Innovation and Cybersecurity

Amazon versus Sears: an innovation comparison

The obvious angle (in 2018) is to applaud Amazon for its massive technological progress and to chide Sears for its stagnation.

Sure, Sears did well in its day by pioneering catalogs and selling many things one does not think of as catalog items (houses and cars) right out of the catalog. But somehow, when Internet technology came into being, they were not interested in _this_ new "catalog". The reason I mention this phenomenon is that it is very hard for CEOs to see the future with a new technology. One must live and breathe it (like Mr Bezos did). What does it mean to "live and breathe it"?

In my opinion it requires a CEO to understand the underlying technology, which nicely segues into Cybersecurity. If one does not build cybersecurity in from scratch (from the beginning), creating security after the software is built can make it difficult if not impossible to achieve true Cybersecurity. In the picture above there is also an image of hurricanes which are either over land or moving there. Which company can better absorb a "hurricane of a market"? Or an actual hurricane, with the required disaster recovery plans?

Let’s list some of the risks a CEO has to think about in navigating a strategy for the future:

  1. Innovation (how to be a better company with more profits)
  2. Economic environment (general economy)
  3. Regulations (government or industry)
  4. Labor Issues (employee problems)
  5. Natural disasters (including hurricanes, electrical storms, etc.)
  6. Criminal endeavors (including cybersecurity)
  7. New Competitors (with technological improvements)
  8. Miscommunications by CEO or other officers that cause production problems

What order should your specific list be in?

Maybe you have labor issues first, then production problems, competitors and the economic environment.

Usually, natural disasters and criminals are not in the main crosshairs of a typical company.

The reason people are not focusing on Cybersecurity is that the risk or threat does not seem that high in their eyes.

The VISA "Global Compromise Trends" informational image (from their presentation a couple of weeks ago) shows that current attacks are shifting from small merchants to eCommerce, financial institutions, and aggregators/integrators or resellers, i.e. entities that affect several small businesses.

So we find out that, for now, small businesses are not in the immediate crosshairs. But the coming Armageddon is surely coming (Winter is Coming), and how can I say that? It is because the criminal element is always changing and learning, developing new methods to attack anyone on the Internet. As soon as you spend no time on Cybersecurity it will catch up with you, and it will happen quickly and with little forewarning, not like a hurricane which we can see forming offshore.

The expert analyst can see things coming, but most small businesses cannot. Technological advances are coming fast, and it is too hard to figure out what is really going to affect a business in the future from the following major themes:

  1. AI – Artificial Intelligence and Machine Learning (robots) are great improvements for humanity, and it is hard to say how they will affect Cybersecurity/Innovation.
  2. Quantum Computing – Once the quantum computer has been built, encryption and Cybersecurity will change quickly as the game changes.
  3. Nanotechnology – This was a rallying cry and buzzword for some time, and the tech has been improving. How does this affect your world? In some ways it is already happening in current 2018/2019 computers.
  4. Space technology – What will it change here on earth? Just as NASA's moon program created many new technologies, the drive to go to Mars will do the same.


So how can futurists dabbling and current innovators striving make things more difficult for the current CEO? Well, it happened to Sears: in 18 years Sears went from a still respectable retailer to a forlorn husk of its former self. Why? Because the Sears CEO of 2000 did not foresee the Internet as it is today; only 18 years later we cannot go without the Internet, and everyone expects eCommerce to exist (this was not obvious in 2000). So how much time should you spend on the future?

Obviously it can't be a majority of what we do, but we have to decide whether the future is worth 5-10% of your time. Out of a 40 hour work week, 2-4 hours could be spent on future endeavors. I believe this formula is a minimum.

The question is where and how you want to go with your future time, and I would like to discuss how solving the Cybersecurity problem for good (i.e. managing it on autopilot) will free up your time for innovation.

If you build Cybersecurity into your operation then you really do not have to worry about criminals taking a big chunk of your technology (e.g. China), and you can truly focus on the things that probably make life more interesting (new gadgets that will increase your market share).

So let me show you how Innovation and Cybersecurity intertwine and make for a better company today and into the future. Contact me to discuss.


What Does it Mean? PCI DSS Validation Process

VISA had an online presentation last week to discuss this very question, the "PCI DSS Validation Process".

We will get into the list shortly. First let's discuss why one needs a validation process. PCI stands for Payment Card Industry, and the PCI standards organization (the PCI Security Standards Council) is composed of Visa, Mastercard, Discover, American Express and JCB (Japan Credit Bureau). They created the PCI Security Standards Council so that their customers and other service organizations that use credit card numbers would have a security standard.

  1. First one must build the scope of the systems that affect PCI systems (credit card systems): find all your credit card systems and software. These systems must be analyzed.
  2. Assess your computers, meaning do vulnerability analysis, i.e. review the patch level of computers and software.
  3. Remediate any patches that were not applied properly.
  4. Create a report that states the status of all 11 pieces of PCI compliance reporting: in compliance, in remediation, or building the processes.
  5. Complete the AOC (Attestation of Compliance) paperwork.
  6. Submit your paperwork to your financial provider.

Most likely, if you have heard of this process before, it was from your financial service provider (the company providing the credit card systems).

The process is simply:

Assess –> remediate –> report

Don't forget to add Audit to your list: use an independent auditor to make sure the opinion is unbiased.

Anyone with more than 20,000 VISA eCommerce transactions, or 1 million or more transactions in all channels, must get a VISA Attestation of Compliance (AOC). (From the VISA pdf.)

Contact Us

Test Your Incident Response Plans

So we all must have an Incident Response plan, which is only used after a computer security problem:

  1. Detect the problem
  2. Investigate the problem
  3. What type of threat is it to the business?
  4. Does it rise to the level of a "Breach", with significant legal disclosure requirements?
  5. Did the attackers steal information/data?


We know practice makes perfect, but how do we practice responding to a known attack without actually getting a hacker to hack your systems?

So of course getting a pentester and having your environment tested for problems is a good thing. But we also need a method of getting our IT staff to not be afraid to follow the crumbs to a potential breach. People tend to get better the more they do something, so a pentest would also be useful practice for IT staff incident reports.


With or without a pentest it is wise to create a "write-up" report that acts as if the breach or hack happened, so the IT personnel will be used to working through the "paperwork" process.


So let us do it together:

1. We detected a problem in the logs: they were zeroed out on our Windows 2012 server.

2. We do not know why this happened, but the event logs now have only a handful of events (going back to yesterday only).

3. Is this a threat to the business? If there are no logs to see, how will we know what happened in the last few days before the logs were deleted?

4. Review systems to see if any new files have been added; you will have to make comparisons to recent backups. Also review any customer data if it resides on the server (is the customer data valid?). If you have no way of doing this today, better start working on a process now.

5. The last point is where the most difficult assessment has to be performed. Is this a threat to the business? Was data stolen?

And this is exactly where many companies get tripped up. Every day you are running your business and it seems like any other day. Losing event logs does not seem to mean much, but it could be a sign of a serious breach.

Find out if your files have been altered. The problem is that some malware is only there for other purposes, so some altered files have lower risk and impact. How can we know if there is a high impact, high risk alteration?
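Step 4 above says to compare the server against a recent backup; this is an added example (not from the original post) of one way to build that process: hash every file under a backup snapshot and under the live tree, then list what was added, altered or removed. The directory layout and file contents are constructed for the demo, and a real run would point the two paths at the mounted backup and the suspect server.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Added example: a baseline-versus-live file manifest comparison, so that after
# an incident such as the wiped event logs described above, an admin can list
# which files changed without relying on the (now missing) logs.

def sha256_of(path: Path) -> str:
    """Return the hex SHA-256 digest of one file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: str) -> Dict[str, str]:
    """Map each file path (relative to root, '/' separated) to its digest."""
    base = Path(root)
    return {
        p.relative_to(base).as_posix(): sha256_of(p)
        for p in sorted(base.rglob("*")) if p.is_file()
    }

def compare_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences between the backup manifest and the live system."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}

def demo() -> Dict[str, List[str]]:
    """Constructed scenario: yesterday's backup versus a tampered live tree."""
    with tempfile.TemporaryDirectory() as backup, tempfile.TemporaryDirectory() as live:
        for root in (backup, live):
            Path(root, "web").mkdir()
            Path(root, "web", "index.html").write_text("<h1>shop</h1>")
            Path(root, "web", "config.ini").write_text("db=orders")
        Path(backup, "web", "old.log").write_text("yesterday")          # gone from the live box
        Path(live, "web", "config.ini").write_text("db=orders;debug=1")  # altered on the live box
        Path(live, "web", "unexpected.bin").write_bytes(b"\x00new")      # file IT never added
        return compare_manifests(build_manifest(backup), build_manifest(live))

if __name__ == "__main__":
    print(demo())
```

Which of the reported changes is high risk is still a human judgement, but the list turns "find out if your files have been altered" into a concrete, repeatable check.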

To have any chance of knowing a breach happened, you need IT personnel to do the following:

  • Be vigilant
  • Notice unauthorized logins
  • See unauthorized usage of computer systems
  • Ask why reboots are mysteriously happening on their own
  • Review administrative account access for actions that are unknown to the administrators
  • Notice unusual outbound traffic
  • Ask whether files are being added to your computer systems without IT department knowledge
  • Notice when logs are being deleted, or very few event logs are available on critical systems
  • Determine whether data was stolen


A lot of these bullet points assume you can see potential breach indicators, so here is an infographic to help you with this process.


If you are not testing your incident response plans, what will happen when a real attack happens?

Contact us to help you with Oversite or auditing needs.


How are Hackers Always a Step Ahead of Defense?

So the Defense (also known as the Blue team) has been inundated with spam; the goal of the spam (for the hackers) is for an unsuspecting user to give up their credentials (username and password). Hackers are always trying to get your usernames and passwords.

Opening a Word document? What if it included a small file that is unlikely or even impossible to detect when first opening the file, because it gets resized to a small point in the document?

Notice the above image shows how to create a link inside a picture.

The above image is from an ISC.sans.edu link.

So due to various dirty tricks in spam we have built 2FA (Two Factor Authentication), so that connecting to the email server and getting your email will effectively shut out the spam merchants... until now, with this nifty trick. (Do you have to re-establish 2FA every time you get email? Or only when first logging in?)

When you open the Word document the picture activates and tries to connect to criminal-hacker-website.com, and in doing so the computer sends its credentials to criminal-hacker-website.com.

Clearly a username-and-password-only defense is not going to do the job, as many tricks will pry the information to your account out of you. An incorrectly set up 2FA would also be a problem.

The defense must have a good logging and egress filter setup (block outbound 445/tcp, 137/tcp, 139/tcp, 137/udp and 139/udp).
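The egress filter stops the connection, but the log entry it leaves is the signal that a workstation just tried to talk Windows file sharing to the Internet. As an added example (not from the original post or from ISC), here is detection logic over constructed firewall log lines that flags outbound traffic on the ports listed above to any address outside the internal networks; the log format and the internal ranges are assumptions to adapt to a real firewall export.

```python
import ipaddress
import re
from typing import Dict, List

# Added example: find internal hosts that talked (or tried to) SMB/NetBIOS to
# external addresses. Ports are the ones the post says to block; the log line
# format and the internal network list are constructed for this example.
SMB_PORTS = {("tcp", 445), ("tcp", 137), ("tcp", 139), ("udp", 137), ("udp", 139)}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into fields; empty dict when the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else {}

def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the assumed internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_smb_egress(lines: List[str]) -> List[Dict[str, str]]:
    """Return records of SMB/NetBIOS traffic from inside to an external host, allowed or denied."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        key = (rec["proto"].lower(), int(rec["dport"]))
        if key in SMB_PORTS and is_internal(rec["src"]) and not is_internal(rec["dst"]):
            hits.append(rec)  # a DENY here still means a host tried to leak credentials
    return hits

# Constructed sample: normal SMB to an internal file server, web browsing, a
# NetBIOS broadcast, and one workstation reaching out on 445/tcp to a
# documentation-range address right after a document was opened.
SAMPLE_LOG = """
2018-11-05T09:14:20Z ALLOW TCP 10.0.1.25:49210 -> 10.0.1.5:445
2018-11-05T09:14:21Z ALLOW TCP 10.0.1.25:49211 -> 198.51.100.20:443
2018-11-05T09:14:22Z DENY TCP 10.0.1.25:49212 -> 203.0.113.7:445
2018-11-05T09:14:23Z ALLOW UDP 10.0.1.31:137 -> 10.0.1.255:137
""".strip().splitlines()

if __name__ == "__main__":
    for h in find_smb_egress(SAMPLE_LOG):
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['dport']} ({h['action']})")
```

The source host and timestamp in each hit tell the responder which user opened what, and when, which is the thread to pull in the incident write-up.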

Back to my question: "How are Hackers Always a Step Ahead of the Defense?"

The answer lies in logic, actually: if you have to defend 24 hours per day, every day, while trying to use software on the Internet, then it is only a matter of time before a hacker uses ingenuity to break or bypass your defenses, as shown above. We have to constantly be aware of new attacks, and thus of ways of defending against the new vulnerabilities found every day.

True, it would be nice if all software had no security issues, but as we know security is not the highest priority while making a product. Making money is, and sometimes a security audit is not high on the priority scale.

So it is the same old story: the "Risk versus Security" see-saw.

The people who focus on Security might spend more in resources than others, so if you hear of a new potential attack, are you impulsively scoffing? Or saying "I have to learn this attack and defend against it" (thus spending resources)?

If you are scoffing, you wish to take on more risk by assuming the security problems might go away just by thinking they will go away. The risk on the Internet these days is not that low; the ingenuity of new attacks is coming so fast that if you have not upped your ante, then one day it will be too late and the headlines will serve as your epitaph.

So we believe that you should do both: seek some risks while also staying secure by employing security auditors.


Contact Us to discuss

NIST 800-171 Compliance Can Be Done Quickly!

NIST 800-171 compliance actually means that the DFARS Cybersecurity requirements must be met.

The NIST 800-171 requirements have always vexed small manufacturers due to their specific wordiness, so NIST (National Institute of Standards and Technology) has been trying to make them easier to understand with the following pdf: https://nvlpubs.nist.gov/nistpubs/hb/2017/NIST.HB.162.pdf

This is an important paragraph from the pdf:

Executive Order 13556, Controlled Unclassified Information, November 4, 2010, establishes that the Controlled Unclassified Information (CUI) Executive Agent, designated as the National Archives and Records Administration (NARA), shall develop and issue such directives as are necessary to implement the CUI Program. Consistent with this tasking and with the CUI Program's mission to establish uniform policies and practices across the federal government, NARA issued a final federal regulation in 2016 that established the required controls and markings for CUI government-wide. This federal regulation binds agencies throughout the executive branch to uniformly apply the standard safeguards, markings, dissemination, and decontrol requirements established by the CUI Program.


So needless to say, if you are a small manufacturer and sell stuff to the US government, you will have to be compliant, or else. What is the "or else"? I surmise the "or else" is pretty bad, since there has been plenty of time for you to get on board with this new initiative. Admittedly it has been a chore to get through the NIST 800-171 documents up to now, as I discussed in June on this site.

Like this, for example:

There are many such points in the document.

Here is the full list of the 14 points you have to work on; 14 controls have to be set up:

  1. AC – Access Control
  2. AT – Awareness & Training
  3. AU – Audit & Accountability
  4. CM – Configuration Management
  5. IA – Identification and Authentication
  6. IR – Incident Response
  7. MA – Maintenance
  8. MP – Media Protection
  9. PS – Personnel Security
  10. PP – Physical Security
  11. RA – Risk Assessments
  12. SA – Security Assessments
  13. SC – System & Communications Protection
  14. SI – System & Information Integrity


None of these points are actually brain surgery, where you need 10 plus years of training and schooling. In fact, most of these your IT department can perform in their regular work; they just need support from above (i.e. resources).

The one point the company cannot effectively do by itself is audit and accountability, as there is nothing like a person from outside the organization to provide a point of view that is fresh, or at least not shaped by the company culture, which is what we do here at Fixvirus.com.

So these 14 points should not dissuade you from becoming compliant. In fact, even if you do not have multi-factor authentication (Identification and Authentication) and it would take 6 months to implement, all you have to do is create a POAM, or Plan of Action and Milestones. Once you have written-up proof or POAMs, then you are compliant. Easy.

This is how I can state that you can come into “compliance” with NIST 800-171 quickly.

Contact us to review and discuss.