100 days to find adversary in Network: Do I hear 50?

How can we improve the odds of finding a criminal hacker in our networks?   (My old blogpost in 2017 discusses some threats in your network “Insider Threats: No1 Cybersecurity Problem” in case you want to review)

A great video on this topic is the following Irongeek.com video from BSides Charm2018

In this part of the video they are explaining all the logs and where the logs should be sent.  The idea to send the logs to Splunk is to then create a ticket or an SMS alert to a team.  After Splunk receives data you have to configure Splunk to  create SMS alerts and tickets.

There are specific items to look for in your logs to help you find the criminal hacker.monitoring email

monitor who accesses OWA (Outlook Web Access), monitor the attachments sent out, file transfers.

Web traffic, monitor proxy logs – what sites get accessed? Who is trying to go to dangerous websites.

 

Create daily reports and then you will see what is normal.

Every environment is different, with varying needs for compliance and other needs (HIPAA compliance is likely not needed from a Flower retailer).

The above diagram in the video is the most important diagram for you to understand and digest:

I.e. most companies and people end up logging everything and thus do not check anything (because you cannot drink from a firehose) OR log very little – nothing.   So this is why one must understand what is important in logging to you.

Even though it may be different with every company there will be a specific report that will become a goto report that you will review daily for suspicious behavior. Do not become a statistic which says you do not see the criminal hacker in your network for 100 days, or are told of a breach by law enforcement.  That means you will know at that time that IT has not done their job (too late of course).

 

Get ahead of future problems, and contact us to review your logging environment.

Protect Privacy of Client Data using New Ways

Do you want to actually improve your level of Cybersecurity?

What will you do differently today or in the next few months better than last year?

As in past post the GDPR has laid out new regulations 

that affect an entity that has data of an EU resident with impact on any of the following:

  1. Private and family life, home and communications data
  2. Physical and mental integrity
  3. Personal data
  4. Freedom to work and choose occupation
  5. Freedom of thought , conscience and religion
  6. Freedom of expression

The key in this graph is to be near the Green shaded squares, and not the bright red squares. I.e. having a high probability with a critical impact is bad and requires focus.  Whereas an unlikely probability is negligible impact then this is not so important to focus on.

The problem is to find the Critical impact and high probability events in a manner that are easy to see as well.

In the computer world we have focused almost exclusively on personal data (PII – Personal Identifiable Identity).

But there are more difficult to identify privacy concerns such as:

What does it mean to protect freedom of expression?

So if someone has a political cause that they follow, like Greenpeace. If for some reason another non-profit has an interest in getting new donations.  Here is a google search that had a “People also search for”  area:

So keeping even a log of searches or other information might lessen some freedom.

Freedom to choose an occupation?

How can lack of privacy screw up your freedom to choose an occupation? Besides the pictures on Facebook about your late night parties. What if you say one thing on Facebook, and yet another in interview?

Freedom of thought?

The freedom of thought may be happening already, but that may be “good”. If you are a criminal and try to add illegal items for sale, that may not be possible due to the filters. Although your freedom was curtailed, the overall good of less illegal acts on the Internet may be desirable. Other curtailing of freedom of thought as in my politics is better than yours is quite more complicated to curtail or even attempt to make fair, as it is in the eye of beholder. So politics may not be able to be policed.  This subject will depend on the country it is in, as USA has a unique constitution as in freedom of press and speech.

Private and home communications?

Here the nirvana of the advertiser means to learn how you use ‘stuff’ so that they can modify and make you buy their ‘stuff’ instead. So how much of private information should be ‘clouded’? Too bad there are  no smoke generators, where one can create a bunch of junk signals that makes the advertiser just confused.

 

So you can see that Cyber is about People and information, as an interesting Youtube Blackhat keynote said (presented by The Grugq) : Cyber is a new dimension in conflict which is still not fully theorized or conceptualized. Not that it is stopping anybody.

So we have to start focusing on privacy data protection in many new ways (and use the GDPR as a start – only because one can see into the initial bureaucracy mind of regulations of privacy).

 

Contact us to get a start on the new privacy regulations to come.

Can European Regulation Help You Design Data Privacy?

There is a great video overview of what it is GDPR(General Data Protection Regulation): “Preparing for GDPR” by John Elliott, head of payment security, EasyJet

Make no mistake, bureaucrats like to look at each others notes, so if a “new” regulatory method is coming … the US and Asia is watching.  In fact the GDPR has some aspects of American breach regulations, which apparently European countries have not had before(notification of breaches).

