Category Archives: Uncategorized

Cybersecurity and the log4j vulnerability

Posted on by

I like basic

I like simple.

There is definitely not enough of basic or simple in my business!

One of the most basic and simple strategies for cybersecurity is called the essential 8.

When implemented correctly the essential 8 improves an organisations security posture significantly.

Two of the components of the essential 8 is patching – Patch operating systems and patch applications.

That was till this week.

A little context:

A vulnerability has been discovered in a simple logging component of Java.

This identified vulnerability allows an attacker to send a simple line of code to a system.

That code is then passed to the logging system and bingo they now have full access to the device as an administrator.

In other words, a 10-year-old can hack your system and do some serious damage!

That makes it a huge internet problem, in fact, it is being labeled “the worst hack in history”

First discovered in web-based systems (Apache) it has now been identified in thousands of products that are installed on computers across the world..

This vulnerability has highlighted the fact that everyone and their dog has used this logging system and then failed to think about updating it as part of their patching process.

In some cases, the versions we are coming across have been in these systems for more than 8 years and traveled from version to version.

To counteract the problem is difficult.

We cannot just remove the problem files because the application will stop working.

We cannot just change it for the newest version because the application will stop working.

So we have to wait for the software owners to patch their software and release the patch.

In the meantime, we plan for the worst and hope for the best.

We rely on our defence in depth.

We rely on our proactive systems and contingencies.

We rely on others in the industry to find solutions that can be implemented and apply them as fast as possible.

Where to start your Business Security / Cybersecurity Journey

Posted on by

Start

Time

3-hour program

What is done

Audit on assets and risk management.

What you get

  • Report on where your organisation is in relation to business security
  • Roadmap to implement basic changes to your business organisation
  • A number of process, procedure and policy templates
  • A number of Plans templates

Tools we use

  • Care-app diagnostic tool
  • Questionnaire similar to basic SWOT
  • Proprietary diagnostic tools
  • Open-source intelligence gathering tools

What do you need to do

  • Implement changes
  • Discuss with management
  • Implement proactive responses to cybersecurity

 

Threshold

Time

8-hour program

What is done

 

What you get

  • Implementation of Internet policy
  • Implementation of online security awareness program
  • In depth Risk analysis
  • In depth Risk mitigation process
  • Full blown digital SWOT

Tools we use

 

What do you need to do

 

 

Baseline

What is done

 

What you get

 

What do you need to do

 

 

Beyond

What is done

 

What you get

 

What do you need to do

 

 

Cybersecurity: Why business security is all about increased profits, productivity and resilience

Posted on by

A bright gold "TRUST" stands atop a dark gray "FEAR" on a deep blue background with light rays shining through both words.

There is a down side to a cyber event and I can tell you, every part is down!

Our role in business security (#cybersecurity) is not to scare the crap out of you but more to educate you in the ways of the cybercriminal.

Have you ever thought what could happen to your company if you did get hacked?

If your organisation was breached by a target cyber attack?

Here are some calculations for you to think about that are factored in when discussing a breach and calculating the impact.

How much down time is too much.

Every organisation has a finite level of payments for staff and workers.

Normally it is calculated in annual, monthly or weekly terms but if we bring it down further, the average cost per hour to the business of wages is considerate.

If your staff can not work due to a cyber event then the costs quickly add up.

How much will it cost to fix

Apart from the old adage of "how long is a piece of string" working out the cost to fix a breach (back to business as normal) really does depend on the severity and the infrastructure.

A targeted attack against an company compared to a random virus infected computer are at opposite ends of the spectrum.

Either one has to be cleaned, restored, rebuilt and checked.  The most overlooked cost is the time it will take to recover.

Impact on revenue

We are all in business to make money.

When the incoming money stops then the company will starve.

If your business is making $20,000 per day and you cannot receive that income for 5 days. What is the impact?

Impact on clients and customers

What happens if you go to a shop and they tell you that they cannot do something because the computers are not working.

