Cybersecurity, Solved in 1 hour? Nope takes at least 1 Season..

Yes we are a nation of television watchers and expect everything to be solved quickly, since all TV shows end in 1 hour.

In the online book (in books.google) of “Television and Politics”

The problems solved in our shows apparently are remembered with ‘calls for action’ are the ones solved by individuals.

So maybe after a lifetime of watching these shows we have a predisposed subconscious notion to assume 1 person can solve most problems in a reasonable amount of time (1 hour or 2 hours).

So when a complex issue is placed in front of us such as

Red vs Blue  teams attackers vs defenders where a series of steps breach a server and then use more tools to keep access of the system without the defending teams knowledge.  The solution to this issue is not obvious.

So Why am I beating this horse again?  Because the principle will not go away. The attackers will find ways and use the systems we have to attack us.

For example… we want to defend our SQL servers, maybe by hiding them. But this will not work, as there are tools to ask our systems “what are the SQL servers”? And our computers dutifully answer this request.

 

Technical Example:  Do you have a domain controller? Which is automatically running Active Directory? The program that runs your network and username and password authentication.

Then how do you defend against a user asking various questions to your DC(Domain Controller) with some commands?

You can access Powershell from a command line, and then ask various questions (execute commands) like  get-service or get-process to find out what services and processes are running on the system.

Why is this important? Because you can pick a service running on the system and then try to see what users have access to this service with another tool PowerMemory for example (as the tool(RWMC) in this article is no longer supported)

Here is PowerMemory definition:

Exploit the credentials present in files and memory

PowerMemory levers Microsoft signed binaries to hack Microsoft operating systems.

So! you might say, how does one get command line access on a server?

Let’s say that you got the user to click on phishing malware and now a command line shell was opened, and connects back to one of the Command and Control servers.   techtarget.com explains this phenomena

 

Once the hacker has a command line opened (however they did it). Now they will try and get more access – by obtaining the passwords for administrator accounts.

How to do that?  Sean Metcalf in DEFCON 23 video discusses several methods.

Including using powershell tools created by hackers, tools like

PowerMemory  Exploit the credentials present in files and memory

kerberoast   a series of tools for attacking MS Kerberos implementations. Below is a brief overview of what each tool does.

The method of obtaining passwords from places on the Microsoft server is also useful: “Finding Passwords in SYSVOL & exploiting Group Policy preferences”  is a good article discussing the same topics as in the video.

The credentials can be taken from .xml files on any windows systems. If the system is in a domain then it will have a local user account and whoever logged into that particular system.

All domain Group Policies are stored here: \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\

So the hacker knows where to look and what to find… the .xml files with CPassword variable, which has the password stored in an encrypted format.

So now it only depends on how strong your password is…

What are your password schema characteristics?  Do you require long passwords? more than 14 digits? Because if you have less than 14 digits the hackers will have an even easier time to get your passwords.

So is it still easy? Can you depend on only your defense team (Blue team) to keep all of your assets without unauthorized access? It will take more than a single episode, a season of episodes.  It will take a marathon of binge watching to keep the hackers away. It will take red teams (ethical hackers) to attack.

 

we can help you with a plan of security policies and red team attacks.

Contact Us.

 

 

What Are The Cybersecurity Top-10?

There is only so much time to work on anything. And Cybersecurity is not any different, it requires a focus of IT Management (and Cybersecurity specifically)

 

As far as Cybersecurity goes, what is it that we all must know and understand thoroughly?

  1. Ransomware defense, IT basics such as test your backup (this means you have a valid backup)
  2. Weakest link = Human Social Engineering – If someone  can call you and you give them access how does a security department defend against this?
  3. NGFW (Next Generation FireWall) and other automation – A new updated firewall is a must these days
  4. Threat Analysis
  5. Compliance only is weak
  6. Password Failure
  7. Simplify Instructions to Employees  re: Cybersecurity
  8. Not enough training
  9. Governance process and procedure
  10. Good defense is a good offense (what does that mean in Cybersecurity)

 

How can I come up with this list?

 

Previous posts and research.

Here are the previous posts or “reference points”:

#1 Ransomware:   http://oversitesentry.com/another-hospital-computer-system-down-due-to-ransomware/ A German hospital was affected by Ransomware and was down a considerable length of time due to having to rebuild all machines infected. (likely from scratch).  But that is not the only story  I tried to answer why ransomware is effective in this post:

7 common mistakes (listed in post) are mistakes or failures in security procedures. The German hospital that got hit with ransomware did not have a proper backup

#2 Social Engineering:  This is a primary cause of concern as human error is a major cause of security breaches including at DEFCON22 at the social engineering Capture the Flag event, needless to say the retail teams were breached. If somebody calls you to ask for information on your computer and network be very careful.

#3 NGFW The Next Generation FireWall, the successor to a standard firewall, and really a must in this day and age in a decent size operation.

