Monday, March 28, 2022

Learn How To Take An Offensive Cyber Strategy For Your Business

 


Hey Everybody,

Given the geo-political turbulence that is happening right with Russia and the Ukraine, the threat of some real devastating Cyberattacks could soon become a reality.  Luckily nothing of that magnitude has hit our shores yet, so now is the best time to be more prepared than ever before.  But to a business owner, especially of that of an SMB, this can be quite a daunting task to accomplish.

What can be done?  Well, your best option in this case would be to hire what is known as an MSP or an MSSP.  These are the IT companies which can not only implement the right controls that are needed to further beef up your lines of defense, but they can keep on eye on them for on a 24 X 7 X 365 basis for you.  In other words, they become outsourced IT department, but at a very affordable cost.

In this podcast, we have both the honor and privilege of interviewing Sean Founder and Owner of NaviSec, LLC.  They offer a myriad of solutions, ranging from Penetration Testing to SOC Services to even making CMMC compliant.  Btu what separates them from the rest of the crowd is that not only do they offer defensive solutions, but they also offer offensive ones as well.  Many SMBs fail to recognize the need for this approach as well.

Listen in to this podcast to learn how you can take that much needed offensive posture as well.  You can download the podcast at this link:

https://www.podbean.com/site/EpisodeDownload/PB11E3B58KST5W

Sunday, March 27, 2022

The 10 Hidden Secrets Of Successful Red Teaming

 


The world of Cybersecurity is a very broad one, and encompasses many areas of technologies.  If somebody tells you that they are a master of it all, you can tell for sure that they are lying through their teeth. 

The same thing holds true abut the technical writing aspect of Cybersecurity.  Anybody can claim that they can write anything, but it takes a great talent to do that.

While I have written on quite a broad range of topics, one of the areas that I love to write on and am very passionate about is Pen Testing.  I have studied and reviewed this topic quite a bit these last few years, and in fact, it is a huge chapter in one my books.  I am by no means a practitioner into this art, but I do love writing about it.

So with this in mind, this is the topic for today’s article.  A lot of you might be asking, “Well, what is Penetration Testing”?  In very simple terms, this is where a group of ethical hackers take the mind of a Cyberattacker, and break down your walls of defenses from the external environment going inwards to see where all of your vulnerabilities and gaps exist at.

From here, a report or security brief is then compiled for the client as to what was discovered, as well as solutions that can be undertaken to remediate, or fix them.  The size of a Pen Testing team can be just a few individuals or even as large as 10-12 people, depending upon the scope of the work that needs to be done and how large your organization is.

Typically a Pen Testing team is broken down into three sub teams:

*The Red Team:  As just mentioned, these are the ethical hackers;

*The Blue Team:  These are the team members and are deemed to be the “good guys”.  They work closely with the IT Security team in order to thwart off the attacks launched by the Red Team.

*The Purple Team: This is composed of members of both the Red Team and the Blue Team, and this these group of people keep a system of checks and balances of the other two teams.

We will look at the last two teams in further detail in future articles, but on this one, the focus will be on the Red Team.  As both a company that is creating it and the client that will be hiring them, there are a number of key factors that you need to take into consideration, and are as follows:

1)     Assemble the team:

You will of course want to hire the best of the best.  The thing about Pen Testing is that it can be done remotely from anywhere in the world, at any time set forth by the client.  But, you want to select a group of people who not only have a lot of experience, but also have strong coding skills (as there could possibly be a lot of scripting that will need to be done), and have worked with the latest tools, such as Nessus, Metasploit, etc.  Although it is not a requirement, you should also give serious consideration to those candidates that have the Certified Ethical Hacker (“CEH”) cert.

2)     Utilize a framework:

While your Red Team will know more or less exactly what to do from the get go based upon their level of experience, it is important to first adopt a framework to keep your work organized as well as prioritized.  Thus, you need to pick a certain type of methodology to help your Red Team humming in a seamless fashion.  Some of the most popular frameworks are those found in OWASP, NIST, etc.  The links for these are respectively as follows:

https://owasp.org/www-project-top-ten/

https://www.nist.gov/

Also by adopting one of these frameworks, it will give a good image to your customer, as you will be using well established standards and protocols.

3)     Decide what will be ethically hacked:

Obviously, your Red Team will want to get through each and every digital asset.  But keep in mind that there are resource limitations here.  You can only go as long as your team still remains focused, and the budget that your client has set forth.  Therefore, in consultation with the client, you should strategically pick and choose those targets that are most vulnerable.  But this can only be revealed by a Risk Assessment.  Keep in mind also that it is not just the digital assets you will be going after.  If there is the need, it is quite likely that you will also be launching Social Engineering attacks against the employees of your client as well.

4)     Keep track of the work that is being done:

As you check off all of the stuff that your Red Team is hacking through, this needs to be recorded in detail as well as the possible solutions that can be implemented to fix the issues.  Not only will you need this information and data to compile the final report for your client, but you will also need to have an exhaustive record in case you are ever audited, for example by the CCPA or the GDPR.

5)     Communications is key:

This is one of the most important pieces of any Pen Testing exercise, and a siloed approach must be avoided at all costs.  For example, the Red Team needs to communicate clearly with the Blue Team, and vice versa.  But in the end, it is really the job of the Purple Team to make sure that all of lines of communications remain open and transparent.  In terms of your client, you need to explain what is going on to them in clear, layman terms without using any fancy lingo or technojargon.  This is especially important when you compile that final report for them.

