Why is Cybersecurity so Difficult to Understand?

Not everyone understands all of  the complex pieces and the economic ramifications of them.

What makes this  decision so difficult to require an owner to spend at least 3-4 hours a week on a topic which will not make any money, but will just help you keep running your business.  In fact this “expenditure” of resources (time) makes it increasingly unlikely you will be ready for a possible extinction level event.

The problem is a matter of perception – the owner that is running their business has many hats, performs many different functions.  The ultimate goal of a business is to sustain itself and grow, make a profit, perform a specific function in the marketplace. The goal of the business does not usually include a strategy to protect the business in case of disaster.  That is something that should be done but it is not in the goals of the business.

So to perform the function well and ensure that it is done it will require a concerted effort.  Otherwise as the informationweek.com article mentions: “SIM study points to Lax Focus on cybersecurity”

Cybersecurity has become more important, but the ‘paying attention’ department is a difficult one.

To some degree it is a level of understanding – should we meander our way to making things ‘right’? Or should we push and cajole the business owners to do the right thing?

How else to explain this?  It is a matter when some systems need to be upgraded  instead of just the software patch. (Some patches require a lot of changes).  But when one gets a new computer it is sometimes a wrenching change – so this decision is sometimes delayed.  This is why a Security Policy is so important by codifying the thoughts and actions of many decisions made and to be done.

The other aspect of Cybersecurity that may be challenging is the ever changing nature of it. Due to constant patch management and End of Life decisions by software and hardware companies nothing in the environment stays the same for very long.

The following image is a small snapshot of what happening in the IT world on a monthly basis.

  1. Patch Tuesday – (Microsoft releases it’s slew of patches on 2nd Tuesday of month.
  2. This month Windows7 End of Life, but all devices have an end of life.
  3. Chinese hacking groups are being uncovered again -(which means there are others)
  4. Vulnerability management  is not easy.

While your business may have marketing and cost challenges due to changes in the world, the IT world is in constant flux of new vulnerabilities, older systems, and many other issues like new adversaries.  So to make sure you do not have a disaster in your hands and control this cybersecurity beast it requires 3-4 hours per week in my opinion.  Contact Us to discuss

Psychology of Security Part 2 or “let’s try this again”

The Psychology of Security is a unique phenomenon:

Psychology of Security

Or a screenshost:

So how to explain the Psychology of Security in a new and simpler? way…

Let’s say we have a small business – we do not have a large payroll (a few employees), so the sales are also less than a million$, let’s put sales at half a million dollars. The margins of the business is not that large – so it takes all the efforts and energy of the owner and employees to keep things operational with all of the changes in the world.

So this means there really is not enough time or resources for new initiatives as the owner would like.

So now we have set the stage.

What about Cybersecurity? Well, the owner expects the IT department to take care of that (usually it is an employee that is good with technology- or a 3rd party consultant).

So should you pay more attention to Cybersecurity or leave the arrangement as is?

To pay more attention to Cybersecurity there has to be a reason. When the choice is looked at one has to spend more time and money on Cybersecurity to essentially not lose data and resources.

This choice is not easy to analyze for the business owner. Unless one has a natural disposition to security. The choice of spending money to lose less money is a choice 30% of people do not make.

The problem is that the criminals know this, and have developed ransomware for a few thousand dollars (programmers are cheap in east europe). It only takes 5 ransomware successes in a scatter shot of millions to get money back. One does not need a business degree to see that out of a million email campaign that costs $50-$100 where one receives $300-$500 for every successful attack.

We are going to receive more possible attack angles, not less.

The real choice is not losing a little bit of money, but losing your business.  IF one does not have the IT setup just right and ransomware is successful how will you recover when you lose all your data?

It is too difficult of a burden to overcome – thus many businesses give up and reincarnate as something else or forget about it altogether.

 

What do you think of this new attempt at explanation? Contact us to let us know.

October is Cybersecurity Awareness Month

In a year of many problems and issues the Department of Homeland Security decided to make October the National Cyber Security Awareness Month (NCSAM) since 2003.

https://www.dhs.gov/national-cyber-security-awareness-month

 

The Theme is Own IT. Secure IT. Protect IT.

Own IT is reminding you to travel with cybersecurity in mind (at least some of the time), Social media usage and online privacy should be connected and though about how to use social media. the Internet of things devices should be sought out and updated or reviewed to make sure they are secure.

Secure IT is typical, a focus on Strong Passwords, but we could talk about just changing default passwords would be good too.  The famous xkcd image is interesting:

passwords leads to MFA or Multi-Factor-Authentication.

