Cisco Cybersecurity Report: “It’s Mighty Sporting Out There” Wanacry Now?

Cybersecurity in the news:

WannaCry ransomware is hitting the news cycle, with many high-profile organizations having to admit they were hit with ransomware, which means they did not patch their machines for one reason or another.

This focus on Cybersecurity is only short term; as the headlines change in the coming days there will be less focus again.

Even in the darkest moments there is always a way back from the depths of despair, even if all your data is destroyed with no backup (time to dust off the paper processes).

Recently Cisco came out with its latest annual report, for 2017.

If you look at the potential threats confronting defenders, it is fairly even, with mobile, cloud data, cloud infrastructure, and user issues all rated as high threats.

The interesting chart for me is the consistent belief that _we_ do not have a problem.

And the reason? The share rating Cybersecurity a high priority is still only as high as 63%, and even as low as 55%. This may be better than last year, but we have a long way to go.

Cisco’s 2017 report mostly discusses malware and attacker behavior, and the fact that spam carries most of the malware that attacks us.

It might be useful to review the working economics of attackers who use spam. If a spammer uses a service to send out a million emails for $20-$40, then all he needs is 1 response to a $300 ransomware demand to get a 700% return. And with a bit of luck there are 2-6 responses: take the $40 spam email cost plus whatever it cost to make or buy the payload and infrastructure (if any). With 5 ransomware ‘hits’ bringing in $1500 against a cost of $200, that is still a 700% return.

Needless to say we will not see a reduction in ‘spam with malware’; if anything we will get an increase of ‘spam with malware’, since everyone wants to make more money next year.

The problem with cybersecurity is that attacks do not affect people 100% of the time. They are not a certainty, and thus a sense of false bravado exists. But we will be affected, as we are all connected. What happens is that the weak link, the weakest machine, gets hacked. And then, if there is more money to be made, there will be further issues and further hacks.

As in the next image: the lowest-hanging fruit gets hacked first, and then it is easier to hack the high-profile systems.

As in my previous post, the YouTube video by Saumil explains that we need to develop new methods of defense that definitively defend our systems, not just give a “high likelihood” or “low likelihood” of risk.

Setting Cybersecurity as a high priority also means you need to set good policies and resources. Even though you do not want to think about it, it has a tendency to come back and bite you. Better to be prepared and stave off the next ransomware Armageddon.

Contact Us to discuss this.

Will Automation Cause more #Cybersecurity Problems?

There seems to be a lot of attention on ‘new’ automation in many areas of our lives.

Atlantic story: “The Parts of America Most Susceptible to Automation”

Notice that no one is interested in Cybersecurity problems that will be created within this new automated world.

Sometimes Hollywood looks further ahead than we do: in Season 7 episode 16, ‘Murder by Remote Control’, an “automated house” killed a person because it was programmed to do so, in a house where everything was automated (doors open and close, lights and more). The episode aired on CBS on 2/10/2000.

So 17 years ago Hollywood aired an episode that looked unrealistic at the time. I am not here to discuss the viability of the episode or the cast/show etc. I am here to discuss what can go wrong as we automate more and more aspects of our lives. Today we also call these devices IoT (Internet of Things) devices; they power lights and alarms, doors and more on and off.

What happened in the episode could happen today, with a hacker controlling your IoT devices that control heating and air conditioning, making your life in the house unbearable and maybe even dangerous (depending on the add-ons you installed). It may not be dangerous yet, but it may be in the future.

On TV (which is visual) the computer system is shown at its control screen, where one can see the cameras and make adjustments; that control screen could be replicated by a remote hacker (ransomware) today.

The Atlantic story was trying to find economic regions which are most likely to see automation:

(image from the Atlantic article). You can see that the major metropolitan areas seem more likely to have concentrations of automation; as an estimate this may be accurate.

But what is a glaring omission in this article?

Cybersecurity

This is the paragraph concluding the article:


The work by Moenius and his colleagues suggests that this divergence will only continue. While a handful of cities with good jobs and highly educated workers will continue to thrive, other areas are going to see more and more jobs disappear as automated technologies become ever better. This may have much wider implications, politically and socially. People in America’s struggling regions feel left behind economically, as the 2016 election indicated.

It is not surprising that Cybersecurity is not on the radar of most people, and it will not be until they experience it for themselves, or at least until it is simplified to their level.

As I have discussed in many blog posts, until there are concrete reasons like compliance or direct experience with Cybersecurity events, there is no mention of disaster recovery or other ‘potential’ calamities. IT is supposed to handle this.

I believe the owner / managing person needs to be aware of a minimal set of standards, like making backups and ensuring they work, and defending against cyberattacks.

The problem is there are many compliance levels which are not good enough in some cases. So what is a small business to do? This image is the problem:

With minimal Cybersecurity standards one can defend and ensure the viability of the business, even when automation creates an even greater reliance on technological advances in computing devices.

Here are a few cybersecurity automation examples from a 3-year-old DEF CON video:

https://www.youtube.com/watch?v=h5PRvBpLuJs

“Hack all the things 20 devices in 45 minutes”

There were many Android devices from Google TV to standard routers, embedded multimedia, file storage devices, smart refrigerators, Blu-ray devices, cloud connectivity devices, printers, baby listening devices, and devices that control the on/off state of electrical appliances in a home.

The devices in our homes are not automated yet, because we have not dreamed up enough uses, but the video hacked them all, mostly using UART as a way into the hardware. The end result was almost always the same: full exploitation, giving full admin rights and allowing code to run other than what the manufacturer intended.

As usual, in many cases the root password was simple and stored in plain text on the system. It is obvious to me that Cybersecurity is not important at this time.

So in the coming days Fixvirus.com and Oversitesentry will propose a solution to this dilemma.

#SmallBusinessWeek Fail on Cybersecurity

I apologize, but I see that most small businesses do not have plans in place for disaster recovery and Cybersecurity because it does not help them run their companies.

True, it does not help run the company, but it allows you to run the company after a Cyber event happens.

I have written about this before in the past few posts and weeks/months. But there is a definite disconnect between the decision makers and the current environment. Here is a past post where the mechanics of making money for the Cyber criminals make it clear, in dollars and cents, that the criminals are making MORE money every year.

I don’t want to bore you with actual criminal dollar numbers, because they are low estimates since people do not report the actual amount.

This picture from a past post also explains the large problem of database breaches.


To come back to my initial post: if you never back up your files in a proper way, then ‘when’ a problem occurs you will not have a business.

This isn’t even insurance, because if there are no files backed up then it is over. Insurance is “a thing providing protection against a possible eventuality”.

If you have cyberinsurance you can get some money back to rebuild your files. But you still have to rebuild.

If small businesses had proper IT practices, there would be no need for cyber insurance. Look around the world for others who perform good practices that will help you keep your information safe.

Saumil has presented 7 axioms of security at BlackHat Asia, online here: YouTube video

7 axioms of security

Intelligence Driven Defense

  1. Defense doesn’t mean risk reduction
  2. CISO’s job is Defense
  3. Schrödinger’s hack – i.e. test realistically
  4. Can’t Measure? Can’t use it
  5. Identify your target users, and improve them
  6. The best defense is a creative defense
    1. create credit cards with no use except to tell you when they are used.
  7. Make defense Visible, make defense count
  • Intelligence means collect everything!
  • Get creative, get organic (organic security=grow it yourself)

Contact me to discuss: tonyz”@”fixvirus.com


Changing Default Passwords: Too Hard?

Is changing the default password too hard on your devices? For example, the highest-profile devices (not IoT, the Internet of Things), but the ones that process money: POS (Point of Sale) terminals.

Above is an Ingenico ISC250 with a stand. (from discountcreditcardsupply.com)

Are manufacturers making it easy or hard to change the default password?


Well, if you Google “hacking a point of sale terminal”, then several interesting links come through:

Old news stories are relevant, as many businesses (small and large) do not make changes and purchase old equipment. A Wired 2012 story covered 63 POS systems breached using malware.

The story also mentioned 40 people arrested in Canada over a carding ring, which also tampered with POS terminals by stealing them and installing sniffers on them. Which means they were able to modify the machines at will.


So this is why I mention the difficulty of changing the default password on these machines. Yet the password information is on the Internet, so a hacker who wishes to spend the time to learn the password can find it.

Helcim Support helpfully has the method of changing the password on their website:

Check the default password from the manufacturer: ‘123456P’, not very sophisticated, and the new password is to be 7 characters long with one letter. An amazing testament to the password schema from the manufacturer Ingenico.

At oversitesentry we are dedicated to helping companies harden their security systems, including POS. Changing your default password is a must, and places you in compliance with PCI DSS (Payment Card Industry – Data Security Standard).
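As an added example (not from the post, and not Ingenico’s or Helcim’s own tooling), here is a small Python audit that checks a constructed terminal inventory against the one vendor default the post quotes (‘123456P’) and the 7-character, one-letter policy it describes. The inventory, the second vendor entry, and the extra digit and sequential-run checks are assumptions made for this example.

```python
# Added example: audit a constructed POS terminal inventory for default or weak
# credentials, the kind of check that changing vendor defaults for PCI DSS asks for.
# Only the Ingenico '123456P' value comes from the post; the inventory, the second
# vendor, and the extra checks below are assumptions for this example.
import re

# Constructed vendor-default table. "example-vendor" and its values are placeholders.
KNOWN_DEFAULTS = {
    "ingenico": {"123456P"},
    "example-vendor": {"admin", "password"},
}

MIN_LENGTH = 7  # assumption: mirrors the 7-character policy quoted in the post


def check_password(vendor, password):
    """Return a list of findings for one terminal password (empty list = passes)."""
    findings = []
    if password in KNOWN_DEFAULTS.get(vendor.lower(), set()):
        findings.append("vendor default password still in use")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        findings.append("contains no letter")
    # Extra checks beyond the quoted policy (assumptions for this example):
    if not re.search(r"[0-9]", password):
        findings.append("contains no digit")
    if re.search(r"(?:012|123|234|345|456|567|678|789)", password):
        findings.append("contains a sequential digit run")
    return findings


def audit(inventory):
    """Return {terminal_id: findings} for every terminal that fails the policy."""
    report = {}
    for terminal in inventory:
        findings = check_password(terminal["vendor"], terminal["password"])
        if findings:
            report[terminal["id"]] = findings
    return report


# Constructed sample inventory (terminal ids and passwords are made up).
SAMPLE_INVENTORY = [
    {"id": "POS-01", "vendor": "Ingenico", "password": "123456P"},
    {"id": "POS-02", "vendor": "Ingenico", "password": "Zx4kq9t"},
    {"id": "POS-03", "vendor": "example-vendor", "password": "admin"},
    {"id": "POS-04", "vendor": "Ingenico", "password": "Register7!"},
]

if __name__ == "__main__":
    for terminal_id, findings in audit(SAMPLE_INVENTORY).items():
        print(terminal_id, "->", "; ".join(findings))
```

Run as written, the audit flags POS-01 (still on the vendor default, and a sequential run) and POS-03 (default, too short, no digit), and passes the other two. In practice you would run `check_password` at the moment a password is set rather than keep a plaintext inventory like the sample here; the sample exists only so the example runs offline.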

I don’t understand why owners and managers in charge of POS systems, who depend on revenue from these systems, have not understood the concept of changing the default password on their POS devices. Why am I mentioning this?

Because small businesses fail after a successful criminal cyber attack

(from a previous post among many on our blog)

The statistics are bad… but why is this? Is it that the default password is _REALLY_ that hard to change? Is it that difficult to make a Cyber policy?

I think that the managers and owners assume nothing will happen to them, because last month nothing happened. Their education is based upon experience, and news of companies being hacked is not a big deal to them.

VISA has stated in the past that the major problems (breaches) come from basic failures like not changing default passwords. See the Visa website for more information.

The following is a screenshot from a VISA presentation on PCI compliance challenges.

Card Present Vulnerabilities:

  • Insecure remote access used by attackers to gain access
  • Weak or default passwords and settings commonly used
  • Lack of network segmentation
  • Malware deployed to capture card data
    • Absence of anti-virus tools to detect malware


So I would like for you to contact me if you want to do something about this problem – tonyz”@”fixvirus.com or 314-504-3974 Tony Zafiropoulos.

What are the top 5 thoughts to keep in mind?

I was watching Feynman videos and saw this unique list (10 times Feynman blew our minds) that has insight into what we should focus on in Cybersecurity as well.

I wanted to distill this video into 5 top items and relate them to Cybersecurity.

#5 Asking how things work can start you on a path of discovery (the definition of a hacker); keep asking how, make experiments, etc.

#4 History is fundamentally irrelevant when trying to solve a new problem, as the new problem will not have an old-method solution. (Of course Feynman assumes you DO know the methods of the past.) This is akin to TTPs (Tactics, Techniques, and Procedures) in Cybersecurity. We as humans tend to let our history guide our future, but if we want to solve new problems, we need new solutions. In this arena we do not need history (the fundamentals still need to be known).

#3 In trying to learn about the world, ask questions and doubt. Can you live with doubt and approximations? Not everything learned is exact. In cybersecurity there are many areas that we do not know, for example: “How will the next attack come into our environment?” Can you live with this knowledge? We have to learn how to perform risk management with an incomplete picture.

#2 Naming things (xyz) does not give you knowledge (it allows you to talk to others about xyz). Fundamental knowledge is not about the name. Analogies are also bad, as they can mean different things to different people.

#1 Know that you don’t know, and what it is you don’t know (a basic tenet of blue team defense).

As Rumsfeld has been known to say, “There are known knowns and known unknowns”: things that you think you know that it turns out you did not.


With these 5 tenets we can develop the Cybersecurity top 5 tenets:

  1. Known unknowns: keep searching for new methods to learn your environment in new ways.
  2. Explain methods and reasons without technical jargon.
  3. Always review your environment with a level of uncertainty.
  4. Tactics, Techniques, and Procedures cause a certain mindset to develop; one must still try to think out of the box to see the attacker’s viewpoint.
  5. Asking how things work is a good beginning, and eventually it can build into being a subject matter expert.