Security Bulletin – Meltdown & Spectre
Throughout the day, CIS has been monitoring the ongoing reports related to two newly disclosed vulnerabilities in PC and server hardware worldwide. The vulnerabilities were discovered by Google’s Project Zero team and, independently, by academic researchers; the findings became public early after unusual patches to the Linux kernel drew attention in the open source community, and they potentially impact processors from Intel, AMD, and ARM. Unlike most common vulnerabilities, “Meltdown” and “Spectre” reside at the chip level, exploiting foundational aspects of how modern processors work, so they cannot be closed by patching a single application. The researchers’ published findings state that Meltdown “potentially affects every Intel processor made since 1995.”
Both vulnerabilities take advantage of a processor feature known as speculative execution, which makes computing faster by predicting the instructions a program will need and starting them ahead of time. When the prediction turns out to be wrong, the processor discards the results, but the speculative work leaves traces in the CPU cache. By timing memory accesses, an attacker can read those traces and reconstruct data the speculative code touched, including memory the attacker should never be able to read, such as passwords and other credentials held by the operating system or by other programs, which can then be used to gain further access to systems. It has been demonstrated that the attack can cross the boundary between virtual servers resident on the same physical host. Because of this, public cloud servers, such as those on AWS and Azure, are also potentially exposed.
This remains a developing situation. At this time all major vendors, including Microsoft, Apple, Amazon, and Google, are releasing security patches and updates to their cloud, server, and PC products. These are operating-system and hypervisor level mitigations that reduce exposure until processor firmware (microcode) updates can be provided. The major public cloud services have already applied security updates to their back-end systems and have announced that their hosts are no longer vulnerable to attack between tenants; however, there may be a notable impact on processing speed.
Early in the response Microsoft issued a critical update to address Meltdown and Spectre; however, it had unexpected impacts on various systems, causing failures and “Blue Screen of Death” outages, largely where anti-virus products made unsupported calls into the Windows kernel. Microsoft responded by making the update available only to systems on which the anti-virus vendor has set a registry value (under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat) certifying that its product is compatible with the update; a system whose anti-virus never sets that value silently stops receiving the monthly security updates. Once the update is deployed, systems are protected against the Meltdown attack and the operating-system side of Spectre; complete Spectre protection also requires processor microcode updates. Microsoft warns that the update can slow system speeds, with early estimates of up to 30% on some workloads.
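On Linux hosts (including most cloud instances) the kernel reports its own mitigation state, which is the quickest way to confirm that the patches described above are actually active rather than merely installed. The following is an added example written for this bulletin, not CIS’s tooling or a vendor script: it parses the per-issue status files the patched Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities/ and lists anything still reported as vulnerable. The sample contents are constructed; the directory path is a parameter so the parser can be exercised offline.

```python
"""Read Linux speculative-execution mitigation status from sysfs.

Added example, not CIS's code or any vendor's tool. Linux kernels carrying the
Meltdown/Spectre patches expose one file per issue under
/sys/devices/system/cpu/vulnerabilities/ (e.g. meltdown, spectre_v1,
spectre_v2). Each holds a single line: "Not affected", "Vulnerable"
(optionally followed by ": detail"), or "Mitigation: <what is enabled>".
"""
import tempfile
from pathlib import Path

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample of what a partially patched host might report (assumption:
# spectre_v2 shows as unmitigated because the CPU microcode was not updated).
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
    "l1tf": "Not affected\n",
}


def parse_status(line: str):
    """Split one sysfs status line into (state, detail).

    state is "not_affected", "vulnerable" or "mitigation"; detail is the text
    after the colon, empty when there is none.
    """
    text = line.strip()
    if text.lower() == "not affected":
        return "not_affected", ""
    state, _, detail = text.partition(":")
    return state.strip().lower(), detail.strip()


def read_vulnerability_status(sysfs_dir: str = SYSFS_DIR) -> dict:
    """Return {issue_name: (state, detail)} for every file in the directory."""
    directory = Path(sysfs_dir)
    if not directory.is_dir():
        raise FileNotFoundError(
            f"{sysfs_dir} not found: not Linux, or a kernel without the mitigation patches")
    return {f.name: parse_status(f.read_text())
            for f in sorted(directory.iterdir()) if f.is_file()}


def unmitigated(status: dict) -> list:
    """Issues the kernel reports as vulnerable: affected, with no mitigation active."""
    return sorted(name for name, (state, _) in status.items() if state == "vulnerable")


def write_sample_dir() -> str:
    """Materialise SAMPLE_STATUS as files in a temp directory for offline runs."""
    directory = tempfile.mkdtemp(prefix="vulns_")
    for name, content in SAMPLE_STATUS.items():
        Path(directory, name).write_text(content)
    return directory


if __name__ == "__main__":
    sample = read_vulnerability_status(write_sample_dir())
    for name, (state, detail) in sample.items():
        print(f"{name:12} {state:13} {detail}")
    print("Sample host still vulnerable to:", unmitigated(sample))
    try:
        print("This host still vulnerable to:", unmitigated(read_vulnerability_status()))
    except FileNotFoundError as err:
        print(err)
```

A "Vulnerable" entry after the operating system update has been applied usually means the hardware side (microcode) is still missing, which is exactly the firmware gap this bulletin describes. On Windows the equivalent information comes from Microsoft’s SpeculationControl PowerShell module (Get-SpeculationControlSettings), which also reports whether the hardware support the update needs is present.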
CIS’ Security Team continues to monitor these developments. While there is no known code “in the wild” being used to take advantage of these vulnerabilities, several security researchers have reported seeing proof-of-concept code in development. These attacks require running code on the target machine, which includes scripts delivered through a web browser, so it is important to mitigate the risk promptly and, as always, be vigilant against allowing untrusted code or malware into secure computing environments.
The CIS team will be getting in touch with Managed Services clients with specific information shortly. All required updates and patches will be handled as part of the standard patching process, or sooner following update discussions. CIS has deployed Webroot Anti-Virus for most Managed Services clients; Webroot is fully compatible with the required Microsoft updates and should present no technical problems. Following the initial fixes, CIS will continue to provide updates and further support as new options emerge. It is currently anticipated that a complete fix will require firmware updates; at a minimum there will be additional patches and required updates. Rest assured, incidents like this are precisely the reason to have a Managed Services contract, and the CIS team will do everything in our power to ensure your protection.
For independent remediation, CIS recommends the following steps:
If you have any questions or concerns, or would like to engage the CIS team for direct support, please do not hesitate to contact our service department (firstname.lastname@example.org / 212-577-6033 x235) or your account representative (Group Contact: email@example.com).
Further updates will be provided as more details emerge.
CIS is pleased to announce that Tom McCabe has joined the firm in the role of Executive Vice President of IT. Tom comes to CIS with a highly successful 20-year track record managing technical support teams for Fortune 100 companies. Tom is responsible for delivering world-class service to CIS clients through the company’s Help Desk, NOC, SOC and Field operations. In this role Tom drives innovative service offerings for improved service levels and sustained client satisfaction. Before joining CIS, Tom was Director of Managed Services for ITsavvy, where he brought this global company from unranked to 7th Top Managed Services Provider in the world. He is a creative problem solver, particularly in situations that demand highly sensitive technologies, such as security with industry compliance. His strengths are in overall Technical Operations, which include Help Desk, NOC, Field Support, Vendor Management, Project Management, Contract Negotiations and seamless System Migrations. Tom has also been an early champion and successful pioneer of migrating client infrastructure to cloud technologies and has migrated hundreds of clients to the cloud. Business Continuity and Disaster Recovery are additional areas of proficiency Tom will bring to CIS.
If that headline makes no sense, you may not have been following cyber security news closely enough! The weeks since October 24th have seen 2017’s third major outbreak of ransomware, as a modified version of NotPetya, named Bad Rabbit, has spread through much of Europe and Asia, most heavily in Russia and Ukraine. The major path for distribution of the malicious code is a fake Adobe Flash Player update, presented as a pop-up on legitimate websites that have been compromised. This is an effective attack vector, as users are typically far more likely to accept a download from a previously trusted site than an attachment in an email from an unknown sender.
Bad Rabbit appears to have been coded by fans of pop culture: the name is a play on director J.J. Abrams’ company Bad Robot, and the code contains the names of three dragons from the immensely popular series Game of Thrones. Taking a cue from Hollywood that the studios would likely complain about, Bad Rabbit is largely a reboot of NotPetya and WannaCry; analysis by CrowdStrike determined that Bad Rabbit shares nearly 70% of its code with NotPetya.
The most interesting difference between Bad Rabbit and the two major outbreaks earlier in the year is that Bad Rabbit appears to discriminate in who it infects. Where WannaCry and NotPetya would infect any environment in which they were executed, the compromised websites distributing Bad Rabbit profile their visitors and appear to serve the fake update only to targets judged worthwhile, before any attack is launched. Attacks distributed directly against several specific networks are also suspected in the spread of Bad Rabbit.
The ransomware seizes machines it can access, spreading laterally across an environment over SMB by trying a built-in list of common usernames and passwords, together with credentials harvested from the infected machine, against neighbouring hosts. It then encrypts accessible data and pops up a familiar message demanding payment in Bitcoin for the release of company or user data. The good news is that, since it was identified early and is largely familiar code, most security vendors quickly released updates and signatures to help block the spread of Bad Rabbit. Because the lateral movement depends on weak or reused passwords rather than on an unpatched exploit, unique local administrator passwords and alerting on bursts of failed network logons are the most direct defenses.
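The password guessing described above has a recognisable signature in Windows Security logs: one source address failing network logons against many different accounts within a minute or two. The following detection is an added example written for this article, not CIS’s code or a Webroot or SonicWall signature; it runs over constructed event records (the tuple layout of timestamp, event ID, target account, source IP and logon type is an assumption standing in for a SIEM export) and flags sources that look like a worm working through a built-in credential list rather than a user mistyping a password.

```python
"""Spot worm-style password guessing in Windows logon events.

Added example, not CIS's code and not a vendor signature. Event 4625 is a
failed logon, 4624 a successful one; logon type 3 is a network logon, which
is what SMB credential guessing produces. A source that fails against many
distinct accounts in a short window is spraying a password list.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.5.23 sprays nine accounts in eleven seconds and then
# gets one right; 10.0.7.4 is a real user getting their own password wrong twice;
# 10.0.9.9 is a console (type 2) typo and must not count as network activity.
SAMPLE_EVENTS = [
    ("2017-10-24 09:00:01", 4625, "administrator", "10.0.5.23", 3),
    ("2017-10-24 09:00:02", 4625, "admin",         "10.0.5.23", 3),
    ("2017-10-24 09:00:03", 4625, "guest",         "10.0.5.23", 3),
    ("2017-10-24 09:00:04", 4625, "user",          "10.0.5.23", 3),
    ("2017-10-24 09:00:05", 4625, "root",          "10.0.5.23", 3),
    ("2017-10-24 09:00:06", 4625, "backup",        "10.0.5.23", 3),
    ("2017-10-24 09:00:07", 4625, "administrator", "10.0.5.23", 3),
    ("2017-10-24 09:00:08", 4625, "ftp",           "10.0.5.23", 3),
    ("2017-10-24 09:00:09", 4625, "support",       "10.0.5.23", 3),
    ("2017-10-24 09:00:10", 4625, "manager",       "10.0.5.23", 3),
    ("2017-10-24 09:00:11", 4625, "admin",         "10.0.5.23", 3),
    ("2017-10-24 09:00:12", 4624, "manager",       "10.0.5.23", 3),
    ("2017-10-24 09:03:40", 4625, "alice",         "10.0.7.4",  3),
    ("2017-10-24 09:03:55", 4625, "alice",         "10.0.7.4",  3),
    ("2017-10-24 09:04:10", 4625, "bob",           "10.0.9.9",  2),
]


def detect_password_spray(events, window=timedelta(minutes=5),
                          min_failures=10, min_accounts=5):
    """Return {source_ip: (failures, distinct_accounts)} for every source whose
    failed network logons inside some window of length `window` reach both
    thresholds. The pair reported is the largest seen for that source."""
    attempts = defaultdict(list)
    for ts, event_id, account, source, logon_type in events:
        if event_id == 4625 and logon_type == 3:
            attempts[source].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), account))

    hits = {}
    for source, tries in attempts.items():
        tries.sort()
        start, best = 0, (0, 0)
        for end in range(len(tries)):
            # Slide the window start forward until it fits inside `window`.
            while tries[end][0] - tries[start][0] > window:
                start += 1
            in_window = tries[start:end + 1]
            distinct = len({account for _, account in in_window})
            if len(in_window) >= min_failures and distinct >= min_accounts:
                best = max(best, (len(in_window), distinct))
        if best != (0, 0):
            hits[source] = best
    return hits


def successes_from_flagged(events, hits):
    """Successful network logons from a flagged source: a guess worked."""
    return sorted({(source, account) for _, event_id, account, source, logon_type in events
                   if event_id == 4624 and logon_type == 3 and source in hits})


if __name__ == "__main__":
    flagged = detect_password_spray(SAMPLE_EVENTS)
    print("Spraying sources:", flagged)
    print("Accounts they got into:", successes_from_flagged(SAMPLE_EVENTS, flagged))
```

The account-diversity threshold is what separates a worm from a locked-out user: one account failing ten times is a help-desk ticket, ten accounts failing from one workstation is a host that should be isolated from the network immediately. The successful 4624 that follows the failures is the event that matters most for incident response, since it tells you which credential the worm now holds.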
CIS advises that review and deployment of critical security updates be done regularly as a best practice, to ensure the latest protections. While Bad Rabbit does not rely on a known exploit like EternalBlue the way WannaCry did, most of the victims in that attack were only exploited because they lacked current updates and patches that had already
Additional information for CIS’ Managed Services Clients who are operating Webroot and SonicWall:
From cleaning the gutters to re-sealing the deck every two springs to getting your oil changed, nobody enjoys the routine maintenance that comes with life. The same is true for many administrators when it comes to ongoing maintenance, particularly patches.
Manufacturers issue patches for two primary reasons: features and security. Feature patches provide new options for users and can add value to the originally purchased software. While it is always a best practice to keep software within a version or two of the current release, feature patches are mostly non-critical. Security patches are issued to close known exposures in software and operating systems once they have been discovered, and each one is also a public signal to attackers of exactly where the hole is. These should be treated with paramount concern, but they frequently fall by the wayside as items perceived as more important take precedence.
Zero-Day Attacks are difficult and infrequent; exploiting known vulnerabilities is easy!
It’s true: while zero-day attacks are frightening, they are very difficult to architect. Think of a zero-day attack like a heist pulled by the Ocean’s Eleven crew: high-profile, well planned, and expertly executed, taking significant time and resources. Such heists are extremely rare, even in the movies, because they are simply impractical. By comparison, exploiting known vulnerabilities is a far easier and more common approach.
A typical “black hat” will spend time knocking on the virtual doors of numerous companies and government organizations, scanning for anyone careless enough to have left known vulnerabilities unpatched. Once identified, these organizations can be breached within minutes using common toolkits that follow well-publicized attack paths, allowing for maximum damage. Simply applying security patches as they are released will dramatically reduce exposure to this type of attack.
What’s the frequency?
Patch management should be handled on a multi-tiered schedule, with daily, weekly, and monthly reviews and scheduled patching. Daily, available patches and security bulletins should be reviewed, and anything rated critical should be applied. Weekly, non-security feature patches that provide valuable functionality should be reviewed and applied as needed. Monthly, a review of all available patches should be conducted, and any remaining items should be applied. Additionally, it is a good idea to review security logs to see where access attempts occur, so that those areas can be protected proactively. This can become quite cumbersome for an internal team to tackle on its own. The average IT group is already understaffed by more than two people, with most resources juggling too many tasks in too few hours.
How do I alleviate the stress on my IT team, while keeping up with critical Security Patches?
CIS conducts regular Patch Management as part of a Managed Services Program, while providing a team of experts to deploy, implement, integrate, customize, secure, and support solutions of all types. Clients utilize CIS to offload the monotonous task of handling things like patching, allowing an internal team to focus on the more critical aspects of their job. CIS resources will monitor, review, and deploy any critical patches, with a customized approach to each client’s individual needs and requirements.
As a Premier Micro Focus Identity and Access Partner, CIS is excited to announce that we will be hosting a webinar on December 5th, from 12:30 to 1:30pm EST, to formally introduce our Managed Services offering for Micro Focus NetIQ Identity and Access Management Solutions.
CIS has been architecting, implementing, and supporting large-scale Identity implementations since the first release of the product. The CIS Identity team is made up of foremost subject matter experts and thought leaders who are known worldwide, and they are now available to provide ongoing support and production functionality under our CIS-MIAMI(TM) services model.
Support is provided in various optional tiers, including:
When thinking about end-users and IT security, two related things leap to mind: the first is an early 2000s game show, the second an adage about chain strength. Both say the same thing: when it comes to network security, your end-users ARE your weakest link.
Regardless of the amount of money spent on firewalls, intrusion detection, log management, compliance, and network vulnerability testing, security surveys consistently report that end-user actions play a direct role in more than 80% of breaches. Whether direct or indirect, intentional or accidental, end-users reliably expose their employers to significant security risk. Because of this, diligence is required in making sure your users understand the corporate risks inherent in a data breach, and what they, as individuals and as a group, can do to prevent unauthorized access.
End-user focused security services have become of paramount concern in the age of the cloud and the remote worker; there are simply too many paths open for an industrious attacker to exploit. Computer Integrated Services works with clients to identify the key users and topics of concern, then conducts end-user security seminars focused on education and awareness of security best practices.
“But a lot of my users are Millennials, they were born online, they know this stuff”
While that may be true in an increasing number of companies, the truth is that a large portion of the workforce still comes from the opposite end of the user spectrum: older users who are not generally inclined to keep up with changes in technology. Often these are your power users, key executives with the most access and the most privileged information. And familiarity with technology is no guarantee of skepticism toward a convincing phishing email.
The first step CIS’ Network Security Team recommends is to test end-users from several vectors, such as simulated phishing emails. It is critical to identify the users in your environment most likely to be fooled. This identification allows CIS and our clients’ IT staff to provide guidance to specific users, as well as to put technical barriers in place to help protect them.
Testing also serves as a guideline for focusing the development of CIS’ Security Seminar program, a customized end-user focused presentation, or series of presentations, from CIS’ Chief Information Security Officer. Training seminars are conducted in groups of users, typically coordinated by need and level of capability, to allow for focused learning, as well as efficient use of time.
Seminar material varies from client to client, depending on the needs of each specific user base, as well as the continual emergence of new network security threats. Seminars are typically best when they are engaging and interactive, so CIS always encourages questions within the covered topics. Follow-up materials such as best-practices reminders, written tests to review and reinforce the subject matter covered, and follow-up one-on-one sessions are also typically provided on an as-needed basis.
Topics covered will typically include:
Regularly covering these topics, and more, and staying diligent about end-user education is the only path toward real security. Users are notoriously demanding of any IT staff; it’s time to be demanding back. IT security should be every employee’s concern.
For further details, or to schedule a CIS Security Seminar, please contact us today.
Computer Integrated Services’ Network Security Team is monitoring the following…
At 12:37AM EST on October 16th, 2017, Ars Technica reported a newly disclosed flaw in the WPA2 wireless security protocol that the researchers who found it call KRACK (“Key Reinstallation Attacks”). The attack replays part of the WPA2 four-way handshake so that a client reinstalls an encryption key it is already using, which resets the per-packet nonce and replay counter. Because the same keystream is then reused for new frames, an attacker within radio range can decrypt, replay, and in some cases inject Wi-Fi traffic passing between computers and access points.
This issue potentially affects any device using WPA2 (Wi-Fi Protected Access II), since the flaw is in the standard itself rather than in one vendor’s implementation; client devices are the primary concern. To quote one report, “Both Windows and iOS aren’t believed to be vulnerable to the most effective attacks. Linux and Android appear to be more susceptible.”
CIS is monitoring this issue on behalf of our clients, and will provide patches or further advisories when they are available from manufacturers. At the time of this writing, there have been no reports of the attack being used to steal information from real networks. Note that KRACK breaks only the Wi-Fi encryption layer: traffic protected by HTTPS or a VPN remains encrypted, and the fix is to patch the client devices (laptops, phones, tablets); changing the Wi-Fi password does not help, because the attack never recovers it. If you have specific concerns about this issue, please contact the CIS Service and Support Desk at firstname.lastname@example.org.
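To see why reinstalling a key is so damaging, it helps to walk through the arithmetic of counter-mode encryption. The script below is an added illustration written for this advisory; it is not code from the page, from CIS, or from the KRACK researchers. WPA2-CCMP encrypts each frame with AES in counter mode under the session key and a per-frame packet number that serves as the nonce. A vulnerable client that is tricked into reinstalling its key resets that packet number, so the next frame is encrypted with keystream already used by an earlier frame, and XOR-ing the two ciphertexts cancels the keystream entirely. The keystream here is a stand-in built from SHA-256 in counter mode (an assumption so the script needs no crypto library); the algebra is identical for AES-CTR. The frames and key are constructed.

```python
"""Why a reinstalled WPA2 key lets an eavesdropper read traffic (KRACK).

Added illustration, not the researchers' or CIS's code. Counter-mode keystream
is modelled with SHA-256 as a stand-in for AES-CTR (assumption).
"""
import hashlib


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Stand-in counter-mode keystream: SHA-256(key || nonce || block) per block."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(6, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """A Wi-Fi client tracking its transmit packet number (the CCMP nonce).

    reinstall_resets=True models the vulnerable behaviour: a repeated handshake
    message 3 reinstalls the key and resets the counter. False models a patched
    client that ignores reinstallation of the key already in use.
    """

    def __init__(self, reinstall_resets: bool):
        self.key = None
        self.packet_number = 0
        self.reinstall_resets = reinstall_resets

    def install_key(self, key: bytes):
        if key == self.key and not self.reinstall_resets:
            return  # patched: same key already installed, keep counting
        self.key = key
        self.packet_number = 0

    def send(self, plaintext: bytes):
        self.packet_number += 1
        ks = keystream(self.key, self.packet_number, len(plaintext))
        return self.packet_number, xor(plaintext, ks)


def recover_second_frame(c1: bytes, known_p1: bytes, c2: bytes) -> bytes:
    """If c1 and c2 share keystream, c1 XOR c2 = p1 XOR p2, so knowing p1 yields p2."""
    return xor(xor(c1, c2), known_p1)


def run_attack(reinstall_resets: bool):
    """Constructed scenario: two frames sent around a replayed message 3.

    Returns (packet number of frame 1, packet number of frame 2, what the
    attacker recovers of frame 2 using the predictable frame 1 as known plaintext).
    """
    ptk = hashlib.sha256(b"constructed pairwise transient key").digest()
    frame1 = b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n"  # predictable request
    frame2 = b"POST /login user=alice&password=hunter2\r\n"    # the secret
    client = Station(reinstall_resets)
    client.install_key(ptk)          # the real four-way handshake completes
    pn1, c1 = client.send(frame1)
    client.install_key(ptk)          # attacker replays handshake message 3
    pn2, c2 = client.send(frame2)
    return pn1, pn2, recover_second_frame(c1, frame1, c2)


if __name__ == "__main__":
    for vulnerable in (True, False):
        pn1, pn2, recovered = run_attack(vulnerable)
        print(f"vulnerable={vulnerable}: nonces {pn1},{pn2} -> {recovered!r}")
```

With the vulnerable client both frames carry packet number 1, and the attacker, who can guess the first request, reads the second one in the clear; the patched client keeps counting, the keystreams differ, and the same XOR produces garbage. This is also why the fix belongs on the client: the access point never sees anything wrong, and the Wi-Fi password is never involved.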
CIS and Micro Focus, global leaders in Identity and Access Governance, are teaming up on October 5th to bring an exciting, engaging dinner event to C-level executives interested in learning more about the organizations and their cutting-edge Identity solution. The event will feature a private dinner and discussion with Dan Shmitt, Chief Information Officer, Major League Baseball (MLB) Advanced Media. Mr. Shmitt will share his experiences working with both organizations and host a round-table discussion focused on the many advantages gained from implementing the solution. Highlights will include:
The event will take place at a famous New York City steakhouse, and is by invitation only. If you are interested in attending, please contact your CIS rep, or email us and someone will get right back to you.
To celebrate our many years of partnership, and reward our treasured mutual clients with a top-end dinner and night out, CIS and ShoreTel are pleased to announce we will be hosting an exclusive Client Appreciation Dinner on the evening of September 27th. The Italian restaurant selected for the event is among the most well-reviewed in New York City, and is sure to provide a first-class experience for everyone in attendance. We are doing everything possible to touch base with personal invitations, but if you are a CIS or ShoreTel client who has not heard from us, and would like to attend, please contact your CIS rep today!
Well, probably not, but that could largely be due only to the fact that the KGB was disbanded in 1991. The current iteration of Russia’s State Security organization is known as the Federal Security Service of the Russian Federation, or FSB; this is the organization alleged to be utilizing ties to Kaspersky Lab for nefarious purposes.
Kaspersky Lab is the 4th most widely adopted anti-virus platform in the world, and holds the largest market share of any European cyber-security manufacturer. With over 400 million users since the company was founded in 1997, Kaspersky is a very large player in the global security space, which makes dire warnings about the company’s product line, such as those issued by U.S. Cybersecurity Coordinator Rob Joyce at the end of August, extremely concerning.
“I worry that as a nation state Russia really hasn’t done the right things for this country and they have a lot of control and latitude over the information that goes to companies in Russia.” – Rob Joyce, U.S. Cybersecurity Coordinator
Following his commentary about the security of Russian companies, Joyce went on to say that he would not recommend Kaspersky Lab products to family and friends, reinforcing the emerging official stance of the U.S. government that Kaspersky products are not to be trusted.
Suspicions about Kaspersky Lab have been abundant in tech and government communities for several years now, persisting despite strong denials by Kaspersky Lab and its founder, Eugene Kaspersky. Kaspersky, acting as CEO of the company, has gone so far as to offer source code for his security products for independent review; an offer which has yet to be accepted by any government organization.
A great deal of the suspicion in this case is directed at Kaspersky himself. A member of Russia’s elite, Kaspersky was educated in a KGB-connected University, and maintains many connections to high-profile figures in Russian government and national industry. The Russian government, and this community of oligarchs, has repeatedly and publicly made attempts to exploit Russian companies for their own benefit, both legally and illegally. There is a growing fear that even if Kaspersky Lab is not willingly cooperating with the Russian government, they may be otherwise compromised.
Recent news reports have confirmed that, throughout the summer, the United States Federal Bureau of Investigation has been meeting with U.S. energy and technology sector companies to quietly advise them to remove all Kaspersky Lab products from their systems. Additionally, in September the Department of Homeland Security issued Binding Operational Directive 17-01, ordering federal civilian agencies to identify and remove all Kaspersky Lab products from their systems. This is an extremely aggressive step which we believe the government would not have taken without careful consideration, as it has potentially broad impact.
At this point, CIS is recommending a highly cautious approach to this situation, and advising our clients to follow the lead of the U.S. Government and begin removing Kaspersky Lab products from any critical systems. Keep in mind that anti-virus software runs with full system privileges, inspects every file, and pulls updates from the vendor on its own schedule, so the trust placed in an anti-virus vendor is equivalent to the trust placed in a domain administrator. Additionally, we advise that any current Kaspersky Lab clients either conduct a Network Vulnerability Assessment or, at minimum, run network security scanning tools. Our team of security experts is available to discuss your requirements at any time and to make recommendations for alternate technology from organizations that do not carry these concerns. If you would like to coordinate a call with our team, please contact your CIS rep today.