MFA is required or suggested for in NIST 800-171.

Phishing we discussed in a recent blogpost: https://oversitesentry.com/top-cybersecurity-problem-for-small-business/

Securing your ecommerce may be simple or common sense…  But has to be guided by OWASP as I discussed in https://oversitesentry.com/owasp-has-new-testing-guidelines-document/

 

The Secure IT portion is a combination of things:

  • Patch your software
  • Be aware of how you share personal information of employees or customers PII (Personally Identifiable Information)

Keep in mind a simple strategy to  protect yourself and your company ZeroTrust

ZeroTrust  means do not implicitly  trust. First verify trustworthiness before doing business and granting access.

Zero Trust is used in many manufacturer network architectures, such as Cisco:

https://www.cisco.com/c/en/us/products/security/zero-trust.html

or Palo Alto:

https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture

“In Zero Trust, you identify a “protect surface.” The protect surface is made up of the network’s most critical and valuable data, assets, applications and services – DAAS, for short. Protect surfaces are unique to each organization. Because it contains only what’s most critical to an organization’s operations, the protect surface is orders of magnitude smaller than the attack surface, and it is always knowable.”

 

This is a good strategy for 2019 Cybersecurity awareness… Do not assume a social media connection until verified. Email link, email attachment, phone call and many other possible attacks to your business.  Unfortunately this means sometimes mistaking or requiring a possible customer to prove who they are, but with some thought this can be done tactfully so that a potential customer can see why this is being done.

 

Contact Us to go into detail for some more awareness for you and your business.

What I got out of BlackHat and DEFCON

First I must say I did not go to Las Vegas, all I did is hunt the Internet for pieces of information and did not copy completely,  but edited to make it easier to understand when reading only (versus giving presentation within the hall):

“Controlled Chaos” the Inevitable Marriage of DevOps & Security   (Kelly Shortridge and Nicole Forsgren)  is an interesting and thought provoking presentation.

This presentation is listed at this page: https://www.blackhat.com/us-19/briefings/schedule/

Here is the relevant information in the presentation:

What are the principles of chaotic security engineering?

  1. Expect that security controls will fail & prepare accordingly
  2. Don’t try to avoid incidents – hone your ability to respond to them
  3. What are the benefits of the chaos/ resilience approach?

Time to D.I.E. instead of the C.I.A. triad, which is commonly used as a model to balance infosec priorities.

CIA first – Confidentiality – Integrity -Availability

Confidentiality: Withhold info from people unauthorized to view it.

Integrity: Data is a trustworthy representation of the original info.

Availability: Organization’s services are available to end users

But these are security values, not qualities that create security. Thus we need a model promoting qualities that make systems more secure.

D.I.E. model: Distributed, Immutable, Ephemeral

Distributed: Multiple systems supporting the same overarching goal.  This model reduces DOS attacks by design.

Immutable: Infrastructure that doesn’t change after it’s deployed and servers are now disposable “cattle” rather than cherished “pets”. The infrastructure is more secure by design – ban shell access entirely and although lack of control is scary, unlimited lives are better than nightmare mode.

Ephemeral: Infrastructure with a very short lifespan(dies after task). Where ephemerality creates uncertainty for attackers (persistence=nightmare). I.e. installing a rootkit on a resource that dies in minutes is a wasted effort.

Optimize for D.I.E. reduce your risk by design and support resilience

So what metrics are important in resilient security engineering?

TTR is equally as important for infosec as it is for DevOps.

Time Between Failure(TBF) will lead your infosec program astray.

Extended downtime is bad (makes users sad) not more frequent but trivial blips.

Prioritizing failure inhibits innovation

Instead, harness failure as a tool to help you prepare for the inevitable

TTR>TTD – who cares if you detect quickly if you don’t fix it?

Determine the attacker’s least-cost path (hint: does not involve 0day)

Architecting Chaos

 

Begin with ‘dumb’ testing before moving to ‘fancy’ testing

  • Controlling Chaos: Availability
  • Existing tools should cover availability
  • turning security events into availability events appeals to DevOps
    • Tools: chaos Monkey, Azure fault analysis, Chaos-Lambda, Kube-monkey, PowerfulSeal, Podreaper, Pumba, Blockade

 

  • Controlling Chaos: Confidentiality
  • microservices use multiple layers of auth that preserve confidentiality
  • A service mesh is like an on-demand VPN at the application level
  • Attackers are forced to escalate privileges to access the iptables layer
  • Test by injecting failure into your service mesh to test authentication controls

 

  • Controlling Chaos: Integrity
  • Test by swapping out certs in your ZTNs all transactions should fail
  • Test modified encrypted data and see if your FIM alerts on it.

