From Vulnerability Found, To Patched Safe

 

While we are preparing for the holidays and the New Year, may it be Christmas/ Hanukkah or otherwise, the hackers are also busy prepping for their busiest time of the year. Although the Holidays is a season to be jolly, it is not a reason to slack off in keeping up with your Cyber Security.

The following image shows a potential timeline of when a vulnerability is found, disclosed to public, Anti-virus software rewritten, patch released, and patch installed.

Notice there is a number of days with no defense in your machines, and that is why a patch that is released should be installed soon.

Why do we say that hackers are also busy? This is because when people tend to lower down their guard, thinking that everyone is busy with the flow of the season, it is also the time that our Cyber protection becomes lenient and weak. When the defense turns less, then the attacker works harder to find these weakness and then it snowballs.

The reason for the easy attacks by the criminal hackers is because we become complacent and do not patch vulnerabilities when we should, and as you can see the vulnerability has been known by the wily attackers for some time… which makes time your enemy.

 

Ever seen a honeybee hive? The bees defend their hives vigorously, regardless of the time of day or season of the year. They attack-to-defend, to secure the hive at the slightest sense of a perceived threat. That is how optimal your Cyber defense should work. That is how wide your Cyber security should be manifested. It should cover all impact levels and all angles whether the threat may be old or new, small or huge.

 

Just like the bees, to keep your system up to date in “sensing perceived threats”, regular sweep and periodic re-enforcement of defenses must be done by updating your system patches. Before running any computer patches on your system, it is always a good decision to perform a system backup at a certain point. This is for you to be able to reset your systems at its most recent format should the patch go bad in the middle of its installation.  Keep in mind that a patch is a fix to system vulnerabilities (that has been out for months), and it is only now that a fix has been created. Although it took time to create the patch, it is still imperative that the patch be run to ensure that probable threats to your system are reduced if not totally eradicated; and for your computer to work properly improving its performance and usability.

 

Question is, how do you know which patch to run? This depends on the probable risks you are able to determine, based on the major threats and concerns you have sited. To illustrate in a process map, think of it this way:

 

  1. Determine the major threats to your working system. Major threats are external forces that you have no control of, that may interrupt or invade your secure cyber space. This may include:

 

  1. Unauthorized access
  2. Insider threat
  3. Data loss due to external sharing
  4. Insecure interfaces
  5. Fraud / Hijacked accounts

 

  1. Next, determine the major concerns that you need to work on to defend your system against the major threats. Major concerns are the areas that cover the major threat and of which you have the capacity to control. Examples are:

 

  1. Data Loss / Leakage
  2. Privacy and confidentiality of information
  3. Legal and regulatory compliance
  4. Compromised security

 

  1. Identify the impact of the threats and the likelihood that they will occur affecting your major concerns. This depends on your usage to the system. These are the magnitude of the identified Risks that you need to work on. Remember the formula for risk analysis as:

 

Risk = Likelihood * Impact

 

The higher the impact of the major threats, the higher the risk factor.

 

  1. Determine the controls and oversite that you need to work on and improve/update your network processes to fix or to be ready to defend your systems aggressively. This is where necessary patching comes in.

 

Since patching is a strenuous process (doing back up, uninstalling all system instances, then patching), it is where most people slack off. You cannot expect not to be robbed if the gate of your house is closed but the front door is open. It may take a while getting used to checking for bug fixes, but vigilance is the key to reducing risks.

 

So if we patch less (due to holidays or otherwise) and we are not as vigilant as we should be amidst the season break, then … you can expect that Hackers are indeed getting busy.

Contact us this year or next to discuss your details.

Insider Threats: No1 Cybersecurity Problem

 

Not all Insider threats are malicious in nature, some problems are just laziness, incompetence, not paying attention, or just plain mistakes. How does Murphy’s law  for Cybersecurity work again?

Social engineering is when a someone (usually an evil criminal hacker) tries to trick you by using your good intentions of going about your business on an every day basis.

What happened when evil  hackers wanted to change Point of Sale Credit card systems?

They were not turned away at Michael’s and in fact were allowed to install their own credit card systems, since no one checked if that was sanctioned by corporate or otherwise(no process to see that) and sales associates go along with social engineering scams if they are well executed.

Then of course the evil hackers captured all credit cards as used by shoppers in that location.

Here are some uncomfortable insider threat truths:

  1. The average hacker stays hidden in the network for 140 days.
  2. 45% of IT personnel knowingly circumvented their own policies
  3. There has been a 29% increase in the total cost of data breaches sine 2013
  4. 20% of organizations experience a BYOD (Bring Yur Own Device) breach
  5. 78% of people aware of the risks of unknown links still click on them anyway
  6. 65% of professionals identified phishing and social engineering as the biggest security threat
  7. 70% of millenials admitted to bringing outside applications in violation of IT policies
  8. Trade Secrets lost – Employee of company’s trusted business partner stole the information before accepting job from competitor
  9. Virtual machines Data loss – closely guarded computer code can be exfiltraded using  virtual machines which are hard to detect.
  10. File sharing not secure(dropbox and more), as employees abruptly quit their job and former employees retained cloud access

There are many more stories of businesses not double checking as they should…

When we do not double check a single mistake can blow up to a serious mistake and then it mushrooms from there.

