Upgrade, Patch, and Reboot: No! Too Hard?

How can it be that upgrading software and hardware is too hard? Or is it that the reboot is too hard?

We don’t actually want to reboot do we?

I know some people who deliberately do not reboot their computers until forced to do so by power outage or other dramatic events.

Or is it that a reboot has a small chance of screwing up the balance of the computer? I.e. the registry might become corrupted (example of a registry failure after restart)? This phenomenon happens during faulty (or ‘buggy’) patches. But since we have heard about these things, we think postponing the update (for months) is better.

The solution? Test the patches with a suitable copy by your IT department. So again we run into the problem of resources.  The It department has to have a suitable test machine and has to have the time to test the upgrade with all of the software that you must use.

  1. Accounting
  2. Word/ excel (or Office)
  3. Website software compatibility  (Firefox, Chrome, Iexplorer)
  4. specialized software.

So now what seems like a 30 min job at most turned into several hours.  And remember now it also depends on the other tasks the IT department has. Updating servers are more complex which could take longer to update. This was likely the problem at Equifax where an Apache Struts application was not patched within a short time.  “Learning From Equifax Breach” Sep27 blogpost.

And I don’t know if you noticed but there are patches every month, sometimes more frequently:

 

Here is an example of a past patch Tuesday (2nd Tuesday of the month) in 2015 on this blog 

A single vulnerability may affect 8 different types of systems, and if you have many of those systems (due to not standardizing) then each system must be tested properly to figure out if the patch will work.

So it is not that the single act of rebooting is the cause of our consternation, rather it is the large testing regime that SHOULD be done. Of course a loose IT department can just wing it and patch without testing. On most months that would be ok, but periodically there will be problems and then a lot of downtime.

So ask yourself is there a lot of unscheduled downtime for different systems? then it may be time to do things differently.  We do not want to be the company that is in the news due to a cybersecurity incident (which may have started due to an insufficient update process).

Contact us for a review of your machines and processes

Learning from Equifax Breach

I wish I could say that this post would be something new – like buy “xyz” product and perform handstands or something and all your problems are solved.

Unfortunately The Equifax breach likely happened due to unpatched systems. As even Equifax itself admitted¹:

 

So as we discuss this problem many times, how can a company with IT people and Cyber security people possibly miss patching  this kind of a vulnerability?

 

it is not as if the vulnerability is a minor one. this Apache Struts vulnerability is a severity 10 (on a scale of 1-10) and as I have mentioned before the time after a vulnerability is found the clock is ticking. The hackers try to exploit and companies try to patch the problems as soon as possible to prevent from happening what happened to Equifax. Rapid7² discusses the exploits available and what should be done.  (Solution: upgrade to latest apache-struts)

 

Somehow the upgrade process and patching of critical pieces of infrastructure is very difficult for organizations and thus they are susceptible to attacks. and will be until we as consumers can push them into fixing things.  How will we know if companies are patching? Someone has to audit them, someone like us (as a Certified Information Systems Auditor) at https://fixvirus.com/

It seems simple to me, but somehow this process of patching highly vulnerable systems is very difficult. And thus it takes time, which the hackers use to try and gain entry. Once the hackers have entry into your systems (evading defenses and taking information) it is a short time to a full fledged breach.

 

  1. https://www.theregister.co.uk/2017/09/14/missed_patch_caused_equifax_data_breach/
  2. https://www.rapid7.com/db/vulnerabilities/apache-struts-cve-2017-5638

Cybersecurity!! Or Else!

Mr. Business owner/manager if you do not take Cybersecurity seriously then it will bite you but how exactly?

 

Spend money on cybersecurity or you will eventually get attacked… I know that is hard to understand fully

As discussed before The Psychology of Security (Oversitesentry post from 8/22/14)

Believe it or not on a regular basis we tend to seek risks when there could be losses .  So what does that mean with regards to Cybersecurity?  Well, if you do nothing with Cybersecurity efforts on your computers and network devices then you are risking ransomware taking all of your data and thus testing your IT backup processes.   But knowing or not knowing  (maybe subconscious) we do not accept that we have to address a risk  such as ransomware. Even if ransomware could destroy our data. Part of the problem is that we are running our business and home life with certain levels of computing and every day things are working as we expect. So why should we spend more time with Cybersecurity concerns?

  1. the right thing to do – create a proper cybersecurity
  2. The more we disregard the threat and the potential impact could be higher

So this phenomenon becomes a vortex of

NOTHING to see here – keep moving

to

When attackers find weaknesses then the attack could put your small business out-of-business (if no backup tests were done and the right circumstances create the perfect storm).

