ToGo https://togosystems.com – Trusted partner in delivering Services for IT Security and Network Infrastructure

Security – The macro-less malware attacks
https://togosystems.com/security-the-macro-less-malware-attacks/
Sun, 07 Jan 2018 08:14:54 +0000

Recent research from Sophos describes a method attackers are using to run malicious code from Microsoft Office documents without any macros. The new wave of malware uses Word, Excel and other Office files that embed a field code abusing the Dynamic Data Exchange (DDE) protocol, a Windows mechanism for sending messages and sharing data between applications, to launch a program of the attacker's choosing.

What is the DDE protocol?

Windows provides several methods for transferring data between applications. One of them is the Dynamic Data Exchange (DDE) protocol, a set of messages and guidelines that lets applications sharing data send messages to each other, using shared memory for the data itself. Applications can use DDE for one-time transfers and for continuous exchanges in which they send each other updates as new data becomes available. Office documents can reference a DDE source through a field code; the problem is that the field names the application Word should start, so a document can name cmd.exe or PowerShell instead of a spreadsheet.

A common example is a document containing links to data held in other sources. Opening such a document triggers none of the macro security warnings users have been trained to look for. Users are simply asked whether to update the document's links, and then whether to start the application the link refers to (the malware, or a downloader for it). In some variants that last prompt can be eliminated altogether. This is not new; the technique was publicly documented and abused quite some time ago.

Microsoft's position is that DDE is a feature rather than a vulnerability, so its advisory (linked below) offers configuration mitigations, including registry settings that stop links updating automatically, rather than a classic security fix; Microsoft later shipped an Office update that disables DDE in Word by default.
The first warning message, shown when a document contains DDE links. Clicking “No” stops the update and prevents the attack.

Not all files that use DDE are malicious, and the tricky part is having clear visibility of which ones are. When the user clicks “Yes” in the first dialog, Word opens a second dialog warning that a command is about to be run.

The second warning message, shown just before execution of the command that may launch the malware.

As the file contains no macros, traditional signature-based anti-virus is unlikely to detect or alert on it: the malicious field code looks like ordinary document content unless the scanner parses the document's fields.
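One way to get that visibility is to parse the document's field codes directly. The following is an added example, not code from the original post or from Sophos: it unpacks a .docx (a zip of XML parts), reassembles every field code, and reports those starting with DDE or DDEAUTO. The two sample documents are constructed in memory, and the cmd.exe command line in the malicious one is a hypothetical placeholder.

```python
"""Find DDE / DDEAUTO field codes inside .docx files (added example)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def w(tag):
    """Qualified WordprocessingML tag name."""
    return "{%s}%s" % (W_NS, tag)


# A field code that starts with DDE or DDEAUTO tells Word to start the named
# application when links are updated. Field codes built with the QUOTE trick
# (character codes that evaluate to "DDE") are not decoded here.
DDE_RE = re.compile(r"^\s*DDE(AUTO)?\b", re.IGNORECASE)


def field_codes(xml_bytes):
    """Return every field instruction in one WordprocessingML part.

    Simple fields carry the code in <w:fldSimple w:instr="...">. Complex
    fields spread it over several <w:instrText> runs between a fldChar
    'begin' and 'end'; malicious documents split "DD" / "EAUTO" across runs
    so that a naive grep of document.xml sees nothing, so the runs are
    concatenated before matching.
    """
    root = ET.fromstring(xml_bytes)
    codes, current = [], None
    for el in root.iter():
        if el.tag == w("fldSimple"):
            instr = el.get(w("instr"))
            if instr:
                codes.append(instr)
        elif el.tag == w("fldChar"):
            kind = el.get(w("fldCharType"))
            if kind == "begin":
                current = []
            elif kind == "end" and current is not None:
                codes.append("".join(current))
                current = None
        elif el.tag == w("instrText") and current is not None:
            current.append(el.text or "")
    return codes


def scan_docx(data):
    """Return the DDE field codes found in a .docx given as bytes."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            # Fields can sit in the body, headers, footers or footnotes.
            if name.startswith("word/") and name.endswith(".xml"):
                try:
                    codes = field_codes(zf.read(name))
                except ET.ParseError:
                    continue
                hits.extend(c for c in codes if DDE_RE.search(c))
    return hits


def build_docx(body_xml):
    """Build a minimal .docx in memory (constructed test fixture)."""
    doc = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>'
           % (W_NS, body_xml))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()


# Constructed samples: one document with the field code split across runs
# (hypothetical command line), one with an ordinary DATE field.
MALICIOUS_DOCX = build_docx(
    '<w:p>'
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText>DD</w:instrText></w:r>'
    r'<w:r><w:instrText>EAUTO c:\\windows\\system32\\cmd.exe "/k echo hello"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>Loading...</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    '</w:p>'
)
BENIGN_DOCX = build_docx(
    '<w:p><w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; ">'
    '<w:r><w:t>7 January 2018</w:t></w:r></w:fldSimple></w:p>'
)

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_DOCX), ("benign", BENIGN_DOCX)):
        print(label, scan_docx(doc))
```

Run it on a real attachment with `scan_docx(open(path, "rb").read())`. The point of concatenating the instrText runs is that the split-run trick defeats simple string searches of the unzipped XML; a mail gateway rule that only greps for "DDEAUTO" can be bypassed the same way.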

Microsoft's recommendation

In Security Advisory 4053440, Microsoft describes scenarios in which the feature can be abused and gives advice on how to configure DDE.

“In an email attack scenario, an attacker could leverage the DDE protocol by sending a specially crafted file to the user and then convincing the user to open the file, typically by way of an enticement in an email. The attacker would have to convince the user to disable Protected Mode and click through one or more additional prompts. As email attachments are a primary method an attacker could use to spread malware, Microsoft strongly recommends that customers exercise caution when opening suspicious file attachments.”

You can find the complete advisory note here:

https://technet.microsoft.com/library/security/4053440

Keeping systems up to date, using a good firewall and adding other layers of defence will always help against advanced malware that abuses this feature, but they do not replace the user's own caution at the prompt.

The emails

Many malicious spam campaigns using DDE have been observed recently (Hancitor among them). These campaigns previously delivered documents with malicious macros; they switched to macro-less DDE documents to bypass defences tuned for macros. DDE attacks are no more effective than macro-based ones, but they open a new avenue for attackers.

Mail protection gateways can help identify and block both macro-based and DDE-based attachments. You can also neuter DDE attacks embedded directly in email bodies (Outlook uses Word to render rich messages, so the field can sit in the message itself) by viewing all your messages in plain text, regardless of the format they were sent in.

Note, however, that this disables all formatting, colours and images in all messages, including those sent in the popular HTML email format. Some messages will be harder to read and you may not see content the sender expects you to see.

Just Say “No”

Of all the prevention and blocking mechanisms, the most efficient is simply clicking “No” when the warning dialog appears. It may look silly, but good training and user awareness of suspicious emails can bring great results. If you are not 100% sure about the authenticity of the sender, you have good reason not to open the file. If you have already opened the file and are not sure why it asks to update links or run a command, just click “No”.

Security – General Data Protection Regulation (GDPR)
https://togosystems.com/security-general-data-protection-regulation-gdpr/
Sun, 07 Jan 2018 06:33:14 +0000

GDPR – General Data Protection Regulation – the European Union's new data privacy legislation

You have probably heard about the GDPR in the news or in discussions with compliance teams. After four years of discussion and preparation, the regulation takes effect on 25 May 2018 for all companies that operate in EU territory; it will also trigger changes in markets around the world.

Europe is an important market for big, medium and even small companies. The new data privacy requirements must be followed by all of them, regardless of size or category. If you do any business anywhere in Europe, you should be careful about how you handle data from your customers, users, partners and employees.

Differences from previous legislation

The GDPR replaces the Data Protection Directive of 1995 (95/46/EC). The new regulation is designed to harmonise data privacy law across Europe and is much more straightforward than its predecessor. The main changes concern scope, penalties and consent; the data subject's rights are also described, together with a clear description of the obligations of data processors and controllers.

There are three items that require special attention:

Management of providers – Third-party providers (processors) are also subject to the regulation. Every change, manipulation, transfer to or receipt of data from these providers must be governed and recorded by the data controller.

Notification of breaches – A personal data breach must be reported to the supervisory authority within 72 hours of the controller becoming aware of it, and the affected individuals must be notified when the breach is likely to put them at high risk; there is a specific process to follow.

Privacy by Design – Privacy by design has existed as a concept for years, but it only becomes a legal requirement with the GDPR. The controller must implement appropriate technical and organisational measures to meet the requirements of the Regulation and protect the rights of data subjects. Controllers must hold and process only the data strictly necessary for their duties (data minimisation) and limit access to personal data to those who need it to carry out the processing.

In practice the new legislation makes the focus on data protection much less complicated and bureaucratic, but it brings serious consequences and penalties for those who do not comply. Fines can reach 4% of annual global turnover or €20 million, whichever is greater; this is the maximum for the most serious infringements, such as not having sufficient customer consent to process data or violating the core Privacy by Design principles. Not keeping records in order can cost a company up to 2% of annual global turnover or €10 million. These rules apply to both controllers and processors, so they directly affect cloud service providers.

Data Subject Rights

The regulation also lists rights that data subjects are now entitled to. Some important items to remember:

Right to be forgotten – Also known as data erasure, the right to be forgotten entitles the data subject to have the data controller erase his or her personal data, cease further dissemination of the data and potentially have third parties halt processing of the data. The conditions for erasure include the data no longer being relevant to the original purposes for processing, or the data subject withdrawing consent. Note that this right requires controllers to weigh the subject's rights against “the public interest in the availability of the data” when considering such requests.

Data portability – The right of a data subject to receive the personal data concerning them, which they previously provided, in a “commonly used and machine-readable format”, and the right to transmit that data to another controller.

Data Protection Officers

Under the 1995 directive, controllers are required to notify their data processing activities to local DPAs, which, for multinationals, can be a bureaucratic nightmare, as most Member States have different notification requirements. Under the GDPR it will not be necessary to submit notifications or registrations to each local DPA, nor to notify or obtain approval for transfers based on the Model Contract Clauses (MCCs). Instead there are internal record-keeping requirements, and appointing a Data Protection Officer (DPO) is mandatory only for those controllers and processors whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or of special categories of data or data relating to criminal convictions and offences.

For all companies that do business with partners or customers in EU territory, it is very important to prepare to comply with this legislation, applying it to all systems that manage, retain or manipulate personal data at any level. This is just one of the changes foreseen for 2018 in data privacy; many other regulations are expected in different parts of the globe, inspired by the principles of Europe's legislation.

Security – Do you know the crown jewels?
https://togosystems.com/security-do-you-know-the-crown-jewels/
Fri, 13 Oct 2017 02:35:40 +0000

After the Sony breaches and now the infamous Equifax data leak, data protection is making headlines again. It is not the first time we see large enterprises in trouble for not taking the right measures to protect data; every year there are large cyber attacks that result in data loss, reputation damage and legal consequences. Other well-known companies that have suffered the problem are eBay, LinkedIn and Yahoo. As you can see, not even companies with technology in their DNA are free from cyber attacks.
The recent episodes also teach us that data breaches are not only about stolen credit card information. Breaches now target all kinds of industries and different types of information. In this article we propose a simple framework that can help small, medium and large enterprises implement simple measures to understand and better protect their most important data, the Crown Jewels.

Identification and Classification

Studies from Ocean Tomo (http://www.oceantomo.com/blog/2015/03-05-ocean-tomo-2015-intangible-asset-market-value/) show that intangible assets represent more than 80% of the market value of large public companies. The first step in a successful data protection programme is to identify and classify the intangible assets that must be protected: data. A company handles many types of relevant data, e.g. upcoming merger and acquisition (M&A) plans, product designs and formulas, proprietary algorithms, marketing campaigns not yet released and many others. The data collected from customers, partners and employees (e.g. consumers' personal data, medical history) can also be extremely sensitive and must be included in the exercise as well.
This data attracts the attention of highly motivated, capable and well-funded adversaries such as unscrupulous competitors, nation states, organised criminal groups or even insiders with malicious intent. Business leaders appreciate the value of mission-critical information assets but can fail to recognise the extent to which these assets are exposed to threats and the potential business impact should they be compromised. Mission-critical information assets require clear ownership and heightened protection because of the risks to which they are exposed.

Identifying and classifying the data, as well as the assets where it resides, is usually a difficult and tedious exercise, but once they are mapped the next steps become much more dynamic and let the company focus on what matters.

Assess the state

Once you have identified and classified the data, the next step is to investigate the level of exposure and the main adversarial threats to the assets. With this information in hand you can build each asset's risk profile and record it in the appropriate manner.

Part of the investigation is to identify the technical vulnerabilities of the assets that host the critical data. These vulnerabilities may also be known to sophisticated adversaries and will be exploited to gain access to the data. Examples of technical vulnerabilities: unnecessary services running or network ports open on systems, flat unsegmented networks, sensitive information exchanged over insecure networks, an excessive number of highly privileged user accounts, applications running on end-of-life servers, unencrypted storage hosting sensitive files, to name a few. Organisations should perform a thorough vulnerability assessment of the technical infrastructure (servers, network devices, endpoints and workstations) that supports mission-critical data. The results should be recorded with details of each identified vulnerability.

Identified technical vulnerabilities should be reviewed to determine their criticality. A baseline rating is usually available from the software vendor's advisory or from a vulnerability database, normally expressed as a CVSS (Common Vulnerability Scoring System) score. CVSS is a scoring standard, not a judgement about your environment: the same score should weigh more on an internet-facing crown-jewel system than on an isolated test box, so the rating should be adjusted for the asset's value and exposure before it drives priorities.

The other relevant factor in the assessment phase is the kind of adversarial threat your critical data faces. Here the organisation must evaluate the factors that may influence the level of interest of a particular attacker or group. A popular method is the PESTLE model: Political, Economic, Social, Technological, Legal and Environmental. When checking these factors, companies should take into account the products and services they provide, their culture and risk appetite, the industry sector in which they operate, and legal, regulatory or contractual obligations. Some example factors: business leaders with a high public profile may attract a specific kind of adversary; a hostile environment, such as countries with poor human-rights records; an organisation operating in an industry subject to public scrutiny. Every industry segment has its own list of relevant factors.

Assessing adversarial threats also means recording the history of attacks that resulted in data breaches and the paths attackers used to reach the data. This information must be kept and used in plans to improve defences, educate data owners, examine the relationship between different threat events and identify the type of threat (e.g. internal or external attackers).

Determine the protection

The initial steps of identification, classification and assessment are the inputs to determine the protections that must be applied to your Crown Jewels assets. Review the results of the value and business impact assessments together with the threat profiles for mission-critical information assets, evaluate and select protection approaches and agree the security controls and solutions required to support these approaches.

Organisations must design protection measures for each kind of environment hosting mission-critical data according to its characteristics: the purpose of the data, its formats, typical structure, life cycle and supporting technologies. This information supports the choice of protection and controls to apply.

By their nature, mission-critical information assets require the greatest level of protection. The controls around them must be comprehensive, combining fundamental, enhanced and specialised security controls to cover every aspect of the critical assets' footprint. The fundamental controls are the basic measures that are a “must have” for any system: system and application hardening, patch management, strong passwords, authentication, backups, health checks. Enhanced controls include encryption, event logging and monitoring, file sanitisation, multi-factor authentication and file integrity checks. Specialised measures such as desktop virtualisation, application firewalls, biometric authentication, honeypots, automated alerts and application whitelisting must also be taken into consideration.

Detection and reaction

The best approach is always to protect the assets and ensure the Crown Jewels are safely guarded and monitored. However, deploying detective and reactive processes and tools will help minimise the damage when something goes wrong. Detecting adversarial threat events against mission-critical information assets requires a broad range of specialised security controls and arrangements that complement the preventive controls.
The actions in this stage are:
Perform rigorous monitoring of individuals associated with mission-critical information assets;
Baseline expected activity relating to the use of mission-critical information;
Detect tampering and misuse of mobile devices;
Record threat-related activity associated with mission-critical information assets;
Perform continuous monitoring of security-related events;
Detect unauthorised changes to mission-critical information and the supporting technical infrastructure;
Perform advanced systems and network monitoring;
Identify modified or lost equipment.

Monitoring these events is not always trivial and requires some investment in tools, processes and people. A mix of endpoint, mail and network protection (see our article about layers of defence) can be focused on protecting the mission-critical assets and the other devices on the path to the data.

In addition to the layered approach, a comprehensive awareness and training programme for users, employees and IT professionals is essential to ensure all relevant actors know their information security roles and how to protect the Crown Jewels.

Managni systems can support your organization to build a comprehensive program, helping you to identify, classify, assess, protect and monitor your Crown Jewels. Contact our specialists for a detailed description of our capabilities.

Security – The Layered Approach
https://togosystems.com/security-the-layered-approach/
Wed, 11 Oct 2017 16:37:43 +0000

SECURITY THREATS – A MATTER OF “WHEN” AND NOT “IF” IT WILL HAPPEN

“The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him.” – Sun Tzu

During the WannaCry ransomware outbreak in May 2017, the world watched, astonished, the destructive power of cyber threats and how fast they can spread. Malicious code makes no distinction between big players and small shops; it can devastate anyone who is not prepared. This episode opened the discussion on how well protected companies are, how fast they can detect and react to threats and how big the impact is if the worst happens. This article aims to help companies, from big enterprises to the one-person pizza delivery shop, prepare for the new scenarios and put in place a comprehensive plan to reduce the likelihood of an attack as well as to respond appropriately when the defences fail.

The Layered approach

Since the dawn of civilization people have thought they were more secure than they really were. Babylon once felt so secure behind its massive walls and sturdy gates that its king feasted while the Persian army laid siege to the city. The Persians entered early the next morning by damming the river and wading along the riverbed, right into the city. No one had considered that the river that passed beneath the walls—the city’s water supply—could also be its fatal weakness; the king paid for his mistake with his life.

The same paradigm applies to our modern problems with cyber security. One might think that “having a firewall and anti-virus is enough to make your network safe”, but that is a naive assumption.

Attackers will use every available method to find a way into your network and steal or destroy your data, depending on their motivation. Single-focus solutions are no longer the answer to modern threats: traditional anti-virus will not stop targeted attacks by advanced malware, and your firewall may not be effective when a user receives mail with malicious attachments. There are so many vectors to consider that multiple layers of defence are necessary; even so, keep in mind there is no silver bullet in cyber security. You still need to be prepared for the bad guys breaking in.

There are many different suggestions for layered security; considering modern threats, however, we must always bring automation, machine learning and analytics to the table to avoid alert fatigue and floods of false positives and negatives. With that said, here is our layered approach:

Network protection

The firewall is the heart of the network defence layer: it controls traffic by protocol, port, source and destination. This is one of the most basic ways to protect the perimeter, and its main objective is to stop malicious traffic right at the edge. Firewalls have evolved to incorporate IPS and traffic inspection, allowing them to examine each packet closely and tell malicious from legitimate traffic. However malware and bad actors have evolved too and have become sophisticated enough to bypass this layer: a backdoor on a user's device typically calls out to the attacker over ports such as 443 that the firewall has to allow, so the perimeter sees only an outbound connection that looks legitimate.

Some manufacturers add further capabilities to the traditional firewall: filtering of malicious URLs, techniques to prevent zero-day exploits and malware blocking.

End point protection

Antivirus, along with firewalls, is part of the traditional layer of defence and a valuable part of the security plan, but it should not be the only technology used to protect networks and devices. Antivirus started out with a very specific mission: protecting endpoints (workstations, servers, smartphones, etc.) from malware by comparing files against signatures. Attack tools and malware kits emerged and, over time, adopted polymorphism: they use different but functionally equivalent program logic and encoding to change their file signatures and avoid detection.

The fundamental problem with traditional antivirus software is that it is built on a reactive model: a system must suffer an attack before it can be stopped, and protection requires a “sacrificial lamb”, or first victim. Legacy antivirus has offered solutions based on that reactionary model, and the same argument reaches even the more advanced techniques of signature-based detection, exploit prevention, whitelisting, application controls and endpoint detection and response, insofar as their rules are also written after the first victim.

Again, artificial intelligence and machine learning play a fundamental role here, collecting data and learning from patterns in order to discover new threats.
Vendors that bring artificial intelligence and behaviour analysis to their products are a few steps ahead of the old paradigm that requires a “sacrificial lamb” to discover new threats.

Mail and web protection

Industry reports consistently put the share of targeted attacks that start with email above 90%, and these threats keep evolving. Email is the attacker's favourite and most effective tool for delivering malicious payloads. An efficient email protection system acts as a firewall with policies that filter spam, impostor (spoofed-sender) mail, bulk mail, phishing, malware and undesired content. Against sophisticated threats, advanced products offer mechanisms to detect and block malicious attachments and URLs, as well as a sandbox to detonate suspicious content. As with modern anti-malware engines, machine learning and predictive analysis are key to minimising the risk of a patient-zero-dependent product.

To avoid users browsing unprotected in the wilds of the internet, web proxies play an important role. Beyond the expected filtering capabilities, the web proxy also works as a layer of defence in case a well-crafted phishing mail or sophisticated malware sneaks in and tries to call home: the outbound connection from the endpoint can be blocked or at least logged there.

Prevention is ideal, but detection is a must

Attackers can strike across multiple layers, and one of those attempts will get through; it is a matter of “when”, not “if”. When the worst happens, the ability to detect and remediate is crucial. The tools and capabilities described above can also be used to detect and contain attacks. Network monitoring can collect and analyse unusual activity such as high-bandwidth transfers, stealthy periodic beaconing, malicious DNS lookups and atypical web traffic. These signals and many other patterns can be gathered as logs, correlated in a Security Information and Event Management (SIEM) system and handled by incident responders.

These incidents must be triaged and classified by criticality, and checked to weed out false positives. Here again the contrast is between traditional tools and next-generation ones that use artificial intelligence and machine learning to help automate the analysis of security-relevant logs.
After detection, remediation is the next key step, and where the hard work starts. As soon as an infected system is detected it is imperative that the malware is removed or the system quarantined for in-depth investigation, to determine what damage was done, how far it spread and whether remediation was effective.
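Two of the signals mentioned above, periodic beaconing and suspicious DNS lookups, can be spotted with simple statistics over the logs a proxy and a resolver already produce. The following is an added example written for this article, not code from the original post or from any vendor: it runs over constructed proxy and DNS log lines (the format, hosts and addresses are all made up) and flags client/destination pairs with near-constant request intervals, and clients issuing long, high-entropy hostnames under one parent domain.

```python
"""Beacon and DNS-tunnel detection over sample logs (added example)."""
import math
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: timestamp, client, destination, bytes.
# 10.0.0.5 talks to one host every five minutes; 10.0.0.7 browses normally.
PROXY_LOG = """\
2018-01-07T08:00:00 10.0.0.5 203.0.113.9 512
2018-01-07T08:05:00 10.0.0.5 203.0.113.9 498
2018-01-07T08:10:01 10.0.0.5 203.0.113.9 503
2018-01-07T08:15:00 10.0.0.5 203.0.113.9 510
2018-01-07T08:20:00 10.0.0.5 203.0.113.9 507
2018-01-07T08:00:12 10.0.0.7 198.51.100.20 18233
2018-01-07T08:03:40 10.0.0.7 198.51.100.20 2200
2018-01-07T08:31:02 10.0.0.7 198.51.100.20 91000
2018-01-07T08:45:55 10.0.0.7 198.51.100.20 400
2018-01-07T09:02:13 10.0.0.7 198.51.100.20 17000
"""

# Constructed DNS log: client, queried name.
DNS_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.9 3d7a9f0c1b2e4d5a6f7081929a3b4c5d.tunnel.example.net
10.0.0.9 a1b2c3d4e5f60718293a4b5c6d7e8f90.tunnel.example.net
10.0.0.9 0f1e2d3c4b5a69788796a5b4c3d2e1f0.tunnel.example.net
"""


def parse_proxy(log):
    """Yield (timestamp, client, destination, bytes) from the proxy log."""
    for line in log.splitlines():
        ts, src, dst, size = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(size)


def find_beacons(log, min_hits=5, max_cv=0.1):
    """Flag (client, destination) pairs whose request gaps are near-constant.

    Malware calling home on a fixed timer produces a low coefficient of
    variation (stdev / mean) of the gaps between requests; a person browsing
    does not. Returns [(client, destination, mean_gap_seconds), ...].
    """
    times = defaultdict(list)
    for ts, src, dst, _ in parse_proxy(log):
        times[(src, dst)].append(ts)
    flagged = []
    for (src, dst), stamps in sorted(times.items()):
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            flagged.append((src, dst, round(mean)))
    return flagged


def entropy(s):
    """Shannon entropy of a string, in bits per character."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def find_dns_tunnels(log, min_len=20, min_entropy=3.5):
    """Flag (client, parent domain) pairs issuing long, random-looking labels.

    DNS tunnelling and some C2 channels encode data in the leftmost label.
    Content delivery networks also use hashed hostnames, so review per parent
    domain and whitelist known ones rather than acting on a single query.
    """
    suspects = set()
    for line in log.splitlines():
        client, name = line.split()
        labels = name.split(".")
        if len(labels) < 3:
            continue
        first, parent = labels[0], ".".join(labels[1:])
        if len(first) >= min_len and entropy(first) >= min_entropy:
            suspects.add((client, parent))
    return sorted(suspects)


if __name__ == "__main__":
    print("beacons:", find_beacons(PROXY_LOG))
    print("dns tunnels:", find_dns_tunnels(DNS_LOG))
```

Both thresholds are starting points to tune per environment: software updaters also poll on timers, so beacon hits are best joined against a list of known update hosts before they reach an analyst, and the DNS rule should count distinct high-entropy labels per parent domain over a window rather than alerting on the first one.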

Managni systems can support you to find the right strategy for your organization in order to protect, detect and respond appropriately to the modern threats. We have a team of seasoned experts ready to analyze your case and suggest the right solution.

Wireless – Goodbye to 11ac
https://togosystems.com/wireless-goodbye-to-11ac/
Wed, 11 Oct 2017 05:43:19 +0000

Goodbye to 11ac Wave 1, start embracing 11ac Wave 2 technology in wireless access points

There is an everlasting demand for better user experience and more bandwidth in wireless. Wave 2 products have recently emerged and vendors are shipping cutting-edge Wave 2 technology. But what does Wave 2 mean?

The primary feature that defines Wave 2 is MU-MIMO (Multi-User Multiple-Input Multiple-Output). MU-MIMO makes wireless networks far more efficient by serving several clients concurrently, including phones, tablets, laptops, etc.

With the older SU-MIMO (Single-User MIMO), an AP can use multiple spatial streams, but only towards one client at a time, and only if that client can receive that many streams. Devices such as phones often support a single stream, so they cannot take advantage of this capability, and the AP's other streams sit idle while it serves them.

With Wave 2 MU-MIMO the AP can use all of its spatial streams at once, sending separate streams to different clients (phones, laptops, tablets, etc.) simultaneously; in 802.11ac this applies to the downlink, from AP to client. This dramatically improves the wireless end-user experience when a large number of devices are connected to an access point.

MU-MIMO complements SU-MIMO rather than replacing it. Access points can now choose either option to transmit data, concurrently to multiple devices or sequentially to individual devices, whichever is more efficient. Client devices that support MU-MIMO will benefit greatly from Wave 2 access points. This innovation is another step towards a near-wired experience over next-generation wireless networks.

Security – Manage your Vulnerabilities
https://togosystems.com/security-manage-your-vulnerabilities/
Tue, 25 Apr 2017 06:26:03 +0000

Manage your vulnerabilities

Part of the effort to keep the environment safe from threats is having good visibility of the weak spots, and implementing an efficient vulnerability management process is a good way to gain that visibility and create awareness. For those not used to the IT security world, an analogy is a house whose owner inspects it regularly: he walks the entire perimeter looking for cracks and broken doors, checking the locks, testing the strength of the windows and other potential entry points. After a thorough analysis of the outside and inside of the house he keeps a list of all the problems found and prioritises the most critical ones. The vulnerability management process works in a similar manner, and companies can run it using different approaches, technologies and processes. This article offers some tips on how to start your own vulnerability management and how to get insights from the data the analysis generates.

Getting started

A good starting point before implementing the process is the guidance in ISO 27002 (control 12.6.1, management of technical vulnerabilities). It contains a list of best practices and steps to get a traditional vulnerability management service up to speed. In a nutshell the relevant points are:

Make an asset inventory – Effective vulnerability management depends on knowing the relevant facts about your information assets: software manufacturer, software version, where the software is installed and who is responsible for each piece of software. A well-maintained asset inventory is key to a successful vulnerability management process, and a scanner finding on a host nobody owns is itself a finding.

Define responsibilities – Vulnerability management requires many different activities (e.g., running scans, risk assessment, correction, etc.), so it is important to clearly define who is doing what to ensure suitable tracking of assets and actions.

Define reference sources – Manufacturer sites, specialized forums, and special interest groups should be on your list of sources to consult for news about vulnerabilities and correction measures. The scanning tools used to run the tests usually correlate what they find with these reference sources.

Define your process – Regardless of how urgent a vulnerability is, it is important to treat it in a structured manner. Change management or incident response procedures should be considered for treating vulnerabilities. The time taken to respond to and fix vulnerabilities will also dictate the efficiency of your process; these vulnerabilities can be particularly dangerous when they affect critical systems. Don't forget that before implementing any remediation, the appropriate tests must be conducted in order to provide visibility on side effects or undesired outages in legacy applications.

Make records and re-assess – Maintaining records of what happened and which procedures were carried out is vital to learn from each incident and prevent further events, or at least to minimize their impact, as well as to improve the vulnerability management process itself. In addition, be sure to conduct periodic evaluations, so you can implement improvements, or make corrections, as soon as possible.

Improving your vulnerability management process

There are other relevant actions that can contribute to your vulnerability management process and make it more robust. Traditional VM processes are in most cases focused on running a scanning tool, consolidating the report, preparing action plans, implementing remediation and re-assessing. In addition, a strong security policy defining the minimum standards accepted for servers, databases, applications and other assets is certainly one of the key points to improve your VM process. These policies can be added to the standard scanning and provide visibility over problems that are not easily discovered in the basic vulnerability management process.

Real life

When we look at the real situations different companies face, it can be quite difficult to implement all the recommended actions, remediations and fixes pointed out by a vulnerability scanning report. Cross-referencing the vulnerabilities found with critical systems will help guide the actions; whenever fixes are not possible, consider alternatives and mitigating controls. Keep rigorous control of any accepted risk and check that the stakeholders are properly aware that this risk may materialize. Accepted risks must be reviewed periodically and be well known to the stakeholders.

What about the Cloud and IoT?

Nowadays it is very common to see companies moving their IT infrastructure to cloud providers like Azure, AWS and others. These assets can also be vulnerable, and the concept of vulnerability management applies in the same way as to on-premise platforms. The good news is that service providers have also realized this, and you can hire vulnerability management as a service. There is always the possibility of going hybrid, using your on-premise processes and tools to assess the state of your assets in the cloud, as well as adopting a customized process using the tools from your cloud provider.

In the IoT field, things are a little more complex – make sure you choose devices and technologies that provide a minimum security framework. Despite the popularity of IoT devices, not all vendors have adopted and implemented security best practices in their products. You can use vulnerability scanners to discover what is plugged into your network and how vulnerable those devices are; the remediation of these vulnerabilities will depend on the technology implemented in each particular IoT device.

Getting Insights

The volume of information generated by the vulnerability management process is huge and also valuable. You can cross-reference this information with your threat intelligence feeds and get visibility over the likelihood of attacks on unprotected systems. Another good way to get valuable insights is matching cases of system unavailability against information on vulnerable assets; this way you can estimate the chance that a potential outage is related to a security attack, especially in environments and systems with low security monitoring maturity. The historical count of vulnerabilities also shows your capability to fix problems and to deploy systems with the right security standards.
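As an added example (not the article's own code or tooling), the Python script below ties together the points above: it joins a constructed scan export with a constructed asset inventory, a constructed threat intelligence feed and a risk acceptance register, ranks findings so that actively exploited CVEs on critical systems come first, and flags accepted risks whose review date has passed. All hostnames, owners, CVE identifiers, scores and dates are constructed placeholders, and the scoring weights are assumptions chosen for illustration.

```python
"""Joins vulnerability scan findings with the asset inventory, a threat intel
feed and the risk acceptance register to prioritize remediation."""
from datetime import date

# Constructed asset inventory: who owns each host and whether it is critical.
ASSETS = {
    "web-01": {"owner": "app-team", "critical": True},
    "db-01": {"owner": "dba-team", "critical": True},
    "kiosk-07": {"owner": "facilities", "critical": False},
}
# Constructed scanner export. CVE ids are placeholders, not real identifiers.
FINDINGS = [
    {"host": "web-01", "cve": "CVE-EXAMPLE-0001", "cvss": 9.8},
    {"host": "db-01", "cve": "CVE-EXAMPLE-0002", "cvss": 7.5},
    {"host": "legacy-09", "cve": "CVE-EXAMPLE-0002", "cvss": 7.5},  # not in inventory
    {"host": "kiosk-07", "cve": "CVE-EXAMPLE-0001", "cvss": 9.8},
    {"host": "kiosk-07", "cve": "CVE-EXAMPLE-0003", "cvss": 4.3},
]
# Constructed threat intel feed: CVEs reported as exploited in the wild.
EXPLOITED = {"CVE-EXAMPLE-0001"}
# Constructed risk acceptance register: (host, cve) -> next review date.
ACCEPTED = {("kiosk-07", "CVE-EXAMPLE-0001"): date(2017, 1, 31)}


def prioritize(findings, assets, exploited, accepted, today):
    """Return (ranked findings, accepted risks overdue for review).
    Weights (+10 exploited, +5 critical asset) are illustrative assumptions."""
    ranked, overdue = [], []
    for f in findings:
        # Hosts missing from the inventory surface as UNKNOWN owner: an
        # inventory gap to fix, not a finding to ignore.
        asset = assets.get(f["host"], {"owner": "UNKNOWN", "critical": False})
        key = (f["host"], f["cve"])
        if key in accepted:
            if accepted[key] < today:
                overdue.append(key)  # accepted risk must be re-reviewed
            continue
        score = f["cvss"]
        if f["cve"] in exploited:
            score += 10  # active exploitation outweighs raw CVSS
        if asset["critical"]:
            score += 5
        ranked.append({**f, "owner": asset["owner"], "score": score})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked, overdue


if __name__ == "__main__":
    ranked, overdue = prioritize(FINDINGS, ASSETS, EXPLOITED, ACCEPTED, date(2017, 4, 25))
    for r in ranked:
        print(f"{r['score']:5.1f} {r['host']:9} {r['cve']} -> {r['owner']}")
    print("accepted risks overdue for review:", overdue)
```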

In summary, the vulnerability management process is crucial for protection of the environment and also a rich source for analytics and threat intelligence.
