©2018 RSM US LLP. All Rights Reserved. · ©2018 RSM US LLP. All Rights Reserved. #1 –Disable LLMNR 9 Local Link Multicast Name Resolution (LLMNR) is a non-critical Windows service

©2018 RSM US LLP. All Rights Reserved. ©2018 RSM US LLP. All Rights Reserved.


ICBA

15 Things you can do today to improve your bank’s cyber security posture – WITHOUT SPENDING A DIME!

November 1, 2018


… or … how to make your next pen testers really earn their fee - and most likely hate you in the process

©2018 RSM US LLP. All Rights Reserved.

About the Speaker

4

Jeffrey Kline

Director – RSM Technology and Management ConsultingBased in Sioux Falls, South Dakota

National Solution Set LeaderData Center Technologies


Intended Audience

5

The topics in this presentation are applicable to audiences of any technical level within the bank. Non-technical participants will receive a high-level understanding of zero-cost opportunities to improve the bank’s security posture.

However, the actual recommendations are designed for trained information technology professionals only and should be performed by the bank’s I.T. administrator(s) or qualified support provider.

This presentation is not intended to provide the depth of information or instruction sufficient for a non-technical individual to perform any of the recommendations made here.


The Cost of Security

6

• Cyber security is constantly changing

• Security cannot be “bought” but it does cost real money

• These 15 recommendations do not have associated costs

• Most security systems and initiatives do have associated costs – and must be budged for and funded!

• Worldwide, cybercrime (of all kinds) will cause losses of $1.5 trillion in 2018.


2018 Trends

7

• Ransomware• Social Engineering• Business Email Compromise• Advanced Persistent Threats• Headlines:

• United States power grid• Facebook• Panera• Under Armour• Orbitz• Ticketmaster• British Airways• Yahoo


15 THINGS YOU CAN DO


#1 – Disable LLMNR

9

Local Link Multicast Name Resolution (LLMNR) is a non-critical Windows service that is often abused by hackers to gain credentials that are used to further an attack.

Local Link Multicast Name Resolution (LLMNR)

Technical Description: • LLMNR is a Peer-to-peer Domain Name Service (DNS) protocol that sends out multicast messages requesting addresses for network resources

• It is usually enabled by default• LLMNR employs no security or authentication components• It is a Microsoft networking “feature” to make networking easier• The majority of Microsoft networks do not even need it!

What to Do: Create a Group Policy Object (GPO) within your Active Directory structure. Set a Computer Configuration to turn off Multicast Name Resolution.

What it Costs: Not a dime. It just takes a little time to create a GPO, test it, and deploy it to all your Windows systems. That’s it.


#1 – Disable LLMNR (what it looks like)

10


#2 – Disable NBT-NS

11

Like LLMNR, NetBIOS Name Services (NBT-NS) is a non-critical Windows service that is often abused by hackers to gain credentials that are used to further an attack.

NetBIOS Name Services (NBT-NS)

Technical Description: • NBT-NS is also a Peer-to-peer Domain Name Service (DNS) protocol that sends out multicast messages requesting addresses for network resources

• Limited to networks using IPv4 (which is most networks)• It is usually enabled by default• NBT-NS employs no security or authentication components• It is a Microsoft networking “feature” to make networking easier• The majority of Microsoft networks do not even need it!

What to Do: Set an option in the DHCP scope to disable this. Manually disable on systems with statically-assigned IP addresses. Disable by GPO by setting the NetBIOS node type to P-Node.

What it Costs: Not a dime. Just update your DHCP scope settings and manually disable NetBIOS over TCP/IP on systems that don’t use DHCP.


#2 – Disable NBT-NS (what it looks like)

12


#3 – Disable Web Proxy Auto-Discovery

13

Web Proxy Auto-Discovery is an Internet setting that automatically attempts to use a web proxy server. An attacker can deploy a rogue proxy server and mount a man-in-the-

middle attack.

Web Proxy Auto-Discovery

Technical Description: • Web Proxy Auto-Discovery (WPAD)• It is one of the settings boxes in Internet Explorer that is checked by default• Abusing WPAD requests allows an attacker to intercept plaintext and attempt to

decrypt encrypted traffic• This feature exists in Windows, Linux, and Mac browsers• The majority of networks do not need it!

What to Do: • Stop and disable the WinHTTP Web Proxy Auto-Discovery Service on all Windows systems

• Disable Web Proxy Auto-Discovery by GPO• Manually turn this feature off on non-Windows systems• Create your own dummy wpad entry in DNS – just in case

What it Costs: Not a dime. A little diligence looking into every system to make sure you’ve turned this feature off, and then a simple DNS entry to catch any systems that may have slipped through the holes – not much work at all.


#3 – Disable WPAD (what it looks like)

14


#4 – Change Default Credentials

15

Even the most benign device can be used by hackers! Every device on your network should be secured.

Default Credentials

Technical Description: • Many devices come with a default username and password• These defaults are well known to hackers• Hackers also have access to lists of the most commonly used custom passwords that

people use• IP-based systems like printers, multi-function devices, UPSs, cameras, PDUs, OOB

management systems, thermostats, environmental monitors, telephony devices, etc., all can be used by hackers!

What to Do: • Make a list of all the devices on your bank’s network – run a network scan if necessary

• Change the default credentials to unique, complex passwords and unique user names (if possible)

What it Costs: Not a dime. A little time and some legwork is all you need!


#5 – Remove Local Admin Rights

16

Users should never have administrative rights to their workstations. If a hacker is able to gain access on behalf of the user, they instantly have local admin access on the system.

Local Admin Rights

Technical Description: • Local admin rights makes a social engineering attack much more powerful• Some software vendors (even banking software!) claim local admin rights are

required – usually they are NOT.

What to Do: • Change permissions on all Windows systems to revoke local administrator rights from users

• If you have any software that “requires” these rights, figure out the minimum specific granular rights the user needs to run the software without giving them local admin rights.

What it Costs: Not a dime. It just might take a little time to surgically tweak permissions without using the sledgehammer local-admin approach some software vendors prefer.


#6 – Set Unique Local Administrator Passwords

17

Most network admins have a favorite local administrator password that is used on most/all of the systems in the environment – if one is compromised, the attacker has keys

to the whole kingdom.

Local Administrator Passwords

Technical Description: • Every non-domain-controller system has a local administrator account• Often the passwords to all of these is set to a “favorite” of the network admin• If a hacker has access to a system and is able to crack the password, they instantly

have the local administrator password to ALL systems

What to Do: • The hard way - Set unique local administrator passwords on all systems• The easy way – Deploy and configure Microsoft Local Administrator Password

Solution (LAPS) on an existing utility server

What it Costs: Not a dime. LAPS is a free Microsoft solution and if you deploy it on an existing Windows utility server, there are no licensing costs. Just set it up and use it.


#6 – LAPS (what it looks like)

18


#7 – Update PowerShell

19

Most network admins have a favorite local administrator password that is used on most/all of the systems in the environment – if one is compromised, the attacker has keys

to the whole kingdom.

PowerShell

Technical Description: • PowerShell version 4.x (and previous versions) is installed with Windows 2012 / Windows 8 and earlier versions of Windows

• A number of remote exploits against these versions of PowerShell are available to “script kiddies” through easy-to-use, point-and-click hacking tools

• (sometimes pen testers use the same tools)• Remote exploits can allow a hacker to remotely:

• Execute code• Dump credentials • Modify files• Open up connections

What to Do: • Update to the latest version of PowerShell 5.x • Configure your monitoring tool to keep an eye on PowerShell operations

What it Costs: Not a dime. Update PowerShell when/where you can and use your existing monitoring / logging tools to keep a close eye on it.


#7 – Update PowerShell (what it looks like)

20


#7 – Update PowerShell (what it looks like)

21


#8 – Harden Your Hosts

22

Almost all hypervisors are installed with default security settings and little is usually done to make them more secure.

