Written by Trevor Bidle, US Signal’s Information Security & Compliance Officer
For West Michigan-based information security professionals, GrrCON is the conference to attend. Every year the conference is a great place for CISOs, security professionals, white-hat hackers, and students to learn, grow, and network. The conference goes fast, and has a lot of good information. This is not a vendor or policy conference.
For US Signal, a multi-year supporter of GrrCON, the conference provides multiple benefits. We always want to gain the business of new customers, and we meet with many. The immediate benefits to US Signal, however, are the skills and techniques that our software development, IT, and security team members gain through attendance. The knowledge is immediately deployable, and not based on theory or books. GrrCON is also a great way to support up-and-coming security professionals.
This year, the conference featured many great topics. The underlying message was that new tools or software are not the key. Rather, focusing on fundamentals will help move security posture further. Here’s an overview of a few of the sessions I found most interesting.
Social Engineering and Phishing
Malicious emails accounted for 66% of malware deployments according to the 2017 Verizon Data Breach Investigations Report. GrrCON delivered multiple breakout sessions that discussed how easy it is to generate malicious email campaigns, the lifecycle of successful data breaches, and the need for better user awareness training. For CISOs, the lesson was clear: the only defense is better user education. The keynote address was particularly noteworthy for addressing the real-world attacker mindset that many do not think of when battling phishing schemes.
Embedded Systems, Building Automation, Cameras, and IoT
CISOs attending the multiple Internet of Things (IoT) and embedded system sessions learned that they should be putting all camera, monitoring, and HVAC support systems on their active risk register. Enterprise-grade camera management software, IP cameras, and HVAC controllers are often neglected, not being patched by the vendors, and are not something that many CISOs know are deployed. These systems are easy targets for hackers. The stats below show the number of vulnerable systems in Michigan that are not being protected by basic security measures such as firewalls. If you do not know what you have, consider a network or security assessment.
Patching was talked about in many sessions and in many ways, but the message was clear. Patching is one of the best lines of defense. Many of the ransomware attacks of 2017 were prevented because of patching. CISOs need to drive accountability for patching and make this a scorecard item for executive management to track. BitSight Technologies, a US Signal partner and vendor, provided a look at systems in Michigan that are not patched, showing how many companies are struggling with this issue.
The presenters who talked about blue teams and defensive tactics were uniform in advocating for a focus on fundamentals and the use of simple solutions to help contain an attack when it occurs. The key message to all security practitioners was, “You will be breached. What you have done before the attack will set the stage for its detection, containment, and mitigation.” Here are some of the takeaways.
Phishing time to breach from click averages 20 seconds.
Implement Microsoft Local Administrator Password Solution (LAPS) to centrally store unique Local Admin Credentials for each workstation deployed on your network.
Set up alerting in your SIEM for your Local Admin account login failures. If you receive an alert, you know there is a problem.
Train and educate employees to ask for help and admit they clicked on a suspicious link.
Ransomware is enabled by unpatched machines, so patch!
Establish honeypot files and folders on your servers and file shares that, if opened, detect hackers and ransomware.
Deploy a folder at the top of your file share that should never be touched. If ransomware is spreading, use File Integrity Monitoring on that folder as a cost-effective and accurate canary to alert via your company's Security Information and Event Management (SIEM) platform.
Where possible, limit the use of admin credentials.
Compliance standards are not keeping pace with current attacks.
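As an added example (not from the post or from US Signal), here is a minimal canary-folder integrity check in Python of the kind the honeypot-folder takeaways describe: hash every file in a folder nobody should ever touch, then treat any addition, deletion, or modification as a critical event to forward to the SIEM. The folder name, file names, and the simulated ransomware activity are constructed for the demo.

```python
# Added example: canary-folder integrity monitor (not the post's or US Signal's code).
import hashlib
import json
import tempfile
from pathlib import Path

def snapshot(canary_dir):
    """Map each file's POSIX-style relative path to its SHA-256 digest."""
    root = Path(canary_dir)
    state = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        state[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return state

def diff_snapshots(baseline, current):
    """Nobody should touch the canary, so every add, delete or change is an event."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            events.append({"event": "canary_deleted", "file": rel})
        elif rel not in baseline:
            events.append({"event": "canary_added", "file": rel})
        elif baseline[rel] != current[rel]:
            events.append({"event": "canary_modified", "file": rel})
    return events

def check_canary(canary_dir, baseline):
    """One monitoring pass; returns JSON lines ready to forward to a SIEM."""
    events = diff_snapshots(baseline, snapshot(canary_dir))
    return [json.dumps({"severity": "critical", "canary_dir": str(canary_dir), **e}) for e in events]

def demo():
    """Constructed scenario: baseline a decoy folder, then mimic ransomware touching it."""
    root = Path(tempfile.mkdtemp())
    decoy = root / "00_DO_NOT_OPEN"          # constructed canary folder name
    decoy.mkdir()
    (decoy / "budget.xlsx").write_bytes(b"constructed sample data")
    (decoy / "passwords.txt").write_bytes(b"constructed decoy")
    baseline = snapshot(root)
    # Simulated ransomware behaviour: overwrite one file in place, rename another.
    (decoy / "budget.xlsx").write_bytes(b"\x00constructed garbage")
    (decoy / "passwords.txt").rename(decoy / "passwords.txt.locked")
    return diff_snapshots(baseline, snapshot(root))

if __name__ == "__main__":
    for event in demo():
        print(json.dumps({"severity": "critical", **event}))
```

In production the baseline would be taken once at deployment and `check_canary` run on a schedule, with its output shipped to the SIEM as the alert source.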
CISO Awareness of Online Footprint
Many of the presentations repeatedly stressed the importance of CISOs and security professionals understanding their companies’ online presence, and how their companies look to the internet. SHODAN.io is a free or minimal cost tool that is great for looking at a company. For a deeper dive, companies like BitSight Technologies can be engaged for further data and forensics. CISOs need to know if they are bolting the front door, but leaving the back door wide open. To provide reference as to why this is a problem, there are 7,200 Microsoft remote desktop sessions available in Michigan for hackers, and 3300 VNC sessions online for hacking. This should be part of a company’s risk register and a regular part of its security operations.
That’s a Wrap
This year’s conference delivered great tools and techniques to help security practitioners keep pace with the current attack environment. One of the main takeaways was that if, as a CISO, you don’t have the resources to handle the issues discussed, engage trusted partners who do. I’m looking forward to attending next year and learning about more ways US Signal can continue being that trusted partner for our customers.
See US Signal's Data Security page for more information on how we help.