Vulnerability Management Fixed!

So that we are all on the same page -Vulnerability Management is when an IT department manages it’s inventory of devices with regard to what vulnerabilities each device could be at risk for.

So if every system you own has a vulnerability, and you have 1000 systems it could get a bit challenging to manage. Consistently updating all systems for all vulnerabilities is a constant job of testing the patch, and updating the production system at a convenient time to the business.

At cvedetails.com you can review all cve’s (Common Vulnerabilities and Exposures)Each piece of software and hardware can have a potential vulnerability. This is much bigger than you think.

Powershell can give you a list of your programs:

Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table –AutoSize

From the “How-To Geek” website:

A sample in this image:

The image above has 38 pieces of software(which is likely not comprehensive).   Technically all of these can have a vulnerability(not including Windows and all of it’s subpieces).

So already you can see that 100 systems with at least 40 or 50 pieces can have 4000 to 5000 software versions that may not be the same versions for your network.

This is why there are 109403 vulnerabilities, since a vulnerability for software ABC v1.0 is different from ABC v2.0.

So if this is such a large difficult beast, how can we tame it? Or even fix it?

Actually it is relatively easy to fix by combining Risk management and vulnerability management.

 

Evaluate all your systems – which system has the most risk and highest impact with failure?

Finding this system should receive most of your focus on testing and updating. And that is just the start, as now the difficult part of figuring what to do with  the other systems, as if you ignore the other systems attackers will come in from that angle.

Contact us to review your systems and set up a risk management matrix for all your systems.

Run Microsoft(Powershell) Software On Linux? More Risk

Did you think it would never happen? Microsoft and Linux are increasing in their ties to each other.

So as we protect systems in our networks, we are increasingly incorporating Linux systems for various reasons, Web servers, specific SQL server database needs  or other reasons (file sharing or other support systems).

A potential threat vector to the Microsoft Windows environment/ network could be the Linux machine. Especially if Microsoft Powershell  commands can be run on a Linux machine. Now you can truly have any machine  that is taken over be the breach entry that takes down your network.

How is this possible (viewing Internet Storm Center posts)? By installing a number of software pieces:

  1. First install Powershell itself
  2. Second install Mono (an open source implementation of Microsoft’s .NET framework)
  3. Install OpenXML
  4. Now you can run Powershell

This is an interesting development as it means that even a Linux machine can be turned into a sophisticated attack machine into your environment.  Of course we knew that as Kali Linux has specific attack tools. But now we are not using attack tools but Microsoft tools running on Linux.

I want to switch directions a little bit and discuss the problems of directing a company:  By stating “Business Decisions” — “External Pressure”  in a Risk Assessment discussion.

The cybersecurity – world of vulnerabilities is in the space of “External Pressure”, but I wanted to create a picture of the whole world of Risk for a company. And the risks are in Supply Chain,cloud, leadership/labor,change in technologies.  When one sees risk for the company in its totality, the new vulnerabilities risk is much smaller in comparison to the others. especially if the other risks are changes in competitors(Amazon) or changes in environment.

It is only when some news event comes into the fore, like a major breach, then it is obvious that Cybersecurity needs to be reviewed periodically.

Of course if one did that in the first place, then one can focus on the market and technology changes.

This is the problem we computer risk professionals wage, as the CEO/CFO are forever working the major problems for the company, and they rarely see cybersecurity as a major threat – due to much more important problems for the company.

Contact Us to discuss how we can let you focus on more important things, let us do some of the Cybersecurity items.

Innovation and Cybersecurity

Amazon versus sears innovation, comparisons

The obvious angle(in 2018) is to applaud Amazon and chide Sears for the massive technological progress and stagnation respectively. 

Sure Sears did well in it’s day by pioneering catalogs and selling many things one does not think about right out of the catalog(houses and cars). But somehow when the internet technology came into being they were not interested in _this_ new “catalog”. The reason I mention this phenomena is  that it is very hard for CEO’s to see the future with a new technology.  One must live and breathe it (like Mr Bezos did).  what does it mean to “live and breathe it”? 

