SIEM Overview

Introduction

Security information and event management (SIEM) is a software solution to take event logs collected from all supported information technology (IT) infrastructure and applications and provide actionable security intelligence. These enterprise solutions provide real-time analysis of security alerts generated by applications and network hardware, providing an interface for research and analysis of provided data and alarms, while also providing an interface for deeper investigations and tracking the full scope of an event.

SIEM solutions have been around for many years, with different degrees of functionality and features depending on the product or vendor you choose.

The SIEM also provides a collection point for all logs, since a common attack profile includes an intruder attempting to cover their tracks by deleting the event logs from a compromised system. A SIEM collects the event logs in real-time, so even if the logs are deleted from the compromised system later, the events are still available for review from the SIEM copy of the logs. This helps preserve evidence and allows for detailed analysis of events even during a successful attack.

At its core, a SIEM is a data aggregator, search tool, and reporting system. SIEM gathers immense amounts of data from your entire networked environment, consolidates all that data and makes it human accessible. With the data categorized and laid out at your fingertips, an analyst can research possible data security breaches with as much detail as needed.

Summary of Capabilities

In practice many products in this area will have a mix of log-related functions, so there will often be some overlap – and many commercial vendors also promote their own terminology. A full solution will include simple collection and storage of log messages and audit trails, long-term storage as well as analysis and reporting of collected log data, real-time monitoring of new log events, correlation of events, notifications as suspicious events are collected, and console views for graphical analysis and research.

A key focus of a solution is to monitor and help manage user and service privileges, directory services and other application or system-configuration changes; as well as providing log auditing and review, analysis of related events, and incident response.

Continue reading “SIEM Overview”

Understanding the NIST Cybersecurity Framework

Summary

The Cybersecurity Framework Set was an optional standard created by the National Institute of Standards and Technology under the United States Commerce Department. This set of guidelines for private sector companies is intended to help them be better prepared in identifying, detecting, and responding to cyber-attacks. It also includes some guidelines on how to prevent and recover from a cyberattack.

The NIST Cybersecurity Framework is intended to address the lack of standards when it comes to cybersecurity. As with almost everything else that deals with technology, there are currently major differences in the way companies are using technology to detect and remediate attacks from hackers, malicious users, and ransomware.

With the complexity and frequency of cyberattacks growing each day, the task of detecting and preventing cyberattacks has gotten too difficult and complex to be left to chance, and a lack of a strategy among most organizations only makes this effort more difficult.

Continue reading “Understanding the NIST Cybersecurity Framework”

8 Small Business Cybersecurity Tips

There are about 80 million businesses worldwide that meet the “small or medium business” (SMB) definition. Businesses with fewer than 300 employees can’t always afford someone to tell them what they can do to develop a more mature security posture or how to educate employees to be smarter about their cybersecurity practices. Most successful cybersecurity attacks target small businesses and small government entities. Since the average cyberattack will cost them about $200k and a ransomware attack can force them out of business, we should talk about the basics of cybersecurity defense.

  1. Make sure you require complex passwords for every system. This means changing any vendor default passwords, not allowing simple or common passwords, and teaching your employees how to select a good password.
  2. Configure Multi-Factor Authentication (MFA) on all accounts. Just by requiring MFA to access business accounts you can prevent about 99% of all online attacks. The hackers might steal or guess your password, but it is much harder to access something like your cellphone.
  3. Use a separate account for performing administrative tasks for all your on-premises and cloud business accounts. Use this new account only to perform administrative actions, not to browse the internet or check email, and your risk of account compromise is significantly reduced.
  4. Install, properly configure, and use an antivirus solution that accesses the cloud to better protect your systems from the internet threats. This includes all your user computers and all servers.
  5. Back up your important files to the cloud. Using an automated solution to back up your files to the cloud can prevent a successful ransomware attack from locking you out of your critical files.
  6. Don’t allow your users to configure email auto-forwarding rules in O365. If your account is hacked, one of the first things the attacker will do is configure auto-forwarding rules to exfiltrate your data to their systems across the internet. If you prevent this activity, it will slow down the attack and allow you more time to react. With alerts configured, you will get an email when the attacker attempts to create a new rule, giving you notice that an attack is underway.
  7. Use your available online tools to get tips and suggestions. Things like the Microsoft O365 Secure Score can be a really helpful source of useful tips and techniques for leveraging many more security settings to improve your overall security, and these tips are free just for having an O365 account.
  8. Educate your users about the threats on the internet. Billions of users have internet access, and not all of them have your best interests in mind. Warn users about sharing too much personal information on social media, discuss how to identify phishing emails, and provide guidance on who they need to contact if they aren’t sure about clicking on a link.

