SIEM Overview

Introduction

Security information and event management (SIEM) is a software solution that takes event logs collected from supported information technology (IT) infrastructure and applications and turns them into actionable security intelligence. These enterprise products provide real-time analysis of security alerts generated by applications and network hardware, an interface for researching and analysing the collected data and alarms, and a workspace for deeper investigations that track the full scope of an incident.

SIEM solutions have been around for many years, with different degrees of functionality and features depending on the product or vendor you choose.

The SIEM also provides an independent collection point for all logs. A common attack pattern is an intruder covering their tracks by clearing the event logs on a compromised system. Because the SIEM receives events as they are written, the SIEM copy survives even if the local logs are deleted later, so evidence is preserved and detailed analysis remains possible even during a successful attack. The act of clearing the log is itself logged (on Windows, Security Event ID 1102, "The audit log was cleared"), and that event is a strong signal on its own.

At its core, a SIEM is a data aggregator, search tool, and reporting system. SIEM gathers immense amounts of data from your entire networked environment, consolidates all that data and makes it human accessible. With the data categorized and laid out at your fingertips, an analyst can research possible data security breaches with as much detail as needed.

Summary of Capabilities

In practice many products in this area will have a mix of log-related functions, so there will often be some overlap – and many commercial vendors also promote their own terminology. A full solution will include simple collection and storage of log messages and audit trails, long-term storage as well as analysis and reporting of collected log data, real-time monitoring of new log events, correlation of events, notifications as suspicious events are collected, and console views for graphical analysis and research.

A key focus of a solution is to monitor changes to user and service privileges, directory services, and other application or system configuration, and to support log auditing and review, analysis of related events, and incident response.
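
The following is an added example, not code from the original post, of the kind of correlation rule a SIEM runs over the forwarded copy of the logs. It uses a constructed set of Windows Security events (the `$ForwardedEvents` array; hostnames and accounts are made up) and raises an alert for every audit-log-clear event (ID 1102), with higher severity when the same account had an interactive logon (ID 4624) on the same host shortly before. The events are assumed to have arrived through Windows Event Forwarding or an agent before the attacker cleared them locally.

```powershell
# Added example (not from the original post): correlate forwarded Windows Security
# events the way a SIEM rule would, so that an attacker clearing the local log
# (Event ID 1102) still triggers an alert from the central copy.
# $ForwardedEvents is constructed sample data; hosts and accounts are fictional.

$ForwardedEvents = @(
    [pscustomobject]@{ Time = [datetime]'2024-03-01T09:58:10'; Computer = 'FS01';  EventId = 4624; Account = 'CORP\jdoe';       Detail = 'Logon Type 10' }
    [pscustomobject]@{ Time = [datetime]'2024-03-01T10:02:45'; Computer = 'FS01';  EventId = 4672; Account = 'CORP\jdoe';       Detail = 'Special privileges assigned' }
    [pscustomobject]@{ Time = [datetime]'2024-03-01T10:03:12'; Computer = 'FS01';  EventId = 1102; Account = 'CORP\jdoe';       Detail = 'The audit log was cleared' }
    [pscustomobject]@{ Time = [datetime]'2024-03-01T10:15:00'; Computer = 'WEB02'; EventId = 4624; Account = 'CORP\svc-backup'; Detail = 'Logon Type 5' }
    [pscustomobject]@{ Time = [datetime]'2024-03-01T10:40:30'; Computer = 'DC01';  EventId = 1102; Account = 'CORP\adm-smith';  Detail = 'The audit log was cleared' }
)

function Find-LogClearingActivity {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $LookbackMinutes = 30
    )
    # Rule 1: every 1102 is worth an alert on its own; the local log is gone but this copy is not.
    # Rule 2: raise severity when the same account logged on to the same host inside the
    #         lookback window before clearing the log (a classic "cover your tracks" sequence).
    foreach ($clear in $Events | Where-Object EventId -eq 1102) {
        $windowStart = $clear.Time.AddMinutes(-$LookbackMinutes)
        $priorLogons = @($Events | Where-Object {
            $_.EventId -eq 4624 -and $_.Computer -eq $clear.Computer -and
            $_.Account -eq $clear.Account -and
            $_.Time -ge $windowStart -and $_.Time -lt $clear.Time
        })
        [pscustomobject]@{
            Severity    = if ($priorLogons.Count -gt 0) { 'High' } else { 'Medium' }
            Computer    = $clear.Computer
            Account     = $clear.Account
            ClearedAt   = $clear.Time
            PriorLogons = $priorLogons.Count
        }
    }
}

# Expected: FS01/jdoe -> High (logon 5 minutes earlier), DC01/adm-smith -> Medium
Find-LogClearingActivity -Events $ForwardedEvents | Format-Table -AutoSize
```

In a real deployment the same logic is written in the SIEM's own query language; the point is that the rule can only fire because the events were shipped off the host before they were deleted.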


Cloud Security Best Practice

There are several things you can do to improve the security of your online cloud environment. Protect your business assets by enabling specific controls when available.

  1. Access Control – Enable Multi-Factor Authentication (MFA) and Conditional Access when possible. This means requiring not just usernames and passwords to access your critical cloud-based systems, but also requiring multi-factor authentication. Instead of allowing user access with just something you know (password), also require a user to prove their identity with something they have (cellphone) or something they are (fingerprint). You may also be able to enable conditional access, which allows an administrator to add additional requirements to your login process, like only allowing you to log into the cloud environment using an authorized laptop, from a specific location, etc.
  2. Improve Security Posture – Use the tools available from your cloud provider to improve your overall security posture. Microsoft Azure offers a secure score rating, showing you recommended actions and comparing your security profile to other tenants. This can drive security changes that you may not even know are possible and provide instructions specific to your environment.
  3. Secure Your Applications – Train your developers in security best practices such as Security Development Lifecycle (SDL) and test for common development issues using OWASP as a guide. Encrypt everything possible, including all internal and external connections. All data that is stored or processed should also be encrypted. Your backups should be encrypted and stored in a secure location away from the production data. Review your relationships with all vendors to make sure it is crystal clear who is responsible for all aspects of your security. You are responsible for everything unless it is specifically stated otherwise in your vendor contract.
  4. Understand and Mitigate Risks – Use best practice guidelines to identify threats and build processes to protect all your systems from known threats, detect any attacks that malicious groups may use in an attack in your environment, and respond to threats and attacks before your systems can be compromised. You should utilize a security information and event management (SIEM) system to collect the logs from all systems. Once the logs are in a central location you can build alerts when specific events occur, as well as identify risky behavior before the systems can be compromised.
  5. Maintain Network Security – Even though the cloud moves systems outside your on-premises environment, proper firewall configuration is still very important. Controls still need to be in place to protect the perimeter, detect hostile activity, and respond to all possible threats. A web application firewall (WAF) protects web apps from common exploits like SQL injection and cross-site scripting. Using virtual networking and subnet provisioning, you can micro-segment your network for additional protection as you work toward zero trust networking. Enable the endpoint firewall (Windows Firewall, for example) so endpoints remain protected when they leave the on-premises network.

While protecting your company assets from a constantly evolving threat landscape can seem an impossible (and expensive) task, some basic security processes can start you down the path towards a best-practice security environment. Don’t try to do everything at once. Start simple with the goal of constant improvement.

Common Active Directory Mistakes

Most Windows environments use Active Directory (AD) to manage identities and privileges, and that presents numerous challenges for the administrators tasked with managing the environment and keeping critical business files safe. Damage can be done by accounts with elevated privileges, but vulnerabilities are also introduced by administrators managing AD poorly. The controls required by Sarbanes-Oxley and PCI DSS audits can prevent some of these issues if they are followed consistently, all the time. People still make mistakes, and these are the common ones:

  1. Users as domain administrators. Non-administrative users should not have administrative rights. Even administrators should have a normal account that they use day to day and a separate administrative account used only when performing functions that require elevated privileges. Ignoring the concept of least privilege is a major security issue.
  2. Accounts with elevated credentials. Security-aware organizations avoid this mistake by giving users with elevated privileges, such as domain administrators, a normal account for logging on to their machine and a privileged account for elevated access. The main reason for the separation is to limit the damage from a simple drive-by download or email attack against the day-to-day account. This also means keeping ordinary user accounts out of the local Administrators group on workstations.
  3. Disabling object protection. AD can flag objects (organizational units by default) as protected from accidental deletion, and the management tools also ask for confirmation before deleting objects. Do not clear that flag or suppress the confirmation; you do not want to delete an object by accident if it can be avoided. The better option is to never turn object protection off.
  4. Keeping obsolete accounts. Enabled user accounts that are not actively used are one of the biggest security threats in any organization. Develop a plan to disable, and ultimately delete, obsolete accounts after 60-90 days of inactivity. This can be done with an automation script or third-party tools.
  5. Single expert. A mistake many small organizations make with mission-critical operations is putting all their eggs in the basket of a single expert who is the only person able to change AD. Make sure at least two people understand, have access to, and can create and modify any AD setting in your environment. This removes the single point of failure when the expert leaves the organization or is out of town for a few days and cannot be reached in an emergency.
  6. Poor Active Directory design. Create a structure that is simple to understand, simple to maintain, and difficult to use incorrectly. Complexity breeds mistakes, so keep the structure and objects as simple as possible.
  7. No incident recovery plan. If someone deletes 10,000 directory objects today, how quickly can you recover AD back to normal? If an automated script improperly disables thousands of users, how do you plan to recover? Planning and testing recovery options is a must for every organization. Plan for the worst possible scenarios and hope for the best. Have a written plan, and test different scenarios at least once per calendar year.
  8. Not modernizing. Do not let the core of your network security fall behind on technology. You may not want to upgrade your users to the latest version of Windows, but you should keep your AD environment up to date and never let it fall behind the latest security improvements and features. Every security patch and Windows update needs to be tested and applied as a top priority.
  9. Shared accounts. Every user should have their own network account. Users should never share accounts.
  10. No password changes. Users will not change their passwords unless you force them to. If your compliance rules require periodic rotation, enforce it (typically every 90 days). Note that current NIST guidance (SP 800-63B) recommends against routine expiration in favour of forcing a change when compromise is suspected, longer passwords, and screening against breached-password lists, so pair any rotation policy with those controls rather than relying on rotation alone.
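
As an added example (not the author's script), the following report-only audit checks for three of the mistakes above using the ActiveDirectory RSAT module: members of Domain Admins that are not dedicated admin accounts (mistakes 1 and 2), enabled accounts with no logon in 90 days (mistake 4), and organizational units that are not protected from accidental deletion (mistake 3). The `-adm` suffix used to recognise separate admin accounts is an assumed naming convention; the remediation lines run with `-WhatIf` so nothing changes until the output has been reviewed.

```powershell
# Added example (not from the original post): report-only audit of common AD mistakes.
# Requires the ActiveDirectory module (RSAT) and read rights to the domain.
# The "-adm" suffix is an assumed naming convention for separate admin accounts.
Import-Module ActiveDirectory

$InactiveDays = 90
$AdminSuffix  = '-adm'

# Mistakes 1/2: Domain Admins members that are not dedicated admin accounts
$domainAdmins   = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                  Where-Object objectClass -eq 'user'
$dailyUseAdmins = @($domainAdmins | Where-Object { $_.SamAccountName -notlike "*$AdminSuffix" })

# Mistake 4: enabled user accounts that have not logged on for $InactiveDays days
# (accounts that never logged on are judged by their creation date instead)
$cutoff = (Get-Date).AddDays(-$InactiveDays)
$stale  = @(Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated |
            Where-Object { ($_.LastLogonDate -and $_.LastLogonDate -lt $cutoff) -or
                           (-not $_.LastLogonDate -and $_.whenCreated -lt $cutoff) })

# Mistake 3: OUs that can be deleted without the accidental-deletion safeguard
$unprotectedOUs = @(Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
                    Where-Object { -not $_.ProtectedFromAccidentalDeletion })

[pscustomobject]@{
    DomainAdminsWithoutSeparateAccount = $dailyUseAdmins.Count
    StaleEnabledAccounts               = $stale.Count
    UnprotectedOUs                     = $unprotectedOUs.Count
} | Format-List

$dailyUseAdmins | Select-Object SamAccountName, DistinguishedName
$stale          | Select-Object SamAccountName, LastLogonDate, whenCreated | Sort-Object LastLogonDate
$unprotectedOUs | Select-Object DistinguishedName

# Remediation, dry run only: remove -WhatIf once the lists have been reviewed
$stale          | Disable-ADAccount -WhatIf
$unprotectedOUs | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true -WhatIf
```

LastLogonDate is replicated only every 14 days by default, so an account can look up to two weeks more stale than it is; that is acceptable for a 90-day threshold but worth knowing before the cut-off is lowered.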


Preventing a Database Breach


One of the hardest things to do is prevent something when you do not know when it might happen or who will try to make it happen. As a database administrator, you have to assume that a breach attempt will come and take reasonable precautions to prevent it. According to a 2016 IBM study, 60% of attacks were carried out by insiders (people using approved network credentials) looking to access or steal corporate data.

There are some basic steps you should execute to help prevent unauthorized access to your database environment.

  1. Enforce Privileges – When an employee joins a company, they are usually given the correct privileges for their position. The longer they stay, the more their effective privileges drift from the correct ones (privilege creep), until eventually the access is simply wrong. Make sure access rights are correct from day one, and periodically review the rights of every employee. If there is any question about the correct level, contact their supervisor and document the decision.
  2. Database Discovery – People are busy and do not always pay attention when new database instances are created. The people who manage the databases are often not the people who install the software, which leads to environments with unauthorized or poorly configured instances. Discovery is a crucial first step for avoiding security issues, so scan your environment for new database instances as often as possible. The rate of change in your environment dictates how often you should search, but the minimum is annually.
  3. Connection Encryption – Encrypting the connection between the client and the database keeps credentials and data from being read or altered in transit (man-in-the-middle attacks). Require TLS and have clients validate the server certificate; a client that silently trusts any certificate gives an attacker on the path an easy way around the encryption.
  4. Strong Passwords – Expect the same password strength for your databases as you expect on the network. If possible, use Windows Authentication instead of SQL Server Authentication; that enforces the same password rules as your network accounts, so you must also verify that the network settings follow best-practice strength requirements.
  5. Detect Compromised Credentials – A study by the security vendor Rapid7 estimated that 60% of companies cannot detect compromised credentials. Because authorized individuals use databases in predictable ways, abnormal or unauthorized access can be detected and alerted on. There are security products that flag unusual user access based on behavioural analysis, which can stop a breach in progress.
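
The script below is an added example (not from the original post) that puts steps 2, 3 and 4 into practice for SQL Server: it discovers instances that announce themselves on the network, connects to each with TLS required and certificate validation left on, and reports whether the session is encrypted, how many other connections are not, who holds the sysadmin role, and how many SQL logins bypass the Windows password policy. It assumes Windows PowerShell 5.1 (the .NET Framework `SqlClient`), a domain account with VIEW SERVER STATE, and SQL Server 2017 or later for `STRING_AGG`.

```powershell
# Added example (not from the original post): discover SQL Server instances, connect with
# TLS required, and report the security posture of each. Assumes Windows PowerShell 5.1,
# Windows authentication, and SQL Server 2017+ (STRING_AGG).

# Step 2: discovery. Only instances whose SQL Browser answers on UDP 1434 are listed,
# so treat this as a starting point for the inventory, not the complete inventory.
$discovered = [System.Data.Sql.SqlDataSourceEnumerator]::Instance.GetDataSources()
$discovered.Rows | Select-Object ServerName, InstanceName, Version | Format-Table -AutoSize

function Get-SqlSecurityPosture {
    param([Parameter(Mandatory)][string] $Instance)

    # Steps 3/4: encrypt the channel, refuse an unvalidated certificate, use Windows auth.
    # If the server certificate is not trusted, Open() throws, which is the correct outcome.
    $cs = "Server=$Instance;Database=master;Integrated Security=True;Encrypt=True;TrustServerCertificate=False"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = @"
SELECT
    (SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID)        AS my_session_encrypted,
    (SELECT COUNT(*) FROM sys.dm_exec_connections WHERE encrypt_option = 'FALSE')         AS unencrypted_connections,
    (SELECT STRING_AGG(name, ', ') FROM sys.server_principals
      WHERE type IN ('S','U','G') AND IS_SRVROLEMEMBER('sysadmin', name) = 1)             AS sysadmin_members,
    (SELECT COUNT(*) FROM sys.sql_logins WHERE is_policy_checked = 0 AND is_disabled = 0) AS sql_logins_without_policy;
"@
        $reader = $cmd.ExecuteReader()
        if ($reader.Read()) {
            [pscustomobject]@{
                Instance               = $Instance
                SessionEncrypted       = $reader['my_session_encrypted']
                UnencryptedConnections = $reader['unencrypted_connections']
                SysadminMembers        = $reader['sysadmin_members']
                SqlLoginsWithoutPolicy = $reader['sql_logins_without_policy']
            }
        }
    }
    finally { $conn.Dispose() }
}

foreach ($row in $discovered.Rows) {
    $name = if ($row.InstanceName -is [string] -and $row.InstanceName) {
        "$($row.ServerName)\$($row.InstanceName)"
    } else { $row.ServerName }
    Get-SqlSecurityPosture -Instance $name
}
```

A non-zero `UnencryptedConnections` count means other clients are connecting in the clear; enabling Force Encryption on the server closes that gap, and `SqlLoginsWithoutPolicy` shows which SQL logins were created with CHECK_POLICY off.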

How to disable macros in Microsoft Office

Not everyone has the technical expertise to understand why macros are dangerous or how to disable them. Macros are a powerful feature of Microsoft Office, allowing you to do many difficult things with the click of a button: formatting a spreadsheet, inserting a standard block of text in Word documents, and so on. The problem is that malicious code, such as a macro virus, runs like any other macro when the user opens a document from an untrusted source and allows its macros to run.

The creators of these malicious documents try to keep users from catching on by disguising the document (usually sent as an email attachment) as something routine. Campaigns of this kind are actively infecting user computers right now; PowerSniff! is one example among many that have been around in one form or another for years.

Three things will prevent most infection attempts:

  • Disable macros in Microsoft Office. This is fairly easy for even non-technical users to accomplish.
  • Another great way to prevent infections is to never open an attachment from an untrusted source.
  • You should also be running anti-virus and anti-malware software on your computer.

These three simple steps stop most infection attempts, and they are easy and inexpensive answers to a growing problem.

Disabling Macros in Microsoft Office

  1. Click File > Options.
  2. Click Trust Center, and then click Trust Center Settings.
  3. In the Trust Center, click Macro Settings. Choose "Disable all macros with notification" (the default) or, better, "Disable all macros except digitally signed macros", then click OK. Current versions of Office also block macros outright in files downloaded from the internet (files carrying the Mark of the Web); leave that block in place and do not "unblock" such a file unless you trust its source.

Enterprise Efforts

As a technical person, there are several things you can do at your company to help prevent a successful malware attack. These steps are aimed at the attempts that slip past the basic measures above.

  • Security Training – Create a policy that outlines user responsibilities for cybersecurity: being aware of potential cyber threats, not opening attachments from untrusted sources, selecting strong passwords, and understanding the risk of opening macro-enabled Office documents.
  • Anti-Malware and Anti-Virus – Software will never be 100% effective at detecting and blocking infections, but it is far better than nothing.
  • Anti-Spam – Build rules in your spam tool to restrict email attachments with .zip or other compressed-file extensions, and consider doing the same for macro-enabled Office formats (.docm, .xlsm) that your business does not normally exchange by email.
  • Microsoft Office Macro Security – Enforce the macro setting through Group Policy for all Office applications: at minimum "Disable all macros with notification" (the default), preferably "Disable all macros except digitally signed macros", together with blocking macros in files that came from the internet.
  • PowerShell – Publish a Group Policy Object that restricts PowerShell for most users, allowing it for specific power users on a case-by-case basis. The execution policy is not a security boundary; use AppLocker or Windows Defender Application Control, which place PowerShell in Constrained Language Mode, and enable script block logging so that whatever does run is recorded.
  • Monitor Activity – Look for unexpected outbound connections from internal computers and keep an eye on unusual network activity. Only by understanding normal activity can you detect and stop the abnormal.
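
As an added example (not the author's script), the following applies the macro and logging settings from the list above by writing the same registry values that the Office and PowerShell Group Policy templates write. It sets Word, Excel and PowerPoint to allow only digitally signed macros and to block macros in files from the internet, then turns on PowerShell script block logging so that macro droppers which launch PowerShell leave a record (Event ID 4104) for the SIEM. Office version `16.0` (Office 2016/2019/Microsoft 365) is assumed; the Office keys are per user, and the PowerShell key is machine-wide and needs an elevated prompt. In a domain, the same values belong in a GPO rather than a login script.

```powershell
# Added example (not from the original post): enforce Office macro policy and PowerShell
# script block logging through the registry values that Group Policy itself uses.
# Assumes Office 16.0; run elevated for the HKLM PowerShell key.

$officeVersion = '16.0'
$apps = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings: 1 = enable all, 2 = disable with notification (default),
#              3 = disable except digitally signed, 4 = disable all without notification
$macroPolicy = @{
    VBAWarnings                       = 3
    BlockContentExecutionFromInternet = 1   # files with the Mark of the Web cannot run macros at all
}

foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in $macroPolicy.Keys) {
        New-ItemProperty -Path $key -Name $name -Value $macroPolicy[$name] -PropertyType DWord -Force | Out-Null
    }
}

# Read the values back so the change can be verified (or checked later by an audit script)
foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    Get-ItemProperty -Path $key |
        Select-Object @{ n = 'App'; e = { $app } }, VBAWarnings, BlockContentExecutionFromInternet
}

# PowerShell script block logging: every script block that runs is written to
# Microsoft-Windows-PowerShell/Operational as Event ID 4104, which the SIEM can collect.
$psLogKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $psLogKey)) { New-Item -Path $psLogKey -Force | Out-Null }
New-ItemProperty -Path $psLogKey -Name EnableScriptBlockLogging -Value 1 -PropertyType DWord -Force | Out-Null
Get-ItemProperty -Path $psLogKey | Select-Object EnableScriptBlockLogging
```

Because these live under the Policies hive, users cannot change them from the Trust Center, which is the behaviour you want for settings that are supposed to be enforced rather than suggested.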

Biggest Security Concerns Facing Your Business

You should be concerned about the security risks facing your company. Most business leaders seem to have accepted that they will eventually be breached, and so focus on reducing the risk and on how they will handle the public-relations fallout when it happens. Your business needs a formal information security program to significantly reduce the risk of a successful attack, and you should decide in advance how you will respond to one.

You need to understand what your business stands to lose in the event of a successful attack. Depending on the scale of the breach and the size of your business, the impact could be catastrophic. What is a risk from a successful attack?

  • Data Compromise – Loss of customer or vendor data crucial to your business operations.
  • Loss of intellectual property – You might have unique business data or knowledge that makes your business unique in your market segment, and that edge would be lost if the data is published on the internet.
  • Government or Regulator Fines – Breaches could lead to massive fines from business regulators and the government.
  • Lawsuits – Lawsuits from clients or business partners could lead to an unrecoverable financial situation.
  • Brand Identity – if people can’t trust your business to protect their data, they may move their business to your competitor.

If an attacker gains unrestricted access to your entire business infrastructure, you could experience some or all of these issues, and it could take months (or years) to fully recover. It is also possible that the financial impact will be so severe that your business never recovers from the breach. As the risks to business security grow more sophisticated, the need for your business to be at the forefront of security initiatives becomes even more important.

Top 10 Database Administrator (DBA) Mistakes

Everyone makes mistakes, but a Database Administrator (DBA) shouldn’t make these common mistakes more than once. Let’s investigate some common areas of improvement to see if you can be better at your job.

  1. Memory Management – You can run into serious trouble if you are not managing the min server memory and max server memory settings; leaving max server memory at its unlimited default lets SQL Server starve the operating system. The right values also differ between versions and editions of SQL Server.
  2. Poor Database Disk Usage – You should not place your database files in the default location and hope for the best performance. Investigate your drive configurations and performance and relocate the files to drive locations that provide the best performance while reducing contention, hot spots, and throughput issues. Make sure the drives are formatted and configured properly, and the user databases, TempDB files, and all log files are on separate drives.
  3. Auto Shrink – If you have your database files set to Auto Shrink Enabled, you are not properly managing your database. This setting causes disk fragmentation and unwanted overhead that should be avoided in any production environment.
  4. Bulk Imports – Do not perform bulk inserts during normal production hours. If you have to import large amounts of data and you don’t have an available maintenance window, then determine the lowest usage times and perform the import during those times, if possible.
  5. No Backup Strategy – As a Database Administrator you are responsible for the data, yet many times you rely on someone else to make sure backups are properly scheduled and complete successfully. This mistake will haunt you the first time you have a disaster, are asked to restore the databases, and find the backups were never scheduled as you requested. Always verify that the backup jobs are running and completing successfully. Practice your database restores at least once every calendar year.
  6. No Server Monitoring – You should measure database and server performance, even if everything is working great. If you are taking periodic measurements, you should be able to detect issues long before users start complaining about degraded performance. Don’t wait for users to start complaining before you look for issues.
  7. No Performance Tuning – At least 10% of your time should be spent looking at database and server performance, looking for ways to improve performance using existing hardware and software. If you can’t improve performance with improvements to stored procedures, moving of log and data files, or improved indexing then you should be looking at faster hard drives, more server memory, or faster CPUs.
  8. No Automation – This is a really simple idea. If you are doing anything manually more than once, you should be asking yourself if it can be automated. Spend some of your time looking at facts, analyzing data, improving services. Do not spend your limited time repeatedly figuring out how to gather facts, where is the data located, how to query performance statistics, etc. Use automation to improve your productivity. Look at scripts, scheduled jobs, etc.
  9. Using Poor SQL Code – Allowing developers to run poorly formatted or poorly designed Transact-SQL code on your production servers will cause serious performance issues. If you do not have the resources to adequately check code before it goes live, at least monitor performance on the production servers and give immediate feedback to the development group.
  10. No Security – You should limit access to production data to just the specific users that require access. Each user should have their own account, and they should not be logging into the data with one single shared account for all users. If everyone uses the same account and it has elevated privileges – you’re asking for trouble and it is just a matter of days before disaster strikes.
  11. Bonus: Lack of Business Awareness – This bonus mistake is more career oriented than just focusing on the technical systems. You have to be aware of what is important to the business and understand when things change. This will help you focus on the critical processes and be more proactive in targeting those systems that are critical to the business.
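
As an added example (not the author's code), the script below turns mistakes 1, 3 and 5 above into a repeatable check for a SQL Server instance, which also addresses mistake 8 (automation): it reports whether max server memory is still at its unlimited default, which databases have auto shrink enabled, and which user databases have no full backup in the last 24 hours. The instance name `SQL01` is an assumption, and the script assumes Windows PowerShell 5.1 and a Windows login with rights to read `msdb`.

```powershell
# Added example (not from the original post): automated health check for DBA mistakes
# 1 (memory), 3 (auto shrink) and 5 (backups). $Instance is an assumed name.
$Instance = 'SQL01'

$sql = @"
-- 1. Memory: max server memory left at the default 2147483647 MB means SQL Server can starve the OS
SELECT 'max server memory (MB)' AS check_name,
       CAST(value_in_use AS varchar(20)) AS value,
       CASE WHEN CAST(value_in_use AS bigint) = 2147483647 THEN 'FAIL: default (unlimited)' ELSE 'OK' END AS result
FROM sys.configurations WHERE name = 'max server memory (MB)'
UNION ALL
-- 3. Auto shrink enabled on any user database (database_id > 4 skips master, tempdb, model, msdb)
SELECT 'auto_shrink: ' + name,
       CAST(is_auto_shrink_on AS varchar(1)),
       CASE WHEN is_auto_shrink_on = 1 THEN 'FAIL: auto shrink on' ELSE 'OK' END
FROM sys.databases WHERE database_id > 4
UNION ALL
-- 5. Backups: last full backup (type D) per user database older than 24 hours, or none at all
SELECT 'last full backup: ' + d.name,
       ISNULL(CONVERT(varchar(20), MAX(b.backup_finish_date), 120), 'never'),
       CASE WHEN MAX(b.backup_finish_date) IS NULL
              OR MAX(b.backup_finish_date) < DATEADD(hour, -24, GETDATE())
            THEN 'FAIL: no recent full backup' ELSE 'OK' END
FROM sys.databases d
LEFT JOIN msdb.dbo.backupset b ON b.database_name = d.name AND b.type = 'D'
WHERE d.database_id > 4
GROUP BY d.name;
"@

$conn = New-Object System.Data.SqlClient.SqlConnection "Server=$Instance;Database=master;Integrated Security=True;Encrypt=True"
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $sql
    $table = New-Object System.Data.DataTable
    $table.Load($cmd.ExecuteReader())

    $table | Format-Table check_name, value, result -AutoSize
    $failures = @($table.Rows | Where-Object { $_.result -like 'FAIL*' })
    if ($failures.Count -gt 0) {
        Write-Warning "$($failures.Count) check(s) failed on $Instance"
    }
}
finally { $conn.Dispose() }
```

Schedule it as an agent job or scheduled task and feed the FAIL rows into the same alerting you use for server monitoring (mistake 6), so the checks are run for you rather than remembered.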

Do you have additional mistakes that you think should be added to this short list?

Selecting a PCI QSA Vendor

If you are a merchant that accepts credit cards, you are required to comply with the requirements of the Payment Card Industry (PCI) Data Security Standards (DSS), and you must demonstrate that compliance each calendar year to your bank.

Once you are ready to start your compliance effort, a level 1 merchant will need to engage a third-party team to make sure the right decisions are being made about demonstrating that compliance. You will need to address changes as they occur so that you are not making poor security decisions along the way, and a trained Qualified Security Assessor (QSA) will validate your compliance in a standard-format document, the Report on Compliance (ROC), that lays out why they consider your environment secure enough for customer transactions.

It can be difficult to find the correct partner that can help guide you through this difficult and expensive process, but a little work in the beginning can save you headaches and expenses later in the process.


Building a Successful Cybersecurity Strategy


When thinking of a strategy to address cybersecurity, it must be driven by a top-down management emphasis on building cybersecurity into everything the company does and builds. Cybersecurity cannot be an afterthought or something added later; it must be designed in and implemented from the first day. If you have gaps today, they must be fixed, and a management system must be put in place to prevent the same kind of gap in the future.

The first thing you must accomplish when building a mature strategy to fix an imperfect cybersecurity posture is a formal risk assessment. This lets your team compare existing controls against an established security framework such as the NIST Cybersecurity Framework, the CIS Controls, or SANS guidance. A cybersecurity framework is a predefined set of controls identified and defined by leading cybersecurity organizations to help you improve the cybersecurity strategy of your enterprise. The assessment documents which controls are already in place and how effective they are, and which are missing or ineffective. Once that is done, you can focus your change effort on the controls that will have the most impact, improving security incrementally with each change to the existing environment.

Now that you have a written list of needs you have a better understanding of where your team currently stands, including what controls are currently effective and which controls are missing or poorly implemented. This will also help you determine if you have the budget and personnel to make the required changes. You’ll now have a much better idea of where the biggest security gaps exist and it helps you assign a priority and schedule to each required change.

This might also be a good time to decide if outsourcing the effort, either in part or in full, might be a better solution for your business. Do you have the time and budget to train internal resources for the effort required to resolve the items identified for remediation? If you must hire new personnel, will you have time to onboard and complete orientation or training before you can start remediation of identified security issues, or should you outsource the remediation to an external resource with the experience and skill to quickly resolve your issues?


What is Cybersecurity?

Cybersecurity is the process of protecting networks, systems, data, and programs from digital attacks. Cyberattacks are usually organized and planned attempts to gain unauthorized access to business or personal computer systems in order to change, steal, or destroy sensitive information. This activity can lead to unplanned business interruptions or subject the victims to extortion to regain access to their data or to prevent the release of sensitive data on the internet.

Understanding Cybersecurity

Cyberattacks are often launched by people working for organized crime or hostile state actors, who constantly move from one technique to the next as older techniques become less effective and newly discovered vulnerabilities are weaponized.

You don’t have to be a cybersecurity expert to understand the risk and learn how to provide some basic protection for your systems and critical data. This article is intended to provide some basic guidance and point you in the right direction to become more effective at protecting your personal or business data.


Cloud Security Best Practice

There are several things you can do to improve the security of your online cloud environment. Protect your business assets by enabling specific controls when available.

  1. Access Control – Enable Multi-Factor Autherntication (MFA) and Conditional Access when possible. This means requiring not just usernames and passwords to acccess you critical cloud-based systems, but also requiring multi-factor authentication. Instead of allowing user access with just something you know (password), also require a user to prove their identify with something they have (cellphone) or something they are (fingerprint). You may also be able to enable conditional access, which allows an administrator to add additional requirements to your login process, like only allowing you to log into the cloud envirnment using an authorized laptop, from a specific location, etc.
  2. Improve Security Posture – Use the tools available from your cloud provider to improve your overall security posture. Microsoft Azure offers a secure score rating, showing you recommended actions and comparing your security profile to other tenants. This can drive security changes that you may not even know are possible and provide instructions specific to your environment.
  3. Secure Your Applications – Train your developers in security best practices such as Security Development Lifecycle (SDL) and test for common development issues using OWASP as a guide. Encrypt everything possible, including all internal and external connections. All data that is stored or processed should also be encrypted. Your backups should be encrypted and stored in a secure location away from the production data. Review your relationships with all vendors to make sure it is crystal clear who is responsible for all aspects of your security. You are responsible for everything unless it is specifically stated otherwise in your vendor contract.
  4. Understand and Mitigate Risks – Use best practice guidelines to identify threats and build processes to protect all your systems from known threats, detect any attacks that malicious groups may attempt in your environment, and respond to threats and attacks before your systems can be compromised. You should utilize a security information and event management (SIEM) system to collect the logs from all systems. Once the logs are in a central location you can build alerts that fire when specific events occur, as well as identify risky behavior before the systems can be compromised.
  5. Maintain Network Security – Even though the cloud moves systems outside of your on-premises environment, the proper configuration of your firewall is still very important. Controls still need to be in place to protect the perimeter, detect hostile activity, and respond to all possible threats. A web application firewall (WAF) protects web apps from common exploits like SQL injection and cross-site scripting. Using concepts like virtual networking and subnet provisioning, you can micro-segment your network to provide additional security as you work toward zero trust networking. Enable your endpoint firewall, like Windows Firewall, to properly protect the endpoints as they move outside your protected on-premises network.

While protecting your company assets from a constantly evolving threat landscape can seem an impossible (and expensive) task, some basic security processes can start you down the path towards a best-practice security environment. Don’t try to do everything at once. Start simple with the goal of constant improvement.


PCI DSS 4.0 – Coming Soon

In the upcoming request for comments (RFC) for the first draft of the PCI Data Security Standard Version 4.0 (PCI DSS v4.0), there are some new and exciting changes. PCI DSS v4.0 has been in the works for a while, so a discussion of what is coming is important to anyone who has to meet the standards required to maintain their compliance with the payment card industry.

The October RFC documents will include the first draft of the new PCI DSS v4.0 standard as well as a sample of the new reporting template. This will help everyone understand the new validation method to help support business implementations. There is also a Summary of Changes document that will outline the changes in the draft as well as guidance for everyone on how to review the documents and provide feedback with any issues or questions.

This draft of PCI DSS v4.0 was crafted with feedback received during prior drafts and attempts to reflect changes in security technologies, customer environments, and payment industry changes. These updates to the standard are intended to strengthen security while also adding some flexibility to how the standards are implemented.

The 12 core PCI DSS requirements remain essentially the same while several new requirements are proposed to address evolving threats to significantly reduce the overall risk to payment data. The idea is to give more flexibility to organizations so that companies can use different methodologies and solutions to meet the intent of PCI DSS requirements.

Continue reading “PCI DSS 4.0 – Coming Soon”

5 Steps to Prevent Ransomware

In recent years a new term has entered the vocabulary of cybersecurity experts: Ransomware. Wikipedia says: “Ransomware is computer malware that installs covertly on a victim’s computer, executes a cryptovirology attack that adversely affects it, and demands a ransom payment to restore it.” This basically means a computer system is attacked, the user files are encrypted, and the user must pay a fee to regain access to their critical files. While there is a long history of minor attempts by hackers to create this type of malware, the best-known version of this type of malware is “Cryptolocker”, which was released in late 2013.

Most ransomware attacks were opportunistic and targeted at individual computers, but recently there has been a change in the threat landscape to target entire organizations. The ransom demands have also transitioned from the equivalent of a few hundred dollars for an individual to millions of dollars for an entire organization.

The impact of a successful ransomware attack is more extensive than just the cost of the ransom. Your organization can suffer the impact of lost productivity, inconvenience to your customers, decreased sales, and even the permanent loss of essential data.

Tips on preventing this type of infection in your organization:

Continue reading “5 Steps to Prevent Ransomware”

Preventing a Database Breach

One of the hardest things to do is prevent something from happening when you don’t know when it might happen or who will try to make it happen. As a Database Administrator, you have to be aware that a data breach might happen and you must take reasonable precautions to prevent it. According to the 2016 study by IBM, 60% of database attacks are insiders (people using approved network credentials) looking to access or steal corporate data.

There are some basic steps you should execute to help prevent unauthorized access to your database environment.

  1. Enforce Privileges – As an employee starts their tenure at a company, they are usually given the exact correct privileges for their position. The longer the employee is with a company, the more their effective privileges drift from the correct privileges, until eventually the employee has the wrong access privileges. You need to make sure those initial access rights are correct from day one, and that you periodically review the access rights for every employee. If there is any question about the correct privileges, you should contact their supervisor and document the correct level of access.
  2. Database Discovery – People are busy, and don’t always pay attention when new database instances are created. The people who manage the databases are often not the people who install the software, so this can lead to an environment where there are unauthorized or poorly configured database instances. Database discovery is a crucial first step for avoiding security issues, so you should scan your environment for new database instances as often as possible. The amount of change in your environment will dictate how often you should search for new database instances, but the minimum is annually.
  3. Connection Encryption – Encrypting the connection between the user and the database can help prevent man-in-the-middle attacks.
  4. Strong Password – You should expect the same password strength for your databases as you expect on the network. If possible, use Windows Authentication instead of SQL Server Authentication. This will help enforce the same password strength as your network password, and you must verify that the network settings are using best practice strength requirements.
  5. Detect Compromised Credentials – It is estimated that 60% of companies cannot detect compromised credentials, based on a study by solution vendor Rapid7. Since authorized individuals use databases in a predictable way, abnormal or unauthorized access can be detected and you can be alerted. There are security appliances that can catch unusual or unwanted user access based solely on algorithm analysis, preventing a possible data breach.
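As an added example (not code from the original post), the following Python routine shows the two ideas from the “Understand and Mitigate Risks” item above and from item 5 here: once login audit events are collected centrally, a SIEM rule can alert on a specific event pattern (several failures followed by a success), and a second rule can flag successful logins that fall outside an account's usual hosts and hours. The audit lines, per-account baselines and thresholds are all constructed for the demonstration.

```python
"""Two SIEM-style detection rules over centrally collected database login events.

Added illustration, not code from the original post. The audit lines, the
baselines and the thresholds below are constructed for the demonstration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of database login audit events, normalised the way a SIEM
# would store them: timestamp, database login, source host, outcome.
SAMPLE_EVENTS = """\
2024-03-04T03:20:00 app_svc db-web01 SUCCESS
2024-03-04T08:55:12 jsmith ws-jsmith SUCCESS
2024-03-04T12:03:44 jsmith ws-jsmith SUCCESS
2024-03-04T23:10:02 jsmith ws-jsmith FAILURE
2024-03-04T23:10:09 jsmith ws-jsmith FAILURE
2024-03-04T23:10:15 jsmith ws-jsmith FAILURE
2024-03-04T23:10:21 jsmith ws-jsmith FAILURE
2024-03-04T23:10:27 jsmith ws-jsmith FAILURE
2024-03-04T23:10:33 jsmith ws-jsmith SUCCESS
2024-03-05T02:17:45 app_svc jump-host-9 SUCCESS
"""

# Constructed per-login baseline of "predictable" usage: the hosts a login
# normally connects from and the hours (24h clock) it is normally active.
BASELINES = {
    "jsmith": {"hosts": {"ws-jsmith"}, "hours": set(range(7, 19))},
    "app_svc": {"hosts": {"db-web01"}, "hours": set(range(0, 24))},
}

FAILURE_THRESHOLD = 5                 # failures that make a following success suspicious
FAILURE_WINDOW = timedelta(minutes=10)


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    host: str
    success: bool


def parse_events(text):
    """Parse the space-separated audit lines into Event objects, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, outcome = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, host, outcome == "SUCCESS"))
    return sorted(events, key=lambda e: e.ts)


def rule_failed_then_success(events):
    """Correlation rule: a login that succeeds after FAILURE_THRESHOLD or more
    failures inside FAILURE_WINDOW looks like password guessing that worked."""
    recent_failures = defaultdict(deque)   # user -> timestamps of recent failures
    alerts = []
    for ev in events:
        window = recent_failures[ev.user]
        while window and ev.ts - window[0] > FAILURE_WINDOW:
            window.popleft()               # age out failures older than the window
        if not ev.success:
            window.append(ev.ts)
            continue
        if len(window) >= FAILURE_THRESHOLD:
            alerts.append((ev.ts, ev.user, "FAILED_THEN_SUCCESS", len(window)))
        window.clear()                     # a success resets the counter either way
    return alerts


def rule_outside_baseline(events, baselines=BASELINES):
    """Compromised-credential rule: a successful login from a host or at an hour the
    account never uses is flagged even though the password was correct."""
    alerts = []
    for ev in events:
        if not ev.success:
            continue
        base = baselines.get(ev.user)
        if base is None:
            alerts.append((ev.ts, ev.user, "UNKNOWN_ACCOUNT", ev.host))
            continue
        if ev.host not in base["hosts"]:
            alerts.append((ev.ts, ev.user, "UNUSUAL_HOST", ev.host))
        if ev.ts.hour not in base["hours"]:
            alerts.append((ev.ts, ev.user, "UNUSUAL_HOUR", ev.ts.hour))
    return alerts


def run_rules(text=SAMPLE_EVENTS):
    """Run both rules over the audit text and return every alert raised."""
    events = parse_events(text)
    return rule_failed_then_success(events) + rule_outside_baseline(events)


if __name__ == "__main__":
    for alert in run_rules():
        print(*alert)
```

On the constructed data the jsmith success at 23:10:33 raises both a FAILED_THEN_SUCCESS and an UNUSUAL_HOUR alert, and the app_svc login from jump-host-9 raises UNUSUAL_HOST.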

Infosec Infographic Collection

I did not create these informative images, but I thought you would appreciate them:

Continue reading “Infosec Infographic Collection”

Bringing Cybersecurity to Work

Many businesses want a better cybersecurity posture at work, but they don’t know what to do or how to do it. If you want to be successful at implementing cybersecurity changes to your workplace, there are a few simple steps you can perform today to move towards a stronger security stance as you face increased attacks from cyber-criminals.

Knowing that most small to medium businesses can’t withstand a successful cybersecurity attack, you should be aware that a modern business needs to perform specific steps to bring awareness to the workforce.

Criminals like the easy target, and that is true if we are talking about a subway mugging or a cyber-attack to your email. Cybersecurity is all about making your business less of an easy target and helping everyone at your company understand risky behavior so they can help prevent your business from becoming a target by malicious attackers.

  1. Top-Down Acknowledgement – Start with the boss, and have them acknowledge that cybersecurity is important. If they embrace the need and start behaving like cybersecurity is important, the entire company will accept the changes and participate in educating the workforce. This may include communications from leadership speaking about the importance of cybersecurity to the entire team, but also making sure any efforts are properly funded and supported. If the boss avoids the new plan, everyone will think they have the same option.
  2. Policies and Procedures – Written policies and procedures are the first step in documenting what everyone is supposed to do in your organization. The policies state what is acceptable, and who is responsible for each section of the required response. The procedures describe how to be compliant with the policies. If the policy says everyone is responsible for reporting phishing emails, the procedures describe how to identify and report a phishing email.
  3. Security Awareness Program – Once everyone agrees that your company needs to be more cybersecurity aware, there needs to be a formal program to implement training and awareness programs. This could include formal classroom training, online training videos, periodic emails, etc. It really depends on what you think will work at your company, and finding one right answer doesn’t mean that process won’t change as your employees’ needs change. Be flexible and target a solution that works. This will take serious effort month-after-month to keep an effective program as employees’ needs change, but the program must also change as the threat profile of your attackers changes.
  4. Work on the Basics – From a technology perspective, start with the basics and work toward more robust and sophisticated solutions. Start with basic network security around how your network is designed, and worry about more complicated solutions once you have the basics in place. You don’t need complicated and expensive security systems in place if you don’t have basic security tools configured. These first steps can include some common techniques such as enforcing strong and complex passwords, using multi-factor authentication, installing anti-virus utilities on every computer, applying vendor security patches within 30 days, enforcing least-privilege access to corporate systems and file shares, and blocking employee access to risky internet sites.
  5. Make IT the “Yes” Team – The IT department is often seen as the team that always says no when other departments have ideas. This is usually because the ideas don’t include realistic expectations or even any planning for cybersecurity risk. But if you pivot and respond to the other team’s ideas with suggestions on how to make them work, you can help them realize their ideas while not breaking any cybersecurity rules. This strategy will take much more work, but you’ll see that IT will be included in more planning meetings if you are seen as someone who can tweak less than perfect ideas instead of someone who always shoots down half-baked schemes.
  6. Accept that Things Change – As the business changes, an effective cybersecurity plan must constantly evolve. As employees rely more on cloud applications, social media, and working remotely you must change your cybersecurity toolkit to protect users in that new disconnected environment. You do this by selecting vendors that understand and value cybersecurity, as well as training employees that being on the road can also mean they have to take more responsibility for their own cybersecurity.
  7. People Resist Change – You may have some fairly major alterations to your IT environment planned to bring your organization into modern thinking on the concept of cybersecurity, but you must understand the organization may fight you every step of the way. Employees may fight the implementation of stronger passwords, and they may hate you blocking internet sites that are attempting to steal their personal data. What seems obvious to you may be seen as overstepping the boundaries of modern computing by at least a minority of your employees, and even some of the IT department. Be prepared to deal with those people who are willing to undermine your efforts and are willing to side-step any cybersecurity controls you implement. Don’t take it personally, but have a plan to bring the non-compliant employees into an acceptable level of compliance.
  8. Measure to Improve – Be prepared to measure your success if you ever want to improve the process. Your gut may tell you that blocking a social media site has helped the business, but you need to measure the before and after to demonstrate success. If you feel employees are wasting their time and potentially posting too much corporate data on Facebook, then monitor Facebook for a few weeks to gather some data on specifics, then measure again after the site is blocked. Did your change really make the employees more productive, or did they just start using a different social media site? Did they really stop posting company data or just share the data using a different tool?
  9. Seek Experts – If you aren’t sure what to do next, engage an expert to analyze your cybersecurity posture and recommend specific changes. This can be as easy as asking you questions for a few hours, or a more complicated analysis could include a penetration test to validate if your network controls are properly configured to keep out potential cyber-intruders. You can also think about bringing a security-specific member onto your technology team.
  10. Responding to a Bear Attack – In a bear attack, your first instinct is to run from the bear. You don’t have to be the fastest runner when fleeing a bear attack, just faster than someone else in your group. Your slower friend will get caught by the bear and you will get away. Cybersecurity is similar in that you don’t have to spend millions of dollars buying the very best in security tools, you just have to spend just enough to be more secure than most other companies. When the cyber-criminals attack, you don’t have to be the most secure in the country, you just have to be more secure than their other targets so they get compromised and you get away.

Start small and you can quickly accelerate your cybersecurity efforts as you demonstrate success. Small incremental changes can help limit resistance and generate momentum for your cybersecurity efforts while also keeping risk low.


Data Analysis of PIN Numbers

Data is an interesting topic of exploration. In this example, we are looking at the data as it relates to PIN numbers. PIN numbers are usually all that stands between your bank account and a determined hacker. They can clone your debit card, but they can’t clone the PIN number used to authorize your transactions. But maybe, if you use a common PIN, they can easily guess your PIN.

This article by Nick Berry on DataGenetics is an interesting read to better understand the power of data analysis and why data is important when trying to solve a problem. In this case, the problem is answering the question of which PIN numbers are most common, and why some PIN combinations are more common than others.

Continue reading “Data Analysis of PIN Numbers”


Daily Responsibilities of a Successful Database Administrator

Each work day, you have responsibilities as a Database Administrator (DBA). Those responsibilities vary, based on the type of business, type of administrator, and type of databases. Generally speaking, there are specific responsibilities that you should include in your daily activities, which you can customize to your specific environment.

1. Checking on Servers

Whether you’re responsible for the hardware or not, there are plenty of things you’ll want to do to check on your servers each day. Checking the Windows Event Logs and SQL Server logs, and reviewing the SQL Server Agent, are daily activities:

  • DBAs and the SQL Server Agent
  • DBAs and SQL Server Logs
  • DBAs and Windows Event Logs (not always accessible to you as a DBA)

In some environments, as a DBA you may not have enough time to review details for every server every day. If so, set up a schedule where you make sure to keep looking at your most important (most mission critical) servers daily and then cycle through the rest daily or weekly, with reviews of non-essential servers based on priority, etc.

Continue reading “Daily Responsibilities of a Successful Database Administrator”

What Security Threat Are You Overlooking?

A recent European IDC survey of more than 400 organizations discovered that many companies fail to address one of the main causes of data exposure, which is insider threats. The report shows that most security attacks are caused by users unintentionally using outdated credentials to access secure systems. The problem is only 12 percent of companies surveyed considered insider threats as “highly concerning”, with common threats like viruses, phishing, ransomware, etc. listed as bigger threats requiring more attention.

This gap in security thinking can lead organizations to misunderstand users and miss opportunities to detect intentional user breaches.

Businesses need to shift their security focus away from the actions that must happen after a breach, like dealing with the aftermath of ransomware or removing a new virus, and focus on the true source of the problem, which is mostly user behavior. Education can go a long way to reduce activity that leads to dangerous behavior, as well as reducing the events that lead to unintentional misuse of user credentials. This should reduce the threats from multiple sources and allow your security team to focus on those users that need additional attention, as well as those users that have attempted the intentional misuse of user credentials.

It is really an effort to stop reacting to attacks caused by uneducated users doing silly things and be proactive on those threats that you can control.


Cybersecurity Certifications

Some people really believe in IT certifications, but sometimes struggle to select the best certification for their specific career or interests. This list of security certifications by HackingLoops contains the certification description, exam structure, exam costs, and training costs.

Path Towards Certification

If you are an IT professional interested in network security, a certification can be helpful in demonstrating your commitment to the subject matter, regardless of your work experience. In this article by hackingloops, we get some advice on which certification you might need to look at based on the direction of your career and interests.

To succeed in any I.T. discipline, there are three main things you need: a degree, certifications, and experience. And of those three qualifications, experience reigns king. That said, degrees and certifications certainly have their importance on a resume as well. The problem is that some young go-getters think that college degrees and certifications will propel them to the front of the job-hunting pack, and instantly gratify them with a high salary.

But that isn’t the case, because you need all three factors in order to secure a high paying job. A college degree will certainly help you qualify for better positions, whether you are studying for a Bachelor’s degree or a Master’s degree. If you have the time and energy during your studies at a college or university, it would be highly advantageous for you to get a few entry level certifications under your belt (as we’ll discuss next).

If you can land an entry level job out of the gate, then the future is going to be a lot easier, because you’ll have your foot in the door and can start building up the most important qualification: experience. You don’t necessarily need certifications to land an entry level position. However, today’s job market is extremely competitive, and certifications could be the deciding factor between you and another entry level candidate.

Just remember this key distinction: certifications do not guarantee a job position or a salary. Instead, they help show employers that you’re serious enough about your career to pursue certifications on your own and they help validate your knowledge of crucial industry topics and concepts. Nevertheless, now we need to ask ourselves an important question. Where on earth should you begin your certification journey?

  • CompTIA A+ – not the most impressive certification, but a great place for newbies with little to no knowledge to start building a foundation of hardware concepts

  • CompTIA Security+ – an entry level certification that will help job seekers understand high level security concepts

  • CompTIA Network+ – like all CompTIA certifications, the Network+ is vendor neutral and serves as an introduction to network design, operation, configuration, and more

  • CompTIA Linux+ – any competent hacker or penetration tester is going to need to know their way around Linux systems, and this cert offers introductory and foundational knowledge regarding the wide world of Linux

  • Entry Level LPI Certifications – there are many Linux Professional Institute certifications, and they’ll look good on your resume if you need to use network mapping tools, vulnerability scanners, and similar tools from a Linux command line in real world scenarios

  • Cisco CCNA – the CCNA is typically more highly regarded than the CompTIA certifications, and serves as the first stepping stone to other Cisco certifications

  • CEH – the Certified Ethical Hacker certification is a great way for future penetration testers to build their skills, though it is a little more challenging than the CompTIA examinations

4 Steps to being a Security Awareness Example

It can be difficult to get your average user to care about true security awareness. The best way to get your users to care is for you to set an example while at work and at home. People usually follow the example of the people they respect. Children naturally follow the example of their parents, and your colleagues will usually follow the example set by co-workers that they trust. There are four important aspects to setting an example when it comes to security awareness.

  1. Security Starts at Home – Start with computer security at home by helping people understand the risks they take at home by not properly configuring their routers, navigating to risky web sites, clicking on links and attachments in their personal emails, and not understanding the risks to their children from online predators. Once they understand their personal risk at home, it is easier for them to understand the greater risk to corporate assets and transfer their security mindset from home to their work environment.
  2. Publish Security Guidelines – Never assume people understand their security requirements without telling them how they share the responsibility for corporate cybersecurity. You must have written security policies, procedures, and guidelines that are shared with every employee, and make sure they are updated at least annually. There should also be security training for each new employee, and annual refresher training for every employee. Employees at your company should never misunderstand the security requirements that they are expected to comply with each day.
  3. Set the Example – You should never set rules for someone that you don’t expect to follow yourself. Don’t create rules and then configure systems or controls that you expect to bypass. If you block access to dangerous websites, as an example, but allow your login to bypass these security controls, you have set yourself up for professional failure. People will not respect someone who makes rules for them and then does not follow them during their normal day.
  4. Be Flexible – When it comes to cybersecurity, you must be firm but flexible. This means you must listen when people complain that one of your security rules is causing them a problem during their normal duties or preventing them from innovating. You will sometimes have to change your approach to solving a security issue. You don’t want to be so inflexible in your security rules that you make your company less competitive or too slow to respond to a business idea.