The Enemy Has a Say in Your Best Plans

In the field of Cybersecurity we have to do a lot of basic things, as discussed at Behavioralscientist.org.

So what is your plan? Firewall, antivirus, vigilant IT staff, updating devices and software…

What are your enemies’ plans?

When your enemy actually interacts with your employees, it shows.

There are always business-level threats (where employees are spoofed, or vendors are spoofed).

Do you have a new device with Machine Learning (a basic type of AI, Artificial Intelligence)? Then the enemy will do something to counteract that.

Adversarial Machine Learning. It works against your ML goals, and will eventually try to corrupt them by adding faulty data and thus changing the assumptions built into your data set.

Another way to use Adversarial Machine Learning is to use this method to ‘teach’ your ML to get better results. It turns out that GANs (Generative Adversarial Networks) do just that.

For example, the first sentence of the “Adversarial Machine Learning at Scale” paper from Cornell University:

“Adversarial examples are malicious inputs designed to fool machine learning models.”

This improves the ML models if done right. This method has not yet been used by criminals, as they are still figuring out how to incorporate it into their attacks.

So they may not use this as an adversarial attack; instead they may devise ML-driven attacks which will be hard to distinguish and will improve faster.

Ian Goodfellow (the researcher who created GANs – Generative Adversarial Networks) has used this adversarial nature to make a better AI algorithm. Where has this already worked? Initially he was looking at security within the AI world, and when he created GANs it was obvious that he was making AI better.

Who would have known, but AI is creating new images of cats that are entirely ‘fake’, or better, ‘artificial’. The algorithm creates a new kind of cat picture on demand.

Meow Generator: ML algorithms that design cat pictures.

So what does this really mean? Fake pictures of people, animals and other items will start to proliferate.

It remains to be seen how this aspect of AI is actually going to be useful.

Do you want to test ML for Cybersecurity?

We are developing new tests for AI and ML – contact us to discuss.

Malware, Routers Injected, Stolen Identities, Just Another Cyberday

A few headlines in a day or two – a typical day at the Cybersecurity Office.

Verizon routers: a command injection flaw could impact millions of routers. High-severity flaw, CVSS score 8.5.

“The vulnerabilities exist in the API backend of the Verizon Fios Quantum Gateway (G1100), which supports the administrative web interface.”

Exodus spyware attacking Apple iOS. It is interesting that what started as an enterprise tool for surveillance or other control of Apple devices was turned into spyware by the bad guys.

“Several technical details indicated that the software was likely the product of a well-funded development effort and aimed at the lawful intercept market,” researchers said in an analysis shared with Threatpost.

2.4 million Blur password manager users exposed, after a server exposed a file containing sensitive information about Blur users (name, email, password hints, encrypted Blur password).

The hits just keep on coming. We are bound to have more data breaches this year, 2019.

So what does it really mean? Is there a higher threat level today versus yesterday?

Here is the Internet Storm Center Infocon status:

Internet Storm Center Infocon Status

So even with more breaches the Internet still has a Green level… This is ISC’s explanation:

“The intent of the ‘Infocon’ is to reflect changes in malicious traffic and the possibility of disrupted connectivity. In particular important is the concept of “Change”. Every host connected to the Internet is subject to some amount of traffic caused by worms and viruses. However, once a worm has been identified and the number of infected machines is no longer increasing, this traffic is not likely to cause any disruptions.”

But what effect do all of these breaches have? I can hear the business people talking… None of these companies went out of business, so why should I upend my business and spend a lot more money to do things more securely?

Do we always have to do things only to make more money? How about doing what it takes to make sure your customers do not have to spend time fixing their credit lives after a breach?

Remember, even Windows 10 has a lifecycle and will not receive patches after a certain date.

Contact Us to discuss how to avoid getting a breach in the first place.

No Mas – Uncle!!! IT Departments Under Siege

We are inundated with constant headlines:

Thousands and sometimes millions of records stolen by hackers (the bad guys).

In fact, the worst breaches are of health records, as in this article at Forbes.

“The number of annual health data breaches increased 70% to 344 over the past seven years, with 75% of the breached, lost, or stolen records – 132 million – being breached by a “hacking or IT incident,” a nebulous category created by the government that doesn’t appear to distinguish malicious theft from accidental loss.”

The difficulty of people losing control of their health records has not been felt yet. What will happen when a ‘fake’ medical record has already received your monthly pharmaceutical allotment?

The crush of constant attacks and constant patching in the IT department causes much stress.

We have monthly patch updates for operating systems (Microsoft Windows) and the underlying software (MS Office, Adobe, Java, financial software, Cisco and others). The patches and vulnerabilities never end.

Next month there are new vulnerabilities and new ways that an attacker can achieve their aims.

Here is a snippet from the CVE Details website:

Since 1999 there have been 112,364 vulnerabilities, sometimes 16k in one year. This is a huge crush of constant updates for the IT departments of the world.

There is only so much time to install patches and to make sure the servers and systems keep operating. So sometimes we have to make risk assessments:

Every department has to decide which systems to fix first. Make the decision with a risk–impact analysis, i.e. which system, if compromised, will create more problems than the others.

This constant crush of patching is exacerbated the more systems one has. When systems are not standardized, patching gets more complicated and vulnerabilities pile up.

So why do I say No Mas (no more)? Because there is no end to the tough schedules; there will always be off-hours patching and off-hours work, no matter what personal matters or other issues arise in a regular life.

Having someone check whether your systems are properly patched can help. The high vulnerabilities should be the highest priority; from there the medium vulnerabilities should be tackled. For PCI compliance one must work to resolve any vulnerability scored over 4.0.
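As an added example (not from this post), here is one way to turn the risk–impact rule and the PCI 4.0 threshold above into a repeatable patch ranking. The scan findings, host names and impact weights are constructed for the example, and the CVE ids are placeholders; the scoring formula is one reasonable choice, not a standard.

```python
"""Risk-impact patch prioritization (added example; findings below are constructed)."""
from dataclasses import dataclass

# PCI ASV scans fail on findings at CVSS 4.0 and above; the post says "over 4.0".
PCI_FAIL_THRESHOLD = 4.0

@dataclass
class Finding:
    host: str
    cve: str      # placeholder ids below, not real CVEs
    cvss: float   # CVSS base score reported by the scanner
    impact: int   # business impact of the host, 1 (low) .. 5 (revenue/cardholder critical)
    in_cde: bool  # host is inside the cardholder data environment (PCI scope)

def severity_band(cvss: float) -> str:
    """Map a CVSS score to the usual scanner severity bands."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"

def pci_must_fix(f: Finding) -> bool:
    """A PCI-scoped host with a finding at or above the threshold fails the ASV scan."""
    return f.in_cde and f.cvss >= PCI_FAIL_THRESHOLD

def priority_score(f: Finding) -> float:
    """Risk x impact, plus a fixed boost so PCI compliance blockers always sort first."""
    return f.cvss * f.impact + (50 if pci_must_fix(f) else 0)

def prioritize(findings: list) -> list:
    """Return findings in the order the patch window should tackle them."""
    return sorted(findings, key=lambda f: (priority_score(f), f.cvss), reverse=True)

# Constructed sample scan output for one patch cycle.
SAMPLE = [
    Finding("printer-corp-03", "CVE-XXXX-0005", 8.8, 1, False),
    Finding("hr-intranet-01", "CVE-XXXX-0004", 3.1, 4, True),
    Finding("web-cde-01", "CVE-XXXX-0001", 9.8, 5, True),
    Finding("kiosk-corp-07", "CVE-XXXX-0003", 7.5, 2, False),
    Finding("db-cde-01", "CVE-XXXX-0002", 5.3, 5, True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        flag = "PCI-FAIL" if pci_must_fix(f) else "        "
        print(f"{flag} {severity_band(f.cvss):8} {f.cvss:4} x{f.impact} {f.host} {f.cve}")
```

Note how the 8.8 on a low-impact printer lands last while the 5.3 on the cardholder database is second: severity alone would have scheduled them the other way round.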

Contact Us to discuss

Time For a Major Security Effort?

I.e. do we need to make a major research effort to solve all (or most) Cybersecurity problems?

Why?

Because mistakes keep happening:

And these are not small mistakes – they may shift our world underneath us… As California considers more legislation and breach reporting requirements, other states may also look into this issue. At Databreachtoday.com there is a story about how California is proposing new changes to data breach notification requirements.

The California law adds clarification about what counts as a breach: before, it was not obvious that government-issued identification, or any biometric data, was part of “personal information”.

The now defined “personal information” includes:

  • Social Security number;
  • Driver’s license number, California identification card number or other government-issued identification number;
  • Account number or credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account;
  • Medical information;
  • Health insurance information;
  • Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data;
  • Information or data collected through the use or operation of an automated license plate recognition system.

It is good to get clarification, which likely means most other states will follow and enact similar laws.

If you have a breach you are on the clock and will be judged by how fast you can deliver information to your customers or employees about the breach.

What is different in California is the privacy law AB375, which is referred to as “The California Consumer Privacy Act of 2018.” It establishes:

(1) The right of Californians to know what personal information is being collected about them.
(2) The right of Californians to know whether their personal information is sold or disclosed and to whom.
(3) The right of Californians to say no to the sale of personal information.
(4) The right of Californians to access their personal information.
(5) The right of Californians to equal service and price, even if they exercise their privacy rights.
There are going to be implications for all companies that store data from this law.

So are we now forced to spend a lot more money and to push for much higher Cybersecurity? Yes and no… Of course we will have to focus on Cyber-aware policies that pay closer attention to how we use data, but is it truly necessary to spend an inordinate amount of money on Cyber products and people?

I don’t believe so.

We have to learn how to do the basics efficiently.

It is the basics that are not done right… that is where we need to focus and constantly improve. Maybe a new tech is needed, but it will likely not cost an arm and a leg. It should be a risk–reward analysis that uncovers what is needed from the governance policy and standards.

That is what is needed – proper governance, and reviewing what is really needed. A ‘moonshot’ or silver bullet is not there for us; we don’t have to ask some super agency to create a Cybersecurity ‘Manhattan Project’ that will solve all our problems. The problems we have will always be there until we address them.

Let’s get after them now… Contact us to get started.

Is Compliance Enough for Your Company?

If you accept credit cards you need PCI compliance.

If you have health data then you need HIPAA compliance.

A financial company has many compliance requirements, depending on what types of financial instruments it sells. You may need other types of compliance as well.

Unfortunately PCI compliance does not require a backup of your critical data, so if you have critical data it is up to your judgement to set up processes to make sure that if it is corrupted it can be recovered.

This gap between data corruption and recovery is the single most likely reason for small businesses to fail six months after a major cybersecurity event.

In 2019 your company could be doing business as usual in January, then in February the right attack could cause problems for your company… if you are not ready for it, six months later you could be out of business.

Which is why we want to highlight it and make sure you understand how inattention can cause disaster.

We are here to go over your processes to make sure that this type of disaster does not happen. You can make it go away for a few dollars and attention. That is all it takes.

Contact Us to discuss – Three-One-Four-five -zero-four, three,nine, seven, four.  Leave me a message and I will get back to you.

TonyZ