You need to think about how you use the services and systems that you have access to each day and determine what data you share has value, what processes are at a high risk, and how a malicious user might monetize your activity. A little work today can pay big dividends during an attack.

Follow these simple tips to start getting some confidence around your security posture, and build on each item as threats and systems change.

IT Security: Ways to Tell an Insider Has Gone Rogue

When you are looking for ways to protect your network from attack, you should also consider how you will protect assets from users with authorized access. Employees and contractors with legitimate access to your business systems and data could be responsible for more data breaches than you might assume. Most insider data breaches are caused by accidental or negligent access, but you must consider how you would detect malicious access because the results can be disastrous to your business and even your career.

If you look at the caches of documents and data provided to the public in recent years, they have been provided by insiders with elevated access. These disgruntled employees collected all the data they could find and shared it with the public, which could disclose business intelligence or even customer data like credit card or health data. A 2017 Verizon survey puts the number of insider-led data breaches at 77 percent.

Most security solutions focus on protecting enterprise assets from outsiders, with little information on how to block legitimate insiders from unauthorized access to critical data. The key to dealing with insider threats is to log all activities by personnel accessing your most sensitive data and to identify indicators of malicious intent. Once you have identified the personnel and their potentially malicious behavior (copying data, exfiltrating sensitive files, etc.), you can alert the proper personnel to execute actions to cut off access and begin remediation, which could include legal action.

Continue reading “IT Security: Ways to Tell an Insider Has Gone Rogue”

Building a Successful Cybersecurity Strategy

When thinking of a strategy to address cybersecurity, your strategy must be one that is driven by a top-down management emphasis to build cybersecurity into everything a company does and builds. Cybersecurity cannot be an afterthought or something that is added later; it must be designed and implemented from the first day. If you have gaps today, they must be fixed and a management system must be put into place to prevent this type of issue in the future.

The first thing you must accomplish when building a mature strategy to fix your imperfect cybersecurity status is to perform a formal risk assessment. This will allow your team to compare your existing controls against an established security framework, like NIST, SANS, or CIS. A cybersecurity framework is a predefined set of controls that are identified and defined by leading cybersecurity organizations to help you enhance cybersecurity strategies within your enterprise. This will allow you to document what cybersecurity controls are already in place and how effective they are, and what controls are missing or ineffective. Once you have accomplished this step, it allows you to focus your change effort on the controls that will have the most impact to incrementally improve security with each change to the existing environment.

Now that you have a written list of needs, you have a better understanding of where your team currently stands, including what controls are currently effective and which controls are missing or poorly implemented. This will also help you determine if you have the budget and personnel to make the required changes. You’ll now have a much better idea of where the biggest security gaps exist, and it helps you assign a priority and schedule to each required change.

This might also be a good time to decide if outsourcing the effort, either in part or in full, might be a better solution for your business. Do you have the time and budget to train internal resources for the effort required to resolve the items identified for remediation? If you must hire new personnel, will you have time to onboard and complete orientation or training before you can start remediation of identified security issues, or should you outsource the remediation to an external resource with the experience and skill to quickly resolve your issues?

Continue reading “Building a Successful Cybersecurity Strategy”

What is Cybersecurity?

Cybersecurity is the process of protecting networks, systems, data, and programs from digital attacks. Cyberattacks are usually organized and planned attacks intended to gain unauthorized access to business or personal computer systems to allow changing, stealing, or destroying sensitive information. This activity can lead to unplanned business interruptions or subject the victims to extortion in order to get continued access to their data or to prevent the release of sensitive data to the internet.

Understanding Cybersecurity

Cyberattacks are often launched by people employed by organized crime or malicious state actors, who constantly evolve their attacks from one technique to the next as older techniques become less effective and newly discovered vulnerabilities are weaponized.

You don’t have to be a cybersecurity expert to understand the risk and learn how to provide some basic protection for your systems and critical data. This article is intended to provide some basic guidance and to send you in the correct direction to become more effective in protecting your personal or business data.

Continue reading “What is Cybersecurity?”

