Keeping Systems Current. How Can I Tell That My System Is Patched?

Transcription

1 This quarter s Shield newsletter focuses on one of the foundations of good cyber safety keeping systems current and patched. Keeping Systems Current How Can I Tell That My System Is Patched? By Sam Adams - Cyber Security Administrator One of the easiest ways to protect your computer from malware is by simply having your computer patched and up-to-date. Most operating systems have processes in place to make sure this is done automatically and even tools that can identify any vulnerabilities in your system that may need to be patched. In the James Bond movie, Tomorrow Never Dies, one of the villain s henchmen reports that as planned, their software will be sold to the public full of bugs so the users will have to pay to upgrade in two years. In the real world, software bugs aren t added to increase revenue, they re present because little human mistakes in logic can accumulate into big programming glitches that allow the skilled attacker unintended access to data or programs. Software companies have moved from denying problems exist with their applications to refining their products before they reach the market. They now react quickly to programming errors by releasing revised versions of the errant codes in their programs so end users can patch them. Bad Guys and Bugs Since the beginning of computer programing, some users for fun or malice have tried to find ways to exploit buggy code to bend a program to their wills. Today s hackers exploit computer bugs to make millions using data stolen from users bank accounts and credit cards. They can carry out nationally-sponsored cyber-attacks against critical infrastructure targets like power generating plants or power transmission and distribution control systems. Cyber criminals even Why should you care? The bad guys have come up with increasingly more creative ways to attack and exploit the vulnerabilities of your system. Coupling that with an always-on Internet connection, your computer has a greater chance of being infected. With new security flaws in common applications being discovered every day, it is important to stay current with security updates designed to patch those security holes. If you are unsure of where to start, it is always a safe bet to have Automatic Updates enabled. Automatic Updates will automatically download and/or install critical updates to your computer. In the Windows Update site, you can also install less critical patches that the Automatic Updates do not cover. You can find these options by accessing the Control Panel (Windows) or System Preferences (Mac) and clicking the Security Center (Windows) and Software Update (Mac). There is a free tool offered by Microsoft, called Microsoft Baseline Security Analyzer (MSBA) that scans your Windows operating system, identifies any vulnerability the system may have and provides solutions to correct them. Continued on page 3

2 Keeping Systems Current continued from page 1 sell each other ways to exploit program flaws on illicit web sites. Cyber criminals command top dollar for flaws unknown to the software developers. Malicious programming that takes advantage of these obscure flaws is called a zero-day attack, named because software companies have zero days to prepare software patches to combat them. Zero-day attacks allow cyber criminals to install their software for weeks or months before their attacks are detected and patched. In response, some software companies now offer bounties for turning in zero-day bugs, hoping to entice the software bug hunters away from the dark side of coding these attacks. Rather than rely on employees to install their own patches, businesses have automated ways of receiving and installing patches to operating systems like Microsoft Windows, Apple OS X, and Linux, and major programs like Microsoft Office. These patches are delivered at least once a month and distributed via the corporate network. That way, any computers connected to a business network will keep their software up-to-date with the latest patches. Consequently, users should turn on seldom used computers to ensure that these patches are installed. The challenge for mobile computer users is to insure that their laptops are back in the office often enough to be patched so they aren t attacked when outside the company network. Home users should also be aware of the general monthly schedule followed by software vendors. Microsoft releases patches on the second Tuesday of every month, via a service called Windows Update. Apple OS X Macintoshes use a service called Software Update that can check weekly for patches. Linux distributions all have the same kind of updating service. Other software vendors may announce their patches via , but no one ever distributes software bug fixes via , since it is so easy for cyber crooks to disguise malicious software as a bug fix. MSRT is your friend The Microsoft MSRT (Malicious Software Removal Tool) is a monthly patch for Windows that removes malicious software (malware). Introduced in 2005, the MSRT has been highly successful in combating computer viruses and Trojan horses. It is available for all currently supported versions of Windows. While not intended to replace anti-virus products that keep malware from infecting a PC, it does fill a gap in detecting and removing some types of malicious software that Microsoft believes are widespread. If MSRT detects malicious software it quietly removes it. The next time someone logs into the computer as the computer administrator, a balloon notification will appear to tell the computer administrator that malicious software has been removed. Third Party Patches Software manufactured by someone other than the operating system vendor is called third party software. Examples of third party software include Adobe Reader, Adobe Flash, and various distributors of Java. Third party products usually depend on either voluntary patching where an update program tells a user a patch is available. Users frequently ignore these updates. A list of frequently exploited third-party programs as compiled by the computer security company Secunia is shown below. According to Secunia, the average PC user in the USA has 73 programs installed with 28 from Microsoft and the remaining 45 from third party vendors. Secunia has a list of the top ten vulnerable programs, of which only one is part of Microsoft Windows. Microsoft XML Core Services Sun Java JRE 1.6.x/6.x Adobe AIR 2.x Apple QuickTime 7.x Adobe AIR 3.x Adobe Flash Player 11.x Oracle Java JRE SE 1.7.x/7.x Adobe Reader X 10.x Adobe Shockwave Player 11.x VLC Media Player 2.x Check your PC to see if any of these are installed and then patch them.

