Online retailers and other organisations using ecommerce functionality must prepare for the threat of formjacking, Symantec has warned, after detecting 3.7 million instances of the attack method in 2018.
It’s particularly dangerous because there’s almost no way to spot whether a page has been compromised. The payment proceeds as normal, and the only way a customer will know they’ve been attacked is when charges show up on their bank statement or the organisation discloses a breach.
Who is being targeted?
Any organisation that accepts online payments is vulnerable to formjacking, but crooks tend to target smaller organisations that have less sophisticated defence mechanisms. This makes it easier to plant malware and for it to remain undetected on the organisation’s systems for longer.
According to Symantec, organisations that work with large companies are particularly vulnerable, as crooks can use them to conduct supply chain attacks. This involves exploiting a vulnerability in a system that’s used to provide services to a third party.
Supply chain attacks were the cause of several high-profile formjacking attacks in 2018, including those against Ticketmaster, British Airways, Feedify and Newegg.
Why are organisations being attacked?
John Moss, CEO of English Blinds, says:
Formjacking has been on the rise in recent months for a combination of reasons. First of all, the well-publicised success of Magecart groups across several high-profile attacks have served as something of an endorsement to others, but the greater part of the problem is that most businesses are simply unprepared for attacks of this type, and have no protocols in place to identify and mitigate them.
To protect and mitigate against formjacking attacks, organisations first of all need to recognise the fact that they pose a real threat in the first place, and that no organisation is too small or low profile as to serve as a completely unappealing target.
Setting up protocols to execute regular penetration tests and vulnerability scans is vital for any organisation, and will ensure that potential threats are identified and eradicated before they can become a problem.
Shayne Sherman, CEO of TechLoris adds:
Hackers are looking for the quick, big win – and of course, a challenge. Identity theft is useful only if you can either a) use the identity stolen or b) sell that information. For those able to hack into larger databases of information, they can collect a larger amount of data that can then be sold. They run a smaller risk as they won’t be caught using a stolen identity. Someone else will then take that risk.
Who is behind the attacks?
The majority of formjacking attacks have been blamed on Magecart, which is believed to be a collection of cyber crime groups.
However, Magecart’s methods aren’t unique. Attacks don’t require any specialist knowledge or technology, meaning any crook could conduct one.
With a single piece of payment card information fetching about $45 (about £34) on the dark web, formjacking is an incredibly lucrative option. Its popularity may only grow further following the declining interest in cryptocurrency, which had previously sparked an increase in cryptojacking attacks.
Protect your business by paying attention
Hackers are successful because they are subtle. Making big changes sends up red flags, but by making small changes to source code, a hacker can infiltrate your system. If you’re checking these codes regularly, you’re more likely to catch these hackers before the damage is done.
You can detect malicious code and vulnerabilities that would allow crooks to plant that code by conducting regular vulnerability scans and penetration tests.
Vulnerability scans are automated tests that look for weaknesses in organisations’ systems and applications.
Organisations can use a variety of off-the-shelf tools to conduct vulnerability scans, each of which runs a series of ‘if–then’ scenarios that identify system settings or features that may contain known vulnerabilities.
Meanwhile, penetration testing is essentially a controlled form of hacking in which an ethical hacker, working on behalf of an organisation, looks for vulnerabilities in the same way that a criminal hacker would.
The objective of penetration testing is similar to vulnerability scanning, but it is more thorough and requires expertise and human interaction.
A version of this blog was originally published on 5 March 2019.
The post Protect yourself and your customers from formjacking appeared first on IT Governance Blog.
So, your computer screen has been hijacked by ransomware and the criminals behind the attack are demanding money to return your systems. Now what?
That’s a question countless organisations are asking themselves nowadays, with more than 100 ransomware attacks reported so far in 2019.
If you think that doesn’t sound so bad, the true scale of the issue is much bigger than this. The majority of organisations that are struck by ransomware don’t report the issue.
This might be because they think it will make them look as if they weren’t adequately prepared to protect themselves from ransomware.
Alternatively, they might fear that announcing an attack will lead to other criminals launching similar attacks against them.
What is ransomware?
Ransomware is a specific type of malware that encrypts the files on a computer, essentially locking the owner out of their systems.
Once this has happened, the ransomware will display a message demanding that the victim make a ransom payment to regain access to their files.
Criminals generally plant the malware on victim’s computers by hiding it in an attachment contained within a phishing email.
Many ransomware victims feel obliged to pay up, because it’s the quickest and least expensive way to get back to business as usual.
However, experts generally urge organisations not to negotiate, because ransom payments help fuel the cyber crime industry.
But what’s the alternative? Take a look at our seven-step guide to find out.
1. Prepare for an attack by backing up your data
The only way to avoid paying ransoms and avoid catastrophic delays is to make sure you have a second, uninfected copy of your sensitive information. That way, when crooks encrypt your systems, there’s no need to worry. Let them keep the decryptor. You can just wipe those files and upload clean duplicates.
Because you are continuously creating new files and amending old ones, backups should be performed regularly.
You don’t need to do everything in one go; instead, look at each folder and determine how often substantial changes are made. The more frequently things are added or amended, the more often you should back them up.
Once you’ve determined that, you should set up a backup schedule, saving your work on an isolated local device or in the Cloud.
2. Identify that the attack is ransomware
Don’t assume that the person who has spotted the attack knows that it’s ransomware.
The attack method is more well-known than ever – thanks in part to WannaCry – but many people wouldn’t be able to identify the attack.. This means you could be wasting valuable time identifying the problem.
You can avoid this by teaching staff about ransomware and establishing a line of communication in the event of security incidents. That way, the employee who first discovered the malware can immediately contact someone who can identify what the threat is and initiate response measures.
3. Disconnect infected devices from the network
Now that you’re sure that you’ve been hit by ransomware, you should isolate the infection by taking affected devices offline.
This will stop the ransomware spreading, giving you partial functionality and time to implement the next steps.
4. Notify your employees
Employees will quickly notice that something is amiss. Even if their computers haven’t been infected, they’ll see that others have and that certain systems are unavailable.
Whether or not they are aware that the disruption has been caused by ransomware, staff are liable to worry. Is it just their team that’s affected? How are they supposed to do work? Are their bosses aware of the problem?
That’s why you should explain the situation to your employees as soon as possible. Let them know which areas of the organisation have been infected and how you are going to manage in the meantime.
Many ransomware victims use pen and paper instead of computers where possible. If that’s possible in this situation, you should help out as much as you can. For example, you should provide them with said pens and paper, direct them to hard copies of information they might need and bring in colleagues who can’t work to help out.
5. Photograph the ransom note
You can use this as evidence of the attack when submitting a police report.
This might seem futile – the police will almost certainly be unable to recover your data, let alone catch the crooks – but evidence of the attack is necessary for filing a cyber insurance claim.
If you don’t already have cyber insurance, it’s worth considering. Damages associated with information security incidents generally aren’t mentioned in commercial insurance policies, meaning most providers won’t pay out if you make a claim based on, say, a business interruption.
You must therefore take out a specific cyber insurance policy if you want to protect yourself from the costs associated with cyber attacks and data breaches.
- How does ransomware infect your systems?
- Organisations are getting better at preventing ransomware
- Moral victory for Norsk Hydro following £60 million ransomware attack
6. Find out what kind of ransomware it is
Identifying the ransomware strain used in the attack might save you a lot of time and effort. Some strains have been cracked with decryption tools available online, and others are fakes that don’t actually encrypt data.
The ransom note might explicitly state what strain it is, but if it doesn’t, there are other clues that can help you identify it. Try uploading the encryption file type, the way the ransom demand is phrased and the URLs within it to a website such as ID Ransomware, which can help you determine the strain you’ve been attacked with.
7. Remove the ransomware from your device
If the ransomware behind your attack has been cracked, you can use an online decryptor to remove the infection. Similarly, if you’ve been attacked with a fake, you can simply delete the malicious file.
But what if it’s the real thing?
Fortunately, that’s not much more complicated. The safest way to remove ransomware is to restore your infected devices to factory settings. You can do this on Windows devices by going to the update and security menu within your settings, or by holding F8 as your computer turns on until the recovery screen appears.
If the ransomware stops you from reaching recovery screens, you can use the installation disk or USB sticks on which your operating system is stored.
Be warned that this process will remove all data stored on the device, which is why it’s important to have backups.
Once your computer has been restored, you can transfer the duplicate files back onto your device. Depending on how much data you have, this could take anywhere from a few hours to a few days – so you’re not completely out of the woods.
However, this process won’t take much longer than getting the decryptor from the fraudster and regaining access to your files.
What should you do when you’re under attack?
When your defences fail and your organisation is compromised, every second counts. You must respond quickly and follow a systematic, structured approach to the recovery process.
That is, of course, easier said than done, particularly if you don’t have a cyber security expert onboard. Fortunately, IT Governance is here to help.
With our cyber security incident response service, expert consultants will guide you through the recovery process, from identifying the source of the breach and how to stem the damage to notifying the appropriate people and returning to business as usual.
A version of this blog was originally published on 11 June 2019.
The post How to protect your organisation after a ransomware attack appeared first on IT Governance Blog.
Everything we do on a daily basis has some form of “trust” baked into it. Where you live, what kind of car you drive, where you send your children to school, who you consider good friends, what businesses you purchase from, etc. Trust instills a level of confidence that your risk is minimized and acceptable to you. Why should this philosophy be any different when the entity you need to trust is on the other end of an Internet address? In fact, because you are connecting to an entity that you cannot see or validate, a higher level of scrutiny is required before they earn your trust. What Universal Resource Locator (URL) are you really connecting to? Is it really your banking website or new online shopping website that you are trying for the first time? How can you tell?
It’s a jungle out there. So we’ve put together five ways you can stay safe while you shop online:
Shop at sites you trust. Are you looking at a nationally or globally recognized brand? Do you have detailed insight into what the site looks like? Have you established an account on this site, and is there a history that you can track for when you visit and what you buy? Have you linked the valid URL for the site in your browser? Mistyping a URL in your browser for any site you routinely visit can lead you to a rogue website.
Use secure networks to connect. Just as important as paying attention to what you connect to is to be wary of where you connect from. Your home Wi-Fi network that you trust—okay. An open Wi-Fi at an airport, cyber café, or public kiosk—not okay. If you can’t trust the network, do not enter identifying information or your payment card information. Just ask our cybersecurity services experts to demonstrate how easy it is to compromise an open Wi-Fi network, and you’ll see why we recommend against public Wi-Fi for sensitive transactions.
Perform basic checks in your browser. Today’s modern browsers are much better at encrypted and secure connections than they were a few years ago. They use encrypted communication by leveraging a specific Internet protocol, hypertext transfer protocol secure (HTTPS). This means that there is a certificate associated with this site in your browser that is verified before you are allowed to connect and establish the encrypted channel. (Just so you know, yes, these certificates can be spoofed, but that is a problem for another day). How do you check for this certificate?
Look up in your browser title bar.
Create strong password for your shopping sites. This issue is covered in another blog post, but use longer passwords, 10–12 characters, and keep them in a safe place that cannot be compromised by an unauthorized person. If a second factor is offered, use it. Many sites will send you a code to your smartphone to type into a login screen to verify you are who you say you are.
Don’t give out information about yourself that seems unreasonable. If you are being asked for your social security number, think long and hard, and then longer and harder, about why that information should be required. And then don’t do it until you ask a trusted source about why that would be necessary. Be wary of anything you see when you are on a website that does not look familiar or normal.
It will display the URL you are connecting to.
Hover over and click on the lock icon
Note that the information says the certificate is valid. But let’s verify that. Hover over and click on the certificate icon.
Certificate is issued to Amazon from a valid Certificate Authority and is valid until 12/15/2019. Excellent.
We all use the Internet to shop. It is super convenient, and the return on investment is awesome. Having that new cool thing purchased in 10 minutes and delivered directly to your door—wow! Can you ever really be 100% sure that the Internet site you are visiting is legitimate, and that you are not going to inadvertently give away sensitive and/or financial information that is actually going directly into a hacker’s data collection file? Unfortunately, no. A lot of today’s scammers are very sophisticated. But as we discussed up front, this is a trust- and risk-based decision, and if you are aware that you could be compromised at any time on the Internet and are keeping your eyes open for things that just don’t look right or familiar, you have a higher probability of a safe online shopping experience.
- Visit and use sites you know and trust
- Keep the correct URLs in your bookmarks (don’t risk mistyping a URL).
- Check the certificate to ensure your connection to the site is secured by a legitimate and active certificate.
- Look for anything that is not familiar to your known experience with the site.
- If you can, do not save credit card or payment card information on the site. (If you do, you need to be aware that if that site is breached, your payment data is compromised.)
- Use strong passwords for your shopping site accounts. And use a different password for every site. (No one ring to rule them all!)
- If a site offers a second factor to authenticate you, use it.
- Check all your payment card statements regularly to look for rogue purchases.
- Subscribe to an identity theft protection service if you can. These services will alert you if your identity has been compromised.
Risk assessments are at the core of any organisation’s ISO 27001 compliance project.
They are essential for ensuring that your ISMS (information security management system) – which is the end-result of implementing the Standard – is relevant to your organisation’s needs.
What is an information security risk assessment?
An information security risk assessment is the process of identifying, resolving and preventing security problems.
Your organisation’s risk assessor will identify the risks that your organisation faces and conduct a risk assessment.
The risk assessment will often be asset based, whereby risks are assessed relative to your information assets. It will be conducted across the whole organisation.
ISO 27001 is explicit in requiring that a risk management process be used to review and confirm security controls in light of regulatory, legal and contractual obligations.
So, how should you get started?
How to conduct an ISO 27001 risk assessment
Conducting a risk assessment can be daunting, but we have simplified the process into seven steps:
1. Define your risk assessment methodology
ISO 27001 does not prescribe a specific risk assessment methodology. Choosing the correct methodology for your organisation is essential in order to define the rules by which you will perform the risk assessment. The methodology needs to address four issues: baseline security criteria, risk scale, risk appetite, and a scenario-based or asset-based risk assessment.
2. Compile a list of your information assets
If opting for an asset-based risk assessment, you should work from an existing list of information assets, which includes hard copies of information, electronic files, removable media, mobile devices and intangibles, such as intellectual property.
3. Identify threats and vulnerabilities
Identify threats and vulnerabilities that apply to each asset. For example, the threat could be ‘theft of mobile device’.
4. Qualify the extent of the risk
Assign impact and likelihood values of the risk occurring.
5. Mitigate the risks to reduce them to an agreed and acceptable level
ISO 27001 suggest four ways to treat risks: ‘Terminate’ the risk by eliminating it entirely, ‘treat’ the risk by applying security controls, ‘transfer’ the risk to a third party, or ‘tolerate’ the risk.
6. Compile risk reports
ISO 27001 requires your organisation to produce a set of reports for audit and certification purposes, the most important being the SoA (Statement of Applicability) and the RTP (risk treatment plan).
7. Review, monitor and audit
ISO 27001 requires your organisation to continually review, update and improve the ISMS to make sure it is working optimally and adjusts to the constantly changing threat environment.
Learn more about risk assessments
We provide a more detailed breakdown of these steps in our free green paper: Risk Assessment and ISO 27001. It also explains:
- The relationship between ISO 27001 and ISO 31000, the international standard that describes best practices for risk management;
- Things to avoid when performing a risk assessment;
- The importance of risk assessments to the ISO 27001 Statement of Applicability; and
- How to make your risk assessments as cost-effective as possible.
Those looking for hands-on help conducting a risk assessment should take a look at our risk assessment software, vsRisk. It provides a simple and fast way to identify relevant threats, and delivers repeatable, consistent assessments year after year.
Its integrated risk, vulnerability and threat database eliminates the need to compile a list of potential risks, and the built-in control helps you comply with multiple frameworks.
A version of this blog was originally published on 19 September 2017.
Organisations are always looking for ways to improve their cyber security defences, but they often overlook the value of enrolling their employees on cyber security training courses.
According to a study by Centify, 77% of UK workers say they have never received any form of cyber skills training Given that, it’s no surprise that so many people exercise such poor security practices.
For example, the survey also revealed that 27% of employees use the same passwords for multiple accounts and 14% leave their credentials written down in a notebook or on their desk.
It’s easy to scoff at people for making basic mistakes, but if employers don’t teach them otherwise, they’re inviting trouble.
With October being European Cyber Security Awareness Month, what better time is there to boost your organisation’s knowledge of effective information security practices?
Here are three reasons to consider it:
1. You’ll reduce the risk of data breaches
If you want to keep your organisation secure, you need your employees to know what they’re doing. Almost all data breaches are caused by a mistake somewhere in the organisation.
That doesn’t only mean negligence – it could also be mistakes that you don’t even know are mistakes, such as gaps in your policies, ineffective processes or a lack of proper technological defences.
Placing staff on information security training courses will help them understand the mistakes they’re making and teach them to work more effectively.
This is especially useful if you intend to commit to a framework such as ISO 27001, the international standard for information security, as there are specific courses that teach you how to follow the Standard’s requirements.
2. You’ll meet compliance requirements
Cyber security laws and regulations inevitably contain complex requirements, so organisations need employees with specialist knowledge to achieve compliance.
For example, organisations that are required to appoint a DPO (data protection officer) under the EU GDPR (General Data Protection Regulation) must find someone with an in-depth understanding of data protection law.
The stakes associated with the position are huge; if the DPO doesn’t perform their tasks in accordance with the GDPR’s requirements, the organisation is liable to face regulatory action.
It’s therefore paramount that the DPO is given every resource available to do their job properly, and training courses should always be sought where possible.
They are not only the quickest way of studying but also usually include exams, which reassures employers that the individual is qualified.
The same advice applies for individuals in roles that involve compliance with the NIS Regulations (Network and Information Systems Regulations 2018), the PCI DSS (Payment Card Industry Data Security Standard), ISO 27001 or any other law or framework.
3. You’ll foster career growth
Training courses enable employees to pick up new skills and gain more advanced qualifications, which will help them move into more senior roles. This isn’t only beneficial for them but also their employers. It’s getting increasingly hard to find qualified information security professionals, with one report estimating that there will be 3.5 million unfilled jobs in the industry by 2021.
Finding qualified personnel isn’t the only problem. A small pool of skilled workers also means job candidates can command a higher salary and more benefits. As such, organisations might not be able to afford qualified professionals even if they can find them.
They should therefore do whatever they can to support employees who want to go on training courses. Organisations will almost certainly benefit from the extra knowledge, and it eases the pressure of finding skilled personnel in the job market.
Which course is right for you?
Cyber security is a broad industry, so you need to decide which area suits you best. To help you make that choice, here are some of our most popular training courses:
Knowledge of ISO 27001, the international standard for information security, is an absolute must for anyone who handles sensitive data. We offer several ISO 27001 courses, including an introduction to the Standard and guidance on specific roles, such as internal auditor and lead implementer.
ISO 22301 is the international standard for business continuity. Organisations that follow its framework can be sure that they’ll continue operating when disaster strikes.
Any organisation that transmits, processes or stores payment card data must comply with the PCI DSS. Our training courses help you understand the basics of the Standard, implement its requirements and complete the SAQ (self-assessment questionnaire).
The GDPR is the most significant update to information security law in more than twenty years. Anyone who handles personal data or is responsible for data protection needs to comply with its requirements.
Regular staff should familiarise themselves with the Regulation via our Foundation-level course, senior staff would benefit from our Practitioner course and those looking to fulfil the DPO role should enrol on our Certified DPO training course.
A version of this blog was originally published on 31 October 2018.
Do you want to know why behavioral analytics is vital to your enterprise? Are you even aware of what behavioral analytics is? What are the threats that it can detect quickly? Is your business in danger because of these threats?