(A NGFW can inspect applications as well as filter traffic by origin or destination)

 

#4  Threat analysis: Cyber Threat Intelligence is used to help us defend and make the job of the attacker harder. I.e. the attackers “Pyramid Of Pain” needs to be closer to the top.

FireEye has attempted to explain Threat Intel with a Pyramid representation and I use it here to use the info as an industry standard.

#5 Compliance only is weak – And I discuss that in several ways

 

If your focus is so narrow as to only focus on crossing all the checks to be marked off a compliance list, then you will miss the overall company security.

#6 Weak passwords and other Password Failures (like 90% of all Point of Sale systems still have default passwords)   Our weakness of not solving password management hurts many organizations

#7 Simplify Instructions to Employees as logistical problems create issues and thus hamper Cybersecurity. Some security issues are complicated and IT terms may cloud what non-IT people have to review and learn.  Why is simple important?   Tom Kolditz of West Point explains: “No plan survives contact with the enemy.”

#8 Not enough training with regards to cybersecurity. No employee should ever answer a phone call and give out too much information, click on bad emails, set up good passwords, but there is a bigger problem. The general sense that we are getting inundated with more and more information. IoT – and Denial of Service and more complexity. But this complexity creates confusion in regular people that needs to be reviewed and trained.

#9 Governance Process and Procedure. Writing complete procedures will be difficult as all are, but once done will be good for the people and the company

#10  Test your network by getting a red team which will act like an attacker — This issue could be higher, and maybe one of the most important items.  The best defense is a good offense is well known adage. And the way it is used in Cybersecurity red team is the offense and the blue team is the defense.

This post and image explain red vs blue team as well:

 

Contact US to review your own Cybersecurity priorities.

Year End Analysis: Psychology of Security Challenges

Increasing Cyber Security awareness and what it entails  is more difficult than it seems.

As in Bruce Schneier’s “The Psychology of Security“:

And my older posts:  8/22/2014 ‘Psychology of Security’

4/1/2015 ‘How much should I spend on Cybersecurity?’

Recently I have focused on Risk management for businesses, due to the nature of Cybersecurity and how much one should pay attention to security. The answer is it depends on many factors. Look at what you are defending.

The recent San Francisco transit hack is interesting to look at since the hackers are not getting  credit card numbers (the usual cyber steal).

Ransomware is now also affecting Apple computers according to Fortune.com videoblog post as well as the now well publicized San Francisco train cyberfiasco:

hackedsanfranterminals

(Picture from @SF_CA_RR Twitter feed)

Somehow the computers running the terminals have been hacked and are held for ransom until $73k would be paid.

There are many points in this Fortune article.

  1. Apple operating systems are now also receiving ransomware demands, as the hackers realize that there is a lucrative field of users here as Apple increases marketshare.
  2. The reporters discussing this issue review the ‘fix’
    1. patch your systems
    2. don’t click on bad links or attachments
    3. backup your systems
  3. The cost to the train system will be much higher than $73k as a lot of revenue is being lost, not to mention good will and credibility.

The problem is as always before an emergency hits what are your procedures and how much should one spend on Cybersecurity? Because once the emergency is there one has the authority to spend “whatever it takes” in some places.

 

So let’s get back to the difficulty of the “Psychology of Security” before an event occurs.

We will always have some people or companies get hacked because 70% of us do not subscribe to spending the resources that are required to brush off a cyberattack.  The problem is that a majority of humans do not want to spend money to prevent something bad will happen to them. Figure out the passwords necessary, remember the passwords, and generally manage the technology as it changes.

The belief is not that it will not happen, it is a risk based analysis. We believe it is a bet worth making – i.e. The bet that nothing will happen and I do nothing-spend nothing. Or I spend money and I reduce the chance a bad event occurs.  Most of us are betting nothing will happen as the bet is with the usual excuses:

  1. Cybersecurity is too difficult – would take too much time and effort to do right
  2. Nobody is interested in what I have anyway why spend time and money on securing “more”

 

The problem is that when something does happen it is pretty bad, and yet we fix the problem (as best we can) and then resume doing business.  The misunderstanding of how bad it can get is slowly seeping into the general consciousness.

Another reason we do not see a major effect on cybersecurity effects is that with past events such as Target, Sony, Home Depot, and other entities that got hacked – and are still there. They received bad press and a bad hack but are still standing. This kind of event reinforces the procrastinator- risk based bet to do nothing.

To sum up all of us in the Cybersecurity field as well as the people running Cybersecurity budgets have to be wary of a significant amount of misunderstanding of “why” and how much to defend the network/computers/applications.

The field always comes back to a compliance angle, but this is a cost of doing business argument, and may not give you ALL the resources you need.   Remember this:

Most of us humans have an innate inkling to do nothing as this makes more sense rather than the extraordinary step of actually creating SOCs and more Cybersecurity especially before an event happens.

