Monthly Archives

May 2019

Ransomware Attacks Are Out to Get You!!

By | Cyber Security, Defensive Tactics, Tutorials | No Comments

Business owners, home computer users, executives, government officials, non-profit agencies, and employees who use computers; you will want to read and share this story; this article applies to you!

Response to Ransomware Attacks has become more mainstream, appearing in the news almost daily. A Ransomware Attack is when your data has been illegally accessed, encrypted, then the criminal demands payment for you to recover your data. This increase in Ransomware occurrences has uncovered a disturbing commonality; every organization, whether it be non-profit, for profit, government, etc…, has not proactively made any preparation for the attack. The most prevalent feedback? They never believed they would be attacked. They were too far off the radar to be in jeopardy. Sound familiar? These attacks, and the disbelief that follows happens in ALL vertical markets and all organization sizes, from small business to large enterprise, and everywhere in between; possibly even you!

With some simple planning, you can limit your attack surface. I just received a link to the following story; https://www.baltimoresun.com/news/maryland/politics/bs-md-20190508-story.html

The article starts off with;

“Baltimore Mayor Bernard C. “Jack” Young said all city employees were at work Wednesday as IT teams tried to recover from a ransomware attack, but that “everything that we’re doing, we just have to revert back to manual.”

Having a manual process is critical to your success and the City of Baltimore should be proud that they have such a process.

The article presents the idea that these attacks are unavoidable and are just going to happen;

“I don’t care what kind of systems you put in place, they always can find a way to infect your system,” said the Democratic mayor. “I know we’re going to do all we can to solve this issue and put up other protections.”

I don’t completely agree with this statement. There are many controls to put into place that will make it difficult for these attacks to be successful. I am confident that if you manage risk appropriately, you can make these attacks very difficult, if possible, at all. The truth is, we will never have perfect security, but if you manage risk appropriately, you will enable your business for success!

Cybersecurity EXPERTS know that our role is risk management. Our risk management techniques simply involve data and systems. The risks associated with ransomware are very manageable and should be managed to a level that limits your exposure to such attacks. The costs associated with this risk mitigation are minimal. The costs associated with becoming a victim are exponentially larger than the cost of the simplistic mitigation techniques. In addition, most organizations are completely or almost wholly stopped from performing their tasks, after ransomware hits. Understand, cyber-criminals are only successful because organizations make the choice, conscious or unconscious, to minimize the risk of being targeted.

Please, do not think that this is a one size fits all article, every company is different and has different risks, risk tolerance, processes, technologies, etc. My intent is to provide some of the most common risk mitigation techniques for these issues.

Most of you, if you are like me, are asking, “Where’s the secret sauce?” Well, here is the not-so-secret sauce;

  • It is important to block or limit access to publicly facing remote desktop protocol Services and other administrative access. If they are necessary, set access control lists or other filters to only allow access from you own systems and limit that to only administrators who have a need to access them.
  • Keep all systems and applications up to date. Look for vendor patches (updates) on vendor websites. Trusting 3rd party websites to download application updates could, and often does, lead to the installation of malware, capable of bring your business to its knees.
  • Strong Passwords MUST be used for any and all accounts. We recommend using a sentence for a passphrase (password). As an example; “CyberSelf_Defenseismygo2company4cybersecurity!”  NOTE: please do not use mine, choose your own.
  • Teach employees, families and friends to avoid clicking links or attachments in email; they can use VirusTotal.com to test links and attachments.
  • Have solid, tested backups of everything that is important to you. Your backups should be synced regularly to ensure up-to-date data if/when an event occurs.
  • Please ensure that these back-ups are kept isolated from production systems and that they use different login accounts.
  • Ensure they do not allow access (login) with your normal account.
  • Use web and email proxies to limit exposure to such attacks; web and email proxies are built into many of the antivirus solutions on the market. These are inexpensive and very manageable. A proxy simply tests the links and ensure that they are relatively safe.
  • Ensure you have antivirus software installed on all systems, including all servers. Ensure that the definitions are current; definition updates are released, at minimum, weekly and more regularly during a virus outbreak. We like BitDefender; let us know if we can help you get pricing.
  • Do not have open shares set up. These are corporate drives that allow everyone access. There should be no shared drives that allow “everyone” access. You should ensure that all folders allow only the people who need access to the folder have access.
  • Ensure that system admins log in as their normal (non-administrative) user and elevate privileges as necessary. Admins should avoid logging in as their administrative accounts to only those situations that REQUIRE this type of access.
  • Limit or block access to social media sites like Facebook, gambling sites, and anything that could be construed as pornography. These sites are breeding grounds for such attacks, as well as productivity vacuums. Most companies do not need their employees to have access to these types of sites.
  • Enable the system firewall to properly protect the system. I cannot believe how many companies shut their system firewalls off, as this is a line of defense that is effective add no additional cost for the protection it provides.
  • Use application whitelisting. This methodology gives you the ability to allow only approved applications. Allowing only approved applications ensures that users cannot run inappropriate programs. This methodology is even more important if your organization has outdated and unsupported systems, like Windows XP, on the network.
  • Remove local administrative rights from end users. Require them to get IT/Security approval for all software that is installed.

Listen, I know that not everyone will be able to do everything on this list. Again, we are risk managers and the more of these things you are able to accomplish, the lower your risk levels are. It is our belief, that if you do these things, you will place your risk at a lower level and will enable the business for success. Finally, when we talk about risk management, if you do not have a comprehensive risk assessment; one that you consult, every time you make a cyber purchase, you might as well be throwing your money into the trash! If your risk assessment is not comprehensive enough to help you in these situations, you should redo it. Your risk assessment should have told you that these attacks were coming and how you could have mitigated them.