The biggest problem with Cyber attacks is that they are hard to find and attribute (find who did it and blame them/ arrest them). That   is why it takes so long to find an attack that was successful (140 days or more).

If you have not thought about this then it is high time to do it. Cyber attacks are becoming more sophisticated and can cripple your business by taking over key pieces of machinery. As we move to the new year (2018) and if there is no thought put towards cybersecurity… Then it is high time you did because the solution is not very hard or that costly if you compare the loss to your reputation.

There are actions to be done to minimize risks.

An average Hacker stays hidden for so long you will not know what is happening until it is too late. Do you know how companies find out?  When the authorities contact the company and tell them the bad news.

There are many bad news scenarios:

Company trade secrets are lost to a competitor –

Employee of the company’s trusted business partner stole the information before accepting job from competitor.

File sharing not secure, as drop box or other programs can be abused by employees before they leave to other jobs.

There are more real life scenarios cataloged in this youtube Video by SEI (Software Engineering Institute) Carnegie Mellon

Although each person makes a decision of good vs evil you have to help them make this decision a right one by setting the checks and balances within your company, and letting everyone know that there is a review of your actions. So if something does happen there is a paper trail, and it is not “lost” which is always the evil  thought (they won’t find me).

The key is to get your company up to speed as the bigger companies do (what is called the Enterprise companies– 1000 computers and larger).

Contact Us as a CISA certified person we can help you with GRC (Governance Risk Compliance) as an enterprise company does things it always leaves a trail so that a criminal internal or external can be found.

 

 

Psychology of Security

People by nature are quantitative. Meaning, people would believe a fact if the parameters of the fact were exactly defined. And when it is, they scrutinize it even further by asking about the basis of how the parameters were considered or under what maximum circumstances were these facts tested or tolerated.

 

People always find a loophole whether or not the scrutiny is triggered by knowledge or ignorance.

 

Sizing up what is indefinite in the field of cyber science, like projected risk exposure budgets, risk recovery figures, and intensity of cyber security know how, not to mention having to recommend what proper action needs to be done to prevent, recover or mitigate a cyber attack, is a challenging role. Not all people are open minded about including IT maintenance costs in their business budget ahead of time, so that proper infrastructure or network check ups can be done to avoid higher recovery costs in the event an unsuspecting cyber attack occurs.

 

Preparing one’s business before a sudden unrecoverable cyber attack is like having to decide if a baby will be immunized early in life. Similar to taking care of a baby before the baby becomes sick, you have to increase the body’s defenses early so that when a sudden sickness comes about, the body has enough defenses to mitigate and recover from the external force. Ignoring these possible sicknesses amidst blatant viral or bacterial exposure will lead to higher hospital bills or even fatality in the case that the meager defenses of the baby’s body can no longer hold up. If your business was like a baby, would you not do everything to ensure that it grows healthily, knowing that every day, exposure to external factors are always at hand? You know that there are a lot of diseases that can happen to a child, especially if they are left unprotected by immunization, healthy food and healthy environment. So if you heed precaution, the growth will be a healthy success. And if you don’t, well, you may have saved a few dollars from the start by not taking immunization into consideration, but in the event the baby becomes sick, recovery may be void.

 

Simply put: Why is there a need to look deeper into your cyber risk status?  We created an infographic that helps explain your understanding of why we may act in a manner that is contrary to what we should do.

This is generally how the brain works when faced with the concept of cyber network and infrastructure health.

 

Less is more. More is less.

Computers have upended many things(where else can more capabilities cost less year after year?) including now in the security area.  As more people connect to the Internet, more business is possible (more sales) but the risk increases as more criminals also connect and learn how to perform hacks so they can make money.

Unfortunately as more people connect higher risks and higher costs in Cybersecurity are mandatory just to keep up.

Look at this slide from VISA seminar:

It is not like the industry is staying still(payment card industry)… but as time goes on more data is at higher risk. this chart has a cost built-in.

 

Focus on the positive health impact to your business (just like a babies health) to gain more and for your projected IT maintenance budgets to be sufficient. The more defense, the lesser the risk. The higher opportunity of ignoring what is needed in your business technologically, will eventually lead to losses in the event that a cyber attack occurs due to limited defenses. Preparing ahead and thinking ahead no matter how undefined or developed the cyber diseases shall be, if you are taking care of your technological health properly, then you can expect constant growth to your company.

Contact Us to discuss risk assessment analysis for your business.

Cybersecurity Challenges in Cloud

It is a known fact: technology is always on the move for progressive changes. So as the phase of virtualization becomes more advanced, it is imperative that we also look upon the parameters of cyber risks and controls oversight, in order to maximize the benefit of virtualization. Oversight controls pertains to seeing in advance, the possible cyber challenges of managing the information technology. Part of a control is to review Cyber Risk of a business, as well as planning, testing and executing methods of recuperation and resiliency to avoid critical risks and losses for a business. In other words, it entails thinking outside of the box, attempting to size up and prevent, if need be, unwanted occurrence and re-occurrence of high risk situations; hence the term oversight controls and risk controls in order to protect a managed virtual environment.

