Badger InfoSec

Musings of a Badger.

We learn. We Share. You Benefit.

DO THIS NOW! Change Your DNS Resolver

2/21/2019

Using Domain Name Address Resolution to Add a Layer of Security

Shawn Scott, CISSP
President, Badger Infosec, LLC
Welcome back to the second installment of our “DO THIS NOW!” series, in which we offer simple, low-to-no-cost steps you can take to improve your personal or business cyber security. Today’s topic sounds wonky and technical, but it is really quite a simple concept. Bottom line up front: you can use free or low-cost services to help prevent you (or your family, or your employees) from inadvertently browsing to malicious websites. These same services can also limit your children’s access to sites you deem inappropriate. Quick disclaimer: the tools we describe today should be one layer in your cyber security efforts. They are not a magic bullet, and they don’t absolve you of the need for vigilance against phishing or other attacks.

Some Book Learnin’

If you already understand how the Domain Name System (DNS) works, feel free to skip ahead. If not, it’s time for a little primer that begins with a simple analogy. You want to send a birthday card to your Aunt Sally in Wisconsin. If you just wrote “Aunt Sally in Wisconsin” on the envelope, the Postal Service would be unable to deliver your card. The postal system doesn’t work based on names – it works based on addresses. You don’t have Aunt Sally’s address memorized, so you consult an address book and get her address. You drop the card in the mail, and within a few days it brings a smile to her face.

The internet works in a very similar fashion. I may want to go to badgerinfosec.com – but that is just a name, and by itself it won’t get my browser where I want to go. I need to consult an address book to get the actual address for my browser to visit. When you type “badgerinfosec.com” into your browser and hit enter, your browser consults an address book for you. That address book is called a “DNS resolver”: a server that looks up the name you provided and returns the “real” address. In geek speak, this is called the “IP address”, and it looks something like “129.42.38.10”. You usually never see this address – the browser takes care of translating the website name and initiating the actual website request behind the scenes.

An Opportunity for Defense

This system presents an opportunity to shim in a layer of security. Most, but not all, malicious links you receive in a phishing email are names for the evil site – not the actual IP address. If you click on one of these links, your browser must perform a DNS lookup to get the address, just like for any other name. If you are using your Internet Service Provider’s (ISP’s) DNS resolver, you will likely get back the malicious IP and be off to frolic in the land of evil. But what if you used a different DNS resolver? What if you chose one that doesn’t just blindly hand out IP addresses, but one which tracks known evil sites and refuses to send their IP address back to you?

That is exactly what “filtering” DNS resolvers such as OpenDNS, Quad9 and CleanBrowsing do. If your browser requests a name translation for a known evil site, they refuse to give you the address. Instead, they send you someplace that explains you are courting evil…or at least going someplace you might not want to be.

Villains create thousands of new domain names daily, and it takes time for the evil to be detected and blocked – so these solutions aren’t going to protect you from everything. But some security is better than no security, which may be what you currently have with your ISP’s default DNS resolver.

Some of these filtering DNS resolvers (e.g. OpenDNS, CleanBrowsing) offer options that can help block unwanted content such as adult sites. The level of control you get depends on whether you want to drop real coin, but the free options are good. Do some googling of the options, decide what works best for you, and then get the IP addresses for those resolvers (primary and secondary). NOTE: If you choose a paid option, you will likely have to establish an account and may have to perform additional configuration beyond the scope of this article.
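
The lookup and the two kinds of answer described above, carried through as an added example (this is not code from the original post). It builds the A query a browser sends for badgerinfosec.com and decodes two constructed resolver replies: an ordinary answer carrying the article’s example address 129.42.38.10, and a refusal. Treating the refusal as an NXDOMAIN response is an assumption; resolvers that instead answer with their own block-page address show up here as “resolved to” that address.

```python
import struct

A_RECORD = 1          # query type: IPv4 address
IN_CLASS = 1          # Internet class
RCODE_NXDOMAIN = 3    # "no such name"; assumed here as the filtering resolver's refusal


def encode_name(name: str) -> bytes:
    """'badgerinfosec.com' -> length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """The lookup a browser sends: 12-byte header (RD flag set) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", A_RECORD, IN_CLASS)


def skip_name(msg: bytes, off: int) -> int:
    """Advance past a name (plain labels or a 2-byte compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> dict:
    """Return the transaction id, response code and any IPv4 answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                 # skip the echoed question(s)
        off = skip_name(msg, off) + 4   # +4: qtype and qclass
    addresses = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == A_RECORD and rdlen == 4:
            addresses.append(".".join(str(b) for b in rdata))
    return {"txid": txid, "rcode": flags & 0x000F, "addresses": addresses}


def classify(resp: dict) -> str:
    """Describe the answer. Some filtering resolvers return the address of their
    own block page instead of NXDOMAIN; compare the returned address against the
    resolver's documented block-page address to tell the two cases apart."""
    if resp["rcode"] == RCODE_NXDOMAIN:
        return "refused: no address returned"
    if resp["addresses"]:
        return "resolved to " + ", ".join(resp["addresses"])
    return "no answer (rcode %d)" % resp["rcode"]


def make_answer(query: bytes, ip: str) -> bytes:
    """Constructed resolver reply: echo the question, add one A record (TTL 300)."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    rr = b"\xC0\x0C" + struct.pack("!HHIH", A_RECORD, IN_CLASS, 300, 4)
    return header + query[12:] + rr + bytes(int(x) for x in ip.split("."))


def make_nxdomain(query: bytes) -> bytes:
    """Constructed reply with rcode 3 (NXDOMAIN) and an empty answer section."""
    return query[:2] + struct.pack("!HHHHH", 0x8183, 1, 0, 0, 0) + query[12:]


if __name__ == "__main__":
    q = build_query("badgerinfosec.com")
    print(classify(parse_response(make_answer(q, "129.42.38.10"))))  # resolved to 129.42.38.10
    print(classify(parse_response(make_nxdomain(q))))                # refused: no address returned
```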

One note of caution: Some of these services may break your ability to use a Virtual Private Network (VPN). But it is fairly painless to change resolvers on your local machine, allowing you to use a less restrictive resolver whenever needed.

Implementation

The most effective way to protect all the devices connected in your home is to configure the DNS resolver settings on your ISP-provided modem/router. We are going to use a web browser to connect to that small blinky box that your ISP deposited in your home. There are thousands of varieties of router out there, but for most, it is a similar process – and I promise, it’s not hard. This journey may take you to some unfamiliar places, but they are not scary! That being said: You can take down your internet connection by monkeying with the wrong things in your router – so take your time and be sure you are in the right place before making changes. Before you change anything, write down the original values. You always want to be able to undo what you have done. But here we go:

1. The first thing you will need to do is to access the router’s web-based dashboard. Connect to your home network, open a browser, and enter – wait for it – an IP address. Which IP address? Chances are, one of the following six will get you to the dashboard. Try them in this order:

- 192.168.0.1, 192.168.1.1 or 192.168.2.1
- 10.0.0.1, 10.0.1.1 or 10.1.1.1

When you type the IP address into your browser, manually type http:// before the address. Many modern browsers default to https:// (note the “s”), but most home routers don’t support encrypted communications.

Once you hit enter, expect to get some sort of warning that your connection isn’t secure – but it’s OK, I promise. You may need to select a button like “Advanced” in Chrome in order to proceed.

If the above IP address options don’t work for you, you can determine your router’s IP address by getting your hands a little dirty in the command line. In your Windows search bar, type “cmd” (no quotes) and hit enter. Once the command prompt appears (black window, white letters), type:

ipconfig | findstr /i "Gateway"

That vertical symbol between "ipconfig" and "findstr" is called the pipe symbol, and you will likely find it just above your Enter key. The output line labeled “Default Gateway” shows the IP address you need.
2. Once you are at the web interface, you will need to log in. Hopefully you know your credentials, because you changed them and securely stored them when you first got the router. If not, try looking for a sticker on the device. If you are still stuck, try googling your router’s model number with the search term “default password.”

3. CAUTION: Do not get confused if you see a link to a setting for “Dynamic DNS.” This is NOT what you are looking for – stay away! This is not the DNS you are looking for!

4. Now here is the part where you need to do some exploring – or perhaps googling by your router’s model number. Seriously, if you are at all uncomfortable with where this is going, do a two-word Google search: “OpenDNS” and “<YOUR ROUTER’S MODEL NUMBER>”.

5. You are looking for the section that allows you to enter the IP addresses of the DNS resolver you have chosen. Some clues to aid your search:
  • On many home routers, you will find these under ADVANCED SETTINGS > WAN SETTINGS. 
  • The language used to describe the setting will vary, but it will almost always have a place to enter two IP addresses – one primary and one secondary. You can use the same address for both.
  • If you see options for IPv4 and IPv6, choose IPv4.
  • The fields may be labeled “DNS 1” and “DNS 2.”
  • If you have an option to select DNS type, choose “Static DNS.”

Once again, your router will likely be different from mine, but here is a sample walkthrough for configuring a home router to use OpenDNS FamilyShield, which has a primary IP address of 208.67.222.123 and a secondary of 208.67.220.123 (note the difference of 222 vs. 220):

After you log in, go to the Advanced Setup feature.

Look for WAN Settings, and any sub-menus with “WAN” in the title. CAUTION: Avoid the “Dynamic DNS” area – on my router it appears just below where you really want to be.

I ensured that “Static DNS” was chosen, and entered the primary and secondary IP addresses for OpenDNS FamilyShield.

After that, look for some sort of “Apply” or “Save” button near the bottom of the page. Your router may reboot, and if so, you may temporarily be kicked off the network. No worries – you just added a layer of security to your life – small price to pay.

And that’s all, folks. You now have an additional layer of security, and all it took was a little tooling around in a browser. Thanks for taking the time to read our second installment – and please continue to check back for future tips and guides. Want to receive notifications of new articles? Drop us a line at info@badgerinfosec.com.

Huzzah!

DO THIS NOW! Password Vaults

1/4/2019

Simple Tools to Mitigate the Human Weaknesses in Password-Based Authentication

Shawn Scott, CISSP
President, Badger Infosec, LLC


In my last article on “Effects-Based Cyber Security,” I discussed the need to seek value when implementing defensive measures. There are many valid use cases for high-end tech solutions such as next-gen firewalls, software-based networking and rigorous network monitoring with SIEMs. But unfortunately, it is more often the failure to get the basics of “cyber hygiene” right that makes attackers’ jobs easy. This article is the first in a series called “DO THIS NOW!” in which I will discuss how relatively simple solutions can dramatically improve cyber hygiene, both for organizations and individuals. A tip of the cap to my inspiration for this series, Brian Johnson of 7 Minute Security, who is a true evangelist for “getting the basics right.”

YOU ARE NOT RAIN MAN.
For the foreseeable future, usernames and passwords will continue to be the most widespread method of identification and authentication. While there are certainly much more secure methods, the real weakness in the username/password paradigm is in how we humans use them. We all know that we should be using long, complex passwords, and we know that we should be using unique passwords for every account. But let’s face it – most of us aren’t Rain Man, and thus we choose poor password complexity and tend to re-use those poor passwords for multiple accounts. Password vaults, such as LastPass, Dashlane and Keeper, help mitigate the inherent weaknesses in the username/password paradigm by making it easy to use long, complex passwords and by taking away the incentive to re-use them on multiple accounts.

LENGTH AND COMPLEXITY MATTER
It’s worth taking a moment to review why password length and complexity are so important, and why password re-use is so very, very bad. When you create a username and password combination, the server responsible for performing the authentication does not store the password itself; it stores a one-way transformation of it called a “hash.” When you authenticate, the application you use takes the password you enter and performs the same hashing operation, and then the server compares the two hashes. If the hashes match, you are granted access.

When attackers steal the credentials list from a server, they normally only obtain the hashes of passwords – not the passwords themselves. To “crack” a password, the attacker needs to determine what character string, when passed through the hashing algorithm, will produce the matching hash. The two primary methods to crack passwords are brute-force and dictionary attacks. In a brute-force attack, the cracking computer tries every combination of all letters, numbers and special characters. Each combination is put through the hashing algorithm and compared against the list of hashes. Even when using all character varieties, cracking a password of seven characters or fewer is trivial for modern desktop computers. But each additional character dramatically increases the number of possible combinations, especially if the password uses the full character set.

Dictionary attacks play upon our tendency to pick passwords that are combinations of words or variations thereof. The cracking machine simply tries combinations of all the words in a dictionary file, often “mangling” them to overcome common practices like substituting “@” for “a” and “!” for “I.”

So how much length and complexity is enough? Ideally, the answer is “as long and complex as the site will allow.” Advances in cloud computing have made it inexpensive for attackers to rent incredibly powerful hash-cracking beasts. A physical computer that would cost over $20,000 to purchase can be had for $7.20 an hour in Amazon’s EC2 cloud.  So you create an incredible password for your bank account, something like “d8$k24Vs(&3i90q0i6%x7?jsq1wn^DP7Qe2.” You even manage to memorize this thing of beauty. But that was hard, and you are not Rain Man. So you re-use this password when you create your account at redneckbaitshop.com.

Bubba, the proprietor and chief worm farmer at redneckbaitshop.com, decided to build his own e-commerce site, and he stores all credentials without encryption. Not surprisingly, redneckbaitshop.com is hacked and attackers steal the credentials list. Within minutes, the attackers are trying every username and password combination on all the major banking sites – including yours. That beautiful password you created is now used against you to drain your life savings.
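
The hash-and-compare login check and the brute-force arithmetic described above, carried through as an added example (this is not code from the original article). PBKDF2-HMAC-SHA256 as the stored hash, the iteration count and the 10^10 guesses-per-second attacker rate are assumptions made for illustration; the seven-character password is constructed, the other two are the article’s own examples.

```python
import hashlib
import hmac
import os
import string
from typing import Optional, Tuple

ITERATIONS = 200_000          # PBKDF2 work factor (assumed value for the example)
GUESSES_PER_SECOND = 10**10   # assumed attacker hash rate, a round illustrative figure


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """What a well-run site stores: (salt, digest), never the password itself.
    A per-user random salt makes the same password hash differently at every site."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, stored: bytes) -> bool:
    """The login step from the article: hash what the user typed the same way,
    then compare digests (in constant time, so timing leaks nothing)."""
    _, digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, stored)


def charset_size(password: str) -> int:
    """Size of the character classes an exhaustive search must assume were used."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(c) for c in classes if any(ch in c for ch in password))


def keyspace(password: str) -> int:
    """Candidates a brute force must cover in the worst case: charset ** length."""
    return charset_size(password) ** len(password)


def years_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return keyspace(password) / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    # A constructed seven-character password (the case the article calls trivial),
    # followed by the two passwords the article uses as examples.
    for pw in ("Ab1!xyz", "d8$k24Vs(&3i90q0i6%x7?jsq1wn^DP7Qe2", "n3v3reatradishn@ch0s1nbed"):
        print(f"{len(pw):2d} chars, charset {charset_size(pw):2d}: "
              f"{years_to_exhaust(pw):.3g} years to exhaust")

    salt, stored = hash_password("n3v3reatradishn@ch0s1nbed")
    print(verify_password("n3v3reatradishn@ch0s1nbed", salt, stored))  # True
    print(verify_password("n3v3reatradishn@ch0s1nbeD", salt, stored))  # False
```

Seven characters from the full set come out at a fraction of a day; each character added multiplies that by the charset size, which is the article’s point about length.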

PASSWORD VAULTS FTW!
So what is a password vault, and how does it help? These services act as a secure repository for all your credentials. Generally, they operate as a plug-in to your web browser or a separate application on your mobile device. You sign in to your vault using a single password – and this is the only password you must remember. When you navigate to a site requiring a login, the password vault can usually auto-fill your credentials. Most will recognize when you enter credentials that are not already stored in the vault – then offer to add them for future use with a single click. When creating a new password, most will generate a very complex and very long password for you and store it automatically. By making the generation and storage of strong passwords easy, these programs eliminate the human tendencies that incentivize weak passwords and password re-use.

As a general rule of thumb, sharing passwords is a bad idea because it makes attribution difficult. If more than one person is using the same credentials, how do we know who to blame if the account is used inappropriately? But in the real world, there are times when we need to share passwords both in our personal and professional lives. Family and Enterprise versions of password vaults enable you to easily share passwords. You can also designate an emergency contact, who can apply to receive access to all your credentials (shared and non-shared) in the event you are incapacitated. A few years ago, my father passed away and I was named the executor. I spent countless hours in that first hectic week simply gaining access to the accounts needed to make final arrangements. I sleep much more soundly at night knowing that when the inevitable happens, my loved ones will not have to endure the same experience.

Most of these applications can store much more than just usernames and passwords. Securely store family social security numbers, bank account numbers, home alarm safe words, or just about anything else. Some, such as LastPass, allow you to securely store documents such as birth and marriage certificates.

BUT ARE THEY SECURE?
Password vaults can make our lives convenient and give us comfort in our personal lives, but are they secure? Trusting a company with all your credentials can seem pretty scary – especially to those of us who understand that there is no such thing as a perfectly secure application. Yes, there is risk in using a password vault. Even some of the larger and more well-regarded password vaults have had security incidents. For me, it is about managing risk. I believe that for the vast majority of people, the risks in using a password vault are much less dangerous than the alternative.

You can also increase the security of this solution by applying some of the same common-sense principles that you should be using elsewhere in your life. First, make sure that you choose a very long master passphrase (20+ characters) that has some complexity. It doesn’t need to look like “d8$k24Vs(&3i90q0i6%x7?jsq1wn^DP7Qe2.” Something like “n3v3reatradishn@ch0s1nbed” (never eat radish nachos in bed) provides a reasonable balance of length and complexity with the human need to remember it. Second, only choose a vault that supports two-factor authentication. In the event your master passphrase is compromised, this will at least make it more difficult for an attacker to log in to your account. Ensure that you have screen lock timers set for all your devices, and lock your devices manually when leaving them unattended. As you add passwords to your password manager, use the opportunity to change them. Storing your passwords securely doesn’t mitigate the dangers of password re-use!

DO THIS NOW!
So which solution should you choose? I’m not going to endorse a single product, but you should choose an industry leader that has been strongly scrutinized by the security community. Your solution should perform all encryption and decryption on your device; unencrypted data should never be visible to the solution provider. The encryption algorithm should be strong, such as AES-256. LastPass, Dashlane and Keeper are but a few of the good choices available.
There are free options available, but you should expect to pay a few bucks a month for some premium features such as password sharing. Securely storing your passwords is one of the most important things you can do in your digital life, so consider it money well spent, and DO THIS NOW!

Effects-based cyber security

12/15/2018

A Strategic Approach to Implementing and Maintaining Your Cyber Security Program
Shawn Scott, CISSP
President, Badger Infosec, LLC


During the first Gulf War, the doctrine of Effects-Based Operations rose to prominence among military strategists – and has remained a key component of doctrine to this day. The concept is relatively simple: all tactical operations should be deliberately planned to support the broader desired effects that we wish to impose on the battlespace. In turn, these effects should support movement towards a desired end-state, or more simply, “what we want things to look like once the shooting stops.” The creator of the effects-based strategy, Lt General David A. Deptula, explained the benefits of this approach in a speech marking the tenth anniversary of the Gulf War air campaign: "If we focus on effects, the end of strategy, rather than force-on-force, the traditional means to achieve it militarily, that enables us to consider different and perhaps more effective ways to accomplish the same goal quicker than in the past, with fewer resources and most importantly with fewer casualties."

There are many analogies between the never-ending battle against cyber adversaries and the battles fought by our nations’ militaries. Just as in military operations, our cyber security efforts should seek to accomplish our goals more quickly, using fewer resources and with fewer incidents. When taking an effects-based approach to cyber security, we must begin by defining the desired end-state. What are the characteristics of a more mature cyber security posture? I offer that the goals of any cyber security program must include the following:
  1. Greater visibility. You must have visibility into the vulnerabilities that provide vectors for adversary attacks on the organization. You can’t mitigate vulnerabilities that you don’t know exist.
  2. Greater understanding of the risks those vulnerabilities pose to core business functions. Quantifying risk is an inherently subjective task. Dr. Eric Cole offers an equation for calculating cyber risk: Risk = Threats x Vulnerabilities. But this is still a qualitative method, as threats are scored by perceived likelihood, and vulnerabilities are scored by perceived impacts. However, we should not “let the perfect be the enemy of the good.” Something is better than nothing, and prioritization of risk is a pre-requisite to effective resource allocation.
  3. A robust strategic plan to mitigate cyber risk. Very few organizations have the resources (or the will) to dramatically improve the maturity of their cyber security program in the short term. Communications infrastructures are a complex patchwork with countless interdependencies that represent years of investment. You can’t just wipe the slate clean and start over from scratch to build a perfectly secure environment. And even if that were possible, the threat environment would change tomorrow. In our desired end-state, planning and budgeting for cyber security is a normalized and repeatable process on par with any other cost center. Analysis of cyber security impacts is part of the risk analysis process for any new service.
With an understanding of what we want the end-state to look like, we can identify the “tactical” actions that we can perform to support these strategic objectives. Our tactical actions should build upon previous actions, and set the stage for what is to come – so I offer this loose order of implementation:
  1. Pick a framework. Security is hard enough without re-inventing the wheel. A framework will provide a structured method for assessments and help prioritize your remediation efforts. There are numerous good frameworks available, and the one that is right for your organization is a function of your regulatory requirements, your industry vertical and organizational characteristics. For the small to medium-sized businesses I primarily work with, the Center for Internet Security’s 20 Critical Controls (CIS 20) is often a good fit. If you do business with the U.S. government, NIST SP 800-53 may be a better (though more complex) option. Some frameworks are mandated by regulation or industry standards, such as PCI-DSS. However, most of these frameworks easily map to each other, and if you secure your organization with a comprehensive framework such as CIS 20, compliance with regulatory frameworks will be much easier.
  2. Empower someone to take charge of your program. While this person should be technically savvy, uber-geek status is not required. Managerial and planning skills are more important. Train them in cyber security management rather than technical competencies. I recommend they at least attend some of the courses in the management track offered by the SANS Institute (https://www.sans.org/curricula/management). These courses are not cheap but are a worthwhile investment if you don’t already have a qualified manager on hand.
  3. Perform a comprehensive vulnerability assessment to establish a baseline. Do not be fooled by the “$1000 specials” being offered by managed service providers (MSPs) or security solution vendors. These are simply marketing ploys to set up the sale of their services. Your assessment should be as objective as possible, and for that reason, it shouldn’t be performed by an in-house team unless that team 1) was not responsible for creating or maintaining the environment they are assessing, and 2) is fully qualified based on both experience and credentials. Many of our clients are finding that prospective B2B partners are requesting to review past audits and assessments as a normal part of discovery prior to entering into contractual relationships. A professionally-performed third-party assessment may become an asset to your bottom line.
  4. Make cyber security a separate line-item in your budget, distinct from information technology. You don’t steal from funds dedicated for building maintenance to pay for your physical security (alarms, guards, etc.). How much is the right level? Resist the temptation to Google for rules-of-thumb, especially while your program is still immature. The “right” amount will depend on your existing risk exposure and be weighed against competing interests in your organization. Having a solid risk assessment will help your Chief Risk Officer (or whomever performs that function) make informed input to the overall corporate budgeting effort. FOOT STOMPER: Understand the total life-cycle costs of proper implementation of any solutions you choose. Here’s another military analogy for you: Why are all the high-tech weapons that we have given to the Iraqi and Afghan militaries rusting away and falling apart? Because there was no proper plan in place to sustain them. Even the slickest security solutions need properly trained people to operate and tune them. A flashy new Security Information and Event Management (SIEM) solution will do you no good if you don’t also invest in the people needed to use it effectively.
  5. Seek value. Remember when I said earlier, “Don’t let the perfect be the enemy of the good?” Chances are, reconfiguration of security or IT solutions that are already in place (paid for!) can move the needle on your overall cyber security posture. You don’t need to wait for next year’s budget to implement mitigations. You don’t need to re-architect your environment for software-defined networking to make it harder for attackers to move laterally in your network; basic segmentation through VLANs can almost certainly be performed with your existing hardware. Working with a security consultant can help you identify where “low hanging fruit” exists in your environment. Taking advantage of these easy-pickings can be an attractive bridge to more long-term solutions.
  6. Score yourself (or have someone score you). Adopt a maturity model to enable easier communication of your current security state and future goals. Even a relatively “simple” framework like the CIS 20 is too granular for C-level (or Board) consumption. A maturity model can provide a much more effective and high-level yardstick that can help drive buy-in from resource decision makers. But remember – a maturity model is a tool to help drive continuous improvement, and not an end-in-itself. Don’t create an environment where the disincentives for honest assessment encourage pencil-whipping. There are many available models to choose from – some designed by government agencies and some by private organizations. Once again, work with a security professional to choose the model best suited to your environment.
Conclusion

I’ll conclude with one last analogy to military doctrine. After September 11, 2001, the U.S. and its allies embarked on a major expedition which sought to rapidly eradicate terrorist forces from large swaths of the Middle East and Southwestern Asia. But by 2008, the prospects of quick victory with a return to a pre-9/11 world had vanished. Military and national security thinkers began to view the roots of terrorism in more broad socioeconomic and political terms, with endemic poverty and instability creating fertile soil for anti-western ideologies. The logical conclusion of this line of thinking is that radicalism will be with us for the indefinite future. Thus, our efforts to combat it must be strategic and sustained – because the adversary isn’t going away.

The roots of cyber threats lie in the innate human trait of greed, and so we should expect these threats to be with us indefinitely. We must accept these threats as part of the enduring environment in which our organizations operate. Like any other enduring environmental factor, we must make threat management a continuous business process. By adopting an effects-based cyber security strategy, your organization can address these persistent challenges in an organized manner that will reduce your long-term risk.


    Author

    Shawn Scott is a veteran of both cyber and combat military operations. He currently leads Badger Infosec, where he specializes in assisting organizations adopt strategic and sustainable approaches to cyber security.
