CALL TO ACTION: Can you be a part of the SOLUTION?

By Cyber Security

Today, a United States Senate committee is holding a hearing on “Big Tech Censorship”.  Over the last several months, this has become a very big issue.  With the internet being a primary source of information for many people, it is critical that people have accurate and complete data.  WITHOUT getting into the political aspects of this (as we all have our own opinions), I would like to see if we, as a community, can help to make suggestions and recommendations regarding this issue.  I believe that as Privacy and Security professionals, one of our roles is to ensure that data integrity and privacy are appropriate across the internet.

At the center of this discussion is Section 230 of the Communications Decency Act.  As I am not an attorney, I will not attempt to interpret the law.  What I will do is provide some of the details and a link to a legal resource I use frequently, Cornell Law School.  It is my understanding that Section 230 is a reference to 47 U.S. Code § 230 – Protection for private blocking and screening of offensive material (https://www.law.cornell.edu/uscode/text/47/230).

This law opens with the following:

(a) The Congress finds the following:

(1) The rapidly developing array of Internet and other interactive computer services available to individual Americans represent an extraordinary advance in the availability of educational and informational resources to our citizens.

(2) These services offer users a great degree of control over the information that they receive, as well as the potential for even greater control in the future as technology develops.

(3) The Internet and other interactive computer services offer a forum for a true diversity of political discourse, unique opportunities for cultural development, and myriad avenues for intellectual activity.

(4) The Internet and other interactive computer services have flourished, to the benefit of all Americans, with a minimum of government regulation.

(5) Increasingly Americans are relying on interactive media for a variety of political, educational, cultural, and entertainment services.

(b) Policy

It is the policy of the United States—

(1) to promote the continued development of the Internet and other interactive computer services and other interactive media.

(2) to preserve the vibrant and competitive free market that presently exists for the Internet and other interactive computer services, unfettered by Federal or State regulation.

(3) to encourage the development of technologies which maximize user control over what information is received by individuals, families, and schools who use the Internet and other interactive computer services.

(4) to remove disincentives for the development and utilization of blocking and filtering technologies that empower parents to restrict their children’s access to objectionable or inappropriate online material; and

(5) to ensure vigorous enforcement of Federal criminal laws to deter and punish trafficking in obscenity, stalking, and harassment by means of computer.

The law goes on to state:

(c) Protection for “Good Samaritan” blocking and screening of offensive material

(1) Treatment of publisher or speaker

No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.

(2) Civil liability

No provider or user of an interactive computer service shall be held liable on account of—

(A) any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected; or

(B) any action taken to enable or make available to information content providers or others the technical means to restrict access to material described in paragraph (1).

(d) Obligations of interactive computer service

A provider of interactive computer service shall, at the time of entering an agreement with a customer for the provision of interactive computer service and in a manner deemed appropriate by the provider, notify such customer that parental control protections (such as computer hardware, software, or filtering services) are commercially available that may assist the customer in limiting access to material that is harmful to minors. Such notice shall identify, or provide the customer with access to information identifying, current providers of such protections.

(e) Effect on other laws

(1) No effect on criminal law

Nothing in this section shall be construed to impair the enforcement of section 223 or 231 of this title, chapter 71 (relating to obscenity) or 110 (relating to sexual exploitation of children) of title 18, or any other Federal criminal statute.

(2) No effect on intellectual property law

Nothing in this section shall be construed to limit or expand any law pertaining to intellectual property.

(3) State law

Nothing in this section shall be construed to prevent any State from enforcing any State law that is consistent with this section. No cause of action may be brought, and no liability may be imposed under any State or local law that is inconsistent with this section.

(4) No effect on communications privacy law

Nothing in this section shall be construed to limit the application of the Electronic Communications Privacy Act of 1986 or any of the amendments made by such Act, or any similar State law.

(5) No effect on sex trafficking law

Nothing in this section (other than subsection (c)(2)(A)) shall be construed to impair or limit—

(A) any claim in a civil action brought under section 1595 of title 18, if the conduct underlying the claim constitutes a violation of section 1591 of that title;

(B) any charge in a criminal prosecution brought under State law if the conduct underlying the charge would constitute a violation of section 1591 of title 18; or

(C) any charge in a criminal prosecution brought under State law if the conduct underlying the charge would constitute a violation of section 2421A of title 18, and promotion or facilitation of prostitution is illegal in the jurisdiction where the defendant’s promotion or facilitation of prostitution was targeted.

The sections of the law are directly copied from the Cornell Law School site that I cited above.

In the spirit of being great cybersecurity professionals, I would like to ask each of us to weigh in on this concern and issue in a nonpolitical manner and with a judgment-free mentality (without attacks and offensive responses).

In your response, please answer the following questions:

  1. Is this a cybersecurity/privacy professional concern?
  2. Is this an issue that we face in the world today?
  3. Should private organizations have the responsibility or authority to control the messages that are being delivered to the world?
  4. How do we, as a community of security and privacy professionals, come together and help to ensure the integrity of free information, while ensuring that everyone is safe and free of offensive material?

I would also ask that you tag your US Senator (https://www.senate.gov/senators/index.htm) and your US Congress member (https://www.congress.gov/members?searchResultViewType=expanded).

Let's become part of the SOLUTION and show our value!

Are you a U.S. Government Contractor (or Planning to be) and Do You have Questions About the CMMC Certification Process?

By Cyber Security

Cyber Self-Defense has been receiving a large number of calls regarding the CMMC process for government contracts (especially DOD-related contracts). Many of the questions involve the following:

  • Do I need to get certified?
    • Starting in 2021, the DOD will phase in RFIs that require companies to achieve a level of CMMC certification.
  • How do I get certified?
    • Assessments will be performed by Licensed Certified Assessors who work for licensed CMMC Third Party Assessment Organizations (C3PAOs).  These C3PAOs will be listed on the CMMC AB website when available.
  • How hard is it to build a program?
    • The CMMC is based on NIST 800-171, and most of the practices have been available for years.  Depending on the level, it could be fairly simple (level 1) or more complicated (level 3+).  How “hard” it is depends on your current state.
  • Who can get us certified?
    • A Licensed C3PAO will manage the entire process.
  • What is the cost?
    • It depends on size and complexity.  A level 1 assessment for a small company is estimated at 1 day, but size, number of networks, level of complexity, whether a company handles CUI, etc. all require more time to assess.

If you are doing government contracting, you likely have a ton of questions and need them answered. The reality is that there are still many unknowns. Cyber Self-Defense has done a considerable amount of research and we are following the CMMC process VERY closely, as we hope to be one of the first companies to become certified in this process.  It is something we highly support and believe in.  We have believed in such a process since well before CMMC was officially established!

Here are our interpretations, based on our research, of some key aspects of the CMMC process.

  • Currently, there are NO COMPANIES OR AUDITORS who can certify you! We know that the CMMC board is working hard to get companies and auditors trained, but this is a time-consuming process and one that will not happen overnight.
    • We have received MANY claims from MANY companies saying that they can get you certified; this is FALSE! While we are working towards certification, neither we nor anyone else can claim the ability to certify anyone.
    • There are Provisional Assessors; they have a defined scope, and our understanding is that they will NOT be able to immediately conduct audits outside of their current scope. We have heard that this is still being negotiated, but currently, no company and no person can conduct these audits for anyone outside the current scope.
  • The DOD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices.
  • Initially, the CMMC pertains only to DoD contracts. We have heard rumors that many other government entities are looking to adopt this process.
  • We KNOW that the CMMC WILL be based on 48 CFR 52.204-21, NIST SP 800-171 (the framework says revision one, we believe it will be version 2), and the Draft of NIST SP 800-171B (the framework says NIST SP 800-171B, we believe it will be version NIST SP 800-172).
    • This means that you CAN and SHOULD begin building your program. We recommend that you begin now; when we build programs for companies, it takes time. Training must be done, policies written, risk assessment completed, identity and access reviews completed, etc. There is a great deal of work that goes into this and waiting until the last minute will not be to your advantage.
    • Another point we would like to make is that these requirements are based on good business practices; we recommend these preparations to ensure the success of your business. What is being asked (at least in the first three stages) is the minimum that ANY company should achieve. Many have talked about the high cost of CMMC.  It’s really the potential for costs related to basic cyber security that are at issue.

If you or your executives would like a one-on-one presentation of what we KNOW or can reasonably assume, we would be happy to discuss this with you. This would not be a sales presentation and would be free, simply a way to help get you started in the right direction.  Please send an email to info@cyberselfdefense.com

Ransomware in The News Again: Why Are You Not Prepared?

By Cyber Security

Most of us are sick of seeing ransomware in the news.  Ransomware continues to plague our world and cause major issues for companies of every size and shape and in every industry.  Every time I read about or investigate these attacks, I ask “why?”  Why did the company not prepare itself?

A Forbes article written by Bob Zukis in June of this year points out that “Ransomware is a rapidly growing cyber threat, and attacks overall were up 25% in Q1.” https://www.forbes.com/sites/bobzukis/2020/06/18/ransomware-has-a-new-and-very-valuable-hostage-in-sight/#6a5c9461170f

Bob Zukis adds: “The average ransomware payment is up 33% from Q4 of 2019 to $111,605. But the real cost is the impact on business, such as lost revenue or employee productivity or the impact to public services. The average business downtime due to a ransomware attack is 15 days.”

This morning, I came across an article that discusses the Lazarus (Hidden Cobra, MATA, ZINC) ransomware that appears to have been written by the North Koreans.  While this ransomware is primarily being used in non-US countries, I believe it is only common sense that the malware will be seen in US companies.  Japanese CERT personnel have analyzed Lazarus and have identified some key features of the malware and of the Command and Control communication between an infected system and the criminals’ Command and Control systems: https://blogs.jpcert.or.jp/en/2020/08/Lazarus-malware.html

The article states,

“The communication is performed in the mostly same format as mentioned earlier. It is confirmed that the module offers multiple functions including the following: (See Appendix C for details.)

  • Operation on files (create a list, delete, copy, modify time created)
  • Operation on processes (create a list, execute, kill)
  • Upload/download files
  • Create and upload a ZIP file of arbitrary directory
  • Execute arbitrary shell command
  • Obtain disk information
  • Modify system time”

The bottom line is that this ransomware can be used to do anything the criminals program it to do, including searching databases, network and local shares, and anything else not properly locked down for information, and then exfiltrating that information.  Since the malware can also delete files, all log files can be destroyed, and an investigation could become extremely difficult.

This is a very timely article; last night I spoke to Jeff Longo from Fortinet and heard that Fortinet is hearing from many people asking for assistance in preventing these attacks.  Jeff explained their sandboxing tools and several other tools to mitigate the risks.  In May of 2019, I wrote an article called “Ransomware Attacks Are Out to Get You!!”: https://www.cyberselfdefense.com/ransomware-attacks-are-out-to-get-you/

You have the information you need to significantly reduce your risk; why would you risk falling victim?

Please reach out if you have questions, comments, or concerns.

Cyber Self-Defense’s Input into a Well-Written Article by Jeff Elder of Business Insider

By Cyber Security

Last week, I talked about risk management.  https://www.cyberselfdefense.com/covid-19-has-created-cybersecurity-issues-for-my-company-help/

This morning, Business Insider presented an article that was of immense value to most companies.  https://www.businessinsider.com/microsoft-poll-zero-trust-cybersecurity-pandemic-2020-8

During this pandemic, we are seeing more people online.  This presents some real concerns for IT and security staff in EVERY organization.  If it does not cause concerns, there is likely something wrong with the program.  The question is how to build a world-class cybersecurity program while keeping costs low.  The answer was discussed in the article I presented last week.  Any good cybersecurity professional or executive will tell you that risk management is critical to the success of the business.

In this article, Jeff Elder presents the idea that all companies are talking about “Zero Trust”, a concept that alludes to the fact that nobody is trusted.  While I agree with the concept, I think that the technology is still just a concept.  The reality is that people MUST be trusted.  We can and should limit their access, we can and should force multifactor authentication, we can and should validate their security controls when accessing the network, and we should employ all of the other security tools, processes, training, controls, etc.  The reality, though, is that for me to say that I do not trust a high-ranking person like a CEO and to have tools to enforce this model/concept is not complete.  The first time I allow the CEO access to any system, application, document, etc., I am trusting him/her!  When speaking publicly, I used to present the idea that I can place a computer into a room with infinitely thick walls, ceilings, and floors, post armed security around it, and ensure that the computer is not connected to ANY external source and has no wireless signals; as soon as a person enters the room (trusted or not), we have the potential for a security breach.

So, what does this all mean?  It means that we have to find a way in which we can balance the needs of the business through the enablement of the business, keep costs manageable, and build quality security.  The ONLY way this is possible is through a formal risk management process.

The Microsoft poll in this article presents the idea that “…while more than half of the business leaders (58%) reported budget increases for security and 65% for compliance, 81% also reported feeling pressure to lower overall security costs.”  I believe that these pressures come from security teams making educated guesses, following the advice of salespeople who sell “a magic button” that stops security breaches, and who fail to properly assess and manage risk.  If you are spending the right amount of money on your program, your risk assessment should help you to show your executives that your program is fine-tuned and operating efficiently.

COVID-19 Has Created Cybersecurity Issues for My Company; HELP!!

By CISO/Management, Cyber Security, Defensive Tactics, Risk Management

Cybersecurity is always a balancing act.  Good security personnel find ways in which to implement security controls that enable business users and the business.  Good security leaders make decisions based on quality risk management techniques, ensuring that costs are managed.  What happens when we identify risk that cannot be appropriately mitigated?

With COVID-19, our world has changed, and we have been forced to make decisions.  I have heard from security professionals who say that they are ready to quit their jobs because COVID-19 has opened up a world of insecurity and that “the execs don’t care”.  I submit to you that the executive teams DO care, these professionals simply have not presented the information in a manner that allows for an appropriate decision.

This article is not one that is designed to have people migrate from any specific device or to create a stir in the Android community; it is one of finding ways in which to balance risk.  The Android platform is a great example.

Before I get into the risk management part, let’s use an example that you are likely facing:

Some years back, we (the company I worked for and myself) implemented a Mobile Device Management (MDM) solution.  We then allowed select users (a small test group) to connect their (company owned) devices to segregated parts of the network.  My SIEM quickly lit up, telling me that many (almost all) of the Androids were compromised and communicating with nefarious servers.  I also began to receive complaints from end users that ranged from data being overwritten, to their phones not ringing, after the MDM encrypted the company data on the phones.  Needless to say, we began to investigate and identify problems.  We had to conduct a large amount of research and ultimately concluded that we could not use the MDM solution if our users could not receive great service.  We also could not allow these devices to connect to our network as the data we were accountable for would be placed at risk.

We discovered that applications (apps) were being downloaded from the app store that were riddled with malware.  We also found that the devices were almost all different, with different parts, different versions of Android, and a variety of problems.  Here is an example story about hacked apps: https://www.forbes.com/sites/kateoflahertyuk/2019/10/30/new-google-android-threat-malicious-app-installed-by-40-million-play-store-users/#759b0b50511e

This morning, I read a Wired article about Qualcomm releasing a fix that will affect around 90% of US users’ Android devices.  The article presents the idea that “A BILLION OR more Android devices are vulnerable to hacks that can turn them into spying tools by exploiting more than 400 vulnerabilities in Qualcomm’s Snapdragon chip, researchers reported this week.”  The article can be found here: https://www.wired.com/story/over-a-billion-android-devices-are-at-risk-of-data-theft/

Risk Management

In this situation, we have some choices that MUST be made:

  1. We can ignore the issue, citing the fact that users have to be able to perform their jobs.
  2. We can ban the devices.
  3. We can add compensating controls (which must be tested and validated).
  4. We can limit the user experience and lock the devices down.
  5. We can elevate our concerns to management and ask for guidance.

What is the correct answer?  Often, the assumptions we make about what other people think are wrong.  Those cybersecurity people who are ready to quit can breathe a sigh of relief; so can your executives!

As we deal with this situation, or any other situation, it is critical that we follow basic risk management techniques because the answer is going to depend upon the company, culture, type of data, and a variety of other factors.

As security professionals, we have an obligation to ensure that the company is successful and that the business is enabled through the use of cybersecurity.  With COVID-19, this becomes a widespread concern.  I hear this from customers and other decision makers daily.  They ask me about how they should build secure home environments as their users are working from home.  My answer is ALWAYS, “Consult your risk assessment!”  If your risk assessment does not help you with an answer, I would recommend that you conduct a more mature risk assessment.

Proper risk management begins with discussions about the definitions of risk; each company is different.  This flows into a process of understanding the risk tolerance of the organization.  We then look at the business and determine the risks (this is a lengthy process that should be pages, not lines).  We identify the likelihood and criticality of the risk being realized (I like to score the areas of Compliance Risk, Confidentiality Risk, Integrity Risk, Availability Risk, AND Company Image Risk).  We then calculate the effectiveness of the controls we have in place that mitigate the risk to determine the residual risk.

Here is where it gets fun.  We now must put together a comprehensive plan to address the risks.  This should include multiple options for treating the risk, including the acceptance of risk.  As security professionals, we are accountable to treat the risks we identify when they are within our ability to treat them.  When they fall outside of our reach, we escalate them to management; not with a story of how we will be hacked, but with a discussion about the true concerns surrounding the risk.  We then allow them to make an informed decision.  We document their decision and move on, readdressing the risk when changes occur or at agreed-upon intervals.  This is a cyclical process that must be done any time something changes and at least annually.
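A worked version of the scoring and escalation steps described above, added here as an example (it is not Cyber Self-Defense's method or tool). The 1-5 scales, the multiplicative model, the treatment of untested controls as contributing nothing, and the sample scores for the Android/MDM situation are all assumptions the post does not state:

```python
"""Residual-risk scoring for the five risk areas named in the post.

Added worked example; not Cyber Self-Defense's method or tool. The numeric model is
an assumption: likelihood and criticality on a 1..5 scale, inherent = likelihood *
criticality per area, control effectiveness as the fraction of risk removed, and
residual = inherent * (1 - combined effectiveness). Only tested/validated controls
count, following the post's point that compensating controls must be validated."""
from dataclasses import dataclass, field
from math import prod

AREAS = ("Compliance", "Confidentiality", "Integrity", "Availability", "Company Image")


@dataclass
class Control:
    name: str
    effectiveness: float  # fraction of the risk this control removes, 0.0 .. 1.0
    tested: bool = False  # compensating controls must be tested and validated


@dataclass
class Risk:
    name: str
    likelihood: int                       # 1 (rare) .. 5 (almost certain)
    criticality: dict                     # area -> 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)
    within_security_control: bool = True  # can the security team treat it alone?


def combined_effectiveness(controls):
    """Independent controls: the share of risk surviving all of them is prod(1 - e_i).
    Untested controls contribute nothing (prod over an empty sequence is 1.0)."""
    return 1.0 - prod(1.0 - c.effectiveness for c in controls if c.tested)


def score(risk):
    """Return (inherent, residual) dicts keyed by risk area."""
    surviving = 1.0 - combined_effectiveness(risk.controls)
    inherent = {a: risk.likelihood * risk.criticality.get(a, 1) for a in AREAS}
    residual = {a: round(v * surviving, 2) for a, v in inherent.items()}
    return inherent, residual


def treatment(risk, tolerance):
    """Apply the post's rule: accept within tolerance, treat what is within our
    reach, escalate the rest to management for an informed, documented decision.
    Returns (decision, worst_area, worst_residual)."""
    _, residual = score(risk)
    worst_area, worst = max(residual.items(), key=lambda kv: kv[1])
    if worst <= tolerance:
        return "accept", worst_area, worst
    if risk.within_security_control:
        return "treat", worst_area, worst
    return "escalate", worst_area, worst


# Constructed sample: the post's Android/MDM situation with made-up scores.
ANDROID_RISK = Risk(
    name="Compromised Android devices reaching company data",
    likelihood=4,
    criticality={"Compliance": 3, "Confidentiality": 5, "Integrity": 3,
                 "Availability": 2, "Company Image": 4},
    controls=[
        # MDM encryption broke phones in the pilot and was never validated
        Control("MDM encryption of company data", 0.5, tested=False),
        Control("Segregated network for mobile devices", 0.6, tested=True),
    ],
    within_security_control=False,  # banning the devices is a business decision
)

if __name__ == "__main__":
    inherent, residual = score(ANDROID_RISK)
    for area in AREAS:
        print(f"{area:>16}: inherent {inherent[area]:>2}  residual {residual[area]:>5}")
    print(treatment(ANDROID_RISK, tolerance=6.0))
```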

When this process is followed, your risk assessment will guide you.  Security practitioners will be relieved to know that they are not accountable for risk outside their control, and executives will know that the security program is not just a money pit; it is a tool for the successful enablement of the business.

FBI Releases Guidance on Social Engineering: Email Phishing

By Cyber Security

As we all (hopefully) know, phishing is one of the most prevalent and likely risks of compromise for ALL organizations. The FBI just released the following information about a major threat: https://www.ic3.gov/media/2019/190610.aspx

This has some great information! We, at Cyber Self-Defense, would like to help you further mitigate risks like this. We offer the following suggestions:

  1. Security awareness training is no longer optional. Your company should be talking to staff about cybersecurity and enabling your employees’ success through knowledge. Sorry to say, in our experience, online training alone does not work. People do not get excited about sitting at their computer and watching/interacting with a monotone computer. Employees want and need to be energized through real-world experiences. They want to hear stories, they want to ask questions. We recommend at least an annual in-person training session. This can be supplemented with additional training but cannot replace the in-person training.
  2. Your training should include a section on how to identify phishing and social engineering (con-man/woman schemes).
  3. Use https://www.virustotal.com/gui/home/upload to test links and attachments.
  4. Consider (based on your risk assessment) web and email proxies.
  5. Test your employees; hire a company to conduct phishing and social engineering testing. Our experience shows that hacking systems (overall) is about 20% effective. Social engineering is 80% effective.
  6. Reward employees for quickly reporting issues; their early reporting can save your company.
  7. Have policies that require non-electronic approval for ANY money movement. We see a ton of companies hit by wire transfer schemes that are “coordinated” through email.
  8. Encourage staff to send suspicious emails to IT for proper review.
  9. Establish a second-look process where employees are encouraged to ask for a second-person review of any suspicious telephone calls, emails, or visitors.
  10. Validate anyone who wants access to your facilities and accompany them at all times.

As business people, we tend to treat people really well.  I pride myself on trying to treat everyone well. Unfortunately, we don’t often receive the education and knowledge to learn where and when to stop. We do not always understand that we can say “No” in a polite manner.

Coronavirus (COVID-19) Scams

By Cyber Security

Criminals seldom let a good opportunity pass to further their criminal enterprises. We are beginning to hear from a variety of our customers that the COVID-19 scams have begun. Please educate your staff that these scams are coming in and that they will cause you problems. Feel free to share this email: it is critical that while we are preoccupied with COVID-19, we do not allow criminals to profit from others’ tragedies!

Here are a couple of examples:

  • I received a call from the IRS and FBI (same call, one person) telling me that the US government cares about the success of my business; they wanted to give me money to help keep my business running. They needed my ACH information to send the money. Because it is such an emergency, they don’t even need an application.
  • I received a call from a customer last night stating that “A very legit-sounding lady” is calling their staff, saying: “Hello, this is Nurse Jen calling to follow up on your tests from yesterday. Unfortunately, you DID test positive for coronavirus. No need to panic but call us back with your credit card handy so we can overnight you your antibiotics. It’s important that you and any family or roommates STAY HOME. Call us so we can get you your meds and give you further quarantine instructions.”
  • There are also a ton of calls regarding the sale of test kits and other items that relate to this virus.

These scams are coming via email, text messages, online, and telephone calls. Please take the following precautions:

Personnel Related

  • Teach employees to avoid clicking links or attachments in email; they can use www.VirusTotal.com to test links and attachments.
  • Calls, text messages, and emails that sound too good to be true usually are.
  • The government is not going to call you and ask you to provide account information so they can send money to you!
  • You do not likely have relatives in countries you cannot pronounce. If you have a relative who is traveling; contact him, her, or them directly through a number you KNOW to be accurate.
  • The government is not giving out free iPhones to help in communications.
  • If you are ill and you went to the hospital for a test, please check with the hospital directly. If they call you, make an appointment to go in.
  • Hospitals and real pharmacies are the only trustworthy source of anything medical.
  • Be wary of any link that purports to tell you anything about the COVID-19 virus. Please visit proper news sites; CNN.com, foxnews.com, msn.com, etc.
  • The Federal Trade Commission (FTC) says:
  • “Watch for emails claiming to be from the Centers for Disease Control and Prevention (CDC) or experts saying they have information about the virus. For the most up-to-date information about the Coronavirus, visit the Centers for Disease Control and Prevention (CDC) and the World Health Organization (WHO).
  • Ignore online offers for vaccinations. There currently are no vaccines, pills, potions, lotions, lozenges or other prescription or over-the-counter products available to treat or cure the Novel Coronavirus disease 2019 (COVID-19) — online or in stores.
  • Do your homework when it comes to donations, whether through charities or crowdfunding sites. Don’t let anyone rush you into making a donation. If someone wants donations in cash, by gift card, or by wiring money, don’t do it.”
  • Employees should validate any emails they were not expecting by calling the person.
  • Many of these emails have good indicators such as misspelled words, capital letters in places we do not usually place them, conflicting attachments (e.g. attachments that include an invoice and a contract. Shouldn’t the contract be in place prior to an invoice?), orders to immediately send money to someone who is higher up in the company than you, language problems (misuse of the English language), etc.
  • Any email that directs a person to make a payment should be validated by calling the person (at a phone number you know, not the one in the email) and validating their request. We recommend a company policy against the use of email for ANY transactional events; the email could be easily spoofed.
  • When in doubt, the users should have a known number to call for reporting the event; we recommend rewarding such reports. A simple $1 certificate and quarterly “Phish finder” award enables a positive reinforcement of good behavior.
  • We also recommend that users be trained that any time an email, an embedded web link, or any other element of an email requests a password, they immediately report it and do not provide their username and password.

System/Corporate Related

  • Incident response is CRITICAL; if you receive a report of a phishing attempt or another security issue, you must respond quickly.
  • While providing a complete Incident Response playbook is out of the scope for this alert, when dealing with these types of attacks, you should profile the attack and block anything that can be blocked. For example, I could block the domain the email came from, the website it is taking me to, the IP address range of the attacker(s), etc.
  • The information gathered, should be used to alert the rest of your company and to search for users who fell for the scam. For example, if there is an embedded link in the email, you can search your web proxy and/or firewalls to see who went to the site. You can search email proxies for who sent email to the person.
  • Any passwords that were shared with the criminals should be changed; many times, end users fail to tell us that they sent their password(s). You should ask them and ensure they know that they will not be in trouble if they tell you.
  • Have solid, tested backups of everything that is important to you. Please ensure that these back-ups are kept isolated from production systems and that they use different credentials.
  • Use web and email proxies to limit exposure to such attacks.
  • Keep systems patched.
  • Block VBA/Macro Code; preferably at the network level.
  • Ensure you have antivirus software installed on all systems, including all servers. Ensure that the definitions are current.
  • Do not have open shares set up. There should be no shared drives that allow “everyone” access. Ensure that every folder grants access only to the people who need it.
  • Ensure that system admins log in as their normal (non-administrative) user and elevate privileges as necessary. Admins should limit the use of their administrative accounts to only those situations that REQUIRE this type of access.
  • Limit or block access to social media sites like Facebook; these sites are breeding grounds for such attacks.
  • Enable the system firewall to properly protect the system.
  • Use application whitelisting; this methodology lets you allow only approved applications, which ensures that users cannot run inappropriate programs.
  • Remove local administrative rights from end users.
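The two searches the incident-response items above call for, who went to the lure site and who received mail from the phishing sender, as an added Python example that is not the original post's code or a Cyber Self-Defense tool. Both logs are constructed: the proxy lines follow Squid's native access.log field order and the mail lines use a simple key=value gateway format, so the field positions are assumptions to adapt to whatever your proxy and mail gateway actually write; the indicator values are placeholders standing in for what a real reported email would contain.

```python
"""Scope a reported phish from the logs: who visited the lure, who received the mail.

Added example, not the original post's code. Both logs are constructed:
the proxy lines use Squid's native access.log layout, the mail lines a
simple key=value gateway format. Field positions are assumptions.
"""
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed Squid native log:
# time elapsed client code/status bytes method url user hierarchy/peer type
PROXY_LOG = """\
1714051200.123    210 10.1.2.10 TCP_MISS/200 5123 GET https://portal.example.com/login alice HIER_DIRECT/203.0.113.5 text/html
1714051260.456    180 10.1.2.11 TCP_MISS/200 2048 GET http://invoice-update.example.net/secure/login.php bob HIER_DIRECT/198.51.100.7 text/html
1714051300.789     90 10.1.2.12 TCP_MISS/302 312 POST http://invoice-update.example.net/secure/login.php carol HIER_DIRECT/198.51.100.7 text/html
1714051400.000    150 10.1.2.13 TCP_HIT/200 8192 GET https://www.example.org/ dave NONE/- text/html
1714051500.111    120 10.1.2.11 TCP_MISS/200 1200 GET http://cdn.invoice-update.example.net/logo.png bob HIER_DIRECT/198.51.100.7 image/png
"""

# Constructed mail-gateway log (one line per delivery attempt).
MAIL_LOG = """\
2024-04-25T13:55:00Z queue=3F2A1 from=<ceo@invoice-update.example.net> to=<bob@example.com> status=delivered
2024-04-25T13:55:02Z queue=3F2A2 from=<ceo@invoice-update.example.net> to=<carol@example.com> status=delivered
2024-04-25T13:55:03Z queue=3F2A3 from=<ceo@invoice-update.example.net> to=<erin@example.com> status=quarantined
2024-04-25T14:10:00Z queue=3F2B0 from=<alice@partner.example.org> to=<bob@example.com> status=delivered
"""

# Indicators pulled from the reported email (placeholder values).
PHISHING_DOMAIN = "invoice-update.example.net"
PHISHING_SENDER = "ceo@invoice-update.example.net"


def parse_squid_line(line: str) -> dict:
    """Split one Squid native access.log line into the fields we need."""
    f = line.split()
    return {
        "time": datetime.fromtimestamp(float(f[0]), tz=timezone.utc).isoformat(),
        "client": f[2],
        "status": f[3].split("/")[-1],   # "TCP_MISS/200" -> "200"
        "method": f[5],
        "url": f[6],
        "user": f[7],
    }


def host_matches(url: str, domain: str) -> bool:
    """True for the domain itself and any subdomain; a plain substring test would also
    match look-alikes such as notinvoice-update.example.net, so compare on label boundaries."""
    host = (urlsplit(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)


def users_who_visited(log_text: str, domain: str) -> dict:
    """Map each proxy user to the requests of theirs that touched the phishing domain."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_squid_line(line)
        if host_matches(rec["url"], domain):
            hits.setdefault(rec["user"], []).append(rec)
    return hits


def likely_credential_submissions(hits: dict) -> list:
    """A POST to the lure is the strongest sign a password was typed in:
    these are the accounts whose passwords get changed first."""
    return sorted(u for u, recs in hits.items() if any(r["method"] == "POST" for r in recs))


MAIL_RE = re.compile(r"from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)> status=(?P<status>\S+)")


def recipients_of(log_text: str, sender: str) -> dict:
    """Map every recipient of the phishing sender to the gateway's delivery status."""
    out = {}
    for m in MAIL_RE.finditer(log_text):
        if m["sender"].lower() == sender.lower():
            out[m["rcpt"].lower()] = m["status"]
    return out


if __name__ == "__main__":
    visits = users_who_visited(PROXY_LOG, PHISHING_DOMAIN)
    for user, recs in visits.items():
        print(user, [(r["time"], r["method"], r["url"]) for r in recs])
    print("reset first:", likely_credential_submissions(visits))
    print("received the lure:", recipients_of(MAIL_LOG, PHISHING_SENDER))
```

The output feeds the steps the list above describes: everyone in the recipient list gets the warning, everyone who visited gets asked whether they entered a password, and the POST submitters get their passwords changed without waiting for them to volunteer it.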

If you need assistance, please let us know; we have decades of experience in these situations and have a fully established incident response team with the tools to assist. We also know how to limit the effectiveness of such attacks. We are here to help you!

https://www.cyberselfdefense.com/

https://www.linkedin.com/company/18025324

Online Child Safety

By Cyber Security No Comments

With many people working from home and many more children taking classes online, I had someone reach out to me about a KHQ news story I did a few years ago. I forgot about the story, but think it is very important to share it again.

Your kid’s (and your) homework tonight and tomorrow should/could be https://www.netsmartzkids.org/ or https://www.safeandsecureonline.org/

#news #roundup #cybersecurityawareness #cybersecurity #protectyourfamily #informationsecurity

Ransomware Attacks Are Out to Get You!!

By Cyber Security, Defensive Tactics, Tutorials One Comment

Business owners, home computer users, executives, government officials, non-profit agencies, and employees who use computers: you will want to read and share this story, because this article applies to you!

Ransomware attacks have become a mainstream topic, appearing in the news almost daily. A ransomware attack is when your data has been illegally accessed and encrypted, and the criminal then demands payment for you to recover your data. This increase in ransomware occurrences has uncovered a disturbing commonality: every organization, whether non-profit, for-profit, government, etc., had not proactively made any preparation for the attack. The most prevalent feedback? They never believed they would be attacked. They were too far off the radar to be in jeopardy. Sound familiar? These attacks, and the disbelief that follows, happen in ALL vertical markets and all organization sizes, from small business to large enterprise and everywhere in between; possibly even you!

With some simple planning, you can limit your attack surface. I just received a link to the following story: https://www.baltimoresun.com/news/maryland/politics/bs-md-20190508-story.html

The article starts off with:

“Baltimore Mayor Bernard C. “Jack” Young said all city employees were at work Wednesday as IT teams tried to recover from a ransomware attack, but that “everything that we’re doing, we just have to revert back to manual.”

Having a manual process is critical to your success and the City of Baltimore should be proud that they have such a process.

The article presents the idea that these attacks are unavoidable and are just going to happen:

“I don’t care what kind of systems you put in place, they always can find a way to infect your system,” said the Democratic mayor. “I know we’re going to do all we can to solve this issue and put up other protections.”

I don’t completely agree with this statement. There are many controls you can put into place that will make it difficult for these attacks to be successful. I am confident that if you manage risk appropriately, you can make these attacks very difficult, if not impossible. The truth is, we will never have perfect security, but if you manage risk appropriately, you will enable your business for success!

Cybersecurity EXPERTS know that our role is risk management. Our risk management techniques simply involve data and systems. The risks associated with ransomware are very manageable and should be managed to a level that limits your exposure to such attacks. The costs associated with this risk mitigation are minimal. The costs associated with becoming a victim are exponentially larger than the cost of these simple mitigation techniques. In addition, most organizations are completely or almost wholly stopped from performing their tasks after ransomware hits. Understand, cyber-criminals are only successful because organizations make the choice, conscious or unconscious, to downplay the risk of being targeted.

Please do not think that this is a one-size-fits-all article; every company is different and has different risks, risk tolerance, processes, technologies, etc. My intent is to provide some of the most common risk mitigation techniques for these issues.

Most of you, if you are like me, are asking, “Where’s the secret sauce?” Well, here is the not-so-secret sauce:

  • It is important to block or limit access to publicly facing Remote Desktop Protocol (RDP) services and other administrative access. If they are necessary, set access control lists or other filters to only allow access from your own systems, and limit that to only the administrators who need to access them.
  • Keep all systems and applications up to date. Look for vendor patches (updates) on vendor websites. Trusting 3rd party websites to download application updates could, and often does, lead to the installation of malware capable of bringing your business to its knees.
  • Strong passwords MUST be used for any and all accounts. We recommend using a sentence as a passphrase (password). As an example: “CyberSelf_Defenseismygo2company4cybersecurity!” NOTE: please do not use mine, choose your own.
  • Teach employees, families and friends to avoid clicking links or attachments in email; they can use VirusTotal.com to test links and attachments.
  • Have solid, tested backups of everything that is important to you. Your backups should be synced regularly to ensure up-to-date data if/when an event occurs.
  • Please ensure that these back-ups are kept isolated from production systems and that they use different login accounts.
  • Ensure they do not allow access (login) with your normal account.
  • Use web and email proxies to limit exposure to such attacks; web and email proxies are built into many of the antivirus solutions on the market. These are inexpensive and very manageable. A proxy simply tests the links and ensures that they are relatively safe.
  • Ensure you have antivirus software installed on all systems, including all servers. Ensure that the definitions are current; definition updates are released, at minimum, weekly and more regularly during a virus outbreak. We like BitDefender; let us know if we can help you get pricing.
  • Do not have open shares set up. These are corporate drives that allow everyone access. There should be no shared drives that allow “everyone” access. Ensure that every folder grants access only to the people who need it.
  • Ensure that system admins log in as their normal (non-administrative) user and elevate privileges as necessary. Admins should limit the use of their administrative accounts to only those situations that REQUIRE this type of access.
  • Limit or block access to social media sites like Facebook, gambling sites, and anything that could be construed as pornography. These sites are breeding grounds for such attacks, as well as productivity vacuums. Most companies do not need their employees to have access to these types of sites.
  • Enable the system firewall to properly protect the system. I cannot believe how many companies shut their system firewalls off, as this is a line of defense that is effective and adds no additional cost for the protection it provides.
  • Use application whitelisting. This methodology gives you the ability to allow only approved applications, which ensures that users cannot run inappropriate programs. This methodology is even more important if your organization has outdated and unsupported systems, like Windows XP, on the network.
  • Remove local administrative rights from end users. Require them to get IT/Security approval for all software that is installed.
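A policy check for the sentence-style passphrase advice in the list above, added here as an example that is not the original post's code. The thresholds (20 characters, 4 words, 3 character classes) and the small denylist are assumptions chosen to match the advice rather than an official policy, and the bit count is the naive brute-force upper bound, not a measure of how guessable a sentence of common words really is. The post's own example is on the denylist because a passphrase that has been published is no longer a secret.

```python
"""Check a candidate passphrase against the sentence-style advice above.

Added example, not the original post's code. The thresholds and the
denylist are assumptions chosen to match the advice, not an official policy.
"""
import math
import re
import string

MIN_LENGTH = 20     # a full sentence comfortably exceeds this
MIN_WORDS = 4       # a sentence, not one dictionary word with a digit stuck on
MIN_CLASSES = 3     # of: lowercase, uppercase, digit, other (punctuation/space)

# Anything published, including the post's own example, must not be reused.
PUBLISHED_EXAMPLES = {
    "CyberSelf_Defenseismygo2company4cybersecurity!",
}

# Pool sizes for the naive brute-force estimate (assumed: 32 punctuation + space).
CLASS_POOL = {"lower": 26, "upper": 26, "digit": 10, "other": len(string.punctuation) + 1}


def words_in(passphrase: str) -> list:
    """Split on spaces, punctuation, digits and CamelCase boundaries ("CyberSelf" -> 2 words)."""
    return re.findall(r"[A-Z]?[a-z]+|[A-Z]+(?![a-z])|\d+", passphrase)


def char_classes(passphrase: str) -> set:
    """Which of the four character classes the passphrase uses."""
    classes = set()
    for ch in passphrase:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("other")
    return classes


def brute_force_bits(passphrase: str) -> float:
    """Upper bound only: assumes every position is drawn uniformly from the pools in use.
    A sentence of common words is weaker than this number suggests, which is why the
    word-count and length rules below are the real policy, not this figure."""
    pool = sum(CLASS_POOL[c] for c in char_classes(passphrase))
    return len(passphrase) * math.log2(pool) if pool else 0.0


def check_passphrase(passphrase: str) -> dict:
    """Return {"ok": bool, "failures": [reasons], "bits": float} for the candidate."""
    failures = []
    if len(passphrase) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if len(words_in(passphrase)) < MIN_WORDS:
        failures.append(f"fewer than {MIN_WORDS} words; use a sentence")
    if len(char_classes(passphrase)) < MIN_CLASSES:
        failures.append(f"fewer than {MIN_CLASSES} character classes")
    if passphrase in PUBLISHED_EXAMPLES:
        failures.append("published example; choose your own")
    return {"ok": not failures, "failures": failures, "bits": round(brute_force_bits(passphrase), 1)}


if __name__ == "__main__":
    for candidate in ("Winter2024!",
                      "CyberSelf_Defenseismygo2company4cybersecurity!",
                      "My dog Rex ate 3 socks on Tuesday!"):
        print(candidate, check_passphrase(candidate))
```

The check is deliberately rule-based rather than entropy-based: an entropy number alone would rate the post's example highly, but the whole point of the NOTE in the list is that a known value has zero secrecy regardless of its length.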

Listen, I know that not everyone will be able to do everything on this list. Again, we are risk managers, and the more of these things you are able to accomplish, the lower your risk levels are. It is our belief that if you do these things, you will place your risk at a lower level and will enable the business for success. Finally, when we talk about risk management: if you do not have a comprehensive risk assessment, one that you consult every time you make a cyber purchase, you might as well be throwing your money into the trash! If your risk assessment is not comprehensive enough to help you in these situations, you should redo it. Your risk assessment should have told you that these attacks were coming and how you could have mitigated them.

NOTE: everything I presented here works on your home computers; home computers are frequently attacked! For more information refer to our recently posted article in the CDA Press at https://www.cdapress.com/local_news/20190519/hackers_make_enemies_of_local_cybersecurity_teams.


Cyber Self-Defense is an award-winning holistic pure-play cyber-security solutions provider in North America, headquartered in Northern Idaho. The company’s diverse and talented employees are committed to helping businesses, governments and educational institutions plan, build and run successful security programs through the right combination of products, services and solutions related to security program strategy, enterprise risk and consulting, threat and vulnerability management, enterprise incident management, and training. Cyber Self-Defense represents over 50 years of combined experience within the cyber-security market, successfully helping the business community, regardless of company size, from Small Business to Large Enterprise. Here are some key differentiators:

  • We teach and mentor staff as we work. It is our hope that we can teach our customers how to defend themselves.
  • We build business through cyber-security versus hampering business with unrealistic security.
  • We use a risk-based approach to cyber-security that ensures an informed process for making purchases and decisions.
  • Our leadership lives by the mantra: “cyber-security does not need to be expensive, but it must be strategic.” This is important to Cyber Self-Defense, as we see companies spending money uselessly, purchasing tools that do not help to reduce risk.
  • It is our role to aid our customers in making decisions that effectively reduce risk and provide the best return on investment; versus hampering business with unrealistic security.
  • We have never and will never hire consultants. We hire professionals who have successfully built programs and “been in your shoes”. If you have ever dealt with a consultant, you know the real value of this point!

NIST 800-171 is being enforced!

By CISO-as-a-Service, CISO/Management, Cyber Security, Risk Management No Comments

In October 2017 I wrote how the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 required contractors to implement NIST Special Publication 800-171 by December 31, 2017 regarding data protections and safeguards around Controlled Unclassified Information (CUI).

Similar to the first implementation of the Healthcare HIPAA regulations, we did not see an immediate attempt to audit and enforce the requirements of the mandate. I stated then that failure to follow the requirements would result in breach of contract with the government (Department of Defense). After the publication of NIST 800-171, there were many questions around what constituted CUI. Furthermore, if you read the language in government contracts, you will see how ambiguous the definitions of data protection requirements really are. We’ve discovered that most contracts do not consistently follow the requirements of the rule; see 252.204-7012(a):

(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or

(2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

Many prime contractors have told us that they are waiting to see what enforcement steps would be implemented and/or until the regulations were fully ratified (the latest version, as of today’s date, can be found at https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final, and Revision 2 will be published soon). These “wait and see” companies felt their partial implementation of the regulation was “good enough.” We have pushed existing and prospective customers on the fact that there are many risks beyond simply the contractual requirements to achieve compliance, and that doing so early on could save them headaches, costs, fines, etc. in the long term. At Cyber Self-Defense, we’ve responded to many actual data breaches across many industries which were highly preventable, and we continue to encourage customers to become compliant as soon as possible. We encourage our customers to get ahead of the curve and develop a risk-based cybersecurity program for the sake of enabling the business’ success, noting that compliance becomes easier and less expensive when done according to the needs of the business and implemented in a manner that is compliant with regulations and contractual requirements.

Well my friends, this discussion has just turned another corner!

In January of this year, the Under Secretary of Defense, Ellen M. Lord, sent a memorandum to a large number of organizations directing them to enforce the provisions of the contracts (found here: https://www.acq.osd.mil/dpap/pdi/cyber/docs/USA000140-19%20TAB%20A%20USD(AS)%20Signed%20Memo.pdf).

Lord asks these agencies to begin auditing to ensure compliance with the requirements. Specifically:

To effectively implement the cybersecurity requirements addressed in DFARS Clause 252.204-7012 and NIST SP 800-171, I have asked the Director, Defense Contract Management Agency (DCMA) to validate, for contracts for which they provide contract administration and oversight, contractor compliance with the requirements of DFARS clause 252.204-7012. Specifically, DCMA will leverage its review of a contractor’s purchasing system in accordance with DFARS Clause 252.244-7001, Contractor Purchasing System Administration, in order to:

  • Review Contractor procedures to ensure contractual DoD requirements for marking and distribution statements on DoD CUI flow down appropriately to their Tier 1 Level Suppliers.
  • Review Contractor procedures to assess compliance of their Tier 1 Level Suppliers with DFARS Clause 252.204-7012 and NIST SP 800-171.

To ensure that a similar approach may be taken at companies for which DCMA does not administer contracts (such as the Secretary of the Navy’s ship building contracts), we will work with representatives of those communities to implement a similar solution.

So, what does this all mean?  We believe this will be similar to what happened with the implementation and enforcement of the HIPAA regulations.  Companies will wait for enforcement to begin, and there will be a mad rush to become compliant.  In the meantime, these companies will be the targets of cybercriminals, they will be the new “low hanging fruit,” and ultimately suffer the negative impact of a breach compounded by the heavy fines or contract cancellations.  We encourage you, if you are not following a cyber security plan which truly enables the business, to prioritize building a comprehensive program.  EVERYONE is an unfortunate target of criminals!

Please don’t delay. The longer you wait the greater the risk of non-compliance becomes. Let us help you solve the mystery of cybersecurity by assessing your current state program and designing and implementing compliance and data protection. Contact us today!