Articles by the cybersecurity community


#cybersecurity - 5 points about vulnerabilities and patching

Software and technology evolve fast, and at times they contain an inadvertent flaw. Vulnerabilities in technology or in software code can be exploited by criminals to gain access to a person’s computer or phone, or to a company’s systems. Software companies release security patches to fix or mitigate security flaws that have been discovered in their code.

 

Five points about vulnerabilities and patching:

1. Vulnerabilities – A flaw in code, hardware or a system’s configuration that may be exploited by criminals to gain access to restricted systems.

2. Zero day – A vulnerability that the vendor does not yet know about, and for which no fix exists, is called a zero-day vulnerability; an attack that uses it before a patch is available is a zero-day exploit. Once the flaw is disclosed and patched it is no longer a zero day, but systems that have not installed the patch remain exposed.

3. Exploits – Criminals exploit vulnerabilities in applications to steal passwords, gain access to networks and install malware.

4. Patches – Software companies release security patches to fix or mitigate security flaws. A patch only protects a system once it has actually been installed.

5. Patching – All users of technology, whether individuals or corporate entities, need to keep their systems and software current and patched, as this helps to protect the technology from criminal exploitation.
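Point 5 is easy to state and hard to keep on top of, so here is the check behind it in code, as an added example that is not part of the original post: compare an inventory of installed software against advisories that name the fixed version, so every host still running an older build on a patched release branch shows up in a patch backlog. The product names, version numbers and advisory identifiers below are constructed for the demonstration, not real advisories.

```python
"""Compare a software inventory with security advisories that name the fixed
version(s), and list what still needs patching.

Added example, not code from the original post. Every product, version and
advisory identifier below is constructed for the demonstration."""


def parse_version(text):
    """'2.4.49' -> (2, 4, 49). A suffix such as '-beta' is dropped, and
    anything after the first non-numeric label is ignored."""
    parts = []
    for label in text.split("."):
        digits = ""
        for ch in label:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_vulnerable(installed, fixed_versions):
    """True when the installed build is older than the fix for its own release
    branch (9.0.62 fixes the 9.0 branch, 8.5.78 the 8.5 branch). A branch the
    advisory lists no fix for is treated as vulnerable: nothing says otherwise,
    and it is usually an end-of-life line."""
    inst = parse_version(installed)
    for fix in fixed_versions:
        fixed = parse_version(fix)
        branch = fixed[:-1]
        if inst[:len(branch)] == branch:
            return inst < fixed
    return True


# Constructed sample data: an advisory feed and an asset inventory.
ADVISORIES = [
    {"id": "ADV-2021-001", "product": "webserver", "fixed": ["2.4.51"]},
    {"id": "ADV-2021-002", "product": "appserver", "fixed": ["9.0.62", "8.5.78"]},
]
INVENTORY = [
    {"host": "web01", "product": "webserver", "version": "2.4.49"},
    {"host": "web02", "product": "webserver", "version": "2.4.51"},
    {"host": "app01", "product": "appserver", "version": "8.5.70"},
    {"host": "app02", "product": "appserver", "version": "9.0.62"},
    {"host": "legacy", "product": "webserver", "version": "2.2.34"},
]


def patch_backlog(inventory, advisories):
    """Return (host, advisory id, installed version) for every exposed asset."""
    backlog = []
    for asset in inventory:
        for adv in advisories:
            if adv["product"] == asset["product"] and is_vulnerable(asset["version"], adv["fixed"]):
                backlog.append((asset["host"], adv["id"], asset["version"]))
    return backlog


if __name__ == "__main__":
    for host, adv_id, version in patch_backlog(INVENTORY, ADVISORIES):
        print(f"{host}: version {version} is affected by {adv_id}")
```

The inventory is the hard part in practice: you cannot patch what you do not know you are running, which is why the AusCERT post further down this page starts with "identify all of your infrastructure".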



Guest Post - Ella Donald - How do I spot a #phishing scam? #cybersecurity

Thank you to my lovely colleague, Ella Donald, for generously taking time to write this article supporting the demystifying cyber project and helping people to stay safer from cybercrime.

How do I spot a phishing scam?

As society becomes more digitised, our lives are increasingly conducted online. We must give our banking details, identifying information, and more to many sources, and may be prompted to provide them again. Our email inboxes are, more than ever, a receptacle of sensitive information. So, if many organisations – from our bank, to gym, to phone company, postal service, and government – have our details, how can we tell that an email from them is legitimate?

Phishing scams are attempts by an attacker to extract personal information from a victim. This information can include banking and credit card details, passwords, and other personal details, and the attempt can be made through emails, phone calls, and text messages. Phishing scams can also install malicious software (e.g. ransomware) on a computer. These scams are becoming increasingly common and complex in this digital age, with attackers impersonating trusted brands and organisations from Australia Post, to the Australian Taxation Office, to Netflix. How can we keep our information safe in these circumstances? Below, learn how to spot a phishing scam, and how you can stay safe online.

Navigate to the website yourself to check

Phishing scams usually have a sense of urgency – for example, an email telling you that your account or computer has been compromised, or a call informing you of a charge on your credit card. Attackers have recently posed as Amazon and Microsoft to carry out scams like these, designed to elicit a knee-jerk reaction from the victim. When receiving a message such as this, it's important not to panic and respond to the call, message, or email – and never open a link or attachment in an email that has this tone. This could trigger ransomware or other malicious software to be installed on your computer.

Instead, open your web browser and navigate to the website of the organisation or brand that the email claims to be from. Then log into your account, and check your details, transactions, or other information that the message is claiming to be compromised. If you can’t access their website, ring their official number (not that listed on the email, or the number that called you) and ask to speak to a representative, who will be able to verify the legitimacy of the message. This will ensure that you’re accessing a legitimate website and are avoiding any possible viruses.

Check the email address it is coming from

Official emails – whether from PayPal, Google, the government, Netflix, or a bank – will come from an address that includes the official domain name (e.g. ‘(name)@google.com’, ‘(name)@paypal.com’). When receiving an email that asks for banking or other personal information, click on the sender’s name to reveal the actual address it is coming from; the display name can say anything, so it is the part after the ‘@’ that matters. If the address doesn’t match the official domain name (you can always navigate to the organisation’s website yourself to check what it is), and is perhaps a mess of letters and numbers, or a near miss such as an extra word or a swapped letter, this is an indication that the message is a phishing scam. A matching address is not a guarantee either: the From address can be forged outright, which is why the other checks here still matter. Again, you can always log into your account on their official website or give them a call to check. Better safe than sorry.

Look out for misspellings and other imperfections

One hallmark of phishing emails is their subtle imperfections, that may not be immediately noticeable to the panicked eye but are obvious upon closer inspection. These can be everything from slightly pixelated images, to a misspelled domain name, to poor grammar in the email text. Alternatively, it may be that the layout and style of the message doesn’t fit previous communications you’ve received. These are a sign of a phishing scam, caused by the use of translation programs (that can provide a word without the proper context) and templates. If something looks not quite right, delete the email, and get in touch with the company through another method.
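The last two checks (does the sender’s domain match the official one, and do the links go where their text says) can be done mechanically. The following is an added example, not code from the original article; it assumes a short list of official domains the reader has already confirmed by visiting the real sites, and both sample emails are constructed for the demonstration.

```python
"""Sender-domain and link checks for a suspicious e-mail.

Added example, not code from the original article. OFFICIAL_DOMAINS and both
sample messages are constructed for the demonstration."""
import difflib
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: domains the reader confirmed by typing the real site into a browser.
OFFICIAL_DOMAINS = ["google.com", "netflix.com", "paypal.com"]


def registrable(host):
    """'mail.paypal.com' -> 'paypal.com'. Last-two-labels heuristic; wrong for
    ccTLD forms such as 'bank.com.au' (a real tool uses the Public Suffix List)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Gather (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_host(host, official):
    """Red flags for one hostname: unknown, lookalike, or brand-name abuse."""
    domain = registrable(host)
    if domain in official:
        return []
    flags = [f"{host}: not an official domain"]
    near = difflib.get_close_matches(domain, official, n=1, cutoff=0.8)
    if near:  # one swapped letter away from a real domain, e.g. paypa1.com
        flags.append(f"{host}: looks like {near[0]} (misspelling or homoglyph?)")
    for real in official:
        brand = real.split(".")[0]
        if brand in host.lower():  # e.g. paypal.com.account-verify.net
            flags.append(f"{host}: uses the name '{brand}' but is not {real}")
    return flags


def analyse(raw_message, official=OFFICIAL_DOMAINS):
    """Return red flags; an empty list means nothing obviously wrong. From: can
    be forged outright, so an empty list is not proof of legitimacy."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, sender = parseaddr(str(msg["From"] or ""))
    flags = check_host(sender.rsplit("@", 1)[1], official) if "@" in sender \
        else ["From: contains no usable address"]
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            target = urlparse(href).hostname or ""
            shown = urlparse(text).hostname if "://" in text else None
            if target:
                flags += check_host(target, official)
            if shown and shown != target:
                flags.append(f"link text shows {shown} but points to {target}")
    return list(dict.fromkeys(flags))  # de-duplicate, keep order


# Constructed samples (not real messages).
PHISH = """\
From: "PayPal" <service@paypa1.com>
To: you@example.com
Subject: Your account has been limited
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Unusual activity was detected. Confirm within 24 hours:</p>
<a href="http://paypal.com.account-verify.net/login">https://www.paypal.com/myaccount</a>
</body></html>
"""
LEGIT = """\
From: "PayPal" <service@paypal.com>
To: you@example.com
Subject: Your monthly statement is ready
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is ready.</p>
<a href="https://www.paypal.com/myaccount">Go to your account</a></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, analyse(sample) or ["no red flags"])
```

The link check matters because mail clients show the anchor text, not the target; hovering over a link (or, on a phone, long-pressing it) reveals the same mismatch by hand.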


Ella Donald works with The University of Queensland’s Data Strategy and Governance team, and has a background in journalism and communications.

Guest Post - Simon Stahn - So, you want a new IOT device in your home ... #cybersecurity #IoT

Thank you to the well-respected data governance and information security expert, Simon Stahn, founder of consultancy and advisory company Adrenalan, for writing this article and supporting the demystifying of all things cyber. If you are deciding whether or not to get your home interconnected, or already have IoT in your home, this is the article for you to read.


So, you want a new IOT device in your home… how do you go about evaluating its risks to you and your environment?

Let’s reduce this to the questions you should be asking yourself to discover enough about the device, the manufacturer and the cloud app before you let this 'thing' into your home.

When I approach new things, the first question I think about is:

Why do I need this device and what benefit(s) is it bringing me?

I think of the ’why’ as the key to my internal business case. This why determines both the benefit it (might) bring as well as qualifying what we are balancing the risk of having the device join our network and share in our data.


If we’ve established the why, we need to establish the risks of having the device in our lives and on our network. To get a feel for the risks, ask yourself the following questions:

Firstly, what data will the device actually be collecting and/or using to provide you a service? This is pretty crucial to the overall use case - if the device is measuring the temperature of your living room and that data gets out… 🤷‍♂️ well that’s likely not a big issue. But if it’s video and audio from the baby monitor and it’s being handled in a country that is not ‘legally friendly’ with Australia (i.e. any misdeeds with that data cannot be punished in any way) then it might be a bigger issue for you.

What info does the device or corresponding app need about me (or my family/business/staff) in order to function, or even to set it up? Is this ‘personal info’ that, if it fell into the wrong hands, could be used against me in some way?

o As a sub-question, can I give the device false info and still achieve my objectives in having the device? i.e. it’s not a law enforcement, government or financial sector device or app where it might not be legal to provide false details.

Where is my data stored? The answer to this will determine whether or not you could do anything about it if the organisation you, or your devices, gives the data to has a data breach.

Can I delete my data? If your new device has a one-way flow of data out to some cloud service, can you ensure that data is removed/deleted from the service after a given time period?

What is the likelihood of my data being breached? Evaluating this question as a “non techie” is very, very difficult. Even inside the info security industry, it is difficult to determine all the factors needed to make an educated guess at the probability of the data “getting out” to somewhere unintended. However, what I mean here, for most people reading this, is that if you’ve heard of the big name (think Microsoft, Google, Amazon Web Services) then there is an inherent safety factor in that most of those companies spend a lot of money to protect themselves and their client data within their systems - because they will be held accountable when something goes wrong. On the other hand, “Mom & Pop’s Corner Data Mart”, based in a different country, may face little to no repercussions.

How does the device connect to the internet/cloud? Is it through your wifi or a built-in mobile data service?

Can I use a unique email address for sign-up in order to provide some traceability if the gathering party misuses my data? e.g. with Gmail you can setup an email with a ‘+’ in it, to provide you some easy tracking if your email address is used for something other than what you gave consent to.

If the software (device or cloud app) isn't updated or 'patched' regularly, what does this do to my risks?

The term 'risk' used here is combination of the likelihood of something happening (usually untoward or it would be an opportunity, not a risk!) and the impact of that something happening. There are usually also mitigations that help reduce the overall risk.

A brief, simplistic example would be of a baking tray in a hot oven. If you open the oven and take out the tray with your hand, the likelihood of your skin coming into contact with the tray is 'almost certain' and the impact of coming into contact with the hot tray may be 'major' (i.e. being burnt). Combining the likelihood and impact we might end up with a 'high' risk to your health and safety. However, a simple mitigation of wearing a heat-proof oven mitt would lower (i.e. 'mitigate') the likelihood of your skin coming into contact to 'very rare' and may decrease the impact slightly as well, to say 'minor' (by decreasing the possible surface area of skin that may be affected during contact). Thus, the resultant risk with the mitigating mitt would be 'low'.

CHECKLIST

For those of you still reading who like checklists, my thinking is along the lines of understanding the following:

Why do I need this device; what benefit does it bring me?

What data will the device be collecting/using?

What info does the device or corresponding app need about me? How could this info be used against me?

Where is my data stored? And can I delete my data if I want to?

What’s the likelihood of my data being breached, and what is the impact to me?

How does the device connect to the internet/cloud, and how does data get in/out of your environment?

How is the device maintained / patched, and how regularly?

Practical Application

Let’s put this into practice and weigh up a use case I have just gone through - getting an IOT device to check pool chemical levels. For those that don't own a pool, there are various chemical levels that need to be 'in balance' for a domestic swimming pool to stay clean, sanitary and nice to swim in. Typically, pool owners use either test strips bought from the local pool shop or hardware, they take water to a pool shop for testing, or they pay someone to come around regularly to maintain their pool. I've been in the 'test strips' group but with an interest in home automation and a bit of a data geek, I could see the point in something a little higher tech, more accurate, and less wasteful of those little chemical strips; i.e. more sustainable, reliable and consistent.  

Context / aka 'use case': The test strips, and replacements I've been using, have provided unreliable, inconsistent data to me about the condition of the pool - namely pH, chlorine and salt levels. This has meant I've been treating the pool incorrectly (based on incorrect data) and have been spending too much money. The core problems are consistency and accuracy (within the limits of a pool testing device, but not a scientific tool for research) to cut financial losses in chemical costs. The pool is also inconveniently placed for me to do testing on a daily basis (i.e. I'm lazy and don't like going out in the cold and dark of a winter's morning!) to ensure I get my data.

 

Solution: a device that tests for the core levels (pH, free chlorine, salinity) with enough accuracy that I can make decisions and see trends (like pH rising over a week). And being a techno geek of some sort, I would like that delivered to my smartphone or email.


What benefit(s) does it bring me?

The device + cloud app brings me the ability to know what my pool chemical levels are like, updated on an hourly basis. This allows me to make decisions (like adding pool acid) based on not only instantaneous data (like using a pool testing strip) but on historical data over the whole day or week. In turn, this drives down the cost of making pool chemical errors, lessens wastage of both chemicals and testing strips; leading in turn to more swimming time and less swearing at the state of the pool.


What info will the device be collecting?

The device I put on my short list detects and collects pH, free chlorine, salinity, and temperature. There's no location data, other than what I choose to tell the app so it can give me weather predictions. 

For the purposes of a basic "can this data be used against me" analysis… well, you can tell how bad I am at managing our pool but in real terms, there is not much an attacker could do with this info. (Please get in touch if you think that the pH level of my pool could be used against me in something other than a public shaming of my pool maintenance because I'd legitimately love to hear another angle!)

All in all, I'm comfortable with what the device collects and sends away to be stored. (I am hopeful it will show that I will get better at pool maintenance… but that trend will only be visible with hindsight!)

 

Moving on - what info does the device need to operate?

It turns out that the setup of this device is app + bluetooth based (info I obtained from the website prior to purchase). I had made an unvalidated assumption that the device would then default to wifi connection, in order to upload its data to a cloud app.

It turns out I completely missed the fact it can use wifi but only does so when the Sigfox network is not available in the installed area. The what-fox-network!?! Standing there with the installer drilling holes in my pool piping, I realised I had never heard of the Sigfox network… I had a quick decision to make - do I let this install go ahead or stop it now?

I made a quick mental risk calculation - the device will be connected to 'some other network' but not mine and transfer minimal data (basically a few data points, every hour or so) to a cloud service. Thus, it should not be "a way in" to my network, so I let the install continue.

(As a side note - I actually have an IoT zone on my wifi network for such devices as this and had the details ready for the installer.)

Going back to answer the question though - the device only needs enough 'data' of mine to link/sync up with your account in the cloud app… so I'm happy enough with that.

 

Moving on from the shock of discovering a type of network I had not heard of yet that has coverage in my backyard… 

 

What data does the corresponding app need?

When setting up the app, I created an email address unique for this install in the format of myname+devicename@example.gmail.com which is simply delivered to the myname@example.gmail.com mailbox I already use. However, if the cloud app provider ever has a data 'leak' (or sells the data) then I might find spam coming to that particular myname+devicename address, so I at least know where the leak happened. 

Note that this is not 'protection' but it is a form of 'detection' in the language of security. I also used my password manager to generate a unique, long, complex passphrase that I'll never have to remember, because the password manager does that for me (topics for a different post, I'm sure!).


The app also wanted my location (via smartphone location/GPS) as a one-time set of location, to sync up weather patterns that may be helpful when determining pool conditions. I ‘corrected’ the app’s location data and set it for a park near my house - close enough for weather purposes - but not my actual home address.

 

So far, so good - nothing I wouldn't expect, given what the device needs to do to provide me with my benefits. It has asked for no credit card numbers, photos of my driver's license or requests for my mother's maiden name or birthday. 👍

As a side note, this lack of pumping me for information is refreshing but correlates nicely with the manufacturer being European and having to conform with GDPR. Having the manufacturer conforming to this privacy legislation provides me with comfort that they will uphold some basic privacy principles like not storing or using my data for purposes other than what I have consented to.


What’s the likelihood of my data being breached and the impact to me?

Looking at what I know so far about the device and cloud app, I decided that the likelihood was effectively irrelevant as the impact of a data breach to me would be basically non-existent. 

Said another way, there is only pool water data and a unique user+password combo being held by the company providing me with the service – any breach of this data should cause me no harm, so I’m not going to invest time and effort investigating exactly where and how the company is storing my data.


How does the device connect to the internet/cloud, and how does data get in/out of your environment?

As evaluated earlier, the device connects outside of my home network. I can connect directly to it from my phone, using Bluetooth, to request an immediate water check, however this only provides an attack vector to my smartphone. As I’m using an up-to-date iOS device to run the app, using the IoT device (and its very limited compute power) to ‘attack’ me via my smartphone would be a very esoteric and costly way of ‘getting in’ to my environment. 

While valid for some threat models, I’m going to discount them for the typical ‘home user’ and this post. Why? Because they’re theoretical attacks around a completely different threat model to the target audience (please excuse the pun). If the device was, for example, a set-top box that is connected to a home’s core network and uses/stores your credentials to access your home computers for videos and music, there is a far more credible threat to be thought through based around the data and access of that particular IoT device.


Lastly, let’s look at how the device is maintained / patched, and how regularly.

For this IoT device, I’m not even sure it can get software updates as it is a very basic device. If it does, it will likely require a local Bluetooth connection from the smartphone. The Sigfox network seems to exist more for transferring captured data points, not maintaining software/patch-levels.

The supporting cloud app seems to be patched through the smartphone’s app store for bugs and features, and the cloud server side is invisible to me. As covered earlier, if this device gathered info that I was more concerned about, I would investigate the server side more.

Summary

In summary, while I did look at my list of key points to evaluate, the lack of the device and related cloud app gathering any data of use to anyone but me, along with the benefits the device should realise made it a quick decision to approve the device for install.

Now if only someone would break into the device, see the trend of my pool’s pH levels rising on a daily basis and tell me exactly how I can solve that problem… now that’s a ‘hack’ I could get behind!


#cybersecurityFAQ - Does HTTPS mean the site is safe?

The Cybersecurity FAQ series, in the Demystify Cyber project's blog, looks at some commonly asked questions about cybersecurity and cybercrime. If you have a query you would like covered in a future blog post please contact Demystify Cyber via the contact form.

________________________________________


QUESTION: If the website has HTTPS does that mean it is safe?

ANSWER: HTTPS means the web traffic is encrypted in transit, which protects the data you send from being read or altered on the way, but it does not mean the website itself is safe.

The Hypertext Transfer Protocol Secure (HTTPS), first used in 1994, places a layer of encryption (TLS) over HTTP to help prevent sensitive data, like payment details, being eavesdropped on or tampered with in transit. The certificate behind the padlock proves only that whoever runs the site controls the domain name shown in the address bar; it says nothing about who they are or what the site does. So a site using HTTPS is encrypted and private, however just because a website is using HTTPS does not mean the site is safe from being compromised, nor does it prevent a site from dropping malware on its visitors' computers or being used to phish for credentials. In fact criminals routinely obtain certificates, often free of charge, for their own malicious websites, so a phishing page can show the same padlock as your bank.

Do not be lulled into a false sense of security when you see a site is using HTTPS, it may be encrypted but that doesn't mean the site is not being used by criminals.


10 cybersecurity essentials for individuals

If you use connected or connectable technology in any form it is essential you do what is in your power to help protect your information, finances and accounts. Although cyber security can seem daunting, it is just another avenue of life we need to learn to be secure in. From a young age you may have learned about keys and locking doors, or looking both ways before crossing a street; let's make cybersecurity as easy to understand!

Here is a list of some achievable basic cybersecurity essentials to consider.


  1. Keep software patched
  2. Use reputable and up to date antivirus software
  3. Use strong unique passwords – do not reuse passwords
  4. Use 2FA or MFA wherever possible
  5. Be vigilant about phishing, vishing and smishing scams, and those seeking to groom you or your children
  6. Protect your Personally Identifiable Information (often referred to as PII) and understand how to help others protect theirs
  7. Be cautious what you download or on what links you click
  8. Back up data regularly and store offline
  9. Review online accounts and credit reports
  10. Take care what you post online about your job, accesses, location




[Image: cartoon of a green frog typing, with a speech bubble saying it uses multi-frog authentication to keep its accounts secure]







Guest Post - Laura Jiew and Sean McIntyre from AusCERT - I got 99 problems but a vuln ain’t one


Thank you to AusCERT's Laura Jiew and Sean McIntyre for writing a guest post for the Demystify Cyber project. Cybercrime fighting is truly a team sport, and I am thrilled to have this contribution from AusCERT for the blog. The team at AusCERT have always been extremely supportive of me both professionally and with my personal projects and volunteer work, and they are passionate about supporting the community and Nation to stand strong against cybercrime. I recommend their blog for up-to-date cybersecurity information; you can get to it from this link: https://www.auscert.org.au/resources/blogs/

............

 Ninety nine problems but a vuln ain't one

If you’re having cyber problems, I feel bad for your SOC
I got ninety nine problems but a vuln ain't one, hit us!   

Okay, cheesy (revised) lyrics aside, I caught up with my colleague Sean McIntyre - Information Security Analyst at AusCERT - to discuss our shared thoughts on the common misconception that cyber criminals are “hooded / masked baddies” and we outlined some ways in which AusCERT, as a not-for-profit security group can help our members and the general public avoid the common pitfalls of falling victim to a cybercrime and/or incident. 

 

Sean, it isn’t unusual for our collective cultural community to think of cyber security in terms of tired cliches and common tropes. In your opinion, what can we do to help people understand that a cyber criminal and victim could look like anyone, including you and me. 

 

I think it’s really important to talk to folks - family, friends, neighbours even - about how cyber crime isn’t discriminatory, that it can happen to anyone. I feel it’s great that the media draws attention to cyber related incidents, it helps bring the topic to the mainframe. People relate to examples like Nine Network or domain.com.au. However, I do think we can do better at the grassroots-level. We should start talking about it with kids in schools etc., avoid making “cyber” a scary topic. I think organisations like eSafety do some good work in this space [1].

You’ve been working at AusCERT for close to 18 months now, in your opinion and observations, what cyber security challenges are the most common in terms of our membership audience? 


Personally, my top 3 observed challenges are as follows:
 

  1. Staying on top of the countless advisories, vulnerabilities and CVEs that come through daily. Identify all of your infrastructure;  systems, operating systems, patch levels, appliances, applications. This may sound elementary, but sometimes the concept of going back to the basics is a great starting point. Actually, Jess Dodson, one of our keynotes and speakers at the AusCERT2021 conference does a great job of this through her personal website, definitely worth checking out! [2]. Members, once you’ve done this audit, make sure you subscribe to the appropriate AusCERT security bulletins through our member portal function.
  2. Identifying Business Email Compromise (BEC) attempts from what can be extremely confusing email headers and what to do from there. BECs are such a common scam - so much so that the ACCC had recently reported that payment redirection scams, also known as business email compromise (BEC) scams, resulted in $128 million of losses in the year 2020 [3]. Members, the AusCERT team is always happy to assist with the analysis of phishing email attempts and headers and will contact and assist affected member organisations where a BEC has occurred. Don’t forget that public agencies such as Scamwatch can also assist [4]
  3. Domain impersonation or squatting and brand protection. This one is a particularly challenging one, as AusCERT would love to help members who find themselves in such cases - however our success in getting websites taken down relies on malicious activity such as phishing or malware delivery being present. In cases where a brand is being impersonated, registrars and website hosts will request that the owner of the trademark contacts them directly. Abuse contacts can generally be found in the ‘whois’ info of a domain. Members can always reach out to our team for assistance and we are happy to walk through the necessary steps with them. 
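Sean’s second point, the confusing headers behind a Business Email Compromise attempt, is where a few mechanical checks help before anyone in accounts acts on a “change of bank details” email. The following is an added example and not code from the AusCERT post: it reads the headers of a message and reports the classic BEC indicators (a known executive’s name on an outside address, a Reply-To that routes replies elsewhere, an envelope sender from a different domain, and SPF/DKIM/DMARC failures recorded by the receiving mail server). The organisation’s domain, its executive directory and all three sample messages are constructed for the demonstration.

```python
"""Header checks for a suspected Business Email Compromise (payment
redirection) message.

Added example, not code from the AusCERT post. OUR_DOMAIN, EXECUTIVES and the
three sample messages are constructed for the demonstration."""
import email
from email import policy
from email.utils import parseaddr

OUR_DOMAIN = "example.com.au"                                 # assumed
EXECUTIVES = {"Jane Citizen": "jane.citizen@example.com.au"}  # assumed directory


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def auth_results(msg):
    """Parse Authentication-Results headers into {'spf': 'fail', 'dkim': 'none', ...}.
    The authserv-id before the first ';' is skipped and only the first word
    after '=' is kept. A comment containing ';' would confuse this simple split."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for clause in str(header).split(";")[1:]:
            method, sep, rest = clause.strip().partition("=")
            if sep and rest.split():
                verdicts[method.strip().lower()] = rest.split()[0].lower()
    return verdicts


def bec_indicators(raw_message):
    """Return the red flags found; an empty list means the headers are consistent."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, sender = parseaddr(str(msg["From"] or ""))
    _, reply_to = parseaddr(str(msg["Reply-To"] or ""))
    _, return_path = parseaddr(str(msg["Return-Path"] or ""))
    flags = []

    # 1. A known name on an unknown address (display-name spoofing). The
    #    attacker's own domain may authenticate perfectly well, so this check
    #    must not depend on SPF/DKIM results.
    expected = EXECUTIVES.get(name)
    if expected and sender.lower() != expected:
        flags.append(f"display name '{name}' but address is {sender}, not {expected}")

    # 2. Replies silently routed somewhere else.
    if reply_to and reply_to.lower() != sender.lower():
        flags.append(f"Reply-To {reply_to} differs from From {sender}")

    # 3. Envelope sender (Return-Path) from a different domain than the visible From.
    if return_path and domain_of(return_path) != domain_of(sender):
        flags.append(f"Return-Path domain {domain_of(return_path)} differs from "
                     f"From domain {domain_of(sender)}")

    # 4. Authentication verdicts recorded by our own mail server.
    verdicts = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if verdicts.get(method, "pass") != "pass":
            flags.append(f"{method} = {verdicts[method]}")
    if domain_of(sender) == OUR_DOMAIN and verdicts.get("dmarc") != "pass":
        flags.append("claims to come from our own domain but did not pass DMARC")
    return flags


# Constructed samples. SPOOFED forges our own domain; LOOKALIKE_NAME puts the
# executive's name on an outside address that authenticates cleanly.
SPOOFED = """\
Return-Path: <bounce@mail-exec-office.net>
Authentication-Results: mx.example.com.au; spf=fail smtp.mailfrom=mail-exec-office.net; dkim=none; dmarc=fail header.from=example.com.au
From: "Jane Citizen" <jane.citizen@example.com.au>
Reply-To: <jane.citizen.ceo@mail-exec-office.net>
To: accounts@example.com.au
Subject: URGENT - updated bank details for today's supplier payment

Please action before 3pm.
"""
LOOKALIKE_NAME = """\
Return-Path: <jane.citizen.ceo@freemail.example>
Authentication-Results: mx.example.com.au; spf=pass smtp.mailfrom=freemail.example; dkim=pass header.d=freemail.example; dmarc=pass header.from=freemail.example
From: "Jane Citizen" <jane.citizen.ceo@freemail.example>
To: accounts@example.com.au
Subject: Quick favour - change of bank account for invoice 4471

I'm in a meeting, please update the supplier's details and pay today.
"""
LEGIT = """\
Return-Path: <jane.citizen@example.com.au>
Authentication-Results: mx.example.com.au; spf=pass smtp.mailfrom=example.com.au; dkim=pass header.d=example.com.au; dmarc=pass header.from=example.com.au
From: "Jane Citizen" <jane.citizen@example.com.au>
To: accounts@example.com.au
Subject: Re: supplier payment run

Approved, thanks.
"""

if __name__ == "__main__":
    for label, sample in (("SPOOFED", SPOOFED), ("LOOKALIKE_NAME", LOOKALIKE_NAME), ("LEGIT", LEGIT)):
        print(label, bec_indicators(sample) or ["no red flags"])
```

The LOOKALIKE_NAME case is the one that fools people: every authentication check passes, because the attacker genuinely controls the free-mail account, so the only header-level tell is the name on the wrong address. Whatever the headers say, a change of bank details should be confirmed with the supplier by phone on a number you already hold.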

 

We sat down and did one of these sessions at the end of last year, when you and I presented a case study on the AusCERT Incident Management service [5]. Can you reiterate the key take-aways for our readers again?

 

Of course! For those who haven’t had a read of that piece we did together, definitely check it out on the AusCERT website [5].

If you’re an AusCERT member, definitely utilise our 24/7 Incident Hotline or email us at auscert@auscert.org.au for any cyber related incidents.

 

Where possible, implement the “Essential 8” as outlined by the ACSC [6]. This protocol provides a baseline for cyber security incident mitigation. Implementing these strategies as a minimum makes it much harder for adversaries to compromise systems.

Thanks so much for the chat Sean!


.............................


AusCERT is a Cyber Emergency Response Team (CERT) based in Australia. We help members prevent, detect, respond and mitigate cyber-based attacks. As a not-for-profit security group based at The University of Queensland Australia, we deliver 24/7 service to members alongside a range of comprehensive tools to strengthen their cyber security strategy and posture.


..........................

 

Resources:
[1] https://www.esafety.gov.au/kids
[2] https://girl-germs.com/?p=2324
[3] https://www.accc.gov.au/media-release/scammers-capitalise-on-pandemic-as-australians-lose-record-851-million-to-scams
[4] https://www.scamwatch.gov.au/types-of-scams
[5] https://www.auscert.org.au/blog/2020-11-06-case-study-incident-management
[6] https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-explained

Guest Post - Ross Marston - #Business cyber demystified

Thank you to Ross Marston, founder of Business Intelligence Security, for writing the below article about cybersecurity for businesses. 

.........

I’m lucky enough to get to talk to a lot of different business leaders, and I get it.  It’s daunting for many, particularly SME/SMBs.  Most businesses are aware that cyber security has the potential to massively damage their business.  The evidence is in the news daily.  And you think to yourself, “well if they got hit, what hope do we have?”.  Well, I’m here to reassure you, and offer you a lot of hope.  Below is a path to cyber resilience.  It’s not a silver bullet, because they don’t exist.  It’s a solid plan.  You may need some assistance with some or all of it, but that’s okay.  The main step is that you take charge and address this risk in your business.

“I’m here to reassure you, there is a lot of hope…”

Many business leaders simply assume their I.T. department or provider has cyber covered. They don’t! And there’s many good reasons why they don’t. Not the least of which is, cyber isn’t an I.T. problem. It’s simply a business risk that the risk managers (business leaders) need to address.
It is within ANY business’ reach to be Cyber resilient.  100% secure is impossible.  So, we aim for resilience.  Having a Cyber Resilient business is the name of the game.  
It’s the like saying, “I’m 100% sure I won’t get sick”. Ridiculous!  But being resilient to disease is very achievable. Resilience is simply the ability to bounce back readily from adversity or challenge. To be resilient you need to be prepared.

“it is within ANY business’ reach to be Cyber resilient”

Let’s look at our health analogy for a moment.  Many things affect your health, from genetics right through to your immediate environment.  The main thing you can do to positively impact your health is to prepare in advance.  Something like the following…

Think about your most likely health threats. Let’s just look at Flu for example.
If it’s flu season, plenty of hand washing, and avoiding direct contact with sufferers plus a few immune boosting supplements or foods will help.
At all times, boost the immune system by eating healthy, avoid too much booze, and stay fit, plenty of sleep, plenty of positive mental health time, etc.
If you still do get sick, rest up, plenty of fluids, take it easy, don’t spread it.
Get back on track as soon as possible.

Basically, have a plan. If you have no plan, then you are just at the mercy of whatever comes along.

It’s the same for business, no plan is not a good idea.  Your business needs a plan for everything it does.  No business owner starts without a plan, and just lets whatever comes along, happen to them.  They plan, and they measure how their plan is going.
Cyber is the same.  Many factors affect your business’ cyber resilience.  So, you need a plan. It’s simply another business risk you need to plan for. It’s certainly not an IT problem.  It’s a business risk, and it needs to be managed by risk managers.  Business leaders in other words.

Where to Start

So, let’s assume for a moment that you don’t know where to start with becoming Cyber Resilient.  Well, fortunately many have been there before you.  One source we are going to leverage now, for our basic plan, is the U.S. National Institute of Standards and Technology, or N.I.S.T. as they’re known. They produce all sorts of cool stuff, from standard weights (the standard Kilogram for example) through to the Cyber Security Framework (CSF).

What I like about the NIST CSF is its simplicity and scalability.  It can easily scale from small start-up to international enterprise behemoth, and government.  It consists of 5 simple steps that your business needs to flesh out according to its requirements. It looks like this…

We all know that Action Changes Things, so let’s break that down into action points…

Cyber Security Plan action list

1. Identify what is important to your business. What is most critical?
a. These are your Information Assets.
b. You need to know what’s most important, as there is no point in finding that out once it’s gone. (Reminds me of that Joni Mitchell song, Big Yellow Taxi: “You don’t know what you’ve got ‘til it’s gone.”)  Take stock beforehand.  That way you know what to protect.
c. You also need to prioritise your assets.  Which ones are MOST important and critical? Rate them! (There are standardised ways to do this easily.)


2. Have a plan to protect those critical assets.
a. These are your controls.
b. Depending on the asset, this may be something simple like a policy or something technical like Multi Factor Authentication. Or any combination of other types of controls as well.
c. One thing is for sure, you need layers of protection.  Not just one, so you’ll likely use multiple controls.
d. Start at the most critical Assets identified in step 1, and protect them first, then move down the list.


3. Have a way to monitor and Detect to ensure your plan is working.
a. You wouldn’t have a financial plan and not look at your P&L to make sure it’s working. In the same way, you need ways to monitor that your controls are working.
b. You also need to know that things aren’t slipping through the cracks.
c. If you aren’t measuring, you have no idea if it’s working.  If you have no idea if your plans are working, why make plans?
d. Pro Tip: Discovering you’re the victim of Ransomware and your entire business is shut down is NOT monitoring! That’s disaster.


4. If you detect an incident despite your best efforts, how will you respond?
a. No plan is foolproof.  Hence, you need to know what you’re going to do, when you discover your plan isn’t foolproof, and you detect an event that shouldn’t be happening.
b. One thing I can guarantee, after responding to many cyber incidents: in the midst of an incident is NOT the time to be figuring out what to do.  Make a plan first!
c. Know who will be in the response team, what the communications channels are, who needs communicating with, what will be said, who’s making the decisions.  There’s a bunch of things to go in here, and again, there’s many who have trod this path before you.  Don’t re-invent the wheel.


5. Once we’ve responded how will we Recover, to get back to where we were with the least fuss, and be stronger than we were before?
a. We detected an incident and enacted our plan. The incident is now resolved. How do we get back to where we were in the shortest possible time frame?
b. Not only back to where we were, but better.  Stronger! What did we learn about how our plans above can be improved?  Let’s fix the plan.

And there my friends, is a Simple Cyber Resilience plan.

Sure, it needs fleshing out and customising for your business.  But it’s a framework ANY business can work with. You may need help with some or all of it, but you need to be in charge.  And let’s face it, there’s a whole lot of people in the cyber security industry only too happy to assist.

If you do need to demonstrate compliance to a cyber standard, then maybe the ASD ISM, PSPF, DISP, Right Fit for Risk, or ISO/IEC 27001 are more appropriate.  Or maybe you need something simple and prescriptive like the ASD Essential 8.  It’s a good starting point, but lacks any policy framework, which I think is essential.

But if you just need to start, do the above.  It works. I have implemented it many times and it serves its design purpose, to help make your business more Cyber Resilient.

Stay Safe!
Ross Marston CISSP




Guest Post - Greg Sawyer - #Cybersecurity - The low hanging fruit is your best first step

Thank you to Greg Sawyer, Director of the CAUDIT Cybersecurity Program, for writing the below article about cybersecurity practices in a home environment. Protecting our families from cybercrime is important, and this article provides good advice on how to do this.

.........

The low hanging fruit is your best first step

Being a parent and bringing kids up in a digitally connected world can seem daunting. They are increasingly expanding their connections to the digital world and wanting increasing amounts of digital engagement. What should I be discussing with them? At the other end of the scale, what should I be discussing with my parents, who find all the technology daunting?

In cybersecurity we must speak many languages. Business, to break cyber down into impacts and risk. Jargon, when engaging with the technical people dealing with the sharp end of cyber. Sometimes we even throw in nerd to share deep technical thoughts. The media likes to present cyber in sensational language to increase clicks on a site: an imposing world of sensational news stories and well-crafted images portraying the cyber threats as shady characters with the might of adversaries like Korea, China and Russia behind them. A language we should all speak is keeping it real. Yes, those threats are there, but some simple good practices, known as cyber hygiene, can make a massive difference.

So, my advice to my kids and parents.


1. Download and use a password manager. It might take a bit to get used to, but in the long term it will prove valuable. There are plenty available, but LastPass, Dashlane and 1Password are good starting points. Store your password manager password securely in a safe. That’s the only password you need to remember.

2. Use passphrases instead of passwords where possible. A passphrase is a series of random words with a special character, number and capital letter that is at least 32 characters long. If you can, make it even longer than that. They are easier to type in as they are a series of words.

3.  Use a different passphrase or password for each system. This ensures if you are compromised, they only get access to one of your accounts, not all.

4.  Utilise multifactor authentication where possible. Multifactor authentication is a second check on top of your password when authenticating (logging in). It can be as simple as receiving an SMS with a unique code to enter when authenticating.

5. Utilise antivirus software and the security tools that are available on most computers. Turn these on with the recommended default settings. The Australian Cyber Security Centre (ACSC) web site has some good guides to assist you.

6. Avoid clicking on links.
If in doubt with any email, SMS or website you are accessing, see if you can find another way to check it is safe. Search for their details online and call that company. Try to avoid clicking on any links if you can. Most good companies will not contact you like that.

7.  Update your systems. Turn on auto updates and if unsure ask someone who you know has the skill, talk to a professional or again use the resources from the ACSC link in this blog (or if following my advice, search for them yourself). The ACSC step by step guides are invaluable. Avoid well-meaning friends if you can. The best intentions may end up in you being worse off.
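An added example, not part of Greg Sawyer's post, that turns the passphrase rules in point 2 into working code: it builds a phrase from random words until it is at least 32 characters long, then adds a capital letter, a number and a special character, and it can check any candidate phrase against the same rules. The word list is a constructed sample (a real generator should load a list of thousands of words); the entropy helper goes a step beyond the post to show why the size of that list matters as much as the length of the phrase.

```python
"""Added example, not part of Greg Sawyer's post: generate a passphrase that
follows the rules given in point 2 (a series of random words, at least 32
characters, with a capital letter, a number and a special character), and
check any candidate against those rules."""
import math
import re
import secrets

# Constructed sample word list (assumption: real use loads a large list such
# as a diceware list; 25 words is far too few for a strong passphrase).
WORDLIST = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jigsaw", "kettle", "lantern", "marble", "nectar",
    "orbit", "pepper", "quartz", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr",
]
SPECIALS = "!@#$%^&*_=+?"   # easy to type; the hyphen is reserved as separator
MIN_LENGTH = 32
SEPARATOR = "-"


def generate_passphrase(words=WORDLIST, min_length=MIN_LENGTH):
    """Join random words with hyphens until the phrase is long enough, then
    add one capital letter, one digit and one special character."""
    chosen = []
    # Leave two characters for the digit and symbol appended below.
    while len(SEPARATOR.join(chosen)) < min_length - 2:
        chosen.append(secrets.choice(words))      # CSPRNG, not random.choice
    idx = secrets.randbelow(len(chosen))
    chosen[idx] = chosen[idx].capitalize()       # guarantees an upper-case letter
    return SEPARATOR.join(chosen) + str(secrets.randbelow(10)) + secrets.choice(SPECIALS)


def check_passphrase(phrase, min_length=MIN_LENGTH):
    """Return a dict saying which of the post's rules the phrase meets."""
    tokens = [t for t in re.split(r"[\s-]+", phrase) if re.search(r"[A-Za-z]", t)]
    rules = {
        "long_enough": len(phrase) >= min_length,
        "several_words": len(tokens) >= 4,
        "has_upper": any(c.isupper() for c in phrase),
        "has_digit": any(c.isdigit() for c in phrase),
        # Separators (space, hyphen) do not count as the special character.
        "has_special": any(not c.isalnum() and c not in " -" for c in phrase),
    }
    rules["ok"] = all(rules.values())
    return rules


def words_entropy_bits(word_count, wordlist_size):
    """Entropy from the word choice alone: log2(list size) bits per word."""
    return word_count * math.log2(wordlist_size)


if __name__ == "__main__":
    p = generate_passphrase()
    print(p, check_passphrase(p))
    print("5 words from 25:", round(words_entropy_bits(5, 25), 1), "bits")
    print("5 words from 7776:", round(words_entropy_bits(5, 7776), 1), "bits")
```

Five words drawn from the 25-word sample give only about 23 bits of entropy, while five words from a 7776-word diceware list give about 65 bits, which is why a password manager's generator, with a large built-in list, is the easier way to follow this advice.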

Implementing some basic good cyber hygiene and being aware will help keep you safe online and hopefully allow you to enjoy the time connected, not fear the shadows in the background. Spend the time to complete the basics and I wish you safe browsing.

Helpful links:

Australian Cyber Security Centre for individuals and families - https://www.cyber.gov.au/acsc/individuals-and-families

........................................................


Keep your families safe from cybercrime




#Cybersecurity - three ways malware can gain persistence

The purpose of the Demystify Cyber project is to bring cybersecurity and cybercrime awareness to all users of technology. Part of that includes explaining terms commonly used by cybersecurity practitioners that may seem a little mysterious to everybody else. Given that cybercrime can impact anyone, cybersecurity should not be kept a mystery.

Let's look at malware persistence

When a criminal has taken all that effort to get some nasty piece of malware on your computer, they want it to stay there and do its thing for as long as possible.  The techniques used to keep malware active on a compromised device, even after rebooting, are referred to as malware persistence.

'How do criminals get their malware to have persistence on a computer?'  - do I hear you ask?

Well I am glad you raised this, because there are many ways, and understanding a bit about them can help everyone who uses technology stay just that little bit safer from cybercrime.

The below is a very brief list, written in as non-tech terms as I could achieve on an afternoon after work and without sufficient coffee, covering three ways malware can gain persistence on a compromised computer.

Three ways malware can gain persistence

1. Compromised accounts

If the account used for the computer has been compromised (such as via a phishing email), the criminal could use the account details to ensure the computer remains infected.

2. Start up folder / launch agents

As a computer starts, it automatically runs through processes to ensure everything is operating and connected for the user. The Windows operating system keeps these processes in a start up folder, and on Apple computers macOS uses launch agents. If malware edits the start up folder or the launch agents, every time the computer is started the malware will start as well.

3. Malicious browser extensions

A criminal may create what appears to be a legitimate browser extension; however, once installed it is used to infect and gain malware persistence on a compromised computer.
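Because the start up folder and launch agents described in point 2 are fixed, well-known locations, a defender can simply record what is in them and look for anything new. The script below is an added example, not part of the Demystify Cyber post: it takes a hash snapshot of an autostart folder, saves it as a baseline, and later reports entries that were added, removed or changed. The folder and its files are constructed in a temporary directory so the demo runs anywhere; the real per-user paths listed in `KNOWN_AUTOSTART_DIRS` are given for the reader to adapt.

```python
"""Added example, not from the Demystify Cyber post: baseline-and-diff check
for an autostart location such as the Windows Startup folder or a macOS
LaunchAgents folder.  Anything that appears or changes between snapshots is
worth a look, because that is exactly where persistence gets planted."""
import hashlib
import json
import tempfile
from pathlib import Path

# Typical per-user autostart folders (assumption: adjust for your own machine).
KNOWN_AUTOSTART_DIRS = {
    "windows_user": r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
    "macos_user": "~/Library/LaunchAgents",
}


def snapshot(folder):
    """Map each file name in the folder to the SHA-256 of its contents."""
    folder = Path(folder)
    return {
        entry.name: hashlib.sha256(entry.read_bytes()).hexdigest()
        for entry in sorted(folder.iterdir())
        if entry.is_file()
    }


def save_baseline(folder, baseline_file):
    """Write the current snapshot to a JSON file for later comparison."""
    Path(baseline_file).write_text(json.dumps(snapshot(folder), indent=2))


def load_baseline(baseline_file):
    """Read a snapshot previously written by save_baseline."""
    return json.loads(Path(baseline_file).read_text())


def compare(baseline, current):
    """Return (added, removed, changed) file names between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(n for n in set(baseline) & set(current) if baseline[n] != current[n])
    return added, removed, changed


def demo():
    """Constructed scenario: baseline a startup folder, then simulate one new
    entry and one modified entry, and report the difference."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp) / "Startup"
        folder.mkdir()
        (folder / "OneDrive.lnk").write_bytes(b"constructed shortcut")
        baseline_file = Path(tmp) / "startup-baseline.json"
        save_baseline(folder, baseline_file)
        # Later: something dropped a new script and rewrote the existing shortcut.
        (folder / "updater.vbs").write_bytes(b"constructed new entry")
        (folder / "OneDrive.lnk").write_bytes(b"constructed modified shortcut")
        return compare(load_baseline(baseline_file), snapshot(folder))


if __name__ == "__main__":
    added, removed, changed = demo()
    print("added:", added, "removed:", removed, "changed:", changed)
```

Run `save_baseline` once on a clean machine and `compare` on a schedule; a changed entry is as interesting as a new one, since a legitimate shortcut can be rewritten to point at something else. Hashing the file contents rather than checking timestamps is deliberate, because timestamps are easy to preserve.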

Want to know more about malware persistence?

The Mitre ATT&CK site has an in-depth look at malware persistence. You can access it via this link (or look up 'Mitre ATT&CK malware persistence' in the search engine of your choice). Link: https://attack.mitre.org/versions/v9/tactics/TA0003/


How to stay safer from malware

  • Use a reputable and up to date anti-virus application and run regular as well as active scans on your computer.
  • Keep your operating system and software patched
  • Only install browser extensions from reputable stores, and be cautious even then 
  • Take care not to click links in unsolicited emails
  • Do not put your account credentials into a link you arrived at via an email - navigate to the site yourself to log in
  • Consider using multi-factor authentication (MFA) wherever possible
  • Take care to only install legitimate software from official sources

[Image: a frog typing at a computer; the speech bubble says 'I use MFA, multi frog authentication']
This image has been created by the Demystify Cyber blog author (c) A. Turner 2021


Where to go for help

If you are impacted by cybercrime or want more information about cybersecurity please have a look at the resources below.


Australia

* * *

USA


* * *

United Kingdom

* * *

Useful links - International

* * *


Protect yourself from #cybercrime - seasonal scams

Any significant retail event or seasonal holiday makes for great #cybercrime attempts!

While people are looking forward to seasonal holidays, buying gifts and getting bargains, criminals are looking forward to exploiting them.

Looking for online bargains? Please check the spelling of the link you are on as criminals buy and register web domains with common typos of well known stores. Just to trick shoppers and steal their PII and money.

So many successful seasonal sales on legitimate websites lead to criminals creating faked retailer pages to trick shoppers into sharing their money and details with them. Criminals are known to buy website domain names that are typos of legitimate sites and also to buy certificates to ensure the website is ‘HTTPS’, making it appear legitimate. For example, say that a major retailer has a site called ‘https happysales com’; a criminal may purchase a site with security certification and words that look similar, ‘https happysalles com’. They may even send spam emails spoofing well known retailers and direct people to their site, where they phish for credit card details and personal information.
When taking advantage of seasonal sales and bargains don't let criminals take advantage of you!
  • Check website addresses before you enter any details.
  • Only enter financial information on secured connections and also do not enter any personal or financial detail while on free WiFi.
  • Do not provide more information than needed. Do they really need your full birth date to sell you a magazine subscription?
  • Be wary of discounts that sound too good to be true – because they probably are!
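The ‘happysales’ versus ‘happysalles’ trick above is easy to miss by eye but easy to catch with a short allow-list check. The code below is an added example, not part of the Demystify Cyber post: it pulls the host out of a link, accepts it only if it is (or is a subdomain of) a retailer you actually use, and flags hosts that are within a couple of typing errors of a known one or that bury a known brand inside a different domain. The retailer list is constructed for the demo.

```python
"""Added example, not part of the Demystify Cyber post: flag shop addresses that
are near-misses of known retailer domains (typosquats) or that hide a known
brand inside an unrelated domain.  The retailer allow-list is constructed."""
from urllib.parse import urlsplit

# Constructed allow-list of retailers the shopper actually uses (assumption).
KNOWN_RETAILERS = ["happysales.com", "bigshop.com.au", "gadgetbarn.co.uk"]


def host_of(url):
    """Lower-cased host from a URL or bare domain, without 'www.' or a port."""
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes or swaps needed
    to turn a into b.  'happysalles.com' is one edit from 'happysales.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url, known=KNOWN_RETAILERS, max_distance=2):
    """Return ('known', host), ('lookalike', host, closest_known) or ('unknown', host)."""
    host = host_of(url)
    for k in known:
        # The retailer itself, or one of its own subdomains (shop.happysales.com).
        if host == k or host.endswith("." + k):
            return ("known", host)
    for k in known:
        brand = k.split(".")[0]
        # A couple of edits away, or the brand name sitting inside some other
        # domain (happysales.com.secure-login.net), is the typosquat pattern.
        if edit_distance(host, k) <= max_distance or brand in host:
            return ("lookalike", host, k)
    return ("unknown", host)


if __name__ == "__main__":
    for link in ["https://www.happysales.com/sale", "https://happysalles.com/checkout",
                 "https://happysales.com.secure-login.net", "https://example.org"]:
        print(link, "->", classify(link))
```

The check deliberately ignores the padlock: as the post notes, a criminal can buy a certificate for the look-alike name, so HTTPS says nothing about who owns the brand. The brand-substring rule errs on the side of suspicion (a genuine ‘bigshopping.net’ would be flagged against ‘bigshop.com.au’), which is the right trade-off for a shopper about to type in card details.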

Guest Post - Mike Ouwerkerk | Mythical Cyber Security = Unacceptable Risk


I am very pleased that the very well-respected information security professional, Mr Mike Ouwerkerk, founder of Web Safe Staff, has agreed to provide a guest post. Please see his post and bio below, and if you want to know more about the innovative awareness training his company provides, please have a look at their website, Web Safe Staff. Thanks Mike!
Mythical Cyber Security = Unacceptable Risk


The Fantasy World

What is this mystical cyber security beast? “IT looks after that”, and “I’m not a target” people say. Anyway, it’s all a bunch of hardcore hackers sitting in dark rooms with their hoodies, powerful laptops and illegal software. They furiously type out their malicious code looking to crack the incredibly complex IT security systems of large multinational corporations.
So yay, we can relax knowing that we’re not the primary target, and anyway our company has great technical solutions in place to protect the data and systems from external threats. Everyone gets a free IT security blanket and can feel all warm and fuzzy!

The Real World

OK snap out of it - that’s total fantasy! This is the real world we all face:
  • If you are breathing, you are almost certainly being targeted by scammers.
  • They will try to trick you into giving out your money or data.
  • Your data can be used to make money (from you and others).
  • They don’t usually waste their time on hacking IT systems, because people are easy to trick.
So yes, the unfortunate reality is that you are a massive target. Basically, everyone you know is a massive target. Your company, your job, your colleagues’ jobs, your personal information, your kids’ information, your bank accounts, your identity – they’re all at risk, and there are countless automated drag net operations trying to catch millions of people at a time. Cross your fingers that they don’t actually do some research on you and make a scam incredibly believable, because that’s how the scammers get the big paydays!
Sadly, many companies are either oblivious to the risks, or ignorant of the risks faced by their staff. They rely on technical solutions to stay safe, but statistics tell us that this just doesn’t work because most breaches are via people.

The Impact

The mythical cyber security beast quickly disappears when a breach happens. When you don’t suitably address risk, it is more likely to occur, it will occur more often, and the impact can be greater. Suddenly the impact is real, and the financial implications for companies can be staggering when considering recovery costs, downtime, mandatory reporting, reputation damage and lost customers. This is what we need to avoid, and to achieve this we need people to understand the real world, and be able to deal with the threats posed in the real world!

Demystifying Cyber Security

We need to demystify cyber security so companies get their heads out of the sand and see what’s really going on. So all staff become aware of the scams they are faced with and know that they need to be suspicious and stop to think before they act. So everyone knows they are a target, and with good knowledge they can make a massive difference by protecting their company, themselves and their family. And ultimately so that we can massively reduce the success rate of IT scams, and start winning the war against the criminals.
There are no grey areas here, this is a war worth fighting and winning!


With over 25 years of experience in the IT sector working in the UK, NZ, and Australia, Mike Ouwerkerk identified that most IT security issues originate from a lack of knowledge and education. This realisation led Mike to establish Web Safe Staff (www.websafestaff.com.au), which delivers onsite face to face cyber security awareness training for staff across Australia and New Zealand. His passion is to ensure that people are trained in how to identify IT security threats and respond appropriately to avoid damage to the business. Workshops are engaging and interactive, and based on real world stories and examples so that people can feel empowered to work safer.