Why Is It Cybersecurity Pros Make It Complicated?

We say things like: DO NOT CLICK ON Phishing emails!!

But then Equifax creates www.experianidentityservice.co.uk ???  or creditexpert.co.uk/login/login

Bsides in London earlier this year had a presentation by Meadow Ellis (@notameadow).

Meadow makes a good point, as we as Cybersecurity professionals ask users to be careful what you click, and then  somebody in the company makes a difficult to read domain name, since the easy ones are taken.

So if a user can at times be duped and then clicks on malware (let’s face it users will  never be 100% accurate) then we must assume that the hackers can go into one of our systems inside the firewall.

So this scenario describes why we need to have zero-trust network architecture, and in a zero-trust network, we assume the bad guys are everywhere, so it requires identity management to be hardened.

Assume that phishing will work eventually in your environment

Here is where tyhe phishing domains are actually coming from(Paloaltonetworks.com post):

You see the problem is all the hosting companies are in the USA  so as I mentioned all the attackers are already in our midst.

Your risk management and Cybersecurity plans need to reflect that.

Your marketing efforts should reflect a simple domain structure that makes sense so that when the phishing people try to scam your customers, they will hopefully see through the bad domains.

As per Isaca presentation: “State of Cybersecurity”  90% of all federal (US) breaches are started with a phishing email.

 

Contact us to discuss your cybersecurity risk management profile.

 

Achieve True Privacy Protections

Your data and your customer data must be protected and in such a manner that even a breach in an area is not making it easy for the criminal to get the last link and thus the whole database.  Losing a portion of customer data is bad, but losing all of it is much worse.

So just like we have a layered defense in our network a layered defense of the database  is essential.

Before we  discuss technical details it is good to lay out how we intend to use the customer and employee data.

Because the technical people should look at a document that says how you will use data so that  customers, vendors, and employees know what is happening(or supposed to happen).

Also knowing what to do when there is a failure is important.

So we need to answer the following:

  1. Where is the data?
  2. Who has data?
  3. Why is data kept?
  4. What data is kept?
  5. How is data kept is a technical issue, and should be answered if encryption is answered.
  6. When will data be kept til? Forever? or is there a time lapse?
  7. How much data will be kept? (similar to what?) but can clarify the amount and size.

 

The new data privacy compliance law in the EU is GDPR(General Data protection regulation) and we have discussed this before at “Can European Regulation Help You Design Data Privacy”

In the us there are NIST(National Institute of Standards & Technology) standards – specifically 800-171. Which this company (Imprimis) has a video and discusses the complete process to go through to get yourself compliant for government oversight/ contracts.

The interesting slide is the next one that discusses the continuous compliance state one must build into any program

 

continuous monitoring, training and improvements must be done while performing quarterly periodic scans, and annual assessments.

 

We have discussed periodic scans before: our recon scan and vulnerability assessments

NIST 800-171 is the defacto standard of the US government and all of the contractors, sub-contractors, and anyone who is handling classified or CUI(Controlled Unclassified Information) data.  there are 110 items that one has to write an assessment on. So if your data is classified/unclassified one has a framework to work in.

PCI Payment card industry has a new version out (as of May 2018)  Summary of changes link

basically this latest compliance update is just a confirmation of TLS v1.1 or higher and some errata fixes.  Our post: Internet insecure without TLS

So although everyone has different data to place in the  Who, What, When, Why, Where, and how/how much we need to review and constantly improve our data storage and redemption states.

 

Contact Us to review this.

 

100 days to find adversary in Network: Do I hear 50?

How can we improve the odds of finding a criminal hacker in our networks?   (My old blogpost in 2017 discusses some threats in your network “Insider Threats: No1 Cybersecurity Problem” in case you want to review)

A great video on this topic is the following Irongeek.com video from BSides Charm2018

In this part of the video they are explaining all the logs and where the logs should be sent.  The idea to send the logs to Splunk is to then create a ticket or an SMS alert to a team.  After Splunk receives data you have to configure Splunk to  create SMS alerts and tickets.

There are specific items to look for in your logs to help you find the criminal hacker.monitoring email

monitor who accesses OWA (Outlook Web Access), monitor the attachments sent out, file transfers.

Web traffic, monitor proxy logs – what sites get accessed? Who is trying to go to dangerous websites.

 

Create daily reports and then you will see what is normal.

Every environment is different, with varying needs for compliance and other needs (HIPAA compliance is likely not needed from a Flower retailer).

The above diagram in the video is the most important diagram for you to understand and digest:

I.e. most companies and people end up logging everything and thus do not check anything (because you cannot drink from a firehose) OR log very little – nothing.   So this is why one must understand what is important in logging to you.

Even though it may be different with every company there will be a specific report that will become a goto report that you will review daily for suspicious behavior. Do not become a statistic which says you do not see the criminal hacker in your network for 100 days, or are told of a breach by law enforcement.  That means you will know at that time that IT has not done their job (too late of course).

 

Get ahead of future problems, and contact us to review your logging environment.

Protect Privacy of Client Data using New Ways

Do you want to actually improve your level of Cybersecurity?

What will you do differently today or in the next few months better than last year?

