Small Company Cybersecurity basics: PCI Compliance!

Yes, the small company cyber security basics are included in PCI (Payment Card Industry) compliance.

There are 12 steps to compliance:

  1. Firewall maintenance
  2. Change your default passwords (and create a password policy)
  3. Protect stored cardholder data (if you are not developing software or a website, this may not be necessary)
  4. Encrypt cardholder data, i.e. use devices that encrypt cardholder data (or develop this properly)
  5. Protect all systems against malware (using anti-virus software)
  6. Develop and maintain secure applications (only if you are developing software)
  7. Restrict access to cardholder data (if you are developing software, authenticate before giving access)
  8. Identify and authenticate access to system components
  9. Authenticate physical access (only qualified people should access credit card systems)
  10. Track and monitor all access to network resources and cardholder data (log systems)
  11. Regularly test security systems and procedures
  12. Maintain a policy that addresses information security for all personnel

But as you can tell, each business will have its own specifics to focus on, especially if it develops web software to accept credit cards. If you do not do credit card (CC) development, a lot of these items can be skipped, and if you take a few other steps (like segmenting your network) it is even easier. Just make sure all devices that run credit cards encrypt the CC numbers.
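Items 3, 4 and 10 above come together in one place most small shops overlook: their own logs, which quietly become stored cardholder data the moment a full card number is written into them. The following is an added example (not from this post, and not any PCI council or vendor code) showing, with only the Python standard library, how to render a PAN unreadable before it is stored: a Luhn check so random digit runs are left alone, display masking that keeps at most the first six and last four digits, and a keyed HMAC token that can stand in for the PAN as a lookup key. The log lines, the test card numbers and the key are constructed for the example.

```python
import hashlib
import hmac
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits (so a 20-digit order id is not split into a "card").
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum; real PANs pass it, so random digit runs are mostly left alone."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Display masking: keep at most the first 6 and last 4 digits, hide the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def tokenize_pan(pan, key):
    """Keyed one-way token (HMAC-SHA256) usable as a lookup key instead of the PAN.
    An unkeyed hash would be brute-forceable because the PAN space is small;
    the key must live outside the database that stores the tokens."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def redact_line(line):
    """Replace every Luhn-valid PAN in a log line with its masked form so that
    logging (item 10) never turns into storing cardholder data (item 3)."""
    def repl(match):
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(digits) if luhn_ok(digits) else match.group(0)
    return PAN_RE.sub(repl, line)


def redact_log(lines):
    return [redact_line(line) for line in lines]


# Constructed sample log lines; 4111111111111111 and 5555555555554444 are the
# well-known test card numbers, 1234567890123456 is a non-Luhn digit run.
SAMPLE_LOG = [
    "2019-11-11 10:15:02 POST /checkout card=4111111111111111 amount=19.99",
    "2019-11-11 10:15:03 POST /checkout card=5555 5555 5555 4444 amount=5.00",
    "2019-11-11 10:15:04 GET /order/1234567890123456 status=200",
]

if __name__ == "__main__":
    for line in redact_log(SAMPLE_LOG):
        print(line)
    # The key is a placeholder; in practice it comes from a KMS or HSM, never from the log host.
    print(tokenize_pan("4111 1111 1111 1111", key=b"PLACEHOLDER-KEY"))
```

Run it over a real log sample before wiring it into a log shipper: the regex is deliberately broad and the Luhn filter is what keeps timestamps and order numbers untouched, so check the false-positive rate on your own data.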

We have modified this set of headings into a security policy. The inventory of all items may not have its own heading, but it is part of one, and I believe it is important enough to get its own bubble in the infographic.

I.e. you can make a security policy out of all the headings here (the ones relevant to you).

Why should one become compliant? Because it is basic cybersecurity, so you will save yourself from potential future headaches (possible hacks and ransomware). Attackers are forever trying to steal your resources, and this is a good start (a minimum level of cybersecurity).

What is better than just PCI compliance? Using a framework which encompasses all company processes and data (not just credit card data).

Contact us to discuss

 

Uploaded my latest Fixvirus show video:
https://youtu.be/J6DiGw9ym68 (Why PCI compliance? 12 subheadings, quick, ~6 min)

How to defend against phishing attacks and more

 

What better way to discuss phishing than an infographic?

First: consider the From: field in an email.

In most emails it makes sense: an email that comes from Netflix should say abc@netflix.com, not tello.com.

The From: field is a very important clue as to whether this is a spam or phishing email or not.

Second: read the text twice, and note spelling and grammar mistakes. Does something not seem right? It is spam or a phishing email.

Third: Is there an attachment? That is always a problem, because one can check whether it contains malware (using virustotal.com), but that is time consuming and dangerous. So unless you absolutely know the person sending you the attachment, I would not click on it no matter what (unfamiliar email? do not click).

Fourth: Do not click on shady links, especially short links. You can unpack a short link with https://urlex.org/

Fifth: always have a backup available just in case things go wrong. Make sure to have a backup that is offline, i.e. not on the system.
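The first four checks above can be turned into a small triage script that a help desk or a mail filter can run before anyone clicks anything. This is an added example, not code from this post or from any of the services mentioned; it uses Python's standard `email` package to parse a message, compares the brand named in the From: display name against the sender's real domain, looks for a Reply-To that points somewhere else, flags attachments instead of opening them, and flags links that go through a URL shortener so they can be expanded first. The brand table, the shortener list, the spelling watch list and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Assumed brand -> legitimate sending domain table (illustrative; extend for your own vendors).
BRAND_DOMAINS = {"netflix": "netflix.com", "paypal": "paypal.com", "microsoft": "microsoft.com"}
# Assumed list of link shorteners; a short link hides its destination until expanded.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
# Tiny constructed watch list standing in for the "read it twice" spelling check.
SUSPECT_SPELLINGS = {"acount", "proces", "pleas", "verifiy", "recieve"}
URL_HOST_RE = re.compile(r"https?://([^/\s<>\"']+)", re.IGNORECASE)
WORD_RE = re.compile(r"[a-z']+")


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if there is none."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message):
    """Apply the From:, spelling, attachment and short-link checks; return a list of findings."""
    msg = message_from_string(raw_message, policy=default)
    findings = []

    # First: does the display name claim a brand whose domain the address does not match?
    display_name, _ = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(msg.get("From"))
    for brand, legit in BRAND_DOMAINS.items():
        if brand in display_name.lower() and not (from_domain == legit or from_domain.endswith("." + legit)):
            findings.append(f"From: claims '{brand}' but sender domain is '{from_domain}'")
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")

    # Second: the text itself; misspellings are a cheap tell.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    text = body_part.get_content() if body_part is not None else ""
    misspelled = sorted(set(WORD_RE.findall(text.lower())) & SUSPECT_SPELLINGS)
    if misspelled:
        findings.append("suspect spelling: " + ", ".join(misspelled))

    # Third: attachments are flagged, never opened here.
    for part in msg.iter_attachments():
        findings.append(f"attachment '{part.get_filename()}' ({part.get_content_type()})")

    # Fourth: shortened links; expand them with a URL expander before deciding anything.
    for host in URL_HOST_RE.findall(text):
        if host.lower() in SHORTENERS:
            findings.append(f"shortened link via '{host}'")
    return findings


# Constructed sample messages (not real mail); the short link is a placeholder, not a live URL.
SAMPLE_PHISH = """\
From: "Netflix Billing" <support@tello.com>
Reply-To: billing@example.net
Subject: Your acount is on hold
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

We could not proces your payment. Pleas update your card here:
https://bit.ly/PLACEHOLDER-NOT-A-REAL-LINK
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b1--
"""

SAMPLE_LEGIT = """\
From: "Netflix" <info@mailer.netflix.com>
Subject: New this week
Content-Type: text/plain; charset="us-ascii"

See what's new this week: https://www.netflix.com/browse
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, triage(raw) or ["no findings"])
```

None of these checks is proof on its own; the point is that a message collecting several of them at once is the one to pick up the phone about rather than click through.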

 

Contact Us to discuss

 

Password Managers are Impossible to Hack?

How paranoid should you be when you want to devise methods of defending passwords?

If someone accesses your computer (with malware or otherwise) and can read the RAM, it is possible to read the password manager's stream of data as it goes in or out.

So what is the best way to handle passwords?

Should you just have a written password list (offline), on pen and paper?

It seems to me that to get into the password manager you need a complex password.

I just set up the Dashlane password manager to see what the standard is, and they make you enter at least an 8 character password with upper case, lower case, and a number.

So the example in the xkcd comic above would not work: correcthorsebatterystaple is 25 characters and is easy to remember, but does not have a number or caps. It would be very hard to guess this passphrase with brute force password guessing programs. But Dashlane has the old method of creating a password (complex but shorter). The reason these passwords do not work is that over time one forgets the complex passwords; resetting the password periodically may be good if you want to do it (like 2x per year), but if you forget it 6x per year then this system is no good.
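To put numbers on the comparison above, here is an added example (not from this post, and not Dashlane's code) that checks a password against the complexity rule described above, against an assumed length-only alternative, and then estimates the guessing work for both: the exhaustive search space an attacker faces when they know nothing about how the password was built, and the much smaller space when they know it is a chain of common words (the xkcd comic's own 4 words of 2048 = 44 bits model). "Pa55word" is a constructed example of a short password that satisfies the class rules; the word-list size is the comic's assumption, not this post's.

```python
import math
import string


def meets_complexity_policy(pw, min_len=8):
    """The policy the post describes Dashlane enforcing: at least 8 characters
    with an upper case letter, a lower case letter and a number."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw))


def meets_length_policy(pw, min_len=16):
    """Assumed alternative (not from the post): accept any sufficiently long passphrase
    regardless of character classes, so memorable phrases are not rejected."""
    return len(pw) >= min_len


def alphabet_size(pw):
    """Size of the character set a brute-force guesser must cover for this password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return size


def brute_force_bits(pw):
    """log2 of the exhaustive search space (alphabet ** length); the defender's best case."""
    return len(pw) * math.log2(alphabet_size(pw))


def passphrase_bits(word_count, dictionary_size=2048):
    """The defender's worst case for a word passphrase: the attacker knows it is made of
    common words and guesses word by word (4 words from 2048 gives the comic's 44 bits)."""
    return word_count * math.log2(dictionary_size)


def compare(candidates):
    """Return {password: (passes complexity policy, passes length policy, brute-force bits)}."""
    return {pw: (meets_complexity_policy(pw), meets_length_policy(pw), round(brute_force_bits(pw), 1))
            for pw in candidates}


if __name__ == "__main__":
    for pw, (complex_ok, length_ok, bits) in compare(["correcthorsebatterystaple", "Pa55word"]).items():
        print(f"{pw:28s} complexity={complex_ok!s:5s} length={length_ok!s:5s} brute-force bits={bits}")
    print("4-word passphrase when the attacker knows the word list:", passphrase_bits(4), "bits")
```

The passphrase fails the complexity rule yet sits at roughly 117 bits against blind brute force and still 44 bits against an attacker who knows the trick, while the 8 character "complex" password is under 48 bits even in the defender's best case; the rule is measuring the wrong thing.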

This is why everyone has to figure out their own password management system.

In my estimable opinion, it is wise to have an entry in both systems (offline and online). Keep the offline one with a date next to it so you can decide when to change it.

The problem with password managers is that you are using less of your memory. The more of your memory you use, the longer you will keep it. Of course one has to be capable of learning new things and remembering a number of passwords without writing them down.

So make it relatively easy to use for some passwords, like certain sites (games or other items that are not monetized). Then for bank sites and other financial websites, one could keep those offline.

When I set up Dashlane it imported 500 passwords into the software from the browser storage. I looked through the list, and many of those sites are defunct or I no longer use them. So realistically a good 100-200 sites are now in Dashlane, plus a bunch of useless passwords that are no longer being used.

So which is my most important password? The one that can unlock all of them? Or my email? Using my email and phone a thief can re-create my digital world, unless there is no digital setup. My phone boot password is not in Dashlane, since one has to be booted in to use Dashlane. So there are a few passwords that can't or should not be in Dashlane.

Keep your offline passwords in a spot that says passwords in big letters (just kidding). Obviously do not make it easy to see what it is.

I am sure Dashlane or any of the other password management software is good and will not succumb to consistent hacker attacks (hmm, maybe, maybe not). Should we take that risk? It depends on your net worth and what you are defending. How paranoid are you really?

If you want to discuss this with someone else, let me know.

Contact Us  to review your situation

 

 

“Cybersecurity News” and what to do with it

So what has happened that I want to make another post about “Cybersecurity News”?

  1. Microsoft states they will implement the new CCPA (California Consumer Privacy Act) across the nation by January 1, 2020 (November 11) https://blogs.microsoft.com/on-the-issues/2019/11/11/microsoft-california-privacy-rights/
  2. 68,000 patients of Methodist Hospital impacted by phishing attack (HIPAA Journal, October 17) https://www.hipaajournal.com/68000-patients-of-methodist-hospitals-impacted-by-phishing-attack/
  3. Domain registrar Network Solutions discloses breach; although no credit card information was accessed, account information was taken from their data (October 30) https://www.bleepingcomputer.com/news/security/worlds-first-domain-registrar-network-solutions-discloses-breach/
  4. DoorDash confirmed a data breach at a third party vendor exposing 4.9 million customers, workers or merchants (September 26) https://techcrunch.com/2019/09/26/doordash-data-breach/
  5. Zynga, a mobile game maker, was breached; it was claimed that a hacker accessed 218 million user records (September 30, 2019)
  6. Facebook users' phone numbers from a database were found online (September 4) https://techcrunch.com/2019/09/04/facebook-phone-numbers-exposed/

What does it mean to the regular Internet user, when large breaches happen?

First of all, if you are affected then you will be notified (or should be) within a certain amount of time (it depends on the state; it could be a few weeks). What if one is not directly affected? I.e. one was not a user of the breached services, yet one is still affected, because the general nature of the criminals is that they try to sell the data to other attackers. Here is where even a remote or infrequent user of the service may have data in the criminal database. And there is another effect: the Darknet now has all of these breach databases. So the criminal empire has just enriched itself with some more data points to send out yet more spam and phishing attempts.

So my contention is when breaches occur the criminal empire grows and our life gets harder. We have to continually evolve to keep up defenses with the new attacks generated by the criminal hacker.

What does it really mean when 218 million accounts are accessed by hackers?

Or 4.9 million customers/workers/merchants?

68,000 patients' data was accessed by a hacker!

And to top it all off Microsoft wants to help us implement CCPA across the nation.

Contact me to discuss

IoT, IT and OT Merging and Needs Integrated Defense

First of all what is the alphabet soup: IoT, IT and OT?

Internet of Things, Information Technology and Operational Technology are explained best in the SANS white paper: https://ics.sans.org/media/IT-OT-Convergence-NexDefense-Whitepaper.pdf

Operational Technology (OT) consists of hardware and software systems that monitor and control physical equipment and processes, often found in industries that manage critical infrastructure, such as water, oil & gas, energy, and utilities, but also in automated manufacturing, pharmaceutical processing, and defense networks.  It even forms the foundation of building control systems, air and road traffic controls, shipping systems and, increasingly, management of distributed data storage and processing networks, i.e., cloud services.

In other words, this OT is going to be the backbone for all IoT devices (anything that will eventually be on the Internet), like refrigerators and the Alexa, Google and Apple devices that are voice responsive. It seems to me that the utility companies will develop asset management and IT management software, so that the rest of us can also buy a type of software that can manage all our IoT/IT/OT stuff.

Here is another document from ABB (a manufacturer of PLCs): https://search.abb.com/library/Download.aspx?DocumentID=9AKK106713A9904&LanguageCode=en&Action=Launch

You can see that integrations on the factory floor are important, even if not 'very' important. There is also a kind of urgency to this endeavor, since the future build out of IT/OT/IoT is only going to be bigger and more integrated.

Next, note the 2014 IT/OT convergence survey from Siemens: http://etsinsights.com/infographics/infographic-2014-utility-itot-convergence-survey/

As you can see, lots of data is being collected, but cost is the reason companies are still waiting to implement more automation and integration.

This was an interesting note: "By 2019, 35% of Large Global Manufacturers with Smart Manufacturing Initiatives Will Integrate IT and OT Systems to Achieve Advantages in Efficiency and Response Time (IDC)"

The image is from iebmedia.com document: https://iebmedia.com/index.php?id=11673&parentid=63&themeid=255&hft=95&showdetail=true&bb=1

You can see from the above images the need for IT and OT to become one, as it would be beneficial for control. But it is interesting to note that in all of these images, where is the cybersecurity angle?

Searching for ICS (Industrial Control Systems) cybersecurity comes up with the following:

From the Automation World webpage: https://www.automationworld.com/article/technologies/security/making-sense-ics-cybersecurity-market

The IT and OT commonalities are endpoint protection, perimeter firewalls, and network segmentation (VLANs). I have also seen IDS/IPS used in OT. It seems to me most of the IT items could be used in OT, so the only item that is not useful or well known to IT is the one-way data diode, which only means that data will flow one way and not the other (in the case of a critical asset). From Microarx.com:

https://www.microarx.com/data-diodes

 

The differences between IT and OT devices with regard to cybersecurity are not significant, so the only stumbling block for convergence is resources and will. It seems that after some more data breaches this convergence will speed up. It is true that ICS factory devices are sometimes legacy devices with little chance of upgrade, so the vulnerabilities are inherent to the device. This is the difference between OT and IT: OT has to have a way of defending these legacy mission-critical devices, whereas most IT environments can upgrade and patch, thus making the environment less vulnerable. Legacy devices get replaced in IT, not on the factory floor. So auditing the different environments requires more expertise and preparation than an IT network where one can see all devices.
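The two OT-specific ideas in this post, the one-way flow of the data diode and a compensating control around a legacy device that cannot be patched, can both be written down as a segmentation policy and audited against flow records. The following is an added example (not from this post, the SANS paper or the Microarx page) that models three zones (IT, a DMZ holding the historian, and OT), denies every connection initiated toward OT from outside it (the firewall-level approximation of a diode; a real diode enforces this physically), allows OT to push process data only to the historian, and restricts Modbus to the PLCs to a single engineering station. The addressing, port numbers other than Modbus 502, the engineering station address and the flow log format are all assumptions constructed for the example.

```python
import ipaddress
import re

# Constructed zone addressing (assumed for the example).
ZONES = {
    "IT":  ipaddress.ip_network("10.10.0.0/16"),   # office network
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),   # historian / reporting servers between IT and OT
    "OT":  ipaddress.ip_network("10.30.0.0/16"),   # PLCs, HMIs, engineering station
}
ENGINEERING_STATION = ipaddress.ip_address("10.30.0.10")  # assumed: the only host allowed to program PLCs
HISTORIAN_PORT = 4000   # assumed port the historian collects process data on
REPORT_PORT = 8443      # assumed port the DMZ uses to publish reports into IT
MODBUS_PORT = 502       # standard Modbus/TCP port, unauthenticated on legacy PLCs

FLOW_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)")


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def evaluate(src, dst, dport):
    """First matching rule wins; anything not listed is denied."""
    sz, dz = zone_of(src), zone_of(dst)
    if "UNKNOWN" in (sz, dz):
        return "deny", "unzoned address"
    # Data diode principle: nothing outside OT ever initiates a connection toward OT.
    if dz == "OT" and sz != "OT":
        return "deny", f"{sz}->OT blocked; process data leaves OT one way, toward the DMZ"
    # Compensating control for unpatchable PLCs: only the engineering station may speak Modbus.
    if sz == dz == "OT" and dport == MODBUS_PORT:
        if ipaddress.ip_address(src) == ENGINEERING_STATION:
            return "allow", "engineering station to PLC"
        return "deny", "legacy PLC: Modbus only from the engineering station"
    if sz == dz:
        return "allow", f"intra-{sz}"
    if (sz, dz) == ("OT", "DMZ"):
        return ("allow", "process data to historian") if dport == HISTORIAN_PORT else ("deny", "OT may only feed the historian")
    if (sz, dz) == ("DMZ", "IT"):
        return ("allow", "reports to IT") if dport == REPORT_PORT else ("deny", "DMZ->IT limited to reporting")
    if (sz, dz) == ("IT", "DMZ"):
        return ("allow", "IT dashboards") if dport == 443 else ("deny", "IT->DMZ limited to HTTPS")
    return "deny", f"{sz}->{dz} not permitted (OT reaches IT only through the DMZ)"


def audit(flow_lines):
    """Run each flow record through the policy; returns (line, verdict, reason) tuples."""
    results = []
    for line in flow_lines:
        m = FLOW_RE.search(line)
        if not m:
            results.append((line, "deny", "unparseable record"))
            continue
        verdict, reason = evaluate(m.group(1), m.group(2), int(m.group(3)))
        results.append((line, verdict, reason))
    return results


# Constructed flow records in an assumed "src= dst= dport=" format.
SAMPLE_FLOWS = [
    "src=10.30.0.10 dst=10.30.5.1 dport=502",    # engineering station programs a PLC
    "src=10.30.7.20 dst=10.30.5.1 dport=502",    # some other OT host talks Modbus to the PLC
    "src=10.30.5.1 dst=10.20.0.5 dport=4000",    # PLC/HMI sends process data to the historian
    "src=10.10.1.25 dst=10.30.5.1 dport=502",    # office workstation tries to reach the PLC
    "src=10.20.0.5 dst=10.10.1.25 dport=8443",   # historian publishes a report into IT
    "src=10.30.5.1 dst=10.10.1.25 dport=445",    # OT host tries to reach IT directly
]

if __name__ == "__main__":
    for line, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:5s} {line:44s} {reason}")
```

Running observed flows through a policy like this is a cheap way to find the "temporary" IT-to-PLC paths that accumulate on a factory floor; every deny for a flow that is actually happening today is an audit finding to go and explain.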

Contact Us to review your environment.