“Cybersecurity News” and what to do with it

So what has happened that I want to make another post about “Cybersecurity News”?

  1. Microsoft states they will implement the new CCPA (California Consumer Privacy Act) across the nation by January 1, 2020 https://blogs.microsoft.com/on-the-issues/2019/11/11/microsoft-california-privacy-rights/  November 11)
  2. 68000 patients of Methodist hospital impacted by Phishing attack  (By HIPAA Journal) (October 17)   https://www.hipaajournal.com/68000-patients-of-methodist-hospitals-impacted-by-phishing-attack/
  3. Domain Registrar Network Solutions discloses breach – although no credit card information was accessed there was account information from their data. https://www.bleepingcomputer.com/news/security/worlds-first-domain-registrar-network-solutions-discloses-breach/   (October 30)
  4. DoorDash confirmed a data breach with a third party vendor exposing 4.9 mil customers, workers or merchants.  (September 26) https://techcrunch.com/2019/09/26/doordash-data-breach/
  5. Zynga was breached, a mobile game maker claimed a hacker accessed 218 million user records. (September 30, 2019)
  6. Facebook database users’ phone numbers found online. https://techcrunch.com/2019/09/04/facebook-phone-numbers-exposed/   (September 4)

What does it mean to the regular Internet user, when large breaches happen?

First of all if you are affected then you will be notified (or should be) within a certain amount of time (depends on state – could be a few weeks). What about if one is not affected? I.e. there was no direct user under the breaches noted now one is affected because the general nature of the criminals is that they try and sell the data to other attackers. Here is where even a remote user or infrequent access user of the service may have data in the criminal database. And there is also another ‘affect’. the Darknet now has all of these databases of the breaches.  So the criminal empire has just enriched themselves with some more datapoints to send out yet more spam and phishing attempts.

So my contention is when breaches occur the criminal empire grows and our life gets harder. We have to continually evolve to keep up defenses with the new attacks generated by the criminal hacker.

What does it really mean when 218million accounts are accessed by hackers?

Or 4.9 million customers/workers/merchants?

68000 patients data was accessed by a hacker!

And to top it all off Microsoft wants to help us implement CCPA across the nation.

Contact me to discuss

What Does it Mean When Your Website’s Registrar is Hacked?

On October 16 Web.com, Networksolutions.com, and register.com had a breach, and as of Nov2nd there is no mention of anything like a breach on their website (web.com owns the others)

The breach information was obtained from the always useful Krebsonsecurity.com site.

 

So what happens when your website’s registrar was hacked? It likely means all of your personal information that you entered into the registrar is now in the hacker’s hands.

What else can happen?

Depending on how bad the breach was(how much the hackers stole) passwords could have been stolen. This is why one should change passwords periodically anyway, but especially after a breach at your registrar.

So if the hackers get sneaky, they can redirect your website to other servers and take over your webtraffic. What could happen then is that anyone trying to access your website could get malware and then get hacked. It is a possibility in this scenario to get some liability for hacking your customers inadvertently.  This is the case in any hacker scenario.

Let’s say due to errors and misconfigurations your website was hacked by the bad guys(not just a registrar error), now the bad guys set up your website to have hidden downloads for all of the people that visit it.  each one of these downloads is actually malware that installs ransomware. So now your clients and potential clients are being infected by your website.  If your client can point to your site and say that is where I got my ransomware – you could be liable!!

So a potential hack on your website has a high impact. And thus it is important to review and make sure it is in good shape all the time. It is not enough to just making sure the server is up. The website has to be unaltered.

 

Contact us to discuss this subject further.

Chrome Zero Day Vulnerability Noticed on Halloween

https://www.zdnet.com/article/halloween-scare-google-discloses-chrome-zero-day-exploited-in-the-wild/

ZDNet points out that Google Chrome has a Zero-day vulnerability – which means you cannot patch or fix your Chrome Browser.

The above image is from a Mac Chrome browser, thus I want to make sure you know any Chrome browser (including on Android or IPhone as well).

I have discussed Zero-Day vulnerabilities before (Dec15/15 post):

Zero-Day Attacks And Why Patching Means Catching Up

Here is a risk management matrix:

So this new vulnerability is a high impact and maybe a medium likelihood.  You can reduce your likelihood by being extra careful to phishing attacks.

Update Nov 5th : the Chrome Zero-day vulnerability was patched: https://www.techradar.com/news/google-patches-another-major-chrome-zero-day

So now it  is up to all of us that use Chrome to patch and update your software!!

Contact us to discuss how your risk matrix looks.