In my opinion it requires a CEO to understand the underlying technology, which nicely segways into Cybersecurity.  If one does not build cybersecurity from scratch (from the beginning).  Creating security after the software is built can make it difficult if not impossible to create true Cybersecurity.   In the picture above there is also an image of hurricanes which are either over land, or moving there.  Which company can better absorb “hurricane of a market”? Or an actual hurricane with the required disaster recovery plans?

Let’s list some of the risks a CEO has to think about in navigating a strategy for the future:

  1. Innovation (how to be a better company with more profits)
  2. Economic environment (general economy)
  3. Regulations (government or industry)
  4. Labor Issues (employee problems)
  5. Natural disasters (including hurricanes – electrical storms etc)
  6. Criminal endeavors (including cybersecurity)
  7. New Competitors (with technological improvements)
  8. Miscommunications by CEO or other officers that cause production problems

What order should your specific list be in?

Maybe you have Labor issues first? then Production problems, competitors and Economic environment.

Usually – Natural disasters and criminals are not in the major crosshairs of a typical company.

The reason people are not focusing on Cybersecurity is that the risk or threat does not seem to be that high in their eyes.

From the VISA  “Global Compromise Trends” informational image (from their presentation a couple of weeks ago) shows that current attacks are shifting from small merchants to eCommerce,financial institutions, and aggregators/ integrators or resellers. I.e. entities that affect several small businesses.

So we find out that for now the small businesses are not in the immediate cross hairs. But the coming Armageddon is surely coming (Winter is Coming), and how can I say that? It is because the criminal element is always changing and learning… developing new methods to attack anyone on the Internet. As soon as you spend no time on Cybersecurity it will catch up with  you.  the reason it will happen quickly and with little forewarning.  Not like a Hurricane which we can see forming off shore.

The expert analyst can see things coming, but most small businesses cannot see this happening.  The technological advances are coming fast, and it is too hard to figure out what is really going to affect a business in the future from the following major themes:

  1. AI – Artificial Intelligence and Machine Learning(Robots) are great improvements for humanity and hard to say what how it affects Cybersecurity/Innovation.
  2. Quantum Computing – Once the quantum computer has been built encryption and Cybersecurity will change quickly as the game changes.
  3. Nanotechnology – was a rallying cry and buzzword for some time, and the tech has been improving. How does this affect your world? In some ways this is already happening in current 2018/2019 computers.
  4. What will the space tech change here on earth, just like NASA’s moon program created many new technologies the drive to go to Mars will do the same.

 

So how can futurists dabbling and current innovators striving make things more difficult for the current CEO?  Well, it happened for Sears… in 18 years Sears went from a still respectable retailer to a forlorn husk of it’s former self. Why? because the Sears CEO of Y2000 did not foresee the Internet as it is today, only 18 years later we cannot go without the Internet and everyone expects eCommerce to exist (this was not obvious in 2000).  So how much time should you spend on the future?

Obviously it can’t be a majority of what we do, but we have to decide whether the future is worth 5-10% of your time. Out of a 40 hour work week, 2-4 hours could be spent on future endeavors. I believe this formula is at a minimum. 

The question is where and how you want to go with your future time, and I would like to discuss how solving the Cybersecurity problem for good (i.e. managing it on autopilot) will free up your time in innovation.

IF you build Cybersecurity into your operation then you really do not have to worry about criminals taking a big chunk of your technology(i.e. China) and then you can truly focus on the things that probably make life more interesting (new gadgets that will increase your market share).

Updated 20/23 noon: Wall Street Journal has an article  about the Ford CIO experimenting with Quantum Computers, as he signed a $100k 1-year contract with NASA’s Quantum Artificial Intelligence Laboratory. “Our mission is to be early enough in the game so that when it’s evolved to the point of maturity and applications that matter to the business, we’ll have an advantage,” said Ken Washington, Ford’s chief technology officer and vice president of research and advanced engineering, in an interview with CIO Journal.

Notice how it is important for the CIO to look to the future and innovate just like  I said above… quantum computers have the chance to completely change the game in computer processing power as it may be x to y power instead of 2 to y with current binary technologies.  x could be 4 or 10 or another number (this is being devised now) as the engineering for a quantum computer is challenging. The math is available, so all we need is the engineering to catch up with the theory.

