Cybersecurity: Challenging Onerous Tough

 

Overview of Cybersecurity challenges:

David Kennedy, in the first 25 minutes of the YouTube video referenced above, gives a good overview of where we are in cybersecurity: a single employee can take down your company. It is not just the technical details; it also means people learning best practices to defend against the hacking activities of the bad guys (black-hat hackers). David also 'hacks' a volunteer who came up from the audience and finds her social security number in a few minutes.

 

The Harvard Business Review also has an article, "Why is Cybersecurity so Hard?"

The "Differing Rules in Cyberspace" paragraph explains why this is such a difficult subject:

Physical-world models do not work in cyberspace: you can't assign a local police department to a network that connects the whole world.

What about the division of responsibility between government and the private sector? Who is responsible for a virus infection that spread from your company to another (because it mailed itself to your address list)?

When the NSA hoards specific bugs and exploits so it can track the enemies of the state, that may serve national goals, but it becomes bad when the enemy steals those exploits...

WannaCry spread using an NSA exploit (EternalBlue).

Who is responsible for the software flaw in the first place? Is it Microsoft, which should have known better?

The problem with cybersecurity is that security flaws are often not found until late in the software development cycle, or only after the product has shipped.

Once the flaw is found, the vulnerability is introduced to the world, and the exploit gets released; somehow it always is. The WannaCry vulnerability was found by the NSA first, and its exploit was stolen and leaked by the Shadow Brokers (widely, but not conclusively, attributed to Russia) before it was used in the wild. But the vulnerability was there nonetheless for anyone with the computing talent to find. Note that Microsoft had already patched the flaw (MS17-010) two months before WannaCry hit; the victims were the machines that had not applied it.

This is actually the crux of the cybersecurity issue: there are people with rare hacking talent who can take advantage of our computing infrastructure. Flaws exist in various parts of the operating systems and the other pieces of the information technology puzzle, and these computer whiz kids (we call them hackers) find the flaws and build exploits so they can make money. The criminal underground has built a method of monetizing this with ransomware.

Here is another interesting issue that just arose:

gSOAP flaw (CVE-2017-9765, dubbed "Devil's Ivy") leaves thousands of IoT devices vulnerable to remote code execution.

gSOAP is used in many applications and products, including IoT devices (apparently from as many as 34 different vendors). Although this particular vulnerability takes some doing to exploit, a working exploit would more likely be used to commandeer devices without permission, as in the Mirai event that Brian Krebs covered, than to target any one company.

The Mirai event was a DDoS attack: a botnet of compromised IoT devices was pointed at various targets to flood them. In this case the criminals sell time on these illegally obtained devices to anyone who wants to attack a system.

So this is another facet of the difficult problem: the complexity of software, and of understanding what it actually does, is not trivial. The nature of the problem causes confusion, or apathy, and it only rears its ugly head when it is your software being attacked or abused.

The only way to combat this is to elevate your game and perform audits of your IT infrastructure and software. The audits serve to further understanding, and the end result, which is to deny criminals a foothold.

Contact us to review and audit your environment.

We are a CISA (Certified Information Systems Auditor).

 

Disaster Recovery – Backups – also a Cybersecurity must

Why discuss backups and Disaster Recovery on a Cybersecurity topic?

Because what is the worst thing that can happen to your computer data?

Oh yes, ransomware will encrypt your data, and the only way to decrypt it is to pay the criminals. Of course, there is no guarantee that after you pay, the decryption will work without flaws, or happen at all.

So what is your only solution? If you ask me, the criminals with their ransomware are forcing us to use proper IT processes and activities. Use the backup you have, following your written backup and restore procedure, so that you are not improvising something new but simply recovering from a standard IT problem for which a backup is required.

So we should have a backup and recovery process and procedure no matter what, and especially now that ransomware keeps raising the cost of failure.

And ransomware is not going away; criminals are making more of it, more sophisticated and affecting more PCs (Petya ransomware story at digitaltrends.com). After Petya came NotPetya, which spread faster and hit harder; it turned out to be effectively a wiper, since paying did not get anyone's data back, which makes the case for backups even stronger.

The bottom line is that you had better create a disaster recovery process, with backups and more, for a real disaster and not just a ransomware disaster.

In my eyes, the ransomware stories out there make the case for the disaster recovery procedures you should already have.

What exactly are you waiting for? Why take the chance every day that you will click on something that links you to one of the ransomware outbreaks in the world?

Imagine a revolver with a large number of chambers (100 or 500, depending on your risk and impact level). [Image: the 500-barrel RiskGun.] If something happens outside your control, the RiskGun fires and you get ransomware.
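As an added example (not the page author's procedure, and not any vendor's backup product), here is a small Python script that takes a backup with a SHA-256 manifest, simulates a ransomware hit on the live data, restores into a clean directory and verifies the restore against the manifest. The directory names, file names and file contents are constructed for the demo; the point it makes is that a backup you have not restored and checked is not yet a backup.

```python
"""Backup with a hash manifest, restore into a clean directory, verify.

Added example; the paths, file names and contents are constructed for the demo.
"""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(src: Path, dest_dir: Path) -> tuple:
    """Archive src and write the manifest as a separate file; return both paths.
    Keep the manifest and an offline copy of the archive out of reach: ransomware
    that can reach the backup share will encrypt the backups too."""
    manifest = build_manifest(src)
    archive = dest_dir / "backup.tar.gz"
    manifest_path = dest_dir / "backup.manifest.json"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(src), arcname=".")
    manifest_path.write_text(json.dumps(manifest, indent=1))
    return archive, manifest_path


def restore(archive: Path, target: Path) -> None:
    """Extract into a clean directory. The 'data' filter refuses tar entries that
    would write outside target (Python 3.12, and the patched 3.8-3.11 releases)."""
    with tarfile.open(str(archive), "r:gz") as tar:
        try:
            tar.extractall(str(target), filter="data")
        except TypeError:
            tar.extractall(str(target))  # older Python without the filter argument


def compare(manifest: dict, root: Path) -> list:
    """Relative paths that are missing, extra, or whose content differs from the manifest."""
    current = build_manifest(root)
    return sorted(p for p in set(manifest) | set(current)
                  if manifest.get(p) != current.get(p))


def demo() -> dict:
    """Back up, get 'hit', restore, verify; returns what each comparison found."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live, store, clean = tmp / "live", tmp / "store", tmp / "restore"
        for d in (live, store, clean):
            d.mkdir()
        # Constructed sample data standing in for the business files.
        (live / "ledger.csv").write_text("date,amount\n2017-06-01,120.00\n")
        (live / "docs").mkdir()
        (live / "docs" / "contract.txt").write_text("sample contract text\n")

        archive, manifest_path = backup(live, store)
        manifest = json.loads(manifest_path.read_text())

        # Simulate ransomware: the live file is overwritten with ciphertext-like
        # bytes and renamed, which is exactly the case the backup exists for.
        (live / "ledger.csv").write_bytes(os.urandom(64))
        (live / "ledger.csv").rename(live / "ledger.csv.locked")

        restore(archive, clean)
        return {
            "live_damage": compare(manifest, live),          # what ransomware changed
            "restore_mismatches": compare(manifest, clean),  # empty => restore is good
        }


if __name__ == "__main__":
    print(demo())
```

The same two comparisons are what a written restore procedure should end with: the restored tree matches the manifest taken at backup time, and the damage on the live side is enumerated so you know what the restore actually replaced. Run the restore test on a schedule, not only on the day of the incident.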

Contact me to discuss how I can review your processes and procedures to ensure your business will weather any storm.

The Old FUD – Fear Uncertainty Doubt

FUD techniques are certain to come up again and again, as they are effective (to a degree).

FUD is a marketing technique to sow fear in cost-conscious customers who are thinking of going to a competitor. Pushing "safety in numbers" and other uncertainties creates FUD in the mind of potential customers, so it is not so easy to go with a competitor unless one is armed with knowledge.

The first FUD campaign happened when IBM mainframes finally got some competition, from the Amdahl mainframe company (the term was popularized by Gene Amdahl himself, describing IBM's sales tactics against him).

[Image: an Amdahl mainframe (with red-hued panels instead of the familiar IBM blue) at Newcastle University.]

So obviously Newcastle University did not pay attention to IBM's FUD.

Why do I mention this FUD business? Because it is an old tactic, and it is being used by competing vendors in the security firewall market. Palo Alto Networks is muscling into a larger market share (by developing and running a good firewall operation).

So a competitor has produced a YouTube video in which:

  1. One selects an exploit.
  2. One configures the test environment, which means setting up what kind of attack will be 'tested'.
  3. Then, conveniently, one can run the attack.

So the competitor ran the Evader software, with specific evasion techniques, against a Palo Alto firewall they had set up, to show that they could evade it.

 

This is exactly why FUD works: make future (or current) Palo Alto customers see that their firewall is not bulletproof.

Yes, we know that: no firewall is bulletproof no matter how well you configure it; there is always one item missed over the days and years. We are assaulted day after day, and the attackers only need one attack to work. We have to be cognizant and not complacent (the "it will not happen to me" attitude).

It is true that we have better firewalls, but the only thing that combats FUD, no matter your industry, is information: knowing what you have backwards and forwards.

Contact us to review your environment so that you don't have to worry about FUD.
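As an added example, not the competitor's video and not the Evader tool itself, this Python sketch shows the simplest class of evasion such tools rely on: cut the malicious bytes across two TCP segments and deliver them out of order. A per-packet signature match never sees the whole string; a matcher that reassembles the stream first, as the receiving host does, catches it. The signature, the request and the segment layout are constructed for the demo; no real firewall's behaviour is claimed.

```python
"""Per-packet signature matching versus stream reassembly under a split evasion.

Added example; the signature, the request and the segments are constructed.
"""
from dataclasses import dataclass

SIGNATURE = b"cmd.exe"  # stand-in for whatever the inspection rule looks for


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def per_segment_matcher(segments, signature=SIGNATURE) -> bool:
    """Naive inspection: look at each packet on its own, no reassembly."""
    return any(signature in s.payload for s in segments)


def reassemble(segments) -> bytes:
    """Order by sequence number and stitch the stream back together.
    Overlapping bytes are taken from the lower-sequence segment and gaps are
    zero-filled; real stacks differ in both choices, and those differences
    are themselves an evasion vector (the inspector must model the target)."""
    stream = bytearray()
    base = min(s.seq for s in segments)
    for s in sorted(segments, key=lambda s: s.seq):
        offset = s.seq - base
        if offset > len(stream):
            stream.extend(b"\x00" * (offset - len(stream)))
        for i, b in enumerate(s.payload):
            if offset + i < len(stream):
                continue  # already have this byte
            stream.append(b)
    return bytes(stream)


def stream_matcher(segments, signature=SIGNATURE) -> bool:
    """Inspection after reassembly: what the receiving application will see."""
    return signature in reassemble(segments)


def split_evasion(request: bytes, signature: bytes, seq0: int = 1000) -> list:
    """Attacker side: cut the request in the middle of the signature so it
    straddles a segment boundary, then hand the pieces over out of order."""
    cut = request.index(signature) + len(signature) // 2
    first, second = request[:cut], request[cut:]
    return [Segment(seq0 + len(first), second), Segment(seq0, first)]


def demo() -> dict:
    request = b"GET /cgi/run?cmd.exe HTTP/1.0\r\n\r\n"  # constructed request
    plain = [Segment(1000, request)]
    evasive = split_evasion(request, SIGNATURE)
    return {
        "plain_per_segment": per_segment_matcher(plain),      # caught
        "evasive_per_segment": per_segment_matcher(evasive),  # missed: "cmd." and "exe" never share a packet
        "evasive_stream": stream_matcher(evasive),            # caught once reassembled
    }


if __name__ == "__main__":
    print(demo())
```

Segment splitting is only the first trick in that family; fragmentation, overlapping segments with conflicting data, and protocol-level encodings all work the same way, by making the inspector's view of the bytes differ from the endpoint's. Whatever the vendor demo shows, the question to ask of a firewall or IDS is what it reassembles and normalises before matching, and whether that matches the hosts behind it.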

2nd Quarter Almost Over – Time to Reassess and Plan

There seem to be a few posts doing a bit of reflection:

Internet Storm Center, "An Occasional Look in the Rear View Mirror", suggests that every so often you look at what you run to see if anything can be retired.

At year end we look over the year and set goals for the next one.

So what will happen in 3Q/4Q? Will we develop new and better procedures, guidelines and other items to improve our organizations?

With a couple of weeks left in the quarter, it would be a good time to review and reassess any plans you had and redo them if necessary.

Dark Reading: “Why Compromised Identities Are IT’s Fault”

Yes, it is IT's fault, because IT has to do a better job of policing itself where it matters. But since it is hard to police yourself, an outside entity should do it.

Dark Reading claims:

“Before an organization can fight identity-based attacks, it must survive its own internal battle between IT and security. There are two battle fronts. The first: identity access management (IAM) typically comes under the control of the CIO, where more access is better than less to enable business processes at customer speed, even more so for mobility and cloud projects. IAM is not managed by the CISO, even though identity-based risks are at the core of security issues that keep CISOs up at night. This first front can be summarized as the CIO and CISO divide.”

So somewhere along the line security lost a small battle (or a big one). In an audit program (or framework) the outside entity is independent and ultimately reports to accountable people (the board or executive team).

It does not have to be a fight... er, a discussion between the CISO and CIO over whether productivity or security should 'win'.

The ISACA framework (ITAF) is an audit guideline; the basics are the following:

  1. Plan the audit.
  2. Perform a risk assessment for the plan.
  3. Audit the IT functions under supervision (test the network, servers, software functions and more).
  4. Document the audit work.
  5. Create reports from the tests, identifying ineffective controls, control deficiencies, and what these problems would mean for the business.
  6. Present evidence for the test results and conclusions.
  7. Bring in other experts to find specific issues where needed (a DBA (Database Administrator), for example).
  8. Note irregularities or illegal acts, and reduce risks to an acceptable level.

One of the tenets of an auditor is being ethical in creating the audit tests. Part of this is competence: if one does not have expertise in a section of IT that needs audit work, then an expert in that field must be brought in. For example, if the company has an agile programming project and the auditor does not understand agile techniques, the auditor must get an agile programming expert to review the project.

 

So the ethics of the auditor are very important: knowing when to ask for help is good, as is having the sense to know when to stop. Knowing to do the right thing matters.

Contact us to review your situation.

OneLogin Security Failure Spotlights Even the “Experts” Get Hacked

So what to make of the OneLogin Security Incident?

So what do you do when even the "experts" get hacked and have potentially lost your confidence and your data?

Unfortunately, in this case it is (potentially) usernames and passwords. It is not obvious what was removed or accessed, because a lot of data at OneLogin is encrypted; OneLogin itself, however, said it could not rule out that the attacker also obtained the ability to decrypt that data.

The function of OneLogin is, of course, to provide a secure method of logging into your environment with one password or authentication method (single sign-on).

So what are a user and an IT department to do about password management?

Don't do what Sony did and store your passwords in an Excel file.

Compliance standards require password management with a minimum set of parameters:

  1. A minimum length (roughly 10 characters or more) with some complexity (numbers, letters and specials).
  2. A lockout after repeated incorrect entries (e.g. lock access for 30 minutes).
  3. Idle-session timeouts.
  4. Unique IDs and passwords (no shared accounts).
  5. No reuse of passwords across multiple systems.

Note that current NIST guidance (SP 800-63B) drops mandatory complexity rules and periodic rotation in favor of length, screening new passwords against lists of known-breached ones, and multi-factor authentication; the compliance checklist above is the floor, not the ceiling.

 

So why did you set up a OneLogin system? To make it easier to access a variety of platforms and networks. We did not expect OneLogin to have a security problem that causes the very act of logging in securely to fail: now the potential is there that the hackers have your user ID and password, and since you made it easier to access your network, the whole network is accessible to them.

This is usually an acceptable risk for the most part, but if you have a computer system or database whose compromise would be especially damaging, I would set up separate authentication from the OneLogin setup for it (at least a second factor or step-up authentication on that system), even though this makes things more difficult.

As I have discussed before, perfect security is not possible, especially if you also want functionality.

 

The real question is: what kind of Russian roulette do you want to play with your business?

The game is this (it depends on your situation, of course): every day you pull the trigger on a gun with X chambers, and if the chamber holds a bullet then a security event occurs. So the idea is to have a very large gun with lots of chambers (like 500), so that at least the chance of a security event on any given day is low.

Here the funny thing about probability comes in.

In a true 1-in-500-per-day game you may never actually hit it, but on average you hit once every 500 days, about 1.4 years; over one year the chance of at least one hit is about 52%, and over two years about 77%. But we have another problem: how do we accurately represent the organization's risk? How big is your "risk gun"?

I made these 1000 gun barrel units as well as a 500 gun barrel one to try and represent what a physical security risk gun would look like.

So since Risk = Impact × Likelihood:

The higher the impact, the higher the risk; where the impact is low, the risk is lower. Now we get into the subjective gauge of likelihood. This setting is fluid and can create many problems as circumstances change: new malware is introduced, machines go unpatched, and so on.

So risk becomes a moving target that has to be assessed by an independent person to approximate it as best as possible under the circumstances. Here is where you figure out whether the daily likelihood is 1 in 1000 (low), 1 in 500 (not low, but higher), 1 in 300 (medium), or 1 in 150 (high).
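As an added example, not the page's own figures, this Python block carries the risk-gun arithmetic through: the chance of at least one event over a horizon, the expected wait for the first one, and an annualized expected loss in the Risk = Impact × Likelihood spirit, for each of the chamber counts above. The per-day odds, the one- and two-year horizons and the 100,000 loss-per-event figure are assumptions chosen for illustration.

```python
"""Risk-gun arithmetic: per-day odds to horizon probability and expected loss.

Added example; the odds, horizons and loss figure are assumptions for illustration.
"""


def p_at_least_one(p_day: float, days: int) -> float:
    """Chance of at least one hit in `days` draws with per-day probability p_day.
    Days are treated as independent, which is generous: an unpatched box makes
    tomorrow's odds worse than today's, not the same."""
    return 1.0 - (1.0 - p_day) ** days


def expected_days_to_first(p_day: float) -> float:
    """Mean wait for the first hit (geometric distribution): 1/p, not 2/p."""
    return 1.0 / p_day


def annualized_loss(p_day: float, impact: float, days: int = 365) -> float:
    """Expected hits per year times loss per hit: the Impact × Likelihood product
    as a money figure (the ALE of classic risk analysis)."""
    return p_day * days * impact


def risk_table(barrels=(1000, 500, 300, 150), impact: float = 100_000.0) -> list:
    """One row per chamber count: how the page's low/medium/high odds play out."""
    rows = []
    for n in barrels:
        p = 1.0 / n
        rows.append({
            "barrels": n,
            "p_one_year": round(p_at_least_one(p, 365), 3),
            "p_two_years": round(p_at_least_one(p, 730), 3),
            "expected_days_to_first": expected_days_to_first(p),
            "annual_expected_loss": round(annualized_loss(p, impact)),
        })
    return rows


if __name__ == "__main__":
    for row in risk_table():
        print(row)
```

The table makes the page's point concrete: going from a 150-chamber gun to a 1000-chamber one roughly halves the chance of a bad year, but even the "low" 1-in-1000 gun fires in about three years out of ten, so the impact side (what a hit costs, and what backups and segmentation do to that cost) is the lever you control most directly.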

So when you have a single sign-on application, it had better be checked for security; otherwise the risk is greater, since the impact is great.

Contact us to review.