🦑How do you secure remote access in ICS/OT?

Here are 5 tips on how to allow remote access AND secure it.

As much as possible.

1. Multifactor Authentication

This one goes without saying. While MFA isn't a silver bullet...

It vastly decreases the chance an unauthorized party can establish a VPN connection without a valid second factor.

2. On-demand Access

Besides MFA, this is my favorite.

Always assume that any VPN user's system could be compromised.

-> Your vendors.
-> Your employees.
-> Your other third parties.

Once compromised, do you want an attacker having 24x7x365 access into your ICS/OT network?

Of course not.

Limit VPN access to only the time windows in which access is required.

Have the outside parties schedule or call when access is required.

Many say that this is burdensome and too much overhead.

Which I can understand.

You'll have to weigh the advantages and disadvantages for your environment.

For me, I always push for on-demand access to greatly reduce the risk.

3. Implement Harden Jump Hosts

Require remote parties to login to a jump host before accessing ICS/OT resources.

There could even be multiple jump hosts for them to authenticate to.

For these jump hosts, ensure that each system is hardened.

Also ensure that the host's network connectivity is limited to only the IP addresses and ports that are necessary.

4. Monitor for Suspicious Activity

No security solution is perfect.

A VPN can become compromised.

Attackers can gain access to your network.

For when they do, it's important to be watching.

95% of ICS/OT networks don't perform network security monitoring.

This doesn't mean you shouldn't.

Watching your network activity. Your host activity.

All for signs of compromise.

Which brings us to...

5. Record and Monitor Jump Host Activity

This one isn't high on many lists.

But if you have the resources, watch in real-time what remote parties are doing on jump hosts.

Ensure all activity looks legitimate.

And if something looks suspicious, take action!

Thanks for checking out the list!

P.S. Do you know someone with unsecured remote access?


Ref: Mike HolcombMike Holcomb
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

Underground #Ransomware Group Targets Simmtech Co, Ltd

https://undercodenews.com/underground-ransomware-group-targets-simmtech-co-ltd/

@Undercode_News

🛡️ Upgrading Your SIEM: A Guide to Modern Cybersecurity

https://undercodenews.com/upgrading-your-siem-a-guide-to-modern-cybersecurity/

@Undercode_News

#Windows 11's Evolving Start Menu: A Step Forward, But Still a Nudge Too Far

https://undercodenews.com/windows-11s-evolving-start-menu-a-step-forward-but-still-a-nudge-too-far/

@Undercode_News

Getting RCE via Worst Fit 🤦

If you watched the Black Hat talk from Orange Tsai and Splitline last week in London, you might have found yourself shocked to see that a code snippet like the one below can lead to RCE.

Why can this be hacked? 🤔

Well, because you can inject double quotes... But can you? Not really, because 'subprocess.run()' would handle them securely. What you can do instead though is inject the odd fullwidth quotation mark: ＂

This shouldn't be a problem because surely shells wouldn't interpret this, right?

Wrong. Since Windows historically stores a lot of things, like cmdlines, environment variables, etc., in both ANSI and UTF-16, we run into a problem... How can you represent a value in ANSI if that value doesn't actually exist in the character set?

Meet "Best Fit". Which converts certain UTF-16 characters to similar-looking ANSI characters (such as converting a ∞ to an 8. Or converting a ¥ to a backslash. Or converting a ＂to a normal double quote).

This means that you can pwn this code snippet by injecting something like:

＂ --use-askpass=calc ＂

This pops calculator.

If you want to play around a bit with this, you may want to check out this PoC that I've created: https://lnkd.in/dBgeFscq

Also, you may want to check out https://worst[.]fit/ which tracks a list of Windows binaries vulnerable to this attack.

The worst part? Microsoft says this isn't a Windows vulnerability while open-source library maintainers say it is. So who is gonna fix it? 🤷‍♂️

Ref: Florian Walter
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🔍 Serbia's #Spyware Scandal: A Deep Dive into the NoviSpy Affair

https://undercodenews.com/serbias-spyware-scandal-a-deep-dive-into-the-novispy-affair/

@Undercode_News

🔴 ColdFusion Improper Access Control (#CVE-2024-20767) - HIGH

https://dailycve.com/coldfusion-improper-access-control-cve-2024-20767-high/

@DailyCVE

🔴 #Windows Kernel-Mode Driver Elevation of Privilege Vulnerability (#CVE-2024-XXXX) (Critical)

https://dailycve.com/windows-kernel-mode-driver-elevation-of-privilege-vulnerability-cve-2024-xxxx-critical/

@Daily_CVE

Winnti Group's Glutton: A Multi-Layered PHP Backdoor with a Twist

https://undercodenews.com/winnti-groups-glutton-a-multi-layered-php-backdoor-with-a-twist/

@Undercode_News

Farewell, Dragon! #SpaceX Cargo Ship Departs Space Station

https://undercodenews.com/farewell-dragon-spacex-cargo-ship-departs-space-station/

@Undercode_News

Dragon Departs the International Space Station: Witness Its Undocking Live on #NASA+!

https://undercodenews.com/dragon-departs-the-international-space-station-witness-its-undocking-live-on-nasa/

@Undercode_News

🚨 Internet-Exposed HMIs: A Growing Threat to Water and Wastewater Systems

https://undercodenews.com/internet-exposed-hmis-a-growing-threat-to-water-and-wastewater-systems/

@Undercode_News

🦑 𝟏𝟎 𝐁𝐥𝐮𝐞 𝐓𝐞𝐚𝐦 𝐓𝐫𝐚𝐢𝐧𝐢𝐧𝐠 𝐅𝐑𝐄𝐄 𝐂𝐨𝐮𝐫𝐬𝐞𝐬

1- Cybersecurity for Students: lnkd.in/g4YmXP9J
2- SOC Fundamentals: lnkd.in/gVfUGNR3
3- Phishing Email Analysis: lnkd.in/giQWrn3a
4- Detecting Web Attacks: lnkd.in/gUTFXRzM
5- Malware Traffic Analysis with Wireshark: lnkd.in/g5Ze-iwU
6- Linux for Blue Team: lnkd.in/gvpWMdea
7-Building a Malware Analysis Lab: lnkd.in/gGXunp4q
8-📊 Splunk for SOC: lnkd.in/gkZMam_n
9-🔐 Introduction to Cryptology: lnkd.in/g3jbE84W
10-💼 Job Hunting: lnkd.in/g9MeH9P7

Ref: Mohamed Hamdi
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🚨 Rhode Island's RIBridges System Compromised in #Ransomware Attack

https://undercodenews.com/rhode-islands-ribridges-system-compromised-in-ransomware-attack/

@Undercode_News

🛡️ Agile Business, Agile Security: How #AI and Zero Trust Work Together

https://undercodenews.com/agile-business-agile-security-how-ai-and-zero-trust-work-together/

@Undercode_News

🖥️ Beware Graphic Designers: Malicious Ads Targeting You with Fake #Software

https://undercodenews.com/beware-graphic-designers-malicious-ads-targeting-you-with-fake-software/

@Undercode_News

🚨 Iranian Cyberweapon Targets Critical Infrastructure: Decoding the IOCONTROL Threat

https://undercodenews.com/iranian-cyberweapon-targets-critical-infrastructure-decoding-the-iocontrol-threat/

@Undercode_News