As in past post the GDPR has laid out new regulations 

that affect an entity that has data of an EU resident with impact on any of the following:

  1. Private and family life, home and communications data
  2. Physical and mental integrity
  3. Personal data
  4. Freedom to work and choose occupation
  5. Freedom of thought , conscience and religion
  6. Freedom of expression

The key in this graph is to be near the Green shaded squares, and not the bright red squares. I.e. having a high probability with a critical impact is bad and requires focus.  Whereas an unlikely probability is negligible impact then this is not so important to focus on.

The problem is to find the Critical impact and high probability events in a manner that are easy to see as well.

In the computer world we have focused almost exclusively on personal data (PII – Personal Identifiable Identity).

But there are more difficult to identify privacy concerns such as:

What does it mean to protect freedom of expression?

So if someone has a political cause that they follow, like Greenpeace. If for some reason another non-profit has an interest in getting new donations.  Here is a google search that had a “People also search for”  area:

So keeping even a log of searches or other information might lessen some freedom.

Freedom to choose an occupation?

How can lack of privacy screw up your freedom to choose an occupation? Besides the pictures on Facebook about your late night parties. What if you say one thing on Facebook, and yet another in interview?

Freedom of thought?

The freedom of thought may be happening already, but that may be “good”. If you are a criminal and try to add illegal items for sale, that may not be possible due to the filters. Although your freedom was curtailed, the overall good of less illegal acts on the Internet may be desirable. Other curtailing of freedom of thought as in my politics is better than yours is quite more complicated to curtail or even attempt to make fair, as it is in the eye of beholder. So politics may not be able to be policed.  This subject will depend on the country it is in, as USA has a unique constitution as in freedom of press and speech.

Private and home communications?

Here the nirvana of the advertiser means to learn how you use ‘stuff’ so that they can modify and make you buy their ‘stuff’ instead. So how much of private information should be ‘clouded’? Too bad there are  no smoke generators, where one can create a bunch of junk signals that makes the advertiser just confused.

 

So you can see that Cyber is about People and information, as an interesting Youtube Blackhat keynote said (presented by The Grugq) : Cyber is a new dimension in conflict which is still not fully theorized or conceptualized. Not that it is stopping anybody.

So we have to start focusing on privacy data protection in many new ways (and use the GDPR as a start – only because one can see into the initial bureaucracy mind of regulations of privacy).

 

Contact us to get a start on the new privacy regulations to come.

Can European Regulation Help You Design Data Privacy?

There is a great video overview of what it is GDPR(General Data Protection Regulation): “Preparing for GDPR” by John Elliott, head of payment security, EasyJet

Make no mistake, bureaucrats like to look at each others notes, so if a “new” regulatory method is coming … the US and Asia is watching.  In fact the GDPR has some aspects of American breach regulations, which apparently European countries have not had before(notification of breaches).

In my eyes the most interesting aspect of GDPR is that this snapshot of the video shows how it is now focusing on potential data security problems (breach, privacy etc) which will be weighed as to it’s effect on the actual customer data. i.e. besides the breach and obvious effect of a number records stolen to criminal hackers. There is a “respect for private and family life, home and communications”, “Freedom to work and choose an occupation”.  These two sentences picked out of the others show that the bureaucrat can make up a lot of rules out of this, and it is not clear what the company has to do to the data for it to be “respect for private and family life”.  It may be that the data has to be deleted so that no one sees it after so many days.

The general nature of this new effort by the EU is of course written in this manner because technology is ever changing. Thus it is hard to write regulations with new technologies especially as they are implemented faster than the regulations are written( the last time EU regs were redone was in the 90s).

Another snippet from the video refers to general security note of what he terms it as a “Regulatory Zone of Compliance”:

A graph of how much focus every entity wants to end use on GDPR.

The four choices:

  1. Money is no object
  2. Playing safe
  3. Probably ok
  4. Hope we are lucky

I think I would change #1 to “100% safe by using all possible effort and resources($$) to ensure this”.

And maybe add to #4 the phrase “we will not be hacked or regulators will not find out if a problem occurs”

But instead why don’t we change this graph to a Focus on Cybersecurity %? Which dovetails closer to my Psychology of Security past blogpost.

What is our Focus on Cybersecurity?

Best to start at bottom.

  1. Little Focus (25% of what it needs to be) – hope regulatory bodies and hackers avoid us
  2. Good Focus (50% of the effort) – we make some effort at regulation and defense against hackers
  3. Better Focus( 75% of effort) – more effort at defense against hackers and compliance
  4. Best Focus (100% effort) – There is no expense spared and effort performed that we will not make sure  that hackers do not affect business, of course compliance is a given.

Is it the Best it can be? 100% effort?

The Psychology of Security if you remember, has to do with most people not focusing on security, since the risk is not obvious and thus we are willing to risk higher and higher levels until it stares us down.

So we need to discuss a way for us to change minds, if you have problems with decisions at the top.

Where we need to be more secure, here is where compliance can help us make the people that run organizations focus more on security and data privacy.

Since Security decisions are dependent on emotions as well as practicality, we can fulfill both by saying we will tackle this new compliance as we do not want to get fined and reduce the FUD (Fear Uncertainty and Doubt) or emotions.

 

In fulfilling this compliance we are also protecting our client data, although it may seem hard to see.  The bureaucratic movement never ends, and even now it is learning from the EU in america, and make no mistake… it will come here soon enough. Better to  get ahead of this push.

What I would recommend is to find all of your client data and make sure that you are not selling it or even the look of selling it.

Be careful how you handle the data.   Treat it better than your own, treat it as if it is gold (or bitcoin).

 

Contact me to discuss this in detail.