
Fixvirus posts

There are a lot of compliance standards to keep up on:

HIPAA¹ - Health Insurance Portability and Accountability Act

PCI DSS² - Payment Card Industry Data Security Standard

ISO 27000³ - International Organization for Standardization (HQ in Geneva, Switzerland). I discussed ISO before: http://oversitesentry.com/ngfw-tech-half-battle-in-orgs/

Among others (Sarbanes-Oxley).

 

But what if you don't even know what you have?

Have you spent the time to look at all of your digital data?

What do you use every day? Excel and Word files?

Have you had a 3rd person look at your data and review the outcome with you?

Did you set up a risk management matrix? Likelihood vs. consequences.

Maybe you don't really know what database is the most important?

[Image: risk management matrix]

This is a framework diagram from a NIST document:

[Image: risk management framework]

It is important to assign a number from 1 to 5 for the importance of each of your different digital properties.

Set an importance for the impact on your business (low, medium, high).

The ensuing matrix will tell you at a glance what you need to know about business risk, what resources you should spend, and why.
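As an added example (not code from this page), here is the likelihood x consequence matrix worked out in Python for a small constructed inventory of digital properties. The 1-to-5 scales and the low/medium/high bands follow the text above; the band thresholds, the asset names and their scores are assumptions for the demo. Scoring and ranking are the page's idea carried through; the 5x5 text rendering is an addition so the "at a glance" view can be seen.

```python
"""Risk matrix for an inventory of digital properties.

Added example (not code from the Fixvirus page). The inventory below is
constructed for illustration; the 1-5 likelihood and consequence scales and
the low/medium/high bands follow the page, the band thresholds are assumed.
"""

# Constructed inventory: (asset, likelihood 1-5, consequence 1-5)
ASSETS = [
    ("customer database", 3, 5),
    ("marketing Excel sheets", 4, 2),
    ("payroll Word documents", 2, 4),
    ("public website", 5, 3),
]

BANDS = ((15, "high"), (8, "medium"), (1, "low"))  # assumed thresholds on a 1-25 score


def risk_score(likelihood: int, consequence: int) -> int:
    """Likelihood x consequence on 1-5 scales, giving a score from 1 to 25."""
    for value in (likelihood, consequence):
        if not 1 <= value <= 5:
            raise ValueError("likelihood and consequence must be between 1 and 5")
    return likelihood * consequence


def risk_band(score: int) -> str:
    """Map a score to the low/medium/high impact band."""
    for threshold, name in BANDS:
        if score >= threshold:
            return name
    raise ValueError("score must be at least 1")


def rank_assets(assets):
    """Return (asset, likelihood, consequence, score, band), highest risk first."""
    rows = [(name, lk, cq, risk_score(lk, cq)) for name, lk, cq in assets]
    rows.sort(key=lambda row: row[3], reverse=True)  # stable sort: ties keep input order
    return [(name, lk, cq, score, risk_band(score)) for name, lk, cq, score in rows]


def matrix_cells(assets):
    """Group asset names into the 5x5 grid keyed by (likelihood, consequence)."""
    grid = {}
    for name, lk, cq, _score, _band in rank_assets(assets):
        grid.setdefault((lk, cq), []).append(name)
    return grid


def render_matrix(assets) -> str:
    """Text matrix: rows are likelihood (5 at the top), columns are consequence.

    Each cell shows the band initial (H/M/L) and how many assets sit in it."""
    grid = matrix_cells(assets)
    lines = ["L\\C | " + " | ".join(f"{cq:^3}" for cq in range(1, 6))]
    for lk in range(5, 0, -1):
        cells = []
        for cq in range(1, 6):
            band = risk_band(risk_score(lk, cq))[0].upper()
            count = len(grid.get((lk, cq), []))
            cells.append(f"{band}{count:<2}")
        lines.append(f" {lk}  | " + " | ".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    for name, lk, cq, score, band in rank_assets(ASSETS):
        print(f"{score:>2} {band:<6} {name} (likelihood {lk}, consequence {cq})")
    print(render_matrix(ASSETS))
```

The ranked list is the part to act on: the two assets scoring 15 (the customer database and the public website) are where the spending argument goes first, and the matrix shows in which cells the rest sit.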

Contact me Tony Zafiropoulos 314-504-3974 and I will be happy to discuss this with you as I have done this with clients.

It is good to know what you have and how to protect it.

cybersecurityloganalysis

  1. http://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
  2. https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf
  3. https://www.iso.org/obp/ui/#iso:std:iso-iec:27001:ed-2:v1:en

 

 

Houston, we have a problem - a kind of misunderstanding which leads to apathy.

Example: I wonder if you knew that this week a new ransomware threat came out. I should also say that every week new ransomware comes into the "wild", into our computers. (For example, in the week of 3/28 - 4/1 we discuss in our blogpost at Oversitesentry⁵ how to prevent the Locky ransomware and how the Petya ransomware will now destroy your Master Boot Record (MBR) and with it the actual usability of the hard drive.)

For the first time a programming language called JavaScript is being used for ransomware; it is called Ransom32.

The following picture is from an older ransomware, so we can discuss what ransomware is and does (and what to fear and be proactive about).

[Image: crypto ransomware screen]

Ransom means that the criminal has found a way to take something of yours and is now trying to extort money out of you so you can get it back. In this age we are talking about data files.

Imagine that you are working on a Word document - like a proposal for a client. Now somehow ransomware software got on your computer; once the software runs, it tries to encrypt your files. Since you are still working on your proposal you try to save the file and it does not work - you cannot save the file, as the file you saved to has now been renamed and reconfigured (encrypted).

As you try to open other files you notice the encryption does not allow your files to be opened.

If you thought on your feet you could do a "save as" with the current file being worked on and thus at least save the current file. But hundreds, maybe even thousands, of the rest of your files are now encrypted.

This is obviously a problem, and can bring you to a standstill. Will it matter if your files are in the cloud? Unfortunately it depends on how sophisticated the criminals' programming is, and it is definitely possible to get all files encrypted. The name of the game is money $$$, and if the hackers in eastern Europe are making more money as hackers than as programmers at legitimate companies, then our adversaries will keep improving their attacks.

You cannot avoid this phenomenon for too long. The criminals are looking to make up to $7Bil dollars:

[Image: $7Bil potential ransomware market]

This is easy to figure out. As of 2013 there were 220 million PCs in the USA (I'm not even counting the world). 10% of PCs are not patched correctly (from my blog post and research here at Oversitesentry.com¹ and more background²), based on Microsoft statistics, as they know how many PCs are being patched.

 

We know from news reports and experience that an unpatched computer is susceptible to these types of attacks. Thus I have drawn a conclusion: 22 million PCs are susceptible, and with that the criminal has a potential $6.6Bil ransomware market - and if there are a few computers from which the hacker can steal more information that he can resell, then one can project a $7Bil ransomware market. That is a lot of potential money...

So we can't assume the threats will be the same as last year, in fact the threats will become more sophisticated and dangerous.

Instead of throwing up our hands and giving up... the thing to do is to make sure you spend more time on security this year.

There are ways to shore up or improve your perimeter (firewall); make sure to do patching on time and effectively. Maybe a new firewall which can do more than filter traffic. By filtering traffic, I mean making sure certain traffic stays out and other traffic is allowed to run. The problem with this old model is: what if the traffic is allowed (like JavaScript inside Facebook)?

Patching your computer is actually not so easy, because not all updates are good updates³. So sometimes IT pros recommend waiting until the patch/update has been tested and only then installing it. This process takes time even in the best-run IT department; there is always some window of time which creates some vulnerability.

 

Testing your backup is also an important part of security defense, since if ransomware gets through you can't afford to find out whether the criminals wrote good ransomware software that recovers your data when you pay. Our recommendation is to never pay - assume you will lose data, and back up; test the backup to make sure you will recover all data properly.
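Here is what "test the backup" looks like when scripted, as an added example (not code from this page or any backup product). It writes a few constructed files to a temporary folder, backs them up to a tar.gz together with a SHA-256 manifest, restores into a fresh folder and checks every file against the manifest, then simulates what an encrypting ransomware does to the restored copy (one file renamed, one overwritten) to show the same check catching it. File names, contents and paths are all constructed for the demo.

```python
"""Backup restore test with a hash manifest.

Added example (not code from the Fixvirus page). Sample files, the archive
name and the simulated tampering are constructed for the demonstration.
"""
import hashlib
import shutil
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def backup(root: Path, archive: Path) -> dict:
    """Archive root and return the manifest to keep (offline) next to the archive."""
    manifest = build_manifest(root)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(root, arcname=".")
    return manifest


def restore(archive: Path, dest: Path) -> None:
    """Extract the archive into dest; the 'data' filter refuses paths outside dest."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")
        except TypeError:  # older Python without the filter argument
            tar.extractall(dest)


def verify_restore(manifest: dict, restored: Path) -> list:
    """Return the problems found; an empty list means the restore matches the manifest."""
    problems = []
    for rel, expected in manifest.items():
        path = restored / rel
        if not path.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != expected:
            problems.append(f"hash mismatch: {rel}")
    return problems


def run_demo():
    """Back up, restore and verify; then tamper with the restore and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        src, archive, out = work / "src", work / "backup.tar.gz", work / "restored"
        (src / "notes").mkdir(parents=True)
        # Constructed sample files standing in for Word/Excel documents
        (src / "proposal.docx").write_bytes(b"client proposal draft v3")
        (src / "budget.xlsx").write_bytes(b"Q1 budget numbers")
        (src / "notes" / "todo.txt").write_bytes(b"call the client on Monday")

        manifest = backup(src, archive)
        out.mkdir()
        restore(archive, out)
        clean = verify_restore(manifest, out)

        # Simulate ransomware on the restored copy: rename one file, scramble another
        shutil.move(str(out / "budget.xlsx"), str(out / "budget.xlsx.locked"))
        (out / "proposal.docx").write_bytes(b"\x00garbage-ciphertext\x00")
        tampered = verify_restore(manifest, out)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = run_demo()
    print("clean restore problems:", clean)
    print("tampered restore problems:", tampered)
```

The point of keeping the manifest separate from the archive is that a restore which "succeeds" but contains already-encrypted files (because the backup ran after the infection) still fails the hash check, which is exactly the case you want to discover before you need the backup.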

You can't get away from it these days - a company which has computers on the Internet cannot just have a regular firewall anymore; it must get a NGFW (Next Generation FireWall), which will inspect the traffic and is essentially another layer of defense.

 

[Image: PA threat prevention]

A regular firewall cannot inspect data like Social Security numbers or credit card numbers. Set up correctly, you can do many things with a NGFW⁴. Here is one: if I see my Social Security numbers then email me. I.e. if somebody is stealing these numbers then email me!
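To show the kind of inspection behind that rule, here is an added example in Python (not code from this page and not any firewall vendor's feature). It runs pattern matching over a few constructed request lines: regexes pick out Social Security number and payment card candidates, validity rules (SSA area/group/serial rules, the Luhn checksum for cards) drop the obvious false positives, and an alert body is built with the numbers masked. The traffic lines are constructed; nothing is actually emailed.

```python
"""Pattern matching for Social Security and payment card numbers in traffic.

Added example (not code from the Fixvirus page or any NGFW product). The
traffic lines below are constructed for the demonstration.
"""
import re

# Constructed sample of plaintext request lines an inspecting firewall would see
SAMPLE_TRAFFIC = [
    "POST /upload name=J.+Doe ssn=219-09-9999",
    "POST /pay card=4111 1111 1111 1111 exp=12/29",
    "GET /track?order=1234-5678-9012-3456",  # fails Luhn: an order id, not a card
    "GET /form?ref=000-12-3456",             # 000 area: not a valid SSN
    "GET /index.html",
]

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13 to 19 digits, spaces/dashes allowed


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """SSA issuance rules: area not 000/666/9xx, group not 00, serial not 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so the alert itself does not leak the number."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(lines):
    """Return (line number, kind, masked value) for each confirmed match."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append((lineno, "SSN", mask(m.group(0))))
        for m in CARD_RE.finditer(line):
            if luhn_ok(re.sub(r"\D", "", m.group(0))):
                findings.append((lineno, "CARD", mask(m.group(0))))
    return findings


def alert_message(findings) -> str:
    """Body of the notification the rule would email out; empty if nothing matched."""
    if not findings:
        return ""
    body = ["Sensitive numbers seen leaving the network:"]
    body += [f"  line {n}: {kind} ending {masked[-4:]} ({masked})" for n, kind, masked in findings]
    return "\n".join(body)


if __name__ == "__main__":
    print(alert_message(scan(SAMPLE_TRAFFIC)) or "no sensitive numbers found")
```

Two things from the example carry over to a real firewall rule: the validity checks are what keep the "email me" rule from paging you on every order number, and the alert carries only the last four digits, so the notification itself does not become a second copy of the data you were trying to protect.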

 

 

Because the criminals have such a large budget you can't just trust your capable IT department; you have to make sure that everything is working as it should. Test the IT department.

[Image: system engineering as security]

I would be happy to discuss this diagram, where your IT department works on the output and Fixvirus.com uses CEH (Certified Ethical Hackers) to test your environment.

 

If you want to discuss how to improve your security (audit security, test backup, and more) in 2016, contact me now: 314-504-3974, tonyz@fixvirus.com, Tony Zafiropoulos.

 

 

  1. http://oversitesentry.com/happy-new-year-2016/
  2. http://oversitesentry.com/is-your-it-system-low-hanging-fruit-for-criminal-hackers/
  3. http://oversitesentry.com/are-we-falling-behind-on-patching-computers/
  4. http://oversitesentry.com/what-is-an-advanced-firewall-utm-ngfw/
  5. http://oversitesentry.com/ransomware-vaccine-can-it-be-done/

We have added many pages in the last few days.  And will continue to add pages in the coming months.

Notice how the menu opens at "Our Services"

Now there are three submenus - Offensive, Defensive Cybersecurity services, and Reports.

 

[Image: Fixvirus menu]

Offensive Cybersecurity Services

We test and audit your environment to make you safer with our 4 security service products: A (Alpha), Σ (Sigma), Ω (Omega), and Ψ (Psi).

Reports for the test audits

The Alpha(A) service   - Report Alpha

The Sigma(Σ) Service    -  Report Sigma

The Omega(Ω) Service  - Report Omega

The Psi(Ψ) Service - or Wifi - Report Psi

Defensive Cybersecurity Services

Cloud Company evaluations

Social Engineering Knowledge

Offense Has Advantage - We Must Analyze Logs

Security and PCI compliance is part of defense

Security Policies (Network, Computers, and More) 

Cybersecurity Consulting Services  (another submenu)

What does Certified Ethical Hacker mean?

Explaining the hacker attack cycle, to understand how the criminals are battering against your castle (your network). This section could be a bit technical.

Why Test your systems?


HIPAA compliance documents do not tell you exactly what to do in your network.

Instead they are a framework to fulfill; here is a link to the HHS information in case you are interested:

http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html   

HHS is the U.S. Department of Health & Human Services

But unfortunately the details of what should be done are opaque at best.

It is better to review the SANS website, as SANS is a security teaching organization. One of their documents has a good review of HIPAA compliance.

[Image: hospitals hacked]

An interesting sidenote (the criminals do not care about compliance or security, just whether they can hack your network resources): check our blogpost: http://oversitesentry.com/website-files-ransomed-not-just-personal-files/

In the following standard review (from the SANS document) wireless devices were discussed:
HIPAA Standards

While the Final HIPAA rules do not necessarily deal directly with wireless or any specific network device, the regulations cover many separate areas that deal with PHI (Personal Health Information). In summary the document deals with 3 major areas:

1. Administrative Safeguards
2. Physical Safeguards
3. Technical Safeguards.

The Administrative Safeguards section (164.308) provides regulation for the management of healthcare organizations. Secondly, Physical Safeguards (section 164.310) regulate how physically secure the facility should be. Finally Technical Safeguards (section 164.312) provide regulations for access control to the network, security and integrity of data/transmissions, auditing and authentication. This section is most relevant to our situation.

In order to provide the highest security to a wireless network, the relevant regulations need to be extracted from the HIPAA document and interpreted for use in the scenario presented. The following is a brief summary of the standards that relate to our wireless scenario.

1. Access control (164.312(a)(1)) is simply what the name implies, controlling who is granted access to the organization's resources.
2. Auditing (164.312(b)) is maintaining logs of who accessed a given resource at what time and where so that in the event of a security compromise there will be an audit trail.
3. Integrity (164.312(c)(1)) consists of making sure that PHI is not modified in any way by an unauthorized user during transmission or storage.
4. Person authentication (164.312(d)) is authenticating that the person the computer says they are is really the correct person. This could be argued that it should be done at the server, but I think we can take it a step further and authorize the user when they transition from the wireless to the wired network.
5. Transmission security (164.312(e)(1)) is ensuring that the network transmissions are kept private and since the media is the air this is a high priority in wireless environments.
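As an added example (not code from this page or from the SANS document quoted above), here is a small Python demonstration of three of the technical safeguards in that list working together: a role-based access decision (access control, 164.312(a)(1)), an audit trail recording who tried what on which resource, when and from where (auditing, 164.312(b)), and an integrity check over that trail (164.312(c)(1)) using an HMAC chain so that an edited or deleted entry is detected later. The key, roles, users and resource names are constructed for the demo; in practice the key would live in a secrets manager, not in the script.

```python
"""Role-based access check with a tamper-evident audit trail.

Added example (not from the Fixvirus page or the SANS document it quotes).
Users, roles, resources and the key are constructed for the demonstration.
"""
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment keeps this in a secrets manager or HSM
AUDIT_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed role model: which actions each role may take on PHI records
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "billing": {"read"},
    "guest": set(),
}

GENESIS = "0" * 64  # chain anchor for the first entry


class AuditLog:
    """Append-only log where each entry's MAC also covers the previous entry's MAC."""

    def __init__(self, key: bytes):
        self.key = key
        self.entries = []

    def _mac(self, fields: dict, prev_mac: str) -> str:
        body = json.dumps(fields, sort_keys=True).encode()
        return hmac.new(self.key, prev_mac.encode() + body, hashlib.sha256).hexdigest()

    def append(self, who: str, resource: str, action: str, allowed: bool, where: str) -> dict:
        """Record who did what, on which resource, when, from where, and the outcome."""
        prev_mac = self.entries[-1]["mac"] if self.entries else GENESIS
        entry = {
            "ts": time.time(),
            "who": who,
            "resource": resource,
            "action": action,
            "allowed": allowed,
            "where": where,
            "prev": prev_mac,
        }
        entry["mac"] = self._mac(entry, prev_mac)
        self.entries.append(entry)
        return entry

    def verify(self) -> int:
        """Index of the first entry whose chain link or MAC is broken, or -1 if intact."""
        prev_mac = GENESIS
        for i, entry in enumerate(self.entries):
            fields = {k: v for k, v in entry.items() if k != "mac"}
            if fields.get("prev") != prev_mac:
                return i  # an entry before this one was removed or reordered
            if not hmac.compare_digest(self._mac(fields, prev_mac), entry["mac"]):
                return i  # this entry's contents were changed after the fact
            prev_mac = entry["mac"]
        return -1


def access_check(log: AuditLog, user: str, role: str, action: str, resource: str, where: str) -> bool:
    """Decide whether the role may perform the action, and log the decision either way."""
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    log.append(user, resource, action, allowed, where)
    return allowed


if __name__ == "__main__":
    log = AuditLog(AUDIT_KEY)
    access_check(log, "dr_smith", "physician", "write", "chart/1001", "wifi-ap-3")
    access_check(log, "guest1", "guest", "read", "chart/1001", "wifi-ap-3")
    print("log intact:", log.verify() == -1)
    log.entries[1]["allowed"] = True  # someone edits the denial out of the trail
    print("first bad entry after tampering:", log.verify())
```

Denied attempts are logged as well as granted ones, since the audit trail is only useful in the "event of a security compromise" if it shows what was tried. The chain means an auditor with the key can tell whether the log handed over is the log that was written.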

 

So in essence, to protect PHI (Personal Health Information), as in medical data, one has to perform basic security practices. And this has to be documented for any potential audits.

Contact us, as we help with compliance or documentation details.

Blogpost on HIPAA compliance from my blog:

http://oversitesentry.com/hipaa-enforcement-10-of-any-covered-entity-will-be-audited-says-office-for-civil-rights/ (blogpost from June 2015)

Notice the tidbit that 10% of all organizations will be audited by the Office for Civil Rights, and if they so choose they will do some serious social engineering on your org.

Always better to be proactive. Make sure you have a good security policy in place. Set up a methodology of security, not just a compliance checkbox policy.

 

Updated 01/31/2016

 

If you are not 100% certain?

Are you 95.5%? That is 2 sigma (σ). If you want 99.9999%, then that is 6 sigma (σ).

The attackers are coming

check this link:

http://oversitesentry.com/i-want-my-internet-247hackersknowthat/

The link explains what is obvious to all - we need the Internet, and the criminals know that, so they will find any mistakes that you made / are making.

[Image: Evgeniy Bogachev on the FBI Most Wanted list] Mr. Bogachev has a $3mil bounty on his head - why do you think that is?

 

The Criminals are working when you are sleeping in relatively lawless environments trying to find a way to make more money - your money.

Here is a link, if you dare, to check out the "Russian Carders Army":

http://carderinfo.nm.ru/cr1.swf

A video by McAfee and the FBI explaining the background of Russian attackers (criminals): http://bcove.me/vchfpcni

I don't know if you understand yet: if you have any problems in your defenses, the hackers will find them, and it is only a matter of time before your company will be hacked, your company will be extorted, and your equipment will be used for criminal ends.

This phenomenon is not new and will not stop.

[Image: risk management matrix after a hack]

Risk management failed us - because the system that is not important may have mistakes, and once hacked it allows the more important machines to be hacked as well. So risk management failed.

We can no longer make judgements with risk and say this machine is more important and can have fewer problems than others. ALL machines are important.

 

We can help you make sure that you are as close to 100% certain as possible.

 

I believe companies need to run a minimal set of vulnerability analyses,

which I explain here:

http://oversitesentry.com/tonyz/pubhtml/fixvirus/svapec/

The idea is to at least cover your basic vulnerabilities with a regular scan, because one has to be perfect; there are too many attacks heading our way for you not to test your defenses with outside help.

Of course you can (and should) have a layered defense strategy, like in this link:

http://oversitesentry.com/2-steps-stops-all-cyberattacks/

 

Or with Six Sigma (σ)

we need Six Sigma Security

[Image: Six Sigma certified, from www.simplilearn.com]

 

And the only way to achieve it is with testing testing testing.

We perform the  (A – Σ – Ω) Solution

 

 

In QA that is how six sigma is performed, to 99.9999% error free.


Good Security means doing good basic IT.

And sometimes it also means keeping up with new compliance initiatives by industry or government.

This year, October 1, 2015, there is a new Payment Card Industry (PCI) rule going into effect. On October 1st the liability for a security breach will go to the merchant, not the bank or processor.

Here is an article that discusses certain aspects of Point Of Sale system security: http://news.investors.com/technology/032015-744412-latest-point-of-sale-endpoint-security-tackles-expensive-breaches.htm

EMV (the Europay MasterCard Visa credit card standard) will come to the US by October 1st as well. And if you will get new machines anyway, get ones which have point-to-point encryption.

[Image: card-present vulnerabilities, from visa.com]

The problems in most small merchants are basic in nature (the PCI industry has created a standard, located at https://www.pcisecuritystandards.org/):

  • Insecure remote access used by attackers
  • Weak or default passwords and settings commonly used
  • Lack of network segmentation
  • Malware deployed to capture card data
  • Absence of antivirus tools to detect malware

 

If you add a firewall and Intrusion Prevention Systems you will protect yourself even further.

http://oversitesentry.com/cyberwar-you-aint-seen-nothin-yet/

Then add the Polliwall; now it will be almost impossible for the standard criminals to take your systems. None of us can defend against the nation states, but if we can defend against everyone else then we have created the defensive system for 2015.

One does not have to be on the cutting edge of technology to be secure.

But in my hacking classes (where we try to attack other computers with Metasploit) it is obvious very quickly that a patched machine, even a Windows XP system, is much harder to crack.

Now of course, Windows XP happens to be almost obsolete. On April 8th Microsoft has said it will no longer support updates to the Microsoft Windows XP operating system. Here is a link for enterprises to help with the transition away from Windows XP.

So other than End Of Life operating systems, one does not need to stay up on the latest OS to have a secure computer; just keep up with the patches and you will be more secure than many others.

The key is to review your systems and network environment for unknown gotchas.

Contact us, as we can help with your review process. Our products:

(A – Σ – Ω)

 

 

News of the Day: Rowhammer, and this week is Patch Tuesday.

In the Tip of the Day segment we have a serious problem, as Rowhammer opens a new security angle which cannot be patched for some machines.

[Image: DRAM module]

 

Some RAM has a bit-flipping problem in certain situations which can cause an escalation of privilege, so if the hacker is already on the computer, they can get admin or root access.

We need to realize that today's researchers develop exploits that criminals then use to attack our computers, and that script kiddies then use to attack the people who don't know how to use computers.

 

So we have to develop a new method of thinking - security must be built into our processes and methods. Compliance means security first. Otherwise we will get blindsided by the newest researcher attacks.

 

Remember, our systems were not built for security first; the internet was not built with security in mind. So we will have many other attacks and exploits to keep in mind.

 

This is why you need a security department, somebody who is thinking about the security angle all the time.

Contact Us