More Security or More Business? is it Us vs Them?

When we say We need to be more secure in cyberland, does that mean small business needs to change what they do to be more secure?

ISACA says we need governance:

Governance and management for Enterprise business should use the COBIT 5 principles

  1. Principle 1: Meet stakeholder needs
  2. Principle 2: Covering the enterprise from end-to-end
  3. Principle 3: Applying  single integrated framework
  4. Principle 4: Enabling a holistic approach
  5. Principle 5: Separating governance from management

The COBIT framework ‘simplified’ means for the business to drive “cybersecurity”. I.e. if you need to sell widgets on the Internet you have to have cybersecurity on the Internet with credit card processing then that is what you have to say: ” We have to protect our systems to sell our products and stay in business”.

The conversation cannot start with ” I need security more than sales” because we know how that conversation ends. In fact the Cybersecurity person needs to say we facilitate sales, and make sure they are done safely. We take care of government compliance.

Besides  some good sound bites, the hard work of creating a truly secure organization is to set up a framework of weighing risks versus threats and impact.

A methodology must be used instead of just telling your IT department “keep us as secure as possible” ok?

What consistent methods do we need to operate to make Cybersecurity for companies work effectively for the stakeholder?

I listed the 5 principles of COBIT, and one of the most important piece of one of the principles is to assess risk (likelihood * impact) for each computer and IT device in your company.

An Audit has to be performed where all the pieces of the network and computer systems for the business needs are cataloged and rated for importance and weaknesses.

Once this inventory has been created a Risk analysis with expenditure of money has to be accumulated and reviewed with the stakeholders.

The process of reporting is also important, how to report and whom to report to.

Principle 5: separating governance from management has it’s reasons. The IT department must be overseen and directed by a governing body. If you want to discover these details get an audit from an ISACA Auditor and get on the path to become more secure within your business needs and requirements.

Contact us to audit your business

 

Who is Responsible For Cybersecurity?

I am talking about the reality that someone must be responsible so we can hold their feet to the fire. We don’t want to get to the point of too many directions of responsibility, as then when a breach does happen it is dangerous to see what will happen from there? So the CISA (Certified Information Systems Auditor) exam prep says that the Board of the company is responsible as they are the stakeholders. The board ultimately controls the purse strings, and hiring/firing of the CEO. But the problem with Cybersecurity is the changing nature of threats with increasing use of technology. Thus if the CEO changed some parameters unknown to the board, or if the board has not had time to digest then the CEO should be part responsible as well.

So if the CEO is part responsible because of changes that are occurring without the board’s knowledge…  or is it that the board should have contingency plans for unknown changes?

Let’s review what responsibility means?

Definition from Google:

The state or fact of having a duty to deal with something or of having control over someone.

The state of fact of being accountable for something

The opportunity or ability to act independently and make decisions without authorization

I want to restate this dictionary definition for cybersecurity specifically:

The ISACA Auditing standard will stay as the “Financially” responsible entity will stay in the board.

But I want to pick into who is responsible for Cybersecurity? Is it the person who misuses one of the definitions:

“The opportunity or ability to act independently and make decisions without authorization”

We all use computers (and mobile devices) independently, and in fact more devices are coming into our lives that will  create problems if we do not use them properly.

So even though the board is financially responsible, we are all responsible for using our devices with a certain amount of Cybersecurity intelligence.

The board has to set the stage with enough funding for firewalls, and audits and the like, but the users are responsible for using the devices without clicking on phishing emails or going to questionable websites that will cause problems even in the most secure environments.

Contact Us to create a security policy for the future.

Cyberjoke Friday Summer Edition v1.991

Library jokes in the summer:

What do you get when you cross an elephant with a computer?

A lot of memory.

Why did the computer sneeze?

It had a virus

What did the spider do inside the library computer?

It made a web page.

Or we have the ultimate ring fight:

Hmm always there isn’t it? Human error versus our best devices and efforts.

Pinterest has some good jokes sometimes…

Cybergeeks say that the weakest link is the human.

How about xkcd?  In the computing world, xdck is classic and great.

 

Be careful what you ask for. The Darknet is one such place

Guns available on the Darknet in the past

And don’t believe that anything on the Internet or Darknet is actually ‘anonymous’. If it sounds too good to be true, then it is.

 

And finally

It is always amazing to me that how little people update their computers and other devices – no matter the ultimate fix.

Contact me to discuss IT security…

How Can You Tell If Hackers Are Hacking You?

Obviously if you have been hacked and have ransomware that is too late to know that you have been hacked:

I would like to discuss how we can find out if hackers are altering your files or are looking around in your network. There are several ways to explain what is happening when a criminal hacker is trying to attack your machines. Usually it starts with reconnaissance of your computers, online profile and other system methods.

 

The cybersecurity  industry has  created something called the Cyber Kill Chain which explains this phenomena(how does a criminal hacker attack you). CSOonline explains it a little… But Cyber Kill Chain was created by Lockheed Martin, a defense contractor with defense terminology.

