Ransomware Response Procedures

Ransomware is a type of malicious software that encrypts your files and demands a ransom to restore them. It can cause serious damage to your data, your privacy and your finances. If you discover that your computer has ransomware, you need to act quickly and follow these 10 steps:

  1. Disconnect your computer from the internet and any other devices. This will prevent the ransomware from spreading to other machines or contacting its command-and-control server.
  2. Identify the type and variant of ransomware that infected your computer. You can use online tools such as ID Ransomware or other reputable sites to upload a ransom note or an encrypted file and get information about the ransomware.
  3. Check if there is a decryption tool available for the ransomware that infected your computer. Some security researchers and companies have created free tools that can decrypt some types of ransomware. You can find a list of such tools on various security-related websites, like Avast, Emsisoft, Kaspersky, McAfee, Trend Micro, or other solutions.
  4. If there is no decryption tool available, try not to pay the ransom. It may not be possible to recover the encrypted files, so you may feel the need to pay the ransom. Paying the ransom does not guarantee that you will get your files back, and it may encourage the attackers to target you again. Moreover, you may be breaking the law by funding criminal activity.
  5. Remove the ransomware from your computer. You can use an antivirus or anti-malware program to scan your computer and remove any traces of the ransomware. You may need to boot your computer in safe mode or use a bootable USB drive to run the scan.
  6. Restore your files from a backup, if you have one. The best way to recover from a ransomware attack is to have a backup of your important files that are stored offline or on a separate device. If you have such a backup, you can quickly restore your files after removing the ransomware from your computer.
  7. Change your passwords and enable multi-factor authentication. The ransomware may have stolen your credentials or installed a keylogger on your computer, so you should change your passwords for all your online accounts and enable multi-factor authentication where possible.
  8. Update your operating system and applications. The ransomware may have exploited a vulnerability in your software to infect your computer, so you should update your operating system and applications to the latest versions and apply any security patches.
  9. Educate yourself and others about ransomware prevention. The best way to avoid ransomware is to prevent it from infecting your computer in the first place. You should learn how to recognize phishing emails, avoid clicking on suspicious links or attachments, and use reputable security software.
  10. Report the incident to the authorities and seek professional help if needed. You should report the ransomware attack to the relevant authorities in your country or region, as they may be able to assist you or investigate the attackers. You should also seek professional help from a trusted IT expert or a security company if you need assistance with removing the ransomware or recovering your files.

5 Tips to Secure Digital Devices in High-Risk Situations

Traveling to a high-risk area can expose your electronic devices to hacking or data theft risks. Here are five recommended steps to secure your devices and protect your sensitive information.

  1. Back up your data before you travel – Make sure you have a copy of your important files and documents in a secure cloud service or an external hard drive. Don’t bring the backup to the risky area, which will help preserve a copy of critical data if your data so you can restore your data if your device is lost, stolen, or compromised.
  2. Encrypt your devices and use strong passwords – Encryption is a process that scrambles your data and makes it unreadable without a key or a password. You can encrypt your entire device or specific folders and files. Use a strong password that is hard to guess and different for each device and account. You can also use a password manager to store and generate passwords securely.
  3. Disable or remove unnecessary features and apps – Some features and apps on your devices can make you more vulnerable to hacking or data theft. For example, Bluetooth, Wi-Fi, GPS, and NFC can be used to track your location or access your data without your permission. Disable or remove these features and apps when you are not using them or when you are in a public place.
  4. Use a VPN and avoid public Wi-Fi networks – A VPN (virtual private network) is a service that creates a secure connection between your device and the internet. It encrypts your data and hides your IP address, making it harder for hackers or third parties to intercept or monitor your online activity. Avoid using public Wi-Fi networks, such as those in hotels, airports, or cafes, as they are often unsecured and can expose your data to hackers or malicious software.
  5. Be vigilant and cautious – The most important step to secure your devices is to be aware of the potential risks and take precautions to avoid them. Do not leave your devices unattended or lend them to strangers. Do not open suspicious emails or attachments or click on unknown links. Do not download or install software from untrusted sources. Do not enter sensitive information on websites that are not secure (look for the padlock icon and https in the address bar). If you notice any signs of hacking or data theft, such as unusual activity, pop-ups, or messages, disconnect from the internet and scan your device for malware.

Disabling or Uninstalling Unnecessary Services and Apps in Windows 10

Windows 10 is a powerful and versatile operating system that offers many features and functionalities. However, not all of them are necessary or useful for every user. In fact, some of the services and apps that come preinstalled or run in the background can pose security risks or slow down your system performance.

In this blog post, we will describe which unnecessary services and apps you should disable or remove from Windows 10 for security reasons. We will also explain how to do it safely and easily.

What Are Windows Services?

Windows services are programs that run in the background and provide essential functions for the operating system, such as networking, security, printing, etc. They usually start automatically when you boot up your computer and run until you shut it down.

What Are Windows Apps?

Windows apps are applications that you can install from the Microsoft Store or other sources. They are designed to work with the modern user interface of Windows 10 and offer various functionalities, such as games, productivity tools, social media, etc.

Why Should You Disable or Remove Unnecessary Services and Apps?

There are several reasons why you may want to disable or remove unnecessary services and apps from Windows 10:

  • Security – Some services and apps may have vulnerabilities that can be exploited by hackers or malware. For example, the Remote Desktop service can allow remote access to your computer if it is not configured properly. The Bluetooth service can expose your device to wireless attacks if you don’t use it. Some apps may also collect your personal data or display unwanted ads.
  • Performance – Some services and apps may consume a lot of system resources, such as CPU, RAM, disk space, etc. This can affect your system speed and responsiveness, especially if you have a low-end device or multiple programs running at the same time.
  • Privacy – Some services and apps may send your data to Microsoft or other third-party servers for various purposes, such as diagnostics, feedback, advertising, etc. This can compromise your privacy and expose your online activities to others.
  • Storage – Some services and apps may take up a lot of disk space on your device, especially if they are rarely used or updated. This can limit your available storage space for other files and programs.

Which Services and Apps Should You Disable or Remove?

Continue reading “Disabling or Uninstalling Unnecessary Services and Apps in Windows 10”

10 Steps to Securely Configuring Windows 10

Windows 10 is the most popular operating system in the world, but it also comes with some security risks. If you want to protect your data and privacy, you need to configure Windows 10 for security. Here are 10 steps you can follow to make your Windows 10 more secure.

