Monday, May 15, 2017

Ransomware SUCKS - Here are some things you can do...

By now (unless you are living under a rock) you have heard about the terrible WannaCry ransomware attacks infecting computers across the planet. Seemingly, no business type is spared, and the malware isn’t just going after businesses – lots of individuals are being infected as well.

So here is a bit of info about the attack, and what individuals and businesses can do to prevent it:

What is it:  

Ransomware is software created by cyber criminals to encrypt the files on your computer, thus blocking you from using the computer until you pay a fee (ransom), usually in hard-to-trace Bitcoin or in gift cards such as Amazon and iTunes.

In this latest iteration of ransomware, the bad guys used an exploit that was part of an information leak from the NSA, one that attacks a specific communications system on Windows computers. Microsoft released a patch for this in March 2017 to address the issue (MS17-010, which can be found here), but computers without the patch are very much at risk of getting the malware.

What can individuals do:

Individuals should consider the following in regards to protecting their computer:

Windows Update: Make certain that Windows Update is set to automatically download and install any critical updates. Windows Update is generally located in your Control Panel, but may be in a different location depending on the version of Windows that you are running.

Install Anti-virus: While certainly not a catch-everything solution, find a good anti-virus program for your computer. There are lots of options out there – if you have high-speed Internet, there is likely a free download from your Internet provider as part of your Internet service. Check their website for more information about downloading and installing this free AV software. If you do not have high-speed Internet, there are still free options available. AVG and several other companies offer very good and fast anti-virus software for your computer. There is really no excuse NOT to have anti-virus software on your computer any longer, and it can act as a first line of defense to protect you from the bad guys.

Regular Backups: If you become infected, the only way to get your files back (without paying the ransom) is to restore from a backup of your files. You can back up your data to the cloud – there are lots of very inexpensive services out there that can do this for you. Or you can do it yourself and back up to an external hard drive – again, very inexpensive drives are available and easy to use. They can be found pretty much anywhere (Amazon, Wal-Mart, even Sam’s Club had them on sale this past weekend). Those pictures that you took over the weekend for Mother’s Day cannot ever be replaced, so invest some time and effort in a good backup solution.

Be Aware of What You Click: Lastly, nothing mentioned above will protect you from everything the bad guys can throw at you. You should be mindful about the websites you visit, the emails you open, and the applications you install. If you do not know the source of an email or application, DO NOT OPEN IT! If you don’t know whether a website is reputable, it is probably not the best site to visit. Be smart about the things you see and do on your computer – a little common sense will save you from these kinds of nasty viruses.

What IT Pros should do: 

In addition to everything listed above (which I would certainly hope is already happening in your organization), consider implementing technology that helps segment your networks, making malware such as WannaCry less invasive. Cyxtera CISO Leo Taddeo presented the Software-Defined Perimeter as a viable solution / technology to combat these kinds of threats. You can see his CNBC interview here:
Firewalls and VPNs are decades-old technology, and the bad guys create their viruses to take advantage of these antiquated technologies. A software-defined perimeter creates an individualized network, specific to the resources authorized for a specific user. In addition to dynamic condition checking, it is designed to contain a user to only the places they are authorized to go, thus protecting the majority of your company’s resources.

You will hear more about solutions to defend your computers and network in the coming days and weeks from every security / technology pundit out there (likely me included). Regardless of the solutions that you choose to augment your security and networks, make certain that they are on the cutting edge of today’s technology, with a strong vision of how to deal with the emerging threats of the future.

Thursday, May 4, 2017

Star Wars Day - Revisited!

It just wouldn't be a Star Wars Day without me posting something about it. And I decided to revisit and repost my "Empire Information Security Failures" blog from last year, as it was extremely well received. You can find the original post for this year's blog on the Cryptzone website here.

To celebrate Star Wars Day, I thought I would share a few ways in which information security best practices were not adhered to by the Empire, which enabled the Rebels to win.

To be clear: I do not support the Empire, the Sith Lords nor any other types of scum and villainy. Nor am I trying to portray the Rebel Alliance as a weird, Force-wielding, Galactic Hacker consortium or something. But had the Empire not been so lax in their security controls, Emperor Palpatine and his buddies might have been able to bring their “order and peace” to the galaxy.

Social Engineering: Social engineering is an attack that uses human interactions and plays on human weaknesses to break established security procedures.

Scene: Luke and Han, dressed as Stormtroopers, escorting Chewbacca to the prison block (Star Wars IV: A New Hope).

© Disney / Lucasfilm
Lots of things going on here. First, no one wants to mess with a Wookiee. So others were less likely to get involved when they saw that the Wookiee was being escorted by two (only two) Stormtroopers. Luke and Han knew that if they looked like they knew what they were doing, they could walk around in plain sight without being questioned by anyone. Even after arriving at the detention block, the supervising guard did not suspect them of being bad guys, and only questioned them on a matter of paperwork. Sure, everything fell apart at that point — one of the security controls finally kicked in. But Luke, Han and Chewie were able to walk pretty much anywhere they wanted on the Death Star by exploiting social engineering flaws.

Lesson: People — not just the bad guys — exploit social engineering gaps every day. When was the last time you piggybacked someone into a controlled building? The really bad guys know this as well, using our politeness (holding a door open for someone) against us. It is extremely hard to break those habits, which is why your security guys are constantly reminding you about them. Who knows if the guy you are holding the door for is coming to blow up the building (or the Death Star)?

Identity and Access Management: Identity and access management is the system used by entities to allow and prohibit access to resources controlled by the entity.

Scene: Luke, Leia, Han and Chewie on the Shuttle trying to land on Endor (Star Wars VI: Return of the Jedi)
© Disney / Lucasfilm

The Rebels have stolen (property theft, probably due to lack of physical security controls on the part of the Empire) a small Imperial shuttle and are landing a team on Endor to blow up the shield generator protecting the second Death Star. Apart from using the Imperial shuttle, the Rebels have also stolen a security code that will allow the shuttle to land on the forest moon. There are multiple points that the code could have been rejected, with the admiral even claiming that it was an older code. Eventually, the Rebels are given clearance and allowed to land.

Lesson: Identity and Access Management is a difficult topic for most businesses. Larger businesses MUST have a solution for IAM in place, as their employees turn over much more frequently than in smaller companies. And unfortunately, there are always gaps — the employee who was terminated months ago still has an active security badge, because the two systems are not connected, and the administrator of the badge system was not notified (or was on vacation or whatever) that the employee was no longer with the company. All businesses need to have controls in place and audited regularly to make certain that there are as few gaps as possible.
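The audit this lesson calls for can be automated. Below is an added example (not code from the original post) that reconciles a constructed HR roster against a constructed badge-system export, the two disconnected systems described above, and flags active badges held by terminated employees, badges with no HR record at all, and credentials past their expiry (the "older code" the admiral waved through). All names, records and the audit date are constructed sample values.

```python
"""Access-review audit: find badges that should already have been revoked."""
from datetime import date

# Constructed sample exports. In practice these would come from the HR
# system and the physical-access (badge) system, which are rarely linked.
HR_ROSTER = [
    {"emp_id": "E100", "name": "A. Ackbar", "status": "active", "terminated": None},
    {"emp_id": "E200", "name": "B. Fett", "status": "terminated", "terminated": date(2017, 1, 31)},
    {"emp_id": "E300", "name": "C. Calrissian", "status": "active", "terminated": None},
]

BADGES = [
    {"badge_id": "B1", "emp_id": "E100", "active": True, "expires": date(2017, 12, 31)},
    {"badge_id": "B2", "emp_id": "E200", "active": True, "expires": date(2017, 12, 31)},  # holder terminated
    {"badge_id": "B3", "emp_id": "E300", "active": True, "expires": date(2017, 3, 1)},    # expired credential
    {"badge_id": "B4", "emp_id": "E999", "active": True, "expires": date(2017, 12, 31)},  # nobody in HR owns it
    {"badge_id": "B5", "emp_id": "E200", "active": False, "expires": date(2017, 12, 31)}, # already revoked, ignore
]

AUDIT_DATE = date(2017, 5, 4)  # constructed "today" for the review


def audit_badges(hr_roster, badges, today, grace_days=0):
    """Return (badge_id, reason) findings for every active badge that fails review.

    grace_days lets a short HR-to-badge propagation delay pass without a finding.
    """
    hr_by_id = {rec["emp_id"]: rec for rec in hr_roster}
    findings = []
    for badge in badges:
        if not badge["active"]:
            continue  # revoked badges are not a risk
        rec = hr_by_id.get(badge["emp_id"])
        if rec is None:
            findings.append((badge["badge_id"], "no HR record (orphaned badge)"))
        elif rec["status"] == "terminated":
            days_since = (today - rec["terminated"]).days
            if days_since > grace_days:
                findings.append((badge["badge_id"], f"holder terminated {days_since} days ago"))
        if badge["expires"] < today:
            findings.append((badge["badge_id"], f"credential expired {badge['expires'].isoformat()}"))
    return findings


if __name__ == "__main__":
    for badge_id, reason in audit_badges(HR_ROSTER, BADGES, AUDIT_DATE):
        print(f"{badge_id}: {reason}")
```

Run the reconciliation on a schedule and treat every finding as a revocation ticket; a badge that shows up twice in a row is the gap the lesson warns about.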

Data Security: Data Security includes the methods used by an entity to protect all manners of data from those not authorized to use it.

Scene: Princess Leia and her crew intercept the technical plans to the Death Star (Star Wars IV: A New Hope)
© Disney / Lucasfilm
The very first scene in the very first movie (yes, the original Star Wars will ALWAYS be the first movie to me) starts with an epic space battle — the Empire is beating up a Rebel blockade runner that happens to be carrying Princess Leia and the technical plans of the first Death Star. The Rebels had intercepted those plans, and the Princess was in the process of delivering them back to her home world when she was captured. The Rebels had been a thorn in the side of the Empire to that point, but now they had the data necessary to severely cripple the Emperor’s plans of galactic domination using the Death Star.

Lesson: The Empire should have done a better job of securing the plans. In Rogue One: A Star Wars Story, we find out that the data was stored in the Imperial library on Scarif. We don’t know if the data drive that Jyn Erso stole was encrypted or not (another tenet of data security), but even if it was encrypted at rest, it was transmitted using an unsecured method, allowing the Rebel Alliance to intercept the plans (and break the encryption, if necessary). Most companies and entities have intellectual property / trade secrets / military secrets that they don’t want others to have. Not only should that data be encrypted and protected, but the networks and devices that send and store the data need to be protected as well.

Some of these examples are a bit convoluted, and I am sure there are some out there who would like to debate the finer details of exactly what happened in the movie (message me — we can talk specifics; I had to amend some things for brevity’s sake). But the point is that Star Wars Day is just another opportunity to remind you (and your employees and everyone else) about the importance information security has in so many aspects of our lives. If Star Wars makes that point a little more enjoyable, then I’ve accomplished that goal!

Enjoy the day, and “May The Fourth” be with you!

Monday, May 1, 2017

Hybrid Cloud - Yes, You Can!

I recently posted this blog on the Cryptzone website. You can find the original posting here.

I was recently with 7,500 of my closest Amazon AWS friends at the AWS Summit in San Francisco. Generally, when you go to an AWS conference, the talk is ONLY about AWS: the latest features, implementation and design, or optimization of the AWS configuration. And certainly – those conversations were happening. But from my vantage point in the Cryptzone booth, there was another conversation, one that I touched on a bit in my previous recap blog. People at an AWS conference are finally talking about the hybrid cloud.

The concept of a hybrid cloud is not new – in fact, it has been around since long before the term was even coined. But the fact that customers / potential customers are searching for ways to integrate their AWS or public cloud infrastructure with their on-premises resources is exciting to me for a number of reasons:

1. Reality Check: For years, I have been preaching the benefits of a hybrid cloud solution. It never seemed realistic to me that an established company would dump 100% of all of their business workloads on a public cloud. Sure, your company could have been “born in the cloud” and optimized from the start to use only cloud-based resources. Some of those companies exist (and are THRIVING, BTW). But most companies that I have chatted with have adopted the cloud over time, meaning that they are in the process of migrating existing on-premises workloads to a cloud infrastructure. I think that is great! Testing the waters in a measured and calculated fashion is often the best and most cost-effective way of taking advantage of cloud resources. Of course, those in the public cloud space would like you to move a little faster, but conducting a thorough evaluation of cloud solutions while maintaining your on-premises environment just makes sense.

2. Manageability: One of the many things that has been a barrier to public cloud adoption is the ability to manage users and resources in the public cloud with the same tools used on premises. Who wants to manage multiple IAM solutions? Also, users that connect to the cloud need to be able to do so without going through a dozen authentication steps. Simply put, IT administrators are hesitant to expose their users to any additional processes or environments that will exponentially increase the IT admin’s workload. Can you blame them? On this front, the great news is that the management solutions for hybrid cloud infrastructures are becoming more mature EVERY DAY! Because of this, those IT admins are not as skeptical about adding another layer of infrastructure to their environments, especially if it can all be managed without any significant changes to how the user would consume that infrastructure.

3. Scalability: Moving workloads to a public cloud environment has always been about the ability to scale up a workload with very little effort – it is as simple as setting up an AWS account, starting up an instance, and deploying the workload. Easy peasy. Developers have realized this for a while now – they have been creating testing environments for QA, demos and proofs of concept for years. It also created a shadow IT problem (something that we will address in a different blog at some point). Traditional IT (and their risk managers, executives, and line-of-business decision makers) have become more and more comfortable with moving workloads to the cloud, and the ability to expand the technology footprint into this space is very appealing, not only from a time-to-market rationale, but from the enormous cost savings. And the inherent barrier of hybrid cloud integration and management preventing rapid growth has pretty much disappeared.

As an IT professional, business leader or decision maker, once you cross that hump and gain comfort with having a hybrid cloud architecture for your company, you start to realize the benefits of having that kind of environment (again, the subject of a future blog). AppGate, from Cryptzone, is the perfect tool to bridge your on-premises workloads with your AWS or other cloud provider environment(s).

I challenge you to explore the tools and capabilities that are constantly being invented and revised to help your company embrace the benefits of a hybrid cloud architecture!