Category: securitycompliance

Vulnerability Management Fixed!

So that we are all on the same page -Vulnerability Management is when an IT department manages it’s inventory of devices with regard to what vulnerabilities each device could be at risk for.

So if every system you own has a vulnerability, and you have 1000 systems it could get a bit challenging to manage. Consistently updating all systems for all vulnerabilities is a constant job of testing the patch, and updating the production system at a convenient time to the business.

At cvedetails.com you can review all cve’s (Common Vulnerabilities and Exposures)Each piece of software and hardware can have a potential vulnerability. This is much bigger than you think.

Powershell can give you a list of your programs:

Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table –AutoSize

From the “How-To Geek” website:

A sample in this image:

The image above has 38 pieces of software(which is likely not comprehensive).   Technically all of these can have a vulnerability(not including Windows and all of it’s subpieces).

So already you can see that 100 systems with at least 40 or 50 pieces can have 4000 to 5000 software versions that may not be the same versions for your network.

This is why there are 109403 vulnerabilities, since a vulnerability for software ABC v1.0 is different from ABC v2.0.

So if this is such a large difficult beast, how can we tame it? Or even fix it?

Actually it is relatively easy to fix by combining Risk management and vulnerability management.

 

Evaluate all your systems – which system has the most risk and highest impact with failure?

Finding this system should receive most of your focus on testing and updating. And that is just the start, as now the difficult part of figuring what to do with  the other systems, as if you ignore the other systems attackers will come in from that angle.

Contact us to review your systems and set up a risk management matrix for all your systems.

Run Microsoft(Powershell) Software On Linux? More Risk

Did you think it would never happen? Microsoft and Linux are increasing in their ties to each other.

So as we protect systems in our networks, we are increasingly incorporating Linux systems for various reasons, Web servers, specific SQL server database needs  or other reasons (file sharing or other support systems).

A potential threat vector to the Microsoft Windows environment/ network could be the Linux machine. Especially if Microsoft Powershell  commands can be run on a Linux machine. Now you can truly have any machine  that is taken over be the breach entry that takes down your network.

How is this possible (viewing Internet Storm Center posts)? By installing a number of software pieces:

  1. First install Powershell itself
  2. Second install Mono (an open source implementation of Microsoft’s .NET framework)
  3. Install OpenXML
  4. Now you can run Powershell

This is an interesting development as it means that even a Linux machine can be turned into a sophisticated attack machine into your environment.  Of course we knew that as Kali Linux has specific attack tools. But now we are not using attack tools but Microsoft tools running on Linux.

I want to switch directions a little bit and discuss the problems of directing a company:  By stating “Business Decisions” — “External Pressure”  in a Risk Assessment discussion.

The cybersecurity – world of vulnerabilities is in the space of “External Pressure”, but I wanted to create a picture of the whole world of Risk for a company. And the risks are in Supply Chain,cloud, leadership/labor,change in technologies.  When one sees risk for the company in its totality, the new vulnerabilities risk is much smaller in comparison to the others. especially if the other risks are changes in competitors(Amazon) or changes in environment.

It is only when some news event comes into the fore, like a major breach, then it is obvious that Cybersecurity needs to be reviewed periodically.

Of course if one did that in the first place, then one can focus on the market and technology changes.

This is the problem we computer risk professionals wage, as the CEO/CFO are forever working the major problems for the company, and they rarely see cybersecurity as a major threat – due to much more important problems for the company.

Contact Us to discuss how we can let you focus on more important things, let us do some of the Cybersecurity items.

What Does it mean? PCI DSS Validation Process

VISA had a presentation last week online to discuss this very question “PCI DSS Validation Process”

We will get into the list shortly…   First let’s discuss why one needs a validation process. PCI stands for Payment Card Industry and in fact the PCI standards organization is composed of Visa, Mastercard, Discover, American Express and JCB(Japan Credit Bureau). In fact before they created the PCI standards organization (PCI Security Standards council) so that their customers and other service organizations that use credit card numbers have a security standard.

  1. First one must build the scope of the systems that affect PCI systems (Credit Card systems) — find all your credit card systems and software. These systems must be analyzed.
  2. Assess your computers means do Vulnerability analysis, i.e. review the patch level of computers and software.
  3. Remediate any patches that were not applied properly.
  4. Create a report that states where the status is of all 11 pieces of PCI compliance reporting  means are in compliance, state of remediation, or building the processes?
  5. Complete the AOC(Attestation of Compliance) paperwork.
  6. Submit your paperwork to your financial provider.

Most likely if you have heard this process before it was from your financial service provider (the company providing the credit card systems).

The process is simply:

Assess –>remediate –>  report

Don’t Forget – to add Audit to your list – use an independent auditor to make sure the opinion is unbiased.

Anyone with higher than 20,000 VISA Ecommerce transactions must get VISA Attestation of Compliance(AOC), or 1million or more in all channels.   From VISA pdf.

Contact Us

Does Outsourcing Make You More Secure?

Outsourcing is good, since we cannot specialize in everything we can focus on sales or inventory instead of mundane tasks. So what is important and what is mundane? That depends on your business…  most businesses are not a software company, so obtaining software needs by outsourcing may be smart.  Then the question is should you buy software or just rent the software on a server(“the cloud”) on the Internet?

The answers to what is important depends on your business. Obviously if you are a restaurant, it is food. But what if it is not as obvious?  How about if you are selling services online and offline(with sales people)?