  1. Update Windows 10 regularly – Windows 10 updates often include security patches and bug fixes that can prevent hackers from exploiting vulnerabilities in your system. To check for updates, go to Settings > Update & Security > Windows Update and click on Check for updates. If there are any available updates, install them as soon as possible.
  2. Use a strong password and a PIN – A strong password is one that is long, complex, and unique. It should include a mix of uppercase and lowercase letters, numbers, and symbols. A PIN is a four-digit code that you can use to unlock your device instead of typing your password. To set up a password and a PIN, go to Settings > Accounts > Sign-in options and choose Password and PIN. Make sure you don’t use the same password or PIN for other accounts or devices.
  3. Enable BitLocker encryption – BitLocker is a feature that encrypts your hard drive, making it unreadable to anyone who doesn’t have the right key. This can protect your data in case your device is lost, stolen, or hacked. To enable BitLocker, go to Settings > System > About and click on Device encryption. If your device supports BitLocker, you will see a Turn on button. Click on it and follow the instructions.
  4. Use Windows Defender Firewall and antivirus – Windows Defender Firewall is a feature that blocks unauthorized network connections, preventing hackers from accessing your device or data. Windows Defender antivirus is a feature that scans your device for malware and removes any threats. To use Windows Defender Firewall and antivirus, go to Settings > Update & Security > Windows Security and click on Firewall & network protection and Virus & threat protection. Make sure they are both turned on and up to date.
  5. Enable two-factor authentication – Two-factor authentication is a feature that adds an extra layer of security to your online accounts. It requires you to enter a code or use an app on your phone after entering your password, verifying your identity. To enable two-factor authentication, go to Settings > Accounts > Sign-in options and click on Security key or Windows Hello. Follow the instructions to set up your preferred method of two-factor authentication.
  6. Use a VPN service – A VPN service is a feature that encrypts your internet traffic, hiding your IP address and location from prying eyes. This can protect your privacy and security when you use public Wi-Fi or access geo-restricted content. To use a VPN service, you need to download and install a VPN app from the Microsoft Store or a trusted website. Then, launch the app and connect to a server of your choice.
  7. Disable unnecessary services and apps – Some services and apps that come with Windows 10 may not be essential for your needs, but they can consume resources and pose security risks. To disable unnecessary services and apps, go to Settings > Apps > Apps & features and click on the service or app you want to uninstall or modify. You can also go to Settings > Privacy and review the permissions that each app has access to.
  8. Use a secure browser and extensions – A secure browser is one that protects your online activity from trackers, ads, and malicious websites. A secure extension is one that enhances the functionality of your browser without compromising your security or privacy. To use a secure browser and extensions, you can choose one of the following options:
    • Use Microsoft Edge, which is the default browser for Windows 10. It has features like SmartScreen, Tracking Prevention, InPrivate mode, and Password Monitor that can improve your security and privacy.
    • Use Google Chrome, which is the most popular browser in the world. It has features like Safe Browsing, Incognito mode, Password Checkup, and Sync that can improve your security and privacy.
    • Use Mozilla Firefox, which is the most privacy-focused browser in the world. It has features like Enhanced Tracking Protection, Private Browsing mode, Lockwise, and Monitor that can improve your security and privacy.
  9. Backup your data regularly – Backing up your data is a feature that copies your files to another location, such as an external hard drive or a cloud service. This can protect your data from accidental deletion, corruption, or ransomware attacks. To protect your data regularly, go to Settings > Update & Security > Backup and click on Add a drive or Backup options. Choose where you want to store your backup files and how often you want to backup.
  10. Educate yourself on cyber threats and best practices – The most important feature for securing your Windows 10 is your own knowledge and awareness. You need to learn how to recognize and avoid common cyber threats, such as phishing, malware, or social engineering. You also need to follow best practices, such as using strong passwords, updating your software, and locking your device when not in use. You can find more information and tips on how to secure your Windows 10 on the Microsoft website or other reputable sources.

History and Status of the PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) was created in response to the rapid growth of credit card transactions in the 1990s causing thousands of small companies to start storing credit card data and processing consumer transactions on unprotected networks.  Since many of these small businesses didn’t know how to properly secure these credit card transactions, it also led to a rapid increase in data theft and a growing concern from banks and credit card companies about ways to protect their brand and consumer accounts. In an effort to resolve the growing concern around payment card fraud and cybercrime in general, industry leaders such as Visa, MasterCard, and American Express got together and created a global security standard to protect online card payments.

The PCI DSS standard was established to set basic guidelines and requirements around how businesses must create a safer cardholder data environment, using basic requirements to drive minimum requirements around security that would lead to more secure business systems. As the standard evolved and procedures more refined, PCI DSS became an internationally accepted standard for all merchants and service providers.

PCI DSS History

PCI DSS was introduced in December 2004, after Visa and other brands had introduced their own standards.  These brand-specific standards weren’t well received by merchants and service providers, since these were small companies that didn’t need the confusion of multiple standards.

Continue reading “History and Status of the PCI DSS”

How to Create a Secure Windows 10 Workstation for Beginners

If you are new to Windows 10 and want to create a secure workstation for your personal or professional use, this blog post is for you. In this post, I will show you how to set up a Windows 10 workstation with some basic security features that will help you protect your data and privacy. Here are the steps you need to follow:

Continue reading “How to Create a Secure Windows 10 Workstation for Beginners”

IT Security Manager Responsibilities

What are the day-to-day responsibilities of an IT Security Manager?

An IT Security Manager is a technology professional who oversees the security of an organization’s information systems and networks. They are responsible for planning, implementing, and monitoring security policies and procedures to protect the organization from cyber threats and ensure compliance with relevant regulations and standards.

An IT Security Manager requires a combination of technical skills, such as knowledge of network security, encryption, firewalls, antivirus software, etc., and soft skills, such as communication, leadership, problem-solving, teamwork, etc. An IT Security Manager typically has a bachelor’s degree in computer science, information technology, cybersecurity or equivalent business experience. They may also have relevant certifications (CISSP, CISM, Security+, CASP+, CEH, etc.) to demonstrate specific skills and knowledge. An IT Security Manager may work for various types of organizations, such as government agencies, corporations, nonprofits, educational institutions, etc., depending on their industry and size.

Continue reading “IT Security Manager Responsibilities”

Top 10 Cybersecurity Team Effectiveness Metrics

What are the top 10 metrics used to measure cybersecurity team effectiveness?

Cybersecurity is a vital aspect of any organization that relies on digital systems and networks. However, measuring the effectiveness of a cybersecurity team can be challenging, as there are many factors and variables involved. In this blog post, we will explore some of the most common and useful metrics that can help assess how well a cybersecurity team is performing and where they can improve.

1. Mean time to detect (MTTD) – This metric measures how quickly a cybersecurity team can identify a potential threat or incident. The lower the MTTD, the better, as it means that the team can respond faster and minimize the damage.
2. Mean time to respond (MTTR) – This metric measures how quickly a cybersecurity team can contain and resolve a threat or incident. The lower the MTTR, the better, as it means that the team can restore normal operations and reduce the impact.
3. Mean time to recover (MTTR) – This metric measures how quickly a cybersecurity team can restore the affected systems and data after a threat or incident. The lower the MTTR, the better, as it means that the team can resume business continuity and reduce the downtime.
4. Number of incidents – This metric measures how many threats or incidents a cybersecurity team has to deal with in a given period. The lower the number of incidents, the better, as it means that the team has a strong security posture and can prevent most attacks.
5. Severity of incidents – This metric measures how serious or damaging a threat or incident is for an organization. The lower the severity of incidents, the better, as it means that the team can mitigate most risks and protect the most critical assets.
6. Incident response rate – This metric measures how many threats or incidents a cybersecurity team can successfully handle in a given period. The higher the incident response rate, the better, as it means that the team has enough resources and capabilities to deal with all challenges.
7. Incident resolution rate – This metric measures how many threats or incidents a cybersecurity team can successfully resolve in a given period. The higher the incident resolution rate, the better, as it means that the team has effective processes and tools to eliminate all threats.
8. Cost of incidents – This metric measures how much money an organization loses due to threats or incidents in a given period. The lower the cost of incidents, the better, as it means that the team can minimize the financial losses and optimize the security budget.
9. Customer satisfaction – This metric measures how satisfied an organization’s customers are with its security performance and service quality. The higher the level of customer satisfaction, the better, as it means that the team can meet or exceed customer expectations and build trust and loyalty.
10. Employee satisfaction – This metric measures how satisfied an organization’s employees are with its security culture and environment. The higher the employee satisfaction, the better, as it means that the team can foster a positive and collaborative atmosphere and retain talent.

These are some of the most common and useful metrics that can help measure cybersecurity team effectiveness. However, they are not exhaustive or definitive, and each organization may have different goals and priorities when it comes to security. Therefore, it is important to customize and adapt these metrics according to each organization’s specific needs and context.

