Yes many videos from RSA Conference in San Francisco, also Twitter posts with hashtags:  #RSAC2017, #RSAC, and

So these are my Cybersecurity focused thoughts on RSA conference ending today(02/17/17):

Top 7 new attack vectors (from SANS team youtube):

  1. Ransomware
  2. IoT as attack platform
  3. Ransomware on IoT
  4. ICS attacks more sophisticated
  5. random number generators cause problems for Bitcoins and elsewhere -- Impact  of random numbers on WPA2 - if not random then can be guessed
  6. Insecure software components (Private Master Key Input)
  7. Service integrity (including cloud)

The Ransomware as IoT deserves special scrutiny:

With the following questions -

  1. What would you pay to turn your lights back on? your heat? your car?
  2. What would you pay to get your factory running again?

Factory running again is also in the ICS(Industrial Control Services) attacks area -

If somehow the ICS devices such as PLC controlling the factory floor are hijacked?

German Steel Mill destruction in Wired story  where a German steel mill had "failures in control systems that did not allow a blast furnace to shut down in a controlled manner which resulted in massive damage".

Here is a picture of an Eagle PLC:

There is no confirmation of the type of equipment in the German company with the problem, the above picture is only to illustrate what a typical PLC (Programmable Logic Controller) looks like. The PLC is programmed to perform tasks such as open and close a circuit within certain conditions. So whatever was controlling a PLC in Germany blast furnace was disabled or otherwise controlled when the furnace was given a shutdown command by the operator. A DOS (Denial Of Service) Attack could have also caused this at the right time.

As a note to this post portion about SANS video, there were 2 guys on there well known in the CyberSecurity  field Dr. Ullrich (of Internet Storm Center) and Ed Skoudis on staff at Sans.edu (and has been in the community for years. Ed had the first 3 points of top7 new attack vectors, the bottom 2 were Dr. Ullrich, and Michael Assante had the middle 2 (4&5) as he is the ICS specialist.

 

Now I want to move to the 2nd of the important videos (I'm still watching the multiple videos available from RSAC2017.

This one is from a top NGFW(Next Generation FireWall) company CEO Mark McLaughlin of Palo Alto.

It is no surprise from a firewall vendor to try to explain how their product is better than others, but there was a "new" theme in this talk by Mark McLaughlin, the theme of sharing collaboratively with other vendors and potentially allowing their clients to share some data to make us all more safe.

The same themes were there (since they did not go away)

  1. 80% of board of Directors were concerned or very concerned
  2. 72% of CEO's are not feeling fully prepared for a cyber attack.

The new model (i.e. this is what 2017 will bring) is to include

  1.  More innovation
  2. More sharing
  3. More automation
  4. More software
  5. More ease of deployments
  6. More flexibility of usage.

This is not a surprise  we must improve or we will fall, so moving ahead the main theme that I got out of the videos watched: Ransomware and new ways ransomware will attack us is coming soon. As well as collaboration by the security vendors, although I suspect this will take time.

Contact Us to discuss

 

 

 

 

 

There is only so much time to work on anything. And Cybersecurity is not any different, it requires a focus of IT Management (and Cybersecurity specifically)

 

As far as Cybersecurity goes, what is it that we all must know and understand thoroughly?

  1. Ransomware defense, IT basics such as test your backup (this means you have a valid backup)
  2. Weakest link = Human Social Engineering - If someone  can call you and you give them access how does a security department defend against this?
  3. NGFW (Next Generation FireWall) and other automation - A new updated firewall is a must these days
  4. Threat Analysis
  5. Compliance only is weak
  6. Password Failure
  7. Simplify Instructions to Employees  re: Cybersecurity
  8. Not enough training
  9. Governance process and procedure
  10. Good defense is a good offense (what does that mean in Cybersecurity)

 

How can I come up with this list?

 

Previous posts and research.

Here are the previous posts or "reference points":

#1 Ransomware:   http://oversitesentry.com/another-hospital-computer-system-down-due-to-ransomware/ A German hospital was affected by Ransomware and was down a considerable length of time due to having to rebuild all machines infected. (likely from scratch).  But that is not the only story  I tried to answer why ransomware is effective in this post:

7 common mistakes (listed in post) are mistakes or failures in security procedures. The German hospital that got hit with ransomware did not have a proper backup

#2 Social Engineering:  This is a primary cause of concern as human error is a major cause of security breaches including at DEFCON22 at the social engineering Capture the Flag event, needless to say the retail teams were breached. If somebody calls you to ask for information on your computer and network be very careful.

#3 NGFW The Next Generation FireWall, the successor to a standard firewall, and really a must in this day and age in a decent size operation.

(A NGFW can inspect applications as well as filter traffic by origin or destination)

 

#4  Threat analysis: Cyber Threat Intelligence is used to help us defend and make the job of the attacker harder. I.e. the attackers "Pyramid Of Pain" needs to be closer to the top.

FireEye has attempted to explain Threat Intel with a Pyramid representation and I use it here to use the info as an industry standard.

#5 Compliance only is weak - And I discuss that in several ways

 

If your focus is so narrow as to only focus on crossing all the checks to be marked off a compliance list, then you will miss the overall company security.

#6 Weak passwords and other Password Failures (like 90% of all Point of Sale systems still have default passwords)   Our weakness of not solving password management hurts many organizations

#7 Simplify Instructions to Employees as logistical problems create issues and thus hamper Cybersecurity. Some security issues are complicated and IT terms may cloud what non-IT people have to review and learn.  Why is simple important?   Tom Kolditz of West Point explains: “No plan survives contact with the enemy.”

