Category Archives: cyber security

NordVPN Breach FAQ – What Happened and What’s At Stake?

NordVPN, one of the most popular and widely used VPN services out there, yesterday disclosed details of a security incident that apparently compromised one of its thousands of servers based in Finland. Earlier this week, a security researcher on Twitter disclosed that "NordVPN was compromised at some point," alleging that unknown attackers stole private encryption keys used to protect VPN users

Protect yourself and your customers from formjacking

Online retailers and other organisations using ecommerce functionality must prepare for the threat of formjacking, Symantec has warned, after detecting 3.7 million instances of the attack method in 2018.

Formjacking works by inserting malicious JavaScript code into the payment form of an organisation’s online checkout and siphoning off customers’ card details.

It’s particularly dangerous because there’s almost no way to spot whether a page has been compromised. The payment proceeds as normal, and the only way a customer will know they’ve been attacked is when charges show up on their bank statement or the organisation discloses a breach.

Who is being targeted?

Any organisation that accepts online payments is vulnerable to formjacking, but crooks tend to target smaller organisations that have less sophisticated defence mechanisms. This makes it easier to plant malware and for it to remain undetected on the organisation’s systems for longer.

According to Symantec, organisations that work with large companies are particularly vulnerable, as crooks can use them to conduct supply chain attacks. This involves exploiting a vulnerability in a system that’s used to provide services to a third party.

Supply chain attacks were the cause of several high-profile formjacking attacks in 2018, including those against Ticketmaster, British Airways, Feedify and Newegg.

Why are organisations being attacked?

John Moss, CEO of English Blinds, says:

Formjacking has been on the rise in recent months for a combination of reasons. First of all, the well-publicised success of Magecart groups across several high-profile attacks have served as something of an endorsement to others, but the greater part of the problem is that most businesses are simply unprepared for attacks of this type, and have no protocols in place to identify and mitigate them.

Additionally, it is almost impossible to identify if the JavaScript code of a page has been compromised as the intended payments are also processed as normal, and so a significant amount of jacks may take place before a problem is flagged, making it a highly lucrative and reasonably safe attack method for well-prepared antagonists.

To protect and mitigate against formjacking attacks, organisations first of all need to recognise the fact that they pose a real threat in the first place, and that no organisation is too small or low profile as to serve as a completely unappealing target.

Setting up protocols to execute regular penetration tests and vulnerability scans is vital for any organisation, and will ensure that potential threats are identified and eradicated before they can become a problem.

Shayne Sherman, CEO of TechLoris adds:

Hackers are looking for the quick, big win – and of course, a challenge. Identity theft is useful only if you can either a) use the identity stolen or b) sell that information. For those able to hack into larger databases of information, they can collect a larger amount of data that can then be sold. They run a smaller risk as they won’t be caught using a stolen identity. Someone else will then take that risk.

Who is behind the attacks?

The majority of formjacking attacks have been blamed on Magecart, which is believed to be a collection of cyber crime groups.

However, Magecart’s methods aren’t unique. Attacks don’t require any specialist knowledge or technology, meaning any crook could conduct one.

With a single piece of payment card information fetching about $45 (about £34) on the dark web, formjacking is an incredibly lucrative option. Its popularity may only grow further following the declining interest in cryptocurrency, which had previously sparked an increase in cryptojacking attacks.

Protect your business by paying attention

Sherman continues:

Hackers are successful because they are subtle. Making big changes sends up red flags, but by making small changes to source code, a hacker can infiltrate your system. If you’re checking these codes regularly, you’re more likely to catch these hackers before the damage is done.

You can detect malicious code and vulnerabilities that would allow crooks to plant that code by conducting regular vulnerability scans and penetration tests.

Vulnerability scans are automated tests that look for weaknesses in organisations’ systems and applications.

Organisations can use a variety of off-the-shelf tools to conduct vulnerability scans, each of which runs a series of ‘if–then’ scenarios that identify system settings or features that may contain known vulnerabilities.

Meanwhile, penetration testing is essentially a controlled form of hacking in which an ethical hacker, working on behalf of an organisation, looks for vulnerabilities in the same way that a criminal hacker would.

The objective of penetration testing is similar to vulnerability scanning, but it is more thorough and requires expertise and human interaction.

Find out how IT Governance can help meet your penetration testing and vulnerability scanning requirements >>


A version of this blog was originally published on 5 March 2019.

The post Protect yourself and your customers from formjacking appeared first on IT Governance Blog.

How to protect your organisation after a ransomware attack

So, your computer screen has been hijacked by ransomware and the criminals behind the attack are demanding money to return your systems. Now what?

That’s a question countless organisations are asking themselves nowadays, with more than 100 ransomware attacks reported so far in 2019.

If you think that doesn’t sound so bad, the true scale of the issue is much bigger than this. The majority of organisations that are struck by ransomware don’t report the issue.

This might be because they think it will make them look as if they weren’t adequately prepared to protect themselves from ransomware.

Alternatively, they might fear that announcing an attack will lead to other criminals launching similar attacks against them.


What is ransomware?

Ransomware is a specific type of malware that encrypts the files on a computer, essentially locking the owner out of their systems.

Once this has happened, the ransomware will display a message demanding that the victim make a ransom payment to regain access to their files.

Criminals generally plant the malware on victim’s computers by hiding it in an attachment contained within a phishing email.


Many ransomware victims feel obliged to pay up, because it’s the quickest and least expensive way to get back to business as usual.

However, experts generally urge organisations not to negotiate, because ransom payments help fuel the cyber crime industry.

But what’s the alternative? Take a look at our seven-step guide to find out.

1. Prepare for an attack by backing up your data

The only way to avoid paying ransoms and avoid catastrophic delays is to make sure you have a second, uninfected copy of your sensitive information. That way, when crooks encrypt your systems, there’s no need to worry. Let them keep the decryptor. You can just wipe those files and upload clean duplicates.

Because you are continuously creating new files and amending old ones, backups should be performed regularly.

You don’t need to do everything in one go; instead, look at each folder and determine how often substantial changes are made. The more frequently things are added or amended, the more often you should back them up.

Once you’ve determined that, you should set up a backup schedule, saving your work on an isolated local device or in the Cloud.

2. Identify that the attack is ransomware

Don’t assume that the person who has spotted the attack knows that it’s ransomware.

The attack method is more well-known than ever – thanks in part to WannaCry – but many people wouldn’t be able to identify the attack.. This means you could be wasting valuable time identifying the problem.

You can avoid this by teaching staff about ransomware and establishing a line of communication in the event of security incidents. That way, the employee who first discovered the malware can immediately contact someone who can identify what the threat is and initiate response measures.

3. Disconnect infected devices from the network

Now that you’re sure that you’ve been hit by ransomware, you should isolate the infection by taking affected devices offline.

This will stop the ransomware spreading, giving you partial functionality and time to implement the next steps.


a business will fall victim to a ransomware attack every 14 seconds in 2019, and every 11 seconds by 2021.


4. Notify your employees

Employees will quickly notice that something is amiss. Even if their computers haven’t been infected, they’ll see that others have and that certain systems are unavailable.

Whether or not they are aware that the disruption has been caused by ransomware, staff are liable to worry. Is it just their team that’s affected? How are they supposed to do work? Are their bosses aware of the problem?

That’s why you should explain the situation to your employees as soon as possible. Let them know which areas of the organisation have been infected and how you are going to manage in the meantime.

Many ransomware victims use pen and paper instead of computers where possible. If that’s possible in this situation, you should help out as much as you can. For example, you should provide them with said pens and paper, direct them to hard copies of information they might need and bring in colleagues who can’t work to help out.

5. Photograph the ransom note

You can use this as evidence of the attack when submitting a police report.

This might seem futile – the police will almost certainly be unable to recover your data, let alone catch the crooks – but evidence of the attack is necessary for filing a cyber insurance claim.

If you don’t already have cyber insurance, it’s worth considering. Damages associated with information security incidents generally aren’t mentioned in commercial insurance policies, meaning most providers won’t pay out if you make a claim based on, say, a business interruption.

You must therefore take out a specific cyber insurance policy if you want to protect yourself from the costs associated with cyber attacks and data breaches.


See also:


6. Find out what kind of ransomware it is

Identifying the ransomware strain used in the attack might save you a lot of time and effort. Some strains have been cracked with decryption tools available online, and others are fakes that don’t actually encrypt data.

The ransom note might explicitly state what strain it is, but if it doesn’t, there are other clues that can help you identify it. Try uploading the encryption file type, the way the ransom demand is phrased and the URLs within it to a website such as ID Ransomware, which can help you determine the strain you’ve been attacked with.

7. Remove the ransomware from your device

If the ransomware behind your attack has been cracked, you can use an online decryptor to remove the infection. Similarly, if you’ve been attacked with a fake, you can simply delete the malicious file.

But what if it’s the real thing?

Fortunately, that’s not much more complicated. The safest way to remove ransomware is to restore your infected devices to factory settings. You can do this on Windows devices by going to the update and security menu within your settings, or by holding F8 as your computer turns on until the recovery screen appears.

If the ransomware stops you from reaching recovery screens, you can use the installation disk or USB sticks on which your operating system is stored.

Be warned that this process will remove all data stored on the device, which is why it’s important to have backups.

Once your computer has been restored, you can transfer the duplicate files back onto your device. Depending on how much data you have, this could take anywhere from a few hours to a few days – so you’re not completely out of the woods.

However, this process won’t take much longer than getting the decryptor from the fraudster and regaining access to your files.

What should you do when you’re under attack? 

When your defences fail and your organisation is compromised, every second counts. You must respond quickly and follow a systematic, structured approach to the recovery process.

That is, of course, easier said than done, particularly if you don’t have a cyber security expert onboard. Fortunately, IT Governance is here to help.

With our cyber security incident response service, expert consultants will guide you through the recovery process, from identifying the source of the breach and how to stem the damage to notifying the appropriate people and returning to business as usual.

Find out more


A version of this blog was originally published on 11 June 2019.

The post How to protect your organisation after a ransomware attack appeared first on IT Governance Blog.

Secure IT: Shop Safe Online

Everything we do on a daily basis has some form of “trust” baked into it. Where you live, what kind of car you drive, where you send your children to school, who you consider good friends, what businesses you purchase from, etc. Trust instills a level of confidence that your risk is minimized and acceptable to you. Why should this philosophy be any different when the entity you need to trust is on the other end of an Internet address? In fact, because you are connecting to an entity that you cannot see or validate, a higher level of scrutiny is required before they earn your trust. What Universal Resource Locator (URL) are you really connecting to? Is it really your banking website or new online shopping website that you are trying for the first time? How can you tell?

It’s a jungle out there. So we’ve put together five ways you can stay safe while you shop online:

  1. Shop at sites you trust. Are you looking at a nationally or globally recognized brand? Do you have detailed insight into what the site looks like? Have you established an account on this site, and is there a history that you can track for when you visit and what you buy? Have you linked the valid URL for the site in your browser? Mistyping a URL in your browser for any site you routinely visit can lead you to a rogue website.

  2. Use secure networks to connect. Just as important as paying attention to what you connect to is to be wary of where you connect from. Your home Wi-Fi network that you trust—okay. An open Wi-Fi at an airport, cyber café, or public kiosk—not okay. If you can’t trust the network, do not enter identifying information or your payment card information. Just ask our cybersecurity services experts to demonstrate how easy it is to compromise an open Wi-Fi network, and you’ll see why we recommend against public Wi-Fi for sensitive transactions.

  3. Perform basic checks in your browser. Today’s modern browsers are much better at encrypted and secure connections than they were a few years ago. They use encrypted communication by leveraging a specific Internet protocol, hypertext transfer protocol secure (HTTPS). This means that there is a certificate associated with this site in your browser that is verified before you are allowed to connect and establish the encrypted channel. (Just so you know, yes, these certificates can be spoofed, but that is a problem for another day). How do you check for this certificate?

    Look up in your browser title bar.

  4. It will display the URL you are connecting to.

    Hover over and click on the lock icon

    Note that the information says the certificate is valid. But let’s verify that. Hover over and click on the certificate icon.

    Certificate is issued to Amazon from a valid Certificate Authority and is valid until 12/15/2019. Excellent.

  5. Create strong password for your shopping sites. This issue is covered in another blog post, but use longer passwords, 10–12 characters, and keep them in a safe place that cannot be compromised by an unauthorized person. If a second factor is offered, use it. Many sites will send you a code to your smartphone to type into a login screen to verify you are who you say you are.

  6. Don’t give out information about yourself that seems unreasonable. If you are being asked for your social security number, think long and hard, and then longer and harder, about why that information should be required. And then don’t do it until you ask a trusted source about why that would be necessary. Be wary of anything you see when you are on a website that does not look familiar or normal.

We all use the Internet to shop. It is super convenient, and the return on investment is awesome. Having that new cool thing purchased in 10 minutes and delivered directly to your door—wow! Can you ever really be 100% sure that the Internet site you are visiting is legitimate, and that you are not going to inadvertently give away sensitive and/or financial information that is actually going directly into a hacker’s data collection file? Unfortunately, no. A lot of today’s scammers are very sophisticated. But as we discussed up front, this is a trust- and risk-based decision, and if you are aware that you could be compromised at any time on the Internet and are keeping your eyes open for things that just don’t look right or familiar, you have a higher probability of a safe online shopping experience.

To recap:

  • Visit and use sites you know and trust
  • Keep the correct URLs in your bookmarks (don’t risk mistyping a URL).
  • Check the certificate to ensure your connection to the site is secured by a legitimate and active certificate.
  • Look for anything that is not familiar to your known experience with the site.
  • If you can, do not save credit card or payment card information on the site. (If you do, you need to be aware that if that site is breached, your payment data is compromised.)
  • Use strong passwords for your shopping site accounts. And use a different password for every site. (No one ring to rule them all!)
  • If a site offers a second factor to authenticate you, use it.
  • Check all your payment card statements regularly to look for rogue purchases.
  • Subscribe to an identity theft protection service if you can. These services will alert you if your identity has been compromised.

Safe shopping!

The post Secure IT: Shop Safe Online appeared first on Connected.

A Comprehensive Guide On How to Protect Your Websites From Hackers

Humankind had come a long way from the time when the Internet became mainstream. What started as a research project ARPANET (Advanced Research Projects Agency Network) funded by DARPA has grown exponentially and has single-handedly revolutionized human behavior. When WWW (world wide web) came into existence, it was meant to share information over the Internet, from there part through natural

Phorpiex Botnet Sending Out Millions of Sextortion Emails Using Hacked Computers

A decade-old botnet malware that currently controls over 450,000 computers worldwide has recently shifted its operations from infecting machines with ransomware or crypto miners to abusing them for sending out sextortion emails to millions of innocent people. Extortion by email is growing significantly, with a large number of users recently complaining about receiving sextortion emails that

7 steps to a successful ISO 27001 risk assessment

Risk assessments are at the core of any organisation’s ISO 27001 compliance project.

They are essential for ensuring that your ISMS (information security management system) – which is the end-result of implementing the Standard – is relevant to your organisation’s needs.

What is an information security risk assessment?

An information security risk assessment is the process of identifying, resolving and preventing security problems.

Your organisation’s risk assessor will identify the risks that your organisation faces and conduct a risk assessment.

The risk assessment will often be asset based, whereby risks are assessed relative to your information assets. It will be conducted across the whole organisation.

ISO 27001 is explicit in requiring that a risk management process be used to review and confirm security controls in light of regulatory, legal and contractual obligations.

So, how should you get started?

How to conduct an ISO 27001 risk assessment

Conducting a risk assessment can be daunting, but we have simplified the process into seven steps:

1. Define your risk assessment methodology

ISO 27001 does not prescribe a specific risk assessment methodology. Choosing the correct methodology for your organisation is essential in order to define the rules by which you will perform the risk assessment. The methodology needs to address four issues: baseline security criteria, risk scale, risk appetite, and a scenario-based or asset-based risk assessment.

2. Compile a list of your information assets

If opting for an asset-based risk assessment, you should work from an existing list of information assets, which includes hard copies of information, electronic files, removable media, mobile devices and intangibles, such as intellectual property.

3. Identify threats and vulnerabilities

Identify threats and vulnerabilities that apply to each asset. For example, the threat could be ‘theft of mobile device’.

4. Qualify the extent of the risk

Assign impact and likelihood values of the risk occurring.

5. Mitigate the risks to reduce them to an agreed and acceptable level

ISO 27001 suggest four ways to treat risks: ‘Terminate’ the risk by eliminating it entirely, ‘treat’ the risk by applying security controls, ‘transfer’ the risk to a third party, or ‘tolerate’ the risk.

6. Compile risk reports

ISO 27001 requires your organisation to produce a set of reports for audit and certification purposes, the most important being the SoA (Statement of Applicability) and the RTP (risk treatment plan).

7. Review, monitor and audit

ISO 27001 requires your organisation to continually review, update and improve the ISMS to make sure it is working optimally and adjusts to the constantly changing threat environment.

Learn more about risk assessments

We provide a more detailed breakdown of these steps in our free green paper: Risk Assessment and ISO 27001. It also explains:

  • The relationship between ISO 27001 and ISO 31000, the international standard that describes best practices for risk management;
  • Things to avoid when performing a risk assessment;
  • The importance of risk assessments to the ISO 27001 Statement of Applicability; and
  • How to make your risk assessments as cost-effective as possible.

Those looking for hands-on help conducting a risk assessment should take a look at our risk assessment software, vsRisk™. It provides a simple and fast way to identify relevant threats, and delivers repeatable, consistent assessments year after year.

Its integrated risk, vulnerability and threat database eliminates the need to compile a list of potential risks, and the built-in control helps you comply with multiple frameworks.


A version of this blog was originally published on 19 September 2017.

The post 7 steps to a successful ISO 27001 risk assessment appeared first on IT Governance Blog.

Adobe Releases Out-of-Band Security Patches for 82 Flaws in Various Products

No, it's not a patch Tuesday. It's the third Tuesday of the month, and as The Hacker News shared an early heads-up late last week on Twitter, Adobe today finally released pre-announced out-of-band security updates to patch a total of 82 security vulnerabilities across its various products. The affected products that received security patches today include: Adobe Acrobat and Reader Adobe

Apple Under Fire Over Sending Some Users Browsing Data to China’s Tencent

Do you know Apple is sending iOS web browsing related data of some of its users to Chinese Internet company Tencent? I am sure many of you are not aware of this, neither was I, and believe me, none of us could expect this from a tech company that promotes itself as a champion of consumer privacy. Late last week, it was widely revealed that starting from at least iOS 12.2, Apple silently

3 reasons cyber security training is essential

Organisations are always looking for ways to improve their cyber security defences, but they often overlook the value of enrolling their employees on cyber security training courses.

According to a study by Centify, 77% of UK workers say they have never received any form of cyber skills training Given that, it’s no surprise that so many people exercise such poor security practices.

For example, the survey also revealed that 27% of employees use the same passwords for multiple accounts and 14% leave their credentials written down in a notebook or on their desk.

It’s easy to scoff at people for making basic mistakes, but if employers don’t teach them otherwise, they’re inviting trouble.

With October being European Cyber Security Awareness Month, what better time is there to boost your organisation’s knowledge of effective information security practices?

Here are three reasons to consider it:

1. You’ll reduce the risk of data breaches

If you want to keep your organisation secure, you need your employees to know what they’re doing. Almost all data breaches are caused by a mistake somewhere in the organisation.

That doesn’t only mean negligence – it could also be mistakes that you don’t even know are mistakes, such as gaps in your policies, ineffective processes or a lack of proper technological defences.

Placing staff on information security training courses will help them understand the mistakes they’re making and teach them to work more effectively.

This is especially useful if you intend to commit to a framework such as ISO 27001, the international standard for information security, as there are specific courses that teach you how to follow the Standard’s requirements.

2. You’ll meet compliance requirements

Cyber security laws and regulations inevitably contain complex requirements, so organisations need employees with specialist knowledge to achieve compliance.

For example, organisations that are required to appoint a DPO (data protection officer) under the EU GDPR (General Data Protection Regulation) must find someone with an in-depth understanding of data protection law.

The stakes associated with the position are huge; if the DPO doesn’t perform their tasks in accordance with the GDPR’s requirements, the organisation is liable to face regulatory action.

It’s therefore paramount that the DPO is given every resource available to do their job properly, and training courses should always be sought where possible.

They are not only the quickest way of studying but also usually include exams, which reassures employers that the individual is qualified.

The same advice applies for individuals in roles that involve compliance with the NIS Regulations (Network and Information Systems Regulations 2018), the PCI DSS (Payment Card Industry Data Security Standard), ISO 27001 or any other law or framework.

3. You’ll foster career growth

Training courses enable employees to pick up new skills and gain more advanced qualifications, which will help them move into more senior roles. This isn’t only beneficial for them but also their employers. It’s getting increasingly hard to find qualified information security professionals, with one report estimating that there will be 3.5 million unfilled jobs in the industry by 2021.

Finding qualified personnel isn’t the only problem. A small pool of skilled workers also means job candidates can command a higher salary and more benefits. As such, organisations might not be able to afford qualified professionals even if they can find them.

They should therefore do whatever they can to support employees who want to go on training courses. Organisations will almost certainly benefit from the extra knowledge, and it eases the pressure of finding skilled personnel in the job market.

Which course is right for you?

