
28 March 2016

Improving Cyberdefenses



If you are reading this post you know that protecting our assets is time consuming, resource consuming and money consuming, but in the end it is our goal and main task. For this reason I would like to highlight the basic components that we should take into account to manage an InfoSec program properly.

Information Security Awareness Program

We know that people are the weakest link in information security. How much does an awareness talk cost? Because it can save you a headache and save your company money. However, an information security awareness program should cover all people at all levels, because everybody has access to information.


How do we know where we have to invest money? First, we have to know what information and assets we have to protect, what value they have for the business and what happens if they are disclosed or stolen. Therefore, a risk management process is mandatory to align security investments with the business.

Access Control Policy

Mechanisms for authentication and authorization should be covered by an access control policy, because there will be people with different permission levels for different assets.

End-point Protection Measures

Today, the barriers are not in the perimeter, because information can be accessed from the Internet with end-point devices like laptops and mobiles, and this is a challenge for information security managers. As a result, end-point protection with antimalware solutions is a must.


Every day we see new vulnerabilities, but without penetration tests and vulnerability scans we won't know whether they affect our systems. Don't you want to know if you are vulnerable?

Patch Management Process

Once you know which vulnerabilities you have to fix, it's time to plan how to fix them. Can they be fixed? All of them? When? How? If some of them can't be fixed, what measures and controls can be applied?

Log Monitoring Process

It is worthless to have a SIEM and many reports if we don't review them adequately. A log monitoring process is more than saving logs: it is analyzing the information and taking actions accordingly.

Incident Response Process

New attacks and techniques to bypass security become known continually. Therefore, end users should be ready to detect and mitigate new threats.


Once information is lost, it is lost, and if we don't have tested backups, we are lost too. We have to plan how to recover information, how much time we need to recover it and what information we are willing to lose.

As you'll have read, this can seem ambitious, but we have to adapt it to our needs. This can be seen as a summarized ISO 27001.

Regards my friend and remember, protect your assets, protect yourself!!

21 March 2016

Traffic Direction Systems (TDS)



In recent weeks we have been detecting, through Sonda Ariolo, a trojan infection called Keitaro TDS which redirects users' HTTP requests to malicious websites to download malware and compromise their systems. At first glance, although the public IP is from Russia, threat intelligence engines like OTX and VirusTotal don't categorize it as having a bad reputation or as a malicious IP; but when we analyze it in depth, we find out that it has lots of domain names registered against the same public IP. How have they avoided being detected by threat intelligence? Maybe with DGA, who knows!!

What is a TDS, or Traffic Direction System? At first it reminded me of a load balancer which can analyze the HTTP header to send the user's request to the proper web server. For instance, a mobile user with an iPhone is redirected to the mobile version of the web page while a user with a laptop is redirected to the normal web page. This is done just by looking at the User-Agent header in the HTTP request. But … what is a TDS? Actually, it is a system which can analyze users' system settings to gather information about them, like their browser, IP address, language, operating system, etc., and with this information and web traffic redirection techniques like server-side redirection, iframe redirection, video redirection, etc., the TDS redirects our request to a web server.


Is this malicious activity? Of course it isn't; it is legal, but it can also be used for malicious activities. In fact, there are many TDS services out there, like Keitaro TDS or WapEmpire, which help publishers and advertisers earn money with advertising campaigns. However, these services can also be used by cybercriminals to choose either specific targets or wide-ranging groups, depending on their geographic location, software preferences or language settings, to deploy and distribute malware and to steal critical information. For instance, they can redirect users' traffic to pharmaceutical websites in the morning and to adult websites at night, or they can redirect unwanted traffic to a default website like Google or Yahoo and wanted traffic to pay-per-click (PPC) websites to earn money.


How does it work? Mainly it works with business partners, or Partnerka, which is a Russian word. On one hand, there are people who compromise end-user systems, creating a botnet from which they request legitimate sites. On the other hand, there are people who compromise websites, injecting 0 x 0 iframes capable of handling requests from invisible iframes. Besides, there are people who manage TDS systems to filter and redirect traffic to make money.

Today, this technique is also used in Black Hat SEO to run aggressive campaigns by those who are looking for a quick financial return on their web site. However, this trick can get your web site banned by search engines.
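One defender-side check that follows from the observation above (many domain names registered against one public IP that reputation feeds still rate clean), as an added example that is not from the original post or from any vendor: group the hostnames seen in web-proxy logs by destination IP and flag IPs that front an unusual number of distinct names. The log layout, hostnames and IPs are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed sample lines in a simplified proxy-log layout (not a real vendor format):
# <epoch> <client_ip> <method> <url> <dest_ip> "<user-agent>"
SAMPLE_LOG = """\
1458550001 10.0.0.12 GET http://promo-alpha.example/ 203.0.113.7 "Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X)"
1458550003 10.0.0.15 GET http://promo-beta.example/play 203.0.113.7 "Mozilla/5.0 (Windows NT 6.1) Firefox/44.0"
1458550004 10.0.0.15 GET http://promo-gamma.example/ 203.0.113.7 "Mozilla/5.0 (Windows NT 6.1) Firefox/44.0"
1458550007 10.0.0.21 GET http://promo-delta.example/go 203.0.113.7 "Mozilla/5.0 (Linux; Android 5.1; Mobile)"
1458550009 10.0.0.12 GET http://Promo-Alpha.example/landing 203.0.113.7 "Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X)"
1458550011 10.0.0.30 GET http://promo-epsilon.example/ 203.0.113.7 "Mozilla/5.0 (Windows NT 10.0) Chrome/49.0"
1458550013 10.0.0.30 GET http://promo-zeta.example/ 203.0.113.7 "Mozilla/5.0 (Windows NT 10.0) Chrome/49.0"
1458550014 10.0.0.12 GET http://www.intranet-portal.example/home 198.51.100.20 "Mozilla/5.0 (Windows NT 10.0) Chrome/49.0"
1458550016 10.0.0.15 GET http://www.intranet-portal.example/docs 198.51.100.20 "Mozilla/5.0 (Windows NT 6.1) Firefox/44.0"
"""

LINE_RE = re.compile(r'^(\d+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a record; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, dest_ip, agent = m.groups()
    host = (urlsplit(url).hostname or "").lower()  # normalise case so Promo-Alpha == promo-alpha
    return {"ts": int(ts), "client": client, "method": method,
            "host": host, "dest_ip": dest_ip, "agent": agent}

def hosts_per_ip(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Group the distinct hostnames served by each destination IP."""
    table: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["host"]:
            table[rec["dest_ip"]].add(rec["host"])
    return table

def flag_crowded_ips(lines: Iterable[str], min_hosts: int = 5,
                     allowlist: Iterable[str] = ()) -> List[Tuple[str, int]]:
    """Return (dest_ip, distinct_host_count) for IPs fronting at least min_hosts names.

    CDN edges and shared hosting legitimately fan in many names, so pass known
    ranges via allowlist; the remaining hits are review candidates, not verdicts.
    """
    allow = set(allowlist)
    hits = [(ip, len(hosts)) for ip, hosts in hosts_per_ip(lines).items()
            if ip not in allow and len(hosts) >= min_hosts]
    return sorted(hits, key=lambda item: (-item[1], item[0]))
```

Running `flag_crowded_ips(SAMPLE_LOG.splitlines())` on the sample returns the single hit `("203.0.113.7", 6)`; the intranet IP, serving one name, is not reported.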

Regards my friend and remember, drop me a line with the first thing you are thinking.

14 March 2016

Myths and Truths



Sometimes, as network engineers, we have doubts about obvious things although we work with them daily. From time to time, my colleagues and I like to test each other with questions which we have to think deeply about. Some of them are easy but others not so easy. In addition, we often ask these questions to the beginners who work with us to find out whether they did the work at university and really know these basic networking concepts.

Can we ping a TCP port?

First, an important concept that every network engineer should know, without doubt, is the difference between the ICMP protocol and the TCP/UDP protocols. Can we ping a TCP port? The answer is NO. Why? Because ping uses ICMP echo request and echo reply packets, which are in layer 3, to measure the round-trip time (RTT) for messages sent from the originating host to a destination computer and back. That is, ping works in layer 3, not in layer 4 like TCP/UDP.

Nevertheless, the word “ping” comes from active sonar terminology, where a pulse of sound is sent and the echo is listened for to detect objects under water. What does it mean? Well, we can also measure the round-trip time (RTT) from when we open a TCP connection until we close it. Therefore, when we talk about ping we usually talk about layer 3, although we should know that the TCP round-trip time is measurable.

Ping to port tcp/80

Analysis of the ping to port tcp/80
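The "ping to port tcp/80" from the captures above, as an added example that is not from the original post: a TCP "ping" that times the three-way handshake to a port instead of sending ICMP echo, so it also tells us whether the port itself answers. The target is a constructed throwaway listener on 127.0.0.1; `tcp_ping`, `start_local_listener` and `closed_port` are names chosen for this example.

```python
import socket
import threading
import time
from typing import List, Optional, Tuple

def tcp_ping(host: str, port: int, count: int = 4, timeout: float = 2.0) -> List[Optional[float]]:
    """Time the TCP handshake to host:port, count times, in milliseconds.

    No ICMP is involved: the clock runs from connect() until the handshake
    completes. An entry is None when the connection is refused or times out.
    """
    rtts: List[Optional[float]] = []
    for _ in range(count):
        start = time.perf_counter()
        try:
            with socket.create_connection((host, port), timeout=timeout):
                rtts.append((time.perf_counter() - start) * 1000.0)
        except OSError:  # ECONNREFUSED, timeout, unreachable
            rtts.append(None)
    return rtts

def start_local_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Constructed target: an ephemeral-port listener that accepts and closes each connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(16)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # listener socket was closed
                return

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def closed_port(host: str = "127.0.0.1") -> int:
    """Reserve and release an ephemeral port so that a connect() to it is refused."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind((host, 0))
    port = probe.getsockname()[1]
    probe.close()
    return port
```

Against a listening port every entry is a small positive RTT; against a closed port every entry is None, which is exactly the layer 4 answer an ICMP ping cannot give.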

Is ARP a layer 3 protocol or a layer 2 protocol?

Another mistake, and it is sometimes difficult to understand, is about the ARP protocol. Is ARP a layer 3 protocol or a layer 2 protocol? Some people think that it is a layer 3 protocol, even though it is encapsulated in a layer 2 protocol. However, ARP is a layer 2 protocol used by IP, which works in layer 3. Therefore, ARP works below the network layer, it isn't routable and it is used as a service by the Internet Protocol (IP).

ARP traffic analysis

Do we have two Gigabit of throughput in a full-duplex mode?

Today, switch interfaces have the auto-negotiation feature. Therefore, we don't have to worry about the negotiation, because the switches are going to negotiate the best method. Most of the time, switches are going to negotiate full-duplex mode. We also know that full-duplex is a bidirectional connection which allows us to send and receive data at the same time. However, if we have switches with Gigabit interfaces connected to each other, do we have two Gigabit of throughput in full-duplex mode? Yes and no. We will have one Gigabit of throughput for transmitting and another Gigabit of throughput for receiving. Therefore, two Gigabit of capacity, but one in each direction, because it is bidirectional.


Who has the 127.250.250.250 IP address?

Finally, another question that we can ask them is about the loopback interface. Who has the IP address 127.250.250.250? First, we ask them to ping it and they see that it works; so who has this IP? In fact, we should know that the class A network 127.X.X.X/8 is the loopback address block, which can be used to test our TCP/IP stack, and therefore it should always respond to internal ICMP packets.

Ping to the loopback interface

Of course there are more interesting concepts and questions to take into account which we sometimes don't think about, and they are useful when we want to test someone. Would you like to help me with more myths and truths to make better network engineers?

Regards my friend and remember, drop me a line with the first thing you are thinking.

7 March 2016

National CyberSecurity Summit – Valencia



As a “requirement” to keep my CISA/CISM certifications up to date with continuing professional education (CPE) credits, these weeks I have been watching videos of the IX National CyberSecurity Summit that ISACA organized last year in Valencia. There were interesting talks about the responsibilities of the government, companies and citizens, speeches about virtual vs. physical, crime as a service, etc., and I would like to share some reviews and a summary of it.

We know that this world and our society work on confidence and trust, but unfortunately there are criminals who want to get our data and money, and therefore we have to protect ourselves against them. But when we hold the data and/or money of others, not ours, we have to build fences and apply controls to prevent this valuable information from being compromised. In fact, as a government or company, we have responsibilities to take care of it.

This summit spoke about eGovernment as well. What, where and how does the government protect our data? I mean … where is my personal data? Who can see it? Are there traceability controls? Is it secured? Who is going to notify me if it is stolen, and how? Today, we live in the digital age where most of our data are bits, easy to access but easy to attack too. Fortunately, the LOPD and the ENS (Esquema Nacional de Seguridad) are here to protect our personal data, but as Carmen Serrano from CSIRT-CV of Valencia said in her speech, it is a challenge to align the security strategy when the government changes every four years. However, CSIRT-CV along with S2 Group are approximately 40 people working to protect citizens, SMEs (pymes) and the regional government. From my point of view, it is an enviable situation compared with other regions. Congratulations!!

On the private companies' side there are responsibilities as well. Is my bank account being protected properly? What about my insurance agreement? Are consultancies taking security into account to protect their customers' personal data? And private medical companies? Going beyond … are nuclear power plants protected against cyberattacks? What about electrical power grids? Thankfully, there are institutions like INCIBE, CSN and CNPIC which know that a cyberattack can impact the real world.

Therefore, as was said in the summit, the virtual world or cyberworld is a technology which can be used to attack and damage the real world. Everything we do in the virtual world impacts the real world. Cyberbullying, cyberattacks, cybercrime … all impact the real world. Accordingly, “cyber” is a fashionable word that allows us to identify the medium through which the offense has been committed.

At the end of this summit, I was wondering: should cybersecurity be a public service that helps private companies to protect personal information as well? What is the threshold between private cybersecurity services and public cybersecurity services? Because all of us know that most private companies can't, or don't want to, invest money to protect against cyberattacks which, as we know, impact the real world.

Regards my friend and remember, drop me a line with the first thing you are thinking.