 

  • Controlling Chaos: Distributed
  • Distributed overlaps with availability in context of infrastructure
  • Multi-region services present a fun opportunity to mess with attackers
  • Shuffle IP blocks regularly to change attackers’ lateral movement

 

  • Controlling Chaos: Immutable
  • Immutable infrastructure is like a phoenix – it disappears and comes back
  • Volatile environments with continually moving parts raise the cost of attack
  • Create rules like: “If there is a write to disk, crash the node”
  • Attackers must stay in-memory, which hopefully makes them cry
  • Metasploit Meterpreter and webshell: Touch passwords.txt & gone
  • Mark Garbage files as “unreadable” to craft enticing bait for attackers
  • Possible goals: Architect immutability turtles all the way down

 

  • Controlling Chaos: Ephemeral
  • Infosec bugs are stated-related so get rid of state, get rid of bugs
  • Reverse uptime: longer host uptime adds greater security risk
  • Test: change API tokens and test if services still accept old tokens
  • Test: inject hashes of old pieces of data to ensure no data persistence
  • Use “arcade tokens” instead of using direct references to data
  • Leverage lessons from toll fraud – cloud billing becomes security signal
  • Test: exfil TBs or run a cryptominer to inform billing spike detection

How should infosec and DevOps come together and develop all of these concepts?

Has to be done as a cultural “marriage” cultivate buy-in for resilience and chaos engineering.

This is a marathon not a sprint and changing culture : change what people do , not what they think.

———————————————

There are a lot more suggestions, but the main themes that I took out of this presentation slides is that you can make your defense more resilient and tougher by making it a little bit chaotic.  I.e. Immutable and ephemeral are some good concepts to think about and use in your infrastructure. Every environment is different and will require co-ordination and rethinking of how things work, but it is good to work some of the concepts into your environment.

Here is a great piece of thinking: Don’t keep your systems up as long as possible, as it is also a security risk (besides patching and other issues).

Using  short lifespan hardware with frequent rebooting (relatively – like every day for example) makes the attacker’s life much more difficult. Of course patching requires some rebooting, but monthly or quarterly reboots are not frequent enough.

Also here are some links from DEFCON

First the Media presentation  webpages: https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20presentations/

(I always include the full link instead of Media.defcon.org link so one can see where it will go)

First I look at the Speaker’s bio and quick overview of the presentation given at this link: https://www.defcon.org/html/defcon-27/dc-27-speakers.html

Then I download the information freely available on the Internet.  I will have more posts on the presentations at DEFCON and Blackhat.

 

 

Why Are Hackers Successful?

The Number 1 reason is: “We do not do an adequate job of patching and paying attention to security!”

Again and again we can find reports and stories of entities not doing basic tasks:

Above image is from Protiviti report

 

Why are the basics not being done?

Because a concerted effort to manage IT tasks month after month is not easy, and in fact it is a difficult challenge.  What is difficult about regular every day life in patching hundreds of systems on a monthly basis at minimum?

Well, let’s list a few problems that arise:

  1. Personnel challenges – sickness, vacation, doctor visits, kids, parents, brothers, sisters, and spouse conflicts.
  2. So many things can go wrong with the actual device itself even when used correctly…  Or if this is a laptop, then it has to be plugged into the network with VPN or directly on the network for it to download and get updated.
  3. Above 2 are the normal challenges, how about abnormal challenges? What about somebody installing a new software that conflicts with the patch? Now the patch does not install correctly and the system is vulnerable to attack.

 

So knowing some of these items means management has to schedule and account for potential problems which means it costs more resources sometimes than anticipated.   This may be a problem, and then management  pushes back onto IT to say no more OT this month!

In basic terms – stuff happens and then patches are not applied. If this management process is more broken than fixed there will be plenty of chances for hackers to attack.

It depends on the maturity of management thoughts and actions. Is management more willing to make sure the patches are applied or are they willing to let patches slide for a little while?

The answer is to create processes to fulfill compliance mandates and do not deviate from this method.

I.e. quarterly meetings at minimum with required review and testing of all systems that are important and potential other systems.

Contact Us to discuss this with you

Punch line? Hackers are successful due to the failure of management actions and thoughts in regards to cybersecurity.