My Thoughts On This:

Keep in mind that the bulk of this article was written with the business owner in mind that offers Pen Testing services.  But for you the client, there are a number of steps that you need to take into consideration as well, which are as follows:

*Always hire an extremely reliable Pen Testing company.  They should have been around for a long time, and always ask for references!!!

*As mentioned, numerous times, the Red Team will be giving you a final report.  Make sure you understand what they have written, and if you cannot, always ask questions, or have them keep rewriting the final report until you can finally understand it.

*This report will also contain a list of solutions that you should take to remediate the problems found.  Typically, the Red Team will not implement these, but rather, they will refer you to an MSSP to get this part of the job done.  In this regard, and for considerations fo your budget, it might even be wiser to hire an MSSP that not only has the Red Team to do the Pen Testing, but they can also work with you to implement the needed controls.

*Try to hire locally.  Avoid hiring Red Teams that are based overseas, especially in those geographic regions where there are nation state threat actors.  Better yet, you should have direct, face to face contact of the Red Team that you will be working with.

*Always make sure that that a contract will be signed, laying out the roles and responsibilities of all that is going to happen.  Also make sure that your Red Team is insured, in case something goes unexpectedly wrong.

Finally, keep in mind that Pen Testing is really about the only way to go to see truly what is going in your IT and Network Infrastructure.  With more than 50% of all businesses being Cyberattacked each week, this is a risk that you cannot afford to take.

Saturday, March 26, 2022

9 Golden Tips To Stay Cyber Safe In The Online Betting World

 


With the threat of COVID-19 now decreasing here in the United States for a short period of time, and with summer coming up, many people are now planning their vacations.  Some will prefer to stay closer to home, or some will want to travel even further away to places that they never have been to before.  As for me, I have some road trips planned later on.

But one thing is for sure that from the last two years, people have saved some serious money by pretty much working from home, and cutting back going out, in an effort not to get the virus.  So with this new founded money, there are other ways that people are looking for to spend their dough.

In fact, the casinos and online gambling industries will probably see a huge uptick.  Gambling for your favorite sports teams, or even placing bets can be done in a variety of different ways.  For example, you can visit Las Vegas and visit the brick-and-mortar places, or you can simply use the mobile apps on your wireless devices.

But whatever way in which you choose to spend that extra dough, be careful.  To the Cyberattacker, this is just yet another arena in which they can tap into, because in all honesty, the security systems are still not up to par, at least with regards to protecting digital assets. 

For instance, the gambling industry brought in a total of $53 billion, which is a staggering 76.7% growth rate.  The online version of gambling garnered in about $3.71 billion, which represents a 614% growth rate.

Although casinos have a large amount of cash on hand to fulfill the bets placed, quite surprisingly there has been no large-scale robbery attempts.  Probably the main reason for this is that physical access security has long been a huge concern for this industry, so thus the appropriate controls have been put into place. 

But now, focus has to place upon training your staff and customers from the digital form of attacks.  How can you get started on this, if you are a casino or online betting platform owner?  Here are some tips:

1)     Segment out the network:

In the end, all of the devices that are found in a casino are all interconnected together, and form literally own huge Internet of their own.  While having this kind of configuration might keep things easy from a management standpoint, it is just one huge attack surface for the Cyberattacker.  For example, most casinos still Perimeter Security, and if a hacker were to break through that, he or she will have access to everything.  Instead, do what the rest of Corporate America is trying to do:  Break up your entire network into smaller ones.  This is technically known as “Subnetting”.  The idea here is that each little segment will have its own layer of protection, and if a Cyberattacker were to break through, there is only so far that they can go.  But don’t ever attempt to go at this alone, get the help of an MSSP to do this.  The main benefit of this is that not only with they do the proper subnetting for you, but they can keep an eye on your IT and Network infrastructure on 24 X 7 X 365 basis, and alert you in real if there is a potential security breach that is occurring.

2)     Install more sophisticated monitoring:

Not only should you have security guards keeping an eye things, but you also need to get a bird’s eye view as well.  In this regard, consider deploying CCTV cameras at strategic locations.  Although this a fairly common practice, the difference here is that you should get those cameras that Biometrics implemented into them, such as that of Facial Recognition (FR).  For instance, if you spot somebody suspicious, you can compare those images with the FR system on a real time basis.  If you can, try to take it even one step further.  Try also to find those technologies that have Computer Vision embedded into them as well.  All of these layers will provide an irrefutable piece of evidence against the suspect you have just apprehended.

3)     Online is the way to go:

As it was stated before, many people are now placing sports related bets straight from the comforts of their wireless devices.  But this takes a mobile app which you have to create.  Mobile apps have long been a favored target for the Cyberattacker, because the coding that goes into creating them is often unchecked for any security holes or vulnerabilities.  Therefore, if you are creating a mobile especially for this, you have to take the responsibility to make sure that the source code you compile is safe and secure, and you have to convince your customers of that as well. If possible, try to use the Apple Store to upload your betting apps, as they have very stringent security measures, this providing an extra layer of assurance to your customer.