3 Keeping Windows security software current In addition to checking a variety of security software settings, the Windows Security Center application and the Windows Action Center can help home users see if Windows Update is properly working and that your computers antivirus software is installed and updated. This includes the Microsoft Windows Defender, available with Windows 7 and Windows 8 default installations. The Windows Security Center is present in Windows XP SP2 and Windows Vista. Beginning with Windows 7, the Windows Security Center functions were rolled into the Windows Action Center. By default, these applications will present alerts on the task bar when a problem is encountered. How Can I Tell That My System Is Patched? Continued from page 1 The tools described above will check for patches associated with the operating system or programs closely associated to the operating system. There are other commonly used applications such as your Internet browser (Google Chrome, Mozilla Firefox, etc.), Java and Flash that could need patches, that these tools would not cover. Typically, these applications will notify you of any updates but there are tools out there that can manage all your applications in a single pane. Patching and updating your computer should not take the place of an anti-virus program. They should be used in tandem to increase the security of your system. Get reputable malware protection from a vendor you trust. If your PC came with an anti-virus product, consider renewing the subscription when it comes due. Or choose from a list of Microsoft partners who provide anti-malware software often for Windows, Macs, and Linux PCs at microsoft.com/ windows/antivirus-partners. Otherwise there are free alternatives for Windows, Mac OS, and Linux. For example, Microsoft Security Essentials offers free real-time protection against malware. Sophos provides a free Mac OS AV product called Sophos for the Mac, and the open source ClamAV can be used for Linux PCs. Windows Security Center The most important rule to remember when keeping your system up-to-date is to not ignore any notifications to patch your system. Patches typically deal with vulnerabilities that are widely known and it is best to take care of it as soon as possible. If you want to learn about how to best secure your computer, there are numerous articles on the Internet about this subject. Windows Action Center Sources: Bradley, Tony. "How Can I Keep My Computer Patched and Up To Date?" About.com Internet / Network Security. N.p., n.d. Web. 16 Sept

4 Cyber Security Our Shared Responsibility We all enjoy the benefits and convenience that cyberspace provides us as we shop online from home, bank online using our smart phones, or interact with friends through social networks. However, we need to remember that mobile devices have unique security challenges. For one thing, they are easy to misplace, potentially compromising any unencrypted sensitive data or applications stored on the device. How can you protect your mobile device? Use the same tactics you employ on your laptop, plus wireless protection. Restrict access to your home wireless network, by only allowing authorized users access to your network. When accessing the Internet from a Wi-Fi hotspot, assume there is no security at all, meaning avoid unfamiliar websites, and sites requiring you to log in. Keep your security applications up-to-date. Change any and all preconfigured passwords. Cyber Mobility Online Safety and Security Keep the anti-virus software on your mobile device updated. Always use caution when downloading or clicking on unknown links. Download only trusted applications from reputable sources or marketplaces Make sure when you log in to any financial sites, the URL reads " which means the site takes extra measures to help secure your information. Remember, " is not secure. Cyber Workforce Training Next Generation Leaders In 2013, you d be hard pressed to find many people who are truly computer illiterate. Perhaps they can t program in special languages, but they interact with computers on their cable boxes, gaming systems, phones, in cars, and even on many appliances in our homes. In fact, teenagers starting college in 2013 have always known flat screen televisions and have always been able to read books on electronic screens. That s encouraging for the future of cyber security. Kids are growing up with computers and understand security issues as one aspect in their overall technology education. If you feel like you need help in knowing the basics or explaining the concepts to your children, visit the StaySafeOnline web site. It contains age-appropriate resources for understanding cyber security. For the post-secondary learners, the Omaha area has three institutions designated by the National Centers of Academic Excellence in the study of Information Assurance. In Nebraska, the University of Nebraska at Omaha and Bellevue University earned that designation. In Iowa, Iowa State University owns that designation. Finally, if you need help determining what kind of training is available or needed for a cyber security position, the National Institute for Cybersecurity Careers and Studies offers many resources designed with for professional cyber security administrators. Everyone has to play a role in cyber security. Constantly evolving cyber threats require the engagement of the entire nation from government and law enforcement to the private sector and most importantly, from the public.

