Weekend is here. How about 2 min of #infosec learning?
Today’s #infosec Word of the Day #5 is
#duediligence 😇
In #infosec due diligence means doing one’s homework, taking precautions, doing the right thing and making sure that appropriate controls and countermeasures in place to avoid harm to other persons or their property.
I found this PwC publication which describes cyber due diligence.
“successful cyber due diligence should yield not only a road map of critical remediation items but also the responsibility for, cost of and timeline for resolving each item.”
That was it for today, follow me for more tidbits and hit that like button on this post to automatically engage in a conversation and keep #learning!
Thank you for your feedback and comments. Let us get down a little deeper in #Infosec today.
Today’s #infosec Word of the Day #4 is
#PKI 📃 – Public Key Infrastructure
If you work for any organization today, most likely in the role of asset owners, risk managers, principal engineers and various positions who are responsible for your organizations systems, products and solutions, you will come across this term #PKI. It stands for Public Key Infrastructure.
Simply put, a PKI is a system of software, hardware, creation, storage, and distribution of digital certificates.
The core of most security systems is authentication and access control and the digital certificates give us the ability to identify people and machines behind the information that is presented either on the screen or to other systems for further processing.
They also provide the ability to secure sensitive electronic information as it is passed back and forth between two parties, and provides each party with a key to encrypt and decrypt the digital data
#sslcertificates are one prime example of these. As an exercise of your cyber-hygiene, go ahead and click on the 🔓 icon on any website, and see which PKI Organization issued the SSL Certificate.
That was it for today, follow me on LinkedIn and hit that like button on this post to automatically engage in a conversation and keep #learning!
One of the buzz word thrown around in many discussions around best practices in #Infosec with respect to the security culture in a company.
Cyber hygiene is the cybersecurity equivalent to the concept of personal hygiene in public health.
The European Union’s Agency for Network and Information Security (ENISA) states that “cyber hygiene should be viewed in the same manner as personal hygiene and, once properly integrated into an organization will be simple daily routines, good behaviors, and occasional checkups to make sure the organization’s online health is in optimum condition”.
ENISA even published a report in 2016 -https://lnkd.in/e5kkdbd
That was it for today, follow me on LinkedIn and hit that like button on this post to automatically engage in a conversation and keep #learning!
Today’s #infosec Word of the Day #2 : #PASTA 🍝 (-threat modelling methodology)
This PASTA is for a different kind of appetite, the one associated with threats aka #Riskappetite.
PASTA is a threat modelling methodology to identify threats in a very systematic way. It stands for Process for Attack Simulation and Threat Analysis , a 7 step risk centric method to identify threats.
That was it for today, follow me on LinkedIn and hit that like button on this post to automatically engage in a conversation and keep #learning! #riskmanagement#threatassessment#cybersecurityawareness#cybersecurity #INFOSECWOTD
Today’s Word of the Day #1: #Sneakernet (also sneaker net) :- Sneaker 👟- Net 🌐
Sneakernet, is an informal term for the transfer of information (data) by use of a physical media such as USB flash drives, optical discs, or external hard drives between computers, rather than transmitting it over a computer network. #INFOSECWOTD
Here are some of the headlines for the end of the week on 11/29.
Digitally Signed Malware which goes by the name Bandook, which literally means , Shotgun in Arabic and Hindi, a retooled version of a decade old Backdoor Trojan, unleashes a new wave of attacks against multitudes of Industries. These include Governments, financial, energy , healthcare, IT and Legal institutions located primarily in Chile, Cyprus, Germany, Indonesia, Italy, Singapore, Switzerland, Turkey & the US. The attackers behind this malware are linked to Lebanese and Kazakh Governments. For a detailed report, check out Checkpoint’s research website and search for Bandook for more details.