4)     Have training programs:

Before your customers enter your brick-and-mortar location, or even place bets online, it should be a requirement that they need to have some sort of security awareness training.  Now, this does not have to be anything like a corporate based security awareness training program for employees, but even a short, ten-minute orientation will do.  In these training programs, you should teach your customers as to what to look out for in case they see anything suspicious, and have them report that ASAP.  In this regard, you should also have a dedicated 24 X 7 X 365 hotline for such kinds of incident reporting.

5)     Customers have a role too:

The customers of gambling and online betting also have a key responsibility here.  For example, they should keep a close on their accounts, and immediately report any kind of fraudulent activity.  Also, Phishing still remains to be the favored attack vector, so your customers need to be aware of what to look out for, and delete anything that is suspicious.  Also, do not download anything with an attachment or a click on a link that you do not know!!! If you have any doubts about an email that you received, always contact the sender to see if they really sent it.

My Thoughts On This:

Other tips that you should consider using:

*Watch for repeated, failed login attempts.

*Always use Multifactor Authentication (MFA) as you break out your network into smaller ones.

*Keep an eye for any account takeover attempts.

*Offer a One Time Password (OTP) to dimmish the risk of SIM card swapping.

Once again, the best line of defense is to simply be proactive.  Always trust your gut.  If something doesn’t feel right, then it probably isn’t.

Sunday, March 20, 2022

How To Evaluate The Short Term & Long Term Consequences Of Making A Ransomware Payment

 


As I wrote yesterday, things with the Ukraine are starting to heat.  And with this, comes the even greater chance of far nastier Ransomware attacks than we have ever seen before.  I have written about this topic and even talked about it with podcast guests about the one fundamental question:  Should you pay the Cyberattacking group or not?

Overall, people seem to agree with me that no, you should not pay it up.  But, quite surprisingly, in a recent market which was conducted by ThycoticCentrify, found the following:

*83% of the respondents claimed that they had no choice but to pay the actual ransom;

*90% of them have even allocated a special budget to pay ransom in case they were hit;

*66% of the respondent say that they would much rather pay the ransom so they can move on and minimize any further losses.

This study can be found at this link:

https://thycotic.com/resources/ransomware-survey-and-report-2021/

But, even despite this, there are still compelling reasons why you should not pay a ransom to the Cyberattacker.  Here are some of them:

1)     There is no guarantee:

The rationale is that if you do make a payment, then the Cyberattacker will send you the decryption keys so that you unlock your computer and retrieve your files.  But don’t count on this ever happening, if you take into account these stats:

*Only 51% of victims were able to successfully retrieve their data;

*46% were able to access their data, but much of it was altered or corrupted;

*Another study found that only 8% of victims got their data back in its whole;

*50% of the respondents could only gain access to just 65% of their data.

SOURCES:

https://www.cybereason.com/press/new-cybereason-ransomware-study-reveals-true-cost-to-business

https://news.sophos.com/en-us/2021/04/27/the-state-of-ransomware-2021/

2)     You could be hit again:

If you have been hit, and you pay up, the chances are that are even greater that you will be hit again, at some other point down the road.  Look at this:

*80% of those companies polled in another survey said that they were hit again, after paying the ransom.

SOURCE:

https://www.cybereason.com/press/new-cybereason-ransomware-study-reveals-true-cost-to-business

The reason for this is simple:  The Cyberattacker now knows where your weak spots (even after you have totally remediated them) are, and they know you will pay up even a higher amount the second time around.

3)     It will lead to greater levels of sophistication:

At the present time, it appears that the Cyberattacker still uses the basic methodologies in which to craft new Ransomware variants.  In other words, they are simply building a better mousetrap. But with more money coming from ransom payments, they now have more $$$ to actually conduct research and development in order to create much sophisticated variants, right from scratch.  One example of this is known as the “BlackCat”, and more information about this can be seen here at this link:

https://unit42.paloaltonetworks.com/blackcat-ransomware/#Technical-Details

4)     The “Doxing” effect:

This is when a Cyberattacker throws a double whammy at you:  Not only do you lose your files and devices, but they also threaten you by exposing those PII datasets to the outside world, and even selling them on the Dark Web. This is also technically known as “Double Extortion” attacks, and in fact, in just the last two years since 2019, there has been a 935% increase in this kind of attack.

SOURCE:

https://blog.group-ib.com/hive

But, once again here, don’t count the Cyberattacker to keep their promise.  For instance, even if you do pay up, there is still a strong likelihood that they will still sell the PII datasets on the Dark Web, or expose them out to the public.

5)     You could be held for treason:

Just recently, the United States Federal Government has enacted a series of laws which would make it actually illegal for you to even make a ransom payment.  This was brought on by the Office of Foreign Assets Control, also known as “OFAC”.  In numerous bulletins they have sent out over the course of last year, they have made it clearly known that both individuals and businesses have been sanctioned and fined.  They also have recently what is known as the Trading with the Enemy Act, also known as the “TWEA”.  This law essentially prohibits US citizens from making ransom payments to known Cyberattacker groups that can be found on the so called Specially Designated Nationals and Blocked Persons List, also known as the “SDN”. Also, any future ransom payments will be scrutinized heavily by the Financial Crimes Enforcement Network, also known as the “FinCEN”.  This is a branch of the US Department of Treasury.

