Compromised data included names, addresses, dates of birth and Social Security numbers – data that could be used to commit fraud and identity theft.
RMCB (the Retrieval-Masters Creditors Bureau) – the parent company of AMCA (the American Medical Collection Agency) – listed assets and liabilities of up to $10 million and estimated that it had between 100 and 199 creditors.
The company’s founder and CEO Russell H. Fuchs said in a court declaration that the breach had prompted a “cascade of events” resulting in “enormous expenses that were beyond [its] ability […] to bear”.
These included spending more than $3.8 million on notifying more than 7 million individuals that their personal data had potentially been compromised – $2.5 million of which Fuchs loaned the company himself.
Chapter 11 filings help businesses restructure their debts and assets, and wind up their affairs in an orderly manner.
Undetected data breach
AMCA was hacked over an eight-month period from 1 August 2018 to 30 March 2019.
Gemini Advisory, which alerted it to the incident, explains that it first identified information stolen from the company on 28 February.
The next day, it “made several unsuccessful attempts to contact AMCA in order to alert the victims” before informing federal law enforcement.
Databreaches.net first reported the incident on 10 May, using information provided by Gemini Research, but was unable to elicit any comment from AMCA.
As part of your training regimen, you’ll receive weekly emails describing the steps you must take to secure your organisation and repel enemy forces. They will instruct you on how to:
Cover the basics
Your first task will be to shield your organisation against the most urgent threats with the help of the Cyber Essentials scheme. Backed by the UK government, the scheme identifies essential measures that address the majority of common weaknesses.
Drill your troops
Help your employees understand the threats they face through regular staff awareness training. An effective course will help them navigate threats more carefully, avoid costly mistakes and deal with threats appropriately.
Perimeter defences aren’t enough when it comes to your most sensitive data. You must therefore review risks to critical assets and develop policies and processes to ensure someone is always keeping an eye on them.
Fortify your processes
So far, so good, but now isn’t the time to get complacent. Attackers will keep coming back, armed with the knowledge of their previous battles. That’s why you must regularly review and update your defence strategy to stay one step ahead of the enemy.
Are you ready to fight back?
You can find out more about our strategy for defending your organisation by enlisting in our boot camp.
Those who sign up will receive a free copy of The Cyber Security Combat Plan, as well as weekly emails containing in-depth advice on how to complete each task.
Unsurprisingly, respondents were far more likely to open phishing emails that preyed on fear, urgency and curiosity than they thought.
PhishMe’s simulated phishing email warning about an apparent Ebola outbreak was opened by 27.9% of respondents.
An email purportedly from an accountancy firm that claimed a complaint had been filed against the recipient was opened by 34.2% of respondents, and a message saying the recipient was eligible for medical insurance was clicked by 39.2% of recipients.
The most successful phishing attack spoofed a bar association, and claimed that a grievance had been filed against the recipient. It was opened by 44% of respondents.
These weren’t the only types of phishing scam that proved successful, though. Simulated attacks imitating holiday e-cards were opened by 24.8% of respondents, apparent adverts for rewards programmes were opened by 22.3% of respondents, and various other celebratory e-cards and employee satisfaction surveys were opened by 17.2% of respondents.
In some ways, it seems impossible that phishing attacks remain so successful. Most people are aware of their existence, many scams do a poor job of imitating their target, and popular targets like Amazon have dedicated phishing prevention pages.
Unfortunately, no matter how obvious phishing emails may be, it’s hard to spot those clues the moment you read them. The manufactured sense of urgency and our fear and curiosity often override our better judgement, and even if it’s for a moment, the damage has been done.
How can you prevent phishing emails?
There’s another reason people fall for phishing emails, and it presents an opportunity to help us fall victim less often.
That so many respondents mistakenly believed they were unlikely to fall for fraudsters’ tactics suggests that victims’ downfall is partly because of overconfidence. We are certain that we can spot a phishing email when we see one, and because our alarm bells didn’t ring when we saw this email, it can’t be malicious.
This online course uses example attacks to explain how phishing emails work and the damage they can cause. It also shows you how to identify malicious messages and what to do if you think you’ve received one.
Phishing is one of the most longstanding and dangerous methods of cyber crime. It uses deceptive messages to trick victims into clicking bogus links, downloading malicious attachments or sending sensitive information.
In this blog, we use real-life examples to demonstrate five clues to help you spot phishing scams.
1. The message is sent from a public email domain
No legitimate organisation will contact you from an address that ends ‘@gmail.com’.
Not even Google.
With the exception of independent workers, every organisation will have its own email domain and company accounts. For example, emails from Google will read ‘@google.com’.
If the domain name (the bit after the @ symbol) matches the apparent sender of the email, the message is probably legitimate. The best way to check an organisation’s domain name is to type the company’s name into a search engine.
This makes detecting phishing seem easy, but cyber criminals have plenty of tricks up their sleeves to deceive you.
Look at the email address, not just who the email is from
Many of us don’t ever look at the email address that a message has come from. Your inbox displays a name, like ‘IT Governance’, and the subject line. When you open the email, you already know (or think you know) who the message is from and jump straight into the content.
When crooks create their bogus email addresses, they often have the choice to select the display name, which doesn’t have to relate to the email address at all. They can therefore use a bogus email address that will turn up in your inbox with the display name Google.
But criminals rarely depend on their victim’s ignorance alone. Their bogus email addresses will use the spoofed organisation’s name in the local part of the address. Take this example of a scam mimicking PayPal:
This is a nearly flawless scam email. It uses PayPal’s logo at the top of the message, it is styled professionally and the request is believable.
But as much as it attempts to replicate a genuine email from PayPal, there’s one huge red flag: the sender’s address is ‘email@example.com’.
A genuine email from PayPal would have the organisation’s name in the domain name, indicating that it had come from someone at (@) PayPal. That PayPal isn’t in the domain name is proof that this is a scam.
Alas, simply including PayPal anywhere in the message is often enough to trick people. They might glance at the word PayPal in the email address and be satisfied, or simply not understand the difference between the domain name and the local part of an email address.
2. Domain names are misspelled
There’s another clue hidden in domain names that provides a strong indication of a phishing scam – and it unfortunately complicates our previous clue.
The problem is that anyone can buy a domain name from a registrar. And although every domain name must be unique, there are plenty of ways to create addresses that are indistinguishable from the one that’s being spoofed.
The Gimlet Media podcast ‘Reply All’ demonstrated how difficult it can be to spot a spoofed domain in the episode What Kind Of Idiot Gets Phished?. Phia Bennin, the show’s producer, hired an ethical hacker to phish various employees.
The hacker bought the domain ‘gimletrnedia.com’ (that’s r-n-e-d-i-a, rather than m-e-d-i-a) and impersonated Bennin. His scam was so successful that he tricked the show’s hosts, Gimlet Media’s CEO – who had previously claimed that “only bumbling Mr Magoos” would fall victim – and its president.
You don’t need to fall victim to help criminal hackers
As Bennin went on to explain, you don’t even need to fall victim for a criminal hacker to gain vital information.
In this scam, the ethical hacker, Daniel Boteanu, could see when the link was clicked, and in one example that it had been opened multiple times on different devices. He reasoned that the target’s curiosity kept bringing him back to the link but that he was suspicious enough not to follow its instructions.
I’m guessing [the target] saw that something was going on and he started digging a bit deeper and […] trying to find out what happened […]
And I’m suspecting that after, [the target] maybe sent an email internally saying, “Hey guys! This is what I got. Just be careful. Don’t click on this […] email.”
Boteanu’s theory is exactly what had happened. But why does that help the hacker? Bennin elaborates:
The reason Daniel had thought [the target] had done that is because he had sent the same email to a bunch of members of the team, and after [the target] looked at it for the fourth time, nobody else clicked on it.
And that’s okay for Daniel because he can try, like, all different methods of phishing the team, and he can try it a bunch of different times. [And] since [the target is] sounding alarm bells, he probably won’t include [him] in the next phishing attempt.
Therefore, in many ways, criminal hackers often still win even when you’ve thwarted their initial attempt. That means it’s often not enough to merely stop a phishing scheme; to keep you and your organisation safe, you should be able to confidently spot a scam the moment you first see it.
3. It’s poorly written
You can often tell if an email is a scam if it contains unusual phrases and grammatical errors.
Many people will tell you that such errors are part of a ‘filtering system’ in which cyber criminals target only the most gullible people. The theory is that, if someone ignores clues about the way the message is written, they’re less likely to pick up clues during the scammer’s endgame.
However, this really only applies to outlandish schemes like the oft-mocked Nigerian prince scam, which you really do have to be incredibly naive to fall victim to.
That scam, and others like it, are manually operated: once someone takes the bait, the scammer has to reply. As such, it benefits the crooks to make sure the pool of respondents contains only those who might believe the rest of the con.
But this doesn’t apply to phishing.
With phishing, scammers don’t need to monitor inboxes and send tailored responses. They simply dump thousands of crafted messages on unsuspecting people.
As such, there’s no need to filter out potential respondents. Doing so would not only reduce the likelihood that an attack would be successful but also help those who didn’t fall victim to alert others to the scam, like we saw in the earlier example with Gimlet Media.
So why are so many phishing emails poorly written? The most obvious answer is that the scammers aren’t very good at writing. Remember, many of them are from non-English-speaking countries and from backgrounds where they will have limited access or opportunity to learn the language.
With this in mind, it becomes a lot easier to spot the difference between a typo made by a legitimate sender and a scam.
Look for grammatical mistakes, not spelling mistakes
When crafting phishing messages, scammers will often use a spellchecker or machine translation tool, which will give them all the right words but not necessarily in the right context.
No individual word is spelled incorrectly, but the message is full of grammatical errors that a native speaker wouldn’t make, like “We detected something unusual to use an application”, and a string of missed words, such as in “a malicious user might trying to access” and “Please contact Security Communication Center”.
These are consistent with the kinds of mistakes people make when learning English. Any supposedly official message that’s written this way is almost certainly a scam.
That’s not to say any email with a mistake in it is a scam, though. Everyone makes typos from time to time, especially when they’re in a hurry.
It’s therefore the recipient’s responsibility to look at the context of the error and determine whether it’s a clue to something more sinister. You can do this by asking:
Is it a common sign of a typo (like hitting an adjacent key)?
Is it a mistake a native speaker shouldn’t make (grammatical incoherence, words used in the wrong context)?
Is this email a template, which should have been crafted and copy-edited?
Is it consistent with previous messages I’ve received from this person?
If you’re in any doubt, you should look for examples of the other clues we list here or try to contact the sender using an alternative method (in person, by phone, via their website, an alternative email address or through an instant message client).
4. It includes suspicious attachments or links
Phishing emails come in many forms, but the one thing they all have in common is that they contain a payload. This will either be an infected attachment that you’re asked to download or a link to a bogus website that requests login and other sensitive information.
What is an infected attachment?
An infected attachment is a seemingly benign document that contains malware. In a typical example, like the one below, the phisher claims to be sending an invoice:
It doesn’t matter whether the recipient expects to receive an invoice from this person or not, because in most cases they won’t be sure what the message pertains to until they open the attachment.
When they open the attachment, they’ll see that the invoice isn’t intended for them, but it will be too late. The document unleashes malware on the victim’s computer, which could perform any number of nefarious activities.
We advise that you never open an attachment unless you are fully confident that the message is from a legitimate party. Even then, you should look out for anything suspicious in the attachment.
For example, if you receive a pop-up warning about the file’s legitimacy or the application asks you to adjust your settings, then don’t proceed. Contact the sender through an alternative means of communication and ask them to verify that it’s legitimate.
You can spot a suspicious link if the destination address doesn’t match the context of the rest of the email. For example, if you receive an email from Netflix, you would expect the link to direct you towards an address that begins ‘netflix.com’.
Unfortunately, many legitimate and scam emails hide the destination address in a button, so it’s not immediately obvious where the link goes to.
In this example, you would probably know that something was suspicious if you saw the destination address in the email. Unfortunately, the rest of the message is pretty convincing, and you might click the link without giving it a second thought.
To ensure you don’t fall for schemes like this, you must train yourself to check where links go before opening them. Thankfully, this is straightforward: on a computer, hover your mouse over the link and the destination address appears in a small bar along the bottom of the browser.
On a mobile device, hold down on the link and a pop-up will appear containing the link.
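As an added example, not part of the original post, the following Python applies clues 1, 2 and 4 as automated checks over a constructed message modelled on the Gimlet Media episode. The sample message, the list of public webmail domains, the confusable-character table and the set of known-good domains are all assumptions, and the registrable-domain helper is deliberately crude (it takes the last two labels).

```python
"""Heuristic checks for three of the phishing clues: public sender domain,
brand outside the domain, lookalike domain, and links whose real
destination does not match the visible text or the expected sender."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Consumer webmail domains (assumed list): clue 1 says no organisation
# contacts you from one of these.
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

# Glance-alike substitutions (assumed table), e.g. the 'rn' for 'm' in
# gimletrnedia.com from clue 2.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def normalise_lookalike(name: str) -> str:
    """Fold confusable sequences so a lookalike and the real name compare equal."""
    for fake, real in CONFUSABLES:
        name = name.replace(fake, real)
    return name


def registrable(host: str) -> str:
    """Last two labels of a hostname: fine for .com-style names, wrong for co.uk."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def check_sender(from_header: str, known_domains: set) -> list:
    """Clues 1 and 2 applied to the From: header."""
    findings = []
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["From header has no parseable address"]
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    if domain in PUBLIC_DOMAINS:
        findings.append(f"sender uses public webmail domain {domain}")
    reg = registrable(domain)
    for known in known_domains:
        brand = known.split(".")[0]
        # The PayPal case: brand in the display name or local part, not the domain.
        if (brand in display.lower() or brand in local.lower()) and brand not in domain:
            findings.append(
                f"'{brand}' appears in the display name or local part but not in domain {domain}"
            )
        # The gimletrnedia.com case: a different string that folds to the real name.
        if reg != known and normalise_lookalike(reg) == normalise_lookalike(known):
            findings.append(f"domain {reg} is a lookalike of {known}")
    return findings


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html: str, expected_domains: set) -> list:
    """Clue 4: where each link really goes, versus the expected sender and its text."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        reg = registrable(host)
        if reg and reg not in expected_domains:
            findings.append(f"link '{text}' goes to {host}, not to {sorted(expected_domains)}")
        # Visible text that itself looks like a domain or URL but points elsewhere.
        shown = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text.lower())
        if shown and registrable(shown.group(1)) != reg:
            findings.append(f"link text shows {shown.group(1)} but destination is {host}")
    return findings


def analyse_message(raw: str, known_domains: set) -> dict:
    """Run both checks over a raw message and return findings grouped by clue."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    return {
        "sender": check_sender(str(msg["From"] or ""), known_domains),
        "links": check_links(html, known_domains),
    }


# Constructed sample (not a real message): lookalike sender domain plus a link
# whose visible text does not match its real destination.
SAMPLE = """\
From: Gimlet Media IT <it.support@gimletrnedia.com>
To: producer@gimletmedia.com
Subject: Password reset required today
Content-Type: text/html; charset="utf-8"

<p>Your password expires in one hour. Reset it here:
<a href="http://login.gimletrnedia.com/reset">https://gimletmedia.com/reset</a></p>
"""

if __name__ == "__main__":
    for clue, hits in analyse_message(SAMPLE, {"gimletmedia.com"}).items():
        for hit in hits:
            print(f"[{clue}] {hit}")
```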
5. The message creates a sense of urgency
Scammers know that most of us procrastinate. We receive an email giving us important news, and we decide we’ll deal with it later.
But the longer you think about something, the more likely you are to notice things that don’t seem right. Maybe you realise that the organisation doesn’t contact you by that email address, or you speak to a colleague and learn that they didn’t send you a document.
Even if you don’t get that ‘a-ha’ moment, coming back to the message with a fresh set of eyes might help reveal its true nature.
That’s why so many scams request that you act now or else it will be too late. This has been evident in every example we’ve used so far. PayPal, Windows and Netflix all provide services that are regularly used, and any problems with those accounts could cause immediate inconveniences.
The business depends on you
The manufactured sense of urgency is equally effective in workplace scams. Criminals know that most of us will drop everything if our boss emails us with a vital request, especially when other senior colleagues are supposedly waiting on you. A typical example looks like this:
Phishing scams like this are particularly dangerous because, even if the recipient did suspect foul play, they might be too afraid to confront their boss. If they were wrong, they have not only failed to meet their boss’ urgent request but also implied that there was something unprofessional in the way the email was written.
An organisation that values cyber security would accept that it’s better to be safe than sorry and perhaps even congratulate the employee for their caution. However, unless the organisation explicitly tells staff to remain vigilant, they might not be willing to speak up.
Prevent phishing by helping your employees
The advice in this blog shows how important it is for individuals to recognise signs of phishing. Spam filters will never be fully effective, so it’s up to each of us to read the context of messages and look for anything suspicious.
Organisations must therefore encourage employees to understand and analyse the way phishing works and what to do if they receive a malicious email.
A version of this blog was originally published on 15 August 2017.
We often talk about the benefits of ISO 27001 certification but don’t always expand on the more immediate benefits associated with implementing an ISMS (information security management system).
We aim to put that right in this blog, explaining how an ISMS works and the ways it helps your organisation.
What is an ISMS?
A centrally managed framework for keeping an organisation’s information safe.
A set of policies, procedures, technical and physical controls to protect the confidentiality, availability and integrity of information.
Either applied to the entire organisation or only a specific area where the information it seeks to protect is segmented (the scope).
Includes not only technical controls but also controls to treat additional, more common risks related to people, resources, assets and processes.
Based on a risk assessment across the organisation that considers internal and external risks. This means all risks are assessed, analysed and evaluated against a set of predetermined criteria before risk treatments (controls) are applied. Controls are applied based on the likelihood and potential impact of the risks.
A framework that helps you make appropriate decisions about the risks that are specific to your business environment.
Dependent on support and involvement from the entire business – not just the IT department – from the cleaner right up to the CEO.
Not an IT function but a business management process.
An ISMS can be certified to the international best-practice information security standard ISO 27001. Achieving accredited certification to the Standard demonstrates to your clients, customers, regulators and stakeholders that your organisation is following information security best practice and your data is sufficiently protected.
Where does ISO 27001 fit in?
The best practices for an ISMS are laid out in the ISO 27001 standard, which covers the compliance requirements. These are expanded upon in ISO 27002, which covers the guidelines and general principles for implementing and maintaining those requirements.
As such, certifying to the Standard ensures that your organisation’s security measures are as effective as possible.
Why implement an ISMS?
An ISO 27001-compliant ISMS does more than simply help you comply with laws and win business. It also:
Secures your information in all its forms: An ISMS helps protect data in all its forms, including digital, paper-based and in the Cloud.
Increases your resilience to cyber attacks: Implementing and maintaining an ISMS will significantly increase your organisation’s resilience to cyber attacks.
Provides a centrally managed framework: An ISMS provides a framework for keeping your organisation’s information safe and managing it in one place.
Creates a new way of thinking about information security, helping your employees become more aware of their responsibilities and the steps they must take to keep information secure.
Offers organisation-wide protection: An ISMS protects your entire organisation from technology-based risk and other, more common threats, such as poorly informed staff and ineffective procedures.
Helps you respond to evolving security threats: Risks are continually evolving, but an ISMS reduces the threat by constantly adapting to changes both in the environment and inside the organisation.
Reduces costs associated with information security: The risk assessment and analysis approach of an ISMS means organisations can reduce spending on defensive technology that might not work.
Protects the confidentiality, integrity and availability of data: An ISMS offers a set of policies, procedures and physical controls to protect the confidentiality, integrity and availability of information.
Improves company culture: ISO 27001’s holistic approach covers the whole organisation, not just IT, and encompasses people, processes and technology. This enables employees to readily understand risks and embrace security controls as part of their everyday working practices.
Is ISO 27001 compliance a legal requirement?
Although there are no laws requiring organisations to implement ISO 27001, compliance is often essential for an organisation to succeed.
One reason for this is the increasing demand from suppliers and clients for the organisations they work with to demonstrate effective security. Certifying to the Standard enables organisations to do this, giving them a competitive advantage.
Neither the GDPR nor NIS Regulations specify how to meet their requirements, but their similarities to ISO 27001 mean that many requirements can be met by following the Standard’s instructions.
Get help with your ISMS
Implementing an ISMS can be hard work, and it will involve your whole organisation. The project can take anywhere from three months to a year, and however you proceed, you need to factor in your organisation’s size, the threats it faces and the measures it already has in place.
Our ISO 27001 Certified ISMS Lead Implementer course teaches you everything you need to know to put in place an effective ISMS, as real-world practitioners show you how to tackle an ISMS project from start to finish.
Not ready for a training course?
If you want to learn more about implementing an ISMS but aren’t ready to commit to a training course, you might prefer our free guide, ISO 27001: The Facts.
Two thousand unauthorized access attempts in 48 hours: that is how New Zealand’s Treasury Secretary, in coordination with the National Cyber Security Centre, described the hacking of budget information records that happened this week. New Zealand’s new public spending law, dubbed the “well-being budget”, is expected to be publicly disclosed in full on Thursday, May 30, 2019. Before that, however, the opposition National Party released snippets of the budget ahead of the official release date.
“Following this morning’s media reports of a potential leak of Budget information, the Treasury has gathered sufficient evidence to indicate that its systems have been deliberately and systematically hacked. The Treasury takes the security of all the information it holds extremely seriously. It has taken immediate steps today to increase the security of all budget-related information and will be undertaking a full review of information security processes. There is no evidence that any personal information held by the Treasury has been subject to this hacking,” explained Gabriel Makhlouf, Treasury Secretary.
National Party leader Simon Bridges denied insinuations that the opposition had anything to do with the hacking incident, and accused the governing party of conducting a witch-hunt to discredit it. “There has been no hacking under any definition of that word … there has been nothing illegal or even approaching that. We have acted legally, appropriately, without any hacking or anything approaching that by the National Party. Or indeed what Grant Robertson is saying, that’s how we’ve got it, he is wrong. They [the government] are not in control of what they are doing, so they are lashing out and they are having a witch-hunt,” emphasized Bridges.
The government of New Zealand, through its Treasury Department, continues to confirm that the budget will be disclosed on the original date as planned before the hacking incident. The National Party leadership squarely blames the incompetence of Treasury officials, and of Makhlouf in particular, for mishandling government data and for calling in the police as if cybercrime were a typical street crime. The opposition leader refused to explain how the party was able to obtain a copy of the well-being budget.
“There’s this potential talk around cybersecurity and so on — I was a minister in charge of cybersecurity for Bill English and what I know is departments like the Treasury, with big organizations, there are attempts at hacking and so on, if not every day, very commonly. I don’t know what the situation with that is, but they wouldn’t have called in the police if that was what they were worried about,” concluded Bridges.
New Zealand’s well-being budget aims to change the government’s fiscal priorities, with a stronger focus on funding action against domestic abuse, a better mental health care system and protection against child labor practices arising from poverty. With social services taking the lion’s share of the budget, the government of New Zealand is distancing itself from the emphasis on economic growth of previous years. The administration believes that domestic protection should receive more focus this year.
Under the new requirements, which came into effect on 7 May, anyone who registers for an online gambling site needs to provide proof of their age, name and address. However, this could be an extra incentive for cyber criminals to target gambling organisations, as the additional personal details alongside financial data are a potent combination for conducting fraud.
Why are gambling operators asking for this information?
Previously, it had been possible to create an account with a gambling operator without having to verify your identity and date of birth. You would only need to provide this information if you were trying to withdraw money from your account.
The new rules require gambling operators to confirm this information before users deposit funds or access free-to-play games. According to the Gambling Commission, operators can generally find the necessary information by matching the details that users give to them with existing databases.
However, it adds that “there may be occasions when this information is not enough to be sure who you are. For example, if information has been spelt wrongly or people with similar names live at the same address.
“In these situations you may be asked to provide copies of documents that prove who you are. This could include passports, driving licences and household bills.”
These checks are primarily intended to ensure the user is old enough to gamble, but they can also help operators see whether the user has self-excluded from the gambling company’s site and that they aren’t using criminal proceeds.
They are also part of a wider move to better regulate the gambling industry. The UK recently cut the maximum bet on fixed-odds betting terminals from £100 to £2 and is now turning its attention to gambling on credit. In a report published last year, the Gambling Commission said it would consider “whether gambling on credit should continue to be permitted” as it “increases the risk that consumers will gamble more than they can afford”.
Culture Secretary Jeremy Wright has called on banks and bookmakers to meet to discuss gambling industry regulations. “Protecting people from the risks of gambling-related harm is vital and all businesses with connections to gambling – be that bookmakers, social media platforms or banks – must be socially responsible,” he said.
“The government will not hesitate to act if businesses don’t continue to make progress in this area and do all they can to ensure vulnerable people are protected.”
Is your personal data at risk?
Any time a system requires organisations to access more personal data, the risks associated with that information increase. The risk of data breaches also increases whenever financial records are involved, because they are more valuable to cyber criminals.
Whereas most personal data is worth only what someone is willing to pay for it on the dark web, financial information can be used to access funds directly. In many instances, all crooks need to do is transfer and then launder the money. This tactic has become increasingly popular in recent years as the value of personal data decreases on the dark web due to the surplus in supply.
Depending on the additional information that online gambling companies use to verify an account, crooks could potentially have a route into users’ bank accounts. At the very least, they’ll probably have enough information to launch a sophisticated phishing attack.
As such, it’s essential that gambling operators introduce appropriate technical and organisational measures to protect the information they obtain to verify a user’s identity.
Want to know whether your organisation is doing enough?
This paper is essential reading for any gambling operator that wants to ensure their organisation complies with the Gambling Commission’s remote gambling and software technical standards. It covers the security requirements you need to meet and offers guidance on the steps you should take to pass your audit.
Earlier this month, two major pharmaceutical giants issued warnings about phishing emails targeting job hunters.
GlaxoSmithKline and AstraZeneca say they are victims of recruitment scams, in which crooks create fake job adverts to obtain people’s personal and financial details. The bogus ads can be hard to spot, because they use legitimate logos and material, and hide the scammers’ email addresses effectively.
How the scam works
Based on AstraZeneca and GlaxoSmithKline’s statements, this is a fairly standard case of recruitment fraud. Job seekers find the fake advert on a recruitment site and provide their CV, which will typically include the applicant’s name, email address, current employer and other personal details.
The scammers will then email the applicant to say they are being considered, before offering them a job. At this point, one of two things will happen.
The scammers might refer the victim to an employment agent (also fake), who will ask for money to complete registration fees. Alternatively, the victim might report directly to the HR department of the bogus employer.
Either way, the final step of the crooks’ plan is to ask for the bank details into which the new employee’s salary will supposedly be paid. They will instead use those details to steal money, before cutting all ties with the victim.
Why it’s so successful
Recruitment fraud seems like one of the more obvious scams to spot. How could anyone’s alarm not be raised if they are offered a job without an interview?
Unfortunately, red flags like that are ignored in all kinds of phishing scams, and this scheme is a perfect example of why that happens. Most of us know how disheartening it is to send off application after application knowing that you probably won’t ever hear anything back. It’s therefore completely understandable that curiosity and/or hope might get the better of you when you hear that you’re not only in consideration but have also been offered a job.
Sure, you’re likely to be a little suspicious, but it’s a highly respected organisation like GlaxoSmithKline or AstraZeneca, so it must be legitimate, right?
It’s only in retrospect that you see all the clues that should’ve confirmed your suspicions.
What should you be looking for?
GlaxoSmithKline says job hunters can determine the legitimacy of an advert by asking:
Are there major spelling or grammatical errors in the communication?
What is the sender’s email address? Does this seem consistent with previous communications?
Who is sending the email? Search the name online to determine whether it’s a real employee and whether they are the appropriate person to be managing the application process.
It adds that an advert posted by a third party isn’t necessarily fraudulent, but recommends that job hunters research the company to see if they represent the organisation.
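The sender-address question in the list above is the one a mail filter can answer before a human ever reads the message. The script below is an added example, not from GlaxoSmithKline or AstraZeneca: it checks a From: header against a set of employer domains, flags free webmail providers, lookalike domains (the employer's name embedded in another domain, or a domain within two edits of a real one) and a sender domain that differs from earlier correspondence. The domains, the webmail list and the sample headers are constructed placeholders.

```python
"""Sender-address consistency check for recruitment email.

Added example, not from GSK or AstraZeneca. The employer domains, webmail
list and sample headers are constructed placeholders.
"""
from email.utils import parseaddr

# Assumed domains the employer really sends from (placeholders).
ORG_DOMAINS = {"example-pharma.com", "careers.example-pharma.com"}
# Free webmail providers: a corporate recruiter would not write from these.
WEBMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}


def sender_domain(from_header: str) -> str:
    """Domain part of the address in a From: header, lower-cased ('' if none)."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def org_labels() -> set:
    """Registrable label of each employer domain, e.g. 'example-pharma'."""
    return {d.split(".")[-2] for d in ORG_DOMAINS}


def classify_sender(from_header: str, previous_domain: str = "") -> str:
    """Map a From: header to one of: ok, no-address, webmail, lookalike,
    inconsistent, unknown-domain."""
    dom = sender_domain(from_header)
    if not dom:
        return "no-address"
    if dom in ORG_DOMAINS:
        return "ok"
    if dom in WEBMAIL_DOMAINS:
        return "webmail"
    # Lookalike: the employer's name embedded in another domain, or a
    # domain within two edits of a real one (e.g. 'rn' standing in for 'm').
    if any(label in dom for label in org_labels()) or \
            any(edit_distance(dom, good) <= 2 for good in ORG_DOMAINS):
        return "lookalike"
    if previous_domain and dom != previous_domain.lower():
        return "inconsistent"
    return "unknown-domain"


# Constructed sample headers (not real messages).
SAMPLE_HEADERS = [
    "Recruitment Team <hr@example-pharma.com>",
    "Recruitment Team <example.pharma.hr@gmail.com>",
    "Recruitment Team <hr@exarnple-pharma.com>",
    "Recruitment Team <offers@example-pharma-jobs.net>",
    "Recruitment Team <hr@some-agency.co.uk>",
]


def triage(headers=SAMPLE_HEADERS, previous_domain: str = "") -> list:
    """Classification for each header, in order."""
    return [classify_sender(h, previous_domain) for h in headers]


if __name__ == "__main__":
    for header, verdict in zip(SAMPLE_HEADERS, triage()):
        print(f"{verdict:15s} {header}")
```

A verdict of "unknown-domain" is not proof of fraud, which matches the page's point that a third-party advert isn't necessarily fraudulent; it is the cue to look the agency up before replying. Passing the domain of the previous message as `previous_domain` turns the "consistent with previous communications" question into the "inconsistent" verdict.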
It’s not the end of the world if you don’t spot a scam during the application process. The crooks will have your contact details and any other information on your CV, but at least they won’t have your financial details. Preventing that from happening is simple, provided you remain cautious.
AstraZeneca and GlaxoSmithKline remind job hunters that they never ask for money during the recruitment process (no legitimate organisation would). The latter adds that:
If you receive a genuine job offer of a job with us, whether the offer is made directly by us or through an agency, you will not be required to pay any money towards administration fees.
We also recommend that you do not disclose personal or financial details to anyone you do not know.
As is standard, GlaxoSmithKline says that interviewees or those who have been offered jobs might be asked to provide passport information or other personal identification, such as a National Insurance number.
If you receive and accept a job offer, you will obviously have to provide financial information; this will typically be at the same time as you sign your employee contract. However, you should only be asked for account information, which is used to deposit funds, rather than the card number, which is used to withdraw funds.
Can you spot a phishing scam?
The warnings issued by AstraZeneca and GlaxoSmithKline show just how big of a threat phishing poses. The methods for spotting and preventing it are the same no matter what form the scam takes, yet millions of people fall victim in both personal and work environments.
When it comes to recruitment scams, it’s up to individuals to protect their own data, but organisations have a lot more at stake. An employee who can’t spot a malicious email is liable to hand over vast amounts of sensitive information or expose the organisation to further threats. For example, most ransomware attacks are spread via phishing emails.
It was only a few years back that cloud technology was in its infancy and used only by tech-savvy, forward-thinking organisations. Today, it is commonplace. More businesses than ever are making use of cloud services in one form or another. And recent statistics suggest that cloud adoption has reached 88 percent. It seems that businesses now […]
If you’ve recently had a missed call on WhatsApp from a number you didn’t recognise, cyber criminals might be spying on you.
The Facebook-owned app has admitted that cyber criminals have exploited a major vulnerability in its voice call function and are planting spyware on users’ phones. This enables crooks to turn on devices’ cameras and microphones, read emails and instant messages, and collect users’ location data.
The breach was discovered earlier this month, and WhatsApp released an update addressing the issue on Friday. The messaging service is now urging users to install the patch to ensure they don’t fall victim. Updates are often installed automatically, but it’s worth checking that this feature is enabled.
Who is responsible for the attack?
The technology behind the attack was developed by the Israeli cyber surveillance organisation NSO Group, but the firm has denied playing a part in the breach. It said that the Pegasus spyware is licensed to authorised government agencies “for the sole purpose of fighting crime and terror” and that it doesn’t use it itself.
WhatsApp believes the “attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems”.
The identity of that company is currently unclear, but we would guess the attack was politically motivated. The spyware has been planted on a relatively small number of devices, which wouldn’t be the case if crooks were trying to obtain personal information for financial gain, and those who have reported being targeted hold politically and socially important roles, such as human rights activists, journalists and lawyers.
The severity of the breach means an investigation is bound to be launched, but we doubt that the perpetrators’ identity will ever be discovered. It’s incredibly difficult to investigate sophisticated attacks like this, and it’s even harder to find the necessary evidence to bring about a conviction.
Things should improve as new technologies become available to cyber crime investigators like the National Crime Agency, the FBI and Europol. They will also be helped by organisations paying greater attention to cyber security and engaging in threat intelligence sharing, but it’s always worth remembering that the best defence is prevention. By making it harder for crooks to breach your systems, you’ll make cyber crime a less prosperous endeavour and reduce the likelihood of being targeted.
This blog has been updated to reflect industry updates. Originally published 1 December 2017.
A lot of organisations have experienced cyber attacks, but how are they actually hit? There are many types of cyber attack, and the one the criminal hacker chooses depends on what they are trying to do. Some want data, whereas others want a ransom to be paid.
The most common types of cyber attack fall into two groups: malware and attack vectors. Malware is software designed to disrupt a computer system or gain unauthorised access to it. These are the main forms:
Ransomware is one of the fastest-growing forms of cyber attack and has been behind a number of high-profile breaches, including the massive NHS data breach in 2017. It is a type of malicious software that encrypts a victim’s files and demands a payment to release them. However, paying the ransom does not guarantee the recovery of all encrypted data. Staff awareness is the best strategy to manage ransomware threats.
DDoS (distributed denial-of-service) attack
A DDoS attack is a malicious attempt to disrupt normal web traffic and take a site offline. This is done by flooding a system, server or network with more access requests than it can handle. DDoS attacks are often launched from numerous compromised devices, and are usually distributed globally through botnets.
Social engineering deceives and manipulates individuals into divulging sensitive information by convincing them to click malicious links or grant access to a computer, building or system. Two examples of social engineering are:
Phishing – this is an attempt to access sensitive information such as passwords and bank information by posing as a trusted individual. This is done via electronic communication, most commonly by email, and can inflict enormous damage on organisations.
Pharming – this is an attack that redirects a website’s traffic to a fake website, where users’ information is then compromised.
A virus is a piece of malicious code that is loaded onto a computer without the user’s knowledge. It can replicate itself and spread to other computers by attaching itself to another computer file.
Worms are similar to viruses in that they are self-replicating, but they do not need to attach themselves to a program. They continually look for vulnerabilities and report back any weaknesses that are found to the worm author.
Spyware/adware can be installed on your computer without your knowledge when you open attachments, click links or download infected software. It then monitors your computer activity and collects personal information.
A Trojan is a type of malware that disguises itself as legitimate software, such as virus removal programs, but performs malicious activity when executed.
Attack vectors are used to gain access to a computer or network in order to infect them with malware or harvest stolen data. Vectors have four main forms:
A drive-by cyber attack targets a user through their Internet browser, installing malware on their computer as soon as they visit an infected website. It can also happen when a user visits a legitimate website that has been compromised by criminal hackers, either infecting them directly or redirecting them to a malicious site.
MITM (man in the middle)
An MITM attack is where an attacker alters the communication between two users, impersonating both victims in order to manipulate them and gain access to their data. The users are not aware that they are actually communicating with an attacker rather than each other.
The use of outdated (unpatched) software (e.g. Microsoft XP) opens up opportunities for criminal hackers to take advantage of known vulnerabilities that can bring entire systems down. A zero-day exploit can occur when a vulnerability is made public before a patch or solution has been rolled out by the developer. Patch management is one of the five basic cyber security controls proposed by the UK government’s Cyber Essentials scheme.
An SQL (Structured Query Language) injection occurs when an attacker inserts malicious code into a query sent to a server that uses SQL. SQL injections are only successful when a security vulnerability exists in an application’s software, typically because user input is built into the query text rather than passed as data. Successful SQL injection attacks force a server to provide access to or modify data.
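The vulnerability that makes an SQL injection possible, and the fix, both fit in a few lines. The block below is an added example, not code from the original article: a lookup that pastes user input into the query text next to the same lookup written as a parameterised query, run against an in-memory SQLite table with constructed sample rows. The hostile input is the standard textbook tautology; the point is that the parameterised version treats it as a plain string and returns nothing.

```python
"""SQL injection: a string-built query beside its parameterised replacement.

Added example, not from the original article. Uses an in-memory SQLite
database with a constructed `users` table so it runs offline.
"""
import re
import sqlite3

# Defence in depth: the shape a username is allowed to have (assumed policy).
USERNAME_RE = re.compile(r"^[a-z0-9_.-]{1,32}$")


def make_db() -> sqlite3.Connection:
    """Constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """VULNERABLE: the untrusted value is pasted into the SQL text, so a
    quote character in the input ends the string literal and whatever
    follows is executed as SQL."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the value travels separately from the SQL text
    and is only ever compared as data, whatever characters it contains."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def lookup_validated(conn: sqlite3.Connection, username: str) -> list:
    """Reject input that does not match the expected shape before it
    reaches the database at all, then use the parameterised query."""
    if not USERNAME_RE.match(username):
        raise ValueError("username has unexpected characters")
    return lookup_safe(conn, username)


# Constructed hostile input: the quote closes the literal and the tautology
# that follows makes the WHERE clause true for every row.
HOSTILE_INPUT = "x' OR '1'='1"


def demo() -> dict:
    """Row counts each lookup returns for the hostile input."""
    conn = make_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, HOSTILE_INPUT)),
        "safe_rows": len(lookup_safe(conn, HOSTILE_INPUT)),
    }


if __name__ == "__main__":
    print(demo())   # {'vulnerable_rows': 2, 'safe_rows': 0}
```

The input-shape check in `lookup_validated` is not a substitute for parameterisation (a field that legitimately contains quotes, such as a surname, cannot be filtered that way); it is a second layer that also gives you a clean place to log and alert on rejected input.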
Any one of these cyber attacks can be easily implemented if your organisation does not have the proper cyber security in place. It is vital to assess your organisation’s level of cyber security in order to see where your weaknesses are, and how you can ensure that you are fully protected.
The most effective strategy to mitigate and minimise the effects of a cyber attack is to build a solid foundation upon which to grow your cyber security technology stack.
Solution providers often tell their clients that their applications are 100% compatible and will operate seamlessly with the current IT infrastructure, which, for the most part, is true. The problem arises when organisations add IT security solutions from different manufacturers regardless of the granularity of their configuration settings, and technology gaps are exposed.
Technology gaps appear for one simple reason: developers always keep certain portions of their code proprietary to retain their competitive advantage, meaning applications from different developers are never completely compatible. It is through the resulting gaps that attacks usually occur.
Robust cyber security will help you identify these gaps and mitigate the risk of an attack.
Start your journey to being cyber secure today
IT Governance has a wealth of experience in the cyber security and risk management fields. We’ve worked with hundreds of organisations in a range of industries for more than 15 years, and all of our consultants are qualified, experienced practitioners.
Our services can be tailored for organisations of all sizes in any industry and location. Browse our wide range of solutions below to kick-start your cyber security project.
Most of us use social media to keep in touch with friends, read interesting content or share photos, but we also know it comes with risk. How private our data really is and whether or not “they” are listening is constantly in the news, but do you know the risks of personal social media use to your business?
In Techworld’s recent article summarising some of the most infamous data breaches in the UK, Facebook, Google+ and Reddit are all featured. Even though your staff may be using social media in their private time, the associated risks could lead to problems for your organisation.
Why your employees’ social media use is an information security risk
Many people don’t think twice before sharing something about themselves, but staff should take a moment to consider the repercussions of their posts or whether the content of a post is meant for public consumption.
Does a photo taken at work reveal something confidential in the background? Are the thoughts or interests being shared aligned with company values? There are abundant examples of people’s tweets coming back to haunt them years later.
Staff should also be careful not to include too much personal information on social media profiles. In addition to their name and date of birth being on their profile, location tags may reveal addresses, and even who clients are. Employees may think nothing of revealing they are on-site with a client, but the client may not appreciate this information being made public.
Staff should be educated about the possible consequences of sharing their activities or location.
Malicious attackers often set up scams using social media, deliberately preying on naive users and luring them in with something attractive. False investment opportunities, lotteries and online romances are often used to pique a victim’s interest, before tricking them into clicking malicious links. If the victim is using a company device at the time, such scams can be used to gain access to company information or to install malware.
Teach staff that if something looks too good to be true, it probably is.
Mitigate social media risk
It is possible to prevent such incidents from occurring. By educating staff members on the dangers of social media, your company assets (including your employees) are likely to stay safe.
Our new Social Media Staff Awareness Human Patch E-learning Course is designed to combat the information security risks of social media use by employees. It provides staff with the knowledge required to prevent common social media mistakes and malicious attacks. Such mishaps include accidental sharing of private company information on social media profiles, and inadvertently sending log-in details to a malicious third party.
The course consists of four modules covering:
Social media as a concept;
Social media risks and their consequences;
Mitigation techniques; and
Recognising, reporting and managing social media risks.
At the end of the course, employees are asked ten random questions based on the content, which they can retake until they reach the pass mark of 8/10.
Using this engaging, informative and relevant content to educate employees will greatly reduce your organisation’s risk relating to social media usage.
This is the third in the “Human Patch” series of courses, which are designed to be short, easy-to-follow online learning courses preventing common staff-related incidents or mistakes.
ISO 27001 recommends that organisations take one of four actions:
Modify the risk by implementing a control to reduce the likelihood of it occurring. For example, you might address the risk of a work-issued laptop being stolen by creating a policy that instructs employees to keep devices with them and to store them safely.
Avoid the risk by ceasing any activity that creates it. This response is appropriate if the risk is too big to manage with a security control. For example, if you’re not willing to take any chances of a laptop being stolen, you might choose to ban employees from using them outside the premises. This option will make things less convenient for your employees but will drastically improve your security posture.
Share the risk with a third party. There are two ways you can do this: by outsourcing the security efforts to another organisation or by purchasing cyber insurance to ensure you have the funds to respond appropriately in the event of a disaster. Neither option is ideal, because you are ultimately responsible for your organisation’s security, but they might be the best solutions if you lack the resources to tackle the risk.
Retain the risk. This option means that your organisation accepts the risk and believes that the cost of treating it is greater than the damage that it would cause.
Selecting appropriate controls
The most common risk treatment option is to modify the risk, because it typically offers the best combination of security and cost.
Organisations can determine the best way to modify a risk by looking at the controls listed in Annex A of ISO 27001. It lists 114 controls, which are split into 14 sections (or ‘control sets’), each one tailored to a specific aspect of information security:
Information security policies: how policies are written and reviewed.
Organisation of information security: the assignment of responsibilities for specific tasks.
Human resource security: ensuring that employees understand their responsibilities prior to employment and once they’ve left or changed roles.
Asset management: identifying information assets and defining appropriate protection responsibilities.
Access control: ensuring that employees can only view information that’s relevant to their job role.
Cryptography: the encryption and key management of sensitive information.
Physical and environmental security: securing the organisation’s premises and equipment.
Operations security: ensuring that information processing facilities are secure.
Communications security: how to protect information in networks.
System acquisition, development and maintenance: ensuring that information security is a central part of the organisation’s systems.
Supplier relationships: the agreements to include in contracts with third parties, and how to measure whether those agreements are being kept.
Information security incident management: how to report disruptions and breaches, and who is responsible for certain activities.
Information security aspects of business continuity management: how to address business disruptions.
Compliance: how to identify the laws and regulations that apply to your organisation.
Deciding which control to use is relatively straightforward. The ISO 27001 implementation team should meet with a senior employee from the relevant department to agree on the appropriate control.
For example, communications security issues should be discussed with IT, staff awareness issues with HR, and supplier relations with whichever department the third party is working with.
As with all major security decisions, you should run your decisions past senior management.
Once you’ve finalised which controls you should use, you should refer to ISO 27002 to learn more about implementing them.
Before you begin
It’s worth remembering that your RTP must be appropriate to your organisation. Implementing controls takes time, effort and money, so you need to pick your battles carefully.
You almost certainly won’t have the resources to apply controls to every risk, even if they are small controls, such as a new process or policy.
Even a new policy requires a team of people to write and approve it, generate awareness among employees and ensure that the rules are being followed and working as intended.
That’s not to say you should abandon a control if you think that it will be expensive to implement and maintain. However, you should constantly assess whether there’s a less expensive control that could generate similar results.
Help with creating your risk treatment plan
Below is an example of what a risk-based RTP might look like, extracted from our bestselling ISO 27001 ISMS Documentation Toolkit. The toolkit also contains an asset-based RTP template.
Example of the risk treatment plan template included in the ISO 27001 ISMS Documentation Toolkit
Developed by expert ISO 27001 practitioners and used by more than 2,000 clients worldwide, the toolkit includes:
A complete set of mandatory and supporting documentation templates that are easy to use, customisable and fully ISO 27001-compliant;
Helpful gap analysis and project tools to ensure complete coverage of the Standard; and
Direction and guidance from expert ISO 27001 practitioners.
This is a marked improvement on the previous two years, in which 43% (2018) and 46% (2017) of businesses were breached, but it doesn’t tell the full story of the UK’s threat landscape. Although the number of organisations being targeted seems to be decreasing, those that are vulnerable to attacks are experiencing them more often, with two in five organisations saying that they come under threat at least once a month.
The threat is much higher among medium-sized businesses (60% being breached in the past year), large businesses (61%) and high-income charities (52%).
So why is this bad?
The fact that fewer organisations are being targeted by attacks is a major plus. The report says this may be because businesses and charities are going to greater lengths to become cyber secure. For example, it found that:
More businesses (57% vs 51% in 2018) and charities (43% vs 27%) update senior management on their cyber security actions at least once a quarter;
Cyber security policies are becoming more common in businesses (33% vs 27%) and charities (36% vs 21%);
Businesses (56% vs 51%) and charities (41% vs 29%) are more likely to have implemented controls in all five technical areas of the government’s Cyber Essentials scheme;
Staff awareness training is becoming more common in businesses (27% vs 20%) and charities (29% vs 15%);
Charities are getting better (60% vs 46%) at implementing measures such as health checks, audits and risk assessments; and
More medium-sized (31% vs 19%) and large businesses (35% vs 24%) have invested in cyber insurance.
However, the report suggests that it’s not as clear-cut as that, and that the seemingly positive conclusions might be hiding serious failures.
The effects of the GDPR
The report found that 30% of businesses and 36% of charities surveyed have made changes to their cyber security practices as a result of the GDPR. This is an incredibly low figure, given that the Regulation is mandatory and has been in effect for a year.
Even among those that have addressed the GDPR, very few have done so comprehensively. For example:
60% of businesses and charities have created new policies;
15% of businesses and 17% of charities have had extra staff training and communications;
11% of businesses and 4% of charities changed firewall or system configurations; and
6% of businesses and 10% of charities have created new business continuity or disaster recovery plans.
This suggests that, although the GDPR has benefited the small proportion that have implemented its requirements (at least partially), the majority of organisations have done little if anything to improve their cyber security practices.
This is probably a major reason that cyber attacks are becoming focused on a select group of organisations. Those that have implemented the GDPR’s requirements have protected themselves from most attacks, forcing cyber criminals to seek out more vulnerable targets.
The trend might also be explained by a change in the way organisations interpreted the survey’s questions. The government suggests that some organisations fear the repercussions of GDPR violations and might not admit to suffering cyber security breaches.
If this is true, those organisations are only making life harder for themselves. The GDPR was designed to improve transparency and make organisations take responsibility for cyber security.
Organisations that own up to data breaches (provided they weren’t caused by major security failures) have little to fear. Regulators and the public are becoming a lot more forgiving, and incidents occur with such regularity that they are practically inevitable.
However, that leniency is based on the assumption that organisations will be honest when it comes to their security measures. You can try to hide your security failures, but regulators will almost certainly discover them and levy severe fines.
Demonstrate your GDPR compliance with our documentation toolkit
One of the most important steps you can take to become transparent and accountable for your data protection practices is to document them.
The Regulation specifies that organisations must be able to demonstrate that they have adopted the necessary technical and organisational security measures, which means keeping a list of everything you’ve done, justifying why it’s been done and how often you’ve reviewed your measures.
This is a big task, but you can simplify it with our GDPR Documentation Toolkit. It contains more than 80 indispensable policies, procedures, forms, schedules and guidance documents written by our expert practitioners, which you can use to prove that you have met the GDPR’s requirements.
Few would dispute the idea that an effective cybersecurity profile requires candid assessments of potential vulnerabilities. Here’s a closer look at the challenges facing the federal cybersecurity mission and the efforts of state-level agencies.
Federal
Though the federal government demonstrates an ongoing commitment to ramping up its cybersecurity mission with annual spending in the tens […]
One in three UK companies fell victim to cyber attacks in 2018, with the majority of the damage occurring in small businesses, according to a report by Beaming.
The study found that cyber crime cost UK organisations £17.8 billion last year, of which £13.6 billion came from small businesses.
The average cost of a cyber attack for small businesses was £65,000 per victim. This accounts for damaged assets, financial penalties and business downtime.
Small businesses are becoming more vulnerable
Large organisations have always been the most likely target of cyber attacks. That remains true, according to Beaming’s study, with 70% of large organisations falling victim to an attack in 2018, compared to 63% of small organisations. However, in 2017 only 47% of small organisations were attacked, meaning the gap is narrowing.
That, along with the fact that small organisations make up the majority of UK businesses, explains why they contributed so much towards the cost of cyber crime last year. After all, multiple small breaches are more expensive to handle than one incident affecting the same number of people because standard processes – like detection and breach notification – are largely the same regardless of the scale of the incident.
Sonia Blizzard, managing director of Beaming, said: “Our research shows that cyber criminals don’t care how big your business is, everyone is a potential victim and the cost of an attack can be devastating. Larger businesses fall victim at the greatest rate because they have more people and more potential sources of vulnerability.
“However, they also tend to have multiple layers of protection in place to limit the spread of an attack and are able to recover more quickly after one.
“Small businesses are trusting more data to the cloud and accessing it from lots of locations. This provides greater flexibility and efficiencies, but also adds to the importance of ensuring data is held and transported securely.
“A specialist ISP can help here by managing a network with the security of business traffic in mind, assisting with the implementation of additional security measures such as managed firewalls and providing advice to clients to enhance the protection on offer. When choosing cloud products, businesses should ensure they have the right connectivity to go with it.”
Other common passwords include people’s names (‘ashley’, ‘michael’, ‘daniel’, ‘jessica’ and ‘charlie’ were the most used), football teams and, bizarrely, the pop punk act ‘blink-182’.
But rather than simply castigate the British public for their ineptitude when selecting login credentials, the NCSC provides some much-needed advice on how we can better secure our accounts.
How to make your passwords stronger
When creating passwords, many experts advise using a combination of letters, numbers and special characters (which might explain the interest in Blink-182). However, the NCSC suggests that we might be better off with a combination of three random words.
The reason for this is simple. Despite the requirement for a mix of characters, most systems only require that passwords be six characters long. This might seem to be more than enough – a combination of 26 letters, 10 numerals and 33 special characters gives you 107 billion possible permutations – but reality rarely plays out this way.
For example, the number ‘1’ appears far more often than any other number, and the special character (for there is typically only one) is almost always ‘-‘. Most of us have therefore given crooks a decent shot at two characters in our passwords – and they’ll typically be the last two characters.
If you try to outsmart crooks by gorging yourself on special characters, using passwords like ‘a3g^%s’, you’ve only made life harder for yourself. The password is almost impossible to memorise, and criminal hackers are aware of common substitutions, factoring them in when trying to access accounts.
However, as the NCSC advises, you can make your password much stronger simply by making it longer. Each additional letter you use makes your password 26 times harder to crack, meaning a ten-character password that uses letters alone has 141 trillion combinations.
To put it another way, How Secure Is My Password? predicts that the seemingly complex phrase ‘a3g^%s’ could be cracked in 400 milliseconds, whereas a ten-letter combination of three words, like ‘hardtocrack’, would take about a day.
That’s a decent result, but with the number of crooks in the wild churning through passwords, you can do better. Make your password a little longer, like ‘typingmypassword’, and you have a phrase that could take 35,000 years to crack – and that’s with the concession of making your password a literal description of itself.
Anyone capable of conjuring up three genuinely random words could create a password that would take trillions of years to crack without having to compromise on memorability.
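The arithmetic behind the figures above (69^6 ≈ 107 billion, 26^10 ≈ 141 trillion, each extra letter multiplying the work by 26) is worth seeing side by side with the three-random-words approach, where the strength comes from the size of the word list rather than from character classes. The script below is an added example, not from the NCSC or the original post. The guess rate is an assumed round figure for an offline attack against a fast hash, and the ten-word list is a constructed stand-in for a real list of several thousand words.

```python
"""Keyspace, entropy and brute-force cost for the password shapes in the post.

Added example, not from the NCSC or the original article. The guess rate is
an assumed round figure for an offline attack against a fast hash; real
rates depend on the hash function, salting and the attacker's hardware.
"""
import math
import secrets

LOWER = 26                            # a-z only
DIGITS = 10
SPECIAL = 33                          # printable ASCII punctuation
FULL_SET = LOWER + DIGITS + SPECIAL   # the 69-character set from the post

ASSUMED_GUESSES_PER_SECOND = 1e11     # constructed assumption, not a measurement


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy if every character is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate of this shape."""
    return keyspace(alphabet_size, length) / guesses_per_second


def length_gain(alphabet_size: int) -> int:
    """Factor by which one extra character multiplies the search space."""
    return keyspace(alphabet_size, 2) // keyspace(alphabet_size, 1)


def compare_policies(guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> list:
    """Rows of (label, keyspace, entropy bits, seconds to exhaust)."""
    shapes = [
        ("6 chars, 69-char set", FULL_SET, 6),
        ("10 lower-case letters", LOWER, 10),
        ("16 lower-case letters", LOWER, 16),
    ]
    return [(label, keyspace(a, n), entropy_bits(a, n),
             seconds_to_exhaust(a, n, guesses_per_second)) for label, a, n in shapes]


# Three random words: strength comes from the word list size and the word
# count, not from character classes. Tiny constructed list for illustration.
SAMPLE_WORDS = ["harbour", "copper", "lantern", "meadow", "sprocket",
                "velvet", "quartz", "badger", "nimbus", "tundra"]


def three_random_words(wordlist=SAMPLE_WORDS, count: int = 3) -> str:
    """Passphrase of `count` words drawn with a CSPRNG (words may repeat)."""
    return "".join(secrets.choice(wordlist) for _ in range(count))


def words_keyspace(wordlist_size: int, count: int = 3) -> int:
    """Candidates an attacker who knows the word list must try."""
    return wordlist_size ** count


if __name__ == "__main__":
    for label, space, bits, secs in compare_policies():
        print(f"{label:24s} {space:>28,d}  {bits:5.1f} bits  {secs / 86400 / 365:.3g} years")
    print("example passphrase:", three_random_words())
```

Two things the numbers make plain: the sixteen-letter row dwarfs the six-character "complex" row at any guess rate, and an attacker who knows you chose three words from a 7,776-word list still faces 7,776^3 candidates, which is more than the whole 69^6 space. The crack times the post quotes from How Secure Is My Password? assume that site's own guess rate; change `ASSUMED_GUESSES_PER_SECOND` to see how the ranking holds while the absolute times move.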
A version of this blog was originally published on 25 June 2018.
Anyone interested in getting into or advancing their career in cyber security probably knows that they will need training and qualifications. But given that the field is so broad, how are you supposed to decide which course is right for you?
A lead implementer takes charge of an organisation’s ISO 27001 compliance project. They are responsible for the big decisions, such as setting out the ISMS’s scope, and for ensuring the Standard’s requirements have been addressed.
What you learn: The nine key steps involved in planning, implementing and maintaining an ISO 27001-compliant ISMS.
Who it’s for: This course should be attended by the person responsible for ISO 27001 compliance (typically the CISO) and the person leading the project (this might be the same person). You’ll need a solid understanding of ISO 27001’s risk assessment process, and should have already taken a foundation-level ISO 27001 course.
A lead auditor can work internally or audit a second or third party’s ISMS. Their expertise is usually required when the organisation is seeking ISO 27001 certification, or if a partner organisation requests a supply chain audit.
What you learn: The first half of the course teaches you about auditing in general, and the second half covers best-practice advice for how to audit an ISMS.
Who it’s for: Anyone who wants the responsibility for implementing and maintaining their organisation’s ISMS. It’s also suitable for those who want to work for a specific auditing organisation, such as the BSI.
An internal auditor assesses the effectiveness of the organisation’s ISMS (information security management system) and whether it meets the requirements of ISO 27001, reporting their findings to senior management.
What you learn: The course begins with an introduction to ISO 27001 and how auditing fits into the compliance process, before explaining how to plan for and execute an internal audit.
Who it’s for: It’s ideal for compliance managers, but it’s obviously suitable for anyone interested in conducting internal audits. You should have a decent understanding of ISO 27001, but your main strengths should be in policy reviews.
Length: Two days
What are the differences between these courses?
Even though each of these courses covers similar areas, they are geared towards specific job roles. Take the internal and lead auditor courses as an example.
An internal auditor could be an employee within the organisation (hence ‘internal’), but they ideally wouldn’t have played a major role in the ISMS’s implementation. Otherwise they are being asked to find faults in their own work, which they might be reluctant to do.
Meanwhile, a lead auditor will have the specialist knowledge required to conduct second- or third-party audits. Although the tasks involved in these two roles are similar, the day-to-day work is very different. Whereas an internal auditor only has to be familiar with their organisation’s ISMS, a lead auditor who works for an auditing company deals with many organisations and interacts with even more people.
Then we come to the lead implementer course, which teaches you how to fulfil a completely different job role. Lead implementers are the heart of the team that puts the ISMS together. As with auditors, they need a strong understanding of ISO 27001’s compliance requirements, but their job focuses on how to meet those requirements, as opposed to reviewing whether they have been implemented correctly.
Of course, consultants will need to be implementation and auditing experts. They should therefore consider our ISO27001 Lead Implementer and Lead Auditor Combination Course, which covers everything you’d learn on each course separately. You’ll move straight from one topic to the other, helping you solidify your knowledge and understand how the two roles interact.
Interested in other ISO 27001 training courses?
These courses are just the beginning when it comes to ISO 27001 training, so if you’re not sure which course is right for you, why not take a look at IT Governance’s full range of training options?
With a variety of courses available in classroom, Live Online and distance learning format, we have you covered, whether you’re an information security beginner or looking for the right qualification to boost your career.
Several experts believe the UK’s astounding resilience to ransomware is a direct result of 2017’s WannaCry attack. The ransomware tore through organisations across the globe but struck most acutely in the UK – at the NHS in particular.
The attack did little to demonstrate the financial appeal of ransomware for crooks. The incident became so high profile that most organisations learned that it wasn’t worth paying the ransom, and those behind the attack struggled to recoup the money that was paid into their Bitcoin account.
Likewise, the attack didn’t provide an accurate reflection of how incidents normally play out. The malware is usually most successful when it stays under the radar and catches out organisations that lack backup protocols, thereby seemingly forcing them to comply with the blackmailer’s request.
However, WannaCry taught the UK two huge lessons – that ransomware is dangerous and that organisations need to plan for it.
The attack prompted the UK government, along with the National Cyber Security Centre and UK-based businesses, to confront ransomware head on.
“Most of the vendors in the UK and their customers put solutions in place to protect against multiple family variants of ransomware,” said Conner.
There are two key steps to protecting your organisation from ransomware. First, you should regularly back up your important files. This enables you to delete infected files and restore them from backups.
The process will take a long time – often more than 24 hours – but the loss in productivity will almost certainly be less costly than paying a ransom. Plus, you need to factor in issues other than simply the cost of returning to business. There’s the possibility that crooks won’t keep their word once you’ve paid up. Equally, there’s the risk that complying with their demands has made you a target for future attacks.
It’s therefore always advisable to restore from backups where possible rather than paying a ransom.
Of course, it’s even better if you don’t get infected at all, and the best way to do that is to boost staff awareness of ransomware. That brings us to the second key step to protecting your organisation.
Most ransomware (and malware generally) is delivered via phishing scams. Cyber criminals plant the malicious code in an attachment and trick employees into downloading it. If you can train your staff to spot a malicious email and report it, you can dramatically reduce the risk of becoming infected.
This ten-minute course introduces employees to the threat of phishing and ransomware, and describes the link between the two. Armed with this knowledge, your staff will be able to detect suspicious emails and know how to respond.
Thirty years ago, Tim Berners-Lee set out to accomplish an ambitious idea – the World Wide Web. While most of us take this invention for granted, we have the internet to thank for the technological advances that make up today’s smart home. From smart plugs to voice assistants – these connected devices have changed the modern consumer digital lifestyle dramatically. In 2019, the Internet of Things dominates the technological realm we have grown accustomed to – which makes us wonder, where do we go from here? Below, we take a closer look at where IoT began and where it is headed.
A Connected Evolution
Our connected world started to blossom with our first form of digital communication in the late 1800s – Morse code. From there, technological advancements like the telephone, radio, and satellites made the world a smaller place. By the time the 1970s came about, email became possible through the creation of the internet. Soon enough the internet spread like wildfire, and in the 1990s we got the invention of the World Wide Web, which revolutionized the way people lived around the world. Little did Berners-Lee know that his invention would be used decades, probably even centuries, later to enable the devices that contribute to our connected lives.
Just ten years ago, there were less than one billion IoT devices in use around the world. In the year 2019, that number has been projected to skyrocket to over eight billion throughout the course of this year. In fact, it is predicted that by 2025, there will be almost twenty-two billion IoT devices in use throughout the world. Locks, doorbells, thermostats and other everyday items are becoming “smart,” while security for these devices is lacking quite significantly. With these devices creating more access points throughout our smart homes, it is comparable to leaving a backdoor unlocked for intruders. Without proper security in place, these devices, and by extension our smart homes, are vulnerable to cyberattacks.
Moving Forward with Security Top of Mind
If we’ve learned one thing from this technological evolution, it’s that we aren’t moving backward anytime soon. Society will continue to push the boundaries of what is possible – like taking the first picture of a black hole. However, in conjunction with these advancements, to steer in the right direction, we have to prioritize security as well as ease of use. For these reasons, it’s vital to have a security partner that you can trust, that will continue to grow to fit not only evolving needs but evolving technologies, too. At McAfee, we make IoT device security a priority. We believe that when security is built in from the start, user data is more secure. Therefore, we call on manufacturers, users, and organizations to all equally do their part to safeguard connected devices and protect precious data. From there, we can all enjoy these technological advancements in a secure and stress-free way.
Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.
As I reflect upon my almost 40 years as a cyber security professional, I think of the many instances where the basic tenets of cyber security—those we think have common understanding—require a lot of additional explanation. For example, what is a vulnerability assessment? If five cyber professionals are sitting around a table discussing this question, you will end up with seven or eight answers. One will say that a vulnerability assessment is vulnerability scanning only. Another will say an assessment is much bigger than scanning, and addresses ethical hacking and internal security testing. Another will say that it is a passive review of policies and controls. All are correct in some form, but the answer really depends on the requirements or criteria you are trying to achieve. And it also depends on the skills and experience of the risk owner, auditor, or assessor. Is your head spinning yet? I know mine is! Hence the “three parts art.”
There is quite a bit of subjectivity in the cyber security business. One auditor will look at evidence and agree you are in compliance; another will say you are not. If you are going to protect sensitive information, do you encrypt it, obfuscate it, or segment it off and place it behind very tight identification and access controls before allowing users to access the data? Yes. As we advise our client base, it is essential that we have all the context necessary to make good risk-based decisions and recommendations.
Let’s talk about Connection’s artistic methodology. We start with a canvas that has the core components of cyber security: protection, detection, and reaction. By addressing each of these three pillars in a comprehensive way, we ensure that the full conversation takes place about how people, process, and technology all work together to provide a comprehensive risk strategy.
People: Users understand threat and risk, and know what role they play in the protection strategy. For example, if you see something, say something. Don’t let someone surf in behind you through a badge check entry. And don’t think about trying to shut off your end-point anti-virus or firewall.
Policy: Policies are established, documented, and socialized. For example, personal laptops should never be connected to the corporate network. Also, don’t send sensitive information to your personal email account so you can work from home.
Some examples of the barriers used to deter attackers and breaches are edge security with firewalls, intrusion detection and prevention, sandboxing, and advanced
The mean time to identify an active incident in a network is 197 days. The mean time to contain an incident is 69 days. Incident response teams need to be identified and trained, and all employees need to be trained on the concept of “if you see something, say something.” Detection is a proactive process.
What happens when an alert occurs? Who sees it? What is the documented process for taking action?
What is in place to ensure you are detecting malicious activity? Is it configured to ignore noise and only alert you of a real event? Will it help you bring that 197-day mean time to detection way down?
What happens when an event occurs? Who responds? How do you recover? Does everyone understand their role? Do you war game to ensure you are prepared WHEN an incident occurs?
What is the documented process to reduce the kill chain—the mean time to detect and contain—from 69 days to 69 minutes? Do you have a Business Continuity and Disaster Recovery Plan to ensure the ability to react to a natural disaster, a significant cyber breach such as ransomware, DDoS, or—dare I say it—a pandemic?
What cyber security consoles have been deployed that allow quick access to patch a system, change a firewall rule, switch ACL, or policy setting at an end point, or track a security incident through the triage process?
All of these things are important to create a comprehensive InfoSec Program. The science is the technology that will help you build a layered, in-depth defense approach. The art is how to assess the threat, define and document the risk, and create a strategy that allows you to manage your cyber risk as it applies to your environment, users, systems, applications, data, customers, supply chain, third party support partners, and business
More Art: Are You a Risk Avoider or Risk Transference Expert?
A better way to state that is, “Do you avoid all risk responsibility or do you give your risk responsibility to someone else?” Hint: I don’t believe in risk avoidance or risk transference.
Yes, there is an art to risk management. There is also science if you use, for example, the Carnegie Mellon risk tools. But a good risk owner and manager documents risk, prioritizes it by risk criticality, turns it into a risk register or roadmap plan, remediates what is necessary, and accepts what is reasonable from a business and cyber security perspective. Oh, by the way, those same five cyber security professionals we talked about earlier? They have 17 definitions of risk.
As we wrap up this conversation, let’s talk about the importance of selecting a risk framework. It’s kind of like going to a baseball game: the program helps you know the players and the stats. What framework will you pick? Do you paint in watercolors or oils? Are you a National Institute of Standards and Technology (NIST) artist, an International Organization for Standardization (ISO) artist, or have you developed your own framework like the Nardone puzzle chart? I developed this several years ago when I was the CTO/CSO of the Commonwealth of Massachusetts. It has been artistically enhanced over the years to incorporate more security components, but it is loosely coupled to the NIST 800-53 and ISO 27001 standards.
When it comes to selecting a security framework as a CISO, I lean towards the NIST Cyber Security Framework (CSF) pictured below. This framework is comprehensive, and provides a scoring model that allows risk owners to measure and target what risk level they believe they need to achieve based on their business model, threat profile, and risk tolerance. It has five functional focus areas. The ISO 27001 framework is also a very solid and frequently used model. Both of these frameworks can result in a Certificate of Attestation demonstrating adherence to the standard. Many commercial corporations do an annual ISO 27001 assessment for that very reason. More and more are leaning towards the NIST CSF, especially commercial corporations doing work with the government.
The art in cyber security is in the interpretation of the rules, standards, and requirements that are primarily based on a foundation in science in some form. The more experience one has in the cyber security industry, the more effective the art becomes. As a last thought, keep in mind that Connection’s Technology Solutions Group Security Practice has over 150 years of cyber security expertise on tap to apply to that art.
If that's the case, let's talk - I'd like to respectfully ask the entire RSA Conference just 1 simple cyber security question -
Question: What lies at the very foundation of cyber security and privileged access of not just the RSAs, EMCs, Dells, CyberArks, Gartners, Googles, Amazons, Facebooks and Microsofts of the world, but also at the foundation of virtually all cyber security and cloud companies and at the foundation of over 85% of organizations worldwide?
For those who may not know the answer to this ONE simple cyber security question, the answer's in line 1 here.
For those who may know the answer, and I sincerely hope that most of the world's CIOs, CISOs, Domain Admins, Cyber Security Analysts, Penetration Testers and Ethical Hackers know the answer, here are 4 simple follow-up questions -
Q 1. Should your organization's foundational Active Directory be compromised, what could be its impact?
Q 2. Would you agree that the (unintentional, intentional or coerced) compromise of a single Active Directory privileged user could result in the compromise of your organization's entire foundational Active Directory?
Q 3. If so, then do you know that there is only one correct way to accurately identify/audit privileged users in your organization's foundational Active Directory, and do you possess the capability to correctly be able to do so?
Q 4. If you don't, then how could you possibly know exactly how many privileged users there are in your organization's foundational Active Directory deployment today, and if you don't know so, ...OMG... ?!
You see, if even the world's top cyber security and cloud computing companies themselves don't know the answers to such simple, fundamental Kindergarten-level cyber security questions, how can we expect 85% of the world's organizations to know the answer, AND MORE IMPORTANTLY, what's the point of all this fancy peripheral cyber security talk at such conferences when organizations don't even know how many (hundreds if not thousands of) people have the Keys to their Kingdom(s)?!
Today Active Directory is at the very heart of Cyber Security and Privileged Access at over 85% of organizations worldwide, and if you can find me even ONE company at the prestigious RSA Conference 2019 that can help organizations accurately identify privileged users/access in 1000s of foundational Active Directory deployments worldwide, you'll have impressed me.
Those who truly understand Windows Security know that organizations can neither adequately secure their foundational Active Directory deployments nor accomplish any of these recent buzzword initiatives like Privileged Access Management, Privileged Account Discovery, Zero-Trust etc. without first being able to accurately identify privileged users in Active Directory.
Today's post is for all executives worldwide who comprise the C-Suite at thousands of organizations worldwide.
I pen today's post with profound respect for all executives worldwide, because I understand first-hand just how important the nature of their responsibilities is, how valuable their time is, and how far-reaching the consequences of their decisions are.
A quick footnote for all C*Os : In case you're wondering who I am to be penning this, I'm former Microsoft Program Manager for Active Directory Security. Relevance? Microsoft's Active Directory is the foundation of your entire organization's cyber security. Finally, like you, I also happen to be the CEO of a $ Billion+ company.
Today's post is in the form of a simple letter, that follows (below.)
Subject - Cyber Security 101 for the C-Suite
To: Chairmen, CEOs and CFOs Worldwide
Hi, I'm Sanjay, former Microsoft Program Manager for Active Directory Security, but more importantly a sincere well-wisher who cares deeply about cyber security, and who just happens to know a thing or two about the very technology that lies at the very foundation of cyber security of your ($ Billion to $ Trillion) organization, and those of 85% of all organizations worldwide.
I write to you to bring to your attention a matter of paramount importance to your organization's foundational security.
Context - Foundational Security
Today we all engage in business in what is essentially a global digital village, wherein just about every aspect of business, whether it be production, marketing, sales, customer service, collaboration, finance etc. substantially relies on technology.
Within our respective organizations, it is our IT infrastructure that enables and empowers our workforce to engage in business.
For instance, we all (including us C*Os) log on to a computer every day, send and receive email, and create, share and access digital assets (e.g. documents, applications, services etc.) all of which are securely stored on our organizational computers.
It is only logical then that ensuring the security of the very IT infrastructure that enables and empowers our entire workforce to engage in business digitally, and the security of our digital assets is vital. In other words, cyber security is very important.
Now, if I told you that at the very foundation of your entire IT infrastructure, and consequently at the very foundation of the security of all your digital assets lay a single high-value asset, then I think you'd agree that its security would be paramount.
At the very foundation of your organization's IT infrastructure and that of its cyber security, and by corollary the cyber security of the entirety of all your digital assets (e.g. thousands of computers, thousands of employee user accounts and passwords, every single organizational email sent and received every minute of every day, all your applications, services, Intranet portals, Internet facing applications etc.) as well as the entirety of your organization's data, lies a single technology - Microsoft Active Directory.
Most simply put, Active Directory is the database that contains, stores and protects the entirety of your organization's building blocks of cyber security - each one of thousands of user accounts and their passwords, each one of thousands of computer accounts (for all laptops, desktops, servers etc.), each one of thousands of security groups that protect all your data etc. etc.
If your organization's Active Directory were compromised, everything would immediately be exposed to the risk of compromise.
Thus as you'll hopefully agree, ensuring the security of your organization's foundational Active Directory is well, paramount.
A Provable Concern - Inadequate Protection
Now, you might most likely be thinking - Well, if that's the case, I'm sure that our CIO, our CISO and their world-class IT and Cyber Security teams know all this, and have it adequately taken care of, so why should I be concerned?
Here's why you should be concerned - In all likelihood, not only may your world-class IT and Cyber Security teams not have this adequately covered, they may have yet to realize just how very important, and in fact paramount Active Directory security is.
Further, they likely may not know what it actually takes to adequately secure your organization's foundational Active Directory.
Now, as incredible as that may sound, you have to trust me on this, not because I'm asking you to do so as a concerned well-wisher, but because I'm asking you to do so as arguably the world's #1 subject matter expert on Active Directory Security.
You see, prior to doing what I currently do, I was Microsoft's subject matter expert for Active Directory Security on Microsoft's Windows Server Development team. In case you're curious as to what I currently do with all this knowledge, well, it's this.
As the world's leading subject matter expert on Active Directory Security, I would highly encourage you to ask your IT and Cyber Security leadership, specifically your CIO and your CISO, just how secure they think your organization's Active Directory is.
Simple Proof - You Just Have to Ask
When you ask them about it, please do request specific answers, and here are 7 simple questions you can ask them, the answers to which will give you an indication of just how secure your organization's Active Directory actually is today -
Is the security of our foundational Active Directory deployment a top cyber security priority today?
I could suggest 50 such elemental cyber security questions, but for now these 7 simple, precise questions will suffice as there are only 2 possibilities here - either your IT and cyber security leadership have exact answers to these questions, or they don't.
If they can't give you exact answers to these questions, your organization's Active Directory is not secure - it's as simple as that.
They might tell you that this is complicated or that they have a good approximation, or that this is very difficult to do, or that they have many other latest buzzword measures like Active Directory Auditing, Privileged Access Management, ATA, Just-in-Time Administration etc. in place, but none of that matters, because the truth is simple - they either have exact answers, or they don't.
(These questions are paramount to cyber security, and today there exists technology that can enable every organization in the world to answer them precisely, but because Microsoft likely forgot to adequately educate its customers, your IT personnel may likely not even know the importance of these paramount questions, let alone knowing what it takes to correctly answer them.)
If a $Billion+ organization doesn't even know exactly who has what privileged access in their Active Directory, as well as exactly who can manage each one of their privileged accounts and groups, how could their Active Directory possibly be secure?
If an organization's foundational Active Directory is not secure, how can the entirety of the organization's digital (IT) assets be secure, and if that's not the case, how could an organization possibly be considered secure from a cyber security perspective?
As a member of the C-Suite, you not only have the privilege of being able to impact vital change in your organization, you also have the responsibility and the authority to demand and ensure the cyber security of the very foundation of your organization.
As a C*O, one of the most important responsibilities you shoulder is ensuring that your organization is secure, and ensuring that the very foundation of your organization's IT infrastructure and cyber security are always adequately protected, is paramount.
The Likely Reason (Optional Reading)
Here's the likely reason for why such a common-sense yet paramount matter may not be on your CIO's and CISO's radar yet.
You see, your CIO and CISO shoulder great responsibility. Unfortunately, amongst many other things, they're likely also being guided by inputs from a 1000 cyber security companies, who unfortunately may not be the best source of objective guidance.
For instance, consider CyberArk, a highly respected $ Billion+ cyber security company, that claims that over 50% of the Fortune 100's CISOs rely on them. As a subject matter expert, I can tell you that CyberArk itself may not know how to correctly assess privileged access in an Active Directory, so you see, unfortunately your CIO and CISO may not be getting the best guidance.
CyberArk is absolutely correct that "Privilege is Everywhere." However, those who know Windows Security will tell you that in a Windows network powered by Active Directory, the majority of all privileged access (delegated & unrestricted) lies inside Active Directory, but CyberArk doesn't seem to have the capability to correctly audit privileged access inside Active Directory.
The majority of all Privileged Access, including the "Keys to the Kingdom", resides inside Active Directory
CyberArk isn't alone. As unbelievable as it may sound, today even Microsoft doesn't seem to know what it takes to do so, let alone possessing the capability to help its customers correctly do so. In fact, most of the world's top IT Consulting, Audit, Cloud and Cyber Security companies also operate on Active Directory, and they too likely have neither a clue nor the capability to accurately determine exactly who has what privileged access in their own foundational Active Directory deployments.
You may find this hard to believe, but of the 1000+ cyber security companies exhibiting or presenting at the upcoming RSA Conference 2019, not a single one of them can help your organization's IT personnel fulfill such a fundamental yet paramount cyber security need - finding out exactly who has what privileged access in your organization's foundational Active Directory.
In their defense, I'll say this - if it were easy, they would've all done it by now. Unfortunately, as paramount as it is, it's not easy. Thus, I know what your CIO and CISO may perhaps not yet know, or understand the paramount importance of, which is that of all the things that need to be secured, none could possibly be more important than securing your organization's foundational Active Directory, so I thought I'd share this with you, because as a member of the C-Suite, you could provide them strategic guidance and the executive support that their teams need to accomplish this paramount objective for your organization.
I only wrote this letter because we're all in this together, and I care deeply about foundational cyber security, as hopefully do you, and I felt that I could perhaps help bridge the gap between those tasked with the great responsibility of securing Active Directory (i.e. your IT personnel) and those whose executive support they need to be able to do so (i.e. you, the C-Suite.)
If any of what I shared above made sense, I would encourage you to embrace my suggestions earnestly, and act upon them, and if needed, I can prove and demonstrate every thing I've shared above, and you should feel free to take me up on this.
As for myself, all I can say is that today my work and knowledge silently help secure and defend so many of the world's most important organizations across six continents worldwide.
In days to come, I'm going to answer both, the most important, and the second most important question in all of Cyber Security
Today though, I just wanted to ask a simple (rhetorical) cyber security question, so that CEOs, CIOs, CISOs and IT Directors at organizations worldwide realize just what lies at the very foundation of the cyber security of their multi-billion $ organizations.
Consequently, it logically follows that all organizations that operate on Microsoft Active Directory are only as secure as are their foundational Active Directory deployments. After all, no matter how tall, every skyscraper is only as strong as its foundation.
In days to come, I'll share with you just how secure foundational Active Directory deployments are worldwide today - right here.
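The posts above ask two concrete questions: who is effectively a member of the privileged Active Directory groups, and who can change that membership. The following added example (my code, not the author's or any vendor's) answers both over a constructed, invented directory snapshot; in a real audit the two maps would be populated from the directory itself (each group's member attribute and the principals granted the Write Members permission in its ACL), and the page's argument that group membership alone understates privileged access still stands.

```python
"""Added example, not the author's or any vendor's code: an audit of who is
*effectively* a member of the privileged Active Directory groups, and who
can change their membership, over a constructed directory snapshot.

The snapshot is invented for illustration. In a real audit the two maps
would be filled from the directory: each group's 'member' attribute, and
the principals granted the 'Write Members' permission on each group."""

from collections import deque

# Constructed: group -> direct members (user names or other group names).
SNAPSHOT_MEMBERS = {
    "Administrators": {"Domain Admins", "Enterprise Admins", "bob"},
    "Domain Admins": {"alice", "Tier0-Ops"},
    "Enterprise Admins": {"alice"},
    "Tier0-Ops": {"carol", "Backup-Operators-Nested"},
    "Backup-Operators-Nested": {"dave", "Tier0-Ops"},  # nesting cycle, on purpose
    "Helpdesk": {"erin"},
}

# Constructed: group -> principals holding 'Write Members' on that group.
SNAPSHOT_WRITE_MEMBERS = {
    "Domain Admins": {"Domain Admins"},
    "Tier0-Ops": {"Helpdesk"},             # delegated right, easy to overlook
    "Backup-Operators-Nested": {"frank"},
}

PRIVILEGED_GROUPS = ("Administrators", "Domain Admins", "Enterprise Admins")


def effective_members(group, members):
    """Return (users, groups) reachable from `group` through nested groups.
    A breadth-first walk with a visited set tolerates membership cycles."""
    seen_groups, users = set(), set()
    queue = deque([group])
    while queue:
        g = queue.popleft()
        if g in seen_groups:
            continue
        seen_groups.add(g)
        for m in members.get(g, ()):
            if m in members:        # a nested group: walk into it
                queue.append(m)
            else:                   # a user account
                users.add(m)
    return users, seen_groups


def effective_controllers(group, members, write_members):
    """Users who can change the membership of `group` or of any group nested
    in it; controlling a nested group is controlling the privileged group."""
    _, chain = effective_members(group, members)
    controllers = set()
    for g in chain:
        for principal in write_members.get(g, ()):
            if principal in members:    # a group holds the right: expand it
                controllers |= effective_members(principal, members)[0]
            else:
                controllers.add(principal)
    return controllers


def audit(members, write_members, privileged=PRIVILEGED_GROUPS):
    """Per privileged group: direct users, effective users, the nesting chain,
    and everyone who can modify membership somewhere along that chain."""
    report = {}
    for g in privileged:
        users, chain = effective_members(g, members)
        report[g] = {
            "direct_users": {m for m in members.get(g, ()) if m not in members},
            "effective_users": users,
            "nested_groups": chain - {g},
            "can_modify_membership": effective_controllers(g, members, write_members),
        }
    return report


if __name__ == "__main__":
    for group, row in audit(SNAPSHOT_MEMBERS, SNAPSHOT_WRITE_MEMBERS).items():
        print(group)
        for key, value in row.items():
            print(f"  {key:22} {sorted(value)}")
```

In the constructed data, Domain Admins has one direct user but three effective members, and a Helpdesk member can add anyone to it through the delegated right on a nested group.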
Hackers are working hard to find new ways to get your data. It’s not surprising that cyber security risk is top of mind for every risk owner, in every industry. As the frequency and complexity of malicious attacks persistently grow, every company should recognize that they are susceptible to an attack at any time—whether it comes as an externally focused attack or a social engineering attack. Let’s take a look at the top 5 risks that every risk owner should be preparing for.
Your Own Users. It is commonly known, in the security industry, that people are the weakest link in the security chain. Despite whatever protections you put in place from a technology or process/policy point of view, human error can cause an incident or a breach. Strong security awareness training is imperative, as well as very effective documented policies and procedures. Users should also be “audited” to ensure they understand and acknowledge their role in policy adherence. One area that is often overlooked is the creation of a safe environment, where a user can connect with a security expert on any issue they believe could be a problem, at any time. Your security team should encourage users to reach out. This creates an environment where users are encouraged to be part of your company’s detection and response. To quote the Homeland Security announcements you frequently hear in airports, “If you see something, say something!” The biggest threat to a user is social engineering—the act of coercing a user to do something that would expose sensitive information or a sensitive system.
Phishing. Phishing ranks number three in both the 2018 Verizon Data Breach Investigations Report’s Top 20 action varieties in incidents and Top 20 action varieties in breaches. These statistics can be somewhat misleading. For example, the first item on the Top 20 action varieties in breaches list is the use of stolen credentials; number four is privilege abuse. What better way to execute both of those attacks than with a phishing scam? Phishing coerces a user through email to either click on a link disguised as a legitimate business URL, or open an attachment disguised as a legitimate business document. When the user clicks or opens either, bad things happen: malware is downloaded onto the system, or connectivity to a Command and Control server on the Internet is established. All of this is done using standard network communication and protocols, so the ecosystem is none the wiser, unless sophisticated behavioral or AI capabilities are in place. What is the best form of defense here? 1.) Do not run your user systems with administrative rights, since doing so allows any malicious code to execute at root-level privilege, and 2.) Train, train, and re-train your users to recognize a phishing email, or more importantly, to recognize an email that could be a phishing scam, and then to ask the right security resources for help. The best mechanism for training is to run safe, targeted phishing campaigns to verify user awareness, either internally or with a third-party partner like Connection.
Ignoring Security Patches. One of the most important functions any IT or IT Security Organization can perform is to establish a consistent and complete vulnerability management program. This includes the following key functions:
Select and manage a vulnerability scanning system to proactively test for flaws in IT systems and applications.
Create and manage a patch management program to guard against vulnerabilities.
Create a process to ensure patching is completed.
Most malicious software is created to target missing patches, especially Microsoft patches. We know that WannaCry and Petya, two devastating attacks, targeted systems that were missing Microsoft MS17-010. Eliminating the “low-hanging fruit” from the attacker’s strategy, by patching known and current vulnerabilities or flaws, significantly reduces the attack surface for the risk owner.
Partners. Companies spend a lot of time and energy on Information Security Programs to address external and internal infrastructures, exposed Web services, applications and services, policies, controls, user awareness, and behavior. But they ignore a significant attack vector, which is the partner channel, whether it be a data center support provider or a supply chain partner. We know that high-profile breaches have been executed through third-party channels, Target being the most prominent. The Target breach was a classic supply chain attack, in which Target was compromised through one of its HVAC vendors. Company policies and controls must extend to all third-party partners that have electronic or physical access to the environment. Ensure your Information Security Program includes all third-party partners or supply chain sources that connect to or visit your enterprise. The NIST Cyber Security Framework has a great assessment strategy, with which you can evaluate your susceptibility to this often-overlooked risk.
Data Security. In this day and age, data is the new currency. Malicious actors are scouring the Internet and Internet-exposed corporations to look for data that will make them money. The table below, from the Ponemon Institute’s 2018 Cost of a Data Breach Report, shows the cost to a company per record lost in a data breach.
Cost for a Single Record Data Breach
The Bottom Line
You can see that healthcare continues to be the most lucrative target for data theft, with $408 per record lost. Finance is nearly half this cost. Of course, we know the reason why this is so. A healthcare record has a tremendous amount of personal information, enabling the sale of more sensitive data elements, and in many cases, can be used to build bullet-proof identities for identity theft. The cost of a breach in the US, regardless of industry, averages $7.9 million per event. The cost of a single lost record in the US is $258.
I Can’t Stress It Enough
Data security should be the #1 priority for businesses of all sizes. To build a data protection strategy, your business needs to:
Define and document data security requirements
Classify and document sensitive data
Analyze security of data at rest, in process, and in motion
Pay attention to sensitive data like PII, ePHI, EMR, financial accounts, proprietary assets, and more
Identify and document data security risks and gaps
Execute a remediation strategy
Because it’s a difficult issue, many corporations do not address data security. Unless your business designed classification and data controls from day one, you are already well behind the power curve. Users create and have access to huge amounts of data, and data can exist anywhere—on premises, user laptops, mobile devices, and in the cloud. Data is the common denominator for security. It is the key thing that malicious actors want access to. It’s essential to heed this warning: Do Not Ignore Data Security! You must absolutely create a data security protection program, and implement the proper policies and controls to protect your most important crown jewels.
Cyber criminals are endlessly creative in finding new ways to access sensitive data. It is critical for companies to approach security seriously, with a dynamic program that takes multiple access points into account. While it may seem to be an added expense, the cost of doing nothing could be exponentially higher. So whether it’s working with your internal IT team, utilizing external consultants, or a mix of both, take steps now to assess your current situation and protect your business against a cyber attack. Stay on top of quickly evolving cyber threats. Reach out to one of our security experts today to close your business’s cyber security exposure gap!
2018 marks the 15th year of National Cyber Security Awareness Month (NCSAM). The Internet touches every aspect of our lives, and keeping it safe and secure is everyone’s responsibility. You can make a difference by remaining diligent and staying cyber aware. Be part of something big this month. Learn more, be aware, and get involved.
Connection is an official Champion of NCSAM. We’re dedicating the month of October to spreading the word about the importance of cyber security, and providing tools and resources to help you stay safe and secure online.
Each week during October highlights a different cyber security theme, addressing specific challenges and opportunities for change. Stay tuned for information about the top cyber security threats, careers in cyber security, and why it’s everyone’s job to ensure online safety. What are you doing to keep the Internet safer and more secure? Be sure to check back each week to stay informed, and get tips from our experts about how you can participate in keeping everyone safe online.
Today, to give a hint for the answer to this question, I asked possibly the most important cyber security question in the world, one that directly impacts the foundational security of 1000s of organizations worldwide, and thus one that impacts the financial security of billions of people worldwide -
What's the World's Most Important Active Directory Security Capability?
Given what it is I do, I don't squander a minute of precious time, unless something is very important, and this is very important.
Let me explain why this is so alarming, concerning and so important to cyber security, and why at many organizations (e.g. U.S. Govt., Paramount Defenses etc.), this could've either possibly resulted in, or in itself, be considered a cyber security breach.
Disclaimer: I'm not making any value judgment about Lenovo; I'm merely basing this on what's already been said.
As you know, Microsoft's been brazenly leaving billions of people and thousands of organizations worldwide with no real choice but to upgrade to their latest operating system, Windows 10, which albeit is far from perfect, is much better than Windows Vista, Windows 8 etc., even though Windows 10's default settings could be considered an egregious affront to Privacy.
Consequently, at Paramount Defenses, we too felt that perhaps it was time to consider moving on to Windows 10, so we too figured we'd refresh our workforce's PCs. Now, of the major choices available from amongst several reputable PC vendors out there, Microsoft's Surface was one of the top trustworthy contenders, considering that the entirety of the hardware and software was from the same vendor (and one that was decently trustworthy, considering that most of the world is running their operating system), and that there seemed to be no* pre-installed drivers or software that may have been written in China, Russia etc.
Side-note: Based on information available in the public domain, in all likelihood, software written in / maintained from within Russia, may still likely be running as System on Domain Controllers within the U.S. Government.
So we decided to consider evaluating Microsoft Surface devices and thus purchased a couple of brand-new Microsoft Surface devices from our local Microsoft Store for an initial PoC, and I decided to personally test-drive one of them -
The very first thing we did after unsealing them, walking through the initial setup and locking down Windows 10's unacceptable default privacy settings, was to connect it to the Internet over a secure channel, and perform a Windows Update.
I should mention that there was no other device attached to this Microsoft Surface, except for a Microsoft Signature Type Cover, and in particular there were no mice of any kind attached to this new Microsoft Surface device, whether via USB or Bluetooth.
Now, you're not going to believe what happened within minutes of having clicked the Check for Updates button!
Windows Update Downloaded and Installed an Untrusted Self-Signed Lenovo Device Driver on Microsoft Surface! -
Within minutes, Windows Update automatically downloaded and had installed, amongst other packages (notably Surface Firmware,) an untrusted self-signed Kernel-mode device-driver, purportedly Lenovo - Keyboard, Other hardware - Lenovo Optical Mouse (HID), on this brand-new Microsoft Surface device, i.e. one signed with an untrusted WDK Test Certificate!
Here's a snapshot of Windows Update indicating that it had successfully downloaded and installed a Lenovo driver on this Surface device, and it specifically states "Lenovo - Keyboard, Other hardware - Lenovo Optical Mouse (HID)" -
We couldn't quite believe this. How could this be possible? i.e. how could a Lenovo driver have been installed on a Microsoft Surface device?
So we checked the Windows Update Log, and sure enough, as seen in the snapshot below, the Windows Update Log too confirmed that Windows Update had just downloaded and installed a Lenovo driver -
We wondered if there might have been any Lenovo hardware components installed on the Surface so we checked the Device Manager, and we could not find a single device that seemed to indicate the presence of any Lenovo hardware. (Later, we even took it back to the Microsoft Store, and their skilled tech personnel confirmed the same finding i.e. no Lenovo hardware on it.)
Specifically, as you can see below, we again checked the Device Manager, this time to see if it might indicate the presence of any Lenovo HID, such as a Lenovo Optical Mouse, and as you can see in the snapshot below, the only two Mice and other pointing devices installed on the system were from Microsoft - i.e. no Lenovo mouse presence indicated by Device Manager -
Next, we performed a keyword search of the Registry, and came across a suspicious Driver Package, as seen below -
It seemed suspicious to us because as can be seen in the snapshot above, all of the other legitimate driver package keys in the Registry had (as they should) three child sub-keys i.e. Configurations, Descriptors and Strings, but this specific one only had one subkey titled Properties, and when we tried to open it, we received an Access Denied message!
As you can see above, it seemed to indicate that the provider was Lenovo and that the INF file name was phidmou.inf, and the OEM path was "C:\Windows\SoftwareDistribution\Download\Install", so we looked at the file system but this path didn't seem to exist on the file-system. So we performed a simple file-system search "dir /s phidmou.*" and as seen in the snapshot below, we found one instance of such a file, located in C:\Windows\System32\DriverStore\FileRepository\.
Here's that exact location on the file-system, and as evidenced by the Created date and time for that folder, one can see that this folder (and thus all of its contents), were created on April 01, 2018 at around 1:50 am, which is just around the time the Windows Update log too confirmed that it had installed the Lenovo Driver -
When we opened that location, we found thirteen items, including six drivers -
Next, we checked the Digital Signature on one of the drivers, PELMOUSE.SYS, and we found that it was signed using a self-signed test Windows Driver certificate, i.e. the .sys files were SELF-SIGNED by a WDKTestCert and their digital signatures were NOT OK, in that they terminated in a root certificate that is not trusted by the trust provider -
Finally, when we clicked on the View Certificate button, as can be seen below, we could see that this driver was in fact merely signed by a test certificate, which is only supposed to be used for testing purposes during the creation and development of Kernel-mode drivers. Quoting from Microsoft's documentation on Driver Testing "However, eventually it will become necessary to test-sign your driver during its development, and ultimately release-sign your driver before publishing it to users." -
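The checks walked through above (locate the driver package in the Driver Store, read its creation time, verify the Authenticode signature on each .sys, inspect the signer) can be run as one audit. The script below is an added example, not code from the original post or from Paramount Defenses; it assumes an elevated Windows PowerShell 5.1 prompt on the machine being audited, and it ties each binary back to its INF and provider via the OriginalFileName path that Get-WindowsDriver reports for third-party packages.

```powershell
# Added example: audit every driver binary in the Windows Driver Store and flag
# any whose Authenticode chain does not validate on this machine, or whose
# signer is a WDK test certificate (the case described in the post above).
# Requires an elevated prompt; Get-WindowsDriver -Online needs administrator rights.

$DriverStore = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'

# Third-party (OEM) driver packages known to this Windows image. OriginalFileName
# is the full path of the package's INF inside the Driver Store, which lets us map
# a package folder back to its INF name and declared provider (e.g. "Lenovo").
$packages = Get-WindowsDriver -Online -ErrorAction SilentlyContinue

$results = foreach ($sys in Get-ChildItem -Path $DriverStore -Recurse -Filter '*.sys' -File -ErrorAction SilentlyContinue) {
    $sig     = Get-AuthenticodeSignature -FilePath $sys.FullName
    $signer  = $sig.SignerCertificate
    $subject = if ($signer) { $signer.Subject } else { '<no signer certificate>' }

    # A WDKTestCert subject is a test-signing certificate: never acceptable for
    # a released kernel-mode driver, regardless of what Status says.
    $isTestCert = $subject -match 'WDKTestCert'

    # Status 'Valid' means the chain terminates in a root this machine trusts.
    # A self-signed test certificate yields NotTrusted / UnknownError instead.
    $suspicious = ($sig.Status -ne 'Valid') -or $isTestCert

    # The package folder is the first path component below FileRepository.
    $pkgFolder = ($sys.FullName.Substring($DriverStore.Length).TrimStart('\') -split '\\')[0]
    $pkg = $packages | Where-Object { $_.OriginalFileName -like "*\$pkgFolder\*" } | Select-Object -First 1

    [pscustomobject]@{
        Driver     = $sys.Name
        Package    = $pkgFolder
        Provider   = if ($pkg) { $pkg.ProviderName } else { '' }
        Inf        = if ($pkg) { Split-Path $pkg.OriginalFileName -Leaf } else { '' }
        Status     = $sig.Status
        Signer     = $subject
        TestCert   = $isTestCert
        # Folder creation time approximates when the package was staged,
        # which can be correlated with the Windows Update log.
        Staged     = $sys.Directory.CreationTime
        Suspicious = $suspicious
    }
}

$flagged = @($results | Where-Object Suspicious)
if ($flagged.Count -gt 0) {
    Write-Warning ("{0} driver binaries have an invalid or test-signed signature:" -f $flagged.Count)
    $flagged | Sort-Object Staged -Descending |
        Format-Table Driver, Provider, Inf, Status, TestCert, Staged -AutoSize
} else {
    Write-Host 'All driver binaries in the Driver Store carry a valid signature.' -ForegroundColor Green
}
```

Drivers signed only through a catalog (.cat) file rather than an embedded signature can report NotSigned on older PowerShell builds, so treat a bare NotSigned as "review", and a WDKTestCert match as the definite finding.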
Clearly, the certificate seen above is NOT one that is intended to be used for release signing, yet here we have a Kernel-mode driver downloaded by Windows Update and installed on a brand-new Microsoft Surface, and all it's signed by is a test certificate, and who knows who wrote this driver!
Again, per Microsoft's guidelines on driver signing, which can also be found here, "After completing test signing and verifying that the driver is ready for release, the driver package has to be release signed", and AFAIK, release signing not only requires the signer to obtain and use a code-signing certificate from a code-signing CA, it also requires a cross cert issued by Microsoft.
If that is indeed the case, then a Kernel-mode driver that is not signed with a valid code-signing certificate, and one whose digital signature does not contain Microsoft's cross cert, should not even be accepted into the Windows Update catalog.
It is thus hard to believe that a Windows Kernel-Mode Driver that is merely self-signed using a test certificate would even make it into the Windows Update catalog, and further it seems that in this case, not only did it make it in, it was downloaded, and in fact successfully installed onto a system, which clearly seems highly suspicious, and is in fact alarming and deeply concerning!
How could this be? How could Windows Update (a trusted system process of the operating system), which we all (have no choice but to) trust (and have to do so blindly and completely) have itself installed an untrusted self-signed Lenovo driver (i.e. code running in Kernel-Mode) on a Microsoft Surface device?
Frankly, since this piece of software was signed using a self-signed test cert, who's to say this was even a real Lenovo driver? It could very well be some malicious code purporting to be a Lenovo driver. Or, there is also the remote possibility that it could be a legitimate Lenovo driver, that is self-signed, but if that is the case, its installation should not have been allowed to succeed.
To us, this is unacceptable, alarming and deeply concerning, and here's why.
We just had, on a device we consider trustworthy (and could possibly have engaged in business on), procured from a vendor we consider trustworthy (considering that the entire world's cyber security ultimately depends on them), an unknown, unsigned piece of software of Chinese origin that is now running in Kernel-mode, installed on the device by this device's vendor's (i.e. Microsoft's) own product's (the Windows operating system's) update program!
We have not had an opportunity to analyze this code, but if it is indeed malicious in any way, in effect, it would've, unbeknownst to us and for no fault of ours, granted System-level control over a trusted device within our perimeter, to some entity in China.
How much damage could that have caused? Well, suffice it to say that, for they who know Windows Security well, if this was indeed malicious, it would've been sufficient to potentially compromise any organization within which this potentially suspect and malicious package may have been auto-installed by Windows update. (I've elaborated a bit on this below.)
In the simplest scenario, if a company's Domain Admins had been using this device, it would've been Game Over right there!
This leads me to the next question - we can't help but wonder how many such identical Surface devices exist out there today, perhaps at 1000s of organizations, on which this suspicious unsigned Lenovo driver may have been downloaded and installed?
This also leads me to another very important question - Just how much trust can we, the world, impose in Windows Update?
In our case, it just so happened that we were in front of this device during this Windows update process, and that's how we noticed this; by the way, after it was done, it gave the familiar Your device is up to date message.
Speaking of which, here's another equally important question - For all organizations that are using Windows Surface, and may be using it for mission-critical or sensitive purposes (e.g. AD administration), what is the guarantee that this won't happen again?
I ask because if you understand cyber security, then you know, that it ONLY takes ONE instance of ONE malicious piece of software to be installed on a system, to compromise the security of that system, and if that system was a highly-trusted internal system (e.g. that machine's domain computer account had the "Trusted for Unconstrained Delegation" bit set), then this could very likely also aid perpetrators in ultimately gaining complete command and control of the entire IT infrastructure. As I have already alluded to above, if by chance the target/compromised computer was one that was being used by an Active Directory Privileged User, then, it would be tantamount to Game Over right then and there!
Think about it - this could have happened at any organization, from say the U.S. Government to the British Government, or from say a Goldman Sachs to a Palantir, or say from a stock-exchange to an airline, or say at a clandestine national security agency to say at a nuclear reactor, or even Microsoft itself. In short, for absolutely no fault of theirs, an organization could potentially have been breached by a likely malicious piece of software that the operating system's own update utility had downloaded and installed on the System, and in 99% of situations, because hardly anyone checks what gets installed by Windows Update (now that we have to download and install a whopping 600MB patch every Tuesday), this would likely have gone unnoticed!
Again, to be perfectly clear, I'm not saying that a provably malicious piece of software was in fact downloaded and installed on a Microsoft Surface device by Windows Update. What I'm saying is that a highly suspicious piece of software, one that was built and intended to run in Kernel-mode and yet was merely signed with a test certificate, somehow was automatically downloaded and installed on a Microsoft Surface device, and that to us is deeply concerning, because in essence, if this could happen, then even at organizations that may be spending millions on cyber security, a single such piece of software quietly making its way in through such a trusted channel, could possibly instantly render their entire multi-million dollar cyber security apparatus useless, and jeopardize the security of the entire organization, and this could happen at thousands of organizations worldwide.
With full respect to Microsoft and Mr. Nadella, this is deeply concerning and unacceptable, and I'd like some assurance, as I'm sure would 1000s of other CEOs and CISOs, that this will never happen again, on any Surface device, in any organization.
In our case, this was very important, because had we put that brand-new Surface device that we procured from none other than the Microsoft Store into operation (even if we had re-imaged it with an ultra-secure locked-down internal image), from minute one, post the initial Windows update, we would likely have had a potentially compromised device running within our internal network, and it could perhaps have led to us being breached.
If I Were Microsoft, I'd Send a Plane
Dear Microsoft, we immediately quarantined that Microsoft Surface device, and we have it in our possession.
If I were you, I'd send a plane to get it picked up ASAP, so you can thoroughly investigate every little aspect of this to figure out how this possibly happened, and get to the bottom of it! (Petty process note: The Microsoft Store let us keep the device for a bit longer, but will not let us return the device past June 24, and the only reason we've kept it, is in case you'd want to analyze it.) Here's why. At the very least, if I were still at Microsoft, and in charge of Cyber Security -
I'd want to know how an untrusted Kernel-mode device driver made it into the Windows Catalog
I'd want to know why a Microsoft Surface device downloaded a purportedly Lenovo driver
I'd want to know how Windows 10 permitted and in fact itself installed an untrusted driver
I'd want to know exactly which SKUs of Microsoft Surface this may have happened on
I'd want to know exactly how many such Microsoft Surface devices out there may have downloaded this package
Further, and as such, considering that Microsoft Corp itself may easily have thousands of Surface devices being used within Microsoft itself, if I were still with Microsoft CorpSec, I'd certainly want to know how many of their own Surface devices may have automatically downloaded and installed this highly suspicious piece of untrusted self-signed software.
In short, Microsoft, if you care as deeply about cyber security as you say you do, and by that I'm referring to what Mr. Nadella, the CEO of Microsoft, recently said (see video below: 0:40 - 0:44) and I quote "we spend over a billion dollars of R&D each year, in building security into our mainstream products", then you'll want to get to the bottom of this, because other than the Cloud, what else could be a more mainstream product for Microsoft today than, Microsoft Windows and Microsoft Surface ?! -
Folks, the only reason I decided to publicly share this is because I care deeply about cyber security, and I believe that this could potentially have impacted the foundational cyber security of any, and potentially, of thousands of organizations worldwide.
Hopefully, as you'll agree, a trusted component (i.e. Windows Update) of an operating system that virtually the whole world will soon be running on (i.e. Windows 10), should not be downloading and installing a piece of software that runs in Kernel-mode, when that piece of software isn't even digitally signed by a valid digital certificate, because if that piece of software happened to be malicious, then in doing so, it could likely, automatically, and for no fault of its users, instantly compromise the cyber security of possibly thousands of organizations worldwide. This is really as simple, as fundamental and as concerning, as that.
All in all, the Microsoft Surface is an incredible device, and because, like Apple's computers, the entire hardware and software is in control of a single vendor, Microsoft has a huge opportunity to deliver a trustworthy computing device to the world, and we'd love to embrace it. Thus, it is vital for Microsoft to ensure that its other components (e.g. Update) do not let the security of its mainstream products down, because per the Principle of Weakest Link, "a system is only as secure as is its weakest link."
For those who may not know what Active Directory Security is (i.e. most CEOs, a few CISOs, and most employees and citizens), suffice it to say that global security may depend on Active Directory Security, and thus may be a matter of paramount defenses.
Most respectfully, Sanjay
PS: Full Disclosure: I had also immediately brought this matter to the attention of the Microsoft Store. They escalated it to Tier-3 support (based out of New Delhi, India), who then asked me to use the Windows Feedback utility to share the relevant evidence with Microsoft, which I immediately and dutifully did, and I never heard back from anyone at Microsoft in this regard again.
PS2: Another small request to Microsoft - Dear Microsoft, while at it, could you please also educate your global customer base about the paramount importance of Active Directory Effective Permissions, which is the ONE capability without which not a single object in any Active Directory deployment can be adequately secured! Considering that Active Directory is the foundation of cyber security of over 85% of all organizations worldwide, this is important. Over the last few years, we've had almost 10,000 organizations from 150+ countries knock at our doors, and virtually none of them seem to know this most basic and cardinal fact of Windows Security. I couldn't begin to tell you how shocking it is for us to learn that most Domain Admins and many CISOs out there don't have a clue. Can you imagine just how insecure and vulnerable an organization whose Domain Admins don't even know what Active Directory Effective Permissions are, let alone possessing this paramount capability, could be today?
As we get ready to bid farewell to 2017, it may be fitting to recap notable happenings in Active Directory Security this year.
This appears to have been the year in which the mainstream Cyber Security community finally seems to have realized just how important and in fact paramount Active Directory Security is to cyber security worldwide, in that it appears that they may have finally realized that Active Directory is the very heart and foundation of privileged access at 85% of organizations worldwide!
I say so only because it appears to have been in this year that the following terms seem to have become mainstream cyber security buzzwords worldwide - Privileged User, Privileged Access, Domain Admins, Enterprise Admins, Mimikatz DCSync, AdminSDHolder, Active Directory ACLs, Active Directory Privilege Escalation, Sneaky Persistence in Active Directory, Stealthy Admins in Active Directory, Shadow Admins in Active Directory, Domain Controllers, Active Directory Botnets, etc. etc.
Active Directory Security Goes Mainstream Cyber Security
Here are the 10 notable events in Active Directory Security that helped it get mainstream cyber security attention this year -
Since the beginning of the year, i.e. January 01, 2017, Mimikatz DCSync, an incredibly and dangerously powerful tool built by Benjamin Delpy, that can be used to instantly compromise the credentials of all Active Directory domain user accounts in an organization, including those of all privileged user accounts, has been gaining immense popularity, and appears to have become a must-have tool in every hacker, perpetrator and cyber security penetration-tester's arsenal.
On May 15, 2017, the developers of BloodHound introduced version 1.3, with the objective of enhancing its ability to find privilege escalation paths in Active Directory that could help find out "Who can become Domain Admin?" From that point on, Bloodhound, which is massively inaccurate, seems to have started becoming very popular in the hacking community.
On June 08, 2017, CyberArk, a billion+ $ cyber-security company and the self-proclaimed leader in Privileged Account Security, introduced the concept of Shadow Admins in Active Directory, as well as released a (massively inaccurate) tool called ACLight to help organizations identify all such Shadow Admins in Active Directory deployments worldwide.
On June 14, 2017, Sean Metcalf, an Active Directory security enthusiast penned an entry-level post "Scanning for Active Directory Privileges and Privileged Accounts" citing that Active Directory Recon is the new hotness since attackers, Red Teamers and penetration testers have realized that control of Active Directory provides power over the organization!
On July 11, 2017, Preempt, a cyber security company, announced that they had found a vulnerability in Microsoft's implementation of LDAP-S that permits the enactment of an NTLM relay attack, and in effect could allow an individual to effectively impersonate a(n already) privileged user and enact certain LDAP operations to gain privileged access.
On July 26, 2017, the developers of (massively inaccurate) BloodHound gave a presentation titled An ACE Up the Sleeve - Designing Active Directory DACL Backdoors at the famed Black Hat Conference USA 2017. This presentation at Black Hat likely played a big role in bringing Active Directory Security to the forefront of mainstream Cyber Security.
Also on July 26, 2017, a second presentation on Active Directory Security at the Black Hat Conference titled The Active Directory Botnet introduced the world to a new attack technique that exploits the default access granted to all Active Directory users, to setup command and control servers within organizations worldwide. This too made waves.
On September 18, 2017, Microsoft's Advanced Threat Analytics (ATA) Team penned a detailed and insightful blog post titled Active Directory Access Control List - Attacks and Defense, citing that recently there has been a lot of attention regarding the use of Active Directory ACLs for privilege escalation in Active Directory environments. Unfortunately, in doing so Microsoft inadvertently ended up revealing just how little its ATA team seems to know about the subject.
On December 12, 2017, Preempt, a cyber security company, announced that they had found a flaw in Microsoft's Azure Active Directory Connect software that could allow Stealthy Admins to gain full domain control. They also suggested that organizations worldwide use their (massively inaccurate) tooling to find these Stealthy Admins in Active Directory.
Helping Defend Microsoft's Global Customer Base (i.e. 85% of Organizations Worldwide)
Folks, since January 01, 2017, both, as former Microsoft Program Manager for Active Directory Security and as the CEO of Paramount Defenses, I've penned 50+ insightful blog posts to help educate thousands of organizations worldwide about...
...not just the paramount importance of Active Directory Security to their foundational security, but also about how to correctly secure and defend their foundational Active Directory from every cyber security risk/challenge covered in points 1-9 above.
I trust you're well. Today, I just wanted to take a few minutes to answer a few questions that I've been asked so many times.
Here are the answers to the Top-5 questions I am frequently asked -
You're the CEO of a company (Paramount Defenses), so why do you blog so often, and how do you have time to do so?
Good question. This is a bit of a unique situation, in that whilst I am the CEO of a company, I am also a subject matter expert in Active Directory Security (simply by virtue of my background) and thus I feel that it is my civic duty to help organizations understand the paramount importance of securing their foundational Active Directory deployments.
In fact, over the last 7+ years, I've penned 150+ blog posts on Active Directory Security (here) and Cyber Security (here) on various topics such as Active Directory Privilege Escalation, the OPM Breach, Kerberos Token Bloat, Eff Perms, AdminSDHolder, Mimikatz DCSync, Sneaky Persistence, How to Correctly Identify Stealthy Admins in Active Directory, How to Correctly Identify Shadow Admins in Active Directory etc. and most recently on Active Directory Botnets.
As to how I have the time to do so, that's actually not that difficult. We have a world-class team at Paramount Defenses, and I've been able to delegate a substantial amount of my CEO-related work amongst our executive leadership team.
Speaking of which, how big is Paramount Defenses?
At Paramount Defenses, we believe that less is more, so our entire global team is fewer than 100 people. For security reasons, 100% of our staff are U.S. Citizens, and to date, the entirety of our R&D team is made up of former Microsoft employees.
If by how big we are, you meant how many organizations we impact, today our unique high-value cyber security solutions and insights help adequately secure and defend thousands of prominent organizations across six continents worldwide.
Why is it just you (and why aren't your employees) on Social Media (e.g. LinkedIn, Facebook, Twitter etc.)?
The simple answer to this question - For Security Reasons.
At Paramount Defenses, we care deeply about cyber security, so we also strive to lead by example in every way.
As it pertains to cyber security, we have found that the presence of an organization's employees on social-media almost always results in excessive information disclosure that could be very valuable for hackers and various other entities who may have malicious intent, so our corporate policies do not permit a social media presence.
Also, we're not huge fans of Twitter, and we certainly don't care about being on Facebook. We do like and appreciate LinkedIn, and in fact, we lead the world's largest community of Active Directory Security Professionals on LinkedIn.
You see, the Crown Jewels of cyber security reside in Active Directory, and if they're compromised, it's Game Over. By Crown Jewels, I'm referring to privileged access, or as commonly known, Domain Admin equivalent accounts.
It is a fact that 100% of all major recent cyber security breaches (except Equifax) involved the compromise of a single Active Directory privileged user account. Such accounts are Target #1 for hackers, which is why it is so very important that organizations be able to exactly identify and minimize the number of such privileged accounts in Active Directory.
Now, when it comes to identifying privileged user accounts in Active Directory, most organizations focus on enumerating the memberships of their default administrative groups in Active Directory, and that's it. Unfortunately, that's just the Tip of the Iceberg, and we have found that most of them do not even seem to know that in fact there are FAR more accounts with varying levels of elevated admin/privileged access in Active Directory than they seem to know about.
This isn't a secret; it's something you know if you've ever heard about Active Directory's most powerful and capable cyber security feature - Delegation of Administration. The truth is that at most organizations, a substantial amount of delegation has been done over the years, yet no one seems to have a clue as to who has what privileged access. Here's why.
In fact, Active Directory privileged access accounts have been getting a lot of attention lately, because so many cyber security experts and companies are starting to realize that there exists a treasure-trove of privileged access in Active Directory. Thus, recently many such cyber security experts and companies have started shedding light on them (for example, one, two, three etc.), and some have even started developing amateur tools to identify such accounts.
What these experts and companies may not know is that their amateur tools are substantially inaccurate since they rely on finding out "Who has what Permissions in Active Directory" WHEREAS the ONLY way to correctly identify privileged user accounts in Active Directory is by accurately finding out "Who has what Effective Permissions in Active Directory?"
On a lighter note, I find it rather amusing that for lack of knowing better, most cyber security experts and vendors that may be new to Active Directory Security have been referring to such accounts as Stealthy Admins, Shadow Admins etc.
To make matters worse, there are many prominent vendors in the Active Directory space that merely offer basic Active Directory Permissions Analysis/Audit Tooling, yet they mislead organizations by claiming to help them "Find out who has what privileged access in Active Directory," and since so many IT personnel don't seem to know better, they get misled.
Thus, there's an imperative need to help organizations learn how to correctly audit privileged users in Active Directory.
Consequently, the intention of my blogging is to HELP thousands of organizations and cyber security experts worldwide UNDERSTAND that the ONLY correct way to identify privileged users in Active Directory is by accurately determining effective permissions / effective access in Active Directory. There is only ONE correct way to accomplish this objective.
Why have you been a little hard on Microsoft lately?
Let me begin by saying that I deeply love and care for Microsoft. It may appear that I have been a tad hard on them, but that is all well-intentioned and only meant to help them realize that they have an obligation to their global customer base to adequately educate them about various aspects of cyber security in Windows, particularly the most vital aspects.
In that regard, if you truly understand cyber security in Windows environments, you know that Active Directory Effective Permissions and Active Directory Effective Access play an absolutely paramount role in securing Windows deployments worldwide, and since Active Directory has been around for almost two decades by now, one would expect the world to unequivocally understand this by now. Unfortunately, we found that (as evidenced above) no one seems to have a clue.
You may be surprised if I were to share with you that at most organizations worldwide, hardly anyone seems to even know what Active Directory Effective Permissions are, let alone why they're paramount to their security, and this is a highly concerning fact, because it means that most organizations worldwide are operating in the proverbial dark today.
It is upon looking into the reason for this that we realized that in the last decade, it appears that (for whatever reason) Microsoft may not have educated its global customer base about Active Directory Effective Permissions at all - Proof.
Thus, in the best interest of organizations worldwide, we felt a need to substantially raise awareness.
As to how on earth Microsoft may have completely forgotten to educate the world about this, I can only guess that perhaps they must've gotten so involved in building their Cloud offering and dealing with the menace of local-machine credential-theft attack vectors that they completely seem to have missed this one paramount aspect of Windows security.
Fortunately for them and the world, we've had our eye on this problem for a decade now and we've been laser-focused. Besides, actions speak louder than words, so once you understand what it is we do at Paramount Defenses, you'll see that we've done more to help secure Microsoft's global customer base than possibly any other company on the planet.
Those who understand what we've built, know that we may be Microsoft's most strategic ally in the cyber security space.
Finally, the most important reason as to why I do what I do is because I care deeply and passionately about cyber security.
There's so much more to share, and I will continue to do so.
A Paramount Global Cyber Security Need
Today, I wanted to take a moment to touch upon one (not so) little aspect of cyber security that today profoundly impacts the foundational security of 85% of all business and government organizations worldwide, including most cyber security companies.
Folks, I am talking about empowering organizations worldwide to identify exactly who holds the proverbial "Keys to the Kingdom", i.e. helping them accurately identify exactly who actually possesses what privileged access in Active Directory deployments.
The reason this is so important is because 100% of all major recent cyber security breaches (e.g. Snowden, Target, JP Morgan, Sony, Anthem, OPM) involved the compromise and misuse of guess what - just ONE Active Directory Privileged User Account.
Since we've been silently working on this since 2006, we have a head start of about a decade. Over the last few months, we've seen several prominent vendors finally realize the importance of doing so, and we've seen them share guidance on this subject.
Unfortunately, just about every piece of advice out there, whether it be from prominent cyber security experts or billion dollar cyber security companies, on how to actually correctly audit privileged access in Active Directory, is dangerously inaccurate.
There's an old saying - "Actions Speak Louder Than Words." While there's no dearth of talk by so many big names out there on how to improve cyber security, identify privileged users etc., the key to actually (demonstrably and provably) enhancing cyber security lies in actually helping organizations do so, and we've been silently at work for a decade to help organizations do so.
So, in days to come, right here on this blog, I'm going to (hopefully for one last time), share exactly how organizations worldwide can today accurately and efficiently identify privileged access in their foundational Active Directory deployments worldwide.
In doing so, we will yet again demonstrate Thought Leadership in the Cyber Security space. By the way, this is neither about us, nor about pride. I've already said I'm just a nobody (whose work possibly impacts everybody). This is about a desire to help.
So, that post should be out right here on this blog next week, possibly as early as Monday morning.
We’ve made it to week five of National Cyber Security Awareness Month (NCSAM)! The theme this week is “Protecting Critical Infrastructure from Cyber Threats.” The basic infrastructure that supports our daily lives is deeply dependent on the Internet, and, therefore, continually exposed to the risk of new threats and cyber attacks. As security breaches grow in frequency and sophistication every day, it’s crucial to build resiliency and then take steps to protect critical infrastructure to remain safe and secure online.
During the last week of NCSAM, the experts at Connection would like to remind you of the importance of identifying current and future strategies to protect your infrastructure and manage your risk. Cyber security is one of the biggest challenges organizations face today. Regardless of size or industry, every organization must ask itself: is my security strategy up to date? If your organization is looking to stay on the front line of cyber security, it’s imperative to know how an end-to-end risk management strategy can help you properly secure your infrastructure.
Our security experts have an abundance of experience, and several areas of expertise we can put to work for you. We are committed to keeping your organization safe and secure, and can help design, deploy, and support solutions to address your critical risks and defend your critical infrastructure. For more information, contact one of our security experts today!
It’s Week 5 of National Cyber Security Awareness Month (NCSAM). This week, the focus is on protecting critical infrastructure—the essential systems that support our daily lives such as the electric grid, financial institutions, and transportation. Unfortunately, attacks on critical infrastructure have become a concern worldwide. A devastating attack isn’t just a theoretical possibility anymore. As we’ve recently seen with Equifax, and other security breaches in healthcare and other industries, the growing threat of serious attacks on critical infrastructure is real. These days, hackers have become much more formidable, and we will undoubtedly see more of these attacks in the future. It’s no longer a matter of if there will be another attack, but when. Let’s celebrate this last week of NCSAM by staying aware and being prepared.
Protecting your infrastructure requires constant vigilance and attention to evolving cyber attacks. Risk is inherent in everything we do, so trying to stay ahead of the cyber security curve is key. Our team of security experts can help you build a security strategy to detect, protect, and react to the complete threat lifecycle. The threats we all need to manage today evolve quickly, and we can help you minimize your risk and maximize your defenses to improve your cyber resiliency. For some expert insight on securing your critical infrastructure, give us a call and discover the Connection difference.
It’s week 4 of National Cyber Security Awareness Month (NCSAM). Each week of NCSAM is dedicated to a specific cybersecurity theme. The theme this week is “The Internet Wants YOU: Consider a Career in Cyber Security.”
With the continuous state of change in the global threat landscape, organizations face cyber attacks and security breaches that are growing in frequency and sophistication every day. But now, consider this: according to a study by the Center for Cyber Safety and Education, there will be a shortage of 1.8 million information security workers by 2022. This gap should be of great concern to organizations.
Skilled people make the difference in protecting sensitive data, so it’s more critical than ever that organizations begin to attract and retain the cybersecurity talent needed to defend against the evolving threat landscape. At Connection, we help inspire individuals coming out of universities to engage in co-op or intern-related opportunities, and I strongly encourage other organizations to see what they can do to help young people today who are really interested in building their skills in this area.
The figures don’t lie. The demand for cyber security will only continue to grow. Through local collaborative efforts between employers, training providers, and community leaders, we can ensure individuals have the opportunity to build on their tech knowledge and participate in a secure, thriving economy.
October is National Cyber Security Awareness Month, which is an annual campaign to raise awareness about the importance of cyber security. Week 4 of NCSAM is all about the growing field of cyber security and why you might want to consider this career.
It’s impossible to overstate the importance of security in today’s digital world. Cyber attacks are growing in frequency and sophistication every day, and a key risk to our economy and security is the lack of professionals to protect our growing networks. According to a study by the Center for Cyber Safety and Education, by 2022, there will be a shortage of 1.8 million information security workers. So, it’s critical that we begin now to prepare our students—and any others who are interested in making a career move—to fill these gaps. Many colleges and universities have developed information assurance programs that help technical, security-minded students achieve a great foundation in this industry. We also challenge corporations to offer intern and co-op opportunities for students in these degree programs, so they can see what security looks like in practical, business-world applications.
Connection is committed to promoting cyber security and online safety. Join Connection during Week 4 of NCSAM, as we explore cyber security as a viable and rewarding profession and encourage people from all backgrounds to see information security as an essential career path.
The world has been rocked once again with a serious flaw in a basic security mechanism that we all take for granted to keep us safe and secure. According to Dark Reading, researchers at Belgium’s University of Leuven have uncovered as many as 10 critical vulnerabilities in the Wi-Fi Protected Access II (WPA2) protocol used to secure Wi-Fi networks. This is a protocol that—as we have all learned over the last several years—must be configured to keep us safe.
The key reinstallation attack—or KRACK—impacts all modern wireless networks using the WPA2 protocol. The flaw gives attackers the ability to decrypt data packets, so that private (encrypted) communication is no longer private. Although the flaw requires the attacker to be in close proximity to the network to execute, this is especially bad news for those with far-reaching wireless signals—such as hotel and hospital lobbies—where an attacker can just sit down and work their trade.
The Vulnerability Notes Database provides a summary and detailed description of the vulnerabilities. It includes a list of vendors who may be affected by the vulnerability, and a status field indicating whether the vendor has any products that are affected.
What can you do?
Vendors are currently identifying their affected products and working on patches to address this attack. In the meantime, here are a few things you can do to keep your information safe:
Apply patches as they are released
Pay careful attention to your wireless environment
Watch for people and technology that look out of place
Utilize a trusted VPN solution
When possible, transfer data over an encrypted channel—such as HTTPS
Restrict sensitive information that would normally pass over a wireless network
And, as always, it’s a good practice to monitor access logs and wireless traffic to look for anomalies in standard business communication
How has this Wi-Fi vulnerability affected your organization? Leave a comment below to share your experience and any additional advice you have for staying protected.
As a security professional, I probably take security more seriously than most. But when we start talking about the Internet of Things (IoT), the science fiction buff in me comes to the forefront a little bit. While we don’t want any kind of attacks to happen to our organizations, it can be a little fun to imagine the crazy ways hackers can use mundane appliances to hack into a network.
For example, earlier this year, a North American casino was hacked through a smart fish tank. Since the equipment in the tank was connected to the Internet, attackers were able to use that as their vector for network access. Fortunately, the breach was discovered quickly afterward—and you never want to hear about security breaches like this, but it certainly does make for a unique story.
That highlights the risks that are out there today. If you’re connected to the Internet, you are vulnerable to attacks. With IoT and the proliferation of smart devices, we’re starting to see some creativity from hackers that is not necessarily being counteracted with the appropriate level of security controls. That fancy fish tank certainly didn’t have the appropriate level of security controls. Having “regular” devices connect to the Internet can bring flexibility and manageability, but it also opens up more vulnerabilities.
That risk is something that everybody needs to understand. Basically, like any good risk owner, you need to think about what device you have, how it’s connecting, where it’s connecting to, and whether or not that connection has a level of security that meets your policy and control expectations. Honestly, what I’ve seen is that because of the easy and seamless connectivity of these smart devices, a lot of organizations are not thinking about necessary security measures. They aren’t quite seeing that a fish tank or a biomedical device or even an HVAC system can be just as vulnerable to attack as a server or application.
So how do you keep your network and data safe and still take advantage of the benefits of the IoT? Employ the same techniques I spoke of last week: protect, detect, and react. Assess, document, and validate risks. Make sure that you have a complete and total information security risk management or risk governance program. Apply these techniques and programs to every single device on your network, no matter how low-level it may seem. Something as normal as a thermostat or refrigerator could be a gateway for a hacker.
Our experts can help you assess your environment for risks and vulnerable points in your network, and help you put together a comprehensive security program that doesn’t leave out anything—even your lobby fish tank or break room fridge.
(A Must-Read for all CEOs, CFOs, CIOs, CISOs, Board Members & Shareholders Today)
Today was supposed to be an exciting Friday morning at a multi-billion dollar organization, since the world's top Cloud Computing companies were going to make their final pitches to the company's C-Suite today, as it was considering moving to the "Cloud."
With Cloud Computing companies spending billions to market their latest Kool-Aid to organizations worldwide (even though much of this may actually not be ready for mission-critical stuff), how could this company too NOT be considering the Cloud?
The C-Suite Meeting
Today was a HUGE day for this multi-billion dollar company, for today after several months of researching and evaluating their choices and options, the company's leadership would finally be deciding as to which Cloud Computing provider to go with.
This meeting is being chaired by the Chairman of the Board and attended by the following organizational employees -
Chief Executive Officer (CEO)
Chief Financial Officer (CFO)
Chief Information Officer (CIO)
Chief Information Security Officer (CISO)
Also in attendance are about a dozen Vice Presidents, representing Sales, Marketing, Research and Development etc.
After breakfast, the presentations began at 9:00 am. The organization's CIO kicked off the meeting, rattling off the numerous benefits that the company could enjoy by moving to the Cloud, and minutes later the Vice President of Cloud Computing from the first Cloud Computing company vying for their business started his presentation. His presentation lasted two hours.
The C-Suite then took a break for lunch.
The next presentation began at 1:00 pm and was expected to last till about 4:00 pm. The Vice President of Cloud Computing from the second Cloud Computing company had started her presentation and was almost an hour into it, when all of a sudden this happened...
... the CISO's assistant unexpectedly entered the room, went straight to the CISO and whispered something into his ear.
Everyone was surprised, and all eyes were on the CISO, who grimly asked his assistant - "Are you 100% sure?" He said "Yes."
Houston, We Have a Problem
The CISO walked up to the CIO and whispered something into his ear. The CIO sat there in complete shock for a moment!
He then gathered himself and proceeded to request everyone except the C-Suite to immediately leave the conference room.
He told the Vice President of this Cloud Computing company - "Hopefully, we'll get back to you in a few weeks."
He then looked at the CEO and the Chairman of the Board, and he said - "Sir, we have a problem!"
The CEO asked the CIO - "What's wrong? What happened?"
The CIO replied - "Sir, about 30 minutes ago, an intruder compromised the credentials of each one of our 20,000 employees!"
The CEO was almost in shock, and just couldn't believe what he had just heard, so he asked - "Everyone's credentials?!"
The CIO replied - "I'm afraid yes Sir, yours, mine, literally everyone's, including that of all our privileged users!"
The CEO could sense that there was more bad news, so he asked - "Is there something else I should know?"
The CIO replied - "Sir, 15 minutes ago, the intruder logged on as an Enterprise Admin, disabled the accounts of each one of our privileged users, and used Group Policy to deploy malicious software to each one of our 30,000 domain-joined computers! By now, he could have stolen, exfiltrated and destroyed the entirety of our digital assets! We may have lost literally everything!"
The CEO was shocked! They'd just been breached, and what a massive breach it was - "How could this have happened?"
The CIO turned to the CISO, who stepped in, and answered the question - "Sir, an intruder used a tool called Mimikatz DCSync to basically request and instantly obtain the credentials of every single user from our foundational Active Directory deployment."
The CEO asked - "What is Active Directory?"
The CISO replied - "Sir, simply put, it is the very foundation of our cyber security"
The CEO then asked - "Wait. Can just anyone request and extract credentials from Active Directory?"
The CISO replied - "Sir, not everyone can. Only those individuals who have sufficient access to do so, and by that I mean, specifically only those who have Get-Replication-Changes-All effective permissions on the domain root object, can do so."
The CEO then said - "This does not sound right to me. I'm no technical genius, but shouldn't we have known exactly who all have this, whatever you just said, er yes that Get-Replication-Changes-All effective permissions in our Active Directory?!"
The CISO replied - "Sir, it turns out that accurate determination of effective permissions in Active Directory is actually very difficult, and as a result it is almost impossible to figure out exactly who has these effective permissions on our domain root!"
The CEO figured it out - "So you're saying that the intruder had compromised the account of someone who was not on your radar and not supposed to have this access, but actually did, and the intruder used that access to steal everyone's credentials?"
The CISO replied - "That's right. It appears we did not know that this someone had sufficient access (i.e. effective permissions) to be able to replicate secrets from Active Directory, because it is very difficult to accurately figure this out in Active Directory."
The CEO was furious! - "You're kidding, right?! Microsoft's spent billions on this new fad called the "Cloud", yet it doesn't even have a solution to help figure out something as vital as this in Active Directory? How long has Active Directory been around?!"
The CISO replied - "Seventeen years."
The CEO then said in disbelief - "Did you just say 17 years, as in S-E-V-E-N-T-E-E-N years?! Get Satya Nadella on the line now! Perhaps I should #REFRESH his memory that we're a customer, and that we may have just lost a few B-I-L-L-I-O-N dollars!"
This is for Real
Make NO mistake about it. As amusing as it might sound, the scenario shared above is very REAL, and in fact today, most business and government organizations worldwide that operate on Active Directory have no idea as to exactly who has sufficient effective permissions to be able to replicate secrets out of their Active Directory. None whatsoever!
We can demonstrate the enactment of this exact scenario, and its underlying cause, to any organization that wishes to see it.
This Could've Been (and Can Be) Easily Prevented
This situation could easily have been prevented, if this organization's IT personnel had only possessed the ability to adequately and accurately determine effective permissions in their foundational Active Directory deployments.
Unfortunately, Mimikatz DCSync is just the Tip of the Iceberg. Today most organizations are likely operating in the dark and have no idea about the actual attack surface, and thus about exactly who can create, delete and manage the entirety of their domain user accounts, domain computer accounts, domain security groups, GPOs, service connection points (SCPs), OUs etc. even though every insider and intruder could try and figure this out and misuse this insight to compromise their security.
Technically speaking, with even just minimal education and the right tooling, here is how easy it is for organizations to figure this out and lock this down today, i.e. to lock this down before an intruder can exploit it to inflict colossal damage - RIGHT HERE.
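As an added example (not code from the original post or from any Paramount Defenses product), the following Python model shows why the FAQ's point about effective permissions, and the story's question of who holds Get-Replication-Changes-All on the domain root, cannot be answered by listing ACEs: it resolves nested group membership, deny precedence and "all rights" ACEs over a constructed domain-root DACL. The users, groups and ACEs are constructed sample data; the two replication GUIDs are the real AD extended rights; the model deliberately ignores owner rights and WriteDacl-style escalation paths, which a real audit must also cover.

```python
"""Added example, not code from the original post or from any Paramount Defenses
product. It models how Windows evaluates an Active Directory DACL so that the
difference between listing ACEs ("who has what permissions") and resolving
effective permissions ("who can actually replicate secrets") is visible.
All users, groups and ACEs are constructed sample data for a fictional domain.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Control-access right GUIDs a DCSync-style replication request needs on the
# domain root object (both are the real, well-known AD extended-right GUIDs).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DCSYNC_RIGHTS = (DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL)


@dataclass(frozen=True)
class Ace:
    trustee: str             # user or group the ACE applies to
    allow: bool              # True: access-allowed ACE, False: access-denied ACE
    right: Optional[str]     # extended-right GUID, or None for "all rights" (GenericAll-style)
    inherited: bool = False  # inherited from a parent container vs. set explicitly


def expand_groups(principal: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """Return the principal plus every group it belongs to, transitively,
    the way a logon token carries every nested group membership."""
    token = {principal}
    frontier = [principal]
    while frontier:
        member = frontier.pop()
        for group, members in groups.items():
            if member in members and group not in token:
                token.add(group)
                frontier.append(group)
    return token


def effective_right(principal: str, right: str, acl: List[Ace],
                    groups: Dict[str, Set[str]]) -> bool:
    """Evaluate one right for one principal in canonical DACL order:
    explicit deny, explicit allow, inherited deny, inherited allow.
    The first ACE whose trustee is in the token and that covers the right decides."""
    token = expand_groups(principal, groups)
    for ace in sorted(acl, key=lambda a: (a.inherited, a.allow)):
        if ace.trustee in token and ace.right in (right, None):
            return ace.allow
    return False  # no matching ACE: access is implicitly denied


def who_can_dcsync(users: Iterable[str], acl: List[Ace],
                   groups: Dict[str, Set[str]]) -> List[str]:
    """Effective-permissions view: users holding BOTH replication rights."""
    return sorted(u for u in users
                  if all(effective_right(u, r, acl, groups) for r in DCSYNC_RIGHTS))


def naive_permission_report(acl: List[Ace]) -> List[str]:
    """What a plain ACE listing shows: trustees with an allow ACE naming a
    replication GUID. No group expansion, no deny evaluation, no "all rights" ACEs."""
    return sorted({a.trustee for a in acl if a.allow and a.right in DCSYNC_RIGHTS})


# Constructed sample domain: group -> direct members (users or nested groups).
GROUPS = {
    "Domain Admins": {"alice"},
    "Helpdesk": {"Tier2-Ops"},        # nested: Tier2-Ops is itself a member of Helpdesk
    "Tier2-Ops": {"bob"},
    "Contractors": {"carol"},
    "Legacy-Ops": {"frank"},
}
USERS = ["alice", "bob", "carol", "dave", "eve", "frank"]

# Constructed DACL on the domain root object.
DOMAIN_ROOT_ACL = [
    Ace("Domain Admins", True, DS_REPLICATION_GET_CHANGES),
    Ace("Domain Admins", True, DS_REPLICATION_GET_CHANGES_ALL),
    # A delegation done years ago and since forgotten; bob inherits it via nesting.
    Ace("Helpdesk", True, DS_REPLICATION_GET_CHANGES),
    Ace("Helpdesk", True, DS_REPLICATION_GET_CHANGES_ALL),
    # Contractors were granted both rights, but carol is explicitly denied one.
    Ace("Contractors", True, DS_REPLICATION_GET_CHANGES),
    Ace("Contractors", True, DS_REPLICATION_GET_CHANGES_ALL),
    Ace("carol", False, DS_REPLICATION_GET_CHANGES_ALL),
    # dave holds only one of the two rights, which is not enough to replicate secrets.
    Ace("dave", True, DS_REPLICATION_GET_CHANGES),
    # An "all rights" ACE: no replication GUID appears in it, yet it grants them.
    Ace("Legacy-Ops", True, None),
]

if __name__ == "__main__":
    print("Trustees an ACE listing names:", naive_permission_report(DOMAIN_ROOT_ACL))
    print("Users who can actually DCSync: ", who_can_dcsync(USERS, DOMAIN_ROOT_ACL, GROUPS))
```

The ACE listing names "Helpdesk", "Contractors" and "dave" but never "bob" or "frank", while the effective view returns alice, bob and frank and excludes carol (explicit deny) and dave (only one of the two rights).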
Oh, and you don't need to call Microsoft for this, although you certainly can and should. If you do, they'll likely have no answer, yet they might use even this to pitch you their latest toy, Microsoft ATA, and of course, their Cloud offering, Microsoft Azure.
Wait, weren't these C*Os discussing the Cloud (and likely Microsoft Azure) just a few hours (and a few billion dollars) ago?!
Unfortunately, given the massive scale of this breach, the company did not survive the attack, and had to declare bankruptcy. The C*Os of this company are still looking for suitable employment, and its shareholders ended up losing billions of dollars.
All of this could've been prevented, if they only knew about something as elemental as this, and had the ability to determine this.
The moral of the story is that while it's fine to consider the latest fad, i.e. moving to the "Cloud" and all, as and while you consider and plan to do so, you just cannot let your on-prem cyber defenses down even for a moment, because if you do so, you may not have a company left to move to the Cloud. A single excessive effective permission in Active Directory is all it takes.
I'll say this one more time and one last time - what I've shared above could easily happen at almost any organization today.
PS: If this sounds too simple and high-level, i.e. hardly technical, that is by intent, as it is written for a non-technical audience. This isn't to showcase our technical depth; examples of our technical depth can be found here, here, here, here, here etc.
Here's why - Mimikatz DCSync, which embodies the technical brilliance of a certain Mr. Benjamin Delpy, may be the simplest example of how someone could attack Active Directory ACLs to instantly and completely compromise Active Directory. On the other hand, Gold Finger, which embodies the technical expertise of a certain former Microsoft employee, may be the simplest example of how one could defend Active Directory ACLs by being able to instantly identify/audit effective permissions/access in/across Active Directory, and thus lock down any and all unauthorized access in Active Directory ACLs, making it impossible for an(y) unauthorized user to use Mimikatz DCSync against Active Directory.
PS3: They say to the wise, a hint is enough. I just painted the whole picture out for you. (You may also want to read this & this.)
You'll want to read this short blog post very carefully because it not only impacts Microsoft, it likely impacts you, as well as the foundational security of 85% of all business and government organizations worldwide, and it does so in a positive way.
A Quick and Short Background
From the White House to the Fortune 1000, Microsoft Active Directory is the very foundation of cyber security at over 85% of organizations worldwide. In fact, it is also the foundation of cyber security of almost every cyber security company worldwide.
Active Directory is the Foundation of Cyber Security Worldwide
The entirety of an organization's building blocks of cyber security, including the user accounts used by the entirety of its workforce, as well as the user accounts of all its privileged users, the computer accounts of the entirety of its computers, and the security groups used to provision access to the entirety of its IT resources, are stored, managed and protected in Active Directory.
During the past few years, credential-theft attacks aimed at the compromise of an organization's privileged users (e.g. Domain Admins) have resulted in a substantial number of reported and unreported breaches at numerous organizations worldwide. In response, to help organizations combat the menace of these credential-theft attacks, Microsoft has had to make substantial enhancements to its Windows Operating Systems as well as acquire and introduce a technology called Microsoft ATA.
These enhancements have made it harder for perpetrators to find success with traditional credential-theft attacks, so they've started focusing their efforts on trying to find ways to attack the Active Directory itself, as evidenced by the fact that in the last year alone, we've seen the introduction of Mimikatz DCSync, BloodHound and recently the advent of Active Directory Botnets.
Make no mistake about it. There's no dearth of opportunity to find ways to exploit weaknesses in Active Directory deployments, because there exists an ocean of access within Active Directory, and sadly, due to an almost total lack of awareness, education, understanding and tooling, organizations have no idea as to exactly what lies within their Active Directory, particularly in regards to privileged access entitlements. Thus today there likely are thousands of privilege escalation paths in most Active Directory deployments, waiting to be identified and exploited. All that perpetrators seem to lack today is the know-how and the tooling.
Unfortunately, since the cat's out of the bag, perpetrators seem to be learning fast and building rapidly, so unless organizations act swiftly and decisively to adequately lock down the vast amount of access that currently exists in their foundational Active Directory deployments, sadly the next big wave of cyber breaches could involve the compromise of Active Directory deployments.
Clearly, Microsoft Has No Answers
It gives me absolutely no pleasure to share with you that unfortunately, and sadly as always, Microsoft yet again seems to be playing catch-up, and in fact, it has no clue or any real answers, ideas or solutions to help organizations in this vital regard.
Here's Proof - Last week, on September 18, 2017, Microsoft's Advanced Threat Analytics (ATA) Team posted this -
If and when you read it, it will likely be unequivocally clear to you as to just how little Microsoft understands about not just the sheer depth and breadth of this monumental challenge, but about the sheer impact it could have on organizations worldwide!
You see, if you understand the subject of Active Directory Security well enough, then you know that Active Directory access control lists (ACLs) today don't just impact organizational security worldwide, they likely impact national and global security!
That said, in that post, the best Microsoft could do is concede that this could be a problem, wonder why organizations might ever need to change AdminSDHolder, falsely assume that it may not impact privileged users, praise a massively inaccurate tool for shedding light on this attack vector, and end by saying - "if you find a path with no obstacles, it probably leads somewhere."
Oh, and the very last thing they tell you is that their nascent ATA technology can detect multiple AD recon methods.
In contrast, here's what they should have said - "We care deeply about cyber security and we understand that left unaddressed, this could pose a serious cyber security risk to our customers. Rest assured that Microsoft Active Directory is a highly robust and securable technology, and here's exactly how organizations can adequately and reliably identify and lock down privileged access in their Active Directory deployments, leaving no room for perpetrators to identify and exploit any weaknesses."
The reason I say that should've been the response is that if you know enough about this problem, then you also know that it can actually be completely and sufficiently addressed, and that you don't need to rely on detection as a security measure.
BTW, to appreciate how little Microsoft seems to understand about this huge cyber security challenge, you'll want a yardstick to compare Microsoft's response with, so here it is (you'll want to read the posts) - Active Directory Security School for Microsoft.
Er, I'm really sorry but you are Microsoft, a US$ 550 Billion corporation, not a kid in college. If the best you can do concerning such a profoundly important cyber security challenge is show how little you seem to know about and understand this problem, and only have detection to offer as a solution, frankly, that's not just disappointing, that's deeply concerning, to say the least.
Further, if this is how little you seem to understand about such a profoundly important cyber security challenge concerning your own technology, I cannot help but wonder how well your customers might actually be protected in your recent Cloud offering.
Fortunately There's Help and Good News For Microsoft
I may appear to be critical of Microsoft, and I do still believe that they ought to at least have educated their customers about this and this huge cyber security challenge, but I also love Microsoft, because I've been (at) Microsoft, so I'm going to help them.
To my former colleagues at Microsoft I say - "Each one of us at Microsoft is passionate, cares deeply and always strives to do and be the best we can, and even though I may no longer be at Microsoft, (and I still can't believe how you missed this one), luckily and fortunately for you, we've got this covered, and we're going to help you out."
So, over the next few days, not only am I going to help reduce the almost total lack of awareness, education and understanding that exists at organizations today concerning Active Directory Security, I am also going to help organizations worldwide learn just how they can adequately and swiftly address this massive cyber security challenge before it becomes a huge problem.
What Constitutes a Privileged User in Active Directory
How to Correctly Audit Privileged Users/Access in Active Directory
How to Render Mimikatz DCSync Useless in an Active Directory Environment
How to Easily Identify and Thwart Sneaky Persistence in Active Directory
How to Easily Solve The Difficult Problem of Active Directory Botnets
The World's Top Active Directory Permissions Analysis Tools (and Why They're Mostly Useless)
The Paramount Need to Lockdown Access Privileges in Active Directory
How to Attain and Maintain Least Privileged Access (LPA) in Active Directory
How to Securely Delegate and Correctly Audit Administrative Access in Active Directory
How to Easily Secure Active Directory and Operate a Bulletproof Active Directory Deployment
You see, each one of these Active Directory security focused objectives can be easily accomplished, but in order to do so, what is required is the capability to accurately audit effective access in Active Directory. Sadly, let alone possessing this paramount cyber security capability, Microsoft doesn't even seem to have a clue about it.
Each one of these posts is absolutely essential for organizational cyber security worldwide, and if you know of even one other entity (e.g. individual, company etc.) on the planet that can help the world address each one of these today, do let me know.
Together, we can help adequately secure and defend organizations worldwide and deny perpetrators the opportunities and avenues they seek to compromise our foundational Active Directory deployments, because we must and because we can.
As some of you may know, over the past few weeks, I have been publicly taking the $ 550 Billion Microsoft (Nasdaq: MSFT) to Active Directory Security School (see PS3 below) because today global security literally depends on Active Directory Security.
In case you're wondering why, here's why -
The Importance of Active Directory Security
From the White House to the British Houses of Parliament, and from Microsoft to the Fortune 1000, at the very foundation of IT, identity and access management, and cyber security at over 85% of all organizations worldwide today lies Active Directory.
In other words, the foundational security of thousands of government and business organizations depends on Active Directory.
To paint a picture - Governments, Militaries, Law Enforcement Agencies, Banks, Stock Exchanges, Energy Suppliers, Defense Contractors, Hospitals, Airlines, Airports, Hotels, Oil and Gas Companies, Internet, Tech and Cyber Security Companies, Manufacturing Companies, Pharmaceutical Companies, Retail Giants ... <the list is long> all run on Active Directory.
Operating in the Dark
Given my background, experience and whatever little I know about the subject, I have reason to believe that most organizations worldwide that operate on Active Directory are operating in the dark today, and have absolutely no idea as to exactly who has what level of privileged access in their foundational Active Directory!
Further, because over the last decade, almost 10,000 organizations from across 150+ countries worldwide have knocked at our doors unsolicited, we know exactly how much these organizations know about Active Directory Security, and we're shocked to know that 99% of them don't even know what "Active Directory Effective Permissions" are, and upon giving this due thought, we have arrived at the conclusion that the world's complete ignorance on this most paramount aspect of organizational cyber security can be attributed to the fact that Microsoft has likely not even once educated its customers about its importance!
Let There Be Light
So, I made an executive decision that we need to educate the $ 550 Billion Microsoft Corp about the paramount importance of "Active Directory Effective Permissions", so that they can in turn educate the thousands of vital business and government organizations at whose very foundation lies Active Directory about its sheer and cardinal importance.
Make no mistake about it - no organization that operates on Microsoft Active Directory today can be adequately secured without possessing the ability to determine effective permissions on the thousands of building blocks of cyber security (i.e. thousands of domain user accounts, computer accounts, security groups and policies) that reside in its Active Directory. It's really that simple.
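To make concrete the distinction this post (and the DCSync discussion above) rests on, here is an added example, not code from this blog, from Gold Finger or from Microsoft: a simplified Python model of how Windows evaluates a DACL (canonical ACE order plus transitive group expansion), applied to the two replication control-access rights that Mimikatz DCSync depends on. The two GUIDs are the real right identifiers; every principal, group and ACE is constructed, and the model deliberately omits owner rights, generic rights and object-type inheritance.

```python
"""Simplified model of Active Directory effective-permission evaluation.

Models a subset of the Windows DACL algorithm: ACEs are evaluated in
canonical order (explicit deny, explicit allow, inherited deny,
inherited allow); the first ACE that matches the principal or any of
the principal's transitively expanded groups decides a right; a right
with no matching ACE is not granted.  Owner rights, generic rights and
object-type inheritance are deliberately omitted from this model.
"""
from dataclasses import dataclass

# Real control-access-right GUIDs on the domain naming context; holding
# both is what lets a principal replicate secrets the way DCSync does.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DCSYNC_RIGHTS = (DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL)


@dataclass(frozen=True)
class Ace:
    trustee: str             # user or group the ACE names
    allow: bool              # True = allow ACE, False = deny ACE
    right: str               # control access right GUID
    inherited: bool = False  # True if it came from a parent container


def canonical_order(dacl):
    """Explicit deny < explicit allow < inherited deny < inherited allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))


def expand_groups(principal, membership):
    """Transitive closure of group membership; nested groups count."""
    seen, stack = set(), [principal]
    while stack:
        for group in membership.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen


def has_effective_right(principal, right, dacl, membership):
    """The first matching ACE in canonical order decides the right."""
    tokens = {principal} | expand_groups(principal, membership)
    for ace in canonical_order(dacl):
        if ace.right == right and ace.trustee in tokens:
            return ace.allow
    return False


def direct_trustees(dacl, right):
    """What a plain ACL dump shows: the trustees named in allow ACEs."""
    return {a.trustee for a in dacl if a.allow and a.right == right}


def who_can_dcsync(principals, dacl, membership):
    """Principals that effectively hold both replication rights."""
    return sorted(p for p in principals
                  if all(has_effective_right(p, r, dacl, membership)
                         for r in DCSYNC_RIGHTS))


# Constructed sample data (not from any real domain): nested groups and
# a domain-root style DACL mixing explicit and inherited ACEs.
MEMBERSHIP = {
    "alice": {"Domain Admins"},
    "bob": {"Tier2-Helpdesk"},
    "Tier2-Helpdesk": {"Legacy-Sync-Operators"},   # nesting hides bob's access
    "carol": {"Domain Admins", "Contractors"},
    "dave": {"Contractors", "Legacy-Sync-Operators"},
    "erin": {"Domain Admins", "Blocked-Readers"},
}
DACL = [
    Ace("Domain Admins", True, DS_REPLICATION_GET_CHANGES),
    Ace("Domain Admins", True, DS_REPLICATION_GET_CHANGES_ALL),
    Ace("Legacy-Sync-Operators", True, DS_REPLICATION_GET_CHANGES, True),
    Ace("Legacy-Sync-Operators", True, DS_REPLICATION_GET_CHANGES_ALL, True),
    Ace("Contractors", False, DS_REPLICATION_GET_CHANGES_ALL),          # explicit deny
    Ace("Blocked-Readers", False, DS_REPLICATION_GET_CHANGES, True),      # inherited deny
    Ace("Blocked-Readers", False, DS_REPLICATION_GET_CHANGES_ALL, True),  # inherited deny
]
PRINCIPALS = ["alice", "bob", "carol", "dave", "erin", "frank"]

if __name__ == "__main__":
    # The ACL dump names two groups; the effective set is a different list
    # of users: bob appears only via nesting, carol loses the right to an
    # explicit deny, erin keeps it because explicit allow beats inherited deny.
    print("ACL dump names:", sorted(direct_trustees(DACL, DS_REPLICATION_GET_CHANGES_ALL)))
    print("Effective DCSync set:", who_can_dcsync(PRINCIPALS, DACL, MEMBERSHIP))
```

The contrast between the ACL dump and the effective set is the point: auditing who can replicate means evaluating the rights for each principal, not listing the trustees that appear in the ACL.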
A 1000 Cyber Security Companies!
Speaking of which, although there are supposedly over a 1000 cyber security companies in the world (and incidentally, at their very foundation too lies Microsoft Active Directory), not a single one of them has the ability, the expertise or even a single solution to help the world accurately determine "effective permissions" in Active Directory. Not a single one of them!
Hello. As President of Paramount Defenses, I pen this letter most respectfully to you, the President of our Great United States.
First off, I should mention that I write neither as a Republican, nor as a Democrat, but as a fellow patriotic American citizen and a cyber security specialist, because I care, and that my desire to do so publicly is inspired by how much you Sir share publicly, and that this most respectful letter is in light of your tweet about discussing the creation of a Cyber Security Unit with Russia.
I'll do my best to keep this VERY simple.
Top-5 Global Security Risks
As President of the United States, you're likely aware of the Top-5 risks to not just America, but to the entire world today -
1. The Risk of the Use of a WMD / Nuclear War
2. The Risk of Earth's Demise, posed by Climate Change
3. The Risk of Terrorism, posed by Terror Groups Worldwide
4. The Risk of the Decline of American Leadership in the World
5. The Risk of Swift and Colossal Damage, posed by Cyber Threats
I am by no means an expert on global security, but common sense suggests that risks 1 and 2 above would be catastrophic to all of mankind, risk 3 could pose a serious threat to life and property, and that risk 4 could increase the likelihood of risks 1, 2 & 3.
As for risk 5, I do happen to know one vital area of cyber security decently well, so I'll share just a few thoughts about it, but first, I did want to take a moment to talk about risk 4 because it potentially impacts the lives of 7,000,000,000+ people worldwide.
The Importance of American Leadership
Mr. Trump, as President of the United States, you are the most powerful and influential person in the world, and most people would take such GREAT responsibility VERY seriously, since their actions and decisions could save or destroy the world.
Sir, the elections are over. You won. You are the President of the United States, and it is time to let the talking be, and start working to make America great again. This isn't reality TV, this is real life, and it's a billion times more significant and serious.
If I were the President of the United States, and I deeply cared about making America great again, I likely wouldn't have a moment to watch TV, Tweet or Golf. I'd be working harder than the hardest American to make America greater and safer.
(If I may momentarily digress, speaking of making America great again, while there likely may certainly be much to be done to restore its greatness, we owe it to our future generations to do so without polluting or endangering our precious environment.)
Today more than ever, we live in a precarious, highly-connected and inter-dependent world, and the world needs strong, mature and steady American leadership to amicably address so many important and complicated issues, such as those listed above.
Speaking of which, I'd like to share a few thoughts on risk 5, the risk of swift and colossal damage posed by Cyber Threats, but before I do so, again, I'd request you to please take a few moments to comprehend the profound importance, seriousness and significance of both the position bestowed upon you by the American people, as well as the challenges that you, Sir, today have the unique privilege and responsibility of addressing for both America and the world that America is inextricably a part of.
[ Hopefully you see that the reality is that since America is inextricably a part of the world, what happens out in the world could impact us substantially, so to make America great(er and safer) again, we must maintain American leadership in the world. ]
The Cyber Risk
Mr. President, to put it most simply, Cyber Security is the Achilles' Heel of developed nations today, because over the last few decades, our reliance on computer systems and networks has increased substantially (exponentially), and sadly within them exist many systemic and component specific deficiencies (vulnerabilities) which can be exploited to inflict colossal harm.
(This risk is actually addressable, and what the world needs is a White Knight so we have a trustworthy foundation to operate on, but until we get there, i.e. until the world has such a defensive shield in place to rely on, we all have reality to deal with.)
Consequently, today from our governments to our energy grids, from our defense systems to our transportation systems, and from our banks to our industries (i.e. a nation's business organizations), literally everything is exposed to varying levels of risk.
It is thus hardly surprising that today cyber security is one of the most important challenges the world faces, an assertion best evidenced by the fact that Russia's purported cyber interference in the 2016 American elections remains a contentious issue.
Speaking of which, while the U.S. and in fact all countries and, ideally, all business organizations should certainly bolster their cyber defenses, establishing a Cyber Security Unit with the Russians might NOT be such a good idea, as also voiced by 1, 2, 3.
By the way, those who truly understand cyber security know that there is no such thing as an "impenetrable cyber security unit".
A quick digression. Yes, indeed the Russians are very good at cyber security and likely at hacking, and they're persistent, but they're not the only ones out there trying to hack our agencies and companies, and they don't always succeed. But, I digress.
Mr. President, as I put my pen down, I'll only add that of the risks listed above, in the near-term, the Cyber Risk may be 2nd only to the Nuclear Risk, because its realistic probability of occurrence is substantially higher, and its potential for damage, colossal.
Mr. Trump, you have a historic opportunity to SERVE the American People, and define your legacy - it's yours to embrace or squander.
Hello. I'm Sanjay, President of Paramount Defenses. I just wanted to congratulate you on your historic win, wish you success, as did President Obama, and share VALUABLE cyber security insight that could be VITAL to your administration's success.
Before I get to it, I should mention that I write neither as a Republican, nor as a Democrat, but as a fellow patriotic U.S. citizen and a cyber security professional, and that my desire to do so publicly has been inspired by how much you Sir share publicly. Given the sheer impact of our important work across America and the world today, we are a 100% non-partisan organization.
One quick vital point - regarding all the talk of Russian hacking to influence the U.S. election, while Russia and possibly others may certainly have tried to influence it, professionally speaking, i.e. as a cyber security practitioner, in the grand scheme of things, it matters not as to who is trying to hack us, as much as it does that we protect ourselves from being hacked, so from that angle you're likely right that the DNC should have adequately defended itself. You see, once an entity is hacked, at that very moment the damage is done, because their data is now in someone else's hands, and the entity no longer has any control over what the perpetrators do with it. In fairness, one should also add that if indeed Russia did hack the RNC as well, but chose not to divulge their data, then reasonably speaking, that would have amounted to what is being called "an attempt to influence an election."
That said, Mr. Trump, hopefully you'll agree that given our sheer reliance and dependence on computers and technology, the success of your Presidency and your administration will GREATLY depend on the cyber security of our government agencies.
In that regard, I thought you should know that at the very foundation of cyber security of our entire U.S. Government (i.e. 600+ federal agencies) lies a single technology, Microsoft Active Directory, the cyber defense of which is paramount to our security.
You may or may not know this yet, but the White House, the U.S. Capitol, all our intelligence agencies, and virtually all our departments (e.g. Defense, State, Justice, Energy, Labor, Interior, Veterans Affairs etc.) all operate on Active Directory.
By the way, I must mention that none of this is classified information. This is all public knowledge. I just happen to know it first hand because I'm a former Microsoft Program Manager for Active Directory Security, i.e. a "deep in the trenches" technical guy who possibly knows more about Active Directory security than most people on the planet. (I also happen to be an innovative American entrepreneur who built possibly the world's most relevant and important cyber security company, from the ground up.)
In fact, Active Directory is at the very foundation of cyber security of 85+% of all government and business organizations world-wide (The Americas, Europe, Asia, etc.) including at the foundation of virtually all of the tech companies whose CEOs recently visited you i.e. Microsoft, Amazon, Alphabet, IBM, Intel, Facebook, Tesla etc., as well as a little cyber company called Palantir.
It is very likely that thousands of business and government organizations in Russia too might be operating on Active Directory.
Sir, in all likelihood, the Trump Organization may also be operating on Active Directory. (Your IT folks could verify that for you.)
Mr. Trump, our cyber intelligence indicates that the foundational Active Directory deployments of most organizations worldwide may currently be exposed to an alarmingly vast attack surface, and thus may possibly be rather easily compromisable today.
The specific cyber security risk that most of them are all likely exposed to today is succinctly described in The Paramount Brief -
Password (case-sensitive): AreWeReallySecure?
If you're short on time, here's a very brief summary -
In every network powered by Active Directory, all administrative accounts i.e. the accounts of the individuals that possess the "Keys to the Kingdom" lie within Active Directory. It is a well known fact that if a perpetrator can compromise ANY one of these accounts, he/she could easily access and control everything. Thus, in every organization, ideally the number of such powerful accounts must be at an absolute bare minimum.
Unfortunately, in most organizations today, not only are there a HUGE number of privileged user accounts in Active Directory, NO ONE really knows exactly who they are and what power they possess. In other words, most organizations seem to be operating in the proverbial dark, & if breached, could likely be compromised in minutes.
In essence, a huge, unknown number of highly prized privileged accounts in Active Directory constitute a vast attack surface, and the compromise of any one of them would be tantamount to a system-wide compromise.
In our professional opinion, this poses a major cyber security risk globally, especially considering the statistics, i.e. 100% of all major recent cyber security breaches involved the compromise of a single (i.e. just 1) Active Directory privileged user account.
From our side, we can certainly (and uniquely) help organizations worldwide precisely identify and reduce their attack surface, as well as empower them to mitigate this serious risk, swiftly and cost-efficiently, but we do need them to understand it first.
I must also mention with due respect to the likes of Peter Thiel, Alex Karp, Ted Schlein & others, I doubt they're familiar with this specific risk or understand the depth of its magnitude, because this is one of those you have to be "deep in the trenches" to get.
Speaking of which, in 2016, we had directly informed the CEOs of most of the world's Top 200 companies (including most of the tech CEOs that came and met you at the Trump Tower), as well as all appropriate officials at most federal and state agencies about this risk to the foundational Active Directory deployments of their organizations; they all received The Paramount Brief.
Our intelligence further indicates that as a result, many of these organizations started to look at the security of their foundational Active Directory deployments for the first time ever. While some may have started bolstering their cyber defenses, sadly, many of these organizations likely continue to remain vulnerable, especially considering how easy it is to compromise them today.
For instance, if an intruder could breach their network (and Microsoft suggests that organizations assume breach), in many cases, he/she could just deploy Mimikatz DCSync to instantly 0wn them. (Alex/Peter should be able to explain this to you.)
Fortunately the solutions required to swiftly, effectively and cost-effectively help all impacted organizations mitigate this critical risk exist today (e.g. 1,2). However, we're finding that many organizations do not even seem to know about this risk.
We worry that unless certain basic and fundamental cyber security measures are enacted quickly, many of our government and business organizations, as well as those of our allies worldwide, will likely remain vulnerable to cyber attacks in the near future.
From our side, we're doing what we can to educate and safeguard organizations worldwide, but much more needs to be done, and quickly so. It's in that regard that your intentions give many of us in cyber security, as well as the American people, hope...
Making America Great(er and Safer) Again
In addition to making America greater, we must also make (not only) America (but also our allies) safer, not only from physical threats but also from cyber threats. In fact, given our HUGE reliance on technology, and considering how easy it is to launch a cyber attack, the cyber threat may pose a far greater threat to our national security and prosperity than do physical threats.
I've read that it is your intention to appoint a team to combat cyber attacks within 90 days of taking office. That (in your parlance) sounds WONDERFUL. I commend you for this initiative. Indeed, it is imperative and in fact paramount that we do everything we can to safeguard and adequately defend our government and business organizations from being taken out by cyber attacks.
If I had to offer some unsolicited advice, I'd suggest that one of the most important measures one could enact is Attack Surface Reduction. Simply put, the smaller one's attack surface is, the better one's chances of being able to adequately defend it.
For instance, it is so much easier to protect a building that only has one entrance than it is to protect one that has 20 entrances, and where only a few security guards have the master keys to the building, than one wherein who knows how many have them.
That's why, considering the statistics i.e. the fact that 100% of all major recent cyber security breaches involved the compromise of a single (i.e. just 1) Active Directory privileged user account, reducing the number of users that have privileged access within Active Directory to a bare minimum, then adequately protecting them, must be one of the top priorities for all organizations.
Sir, in short, provably secure (least-privileged access adherent) foundational Active Directory deployments at all our federal government agencies and at all business organizations they rely on, are likely going to be vital to your administration's success.
(As you'll likely agree, this isn't rocket science; it's common sense. If a government agency is compromised (e.g. OPM Breach), assets or initiatives it might be working on could be in jeopardy. Similarly, if a business organization (e.g. a Defense Contractor, a Builder etc.) that the government relies on for its various initiatives is compromised, those initiatives could be in jeopardy.)
Thank you, and Best Wishes
In closing, thank you for your time, congrats on your bigly win and good luck as you get ready to serve the American people.
The American people have entrusted you with the great responsibility of leading our great nation, as well as the might of American power, and they're looking to you to make their lives better and to make America greater and safer again.
In God We Trust, so wish you God Speed in your efforts to fulfill your promises to make America great(er and safer) again.
PS: At Paramount Defenses, because we understand the paramount importance of cyber security to the business and national security interests of the United States and those of our allies, we care deeply about cyber security and we take it very seriously.