Unknown Risks – Are you ready for 2019?

Are you ready for new year surprises?

Why is it that 60% of businesses fail after a major Cyber attack?

  1. Spam Email – most attacks come in through well-crafted emails (spear phishing)
  2. Social Engineering – An attacker can use what he learns from 1 and 4 to call you and craft a sneaky way onto your network.
  3. Darkweb – all information created from 1, 2, 4, and 5 is here and for sale to other hackers. I.e. a cyber attacker does not need to be an expert at all things, only at 1, and can buy the others.
  4. Facebook Hacks – or other social media. Hackers use social media to profile you and then use 1 & 2 to attack you
  5. IoT (Internet of Things) in House – vulnerabilities are not patched and attacks come in through IoT devices
  6. Unknown Zero-Day – unknown sophisticated attack using non-defensible methods (i.e. cannot defend against this)

The following is per Smallbiztrends.com, and it looks like that is what it says: 60% of small companies go out of business within 6 months of a cyber attack.

I want to discuss why that is.

Let’s assume our small business is like most small businesses: they are living “paycheck-to-paycheck” in a small-biz manner. I.e. there is enough business to make payroll and to do a few things for the business: small changes for new technological improvements (new computer, new phones, website improvements). But is there enough time and effort to overhaul IT cyberdefense? Why overhaul when you can make adjustments, since with adjustments we can still stay alive and keep on surviving another year?

What if an unforeseen attack occurs, one that we are not ready for? That means we have to reconstruct our IT information “from scratch”, i.e. from non-electronic sources. In that case a lot of things can go wrong, and if expenses go too high or it takes too long to reconstruct, one can easily see how it might be easier for the small business to go out of business rather than create a huge debt burden. This is why 60% of small businesses go out of business after a successful cyber attack.

The attacks coming into your business are no longer from loner hackers or your neighborhood geek with too much time on his hands… The attackers are sophisticated and numerous, and the attacks certainly come daily, because it is easy to set up thousands or millions of attacks using databases purchased on the Darkweb that hold information stolen in past years' hacks. The hacker uses his computer knowledge and this information to craft sneaky spear phishing attacks. Once he is on the network it could be months before you actually find out what is happening, since he will sell his access to your network to others who are experts at extracting money out of you.

So the hacker's goal is to employ a number of experts over time to infiltrate and eventually extract money through ransomware extortion schemes… FBI news and tips for dealing with Ransomware.

New IoT attack examples from Anson McCade’s Twitter feed:

 

So in the future a crafty, sneaky attacker could control not only your business servers but also your fitness devices and more. I.e. Pay the hacker $1000 or else …

 

Contact us to update and overhaul your cyberdefense methods.

Vulnerability Management Fixed!

So that we are all on the same page: Vulnerability Management is when an IT department manages its inventory of devices with regard to what vulnerabilities each device could be at risk for.

So if every system you own has a vulnerability, and you have 1000 systems, it could get a bit challenging to manage. Consistently updating all systems for all vulnerabilities is a constant job of testing the patch and updating the production system at a time convenient for the business.

At cvedetails.com you can review all CVEs (Common Vulnerabilities and Exposures). Each piece of software and hardware can have a potential vulnerability. This is much bigger than you think.

PowerShell can give you a list of your programs:

Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -AutoSize

From the “How-To Geek” website:

A sample in this image:

The image above has 38 pieces of software (which is likely not comprehensive). Technically all of these can have a vulnerability (not including Windows and all of its subpieces).

So already you can see that 100 systems with at least 40 or 50 pieces of software each can have 4000 to 5000 software versions, which may not be the same versions across your network.

This is why there are 109403 vulnerabilities, since a vulnerability for software ABC v1.0 is different from ABC v2.0.
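
The one-line command above reads only the Wow6432Node key, which on 64-bit Windows holds 32-bit programs. The following added example (not from the original post) also reads the 64-bit and per-user uninstall keys, writes one CSV per host, and counts the distinct name/version pairs across the collected files; the function name, CSV naming and folder layout are assumptions.

```powershell
# Added example: function name, CSV naming and folder layout are assumptions.
# Uninstall keys that hold installed-program records on 64-bit Windows.
$UninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'              # 64-bit, all users
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'  # 32-bit, all users
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'              # current user only
)

function Get-SoftwareInventory {
    param([string[]]$Path = $UninstallKeys)
    Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |             # drop entries without a display name
        ForEach-Object {
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                Name      = $_.DisplayName.Trim()
                Version   = [string]$_.DisplayVersion
                Publisher = [string]$_.Publisher
            }
        } |
        Sort-Object -Property Name, Version -Unique   # same program can appear under several keys
}

# Step 1 (run on each host): write that host's inventory to a shared folder.
$OutDir = '.\inventory'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
Get-SoftwareInventory |
    Export-Csv -Path (Join-Path $OutDir "$env:COMPUTERNAME.csv") -NoTypeInformation

# Step 2 (run once): merge all host files and measure how many versions are really in use.
$all   = Get-ChildItem -Path $OutDir -Filter '*.csv' | ForEach-Object { Import-Csv -Path $_.FullName }
$hosts = @($all | Select-Object -ExpandProperty Computer -Unique).Count
$pairs = @($all | Group-Object -Property Name, Version).Count
'{0} hosts, {1} install records, {2} distinct name/version pairs' -f $hosts, @($all).Count, $pairs

# Products installed in more than one version: each extra version is another CVE list to track.
$all | Group-Object -Property Name |
    ForEach-Object {
        $versions = @($_.Group.Version | Sort-Object -Unique)
        if ($versions.Count -gt 1) {
            [pscustomobject]@{ Name = $_.Name; Versions = $versions -join ', '; Installs = $_.Count }
        }
    } | Sort-Object -Property Installs -Descending | Format-Table -AutoSize
```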

So if this is such a large difficult beast, how can we tame it? Or even fix it?

Actually it is relatively easy to fix by combining Risk management and vulnerability management.

 

Evaluate all your systems – which system has the most risk and highest impact with failure?

This system should receive most of your focus for testing and updating. And that is just the start, because now comes the difficult part of figuring out what to do with the other systems: if you ignore them, attackers will come in from that angle.
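
One way to turn that evaluation into a ranked list, shown as an added example rather than anything from the original post: each system gets an impact-times-likelihood score, and a patch-age baseline flags low-ranked hosts that have been left alone too long. All system names, ratings and thresholds are constructed for illustration.

```powershell
# Added example: all names, scores and thresholds below are constructed for illustration.
# Impact and Exposure are rated 1 (low) to 5 (high) by the business; OpenVulns is the number
# of unpatched vulnerabilities matched to the host's software; DaysSincePatch is patch age.
$systems = @'
Name,Role,Impact,Exposure,OpenVulns,DaysSincePatch
PAY-DB01,Card payment database,5,2,4,20
WEB-01,Public web server,4,5,7,35
FILE-02,Internal file share,3,2,12,60
HR-PC-14,HR workstation,2,3,3,15
LAB-PRN1,Lab print server,1,2,9,210
'@ | ConvertFrom-Csv

function Get-RiskRanking {
    param(
        [Parameter(Mandatory)] [object[]]$System,
        [int]$VulnStep = 5,          # more open vulnerabilities than this raises likelihood one step
        [int]$MaxPatchAgeDays = 90   # baseline every system must meet, whatever its rank
    )
    $System | ForEach-Object {
        $bump       = if ([int]$_.OpenVulns -gt $VulnStep) { 1 } else { 0 }
        $likelihood = [math]::Min(5, [int]$_.Exposure + $bump)
        [pscustomobject]@{
            Name       = $_.Name
            Role       = $_.Role
            Impact     = [int]$_.Impact
            Likelihood = $likelihood
            Score      = [int]$_.Impact * $likelihood     # impact x likelihood matrix cell
            Overdue    = [int]$_.DaysSincePatch -gt $MaxPatchAgeDays
        }
    } | Sort-Object -Property Score, Impact -Descending
}

$ranking = Get-RiskRanking -System $systems

# Full matrix, highest score first: the top rows get testing and patching effort first.
$ranking | Format-Table -AutoSize

# A low score is not a reason to ignore a host: anything past the patch-age baseline
# is listed separately, because a neglected system is still a way in.
$ranking | Where-Object { $_.Overdue } | Format-Table -Property Name, Role, Score -AutoSize
```

With the sample data the public web server ranks first, while the lab print server ranks last but is the only host reported as overdue.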

Contact us to review your systems and set up a risk management matrix for all your systems.

Run Microsoft (PowerShell) Software On Linux? More Risk

Did you think it would never happen? Microsoft and Linux are increasing in their ties to each other.

So as we protect systems in our networks, we are increasingly incorporating Linux systems for various reasons: web servers, specific SQL server database needs, or other reasons (file sharing or other support systems).

A potential threat vector to the Microsoft Windows environment/network could be the Linux machine, especially if Microsoft PowerShell commands can be run on a Linux machine. Now you can truly have any machine that is taken over be the breach entry that takes down your network.

How is this possible (viewing Internet Storm Center posts)? By installing a number of software pieces:

  1. First install PowerShell itself
  2. Second install Mono (an open source implementation of Microsoft’s .NET framework)
  3. Install OpenXML
  4. Now you can run PowerShell

This is an interesting development, as it means that even a Linux machine can be turned into a sophisticated attack machine against your environment. Of course we knew that, as Kali Linux has specific attack tools. But now we are not using attack tools but Microsoft tools running on Linux.

I want to switch directions a little bit and discuss the problems of directing a company, by placing “Business Decisions” and “External Pressure” in a Risk Assessment discussion.

The cybersecurity world of vulnerabilities is in the space of “External Pressure”, but I wanted to create a picture of the whole world of risk for a company. The risks are in supply chain, cloud, leadership/labor, and change in technologies. When one sees risk for the company in its totality, the risk from new vulnerabilities is much smaller in comparison to the others, especially if the other risks are changes in competitors (Amazon) or changes in environment.

It is only when some news event comes to the fore, like a major breach, that it becomes obvious that Cybersecurity needs to be reviewed periodically.

Of course if one did that in the first place, then one can focus on the market and technology changes.

This is the problem we computer risk professionals face, as the CEO/CFO are forever working the major problems for the company, and they rarely see cybersecurity as a major threat, due to much more important problems for the company.

Contact Us to discuss how we can let you focus on more important things while we do some of the Cybersecurity items.

Innovation and Cybersecurity

Amazon versus Sears: innovation comparisons

The obvious angle (in 2018) is to applaud Amazon and chide Sears for the massive technological progress and stagnation respectively.

Sure, Sears did well in its day by pioneering catalogs and selling many things one does not think about right out of the catalog (houses and cars). But somehow when internet technology came into being they were not interested in _this_ new “catalog”. The reason I mention this phenomenon is that it is very hard for CEOs to see the future with a new technology. One must live and breathe it (like Mr Bezos did). What does it mean to “live and breathe it”?

In my opinion it requires a CEO to understand the underlying technology, which nicely segues into Cybersecurity. One has to build cybersecurity in from scratch (from the beginning): creating security after the software is built can make it difficult, if not impossible, to create true Cybersecurity. In the picture above there is also an image of hurricanes which are either over land, or moving there. Which company can better absorb a “hurricane of a market”? Or an actual hurricane with the required disaster recovery plans?

Let’s list some of the risks a CEO has to think about in navigating a strategy for the future:

  1. Innovation (how to be a better company with more profits)
  2. Economic environment (general economy)
  3. Regulations (government or industry)
  4. Labor Issues (employee problems)
  5. Natural disasters (including hurricanes – electrical storms etc)
  6. Criminal endeavors (including cybersecurity)
  7. New Competitors (with technological improvements)
  8. Miscommunications by CEO or other officers that cause production problems

What order should your specific list be in?

Maybe you have labor issues first? Then production problems, competitors and the economic environment.

Usually, natural disasters and criminals are not in the major crosshairs of a typical company.

The reason people are not focusing on Cybersecurity is that the risk or threat does not seem to be that high in their eyes.

The VISA “Global Compromise Trends” informational image (from their presentation a couple of weeks ago) shows that current attacks are shifting from small merchants to eCommerce, financial institutions, and aggregators/integrators or resellers. I.e. entities that affect several small businesses.

So we find out that for now the small businesses are not in the immediate crosshairs. But Armageddon is surely coming (Winter is Coming), and how can I say that? It is because the criminal element is always changing and learning… developing new methods to attack anyone on the Internet. As soon as you spend no time on Cybersecurity it will catch up with you, and it will happen quickly and with little forewarning, not like a hurricane, which we can see forming offshore.

The expert analyst can see things coming, but most small businesses cannot see this happening. The technological advances are coming fast, and it is too hard to figure out what is really going to affect a business in the future from the following major themes:

  1. AI – Artificial Intelligence and Machine Learning (Robots) are great improvements for humanity, and it is hard to say how they affect Cybersecurity/Innovation.
  2. Quantum Computing – Once the quantum computer has been built, encryption and Cybersecurity will change quickly as the game changes.
  3. Nanotechnology – was a rallying cry and buzzword for some time, and the tech has been improving. How does this affect your world? In some ways this is already happening in current 2018/2019 computers.
  4. What will space tech change here on earth? Just like NASA’s moon program created many new technologies, the drive to go to Mars will do the same.

 

So how can futurists dabbling and current innovators striving make things more difficult for the current CEO? Well, it happened for Sears… in 18 years Sears went from a still respectable retailer to a forlorn husk of its former self. Why? Because the Sears CEO of Y2000 did not foresee the Internet as it is today; only 18 years later we cannot go without the Internet and everyone expects eCommerce to exist (this was not obvious in 2000). So how much time should you spend on the future?

Obviously it can’t be a majority of what we do, but we have to decide whether the future is worth 5-10% of your time. Out of a 40 hour work week, 2-4 hours could be spent on future endeavors. I believe this formula is a minimum.

The question is where and how you want to go with your future time, and I would like to discuss how solving the Cybersecurity problem for good (i.e. managing it on autopilot) will free up your time for innovation.

If you build Cybersecurity into your operation then you really do not have to worry about criminals taking a big chunk of your technology (i.e. China), and then you can truly focus on the things that probably make life more interesting (new gadgets that will increase your market share).

Updated 20/23 noon: Wall Street Journal has an article  about the Ford CIO experimenting with Quantum Computers, as he signed a $100k 1-year contract with NASA’s Quantum Artificial Intelligence Laboratory. “Our mission is to be early enough in the game so that when it’s evolved to the point of maturity and applications that matter to the business, we’ll have an advantage,” said Ken Washington, Ford’s chief technology officer and vice president of research and advanced engineering, in an interview with CIO Journal.

Notice how it is important for the CIO to look to the future and innovate, just like I said above… quantum computers have the chance to completely change the game in computer processing power, as it may be x to the y power instead of 2 to the y with current binary technologies. x could be 4 or 10 or another number (this is being devised now), as the engineering for a quantum computer is challenging. The math is available, so all we need is the engineering to catch up with the theory.

 

So let me show you how Innovation and Cybersecurity intertwine and make for a better company today and into the future. Contact me to discuss.

 

 

 

 

What Does it mean? PCI DSS Validation Process

VISA had a presentation online last week to discuss this very question: “PCI DSS Validation Process”.

We will get into the list shortly… First let’s discuss why one needs a validation process. PCI stands for Payment Card Industry, and in fact the PCI standards organization is composed of Visa, Mastercard, Discover, American Express and JCB (Japan Credit Bureau). They created the PCI standards organization (PCI Security Standards Council) so that their customers and other service organizations that use credit card numbers have a security standard.

  1. First one must build the scope of the systems that affect PCI systems (Credit Card systems) — find all your credit card systems and software. These systems must be analyzed.
  2. Assess your computers: this means doing vulnerability analysis, i.e. reviewing the patch level of computers and software.
  3. Remediate any patches that were not applied properly.
  4. Create a report that states the status of all 11 pieces of PCI compliance reporting: in compliance, in a state of remediation, or still building the processes.
  5. Complete the AOC (Attestation of Compliance) paperwork.
  6. Submit your paperwork to your financial provider.

Most likely, if you have heard of this process before, it was from your financial service provider (the company providing the credit card systems).

The process is simply:

Assess -> remediate -> report

Don’t forget to add Audit to your list – use an independent auditor to make sure the opinion is unbiased.

Anyone with more than 20,000 VISA Ecommerce transactions, or 1 million or more in all channels, must get a VISA Attestation of Compliance (AOC). From VISA pdf.

Contact Us