Cyber security is a broad industry, so you need to decide which area suits you best. To help you make that choice, here are some of our most popular training courses:

Knowledge of ISO 27001, the international standard for information security, is an absolute must for anyone who handles sensitive data. We offer several ISO 27001 courses, including an introduction to the Standard and guidance on specific roles, such as internal auditor and lead implementer.

ISO 22301 is the international standard for business continuity. Organisations that follow its framework can be sure that they’ll continue operating when disaster strikes.

Our Foundation-level course covers the essentials of the Standard, but we also offer advanced courses for those that want to lead an implementation project or audit.

Any organisation that transmits, processes or stores payment card data must comply with the PCI DSS. Our training courses help you understand the basics of the Standard, implement its requirements and complete the SAQ (self-assessment questionnaire).

The GDPR is the most significant update to information security law in more than twenty years. Anyone who handles personal data or is responsible for data protection needs to comply with its requirements.

Regular staff should familiarise themselves with the Regulation via our Foundation-level course, senior staff would benefit from our Practitioner course and those looking to fulfil the DPO role should enrol on our Certified DPO training course.


A version of this blog was originally published on 31 October 2018.

The post 3 reasons cyber security training is essential appeared first on IT Governance Blog.

SIM Cards in 29 Countries Vulnerable to Remote Simjacker Attacks

Until now, I'm sure you all might have heard of the SimJacker vulnerability disclosed exactly a month ago that affects a wide range of SIM cards and can remotely be exploited to hack into any mobile phone just by sending a specially crafted binary SMS. If you are unaware, the name "SimJacker" has been given to a class of vulnerabilities that resides due to a lack of authentication and

Apple iTunes and iCloud for Windows 0-Day Exploited in Ransomware Attacks

Watch out Windows users! The cybercriminal group behind BitPaymer and iEncrypt ransomware attacks has been found exploiting a zero-day vulnerability affecting a little-known component that comes bundled with Apple's iTunes and iCloud software for Windows to evade antivirus detection. The vulnerable component in question is the Bonjour updater, a zero-configuration implementation of network

New Comic Videos Take CISO/Security Vendor Relationship to the Extreme

Today's CISOs operate in an overly intensive environment. As the ones who are tasked with the unenviable accountability for failed protection and successful breaches, they must relentlessly strive to improve their defense lines with workforce education, training their security teams and last but definitely not least — looking for products that will upgrade and adjust their security against

RCMP charges two in Montreal over Bell customer data theft

RCMP arrested two Montrealers on charges of stealing Bell customer data. Nana Koranteng and Jesiah Russel-Francis were arrested by RCMP on Oct. 8th, 2019, on charges of unauthorized use of a computer, fraud over $5000, conspiracy to commit fraud, laundering proceeds of crime, identity theft, and identity fraud. In 2018, RCMP initiated an investigation after…

You Gave Your Phone Number to Twitter for Security and Twitter Used it for Ads

After exposing private tweets, plaintext passwords, and personal information for hundreds of thousands of its users, here is a new security blunder social networking company Twitter admitted today. Twitter announced that the phone numbers and email addresses of some users provided for two-factor authentication (2FA) protection had been used for targeted advertising purposes—though the company

vBulletin Releases Patch Update for New RCE and SQLi Vulnerabilities

After releasing a patch for a critical zero-day remote code execution vulnerability late last month, vBulletin has recently published a new security patch update that addresses 3 more high-severity vulnerabilities in its forum software. If left unpatched, the reported security vulnerabilities, which affect vBulletin 5.5.4 and prior versions, could eventually allow remote attackers to take

Adobe Suspends Accounts for All Venezuela Users Citing U.S. Sanctions

I have really bad news for Adobe customers in Venezuela… California-based software company Adobe on Monday announced to soon ban accounts and cancel the subscriptions for all of its customers in Venezuela in order to comply with economic sanctions that the United States imposed on the Latin American country. The Trump administration issued an executive order on 5th August 2019, targeting

Using the Cloud Securely: A conversation between two cybersecurity leaders

Laura Payne, Director Information Security Services, BMO Lakshmi Hanspal, CISO, Box When Box CISO Laksmi Hamspal and BMO Director of Information Security Services Laura Payne struck up a conversation at a recent security conference in Toronto, the connection was immediate. These two women not only shared a passion for cyber security in a space still…

How SMBs Can Mitigate the Growing Risk of File-based Attacks

Cases of document-based malware are steadily rising. 59 percent of all malicious files detected in the first quarter of 2019 were contained in documents. Due to how work is done in today's offices and workplaces, companies are among those commonly affected by file-based attacks. Since small to medium businesses (SMBs) usually lack the kind of security that protects their larger counterparts,

Comodo Forums Hack Exposes 245,000 Users’ Data — Recent vBulletin 0-day Used

If you have an account with the Comodo discussion board and support forums, also known as ITarian Forum, you should change your password immediately. Cybersecurity company Comodo has become one of the major victims of a recently disclosed vBulletin 0-day vulnerability, exposing login account information of over nearly 245,000 users registered with the Comodo Forums websites. In a brief

Behavioral Analytics: What It Is Significant to Enterprise CyberSecurity

Do you want to know why behavioral analytics is vital to your enterprise? Are you even aware of what behavioral analytics is? What are the threats that it can detect quickly? Is your business in danger because of these threats?

As your company grows, you also need to add more assets and users to your enterprise network. Your business workflows undergo permanent changes as you add applications and databases. These upgrades mean more efficiency and collaboration that will result in more profitability. However, they also translate to more liabilities in terms of cybersecurity.

Each user, digital asset, or application can be an accessible doorway for hackers to invade your network. Also, faulty programming or malice perpetrated by any user can be a threat inside your business. In both cases, they can damage not only your network but your business processes as well.

What can you do? Monitoring every user can be frustrating and overwhelming. Even if you have the workforce, your IT security team can’t sustain the demand. Maintaining visibility on applications and users is close to impossible as your enterprise grows. Is there hope? Yes, there is!

Behavioral analytics can help solve your dilemma efficiently and magnificently. Let us take you to a thorough discussion about the topic.

The Basics of Behavioral Analytics

Behavioral Analytics analyzes patterns, activities, and trends of applications and users. It searches for any quirk or habit in your workflows. Moreover, each user has its profile in the system. For instance, your employee, Arthur, uses “Database A” four times a day. Because of next-generation technology, behavioral analytics can also notice the endpoint he uses when he requests for access. It can record and store them in a behavioral baseline.

This behavioral baseline can establish if Arthur, for example, requests for access to Database B for ten times on a specific workday. Moreover, it can determine if he makes the request thousands of miles from his usual location. Your cybersecurity perceives both behaviors that are outside of Arthur’s baseline.

Moreover, the cybersecurity can prohibit the requests for access and alert your IT security team so it can perform the necessary investigation. Arthur may be on a business trip on that day and need to access some information not relevant to his position. Your team can inform your cybersecurity about any unusual circumstances to allow Arthur to access the files.

This scenario can also demonstrate a possible hacking using Arthur’s credentials and accessing sensitive enterprise data. If this is the case, your IT security team can trigger incident response and terminate the hacking procedure to return the account to Arthur’s control. Moreover, it can fix any vulnerability that it may discover. It will also follow the same process for data traffic, movements, and requests for applications.

Behavioral analytics leverages statistical analysis and machine learning to monitor the behaviors of your users and search for anomalies.

Why Is Behavioral Analytics Critical to Cybersecurity?

Jack Vance wrote The Moon Moth. It is a famous short story in the science-fiction genre. The plot revolves around an imposter who can alter his appearance but can’t conceal his habits and tastes.

This observation is also valid for actual hackers. In a report by Centrify, a privileged access management supplier, 74% of business transgressions start with a weakened privileged account. Moreover, some studies show that at least 80% of breaches start with jeopardized accounts. It means that hackers prefer to disguise themselves using one of your users.

The damage caused by hackers can be overwhelming. In theory, these hackers can cause reputational loss and downtime, especially when they destroy your network. They can tamper your users’ baseline behaviors. They can try to cause damage, but whenever they do so, behavioral analytics can sanction the attempts and stop them. It can trigger a response from your IT team to intervene.

Moreover, this cybersecurity must-have relieve your IT security of too much burden. The group may feel overworked with threat hunting and user requests. A cybersecurity staffing crisis may occur if things get out of control. Fortunately, behavioral analytics operates automatically and helps your IT staff streamline its investigations to save time.

Deploying Business Analytics

For your organization, you must first consider your size, user base, IT infrastructure, industry, and applications. Furthermore, you must think of your future growth and scaling plans for the next five years. It must be your initial step in any selection of cybersecurity solutions. Unfortunately, many companies neglect it.

A majority of the enterprises don’t select optimal performance over speed. They choose the solution that can solve their immediate problems adequately. Because of this way of thinking, you’ll realize that your IT infrastructure has many solutions with serious integration issues.

If you want long-term solutions to your cybersecurity issues, you must consider behavioral analytics. If you’ve decided to incorporate it in your enterprise, your next step is choosing a robust Security Information and Event Management (SIEM) solution.

Why Do You Need a SIEM solution?

A SIEM solution is the next-generation version of our topic. It includes user and entity behavioral analytics (UEBA). Furthermore, you can avail of threat intelligence feeds to help you detect any modern or expanded threats quickly.

You may think that a SIEM solution is complicated. You’re right! Moreover, the system works as a tool for log management and analysis that adds a behavioral analysis layer. Cybersecurity recognizes that it can’t deflect 100% of threats because the digital perimeters can’t do it. However, with a SIEM system, you’re able to detect threats that can wreak havoc to your enterprise.

Hackers are everywhere and waiting for an opportunity to strike. If you want to monitor and stop them, you can do so with the next-generation analytics and cybersecurity capabilities. A SIEM solution with UEBA and other significant capabilities is an excellent strategy to catch these hackers. It prevents them from intruding and cause severe downtime, which can compromise your reputation to the business world.

The post Behavioral Analytics: What It Is Significant to Enterprise CyberSecurity appeared first on .

What are you doing for European Cyber Security Month?

In a month where many people’s biggest concerns are pumpkin-related, you might consider putting equal effort into something more substantial. October is National Cyber Security Awareness Month, where people are encouraged to brush up on their everyday information security practices.

With an estimated 2 million cyber attacks last year costing victims £36 billion, there is a lot to be gained from tightening up the way you handle sensitive information.

What is European Cyber Security Month?

Cyber Security Month is an EU awareness campaign that promotes cyber security in the workplace and at home.

It aims to make people understand the threat of cyber crime and the way our actions help or hinder attacks.

Our shared responsibility

The theme of this year’s campaign is “cyber security is a shared responsibility”, which can be interpreted in a couple of ways.

First, it refers to the three aspects of cyber security: people, processes and technology. IT departments must implement software and other security controls to remove vulnerabilities, organisations must create processes that explain to employees how to keep information secure, and people must follow those instructions.

If anyone fails to perform their role, the chance of a data breach increases dramatically.

Cyber security is equally everybody’s responsibility in that no one is exempt from best practices. Senior employees might delegate responsibility or complain that they are too busy to follow certain processes. Similarly, some employees might assume that one person won’t make a difference and so they can cut corners when it comes to things like password management or doing work on a public Wi-Fi.

But if everyone obeys that logic, no one will be following the organisation’s processes. Cyber security best practices can certainly be inconvenient at times, but it only takes one mistake to jeopardise the entire organisation.

What else does Cyber Security Month cover?

The first two weeks cover cyber hygiene, which involves your daily routines and general behaviour when handling sensitive information.

The second half of the month is dedicated to emerging technologies and the way they protect or threaten our security.

This is one of the biggest talking points in the cyber security industry, thanks to the controversial use of biometric data.

Although fingerprints and retinal scans provide a much more secure authentication system than passwords, they also threaten people’s privacy, and breaches of such information have major repercussions.

After all, you can change a password if it’s disclosed but you can’t change your fingerprints.

How you can get involved

There are four events in the UK over the next few weeks that are aligned with European Cyber Security Month:

Technology experts will gather at this event, hosted in Newport, to highlight the threats that organisations face and how they should address their vulnerabilities.

A series of short presentations explaining the threat of cyber crime, the role of law enforcement and what we can do to protect ourselves.

The Isle of Man government’s inaugural cyber security conference features keynote speakers and networking opportunities between the public and private sectors.

This one-day event takes place in Manchester, featuring speeches on how to implement strong security measures and how technological advancements create opportunities and challenges for staying secure.

What are we doing for Cyber Security Month?

At the risk of sounding trite, every month is cyber security awareness month at IT Governance. We are committed to helping people improve their cyber security practices, through our blog, webinars, green papers, tools and services.

October is no exception. We’ll be linking to resources that can help keep you and your organisation secure, and sharing cyber security tips and stats to remind you of what you’re up against.

You wouldn’t ignore a medical expert’s advice. Why risk your cyber health?

Don’t risk it, cyber secure it this Cyber Security Month. Find out how to keep your organisation healthy with our dedicated tips.

Take a look

cyber security awareness month

The post What are you doing for European Cyber Security Month? appeared first on IT Governance Blog.

Microsoft Warns of a New Rare Fileless Malware Hijacking Windows Computers

Watch out Windows users! There's a new strain of malware making rounds on the Internet that has already infected thousands of computers worldwide and most likely, your antivirus program would not be able to detect it. Why? That's because, first, it's an advanced fileless malware and second, it leverages only legitimate built-in system utilities and third-party tools to extend its

DoorDash Breach Exposes 4.9 Million Users’ Personal Data

Do you use DoorDash frequently to order your food online? If yes, you are highly recommended to change your account password right now immediately. DoorDash—the popular on-demand food-delivery service—today confirmed a massive data breach that affects almost 5 million people using its platform, including its customers, delivery workers, and merchants as well. DoorDash is a San

Outlook for Web Bans 38 More File Extensions in Email Attachments

Malware or computer virus can infect your computer in several different ways, but one of the most common methods of its delivery is through malicious file attachments over emails that execute the malware when you open them. Therefore, to protect its users from malicious scripts and executable, Microsoft is planning to blacklist 38 additional file extensions by adding them to its list of file

1-Click iPhone and Android Exploits Target Tibetan Users via WhatsApp

A team of Canadian cybersecurity researchers has uncovered a sophisticated and targeted mobile hacking campaign that is targeting high-profile members of various Tibetan groups with one-click exploits for iOS and Android devices. Dubbed Poison Carp by University of Toronto's Citizen Lab, the hacking group behind this campaign sent tailored malicious web links to its targets over WhatsApp,

Russian APT Map Reveals 22,000 Connections Between 2000 Malware Samples

Though Russia still has an undiversified and stagnant economy, it was one of the early countries in the world to realize the value of remotely conducted cyber intrusions. In recent years, many Russia hacking groups have emerged as one of the most sophisticated nation-state actors in cyberspace, producing highly specialized hacking techniques and toolkits for cyber espionage. Over the past

Microsoft Releases Emergency Patches for IE 0-Day and Windows Defender Flaw

It's not a Patch Tuesday, but Microsoft is rolling out emergency out-of-band security patches for two new vulnerabilities, one of which is a critical Internet Explorer zero-day that cyber criminals are actively exploiting in the wild. Discovered by Clément Lecigne of Google's Threat Analysis Group and tracked as CVE-2019-1367, the IE zero-day is a remote code execution vulnerability in the

3 Types of Network Attacks to Watch Out For

Cybersecurity is becoming more of a common tongue term in today’s industry. It is being passed around the executive meetings along with financial information and projected marketing strategies. Here are some common attack vectors plaguing the industry when it comes to network infrastructure. It does not really matter the infrastructure type you have. If there […]… Read More

The post 3 Types of Network Attacks to Watch Out For appeared first on The State of Security.

IT Firm Manager Arrested in the Biggest Data Breach Case of Ecuador’s History

Ecuador officials have arrested the general manager of IT consulting firm Novaestrat after the personal details of almost the entire population of the Republic of Ecuador left exposed online in what seems to be the most significant data breach in the country's history. Personal records of more than 20 million adults and children, both dead and alive, were found publicly exposed on an unsecured

The Definitive RFP Templates for EDR/EPP and APT Protection

Advanced Persistent Threats groups were once considered a problem that concerns Fortune 100 companies only. However, the threat landscape of the recent years tells otherwise—in fact, every organization, regardless of vertical and size is at risk, whether as a direct target, supply chain or collateral damage. The vast majority of security decision-makers acknowledge they need to address the

How Cloud-Based Automation Can Keep Business Operations Secure

The massive data breach at Capital One – America's seventh-largest bank, according to revenue – has challenged many common assumptions about cloud computing for the first time. Ironically, the incident, which exposed some 106 million Capital One customers' accounts, has only reinforced the belief that the cloud remains the safest way to store sensitive data. "You have to compare [the cloud]

Is your school GDPR compliant? Use our checklist to find out

At this year’s ASCL (Association of School and College Leaders) conference, a guest said to us: “The GDPR? Wasn’t that last year?”

Our heads fell into our hands. How was it possible for someone to be so misguided about such a well-publicised regulation? Granted, 2018 was very much ‘the year of the GDPR’ in some circles. It came into effect in May 2018, following much discussion and a last-minute surge from organisations that left compliance until the last minute.

But compliance isn’t a one-time thing. It continues to be effective for any organisation that processes the personal data of, or monitors the behaviour of, EU residents.

A brief summary of the GDPR

The GDPR works like this: there are data subjects (that’s individuals like you and me), and we own our own personal data. The GDPR considers personal data to be anything that identifies, or can be used to identify, a living person, such as your name, National Insurance number or email address, whether it’s a personal or work account.

To GDPR outlines a list of steps organisations must take to protect that information. It also contains eight data subject rights that give individuals more control over the way organisations use their personal data.

These include:

  • The right to access the personal information organisations store on them;
  • The right to request that organisations rectify any information that’s inaccurate or incomplete;
  • The right to erase personal data when it’s no longer necessary or the data was unlawfully processed; and
  • The right to object to processing if the individual believes the organisation doesn’t have a legitimate reason to process information.

Organisations that fail to meet these requirements face fines of up to €20 million (about £18 million) or 4% of their annual global turnover, whichever is greater.

GDPR compliance in schools

Schools have a particularly hard time of it when it comes to the GDPR. They often work with tight budgets and lack the resources to retain a dedicated information security team.

Additionally, schools process large amounts of children’s data, which merits extra protection. In some cases, there are specific rules that apply to children, which means data processors must work out whether the data subject qualifies as a child (defined as under 13 in the UK) before proceeding.

If that’s the case, the data processor must account for requirements concerning:

Can you use consent?

Organisations cannot legally obtain consent from children. Instead, they must seek the approval of a person holding “parental responsibility”, and make “reasonable efforts” to verify that the person providing the consent is indeed a parental figure.

This requirement doesn’t apply in the context of preventive or counselling services offered directly to a child.


Understand your consent requirements >>


Privacy notices

Organisations must ensure that privacy notices targeted at children are written in plain language that could reasonably be understood by data subjects.

This is similar to general rules about privacy notices, but it’s important to remember that the language you use must be appropriate to the intended audience. What’s considered plain language to a 12-year-old will probably be a lot different than, say, a 5-year-old.


Find out more about privacy notices >>


Online services offered to children

In most cases, consent requests for children will relate to online services, or what the GDPR refers to more generally as information society services. These include things such as online shopping, live or on-demand streaming and social networks.

The GDPR states that consent must be closely regulated in these services because children “may be less aware of the risks, consequences and safeguards” of handing over their personal details.

Schools aren’t GDPR-compliant

These are reasonable requirements, but many schools still fail to understand the importance of compliance or make the necessary changes. The ICO (Information Commissioner’s Office) reported that breaches in the education sector increased by 43% in the first three months that the GDPR was effective.

The number of security incidents increased from 355 in the second quarter of 2017­­–18 to 511 in the same period last year. Meanwhile, the number of incidents involving data breaches increased from 239 to 353.

The ICO found that common disclosure issues included:

  • The loss or theft of paper or digital files;
  • Emailing information to the wrong recipient; and
  • Accidental verbal disclosure.

There has also been a sharp increase in the number of cyber attacks targeting schools, with a 69% rise in malware, ransomware and phishing scams between 2017 and 2018.

Mark Orchison, managing director of cyber security firm 9ine, warned that “schools don’t have the internal expertise” to deal with cyber attacks, and they lack “the skills to understand the risks or what to do when [an attack] happens”.

“Schools are seen as an easy target,” he added. “Sending false invoices, for example, is easy money.”

The figures aren’t all bad news, though. Orchison suggested that the rise in data breach reports may well be a case of schools becoming more aware of what breaches are and when they need to be reported.

GDPR checklist for schools

Staying on top of your GDPR compliance requirements can seem daunting, which is why we encourage all organisations to create a plan of action.

Anyone looking for help on what that should include should take a look at our GDPR checklist for schools. It will help you record your school’s progress towards GDPR compliance and identify any areas where development may be required.


A version of this blog was originally published on 28 March 2019.

The post Is your school GDPR compliant? Use our checklist to find out appeared first on IT Governance Blog.

New SIM Card Flaw Lets Hackers Hijack Any Phone Just By Sending SMS

Cybersecurity researchers today revealed the existence of a new and previously undetected critical vulnerability in SIM cards that could allow remote attackers to compromise targeted mobile phones and spy on victims just by sending an SMS. Dubbed "SimJacker," the vulnerability resides in a particular piece of software, called the S@T Browser (a dynamic SIM toolkit), embedded on most SIM cards

What is incident response management and why do you need it?