You customer has a choice either come back later or buy it from someone else.

Recently Woolworths had a failure in their link to the bank and could not process credit and debit cards. People were leaving trollies at the checkouts and walking out.

Impact on productivity

No matter how you look at it all of these wonderful devices we use in business are just tools.

Our computers, cloud based systems, smart devices, IoT things and phones are just tools for the business to streamline productivity.

If a carpenter cannot use his hammer, how does he hammer in the nails?

When the tools cannot be used then alternatives have to be addressed and implemented.

Impact on staff and management

Not only have you got your team sitting around doing nothing but still getting payed there is a good chance that you now also have a moral problem

There will be recriminations, frustration and anger.

It will radiate out from the team, the groups and the organisation because people are no longer doing what they are good at.

A lack of trust

Outside in the market place there are now rumours about what happened, how it happened and what information of MINE has been exposed to the bad guys.

The only way to counteract a trust issue is through communication.

And now you have a compliance and governance issue

There is a substantial reporting requirement around a breach of an organisation.

Part of the cyber compliance requirements for anyone in business today is in the event of a breach you have to report to a number of government and industry bodies.

Depending on your stance prior to a breach will also depend on how much trouble your business is now in.

Good business security will increase profits, productivity and resilience.

It does not do it as a direct impact on the organisation but it does it through proactivity and making sure that the company has well tested contingency plans.

It may not be noticeable but identifying and addressing the risks, mitigating those risks to a manageable level.

Then implementing the right systems you can avoid the additional costs to the business that a cyber event will deliver.

Secure your business!

Get proactive!

Do the scorecard!

https://caremit.scoreapp.com

How to avoid being a target of script kiddies!

Posted on by

There is a huge difference between a cyber attack generated by a script kiddy running an automated system and one where you are being targeted by a dedicated hacker.

For one, if you are targeted by a dedicated hacker then you already know that you have something worth protecting and you have, hopefully, done something about it.

The biggest problems with cyber attacks on the internet are that 95% of them are coming from an automated system controlled or managed by trainees (script kiddies).

Automated systems have three reasons they are used:

  • They are easy to get.
  • They are easy to use.
  • They are easy to make money out of.

They are easy to get!

There are a number of ways for anyone to get hold of an automated system. They can download an operating system that has an automated system running on it. Kali, Parrot OS or Black-arch are all very good examples but there are others.

Designed as penetration testing tools, these systems have all of the requirements that they need to target organisations, multinationals, or anyone connected to the digital world.

Before you ask, yes it is all legal and above board as long as you are not targeting someone else.

To make these systems more effective they allow them to either download additional components from GitHub or design and program your own applications.

They are easy to use!

The old saying that whenever anything is free you are the product rings true with these systems as well. The creators of these systems keep track of people using them and incorporate any updates into their own releases.

To set up one of these systems all you need is a computer. Once you have administrator access to a computer you can download a virtual environment (VMware if you have some money or Virtual Box for free) and you can then install these operating systems as a virtual operating system.

You can even run the operating system on a microcomputer (Raspberry Pi) for under $100.

Once set up you now have access to the tools and capabilities that, if used correctly, can rival someone who has been in the industry for years. Almost like a novice woodworker creating a dovetail joint on their first try without knowledge of what to do.

No training, just using other people’s knowledge.

In addition, and a bigger issue, what they do not know can be learned or discovered by simply searching google.

The capability and effectiveness of these systems allow them to set up the automated attack and target a huge number of vulnerable systems based on blocks of internet-based addresses.

Simply they can find out if there is a targetable vulnerability just by using facets of the automated systems.

They are easy to make money out of!

These free operating systems have the capability of making money.

To make serious money, though, you need to work with partners. Working with partners can be both beneficial as well as detrimental to their own security.

When it comes to making money it is either through selling information on the dark web, selling cryptovirus decryption keys to vulnerable people or selling access to compromised systems to leverage other attacks.

