Unlike loss of a physical device, if an attacker breaks into your corporate network, you still have your data after they steal it. It is more important that ever to detect if your company has been broken into by a hacker. This article identifies a number of indicators of compromise activity on a corporate network. It is not an exhaustive list and I will keep adding to this list along with any recommended security measures you can take to detect and prevent activity that could lead to a compromise of your network by attackers.
Logging: When you log, you can detect and identify any unusual activity on your network and on the end points.
Look for logfile line count and log file line length. Have an average baseline of our log file size at a minimum and then trigger alerts when the log size increases or even worse decrease of events that day.
Look for spikes in traffic types (e.g. SSH, FTP, DNS) and baseline the number of events including bandwidth usage
Look for country of origin of IP connection (or by protocol)
Endpoint
Scan for the software/tools listed in “List of Publicly Available Tools used for Attacks” below. These include scanning for non-malicious network utilities like SysInternals and PsTools that are not rated as malicious by AV and others, but good tools for use by an attacker.
Scan for RDP Sessions in HKCV\Software\Microsoft\Windows\Shell\BagMRU and related keys
Scan for remote access services – VNC, RDP
Scan for remote access ports (TCP 3389, RDP or VNC)
Scan for batch files and scripts
Scan for multiple archive files – ZIPs and RARs including encrypted compressed files
Scan for rar/zip file compression in page files and unallocated spaces
Scan for programs run in the AppCompatCache
Scan for sysadmin tools executed such as tlist.exe, local.exe, kill.exe
Scan for files in the root of C:\RECYCLER
Scan for anomalies like abnormal source location or logon time (for example after say 7pm EST) and other time-of-use rules and baselines
Continue reading “Indicators of Compromise List and Recommended Security Measures”
Google Chrome holds a market share of about 25% of the overall web browser market. It is growing faster and gaining more market share by the day than all the browsers out there. Most of these users seek to extend their usage of the Google Chrome browser to their work environment. The reason Internet Explorer is the dominant browser used in most companies is because Microsoft makes it easy to centrally deploy, manage, upgrade, and configure their web browser across a large number of Windows systems in the enterprise.
Global Browser Trend Data as of December 2011
Figure 1: Global Browser Trend Data as of December 2011 from W3Counter.com
Google understands this and released Google Chrome for Business that enables an Enterprise IT department to easily configure and deploy Google Chrome on Windows, Mac, and Linux environments.
From an Information Security perspective, Google Chrome has been shown as the most secure browser with security features like Sandboxing, JIT hardening, ASLR, and DEP protection. You can read the full Accuvant Labs report here (pdf). http://www.accuvant.com/sites/default/files/AccuvantBrowserSecCompar_FINAL.pdf
Results summary from Dec’2011 Accuvant Report around Browser Security
In order to set Google Chrome Security Settings for the Business edition, you need to download couple items first from Google. They include the Google Chrome MSI and the ADM files which we will use to set Security settings for Google Chrome.
Google Chrome MSI and ADM files
Google Chrome for Business is available as an MSI installer package. What this means is that it allows enterprises to centrally roll out and update the browser using Group Policy or any other standard deployment tools to all their managed users.
Step 2: Download the Google Chrome policy templates
The next step is to securely configure Google Chrome. Google provides policy templates, an ADM and an ADMX template. There are templates available for Linux with JSON files and Mac with MCX configuration as well.
Launch Group Policy Editor Start > Run > gpedit.msc
Import the Google Chrome ADM template
Right click on Administrative Templates under Local Computer Policy > Computer Configuration > Administrative Templates
Under Add/Remove Templates, add the chrome.adm file (for Windows in the zip file, it is under Policy Templates > Windows > adm > en-US
Once complete, a Google folder will appear under Administrative Templates
Google Chrome ADM template in Group Policy Editor
Figure 3: Google Chrome ADM template in Group Policy Editor
Google Chrome Security Settings Configuration
The following sections are recommendations for securely configuring Google Chrome for your enterprise. Please make sure to test the recommended configurations and tweak them as appropriate.
Google Update for Enterprise
This enables your enterprise to customize policies for Google update. The recommendation is to enable the Auto-update function in Google Chrome. If this option is not acceptable to your IT department for testing, reporting, or other management reasons, the Auto Update functionality can be disabled and you can follow the normal patch management/deployment cycle.
