Articles by the cybersecurity community

Guest post - James Meikle - BBQing #Risks Steakments (Statements)

 Thank you to James Meikle for contributing his expertise to support the Demystify Cyber project. 

........................

BBQing Risks Steakments Statements

 

Risk statements have the power to deliver a strong message, to people from all backgrounds, about something bad that might happen. To be clearly understood they should use common language. There are a few different ways to formulate risk statements; this is just one of the common ones.

PS: We all need an acronym swear jar!

 

As I would like to see more powerful messages, and I like Aussie BBQs, it is time for a combo!

 

Diving in at BBQs you usually need a story: keep the interest going, use the common tongue, and use Aussie slang rarely. You tell a story, and you hope people understand it. Your feedback is provided by still having an audience, and as you practise you get better at it. There is a formula for successful storytelling; it is watchable if you do not do this yourself.

 

A formula is also needed for successfully talking about risk. Let us try a minimal one (in BBQ speak). Yes, I had to change it for the example, but it is still based on a true story from our very own Gold Coast of Australia!

 

“Our family fun day on a whale sighting trip may be ruined by naughty jet skiers that get too close scaring off whales resulting in no fun and children in tears.”

 

This is going to get a bit quirky, but let us try to take this apart. My rough translation of talking risk is: people trying to explain the effect of uncertainty on what they want to occur, so they can help the situation (which is close to the ISO 31000 definition of risk as the effect of uncertainty on objectives).

 

Event

An event is something that happens, due to something else, that disrupts an objective. In this example the objective is family fun, and the event is the family fun day on the whale sighting tour being ruined. Keep it to one event per statement.

 

“Our family fun day while on a whale sighting trip may be ruined”

 

Cause

The jet skis cannot be linked directly to kids crying their little hearts out; the effect of their being there is scaring off the whales. Cause and event can be mixed up if you are not careful: events have objectives, causes do not. There can be more than one cause.

 

“… by naughty jet skiers that get too close scaring off whales”

 

Consequence

The worst examined outcome for the day was whales not being seen on a (first-time) sightseeing tour, with crying kids and a ruined day. I always seem to focus on this one, since it is the meaty part of why we should care about the risk. There can be more than one consequence.

 

“… resulting in no fun and children in tears”

 

Okay, since my BBQ stories have happy endings when children are involved, I must add this bit…

“The day was saved by instant karma when the pair were intercepted by the cops, waved at by a few really happy children and camera people. The kids got to see a whale. Day saved!”

 

It has been said before: we cyber people must speak many languages, but common is the most important.

 

My quick tips

 

1.       Use common language.

2.       Use specific industry language sparingly, only if you must (Aussie slang at BBQs!).

3.       Use an obvious formula like:
There is a risk that “Event” occurs that can be “caused by” resulting in “the bad thing”.

4.       Use your voice and read them out loud (mind who is around you).

5.       Use the basic statement you come up with as a foundation, then build on it and add to the narrative.

Break up the statement using a spreadsheet or other tools to make it easier to consume, if appropriate.

6.       Use ISACA’s good-quality risk statement questions to sanity-check your content:

What could happen? Why could it happen? Why do we care?

 

Helpful links

https://www.isaca.org/

 


Guest Post - Laura Jiew and Sean McIntyre from AusCERT - I got 99 problems but a vuln ain’t one


Thank you to AusCERT's Laura Jiew and Sean McIntyre for writing a guest post for the Demystify Cyber project. Cybercrime fighting is truly a team sport, and I am thrilled to have this contribution from AusCERT for the blog. The team at AusCERT have always been extremely supportive of me, both professionally and with my personal projects and volunteer work, and they are passionate about supporting the community and Nation to stand strong against cybercrime. I recommend their blog for up-to-date cybersecurity information; you can get to it from this link: https://www.auscert.org.au/resources/blogs/

............

 Ninety nine problems but a vuln ain't one

If you’re having cyber problems, I feel bad for your SOC
I got ninety nine problems but a vuln ain't one, hit us!   

Okay, cheesy (revised) lyrics aside, I caught up with my colleague Sean McIntyre, Information Security Analyst at AusCERT, to discuss our shared thoughts on the common misconception that cyber criminals are “hooded / masked baddies”, and we outlined some ways in which AusCERT, as a not-for-profit security group, can help our members and the general public avoid the common pitfalls of falling victim to a cybercrime and/or incident.

 

Sean, it isn’t unusual for our collective cultural community to think of cyber security in terms of tired clichés and common tropes. In your opinion, what can we do to help people understand that a cyber criminal and a victim could look like anyone, including you and me?

 

I think it’s really important to talk to folks (family, friends, neighbours even) about how cyber crime isn’t discriminatory, that it can happen to anyone. I feel it’s great that the media draws attention to cyber related incidents; it helps bring the topic to the mainstream. People relate to examples like Nine Network or domain.com.au. However, I do think we can do better at the grassroots level. We should start talking about it with kids in schools etc., and avoid making “cyber” a scary topic. I think organisations like eSafety do some good work in this space [1].

You’ve been working at AusCERT for close to 18 months now. In your opinion and from your observations, what cyber security challenges are the most common for our membership audience?


Personally, my top 3 observed challenges are as follows:
 

  1. Staying on top of the countless advisories, vulnerabilities and CVEs that come through daily. Identify all of your infrastructure: systems, operating systems, patch levels, appliances, applications. This may sound elementary, but sometimes the concept of going back to the basics is a great starting point. Actually, Jess Dodson, one of our keynotes and speakers at the AusCERT2021 conference, does a great job of this through her personal website, definitely worth checking out! [2]. Members, once you’ve done this audit, make sure you subscribe to the appropriate AusCERT security bulletins through our member portal function.
  2. Identifying Business Email Compromise (BEC) attempts from what can be extremely confusing email headers, and what to do from there. BECs are such a common scam, so much so that the ACCC recently reported that payment redirection scams, also known as business email compromise (BEC) scams, resulted in $128 million of losses in the year 2020 [3]. Members, the AusCERT team is always happy to assist with the analysis of phishing email attempts and headers, and will contact and assist affected member organisations where a BEC has occurred. Don’t forget that public agencies such as Scamwatch can also assist [4].
  3. Domain impersonation or squatting, and brand protection. This one is particularly challenging, as AusCERT would love to help members who find themselves in such cases; however, our success in getting websites taken down relies on malicious activity such as phishing or malware delivery being present. In cases where a brand is being impersonated, registrars and website hosts will request that the owner of the trademark contacts them directly. Abuse contacts can generally be found in the ‘whois’ info of a domain. Members can always reach out to our team for assistance and we are happy to walk through the necessary steps with them.

 

We sat down and did one of these sessions at the end of last year, when you and I presented a case study on the AusCERT Incident Management service [5]. Can you reiterate the key takeaways for our readers?

 

Of course! For those who haven’t had a read of that piece we did together, definitely check it out on the AusCERT website [5].

If you’re an AusCERT member, definitely utilise our 24/7 Incident Hotline or email us at auscert@auscert.org.au for any cyber related incidents.

 

Where possible, implement the “Essential 8” as outlined by the ACSC [6]. This protocol provides a baseline for cyber security incident mitigation. Implementing these strategies as a minimum makes it much harder for adversaries to compromise systems.

Thanks so much for the chat Sean!
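
The second challenge above, reading confusing email headers to spot a BEC attempt, is easier with a checklist that a script can apply. The following Python is an added example for this page, not AusCERT's tooling: it parses two constructed messages (all domains are the reserved example.com/example.net names and the IP addresses come from the documentation ranges) and reports the classic payment-redirection tells: a Reply-To or Return-Path on a different domain from the visible From address, SPF/DKIM/DMARC results recorded by the receiving gateway that are anything other than pass, an originating hop outside the sender's domain, and lure wording such as "updated bank details". The lure phrase list is an assumption for the demo.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: a payment-redirection lure that copies the CFO's display name and
# address but is sent through, and replies to, a different domain (example.net).
SUSPICIOUS_MESSAGE = b"""Return-Path: <bounce@example.net>
Received: from mx.example.org (mx.example.org [192.0.2.10]) by mail.example.org; Mon, 1 Mar 2021 09:00:00 +1000
Received: from smtp.example.net (smtp.example.net [203.0.113.5]) by mx.example.org; Mon, 1 Mar 2021 08:59:58 +1000
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=example.net; dkim=none; dmarc=fail header.from=example.com
From: "Jane Citizen (CFO)" <jane.citizen@example.com>
Reply-To: <jane.citizen.cfo@example.net>
To: accounts@example.com
Subject: Urgent: updated bank details for invoice 1042
Date: Mon, 1 Mar 2021 08:59:50 +1000
Message-ID: <20210301085950.1@example.net>

Hi, please pay this invoice to our new account today. Regards, Jane
"""

# Constructed sample of a benign internal message that passes every check.
CLEAN_MESSAGE = b"""Return-Path: <jane.citizen@example.com>
Received: from mail.example.com (mail.example.com [192.0.2.20]) by mx.example.org; Mon, 1 Mar 2021 10:00:00 +1000
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Jane Citizen" <jane.citizen@example.com>
To: accounts@example.com
Subject: Team lunch on Friday
Date: Mon, 1 Mar 2021 09:59:50 +1000
Message-ID: <20210301095950.1@example.com>

See you all at noon.
"""

# Assumed lure vocabulary: proves nothing alone, but typical of payment-redirection scams.
LURE_PHRASES = ("bank details", "new account", "urgent", "wire", "payment today")


def _domain(header_value):
    """Lower-cased domain of the first address in a header, or '' if the header is absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def parse_auth_results(value):
    """Map spf/dkim/dmarc to their recorded results from an Authentication-Results header."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=([A-Za-z]+)", str(value or ""))}


def analyse_message(raw_bytes):
    """Return a list of (code, explanation) findings; an empty list means nothing stood out."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    from_dom = _domain(msg["From"])
    reply_dom = _domain(msg["Reply-To"])
    return_dom = _domain(msg["Return-Path"])

    # 1. Reply-To elsewhere is the classic BEC tell: replies never reach the real sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(("REPLY_TO_MISMATCH",
                         f"Reply-To domain {reply_dom} differs from From domain {from_dom}"))
    # 2. Return-Path is the envelope sender; a different domain means From was not MAIL FROM.
    if return_dom and return_dom != from_dom:
        findings.append(("RETURN_PATH_MISMATCH",
                         f"Return-Path domain {return_dom} differs from From domain {from_dom}"))
    # 3. SPF/DKIM/DMARC as evaluated by the receiving gateway (only trust your own gateway's header).
    auth = parse_auth_results(msg["Authentication-Results"])
    for check in ("spf", "dkim", "dmarc"):
        result = auth.get(check, "missing")
        if result != "pass":
            findings.append((f"AUTH_{check.upper()}", f"{check} result is {result}"))
    # 4. Received headers are prepended, so the last one is where the message first entered mail.
    hops = [str(h) for h in msg.get_all("Received", [])]
    if hops:
        m = re.search(r"\bfrom\s+([\w.-]+)", hops[-1])
        origin = m.group(1).lower() if m else ""
        if origin and origin != from_dom and not origin.endswith("." + from_dom):
            findings.append(("ORIGIN_HOST", f"first hop {origin} is not under {from_dom}"))
    # 5. Lure language in subject or body; worth a human look when combined with the above.
    text = (str(msg["Subject"] or "") + " " + msg.get_content()).lower()
    hits = [p for p in LURE_PHRASES if p in text]
    if hits:
        findings.append(("PAYMENT_LURE", "payment-redirection phrases: " + ", ".join(hits)))
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(f"== {label} ==")
        for code, why in analyse_message(raw) or [("OK", "no findings")]:
            print(f"  {code}: {why}")
```

Two caveats a practitioner would add: only the Authentication-Results header written by your own gateway is trustworthy (an attacker can insert one of their own, so production code should match the authserv-id against your gateway's name), and the domain comparison here is a plain string match, whereas a real check should compare registrable domains and also look for lookalike spellings of your own domain.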


.............................


AusCERT is a Cyber Emergency Response Team (CERT) based in Australia. We help members prevent, detect, respond to and mitigate cyber-based attacks. As a not-for-profit security group based at The University of Queensland, Australia, we deliver a 24/7 service to members alongside a range of comprehensive tools to strengthen their cyber security strategy and posture.


..........................

 

Resources:
[1] https://www.esafety.gov.au/kids
[2] https://girl-germs.com/?p=2324
[3] https://www.accc.gov.au/media-release/scammers-capitalise-on-pandemic-as-australians-lose-record-851-million-to-scams
[4] https://www.scamwatch.gov.au/types-of-scams
[5] https://www.auscert.org.au/blog/2020-11-06-case-study-incident-management
[6] https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-explained

Guest Post - Ross Marston - #Business cyber demystified

Thank you to Ross Marston, founder of Business Intelligence Security, for writing the below article about cybersecurity for businesses. 

.........

I’m lucky enough to get to talk to a lot of different business leaders, and I get it. It’s daunting for many, particularly SME/SMBs. Most businesses are aware that cyber security has the potential to massively damage their business. The evidence is in the news daily. And you think to yourself, “well if they got hit, what hope do we have?”. Well, I’m here to reassure you, and offer you a lot of hope. Below is a path to cyber resilience. It’s not a silver bullet, because they don’t exist. It’s a solid plan. You may need some assistance with some or all of it, but that’s okay. The main step is that you take charge and address this risk in your business.

“I’m here to reassure you, there is a lot of hope…”

Many business leaders simply assume their I.T. department or provider has cyber covered. They don’t! And there are many good reasons why they don’t. Not the least of which is that cyber isn’t an I.T. problem. It’s simply a business risk that the risk managers (business leaders) need to address.
It is within ANY business’ reach to be cyber resilient. 100% secure is impossible, so we aim for resilience. Having a cyber resilient business is the name of the game.
It’s like saying, “I’m 100% sure I won’t get sick”. Ridiculous! But being resilient to disease is very achievable. Resilience is simply the ability to bounce back readily from adversity or challenge. To be resilient you need to be prepared.

“it is within ANY business’ reach to be Cyber resilient”

Let’s look at our health analogy for a moment.  Many things affect your health, from genetics right through to your immediate environment.  The main thing you can do to positively impact your health is to prepare in advance.  Something like the following…

Think about your most likely health threats. Let’s just look at Flu for example.
If it’s flu season, plenty of hand washing, and avoiding direct contact with sufferers plus a few immune boosting supplements or foods will help.
At all times, boost the immune system by eating healthy, avoid too much booze, and stay fit, plenty of sleep, plenty of positive mental health time, etc.
If you still do get sick, rest up, plenty of fluids, take it easy, don’t spread it.
Get back on track as soon as possible.

Basically, have a plan. If you have no plan, then you are just at the mercy of whatever comes along.

It’s the same for business: having no plan is not a good idea. Your business needs a plan for everything it does. No business owner starts without a plan and just lets whatever comes along happen to them. They plan, and they measure how their plan is going.
Cyber is the same.  Many factors affect your business’ cyber resilience.  So, you need a plan. It’s simply another business risk you need to plan for. It’s certainly not an IT problem.  It’s a business risk, and it needs to be managed by risk managers.  Business leaders in other words.

Where to Start

So, let’s assume for a moment that you don’t know where to start with becoming cyber resilient. Well, fortunately many have been there before you. One source we are going to leverage now, for our basic plan, is the U.S. National Institute of Standards and Technology, or NIST as they’re known. They produce all sorts of cool stuff, from measurement standards through to the Cyber Security Framework (CSF).

What I like about the NIST CSF is its simplicity and scalability. It can easily scale from small start-up to international enterprise behemoth, and government. It consists of five core functions (Identify, Protect, Detect, Respond, Recover) that your business needs to flesh out according to its requirements.

We all know that Action Changes Things, so let’s break that down into action points…

Cyber Security Plan action list

1. Identify what is important to your business. What is most critical?
a. These are your Information Assets.
b. You need to know what’s most important, as there is no point in finding that out once it’s gone. (Reminds me of that Joni Mitchell song, Big Yellow Taxi: “You don’t know what you’ve got ‘til it’s gone.”) Take stock beforehand. That way you know what to protect.
c. You also need to prioritise your assets. Which ones are MOST important and critical? Rate them! (There are standardised ways to do this easily.)

 

2. Have a plan to protect those critical assets.
a. These are your controls.
b. Depending on the asset, this may be something simple like a policy or something technical like Multi Factor Authentication, or any combination of other types of controls as well.
c. One thing is for sure: you need layers of protection, not just one, so you’ll likely use multiple controls.
d. Start at the most critical assets identified in step 1 and protect them first, then move down the list.

 

3. Have a way to monitor and detect, to ensure your plan is working.
a. You wouldn’t have a financial plan and not look at your P&L to make sure it’s working. In the same way, you need ways to monitor that your controls are working.
b. You also need to know that things aren’t slipping through the cracks.
c. If you aren’t measuring, you have no idea if it’s working. If you have no idea if your plans are working, why make plans?
d. Pro Tip: Discovering you’re the victim of ransomware and your entire business is shut down is NOT monitoring! That’s disaster.

 

4. If you detect an incident despite your best efforts, how will you respond?
a. No plan is foolproof.  Hence, you need to know what you’re going to do, when you discover your plan isn’t foolproof, and you detect an event that shouldn’t be happening.
b. One thing I can guarantee, after responding to many cyber incidents. In the midst of an incident is NOT the time to be figuring out what to do.  Make a plan first!
c. Know who will be in the response team, what the communications channels are, who needs communicating with, what will be said, who’s making the decisions.  There’s a bunch of things to go in here, and again, there’s many who have trod this path before you.  Don’t re-invent the wheel.

 

5. Once we’ve responded, how will we Recover, to get back to where we were with the least fuss, and be stronger than we were before?
a. We detected an incident and enacted our plan. The incident is now resolved. How do we get back to where we were in the shortest possible time frame?
b. Not only back to where we were, but better. Stronger! What did we learn about how our plans above can be improved? Let’s fix the plan.

And there my friends, is a Simple Cyber Resilience plan.

Sure, it needs fleshing out and customising for your business.  But it’s a framework ANY business can work with. You may need help with some or all of it, but you need to be in charge.  And let’s face it, there’s a whole lot of people in the cyber security industry only too happy to assist.

If you do need to demonstrate compliance with a cyber standard, then maybe the ASD ISM, PSPF, DISP, Right Fit for Risk, or ISO/IEC 27001 are more appropriate. Or maybe you need something simple and prescriptive like the ASD Essential Eight. It’s a good starting point, but lacks any policy framework, which I think is essential.

But if you just need to start, do the above.  It works. I have implemented it many times and it serves its design purpose, to help make your business more Cyber Resilient.

Stay Safe!
Ross Marston CISSP




Guest Post - Greg Sawyer - #Cybersecurity - The low hanging fruit is your best first step

Thank you to Greg Sawyer, Director of the CAUDIT Cybersecurity Program, for writing the below article about cybersecurity practices in a home environment. Protecting our families from cybercrime is important, and this article provides good advice on how to do this.

.........

The low hanging fruit is your best first step

Being a parent and bringing kids up in a digitally connected world can seem daunting. They are increasingly expanding their connections to the digital world and wanting increasing amounts of digital engagement. What should I be discussing with them? At the other end of the scale, what should I be discussing with my parents, who find all the technology daunting?

In cybersecurity we must speak many languages. Business, to break cyber down into impacts and risk. Jargon, when engaging with the technical people dealing with the sharp end of cyber. Sometimes we even throw in nerd to share deep technical thoughts. The media likes to present cyber in sensational language to increase clicks on a site: an imposing world of sensational news stories and well-crafted images portraying the cyber threats as shady characters with the might of adversaries like Korea, China and Russia behind them. A language we should all speak is keeping it real. Yes, those threats are there, but some simple good practices, known as cyber hygiene, can make a massive difference.

So, here is my advice to my kids and parents.


1. Download and use a password manager. It might take a bit to get used to, but in the long term it will prove valuable. There are plenty available, but LastPass, Dashlane and 1Password are good starting points. Store your password manager’s master password securely in a safe. That’s the only password you need to remember.

2. Use passphrases instead of passwords where possible. A passphrase is a series of random words, with a special character, a number and a capital letter, that is at least 32 characters long. If you can, make it even longer than that. They are easier to type in because they are a series of words.

3.  Use a different passphrase or password for each system. This ensures that if one account is compromised, the attacker only gets access to that account, not all of them.

4.  Utilise multifactor authentication where possible. Multifactor authentication is a second check, in addition to your password, when authenticating (logging in). It can be as simple as receiving an SMS with a unique code to enter when authenticating. An authenticator app or a hardware security key is stronger than SMS, but any second factor is far better than none.

5. Utilise antivirus software and the security tools that are available on most computers. Turn these on and leave them at the recommended defaults. The Australian Cyber Security Centre (ACSC) web site has some good guides to assist you.

6. Avoid clicking on links.
If in doubt with any email, SMS or website you are accessing, see if you can find another way to check it is safe. Search for their details online and call that company. Try to avoid clicking on any links if you can. Most good companies will not contact you like that.

7.  Update your systems. Turn on auto updates and if unsure ask someone who you know has the skill, talk to a professional or again use the resources from the ACSC link in this blog (or if following my advice, search for them yourself). The ACSC step by step guides are invaluable. Avoid well-meaning friends if you can. The best intentions may end up in you being worse off.
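
Tip 2 is easy to get wrong by hand (people reuse the same "random" words), so here is an added example for this page, not the author's own tool, of generating passphrases that meet the rule above and of measuring how much strength the words actually add. It uses Python's secrets module, which is the right source of randomness for anything used as a credential. The 64-word list is constructed for the demo and is deliberately tiny; a real generator should draw from a large published list such as the EFF long wordlist (7,776 words), and the entropy function shows why.

```python
import math
import secrets
import string

# Constructed, deliberately small wordlist for the demo (64 words). A real generator should
# use a large published list so that every word adds more entropy.
WORDLIST = (
    "anchor", "barbecue", "cactus", "dolphin", "ember", "falcon", "glacier", "harbour",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nectar", "orbit", "pelican",
    "quartz", "ripple", "saddle", "timber", "umbrella", "velvet", "walrus", "yonder",
    "zephyr", "acorn", "bramble", "copper", "drizzle", "eagle", "fossil", "granite",
    "hammock", "ivory", "jungle", "koala", "lagoon", "marble", "nutmeg", "oyster",
    "paddle", "quiver", "rocket", "sapphire", "tundra", "ukulele", "violet", "wombat",
    "yarrow", "zinc", "beacon", "canyon", "dingo", "emu", "fern", "gumtree",
    "harvest", "iceberg", "jetty", "kelp", "lighthouse", "mango", "noodle", "outback",
)
SYMBOLS = "!@#$%^&*?"


def generate_passphrase(min_length=32, words=WORDLIST, separator="-"):
    """Random words joined by a separator, plus one capital letter, one digit and one symbol."""
    chosen = []
    # Keep adding words until the joined phrase alone reaches the minimum length.
    while len(separator.join(chosen)) < min_length:
        chosen.append(secrets.choice(words))
    # Capitalise one randomly chosen word so the phrase carries an upper-case letter.
    idx = secrets.randbelow(len(chosen))
    chosen[idx] = chosen[idx].capitalize()
    # Append a random digit and a random symbol; secrets, not random, for credentials.
    return separator.join(chosen) + str(secrets.randbelow(10)) + secrets.choice(SYMBOLS)


def meets_policy(phrase, min_length=32):
    """Check the length, capital, number and special-character rules from the tip above."""
    return (len(phrase) >= min_length
            and any(c.isupper() for c in phrase)
            and any(c.isdigit() for c in phrase)
            and any(c in string.punctuation for c in phrase))


def word_entropy_bits(word_count, wordlist_size):
    """Bits of entropy from the word choices alone (words drawn independently with replacement)."""
    return word_count * math.log2(wordlist_size)


if __name__ == "__main__":
    phrase = generate_passphrase()
    n_words = phrase.count("-") + 1
    print(phrase, "meets policy:", meets_policy(phrase))
    print(f"{n_words} words from a {len(WORDLIST)}-word list: "
          f"{word_entropy_bits(n_words, len(WORDLIST)):.1f} bits")
    print(f"6 words from a 7776-word list: {word_entropy_bits(6, 7776):.1f} bits")
```

The entropy figures are the point: five words from this 64-word list give only 30 bits no matter how long the phrase looks, while six words from a 7,776-word list give about 77.5 bits. Length is what makes a passphrase easy to type; the size of the wordlist and the number of words are what make it hard to guess, so check both rather than counting characters alone.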

Implementing some basic good cyber hygiene and being aware will help keep you safe online, and hopefully allow you to enjoy the time connected rather than fear the shadows in the background. Spend the time to complete the basics, and I wish you safe browsing.

 Helpful links:

Australian Cyber Security Centre for individuals and families - https://www.cyber.gov.au/acsc/individuals-and-families

........................................................


Keep your families safe from cybercrime




#Cybercrime - cryptojacking

Have you heard of virtual currencies called cryptocurrencies? There seems to be a new one every day! It started with Bitcoin in 2009, and in 2021, according to Investopedia *, there are more than 4,000. Below is a list of the five that seem to be more publicly known.

  • Bitcoin (launched 2009)
  • Litecoin (launched 2011)
  • Dogecoin (launched 2013)
  • Monero (launched 2014)
  • Ethereum (launched 2015)

Cryptocurrency transactions and verification involve complex calculations using a lot of computer power. People can allow their computers to participate in this activity, like little electronic accountants and auditors, to try to earn fractions of virtual currency as a reward for doing the calculations. This is called cryptomining. It takes a lot of computer 'brain energy' to cryptomine and actually earn anything, so criminals wanting to take advantage of the rise in virtual currency have turned to cryptojacking, usually mining coins such as Monero that can be mined on ordinary CPUs.

Cryptojacking is where criminals trick someone into downloading a type of malware that sneakily uses the infected computer to mine virtual currency, or plant mining code in a web page so that the browser mines for as long as the page is open. Sometimes the cryptojacking can go on for a very long time, and the only signs are that the person's computer is running slowly, the fans are working hard, or a laptop battery drains quickly. A computer can become infected with cryptojacking software in a variety of ways, including: through malicious links in emails, inadvertently downloading it from a compromised website, or by downloading an app that has been compromised or is masquerading as legitimate software.

Ways to help keep your computer safer from cryptojacking

  • Use a reputable anti-virus solution and ensure it is kept up to date
  • Keep your operating system and software patched and up to date
  • Consider using a reputable browser extension that blocks cryptomining
  • Be cautious what software or apps you download
  • Be cautious about clicking links in emails
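
Because a slow computer is the only symptom most people notice, it helps to know what a miner looks like from the inside. The Python below is an added example for this page, not tooling from the original post: it scores constructed process and connection records (the kind you would assemble from ps, ss -tnp and a packet capture, or from EDR telemetry) against three indicators: an outbound connection to a port that mining pools commonly use, sustained high CPU, and the Stratum mining protocol's JSON-RPC messages (mining.subscribe / mining.authorize for Bitcoin-family miners, login for Monero miners such as XMRig) in the first bytes sent. The port list and the miner user-agent hints are assumptions for the demo, and a single indicator is deliberately not enough: video encoding also pins the CPU, which is why the ffmpeg record below is not flagged.

```python
import json

# Assumed list of ports that public mining pools commonly listen on. A hit is a reason to
# look closer, not proof: plenty of legitimate services use these ports too.
COMMON_POOL_PORTS = {3333, 4444, 5555, 7777, 8888, 9999, 14444}
# JSON-RPC methods from the Stratum mining protocol: v1 (mining.*) as used by Bitcoin-family
# miners, and the login/submit variant used by Monero miners such as XMRig.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit", "login", "submit"}
# Assumed substrings of user-agent strings that miners send when they connect.
MINER_AGENT_HINTS = ("xmrig", "cpuminer", "minerd")


def stratum_indicators(payload):
    """Return indicators found in the first bytes a process sent on a connection, if any."""
    found = []
    try:
        msg = json.loads(payload)
    except (ValueError, TypeError):
        return found            # not JSON at all (TLS, HTTP, binary), so not Stratum
    if not isinstance(msg, dict):
        return found
    if msg.get("method") in STRATUM_METHODS and "params" in msg:
        found.append(f"stratum method {msg['method']}")
    params = msg.get("params")
    agent = ""
    if isinstance(params, dict):            # XMRig-style: params is an object with "agent"
        agent = str(params.get("agent", ""))
    elif isinstance(params, list) and params:   # Stratum v1: first param is the client name
        agent = str(params[0])
    if any(hint in agent.lower() for hint in MINER_AGENT_HINTS):
        found.append(f"miner user agent {agent}")
    return found


def assess_process(rec, cpu_threshold=80.0, sustained_seconds=600):
    """Score one process record; returns (score, reasons). A score of 2 or more deserves a look."""
    reasons = []
    if rec["remote_port"] in COMMON_POOL_PORTS:
        reasons.append(f"outbound connection to pool-style port {rec['remote_port']}")
    if rec["cpu_percent"] >= cpu_threshold and rec["busy_seconds"] >= sustained_seconds:
        reasons.append(f"{rec['cpu_percent']:.0f}% CPU for {rec['busy_seconds'] // 60} minutes")
    reasons.extend(stratum_indicators(rec.get("first_payload", "")))
    return len(reasons), reasons


def find_cryptojacking(records, min_score=2):
    """Return the pids of processes whose combined indicators reach min_score."""
    return [r["pid"] for r in records if assess_process(r)[0] >= min_score]


# Constructed telemetry: one browser tab, one miner, one legitimate CPU-heavy job, and a
# quiet process that has just connected to a pool and identified itself as cpuminer.
SAMPLE_RECORDS = [
    {"pid": 4101, "name": "chrome", "cpu_percent": 12.0, "busy_seconds": 30,
     "remote_host": "www.example.com", "remote_port": 443, "first_payload": "\x16\x03\x01"},
    {"pid": 4172, "name": "helper", "cpu_percent": 97.0, "busy_seconds": 5400,
     "remote_host": "pool.example.net", "remote_port": 3333,
     "first_payload": '{"id":1,"jsonrpc":"2.0","method":"login",'
                      '"params":{"login":"wallet","pass":"x","agent":"XMRig/6.x"}}'},
    {"pid": 4210, "name": "ffmpeg", "cpu_percent": 99.0, "busy_seconds": 900,
     "remote_host": "", "remote_port": 0, "first_payload": ""},
    {"pid": 4233, "name": "updater", "cpu_percent": 5.0, "busy_seconds": 10,
     "remote_host": "cdn.example.org", "remote_port": 4444,
     "first_payload": '{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5"]}'},
]


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        score, reasons = assess_process(rec)
        flag = "SUSPECT" if score >= 2 else "ok"
        print(f"pid {rec['pid']:<5} {rec['name']:<8} {flag:<8} {'; '.join(reasons)}")
```

Note that pid 4233 is flagged even though it is using almost no CPU: a miner that throttles itself to stay unnoticed still has to speak Stratum to its pool, which is why the protocol check matters more than the CPU check, and why blocking outbound pool traffic at the network edge is an effective control alongside the antivirus and patching advice above.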

_______________________

(*) https://www.investopedia.com/tech/most-important-cryptocurrencies-other-than-bitcoin/