How to Detect a New Domain Controller in Your Network

Some malware can create a Domain Controller to infect your network and steal data. DCShadow is a late-stage kill chain attack that allows an attacker with compromised privileged credentials to register a rogue Active Directory (AD) domain controller (DC). Then the adversary can push any changes they like via replication — including changes that grant them elevated rights and create persistence. It can be extremely difficult to detect a new Domain Controller, so you need to know how to find one if you suspect an infection.


A domain controller is a server that manages the security and authentication of users and computers in a domain. A domain is a logical grouping of network resources that share a common name and directory database. A new domain controller can be added to a domain for various reasons, such as increasing redundancy, improving performance, or expanding the network.

However, a new domain controller can also pose a security risk if it is not authorized or configured properly. An unauthorized domain controller can compromise the security of the entire domain by granting access to unauthorized users or computers, or by intercepting and modifying network traffic. Therefore, it is important to detect and monitor any new domain controllers in your network.

In this blog post, we will show you how to detect a new domain controller in your network using some simple tools and techniques. We will assume that you have administrative privileges on your network and that you are familiar with basic Windows commands and PowerShell.

Use the Netdom Command

The netdom command is a Windows command-line tool that can be used to manage domains and trust relationships. One of the functions of the netdom command is to list all the domain controllers in a domain. To use the netdom command, you need to open a command prompt as an administrator and type the following command:

netdom query dc

This command will display all the domain controllers in your current domain. You can also specify a different domain name after the dc parameter if you want to query another domain. For example:

netdom query dc example.com

The output of this command will look something like this:

List of domain controllers with accounts in the domain:

DC1DC2DC3The command completed successfully.

You can compare this output with your previous records or expectations to see if there is any new or unexpected domain controller in your domain. If you find one, you should investigate further to determine its origin and purpose.

Use the Get-ADDomainController PowerShell Cmdlet

The Get-ADDomainController PowerShell cmdlet is another tool that can be used to retrieve information about domain controllers in a domain. To use this cmdlet, you need to open a PowerShell window as an administrator and type the following command:

Get-ADDomainController -Filter *

This command will display all the domain controllers in your current domain along with some additional information, such as their name, site, operating system, IP address, and roles. You can also specify a different domain name after the -Server parameter if you want to query another domain. For example:

Get-ADDomainController -Filter * -Server example.com

The output of this command will look something like this:

DistinguishedName : CN=DC1,OU=Domain Controllers,DC=eexample, DC comDNSHostName : DC1.example.comEnabled : TrueName : DC1ObjectClass : computerObjectGUID : 12345678-1234-1234-1234-123456789012SamAccountName : DC1$SID : S-1-5-21-1234567890-1234567890-1234567890-1000Site : Default-First-Site-NameOperatingSystem : Windows Server 2019OperatingSystemVersion : 10.0 (17763)Forest : example.comDomain : example.comIPv4Address : : fe80::1234:5678:90ab:cdef%12IsGlobalCatalog : TrueIsReadOnly : FalseIsSeized : FalseRoles : {PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster...}DistinguishedName : CN=DC2,OU=Domain Controllers,DC=example, DC ComDNSHostName : DC2.example.comEnabled : TrueName : DC2ObjectClass : computerObjectGUID : 23456789-2345-2345-2345-234567890123SamAccountName : DC2$SID : S-1-5-21-2345678901-2345678901-2345678901-1000Site : Default-First-Site-NameOperatingSystem : Windows Server 2019OperatingSystemVersion : 10.0 (17763)Forest : example.comDomain : example.comIPv4Address : : fe80::1235:5678:90ac:cdef%12IsGlobalCatalog : TrueIsReadOnly : FalseIsSeized : FalseRoles : {PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster...}

You can also use Event ID 4742 in your Security log to monitor the changes to your registered Domain Controllers. This event shows which user initiated the change, so you know which Domain Administrator account is being used to perform the attack.

How to Report Smishing to Your Cell Phone Service Provider

Smishing is a type of phishing scam that targets your cell phone through text messages. The goal of smishing is to trick you into clicking on a malicious link, downloading a harmful attachment, or revealing your personal or financial information.

Smishing can be very dangerous and costly, as it can expose you to identity theft, fraud, malware, or unwanted charges on your phone bill. It is important to know how to report smishing to your cell phone service provider if you receive a suspicious text message.

Here are the step-by-step instructions for reporting smishing to your cell phone service provider:

Continue reading “How to Report Smishing to Your Cell Phone Service Provider”

O365 Security Overview

Office 365 is a popular cloud-based productivity suite that offers many benefits for businesses of all sizes. These Top 5 Security Settings in O365 should help you get started on your path towards a more secure cloud. However, with great power comes great responsibility. As an O365 administrator, you need to ensure that your organization’s data and users are protected from cyber threats and unauthorized access. In this blog post, we will share with you the top 5 security settings in O365 that you should configure to enhance your security posture and reduce your risk exposure.

1. Enable multi-factor authentication (MFA). MFA is a simple but effective way to prevent account compromise by requiring users to provide an additional factor of authentication besides their password, such as a code sent to their phone or email, or a biometric verification. MFA can stop attackers from accessing your O365 account even if they have your password. You can enable MFA for all users or specific groups in the Azure Active Directory portal.

2. Set up conditional access policies. Conditional access policies allow you to control who can access what resources in O365 based on certain conditions, such as location, device, app, or risk level. For example, you can block access to O365 from untrusted locations or devices, or require MFA for high-risk sign-ins. You can create and manage conditional access policies in the Azure Active Directory portal.

3. Configure data loss prevention (DLP) policies. DLP policies help you prevent sensitive data from leaving your organization or being shared with unauthorized parties. You can define what types of data are sensitive, such as credit card numbers, social security numbers, or health records, and what actions are allowed or blocked when such data is detected in O365 apps, such as Outlook, SharePoint, OneDrive, or Teams. You can create and manage DLP policies in the Microsoft 365 compliance center.

4. Enable audit logging and alerts. Audit logging and alerts help you monitor and respond to suspicious or malicious activities in your O365 environment. You can view and search audit logs for various events, such as user sign-ins, file downloads, mailbox access, password changes, or admin actions. You can also set up alerts to notify you when certain events occur, such as a user logging in from an unusual location or a file containing sensitive data being shared externally. You can access audit logs and alerts in the Microsoft 365 security center.

5. Review and update your security settings regularly. Security is not a one-time task but an ongoing process. You should review and update your security settings regularly to keep up with the changing threat landscape and best practices. You can use the Microsoft Secure Score tool to assess your current security posture and get recommendations on how to improve it. You can also use the Microsoft Security Roadmap to plan and prioritize your security initiatives. You can access both tools in the Microsoft 365 security center.

These are some of the most important security settings in O365 that you should configure to protect your organization’s data and users. By following these steps, you can enhance your security posture and reduce your risk exposure in the cloud.

Active Directory Security Overview

Active Directory (AD) is a directory service that manages the identities and access rights of users and devices in a network. AD security settings are the policies and configurations that define how AD objects, such as users, groups, computers, and organizational units, are protected from unauthorized access or modification.

AD security settings are essential for any organization that uses AD as their directory service. They help protect the network from internal and external threats, comply with various regulations and standards, and optimize the network performance and management. However, not all AD security settings are equally important. Some settings have a greater impact on the security posture and compliance status of the network than others.

In this post, I will discuss the importance of the top 5 security settings in AD, namely:

  • Password policy
  • Account lockout policy
  • Group policy
  • Permissions and auditing
  • Kerberos policy

Password Policy

Password policy is the set of rules that govern how passwords are created, changed, and stored in AD. Password policy affects the security of user accounts and the authentication process. A strong password policy should enforce the following requirements:

  • Minimum password length
  • Password complexity
  • Password history
  • Password expiration
  • Password encryption

A strong password policy helps prevent password cracking, guessing, or phishing attacks by making passwords harder to break or steal. It also reduces the risk of password reuse or sharing by requiring users to change their passwords regularly and use different passwords for different accounts. You should look at minimum password length of 10-12 characters with complexity requirements enabled, remembering at least the last 5 passwords, etc.