 

So let me show you how Innovation and Cybersecurity intertwines and makes for a better company in the today and into the future.  Contact me to discuss

 

 

 

 

What Does it mean? PCI DSS Validation Process

VISA had a presentation last week online to discuss this very question “PCI DSS Validation Process”

We will get into the list shortly…   First let’s discuss why one needs a validation process. PCI stands for Payment Card Industry and in fact the PCI standards organization is composed of Visa, Mastercard, Discover, American Express and JCB(Japan Credit Bureau). In fact before they created the PCI standards organization (PCI Security Standards council) so that their customers and other service organizations that use credit card numbers have a security standard.

  1. First one must build the scope of the systems that affect PCI systems (Credit Card systems) — find all your credit card systems and software. These systems must be analyzed.
  2. Assess your computers means do Vulnerability analysis, i.e. review the patch level of computers and software.
  3. Remediate any patches that were not applied properly.
  4. Create a report that states where the status is of all 11 pieces of PCI compliance reporting  means are in compliance, state of remediation, or building the processes?
  5. Complete the AOC(Attestation of Compliance) paperwork.
  6. Submit your paperwork to your financial provider.

Most likely if you have heard this process before it was from your financial service provider (the company providing the credit card systems).

The process is simply:

Assess –>remediate –>  report

Don’t Forget – to add Audit to your list – use an independent auditor to make sure the opinion is unbiased.

Anyone with higher than 20,000 VISA Ecommerce transactions must get VISA Attestation of Compliance(AOC), or 1million or more in all channels.   From VISA pdf.

Contact Us

Test Your Incidence Response Plans

So we all must have an Incidence response plan, which is only used after a computer security problem:

  1. Detect problem
  2. Investigate problem
  3. What type of the threat to the business?
  4. Does it rise to level of “Breach”? With significant legal disclosure requirements
  5. Did the attackers steal information/data?

 

We know practice makes perfect, but how do we practice responding to a known attack without actually getting a hacker and hacking your systems?

So of course getting a pentester and having your environment tested for problems is a good thing. But we need to also have a method of trying to get our IT staff to not be afraid to follow the crumbs to a potential breach. People tend to get better the more they do something, so a pentest would also be useful for IT staff incident reports.

 

With or without a pentest it is wise to create a “write-up”  report that acts as if the breach or hack happened so the IT personnel computers will be used to working through the “paperwork” process.

 

So let us do it together?

1. We detected a problem in the logs, they were zeroed out on our windows 2012 server.

2. we do not know why this happened, but the event logs now have a handful of events (going back to yesterday only).

3. Is this a threat to the business? If there are no logs to see how will we  know what happened in the last few days before the logs were deleted?

4. Review systems, to see if any new files have been added, you will have to make comparisons to recent backups.  Also review any customer data if it resides on the server (is customer data valid?).  If you have no way of doing this today, better start working on a process now.

5. The last point is where the most difficult assessment has to be performed. Is this a threat to the business? was data stolen?

And this is exactly where many companies get tripped up. Every day you are running your business and it seems like any other day. Losing event logs does not mean much… but it could be a sign of a serious breach.

Find out if your files have been altered. the problem is that some malware is only here for other purposes, so some files being altered have lower risk and impact. How can we know if there is a high impact high risk alteration?

To have any chance of knowing a breach happened means that you need IT Personnel to do the following:

  • Vigilant employees
  • Notice  unauthorized logins
  • See unauthorized usage of computer systems
  • Reboots are mysteriously happening on the own, why?
  • review administrative account access on actions that are unknown to administrators.
  • Notice unusual outbound traffic
  • Are files being added to your computer systems without IT department knowledge?
  • Logs are being deleted or very few event logs available on critical systems
  • Was data stolen?

 

A lot of these bullet points assume you can see potential breach indicators, so here is an Infographic to help you with this process.

 

If you are not testing your incident response plans, what will happen when a real attack happens?

Contact us to help you with Oversite or auditing needs.