In my eyes the most interesting aspect of GDPR is that this snapshot of the video shows how it is now focusing on potential data security problems (breach, privacy etc) which will be weighed as to it’s effect on the actual customer data. i.e. besides the breach and obvious effect of a number records stolen to criminal hackers. There is a “respect for private and family life, home and communications”, “Freedom to work and choose an occupation”.  These two sentences picked out of the others show that the bureaucrat can make up a lot of rules out of this, and it is not clear what the company has to do to the data for it to be “respect for private and family life”.  It may be that the data has to be deleted so that no one sees it after so many days.

The general nature of this new effort by the EU is of course written in this manner because technology is ever changing. Thus it is hard to write regulations with new technologies especially as they are implemented faster than the regulations are written( the last time EU regs were redone was in the 90s).

Another snippet from the video refers to general security note of what he terms it as a “Regulatory Zone of Compliance”:

A graph of how much focus every entity wants to end use on GDPR.

The four choices:

  1. Money is no object
  2. Playing safe
  3. Probably ok
  4. Hope we are lucky

I think I would change #1 to “100% safe by using all possible effort and resources($$) to ensure this”.

And maybe add to #4 the phrase “we will not be hacked or regulators will not find out if a problem occurs”

But instead why don’t we change this graph to a Focus on Cybersecurity %? Which dovetails closer to my Psychology of Security past blogpost.

What is our Focus on Cybersecurity?

Best to start at bottom.

  1. Little Focus (25% of what it needs to be) – hope regulatory bodies and hackers avoid us
  2. Good Focus (50% of the effort) – we make some effort at regulation and defense against hackers
  3. Better Focus( 75% of effort) – more effort at defense against hackers and compliance
  4. Best Focus (100% effort) – There is no expense spared and effort performed that we will not make sure  that hackers do not affect business, of course compliance is a given.

Is it the Best it can be? 100% effort?

The Psychology of Security if you remember, has to do with most people not focusing on security, since the risk is not obvious and thus we are willing to risk higher and higher levels until it stares us down.

So we need to discuss a way for us to change minds, if you have problems with decisions at the top.

Where we need to be more secure, here is where compliance can help us make the people that run organizations focus more on security and data privacy.

Since Security decisions are dependent on emotions as well as practicality, we can fulfill both by saying we will tackle this new compliance as we do not want to get fined and reduce the FUD (Fear Uncertainty and Doubt) or emotions.

 

In fulfilling this compliance we are also protecting our client data, although it may seem hard to see.  The bureaucratic movement never ends, and even now it is learning from the EU in america, and make no mistake… it will come here soon enough. Better to  get ahead of this push.

What I would recommend is to find all of your client data and make sure that you are not selling it or even the look of selling it.

Be careful how you handle the data.   Treat it better than your own, treat it as if it is gold (or bitcoin).

 

Contact me to discuss this in detail.

What will 2018 bring to Cybersecurity?

Happy New Year 2018 very soon!!!

This is a good time to review the technologies that are shaping our lives which means what to Cybersecurity?


Amazon, iPhone devices, Android devices… these are technological breakthroughs that are quickly changing their technological landscape to either enhance user friendliness and features or to be the better brand or flagship product type in the technological category they belong. This means more Internet connectivity, not less.

What does more Internet mean? Does more function mean less security? Based on statistics, one thing is for sure, this means cybersecurity will be more important in 2018. Because as you will see more connectivity means a ripple will cause more problems, so we _have_ to focus on cybersecurity a certain amount or this decision of apathy to cybersecurity will cause you regret.

If we look back to the year 2015, in one of our blogposts, we discussed the relevance of the Cisco VNI (Visual Networking Index) forecast. In 2015, the projection as to how many devices will be connected to the Internet to be an immense 24 billion devices by 2019. Current day VNI projection are showing a much larger number than the 2015 projection, with numbers now at 29.1 billion, although closer, we should get even better projections as time goes on.

What is the relevance of this then? It means the number of connections to the Internet has grown exponentially, no mention of the data usage we have when plugged in to the net. More devices, means more occurrences of net usage. More net usage means a wider variety of data transfer and traffic. More data traffic means more open opportunity to risk factors that may lead to higher risk in cybersecurity.