Account Lockout Policy

Account lockout policy is the set of rules that govern how AD responds to failed logon attempts. Account lockout policy affects the security of user accounts and the authentication process. A reasonable account lockout policy should enforce the following requirements:

  • Account lockout threshold
  • Account lockout duration
  • Account lockout reset

A reasonable account lockout policy helps prevent brute force attacks by locking out accounts after a certain number of failed logon attempts. It also reduces the risk of denial-of-service attacks by unlocking accounts after a certain period of time or by allowing administrators to manually reset them. You should look at disabling a user account if they guess their password incorrectly 10 times in 30 minutes, and automatically enabling their account after it has been locked for 30 minutes.

Group Policy

Group policy is the set of rules that govern how AD objects are configured and managed. Group policy affects the security of users, devices, and data. A comprehensive group policy should enforce the following requirements:

  • Security settings
  • Software settings
  • Administrative templates
  • Preferences

A comprehensive group policy helps enforce consistent and secure configurations across the network by applying security settings to users, devices, and data. It also helps automate and simplify the deployment and management of software, policies, and preferences across the network.

You should minimize any GPOs linked at the root domain level as these policies will apply to all users and computers in the domain. You should also avoid blocking policy inheritance and policy enforcement.

Permissions and Auditing

Permissions and auditing are the set of rules that govern how AD objects are accessed and monitored. Permissions and auditing affect the security of users, devices, and data. A granular permissions and auditing policy should enforce the following requirements:

  • Least privilege principle
  • Role-based access control
  • Object ownership
  • Inheritance and propagation
  • Audit policy

A granular permissions and auditing policy helps ensure the confidentiality, integrity, and availability of AD objects by granting only the necessary access rights to authorized users or groups based on their roles and responsibilities. It also helps detect and deter unauthorized access or modification by recording and reporting any changes or activities on AD objects.

Kerberos Policy

Kerberos policy is the set of rules that govern how AD uses Kerberos as its primary authentication protocol. Kerberos policy affects the security of user accounts and the authentication process. A secure Kerberos policy should enforce the following requirements:

  • Ticket lifetime
  • Ticket renewal
  • Maximum tolerance for computer clock synchronization

A secure Kerberos policy helps prevent replay attacks by limiting the validity and renewability of Kerberos tickets. It also helps prevent man-in-the-middle attacks by requiring a close synchronization of computer clocks within the network. It’s advisable to set Maximum lifetime for service ticket to 600 minutes and Maximum lifetime for user ticket renewal to 7 days.

In conclusion, AD security settings are vital for any organization that uses AD as their directory service. Among them, password policy, account lockout policy, group policy, permissions and auditing, and Kerberos policy are the most important ones. They help protect the network from internal and external threats, comply with various regulations and standards, and optimize the network performance and management.

Starting Your Cybersecurity Career

Cybersecurity as part of an overall Information Systems environment has existed for many years, but recent cyber-attacks have forced companies of all sizes to focus on cybersecurity to enhance security, protect sensitive customer and employee data, and to prevent damage to their corporate brand. Maybe you are looking to jump into a cybersecurity career? I have some basic tips to help you make the leap to a rewarding career in cybersecurity.

  1. Skills – A company only wants to hire the best employees, usually for the lowest wage possible. Your salary is usually based on your skills, experience, and the local market. If you haven’t got any relevant experience, and you can’t demonstrate relevant skills, you may never get a cybersecurity job and you’ll definitely be underpaid if you do get a job. The best way to demonstrate skills without experience is an industry recognized certification. While having a degree in cybersecurity will open some doors, an EC-Council Certified Ethical Hacker (CEH), CompTIA Security+, or many other certifications will help demonstrate you have the knowledge and skills to tackle the complexities of cybersecurity. Look at job postings to see what types of certifications are needed or common for the type of job you want to pursue. You can get a free certification called Certified in Cybersecurity from (ISC)², the same cybersecurity professional organization known for the popular CISSP certification. Just sign up as an (ISC)² Candidate. When you’re ready to sit for the exam, you can find your exam promo code on the Candidates benefits page. Please note that you may only use the exam promo code once. To register for your exam at a Pearson VUE test center, visit https://www.isc2.org/Register-for-Exam
  2. Experience – This can be the most difficult thing for a beginner to accomplish. How can you be expected to gain experience if you can’t get a job without experience? You can try internships, a part-time job, freelancing for a few friends or associates, volunteering at a local non-profit, or complete Capture-the-Flag (CTF) challenges. These are all great ways to gain hands-on experience in cybersecurity, maybe without giving up your normal job. These initial experiences will not only help you determine if this career is right for your personality and lifestyle, but it will also build your skills and experience to enhance your resume.
  3. Awareness – Most of what is happening in cybersecurity isn’t mainstream news. You need to follow some basic industry news sites (securityweek.com, thehackernews.com, bleepingcomputer.com, etc.) to learn about new attack methods, attend cybersecurity conferences to listen to experts and vendors, participate in free webinars to learn new skills, and join online or local communities to meet your future coworkers. These relationships and information are usually free (or low-cost) ways to stay informed about emerging threats, hacking tools, and industry best practices in the field. Being a well-informed cybersecurity professional adds value to your portfolio and can attract interest from an organization during an interview.
  4. Relationships – By networking and building professional relationships, you can create a strong professional network that can possibly offer you mentorships, job referrals, information about recent job posting, or just someone to talk to when you need a pep talk.
  5. Attitude – You’ll probably meet a few people who still think of security professionals as teenagers living in their parent’s basement trying to hack into the Pentagon or the local video game store. You’ll need to demonstrate your professionalism in actions and appearance. Cybersecurity professionals have access to critical and sensitive business information, so you’ll need to demonstrate you can handle that responsibility with the highest standards of conduct, ethical behavior, and professional demeanor. This includes while at a job interview, attending a conference, and while talking to colleagues or friends. Don’t give anyone a reason to second-guess the opportunity to recommend you for a job.
  6. Focus – Learn everything you can and stay focused on the prize. Don’t take half steps toward getting that dream job in cybersecurity. There are entry-level jobs out there, you just need to be persistent and patient to find the hiring manager willing to give you a chance. The more you know, the more you’ll find out how much you don’t know about cybersecurity. Accept your limitations and lean into finding an entry-level position. Stay curious and accept you have a ton to learn, but demonstrate a willingness and ability to learn.

These are the basic building blocks to finding a rewarding career in cybersecurity. Some people find it easy and get an entry-level job a few weeks into their job search, while others can spend months without any luck. It doesn’t mean you are doing something wrong. Stay positive and focused and you’ll eventually find success.

SIEM Overview


Security information and event management (SIEM) is a software solution to take event logs collected from all supported information technology (IT) infrastructure and applications and provide actionable security intelligence. These enterprise solutions provide real-time analysis of security alerts generated by applications and network hardware, providing an interface for research and analysis of provided data and alarms, while also providing an interface for deeper investigations and tracking the full scope of an event.

SIEM solutions have been around for many years, with different degrees of functionality and features depending on the product or vendor you choose.

The SIEM also provides a collection point for all logs, since a common attack profile includes an intruder attempting to cover their tracks by deleting the event logs from a compromised system. A SIEM collects the event logs in real-time, so even if the logs are deleted from the compromised system later, the events are still available for review from the SIEM copy of the logs. This helps preserve evidence and allows for detailed analysis of events even during a successful attack.

At its core, a SIEM is a data aggregator, search tool, and reporting system. SIEM gathers immense amounts of data from your entire networked environment, consolidates all that data and makes it human accessible. With the data categorized and laid out at your fingertips, an analyst can research possible data security breaches with as much detail as needed.

