October 14, 2020
Good morning, everyone!
|This week’s critical vulnerabilities: Android Users Need to Manually Remove These16 Infected Apps and make sure your operating system is up to date. Synopsys has issued an advisory warning of authentication bypass vulnerabilities in multiple wireless router chipsets built into devices manufactured by Qualcomm, MediaTek, and Realtek. This includes various models of Netgear, D-Link, Buffalo and more.|
The AAA Protocols: Authentication, Authorization & Accounting
Last week CISA released the fourth in their series of Cyber Essentials Toolkits:
This toolkit chapter focuses on the use of access lists and authentication tools to appropriately limit user access on your network. Organizations can provide a secure digital workplace by controlling who has access to the network and applications.
As I was thinking about how to break this down for you (since it’s a really important concept!), I remembered the AAA Protocols. Wikipedia defines the AAA Protocols as “a family of protocols that mediate network access.” They are:
Let’s talk about each in turn.
Authentication: Who are you? This is the most basic step in determining whether this person, device or process should have network access. Who are you? How do I know that you are who you say you are? For users on a network, authentication is most often accomplished by typing in a user name and a password. In some networks, there may be a second factor of authentication (a USB device, a token that generates a one-time code, or a magnetic card). These are great additions to your network security (you know how I feel about 2FA!) and it’s a requirement for DFARS compliance.
Authorization: Are you allowed here? I usually explain this in terms of bookkeeping software, because every business has it and people generally understand the concept of restricting access to financial data. So I’m guessing your payroll clerk can’t make GL entries or run financial statements. You’ve restricted her access. That’s good. What about the accounts receivable clerk, can she see payroll reports? Does the guy who only generates purchase orders need access to the payables report? The payables clerk does nothing but enter invoices, not pay them – can he/she print checks?
These principles apply to network access also. For example, does the shop foreman need a login on the server that holds the bookkeeping software? What about the marketing director? They probably need a login to the file server, email, maybe group calendar … but if they don’t need to access the bookkeeping software at all, then their network logins shouldn’t give them access to it.
Accounting: What are you doing here? The first two of the AAA Protocols fall under the “Protect” core function of the NIST CSF, while the third falls under the “Detect” core function. You’ve heard it said “It’s no longer a matter of whether you are attacked, it’s when” and sadly this is true. A strong Accounting protocol will help you detect an attack, and also determine exactly what happened (so you can plug that hole and mitigate the damage).
You’ve probably read stories of organizations infected with ransomware, and they often say “but no data was stolen.” How do they know this? Without proper Accounting, i.e., being able to trace activity across the network, it’s impossible to say whether or not data was stolen (or worse, tampered with).
This is also why it’s important to have unique login credentials for every user, device and process on the network. If everyone in the sales department logs in as “sales” then it can be difficult to track down the origin of an attack using those credentials.
It’s not Just Users – It’s Devices & Processes Too
Devices. Last year, NASA’s Jet Propulsion Laboratory was hacked (and data stolen) because an employee put an unauthorized device on the network, and it was not properly secured. Do you have a policy that employees cannot buy and install their own hardware on the office network?
Processes. Backups are good, right? If you are doing them yourself, and keeping track of them, and who has access. What about Google Drive Sync and Apple’s Time Machine? Do you have policies prohibiting employees from using/installing these backup applications on office computers? Last year a City of Baltimore employee was fired after “hacking tools” (used by both white and black hats) were found on his office computer. But here’s the twist:
some of the material on his computer had inadvertently been synced from his Google cloud storage
What if company data was synced up to the Google cloud and then to the employee's home computer? What If some of the files synced included malware? Rogue processes on your network can be a backdoor. All processes need to be managed with the AAA Protocols, along with devices and users.
Ransomware Victims That Pay Up Could Incur Steep Fines from Uncle Sam
As Brian Krebs reports, in an advisory released last week, the U.S. Treasury’s Office of Foreign Assets Control said “companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”
Wow. This is serious, and seriously complicated. I'll talk more about this next week.
Meanwhile, that's all for this week!
October 28: Implementing the NIST Cyber Security Framework
November 10: Ethical Duties: How Technology is Undermining Attorney-Client Confidentiality (1 hr ethics CLE)
December 3: Ethical Duties: Practical Strategies for Safeguarding Client Information (1 hr ethics CLE)
Security Awareness Training Goes Virtual
Thanks to COVID-19, lots of things are going virtual, and that includes my employee Security Awareness Training. I've set up a small studio in our conference room (nobody there but me) so I can provide live training (almost) just like before! You can see me wave my hands and make faces while a wall of fascinating facts and practical tips slideshow across your screens, wherever you and your employees may be.
Contact me to schedule your employee training sessions. They're fun! ☺
Talk to you again soon!