The incident occurred when the London-based estate agency transferred personal data from its server to a partner organisation but failed to implement access controls.
This meant that tenants’ and landlords’ bank statements, salary details, passport information, dates of birth and addresses were publicly available online between March 2015 and February 2017, when Life at Parliament View learned of the breach.
During its investigation, the ICO discovered many security practices that contravened the DPA (Data Protection Act) 1998. Had the incident occurred after the GDPR (General Data Protection Regulation) took effect on 25 May 2018, Life at Parliament View would have faced a much higher penalty.
Unfortunately, many organisations are vulnerable to the same mistakes. So how can you be sure that your systems and processes are secure?
The breach at Life at Parliament View can largely be attributed to the company’s failure to turn off ‘Anonymous Authentication’ after completing its file transfer. This caused two major security issues.
First, the information was no longer subject to any kind of access control, meaning anyone who found the database was free to view or copy the information it contained.
That’s bad enough, but it also meant that those who accessed the database did so anonymously. Life at Parliament View had no way of knowing whether the people opening or amending the database were employees doing their job or whether the information had been compromised by an unauthorised person – be it another employee or a criminal hacker.
There were other security mistakes that exacerbated the issue, like a lack of encryption and poor staff awareness training to identify security lapses, but the root cause was the lack of access controls to ensure only authorised employees could access the sensitive information in question.
What are access controls?
Put simply, access controls are measures that restrict who can view data. They consist of two elements:
Authentication: a technique used to verify the identity of a user.
Authorisation: determines whether a user should be given access to data.
To be effective, access control requires the enforcement of robust policies. This can be difficult when most organisations operate in hybrid environments where data is mobile and moves between on-premises servers, the Cloud, external offices and beyond.
Organisations must determine the most appropriate access control model to adopt based on the type and sensitivity of the data they’re processing. They have several options:
Discretionary access control: employees control the programs and files they use, and determine the permissions other users have relating to that information. It is commonly referred to as a ‘need-to-know’ access model.
Mandatory access control: the administrator defines the usage and access policy, which cannot be modified by users.
Role-based access control: provides access based on a user’s role, and applies principles such as ‘least privilege’ and ‘separation of privilege’. This means the user can access only the information that is required for their role.
Attribute-based access control: based on different attribute types: user attributes, attributes associated with the application, and current conditions. This provides dynamic, fine-grained access control but is also the most complex to operate.
Whichever model you adopt, it’s important to keep access to your data to a minimum, as this limits the opportunities for a criminal hacker to access your information.
Access controls and Cyber Essentials
Organisations that want to understand how to implement access controls should look at Cyber Essentials, a UK government assurance scheme based on “10 Steps to Cyber Security” and administered by the NCSC (National Cyber Security Centre).
Cyber Essentials has two objectives:
To set out five basic cyber security controls that can protect organisations from common cyber attacks.
To provide a simple and affordable certification process for organisations to demonstrate that they have implemented essential cyber security measures.
It sounds crazy to the uninitiated, but organisations across the globe pay people to break into their systems and find sensitive information.
The reason they do this is simple: to catch a thief, you must think like one. Organisations hire ethical hackers to make sure they have someone who’s one step ahead of the tactics that crooks use.
What is ethical hacking?
Ethical hacking (or penetration testing) refers to the exploitation of networks and applications, with the intention of informing the organisation about the vulnerabilities you discover.
With the vulnerabilities the ethical hacker discovers, organisations can implement defences to stop criminals before they’ve had a chance to target the organisation.
What does an ethical hacker do?
Ethical hackers identify and exploit vulnerabilities using the same methods as a criminal hacker. The only difference is that ethical hackers operate within the law, and don’t use any of the information they’ve discovered maliciously.
Attacks may involve exploiting system misconfigurations, sending the organisation’s staff phishing emails with the intention of gathering their login credentials, or breaching the physical perimeter.
As the threat landscape has evolved, ethical hackers are sometimes commissioned to commit long-term cons. They will watch and analyse an organisation, looking for patterns that can be exploited. One method they might use is to leave removable devices containing malware in a public area to see if an employee plugs one into one of the organisation’s computers.
Can I trust ethical hackers?
You might be unnerved at the prospect of allowing an ethical hacker to root around in your organisation, but there’s nothing to fear as long as you hire a qualified ethical hacker through a trusted third party.
This five-day course gives you practical, hands-on experience with ethical hacking. You’ll be shown the strategies, tactics, technologies, tools and motivations of criminal hackers, and be given the opportunity to replicate their methods.
After the course, our tutor will be available to provide support and answer any questions you may have. You’ll also be given six months’ online access to EC-Council iLabs to further develop your skills.
When you’re ready, you can sit the CEH Practical exam, where you’ll be tested on your ability to identify and exploit vulnerabilities in operating systems, databases and networks.
Those who pass will receive the CEH (Practical) certification, which is globally recognised as the vendor-neutral qualification of choice for developing a senior career in ethical hacking and penetration testing.
However, the threat doesn’t just come from the volume of scams, but their idiosyncrasy. The measures you put in place to protect you from most cyber attacks – anti-malware, perimeter scans, vulnerability assessments, etc. – are inadequate when it comes to phishing, because fraudsters don’t exploit technological weaknesses.
They instead target employees using a tactic known as social engineering.
What is social engineering?
Social engineering is a collective term for the ways people are manipulated into performing certain actions.
In an information security context, it refers to the methods fraudsters use to get people to hand over sensitive information and expose themselves to malware.
Phishing is a classic example of social engineering, as the scams emulate legitimate organisations and attempt to trick people into complying with a request.
For example, many messages replicate services that possess sensitive information or are essential for the user’s quality of life. This explains the prevalence of phishing emails that relate to tax forms or entertainment services like Netflix.
A 2017 PhishMe survey found that fear was the most effective motivating factor for someone to click a link or open an attachment in a phishing email.
The organisation sent a series of benign phishing emails to respondents and found that the most successful scam spoofed a bar association that claimed that a grievance had been filed against the recipient. It tricked 44% of respondents.
A similar scam email imitating an accountancy firm that claimed a complaint had been filed against the recipient was successful 34% of the time.
Catching us off guard
Although people are always susceptible to phishing, cyber criminals increase their chances of success by sending scams at times when we are most vulnerable.
Phishing has a comparatively low success rate when the recipient is busy or thinking about something else when they receive the message. The sense of urgency is diminished on, say, Monday mornings, when employees have plenty of other urgent tasks.
When they come back to the email a few hours later, they are more likely to notice the things that seem suspicious. Or, if the message is imitating a colleague, they’ll see that person in the office, ask about their request and realise that it was a scam.
Criminals therefore try to send scams when people are most likely to take action right away, which means scheduling them for times when recipients are least likely to be busy. Fridays are sometimes considered the peak time for phishing, but you’re just as likely to fall victim during the middle of the week.
Whatever day it is, the consensus is that you’re most vulnerable during your lunch break and in the early afternoon. This is because most of us take a break from whatever task we were doing. We might use the time to check our emails, and the message may appear as we sit there with no other tasks at hand.
How vulnerable are your staff?
There’s a simple way to assess how big of a threat phishing poses to your organisation: send your employees a scam email.
This might sound reckless, but it’s perfectly safe. Our Simulated Phishing Attack service sends your employees a typical example of a phishing email without the malicious payload.
This gives you the opportunity to monitor how your employees respond. Do they click a link right away? Do they recognise that it’s a scam and delete it? Do they contact a senior colleague to warn them?
You can use the answers to guide your information security measures and to act as a reference point when it comes to staff awareness training.
Policies and procedures are the documents that establish an organisation’s rules for handling data.
Policies provide a broad outline of the organisation’s principles, whereas procedures detail how, what and when things should be done.
The evolving cyber threat landscape makes it imperative that organisations regularly review their policies and procedures.
If a procedure isn’t working, it needs to be rewritten.
5) Assess and improve
Each of the steps listed here references the need to conduct regular reviews, but the assessment and improvement process is so important that it merits particular attention.
Every part of an organisation’s cyber security framework benefits from reviews of its effectiveness, but the process will inevitably take time and effort, meaning the frequency of reviews will depend on the resources you have.
How ISO 27001 can help
We recommend implementing ISO 27001, the international standard that describes best practice for an information security management system (ISMS).
The Standard’s framework covers everything listed here, and is designed to help organisations manage their security practices in one place, consistently and cost-effectively.
We know that implementing an ISO 27001-compliant ISMS can be an intimidating task, especially if you have no prior knowledge of the Standard and don’t know where to start.
CISMP is widely regarded as the ‘qualification of choice’ for IT professionals and is recognised across the UK as an essential first rung on the ladder to a successful career.
But what exactly is it and how does it help?
What is CISMP?
CISMP provides a broad introduction to information security management, making it ideal both for those getting started in the industry and for professionals who require a deeper understanding of the subject to develop their overall business skills.
The qualification will enable you to demonstrate good knowledge and understanding of information security, risk management, legal frameworks, business continuity, security standards (like ISO 27001), people and physical security.
It’s particularly valuable to those working in the public sector, as it is part of the CESG Certified Professional (CCP) scheme, which is the government’s approved standard of competence for cyber security.
This blog has been updated to reflect industry developments. Originally published Mar 27, 2017
Phishing attacks are a persistent threat to businesses. A staggering 90% of breaches involve phishing, according to Verizon’s Data Breach Digest.
And these attacks are on the rise – Proofpoint’s 2019 State of the Phish Report reveals that 83% of survey respondents experienced phishing attacks in 2018. That’s a 76% increase from 2017.
But what makes phishing attacks so successful? A new report from Osterman Research suggests there are six key factors to blame:
1. Users are the weakest link
Most users aren’t trained to recognise phishing attempts, and so often fall prey to attack by clicking on links or opening attachments in emails without considering the potential repercussions.
According to the research, 52% of users receive training no more than twice per year, and 6% of users have never received security awareness training.
The result? IT departments are not at all confident in their users’ ability to recognise incoming threats, or in their organisation’s ability to stop phishing and related attacks.
2. Organisations aren’t doing enough
Further complicating the problem, organisations aren’t doing enough to reduce the risks associated with phishing and ransomware.
The report highlights 3 key areas of weakness:
Insufficient backup processes: In the event of a ransomware attack, most organisations have insufficient backup processes. This leaves them unable to quickly restore content on servers, user workstations and other endpoints to a healthy state.
Lack of user testing: Most organisations do not have adequate procedures in place to test their users, leaving them unable to determine which staff members are the most susceptible to an attack.
Conducting a simulated phishing attack can help you establish whether your employees are vulnerable to phishing emails, enabling you to take immediate remedial action to improve your cyber security posture.
The criminal organisations committing cyber crime are generally very well funded.
As a result, they have the technical resources to continually publish increasingly effective variants of their malware.
4. Cyber criminals are shifting their focus
The availability of stolen data on the Dark Web has decreased its commercial value.
The price of a payment card record dropped from $25 in 2011 to $6 in 2016, so cyber criminals have had to focus on new ways to earn as much as they did in the past.
Consequently, they found a fruitful source of funds in information-holders, which they target through phishing and ransomware attacks.
Afraid of losing their data, information-holders wouldn’t think twice before paying what criminals demand.
5. Phishing tools are low-cost and widespread
There are an increasing number of tools designed to help amateurs with little IT knowledge become “hobbyist” phishers and ransomware authors.
The availability of phishing kits and the rise of ransomware-as-a-service (RaaS) have resulted in an explosion of ransomware and other exploits coming from an ever-growing network of amateur cyber criminals.
6. Malware is becoming more sophisticated
Over time, phishing and various types of malware have become more sophisticated.
The problems of phishing, spearphishing, CEO fraud/BEC and ransomware are simply going to get worse without appropriate solutions and processes to defend against them.
Protect your organisation against phishing
Educated and informed employees are your first line of defence. Empower them to make better security decisions with our complete staff awareness e-learning suite.
A cost-effective way of managing all your staff awareness training in one place, the complete suite contains eight e-learning courses to help you transform your employees from threats to assets.
Included in the complete suite is the Information Security and Cyber Security Staff Awareness E-Learning Course.
Take control of your employees’ security behaviour
Cybersecurity has been moving further and further towards the top of the corporate agenda for a number of years now, and for very good reason. Yet, how much do we understand about the importance of analytics when staying protected?
According to a recent study by McAfee Labs, 480 new data security threats were discovered every minute in 2018 – and that figure will rise even further by the end of this year. Our growing reliance on mobile devices and public networks has created a staggering amount of new entry points and vulnerabilities, and many businesses are only just waking up to the sheer scale of the issue.
But it certainly isn’t just about quantity. Both the nature of cyber attacks, and approaches hackers use, are continually evolving, which poses a threat to a growing number of companies across a wider span of industries. Product managers, data engineers and business owners alike are facing an increasingly difficult challenge to safeguard their digital infrastructure and keep their data safe from any unwarranted breaches.
Those looking to maximise their defences must invest in every core method of protection in order to stay protected – but perhaps none more so than business intelligence and analytics.
We hear a lot of talk about the risks of big data and potential issues with storing sensitive information. Many people don’t realise that companies who have a tight handle on their own data put themselves in a far better position to fend off cyber attacks than those who are not. Data itself isn’t the issue; it’s whether we are in full control of it.
Having access to large amounts of proprietary data can help businesses to analyse patterns, observe irregularities and spot potential weaknesses within a network. Analytics programmes can also help classify the severity and complexity of issues, which helps businesses prioritise the areas that require the most attention. This not only reduces the time it would normally take to detect and resolve an issue, but it’s also a massive advantage when it comes to catching issues ahead of time. Prevention is the best cure, after all.
So, how exactly do you begin to manage and deploy data as part of your cybersecurity strategy? The first step is to simplify BI management to make mining and visualising analytics as easy as possible.
A business intelligence platform is a good starting point if you’re struggling to develop a system that works for your business. Companies such as Sisense offer full-stack approaches that help build flexible data models across a wide range of sources. This helps to bridge the gap between modern BI tools and any legacy software that you’re still using. The use of embedded analytics also enables companies to integrate reports, dashboards and visualisations with key applications and workflows.
Of course, cybersecurity and data governance are both ongoing commitments that require continual attention and investment. The evolving nature of cybercrime poses many headaches for the modern business, but it’s also a huge motivation to keep their databases clean, secure and plugged into an efficient BI system at all times.
The task of keeping digital infrastructure safe is always better done ahead of time. It’s no good waiting until you’ve suffered the consequences of a major cyber attack to do something about it. Top companies understand the importance of avoiding major disruption to their operations at all costs – and that’s only possible by updating and improving every aspect of their cybersecurity strategy on a regular basis. If you keep your data protected, it will ultimately protect you.
ISO 27001 recommends that organisations take one of four actions:
Modify the risk by implementing a control to reduce the likelihood of it occurring. For example, you might address the risk of a work-issued laptop being stolen by creating a policy that instructs employees to keep devices with them and to store them safely.
Avoid the risk by ceasing any activity that creates it. This response is appropriate if the risk is too big to manage with a security control. For example, if you’re not willing to take any chances of a laptop being stolen, you might choose to ban employees from using them outside the premises. This option will make things less convenient for your employees but will drastically improve your security posture.
Share the risk with a third party. There are two ways you can do this: by outsourcing the security efforts to another organisation or by purchasing cyber insurance to ensure you have the funds to respond appropriately in the event of a disaster. Neither option is ideal, because you are ultimately responsible for your organisation’s security, but they might be the best solutions if you lack the resources to tackle the risk.
Retain the risk. This option means that your organisation accepts the risk and believes that the cost of treating it is greater than the damage that it would cause.
Selecting appropriate controls
The most common risk treatment option is to modify the risk, because it typically offers the best combination of security and cost.
Organisations can determine the best way to modify a risk by looking at the controls listed in Annex A of ISO 27001. It lists 114 controls, which are split into 14 sections (or ‘control sets’), each one tailored to a specific aspect of information security:
Information security policies: how policies are written and reviewed.
Organisation of information security: the assignment of responsibilities for specific tasks.
Human resource security: ensuring that employees understand their responsibilities prior to employment and once they’ve left or changed roles.
Asset management: identifying information assets and defining appropriate protection responsibilities.
Access control: ensuring that employees can only view information that’s relevant to their job role.
Cryptography: the encryption and key management of sensitive information.
Physical and environmental security: securing the organisation’s premises and equipment.
Operations security: ensuring that information processing facilities are secure.
Communications security: how to protect information in networks.
System acquisition, development and maintenance: ensuring that information security is a central part of the organisation’s systems.
Supplier relationships: the agreements to include in contracts with third parties, and how to measure whether those agreements are being kept.
Information security incident management: how to report disruptions and breaches, and who is responsible for certain activities.
Information security aspects of business continuity management: how to address business disruptions.
Compliance: how to identify the laws and regulations that apply to your organisation.
Deciding which control to use is relatively straightforward. The ISO 27001 implementation team should meet with a senior employee from the relevant department to agree on the appropriate control.
For example, communications security issues should be discussed with IT, staff awareness issues with HR, and supplier relations with whichever department the third party is working with.
As with all major security decisions, you should run your decisions past senior management.
Once you’ve finalised which controls you should use, you should refer to ISO 27002 to learn more about implementing them.
Before you begin
It’s worth remembering that your RTP (risk treatment plan) must be appropriate to your organisation. Implementing controls takes time, effort and money, so you need to pick your battles carefully.
You almost certainly won’t have the resources to apply controls to every risk, even if they are small controls, such as a new process or policy.
Even a new policy requires a team of people to write and approve it, generate awareness among employees and ensure that the rules are being followed and working as intended.
That’s not to say you should abandon a control if you think that it will be expensive to implement and maintain. However, you should constantly assess whether there’s a less expensive control that could generate similar results.
Help with creating your risk treatment plan
Below is an example of what a risk-based RTP might look like, extracted from our bestselling ISO 27001 ISMS Documentation Toolkit. The toolkit also contains an asset-based RTP template.
Developed by expert ISO 27001 practitioners and used by more than 2,000 clients worldwide, the toolkit includes:
A complete set of mandatory and supporting documentation templates that are easy to use, customisable and fully ISO 27001-compliant;
Helpful gap analysis and project tools to ensure complete coverage of the Standard; and
Direction and guidance from expert ISO 27001 practitioners.
This is a marked improvement on the previous two years, in which 43% (2018) and 46% (2017) of businesses were breached, but it doesn’t tell the full story of the UK’s threat landscape. Although the number of organisations being targeted seems to be decreasing, those that are vulnerable to attacks are experiencing them more often, with two in five organisations saying that they come under threat at least once a month.
The threat is much higher among medium-sized businesses (60% being breached in the past year), large businesses (61%) and high-income charities (52%).
So why is this bad?
The fact that fewer organisations are being targeted by attacks is a major plus. The report says this may be because businesses and charities are going to greater lengths to become cyber secure. For example, it found that:
More businesses (57% vs 51% in 2018) and charities (43% vs 27%) update senior management on their cyber security actions at least once a quarter;
Cyber security policies are becoming more common in businesses (33% vs 27%) and charities (36% vs 21%);
Businesses (56% vs 51%) and charities (41% vs 29%) are more likely to have implemented controls in all five technical areas of the government’s Cyber Essentials scheme;
Staff awareness training is becoming more common in businesses (27% vs 20%) and charities (29% vs 15%);
Charities are getting better (60% vs 46%) at implementing measures such as health checks, audits and risk assessments; and
More medium-sized (31% vs 19%) and large businesses (35% vs 24%) have invested in cyber insurance.
However, the report suggests that it’s not as clear-cut as that, and that the seemingly positive conclusions might be hiding serious failures.
The effects of the GDPR
The report found that 30% of businesses and 36% of charities surveyed have made changes to their cyber security practices as a result of the GDPR. This is an incredibly low figure, given that the Regulation is mandatory and has been in effect for a year.
Even among those that have addressed the GDPR, very few have done so comprehensively. For example:
60% of businesses and charities have created new policies;
15% of businesses and 17% of charities have had extra staff training and communications;
11% of businesses and 4% of charities changed firewall or system configurations; and
6% of businesses and 10% of charities have created new business continuity or disaster recovery plans.
This suggests that, although the GDPR has benefited the small proportion that have implemented its requirements (at least partially), the majority of organisations have done little if anything to improve their cyber security practices.
This is probably a major reason that cyber attacks are becoming focused on a select group of organisations. Those that have implemented the GDPR’s requirements have protected themselves from most attacks, forcing cyber criminals to seek out more vulnerable targets.
The trend might also be explained by a change in the way organisations interpreted the survey’s questions. The government suggests that some organisations fear the repercussions of GDPR violations and might not admit to suffering cyber security breaches.
If this is true, those organisations are only making life harder for themselves. The GDPR was designed to improve transparency and make organisations take responsibility for cyber security.
Organisations that own up to data breaches (provided they weren’t caused by major security failures) have little to fear. Regulators and the public are becoming a lot more forgiving, and incidents occur with such regularity that they are practically inevitable.
However, that leniency is based on the assumption that organisations will be honest when it comes to their security measures. You can try to hide your security failures, but regulators will almost certainly discover them and levy severe fines.
Demonstrate your GDPR compliance with our documentation toolkit
One of the most important steps you can take to become transparent and accountable for your data protection practices is to document them.
The Regulation specifies that organisations must be able to demonstrate that they have adopted the necessary technical and organisational security measures, which means keeping a list of everything you’ve done, justifying why it’s been done and how often you’ve reviewed your measures.
This is a big task, but you can simplify it with our GDPR Documentation Toolkit. It contains more than 80 indispensable policies, procedures, forms, schedules and guidance documents written by our expert practitioners, which you can use to prove that you have met the GDPR’s requirements.
Few would dispute the idea that an effective cybersecurity profile requires candid assessments of potential vulnerabilities. Here’s a closer look at the challenges facing the federal cybersecurity mission and the efforts of state-level agencies.
Federal
Though the federal government demonstrates an ongoing commitment to ramping up its cybersecurity mission with annual spending in the tens […]
One in three UK companies fell victim to cyber attacks in 2018, with the majority of the damage occurring in small businesses, according to a report by Beaming.
The study found that cyber crime cost UK organisations £17.8 billion last year, of which £13.6 billion came from small businesses.
The average cost of a cyber attack for small businesses was £65,000 per victim. This accounts for damaged assets, financial penalties and business downtime.
Small businesses are becoming more vulnerable
Large organisations have always been the most likely target of cyber attacks. That remains true, according to Beaming’s study, with 70% of large organisations falling victim to an attack in 2018, compared to 63% of small organisations. However, in 2017 only 47% of small organisations were attacked, meaning the gap is narrowing.
That, along with the fact that small organisations make up the majority of UK businesses, explains why they contributed so much towards the cost of cyber crime last year. After all, multiple small breaches are more expensive to handle than one incident affecting the same number of people because standard processes – like detection and breach notification – are largely the same regardless of the scale of the incident.
Sonia Blizzard, managing director of Beaming, said: “Our research shows that cyber criminals don’t care how big your business is, everyone is a potential victim and the cost of an attack can be devastating. Larger businesses fall victim at the greatest rate because they have more people and more potential sources of vulnerability.
“However, they also tend to have multiple layers of protection in place to limit the spread of an attack and are able to recover more quickly after one.
“Small businesses are trusting more data to the cloud and accessing it from lots of locations. This provides greater flexibility and efficiencies, but also adds to the importance of ensuring data is held and transported securely.
“A specialist ISP can help here by managing a network with the security of business traffic in mind, assisting with the implementation of additional security measures such as managed firewalls and providing advice to clients to enhance the protection on offer. When choosing cloud products, businesses should ensure they have the right connectivity to go with it.”
Other common passwords include people’s names (‘ashley’, ‘michael’, ‘daniel’, ‘jessica’ and ‘charlie’ were the most used), football teams and, bizarrely, the pop punk act ‘blink-182’.
But rather than simply castigate the British public for their ineptitude when selecting login credentials, the NCSC provides some much-needed advice on how we can better secure our accounts.
How to make your passwords stronger
When creating passwords, many experts advise using a combination of letters, numbers and special characters (which might explain the interest in Blink-182). However, the NCSC suggests that we might be better off with a combination of three random words.
The reason for this is simple. Despite the requirement for a mix of characters, most systems only require that passwords be six characters long. This might seem to be more than enough – a combination of 26 letters, 10 numerals and 33 special characters gives you 107 billion possible permutations – but reality rarely plays out this way.
For example, the number ‘1’ appears far more often than any other digit, and the special character (for there is typically only one) is almost always ‘-’. Most of us have therefore given crooks a decent shot at two characters in our password – and they’ll typically be the last two characters.
If you try to outsmart crooks by gorging yourself on special characters, using passwords like ‘a3g^%s’, you’ve only made life harder for yourself. The password is almost impossible to memorise, and criminal hackers are aware of common substitutions, factoring them in when trying to access accounts.
However, as the NCSC advises, you can make your password much stronger simply by making it longer. Each additional letter you use makes your password 26 times harder to crack, meaning a ten-character password that uses letters alone has 141 trillion combinations.
To put it another way, How Secure Is My Password? predicts that the seemingly complex phrase ‘a3g^%s’ could be cracked in 400 milliseconds, whereas a ten-letter combination of three words, like ‘hardtocrack’, would take about a day.
That’s a decent result, but with the number of crooks in the wild churning through passwords, you can do better. Make your password a little longer, like ‘typingmypassword’, and you have a phrase that could take 35,000 years to crack – and that’s with the concession of making your password a literal description of itself.
Anyone capable of conjuring up three genuinely random words could create a password that would take trillions of years to crack without having to compromise on memorability.
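The arithmetic behind the advice above, as an added example that is not part of the original article: it works out the search space an attacker has to cover for each password style, using the character-class counts the article quotes (26 letters, 10 digits, 33 special characters). The guess rate fed to the time estimate is an assumption, as is the 7,776-word list size used for the three-random-words case, so only the ordering and the ratios between entries carry meaning, not the absolute times.

```python
"""Added example (not from the article): search-space estimates for
different password styles. Class sizes follow the article; the guess rate
and the word-list size are assumptions."""
import math
import string

LOWER, UPPER, DIGIT, SPECIAL = 26, 26, 10, 33   # class sizes quoted in the article


def charset_size(password: str) -> int:
    """Alphabet size an attacker must assume, given the classes present."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += LOWER
    if any(c in string.ascii_uppercase for c in password):
        size += UPPER
    if any(c in string.digits for c in password):
        size += DIGIT
    if any(c in string.punctuation for c in password):
        size += SPECIAL
    return size


def search_space(alphabet_size: int, length: int) -> int:
    """Number of candidate strings of the given length over the alphabet."""
    return alphabet_size ** length


def password_space(password: str) -> int:
    """Worst-case candidates for a password built character by character."""
    return search_space(charset_size(password), len(password))


def word_space(words: int, dictionary_size: int) -> int:
    """Candidates for N words picked at random from a list of the given size.
    An attacker who knows the method only needs to try word combinations,
    so this, not the letter count, is the honest figure for the method."""
    return dictionary_size ** words


def entropy_bits(space: int) -> float:
    """Search space expressed as bits, the usual way to compare methods."""
    return math.log2(space)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guess rate."""
    return space / guesses_per_second


def compare(passwords, guesses_per_second: float = 1e10):
    """Rank passwords by search space. The rate is an assumption (offline
    hash cracking is far faster than online guessing), so read the ratios."""
    rows = []
    for pw in passwords:
        space = password_space(pw)
        rows.append((pw, len(pw), charset_size(pw),
                     round(entropy_bits(space), 1),
                     seconds_to_exhaust(space, guesses_per_second)))
    return sorted(rows, key=lambda r: r[4])


if __name__ == "__main__":
    for pw, n, k, bits, secs in compare(["a3g^%s", "hardtocrack", "typingmypassword"]):
        print(f"{pw:18} len={n:2} alphabet={k:2} bits={bits:5} worst case {secs / 86400:.1e} days")
    # Three random words from a 7776-word list (an assumed, Diceware-sized list).
    print(f"three random words: {entropy_bits(word_space(3, 7776)):.1f} bits")
```

The 69-character, six-position figure reproduces the article's 107 billion, and 26 letters over ten positions reproduces its 141 trillion; the three-word result shows that the method's strength comes from the size of the word list, which is why the words have to be genuinely random rather than a predictable phrase.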
A version of this blog was originally published on 25 June 2018.
Anyone interested in getting into or advancing their career in cyber security probably knows that they will need training and qualifications. But given that the field is so broad, how are you supposed to decide which course is right for you?
A lead implementer takes charge of an organisation’s ISO 27001 compliance project. They are responsible for the big decisions, such as setting out the ISMS’s scope, and for ensuring the Standard’s requirements have been addressed.
What you learn: The nine key steps involved in planning, implementing and maintaining an ISO 27001-compliant ISMS.
Who it’s for: This course should be attended by the person responsible for ISO 27001 compliance (typically the CISO) and the person leading the project (this might be the same person). You’ll need a solid understanding of ISO 27001’s risk assessment process, and should have already taken a foundation-level ISO 27001 course.
A lead auditor can work internally or audit a second or third party’s ISMS. Their expertise is usually required when the organisation is seeking ISO 27001 certification, or if a partner organisation requests a supply chain audit.
What you learn: The first half of the course teaches you about auditing in general, and the second half covers best-practice advice for how to audit an ISMS.
Who it’s for: Anyone who wants the responsibility for implementing and maintaining their organisation’s ISMS. It’s also suitable for those who want to work for a specific auditing organisation, such as KPMG.
An internal auditor assesses the effectiveness of the organisation’s ISMS (information security management system) and whether it meets the requirements of ISO 27001, reporting their findings to senior management.
What you learn: The course begins with an introduction to ISO 27001 and how auditing fits into the compliance process, before explaining how to plan for and execute an internal audit.
Who it’s for: It’s ideal for compliance managers, but it’s obviously suitable for anyone interested in conducting internal audits. You should have a decent understanding of ISO 27001, but your main strengths should be in policy reviews.
Length: Two days
What are the differences between these courses?
Even though each of these courses covers similar areas, they are geared towards specific job roles. Take the internal and lead auditor courses as an example.
An internal auditor could be an employee within the organisation (hence ‘internal’), but they ideally wouldn’t have played a major role in the ISMS’s implementation. Otherwise they are being asked to find faults in their own work, which they might be reluctant to do.
Meanwhile, a lead auditor will have the specialist knowledge required to conduct second- or third-party audits. Although the tasks involved in these two roles are similar, the day-to-day work is very different. Whereas an internal auditor only has to be familiar with their organisation’s ISMS, a lead auditor that works for an auditing company deals with many organisations and interacts with even more people.
Then we come to the lead implementer course, which teaches you how to fulfil a completely different job role. Lead implementers are the heart of the team that puts the ISMS together. As with auditors, they need a strong understanding of ISO 27001’s compliance requirements, but their job focuses on how to meet those requirements, as opposed to reviewing whether they have been implemented correctly.
Of course, consultants will need to be implementation and auditing experts. They should therefore consider our ISO27001 Lead Implementer and Lead Auditor Combination Course, which covers everything you’d learn on each course separately. You’ll move straight from one topic to the other, helping you solidify your knowledge and understand how the two roles interact.
Interested in other ISO 27001 training courses?
These courses are just the beginning when it comes to ISO 27001 training, so if you’re not sure which course is right for you, why not take a look at IT Governance’s full range of training options?
With a variety of courses available in classroom, Live Online and distance learning format, we have you covered, whether you’re an information security beginner or looking for the right qualification to boost your career.
Several experts believe the UK’s astounding resilience to ransomware is a direct result of 2017’s WannaCry attack. The ransomware tore through organisations across the globe but struck most acutely in the UK – at the NHS in particular.
The attack did little to demonstrate the financial appeal of ransomware for crooks. The incident became so high profile that most organisations learned that it wasn’t worth paying the ransom, and those behind the attack struggled to recoup the money that was paid into their Bitcoin account.
Likewise, the attack didn’t provide an accurate reflection of how incidents normally play out. The malware is usually most successful when it stays under the radar and catches out organisations that lack backup protocols, thereby seemingly forcing them to comply with the blackmailer’s request.
However, WannaCry taught the UK two huge lessons – that ransomware is dangerous and that organisations need to plan for it.
The attack prompted the UK government, along with the National Cyber Security Centre and UK-based businesses, to confront ransomware head on.
“Most of the vendors in the UK and their customers put solutions in place to protect against multiple family variants of ransomware,” said Conner.
There are two key steps to protecting your organisation from ransomware. First, you should regularly back up your important files. This enables you to delete infected files and restore them from backups.
The process will take a long time – often more than 24 hours – but the loss in productivity will almost certainly be less costly than paying a ransom. Plus, you need to factor in issues other than simply the cost of returning to business. There’s the possibility that crooks won’t keep their word once you’ve paid up. Equally, there’s the risk that complying with their demands has made you a target for future attacks.
It’s therefore always advisable to restore from backups where possible rather than paying a ransom.
Of course, it’s even better if you don’t get infected at all, and the best way to do that is to boost staff awareness of ransomware. That brings us to the second key step to protecting your organisation.
Most ransomware (and malware generally) is delivered via phishing scams. Cyber criminals plant the malicious code in an attachment and trick employees into downloading it. If you can train your staff to spot a malicious email and report it, you can dramatically reduce the risk of becoming infected.
This ten-minute course introduces employees to the threat of phishing and ransomware, and describes the link between the two. Armed with this knowledge, your staff will be able to detect suspicious emails and know how to respond.
Thirty years ago, Tim Berners-Lee set out to accomplish an ambitious idea – the World Wide Web. While most of us take this invention for granted, we have the internet to thank for the technological advances that make up today’s smart home. From smart plugs to voice assistants – these connected devices have changed the modern consumer digital lifestyle dramatically. In 2019, the Internet of Things dominates the technological realm we have grown accustomed to – which makes us wonder, where do we go from here? Below, we take a closer look at where IoT began and where it is headed.
A Connected Evolution
Our connected world started to blossom with our first form of digital communication in the late 1800s – Morse code. From there, technological advancements like the telephone, radio, and satellites made the world a smaller place. By the time the 1970s came about, email became possible through the creation of the internet. Soon enough the internet spread like wildfire, and in the 1990s we got the invention of the World Wide Web, which revolutionized the way people lived around the world. Little did Berners-Lee know that his invention would be used decades, probably even centuries, later to enable the devices that contribute to our connected lives.
Just ten years ago, there were fewer than one billion IoT devices in use around the world. That number is projected to skyrocket to over eight billion over the course of 2019. In fact, it is predicted that by 2025, there will be almost twenty-two billion IoT devices in use throughout the world. Locks, doorbells, thermostats and other everyday items are becoming “smart,” while security for these devices is lacking quite significantly. With these devices creating more access points throughout our smart homes, it is comparable to leaving a backdoor unlocked for intruders. Without proper security in place, these devices, and by extension our smart homes, are vulnerable to cyberattacks.
Moving Forward with Security Top of Mind
If we’ve learned one thing from this technological evolution, it’s that we aren’t moving backward anytime soon. Society will continue to push the boundaries of what is possible – like taking the first picture of a black hole. However, in conjunction with these advancements, to steer in the right direction, we have to prioritize security, as well as ease of use. For these reasons, it’s vital to have a security partner that you can trust, that will continue to grow to not only fit evolving needs, but evolving technologies, too. At McAfee, we make IoT device security a priority. We believe that when security is built in from the start, user data is more secure. Therefore, we call on manufacturers, users, and organizations to all equally do their part to safeguard connected devices and protect precious data. From there, we can all enjoy these technological advancements in a secure and stress-free way.
Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.
The hospitality sector has been clamouring for technological innovation recently, with organisations eager to find novel ways to improve the customer experience.
You might have heard about Connie, a Watson-enabled robot concierge that’s been introduced at the Hilton in McLean, Virginia. But that’s just one example of cutting-edge technology sweeping the hotel industry, with many organisations leveraging IoT (Internet of Things) and other ‘smart’ tech to give customers a taste of the future.
However, there’s a growing perception that all this gadgetry is a distraction from the fundamentals of the hotel business: ensuring that guests’ privacy is intact and their information is secure.
It therefore makes sense that organisations plough whatever resources they have into addressing these concerns. This is particularly true for the hotel industry, which is one of the worst-affected by cyber crime and data breaches.
Crooks target hotels because they store large volumes of data, including names, addresses and payment information, and process the majority of transactions through POS (point-of-sale) machines, which are susceptible to malware.
Meanwhile, researchers at Symantec recently found that two out of every three hotel websites inadvertently leak guest information to third parties, giving unauthorised personnel the power to view, change or cancel bookings.
The study, which polled 1,500 hotels in 54 countries, also discovered that 67% of the hotels’ websites leaked booking reference codes and other information to advertising networks and analytics companies.
Additionally, some hotels leaked passport numbers and financial details, including the last four digits of payment cards, card types and expiration dates.
Symantec also reported several other alarming security lapses. For example, 29% of hotels didn’t encrypt initial links containing booking IDs and references to customers, which could enable crooks to eavesdrop and steal these details.
The researchers concluded that many of the hotels “have been slow to acknowledge, much less address” this risk, with 25% of the hotels’ privacy officers failing to respond to Symantec’s findings within six weeks.
Balancing security and experience
If you asked guests whether they’d rather hotels protected their personal information or gave them smart tech, we doubt there’d be much of a debate. But that’s a moot point, because there’s no reason why hotels can’t provide both. They just need to find the right balance.
Part of the issue relates to budget. Security technology is, in most cases, cheaper and simpler to implement than cutting-edge technology. ISO 27001, the international standard for information security management, and guidance related to the GDPR (General Data Protection Regulation), give straightforward instructions on how to achieve effective security.
Smart technology, by contrast, is defined by its lack of guidelines. Its appeal is in its originality, so those wanting to implement new ideas need to invest in the concept and ride out the teething problems. Once the technology is suitably affordable, it can be widely adopted – but with a severe dip in the novelty factor (and, by extension, the competitive advantage it offers).
It’s therefore not a case of what can organisations afford but what’s going to give them the best return on investment. Despite the increased attention that the public pays to information security, it’s usually impossible to know whether an organisation has lax security until it suffers a breach.
That’s hardly an effective security strategy, because customers aren’t going to turn a blind eye to a data breach just because your organisation has an Internet-enabled mini-fridge. Unfortunately, it’s a lesson that hotels are only learning after the fact.
Regardless, hotels will be equally affected if they don’t invest in innovation. A high-end hotel needs to keep up with the vanguard, and that’s becoming an increasingly uphill battle.
But this only calcifies the argument that innovation and security are not in opposition. Rather, hotels need to realise that both smart tech and cyber attacks are inevitable in the future, so their tech needs to be more secure than their competitors’.
Many hotels will rightfully argue that there are security benefits to high-end technology. Let’s go back to robot receptionists, which not only give guests a unique check-in experience but also mitigate the risk of data breaches caused by human error.
By taking the human out of the equation, hotels avoid the risk that a member of staff will provide a guest with incorrect information or enter personal data into the wrong fields. Likewise, it removes the possibility for insider misuse; guests enter their personal and payment details directly into the hotel’s systems, bypassing the possibility of a receptionist misappropriating the information.
On the face of it, there are no downsides. Automating the reception desk enables the hotel to speed up transactions, cut costs and improve its security.
In a development that shouldn’t surprise anyone (particularly fans of Michael Crichton), things quickly went wrong.
The 243 robots were tasked with managing every aspect of guests’ experience, including check-in, luggage carrying, concierge and in-room assistance, but visitors soon began complaining and the robots were quickly terminated.
Yoshihisa Ishikawa, for example, told the Wall Street Journal that he was repeatedly awoken in the middle of the night by the in-room assistance as his snoring triggered the robot to ask, “Sorry, I couldn’t catch that. Could you repeat your request?”
The hard-of-hearing robot incident isn’t just a case of technology disrupting guests; it’s a privacy breach. The only thing that makes the public trust that personal assistance devices, like Alexa and Siri, aren’t constantly spying on us is the belief that the devices only activate when their owner utters a specific phrase.
If a machine can mistake the sound of snoring for an activation phrase, who’s to say that the technology isn’t always listening in on our conversations?
It’s one thing to have a personal device listening to you at home, but there’s something altogether more sinister about a hotel spying on its guests. Even perfectly well-intentioned consequences, like the windows opening when you mention to a fellow guest that you’re hot, seem unsettling, and that’s before you get on to the ways the tech could be used to make money from you.
It might not have been a Westworld-style nightmare, but the Weird Hotel’s pursuit of novelty created a worrying situation that other hotels need to acknowledge. Innovation cannot be the goal itself; rather, you must consider what the technology achieves and its potential unintended consequences.
But why strive for robots at all? The technology has limited capabilities, with many guests reporting communication issues, and there are plenty of other innovations that are affordable, implementable, and give guests something they actually want.
Which technologies can help?
According to a Hospitality Tech survey, the industry’s top two challenges are a lack of IT budget and outdated technology architecture. These are core principles of security, and must be addressed if any guest-facing technology is going to be effective and secure.
The technology could be used alongside or instead of key cards when accessing your room, and it could be linked to a variety of services across the hotel. With a swipe of your finger, you could add a meal to your tab or enter the VIP lounge.
For your organisation to get the most out of biometrics, or any tech, you need to ensure that it’s integrated with the rest of your systems. You cannot think of technology as a replacement for people; rather, the two support each other alongside processes as the three core aspects of information security.
A version of this blog was originally published on 9 November 2017.
Documentation is a crucial part of any ISO 27001 implementation project, and one of the most important documents you need to complete is the SoA (Statement of Applicability).
In this blog, we explain what an SoA is, why it’s important and how to produce one.
What is a Statement of Applicability?
An SoA summarises your organisation’s position on each of the 114 information security controls outlined in Annex A of ISO 27001.
Clause 6.1.3 of the Standard states an SoA must:
Identify which controls an organisation has selected to tackle identified risks;
Explain why these have been selected;
State whether or not the organisation has implemented the controls; and
Explain why any controls have been omitted.
Every control should have its own entry, and in cases where the control has been selected, the SoA should link to relevant documentation about its implementation.
Which controls do you need to implement?
Organisations are only required to implement controls that are appropriate to the risks they face. They should determine which controls apply to them by conducting an ISO 27001 gap analysis and risk assessment. These processes help organisations identify the risks they face, which they can match to the relevant control.
Annex A provides a useful outline of each control, but you’ll probably need something more in-depth when it comes to the implementation process. That’s where ISO 27002 comes in. It’s a supplementary standard in the ISO 27000 series, providing a detailed overview of information security controls.
ISO 27002 provides detailed information on each control, explaining how each one works and providing advice on how to implement it.
The SoA is a useful document for everyday operational use, because it provides comprehensive coverage of your organisation’s information security measures.
You can refer to it to understand how and why your organisation is tackling certain risks and accepting others.
This is especially important when ensuring continual improvement within your organisation. You can assess whether the controls you’ve implemented are working as intended and assess whether other controls might be more suitable.
Likewise, you can review why you chose to accept risks and determine whether the threat landscape has increased significantly enough to warrant a change.
An SoA also has significant regulatory consequences. If you are investigated for a data breach, you can use your SoA to justify your information security controls and prove that your defences were implemented in line with an ISO 27001-compliant risk assessment.
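A minimal model of the SoA described above, as an added example that is not part of the original article or any IT Governance product: each Annex A control gets one entry, and a check confirms the four things Clause 6.1.3 requires (which controls were selected, why, whether they are implemented, and why the rest were omitted). The control IDs follow Annex A of ISO 27001:2013; the entries, document paths and risk IDs are a constructed sample, not a full 114-control SoA.

```python
"""Added example (not from the article): a small Statement of Applicability
model with a Clause 6.1.3 completeness check. Sample entries are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SoAEntry:
    control_id: str
    title: str
    selected: bool                        # chosen to treat an identified risk?
    justification: str                    # why selected, or why omitted
    implemented: Optional[bool] = None    # must be stated when selected
    evidence: str = ""                    # link to implementation documentation
    risk_ids: list = field(default_factory=list)  # risks the control treats


# Constructed subset of Annex A; a real SoA covers all 114 controls.
ANNEX_A_SUBSET = ["A.5.1.1", "A.9.2.1", "A.10.1.1", "A.12.3.1"]

SAMPLE_SOA = [
    SoAEntry("A.5.1.1", "Policies for information security", True,
             "Required to give the ISMS a mandated policy base", True,
             "docs/policy/infosec-policy.md", ["R-01"]),
    SoAEntry("A.9.2.1", "User registration and de-registration", True,
             "Treats the risk of orphaned accounts after leavers", False,
             "", ["R-04"]),
    SoAEntry("A.10.1.1", "Policy on the use of cryptographic controls", True,
             "Treats the risk of client data exposure in transit", True,
             "docs/policy/crypto-policy.md", ["R-02", "R-07"]),
    SoAEntry("A.12.3.1", "Information backup", False,
             "Backups are provided and audited under the hosting provider's own "
             "ISO 27001 certificate; residual risk accepted by the board"),
]


def validate_soa(entries, annex_a_ids):
    """Return human-readable problems. An empty list means every Annex A
    control has an entry and each entry records what Clause 6.1.3 requires."""
    problems = []
    by_id = {e.control_id: e for e in entries}
    for cid in annex_a_ids:
        if cid not in by_id:
            problems.append(f"{cid}: no SoA entry (every control needs one)")
    for e in entries:
        if not e.justification.strip():
            verb = "selecting" if e.selected else "omitting"
            problems.append(f"{e.control_id}: no justification for {verb} it")
        if e.selected:
            if e.implemented is None:
                problems.append(f"{e.control_id}: implementation status not stated")
            if not e.risk_ids:
                problems.append(f"{e.control_id}: selected but linked to no risk")
            if e.implemented and not e.evidence:
                problems.append(f"{e.control_id}: implemented but no documentation linked")
    return problems


def summary(entries):
    """The counts an auditor usually asks for first."""
    selected = [e for e in entries if e.selected]
    return {"controls": len(entries), "selected": len(selected),
            "implemented": sum(1 for e in selected if e.implemented),
            "omitted": len(entries) - len(selected)}


if __name__ == "__main__":
    print(summary(SAMPLE_SOA))
    print(validate_soa(SAMPLE_SOA, ANNEX_A_SUBSET) or "SoA complete")
```

Linking each selected control to the risk IDs from the risk assessment is what lets you later answer "why is this control here?" without re-running the assessment, and it gives an auditor the trail from risk to control to evidence that the article says the SoA should provide.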
How to save time writing your Statement of Applicability
Information security management remains a serious issue for the legal sector, with law firms reporting an increase in targeted attacks in 2018. Large volumes of client funds and confidential information are irresistible to cyber criminals, so it is unsurprising that 60% of law firms reported that they had suffered a security incident during the year (PwC Law Firms’ Survey 2018).
Leading law firms are tackling cyber threats head-on with ISO 27001, the international standard for information security. By implementing a best-practice ISMS (information security management system) and certifying to ISO 27001, management teams can safeguard their firm. With cyber attacks on the rise, data protection should be a high priority for all law firms.
ISO 27001 certification is increasingly demanded of law firms when tendering for major projects. Achieving accredited certification to ISO 27001 will put your firm in the running for these tenders and demonstrates that you are committed to protecting your clients’ confidential data.
What is ISO 27001?
ISO 27001 is one of the most popular information security standards in the world, with certifications growing by more than 450% in the past ten years. It sets out the requirements for an ISMS, which is a systematic approach to information security focusing on people, processes and technology that helps you protect and manage all your organisation’s information through effective risk management.
Be proactive with your firm’s information security
PwC’s 2018 survey found that 46% of law firms had a security incident related to their own staff where the firm had suffered a loss or leak of confidential information. When asked about IT disaster recovery, only 27% of respondents were very confident that their testing had completely demonstrated that their firm’s end-to-end operable services could be recovered in accordance with business recovery requirements. The survey results indicated that, in the event of a serious incident, some law firms might not be prepared to respond appropriately.
Since the GDPR (General Data Protection Regulation) came into force in May 2018, all organisations are legally required to report certain types of personal data breach to the ICO (Information Commissioner’s Office) within 72 hours of becoming aware of the breach. This makes it essential for law firms to ensure that they can promptly identify and understand the nature and scale of any breaches.
Since employees can jeopardise your firm’s security with a single moment of carelessness, it is clear that addressing information security risks is about far more than simply implementing processes and installing anti-malware and antivirus software. A more proactive approach to information security is needed, and this should include ensuring that all members of the firm are adequately trained.
How will my firm benefit from ISO 27001?
ISO 27001 can help your firm protect the confidentiality, integrity and availability of your firm’s information assets, as well as those of your clients.
It helps you meet your legal and regulatory data protection obligations while improving your firm’s cyber security posture and productivity.
Your firm can achieve independently audited certification to the Standard when you implement an ISO 27001-compliant ISMS, demonstrating your firm’s information security credentials to clients, stakeholders and regulators.
Following certification to the Standard, you can specify that your key suppliers also achieve certification, ensuring that these third parties also maintain suitable levels of security. This supports GDPR compliance.
Your firm will be in good company: approximately 40,000 organisations around the world – including numerous law firms – are already certified to ISO 27001.
Get your firm on track with ISO 27001
We are pleased to have worked with many law firms to implement ISO 27001, ranging from the Magic Circle to medium-sized and smaller firms, so we are well-placed to assist you.
Fast-track your ISO 27001 project, cut your costs and save time with our implementation bundles, designed to suit firms of any size.
As I reflect upon my almost 40 years as a cyber security professional, I think of the many instances where the basic tenets of cyber security—those we think have common understanding—require a lot of additional explanation. For example, what is a vulnerability assessment? If five cyber professionals are sitting around a table discussing this question, you will end up with seven or eight answers. One will say that a vulnerability assessment is vulnerability scanning only. Another will say an assessment is much bigger than scanning, and addresses ethical hacking and internal security testing. Another will say that it is a passive review of policies and controls. All are correct in some form, but the answer really depends on the requirements or criteria you are trying to achieve. And it also depends on the skills and experience of the risk owner, auditor, or assessor. Is your head spinning yet? I know mine is! Hence the “three parts art.”
There is quite a bit of subjectivity in the cyber security business. One auditor will look at evidence and agree you are in compliance; another will say you are not. If you are going to protect sensitive information, do you encrypt it, obfuscate it, or segment it off and place it behind very tight identification and access controls before allowing users to access the data? Yes. As we advise our client base, it is essential that we have all the context necessary to make good risk-based decisions and recommendations.
Let’s talk about Connection’s artistic methodology. We start with a canvas that has the core components of cyber security: protection, detection, and reaction. By addressing each of these three pillars in a comprehensive way, we ensure that the full conversation around how people, process, and technology all work together to provide a comprehensive risk strategy is achieved.
People: Users understand threat and risk, and know what role they play in the protection strategy. For example, if you see something, say something. Don’t let someone surf in behind you through a badge check entry. And don’t think about trying to shut off your end-point anti-virus or firewall.
Policies are established, documented, and socialized. For example, personal laptops should never be connected to the corporate network. Also, don’t send sensitive information to your personal email account so you can work from home.
Some examples of the barriers used to deter attackers and breaches are edge security with firewalls, intrusion detection and prevention, sandboxing, and advanced
The mean time to identify an active incident in a network is 197 days. The mean time to contain an incident is 69 days. Incident response teams need to be identified and trained, and all employees need to be trained on the concept of “if you see something, say something.”
Detection is a proactive process. What happens when an alert occurs? Who sees it? What is the documented process for taking action?
What is in place to ensure you are detecting malicious activity? Is it configured to ignore noise and only alert you of a real event? Will it help you bring that 197-day mean time to detection way down?
What happens when an event occurs? Who responds? How do you recover? Does everyone understand their role? Do you war-game to ensure you are prepared WHEN an incident occurs?
What is the documented process to reduce the Kill Chain—the mean time to detect
and contain—from 69 days to 69 minutes? Do you have a Business Continuity and
Disaster Recovery Plan to ensure the ability to react to a natural disaster,
significant cyber breach such as ransomware, DDoS, or—dare I say it—a pandemic?
What cyber security consoles have been deployed that allow quick access to patch a system, change a firewall rule, a switch ACL, or a policy setting at an endpoint, or track a security incident through the triage process?
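The detection and reaction questions above come down to two things a security operations team can actually measure and tune: how long incidents go unnoticed and uncontained, and how much of what the tooling emits deserves a human’s attention. The following Python is an added example, not code from Connection’s article; the incident register, the alert stream, the suppressed rule name and the escalation roles are all constructed for illustration.

```python
# Added example (not from Connection's article). Computes mean time to detect
# and mean time to contain from an incident register, then filters a raw alert
# stream down to what an analyst should see. All data below is constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass(frozen=True)
class Incident:
    name: str
    compromised: datetime  # first malicious activity (often established only in hindsight)
    detected: datetime     # first time a tool or person flagged it
    contained: datetime    # attacker activity stopped from spreading


SECONDS_PER_DAY = 86400


def mean_time_to_detect(incidents):
    """Mean days from compromise to detection (the industry-wide 197-day figure)."""
    return mean((i.detected - i.compromised).total_seconds() for i in incidents) / SECONDS_PER_DAY


def mean_time_to_contain(incidents):
    """Mean days from detection to containment (the 69-day figure)."""
    return mean((i.contained - i.detected).total_seconds() for i in incidents) / SECONDS_PER_DAY


# Constructed incident register for three hypothetical incidents.
INCIDENTS = [
    Incident("phish-01", datetime(2019, 1, 1), datetime(2019, 1, 11), datetime(2019, 1, 13)),
    Incident("webshell-02", datetime(2019, 2, 1), datetime(2019, 3, 3), datetime(2019, 3, 5)),
    Incident("ransom-03", datetime(2019, 4, 1), datetime(2019, 4, 1, 12), datetime(2019, 4, 2)),
]


@dataclass(frozen=True)
class Alert:
    ts: datetime
    rule: str
    host: str
    severity: str  # "low", "medium" or "high"


SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

# Rule names are constructed. A rule goes here only after review shows it
# fires on benign activity in this environment; the suppression list itself
# should be documented and revisited, not grown silently.
SUPPRESSED_RULES = {"dns-query-high-volume"}


def triage_alerts(alerts, dedupe_window=timedelta(minutes=30), min_severity="medium"):
    """Return the alerts a human should look at, oldest first.

    Drops suppressed rules, drops anything below min_severity, and collapses
    repeats of the same rule on the same host that arrive within dedupe_window
    of the last alert that was kept.
    """
    last_kept = {}
    actionable = []
    for alert in sorted(alerts, key=lambda a: a.ts):
        if alert.rule in SUPPRESSED_RULES:
            continue
        if SEVERITY_RANK[alert.severity] < SEVERITY_RANK[min_severity]:
            continue
        key = (alert.rule, alert.host)
        if key in last_kept and alert.ts - last_kept[key] < dedupe_window:
            continue
        last_kept[key] = alert.ts
        actionable.append(alert)
    return actionable


def route(alert):
    """Who sees it: the documented escalation path, keyed on severity (constructed roles)."""
    return {"high": "incident-response-oncall", "medium": "soc-tier1"}.get(alert.severity, "log-only")


# Constructed alert stream, deliberately out of order and with noise.
ALERTS = [
    Alert(datetime(2019, 5, 1, 9, 0), "dns-query-high-volume", "ws-17", "low"),
    Alert(datetime(2019, 5, 1, 9, 2), "new-admin-account", "dc-01", "high"),
    Alert(datetime(2019, 5, 1, 9, 5), "new-admin-account", "dc-01", "high"),   # repeat, 3 min later
    Alert(datetime(2019, 5, 1, 9, 7), "failed-logon-burst", "ws-23", "low"),
    Alert(datetime(2019, 5, 1, 10, 0), "lateral-smb-admin-share", "ws-23", "medium"),
    Alert(datetime(2019, 5, 1, 9, 50), "new-admin-account", "dc-01", "high"),  # 48 min later, new event
]

if __name__ == "__main__":
    print(f"MTTD: {mean_time_to_detect(INCIDENTS):.1f} days, MTTC: {mean_time_to_contain(INCIDENTS):.1f} days")
    for a in triage_alerts(ALERTS):
        print(a.ts.time(), a.rule, a.host, "->", route(a))
```

Two design points worth noting. The deduplication window is measured from the last alert that was kept, not the last one seen, so a rule that keeps firing every few minutes still resurfaces once per window instead of being silenced forever. And alerts that fall below the severity floor are dropped from the analyst queue only; they should still be retained in the log store, because a burst of low-severity failed logons is exactly the context an analyst wants when the high-severity "new admin account" alert on the same network lands.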
All of these things are important to create a comprehensive
InfoSec Program. The science is the technology that will help you build a
layered, in-depth defense approach. The art is how to assess the threat, define
and document the risk, and create a strategy that allows you to manage your
cyber risk as it applies to your environment, users, systems, applications,
data, customers, supply chain, third party support partners, and business
More Art: Are You a Risk Avoider or Risk Transference Expert?
A better way to state that is, “Do you avoid all risk
responsibility or do you give your risk responsibility to someone else?” Hint:
I don’t believe in risk avoidance or risk transference.
Yes, there is an art to risk management. There is also
science if you use, for example, The Carnegie Mellon risk tools. But a good
risk owner and manager documents risk, prioritizes it by risk criticality,
turns it into a risk register or roadmap plan, remediates what is necessary,
and accepts what is reasonable from a business and cyber security perspective.
Oh, by the way, those same five cyber security professionals we talked about earlier? They have 17 definitions of risk.
As we wrap up this conversation, let’s talk about the importance of selecting a risk framework. It’s kind of like going to a baseball game and recognizing that the program helps you know the players and the stats. What framework will you pick? Do you paint in watercolors or oils? Are you a National Institute of Standards and Technology (NIST) artist, an International Standards Organization (ISO) artist, or have you developed your own framework like the Nardone puzzle chart? I developed this several years ago when I was the CTO/CSO of the Commonwealth of Massachusetts. It has been artistically enhanced over the years to incorporate more security components, but it is loosely based on the NIST 800-53 and ISO 27001 standards.
When it comes to selecting a security framework as a CISO, I lean towards the NIST Cyber Security Framework (CSF) pictured below. This framework is comprehensive, and provides a scoring model that allows risk owners to measure and target what risk level they believe they need to achieve based on their business model, threat profile, and risk tolerance. It has five functional focus areas. The ISO 27001 framework is also a very solid and frequently used model. Both of these frameworks can result in a Certificate of Attestation demonstrating adherence to the standard. Many commercial corporations do an annual ISO 27001 assessment for that very reason. More and more are leaning towards the NIST CSF, especially commercial corporations doing work with the government.
The art in cyber security is in the interpretation of the
rules, standards, and requirements that are primarily based on a foundation in
science in some form. The more experience one has in the cyber security
industry, the more effective the art becomes. As a last thought, keep in mind
that Connection’s Technology Solutions Group Security Practice has over 150
years of cyber security expertise on tap to apply to that art.
Security researchers have released a decryptor that enables victims of the Planetary ransomware family to recover their files for free. Released by Emsisoft, this decryptor requires a victim to have a copy of the ransom note. It’s not hard to find. Planetary ransomware, which earns its name for its use of planet-related file extensions including […]
Although organisations are devoting more resources to cyber security in order to tackle the growing threat of data breaches, 87% say they don’t have the budget to meet their needs, a new report has found.
This is a worrying trend, as it could exacerbate the problem in the future. So, how can you address it?
Protect the enterprise
The most important part of cyber security is identifying which assets are most important and where they are located. It’s only when you know what needs to be protected that you can build appropriate defences in line with your budget.
Unfortunately, EY believes that few organisations have a clear picture of this. This isn’t a surprise because, according to the survey, more than half of organisations don’t make protecting their organisation an integral part of business operations.
To rectify this, EY recommends that organisations ask:
What are our most valuable information assets?
What are our most obvious cyber security weaknesses?
What are the threats we’re facing?
Who are the potential threat actors?
Have we already been breached or compromised?
How does our protection compare with our competitors?
What are our regulatory responsibilities, and do we comply with them?
That last point is crucial, not only because of the potential penalties for non-compliance but also because legal requirements can guide you towards effective security.
The GDPR (General Data Protection Regulation), for example, includes a comprehensive list of security and privacy best practices. Granted, it’s a complex piece of legislation, and meeting all of its requirements will take time and effort, but that’s the case however you approach cyber security.
Optimise cyber security
Despite budgetary constraints, 77% of organisations say they are seeking to move beyond basic cyber security protections to fine-tune their capabilities.
Although this is good news, it might cause organisations to spread their resources too thinly. The basics – like staff awareness training and security testing – still need to be maintained, and as the threat of cyber crime continues to spiral, the cost of retaining your current level of protection grows.
EY suggests that the best approach might be to rethink your cyber security framework to look for more efficient ways of operating. There’s a good chance that, as organisations expand their defence capabilities, their practices will be duplicated or become outdated.
By making a short-term investment in updating your operations, you could reap the benefits for years to come.
You can assess the efficiency of your defences by asking:
What is our cyber security strategy?
What is our tolerance and appetite for risk?
Are there any low-value activities we could do more quickly or cheaply?
How could technologies such as robotic process automation, artificial intelligence and data analytics tools help us?
Where do we need to strengthen our capabilities?
What can we stop doing?
EY also points to the emerging challenge of data breach notification. Many organisations don’t consider this part of their cyber security strategy, because it doesn’t help prevent incidents.
However, the sheer number of threats you face means you can’t rely on your ability to prevent breaches. With an effective system for identifying and disclosing incidents, you can reduce the costs that follow breaches, protect your reputation and meet your regulatory requirements. These are the same goals as your other cyber security strategies, so you should consider it part of your overall defence strategy.
EY’s final recommendation is to look for ways to integrate security practices within business processes from the outset of any new projects.
Security by design is a fundamental principle of the GDPR, and if your organisation is to follow suit, EY says you’ll need to focus on emerging technologies and customer experience. You should also ask:
Is our entire supply chain secure?
How do we design and build new channels that are secure by design?
Where does cyber security fit into our digital transformation-enabled business model?
Could strong privacy and data protection give us a competitive advantage?
How focused on cyber security is our board as it pursues our digital ambitions?
How are our most senior executives taking ownership of, and showing leadership on, cyber security?
Do we have enough focus on cyber security in our entire ecosystem?
Many organisations now regard emerging technologies as a top priority when considering their cyber security budgets. In most cases, this simply means using the Cloud more, but EY suggests that organisations should also consider making use of robotic process automation, machine learning, artificial intelligence and the Internet of Things.
You must move forward
These three recommendations aren’t stepping stones towards security, warns EY. You can’t expect to progress from protection to optimisation to growth, because that misses the point; they must be addressed in unison as part of your overall cyber security strategy.
You must also accept that cyber security is a moving target, so there’s no need to focus too much on your security posture at any one moment in time. Instead, look for strategies that allow you to address the immediate future while remaining flexible enough to stay prepared for the long term.
Anyone interested in finding appropriate solutions for their organisation should take a look at our range of products and services. Whether you’re looking for general advice or specific solutions geared towards legal and best practice compliance, we’re here to help.
More than 50 universities in the UK have had their lack of cyber defences exposed, with security testers breaching their systems in under two hours.
The tests were conducted by Jisc, the agency that provides Internet services to the UK’s universities and research centres. The organisation’s penetration testers were successful in every attempt, accessing personal data of students and staff, finance systems and research networks.
These are highly targeted scam emails that are sent to senior personnel in an organisation. The hackers claim to be a trusted source, such as a colleague or a third party, and attempt to lure the victim into clicking a link or downloading an attachment that contains malware.
John Chapman, the head of Jisc’s security operations centre, warned that the vulnerabilities could be a sign of an impending “disastrous data breach or network outage”.
He added: “We are not confident that all UK universities are equipped with adequate cyber-security knowledge, skills and investment”.
“Cyber attacks are becoming more sophisticated and prevalent and universities can’t afford to stand still in the face of this constantly evolving threat.”
It’s not hard to see why Chapman would call these findings a disaster. The education sector is one of the most highly targeted by cyber criminals, with a recent freedom of information request revealing that there were more than 700 data breaches at UK schools and academies in 2018.
Meanwhile, the Times reported last year that there were 1,152 data breaches at UK universities in 2016–17, with many attacks geared towards stealing financial information and intellectual property.
Burden of responsibility
David Maguire, who chairs Jisc, says that universities “accrue huge amounts of data”, which “places a burden of responsibility on institutions, which must ensure the safety of online systems”.
Carsten Maple, the director of cyber security research at Warwick University, agrees that universities need to improve their defences urgently.
“Universities drive forward a lot of the research and development in the UK. Intellectual property takes years of know-how and costs a lot. […] Certainly somebody might attack a university and then provide that information to a nation state.”
Professor Maple added that criminals could make “a very good business case” for hacking universities because of the low costs incurred and their poor digital defences.
Dr Anton Grashion, the head of security practice at Cylance, concurs, telling the BBC that the open networks many universities run make them a “tempting and easily accessible” target.
He added: “It’s no surprise that universities are suffering from an increase in security breaches. Their network environments are some of the most challenging networks to manage, with usually smaller security and staffing budgets.”
Reducing cyber attacks through staff training
As the Jisc project demonstrates, cyber attacks are often caused by human error. Simple training can substantially reduce this risk. Our e-learning is a straightforward and cost-effective way to quickly train all staff and students in spotting threats.
Toyota has disclosed a data breach that may have affected up to 3.1 million customers. It’s the second time the car manufacturer has been breached in the last five weeks.
In a statement released on 29 March 2019, the organisation confirmed that several of its Asian subsidiaries were targeted by criminal hackers. It said that it is taking the situation seriously and will implement security measures at dealers and the entire Toyota group.
Few details have emerged about the breach, with Toyota stating that it is still investigating what data might have been breached, or if anything has been compromised at all.
The only facts that have been established are the subsidiaries that were attacked:
Toyota Tokyo Sales Holdings
Toyota Tokyo Motor
Toyota Tokyo Corolla
Netz Toyota Tokyo
Lexus Koishikawa Sales
Toyota West Tokyo Corolla
The day after the initial announcement, Toyota subsidiaries in Vietnam and Thailand made separate statements about suspected attacks.
Both organisations said that they have “come to be aware of a possibility” of a breach, and that “while we have no evidence of customer information loss at this moment, details are currently under investigation, and we intend to share further specifics, if any, as soon as details are available”.
One of the few certainties of the incident, according to Toyota, is that no financial information was affected, although we’d push the brakes on that conclusion, given that the investigation is still ongoing.
Erring on the side of caution
You might not expect an organisation to disclose a data breach if it wasn’t sure it had even been breached, but Toyota’s decision is almost certainly influenced by the attack on Toyota Australia in February.
Either way, Toyota’s transparency can only be a good thing, as the damage – from a customer standpoint – is minimal, and the organisation’s response has been exemplary. The only thing missing is a more effective security system.
However, Zurich American says the damage was the result of “an act of war” and therefore isn’t covered by the policy, which covers “all risks of physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction.”
Was NotPetya an act of war?
That’s the $100 million question. NotPetya is a Windows-based piece of ransomware that infected organisations across the globe in 2017.
The UK government and the CIA blame the attack on Russian state-sponsored hackers, claiming it was the latest act in an ongoing feud between Russia and Ukraine.
The evidence points towards this. Ukrainian organisations were among the first to be attacked, and the country accounted for 80% of all infections. Later investigations found that the virus was simply masquerading as ransomware, and was in fact designed “to exact maximum destruction and damage”.
Unfortunately, the criminal hackers had little control over which organisations would be hit beyond the initial injection. The fact that the virus focused almost exclusively on Ukraine was simply good fortune, because malware such as NotPetya and WannaCry, which ripped through the UK just weeks earlier, are specifically designed to spread as far and wide as possible.
That means there will always be many bystanders like Mondelez affected by attacks.
Who is in the right?
Most experts agree that Mondelez has a strong claim despite NotPetya’s relation to Ukraine–Russia tensions. Zurich American initially agreed, offering a first payment of $10 million.
However, the insurer soon changed its mind, claiming an exclusion for “hostile and warlike action in time of peace and war [by] a government or sovereign power”.
Mondelez called Zurich American’s decision “unprecedented” in court papers. Terrorism and acts of war exclusions are common in insurance policies, but no insurer has ever challenged a claim based on those exemptions.
That doesn’t make it an open and shut case, but it does mean Zurich American will have its work cut out. With no precedent to cite, it will have to make an overwhelming case and prove that the Russian government was behind the attack, something investigators have thus far failed to do.
Perilous future for cyber insurance
The result of the case will have huge ramifications for cyber insurance policies. The attack is probably as close as we’ll get to the definition of an act of war in terms of cyber crime, so if Zurich American is found liable in US courts, it shuts the door on any other insurer in the country using the exemption.
We’d expect those firms – and, in all likelihood, insurers across the globe – to re-evaluate their policies to create specific exemptions for attacks such as NotPetya.
But if the court finds in favour of Zurich American, organisations will suddenly find themselves far more exposed to cyber attacks than they might have thought. This could lead to huge numbers of organisations dumping their policies and seeking specific protection against large-scale attacks.
Whatever the outcome, organisations must consider whether their cyber insurance policy is fit for purpose. We can’t think of many things worse than spending a chunk of your cyber security budget on an insurance policy only for an insurer to tell you after an attack: “It’s all there, black and white, clear as crystal. You get nothing!”
The best way to avoid that is to take the initiative when it comes to cyber security. If you spend wisely on security defences, you can prevent most attacks, respond promptly to breaches and mitigate the damage.
That’s easier said than done, but there’s a middle ground between shouldering the responsibilities of security and relying on an insurance policy.
Cyber security as a service
What if there was a way that you could access the expert knowledge and resources you need to manage cyber security threats without having to employ a full-time team? With IT Governance’s Cyber Security as a Service, you can.
Backed by years of cyber security experience and a deep understanding of the challenges organisations face, our experts will transform your organisation from ‘unsure’ to ‘cyber secure and resilient’.
If that's the case, let's talk - I'd like to respectfully ask the entire RSA Conference just 1 simple cyber security question -
Question: What lies at the very foundation of cyber security and privileged access of not just the RSAs, EMCs, Dells, CyberArks, Gartners, Googles, Amazons, Facebooks and Microsofts of the world, but also at the foundation of virtually all cyber security and cloud companies and at the foundation of over 85% of organizations worldwide?
For those who may not know the answer to this ONE simple cyber security question, the answer's in line 1 here.
For those who may know the answer, and I sincerely hope that most of the world's CIOs, CISOs, Domain Admins, Cyber Security Analysts, Penetration Testers and Ethical Hackers know the answer, here are 4 simple follow-up questions -
Q 1. Should your organization's foundational Active Directory be compromised, what could be its impact?
Q 2. Would you agree that the (unintentional, intentional or coerced) compromise of a single Active Directory privileged user could result in the compromise of your organization's entire foundational Active Directory?
Q 3. If so, then do you know that there is only one correct way to accurately identify/audit privileged users in your organization's foundational Active Directory, and do you possess the capability to correctly be able to do so?
Q 4. If you don't, then how could you possibly know exactly how many privileged users there are in your organization's foundational Active Directory deployment today, and if you don't know so, ...OMG... ?!
You see, if even the world's top cyber security and cloud computing companies themselves don't know the answers to such simple, fundamental Kindergarten-level cyber security questions, how can we expect 85% of the world's organizations to know the answer, AND MORE IMPORTANTLY, what's the point of all this fancy peripheral cyber security talk at such conferences when organizations don't even know how many (hundreds if not thousands of) people have the Keys to their Kingdom(s)?!
Today Active Directory is at the very heart of Cyber Security and Privileged Access at over 85% of organizations worldwide, and if you can find me even ONE company at the prestigious RSA Conference 2019 that can help organizations accurately identify privileged users/access in 1000s of foundational Active Directory deployments worldwide, you'll have impressed me.
Those who truly understand Windows Security know that organizations can neither adequately secure their foundational Active Directory deployments nor accomplish any of these recent buzzword initiatives like Privileged Access Management, Privileged Account Discovery, Zero-Trust etc. without first being able to accurately identify privileged users in Active Directory.
Today's post is for all executives worldwide who comprise the C-Suite at thousands of organizations worldwide.
I pen today's post with profound respect for all executives worldwide, because I understand first-hand just how important the nature of their responsibilities is, how valuable their time is, and how far-reaching the consequences of their decisions are.
A quick footnote for all C*Os: In case you're wondering who I am to be penning this, I'm a former Microsoft Program Manager for Active Directory Security. Relevance? Microsoft's Active Directory is the foundation of your entire organization's cyber security. Finally, like you, I also happen to be the CEO of a $ Billion+ company.
Today's post is in the form of a simple letter, which follows below.
Subject - Cyber Security 101 for the C-Suite
To: Chairmen, CEOs and CFOs Worldwide
Hi, I'm Sanjay, former Microsoft Program Manager for Active Directory Security, but more importantly a sincere well-wisher who cares deeply about cyber security, and who just happens to know a thing or two about the very technology that lies at the very foundation of cyber security of your ($ Billion to $ Trillion) organization, and those of 85% of all organizations worldwide.
I write to you to bring to your attention a matter of paramount importance to your organization's foundational security.
Context - Foundational Security
Today we all engage in business in what is essentially a global digital village, wherein just about every aspect of business, whether it be production, marketing, sales, customer service, collaboration, finance etc. etc., substantially relies on technology.
Within our respective organizations, it is our IT infrastructure that enables and empowers our workforce to engage in business.
For instance, we all (including us C*Os) log on to a computer every day, send and receive email, and create, share and access digital assets (e.g. documents, applications, services etc.) all of which are securely stored on our organizational computers.
It is only logical then that ensuring the security of the very IT infrastructure that enables and empowers our entire workforce to engage in business digitally, and the security of our digital assets is vital. In other words, cyber security is very important.
Now, if I told you that at the very foundation of your entire IT infrastructure, and consequently at the very foundation of the security of all your digital assets lay a single high-value asset, then I think you'd agree that its security would be paramount.
At the very foundation of your organization's IT infrastructure and that of its cyber security, and by corollary the cyber security of the entirety of all your digital assets (e.g. thousands of computers, thousands of employee user accounts and passwords, every single organizational email sent and received every minute of every day, all your applications, services, Intranet portals, Internet facing applications etc.) as well as the entirety of your organization's data, lies a single technology - Microsoft Active Directory.
Most simply put, Active Directory is the database that contains, stores and protects the entirety of your organization's building blocks of cyber security - each one of thousands of user accounts and their passwords, each one of thousands of computer accounts (for all laptops, desktops, servers etc.), each one of thousands of security groups that protect all your data etc. etc.
If your organization's Active Directory were compromised, everything would immediately be exposed to the risk of compromise.
Thus, as you'll hopefully agree, ensuring the security of your organization's foundational Active Directory is, well, paramount.
A Provable Concern - Inadequate Protection
Now, you might most likely be thinking: Well, if that's the case, I'm sure that our CIO, our CISO and their world-class IT and Cyber Security teams know all this, and have it adequately taken care of, so why should I be concerned?
Here's why you should be concerned - In all likelihood, not only may your world-class IT and Cyber Security teams not have this adequately covered, they may have yet to realize just how very important, and in fact paramount Active Directory security is.
Further, they likely may not know what it actually takes to adequately secure your organization's foundational Active Directory.
Now, as incredible as that may sound, you have to trust me on this, not because I'm asking you to do so as a concerned well-wisher, but because I'm asking you to do so as arguably the world's #1 subject matter expert on Active Directory Security.
You see, prior to doing what I currently do, I was Microsoft's subject matter expert for Active Directory Security on Microsoft's Windows Server Development team. In case you're curious as to what I currently do with all this knowledge, well, it's this.
As the world's leading subject matter expert on Active Directory Security, I would highly encourage you to ask your IT and Cyber Security leadership, specifically your CIO and your CISO, just how secure they think your organization's Active Directory is.
Simple Proof - You Just Have to Ask
When you ask them about it, please do request specific answers, and here are 7 simple questions you can ask them, the answers to which will give you an indication of just how secure your organization's Active Directory actually is today -
Is the security of our foundational Active Directory deployment a top cyber security priority today?
I could suggest 50 such elemental cyber security questions, but for now these 7 simple, precise questions will suffice as there are only 2 possibilities here - either your IT and cyber security leadership have exact answers to these questions, or they don't.
If they can't give you exact answers to these questions, your organization's Active Directory is not secure; it's as simple as that.
They might tell you that this is complicated or that they have a good approximation, or that this is very difficult to do, or that they have many other latest buzzword measures like Active Directory Auditing, Privileged Access Management, ATA, Just-in-Time Administration etc. in place, but none of that matters, because the truth is simple - they either have exact answers, or they don't.
(These questions are paramount to cyber security, and today there exists technology that can enable every organization in the world to answer them precisely, but because Microsoft likely forgot to adequately educate its customers, your IT personnel may likely not even know the importance of these paramount questions, let alone knowing what it takes to correctly answer them.)
If a $Billion+ organization doesn't even know exactly who has what privileged access in their Active Directory, as well as exactly who can manage each one of their privileged accounts and groups, how could their Active Directory possibly be secure?
If an organization's foundational Active Directory is not secure, how can the entirety of the organization's digital (IT) assets be secure, and if that's not the case, how could an organization possibly be considered secure from a cyber security perspective?
As a member of the C-Suite, you not only have the privilege of being able to impact vital change in your organization, you also have the responsibility and the authority to demand and ensure the cyber security of the very foundation of your organization.
As a C*O, one of the most important responsibilities you shoulder is ensuring that your organization is secure, and ensuring that the very foundation of your organization's IT infrastructure and cyber security are always adequately protected, is paramount.
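The question the letter keeps returning to, exactly who has what privileged access and who can manage each privileged group, is harder than listing the members of Domain Admins because membership nests and because rights on the group object itself can let a non-member add anyone they like. The following Python is an added example and is not Paramount Defenses', Microsoft's or CyberArk's code; it models the two things an honest answer has to combine. Every user, group and ACL entry below is constructed; the right names (GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty on the member attribute) are real Active Directory access rights.

```python
# Added example (not Paramount Defenses', Microsoft's or CyberArk's code). A
# model of what "exactly who has what privileged access in Active Directory"
# requires: expanding nested group membership AND evaluating who holds rights
# that let them change the membership of a privileged group. All names below
# are constructed; the right names are real AD access rights.
from collections import defaultdict

# Rights on a group object that, directly or after rewriting its ACL or owner,
# let the holder change who is in the group.
CONTROL_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "WriteProperty:member"}

# Constructed directory: group -> members (users or other groups).
GROUPS = {
    "Domain Admins": ["alice", "Tier0 Ops"],
    "Tier0 Ops": ["carol"],
    "Helpdesk": ["bob", "Helpdesk Leads"],
    "Helpdesk Leads": ["dave"],
    "Server Team": ["eve"],
}

# Constructed ACLs: group -> (trustee, right) entries on that group object.
ACLS = {
    "Domain Admins": [("Helpdesk", "WriteProperty:member")],  # delegated long ago, never reviewed
    "Helpdesk": [("Server Team", "GenericAll")],
    "Tier0 Ops": [("frank", "ReadProperty")],                 # read-only: not control
}

PRIVILEGED_GROUPS = ["Domain Admins"]


def who_can_reach(group, seen=None):
    """Users who are in `group` or can put themselves in it.

    Covers direct and nested members, holders of a control right on the group,
    and recursively anyone who can reach a nested member group or a trustee
    group (controlling the trustee group is as good as holding its rights).
    Returns {user: [reasons]}. `seen` guards against membership cycles.
    """
    seen = seen if seen is not None else set()
    seen.add(group)
    found = defaultdict(list)
    for member in GROUPS.get(group, []):
        if member in GROUPS:
            if member not in seen:
                for user, why in who_can_reach(member, seen).items():
                    found[user].extend(why + [f"member of {group} via {member}"])
        else:
            found[member].append(f"member of {group}")
    for trustee, right in ACLS.get(group, []):
        if right not in CONTROL_RIGHTS:
            continue
        reason = f"{right} on {group} via {trustee}"
        if trustee in GROUPS:
            if trustee not in seen:
                for user, why in who_can_reach(trustee, seen).items():
                    found[user].extend(why + [reason])
        else:
            found[trustee].append(reason)
    return found


def effective_privileged_users(privileged_groups=PRIVILEGED_GROUPS):
    """Everyone who is, or can make themselves, a member of a privileged group."""
    report = defaultdict(list)
    for group in privileged_groups:
        for user, why in who_can_reach(group).items():
            report[user].extend(why)
    return {user: sorted(set(why)) for user, why in report.items()}


if __name__ == "__main__":
    for user, why in sorted(effective_privileged_users().items()):
        print(f"{user}: {'; '.join(why)}")
```

On this constructed directory a plain membership listing of Domain Admins shows one user and one group; the model reports five people, and for each one says why (bob and dave because Helpdesk can write the member attribute of Domain Admins, eve because GenericAll on Helpdesk lets her join Helpdesk first). In a real domain the inputs come from reading member and nTSecurityDescriptor over LDAP, and a genuine audit must additionally account for ACE inheritance, deny ACEs, the implicit rights of an object's owner, the Self right on member, and rights on the privileged user objects themselves (password reset, for example). The shape of the problem is the point: membership expansion alone undercounts, and that undercount is what the letter's questions are probing for.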
The Likely Reason (Optional Reading)
Here's the likely reason for why such a common-sense yet paramount matter may not be on your CIO's and CISO's radar yet.
You see, your CIO and CISO shoulder great responsibility. Unfortunately, amongst many other things, they're likely also being guided by inputs from a 1000 cyber security companies, who unfortunately may not be the best source of objective guidance.
For instance, consider CyberArk, a highly respected $ Billion+ cyber security company, that claims that over 50% of the Fortune 100's CISOs rely on them. As a subject matter expert, I can tell you that CyberArk itself may not know how to correctly assess privileged access in an Active Directory, so you see, unfortunately your CIO and CISO may not be getting the best guidance.
CyberArk is absolutely correct that "Privilege is Everywhere." However, those who know Windows Security will tell you that in a Windows network powered by Active Directory, the majority of all privileged access (delegated & unrestricted) lies inside Active Directory, but CyberArk doesn't seem to have the capability to correctly audit privileged access inside Active Directory.
The majority of all Privileged Access, including the "Keys to the Kingdom", resides inside Active Directory
CyberArk isn't alone. As unbelievable as it may sound, today even Microsoft doesn't seem to know what it takes to do so, let alone possessing the capability to help its customers correctly do so. In fact, most of the world's top IT Consulting, Audit, Cloud and Cyber Security companies also operate on Active Directory, and they too likely have neither a clue nor the capability to accurately determine exactly who has what privileged access in their own foundational Active Directory deployments.
You may find this hard to believe, but of the 1000+ cyber security companies exhibiting or presenting at the upcoming RSA Conference 2019, not a single one of them can help your organization's IT personnel fulfill such a fundamental yet paramount cyber security need - finding out exactly who has what privileged access in your organization's foundational Active Directory.
In their defense, I'll say this: if it were easy, they would've all done it by now. Unfortunately, as paramount as it is, it's not easy. Thus, I know what your CIO and CISO may perhaps not yet know, or understand the paramount importance of, which is that of all the things that need to be secured, none could possibly be more important than securing your organization's foundational Active Directory, so I thought I'd share this with you, because as a member of the C-Suite, you could provide them the strategic guidance and the executive support that their teams need to accomplish this paramount objective for your organization.
I only wrote this letter because we're all in this together, and I care deeply about foundational cyber security, as hopefully do you, and I felt that I could perhaps help bridge the gap between those tasked with the great responsibility of securing Active Directory (i.e. your IT personnel) and those whose executive support they need to be able to do so (i.e. you, the C-Suite.)
If any of what I shared above made sense, I would encourage you to embrace my suggestions earnestly, and act upon them, and if needed, I can prove and demonstrate every thing I've shared above, and you should feel free to take me up on this.
As for myself, all I can say is that today my work and knowledge silently help secure and defend so many of the world's most important organizations across six continents worldwide.
In days to come, I'm going to answer both the most important and the second most important question in all of cyber security.
Today though, I just wanted to ask a simple (rhetorical) cyber security question, so that CEOs, CIOs, CISOs and IT Directors at organizations worldwide realize just what lies at the very foundation of the cyber security of their multi-billion $ organizations.
Consequently, it logically follows that all organizations that operate on Microsoft Active Directory are only as secure as are their foundational Active Directory deployments. After all, no matter how tall, every skyscraper is only as strong as its foundation.
In days to come, I'll share with you just how secure foundational Active Directory deployments are worldwide today - right here.
Hackers are working hard to find new ways to get your data. It's not surprising that cyber security risk is top of mind for every risk owner, in every industry. As the frequency and complexity of malicious attacks persistently grow, every company should recognize that they are susceptible to an attack at any time, whether it comes as an externally focused attack or a social engineering attack. Let's take a look at the top 5 risks that every risk owner should be preparing for.
Your Own Users. It is commonly known, in the security industry, that people are the weakest link in the security chain. Despite whatever protections you put in place from a technology or process/policy point of view, human error can cause an incident or a breach. Strong security awareness training is imperative, as well as very effective documented policies and procedures. Users should also be “audited” to ensure they understand and acknowledge their role in policy adherence. One area that is often overlooked is the creation of a safe environment, where a user can connect with a security expert on any issue they believe could be a problem, at any time. Your security team should encourage users to reach out. This creates an environment where users are encouraged to be part of your company’s detection and response. To quote the Homeland Security announcements you frequently hear in airports, “If you see something, say something!” The biggest threat to a user is social engineering—the act of coercing a user to do something that would expose sensitive information or a sensitive system.
Phishing. Phishing ranks number three in both the 2018 Verizon Data Breach Investigation Report Top 20 action varieties in incidents and Top 20 action varieties in breaches. These statistics can be somewhat misleading. For example, the first item on the Top 20 action varieties in breaches list is the use of stolen credentials; number four is privilege abuse. What better way to execute both of those attacks than with a phishing scam? Phishing coerces a user through email to either click on a link disguised as a legitimate business URL, or open an attachment disguised as a legitimate business document. When the user executes or opens either, bad things happen: malware is downloaded on the system, or connectivity to a Command and Control server on the Internet is established. All of this is done using standard network communication and protocols, so the eco-system is none the wiser, unless sophisticated behavioral or AI capabilities are in place. What is the best form of defense here? 1.) Do not run your user systems with administrative rights; doing so allows any malicious code that runs to execute with those elevated (root-level) privileges. 2.) Train, train, and re-train your users to recognize a phishing email, or more importantly, recognize an email that could be a phishing scam, and then ask the right security resources for help. The best mechanism for training is to run safe, targeted phishing campaigns to verify user awareness, either internally or with a third-party partner like Connection.
Ignoring Security Patches. One of the most important functions any IT or IT Security Organization can perform is to establish a consistent and complete vulnerability management program. This includes the following key functions:
Select and manage a vulnerability scanning system to proactively test for flaws in IT systems and applications.
Create and manage a patch management program to guard against vulnerabilities.
Create a process to ensure patching is completed.
Most malicious software is created to target missing patches, especially Microsoft patches. We know that WannaCry and Petya, two devastating attacks, targeted systems that were missing Microsoft MS17-010. Eliminating the "low-hanging fruit" from the attack strategy, by patching known and current vulnerabilities or flaws, significantly reduces the attack surface for the risk owner.
Partners. Companies spend a lot of time and energy on Information Security Programs to address external and internal infrastructures, exposed Web services, applications and services, policies, controls, user awareness, and behavior. But they ignore a significant attack vector, which is the partner channel, whether it be a data center support provider or a supply chain partner. We know that high-profile breaches have been executed through third-party channels, Target being the most prominent. The Target breach was a classic supply chain attack, where they were compromised through one of their HVAC vendors. Company policies and controls must extend to all third-party partners that have electronic or physical access to the environment. Ensure your Information Security Program includes all third-party partners or supply chain sources that connect to or visit your enterprise. The NIST Cyber Security Framework has a great assessment strategy, where you can evaluate your susceptibility to this often-overlooked risk.
Data Security. In this day and age, data is the new currency. Malicious actors are scouring the Internet and Internet-exposed corporations to look for data that will make them money. The table below, from the Ponemon Institute 2018 Cost of a Data Breach Report, shows the per-record cost to a company of a data breach.
[Table: Cost for a Single Record Data Breach]
The Bottom Line
You can see that healthcare continues to be the most lucrative target for data theft, with $408 per record lost. Finance is nearly half this cost. Of course, we know the reason why this is so. A healthcare record has a tremendous amount of personal information, enabling the sale of more sensitive data elements, and in many cases, can be used to build bullet-proof identities for identity theft. The cost of a breach in the US, regardless of industry, averages $7.9 million per event. The cost of a single lost record in the US is $258.
I Can’t Stress It Enough
Data security should be the #1 priority for businesses of all sizes. To build a data protection strategy, your business needs to:
Define and document data security requirements
Classify and document sensitive data
Analyze security of data at rest, in process, and in motion
Pay attention to sensitive data like PII, ePHI, EMR, financial accounts, proprietary assets, and more
Identify and document data security risks and gaps
Execute a remediation strategy
Because it’s a difficult issue, many corporations do not address data security. Unless your business designed classification and data controls from day one, you are already well behind the power curve. Users create and have access to huge amounts of data, and data can exist anywhere—on premises, user laptops, mobile devices, and in the cloud. Data is the common denominator for security. It is the key thing that malicious actors want access to. It’s essential to heed this warning: Do Not Ignore Data Security! You must absolutely create a data security protection program, and implement the proper policies and controls to protect your most important crown jewels.
Cyber criminals are endlessly creative in finding new ways to access sensitive data. It is critical for companies to approach security seriously, with a dynamic program that takes multiple access points into account. While it may seem to be an added expense, the cost of doing nothing could be exponentially higher. So whether it's working with your internal IT team, utilizing external consultants, or a mix of both, take steps now to assess your current situation and protect your business against a cyber attack. Stay on top of quickly evolving cyber threats. Reach out to one of our security experts today to close your business's cyber security exposure gap!
2018 marks the 15th year of National Cyber Security Awareness Month (NCSAM). The Internet touches every aspect of our lives, and keeping it safe and secure is everyone’s responsibility. You can make a difference by remaining diligent and staying cyber aware. Be part of something big this month. Learn more, be aware, and get involved.
Connection is an official Champion of NCSAM. We’re dedicating the month of October to spreading the word about the importance of cyber security, and providing tools and resources to help you stay safe and secure online.
Each week during October highlights a different cyber security theme, addressing specific challenges and opportunities for change. Stay tuned for information about the top cyber security threats, careers in cyber security, and why it’s everyone’s job to ensure online safety. What are you doing to keep the Internet safer and more secure? Be sure to check back each week to stay informed, and get tips from our experts about how you can participate in keeping everyone safe online.
Today, to give a hint for the answer to this question, I asked possibly the most important cyber security question in the world, one that directly impacts the foundational security of 1000s of organizations worldwide, and thus one that impacts the financial security of billions of people worldwide -
What's the World's Most Important Active Directory Security Capability?
Given what it is I do, I don't squander a minute of precious time, unless something is very important, and this is very important.
Let me explain why this is so alarming, concerning and so important to cyber security, and why at many organizations (e.g. U.S. Govt., Paramount Defenses etc.), this could've either possibly resulted in, or in itself, be considered a cyber security breach.
Disclaimer: I'm not making any value judgment about Lenovo; I'm merely basing this on what's already been said.
As you know, Microsoft's been brazenly leaving billions of people and thousands of organizations worldwide with no real choice but to upgrade to their latest operating system, Windows 10, which, albeit far from perfect, is much better than Windows Vista, Windows 8 etc., even though Windows 10's default settings could be considered an egregious affront to Privacy.
Consequently, at Paramount Defenses, we too felt that perhaps it was time to consider moving on to Windows 10, so we too figured we'd refresh our workforce's PCs. Now, of the major choices available from amongst several reputable PC vendors out there, Microsoft's Surface was one of the top trustworthy contenders, considering that the entirety of the hardware and software was from the same vendor, one that was decently trustworthy (considering that most of the world is running their operating system), and that there seemed to be no* pre-installed drivers or software that may have been written in China, Russia etc.
Side-note: Based on information available in the public domain, in all likelihood, software written in / maintained from within Russia, may still likely be running as System on Domain Controllers within the U.S. Government.
So we decided to consider evaluating Microsoft Surface devices and thus purchased a couple of brand-new Microsoft Surface devices from our local Microsoft Store for an initial PoC, and I decided to personally test-drive one of them -
The very first thing we did after unsealing them, walking through the initial setup and locking down Windows 10's unacceptable default privacy settings, was to connect it to the Internet over a secure channel, and perform a Windows Update.
I should mention that there was no other device attached to this Microsoft Surface, except for a Microsoft Signature Type Cover, and in particular there were no mice of any kind, attached to this new Microsoft surface device, whether via USB or Bluetooth.
Now, you're not going to believe what happened within minutes of having clicked the Check for Updates button!
Windows Update Downloaded and Installed an Untrusted Self-Signed Lenovo Device Driver on Microsoft Surface! -
Within minutes, Windows Update automatically downloaded and had installed, amongst other packages (notably Surface Firmware,) an untrusted self-signed Kernel-mode device-driver, purportedly Lenovo - Keyboard, Other hardware - Lenovo Optical Mouse (HID), on this brand-new Microsoft Surface device, i.e. one signed with an untrusted WDK Test Certificate!
Here's a snapshot of Windows Update indicating that it had successfully downloaded and installed a Lenovo driver on this Surface device, and it specifically states "Lenovo - Keyboard, Other hardware - Lenovo Optical Mouse (HID)" -
We couldn't quite believe this. How could this be possible? i.e. how could a Lenovo driver have been installed on a Microsoft Surface device?
So we checked the Windows Update Log, and sure enough, as seen in the snapshot below, the Windows Update Log too confirmed that Windows Update had just downloaded and installed a Lenovo driver -
We wondered if there might have been any Lenovo hardware components installed on the Surface so we checked the Device Manager, and we could not find a single device that seemed to indicate the presence of any Lenovo hardware. (Later, we even took it back to the Microsoft Store, and their skilled tech personnel confirmed the same finding i.e. no Lenovo hardware on it.)
Specifically, as you can see below, we again checked the Device Manager, this time to see if it might indicate the presence of any Lenovo HID, such as a Lenovo Optical Mouse, and as you can see in the snapshot below, the only two Mice and other pointing devices installed on the system were from Microsoft - i.e. no Lenovo mouse presence indicated by Device Manager -
Next, we performed a keyword search of the Registry, and came across a suspicious Driver Package, as seen below -
It seemed suspicious to us because as can be seen in the snapshot above, all of the other legitimate driver package keys in the Registry had (as they should) three child sub-keys i.e. Configurations, Descriptors and Strings, but this specific one only had one subkey titled Properties, and when we tried to open it, we received an Access Denied message!
As you can see above, it seemed to indicate that the provider was Lenovo and that the INF file name was phidmou.inf, and the OEM path was "C:\Windows\SoftwareDistribution\Download\Install", so we looked at the file system but this path didn't seem to exist on the file-system. So we performed a simple file-system search "dir /s phidmou.*" and as seen in the snapshot below, we found one instance of such a file, located in C:\Windows\System32\DriverStore\FileRepository\.
Here's that exact location on the file-system, and as evidenced by the Created date and time for that folder, one can see that this folder (and thus all of its contents), were created on April 01, 2018 at around 1:50 am, which is just around the time the Windows Update log too confirmed that it had installed the Lenovo Driver -
When we opened that location, we found thirteen items, including six drivers -
Next, we checked the Digital Signature on one of the drivers, PELMOUSE.SYS, and we found that it was signed using a self-signed test Windows Driver certificate, i.e. the .sys files were SELF-SIGNED by a WDKTestCert and their digital signatures were NOT OK, in that they terminated in a root certificate that is not trusted by the trust provider -
Finally, when we clicked on the View Certificate button, as can be seen below, we could see that this driver was in fact merely signed by a test certificate, which is only supposed to be used for testing purposes during the creation and development of Kernel-mode drivers. Quoting from Microsoft's documentation on Driver Testing "However, eventually it will become necessary to test-sign your driver during its development, and ultimately release-sign your driver before publishing it to users." -
Clearly, the certificate seen above is NOT one that is intended to be used for release signing, yet here we have a Kernel-mode driver downloaded by Windows Update and installed on a brand new Microsoft Surface, and all it's signed by is a test certificate, and who knows who wrote this driver!
Again, per Microsoft's guidelines on driver signing, which can also be found here, "After completing test signing and verifying that the driver is ready for release, the driver package has to be release signed", and AFAIK, release signing not only requires the signer to obtain and use a code-signing certificate from a code-signing CA, it also requires a cross cert issued by Microsoft.
If that is indeed the case, then a Kernel-mode driver that is not signed with a valid code-signing certificate, and one whose digital signature does not contain Microsoft's cross cert, should not even be accepted into the Windows Update catalog.
It is thus hard to believe that a Windows Kernel-Mode Driver that is merely self-signed using a test certificate would even make it into the Windows Update catalog, and further it seems that in this case, not only did it make it in, it was downloaded, and in fact successfully installed onto a system, which clearly seems highly suspicious, and is in fact alarming and deeply concerning!
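The checks walked through above (signature status of the .sys files, the DriverStore folder's creation time, and the Windows Update log) can be run as one defender-side sweep. The script below is an added example, not code from the original post or from Paramount Defenses; it assumes an elevated Windows PowerShell session on the machine being inspected, and it reports every DriverStore binary whose Authenticode chain is not trusted or whose signer looks like a WDK test certificate, then correlates each hit with Windows Update "Installation Successful" events (ID 19) around the package's creation time.

```powershell
# Added example (not from the original post): sweep the local DriverStore for
# kernel-mode driver binaries that are not signed by a trusted chain, the
# condition the post describes for PELMOUSE.SYS, and tie each hit back to
# Windows Update install events so the install can be attributed.
# Assumes: run as Administrator in Windows PowerShell 5.1+ on Windows 10.

$repo = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'

# One record per .sys file under the FileRepository.
$findings = Get-ChildItem -Path $repo -Recurse -Filter '*.sys' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        # The package folder is the first path segment below FileRepository,
        # e.g. phidmou.inf_amd64_<hash> (the hash suffix is a placeholder here).
        $rel = $_.FullName.Substring($repo.Length + 1)
        [pscustomobject]@{
            Package    = $rel.Split('\')[0]
            Driver     = $_.Name
            Status     = $sig.Status          # Valid, NotSigned, NotTrusted, HashMismatch, ...
            Signer     = $subject
            TestCert   = ($subject -match 'WDKTestCert')   # WDK test-signing cert naming pattern
            PkgCreated = (Get-Item (Join-Path $repo $rel.Split('\')[0])).CreationTime
        }
    }

# NotTrusted means the chain ends in a root the machine does not trust, which is
# exactly what a test-signed driver looks like. A 'NotSigned' result on an
# otherwise legitimate inbox driver can be a catalog-signed file with no embedded
# signature, so weight NotTrusted and the test-cert subject match most heavily.
$suspect = $findings | Where-Object { $_.Status -eq 'NotTrusted' -or $_.TestCert }

if (-not $suspect) {
    Write-Host 'No DriverStore binaries with an untrusted or test-cert signature found.'
    return
}

# Windows Update client writes event 19 when it installs an update or driver.
$installs = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-WindowsUpdateClient/Operational'
    Id      = 19
} -ErrorAction SilentlyContinue

foreach ($s in $suspect | Sort-Object PkgCreated) {
    Write-Host ("`n[!] {0}\{1}  status={2}  signer={3}  created={4}" -f
        $s.Package, $s.Driver, $s.Status, $s.Signer, $s.PkgCreated)

    # Any Windows Update install logged within 30 minutes of the package
    # folder's creation is a candidate source for this driver.
    $near = $installs | Where-Object {
        [math]::Abs(($_.TimeCreated - $s.PkgCreated).TotalMinutes) -le 30
    }
    foreach ($e in $near) {
        Write-Host ("    WU install {0}: {1}" -f $e.TimeCreated, $e.Message.Split("`n")[0])
    }
    if (-not $near) { Write-Host '    (no Windows Update install event within 30 minutes)' }
}
```

Run it before a newly provisioned device is joined to a domain or handed to a privileged user; a hit is a reason to quarantine the device, as the post did, rather than to proceed.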
How could this be? How could Windows Update (a trusted system process of the operating system), which we all (have no choice but to) trust (and have to do so blindly and completely) have itself installed an untrusted self-signed Lenovo driver (i.e. code running in Kernel-Mode) on a Microsoft Surface device?
Frankly, since this piece of software was signed using a self-signed test cert, who's to say this was even a real Lenovo driver? It could very well be some malicious code purporting to be a Lenovo driver. Or, there is also the remote possibility that it could be a legitimate Lenovo driver, that is self-signed, but if that is the case, its installation should not have been allowed to succeed.
To us, this is unacceptable, alarming and deeply concerning, and here's why.
We just had, on a device we consider trustworthy (and could possibly have engaged in business on), procured from a vendor we consider trustworthy (considering that the entire world's cyber security ultimately depends on them), an unknown, unsigned piece of software of Chinese origin that is now running in Kernel-mode, installed on the device by this device's vendor's (i.e. Microsoft's) own product's (the Windows operating system's) update program!
We have not had an opportunity to analyze this code, but if it is indeed malicious in any way, in effect, it would've, unbeknownst to us and for no fault of ours, granted System-level control over a trusted device within our perimeter, to some entity in China.
How much damage could that have caused? Well, suffice it to say that, for they who know Windows Security well, if this was indeed malicious, it would've been sufficient to potentially compromise any organization within which this potentially suspect and malicious package may have been auto-installed by Windows update. (I've elaborated a bit on this below.)
In the simplest scenario, if a company's Domain Admins had been using this device, it would've been Game Over right there!
This leads me to the next question - we can't help but wonder how many such identical Surface devices exist out there today, perhaps at 1000s of organizations, on which this suspicious unsigned Lenovo driver may have been downloaded and installed?
This also leads me to another very important question - Just how much trust can we, the world, impose in Windows Update?
In our case, it just so happened that we were in front of this device during this Windows Update process, and that's how we noticed this; by the way, after it was done, it gave the familiar "Your device is up to date" message.
Speaking of which, here's another equally important question - For all organizations that are using Windows Surface, and may be using it for mission-critical or sensitive purposes (e.g. AD administration), what is the guarantee that this won't happen again?
I ask because if you understand cyber security, then you know, that it ONLY takes ONE instance of ONE malicious piece of software to be installed on a system, to compromise the security of that system, and if that system was a highly-trusted internal system (e.g. that machine's domain computer account had the "Trusted for Unconstrained Delegation" bit set), then this could very likely also aid perpetrators in ultimately gaining complete command and control of the entire IT infrastructure. As I have already alluded to above, if by chance the target/compromised computer was one that was being used by an Active Directory Privileged User, then, it would be tantamount to Game Over right then and there!
Think about it - this could have happened at any organization, from say the U.S. Government to the British Government, or from say a Goldman Sachs to a Palantir, or say from a stock-exchange to an airline, or say at a clandestine national security agency to say at a nuclear reactor, or even Microsoft itself. In short, for absolutely no fault of theirs, an organization could potentially have been breached by a likely malicious piece of software that the operating system's own update utility had downloaded and installed on the System, and in 99% of situations, because hardly anyone checks what gets installed by Windows Update (now that we have to download and install a whopping 600MB patch every Tuesday), this would likely have gone unnoticed!
Again, to be perfectly clear, I'm not saying that a provably malicious piece of software was in fact downloaded and installed on a Microsoft Surface device by Windows Update. What I'm saying is that a highly suspicious piece of software, one that was built and intended to run in Kernel-mode and yet was merely signed with a test certificate, somehow was automatically downloaded and installed on a Microsoft Surface device, and that to us is deeply concerning, because in essence, if this could happen, then even at organizations that may be spending millions on cyber security, a single such piece of software quietly making its way in through such a trusted channel, could possibly instantly render their entire multi-million dollar cyber security apparatus useless, and jeopardize the security of the entire organization, and this could happen at thousands of organizations worldwide.
With full respect to Microsoft and Mr. Nadella, this is deeply concerning and unacceptable, and I'd like some assurance, as I'm sure would 1000s of other CEOs and CISOs, that this will never happen again, on any Surface device, in any organization.
In our case, this was very important, because had we put that brand new Surface device that we procured from none other than the Microsoft Store into operation (even if we had re-imaged it with an ultra-secure locked-down internal image), from minute one, post the initial Windows Update, we would likely have had a potentially compromised device running within our internal network, and it could perhaps have led to us being breached.
If I Were Microsoft, I'd Send a Plane
Dear Microsoft, we immediately quarantined that Microsoft Surface device, and we have it in our possession.
If I were you, I'd send a plane to get it picked up ASAP, so you can thoroughly investigate every little aspect of this to figure out how this possibly happened, and get to the bottom of it! (Petty process note: The Microsoft Store let us keep the device for a bit longer, but will not let us return the device past June 24, and the only reason we've kept it, is in case you'd want to analyze it.) Here's why. At the very least, if I were still at Microsoft, and in charge of Cyber Security -
I'd want to know how an untrusted Kernel-mode device driver made it into the Windows Catalog
I'd want to know why a Microsoft Surface device downloaded a purportedly Lenovo driver
I'd want to know how Windows 10 permitted and in fact itself installed an untrusted driver
I'd want to know exactly which SKUs of Microsoft Surface this may have happened on
I'd want to know exactly how many such Microsoft Surface devices out there may have downloaded this package
Further, and as such, considering that Microsoft Corp itself may easily have thousands of Surface devices being used within Microsoft itself, if I were still with Microsoft CorpSec, I'd certainly want to know how many of their own Surface devices may have automatically downloaded and installed this highly suspicious piece of untrusted self-signed software.
In short, Microsoft, if you care as deeply about cyber security as you say you do, and by that I'm referring to what Mr. Nadella, the CEO of Microsoft, recently said (see video below: 0:40 - 0:44), and I quote, "we spend over a billion dollars of R&D each year, in building security into our mainstream products", then you'll want to get to the bottom of this, because other than the Cloud, what else could be a more mainstream product for Microsoft today than Microsoft Windows and Microsoft Surface?! -
Folks, the only reason I decided to publicly share this is because I care deeply about cyber security, and I believe that this could potentially have impacted the foundational cyber security of any, and potentially, of thousands of organizations worldwide.
Hopefully, as you'll agree, a trusted component (i.e. Windows Update) of an operating system that virtually the whole world will soon be running on (i.e. Windows 10), should not be downloading and installing a piece of software that runs in Kernel-mode, when that piece of software isn't even digitally signed by a valid digital certificate, because if that piece of software happened to be malicious, then in doing so, it could likely, automatically, and for no fault of its users, instantly compromise the cyber security of possibly thousands of organizations worldwide. This is really as simple, as fundamental and as concerning, as that.
All in all, the Microsoft Surface is an incredible device, and because, like Apple's computers, the entire hardware and software is in control of a single vendor, Microsoft has a huge opportunity to deliver a trustworthy computing device to the world, and we'd love to embrace it. Thus, it is vital for Microsoft to ensure that its other components (e.g. Update) do not let the security of its mainstream products down, because per the Principle of Weakest Link, "a system is only as secure as is its weakest link."
For those who may not know what Active Directory Security is (i.e. most CEOs, a few CISOs, and most employees and citizens), suffice it to say that global security may depend on Active Directory Security, and thus it may be a matter of paramount defenses.
Most respectfully, Sanjay
PS: Full Disclosure: I had also immediately brought this matter to the attention of the Microsoft Store. They escalated it to Tier-3 support (based out of New Delhi, India), who then asked me to use the Windows Feedback utility to share the relevant evidence with Microsoft, which I immediately and dutifully did, but I never heard back from anyone at Microsoft in this regard again.
PS2: Another small request to Microsoft - Dear Microsoft, while at it, could you please also educate your global customer base about the paramount importance of Active Directory Effective Permissions, which is the ONE capability without which not a single object in any Active Directory deployment can be adequately secured! Considering that Active Directory is the foundation of cyber security of over 85% of all organizations worldwide, this is important. Over the last few years, we've had almost 10,000 organizations from 150+ countries knock at our doors, and virtually none of them seem to know this most basic and cardinal fact of Windows Security. I couldn't begin to tell you how shocking it is for us to learn that most Domain Admins and many CISOs out there don't have a clue. Can you imagine just how insecure and vulnerable an organization whose Domain Admins don't even know what Active Directory Effective Permissions are, let alone possessing this paramount capability, could be today?
As we get ready to bid farewell to 2017, it may be fitting to recap notable happenings in Active Directory Security this year.
This appears to have been the year in which the mainstream Cyber Security community finally seems to have realized just how important and in fact paramount Active Directory Security is to cyber security worldwide, in that it appears that they may have finally realized that Active Directory is the very heart and foundation of privileged access at 85% of organizations worldwide!
I say so only because it appears to have been in this year that the following terms seem to have become mainstream cyber security buzzwords worldwide - Privileged User, Privileged Access, Domain Admins, Enterprise Admins, Mimikatz DCSync, AdminSDHolder, Active Directory ACLs, Active Directory Privilege Escalation, Sneaky Persistence in Active Directory, Stealthy Admins in Active Directory, Shadow Admins in Active Directory, Domain Controllers, Active Directory Botnets, etc. etc.
Active Directory Security Goes Mainstream Cyber Security
Here are the 10 notable events in Active Directory Security that helped it get mainstream cyber security attention this year -
Since the beginning of the year, i.e. January 01, 2017, Mimikatz DCSync, an incredibly and dangerously powerful tool built by Benjamin Delpy that can be used to instantly compromise the credentials of all Active Directory domain user accounts in an organization, including those of all privileged user accounts, has been gaining immense popularity, and appears to have become a must-have tool in every hacker, perpetrator and cyber security penetration-tester's arsenal.
On May 15, 2017, the developers of BloodHound introduced version 1.3, with the objective of enhancing its ability to find privilege escalation paths in Active Directory that could help find out "Who can become Domain Admin?" From that point on, Bloodhound, which is massively inaccurate, seems to have started becoming very popular in the hacking community.
On June 08, 2017, CyberArk a Billion+ $ cyber-security company, and the self-proclaimed leader in Privileged Account Security, introduced the concept of Shadow Admins in Active Directory, as well as released a (massively inaccurate) tool called ACLight to help organizations identify all such Shadow Admins in Active Directory deployments worldwide.
On June 14, 2017, Sean Metcalf, an Active Directory security enthusiast penned an entry-level post "Scanning for Active Directory Privileges and Privileged Accounts" citing that Active Directory Recon is the new hotness since attackers, Red Teamers and penetration testers have realized that control of Active Directory provides power over the organization!
On July 11, 2017, Preempt, a cyber security company, announced that they had found a vulnerability in Microsoft's implementation of LDAPS that permits the enactment of an NTLM relay attack, and in effect could allow an individual to impersonate a(n already) privileged user and enact certain LDAP operations to gain privileged access.
On July 26, 2017, the developers of (massively inaccurate) BloodHound gave a presentation titled An ACE Up the Sleeve - Designing Active Directory DACL Backdoors at the famed Black Hat Conference USA 2017. This presentation at Black Hat likely played a big role in bringing Active Directory Security to the forefront of mainstream Cyber Security.
Also on July 26, 2017, a second presentation on Active Directory Security at the Black Hat Conference titled The Active Directory Botnet introduced the world to a new attack technique that exploits the default access granted to all Active Directory users, to setup command and control servers within organizations worldwide. This too made waves.
On September 18, 2017, Microsoft's Advanced Threat Analytics (ATA) Team penned a detailed and insightful blog post titled Active Directory Access Control List - Attacks and Defense, citing that recently there has been a lot of attention regarding the use of Active Directory ACLs for privilege escalation in Active Directory environments. Unfortunately, in doing so Microsoft inadvertently ended up revealing just how little its ATA team seems to know about the subject.
On December 12, 2017, Preempt, a cyber security company, announced that they had found a flaw in Microsoft's Azure Active Directory Connect software that could allow Stealthy Admins to gain full domain control. They also suggested that organizations worldwide use their (massively inaccurate) tooling to find these Stealthy Admins in Active Directory.
Helping Defend Microsoft's Global Customer Base ( i.e. 85% of Organizations Worldwide )
Folks, since January 01, 2017, both as former Microsoft Program Manager for Active Directory Security and as the CEO of Paramount Defenses, I've penned 50+ insightful blog posts to help educate thousands of organizations worldwide about...
...not just the paramount importance of Active Directory Security to their foundational security, but also about how to correctly secure and defend their foundational Active Directory from every cyber security risk/challenge covered in points 1-9 above.
I trust you're well. Today, I just wanted to take a few minutes to answer a few questions that I've been asked so many times.
Here are the answers to the Top-5 questions I am frequently asked -
You're the CEO of a company (Paramount Defenses), so why do you blog so often, and how do you have time to do so?
Good question. This is a bit of a unique situation, in that whilst I am the CEO of a company, I am also a subject matter expert in Active Directory Security (simply by virtue of my background) and thus I feel that it is my civic duty to help organizations understand the paramount importance of securing their foundational Active Directory deployments.
In fact, over the last 7+ years, I've penned 150+ blog posts on Active Directory Security (here) and Cyber Security (here) on various topics such as Active Directory Privilege Escalation, the OPM Breach, Kerberos Token Bloat, Eff Perms, AdminSDHolder, Mimikatz DCSync, Sneaky Persistence, How to Correctly Identify Stealthy Admins in Active Directory, How to Correctly Identify Shadow Admins in Active Directory etc. and most recently on Active Directory Botnets.
As to how I have the time to do so, that's actually not that difficult. We have a world-class team at Paramount Defenses, and I've been able to delegate a substantial amount of my CEO-related work amongst our executive leadership team.
Speaking of which, how big is Paramount Defenses?
At Paramount Defenses, we believe that less is more, so our entire global team is fewer than 100 people. For security reasons, 100% of our staff are U.S. Citizens, and to date, the entirety of our R&D team consists of former Microsoft employees.
If by how big we are, you meant how many organizations we impact, today our unique high-value cyber security solutions and insights help adequately secure and defend thousands of prominent organizations across six continents worldwide.
Why is it just you (and why aren't your employees) on Social Media (e.g. LinkedIn, Facebook, Twitter etc.)?
The simple answer to this question - For Security Reasons.
At Paramount Defenses, we care deeply about cyber security, so we also strive to lead by example in every way.
As it pertains to cyber security, we have found that the presence of an organization's employees on social-media almost always results in excessive information disclosure that could be very valuable for hackers and various other entities who may have malicious intent, so our corporate policies do not permit a social media presence.
Also, we're not huge fans of Twitter, and we certainly don't care about being on Facebook. We do like and appreciate LinkedIn, and in fact, we lead the world's largest community of Active Directory Security Professionals on LinkedIn.
You see, the Crown Jewels of cyber security reside in Active Directory, and if they're compromised, it's Game Over. By Crown Jewels, I'm referring to privileged access, or as commonly known, Domain Admin equivalent accounts.
It is a fact that 100% of all major recent cyber security breaches (except Equifax) involved the compromise of a single Active Directory privileged user account. Such accounts are Target #1 for hackers, which is why it is so very important that organizations be able to exactly identify and minimize the number of such privileged accounts in Active Directory.
Now, when it comes to identifying privileged user accounts in Active Directory, most organizations focus on enumerating the memberships of their default administrative groups in Active Directory, and that's it. Unfortunately, that's just the Tip of the Iceberg, and we have found that most of them do not even seem to know that in fact there are far more accounts with varying levels of elevated admin/privileged access in Active Directory than they are aware of.
This isn't a secret; it's something you know if you've ever heard about Active Directory's most powerful and capable cyber security feature - Delegation of Administration. The truth is that at most organizations, a substantial amount of delegation has been done over the years, yet no one seems to have a clue as to who has what privileged access. Here's why.
In fact, Active Directory privileged access accounts have been getting a lot of attention lately, because so many cyber security experts and companies are starting to realize that there exists a treasure-trove of privileged access in Active Directory. Thus, recently many such cyber security experts and companies have started shedding light on them (for example, one, two, three etc.), and some have even started developing amateur tools to identify such accounts.
What these experts and companies may not know is that their amateur tools are substantially inaccurate since they rely on finding out "Who has what Permissions in Active Directory" WHEREAS the ONLY way to correctly identify privileged user accounts in Active Directory is by accurately finding out "Who has what Effective Permissions in Active Directory?"
On a lighter note, I find it rather amusing that for lack of knowing better, most cyber security experts and vendors that may be new to Active Directory Security have been referring to such accounts as Stealthy Admins, Shadow Admins etc.
To make matters worse, there are many prominent vendors in the Active Directory space that merely offer basic Active Directory Permissions Analysis/Audit Tooling, yet they mislead organizations by claiming to help them "Find out who has what privileged access in Active Directory," and since so many IT personnel don't seem to know better, they get misled.
Thus, there's an imperative need to help organizations learn how to correctly audit privileged users in Active Directory.
Consequently, the intention of my blogging is to HELP thousands of organizations and cyber security experts worldwide UNDERSTAND that the ONLY correct way to identify privileged users in Active Directory is by accurately determining effective permissions / effective access in Active Directory. There is only ONE correct way to accomplish this objective.
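To make the distinction between "who has what permissions" and "who has what effective permissions" concrete, here is an added example (not code from this post or from Paramount Defenses) in Python. It models a single access right on the domain root, the replication right the post discusses (DS-Replication-Get-Changes-All, which the post refers to as Get-Replication-Changes-All), and shows that listing the ACEs that name a user gives a different answer from resolving the user's effective access once nested group membership and ACE ordering are taken into account. The groups and ACEs are constructed sample data, and the evaluation order assumed is the canonical Windows DACL order (explicit deny, explicit allow, inherited deny, inherited allow; first match wins for a given right), which the reader should verify against the real environment.

```python
"""Permissions versus effective permissions on an Active Directory object.

Added example, not code from the post or from Paramount Defenses. Groups and
ACEs are constructed sample data; the evaluation order is the canonical Windows
DACL order (explicit deny, explicit allow, inherited deny, inherited allow), an
assumption to verify against the real directory.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

RIGHT = "DS-Replication-Get-Changes-All"   # the post calls this Get-Replication-Changes-All


@dataclass(frozen=True)
class Ace:
    trustee: str      # user or group named in the ACE
    right: str        # access right the ACE grants or denies
    allow: bool       # True for an allow ACE, False for a deny ACE
    inherited: bool   # True if the ACE was inherited from a parent object


# Constructed group membership (group -> direct members, users or groups).
# "alice" reaches "Legacy-Replication" only through two levels of nesting.
GROUPS: Dict[str, Set[str]] = {
    "Legacy-Replication": {"Tier1-Ops"},
    "Tier1-Ops": {"HelpDesk", "bob"},
    "HelpDesk": {"alice"},
    "Domain Admins": {"carol"},
}

# Constructed ACEs on the domain root object. Storage order is irrelevant here;
# canonical_order() sorts them the way Windows evaluates them.
DOMAIN_ROOT_ACL: List[Ace] = [
    Ace("Legacy-Replication", RIGHT, allow=True, inherited=False),
    Ace("HelpDesk", RIGHT, allow=False, inherited=True),    # inherited deny
    Ace("bob", RIGHT, allow=False, inherited=False),        # explicit deny
    Ace("Domain Admins", RIGHT, allow=True, inherited=False),
]


def expand_membership(principal: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """Return the principal plus every group it belongs to, directly or via nesting."""
    token = {principal}
    changed = True
    while changed:
        changed = False
        for group, members in groups.items():
            if group not in token and members & token:
                token.add(group)
                changed = True
    return token


def canonical_order(acl: List[Ace]) -> List[Ace]:
    """Explicit deny, explicit allow, inherited deny, inherited allow (stable sort)."""
    return sorted(acl, key=lambda a: (a.inherited, a.allow))


def has_effective_right(principal: str, right: str, acl: List[Ace],
                        groups: Dict[str, Set[str]]) -> bool:
    """Resolve one right for one principal: the first matching ACE in canonical order decides."""
    token = expand_membership(principal, groups)
    for ace in canonical_order(acl):
        if ace.right == right and ace.trustee in token:
            return ace.allow
    return False


def direct_aces(principal: str, right: str, acl: List[Ace]) -> List[Ace]:
    """What a plain permissions listing shows: only ACEs that name the principal itself."""
    return [a for a in acl if a.trustee == principal and a.right == right]


def audit(principals: Iterable[str], right: str, acl: List[Ace],
          groups: Dict[str, Set[str]]) -> Dict[str, Dict[str, bool]]:
    """Side-by-side view: does a direct ACE allow the right, and is it effectively held?"""
    return {
        p: {"direct_allow": any(a.allow for a in direct_aces(p, right, acl)),
            "effective": has_effective_right(p, right, acl, groups)}
        for p in principals
    }


if __name__ == "__main__":
    for name, view in audit(["alice", "bob", "carol", "dave"], RIGHT,
                            DOMAIN_ROOT_ACL, GROUPS).items():
        print(f"{name:6} direct allow={view['direct_allow']!s:5} effective={view['effective']}")
```

In this sample, "alice" has no ACE naming her at all, so a permissions listing reports nothing, yet she effectively holds the replication right through two levels of group nesting, and the inherited deny on her HelpDesk group does not save the day because the explicit allow on Legacy-Replication is evaluated first. "bob" is in the same allowed group but an explicit deny wins. A real directory adds object-specific ACEs, inheritance flags and many more rights, which is the point the post makes about the difficulty of doing this accurately.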
Why have you been a little hard on Microsoft lately?
Let me begin by saying that I deeply love and care for Microsoft. It may appear that I have been a tad hard on them, but that is all well-intentioned and only meant to help them realize that they have an obligation to their global customer base to adequately educate them about various aspects of cyber security in Windows, particularly the most vital aspects.
In that regard, if you truly understand cyber security in Windows environments, you know that Active Directory Effective Permissions and Active Directory Effective Access play an absolutely paramount role in securing Windows deployments worldwide, and since Active Directory has been around for almost two decades by now, one would expect the world to unequivocally understand this by now. Unfortunately, we found that (as evidenced above) no one seems to have a clue.
You may be surprised if I were to share with you that at most organizations worldwide, hardly anyone seems to even know what Active Directory Effective Permissions are, let alone why they're paramount to their security, and this is a highly concerning fact, because it means that most organizations worldwide are operating in the proverbial dark today.
It is upon looking into the reason for this that we realized that in the last decade, it appears that (for whatever reason) Microsoft may not have educated its global customer base about Active Directory Effective Permissions at all - Proof.
Thus, it is in the best interest of organizations worldwide that we felt a need to substantially raise awareness.
As to how on earth Microsoft may have completely forgotten to educate the world about this, I can only guess that perhaps they got so involved in building their Cloud offering and dealing with the menace of local-machine credential-theft attack vectors that they completely missed this one paramount aspect of Windows security.
Fortunately for them and the world, we've had our eye on this problem for a decade now and we've been laser-focused. Besides, actions speak louder than words, so once you understand what it is we do at Paramount Defenses, you'll see that we've done more to help secure Microsoft's global customer base than possibly any other company on the planet.
Those who understand what we've built, know that we may be Microsoft's most strategic ally in the cyber security space.
Finally, the most important reason why I do what I do is that I care deeply and passionately about cyber security.
There's so much more to share, and I will continue to do so.
A Paramount Global Cyber Security Need
Today, I wanted to take a moment to touch upon one (not so) little aspect of cyber security that today profoundly impacts the foundational security of 85% of all business and government organizations worldwide, including most cyber security companies.
Folks, I am talking about empowering organizations worldwide to identify exactly who holds the proverbial "Keys to the Kingdom", i.e. helping them accurately identify exactly who actually possesses what privileged access in their Active Directory deployments.
The reason this is so important is because 100% of all major recent cyber security breaches (e.g. Snowden, Target, JP Morgan, Sony, Anthem, OPM) involved the compromise and misuse of guess what - just ONE Active Directory Privileged User Account.
Since we've been silently working on this since 2006, we have a head start of about a decade. Over the last few months, we've seen several prominent vendors finally realize the importance of doing so, and we've seen them share guidance on this subject.
Unfortunately, just about every piece of advice out there, whether it be from prominent cyber security experts or billion dollar cyber security companies, on how to actually correctly audit privileged access in Active Directory, is dangerously inaccurate.
There's an old saying - "Actions Speak Louder Than Words." While there's no dearth of talk by so many big names out there on how to improve cyber security, identify privileged users etc., the key to actually (demonstrably and provably) enhancing cyber security lies in actually helping organizations do so, and we've been silently at work for a decade to help organizations do so.
So, in days to come, right here on this blog, I'm going to (hopefully for one last time), share exactly how organizations worldwide can today accurately and efficiently identify privileged access in their foundational Active Directory deployments worldwide.
In doing so, we will yet again demonstrate Thought Leadership in the Cyber Security space. By the way, this is neither about us, nor about pride. I've already said I'm just a nobody (whose work possibly impacts everybody). This is about a desire to help.
So, that post should be out right here on this blog next week, possibly as early as Monday morning.
We’ve made it to week five of National Cyber Security Awareness Month (NCSAM)! The theme this week is “Protecting Critical Infrastructure from Cyber Threats.” The basic infrastructure that supports our daily lives is deeply dependent on the Internet, and, therefore, continually exposed to the risk of new threats and cyber attacks. As security breaches grow in frequency and sophistication every day, it’s crucial to build resiliency and then take steps to protect critical infrastructure to remain safe and secure online.
During the last week of NCSAM, the experts at Connection would like to remind you of the importance of identifying current and future strategies to protect your infrastructure and manage your risk. Cyber security is one of the biggest challenges organizations face today. Regardless of size or industry, every organization must ask themselves, is my security strategy up to date? If your organization is looking to stay on the front line of cyber security, it’s imperative to know how an end-to-end risk management strategy can help you properly secure your infrastructure.
Our security experts have an abundance of experience, and several areas of expertise we can put to work for you. We are committed to keeping your organization safe and secure, and can help design, deploy, and support solutions to address your critical risks and defend your critical infrastructure. For more information, contact one of our security experts today!
It’s Week 5 of National Cyber Security Awareness Month (NCSAM). This week, the focus is on protecting critical infrastructure—the essential systems that support our daily lives such as the electric grid, financial institutions, and transportation. Unfortunately, attacks on critical infrastructure have become a concern worldwide. A devastating attack isn’t just a theoretical possibility anymore. As we’ve recently seen with Equifax, and other security breaches in healthcare and other industries, the growing threat of serious attacks on critical infrastructure is real. These days, hackers have become much more formidable, and we will undoubtedly see more of these attacks in the future. It’s no longer a matter of if there will be another attack, but when. Let’s celebrate this last week of NCSAM by staying aware and being prepared.
Protecting your infrastructure requires constant vigilance and attention to evolving cyber attacks. Risk is inherent in everything we do, so trying to stay ahead of the cyber security curve is key. Our team of security experts can help you build a security strategy to detect, protect, and react to the complete threat lifecycle. The threats we all need to manage today evolve quickly, and we can help you minimize your risk and maximize your defenses to improve your cyber resiliency. For some expert insight on securing your critical infrastructure, give us a call and discover the Connection difference.
It’s week 4 of National Cyber Security Awareness Month (NCSAM). Each week of NCSAM is dedicated to a specific cybersecurity theme. The theme this week is “The Internet Wants YOU: Consider a Career in Cyber Security.”
With the continuous state of change in the global threat landscape, organizations face cyber attacks and security breaches that are growing in frequency and sophistication every day. But now, consider this: according to a study by the Center for Cyber Safety and Education, there will be a shortage of 1.8 million information security workers by 2022. This gap should be of great concern to organizations.
Skilled people make the difference in protecting sensitive data, so it’s more critical than ever that organizations begin to attract and retain the cybersecurity talent needed to defend against the evolving threat landscape. At Connection, we help inspire individuals coming out of universities to engage in co-op or intern-related opportunities, and I strongly encourage other organizations to see what they can do to help young people today who are really interested in building their skills in this area.
The figures don’t lie. The demand for cyber security will only continue to grow. Through local collaborative efforts between employers, training providers, and community leaders, we can ensure individuals have the opportunity to build on their tech knowledge and participate in a secure, thriving economy.
October is National Cyber Security Awareness Month, which is an annual campaign to raise awareness about the importance of cyber security. Week 4 of NCSAM is all about the growing field of cyber security and why you might want to consider this career.
It’s impossible to overstate the importance of security in today’s digital world. Cyber attacks are growing in frequency and sophistication every day, and a key risk to our economy and security is the lack of professionals to protect our growing networks. According to a study by the Center for Cyber Safety and Education, by 2022, there will be a shortage of 1.8 million information security workers. So, it’s critical that we begin now to prepare our students—and any others who are interested in making a career move—to fill these gaps. Many colleges and universities have developed information assurance programs that help technical, security-minded students achieve a great foundation in this industry. We also challenge corporations to offer intern and co-op opportunities for students in these degree programs, so they can see what security looks like in practical, business-world applications.
Connection is committed to promoting cyber security and online safety. Join Connection during Week 4 of NCSAM, as we explore cyber security as a viable and rewarding profession and encourage people from all backgrounds to see information security as an essential career path.
The world has been rocked once again with a serious flaw in a basic security mechanism that we all take for granted to keep us safe and secure. According to Dark Reading, researchers at Belgium’s University of Leuven have uncovered as many as 10 critical vulnerabilities in the Wi-Fi Protected Access II (WPA2) protocol used to secure Wi-Fi networks. This is a protocol that—as we have all learned over the last several years—must be configured to keep us safe.
Key reinstallation attacks—or KRACKs—impact all modern wireless networks using the WPA2 protocol. The flaw gives attackers the ability to decrypt data packets, so that private (encrypted) communication is no longer private. Although the flaw requires the attacker to be in close proximity to the network to execute, this is especially bad news for those with far-reaching wireless signals—such as hotel and hospital lobbies—where an attacker can just sit down and work their trade.
The Vulnerability Notes Database provides a summary and detailed description of the vulnerabilities. It includes a list of vendors who may be affected by the vulnerability, and a status field indicating whether the vendor has any products that are affected.
What can you do?
Vendors are currently identifying their affected products and working on patches to address this attack. In the meantime, here are a few things you can do to keep your information safe:
Apply patches as they are released
Pay careful attention to your wireless environment
Watch for people and technology that look out of place
Utilize a trusted VPN solution
When possible, transfer data over an encrypted channel—such as HTTPS
Restrict sensitive information that would normally pass over a wireless network
And, as always, it’s a good practice to monitor access logs and wireless traffic to look for anomalies in standard business communication
How has this WiFi vulnerability affected your organization? Leave a comment below to share your experience and any additional advice you have for staying protected.
As a security professional, I probably take security more seriously than most. But when we start talking about the Internet of Things (IoT), the science fiction buff in me comes to the forefront a little bit. While we don’t want any kind of attacks to happen to our organizations, it can be a little fun to imagine the crazy ways hackers can use mundane appliances to hack into a network.
For example, earlier this year, a North American casino was hacked through a smart fish tank. Since the equipment in the tank was connected to the Internet, attackers were able to use that as their vector for network access. Fortunately, the breach was discovered quickly afterward—and you never want to hear about security breaches like this, but it certainly does make for a unique story.
That highlights the risks that are out there today. If you’re connected to the Internet, you are vulnerable to attacks. With IoT and the proliferation of smart devices, we’re starting to see some creativity from hackers that is not necessarily being counteracted with the appropriate level of security controls. That fancy fish tank certainly didn’t have the appropriate level of security controls. Having “regular” devices connect to the Internet can bring flexibility and manageability, but it also opens up more vulnerabilities.
That risk is something that everybody needs to understand. Basically, like any good risk owner, you need to think about what device you have, how it’s connecting, where it’s connecting to, and whether or not that connection has a level of security that meets your policy and control expectations. Honestly, what I’ve seen is that because of the easy and seamless connectivity of these smart devices, a lot of organizations are not thinking about necessary security measures. They aren’t quite seeing that a fish tank or a biomedical device or even an HVAC system can be just as vulnerable to attack as a server or application.
So how do you keep your network and data safe and still take advantage of the benefits of the IoT? Employ the same techniques I spoke of last week: protect, detect, and react. Assess, document, and validate risks. Make sure that you have a complete and total information security risk management or risk governance program. Apply these techniques and programs to every single device on your network, no matter how low-level it may seem. Something as normal as a thermostat or refrigerator could be a gateway for a hacker.
Our experts can help you assess your environment for risks and vulnerable points in your network, and help you put together a comprehensive security program that doesn’t leave out anything—even your lobby fish tank or break room fridge.
(A Must-Read for all CEOs, CFOs, CIOs, CISOs, Board Members & Shareholders Today)
Today was supposed to be an exciting Friday morning at a Multi-Billion $ organization since the world's top Cloud Computing companies were going to make their final pitches to the company's C-Suite today, as it was considering moving to the "Cloud."
With Cloud Computing companies spending billions to market their latest Kool-Aid to organizations worldwide (even though much of this may actually not be ready for mission-critical stuff), how could this company too NOT be considering the Cloud?
The C-Suite Meeting
Today was a HUGE day for this multi-billion dollar company, for today after several months of researching and evaluating their choices and options, the company's leadership would finally be deciding as to which Cloud Computing provider to go with.
The meeting was chaired by the Chairman of the Board and attended by the following company executives -
Chief Executive Officer (CEO)
Chief Financial Officer (CFO)
Chief Information Officer (CIO)
Chief Information Security Officer (CISO)
Also in attendance are about a dozen Vice Presidents, representing Sales, Marketing, Research and Development etc.
After breakfast, the presentations began at 9:00 am. The organization's CIO kicked off the meeting, rattling off the numerous benefits that the company could enjoy by moving to the Cloud, and minutes later the Vice President of Cloud Computing from the first Cloud Computing company vying for their business started his presentation. His presentation lasted two hours.
The C-Suite then took a break for lunch.
The next presentation began at 1:00 pm and was expected to last till about 4:00 pm. The Vice President of Cloud Computing from the second Cloud Computing company had started her presentation and was almost an hour into it, when all of a sudden this happened...
... the CISO's assistant unexpectedly entered the room, went straight to the CISO and whispered something into his ear.
Everyone was surprised, and all eyes were on the CISO, who grimly asked his assistant - "Are you 100% sure?" The assistant said "Yes."
Houston, We Have a Problem
The CISO walked up to the CIO and whispered something into his ear. The CIO sat there in complete shock for a moment!
He then gathered himself and proceeded to request everyone except the C-Suite to immediately leave the conference room.
He told the Vice President of this Cloud Computing company - "Hopefully, we'll get back to you in a few weeks."
He then looked at the CEO and the Chairman of the Board, and he said - "Sir, we have a problem!"
The CEO asked the CIO - "What's wrong? What happened?"
The CIO replied - "Sir, about 30 minutes ago, an intruder compromised the credentials of each one of our 20,000 employees!"
The CEO was almost in shock, and just couldn't believe what he had just heard, so he asked - "Everyone's credentials?!"
The CIO replied - "I'm afraid yes Sir, yours, mine, literally everyone's, including that of all our privileged users!"
The CEO could sense that there was more bad news, so he asked - "Is there something else I should know?"
The CIO replied - "Sir, 15 minutes ago, the intruder logged on as an Enterprise Admin, disabled the accounts of each one of our privileged users, and used Group Policy to deploy malicious software to each one of our 30,000 domain-joined computers! By now, he could have stolen, exfiltrated and destroyed the entirety of our digital assets! We may have lost literally everything!"
The CEO was shocked! They'd just been breached, and what a massive breach it was - "How could this have happened?"
The CIO turned to the CISO, who stepped in, and answered the question - "Sir, an intruder used a tool called Mimikatz DCSync to basically request and instantly obtain the credentials of every single user from our foundational Active Directory deployment."
The CEO asked - "What is Active Directory?"
The CISO replied - "Sir, simply put, it is the very foundation of our cyber security"
The CEO then asked - "Wait. Can just anyone request and extract credentials from Active Directory?"
The CISO replied - "Sir, not everyone can. Only those individuals who have sufficient access to do so, and by that I mean, specifically only those who have Get-Replication-Changes-All effective permissions on the domain root object, can do so."
The CEO then said - "This does not sound right to me. I'm no technical genius, but shouldn't we have known exactly who all have this, whatever you just said, er yes that Get-Replication-Changes-All effective permissions in our Active Directory?!"
The CISO replied - "Sir, it turns out that accurate determination of effective permissions in Active Directory is actually very difficult, and as a result it is almost impossible to figure out exactly who has these effective permissions on our domain root!"
The CEO figured it out - "So you're saying that the intruder had compromised the account of someone who was not on your radar and not supposed to have this access, but actually did, and the intruder used that access to steal everyone's credentials?"
The CISO replied - "That's right. It appears we did not know that this someone had sufficient access (i.e. effective permissions) to be able to replicate secrets from Active Directory, because it is very difficult to accurately figure this out in Active Directory."
The CEO was furious! - "You're kidding, right?! Microsoft's spent billions on this new fad called the "Cloud", yet it doesn't even have a solution to help figure out something as vital as this in Active Directory? How long has Active Directory been around?!"
The CISO replied - "Seventeen years."
The CEO then said in disbelief - "Did you just say 17 years, as in S-E-V-E-N-T-E-E-N years?! Get Satya Nadella on the line now! Perhaps I should #REFRESH his memory that we're a customer, and that we may have just lost a few B-I-L-L-I-O-N dollars!"
This is for Real
Make NO mistake about it. As amusing as it might sound, the scenario shared above is very REAL, and in fact today, most business and government organizations worldwide that operate on Active Directory have no idea as to exactly who has sufficient effective permissions to be able to replicate secrets out of their Active Directory. None whatsoever!
We can demonstrate the enactment of this exact scenario, and its underlying cause, to any organization that wishes to see it.
This Could've Been (and Can Be) Easily Prevented
This situation could easily have been prevented, if this organization's IT personnel had only possessed the ability to adequately and accurately determine effective permissions in their foundational Active Directory deployments.
Unfortunately, Mimikatz DCSync is just the Tip of the Iceberg. Today most organizations are likely operating in the dark and have no idea about the actual attack surface, and thus about exactly who can create, delete and manage the entirety of their domain user accounts, domain computer accounts, domain security groups, GPOs, service connection points (SCPs), OUs etc. even though every insider and intruder could try and figure this out and misuse this insight to compromise their security.
Technically speaking, with even just minimal education and the right tooling, here is how easy it is for organizations to figure this out and lock this down today, i.e. to lock this down before an intruder can exploit it to inflict colossal damage - RIGHT HERE.
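Locking down the ACLs is the prevention side; a defender also wants to know when a replication right is actually exercised by something other than a domain controller, which is what DCSync boils down to on the wire. The following is an added example, not code from this post or from Paramount Defenses, written in Python: it runs a simple detection over a few constructed Directory Service audit records (Event ID 4662, "An operation was performed on an object") and flags any subject that exercised one of the three replication control-access rights but is not a known domain controller account. The event records are fabricated and flattened into one dict per event with the 4662 field names, and the domain controller allowlist is an assumption for the sample domain; map both onto your own log pipeline before relying on it.

```python
"""Flagging replication-right usage by accounts that are not domain controllers.

Added example, not code from the post. Event records are constructed and
simplified to a flat dict per 4662 event; DC_ACCOUNTS is an assumed allowlist
for the sample domain "corp.example".
"""
import re
from typing import Dict, Iterable, List

# Control-access right GUIDs Active Directory checks before replicating changes.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100   # AccessMask bit set when an extended (control-access) right is exercised
GUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")

# Constructed allowlist of domain controller computer accounts (assumption).
DC_ACCOUNTS = {"DC01$", "DC02$"}

# Constructed events, fields named after the 4662 XML data items and flattened.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "SubjectDomainName": "CORP",
     "AccessMask": "0x100", "ObjectName": "DC=corp,DC=example",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},          # normal DC-to-DC replication
    {"EventID": 4662, "SubjectUserName": "alice", "SubjectDomainName": "CORP",
     "AccessMask": "0x100", "ObjectName": "DC=corp,DC=example",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},           # user account pulling secrets
    {"EventID": 4662, "SubjectUserName": "alice", "SubjectDomainName": "CORP",
     "AccessMask": "0x20", "ObjectName": "CN=alice,OU=Staff,DC=corp,DC=example",
     "Properties": "{00000000-0000-0000-0000-000000000000}"},           # ordinary write, placeholder GUID
    {"EventID": 4624, "SubjectUserName": "alice", "SubjectDomainName": "CORP"},  # a logon, not a DS access
    {"EventID": 4662, "SubjectUserName": "WS17$", "SubjectDomainName": "CORP",
     "AccessMask": "0x100", "ObjectName": "DC=corp,DC=example",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},          # machine account that is not a DC
]


def replication_rights_in(properties: str) -> List[str]:
    """Names of the replication rights whose GUIDs appear in a Properties field."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def access_mask(value: object) -> int:
    """AccessMask arrives as an int or as a hex string such as '0x100'."""
    if isinstance(value, int):
        return value
    try:
        return int(str(value), 16)
    except ValueError:
        return 0


def is_domain_controller(account: str, dc_accounts: Iterable[str]) -> bool:
    """Case-insensitive allowlist check on the SubjectUserName."""
    return account.upper() in {a.upper() for a in dc_accounts}


def find_suspicious_replication(events: Iterable[Dict[str, object]],
                                dc_accounts: Iterable[str]) -> List[Dict[str, object]]:
    """One alert per 4662 event in which a non-DC subject exercised a replication right."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        if not access_mask(ev.get("AccessMask", 0)) & CONTROL_ACCESS:
            continue
        rights = replication_rights_in(str(ev.get("Properties", "")))
        if not rights:
            continue
        user = str(ev.get("SubjectUserName", ""))
        if is_domain_controller(user, dc_accounts):
            continue
        alerts.append({
            "user": user,
            "domain": ev.get("SubjectDomainName", ""),
            "object": ev.get("ObjectName", ""),
            "rights": rights,
            "reason": "replication right exercised by a subject that is not a known domain controller",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_replication(SAMPLE_EVENTS, DC_ACCOUNTS):
        print(f"ALERT {alert['domain']}\\{alert['user']} on {alert['object']}: "
              + ", ".join(alert['rights']))
```

Two things to keep in mind when adapting this: 4662 records are only written when Directory Service Access auditing is enabled and the domain naming context carries a SACL covering these control-access rights, so confirm the events exist before trusting the absence of alerts; and some non-DC identities replicate legitimately, the Azure AD Connect synchronization account the post mentions being the usual one, so extend the allowlist only after verifying each such account rather than suppressing the rule.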
Oh, and you don't need to call Microsoft for this, although you certainly can and should. If you do, they'll likely have no answer, yet they might use even this to pitch you their latest toy, Microsoft ATA, and of course, their Cloud offering, Microsoft Azure.
Wait, weren't these C*Os discussing the Cloud (and likely Microsoft Azure) just a few hours (and a few billion dollars) ago?!
Unfortunately, given the massive scale of this breach, the company did not survive the attack, and had to declare bankruptcy. The C*Os of this company are still looking for suitable employment, and its shareholders ended up losing billions of dollars.
All of this could've been prevented, if they only knew about something as elemental as this, and had the ability to determine this.
The moral of the story is that while it's fine to follow the latest fad, i.e. consider moving to the "Cloud" and all, as and while you consider and plan to do so, you just cannot let your on-prem cyber defenses down even for a moment, because if you do, you may not have a company left to move to the Cloud. A single excessive effective permission in Active Directory is all it takes.
I'll say this one more time and one last time - what I've shared above could easily happen at almost any organization today.
PS: If this sounds too simple and high-level, i.e. hardly technical, that is by intent, as it is written for a non-technical audience. This isn't to showcase our technical depth; examples of our technical depth can be found here, here, here, here, here etc.
Here's why - Mimikatz DCSync, which embodies the technical brilliance of a certain Mr. Benjamin Delpy, may be the simplest example of how someone could attack Active Directory ACLs to instantly and completely compromise Active Directory. On the other hand, Gold Finger, which embodies the technical expertise of a certain former Microsoft employee, may be the simplest example of how one could defend Active Directory ACLs by being able to instantly identify/audit effective permissions/access in/across Active Directory, and thus lockdown any and all unauthorized access in Active Directory ACLs, making it impossible for an(y) unauthorized user to use Mimikatz DCSync against Active Directory.
PS3: They say to the wise, a hint is enough. I just painted the whole picture out for you. (You may also want to read this & this.)
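The post above names the underlying cause (an excessive effective permission granting replication rights) but shows no way to look for it. As an added example, not code from Paramount Defenses, Microsoft or the Mimikatz project, the PowerShell below dumps every Allow ACE on the domain naming context that grants one of the replication control-access rights DCSync depends on (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, or a catch-all such as GenericAll), then recursively expands each trustee group to the concrete user and computer accounts behind it. It assumes the RSAT ActiveDirectory module, a domain-joined session with read access to the domain object's security descriptor, and uses the well-known rightsGuid values of those extended rights; the function names are illustrative.

```powershell
# Added example (not Paramount Defenses' or Microsoft's code): who can replicate
# secrets out of this domain? Assumes RSAT ActiveDirectory module + domain-joined session.
Import-Module ActiveDirectory

# Well-known rightsGuid values of the replication control-access rights.
# DCSync needs both Get-Changes and Get-Changes-All to pull password hashes.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
# An ExtendedRight ACE whose ObjectType is the empty GUID grants every extended right.
$AllExtendedRights = '00000000-0000-0000-0000-000000000000'

function Get-ReplicationRightHolders {
    # One record per Allow ACE on the domain root that is sufficient for DCSync:
    # a named replication right, all extended rights, or GenericAll.
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights      = $ace.ActiveDirectoryRights
        $guid        = $ace.ObjectType.ToString()
        $hasExtended = $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        $grant = $null
        if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) {
            $grant = 'GenericAll'
        } elseif ($hasExtended -and $ReplicationRights.ContainsKey($guid)) {
            $grant = $ReplicationRights[$guid]
        } elseif ($hasExtended -and $guid -eq $AllExtendedRights) {
            $grant = 'All extended rights'
        }
        if ($grant) {
            [pscustomobject]@{
                Principal = $ace.IdentityReference.Value   # e.g. CORP\Domain Admins
                Grant     = $grant
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Expand-GroupToAccounts {
    # Recursively expands a trustee to the user/computer accounts behind it, so the
    # listing reflects effective membership rather than just the group name in the ACE.
    # Trustees that are not resolvable groups (well-known SIDs such as
    # ENTERPRISE DOMAIN CONTROLLERS, or individual accounts) are returned as-is.
    param([string]$Principal)
    $sam = $Principal.Split('\')[-1]
    try {
        $group = Get-ADGroup -Identity $sam -ErrorAction Stop
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -ne 'group' } |
            ForEach-Object { "$($_.objectClass):$($_.SamAccountName)" }
    } catch {
        $Principal
    }
}

# Usage: every trustee that can DCSync the domain, expanded to concrete accounts.
$report = foreach ($holder in Get-ReplicationRightHolders) {
    foreach ($account in Expand-GroupToAccounts -Principal $holder.Principal) {
        [pscustomobject]@{
            Trustee   = $holder.Principal
            Account   = $account
            Grant     = $holder.Grant
            Inherited = $holder.Inherited
        }
    }
}
$report | Sort-Object Account, Grant -Unique | Format-Table -AutoSize
```

In a healthy domain the expansion should come back to the domain controllers themselves and the built-in administrative groups (plus any directory-synchronization service account the organization knowingly granted these rights). Any other account in the output is exactly the "single excessive effective permission" the post warns about, and the fix is to remove the ACE or the group membership that produced it. Note the limits of this check: it reads one object's DACL and expands group nesting, but it does not evaluate Deny ACEs, object ownership, or principals from trusted domains, which is why a true effective-permissions determination is harder than an ACL dump.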
You'll want to read this short blog post very carefully because it not only impacts Microsoft, it likely impacts you, as well as the foundational security of 85% of all business and government organizations worldwide, and it does so in a positive way.
A Quick and Short Background
From the White House to the Fortune 1000, Microsoft Active Directory is the very foundation of cyber security at over 85% of organizations worldwide. In fact, it is also the foundation of cyber security of almost every cyber security company worldwide.
Active Directory is the Foundation of Cyber Security Worldwide
The entirety of an organization's building blocks of cyber security, including the user accounts used by the entirety of its workforce, as well as the user accounts of all its privileged users, the computer accounts of the entirety of its computers, and the security groups used to provision access to the entirety of its IT resources, are stored, managed and protected in Active Directory.
During the past few years, credential-theft attacks aimed at the compromise of an organization's privileged users (e.g. Domain Admins) have resulted in a substantial number of reported and unreported breaches at numerous organizations worldwide. In response, to help organizations combat the menace of these credential-theft attacks, Microsoft has had to make substantial enhancements to its Windows Operating Systems as well as acquire and introduce a technology called Microsoft ATA.
These enhancements have made it harder for perpetrators to find success with traditional credential-theft attacks, so they've started focusing their efforts on trying to find ways to attack the Active Directory itself, as evidenced by the fact that in the last year alone, we've seen the introduction of Mimikatz DCSync, BloodHound and recently the advent of Active Directory Botnets.
Make no mistake about it. There's no dearth of opportunity to find ways to exploit weaknesses in Active Directory deployments because there exists an ocean of access within Active Directory, and sadly due to an almost total lack of awareness, education, understanding and tooling, organizations have no idea as to exactly what lies within their Active Directory, particularly in regards to privileged access entitlements, and thus today there likely are 1000s of privilege escalation paths in most Active Directory deployments, waiting to be identified and exploited. All that perpetrators seem to lack today is the know-how and the tooling.
Unfortunately, since the cat's out of the bag, perpetrators seem to be learning fast, and building rapidly, so unless organizations act swiftly and decisively to adequately lock-down vast amount of access that currently exists in their foundational Active Directory deployments, sadly the next big wave of cyber breaches could involve compromise of Active Directory deployments.
Clearly, Microsoft Has No Answers
It gives me absolutely no pleasure to share with you that unfortunately, and sadly as always, Microsoft yet again seems to be playing catch-up, and in fact, it has no clue or any real answers, ideas or solutions to help organizations in this vital regard.
Here's Proof - Last week, on September 18, 2017, Microsoft's Advanced Threat Analytics (ATA) Team posted this -
If and when you read it, it will likely be unequivocally clear to you as to just how little Microsoft understands about not just the sheer depth and breadth of this monumental challenge, but about the sheer impact it could have on organizations worldwide!
You see, if you understand the subject of Active Directory Security well enough, then you know that Active Directory access control lists (ACLs) today don't just impact organizational security worldwide, they likely impact national and global security!
That said, in that post, the best Microsoft could do is concede that this could be a problem, wonder why organizations might ever need to change AdminSDHolder, falsely assume that it may not impact privileged users, praise a massively inaccurate tool for shedding light on this attack vector, and end by saying - "if you find a path with no obstacles, it probably leads somewhere."
Oh, and the very last thing they tell you is that their nascent ATA technology can detect multiple AD recon methods.
In contrast, here's what they should have said - "We care deeply about cyber security and we understand that left unaddressed, this could pose a serious cyber security risk to our customers. Rest assured that Microsoft Active Directory is a highly robust and securable technology, and here's exactly how organizations can adequately and reliably identify and lock-down privileged access in their Active Directory deployments, leaving no room for perpetrators to identify and exploit any weaknesses."
The reason I say that should've been the response is because if you know enough about this problem, then you also know that it can actually be completely and sufficiently addressed, and that you don't need to rely on detection as a security measure.
BTW, to appreciate how little Microsoft seems to understand about this huge cyber security challenge, you'll want a yardstick to compare Microsoft's response with, so here it is (; you'll want to read the posts) - Active Directory Security School for Microsoft.
Er, I'm really sorry but you are Microsoft, a US$ 550 Billion corporation, not a kid in college. If the best you can do concerning such a profoundly important cyber security challenge is show how little you seem to know about and understand this problem, and only have detection to offer as a solution, frankly, that's not just disappointing, that's deeply concerning, to say the least.
Further, if this is how little you seem to understand about such a profoundly important cyber security challenge concerning your own technology, I cannot help but wonder how well your customers might actually be protected in your recent Cloud offering.
Fortunately There's Help and Good News For Microsoft
I may appear to be critical of Microsoft, and I do still believe that they ought to at least have educated their customers about this and this huge cyber security challenge, but I also love Microsoft, because I've been (at) Microsoft, so I'm going to help them.
To my former colleagues at Microsoft I say - "Each one of us at Microsoft is passionate, cares deeply and always strives to do and be the best we can, and even though I may no longer be at Microsoft (and I still can't believe how you missed this one), luckily and fortunately for you, we've got this covered, and we're going to help you out."
So, over the next few days, not only am I going to help reduce the almost total lack of awareness, education and understanding that exists at organizations today concerning Active Directory Security, I am also going to help organizations worldwide learn just how they can adequately and swiftly address this massive cyber security challenge before it becomes a huge problem.
What Constitutes a Privileged User in Active Directory
How to Correctly Audit Privileged Users/Access in Active Directory
How to Render Mimikatz DCSync Useless in an Active Directory Environment
How to Easily Identify and Thwart Sneaky Persistence in Active Directory
How to Easily Solve The Difficult Problem of Active Directory Botnets
The World's Top Active Directory Permissions Analysis Tools (and Why They're Mostly Useless)
The Paramount Need to Lockdown Access Privileges in Active Directory
How to Attain and Maintain Least Privileged Access (LPA) in Active Directory
How to Securely Delegate and Correctly Audit Administrative Access in Active Directory
How to Easily Secure Active Directory and Operate a Bulletproof Active Directory Deployment
You see, each one of these Active Directory security focused objectives can be easily accomplished, but in order to do so, what is required is the capability to accurately audit effective access in Active Directory. Sadly, let alone possessing this paramount cyber security capability, Microsoft doesn't even seem to have a clue about it.
Each one of these posts is absolutely essential for organizational cyber security worldwide, and if you know of even one other entity (e.g. individual, company etc.) on the planet that can help the world address each one of these today, do let me know.
Together, we can help adequately secure and defend organizations worldwide and deny perpetrators the opportunities and avenues they seek to compromise our foundational Active Directory deployments, because we must and because we can.
As some of you may know, over the past few weeks, I have been publicly taking the $ 550 Billion Microsoft (Nasdaq: MSFT) to Active Directory Security School (see PS3 below) because today global security literally depends on Active Directory Security.
In case you're wondering why, here's why -
The Importance of Active Directory Security
From the White House to the British Houses of Parliament, and from Microsoft to the Fortune 1000, at the very foundation of IT, identity and access management, and cyber security at over 85% of all organizations worldwide today lies Active Directory.
In other words, the foundational security of thousands of government and business organizations depends on Active Directory.
To paint a picture - Governments, Militaries, Law Enforcement Agencies, Banks, Stock Exchanges, Energy Suppliers, Defense Contractors, Hospitals, Airlines, Airports, Hotels, Oil and Gas Companies, Internet, Tech and Cyber Security Companies, Manufacturing Companies, Pharmaceutical Companies, Retail Giants ... <the list is long> all run on Active Directory.
Operating in the Dark
Given my background, experience and whatever little I know about the subject, I have reason to believe that most organizations worldwide that operate on Active Directory are operating in the dark today, and have absolutely no idea as to exactly who has what level of privileged access in their foundational Active Directory!
Further, because over the last decade, almost 10,000 organizations from across 150+ countries worldwide have knocked at our doors unsolicited, we know exactly how much these organizations know about Active Directory Security, and we're shocked to know that 99% of them don't even know what "Active Directory Effective Permissions" are, and upon giving this due thought, we have arrived at the conclusion that the world's complete ignorance on this most paramount aspect of organizational cyber security can be attributed to the fact that Microsoft has likely not even once educated its customers about its importance!
Let There Be Light
So, I made an executive decision that we need to educate the $ 550 Billion Microsoft Corp about the paramount importance of "Active Directory Effective Permissions", so that they can in turn educate the thousands of vital business and government organizations at whose very foundation lies Active Directory about its sheer and cardinal importance.
Make no mistake about it - no organization that operates on Microsoft Active Directory today can be adequately secured without possessing the ability to determine effective permissions on the thousands of building blocks of cyber security (i.e. thousands of domain user accounts, computer accounts, security groups and policies) that reside in its Active Directory. It's really that simple.
A 1000 Cyber Security Companies!
Speaking of which, although there are supposedly over a 1000 cyber security companies in the world (and incidentally at their very foundation too lies Microsoft Active Directory), not a single one of them has the ability, the expertise or even a single solution to help the world accurately determine "effective permissions" in Active Directory. Not a single one of them!
Hello. As President of Paramount Defenses, I pen this letter most respectfully to you, the President of our Great United States.
First off, I should mention that I write neither as a Republican, nor as a Democrat, but as a fellow patriotic American citizen and a cyber security specialist, because I care, and that my desire to do so publicly is inspired by how much you Sir share publicly, and that this most respectful letter is in light of your tweet about discussing the creation of a Cyber Security Unit with Russia.
I'll do my best to keep this VERY simple.
Top-5 Global Security Risks
As President of the United States, you're likely aware of the Top-5 risks to not just America, but to the entire world today -
1. The Risk of the Use of a WMD / Nuclear War
2. The Risk of Earth's Demise, posed by Climate Change
3. The Risk of Terrorism, posed by Terror Groups Worldwide
4. The Risk of the Decline of American Leadership in the World
5. The Risk of Swift and Colossal Damage, posed by Cyber Threats
I am by no means an expert on global security, but common sense suggests that risks 1 and 2 above would be catastrophic to all of mankind, risk 3 could pose a serious threat to life and property, and that risk 4 could increase the likelihood of risks 1, 2 & 3.
As for risk 5, I do happen to know one vital area of cyber security decently well, so I'll share just a few thoughts about it, but first, I did want to take a moment to talk about risk 4 because it potentially impacts the lives of 7,000,000,000+ people worldwide.
The Importance of American Leadership
Mr. Trump, as President of the United States, you are the most powerful and influential person in the world, and most people would take such GREAT responsibility VERY seriously, since their actions and decisions could save or destroy the world.
Sir, the elections are over. You won. You are the President of the United States, and it is time to let the talking be, and start working to make America great again. This isn't reality TV, this is real life, and it's a billion times more significant and serious.
If I were the President of the United States, and I deeply cared about making America great again, I likely wouldn't have a moment to watch TV, Tweet or Golf. I'd be working harder than the hardest American to make America greater and safer.
(If I may momentarily digress; speaking of making America great again, while there likely may certainly be much to be done to restore its greatness, we owe it to our future generations to do so without polluting or endangering our precious environment.)
Today more than ever, we live in a precarious, highly-connected and inter-dependent world, and the world needs strong, mature and steady American leadership to amicably address so many important and complicated issues, such as those listed above.
Speaking of which, I'd like to share a few thoughts on risk 5, the risk of swift and colossal damage posed by Cyber Threats, but before I do so, again, I'd request you to please take a few moments to comprehend the profound importance, seriousness and significance of both the position bestowed upon you by the American people, as well as the challenges that you, Sir, today have the unique privilege and responsibility of addressing for both America and the world that America is inextricably a part of.
[ Hopefully you see that the reality is that since America is inextricably a part of the world, what happens out in the world could impact us substantially, so to make America great(er and safer) again, we must maintain American leadership in the world. ]
The Cyber Risk
Mr. President, to put it most simply, Cyber Security is the Achilles' Heel of developed nations today, because over the last few decades, our reliance on computer systems and networks has increased substantially (exponentially), and sadly within them exist many systemic and component specific deficiencies (vulnerabilities) which can be exploited to inflict colossal harm.
(This risk is actually addressable, and what the world needs is a White Knight so we have a trustworthy foundation to operate on, but until we get there, i.e. until the world has such a defensive shield in place to rely on, we all have reality to deal with.)
Consequently, today from our governments to our energy grids, from our defense systems to our transportation systems, and from our banks to our industries (i.e. a nation's business organizations), literally everything is exposed to varying levels of risk.
It is thus hardly surprising that today cyber security is one of the most important challenges the world faces, an assertion best evidenced by the fact that Russia's purported cyber interference in the 2016 American elections, remains a contentious issue.
Speaking of which, while the U.S. and in fact all countries and, ideally, all business organizations should certainly bolster their cyber defenses, establishing a Cyber Security Unit with the Russians might NOT be such a good idea, as also voiced by 1, 2, 3.
By the way, those who truly understand cyber security know that there is no such thing as an "impenetrable cyber security unit".
A quick digression. Yes, indeed the Russians are very good at cyber security and likely at hacking, and they're persistent, but they're not the only ones out there trying to hack our agencies and companies, and they don't always succeed. But, I digress.
Mr. President, as I put my pen down, I'll only add that of the risks listed above, in the near-term, the Cyber Risk may be 2nd only to the Nuclear Risk, because its realistic probability of occurrence is substantially higher, and its potential for damage, colossal.
Mr. Trump, you have a historic opportunity to SERVE the American People, and define your legacy - it's yours to embrace or squander.
Hello. I'm Sanjay, President of Paramount Defenses. I just wanted to congratulate you on your historic win, wish you success, as did President Obama, and share VALUABLE cyber security insight that could be VITAL to your administration's success.
Before I get to it, I should mention that I write neither as a Republican, nor as a Democrat, but as a fellow patriotic U.S. citizen and a cyber security professional, and that my desire to do so publicly has been inspired by how much you Sir share publicly. Given the sheer impact of our important work across America and the world today, we are a 100% non-partisan organization.
One quick vital point - regarding all the talk of Russian hacking to influence the U.S. election, while Russia and possibly others may certainly have tried to influence it, professionally speaking, i.e. as a cyber security practitioner, in the grand scheme of things, it matters not as much who is trying to hack us as it does that we protect ourselves from being hacked, so from that angle you're likely right that the DNC should have adequately defended itself. You see, once an entity is hacked, at that very moment the damage is done, because their data is now in someone else's hands, and the entity no longer has any control over what the perpetrators do with it. In fairness, one should also add that if indeed Russia did hack the RNC as well, but chose not to divulge their data, then reasonably speaking, that would have amounted to what is being called "an attempt to influence an election."
That said, Mr. Trump, hopefully you'll agree that given our sheer reliance and dependence on computers and technology, the success of your Presidency and your administration will GREATLY depend on the cyber security of our government agencies.
In that regard, I thought you should know that at the very foundation of cyber security of our entire U.S. Government (i.e. 600+ federal agencies) lies a single technology, Microsoft Active Directory, the cyber defense of which is paramount to our security.
You may or may not know this yet, but the White House, the U.S. Capitol, all our intelligence agencies, and virtually all our departments (e.g. Defense, State, Justice, Energy, Labor, Interior, Veterans Affairs etc.) all operate on Active Directory.
By the way, I must mention that none of this is classified information. This is all public knowledge. I just happen to know it first hand because I'm former Microsoft Program Manager for Active Directory Security, i.e. a "deep in the trenches" technical guy who possibly knows more about Active Directory security than most people on the planet. (I also happen to be an innovative American entrepreneur who built possibly the world's most relevant and important cyber security company, from the ground up.)
In fact, Active Directory is at the very foundation of cyber security of 85+% of all government and business organizations world-wide (The Americas, Europe, Asia, etc.) including at the foundation of virtually all of the tech companies whose CEOs recently visited you i.e. Microsoft, Amazon, Alphabet, IBM, Intel, Facebook, Tesla etc., as well as a little cyber company called Palantir.
It is very likely that thousands of business and government organizations in Russia too might be operating on Active Directory.
Sir, in all likelihood, the Trump Organization may also be operating on Active Directory. (Your IT folks could verify that for you.)
Mr. Trump, our cyber intelligence indicates that the foundational Active Directory deployments of most organizations worldwide may currently be exposed to an alarmingly vast attack surface, and thus may possibly be rather easily compromisable today.
The specific cyber security risk that most of them are all likely exposed to today is succinctly described in The Paramount Brief -
Password (case-sensitive): AreWeReallySecure?
If you're short on time, here's a very brief summary -
In every network powered by Active Directory, all administrative accounts i.e. the accounts of the individuals that possess the "Keys to the Kingdom" lie within Active Directory. It is a well known fact that if a perpetrator can compromise ANY one of these accounts, he/she could easily access and control everything. Thus, in every organization, ideally the number of such powerful accounts must be at an absolute bare minimum.
Unfortunately, in most organizations today, not only are there a HUGE number of privileged user accounts in Active Directory, NO ONE really knows exactly who they are and what power they possess. In other words, most organizations seem to be operating in the proverbial dark, & if breached, could likely be compromised in minutes.
In essence, a huge, unknown number of highly prized privileged accounts in Active Directory constitute a vast attack surface, and the compromise of any one of them would be tantamount to a system-wide compromise.
In our professional opinion, this poses a major cyber security risk globally, especially considering the statistics, i.e. 100% of all major recent cyber security breaches involved the compromise of a single (i.e. just 1) Active Directory privileged user account.
From our side, we can certainly (and uniquely) help organizations worldwide precisely identify and reduce their attack surface, as well as empower them to mitigate this serious risk, swiftly and cost-efficiently, but we do need them to understand it first.
I must also mention with due respect to the likes of Peter Thiel, Alex Karp, Ted Schlein & others, I doubt they're familiar with this specific risk or understand the depth of its magnitude, because this is one of those you have to be "deep in the trenches" to get.
Speaking of which, in 2016, we had directly informed the CEOs of most of the world's Top 200 companies (including most of the tech CEOs that came and met you at the Trump Tower), as well as all appropriate officials at most federal and state agencies about this risk to the foundational Active Directory deployments of their organizations; they all received The Paramount Brief.
Our intelligence further indicates that as a result, many of these organizations started to look at the security of their foundational Active Directory deployments for the first time ever. While some may have started bolstering their cyber defenses, sadly, many of these organizations likely continue to remain vulnerable, especially considering how easy it is to compromise them today.
For instance, if an intruder could breach their network (and Microsoft suggests that organizations assume breach), in many cases he/she could just deploy Mimikatz DCSync to instantly 0wn them. (Alex/Peter should be able to explain this to you.)
Fortunately the solutions required to swiftly, effectively and cost-effectively help all impacted organizations mitigate this critical risk exist today (e.g. 1,2). However, we're finding that many organizations do not even seem to know about this risk.
We worry that unless certain basic and fundamental cyber security measures are enacted quickly, many of our government and business organizations, as well as those of our allies worldwide, will likely remain vulnerable to cyber attacks in the near future.
From our side, we're doing what we can to educate and safeguard organizations worldwide, but much more needs to be done, and quickly so. It's in that regard that your intentions give many of us in cyber security, as well as the American people, hope...
Making America Great(er and Safer) Again
In addition to making America greater, we must also make (not only) America (but also our allies) safer, not only from physical threats but also from cyber threats. In fact, given our HUGE reliance on technology, and considering how easy it is to launch a cyber attack, the cyber threat may pose a far greater threat to our national security and prosperity than do physical threats.
I've read that it is your intention to appoint a team to combat cyber attacks within 90 days of taking office. That (in your parlance) sounds WONDERFUL. I commend you for this initiative. Indeed, it is imperative and in fact paramount that we do everything we can to safeguard and adequately defend our government and business organizations from being taken out by cyber attacks.
If I had to offer some unsolicited advice, I'd suggest that one of the most important measures one could enact is Attack Surface Reduction. Simply put, the smaller one's attack surface is, the better one's chances of being able to adequately defend it.
For instance, it is so much easier to protect a building that only has one entrance than it is to protect one that has 20 entrances, and where only a few security guards have the master keys to the building, than one wherein who knows how many have them.
That's why, considering the statistics i.e. the fact that 100% of all major recent cyber security breaches involved the compromise of a single (i.e. just 1) Active Directory privileged user account, reducing the number of users that have privileged access within Active Directory to a bare minimum, then adequately protecting them, must be one of the top priorities for all organizations.
Sir, in short, provably secure (least-privileged access adherent) foundational Active Directory deployments at all our federal government agencies and at all business organizations they rely on, are likely going to be vital to your administration's success.
(As you'll likely agree, this isn't rocket science; it's common sense. If a government agency is compromised (e.g. OPM Breach), assets or initiatives it might be working on could be in jeopardy. Similarly, if a business organization (e.g. a Defense Contractor, a Builder etc.) that the government relies on for its various initiatives is compromised, those initiatives could be in jeopardy.)
Thank you, and Best Wishes
In closing, thank you for your time, congrats on your bigly win and good luck as you get ready to serve the American people.
The American people have entrusted you with the great responsibility of leading our great nation, as well as the might of American power, and they're looking to you to make their lives better and to make America greater and safer again.
In God We Trust, so wish you God Speed in your efforts to fulfill your promises to make America great(er and safer) again.
PS: At Paramount Defenses, because we understand the paramount importance of cyber security to the business and national security interests of the United States and those of our allies, we care deeply about cyber security and we take it very seriously.