Unknown Risks – Are you ready for 2019?

Are you ready for new year surprises?

Why is it that 60% of businesses fail after a major Cyber attack?

  1. Spam Email – most attacks come in through well-crafted emails (spear phishing)
  2. Social Engineering – an attacker can combine 1 and 4, then call you with a sneaky pretext to get onto your network.
  3. Darkweb – all the information gathered from 1, 2, 4, and 5 ends up here, for sale to other hackers. I.e. a cyber attacker does not need to be an expert at all of these, only at 1, and can buy the rest.
  4. Facebook Hacks – or other social media. Hackers use social media to profile you and then use 1 & 2 to attack you
  5. IoT (Internet of Things) in the house – vulnerabilities are not patched and attacks come in through IoT devices
  6. Unknown Zero-Day – an unknown, sophisticated attack using non-defensible methods (i.e. one that cannot be defended against)

Smallbiztrends.com says: 60% of small companies go out of business within 6 months of a cyber attack.

I want to discuss why that is.

Let’s assume our small business is like most small businesses: living “paycheck-to-paycheck” in a small-biz manner. I.e. there is enough business to make payroll and to do a few things for the business: small changes for new technological improvements (new computer, new phones, website improvements). But is there enough time and effort to overhaul IT cyberdefense? Why overhaul when you can make adjustments, since with adjustments we can still stay alive and keep on surviving another year?

What if an unforeseen attack occurs that we are not ready for? Then we have to reconstruct our IT information “from scratch”, i.e. from non-electronic sources. In that case a lot of things can go wrong, and if expenses go too high or it takes too long to reconstruct, one can easily see how it might be easier for the small business to close than to take on a huge debt burden. This is why 60% of small businesses go out of business after a successful cyber attack.

The attacks coming into your business are no longer from loner hackers or your neighborhood geek with too much time on his hands… The attackers are sophisticated and broad, and they come daily because it is easy to set up thousands or millions of attacks using previously purchased databases of information stolen in past years’ hacks and sold on the Darkweb. The hacker uses his computer knowledge and this information to craft sneaky spear phishing attacks. Once on the network it could be months before you actually find out what is happening, since he will sell his access to your network to others who are experts at extracting money out of you.

So the hacker’s goal is to employ a number of experts over time to infiltrate and eventually extract money through extortion scams and ransomware schemes… FBI news and tips for dealing with Ransomware.

New IoT attack examples from Anson McCade’s Twitter feed:

So in the future a crafty, sneaky attacker could control more than your business servers, but also your fitness devices and more. I.e. pay the hacker $1000 or else …

Contact us to update and overhaul your cyberdefense methods.

Innovation and Cybersecurity

Amazon versus Sears: innovation comparisons

The obvious angle (in 2018) is to applaud Amazon and chide Sears for massive technological progress and stagnation respectively.

Sure, Sears did well in its day by pioneering catalogs and selling many things one does not think of as catalog goods (houses and cars). But somehow when internet technology came into being they were not interested in _this_ new “catalog”. The reason I mention this phenomenon is that it is very hard for CEOs to see the future with a new technology. One must live and breathe it (like Mr Bezos did). What does it mean to “live and breathe it”?

In my opinion it requires a CEO to understand the underlying technology, which nicely segues into Cybersecurity. If cybersecurity is not built in from scratch (from the beginning), adding security after the software is built can make it difficult if not impossible to create true Cybersecurity. In the picture above there is also an image of hurricanes which are either over land or moving there. Which company can better absorb a “hurricane of a market”? Or an actual hurricane, with the required disaster recovery plans?

Let’s list some of the risks a CEO has to think about in navigating a strategy for the future:

  1. Innovation (how to be a better company with more profits)
  2. Economic environment (general economy)
  3. Regulations (government or industry)
  4. Labor Issues (employee problems)
  5. Natural disasters (including hurricanes – electrical storms etc)
  6. Criminal endeavors (including cybersecurity)
  7. New Competitors (with technological improvements)
  8. Miscommunications by CEO or other officers that cause production problems

What order should your specific list be in?

Maybe you have Labor issues first? then Production problems, competitors and Economic environment.

Usually – Natural disasters and criminals are not in the major crosshairs of a typical company.

The reason people are not focusing on Cybersecurity is that the risk or threat does not seem to be that high in their eyes.

The VISA “Global Compromise Trends” informational image (from their presentation a couple of weeks ago) shows that current attacks are shifting from small merchants to eCommerce, financial institutions, and aggregators/integrators or resellers, i.e. entities that affect several small businesses.

So we find that, for now, small businesses are not in the immediate crosshairs. But the Armageddon is surely coming (Winter is Coming), and how can I say that? It is because the criminal element is always changing and learning… developing new methods to attack anyone on the Internet. As soon as you spend no time on Cybersecurity it will catch up with you, and it will happen quickly and with little forewarning. Not like a hurricane, which we can see forming offshore.

The expert analyst can see things coming, but most small businesses cannot. The technological advances are coming fast, and it is too hard to figure out what is really going to affect a business in the future from the following major themes:

  1. AI – Artificial Intelligence and Machine Learning (robots) are great improvements for humanity, and it is hard to say how they affect Cybersecurity/Innovation.
  2. Quantum Computing – Once the quantum computer has been built, encryption and Cybersecurity will change quickly as the game changes.
  3. Nanotechnology – was a rallying cry and buzzword for some time, and the tech has been improving. How does this affect your world? In some ways this is already happening in current 2018/2019 computers.
  4. Space tech – what will it change here on earth? Just like NASA’s moon program created many new technologies, the drive to go to Mars will do the same.

So how can futurists dabbling and current innovators striving make things more difficult for the current CEO? Well, it happened to Sears… in 18 years Sears went from a still-respectable retailer to a forlorn husk of its former self. Why? Because the Sears CEO of the year 2000 did not foresee the Internet as it is today; only 18 years later we cannot go without the Internet and everyone expects eCommerce to exist (this was not obvious in 2000). So how much time should you spend on the future?

Obviously it can’t be a majority of what we do, but we have to decide whether the future is worth 5-10% of your time. Out of a 40-hour work week, 2-4 hours could be spent on future endeavors. I believe this formula is a minimum.

The question is where and how you want to go with your future time, and I would like to discuss how solving the Cybersecurity problem for good (i.e. managing it on autopilot) will free up your time in innovation.

IF you build Cybersecurity into your operation then you really do not have to worry about criminals taking a big chunk of your technology (i.e. China), and then you can truly focus on the things that probably make life more interesting (new gadgets that will increase your market share).

Updated 20/23 noon: Wall Street Journal has an article  about the Ford CIO experimenting with Quantum Computers, as he signed a $100k 1-year contract with NASA’s Quantum Artificial Intelligence Laboratory. “Our mission is to be early enough in the game so that when it’s evolved to the point of maturity and applications that matter to the business, we’ll have an advantage,” said Ken Washington, Ford’s chief technology officer and vice president of research and advanced engineering, in an interview with CIO Journal.

Notice how important it is for the CIO to look to the future and innovate, just like I said above… quantum computers have the chance to completely change the game in computer processing power, as it may be x to the y power instead of 2 to the y with current binary technologies. x could be 4 or 10 or another number (this is being devised now), as the engineering for a quantum computer is challenging. The math is available, so all we need is the engineering to catch up with the theory.

So let me show you how Innovation and Cybersecurity intertwine and make for a better company today and into the future. Contact me to discuss.

NIST 800-171 Compliance Can be Done Quickly!

NIST 800-171 Compliance actually means DFARS Cybersecurity requirements must be met.

The NIST 800-171 requirements have always vexed small manufacturers due to their specific wordiness, so NIST (National Institute of Standards and Technology) has been trying to make this easier to understand with the following pdf: https://nvlpubs.nist.gov/nistpubs/hb/2017/NIST.HB.162.pdf

This is an important paragraph from the pdf:

Executive Order 13556, Controlled Unclassified Information, November 4, 2010, establishes that the Controlled Unclassified Information (CUI) Executive Agent, designated as the National Archives and Records Administration (NARA), shall develop and issue such directives as are necessary to implement the CUI Program. Consistent with this tasking and with the CUI Program’s mission to establish uniform policies and practices across the federal government, NARA issued a final federal regulation in 2016 that established the required controls and markings for CUI government-wide. This federal regulation binds agencies throughout the executive branch to uniformly apply the standard safeguards, markings, dissemination, and decontrol requirements established by the CUI Program.

So needless to say, if you are a small manufacturer and sell stuff to the US government you will have to be compliant, or else…. what is the “or else”? I surmise the “or else” is pretty bad, since there has been plenty of time for you to get on board with this new initiative. Admittedly it has been a chore to get through the NIST 800-171 documents up to now, as I discussed in June on this site.

Like this for example:

There are many such points in the document.

Here is the full list of 14 control families you have to work on (14 controls have to be set up):

  1. AC – Access Control
  2. AT – Awareness & Training
  3. AU – Audit & Accountability
  4. CM – Configuration Management
  5. IA – Identification and Authentication
  6. IR – Incident Response
  7. MA – Maintenance
  8. MP – Media Protection
  9. PS – Personnel Security
  10. PP – Physical Security
  11. RA – Risk Assessments
  12. SA – Security Assessments
  13. SC – System & Communications Protection
  14. SI – System & Information Integrity

None of these points are brain surgery, where you need 10-plus years of training and schooling. In fact your IT department can perform most of these in their regular work; they just need support from above (i.e. resources).

The one area the company cannot do effectively by itself is audit and accountability, as there is nothing like a person from outside the organization to bring a fresh point of view, or at least one without the company culture in mind. That is what we do here at Fixvirus.com.

So these 14 points should not dissuade you from becoming compliant. In fact, even if you do not have multi-factor authentication (Identification and Authentication) and it would take 6 months to implement, all you have to do is create a POAM, or Plan of Action and Milestones. So once you have written-up proof or POAMs then you are compliant – easy.

This is how I can state that you can come into “compliance” with NIST 800-171 quickly.

Contact us to review and discuss.

New Wi-Fi attack found on WPA2 using PMKID

This could make many Wi-Fi routers that were “thought safe” not so safe

Here is where paying attention to new attacks is important.

hashcat.net has the information:

This attack does not even need a full EAPOL 4-way handshake. EAPOL stands for Extensible Authentication Protocol (EAP) over LAN. A simple 4-way handshake is shown pictorially below (from hitchhikersguidetolearning.com).

This means that in the past an attack on Wi-Fi needed the EAPOL 4-way handshake to be captured. Capturing the 4-way handshake is sometimes difficult to achieve.

Instead, in this attack: “We receive all the data we need in the first EAPOL frame from the AP.”

First, one captures a sample initial message from the ‘Authenticator’ which includes a PMKID (run hcxdumptool).

Second, run hcxpcaptool to convert the captured data from pcapng format to a hash format accepted by hashcat.

Third, run hashcat to crack the string of data.

So now no 4-way handshake is needed, only the expertise to run a couple of scripts and to know how to set up the Wi-Fi capture using the Wi-Fi network card.

The comments on the hashcat webpage do mention that your Wi-Fi network card must be capable of capturing wlan traffic.
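Why a captured PMKID is enough for an offline guess, and what that means for the defender, as an added worked example (this is not code from the hashcat page or from the original post): in WPA2-Personal the PMK is derived only from the passphrase and the SSID, and the PMKID the AP sends in that first EAPOL frame is an HMAC over the PMK and the two MAC addresses. Nothing per-session goes in, so once a PMKID is in hand the only thing protecting the network is the passphrase’s entropy times the 4096 PBKDF2 rounds per guess. The PMK test vector (passphrase “password”, SSID “IEEE”) is the published IEEE 802.11 one; the MAC addresses and the guess rate used in the work-factor comparison are constructed assumptions for this example.

```python
import hashlib
import hmac
import math

PBKDF2_ITERATIONS = 4096  # fixed by the WPA2 specification


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key for WPA2-Personal: PBKDF2-HMAC-SHA1 over the
    passphrase, salted with the SSID, 4096 rounds, 256-bit output.
    No per-session value is involved, which is why a guess can be checked
    offline against a captured PMKID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, 32)


def pmkid_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID as carried in the AP's first EAPOL frame: the first 128 bits of
    HMAC-SHA1(PMK, "PMK Name" || AP MAC || station MAC)."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def passphrase_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a passphrase of `length` symbols drawn uniformly
    from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def expected_years_to_guess(bits: float, guesses_per_second: float) -> float:
    """Average time to hit a uniformly random passphrase at the given rate
    (on average half the keyspace must be searched)."""
    return (2 ** (bits - 1)) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Published IEEE 802.11 test vector for the PMK; the MACs are constructed.
    pmk = pmk_from_passphrase("password", "IEEE")
    print("PMK   ", pmk.hex())
    print("PMKID ", pmkid_from_pmk(pmk, bytes.fromhex("020000000001"),
                                   bytes.fromhex("020000000002")).hex())

    # Assumed guess rate for the comparison only; real rates depend on hardware.
    rate = 1_000_000.0
    for name, length, alphabet in [("8 lowercase letters", 8, 26),
                                   ("12 mixed alphanumerics", 12, 62),
                                   ("20 random printable ASCII", 20, 95)]:
        bits = passphrase_bits(length, alphabet)
        years = expected_years_to_guess(bits, rate)
        print(f"{name:28s} {bits:6.1f} bits  ~{years:.3g} years")
```

The comparison at the end is the point: an 8-letter lowercase passphrase (about 38 bits) falls in roughly a day at a million guesses a second, while a 20-character random one is out of reach for any rate. Since the PMKID is handed out by the AP, only passphrase strength (or moving to WPA3, whose SAE exchange no longer derives the PMK from the passphrase alone) changes that arithmetic.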

So this requires more review and investigations.

Contact us to try it on your network.

NIST 800-171 rev1 (Updated 6/7/2018)

This document was updated and created to protect CUI – Controlled Unclassified Information – for all government entities. So if you want to have a contract with the government you had better have a plan in place. Executive Order 13556 (Nov 4, 2010) created the Controlled Unclassified Information program to standardize unclassified information and designated NARA (National Archives and Records Administration) as its executive agent.

Interesting to note that all this standardization comes from a long list of departments in charge of classifying information. But in reality many of the requirements are similar to standards like PCI, COBIT 5, and others.

Notice that 800-171 requires a Security Assessment:

  1. Assess security controls in the organization – are they effective?
  2. Develop and implement plans of action to fix deficiencies and reduce or eliminate vulnerabilities.
  3. Monitor security controls on an ongoing basis.
  4. Develop, document, and periodically update system security plans that describe system environments, how the requirements are implemented, and relationships to other systems, updating them as changes occur.

So essentially these are common-sense security functions.

Any time a change occurs (new device, moving, adding, subtracting) one has to re-evaluate the security posture.

How about Risk Assessment:

  1. Periodically assess risk to organizational operations (mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
  2. Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
  3. Remediate vulnerabilities in accordance with risk assessments.

So if you look at the document, it just asks for what all respectable requirements ask for:

  1. Document and inventory your stuff.
  2. Create risk assessments and impact assessments.
  3. Set up vulnerability scans.
  4. Remediate vulnerabilities!
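The last three points, together with the POAM (Plan of Action and Milestones) idea from the earlier NIST 800-171 post above, can be tied together in one small script: read a vulnerability scan export, apply remediation deadlines that follow the risk assessment, and produce the POAM rows, flagging what is overdue. This is an added example, not code from NIST or from the original post; the scan rows and hosts are constructed, and the deadline-per-severity table is an assumption for the example, since 800-171 only says remediation must follow your risk assessment.

```python
import csv
import io
from datetime import date, timedelta

# Remediation deadlines per severity, in days. These values are an assumption
# for this example: 800-171 says "remediate in accordance with risk
# assessments", so each organization sets its own based on its risk assessment.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Constructed scan export (not real hosts or findings), in the CSV shape a
# typical scanner can emit: host, finding, severity, date first seen.
SAMPLE_SCAN = """host,finding,severity,first_seen
10.0.0.5,SMB signing disabled,High,2018-05-01
10.0.0.5,Missing OS security update,Critical,2018-06-01
10.0.0.12,Self-signed TLS certificate,Medium,2018-03-15
10.0.0.20,Directory listing enabled,Low,2018-01-10
"""


def build_poam(scan_csv: str, today: date) -> list:
    """Turn scan findings into POAM rows: each gets a due date derived from
    its severity, and is flagged overdue if that date has passed."""
    rows = []
    for r in csv.DictReader(io.StringIO(scan_csv)):
        first_seen = date.fromisoformat(r["first_seen"])
        due = first_seen + timedelta(days=SLA_DAYS[r["severity"]])
        rows.append({
            "host": r["host"],
            "finding": r["finding"],
            "severity": r["severity"],
            "first_seen": first_seen,
            "due": due,
            "overdue": today > due,
            "days_late": max(0, (today - due).days),
        })
    # Most urgent items first: by severity, then by earliest due date.
    rows.sort(key=lambda x: (SEVERITY_ORDER[x["severity"]], x["due"]))
    return rows


def overdue_items(scan_csv: str, today: date) -> list:
    """Just the rows that have blown their remediation deadline."""
    return [r for r in build_poam(scan_csv, today) if r["overdue"]]


def poam_report(scan_csv: str, today: date) -> str:
    """Plain-text POAM, one line per finding, in the order an assessor would
    want to read it."""
    lines = [f"POAM as of {today.isoformat()}"]
    for r in build_poam(scan_csv, today):
        status = f"OVERDUE by {r['days_late']} days" if r["overdue"] else "on track"
        lines.append(f"{r['severity']:8s} {r['host']:10s} {r['finding']:30s} "
                     f"due {r['due'].isoformat()}  {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    # The post's own update date is used as "today" for the sample run.
    print(poam_report(SAMPLE_SCAN, date(2018, 6, 7)))
```

Run against the constructed export with 2018-06-07 as the reference date, the High finding first seen on 2018-05-01 shows as a week overdue while the Critical one is still inside its window, which is exactly the kind of evidence a POAM is meant to carry: the gap is known, dated, and has a milestone attached.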

Talk about change: the document 800-171 has recently been revised and updated, both in February and June 2018:

  1. February: 16 editorial changes and 42 substantive.
  2. June: 27 editorial changes and 5 substantive.

Most of the changes were deletions and some clarifications.

There is a change in authentication: now MFA (Multi-Factor Authentication) is required instead of two-factor or regular password authentication.

Above is the section (Identification and Authentication) where MFA is shown.

If you need help in performing risk and security assessments, Contact Us.