Ransomware

Ransomware, Stop Focusing on the Symptoms!

Once again, a ransomware outbreak (WannaCry) has dominated the media headlines, and cybersecurity vendors are scrambling to capitalise. At the time of this writing, the top 3 spots on Google to the search phrase ‘ransomware’ are 2 vendor ads, and one ad for cyber insurance. All but one thereafter on page 1 results are doom and gloom / blamestorming ‘news’ stories. The one exception? Good old Wikipedia.

This is the exact same thing that happened the last time there was a ransomware attack, and the time before, and is the exact same thing that will happen the next time. Because there will be a next time.

From the Press’s perspective, this is just what they do, and you’re never going to see headlines like; “NHS Goes 6 Months Without a Breach!”, or “NHS Blocks Their 1,000,000th Attempted Hack!”. Only bad stuff sells, and frankly no-one gives a damn about cybersecurity unless they’re a victim, or they can make money off it.

I have dedicated many blogs to the criticism of cybersecurity vendors for being little better than ambulance chasers. This blog is no different. So let’s be very clear;

Ransomware is NOT a TECHNOLOGY problem!!

If your organisation is the victim of an attack, 99 times out of 100 it’s entirely your fault. Either your people, your process, or a combination of both were inadequate. And I’m not talking about your security program not being cutting-edge/best of breed, I’m talking about it being wholly inappropriate for YOUR business. It does not matter what business you’re in, you have a duty of care to know enough about security to address the issues.

Yes, the bad guys are a$$holes, but we’ve had bad guys for millennia and they will always be part of the equation. Security is, and has always been, a cost of doing business, so sack-up and take responsibility. And if you aren’t even doing the security basics, not only will technology be unable to help, but you deserve what you get.

Harsh? Yes, absolutely, because they basics don’t bloody well cost anything! Not in capital terms anyway. It takes what I, and every other like-minded consultant out there have been preaching for decades;

Common sense!

  1. Don’t keep your important files on your computer –  Keep your data on external encrypted hard drives and/or cloud drives. If it’s not ON your system, you can’t lose it. In a perfect world you can Forget the Systems, Only the Data Matters.
    o
  2. Patching – Your systems would have been immune from WannaCry if you have installed a patch made available by Microsoft in MARCH! I could rant for hours about this one, but there’s no point. You know you should be patching your systems, and if you don’t know that, you are clearly not from this planet. Your laptop or you PC is just a means to manipulate the data. Ideally you should completely reinstall your PC/laptop every 6 months to ensure that you have only 1) the latest and greatest versions of everything, 2) no extraneous crap you no, longer use/need, and 2) no hidden malware.
    o
  3. Back-Ups – I don’t care how little you know about computers, if you have one and are online, you damned well know you should be backing up your data. And not just to one location, several locations. Everyone from your operating system, to your bank, to your grandkids have told you about back-ups, so there’s no excuse.  External hard drives are cheap, and the online Cloud drives are numerous. Use them all. Yes, I know this is different for a business, but not much.
    o
  4. Don’t open every attachment you get – I feel stupid even writing this one, and it’s not just me talking from a position as a security professional. This is me talking from the position of someone who can read.

So from an organisation’s security program perspective, if you’d had 4 basics in place, WannaCry would not have been an issue:

  1. Policies, Standards and Procedures – The dos, don’ts, how-tos, and what-withs of an organisation;
  2. Vulnerability Management – where patching sits;
  3. Incident response – where back-ups sit; and
  4. Security Awareness Training – self-explanatory

 

SOME technologies can make this stuff easier / more efficient, but fix the underlying processes and people issues first. That or get yourself a huge chunk of cyber insurance.

[If you liked this article, please share! Want more like it, subscribe!]

Cybersecurity Collage

Without 3rd Party Security ‘Vendor Brokers’, AWS and Azure May Not Be For You

…at least for PCI anyway. It’s just too damned difficult to get all the security wrappers PCI requires without Vendor Brokers.

Cybersecurity has now be made too complex – by security vendors – to be able to mix-and-match with individual vendors from the AWS/Azure marketplaces. I don’t know of any single vendor who can cover even a majority of the PCI requirements related to platforms.

i.e.

  1. Firewall Management;
  2. Configuration Standard(s);
  3. Anti-Virus;
  4. Vulnerability Management;
  5. Patching;
  6. Access Control;
  7. Authentication Mechanism(s);
  8. Logging & Monitoring;
  9. Web Application Firewall; and
  10. File Integrity Monitoring

There are many reasons for this, one of which is that ever since security became a multi-billion £/$/€ a year industry, hundreds of companies have started up to try bring us the ‘silver bullet’ appliances.  Not only do silver bullets not exist in cybersecurity – and you should be shot for using the phrase in any way that’s non-derogatory – but where are the overwhelming majority of those companies now?

They either failed, or have been ‘collected’ by larger companies who have tried to duct-tape the disparate products into silver-bullet solutions.

Which have also failed.

It’s not that the original products didn’t work, some of them actually did, it’s that;

  1. Organisations threw technology at business problems without knowing why they were doing it;
  2. The big companies that collected the smaller ones tried to integrate the individual products together under one GUI, instead of unifying the functionality under a single code base; and
  3. There has never been, and there never will be, a one-size-fits-all solution to security.

But the market is still ripe for innovation, and there will continue to be companies starting up with the goal of bringing a single product to market that will catch the latest security hype/wave/buzz and make them their fortunes (UEBA for example).  They may even succeed, but only if they make their impact in the first year or two, otherwise the market will have moved on.

And if they’re VERY lucky, the larger companies will be naive / ignorant enough to buy them and save them the trouble.

Don’t get me wrong, I am not against combining single products into a larger solutions. In fact it’s the only way to go, but only if it’s done correctly.  Single product companies have 100% focus, which gives them drive, short-term goals, and a dedication to making their one product the best. The second you absorb that company however, every one of those attributes that put them on (or near) the top, are lost in the larger mix.  The functionality is diluted, innovation ceases, and the the whole thing quickly becomes obsolete.

True integration of functionality can only be accomplished with a single code base, and a single platform, which means that any organisation that absorbed the smaller companies better have a plan in mind to migrate not only the applications over to their growing solution, but they will need to consider all of the clients who bought the product prior to the M&A.  These guys often suffer from a total lack of customer service and support, and there’s no way they’ll buy into the larger program.

In my experience, the due diligence necessary to combine product companies is not overly abundant, and until it is, we should all be VERY careful when we look to resolve our security issues with multi-function solutions.

I call these Vendor Brokers ‘collage companies’, as the picture might be pretty, but it’s in no way whole.

Here are a few questions you might want to ask your potential providers;

  1. Can your solution replace some / most of my current functionality?
  2. Do you provide a consultancy ‘wrapper’ around these solutions to help us manage them against our business goals?
  3. Will the output from your solution feed into my current collection mechanism, or can my current output feed into yours?
  4. Are the various aspects / functions of your solution ‘home grown’, or obtained through acquisition?  If acquisition, how have you unified the back end code and platforms?
  5. How do you ensure that the different functions of the solution receive a similar attention to what the single product vendors provide?
  6. Do you have a single customer support process to handle all functionality questions?

Regardless of the shenanigans going on in the security product market, your choice of Vendor Broker should only be driven by what your risk assessment and gap analysis said you need, and your due diligence should cover any requirements you may have regarding integration and ongoing maintenance.

If is doesn’t, don’t expect Vendor Brokers to help, they have enough problems keeping their own houses in order. 

[If you liked this article, please share! Want more like it, subscribe!]

PCI L1 Service Provider

From FinTech Concept to PCI Compliant in 6 Months?

Anyone wanting to start a new business in FinTech/payments – digital wallets for example – has to address PCI. Like it not, payment cards are still the dominant form of non-cash payment on the planet. By far.

So what if you have a great idea in this amazing world of opportunity, but your skill-set is in payments and innovation, and not IT or cybersecurity. How do you get your service to market, AND play by the rules? Can you do this in time to be ahead of game given the incredibly short timeframe of today’s competitive advantage?

Well, you could just self assess, but you are restricting yourself to a maximum of 300,000 transaction annually.  But more importantly, would you trust your money to a service provider who self assesses? No, neither would I.

However, I’m talking about full Level 1 Service Provider compliance through a reputable QSA (yes, there are some out there). How can you set up the infrastructure, get all the documentation in place, AND get all the way through a PCI DSS Level 1 assessment in 6 months? And if you do, have you really done it properly?

The answer is yes, you can, but there are MANY caveats, and if you deviate from these steps you will not get there. I am only interested in helping organisations get compliant properly, I have no interest in adding more crap service providers to the ecosystem.

First, you have to completely ignore the PCI DSS. Any plans you make to design both your physical infrastructure and your security program from scratch must be with real security in mind. Never compliance alone. For that, many organisations turn to the ISO 27001 standard. There are others, but try finding affordable consultants who can help you implement them. As long as you realise they are all just frameworks, not step-by-step instructions, then you’re ready to start asking questions.

So What Are the Steps to Compliance?

o

  1. Get Help – This should be no surprise. I don’t perform emergency appendectomies, I’m not remotely qualified, why would you try to achieve compliance when that’s not your experience or skill-set. Yes, is can be expensive, but nowhere near as expensive as any of the alternatives. There are some very good consultants out there, do your homework and find the best one for you.
    o
  2. Outsource the Infrastructure – Unless you’re an expert in everything from hardened operating systems, to logging and monitoring, to firewall management, you will want to outsource as much of the platform as you possibly can. Unfortunately, finding a single provider who can take on anything more than physical hosting and some networking stuff is still ridiculously difficult. Amazon Web Services (AWS) for example is about as bad as you can get. Unless of course you want a dozen or so independent service providers to manage along with Amazon.
    You MUST ask the right questions, and this is where your  consultant comes into play. S/he will write your RFP, interview providers, and eventually produce a responsibility mapping of services against the PCI DSS. This will match their Attestation of Compliance, as YOU should only do business with L1 PCI compliant service providers.
    o
    You are welcome to use my mapping if you don’t have one: PCI DSS v3.2 SP Responsibility Mapping
    o
  3. Policies, Standards & Procedures – You have to start somewhere, so you will likely want to buy a Policy Set. Once again, you have to be very careful as there are dozens of options but few will be fit for purpose. In this case, ‘fit for purpose’ means the service must 1) get you through compliance, 2) provide a platform for your unique culture, and 3) be self-sustainable for the long-term.
    If you buy a Policy Set with ‘PCI’ in the title, you have already failed. Buy one that your consultant can customise on your behalf, and then teach you to manage yourself. Get one that; 1) Is already mapped to both the PCI DSS and your chosen framework (usually ISO 27001), 2) has document management built in (numbering, content standards, assigned coordination etc.), and 3) is easily distributed to the subject matter experts best placed to maintain them.
    o
    I have written a quasi-white paper on how to choose the right the right service, you use the questions as an RFP: ‘Selecting the Right Policy Set
    o
  4. Hire a Completely Independent QSA – While it may be very tempting to have your consultant take care of all the ‘PCI stuff’, bite the bullet and keep these separate. No, you don’t have to be an expert in this stuff, but if you are relying completely on your consultant you are building in a single source of failure. By all means have your consultant run with the assessment, but be involved. If you don’t, you’ll have no idea what you paid for in the first place. In fact, you may even want to build in some SLAs regarding how much remediation is required from by QSA. There will always be some, but if it involves significant scope creep or capital cost, your consultant has failed you. Remember, you have outsourced almost the entire function of PCI to your platform provider, validation of compliance should be a formality.

Of course this is oversimplified, but I’m already way over my self-imposed word limit. However, while I haven’t included any of the inevitable challenges, the process is a simple as security itself, it’s up to you to find someone who can make it simple.

[If you liked this article, please share! Want more like it, subscribe!]

Deception Technologies

Deception Technology: Only if You’re TRYING to Get Fired!

One of Sun Tzu most quoted phrases in The Art of War states; All warfare is based on deception.

Sun Tzu was not in cybersecurity.

99% of the defence against hackers has nothing to do with deception. It’s about making things too difficult to be worth attacking in the first place. Very few of you reading this are ever going to be the specific target of a state-sponsored agent, or an organised crime ring. Threats to you will therefore be mostly opportunistic in nature. Bad guys are lazy, make things difficult and they will usually move on pretty quickly.

On the other hand, expose something to an opportunistic hacker that looks easy to break, and you will have his/her attention. You would not have had their attention otherwise. To make it worse, when they find out that they have been deceived, you have done the worst thing imaginable.  You’ve pissed them off.

Now it’s personal, and for a hacker, this means they will be patient. Very patient.

This is bad.

So What is Deception Technology?o

According to TechTarget a deception technology is a; “category of security tools and techniques that is designed to prevent an attacker who has already entered the network from doing damage. The technology uses decoys to misdirect the attacker and delay or prevent him from going deeper into the network and reaching his intended target.

You’ve already failed to detect the intruder through your other security controls / technology, so you should buy another tool to slow them down?

Even the very far from perfect PCI DSS has enough security controls defined to make breaches difficult enough. From hardening standards, to encryption, to access control, to FIM, to penetration testing, very few organisations need more. The issue is not the number or even type of controls in place, it’s the complete inadequacy of their implementations.

Why Deception Technology is  a Horrible Idea

As far as I’m concerned, it should be possible to assume any organisation that implements deception technologies has or is:

  1. …completely optimised their security program – because why would you try to deceive before you’ve done your best to prevent, or detect with existing controls?;
  2. …the in-house expertise to perform the function – because who in their right mind would buy Deception-as-a-Service?;
  3. …ridiculous amounts of money to spend on cybersecurity toys – because even open source tools have a corresponding resource cost;
  4. …happy to draw the attention of the bad guys – because hackers hate a challenge, right?; and
  5. …a security chief who wants to be fired – because why else would they waste their time and the company’s money on something so pointless?

If you accept that you shouldn’t buy technology until your risk assessment process highlights a relevant functional gap, then consider this; In 15 years of performing security assessments at organisation both large and small, I have NEVER seen the need for deception technology. Never. Governance, yes. Policies and Procedures, absolutely. Incident Response, without doubt. Deception Technology, not even on the radar.

You Won’t Get Fired for Doing the Basics

Finally, every blog I have ever written harps on about the exact same thing; back to basics. If you were doing the established cybersecurity processes correctly, deception technologies would not be necessary. Every aspect of your security program must focus on baselining your environment to a known-good, and reporting exceptions. Nothing more.

But risk assessments, vulnerability management, change control, asset management etc are just not sexy enough to sell. If it’s not shiny and has a fancy new name, vendors can’t get a foot in the door. Demand generation is ruling the day, and only the vendors are seeing the benefit.

It’s not their fault though, you’re the ones buying their snake oil.

[If you liked this article, please share! Want more like it, subscribe!]

Insecurity Through Technology

Insecurity Through Technology

Some time ago I gave a presentation on BrightTalk titled ‘Insecurity Through Technology: Back to Basics‘ with the premise that the uncontrolled purchase of security technology to satisfy a perceived need may actually INCREASE your risk (go to Downloads if you just want the presentation).

Despite the crayon-esque diagrams, and the majority focus on PCI, I wanted to expand upon this concept in light of my current focus on simplifying security into “core concepts”, “appropriate / proportional security”, and “business-first”.

PCI lends itself as the perfect example of how a perceived need for technology can result in some very poor purchasing decisions.  Just look through the 12 sections of the PCI DSS and you may, in some form – and if you’re very unlucky – need ALL of the following; firewalls / routers, encryption, anti-virus, web application firewall, access control mechanisms, physical security measures, logging mechanism, vulnerability scanning, penetration testing, wireless scanning, file integrity monitoring, and a ton of ‘paperwork’.

All too often budgets are spent on items such as these at the beginning of a compliance project instead of when, and IF it’s really necessary. A lot goes into a compliance before you should be buying anything other than expert guidance or an education series.

The problem is on both sides of the sales process. The salesperson only knows how to sell either what they are being asked for, or more usually, as much as they possibly can. The purchaser has probably not done their proper due diligence and is asking the wrong questions. The best way to resolve this is if at least one side of the equation is aware of the The 6 Security Core Concepts, and follows the established good practice for the institution of a security program.

Analogy; If your doctor tells you you’re going to require an operation, you will of course learn all you can about the procedure. You may even become something of an authority in your condition (to laymen anyway). What you will NOT do is try to perform the operation yourself. Why would you treat cybersecurity any differently if you’re not an expert?

Know enough to ask the right questions, then let the experts take over. How do I…

  • choose the right technology?
  • ensure it can be integrated with current processes?
  • manage and monitor it?
  • measure it?
  • show the benefit to senior leadership?
  • …and so on…

If new technology is not properly configured, baselined, monitored, and maintained, you have added another potential vulnerability to your infrastructure. Any appliance is just another hardened server running an application of some sort, and should be treated the same way as the ones you build yourself.

Also, the more data you receive the more important baselining and tuning becomes, as you don’t want the important stuff to be obscured under layers of false positives. I do not believe there is room for Big Data analysis in security (per Don’t Get Me Started on ‘Big Data’), so integration of new technology with less-is-more security processes is paramount.

This has been, and will continue to be a theme throughout my blogs; 1) don’t buy anything until you know why you need it, 2) install nothing in production until you have figured out how to use and manage it, and 3) integrate all processes around it with a single overarching operations centre.

The threat landscape is intimidating enough without making things easier for the bad guys.

[If you liked this article, please share! Want more like it, subscribe!]