12 Cybersecurity Tips to Stay Secure on the Internet

The internet is a wonderful place full of free information, endless entertainment, and useful ways to communicate with your family and friends. There are also people that want to use that wondrous virtual environment to attack the cyber-weak and take what they have for their own profit. You see the news stories almost weekly, where another company has been breached and their customer data has been stolen, stories where companies have been attacked with ransomware and all their files are encrypted until they meet their attackers’ demands, or just average users bombarded with phishing emails or robocalls.

People don’t always know what they can do to protect themselves, so I have collected 10 simple tips that will help guide the average user to a safer cybersecurity profile that will help protect their valuable systems and data from cybercriminals.

Basically speaking, when you want to secure a user, a family, or an entire company you have to first secure the perimeter, then secure the data that enters and exits through that perimeter. Just a few years ago that perimeter was much smaller and easily defined, but with today’s services relying on the internet for almost all information like news, weather, movies, emails, file storage, gaming, etc., that perimeter is larger than ever before.

You need to think about how you use the services and systems that you have access to each day and determine what data you share has value, what processes are at a high risk, and how a malicious user might monetize your activity. One basic example is that you may use your personal computer to access your bank to transfer money from checking to savings. The risk is that your computer may be compromised, and that might allow a hacker to gain access to your bank account to transfer your money to their bank account. A hacker might just gain access to your password and is then able to use your email address and stolen password to log into your bank account from anywhere in the world to open new accounts to borrow massive amounts of money in your name.

Continue reading “12 Cybersecurity Tips to Stay Secure on the Internet”

Simple Cybersecurity for 2020

There are about 80 million businesses worldwide that meet the “small or medium business” (SMB) definition. Businesses with fewer than 300 employees can’t always afford someone to tell them what they can do to develop a more mature security posture or how to educate employees to be smarter about their cybersecurity practices. Most successful cybersecurity attacks target small businesses and small government entities. Since the average cyberattack will cost them about $200k and a ransomware attack can force them out of business, we should talk about the basics of cybersecurity defense.

  1. Make sure you require complex passwords for every system. This means changing any vendor default passwords, not allowing simple or common passwords, and teaching your employees how to select a good password.
  2. Configure Multi-Factor Authentication (MFA) on all accounts. Just by requiring MFA to access business accounts you can prevent about 99% of all online attacks. The hackers might steal or guess your password, but it is much harder to access something like your cellphone.
  3. Use a separate account for performing administrative tasks for all your on-premises and cloud business accounts. Use this new account only to perform administrative actions, not to browse the internet or check email, and your risk of account compromise is significantly reduced.
  4. Install, properly configure, and use an antivirus solution that accesses the cloud to better protect your systems from the internet threats. This includes all your user computers and servers.
  5. Back up your important files to the cloud. Using an automated solution to back up your files to the cloud can prevent a successful ransomware attack from locking you out of your files.
  6. Don’t allow your users to configure email auto-forwarding rules. If your account is hacked, one of the first things the attacker will do is configure auto-forwarding rules to exfiltrate your data to their systems across the internet. If you prevent this activity, it will slow down the attack and allow you more time to react. With alerts configured, you will get an email when the attacker attempts to create a new rule, giving you notice that an attack is underway.
  7. Use your available online tools to get tips and suggestions. Things like the Microsoft O365 Secure Score can be a source of useful tips and techniques for leveraging many more security settings to improve your overall security, and these tips are free just for having an O365 account.

You need to think about how you use the services and systems that you have access to each day and determine what data you share has value, what processes are at a high risk, and how a malicious user might monetize your activity. A little work today can pay big dividends during an attack.

Follow these simple tips to start getting some confidence around your security posture, and build on each item as threats and systems change.

Infosec Infographic Collection

I did not create these informative images, but I thought you would appreciate them:

Continue reading “Infosec Infographic Collection”

May PowerShell: Remove PowerShell V.2

Note: For the month of May 2019, I’m focusing on PowerShell information that could help you better utilize this powerful scripting tool in your environment.

Microsoft recommends you no longer use PowerShell V.2 for security reasons, but it is probably installed on your computers.

Microsoft has recently done a great job of adding powerful new security features to PowerShell. It is also obvious that the security features integrated in the latest versions of PowerShell do not apply to the older versions, which makes PowerShell v.2 an attractive target for malicious attackers and a risk to your computers. The older version of PowerShell does not have native logging capabilities, so its use remains undetected and offers stealth in malicious operations, which is why it is often used for lateral movement and persistence techniques.

For these reasons Microsoft decided to deprecate PowerShell v.2 in the more recent versions of Windows, so it is also highly recommended to check for and remove PowerShell v.2 from your environment.

You can check whether Windows PowerShell 2.0 is installed by running the following (as an administrator).

Continue reading “May PowerShell: Remove PowerShell V.2”

WannaCry Ransomware Update

The WannaCry ransomware that started compromising systems last year consists of multiple components that arrive in the form of a dropper, a self-contained program that extracts the other application components embedded within the ransomware package.

Luckily the program code is not obfuscated and was relatively easy for security pros to catalog and analyze as we try to better understand the risks.

Once launched, if WannaCry can’t access a hard-coded URL kill switch, it proceeds to search for and encrypt files matching a list of vital formats, including documents, images, music files, etc. It then displays a ransom notice demanding $300 USD in Bitcoin to decrypt the user files. If you don’t pay, the files cannot be recovered.

We posted detailed information here.

Continue reading “WannaCry Ransomware Update”

Tesla Model S Hack Explained

There have been several media stories lately about the ability of Chinese hackers to compromise the technology systems on a Tesla and demonstrate their ability to partially control the vehicle. Most of these stories don’t provide many technical details, so I thought it might be helpful to provide some of the details to help you understand how the hack was performed, and what the hackers were able to control during their demonstration.

The demonstrated exploit works by compromising the car’s CAN bus by having a user inside the vehicle access a malicious Wi-Fi network via the car’s built-in web browser. The group also demonstrated how they were able to remotely control the hacked Model S by showing they were able to open the trunk, adjust the sunroof, adjust the mirrors, and apply the brakes while the vehicle is in motion.

This demonstration illustrates how cybersecurity weaknesses can impact internet-connected vehicles, and is a call to vehicle manufacturers to redouble their efforts to address these concerns. Tesla already patched the exploit before it was publicly announced with the Firmware 7.1 update. Let’s hope future vulnerabilities are addressed by the various brands before someone is injured or killed.

Secrets of Hackers

There are a few things you can do to make your internet experience a little safer. This isn’t everything you can or should do, but these two things will enhance your everyday security without it taking a lot of effort to complete.

Disable your wireless router’s remote administration feature

This can be a very effective measure to prevent a hacker from taking over your wireless network. Many wireless routers have a setting that allows you to administer the router via a wireless connection or over the internet. This means that you can access all of the router’s security settings and other features without having to be on a computer that is plugged into the router using an Ethernet cable. While this seems very convenient for administering the router remotely, it provides another point of entry for the hacker to get to your security settings and change them to something a little more hacker friendly. Many people never change the factory default admin password on their wireless router, which makes things even easier for the hacker, so you should also change the default admin password.

Beware of “Free” Wi-Fi

If you use public hotspots you are an easy target for man-in-the-middle and session hijacking attacks. Hackers can use simple tools to perform “man-in-the-middle” attacks where they can insert themselves into the wireless connection between you and the host of the free connection. Once they have successfully inserted themselves into the connection, they can harvest your transmissions, picking up the network packets that contain account passwords, e-mail, bank account information, etc. It is recommended that you use a commercial VPN service provider to protect all of your traffic when you are using free Wi-Fi networks. Costs for these commercial services start at a few dollars a month, but you can always try a free service to see how you like it. A secure VPN provides an additional layer of security that is extremely difficult to defeat unless the hacker is extremely determined.

A determined hacker can probably defeat your basic efforts to secure a wireless signal, but 99% of the time you just have to be a difficult target. When you are attacked by a bear, you don’t have to be the fastest runner, just faster than the friends around you. A similar thing can be said for Wi-Fi security. You don’t have to be the most secure user on the network, you just have to be more secure than those people around you at the time.

How to NOT be the next Sony

I guess holiday cheer was in short supply for employees of Sony Pictures Entertainment this past Christmas. The November 2014 cyberattack on Sony was really bad, but the worst part of the story from Sony was the discovery that its company-wide security practices were embarrassingly bad.

The scary news about Sony Pictures is that they are not the only company that needs to improve its security procedures. Your company might not be the target of hackers, but you’ll still want to review these basic security tips before it is too late.

Entry

How do hackers gain access to your corporate network? Sure, there are disgruntled employees or former employees who could access your network using an authorized account. You do have policies and procedures in place to make sure that terminated employees and contractors lose access the moment it is no longer needed, right?

Are employees given basic security training, like not giving their passwords to anyone, including someone who says they are from IT Support and need their password to help them? Do they know the basics of creating a good password, not writing the password down or storing their password in a text file on the network, and what kinds of internet sites to trust or not to trust?

Do you have physical access controls in place to prevent unauthorized personnel from freely entering the building, particularly after hours or in super-secure areas like the server room or switch closets?

Network Access

Do you have controls at your company that limit user access to just the security each person requires to perform their job responsibilities? You don’t just make everyone an administrator of their laptop or network server, right? You might be surprised what level of access a normal user might have, based on their membership in selected groups in Active Directory or local server security settings. If you are an administrator-level user, you might be accustomed to unlimited access, but have you logged in as a “normal” user lately and checked out what you can or can’t do on the network? To what systems do you have remote desktop or administrator-level access when logged into the network as just a “normal” user?

Have you reviewed what users have remote access to your network? Do all of these users “need” remote access? If their account is compromised, what privileges would be granted to that remote user (who might be a hacker located in North Korea or China)?

Internet Accounts

There are also resources outside of your company. Do you know who has usernames and passwords to access the corporate web site, Twitter feed, Facebook account, etc.? How secure are the passwords used for these accounts, and how often are they changed? Do you have vendors connecting to your servers via FTP or other connections? Are you positive those connections are secure and only allow access to the files they need under your contract agreements?

Massive Attacks

A dedicated group of hackers can assault your company connections and find your weak points fairly quickly. With known vulnerabilities and standard attack tools at their disposal, you can become a fairly easy target unless you have taken some basic safeguards to prevent the easy attacks.

The easiest safeguard is keeping your software updated, which will prevent those known vulnerabilities from allowing an easy breach of your network.

The user community is also a source of failure. Make sure users know what kinds of contact to report to you, like unsolicited telephone calls from people needing remote access to their laptops or other devices. Make sure they know that they should never give their passwords to anyone, how to create a good password, and that you systematically require them to change their passwords every 90 days.

Like the old joke goes, when chased by a bear you don’t have to be the fastest runner, you just have to be faster than your friends. To prevent a random hacker attack you don’t have to be the most secure network, just more secure than their other targets. You want a hacker to fight for every piece of information. Compromising a user’s laptop shouldn’t then give them access to the entire network and all network resources.

Email

Assume any email could be made public one day. Don’t put anything in an email that you would be embarrassed to say in public, like during an investigation by the FBI or local police. Assume anything and everything you put in an email will eventually be read by anyone. Don’t include racist, sexist, or other unacceptable commentary or jokes in any of your emails. If someone sends you an email that includes this type of content, don’t forward or reply to the email. Print it out and carry it to HR for them to address.

Don’t include sensitive information in emails. Hackers may compromise your emails one day, but what information would they collect? If there is nothing there that is useful or embarrassing, what have they stolen?

Summary

What ideas do you have? What steps have you taken to prevent becoming the next Sony?

The Common Mistakes That Make Your Passwords Weak

As a post by Jeff Fox on State of the Net points out, it is pretty much common knowledge these days that hackers use software to crack your passwords, and the longer the password the harder it is for them to crack. But just because you use a long password does not ensure that you have selected a secure password. It turns out there are common patterns that people use that end up making passwords more obvious. Don’t be a victim in 2015; learn to create and use better passwords.

Common Mistakes:

• Starting with an upper case letter followed by lower case letters
• When a password isn’t long enough, adding a letter or two to the base word
• Putting digits, especially two or four of them, before or after the letters
• When a special character is required, using “!” and putting it at the end
• Not using two special characters in the same password

Best Practices:

• Avoid beginning the password with an upper case letter—or maybe even any letter
• Create an acronym using the first letter of each word in a memorable sentence, as suggested by security expert Bruce Schneier: Example: t2cmlp,@yh (“Try to crack my latest password, all you hackers”) 
• Resist your natural tendency to mimic familiar words and phrases
• Use multiple special characters (@, ?, !, ~, &, etc.) in the same password
• Don’t always place digits adjacent to each other
