Cybersecurity Fundamentals

-

 

While some hacks truly are sophisticated, nation-state attacks, many more are the result of simpler exploits or just social engineering. After the details of such a compromise are released, people comment about how organizations should be doing at least the "basics" or "fundamentals." So what are the fundamentals? And at what point do you cross over into intermediate or expert practices?

I have my opinion, but let me first share a couple official lists:

These are great lists but allow me to expand.

Multi-factor Authentication

First up is multi-factor authentication (MFA). Even in 2024, lack of MFA has resulted in account or organization compromise. Take the recent SEC X / Twitter hack -- the US Securities and Exchange Commission had their X account taken over and was used to post false information. While "SIM swapping" also played a role in the hack, had MFA been enabled, the threat actor may have been stopped in their tracks.

Whether it's Google Authenticator, Microsoft Authenticator, Authy, Duo, or countless others -- install an MFA app on your smartphone and use it for every account you can. Better yet, use a YubiKey or other physical token.

Strong (and Unique!) Passwords

I've previous written about how to make a strong password. One word I failed to mention then and will include now is unique. If there is only ever one change you can make to improve your security -- just make every password unique. 

If you have one strong password and use it everywhere, odds are one of those sites are going to be compromised and they're not going to be using the best hashing or storage mechanisms they could be. Ultimately this leads to your unique password being cracked more easily or even worse, in plaintext, out on the Internet despite your best efforts to make a strong password.

Now on to making your password strong -- everything I said in my original post still holds true. You want to make passphrases, not passwords. Or better yet, let a password manager do the work for you. I am a huge fan of 1Password (no I'm not being sponsored or paid by them to say that) but there are several good options out there.

Ultimately with a combination of unique and strong passwords, even if your credentials are compromised, the damage is isolated to that one account.

Keep Your Systems Updated

Keeping systems up-to-date with the latest patches is undoubtedly important. It's especially important if your systems are Internet facing. We're at an age in the Internet where the entire IPv4 space can be scanned in a matter if minutes. Once a vulnerable version of software has an exploit released publicly, hackers can and do perform such Internet-wide scans looking for this vulnerable software to exploit. 

Take this recent emergency directive from CISA regarding a vulnerability in some Ivanti software. In this case, the vulnerability is recognized as being so dangerous (and the ease of quickly detecting it on the Internet) that CISA is requiring US government agencies physically disconnect Ivanti appliances from the network. Similar vulnerabilities are found in many Internet facing resources, often VPN appliances, which highlights the need for regularly monitoring for and installing updates when available. 

The next level of importance is for those systems that aren't exposed to the Internet, but are active on your network. These are also important to keep up-to-date in the event that your network is compromised, any attacker would have fewer options for lateral movement or further exploitation of your systems.

Change Defaults

In a similar fashion to keeping your systems up-to-date, changing default credentials is incredibly important on anything exposed to the Internet, and important on systems throughout your network in general.

Default credentials and configurations are documented by the manufacturer and known by attackers. Leaving a system exposed to the Internet with a username and password of "admin" is a guaranteed way to have your network breached. 

Don't Daily-Drive Administrator

Regardless of environment, you never want your primary account to be an administrator account. Always use a regular, unprivileged account for day-to-day activities, and escalate to an administrator account as needed. 

Operating in this fashion has multiple benefits, the greatest of which is that if malware is executed on your system it has restricted access in what is can do and reach on your network.

Verify Contacts

As mentioned earlier, something that is often the culprit of even high-profile hacks is social engineering. The best way to do this is to verify the identity of who you are dealing with. This is especially true for those that email or call you. Email accounts are frequently compromised and used to impersonate the true owner, and phone numbers are spoofed on caller ID. Not only that, but with answers to basic information about a person, customer support representatives can authorize you as the owner of an account. Just look at some of the recent SIM swapping attacks carried out (including the SEC account hack mentioned earlier) -- they're popular for a reason..

While there are several technical controls to help verify the authenticity of someone emailing you, some of which I've detailed before, there is nothing like picking up the phone and calling a known-good number. This can be true even with senders you frequently converse with. You never know when someone's email account will be compromised.

It's a bit more difficult when you are a company needing to authenticate those that call into your business. Most companies are bad at this, some are abysmal, but just a handful I've come across are pretty good. To be clear, I'm not saying I have the answer that everyone should follow -- far from it. I empathize with the balance between security and ease of customer service for most businesses. Sure, you could make customer verification accurate 99.9999% of the time but introduce a ton of friction on the road to delivering good customer service. 

The best balance I have found is a consumer account that has MFA enabled by default, and then a PIN is provided to the customer once they are logged into that account. When the customer calls into the customer support line, they need that PIN.

Comments

Post a Comment

Popular Posts

Hashcat - Cracking MD5 and NTLM Hashes

-
Image
Today we'll be exploring Hashcat -- "the world’s fastest and most advanced password recovery utility". This, along with similar tools, should be used only for password recovery, pentest engagements, CTFs, etc and never for illegal purposes. I could write an entire series about the capabilities Hashcat provides, but we will cover a few basic examples for now ( besides, Hashcat does a pretty good job of that themselves ): Crack MD5 hashes using the rockyou.txt wordlist. Crack NTLM hashes using the rockyou.txt wordlist. Crack NTLM hashes using a mask attack (modified brute force). I'll be using Kali Linux as Hashcat comes pre-installed, but Hashcat can run on Windows, macOS, and other Linux distributions as well. As you'll see, I'll be using some lists of hashes I made previously. Tools to generate hashes using dozens of algorithms are available online -- just save the output as a text file if you want to follow along. Cracking MD5 Hashes Using rockyou.txt Wordl
Read more

Configuring Secure Ciphers Suites and TLS

-
Image
Hey everyone, today we're back on cipher suites. If you want a refresher of TLS and secure cipher suites overall, check out my previous post . There are many instances in which you'll need to edit cipher suites on a system -- compliance efforts, CIS benchmarks, or simply ensuring your system doesn't use insecure suites. There are a few ways to go about this and I'll detail two of them now: IIS Crypto and the Windows registry. IIS Crypto My favorite way of editing TLS versions and cipher suites is using IIS Crypto . IIS Crypto allows you to select your desired TLS/SSL version, cipher suites, and backup the registry, all with a few mouse clicks. Only downside is that it's Windows only (even the command line version). This is what IIS Crypto will look like on an unmodified Windows 10 system. Note the separate  Server Protocols  and  Client Protocols  sections. These are important to keep straight depending on what system is listening for connections and what system is
Read more

Configuring SSH Key Based Authentication

-
Image
Overview Most personal computers and many organizations running Linux servers utilize password-based authentication. This is what most of us are used to -- you enter a username and password in order to authenticate your account and gain access to a system. While straightforward and commonplace, this isn't the best solution in most cases. Today I'll be explaining why key based authentication is more convenient, more secure, and allows for automation of tasks without saving credentials in plain-text in a text file. Key based authentication involves the use of private and public keys ( public-key cryptography ). The private key is stored on the client and the public key is stored on the server in a special file ( ~/.ssh/authorized_keys ). This allows any system with the corresponding private key to login to the server where we just stored the public key. Our steps are: Generate key pair (public / private key). Transfer public key and add it to the authorized_keys file on the remot
Read more