Summary of Capabilities

In practice many products in this area will have a mix of log-related functions, so there will often be some overlap – and many commercial vendors also promote their own terminology. A full solution will include simple collection and storage of log messages and audit trails, long-term storage as well as analysis and reporting of collected log data, real-time monitoring of new log events, correlation of events, notifications as suspicious events are collected, and console views for graphical analysis and research.

A key focus of a solution is to monitor and help manage user and service privileges, directory services and other application or system-configuration changes; as well as providing log auditing and review, analysis of related events, and incident response.

Continue reading “SIEM Overview”

Understanding the NIST Cybersecurity Framework


The Cybersecurity Framework Set was an optional standard created by the National Institute of Standards and Technology under the United States Commerce Department. This set of guidelines for private sector companies is intended to help them be  better prepared in identifying, detecting, and responding to cyber-attacks. It also includes some guidelines on how to prevent and recover from a cyberattack.

The NIST Cybersecurity Framework is intended to address the lack of standards when it comes to cybersecurity. As with almost everything else that deals with technology, there are currently major differences in the way companies are using technology to detect and remediate attacks from hackers, malicious users, and ransomware.

With the complexity and frequency of cyberattacks growing each day, the task of detecting and preventing cyberattacks has gotten too difficult and complex to be left to chance, and a lack of a strategy among most organizations only makes this effort more difficult.

Continue reading “Understanding the NIST Cybersecurity Framework”

10 Steps to Stopping Lateral Movement Attacks

It is estimated that over 75% of cyber attacks come from outside your network. While every attack is unique and tactics may vary, the basic stages of an outsider attack are similar. During the attack, an attacker uses four basic steps to gain a foothold in your environment.

  1. Attack the perimeter – Gain access through any perimeter protections to gain access to the internal resources of the network, like a user’s computer or a server-based resource on the internal network. This can be accomplished using a known vulnerability, or by convincing the user to run a program from an email link or attached file.
  2. Malware Drop – Once they have access to an internal resource, they drop malware onto the endpoint and begin communications to the compromised device, usually though a command and control system. Using the permissions of the current user, they gather intelligence about the network and attempt to elevate their permissions on that endpoint.
  3. Lateral Movement – They now start looking for resources on other systems on the same internal network. As new systems are discovered, they are also compromised and start communicating with the attackers command and control system. They gather more intelligence and try to elevate their permissions on all compromised systems.
  4. Trigger Payload – Once your network and systems are owned by the attacker, they start exfiltrating and/or encrypting the files on the compromised internal resources. Game Over.

There are some common mitigation strategies your organization can implement to help prevent lateral movement (step 3 shown above) during an attack. You won’t always detect the initial compromise of an internal resource, but you can limit the damage that can be inflicted by implementing some basic security steps.

Here are 10 Steps to a reducing a lateral movement attack:

Continue reading “10 Steps to Stopping Lateral Movement Attacks”

Windows Security Checklist for Home Systems

While your IT Department may have a handle on enterprise security, not everyone is technical enough to feel confident that their home computer systems are secure from attack. Many people wonder where is the best place to start, what steps they can take that will make the most impact, and which systems are most likely to need attention.

While there are literally hundreds of settings you can alter and fine tune to adjust your specific system settings, we are going to focus on general security actions you can look into, each helping build a general security mindset that will hopefully get you started without feeling overwhelmed. As you begin with general security changes, you will become more confident in your abilities and less worried that you are breaking anything.

General Considerations

  1. Router – All the devices on your home network communicate with the router. This is the device usually supplied by your internet provider, that allows your home computers to access the internet. This is the access point where most attacks are going to come from, so you want to start here to make sure you have a secure connection to the internet.
    • The router has an administrator-level account, and you must change the default password so that an attacker can’t access your router and disable any security settings.
    • You’ll also want to check if the router is updated with the latest firmware. As vulnerabilities are discovered, the router vendor will provide updated software and you want to make sure your router is patched. This can usually be configured so the router will automatically install new patches, but sometimes this must be manually performed. You’ll want to make sure you investigate these settings and configure them appropriately.
    • You should also disable remote administrator access to your router. This will prevent an attacker from logging into your router unless they are directly connected to the router from your home network. If you need help from your internet provider, they will contact you anyway, so you can grant them access if you need their remote help.
    • You can search the internet with the specific make and model of your router to get the user’s manual or recommended settings.
  2. Wi-Fi Security Settings – Many routers include Wi-Fi, which allows your home computers to connect to the router wirelessly so you can easily access the internet. You’ll need to check the security on your wireless network to enable the basic security features.
    • In Security Settings, create a name for the Wi-Fi network (SSID) and a complex password, and then select a type of encryption, like WAP2. Do not name your Wi-Fi network something that can easily be associated with you, such as your last name or address.
    • When possible, you’ll want to use AES on top of WPA2. Advanced Encryption Standard is a newer encryption standard that should be available on routers built after 2006.
    • Wi-Fi Protected Setup (WPS) was created with the intention of making the user experience easier and quicker when connecting new devices to the network. It works on the idea that you press a button on the router and a button on the device. This makes both devices attempt to pair automatically. You’ll want to disable this feature, if possible, because it has a history of security issues.
    • You can also sometimes create a separate guest Wi-Fi network, if supported by your router. A separate guest network has some advantages, like not having access between the two networks. It not only provides your guests with a unique SSID and password, but it also restricts guests from accessing your primary network where your connected devices live. You never have to disclose your main Wi-Fi network password to guests or visitors since they only need to know the guest Wi-Fi password. You can easily change the guest Wi-Fi password when your guest leaves without having to log all your other devices back into the network.
    • You might also want to consider the Wi-Fi signal power. If people can detect your Wi-Fi from across the street or in a nearby home, there is a risk that they will also attempt to log into your network. You can sometimes adjust the router signal strength or physical placement of the hardware to reduce that risk.
  3. System Update – Now that you have a relatively secure network, you can start looking at the devices connected to that network. It used to be a network used from a laptop or desktop computer, but today you can have a multitude of devices that are connected for internet access. You can have a smart thermostat, doorbell camara, video game console, cellphone, coffeemaker, etc.
    • For each system involved, you’ll need to log into the device and make sure you understand how to check for firmware and operating system updates and attempt to configure the device to automatically check for and apply vendor updates, if possible.
    • For each system involved, review the available security and privacy settings to make sure the device meets recommended settings. Vendor websites are a good resource to help you complete this step.
    • This might also be a good time to determine if the device really needs internet access. If the device is using internet access just to allow you to remotely access the device from the internet, for example, you need to ask yourself if you ever plan on using this feature. If you don’t need the feature, you may be able to disconnect the device from your network and reduce your overall risk profile.
  4. Security Suite – For your major devices like laptops and desktops, you should install and properly configure anti-malware and anti-virus software. There are various free versions available, so research a few vendors and find a solution that meets your needs. Make sure you use a vendor that you can trust.
    • Installing an anti-virus solution with default settings is rarely enough to really protect your computer. You’ll want to look at the available settings and properly configure the solution to provide the security you are expecting. Many vendors will guide you to using the best settings.
  5. Installed Programs – Review each program installed on the computers on your network and determine if those programs are still needed.
    • Maybe you installed a game a few years ago and haven’t used it since that one boring weekend. Now is a good time to uninstall or delete all the unneeded programs that are not essential.
    • If the program doesn’t look like something you need, and an internet search doesn’t answer the question around why it is installed, now is a good time to remove the program. It can be difficult to research something you don’t recognize, but a good internet search should answer your questions.
    • Now that you know what should be installed, a periodic check would help you quickly recognize when something new and unauthorized has been installed. If you do a periodic visual scan of installed applications every couple of months, this will be an easy security check to keep the device as clean and secure as possible.
  6. Program Updates – On your computer, you probably have several programs installed that you may not use very frequently. This could include word processing or spreadsheet suites, but it might also include specialized utilities or even games. All of these need to be patched because vendors periodically update their software to add new features and remove security vulnerabilities.
    • Check each application to see if patching can be automated. There should be a way to manually check for updates, but an automated check will make this process much easier.
    • If the program is older or doesn’t support regular updates, you should consider uninstalling or deleting the application. Each situation is unique, but you need to evaluate the risk if that one old program were compromised and allowed remote access to your computer.
  7. Password Hygiene – Now is also a good time to determine if you need to change your passwords. Easy to remember passwords are usually easy to guess passwords. You should really think about what makes a good password and make sure you change all your passwords to meet current best practice guidelines.
    • You can read more about selecting a better password here. You’ll want to select a really good and unique password for every account. You may need a password manager to store all your passwords, which can encourage longer and more random password selection.
    • Never use the same password for two different accounts. If you are using the same password for LinkedIn as you use for Netflix, if one account is compromised the attacker can use that same password to log into potentially sensitive information from a different account.
    • If you haven’t changed the password recently (within the last 90 days) then change the password now. That will make sure that starting today you are following best practice with your password selection.
    • If you hear one of your online accounts may have been compromised, don’t wait for the service to contact you with the bad news. It takes only a couple of minutes to change a password.
    • If you no longer use the online service, see if the online account allows you to delete or disable the account to reduce your online risk profile.
  8. Firewall Rules – Each computer you use probably has a firewall installed. The Windows Firewall is rarely used and it can be a great tool for limiting online access to your computer. You can essentially use the Windows Firewall to block remote access to your computer using specific ports and protocols, which can make a remote attack very difficult. It can be a little technical on how to configure the Windows Firewall correctly, so make sure you do your research and take notes on any changes you make so you can undo the changes if you find something has stopped working.
    • You can read more about how to get started with the Windows Firewall here. Don’t be afraid to do some internet searches to find some recommended settings.
  9. File Backup – So you have your home network secured, and the devices on that network are also more secure, and the accounts used to log into those devices are more secure. That is all great news, and you can continue to improve on that security as you learn more and have more technical confidence. But you are not completely safe, because a determined attacker is probably more technical than you and knows more tricks to successfully attack your systems. All is not lost, because you can create a fail-safe plan for recovery even if your files are deleted, scrambled, or encrypted to prevent your immediate access.
    • Backup your important files to a safe location. You can manually backup your files to an external disk drive or thumb drive. While not perfect, it can be a cheap and effective way to keep an external copy of important files where an attacker can’t find them. Just be sure to remove the external drive every time you finish the manual backup. Some people store the external drive in a fireproof safe.
    • An online backup service can make automated backups to a secure folder on the internet fast, easy, and low cost. While the amount of space available and cost can vary widely, a little shopping around can allow your entire family to back up their computers for about $100 a year. That is an inexpensive insurance policy if things go sideways.
  10. New Devices – While all the about steps will take some time and energy, you have to remember that this isn’t a one-time effort. As you add new devices to your home network, you have to review these steps again to make sure the new device isn’t the weakest link in your home network.