As your company grows, you also need to add more assets and users to your enterprise network. Your business workflows undergo permanent changes as you add applications and databases. These upgrades mean more efficiency and collaboration that will result in more profitability. However, they also translate to more liabilities in terms of cybersecurity.
Each user, digital asset, or application can be an accessible doorway for hackers to invade your network. Also, faulty programming or malice perpetrated by any user can be a threat inside your business. In both cases, they can damage not only your network but your business processes as well.
What can you do? Monitoring every user can be frustrating and overwhelming. Even if you have the workforce, your IT security team can’t sustain the demand. Maintaining visibility on applications and users is close to impossible as your enterprise grows. Is there hope? Yes, there is!
Behavioral analytics can help solve your dilemma efficiently and magnificently. Let us take you to a thorough discussion about the topic.
The Basics of Behavioral Analytics
Behavioral Analytics analyzes patterns, activities, and trends of applications and users. It searches for any quirk or habit in your workflows. Moreover, each user has its profile in the system. For instance, your employee, Arthur, uses “Database A” four times a day. Because of next-generation technology, behavioral analytics can also notice the endpoint he uses when he requests for access. It can record and store them in a behavioral baseline.
This behavioral baseline can establish if Arthur, for example, requests for access to Database B for ten times on a specific workday. Moreover, it can determine if he makes the request thousands of miles from his usual location. Your cybersecurity perceives both behaviors that are outside of Arthur’s baseline.
Moreover, the cybersecurity can prohibit the requests for access and alert your IT security team so it can perform the necessary investigation. Arthur may be on a business trip on that day and need to access some information not relevant to his position. Your team can inform your cybersecurity about any unusual circumstances to allow Arthur to access the files.
This scenario can also demonstrate a possible hacking using Arthur’s credentials and accessing sensitive enterprise data. If this is the case, your IT security team can trigger incident response and terminate the hacking procedure to return the account to Arthur’s control. Moreover, it can fix any vulnerability that it may discover. It will also follow the same process for data traffic, movements, and requests for applications.
Behavioral analytics leverages statistical analysis and machine learning to monitor the behaviors of your users and search for anomalies.
Why Is Behavioral Analytics Critical to Cybersecurity?
Jack Vance wrote The Moon Moth. It is a famous short story in the science-fiction genre. The plot revolves around an imposter who can alter his appearance but can’t conceal his habits and tastes.
This observation is also valid for actual hackers. In a report by Centrify, a privileged access management supplier, 74% of business transgressions start with a weakened privileged account. Moreover, some studies show that at least 80% of breaches start with jeopardized accounts. It means that hackers prefer to disguise themselves using one of your users.
The damage caused by hackers can be overwhelming. In theory, these hackers can cause reputational loss and downtime, especially when they destroy your network. They can tamper your users’ baseline behaviors. They can try to cause damage, but whenever they do so, behavioral analytics can sanction the attempts and stop them. It can trigger a response from your IT team to intervene.
Moreover, this cybersecurity must-have relieve your IT security of too much burden. The group may feel overworked with threat hunting and user requests. A cybersecurity staffing crisis may occur if things get out of control. Fortunately, behavioral analytics operates automatically and helps your IT staff streamline its investigations to save time.
Deploying Business Analytics
For your organization, you must first consider your size, user base, IT infrastructure, industry, and applications. Furthermore, you must think of your future growth and scaling plans for the next five years. It must be your initial step in any selection of cybersecurity solutions. Unfortunately, many companies neglect it.
A majority of the enterprises don’t select optimal performance over speed. They choose the solution that can solve their immediate problems adequately. Because of this way of thinking, you’ll realize that your IT infrastructure has many solutions with serious integration issues.
If you want long-term solutions to your cybersecurity issues, you must consider behavioral analytics. If you’ve decided to incorporate it in your enterprise, your next step is choosing a robust Security Information and Event Management (SIEM) solution.
Why Do You Need a SIEM solution?
A SIEM solution is the next-generation version of our topic. It includes user and entity behavioral analytics (UEBA). Furthermore, you can avail of threat intelligence feeds to help you detect any modern or expanded threats quickly.
You may think that a SIEM solution is complicated. You’re right! Moreover, the system works as a tool for log management and analysis that adds a behavioral analysis layer. Cybersecurity recognizes that it can’t deflect 100% of threats because the digital perimeters can’t do it. However, with a SIEM system, you’re able to detect threats that can wreak havoc to your enterprise.
Hackers are everywhere and waiting for an opportunity to strike. If you want to monitor and stop them, you can do so with the next-generation analytics and cybersecurity capabilities. A SIEM solution with UEBA and other significant capabilities is an excellent strategy to catch these hackers. It prevents them from intruding and cause severe downtime, which can compromise your reputation to the business world.
The post Behavioral Analytics: What It Is Significant to Enterprise CyberSecurity appeared first on .
In a month where many people’s biggest concerns are pumpkin-related, you might consider putting equal effort into something more substantial. October is National Cyber Security Awareness Month, where people are encouraged to brush up on their everyday information security practices.
With an estimated 2 million cyber attacks last year costing victims £36 billion, there is a lot to be gained from tightening up the way you handle sensitive information.
What is European Cyber Security Month?
Cyber Security Month is an EU awareness campaign that promotes cyber security in the workplace and at home.
It aims to make people understand the threat of cyber crime and the way our actions help or hinder attacks.
Our shared responsibility
The theme of this year’s campaign is “cyber security is a shared responsibility”, which can be interpreted in a couple of ways.
First, it refers to the three aspects of cyber security: people, processes and technology. IT departments must implement software and other security controls to remove vulnerabilities, organisations must create processes that explain to employees how to keep information secure, and people must follow those instructions.
If anyone fails to perform their role, the chance of a data breach increases dramatically.
Cyber security is equally everybody’s responsibility in that no one is exempt from best practices. Senior employees might delegate responsibility or complain that they are too busy to follow certain processes. Similarly, some employees might assume that one person won’t make a difference and so they can cut corners when it comes to things like password management or doing work on a public Wi-Fi.
But if everyone obeys that logic, no one will be following the organisation’s processes. Cyber security best practices can certainly be inconvenient at times, but it only takes one mistake to jeopardise the entire organisation.
What else does Cyber Security Month cover?
The first two weeks cover cyber hygiene, which involves your daily routines and general behaviour when handling sensitive information.
The second half of the month is dedicated to emerging technologies and the way they protect or threaten our security.
This is one of the biggest talking points in the cyber security industry, thanks to the controversial use of biometric data.
Although fingerprints and retinal scans provide a much more secure authentication system than passwords, they also threaten people’s privacy, and breaches of such information have major repercussions.
After all, you can change a password if it’s disclosed but you can’t change your fingerprints.
How you can get involved
There are four events in the UK over the next few weeks that are aligned with European Cyber Security Month:
- Security of Data: 1 October 2019
Technology experts will gather at this event, hosted in Newport, to highlight the threats that organisations face and how they should address their vulnerabilities.
- Dorset Cyber Security Awareness Event: 16 October 2019
A series of short presentations explaining the threat of cyber crime, the role of law enforcement and what we can do to protect ourselves.
- CYBERISLE 2019: 23 October 2019
The Isle of Man government’s inaugural cyber security conference features keynote speakers and networking opportunities between the public and private sectors.
- Security Summit North: 21 November 2019
This one-day event takes place in Manchester, featuring speeches on how to implement strong security measures and how technological advancements create opportunities and challenges for staying secure.
What are we doing for Cyber Security Month?
At the risk of sounding trite, every month is cyber security awareness month at IT Governance. We are committed to helping people improve their cyber security practices, through our blog, webinars, green papers, tools and services.
October is no exception. We’ll be linking to resources that can help keep you and your organisation secure, and sharing cyber security tips and stats to remind you of what you’re up against.
You wouldn’t ignore a medical expert’s advice. Why risk your cyber health?
Don’t risk it, cyber secure it this Cyber Security Month. Find out how to keep your organisation healthy with our dedicated tips.
The post What are you doing for European Cyber Security Month? appeared first on IT Governance Blog.
Cybersecurity is becoming more of a common tongue term in today’s industry. It is being passed around the executive meetings along with financial information and projected marketing strategies. Here are some common attack vectors plaguing the industry when it comes to network infrastructure. It does not really matter the infrastructure type you have. If there […]… Read More
At this year’s ASCL (Association of School and College Leaders) conference, a guest said to us: “The GDPR? Wasn’t that last year?”
Our heads fell into our hands. How was it possible for someone to be so misguided about such a well-publicised regulation? Granted, 2018 was very much ‘the year of the GDPR’ in some circles. It came into effect in May 2018, following much discussion and a last-minute surge from organisations that left compliance until the last minute.
But compliance isn’t a one-time thing. It continues to be effective for any organisation that processes the personal data of, or monitors the behaviour of, EU residents.
A brief summary of the GDPR
The GDPR works like this: there are data subjects (that’s individuals like you and me), and we own our own personal data. The GDPR considers personal data to be anything that identifies, or can be used to identify, a living person, such as your name, National Insurance number or email address, whether it’s a personal or work account.
To GDPR outlines a list of steps organisations must take to protect that information. It also contains eight data subject rights that give individuals more control over the way organisations use their personal data.
- The right to access the personal information organisations store on them;
- The right to request that organisations rectify any information that’s inaccurate or incomplete;
- The right to erase personal data when it’s no longer necessary or the data was unlawfully processed; and
- The right to object to processing if the individual believes the organisation doesn’t have a legitimate reason to process information.
Organisations that fail to meet these requirements face fines of up to €20 million (about £18 million) or 4% of their annual global turnover, whichever is greater.
GDPR compliance in schools
Schools have a particularly hard time of it when it comes to the GDPR. They often work with tight budgets and lack the resources to retain a dedicated information security team.
Additionally, schools process large amounts of children’s data, which merits extra protection. In some cases, there are specific rules that apply to children, which means data processors must work out whether the data subject qualifies as a child (defined as under 13 in the UK) before proceeding.
If that’s the case, the data processor must account for requirements concerning:
Can you use consent?
Organisations cannot legally obtain consent from children. Instead, they must seek the approval of a person holding “parental responsibility”, and make “reasonable efforts” to verify that the person providing the consent is indeed a parental figure.
This requirement doesn’t apply in the context of preventive or counselling services offered directly to a child.
Organisations must ensure that privacy notices targeted at children are written in plain language that could reasonably be understood by data subjects.
This is similar to general rules about privacy notices, but it’s important to remember that the language you use must be appropriate to the intended audience. What’s considered plain language to a 12-year-old will probably be a lot different than, say, a 5-year-old.
Online services offered to children
In most cases, consent requests for children will relate to online services, or what the GDPR refers to more generally as information society services. These include things such as online shopping, live or on-demand streaming and social networks.
The GDPR states that consent must be closely regulated in these services because children “may be less aware of the risks, consequences and safeguards” of handing over their personal details.
Schools aren’t GDPR-compliant
These are reasonable requirements, but many schools still fail to understand the importance of compliance or make the necessary changes. The ICO (Information Commissioner’s Office) reported that breaches in the education sector increased by 43% in the first three months that the GDPR was effective.
The number of security incidents increased from 355 in the second quarter of 2017–18 to 511 in the same period last year. Meanwhile, the number of incidents involving data breaches increased from 239 to 353.
The ICO found that common disclosure issues included:
- The loss or theft of paper or digital files;
- Emailing information to the wrong recipient; and
- Accidental verbal disclosure.
There has also been a sharp increase in the number of cyber attacks targeting schools, with a 69% rise in malware, ransomware and phishing scams between 2017 and 2018.
Mark Orchison, managing director of cyber security firm 9ine, warned that “schools don’t have the internal expertise” to deal with cyber attacks, and they lack “the skills to understand the risks or what to do when [an attack] happens”.
“Schools are seen as an easy target,” he added. “Sending false invoices, for example, is easy money.”
The figures aren’t all bad news, though. Orchison suggested that the rise in data breach reports may well be a case of schools becoming more aware of what breaches are and when they need to be reported.
GDPR checklist for schools
Staying on top of your GDPR compliance requirements can seem daunting, which is why we encourage all organisations to create a plan of action.
Anyone looking for help on what that should include should take a look at our GDPR checklist for schools. It will help you record your school’s progress towards GDPR compliance and identify any areas where development may be required.
A version of this blog was originally published on 28 March 2019.
The post Is your school GDPR compliant? Use our checklist to find out appeared first on IT Governance Blog.
The threat of cyber attacks and other security incidents looms over all organisations. There are simply too many things that can go wrong – whether it’s a cyber attack, a technical malfunction or another delay – to assume that operations will always be functional.
But that doesn’t mean you need to accept that delays are inevitable. You should be constantly assessing what might go wrong and how you would deal with it, because the way you respond to an incident may well be the difference between a minor disruption and a major disaster.
Every second counts
The longer it takes an organisation to detect a vulnerability, the more likely it is that it will lead to a serious security incident. For example, perhaps you have an unpatched system that’s waiting to be exploited by a cyber criminal, or your anti-malware software isn’t up to scratch and is letting infected attachments pass into employees’ inboxes.
Criminals sometimes exploit vulnerabilities as soon as they discover them, causing problems that organisations must react to immediately.
However, they’re just as likely to exploit them surreptitiously, with the organisation only discovering the breach weeks or months later – often after being made aware by a third party.
It takes 175 days on average to identify a breach, giving criminals plenty of time to access sensitive information and launch further attacks.
As Ponemon Institute’s 2019 Cost of a Data Breach Study found, the damages associated with undetected security incidents can quickly add up, with the average cost of recovery being £3.17 million.
If your organisation is to reduce financial losses and stay in control of the situation, you must have an incident response plan. This allows you to mitigate the damage and reduce the delays and costs that come with disruptions.
But incident management isn’t only good business sense, as we discuss next.
The GDPR and the NIS Regulations
Incident response management is a key requirement of the GDPR (General Data Protection Regulation) and the NIS Regulations (Network and Information Systems Regulations).
Failure to implement adequate response protocols could therefore not only endanger your organisation’s long-term productivity but also lead to substantial penalties. Breaches of the NIS Regulations can attract fines of up to £17 million, and the stakes are even higher when it comes to the GDPR, with penalties reaching €20 million (about £17.8 million) or 4% of the organisation’s global annual turnover – whichever is greater.
So, what do you need to do to stay compliant? Article 32 of the GDPR states that organisations must take necessary technical and organisational measures to ensure a high level of information security.
This includes implementing an incident response plan to contain any damage in the event of a data breach and to prevent future incidents from occurring.
Doing so also helps you comply with Article 33 of the Regulation, which requires organisations to contact their supervisory authority if they suffer a breach that poses a risk to the rights and freedoms of individuals.
The notification must be made within 72 hours of becoming aware of the breach, and should include as much detail about the breach as possible.
It should also describe the measures taken, or proposed to be taken, to address the breach, including steps to mitigate possible adverse effects.
Meanwhile, the NIS Regulations require organisations to produce:
- Detection processes and procedures, which should be regularly monitored to ensure that they are up to date and effective;
- Processes and policies for reporting vulnerabilities and security incidents;
- Procedures for documenting the response to cyber security incidents; and
- Incident analyses to assess an incident’s severity and collect information for the organisation’s continual improvement process.
The incident response lifecycle
We recommend that your incident response plan draws on ISO 27001, the international standard for information security, and ISO 27035, which contains principles and guidelines for incident management.
You might also be interested in our approach to incident response, which combines those elements with processes to help you prepare for incidents and aspects of business continuity.
You can adopt this approach by following these eight steps:
1. Identify risks, vulnerabilities and threat exposure
You can’t plan for disaster if you don’t know what might be coming, so the first step is to identify risks by conducting a risk assessment.
This process will also give you an idea of how much of a threat each risk poses and whether it’s worth addressing. For example, if you decide that a risk is highly unlikely to occur or will only cause minimal damage, planning for it might be more trouble than it’s worth.
2. Review cyber security controls
Your organisation more than likely already has certain controls in place; these could be as basic as antivirus software or firewalls.
Such measures could also stretch to existing policies or procedures, e.g. maintaining a schedule for regularly updating devices and software, or even physical security, such as CCTV.
These controls and measures should be reviewed to make sure they are still up to date, and ultimately capable of saving you any unnecessary work – if an existing measure suffices, ensure it is documented and cross it off the to-do list.
3. Conduct a business impact analysis
A BIA (business impact analysis) is a process that uses critical activities to determine priorities for recovery following an incident.
A BIA will also help you work out how quickly each activity needs to be resumed following an incident. Importantly, the analysis will give you an RTO (recovery time objective) for each activity, which is the ‘acceptable’ length of time it takes to get your systems up and running again.
4. Form the incident response team
A dedicated incident response team analyses information about incidents, discusses observations, coordinates activities, and shares important findings internally.
The team could include a director or senior manager, information security manager, facilities manager and IT manager.
Whatever the exact roles are, the team needs to have enough authority to act quickly in response to incidents, and sufficient access to information and expertise to make sure decisions are made on the basis of the best information available.
5. Develop incident response plans
Your plan should focus on the identified critical assets – including the risks to those assets, asset owners and asset locations – as well as the summarised results of the BIA.
You also need to put a reporting process or communication plan in place to ensure that both the incident response team and relevant stakeholders will be informed of any incidents.
For that process to work, you need to include contact details – both of team members and relevant authorities – and call trees, as well as checklists or steps to be taken in the case of specific scenarios.
6. Test incident scenarios
To be sure that the checklists or steps for specific scenarios actually work, you must test them.
Testing these steps at least biannually ensures that they are and remain effective, but also enables the documented plan to be as detailed as possible. And no matter how familiar staff are with the plan, theory is no substitute for practical experience.
Testing does not simply confirm that the plan works, but also trains staff to respond as efficiently as possible. All lessons learned should be documented, and resulting improvements incorporated into the scenarios as necessary.
7. Conduct incident response training
Human error and process failures are the underlying reasons for the majority of security incidents.
To reduce this risk, you must teach your staff about the importance of effective security and how they can avoid making mistakes.
Employees with incident response duties should receive additional training in relation to their role, whether this concerns incident notification, reporting or classification, or scenario testing.
Those with business continuity duties should also receive appropriate training.
8. Establish a continual improvement framework
Like any framework, incident response processes must be regularly reviewed to take into account emerging threats and areas where the current framework isn’t working as intended.
As such, the steps outlined here should be repeated annually or whenever there are major changes to your organisation.
Experiencing a cyber security incident?
If you’re facing a disaster or worried about what will happen when an incident occurs, you should turn to IT Governance.
Our experts help you take immediate action no matter what the situation. We can mitigate the damage if you’re in a crisis or optimise your existing resources and provide support where needed.
Following the incident, we aim to get you back to business, armed with the knowledge to manage your risks and improve your security posture.
A version of this blog was originally published on 14 May 2018.
The post What is incident response management and why do you need it? appeared first on IT Governance Blog.
When companies fall victim to a cyberattack, the first thing they do is eliminate the threat. But for cybersecurity investigators, that’s just the first part of their job. Like real-world investigators, cybersecurity experts need to gather and analyze evidence of the attack to improve cybersecurity policies or to present it in court during a hearing. Cyber investigators do their evidence gathering through memory forensics.
What Is Memory Forensics?
Memory forensics is the process of collecting memory dumps and analyzing them for evidence of how a cybercrime happened or to find the origins of a malware breach. This is usually done after a cyberattack, but cybersecurity specialists can also do this as a routine check-up for malicious injections that could be running in the system.
Memory forensics is a way to backtrack events that led to a successful security breach and to help specialists know how to improve their company’s cybersecurity.
What Is Memory Forensics? — How Is Memory Forensics Done?
Memory forensics, also known as memory analysis, can be broken down into three parts: retrieval, analysis, and documentation.
The first part of memory forensics is the retrieval phase. Because all activities done and actions taken in a computer are recorded in the system’s memory, cyber investigators need to retrieve the system memory to see when and where the cyberattack began. It’s like retrieving an airplane’s black box after a crash.