How to avoid being a target of script kiddies.

To avoid being a victim you need to implement some protective strategies.

You need to apply the CareMIT business security methodology to the organisation but to start at the basics this is what you need to do:

  • Patch and update everything – operating systems, application and to really be secure remove anything that you do not use from the system. This is applied to computers, websites, servers, and smart devices.
  • Disable macros – do not allow macros to run on the computers
  • Use complex, unique and more than 12 characters for every site, service or system in the digital world
  • Use 2 factor or multi-factor authentication. If you manage websites or other cloud-based services make sure the third level of security is in place – captcha
  • Only allow good applications to run on the system. This is called application whitelisting and only approved applications are allowed to run. There are some anti-virus systems that allow you to do this.
  • The last one is critical to your sanity – DO A BACKUP. All the bad guys have to do is win once. A backup ensures that if and when they win they have not really won.

At the basic level, the users of these automated systems are just as vulnerable as the people that they are targeting. A severe case of “user beware”, because if you do not configure the system correctly you are just as vulnerable as your targets.

At the most fundamental level, we all know that most people between 13 and 30 have a limited ethical attitude and good and bad is debatable.

That’s why we have the proliferation of these systems.

Secure your business!

Get proactive!

Do the scorecard!

Read your report!

Linkto scorecard https://caremit.scoreapp.com

#ceo #ExecutivesAndManagement #ProfessionalWomen #CareMIT #cybersecurity #infosec

Cybersecurity is everyone’s job!

Posted on by

Like every organisation, small and medium business have similar problems when it comes to getting people to focus on digital security.

These are some of the inane comments we hear when we discuss digital security with staff and management of SME’s

  • Cybersecurity is Not my problem?
  • Why should I worry about that, we have a firewall?
  • Isn’t that an IT problem?
  • My staff and management teams would never do that!
  • Everyone has the same password for our business system, why is that a problem?
  • We do not see any reason to use complex passwords!

As you can see all of these comments have one thing in common.   Digital security is someone else’s problem.

The first people who will notice a problem with their computer will be the people who are using it the most.

  • They will notice a drop in performance.
  • They will notice when something is not working at an optimum.
  • They will notice that something is not working at the precise level that is needed for them to do their job.

In today’s business world it is very important for all users to understand that they are a target of digital crime.   Being a target means that they need to do something, anything they can to protect themselves from cybercrime.

Cybercrime is what it is.

  • Get infected with a virus = cybercrime.
  • Open a link in an email and have everything encrypted = cybercrime.
  • Full-blown DDOS attack = cybercrime.
  • Just being connected to the digital world makes you a target.   The less protection you have makes you an easier target.

Get over it – anyone who has a device that connects to the digital world is a target.

  • Mobile phone = target.
  • Smart Tablet = target.
  • X-box = target.
  • Computer, server, cloud-based systems are also targets.

In addition to these comments, the digital criminals are clever, persistent and always on the lookout to compromise your system.

The Insider Threat

Posted on by

We have all heard about how the insider can wreak havoc on your business. Yet, business owners and other staff don’t understand how much actual damage they can do.

From a Business Security perspective we’ve definitely experienced people in the workplace who:

  • are self-important
  • always in a hurry
  • not focused on the business at hand.

These Insiders can also have a detrimental impact on business security.

Here are 7 types of Insider Threats who make the insider threat real to any organisation.

1. Convenience seekers – bypass protocol, too hard, too busy

We have all seen them in business.   They jump here and there and start a huge number of jobs but never finish them, or finish them haphazardly.

They are more interested in their own work, not in keeping the company safe. Passwords, Updates and scans are usually bypassed. When something goes wrong, it is never their fault. Clicking on an email link without using commonsense is a primary example.

They are the first to complain about the time it takes IT support to remove a virus. By bypassing the organisation’s Cybersecurity, they put the whole organisation in danger.

Solution – get them to slow down, their job is no more important than anyone else’s.

