How Do We As Consumers Get Companies More Secure?

Every week there are more hacking incidents.

There is a serious problem – a significant number of people and companies are not doing what is necessary to prevent Cyberattacks. This is also a moral weakness, and is a function of misunderstanding Cybersecurity and human nature.

The problem we have is that everyone needs to be better at cybersecurity, yet there is a colossal misunderstanding of the nature of cybersecurity. This is compounded by Hollywood’s portrayal of hackers and hacking events.

Kevin Mitnick was an early hacker (before 2000) who got caught and was convicted; now he is a consultant.

Hollywood makes hacking mysterious and easy for certain people, but this is a fantasy world. And of course there is no explanation as to how one can defend against hackers.

In my mind (as an ethical hacker and computer professional of 20 years) this state of cybersecurity affairs will not get better until there is a paradigm shift.

It would be nice if everyone understood at least the basics; I have many posts on this topic.

Let’s try and push the companies to do the right thing.

Why are companies not protecting their computers the way they should? Misunderstanding and psychology. But what can we do to change their minds?

(From an older post: an infographic by Small Business Trends.)

If, as a small company, you do not do what it takes, you may go out of business when you literally lose your data tomorrow. The reason for this is that backups are not what they seem.

Apparently the knowledge of potential failure in the future (due to bad decisions) is not enough for 22% or more (in some surveys) of companies. This is a huge number and will keep the criminal hackers fed forever. So how can we change that?

All cyber-consumers should demand cybersecurity done right from all companies we do business with. And since it is 2017 (almost 2018) and we depend on computers and the convenience they give us, we should all be interested in making sure that only what we want to get done gets done.

So we have to ‘help’ the companies we depend on to keep operating: restaurants, banks, hotels, and many other seemingly innocent companies (let’s not discuss government and Equifax). We are talking about all small businesses: the accountants, the lawyers, the plumbers, HVAC contractors, everyone large and small. All except the public companies, as they _have_ to have somebody taking care of business. It is only the companies that do not “have” to that don’t, in sufficient numbers.

What if you could “know” that at least a minimum of processes were done to at least prevent a catastrophe if something does happen? What is that worth to you?

Would you do business with someone if at any moment they can have a catastrophic event and then go out of business?

Sure, it should be that we do not have to think about this cybersecurity thing, and thus it “ought” not to cost anything, but we do not live in a fantasyland like Hollywood. Do you know why it costs? Because ransomware has changed the game. It used to be that hackers were just annoying, like spam. But now criminal hackers are making serious money, and thus they will continue to do it until we stop them cold. As I have mentioned in the past, this is an uphill struggle, since human nature is to ignore the problem; this has been proven by the fact that 25% of people do not patch their computers.

So let’s repeat: if you do not patch your computer (or device), it becomes vulnerable to malicious software, and its chance of getting hacked grows higher and higher every month it does not get patched.

So eventually it is a beacon for bad software to come in, and very soon (like a year or two) ransomware will test your cybersecurity defenses. This problem will get worse until we can peer-pressure everyone into getting cybersecurity audits from CISA-certified professionals. Like us.

Contact us to help you get up to snuff, or to get a neighbor company up to snuff.

We are going to have an Oversitesentry seal of approval so that everyone who is doing the basics can at least sleep a bit better about their future.

Upgrade or Get Hacked (When Patch Available)

Did you hear the latest in Cybersecurity news?

  1. No, not the news that Pizza Hut was hacked.
  2. Not the news that Hyatt Hotels were hacked.

BUT the news that the supposedly secure WPA2 Wi-Fi protocol is actually vulnerable to attacks, which essentially means all current Wi-Fi access points are not secure.

CERT has a list of all the vendors with patches and the affected vendor models. CERT used to stand for Computer Emergency Response Team; today it is at Carnegie Mellon University and still reviews the important vulnerabilities.

So you say… Big deal, the researchers say another protocol is insecure; if a person with the knowledge can hack this, then my Wi-Fi is going to be less secure, but what does it really mean?

It means it is another item to patch in a large schedule of patches (Microsoft Windows and other software also have to be patched).

So we have to evaluate the actual risk and impact before allocating resources.

For one, the hacker has to be close enough to your Wi-Fi station to attempt to hack your communications, so this is not a recipe for mass mania. True, but as usual it is only the high-risk areas that have more to worry about: high risk as in protecting Social Security numbers and other PII (Personally Identifiable Information).

So the largest worry we have is that this patch is going to be ignored by most people, leaving 50% or more of Wi-Fi access points vulnerable to this attack. The best thing that can happen here is that companies evaluate their own situation and then decide, with their resources, when to patch this problem. It may not be easily hackable, and the attacker must be in proximity to the access point. So from now on, a seemingly secure protocol is not secure until it is patched.

Unfortunately not everyone patches. As we mentioned before, 25% patch within the first week, another 25% within the first month, and an additional 25% within 6 months. And some do not patch at all.


Obviously this is true, since there are many ransomware outbreaks, and they take advantage of basic patches not being applied (exploiting the vulnerabilities those patches fix).

So in the coming months, as hackers develop better hacks (programs that take advantage of this vulnerability so the hacker can make money), the risk will go higher and higher. And depending on the impact of the system affected, it might actually get more dangerous for the companies not patching.


So everyone must have a patching regimen. Get going already: get a CISA tester on hand (like us; contact us).


Can We Make Community Immunity (Inoculation) Work in Cybersecurity?

Instead of another post about the dangers of not patching your systems or of inadequate configurations (i.e. errors in configs) that ultimately lead to ransomware and computer viruses running amok (or ‘in the wild’)

One ransomware infection “in the wild” means somebody failed to upgrade their machine or failed to have enough protection.

Some viruses try to infect other machines by replicating using email or other methods.

Cisco explains the difference between viruses, worms, Trojans, and bots.

There are many different classes of bad software trying to infect us. When one machine is badly configured and badly managed, it affects all of us.

We need an environmentally sound policy for all, right? We need clean water, clean air, and clean electric networks; together we can do it.

It has to be everyone including home users, but especially companies that accept credit cards, or store social security numbers and other Personally Identifiable Information (PII).

I recommend that all users step up their cybersecurity game by doing what is necessary. As a CISA (Certified Information Systems Auditor) certified person, I know what must be done, and it requires another person double-checking your company’s Information Technology because it is that important.

If 80% of the computers were properly inoculated (something similar to inoculating with flu shots every year against the flu), then when a new variant of a Trojan/virus comes out it will not propagate as fast as today. The eventual goal is to get 95% inoculation, and that is where herd immunity comes into play.

My contention is that we are nowhere near that point now. One estimate is that 50% patch their computers within a month.

As CSOonline states, 25% of machines get patched within the first week, 25% of people patch within the first month, and 25% of people patch after the first month.

25% do not patch. So the problem is that we cannot get anywhere near herd immunity with 75% patching within 6 months or so.

We need to change this so that most people patch and only a small minority does not. Until this happens we will have many problems.
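To put numbers on the herd-immunity argument, here is an added example (not code from this post). It runs a simple discrete-time SIR (susceptible / infected / recovered) model in which patched machines count as immune, the way vaccinated people do in the epidemiological version. The basic reproduction number R0 = 5, the 10-day average cleanup time and the one-in-a-thousand initial infection are my assumptions, not figures from the post; with R0 = 5 the classic threshold 1 - 1/R0 works out to exactly the 80% mentioned above, and the 95% goal sits comfortably past it.

```python
"""Herd immunity applied to patching: a discrete-time SIR model.

Added example, not code from the post. Assumptions (mine, not the post's): a
worm spreads between unpatched machines with a basic reproduction number R0 of
5 (each infected machine would infect 5 others in a fully unpatched, well-mixed
population), and infected machines are cleaned up after about 10 days on
average. Patched machines count as immune, like vaccinated people.
"""

R0 = 5.0            # assumed basic reproduction number of the malware
GAMMA = 0.1         # assumed cleanup rate: fraction of infected machines fixed per day
BETA = R0 * GAMMA   # infection rate per infected machine per day
SEED = 0.001        # constructed: one machine in a thousand is infected on day 0


def herd_immunity_threshold(r0: float = R0) -> float:
    """Patched fraction above which each infection causes fewer than one new one."""
    return 1.0 - 1.0 / r0


def effective_r(patched_fraction: float, r0: float = R0) -> float:
    """Reproduction number when only (1 - patched_fraction) of machines are exploitable."""
    return r0 * (1.0 - patched_fraction)


def simulate_outbreak(patched_fraction: float, days: int = 365) -> dict:
    """Run the SIR model one day at a time and return outbreak statistics.

    All values are fractions of the whole machine population:
      attack_rate   - machines that were ever infected beyond the initial seed
      peak_infected - the largest fraction infected at the same time
      peak_day      - the day on which that peak occurred
    """
    susceptible = max(0.0, 1.0 - patched_fraction - SEED)   # unpatched, not yet infected
    infected = SEED
    recovered = 0.0
    initial_susceptible = susceptible
    peak_infected, peak_day = infected, 0
    for day in range(1, days + 1):
        new_infections = BETA * susceptible * infected   # unpatched machines hit today
        cleaned = GAMMA * infected                        # machines restored today
        susceptible -= new_infections
        infected += new_infections - cleaned
        recovered += cleaned
        if infected > peak_infected:
            peak_infected, peak_day = infected, day
    return {
        "attack_rate": initial_susceptible - susceptible,
        "peak_infected": peak_infected,
        "peak_day": peak_day,
    }


def compare_patch_levels(levels=(0.50, 0.75, 0.80, 0.95)) -> dict:
    """Attack rate for each patched fraction: the 50% the post cites up to the 95% goal."""
    return {level: simulate_outbreak(level)["attack_rate"] for level in levels}


if __name__ == "__main__":
    print(f"R0 = {R0:.1f}, herd immunity threshold = {herd_immunity_threshold():.0%}")
    print(f"{'patched':>8} {'R_eff':>6} {'ever infected':>14} {'peak infected':>14} {'peak day':>9}")
    for level in (0.50, 0.75, 0.80, 0.95):
        stats = simulate_outbreak(level)
        print(f"{level:>8.0%} {effective_r(level):>6.2f} {stats['attack_rate']:>14.2%} "
              f"{stats['peak_infected']:>14.2%} {stats['peak_day']:>9d}")
```

Running it prints one row per patch level. At 50% patched the effective reproduction number is 2.5 and most of the unpatched machines end up infected; at 80% it hovers right at 1, so the outbreak smoulders instead of exploding; at 95% it is 0.25 and the infection dies out after touching only a handful of machines. The model is deliberately simple (every machine is equally likely to contact every other), so treat the numbers as an illustration of why the patched fraction matters so much, not as a forecast.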

Contact me to discuss your patching regimen.

Upgrade, Patch, and Reboot: No! Too Hard?

How can it be that upgrading software and hardware is too hard? Or is it that the reboot is too hard?

We don’t actually want to reboot do we?

I know some people who deliberately do not reboot their computers until forced to do so by power outage or other dramatic events.

Or is it that a reboot has a small chance of screwing up the balance of the computer? I.e., the registry might become corrupted (see the example of a registry failure after restart)? This phenomenon happens with faulty (or ‘buggy’) patches. But because we have heard about these things, we think postponing the update (for months) is better.

The solution? Have your IT department test the patches on a suitable copy of the system. So again we run into the problem of resources. The IT department has to have a suitable test machine and has to have the time to test the upgrade with all of the software that you must use:

  1. Accounting
  2. Word/Excel (or Office)
  3. Website software compatibility (Firefox, Chrome, Internet Explorer)
  4. Specialized software.

So now what seems like a 30-minute job at most has turned into several hours. And remember, it also depends on the other tasks the IT department has. Updating servers is more complex and could take longer. This was likely the problem at Equifax, where an Apache Struts application was not patched within a short time (see the “Learning From Equifax Breach” blog post of Sep 27).

And I don’t know if you noticed but there are patches every month, sometimes more frequently:


Here is an example of a past Patch Tuesday (the 2nd Tuesday of the month) in 2015 on this blog.

A single vulnerability may affect 8 different types of systems, and if you have many of those systems (due to not standardizing) then each system must be tested properly to figure out if the patch will work.

So it is not the single act of rebooting that causes our consternation; rather, it is the large testing regime that SHOULD be done. Of course a loose IT department can just wing it and patch without testing. Most months that would be OK, but periodically there will be problems and then a lot of downtime.

So ask yourself: is there a lot of unscheduled downtime for different systems? If so, it may be time to do things differently. We do not want to be the company that is in the news due to a cybersecurity incident (which may have started due to an insufficient update process).

Contact us for a review of your machines and processes.

Learning from Equifax Breach

I wish I could say that this post would be something new, like “buy product xyz and perform handstands and all your problems are solved.”

Unfortunately, the Equifax breach likely happened due to unpatched systems, as even Equifax itself admitted¹:

 

So, as we have discussed this problem many times, how can a company with IT people and cybersecurity people possibly miss patching this kind of vulnerability?


It is not as if the vulnerability is a minor one: this Apache Struts vulnerability has a severity of 10 (on a scale of 1-10), and as I have mentioned before, once a vulnerability is found the clock is ticking. The hackers try to exploit it, and companies try to patch the problem as soon as possible to prevent what happened to Equifax from happening to them. Rapid7² discusses the exploits available and what should be done (solution: upgrade to the latest Apache Struts).


Somehow the upgrade process and patching of critical pieces of infrastructure is very difficult for organizations, and thus they are susceptible to attacks, and will be until we as consumers can push them into fixing things. How will we know if companies are patching? Someone has to audit them, someone like us (as a Certified Information Systems Auditor) at https://fixvirus.com/

It seems simple to me, but somehow this process of patching highly vulnerable systems is very difficult. And thus it takes time, which the hackers use to try and gain entry. Once the hackers have entry into your systems (evading defenses and taking information), it is a short time to a full-fledged breach.


  1. https://www.theregister.co.uk/2017/09/14/missed_patch_caused_equifax_data_breach/
  2. https://www.rapid7.com/db/vulnerabilities/apache-struts-cve-2017-5638