Yes, we are a nation of television watchers, and we expect everything to be solved quickly, since every TV show wraps up in an hour.

In the book "Television and Politics" (readable online at books.google), the problems solved in our shows that viewers remember, and that prompt 'calls for action', are apparently the ones solved by individuals.

So maybe, after a lifetime of watching these shows, we have a subconscious predisposition to assume that one person can solve most problems in a reasonable amount of time (an hour or two).

So when a complex issue is placed in front of us, such as red team versus blue team, attackers versus defenders, where a series of steps breaches a server and further tools are then used to keep access to the system without the defending team's knowledge, the solution is not obvious.

So why am I beating this horse again? Because the principle will not go away: attackers will find ways in, and they will use the systems we already have against us.

For example, we want to defend our SQL servers, maybe by hiding them. That will not work: there are tools that ask the network "which machines are SQL servers?" and our computers dutifully answer. The SQL Server Browser service replies to a single one-byte UDP datagram on port 1434 with the host name, every instance name and the port each one listens on, and Active Directory will hand out the same list to any domain user who queries the MSSQLSvc service principal names (for example with setspn -Q MSSQLSvc/*).
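To show how little the "hiding" buys you, here is an added example (not code from the original post) that speaks the SQL Server Resolution Protocol the Browser service uses. The parser follows the MS-SQLR layout: a response starts with 0x05, then a two-byte little-endian length, then ASCII key;value pairs with each instance ending in ";;". The host "SQL01", its two instances and the whole SAMPLE_RESPONSE are constructed for the example; the discover() function that actually broadcasts the request is included for completeness but is not exercised offline.

```python
"""Parse (and optionally send) SQL Server Resolution Protocol (SSRP) datagrams.

The SQL Server Browser service listens on UDP 1434 and answers a one-byte
request with a list of every instance on the host. Added example, not code
from the original post; SAMPLE_RESPONSE below is constructed.
"""
import socket
import struct

SSRP_PORT = 1434
CLNT_BCAST_EX = b"\x02"   # "every SQL Server on the subnet, please answer"
CLNT_UCAST_EX = b"\x03"   # the same question, sent to one host
SVR_RESP = 0x05           # first byte of every server response


def parse_svr_resp(packet: bytes) -> list[dict[str, str]]:
    """Turn one SVR_RESP datagram into one dict per instance.

    Layout (MS-SQLR): 0x05, 2-byte little-endian length, then ASCII text made of
    'key;value;key;value;...;;' records, one record per instance.
    """
    if len(packet) < 3 or packet[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP datagram")
    (length,) = struct.unpack_from("<H", packet, 1)
    text = packet[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for record in text.split(";;"):
        fields = record.split(";")
        if len(fields) < 2:
            continue  # the empty record after the final ';;'
        # keys and values alternate; a dangling odd field is ignored
        instances.append({fields[i]: fields[i + 1] for i in range(0, len(fields) - 1, 2)})
    return instances


def build_svr_resp(instances: list[dict[str, str]]) -> bytes:
    """Inverse of parse_svr_resp; used here only to construct sample traffic."""
    body = "".join(";".join(f"{k};{v}" for k, v in inst.items()) + ";;" for inst in instances)
    raw = body.encode("ascii")
    return bytes([SVR_RESP]) + struct.pack("<H", len(raw)) + raw


def endpoints(instances: list[dict[str, str]]) -> list[str]:
    """One 'HOST\\INSTANCE transport version' line per instance: the attacker's target list."""
    out = []
    for inst in instances:
        where = f"tcp/{inst['tcp']}" if "tcp" in inst else f"np {inst.get('np', '?')}"
        out.append(f"{inst.get('ServerName', '?')}\\{inst.get('InstanceName', '?')} {where} v{inst.get('Version', '?')}")
    return out


def discover(broadcast: str = "255.255.255.255", timeout: float = 2.0) -> list[dict[str, str]]:
    """Ask the whole subnet. Needs a network; shown for completeness, not run offline."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.settimeout(timeout)
        sock.sendto(CLNT_BCAST_EX, (broadcast, SSRP_PORT))
        try:
            while True:
                data, _peer = sock.recvfrom(65535)
                found.extend(parse_svr_resp(data))
        except socket.timeout:
            pass
    return found


# Constructed sample: what a host named SQL01 with two instances would answer.
SAMPLE_RESPONSE = build_svr_resp([
    {"ServerName": "SQL01", "InstanceName": "MSSQLSERVER", "IsClustered": "No",
     "Version": "13.0.4001.0", "tcp": "1433"},
    {"ServerName": "SQL01", "InstanceName": "SQLEXPRESS", "IsClustered": "No",
     "Version": "13.0.4001.0", "np": "\\\\SQL01\\pipe\\MSSQL$SQLEXPRESS\\sql\\query"},
])

if __name__ == "__main__":
    for line in endpoints(parse_svr_resp(SAMPLE_RESPONSE)):
        print(line)
```

The practical check is the other way round: run discover() from an ordinary workstation on your own subnet, and if it returns anything you did not expect, the Browser service (or UDP 1434 at the host firewall) is the thing to turn off, not the server name.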


Technical example: do you have a domain controller? Then it is running Active Directory, the directory service that runs your network's username and password authentication.

Then how do you defend against a user asking your DC (domain controller) various questions with a few commands?

You can open PowerShell from a command line and ask various questions (execute cmdlets) such as Get-Service or Get-Process to find out what services and processes are running on the system.

Why is this important? Because you can pick a service running on the system, see which account it runs as, and then try to pull that account's credentials out of the machine with another tool, PowerMemory for example (RWMC, the tool in the original article, is no longer supported).

Here is PowerMemory's own description:

Exploit the credentials present in files and memory

PowerMemory leverages Microsoft signed binaries to hack Microsoft operating systems.

So, you might say, how does one get command line access on a server?

Let's say a user clicked on phishing malware, and now a command shell is open and connecting back to one of the attacker's command and control servers. techtarget.com explains this phenomenon.

Once the hacker has a command line open (however they got it), they will try to get more access by obtaining the passwords for administrator accounts.

How? Sean Metcalf's DEF CON 23 talk discusses several methods,

including PowerShell tools created by hackers, such as:

PowerMemory: exploit the credentials present in files and memory.

kerberoast: a series of tools for attacking MS Kerberos implementations. In short, any domain user can request a Kerberos service ticket for a service account that has an SPN; the ticket is encrypted with that account's password hash, so it can be cracked offline without any further contact with the DC.

Obtaining passwords from well-known places on the Microsoft server is also useful: "Finding Passwords in SYSVOL & exploiting Group Policy preferences" is a good article discussing the same topics as the video.

The credentials sit in the .xml files that Group Policy Preferences use to push settings to every Windows system in the domain: a local user account and its password that is set on each machine, or a service, scheduled task or mapped drive that runs as a particular user.

All domain Group Policies are stored here: \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\ and every authenticated domain user can read that share, because that is how Group Policy gets applied.

So the hacker knows where to look and what to find: the .xml files with a cpassword attribute, which holds the password in an encrypted format. The encryption is AES with a key Microsoft published in its MS-GPPREF specification, so anyone who can read the file can decrypt it; MS14-025 (2014) removed the ability to store new passwords this way, but files created before the patch stay in SYSVOL until someone deletes them.

For those files the strength of the password is irrelevant. For passwords the attacker only has as hashes, it comes down to how strong your password is...
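The defender's version of "knowing where to look" is to audit the share yourself. The added example below (my code, not from the original post or the article it cites) builds a throw-away directory shaped like \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\, drops in one constructed Groups.xml carrying a cpassword and one clean Registry.xml, then walks the tree and reports every element that still has a cpassword attribute. The domain name corp.example, the account LocalBackupAdmin and the cpassword value are all made up; the GPO directory name is the well-known Default Domain Policy GUID. Point scan_policies() at the real Policies directory on a domain controller to run it for real.

```python
"""Audit a SYSVOL Policies tree for Group Policy Preference files that still carry a cpassword.

Added example, not code from the original post. The sample tree is constructed
in a temporary directory; scan_policies() works the same on the real share.
"""
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from pathlib import Path

# Attribute names the different GPP item types use for the account the password belongs to.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


@dataclass
class Finding:
    path: str       # file, relative to the Policies directory
    item: str       # GPP element type: User, Service, Task, DataSource, Drive, Printer
    account: str
    cpassword: str


def scan_policies(policies_root: Path) -> list[Finding]:
    """Return every element in any .xml under policies_root that has a cpassword attribute."""
    findings: list[Finding] = []
    for xml_path in sorted(policies_root.rglob("*.xml")):
        try:
            root = ET.parse(xml_path).getroot()
        except ET.ParseError:
            continue  # not well-formed XML; skip it rather than abort the audit
        parents = {child: parent for parent in root.iter() for child in parent}
        for elem in root.iter():
            cpassword = elem.get("cpassword")
            if cpassword is None:
                continue
            # cpassword sits on <Properties>; its parent (<User>, <Service>, ...) names the item type
            item = parents.get(elem, elem).tag
            account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "(unknown)")
            findings.append(Finding(xml_path.relative_to(policies_root).as_posix(), item, account, cpassword))
    return findings


# --- constructed sample files (clsid attributes omitted; the scan does not need them) ---
GROUPS_XML_WITH_CPASSWORD = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalBackupAdmin" changed="2013-05-01 10:00:00">
    <Properties action="U" userName="LocalBackupAdmin" cpassword="CONSTRUCTED-NOT-A-REAL-VALUE="
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"/>
  </User>
</Groups>
"""

REGISTRY_XML_CLEAN = """<?xml version="1.0" encoding="utf-8"?>
<RegistrySettings>
  <Registry name="NoLMHash">
    <Properties action="U" hive="HKEY_LOCAL_MACHINE" key="SYSTEM\\CurrentControlSet\\Control\\Lsa"
                name="NoLMHash" type="REG_DWORD" value="00000001"/>
  </Registry>
</RegistrySettings>
"""


def build_sample_tree(base: Path) -> Path:
    """Lay out Policies/{GPO-GUID}/Machine/Preferences/... the way a real SYSVOL share is shaped."""
    policies = base / "SYSVOL" / "corp.example" / "Policies"
    prefs = policies / "{31B2F340-016D-11D2-945F-00C04FB984F9}" / "Machine" / "Preferences"
    (prefs / "Groups").mkdir(parents=True)
    (prefs / "Registry").mkdir(parents=True)
    (prefs / "Groups" / "Groups.xml").write_text(GROUPS_XML_WITH_CPASSWORD, encoding="utf-8")
    (prefs / "Registry" / "Registry.xml").write_text(REGISTRY_XML_CLEAN, encoding="utf-8")
    return policies


def demo() -> list[Finding]:
    """Build the constructed tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_policies(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}: <{f.item}> for {f.account!r} still carries a cpassword")
```

Anything the scan reports should be treated as a leaked password: change the credential on every machine the GPO applied to, then remove the item from the GPO. Deleting the XML without rotating the password does nothing, since the file has been readable by every domain user since the day it was created.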

What are your password policy requirements? Do you require long passwords, more than 14 characters? If you allow fewer than 14 characters the hackers will have an even easier time: Windows can still store a LAN Manager (LM) hash for a password of 14 characters or less, and the LM hash upper-cases the password and splits it into two 7-character halves that are cracked independently in minutes. Check that the "Do not store LAN Manager hash value on next password change" policy (NoLMHash, on by default since Vista and Server 2008) is enabled everywhere, and remember that an old hash stays in the database until the password is changed.

So is it still easy? Can you depend only on your defense team (blue team) to keep all of your assets free of unauthorized access? It will take more than a single episode, or a season of episodes. It will take a marathon of binge watching to keep the hackers away, and it will take red teams (ethical hackers) attacking your systems before the criminals do.

We can help you with a plan of security policies and red team attacks.

Contact Us.


Calling for help is a good start, but it is not best to create a DR plan on the fly, while a disaster is occurring.

(Cartoon from Designer Hipster Cartoons.)

Some decent IT jokes from Steve Goldman Associates:

What's the definition of an IT professional?
Someone who solves a problem you didn't know you had in a way you don't understand.

Why did the IT auditor cross the road?
Because he looked in the file and that's what they did last year.


I like to make jokes sometimes when explaining the actual issue seems too difficult, with all of the political repercussions inside a company.

Make sure you have a working disaster recovery plan, with a proper auditor who checks and double-checks your processes and procedures, so that you do not have to go out of business the way many small businesses do when disaster occurs.

Yes, we know Yahoo had millions of email addresses hacked, or rather its email address and password database was stolen by an ingenious hacker.

Also, according to this TechCrunch story, the full disclosure over several years is that 1 billion email addresses and passwords were stolen.

Updated 3/14, later in the day: also keep in mind that if you have an AT&T email account it is tied into Yahoo, due to a partnership the two companies made, and that includes Verizon. CNET news story: "Yahoo hack: It's not just Verizon. AT&T should be worried too".

So we know of about a million email addresses being sold on the dark web, and this is just the first 100k being offered on one dark web marketplace:

Image from hackread.com

In this ad, for $10.75 you can obtain 100k email addresses along with their decrypted passwords.

So your Yahoo email address and password are now in many places. Where did you use the Yahoo email to log in? Banks? Credit cards?

The hackers are not buying emails and passwords just to read your email. First they will check your email, and then see what bank and other accounts they can take over.

Or they can use this information to create more focused phishing campaigns, i.e. the information inside all those Yahoo mailboxes can be used to build targeted phishing campaigns (also called spear phishing).

So what should you do?

Get rid of your Yahoo email address ASAP. Should you require all employees to remove any vestiges of Yahoo email from their lives?

How can I make this claim? Because the longer they keep the Yahoo account, the more likely a criminal hacker will access it and steal information to phish more effectively, especially into a company account.

Have you ever sent something from your work email to the Yahoo email? If yes, the hacker now knows your work email address and can create highly sophisticated phishing attacks, with malware that may have an adverse effect on your company.

So owning a personal Yahoo account may enable criminal hackers to get access to your company in the months ahead, as the criminals are just now digesting the new information and setting their attack plans in place.

Remember this OODA loop image from my post a few days ago (Feb 28 post, "What Cybersecurity Methods to Use").

Right now both the criminals (attackers, in red) and you have been given the same information. Who is more likely to Observe, Orient, Decide and Act first: the attacker, or you, working through the OODA loop and ultimately acting?

In the past it has been the aggressive criminals making the moves and getting into company networks.

What will be your move?

Contact Us to discuss.


Krebs on Security has a scoop in his blog post: one slick, professional video advertisement for selling ransomware technology.

(The images above are from a video Brian Krebs found that shows off ransomware software you can purchase.)

In case you were wondering what it takes to create ransomware, the video that Brian Krebs found makes it obvious that the software was built with marketing and real software engineering, giving the buyer many options.

Options like how long to wait before the files are encrypted, and which files to encrypt: .bmp, .doc, .mp4, .txt, or others.

Should there be a deadline before the files get fully encrypted?

I predicted this sophistication of the criminal element, as the money to be made is very large while costs are low. The ROI (return on investment) is as high as 1000%.

Unfortunately that old post was from June 2015, so two years on they have become more polished and sophisticated. It would not surprise me if they had project managers and standard developer hires to create the software pieces, as well as testing departments to see how the software operates, or English reviewers. All of this is paid for with the large war chests they are building off unsophisticated people who spend no time on their defense.

From this one video at Krebs' site we can infer, since the marketing produced is smooth and has no misspellings or other obvious grammar mistakes, that quite advanced ransomware attempts are headed our way.

The software that will attack us (or has already attacked us) is not going to look like the old ransomware.

The basic issue is the same, though: to defeat ransomware you must have a backup that is not connected to the computer that could be infected. Ransomware will follow mapped network drives and synced cloud folders and encrypt the files on those too. So make sure all your data is backed up, and make sure the backup is separated from your computers. Convenience is now your enemy: if it is convenient for you, it is convenient for ransomware written by teams of developers.

So I implore you to think differently when building your backup processes and procedures, and to audit the backup from a disaster recovery angle as well.

I.e., if ransomware hits computer X and encrypts everything on all the connected drives, how will you recover the data? If the backup is on one of those drives and it gets encrypted too, now what?
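The audit the paragraph asks for can be a script you run, not a checklist you read. The added example below (my code, not from the original post) takes a SHA-256 manifest of a constructed "file server" before anything goes wrong, copies it to a "mapped backup drive" the workstation can reach and to an "offline backup" it cannot, runs a stand-in for the encryptor over every path the workstation can write to, and then verifies both copies against the manifest and restores from the one that survived. The directory names, file contents and the ransomware stand-in are all constructed; a real run would use a manifest you stored somewhere the workstation cannot write to.

```python
"""Manifest-based restore test: show which backup survives a ransomware run.

Added example, not from the original post. The 'file server', the 'mapped
backup drive' and the 'offline backup' are constructed temporary directories;
simulate_ransomware() is a stand-in that overwrites and renames files.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """relative path -> sha256 for every file under root. Take it at backup time, store it elsewhere."""
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(backup_root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a backup copy against the manifest; three empty lists means it restores cleanly."""
    current = build_manifest(backup_root)
    return {
        "missing": sorted(k for k in manifest if k not in current),
        "changed": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "extra": sorted(k for k in current if k not in manifest),
    }


def simulate_ransomware(root: Path, suffix: str = ".locked") -> int:
    """Stand-in for the encryptor: overwrite every reachable file with random bytes and rename it."""
    hit = 0
    for p in [q for q in root.rglob("*") if q.is_file()]:
        p.write_bytes(os.urandom(p.stat().st_size))
        p.rename(p.with_name(p.name + suffix))
        hit += 1
    return hit


def restore(backup_root: Path, target: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Wipe the target, copy the backup back, and re-verify the restored tree against the manifest."""
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(backup_root, target)
    return verify_backup(target, manifest)


def demo() -> dict[str, dict[str, list[str]]]:
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        server = base / "fileserver"
        (server / "finance").mkdir(parents=True)
        (server / "finance" / "q1.xlsx").write_bytes(b"constructed spreadsheet bytes")
        (server / "readme.txt").write_text("constructed sample data\n")

        manifest = build_manifest(server)  # taken before anything goes wrong
        mapped = Path(shutil.copytree(server, base / "mapped_backup"))    # on a drive the workstation can reach
        offline = Path(shutil.copytree(server, base / "offline_backup"))  # disconnected right after the copy

        # Workstation X is hit; the malware walks every path it can write to.
        simulate_ransomware(server)
        simulate_ransomware(mapped)
        # The offline copy is not reachable, so it is untouched.

        return {
            "mapped": verify_backup(mapped, manifest),
            "offline": verify_backup(offline, manifest),
            "restored": restore(offline, server, manifest),
        }


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

The point of the manifest is that "the backup job ran" is not the same as "the backup restores"; the mapped copy still exists after the run, it just no longer contains any file you want.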

Contact us to review and help audit your processes.


A lot of cybersecurity was discussed in this year's RSA Conference videos.

Let's start with the Global Healthsecurity Roadmap slide. Notice the major vendors used by many an enterprise for the different parts of the architecture, including network, app/data, IAM (identity and access management), endpoint, and monitoring/analysis.

Or the NIST Cybersecurity Framework and its five functions:

Identify, Protect, Detect, Respond, and Recover.

Of course the NIST framework is not exactly new; it was written as the overall outline for cybersecurity in government and critical infrastructure organizations.

The good thing is that the NIST framework gives a template to design an overall Cybersecurity defense.

Those of us in cybersecurity always end up talking about the attacker, and this was discussed at RSAC as well, especially how the OODA loop (Observe, Orient, Decide, and Act) applies.

Our OODA loop as defenders is longer, because the attacker can make quicker decisions. That is why the attacker is drawn inside the standard OODA loop of the security defense.

But this concept of who is where on each other's OODA loop is not the only image from the conference.

Notice that the green business arrows run both inside and outside the attack and defense loops. Which it is depends on whether the business is 'hamstrung' by the security authority or not.

Notice that the business can move fast, faster than the attackers. Here is an example:

A salesperson wants to close a sale while using a new application (like a video chat app). The salesperson downloads the app and uses it, and the sale is made. The decide-and-act cycle depends on whether they ask the IT security person first or not.

When the salesperson makes their own decision without approval they are actually even faster than the hackers (and the data stream is now on a different application, one security knows nothing about).

So even though we can get inside the attacker's loop, that does not mean we ignore security considerations. What this loop means is that we need to teach security to the people with decision-making power.

The last points from the conference are the following:

We make headway by mapping our processes to a gap analysis and a security architecture.

The key is to build information security program oversight, and to review your processes for IT backups and all major defense systems.

Here is what I have suggested in the past:

Knowing where a breach occurred is important to your processes, and can be the difference between finding an attacker and allowing the attacker to roam at will through your network and equipment.

So, in case you were wondering what methods to use: we circle back and make sure we are doing the basics.

Compliance and security frameworks are only the beginning. A true company-wide cybersecurity policy is not easy and requires buy-in from everyone.

Contact Us to discuss how to get a leg up on the attackers.