The threat of cyber attacks and other security incidents looms over all organisations. There are simply too many things that can go wrong – whether it’s a cyber attack, a technical malfunction or another delay – to assume that operations will always be functional.

But that doesn’t mean you need to accept that delays are inevitable. You should be constantly assessing what might go wrong and how you would deal with it, because the way you respond to an incident may well be the difference between a minor disruption and a major disaster.

Every second counts

The longer it takes an organisation to detect a vulnerability, the more likely it is that it will lead to a serious security incident. For example, perhaps you have an unpatched system that’s waiting to be exploited by a cyber criminal, or your anti-malware software isn’t up to scratch and is letting infected attachments pass into employees’ inboxes.

Criminals sometimes exploit vulnerabilities as soon as they discover them, causing problems that organisations must react to immediately.

However, they’re just as likely to exploit them surreptitiously, with the organisation only discovering the breach weeks or months later – often after being made aware by a third party.

It takes 175 days on average to identify a breach, giving criminals plenty of time to access sensitive information and launch further attacks.

As Ponemon Institute’s 2019 Cost of a Data Breach Study found, the damages associated with undetected security incidents can quickly add up, with the average cost of recovery being £3.17 million.

If your organisation is to reduce financial losses and stay in control of the situation, you must have an incident response plan. This allows you to mitigate the damage and reduce the delays and costs that come with disruptions.

But incident management isn’t only good business sense, as we discuss next.

The GDPR and the NIS Regulations

Incident response management is a key requirement of the GDPR (General Data Protection Regulation) and the NIS Regulations (Network and Information Systems Regulations).

Failure to implement adequate response protocols could therefore not only endanger your organisation’s long-term productivity but also lead to substantial penalties. Breaches of the NIS Regulations can attract fines of up to £17 million, and the stakes are even higher when it comes to the GDPR, with penalties reaching €20 million (about £17.8 million) or 4% of the organisation’s global annual turnover – whichever is greater.

So, what do you need to do to stay compliant? Article 32 of the GDPR states that organisations must take necessary technical and organisational measures to ensure a high level of information security.

This includes implementing an incident response plan to contain any damage in the event of a data breach and to prevent future incidents from occurring.

Doing so also helps you comply with Article 33 of the Regulation, which requires organisations to contact their supervisory authority if they suffer a breach that poses a risk to the rights and freedoms of individuals.

The notification must be made within 72 hours of becoming aware of the breach, and should include as much detail about the breach as possible.

It should also describe the measures taken, or proposed to be taken, to address the breach, including steps to mitigate possible adverse effects.

Meanwhile, the NIS Regulations require organisations to produce:

  • Detection processes and procedures, which should be regularly monitored to ensure that they are up to date and effective;
  • Processes and policies for reporting vulnerabilities and security incidents;
  • Procedures for documenting the response to cyber security incidents; and
  • Incident analyses to assess an incident’s severity and collect information for the organisation’s continual improvement process.

The incident response lifecycle

We recommend that your incident response plan draws on ISO 27001, the international standard for information security, and ISO 27035, which contains principles and guidelines for incident management.

You might also be interested in our approach to incident response, which combines those elements with processes to help you prepare for incidents and aspects of business continuity.

You can adopt this approach by following these eight steps:

1. Identify risks, vulnerabilities and threat exposure

You can’t plan for disaster if you don’t know what might be coming, so the first step is to identify risks by conducting a risk assessment.

This process will also give you an idea of how much of a threat each risk poses and whether it’s worth addressing. For example, if you decide that a risk is highly unlikely to occur or will only cause minimal damage, planning for it might be more trouble than it’s worth.

2. Review cyber security controls

Your organisation more than likely already has certain controls in place; these could be as basic as antivirus software or firewalls.

Such measures could also stretch to existing policies or procedures, e.g. maintaining a schedule for regularly updating devices and software, or even physical security, such as CCTV.

These controls and measures should be reviewed to make sure they are still up to date, and ultimately capable of saving you any unnecessary work – if an existing measure suffices, ensure it is documented and cross it off the to-do list.

3. Conduct a business impact analysis

A BIA (business impact analysis) is a process that uses critical activities to determine priorities for recovery following an incident.

A BIA will also help you work out how quickly each activity needs to be resumed following an incident. Importantly, the analysis will give you an RTO (recovery time objective) for each activity, which is the ‘acceptable’ length of time it takes to get your systems up and running again.

4. Form the incident response team

A dedicated incident response team analyses information about incidents, discusses observations, coordinates activities, and shares important findings internally.

The team could include a director or senior manager, information security manager, facilities manager and IT manager.

Whatever the exact roles are, the team needs to have enough authority to act quickly in response to incidents, and sufficient access to information and expertise to make sure decisions are made on the basis of the best information available.

5. Develop incident response plans

Your plan should focus on the identified critical assets – including the risks to those assets, asset owners and asset locations – as well as the summarised results of the BIA.

You also need to put a reporting process or communication plan in place to ensure that both the incident response team and relevant stakeholders will be informed of any incidents.

For that process to work, you need to include contact details – both of team members and relevant authorities – and call trees, as well as checklists or steps to be taken in the case of specific scenarios.

6. Test incident scenarios

To be sure that the checklists or steps for specific scenarios actually work, you must test them.

Testing these steps at least biannually ensures that they are and remain effective, but also enables the documented plan to be as detailed as possible. And no matter how familiar staff are with the plan, theory is no substitute for practical experience.

Testing does not simply confirm that the plan works, but also trains staff to respond as efficiently as possible. All lessons learned should be documented, and resulting improvements incorporated into the scenarios as necessary.

7. Conduct incident response training

Human error and process failures are the underlying reasons for the majority of security incidents.

To reduce this risk, you must teach your staff about the importance of effective security and how they can avoid making mistakes.

Employees with incident response duties should receive additional training in relation to their role, whether this concerns incident notification, reporting or classification, or scenario testing.

Those with business continuity duties should also receive appropriate training.

8. Establish a continual improvement framework

Like any framework, incident response processes must be regularly reviewed to take into account emerging threats and areas where the current framework isn’t working as intended.

As such, the steps outlined here should be repeated annually or whenever there are major changes to your organisation.

Experiencing a cyber security incident?

If you’re facing a disaster or worried about what will happen when an incident occurs, you should turn to IT Governance.

Our experts help you take immediate action no matter what the situation. We can mitigate the damage if you’re in a crisis or optimise your existing resources and provide support where needed.

Following the incident, we aim to get you back to business, armed with the knowledge to manage your risks and improve your security posture.


A version of this blog was originally published on 14 May 2018.

The post What is incident response management and why do you need it? appeared first on IT Governance Blog.

Memory Forensics: The Key to Better Cybersecurity

When companies fall victim to a cyberattack, the first thing they do is eliminate the threat. But for cybersecurity investigators, that’s just the first part of their job. Like real-world investigators, cybersecurity experts need to gather and analyze evidence of the attack to improve cybersecurity policies or to present it in court during a hearing. Cyber investigators do their evidence gathering through memory forensics.

What Is Memory Forensics?

Memory forensics is the process of collecting memory dumps and analyzing them for evidence of how a cybercrime happened or to find the origins of a malware breach. This is usually done after a cyberattack, but cybersecurity specialists can also do this as a routine check-up for malicious injections that could be running in the system.

Memory forensics is a way to backtrack events that led to a successful security breach and to help specialists know how to improve their company’s cybersecurity.

What Is Memory Forensics? — How Is Memory Forensics Done?

 Memory forensics, also known as memory analysis, can be broken down into three parts: retrieval, analysis, and documentation.

  1. Retrieval

The first part of memory forensics is the retrieval phase. Because all activities done and actions taken in a computer are recorded in the system’s memory, cyber investigators need to retrieve the system memory to see when and where the cyberattack began. It’s like retrieving an airplane’s black box after a crash.

To retrieve the system’s memory, cyber investigators perform a memory dump. This is a procedure where data in a system’s RAM is read and transferred to a storage device. Retrieving RAM data is important, since this is “volatile” data, meaning that it is only retained when the system is on and disappears once the system is turned off.

If there is no cyberattack or breach, memory dumps can help IT specialists understand a crash event and how it happened. There are many kinds of memory dump tools available in the market.

  1. Analysis

 The second phase is memory analysis. This is the part where cyber investigators look through the system’s memory dump for signs of malicious activities. Investigators take memory analysis seriously, and they will search for hidden folders and retrieve deleted or encrypted files.

Memory analysis can take days or months to complete. Retrieved memory dumps are examined using different analyzing tools and software.

  1. Documentation

 The last phase of memory forensics is the documentation phase. All pieces of evidence and significant activities discovered during memory analysis are recorded. Once the collected memory dumps are thoroughly analyzed, investigators take note of every detail of the event and carefully create a report.

This report is then validated by running tests on the system and checking for inconsistencies. After validation, the report is ready for presentation in court and other legal proceedings or to company management to help improve cybersecurity.

Conclusion

 No matter how strong a company’s cybersecurity is, they can still be victims of a cyberattack. And when that happens, it’s crucial to know when and how the cyberattack happened so vulnerabilities can be addressed and cybercriminals can be tracked down.

If you’re worried about your cybersecurity, now is a good time to do your own memory forensics to see if you have been compromised.

Related Blogs:

What You Need to Know About Cloud Forensics

Top 10 Computer Forensics Tools For Analyzing A Breach

 

The post Memory Forensics: The Key to Better Cybersecurity appeared first on .

Is cyber security software worth the investment?

‘Do we really need to spend a load of money on cyber security software?’ you might ask. You have built-in antivirus, so won’t that do?

No. Cyber security is about more than preventing viruses and malware. Criminals have plenty of other tricks for breaking into your organisation, so you must purchase software to close as many gaps as possible.

Why cyber security software is so important

Over the past few years, organisations and individuals have acknowledged the severity of the threat posed by cyber crime. We tracked 557 data breaches last year alone, with organisations of all sizes coming under attack.

Meanwhile, the introduction of the GDPR (General Data Protection Regulation) has raised the stakes when it comes to effective security. Organisations that fail to secure data properly, or that violate individuals’ privacy rights, face fines of up to €20 million (about £18 million) or 4% of their annual global turnover.

If organisations are to avoid suffering data breaches, they need to protect their systems. Many people believe that refers to technological solutions – but although that’s our focus here, it’s only one way to secure your organisation.

After all, it’s no good purchasing cyber security software if no one knows how to use it or employees expose data in other ways. That’s why technology must always be complemented with security policies and staff awareness training, in what is often known as the people–processes–technology model.

The reason so many people focus on technology, as opposed to people or processes, is that it does a lot of the heavy lifting in a security framework.

Most data breaches are the result of basic mistakes that all three parts of the model address, but whereas ‘people’ and ‘processes’ are designed to change poor security habits – something that takes time and effort – security software can be plugged straight into the system.

It doesn’t address the root cause of the problem, but it prevents breaches from occurring.

For example, access controls, which limit who can view certain information, doesn’t stop an employee from wanting to view sensitive information (or even explain why this is a security concern), but it does ensure that a breach doesn’t occur.

There are myriad programs designed to protect your organisation in ways like this. In the next section, we run through some of the most common types of software and how they work.

Examples of cyber security software

  • Antivirus and anti-malware

Antivirus software is the quintessential example of cyber security technology. It was originally designed to root out viruses, but modern software now generally includes protection against a broad range of malicious programs, including malware, ransomware, keyloggers, Trojan horses, worms, adware and spyware.

The software scans your computers, looking for files that match its built-in database of known viruses and malware, and either deletes them or alerts you to their presence.

Antivirus and anti-malware software are essential for all businesses that use online systems. Malicious programs are hidden in all kinds of files, and it’s only a matter of time before an employee downloads something harmful or a criminal otherwise infects your organisation.

  • Firewalls

Firewalls create a buffer between your IT systems and external networks. They monitor network traffic, and identify and block unwanted traffic that could damage your computers, systems and networks.

Implementing firewalls helps protect organisations from criminal hackers trying to break into their networks, and from outgoing traffic originating from a virus.

  • System monitoring

There are several inexpensive tools you can use to detect suspicious activity on your organisation’s networks.

Such activity includes attempts to access privileged information (whether from an employee or external actor), login attempts from unusual locations, and unusual activity related to the way information was viewed.

Monitoring this information gives you a head start when it comes to active or attempted system compromises.

  • Access controls

Access controls ensure that staff can only view information that’s relevant to their job. For example, someone in marketing must be able to view contact information for those who have signed up for a service, but they won’t need access to, say, HR files and payroll data.

Walling off those parts of the system ensures that staff can’t compromise that data, either accidentally or maliciously. It also protects organisations should a criminal hacker break into an employee’s account, as they will only be able to view a select amount of data.

How do you know which software is necessary?

The examples we’ve listed will be essential for almost every organisation, as they address universal issues. But what about other types of software, like encryption programs? Should you invest in those?

The answer can be found by conducting a risk assessment. This is a process in which you identify, analyse and evaluate security risks and determine appropriate solutions.

If, once you’ve completed the assessment, you decide that certain software is necessary, then you should purchase it. If you don’t need it, then invest your money elsewhere.

A software solution to help you decide

There’s a lot at stake when you conduct a risk assessment, so it’s a good idea to get expert advice. That’s where vsRisk Cloud comes in.

This online tool helps you conduct an information security risk assessment aligned with ISO 27001, the international standard for information security.

With vsRisk Cloud, you’ll get repeatable, consistent assessments year after year. Its integrated risk, vulnerability and threat database eliminates the need to compile a list of risks, and the built-in controls helps you comply with multiple frameworks, including the GDPR.

The post Is cyber security software worth the investment? appeared first on IT Governance Blog.

How to avoid the security mistakes that cost an estate agency £80,000 in fines

Last month, Life at Parliament View was fined £80,000 by the ICO (Information Commissioner’s Office) after security errors exposed 18,610 customers’ personal data for almost two years.

The incident occurred when the London-based estate agency transferred personal data from its server to a partner organisation but failed to implement access controls.

This meant that tenants’ and landlords’ bank statements, salary details, passport information, dates of birth and addresses were publicly available online between March 2015 and February 2017, when Life at Parliament View learned of the breach.

During its investigation, the ICO discovered many security practices that contravened the DPA (Data Protection Act) 1998. Had the incident occurred after the GDPR (General Data Protection Regulation) took effect on 25 May 2018, Life at Parliament View would have faced a much higher penalty.

Unfortunately, many organisations are vulnerable to the same mistakes. So how can you be sure that your systems and processes are secure?

Anonymous access

The breach at Life at Parliament View can largely be attributed to the company’s failure to turn off ‘Anonymous Authentication’ after completing its file transfer. This caused two major security issues.

First, the information was no longer subject to any kind of access control, meaning anyone who found the database was free to view or copy the information it contained.

That’s bad enough, but it also meant that those who accessed the database did so anonymously. Life at Parliament View had no way of knowing whether the people opening or amending the database were employees doing their job or whether the information had been compromised by an unauthorised person – be it another employee or a criminal hacker.

There were other security mistakes that exacerbated the issue, like a lack of encryption and poor staff awareness training to identify security lapses, but the root cause was the lack of access controls to ensure only authorised employees could access the sensitive information in question.

What are access controls?

Put simply, access controls are measures that restrict who can view data. They consist of two elements:

  1. Authentication: a technique used to verify the identity of a user.
  2. Authorisation: determines whether a user should be given access to data.

To be effective, access control requires the enforcement of robust policies. This can be difficult when most organisations operate in hybrid environments where data is mobile and moves between on-premises servers to the Cloud, external offices and beyond.

Organisations must determine the most appropriate access control model to adopt based on the type and sensitivity of the data they’re processing. They have several options:

  • Discretionary access control: employees control the programs and files they use, and determine the permissions other users have relating to that information. It is commonly referred to as a ‘need-to-know’ access model.
  • Mandatory access control: the administrator defines the usage and access policy, which cannot be modified by users.
  • Role-based access control: provides access based on a user’s role, and applies principles such as ‘least privilege’ and ‘separation of privilege’. This means the user can access only the information that is required for their role.
  • Attribute-based access control: based on different attribute types: user attributes, attributes associated with the application, and current conditions. This provides dynamic, fine-grained access control but is also the most complex to operate.

Whichever model you adopt, it’s important to keep access to your data to a minimum, as this limits the opportunities for a criminal hacker to access your information.

Access controls and Cyber Essentials

Organisations that want understand how to implement access controls should look at Cyber Essentials, a UK government assurance scheme based on “10 Steps to Cyber Security” and administered by the NCSC (National Cyber Security Centre).

Cyber Essentials has two objectives:

  1. To set out five basic cyber security controls that can protect organisations from common cyber attacks.
  2. To provide a simple and affordable certification process for organisations to demonstrate that they have implemented essential cyber security measures.

Access control is one of the five basic controls outlined in Cyber Essentials, along with secure configuration, boundary firewalls and Internet gateways, patch management, and malware protection.

Find out more about Cyber Essentials >>

The post How to avoid the security mistakes that cost an estate agency £80,000 in fines appeared first on IT Governance Blog.

What is ethical hacking? A guide to white-hat attacks and penetration tests

It sounds crazy to the uninitiated, but organisations across the globe pay people to break into their systems and find sensitive information.

The reason they do this is simple: to catch a thief, you must think like one. Organisations hire ethical hackers to make sure they have someone who’s one step ahead of the tactics that crooks use.

What is ethical hacking?

Ethical hacking (or penetration testing) refers to the exploitation of networks and applications, with the intention of informing the organisation about the vulnerabilities you discover.

With the vulnerabilities the ethical hacker discovers, organisations can implement defences to stop criminals before they’ve had a chance to target the organisation.

What does an ethical hacker do?

Ethical hackers identify and exploit vulnerabilities using the same methods as a criminal hacker. The only difference is that ethical hackers operate within the law, and don’t use any of the information they’ve discovered maliciously.

Attacks may involve exploiting system misconfigurations, sending the organisation’s staff phishing emails, with the intention of gathering their login credentials or breaching the physical perimeter.

As the threat landscape has evolved, ethical hackers are sometimes commissioned to commit long-term cons. They will watch and analyse an organisation, looking for patterns that can be exploited. One method they might use is to leave removable devices containing malware in a public area to see if an employee plugs it into one of the organisation’s computers.

Can I trust ethical hackers?

You might be unnerved at the prospect of allowing an ethical hacker to root around in your organisation, but there’s nothing to fear as long as you hire a qualified ethical hacker through a trusted third party.

How to become an ethical hacker

You can gain all the skills you need to become an ethical hacker by taking our Certified Ethical Hacker (CEH) Training Course.

This five-day course gives you practical, hands-on experience with ethical hacking. You’ll be shown the strategies, tactics, technologies, tools and motivations of criminal hackers, and be given the opportunity to replicate their methods.

After the course, our tutor will be available to provide support and answer any questions you may have. You’ll also be given six months online access to EC-Council iLabs to further develop your skills.

When you’re ready, you can sit the CEH Practical exam, where you’ll be tested on your ability to identify and exploit vulnerabilities in operating systems, databases and networks.

Those who pass will receive the CEH (Practical) certification, which is globally recognised as the vendor-neutral qualification of choice for developing a senior career in ethical hacking and penetration testing.

Find out more >>


A version of this blog was originally published on 2 May 2017.

The post What is ethical hacking? A guide to white-hat attacks and penetration tests appeared first on IT Governance Blog.

The psychology behind phishing attacks

With 3.4 billion malicious emails sent every day, phishing poses a massive risk to organisations of all sizes.

However, the threat doesn’t just come from the volume of scams, but their idiosyncrasy. The measures you put in place to protect you from most cyber attacks – anti-malware, perimeter scans, vulnerability assessments, etc. – are inadequate when it comes to phishing, because fraudsters doesn’t exploit technological weaknesses.

They instead target employees using a tactic known as social engineering.

What is social engineering?

Social engineering is a collective term for the ways people are manipulated into performing certain actions.

In an information security context, it refers to the methods fraudsters use to get people to hand over sensitive information and expose themselves to malware.

Phishing is a classic example of social engineering, as the scams emulate legitimate organisations and attempt to trick people into complying with a request.

How do phishing scams manipulate us?

In some ways, it seems impossible that people could fall for phishing. Awareness is at a record high, popular targets like Amazon have dedicated phishing prevention pages and many bogus emails do a poor job of imitating their target.

Yet phishing is as successful as ever. Why? Because it taps into people’s fears to such an extent that they can’t spot the signs of bogus emails.


See also:


For example, many messages replicate services that possess sensitive information or are essential for the user’s quality of life. This explains the prevalence of phishing emails that relate to tax forms or entertainment services like Netflix.

A 2017 PhishMe survey found that fear was the most effective motivating factor for someone to click a link or open an attachment in a phishing email.

The organisation sent a series of benign phishing emails to respondents and found that the most successful scam spoofed a bar association that claimed that a grievance had been filed against the recipient. It tricked 44% of respondents.

A similar scam email imitating an accountancy firm that claimed a complaint had been filed against the recipient was successful 34% of the time.

Catching us off guard

Although people are always susceptible to phishing, cyber criminals increase their chances of success by sending scams at times when we are most vulnerable.

Phishing has a comparatively low success rate when the recipient is busy or thinking about something else when they receive the message. The sense of urgency is diminished on, say, Monday mornings, when employees have plenty of other urgent tasks.

When they come back to the email a few hours later, they are more likely to notice the things that seem suspicious. Or, if the message is imitating a colleague, they’ll see that person in the office, ask about their request and realise that it was a scam.

