Thursday, March 31, 2016

Being Ready for Zero-Days, a Badlock Example

Being ready for the eventuality of zero-days is something all organizations should integrate into their security plans. This means knowing your environment and knowing how to respond quickly to critical threats. Let's take the latest 'Badlock' announcement as an example.

Last week SerNet issued a notification of a potentially critical bug present in both Windows and Samba, which they have named the Badlock bug. Their notification stated that patches for this issue will be released on April 12th. If a critical issue does exist, the long lead time before patch availability gives malicious actors some time to identify the bug and exploit it before patches are available. We currently have no information as to the actual severity of this issue; however, you should take this time to perform the following actions:

  • Identify all existing CIFS/Samba servers on your network.
  • Review firewall rules and processes for issuing rule changes.
  • Ensure that your monitoring tools are updated and working as expected.
  • Review your patching procedures and plan for the possibility of emergency patching on April 12th.

Identify all existing CIFS/Samba servers on your network.

It's important to be aware of all existing services on your network in order to properly address new vulnerabilities that threaten your infrastructure. Even if admins self-identify the services their systems provide, they may not be aware that a service was enabled automatically. To identify CIFS/Samba servers on your network you can use a number of different methods:

  • Port scanning your address space using tools like nmap or masscan.
  • Checking network flows for connections to local hosts on port 445 using tools like Bro or NetFlow collectors like nfsen or argus.

Review firewall rules and processes for issuing rule changes.

If you are using firewall rules, either at your network border or directly on the host, make sure they are configured correctly and that you know the process for enabling new rules, both technically and procedurally. Limiting network access can also be accomplished by using private address space that is not reachable from outside your local network. If you have services exposed to the public internet that should not be publicly accessible, consider moving them to such internal private networks.
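The flow-based inventory described under "Identify all existing CIFS/Samba servers" and the exposure check under this firewall section can be combined in one pass over connection logs. The following is an added example, not code from the original post or from the Bro project: it reads a constructed, simplified Bro conn.log excerpt (a subset of the real columns), lists local hosts that completed TCP handshakes on port 445, flags any not in an assumed admin-reported inventory, and flags any that were reached from outside the assumed local address space.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the style of a Bro conn.log (tab-separated; only a
# subset of the real columns): ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, conn_state
SAMPLE_CONN_LOG = """\
1459425600.10\t10.1.2.15\t49211\t10.1.5.20\t445\ttcp\tSF
1459425601.30\t10.1.2.16\t49300\t10.1.5.20\t445\ttcp\tSF
1459425602.00\t10.1.2.15\t49212\t10.1.7.88\t445\ttcp\tSF
1459425603.50\t198.51.100.7\t51000\t10.1.7.88\t445\ttcp\tSF
1459425604.70\t10.1.2.15\t49213\t10.1.9.1\t445\ttcp\tS0
1459425605.90\t10.1.2.15\t49214\t10.1.5.20\t22\ttcp\tSF
"""

KNOWN_SERVERS = {"10.1.5.20"}                      # assumed admin-reported CIFS/Samba hosts
LOCAL_NETS = [ipaddress.ip_network("10.1.0.0/16")]  # assumed local address space
ESTABLISHED = {"SF", "S1", "S2", "S3", "RSTO", "RSTR"}  # Bro states with a completed handshake

def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def find_smb_servers(conn_log, port=445):
    """Map each local host that accepted TCP connections on `port` to the
    set of client IPs seen and the subset of those clients that are external."""
    servers = defaultdict(lambda: {"clients": set(), "external_clients": set()})
    for line in conn_log.splitlines():
        if not line or line.startswith("#"):
            continue
        _ts, orig_h, _orig_p, resp_h, resp_p, proto, state = line.split("\t")
        # S0 means the responder never answered: closed or filtered, not a server.
        if proto != "tcp" or int(resp_p) != port or state not in ESTABLISHED:
            continue
        if not is_local(resp_h):
            continue
        entry = servers[resp_h]
        entry["clients"].add(orig_h)
        if not is_local(orig_h):
            entry["external_clients"].add(orig_h)
    return dict(servers)

def report(conn_log):
    servers = find_smb_servers(conn_log)
    unknown = sorted(ip for ip in servers if ip not in KNOWN_SERVERS)
    exposed = sorted(ip for ip, e in servers.items() if e["external_clients"])
    return {"servers": sorted(servers), "unknown": unknown, "exposed": exposed}

if __name__ == "__main__":
    print(report(SAMPLE_CONN_LOG))
```

Hosts listed under "unknown" are candidates for the self-reported inventory being incomplete; hosts under "exposed" are the ones whose border firewall rules deserve the first look.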

Ensure that your monitoring tools are updated and working as expected.

Proper monitoring of your environment will help you identify services on your network and anomalous activity such as attacks against your network or individual systems. Tools like Bro can help identify services on your network that you may not have been aware of. Bro and other tools like Snort/Suricata can help identify active threats against your network and can even help respond to such attacks. As potential threats like Badlock become real, ensure that you know how to update your monitoring tools to identify these specific attacks.

Review your patching procedures and plan for the possibility of emergency patching on April 12th.

SerNet is suggesting that immediate patching will be needed to address this vulnerability as soon as the patch is released, hence the pre-release announcement. It's possible this is a non-event; in any event, however, you should be prepared should the need arise to mitigate this issue. This means blocking and/or monitoring network traffic and on-host activity for vulnerable hosts and patching affected systems. If you manage these systems, you should consider planning for emergency patching on April 12th and what that may entail, including downtime of services, affected users, software compatibility, and reconfiguration of monitoring policies.

Regardless of Badlock or the next named vulnerability down the road, these steps should always be considered in order to proactively address potential threats against your infrastructure. You need to know your environment, understand your internal procedures for mitigation methods, keep your monitoring up-to-date, and have a plan for system patching.

Tuesday, March 29, 2016

Announcing CCoE Webinar Series

In January we announced that CTSC was named NSF's Cybersecurity Center of Excellence. Its role is to provide readily available cybersecurity services tailored to the NSF science community. With this in mind, we are announcing the CCoE Webinar Series. The kickoff presentation will be given by members of the CTSC Leadership Team and focuses on who we are, our activities and projects, and the areas in which we can assist the community. Presentations will be recorded and include time for questions from the audience.
The first event will occur April 25th at 11am (EDT). Click here to register for the kickoff event.

We will be communicating upcoming topics on our discuss mailing list. If you haven't joined the list yet, subscribe here. To submit topics or request to present, contact us here.

Friday, March 25, 2016

ScienceNode on "What does security mean in science today?"

ScienceNode ran an article earlier this week "What does security mean in science today?" featuring a virtual panel with Anita Nikolich (NSF), Tim Minick (Gemini), Steve Barnet (IceCube), and Abe Singer (LIGO).

In case you missed it, there was also an interview earlier this month with Anita Nikolich.

We encourage readers with ideas for other stories regarding cybersecurity and science to contact the ScienceNode editors.