New PCI – Payment Card Industry Standards in 2019

A new Secure Software Requirements and Assessment Procedures was released v1.0 on Jan 2019.

So if you are developing software for the Payment card industry either for an application on a website or for a retail location you have a new framework and software requirements standard.

Developing software to capture credit card information (and use it) is not an easy process. This PCI framework puts a process together to make developing software more secure.

 

A few helpful aides for small business and informational items.  we know small businesses are getting attacked – successfully for many reasons. PCI Security Standard’s:  small_merchant_guide to safepayments image from pdf file.

Next is an obvious attack  angle  into   your computer. Next image is from PCISecurityStandardsCouncil resource guide  defending against phishing attacks

 

 

Most companies are not creating software  but they just want to run equipment and software that works without getting hacked. So for that to happen (stay secure and stop the hackers):

  1. Learn how phishing works and create new rules before you answer emails/ texts/ phone calls
  2. Patch and update your equipment
  3. Make sure to change passwords periodically, and make them as long as possible (more important than a complex password).
  4. Multi factor authentication is a great idea to make it harder for hackers to get a successful attack.
  5. having somebody doublecheck your environment would be a good idea and reduce errors and omissions.

Contact Us to discuss

IoT, IT and OT Merging and Needs Integrated Defense

First of all what is the alphabet soup: IoT, IT and OT?

Internet of Things, Information Technology, Operational Technology are explained best in the sans.org white paper: https://ics.sans.org/media/IT-OT-Convergence-NexDefense-Whitepaper.pdf

Operational Technology (OT) consists of hardware and software systems that monitor and control physical equipment and processes, often found in industries that manage critical infrastructure, such as water, oil & gas, energy, and utilities, but also in automated manufacturing, pharmaceutical processing, and defense networks.  It even forms the foundation of building control systems, air and road traffic controls, shipping systems and, increasingly, management of distributed data storage and processing networks, i.e., cloud services.

In other words this OT is going to be the backbone for all IoT devices (anything that will be eventually be on the Internet), like refrigerators, Alexa, Google, and Apple devices that are voice responsive. It seems to me that the utility companies will develop Asset management and IT management software so that the rest of us can also buy a type of software that can manage all our IoT/IT/OT stuff.

Here is another document from ABB (A manufacturer of PLC’s) https://search.abb.com/library/Download.aspx?DocumentID=9AKK106713A9904&LanguageCode=en&Action=Launch

You can see that integrations in a factory floor environment are important, even if not ‘very’ important. There is also a kind of urgency to this endeavor, since the future build out of IT/OT/IoT is only going to be bigger and more integrated.

Next note the 2014 IT/OT convergence survey from Siemens http://etsinsights.com/infographics/infographic-2014-utility-itot-convergence-survey/

As you can see lots of data is being collected, but costs are the reason that companies are still waiting to implement more automation and integration.

this was an interesting note: “By 2019, 35% of Large Global Manufacturers with Smart Manufacturing Initiatives Will Integrate IT and OT Systems to Achieve Advantages in Efficiency and Response Time (IDC)”

The image is from iebmedia.com document: https://iebmedia.com/index.php?id=11673&parentid=63&themeid=255&hft=95&showdetail=true&bb=1

You can see from the above images the need for IT and OT to become one, as it would be beneficial for control. but interesting to note in all of these images, where is the Cybersecurity angle?

Searching for ICS(Industrial control Systems) Cybersecurity comes up with the following:

from Automation World webpage https://www.automationworld.com/article/technologies/security/making-sense-ics-cybersecurity-market

The IT and OT commonalities are Endpoint protection, Perimeter Firewalls, and Network Segmentation(VLAN). I have also seen IDS/IPS to be used in OT. It seems to me most of the IT items could be used in OT, so the only item that is not useful or well known to iT is the One-way data diode. which only means that data will flow one way and not the other. (in the case of a critical asset). from Microarx.com

https://www.microarx.com/data-diodes

 

The differences between IT and OT devices with regards to Cybersecurity are not significant so the only stumbling block for convergence is resources and will.  It seems after some more data breaches this convergence will speed up.  It is true that ICS factory devices sometimes are legacy devices with little chance of upgrade, so the vulnerabilities are inherent to the device.This is the difference between OT and IT. OT has to have a way of defending these legacy mission critical devices, whereas most IT environments can upgrade and patch… thus making the environment less vulnerable. Legacy devices get replaced in IT. Not in the factory floor. So auditing the different environments require more expertise and preparation than an IT network where one can see all devices.

Contact Us to review your environment.