Protecting your family starts with taking responsibility for your home security, and that includes your home network. If you perform all these steps, you are well on your way to a safer and more reliable home network.

5 Reasons to Consider Insider Threats

If you look at studies about how businesses really operate, you’ll find statistics that indicate many users share their passwords with friends and coworkers and that about a 1/3 of terminated employees still have access to their former accounts.

That should concern your company leadership team as well as IT management. Organizations spend a lot of time and money implementing security controls in an effort to manage user permissions, and they still don’t always get them correct.

Another statistic that should worry you is the growing instances of insider incidents in the past couple of years. The rate of attacks attributed to internal employees has risen sharply, with some statistics showing a 44% increase in these types of difficult to detect and highly effective kinds of attacks. If this can happen in your organization, what about your business partners, suppliers, and consulting companies?

Facts to Consider:

  1. The cloud doesn’t make detection easier – Most technology professionals will tell you that cloud-based applications make it even harder to detect malicious activity. Insiders with malicious intent can gain temporary or permanent access to your most critical applications in a cloud environment (IaaS, SaaS, PaaS) and cause havoc.
  2. Trusted Access Means Easier Attacks – Just because your key employees might need elevated permissions to perform their daily functions doesn’t mean they should be doing whatever they want whenever they want. Management needs to build structure to normal daily activity and structure alerts and reporting around abnormal behavior. This allows management to ask questions and detect fraud before major damage can happen.
  3. Guard Sensitive Data – Sensitive data (employee data, employee data, credit card data, corporate secrets, etc.) is usually the target of malicious attackers, even insiders. They may want to collect and sell the information to competitors, foreign governments, protesters, or to other hackers to help them with their future attacks. They could just want the data for blackmail, thinking they can never be fired if they hold copies of all your sensitive data.
  4. Breaches Happen Slowly – Data breaches rarely happen in one night, with a hacker breaking into your network and stealing your data while you sleep. Data stolen by insiders usually happens over weeks, months, or even years. You also probably won’t detect that data has been copied or deleted overnight. It can take many organizations months or years to even detect that something is wrong.
  5. Insider Threats are Huge – If a trusted and valuable employee turns rogue, just think of all the systems, file shares, data, and files they have access to each day. If they decided to start stealing your files and data, how long might it take for you to detect their activity, or even if you did detect something was wrong, how long would it take before you suspected that valued employee?

How to identify an insider threat: Continue reading “5 Reasons to Consider Insider Threats”

Cybersecurity Tips for Your Family

You often see cybersecurity tips and techniques for corporate environments, but what about tips for your friends and family? What are the basic ways your family can stay safe while online? Share these tips with you friends and family, including your older family members.

The important thing to remember is the internet is a collection of people from all over the world, including criminals. They will prey on the weak and uninformed to steal everything from them, and a little awareness can prevent someone you care about from being a victim of crime.

  • Think Before Clicking – While using the internet on your personal computer, tablet, or cellphone always think before you click that link in an email or text message. Do you know where that link with take you, and does it contain potential malware? Links in mails and text messages that claim to be password recovery solutions or links to online bank statements are among the most popular methods used by hackers to trick you and gain your personal information. When in doubt, don’t click suspicious links.
  • Use Strong Passwords – People have a tendency to underestimate the importance of passwords and will often select weak passwords. Your password is much like the deadbolt used to secure your home. That security feature is something you need to use in order to keep criminals out of your house. Your password is the deadbolt to your online accounts. You should select a long and complex password for your online accounts, and each account should have a unique password. Don’t use weak passwords or the same password on two or more accounts. A strong password is one that is really hard for someone to guess and is at least 10 characters long, with lots of numbers, letters, and symbols.
  • Use a Password Manager – A password manager is a program that saves all your passwords in one place, and those passwords are secured with encryption. You can access them with one long password. This makes it easy to create very long complex passwords for every online account, and you don’t have to worry about remembering them or writing them down. For those people that are technology averse, you can get a password book at the local bookstore to jot down their passwords. While not as easy as one on your device, it may be a suitable alternative for some people.
  • Set up Multi-factor Authentication (MFA) – If I can guess someone’s password, there is nothing that keeps me from logging into your account as you, but just setting up MFA makes that type of attack really hard. When possible, enable MFA on all your online accounts. It is a simple way to prevent unauthorized access to your accounts. MFA is usually a message or code copied from your cellphone as a second method of authenticating you to a website. It sounds much harder to use than it really is, and it can save your private data from being stolen.
  • Apply Updates – When a vendor is notified that there is a security issue with their software, they will usually issue a patch within a few weeks to block those types of future attacks. You should frequently check for patches for your devices and apply them as soon as you can because this will help keep the bad guys out of your laptop, tablet, or cellphone.
  • Use Anti-Virus Software – You can do everything correctly and you still might get malware onto your laptop. A good anti-virus program can be your last line of defense to block the execution of the malware and save your data. While not 100% effective, it is a layer of defense that can save you at the very last second when you really need help.
  • Avoid Debit Cards for Online Payments – When paying online, avoid using a debit card. If the debit card number is stolen, a fraudulent charge can empty your checking account, causing other payments to fail. Yes, you can work with your bank to have the fraudulent charges reversed, but this can take several days. During this time, you may not have access to other sources of cash, leading to major headaches.
  • Social Media is Dangerous – Reading and posting on social media sites can be educational and informative. It can also be very dangerous. People often aren’t who they say they are, and they will attempt to commit fraud. They will lie to you to steal your money, identity, or personal data. Limit what you say on social media. Avoid sharing personal details, like your home or work address, birthdays, information about your children, sensitive photographs, or images of identifying documents like airline tickets or driver’s licenses. Even a picture of your house key can invite an unwanted visitor to your home.
  • Backup Your Data – If it is important to you, you should have a copy of the data somewhere safe. All those pictures on your cellphone could be deleted by malware in seconds. Tax documents could be encrypted and you might have to pay thousands to get them back. By making a copy of the data, usually by copying the data to the cloud, you can avoid those concerns and feel safer in the process.

