Line of Fire: 5 Security Protections that Will Keep You Out of Most Hackers’ Cross Hairs

Dan Guido | Security, Security First

Editor’s note: This guest post by Dan Guido continues our foray into security first, the premise that technology companies should view security not as an operational necessity but as a strategic differentiator.

Dan Guido is the CEO of Trail of Bits, a cyber security R&D firm. In early 2014, he launched Javelin, a technology risk scoring system for companies of all sizes. His past research has applied intelligence-driven defense to mass malware, mobile security, and state-sponsored espionage, proving time and again that attackers have limited resources too. Prior to Trail of Bits, Dan was an application security consultant at iSEC Partners and led the threat intelligence team at the Federal Reserve System. Dan is a Hacker in Residence at NYU-Poly where he teaches the capstone course on software exploitation in their cyber security program. Dan also runs an annual security conference focused on pragmatic security research, THREADS, which discusses how to automate security to ensure that security is never a roadblock, but a core part of development and operations.

If you look at the current state of cyber security, it can be neatly summed up with three simple words: Everything is hackable. The reality is that the technology we hold most dear is almost always insecure thanks to a variety of issues. The protocol-, design-, and implementation-level flaws in software like OpenSSL and the SSL protocol provide just the latest examples. It’s thanks to issues like these, among others, that companies often wind up getting hacked when they add a new feature or functionality to their products.

Not only is the state of security pretty poor, the security industry is largely driven by fear, uncertainty and doubt. That compounds the problem further by shifting companies’ focus to security products rather than secure products. In other words, they often leapfrog the fundamental (and usually free) steps that they should take to ensure their security, and jump right into investing vast sums of money in point solutions that don’t actually address the problems they’re facing.

So instead of approaching security from the perspective of the next product you need to buy, or trying to sift through the enormous amount of misinformation in the market, take a different tack. Look at security as a straightforward, empirical problem that can be solved through engineering.

The first step is to recognize that hackers aren’t tornados; they’re not forces of nature that cause random damage to random companies based on random vulnerabilities that they’ve identified at those companies. Instead, hackers work to achieve specific goals and generally like to follow the path of least resistance. They look for the cheapest and easiest way possible to gain access to the data they’re after. Putting a few basic roadblocks in their way will discourage them — often to the point where they’ll take their sights off of you to focus on easier targets.

It’s also important to understand the costs of a breach in dollar terms and that those costs can rise quickly with the scale of the breach. According to the 2015 Verizon Data Breach Investigations Report (DBIR), expected costs for a ‘small’ breach of 100 records start around $25,000. However, they quickly rise to around $500,000 for 100,000 records and reach into the multiple millions of dollars for breaches involving 1M records or more. It’s less about the size of your company and more about the size of the data at risk. If you are looking for justification for investing in avoiding a data breach, make sure you check out the 2015 edition of the Verizon DBIR.

Although the stakes are incredibly high — not only are security breaches expensive to fix, they can also seriously damage your brand — there are some very simple things that you can do to dramatically increase your security. They’re not expensive or complicated, yet they’re incredibly effective at deterring hackers. Let’s take a look at five important protections:

(1) Proactive Monitoring

One of the easiest steps your company can take is proactively monitoring your services so that you know if you’ve been hacked before everyone else on the Internet does. That means gathering intelligence by aggregating information from blacklists, IP reputation feeds, threat feeds, and underground websites where people might be talking about compromising your firm or your clients. There are lots of services that you can use to automate this process, such as Google Safe Browsing, VirusTotal and DNSBL.
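One concrete piece of that monitoring is checking your own address space against DNS-based blocklists (DNSBLs), which is how you find out your mail server is listed before your customers’ spam filters tell you. The script below is an added example, not code from the original post or from Trail of Bits. The zone names are the well-known public DNSBLs; the resolver is injectable so the demo runs offline against a constructed answer table, and the default resolver is a plain stdlib lookup. The IP addresses used are from the TEST-NET range and are constructed.

```python
"""Check your own IPv4 addresses against DNS-based blocklists.

A DNSBL is queried by reversing the IP's octets and appending the zone:
1.2.3.4 checked against zen.spamhaus.org becomes 4.3.2.1.zen.spamhaus.org.
NXDOMAIN means 'not listed'; an answer in 127.0.0.0/8 means 'listed', with
the last octet encoding a zone-specific reason.
"""
import ipaddress
import socket

# Assumption: these are the zones you want to watch; add or remove as needed.
DNSBL_ZONES = ["zen.spamhaus.org", "bl.spamcop.net"]

# Spamhaus reserves 127.255.255.0/24 for query errors (blocked public
# resolver, excessive volume, ...). Those are failures, not listings.
ERROR_RANGE = ipaddress.ip_network("127.255.255.0/24")
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reverse-octet query name for an IPv4 address."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this helper handles IPv4 only")
    reversed_octets = ".".join(reversed(ip.split(".")))
    return f"{reversed_octets}.{zone}"


def real_resolver(name: str):
    """Resolve a name to an IPv4 string, or None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def classify_answer(answer):
    """Map a DNSBL answer to 'clean', 'listed' or 'error'."""
    if answer is None:
        return "clean"
    addr = ipaddress.ip_address(answer)
    if addr in ERROR_RANGE:
        return "error"
    if addr in LISTED_RANGE:
        return "listed"
    # Anything outside 127/8 is not a DNSBL answer (e.g. wildcarded DNS);
    # treat it as an error so it gets looked at rather than ignored.
    return "error"


def check_listings(ips, zones=DNSBL_ZONES, resolver=real_resolver):
    """Return {ip: [(zone, answer), ...]} for every IP that is listed,
    plus a separate list of (ip, zone, answer) query errors."""
    listed, errors = {}, []
    for ip in ips:
        hits = []
        for zone in zones:
            answer = resolver(dnsbl_query_name(ip, zone))
            verdict = classify_answer(answer)
            if verdict == "listed":
                hits.append((zone, answer))
            elif verdict == "error":
                errors.append((ip, zone, answer))
        if hits:
            listed[ip] = hits
    return listed, errors


# Constructed answers standing in for DNS so the demo runs offline:
# the mail server 203.0.113.10 is listed by one zone; 203.0.113.20 is clean;
# the lookup for 203.0.113.30 hits a Spamhaus error code.
FAKE_DNS = {
    "10.113.0.203.zen.spamhaus.org": "127.0.0.2",
    "30.113.0.203.zen.spamhaus.org": "127.255.255.254",
}


def demo():
    return check_listings(
        ["203.0.113.10", "203.0.113.20", "203.0.113.30"], resolver=FAKE_DNS.get
    )


if __name__ == "__main__":
    listed, errors = demo()
    for ip, hits in listed.items():
        print(f"ALERT {ip} listed:", ", ".join(f"{z} -> {a}" for z, a in hits))
    for ip, zone, answer in errors:
        print(f"CHECK {ip} query to {zone} returned error code {answer}")
```

Run it from cron against the list of IPs your mail and web servers actually send from, and page on any new listing; the error path matters because querying Spamhaus through a public resolver silently returns an error code instead of a verdict.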

(2) E-mail Security

Humans are often the weakest link in cyber security and a significant number of us are still susceptible to attacks via e-mail. E-mail forgery and phishing are big problems that aren’t so easy to address. Even the very best training only goes so far, with growing numbers of employees being duped into clicking on fake e-mails. Fortunately, there are technical solutions available that make phishing a lot harder. Take SPF, DKIM, and DMARC, for example, a trio of standards that help prevent e-mail forgery by ensuring that your e-mail must come from your designated mail servers and not anywhere else.

Before you do anything, you need to understand how you communicate with your customers so that you can then tell them exactly which authorized methods you’ll be using to contact them. Once you do, inventory all of your mail services, including third-party services like MailChimp or other mailing list managers. Make sure that you turn on all of those standards in a report-only mode. Then review and tighten your configuration every quarter. When properly configured, using these security standards will not only make your e-mail communications more secure, but also help you improve your mail delivery rates.
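The quarterly review above is mostly reading two TXT records and deciding whether they are still in report-only mode. The script below is an added example, not code from the original post or from Trail of Bits: it parses an SPF record and a DMARC record and lists what is still loose. The records are constructed (the include names are placeholders for whatever third-party mailers you inventoried); in production you would fetch them from DNS, SPF at the domain apex and DMARC at `_dmarc.<domain>`.

```python
"""Review SPF and DMARC records and flag settings left in report-only mode."""

# SPF mechanisms that each cost one of the 10 permitted DNS lookups.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def parse_spf(record: str) -> dict:
    """Return the qualifier on the 'all' term, the includes, and the number
    of lookup-causing terms in an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms = terms[1:]
    qualifier = "none"          # no 'all' term at all: unlisted senders are neutral
    includes, lookups = [], 0
    for term in mechanisms:
        bare = term.lstrip("+-~?")
        name = bare.split(":", 1)[0].split("=", 1)[0].lower()
        if name == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
        elif name == "include":
            includes.append(bare.split(":", 1)[1])
        if name in LOOKUP_MECHANISMS or name == "redirect":
            lookups += 1
    return {"qualifier": qualifier, "includes": includes, "lookups": lookups}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def review(spf_record: str, dmarc_record: str) -> list:
    """Return human-readable findings, loosest settings first."""
    findings = []
    spf = parse_spf(spf_record)
    if spf["qualifier"] == "none":
        findings.append("SPF: no 'all' term, unlisted senders pass as neutral; add ~all or -all")
    elif spf["qualifier"] in "+?":
        findings.append(f"SPF: '{spf['qualifier']}all' lets anyone send as you; use ~all or -all")
    elif spf["qualifier"] == "~":
        findings.append("SPF: ~all (softfail) is report-only; move to -all once reports are clean")
    if spf["lookups"] > 10:
        findings.append(f"SPF: {spf['lookups']} top-level lookups exceed the limit of 10; the record is permerror")
    dmarc = parse_dmarc(dmarc_record)
    policy = dmarc.get("p", "none")
    if policy == "none":
        findings.append("DMARC: p=none is report-only; tighten to p=quarantine, then p=reject")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; the final step is p=reject")
    if "rua" not in dmarc:
        findings.append("DMARC: no rua= address, so nobody receives the aggregate reports")
    if dmarc.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={dmarc['pct']} only applies the policy to a sample of mail")
    return findings


# Constructed records for a domain in its first report-only quarter.
SPF_RECORD = "v=spf1 include:_spf.mailer-a.example include:_spf.mailer-b.example ~all"
DMARC_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"


def demo() -> list:
    return review(SPF_RECORD, DMARC_RECORD)


if __name__ == "__main__":
    for finding in demo():
        print("-", finding)
```

The lookup counter only sees the top-level record; nested includes count against the same limit of 10, so a large number of third-party mailers can break SPF entirely even when this check passes.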

(3) Transport Layer Security (TLS)

It’s important to have a properly configured digital certificate and properly configured TLS protocol support on your server. Why? You want to ensure that all client communications are kept private and not modified by others. The difference between using TLS and not is the same as between sending a postcard and sending a letter. Anyone can look at your postcard, cross out words and replace them with something else. By using TLS, however, you can ensure that your communications remain enveloped behind a tamper-protected seal.

Maybe more importantly, you don’t want visitors to your website having to click through a warning to be able to access your website and you don’t want your developers shut out from the latest HTML and JavaScript features. As browser vendors have made clear, this is something that’s going to be increasingly the case in the years ahead.

So how do you do this right?

First, create a high-security certificate from a reputable authority like Let’s Encrypt or DigiCert. This certificate should use the “SHA-2” hashing algorithm and refer to the correct hostname. Second, you need to configure your server software correctly. Don’t enable weak ciphers, old versions of SSL, or client-initiated renegotiation. Finally, make sure that you have an automated process set up to ensure renewal of your certificate when it expires.
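The three steps above map onto a few lines of server-side configuration and a renewal check that a cron job can run. The script below is an added example, not code from the original post or from Trail of Bits. It uses only Python’s standard `ssl` module: the context implements “no old SSL versions, no weak ciphers”, and the certificate checks are what a monitor would run on the certificate it sees on the wire. The certificate dictionary is constructed, in the shape `SSLSocket.getpeercert()` returns; the cipher string and the 30-day renewal threshold are assumptions you can tune.

```python
"""Hardened server TLS context plus hostname and expiry checks for renewal."""
import ssl
from datetime import datetime, timezone

# Cipher name fragments that should never appear in a modern configuration.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT")


def hardened_server_context(certfile=None, keyfile=None) -> ssl.SSLContext:
    """TLS 1.2+ only, forward-secret AEAD ciphers only, no compression."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSLv3, TLS 1.0, TLS 1.1
    # Assumed cipher policy: ECDHE key exchange with AES-GCM or ChaCha20;
    # TLS 1.3 suites are separate and already safe by construction.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    ctx.options |= ssl.OP_NO_COMPRESSION           # TLS compression enables CRIME
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def weak_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of enabled ciphers that match a weak marker (expected: none)."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(m in c["name"].upper() for m in WEAK_CIPHER_MARKERS)]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Simplified SAN check: exact match or one leading wildcard label.
    Real verification is done by the library (check_hostname=True); this is
    for reporting what a certificate you fetched actually claims to cover."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    host_labels = hostname.lower().split(".")
    for name in names:
        labels = name.lower().split(".")
        if labels == host_labels:
            return True
        if (labels[0] == "*" and len(labels) == len(host_labels)
                and labels[1:] == host_labels[1:]):
            return True
    return False


def days_until_expiry(not_after: str, now: datetime) -> float:
    """Days left on a certificate given its getpeercert()['notAfter'] string."""
    expires = ssl.cert_time_to_seconds(not_after)
    return (expires - now.timestamp()) / 86400


def needs_renewal(not_after: str, now: datetime, threshold_days: int = 30) -> bool:
    return days_until_expiry(not_after, now) < threshold_days


# Constructed certificate in the getpeercert() shape; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notAfter": "Jan 15 00:00:00 2026 GMT",
}
# Fixed clock so the example is deterministic; use datetime.now(timezone.utc) in practice.
FIXED_NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)


def demo() -> dict:
    ctx = hardened_server_context()
    return {
        "min_version": ctx.minimum_version,
        "weak_ciphers": weak_ciphers(ctx),
        "hostname_ok": hostname_matches(SAMPLE_CERT, "www.example.com"),
        "days_left": days_until_expiry(SAMPLE_CERT["notAfter"], FIXED_NOW),
        "renew": needs_renewal(SAMPLE_CERT["notAfter"], FIXED_NOW),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Client-initiated renegotiation is not a setting the Python `ssl` module exposes; it is turned off in the web server itself (nginx and Apache both disable it by default in current releases), so that part of step two stays in your server configuration rather than in code like this.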

Remember, using TLS is not just for websites. Any service you offer should protect the confidentiality and integrity of the information it transmits. After you get TLS set up for your website, check that your mail server uses it too.

(4) Registrar-Lock

Your domain name is critically important to your business because it’s how people interact with you. That’s why you must ensure that it can’t be transferred away or deleted — something that can and does happen on a regular basis. It’s the number one tactic that hacktivists have used to cause meaningful damage (see this post about Tesla, one of the more prominent hacked brands in recent months).

Fortunately, there’s a special feature that most domain registrars have called a registrar-lock. If you turn it on, your domain registrar is required to call you or perform some kind of out-of-band communication with you to ensure that whatever change you’ve just made to your registration was authorized. Most registrars support this and two-factor authentication. All you need to do is log in and turn the registrar lock feature on. When you do, make sure that you’ve got two-factor authentication turned on too.

Very few people know about this and it’s one of the cheapest solutions available to help you ensure your security.

(5) Reduce Your Attack Surface

There are a number of different network services you should not expose to the Internet. For example, services like Elasticsearch frequently have remotely exploitable issues.

You also don’t want to expose services from SQL databases such as Microsoft SQL, Oracle or MySQL directly. The same is true for key-value stores such as Redis or CouchDB; in the case of Redis the default is no authentication. You will also want to turn off Telnet, VNC and Terminal Services, and make sure you are not exposing NFS or any other network file system.

If any of these services are accessible from the Internet, an attacker can use password cracking and continue to grind on them day in and day out. Once inside, they can wreak havoc on any part of your infrastructure because now the attacker will be operating from a trusted host.

It’s also a good idea to work from an outside-in perspective (so that you can see what others see) using a tool like nmap to map out all the services your company is running. Then set up alerts so that if a host starts listening on a new port you’re notified quickly. For example, you might want an alert if a server starts listening on port 4444 (the default port for Metasploit).
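Putting the last two sections together: scan from outside with nmap, keep the previous run as a baseline, and alert on anything new or on any of the services listed above showing up at all. The script below is an added example, not code from the original post or from Trail of Bits. It parses nmap’s grepable output (`nmap -oG`) and diffs two runs; the two scan results embedded here are constructed, with TEST-NET addresses, and the port-to-service table is an assumption covering the services the post names (the 4444 entry is the Metasploit default from the text).

```python
"""Diff two nmap -oG scans and alert on new or never-to-be-exposed ports."""

# Assumption: services that should not face the Internet, keyed by default port.
NEVER_EXPOSE = {
    23: "telnet", 445: "smb", 2049: "nfs", 1433: "mssql", 1521: "oracle",
    3306: "mysql", 3389: "terminal services/rdp", 5900: "vnc", 5984: "couchdb",
    6379: "redis", 9200: "elasticsearch", 4444: "metasploit default",
}


def parse_grepable(text: str) -> dict:
    """Return {host: {(port, proto): service}} for open ports in -oG output.

    Each -oG host line is tab-separated; the 'Ports:' field holds entries of
    the form port/state/protocol/owner/service/rpc-info/version/."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        hosts.setdefault(host, {})          # hosts with no open ports still count
        if "Ports:" not in line:
            continue
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 5:
                continue
            port, state, proto, _owner, service = fields[:5]
            if state == "open":
                hosts[host][(int(port), proto)] = service
    return hosts


def diff_exposure(baseline: dict, current: dict) -> list:
    """Alert on ports not in the baseline and on any NEVER_EXPOSE port."""
    alerts = []
    for host, ports in current.items():
        base = baseline.get(host, {})
        for (port, proto), service in sorted(ports.items()):
            label = service or "unknown"
            if (port, proto) not in base:
                alerts.append(f"NEW {host} {port}/{proto} ({label})")
            if port in NEVER_EXPOSE:
                alerts.append(
                    f"EXPOSED {host} {port}/{proto} should not face the Internet "
                    f"({NEVER_EXPOSE[port]})"
                )
    for host in baseline:
        if host not in current:
            alerts.append(f"GONE {host} no longer answered; check the scan, not just the host")
    return alerts


# Constructed scan output in nmap -oG format: last quarter's baseline...
BASELINE_SCAN = """# Nmap scan initiated (constructed sample)
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 443/open/tcp//https///\tIgnored State: closed (998)
"""
# ...and this week's run: 4444 appeared on the web host and a new host exposes Redis.
CURRENT_SCAN = """# Nmap scan initiated (constructed sample)
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 443/open/tcp//https///, 4444/open/tcp/////\tIgnored State: closed (997)
Host: 203.0.113.20 ()\tPorts: 6379/open/tcp//redis///\tIgnored State: closed (999)
"""


def demo() -> list:
    return diff_exposure(parse_grepable(BASELINE_SCAN), parse_grepable(CURRENT_SCAN))


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Scan from a host outside your own network (a small cloud instance works), store each run, and feed the previous one in as the baseline; an empty alert list is the normal, quiet result you want from the weekly job.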

Don’t Give Hackers a Chance

Staying out of most hackers’ line of fire is easier and cheaper than you think. It doesn’t take complex point solutions, but rather a back-to-basics approach. Everything I have described above can be done at no cost other than your time. By ensuring that you’re following all of the steps outlined in this post, you’ll be light years ahead of most other companies and a harder target for hackers.