often underestimate the time, effort, and expertise needed to properly implement new technologies. The often-lengthy transition period can actually decrease your organization’s security posture, introducing additional attack vectors and causing compliance issues. For a simple example, think about a firewall upgrade project. For many years this meant, at an extremely simple level, that you block bad traffic and allow good traffic. Now you want to implement the newest next-generation firewall (NGFW) technology, which comes with additional features such as an intrusion detection system, identity awareness, VPN, and other complementary functions. From a complexity standpoint you have just gone from managing basic rules controlling access to managing multiple complex functions that can introduce vulnerabilities if not fully researched and expertly implemented in your environment. When implemented correctly, these features will of course increase your overall security posture. When we conduct firewall health checks, however, we find that these new features have often been configured improperly. In the case of using a NGFW as a VPN, for example, an incorrectly...
Mobile Security Defenses

By: Jeremy Klinzak, Security Engineer, MAD Security | February 7, 2019

Mobile device security is an important part of securing IT assets for companies today. These devices are some of the most exposed parts of IT infrastructure, as they go everywhere the employee goes. Common threats to mobile devices include malicious applications, malicious advertisements, sideloading, and rogue access points. Fortunately, Mobile Device Management (MDM) solutions exist and serve as a means to simplify the process of securing and managing employee mobile devices. MDM solutions can assist in preventing mobile device compromise and empower organizations to respond to security incidents such as a stolen or infected mobile device. In the sections below I will explain some of the common features of MDMs and the threats they can help mitigate. Before reviewing MDM solutions, let’s first analyze the most common threats to mobile devices and discuss developing a Mobile Device Policy.

Common Methods of Infection

There are three common methods by which malware infects mobile devices: malicious or infected applications, malicious advertisements or phishing, and sideloading. MDMs can assist in preventing all three. Let’s explore each to detail how devices become infected and how MDMs can assist in protecting them.

Malicious or Infected Applications

Sometimes attackers manage to upload malicious applications to the iOS and Google Play stores posing as harmless software. Attackers can also infect previously safe applications. In 2017 attackers hacked the popular application CCleaner’s distribution servers[i]. This allowed attackers to inject malicious code into the application and infect any device that installed CCleaner after...
Ransomware Defenses

By: Scott Busby, Security Engineer, MAD Security | February 1, 2019

The name ransomware comes from a not particularly clever combination of the words “ransom” and “malware”. First seen in 2013, ransomware is a type of evolving malware that attempts to encrypt files on a target system and make them unusable for the victim. The attacker then informs the victim that for a hefty fee (often paid in Bitcoin) they can regain access to their data. Losing access to data can be a showstopper for businesses, and for individuals with important photos or documents it can also be emotionally devastating.

Victims essentially have only three options for getting their data back. The first and most obvious option is to just pay the ransom. Not only is this option costly, but you have no guarantee that the attacker will actually decrypt your data after receiving payment. The second option is to discover the private key that the attacker used to encrypt your data. In most instances this isn’t really an option: there have been some documented cases of attackers hardcoding decryption keys, but for the most part, brute forcing the private key needed to decrypt the data would require nation-state level resources and a long-term commitment. The third and best option (if available) is to simply restore the data from a backup. In this scenario, having a backup could save your company hundreds of thousands of dollars and reinforces just how critical backing up data is!

Although ransomware attacks have trended downward significantly since their 2013 debut, as much as 16,000 ransomware...
Phishing Protections

By: Will Young, Director of Technical Testing, MAD Security | January 10, 2019

Protecting users from phishing attacks requires a defense in depth strategy. Users are the last line of defense against phishing attacks and are also, unfortunately, the weakest. Ideally, your other protections ensure that phishing emails never make it to your users to begin with. In order to understand how to protect against phishing emails, let’s walk through a few examples of an attacker sending a malicious email to one of your users and discuss the different steps in the delivery process where we could prevent this from happening.

Impersonation Protections

SPF, DKIM, and DMARC records all help weed out phishing emails that attempt to impersonate another organization. When configured by an organization, these records essentially dictate who is allowed to send email on behalf of that organization. Anyone sending an email attempting to impersonate an organization with these records will likely have their email rejected by most modern mail servers.

SPF Records

At a basic level, SPF (Sender Policy Framework) records establish a method for receiving mail servers to verify that incoming email from a domain was sent from a host authorized by that domain’s administrators. SPF records are TXT records that are configured on an authoritative DNS server for the sending domain.

Let’s suppose that your company’s domain name is “globalcorp.com” and let us also suppose that an attacker attempts to send an email from “[email protected]” to one of your employees using an SMTP server that is owned by the attacker. When your company’s mail server receives...
4 Common Cybersecurity Threats

By: Alex Shanteau, Senior Security Consultant, MAD Security | January 3, 2019

As the untamed cyber threat landscape evolves in scope, sophistication, and reach, the risks organizations face will continue to increase not only in number but in severity, and attackers are finding new ways to infiltrate your internal and external networks every day. In this blog post, we’ll take a look at some common threats you’re likely to see throughout 2019, and over the next several weeks we will go in-depth on prevention and mitigation of these types of attacks.

Sophisticated Phishing Campaigns

Most phishing attacks come in the form of email spam, tricking users out of their credentials, financial, or other sensitive information. Phishing emails have come a long way from the cliché Nigerian Prince scam. Most current phishing emails replicate an email you may think is completely normal and credible, and can come in a number of formats, from a LinkedIn request to a fraudulent invoice. These phishing emails are becoming ever more sophisticated, including the successful usage of multi-factor authentication, the inclusion of homographic domain names, and almost perfect impersonation of legitimate applications. This attack vector exploits the weakest link in the cyber defense chain, people, and can lead to devastating and sometimes catastrophic compromises for companies.

During a recent red team exercise we conducted for an enterprise-sized company, LinkedIn phishing requests were sent to targeted employees that were identified by combing publicly available information on the Internet. These users received an email asking them to join a group associated with their company on LinkedIn. When users clicked on the...
The Marriott Breach: Lessons Learned for the Hotel Industry

By: Alex Shanteau, Senior Security Consultant, MAD Security | December 19, 2018

The massive breach of the reservation system for Marriott’s Starwood subsidiaries is no doubt one of the largest breaches to date and highlights some of the most prevalent security challenges for the hotel industry. As consolidation continues amongst hotel chains to achieve scale across more geographies, the likelihood of these types of breaches will continue to rise. In this post, I’ll analyze what exactly happened and how other hotel chains can avoid such breaches.

On November 30, 2018 Marriott announced that “On September 8, 2018, (Marriott) received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database…Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014.” Four years, that’s how long the attackers had been in their network. Technical details about the compromise were not disclosed, but I wonder if they just installed a monitoring tool and when they turned it on, they managed to finally see the indicators of compromise, or perhaps the attackers had been in the network for that long but hadn’t attempted to access or exfiltrate data.

My next question is what’s the damage? “contains information on up to approximately 500 million guests” That is a lot of people, even larger than the Equifax breach at 148 million people. So what kind of data did the attacker access? “the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date,...