Just having a brief conversation about these topics with someone you care about can help them avoid a major issue down the road. Wouldn’t you rather answer a few questions about how to avoid phishing emails than a few questions about how to get their deleted files back?

Hacking Attack Prevention Tips

The volume and sophistication of cyber attacks has increased in the last several years, and you should be worried if you have done enough to protect your personal and business assets from attacks by hackers on the internet. Companies of all sizes, including even small government agencies, have all been the target of malicious hackers lately.  With increased publicity comes increased awareness by the general public about how dangerous data breaches can be so there has also been increased interest in preventing hacker attacks.

Just to be clear, any device with internet access is subject to attack. This includes your cellphone, tablet, and laptop. With the increase in small devices with internet access, like thermostats, toasters, video cameras, etc. the huge numbers of devices subject to attack has made securing all devices from all attacks a huge undertaking.

There are a few things that you can constantly do to minimize your risk of an attack from a random attacker looking for an easy target.

  1. Apply Updates – No system is immune from flaws in the software and firmware used by your device. Flaws are found every day, sometimes in systems that have been working correctly for many years. When these flaws are found, patches are released to remove the vulnerability and make the system safer. Once a vulnerability is found and made public, many hackers start looking for system specifically missing the vendor patch so they can successfully attack the vulnerable system and gain entry into the system so they can collect your money.  The easiest way to prevent these easy attacks is to apply vendor updates as soon as they are available.
  2. Password Security – Passwords are the key to access into your systems. The more complex the key, the harder it is to bypass the lock. Use complex passwords (at least 10 characters long, include uppercase, lowercase, numbers, and at least one special character), don’t use the same password on more than one site or application, and change your passwords often. If possible, enable multi-factor authentication. This allows you to use a username and password (something you know) with a special code sent to your cellphone (something you have). If a hacker steals or guesses your password, he still has the extra hurdle of getting the code from your cellphone. While not foolproof, it will slow down casual attacks.
  3.  Email Phishing Awareness- Everyone knows email is the easy entry point for malware into your business and personal systems.  We all have email accounts, and we often read and respond to email without really spending time to verify the email was sent from the person we think it was sent from before we open the attachments or click on embedded links. Hackers know this and target you with fake emails intended to get users to allow malware into their systems or to provide credentials that can be stolen before we realize what happened. Training on how to spot and delete phony emails is important.
  4. Anti-Virus Software – A good anti-virus program will help protect your system from virus programs, malware, phishing attacks, drive-by downloads, malicious attachments, and ransomware. You should use anti-virus software on all systems, including servers, laptops, desktops, and even MacOS and Linux systems. While no tool will make you 100% safe from malware and other attacks, they will stop most automated attacks with little or no work required from the user.
  5. Network Segmentation – When a hacker attacks an exposed endpoint, that endpoint is rarely the intended final target. The target is the entire network, with your laptop as the entry point so they can move from your laptop to any other endpoint, including servers and databases that contain company assets, customer data, bank accounts, credit cards, etc. Network segmentation is attempting to build virtual walls around groups of systems to prevent uncontrolled access between laptops and servers, and to better protect those systems that contain sensitive data. This is work normally done by a trained IT staff.
  6. File Backups – While you may still be a victim of a successful attack even if you make just one mistake, the impact of that attack will be much smaller if you have consistent backups of your important data. A ransomware attack can encrypt all the files on your laptop and cost you thousands of dollars to recover them from the hacker. With a simple backup of your files, if you are attacked with ransomware, you can format the drive and reinstall your operating system, then recover your files from the backup without paying the hacker any money.
  7. Detection and Alerting – Building systems into your network that will alert you when an abnormal condition exists is important to alerting you as an attack is happening. Having a system that collects and analyzes system logs (SIEM) and can alert you in real-time as malicious activity is occurring is essential to reacting to an attack before they have compromised your network. Most social media sites will also alert you to abnormal or suspicious activities, so don’t ignore those messages.

While you will never be 100% protected from cyber-attacks as long as you use the internet, it is important that you learn how to protect yourself to reduce the risk of a successful attack.

Windows Sandbox in Windows 10

Added to Windows 10 version 1903 (May 2019 Update), Microsoft introduced the Windows Sandbox feature. Windows Sandbox feature helps you run programs in isolation without affecting your Windows 10 host. The Sandbox feature is designed to allow you to test unknown or suspicious programs in an environment that cannot make changes to the Windows 10 host or the data on that host machine.

Using the Sandbox

Step 1: Launch typing “Windows Sandbox” in the Start/Taskbar search field and then hitting the Enter key.

Step 2: After the Sandbox is launched, copy and paste the program setup file that you want to run into Sandbox. You can also use the Edge browser in the Sandbox to download the program you want to test.

Step 3: Run the setup file and install any program. Use the Start menu in the Sandbox to launch any program. Use any program like you would do in the regular desktop environment.

Step 4: Once you are done testing the program, just close the Sandbox to delete any program installed in the Sandbox. This will also delete any data from the Sandbox. Any program or file that you downloaded during the Sandbox session will be removed permanently.

Note: If you cannot find the Windows Sandbox, it’s likely because the feature is turned off or you don’t have a version of Windows 10 that includes this feature.

How to disable macros in Microsoft Office

Not everyone has the level of technical expertise to understand why macros are dangerous, or how to disable them. Macros are a really powerful feature in Microsoft Office, allowing you to do many difficult things with the click of a button. These complicated tasks might be formatting a spreadsheet, inserting a standard block of text in Word documents, etc. The problem is malicious code, like a macro virus, can automatically be executed as a standard macro when the user opens a document from an untrusted source.

The creators of these malicious code segments attempt to prevent users from catching on by disguising their malicious document (usually sent as an email attachment) as something seemingly routine. There are malware efforts that are actively infecting user computers right now, with examples like PowerSniff! or other examples that have been around in one form or another for many years.

There are three things will prevent about 90% of all infection attempts:

  • Disable macros in Microsoft Office. This is fairly easy for even non-technical users to accomplish.
  • Another great way to prevent infections is to never open an attachment from an untrusted source.
  • You should also be running anti-virus and anti-malware software on your computer.

These three simple things will prevent almost 90% of infection attempts, and they are easy and inexpensive solutions to a growing problem.

