Category: Blog

February 14th, 2019 by John

Posted in Blog

December 20th, 2018 by John

Cyber threats to buildings and data centers include data compromise, exfiltration and denial of service. Discussion of control system cyber threats to data centers has focused on Internet-connected building control systems. However, there are other control system cyber threats to data centers that have not been addressed and have already caused damage to data centers.

Read more, https://www.realcomm.com/advisory/904/1/control-system-cybersecurity-and-what-it-means-to-buildings.

Posted in Blog

July 16th, 2018 by John

I get a lot of spam and a lot of phishing attacks. Gmail does a pretty good job of filtering them out. Last week the prevalent phishing attack was an attempt to get you to ‘complete the process of unsubscribing’. This piece of social engineering was obviously timed to coincide with the European GDPR compliance deadline, which led many individuals to unsubscribe rather than opt in to marketing.

This week brings us a phishing attack that might scare your pants off, at first glance. Most Americans have probably had a username and password leaked at some point. So, when you receive an email that starts off by listing your password, you might sit up and take notice. I received this email because one of my accounts was associated with a password breach, so I know it has to be circulating big time! (It was a password I had changed over a year ago.)

Many Americans have visited an adult website at some point. Marry up the two and you have a very convincing phishing email: it demands a cryptocurrency ransom to prevent the release of a video of what you were supposedly watching, alongside footage from your computer’s camera. Here is an example phishing email:

Don’t fall for this scam. The password quoted in the email comes from an old breach dump, not from your computer, and there is no video. What you can do is visit a site like Have I Been Pwned to see whether your email address appears in any breaches, so you can change any passwords that might have been leaked. Stay safe and secure!
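Have I Been Pwned also lets you check a password itself without handing it over, using a k-anonymity range lookup on its Pwned Passwords service. The script below is an added example, not code from the original post: it assumes the service answers GET https://api.pwnedpasswords.com/range/<first 5 hex chars of the password’s SHA-1> with lines of the form <remaining 35 hex chars>:<count>, and the response it parses offline (SAMPLE_BODY) is constructed for this example rather than real service output.

```python
"""Check a password against a breach corpus without sending the password (or
its full hash) anywhere, via the k-anonymity range lookup offered by the
Pwned Passwords service at Have I Been Pwned.  Added example, not code from
the original post.  Assumed API shape: GET
https://api.pwnedpasswords.com/range/<first 5 hex chars of the SHA-1> returns
lines of the form <remaining 35 hex chars>:<count>.  SAMPLE_BODY below is a
constructed response, not real service output."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_split(password):
    """Uppercase hex SHA-1 of the password, split into the 5-char prefix that is
    sent to the server and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Turn 'SUFFIX:COUNT' lines into {SUFFIX: count}; blank or odd lines are skipped."""
    table = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        table[suffix.strip().upper()] = int(count.strip())
    return table


def breach_count(password, body):
    """Times the password appears in the corpus according to one range response;
    0 means its suffix was not listed under that prefix."""
    _, suffix = sha1_split(password)
    return parse_range(body).get(suffix, 0)


def fetch_range(prefix, timeout=10):
    """Live lookup of one prefix (needs network; not used by the offline demo)."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_password_live(password):
    """Full online check: only the 5-char prefix is sent, the match is done locally."""
    prefix, _ = sha1_split(password)
    return breach_count(password, fetch_range(prefix))


# Constructed response for prefix 5BAA6: two padding suffixes plus the suffix of
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8.  Counts are made up.
SAMPLE_BODY = """\
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
011053FD0102E94D6AE2F8B83D76FAF94F6:1
"""


def run_example():
    """Offline demo against the constructed body."""
    return {
        "password": breach_count("password", SAMPLE_BODY),
        "correct horse battery staple": breach_count("correct horse battery staple", SAMPLE_BODY),
    }


if __name__ == "__main__":
    for pw, n in run_example().items():
        print(f"{pw!r}: seen {n} times")
```

A real range response holds several hundred suffixes, so the server learns only which of roughly a million buckets your hash falls in, not the password. Any nonzero count means the password should be retired everywhere it was used.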

 

Posted in Blog, Criminal, Scams & Ransomware

June 17th, 2018 by John

I have a thought that blockchain and PKI could provide election integrity.

The goal would be one vote per citizen, and some ideal blockchain method would ensure this. Along with PKI (some hash or encryption which is unique), every citizen would be able to validate how they voted (it could be a receipt with a code or QR code which they retain). The government could not reverse that to see how any individual voted, only that they voted one time. There would need to be a process for a voter to dispute their vote, in case it is falsified.

The devil is in the details. I think this would need to be a distributed blockchain managed by the government, but which citizens could also participate in, or a third party.

There are political and technical issues to overcome, clearly. However, I believe that it is possible. It would mean a national standard for elections, but it could also retain voting at polling stations as well as voting online.

This may come close to essentially having a voter ID (no more intrusive than having a Social Security number or driver’s license), which could also be validated at the polling place. The more nodes involved, the harder it would be to cheat the system.

I am investigating this with experts. If the answer is that the technology will not support what I envision, that is fine. I think that we have experts and the technology to pull it off. At the same time, I recognize that any connected/networked system can be vulnerable to attack. I believe that the more we have a distributed ledger of election transactions, the harder it is to subvert the system.

This would involve a change to how we vote, to a degree, and certainly a change to the underlying technology used nationally. States would need to buy into the process and when technology needs to be replaced, it is not necessarily inexpensive. But, I think we have the technology to ensure people cast their vote and it is properly counted. I am working with experts to contemplate how this might be done.

This does not solve the problem of voters being influenced to vote a certain way, but I think it could provide a secure and immutable way to have votes counted. One vote per person.

What do you think? Nothing is perfect, but I think this would be an improvement and very difficult to subvert on a large scale. There would be some forensic record of tampering, since there would be many distributed nodes recording transactions, with appropriate anonymity.

Posted in Blockchain, Blog, Cryptography

April 12th, 2018 by John

Artificial intelligence (AI) and machine learning (ML) are increasingly used as product marketing buzzwords. Nevertheless, I feel certain that AI is an integral part of how we will approach cybersecurity in the future, with particular applications for securing manufacturing environments.

See John’s earlier article on Securing the Industrial Internet of Things.

Machine learning is a functional subset of AI. With large data sets and expert training, machine learning can help to identify cybersecurity threats in the same way your GPS app can identify the best route home during rush hour. Where ML has proven its ability to accurately distinguish known and unknown threats across the stages of the kill chain, it can help you detect and respond to threats faster and better. ML can provide meaningful insights and even actionable information to cybersecurity analysts, to aid in incident triage and reduce the impact of incidents on your organization.

The manufacturing floor in a factory is often filled with special-purpose equipment, legacy systems and Industrial Internet of Things (IIoT) devices. Automation moves parts down the production line; robots cut metal, assemble parts and spray paint. Unlike the office environment, which is more likely to follow IT standards for the configuration of computers, printers and applications, the manufacturing environment is usually less well understood and less easily managed, because of the variety of systems in use.

In the manufacturing environment, specialized IIoT devices may communicate using special, non-IT protocols. Compared to office computers, they often lack security controls, central management and the ability to be patched. If they can be patched, it may require local access. These devices may not have unique passwords, or changing a password may require special equipment and a manual procedure. Often, a factory will not have a detailed inventory of all manufacturing assets.

In addition to their variety and limited manageability, manufacturing systems may have special requirements. They may require unauthenticated Internet access, or support by external vendors. They may run software which requires older and sometimes unsupported OS versions. They may be specialized or embedded systems, unable to run the requisite desktop security software. They may be turned off for months at a time, or reboot every time a piece of equipment is powered on and have no persistent storage. Another factory consideration is the agreed-upon rules for wage employees using manufacturing systems and software: production line computers may be forced to use shared passwords or rely on auto-logon.

The factory environment can be quite different from the office environment; however, a manufacturing company cannot afford for its production line to go down. It needs to manage the environment and still prevent viruses, attacks and misconfigurations which could stop production. Of course, the CISO needs to protect the entire large, complex enterprise network, of which the factory is just a subset.

There are two ways to do this. The first is to segment the network, to allow legitimate traffic to flow, but to isolate systems so a specialized or legacy system that is attacked will not affect other factory or corporate systems. When you are dealing with a large, legacy network (with perhaps many other factories around the world), that is easier said than done.

You may be able to implement policies (often manually configured) and IP segmentation to reduce the risk of abuse (e.g. malicious USB devices, downloads from the Internet). Fine-grained network segmentation with firewalls is probably untenable, so another approach, relying on the ability to monitor, detect and respond, may be the most effective. This relies on the ability to collect network data, establish what normal traffic looks like, and detect inappropriate or malicious behavior and misconfigurations. Visibility into existing data sources, such as NetFlow, proxy and DNS logs, can be used to identify attacks that would otherwise fly under the radar or be lost in the noise.

Anomaly detection alone can be very noisy, and potentially devastating threats could still fly under the radar. The best way to deal with a diverse environment and unique, unexpected traffic seems to be to additionally leverage machine learning to look for the specific East-West traffic indicative of malicious actors, viruses and misconfigurations which could bring your production line to a grinding halt. Along with automation and orchestration, the impact can be minimized and the extent of an attack presented to analysts, so that affected systems can be quarantined and recovered more quickly.
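To make the "learn what is normal, then flag East-West deviations" idea concrete, here is an added example (not code from the original post) that works from NetFlow-style records: it learns which plant-internal (src, dst, port) triples occur in a known-good window and how many internal peers each host has, then flags watched services between hosts that never spoke before and hosts whose fan-out jumps. This is a plain baseline-deviation detector, not a trained ML model; the plant subnet, the watched-port list and all flow records are constructed for the demo.

```python
"""Baseline-and-deviation detector for east-west (plant-internal) traffic built
from NetFlow-style records.  Added example, not code from the original post.
The subnet, watched ports and flow records are constructed for this demo."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed plant address space.  A flow is "east-west" when both ends are inside it.
PLANT_NETS = [ip_network("10.20.0.0/16")]

# Services whose first appearance between two hosts deserves a look:
# SMB, RDP, VNC, Modbus/TCP, S7comm.  Assumed watch list; tune per site.
WATCH_PORTS = {445: "smb", 3389: "rdp", 5900: "vnc", 502: "modbus", 102: "s7comm"}


def is_east_west(src, dst):
    s, d = ip_address(src), ip_address(dst)
    return any(s in n for n in PLANT_NETS) and any(d in n for n in PLANT_NETS)


def build_baseline(flows):
    """From a known-good window, learn the set of (src, dst, dport) triples and
    how many distinct internal peers each source talks to."""
    pairs, peers = set(), defaultdict(set)
    for f in flows:
        if is_east_west(f["src"], f["dst"]):
            pairs.add((f["src"], f["dst"], f["dport"]))
            peers[f["src"]].add(f["dst"])
    return {"pairs": pairs, "fanout": {h: len(p) for h, p in peers.items()}}


def detect(baseline, flows, fanout_factor=3):
    """Alerts for (a) watched services between hosts that never spoke in the
    baseline and (b) sources whose distinct-peer count exceeds their learned
    fan-out by fanout_factor (a host with no learned peers gets a threshold of
    fanout_factor).  Flows that are not east-west are ignored."""
    alerts, peers = [], defaultdict(set)
    for f in flows:
        if not is_east_west(f["src"], f["dst"]):
            continue
        peers[f["src"]].add(f["dst"])
        key = (f["src"], f["dst"], f["dport"])
        if key not in baseline["pairs"] and f["dport"] in WATCH_PORTS:
            alerts.append({"type": "new_pair", "src": f["src"], "dst": f["dst"],
                           "service": WATCH_PORTS[f["dport"]]})
    for host, seen in peers.items():
        learned = baseline["fanout"].get(host, 0)
        if len(seen) > max(learned, 1) * fanout_factor:
            alerts.append({"type": "fanout", "src": host,
                           "peers": len(seen), "baseline": learned})
    return alerts


def flow(src, dst, dport):
    return {"src": src, "dst": dst, "dport": dport}


# Constructed known-good window: an HMI polling two PLCs over Modbus, a historian
# pulling files from the HMI over SMB, and DNS traffic that is not east-west.
BASELINE_FLOWS = [
    flow("10.20.1.10", "10.20.5.20", 502),
    flow("10.20.1.10", "10.20.5.21", 502),
    flow("10.20.1.10", "10.20.5.20", 502),
    flow("10.20.1.11", "10.20.1.10", 445),
    flow("10.20.1.10", "8.8.8.8", 53),
]

# Constructed new window: normal polling continues, but 10.20.1.30 (never seen
# before) probes a PLC over Modbus and walks the cell over SMB.
NEW_FLOWS = [
    flow("10.20.1.10", "10.20.5.20", 502),
    flow("10.20.1.11", "10.20.1.10", 445),
    flow("10.20.1.10", "10.20.5.22", 80),   # new pair, but port 80 is not watched
    flow("10.20.1.30", "10.20.5.20", 502),
    flow("10.20.1.30", "10.20.1.10", 445),
    flow("10.20.1.30", "10.20.1.11", 445),
    flow("10.20.1.30", "10.20.1.12", 445),
    flow("10.20.1.30", "10.20.1.13", 445),
]


def run_example():
    return detect(build_baseline(BASELINE_FLOWS), NEW_FLOWS)


if __name__ == "__main__":
    for a in run_example():
        print(a)
```

On the constructed data the baseline window replayed against itself produces no alerts, while the new window yields five new_pair alerts (one Modbus, four SMB) and one fan-out alert, all pointing at 10.20.1.30. Unwatched ports are deliberately left out of the pair check to keep the noise down; the fan-out rule still catches a host that sprays connections on any port.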

This solution needs to scale across factories and across the large and complex enterprise network. The ability to aggregate and analyze network data across silos is a much more scalable and affordable solution than purchasing and deploying hardware.

While there is no doubt that many CISOs will roll their eyes when they hear certain buzzwords, the manufacturing environment is unique and would benefit from an AI solution to monitor logs and traffic, and uncover malicious activity which might otherwise be lost in the noise. When you are not able to simply segment and isolate systems, the ability to intelligently monitor their communications and provide detailed, actionable information to security analysts seems the best approach to securing the manufacturing environment.

Posted in AI & Machine Learning, Blog

April 11th, 2018 by John

Why are we paying attention to our online privacy now? In March 2018, it was discovered that Cambridge Analytica had been harvesting Facebook user information, and using it to build voter profiles which they then sold off to groups who wanted to influence the 2016 Presidential Election.

The issues we are facing today aren’t new. The Internet puts your personal information at risk: on your computer and mobile devices, in email and social media. It just becomes harder to protect your privacy and personal information, as the Internet and social media become more complex.

Link: Mark Zuckerberg Testifies Before Senate

Another reason we are paying more attention to privacy is that the European data privacy regulation (GDPR) goes into effect in May 2018. In Europe, consumers must explicitly opt in to receive email and agree in advance to sharing their personal information. In the US, the common practice has been “let the buyer beware”: US consumers often had to opt out to avoid having their personal information collected and shared. US consumers’ liability is limited to $50 if a credit card is stolen, so they have a more lax attitude toward protecting financial information, whereas EU consumers take privacy much more seriously. The US is starting to realize that personally identifiable information (PII) can include many items which, when linked together, can expose our habits and preferences, our personal health history and much more.

Consumers need to be aware of what they are sharing, and with whom. Companies like Facebook need to make it easier to make informed decisions. Security and privacy need to be the default, but don’t be naive: if companies like Facebook and Google are forced by regulators to change how they gather and use personal and marketing information, it may come at a cost to consumers.

Consumers are eager to take something for free, and without reading the terms and conditions when they sign up, they either don’t realize or don’t care that companies like Google and Facebook base their business model on selling your information. Now they are starting to revisit their online choices to better secure their PII and to protect their children.

Attacks on privacy, bullying and cyberstalking can occur due to our social media presence. Even children are affected, as they use social media, messaging and picture sharing apps. We all need to understand that our identity and safety are at risk, if we don’t understand the threats and implement better security controls.

In addition to our concerns over our privacy, or lack thereof, malware is still rampant, with 39% of malware being ransomware. The malware that infects our computers often comes from phishing emails and malicious links on websites. There are many other threats to our security and privacy in the world today, and it is the consumer’s responsibility to stay informed and take the basic steps to protect themselves and their loved ones. The government won’t do it for you.

Link: QC Cybersecurity Alliance Online Privacy & Security Resources

On behalf of the Quad Cities Cybersecurity Alliance, let me share some advice and best practices on security and privacy settings and tools, for your home computer, mobile devices and social media accounts.

Top 10 Steps to Protect Your Privacy and Secure Your Devices

1. Back up your data: If you have a safe external backup, it will help you recover from a virus or ransomware. Even keeping your files in secure online storage like Dropbox can help you recover. Just make sure to choose strong login options so someone else can’t steal or guess your password. Link: Home backup solutions reviewed. Read More

Posted in Blog, Community, Cybersecurity & Infosec, Privacy

April 11th, 2018 by John

If you don’t have a reliable and authoritative repository of the devices connected to your network, their posture and the use of privileged accounts, it is difficult to believe that you really have any hope of managing them well to protect your organization’s sensitive information. If you are not managing IT security risk well, it will have an effect on all aspects of enterprise risk. This is why situational awareness needs to be a top enterprise focus.

The first function in the NIST Cybersecurity Framework is “Identify”. The first five CIS Controls relate to discovery, inventory and posture of endpoints, software and privileges.

The 20 CIS Controls are the fundamental steps that every organization should work on to address the majority of the cybersecurity exposure it faces. Yet many organizations fail to maintain a good inventory of assets, posture (software and configurations) and privileges.

There are many reasons why a central, easy to use inventory system is beneficial.

– You should know what business assets you are responsible for, as a fiscal responsibility.

– You should know what assets you have, especially when they connect to your network or access sensitive corporate information. Where are they? What software are they running? Are they compliant (patches, secure baseline configurations…)? What value is the data on these assets? What is their exposure? Read More
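The questions above only get answered if the authoritative inventory is regularly reconciled against what the network actually shows. The script below is an added example, not code from the original post: it compares a small constructed CMDB extract against constructed DHCP/ARP observations and reports devices nobody claims, inventory entries no longer seen, hosts outside the patch window and hosts off the secure baseline. The field names, thresholds and every record are assumptions made for the demo.

```python
"""Reconcile an authoritative asset inventory against what is seen on the wire.
Added example, not from the original post; CMDB rows, DHCP/ARP observations,
field names and thresholds are all constructed for this demo."""
from datetime import date, timedelta

# Authoritative inventory (constructed): what we think we own and its posture.
CMDB = [
    {"host": "fin-ws-01", "mac": "00:11:22:33:44:01", "owner": "finance",
     "last_patch": "2018-03-20", "baseline": True},
    {"host": "eng-ws-07", "mac": "00:11:22:33:44:07", "owner": "engineering",
     "last_patch": "2017-11-02", "baseline": True},
    {"host": "old-print-2", "mac": "00:11:22:33:44:99", "owner": "facilities",
     "last_patch": "2016-01-15", "baseline": False},
]

# Network observations (constructed): DHCP leases / ARP cache exported as rows.
OBSERVED = [
    {"mac": "00:11:22:33:44:01", "ip": "10.1.1.10", "last_seen": "2018-04-10"},
    {"mac": "00:11:22:33:44:07", "ip": "10.1.1.17", "last_seen": "2018-04-11"},
    {"mac": "F0:9F:C2:AA:BB:CC", "ip": "10.1.1.200", "last_seen": "2018-04-11"},  # unclaimed
]


def reconcile(cmdb, observed, today, patch_sla_days=30, stale_days=30):
    """Return four lists: unknown devices on the network, inventory entries not
    seen within stale_days, hosts patched more than patch_sla_days ago, and
    hosts flagged as not on the secure baseline.  MACs are compared lowercase."""
    seen = {o["mac"].lower(): o for o in observed}
    known = {c["mac"].lower(): c for c in cmdb}
    report = {"unknown": [], "stale": [], "unpatched": [], "off_baseline": []}

    # Observed but not owned: the gap an attacker's laptop or a rogue AP lives in.
    for mac, o in seen.items():
        if mac not in known:
            report["unknown"].append({"mac": mac, "ip": o["ip"]})

    for mac, c in known.items():
        o = seen.get(mac)
        if o is None or today - date.fromisoformat(o["last_seen"]) > timedelta(days=stale_days):
            report["stale"].append(c["host"])
        if today - date.fromisoformat(c["last_patch"]) > timedelta(days=patch_sla_days):
            report["unpatched"].append(c["host"])
        if not c["baseline"]:
            report["off_baseline"].append(c["host"])
    return report


def run_example():
    return reconcile(CMDB, OBSERVED, date(2018, 4, 11))


if __name__ == "__main__":
    for category, items in run_example().items():
        print(f"{category}: {items}")
```

Run this from whatever exports you already have (a CMDB dump, DHCP lease table, switch MAC tables) and the "unknown" list is the first thing to chase; the other three lists are the posture questions above turned into a daily report.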

Posted in Blog, Cybersecurity & Infosec, Risk Management, Vulnerabilities

April 9th, 2018 by John

The NIST Cybersecurity Framework has five functions for enterprise security: Identify, Protect, Detect, Respond, Recover. There is a lot of focus on Detect and Respond as the new shiny thing. Let’s be honest, every company should be doing its due diligence in all five. While traditional protection controls are less effective than they once were, we still need to be doing what we can to identify and protect (let’s face it, we used to rely on static antivirus, and today it is laughable to suggest static AV is anywhere near adequate protection for endpoints).

I’ve heard people say that we don’t need defense in depth, we need detection in depth. I’m not sure what that means. I agree we need to do a better job of detecting faster and responding better, but we only have two options here, DEFENSE and OFFENSE. I really don’t hear enterprise CISOs suggesting we attack back. I’m not sure the general counsel would agree to that either. Read More

Posted in Blog, Cybersecurity & Infosec