Example #1: March 28, 21 - Sick.codes has the details and chronology of a disturbing vulnerability found in some software.
Looking at the details of this vulnerability, how it was found (by accident), and what was found: the affected software is the netmask npm package, which other packages pull in as a dependency on Unix/Linux and other operating systems.
A CVE has been issued, CVE-2021-28918: Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.
Does the above explanation make sense to non-systems or programmer people?
Interesting to note that
So what does this vulnerability mean to your systems and devices?
It means that software which, incidentally, has been downloaded 278,000 times may carry this arcane problem. So we have to find out whether it affects us and then upgrade. It may not affect your program; it depends (as the sick.codes post explains).
How do we fix this? We need a system of upgrading/patching and of testing our devices to find out whether our systems are vulnerable.
Most people do not want to talk about cybersecurity, for a variety of reasons (nod your head if you agree).
Many people (some say 30%) are not doing what is necessary to protect their machines properly.
Managers or owners are not aware of the dangers they are in, think they are not a target (too small to get attacked), or have some other reason. Psychology of security: 30% of people are unwilling to spend money on the chance that they will lose less money; they think it is a gamble worth taking.
The lack of communication about problems, or about when one needs help ("no problems here"), causes a lot of people not to pay attention (especially when they just keep operating as normal and nothing happens).
This causes problems for the rest of us, as the machines with problems will be used to attack everyone.
Thus the Catch-22: people who do not think they have a problem will not ask for help, even when they get one, until it is already too late (after a successful attack it is too late).
What will actually make everyone who needs it perform preventative measures (spend money to possibly lose less money)?
This is why I have written a book that will be released shortly - within the first quarter of 2021 - as we are finalizing editing and other publishing tasks. Get on our mail list to learn more about the book: mail list link.
I agree with Bruce Schneier that the ransomware attacks are more intense and sophisticated; the requested fee in 2018 was $5000 and in 2020 it went up to $200,000. The criminal attackers are doing research and going after larger targets. And the ransom might not only be for computers and the data; it may be for information that the hacker will unload to the public unless you pay them.
It behooves everyone to start dotting the i's and crossing the t's, because the hackers are not standing still. Maybe you were not targeted in 2020 or in 2019, but that may not be the same in 2021 or 2022. It is high time to make sure and make things as difficult as possible for the attackers.
I am putting the finishing touches on a book in 2021 that will help small businesses manage cybersecurity.
As I wrote on my blog site www.oversitesentry.com, PCI compliance is a good way to get started on the path to good cybersecurity in your organization if you have not yet done so.
If you are accepting credit cards, then you _should_ be capable of meeting the PCI compliance standard. It is a lot to take on if you have nothing, but it can be easier if you do not develop your own computer code to accept credit cards.
My slightly simplified headings:
First inventory all your systems (software and hardware). Then, following the PCI requirement numbering referred to below:
1. Firewall maintenance (set up proper procedures to edit the ACL - Access Control List)
2. Change your default passwords (and create a password policy)
3. Protect stored cardholder data (if you are not developing software or a website, this may not be necessary)
4. Encrypt cardholder data - i.e. use devices that encrypt cardholder data (or develop this properly)
5. Protect all systems against malware (using anti-virus software)
6. Develop and maintain secure applications (only if you are developing software)
7. Restrict access to cardholder data (if developing, authenticate before giving access)
8. Identify and authenticate access to system components
9. Authenticate physical access (only qualified people should access credit card systems)
10. Track and monitor all access to network resources and cardholder data (log systems)
11. Regularly test security systems and procedures
12. Maintain a policy that addresses information security for all personnel
So from this point one can remove step 6 if there is no computer code helping you accept credit cards.
Step 4 should be handled by the credit card processor devices.
Steps 3, 7, 8, and 9 are easier with no coding.
Now all you have to focus on are 1, 2, 3, 5, 10, 11, and 12, which you should be doing already; maybe you have no documentation, but it is being done (or should be).
If you ask me, 1, 2, 5, 10, 11, and 12 should be done whether you have credit card processing or not. Someone should be accumulating the bits and pieces until you have a proper security policy.
THAT is what we do!! We can help you with creating a security policy from scratch. Contact Us
The image makes the point that governance includes PCI compliance and can be a basis for making proper IT decisions with the future in mind. Where compliance and regulatory efforts focus on specific actions and data, governance can be all-encompassing and, most importantly, creates an environment where proper decisions are made with the right people in the room. Nothing is missed, whereas compliance efforts only do what they have to.
Is it important to focus on security? How much should we pay attention to computer security? Can we relegate computer security, or as some coin the phrase 'cybersecurity', to an afterthought? Or at least to a small line item in the plan for 2019?
So 'IF' there is a ransomware attack on the most important data that we use, and we cannot recover the data (for whatever reason), is that important enough to pay more attention?
As the image above notes, in six months we could be out of business if we did not prepare properly by setting up backups for our data. Sometimes ransomware just destroys data and it cannot be recovered.
Contact us to get someone to review your backup plans and more to make sure that your business will be viable even after a ransomware attack.
What does it mean to be PCI compliant? Are You Secure if you passed compliance standards?
If you update your software, as you are supposed to in order to be PCI compliant, what happens if the update breaks your environment or is actually not secure?
Do you need an example? How about from our blogpost¹:
In our blog post we mention a plugin that was hijacked by a criminal, who then installed his own malicious code in the plugin.
Then he told WordPress "Upgrade your plugin", which caused the WordPress organization, through its upgrade mechanism, to tell all users of the plugin to upgrade.
If the unsuspecting users upgrade, then they are automatically hacked. Upgrading is normally good, but there has to be a reason for an upgrade and it has to be tested. But for "PCI compliance" you have to upgrade and keep your systems patched; for example, requirement 6.2 in the latest v3.2 PCI standard²:
Requirement 6.2: Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
So the requirement has no mention of fake upgrades, only that you upgrade the software that is necessary for the systems that need it.
This is why one has to test the upgrade first and make sure it is what it claims to be before placing it in production.
Another problem: being compliant covers only "known" vulnerabilities, which means unknown vulnerabilities can still get you hacked even if you are compliant³.
As in the post from Dec 10, 2015, new exploits are found that cause you to get hacked, and then you still lose a lot of money even though you have the latest patches. Even the latest firewalls (as in the post mentioned), certain NGFW (Next Generation Firewalls), can get hacked with a specific method.
So to answer the question above (are you secure if PCI compliant): not necessarily. In the end, PCI compliance is a specific standard for credit card numbers. You can be compliant for the credit card numbers, or Primary Account Numbers (PAN), and still fail to provide security on other systems. Or you can claim to pass PCI compliance online while not actually performing all the functions.
Testing your network for security vulnerabilities should be done by a separate pair of eyes.