Skip to content

Month: June 2016

Published on

Malware is becoming more sophisticated - and it is difficult if not impossible to catch every virus/malware that is being created constantly.

cantcatchallmalware

If this is a true statement:  "My IT department will not catch all malware that is being created"  even with anti-virus Next gen firewall and more. Now what?

 

We have to try to detect the malware as fast as possible after it affects the computer - and then react to it.

 

But you say - what do you mean - I catch all the viruses and malware...  i have anti-virus and a new firewall that inspects network traffic, I have anti-spam which removes all the known viruses.

Ok let me do this for you:   100% of all KNOWN viruses and malware are caught by your awesome people and technologies.  Known only.

Are you familiar with new attacks that can exploit software before it has been patched? Otherwise known as Zero-day or 0-day.

I have discussed this before at my blog Oversitesentry¹ Zero-days are very dangerous as there is no defense against them. So at this point I want to show you our difficulty in defense of the network and computers:

 

nevermindthedetails  from youtube Video of Pablo Breuer CircleCityCon²

For example: At any 1 point in time there are 0.001% of people that can write one 0-day exploit per year (this is a reasonable timeframe) 1 out of a 100,000.

We know China is very interested in Cyber warfare and stealing secrets - making money etc. So in China there are 1.357 Billion people in China(2013) as per Google.

So therefore there will be 13,570 0-days written in a year. So let's say 85% of these 0-days are caught by our defenses because the attack looks similar to a current known virus (which we detect) or otherwise effect.

So 85% of 13,570 = 11,535  of which consists of detected zero-days.

So unfortunately 2,036 0-day attacks will not be identified.

 

And now you know why the Attacker has the advantage  - it is hard to keep up with 2000+ new attacks per year - almost 6 per day.

I have said this before(attacker advantage)³

morepredatorsthanprey

Offense only has to be right once to penetrate successfully. Whereas the defender has to work 365 days of the year.

We have our work cut out for us - as every IT function must work just right, this is too important and thus must get audited by a separate entity like us.

Contact Me Tony Zafiropoulos 314-504-3974  to get the conversation started.  To increase your focus on the things that matter - detect and react.

  1. https://www.youtube.com/watch?v=lVkTI-3BMY8
  2. http://oversitesentry.com/newsflash-software-has-bugs-0day-vulnerabilities/
  3. http://oversitesentry.com/reviewing-all-of-the-changes-in-2015/

 

 

 

Published on

Why? Once the criminal has hacked your computers they can sell the "access" to your devices.

How can I say that?

Kaspersky¹ and others have found a "market" of hacked machines at xDedic.

This means that for $6 a criminal can buy access to some servers in various parts of the world. So with a cheap purchase such as that what could you do with it?

With this purchase one could install Ransomware which may result in $300 - $500  return.

So this could be a 50x or 83x return.   Spend $6 and install your Ransomware software to get $300 to $500. Nice 5000% or 8300% return

$7Bilpotentialhack$  Remember this image from our post on Jan 6? (2)

 

So the criminal does not have to learn how to hack machines, just has to know existence of these criminal marketplaces where for a small fee one can obtain access to servers.

So if your machine received Ransomware and you did not know how it got there - maybe it was installed by a hacker at an odd time and your IT people never saw anything.

 

This is why it is imperative to follow the advice of Kaspersky and others (like us 🙂

Kaspersky Lab advises organizations to:

• Install a robust security solution as part of a comprehensive, multi-layered approach to IT infrastructure security
• Enforce the use of strong passwords as part of the server authentication process
• Implement a continuous process of patch management
• Undertake a regular security audit of the IT infrastructure
• Consider investing in threat intelligence services which will keep the organization informed of emerging threats and offer an insight into the criminal perspective to help them assess their level of risk.

Notice number 4: "Undertake regular security audit of the IT infrastructure"

It is a good idea to perform security audits since your IT department does a good job, but just has to tighten a few items. Or maybe needs a little help here and there. It is human nature unfortunately not to ask for help when needed. So contact an auditor (like us)

Of course we have discussed all of these points on this site and on our Blog Website Oversitesentry.com

Tony Zafiropoulos 314-504-3974  tonyz"@"fixvirus.com

We can perform vulnerability scanning with our Alpha and Sigma Scan service products or more sophisticated pentests with our partners in the Omega Scan service product.

At minimum an Alpha scan will find basic problems and is relatively inexpensive (compared to losing your data).

Also Contact us on our form page

 

 

 

 

  1. http://www.kaspersky.com/about/news/virus/2016/Who-Else-is-Using-your-Servers
  2. https://fixvirus.com/how-to-deal-with-constant-new-ransomware-threats/

 

Published on

What does it mean to be PCI compliant? Are You Secure if you passed compliance standards?

If you update your software as you are supposed to be PCI compliant what happens if the update breaks your environment or is actually not secure?

Do you need an example? How about from our blogpost¹:

donttrustandverifyallplugins

In our blogpost we mention a plugin that was hijacked by a criminal then he installed his own malicious code in the plugin.

Now he said "Upgrade your plugin" to WordPress which caused WordPress program organization through it's upgrade mechanism tells all the users of the plugin to upgrade.

If the unsuspecting users upgrade then they are automatically hacked - Upgrading is normally good, but there has to be a reason for an upgrade and it has to be tested.  But for "PCI compliance" you have to upgrade and keep your systems patched for example requirement 6.2 in the latest v3.2 PCI standard²:

pci6.2-3

Requirement 6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor supplied security patches. Install critical security patches within one month of release.

So the Requirement has no mention of fake upgrades only to upgrade your software that is necessary for the systems that need it.

This is why one has to test the upgrade first, make sure it is what it claims to be before placing it in production.

 

Another problem can be if you are compliant for all "Known" vulnerabilities that means unknown vulnerabilities can hack you even if you are compliant³.

As in the post from Dec 10, 2015 new exploits are found which cause you to get hacked and then you still lose a lot of money even though you have the latest patches. Even in the latest firewalls (like in the post mentioned) certain NGFW Next Generation FireWalls can get hacked with a specific method.

nextgenfirewallflawdiagram

 

fixvirussystemengineering

 

So to answer the question above (are you secure if PCI compliant) not necessarily. In the end PCI compliance is a specific standard for the credit card numbers.  You can be compliant for the credit card numbers  or Primary Account Numbers(PAN). And still fail to provide security on other systems. Or you can claim to pass the PCI compliance online while not actually performing all the functions.

Testing your network for security vulnerabilities should be done by a separate pair of eyes.

  1. http://oversitesentry.com/new-pci-compliance-v3-2-now-published/
  2. https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf
  3. http://oversitesentry.com/nextgen-firewall-flaw-uncovered/

Contact me at 314-504-3974 Tony Zafiropoulos to discuss

 

Published on

If you want to use the Internet then you must know now you are within arms length of all people with a computer in this world, which is more than 3Billion people.

internetusersimage from website¹

Can you imagine being within a block of 3 Billion people (good and bad).

You must understand that whenever you use the Internet you are connected to 3 Billion people which means what?

It means that if 2% of the people are criminals in the seediest parts of the world then you are connected to 60 million criminals and some of these are _very_ sophisticated criminals. So everyone that connects to the Internet must have a sophisticated operation or it is a matter of time before disaster approaches.

 

As I have explained on my blog oversitesentry.com² - it is as if you are loading a X barrel gun (the X is dependent on how serious you are in your defense).

1000gunbarrelsis it a 500 barrel gun? or 1000barrels?

If you are loading a 500 barrel gun then every time you connect you are playing Cybersecurity roulette. Boom - missed today. whew...

But tomorrow is another day - will you have a vulnerability? Or go on a bad(infected) website?

The more computers you have the more risk you have.  the more you use the Internet the more risk you bear.

What have the criminals done? They are putting resources into areas which make them more money:

ransomware3500percent

Above image from DarkReading.com³

So this is a problem - we need the Internet in 2016 and beyond, but we are also connecting to many bad elements.  A business needs to be sophisticated as well. You need a high degree of defense to keep up with the attackers, there is no way around it.

riskmanagmentmatrix

It has to do with risk analysis, next gen firewall, patching your systems on a timely basis, anti-virus, vulnerability analysis, testing your systems and more.

Contact Us to discuss all these details.

 

  1. http://www.internetlivestats.com/internet-users/
  2. http://oversitesentry.com/do-you-have-a-500barrel-riskgun-or-a-1000barrel-riskgun/
  3. http://www.darkreading.com/cloud/ransomware-domains-up-by-3500--in-q1-/d/d-id/1325748?_mc=RSS_DR_EDT