Criminals therefore try to send scams when people are most likely to take action right away, which means scheduling them for times when recipients are least likely to be busy. Fridays are sometimes considered the peak time for phishing, but you’re just as likely to fall victim during the middle of the week.

Whatever day it is, the consensus is that you’re most vulnerable during your lunch break and in the early afternoon. This is because most of us take a break from whatever task we were doing. We might use the time to check our emails, and the message may appear as we sit there with no other tasks at hand.

How vulnerable are your staff?

There’s a simple way to assess how big of a threat phishing poses to your organisation: send your employees a scam email.

This might sound reckless, but it’s perfectly safe. Our Simulated Phishing Attack service sends your employees a typical example of a phishing email without the malicious payload.

This gives you the opportunity to monitor how your employees respond. Do they click a link right away? Do they recognise that it’s a scam and delete it? Do they contact a senior colleague to warn them?

You can use the answers to guide your information security measures and to act as a reference point when it comes to staff awareness training.

Find out more >>


A version of this blog was originally published on 23 November 2016.

The post The psychology behind phishing attacks appeared first on IT Governance Blog.

List of data breaches and cyber attacks in July 2019 – 2.3 billion records leaked

Remember after last month’s relatively serene cyber security scene we said this wasn’t the beginning of the GDPRevolution?

July was bound to be a bounce-back month, but we couldn’t have expected the frighteningly high total of 2,359,114,047 breached records.

Granted, a big chunk of those come from a single incident – a mammoth breach involving a Chinese smart tech supplier – but as unimaginative football commentators say, ‘they all count’.

Let’s take a look at the full list:

Cyber attacks



Ransomware


a business will fall victim to a ransomware attack every 14 seconds in 2019, and every 11 seconds by 2021.


Data breaches

Financial information

Malicious insiders and miscellaneous incidents

In other news…

The post List of data breaches and cyber attacks in July 2019 – 2.3 billion records leaked appeared first on IT Governance Blog.

Cyber Security: Three Parts Art, One Part Science

As I reflect upon my almost 40 years as a cyber security professional, I think of the many instances where the basic tenets of cyber security—those we think have common understanding—require a lot of additional explanation. For example, what is a vulnerability assessment? If five cyber professionals are sitting around a table discussing this question, you will end up with seven or eight answers. One will say that a vulnerability assessment is vulnerability scanning only. Another will say an assessment is much bigger than scanning, and addresses ethical hacking and internal security testing. Another will say that it is a passive review of policies and controls. All are correct in some form, but the answer really depends on the requirements or criteria you are trying to achieve. And it also depends on the skills and experience of the risk owner, auditor, or assessor. Is your head spinning yet? I know mine is! Hence the “three parts art.”

There is quite a bit of subjectivity in the cyber security business. One auditor will look at evidence and agree you are in compliance; another will say you are not. If you are going to protect sensitive information, do you encrypt it, obfuscate it, or segment it off and place it behind very tight identification and access controls before allowing users to access the data? Yes. As we advise our client base, it is essential that we have all the context necessary to make good risk-based decisions and recommendations.

Let’s talk about Connection’s artistic methodology. We start with a canvas that has the core components of cyber security: protection, detection, and reaction. By addressing each of these three pillars in a comprehensive way, we ensure that the full conversation around how people, process, and technology all work together to provide a comprehensive risk strategy is achieved.

Protection:

People
Users understand threat and risk, and know what role they play in the protection strategy. For example, if you see something, say something. Don’t let someone surf in behind you through a badge check entry. And don’t think about trying to shut off your end-point anti-virus or firewall.

Process
Policy are established, documented, and socialized. For example, personal laptops should never be connected to the corporate network. Also, don’t send sensitive information to your personal email account so you can work from home.

Technology
Some examples of the barriers used to deter attackers and breaches are edge security with firewalls, intrusion detection and prevention, sandboxing, and advanced threat detection.

Detection:

The average mean time to identify an active incident in a network is 197 days. The mean time to contain an incident is 69 days.

People
Incident response teams need to be identified and trained, and all employees need to be trained on the concept of “if you see something, say something.” Detection is a proactive process.

Process
What happens when an alert occurs? Who sees it? What is the documented process for taking action?

Technology
What is in place to ensure you are detecting malicious activity? Is it configured to ignore noise and only alert you of a real event? Will it help you bring that 197-day mean time to detection way down?

Reaction:

People
What happens when an event occurs? Who responds? How do you recover? Does everyone understand their role? Do you War Game to ensure you are prepared WHEN an incident occurs?

Process
What is the documented process to reduce the Kill Chain—the mean time to detect and contain—from 69 days to 69 minutes? Do you have a Business Continuity and Disaster Recovery Plan to ensure the ability to react to a natural disaster, significant cyber breach such as ransomware, DDoS, or—dare I say it—a pandemic?

Technology
What cyber security consoles have been deployed that allow quick access to patch a system, change a firewall rule, switch ACL, or policy setting at an end point, or track a security incident through the triage process?

All of these things are important to create a comprehensive InfoSec Program. The science is the technology that will help you build a layered, in-depth defense approach. The art is how to assess the threat, define and document the risk, and create a strategy that allows you to manage your cyber risk as it applies to your environment, users, systems, applications, data, customers, supply chain, third party support partners, and business process.

More Art: Are You a Risk Avoider or Risk Transference Expert?

A better way to state that is, “Do you avoid all risk responsibility or do you give your risk responsibility to someone else?” Hint: I don’t believe in risk avoidance or risk transference.

Yes, there is an art to risk management. There is also science if you use, for example, The Carnegie Mellon risk tools. But a good risk owner and manager documents risk, prioritizes it by risk criticality, turns it into a risk register or roadmap plan, remediates what is necessary, and accepts what is reasonable from a business and cyber security perspective. Oh, by the way, those same five cyber security professional we talked about earlier? They have 17 definitions of risk.

As we wrap up this conversation, let’s talk about the importance of selecting a risk framework. It’s kind of like going to a baseball game and recognizing the program helps you know the players and the stats. What framework will you pick? Do you paint in watercolors or oils? Are you a National Institute of Standards (NIST) artist, an Internal Standards Organization artist, or have you developed your own framework like the Nardone puzzle chart? I developed this several years ago when I was the CTO/CSO of the Commonwealth of Massachusetts. It has been artistically enhanced over the years to incorporate more security components, but it is loosely coupled on the NIST 800-53 and ISO 27001 standards.

When it comes to selecting a security framework as a CISO, I lean towards the NIST Cyber Security Framework (CSF) pictured below. This framework is comprehensive, and provides a scoring model that allows risk owners to measure and target what risk level they believe they need to achieve based on their business model, threat profile, and risk tolerance. It has five functional focus areas. The ISO 27001 framework is also a very solid and frequently used model. Both of these frameworks can result in a Certificate of Attestation demonstrating adherence to the standard. Many commercial corporations do an annual ISO 27001 assessment for that very reason. More and more are leaning towards the NIST CSF, especially commercial corporations doing work with the government.

The art in cyber security is in the interpretation of the rules, standards, and requirements that are primarily based on a foundation in science in some form. The more experience one has in the cyber security industry, the more effective the art becomes. As a last thought, keep in mind that Connection’s Technology Solutions Group Security Practice has over 150 years of cyber security expertise on tap to apply to that art.

The post Cyber Security: Three Parts Art, One Part Science appeared first on Connected.

A Simple Trillion$ Cyber Security Question for the Entire RSA Conference

Folks,

This week, the famous RSA Conference 2019 is underway, where supposedly "The World Talks Security" -


Image Courtesy RSA Conference. Source: https://www.rsaconference.com/

If that's the case, let's talk -  I'd like to respectfully ask the entire RSA Conference just 1 simple cyber security question -

Question: What lies at the very foundation of cyber security and privileged access of not just the RSAs, EMCs, Dells, CyberArks, Gartners, Googles, Amazons, Facebooks and Microsofts of the world, but also at the foundation of virtually all cyber security and cloud companies and at the foundation of over 85% of organizations worldwide?

For those who may not know the answer to this ONE simple cyber security question, the answer's in line 1 here.



For those who may know the answer, and I sincerely hope that most of the world's CIOs, CISOs, Domain Admins, Cyber Security Analysts, Penetration Testers and Ethical Hackers know the answer, here are 4 simple follow-up questions -


  • Q 1.  Should your organization's foundational Active Directory be compromised, what could be its impact?
  • Q 2.  Would you agree that the (unintentional, intentional or coerced) compromise of a single Active Directory privileged user could result in the compromise of your organization's entire foundational Active Directory?
  • Q 3.  If so, then do you know that there is only one correct way to accurately identify/audit privileged users in your organization's foundational Active Directory, and do you possess the capability to correctly be able to do so?
  • Q 4.  If you don't, then how could you possibly know exactly how many privileged users there are in your organization's foundational Active Directory deployment today, and if you don't know so, ...OMG... ?!

You see, if even the world's top cyber security and cloud computing companies themselves don't know the answers to such simple, fundamental Kindergarten-level cyber security questions, how can we expect 85% of the world's organizations to know the answer, AND MORE IMPORTANTLY, what's the point of all this fancy peripheral cyber security talk at such conferences when organizations don't even know how many (hundreds if not thousands of) people have the Keys to their Kingdom(s) ?!


Today Active Directory is at the very heart of Cyber Security and Privileged Access at over 85% of organizations worldwide, and if you can find me even ONE company at the prestigious RSA Conference 2019 that can help organizations accurately identify privileged users/access in 1000s of foundational Active Directory deployments worldwide, you'll have impressed me.


Those who truly understand Windows Security know that organizations can neither adequately secure their foundational Active Directory deployments nor accomplish any of these recent buzzword initiatives like Privileged Access Management, Privileged Account Discovery, Zero-Trust etc. without first being able to accurately identify privileged users in Active Directory.

Best wishes,
Sanjay


PS: Pardon the delay. I've been busy and haven't much time to blog since my last post on Cyber Security 101 for the C-Suite.

PS2: Microsoft, when were you planning to start educating the world about what's actually paramount to their cyber security?

Cyber Security 101 for the C-Suite – Active Directory Security is Paramount

Folks,

Today's post is for all executives worldwide who comprise the C-Suite at thousands of organizations worldwide.


I pen today's post with profound respect for all executives worldwide, because I understand first-hand just how important the nature of their responsibilities is, how valuable their time is, and how far-reaching the consequences of their decisions are.

A quick footnote for all C*Os : In case you're wondering who I am to be penning this, I'm former Microsoft Program Manager for Active Directory Security. Relevance? Microsoft's Active Directory is the foundation of your entire organization's cyber security. Finally, like you, I also happen to be the CEO of a $ Billion+ company.

Today's post is in the form of a simple letter, that follows (below.)

Thanks,
Sanjay


<Begin Letter>

Subject - Cyber Security 101 for the C-Suite


To: Chairmen, CEOs and CFOs Worldwide



Dear C*O,

Hi, I'm Sanjay, former Microsoft Program Manager for Active Directory Security, but more importantly a sincere well-wisher who cares deeply about cyber security, and who just happens to know a thing or two about the very technology that lies at the very foundation of cyber security of your ($ Billion to $ Trillion) organization, and those of 85% of all organizations worldwide.

I write to you to bring to your attention a matter of paramount importance to your organization's foundational security.



Context - Foundational Security

Today we all engage in business in what is essentially a global digital village, wherein just about just every aspect of business, whether it be production, marketing, sales, customer-service, collaboration, finance etc. etc. substantially relies on technology.


Within our respective organizations, it is our IT infrastructure that enables and empowers our workforce to engage in business.

For instance, we all (including us C*Os) log on to a computer every day, send and receive email, and create, share and access digital assets (e.g. documents, applications, services etc.) all of which are securely stored on our organizational computers.

It is only logical then that ensuring the security of the very IT infrastructure that enables and empowers our entire workforce to engage in business digitally, and the security of our digital assets is vital. In other words, cyber security is very important.

Now, if I told you that at the very foundation of your entire IT infrastructure, and consequently at the very foundation of the security of all your digital assets lay a single high-value asset, then I think you'd agree that its security would be paramount.

At the very foundation of your organization's IT infrastructure and that of its cyber security, and by corollary the cyber security of the entirety of all your digital assets (e.g. thousands of computers, thousands of employee user accounts and passwords, every single organizational email sent and received every minute of every day, all your applications, services, Intranet portals, Internet facing applications etc.) as well as the entirety of your organization's data, lies a single technology - Microsoft Active Directory.


Most simply put, Active Directory is the database that contains, stores and protects the entirety of your organization's building blocks of cyber security - each one of thousands of user accounts and their passwords, each one of thousands of computer accounts (for all laptops, desktops, servers etc.), each one of thousands of security groups that protect all your data etc. etc.

If your organization's Active Directory were compromised, everything would immediately be exposed to the risk of compromise.

Thus as you'll hopefully agree, ensuring the security of your organization's foundational Active Directory is well, paramount.



A Provable Concern - Inadequate Protection

Now, you might most likely be thinking - Well, if that's the case, I'm sure that our CIO, our CISO and their world-class IT and Cyber Security teams know all this, and have it adequately taken care of, so why should I be concerned ?


Here's why you should be concerned - In all likelihood, not only may your world-class IT and Cyber Security teams not have this adequately covered, they may have yet to realize just how very important, and in fact paramount Active Directory security is.

Further, they likely may not know what it actually takes to adequately secure your organization's  foundational Active Directory.

Now, as incredulous as that may sound, you have to trust me on this, not because I'm asking you to do so as a concerned well-wisher, but because I'm asking you to do so as arguably the world's #1 subject matter expert on Active Directory Security.

You see, prior to doing what I currently do, I was Microsoft's subject matter expert for Active Directory Security on Microsoft's Windows Server Development team. In case you're curious as to what I do currently do with all this knowledge, well, its this.

As the world's leading subject matter expert on Active Directory Security, I would highly encourage you to ask your IT and Cyber Security leadership, specifically your CIO and your CISO, just how secure they think your organization's Active Directory is.



Simple Proof - You Just Have to Ask

When you ask them about it, please do request specific answers, and here are 7 simple questions you can ask them, the answers to which will give you an indication of just how secure your organization's Active Directory actually is today -


  1. Is the security of our foundational Active Directory deployment a top cyber security priority today?

  2. Do we know exactly what the Top-5 security risks to our foundational Active Directory are?

  3. Do our Active Directory Admins know what Active Directory Effective Permissions are?

  4. Do we know exactly who possesses what level of privileged access in our Active Directory?

  5. Do we know exactly who can control/manage each one of our Active Directory privileged accounts and groups?

  6. Do we know exactly who can run Mimikatz DCSync against our Active Directory today?

  7. Can you tell me exactly who can reset my domain user account's password to then be able to login as me?

I could suggest 50 such elemental cyber security questions, but for now these 7 simple, precise questions will suffice as there are only 2 possibilities here - either your IT and cyber security leadership have exact answers to these questions, or they don't.


If they can't give you exact answers to these questions, your organization's Active Directory is not secure - its as simple as that.


They might tell you that this is complicated or that they have a good approximation, or that this is very difficult to do, or that they have many other latest buzzword measures like Active Directory Auditing, Privileged Access Management, ATA, Just-in-Time Administration etc. in place, but none of that matters, because the truth is simple - they either have exact answers, or they don't.

(These questions are paramount to cyber security, and today there exists technology that can enable every organization in the world to answer them precisely, but because Microsoft likely forgot to adequately educate its customers, your IT personnel may likely not even know the importance of these paramount questions, let alone knowing what it takes to correctly answer them.)

If a $Billion+ organization doesn't even know exactly who has what privileged access in their Active Directory, as well as exactly who can manage each one of their privileged accounts and groups, how could their Active Directory possibly be secure?

If an organization's foundational Active Directory is not secure, how can the entirety of the organization's digital (IT) assets be secure, and if that's not case, how could an organization possibly be considered secure from a cyber security perspective?



Driving Change

As a member of the C-Suite, you not only have the privilege of being able to impact vital change in your organization, you also have the responsibility and the authority to demand and ensure the cyber security of the very foundation of your organization.


As a C*O, one of the most important responsibilities you shoulder is ensuring that your organization is secure, and ensuring that the very foundation of your organization's IT infrastructure and cyber security are always adequately protected, is paramount.




The Likely Reason (Optional Reading)

Here's the likely reason for why such a common-sense yet paramount matter may not be on your CIO's and CISO's radar yet.

You see, your CIO and CISO shoulder great responsibility. Unfortunately, amongst many other things, they're likely also being guided by inputs from a 1000 cyber security companies, who unfortunately may not be the best source of objective guidance.

For instance, consider CyberArk, a highly respected $ Billion+ cyber security company, that claims that over 50% of the Fortune 100's CISOs rely on them. As a subject matter expert, I can tell you that CyberArk itself may not know how to correctly assess privileged access in an Active Directory, so you see, unfortunately your CIO and CISO may not be getting the best guidance.

CyberArk is absolutely correct that "Privilege is Everywhere." However, those who know Windows Security will tell you that in a Windows network powered by Active Directory, the majority of all privileged access (delegated & unrestricted) lies inside Active Directory, but CyberArk doesn't seem to have the capability to correctly audit privileged access inside Active Directory.


The majority of all Privileged Access,including the "Keys to the Kingdom", resides inside Active Directory

CyberArk isn't alone. As unbelievable as it may sound, today even Microsoft doesn't seem to know what it takes to do so, let alone possessing the capability to help its customers correctly do so. In fact, most of the world's top IT Consulting, Audit, Cloud and Cyber Security companies also operate on Active Directory, and they too likely have neither a clue nor the capability to accurately determine exactly who has what privileged access in their own foundational Active Directory deployments.

You may find this hard to believe, but of the 1000+ cyber security companies exhibiting or presenting at the upcoming RSA Conference 2019, not a single one of them can help your organization's IT personnel fulfill such a fundamental yet paramount cyber security need - finding out exactly who has what privileged access in your organization's foundational Active Directory.

In their defense, I'll say this - if it were easy, they would've all done it by now. Unfortunately, as paramount as it is, its not easy.

Thus, I know what your CIO and CISO may perhaps not yet know, or understand the paramount importance of, which is that of all the things that need to be secured, none could possibly be more important than securing your organization's foundational Active Directory, so I thought I'd share this with you, because as a member of the C-Suite, you could provide them strategic guidance and the executive support that their teams need to accomplish this paramount objective for your organization.



In Conclusion

I only wrote this letter because we're all in this together, and I care deeply about foundational cyber security, as hopefully do you, and I felt that I could perhaps help bridge the gap between those tasked with the great responsibility of securing Active Directory (i.e. your IT personnel) and those whose executive support they need to be able to do so (i.e. you, the C-Suite.)

If any of what I shared above made sense, I would encourage you to embrace my suggestions earnestly, and act upon them, and if needed, I can prove and demonstrate every thing I've shared above, and you should feel free to take me up on this.

As for myself, all I can say is that today my work and knowledge silently help secure and defend so many of the world's most important organizations across six continents worldwide.

Thank you for your time.

Respectfully,
Sanjay Tandon.

Chairman and CEO,
Paramount Defenses



PS: Please know that I am also doing my bit to help Microsoft and the World better Understand Active Directory Security



<End Letter>

What Lies at the Foundation of Organizational Cyber Security Worldwide?

Folks,

In days to come, I'm going to answer both, the most important, and the second most important question in all of Cyber Security

Today though, I just wanted to ask a simple (rhetorical) cyber security question, so that CEOs, CIOs, CISOs and IT Directors at organizations worldwide realize just what lies at the very foundation of the cyber security of their multi-billion $ organizations.

Microsoft Active Directory

Today, at the very foundation of organizational cyber security worldwide, lie their foundational Active Directory deployments.

Consequently, it logically follows that all organizations that operate on Microsoft Active Directory are only as secure as are their foundational Active Directory deployments. After all, no matter how tall, every skyscraper is only as strong as its foundation.

In days to come, I'll share with you just how secure foundational Active Directory deployments are worldwide today - right here.

Best wishes,
Sanjay

Businesses Beware: Top 5 Cyber Security Risks

Hackers are working hard to find new ways to get your data. It’s not surprising that cyber security risk is top of mind for every risk owner, in every industry. As the frequency and complexity of malicious attacks persistently grows, every company should recognize that they are susceptible to an attack at any time—whether it comes as an external focused attack, or a social engineering attack. Let’s take a look at the top 5 risks that every risk owner should be preparing for.

