Patching is one of the easiest and most effective ways of protecting security systems.
If you are patching, you are removing some of the bad guys’ capabilities to gain access to your system.
CareMIT Business Security & Technical Support
Cybersecurity – How can we help
I like basic.
I like simple.
There is definitely not enough of basic or simple in my business!
One of the most basic and simple strategies for cybersecurity is called the Essential 8.
When implemented correctly, the Essential 8 improves an organisation’s security posture significantly.
Two of the components of the Essential 8 are patching: patch operating systems and patch applications.
That was till this week.
A little context:
A vulnerability has been discovered in a simple logging component of Java.
This identified vulnerability allows an attacker to send a simple line of code to a system.
That code is then passed to the logging system and, bingo, they now have full access to the device as an administrator.
In other words, a 10-year-old can hack your system and do some serious damage!
That makes it a huge internet problem; in fact, it is being labeled “the worst hack in history”.
First discovered in web-based systems (Apache), it has now been identified in thousands of products that are installed on computers across the world.
This vulnerability has highlighted the fact that everyone and their dog has used this logging system and then failed to think about updating it as part of their patching process.
In some cases, the versions we are coming across have been in these systems for more than 8 years and traveled from version to version.
Counteracting the problem is difficult.
We cannot just remove the problem files because the application will stop working.
We cannot just change it for the newest version because the application will stop working.
So we have to wait for the software owners to patch their software and release the patch.
In the meantime, we plan for the worst and hope for the best.
We rely on our defence in depth.
We rely on our proactive systems and contingencies.
We rely on others in the industry to find solutions that can be implemented and apply them as fast as possible.
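An added example, not from the original post: a minimal inventory of bundled copies of a library inside Java archives, including copies nested in other archives, which is how an old logging component drops out of the patching process. The library name `examplelog`, the version numbers and the archive names are constructed placeholders, and the scan assumes the archives still carry Maven `pom.properties` metadata.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

ARCHIVE_EXT = (".jar", ".war", ".ear")

def version_key(v, width=4):
    """'1.4.2' -> (1, 4, 2, 0): numeric parts only, padded; None -> all zeros."""
    parts = [int(p) for p in re.findall(r"\d+", v or "")][:width]
    return tuple(parts + [0] * (width - len(parts)))

def scan_archive(data, trail, artifact, min_version, hits):
    """Record each copy of `artifact` (found via its Maven metadata, which usually
    survives repackaging into "fat" JARs), recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # archive extension but not a readable archive
    with zf:
        for entry in zf.namelist():
            if entry.endswith(f"/{artifact}/pom.properties"):
                m = re.search(r"^version=(.+)$", zf.read(entry).decode("utf-8", "replace"), re.M)
                version = m.group(1).strip() if m else None
                hits.append({"where": " -> ".join(trail), "version": version,
                             "stale": version_key(version) < version_key(min_version)})
            elif entry.lower().endswith(ARCHIVE_EXT):
                scan_archive(zf.read(entry), trail + [entry], artifact, min_version, hits)

def inventory(root, artifact, min_version):
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXT:
            scan_archive(path.read_bytes(), [path.name], artifact, min_version, hits)
    return hits

def make_jar(files):  # builds constructed sample archives from {entry name: bytes}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    meta = "META-INF/maven/org.example/examplelog/pom.properties"  # hypothetical library
    old = make_jar({meta: b"artifactId=examplelog\nversion=1.4.2\n"})
    new = make_jar({meta: b"artifactId=examplelog\nversion=2.3.0\n"})
    with tempfile.TemporaryDirectory() as root:
        Path(root, "payroll.war").write_bytes(make_jar({"WEB-INF/lib/reports.jar": old}))
        Path(root, "intranet.jar").write_bytes(new)
        return inventory(root, "examplelog", "2.0.0")

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A copy flagged `stale` inside a vendor's archive is a ticket for that vendor, since swapping the file by hand can stop the application working.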
There is a huge difference between a cyber attack generated by a script kiddie running an automated system and one where you are being targeted by a dedicated hacker.
For one, if you are targeted by a dedicated hacker then you already know that you have something worth protecting and you have, hopefully, done something about it.
The biggest problem with cyber attacks on the internet is that 95% of them are coming from an automated system controlled or managed by trainees (script kiddies).
Automated systems have three reasons they are used:
There are a number of ways for anyone to get hold of an automated system. They can download an operating system that has an automated system running on it. Kali, Parrot OS or BlackArch are all very good examples, but there are others.
Designed as penetration testing tools, these systems have all of the requirements that they need to target organisations, multinationals, or anyone connected to the digital world.
Before you ask, yes it is all legal and above board as long as you are not targeting someone else.
To make these systems more effective, they allow you to either download additional components from GitHub or design and program your own applications.
The old saying that whenever anything is free you are the product rings true with these systems as well. The creators of these systems keep track of people using them and incorporate any updates into their own releases.
To set up one of these systems all you need is a computer. Once you have administrator access to a computer you can download a virtual environment (VMware if you have some money or VirtualBox for free) and you can then install these operating systems as a virtual operating system.
You can even run the operating system on a microcomputer (Raspberry Pi) for under $100.
Once set up you now have access to the tools and capabilities that, if used correctly, can rival someone who has been in the industry for years. Almost like a novice woodworker creating a dovetail joint on their first try without knowledge of what to do.
No training, just using other people’s knowledge.
In addition, and a bigger issue, what they do not know can be learned or discovered by simply searching Google.
The capability and effectiveness of these systems allow them to set up the automated attack and target a huge number of vulnerable systems based on blocks of internet-based addresses.
Simply put, they can find out if there is a targetable vulnerability just by using facets of the automated systems.
These free operating systems have the capability of making money.
To make serious money, though, you need to work with partners. Working with partners can be both beneficial as well as detrimental to their own security.
When it comes to making money it is either through selling information on the dark web, selling cryptovirus decryption keys to vulnerable people or selling access to compromised systems to leverage other attacks.
To avoid being a victim you need to implement some protective strategies.
You need to apply the CareMIT business security methodology to the organisation but to start at the basics this is what you need to do:
At the basic level, the users of these automated systems are just as vulnerable as the people that they are targeting. A severe case of “user beware”, because if you do not configure the system correctly you are just as vulnerable as your targets.
At the most fundamental level, we all know that most people between 13 and 30 have a limited ethical attitude and good and bad is debatable.
That’s why we have the proliferation of these systems.
Secure your business!
Get proactive!
Do the scorecard!
Read your report!
Link to scorecard https://caremit.scoreapp.com
Like every organisation, small and medium businesses have similar problems when it comes to getting people to focus on digital security.
These are some of the inane comments we hear when we discuss digital security with staff and management of SMEs.
As you can see, all of these comments have one thing in common: digital security is someone else’s problem.
The first people who will notice a problem with their computer will be the people who are using it the most.
In today’s business world it is very important for all users to understand that they are a target of digital crime. Being a target means that they need to do something, anything they can to protect themselves from cybercrime.
Cybercrime is what it is.
Get over it – anyone who has a device that connects to the digital world is a target.
In addition to these comments, the digital criminals are clever, persistent and always on the lookout to compromise your system.
We have all heard about how the insider can wreak havoc on your business. Yet, business owners and other staff don’t understand how much actual damage they can do.
From a Business Security perspective we’ve definitely experienced people in the workplace who:
These Insiders can also have a detrimental impact on business security.
Here are 7 types of Insider Threats who make the insider threat real to any organisation.
We have all seen them in business. They jump here and there and start a huge number of jobs but never finish them, or finish them haphazardly.
They are more interested in their own work, not in keeping the company safe. Passwords, updates and scans are usually bypassed. When something goes wrong, it is never their fault. Clicking on an email link without using common sense is a primary example.
They are the first to complain about the time it takes IT support to remove a virus. By bypassing the organisation’s Cybersecurity, they put the whole organisation in danger.
Solution – get them to slow down, their job is no more important than anyone else’s.
These are the people who are too timid at work. They fear making mistakes, but, by fearing reprisals and keeping quiet, they are the victim. The company suffers as well.
The accidental victim is either an older employee, or a new starter. They are very noticeable in not for profit organisations.
Solution – Provide education and training in the use of computers. Explain what’s expected in their role within the organisation.
This person is very good at big-noting themselves. They use their knowledge of the organisation to place themselves in avoidable situations. They overshare critical and confidential information in email. They don’t think about the consequences of sharing on social media and also in meetings.
Solution – separation of information, restrict access to the information within the organisation.
We get this type of person in all types of business. They are the second cousin to number 1. “I am not a target of cybercrime, it will never happen to me because I have nothing worth stealing.”
With technology changes over the years, a bored 14 year old can be the attacker. Access to the internet is their tool. Every internet user or business is a target. Anyone can be attacked and everyone needs to take the necessary precautions.
Solution – providing education and training.
The Entitled employee is one of the most dangerous non-malicious insiders. Their laptops or tablets hold the organisation’s secrets and are used on free wifi in cafes. They have no business reason to keep all that critical information, but they have to have it.
Solution – need to know. Stop allowing access to data by staff who don’t need it. Segregate it into public, commercial in confidence and critical. If someone does not need the information then deny access to it.
Previous to this one, the insiders have been the result of stupid behaviors. The Malicious Insider is a malicious person. Their focus is on them. For whatever reason, they might intend to leave, have a grudge against the company or an employee. They won’t hesitate to go to your competition with all your corporate data.
These are the true bad guys, the ones you should be protecting your organisation against. They may have infiltrated your organisation via one of the other insiders, and are now able to do damage. They could have become an insider through social media, email or web based attack. The secret insider isn’t an employee. They are not answering to your policies and procedures. They will damage your organisation, because you don’t have protections.
These Insider Threats are the ones we have come across. Some can be a combination of one, two or three traits. The best way to protect yourself from the insider is to pay attention to your staff and your management.
The best way to find out what your organisation needs to do to be safe is to:
1. Use the CareMIT Digital Diagnostic Tool
2. Come to one of our regular quarterly “Security Board Meetings”
In the last 20 years, there has been a slow change in how the business approaches the management of the ICT component.
As business and technology change, there have been significant changes in the management process of these systems. The more complex and costly the systems, the more dedicated the support has to be. We have gone from onsite support from staff (“I know computers”) to off-site support from a service provider.
SMEs no longer have the resources available to manage their ICT and a new breed of company has been slowly taking more and more control over these parts of your business.
Originally these organisations were known as ICT or IT companies. They were usually run out of hardware and software stores and were more focused on those areas.
It was eventually realized that just managing the hardware and software of small and medium businesses and not-for-profit organisations was not enough. When technology broke, most organisations still could not afford a technician to come to the site, and an IT company needed to make their resources go further.
The managed service provider did a number of additional things:
The business has changed and the requirements for ICT support have changed, so the MSP needed to do more.
To be competitive and to be more productive they started adding on services. These services included if not delivered by the MSP:
In most cases, they were a bolt-on action to the MSP requirements and were supplied to maximize profit and reduce cost. In a large number of situations, the customer was not getting value for money because the MSP was tied to a specific vendor.
In the last 5 – 10 years, the bigger the perceived problem with security was, the more clients were going to purchase systems from their trusted adviser – their MSP. Once again, increasing profits by reducing costs.
Any MSSP that does this is actually exposing their clients to huge problems. Most of the service level agreements (SLA) reduce this down to “all care no responsibility”.
SMEs and NFP organisations needed to approach business security in today’s business world from a new direction.
Business security has to be approached from the top down. Management and board members HAVE to get involved. Your MSP or MSSP who is not recommending risk management and cybersecurity frameworks is in fact doing a huge disservice to your organisation.
A risk management process looks at all of the risks to the organisation and allows you to think and work through the process and deliver strategies to protect the organisation. It includes the ICT and technology area, but there is so much more that has to be incorporated into a risk management plan.
The second part is a cybersecurity framework. A framework does a number of things:
Most frameworks have a baseline requirement. When you start to implement the framework you have to know how secure you are before you can start to improve. The baseline also allows you to look at priorities within the organisation.
If your organisation is still using an MSP or an MSSP to manage your security without looking at the risk components or without implementing a cybersecurity framework (we recommend the National Institute of Standards and Technology (NIST) cybersecurity framework) then you need to rethink your business security requirements.
Talk to an organisation that is focused on MBSSP capability.
Security! The problem with security, especially cybersecurity, is that it is not sexy.
Although not sexy and downright boring it is still something that every CEO, manager, owner, and board member has to focus on.
The more reliant business becomes on the digital world, the greater the chance that a cyber event will cripple the organisation.
Here are a few!
The cost of a cyber event can range from lost time and functionality within the organisation to more money than the organisation can find to pay for the breach.
Cryptovirus is an example of lost time and functionality. If you do not have a functioning and tested backup of the data, you have to rebuild the offending device and you will also have to replicate all of the data.
A full-blown breach by a dedicated black hat hacker can steal everything and then use your system as a platform to target your clients, suppliers and staff. When that happens you realize that you are NOT too small to be a target.
The go-to weapon of most cyber attacks is social engineering. It has two parts that make a very effective attack strategy: the technology to effect change (following a link to an infected website, clicking on an ad in social media or opening an attachment in an email), combined with getting you to trust them so that you let them in.
Either way, they are now in.
Risk and problems just compounded.
Take simple ransomware, for instance: the initial encryption of data is only one of the stages of the attack. What about stages 2, 3 and 4?
WannaCry showed us that a combination of 2 attack vectors allowed a single infection to traverse a whole network. One computer is a problem for any organisation. All of the computers is a nightmare.
In most situations managers, owners, executives, and board members do not understand the digital realm. Risk management of data (a critical component in today’s business world) is often overlooked and considered an ICT problem.
It’s not! Today’s digital security challenge is everyone’s issue and the sooner it gets noticed as a business risk and treated as such the faster we will see a reduction in attacks.
What are you doing to manage the expected cyber events that could cripple your organization?
It is a complex issue and one needs to dedicate some time, money and expertise to understanding the issues and risk associated with a cyber event.
The best way to find out how vulnerable your organisation is to a cyber event is to use the CareMIT Digital Diagnostic Tool or come to one of our regular quarterly “Security Board Meetings”.
The repercussions of a cyber event will create a serious problem for your organisation long after the initial threat has been discovered and neutralised.
The bad guys are after everything that they can get their hands on that is not theirs. They are also targeting anything and everything that has a link to the digital world.
What does not appear in the glossy brochures relating to the next shiny new product are the vulnerabilities that come pre-configured in these new systems.
I am not being nasty, but the pressures to get things to market are enormous and the first thing that is left in the background is security.
To get systems to market they will cut corners, use insecure code or even “borrow” code from other devices bringing their inherent vulnerabilities to their new product.
The WannaCry and Petya attacks were both perpetrated against a vulnerability that was patched recently but has also been present in most Microsoft operating systems since Windows XP.
The subsystem targeted allows one computer to communicate with another to share files. There have been a number of vulnerabilities found that have this profile in every operating system.
But what happens if you have succumbed to a cyber event? How do you improve your Business Security?
It is not all doom and gloom, but I can tell you from experience, in the midst of a cyber event, it feels like it.
The best way to counteract a cyber event is to expect to be compromised.