What is alarming is when we think about how much of that number is criminal traffic and how much of that is checking your defenses. We want to advance to a new level by increasing capabilities but we may be overlooking that more capabilities mean more chances of risk. In many cases, we don’t see the possibilities of where risk may come about, because we are focused on making it work or creating revenue. So do we see the increase of possibilities and opportunities that we have increases technological capabilities and Risk analysis complexity?

That is why, developing a risk analysis process is important. It is not only a review of how much and what kind of Internet occurrences you have but a check on the data load you use. Alongside this realization of data transfer, it is pertinent that you do optimal checks and create regular controls updates within your your organization. Having an external risk auditor will help a lot in knowing how much more protection you need to uphold or how much risk oversight you need to work on. If you value the investment you have worked on, it always pays back to also value its maintenance through cyber protection. Contact us, to learn more.

From Vulnerability Found, To Patched Safe

 

While we are preparing for the holidays and the New Year, may it be Christmas/ Hanukkah or otherwise, the hackers are also busy prepping for their busiest time of the year. Although the Holidays is a season to be jolly, it is not a reason to slack off in keeping up with your Cyber Security.

The following image shows a potential timeline of when a vulnerability is found, disclosed to public, Anti-virus software rewritten, patch released, and patch installed.

Notice there is a number of days with no defense in your machines, and that is why a patch that is released should be installed soon.

Why do we say that hackers are also busy? This is because when people tend to lower down their guard, thinking that everyone is busy with the flow of the season, it is also the time that our Cyber protection becomes lenient and weak. When the defense turns less, then the attacker works harder to find these weakness and then it snowballs.

The reason for the easy attacks by the criminal hackers is because we become complacent and do not patch vulnerabilities when we should, and as you can see the vulnerability has been known by the wily attackers for some time… which makes time your enemy.

 

Ever seen a honeybee hive? The bees defend their hives vigorously, regardless of the time of day or season of the year. They attack-to-defend, to secure the hive at the slightest sense of a perceived threat. That is how optimal your Cyber defense should work. That is how wide your Cyber security should be manifested. It should cover all impact levels and all angles whether the threat may be old or new, small or huge.

 

Just like the bees, to keep your system up to date in “sensing perceived threats”, regular sweep and periodic re-enforcement of defenses must be done by updating your system patches. Before running any computer patches on your system, it is always a good decision to perform a system backup at a certain point. This is for you to be able to reset your systems at its most recent format should the patch go bad in the middle of its installation.  Keep in mind that a patch is a fix to system vulnerabilities (that has been out for months), and it is only now that a fix has been created. Although it took time to create the patch, it is still imperative that the patch be run to ensure that probable threats to your system are reduced if not totally eradicated; and for your computer to work properly improving its performance and usability.

 

Question is, how do you know which patch to run? This depends on the probable risks you are able to determine, based on the major threats and concerns you have sited. To illustrate in a process map, think of it this way:

 

  1. Determine the major threats to your working system. Major threats are external forces that you have no control of, that may interrupt or invade your secure cyber space. This may include:

 

  1. Unauthorized access
  2. Insider threat
  3. Data loss due to external sharing
  4. Insecure interfaces
  5. Fraud / Hijacked accounts

 

  1. Next, determine the major concerns that you need to work on to defend your system against the major threats. Major concerns are the areas that cover the major threat and of which you have the capacity to control. Examples are:

 

  1. Data Loss / Leakage
  2. Privacy and confidentiality of information
  3. Legal and regulatory compliance
  4. Compromised security

 

  1. Identify the impact of the threats and the likelihood that they will occur affecting your major concerns. This depends on your usage to the system. These are the magnitude of the identified Risks that you need to work on. Remember the formula for risk analysis as:

 

Risk = Likelihood * Impact

 

The higher the impact of the major threats, the higher the risk factor.

 

  1. Determine the controls and oversite that you need to work on and improve/update your network processes to fix or to be ready to defend your systems aggressively. This is where necessary patching comes in.

 

Since patching is a strenuous process (doing back up, uninstalling all system instances, then patching), it is where most people slack off. You cannot expect not to be robbed if the gate of your house is closed but the front door is open. It may take a while getting used to checking for bug fixes, but vigilance is the key to reducing risks.

 

So if we patch less (due to holidays or otherwise) and we are not as vigilant as we should be amidst the season break, then … you can expect that Hackers are indeed getting busy.

Contact us this year or next to discuss your details.