Every business has customers or patients, (whatever the industry term is). And every business has to get paid somehow. So the payment information and customer database has to be secured in all businesses(or for that matter non-profits as well).

Customers are important to the business since they keep the business afloat. Thus everything to do with our customers is important to us and our competitors. Of course employee data is also important to keep secure.

This methodology is the same line of thinking when you set up a risk management analysis.

Depending on the business some important information electronically may be how one creates a product.

For all businesses the financial transactions, accounting and anything to do with money has to be safeguarded. Overarching needs of Identity Access Management(IAM) is important.

The major business sectors:

  1. Sales of items not unique(commodities) retail, wholesale, restaurants etc.
  2. Manufacturing, Mining, and Farming industries that obtain stuffs from the earth, and might have IP (intellectual property)
  3. Health industry – any business that takes care of patients
  4. Consultant industry – bills hourly rate with labor
  5. Computer  systems are used to create technology

All of these businesses have some things in common, even if not all of them may have IP (Intellectual Property), Customer database, Computer Equipment, Financial Information (accounting).

The commonality of the computer systems, accounting,customers, and employees makes all businesses think what exactly do we outsource?   the experts say outsource the functions that are not central to your main business model.  So everyone except for accountants could outsource the financial applications by using online Internet apps in the cloud(someone else runs the computer).  Notice, I do not say the reason to outsource is to be more secure.  Security on the Internet is not predicated on whether you outsource to the cloud.

To outsource has to do with business reasons not security.  The bottom line in the year 2018 and beyond Cybersecurity must be in everything no matter what.  The key is even though we expect it(Cybersecurity) we do not want to overpay.  So this is where the next stage of our analysis comes into play.

RISK MANAGEMENT – is a direct result of what is important to the business, what is outsourced, and how to allocate resources.

Every business is different, and must make the choices to weigh the needs of the business.  If you have IP then that could be more important than customers, since the customers will come back to you if you have the IP.

But if there is no IP, the most important functions might be a close tie between customers and financial (Credit Card or bank information). Everyone has Computers that connect to the Internet, here is where the true outsourcing idea can come to fruition.  So we still have to secure our personal devices to connect to the cloud.

Social Engineering and scams can always take over and steal your hard earned resources even if you have good security.  So the reality is outsourcing or “the cloud” does not matter.

Secure your devices!!  Keep up to speed with changing cybersecurity landscape such as in our Security News Analyzed page.

Contact us to make this happen by using security policies, risk management analysis and more.

 

Unknown Risks: Possible to Gauge?

Does the definition of unknown make measuring  risk also unknown?

Let’s assume a cloud account has been created on Amazon Cloud(AWS – Amazon Web Services)  or elsewhere (Rackspace, Azure, or Google cloud)

This cloud account will always be the Achilles heel of your Internet presence.  I.e. if someone gets a hold of he main account instead of who is supposed to take care of it, the criminal hacker can modify and add users so as to make imperceptible changes to your website until it is too late.

Then let’s dissect an interesting interview with Bruce Schneier at Threatpost about “Going Dark”   

Specifically “people’s long tail of digital metadata.

A person’s metadata will include the phone’s gmail account, all the places you have been using Google’s map app, and many other apps that are on your phone and soon your car. How will it all look once everything in your house, car, and work is interconnected? Identity Access Management will be that much more important.

I.e. how you can access the phone and all the apps. Every time an app says you can reset your password by sending an email, that means the email is the one thing that has to be defended without fail.

So if the cloud account was set up with a specific email, that email account has to be defended without a hacker even remotely able to access it. Of course one has to keep operational intelligence about various company actions out of social media.  I.e. a new promotion in IT in charge of cloud accounts is not something to discuss in social media(in fact anywhere). You can say you have understanding in cloud architecture, but I would not get into details.  It is important to keep many details about your environment out of any site on the Internet.

Notice how a Facebook “friend” can send you phishing requests via SMS (text or messages via Facebook) and try to get access to your computer that way.  if you click on link then it goes to a website that looks like Facebook but is really a scam. notice the URL:  facebook.ssbh.edu.bd (a Bulgarian university server)   This example is from today’s post in Internet Storm Center: Facebook Phishing via SMS

There are many ways somebody can get access to your credentials, including if you just give them away.

My policy is to never follow a link if they are asking for my credentials I just do not enter them.  Answering a bunch of questions about some quiz on Facebook, on whether you are Italian or not… is generally a bad idea as Kirstin Fawcett wrote in mentalfloss.com :“taking Facebook Quizzes Could Put You at Risk For Identity Theft”

Or maybe they are called ‘surveys’ , either way  they constitute a risk that may not be worth taking.   Every action on the Internet  increases your risk of a potential attacker gaining more insight into your environment / personal life/ or other facet that advances an attacker.

Spam email is a perfect phishing attack by hackers to gain information or credentials from you. – never click on a link that then asks for credentials to be entered.   Are there exceptions to this rule? unfortunately yes, as some reset procedures require you to click and reset your credentials in some environments.  So how does one get past this?  Not every user is going to be well versed in Domain name methods of hackers. And to some degree there will never be a 100% foolproof way to differentiate good sites from bad.

So do your social engineering training and keep up with attacks, and you have to accept some risk.

Back to my original question are unknown risk possible to gauge?  I think that some risk is impossible to put a number on it. But we can mitigate and accept some unknown risk, and keep vigilance.   Knowing as much as we can about potential unknowns is the est we can do – Some Unknown  unknowns are inevitable, but no point fretting on those.

contact Us to discuss this.