Tuesday, November 8, 2016

10 Things Security Experts Wish End Users Knew

Introduction
Security is an essential business operation more than ever before. However, without end users improving their knowledge base and behaviors, the technology that an organization deploys is insufficient. In this white paper, I would like to discuss ten things that security experts wish end users knew. The more users understand about risk and consequence, the more likely they will adjust their behavior and assist with supporting security. These concepts are concerns that security experts want you to know. We all know that users are the weakest link. Please review and provide your thoughts in the comments.

Software Updates Should Be Installed Promptly
Security experts want you to know that software updates should be installed promptly, but not blindly. Just because a vendor has released an update does not mean it should be taken as a sign to install the update instantaneously. The new code you would be adding to your system could be flawed or could cause unexpected results in your system that the vendor did not predict. Thus, under no circumstances should you install new updates before testing them and learning from others.

Always test new updates on dedicated test systems. Then, work through all major work tasks to ensure that the changes to the lab systems do not interfere. Next, review any comments, reviews, or feedback available about the update from others. You are unlikely the first person to consider installing a new update. Thus, learning from the experiences of others can save you from downtime and repair headaches. Once you are satisfied that an update is reasonably safe and appropriate to install, take one more precaution: back up your target systems. With a system backup, if the worst happens and the update process fails, the update corrupts your system, or new unforeseen consequences arise, you have a path to restore your environment back to a functional state.

To be even clearer, software updates should be installed promptly, but without skipping testing. In most cases, running the most current and complete set of code available will give you the most secure form of the product. When updates are delayed or skipped, known flaws remain in your environment, where they can be discovered and exploited by attackers.

Account Authentication Strength
A regular occurrence in technology news is a story about yet another person’s account being hacked through the use of a password compromise attack. What is so frustrating about many of these stories is when the victim’s password is revealed to be something short, simple, and easy to remember. What security experts want you to know is that a password can be made securer with just a few basic steps:

1. Make your password longer. Twelve characters is a reasonably secure length, assuming you follow other good password practices.

2. Use complexity. Use three or four character types: uppercase, lowercase, numbers, and when possible, symbols.

3. Do not reuse the same or a variation of a password. Ever. Not on the same site and not on different sites.

You can further improve your online password security through the use of a credential manager, such as LastPass, KeePass, or Dashlane. These will enable you to generate random passwords with the maximum length allowed on each and every site, while securely storing those passwords for you.

It is also important to use the two-step or two-factor authentication offerings from an online site. A growing number of websites now support multi-step authentication. You should enable this feature. While it initially will be cumbersome, once you become familiar with the process, it will make your online account significantly securer. Once you have secured your online accounts to stronger passwords and/or multi-factor authentication (where available), you can rest easier knowing that the media haranguing about another account compromise will be even less likely to actually affect you.

All Software Has Flaws
In the highly competitive marketplace of computer software and related technologies, you often hear marketing and advertising messages claiming their product is secure or at least securer than some other product. Often these product slingers want you to believe that, just by installing their solution, all your security worries will disappear. What security experts want you to know is that there are no perfectly secure systems and all software has flaws.

Software is written by humans (at least for the most part). Humans are imperfect and they regularly make mistakes. When those humans are writing software code, they are inevitably going to make mistakes as they type the code. Some of those mistakes will be typos, others will be logical flaws, while still others will be errors of omission or oversight (such as planning only for expected events and failing to prevent unwanted ones). As a software product grows larger and as more programmers are involved in its development, it becomes almost guaranteed that errors will make their way into the final version.

A modern server operating system can include over one hundred million lines of code written by hundreds of programmers. While testing, auditing, and reviewing are often performed, it is just not feasible to track down and correct every single issue. For a software product to be perfectly secure, all errors and logic flaws need to be discovered and removed. For a software product to be vulnerable, only a single error or oversight needs to be left in the code. Attackers only need a single vulnerability to exploit a system. At some point, the process of debugging code becomes too expensive. Once a vendor decides they have reached the point of exhausting the cost-effectiveness of their debugging process, they hope that they have discovered and resolved the easy-to-exploit issues and left behind only those that are difficult to detect and exploit. However, we, as the software-using public, know this process is not perfect as we are constantly installing updates and still experiencing breaches.

An important takeaway from this issue that all software has flaws is to use a multi-layered defense strategy. Rather than using a single product or even multiple products from the same vendor, we should use multiple products from multiple vendors to have overlapping security protections. This defense-in-depth approach will minimize the chance that a single flaw in a single product will result in the compromise of the entire organization. Instead, the attackers will need to find a complex gauntlet of flaws, which in turn makes it more likely their attack efforts will be detected and thwarted long before they are ultimately successful.

Every Internet Interaction Should Be Encrypted
In a world where you now know that the NSA and other international government entities are actively monitoring Internet activity, and where criminal organizations are lurking to find new victims, the fact that we perform most of our online activity in plain view is absurd. Security experts want you to know that you need every Internet interaction to be encrypted. The only way to combat Internet eavesdropping is to encrypt your packets.

Having every communication over the Internet be encrypted is not automatic or guaranteed. But with a few simple steps, you can encrypt a majority of your online communications. First, start using Chrome, Firefox, or Opera as your Web browser with the Electronic Frontier Foundation’s (EFF) HTTPS Everywhere plugin (https://www.eff.org/Https-Everywhere). This browser extension converts every URL you click or type from a plain-text HTTP link into one requesting the TLS-secured HTTPS version. Only if the server is unable to offer an HTTPS response will you fall back to standard plain-text HTTP.

Second, for every other service you use, such as email, file transfer, or even newsgroups (USENET), use the TLS encrypted connection option provided by the server. This usually requires that you have a software client on your system rather than using the web interface for these other forms of online communication. When a service offers secured connection options, they typically include a how-to guide that helps you through the configuration process.

Third, use a VPN. There are a wide range of free and paid VPN services online these days. Find one you like and use it, especially when using wireless connections outside of your own home or office. That includes Wi-Fi networks as well as mobile network operator networks. Set up the VPN to operate on your home systems, your notebook/laptop, tablet, and smart phone. Use it always.

The Cloud Is Not a Security Silver Bullet
Cloud services are the new technology addiction for companies small to large. Almost every major product vendor is offering cloud services or cloud extensions or cloud access or cloud enhancements. Security experts want you to know that the cloud is not a security silver bullet. Having another organization perform a service for you or offer a product to you that you could do yourself internally might be a good idea. Other organizations may be better at offering technical support, running websites, or performing accounting. Leveraging the skills and expertise of others is an important part of the business world today. It can be cost-effective and efficient. But it is not necessarily securer.

It is important to keep in mind the truth behind the marketing phrase "the cloud" or "cloud services." There is no cloud. There is no floating collection of magical Internet architecture hanging majestically in the stratosphere just waiting to offer you newfangled capabilities and throughput. Instead, the cloud is just remote virtualization. In other words, the cloud is a collection of computer systems located in some warehouse which run virtualization solutions in order to host numerous operating systems and relevant software products. The resources and capabilities these warehoused computers support are then sold off to customers in a remote-access / remote-use concept under the label of "cloud services."

Thus, being a cloud solution does not automatically make it a securer option than what you could have created inside your own building. You are dependent upon the cloud vendors’ security design, expertise, and experience. If they did a poor job of implementing logical and physical security, then that can directly and negatively affect your data and communications hosted on their systems. Always thoroughly investigate a cloud provider’s track record and security policy before placing the core of your organization at risk.  

A Hacker Is Not a Criminal, Criminals Are Criminals
It has become a standard and regularly occurring news story to discuss attacks and security breaches of both individuals and organizations that are attributed to hackers. Security experts want you to know that a hacker is not a criminal—criminals are criminals.

A hacker is anyone who invests time and effort into thoroughly understanding a system, solution, or device. A hacker often disassembles and reassembles, making adjustments and modifications to learn how the system reacts to those changes. A hacker can be thought of as an enthusiast. A hacker might focus on learning and understanding, improving and adjusting, or finding flaws and holes that need addressing.

The problem is when someone uses the term hacker to always mean a criminal or malicious hacker. Without proper context and explanation, the term hacker can cause confusion as well as place blame on those who are innocent. With the terms criminal and attacker, it is direct and obvious that the individual being referred to is violating a company policy and/or a law. But with hacker, that is not necessarily obvious. If people who consider themselves hackers violate policies and the law, then they have become criminals. However, if they stay within the confines of company policy and legal restrictions, then they are still just hackers. It is good practice to use a distinct qualifier when intending to use the term hacker for the purpose of referring to a criminal, for example an unauthorized hacker, unethical hacker, malicious hacker, or criminal hacker.

Ultimately, hackers—especially the ethical ones, not just the criminal ones—help make technology securer. Just because hackers know how to bypass security or break a system does not mean they intend to do so nor that they have the intention of causing harm. Many security researchers are effectively hackers. Most product vendors have code reviewers, auditors, and internal testers, all of which are a form of hackers. By discovering and understanding the flaws and mistakes in technology, those concerns can be patched or otherwise addressed. Hackers have the ability to think in odd and unexpected ways: they don’t have to follow the logic of the computer program; they can make unexpected assumptions or take unpredictable actions. This freedom to examine technology without being forced to abide by its rules helps hackers understand and ultimately improve that technology.

New Is Not Necessarily Secure
New software solutions and hardware products are announced at an ever more fervent pace than before. Many tout their improved reliability, efficiency, and security. But before you spend your money or place your trust in some cutting-edge technology, security experts want you to know that new is not necessarily secure.

The primary issue or concern with new products is that they have not had sufficient testing performed against them. Products that have been in the marketplace for years have had more time to be improved and matured. The new product may have modern features and faster performance, but until the world community has had the opportunity to use, abuse, and hack it, the measure of its security has yet to be taken.

Another aspect of the "new is not necessarily secure" thinking is that many new products may come pre-infected with malware or have known security holes. For example, in early 2015 it was revealed that a wide range of Lenovo laptop models were "pre-installed" with Superfish (a vulnerable adware product). It is not the case that computer technology becomes less secure over time. Instead, most technologies become securer over time as flaws are discovered and patched. However, once the vendor ends support for a product, it then begins to revert back into a less secure product. For example, public support for Windows XP ended on April 8, 2014, and as new flaws were discovered and exploits created for that OS, the security that Microsoft had integrated into one of its most popular OSes has been degrading ever since that date.

Another nuance in this area relates to the updates to your operating systems, updates for installed applications, and firmware updates for hardware products. In most cases, installing updates promptly is a good security practice. But what often is overlooked is the essential need to test and evaluate those updates before blindly installing them into a production system. Just because new code is released by a vendor does not guarantee that it will not introduce new problems to your systems. These problems could interrupt mission-critical business tasks or otherwise make your system unusable. Always test new updates on lab systems before installing them onto production equipment.

Computer Attacks Are Rare But Overly Emphasized by the Media
It is easy to be worried and frightened by the worst computer-based criminal attacks, but these attacks are rare. But due to our fight-or-flight-tuned brain, we often over emphasize the unlikely threats and under appreciate the more likely ones. Security experts want you to know that serious computer attacks are rare, but they are over emphasized by the media. Large-scale, massively damaging cybercrimes make for great headlines and attention-grabbing thriller plot lines, but they are very rare in comparison to more mundane exploits.

Most of the issues we should be concerned about are using poor passwords, sharing too openly on social networks, and using plain-text Internet communications. The chance that an attacker will figure out your password, attempt to scam you through email, or eavesdrop on your Internet activities is much higher than the chance of having your identity stolen, your retirement accounts emptied, or your car remotely controlled by an attacker. Plus, with just a few simple actions on your part, you can reduce these common threats. Making stronger passwords and encrypting your Internet connections were covered earlier in this paper. How to be securer online in general, especially on social networks, is detailed in my white paper "How to Secure Online Activities."

Take steps to reduce your risks on the more common but less dramatic concerns. Then, calm your fears over the massive cyber terrorism plots you hear about from TV, movies, or the media. They are much rarer than you are assuming, and you are an unlikely target. Sorry, but unless you are Warren Buffett, Elon Musk, or Richard Branson, you are just not worth the effort.

There Is More to the Internet than What Google Can Search
Most of us experience the world through a social network and Google. We think that we can learn anything or locate something just by typing in a few keywords for a search. Well, think again. Security experts want you to know that there is more to the Internet than what Google can search.

Google and other search engines use automated spiders or robot website crawlers (both a form of web browsing software) to retrieve information about websites. This information is then stored and indexed in their massive databases. When you perform a search, your keywords are used against this collected dataset to produce the results from which you select and click to traverse to the original source. However, due to website design, authentication requirements, or web crawler restrictions (such as robots.txt), search engines are not able to travel to all possible web pages.

There is also a plethora of other content that is not web based and thus is not able to be indexed by a web-focused site crawler. This non-searchable content is known as the Deep Web. This can include file stores; older Internet communication concepts, such as gopher and USENET; as well as custom content and temporary/temporal content.

While most of what we search for is part of the surface web (i.e., the part of the web that is search engine indexed), often once we click on a search result and dive deeper into the visited site, we may be encountering a part of the Deep Web (i.e., content that is not searchable). To learn more about the Deep Web, a quick surface web search will lead you to numerous articles and how-to guides if you want to go Internet spelunking.

Keep in mind that the Deep Web is a separate concept from that of the Darknet. The Darknet is the collection of computers and services that cannot be accessed (at least not directly) from the Internet as any standard website or service can. Instead, special VPN or anonymization services must be used to gain access. Examples of Darknet services have included Silk Road and Agora Marketplace. Often these Darknet services are by invitation only or are exceedingly challenging to locate. One popular access portal to some Darknet services is Tor (https://www.torproject.org/). However, this does not mean Tor is only used for Darknet access or only questionable purposes—it is just a tool.

Social Engineering Protection and Physical Security Are Just As Important As IT Security
Security is an essential business task. But it is also an essential concern for individuals. It should be a company policy, and it also should be a personal lifestyle. Security experts want you to know that social engineering protection and physical security are just as important as IT security. IT security, a.k.a. technical and logical security, comprises all of the computer hardware and software components that we commonly associate with improving online security, such as encryption, firewalls, authentication, logging, intrusion detection systems, and deep content inspection. However, IT security is just one aspect of organizational and personal security. It is essential not to overlook social engineering protection and physical security. Without all three of these security efforts, your protection infrastructure is incomplete.

Social engineering protection is the attempt to limit or restrict the ease by which an attacker can take advantage of you through cons, scams, or hoaxes. Social engineering attacks can occur in a face-to-face encounter, over the phone, through email, or through text messages. Being aware that such attacks are possible and being on guard against them is the first step to being securer. You need to avoid the trap of automatically trusting everything that is online or electronically delivered to you. All communications can be falsified or spoofed. So, take the effort to verify identity before you depend upon your assumptions.

Physical security is also important. Even with the best IT security money can buy, if your equipment is damaged by a flood or fire, your data is gone, and if it is stolen during a facility break-in, your data is in the hands of attackers. Keeping doors locked, using locked containers or tethers, tracking visitors, and using video recording systems will help improve physical security.

Paying attention to security means sufficiently addressing logical, social, and physical security concerns. Only through a well-designed and balanced effort will a security infrastructure withstand a multitude of attack attempts.

Conclusion

Security is complicated. This has led to the many misconceptions and misunderstandings about security. By paying attention to these ten concerns that security experts want you to know, you can gain knowledge and understanding about security and be securer both at work and in your personal life.

Monday, October 10, 2016

Scam Of The Week: Insidious New IRS Social Engineering Attack

Warn your employees, friends and family...

There is a new insidious IRS scam that you need to warn your employees, friends and family about, and inform your HR department to start with. Seasoned internet criminals are sending bogus emails with attachments, text messages and even snail mail claiming to be from the IRS and using a phony Form CP 2000.

This form is normally mailed by the IRS when income reported by employers does not match the income reported on the taxpayer's income tax return. To further confuse the potential victim, the letter accompanying the phony IRS form indicates that the form relates to the Affordable Care Act.

This scam is being investigated by the Treasury Inspector General for Tax Administration. The real CP 2000 form is a hefty six-pager with instructions about what steps to take whether you agree or disagree with the assessment. At the moment, the crooks are extorting straight cash out of victims, but this may just as well be used as a vehicle for instant malware infections.

I suggest you send the following to your employees, friends and family. Feel free to copy/paste/edit:

"There is an insidious new IRS scam doing the rounds. They send you a phony IRS CP 2000 form and claim the income reported on your tax return does not match the income reported by your employer. This is meant to get you worried. To confuse you further, the bad guys claim this has something to do with the Affordable Care Act.

You might receive emails with attached phony forms, text messages and even live calls to your phone about this! You need to know that the IRS will never initiate contact with you to collect overdue taxes by an email, text message or phone call.

If you get any emails, text messages, old-time snail mail or even live calls about this, do not respond and/or hang up the phone. If you receive a "CP 2000" form in the mail and doubt this is legit, you can always call the IRS at 1-800-366-4484 to confirm it is a scam."

Monday, August 8, 2016

Ten Essential Cybersecurity Best Practices for Banking

1. Lock it up
You step away from your computer to grab another cup of coffee - did you lock your computer? While this best practice seems trivial, one would be surprised at how often it is not done in the workplace. Our computers house sensitive information and business processes, and when a workstation is left unlocked there is a possibility an attacker could have unrestricted access to the system. To avoid possible information leaks, embarrassing photos being spread, or the occasional practical joker, simply remember to lock your computer before leaving your desk.
Quick tip - Press the Windows Key + L to quickly lock your screen

2. Protect your machine
How do you know if your machine is safe? A firewall is the first line of defense when it comes to guarding confidential digital information. It is imperative to properly install and continually update software firewalls on every machine that contains digital information.

Patching your operating systems and applications is another vital security practice. Although patches are often released on a scheduled basis, there are times when patches are sent out "off schedule" to defend against newfound threats. Keep in mind that, as time passes, new threats will be found, so system patching will be a constant security measure.

3. Think before you click
You just received your 50th email of the day! In your eagerness to get it out of your inbox, did you take a second to investigate the link before clicking? Once a link has been clicked there’s no going back; it is possible that malicious software can install itself on your computer. Don’t click on any link unless you know you can trust the source and you are certain of where the link will send you. If you are unsure about a link, the best thing to do is call the sender prior to clicking on the link.

4. Watch for the "S"
This message is brought to you by the letter "S". That simple letter makes a difference when it comes to secure online communication. "Http" stands for hypertext transfer protocol, while the "s" at the end stands for secure. It is important to make sure that "https" is displayed as part of a URL you visit, as it shows that the security certificate on that webpage was validated. If you access a webpage without a certificate or with one that is expired, there is a chance you are accessing a website that could be loaded with malware, viruses, trojans, or eavesdroppers.

5. Be a cautious surfer
The web can be risky if you aren’t careful. It is easy for users to pick up malicious code that can infect a computer with viruses and other unwanted malware simply by clicking on a link. It is important that you do not surf the web if you are on an account that has administrator privileges. If you pick up malware using a computer with administrator privileges, you have successfully given the malware the same administrator rights that you have on your user account.

6. Be smart with your phone
Smartphones are everywhere, and hackers know that. Although your smartphones make it far easier for you to surf the web, check emails, and look at your bank account, they have become yet another avenue for hackers to access sensitive data.

What you can do:
  • Don’t open email if you don’t know the sender
  • Don’t answer text messages asking for personal information
  • Use the guest Wi-Fi network at the workplace
  • Use strong phone passwords
  • Turn off Bluetooth when you aren’t using it or when entering sensitive data.

7. Be aware
Social engineering is a non-technical approach hackers use to get sensitive information. Social engineering techniques include phishing emails, fake phone calls, and physical impersonation. Employees must be trained to be helpful, but stern when it comes to giving out information, as well as how to identify a potential social engineering attack.

8. Passwords
Two of the most common passwords are "123456" and "password." Having more complex passwords can help protect you and your data.

Strong passwords should:
  • Contain at least 12 characters
  • Include upper and lower case letters, numbers and special characters
  • Be unique to one person - never be shared
  • Not be reused on multiple account logins
  • Be changed every 60 to 90 days

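Checking these rules, together with the three password steps listed earlier on this page (twelve characters, several character types, no reuse or variation), as an added example that is not code from either post; how a "variation" of an earlier password is recognized (ignoring leading and trailing digits and symbols, undoing common letter-for-symbol swaps, ignoring case) is an assumption of mine:

```python
"""Password policy checker for the rules given on this page:

  1. at least 12 characters,
  2. at least three of the four character classes (upper, lower, digit, symbol),
  3. not the same as, or a variation of, a password used before.

Added example, not code from either post. What counts as a "variation" is an
assumption: leading/trailing digits and symbols are ignored, common
letter-for-symbol swaps (0 -> o, @ -> a, ...) are undone, and case is ignored.
"""
import re
from typing import Iterable, List, Set

MIN_LENGTH = 12
MIN_CLASSES = 3

# Substitutions people commonly apply when "changing" a password (assumption).
_SUBSTITUTIONS = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})
# Leading or trailing run of digits, punctuation, whitespace or underscores.
_EDGE_JUNK = re.compile(r"^[\W\d_]+|[\W\d_]+$")


def character_classes(password: str) -> Set[str]:
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def normalize(password: str) -> str:
    """Reduce a password to the 'base word' a user is likely recycling.

    "Summer2016!" and "Summer2017!" both become "summer"; "P@ssw0rd!" becomes
    "password". Passwords made only of digits and symbols normalize to "".
    """
    base = _EDGE_JUNK.sub("", password)            # "Summer2016!" -> "Summer"
    base = base.translate(_SUBSTITUTIONS).lower()  # "P@ssw0rd"    -> "password"
    return re.sub(r"[\W_]+", "", base)             # drop inner separators


def is_variation(candidate: str, previous: str) -> bool:
    """True if candidate equals previous or is a trivial variation of it."""
    if candidate == previous:
        return True
    a, b = normalize(candidate), normalize(previous)
    if not a or not b:
        return False
    if a == b:
        return True
    # Appending or prepending a word ("SummerFun2016!") still counts, but only
    # when the shared base is long enough to be meaningful (assumed: 5 chars).
    short, long_ = sorted((a, b), key=len)
    return len(short) >= 5 and (long_.startswith(short) or long_.endswith(short))


def check_password(candidate: str, previous: Iterable[str] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"too short: {len(candidate)} < {MIN_LENGTH} characters")
    classes = character_classes(candidate)
    if len(classes) < MIN_CLASSES:
        problems.append(f"only {len(classes)} character class(es); need {MIN_CLASSES}")
    if any(is_variation(candidate, old) for old in previous):
        problems.append("same as, or a variation of, a previously used password")
    return problems


if __name__ == "__main__":
    # Constructed sample: the two passwords the banking post names as most
    # common, a seasonal password "rotated" by one year, and one that passes.
    history = ["Summer2015!"]
    for pw in ["123456", "password", "Summer2016!!", "Blue-Kettle-Whistles-42"]:
        result = check_password(pw, history)
        print(f"{pw!r:28} -> {result or 'OK'}")
```
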
9. Education
Having all employees well-trained in the basics of network, system and information security is a huge step in today’s cyber world and is one of the best investments that can be made. If you have a basic understanding of security or know how to identify a potential incident you are less likely to fall victim to an attack. At the office, each employee should be kept up to date on information security policies and their role in protecting sensitive information. They should know the expectations when it comes to the limitation of personal use on company provided equipment and should sign a statement acknowledging that they understand the policies and penalties that result if guidelines are not followed.

10. Backup
Disasters that could cause data loss don’t usually give much of a warning, so consider this your friendly warning. Businesses are often not prepared for fires, floods, power failures, employee errors, or even malicious programs. In each of these instances it is entirely possible for businesses to lose some, if not all data and information stored on the computer systems. The best way to ensure all data/information is safe is to automatically backup all critical data at least once a week. Data backups should be stored in a secure, off-site location.

Monday, July 18, 2016

Four things you should never carry in your wallet.

Recently a friend posted on Facebook that her car was broken into and her purse was stolen. Now this happens every day, but what made this story worse was that they were leaving on a trip in a couple of days.

It's a scenario that unsettles most people: the loss or theft of your wallet or purse. Your ID cards, all your credit and debit cards, receipts, any number of other valuable documents, even pictures with sentimental value might be lost. While there's no way to completely protect oneself from the sting of such a loss, the best way to reduce such difficulty is to ensure that you carry only the things you really need with you all the time, and to leave the rest at home. The difference between a temporary headache and a life-long issue can sometimes boil down to what you did or didn't have in that purse or wallet. Below are four things you should NEVER carry around in a purse or wallet:

Social Security Card (or any piece of paper with the SSN written on it): This is one of the biggest mistakes, and generates many calls to the ITRC. Identity theft springing from a stolen social security card carried in a wallet or purse is among the most common ways people become victims. If you lose your wallet and the Social Security card was in it, unlike a credit or debit card, you cannot simply cancel the card and change the number. This number is what's known as a "unique identifier," meaning that number is unique to you, and only you, and cannot be changed in all but the rarest of cases. With that Social Security number and little else, a criminal can take over your identity, open new accounts in your name, work under your name, create new drivers licenses or state ids in other states, and on and on. Unless you have need of your Social Security card THAT DAY, do not carry your Social Security card around in your purse or wallet. This document, more than any other, changes the loss of a wallet from a temporary hurdle to a life of constant increased vigilance and paranoia.

Birth Certificate: Possibly the only thing more damaging than losing a Social Security card is the loss of a birth certificate. Your certificate of live birth is the first and fundamental document issued by the government and it is the document from which all other documents spring. A birth certificate can get you a replacement Social Security card, a passport, a driver's license, and many other forms of identification, virtually anything. Since this document is considered by government and financial institutions as the bedrock identifying document, once a thief has possession of it, it is virtually impossible to prevent fraud. At that point, your only recourse is to try and clean up the mess after fraud has already occurred. This document is the single most destructive one in existence if it falls into the wrong hands. Obviously, something like this should never be carried around where it could be easily lost or stolen.


Account and Routing Numbers: If you're not going to the bank today, why are you carrying around the account and routing number to your checking account? In the wrong hands these numbers can be used by a thief to clean you out, overdraw you, and leave you stuck with the financial loss. Unlike the loss of a check or credit card, simply canceling the card will not prevent a thief with access to your account numbers from making use of your account. One must actually close the account and open an entirely new one. In the interim, you will have to file a police report and dispute with the bank any fraudulent charges. You may get your money returned after the conclusion of an investigation, but in the meantime you no longer have access to your money. Avoid carrying these numbers around unless really necessary. If you do lose an account number, immediately set up a verbal password with your bank to protect against any unauthorized access to your account.


Password Cheat Sheets: I know, in today's highly integrated electronic society, you might have as many as 10-12 passwords you need to remember for various accounts. More than you can probably remember on your own. To give yourself a little help, you wrote them down in one place you'll know to look in the event you can't remember one of them. Good trick, but DON'T leave it in your wallet. Even if the passwords aren't linked on paper to any particular account, it's a GREAT cheat sheet for any thief looking to do additional damage. Keep your password cheat sheet where it belongs, at home.


Passports: A passport is the quintessential document necessary for international travel. This document, because it is government-issued, is also useful in acquiring a new Social Security card, driver's license or state ID card, and can be used as an identifying document in acquiring a loan or opening a new credit account. Unless you're leaving the country today, leave that passport at home.


Please check those purses and wallets. Recovering from identity theft is a long, arduous ordeal.
Any questions or comments, please let me know.



Friday, July 15, 2016

Essential log sources

13 essential log collection sources, and the alerts they can feed, that help an automated log management system support infrastructure security
 
ANTI-MALWARE SOFTWARE
These logs can indicate malware detection, disinfection attempt results, file quarantines, when file-system scans were last performed, when anti-virus signature files were last updated, and when software upgrades have taken place.
 

AUTHENTICATION SERVERS

Servers typically log each and every authentication attempt and show the originating user ID, destination system or application, date and time, and success/failure details.
 

FIREWALLS

These very detailed and informative logs can show what activity was blocked according to security policies.
 

NETWORK ACCESS CONTROL SERVERS

These logs can provide useful information about both successful (permitted) and unsuccessful (quarantined) network connections.
 

OPERATING SYSTEMS

Beyond typical log entries, operating system logs can contain information from security software and system applications that can help identify suspicious activity involving a particular host.
 

VULNERABILITY MANAGEMENT SOFTWARE

Scanning and patch management software produce log entries such as configuration changes, missing software updates, identified vulnerabilities, and the downloads that keep patches and scan definitions current.
 

WEB PROXIES

Web proxy logs record user activity and URLs accessed by specified users.
 

APPLICATIONS

Logs can include account changes, user authentication attempts, client and server activity, and configuration changes.
 

INTRUSION DETECTION & PREVENTION

These systems record detailed information about suspicious behavior and detected attacks as well as actions taken to halt malicious activity in progress.
 

NETWORK DEVICES

Logs from network devices like routers and switches can provide information on network communication activity and what types of traffic were blocked.
 

VIRTUAL PRIVATE NETWORKS (VPNs)

VPN logs record both successful and failed connection attempts, date and time of connects and disconnects, and the types and amount of data sent and received during a session.
 

WEB APPLICATION FIREWALLS

WAFs generate “deny logs” which identify blocked application requests, useful for identifying attempted attacks that used an application as the attack vector.
 

CLOUD-SPECIFIC SOURCES

New sources of log data from specific public cloud environments such as Amazon Web Services (AWS), Microsoft Azure, and Rackspace Public Cloud must be considered for collection. (Example: CloudTrail logs in AWS)

Wednesday, May 11, 2016

Adobe and Microsoft Push Out New Updates

Adobe has issued security updates to fix weaknesses in its PDF Reader, while pointing to an update to be released later this week for its ubiquitous Flash Player browser plugin. Microsoft meanwhile today released 16 update bundles to address dozens of security flaws in Windows, Internet Explorer and related software.

Microsoft’s patches include updates for “zero-day” vulnerabilities (flaws that attackers figure out how to exploit before the software maker does) in Internet Explorer (IE) and in Windows. Half of the 16 patches that Redmond issued today earned its “critical” rating, meaning the vulnerabilities could be exploited remotely with no help from the user, save for perhaps clicking a link, opening a file or visiting a hacked or malicious Web site.

Anytime there’s a .NET Framework update available, I always uncheck those updates to install and then reboot and install the .NET updates; I’ve had too many .NET update failures muddy the process of figuring out which update borked a Windows machine after a batch of patches to do otherwise, but your mileage may vary.

On the Adobe side, the pending Flash update fixes a single vulnerability that apparently is already being exploited in active attacks online. However, Shavlik says there appears to be some confusion about how many bugs are fixed in the Flash update. “If information gleaned from [Microsoft’s account of the Flash Player update] MS16-064 is accurate, this Zero Day will be accompanied by 23 additional CVEs, with the release expected on May 12th,” Shavlik wrote. “With this in mind, the recommendation is to roll this update out immediately.”

Adobe says the vulnerability is present in Adobe Flash Player 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome OS, and that the flaw will be fixed in a version of Flash to be released May 12. As far as Flash is concerned, the smartest option is probably to hobble or ditch the program once and for all, significantly increasing the security of your system in the process. I’ve got more on that approach (as well as slightly less radical solutions) in A Month Without Adobe Flash Player. If you use Adobe Reader to display PDF documents, you’ll need to update that, too. Alternatively, consider switching to another reader that is perhaps less targeted. Adobe Reader comes bundled with a number of third-party software products, but many Windows users may not realize there are alternatives, including some good free ones. For a time I used Foxit Reader, but that program seems to have grown more bloated with each release. My current preference is Sumatra PDF; it is lightweight (about 40 times smaller than Adobe Reader) and quite fast.

Finally, if you run a Web site that in any way relies on Adobe’s Cold Fusion technology, please update your software soon. Cold Fusion vulnerabilities have traditionally been targeted by cyber thieves to compromise countless online shops.

Wednesday, April 27, 2016

Top 10 data breaches since 2008

Data breaches by the numbers


Organization (years)                        Records affected
Heartland Payment Systems (2008-2009)       130 million records
Target Stores (2013)                        110 million records
Sony online entertainment systems (2011)    102 million records
National Archive and Records Admin (2008)   76 million records
Anthem (2015)                               69-80 million records
Epsilon (2011)                              60-250 million records
Home Depot (2014)                           56 million records
Living Social (2013)                        50+ million records
TJX Companies (2006-2007)                   46+ million records
Sony Pictures Entertainment (2014)          Company inner workings


Cyber crime - average cost - $8 million per company in 2015




To keep up-to-date on the latest breaches please view the following site:
http://www.privacyrights.org/data-breach




Thursday, April 21, 2016

US-CERT to Windows Users: Dump Apple Quicktime

Apple has finally posted a support document online that explains QuickTime 7 for Windows is no longer supported by Apple. See the full advisory here.

Microsoft Windows users who still have Apple Quicktime installed should ditch the program now that Apple has stopped shipping security updates for it, warns the Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT). The advice came just as researchers are reporting two new critical security holes in Quicktime that likely won’t be patched.

Thursday, April 14, 2016

Over half a billion personal records were stolen or lost in 2015


Symantec Corporation released a report which stated that in 2015 many companies avoided disclosing the full details of their data breaches, after researchers found that over 429 million records were lost or stolen and that data breaches grew by 85 percent compared to 2014. In addition, the report stated that 75 percent of popular Web sites had major vulnerabilities, 15 percent of which were considered critical flaws.


Thursday, March 31, 2016

PCI 3.2 is coming

Preparing for PCI DSS 3.2: let's take a look at the key dates that help organizations plan for PCI Data Security Standard (PCI DSS) 3.2.

April 2016
  • PCI DSS 3.2 is scheduled for publication at the end of April. Publication will include a summary of changes document and webinar that provides an overview of 3.2 and the timeline and resources for putting it into place.
  • PCI DSS 3.2 supporting documents including Self-Assessment Questionnaires (SAQ), Attestation of Compliance (AOC) forms, Report on Compliance (ROC) templates, Frequently Asked Questions (FAQ) and Glossary will also be available at the end of the month.
October 2016
  • PCI DSS 3.1 will retire six months after the release of PCI DSS 3.2, and at this time all assessments will need to use version 3.2.
February 2018
  • The new requirements introduced in PCI DSS 3.2 will be considered best practices until 31 January 2018. Starting 1 February 2018 they are effective as requirements.
Questions, comments, concerns, please let me know by emailing me at: jncsousa@outlook.com


Monday, March 28, 2016

The Rising Cost of CyberSecurity

Since the early 2000s, information security has been mistaken for something you can buy, or something you can do once, to prevent breaches and data compromises. The latest headlines have proven otherwise. The cost of data breaches is expected to reach 2.1 trillion by 2019, with the average cost of each breach exceeding $150 million by 2020.


Costly Attacks

We know from the 2014 Home Depot breach that personal information from up to 60 million consumers was compromised. The cost of the Home Depot breach is still being calculated, but it could reach $3 billion. Unfortunately, this type of attack had been seen before, in the earlier Target and Sony attacks, and could have been avoided altogether.

The fallout from the 2013 Target compromise has cost the company $148 million for the breach, $100 million for better security and $86 million to settle with Visa and MasterCard for a total direct cost of $334 million. Indirect costs include the loss of their CEO, a class-action litigation filed against the board of directors for negligence, loss of an unknown number of customers, and making themselves a prime target for a hacker who wants to claim the trophy for breaking past their new defenses.


Is Human Error to Blame?

I have been monitoring and investigating various cyber-attacks since 2010 and I have found that all compromises are the direct result of human failure at all levels. Not one data breach has ever been attributed to hardware, operating system, or application failures. In 2013 it took an average of 229 days to discover a breach, with only 33 percent of organizations finding the breach themselves and 37 percent finding it with help from third parties. Here is my 5-second pitch: ensure you have proper logging in place, and ensure these logs are monitored on a daily basis.


Always a Constant Process

What most organizations fail to understand about information security is that defense is a process you must apply diligently, with constant improvements over time. The process is a simple three-step focus of prevention, detection, and response. Every organization should continue to attempt to prevent attacks and compromises; just realize that history has proven that no matter what you do or spend to prevent a compromise, it will fail. When you compare the cost of data breaches to the cost to prevent a compromise, it is easy to understand that consumers and organizations both will have to find a way to cover or transfer those risks and costs. To do this, more effort and budget dollars must be put into the detection of attacks and data breaches.


In order to determine the best ways to cover or transfer cost, you must know exactly what happened. In the response phase of the process, knowing exactly what happened is imperative to making an informed decision. Of course, making an informed decision to do nothing can be acceptable. The information gathered during the detection or monitoring phase will be used to handle incidents internally through human resources, self-insure losses, dealings with authorities, or knowing which insurance policy could be used to transfer losses to. Regulatory compliance, potential litigation, and lost revenues all add unknown cost into your response.


Tuesday, March 22, 2016

Top 10 Network Security Tools


Hacking tools here means the tools or software used to gather information about a network or website. These same tools are used by many hackers. There are many tools for different purposes; the tools listed here are widely used. Make sure you have permission to run these tools; otherwise it is illegal.

1. Nmap (Network Mapper): Nmap is the most widely used tool for exploring networks. It is free and open source, and it makes security auditing easier. Its main task is rapidly scanning a network: using IP packets it determines which hosts are present on a network, along with information on the applications they are running. Nmap also reports the operating systems in use, helps identify firewalls on a network, and reports many other characteristics of a given host.
2. Wireshark: Wireshark is a free, open-source packet analyzer. Network engineers use Wireshark for troubleshooting, network analysis, education, and software and communication protocol development. It was originally named Ethereal, but in May 2006 the project was renamed Wireshark because of a trademark issue.
3. Nessus: Nessus Remote Security Scanner became closed-source software in 2005, but the engine that runs the software is still free of charge. 75,000 organizations worldwide use the Nessus Security Scanner, which has become the world’s most popular scanner. Many have benefited from this software, and it is used extensively in auditing critical enterprise devices.
4. Kismet: For 802.11 wireless LANs, Kismet works as a network detector, packet sniffer, and intrusion detection system. It is compatible with any wireless card that supports raw monitoring mode, and can sniff 802.11a, 802.11b, 802.11g, and 802.11n traffic. It is available for Linux, FreeBSD, NetBSD, OpenBSD, and Mac OS X; a GUI version is also available for Microsoft Windows. Aside from remote capture through external drones, Kismet can only use supported wireless hardware as a packet source.
5. LCP: On Windows NT/2000/XP/2003, LCP can be used for user account password auditing and recovery, distributed brute-force sessions, hash computation and password recovery. It is a very good free alternative to L0phtcrack.
6. Yersinia: Various Layer 2 protocols have weaknesses, and this network tool is designed to take advantage of them. It acts like a solid framework for analyzing and testing deployed networks and systems, although it is not actually a framework. Currently the following network protocols are implemented: IEEE 802.1q, Spanning Tree Protocol (STP), Dynamic Host Configuration Protocol (DHCP), Hot Standby Router Protocol (HSRP), Inter-Switch Link Protocol (ISL), VLAN Trunking Protocol (VTP), Dynamic Trunking Protocol (DTP), Cisco Discovery Protocol (CDP).
7. Nikto: Nikto is an open source (GPL) web server scanner that performs comprehensive tests against web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions of over 625 servers, and version-specific problems on over 230 servers. Its plugins need to be updated regularly, and they can be updated automatically.
8. SuperScan: SuperScan is a very powerful connect-based TCP port scanner, pinger and hostname resolver. The program is extremely fast and versatile because of the multithreaded and asynchronous techniques its developers used. For network administrators it is a first and foremost tool. Do not scan systems that are not under your control; it is illegal. Do not use this program against computers on the Internet that you have no right to scan: you are highly likely to be tracked down and attract the attention of your ISP, possibly resulting in your account being terminated.
9. John the Ripper: John the Ripper is a fast password cracker, currently available for many flavours of Unix, DOS, Win32, BeOS, and OpenVMS. It can be used to find weak passwords on any of these operating systems. Besides the several crypt password hash types most commonly found on various Unix flavours, Kerberos AFS and Windows NT/2000/XP/2003 LM hashes are supported out of the box, plus several more with contributed patches.
10. Cain and Abel: Cain and Abel is a password recovery tool for Microsoft operating systems. It allows easy recovery of various types of passwords by sniffing the network, cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, uncovering cached passwords, recovering wireless network keys, revealing password boxes, and analyzing routing protocols.

Wednesday, March 16, 2016

Microsoft and Adobe Push Critical Updates

Microsoft today pushed out 13 security updates to fix at least 39 separate vulnerabilities in its various Windows operating systems and software. Five of the updates fix flaws that allow hackers or malware to break into vulnerable systems without any help from the user, save for perhaps visiting a hacked Web site.

The bulk of the security holes plugged in this month’s Patch Tuesday reside in either Internet Explorer or in Microsoft’s flagship browser — Edge. As security firm Shavlik notes, Microsoft’s claim that Edge is more secure than IE seems to be holding out, albeit not by much. So far this year, Shavlik found, Edge has required 19 fixes versus IE’s 27.

Windows users who get online with a non-Microsoft browser still need to get their patches on: Ten of the updates affect Windows — including three other critical updates from Microsoft. As always, Qualys has a readable post about the rest of the Microsoft patches. If you experience any issues with the Windows patches, please share your experience in the comments below.

As it is known to do on Patch Tuesday, Adobe issued security updates for its Reader and Acrobat software. However, there appears to be no update for Adobe’s Flash Player plugin, which usually accompanies Patch Tuesday. An Adobe spokesperson has advised through various news channels that the company will be issuing a Flash Player update on Thursday morning.

If you would like to see more detailed information on monthly patches, please leave a comment and I will look at adding it to the blog.

Be safe and, for God's sake, please patch!

Thursday, February 25, 2016

Organizational controls for Cyber Risk

How do I ensure that my organization has controls to protect itself from cyber risk? In other words, what are the key controls that my company must implement to protect itself from cyber risk? There are excellent security frameworks available as public documents that can be used as cybersecurity baseline controls.

Here is my list of essential controls:

Patch management—it is essential to have a structured patch management process. It does not mean that all patches have to be applied, but the enterprise has to make a conscious decision on which to apply and which not to apply. Patch management should be done as a priority for critical applications. While many enterprises apply patches for their IT infrastructure on a priority basis, it is common knowledge that the same rigor is not applied to patch management for software applications.

Administrative privilege control—it is key to remove administrative privileges from everyone and grant them only to a select few, as determined by job need. Some individuals see it as a status symbol to hold admin privileges. Local admin rights must be removed for the significant majority of users.

Dynamic analysis—conducting dynamic analysis, which uses behavior-based detection capabilities instead of the conventional approach of relying on the use of signatures, helps enterprises to detect malware that is yet to be identified. Such dynamic analysis can be undertaken at the enterprise’s main gateway, the end point or the cloud, depending on the specific, relevant scenario. Customized sandboxes will help perform structured dynamic analysis.

Host-based intrusion protection/detection system (IPS/IDS)—Host-based IPS/IDS’s detection strength is based on behavior instead of conventional signatures.

Segmenting—segmenting the network based on business criticality is yet another essential control. Active Directory and other authentication servers should be able to be administered only from a selected number of intermediary servers called “jump hosts.” Jump hosts must be well secured, and jump host access must be limited to a predefined list of users and network devices/equipment. Ideally, jump hosts will have no Internet access.

Multifactor authentication—though a number of users view it as painful, it is essential to implement multifactor authentication in the interest of the enterprise.

Internet access—Direct Internet access from all end points/desktops/laptops must be denied; web traffic must instead pass through a proper proxy.

Passphrase policy—for service accounts and privileged accounts, it is essential to implement a passphrase policy instead of a password policy; this is yet another area of common resistance.

Web site access—Access to web sites must be via their domain names and not by IP addresses.

Removable storage media—Usage of removable storage media must be appropriately controlled—though any restrictions on these are viewed by users as a loss of rights. Any enterprise keen to protect its sensitive information from leakage must restrict access and grant it based on a business need.

User education—this is not necessarily about all business users, but about educating developers to write secure code and infrastructure experts to manage it in a secure manner. While users from the business appreciate the risk to the business, it is these experts from the IT world who require more convincing.

External email exchange management—when emails are exchanged with entities external to the enterprise, it is essential to adopt and implement protocols such as transport layer security (TLS).

Strong asset management—maintaining an inventory of authorized devices, equipment and software is essential. Asset management is another area that does not get accorded its due priority.

Web application testing—whether the web applications are developed in-house or by a third-party, it is essential to test them for vulnerabilities. They must also be tested via simulated attack scenarios.

The staging environment—Security testing such as a vulnerability assessment or a penetration test must be done in a replica of the production environment; otherwise, the gap between the environments becomes the weakest link in the chain.

Wireless networks management—Access must be granted on a need basis with adequate restrictions, and miscellaneous devices must not be allowed to connect in an unrestricted manner. Ideally, network admission control mechanisms must be in place.
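Two of the controls above (Internet access only through a proxy, and web site access by domain name rather than IP address) are easy to state but only useful if someone verifies them. The following is an added example, not from the original post: it runs both checks over constructed proxy and firewall log lines, reporting proxy requests whose host is an IP literal and firewall-permitted web connections from internal endpoints that never touched the proxy. The log layouts, the 10.0.0.0/8 internal range and the proxy address 10.1.0.10 are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed proxy access log; assumed layout: time client user method url status.
SAMPLE_PROXY_LOG = """\
2016-02-25T08:00:01 10.1.2.3 alice GET http://www.example.com/index.html 200
2016-02-25T08:00:05 10.1.2.3 alice GET http://203.0.113.25/update.bin 200
2016-02-25T08:01:10 10.1.2.9 bob CONNECT 198.51.100.40:443 200
2016-02-25T08:02:00 10.1.2.9 bob GET https://portal.example.org/login 200
2016-02-25T08:03:00 10.1.2.4 carol GET http://[2001:db8::1]/a 200
"""

# Constructed perimeter firewall log; assumed layout: time src dst dport action.
SAMPLE_FW_LOG = """\
2016-02-25T08:00:01 10.1.2.3 10.1.0.10 3128 ALLOW
2016-02-25T08:00:02 10.1.2.3 10.1.0.10 3128 ALLOW
2016-02-25T08:00:07 10.1.2.7 203.0.113.50 443 ALLOW
2016-02-25T08:00:08 10.1.2.7 203.0.113.50 80 DENY
2016-02-25T08:00:09 10.1.2.8 10.1.5.20 443 ALLOW
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]      # assumed
PROXY_ADDR = ipaddress.ip_address("10.1.0.10")             # assumed proxy
WEB_PORTS = {80, 443}


def url_host(url):
    """Host part of a proxy-logged URL. CONNECT lines carry a bare
    host:port, so prefix '//' to make urlsplit treat it as a netloc."""
    target = url if "://" in url else "//" + url
    return urlsplit(target).hostname   # strips port and IPv6 brackets


def is_ip_literal(host):
    """True when the host is an IPv4 or IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_ip_literal_requests(proxy_text):
    """Control: web sites must be reached by domain name, not IP address.
    Returns (user, client, host) for each request to an IP literal."""
    hits = []
    for line in proxy_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue                    # skip lines not in the assumed layout
        _ts, client, user, _method, url, _status = parts
        host = url_host(url)
        if host and is_ip_literal(host):
            hits.append((user, client, host))
    return hits


def find_proxy_bypass(fw_text, proxy=PROXY_ADDR, internal=INTERNAL_NETS):
    """Control: endpoints must not reach the Internet directly.
    Returns (src, dst, dport) for allowed web connections from an internal
    address to an external one that is not the proxy. DENY entries are the
    control working and are not reported."""
    hits = []
    for line in fw_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, src, dst, dport, action = parts
        if action != "ALLOW" or int(dport) not in WEB_PORTS:
            continue
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        src_internal = any(src_ip in n for n in internal)
        dst_internal = any(dst_ip in n for n in internal)
        if src_internal and not dst_internal and dst_ip != proxy:
            hits.append((src, dst, int(dport)))
    return hits


if __name__ == "__main__":
    for user, client, host in find_ip_literal_requests(SAMPLE_PROXY_LOG):
        print(f"IP-literal request: user={user} client={client} host={host}")
    for src, dst, port in find_proxy_bypass(SAMPLE_FW_LOG):
        print(f"Proxy bypass: {src} -> {dst}:{port} allowed by firewall")
```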

This is an indicative list and must not be deemed exhaustive. Please choose a security framework relevant and apt to your enterprise and use it. These days, cyber risk insurers also provide guidance documents that they consider prerequisites for any enterprise to buy cyber risk insurance policies.

In my opinion, it is essential to identify relevant controls and implement them in the most appropriate manner rather than implementing a huge list of controls that are irrelevant and inappropriate. And, of course, the best controls rely on competent professionals to make them work effectively.





Monday, January 4, 2016

4 Steps the SMB can take to improve Cyber Security


So what exactly can SMBs do to minimize the chances of being a victim of cyber crime?  

My recommendations are incredibly simple, but highly effective.  This is the beauty of this message.  It boils down to awareness, education, cyber monitoring and damage control.  

Awareness - small organizations are focused on building their business, not fighting invisible threats.  A range of actions can be taken by business owners to stay informed about the current threat landscape and relevant risks to their industry.  Cyber risk assessments, self-served or partner-led, are available and affordable for the SMB now.  This is one of the first steps the SMB can take to begin the process of understanding what is at risk.  The important point to take away from this is to stay plugged in to the basics and remain diligent.   

Education - as a small organization becomes successful, it adds employees.  It is critical to educate all staff on the full range of physical and cyber security risks on a continual basis.  This is not a discussion for the first day of employment, never to be thought of again. With the blurred lines between personal and business use of technology assets (e.g., smart phones, tablets, laptops, etc.), the organization is placed at significant risk ranging from malware to targeted phishing exploits.  A regular education process is critical to help employees understand the proper actions and behaviors.  

Cyber Monitoring - monitoring for active and real-time threats in a smaller organization isn't likely one of the first things that an entrepreneur or business owner thinks about in the morning.  The good news is that they don't have to, because there are credible cybersecurity firms that do this for them at an incredibly affordable price.  Having visibility at the network layer for malicious activity is the first step to long-term success in a smaller organization.  Think of this as the safety net when employees are lured into malicious attacks, or as a means to reveal the activities happening inside the network that no one can see.  There is plenty of verifiable data confirming the inability of a smaller organization to recover from a serious cyber incident.  Monitoring for malicious activity on a continual basis is something that a small organization could never effectively do on its own.  

Damage Control - small organizations should have a cyber breach recovery plan. Even if it is as simple as having identified the proper authorities to contact and a local firm to provide guidance through the process, it is important to plan ahead.  

Questions, comments, thoughts? Email me at jncsousa@outlook.com