2. The accidental victim – makes mistakes, doesn’t think

These are the people who are too timid at work. They fear making mistakes, but, by fearing reprisals and keeping quiet, they are the victim. The company suffers as well.

The accidental victim is either an older employee, or a new starter. They are very noticeable in not for profit organisations.

Solution – Provide education and training in the use of computers. Explain what’s expected in their role within the organisation.

3. They know everything – oversharing

This person is very good at big-noting themselves. They use their knowledge of the organisation to place themselves in avoidable situations. They overshare critical and confidential information in email. They don’t think about the consequences of sharing on social media and also in meetings.

Solution – separation of information,  restrict access to the information within the organisation.

4. Untouchables – it will not happen to me

We get these type of people in all types of business.  They are the second cousin to number 1.  I am not a target of cybercrime, it will never happen to me because I have nothing worth stealing.

With technology changes over the years, a bored 14 year old can be the attacker. Access to the internet is their tool. Every internet user or business is a target. Anyone can be attacked and everyone needs to take the necessary precautions.

.Solution – providing education and training.

 5. Entitled ones – access to everything because they ‘want to know’

The Entitled employee is one of the most dangerous non-malicious insider. Their laptops or tablets have the organisations secrets and use free wifi in cafes. They have no business reason to keep all that critical information, but they have to have it.

This means that there is a greater risk of the company information either stolen or attacked.

Solution – need to know.  Stop allowing access to data by staff who don’t need it. Segregate it into public, commercial in confidence and critical.   If someone does not need the information then deny access to it.

6. Traitors – malicious insiders

Previous to this one, the insiders have been the result of stupid behaviors. The Malicious Insider is a malicious person. Their focus is on them. For whatever reason, they might intend to leave, have a grudge against the company or an employee. They won’t hesitate to go to your competition with all your corporate data.

Solution – at the first whiff of someone leaving walk them out the door. Don’t keep a bad apple in the basket. 

7. The secret insiders – the bad guys, in the first stages of an attack

These are the true bad guys, the ones you should be protecting your organisation against.  They may have infiltrated your organisation via one of the other insiders, and are now able to do damage. They could have become an insider through social media, email or web based attack. The secret insider isn’t an employee. They are not answering to your policies and procedures. They will damage your organisation, because you don’t have protections.

Solution – increase awareness, do a penetration test and review the report, then do it all again. Regularly.

These Insider Threats are the ones we have come across.   Some can be a combination of one, two or three traits.  The best way to protect yourself from the insider is to pay attention to your staff and your management.

The best way to find out what your organisation needs to do to be safe is to:

1. Use the CareMIT Digital Diagnostic Tool

2. Come to one of our regular quarterly “Security Board Meetings

Why you need a new breed of Business security

Posted on by

Introduction

In the last 20 years, there has been a slow change in how the business approaches the management of the ICT component.

As business and technology changes there have been significant changes in the management process of these systems.   The more complex and costly the systems the more dedicated the support has to be.   We have gone from onsite support from staff (I know computers) to off-site support from a service provider.

SME’s no longer have the resources available to manage their ICT and a new breed of company has been slowly taking more and more control over these parts of your business.

Managed Service Provider (MSP)

Originally these organisations were known as ICT or IT companies.   They were usually run out of hardware and software stores and were more focused on those areas.

It was eventually realized that just managing the hardware and software of small and medium business and not for profit organisations was not enough.   When technology broke, the most organisation still could not afford a technician to come to the site and an IT company need to make their resources go further.

The managed service provider did a number of additional things:

  • They had systems that remotely monitored and managed (RMM) the technology within the organisation.   This allowed them to give feedback to the clients in the way of comprehensive reports on their network
  • They had helpdesk capability to fix issues as they arose from the RMM systems or issues that arose from the users.
  • They started to become proactive, not reactive.
  • In a number of ways they even became vendor managers.  They looked after their clients from the internet down to the user.