More information about this can be seen at the following links:

https://www.darkreading.com/risk/us-treasury-warns-of-sanctions-violations-for-paying-ransomware-attackers

https://home.treasury.gov/system/files/126/ofac_ransomware_advisory.pdf

My Thoughts On This:

Well, there you have it, five key reasons why you should not pay the Cyberattacker, backed up with some hard-core statistics.  I still hold to my position that one should never pay up.  Companies are now using the logic that is far less expensive to pay the Cyberattacker than to do deal with the long-term financial impacts. However, this is short, sided thinking. 

The bottom line is that one has to think for the long term as well, and that indicates one should never up at all.

Saturday, March 19, 2022

How To Keep Your IT Security Sane: 4 Golden Tips

 


Well, as political conflict still continues in the Ukraine, the number of news headlines coming out about possible, huge Cyberattacks coming out against the United States is also growing in large numbers.  But to the best of my knowledge, nothing has happened yet, and if it has, it has been in the usual amounts like last year.  But that does not mean to say that something big won’t happen, and we have to keep our guard up.

We should never fall into the thinking that because it has never happened to me that it never will.  Unfortunately, that is still the line of thinking that most businesses take today, which is just putting themselves at far greater risk versus those that are trying to be proactive.

Despite all of the latest tools and gadgets that we have out there, we are still dependent upon the human element, which is essentially the IT Security teams in Corporate America.  As of now, they are totally taxed and overburdened, and believe it or not, it is not from fighting off the threat variants. 

Rather, it is from all of the alerts and warnings that they have to filter through, which at the end of the day, a bulk of them are simply false positives.

Because of this, the real warnings and alerts often get overlooked, and these are the ones that need to be paid attention to.  Just trying to keep up with all of this has become now infamously known as “Alert Fatigue”, and it is something that is only going to get worse.

But there are ways of controlling and leveling off the sheer amount of warnings and alerts that do come through. Here are some tips that perhaps you could use for your business:

1)     Turn off those systems:

While in theory every alert and warning merits attention, this is simply not the case.  Therefore, you and your IT Security team should carefully conduct an audit of those systems (such as firewalls, network intrusion devices, routers, etc.) in an effort to determine which one of those is producing the highest number of false positives.  Once you have determined where the spikes are, then simply turn off those devices for a brief period of time.  Or, as an alternative, you can also set up special filters and rules to reduce the total amount of false positives that are coming through from them. 

2)     Establish a prioritization scheme:

If the first step has been successful, then you should be receiving a lesser amount of false positives.  Now, a bulk of them coming in should be the real ones.  Now, the question often gets asked is bluntly:  What to do next?  Well, the knee jerk reaction would be to act on it immediately. But unfortunately, that is not the case, as there will be many other alerts and warnings that will need your full attention as well.  So in this case, you need to set up some sort of triaging system that will let you prioritize which of those alerts and warnings need immediate attention. For example, those messages that relate to your mission critical operations should get the first and most immediate attention.  But if you think about it, this is also a function of the Risk Assessment that you should have done prior to this.  Although the primary objective of this is to  determine what controls need to go where, this is your opportunity to also determine where your most vulnerable digital assets lie at.  This is in turn, can then be used to set up your prioritization system for the real warnings and alarms that are coming through.

3)     Take a layered approach:

Today, many businesses are getting rid of what is known as “Perimeter Security”.  This simply means that there is a huge circle of defense encircling the business, protecting you from the external threats.  But what about the internal based ones?  This can pose a huge problem with this kind of thinking.  As a result, many entities are now adopting what is known as the “Zero Trust Framework”, and this is where nobody is trusted whatsoever.  Your IT and Network Infrastructures are broken down into smaller segments, and each of them has their own layers of authentication that an end user must go through before they can be granted access to the shared resources.  You can also use this same line of thinking in order to help triage those real one warnings.  For example, along with the prioritization scheme, you should also include some sort of labeling structure as well, to help your IT Security team keep better track of things.  A possible one could look something like this:

*Impacts coming from the Physical Layer:  This would include main access points, doors, and even other sensitive areas in your business where direct contact is required.

*Impacts coming from Technical Controls:  This would include primarily all of your network security devices.

*Impacts coming from Administrative Controls:  This would include any employee misuse, whether it is intentional or not.

4) Make use of modern stuff:

               By this, I mean use the latest and greatest and like AI and ML.  These tools have been designed   to help you specifically with task automation, especially when it comes to filtering out for the         false positives.  Initially, they will take some time to get set up, because you have to train them                from past attack signature profiles, so that they can be on the lookout.  Also, you will need to              keep them constantly fed with data, so that they can keep learning as to what a false positive              really is.  But equally important is this is that your IT Security team needs to be able to see               everything from a single, or holistic point of view. This is where a SIEM can come into play.    Although setting up an ML or AI system may sound complicated and expensive, the truth of the        matter is that they are not.  For example, Microsoft Azure has a great set of tools to create this,        and even has a great SIEM as well than you can literally just deploy right out of the box.

My Thoughts On This:

In the end, just don’t simply rely upon technology to solve your Alert Fatigue problems.  It’s going to take the human element as well.  Keep in mind that there will always be a good amount of alerts and warnings that your IT Security team will have to filter through, the goal here is to reduce the amount of workload, so that only the authentic messages come through, thus easing up the burden to a certain degree.

