
Wednesday, February 22, 2017

What are three corporate policies to mitigate risks for cybersecurity attacks at the global level?

  • Disable macros at the policy level: A very common point of entry for malware, be it a botnet, a remote access trojan, or ransomware, is the built-in scripting language of Microsoft Office: macros. In fact, the middle of 2016 saw a very large campaign of spammed Office malware leveraging macros within macro-enabled document templates (Molyett & Lee, 2016). With Windows 10 and new updates to Office, the enterprise-level configuration, Group Policy, can enable "Block macros from running in Office files from the Internet" (Khanse, 2016), a feature that should always be used. Any person on the network who needs to open such files should be provided a virtual machine for reading them.

  • Submit all email attachments and links to a sandbox scanner: Other than Office macros, spam carries with it malware executables, links to exploit kits, and various nested-file tricks for executing malcode. An effective network protection policy is to have all incoming emails submitted to an automated scanner (Eckstein, 2015). Such a solution delays emails by a few minutes, but avoiding a ransomware infection is well worth it.

  • Two-factor authentication: The last common delivery through email is directions to phishing websites for collecting user credentials. When a user falls for one of these sites, which often look pixel perfect because the scammer has the same technologies available as the original web developer, the attacker gains the user's login and password for the copied service. This is how Hillary Clinton's campaign chairman, John Podesta, had his email hacked in 2016 (Vaas, 2016): he accidentally logged into a fake Google Mail support page, and the attackers collected his credentials. Two-factor authentication usually means that, in addition to knowing the secret password and the not-so-secret username, a user must also possess a physical device to log in successfully. Phishing attacks then fail to provide access even once credentials have been harvested.
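An added example, not from the original post: a PowerShell script that audits, and with -Enforce sets, the per-user registry value behind the "Block macros from running in Office files from the Internet" Group Policy setting for Word, Excel and PowerPoint. It assumes Office 2016 or later (the 16.0 version key); a domain GPO delivers the same value centrally, this script is for checking a single machine.

```powershell
# Added example (not from the original post): audit and optionally enforce the
# "Block macros from running in Office files from the Internet" policy value.
# Assumes Office 2016/365 (registry version key 16.0) and the per-user policy
# hive under HKCU; a domain GPO writes the same value name.
param([switch]$Enforce)

$apps = 'Word', 'Excel', 'PowerPoint'
$valueName = 'blockcontentexecutionfrominternet'

function Get-MacroBlockState {
    param([string]$App)
    $path = "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
    $item = Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }   # no policy key or value present
    if ($item.$valueName -eq 1) { return 'Blocked' }  # Internet-sourced macros blocked
    return 'Allowed'                                  # explicitly set to 0
}

function Set-MacroBlock {
    param([string]$App)
    $path = "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
}

foreach ($app in $apps) {
    $state = Get-MacroBlockState -App $app
    if ($state -ne 'Blocked' -and $Enforce) {
        Set-MacroBlock -App $app
        $state = Get-MacroBlockState -App $app   # re-read so the report shows the new state
    }
    [pscustomobject]@{ Application = $app; InternetMacros = $state }
}
```

Run it without -Enforce first to see which applications are still unconfigured; files already marked as from the Internet (Mark-of-the-Web) are the ones the policy acts on.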

Eckstein, P. (2015). AMP Threat Grid Extends and Bolsters Our Ability to Combat Malicious Malware. Cisco. Retrieved from https://blogs.cisco.com/ciscoit/b-sec-10232015-amp-threat-grid-combats-malicious-malware
Khanse, A. (2016). Prevent and block Macros from running in Microsoft Office using Group Policy. The Windows Club. Retrieved from http://www.thewindowsclub.com/block-macro-malware-microsoft-office
Molyett, M. & Lee, M. (2016). Macro Intruders: Sneaking Past Office Defenses. Cisco Talos. Retrieved from http://blog.talosintel.com/2016/08/macro-intruders-sneaking-past-office.html
Vaas, L. (2016). DNC chief Podesta led to phishing link ‘thanks to a typo’. Sophos. Retrieved from https://nakedsecurity.sophos.com/2016/12/16/dnc-chief-podesta-led-to-phishing-link-thanks-to-a-typo/

Friday, August 21, 2015

Why bug bounties?

"Rule #1 of bug bounties: No matter how much money you're offering, assume that someone evil found the bug first and didn't report it" - Colin Percival of tarsnap

This! This is why locating and fixing possibly exploitable bugs is so important and why bug bounties help.

If a black hat finds an exploit then they will make money. So there is a direct monetary reward for black hats finding vulnerabilities. Bugs = $.

If a developer ships software then they will make money. There is no money in creating perfect vaporware, only in completed software.
Shipped software = $.
Shipped software has bugs. Therefore your developers will be just as likely to innocently introduce bugs as prevent exploits. Not a good line of defense.

A fixed set of QA engineers will only ever find the bugs that they find. And they are on salary.
Time = $.
They will not find the bugs that are outside of the processes and skills of that fixed team.

So at this point, only one of our three groups has a direct financial reward for finding exploitable bugs in shipped software... and they won't be telling you about it. They have had a reason to be pounding on your software to the very best of their abilities and a reason to succeed. Their livelihood is dependent on being the first to that bug. So they probably were. How many 0-days were exposed by Stuxnet? Hacking Team?

Those that benefit most could have spent the most resources on finding the bugs. So you have to assume that they already did.

Tuesday, January 13, 2015

How many bits of entropy will stop a targeted attack?

Over at security.stackexchange there is currently the following question:
    The OpenPGP (private) key format stores the key symmetrically encrypted ... key expansion takes about a second on my computer (GPG).
    With this kind of setup, is it possible to make it hard enough to brute-force that it's sane to have the private-key publicly available?
    I expect the answer depends on the passphrase complexity. E.g. if you somehow managed to have a passphrase with 256 bits of entropy, then an attacker would be better off just guessing the derived key instead of the passphrase - which in this case amounts to brute-forcing an AES key (which I'd consider hard enough to be "safe"). So the question might really be "how complex does your passphrase have to be to make this safe?".
I touched on this thought in my comment over there, but would like to muse on the question a bit more.
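The brute-force side of the question can be carried through as a short derivation (added here, not part of the original post or the quoted question). Let $H$ be the passphrase entropy in bits, $k$ the symmetric key length, $t_{kdf}$ the time for one passphrase trial (about $1\,\mathrm{s}$ per the question) and $t_{aes}$ the time for one raw AES key trial; $t_{aes} = 10^{-6}\,\mathrm{s}$ below is an assumed figure for illustration, not a measurement.

$$
W_{pass} = 2^{H-1}\, t_{kdf}, \qquad W_{key} = 2^{k-1}\, t_{aes}
$$

Guessing the passphrase stays the cheaper route only while $W_{pass} < W_{key}$, that is

$$
H < k - \log_2\!\left(\frac{t_{kdf}}{t_{aes}}\right).
$$

With $t_{kdf}/t_{aes} = 10^{6}$ the slow key expansion is worth $\log_2 10^{6} \approx 20$ bits, so the crossover is $H \approx 108$ bits for $k = 128$ and $H \approx 236$ bits for $k = 256$. Past that point more passphrase entropy buys nothing against brute force, which is exactly where an attacker's remaining options become the ones discussed next.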

He is talking about having his encrypted private key publicly exposed, most likely in a way that associates it back to one of his accounts. Unless he plans on never actually using the key pair, someone malicious would gain real benefits from obtaining the private key: forging messages, opening messages sent to him, and possibly opening messages sent from him. Also, just the thrill of winning may drive folks to attempt this challenge.

Folks, don't issue challenges like this. Remember Todd Davis, the LifeLock CEO who put his Social Security Number in the ads because of how confident he was in his product? He has been identified as an identity theft victim 13 times. And that is with his entire company's mission and reputation on the line (a reputation that the federal government viewed as $12 million tarnished!). Don't do it!

Once the challenge is issued, it isn't just a question of whether the password can be cracked. It now becomes a question of whether he can be hacked. Well-crafted, personalized malicious emails (spear phishing) will be sent to him, possibly even coming from his compromised friends. When you are a target, anyone connected to you may become a target. As a target, a large amount of personal information can typically be gathered about you, including address, phone number, family members and more. Unfortunately this activity, doxxing, is fairly common as a type of online harassment. Given enough of a challenge, what can someone do with all this information?
[Image: XKCD comic. Caption: Not a *likely* outcome. Source: XKCD]
If a hacker gains control of your computer, they can place software to harvest your sensitive data: passwords, pseudonyms, possibly financial information.

Please, don't intentionally make yourself a target. (Says the guy that ran for Congress in 2014)

Sunday, January 4, 2015

Extending your home network... insecurely

I reorganized my house this week and gained a private office space, though one without a coaxial jack. This makes it impossible to immediately replicate my previous setup of a whopping three feet of CAT 6 between my main workstation and the FiOS router. Unfortunately a WiFi connection isn't an option as the box isn't compatible.

Options for connecting a new room to your home network

  1. Add CAT 6 Ethernet cabling: Doing this cleanly requires running cables through the walls and cutting holes for new outlet boxes with a face plate. Highly suggested if you own your house, but I'm in a rental. Pass.
  2. Reuse an extra wireless router as a wireless bridge: I tried this one for a few hours (hours that the wife was not happy I was spending!) but the only router I had sitting around was an Actiontec MI424WR Rev I which is not compatible with DD-WRT firmware.
  3. Power-line networking: Add a device to connect Ethernet networking over the existing power lines within the house. The guy I talked to at Best Buy recommended the Actiontec Powerline Ethernet Adapter Kit [PDF] over the WiFi extender I was looking at. At $39.99 instead of $99.99, I decided to try it.
[Image: the box, claiming "Fast and easy...setup in less than 5 minutes"]
The box claims a quick and easy set-up, just plug the single adapter into the wall and wire it to the router. Plug the four port adapter into the wall near your machines and wire them up. So I did, and almost immediately my workstation was connected to the Internet... success! Or so I thought.

Verify that the network is up

Along with my main workstation, my office is home to a server which provides multimedia and intranet web hosting. Once I had Internet access, the next step was to check for the rest of the intranet machines. I navigated to http://192.168.1.1 (default MI424WR address) and the expected page pulled up, but my login failed. After double-checking my typing, the login failed a second and third time. More information needed now!

Check Windows' "Network" page

Under Printers there was a Lexmark, under Computer there was a name I didn't recognize. This is a problem, and one that needed to be addressed immediately! My workstation was connected to someone else's network.
[Image: generic encryption key]
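An added check, not part of the original post: a PowerShell function that verifies the default gateway is the expected router by both IP and hardware address, which would have flagged the neighbours' network before the failed logins did. It assumes Windows 8 or later for the NetTCPIP cmdlets; the expected MAC address is a constructed placeholder.

```powershell
# Added example (not from the original post): confirm that the default gateway
# is *your* router before trusting a newly attached link. Assumes Windows 8+
# (Get-NetRoute / Get-NetNeighbor). The MAC below is a constructed placeholder;
# read the real one off your router's label or its status page.
$ExpectedGatewayIp  = '192.168.1.1'
$ExpectedGatewayMac = '00-11-22-33-44-55'   # constructed placeholder

function Test-ExpectedGateway {
    param([string]$Ip, [string]$Mac)

    # Gateway of the active IPv4 default route (lowest metric wins)
    $route = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
             Sort-Object RouteMetric | Select-Object -First 1
    if (-not $route) {
        return [pscustomobject]@{ Ok = $false; Reason = 'No default route' }
    }
    if ($route.NextHop -ne $Ip) {
        return [pscustomobject]@{ Ok = $false; Reason = "Gateway is $($route.NextHop), expected $Ip" }
    }

    # Populate the neighbour (ARP) cache, then compare the hardware address.
    # A neighbour's router using the same 192.168.1.1 answers with a different MAC,
    # which is exactly the situation the failed logins above hinted at.
    Test-Connection -ComputerName $Ip -Count 1 -Quiet | Out-Null
    $neigh = Get-NetNeighbor -IPAddress $Ip -AddressFamily IPv4 -ErrorAction SilentlyContinue |
             Select-Object -First 1
    if (-not $neigh -or $neigh.LinkLayerAddress -ne $Mac) {
        $seen = if ($neigh) { $neigh.LinkLayerAddress } else { 'unknown' }
        return [pscustomobject]@{ Ok = $false; Reason = "Gateway MAC is $seen, expected $Mac" }
    }
    return [pscustomobject]@{ Ok = $true; Reason = 'Gateway IP and MAC match' }
}

Test-ExpectedGateway -Ip $ExpectedGatewayIp -Mac $ExpectedGatewayMac
```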

Ease of setup security hole

The problem was documented right there in the manual, the adapters come pre-provisioned with a default, generic encryption key. This is great for easy set up because you can just plug it in and go. It is bad for security because it means you can just plug it in and join any network that is already there! Turns out my neighbors already had expanded their network with a similar, compatible product. They plugged it in and it just worked. I plugged mine in and it just worked... with their existing network.

I don't understand why the manual in the box doesn't tell you how to update the encryption key; it just directs you to their website. Which pretty much guarantees that a random person directed by their Best Buy clerk will never update it.

From the Actiontec website:
    How do I change the encryption key on a PWR500 Powerline Adapter?
    To reset and change the encryption key on the PWR500, follow the steps below:
  1. Plug the Adapters into electrical outlets on the same circuit.

  2. Press and hold the Security button on each unit one at a time for exactly 10 seconds. On the 10th second, let go of the button. When you release the button, the Power LEDs will turn off very briefly and turn back on. The LK LEDs will not turn back on at this time.

  3. Then on one of the units, press and hold the Security button for exactly 3 seconds. On the 3rd second, release the button. When you release the button, the Power LED will begin to flash.

  4. Now on the other unit, press and hold the Security button for exactly 3 seconds. On the 3rd second, release the button. When you release the button, the Power LED will turn off and back on briefly, and then the LK LED should be lit on both units. Provided the LK lights on both units are lit, the encryption key has been changed and the two Adapters are now connected on the same Powerline network with a new encryption key.

Sunday, November 10, 2013

System Assurance through Memory and Shared Resource Protection

To follow up on the teaser introduction posted a few days ago, here is the public release of my recent paper System Assurance through Memory and Shared Resource Protection!

Week 10 of 12 for this semester. Almost finished!
