2nd Quarter Almost Over – Time to Reassess and Plan

There seem to be a few posts doing a bit of reflection:

Internet Storm Center: “An occasional Look in the Rear View Mirror” suggests that every so often you look at what you are running to see whether anything can be retired.

At year end we look back over the year and set new goals for the next one.

So what will happen in 3Q/4Q? Will we develop new and better procedures, guidelines and other items to improve our organizations?

With a couple of weeks left in the quarter it would be a good time to review and reassess any plans you had, and redo them if necessary.

Dark Reading: “Why Compromised Identities Are IT’s Fault”

Yes, it is IT’s fault, because IT has to do a better job of policing itself where it matters. But since it is hard to police yourself, an outside entity should do it.

Dark Reading claims:

“Before an organization can fight identity-based attacks, it must survive its own internal battle between IT and security. There are two battle fronts. The first: identity access management (IAM) typically comes under the control of the CIO, where more access is better than less to enable business processes at customer speed, even more so for mobility and cloud projects. IAM is not managed by the CISO, even though identity-based risks are at the core of security issues that keep CISOs up at night. This first front can be summarized as the CIO and CISO divide.”

So somewhere along the line security lost a small battle (or a big one). In an audit program (or framework) the outside entity is independent and ultimately reports to accountable people (the board or the exec team).

It does not have to be a fight… errr, discussion between the CISO and the CIO over whether productivity or security should ‘win’.

ISACA’s IT Assurance Framework (ITAF) is an audit guideline, and the basics are the following:

  1. Plan the audit
  2. Risk assessment of the plan
  3. Audit IT functions under supervision (test the network, servers, software functions and more)
  4. Document the audit work
  5. Create reports out of the tests, identifying ineffective controls, control deficiencies, and what these problems would mean for the business
  6. Evidence for the test results and conclusions must be presented
  7. Other experts may have to be used to find specific issues (a DBA, or database administrator, for example)
  8. Note irregularities or illegal acts, and reduce risks to an acceptable level

One of the tenets of an auditor is being ethical in creating the audit tests. The reason is that if one does not have expertise in a section of IT that needs audit work, an expert in that field must be brought in. For example, if the company has an agile programming project and the auditor does not understand agile programming techniques, the auditor must get an agile programming expert to review the project.


So the ethics of the auditor are very important: knowing when to ask for help is good, as is having the sense to know when to stop. Knowing to do the right thing is important.

Contact us to review your situation.

OneLogin Security Failure Spotlights Even the “Experts” Get Hacked

So what to make of the OneLogin security incident?

What do you do when even the “experts” get hacked and have potentially lost your confidence and your data?

Unfortunately, in this case it is (potentially) usernames and passwords, as it is not obvious what was removed or accessed, since a lot of data is encrypted at OneLogin.

The function of OneLogin is, of course, to provide a secure way of logging into your environment with a single password or authentication method.

So what are a user and an IT department to do about password management?

Don’t do what Sony did and store your passwords in an Excel file.

Compliance standards require password management to meet a minimum set of parameters:

  1. at least a certain length (roughly 10 or more characters) with a certain complexity (letters plus numbers and/or special characters)
  2. a lockout duration, e.g. after incorrect entries, lock access for 30 minutes
  3. inactivity (idle) lockouts
  4. unique IDs and passwords (do not reuse)
  5. do not reuse passwords across multiple entities
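The five parameters above turned into working code, as an added example that is not OneLogin’s or any vendor’s code. The post gives no figure for how many failed attempts trigger the lockout or for the idle timeout, so the 5-attempt and 15-minute values below are assumptions; the entity names in the usage are placeholders.

```python
"""Added example: enforcing the password parameters listed above.

The post gives no figure for attempts-before-lockout or for the idle
timeout, so LOCKOUT_AFTER and IDLE_SECONDS are assumptions here.
"""
import hashlib
import hmac
import os
import re

MIN_LENGTH = 10            # item 1: "~10 or more" characters
LOCKOUT_AFTER = 5          # assumed: failed attempts before the account locks
LOCKOUT_SECONDS = 30 * 60  # item 2: lock access for 30 minutes
IDLE_SECONDS = 15 * 60     # item 3: assumed idle timeout


def policy_violations(password):
    """Return the item-1 rules (length, complexity) a candidate breaks; empty list means OK."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"\d", password):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special characters")
    return problems


def _hash(password, salt):
    """Salted PBKDF2; the store never keeps the clear-text password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PasswordVault:
    """One salted hash per entity (platform, network, ...). Refuses a password
    that is already in use for a different entity (items 4 and 5)."""

    def __init__(self):
        self._entries = {}  # entity -> (salt, digest)

    def set_password(self, entity, password):
        problems = policy_violations(password)
        if problems:
            raise ValueError("policy: " + ", ".join(problems))
        # Reuse can only be detected at change time, while the clear text is in hand.
        for other, (salt, digest) in self._entries.items():
            if other != entity and hmac.compare_digest(_hash(password, salt), digest):
                raise ValueError("password already used for " + other)
        salt = os.urandom(16)
        self._entries[entity] = (salt, _hash(password, salt))

    def verify(self, entity, password):
        entry = self._entries.get(entity)
        if entry is None:
            return False
        salt, digest = entry
        return hmac.compare_digest(_hash(password, salt), digest)


class LoginGuard:
    """Failed-attempt lockout (item 2) and idle-session expiry (item 3).
    `now` is epoch seconds so the behaviour can be exercised without sleeping."""

    def __init__(self, vault):
        self.vault = vault
        self.failures = {}      # entity -> consecutive failed attempts
        self.locked_until = {}  # entity -> epoch seconds when the lock lifts
        self.last_seen = {}     # entity -> epoch seconds of last activity

    def login(self, entity, password, now):
        if now < self.locked_until.get(entity, 0):
            return "locked"  # still inside the 30-minute window
        if self.vault.verify(entity, password):
            self.failures[entity] = 0
            self.last_seen[entity] = now
            return "ok"
        self.failures[entity] = self.failures.get(entity, 0) + 1
        if self.failures[entity] >= LOCKOUT_AFTER:
            self.locked_until[entity] = now + LOCKOUT_SECONDS
            self.failures[entity] = 0
        return "failed"

    def session_active(self, entity, now):
        """False once the session has been idle for IDLE_SECONDS or more."""
        last = self.last_seen.get(entity)
        return last is not None and now - last < IDLE_SECONDS

    def touch(self, entity, now):
        """Record activity; an expired session is not revived by touching it."""
        if self.session_active(entity, now):
            self.last_seen[entity] = now
```

Note that reuse across entities (item 5) can only be caught when a password is being set, because that is the only moment the clear text is available to compare against the other entities’ salted hashes; a store that only holds hashes cannot audit reuse after the fact.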


So why did you set up a OneLogin system? To make it easier to access a variety of platforms and networks. We did not expect OneLogin to have a security problem that makes the very act of logging in securely fail; now the potential is there that the hackers have your user ID and password, and since you have made it easier to access your network, the whole network is accessible to them.

This is usually an acceptable risk for the most part, but if you have a computer system and database that would be especially problematic if hacked, I would set up a separate authentication path, independent of the OneLogin setup, even though this makes things more difficult.

As I have discussed before, perfect security is not possible, especially if you also want functionality.


The real question is what kind of Russian roulette you want to play with your business.

The game is this (it depends on your situation, of course): every day you pull the trigger on an X-barrel gun, and if the barrel actually has a bullet in it, a security event has occurred. So the idea is to have a very large gun with lots of barrels (like 500), so that at least the chance of a security event on any given day is low.

Here the funny thing about probability comes in.

In a true 1-in-500 event you may never actually hit it. On average you would expect a hit once every 500 days, about a year and four months, but even after two years there is still roughly a one-in-four chance that the chamber has never fired. We also have another problem: how do we accurately represent the risk of the organization? How big is your “risk gun”?

I made these 1000-barrel units, as well as a 500-barrel one, to try to represent what a physical security risk gun would look like.

So, since Risk = Impact * Likelihood, the higher the impact, the higher your risk: at the same likelihood, a high-impact system carries more risk than a low-impact one. Now we get into the subjective gauge of likelihood. This is where the setting becomes fluid and can create many problems as circumstances change: new malware is introduced, machines go unpatched, and so on.

So risk becomes a moving target that has to be assessed by an independent person, so as to approximate it as well as possible under the circumstances. This is where you figure out whether, for each day, the risk is 1 in 1000 (low), 1 in 500 (not low, but higher), 1 in 300 (medium) or 1 in 150 (high).
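To make the daily odds above concrete, here is an added example (not from the original post) that treats each day as an independent pull of the trigger, uses the post’s own likelihood buckets, and computes what they mean over a year and how long it takes before a hit becomes more likely than not. The $50,000 impact in the usage line is an assumed placeholder.

```python
"""Added example: what the post's "risk gun" odds mean over a year.

Each day is an independent trial with probability p of a security event,
exactly as in the Russian-roulette picture above.
"""
import math

# The post's daily likelihood buckets (odds of a hit on any one day).
BUCKETS = {"low": 1 / 1000, "not low": 1 / 500, "medium": 1 / 300, "high": 1 / 150}


def prob_at_least_one(p_daily, days):
    """P(at least one event in `days` trials) = 1 - (1 - p)^days."""
    return 1.0 - (1.0 - p_daily) ** days


def median_days_to_event(p_daily):
    """Days after which the chance of having been hit at least once reaches 50%."""
    return math.log(0.5) / math.log(1.0 - p_daily)


def expected_annual_loss(impact, p_daily, days=365):
    """Risk = Impact * Likelihood, annualised: expected events per year times impact."""
    return impact * p_daily * days


def risk_table(impact, days=365):
    """One row per bucket: name, odds, P(hit within `days`), expected loss."""
    rows = []
    for name, p in BUCKETS.items():
        rows.append((name, "1 in %d" % round(1 / p),
                     prob_at_least_one(p, days), expected_annual_loss(impact, p, days)))
    return rows


if __name__ == "__main__":
    # Assumed placeholder impact of $50,000 per event.
    for name, odds, p_year, eal in risk_table(impact=50_000):
        print(f"{name:8} {odds:10} P(hit within a year) = {p_year:5.1%}   "
              f"expected annual loss = ${eal:,.0f}")
    print(f"1 in 500 per day: a hit is more likely than not after "
          f"{median_days_to_event(1 / 500):.0f} days")
```

The point the table makes is that a “low” 1-in-1000 gun still gives about a 31% chance of a hit within a year, and the 1-in-500 gun about 52%; “rare per day” is not “rare per year”, which is exactly why the impact side of Risk = Impact * Likelihood matters so much for a single sign-on system.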

So when you have a single sign-on application it had better be checked for security; otherwise the risk is greater, since the impact is great.

Contact us to review.

Heart Pacemakers Need Cybersecurity Upgrades

OK, so this has not happened yet, where somebody hacks your pacemaker, connects to your phone and says:

Pay up or your heart will flutter.

But according to a Threatpost story we are almost there (my interpretation):

“Pacemaker Ecosystem Fails Its Cybersecurity Checkup”

There have not been any cases of ransomware or other cybersecurity incidents on pacemakers, but this report suggests it would be good if some authentication (any at all) were built into the devices, as no one knows what kind of shenanigans criminal hijackers could create.

And mark this point in time: criminal hackers will create shenanigans. There will be methods yet unknown,

think DoS, or denial of service.

Sure, you may not need the pacemaker all the time, but you need it at certain times. What if it does not operate as it should? Whose fault is it: the hacker’s, the doctors’ or the pacemaker manufacturer’s?

I found this email very interesting:

“They need to make sure projects meet requirements should it touch any government data

  • #1 priority is a technical person, they can teach security guidelines”

The email is from a recruiter looking for a certain type of security analyst, one who will look over shoulders, review code and help programmers and others code with a security mindset.

Here you can see the germination of a security agenda at this entity.

This is a good thing, and this position should be just one part, with the other part a security testing regime, which I did not see mentioned in the qualifications.

The overall cybersecurity problem is complexity, and that is why an unfettered testing department is needed to check on the programming department, even one where cybersecurity is important and built in.

Just because you write good code with cybersecurity in mind, does that mean it is secure?

One must still test the code to reduce the risk of security problems further.


Should CyberSecurity Be An IT Thing?

Before we can answer who should be in charge of Cybersecurity…

What is Cybersecurity?

Here is Google’s definition:

“The state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this.”

So cybersecurity really means patching and upgrading your devices, configuring them so that unauthorized access is not possible, and creating good security practices that reduce the chance of cybersecurity ‘events’. That is, we want the people who are supposed to use computer resources to use them, and not others, like criminals or ransomware bots.

ISACA (Information Systems Audit and Control Association) has another cybersecurity definition that adds cyberrisk.

“To understand Cybersecurity we must define the term cyberrisk”

“Cyberrisk is not one specific risk, it is a group of risks, which differ in technology, attack vectors, means, etc. “

The problem with this definition is that you have to have an understanding of risk, which is fine for most IT professionals, but risk in IT is not understood by IT lay people (people who do not understand IT).

The CxO ultimately makes the decisions and cannot understand IT to the depth most IT people do, so there will always be a gulf of misunderstanding. But the CEO does understand business risk, so we as IT professionals need to set up an environment where we can explain cybersecurity in terms of business risk.

The disconnect is over what can happen and how much money needs to be budgeted to ensure that cyberrisk is minimized.

Given the cyberrisk of ransomware, enough resources must be budgeted to successfully complete Plan A or Plan B:

  1. Plan A: patch all systems (assuming resources are available)
  2. Plan B: if you do get hit with ransomware, you had better have a functioning backup.

Your decision loop takes longer than the attacker’s; all they do is find new exploits and attack.

Businesses have to budget, purchase stuff, and execute. This always takes longer than the attacker finding new exploits.

So the attackers are always ahead of the game.


Now how should we answer the question of who should be in charge of cybersecurity? Should IT be in charge? I think there is no way around it: the new executive must understand a certain level of cybersecurity to talk to IT with understanding, and since cybersecurity affects the whole company, only the senior execs should be in charge. But they just drive the whole thing (or are supposed to). The true answer is that everyone is in charge of security.

Contact us to discuss your cyberrisk.

Cisco Cybersecurity Report: “It’s Mighty Sporting Out There” Wanacry Now?

Cybersecurity in the news:

WannaCry ransomware is hitting the news cycle, with many high-profile organizations having to admit they got hit, which means they did not patch their machines for one reason or another.

This focus on Cybersecurity is only short term, as the headlines change in the coming days there will be less focus again.

Even in the darkest moments there is always a way back from the depths of despair, even if all your data is destroyed with no backup (time to dust off the paper processes).

Recently Cisco came out with its 2017 Annual Cybersecurity Report.

If you look at the potential threats facing defenders, it is fairly even, with mobile, cloud data, cloud infrastructure and user behavior all rated as high threats.

The interesting chart for me is the consistent belief that _we_ do not have a problem.

And the reason? Cybersecurity as a high priority still scores only 63% at best, and as low as 55%. This may be better than last year, but we have a long way to go.

Cisco’s 2017 report mostly discusses malware, attacker behavior, and the fact that spam carries most of the malware that attacks us.

It might be useful to review the economics of attackers using spam. If a spammer uses a service to send out a million emails for $20-$40, then all he needs is one ransomware payment of $300 to get roughly a sevenfold return. With a bit of luck there are 2-6 responses; with 5 ransomware ‘hits’ bringing in $1,500 against $40 in spam cost plus whatever the payload and infrastructure (if any) cost, say $200 in total, it is still roughly a sevenfold return.

Needless to say, we will not see a reduction in ‘spam with malware’; if anything we will see an increase, since everyone wants to make more money next year.

The problem with cybersecurity is that it does not affect people 100% of the time. It is not a certainty, and so a sense of false bravado exists. But we will be affected, as we are all connected. What happens is that the weak link, the weakest machine, gets hacked; and then, if there is more money to be made, there will be further issues and further hacks.

As in the next image: the lowest-hanging fruit gets hacked first, and from there it is easier to hack the high-profile systems.

As in my previous post, the YouTube video by Saumil explains that we need to develop new methods of defense that definitively defend our systems, rather than just giving a “high likelihood” or “low likelihood” of risk.

Setting cybersecurity as a high priority also means setting good policies and committing resources. Even though you do not want to think about it, it has a tendency to come and bite you. Better to be prepared and stave off the next ransomware Armageddon.

Contact us to discuss this.