WordPress, that started its Journey in 2003 from the death of its predecessor version of blogging software called b2/cafelog, has come a long way from few hundreds of installations in 2004 to nearly 35% of the internet powered by it. Which obviously interests the bad actors. Attackers probe the internet for vulnerable plugins on these wordpress sites, the pieces of codes that makes the wordpress so useful and popular and using techniques such as SQL injection, broken access control, Cross-site request forgery and 10s of more types of exploitation of various application security risks, these attackers are then able to compromise these websites for their benefit. So if you are interested in keeping upto date on these vulnerabilities, check out WebARX’s WordPress Vulnerability NEWS, which seems to be kept upto date frequently.
Now for some Fake News and by the way it is real. It has always been there while its affects were minimal with Print media and televisions and more over the NEWS people took it upon themselves to verify the news before they blurted it out. While most NEWS outlets continue to follow this strict regime of verifications, the millions of online news outlets, which include mom and pop type blogs, to Facebook groups and some even affiliated to major print and television news outlets, have started promoting or pushing fabricated NEWS. With COVID-19, this problem has grown to cost more money and most importantly affecting lives of people.
In UK, a member of parliament, Mr Khalid Mahmood, during a Westminster Forum Conference on tackling fake news and online misinformation, said, that I quote ” is totally negated from platforms where someone can put whatever they want and move forward” and trying to trace that back and address that is becoming increasingly difficult as platforms take time to deal with it.” he said. It will be interesting to see other countries take more steps to deal with Fake news. I believe it is not just the responsibility of the service providers such as google, facebook, twitter, etc but policies and guidelines from various governments and law enforcement working together with Healthcare organizations to publish and provide accurate and correct information so users can verify and make the right choice whether it is deciding to take precautions or to make the right choice when dealing with COVID-19 and its challenges.
If you are interested in learning more about Misinformation and how to deal with it, check out New York Times guide on how to deal with misinformation.
Before we head into CVEs or latest from US CERT’s latest notifications, we are going to cover one more headline, which is more of a good NEWS and definitely worth the mention especially due to nature of the cybercrimes and the challenges there is in nabbing the suspects.
Business Email Compromise, something that we have been dealing since email became the primary medium for businesses to communicate. So I first found out about this from Graham Cluley’s article on tripwire.com. Three were arrested after an year long investigation , which was code named Falcon, into Phishing emails, mass mailing campaigns which these attackers used to carryout extensive Business Email compromise scams. These attackers, who are Nigerian Nationals, were involved in various criminal activities. Criag Jones, INTERPOLs cybercrime director, said, I quote ” This group was running a well-established criminal business model. From infiltration to cashing in, they used a multitude of tools and techniques to generate maximum profits. We look forward to seeing additional results from this operation”. Check out Interpols NEws and Events page for more details such as the tools, malware and other malicious activities that this group was involved.
Now lets get a little more useful shall we, in this segment, I will go over some of the new security alerts and information that you can digest and actually use for your security needs.
We have the following to cover,
Fortinet FortiOS System File Leak This is CVE 2018-13379, Base Score is 9.8 Critical, that was issued by Fortinet Inc in May of 2019, after two DEVCORE Security researchers, Meh Chang and Orange Tsai, discovered and reported this vulnerability. A path traversal vulnerability in the FortiOS SSL VPN Web portal may allow an Unauthenticated Attacker to download FortiOS System Files through specially crafted HTTP resource requests.
Fortinet has issued some mitigation steps for the affected FortiOS versions. So if you are on the FortiOS 6.0 (6.0.0-6.0.4) or 5,6 (5.6.3 – 5.6.7) and FortiOS 5.4 – (5.4.6-5.4.12) then you have an option to upgrade to the latest in each of the main versions, namely 6.0, 5.6 and 5.4.
The temporary workaround, which will affect the functionality of your VPN service, is to totally disable SSL-VPN Service.
Drupal Releases Security Updates for Tar and other vulnerabilities CVE-2020-28949 & CVE-2020-28948, released by Drupal, by the way the analysis for these CVE’s are still being processed, however from Drupal’s Security Advisory, they have deemed it Critical. Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them. To mitigate this vulnerability, Drupal advises its users to upgrade to the latest versions. If you are using Drupal 8 or prior then you will most likely continue to be vulnerable as this version and prior are end of life. For more details, check out Drupal’s security advisory page:
CVE-2020-4006, which is still being analyzed by NIST. VMWare’s Security Advisory, VMSA, has issued it to be a critical vulnerability. A command injection vulnerability was privately reported to VMware. A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system.
Workarounds are available to address this vulnerability in affected VMware products. And the impacted products include VMWare Workspace one Access and Access Connector, VMWare Identity Manager and Connector, VMware Cloud Foundation and vRealize Suite Lifecycle Manager.
VMware is currently working on patches which are forthcoming. For details on this Vulnerability and patches check out the security advisory page of VMware.
Ok. That was all the important headlines and its details but now let me take you to the first recorded DoS Attack of 1988 by Robert Morris. Robert Morris, a student of Cornell University. He released the worm from MIT rather than his alma mater.
The worm exploited several vulnerabilities to gain entry to targeted systems,. According to Morris, the purpose of the worm was to gauge the size of the precursor “Internet” of the time – ARPANET – although it unintentionally caused denial-of-service (DoS) for around 10% of the 60,000 machines connected to ARPANET in 1988.
So what did the worm exploit?
A bug in debug mode of the Unix sendmail program
A buffer overflow bug in the fingerd network services
Remote Shell or Remote Shell execution in Unix by guessing weak passwords or no passwords.
In 1989, Morris was indicted for violating United States Code Title 18 (18 U.S.C.§ 1030), the Computer Fraud and Abuse Act (CFAA). He was the first person to be indicted under this act. In December 1990, he was sentenced to three years of probation, 400 hours of community service, and a fine of $10,050 plus the costs of his supervision. While Morris did not write the worm to cause damage but it replicated excessively, causing damages estimated upwards of $100,000.
That’s all I have time for this First Episode. Next week, I will get you some interesting security bits and continue to evolve. Please provide me your feedback by reaching out on my twitter. All the links to anything I have described is in episode is in the description below.
Make sure you subscribe to simplified security episodes available as podcast and on youtube. Go to icsbits.com/simplified for more details. I am your host Durgesh Kalya. Catch me on my next episode on your favorite podcast app or youtube, until then be safe and think before you click.
DK
If you would like to subscribe to this blog. Simply follow me on LinkedIn or Twitter and you will see any new alerts and posts directly on these two platforms.
Before you start reading and understanding the core concepts in the context of BCP – Business Continuity Planning, DRP – Disaster Recovery Planning and Contingency Planning, make sure you understand that these are very important concepts and are interpreted differently by different organizations, individuals and security professionals. The main reason is that we as humans may think differently in terms of countermeasures, we have different risk appetite and so are the organizations that the individuals are made of and are in key positions to propose, accept and finalize on various business and operational contingency plans.
Before we begin, let us understand some of the core concepts.
What is a Plan?
Oxford Dictionary defines Planning as “an intention or decision about what one is going to do”.
So what is Contingency planning?
“A contingency plan is a plan devised for an outcome other than in the usual (expected) plan” – From Wikipedia.
Before we get into what is included in each of the plans, let us look into some definitions.
According to the NIST Special Publication 800-34, IT contingency planning refers to a coordinated strategy involving plans, procedures, and technical measures that enable the recovery of IT systems, operations, and data after a disruption.
Contingency planning generally includes one or more of the approaches to restore disrupted IT services: - Restoring IT operations at an alternate location (Example: Hot Site, Warm Site and Cold Site) - Recovering IT operations using alternate equipment (Example: Secondary Server, High Availability Configuration) - Performing some or all of the affected business processes using non-IT (manual) means. (Example: Manually collect a customer’s credit card information through phone)
Because Contingency Plan includes broad scopes for recovery, continuity and response to business needs, business threats and emergencies, it is important to note that an organization may choose to implement the Contingency Plan in many different ways. This is when we start talking about BCP, DRP, COOP, IRP, etc. There are more. See Appendix A for expansion of these acronyms.
For a CISSP, it is important to understand the main differences between various types of plans.
What is a BCP?
Business Continuity Planning (BCP) is a process of creating or putting in place, systems and mechanisms for prevention and recovery of business systems to deal with potential threats to a business goal.
Business Continuity Plan is a formal document consisting of a set of processes, drawings, flow charts, ordered lists etc. that will help a business navigate through a business interruption(s) by providing tested and proven methods to recover and prevent a potential threat to the existence of the business. A BCP can have other plans included as part of its scope.
What is a DRP?
Disaster Recovery Plan (DRP) is a very detailed, hands on plan when compared to a Business Continuity Plan. It is highly reactive. It contains detailed instructions on how to respond to unplanned incidents such as hurricanes, flooding, earthquakes, power outages, cyber attacks and any other event that will cause disruptions to the business operations. The plan contains strategies on minimizing the effects of a disaster, so an organization will continue to operate – or quickly resume key operations.
CISSP Tip
Contingency plans help you continue to operate or sustain your business goals and can be reactive such as BCP, DRP and BRP. Parts of these plans can be proactive as well. For example, if you have servers configured in the High Availability (HA) mode, then you will limit downtime and improve performance. This is a proactive approach. If you have a backup server or a warm site, then you are making sure you can continue to operate when servers are down, this represents a reactive approach.
Appendix A
BCP : Business Continuity Planning
DRP : Disaster Recovery Planning
BRP : Business Recovery Planning
COOP : Continuity of Operations Plan
IRP : Incident Response Plan
OEP: Occupant Emergency Plan
This was chapter 1 on Contingency Planning. If you have any comments or questions, leave them below or message me!
Over and Out! Stay safe, think before you click (anywhere).
DK
If you would like to subscribe to this blog. Simply follow me on LinkedIn or Twitter and you will see any new alerts and posts directly on these two platforms.
No it is not. The ISC2’s CISSP Exam was a very intense exam even for someone with 15+ years in IT Industry with having applied IT Security in day to day job duties (yeah that is me 😉).
The last time I heard entry level means someone is at the lowest level in an employment hierarchy, just means that they are starting out, that could be 1 to 3 years of industry experience. If someone says or writes about CISSP being an entry level certification, please refer them to me. I will get the CISSP community to weigh in and will reach out to them and do our due diligence. Or simply direct them to ISC2’s requirements section. (Required Experience)
So why was this post necessary? It is because of CIO.com’s recently published article which claims CISSP is an entry level Certification. Below is a tweet of that article.
Why I am writing this post? Because CISSP is not an entry level certification and it takes 5+ years of experience in two (out of eight) of the security domains to get this credential next to one’s name. The exam is also not as easy or simple. It takes more than just knowing the IT Security concepts to answer the 150 questions in three hours.
Without real understanding of IT Security concepts and without having sufficient experience applying these various security concepts in the real world scenarios, will leave you playing Eeny, meeny, miny, moe and will give you just under 2% success rate according to these math geeks. (Link)
Why the Click Bait? If you saw a post or a NEWS article claiming CISSP is an entry level certification, then it is definitely a click bait, just look at the views on this post 😊 (I am guessing it must be in its hundreds by now, it was only posted on 10/4/2020). Just demonstrating… or am I?
Post Views:746
What does ISC2 have to say about all this? Here is ISC2 Tweet responding to an individual, confirming they are also aware of this incorrect classification of CISSP Certification in the specific CIO’s article:
Still not convinced? Then I suggest you to join this Discord group called Certification Station. No, this is not an advertisement and they are not selling anything, but it is a group of professionals in IT Security who like to hangout and learn together. Check them out here: https://certificationstation.org/
Certification Station
DK, CISSP
If you would like to subscribe to this blog. Simply follow me on LinkedIn or Twitter and you will see any new alerts and posts directly on these two platforms.
Who is OFAC? What is the deal here? You will learn all of that in a minute. But first, let us focus on this word Ransom, what is it?
Paying a ransom is not something new. It has been used in the early 1800s to pay for release of a prisoner. In today’s day and age, this word is very widely used in the Cybersecurity space with billions of dollars in Bitcoin being paid as a ransom for release of information that was encrypted or stolen by the bad actors (the bad guys/gals) every year.
While it is very natural for an organization or individual to make payments in the hopes of getting their sensitive data back, often times promises are not kept and there are other issues such as repeat of the same attack.
Here are few examples of ransoms that was paid 2019 to the bad guys where the organization paying the ransom was able to get its data back.
2019
Park DuValle Community Health Center, Kentucky, USA Amount paid: $70,000
La Porte County, Indiana, USA Amount paid: $130,000
Jackson County, Georgia, USA Amount paid: $400,000
Lake City, Florida, USA Amount paid: $500,000
There are many more…
Most of these organizations used Cyber Insurance and were able to use some part of its payout as payment to the cyber criminal. Also, most of these organizations contacted FBI or other US Agencies and worked directly or indirectly to negotiate and process the payments.
The big question to be answered comes when you are at the crossroads of whether to pay the ransom or simply accept that the data is lost and then plan to spend millions of dollars in recovering from such an incident. While the answer to this question is not straight forward like any other decision in the Cybersecurity space. It is often answered in a haste or without considering all risks. Take the example of City of Atlanta,
The City of Atlanta spent more than $2.6 million on emergency efforts to respond to a ransomware attack that destabilized municipal operations last month. Attackers, who infected the city’s systems with the pernicious SamSam malware, asked for a ransom of roughly $50,000 worth of bitcoin.
Newman, L. (2018, April 24). Atlanta Spent $2.6M to Recover From a $52,000 Ransomware Scare. Retrieved October 03, 2020, from https://www.wired.com/story/atlanta-spent-26m-recover-from-ransomware-scare/
Then there are other considerations such as organization’s reputation, continuing business operations and putting proper counter measures in place to prevent this from happening in the future. There is however one more thing that you have to consider in the form of this simple question.
Are you violating any rules and regulations of the U.S Department of Treasury’s by making a payment to the bad guys?
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) recently put out an advisory – Ransomware Advisory (Link) bringing up several important things to consider for organizations affected by ransomware or companies* who are assisting organizations hit by ransomware.
* These companies include Law firms, Cybersecurity insurance companies, or Financial institutions facilitating the ransomware payments.
Let us look at a few highlights of this Advisory:
OFAC states that these ransom payments could facilitate the bad actors and the states they may represent to support their illegal activities.
Ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims.
U.S. Department of the Treasury. (2020, September 28). Retrieved October 03, 2020, from https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20201001
OFAC has designated these malicious actors, aka our bad guys, under its cyber-related and other sanctions programs. OFAC uses these sanctions to effectively enforce foreign policies and national security goals.
So what does it really mean? If you or an organization were to pay the ransom in any way or form to an cyber-criminal, aka bad guy, and this individual or entity happens to be in one of the sanctioned countries , then you will be violating OFAC’s regulations. Simply put these payments with the sanctions nexus (associated or connected with the sanctions) threatens the U.S. National Security Interests.
So what should an organization that actively dealing with a ransomware attack do?
The OFAC’s Ransomware Advisory encourages victims and those involved with addressing ransomware attacks to contact OFAC immediately. At the end of the document, it lists all the departments that you may need to contact, such as:
U.S. Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP).
Financial Crimes Enforcement Network (FinCEN)
Cybersecurity and Infrastructure Security Agency (us-cert.cisa.gov)
Homeland Security Investigations Field Office (ice.gov)
Federal Bureau of Investigation Cyber Task Force (fbi.gov)
U.S. Secret Service Cyber Fraud Task Force (secretservice.gov)
In recent years, ransomware attacks have become more focused, sophisticated, costly, and numerous, adding to the various risks that an organization should consider when planning their Business Continuity and Disaster Recovery programs. While this article focused on United States and affects US Persons and Non-US Persons. It will be worthwhile to research regulations and laws in your regions of business operations.