Without the proper know-how, a business wanting to gain more leverage against its competitors by using cyber advancement or automation may actually lead its business to ruin. So instead of paving its way to a more effective and efficient business, it may go the opposite way just because they did not look into possible risks, no matter the complexity, before they actually happened.

 

This is the very reason why some businesses opt to have managed servers. Business owners can save time, money, overhead costs and effort by paying for sites and domains in the managed server environment bringing their business forward with automation. However, this same technological asset may lead a business left behind with limited understanding of what happens in risk exposure.   Open possibilities of risk and fraud may happen if business owners do not understand the challenges of managed servers risk analysis. Here are some questions you may ask yourself, if you are one of the many that see the beauty of using advanced technology in e-commerce:

 

In the managed server environment there are other challenges:

 

  • Are you using a shopping cart in your site?
  • Is your shopping cart exploitable?

 

  • Are you using WordPress for your online business? Is your WordPress site exploitable?
  • Have you ever used add-ons for your site that may actually be a means for higher vulnerability?
    • What plugins are susceptible to attacks?
    • Is your theme safe?
    • Are widgets used?

 

 

In the advanced stream of technology also comes the advanced stream of risks and vulnerabilities. To enjoy the beauty of technology it is always an advantage if we know how to detect, exploit (to one’s own business advantage) and prevent these cyber risks which challenges proper oversight controls. Oversight management as well as risk management are pertinent arenas to be considered when one is a player in the universe of virtualization. Aside from this, a business owner should also know what the costs in the business are if the network fails. No matter how we think managed servers may be the better option to run in your business, as it will minimize overhead cost in maintaining the business you have started (not to mention being able to compete head to head in the e-commerce world), having a Risk Manager and Consultant who would think about the what if’s is a great control measure to minimize and prevent cyber vulnerabilities.

 

True nothing may happen, as it is a “what if” but the risk of failure is so high that doing nothing is even riskier.  So the question is, as the ultimate “Risk Manager” (if you are the decision maker) what is the minor cost that you can live with?  Our best suggestion: Test your devices, network and systems using a qualified individual.

 

Contact Us and experience the empowered difference of a sound virtual environment.

Small Businesses Do NOT Get Hacked!

Just Kidding…

If you are a small business owner, you may be thinking: “Why would we get hacked? We are not such a huge company and we could not possibly have anything that the hackers want. I don’t see how a hacker can do things against us when we are very good at managing our infrastructure.”

Maybe so, but then again, maybe not. Think again.

Cyber defense is not a minor concept that any business owner can just dismiss as this can post a grave threat even to the simplest business type. Let’s dig deeper and discuss in plain language what you may need to know with regards to your Cyber security.

Ask yourself these questions: Do you run computers in your business and have a domain that you maintain, or servers that are connected all the time to the Internet? Do you use computers to look-up websites or to generate more leads and to process online payments via credit cards for your customers?

 

In other words, if you are you using computers to perform business processes for standard uses in the delivery of marketing, sales or servicing your clients, — which of course, you most probably are, it is imperative that you must give time to review and protect your hard earned assets. As most businesses get more efficient by using computers and software that help facilitate the business, Cyber protection is also a must for your industrial infrastructure.

All these are quite basic, so why do I mention these? What is it then, that can happen to your computers without the proper cyber defense? Here are some truths below.

 

  • Malicious software may potentially insert itself into your computer and into your system causing: 
    • Slow computers
    • It could be that the hacker is now on your computer and is using it to attack others
    • It could be that the computer is now running bitcoin mining software that it may get the hacker money
    • A Computer that freezes
    • Reboots the computer
    • Ransomware encrypts all your files making your computer inoperable

 

  • Hacker software may get installed into your website causing:
    • Hackers collect info from everyone that visits your website (clients or potential) so they can send well crafted emails to snare your clients or your clients’ client
    • Installation of ads that can mount malware (malicious software) on anyone that visits your website
    • The software that is installed on your website can be invisible to the eye, yet it does its work for the hacker

 

  • Cloud environment has different threats:
    • Other cloud customers could see your information
    • Hacker software gets installed in the cloud that you use to steal or alter business information that can be silent until it’s too late

 

Risk management in the age of Cyberattacks.

 

The problem with constant threats of Cyberattack is that one has to work on the highest risk to counteract on first. Large scale companies (those of more than 1000 employees) have Cyber Security Departments who review specific security threats, depending on their environment, business portfolio or on their technological situations and hire accordingly.

To ensure that you have what you need to do in this day of higher risks and unknown attacks, it is always beneficial if you perform information security reviews or infrastructure checks more regularly, by a qualified technological individual.

 

You don’t need to go far to talk to a professional. Contact Us and we’ll help you identify your potential infrastructure hazards, vulnerable computers and potentially high technological risk situations.