Managed Security Service Provider (MSSP)

The business has changed and the requirements for ICT support have changed, the MSP needed to do more.

To be competitive and to be more productive they started adding on services.   These services included if not delivered by the MSP:

  • off site backup,
  • managed firewall,
  • web application firewalls,
  • web site management,
  • managed Anti Virus and many more.

In most cases, they were a bolt-on action to the MSP requirements and were supplied to maximize profit and reduce cost.   In a large number of situations, the customer was not getting value for money because the MSP was tied to a specific vendor.

In the last 5 – 10 years, the bigger the perceived problem with security was the more clients were going to purchase systems from their trusted advised – their MSP.   Once again increasing profits by reducing costs.

Any MSSP that does this is actually exposing their clients to huge problems.   Most of the service level agreements (SLA) reduce this down to “all care no responsibility”

Managed Business security service provider (MBSSP)

SME’s and NFP organisations needed to approach business security in today’s business world from a new direction.

Business security has to be approached from the top down.    Management and board members HAVE to get involved.   Your MSP or MSSP who is not recommending risk management and cybersecurity frameworks is in fact doing a huge disservice to your organisation.

Risk management and a risk management process looks at all of the risks to the organisations and allows you to think and work through the process and deliver strategies to protect the organisation.   It includes the ICT and technology area but there is so much more that has to be incorporated into a risk management plan.

The second part is a cybersecurity framework.   A framework does a number of things:

  • It focuses management on the required tasks to secure the organisation.
  • It removes knee jerk reactions to perceived threats.
  • The more you implement the framework the more secure your organisation.
  • It has to be done with the involvement of all areas of the organisation from management down and from coal face up.
  • It can be managed with reduced costs, expertise and time constraints

Most frameworks have a baseline requirement.   When you start to implement the framework you have to know how secure you are before you can start to improve.   The baseline also allows you to look at priorities within the organisation.

Conclusion

If your organisation is still using an MSP or an MSSP to manage your security without looking at the risk components or without implementing a cybersecurity framework (we recommend the National Institute of Standards and  Technology (NIST) cybersecurity framework) then you need to rethink your business security requirements.

Talk to an organisation that is focused on MBSSP capability.

Secure your business!

Get proactive!

Do the scorecard!

Read your report!

Link to scorecard https://caremit.scoreapp.com

#ceo #ExecutivesAndManagement #ProfessionalWomen #CareMIT #cybersecurity #infosec

Its just not business security you have to worry about

Posted on by

Security!   The problem with security especially cybersecurity is it is not sexy.

In most cases, it is downright boring.

Although not sexy and downright boring it is still something that every CEO, manager, owner, and board member has to focus on.

With all of the automated attack vectors available to the cybercriminals, we can no longer say we are not a target.   We cannot say we have nothing worth stealing.

The more and more reliant business has on the digital world the greater the chance that a cyber event will cripple the organisation.

What are the main things that every management type needs to focus on when it comes to prevention of a cyber event?

Here are a few!

The cost of a cyber event.

The cost of a cyber even can range from lost time and functionality within the organisation to more money than the organisation can find to pay for the breach.

Cryptovirus is an example of lost time and functionality.  If you do not have a functioning and tested backup of the data, you have to rebuild the offending device but you will also have to also replicate all of the data.

A full-blown breach by a dedicated black hat hacker can steal everything and then use your system as a platform to target your clients, suppliers and staff.   When that happens you realize that you are NOT too small to be a target

How they get into your system

The go-to weapon of most cyber attacks is social engineering.   Two parts of a very effective attack strategy.   The technology to effect change, follow a link to an infected website, click on an ad in social media or open an attachment in an email, combined with getting you to trust them where you let them in.

Either way, they are now in.

Risk and problems just compounded.

Simple ransomware for instance, the initial encryption of data is only one of the stages of the attack.   What about stage 2,3 and 4.