Sunday, March 13, 2022

Will There Ever Be A Quick Fix To The Cyber Issues On Critical Infrastructure???

 


As the war in the Ukraine rages on, the threats of Cyberattacks are growing at an exponential rate, so much so, that even the IT Security teams are having a hard time just trying to filter through all of these warnings and alerts. 

This is even despite the fact that a majority of them are using some of the advanced tools possible to filter for all of this, including the use of SIEMs and even AI and ML.  While we have the ability now to combat most kinds of digital threats (provided that we know about them with some time to spare), there is one area that still pervades us: Our Critical Infrastructure.

This is a topic in which I have written numerous articles on, but the threat is real today.  Both CISA and the FBI have out various alerts on this, warning those businesses to try to take a proactive stance as much as possible.  But unfortunately, there is not a lot one can do.  One of the main reasons for this is that the major components of our Critical Infrastructure were built way back in the 1970s.

During that timeframe, nobody even thought of the word “Cybersecurity”. Most of the worries back then were about physical access entry, which meant that only authorized individuals could enter into the premises. 

While our Critical Infrastructure has been hardened with this in mind, the same cannot be said of Cybersecurity.  Many of the security protocols still remain outdated, so you cannot simply apply software patches and upgrades.  And if you can, you have to make sure that they will intermingle “nicely” to what is already in place.

The thought then comes to mind why not just rip out the old Critical Infrastructure, and put in a new one.  Once again, this is far easier said than done.  Many of the other components still rely upon these legacy systems, so if one were to take this approach, it would mean a huge amount of downtime, that could last for days or even weeks.  Nobody wants to go through that.

To paint an even bleak picture even bleaker, consider some of these stats about Critical Infrastructure that were just released:

*The total number of attacks increased by 52% to a whopping 1,440 cases in 2021;

*21 out of the 82 vendors that participated in this survey had issues with the latest software patches and/or upgrades that they just installed;

*Nearly 60% of the Critical Infrastructure pieces could be quite easily accessed remotely by a Cyberattacker.

These stats are illustrated below:


(SOURCE:  https://www.darkreading.com/vulnerabilities-threats/industrial-systems-see-more-vulnerabilities-greater-threat)

Probably of the starkest of a Cyberattack on our Critical Infrastructure was the Colonial Gas Pipeline, which occurred late last year.  This forced the company to shut down all of their pipelines, and halt all deliveries to their suppliers. 

But this had huge ripple effects, as the commodity prices for both natural gas and oil spiked up drastically for a short period of time.  In the end, a huge ransom was paid out, in an effort to get things going again.

But as the year goes on and as the situation in Ukraine continues to unfold, the attacks on Critical Infrastructure will more likely be in the form of Ransomware.  The main catalyst for this is that we rely upon this for our every day lives, even more so that the digital technology.  Imagine not having water or food for days on end? 

Because of this, there will be a much greater tendency to pay up, and this will only serve as a huge motivator for other similar kinds of Ransomware attacks to continue – because the Cyberattacker knows that they will get an almost immediate payout. 

This is totally unlike a Ransomware attack on digital assets, where the recovery time is much shorter, and there are also ways in which paying a ransom can be circumvented.

In fact, according to the report, only 70% of the businesses could fully patch to varying degrees their pieces of Critical Infrastructure.  While this can be considered as good news, keep in mind that it, for a lack of a better term, literally forever to get these software patches and upgrades to be fully operational with the other legacy based systems that were in place. 

But also keep in mind that there are still the remaining 30% of the respondents that have not even patched their systems yet.

My Thoughts On This:

The fundamental question to be here asked now is will there ever be a time and a place where we can patch up our legacy Critical Infrastructure just as quickly as we can deploy software patches and upgrades to our digital assets?  I think we can, but it is going to take a long time, just given how old these pieces are. 

It will take large, dedicated teams to handle this, and keep in mind that we are dealing with resources whose suppliers are even no longer in existence.

Also keep in mind that the Industrial Internet of Things (IIoT) is also making a mess of things as well.  This can be viewed as a subset of the IoT, but its geared primarily towards the industrial sector.  There are vendors now out there who make products for this area, and very often they are not even secure themselves. 

Not only does this make an existing problem even worse, but it is also greatly increasing the attack surface as well, leaving many more backdoors for the Cyberattacker to penetrate into.

Now I am by no means a Critical Infrastructure expert, but based upon the research and the writing that I have done, there is no immediate solution on how to protect our Critical Infrastructure.  We just have to keep our fingers crossed, and literally hope for the best. 

And if a Ransomware attack does occur, the best option might be in the end (and keep in mind I am not at all in favor of this), is to simply pay the ransom in order to get our mission critical operations up and running again, so that innocent American citizens do not have too endure a lot of pain and suffering.

Finally, more details about the study on attacks to Critical Infrastructure can be downloaded at this link:

https://www.claroty.com/2h21-biannual-report/


Saturday, March 12, 2022

Can Electronic Design Automation Be Used To Help Compile Secure Source Code???

 


It seems like recently, software development and the security issues that go along with this process have been in the news lately.  I am assuming that it is perhaps because of the heightened tensions on a global basis, and the much-increased threat of more Cyberattacks originating from Russia and other close by regions. 