5 Cyber Security Our Shared Responsibility Cyber Crime New Faces on an Old Problem According to the Federal Communications Commission, theft of digital information has become the most commonly reported fraud, surpassing physical theft. Mobile technology accounts for some of the increase seen in reported fraud. As of 2011, global smartphone shipments exceeded personal computer shipments for the first time in history. Along with more wireless access, more wireless transactions are taking place. Their growing numbers make users targets for traditional security risks (e.g. viruses, spam, Trojans and worms) as well as sophisticated new forms of attacks. Like any kind of mobile device, the use of third-party and wireless networks and short-range networks like Bluetooth introduce additional vulnerabilities that must be mitigated to access the web safely. Wireless connectivity (sometimes advertised as a Wi-Fi hotspot) allows users to by-pass the secure Trusted Internet Connection (TIC) and connect directly to the Internet and other untrusted sources. Only connect to the Internet over secure, passwordprotected networks. Do not click on links or pop -ups, open attachments, or respond to s from strangers. Do not respond to online requests for Personally Identifiable Information (PII); most organizations banks, universities, companies, etc. do not ask for your personal information over the Internet. Password protect all devices that connect to the Internet and user accounts. Limit the amount of personal information you post. Do not post information that would make you vulnerable, such as your address or information about your schedule or routine. If your friend posts information about you, make sure the information is something that you are comfortable sharing with strangers. Take advantage of privacy and security settings. Use site settings to limit the information you share with the general public online. Be wary of strangers and cautious of potentially misleading or false information. Critical Infrastructure Cyber Protection At OPPD, we take our responsibility to provide electricity to our customers seriously, very seriously. We know how expensive an outage can be for those without power. As recently as 2013, OPPD s Energy Plaza experienced a blackout along with many downtown Omaha businesses. Energy Plaza employees and downtown workers were unable to work. We understand the cost to business. At most OPPD locations, employees are seeing more and more regulations, requirements and training involving cyber security. It s not the latest management fad if that s what you re thinking. It s the result of previous security analyses of our nation s entire infrastructure. The 2013 outage resulted from an equipment failure, not a security problem. It was accidental. It is those outages caused by premeditated actions and intentional damage we need to improve our protection against. As recently as March of this year the U.S. Director of National Intelligence called the cyber security attacks tops on the list of threats facing the country. According to a classified US Department of Homeland Security (DHS) report, Chinese-linked cyber espionage campaigns targeted 23 US natural gas pipeline operators between December 2011 and June The companies were targeted through spear phishing attacks. OPPD employees play an instrumental role in the cyber defense for our utility. It s only a matter of time before some campaign is mounted against the national, regional or local electric grid. Following the prescribed security standards helps us keep our defense solid.

6 North American Electric Reliability Corporation (NERC) Quarterly Update OPPD s NERC CIP Cyber Security Policy CIP R1 OPPD s NERC CIP Cyber Security Policy represents OPPD s commitment and ability to secure NERC CIP related assets and cyber assets. As required by NERC, OPPD s NERC CIP Cyber Security identifies OPPD s responsibilities pertaining to security and compliance actions in relation to the following NERC CIP Requirements: Cyber Security - Critical Cyber Asset Identification, CIP-002 Cyber Security Security Management Controls, CIP-003 Cyber Security Personnel and Training, CIP-004 Cyber Security Electronic Security Perimeter(s), CIP-005 Cyber Security Physical Security of Critical Cyber Assets, CIP-006 Cyber Security Systems Security Management, CIP-007 Cyber Security Incident Reporting and Response Planning, CIP-008 Cyber Security Recovery Plans for Critical Cyber Assets, CIP-009 OPPD employees and contractors with authorized NERC CIP Access can locate a hard copy of the OPPD NERC CIP Cyber Security Policy in or around NERC CIP Physical Security Perimeters. For OPPD employees, the OPPD NERC CIP Cyber Security Policy is located on the Cyber Infrastructure webpage page of the OPPD intranet. Finally, all OPPD authorized personnel who have completed the required annual NERC CIP Security Training are required view and adhere to all requirements identified within the OPPD NERC CIP Cyber Security Policy. OPPD s NERC CIP Cyber Security Policy is annually reviewed and approved by OPPD s Vice President of Energy Delivery and Chief Compliance Officer, Mr. Mohamad I. Doghman. OPPD s Reliability Compliance Department recommends that all OPPD employees and OPPD contractors with authorized NERC CIP Access be familiar with this policy and to reference the policy for any questions or concerns there may be relation to OPPD NERC CIP assets and cyber assets. References: North American Electric Reliability Corporation (NERC) Cyber Infrastructure Protection (CIP) Standards: pa/stand/pages/cipstandards.aspx Midwest Reliability Organization: If you have any questions or require any additional information regarding this subject please contact Michael Nickels OPPD Reliability Compliance Specialist, manickels@oppd.com.