  1. Your Own Users. It is commonly known, in the security industry, that people are the weakest link in the security chain. Despite whatever protections you put in place from a technology or process/policy point of view, human error can cause an incident or a breach. Strong security awareness training is imperative, as well as very effective documented policies and procedures. Users should also be “audited” to ensure they understand and acknowledge their role in policy adherence. One area that is often overlooked is the creation of a safe environment, where a user can connect with a security expert on any issue they believe could be a problem, at any time. Your security team should encourage users to reach out. This creates an environment where users are encouraged to be part of your company’s detection and response. To quote the Homeland Security announcements you frequently hear in airports, “If you see something, say something!” The biggest threat to a user is social engineering—the act of coercing a user to do something that would expose sensitive information or a sensitive system.
  2. Phishing. Phishing ranks number three in both the 2018 Verizon Data Breach Investigation Report Top 20 action varieties in incidents and Top 20 action varieties in breaches. These statistics can be somewhat misleading. For example, the first item on the Top 20 action varieties in breaches list is the use of stolen credentials; number four is privilege abuse. What better way to execute both of those attacks than with a phishing scam. Phishing coerces a user through email to either click on a link, disguised as a legitimate business URL, or open an attachment that is disguised as a legitimate business document. When the user executes or opens either, bad things happen. Malware is downloaded on the system, or connectivity to a Command and Control server on the Internet is established. All of this is done using standard network communication and protocols, so the eco-system is none the wiser—unless sophisticated behavioral or AI capabilities are in place. What is the best form of defense here? 1.) Do not run your user systems with administrative rights. This allows any malicious code to execute at root level privilege, and 2.) Train, train, and re-train your users to recognize a phishing email, or more importantly, recognize an email that could be a phishing scam. Then ask the right security resources for help. The best mechanism for training is to run safe targeted phishing campaigns to verify user awareness either internally or with a third-party partner like Connection.
  3. Ignoring Security Patches. One of the most important functions any IT or IT Security Organization can perform is to establish a consistent and complete vulnerability management program. This includes the following key functions:
  • Select and manage a vulnerability scanning system to proactively test for flaws in IT systems and applications.
  • Create and manage a patch management program to guard against vulnerabilities.
  • Create a process to ensure patching is completed.

Most malicious software is created to target missing patches, especially Microsoft patches. We know that WannaCry and Petya, two devastating attacks, targeted systems that were missing Microsoft MS17-010. Eliminating the “low-hanging-fruit” from the attack strategy, by patching known and current vulnerabilities or flaws, significantly reduces the attack-plane for the risk owner.

  1. Partners. Companies spend a lot of time and energy on Information Security Programs to address external and internal infrastructures, exposed Web services, applications and services, policies, controls, user awareness, and behavior. But they ignore a significant attack vector, which is through a partner channel—whether it be a data center support provider or a supply chain partner. We know that high-profile breaches have been executed through third partner channels, Target being the most prominent.The Target breach was a classic supply chain attack, where they were compromised through one of their HVAC vendors. Company policies and controls must extend to all third-party partners that have electronic or physical access to the environment. Ensure your Information Security Program includes all third partner partners or supply chain sources that connect or visit your enterprise. The NIST Cyber Security Framework has a great assessment strategy, where you can evaluate your susceptibility to this often-overlooked risk.
  2. Data Security. In this day and age, data is the new currency. Malicious actors are scouring the Internet and Internet-exposed corporations to look for data that will make them money. The table below from the 2018 Ponemon Institute 2018 Cost of a Data Breach Report shows the cost of a company for a single record data breach.

Cost for a Single Record Data Breach

The Bottom Line

You can see that healthcare continues to be the most lucrative target for data theft, with $408 per record lost. Finance is nearly half this cost. Of course, we know the reason why this is so. A healthcare record has a tremendous amount of personal information, enabling the sale of more sensitive data elements, and in many cases, can be used to build bullet-proof identities for identity theft. The cost of a breach in the US, regardless of industry, averages $7.9 million per event. The cost of a single lost record in the US is $258.

I Can’t Stress It Enough

Data security should be the #1 priority for businesses of all sizes. To build a data protection strategy, your business needs to:

  • Define and document data security requirements
  • Classify and document sensitive data
  • Analyze security of data at rest, in process, and in motion
  • Pay attention to sensitive data like PII, ePHI, EMR, financial accounts, proprietary assets, and more
  • Identify and document data security risks and gaps
  • Execute a remediation strategy

Because it’s a difficult issue, many corporations do not address data security. Unless your business designed classification and data controls from day one, you are already well behind the power curve. Users create and have access to huge amounts of data, and data can exist anywhere—on premises, user laptops, mobile devices, and in the cloud. Data is the common denominator for security. It is the key thing that malicious actors want access to. It’s essential to heed this warning: Do Not Ignore Data Security! You must absolutely create a data security protection program, and implement the proper policies and controls to protect your most important crown jewels.

Cyber criminals are endlessly creative in finding new ways to access sensitive data. It is critical for companies to approach security seriously, with a dynamic program that takes multiple access points into account. While it may seem to be an added expense, the cost of doing nothing could be exponentially higher. So whether it’s working with your internal IT team, utilizing external consultants, or a mix of both, take steps now to assess your current situation and protect your business against a cyber attack. Stay on top of quickly evolving cyber threats. Reach out to one of our security experts today to close your businesses cyber security exposure gap!

The post Businesses Beware: Top 5 Cyber Security Risks appeared first on Connected.

October Is National Cyber Security Awareness Month: Be Part of Something Big

2018 marks the 15th year of National Cyber Security Awareness Month (NCSAM). The Internet touches every aspect of our lives, and keeping it safe and secure is everyone’s responsibility. You can make a difference by remaining diligent and staying cyber aware. Be part of something big this month. Learn more, be aware, and get involved.

Connection is an official Champion of NCSAM. We’re dedicating the month of October to spreading the word about the importance of cyber security, and providing tools and resources to help you stay safe and secure online.

Each week during October highlights a different cyber security theme, addressing specific challenges and opportunities for change. Stay tuned for information about the top cyber security threats, careers in cyber security, and why it’s everyone’s job to ensure online safety. What are you doing to keep the Internet safer and more secure? Be sure to check back each week to stay informed, and get tips from our experts about how you can participate in keeping everyone safe online.

The post October Is National Cyber Security Awareness Month: Be Part of Something Big appeared first on Connected.

A Trillion $ Cyber Security Question for Microsoft and CISOs Worldwide

Folks,

Today, to give a hint for the answer to this 1 question, I asked possibly the most important cyber security question in the world, one that directly impacts the foundational security of 1000s of organizations worldwide, and thus one that impacts the financial security of billions of people worldwide -


What's the World's Most Important Active Directory Security Capability?




Those who don't know why this is the world's most important cyber security question may want to connect one, two and three

I sincerely hope that someone (anyone) at Microsoft, or that some CISO (any ONE) out there, will answer this ONE question.

Best wishes,
Sanjay.

Alarming! : Windows Update Automatically Downloaded and Installed an Untrusted Self-Signed Kernel-mode Lenovo Driver on New Surface Device

Folks,

Given what it is I do, I don't squander a minute of precious time, unless something is very important, and this is very important.


Let me explain why this is so alarming, concerning and so important to cyber security, and why at many organizations (e.g. U.S. Govt., Paramount Defenses etc.), this could've either possibly resulted in, or in itself, be considered a cyber security breach.

Disclaimer: I'm not making any value judgment about Lenovo ; I'm merely basing this on what's already been said.


As you know, Microsoft's been brazenly leaving billions of people and thousands of organizations worldwide with no real choice but to upgrade to their latest operating system, Windows 10, which albeit is far from perfect, is much better than Windows Vista, Windows 8 etc., even though Windows 10's default settings could be considered an egregious affront to Privacy.

Consequently, at Paramount Defenses, we too felt that perhaps it was time to consider moving on to Windows 10, so we too figured we'd refresh our workforce's PCs. Now, of the major choices available from amongst several reputable PC vendors out there, Microsoft's Surface was one of the top trustworthy contenders, considering that the entirety of the hardware and software was from the same vendor (, and one that was decently trustworthy (considering that most of the world is running their operating system,)) and that there seemed to be no* pre-installed drivers or software that may have been written in China, Russia etc.

Side-note: Based on information available in the public domain, in all likelihood, software written in / maintained from within Russia, may still likely be running as System on Domain Controllers within the U.S. Government.

In particular, regardless of its respected heritage, for us, Lenovo wasn't  an option, since it is partly owned by the Chinese Govt.

So we decided to consider evaluating Microsoft Surface devices and thus purchased a couple of brand-new Microsoft Surface devices from our local Microsoft Store for an initial PoC, and I decided to personally test-drive one of them -

Microsoft Surface



The very first thing we did after unsealing them, walking through the initial setup and locking down Windows 10's unacceptable default privacy settings, was to connect it to the Internet over a secure channel, and perform a Windows Update.

I should mention that there was no other device attached to this Microsoft Surface, except for a Microsoft Signature Type Cover, and in particular there were no mice of any kind, attached to this new Microsoft surface device, whether via USB or Bluetooth.


Now, you're not going to believe what happened within minutes of having clicked the Check for Updates button!



Windows Update
Downloaded and Installed an Untrusted
Self-Signed Lenovo Device Driver on Microsoft Surface! -

Within minutes, Windows Update automatically downloaded and had installed, amongst other packages (notably Surface Firmware,) an untrusted self-signed Kernel-mode device-driver, purportedly Lenovo - Keyboard, Other hardware - Lenovo Optical Mouse (HID), on this brand-new Microsoft Surface device, i.e. one signed with an untrusted WDK Test Certificate!

Here's a snapshot of Windows Update indicating that it had successfully downloaded and installed a Lenovo driver on this Surface device, and it specifically states "Lenovo - Keyboard, Other hardware - Lenovo Optical Mouse (HID)" -


We couldn't quite believe this.

How could this be possible? i.e. how could a Lenovo driver have been installed on a Microsoft  Surface device?

So we checked the Windows Update Log, and sure enough, as seen in the snapshot below, the Windows Update Log too confirmed that Windows Update had just downloaded and installed a Lenovo driver -


We wondered if there might have been any Lenovo hardware components installed on the Surface so we checked the Device Manager, and we could not find a single device that seemed to indicate the presence of any Lenovo hardware. (Later, we even took it back to the Microsoft Store, and their skilled tech personnel confirmed the same finding i.e. no Lenovo hardware on it.)

Specifically, as you can see below, we again checked the Device Manager, this time to see if it might indicate the presence of any Lenovo HID, such as a Lenovo Optical Mouse, and as you can see in the snapshot below, the only two Mice and other pointing devices installed on the system were from Microsoft - i.e. no Lenovo mouse presence indicated by Device Manager -



Next, we performed a keyword search of the Registry, and came across a suspicious Driver Package, as seen below -


It seemed suspicious to us because as can be seen in the snapshot above, all of the other legitimate driver package keys in the Registry had (as they should) three child sub-keys i.e. Configurations, Descriptors and Strings, but this specific one only had one subkey titled Properties, and when we tried to open it, we received an Access Denied message!

As you can see above, it seemed to indicate that the provider was Lenovo and that the INF file name was phidmou.inf, and the OEM path was "C:\Windows\SoftwareDistribution\Download\Install", so we looked at the file system but this path didn't seem to exist on the file-system. So we performed a simple file-system search "dir /s phidmou.*" and as seen in the snapshot below, we found one instance of such a file, located in C:\Windows\System32\DriverStore\FileRepository\.

Here's that exact location on the file-system, and as evidenced by the Created date and time for that folder, one can see that this folder (and thus all of its contents), were created on April 01, 2018 at around 1:50 am, which is just around the time the Windows Update log too confirmed that it had installed the Lenovo Driver -



When we opened that location, we found thirteen items, including six drivers -


Next, we checked the Digital Signature on one of the drivers, PELMOUSE.SYS, and we found that it was signed using a self-signed test Windows Driver certificate, i.e. the .sys files were SELF-SIGNED by a WDKTestCert and their digital signatures were NOT OK, in that they terminated in a root certificate that is not trusted by the trust provider -


Finally, when we clicked on the View Certificate button, as can be seen below, we could see that this driver was in fact merely signed by a test certificate, which is only supposed to be used for testing purposes during the creation and development of Kernel-mode drivers. Quoting from Microsoft's documentation on Driver Testing "However, eventually it will become necessary to test-sign your driver during its development, and ultimately release-sign your driver before publishing it to users." -


Clearly, the certificate seen above is NOT one that is intended to be used for release signing, yet, here we have a Kernel-mode driver downloaded by Windows Update and installed on a brand new Microsoft surface, and all its signed by is a test certificate, and who knows who wrote this driver!

Again, per Microsoft's guidelines on driver signing, which can also be found here, "After completing test signing and verifying that the driver is ready for release, the driver package has to be release signed", and AFAIK, release signing not only requires the signer to obtain and use a code-signing certificate from a code-signing CA, it also requires a cross cert issued by Microsoft.

If that is indeed the case, then a Kernel-mode driver that is not signed with a valid code-signing certificate, and one whose digital signature does not contain Microsoft's cross cert, should not even be accepted into the Windows Update catalog.

It is thus hard to believe that a Windows Kernel-Mode Driver that is merely self-signed using a test certificate would even make it into the Windows Update catalog, and further it seems that in this case, not only did it make it in, it was downloaded, and in fact successfully installed onto a system, which clearly seems highly suspicious, and is fact alarming and deeply-concerning!

How could this be? How could Windows Update (a trusted system process of the operating system), which we all (have no choice but to) trust (and have to do so blindly and completely) have itself installed an untrusted self-signed Lenovo driver (i.e. code running in Kernel-Mode) on a Microsoft Surface device?

Frankly, since this piece of software was signed using a self-signed test cert, who's to say this was even a real Lenovo driver? It could very well be some malicious code purporting to be a Lenovo driver. Or, there is also the remote possibility that it could be a legitimate Lenovo driver, that is self-signed, but if that is the case, its installation should not have been allowed to succeed.



Unacceptable and Deeply Concerning

To us, this is unacceptable, alarming and deeply concerning, and here's why.


We just had, on a device we consider trustworthy (, and could possibly have engaged in business on,) procured from a vendor we consider trustworthy (considering that the entire world's cyber security ultimately depends on them), an unknown, unsigned piece of software of Chinese origin that is now running in Kernel-mode, installed on the device, by this device's vendor's (i.e. Microsoft's) own product (Windows operating system's) update program!

We have not had an opportunity to analyze this code, but if it is indeed malicious in any way, in effect, it would've, unbeknownst to us and for no fault of ours, granted System-level control over a trusted device within our perimeter, to some entity in China.

How much damage could that have caused? Well, suffice it to say that, for they who know Windows Security well, if this was indeed malicious, it would've been sufficient to potentially compromise any organization within which this potentially suspect and malicious package may have been auto-installed by Windows update. (I've elaborated a bit on this below.)

In the simplest scenario, if a company's Domain Admins had been using this device, it would've been Game Over right there!

This leads me to the next question - we can't help but wonder how many such identical Surface devices exist out there today, perhaps at 1000s of organizations, on which this suspicious unsigned Lenovo driver may have been downloaded and installed?

This also leads me to another very important question - Just how much trust can we, the world, impose in Windows Update?

In our case, it just so happened to be, that we happened to be in front of this device during this Windows update process, and that's how we noticed this, and by the way, after it was done, it gave the familiar Your device is upto date message.

Speaking which, here's another equally important question - For all organizations that are using Windows Surface, and may be using it for mission-critical or sensitive purposes (e.g. AD administration), what is the guarantee that this won't happen again?

I ask because if you understand cyber security, then you know, that it ONLY takes ONE instance of ONE malicious piece of software to be installed on a system, to compromise the security of that system, and if that system was a highly-trusted internal system (e.g. that machine's domain computer account had the "Trusted for Unconstrained Delegation" bit set), then this could very likely also aid perpetrators in ultimately gaining complete command and control of the entire IT infrastructure. As I have already alluded to above, if by chance the target/compromised computer was one that was being used by an Active Directory Privileged User, then, it would be tantamount to Game Over right then and there!

Think about it - this could have happened at any organization, from say the U.S. Government to the British Government, or from say a Goldman Sachs to a Palantir, or say from a stock-exchange to an airline, or say at a clandestine national security agency to say at a nuclear reactor, or even Microsoft itself. In short, for absolutely no fault of theirs, an organization could potentially have been breached by a likely malicious piece of software that the operating system's own update utility had downloaded and installed on the System, and in 99% of situations, because hardly anyone checks what gets installed by Windows Update (now that we have to download and install a whopping 600MB patch every Tuesday), this would likely have gone unnoticed!

Again, to be perfectly clear, I'm not saying that a provably malicious piece of software was in fact downloaded and installed on a Microsoft Surface device by Windows Update. What I'm saying is that a highly suspicious piece of software, one that was built and intended to run in Kernel-mode and yet was merely signed with a test certificate, somehow was automatically downloaded and installed on a Microsoft Surface device, and that to us is deeply concerning, because in essence, if this could happen, then even at organizations that may be spending millions on cyber security, a single such piece of software quietly making its way in through such a trusted channel, could possibly instantly render their entire multi-million dollar cyber security apparatus useless, and jeopardize the security of the entire organization, and this could happen at thousands of organizations worldwide.

With full respect to Microsoft and Mr. Nadella, this is deeply concerning and unacceptable, and I'd like some assurance, as I'm sure would 1000s of other CEOs and CISOs, that this will never happen again, on any Surface device, in any organization.

In our case, this was very important, because had we put that brand new Surface device that we procured from none other than the Microsoft Store, into operation (even it we had re-imaged it with an ultra-secure locked-down internal image), from minute one, post the initial Windows update, we would likely have had a potentially compromised device running within our internal network, and it could perhaps have led to us being breached.



If I Were Microsoft, I'd Send a Plane

Dear Microsoft, we immediately quarantined that Microsoft Surface device, and we have it in our possession.


If I were you, I'd send a plane to get it picked up ASAP, so you can thoroughly investigate every little aspect of this to figure out how this possibly happened, and get to the bottom of it! (Petty process note: The Microsoft Store let us keep the device for a bit longer, but will not let us return the device past June 24, and the only reason we've kept it, is in case you'd want to analyze it.)

Here's why. At the very least, if I were still at Microsoft, and in charge of Cyber Security -
  1. I'd want to know how an untrusted Kernel-mode device driver made it into the Windows Catalog
  2. I'd want to know why a Microsoft Surface device downloaded a purportedly Lenovo driver
  3. I'd want to know how Windows 10 permitted and in fact itself installed an untrusted driver
  4. I'd want to know exactly which SKUs of Microsoft Surface this may have happened on
  5. I'd want to know exactly how many such Microsoft Surface devices out there may have downloaded this package 

Further, and as such, considering that Microsoft Corp itself may easily have thousands of Surface devices being used within Microsoft itself, if I were still with Microsoft CorpSec, I'd certainly want to know how many of their own Surface devices may have automatically downloaded and installed this highly suspicious piece of untrusted self-signed software.


In short, Microsoft, if you care as deeply about cyber security as you say you do, and by that I'm referring to what Mr. Nadella, the CEO of Microsoft, recently said (see video below: 0:40 - 0:44) and I quote "we spend over a billion dollars of R&D each year, in building security into our mainstream products", then you'll want to get to the bottom of this, because other than the Cloud, what else could be a more mainstream product for Microsoft today than, Microsoft Windows and Microsoft Surface ?! -



Also, speaking of Microsoft's ecosystem, it indeed is time to help safeguard Microsoft's global ecosystem. (But I digress,)



In Conclusion

Folks, the only reason I decided to publicly share this is because I care deeply about cyber security, and I believe that this could potentially have impacted the foundational cyber security of any, and potentially, of thousands of organizations worldwide.


Hopefully, as you'll agree, a trusted component (i.e. Windows Update) of an operating system that virtually the whole world will soon be running on (i.e. Windows 10), should not be downloading and installing a piece of software that runs in Kernel-mode, when that piece of software isn't even digitally signed by a valid digital certificate, because if that piece of software happened to be malicious, then in doing so, it could likely, automatically, and for no fault of its users, instantly compromise the cyber security of possibly thousands of organizations worldwide. This is really as simple, as fundamental and as concerning, as that. 

All in all, the Microsoft Surface is an incredible device, and because, like Apple's computers, the entire hardware and software is in control of a single vendor, Microsoft has a huge opportunity to deliver a trustworthy computing device to the world, and we'd love to embrace it. Thus, it is vital for Microsoft to ensure that its other components (e.g. Update) do not let the security of its mainstream products down, because per the Principle of Weakest Link, "a system is only as secure as is its weakest link."


By the way, I happen to be former Microsoft Program Manager for Active Directory Security, and I care deeply for Microsoft.

For those may not know what Active Directory Security is (i.e. most CEOs, a few CISOs, and most employees and citizens,) suffice it to say that global security may depend on Active Directory Security, and thus may be a matter of paramount defenses.

Most respectfully,
Sanjay


PS: Full Disclosure: I had also immediately brought this matter to the attention of the Microsoft Store. They escalated it to Tier-3 support (based out of New Delhi, India), who then asked me to use the Windows Feedback utility to share the relevant evidence with Microsoft, which I immediately and dutifully did, but/and I never heard back from anyone at Microsoft in this regard again.

PS2: Another small request to Microsoft - Dear Microsoft, while at it, could you please also educate your global customer base about the paramount importance of Active Directory Effective Permissions, which is the ONE capability without which not a single object in any Active Directory deployment can be adequately secured! Considering that Active Directory is the foundation of cyber security of over 85% of all organizations worldwide, this is important. Over the last few years, we've had almost 10,000 organizations from 150+ countries knock at our doors, and virtually none of them seem to know this most basic and cardinal fact of Windows Security. I couldn't begin to tell you how shocking it is for us to learn that most Domain Admins and many CISOs out there don't have a clue. Can you imagine just how insecure and vulnerable an organization whose Domain Admins don't even know what Active Directory Effective Permissions are, let alone possessing this paramount capability, could be today?

2017 – The Year The World Realized the Value of Active Directory Security

Folks,

As we get ready to bid farewell to 2017, it may be fitting to recap notable happenings in Active Directory Security this year.

This appears to have been the year in which the mainstream Cyber Security community finally seems to have realized just how important and in fact paramount Active Directory Security is to cyber security worldwide, in that it appears that they may have finally realized that Active Directory is the very heart and foundation of privileged access at 85% of organizations worldwide!


I say so only because it appears to have been in this year that the following terms seem to have become mainstream cyber security buzzwords worldwide - Privileged User, Privileged Access, Domain Admins, Enterprise Admins, Mimikatz DCSync, AdminSDHolder, Active Directory ACLs, Active Directory Privilege Escalation, Sneaky Persistence in Active Directory, Stealthy Admins in Active Directory, Shadow Admins in Active Directory, Domain Controllers, Active Directory Botnets, etc. etc.



Active Directory Security Goes Mainstream Cyber Security

Here are the 10 notable events in Active Directory Security that helped it get mainstream cyber security attention this year -


  1. Since the beginning on the year, i.e. January 01, 2017, Mimikatz DCSync, an incredibly and dangerously powerful tool built by Benjamin Delpy, that can be used to instantly compromise the credentials of all Active Directory domain user accounts in an organization, including those of all privileged user accounts, has been gaining immense popularity, and appears to have become a must-have tool in every hacker, perpetrator and cyber security penetration-tester's arsenal.

  2. On May 15, 2017, the developers of BloodHound introduced version 1.3, with the objective of enhancing its ability to find privilege escalation paths in Active Directory that could help find out "Who can become Domain Admin?"  From that point on, Bloodhound, which is massively inaccurate, seems to have started becoming very popular in the hacking community.

  3. On June 08, 2017, CyberArk a Billion+ $ cyber-security company, and the self-proclaimed leader in Privileged Account Security, introduced the concept of Shadow Admins in Active Directory, as well as released a (massively inaccurate) tool called ACLight to help organizations identify all such Shadow Admins in Active Directory deployments worldwide.

  4. On June 14, 2017, Sean Metcalf, an Active Directory security enthusiast penned an entry-level post "Scanning for Active Directory Privileges and Privileged Accounts" citing that Active Directory Recon is the new hotness since attackers, Red Teamers and penetration testers have realized that control of Active Directory provides power over the organization!

  5. On July 11, 2017, Preempt, a Cyber Security announced that they had found a vulnerability in Microsoft's implementation of LDAP-S that permits the enactment of an NTLM relay attack, and in effect could allow an individual to effectively impersonate a(n already) privileged user and enact certain LDAP operations to gain privileged access. 

  6. On July 26, 2017, the developers of (massively inaccurate) BloodHound gave a presentation titled An ACE Up the Sleeve - Designing Active Directory DACL Backdoors at the famed Black Hat Conference USA 2017. This presentation at Black Hat likely played a big role in bringing Active Directory Security to the forefront of mainstream Cyber Security.

  7. Also on July 26, 2017, a second presentation on Active Directory Security at the Black Hat Conference titled The Active Directory Botnet introduced the world to a new attack technique that exploits the default access granted to all Active Directory users, to setup command and control servers within organizations worldwide. This too made waves.

  8. On September 18, 2017, Microsoft's Advanced Threat Analytics (ATA) Team penned a detailed and insightful blog post titled Active Directory Access Control List - Attacks and Defense, citing that recently there has been a lot of attention regarding the use of Active Directory ACLs for privilege escalation in Active Directory environments. Unfortunately, in doing so Microsoft inadvertently ended up revealing just how little its ATA team seems to know about the subject.

  9. On December 12, 2017, Preempt, a Cyber Security announced that they had found a flaw in Microsoft's Azure Active Directory Connect software that could allow Stealthy Admins to gain full domain control. They also suggested that organizations worldwide use their (massively inaccurate) tooling to find these Stealthy Admins in Active Directory.

  10. From January 26, 2017 through December 27, 2017, Paramount Defenses' CEO conducted Active Directory Security School for Microsoft, so that in turn Microsoft could help not just every entity mentioned in points 1- 9 above, but the whole world realize that in fact the key and the only correct way to mitigate each one of the security risks and challenges identified in points 1 - 9  above, lies in Active Directory Effective Permissions and Active Directory Effective Access.





Helping Defend Microsoft's Global Customer Base
( i.e. 85% of  Organizations Worldwide )

Folks, since January 01, 2017, both, as former Microsoft Program Manager for Active Directory Security and as the CEO of Paramount Defenses, I've penned 50+ insightful blog posts to help educate thousands of organizations worldwide about...


...not just the paramount importance of Active Directory Security to their foundational security, but also about how to correctly secure and defend their foundational Active Directory from every cyber security risk/challenge covered in points 1- 9 above.

This year, I ( / we) ...

  1. conducted 30-days of advanced Active Directory Security School for the $ 650+ Billion Microsoft Corporation

  2. showed thousands of organizations worldwide How to Render Mimikatz DCSync Useless in their Active Directory

  3. helped millions of pros (like Mr. Metcalf) worldwide learn How to Correctly Identify Privileged Users in Active Directory

  4. helped the developers of BloodHound understand How to Easily Identify Sneaky Persistence in Active Directory

  5. helped Microsoft's ATA Team learn advanced stuff About Active Directory ACLs - Actual Attack and Defense

  6. showed CyberArk, trusted by 50% of Fortune 100 CISOs, How to Correctly Identify Shadow Admins in Active Directory

  7. helped cyber security startup Preempt's experts learn How to Correctly Identify Stealthy Admins in Active Directory

  8. helped the presenters of The Active Directory Botnet learn How to Easily Solve the Problem of Active Directory Botnets

  9. helped millions of cyber security folks worldwide understand and illustrate Active Directory Privilege Escalation

  10. Most importantly, I helped thousands of organizations worldwide, including Microsoft, understand the paramount importance of Active Directory Effective Permissions and Active Directory Effective Access to Active Directory Security


In fact, we're not just providing guidance, we're uniquely empowering organizations worldwide to easily solve these challenges.





Summary

All in all, its been quite an eventful year for Active Directory Security (, and one that I saw coming over ten years ago.)

In 2017, the mainstream cyber security community finally seem to have realized the importance of Active Directory Security.


Perhaps, in 2018, they'll realize that the key to Active Directory Security lies in being able to accurately determine this.

Best wishes,
Sanjay.

PS: Why I do, What I Do.

Why I Do, What I Do

Folks,

I trust you're well. Today, I just wanted to take a few minutes to answer a few questions that I've been asked so many times.


Here are the answers to the Top-5 questions I am frequently asked -

  1. You're the CEO of a company (Paramount Defenses), so why do you blog so often, and how do you have time to do so?

    Good question. This is a bit of a unique situation, in that whilst I am the CEO of a company, I am also a subject matter expert in Active Directory Security (simply by virtue of my background) and thus I feel that it is my civic duty to help organizations understand the paramount importance of securing their foundational Active Directory deployments.

    In fact, over the last 7+ years, I've penned 150+ blog posts on Active Directory Security (here) and Cyber Security (here) on various topics such as Active Directory Privilege Escalation, the OPM Breach, Kerberos Token Bloat, Eff Perms, AdminSDHolder, Mimikatz DCSync, Sneaky Persistence, How to Correctly Identify Stealthy Admins in Active Directory, How to Correctly Identify Shadow Admins in Active Directory etc. and most recently on Active Directory Botnets.

    As to how I have the time to do so, that's actually not that difficult. We have a world-class team at Paramount Defenses, and I've been able to delegate a substantial amount of my CEO-related work amongst our executive leadership team.




  2. Speaking of which, how big is Paramount Defenses?

    At Paramount Defenses, we believe that less is more, so our entire global team is less than a 100 people. For security reasons, 100% of our staff are U.S. Citizens, and to-date, the entirety of our R&D team are former Microsoft employees.

    If by how big we are, you meant how many organizations we impact, today our unique high-value cyber security solutions and insights help adequately secure and defend thousands of prominent organizations across six continents worldwide.




  3. Why is it just you (and why aren't your employees) on Social Media (e.g. LinkedIn, Facebook, Twitter etc.)?

    The simple answer to this question - For Security Reasons.

    At Paramount Defenses, we care deeply about cyber security, so we also strive to lead by example in every way.

    As it pertains to cyber security, we have found that the presence of an organization's employees on social-media almost always results in excessive information disclosure that could be very valuable for hackers and various other entities who may have malicious intent, so our corporate policies do not permit a social media presence.

    Also, we're not huge fans of Twitter, and we certainly don't care about being on Facebook. We do like and appreciate LinkedIn, and in fact, we lead the world's largest community of Active Directory Security Professionals on LinkedIn.




  4. What do you intend to accomplish by blogging?

    The intention is to help organizations worldwide understand just how profoundly important Active Directory Security is to organizational cyber security, and how paramount Active Directory Effective Permissions are to Active Directory Security.

    That's because this impacts global security today, and here's why -




    You see, the Crown Jewels of cyber security reside in Active Directory, and if they're compromised, its Game Over. By Crown Jewels, I'm referring to privileged access, or as commonly known, Domain Admin equivalent accounts.

    It is a fact that 100% of all major recent cyber security breaches (except Equifax) involved the compromise of a single Active Directory privileged user account. Such accounts are Target #1 for hackers, which is why it is so very important that organizations be able to exactly identify and minimize the number of such privileged accounts in Active Directory.

    Now, when it comes to identifying privileged user accounts in Active Directory, most organizations focus on enumerating the memberships of their default administrative groups in Active Directory, and that's it. Unfortunately, that's just the Tip of the Iceberg, and we have found that most of them do not even seem to know that in fact there are FAR many more accounts with varying levels of elevated admin/privileged access in Active Directory than they seem to know about.

    This isn't a secret; its something you know if you've ever heard about Active Directory's most powerful and capable cyber security feature - Delegation of Administration. The truth is that at most organizations, a substantial amount of delegation has been done over the years, yet no one seems to have a clue as to who has what privileged access. Here's why.

    In fact, Active Directory privileged access accounts have been getting a lot of attention lately, because so many cyber security experts and companies are starting to realize that there exists a treasure-trove of privileged access in Active Directory. Thus, recently many such cyber security expert and companies have started shedding light on them (for example, one, two, three etc.), and some have even started developing amateur tools to identify such accounts.

    What these experts and companies may not know is that their amateur tools are substantially inaccurate since they rely on finding out "Who has what Permissions in Active Directory" WHEREAS the ONLY way to correctly identify privileged user accounts in Active Directory is by accurately finding out "Who has what Effective Permissions in Active Directory?"

    On a lighter note, I find it rather amusing that for lack of knowing better, most cyber security experts and vendors that may be new to Active Directory Security have been referring to such accounts as Stealthy Admins, Shadow Admins etc.

    To make matters worse, there are many prominent vendors in the Active Directory space that merely offer basic Active Directory Permissions Analysis/Audit Tooling, yet they mislead organizations by claiming to help them "Find out who has what privileged access in Active Directory," and since so many IT personnel don't seem to know better, they get misled.

    Thus, there's an imperative need to help organizations learn how to correctly audit privileged users in Active Directory.

    Consequently, the intention of my blogging is to HELP thousands of organizations and cyber security experts worldwide UNDERSTAND that the ONLY correct way to identify privileged users in Active Directory is by accurately determining effective permissions / effective access in Active Directory. There is only ONE correct way to accomplish this objective.




  5. Why have you been a little hard on Microsoft lately?

    Let me begin by saying that I deeply love and care for Microsoft. It may appear that I may have been a tad hard on them, but that is all well-intentioned and only meant to help them realize that they have an obligation to their global customer base to adequately educate them about various aspects of cyber security in Windows, particularly the most vital aspects.

    In that regard, if you truly understand cyber security in Windows environments, you know that Active Directory Effective Permissions and Active Directory Effective Access play an absolutely paramount role in securing Windows deployments worldwide, and since Active Directory has been around for almost two decades by now, one would expect the world to unequivocally understand this by now. Unfortunately, we found that (as evidenced above) no one seems to have a clue.

    You may be surprised if I were to share with you that at most organizations worldwide, hardly anyone seems to even know about what Active Directory Effective Permissions are, let alone why they're paramount to their security, and this a highly concerning fact, because this means that most organizations worldwide are operating in the proverbial dark today.

    It is upon looking into the reason for this that we realized that in the last decade, it appears that (for whatever reason) Microsoft may not have educated its global customer based about Active Directory Effective Permissions at all - Proof.

    Thus, it is in the best interest of organizations worldwide that we felt a need to substantially raise awareness.

    As to how on earth Microsoft may have completely forgotten to educate the world about this, I can only guess that perhaps they must've gotten so involved in building their Cloud offering and dealing with the menace of local-machine credential-theft attack vectors that they completely seem to have missed this one paramount aspect of Windows security.

    Fortunately for them and the world, we've had our eye on this problem for a decade know and we've been laser-focused. Besides, actions speak louder than words, so once you understand what it is we do at Paramount Defenses, you'll see that we've done more to help secure Microsoft's global customer base than possibly any other company on the planet.

    Those who understand what we've built, know that we may be Microsoft's most strategic ally in the cyber security space.


Finally, the most important reason as to why I do, what I do is because I care deeply and passionately about cyber security.

Best wishes,

Time to DEMONSTRATE Thought Leadership in the Cyber Security Space

Folks,

Hope you're all well. Last year I had said that it was time for us to provide Thought Leadership to the Cyber Security space.


Since then, I've penned over 50 blog posts, on numerous important topics,
and helped 1000s of organizations worldwide better understand -

  1. The Importance of Active Directory Security

  2. Insight into Active Directory ACLs - Attack and Defense

  3. How to Defend Active Directory Against Cyber Attacks

  4. How to Mitigate the Risk Posed by Mimikatz DCSync

  5. How to Thwart Sneaky Persistence in Active Directory

  1. How to Identify Stealthy Admins in Active Directory

  2. Understand Windows Elevation of Privilege Vulnerability

  3. Illustrate Active Directory Privilege Escalation

  4. Correctly Identify Privileged Users in Active Directory

  5. Importance of Active Directory Effective Permissions
There's so much more to share, and I will continue to do so.





A Paramount Global Cyber Security Need

Today, I wanted to take a moment to touch upon one (not so) little aspect of cyber security that today profoundly impacts the foundational security of 85% of all business and government organizations worldwide, including most cyber security companies.

Folks, I am talking about empowering organizations worldwide identify exactly who holds the proverbial "Keys to the Kingdom" i.e. helping them accurately identify exactly who actually possesses what privileged access in Active Directory deployments.


The reason this is so important is because 100% of all major recent cyber security breaches (e.g. Snowden, Target, JP Morgan, Sony, Anthem, OPM) involved the compromise and misuse of guess what - just ONE Active Directory Privileged User Account.

Since we've been silently working on this 2006, we've a head start of about a decade. Over the last few months, we've seen several prominent vendors finally realize the importance of doing so, and we've seen them share guidance to this subject.

Unfortunately, just about every piece of advice out there, whether it be from prominent cyber security experts or billion dollar cyber security companies, on how to actually correctly audit privileged access in Active Directory, is dangerously inaccurate.





Thought Leadership

There's an old saying - "Actions Speak Louder Than Words." While there's no dearth of talk by so many big names out there on how to improve cyber security, identify privileged users etc., the key to actually (demonstrably and provably) enhancing cyber security lies in actually helping organizations do so, and we've been silently at work for a decade to help organizations do so.

So, in days to come, right here on this blog, I'm going to (hopefully for one last time), share exactly how organizations worldwide can today accurately and efficiently identify privileged access in their foundational Active Directory deployments worldwide.


In doing so, we will yet again demonstrate Thought Leadership in the Cyber Security space. By the way, this is neither about us, nor about pride. I've already said I'm just a nobody (, whose work possibly impacts everybody.) This is about a desire to help.

So, that post should be out right here on this blog next week, possibly as early as Monday morning.

Best wishes,
Sanjay

Protecting Critical Infrastructure from Cyber Threats

We’ve made it to week five of National Cyber Security Awareness Month (NCSAM)! The theme this week is “Protecting Critical Infrastructure from Cyber Threats.” The basic infrastructure that supports our daily lives is deeply dependent on the Internet, and, therefore, continually exposed to the risk of new threats and cyber attacks. As security breaches grow in frequency and sophistication every day, it’s crucial to build resiliency and then take steps to protect critical infrastructure to remain safe and secure online.

During the last week of NCSAM, the experts at Connection would like to remind you of the importance of identifying current and future strategies to protect your infrastructure and manage your risk. Cyber security is one of the biggest challenges organizations face today. Regardless of size or industry, every organization must ask themselves, is my security strategy up to date? If your organization is looking to stay on the front line of cyber security, it’s imperative to know how an end-to-end risk management strategy can help you properly secure your infrastructure.

Our security experts have an abundance of experience, and several areas of expertise we can put to work for you. We are committed to keeping your organization safe and secure, and can help design, deploy, and support solutions to address your critical risks and defend your critical infrastructure. For more information, contact one of our security experts today!

The post Protecting Critical Infrastructure from Cyber Threats appeared first on Connected.

NCSAM, Week Five: Protecting Critical Infrastructure

It’s Week 5 of National Cyber Security Awareness Month (NCSAM). This week, the focus is on protecting critical infrastructure—the essential systems that support our daily lives such as the electric grid, financial institutions, and transportation. Unfortunately, attacks on critical infrastructure have become a concern worldwide. A devastating attack isn’t just a theoretical possibility anymore. As we’ve recently seen with Equifax, and other security breaches in healthcare and other industries, the growing threat of serious attacks on critical infrastructure is real. These days, hackers have become much more formidable, and we will undoubtedly see more of these attacks in the future. It’s no longer a matter of if there will be another attack, but when. Let’s celebrate this last week of NCSAM by staying aware and being prepared.

Protecting your infrastructure requires constant vigilance and attention to evolving cyber attacks. Risk is inherent in everything we do, so trying to stay ahead of the cyber security curve is key. Our team of security experts can help you build a security strategy to detect, protect, and react to the complete threat lifecycle. The threats we all need to manage today evolve quickly, and we can help you minimize your risk and maximize your defenses to improve your cyber resiliency. For some expert insight on securing your critical infrastructure, give us a call and discover the Connection difference.

The post NCSAM, Week Five: Protecting Critical Infrastructure appeared first on Connected.

The New Security Reality

It’s week 4 of National Security Awareness Month (NCSAM). Each week of NCSAM is dedicated to a specific cybersecurity theme. The theme this week is “The Internet Wants YOU: Consider a Career in Cyber Security.”

With the continuous state of change in the global threat landscape, organizations face cyber attacks and security breaches that are growing in frequency and sophistication every day. But now, consider this: according to a study by the Center for Cyber Safety and Education, there will be a shortage of 1.8 million information security workers by 2022. This gap should be of great concern to organizations.

Skilled people make the difference in protecting sensitive data, so it’s more critical than ever that organizations begin to attract and retain the cybersecurity talent needed to defend against the evolving threat landscape. At Connection, we help inspire individuals coming out of universities to engage in co-op or intern-related opportunities, and I strongly encourage other organizations to see what they can do to help young people today who are really interested in building their skills in this area.

The figures don’t lie. The demand for cyber security will only continue to grow. Through local collaborative efforts between employers, training providers, and community leaders, we can ensure individuals have the opportunity to build on their tech knowledge and participate in a secure, thriving economy.

The post The New Security Reality appeared first on Connected.

Cyber Security Careers Are in High Demand

October is National Cyber Security Awareness Month, which is an annual campaign to raise awareness about the importance of cyber security. Week 4 of NCSAM is all about the growing field of cyber security and why you might want to consider this career.

It’s impossible to overstate the importance of security in today’s digital world. Cyber attacks are growing in frequency and sophistication every day, and a key risk to our economy and security is the lack of professionals to protect our growing networks. According to a study by the Center for Cyber Safety and Education, by 2022, there will be a shortage of 1.8 million information security workers. So, it’s critical that that we begin now to prepare our students—and any others who are interested in making a career move—to fill these gaps. Many colleges and universities have developed information assurance programs that help technical, security-minded students achieve a great foundation in this industry. We also challenge corporations to offer intern and co-op opportunities for students in these degree programs, so they can see what security looks like in practical, business-world applications.

Connection is committed to promoting cyber security and online safety. Join Connection during Week 4 of NCSAM, as we explore cyber security as a viable and rewarding profession and encourage people from all backgrounds to see information security as an essential career path.

Read this next:

 

The post Cyber Security Careers Are in High Demand appeared first on Connected.

WPA2 Hacks and You

The world has been rocked once again with a serious flaw in a basic security mechanism that we all take for granted to keep us safe and secure. According to Dark Reading, researchers at Belgium’s University of Leuven have uncovered as many as 10 critical vulnerabilities in the Wi-Fi Protected Access II (WPA2) protocol used to secure Wi-Fi networks. This is a protocol that—as we have all learned over the last several years—must be configured to keep us safe.

The key reinstallation attack—or KRACKs—impacts all modern wireless networks using the WPA2 protocol. The flaw gives attackers the ability to decrypt data packets that make all private (encrypted) communication no longer private. Although the flaw requires the attacker to have close proximity to the network to execute, this is especially bad news for those with far-reaching wireless signals—such as hotel and hospital lobbies—where an attacker can just sit down and work their trade.

The Vulnerability Notes Database provides a summary and detailed description of the vulnerabilities. It includes a list of vendors who may be affected by the vulnerability, and a status field indicating whether the vendor has any products that are affected.

What can you do?