But whatever it is, having secure source code in any type or kind of application that you write and compile these days must be as safe and secure as possible.

If not, there are many backdoors that can be left wide open which simply means easy penetration for the Cyberattacker.  Now, there probably will never be a thing as 100% secure code.  But the efforts must be undertaken now to try to make this goal a reality perhaps even.

I have written about this topic quite a bit before, and even other people have written about and published about this very topic offering their own suggestions.  Some of these have included using the code development check lists that are available from both the OWASP and NIST, and from, me I have recommended Pen Testing source code at a modular level.

Now, there might be a newer tool that could come out to help software developers.  It’s already in existence in other industries, but its application for Cybersecurity would be totally brand new.  This tool is called Electronic Design Automation, or “EDA” for short.

It is currently being used in the electronics industry to help develop new chips, semiconductors, etc.  But the key here is that it is used in real time, not after the fact.

So, the thinking here is could the EDA be used like a virtual assistant of sorts to help a software development team track down issues in their source code in real time as well, thus perhaps even saving more time?  In order for this to happen, there has to be some key issues that need to be considered first. They are as follows:

1)     Lots of data must be used:

The thinking here is that as the source code is being developed, the EDA can offer feedback on a real time basis as to the robustness of it.  But in order for this, it must first make use of either an AI or ML based system, and for that matter, it must be sophisticated.  Then, literally tons of data must be fed into first so that it can build profiles as to what a robust line of source code should look like.  From here, further data must be continually fed into it so that it can then provide some valuable recommendations to the development team.  In this regard, various sorts of metrics and reporting tools have to be created and deployed into the EDA system in order for this kind of feedback to actually happen.  Also, various dashboards will have to be created for quicker viewing.

2)     Understanding the context:

By this, I mean the EDA has to understand what the goals are of the Web app that is being developed.  For example, is it an online store?  Is it a knowledge repository?  Is it just a basic website?  Is it a place where a Web scanning tool will be hosted to scan for a client’s website for any weaknesses?  As you can tell, there are a ton of applications that the EDA system may have to learn before it can really provide any real feedback.  An idea here is to use the principles along the lines of Siri and Cortana. You can simply talk to them to tell them what you want done.  In this instance, you could potentially tell the EDA system in your own voice what the Web app is all about.  But again, this will take quite some to develop further.

3)     Understanding intent:

In this regard, the goal here is for the EDA system to understand why the software developer wrote a particular line of code the way he or she did, versus another, more standardized approach.  This can be classified as a behavioral mechanism, which even today AI and ML systems can only offer at best at a very simplistic level.  We don’t need the system to tell the software developer at each and every step what should be done better.  It should only be done when it is absolutely necessary.  But for something like this to happen, the EDA system is going to have think and react like another software developer, and this is still something far off into the future.

4)     Providing feedback:

It’s one thing for the EDA system to point out to a software developer where there is a security gap or where line of code could perhaps be made better.  Then it’s the other thing for it offer suggestions and recommendations as to how that line of code could be written in a much more robust fashion or how it could be made more secure.  This is again following the example of Siri or Cortana.  For example, if we are driving, and either one of them provide a recommendation for a restaurant, and we don’t like it, they will offer other alternatives.  The reason that it can do this is that over time, they have learned about you by building up a profile about you over a long period of time.  This is also the hope for any future EDA system.  In fact, there are even certain areas within Microsoft Azure that will even offer how to best remediate the possibilities of being attacked by a threat variant.

5)     It must keep learning:

Just as much as the Cyber Threat Landscape is evolving, so is the software development world.  Now I am by nowhere even remotely close to being one, I know from my conversations with others and even visiting the forums that there are new ideas and innovations that are always coming up.  Therefore, the EDA system has to keep up with all of this well, across all of the development languages, in order to provide the best recommendations possible, assuming that we are even close in theory to approaching that stage.  For example, it will have to learn all about the Python, PERL, PHP, etc.  which are most popular programming languages today.

My Thoughts On This:

Keep in mind that all I have written here is just in theory alone, but the way the world is going, it is quite possible that using an EDA system in this way could become a reality.  And if it does, it could be of great help, because all of this will be done on a real time basis.  In other words, there will be no need to take certain downtime to run a Pen Test on a source code module, etc. 

Perhaps the best way to get started first is with #1.  We must first attempt to get the EDA system to learn as much as it can first, and then start with providing very basic feedback at least on a ranking or some of other categorization scale (such as #1 being not secure at all to #10 being most secure as possible, etc.).

Tuesday, March 8, 2022

For The SMB Owner: Learn About The Ins & Outs About Cyber Insurance

 


Hey Everybody,

There is no doubt that the world of Cybersecurity has definitely been a challenging one this year, especially with what is happening now in Russia and the Ukraine.  The threats of Cyberattacks are very real, especially risks posed to our Critical Infrastructure, which includes that of our water supplies, national electrical grid, food distribution system, nuclear facilities, etc.

Even businesses in Corporate America are impacted on this, both large and small, no matter what the industry is.  In this regard, getting Cybersecurity Insurance is a huge must.  But truth be to told, getting this is not as easy as getting car insurance.  Even filing a claim and getting the whole payout can be even more challenging. 