 

Contact me to discuss this phenomenon and  or to help you with any cybersecurity project that we can help you with.

 

 

 

Is It Enough to Patch Computers?

Once your computers, switches, firewalls and routers are all patched now what?

All your devices on the Internet have been tested and configured correctly. And thus they are about as secure as can be. Now what?

 

windowspatch

Assuming the desktop and servers are patched and antivirus software is installed is there anything else to make you more secure?

For Servers there is “tripwire” which is a program that notifies you whenever there is a change on the filesystem. (this is obviously not for the desktop). Make sure your backups are working.  This means actually testing a restore and recover on a separate system.

Assuming all of that has been done. (Backup, Anti-Virus, and file changing software alerts)

Now there is still the IPS systems as well as more advanced logging systems. These systems are another layer of defense. The problem with additional systems is that the network resources(i.e. people watching) must be available for you to add new security systems. If you buy a new system but no one checks it then it is not very useful.

So the next steps and in fact all steps are budget driven.

 

The hackers figure out what you have and change tactics accordingly.  It depends on your budget, i.e. what are you defending?

A budget for an extra security person  has to be justified with protection of high value targets(credit card numbers, health information, other databases, or business secrets).

 

If your work perimeter is in good shape, the hacker will try to attack at home. Attack on the road. Social engineering the users which sometimes give up good information in public areas(Facebook, LinkedIn, other social media) which allows the hacker to attack better.

 

What is the most effective method of attack by hackers?  Phishing and targeted emails to make you click on stuff(Spear phishing).  Once you click on something even though you are patched and looking good, there is still a chance this could be a Zero-day attack for which there is no defense.

 

The human element of clicking on stuff or going to ‘bad’ websites is something that really has no 100% effective defense. We can attempt to mitigate this by patching and installing AV products. But some attacks are wily and will make it easy for criminals to attack your machines.

spearphishing

Image from  Korea Joongang Daily

Korea had an especially bad spate of spear phishing in July.

The difference  of “spear” phishing versus standard phishing is that it is targeted to you. The hacker has done some homework from your public information(LinkedIn, Google and others). And is using that info to make you click on the attachment or link.

 

Unfortunately they work.  So we must learn and teach these methods, but let’s face it not everything will work. So the backup and restore is an important part of security defense.

 

Contact US to discuss

Criminal Hackers Have Job Security

The Security Conversation has to change.

Unknowing we(us humans in business and more) create a scenario which prevents us from being more secure

 

Our Psyche seeks risk when confronted with loss decisions but seeks safety when confronted with gain decisions.

This has been studied (Previous post as well) and is accurate for 70% of the population.

 

So what does that mean especially when decision makers do not understand Cybersecurity anyway?   Let’s dissect this “Seek risks when confronted with loss“.

So we are confronted with a ‘loss’ in Cybersecurity that usually means a breach, ransomware or other calamities. But they don’t happen everyday and in fact a security event is usually unnoticed for months. So everything looks like its going fine. The person who spends money to prevent an attack are less in number than the people who are betting that it will not happen to them.

 

WHY SHOULD I SPEND MONEY ON CYBERSECURITY?

The consumer bets that nothing will happen (risk) than give out hard earned money for a day that ‘might’ happen.

The constant Cybersecurity industry yelling from the rooftops about xyz vulnerability that will take down the network is also to blame. I.e. man crying wolf one too many times.

 

This human psychology is a false bravado and a false argument.

Bad Cybersecurity practices will make you become a casualty of Ransomware and other maladies sooner rather than later.

The criminal hackers are having a field day with the malaise of the users and administrators.

(Following image from Derbycon6.0 Recharge Adrian Crenshaw videos)

teachamantophishandfeedhimself

anonymous

So where do we need to be?   “What is Your Budget in Unforeseen Attacks” is a a good starting post.

To save you from reviewing: the post recommends to spend 10% of your time and resources on Cybersecurity  on a regular basis. Since it is a good idea to learn new things. Imagine yourself in the future with a better understanding of Cybersecurity and therefore you will incorporate Cybersecurity within everything.  We need to become better at Cybersecurity as a whole.

 

Sure I can also say hire pentesters to test your newfound acumen, but you would know that now that you are more cybersecure aware.

Becoming compliant is one thing, but being “CyberSecure” is another.

 

And that is where we truly need to get to – we need to be Cybersecure all the time (but we are not there yet).

Due to human psychological failings we will always have a certain amount of the population be insecure. And since the hackers are getting better every year where the insecure person is not. Thus there will be a bountiful harvest of potential hacked devices for the criminal hacker until the numbers ar switched.

Unless we can turn the numbers around i.e. 90% are safe or “hard to hack” … only then the criminal hacker will have a hard time to operate. Until then the Criminal hacker has it easy and is making thousands of dollars on our general malaise.

whypayattentiontosecurity