Vendors are currently identifying their affected products and working on patches to address this attack. In the meantime, here are a few things you can do to keep your information safe:

  1. Apply patches as they are released
  2. Pay careful attention to your wireless environment
  3. Watch for people and technology that look out of place
  4. Utilize a trusted VPN solution
  5. When possible, transfer data over an encrypted channel—such as HTTPS
  6. Restrict sensitive information that would normally pass over a wireless network
  7. And, as always, it’s a good practice to monitor access logs and wireless traffic to look for anomalies in standard business communication

How has this WiFi vulnerability affected your organization? Leave a comment bellow to share your experience and any additional advice you have for staying protected.

Read this next:

 

The post WPA2 Hacks and You appeared first on Connected.

Shut Down Unlikely Attack Vectors in Your Organization

As a security professional, I probably take security more seriously than most. But when we start talking about the Internet of Things (IoT), the science fiction buff in me comes to the forefront a little bit. While we don’t want any kind of attacks to happen to our organizations, it can be a little fun to imagine the crazy ways hackers can use mundane appliances to hack into a network.

For example, earlier this year, a North American casino was hacked through a smart fish tank. Since the equipment in the tank was connected to the Internet, attackers were able to use that as their vector for network access. Fortunately, the breach was discovered quickly afterward—and you never want to hear about security breaches like this, but it certainly does make for a unique story.

That highlights the risks that are out there today. If you’re connected to the Internet, you are vulnerable to attacks. With IoT and the proliferation of smart devices, we’re starting to see some creativity from hackers that is not necessarily being counteracted with the appropriate level of security controls. That fancy fish tank certainly didn’t have the appropriate level of security controls. Having “regular” devices connect to the Internet can bring flexibility and manageability, but it also opens up more vulnerabilities.

That risk is something that everybody needs to understand. Basically, like any good risk owner, you need to think about what device you have, how it’s connecting, where it’s connecting to, and whether or not that connection has a level of security that meets your policy and control expectations. Honestly, what I’ve seen is that because of the easy and seamless connectivity of these smart devices, a lot of organizations are not thinking about necessary security measures. They aren’t quite seeing that a fish tank or a biomedical device or even an HVAC system can be just as vulnerable to attack as a server or application.

So how do you keep your network and data safe and still take advantage of the benefits of the IoT? Employ the same techniques I spoke of last week: protect, detect, and react. Assess, document, and validate risks. Make sure that you have a complete and total information security risk management or risk governance program. Apply these techniques and programs to every single device on your network, no matter how low-level it may seem. Something as normal as a thermostat or refrigerator could be a gateway for a hacker.

Our experts can help you assess your environment for risks and vulnerable points in your network, and help you put together a comprehensive security program that doesn’t leave out anything—even your lobby fish tank or break room fridge.

The post Shut Down Unlikely Attack Vectors in Your Organization appeared first on Connected.

A Massive Cyber Breach at a Company Whilst it was Considering the ‘Cloud’

(A Must-Read for all CEOs, CFOs, CIOs, CISOs, Board Members & Shareholders Today)


Folks,

Today was supposed to be an exciting Friday morning at a Multi-Billion $ organization since the world's top Cloud Computing companies were going to make their final pitches to the company's C-Suite today, as it was considering moving to the "Cloud."

With Cloud Computing companies spending billions to market their latest Kool-Aid to organizations worldwide (even though much of this may actually not be ready for mission-critical stuff), how could this company too NOT be considering the Cloud?



The C-Suite Meeting

Today was a HUGE day for this multi-billion dollar company, for today after several months of researching and evaluating their choices and options, the company's leadership would finally be deciding as to which Cloud Computing provider to go with.


This meeting is being chaired by the Chairman of the Board and attended by the following organizational employees -

  1. Chief Executive Officer (CEO)

  2. Chief Financial Officer (CFO)
  1. Chief Information Officer (CIO)

  2. Chief Information Security Officer (CISO)

 Also in attendance are about a dozen Vice Presidents, representing Sales, Marketing, Research and Development etc.




Meeting In-Progress

After breakfast, the presentations began at 9:00 am. The organization's CIO kicked off the meeting, rattling off the numerous benefits that the company could enjoy by moving to the Cloud, and minutes later the Vice President of Cloud Computing from the first Cloud Computing company vying for their business started his presentation. His presentation lasted two hours.

The C-Suite then took a break for lunch.

The next presentation began at 1:00 pm and was expected to last till about 4:00 pm. The Vice President of Cloud Computing from the second Cloud Computing company had started her presentation and was almost an hour into it, when all of a sudden this happened...

... the CISO's assistant unexpectedly entered the room, went straight to the CISO and whispered something into his ear.

Everyone was surprised, and all eyes were on the CISO, who grimly asked his assistant - "Are you 100% sure?"  He said "Yes."





Houston, We Have a Problem

The CISO walked up to the CIO and whispered something into his ear. The CIO sat there in complete shock for a moment!


He then gathered himself and proceeded to request everyone except the C-Suite to immediately leave the conference room.

He told the Vice President of this Cloud Computing company - "Hopefully, we'll get back to you in a few weeks."

He then looked at the CEO and the Chairman of the Board, and he said - "Sir, we have a problem!"




Its Over

The CEO asked the CIO - "What's wrong? What happened?"

The CIO replied - "Sir, about 30 minutes ago, an intruder compromised the credentials of each one of our 20,000 employees!"


The CEO was almost in shock, and just couldn't believe what he had just heard, so he asked - "Everyone's credentials?!"

The CIO replied - "I'm afraid yes Sir, yours, mine, literally everyone's, including that of all our privileged users!"

The CEO could sense that there was more bad news, so he asked - "Is there something else I should know?"

The CIO replied - "Sir, 15 minutes ago, the intruder logged on as an Enterprise Admin, disabled the accounts of each one of our privileged users, and used Group Policy to deploy malicious software to each one of our 30,000 domain-joined computers! By now, he could have stolen, exfiltrated and destroyed the entirety of our digital assets! We may have lost literally everything!"

The CEO was shocked! They'd just been breached, and what a massive breach it was - "How could this have happened?"




Mimikatz DCSync 

The CIO turned to the CISO, who stepped in, and answered the question - "Sir, an intruder used a tool called Mimikatz DCSync to basically request and instantly obtain the credentials of every single user from our foundational Active Directory deployment."


The CEO asked - "What is Active Directory?"

The CISO replied - "Sir, simply put, it is the very foundation of our cyber security"

The CEO then asked - "Wait. Can just anyone request and extract credentials from Active Directory?"

The CISO replied - "Sir, not everyone can. Only those individuals whose have sufficient access to do so, and by that I mean, specifically only those who have Get-Replication-Changes-All effective-permissions on the domain root object, can do so."

The CEO then said - "This does not sound right to me. I'm no technical genius, but shouldn't we have known exactly who all have this, whatever you just said, er yes that Get-Replication-Changes-All effective permissions in our Active Directory?!"

The CISO replied - "Sir, it turns out that accurate determination of effective permissions in Active Directory is actually very difficult, and as a result it is almost impossible to figure out exactly who has this effective permissions on our domain root!"

The CEO figured it out - "So you're saying that the intruder had compromised the account of someone who was not on your radar and not supposed to have this access, but actually did, and the intruder used that access to steal everyone's credentials?"

The CISO replied - "That's right. It appears we did not know that this someone had sufficient access (i.e. effective permissions) to be able to replicate secrets from Active Directory, because it is very difficult to accurately figure this out in Active Directory."



The CEO was furious! - "You're kidding right?! Microsoft's spent billions on this new fad called the "Cloud", yet it doesn't even have a solution to help figure out something as vital as this in Active Directory? How long has Active Directory been around ?!

The CISO replied - "Seventeen years."

The CEO then said in disbelief - "Did you just 17 years, as in S-E-V-E-N-T-E-E-N years?!  Get Satya Nadella on the line now! Perhaps I should #REFRESH his memory that we're a customer, and that we may have just lost a few B-I-L-L-I-O-N dollars!"




This is for Real

Make NO mistake about it. As amusing as it might sound, the scenario shared above is very REAL, and in fact today, most business and government organizations worldwide that operate on Active Directory have no idea as to exactly who has sufficient effective permissions to be able to replicate secrets out of their Active Directory. None whatsoever!


We can demonstrate the enactment of this exact scenario, and its underlying cause, to any organizations that wishes to see it.




This Could've Been (and Can Be) Easily Prevented 

This situation could easily have been prevented, if this organization's IT personnel had only possessed the ability to adequately and accurately determine effective permissions in their foundational Active Directory deployments.


Sadly, since Microsoft apparently never educated its customers about the importance of Active Directory effective permissions, most of them have no clue, and in fact have no idea as to exactly who can do what across their Active Directory deployments!

Unfortunately, Mimikatz DCSync is just the Tip of the Iceberg. Today most organizations are likely operating in the dark and have no idea about the actual attack surface, and thus about exactly who can create, delete and manage the entirety of their domain user accounts, domain computer accounts, domain security groups, GPOs, service connection points (SCPs), OUs etc. even though every insider and intruder could try and figure this out and misuse this insight to compromise their security.

Technically speaking, with even just minimal education and the right tooling, here is how easy it is for organizations to figure this out and lock this down today, i.e. to lock this down before an intruder can exploit it to inflict colossal damage - RIGHT HERE.


Oh, and you don't need to call Microsoft for this, although you certainly can and should. If you do, they'll likely have no answer, yet they might use even this to pitch you their latest toy, Microsoft ATA, and of course, their Cloud offering, Microsoft Azure.

Wait, weren't these C*O discussing the Cloud (and likely Microsoft Azure) just a few hours (and a few billion dollars) ago?!




Fast-Forward Six Months

Unfortunately, given the massive scale of this breach, the company did not survive the attack, and had to declare bankruptcy. The C*Os of this company are still looking for suitable employment, and its shareholders ended up losing billions of dollars.


All of this could've been prevented, if they only knew about something as elemental as this, and had the ability to determine this.





Summary

The moral of the story is that while its fine to fall for the latest fad, i.e. consider moving to the "Cloud" and all, but as AND while you consider and plan to do so, you just cannot let you on-prem cyber defenses down even for a moment, because if you do so, you may not have a company left to move to the Cloud. A single excessive effective permission in Active Directory is all it takes.


I'll say this one more time and one last time - what I've shared above could easily happen at almost any organization today.

Best wishes,

CEO, Paramount Defenses



PS: If this sounds too simple and high-level i.e. hardly technical, that is by intent, as it is written for a non-technical audience. This isn't to showcase our technical depth; examples of our technical depth can be found here, here, here, here, here  etc.  etc.



PS2: Note for Microsoft - This may be the simplest example of "Active Directory Access Control Lists - Attack and Defense."

Here's why - Mimikatz DCSync, which embodies the technical brilliance of a certain Mr. Benjamin Delpy, may be the simplest example of how someone could attack Active Directory ACLs to instantly and completely compromise Active Directory. On the other hand, Gold Finger, which embodies the technical expertise of a certain former Microsoft employee, may be the simplest example of how one could defend Active Directory ACLs by being able to instantly identify/audit effective permissions/access in/across Active Directory, and thus lockdown any and all unauthorized access in Active Directory ACLs, making it impossible for an(y) unauthorized user to use Mimikatz DCSync against Active Directory.



PS3: They say to the wise, a hint is enough. I just painted the whole picture out for you. (You may also want to read this & this.)

PS4: If you liked this, you may also like - How To Easily Identify & Thwart Sneaky Persistence in Active Directory

Some Help & Good News for Microsoft regarding Active Directory Security


Folks,

You'll want to read this short blog post very carefully because it not only impacts Microsoft, it likely impacts you, as well as the foundational security of 85% of all business and government organizations worldwide, and it does so in a positive way.



A Quick and Short Background

From the White House to the Fortune 1000, Microsoft Active Directory is the very foundation of cyber security at over 85% of organizations worldwide. In fact, it is also the foundation of cyber security of almost every cyber security company worldwide.


Active Directory is the Foundation of Cyber Security Worldwide

The entirety of an organization's building blocks of cyber security, including the user accounts used by the entirety its workforce, as well as the user accounts of all its privileged users, the computer accounts of the entirety of its computers, and the security groups used to provision access to the entirety of its IT resources, are stored, managed and protected in Active Directory.

During the past few years, credential-theft attacks aimed at the compromise of an organization's privileged users (e.g. Domain Admins) have resulted in a substantial number of reported and unreported breaches at numerous organizations worldwide. In response, to help organizations combat the menace of these credential-theft attacks, Microsoft has had to make substantial enhancements to its Windows Operating Systems as well as acquire and introduce a technology called Microsoft ATA.

These enhancements have made it harder for perpetrators to find success with traditional credential-theft attacks, so they've started focusing their efforts on trying to find ways to attack the Active Directory itself, as evidenced by the fact that in the last year alone, we've seen the introduction of Mimikatz DCSync, BloodHound and recently the advent of Active Directory Botnets.

Make no mistake about it. There's no dearth of opportunity to find ways to exploit weaknesses in Active Directory deployments because there exists an ocean of access within Active Directory, and sadly due to an almost total lack of awareness, education, understanding and tooling, organizations have no idea as to exactly what lies within their Active Directory, particularly in regards to privileged access entitlements, and thus today there likely are 1000s of privilege escalation paths in most Active Directory deployments, waiting to be identified and exploited. All that perpetrators seem to lack today is the know-how and the tooling.

Unfortunately, since the cat's out of the bag, perpetrators seem to be learning fast, and building rapidly, so unless organizations act swiftly and decisively to adequately lock-down vast amount of access that currently exists in their foundational Active Directory deployments, sadly the next big wave of cyber breaches could involve compromise of Active Directory deployments.





Clearly, Microsoft Has No Answers

It gives me absolutely no pleasure to share with you that unfortunately, and sadly as always, Microsoft yet again seems to be playing catch-up, and in fact, it has no clue or any real answers, ideas or solutions to help organizations in this vital regard.


Here's Proof - Last week, on September 18, 2017, Microsoft's Advanced Threat Analytics (ATA) Team posted this -



If and when you read it, it will likely be unequivocally clear to you as to just how little Microsoft understands about not just the sheer depth and breadth of this monumental challenge, but about the sheer impact it could have on organizations worldwide!

You see, if you understand the subject of Active Directory Security well enough, then you know that Active Directory access control lists (ACLs) today don't just impact organizational security worldwide, they likely impact national and global security!

That said, in that post, the best Microsoft could do is concede that this could be a problem, wonder why organizations might ever need to change AdminSDHolder, falsely assume that it may not impact privileged users, praise a massively inaccurate tool for shedding light on this attack vector, and end by saying - "if you find a path with no obstacles, it probably leads somewhere."

Oh, and the very last thing they tell you that is their nascent ATA technology can detect AD multiple recon methods.


In contrast, here's what they should have said - "We care deeply about cyber security and we understand that left unaddressed, this could pose a serious cyber security risk to our customers. Be rest assured that Microsoft Active Directory is a highly robust and securable technology, and here's exactly how organizations can adequately and reliably identify and lock-down privileged access in their Active Directory deployments, leaving no room for perpetrators to identify and exploit any weaknesses."

The reason I say that should've been the response is because if you know enough about this problem, then you also know that it can actually be completely and sufficiently addressed, and that you don't need to rely on detection as a security measure.

BTW, to appreciate how little Microsoft seems to understand about this huge cyber security challenge, you'll want a yardstick to compare Microsoft's response with, so here it is (; you'll want to read the posts) - Active Directory Security School for Microsoft.



Er, I'm really sorry but you are Microsoft, a US$ 550 Billion corporation, not a kid in college. If the best you can do concerning such a profoundly important cyber security challenge is show how little you seem to know about and understand this problem, and only have detection to offer as a solution, frankly, that's not just disappointing, that's deeply concerning, to say the least.

Further, if this is how little you seem to understand about such a profoundly important cyber security challenge concerning your own technology, I cannot help but wonder how well your customers might actually be protected in your recent Cloud offering.





Fortunately There's Help and Good News For Microsoft

I may appear to be critical of Microsoft, and I do still believe that they ought to at least have educated their customers about this and this huge cyber security challenge, but I also love Microsoft, because I've been (at) Microsoft, so I'm going to help them.


To my former colleagues at Microsoft I say - "Each one of us at Microsoft are passionate, care deeply and always strive to do and be the best we can, and even though I may no longer be at Microsoft, (and I still can't believe how you missed this one), luckily and fortunately for you, we've got this covered, and we're going to help you out."

So, over the next few days, not only am I going to help reduce the almost total lack of awareness, education and understanding that exists at organizations today concerning Active Directory Security, I am also going to help organizations worldwide learn just how they can adequately and swiftly address this massive cyber security challenge before it becomes a huge problem.

Specifically, in days to come, as a part of our 30-Day Active Directory Security School, you can expect the following posts -


  1. What Constitutes a Privileged User in Active Directory

  2. How to Correctly Audit Privileged Users/Access in Active Directory

  3. How to Render Mimikatz DCSync Useless in an Active Directory Environment

  4. How to Easily Identify and Thwart Sneaky Persistence in Active Directory

  5. How to Easily Solve The Difficult Problem of Active Directory Botnets

  6. The World's Top Active Directory Permissions Analysis Tools (and Why They're Mostly Useless)

  7. The Paramount Need to Lockdown Access Privileges in Active Directory

  8. How to Attain and Maintain Least Privileged Access (LPA) in Active Directory

  9. How to Securely Delegate and Correctly Audit Administrative Access in Active Directory

  10. How to Easily Secure Active Directory and Operate a Bulletproof Active Directory Deployment

You see, each one of these Active Directory security focused objectives can be easily accomplished, but and in order to do so, what is required is the capability to accurately audit effective access in Active Directory. Sadly, let alone possessing this paramount cyber security capability, Microsoft doesn't even seem to have a clue about it.

Each one of these posts is absolutely essential for organizational cyber security worldwide, and if you know of even one other entity (e.g. individual, company etc.) on the planet that can help the world address each one of these today, do let me know.

So, over the next few days, I'll pen the above, and you'll be able to access them at the Active Directory Security Blog.

Until then, you may want to go through each one of the 20 days of posts that I've already shared there, as well as review this.



In fact, this cannot wait, so let us begin with the "actual" insight on Active Directory ACLs that all organizations worldwide must have today -


Together, we can help adequately secure and defend organizations worldwide and deny perpetrators the opportunities and avenues they seek to compromise our foundational Active Directory deployments, because we must and because we can.


Best wishes,
Sanjay

CEO, Paramount Defenses

Formerly Program Manager,
Active Directory Security,
Microsoft Corporation


PS: Microsoft, you're welcome. Also, I don't need anything from you, except a Thank you note.

Teaching the $ 550 Billion Microsoft Corp about Active Directory Security

Folks,

As some of you may know, over the past few weeks, I have been publicly taking the $ 550 Billion Microsoft (Nasdaq: MSFT) to Active Directory Security School (see PS3 below) because today global security literally depends on Active Directory Security.


In case you're wondering why, here's why -



The Importance of Active Directory Security

From the White House to the British Houses of Parliament, and from Microsoft to the Fortune 1000, at the very foundation of IT, identity and access management, and cyber security at over 85% of all organizations worldwide today lies Active Directory.


In other words, the foundational security of thousands of government and business organizations depends on Active Directory.

To paint a picture - Governments, Militaries, Law Enforcement Agencies, Banks, Stock Exchanges, Energy Suppliers, Defense Contractors, Hospitals, Airlines, Airports, Hotels, Oil and Gas Companies, Internet, Tech and Cyber Security Companies, Manufacturing Companies, Pharmaceutical Companies, Retail Giants ... <the list is long> all run on Active Directory.




Operating in the Dark

Given my background, experience and whatever little I know about the subject, I have reason to believe that most organizations worldwide that operate on Active Directory are operating in the dark today, and have absolutely no idea as to exactly who has what level of privileged access in their foundational Active Directory!


Further, because over the last decade, almost 10,000 organizations from across 150+ countries worldwide have knocked at our doors unsolicited, we know exactly how much these organizations know about Active Directory Security, and we're shocked to know that 99% of them don't even know what "Active Directory Effective Permissions" are, and upon giving this due thought, we have arrived at the conclusion that the world's complete ignorance on this most paramount aspect of organizational cyber security can be attributed to the fact that Microsoft has likely not even once educated its customers about its importance!




Let There Be Light

So, I made an executive decision that we need to educate the $ 550 Billion Microsoft Corp about the paramount importance of "Active Directory Effective Permissions", so that they can in turn educate the thousands of vital business and government organizations at whose very foundation lies Active Directory about its sheer and cardinal importance.


Make no mistake about it - no organization that operates on Microsoft Active Directory today can be adequately secured without possessing the ability to determine effective permissions on the thousands of building blocks of cyber security (i.e. thousands of domain user accounts, computer accounts, security groups and policies) that reside in its Active Directory. Its really that simple.




A 1000 Cyber Security Companies!

Speaking of which, although there are supposedly over a 1000 cyber security companies in the world (, and incidentally at their very foundation too lies Microsoft Active Directory)  not a single one of them has the ability, the expertise or even a single solution to help the world accurately determine "effective permissions"  in Active Directory. Not a single one of them!


Well, except ONE.

Best wishes,
Sanjay


PS: If you can find even ONE cyber security company in the world that can help the world do this, you let me know.

PS2: Microsoft, before you respond, please know this - I've conquered mountains, and I'm likely your best friend.




PS3: To help the world easily follow Active Directory Security School for Microsoft, here are each day's lessons -





A Letter to President Donald Trump regarding Global and Cyber Security

Dear President Trump,

Hello. As President of Paramount Defenses, I pen this letter most respectfully to you, the President of our Great United States.