Disabling Macros in Microsoft Office

  1. Click File > Options.
  2. Click Trust Center, and then click Trust Center Settings.
  3. In the Trust Center, click Macro Settings, where you can now make the change you want, and save them by clicking OK.

Enterprise Efforts

As a technical person, there are several things you can do at your company to help prevent a successful malware attack. These steps will get you closer to stopping about 100% of attack efforts.

  • Security Training – Make sure you create a policy that outlines user responsibilities for cybersecurity. This includes be aware of potential cyber threats, not opening attachments from untrusted sources, selecting strong passwords, etc. This includes the potential risks of opening macro-enabled office documents.
  • Anti-Malware and Anti-Virus – While software will never be 100% effective in detecting and blocking infections, it can be more effective than nothing.
  • Anti-Spam – Build rules in your spam tool to automatically restrict email attachments with a .zip or other file extensions used for compressing files.
  • Default Microsoft Office Security – Use the default setting of “High” for Macro security on all Microsoft Office applications.
  • PowerShell – Publish a Group Policy Object that restricts the use of PowerShell for most users. Allow PowerShell for specific power users on a case-by-case basis.
  • Monitor Activity – Look for unexpected pings from internal computers and keep an eye on unusual network activity. Only by understanding normal network activity can you detect and stop unusual activity.

Biggest Security Concerns Facing Your Business

You should be concerned about the security risks facing your company. Most business leaders seem to have decided to approach the risk of a breach by basically acknowledging that they will be eventually breached, so let’s just try everything we can to reduce the risk and how we will deal with the PR issues when it happens. Your business needs to acknowledge the need for an information security program, so you can significantly reduce the risk of a successful attack. You should also begin deciding how you will respond to an attack.

You need to understand what your business stands to lose in the event of a successful attack. Depending on the scale of the breach and the size of your business, the impact could be catastrophic. What is a risk from a successful attack?

  • Data Compromise – Loss of customer or vendor data crucial to your business operations.
  • Loss of intellectual property – You might have unique business data or knowledge that makes your business unique in your market segment, and that edge would be lost if the data is published on the internet.
  • Government or Regulator Fines – Breaches could lead to massive fines from business regulators and the government.
  • Lawsuits – Lawsuits from clients or business partners could lead to an unrecoverable financial situation.
  • Brand Identity – if people can’t trust your business to protect their data, they may move their business to your competitor.

If a hacker gains unrestricted access to your entire business infrastructure, you could experience some or all of these issues and it could take months (or years) to fully recover. It is also possible that the financial impact will be so severe that your business will never recover from a breach. As the risks to business security grow more sophisticated, the need for your business to be at the forefront of security initiatives is even more important. Continue reading “Biggest Security Concerns Facing Your Business”

Limit SMB Traffic in Windows Environments

Microsoft recently posted an article talking about reducing your SMB traffic, and thereby reducing the risk of compromise on your systems. Before you think we’re saying this one change is the solution to all network security issues, even Microsoft states “We are not trying to make the entire network impervious to all threats. We are trying to make your network so irritating to an attacker that they just lose interest and go after some other target.”

Many times we know a security change doesn’t completely fix an issue, we are just making another small change in a series of small changes to make things slightly more secure. A group of small changes often work together to create an overall more secure environment.

If nothing else you’ll have a better understanding of what systems need SMB enabled and where SMB traffic is common on your network.

Server Message Block (SMB) Traffic

Reducing your SMB traffic can really help your risk profile. Server Message Block (SMB) traffic is a communication protocol for providing shared access to files, printers, and serial ports between devices on your network. It also provides an authenticated inter-process communication (IPC) mechanism. There are also security issues in Microsoft’s implementation of the protocol. Many vendors have security vulnerabilities in their solutions because of their lack of support for newer authentication protocols like NTLMv2 and Kerberos. Recent attacks show that SMB is one of the primary attack vectors for many intrusion attempts. Recently two SMB high-severity vulnerabilities were disclosed which can provide RCE (Remote Code Execution) privileges to systems that allow SMB traffic.

  1. Block inbound SMB access at the corporate firewalls – This means block inbound SMB traffic at the corporate firewall before it is on your LAN. This is usually the easiest way to block unauthorized traffic to your network and corporate systems. This will not work for remote systems that aren’t behind a managed firewall, but you can use this to help protect servers and other devices on the corporate network.
  2. Block outbound SMB access at the corporate firewall with exceptions for specific IP ranges – Sometimes, rarely, you need outbound SMB traffic. If you don’t know, block the traffic and monitor logs for anything that might break.
  3. Inventory for SMB usage and shares – It is understandable that employees need to connect to file servers to access file shares, as one example. Great, then allow inbound SMB traffic to just those servers, and block inbound SMB traffic to all Windows 10 clients or other servers. Start looking at your environment and begin blocking traffic unless it is required.
  4. Configure Windows Defender Firewall to block inbound and outbound traffic on the workstations – Use the  client firewall to block traffic except to required devices. There are several references to how to make this work, but it is past the time to start working out the details.
  5. Disable SMB Server if unused – If you know the device doesn’t require SMB services, you may be able to stop the SMB Server service on Windows clients and even many of your Windows Servers.
  6. Test at a small scale – Test the changes and make sure you understand the impact before you just deploy changes into production and break everything. As always, test twice and make sure you understand the changes (and have a rollback plan) before you deploy any changes into production.

8 Small Business Cybersecurity Tips

There are about 80 million businesses worldwide who meet the “small or medium business” (SMB) definition. Businesses with less than 300 employees can’t always afford someone to tell them what they can do to develop a more mature security posture or how to educate employees to be smarter about their cybersecurity practices. Most of the successful cybersecurity attacks are with small businesses and small government entities. Since the average cyberattack will cost them about $200k and a ransomware attack can force them out of business, we should talk about the basics of cybersecurity defense.

  1. Make sure you require complex passwords for every system. This means changing any vendor default passwords, not allowing simple or common passwords, and teaching your employees how to select a good password.
  2. Configure Multi-Factor Authentication (MFA) on all accounts. Just by requiring MFA to access business accounts you can prevent about 99% of all online attacks. The hackers might steal or guess your password, but it is much harder to access something like your cellphone.
  3. Use a separate account for performing administrative tasks for all your on-premise and cloud business accounts. Use this new account to only perform administrative actions, not to browse the internet or check email, and your risk of account compromise is significantly reduced.
  4. Install, properly configure, and use an antivirus solution that accesses the cloud to better protect your systems from the internet threats. This includes all your user computers and all servers.
  5. Backup your important files to the cloud. Using an automated solution to automatically backup your files to the cloud can prevent a successful ransomware attack from locking you out of your critical files.
  6. Don’t allow your users to configure email auto-forwarding rules in O365. If your account is hacked, one of the first things the attacker will do is configure auto-forwarding rules to exfiltrate your data to their systems across the internet. If you prevent this activity, it will slow down the attack and allow you more time to react. With alerts configured, you will get an email when the attacker attempts to create a new rule, giving you notice that an attack is underway.
  7. Use your available online tools to get tips and suggestions. Things like the Microsoft O365 Secure Score can be a really helpful source of useful tips and techniques for leveraging many more security settings to improve your overall security, and these tips are free just for having an O365 account.
  8. Educate your users about the threats on the internet. Billions of users have internet access, and not all of them have your best interests in mind. Warn users about sharing too much personal information on social media, discuss how to identify phishing emails, and provide guidance on who they need to contact if they aren’t sure about clicking on a link.

You need to think about how you use the services and systems that you have access to each day and determine what data you share has value, what processes are at a high risk, and how a malicious user might monetize your activity. A little work today can pay big dividends during an attack.

Follow these simple tips to start getting some confidence around your security posture, and build on each item as threats and systems change.

%d bloggers like this: