Cyber Training Your Operational Security Force

NOTE: This is a repost of something I initially posted to LinkedIn on . I will be consolidating a number of older posts to my blog in the near future. Enjoy.


As I am here at the (ISC)2 Security Congress, which is co-located with the ASIS International annual convention in Orlando, I am once again struck by the growing crossover between the information and physical security worlds.

For those that do not know, ASIS is an association dedicated to education and advancement of operational security professionals around the world. Their annual conference features a huge expo hall with every type of physical/operational security gadget you could ever want. There are a plethora of security cameras, gate systems, sensors and even weapons here on the ASIS side of the conference. The “3 G’s” (Guns, Gates and Guards) are the bread and butter of ASIS.

(ISC)2 on the other hand is a cybersecurity certification organization most well-known for the CISSP certification. They also have information security vendors on the expo hall floor.

These two are joined together because, as the lines between traditional security and information security start to blur, both sides need to be educated. More and more, these two worlds are colliding, and it makes me think about the level of training these security guards and other law enforcement individuals receive with respect to social engineering, especially on the cyber side. Why does it matter if they can spot phishing-type attacks or other electronic social engineering? Well, these folks are the front line of security, and more and more, their tools are living in cyberspace. These individuals can control gates, cameras and entry points remotely from hundreds of miles away in a SOC. Oftentimes, the very control of these gates, cameras or sensors is transmitted to “The Cloud” and then relayed to or from the internet-connected device that is being controlled. A large number of camera systems are IP-based; doors are even networked and controlled by computers and IP-based networking.


To top it off, many physical security manufacturers are not agile enough to provide patches to zero-day software vulnerabilities as quickly as infosec vendors, which leaves the devices vulnerable for extended periods of time. Often these vulnerable systems are on the same network as the rest of the organization’s information technology assets. This is a recipe for disaster, much like what happened with Target where the attack on the POS credit card machines started with vulnerabilities in the HVAC systems.

Imagine if you will, ransomware stopping an organization’s ability to control ingress and egress from buildings or parking lots or even worse, the bad guys being able to control it themselves. How about the ability to remotely deploy an active vehicle barrier system or silence the sensors on the fences?

Untrained individuals can allow this to happen by simply clicking on a malicious link or opening the wrong attachment. Once the bad guys are in, the network is their oyster. This is why, as these digital and physical worlds collide, it is more important than ever to ensure the very people who are guarding our buildings and property are aware of the electronic threats as well as the physical ones.

Cloud-based risk is nothing new to us IT folks, but for those that employ high-tech tools for your operational security, take the time to assess the risk these pose and train your employees to resist the threat they may not be aware of.


Erich’s “What in the (cyber security) world is going on?” 03-02-17 edition

OK, this is a VERY packed edition of the weekly wrap-up of security stuff.

Amazon S3 went down for a while

There was a collective cry of pain and the echoing sound of SLAs being violated when Amazon’s S3 service went down. To top it off, their dashboard showed that all things were warm and fuzzy for quite some time. The official word was that the outage was due to “high error rates with S3 in US-EAST-1.” By “high error rates”, they meant all hell was breaking loose somewhere. This prompted a lot of fun on the Twitters, as folks weren’t so happy about things being up in flames around them. Imagine that.


Cloudpets leaked a bunch of data because they are idiots

I’m a bit peeved at this since my youngest daughter (and therefore me) has one of these. Luckily we didn’t do much with it, but for those that have, recordings and info were leaked due to poor security. It even seems they were warned about it in advance. This really does make me sad because the little buggers are adorable and are a great idea for those who travel a lot, or are deployed.


Android Ransomware Wants Victims To Speak The Unlock Code

Lockdroid is throwing out a new twist. What could possibly go wrong here? Think about how often you have been annoyed by trying to get a machine to understand your voice. Imagine that after you have been ransomed. You are really screwed if you are Scottish (language warning)!


Torrent-spread macOS ransomware spotted in the wild. Decryption doesn’t work even if you pay

It looks like this Mac ransomware is spreading by posing as a software license crack in torrents. The bad news is, even if you pay, the dev doesn’t have the key to decrypt the files. Another lesson to stay away from illegitimate software.


Spora Ransomware Chat Logs posted

This is an interesting read if you want to see what happens with the Spora ransomware chat help. Looks like no chance to negotiate price, but you can get some time.


Cloudbleed strikes: If You Use Any Of These Sites, Reset Your Password Now

Cloudflare had a memory leak, so if you went to any of the 5 million sites impacted between 09-22-2016 and 2-18-2017, your passwords, private messages, API keys, and other sensitive data may have been leaked. The list of affected sites is here.


American Senior Communities Falls For A W2 Scam. 17,000 Employees Affected

Really, Monarch? Twice by the same employee?

The scam happened in mid-January, but they didn’t realize it until employees started having trouble filing returns in mid-February. This is the third Central Indiana employer in less than a month to fall for W2 scams. Monarch Beverage Co. and Scotty’s Brewhouse also fell for it, with the employee at Monarch having done the same thing last year.

Sometimes I just want to shake people until they get it and put training and procedures in place to stop this sort of thing. It’s really not that hard or expensive to implement.

W2 scams are no joke and really mess with the employees. Please be careful when handling this sort of info.


Do You Know What Your Cyber Insurance Really Covers?

This is just a reminder to be aware of what is and isn’t covered by your cyber insurance. I highly recommend that you speak with an agent and do a review of the coverages BEFORE it hits the fan. I recently learned that while notification can be the most expensive part of a breach, it’s often not covered by default in the policy. To add to that, cyber insurance is still in its infancy, so coverage is rarely standardized. Don’t blame the insurance companies for this, as it’s a very new type of risk; it’s your job to know, with their help, what you are paying for.


Take for example the P.F. Chang’s breach. The $1.7 million cost of defense against customer lawsuits was covered, but the roughly $2 million in fees and fines imposed by credit card issuers to pay for notifications to cardholders, reissuance of credit cards, and other costs was not. It really pays to know what coverage you have.


Maine Credit Union Members Victims Of ATM Skimmer

Downeast Federal Credit Union found a skimmer on an ATM after several members called to report fraudulent charges. A skimmer was found on the ATM at the credit union’s Lincolnville Avenue branch. The Belfast Police Department has checked all Downeast FCU ATM machines and found no additional skimmers.



Roxana Police Department is done cleaning up after ransomware attacks

I swear, small town police departments can’t wait to get hit by ransomware. I keep seeing it over and over again. In this case, “the work of sophisticated hackers who seek out vulnerabilities in digital networks, enter computer systems and encrypt important data…” (a.k.a. a piece of malware sent in a phishing email) was inconvenient rather than crippling. Based on the article and the lack of desire to share any info, along with the sensationalizing of the attack above, I’d say they are pretty embarrassed about it.


Madison, WI Requires “Unique Locking Devices” On Gas Pumps Due To Skimmers

I can’t say that I like a lot of government involvement and additional regulations, but I appreciate that they are trying to stop the issue. It’s far too easy for folks to install skimmers, and while this doesn’t solve the issue or counter skimmer overlays, it does take a step to help. Locally here in Florida, I have seen attendants at more than one Speedway station checking the pumps daily and putting on tamper seals. I have told them I appreciated the effort.


VISA warns for Flokibot Spear Phishing Infections

So, it looks like a new malware variant identified as “Flokibot” is hitting the Caribbean and LATAM. The malware is focused on point-of-sale (PoS) devices and, like so many other types of malware, is being spread predominantly by phishing email. I will be personally volunteering to go look at this threat, especially in the Caribbean, on behalf of my company. It may take a while to investigate. You know, weeks, maybe months…


My 2016 Unemployment Diaries Recap – Day 6 to Day 8. More to follow

Please note, this is a reposting of some previous entries made in 2016 when my position was eliminated and I found myself unexpectedly unemployed. This is being reposted here simply for the purpose of preservation as I am not maintaining the old site much. In any case, enjoy if you feel like reading it:


January 11 at 9:32am – Day 6 of unemployment

Today will be a busy one. My 8:30 WebEx interview started, but he had to go to a meeting, so we are going to regroup again at 11:00. I am meeting another recruiter at 3:00 for coffee to go over my resume and discuss what she has available. I also need to pick up my stuff from the old office in there sometime.

On a plus note, I just dropped my youngest off at the park from where she walks to school. I was wearing grey pinstriped suit pants, slip on shoes, a white undershirt and a black Rockstar energy drink hoodie. I think I just got some street cred from some of the moms there. I was totally rocking the “whatever was laying around” attire. If I had enough hair to put in a messy ponytail, I would already be in the club. There is always tomorrow.

Sadly though, nap time is ruined! Being unemployed suddenly feels like a lot of work. Sheesh.


January 12 – Day 7 of unemployment

Day 7 of unemployment – Once again I was denied sleeping in. I had scheduled a doctor’s appointment at 8:20am. What was I thinking scheduling at that time? I thought I would have more rest than this without a job.

I have, however, become one of the pack. Not the pack of neighbors, but the pack of animals in the house. It all started with us spending time together this morning all barking at the rather startled and confused-looking mailman. Then we spent some time chasing each other around the house barking. The cat was not amused. Both of the dogs are just resting peacefully on my feet and sharing space. I am the Alpha in this pack now, and I’m so happy I feel like dragging my butt across the carpet in joy!

I did have a 3rd interview at 12:30 that I think went really well. I am assuming no more than 17 interviews left to go, and I’ll know more about getting the job.

I have been pretty nervous about this and not sleeping well because of it. I found myself feeling anxious about the interview, so I started watching Making a Murderer, which has been recommended by a few friends. I’m on episode 2 now and I’m hooked.

Speaking of hooked, still no fishing has transpired, and my loving wife told me last night that it’s just too cold for her to want to fish. Who is this woman, and what have they done with my wife? I will get some fishing in if it kills me.

I will update as it happens.


Day 8 of unemployment – The Lawn Crews Cometh!

Day 8 of unemployment – Well, today it happened as I had been told it would. Laurel Ludwig, you were right, the lawn crews came today. They came like horticultural ninjas on zero-turn mowers. It was like a botanical ballet with weed-eaters, edgers and power blowers performing a dance to rival Broadway shows. It was fascinating to watch, and ended as quickly as it started.

Once ended, I peered out over my lawn and realized that those little buggers had now made my lawn look like a war-torn battlefield in comparison. Dang it, now something had to be done about that.

I proceeded to break out the lawn implements and attacked my Jumanji-like landscape. While taking on the front yard, I found that someone let what appears to be a medium-sized pony use my yard as a restroom. It was HUGE! I am not a fan of poop. I have a very weak stomach and tend to do the whole “ech, ech, ack” thing as I try not to recycle my previous meal. I’m a real tough guy with the dry heaves and a plastic bag trying to sack up this unsightly fecal phenomenon.

After that, I hit the back yard. Here, I was surprised to see that a 100% increase in dog butts appears to have created a 500% increase in poop. I did learn something new today… If you raise the wheels high enough, the mower will just clear the poop, leaving it exposed for your kids to pick up when they return home from school. They are less thrilled about this revelation than I am, but it worked great for me :D.

Tomorrow I am supposed to have an interview at 8:30am. Wish me luck!



My 2016 Unemployment Diaries Recap – Day 1 to Day 5. More to follow

Please note, this is a reposting of some previous entries made in 2016 when my position was eliminated and I found myself unexpectedly unemployed. This is being reposted here simply for the purpose of preservation as I am not maintaining the old site much. In any case, enjoy if you feel like reading it:


January 6 at 9:48am · For the first time in a long time, I am now unemployed


January 7 at 10:11am · So, 24 hours later I still feel a huge amount of relief…

Oh, and catching up on Mr. Robot. I’m going to catch up on Mr. Robot darnit!

And maybe do some fishing.

God is good and has a plan so I’m not scared!



January 8 at 9:49am · Day 3 of unemployment

There is a significant chance that I will have to actually get out of my PJs today. It’s unfortunate, but I have 2 interviews scheduled. One has a very relaxed dress code, but that might be pushing it a bit.

I will now go peer out of the blinds, make a condescending sneer and retreat to my quiet domicile for a while longer.

Stay tuned for more updates later.


January 9 at 12:07pm · Day 4 of unemployment

Fishing evaded me again due to forgetting to set my alarm to go off on Saturday. I will avenge that error soon!

Until a bit later.


January 10 at 1:34pm – Day 5 of unemployment

After the shower, I actually put on clothes so I could go to church. Our church is pretty casual, but 3-day-worn Arizona Cardinals pajama pants may have been pushing it a bit, even there.

We are about to relinquish the pursuit to be the last family in the country to see the new Star Wars movie. We had some left over Fandango cards from Christmas that we were able to use. I was beginning to think we wouldn’t get to see it until it was released on DVD…

…while crouched in the neighbors’ bushes looking at their TV through their window. Not saying money is tight, but, well, ya know, without a job and all, some adjustments have to be made…

I have changed my focus on the war with the mouse living in the grill from simple eradication, to a potential source of meat. Things are about to get primal in the Kron lanai. Speaking of which, if you know anyone interested in purchasing mouse pelts to use for warmth this winter, let me know. I will accept pre-orders and shipping is possible.

I’ll keep you all informed of my progress. Until then, have a great day!


Ransomware recovery time is longer and more expensive than most think

Here are some pretty ugly numbers and a look into why I am so obsessed with helping people avoid infection. The sad part is, you can protect yourself pretty well with basic “security 101” stuff like segmenting the network, “least privilege” access, weapons-grade backups and quality awareness training/simulated phishing. You don’t need to burn money to protect yourself.

  • 85 percent of those infected had systems forced offline for at least a week
  • 1/3rd of cases resulted in data being inaccessible for a month or more
  • 15 percent found that their data was completely unrecoverable
  • 63 percent of orgs have no official ransomware policy in place
  • About 50 percent of victims paid more than £3000 ($3700) in ransom
  • SMBs usually paid between £500 ($621) and £1500 ($1864)

Those are pretty ugly numbers, folks. My company has a free Ransomware Hostage Rescue Manual that can help prepare for this, as well as a free ransomware simulator you can use to check your endpoint protection settings and capabilities. Please, for the love of all that is good in the world, do something to prepare for ransomware attacks. No matter the size of your company, you need to be ready. Not to sound like a sales pitch, but the KnowBe4 platform starts at only about a buck per month per user and gives you unlimited training and phishing with a really easy-to-use platform, so things that can make a big difference (and it really does!) aren’t even that expensive.


Don’t Panic: Simple ways to deal with a risk gone wrong

NOTE: This is a repost of something I initially posted to LinkedIn. I will be consolidating a number of older posts to my blog in the near future. Enjoy.

Have you ever seen someone make a bad decision in traffic, perhaps not paying attention while changing lanes or something similar, avoid an accident, then make up for it by driving like an idiot afterward? Oftentimes this involves speeding up, weaving in and out of traffic and other less-than-careful maneuvers.

I see this happen a lot in my commute in the Florida traffic and often wonder why we as humans, after escaping or recovering from potential disaster, seem to recover by exhibiting even more risky behavior. Full disclosure here: I have been in these shoes myself and looked back at things wondering what I was thinking.

In my IT career I have seen this same phenomenon happen in incident response situations. A mistake is made during the response, and the individual overcompensates and makes poor decisions moving forward. The more the rope unravels, the worse things get.

Ransomware and CEO Fraud (aka Business Email Compromise or BEC) are certainly key concerns in today’s risk landscape. While preventing the incidents through user training is a core competency of my company and a proven method of defense, sometimes a person will accidentally click on the wrong thing. If this does happen, it is important to remain calm and not make the mistake of overcompensating. So what can you do to keep calm in these situations?

First, have a plan. If you make a plan when you are calm, it can keep you from missing steps or overlooking simple things. This plan should identify the risks and include preventative measures, like Security Awareness Training for phishing attacks, and actions in case things do happen.

Second is to have a plan for when you don’t have a plan. There will be times when the unexpected happens and you have not planned for it. The plan can be as simple as reminding yourself to calm down and assess the situation rationally, but should be written down somewhere as part of the process prior to the moment of panic.

Third, communicate clearly with others using as many facts as you can and make it clear when there are assumptions on the table. Your credibility is key to allowing leadership and your team to make correct decisions. It’s OK to mention theories, but make sure the audience knows it is just a theory until it can be proved. Don’t be the source of panic, but instead the voice of reason. This will help your entire team function better and keep you from recovering from one mistake just to make another one.

Keep these things in mind and you can keep cruising along in the fast lane.