
My team managers asked me what to look for in a security specialist CV. The quick and direct answer they got from me was: ‘A valid CISSP certification’.

As you can imagine, they looked like living question marks, so I had to explain it a bit more. A CISSP certification is a very strong certification in the security market. It shows both that you have five years of full-time experience and that you have the skills to pass a very tough set of questions.

Another thing that’s important is that it is very easy to verify that the certification is valid. By entering the candidate’s full name and certification number here you get a quick reply on the candidate’s current certification status. As you hopefully are aware, a CISSP is only valid for three years; after that you need to either take the test again or show that you have spent enough time giving back to the community or educating yourself. Many take the certification but fail to do the work needed to keep it. Hence a verification should always be made.

If a candidate fails to give you his certification number, you can bet he has lost his CISSP.

This is what it looks like.

My challenge this month has been conducting a large risk analysis at a client. The challenge has been the estimate for the analysis, as it turned out that when we lifted all the rocks we found more than our share of cans of worms. This is not an unusual situation, however. Many times an organisation thinks it has good security, especially if it has a security officer who has been working there for a number of years. This month’s challenge for me is mainly explaining to him that the security architecture he is working with is outdated and creates bigger risks. Already in 2005 I was saying that the firewall is crumbling. Still to this day he challenges me at every turn, insisting that his firewalls are state of the art and impenetrable. I have to give him credit that the firewalls are very well maintained. Nothing else is, however. I hope that he understands this time, as we will conduct a live hacking session as part of our presentation.

I have started to devise a set of security mechanisms that will end up as a pattern in the months to come. However, I think you are all interested in the reasoning behind how to protect yourself.

First of all, you need to start looking at access paths: how does the ransomware reach you? The access paths are mainly the same as for any other Trojan: hacked websites, files in your mail, or a USB stick.
If we take the mail path first, with the attached file, the first thing to do is to block executables and files that normally aren’t sent through mail, like Flash files, AVI etc. Of course you need to check with your organisation first so that you don’t block any functionality.

After that I would use a chamber to quarantine the file and conduct automated sandbox testing before I let it through to the user.

When it comes to links I would put them through sandbox testing as well, in conjunction with a ‘known malware-spreading site’ register like SmartScreen in Internet Explorer and Edge.
Files on a USB stick are a bit tougher, though, but there are good tools in the AV that can check for those. I’ll have to look further into this one.
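To make the mail and link paths above concrete, here is an added example of a gateway triage step (my own illustration, not code from the original post or any product). It applies the three rules described: block executables, Flash and AVI files regardless of the name they arrive under (by checking the file’s magic bytes, so a renamed executable is still caught), send documents and anything whose name does not match its content to quarantine for sandbox testing, and check every link against a known-bad-site register before sandboxing it. The extension lists, the magic-byte table, the `KNOWN_BAD_DOMAINS` register and the sample attachments are all constructed assumptions to be reviewed with the organisation.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# --- Attachment policy -------------------------------------------------------
# Extensions an organisation normally never receives by mail (assumed starting list).
BLOCKED_EXT = {"exe", "dll", "scr", "com", "pif", "bat", "cmd", "js", "vbs",
               "swf", "avi", "jar", "msi"}
# Document types that are let through only after automated sandbox testing.
SANDBOX_EXT = {"doc", "docm", "docx", "xls", "xlsm", "xlsx", "ppt", "pptm", "pptx",
               "pdf", "zip"}
# Low-risk types that may pass directly when the content matches the name.
ALLOW_EXT = {"txt", "csv", "png", "jpg", "jpeg", "gif"}

# Which real content type (by magic bytes) each extension is allowed to carry.
EXPECTED_TYPE = {
    "doc": "ole", "xls": "ole", "ppt": "ole",
    "docx": "zip", "docm": "zip", "xlsx": "zip", "xlsm": "zip", "pptx": "zip",
    "pptm": "zip", "zip": "zip", "jar": "zip",
    "pdf": "pdf", "exe": "exe", "dll": "exe", "scr": "exe", "swf": "swf",
    "avi": "avi", "png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif",
}


def detect_type(data: bytes) -> Optional[str]:
    """Identify the content type from its magic bytes, ignoring the file name."""
    if data.startswith(b"MZ"):
        return "exe"                                   # Windows PE executable
    if data[:3] in (b"FWS", b"CWS", b"ZWS"):
        return "swf"                                   # Adobe Flash
    if data.startswith(b"RIFF") and data[8:12] == b"AVI ":
        return "avi"                                   # AVI video container
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.startswith(b"PK\x03\x04"):
        return "zip"                                   # also docx/xlsx/pptx/jar
    if data.startswith(b"\xd0\xcf\x11\xe0"):
        return "ole"                                   # legacy doc/xls/ppt
    if data.startswith(b"\x89PNG"):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"GIF8"):
        return "gif"
    return None


def attachment_verdict(name: str, data: bytes) -> str:
    """Return 'block', 'quarantine' (sandbox first) or 'allow' for one attachment."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    real = detect_type(data)
    # 1. Executables, Flash and video are blocked whatever they are called.
    if ext in BLOCKED_EXT or real in {"exe", "swf", "avi"}:
        return "block"
    # 2. A name that lies about its content (a .zip presented as .pdf) goes to the sandbox.
    if real is not None and EXPECTED_TYPE.get(ext) != real:
        return "quarantine"
    # 3. Office documents, PDFs and archives are sandboxed before delivery.
    if ext in SANDBOX_EXT:
        return "quarantine"
    # 4. Only known low-risk types pass straight through; everything else is sandboxed.
    return "allow" if ext in ALLOW_EXT else "quarantine"


# --- Link policy -------------------------------------------------------------
# Constructed stand-in for a 'known malware-spreading site' register (not real domains).
KNOWN_BAD_DOMAINS = {"malware-drop.example", "evil.example.net"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def link_verdict(url: str) -> str:
    """'block' if the host is in, or under, a listed domain; otherwise 'sandbox'."""
    host = (urlparse(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    # Check the host and every parent domain so that sub.evil.example.net is caught too.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in KNOWN_BAD_DOMAINS:
            return "block"
    return "sandbox"


def triage_message(body: str, attachments: List[Tuple[str, bytes]]) -> Dict[str, Dict[str, str]]:
    """Combine attachment and link verdicts for one inbound message."""
    return {
        "attachments": {name: attachment_verdict(name, data) for name, data in attachments},
        "links": {url: link_verdict(url) for url in URL_RE.findall(body)},
    }


if __name__ == "__main__":
    # Constructed sample message and attachments; none of this is real mail data.
    sample_body = "See https://sub.evil.example.net/x and https://intranet.example/doc"
    sample_attachments = [
        ("invoice.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60),  # executable with a double extension
        ("quarterly.docx", b"MZ\x90\x00" + b"\x00" * 60),   # executable renamed as a document
        ("report.pdf", b"PK\x03\x04" + b"\x00" * 60),       # archive pretending to be a PDF
        ("agenda.pdf", b"%PDF-1.7\n" + b"\x00" * 60),       # genuine PDF, sandboxed first
        ("notes.txt", b"Meeting notes\n"),                  # plain text, allowed
    ]
    for section, verdicts in triage_message(sample_body, sample_attachments).items():
        for item, verdict in verdicts.items():
            print(f"{section:11} {verdict:10} {item}")
```

The point of checking magic bytes as well as the extension is that an attacker controls the file name; the double-extension and renamed-executable samples are exactly the cases an extension-only filter lets through. A real gateway would hand the quarantined items to the sandbox and only release them on a clean result.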

March Challenge

I have to say that I really hate ransomware. It’s just like the old days when a henchman placed himself outside your store and blocked your customers from coming in, but without the satisfaction of beating him with a bat to make him go away.

A client of mine was targeted by ransomware and had to restore 1 TB of files (mostly Word, Excel and PowerPoint). You can just imagine the time it took to restore all the files from backup!

Gladly this company had listened to my advice regarding backups and made sure that they were fully functioning, but they still lost three days of work. Today I have been tasked with devising a way to protect against this menace. If you have an idea or two, please feel free to drop me a mail and let’s discuss it.

It comes as no surprise to anyone that ransomware is striking everywhere. There is a lot of money in a successful operation as well. CryptoLocker managed to get paid $200M before it was closed down for good; CryptoLocker infections still spread, but now there is no possibility of getting an unlock key.

Recently we have seen a new type of ransomware that strikes at Active Directory, encrypting the AD. It takes a bit more to create a successful attack, but when it strikes it kills off the whole company as if a key had been turned. Anyone who has ever tried to make a full restoration of their AD knows that it’s a very painful process, and if you have the ransomware active on a computer in your network your restoration is to no avail, as it will be encrypted again.

One of my readers wanted to know more about what type of challenges I’m facing when I’m at my clients, to better understand what I do as a security architect.

This month’s challenge is therefore how to justify a cloud strategy based on security requirements. Working at a client, they asked me about cloud security mechanisms (see my previous post) and how they should argue that going to the cloud was more secure than having the servers on premises.

At first I was a bit unsure how to tackle the problem, as a cloud service normally has the same security as an internal setup if both are set up right. But the solution became apparent as soon as I started looking at the timeline for setting up new cloud services compared to fixing the current infrastructure.

As this client has a rather old infrastructure, they have multiple challenges when it comes to patching and hardening the servers. They still have a number of Windows 2003 servers outsourced, and the contract runs for another year.

In short, the only way to secure the current infrastructure is to throw it all away and install new hardware and software in updated versions. The investment for this (100+ servers) is high, to say the least, compared to doing it all in the Amazon cloud. So even if the security of both approaches is more or less the same, the investment cost for having it internally is a lot higher than using cloud services. The cloud also offers DDoS protection and scalability that your own infrastructure cannot provide.

I have been asked to do a presentation at a client regarding cloud security mechanisms and have started to give this some thought. There is of course a huge amount of material, but I’ll try to keep it simple.

The core components of cloud security are: Identity, SIEM, Encryption, Mobility, Federation and Trust. Of course there are other non-functional requirements as well, but not taking my list into account will create problems later on.

Identity covers everything from setting up IAM services to managing access control. Without a proper identity it is impossible to manage security in the first place.

SIEM is a rather strict setup, but I use the term rather loosely, as logging security events and acting on them is a rather broad concept. But with the new data protection act from the EU you need to make sure that you can report incidents within 72 hours, and without a SIEM solution, or even better a SOC, this will be impossible to do.

Encryption is the third-generation firewall. The first generation was the network firewall, followed by the second generation, device firewalls. Nowadays we need protection at the information-object level, and that type of firewall is spelled encryption. With encryption comes a very high protection level, but also a demand for strict processes to manage the encryption keys.

Mobility is not a security mechanism per se, but an extension of the network that you need to manage. All solutions today must take mobility into account, as we have moved to using our mobiles as computers nowadays.
Federation is a way of managing access without managing the identity. To enable working cloud security you need to make sure that you manage the identities in some other, more efficient way.

Trust is the last component, and it is of far more importance with the new data privacy act in the EU. You have to make sure that you can trust an entity, and that means both contractually and that they can prove that they are secure enough.

A report from ’Trusselsvurderingsenheden ved Center for Cybersikkerhed’ in Denmark shows that the threat level against Denmark’s authorities and private companies is very high. According to Thomas Lund-Sørensen, manager of Center for Cybersikkerhed, this means that hacks are occurring. This comes as no surprise to anyone working in this field, but the interesting questions are rather: Why is the threat level high? Why are hacks happening?

The answer is both simple and not. First of all, cyber security has not been seen as a real problem. Hacking has been something that only 15-year-old kids with pimples did for fun, creating a bit of extra work but nothing more. The shift to organised crime and military operations has been silent, but that’s where we are today. Organised cybercrime costs the world about €400 billion yearly, and still many companies and authorities don’t take the threat seriously and still think that a simple firewall and antivirus are enough.

Companies that decide to take the threat seriously and are taking steps to prevent it find themselves bogged down with investigations, time-consuming configurations and slow processes. It’s not uncommon for a patch process to be allowed to take 30 days, giving the hackers 29 days and 20 hours to try to hack you with a zero-day.

Another shift that has happened is the mobile and digital one. We are now doing a lot of work outside the office, and we are moving process after process fully online, exposing the organisation’s systems for anyone to hack. The secure office network is dead; security mechanisms need to move to the device instead, and information needs to be protected wherever it resides. New systems need to be security tested as if they are exposed on the internet, because that’s where they end up anyway.

It may sound like a large struggle, but in fact it’s not. There are several patterns that describe how you should create a secure company, but the problem is often that outdated policies are used to implement outdated technology, instead of using modern policies that mandate security mechanisms, which in turn are implemented with technology and processes.

It is possible to be agile in a secure way, but to be able to do that you need to stop protecting against everything and instead be quick to manage incidents and stop the hacker dead in their tracks. Go agile securely.

I’m currently spending no money on getting Wi-Fi on board, as there apparently was a glitch of some kind. My Wi-Fi connection just started without me having to pay. Currently I’m flying over to the US and just wanted to say that a CEO is having a phone meeting en route and is discussing a hostile takeover. I will notify my colleagues in the US that a company I’m aware of is in dire need of a security training session. Happy holidays!

What better way is there to celebrate your birthday than doing a social engineering test? Nothing puts you more on edge than the possibility of spending your birthday waiting to be released from a holding cell. Gladly that didn’t become the case, but my client will get a report on the lax security they have. I was tasked with getting into a building where they have rather strict security. After poking around for some time I realised that I would not be able to enter there. So I took a walkabout, reached the loading bay and found an open door. I peeked in and saw that no one was monitoring the access. I quickly entered the small office located there, put my Wi-Fi dongle in a network jack and went out again. Now my colleagues have to do their magic. 🙂
