
Why do Cybersecurity? Can you take a chance on your information technology being attacked by nefarious actors?

There are a lot of attackers looking for a way into your computers:

[Image: allyourbasesbelongtous, including alias "little Japanese"]

These criminals have honed their skills. "All Your Bases belong to Us" is a video gaming term: two gamers fight each other and attempt to take over their opponent's bases. That is what the term meant when it was first used, but it has morphed, as many other things have on the net.

In this case I take it to mean, in broken English, that criminals in other countries will take over your computers. They are crafty and have learned their way around computer weaknesses. The hackers are getting better all the time.

So if you decide yes we _will_ improve our security situation ... now what?

How much time and resources should be spent on Cybersecurity prevention?

Is it about 10%? For simplicity let's say 10% is the minimum amount of time and resources that should be spent.

So out of 2000 work hours in a year (i.e. not counting time sleeping and time off), 200 hours per year should be spent on the various activities that protect your personal and business data from calamity.

Now the big question is what to do with the time and resources to be spent on Cybersecurity. 200 hours is not a lot for the year, and it should not be used up all at once, as there are other things to do. So if we divide 200 by 12 it equals 16 2/3 hours per month; we can round it to 17 hours per month, which is about 4 hours per week.

The interesting item is this quote¹: “Our security people spend 60% of their time optimizing documentation and 40% of their time doing the work,” said Anthony Christie, chief marketing officer for Level 3 Communications (a networking company).

So of those 4 hours per week, let's say 2.4 hours go to documentation and 1.6 to actual security work.

Documentation is important; that is why 60% of the time should be spent on it.

This is where Fixvirus.com can help you: we are familiar with compliance standards including HIPAA, PCI, NASD, Sarbanes-Oxley, GLBA and more.

But what should your IT department actually do? Update your systems - make sure they have the latest patches. Updating your systems is not easy peasy.

Before doing an update, one has to test the patch to make sure it will not harm the rest of the software that runs in your standard environment.

PCI Compliance² is important if you take credit card payments.

HIPAA compliance is important if you handle or are near patient data.

Sarbanes-Oxley applies if you are a public company (or thinking of becoming one).

Various Financial Regulations require cybersecurity as well for any financial institution.

The consumer rights division is getting more aggressive, so needless to say there are many government entities regulating more and more cyber activities, and _when_ there are more attacks there will be more regulations, not fewer (when have you seen fewer regulations from the government?). The Federal Trade Commission got a ruling on data security in the Wyndham case³:

"The FTC sued the hospitality company and three subsidiaries, alleging that data security failures led to three data breaches at Wyndham hotels in less than two years. According to the complaint, those failures resulted in millions of dollars of fraudulent charges on consumers’ credit and debit cards – and the transfer of hundreds of thousands of consumers’ account information to a website registered in Russia."

You can see that as an executive overseeing an IT department one can look at the budget and spend in many directions, including technology.

Remember that technology is just one piece of the puzzle:

[Image: security-privacy balance]

Privacy and civil liberties versus security needs to be taken into account, and your risk assessment must be done by qualified individuals. There is no such thing as 100% security, only "more secure" and "less secure".

[Image: risk analysis]

The likelihood of an attack and the impact of the attack (what would happen if criminals are successful) should set your risk; then you can gauge your "risk appetite" to decide where to spend your budget.

As I have discussed on my blog website Oversitesentry.com⁴:

[Image: 1000 gun barrels]

Here is another way of looking at risk management:

Imagine playing Russian roulette with a 1000-barrel or 500-barrel gun (which one depends on circumstances).

Every day we spin the barrels (one has a bullet), so we have a 1 in 500 chance (or 1 in 1000) for something bad to happen. Hopefully the odds are 1 in 500 or 1 in 1000. But imagine the worst possible experience: your customer data is now in the hands of a criminal. Now what?
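The daily odds compound. This worked calculation is added here (it is not from the original post) using the page's own 1-in-500 and 1-in-1000 figures, with a 365-day year as the only assumption:

```latex
P(\text{bad day at least once in a year}) = 1 - \left(1 - \tfrac{1}{500}\right)^{365} \approx 1 - 0.48 = 0.52

P(\text{bad day at least once in a year}) = 1 - \left(1 - \tfrac{1}{1000}\right)^{365} \approx 1 - 0.69 = 0.31
```

So a 1-in-500 daily chance is roughly a coin flip over the year, which is why the daily odds matter far more than they look.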

Whether you know it or not, there are risks just for using your computers and being connected to the Internet. So unless you want to disconnect there will be risks. So what will you do to reduce your risks?

Contact us to discuss


  1. http://fortune.com/2016/05/20/no-cure-for-cybersecurity-threats/
  2. https://fixvirus.com/security-and-pci-compliance/
  3. https://www.ftc.gov/news-events/blogs/business-blog/2015/08/third-circuit-rules-ftc-v-wyndham-case
  4. http://oversitesentry.com/do-you-have-a-500barrel-riskgun-or-a-1000barrel-riskgun/

The first thing that happens is we know that the IT personnel are working overtime and are still not keeping up with problems.

How, you say, can this possibly be happening?

How about this for a headline:

"Developers have To Fix a Vulnerability(Badlock) for the April 12th patch Tuesday" (says Microsoft) Security Affairs¹ has the story.

Badlock is a vulnerability in Samba and Windows File Services technologies.

This means that a hacker can create some code (also called malware, MALicious SoftWARE) that, if run on the affected machines, lets the hacker take them over.

So from now (3/23) until at least 4/12 there is no fix for this problem. And if a hacker somehow gets into your Windows systems, the only way to know is if you can track the hacker's movements.

Samba² software has already been updated to 4.1.17; this vulnerability has been known in the hacker world since February 23rd (from CVE-2015-0240), so this is a well-known exploitable vulnerability in the hacker world.

How do we know? Because there are markets where the hackers can sell their malware to other criminals, who use it to attack us. Darknet³ is a marketplace of hackers and criminals selling and buying the various pieces of an attack and exploit into our environments.

The reason things have gotten worse is that the attackers have gotten better and better while we have improved marginally, and the reality is that it is easier to attack and succeed only once than to defend 365 days per year, 24 hours per day.

[Image: plugged-in wires]

So what can be done?

It is important to get started, as on this page we have created: https://fixvirus.com/patching-your-computers-consistent-policy-defends-against-attackers/

Getting started on proper Cybersecurity has to happen sometime. So don't be overwhelmed: start by writing a security policy so that your employees know what their role is. Good communication is a must.

Contact us to help you with writing a security policy. Notice we do not have previous client names on this site, since the confidentiality of our clients is important (we can give you specific referrals, but that takes time). Let's start with an initial visit, which is free.

Once you have a program in place, and people looking at logs and more, then you can create a methodology to find the hackers when they are in the environment:

Find them when they try to execute code that does not belong, and when that code tries to communicate with their command and control servers.

[Image: exploit program]

Once the plan is in place, then create new scripted methods to find unknown malware.

Why wait until a security policy is in place? Because one has to know what is on the systems and what is good before one can stop the malware. And it is always better when documentation is available.


  1. http://securityaffairs.co/wordpress/45579/hacking/badlock-windows-samba-flaw.html
  2. https://www.samba.org/samba/history/samba-4.1.17.html
  3. http://oversitesentry.com/darknet-know-it-learn-it/

Please consider taking this survey as we are interested in your cybersecurity needs and are exploring products (apps etc.) to create and fulfill market needs.

[Image: Fixvirus logo] Survey

What Do I mean when I say "Start With Some Cybersecurity"?

At Fixvirus.com we will help you design your own Cybersecurity department, or help you with just enough Cybersecurity.

What do I mean by 'just enough Cybersecurity'?


I think it is safe to say that most of us do not think about the security of our phones, computers and tablets. As a whole, people want their electronic devices to work.

Is this indicative of what we want in our companies? Do we expect the IT department to keep us safe and secure? We don't want to think about this; we just want it to happen.

So what to do? Why does the IT department need oversight? Because testing their abilities in a nice way tells them they are doing a good job and tells you the IT job is being done well.

You can still get hacked, but at least the i's were dotted and the t's crossed.

The key in our environments anyway is what happens after the hacker is in. You don't want them to steal anything and get away with it. You have to set up methods to track down when a hacker is doing their work and shut down the exfiltration (or stealing of data to an external machine).


So to start, we have to audit the environment and count all the computers before doing the next steps.

  1. Audit the environment: count the computers and find out what is running on them (counting computers means finding them all and reviewing what is running on each).
  2. Audit the software, since just knowing the hardware, or the server instances in virtual machines, is not enough. We must know the type and version of the software running, since a vulnerability alert can put PCI compliance in jeopardy. The criminal hacker is looking for your software, so you should know what is in your environment as well.
  3. Do vulnerability assessments, which means trying to uncover unpatched software in your environment (just like the criminal hacker would do, and like you are supposed to do for PCI compliance, HIPAA compliance and all other governance), as it only makes sense.
  4. What about the zero-day attacks, the attacks that cannot be patched because the hackers found a problem that can be exploited before a fix exists? Well, for these situations we have to have a detect and monitor program. Check the logs and check the network traffic, which means a SIEM (Security Information and Event Management system) and an IPS (Intrusion Prevention System).
    1. Although the SIEM-IPS systems will not prevent all attacks, they will prevent a lot, and with vigilance and enough resources we can keep up with attacks on our environment.


[Image: risk management framework]

[Image from NIST(National Institute of Standards and Technology) 800-37 documents¹]

If risk management is to work properly in an entity, it must be assessed with enough time to review all your data and your usage of computers.

So yes, the first thing one must do is find out what your information technology is and how it is being used. Don't just learn what is running on each computer, but rate each item by its risk factor:

You must classify data from High importance, to Low importance.

[Image: risk management matrix]

High Importance data can then be properly classified in Cyber Risk categories.

We will review each step of the path to better Cybersecurity again and again as that is what we are all about.

Contact us to discuss. Contact me: Tony Zafiropoulos, 314-504-3974.


Our hashtag #testYourSecurity should be everyone's hashtag that wants more Cybersecurity.



  1. http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf

As Robert Graham says in his blog Errata¹, it is human nature to do a number of Cybersecurity no-nos, including falling for phishing scams (even the experts fall for them). A well-crafted email will look like it is coming from a trusted source, not from a stranger. So to avoid phishing scams one needs to look for more than just "is this email from someone I know?"

  1. A phishing scam is where an unsuspecting email user clicks on a fake email and on its attachment. The attachment then infects the computer because malicious software (malware) is actually hiding within the attachment.
  2. Password reuse: due to laziness and bad practices, employees use the same passwords on several sites. When a weakly secured site is hacked, the hacker has your password and can now guess where else you might use it (banks, email account, and more).
  3. SQL injection (for programmers). This is a computer programmer topic.

Consistently reusing passwords across many sites is human nature (laziness). But doing so on your hobby site and using the same password for your email account and Facebook is a recipe for disaster.

Once a hacker has your email account they can change everything.

For the programmer it requires more work to sanitize data input and to make sure that an attacker won't use an ingenious method to insert some malicious code.

Is Robert right? Are people really 'stupid' regarding these 3 items?

I would not be so harsh as to call everyone Stupid.


As a society we will be hacked in one form or another, but the reason is not stupidity, as most people understand the basics: hacking means using ingenious ways to get around the standard.

Another thought that is wrong in general is the false belief that we could design something that is foolproof, or at least does not have to be worked on constantly.

I think we need to assume that we will need to consistently patch and fix our computers. We also need to see that the computer is a tool written by humans and used by humans.

Unless one has the mindset of the attacker and the tools and setup for sophisticated attacks, one cannot really see the potential dangers under every rock. The IT people in every company are busy trying to connect and work on every system in your network. They do not spend every day researching new attack methods or attacking test computers.

You have to have a separate group of people with a separate pair of eyes to review your network defense, computer system setup and more.

Let me explain it for you if you still have questions.

Tony Zafiropoulos - 314-504-3974

[Image: system engineering as security]

  1. http://blog.erratasec.com/

There are a lot of compliance Standards to keep up on:

HIPAA¹ - Health Insurance Portability and Accountability Act

PCI DSS² - Payment Card Industry Data Security Standard

ISO 27000³ - International Organization for Standardization (HQ in Geneva, Switzerland). I discussed ISO before: http://oversitesentry.com/ngfw-tech-half-battle-in-orgs/

Among others (Sarbanes-Oxley)


But what if you don't even know what you have?

Have you spent the time to look at all of your digital data?

What do you use every day? Excel and Word files?

Have you had a 3rd person look at your data and review the outcome with you?

Did you set up a risk management matrix (likelihood versus consequences)?

Maybe you don't really know what database is the most important?

[Image: risk management matrix]

This is a framework diagram from the NIST document:

[Image: risk management framework]

It is important to assign a number from 1 to 5 to the importance of your different digital properties.

Then set the impact on your business (low, medium, high).

The ensuing matrix will tell you at a glance what you need to know about business risk, what resources you should spend, and why.
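As an added example (not from the original post, and not a client's data), here is that matrix worked in Python: each asset gets the 1-to-5 importance number, a 1-to-5 likelihood, and a low/medium/high impact label; likelihood times importance fills the matrix, and a risk-appetite threshold (the term from the earlier risk discussion) decides which assets get budget. The rating thresholds, the impact mapping and the sample inventory are this example's assumptions.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    importance: int   # 1..5, how much the business depends on it (the page's 1-to-5 number)
    likelihood: int   # 1..5, how likely a successful attack is (rare .. expected)


def check_scale(value, label):
    if not 1 <= value <= 5:
        raise ValueError(f"{label} must be 1..5, got {value}")


def impact_label(importance):
    """Map the 1..5 importance number onto the page's low/medium/high impact scale."""
    check_scale(importance, "importance")
    if importance <= 2:
        return "low"
    return "medium" if importance == 3 else "high"


def risk_score(asset):
    """Likelihood x consequence: the cell value in a 5x5 risk matrix (1..25)."""
    check_scale(asset.likelihood, "likelihood")
    check_scale(asset.importance, "importance")
    return asset.likelihood * asset.importance


def risk_rating(score):
    """Bucket a matrix cell; these thresholds are an assumption of this example."""
    if score >= 15:
        return "high"
    return "medium" if score >= 8 else "low"


def prioritize(assets, risk_appetite):
    """Rows (name, score, rating, impact) for every asset whose score exceeds the
    risk appetite, highest first. Scores at or below the appetite are accepted
    risk and do not compete for budget."""
    rows = []
    for a in assets:
        s = risk_score(a)
        if s > risk_appetite:
            rows.append((a.name, s, risk_rating(s), impact_label(a.importance)))
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def render_matrix(assets):
    """The at-a-glance view: rows are likelihood 5..1, columns importance 1..5;
    each cell shows its rating letter and how many assets sit in it."""
    cells = {}
    for a in assets:
        cells.setdefault((a.likelihood, a.importance), []).append(a.name)
    header = "likelihood \\ importance"
    lines = [f"{header:>24} | " + " | ".join(f" {i} " for i in range(1, 6))]
    for lk in range(5, 0, -1):
        row = []
        for imp in range(1, 6):
            n = len(cells.get((lk, imp), []))
            row.append(f"{risk_rating(lk * imp)[0].upper()}{n if n else '-'} ")
        lines.append(f"{lk:>24} | " + " | ".join(row))
    return lines


# Constructed sample inventory (not a real client's data).
SAMPLE_ASSETS = [
    Asset("customer database", importance=5, likelihood=3),
    Asset("public website", importance=3, likelihood=4),
    Asset("workstation fleet", importance=4, likelihood=4),
    Asset("internal wiki", importance=2, likelihood=2),
    Asset("marketing spreadsheets", importance=1, likelihood=3),
]

if __name__ == "__main__":
    print("\n".join(render_matrix(SAMPLE_ASSETS)))
    for row in prioritize(SAMPLE_ASSETS, risk_appetite=6):
        print(row)
```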

Contact me, Tony Zafiropoulos, at 314-504-3974 and I will be happy to discuss this with you, as I have done this with clients.

It is good to know what you have and how to protect it.

[Image: cybersecurity log analysis]

  1. http://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
  2. https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf
  3. https://www.iso.org/obp/ui/#iso:std:iso-iec:27001:ed-2:v1:en


Houston, we have a problem: a kind of misunderstanding which leads to apathy.

Example: I wonder if you knew that this week a new ransomware threat came out. I should also say that every week new ransomware comes into the "wild", into our computers. (For example, in the week of 3/28 - 4/1 we discuss in our blogpost at Oversitesentry⁵ how to prevent the Locky ransomware, and how the Petya ransomware will now destroy your Master Boot Record (MBR), which controls the actual usage of the hard drive.)

For the first time a programming language called JavaScript is now being used for ransomware; it is called Ransom32.

The following picture is from an older ransomware, so we can discuss what ransomware is and does (and what to fear and be proactive about).

[Image: ransomware crypto]

Ransom means that the criminal has found a way to take something of yours and is now trying to extort money out of you so you can get it back. In this age we are talking about data files.

Imagine that you are working on a Word document, like a proposal for a client. Now somehow ransomware software got on your computer; once the software runs, it tries to encrypt your files. Since you are still working on your proposal, you try to save the file and it does not work: you cannot save the file, as the file you saved to is now renamed and reconfigured (encrypted).

As you try to open other files you notice the encryption does not allow your files to be opened.

If you thought on your feet you could do a "save as" with the file currently being worked on and thus at least save the current file. But hundreds, maybe even thousands, of the rest of your files are now encrypted.

This is obviously a problem, and can bring you to a standstill. Will it matter if your files are on the cloud? Unfortunately it depends on how sophisticated the criminals' programming is, and it is definitely possible to get all files encrypted. The name of the game is money $$$, and if the hackers in eastern Europe are making more money as hackers than as programmers at legitimate companies, then our adversary will improve their attacks.

You cannot avoid this phenomenon for too long. The criminals are looking to make up to $7 billion:

[Image: $7 billion potential hack]

This is easy to figure out: as of 2013 there were 220 million PCs in the USA (I'm not even counting the world). 10% of PCs are not patched correctly (from my blog post and research here at Oversitesentry.com¹, with more background²), per Microsoft statistics, as they know how many PCs are being patched.


We know from news reports and experience that an unpatched computer is susceptible to these types of attacks. Thus I have drawn a conclusion: 22 million PCs are susceptible, and with that the criminal has a potential $6.6 billion ransomware market; and if there are a few computers from which the hacker can steal more information that he can resell, then one can project a $7 billion ransomware market. That is a lot of potential money...

So we can't assume the threats will be the same as last year, in fact the threats will become more sophisticated and dangerous.

Instead of throwing up our hands and giving up... the thing to do is to make sure you spend more time on security this year.

There are ways to shore up or improve your perimeter (firewall); make sure to do patching on time and effectively. Maybe a new firewall which can do more than filter traffic. By filtering traffic, I mean making sure certain traffic stays out and other traffic is allowed to run. The problem with this old model is: what if the traffic is allowed (like JavaScript inside Facebook)?

Patching your computer is actually not so easy, because not all updates are good updates³. So sometimes IT pros recommend waiting until the patch/update has been tested, and only then will it be installed. This process takes time even in the best-run IT department; there are always some bits of time which create some vulnerability.


Testing your backup is also an important part of security defense, since if ransomware gets through you can't afford to find out whether the criminals wrote good ransomware software that recovers your data when you pay. Our recommendation is to never pay: assume you will lose data, and back up. Test the backup to make sure you will recover all data properly.

You can't get away from it these days: a company which has computers on the Internet cannot just have a regular firewall anymore. It must get a NGFW (Next Generation FireWall), which will inspect the traffic and is essentially another layer of defense.


[Image: threat prevention]

A regular firewall cannot inspect data like Social Security numbers or credit card numbers. Set up correctly, you can do many things with a NGFW⁴. Here is one: if I see my Social Security numbers, then email me. I.e. if somebody is stealing these numbers, then email me!
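As an added example, not from the original post or any firewall vendor, here is the "if I see my Social Security numbers then email me" rule written as detection logic over constructed log records, assuming the NGFW has already decoded the outbound traffic to plaintext. It checks SSN plausibility and the Luhn checksum on card numbers to cut false positives, and masks the values so that the alert email does not itself leak the data.

```python
import re

# Patterns the firewall rule would look for in outbound traffic.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13 to 19 digits, optional separators


def plausible_ssn(area, group, serial):
    """Reject numbers the SSA never issues, so random 9-digit strings do not page anyone."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def luhn_ok(digits):
    """Checksum every real payment card number satisfies; filters out order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value, keep=4):
    """The alert must not carry the secret itself: hide all but the last digits."""
    to_hide = sum(ch.isdigit() for ch in value) - keep
    out = []
    for ch in value:
        if ch.isdigit() and to_hide > 0:
            out.append("*")
            to_hide -= 1
        else:
            out.append(ch)
    return "".join(out)


def scan_payload(payload):
    """Return (kind, masked_value) findings for one decoded outbound payload."""
    findings = []
    for m in SSN_RE.finditer(payload):
        if plausible_ssn(*m.groups()):
            findings.append(("ssn", mask(m.group(0))))
    for m in CARD_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("card", mask(digits)))
    return findings


def build_alerts(records):
    """records are (timestamp, src_ip, dst_ip, payload) tuples as an NGFW log might provide."""
    alerts = []
    for ts, src, dst, payload in records:
        for kind, masked in scan_payload(payload):
            alerts.append({"time": ts, "src": src, "dst": dst, "kind": kind, "value": masked})
    return alerts


def alert_email(alert):
    """Body of the 'email me' notification; contains only the masked value."""
    return (f"[{alert['time']}] possible {alert['kind']} leaving the network: "
            f"{alert['src']} -> {alert['dst']} ({alert['value']})")


# Constructed sample records (not real traffic): two should alert, two should not.
SAMPLE_RECORDS = [
    ("2016-01-31T10:00:01", "10.0.0.12", "203.0.113.7", "POST /upload name=alice ssn=123-45-6789"),
    ("2016-01-31T10:00:05", "10.0.0.12", "203.0.113.7", "card=4111 1111 1111 1111 exp=12/19"),
    ("2016-01-31T10:00:09", "10.0.0.40", "198.51.100.2", "order=1234567812345678 ref=666-12-3456"),
    ("2016-01-31T10:00:12", "10.0.0.40", "198.51.100.2", "GET /index.html"),
]

if __name__ == "__main__":
    for a in build_alerts(SAMPLE_RECORDS):
        print(alert_email(a))
```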


Because the criminals have such a large budget, you can't just trust your capable IT department; you have to make sure that everything is working as it should. Test the IT department.

[Image: system engineering as security]

I would be happy to discuss this diagram where your IT department works on the output and Fixvirus.com uses CEH(Certified Ethical Hackers) to test your environment.


If you want to discuss how to improve your security (audit security, test backup, and more) in 2016, contact me now: Tony Zafiropoulos, 314-504-3974, tonyz@fixvirus.com.


  1. http://oversitesentry.com/happy-new-year-2016/
  2. http://oversitesentry.com/is-your-it-system-low-hanging-fruit-for-criminal-hackers/
  3. http://oversitesentry.com/are-we-falling-behind-on-patching-computers/
  4. http://oversitesentry.com/what-is-an-advanced-firewall-utm-ngfw/
  5. http://oversitesentry.com/ransomware-vaccine-can-it-be-done/

We have added many pages in the last few days.  And will continue to add pages in the coming months.

Notice how the menu opens at "Our Services"

Now there are three submenus - Offensive, Defensive Cybersecurity services, and Reports.


[Image: Fixvirus menu]

Offensive Cybersecurity Services

We test and audit your environment to make you safer with our 4 security service products: A (Alpha), Σ (Sigma), Ω (Omega), and Ψ (Psi).

Reports for the test audits

The Alpha (A) service - Report Alpha

The Sigma (Σ) service - Report Sigma

The Omega (Ω) service - Report Omega

The Psi (Ψ) service, or Wifi - Report Psi

Defensive Cybersecurity Services

Cloud Company evaluations

Social Engineering Knowledge

Offense Has Advantage - We Must Analyze Logs

Security and PCI compliance is part of defense

Security Policies (Network, Computers, and More) 

Cybersecurity Consulting Services  (another submenu)

What does it mean Certified Ethical Hacker ?

Explaining the hacker attack cycle, to understand how the criminals are battering against your castle (your network). This section could be a bit technical.

Why Test your systems?


HIPAA compliance documents do not tell you exactly what to do in your network.

Instead they are a framework to fulfill, here is a link to the HHS information in case you are interested:

http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html   

HHS is the U.S. Department of Health & Human Services

But unfortunately the details of what should be done are opaque at best.

It is better to review the SANS website, as SANS is a security teaching organization. One of their documents has a good review of HIPAA compliance.

[Image: hospitals hacked]

An interesting sidenote (the criminals do not care about compliance or security, just whether they can hack your network resources); check our blogpost: http://oversitesentry.com/website-files-ransomed-not-just-personal-files/

In the following standard review (from the SANS document) wireless devices were discussed:

HIPAA Standards

While the Final HIPAA rules do not necessarily deal directly with wireless or any specific network device, the regulations cover many separate areas that deal with PHI (Personal Health Information). In summary the document deals with 3 major areas:

1. Administrative Safeguards
2. Physical Safeguards
3. Technical Safeguards.

The Administrative Safeguards section (164.308) provides regulation for the management of healthcare organizations. Secondly, Physical safeguards (section 164.310) regulate how physically secure the facility should be. Finally Technical Safeguards (section 164.312) provide regulations for access control to the network, security and integrity of data/transmissions, auditing and authentication. This section is most relevant to our situation.

In order to provide the highest security to a wireless network, the relevant regulations need to be extracted from the HIPAA document and interpreted for use in the scenario presented. The following is a brief summary of the standards that relate to our wireless scenario.

1. Access control (164.312(a)(1)) is simply what the name implies, controlling who is granted access to the organization’s resources.
2. Auditing (164.312(b)) is maintaining logs of who accessed a given resource at what time and where so that in the event of a security compromise there will be an audit trail.
3. Integrity (164.312(c)(1)) consists of making sure that PHI is not modified in any way by an unauthorized user during transmission or storage.
4. Person authentication (164.312(d)) is authenticating that the person the computer says they are is really the correct person. This could be argued that it should be done at the server, but I think we can take it a step further and authorize the user when they transition from the wireless to the wired network.
5. Transmission security (164.312(e)(1)) is ensuring that the network transmissions are kept private and since the media is the air this is a high priority in wireless environments.


So in essence, to protect PHI (Personal Health Information), as in medical data, one has to perform basic security practices. And this has to be documented for any potential audits.

Contact Us as we help with compliance or documentation details.

Blogpost on HIPAA compliance from my blog:

http://oversitesentry.com/hipaa-enforcement-10-of-any-covered-entity-will-be-audited-says-office-for-civil-rights/  blogpost from June 2015

Notice the tidbit that 10% of all organizations will be audited by the Office for Civil Rights, and if they so choose they will do some serious social engineering on your org.

It is always better to be proactive. Make sure you have a good security policy in place. Set up a methodology of security, not just a compliance checkbox policy.


Updated 01/31/2016