Host Hardening

Technical Description: • Today’s hypervisors have a wealth of options that we usually don’t set (or even know about)

• Many of these settings can help improve the bank’s overall security posture• The hypervisor vendors provide some great information on how to harden the hosts,

storage connections, virtual networking, management systems, and virtual machines

What to Do: Follow the guides provided by the hypervisor vendors:• https://www.vmware.com/security/hardening-guides.html• https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/plan/plan-

hyper-v-security-in-windows-server

What it Costs: Not a dime. It might take a little reading and a maintenance window here or there, but you should be able to do this without any need for a budget!

https://www.vmware.com/security/hardening-guides.html

https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/plan/plan-hyper-v-security-in-windows-server


#9 – Protect Your Storage

23

When SAN / NAS devices are used in an environment, it is important to make sure they have basic protection and isolation from the rest of the network.

Protecting Storage

Technical Description: • SAN or NAS storage is available over the network• It is important to isolate these systems so they are only accessible (even via ping) by

the hosts that need access• Additional (and free) protection is available through Challenge Handshake

Authentication Protocol (CHAP) to iSCSI SAN systems• Isolation through physical separation or layer 2 VLAN segmentation should be used

for all IP-based storage network traffic

What to Do: • Turn on CHAP, host/storage firewalls, or any other features available to enhance storage security

• Segment storage traffic on separate physical switches or non-routable layer 2 VLANs

What it Costs: Not a dime. You may need to move a few things around, configure a network port or two, or turn on some features the bank already owns, but you won’t need to be signing any purchase orders for this one!


#10 – Adopt a Least Permissions Approach

24

The common approach is to give users full permissions to everything and then reduce their rights from there. Least permission starts with users having NO permissions and

only giving them the minimum permissions they need to the minimum resources.

Least Permissions

Technical Description: • A user’s permissions can be used against the bank during an attack involving social engineering, ransomware, etc.

• Users should have write rights to a very limited set of files (and even fewer – if any –folders)

What to Do: • Audit NTFS permissions on all systems and file servers• Update permissions using the least-permission approach• Anytime a user has write permissions to a file or folder, carefully consider if the

permissions are appropriate• Rein in the use of “Everyone” or “Authenticated Users” or “Domain Users” when it

comes to giving write permissions

What it Costs: Not a dime. … but this can be a large undertaking (depending on your file structure / size). But, your hard efforts will pay off, especially WHEN your bank is unfortunate enough be the victim of ransomware, etc.


#11 – Verify Backup Integrity

25

Backups are a frequent target of attackers. Unencrypted data stored within online backups is easy for unencumbered exfiltration. Recent ransomware variants will first

attack online backup files to force banks into paying ransom for the return of data.

Backup Integrity

Technical Description: • Backups should be stored as “offline” as possible• Domain credentials should not be used to access backup repositories• Use storage-based snapshots when possible• Backups of databases or other applications (taken through maintenance plans or

other mechanisms apart from the enterprise backup solution) should be stored encrypted.

What to Do: • Verify that your backups are impervious to attack or compromise• Assume the entire domain is unavailable or domain admin permissions have been

compromised – what can an attacker get to? If it includes backups, update your design.

What it Costs: Not a dime. Just take a fresh look at how your backups are being stored and what the worst case scenario would be in the event a hacker gets access to your environment.


#12 – Aggressively Patch Everything

26

Everything on the bank’s network is a potential target. Likewise, everything on the network can (and should) be frequently updated / patched.

Patching

Technical Description: • Unpatched systems (not just Windows patches) are the top vulnerability for exploits• Many banks don’t regularly patch non-Windows software (Adobe, Java, etc.) and

hardware (switches, printers, etc.)

What to Do: • Develop a patching schedule• Patch EVERYTHING that is on the network• Look for methods to keep ancillary software (Adobe, Flash, Java, etc.) up to date• If something cannot be patched, remove it

What it Costs: Not a dime. As long as you’re maintaining support on current systems, the vendors should be providing updates and patches without charge. It just takes some work (and a process) to keep everything up to date.


#13 – Educate Your Users

27

Social engineering is the favorite tool of the lazy hacker. Arm your users with the training and top-of-mind awareness to keep the bad guys at bay.

User Education

Technical Description: • Hackers use your people to make their work easier• Whether its clicking on a rogue link, opening an infected file, giving remote access to

an internal system, transferring funds, sending sensitive information, or even letting a stranger into the bank – users are often tricked into doing things they shouldn’t

What to Do: • Use your existing training material and double-down on your user training• Make cyber security a top of mind issue at your bank – lead the charge!• Test your users OFTEN• Post results of your tests in your newsletter or in the breakroom

What it Costs: Not a dime. Use what you have – and use it a lot. Be loud and obnoxious if you need to – but make cyber security THE topic at your bank. Eventually your users will get on board and be your best first line of defense.


#14 – Use Data At Rest Encryption

28

Data stored on hard drives is susceptible to loss by theft, or even simply returning a failed drive / device for warranty replacement.

Data At Rest Encryption

Technical Description: • Data at rest encryption tools store all data in encrypted files• Lost or stolen (or warranty returned) media will not contain recoverable bank

information if it is protected with data at rest encryption• These technologies are becoming more of a standard / must have in the banking

industry – and examiners are asking about them!• Encryption is available on SAN/NAS systems, servers, desktops, laptops, etc.

What to Do: • Check your SAN/NAS for data at rest encryption capabilities and turn it on if it is available.

• Configure and enable BitLocker on all Windows desktop / laptop systems

What it Costs: Not a dime. You most likely already have these tools available, its just a matter of turning them on! If you don’t have them, as you naturally replace hardware, make sure the new systems DO have this feature!


#14 – Encryption (what it looks like)

29


#15 – Tag External and Suspect Email Messages

30

Email spoofing and business email compromise have become prominent forms of attack in recent years. Giving your users a clear and obvious warning at emails are from

external or suspect sources helps them make good decisions.

Tag External and Suspect Email Messages

Technical Description: • Microsoft Exchange and Microsoft Office 365 contain options to detect email coming from outside the organization

• Sender Policy Framework (SPF) provides a check to ensure an external email came from a server that is authorized to send on behalf of that domain

• Microsoft Exchange and Microsoft Office 365 can check the SPF record and warn if an email is coming from an unauthorized server (indicating it may be fraudulent or spoofed)

What to Do: • Configure your email server to clearly and obviously notify users whenever they receive an external email

• Configure your email server to check for SPF records and provide a clear and obvious warning for any email that was sent with an unauthorized email server

What it Costs: Not a dime. You just need to create some rules on your email server(s) and provide your users with training


#15 – Tag Email Messages (what it looks like)

31


Checklist

32

❑ Disable Local Link Multicast Name Resolution (LLMNR)

❑ Disable NetBIOS Name Services (NBT-NS)

❑ Disable Web Proxy Auto-Discovery❑ Change Default Credentials❑ Remove Local Admin Rights❑ Set Unique Local Administrator

Passwords❑ Update PowerShell❑ Harden Your Hosts

❑ Protect Your Storage❑ Adopt a Least Permission

Approach❑ Verify Backup Integrity❑ Aggressively Patch Everything❑ Educate Your Users❑ Use Data At Rest Encryption❑ Tag External and Suspect Email

Messages

15 Things you can do today to improve your bank’s cyber security posture – without spending a dime!


QUESTIONS?


This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional

advice or services. This document does not constitute audit, tax, consulting, business, financial, investment, legal or other professional

advice, and you should consult a qualified professional advisor before taking any action based on the information herein. RSM US LLP, its

affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person.

RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and

consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal

entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other

party. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International.

RSM® and the RSM logo are registered trademarks of RSM International Association. The power of being understood® is a registered

trademark of RSM US LLP.

© 2018 RSM US LLP. All Rights Reserved.

Documents

©2018 RSM US LLP. All Rights Reserved. · ©2018 RSM US LLP. All Rights Reserved. #1 –Disable LLMNR 9 Local Link Multicast Name Resolution (LLMNR) is a non-critical Windows service