There are many nuances one has to take into account, and in today’s podcast, we will be interviewing Marco Alcala, of Alcala Consulting, and MSP located in the Bay Area.  He has worked directly with SMB owners one on one in helping them figure out the maze of paperwork that is involved.  Listen in so you can great some great tips so that when you apply to get your Cyber Insurance Policy, you will be better prepared.

You can download the podcast at this link:

https://www.podbean.com/site/EpisodeDownload/PB11C7C15AHPIK

Sunday, March 6, 2022

How To Efficiently Analyze Cyber Data: A 4 Step Model

 



Let’s face it, in the digital world that we live in today, one of the cornerstones of all businesses in Corporate America is that of data.  Whether its medical data, E-Commerce related data, market research data, etc.  we depend upon the collection and secure storage of it for subsequent uses.  In fact, even the world of Cybersecurity is known to collect tons of data. 

Unfortunately, in our world, much of this data gets overlooked, because our IT Security teams are so inundated with trying to put out the fires on the threat landscape.

For example, unless some sophisticated tool is being used such as SIEM, AI, or ML, it is almost impossible to comb through all of those alerts and warnings, and determine what is for real and what is fake. 

Therefore, you need and your IT Security team need to have some kind of focus as what kind of data needs to be collected, especially in the way in the way of intelligence, so that future threat vectors can be predicted with some accuracy.

So how does one go about doing this?  Here are some quick tips that you could quite possibly make use of:

1) 1)   Establish what really needs collection:

As a CISO or even a vCISO, the first answer that will come to mind is “We need everything”.  So, does this mean even including the proverbial kitchen sink? LOL.  In Cyber, all data is very important.  But since there is so much of it that is coming in on a daily basis, you need to focus in on really what employees need.  For example, if you are threat researcher, you are going to need intel related data.  If you are on the combat team fighting the threat variants, then you will need information about those threats that are inbound, what is coming in the next few days.  Or if you are running a SOC, you will need to have even more global data as to find out what is happening around the world, especially of you have clients and/or offices located in different countries.  This part of the process, which is honing down on what you really need is technically known as “Prioritized Intelligence Requirements”, or “PIR” for short.

2)  2)   Determining the actual sources:

Once you have decided what you are going to focus for either the short or long term, the next step is how you are now going to collect this data.  For example, if you are a threat researcher, you are going to need an exhaustive dataset of past variants and their signatures.  From here, you can then map out the correlations amongst the deadlier ones, and from that, try to project or extrapolate what the future threat variants will look like.  One key you advantage you have here is that the Cyberattacker hardly ever comes up with a totally new, brand-new variant.  There always based on some sort of previous attack vector, and all they are doing is simply building a better mousetrap in order to avoid detection and hide covertly for even longer periods of time.  But however, trying to do this all on your own can be a very time-consuming mind-numbing process.  That’s why you should use either AI or ML.  These tools can do this in just a matter of minutes.

3)   3)  Determine the analysis:

Once you have identified what types and kinds of data need to be collected, as well as their sources, the next thing you need to do is decide how it will be analyzed.  You have two choices, here.  They are the human approach or the automated approach.  With the former, you are going to have to hire more than just person, and this can be a costlier proposition, given the fact that you are going to have to pay them something.  Also, there is the time factor.  While humans are no doubt amongst one of the smartest creatures on the planet, it will still take a lot of time to make any sort of prediction, and humans are also more prone to making errors.  Keep in mind that in the world of Cyber, time is everything.  For example, you will need to know in a matter of hours of what the Cyber threat landscape could like tomorrow.  Thus, the latter choice, which is that of automation, will be best bet here. 

4)   4)  Determine the Call To Action:

Now that you and your IT Security team have analyzed all of the data and have derived logical conclusions from it, the final step in this process is how to take action on it.  In the case of dealing with all of the alerts that are coming in on a minute-by-minute basis, the CTA here would be to procure some sort SIEM based software package, and feed this data into it.  That way, it can very quickly and easily filter through all of the warnings and messages, and only present the real and legitimate ones to the IT Security team.  From here, they can be triaged and escalated in a quick and efficient manner, while reducing the amount of errors that are being made in the process.

My Thoughts On This:

This methodology just reviewed can be seen in the illustration below:

(SOURCE:  https://www.darkreading.com/threat-intelligence/4-simple-steps-to-a-modernized-threat-intelligence-approach).

In this article, I have eluded to quite a bit of using AI and ML tools.  Given just how dynamic the Cyber threat landscape is these days, you are going to have use these tools in order to quickly analyze the data you are getting. 

Although it may sound complex, it really is now.  If you make use of a Cloud based platform such as that of the AWS or Microsoft Azure, the tools are right there for you to literally build an AI or ML machine in just a matter of minutes, for a fixed, monthly price.

But also keep in mind that as you further explore your AI and ML options, the algorithms that you create for them have to be optimized on a regular basis.  If not, they can go stale, and not produce the desired outputs. 

Secondly, you have to make sure that the datasets you are using have been “cleansed” as well.  This simply means that there are no outliers in them, and that they are properly categorized so that your AI or ML machine can easily process them.

If you need help with any of this, there are plenty of AI vendors out there who can help you.  A Google search can reveal this as well.  Or you can also contact me at ravi@ravidas.tech for further assistance.