#8 Not enough training with regards to cybersecurity. No employee should ever answer a phone call and give out too much information, click on bad emails, set up good passwords, but there is a bigger problem. The general sense that we are getting inundated with more and more information. IoT - and Denial of Service and more complexity. But this complexity creates confusion in regular people that needs to be reviewed and trained.

#9 Governance Process and Procedure. Writing complete procedures will be difficult as all are, but once done will be good for the people and the company

#10  Test your network by getting a red team which will act like an attacker -- This issue could be higher, and maybe one of the most important items.  The best defense is a good offense is well known adage. And the way it is used in Cybersecurity red team is the offense and the blue team is the defense.

This post and image explain red vs blue team as well:

 

Contact US to review your own Cybersecurity priorities.

1

If we had to start somewhere in computer security (or Cybersecurity) what should be done?

First: start with performing minimum compliance standards (this objective also doubles as a documentation of compliance)

Second:  Improve security by spending some time on Cybersecurity (an ounce of prevention is worth a pound of cure)

Third: Integrate Governance Risk Compliance (GRC) into your business  (as we discussed here)

Many compliance standards were built with actual security in mind, even if the process becomes only a check box methodology. Not all checkboxes may prove truly secure.  Nevertheless it is a good place to start.

But once you have started move into the world of "Not Just Compliance: Be More Secure"

The key is to find weaknesses that are outside of PCI compliance.  http://oversitesentry.com/where-does-pci-compliance-fail/

You can see in the above diagram, that the IT security framework encompasses PCI compliance. What if you have a local HR server which houses your employee Personal Identifiable Information(PII)?  The Human resource data is not covered by Payment Card Industry compliance because there are no credit cards to charge for the HR department. But what if the HR server is compromised? Then the attacker has an inside network resource to try to attack other machines.

This is what I was trying to explain in the above Risk management matrix. The systems that are not as critical to your operation (not CC systems, not HR systems) those have a higher chance of getting attacked due to lack of attention over time.

Thus once your lower priority systems are hacked the hacker now is in the network and it will be harder to get the hacker out of your critical systems if not set up correctly.

Everyone claims to create a risk management profile on your servers and systems. But it is also important to actually assign the right amount of resources as maybe you do not have enough resources in the security area. So the key for Risk Management and analysis of your IT resources  is not how to cut costs, but are we secure enough? And if not, then we need to fix the profile in time.

As long as you know you have a problem then you can move forward and address it. So start with the basics and build from there. The security complexities are wide and understood properly over time.

 

Contact Us to discuss

GRC = Governance, Risk & Compliance

Currently on front page: https://fixvirus.com/

Governance is difficult and there is a reason, as the constant patching of thousands of vulnerabilities and bugs create organizational problems for many IT departments. Especially if one does want to do things in a correct manner.

Obviously one can just "wing it" and do something but not enough and then eventually (like a majority of IT) they will get hacked.

So this is why many companies get hacked and the famous quote of FBI director James Comey: "

(image from azquotes.com)

Above quote is from DNI James Clapper (from previous blogpost )

 

What will it take for some people to get more serious about Cybersecurity? I think the only thing that makes us more aware is disaster. So unfortunately they or someone close to them must have gotten bit by criminal hackers before more attention is paid.

This is obvious when looking at statistics:

60% of small businesses close within 6 months of a successful cyberattack.

1

Most people do not think about security in general. We ignore risks when they cost money and time due to our inherent impulse for this phenomena

 

I have discussed this before  in the last post of 2016:

How bad is it? Will Cybersecurity get worse?

The problem is one of business decisions which means a little bit of known knowledge and a little bit of psychology, it does not have to do with technical capabilities.

What is the worst problem that can happen to you in your business?

Lose all data? I.e. without a backup!

That is what can happen with a phenomena called "Ransomware".

What do you think the 7 common causes that companies get hacked are? (From DarkReading article)

  1. Failure to check code before deployed
  2. Leaving source code exposed
  3. failure to change default passwords
  4. Poor patching process
  5. Human error in social engineering , phishing
  6. Poor exfiltration control
  7. Failure to recognize infiltration

 

All of the 7 common causes are mistakes or failures in operating Information technology in one way or another are directly related to human failures in security procedures

Remember from Bruce Schneier's Psychology of security 70 % of us do not believe that it is wise to spend money on risk avoidance,  there are other things that we as humans naturally tend to do.

 

So the bottom line? Ransomware is not going away. Criminals will make more money and make better Ransomware.

I am sure you reading does not have problems, and is paying just enough attention to deny the Criminal any actual pound of flesh (data to exploit).

 

The key to improve your OODA Loop  (Observe, Orient, Decide, and Act ) is to reduce the time delay and to actually apply patches or reconfigure devices properly.

The only way to ensure that this has been done by your team is to test them with an outside testing person/agency.

There are many stories of Ransomware failures, and here is another one(01/20/17):  Fox2Now  (Channel 2 - Saint Louis) Saint Louis Library system got 1000 systems infected with Ransomware.  Because once 1 system is infected it could affect other systems on the network.

In this story there will be no payment, as the systems will just have to be reinitialized (reinstalled from scratch).

But something is wrong there so it will possibly happen again until the process and procedure failure is rectified.

Contact US to help you fix your processes to prevent ransomware.