
Do you need a fresh perspective?

Is your IT staff overworked? Do they get projects completed on time and under budget?

What is the true value of knowing your Cybersecurity risks and threats?

Does your IT staff have the experience to give you a proper report on your Cybersecurity compliance?

CISA certified means Certified Information Systems Auditor, which means you will get a proper report after a thorough review.

We know that 25% of companies do not patch their computers within any reasonable time period, and that 22% of companies do not back up their files. That is a very large number of companies.

So there is a large number of entities not doing what they should to protect themselves, and us as well, because if they get infected, their machines may have your email address in their address lists.

And then you wonder: why is this person sending me an email? Well, their machine was compromised and is now sending spam and malware to everyone in that list.

And guess what: the badly configured machines will get attacked again and again.

This is not like lightning. Cyberattacks strike again and again until you fix the processes for good. Although there are no guarantees, at least you can make the risk minimal.

Contact Us to discuss how to check your IT staff and make sure you will stay in business even after an attack. Or to get your ship in shape before something happens.

https://www.youtube.com/watch?v=QNLB185u9Nw

I bet you did not know you are playing Cybersecurity Russian roulette. Do you have a 500-barrel gun or a 1000-barrel gun?

How would you find out? We have to find out what kind of software you have… and the vulnerabilities it has.

[Image: attack timeline of vulnerabilities]

What can be done? Patch your devices, and learn how to perform risk management for all of your digital devices.

Don't play Cybersecurity roulette; risk management can mitigate risks and keep things manageable.

Also posted on my Blog at Oversitesentry

 

Malware is becoming more sophisticated, and it is difficult if not impossible to catch every virus and piece of malware that is being created constantly.

[Image: can't catch all malware]

If this is a true statement: "My IT department will not catch all malware that is being created", even with anti-virus, a next-gen firewall and more, then now what?

 

We have to detect the malware as fast as possible after it affects the computer, and then react to it.

But you say: what do you mean? I catch all the viruses and malware... I have anti-virus and a new firewall that inspects network traffic, and I have anti-spam which removes all the known viruses.

Ok, let me grant you this: 100% of all KNOWN viruses and malware are caught by your awesome people and technologies. Known only.

Are you familiar with new attacks that exploit software before it has been patched, otherwise known as zero-day or 0-day attacks?

I have discussed this before at my blog Oversitesentry¹. Zero-days are very dangerous because there is no patch for them yet. So at this point I want to show you our difficulty in defending the network and computers:

 

[Image: "never mind the details", from the YouTube video of Pablo Breuer at CircleCityCon²]

For example: say that at any one point in time 0.001% of people, 1 out of 100,000, can write one 0-day exploit per year (a reasonable timeframe).

We know China is very interested in cyber warfare, stealing secrets, making money, etc. There were 1.357 billion people in China (2013) as per Google.

So there would be about 13,570 0-days written in a year. Let's say 85% of these 0-days are caught by our defenses, because the attack looks similar to a currently known virus (which we detect) or has a similar effect.

85% of 13,570 is roughly 11,535 zero-days that get detected.

So unfortunately about 2,035 0-day attacks will not be identified.

And now you know why the attacker has the advantage: it is hard to keep up with 2,000+ new attacks per year, almost 6 per day.

I have said this before(attacker advantage)³

[Image: more predators than prey]

Offense only has to be right once to penetrate successfully, whereas the defender has to be right every day of the year.

We have our work cut out for us: every IT function must work just right. This is too important, and so it must be audited by a separate entity like us.

Contact me, Tony Zafiropoulos, 314-504-3974, to get the conversation started and to increase your focus on the things that matter: detect and react.

  1. http://oversitesentry.com/newsflash-software-has-bugs-0day-vulnerabilities/
  2. https://www.youtube.com/watch?v=lVkTI-3BMY8
  3. http://oversitesentry.com/reviewing-all-of-the-changes-in-2015/

 

 

 

Why? Once the criminal has hacked your computers they can sell the "access" to your devices.

How can I say that?

Kaspersky¹ and others have found a "market" of hacked machines at xDedic.

This means that for as little as $6 a criminal can buy access to a server somewhere in the world. With a cheap purchase like that, what could you do?

With this purchase one could install ransomware, which may return $300 to $500.

So this is a 50x or 83x return: spend $6, install your ransomware, and collect $300 to $500. Roughly a 5,000% or 8,300% return.

[Image: $7 billion potential hack. Remember this image from our post on Jan 6? (2)]

So the criminal does not have to learn how to hack machines, just has to know that these criminal marketplaces exist, where for a small fee one can obtain access to servers.

So if your machine received ransomware and you did not know how it got there, maybe it was installed by a hacker at an odd hour and your IT people never saw anything.

This is why it is imperative to follow the advice of Kaspersky and others (like us 🙂).

Kaspersky Lab advises organizations to:

• Install a robust security solution as part of a comprehensive, multi-layered approach to IT infrastructure security
• Enforce the use of strong passwords as part of the server authentication process
• Implement a continuous process of patch management
• Undertake a regular security audit of the IT infrastructure
• Consider investing in threat intelligence services which will keep the organization informed of emerging threats and offer an insight into the criminal perspective to help them assess their level of risk.

Notice number 4: "Undertake regular security audit of the IT infrastructure"

It is a good idea to perform security audits even when your IT department does a good job; they may just need to tighten a few items, or need a little help here and there. Unfortunately it is human nature not to ask for help when it is needed. So contact an auditor (like us).

Of course we have discussed all of these points on this site and on our Blog Website Oversitesentry.com

Tony Zafiropoulos 314-504-3974  tonyz"@"fixvirus.com

We can perform vulnerability scanning with our Alpha and Sigma Scan service products or more sophisticated pentests with our partners in the Omega Scan service product.

At minimum an Alpha scan will find basic problems and is relatively inexpensive (compared to losing your data).

Also Contact us on our form page

 

 

 

 

  1. http://www.kaspersky.com/about/news/virus/2016/Who-Else-is-Using-your-Servers
  2. https://fixvirus.com/how-to-deal-with-constant-new-ransomware-threats/

 

What does it mean to be PCI compliant? Are You Secure if you passed compliance standards?

If you update your software as PCI compliance requires, what happens if the update breaks your environment, or is actually not secure?

Do you need an example? How about from our blogpost¹:

[Image: don't trust, verify all plugins]

In our blogpost we describe a plugin that was hijacked by a criminal, who then inserted his own malicious code into the plugin.

He then submitted the tampered version to WordPress as a new release, and the WordPress plugin update mechanism told all users of the plugin to upgrade.

Unsuspecting users who upgraded were automatically hacked. Upgrading is normally good, but there has to be a reason for an upgrade, and it has to be tested. Yet for PCI compliance you have to upgrade and keep your systems patched; for example requirement 6.2 in the latest v3.2 PCI standard²:

[Image: PCI DSS requirement 6.2]

Requirement 6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor supplied security patches. Install critical security patches within one month of release.

So the requirement makes no mention of fake upgrades; it only says to install the vendor's patches on the systems that need them.

This is why one has to test the upgrade first, and make sure it is what it claims to be, before placing it in production.
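What "make sure it is what it claims to be" can look like in practice, as an added example (not code from fixvirus.com, WordPress, or the plugin in the blogpost): before a downloaded plugin release is even staged, check its hash against the one the author published out of band, reject files that try to escape the plugin directory, reject files the release is not known to ship, and look for the obfuscated loader pattern a hijacked release tends to carry. The plugin files, the hijacked variant, the allow-list and the "published" hash are all constructed here so the script runs offline; the `eval(base64_decode(` heuristic is an assumed red flag, not a complete malware check.

```python
"""Check a downloaded plugin release before it is staged, let alone put in production.

Added example, not code from fixvirus.com or from WordPress. The plugin files,
the hijacked variant, the allow-list of expected files and the "published"
SHA-256 are constructed so the script runs offline. The 'eval(base64_decode('
string is an assumed red flag for obfuscated PHP loaders, not a full malware check.
"""
import hashlib
import io
import tarfile

# Files the legitimate release is known to ship (constructed allow-list).
ALLOWED_FILES = {"myplugin/myplugin.php", "myplugin/readme.txt"}

# The legitimate release (constructed).
GOOD_FILES = {
    "myplugin/myplugin.php": b"<?php\n/* Plugin Name: My Plugin */\nfunction myplugin_init() { return true; }\n",
    "myplugin/readme.txt": b"My Plugin 1.2.0\n",
}

# The hijacked release: same plugin plus an obfuscated loader and a file that
# tries to land outside the plugin directory (constructed).
BAD_FILES = dict(GOOD_FILES)
BAD_FILES["myplugin/myplugin.php"] = GOOD_FILES["myplugin/myplugin.php"] + b"eval(base64_decode('aGVsbG8='));\n"
BAD_FILES["myplugin/../wp-backdoor.php"] = b"<?php /* dropped outside the plugin dir */\n"


def build_archive(files):
    """Build an uncompressed tar archive in memory (fixed mtime, so it is deterministic)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def check_update(archive, published_sha256, allowed_files=ALLOWED_FILES):
    """Return a list of findings; an empty list means the release may go to a test system."""
    findings = []
    # 1. Integrity: the bytes must match the hash the author announced out of band
    #    (project site, signed mail), not a hash served right next to the download.
    if sha256_hex(archive) != published_sha256:
        findings.append("archive hash does not match the published hash")
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            # 2. Path safety: no absolute paths, no '..' escaping the plugin directory, no links.
            if member.name.startswith("/") or ".." in member.name.split("/"):
                findings.append(f"unsafe path: {member.name}")
            if member.issym() or member.islnk():
                findings.append(f"link entry not allowed: {member.name}")
            # 3. Allow-list: a hijacked release tends to add files the real one never had.
            if member.name not in allowed_files:
                findings.append(f"unexpected file: {member.name}")
            # 4. Content heuristic for obfuscated PHP (assumed signature, see docstring).
            if member.isfile():
                data = tar.extractfile(member).read()
                if b"eval(base64_decode(" in data:
                    findings.append(f"obfuscated code in {member.name}")
    return findings


if __name__ == "__main__":
    good = build_archive(GOOD_FILES)
    published = sha256_hex(good)  # what the plugin author publishes out of band
    print("legitimate release:", check_update(good, published) or "clean")
    print("hijacked release:  ", check_update(build_archive(BAD_FILES), published))
```

A clean result only earns the release a trip to the test environment, where the "does it break anything" question from the paragraph above still has to be answered before production.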

 

Another problem: being compliant means being patched against all "known" vulnerabilities, which means unknown vulnerabilities can still get you hacked even if you are compliant³.

As in the post from Dec 10, 2015, new exploits are found which get you hacked, and then you still lose a lot of money even though you have the latest patches. Even the latest firewalls are affected: as in the post mentioned, certain NGFWs (Next Generation Firewalls) can be bypassed with a specific method.

[Image: next-gen firewall flaw diagram]

[Image: Fixvirus systems engineering]

 

So to answer the question above (are you secure if PCI compliant): not necessarily. In the end PCI compliance is a specific standard for protecting credit card numbers, the Primary Account Numbers (PAN). You can be compliant for the card numbers and still fail to secure other systems. Or you can claim to pass PCI compliance online while not actually performing all the required functions.

Testing your network for security vulnerabilities should be done by a separate pair of eyes.

  1. http://oversitesentry.com/new-pci-compliance-v3-2-now-published/
  2. https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf
  3. http://oversitesentry.com/nextgen-firewall-flaw-uncovered/

Contact me at 314-504-3974 Tony Zafiropoulos to discuss

 

If you want to use the Internet then you must know that you are within arm's length of everyone with a computer in this world, which is more than 3 billion people.

[Image: Internet users, from website¹]

Can you imagine being within a block of 3 billion people (good and bad)?

You must understand that whenever you use the Internet you are connected to 3 billion people, which means what?

It means that if, say, 2% of those people are criminals in the seediest parts of the world, then you are connected to 60 million criminals, and some of these are _very_ sophisticated. So everyone that connects to the Internet must have a sophisticated operation, or it is a matter of time before disaster strikes.

 

As I have explained on my blog oversitesentry.com², it is as if you are loading an X-barrel gun (the X depends on how serious you are about your defense).

[Image: 1000 gun barrels. Is it a 500-barrel gun, or 1000 barrels?]

If you are loading a 500-barrel gun then every time you connect you are playing Cybersecurity roulette. Boom. Missed today. Whew...

But tomorrow is another day. Will you have a vulnerability? Or go to a bad (infected) website?

The more computers you have, the more risk you have. The more you use the Internet, the more risk you bear.

What have the criminals done? They are putting resources into areas which make them more money:

[Image: ransomware domains up 3,500%, from DarkReading.com³]

So this is a problem: we need the Internet in 2016 and beyond, but we are also connecting to many bad elements. A business needs to be sophisticated as well. You need a high degree of defense to keep up with the attackers; there is no way around it.

[Image: risk management matrix]

It comes down to risk analysis, a next-gen firewall, patching your systems on a timely basis, anti-virus, vulnerability analysis, testing your systems and more.

Contact Us to discuss all these details.

 

  1. http://www.internetlivestats.com/internet-users/
  2. http://oversitesentry.com/do-you-have-a-500barrel-riskgun-or-a-1000barrel-riskgun/
  3. http://www.darkreading.com/cloud/ransomware-domains-up-by-3500--in-q1-/d/d-id/1325748?_mc=RSS_DR_EDT

 

Why do Cybersecurity? Can you take a chance on your information technology being attacked by nefarious actors?

There are a lot of attackers looking for a way into your computers:

[Image: "All your base are belong to us", including alias "little Japanese"]

These criminals have honed their skills. "All your base are belong to us" started as a video-game meme, a badly translated line from the intro of the 1991 game Zero Wing in which the invaders announce they have taken over all of the player's bases; like many other things on the net, it has since morphed.

In this case I take it to mean, in broken English, how criminals in other countries will take over your computers. They are crafty and have learned their way around computer weaknesses, and the hackers are getting better all the time.

So if you decide yes we _will_ improve our security situation ... now what?

How much time and resources should be spent on Cybersecurity prevention?

Is it about 10%? For simplicity let's say 10% is the minimum amount of time and resources that should be spent.

So out of 2,000 work hours in a year (i.e. not counting sleep and time off), 200 hours per year should be spent on the various activities that keep your personal and business data from calamity.

Now the big question is what to do with the time and resources set aside for Cybersecurity. 200 hours is not a lot for the year, and it should not be used up all at once, as there are other things to do. 200 divided by 12 is 16 2/3 hours per month; round it to 17 hours per month, or about 4 hours per week.

The interesting item is what Anthony Christie¹, chief marketing officer for Level 3 Communications (a networking company), says: “Our security people spend 60% of their time optimizing documentation and 40% of their time doing the work.”

So of those 4 hours per week, let's say 2.4 hours go to documentation and 1.6 to actual security work.

Documentation is important; that is why 60% of the time goes to it.

This is where Fixvirus.com can help you: we are familiar with compliance standards including HIPAA, PCI, NASD, Sarbanes-Oxley, GLBA and more.

But what should your IT department actually do? Update your systems and make sure they have the latest patches. Updating your systems is not easy peasy.

Before deploying an update one has to test the patch to make sure it will not harm the rest of the software that runs in your standard environment.

PCI Compliance² is important if you take credit card payments.

HIPAA compliance is important if you handle or are near patient data.

Sarbanes-Oxley compliance if you are a public company (or thinking of becoming one).

Various financial regulations require cybersecurity as well for any financial institution.

The consumer protection side is getting more aggressive too, so needless to say there are many government entities regulating more and more cyber activities, and _when_ there are more attacks there will be more regulations, not fewer (when have you seen fewer regulations from the government?). The Federal Trade Commission won a ruling on data security in the Wyndham case³:

"The FTC sued the hospitality company and three subsidiaries, alleging that data security failures led to three data breaches at Wyndham hotels in less than two years. According to the complaint, those failures resulted in millions of dollars of fraudulent charges on consumers’ credit and debit cards – and the transfer of hundreds of thousands of consumers’ account information to a website registered in Russia."

You can see that as an executive overseeing an IT department, one can look at the budget and spend in many directions, including technology.

Remember that technology is just one piece of the puzzle:

[Image: security and privacy balance]

Privacy and civil liberties versus security needs must be taken into account, and your risk assessment must be done by qualified individuals. There is no such thing as 100% security, only "more secure" and "less secure".

[Image: risk analysis]

The likelihood of an attack and the impact of the attack (what would happen if the criminals succeed) set your risk; then you can gauge your "risk appetite" to decide where to spend your budget.

As I have discussed on my blog website Oversitesentry.com(4):

[Image: 1000 gun barrels]

Here is another way of looking at risk management:

Imagine playing Russian roulette with a 1,000-barrel or a 500-barrel gun (which one depends on circumstances).

Every day we spin the barrels (one has a bullet), so we have a 1 in 500 (or 1 in 1,000) chance of something bad happening. Hopefully the odds really are 1 in 500 or 1 in 1,000. Note that the daily odds add up: pulling the trigger every day for a year, a 1-in-500 gun fires at least once with probability 1 - (499/500)^365, about 52%, and a 1-in-1,000 gun with probability 1 - (999/1000)^365, about 31%. Now imagine the worst possible experience: your customer data is in the hands of a criminal. Now what?

Whether you know it or not, there are risks just for using your computers and being connected to the Internet. So unless you want to disconnect there will be risks. So what will you do to reduce your risks?

Contact us to discuss

 

 

  1. http://fortune.com/2016/05/20/no-cure-for-cybersecurity-threats/
  2. https://fixvirus.com/security-and-pci-compliance/
  3. https://www.ftc.gov/news-events/blogs/business-blog/2015/08/third-circuit-rules-ftc-v-wyndham-case
  4. http://oversitesentry.com/do-you-have-a-500barrel-riskgun-or-a-1000barrel-riskgun/

The first thing to understand is that IT personnel are working overtime and are still not keeping up with problems.

How, you say, can this possibly be happening?

How about this for a headline:

"Developers have To Fix a Vulnerability(Badlock) for the April 12th patch Tuesday" (says Microsoft) Security Affairs¹ has the story.

Badlock is a vulnerability in the Samba and Windows file services technologies.

This means that a hacker can craft code (also called malware, MALicious SoftWARE) that abuses the flaw on affected machines, and until the patch ships there is nothing from the vendor to stop it.

So from now (3/23) until at least 4/12 there is no fix for this problem. And if a hacker somehow gets into your Windows systems, the only way to know is if you can track the hacker's movements.

Samba² has been down this road before: its 4.1.17 release fixed an earlier flaw, CVE-2015-0240, which was public from February 23rd, 2015, so that one has been a well-known, exploitable vulnerability in the hacker world for over a year.

How do we know? Because there are markets where hackers sell their malware to other criminals, who use it to attack us. The darknet³ hosts marketplaces where hackers and criminals buy and sell the various pieces of an attack and exploit into our environments.

The reason things have gotten worse is that the attackers have gotten better and better while we have improved only marginally, and the reality is that it is easier to attack and succeed just once than to defend 365 days a year, 24 hours a day.

[Image: plugged-in wires]

So what can be done?

It is important to get started, as on this page we have created: https://fixvirus.com/patching-your-computers-consistent-policy-defends-against-attackers/

Proper Cybersecurity has to be started sometime. So don't be overwhelmed: start by writing a security policy so that your employees know what their role is. Good communication is a must.

Contact Us to help you with writing a security policy. Notice that we do not list previous client names on this site, since the confidentiality of our clients is important (we can give you specific referrals, but that takes time). Let's start with an initial visit, which is free.

Once you have a program in place, with people looking at logs and more, you can create a methodology to find the hackers when they are in the environment:

Find them when they try to execute code that does not belong, and when that code tries to communicate with its command and control servers.

[Image: exploit program]

Once the plan is in place, create new scripted methods to find unknown malware.

Why wait until the security policy is in place? Because one has to know what is on the systems and what normal looks like before one can stop the malware. And it is always better when documentation is available.
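Here is what one such scripted method can look like, as an added example that is not code from fixvirus.com: it reads outbound connection logs and flags the timer-driven check-ins that malware uses to reach its command and control servers, regardless of whether anti-virus recognises the malware itself. The log format ("timestamp src dst port"), the hosts and the thresholds are constructed and assumed for the example; a real run would read a proxy or firewall export.

```python
"""Find command-and-control beaconing in outbound connection logs.

Added example, not code from fixvirus.com. The log lines are constructed to
look like a minimal proxy/firewall export ("timestamp src dst port") and the
thresholds are assumed. Malware that phones home does so on a timer, so a
(src, dst, port) triple with many connections at a nearly constant interval
stands out from human browsing, whose gaps are irregular.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

START = datetime(2016, 4, 1, 9, 0, 0)


def _lines(src, dst, port, offsets):
    """Constructed log lines: one connection at each offset (seconds) after START."""
    return [f"{(START + timedelta(seconds=o)).isoformat()} {src} {dst} {port}" for o in offsets]


# Workstation 10.0.0.12 checks in with an unknown host every ~60 s (implant with slight jitter) ...
BEACON_OFFSETS = [0, 60, 121, 180, 240, 302, 360, 420, 481, 541]
# ... while also browsing a normal site at irregular times; 10.0.0.13 touches the bad host only twice.
BROWSING_OFFSETS = [0, 5, 7, 45, 300, 310, 312, 600, 900, 901]

LOG_LINES = (
    _lines("10.0.0.12", "203.0.113.45", 443, BEACON_OFFSETS)
    + _lines("10.0.0.12", "198.51.100.7", 443, BROWSING_OFFSETS)
    + _lines("10.0.0.13", "203.0.113.45", 443, [10, 400])
)

MIN_CONNECTIONS = 8   # fewer than this and the interval statistics mean little (assumed)
MAX_JITTER = 0.10     # stdev / mean of the gaps; a timer with slight jitter stays well below (assumed)


def parse_line(line):
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_beacons(lines, min_connections=MIN_CONNECTIONS, max_jitter=MAX_JITTER):
    """Return the (src, dst, port) triples whose connection gaps look machine-regular."""
    seen = defaultdict(list)
    for line in lines:
        ts, src, dst, port = parse_line(line)
        seen[(src, dst, port)].append(ts)

    beacons = []
    for (src, dst, port), times in seen.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            beacons.append({"src": src, "dst": dst, "port": port, "count": len(times),
                            "interval_s": round(mean, 1), "jitter": round(jitter, 3)})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(LOG_LINES):
        print(f"possible beacon: {b['src']} -> {b['dst']}:{b['port']} "
              f"every {b['interval_s']}s ({b['count']} connections, jitter {b['jitter']})")
```

On the constructed data only the 10.0.0.12 to 203.0.113.45 pair is reported; the same workstation's browsing has far too much variance, and 10.0.0.13's two contacts are below the connection threshold. A hit is a lead for the people looking at logs, not proof: the next step is to check what process on that workstation owns those connections.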

 

 

 

  1. http://securityaffairs.co/wordpress/45579/hacking/badlock-windows-samba-flaw.html
  2. https://www.samba.org/samba/history/samba-4.1.17.html
  3. http://oversitesentry.com/darknet-know-it-learn-it/

Please consider taking this survey as we are interested in your cybersecurity needs and are exploring products (apps etc.) to create and fulfill market needs.


What Do I mean when I say "Start With Some Cybersecurity"?

At Fixvirus.com we will help you design your own Cybersecurity department, or help you with "just enough" Cybersecurity.

What do I mean by "just enough Cybersecurity"?

I think it is safe to say that most of us do not think about the security of our phones, computers and tablets. As a whole, people just want their electronic devices to work.

Is this indicative of what we want in our companies? Do we expect the IT department to keep us safe and secure? We don't want to think about it; we just want it to happen.

So what to do? Why does the IT department need oversight? Because testing their abilities, in a nice way, tells them they are doing a good job and tells you the IT job is being done well.

You can still get hacked, but at least the i's were dotted and the t's crossed.

The key, in our environments anyway, is what happens after the hacker is in. You don't want them to steal anything and get away with it. You have to set up methods to detect when a hacker is doing their work and shut down the exfiltration (the theft of data to an external machine).

So to start we have to audit the environment and count all the computers before doing the next steps.

  1. Audit the environment: count the computers and find out what is running on them (count computers = find them all and review what is running on each).
  2. Audit the software, since just knowing the hardware, or the virtual machine instances of servers, is not enough. We must know the type and version of the software running, since a vulnerability alert can put PCI compliance in jeopardy. The criminal hacker is looking for your software, so you should know what is in your environment as well.
  3. Do vulnerability assessments, which means trying to uncover unpatched software in your environment (just like the criminal hacker would do, and as you are supposed to do for PCI compliance, HIPAA compliance and all other governance).
  4. What about the zero-day attacks, the attacks that cannot be patched because the hackers found a problem that can be exploited before a fix exists? For these situations we have to have a detect-and-monitor program: check the logs and check the network traffic, which means a SIEM (Security Information and Event Manager) and an IPS (Intrusion Prevention System).
    1. Although SIEM and IPS systems will not prevent all attacks, they will prevent a lot, and with vigilance and enough resources we can keep up with attacks on our environment.
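Steps 1 to 3 above in working form, as an added example that is not code from fixvirus.com: compare what the network actually shows against the asset list (anything on the wire that is not in the list is an unmanaged machine), then compare each host's installed software versions against the "fixed in" version of each known vulnerability, and flag the ones that have sat past the one-month window that PCI DSS requirement 6.2 allows for critical patches. The hosts, the installed software and the advisory table are constructed; in practice the first two come from a discovery scan or agent export and the third from vendor advisories. The Samba entry matches the 4.1.17 release noted earlier on this page; the other advisory IDs and dates are made up.

```python
"""Asset inventory and unpatched-software check (steps 1 to 3 of the audit).

Added example, not code from fixvirus.com. Hosts, installed software and the
advisory table are constructed. The Samba advisory matches the 4.1.17 release
mentioned on this page; the ADV-CONSTRUCTED-* entries and their dates are made up.
"""
import re
from datetime import date

# Step 1 input: what the network actually shows (DHCP leases, ARP, a ping sweep). Constructed.
OBSERVED_HOSTS = {"ws-01", "srv-files", "srv-web", "10.0.0.77"}

# Steps 1 and 2 input: the asset list with software versions per host. Constructed.
ASSET_LIST = {
    "ws-01": {"Adobe Reader": "11.0.10", "Java": "8u71"},
    "srv-files": {"Samba": "4.1.16"},
    "srv-web": {"WordPress": "4.4.2", "Samba": "4.1.17"},
}

# Step 3 input: known vulnerabilities, the version that fixes each, and the fix release date.
ADVISORIES = [
    {"id": "CVE-2015-0240", "product": "Samba", "fixed_in": "4.1.17", "released": "2015-02-23"},
    {"id": "ADV-CONSTRUCTED-1", "product": "Java", "fixed_in": "8u73", "released": "2016-03-15"},
    {"id": "ADV-CONSTRUCTED-2", "product": "WordPress", "fixed_in": "4.4.2", "released": "2016-02-02"},
]

PATCH_WINDOW_DAYS = 30  # PCI DSS 6.2: critical patches within one month of release


def version_key(version):
    """Turn '4.1.16' or '8u71' into a tuple of ints so versions compare numerically."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def unknown_hosts(observed, asset_list):
    """Step 1: anything on the wire that is not in the asset list is an unmanaged machine."""
    return sorted(observed - set(asset_list))


def vulnerable_software(asset_list, advisories, today_iso):
    """Step 3: installed versions older than the fix, plus whether the patch window has lapsed."""
    today = date.fromisoformat(today_iso)
    findings = []
    for host, software in sorted(asset_list.items()):
        for adv in advisories:
            installed = software.get(adv["product"])
            if installed is None or version_key(installed) >= version_key(adv["fixed_in"]):
                continue
            age = (today - date.fromisoformat(adv["released"])).days
            findings.append({
                "host": host, "product": adv["product"], "installed": installed,
                "advisory": adv["id"], "fixed_in": adv["fixed_in"],
                "days_since_fix": age, "overdue": age > PATCH_WINDOW_DAYS,
            })
    return findings


if __name__ == "__main__":
    print("not in asset list:", unknown_hosts(OBSERVED_HOSTS, ASSET_LIST))
    for f in vulnerable_software(ASSET_LIST, ADVISORIES, "2016-04-01"):
        flag = "OVERDUE" if f["overdue"] else "within window"
        print(f"{f['host']}: {f['product']} {f['installed']} < {f['fixed_in']} "
              f"({f['advisory']}, {f['days_since_fix']} days since fix, {flag})")
```

On the constructed data, 10.0.0.77 is on the network but in nobody's inventory, the file server is still on Samba 4.1.16 more than a year after the fix shipped, and the workstation's Java is behind but still inside the one-month window. The version comparison is deliberately simple (numeric fields only) and is an assumption of the example; products with non-numeric version schemes need their own rules.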

 

[Image: Risk Management Framework, from the NIST (National Institute of Standards and Technology) 800-37 documents¹]

If risk management is to work properly in an entity, it must be given enough time to review all your data and how your computers are used.

So yes, the first thing one must do is find out what information technology you have and how it is being used. Don't just learn what is running on each computer, but rate each item by its risk factor:

You must classify data from high importance to low importance.

[Image: risk management matrix]

High-importance data can then be properly classified into cyber risk categories.

We will review each step of the path to better Cybersecurity again and again as that is what we are all about.

Contact us to discuss Contact me Tony Zafiropoulos 314-504-3974

 

Our hashtag #testYourSecurity should be everyone's hashtag that wants more Cybersecurity.


  1. http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf