Tuesday, September 5, 2017

Malicious Authorized User

An interesting article that I have just read talks about vulnerabilities in MongoDB. I'm not that savvy in the DB arena, but I know a thing or two about patching systems. The bottom line of that article is that "Organizations should have a documented patch management process, should scan for vulnerabilities and configuration mishaps, and discover and classify sensitive data and systems so they can properly lock them down."

I agree with that statement. As I have just learned, companies put great effort into having the production segments of their network well protected, hardened and patched to the latest revision (once Microsoft provided a security patch for XP, they are all safe); however, within their enterprise network it is a different issue. IT pays attention to the servers but ignores the workstations. A few days back, a SOC that I work with found that some 30% of an organization's workstations were running outdated software whose vulnerabilities had been well documented in CVEs two to three years earlier. Did this report mean something to IT? Not a bit, as they rely on their perimeter cyber barriers to protect them.

They probably never heard of the "malicious authorized user", the insider threat that can cause much more damage, since it lets the payload safely find the right exploit and spread itself across the entire network.

Image source ipa.go.jp (here)
The article that triggered this post (here)

Sunday, May 14, 2017

Hackers don't make mistakes. It is all part of the plan!

Hackers who use tools allegedly stolen from the NSA to set up ransomware do not make mistakes.
Given that someone noticed that the WannaCry ransomware had a turn-off switch, I assume that it was deliberately planned like that, waiting to see if and when someone would reverse engineer the code to find it. Why? I can only guess that they wanted to see how fast someone would "catch" them, or better, to understand how they need to react to make it more sophisticated.
So they did. I have learned today that WannaCry 2.0 is out there without the kill switch, so it is on the loose again.
According to officials, the ransomware affected some 75,000 PCs in just 24 hours; that is $22,500,000 worth of reasons to try and improve it. You got it right: the profit potential after 24 hours was twenty-two million US dollars (paid in untraceable Bitcoin). How many paid? No one knows...
When will it end? For sure the epidemic infection will be reduced once IT organizations patch and block the SMB protocol in their networks, as it carried this virus.

Friday, April 21, 2017

Corporate Cyber Protection Methodology

Earlier this week the Israeli CERT (CERT-IL) issued a final draft of a "Civilian Corporate Cyber Protection Methodology." In this publication they are asking for comments before making the paper official and releasing it. This 160-page paper was written to provide a professional solution for the entire marketplace. The organization's protection plan derived from this document is adapted to the extent of the body's dependence on cyber.

The central principle on which this defense doctrine paper was written is that the organization as a whole recognizes that it is necessary to protect the continuity of the organization's functioning and to support its business objectives.
This concept is expressed in the document as follows:

A. Management Responsibility - The responsibility for protecting the information lies first and foremost with the management of the organization.

B. Protection depending on the potential damage - the investment in the protection of each asset will be in proportion to its criticality to the functioning of the organization.

C. Defense based on Israeli knowledge and experience - the theory of defense enables a focus on the risks relevant to each and every organization. As part of the activities of the National Authority for Cyber Defense, periodic intelligence audits and assessments are conducted for the economy. These actions enable organizations to target specific areas of the various defense circles.

D. Proactive protection - The security controls were defined with the understanding that the organization must invest additional effort beyond passive defense. This is expressed through the definition of protective controls for the stages of prevention, identification, reaction and return to routine.

E. Multilayered protection - Protection is a process that combines three main components: people, technology and processes (3 P's: People, Products & Processes). The defense theory defines a defensive response that is required on all these levels.

The original published document can work for any organization. Regardless of the locale of your office, I think that the third concept mentioned above (translated from the original paper) should read "Defense based on LOCAL knowledge and experience." The intel and assessments which are applicable to Israel might not be right for India, Mozambique or Brazil. In a multinational organization whose CSO needs to handle cyber aspects in each country, it is important to pay attention to the local recommendations for each branch as if it were the only location in the network.

There is nothing new in this document that we don't know by now, as it is based on the NIST CSF (Cyber Security Framework). The ingenuity here is that this paper adjusts the standard and makes it accessible to the Israeli market.