Why Spend Time On Cybersecurity?

Security does not add value to the company, people, or product.  Why is Cybersecurity important?

As our lives become more connected (not less), our communications are on the Internet, our phone conversations are on the Internet, and the devices we keep on us and depend on for business and pleasure have to connect to the Internet.

This video is an attempt at explaining this complex subject:


If we connect to the Internet the problem is that we are also connected to all the digital criminals in the world. Ransomware can destroy our data and even ruin our businesses (40% of businesses were hit by Ransomware and 20% were forced to shut down).

The problem with the software these digital criminals write is that, like all software, it does not always behave as it is supposed to. So sometimes when your data is encrypted and lost, it may not get decrypted even if you pay them.

So the issue is that if we do not pay any attention to Cybersecurity, then eventually we will bump into the frailty of our digital lives. The simple truth is that the people who do not pay attention may not know they could go out of business if hit with a catastrophic Cybersecurity event. We are used to watching the news, and in our connected world we see a storm coming that could potentially destroy our buildings. But in Cybersecurity everything is below the radar; there is even a “Darknet” where the digital criminal sells the information they stole from you.

Did you know that you are playing Cybersecurity Russian Roulette? Do you have a 500-barrel gun or a 1000-barrel gun?

What is your risk level? It tells you what size your Russian Roulette gun is.

Well, we have to find out what kind of software you have… and what vulnerabilities it has.

The attack timeline and the vulnerabilities tell the story of how the criminal gets into your systems and inserts Ransomware.

What can be done? Patch your devices, and learn how to perform risk management on all your digital devices.

You are playing Cybersecurity roulette whether you know it or not.

I know Cybersecurity is not simple, but you must start working on tackling it, or it will come to you soon enough.

Contact me to create a risk management profile and move away from risky cybersecurity practices.

What Are The Cybersecurity Top-10?

There is only so much time to work on anything, and Cybersecurity is no different: it requires a focus of IT Management (and of Cybersecurity specifically).


As far as Cybersecurity goes, what is it that we all must know and understand thoroughly?

  1. Ransomware defense and IT basics such as testing your backup (this means you have a valid backup)
  2. Weakest link = Human Social Engineering – If someone can call you and you give them access, how does a security department defend against this?
  3. NGFW (Next Generation FireWall) and other automation – A new, updated firewall is a must these days
  4. Threat Analysis
  5. Compliance only is weak
  6. Password Failure
  7. Simplify Instructions to Employees re: Cybersecurity
  8. Not enough training
  9. Governance process and procedure
  10. A good defense is a good offense (what does that mean in Cybersecurity?)


How did I come up with this list?


Previous posts and research.

Here are the previous posts or “reference points”:

#1 Ransomware: http://oversitesentry.com/another-hospital-computer-system-down-due-to-ransomware/ A German hospital was affected by Ransomware and was down a considerable length of time because it had to rebuild all the infected machines (likely from scratch). But that is not the only story. I tried to answer why ransomware is effective in this post:

The 7 common mistakes (listed in the post) are mistakes or failures in security procedures. The German hospital that got hit with ransomware did not have a proper backup.

#2 Social Engineering: This is a primary cause of concern, as human error is a major cause of security breaches, including at the DEFCON22 social engineering Capture the Flag event, where, needless to say, the retail teams were breached. If somebody calls you to ask for information about your computer and network, be very careful.

#3 NGFW: The Next Generation FireWall, the successor to a standard firewall, and really a must in this day and age in a decent-sized operation.

(An NGFW can inspect applications as well as filter traffic by origin or destination.)


#4 Threat analysis: Cyber Threat Intelligence is used to help us defend and make the job of the attacker harder, i.e. the attacker's “Pyramid Of Pain” needs to be closer to the top.

FireEye has attempted to explain threat intel with a pyramid representation, and I use it here as an industry standard.

#5 Compliance only is weak – and I discuss that in several ways.


If your focus is so narrow that you only work on checking off every item on a compliance list, then you will miss the company's overall security.

#6 Weak passwords and other Password Failures (like 90% of all Point of Sale systems still having default passwords). Our weakness in not solving password management hurts many organizations.

#7 Simplify Instructions to Employees, as logistical problems create issues and thus hamper Cybersecurity. Some security issues are complicated, and IT terms may cloud what non-IT people have to review and learn. Why is simple important? Tom Kolditz of West Point explains: “No plan survives contact with the enemy.”

#8 Not enough training with regard to cybersecurity. No employee should ever answer a phone call and give out too much information or click on bad emails, and every employee should set up good passwords, but there is a bigger problem: the general sense that we are getting inundated with more and more information, IoT, Denial of Service, and more complexity. This complexity creates confusion in regular people, which needs to be reviewed and trained.

#9 Governance Process and Procedure. Writing complete procedures will be difficult, as all procedures are, but once done it will be good for the people and the company.

#10 Test your network by getting a red team which will act like an attacker. This issue could be ranked higher, and is maybe one of the most important items. “The best defense is a good offense” is a well-known adage, and the way it is used in Cybersecurity is that the red team is the offense and the blue team is the defense.

This post and image explain red vs blue team as well:


Contact US to review your own Cybersecurity priorities.

Why is Ransomware so Effective?

Most people do not think about security in general. We ignore risks when addressing them costs money and time, because of an inherent human impulse to do so.


I have discussed this before in the last post of 2016:

How bad is it? Will Cybersecurity get worse?

The problem is one of business decisions, which means a little bit of knowledge and a little bit of psychology; it does not have to do with technical capabilities.

What is the worst problem that can happen to you in your business?

Lose all your data? I.e. without a backup!

That is what can happen with a phenomenon called “Ransomware”.

What do you think the 7 common causes of companies getting hacked are? (From a DarkReading article.)

  1. Failure to check code before it is deployed
  2. Leaving source code exposed
  3. Failure to change default passwords
  4. Poor patching process
  5. Human error in social engineering, phishing
  6. Poor exfiltration control
  7. Failure to recognize infiltration


All 7 common causes are mistakes or failures in operating information technology in one way or another, and they are directly related to human failures in security procedures.

Remember from Bruce Schneier’s Psychology of Security: 70% of us do not believe that it is wise to spend money on risk avoidance, and there are other things that we as humans naturally tend to do.


So the bottom line? Ransomware is not going away. Criminals will make more money and make better Ransomware.

I am sure you, the reader, do not have problems, and are paying just enough attention to deny the criminal any actual pound of flesh (data to exploit).


The key to improving your OODA Loop (Observe, Orient, Decide, and Act) is to reduce the time delay and to actually apply patches or reconfigure devices properly.

The only way to ensure that this has been done by your team is to test them with an outside testing person/agency.

There are many stories of Ransomware failures, and here is another one (01/20/17): Fox2Now (Channel 2, Saint Louis) reports that the Saint Louis Library system had 1000 systems infected with Ransomware, because once one system is infected it can affect other systems on the network.

In this story there will be no payment, as the systems will just have to be reinitialized (reinstalled from scratch).

But something is wrong there, so it will possibly happen again until the process and procedure failure is rectified.

Contact US to help you fix your processes to prevent ransomware.


Planning Security? You must know TTP

In this new year of 2017 it is good to know your past, so as not to create the same situation in the future.

But what is TTP you say?

TTP – Tactics, Techniques, and Procedures.

By that I mean the tactics and procedures of you and your IT team, of course.

Some call this acronym Tools, Techniques, and Procedures, which is very close to, if not the same as, the first meaning, as your IT team must have some tools to use within their tactics for defending the network and computer devices.

It is interesting to note that TTP is used not just in Cybersecurity, but in terrorism security as well:

Oodaloop discusses a form of TTP.

OODA stands for Observe, Orient, Decide, and Act, and this was originally developed by Col. Boyd during the Korean War for use in air-to-air combat.

Image above from hroarr.com webpage

The OODA loop can apply to Cybersecurity with a small amount of tweaking.

The above image equates Observe with looking at network traffic and logs on the firewall and computer systems.

Orient is where we analyze the logs and network traffic with a certain time delay, as it takes time and manpower to review these items. (This is also the place to do a pentest or vulnerability analysis.)

Decide is next, where we have to decide what to do with the data we are analyzing. Of course, analyzing and deciding what to do can take time, especially in large environments.

The final point in the process is to Act: test, patch, and reconfigure.

As this video from Derbycon last year mentions, we have to find ways to reduce our time to detection: use new methods, learn new methods.

As the Marines say: Adapt, Overcome, Improvise, and get the job done.

So we need to continue to learn new methods of detecting threats in our environments.


The devil is in the details… as we have to find actual new threats to detect. Testing for those threats is a good idea, and time is actually on the attacker's side, as they only have to get in once and then the game changes. Once attackers are in your network, it is much harder to deny them more information and access to the data we are defending.

TTP is Tactics, Techniques and Procedures, and if the IT department is not aware of the new attacks the bad guys are coming in with, then the current actions are not good enough. Knowing your TTP means understanding the OODA loop and its weaknesses. Knowing your weaknesses should also show you which areas need the most review.

Notice the time delay in Boyd’s OODA loop and how I specifically added it in my drawing to signify our occasional lack of forthright ability and general malaise, especially when we don’t know the baseline (for example: what is good and bad traffic?).

Is it enough to go about your day and entrust your network to a blue team? (A blue team is the combined effort to defend your network.)

If we knew all the exact ways the attackers would attack, we would never be breached. But we have to find new ways to find the new attacks that we don’t know about yet.

Remember more military axioms:

  1. Your best plans will change on contact with the enemy
  2. What you really need to worry about is the unknown unknown… i.e. the breach that you can't see in any logs.


You don’t want to see your company in lights, in the papers, the online journals that explain how companies get breached.

Contact Us to help you with the process of improving detection of attackers, and improving your security policy.



How bad is it? Will Cybersecurity get worse?

I know there are many macro statistics, which we have discussed on this site:

Describing The Cyber Neighborhood

For example, Cisco determined that by 2020 there will be 50 Billion devices on the Internet, and we are well on our way to fulfilling this prediction. Bla bla bla…

Forgive me for a minute…

I don’t like to talk politics and say X did this and I don’t agree with Y (insert your politicians for X and Y). I just want to point out that talking politics, even sensibly with facts and such, does not change many minds.


I don’t know if you are a Trump supporter or not, but it is interesting to note that many of the Trump naysayers from the very beginning did not understand him (but were 100% certain they were right).

And then the election actually occurs on November 9th and he wins (again proving all the ‘experts’ were wrong), and now the exact people who did not think Trump was going to win are incredulous about the election, and are not shy about telling you how to think about it.


Ok Back to your regularly scheduled programming…


Now I would like you to talk to someone about a subject on which they have preconceived notions and tell them they are essentially WRONG. How well will that argument go?

I.e. Cybersecurity will get worse next year, just like all the years before. So if you have done nothing or very little in the last year and are NOT interested in thinking about it at all, there is likely nothing I can say to change your mind.

I am not interested in changing your mind if you have no understanding and think you will not be affected next year just like this year.


The biggest problem with Cybersecurity is that it is very complicated, has many pitfalls and potential issues, and on top of that it ultimately ‘depends’ on how much you are defending. But the defense could fail spectacularly, to the point of going out of business, if the situation is right. Of course, the devil is in the details.

I can give you proof that this is happening:

https://blog.knowbe4.com/paychex-60-of-hacked-smbs-are-out-of-business-6-months-later In this blog post at KnowBe4, Stu Sjouwerman discusses Paychex (the payroll services company); the data came from the National Cyber Security Alliance infographic.

It is worthwhile to review the information from NCSA.

Small businesses have been targeted: according to NCSA, 70% of them.

Out of those 70% who have been targeted, some have experienced cyber attacks, and of those with successful cyber attacks, 60% go out of business within 6 months.

To me the numbers are staggering, but they make complete sense.

IF you do absolutely nothing about Cybersecurity and get hit with a catastrophic attack (like Ransomware), which is very prevalent these days, AND you did not have a tested, reviewed backup which actually restored your data, you might actually have to pay the Criminals to get your data back.

In my last post (last week) I noted that IBM surveyed a number of business executives and found that 70% of the executives paid to resolve the hack.

Now let me ask you something…  If you paid once will you pay again?

What makes you think this will be easy next year? The criminals will hire young kids who code in their sleep to hack your systems to make more money (with the money you paid them).

So I have made a proof-positive case that small business people have to do something to solve this problem (Cybersecurity). But will it actually help?

Because proving that a backup actually works is complicated and costs a lot of money and time for all of the employees (as they have to check the data). But if you do not do it, and the ransomware "tech support" did not set up their software correctly, you may have lost your data forever. And if you do it, nothing visibly improves in your business, as this is not a “sales” decision.

So if x, then y, and then out of business. What would happen tomorrow if you lost your data and had to recreate it?

What would happen on the off chance that a tsunami blows down your house? Let’s forget about whether you are near an ocean or not. Imagine a bad calamity, since if I explained some cyber cause most people would not understand.

ULTIMATELY this is a BUSINESS DECISION. (not technical)

We have to spend time and effort to test a backup, just in case of a calamity. Yes, it could be a cybersecurity problem, but it could also be a physical problem.
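Proving a backup works means actually restoring it and checking what came back. The following is an added example (not code from the original post) of such a restore test in Python: it backs up a constructed sample directory into a tar archive with a SHA-256 manifest, restores it into scratch space and compares every file, then shows the same check catching a backup that was re-taken after ransomware had overwritten the source tree. The directory and file names are made up for the demo.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def make_backup(src: Path, archive: Path) -> dict:
    """Archive every file under src and return a {relative path: sha256} manifest."""
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    return manifest

def verify_restore(archive: Path, manifest: dict) -> list:
    """Really restore into a scratch directory and check every file against the
    manifest. Returns a list of problems; an empty list means the backup is good."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive), "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # refuses '..' / absolute members
            except TypeError:  # Python without the tarfile filter argument
                tar.extractall(scratch)
        for rel, expected in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"hash mismatch: {rel}")
    return problems

def demo() -> tuple:
    """Constructed sample data: a tiny 'office' tree is restore-tested while healthy,
    then again after the backup job re-ran over a tree ransomware has overwritten."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "office"
        (src / "accounts").mkdir(parents=True)
        (src / "accounts" / "ledger.csv").write_text("date,amount\n2017-01-20,144000\n")
        (src / "readme.txt").write_text("constructed sample data\n")
        archive = Path(work) / "office.tar.gz"
        manifest = make_backup(src, archive)          # keep this known-good manifest
        healthy = verify_restore(archive, manifest)
        (src / "accounts" / "ledger.csv").write_bytes(b"\x00ENCRYPTED\x00")  # simulated damage
        (src / "readme.txt").unlink()
        make_backup(src, archive)  # the nightly job overwrote the only backup copy
        damaged = verify_restore(archive, manifest)   # compare against the known-good manifest
        return healthy, damaged
```

The healthy run returns no problems; the second run reports the overwritten ledger as a hash mismatch and the deleted readme as missing, which is exactly the "backup that was never tested" failure the post warns about.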

I would like to see the number of SMBs that go out of business in 2017, at least due to a Cybersecurity attack, go to near zero.

We do have to talk to business leaders in their language: money. So let's watch what we say, and watch what their peers and financial people say, such as:

ABA The ins and outs of Cybersecurity Insurance

So maybe businesses need more insurance, because the median claim payout is $144k and the average payout is $733k.

Median cost per breach expense: $110k; average cost for breach response services: $366k.

I won't list the legal costs, as those can always balloon.

Most interesting: hackers were the most frequent cause of data loss, followed by employee mistakes (32%).


So as a business decision you should get Cyber Insurance (and I don’t sell it).

But before you get it you have to do a risk assessment, and the risk assessment has to weigh the potential risks against real and maybe even unknown threats.

Look at this extortion threat to a bank:

So an insurance claim could be due to a client with intimate knowledge of your information and infrastructure that could cause serious harm to you and your reputation.

This is unfortunate but in the realm of reality these days.

I found the actual Security Survey post in NCSA:

  • A Majority of SMBs Believe Security Is Critical to Their Success and Brand: Seventy-three percent of SMBs say a safe and trusted Internet is critical to their success, and 77 percent say a strong cybersecurity and online safety posture is good for their company’s brand.
  • SMBs Unprepared to Handle Data Breach Losses: Nearly six out of 10 (59 percent) SMBs do not have a contingency plan outlining procedures for responding and reporting data breach losses.
  • Two-thirds of SMBs Aren’t Concerned About Cyber Threats: Sixty-six percent of SMBs are not concerned about cyber threats – either external or internal. External threats include a hacker or cyber-criminal stealing data while internal threats include an employee, ex-employee, or contractor/consultant stealing data.

This makes sense to me, as that is what I have experienced: essentially everyone believes Cyber Security is important, but they do not understand the actual details of how to be safer, or they are not concerned at all. Which is why, when a cyber-tsunami (Ransomware on critical data without a backup) blows you over, in 6 months the small business is out of business.

As many people say…  BOOOM!!!


Let me help you develop a security policy and review your risk management, since the current risk management models are not working. Start your education so you understand the risks, as this is not an easy subject to break down.

What exactly are the costs in a successful data breach? And what would actually happen with your business after a successful breach?

“Risk Management Failed Us” is an article I wrote quite some time ago, but it is still apt.


Contact US: Tony Zafiropoulos – tonyz “@” fixvirus.com