First off, I should mention that I write neither as a Republican, nor as a Democrat, but as a fellow patriotic American citizen and a cyber security specialist, because I care, and that my desire to do so publicly is inspired by how much you Sir share publicly, and that this most respectful letter is in light of your tweet about discussing the creation of a Cyber Security Unit with Russia.

I'll do my best to keep this VERY simple.



Top-5 Global Security Risks

As President of the United States, you're likely aware of the Top-5 risks to not just America, but to the entire world today -


1. The Risk of the Use of a WMD / Nuclear War
2. The Risk of Earth's Demise, posed by Climate Change
3. The Risk of Terrorism, posed by Terror Groups Worldwide
4. The Risk of the Decline of American Leadership in the World
5. The Risk of Swift and Colossal Damage, posed by Cyber Threats

I am by no means an expert on global security, but common sense suggest that risks 1 and 2 above would be catastrophic to all of mankind, risk 3 could pose a serious threat to life and property, and that risk 4 could increase the likelihood of risks 1, 2 & 3.

As for risk 5, I do happen to know one vital area of cyber security decently well, so I'll share just a few thoughts about it, but first, I did want to take a moment to talk about risk 4 because it potentially impacts the lives of 7,000,000,000+ people worldwide.




The Importance of American Leadership

Mr. Trump, as President of the United States, you are the most powerful and influential person in the world, and most people would take such GREAT responsibility VERY seriously, since their actions and decisions could save or destroy the world.


Sir, the elections are over. You won. You are the President of the United States, and it is time to let the talking be, and start working to make America great again. This isn't reality TV, this is real life, and its a billion times more significant and serious.

If I were the President of the United States, and I deeply cared about making America great again, I likely wouldn't have a moment to watch TV, Tweet or Golf. I'd be working harder than the hardest American to make America greater and safer.

(If I may momentarily digress. speaking of making America great again, while there likely may certainly be much to be done to restore its greatness, we owe it to our future generations to do so without polluting or endangering our precious environment.)

Today more than ever, we live in a precarious, highly-connected and inter-dependent world, and the world needs strong, mature and steady American leadership to amicably address so many important and complicated issues, such as those listed above.

Speaking of which, I'd like to share a few thoughts on risk 5, the risk of swift and colossal damage posed by Cyber Threats, but before I do so, again, I'd request you to please take a few moments to comprehend the profound importance, seriousness and significance of both, the position bestowed upon you by the American people, as well as (of) the challenges that you, Sir, today have the unique privilege and responsibility of addressing for both America and the world that America is inextricably a part of.

[ Hopefully you see that the reality is that since America is inextricably a part of the world, what happens out in the world could impact us substantially, so to make America great(er and safer) again, we must maintain American leadership in the world. ]





The Cyber Risk

Mr. President, to put it most simply, Cyber Security is the Achilles' Heel of developed nations today, because over the last few decades, our reliance on computer systems and networks has increased substantially (exponentially), and sadly within them exist many systemic and component specific deficiencies (vulnerabilities) which can be exploited to inflict colossal harm.


(This risk is actually addressable, and what the world needs is a White Knight so we have a trustworthy foundation to operate on, but and until we get there i.e. until the world has such a defensive shield in place to rely on, we all have reality to deal with.)

Consequently, today from our governments to our energy grids, from our defense systems to our transportation systems, and from our banks to our industries (i.e. a nation's business organizations), literally everything is exposed to varying levels of risk.

It is thus hardly surprising that today cyber security is one of the most important challenges the world faces, an assertion best evidenced by the fact that Russia's purported cyber interference in the 2016 American elections, remains a contentious issue.


Speaking of which, while the U.S and in fact all countries and, ideally all business organizations, should certainly bolster their cyber defenses, establishing a Cyber Security Unit with the Russians might NOT be such a good idea, as also voiced by 1, 23.

By the way, those who truly understand cyber security know that there is no such thing as an "impenetrable cyber security unit".

A quick digression. Yes, indeed the Russians are very good at cyber security and likely at hacking, and they're persistent, but they're not the only ones out there trying to hack our agencies and companies, and they don't always succeed. But, I digress.


Mr. President, you may likely already have some of the world's best inputs and advice when it comes to cyber security, so I'd just like to share paramount cyber security insight with you - Trillion-Dollar Cyber Security Insight for President Donald Trump.


Mr. President, as I put my pen down, I'll only add that of the risks listed above, in the near-term, the Cyber Risk may be 2nd only to the Nuclear Risk, because its realistic probability of occurrence is substantially higher, and its potential for damage, colossal.


Mr. Trump, you have a historic opportunity to SERVE the American People, and define your legacy - its yours to embrace or squander.

Respectfully,
Sanjay.

Trillion-Dollar Cyber Security Insight for President Donald Trump

Dear Mr. Trump,

Hello. I'm Sanjay, President of Paramount Defenses. I just wanted to congratulate you on your historic win, wish you success, as did President Obama, and share VALUABLE cyber security insight that could be VITAL to your administration's success.

Before I get to it, I should mention that I write neither as a Republican, nor as a Democrat, but as a fellow patriotic U.S. citizen and a cyber security professional, and that my desire to do so publicly has been inspired by how much you Sir share publicly. Given the sheer impact of our important work across America and the world today, we are a 100% non-partisan organization.

One quick vital point - regarding all the talk of Russian hacking to influence the U.S. election, while Russia and possibly others may certainly have tried to influence it, professionally speaking i.e. as a cyber security practioner, in the grand scheme of things, it matters not as to who is trying to hack us, as much as it does that we protect ourselves from being hacked, so from that angle you're likely right that the DNC should have adequately defended itself. You see, once an entity is hacked, at that very moment the damage is done, because their data is now in someone else's hands, and the entity no longer has any control over what the perpetrators do with it. In fairness, one should also add that if indeed Russia did hack the RNC as well, but chose not to divulge their data, then reasonably speaking, that would have amounted to what is being called "an attempt to influence an election."


That said, Mr. Trump, hopefully you'll agree that given our sheer reliance and dependence on computers and technology, the success of your Presidency and your administration will GREATLY depend on the cyber security of our government agencies.

Attribution: Mr.. Trump's photo: Michael Vadon >

In that regard, I thought you should know that at the very foundation of cyber security of our entire U.S. Government (i.e. 600+ federal agencies) lies a single technology, Microsoft Active Directory, the cyber defense of which is paramount to our security.

You may or may not know this yet, but the White House, the U.S. Capitol, all our intelligence agencies, and virtually all our departments (e.g. Defense, State, Justice, Energy, Labor, Interior, Veterans Affairs etc.) all operate on Active Directory.

By the way, I must mention that none of this is classified information. This is all public knowledge. I just happen to know it first hand because I'm former Microsoft Program Manager for Active Directory Security, i.e. a "deep in the trenches" technical guy who possibly knows more about Active Directory security than most people on the planet. (I also happen to be an innovative American entrepreneur who built possibly the world's most relevant and important cyber security company, from the ground up.)

In fact, Active Directory is at the very foundation of cyber security of 85+% of all government and business organizations world-wide (The Americas, Europe, Asia, etc.) including at the foundation of virtually all of the tech companies whose CEOs recently visited you i.e. Microsoft, Amazon, Alphabet, IBM, Intel, Facebook, Tesla etc., as well as a little cyber company called Palantir.

It is very likely that thousands of business and government organizations in Russia too might be operating on Active Directory.

Sir, in all likelihood, the Trump Organization may also be operating on Active Directory. (Your IT folks could verify that for you.)


Mr. Trump, our cyber intelligence indicates that the foundational Active Directory deployments of most organizations worldwide may currently be exposed to an alarmingly vast attack surface, and thus may possibly be rather easily compromisable today.

The specific cyber security risk that most of them are all likely exposed to today is succinctly described in The Paramount Brief -


Password (case-sensitive): AreWeReallySecure?


If you're short on time, here's a very brief summary -
In every network powered by Active Directory, all administrative accounts i.e. the accounts of the individuals that possess the "Keys to the Kingdom" lie within Active Directory. It is a well known fact that if a perpetrator can compromise ANY one of these accounts, he/she could easily access and control everything. Thus, in every organization, ideally the number of such powerful accounts must be at an absolute bare minimum.
Unfortunately, in most organizations today, not only are there a HUGE number of privileged user accounts in Active Directory, NO ONE really knows exactly who they are and what power they possess. In other words, most organizations seem to be operating in the proverbial dark, & if breached, could likely be compromised in minutes.
In essence, a huge, unknown number of highly prized privileged accounts in Active Directory constitute a vast attack surface, and the compromise of any one of them would be tantamount to a system-wide compromise. 

In our professional opinion, this poses a major cyber security risk globally, especially considering the statistics, i.e. 100% of all major recently cyber security breaches involved the compromise of a single (i.e. just 1) Active Directory privileged user account.

From our side, we can certainly (and uniquely) help organizations worldwide precisely identify and reduce their attack surface, as well as empower them to mitigate this serious risk, swiftly and cost-efficiently, but we do need them to understand it first.


I must also mention with due respect to the likes of Peter Thiel, Alex Karp, Ted Schlein & others, I doubt they're familiar with this specific risk or understand the depth of its magnitude, because this is one of those you have to be "deep in the trenches" to get.

Speaking of which, in 2016, we had directly informed the CEOs of most of the world's Top 200 companies (including most of the tech CEOs that came and met you at the Trump Tower), as well as all appropriate officials at most federal and state agencies about this risk to the foundational Active Directory deployments of their organizations; they all received The Paramount Brief.

Our intelligence further indicates that as a result, many of these organizations started to look at the security of their foundational Active Directory deployments for the first time ever. While some may have started bolstering their cyber defenses, sadly, many of these organizations likely continue to remain vulnerable, especially considering how easy it is to compromise them today.

For instance, if an intruder could breach their network (and Microsoft suggests that organizations assume breach ) in many cases, he/she could just deploy Mimikatz DCSync to instantly 0wn them. (Alex/Peter should be able to explain this to you.)

Fortunately the solutions required to swiftly, effectively and cost-effectively help all impacted organizations mitigate this critical risk exist today (e.g. 1,2). However, we're finding that many organizations do not even seem to know about this risk.

We worry that unless certain basic and fundamental cyber security measures are enacted quickly, many of our government and business organizations, as well as those of our allies worldwide, will likely remain vulnerable to cyber attacks in the near future.

From our side, we're doing what we can to educate and safeguard organizations worldwide, but much more needs to be done, and quickly so. Its in that regard that your intentions give many of us in cyber security, as well as the American people, hope...



Making America Great(er and Safer) Again

In addition to making America greater, we must also make (not only) America (but also our allies) safer, not only from physical threats but also from cyber threats. In fact, given our HUGE reliance on technology, and considering how easy it is to launch a cyber attack, the cyber threat may pose a far greater threat to our national security and prosperity than do physical threats.

I've read that it is your intention to appoint a team to combat cyber attacks within 90 days of taking office. That (in your parlance) sounds WONDERFUL. I commend you for this initiative. Indeed, it is imperative and in fact paramount that we do everything we can to safeguard and adequately defend our government and business organizations from being taken out by cyber attacks.


If I had to offer some unsolicited advice, I'd suggest that one of the most important measures one could enact is Attack Surface Reduction. Simply put, the smaller one's attack surface is, the better one's chances of being able to adequately defend it.

For instance, it is so much easier to protect a building that only has one entrance than it is to protect one that has 20 entrances, and where only a few security guards have the master keys to the building, than one wherein who knows how many have them.

That's why, considering the statistics i.e. the fact that 100% of all major recent cyber security breaches involved the compromise of a single (i.e. just 1) Active Directory privileged user account, reducing the number of users that have privileged access within Active Directory to a bare minimum, then adequately protecting them, must be one of the top priorities for all organizations.

Sir, in short, provably secure (least-privileged access adherent) foundational Active Directory deployments at all our federal government agencies and at all business organizations they rely on, are likely going to be vital to your administration's success.

(As you'll likely agree, this isn't rocket science; it's common sense. If a government agency is compromised (e.g. OPM Breach), assets or initiatives it might be working on could be in jeopardy. Similarly, if a business organization (e.g. a Defense Contractor, a Builder etc.) that the government relies on for its various initiatives is compromised, those initiatives could be in jeopardy.)


Thank you, and Best Wishes

In closing, thank you for your time, congrats on your bigly win and good luck as you get ready to serve the American people.

The American people have entrusted you with the great responsibility of leading our great nation, as well as the might of American power, and they're looking to you to make their lives better and to make America greater and safer again.

In God We Trust, so wish you God Speed in your efforts to fulfill your promises to make America great(er and safer) again.

Most Respectfully,
Sanjay


PS: At Paramount Defenses, because we understand the paramount importance of cyber security to the business and national security interests of the United States and those of our allies, we care deeply about cyber security and we take it very seriously.

Locky is Back Asking for Unpaid Debts

On June 21, 2016, FireEye’s Dynamic Threat Intelligence (DTI) identified an increase in JavaScript contained within spam emails. FireEye analysts determined the increase was the result of a new Locky ransomware spam campaign.

As shown in Figure 1, Locky spam activity was uninterrupted until June 1, 2016, when it stopped for nearly three weeks. During this period, Locky was the most dominant ransomware distributed in spam email. Now, Locky distribution has returned to the level seen during the first half of 2016.

Figure 1. Locky spam activity in 2016

Figure 2 shows that the majority of Locky spam email detections between June 21 and June 23 of this year were recorded in Japan, the United States and South Korea.

Figure 2. Locky spam by country from June 21 to June 23 of this year

The spam email – a sample shown is shown in Figure 3 – purports to contain an unpaid invoice in an attached ZIP archive. Instead of an invoice, the ZIP archive contains a Locky downloader written in JavaScript.

Figure 3. Locky spam email

JavaScript based Downloader Updates

In this campaign, few updates were seen in both the JavaScript based downloader and the Locky payload.

The JavaScript downloader does the following:

  1. Iterates over an array of URLs hosting the Locky payload.
  2. If a connection to one of the URLs fails, the JavaScript sleeps for 1,000 ms before continuing to iterate over the array of URLs.
  3. Uses a custom XOR-based decryption routine to decrypt the Locky payload.
  4. Ensures the decrypted binary is of a predefined size. In Figure 4 below, the size of the decrypted binary had to be greater than 143,360 bytes and smaller than 153,660 bytes to be executed.

Figure 4. Payload download function in JavaScript

5.     Checks (Figure 5) that the first two bytes of the binary contain the “MZ” header signature.

Figure 5: MZ header check

6.     Executes the decrypted payload by passing it the command line parameter, “123”.

Locky Payload Updates

The Locky ransomware downloaded in this campaign requires a command line argument to properly execute. This command line parameter, “123” in the analyzed sample, is passed to the binary by the first stage JavaScript-based downloader. This command line parameter value is used in the code unpacking stage of the ransomware. Legitimate binaries typically verify the number of arguments passed or compare the command line parameter with the expected value and gracefully exit if the check fails. However in the case of this Locky ransomware, the program does not exit (Figure 6) and the value received as a command line parameter is added to a constant value defined in the binary. The sum of the constant and the parameter value is used in the decryption routine (Figure 7). If no command line parameter is passed, it adds zero to the constant.

Figure 6. Command line parameter check

Figure 7. Decryption routine

If no command line parameter is passed, then the constant for the decryption routine is incorrect. This results in program crash as the decrypted code is invalid. In Figure 8 and Figure 9, we can see the decrypted code sections with and without the command line parameter, respectively.

Figure 8. Correct decrypted code

Figure 9. Incorrect decrypted code

By using this technique, Locky authors have created a dependency on the first stage downloader for the second stage to be executed properly. If a second stage payload such as this is directly analyzed, it will result in a crash.

Conclusion

As of today, the Locky spam campaign is still ongoing, with an added anti-analysis / sandbox evasion technique. We expect to see additional Locky spam campaigns and will remain vigilant in order to protect our customers.

Email Hashes

2cdf62f8aae20026418f143895c769a2009e6b9b3ac59bfa8fc79ca2f326b93a

1fd5c1f0ecc1d54324f3bdc327e7893032482a13c0914ef6f531bd93caef0a06

0ea7d59d7f1494fce8f45a1f35abb07a456de6d8d65327eca8ff84f307a49a06

22645be8553628574a7af3c32a45178e201e9af33b20b36d29b9c012b731da4c

198d8d1a89221c575d957c1f4342741f3675ebb10f95ffe3371150e124f4850e

 

CFR Watering Hole Attack Details

[Updated on December 30, 2012] On December 27, we received reports that the Council on Foreign Relations (CFR) website was compromised and hosting malicious content on or around 2:00 PM EST on Wednesday, December 26. Through our Malware Protection Cloud, we can confirm that the website was compromised

at that time, but we can also confirm that the CFR website was also hosting the malicious content as early as Friday, December 21—right before a major U.S. holiday.

We can also confirm that the malicious content hosted on the website does appear to use Adobe Flash to generate a heap spray attack against Internet Explorer version 8.0 (fully patched), which was the source of the zero-day vulnerability. We have chosen not to release the technical details of this exploit, as Microsoft is still investigating the vulnerability at this time.

In the meantime, the initial JavaScript hosting the exploit has some interesting features. To start, it appears the JavaScript only served the exploit to browsers whose operating system language was either English (U.S.), Chinese (China), Chinese (Taiwan), Japanese, Korean, or Russian:

var h=navigator.systemLanguage.toLowerCase();
if(h!="zh-cn" && h!="en-us" && h!="zh-tw" && h!="ja" && h!="ru" && h!="ko")
{
  location.href="about:blank";
}

Also, the exploit used browser cookies to ensure that the exploit is only delivered once for every user:

var num=DisplayInfo();
if(num >1)
{
  location.href="about:blank";
}

where DisplayInfo() essentially tracked when the page was last visited through browser cookies:

function DisplayInfo()
{
    var expdate = new Date();
    var visit;
    expdate.setTime(expdate.getTime() +  (24 * 60 * 60 * 1000*7 ));
    if(!(visit = GetCookie("visit")))
    visit = 0;
    visit++;
    SetCookie("visit", visit, expdate, "/", null, false);
    return visit;
}

Once those initial checks passed, the JavaScript proceeded to load a flash file "today.swf", which ultimately triggered a heap spray in Internet Explorer in order to complete the compromise of the endpoint.

Once the browser is exploited, Prior to downloading the exploit, the browser appears to download “xsainfo.jpginto the browser cache (aka "drive-by cache attack"), which is the dropper encoded using single-byte XOR (key: 0x83, ignoring 0x00 and 0x83 bytes). Once the exploit succeeds, the JPG file is decoded as a DLL, which is written to the %TEMP% folder as "flowertep.jpg", the sample (MD5: 1e90bd550fa8b288764dd3b9f90425f8) (MD5: 715e692ed2b48e455734f2d43b936ce1) appears to contain debugging information in the metadata of the file:

Cfr-figure1

The simplified Chinese <文件说明> translates to <File Description>. It looks like the malware author included additional metadata in the file, referencing "test_gaga.dll" as the internal name of this sample.

[Update: December 30, 2012]

Additionally, another binary "shiape.exe" (MD5: a2e119106c38e09d2202e2a33e64adc9) is initially dropped to the %TEMP% folder and executed, which appears to perform code injection activity against the standard IE "iexplore.exe" process and installs itself as "%PROGRAMFILES%\Common Files\DirectDB.exe", using the HKLM\SOFTWARE\STS\"nck" registry key to maintain state information. We can also confirm Jamie Blasco's (AlienVault) findings, where the malware registers "DirectDB.exe" through the active setup registry key HKLM\SOFTWARE\Microsoft\Active Setup\Installed

Components\, so that this executable starts once per user upon subsequent login. However, while AlienVault's IOC mentions a process handle name of "&!#@&", we have actually found the "shiape.exe" process generates a mutex of \BaseNamedObjects\&!#@& upon execution, as well.

As of December 29, Microsoft released a security advisory (2794220), which provides initial details of the zero-day vulnerability. Additionally, CVE-2012-4792 has been assigned to track this vulnerability over time.

Simultaneously, Metasploit developers have analyzed the vulnerability and Eric Romang released details of the CDwnBindInfo Proof of Concept Vulnerability demonstration for independent verification.

Lastly, Cristian Craioveanu and Jonathan Ness with MSRC Engineering posted further technical details on MS Technet about ways to mitigate CVE-2012-4792, in the meantime. 

One interesting side-note that MSRC mentioned is:

On systems where the vulnerability is not present, this Javascript snippet will have the side effect of initiating an HTTP GET request with the encoded heap spray address in it. A network log or proxy log would reveal the following HTTP requests:

GET /exploit.html HTTP/1.1

GET /%E0%B4%8C%E1%82%ABhttps://www.example.com HTTP/1.1

As you can see, the value 0x10AB0C0D is encoded in UTF8 and sent as part of the HTTP request. The real-world exploits do not use example.com and the heap spray address will vary depending on targeted OS platform and exploit mechanism but if you see encoded memory addresses in your proxy log, you should investigate to determine whether your organization has been targeted.

Yet, in the wild, we have seen cases where a successfully compromised endpoint generates an equivalent encoded pattern:

Cfr-figure2

... and still beacons (via HTTP POST) to the initial command and control infrastructure at [REDACTED].yourtrap.comTherefore, we encourage security operations analysts to fully investigate endpoints that generate the encoded heap spray network traffic, rather than simply assuming those systems are not compromised.

We will continue to update this blog with further details, as we discover new information about this attack.