 

Saturday, March 5, 2022

3 Golden Keys To Unlock Protection From The Dropper App

 


Now that the weather is getting warmer outside, and with the huge anticipation of receiving a timely tax refund (this is assuming of course, you file electronically), many Americans will now want to get instant access to any and or all of their financial accounts (even including credit card) to make sure that they have enough to do things on the whim.  A lot of this can be done via the mobile apps, which are either available on the Apple Store or Google Play.

Or very often, the financial institution may even offer a link as to where you can download their particular app.  Studies have even shown that almost 87% of the American population now uses some kind of mobile app on their smartphone to get access to this kind of information. 

But of course, as something gets popular in usage, it can only mean one thing on the flip side:  The Cyberattacker is going to be there.

In fact, mobile app theft, as it relates to your financial app, has increased by a whopping 600% since 2015.  This means that 1/20 apps will be prone to an attack in which your personal data will be stolen. 

But just because you downloaded an app from a reputable source does not meant that you are completely out of the woods. The Cyberattacker has now found a new way in which to deploy a malicious payload onto it.

These are known technically as “Dropper Apps”.  This is occurs when the hacker can drop pieces of it over periods of time, without you noticing it. 

Once all of it has been collected and assembled back into its original state, the malicious payload will then remain dormant for long period of time, collecting all of your personal information, and sending that back to the Cyberattacker.

So while you may think you may be safe because you are at encrypted website, there could be a probability that your mobile could be infected with this kind of malicious payload, and sending all of your keystroke patterns back to malicious third party. 

In fact, these Dropper Apps are so covert any traditional anti-virus software that you may use on your wireless probably will not even pick it up.

It is important to note here that this hacks have mostly originated from the mobile apps that have been downloaded from Google Play, when compared to Apple, is known to have much laxer security standards. 

Although this platform has automated tools that routinely scan for any lines of malicious source code once the app has been uploaded by the software development team, it has come to the point now where the Cyberattacker can misdirect these scans in certain areas.

And it is here where these Dropper Apps are then deployed, going undetected.  So thus, once the end user has downloaded this app, he or she basically has infected machine.  But interestingly enough, these Dropper Apps are not completely activated until the victim actually updates their particular mobile app.

Once they are initiated, the Dropper Apps can then deploy keylogging software, attempt to gain root access to the wireless device, launch smaller bits of malicious code, and even misdirect the victim to a phony website, which to them, will look like the real thing.

Yes, this does sound scary. But what can be done to prevent this from happening?  Truthfully, no matter how much a bank does, there will always be some sort of risk.  Keep in mind that both Google Play and Apple Store are recipients of literally of thousands of mobile apps in a single day. 

Software developers are constantly creating new ones, and the push do upload more to these platforms becomes even greater.  Thus, even these automated scanning also have their limits.  There is only so much scanning they can do in a pre-defined time limit, and if they are overloaded, they too can break down.

But this is where the responsibility of both Google and Apple come in.  They need to keep continually upgrading their automated tools in order to make sure that all apps that are accepted for uploading are as secure as possible. 

As I have mentioned earlier, Apple has a very strong record in this regard. They will not let any software development team upload their newly created app until it has been thoroughly vetted by the requirements set forth by Apple.

Unfortunately, Google does not have requirements that are so high.  Thus, software developers have greater liberties to pretty much upload whatever they have created.  This is where most of the Dropper Apps have originated from. 

The next line of responsibility comes from the financial institutions themselves.  In the rush to save costs, many of them now outsource their software code development to other places, where security is not such a high priority. 

In my view, this thinking needs to be changed.  It all comes down the old proverbial statement, “You get what you pay for”. 

Perhaps it would be far better to pay more $$$ to have the source code development for the mobile app done locally, where the CISO can detail and enforce the security details that are required for creating a safe mobile app.  One of these should be testing for any vulnerabilities in the source code at a modular level, and rectifying the situation at that point, so it does not all get bottlenecked at the end. 

Also, after the mobile app has been created, the IT Security team of the financial institution should then check it in a sandboxed environment to make sure that all vulnerabilities and gaps are remediated.  Once this is done, only then should it be released to Google or Apple, or even both.

Finally, you the, the customer have a role to play in this as well.  You need to take extra precautions as well to make sure that you are downloading a safe mobile app, to the best of your ability.  This means doing a Google search on the app to see if it has received any negative, reviews, and even contacting the financial institution to make sure that their app you want to download has been completely tested. 

If possible, always try to download what you need from the Apple Store.

My Thoughts On This:

Another key thing that you can do is reduce the attack surface on your wireless device.  This simply means that do not go crazy and download every app that you want. Only get those which you will absolutely need on a daily basis, for both your personal and professional uses.  I know of plenty of people who have gone “app crazy”, their screens have become nothing but squares.  This only opens the door to the Cyberattacker to penetrate through, given the plethora of choices they now have.

In the end, always trust your gut.  If something seems not right, then simply don’t download it.  There are other ways to get to what you need to access.

Finally, more technical information about the Dropper App can be seen here at this link:

https://www.darkreading.com/application-security/malware-operator-employs-new-trick-to-upload-its-dropper-into-google-play

 

How To Launch A Better Penetration Test In 2025: 4 Golden Tips

  In my past 16+ years as a tech writer, one of the themes that I have written a lot about is Penetration Testing.   I have written man blog...