Wannacry showed us that a combination of 2 attack vectors allowed a single infection to traverse a whole network.  One computer is a problem for any organisation.   All of the computers is a nightmare.

The protection challenges

In most situations managers, owners, executive, and board members do not understand the digital realm.   Risk management of data (a critical component in today’s business world) is often overlooked and considered an ICT problem.

It’s not!   Today’s digital security challenge is everyone’s issue and the sooner it gets noticed as a business risk and treated as such the faster we will see a reduction in attacks.

From the largest organisations to the smallest single entities, we all keep critical data in places that are easily accessed, relatively unprotected and mobile.

What are you doing to manage the expected cyber events that could cripple your organization?

There is no single, simple fix.   If there was everyone would be safe.

It is a complex issue and one needs to dedicate some time, money and expertise to understanding the issues and risk associated with a cyber event.

The best way to find out how vulnerable to a cyber event your organisation is.   Use the CareMIT Digital Diagnostic Tool or come to one of our regular quarterly “Security Board Meetings

Business Security is not just IT

Posted on by

The repercussions of a cyber event will create a serious problem for your oganisation long after the initial threat has been discovered and neutralised.

The bad guys are after everything that they can get their hands on that is not theirs.   They are also targeting anything and everything that has a link to the digital world.

What does not appear in the glossy brochures relating to the next shiny new product is the vulnerabilities that come pre-configured in these new systems.

I am not being nasty, but the pressures to get things to market are enormous and the first thing that is left in the background is security.

To get systems to market they will cut corners, use insecure code or even “borrow” code from other devices bringing their inherent vulnerabilities to their new product.

The wannacry and petya attacks were both perpetrated against a vulnerability that was patched recently but also has been available in most Microsoft operating systems since Windows XP.

The subsystem targeted allows one computer to communicate with another to share files.   There have been a number of vulnerabilities found that have this profile in every operating system.

But what happens if you have succumbed to a cyber event?   How do you improve your Business Security?

There are a number of areas you now have to worry about.

  • The most pressing is the immediate threat.
  • Have they encrypted your files and if so do you have a backup?
  • Has that backup been tested?
  • If you have a back up how will you restore your information and systems?
  • If you have cleaned the system are you sure you have everything?
  • What else has been stolen/accessed?
  • Never ever EVER pay the ransom!  You are dealing with criminals and they cannot be trusted.  If you pay there is no guarantee that you will get your data back
  • I recommend that you start from scratch, but that’s just me.

Short term tactics:

  • Has the event been disclosed,
  • Are you required to tell your clients, staff, customers
  • Has the disclosure had any effect on reputation, on your finances, on your customers, clients and staff. If so what will you now do?
  • I recommend that you do a number of things,
    • change passwords,
    • monitor credit card, and bank accounts.
  • Something that is very important – tell people.

Long term Strategies:

  • Not a person for stats but 60% of SME who have a cyber event will shut their doors within 3 months, a further 50% will shut after 12 months and/or they will be a shadow of what they originally were. (Victimless crime – my arse)
  • Check your Personal Reputation – use google alerts on your name, business name, trade marks.
  • Do a credit check – in some areas you can lock your credit rating, do it!
  • Get someone else to check chat rooms, information for sale and the dark web.

Using Business Security to avoid a cyber event in the first place?   Avoidance is hard, preparation is easy.

  • Have a decent and tested backup of all critical data.
  • encrypt critical data both at rest and in motion
  • use complex, long and unique passwords,
  • PATCH IT ALL,
  • penetration testing with minimal restrictions
  • Get paranoid, be aware and use common sense.
  • Implement a framework (we use NIST),

It is not all doom and gloom, but I can tell you from experience, in the midst of a cyber event, it feels like it.

The best way to counteract a cyber event is to expect to be compromised.

Hope for the best but plan for the worst! 

The best way to find out how vulnerable to a cyber event your organisation is.   Use the CareMIT Digital Diagnostic Tool or come to one of our regular quarterly “Security Board Meetings