Eventually this weird sense of not wanting to deal with cybersecurity because it increases risk will be your undoing.

So what does it really mean??   Cybersecurity or Else?

It means you can go out of business if you lose all your data and cannot recreate them in a reasonable amount of time or at all.

This has happened before:

The above is an old picture, but likely has not changed much if at all. We are unfortunately creatures of habit.

 

So these are your choices

Everyone makes an unconscious decision to spend some, more or no time on Cybersecurity for a variety of reasons.

What has to be done is to check your systems with testing and auditing process, such as with a CISA certified person. Like Us – Contact Us

 

So what is really happening is the CISA audit is a type of catastrophic insurance. If audits are done on a regular basis then the computer systems will not get to the point of catastrophe (losing all data with no recovery).

Maybe what is needed is to frame the debate of cybersecurity is to focus on the business aspects.

No cybersecurity attention? then $100k in costs or loss of business outright.

How to fix this? Management must be more cybersecurity savvy, and ask the right questions to the cybersecurity professionals.

 

More Security or More Business? is it Us vs Them?

When we say We need to be more secure in cyberland, does that mean small business needs to change what they do to be more secure?

ISACA says we need governance:

Governance and management for Enterprise business should use the COBIT 5 principles

  1. Principle 1: Meet stakeholder needs
  2. Principle 2: Covering the enterprise from end-to-end
  3. Principle 3: Applying  single integrated framework
  4. Principle 4: Enabling a holistic approach
  5. Principle 5: Separating governance from management

The COBIT framework ‘simplified’ means for the business to drive “cybersecurity”. I.e. if you need to sell widgets on the Internet you have to have cybersecurity on the Internet with credit card processing then that is what you have to say: ” We have to protect our systems to sell our products and stay in business”.

The conversation cannot start with ” I need security more than sales” because we know how that conversation ends. In fact the Cybersecurity person needs to say we facilitate sales, and make sure they are done safely. We take care of government compliance.

Besides  some good sound bites, the hard work of creating a truly secure organization is to set up a framework of weighing risks versus threats and impact.

A methodology must be used instead of just telling your IT department “keep us as secure as possible” ok?

What consistent methods do we need to operate to make Cybersecurity for companies work effectively for the stakeholder?

I listed the 5 principles of COBIT, and one of the most important piece of one of the principles is to assess risk (likelihood * impact) for each computer and IT device in your company.

An Audit has to be performed where all the pieces of the network and computer systems for the business needs are cataloged and rated for importance and weaknesses.

Once this inventory has been created a Risk analysis with expenditure of money has to be accumulated and reviewed with the stakeholders.

The process of reporting is also important, how to report and whom to report to.

Principle 5: separating governance from management has it’s reasons. The IT department must be overseen and directed by a governing body. If you want to discover these details get an audit from an ISACA Auditor and get on the path to become more secure within your business needs and requirements.

Contact us to audit your business

 

Who is Responsible For Cybersecurity?

I am talking about the reality that someone must be responsible so we can hold their feet to the fire. We don’t want to get to the point of too many directions of responsibility, as then when a breach does happen it is dangerous to see what will happen from there? So the CISA (Certified Information Systems Auditor) exam prep says that the Board of the company is responsible as they are the stakeholders. The board ultimately controls the purse strings, and hiring/firing of the CEO. But the problem with Cybersecurity is the changing nature of threats with increasing use of technology. Thus if the CEO changed some parameters unknown to the board, or if the board has not had time to digest then the CEO should be part responsible as well.

So if the CEO is part responsible because of changes that are occurring without the board’s knowledge…  or is it that the board should have contingency plans for unknown changes?

Let’s review what responsibility means?

Definition from Google:

The state or fact of having a duty to deal with something or of having control over someone.

The state of fact of being accountable for something

The opportunity or ability to act independently and make decisions without authorization

I want to restate this dictionary definition for cybersecurity specifically:

The ISACA Auditing standard will stay as the “Financially” responsible entity will stay in the board.

But I want to pick into who is responsible for Cybersecurity? Is it the person who misuses one of the definitions:

“The opportunity or ability to act independently and make decisions without authorization”

We all use computers (and mobile devices) independently, and in fact more devices are coming into our lives that will  create problems if we do not use them properly.

So even though the board is financially responsible, we are all responsible for using our devices with a certain amount of Cybersecurity intelligence.

The board has to set the stage with enough funding for firewalls, and audits and the like, but the users are responsible for using the devices without clicking on phishing emails or going to questionable websites that will cause problems even in the most secure environments.

Contact Us to create a security policy for the future.