NOTE everything I presented here, works on your home computers; home computers are frequently attacked! For more information refer to our recently posted article in the CDA Press at https://www.cdapress.com/local_news/20190519/hackers_make_enemies_of_local_cybersecurity_teams.


Cyber Self-Defense is an award winning holistic pure-play cyber-security solutions provider in North America and headquartered in Northern Idaho. The company’s diverse and talented employees are committed to helping businesses, governments and educational institutions plan, build and run successful security programs through the right combination of products, services and solutions related to security program strategy, enterprise risk and consulting, threat and vulnerability management, enterprise incident management, and training. Cyber Self-Defense represents over 50 years of combined experience within the cyber-security market, successfully helping the business community, regardless of company size, from Small Business to Large Enterprise. Here are some key differentiators;

  • We teach and mentor staff as we work. It is our hope that we can teach our customers how to defend themselves.
  • We build business through cyber-security versus hampering business with unrealistic security.
  • We use a risk-based approach to cyber-security that ensures an informed process for making purchases and decisions.
  • Our leadership lives by the mantra; “cyber-security does not need to be expensive, but it must be strategic.” This is important to Cyber Self-Defense, as we see companies spending money uselessly, purchasing tools that do not help to reduce risk.
  • It is our role to aid our customers in making decisions that effectively reduce risk and provide the best return on investment; versus hampering business with unrealistic security.
  • We have never and will never hire consultants. We hire professionals who have successfully built programs and “been in your shoes”. If you have ever dealt with a consultant, you know the real value of this point!

NIST 800-171 is being enforced!

By | CISO-as-a-Service, CISO/Management, Cyber Security, Risk Management | No Comments

In October 2017 I wrote how the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 required contractors to implement NIST Special Publication 800-171 by December 31, 2017 regarding data protections and safeguards around Controlled Unclassified Information (CUI).

Similar to the first implementation of the Healthcare HIPAA regulations, we did not see an immediate attempt to audit and enforce the requirements of the mandate.  I stated then that failure to follow the requirements would result in breach of contract with the government (Department of Defense).  After the publication of NIST 800-171, there were many questions around what constituted CUI. Furthermore, if you read the language in government contracts, you will see how ambiguous the definitions of data protection requirements really are.  We’ve discovered that most contracts do not always follow the requirements of the rule; see 252.204-7012 (a);

1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or

(2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

Many prime contractors have told us that they are waiting to see what enforcement steps would be implemented and/or until the regulations were fully ratified (The latest version, as of today’s date, can be found at; https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final and Revisions 2 will be published soon).  These “wait and see” companies felt their partial implementation of the regulation was “good enough.”  We have pushed existing and prospective customers on the fact that there are many risks beyond simply the contractual requirements to achieve compliance and that doing so early on could save them headaches, costs, fines, etc. in the long-term.  At Cyber Self-Defense, we’ve responded to many actual data breaches across many industries which were highly preventable, and we continue to encourage customers to become compliant as soon as possible.  We encourage our customers to get ahead of the curve and develop a risk-based cybersecurity program for the sake of enabling the business’ success; noting that compliance becomes easier and less expensive when done according to the needs of the business and implemented in a manner that is compliant with regulations and contractual requirements.

Well my friends, this discussion has just turned another corner!

In January of this year, the Under Secretary of Defense, Ellen M. Lord, sent a memorandum to a large number of organizations directing them to enforce the provisions of the contracts.  (Found here, https://www.acq.osd.mil/dpap/pdi/cyber/docs/USA000140-19%20TAB%20A%20USD(AS)%20Signed%20Memo.pdf

Lord asks these agencies to begin to audit ensuring compliance with the requirements.  Specifically;

To effectively implement the cybersecurity requirements addressed in DFARS Clause 252.204-7012 and NIST SP 800-171, I have asked the Director, Defense Contract Management Agency (DCMA) to validate, for contracts for which they provide contract administration and oversight, contractor compliance with the requirements of DFARS clause 252.204-7012. Specifically, DCMA will leverage its review of a contractor’s purchasing system in accordance with DFARS Clause 252.244-7001, Contractor Purchasing System Administration, in order to:

  • Review Contractor procedures to ensure contractual DoD requirements for marking and distribution statements on DoD CUI flow down appropriately to their Tier 1 Level Suppliers.
  • Review Contractor procedures to assess compliance of their Tier 1 Level Suppliers with DFARS Clause 252.204-7012 and NIST SP 800-171.

To ensure that a similar approach may be taken at companies for which DCMA does not administer contracts (such as the Secretary of the Navy’s ship building contracts), we will work with representatives of those communities to implement a similar solution.

So, what does this all mean?  We believe this will be similar to what happened with the implementation and enforcement of the HIPAA regulations.  Companies will wait for enforcement to begin, and there will be a mad rush to become compliant.  In the meantime, these companies will be the targets of cybercriminals, they will be the new “low hanging fruit,” and ultimately suffer the negative impact of a breach compounded by the heavy fines or contract cancellations.  We encourage you, if you are not following a cyber security plan which truly enables the business, to prioritize building a comprehensive program.  EVERYONE is an unfortunate target of criminals!

Please don’t delay. The longer you wait the greater the risk of non-compliance becomes. Let us help you solve the mystery of cybersecurity by assessing your current state program and designing and implementing compliance and data protection. Contact us today!