Advanced (targeted)                 Persistent(month after month)       Threat (person with intent, opportunity and capability)

 

The cybersecurity industry is obsessed with this Cyber Kill Chain – why? because the explanation is a good method of detailing the steps an attacker uses to find a way into your network.

If you think about it there must be a way for us to explain how an attacker attacks, so that we can look and find this attack.

I tried to use less technical  terms with my SVAPE & C diagram using the Mandiant attack analysis of the Chinese hackers.

Scan Vulnerability Analysis – Penetrate Exploit and Control  – i.e. SVAPE & C

The portion of criminal attack we want to dissect is the Penetrate and Exploit.  In other words, recon has already been done, vulnerabilities analyzed, and reviewed.Or as in the Cyber Kill Chain, somewhere between delivery, exploitation, and installation.

Now the attacker is actually trying to take over the machine, by exploiting the system somehow.

What is it that we are looking for? If a system is being altered by a human being the event logs  will also be altered. So keeping an eye on event logs is a good idea.

But if this attack is by an automated program (bot or virus or other malware) then the event logs will only be changed if the bot decides to do this, so likely the bot needs to send information back to the programmer at some point (information like cc numbers, health info, whatever data that you keep on your computer).

How do these criminal hackers attack your computers?

It turns out they use the same techniques as people in DEFCON 25 would (latest convention in Las Vegas). So you can browse through the media server to see what the presentations were.

I like the Leveraging-Powershell-Basics by Carlos Perez

In this presentation the theme is to run little known commands using Powershell which you have to be looking for when trying to find hackers in your network.

The Powershell commands can perform many things for the hackers, and to find out whether commands are run you must turn on advanced auditing enabled, some command line jiu-jitsu is also required.  Hackerhurricane Blog discusses the commands  and settings in Win7 and Windows 2008  and later.

So the key is to find what the hackers do and then try to detect these types of actions.  But then there is another issue, including making sure there are people to modify the scripts to detect the criminal hackers.

Target had the methods(detection) but failed in personnel to act on the detection, because one has to find the real problem within the many false positives.

Most important there must be a will to defend and act.

Contact Us to review your plans, we can audit your defensive plans.

 

Doing the Basics Would Have Saved You

A new Zero-Day attack is out available for attackers. this attack was discussed in the SANS website Internet Storm Center: https://isc.sans.edu/forums/diary/SMBLoris+the+new+SMB+flaw/22662/

SMBLoris – the new SMB flaw

The article was written from reviewing a Threatpost article, but was ultimately triggered because of the DEFCon 2017 presentation:

 

Notice the arrows on right with memory usage on a webserver going close to 100%.

What makes this attack (DOS – Denial Of Service) so bad is that it is easily disguised as ‘SlowLoris’ as sending partial HTTP requests to webservers (i.e. not fully connecting to the webserver). This partial connection essentially slows the webserver to a crawl when requesting enough connections.  And since this is a standard request, it is hard to distinguish friend from foe.

This is an interesting point from the archive.org webpage:

“Slowloris holds connections open by sending partial HTTP requests. It continues to send subsequent headers at regular intervals to keep the sockets from closing. In this way webservers can be quickly tied up. In particular, servers that have threading will tend to be vulnerable, by virtue of the fact that they attempt to limit the amount of threading they’ll allow. Slowloris must wait for all the sockets to become available before it’s successful at consuming them, so if it’s a high traffic website, it may take a while for the site to free up it’s sockets. So while you may be unable to see the website from your vantage point, others may still be able to see it until all sockets are freed by them and consumed by Slowloris. This is because other users of the system must finish their requests before the sockets become available for Slowloris to consume. If others re-initiate their connections in that brief time-period they’ll still be able to see the site. So it’s a bit of a race condition, but one that Slowloris will eventually always win – and sooner than later.”

So this is not a simple easy to see issue. This issue abuses the way the webserver operates for the following 4 applications:

 

  • Apache 1.x
  • Apache 2.x
  • dhttpd
  • GoAhead WebServer

slowloris is just one variant and as hackers review this attack…  variants may get created and thus exploit this in yet unknown ways. As of this posting there is no CERT classification yet.

What do I mean about the basics?  Well, if you have a webserver it should not have port 445 open to the public:

Google Port 445 definition:

Port 445 is a SMB port, or Structured Message Block which is used in NETBIOS protocols usually in file sharing applications. Well, one should not have a webserver with port 445 open and available on the Internet.

So, if you have done the basics, i.e. not run 445 or other ports that are unnecessary than this attack will likely not affect you or at least minimally affect you.  If you had to keep everything open, it might be time to run a firewall port limiter device in front of your website.  This is a fluid issue at this time, so keep an eye out for new attacks.. Contact Us to discuss.

 

Remember the hacker takes advantage of poor configurations.

Contact Us to discuss auditing your environment and review the basics in IT security.