Now this route probably runs contrary to how you deploy software and OS patches at your company. The reasons are valid where you want to test for patches, assess and prioritize the risk, and roll them out in some fashion. What you may want to keep in mind is that the web browser represents the single greatest threat vector to companies and it may be prudent to update the browser as soon as possible. With that said, the template used: http://dl.google.com/update2/enterprise/GoogleUpdate.adm
Current Settings (Google -> Google Update -> Google Chrome):
Enable the Allow installation option to install Google Chrome updates including security updates using Google Update/Google Installer.
Under “update policy override,” select the Automatic silent updates option where updates are automatically applied when they are found via the periodic update check.
Check for auto updates once every 24 hours or 1440 minutes. Under Preferences, enable the Auto-update check period override and set it to a value of 1440.
Configure the Proxy Server settings. The recommendation is to customize via a .pac proxy script.
Configure Remote Access Options
This option enables remote clients to discover and connect to the user’s machine even if they are separated by a firewall.
Disable the “Enable firewall traversal from remote access host” option.
Content Settings
This section customizes the JavaScript and other content rendering within the Chrome browser.
JavaScript is set to power the future of the web. Leave it to a “not configured” state and let the user choose when they want to deny a particular website from executing JavaScript.
Disable the Default Plugins setting. Customize plugin functionality through an approved whitelist by using the Allow plugins on these sites.
Leave the Default popups setting to “not configured.” This option will enforce the BlockPopups behavior by default and the user will be able to change it.
Enable the Default Geolocation setting and choose the “Ask whenever a site wants to track the user” option.
Google Chrome Frame
Google Chrome frame is not recommended as a secure alternative to render HTML in legacy browsers at this point.
Disable the default HTML renderer for Google Chrome Frame
Disable the Always render the following URL patterns in Google Chrome Frame
Disable the Always render the following URL patterns in the host browser
Default Search
This setting controls the default search provider to be used when a user types text in the omnibox that is not a URL.
There is no recommendation from Security for a default search provider. We recommend leaving it to the user to choose a provider of their choice.
Extensions
This option lets us customize the extensions the user can or cannot install. Make sure that all the extensions if any are approved and have a valid business case at your company. Disable this functionality and whitelist the approved extensions when required.
Enable the Configure extension installation blacklist and choose a value of ‘*’ to blacklist all extensions.
Disable the Configure extension installation whitelist unless there are approved exceptions.
Homepage
There is no recommendation for the default homepage. Users should be given the flexibility to configure it to a homepage of their preference.
Password Manager
Using the default password manager built into Google Chrome is not recommended as a viable password storage mechanism at this point.
Disable the Enable the password manager option to prevent the saving of passwords or using already saved passwords.
Disable the Allow users to show passwords in Password Manager. This prevents the password manager from not showing passwords in clear text in the password manager window.
HTTP Authentication
HTTP supports authentication using the WWW-Authenticate request headers and the Authorization response headers.
Disable the basic access authentication method, which transmits credentials in plaintext to the server or proxy.
Configure the authentication schemes to “digest, ntlm, negotiate.” The default Chrome behavior chooses Negotiate first followed by NTLM and finally the digest mode.
Choose the CNAME lookup option to “not configured” for determining the canonical name of the server via CNAME lookup instead of using the server name.
Choose the authentication server whitelist to “not configured.” With this option, the servers in the Local Machine or Local Intranet security zone are in the permitted list.
Disable the Cross-origin HTTP Basic Auth prompts option. This controls whether third-party sub-content on a page is allowed to pop-up an HTTP basic authentication dialog box. This is disabled as a phishing defense. If a challenge comes from a server outside of the permitted list, the user will need to enter the username and password.
Proxy Server
This section enables us to specify the proxy server used by Google Chrome. Configure it to your current proxy settings. If you are using IE, you can easily replicate those current settings.
Chrome Detailed Security Configuration Settings
Configuration
Setting
Rationale
Allow Google Chrome Frame to handle the listed content types
Disabled
Google Chrome frame is not being presented as a secure option
Allow invocation of file selection dialogs
Not configured
Allow file selection dialogs as normal
Allow running plugins that are outdated
Disabled
Outdated plugins are prevented from running as normal plugins
Enable alternate error pages
Not configured
Enables the use of alternate error pages built into Google Chrome
Always run plugins that require authentication
Disabled
External plugins are disabled unless whitelisted via approved business case
Application locale
Not configured
Defaults to en-US and lets users customize
Enable AutoFill
Disabled
Prevents auto completion of forms using previously stored information such as credit card numbers
Block third party cookies
Not configured
User discretion
Enable bookmark bar
Not configured
User discretion
Clear site data on browser shutdown
Not configured
Preserves site data on browser shut down and user will be able to change it
Enable Google Cloud Print Proxy
Disabled
Prevents the local computer from acting as a proxy to share its local printers with Google Cloud Print
Enable submission of documents to Google Cloud Print
Disabled
Prevents users from submitting print jobs to Google Cloud Print
Set Chrome as Default browser
Not configured
User discretion
Disable Developer Tools
Not configured
Allows access to developer tools and the JS console
Disable support for 3D graphics APIs
Not configured
User discretion
Specify whether the plugin finder should be disabled
Disabled
Prevents search for and installation of non-approved plugins
Disable SPDY protocol
Not configured
Allows usage of SPDY protocol
Specify a list of disabled plugins
Not configured
Setting customized by EnabledPlugins and DisabledPluginsExceptions
Specify a list of plugins that the user can enable or disable
Not configured
Setting customized by EnabledPlugins and DisabledPluginsExceptions
Disable URL protocol schemes
Not configured
All listed protocol schemes are set to be accessible in Chrome
Set disk cache directory
Not configured
User discretion
Set disk cache size in megabytes
Not configured
User discretion
Enable network prediction
Not configured
User discretion
Set download directory
Not configured
User discretion
Enables or disables bookmark editing
Not configured
User discretion
Specify a list of enabled plugins
Disabled
Prevents installation of non-approved plugins
Enterprise web store name
Not configured
Customize to your internal App Store
Enterprise web store URL
Not configured
Customize to your internal App Store
Set Google Chrome Frame user data directory
Disabled
Chrome Frame is disabled
Prevent app promotions from appearing on the new tab page
Enabled
Promotions for Chrome Web Store apps will not appear on the new tab page
Import bookmarks from default browser on first run
Not configured
User discretion
Import browsing history from default browser on first run
Not configured
User discretion
Import of homepage from default browser on first run
Not configured
User discretion
Import saved passwords from default browser on first run
Disabled
Prevents import of saved passwords from current IE browser
Import search engines from default browser on first run
Not configured
User discretion
Incognito mode availability
Disabled
Set to Incognito Mode disabled. This data aids in investigations and forensic analysis if required
Enable instant
Not configured
User discretion
Maximal number of concurrent connections to the proxy server
Not configured
The default value of 32 will be used to specify the max number of simultaneous connections to the proxy
Set media disk cache size
Not configured
User discretion
Enable reporting of usage and crash-related data
Disabled
Prevents reporting of usage and browser crash related data to Google
Enable printing
Not configured
User discretion
Enable safe browsing
Enabled
Enables the safe browsing feature including phishing and malware protection
Disable saving browser history
Disabled
Saves browsing history
Enable search suggestions
Not configured
User discretion
Show Home button on toolbar
Not configured
User discretion
Disable synchronization of data with Google
Enabled
Prevent synchronization of data, for example with Google Docs
It is very important to choose a secure password to help protect your identity and information on the Internet. I previously wrote about strong password suggestions and how easy it is for bad guys and hackers to guess your weak password. In this article, I will walk you through a process on how you can create passwords that are not only secure but more importantly easy to remember. After all, you don’t want to forget your secure password. At the end of every step, I will show you how strong that password is.
Step 1: Choose a passphrase and create a pattern
The first step is to choose a sentence or a line that you know and is easy to remember. For example, I will use a generic sentence “Create a strong password for my bank account“. Now, select the first alphabet from your sentence. This would be
Caspfmba
A weak password with just alphabets
Step 2: Add Numbers
You can choose any combination but I would recommend on choosing the first letter of each word and doing simple substitutions such as 4 for “for”. Doing this substituion, we get
Casp4mba
A better password with numbers
Step 3: Add special characters
The above password is reasonably strong but let us make it better by adding special characters. Special characters are those you get when you press <shift> key plus one of the numbers on your keyboard.
To the password we created above, I will add special characters $ and :
$Casp4mba:
A strong password with numbers and special characters
Step 4: Associate it with a website
Again, there are ways to add more complexity to make it a strong password, but for the sake of remembering a password, choose a pattern and stick with it. You can choose the major words and pick the first alphabet (BoA for Bank of America), choose a website/company’s stock name (amz for Amazon) or some other pattern. But choose one, and stick with it.
For example:
$Casp4mba:BoA for Bank of America
Fb$Caspmba: for Facebook
$Casp4mba:Amz for Amazon
Gm$Casp4mba: for Gmail
Choosing a strong password
Step 5: Final Recommendation
I will recommend choosing three different passphrases. One for generic everyday accounts (e.g. some coupon site), another for more important accounts (e.g. your Gmail account) and finally another for very critical websites (e.g. your bank account).