To retrieve the system’s memory, cyber investigators perform a memory dump. This is a procedure where data in a system’s RAM is read and transferred to a storage device. Retrieving RAM data is important, since this is “volatile” data, meaning that it is only retained when the system is on and disappears once the system is turned off.
If there is no cyberattack or breach, memory dumps can help IT specialists understand a crash event and how it happened. There are many kinds of memory dump tools available in the market.
The second phase is memory analysis. This is the part where cyber investigators look through the system’s memory dump for signs of malicious activities. Investigators take memory analysis seriously, and they will search for hidden folders and retrieve deleted or encrypted files.
Memory analysis can take days or months to complete. Retrieved memory dumps are examined using different analyzing tools and software.
The last phase of memory forensics is the documentation phase. All pieces of evidence and significant activities discovered during memory analysis are recorded. Once the collected memory dumps are thoroughly analyzed, investigators take note of every detail of the event and carefully create a report.
This report is then validated by running tests on the system and checking for inconsistencies. After validation, the report is ready for presentation in court and other legal proceedings or to company management to help improve cybersecurity.
No matter how strong a company’s cybersecurity is, they can still be victims of a cyberattack. And when that happens, it’s crucial to know when and how the cyberattack happened so vulnerabilities can be addressed and cybercriminals can be tracked down.
If you’re worried about your cybersecurity, now is a good time to do your own memory forensics to see if you have been compromised.
The post Memory Forensics: The Key to Better Cybersecurity appeared first on .
‘Do we really need to spend a load of money on cyber security software?’ you might ask. You have built-in antivirus, so won’t that do?
No. Cyber security is about more than preventing viruses and malware. Criminals have plenty of other tricks for breaking into your organisation, so you must purchase software to close as many gaps as possible.
Why cyber security software is so important
Over the past few years, organisations and individuals have acknowledged the severity of the threat posed by cyber crime. We tracked 557 data breaches last year alone, with organisations of all sizes coming under attack.
Meanwhile, the introduction of the GDPR (General Data Protection Regulation) has raised the stakes when it comes to effective security. Organisations that fail to secure data properly, or that violate individuals’ privacy rights, face fines of up to €20 million (about £18 million) or 4% of their annual global turnover.
If organisations are to avoid suffering data breaches, they need to protect their systems. Many people believe that refers to technological solutions – but although that’s our focus here, it’s only one way to secure your organisation.
After all, it’s no good purchasing cyber security software if no one knows how to use it or employees expose data in other ways. That’s why technology must always be complemented with security policies and staff awareness training, in what is often known as the people–processes–technology model.
The reason so many people focus on technology, as opposed to people or processes, is that it does a lot of the heavy lifting in a security framework.
Most data breaches are the result of basic mistakes that all three parts of the model address, but whereas ‘people’ and ‘processes’ are designed to change poor security habits – something that takes time and effort – security software can be plugged straight into the system.
It doesn’t address the root cause of the problem, but it prevents breaches from occurring.
For example, access controls, which limit who can view certain information, doesn’t stop an employee from wanting to view sensitive information (or even explain why this is a security concern), but it does ensure that a breach doesn’t occur.
There are myriad programs designed to protect your organisation in ways like this. In the next section, we run through some of the most common types of software and how they work.
Examples of cyber security software
- Antivirus and anti-malware
Antivirus software is the quintessential example of cyber security technology. It was originally designed to root out viruses, but modern software now generally includes protection against a broad range of malicious programs, including malware, ransomware, keyloggers, Trojan horses, worms, adware and spyware.
The software scans your computers, looking for files that match its built-in database of known viruses and malware, and either deletes them or alerts you to their presence.
Antivirus and anti-malware software are essential for all businesses that use online systems. Malicious programs are hidden in all kinds of files, and it’s only a matter of time before an employee downloads something harmful or a criminal otherwise infects your organisation.
Firewalls create a buffer between your IT systems and external networks. They monitor network traffic, and identify and block unwanted traffic that could damage your computers, systems and networks.
Implementing firewalls helps protect organisations from criminal hackers trying to break into their networks, and from outgoing traffic originating from a virus.
- System monitoring
There are several inexpensive tools you can use to detect suspicious activity on your organisation’s networks.
Such activity includes attempts to access privileged information (whether from an employee or external actor), login attempts from unusual locations, and unusual activity related to the way information was viewed.
Monitoring this information gives you a head start when it comes to active or attempted system compromises.
- Access controls
Access controls ensure that staff can only view information that’s relevant to their job. For example, someone in marketing must be able to view contact information for those who have signed up for a service, but they won’t need access to, say, HR files and payroll data.
Walling off those parts of the system ensures that staff can’t compromise that data, either accidentally or maliciously. It also protects organisations should a criminal hacker break into an employee’s account, as they will only be able to view a select amount of data.
How do you know which software is necessary?
The examples we’ve listed will be essential for almost every organisation, as they address universal issues. But what about other types of software, like encryption programs? Should you invest in those?
The answer can be found by conducting a risk assessment. This is a process in which you identify, analyse and evaluate security risks and determine appropriate solutions.
If, once you’ve completed the assessment, you decide that certain software is necessary, then you should purchase it. If you don’t need it, then invest your money elsewhere.
A software solution to help you decide
There’s a lot at stake when you conduct a risk assessment, so it’s a good idea to get expert advice. That’s where vsRisk Cloud comes in.
This online tool helps you conduct an information security risk assessment aligned with ISO 27001, the international standard for information security.
With vsRisk Cloud, you’ll get repeatable, consistent assessments year after year. Its integrated risk, vulnerability and threat database eliminates the need to compile a list of risks, and the built-in controls helps you comply with multiple frameworks, including the GDPR.
Last month, Life at Parliament View was fined £80,000 by the ICO (Information Commissioner’s Office) after security errors exposed 18,610 customers’ personal data for almost two years.
The incident occurred when the London-based estate agency transferred personal data from its server to a partner organisation but failed to implement access controls.
This meant that tenants’ and landlords’ bank statements, salary details, passport information, dates of birth and addresses were publicly available online between March 2015 and February 2017, when Life at Parliament View learned of the breach.
During its investigation, the ICO discovered many security practices that contravened the DPA (Data Protection Act) 1998. Had the incident occurred after the GDPR (General Data Protection Regulation) took effect on 25 May 2018, Life at Parliament View would have faced a much higher penalty.
Unfortunately, many organisations are vulnerable to the same mistakes. So how can you be sure that your systems and processes are secure?
The breach at Life at Parliament View can largely be attributed to the company’s failure to turn off ‘Anonymous Authentication’ after completing its file transfer. This caused two major security issues.
First, the information was no longer subject to any kind of access control, meaning anyone who found the database was free to view or copy the information it contained.
That’s bad enough, but it also meant that those who accessed the database did so anonymously. Life at Parliament View had no way of knowing whether the people opening or amending the database were employees doing their job or whether the information had been compromised by an unauthorised person – be it another employee or a criminal hacker.
There were other security mistakes that exacerbated the issue, like a lack of encryption and poor staff awareness training to identify security lapses, but the root cause was the lack of access controls to ensure only authorised employees could access the sensitive information in question.
What are access controls?
Put simply, access controls are measures that restrict who can view data. They consist of two elements:
- Authentication: a technique used to verify the identity of a user.
- Authorisation: determines whether a user should be given access to data.
To be effective, access control requires the enforcement of robust policies. This can be difficult when most organisations operate in hybrid environments where data is mobile and moves between on-premises servers to the Cloud, external offices and beyond.
Organisations must determine the most appropriate access control model to adopt based on the type and sensitivity of the data they’re processing. They have several options:
- Discretionary access control: employees control the programs and files they use, and determine the permissions other users have relating to that information. It is commonly referred to as a ‘need-to-know’ access model.
- Mandatory access control: the administrator defines the usage and access policy, which cannot be modified by users.
- Role-based access control: provides access based on a user’s role, and applies principles such as ‘least privilege’ and ‘separation of privilege’. This means the user can access only the information that is required for their role.
- Attribute-based access control: based on different attribute types: user attributes, attributes associated with the application, and current conditions. This provides dynamic, fine-grained access control but is also the most complex to operate.
Whichever model you adopt, it’s important to keep access to your data to a minimum, as this limits the opportunities for a criminal hacker to access your information.
Access controls and Cyber Essentials
Organisations that want understand how to implement access controls should look at Cyber Essentials, a UK government assurance scheme based on “10 Steps to Cyber Security” and administered by the NCSC (National Cyber Security Centre).
Cyber Essentials has two objectives:
- To set out five basic cyber security controls that can protect organisations from common cyber attacks.
- To provide a simple and affordable certification process for organisations to demonstrate that they have implemented essential cyber security measures.
The post How to avoid the security mistakes that cost an estate agency £80,000 in fines appeared first on IT Governance Blog.
It sounds crazy to the uninitiated, but organisations across the globe pay people to break into their systems and find sensitive information.
The reason they do this is simple: to catch a thief, you must think like one. Organisations hire ethical hackers to make sure they have someone who’s one step ahead of the tactics that crooks use.
What is ethical hacking?
Ethical hacking (or penetration testing) refers to the exploitation of networks and applications, with the intention of informing the organisation about the vulnerabilities you discover.
With the vulnerabilities the ethical hacker discovers, organisations can implement defences to stop criminals before they’ve had a chance to target the organisation.
What does an ethical hacker do?
Ethical hackers identify and exploit vulnerabilities using the same methods as a criminal hacker. The only difference is that ethical hackers operate within the law, and don’t use any of the information they’ve discovered maliciously.
Attacks may involve exploiting system misconfigurations, sending the organisation’s staff phishing emails, with the intention of gathering their login credentials or breaching the physical perimeter.
As the threat landscape has evolved, ethical hackers are sometimes commissioned to commit long-term cons. They will watch and analyse an organisation, looking for patterns that can be exploited. One method they might use is to leave removable devices containing malware in a public area to see if an employee plugs it into one of the organisation’s computers.
Can I trust ethical hackers?
You might be unnerved at the prospect of allowing an ethical hacker to root around in your organisation, but there’s nothing to fear as long as you hire a qualified ethical hacker through a trusted third party.
How to become an ethical hacker
You can gain all the skills you need to become an ethical hacker by taking our Certified Ethical Hacker (CEH) Training Course.
This five-day course gives you practical, hands-on experience with ethical hacking. You’ll be shown the strategies, tactics, technologies, tools and motivations of criminal hackers, and be given the opportunity to replicate their methods.
After the course, our tutor will be available to provide support and answer any questions you may have. You’ll also be given six months online access to EC-Council iLabs to further develop your skills.
When you’re ready, you can sit the CEH Practical exam, where you’ll be tested on your ability to identify and exploit vulnerabilities in operating systems, databases and networks.
Those who pass will receive the CEH (Practical) certification, which is globally recognised as the vendor-neutral qualification of choice for developing a senior career in ethical hacking and penetration testing.
A version of this blog was originally published on 2 May 2017.
The post What is ethical hacking? A guide to white-hat attacks and penetration tests appeared first on IT Governance Blog.
With 3.4 billion malicious emails sent every day, phishing poses a massive risk to organisations of all sizes.
However, the threat doesn’t just come from the volume of scams, but their idiosyncrasy. The measures you put in place to protect you from most cyber attacks – anti-malware, perimeter scans, vulnerability assessments, etc. – are inadequate when it comes to phishing, because fraudsters doesn’t exploit technological weaknesses.
They instead target employees using a tactic known as social engineering.
What is social engineering?
Social engineering is a collective term for the ways people are manipulated into performing certain actions.
In an information security context, it refers to the methods fraudsters use to get people to hand over sensitive information and expose themselves to malware.
Phishing is a classic example of social engineering, as the scams emulate legitimate organisations and attempt to trick people into complying with a request.
How do phishing scams manipulate us?
In some ways, it seems impossible that people could fall for phishing. Awareness is at a record high, popular targets like Amazon have dedicated phishing prevention pages and many bogus emails do a poor job of imitating their target.
Yet phishing is as successful as ever. Why? Because it taps into people’s fears to such an extent that they can’t spot the signs of bogus emails.
For example, many messages replicate services that possess sensitive information or are essential for the user’s quality of life. This explains the prevalence of phishing emails that relate to tax forms or entertainment services like Netflix.
A 2017 PhishMe survey found that fear was the most effective motivating factor for someone to click a link or open an attachment in a phishing email.
The organisation sent a series of benign phishing emails to respondents and found that the most successful scam spoofed a bar association that claimed that a grievance had been filed against the recipient. It tricked 44% of respondents.
A similar scam email imitating an accountancy firm that claimed a complaint had been filed against the recipient was successful 34% of the time.
Catching us off guard
Although people are always susceptible to phishing, cyber criminals increase their chances of success by sending scams at times when we are most vulnerable.
Phishing has a comparatively low success rate when the recipient is busy or thinking about something else when they receive the message. The sense of urgency is diminished on, say, Monday mornings, when employees have plenty of other urgent tasks.
When they come back to the email a few hours later, they are more likely to notice the things that seem suspicious. Or, if the message is imitating a colleague, they’ll see that person in the office, ask about their request and realise that it was a scam.
Criminals therefore try to send scams when people are most likely to take action right away, which means scheduling them for times when recipients are least likely to be busy. Fridays are sometimes considered the peak time for phishing, but you’re just as likely to fall victim during the middle of the week.
Whatever day it is, the consensus is that you’re most vulnerable during your lunch break and in the early afternoon. This is because most of us take a break from whatever task we were doing. We might use the time to check our emails, and the message may appear as we sit there with no other tasks at hand.
How vulnerable are your staff?
There’s a simple way to assess how big of a threat phishing poses to your organisation: send your employees a scam email.
This might sound reckless, but it’s perfectly safe. Our Simulated Phishing Attack service sends your employees a typical example of a phishing email without the malicious payload.
This gives you the opportunity to monitor how your employees respond. Do they click a link right away? Do they recognise that it’s a scam and delete it? Do they contact a senior colleague to warn them?
You can use the answers to guide your information security measures and to act as a reference point when it comes to staff awareness training.
A version of this blog was originally published on 23 November 2016.
Remember after last month’s relatively serene cyber security scene we said this wasn’t the beginning of the GDPRevolution?
July was bound to be a bounce-back month, but we couldn’t have expected the frighteningly high total of 2,359,114,047 breached records.
Granted, a big chunk of those come from a single incident – a mammoth breach involving a Chinese smart tech supplier – but as unimaginative football commentators say, ‘they all count’.
Let’s take a look at the full list:
- Tennessee-based hospice notifies patients and next of kin of cyber attack (unknown)
- ‘Silence’ hackers steal more than $3 million from banks in Bangladesh, Sri Lanka and Kyrgyzstan (unknown)
- Hackers steal names and Social Security numbers from Maryland Department of Labour (78,000)
- Croatian government targeted by mysterious hackers (unknown)
- Philadelphia Federal Credit Union confirms security breach (unknown)
- State-sponsored hackers breach Greece’s top-level domain registrar (unknown)
- Chinese job recruiting site hacked, with CVs for sale on dark web (160,000)
- Los Angeles Co. Department of Health Services email hacked exposing patient data (14,591)
- ME-based Penobscot Community Health Center says it was affected by AMCA hack (13,000)
- Japanese cryptocurrency exchange Bitpoint loses $32m in cyber attack (unknown)
- Crooks steal Bulgarians personal details and email them to local media (5 million)
- US telecoms company Sprint says it was breached via vulnerability in Samsung website (unknown)
- University of Alabama discovers 10-year-old account breach (1,400)
- Pennsylvania-based software firm and healthcare provider accuse each other of data theft (unknown)
- TX-based Wise Health reports data breach caused by phishing attack (35,899)
- OH-based Edgepark Medical Supplies notifies patients after a ‘password spray attack’ (6,572)
- Computer files at Bahamas’ Ministry of Tourism corrupted by virus (unknown)
- Taiwan’s 1111 Job Bank says online customers details were hacked by “tomholland” (20,000)
- South Carolina’s Midlands Technical College breached by virus (unknown)
- Hackers publish list of Discord credentials they accessed in phishing scam (2,500)
- Hackers breach SyTech, a contractor for Russia’s national intelligence service (unknown)
- Henry Co., GA, networks offline for five days after malware attack (unknown)
- Lancaster University students caught out in phishing attack (unknown)
- Alabama-based school says its systems have been wiped out, but won’t confirm whether ransomware is to blame (unknown)
- Hackers target the City of Concord Anson County and Lincoln County Sheriff’s office in overnight attacks (unknown)
- LAPD officers and applicants stolen by hacker (20,000)
- What’s been taken from your wallet? Capital One says credit card applicants’ data stolen (100 million)
- J’Syracuse? School District blames ransomware for power outage (unknown)
- Georgia court agency hacked in ransomware attack (unknown)
- Key Biscayne becomes third Florida city to be hit by ransomware (unknown)
- LaPorte, Indiana, government pays $132 after its systems crippled by ransomware (unknown)
- Humboldt State University radio station goes silent after ransomware attack (unknown)
- Hackers demand $2 million after infecting NY-based Monroe College with ransomware (unknown)
- Gila Co., AZ, experiences week-long disruption after ransomware attack (unknown)
- New Bedford, MA, and Syracuse, NY, governments also hit by ransomware (unknown)
- Lyon Co., NV, becomes latest US government to be hit by ransomware (unknown)
- Northwest Indian College suffered major file loss in Ryuk ransomware (unknown)
- Libraries in Onondaga Co., NY, hit by ransomware attack (unknown)
- FBI investigating after Collierville, TN, hit by ransomware attack (unknown)
- Tampa-based community radio station WMNF hit by ransomware (unknown)
- QuickBooks Cloud hosting firm iNSYNQ recovering after ransomware attack (unknown)
- Butler Co. Federated Library System working on its online system following a ransomware attack (unknown)
- Maitland, FL, dentist says five months of patient records encrypted by ransomware (unknown)
- New Haven Public School district has ‘restored all critical functions’ after ransomware attack (unknown)
- Mobile, AL-based Springhill Medical Center goes quiet after ransomware attack (unknown)
- Washington-based Grays Harbor Community Hospital still treated patients despite ransomware attack (unknown)
- Synology NAS devices hit by ransomware after brute-force password attacks (unknown)
- Kentucky-based non-profit health centre pays $70,000 after ransomware attack (unknown)
- University of Western Australia alerts former students about potential data theft after laptop theft (100,000)
- Two Puerto Rico hospitals report ransomware attacks (520,000)
- Steel plant Blastech becomes second Mobile-based organisation to be hit by ransomware this month (unknown)
- Chinese smart home vendor Orvibo involved in password dump (2 billion)
- Indian government website is leaking pensioner’s data; official says it won’t be fixed until 31 July (unknown)
- American Land Title Association informed of data breach (600)
- Chinese government leaves unsecured databased on the Internet (58,364,777)
- DNA testing service Vitagene left customer records online for years (3,000)
- K12 Inc. database of student data was left unprotected online (19,000)
- Former Desjardins president falls victim to identity theft after data breach (1)
- Canadian police sent an account of someone’s suicide attempt to the wrong people (1)
- Maryland Department of Education left students’ and teachers’ personal details on unencrypted database (1.6 million)
- Another massive database of victims from Evite data breach discovered (101 million)
- Hospitality tech company Aavgo left an unprotected server online for three weeks (unknown)
- University of Nebraska-Lincoln offering ID protection after laptop was stolen (900)
- Texas-based Clinical Pathology Lab informed that it was affected by AMCA hack (34,500)
- Employee at SC-based Medico Inc. left protected health info on unprotected database (300,000)
- Researchers discover massive data leak in a server belonging to unnamed Chinese company (4.6 million)
- More healthcare providers release details of AMCA data breach (939,050)
- Swedish cryptocurrency exchange QuickBit says it left database publicly available online (300,000)
- Tennessee high school students at risk after data breach at Higher Education Commission vendor (unknown)
- Isle of Man government ‘mislays’ personal data of home care residents (33)
- Browser extensions are causing data breaches at US-based healthcare software companies (unknown)
- Commission investigating Australian police informant accidentally shares her handlers’ personal details with underworld clients (unknown)
- YouHodler misconfiguration exposes crypto loan details onto the web (86 million)
- Security lapse at email marketing company FormGet exposes user-uploaded documents (43,000)
- Unprotected server at Brazilian financial services provider exposes customer data (unknown)
- National Australia Bank notifying customers after data service companies misuse personal data (13,000)
- Family who adopted a child were forced to move home and change names after lawyers accidentally shared personal details with birth parents (3)
- Third-party breach exposes personal data of students at Connecticut school (unknown)
- Vancouver tour company apologises after dumping personal information in recycling bin (unknown)
- Sephora says database of Asian, Australian and New Zealand customers’ personal data was leaked (unknown)
- ‘Procedural error’ as Glasgow council leaked details of low-income families (+30)
- Arlington Co. says cyber criminals penetrated its payroll system (unknown)
- MYOB blames glitch after it sends payslips to the wrong people (220)
Malicious insiders and miscellaneous incidents
- Florida Department of Children and Family Services accuses employee of leaking sensitive data (2,000)
- Former employees at India-based Magnasoft Consulting accused of stealing data (unknown)
- Fired IT employee at Baltimore government gains access to sensitive areas (unknown)
- Attackers break into journalist’s home, kills her dogs and steal reporting records (unknown)
In other news…
- Lake City fires employee after paying ransom in malware attack
- St John Ambulance praised for its response to ransomware attack
- Break-in at medical centre was behind discovery of personal records in Donegal park
- US mayors’ group agrees not to pay any more ransoms to criminal hackers
The post List of data breaches and cyber attacks in July 2019 – 2.3 billion records leaked appeared first on IT Governance Blog.
As I reflect upon my almost 40 years as a cyber security professional, I think of the many instances where the basic tenets of cyber security—those we think have common understanding—require a lot of additional explanation. For example, what is a vulnerability assessment? If five cyber professionals are sitting around a table discussing this question, you will end up with seven or eight answers. One will say that a vulnerability assessment is vulnerability scanning only. Another will say an assessment is much bigger than scanning, and addresses ethical hacking and internal security testing. Another will say that it is a passive review of policies and controls. All are correct in some form, but the answer really depends on the requirements or criteria you are trying to achieve. And it also depends on the skills and experience of the risk owner, auditor, or assessor. Is your head spinning yet? I know mine is! Hence the “three parts art.”
There is quite a bit of subjectivity in the cyber security business. One auditor will look at evidence and agree you are in compliance; another will say you are not. If you are going to protect sensitive information, do you encrypt it, obfuscate it, or segment it off and place it behind very tight identification and access controls before allowing users to access the data? Yes. As we advise our client base, it is essential that we have all the context necessary to make good risk-based decisions and recommendations.
Let’s talk about Connection’s artistic methodology. We start with a canvas that has the core components of cyber security: protection, detection, and reaction. By addressing each of these three pillars in a comprehensive way, we ensure that the full conversation around how people, process, and technology all work together to provide a comprehensive risk strategy is achieved.
Users understand threat and risk, and know what role they play in the protection strategy. For example, if you see something, say something. Don’t let someone surf in behind you through a badge check entry. And don’t think about trying to shut off your end-point anti-virus or firewall.
Policy are established, documented, and socialized. For example, personal laptops should never be connected to the corporate network. Also, don’t send sensitive information to your personal email account so you can work from home.
Some examples of the barriers used to deter attackers and breaches are edge security with firewalls, intrusion detection and prevention, sandboxing, and advanced threat detection.
The average mean time to identify an active incident in a network is 197 days. The mean time to contain an incident is 69 days.
Incident response teams need to be identified and trained, and all employees need to be trained on the concept of “if you see something, say something.” Detection is a proactive process.
What happens when an alert occurs? Who sees it? What is the documented process for taking action?
What is in place to ensure you are detecting malicious activity? Is it configured to ignore noise and only alert you of a real event? Will it help you bring that 197-day mean time to detection way down?
What happens when an event occurs? Who responds? How do you recover? Does everyone understand their role? Do you War Game to ensure you are prepared WHEN an incident occurs?
What is the documented process to reduce the Kill Chain—the mean time to detect and contain—from 69 days to 69 minutes? Do you have a Business Continuity and Disaster Recovery Plan to ensure the ability to react to a natural disaster, significant cyber breach such as ransomware, DDoS, or—dare I say it—a pandemic?
What cyber security consoles have been deployed that allow quick access to patch a system, change a firewall rule, switch ACL, or policy setting at an end point, or track a security incident through the triage process?
All of these things are important to create a comprehensive InfoSec Program. The science is the technology that will help you build a layered, in-depth defense approach. The art is how to assess the threat, define and document the risk, and create a strategy that allows you to manage your cyber risk as it applies to your environment, users, systems, applications, data, customers, supply chain, third party support partners, and business process.
More Art: Are You a Risk Avoider or Risk Transference Expert?
A better way to state that is, “Do you avoid all risk responsibility or do you give your risk responsibility to someone else?” Hint: I don’t believe in risk avoidance or risk transference.
Yes, there is an art to risk management. There is also science if you use, for example, The Carnegie Mellon risk tools. But a good risk owner and manager documents risk, prioritizes it by risk criticality, turns it into a risk register or roadmap plan, remediates what is necessary, and accepts what is reasonable from a business and cyber security perspective. Oh, by the way, those same five cyber security professional we talked about earlier? They have 17 definitions of risk.
As we wrap up this conversation, let’s talk about the importance of selecting a risk framework. It’s kind of like going to a baseball game and recognizing the program helps you know the players and the stats. What framework will you pick? Do you paint in watercolors or oils? Are you a National Institute of Standards (NIST) artist, an Internal Standards Organization artist, or have you developed your own framework like the Nardone puzzle chart? I developed this several years ago when I was the CTO/CSO of the Commonwealth of Massachusetts. It has been artistically enhanced over the years to incorporate more security components, but it is loosely coupled on the NIST 800-53 and ISO 27001 standards.
When it comes to selecting a security framework as a CISO, I lean towards the NIST Cyber Security Framework (CSF) pictured below. This framework is comprehensive, and provides a scoring model that allows risk owners to measure and target what risk level they believe they need to achieve based on their business model, threat profile, and risk tolerance. It has five functional focus areas. The ISO 27001 framework is also a very solid and frequently used model. Both of these frameworks can result in a Certificate of Attestation demonstrating adherence to the standard. Many commercial corporations do an annual ISO 27001 assessment for that very reason. More and more are leaning towards the NIST CSF, especially commercial corporations doing work with the government.
The art in cyber security is in the interpretation of the rules, standards, and requirements that are primarily based on a foundation in science in some form. The more experience one has in the cyber security industry, the more effective the art becomes. As a last thought, keep in mind that Connection’s Technology Solutions Group Security Practice has over 150 years of cyber security expertise on tap to apply to that art.
This week, the famous RSA Conference 2019 is underway, where supposedly "The World Talks Security" -
If that's the case, let's talk - I'd like to respectfully ask the entire RSA Conference just 1 simple cyber security question -
Question: What lies at the very foundation of cyber security and privileged access of not just the RSAs, EMCs, Dells, CyberArks, Gartners, Googles, Amazons, Facebooks and Microsofts of the world, but also at the foundation of virtually all cyber security and cloud companies and at the foundation of over 85% of organizations worldwide?
For those who may not know the answer to this ONE simple cyber security question, the answer's in line 1 here.
For those who may know the answer, and I sincerely hope that most of the world's CIOs, CISOs, Domain Admins, Cyber Security Analysts, Penetration Testers and Ethical Hackers know the answer, here are 4 simple follow-up questions -
- Q 1. Should your organization's foundational Active Directory be compromised, what could be its impact?
- Q 2. Would you agree that the (unintentional, intentional or coerced) compromise of a single Active Directory privileged user could result in the compromise of your organization's entire foundational Active Directory?
- Q 3. If so, then do you know that there is only one correct way to accurately identify/audit privileged users in your organization's foundational Active Directory, and do you possess the capability to correctly be able to do so?
- Q 4. If you don't, then how could you possibly know exactly how many privileged users there are in your organization's foundational Active Directory deployment today, and if you don't know so, ...OMG... ?!
You see, if even the world's top cyber security and cloud computing companies themselves don't know the answers to such simple, fundamental Kindergarten-level cyber security questions, how can we expect 85% of the world's organizations to know the answer, AND MORE IMPORTANTLY, what's the point of all this fancy peripheral cyber security talk at such conferences when organizations don't even know how many (hundreds if not thousands of) people have the Keys to their Kingdom(s) ?!
Today Active Directory is at the very heart of Cyber Security and Privileged Access at over 85% of organizations worldwide, and if you can find me even ONE company at the prestigious RSA Conference 2019 that can help organizations accurately identify privileged users/access in 1000s of foundational Active Directory deployments worldwide, you'll have impressed me.
Those who truly understand Windows Security know that organizations can neither adequately secure their foundational Active Directory deployments nor accomplish any of these recent buzzword initiatives like Privileged Access Management, Privileged Account Discovery, Zero-Trust etc. without first being able to accurately identify privileged users in Active Directory.
PS: Pardon the delay. I've been busy and haven't much time to blog since my last post on Cyber Security 101 for the C-Suite.
PS2: Microsoft, when were you planning to start educating the world about what's actually paramount to their cyber security?
Today's post is for all executives worldwide who comprise the C-Suite at thousands of organizations worldwide.
I pen today's post with profound respect for all executives worldwide, because I understand first-hand just how important the nature of their responsibilities is, how valuable their time is, and how far-reaching the consequences of their decisions are.
A quick footnote for all C*Os : In case you're wondering who I am to be penning this, I'm former Microsoft Program Manager for Active Directory Security. Relevance? Microsoft's Active Directory is the foundation of your entire organization's cyber security. Finally, like you, I also happen to be the CEO of a $ Billion+ company.
Today's post is in the form of a simple letter, that follows (below.)
Subject - Cyber Security 101 for the C-Suite
Hi, I'm Sanjay, former Microsoft Program Manager for Active Directory Security, but more importantly a sincere well-wisher who cares deeply about cyber security, and who just happens to know a thing or two about the very technology that lies at the very foundation of cyber security of your ($ Billion to $ Trillion) organization, and those of 85% of all organizations worldwide.
I write to you to bring to your attention a matter of paramount importance to your organization's foundational security.
Context - Foundational Security
Today we all engage in business in what is essentially a global digital village, wherein just about just every aspect of business, whether it be production, marketing, sales, customer-service, collaboration, finance etc. etc. substantially relies on technology.
Within our respective organizations, it is our IT infrastructure that enables and empowers our workforce to engage in business.
For instance, we all (including us C*Os) log on to a computer every day, send and receive email, and create, share and access digital assets (e.g. documents, applications, services etc.) all of which are securely stored on our organizational computers.
It is only logical then that ensuring the security of the very IT infrastructure that enables and empowers our entire workforce to engage in business digitally, and the security of our digital assets is vital. In other words, cyber security is very important.
Now, if I told you that at the very foundation of your entire IT infrastructure, and consequently at the very foundation of the security of all your digital assets lay a single high-value asset, then I think you'd agree that its security would be paramount.
At the very foundation of your organization's IT infrastructure and that of its cyber security, and by corollary the cyber security of the entirety of all your digital assets (e.g. thousands of computers, thousands of employee user accounts and passwords, every single organizational email sent and received every minute of every day, all your applications, services, Intranet portals, Internet facing applications etc.) as well as the entirety of your organization's data, lies a single technology - Microsoft Active Directory.
Most simply put, Active Directory is the database that contains, stores and protects the entirety of your organization's building blocks of cyber security - each one of thousands of user accounts and their passwords, each one of thousands of computer accounts (for all laptops, desktops, servers etc.), each one of thousands of security groups that protect all your data etc. etc.
If your organization's Active Directory were compromised, everything would immediately be exposed to the risk of compromise.
Thus as you'll hopefully agree, ensuring the security of your organization's foundational Active Directory is well, paramount.
A Provable Concern - Inadequate Protection
Now, you might most likely be thinking - Well, if that's the case, I'm sure that our CIO, our CISO and their world-class IT and Cyber Security teams know all this, and have it adequately taken care of, so why should I be concerned ?
Here's why you should be concerned - In all likelihood, not only may your world-class IT and Cyber Security teams not have this adequately covered, they may have yet to realize just how very important, and in fact paramount Active Directory security is.
Further, they likely may not know what it actually takes to adequately secure your organization's foundational Active Directory.
Now, as incredulous as that may sound, you have to trust me on this, not because I'm asking you to do so as a concerned well-wisher, but because I'm asking you to do so as arguably the world's #1 subject matter expert on Active Directory Security.
You see, prior to doing what I currently do, I was Microsoft's subject matter expert for Active Directory Security on Microsoft's Windows Server Development team. In case you're curious as to what I do currently do with all this knowledge, well, its this.
As the world's leading subject matter expert on Active Directory Security, I would highly encourage you to ask your IT and Cyber Security leadership, specifically your CIO and your CISO, just how secure they think your organization's Active Directory is.
Simple Proof - You Just Have to Ask
When you ask them about it, please do request specific answers, and here are 7 simple questions you can ask them, the answers to which will give you an indication of just how secure your organization's Active Directory actually is today -
- Is the security of our foundational Active Directory deployment a top cyber security priority today?
- Do we know exactly what the Top-5 security risks to our foundational Active Directory are?
- Do our Active Directory Admins know what Active Directory Effective Permissions are?
- Do we know exactly who possesses what level of privileged access in our Active Directory?
- Do we know exactly who can control/manage each one of our Active Directory privileged accounts and groups?
- Do we know exactly who can run Mimikatz DCSync against our Active Directory today?
- Can you tell me exactly who can reset my domain user account's password to then be able to login as me?
I could suggest 50 such elemental cyber security questions, but for now these 7 simple, precise questions will suffice as there are only 2 possibilities here - either your IT and cyber security leadership have exact answers to these questions, or they don't.
If they can't give you exact answers to these questions, your organization's Active Directory is not secure - its as simple as that.
They might tell you that this is complicated or that they have a good approximation, or that this is very difficult to do, or that they have many other latest buzzword measures like Active Directory Auditing, Privileged Access Management, ATA, Just-in-Time Administration etc. in place, but none of that matters, because the truth is simple - they either have exact answers, or they don't.
(These questions are paramount to cyber security, and today there exists technology that can enable every organization in the world to answer them precisely, but because Microsoft likely forgot to adequately educate its customers, your IT personnel may likely not even know the importance of these paramount questions, let alone knowing what it takes to correctly answer them.)
If a $Billion+ organization doesn't even know exactly who has what privileged access in their Active Directory, as well as exactly who can manage each one of their privileged accounts and groups, how could their Active Directory possibly be secure?
If an organization's foundational Active Directory is not secure, how can the entirety of the organization's digital (IT) assets be secure, and if that's not case, how could an organization possibly be considered secure from a cyber security perspective?
As a member of the C-Suite, you not only have the privilege of being able to impact vital change in your organization, you also have the responsibility and the authority to demand and ensure the cyber security of the very foundation of your organization.
As a C*O, one of the most important responsibilities you shoulder is ensuring that your organization is secure, and ensuring that the very foundation of your organization's IT infrastructure and cyber security are always adequately protected, is paramount.
The Likely Reason (Optional Reading)
Here's the likely reason for why such a common-sense yet paramount matter may not be on your CIO's and CISO's radar yet.
You see, your CIO and CISO shoulder great responsibility. Unfortunately, amongst many other things, they're likely also being guided by inputs from a 1000 cyber security companies, who unfortunately may not be the best source of objective guidance.
For instance, consider CyberArk, a highly respected $ Billion+ cyber security company, that claims that over 50% of the Fortune 100's CISOs rely on them. As a subject matter expert, I can tell you that CyberArk itself may not know how to correctly assess privileged access in an Active Directory, so you see, unfortunately your CIO and CISO may not be getting the best guidance.
CyberArk is absolutely correct that "Privilege is Everywhere." However, those who know Windows Security will tell you that in a Windows network powered by Active Directory, the majority of all privileged access (delegated & unrestricted) lies inside Active Directory, but CyberArk doesn't seem to have the capability to correctly audit privileged access inside Active Directory.
|The majority of all Privileged Access,including the "Keys to the Kingdom", resides inside Active Directory|
CyberArk isn't alone. As unbelievable as it may sound, today even Microsoft doesn't seem to know what it takes to do so, let alone possessing the capability to help its customers correctly do so. In fact, most of the world's top IT Consulting, Audit, Cloud and Cyber Security companies also operate on Active Directory, and they too likely have neither a clue nor the capability to accurately determine exactly who has what privileged access in their own foundational Active Directory deployments.
You may find this hard to believe, but of the 1000+ cyber security companies exhibiting or presenting at the upcoming RSA Conference 2019, not a single one of them can help your organization's IT personnel fulfill such a fundamental yet paramount cyber security need - finding out exactly who has what privileged access in your organization's foundational Active Directory.
In their defense, I'll say this - if it were easy, they would've all done it by now. Unfortunately, as paramount as it is, its not easy.
Thus, I know what your CIO and CISO may perhaps not yet know, or understand the paramount importance of, which is that of all the things that need to be secured, none could possibly be more important than securing your organization's foundational Active Directory, so I thought I'd share this with you, because as a member of the C-Suite, you could provide them strategic guidance and the executive support that their teams need to accomplish this paramount objective for your organization.
I only wrote this letter because we're all in this together, and I care deeply about foundational cyber security, as hopefully do you, and I felt that I could perhaps help bridge the gap between those tasked with the great responsibility of securing Active Directory (i.e. your IT personnel) and those whose executive support they need to be able to do so (i.e. you, the C-Suite.)
As for myself, all I can say is that today my work and knowledge silently help secure and defend so many of the world's most important organizations across six continents worldwide.
Thank you for your time.
Chairman and CEO,
PS: Please know that I am also doing my bit to help Microsoft and the World better Understand Active Directory Security
In days to come, I'm going to answer both, the most important, and the second most important question in all of Cyber Security
Today though, I just wanted to ask a simple (rhetorical) cyber security question, so that CEOs, CIOs, CISOs and IT Directors at organizations worldwide realize just what lies at the very foundation of the cyber security of their multi-billion $ organizations.
|Microsoft Active Directory|
Today, at the very foundation of organizational cyber security worldwide, lie their foundational Active Directory deployments.
Consequently, it logically follows that all organizations that operate on Microsoft Active Directory are only as secure as are their foundational Active Directory deployments. After all, no matter how tall, every skyscraper is only as strong as its foundation.
In days to come, I'll share with you just how secure foundational Active Directory deployments are worldwide today - right here.
Hackers are working hard to find new ways to get your data. It’s not surprising that cyber security risk is top of mind for every risk owner, in every industry. As the frequency and complexity of malicious attacks persistently grows, every company should recognize that they are susceptible to an attack at any time—whether it comes as an external focused attack, or a social engineering attack. Let’s take a look at the top 5 risks that every risk owner should be preparing for.
- Your Own Users. It is commonly known, in the security industry, that people are the weakest link in the security chain. Despite whatever protections you put in place from a technology or process/policy point of view, human error can cause an incident or a breach. Strong security awareness training is imperative, as well as very effective documented policies and procedures. Users should also be “audited” to ensure they understand and acknowledge their role in policy adherence. One area that is often overlooked is the creation of a safe environment, where a user can connect with a security expert on any issue they believe could be a problem, at any time. Your security team should encourage users to reach out. This creates an environment where users are encouraged to be part of your company’s detection and response. To quote the Homeland Security announcements you frequently hear in airports, “If you see something, say something!” The biggest threat to a user is social engineering—the act of coercing a user to do something that would expose sensitive information or a sensitive system.
- Phishing. Phishing ranks number three in both the 2018 Verizon Data Breach Investigation Report Top 20 action varieties in incidents and Top 20 action varieties in breaches. These statistics can be somewhat misleading. For example, the first item on the Top 20 action varieties in breaches list is the use of stolen credentials; number four is privilege abuse. What better way to execute both of those attacks than with a phishing scam. Phishing coerces a user through email to either click on a link, disguised as a legitimate business URL, or open an attachment that is disguised as a legitimate business document. When the user executes or opens either, bad things happen. Malware is downloaded on the system, or connectivity to a Command and Control server on the Internet is established. All of this is done using standard network communication and protocols, so the eco-system is none the wiser—unless sophisticated behavioral or AI capabilities are in place. What is the best form of defense here? 1.) Do not run your user systems with administrative rights. This allows any malicious code to execute at root level privilege, and 2.) Train, train, and re-train your users to recognize a phishing email, or more importantly, recognize an email that could be a phishing scam. Then ask the right security resources for help. The best mechanism for training is to run safe targeted phishing campaigns to verify user awareness either internally or with a third-party partner like Connection.
- Ignoring Security Patches. One of the most important functions any IT or IT Security Organization can perform is to establish a consistent and complete vulnerability management program. This includes the following key functions:
- Select and manage a vulnerability scanning system to proactively test for flaws in IT systems and applications.
- Create and manage a patch management program to guard against vulnerabilities.
- Create a process to ensure patching is completed.
Most malicious software is created to target missing patches, especially Microsoft patches. We know that WannaCry and Petya, two devastating attacks, targeted systems that were missing Microsoft MS17-010. Eliminating the “low-hanging-fruit” from the attack strategy, by patching known and current vulnerabilities or flaws, significantly reduces the attack-plane for the risk owner.
- Partners. Companies spend a lot of time and energy on Information Security Programs to address external and internal infrastructures, exposed Web services, applications and services, policies, controls, user awareness, and behavior. But they ignore a significant attack vector, which is through a partner channel—whether it be a data center support provider or a supply chain partner. We know that high-profile breaches have been executed through third partner channels, Target being the most prominent.The Target breach was a classic supply chain attack, where they were compromised through one of their HVAC vendors. Company policies and controls must extend to all third-party partners that have electronic or physical access to the environment. Ensure your Information Security Program includes all third partner partners or supply chain sources that connect or visit your enterprise. The NIST Cyber Security Framework has a great assessment strategy, where you can evaluate your susceptibility to this often-overlooked risk.
- Data Security. In this day and age, data is the new currency. Malicious actors are scouring the Internet and Internet-exposed corporations to look for data that will make them money. The table below from the 2018 Ponemon Institute 2018 Cost of a Data Breach Report shows the cost of a company for a single record data breach.
Cost for a Single Record Data Breach
The Bottom Line
You can see that healthcare continues to be the most lucrative target for data theft, with $408 per record lost. Finance is nearly half this cost. Of course, we know the reason why this is so. A healthcare record has a tremendous amount of personal information, enabling the sale of more sensitive data elements, and in many cases, can be used to build bullet-proof identities for identity theft. The cost of a breach in the US, regardless of industry, averages $7.9 million per event. The cost of a single lost record in the US is $258.
I Can’t Stress It Enough
Data security should be the #1 priority for businesses of all sizes. To build a data protection strategy, your business needs to:
- Define and document data security requirements
- Classify and document sensitive data
- Analyze security of data at rest, in process, and in motion
- Pay attention to sensitive data like PII, ePHI, EMR, financial accounts, proprietary assets, and more
- Identify and document data security risks and gaps
- Execute a remediation strategy
Because it’s a difficult issue, many corporations do not address data security. Unless your business designed classification and data controls from day one, you are already well behind the power curve. Users create and have access to huge amounts of data, and data can exist anywhere—on premises, user laptops, mobile devices, and in the cloud. Data is the common denominator for security. It is the key thing that malicious actors want access to. It’s essential to heed this warning: Do Not Ignore Data Security! You must absolutely create a data security protection program, and implement the proper policies and controls to protect your most important crown jewels.
Cyber criminals are endlessly creative in finding new ways to access sensitive data. It is critical for companies to approach security seriously, with a dynamic program that takes multiple access points into account. While it may seem to be an added expense, the cost of doing nothing could be exponentially higher. So whether it’s working with your internal IT team, utilizing external consultants, or a mix of both, take steps now to assess your current situation and protect your business against a cyber attack. Stay on top of quickly evolving cyber threats. Reach out to one of our security experts today to close your businesses cyber security exposure gap!
2018 marks the 15th year of National Cyber Security Awareness Month (NCSAM). The Internet touches every aspect of our lives, and keeping it safe and secure is everyone’s responsibility. You can make a difference by remaining diligent and staying cyber aware. Be part of something big this month. Learn more, be aware, and get involved.
Connection is an official Champion of NCSAM. We’re dedicating the month of October to spreading the word about the importance of cyber security, and providing tools and resources to help you stay safe and secure online.
Each week during October highlights a different cyber security theme, addressing specific challenges and opportunities for change. Stay tuned for information about the top cyber security threats, careers in cyber security, and why it’s everyone’s job to ensure online safety. What are you doing to keep the Internet safer and more secure? Be sure to check back each week to stay informed, and get tips from our experts about how you can participate in keeping everyone safe online.
The post October Is National Cyber Security Awareness Month: Be Part of Something Big appeared first on Connected.
Today, to give a hint for the answer to this 1 question, I asked possibly the most important cyber security question in the world, one that directly impacts the foundational security of 1000s of organizations worldwide, and thus one that impacts the financial security of billions of people worldwide -
I sincerely hope that someone (anyone) at Microsoft, or that some CISO (any ONE) out there, will answer this ONE question.
Given what it is I do, I don't squander a minute of precious time, unless something is very important, and this is very important.
Let me explain why this is so alarming, concerning and so important to cyber security, and why at many organizations (e.g. U.S. Govt., Paramount Defenses etc.), this could've either possibly resulted in, or in itself, be considered a cyber security breach.
Disclaimer: I'm not making any value judgment about Lenovo ; I'm merely basing this on what's already been said.
As you know, Microsoft's been brazenly leaving billions of people and thousands of organizations worldwide with no real choice but to upgrade to their latest operating system, Windows 10, which albeit is far from perfect, is much better than Windows Vista, Windows 8 etc., even though Windows 10's default settings could be considered an egregious affront to Privacy.
Consequently, at Paramount Defenses, we too felt that perhaps it was time to consider moving on to Windows 10, so we too figured we'd refresh our workforce's PCs. Now, of the major choices available from amongst several reputable PC vendors out there, Microsoft's Surface was one of the top trustworthy contenders, considering that the entirety of the hardware and software was from the same vendor (, and one that was decently trustworthy (considering that most of the world is running their operating system,)) and that there seemed to be no* pre-installed drivers or software that may have been written in China, Russia etc.
Side-note: Based on information available in the public domain, in all likelihood, software written in / maintained from within Russia, may still likely be running as System on Domain Controllers within the U.S. Government.
In particular, regardless of its respected heritage, for us, Lenovo wasn't an option, since it is partly owned by the Chinese Govt.
So we decided to consider evaluating Microsoft Surface devices and thus purchased a couple of brand-new Microsoft Surface devices from our local Microsoft Store for an initial PoC, and I decided to personally test-drive one of them -
The very first thing we did after unsealing them, walking through the initial setup and locking down Windows 10's unacceptable default privacy settings, was to connect it to the Internet over a secure channel, and perform a Windows Update.
I should mention that there was no other device attached to this Microsoft Surface, except for a Microsoft Signature Type Cover, and in particular there were no mice of any kind, attached to this new Microsoft surface device, whether via USB or Bluetooth.
Now, you're not going to believe what happened within minutes of having clicked the Check for Updates button!
Windows Update Downloaded and Installed an Untrusted
Self-Signed Lenovo Device Driver on Microsoft Surface! -
Within minutes, Windows Update automatically downloaded and had installed, amongst other packages (notably Surface Firmware,) an untrusted self-signed Kernel-mode device-driver, purportedly Lenovo - Keyboard, Other hardware - Lenovo Optical Mouse (HID), on this brand-new Microsoft Surface device, i.e. one signed with an untrusted WDK Test Certificate!
Here's a snapshot of Windows Update indicating that it had successfully downloaded and installed a Lenovo driver on this Surface device, and it specifically states "Lenovo - Keyboard, Other hardware - Lenovo Optical Mouse (HID)" -
We couldn't quite believe this.
How could this be possible? i.e. how could a Lenovo driver have been installed on a Microsoft Surface device?
So we checked the Windows Update Log, and sure enough, as seen in the snapshot below, the Windows Update Log too confirmed that Windows Update had just downloaded and installed a Lenovo driver -
We wondered if there might have been any Lenovo hardware components installed on the Surface so we checked the Device Manager, and we could not find a single device that seemed to indicate the presence of any Lenovo hardware. (Later, we even took it back to the Microsoft Store, and their skilled tech personnel confirmed the same finding i.e. no Lenovo hardware on it.)
Specifically, as you can see below, we again checked the Device Manager, this time to see if it might indicate the presence of any Lenovo HID, such as a Lenovo Optical Mouse, and as you can see in the snapshot below, the only two Mice and other pointing devices installed on the system were from Microsoft - i.e. no Lenovo mouse presence indicated by Device Manager -
Next, we performed a keyword search of the Registry, and came across a suspicious Driver Package, as seen below -
It seemed suspicious to us because as can be seen in the snapshot above, all of the other legitimate driver package keys in the Registry had (as they should) three child sub-keys i.e. Configurations, Descriptors and Strings, but this specific one only had one subkey titled Properties, and when we tried to open it, we received an Access Denied message!
As you can see above, it seemed to indicate that the provider was Lenovo and that the INF file name was phidmou.inf, and the OEM path was "C:\Windows\SoftwareDistribution\Download\Install", so we looked at the file system but this path didn't seem to exist on the file-system. So we performed a simple file-system search "dir /s phidmou.*" and as seen in the snapshot below, we found one instance of such a file, located in C:\Windows\System32\DriverStore\FileRepository\.
Here's that exact location on the file-system, and as evidenced by the Created date and time for that folder, one can see that this folder (and thus all of its contents), were created on April 01, 2018 at around 1:50 am, which is just around the time the Windows Update log too confirmed that it had installed the Lenovo Driver -
When we opened that location, we found thirteen items, including six drivers -
Next, we checked the Digital Signature on one of the drivers, PELMOUSE.SYS, and we found that it was signed using a self-signed test Windows Driver certificate, i.e. the .sys files were SELF-SIGNED by a WDKTestCert and their digital signatures were NOT OK, in that they terminated in a root certificate that is not trusted by the trust provider -
Finally, when we clicked on the View Certificate button, as can be seen below, we could see that this driver was in fact merely signed by a test certificate, which is only supposed to be used for testing purposes during the creation and development of Kernel-mode drivers. Quoting from Microsoft's documentation on Driver Testing "However, eventually it will become necessary to test-sign your driver during its development, and ultimately release-sign your driver before publishing it to users." -
Clearly, the certificate seen above is NOT one that is intended to be used for release signing, yet, here we have a Kernel-mode driver downloaded by Windows Update and installed on a brand new Microsoft surface, and all its signed by is a test certificate, and who knows who wrote this driver!
Again, per Microsoft's guidelines on driver signing, which can also be found here, "After completing test signing and verifying that the driver is ready for release, the driver package has to be release signed", and AFAIK, release signing not only requires the signer to obtain and use a code-signing certificate from a code-signing CA, it also requires a cross cert issued by Microsoft.
If that is indeed the case, then a Kernel-mode driver that is not signed with a valid code-signing certificate, and one whose digital signature does not contain Microsoft's cross cert, should not even be accepted into the Windows Update catalog.
It is thus hard to believe that a Windows Kernel-Mode Driver that is merely self-signed using a test certificate would even make it into the Windows Update catalog, and further it seems that in this case, not only did it make it in, it was downloaded, and in fact successfully installed onto a system, which clearly seems highly suspicious, and is fact alarming and deeply-concerning!
How could this be? How could Windows Update (a trusted system process of the operating system), which we all (have no choice but to) trust (and have to do so blindly and completely) have itself installed an untrusted self-signed Lenovo driver (i.e. code running in Kernel-Mode) on a Microsoft Surface device?
Frankly, since this piece of software was signed using a self-signed test cert, who's to say this was even a real Lenovo driver? It could very well be some malicious code purporting to be a Lenovo driver. Or, there is also the remote possibility that it could be a legitimate Lenovo driver, that is self-signed, but if that is the case, its installation should not have been allowed to succeed.
Unacceptable and Deeply Concerning
To us, this is unacceptable, alarming and deeply concerning, and here's why.
We just had, on a device we consider trustworthy (, and could possibly have engaged in business on,) procured from a vendor we consider trustworthy (considering that the entire world's cyber security ultimately depends on them), an unknown, unsigned piece of software of Chinese origin that is now running in Kernel-mode, installed on the device, by this device's vendor's (i.e. Microsoft's) own product (Windows operating system's) update program!
We have not had an opportunity to analyze this code, but if it is indeed malicious in any way, in effect, it would've, unbeknownst to us and for no fault of ours, granted System-level control over a trusted device within our perimeter, to some entity in China.
How much damage could that have caused? Well, suffice it to say that, for they who know Windows Security well, if this was indeed malicious, it would've been sufficient to potentially compromise any organization within which this potentially suspect and malicious package may have been auto-installed by Windows update. (I've elaborated a bit on this below.)
In the simplest scenario, if a company's Domain Admins had been using this device, it would've been Game Over right there!
This leads me to the next question - we can't help but wonder how many such identical Surface devices exist out there today, perhaps at 1000s of organizations, on which this suspicious unsigned Lenovo driver may have been downloaded and installed?
This also leads me to another very important question - Just how much trust can we, the world, impose in Windows Update?
In our case, it just so happened to be, that we happened to be in front of this device during this Windows update process, and that's how we noticed this, and by the way, after it was done, it gave the familiar Your device is upto date message.
Speaking which, here's another equally important question - For all organizations that are using Windows Surface, and may be using it for mission-critical or sensitive purposes (e.g. AD administration), what is the guarantee that this won't happen again?
I ask because if you understand cyber security, then you know, that it ONLY takes ONE instance of ONE malicious piece of software to be installed on a system, to compromise the security of that system, and if that system was a highly-trusted internal system (e.g. that machine's domain computer account had the "Trusted for Unconstrained Delegation" bit set), then this could very likely also aid perpetrators in ultimately gaining complete command and control of the entire IT infrastructure. As I have already alluded to above, if by chance the target/compromised computer was one that was being used by an Active Directory Privileged User, then, it would be tantamount to Game Over right then and there!
Think about it - this could have happened at any organization, from say the U.S. Government to the British Government, or from say a Goldman Sachs to a Palantir, or say from a stock-exchange to an airline, or say at a clandestine national security agency to say at a nuclear reactor, or even Microsoft itself. In short, for absolutely no fault of theirs, an organization could potentially have been breached by a likely malicious piece of software that the operating system's own update utility had downloaded and installed on the System, and in 99% of situations, because hardly anyone checks what gets installed by Windows Update (now that we have to download and install a whopping 600MB patch every Tuesday), this would likely have gone unnoticed!
Again, to be perfectly clear, I'm not saying that a provably malicious piece of software was in fact downloaded and installed on a Microsoft Surface device by Windows Update. What I'm saying is that a highly suspicious piece of software, one that was built and intended to run in Kernel-mode and yet was merely signed with a test certificate, somehow was automatically downloaded and installed on a Microsoft Surface device, and that to us is deeply concerning, because in essence, if this could happen, then even at organizations that may be spending millions on cyber security, a single such piece of software quietly making its way in through such a trusted channel, could possibly instantly render their entire multi-million dollar cyber security apparatus useless, and jeopardize the security of the entire organization, and this could happen at thousands of organizations worldwide.
With full respect to Microsoft and Mr. Nadella, this is deeply concerning and unacceptable, and I'd like some assurance, as I'm sure would 1000s of other CEOs and CISOs, that this will never happen again, on any Surface device, in any organization.
In our case, this was very important, because had we put that brand new Surface device that we procured from none other than the Microsoft Store, into operation (even it we had re-imaged it with an ultra-secure locked-down internal image), from minute one, post the initial Windows update, we would likely have had a potentially compromised device running within our internal network, and it could perhaps have led to us being breached.
If I Were Microsoft, I'd Send a Plane
Dear Microsoft, we immediately quarantined that Microsoft Surface device, and we have it in our possession.
If I were you, I'd send a plane to get it picked up ASAP, so you can thoroughly investigate every little aspect of this to figure out how this possibly happened, and get to the bottom of it! (Petty process note: The Microsoft Store let us keep the device for a bit longer, but will not let us return the device past June 24, and the only reason we've kept it, is in case you'd want to analyze it.)
Here's why. At the very least, if I were still at Microsoft, and in charge of Cyber Security -
- I'd want to know how an untrusted Kernel-mode device driver made it into the Windows Catalog
- I'd want to know why a Microsoft Surface device downloaded a purportedly Lenovo driver
- I'd want to know how Windows 10 permitted and in fact itself installed an untrusted driver
- I'd want to know exactly which SKUs of Microsoft Surface this may have happened on
- I'd want to know exactly how many such Microsoft Surface devices out there may have downloaded this package
Further, and as such, considering that Microsoft Corp itself may easily have thousands of Surface devices being used within Microsoft itself, if I were still with Microsoft CorpSec, I'd certainly want to know how many of their own Surface devices may have automatically downloaded and installed this highly suspicious piece of untrusted self-signed software.
In short, Microsoft, if you care as deeply about cyber security as you say you do, and by that I'm referring to what Mr. Nadella, the CEO of Microsoft, recently said (see video below: 0:40 - 0:44) and I quote "we spend over a billion dollars of R&D each year, in building security into our mainstream products", then you'll want to get to the bottom of this, because other than the Cloud, what else could be a more mainstream product for Microsoft today than, Microsoft Windows and Microsoft Surface ?! -
Also, speaking of Microsoft's ecosystem, it indeed is time to help safeguard Microsoft's global ecosystem. (But I digress,)
Folks, the only reason I decided to publicly share this is because I care deeply about cyber security, and I believe that this could potentially have impacted the foundational cyber security of any, and potentially, of thousands of organizations worldwide.
Hopefully, as you'll agree, a trusted component (i.e. Windows Update) of an operating system that virtually the whole world will soon be running on (i.e. Windows 10), should not be downloading and installing a piece of software that runs in Kernel-mode, when that piece of software isn't even digitally signed by a valid digital certificate, because if that piece of software happened to be malicious, then in doing so, it could likely, automatically, and for no fault of its users, instantly compromise the cyber security of possibly thousands of organizations worldwide. This is really as simple, as fundamental and as concerning, as that.
All in all, the Microsoft Surface is an incredible device, and because, like Apple's computers, the entire hardware and software is in control of a single vendor, Microsoft has a huge opportunity to deliver a trustworthy computing device to the world, and we'd love to embrace it. Thus, it is vital for Microsoft to ensure that its other components (e.g. Update) do not let the security of its mainstream products down, because per the Principle of Weakest Link, "a system is only as secure as is its weakest link."
By the way, I happen to be former Microsoft Program Manager for Active Directory Security, and I care deeply for Microsoft.
