Category Archives: Best Practices

Regulators Update Cyber Security Regs for Electric Utilities

Very few of my readers run electric utilities – those are the ones that these regulations apply to directly.

Then there are folks who are suppliers to utilities.  And suppliers to those suppliers.  The new regs require that utilities have a decent vendor cyber risk management program.  That increases the pool of interested parties a bit.

Then there are those folks who use electricity and would appreciate it if their lights stay on.  Except for those who run their own wind or solar farms, that is the rest of us.

And of course, last, but not least, there are other regulators who are going to watch and say “hey, that sounds like a good regulation;  I think I will adopt it for people who do business in my industry or my state”.

So what is in the new regs?

The regulator is NERC – The North American Electric Reliability Corporation.  NERC is a quasi-governmental agency that sets forth standards for the electric utilities to follow.  They call the rules Critical Infrastructure Protection (CIP).

Note that I am only going to touch on the tip of the regulatory iceberg here, but I will give you a link to all of the CIP regs at the end in case you want to steal some of their ideas.

CIP 005-6 Electronic Security Perimeter

Note all the leading zeros in the rule number.  Room for up to a thousand rules.  Plus the sub-rules.  That’s pretty scary.

This rule adds detailed requirements for firewalls, DMZs and network segmentation.  Probably a good idea for everyone.  This includes a requirement to be able to know how many active vendor remote sessions you have (as opposed to employees) and to have a way to disable them.  Again, probably a good idea for everyone.
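The vendor-session requirement is easy to state and surprisingly hard to answer on demand, so here is an added example (not from the post or from NERC) of the inventory it implies. It assumes a remote-access gateway that writes one line per LOGIN/LOGOUT event with key=value fields, and that something (account naming, a directory attribute) tells you whether an account belongs to an employee or a vendor. The log lines and the `gateway-cli terminate-session` command are constructed placeholders, not a real product's interface.

```python
"""Inventory active remote-access sessions and single out the vendor ones.

Added example: the log format, the class= field and the gateway CLI are assumptions.
"""
from dataclasses import dataclass

# Constructed sample log: two vendor logins, one of which has already logged out,
# plus a stray LOGOUT for a session whose LOGIN is not in this file.
SAMPLE_LOG = """\
2020-03-15T08:55:02Z LOGIN session=s1 user=jsmith class=employee src=10.20.1.5
2020-03-15T09:01:40Z LOGIN session=s2 user=acme_svc class=vendor src=203.0.113.7
2020-03-15T09:03:12Z LOGIN session=s3 user=meterco_tech class=vendor src=198.51.100.9
2020-03-15T09:40:00Z LOGOUT session=s2 user=acme_svc class=vendor src=203.0.113.7
2020-03-15T10:10:33Z LOGIN session=s4 user=rlee class=employee src=10.20.1.8
2020-03-15T10:11:00Z LOGOUT session=s9 user=ghost class=vendor src=192.0.2.1
"""


@dataclass(frozen=True)
class Session:
    session_id: str
    user: str
    account_class: str   # "employee" or "vendor"
    source: str
    started: str


def parse_event(line):
    """Split one log line into (timestamp, event, fields)."""
    parts = line.split()
    ts, event = parts[0], parts[1]
    fields = dict(p.split("=", 1) for p in parts[2:])
    return ts, event, fields


def active_sessions(log_text):
    """Replay LOGIN/LOGOUT events and return the sessions still open."""
    open_sessions = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, f = parse_event(line)
        if event == "LOGIN":
            open_sessions[f["session"]] = Session(
                f["session"], f["user"], f["class"], f["src"], ts)
        elif event == "LOGOUT":
            # A LOGOUT with no matching LOGIN (log rotation, gateway restart)
            # is ignored rather than allowed to crash the inventory.
            open_sessions.pop(f["session"], None)
    return list(open_sessions.values())


def vendor_sessions(log_text):
    """The subset of open sessions that belong to vendor accounts."""
    return [s for s in active_sessions(log_text) if s.account_class == "vendor"]


def disable_commands(sessions, gateway_cli="gateway-cli"):
    """Build the commands an operator would run to terminate each session.
    'gateway-cli terminate-session' is a placeholder for whatever your
    remote-access product actually provides."""
    return [f"{gateway_cli} terminate-session {s.session_id}  # {s.user} from {s.source}"
            for s in sessions]


if __name__ == "__main__":
    open_now = active_sessions(SAMPLE_LOG)
    vendors = vendor_sessions(SAMPLE_LOG)
    print(f"{len(open_now)} active sessions, {len(vendors)} of them vendor")
    for cmd in disable_commands(vendors):
        print(cmd)
```

The point of the replay is that a count taken from LOGIN lines alone overstates the number of live sessions; you need the LOGOUTs too, and you need to tolerate events whose partner fell outside the log window.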

CIP 010-3 Configuration Change Management and Vulnerability Assessments

Again, change control and vulnerability assessments should be things that everyone is doing anyway.  One thing this requires is that you be able to validate every piece of software in your supply chain.  Can you do that?  Do you even know what software is in your supply chain?  Think of this as a software bill of materials (BOM) on steroids.  Once you do know what software is in your supply chain, that helps with vulnerability assessments.  But how do you “validate” each piece of software?  They suggest crypto checksums for everything.  Ask Equifax.  It is not as easy as it sounds.
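To make “crypto checksums for everything” concrete, here is an added example (not from the post or from NERC) of verifying an installed software tree against a checksum manifest. It assumes the vendor or your own build pipeline hands you a manifest with one `sha256 <hex> <relative path>` line per artifact, and that the trusted copy of that manifest reaches you by a channel separate from the software itself; otherwise whoever altered the software can alter the manifest too. The artifacts and manifest below are constructed in a temporary directory so the example runs on its own.

```python
"""Verify every artifact under a directory against a checksum manifest.

Added example: the manifest format and the sample artifact tree are assumptions.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large firmware images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """Return {relative_path: expected_hex}; reject malformed lines loudly."""
    expected = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] != "sha256" or len(parts[1]) != 64:
            raise ValueError(f"manifest line {n} is malformed: {line!r}")
        expected[parts[2]] = parts[1].lower()
    return expected


def verify_tree(root, manifest_text):
    """Compare every file under root with the manifest.

    Returns {relative_path: status}, status being one of
    ok, mismatch, missing (listed but absent), unlisted (present but not listed).
    Unlisted files matter: something dropped beside legitimate code never
    appears in the vendor's manifest, so a checker that only walks the
    manifest would never see it.
    """
    expected = parse_manifest(manifest_text)
    present = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            present.add(os.path.relpath(full, root).replace(os.sep, "/"))
    report = {}
    for rel, digest in expected.items():
        if rel not in present:
            report[rel] = "missing"
        elif sha256_file(os.path.join(root, rel)) == digest:
            report[rel] = "ok"
        else:
            report[rel] = "mismatch"
    for rel in present - set(expected):
        report[rel] = "unlisted"
    return report


def demo():
    """Build a constructed artifact tree, tamper with one file, plant an extra one, verify."""
    with tempfile.TemporaryDirectory() as root:
        files = {"bin/relay-ctl": b"relay controller v2.1\n", "lib/modbus.so": b"modbus stack\n"}
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        manifest = "\n".join(
            f"sha256 {hashlib.sha256(data).hexdigest()} {rel}" for rel, data in files.items()
        ) + "\nsha256 " + "0" * 64 + " lib/hmi-plugin.so\n"      # listed but never shipped
        with open(os.path.join(root, "lib/modbus.so"), "ab") as fh:
            fh.write(b"// altered after the manifest was produced\n")  # modified artifact
        with open(os.path.join(root, "lib/extra.so"), "wb") as fh:
            fh.write(b"not in the manifest\n")                      # unlisted drop-in
        return verify_tree(root, manifest)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:9} {path}")
```

The four statuses are the whole story: anything other than `ok` across the board means the tree is not the one that was signed off, and the `unlisted` case is the one most naive checkers miss.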

CIP 013-1 Supply chain risk management

This may well be the most complex part.  Most companies have a lot of suppliers.  Big companies have thousands.  Small companies have hundreds.  The number of vendors is amazing.  They require a written program and remember, those vendors have vendors.  And the whole process has to be signed off on by an executive whose head is on the proverbial chopping block.

Check these CIPs out and see if any of them make sense to you.  Then adopt them.

All of NERC’s CIP standards can be found here.

And, just in case you are thinking this is just some private regulator with no clout: last year they fined an unnamed utility (which everyone knows is Duke Energy) $10 million for violating the rules.


Your Home Internet Router – Are You Inviting Hackers to the Party?

Your home Internet connection router or modem is the front line of defense against Internet intruders.

Think of it as soldiers “manning the wall”, armed to the teeth, ready to repel intruders.

At least, hopefully repelling intruders.

But what if, instead of that scenario, your guards had turned into Benedict Arnold and were working for the other side?

Probably not intentionally, but in fact.

So what should you do to keep your Internet “guard” on your side rather than on the other side?

Here is a list of recommendations.  At least part 1.

Many times, the Internet gateway, if it is provided by your ISP (internet service provider), is not a great piece of hardware.  Sometimes it is okay, but often not so much.

If you have the option to provide your own device, that is likely a much more secure solution. 

In either case, change the password that you were given for the device.  Many times, for ISP provided devices, they have a back door, so changing the password doesn’t help much, but it might.

If your ISP has a device on your network that they can get into, likely they can see most of your traffic, both local and on the Internet.  Even if it is encrypted, although that is harder.

Next make sure the firmware (software) in the device is up to date.  Typically, if you can log into the device, you can find a menu option to check for software updates.  A couple of years ago I was working on a device for a customer and discovered the firmware was 7 years old.  And there were no updates.  This qualifies as one of those “not so much” devices.  It just means that the manufacturer doesn’t care about security because they are not liable.

If you do go out and buy your own modem or router, check the vendor’s history on software updates.  If, in general, they are pushing out regular updates, they will likely do so for the device that you buy.  Also check out reviews online.

Sometimes Internet providers don’t isolate you from the Internet at all – they don’t care either;  they are not responsible.  Probably somewhere in the fine print it warns you.  In a place you don’t read.

You can find out if your computer is on the Internet directly, but that is beyond the scope of this blog post – you may need to ask one of your geeky friends to do that for you. 
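For the geeky friend, here is the check the post leaves out, as an added example (not from the post). It assumes you have already read the address off your computer’s network interface (`ipconfig` on Windows, `ip addr` or `ifconfig` on Linux and macOS) and want to know what that address means: a private address means a router is translating for you, a shared-address (carrier-grade NAT) address means your ISP is translating, and a public address means nothing stands between that machine and the Internet. The sample addresses below are constructed.

```python
"""Classify the address on a network interface: private, ISP-NAT, or directly public.

Added example: the sample addresses are constructed; the ranges are the IANA ones.
"""
import ipaddress

# Ranges a home machine can legitimately hold without being directly reachable.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "169.254.0.0/16",                                  # link-local (no DHCP lease at all)
    "127.0.0.0/8",                                     # loopback
)]
CGNAT = ipaddress.ip_network("100.64.0.0/10")          # RFC 6598 shared address space


def classify(addr_text):
    """Return 'private', 'cgnat', 'public' or 'invalid' for an interface address."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return "invalid"
    if addr.version != 4:
        # IPv6 hosts commonly hold global addresses; ULA and link-local are not reachable.
        return "private" if (addr.is_private or addr.is_link_local) else "public"
    if any(addr in net for net in PRIVATE_RANGES):
        return "private"
    if addr in CGNAT:
        return "cgnat"
    return "public"


def directly_exposed(addr_text):
    """True only when the interface address is globally routable, i.e. no NAT in front."""
    return classify(addr_text) == "public"


def explain(addr_text):
    """One-line human reading of the classification."""
    return {
        "private": f"{addr_text}: behind a router/NAT, the usual home setup",
        "cgnat": f"{addr_text}: ISP carrier-grade NAT; still not directly reachable",
        "public": f"{addr_text}: public address on the interface, no NAT in front of this machine",
        "invalid": f"{addr_text}: not an IP address",
    }[classify(addr_text)]


if __name__ == "__main__":
    for sample in ("192.168.1.23", "100.72.4.9", "203.0.113.45", "fd12:3456::1", "not-an-ip"):
        print(explain(sample))
```

A public address on the interface is exactly the “not isolated at all” case the post describes, and it is the case where putting your own firewall between the ISP device and your computers matters most.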

A better way to protect yourself is to add your own hardware firewall between your ISP’s device and all of your computers.  That way you are in control.  If possible, select a firewall that updates its software automatically.  We can provide recommendations.

Assuming that you don’t live alone – and even if you do – there are likely many devices on your network at home.  Could be as simple as your cable set top box or a Ring video doorbell.  Or it could be your kids’ computers.  Or any number of other devices.  Those devices can also represent a security risk.  Make sure they are all patched too.  Sometimes that is hard.  You really have to do it anyway.

If you can isolate your work device from the rest of those other devices, that is really best.  It may take some IT support to do it, but if security is important, it is worth it.  It could be as simple as buying a dedicated WiFi access point for your work computer or plugging it into a different port on the firewall – it will likely take some expertise to figure it out, but only one time.

These are some basics;  there are a lot more, but start there.  Another day, more on the subject.

Of course, you can always contact us for assistance.


FBI: Building Digital Defense with Browsers

As more of our computing world lives inside a browser, the risk goes up.

As we move to Work From Home, the risk goes up again because we no longer have corporate infrastructure to chop off the top few layers of attacks.  Also many of us have kids that either share our computer or share our network.

The FBI has launched an initiative to protect political campaigns and voters from foreign influence campaigns and cyber attacks called Protected Voices.

The Portland office of the FBI adapted some of the recommendations from that program into recommendations for everyone.

Before I give you the list, let me warn you that it is going to expose that perennial trade-off – security or convenience – PICK JUST ONE!

Here are the FBI’s recommendations:

Note: How you implement these will be browser and system specific

  • Disable AUTOFILL
  • Disable remember passwords
  • Disable browsing history

Disabling these features makes it more difficult for malware on your system to steal sensitive data

  • Do not accept cookies from third parties

Note that some browsers do this by default.  Doing this reduces the ability of third parties to track you and aggregate your browsing habits.  And sell them.

  • Clear browsing history when you close your browser or use incognito mode

Note that this means that you actually have to close your browser.  Again, this reduces your fingerprint and makes it more difficult for advertisers (and hackers) to track you.

  • Block ad tracking
  • Enable do not track (there has to be at least one site on the web that honors this)

There are a number of good ad blockers.  Apple and Firefox have built in ad blocking.  Not only does this make it harder to track you but it stops malware laden ads from running on your system.

  • Disable browser data collection

All browsers like your digital exhaust;  that is why they collect it, but it is none of their business.

  • Make sure that if a web site wants your digital certificate, you have to approve each request

Your digital certificate *IS* your signature.   Protect it.

  • Disable caching

Caching makes browsing faster, but apps and web pages can find out what is in the cache and figure out what you are doing and where you have been.

  • Enable browser features to block malicious, deceptive and dangerous content.  Different browsers do this in different ways; some more privacy friendly than others.
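Since the implementation is browser specific, here is one worked version of the list for Firefox, as an added example (not from the FBI or from the post): an enterprise `policies.json` that applies these settings and locks them so a user cannot quietly turn them back on. The policy names and preference names are Firefox’s own; the mapping is `DisableFormHistory` and the `extensions.formautofill.*` prefs for autofill, `OfferToSaveLogins`/`PasswordManagerEnabled` for remembered passwords, `SanitizeOnShutdown` for history, cache and cookies on close, `Cookies.AcceptThirdParty` for third-party cookies, `EnableTrackingProtection` plus the do-not-track pref for tracking, `DisableTelemetry`/`DisableFirefoxStudies` for data collection, `security.default_personal_cert` for the per-request certificate prompt, `browser.cache.disk.enable` for caching, and the `browser.safebrowsing.*` prefs for blocking malicious content.

```json
{
  "policies": {
    "DisableFormHistory": true,
    "OfferToSaveLogins": false,
    "PasswordManagerEnabled": false,
    "SanitizeOnShutdown": {
      "Cache": true,
      "Cookies": true,
      "History": true,
      "FormData": true,
      "Sessions": true
    },
    "Cookies": {
      "AcceptThirdParty": "never"
    },
    "EnableTrackingProtection": {
      "Value": true,
      "Locked": true,
      "Cryptomining": true,
      "Fingerprinting": true
    },
    "DisableTelemetry": true,
    "DisableFirefoxStudies": true,
    "Preferences": {
      "extensions.formautofill.addresses.enabled": { "Value": false, "Status": "locked" },
      "extensions.formautofill.creditCards.enabled": { "Value": false, "Status": "locked" },
      "privacy.donottrackheader.enabled": { "Value": true, "Status": "locked" },
      "security.default_personal_cert": { "Value": "Ask Every Time", "Status": "locked" },
      "browser.cache.disk.enable": { "Value": false, "Status": "locked" },
      "browser.safebrowsing.malware.enabled": { "Value": true, "Status": "locked" },
      "browser.safebrowsing.phishing.enabled": { "Value": true, "Status": "locked" }
    }
  }
}
```

On Linux the file goes in `/etc/firefox/policies/policies.json`; on other platforms it lives in a `distribution` folder next to the Firefox binary.  After restarting the browser, `about:policies` shows which policies were accepted and flags any it could not parse, which is the check to make before assuming the settings took.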

What is true about all of these features is that they will have some impact on your browsing experience.  You don’t have to implement all of them, but each one makes things a little more difficult for the bad guys.

It is your call.

Source: FBI


What Happens When Your Fintech Provider Gets Hacked?

Fintech is a term that refers, loosely, to all of those companies that want to “help” you manage your financial data in the cloud and are not banks.  Examples are Mint, Chime, Credit Karma, Coinbase, Kabbage and hundreds of others.  Fintech can also include service providers to banks.

Here is the problem.

Fintechs are not banks.  Banks are regulated.  For the most part, fintechs are not regulated.

Okay, so why am I talking about this?  Today?

Finastra provides a wide range of tech solutions to the banking industry and apparently operates as an online service provider.

On Friday they announced that they were shutting down key systems but did not say why.

Finastra is not a startup.  They have 10,000 employees and 9,000 customers in 130 countries, including nearly all of the top 50 banks globally.

So you would think their security is pretty good.

Just not good enough.

Initially they said that they saw “anomalous activity” so they shut down systems to protect themselves.

That was a couple of days ago.  Today they said it was ransomware.

So what does all this mean?

Well, a couple of things.  People are using more fintech technology.  Mobile apps.  Data aggregators.  Many other things.

These apps and web sites have your financial data.

Maybe they have decent security.  Maybe not.  For the most part, they are not regulated.

The ones that are under contract with your local bank, like Finastra, are likely better than many because banks like Chase and Wells and other top 50 banks know that it is THEIR reputation that is going to take a hit if one of their vendors gets hacked.  I know;  I was one of those vendors and they take the problem very seriously.

Finastra has been less than forthcoming with what is going on.  Many ransomware variants steal data in addition to encrypting it.  Was this one of those?  We don’t know.

In this case, their disaster recovery strategy apparently worked out reasonably well because they have already started bringing systems back up.  Likely, as a $2 billion company they probably have “cold sites” – data centers with hardware in them but powered off, just for situations like this.  These data centers are off line in addition to being powered off.  As a result, they are virtually impossible to infect with ransomware – at least until they are brought online.

Obviously, for your bank, this is very important.  For your bank, it is both inconvenient and embarrassing to tell a client who walks into a branch or logs on online “gee, our systems are down; come back another day”.

Moving back to consumer grade fintech, the problem is this: if one of them is hacked, is the security of your bank account compromised?  Could a hacker empty your bank account?

If a hacker breaks into your bank and steals your money, almost always, as a consumer, federal law forces the bank to eat the loss.  Even if the bank fails and goes out of business, consumer deposits of up to $250,000 per consumer are guaranteed by one of many parts of the federal government.

Under this scenario, the law requires the bank to give you back your money now and figure out what happened later.

This is not the case with fintechs.  You could be arguing for a while.  Worst case, you might have to sue them.  You might not win in court.  It could take years to sort out.

We have already seen this with some of the cryptocurrency exchanges that have been hacked.  They don’t have the money or the insurance to make their clients whole.  They file for bankruptcy and you are just another unsecured creditor.

All this does not mean that you should not use financial technology and keep your money in your mattress.

It does mean, however, that you should be smart.  Understand the risk.  Protect yourself. Become knowledgeable about the solutions you choose to use.

BECAUSE THE LAW IS WAY BEHIND – AND I MEAN WAY BEHIND – ON THIS.

Just sayin’.

Source: Brian Krebs


Sometimes Fixing A Breach is Not Easy

Nutribullet, the company that makes those fancy blenders, has a problem.

In general, the problem is not a lot different than a lot of other companies.  Their website was hacked and one of the Magecart family of credit card skimmers was installed.  It turns out that was only the beginning of their problem.

The first infection was discovered on February 20th and was removed on March 1.  While 10 days seems quick, in this case it seems a little long.  But it did not end there.

Five days later another credit card skimmer was found on the website.  The security firm RiskIQ worked with abuse.ch and Shadowserver to get the command and control server taken down.

But on March 10th yet another skimmer was found, pointing to a different command and control server to send the stolen credit cards to.

But here is the problem.

Removing the skimmer – or skimmers – is not enough.

Taking down the command and control servers is not enough.

The first attack compromised a jQuery JavaScript library.  This particular compromise has been detected on over 200 websites.

The second attack compromised a different jQuery resource.

And the third attack compromised yet another script.

At the time RiskIQ made the announcement of the breach they had tried to reach someone at Nutribullet for three weeks with no luck.  In the announcement they told people not to use the web site.

Finally on March 17th, someone at Nutribullet got the message and the spin doctors in their PR department said that the IT team sprang into action upon hearing about the breach.  Three weeks late to the party.

ZDNet reached out to Nutribullet for a comment but has not heard back.  Source: ZDNet

Okay.  Let’s see if we can learn some lessons here.  What went wrong?

I often ask: how can a security researcher contact a company and simply be ignored?  Let’s talk about your company.  How would one of your employees deal with that?  Is there a process?  Is it documented?

After all of the Magecart attacks over the last year why are they still happening?

How did the hackers get in there in the first place to modify the web pages and libraries?  There are two likely possibilities – compromised credentials or missing patches.  It is always possible that there is a zero day – an unknown, unpatched vulnerability, but that is the least likely.

More likely than a zero day is that the website could be accessed by support people using only a userid and password.  It is not that hard to phish an employee’s credentials.  What about your websites?  Do you require two factor authentication for all admin access?

Alternatively, maybe there is a missing patch.  Are you confident that every single library on your web server is current with every single available patch?  Equifax missed one and it didn’t turn out so good for them.

And of course, being able to detect malware in real time, as I wrote in the client alert last night – that is pretty important.
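One control that directly addresses a modified jQuery file is Subresource Integrity: the page pins each script with a hash, and a browser that loads a copy whose hash differs refuses to run it. Here is an added example (not from the post, RiskIQ or ZDNet) that computes the pin for a known-good script, checks a served copy against it, and scans a page for `<script src>` tags that carry no pin at all. The page and script bodies are constructed stand-ins, not real jQuery.

```python
"""Compute and check Subresource Integrity pins; find script tags without one.

Added example: the script bodies, the page and the cdn.example host are constructed.
"""
import base64
import hashlib
from html.parser import HTMLParser

GOOD_SCRIPT = b"/* constructed stand-in for a jQuery build */ window.jQuery = function(){};"
ALTERED_SCRIPT = GOOD_SCRIPT + b"\n/* bytes appended after the pin was taken */"

SAMPLE_PAGE = """\
<html><head>
<script src="https://cdn.example/jquery.min.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.example/checkout-widget.js"></script>
<script src="/static/app.js"></script>
</head><body></body></html>
"""


def sri_value(body, algo="sha384"):
    """'sha384-<base64 digest>' in the form the integrity attribute expects."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def matches_integrity(body, integrity):
    """True if body hashes to any pin in a (possibly multi-valued) integrity string."""
    for pin in integrity.split():
        algo, _, _expected = pin.partition("-")
        if algo in ("sha256", "sha384", "sha512") and sri_value(body, algo) == pin:
            return True
    return False


class ScriptTagScanner(HTMLParser):
    """Collect the src of every external script that has no integrity attribute."""
    def __init__(self):
        super().__init__()
        self.unpinned = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        src = a.get("src")
        if src and not a.get("integrity"):
            self.unpinned.append(src)


def unpinned_scripts(html):
    scanner = ScriptTagScanner()
    scanner.feed(html)
    return scanner.unpinned


if __name__ == "__main__":
    pin = sri_value(GOOD_SCRIPT)
    print("pin for the known-good script:", pin)
    print("good copy verifies:", matches_integrity(GOOD_SCRIPT, pin))
    print("altered copy verifies:", matches_integrity(ALTERED_SCRIPT, pin))
    for src in unpinned_scripts(SAMPLE_PAGE):
        print("no integrity attribute:", src)
```

Two caveats.  SRI only works for scripts whose content is fixed, so a CDN that rewrites files on the fly cannot be pinned.  And if the attacker can edit the HTML itself, they can simply delete the attribute, which is why the page and its own scripts need the same file-integrity monitoring as everything else on the server.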

Right now it looks like the hackers are winning.  Companies like Nutribullet will come out the other side of this battered and bruised but they will survive.

What about you?  How would you fare?


Working from Home Security Challenges / Coronavirus

The bad guys did not waste any time using the Coronavirus pandemic to attack folks who are suddenly Working From Home (WFH) or Studying From Home (SFH).  Here is some information to help those of you who are WFH to navigate the perilous path.

Given that many WFH programs were created out of nothing in almost zero time or scaled up from zero to 60, it is no surprise that there might be a security hole or two.

This applies not only to employees working from home but also to students attending school from home.

First of all, hackers are pumping out tons of malicious emails themed around Coronavirus.  The malicious emails are compromising systems with password stealing malware and remote access back door software, among other goodies.  And don’t forget that old favorite – ransomware.  More on that later in this post.

Given how stressed people are, they are likely to forget their security training.

Another challenge for WFH/SFH – making sure that all devices are fully patched.  That is going to fall more on the end user now.  Companies who have fully automated that are in better shape, but lots of organizations are not set up for that.  THIS INCLUDES PHONES AND TABLETS!

Another problem is home and public WiFi.  At work, the company can control the setup of company WiFi, but at home it is a bit of the wild west.

For example, when was the last time you patched your WiFi server and your Internet router, modem or firewall?

When did you last have a security expert check the security configuration of those devices?

If your company uses older, in the office systems, they likely do not work very well for remote workers.  There is no quick fix for this.  It is fixable, but the fix requires new hardware and employee training.

Companies who are in regulated industries such as healthcare, finance or defense have additional problems.  How do you continue to comply with the security laws and regulations that these industries have to comply with?  In fact, in many of these industries employees are not allowed to work remotely by regulation or law.

To make matters worse, in many cases, IT doesn’t have the right tools to securely assist workers who are no longer at the office.  If an employee uses a virtual private network (VPN) to connect to their work network, it usually makes it even more difficult for IT to securely connect back to them in order to provide tech support.  Even in cases where it does work technically, many times the company has not bought the right support tools to make this possible.

Of course employees who are using their mobile devices more open up yet another attack vector.  Many phones and tablets are horribly out of date when it comes to security patches.  Many phone manufacturers do a crappy job of releasing patches and for older phones – say more than 2 years old – many times the manufacturer says they are no longer supported and leaves the user wide open to a whole raft of attacks.

Companies need to conduct a risk assessment of the remote work environment to make sure that they understand what new risks the company is accepting.

Companies need to consider whether they even have enough security software licenses such as VPN connections.  Employees will create unsafe workarounds if the company can’t provide them tools that are secure.

Here is a screenshot of a malicious email.  It pretends to be from the CDC, but the email address in the red box shows that this is not the real CDC.  The URL in the second red box looks like it is from the CDC, but if you hover over it, it turns out that it is not.

Cybercriminals sent this coronavirus phishing email, which was designed to look like it came from the U.S. Centers for Disease Control and Prevention. Courtesy of Kaspersky.
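The two red boxes in that screenshot are the two tells a mail filter (or a careful reader) can check mechanically: a From display name that claims one organisation while the mailbox lives at another domain, and a link whose visible text names one host while its href points somewhere else. Here is an added example (not from the post, Kaspersky or any of the post’s sources) that applies both checks to a raw message. The message is constructed and uses documentation-style domain names.

```python
"""Flag sender display-name/domain mismatches and link-text/href mismatches.

Added example: the message, the domains and the claimed-organisation table are constructed.
"""
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_EMAIL = """\
From: "CDC Health Alert" <alerts@cdc-gov-update.example>
To: someone@example.org
Subject: COVID-19 cases in your area
Content-Type: text/html; charset=utf-8

<html><body>
<p>See the latest list of cases at
<a href="http://cdc-gov-update.example/login">https://www.cdc.gov/coronavirus/cases</a></p>
<p>Official site: <a href="https://www.cdc.gov/">www.cdc.gov</a></p>
</body></html>
"""

# Display-name keyword -> domain a genuine sender would use (a constructed table).
CLAIMED_DOMAINS = {"cdc": "cdc.gov"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Hostname from a URL or a bare domain such as 'www.cdc.gov'."""
    candidate = text if "://" in text else "//" + text
    return (urlparse(candidate).hostname or "").lower()


def same_org(a, b):
    """Treat 'www.cdc.gov' and 'cdc.gov' as the same organisation."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def check_sender(msg):
    name, addr = parseaddr(msg["From"])
    domain = addr.split("@")[-1].lower()
    findings = []
    for keyword, real_domain in CLAIMED_DOMAINS.items():
        if keyword in name.lower() and not same_org(domain, real_domain):
            findings.append(f"display name claims {keyword.upper()} but mailbox domain is {domain}")
    return findings


def check_links(html):
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown, actual = host_of(text), host_of(href)
        # Only link text that looks like a hostname can contradict the target.
        if "." in shown and not same_org(shown, actual):
            findings.append(f"link text shows {shown} but points to {actual}")
    return findings


def analyse(raw):
    """Run both checks over a raw RFC 5322 message and return the findings."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    return check_sender(msg) + check_links(html)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

The second link in the sample, whose text and target agree, produces no finding; the check is for contradiction between what the reader sees and where the click goes, not for every link in a message.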

The spam emails might claim to provide information on the Coronavirus or perhaps provide a way for people to contribute to those who need help.  Unfortunately, the only ones these people are helping are themselves.

KnowBe4 published a picture of an email containing a QR bar code asking for donations (see below).  If you want to make the folks in China or North Korea rich, you should donate.

[Image: coronavirus_donation-1]

This piece of spam, also from KnowBe4, asks you to watch a Coronavirus video.

[Image: covid19_spam-scam-1a]

It promises secret information that the government isn’t telling you.  If you buy their book for $37.00.

That one is comparatively harmless, because some of them tell you that you need to update your software in order to view this secret video.  In fact the “update” is software that infects your computer, steals your passwords, empties your bank account, encrypts all of your data or some combination of the above.

In the following email, if you just click on the link, some dude will tell you everything you need to know about the Coronavirus and how to stay alive.  NOT!

[Image: coronavirus_info-1a]

Suffice it to say, this is a bit of a mess and it is not likely to get any better soon.

Companies will, unfortunately in this time of uncertainty, need to up their security spending.  The alternative might be a bit of a train wreck.

If you do need help or have security questions, please reach out to us.  After all, we are staying home to stay safe :).

Information for this post came from Threatpost, GCN, the US Secret Service and KnowBe4.
