Social engineering and relationship management

Active sales processes are supported by well-designed workflows, continuous improvement, A/B testing, communication across multiple channels, and logging of results in databases to analyze performance. The field is typically referred to as customer relationship management, and the cloud king of the field is

Some criminals aren’t very sophisticated, and they still manage to earn money through cyber-scams. There are many ways to do this: identity theft, document fraud, credit card fraud, or direct extortion schemes. The latter tends to have the fastest path to the reward, although credit card fraud is still a big money-making machine for the criminals. But what happens when criminals get organized and introduce customer relationship management? Most likely the same thing that happens when an unstructured sales team invests in methodologies, measurements and an improvement culture: they get much more efficient, and they increase their revenue streams.

This is where organized crime comes in. Organized crime groups run efficient business operations, including in cyberspace. They map out their infection processes and start to optimize. They keep tabs on who they are trying to scam. They use content management to build trust. And they are cashing in big time. Let’s look at the touchpoints for revenue optimization in a typical extortion scheme using ransomware.


A common ransomware process: each point in this process is an opportunity for optimization for the adversary. Each transition between two phases is an opportunity for the target to stop the adversary’s process. 

The first step, obtaining contact points, or rather harvesting email addresses, is the first opportunity. If you collect these from generic lists, or buy them from large spam networks on the dark web, they will most likely be of low quality and carry little context. What if the criminal instead sets up an engaging platform for collecting email addresses, curated with “useful content”, and records usage patterns, typical interests and the like? The addresses will be real and active, and the adversary will have intelligence on the interests and “click triggers” of each recipient. Using this information gives a solid boost in the number of emails that reach a real, receptive reader.

The second box offers another great opportunity for optimization. Armed with the context information, targeted emails can be generated to increase the click rate. Links that appear to lead to interesting content, similar to your favorite reads, get much higher click-through rates, better than Google AdWords. And of course the click rates can be measured and used to improve targeting further, using the same automation techniques you would use in marketing automation solutions for legitimate business.

The ransomware download can also be optimized to increase infection rates. It can be disguised as a tool, it can be a JS file that the user is told to execute, it can be an MS Office macro downloader, and so on. The key is to make the user bypass all sanity checks and allow installation, and with the context information gathered earlier it is much easier to shape the message and to piggyback on established trust.

We could go on with this analysis – but the main point is that this is occurring, and the criminals using these techniques are the same organized crime groups that deal in illegal weapons, drugs and human trafficking. They are sophisticated operators abusing our natural instinct to trust things we feel are useful to us.

To counter this, we need to be just as systematic and smart about things on our side too. Baseline security will take you a long way but you also need to keep the people processes up to date in order to reduce the exposure to optimized malware supply chains.

Why high-reliability organizations evaluate the threat potential of suppliers

Cyber attacks tend to penetrate the attack surface using one of just a few initial attack vectors:

  • Phishing e-mails (80%)
  • Abuse of trust relationships
  • Web application session hijacking

Sometimes the easiest way into a large and well protected organization is through compromising a trusted third party, such as a key supplier with less secure practices. If you are really good at security awareness, application security and network segregation, it may be easier for an attacker to exploit your trust in a supplier instead. How do the best-in-class organizations deal with this type of risk?


Your internal security practices may be good, but how does that help if an attacker can abuse a trusted supplier with a lesser degree of organizational hardening to gain access to your systems? Supplier qualification is a key risk management activity, also in the cybersecurity domain.

Qualify your suppliers

Every professional procurement organization already does supplier qualification. They tend to ask for ISO 9001 certification (quality management), they do credit and financial solidity checks (you don’t want your supplier to go bankrupt before delivering the crucial goods), and so on. The most security-aware organizations include security-related checks in this process. A quick informal survey on Twitter shows that most people don’t do this (and the result is quite biased: most of the respondents are IT pros, not “normal people”). A whopping 44% say that they don’t have any process for evaluating the security implications of their supplier selection!

What factors to consider?

There are many ways to qualify a supplier. You might want to do a full due-diligence audit, require ISO 27001 certification, and so on, but then it will most likely be very hard to procure goods, as most suppliers don’t have such mature processes in place unless you deal in very special markets. So what should you look at in the initial stage? Here’s a quick list of some important factors:

  • The business sector(s) the supplier is active in. The sector may be of interest to some actors, and less so to others.
  • The size of the firm. Medium-sized businesses tend to be the ones most often targeted by cyber attacks. Smaller firms are targeted to a lesser degree, but they often have very weak controls. Large enterprises are less attractive targets because they typically have better controls.
  • Political risk: is the company heavily involved in business relationships in regions with high political risk? Studies indicate that companies in countries with a higher degree of political risk are attacked more frequently than those in more politically stable regions.

Creating criteria based on these factors should give you some relevant hooks to use for supplier qualification. Depending on the nature of the procurement you may choose to disqualify a supplier, to introduce more controls in the contract if the risk is perceived as higher, or to do a more in-depth review before making a decision (such as asking to review their policies, etc.).

The outcomes of doing this in a reasonable manner are:

  • Better risk management for your firm: reduced likelihood of being stung by the third-party bee
  • Driving security culture at your own firm, tying security practices to business workflows in an obvious way, thereby making benefits less mysterious
  • Helping suppliers become more security-aware and resilient – thereby creating shared goodwill that will strengthen the supplier relationships

Earth Day: Fighting climate change with cybersecurity

One of the biggest challenges of our time is climate change. The world struggles to get our ongoing path to environmental destruction under control. Today is Earth Day. For most people this day is about avoiding meat, taking public transport, using reusable shopping bags, drinking wine instead of beer, and turning lights off, but nerds can do more than that. Our biggest challenge is to reduce the greenhouse gas emissions from transport.


Walkable cities are nice – and cybersecurity can contribute to that! Happy Earth Day 2017!

Information technology has a gigantic role to play in the solution to that problem:

  • Self-driving cars, buses and metros make public transport cheaper. But can they be hacked? Of course they can.
  • Smart assistants using AI to help plan your day and your travel, and to optimize your choices also with regard to environmental footprint, can do a lot. But can they be hacked, thereby destroying all hope of privacy protection? Sure they can.
  • Telework can reduce the need to travel to work, and the need for business travel to talk to people in other locations. This brings a whole swath of issues: privacy, reliability. If people don’t trust the solutions for communication and system access, and if those don’t work reliably, people will keep boarding planes to meet clients and driving cars to go to the office.
  • Cloud services are nice. They make working together over distances a lot easier. Cloud services require data centers. If the reliability of a data center is not quite up to expectations, the standard solution is to replicate everything in another data center, or for the customer to replicate everything in their own data center, or to mirror it to another cloud provider. This may not be seen as necessary if the primary provider’s reliability is very good, particularly its ability to deal with DDoS attacks. Building reliable data centers is therefore part of the climate solution, in addition to powering them with green energy and efficient cooling systems.

OK, so DDoS is a climate problem? Yes, it is. And what do cybercriminals need to perform large-scale DDoS attacks? They need botnets. They get botnets by infecting IoT devices, laptops, phones, workstations and so on with malware. Endpoint security is therefore, also, a climate issue. Following sensible security management is therefore a contributor to protecting the environment. So in addition to choosing the bus over the car today, you can also help Mother Earth by beefing up the security on your private devices:

  • Make sure to patch everything, including routers, cell phones, laptops, smart home solutions, alarm systems, internet connected refrigerators and the whole lot.
  • Stop using cloud services with sketchy security and privacy practices. Force vendors to beef up their security by using your consumer power. And protect your own interests at the same time. This is doing everyone a favor – it makes AI assistants and such trustworthy, making more people use them, which favors optimized transport, consumption and communications.
  • Prioritize efficient, safe and secure telework. Use a VPN when working from coffee shops, and promote the “local work, global impact” way of doing things. Your decisions have impact when they let you avoid excessive travel, whether to the office or to a client on the other side of the globe, and especially if you manage to influence other people to prioritize the same things.

Happy Earth Day 2017. Promote climate action through security practices!

Cross-site scripting for fun and profit

XSS (cross-site scripting) is still one of the most common vulnerabilities in web applications, and it still serves as a useful point of attack for hackers. If you are a web developer, knowing how to properly protect your application from these attacks is a must.

Don’t leave your app open to attack: injection vulnerabilities are not nice.

Cross-site scripting vulnerabilities exist when user input from web forms or API calls is not properly escaped (or, for rich content, sanitized) before it is written into a page. Directly reflecting user input back to the browser is sketchy practice. If a user enters JavaScript into a form field and that script executes in the browsers of other users, you have a vulnerability that hackers can take advantage of.

The two most common ways users give input to a web page are web forms and URL parameters (usually by clicking links on the page). Both are interesting injection points for someone looking to exploit your page, and so is anything else the server echoes back, such as HTTP headers, cookies, or data stored earlier by another user.

Modern web applications try to filter out this type of input. OWASP has put together a large selection of XSS attack vectors that try to bypass such filters (the OWASP XSS Filter Evasion Cheat Sheet); that is the list to work through.

To manually test your own applications you can try the following input strings:

  • <script>alert()</script>: the classic, which usually doesn’t work anymore, because it is the first thing any filter catches.
  • <img src=x onerror=alert()>: typical stored XSS payload, typically in comment functionality etc. If this one pops an alert on reload of the page, you have successfully injected JavaScript into a page that is served to other users too. Now you could change the alert to something more evil, like a redirect to your phishing site of choice (don’t do it: it really is evil, and illegal).
  • In URL parameters that end up in a link or a redirect: javascript:alert(). The data: URL variants (such as data:text/html,<script>alert()</script>) used to work the same way, but modern browsers block top-level navigation to data: URLs, so the javascript: form is the one that matters for links.

URL-based injection (reflected XSS) is typically used in links supplied in scam emails etc. It makes the attacker’s code execute within the context of the web application, in the victim’s browser, and is often used to steal session data.

Avoiding XSS as a developer

There are several things you can do as a developer to avoid these vulnerabilities. The best is to use a framework or templating system that escapes output for you, according to the context it is written into. Most modern web frameworks do this by default, as long as you don’t switch it off or mark untrusted strings as “safe”!

You should also test for vulnerabilities, including XSS. You can do this manually by trying to inject strings like the ones above, and you can use a vulnerability scanner. Let someone else look at your code to try to find weaknesses; it is harder to see errors when you have made them yourself! Use multiple test methods when available, and consider including security tests in the unit tests for your code.
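As an added example (not code from the original post), the JavaScript below renders a small comment widget first naively and then with context-aware output escaping, and runs the payloads from the list above against both. The widget, the helper names (renderCommentUnsafe, renderCommentSafe, escapeHtml, safeHref, looksExecutable) and the sample inputs are assumptions made for the demonstration; it needs nothing beyond Node.js.

```javascript
// Added example, not code from the original post: a tiny comment widget rendered
// two ways, to show why "<img src=x onerror=alert()>" survives naive string
// concatenation and why escaping has to be chosen per output context.
// Plain Node.js, no framework; the widget and its payloads are assumptions
// made for the demonstration.

// Constructed sample input, as a hostile commenter would submit it.
const STORED_XSS_PAYLOAD = '<img src=x onerror=alert()>';
const JS_URL_PAYLOAD = 'javascript:alert()';

// Vulnerable: untrusted strings are pasted straight into the HTML body.
function renderCommentUnsafe(author, body, website) {
  return `<div class="comment"><a href="${website}">${author}</a>: ${body}</div>`;
}

// Escaping for the HTML text and double-quoted attribute contexts. These five
// characters are the ones that can change the meaning of those contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// A value that ends up in href needs scheme validation before escaping:
// "javascript:alert()" contains nothing escapeHtml would touch, so escaping
// alone leaves it executable. The WHATWG URL parser also lowercases the scheme
// and strips leading whitespace, which defeats " JavaScript:" style evasions.
function safeHref(url) {
  let parsed;
  try {
    parsed = new URL(url, 'https://example.invalid/'); // base resolves relative links
  } catch (e) {
    return '#';
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return '#';
  }
  return escapeHtml(url);
}

// Hardened: validate the link, escape everything else for its context.
function renderCommentSafe(author, body, website) {
  return `<div class="comment"><a href="${safeHref(website)}">${escapeHtml(author)}</a>: ${escapeHtml(body)}</div>`;
}

// Cheap check usable in a unit test: does the rendered markup contain an
// element start, an event handler or a script URL that the template itself
// did not emit? Not a substitute for a scanner, but it catches the payloads
// tried above.
function looksExecutable(html) {
  const injectedTag = /<(script|img|svg|iframe|object|embed)\b/i;
  const eventHandler = /<[a-z][^>]*\son\w+\s*=/i;
  const scriptUrl = /href\s*=\s*["']?\s*javascript:/i;
  return injectedTag.test(html) || eventHandler.test(html) || scriptUrl.test(html);
}

console.log('unsafe:', renderCommentUnsafe('mallory', STORED_XSS_PAYLOAD, JS_URL_PAYLOAD));
console.log('safe:  ', renderCommentSafe('mallory', STORED_XSS_PAYLOAD, JS_URL_PAYLOAD));
```

Run it with node; the two console.log lines show the renders side by side. The point of safeHref is that the href context needs a scheme check on top of escaping, which is exactly the kind of context-aware detail a templating framework handles for you and hand-rolled escaping usually misses. looksExecutable is the kind of assertion that belongs in the unit tests mentioned above: feed the payloads through the real templates and fail the build if anything executable comes out.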

Some takeaways:

  • Even big-league players have XSS vulns on their sites. See the Register story from 2014 on a plugin bug for WordPress that affected most of the platform.
  • XSS lets hackers attack your users. You are partly to blame if this was possible because of neglect on your behalf, right? And your customers would get angry.
  • Web application frameworks deal with this in a good way. It is very hard to write context-aware escaping manually, so stick with a framework!

How do leaked cyber weapons change the threat landscape for businesses?

Recently, a group called the Shadow Brokers released hundreds of megabytes of tools claimed to stem from the NSA and other intelligence organizations. Ars has written extensively on the subject, and the leaked code has since been republished online. The exploits target several Microsoft products still in service (and commonly used), as well as the SWIFT banking network. Adding to the speculation is the fact that Microsoft silently released patches for vulnerabilities claimed to be zero-days in the leaked code prior to the actual leak. But what does all of this mean for “the rest of us”?


Analysis shows that lifecycle management of software needs to be proactive, considering the security features of new products against the threat landscape before existing systems reach end-of-life. The threat from secondary adversaries may be increasing due to the availability of new tools, and intelligence agencies have also demonstrated willingness to target organizations in “friendly” countries; threat modeling of nation state actors should thus include domestic ones.

There are two key questions we need to ask and try to answer:

  1. Should threat models include domestic nation state actors, including illegal use of intelligence capabilities against domestic targets?
  2. Does the availability of the leaked tools increase the threat from secondary actors, e.g. organized crime groups?

Taking the first issue first: should we include domestic intelligence in threat models for “normal” businesses? Let us examine the C-I-A triad (confidentiality, integrity, availability) from this perspective.

  • Confidentiality: are domestic intelligence organizations interested in stealing intellectual property or obtaining intelligence on key personnel within the firm? This tends to be supply chain driven if you are not yourself the direct target, or data collection may occur because of innocent links to other organizations that are being targeted by the intelligence unit.
  • Integrity (data manipulation): if your supply chain is involved in activities drawing sufficient attention to require offensive operations, including non-cyber operations, integrity breaches are possible. Activities involving terrorism funding or illegal arms trade would increase the likelihood of such interest from authorities.
  • Availability: nation state actors do not typically use DoS-type attacks, unless it is to mask other intelligence activities by drawing response capabilities to the wrong front.

The probability of APT activity from domestic intelligence is for most firms still low. The primary sectors where this could be a concern are critical infrastructure and financial institutions. Firms involved in the value chains of illegal arms trade, funding of terrorism or human trafficking are also potential targets, but these firms are often not aware of their role in the illegal business streams of their suppliers and customers.

The second question was if the leak poses an increased threat from other adversary types, such as organized crime groups. Organized crime groups run structured operations across multiple sectors, both legal and illegal. They tend to be opportunistic and any new tools being made available that can support their primary cybercrime activities will most likely be made use of quickly. The typical high-risk activities include credit card and payment fraud, document fraud and identity theft, illicit online trade including stolen intellectual property, and extortion schemes by direct blackmail or use of malware. The leaked tools can support several of these activities, including extortion schemes and information theft. This indicates that the risk level does in fact increase with the leaks of additional exploit packages.

How should we now apply this knowledge in our security governance?

  • The tools use exploits for vulnerabilities that Microsoft had already patched in supported versions of Windows before the leak; only the unsupported, end-of-life versions remain exposed. Keeping systems up to date remains crucial. New versions of Windows tend to come with improved security, and migration prior to end-of-life of the previous version should be considered.
  • In risk assessments, domestic intelligence should be considered together with foreign intelligence and proxy actors. Stakeholder and value chain links remain key drivers for this type of threat.
  • Organized crime: targeted threats are value chain driven. Firms with exposure and old infrastructure most likely face increased risk due to the new cyberweapons available to organized crime groups.

How to embed security awareness in business processes

All businesses have processes for their operations. These can be production, sales, support, IT, procurement, auditing, and so on.

All businesses also need risk management. Traditional risk management has focused on financial risks, as well as HSE risks. These governance activities are also legal requirements in most countries. Recently cybersecurity has also caught mainstream attention, thanks to heavy (and often exaggerated) media coverage of breaches. Cyber threats are a real risk amplifier for any data-centric business, and therefore need to be dealt with as part of risk management. In many businesses this is, however, still not the case, as discussed in detail in this excellent Forbes article.


Most employees do not even get basic cybersecurity training at work. Is that an indicator that businesses have not embedded security practices in their day-to-day business?

  1. One common mistake many business leaders make is to view cybersecurity as an IT issue alone. Obviously, IT plays a big role here but the whole organization must pull the load together.
  2. Another mistake a leader can make is to view security as a “set and forget” thing.  It is unlikely that this would be the case for HSE risks, and even less so for financial risks.

The key to operating with a reasonable risk level is to embed risk management in all business processes. This includes activities such as:

  • Identify and evaluate risks to the business related to the business process in question
  • Design controls where appropriate. Evaluate controls up against other business objectives as well as security
  • Plan recovery and incident handling
  • Monitor risk (e.g. measurements, auditing, reporting)
  • Get your people processes right (e.g. roles and responsibilities, hiring, firing, training, leadership, performance management)

What does the security aware organization look like?

Boiling this down to practice, what would be some key characteristics of a business that has successfully embedded security in its operations?

Cybersecurity would be a standard part of the agenda for board meetings. The directors would review security governance together with other governance issues, and also think about how security can be a growth enhancer for the business in the markets they are operating.

Procurement considers security when selecting suppliers. They identify cybersecurity threats together with other supply chain risks and act accordingly. They ensure baseline requirements are included in the assessment.

The CISO does not report to the head of IT, but directly to the CEO, and is regularly involved in strategic business decisions across all aspects of operations.

The company has an internal auditing system that includes cybersecurity. It has based its security governance on an established framework and created standardized ways of measuring compliance, ranging from automated audits of IT system logs to employee surveys and policy compliance audits.

Human resources is seen as a key department for security management. Not only are they involved in designing role requirements, performance management tools and training materials, but they are heavily involved in helping leaders build a security aware culture in the company. HR should also be a key resource for evaluating M&A activities when it comes to cultural fit, including cybersecurity culture.

If you are looking to improve your company’s cybersecurity governance, introducing best practices based on a framework or a standard is a great starting point. See How to build up your information security management system in accordance with ISO 27001 for practical tips on how to do that.

The [Cyber] Barbarians are at the [Internet] Gateways?

If you follow security news in media you get the impression that there are millions of super-evil super-intelligent nation state and hacktivist hackers constantly attacking you, and you specifically, in order to ruin your day, your business, your life, and perhaps even the lives of everyone you have ever known. Is this true? Are there hordes of barbarians targeting you specifically? Probably not.


Monsters waiting outside your gates to attack at first opportunity? That may be, but it is most likely not because they think your infrastructure is particularly tasty!

So what is the reality? The reality is that the threat landscape is foggy; it is hard to get a clear view. What is obviously true, though, is that you can easily fall victim to cyber criminals, although it is less likely that they are targeting you specifically. Of course, if you are the CEO of a big defense contractor, or the CIO of a large energy conglomerate, you are most likely specifically targeted by lots of bad (depending on perspective) guys; but most people don’t hold such positions, and most companies are not being specifically targeted. All companies are, however, potential targets of automated criminal supply chains.

The most credible cyber threats to the majority of companies and individuals are the following:

  • Phishing attacks with direct financial fraud intention (e.g. credit card fraud)
  • Non-targeted data theft for the sake of later monetization (typically user accounts traded on criminal market places)
  • Ransomware attacks aimed at extorting money

None of these attacks are targeted. They may be quite intelligent nevertheless. Cybercriminals are often quite sophisticated, and are in many cases “divisions” of organized crime groups that are also active in more traditional crime, such as human trafficking, drug and illegal weapons trade, etc. Sometimes these groups may even have capabilities that mirror those of state-run intelligence organizations. In the service of organized crime, they develop smart malware that evades anti-virus software, analyze user behaviors and generally maximize the return on their criminal investment in self-replicating worms, botnets and other tools of the cybercrime trade.

We know how to protect ourselves against this threat from the automated hordes of non-targeted barbarians trying to leech money from us all. If we keep our software patched, avoid giving end users admin rights, and use application whitelisting to stop unauthorized software from running, we won’t stop organized crime. But we will make their automated supply chain leech from someone else’s piggybank; these simple security management practices stop practically all non-targeted attacks. So much for the hordes of barbarians.

These groups may also work on behalf of actual spies in some cases; they may in practice be the same people. So the criminal writing the most intelligent antivirus-evading new ransomware mutation may also be the one actively targeting your energy conglomerate’s infrastructure and engineering zero-day exploits. Defending against that is much more difficult, because of the targeting. But then they aren’t hordes of barbarians or an army of ogres anymore. They are agents hiding in the shadows.

Bottom line – stop crying wolf all the time. Stick to good practices. Knowing what you have and what you value is the starting point. Build defense-in-depth based on your reality. That will keep your security practices and controls balanced, allowing you to keep building value instead of drowning in fear of the cyber hordes at your internet gateways.