For those may not know what Active Directory Security is (i.e. most CEOs, a few CISOs, and most employees and citizens,) suffice it to say that global security may depend on Active Directory Security, and thus may be a matter of paramount defenses.
PS: Full Disclosure: I had also immediately brought this matter to the attention of the Microsoft Store. They escalated it to Tier-3 support (based out of New Delhi, India), who then asked me to use the Windows Feedback utility to share the relevant evidence with Microsoft, which I immediately and dutifully did, but/and I never heard back from anyone at Microsoft in this regard again.
PS2: Another small request to Microsoft - Dear Microsoft, while at it, could you please also educate your global customer base about the paramount importance of Active Directory Effective Permissions, which is the ONE capability without which not a single object in any Active Directory deployment can be adequately secured! Considering that Active Directory is the foundation of cyber security of over 85% of all organizations worldwide, this is important. Over the last few years, we've had almost 10,000 organizations from 150+ countries knock at our doors, and virtually none of them seem to know this most basic and cardinal fact of Windows Security. I couldn't begin to tell you how shocking it is for us to learn that most Domain Admins and many CISOs out there don't have a clue. Can you imagine just how insecure and vulnerable an organization whose Domain Admins don't even know what Active Directory Effective Permissions are, let alone possessing this paramount capability, could be today?
As we get ready to bid farewell to 2017, it may be fitting to recap notable happenings in Active Directory Security this year.
This appears to have been the year in which the mainstream Cyber Security community finally seems to have realized just how important and in fact paramount Active Directory Security is to cyber security worldwide, in that it appears that they may have finally realized that Active Directory is the very heart and foundation of privileged access at 85% of organizations worldwide!
I say so only because it appears to have been in this year that the following terms seem to have become mainstream cyber security buzzwords worldwide - Privileged User, Privileged Access, Domain Admins, Enterprise Admins, Mimikatz DCSync, AdminSDHolder, Active Directory ACLs, Active Directory Privilege Escalation, Sneaky Persistence in Active Directory, Stealthy Admins in Active Directory, Shadow Admins in Active Directory, Domain Controllers, Active Directory Botnets, etc. etc.
Active Directory Security Goes Mainstream Cyber Security
Here are the 10 notable events in Active Directory Security that helped it get mainstream cyber security attention this year -
- Since the beginning on the year, i.e. January 01, 2017, Mimikatz DCSync, an incredibly and dangerously powerful tool built by Benjamin Delpy, that can be used to instantly compromise the credentials of all Active Directory domain user accounts in an organization, including those of all privileged user accounts, has been gaining immense popularity, and appears to have become a must-have tool in every hacker, perpetrator and cyber security penetration-tester's arsenal.
- On May 15, 2017, the developers of BloodHound introduced version 1.3, with the objective of enhancing its ability to find privilege escalation paths in Active Directory that could help find out "Who can become Domain Admin?" From that point on, Bloodhound, which is massively inaccurate, seems to have started becoming very popular in the hacking community.
- On June 08, 2017, CyberArk a Billion+ $ cyber-security company, and the self-proclaimed leader in Privileged Account Security, introduced the concept of Shadow Admins in Active Directory, as well as released a (massively inaccurate) tool called ACLight to help organizations identify all such Shadow Admins in Active Directory deployments worldwide.
- On June 14, 2017, Sean Metcalf, an Active Directory security enthusiast penned an entry-level post "Scanning for Active Directory Privileges and Privileged Accounts" citing that Active Directory Recon is the new hotness since attackers, Red Teamers and penetration testers have realized that control of Active Directory provides power over the organization!
- On July 11, 2017, Preempt, a Cyber Security announced that they had found a vulnerability in Microsoft's implementation of LDAP-S that permits the enactment of an NTLM relay attack, and in effect could allow an individual to effectively impersonate a(n already) privileged user and enact certain LDAP operations to gain privileged access.
- On July 26, 2017, the developers of (massively inaccurate) BloodHound gave a presentation titled An ACE Up the Sleeve - Designing Active Directory DACL Backdoors at the famed Black Hat Conference USA 2017. This presentation at Black Hat likely played a big role in bringing Active Directory Security to the forefront of mainstream Cyber Security.
- Also on July 26, 2017, a second presentation on Active Directory Security at the Black Hat Conference titled The Active Directory Botnet introduced the world to a new attack technique that exploits the default access granted to all Active Directory users, to setup command and control servers within organizations worldwide. This too made waves.
- On September 18, 2017, Microsoft's Advanced Threat Analytics (ATA) Team penned a detailed and insightful blog post titled Active Directory Access Control List - Attacks and Defense, citing that recently there has been a lot of attention regarding the use of Active Directory ACLs for privilege escalation in Active Directory environments. Unfortunately, in doing so Microsoft inadvertently ended up revealing just how little its ATA team seems to know about the subject.
- On December 12, 2017, Preempt, a Cyber Security announced that they had found a flaw in Microsoft's Azure Active Directory Connect software that could allow Stealthy Admins to gain full domain control. They also suggested that organizations worldwide use their (massively inaccurate) tooling to find these Stealthy Admins in Active Directory.
- From January 26, 2017 through December 27, 2017, Paramount Defenses' CEO conducted Active Directory Security School for Microsoft, so that in turn Microsoft could help not just every entity mentioned in points 1- 9 above, but the whole world realize that in fact the key and the only correct way to mitigate each one of the security risks and challenges identified in points 1 - 9 above, lies in Active Directory Effective Permissions and Active Directory Effective Access.
Helping Defend Microsoft's Global Customer Base
( i.e. 85% of Organizations Worldwide )
Folks, since January 01, 2017, both, as former Microsoft Program Manager for Active Directory Security and as the CEO of Paramount Defenses, I've penned 50+ insightful blog posts to help educate thousands of organizations worldwide about...
...not just the paramount importance of Active Directory Security to their foundational security, but also about how to correctly secure and defend their foundational Active Directory from every cyber security risk/challenge covered in points 1- 9 above.
This year, I ( / we) ...
- conducted 30-days of advanced Active Directory Security School for the $ 650+ Billion Microsoft Corporation
- showed thousands of organizations worldwide How to Render Mimikatz DCSync Useless in their Active Directory
- helped millions of pros (like Mr. Metcalf) worldwide learn How to Correctly Identify Privileged Users in Active Directory
- helped the developers of BloodHound understand How to Easily Identify Sneaky Persistence in Active Directory
- helped Microsoft's ATA Team learn advanced stuff About Active Directory ACLs - Actual Attack and Defense
- showed CyberArk, trusted by 50% of Fortune 100 CISOs, How to Correctly Identify Shadow Admins in Active Directory
- helped cyber security startup Preempt's experts learn How to Correctly Identify Stealthy Admins in Active Directory
- helped the presenters of The Active Directory Botnet learn How to Easily Solve the Problem of Active Directory Botnets
- helped millions of cyber security folks worldwide understand and illustrate Active Directory Privilege Escalation
- Most importantly, I helped thousands of organizations worldwide, including Microsoft, understand the paramount importance of Active Directory Effective Permissions and Active Directory Effective Access to Active Directory Security
In fact, we're not just providing guidance, we're uniquely empowering organizations worldwide to easily solve these challenges.
All in all, its been quite an eventful year for Active Directory Security (, and one that I saw coming over ten years ago.)
In 2017, the mainstream cyber security community finally seem to have realized the importance of Active Directory Security.
Perhaps, in 2018, they'll realize that the key to Active Directory Security lies in being able to accurately determine this.
PS: Why I do, What I Do.
I trust you're well. Today, I just wanted to take a few minutes to answer a few questions that I've been asked so many times.
Here are the answers to the Top-5 questions I am frequently asked -
- You're the CEO of a company (Paramount Defenses), so why do you blog so often, and how do you have time to do so?
Good question. This is a bit of a unique situation, in that whilst I am the CEO of a company, I am also a subject matter expert in Active Directory Security (simply by virtue of my background) and thus I feel that it is my civic duty to help organizations understand the paramount importance of securing their foundational Active Directory deployments.
In fact, over the last 7+ years, I've penned 150+ blog posts on Active Directory Security (here) and Cyber Security (here) on various topics such as Active Directory Privilege Escalation, the OPM Breach, Kerberos Token Bloat, Eff Perms, AdminSDHolder, Mimikatz DCSync, Sneaky Persistence, How to Correctly Identify Stealthy Admins in Active Directory, How to Correctly Identify Shadow Admins in Active Directory etc. and most recently on Active Directory Botnets.
As to how I have the time to do so, that's actually not that difficult. We have a world-class team at Paramount Defenses, and I've been able to delegate a substantial amount of my CEO-related work amongst our executive leadership team.
- Speaking of which, how big is Paramount Defenses?
At Paramount Defenses, we believe that less is more, so our entire global team is less than a 100 people. For security reasons, 100% of our staff are U.S. Citizens, and to-date, the entirety of our R&D team are former Microsoft employees.
If by how big we are, you meant how many organizations we impact, today our unique high-value cyber security solutions and insights help adequately secure and defend thousands of prominent organizations across six continents worldwide.
- Why is it just you (and why aren't your employees) on Social Media (e.g. LinkedIn, Facebook, Twitter etc.)?
The simple answer to this question - For Security Reasons.
At Paramount Defenses, we care deeply about cyber security, so we also strive to lead by example in every way.
As it pertains to cyber security, we have found that the presence of an organization's employees on social-media almost always results in excessive information disclosure that could be very valuable for hackers and various other entities who may have malicious intent, so our corporate policies do not permit a social media presence.
Also, we're not huge fans of Twitter, and we certainly don't care about being on Facebook. We do like and appreciate LinkedIn, and in fact, we lead the world's largest community of Active Directory Security Professionals on LinkedIn.
- What do you intend to accomplish by blogging?
The intention is to help organizations worldwide understand just how profoundly important Active Directory Security is to organizational cyber security, and how paramount Active Directory Effective Permissions are to Active Directory Security.
That's because this impacts global security today, and here's why -
You see, the Crown Jewels of cyber security reside in Active Directory, and if they're compromised, its Game Over. By Crown Jewels, I'm referring to privileged access, or as commonly known, Domain Admin equivalent accounts.
It is a fact that 100% of all major recent cyber security breaches (except Equifax) involved the compromise of a single Active Directory privileged user account. Such accounts are Target #1 for hackers, which is why it is so very important that organizations be able to exactly identify and minimize the number of such privileged accounts in Active Directory.
Now, when it comes to identifying privileged user accounts in Active Directory, most organizations focus on enumerating the memberships of their default administrative groups in Active Directory, and that's it. Unfortunately, that's just the Tip of the Iceberg, and we have found that most of them do not even seem to know that in fact there are FAR many more accounts with varying levels of elevated admin/privileged access in Active Directory than they seem to know about.
This isn't a secret; its something you know if you've ever heard about Active Directory's most powerful and capable cyber security feature - Delegation of Administration. The truth is that at most organizations, a substantial amount of delegation has been done over the years, yet no one seems to have a clue as to who has what privileged access. Here's why.
In fact, Active Directory privileged access accounts have been getting a lot of attention lately, because so many cyber security experts and companies are starting to realize that there exists a treasure-trove of privileged access in Active Directory. Thus, recently many such cyber security expert and companies have started shedding light on them (for example, one, two, three etc.), and some have even started developing amateur tools to identify such accounts.
What these experts and companies may not know is that their amateur tools are substantially inaccurate since they rely on finding out "Who has what Permissions in Active Directory" WHEREAS the ONLY way to correctly identify privileged user accounts in Active Directory is by accurately finding out "Who has what Effective Permissions in Active Directory?"
On a lighter note, I find it rather amusing that for lack of knowing better, most cyber security experts and vendors that may be new to Active Directory Security have been referring to such accounts as Stealthy Admins, Shadow Admins etc.
To make matters worse, there are many prominent vendors in the Active Directory space that merely offer basic Active Directory Permissions Analysis/Audit Tooling, yet they mislead organizations by claiming to help them "Find out who has what privileged access in Active Directory," and since so many IT personnel don't seem to know better, they get misled.
Thus, there's an imperative need to help organizations learn how to correctly audit privileged users in Active Directory.
Consequently, the intention of my blogging is to HELP thousands of organizations and cyber security experts worldwide UNDERSTAND that the ONLY correct way to identify privileged users in Active Directory is by accurately determining effective permissions / effective access in Active Directory. There is only ONE correct way to accomplish this objective.
- Why have you been a little hard on Microsoft lately?
Let me begin by saying that I deeply love and care for Microsoft. It may appear that I may have been a tad hard on them, but that is all well-intentioned and only meant to help them realize that they have an obligation to their global customer base to adequately educate them about various aspects of cyber security in Windows, particularly the most vital aspects.
In that regard, if you truly understand cyber security in Windows environments, you know that Active Directory Effective Permissions and Active Directory Effective Access play an absolutely paramount role in securing Windows deployments worldwide, and since Active Directory has been around for almost two decades by now, one would expect the world to unequivocally understand this by now. Unfortunately, we found that (as evidenced above) no one seems to have a clue.
You may be surprised if I were to share with you that at most organizations worldwide, hardly anyone seems to even know about what Active Directory Effective Permissions are, let alone why they're paramount to their security, and this a highly concerning fact, because this means that most organizations worldwide are operating in the proverbial dark today.
It is upon looking into the reason for this that we realized that in the last decade, it appears that (for whatever reason) Microsoft may not have educated its global customer based about Active Directory Effective Permissions at all - Proof.
Thus, it is in the best interest of organizations worldwide that we felt a need to substantially raise awareness.
As to how on earth Microsoft may have completely forgotten to educate the world about this, I can only guess that perhaps they must've gotten so involved in building their Cloud offering and dealing with the menace of local-machine credential-theft attack vectors that they completely seem to have missed this one paramount aspect of Windows security.
Fortunately for them and the world, we've had our eye on this problem for a decade know and we've been laser-focused. Besides, actions speak louder than words, so once you understand what it is we do at Paramount Defenses, you'll see that we've done more to help secure Microsoft's global customer base than possibly any other company on the planet.
Those who understand what we've built, know that we may be Microsoft's most strategic ally in the cyber security space.
Hope you're all well. Last year I had said that it was time for us to provide Thought Leadership to the Cyber Security space.
Since then, I've penned over 50 blog posts, on numerous important topics,
and helped 1000s of organizations worldwide better understand -
A Paramount Global Cyber Security Need
Today, I wanted to take a moment to touch upon one (not so) little aspect of cyber security that today profoundly impacts the foundational security of 85% of all business and government organizations worldwide, including most cyber security companies.
Folks, I am talking about empowering organizations worldwide identify exactly who holds the proverbial "Keys to the Kingdom" i.e. helping them accurately identify exactly who actually possesses what privileged access in Active Directory deployments.
The reason this is so important is because 100% of all major recent cyber security breaches (e.g. Snowden, Target, JP Morgan, Sony, Anthem, OPM) involved the compromise and misuse of guess what - just ONE Active Directory Privileged User Account.
Since we've been silently working on this 2006, we've a head start of about a decade. Over the last few months, we've seen several prominent vendors finally realize the importance of doing so, and we've seen them share guidance to this subject.
Unfortunately, just about every piece of advice out there, whether it be from prominent cyber security experts or billion dollar cyber security companies, on how to actually correctly audit privileged access in Active Directory, is dangerously inaccurate.
So, in days to come, right here on this blog, I'm going to (hopefully for one last time), share exactly how organizations worldwide can today accurately and efficiently identify privileged access in their foundational Active Directory deployments worldwide.
In doing so, we will yet again demonstrate Thought Leadership in the Cyber Security space. By the way, this is neither about us, nor about pride. I've already said I'm just a nobody (, whose work possibly impacts everybody.) This is about a desire to help.
So, that post should be out right here on this blog next week, possibly as early as Monday morning.
We’ve made it to week five of National Cyber Security Awareness Month (NCSAM)! The theme this week is “Protecting Critical Infrastructure from Cyber Threats.” The basic infrastructure that supports our daily lives is deeply dependent on the Internet, and, therefore, continually exposed to the risk of new threats and cyber attacks. As security breaches grow in frequency and sophistication every day, it’s crucial to build resiliency and then take steps to protect critical infrastructure to remain safe and secure online.
During the last week of NCSAM, the experts at Connection would like to remind you of the importance of identifying current and future strategies to protect your infrastructure and manage your risk. Cyber security is one of the biggest challenges organizations face today. Regardless of size or industry, every organization must ask themselves, is my security strategy up to date? If your organization is looking to stay on the front line of cyber security, it’s imperative to know how an end-to-end risk management strategy can help you properly secure your infrastructure.
Our security experts have an abundance of experience, and several areas of expertise we can put to work for you. We are committed to keeping your organization safe and secure, and can help design, deploy, and support solutions to address your critical risks and defend your critical infrastructure. For more information, contact one of our security experts today!
The post Protecting Critical Infrastructure from Cyber Threats appeared first on Connected.
It’s Week 5 of National Cyber Security Awareness Month (NCSAM). This week, the focus is on protecting critical infrastructure—the essential systems that support our daily lives such as the electric grid, financial institutions, and transportation. Unfortunately, attacks on critical infrastructure have become a concern worldwide. A devastating attack isn’t just a theoretical possibility anymore. As we’ve recently seen with Equifax, and other security breaches in healthcare and other industries, the growing threat of serious attacks on critical infrastructure is real. These days, hackers have become much more formidable, and we will undoubtedly see more of these attacks in the future. It’s no longer a matter of if there will be another attack, but when. Let’s celebrate this last week of NCSAM by staying aware and being prepared.
Protecting your infrastructure requires constant vigilance and attention to evolving cyber attacks. Risk is inherent in everything we do, so trying to stay ahead of the cyber security curve is key. Our team of security experts can help you build a security strategy to detect, protect, and react to the complete threat lifecycle. The threats we all need to manage today evolve quickly, and we can help you minimize your risk and maximize your defenses to improve your cyber resiliency. For some expert insight on securing your critical infrastructure, give us a call and discover the Connection difference.
The post NCSAM, Week Five: Protecting Critical Infrastructure appeared first on Connected.
It’s week 4 of National Security Awareness Month (NCSAM). Each week of NCSAM is dedicated to a specific cybersecurity theme. The theme this week is “The Internet Wants YOU: Consider a Career in Cyber Security.”
With the continuous state of change in the global threat landscape, organizations face cyber attacks and security breaches that are growing in frequency and sophistication every day. But now, consider this: according to a study by the Center for Cyber Safety and Education, there will be a shortage of 1.8 million information security workers by 2022. This gap should be of great concern to organizations.
Skilled people make the difference in protecting sensitive data, so it’s more critical than ever that organizations begin to attract and retain the cybersecurity talent needed to defend against the evolving threat landscape. At Connection, we help inspire individuals coming out of universities to engage in co-op or intern-related opportunities, and I strongly encourage other organizations to see what they can do to help young people today who are really interested in building their skills in this area.
The figures don’t lie. The demand for cyber security will only continue to grow. Through local collaborative efforts between employers, training providers, and community leaders, we can ensure individuals have the opportunity to build on their tech knowledge and participate in a secure, thriving economy.
October is National Cyber Security Awareness Month, which is an annual campaign to raise awareness about the importance of cyber security. Week 4 of NCSAM is all about the growing field of cyber security and why you might want to consider this career.
It’s impossible to overstate the importance of security in today’s digital world. Cyber attacks are growing in frequency and sophistication every day, and a key risk to our economy and security is the lack of professionals to protect our growing networks. According to a study by the Center for Cyber Safety and Education, by 2022, there will be a shortage of 1.8 million information security workers. So, it’s critical that that we begin now to prepare our students—and any others who are interested in making a career move—to fill these gaps. Many colleges and universities have developed information assurance programs that help technical, security-minded students achieve a great foundation in this industry. We also challenge corporations to offer intern and co-op opportunities for students in these degree programs, so they can see what security looks like in practical, business-world applications.
Connection is committed to promoting cyber security and online safety. Join Connection during Week 4 of NCSAM, as we explore cyber security as a viable and rewarding profession and encourage people from all backgrounds to see information security as an essential career path.
Read this next:
- WPA2 Hacks and You – 7 Things You Can Do to Stay Safe
- The Critical Importance Of Patch Management
- Shut Down Unlikely Attack Vectors In Your Organization
- Cyber Security In The Workplace Is Everyone’s Business
- Challenges Multiply As Enterprise Mobility Grows
The world has been rocked once again with a serious flaw in a basic security mechanism that we all take for granted to keep us safe and secure. According to Dark Reading, researchers at Belgium’s University of Leuven have uncovered as many as 10 critical vulnerabilities in the Wi-Fi Protected Access II (WPA2) protocol used to secure Wi-Fi networks. This is a protocol that—as we have all learned over the last several years—must be configured to keep us safe.
The key reinstallation attack—or KRACKs—impacts all modern wireless networks using the WPA2 protocol. The flaw gives attackers the ability to decrypt data packets that make all private (encrypted) communication no longer private. Although the flaw requires the attacker to have close proximity to the network to execute, this is especially bad news for those with far-reaching wireless signals—such as hotel and hospital lobbies—where an attacker can just sit down and work their trade.
The Vulnerability Notes Database provides a summary and detailed description of the vulnerabilities. It includes a list of vendors who may be affected by the vulnerability, and a status field indicating whether the vendor has any products that are affected.
What can you do?
Vendors are currently identifying their affected products and working on patches to address this attack. In the meantime, here are a few things you can do to keep your information safe:
- Apply patches as they are released
- Pay careful attention to your wireless environment
- Watch for people and technology that look out of place
- Utilize a trusted VPN solution
- When possible, transfer data over an encrypted channel—such as HTTPS
- Restrict sensitive information that would normally pass over a wireless network
- And, as always, it’s a good practice to monitor access logs and wireless traffic to look for anomalies in standard business communication
How has this WiFi vulnerability affected your organization? Leave a comment bellow to share your experience and any additional advice you have for staying protected.
Read this next:
As a security professional, I probably take security more seriously than most. But when we start talking about the Internet of Things (IoT), the science fiction buff in me comes to the forefront a little bit. While we don’t want any kind of attacks to happen to our organizations, it can be a little fun to imagine the crazy ways hackers can use mundane appliances to hack into a network.
For example, earlier this year, a North American casino was hacked through a smart fish tank. Since the equipment in the tank was connected to the Internet, attackers were able to use that as their vector for network access. Fortunately, the breach was discovered quickly afterward—and you never want to hear about security breaches like this, but it certainly does make for a unique story.
That highlights the risks that are out there today. If you’re connected to the Internet, you are vulnerable to attacks. With IoT and the proliferation of smart devices, we’re starting to see some creativity from hackers that is not necessarily being counteracted with the appropriate level of security controls. That fancy fish tank certainly didn’t have the appropriate level of security controls. Having “regular” devices connect to the Internet can bring flexibility and manageability, but it also opens up more vulnerabilities.
That risk is something that everybody needs to understand. Basically, like any good risk owner, you need to think about what device you have, how it’s connecting, where it’s connecting to, and whether or not that connection has a level of security that meets your policy and control expectations. Honestly, what I’ve seen is that because of the easy and seamless connectivity of these smart devices, a lot of organizations are not thinking about necessary security measures. They aren’t quite seeing that a fish tank or a biomedical device or even an HVAC system can be just as vulnerable to attack as a server or application.
So how do you keep your network and data safe and still take advantage of the benefits of the IoT? Employ the same techniques I spoke of last week: protect, detect, and react. Assess, document, and validate risks. Make sure that you have a complete and total information security risk management or risk governance program. Apply these techniques and programs to every single device on your network, no matter how low-level it may seem. Something as normal as a thermostat or refrigerator could be a gateway for a hacker.
Our experts can help you assess your environment for risks and vulnerable points in your network, and help you put together a comprehensive security program that doesn’t leave out anything—even your lobby fish tank or break room fridge.
The post Shut Down Unlikely Attack Vectors in Your Organization appeared first on Connected.
Today was supposed to be an exciting Friday morning at a Multi-Billion $ organization since the world's top Cloud Computing companies were going to make their final pitches to the company's C-Suite today, as it was considering moving to the "Cloud."
With Cloud Computing companies spending billions to market their latest Kool-Aid to organizations worldwide (even though much of this may actually not be ready for mission-critical stuff), how could this company too NOT be considering the Cloud?
The C-Suite Meeting
Today was a HUGE day for this multi-billion dollar company, for today after several months of researching and evaluating their choices and options, the company's leadership would finally be deciding as to which Cloud Computing provider to go with.
This meeting is being chaired by the Chairman of the Board and attended by the following organizational employees -
Also in attendance are about a dozen Vice Presidents, representing Sales, Marketing, Research and Development etc.
After breakfast, the presentations began at 9:00 am. The organization's CIO kicked off the meeting, rattling off the numerous benefits that the company could enjoy by moving to the Cloud, and minutes later the Vice President of Cloud Computing from the first Cloud Computing company vying for their business started his presentation. His presentation lasted two hours.
The C-Suite then took a break for lunch.
The next presentation began at 1:00 pm and was expected to last till about 4:00 pm. The Vice President of Cloud Computing from the second Cloud Computing company had started her presentation and was almost an hour into it, when all of a sudden this happened...
Everyone was surprised, and all eyes were on the CISO, who grimly asked his assistant - "Are you 100% sure?" He said "Yes."
Houston, We Have a Problem
The CISO walked up to the CIO and whispered something into his ear. The CIO sat there in complete shock for a moment!
He then gathered himself and proceeded to request everyone except the C-Suite to immediately leave the conference room.
He told the Vice President of this Cloud Computing company - "Hopefully, we'll get back to you in a few weeks."
He then looked at the CEO and the Chairman of the Board, and he said - "Sir, we have a problem!"
The CEO asked the CIO - "What's wrong? What happened?"
The CIO replied - "Sir, about 30 minutes ago, an intruder compromised the credentials of each one of our 20,000 employees!"
The CEO was almost in shock, and just couldn't believe what he had just heard, so he asked - "Everyone's credentials?!"
The CIO replied - "I'm afraid yes Sir, yours, mine, literally everyone's, including that of all our privileged users!"
The CEO could sense that there was more bad news, so he asked - "Is there something else I should know?"
The CIO replied - "Sir, 15 minutes ago, the intruder logged on as an Enterprise Admin, disabled the accounts of each one of our privileged users, and used Group Policy to deploy malicious software to each one of our 30,000 domain-joined computers! By now, he could have stolen, exfiltrated and destroyed the entirety of our digital assets! We may have lost literally everything!"
The CEO was shocked! They'd just been breached, and what a massive breach it was - "How could this have happened?"
The CIO turned to the CISO, who stepped in, and answered the question - "Sir, an intruder used a tool called Mimikatz DCSync to basically request and instantly obtain the credentials of every single user from our foundational Active Directory deployment."
The CEO then said - "This does not sound right to me. I'm no technical genius, but shouldn't we have known exactly who all have this, whatever you just said, er yes that Get-Replication-Changes-All effective permissions in our Active Directory?!"
The CISO replied - "Sir, it turns out that accurate determination of effective permissions in Active Directory is actually very difficult, and as a result it is almost impossible to figure out exactly who has this effective permissions on our domain root!"
The CEO figured it out - "So you're saying that the intruder had compromised the account of someone who was not on your radar and not supposed to have this access, but actually did, and the intruder used that access to steal everyone's credentials?"
The CISO replied - "That's right. It appears we did not know that this someone had sufficient access (i.e. effective permissions) to be able to replicate secrets from Active Directory, because it is very difficult to accurately figure this out in Active Directory."
The CEO was furious! - "You're kidding right?! Microsoft's spent billions on this new fad called the "Cloud", yet it doesn't even have a solution to help figure out something as vital as this in Active Directory? How long has Active Directory been around ?!
The CISO replied - "Seventeen years."
The CEO then said in disbelief - "Did you just 17 years, as in S-E-V-E-N-T-E-E-N years?! Get Satya Nadella on the line now! Perhaps I should #REFRESH his memory that we're a customer, and that we may have just lost a few B-I-L-L-I-O-N dollars!"
All of this could've been prevented, if they only knew about something as elemental as this, and had the ability to determine this.
The moral of the story is that while its fine to fall for the latest fad, i.e. consider moving to the "Cloud" and all, but as AND while you consider and plan to do so, you just cannot let you on-prem cyber defenses down even for a moment, because if you do so, you may not have a company left to move to the Cloud. A single excessive effective permission in Active Directory is all it takes.
I'll say this one more time and one last time - what I've shared above could easily happen at almost any organization today.
CEO, Paramount Defenses
PS: If this sounds too simple and high-level i.e. hardly technical, that is by intent, as it is written for a non-technical audience. This isn't to showcase our technical depth; examples of our technical depth can be found here, here, here, here, here etc. etc.
PS2: Note for Microsoft - This may be the simplest example of "Active Directory Access Control Lists - Attack and Defense."
Here's why - Mimikatz DCSync, which embodies the technical brilliance of a certain Mr. Benjamin Delpy, may be the simplest example of how someone could attack Active Directory ACLs to instantly and completely compromise Active Directory. On the other hand, Gold Finger, which embodies the technical expertise of a certain former Microsoft employee, may be the simplest example of how one could defend Active Directory ACLs by being able to instantly identify/audit effective permissions/access in/across Active Directory, and thus lockdown any and all unauthorized access in Active Directory ACLs, making it impossible for an(y) unauthorized user to use Mimikatz DCSync against Active Directory.
PS3: They say to the wise, a hint is enough. I just painted the whole picture out for you. (You may also want to read this & this.)
PS4: If you liked this, you may also like - How To Easily Identify & Thwart Sneaky Persistence in Active Directory
You'll want to read this short blog post very carefully because it not only impacts Microsoft, it likely impacts you, as well as the foundational security of 85% of all business and government organizations worldwide, and it does so in a positive way.
A Quick and Short Background
From the White House to the Fortune 1000, Microsoft Active Directory is the very foundation of cyber security at over 85% of organizations worldwide. In fact, it is also the foundation of cyber security of almost every cyber security company worldwide.
Active Directory is the Foundation of Cyber Security Worldwide
The entirety of an organization's building blocks of cyber security, including the user accounts used by the entirety its workforce, as well as the user accounts of all its privileged users, the computer accounts of the entirety of its computers, and the security groups used to provision access to the entirety of its IT resources, are stored, managed and protected in Active Directory.
During the past few years, credential-theft attacks aimed at the compromise of an organization's privileged users (e.g. Domain Admins) have resulted in a substantial number of reported and unreported breaches at numerous organizations worldwide. In response, to help organizations combat the menace of these credential-theft attacks, Microsoft has had to make substantial enhancements to its Windows Operating Systems as well as acquire and introduce a technology called Microsoft ATA.
These enhancements have made it harder for perpetrators to find success with traditional credential-theft attacks, so they've started focusing their efforts on trying to find ways to attack the Active Directory itself, as evidenced by the fact that in the last year alone, we've seen the introduction of Mimikatz DCSync, BloodHound and recently the advent of Active Directory Botnets.
Make no mistake about it. There's no dearth of opportunity to find ways to exploit weaknesses in Active Directory deployments because there exists an ocean of access within Active Directory, and sadly due to an almost total lack of awareness, education, understanding and tooling, organizations have no idea as to exactly what lies within their Active Directory, particularly in regards to privileged access entitlements, and thus today there likely are 1000s of privilege escalation paths in most Active Directory deployments, waiting to be identified and exploited. All that perpetrators seem to lack today is the know-how and the tooling.
Unfortunately, since the cat's out of the bag, perpetrators seem to be learning fast, and building rapidly, so unless organizations act swiftly and decisively to adequately lock-down vast amount of access that currently exists in their foundational Active Directory deployments, sadly the next big wave of cyber breaches could involve compromise of Active Directory deployments.
Clearly, Microsoft Has No Answers
It gives me absolutely no pleasure to share with you that unfortunately, and sadly as always, Microsoft yet again seems to be playing catch-up, and in fact, it has no clue or any real answers, ideas or solutions to help organizations in this vital regard.
Here's Proof - Last week, on September 18, 2017, Microsoft's Advanced Threat Analytics (ATA) Team posted this -
If and when you read it, it will likely be unequivocally clear to you as to just how little Microsoft understands about not just the sheer depth and breadth of this monumental challenge, but about the sheer impact it could have on organizations worldwide!
You see, if you understand the subject of Active Directory Security well enough, then you know that Active Directory access control lists (ACLs) today don't just impact organizational security worldwide, they likely impact national and global security!
That said, in that post, the best Microsoft could do is concede that this could be a problem, wonder why organizations might ever need to change AdminSDHolder, falsely assume that it may not impact privileged users, praise a massively inaccurate tool for shedding light on this attack vector, and end by saying - "if you find a path with no obstacles, it probably leads somewhere."
Oh, and the very last thing they tell you that is their nascent ATA technology can detect AD multiple recon methods.
In contrast, here's what they should have said - "We care deeply about cyber security and we understand that left unaddressed, this could pose a serious cyber security risk to our customers. Be rest assured that Microsoft Active Directory is a highly robust and securable technology, and here's exactly how organizations can adequately and reliably identify and lock-down privileged access in their Active Directory deployments, leaving no room for perpetrators to identify and exploit any weaknesses."
The reason I say that should've been the response is because if you know enough about this problem, then you also know that it can actually be completely and sufficiently addressed, and that you don't need to rely on detection as a security measure.
BTW, to appreciate how little Microsoft seems to understand about this huge cyber security challenge, you'll want a yardstick to compare Microsoft's response with, so here it is (; you'll want to read the posts) - Active Directory Security School for Microsoft.
Er, I'm really sorry but you are Microsoft, a US$ 550 Billion corporation, not a kid in college. If the best you can do concerning such a profoundly important cyber security challenge is show how little you seem to know about and understand this problem, and only have detection to offer as a solution, frankly, that's not just disappointing, that's deeply concerning, to say the least.
Further, if this is how little you seem to understand about such a profoundly important cyber security challenge concerning your own technology, I cannot help but wonder how well your customers might actually be protected in your recent Cloud offering.
Fortunately There's Help and Good News For Microsoft
I may appear to be critical of Microsoft, and I do still believe that they ought to at least have educated their customers about this and this huge cyber security challenge, but I also love Microsoft, because I've been (at) Microsoft, so I'm going to help them.
To my former colleagues at Microsoft I say - "Each one of us at Microsoft are passionate, care deeply and always strive to do and be the best we can, and even though I may no longer be at Microsoft, (and I still can't believe how you missed this one), luckily and fortunately for you, we've got this covered, and we're going to help you out."
So, over the next few days, not only am I going to help reduce the almost total lack of awareness, education and understanding that exists at organizations today concerning Active Directory Security, I am also going to help organizations worldwide learn just how they can adequately and swiftly address this massive cyber security challenge before it becomes a huge problem.
Specifically, in days to come, as a part of our 30-Day Active Directory Security School, you can expect the following posts -
- What Constitutes a Privileged User in Active Directory
- How to Correctly Audit Privileged Users/Access in Active Directory
- How to Render Mimikatz DCSync Useless in an Active Directory Environment
- How to Easily Identify and Thwart Sneaky Persistence in Active Directory
- How to Easily Solve The Difficult Problem of Active Directory Botnets
- The World's Top Active Directory Permissions Analysis Tools (and Why They're Mostly Useless)
- The Paramount Need to Lockdown Access Privileges in Active Directory
- How to Attain and Maintain Least Privileged Access (LPA) in Active Directory
- How to Securely Delegate and Correctly Audit Administrative Access in Active Directory
- How to Easily Secure Active Directory and Operate a Bulletproof Active Directory Deployment
You see, each one of these Active Directory security focused objectives can be easily accomplished, but and in order to do so, what is required is the capability to accurately audit effective access in Active Directory. Sadly, let alone possessing this paramount cyber security capability, Microsoft doesn't even seem to have a clue about it.
So, over the next few days, I'll pen the above, and you'll be able to access them at the Active Directory Security Blog.
In fact, this cannot wait, so let us begin with the "actual" insight on Active Directory ACLs that all organizations worldwide must have today -
Together, we can help adequately secure and defend organizations worldwide and deny perpetrators the opportunities and avenues they seek to compromise our foundational Active Directory deployments, because we must and because we can.
CEO, Paramount Defenses
Formerly Program Manager,
Active Directory Security,
PS: Microsoft, you're welcome. Also, I don't need anything from you, except a Thank you note.
As some of you may know, over the past few weeks, I have been publicly taking the $ 550 Billion Microsoft (Nasdaq: MSFT) to Active Directory Security School (see PS3 below) because today global security literally depends on Active Directory Security.
In case you're wondering why, here's why -
The Importance of Active Directory Security
From the White House to the British Houses of Parliament, and from Microsoft to the Fortune 1000, at the very foundation of IT, identity and access management, and cyber security at over 85% of all organizations worldwide today lies Active Directory.
In other words, the foundational security of thousands of government and business organizations depends on Active Directory.
To paint a picture - Governments, Militaries, Law Enforcement Agencies, Banks, Stock Exchanges, Energy Suppliers, Defense Contractors, Hospitals, Airlines, Airports, Hotels, Oil and Gas Companies, Internet, Tech and Cyber Security Companies, Manufacturing Companies, Pharmaceutical Companies, Retail Giants ... <the list is long> all run on Active Directory.
Operating in the Dark
Given my background, experience and whatever little I know about the subject, I have reason to believe that most organizations worldwide that operate on Active Directory are operating in the dark today, and have absolutely no idea as to exactly who has what level of privileged access in their foundational Active Directory!
Further, because over the last decade, almost 10,000 organizations from across 150+ countries worldwide have knocked at our doors unsolicited, we know exactly how much these organizations know about Active Directory Security, and we're shocked to know that 99% of them don't even know what "Active Directory Effective Permissions" are, and upon giving this due thought, we have arrived at the conclusion that the world's complete ignorance on this most paramount aspect of organizational cyber security can be attributed to the fact that Microsoft has likely not even once educated its customers about its importance!
Let There Be Light
So, I made an executive decision that we need to educate the $ 550 Billion Microsoft Corp about the paramount importance of "Active Directory Effective Permissions", so that they can in turn educate the thousands of vital business and government organizations at whose very foundation lies Active Directory about its sheer and cardinal importance.
Make no mistake about it - no organization that operates on Microsoft Active Directory today can be adequately secured without possessing the ability to determine effective permissions on the thousands of building blocks of cyber security (i.e. thousands of domain user accounts, computer accounts, security groups and policies) that reside in its Active Directory. Its really that simple.
A 1000 Cyber Security Companies!
Speaking of which, although there are supposedly over a 1000 cyber security companies in the world (, and incidentally at their very foundation too lies Microsoft Active Directory) not a single one of them has the ability, the expertise or even a single solution to help the world accurately determine "effective permissions" in Active Directory. Not a single one of them!
Well, except ONE.
PS: If you can find even ONE cyber security company in the world that can help the world do this, you let me know.
PS2: Microsoft, before you respond, please know this - I've conquered mountains, and I'm likely your best friend.
PS3: To help the world easily follow Active Directory Security School for Microsoft, here are each day's lessons -
- Day 0 – A Trillion Dollar Letter to Microsoft concerning Cyber Security Worldwide
- Day 1 – How Well Does Microsoft Understand Cyber Security?
- Day 2 – The Importance of Active Directory Security
- Day 3 – The Impact of an Active Directory Security Breach
- Day 4 – The Active Directory Attack Surface
- Day 5 – The Top-5 Security Risks to Active Directory Deployments
- Day 6 – A Trillion Dollar Active Directory Privilege Escalation Example
- Day 7 – Lack of Gravitas at Organizations + Risks of Amateur Tooling
- Day 8 – An Ocean of Access Privileges in Active Directory Deployments
- Day 9 – A Most Important Microsoft Video on Defending Active Directory
- Day 10 – Active Directory Effective Permissions – Paramount to Cyber Security
- Day 11 - A Trillion $ Question to Microsoft regarding “Identities” and Cyber Security
- Day 12 - How to Correctly Audit Who can Create User Accounts in Active Directory
- Day 13 - Microsoft, How Do Organizations Prevent this Denial-of-Service Attack on Active Directory?
- Day 14 - How to Audit Who can Delete an Organizational Unit in Active Directory
- Day 15 - A Trillion $ Question to Microsoft regarding Domain Security Groups
- Day 16 - How to Audit Who can Change Group Memberships in Active Directory
- Day 17 - Implications of An Unauthorized Change to a Service Connection Point in Active Directory
- Day 18 - How to Audit Who Can Change/Control/Delete a Service Connection Point in Active Directory
- Day 19 - Implications of an Unauthorized Change to Domain Computer Accounts in Active Directory
and How to Audit Who Can Make Changes to Domain Computer Accounts in Active Directory
- Day 20 - Microsoft, Have 1000s of Major Organizations Been Furnishing Inaccurate Evidence to Demonstrate Compliance of Access Rights in Active Directory?
Hello. As President of Paramount Defenses, I pen this letter most respectfully to you, the President of our Great United States.
First off, I should mention that I write neither as a Republican, nor as a Democrat, but as a fellow patriotic American citizen and a cyber security specialist, because I care, and that my desire to do so publicly is inspired by how much you Sir share publicly, and that this most respectful letter is in light of your tweet about discussing the creation of a Cyber Security Unit with Russia.
I'll do my best to keep this VERY simple.
Top-5 Global Security Risks
As President of the United States, you're likely aware of the Top-5 risks to not just America, but to the entire world today -
1. The Risk of the Use of a WMD / Nuclear War
2. The Risk of Earth's Demise, posed by Climate Change
3. The Risk of Terrorism, posed by Terror Groups Worldwide
4. The Risk of the Decline of American Leadership in the World
5. The Risk of Swift and Colossal Damage, posed by Cyber Threats
I am by no means an expert on global security, but common sense suggest that risks 1 and 2 above would be catastrophic to all of mankind, risk 3 could pose a serious threat to life and property, and that risk 4 could increase the likelihood of risks 1, 2 & 3.
As for risk 5, I do happen to know one vital area of cyber security decently well, so I'll share just a few thoughts about it, but first, I did want to take a moment to talk about risk 4 because it potentially impacts the lives of 7,000,000,000+ people worldwide.
The Importance of American Leadership
Mr. Trump, as President of the United States, you are the most powerful and influential person in the world, and most people would take such GREAT responsibility VERY seriously, since their actions and decisions could save or destroy the world.
Sir, the elections are over. You won. You are the President of the United States, and it is time to let the talking be, and start working to make America great again. This isn't reality TV, this is real life, and its a billion times more significant and serious.
If I were the President of the United States, and I deeply cared about making America great again, I likely wouldn't have a moment to watch TV, Tweet or Golf. I'd be working harder than the hardest American to make America greater and safer.
(If I may momentarily digress. speaking of making America great again, while there likely may certainly be much to be done to restore its greatness, we owe it to our future generations to do so without polluting or endangering our precious environment.)
Today more than ever, we live in a precarious, highly-connected and inter-dependent world, and the world needs strong, mature and steady American leadership to amicably address so many important and complicated issues, such as those listed above.
Speaking of which, I'd like to share a few thoughts on risk 5, the risk of swift and colossal damage posed by Cyber Threats, but before I do so, again, I'd request you to please take a few moments to comprehend the profound importance, seriousness and significance of both, the position bestowed upon you by the American people, as well as (of) the challenges that you, Sir, today have the unique privilege and responsibility of addressing for both America and the world that America is inextricably a part of.
[ Hopefully you see that the reality is that since America is inextricably a part of the world, what happens out in the world could impact us substantially, so to make America great(er and safer) again, we must maintain American leadership in the world. ]
The Cyber Risk
Mr. President, to put it most simply, Cyber Security is the Achilles' Heel of developed nations today, because over the last few decades, our reliance on computer systems and networks has increased substantially (exponentially), and sadly within them exist many systemic and component specific deficiencies (vulnerabilities) which can be exploited to inflict colossal harm.
(This risk is actually addressable, and what the world needs is a White Knight so we have a trustworthy foundation to operate on, but and until we get there i.e. until the world has such a defensive shield in place to rely on, we all have reality to deal with.)
Consequently, today from our governments to our energy grids, from our defense systems to our transportation systems, and from our banks to our industries (i.e. a nation's business organizations), literally everything is exposed to varying levels of risk.
It is thus hardly surprising that today cyber security is one of the most important challenges the world faces, an assertion best evidenced by the fact that Russia's purported cyber interference in the 2016 American elections, remains a contentious issue.
Speaking of which, while the U.S and in fact all countries and, ideally all business organizations, should certainly bolster their cyber defenses, establishing a Cyber Security Unit with the Russians might NOT be such a good idea, as also voiced by 1, 2, 3.
By the way, those who truly understand cyber security know that there is no such thing as an "impenetrable cyber security unit".
A quick digression. Yes, indeed the Russians are very good at cyber security and likely at hacking, and they're persistent, but they're not the only ones out there trying to hack our agencies and companies, and they don't always succeed. But, I digress.
Mr. President, you may likely already have some of the world's best inputs and advice when it comes to cyber security, so I'd just like to share paramount cyber security insight with you - Trillion-Dollar Cyber Security Insight for President Donald Trump.
Mr. President, as I put my pen down, I'll only add that of the risks listed above, in the near-term, the Cyber Risk may be 2nd only to the Nuclear Risk, because its realistic probability of occurrence is substantially higher, and its potential for damage, colossal.
Mr. Trump, you have a historic opportunity to SERVE the American People, and define your legacy - its yours to embrace or squander.
Hello. I'm Sanjay, President of Paramount Defenses. I just wanted to congratulate you on your historic win, wish you success, as did President Obama, and share VALUABLE cyber security insight that could be VITAL to your administration's success.
Before I get to it, I should mention that I write neither as a Republican, nor as a Democrat, but as a fellow patriotic U.S. citizen and a cyber security professional, and that my desire to do so publicly has been inspired by how much you Sir share publicly. Given the sheer impact of our important work across America and the world today, we are a 100% non-partisan organization.
One quick vital point - regarding all the talk of Russian hacking to influence the U.S. election, while Russia and possibly others may certainly have tried to influence it, professionally speaking i.e. as a cyber security practioner, in the grand scheme of things, it matters not as to who is trying to hack us, as much as it does that we protect ourselves from being hacked, so from that angle you're likely right that the DNC should have adequately defended itself. You see, once an entity is hacked, at that very moment the damage is done, because their data is now in someone else's hands, and the entity no longer has any control over what the perpetrators do with it. In fairness, one should also add that if indeed Russia did hack the RNC as well, but chose not to divulge their data, then reasonably speaking, that would have amounted to what is being called "an attempt to influence an election."
That said, Mr. Trump, hopefully you'll agree that given our sheer reliance and dependence on computers and technology, the success of your Presidency and your administration will GREATLY depend on the cyber security of our government agencies.
In that regard, I thought you should know that at the very foundation of cyber security of our entire U.S. Government (i.e. 600+ federal agencies) lies a single technology, Microsoft Active Directory, the cyber defense of which is paramount to our security.
You may or may not know this yet, but the White House, the U.S. Capitol, all our intelligence agencies, and virtually all our departments (e.g. Defense, State, Justice, Energy, Labor, Interior, Veterans Affairs etc.) all operate on Active Directory.
By the way, I must mention that none of this is classified information. This is all public knowledge. I just happen to know it first hand because I'm former Microsoft Program Manager for Active Directory Security, i.e. a "deep in the trenches" technical guy who possibly knows more about Active Directory security than most people on the planet. (I also happen to be an innovative American entrepreneur who built possibly the world's most relevant and important cyber security company, from the ground up.)
In fact, Active Directory is at the very foundation of cyber security of 85+% of all government and business organizations world-wide (The Americas, Europe, Asia, etc.) including at the foundation of virtually all of the tech companies whose CEOs recently visited you i.e. Microsoft, Amazon, Alphabet, IBM, Intel, Facebook, Tesla etc., as well as a little cyber company called Palantir.
It is very likely that thousands of business and government organizations in Russia too might be operating on Active Directory.
Sir, in all likelihood, the Trump Organization may also be operating on Active Directory. (Your IT folks could verify that for you.)
Mr. Trump, our cyber intelligence indicates that the foundational Active Directory deployments of most organizations worldwide may currently be exposed to an alarmingly vast attack surface, and thus may possibly be rather easily compromisable today.
The specific cyber security risk that most of them are all likely exposed to today is succinctly described in The Paramount Brief -
If you're short on time, here's a very brief summary -
In every network powered by Active Directory, all administrative accounts i.e. the accounts of the individuals that possess the "Keys to the Kingdom" lie within Active Directory. It is a well known fact that if a perpetrator can compromise ANY one of these accounts, he/she could easily access and control everything. Thus, in every organization, ideally the number of such powerful accounts must be at an absolute bare minimum.
Unfortunately, in most organizations today, not only are there a HUGE number of privileged user accounts in Active Directory, NO ONE really knows exactly who they are and what power they possess. In other words, most organizations seem to be operating in the proverbial dark, & if breached, could likely be compromised in minutes.
In essence, a huge, unknown number of highly prized privileged accounts in Active Directory constitute a vast attack surface, and the compromise of any one of them would be tantamount to a system-wide compromise.
In our professional opinion, this poses a major cyber security risk globally, especially considering the statistics, i.e. 100% of all major recently cyber security breaches involved the compromise of a single (i.e. just 1) Active Directory privileged user account.
From our side, we can certainly (and uniquely) help organizations worldwide precisely identify and reduce their attack surface, as well as empower them to mitigate this serious risk, swiftly and cost-efficiently, but we do need them to understand it first.
I must also mention with due respect to the likes of Peter Thiel, Alex Karp, Ted Schlein & others, I doubt they're familiar with this specific risk or understand the depth of its magnitude, because this is one of those you have to be "deep in the trenches" to get.
Speaking of which, in 2016, we had directly informed the CEOs of most of the world's Top 200 companies (including most of the tech CEOs that came and met you at the Trump Tower), as well as all appropriate officials at most federal and state agencies about this risk to the foundational Active Directory deployments of their organizations; they all received The Paramount Brief.
Our intelligence further indicates that as a result, many of these organizations started to look at the security of their foundational Active Directory deployments for the first time ever. While some may have started bolstering their cyber defenses, sadly, many of these organizations likely continue to remain vulnerable, especially considering how easy it is to compromise them today.
For instance, if an intruder could breach their network (and Microsoft suggests that organizations assume breach ) in many cases, he/she could just deploy Mimikatz DCSync to instantly 0wn them. (Alex/Peter should be able to explain this to you.)
Fortunately the solutions required to swiftly, effectively and cost-effectively help all impacted organizations mitigate this critical risk exist today (e.g. 1,2). However, we're finding that many organizations do not even seem to know about this risk.
We worry that unless certain basic and fundamental cyber security measures are enacted quickly, many of our government and business organizations, as well as those of our allies worldwide, will likely remain vulnerable to cyber attacks in the near future.
From our side, we're doing what we can to educate and safeguard organizations worldwide, but much more needs to be done, and quickly so. Its in that regard that your intentions give many of us in cyber security, as well as the American people, hope...
Making America Great(er and Safer) Again
In addition to making America greater, we must also make (not only) America (but also our allies) safer, not only from physical threats but also from cyber threats. In fact, given our HUGE reliance on technology, and considering how easy it is to launch a cyber attack, the cyber threat may pose a far greater threat to our national security and prosperity than do physical threats.
I've read that it is your intention to appoint a team to combat cyber attacks within 90 days of taking office. That (in your parlance) sounds WONDERFUL. I commend you for this initiative. Indeed, it is imperative and in fact paramount that we do everything we can to safeguard and adequately defend our government and business organizations from being taken out by cyber attacks.
If I had to offer some unsolicited advice, I'd suggest that one of the most important measures one could enact is Attack Surface Reduction. Simply put, the smaller one's attack surface is, the better one's chances of being able to adequately defend it.
For instance, it is so much easier to protect a building that only has one entrance than it is to protect one that has 20 entrances, and where only a few security guards have the master keys to the building, than one wherein who knows how many have them.
That's why, considering the statistics i.e. the fact that 100% of all major recent cyber security breaches involved the compromise of a single (i.e. just 1) Active Directory privileged user account, reducing the number of users that have privileged access within Active Directory to a bare minimum, then adequately protecting them, must be one of the top priorities for all organizations.
Sir, in short, provably secure (least-privileged access adherent) foundational Active Directory deployments at all our federal government agencies and at all business organizations they rely on, are likely going to be vital to your administration's success.
(As you'll likely agree, this isn't rocket science; it's common sense. If a government agency is compromised (e.g. OPM Breach), assets or initiatives it might be working on could be in jeopardy. Similarly, if a business organization (e.g. a Defense Contractor, a Builder etc.) that the government relies on for its various initiatives is compromised, those initiatives could be in jeopardy.)
Thank you, and Best Wishes
In closing, thank you for your time, congrats on your bigly win and good luck as you get ready to serve the American people.
The American people have entrusted you with the great responsibility of leading our great nation, as well as the might of American power, and they're looking to you to make their lives better and to make America greater and safer again.
In God We Trust, so wish you God Speed in your efforts to fulfill your promises to make America great(er and safer) again.
PS: At Paramount Defenses, because we understand the paramount importance of cyber security to the business and national security interests of the United States and those of our allies, we care deeply about cyber security and we take it very seriously.
As shown in Figure 1, Locky spam activity was uninterrupted until June 1, 2016, when it stopped for nearly three weeks. During this period, Locky was the most dominant ransomware distributed in spam email. Now, Locky distribution has returned to the level seen during the first half of 2016.
Figure 1. Locky spam activity in 2016
Figure 2 shows that the majority of Locky spam email detections between June 21 and June 23 of this year were recorded in Japan, the United States and South Korea.
Figure 2. Locky spam by country from June 21 to June 23 of this year
Figure 3. Locky spam email
- Iterates over an array of URLs hosting the Locky payload.
- Uses a custom XOR-based decryption routine to decrypt the Locky payload.
- Ensures the decrypted binary is of a predefined size. In Figure 4 below, the size of the decrypted binary had to be greater than 143,360 bytes and smaller than 153,660 bytes to be executed.
5. Checks (Figure 5) that the first two bytes of the binary contain the “MZ” header signature.
Figure 5: MZ header check
6. Executes the decrypted payload by passing it the command line parameter, “123”.
Locky Payload Updates
Figure 6. Command line parameter check
Figure 7. Decryption routine
If no command line parameter is passed, then the constant for the decryption routine is incorrect. This results in program crash as the decrypted code is invalid. In Figure 8 and Figure 9, we can see the decrypted code sections with and without the command line parameter, respectively.
Figure 8. Correct decrypted code
Figure 9. Incorrect decrypted code
By using this technique, Locky authors have created a dependency on the first stage downloader for the second stage to be executed properly. If a second stage payload such as this is directly analyzed, it will result in a crash.
As of today, the Locky spam campaign is still ongoing, with an added anti-analysis / sandbox evasion technique. We expect to see additional Locky spam campaigns and will remain vigilant in order to protect our customers.
[Updated on December 30, 2012] On December 27, we received reports that the Council on Foreign Relations (CFR) website was compromised and hosting malicious content on or around 2:00 PM EST on Wednesday, December 26. Through our Malware Protection Cloud, we can confirm that the website was compromised
at that time, but we can also confirm that the CFR website was also hosting the malicious content as early as Friday, December 21—right before a major U.S. holiday.
We can also confirm that the malicious content hosted on the website does appear to use Adobe Flash to generate a heap spray attack against Internet Explorer version 8.0 (fully patched), which was the source of the zero-day vulnerability. We have chosen not to release the technical details of this exploit, as Microsoft is still investigating the vulnerability at this time.
if(h!="zh-cn" && h!="en-us" && h!="zh-tw" && h!="ja" && h!="ru" && h!="ko")
Also, the exploit used browser cookies to ensure that the exploit is only delivered once for every user:
where DisplayInfo() essentially tracked when the page was last visited through browser cookies:
var expdate = new Date();
expdate.setTime(expdate.getTime() + (24 * 60 * 60 * 1000*7 ));
if(!(visit = GetCookie("visit")))
visit = 0;
SetCookie("visit", visit, expdate, "/", null, false);
Once the browser is exploited, Prior to downloading the exploit, the browser appears to download “xsainfo.jpg” into the browser cache (aka "drive-by cache attack"), which is the dropper encoded using single-byte XOR (key: 0x83, ignoring 0x00 and 0x83 bytes). Once the exploit succeeds, the JPG file is decoded as a DLL, which is written to the %TEMP% folder as "flowertep.jpg", the sample (MD5: 1e90bd550fa8b288764dd3b9f90425f8) (MD5: 715e692ed2b48e455734f2d43b936ce1) appears to contain debugging information in the metadata of the file:
The simplified Chinese <文件说明> translates to <File Description>. It looks like the malware author included additional metadata in the file, referencing "test_gaga.dll" as the internal name of this sample.
[Update: December 30, 2012]
Additionally, another binary "shiape.exe" (MD5: a2e119106c38e09d2202e2a33e64adc9) is initially dropped to the %TEMP% folder and executed, which appears to perform code injection activity against the standard IE "iexplore.exe" process and installs itself as "%PROGRAMFILES%\Common Files\DirectDB.exe", using the HKLM\SOFTWARE\STS\"nck" registry key to maintain state information. We can also confirm Jamie Blasco's (AlienVault) findings, where the malware registers "DirectDB.exe" through the active setup registry key HKLM\SOFTWARE\Microsoft\Active Setup\Installed
Components\, so that this executable starts once per user upon subsequent login. However, while AlienVault's IOC mentions a process handle name of "&!#@&", we have actually found the "shiape.exe" process generates a mutex of \BaseNamedObjects\&!#@& upon execution, as well.
As of December 29, Microsoft released a security advisory (2794220), which provides initial details of the zero-day vulnerability. Additionally, CVE-2012-4792 has been assigned to track this vulnerability over time.
Simultaneously, Metasploit developers have analyzed the vulnerability and Eric Romang released details of the CDwnBindInfo Proof of Concept Vulnerability demonstration for independent verification.
Lastly, Cristian Craioveanu and Jonathan Ness with MSRC Engineering posted further technical details on MS Technet about ways to mitigate CVE-2012-4792, in the meantime.
One interesting side-note that MSRC mentioned is:
GET /%E0%B4%8C%E1%82%ABhttps://www.example.com HTTP/1.1
As you can see, the value 0x10AB0C0D is encoded in UTF8 and sent as part of the HTTP request. The real-world exploits do not use example.com and the heap spray address will vary depending on targeted OS platform and exploit mechanism but if you see encoded memory addresses in your proxy log, you should investigate to determine whether your organization has been targeted.
Yet, in the wild, we have seen cases where a successfully compromised endpoint generates an equivalent encoded pattern:
... and still beacons (via HTTP POST) to the initial command and control infrastructure at [REDACTED].yourtrap.com. Therefore, we encourage security operations analysts to fully investigate endpoints that generate the encoded heap spray network traffic, rather than simply assuming those systems are not compromised.
We will continue to update this blog with further details, as we discover new information about this attack.