
One of the great myths of executive travel is the benefit of racking up hospitality rewards for grand vacations in Fiji or the Swiss Alps. In reality, trips are frequent, exhausting and sometimes bound for undesirable destinations that present a slew of security issues.

Travel Security Challenges and Best Practices

While you may not have much say in when and where you travel, understanding your trip’s goals can help determine the best business security practices. A quick, one-day trip to meet a business partner might mean you can leave your computer at home, for example. A month-long globe trot to multiple satellite offices, client meetings and a little R&R would require a more rigorous approach to securing all of your devices.

It is equally important to know the purpose of your trip, the systems and access you will require while traveling, the sensitivity of information you will be handling and the available security resources. These points will determine what travel security precautions you should take before you even pull out your suitcase.

Bring a Bat Phone

Ideally, you would never take your own phone on a trip. Instead, take a burner phone that contains no personal data. Cybercriminals can use information you may not consider sensitive to facilitate attacks or steal your identity. They can use your contact list, phone call history, texts, personal email and calendar to target other members of your organization or compromise even more sensitive data.

Do not leave any IT device, including mobile phones, unattended. Hotel safes offer little protection from determined attackers, corrupt hotel employees or the host government. If you must leave your things unattended for social or cultural reasons, assign a trusted member of your party to watch all computer and communications gear. If possible, leave them secured at the local embassy or consulate.

Consider disabling your computer’s USB ports as well. You should also use a video camera cover, a laptop screen privacy cover and microphone jack disabler.

Software Security

Be sure to complete virus definition and patch update activities before your departure. Always assume your devices will be compromised upon arrival. In addition to local intelligence services, you may be targeted by agencies from other nations, criminal organizations and commercial competitors.

To avoid a compromise, review and harden the software build of all your equipment prior to your trip. This may include disabling unnecessary features such as the microphone, camera and Bluetooth capabilities.

You should expect any online services you use to be compromised the moment you arrive, but there are steps you can take to protect yourself. Have an assistant forward email to a temporary account that you will delete once you return home, for example. Forwarded emails or excerpts should never contain sensitive information.

Additionally, never update software while connected to an untrusted access point. Disable Java and all noncritical plugins and only allow JavaScript on trusted sites. Don’t click on ads or pop-ups or open email attachments from untrusted senders.

Handling Classified Information

Deleting or moving sensitive information prior to travel is not always sufficient. Take a separate device when traveling to countries of concern so you can minimize the sensitive files — including email history — on your devices. Accept no media or files from untrusted parties, including your host. You can view files on your host’s devices when required.

Bring your PowerPoint or other documents to be shared with hosts on a USB drive, then securely dispose of the device when it’s no longer needed. Do not download files to a device in-country. Most importantly, be sure to promptly and securely delete files once they are no longer needed. Never plug anything into your computer that has been in contact with untrusted systems or media. Upon return, dispose of devices used in countries of concern, or at least have them forensically wiped and rebuilt.

Use strong encryption — including full-disk encryption — on all devices that will accept it to protect data at rest. However, you must recognize that these systems can be defeated. When a device passes through customs, for example, it is subject to inspection and may need to be powered up. If so, use trusted platform module (TPM)-based disk encryption and minimum Federal Information Processing Standard (FIPS) 140-2 level 3 devices or the highest level available.

It’s easier to follow these best practices if noncritical features and ports are disabled because it eliminates the social awkwardness of a perceived lack of trust. This awkwardness can be used as a social engineering attack vector.

Destination Unknown

Have devices transported to the local embassy of your destination in a diplomatic pouch, if possible. If your party can travel with an accredited diplomat, he or she can use diplomatic immunity to protect the entire party’s devices from inspection. If you cannot travel with an accredited diplomat, try to have one meet you at the airport ahead of customs.

Assume that hotel rooms, conference rooms, etc. are under video and audio surveillance at all times. Additionally, shredders that are made available to you can have hidden scanners that deliver the documents you are trying to destroy directly to cybercriminals. Similarly, all voice, data and text carried by local telecommunications companies can be compromised. Access all information via secure tunneling with strong end-to-end encryption vetted by your IT department or a competent consultant.

If you find that this system is not working when in-country, consider that an adversary may have disabled it to force you to use a less secure form of communication. Also consider that internet activity conducted through public terminals or wireless networks may point to real or perceived vulnerabilities that intelligence services or others could leverage to provoke, recruit or embarrass you.

Obviously, all these travel security insights and recommendations are not appropriate for every employee on every trip. But maintaining a high level of awareness and pre-travel preparation always provides added security and peace of mind.


Security Intelligence

To state the obvious, organizations of all shapes and sizes are under constant attack in cyberspace. Some ignore the risk, hoping that it will simply go away or that they won’t suffer a breach. Others opt to weather the storm even if a breach occurs, willingly risking their critical data. Others still deny that a breach would dramatically affect their business. Is this a risk your organization is willing to take?

Take Action to Protect Critical Data

Some forward-looking organizations focus on protecting their critical data assets because they are vital to their business operations and competitive positioning. These organizations understand they must protect critical data to sustain competitiveness in today’s global economy. Assets such as intellectual property, trade secrets, customer information, information about mergers and acquisitions, health information and other sensitive data are extremely valuable to cybercriminals.

Organizations are taking action to understand the type of data they possess, the value of that data to the organization, the controls that are in place and the potential impact to business processes should the data be breached or corrupted. They are implementing the controls required to protect these sensitive assets and monitor potential risks.


A Collaborative Effort

Discussion should not solely be focused on the type of controls in place, the number of patches applied or the number of incidents detected. We need to discuss potential business disruptions due to cyberattacks and the business processes that may be affected. Risk management should be a collaborative effort between business leaders and the IT team.

Are your line-of-business (LOB) owners and executives aware of the risk to their critical data? Do they know which LOBs carry the greatest risk, what sensitive data is at risk, how valuable the data is, who owns the data and which users are putting the data at risk?

Executive boards must understand the need to protect critical data — it’s no longer just an IT issue. In turn, IT leaders must make sure business leaders have the insight they need to protect their assets.

Learn More

For more information, check out the on-demand webinar titled “Stop Playing ‘Chicken’ With Your Data-Related Business Risk — Protect Your Critical Data.”

To learn more about why traditional security metrics are irrelevant to most executives, download the Gartner report titled “Develop Key Risk Indicators and Security Metrics That Influence Business Decision-Making.”


Security Intelligence

Smaller businesses, like the HVAC company that caused the Target penetration in 2013, often think they are too small to be security targets, but SMB cybersecurity can have big implications. Size doesn’t matter as long as your firm has something of value that someone thinks is worth stealing, or a connection that someone thinks is worth exploiting.

In the case of Target, the retail chain had pretty solid cybersecurity practices in place. Its Achilles’ heel was a Windows server running on the HVAC vendor’s site that could be compromised. That server breach led to Target’s point-of-sale system being infected with malware, resulting in millions of dollars in subsequent losses.

Small Leaks Lead to Big Problems

The leak of a pending merger, new product description or confidential personnel memo can cause problems. None of these involve a lot of data in terms of megabytes, but all can influence markets or compromise the reputation of a particular organization. The “I’m too small to be a target” fallacy makes it easier to steal data and compromise SMB cybersecurity than to attack a large bank or other enterprise directly.

Indeed, the more vertical the SMB market, the more likely it is to sustain attacks. Take a specialized medical device vendor, for example. Many of these devices are connected to the internet and have embedded servers. An attacker could potentially penetrate an entire hospital network by compromising a single device.

SMB Cybersecurity Best Practices

Tripwire offered some suggestions to improve SMB cybersecurity practices that won’t cost millions, such as providing incentives through tax breaks or noncompliance fines to motivate SMBs to partner with a cybersecurity vendor to improve their posture and strengthen their security program. Another idea is to emulate financial firms and other large businesses by leveraging threat data and sharing best practices.

Small businesses should also train employees to recognize phishing attacks. SMB firms often lack the security depth and training to recognize these scam emails, especially as cybercriminals get better at using insider information to make the communications more believable.

Finally, SMB cybersecurity insurance should be made more available and attractive to help protect smaller companies from potential adverse effects.


Security Intelligence

August 6, 2016

On this week's show we speak with Signal Sciences' co-founder Zane Lackey about hackers building defensive tools and software companies. Dan Guido and Andy Greenberg talk about car hacking and the week's security news, and Wade Woolwine of Rapid7 is in the sponsor slot talking about EDR/IDR software.

Links to everything are in this week's show notes.



Information Security Podcasts

A few more photos from the Black Hat USA 2016 Business Hall.

Featured companies: NSFOCUS, Qualys, FireEye, Synack, Forcepoint, LogRhythm. Also featured is the US Department of Homeland Security.



Help Net Security

Systems Affected

Outdated or misconfigured SAP systems

Overview

At least 36 organizations worldwide are affected by an SAP vulnerability [1]. Security researchers from Onapsis discovered indicators of exploitation against these organizations’ SAP business applications.

The observed indicators relate to the abuse of the Invoker Servlet, a built-in functionality in SAP NetWeaver Application Server Java systems (SAP Java platforms). The Invoker Servlet contains a vulnerability that was patched by SAP in 2010. However, the vulnerability continues to affect outdated and misconfigured SAP systems.

Description

SAP systems running outdated or misconfigured software are exposed to increased risks of malicious attacks.

The Invoker Servlet vulnerability affects business applications running on SAP Java platforms.

SAP Java platforms are the base technology stack for many SAP business applications and technical components, including:

  • SAP Enterprise Resource Planning (ERP),
  • SAP Product Lifecycle Management (PLM),
  • SAP Customer Relationship Management (CRM),
  • SAP Supply Chain Management (SCM),
  • SAP Supplier Relationship Management (SRM),
  • SAP NetWeaver Business Warehouse (BW),
  • SAP Business Intelligence (BI),
  • SAP NetWeaver Mobile Infrastructure (MI),
  • SAP Enterprise Portal (EP),
  • SAP Process Integration (PI),
  • SAP Exchange Infrastructure (XI),
  • SAP Solution Manager (SolMan),
  • SAP NetWeaver Development Infrastructure (NWDI),
  • SAP Central Process Scheduling (CPS),
  • SAP NetWeaver Composition Environment (CE),
  • SAP NetWeaver Enterprise Search,
  • SAP NetWeaver Identity Management (IdM), and
  • SAP Governance, Risk & Control 5.x (GRC).

The vulnerability resides on the SAP application layer, so it is independent of the operating system and database application that support the SAP system.

Impact

Exploitation of the Invoker Servlet vulnerability gives unauthenticated remote attackers full access to affected SAP platforms, providing complete control of the business information and processes on these systems, as well as potential access to other systems.

Solution

In order to mitigate this vulnerability, US-CERT recommends users and administrators implement SAP Security Note 1445998 and disable the Invoker Servlet. For more mitigation details, please review the Onapsis threat report [1].

In addition, US-CERT encourages that users and administrators:

  • Scan systems for all known vulnerabilities, such as missing security patches and dangerous system configurations.
  • Identify and analyze the security settings of SAP interfaces between systems and applications to understand risks posed by these trust relationships.
  • Analyze systems for malicious or excessive user authorizations.
  • Monitor systems for indicators of compromise resulting from the exploitation of vulnerabilities.
  • Monitor systems for suspicious user behavior, including both privileged and non-privileged users.
  • Apply threat intelligence on new vulnerabilities to improve the security posture against advanced targeted attacks.
  • Define comprehensive security baselines for systems and continuously monitor for compliance violations and remediate detected deviations.

These recommendations apply to SAP systems in public, private, and hybrid cloud environments.
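As an added illustration of the baseline-and-monitor recommendation above (this is example code written for this page, not a US-CERT, SAP or Onapsis tool), the script below audits exported Java engine settings from several systems for the Invoker Servlet switch. It assumes the servlet_jsp service property is named EnableInvokerServletGlobally, the setting SAP Security Note 1445998 concerns as I recall it (verify the name against the note for your release), and that the settings were exported to a plain key=value dump; the sample exports are constructed.

```python
"""Baseline check: is the Invoker Servlet disabled on each SAP Java system?

Added example, not part of the alert. Assumes a servlet_jsp property named
EnableInvokerServletGlobally (per SAP Security Note 1445998, as recalled;
verify) exported to key=value text. Sample data below is constructed.
"""

# Constructed sample exports for three systems (not real configurations).
SAMPLE_EXPORTS = {
    "PRD-J2EE": "EnableInvokerServletGlobally=false\nHttpOnly=true\n",
    "DEV-J2EE": "EnableInvokerServletGlobally=TRUE\n",
    "OLD-J2EE": "HttpOnly=false\n",  # property absent: treat as a finding
}


def parse_properties(text: str) -> dict:
    """Parse a key=value dump; skip blanks and '#' comments, trim whitespace."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def invoker_servlet_status(props: dict) -> str:
    """Return 'disabled', 'enabled' or 'unset'.

    'unset' is reported as a deviation too: a missing property means the
    platform default applies, which on outdated releases is not safe to assume.
    """
    value = props.get("EnableInvokerServletGlobally")
    if value is None:
        return "unset"
    return "disabled" if value.lower() == "false" else "enabled"


def audit(exports: dict) -> list:
    """Return (system, status) pairs for every system off the baseline."""
    findings = []
    for system, text in exports.items():
        status = invoker_servlet_status(parse_properties(text))
        if status != "disabled":
            findings.append((system, status))
    return findings


if __name__ == "__main__":
    for system, status in audit(SAMPLE_EXPORTS):
        print(f"{system}: Invoker Servlet {status}; apply SAP Security Note 1445998")
```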

Note: The U.S. Government does not endorse or support any particular product or vendor.

References

Revisions

  • May 11, 2016: Initial Release



US-CERT Alerts