100% Cybersecurity is Impossible

Do you want to use the Internet? Computers? Tablets? Cellphones?

There is no device created that is 100% secure with no risk.

So now what?

Risk management is what we are supposed to do: use something when the risk of using it is lower than the value we get from it. For example, using a computer for business is worthwhile when the cost of keeping it reasonably safe (a firewall, anti-virus software and so on) is relatively low.

Let’s use a different example. What if a business has highly confidential banking transactions to perform that are worth hundreds of thousands of dollars? Now, even if the likelihood of the computer being infected by malware is low, the impact would be high, and Likelihood * Impact = Risk, so:

Low * High = higher risk than

Low * Low = Low, or

Low * Med = Medium-Low

If the likelihood is high, then even a small impact is bad:

High * Low = High risk

For high likelihood and medium or high impact, it is lights out for many organizations:

High * High = Bad … very bad

A risk matrix like this has to be set up for your own business before you can manage its risks.
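As an added example (not from the original post or from Paul Holland’s talk), here is the matrix above encoded as a small risk register in Python. The three-level scales, the rule that any ‘High’ factor rates at least High, the risk-appetite threshold and the three scenarios are all assumptions made for the illustration; your own matrix will have its own levels and bands.

```python
"""Likelihood * Impact = Risk over a small, constructed risk register.

Added example, not the original post's own tool. Scales, bands, the appetite
threshold and the scenarios below are assumptions for illustration.
"""

LEVEL = {"Low": 1, "Med": 2, "High": 3}
ORDER = ["Low", "Medium-Low", "Medium", "High", "Very High"]


def risk_score(likelihood, impact):
    """Numeric risk: the product of the two ordinal levels, 1..9."""
    return LEVEL[likelihood] * LEVEL[impact]


def risk_rating(likelihood, impact):
    """Band the product into the ratings the post uses.

    The product alone cannot tell Low*High from High*Low (both 3), so the
    banding, not the arithmetic, carries the judgement: here any factor at
    'High' rates at least High (assumption), and High*High is Very High."""
    score = risk_score(likelihood, impact)
    if "High" in (likelihood, impact):
        return "Very High" if score == 9 else "High"
    return {1: "Low", 2: "Medium-Low", 4: "Medium"}[score]


def rank_register(register, appetite="Medium-Low"):
    """Score every (name, likelihood, impact) row, flag rows above the risk
    appetite, and return them most-risky first (by rating, then by score)."""
    rows = []
    for name, likelihood, impact in register:
        rating = risk_rating(likelihood, impact)
        rows.append({
            "scenario": name,
            "likelihood": likelihood,
            "impact": impact,
            "score": risk_score(likelihood, impact),
            "rating": rating,
            "over_appetite": ORDER.index(rating) > ORDER.index(appetite),
        })
    return sorted(rows, key=lambda r: (-ORDER.index(r["rating"]), -r["score"], r["scenario"]))


def reassess(register, scenario, likelihood=None, impact=None):
    """Redo the matrix after an internal or external change (a new
    vulnerability, a new business line) moved one scenario's inputs."""
    return [
        (name, likelihood or lik, impact or imp) if name == scenario else (name, lik, imp)
        for name, lik, imp in register
    ]


# Constructed register mirroring the post's two examples plus one more.
REGISTER = [
    ("Office PC used for email and documents", "Low", "Low"),
    ("PC used for six-figure banking transactions", "Low", "High"),
    ("Internet-facing web server, patched monthly", "Med", "Med"),
]

if __name__ == "__main__":
    for row in rank_register(REGISTER):
        flag = "OVER APPETITE" if row["over_appetite"] else ""
        print(f'{row["rating"]:<11}{row["score"]}  {row["scenario"]}  {flag}')
    # External trigger: a new remotely exploitable bug makes the web server likely to be hit.
    changed = reassess(REGISTER, "Internet-facing web server, patched monthly", likelihood="High")
    for row in rank_register(changed):
        print("after:", row["rating"], row["scenario"])
```

The register is where the 10% versus 11% question gets an answer: spend first on the rows flagged over appetite, and rerun it whenever one of the internal or external triggers listed later changes an input.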

Paul Holland also discusses this in his BSides London talk “Understanding your business risks are key”.

Paul also lists ‘Things to consider when making decisions on risk appetite’:

  1. What kind of loss would you deem materially damaging (impact)?
  2. What can you live without, and for how long (impact)?
  3. What information must not fall into the wrong hands (impact)?
  4. How do you protect your information?

So if you are a business owner, CEO, CFO or CIO, you have to answer these subjective risk questions honestly.

If you are spending 10% on security and you have millions of dollars of risk impact, should you spend 11%? This is a difficult question to answer, since we cannot be 100% secure. Where do we spend money to improve security? The law of diminishing returns applies here as everywhere: sometimes more money buys only an incremental change, not a major one.

The above image is useful in telling us when we should re-evaluate our risk profile: external changes or internal changes should cause you to redo your matrix.

Internal:

  1. Changing markets
  2. New business areas
  3. New Leadership
  4. Change in risk appetite
  5. Cloud adoption (major technical changes)
  6. Supply chain risks

External

  1. New vulnerabilities
  2. Political changes (local, state, national, international)
  3. Regulatory changes
  4. New technology (quantum computing that could break today’s public-key encryption; AI that makes attacks more sophisticated)

We all know attacks are getting more sophisticated: criminals want to reach more victims with new methods and make more money every year.

Talking to an expert to navigate this huge moving target is a good idea:

Contact Us to discuss

Why Do Cybersecurity Pros Make It Complicated?

We say things like: DO NOT CLICK ON phishing emails!

But then Equifax creates www.experianidentityservice.co.uk or creditexpert.co.uk/login/login???

BSides London earlier this year had a presentation by Meadow Ellis (@notameadow).

Meadow makes a good point: we cybersecurity professionals ask users to be careful what they click, and then somebody in the company registers a hard-to-read domain name because the easy ones are taken.

So if a user can sometimes be duped into clicking on malware (let’s face it, users will never be 100% accurate), then we must assume that the attackers can get into one of our systems inside the firewall.

This scenario is why we need a zero-trust network architecture. In a zero-trust network we assume the bad guys are everywhere, including inside, so nothing is trusted merely for being on the internal network, and identity management has to be hardened.

Assume that phishing will work eventually in your environment

Here is where the phishing domains are actually hosted (from a Paloaltonetworks.com post):

The problem, as you can see, is that the hosting companies are in the USA, so, as I mentioned, the attackers are already in our midst.

Your risk management and Cybersecurity plans need to reflect that.

Your marketing should use a simple, consistent domain structure that makes sense, so that when phishers try to scam your customers, the customers have a chance of seeing through the bad domains.
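To make the point concrete, here is an added example (not from Meadow Ellis’s talk or the original post) of the check a marketing or security team could run before registering a customer-facing domain: does it look like something a phisher would register against the brand? The brand ‘acmebank’, its legitimate domains, the candidate names, the homoglyph table and the tiny public-suffix stand-in are all constructed for the illustration.

```python
"""Flag domain names a customer could mistake for a brand's real ones.

Added example, not from the BSides talk or the original post. The brand
'acmebank' and every domain below are constructed; the two-level suffix set is
a small stand-in for the Public Suffix List, which a real deployment would load.
"""

# Single characters commonly swapped for look-alikes in registered names (assumed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
# Multi-character sequences that render like a single letter.
MULTI_CHAR = (("rn", "m"), ("vv", "w"), ("cl", "d"))
# Assumption: only these public suffixes have two labels.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """'www.acmebank.co.uk' -> 'acmebank.co.uk'; 'a.b.acmebank.com' -> 'acmebank.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_label(host):
    """The part a user actually reads: registrable domain minus its public suffix."""
    reg = registrable_domain(host)
    for suffix in TWO_LEVEL_SUFFIXES:
        if reg.endswith("." + suffix):
            return reg[: -len(suffix) - 1]
    return reg.rsplit(".", 1)[0]


def normalize(label):
    """Fold homoglyphs and hyphens so 'acrne-bank' compares equal to 'acmebank'."""
    label = label.translate(HOMOGLYPHS).replace("-", "")
    for seq, letter in MULTI_CHAR:
        label = label.replace(seq, letter)
    return label


def levenshtein(a, b):
    """Edit distance; a small value between brand labels means a likely typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host, legit_domains):
    """Return 'legit', 'lookalike' or 'unrelated' for one host name."""
    legit_regs = {registrable_domain(d) for d in legit_domains}
    reg = registrable_domain(host)
    if reg in legit_regs:
        return "legit"
    label = normalize(brand_label(host))
    whole_host = normalize(host.lower().replace(".", ""))
    for legit in legit_regs:
        brand = normalize(brand_label(legit))
        # Typo or homoglyph of the brand, possibly under another TLD.
        if levenshtein(label, brand) <= max(1, len(brand) // 4):
            return "lookalike"
        # Brand plus extra words ('acmebank-identity-service'), or the brand
        # pushed into a subdomain of a domain the registrant controls.
        if brand in label or brand in whole_host:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    legit = ["acmebank.com", "www.acmebank.co.uk"]
    for candidate in ["www.acmebank.com", "acrnebank.com", "acmebank-identity-service.co.uk",
                      "acmebank.com.verify-login.net", "flowershop.example"]:
        print(f"{candidate:<36}{classify(candidate, legit)}")
```

If your own marketing domain comes back ‘lookalike’, customers cannot be expected to tell it from a phishing site either; register under the brand’s registrable domain instead. The containment checks err toward false positives on short brand names, which is the right direction for a pre-registration review.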

According to the ISACA presentation “State of Cybersecurity”, 90% of all US federal breaches start with a phishing email.

Contact us to discuss your cybersecurity risk management profile.

 

Achieve True Privacy Protections

Your data and your customers’ data must be protected in such a way that even a breach in one area does not make it easy for the criminal to get the last link and thus the whole database. Losing a portion of customer data is bad, but losing all of it is much worse.

So just as we have a layered defense in our network, a layered defense of the database is essential.

Before we discuss technical details it is good to lay out how we intend to use the customer and employee data, because the technical people should be working from a document that says how the data will be used, so that customers, vendors and employees know what is happening (or is supposed to happen).

Knowing what to do when there is a failure is also important.

So we need to answer the following:

  1. Where is the data?
  2. Who has the data?
  3. Why is the data kept?
  4. What data is kept?
  5. How is the data kept? This is the technical question, and answering it includes answering whether, and how, it is encrypted.
  6. Until when is the data kept? Forever, or is there a retention period?
  7. How much data is kept? (Similar to ‘what’, but clarifies the amount and size.)
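One way to get the ‘no single breach yields the whole database’ property described above, as an added example (not the post’s own design): keep the sensitive fields out of the customer table entirely and replace them with keyed tokens, with the token-to-value vault and its HMAC key held on separate infrastructure. The records, the field list and the key handling below are constructed for the demo, and the vault is an in-memory dict standing in for a separately secured store.

```python
"""Split customer data so one stolen store does not yield the whole record.

Added example of one layering approach (keyed tokenization with the vault and
its key held apart from the customer table); not the original post's design.
Customer records and the key below are constructed. Standard library only.
"""
import hashlib
import hmac
import secrets

SENSITIVE = ("email", "national_id", "iban")   # fields that never sit in the main table


def _token(key, field, value):
    """Keyed, deterministic token: same value -> same token (so lookups work),
    but without the key a thief cannot recompute or dictionary-attack it."""
    msg = f"{field}:{value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


class TokenVault:
    """Token -> value store. Assumed to run on separate infrastructure with its
    own credentials, with the HMAC key living in a KMS/HSM, not next to the DB."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)
        self._values = {}

    def tokenize(self, field, value):
        tok = _token(self._key, field, value)
        self._values[tok] = value
        return tok

    def detokenize(self, token):
        return self._values[token]

    def dump(self):
        """What a thief gets from the vault alone: bare values, no customer context."""
        return dict(self._values)


def store_customer(vault, table, record):
    """Write one customer row with sensitive fields replaced by tokens."""
    row = {k: vault.tokenize(k, v) if k in SENSITIVE else v for k, v in record.items()}
    table.append(row)
    return row


def table_exposes(table, raw_values):
    """True if any raw sensitive value appears anywhere in a dump of the table."""
    dump = repr(table)
    return any(v in dump for v in raw_values)


def offline_guess_hits(table, field, candidates, key=None):
    """Thief with only the table guesses values for `field`. Without the key only
    an unkeyed hash can be tried, which never matches; with the key (a second,
    separate breach) every correct guess matches."""
    tokens = {row[field] for row in table}
    hits = 0
    for guess in candidates:
        if key is None:
            attempt = hashlib.sha256(f"{field}:{guess}".encode()).hexdigest()[:32]
        else:
            attempt = _token(key, field, guess)
        hits += attempt in tokens
    return hits


def rejoin(table, vault):
    """Legitimate path: the application, holding access to both stores, rebuilds records."""
    return [{k: vault.detokenize(v) if k in SENSITIVE else v for k, v in row.items()}
            for row in table]


# Constructed sample data.
CUSTOMERS = [
    {"id": 1, "name": "A. Customer", "email": "a@example.com",
     "national_id": "000-00-0001", "iban": "GB00TEST00000000000001", "plan": "gold"},
    {"id": 2, "name": "B. Customer", "email": "b@example.com",
     "national_id": "000-00-0002", "iban": "GB00TEST00000000000002", "plan": "basic"},
]

if __name__ == "__main__":
    vault, table = TokenVault(), []
    for c in CUSTOMERS:
        store_customer(vault, table, c)
    raw = [c[f] for c in CUSTOMERS for f in SENSITIVE]
    print("table leaks PII:", table_exposes(table, raw))
    print("guesses matched without key:", offline_guess_hits(table, "email", ["a@example.com"]))
```

The keyed token matters: with a plain hash, a thief holding only the table could recover emails by hashing a dictionary of guesses, which `offline_guess_hits` shows failing without the key and succeeding with it. The split does not protect against an attacker who compromises the application itself, since it legitimately holds both sides; that is where the network and identity layers have to do their part.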

 

The new data privacy law in the EU is the GDPR (General Data Protection Regulation), which we have discussed before in “Can European Regulation Help You Design Data Privacy”.

In the US there are NIST (National Institute of Standards & Technology) standards, specifically SP 800-171. The company Imprimis has a video that walks through the complete process of becoming compliant for government oversight and contracts.

The interesting slide is the next one, which discusses the continuous compliance state one must build into any program:

Continuous monitoring, training and improvement must go on while performing quarterly periodic scans and annual assessments.

We have discussed periodic scans before: our recon scan and vulnerability assessments.

NIST SP 800-171 is the de facto standard for US government contractors, sub-contractors and anyone else handling CUI (Controlled Unclassified Information); classified data is governed by separate rules. It contains 110 security requirements, each of which has to be assessed. So if you handle CUI, you have a framework to work in.

PCI DSS (Payment Card Industry Data Security Standard) has a new version out as of May 2018, v3.2.1: Summary of changes link

Basically, this latest update confirms that TLS v1.1 or higher is required now that the SSL/early TLS migration deadline (30 June 2018) has passed, plus some errata fixes. Our post: Internet insecure without TLS

So although everyone has different data to place under Who, What, When, Why, Where and How/How much, we all need to review and constantly improve our data storage and retention practices.

 

Contact Us to review this.

 

100 Days to Find an Adversary in the Network: Do I Hear 50?

How can we improve the odds of finding a criminal hacker in our networks? (My 2017 blog post “Insider Threats: No1 Cybersecurity Problem” discusses some threats in your network, in case you want to review it.)

A great video on this topic is the following Irongeek.com video from BSides Charm 2018.

In this part of the video they explain the various logs and where they should be sent. The idea of sending the logs to Splunk is to create a ticket or an SMS alert for a team; once Splunk receives the data, you still have to configure it to generate those alerts and tickets.

There are specific items to look for in your logs to help you find the criminal hacker:

  1. Email: monitor who accesses OWA (Outlook Web Access), what attachments are sent out, and file transfers.
  2. Web traffic: monitor the proxy logs. What sites get accessed? Who is trying to reach dangerous websites?

 

Create daily reports, and then you will see what is normal.

Every environment is different, with varying compliance and other needs (HIPAA compliance is likely not needed by a flower retailer).

The above diagram in the video is the most important diagram for you to understand and digest:

Most companies and people end up either logging everything and thus checking nothing (because you cannot drink from a firehose), or logging very little to nothing. This is why you must understand what is important for you to log.

Even though it differs for every company, there will be a specific report that becomes your go-to report, reviewed daily for suspicious behavior. Do not become a statistic: the organization that does not see the criminal hacker in its network for 100 days, or is told of the breach by law enforcement. By then you know that IT has not done its job (too late, of course).
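As an added example (not from the BSides Charm talk or the original post), here is the shape of such a daily report over proxy logs, in Python: build ‘normal’ from an earlier day, then flag risky or denied destinations, destinations a user has never visited before, and upload volumes far above the user’s baseline. The log format, the two days of lines, the category names and the thresholds are all constructed for the illustration; a real deployment would read the proxy’s own format and tune the thresholds per site.

```python
"""Daily proxy-log review: learn what is normal, then report who strayed from it.

Added example, not from the BSides Charm talk or the original post. The log
lines are constructed in a simplified proxy format (one event per line):
    <date> <time> <user> <client_ip> <method> <host> <category> <bytes_out> <action>
Categories, thresholds and the 'risky' list are assumptions to tune per site.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample: yesterday (the baseline) and today.
BASELINE_LOG = """\
2018-06-04 09:01:12 alice 10.0.1.20 GET intranet.example.com business 512 ALLOW
2018-06-04 09:05:40 alice 10.0.1.20 GET news.example.org news 1024 ALLOW
2018-06-04 10:12:03 bob 10.0.1.21 GET intranet.example.com business 300 ALLOW
2018-06-04 10:30:55 bob 10.0.1.21 POST mail.example.com business 20480 ALLOW
2018-06-04 11:02:19 carol 10.0.1.22 GET intranet.example.com business 700 ALLOW
"""
TODAY_LOG = """\
2018-06-05 08:59:01 alice 10.0.1.20 GET intranet.example.com business 480 ALLOW
2018-06-05 09:14:27 alice 10.0.1.20 GET dl.malware-host.test malware 0 DENY
2018-06-05 09:14:31 alice 10.0.1.20 GET dl.malware-host.test malware 0 DENY
2018-06-05 12:40:08 bob 10.0.1.21 POST paste.example.net uncategorized 52428800 ALLOW
2018-06-05 13:05:44 carol 10.0.1.22 GET intranet.example.com business 650 ALLOW
2018-06-05 13:06:01 carol 10.0.1.22 GET docs.example.com business 900 ALLOW
"""

RISKY_CATEGORIES = {"malware", "phishing", "uncategorized"}
UPLOAD_FACTOR = 10      # flag uploads above 10x the user's baseline day...
UPLOAD_FLOOR = 1024     # ...but treat a baseline under 1 KiB as 1 KiB to avoid noise


@dataclass(frozen=True)
class Event:
    user: str
    host: str
    category: str
    bytes_out: int
    action: str


def parse(log_text):
    """Turn raw lines into Events; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 9:
            continue
        _, _, user, _, _, host, category, bytes_out, action = parts
        events.append(Event(user, host, category, int(bytes_out), action))
    return events


def build_baseline(events):
    """'Normal' per user: the hosts they visit and how much they upload in a day."""
    hosts, upload = defaultdict(set), Counter()
    for e in events:
        hosts[e.user].add(e.host)
        upload[e.user] += e.bytes_out
    return {"hosts": hosts, "upload": upload}


def daily_report(today, baseline):
    """Findings as (user, kind, detail) tuples, deduplicated and sorted."""
    findings, upload_today = set(), Counter()
    for e in today:
        upload_today[e.user] += e.bytes_out
        if e.category in RISKY_CATEGORIES or e.action == "DENY":
            findings.add((e.user, "risky-destination", f"{e.host} [{e.category}/{e.action}]"))
        elif e.host not in baseline["hosts"].get(e.user, set()):
            findings.add((e.user, "new-destination", e.host))
    for user, total in upload_today.items():
        base = baseline["upload"].get(user, 0)
        if total > UPLOAD_FACTOR * max(base, UPLOAD_FLOOR):
            findings.add((user, "upload-spike", f"{total} bytes vs {base} baseline"))
    return sorted(findings)


def render(findings):
    """The go-to text you read every morning."""
    return "\n".join(f"{user:<8}{kind:<20}{detail}" for user, kind, detail in findings)


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    print(render(daily_report(parse(TODAY_LOG), base)))
```

Yesterday as the baseline is the bare minimum; in practice you accumulate weeks, so that a rarely visited but legitimate site is not reported as new every day. The point is the talk’s point: the report is short enough to actually read every morning, which is what makes the 100-day dwell time shrink.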

 

Get ahead of future problems, and contact us to review your logging environment.

Protect Privacy of Client Data using New Ways

Do you want to actually improve your level of Cybersecurity?

What will you do differently today or in the next few months better than last year?

As in our past post, the GDPR has laid out new regulations that affect any entity holding data of an EU resident where there is an impact on any of the following:

  1. Private and family life, home and communications data
  2. Physical and mental integrity
  3. Personal data
  4. Freedom to work and choose an occupation
  5. Freedom of thought, conscience and religion
  6. Freedom of expression

The key in this graph is to be near the green shaded squares and away from the bright red squares: a high probability combined with a critical impact is bad and requires focus, whereas an unlikely event with negligible impact is not so important to focus on.

The problem is to find the critical-impact, high-probability events, and to present them in a way that is easy to see.

In the computer world we have focused almost exclusively on personal data (PII, Personally Identifiable Information).

But there are more difficult to identify privacy concerns such as:

What does it mean to protect freedom of expression?

Say someone follows a political cause, like Greenpeace, and another non-profit has an interest in finding new donors. Here is a Google search that had a “People also search for” area:

So keeping even a log of searches or other information might lessen some freedom.

Freedom to choose an occupation?

How can a lack of privacy undermine your freedom to choose an occupation? Besides the pictures on Facebook of your late-night parties, what if you say one thing on Facebook and another in an interview?

Freedom of thought?

Curtailing of freedom of thought may be happening already, and some of it may be “good”: if you are a criminal trying to list illegal items for sale, the filters may not let you. Your freedom was curtailed, but less illegal activity on the Internet is desirable overall. Other curtailing, of the “my politics are better than yours” kind, is far more complicated to police or even to attempt to make fair, since it is in the eye of the beholder, so politics may not be policeable at all. This depends on the country: the USA has a unique constitution with respect to freedom of the press and speech.

Private and home communications?

Here the advertiser’s nirvana is to learn how you use ‘stuff’ so they can adjust their pitch and make you buy their ‘stuff’ instead. So how much private information should be ‘clouded’? Too bad there are no smoke generators, where one could emit a bunch of junk signals that leave the advertiser confused.

 

So you can see that cyber is about people and information. As an interesting Black Hat keynote on YouTube (presented by The Grugq) put it: cyber is a new dimension in conflict which is still not fully theorized or conceptualized. Not that this is stopping anybody.

So we have to start focusing on privacy data protection in many new ways, using the GDPR as a start, if only because it shows how the regulatory bureaucracy initially thinks about privacy.

 

Contact us to get a start on the new privacy regulations to come.