Geek Speak

12 Posts authored by: c1ph3r_qu33n_3

The PCI Data Security Standards define the security practices and procedures that govern the systems, services, and networks that interact with cardholder or sensitive payment authentication data. The environment in which cardholder data flows is defined as the cardholder data environment (CDE) and comprises the “people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data”. 


While some PCI deployments are simple, such as a single Point of Sale terminal directly connected to a merchant authority, other deployments, whether interacting with older systems, or deployments that have store and forward needs, or use cases where an acquirer of cardholder data needs to transmit or share data with another service provider, are more complicated. You may find yourself needing a solution that allows you to transfer cardholder data while maintaining PCI compliance.


When you need to move PCI data, whether within the CDE or for further processing outside of the CDE, you can use a managed file transfer (MFT) solution to accomplish this task. In this situation, you need to ensure that the MFT complies with all aspects of PCI DSS.


The main requirement governing data transfer is Requirement 4, which states that cardholder data must be encrypted when transmitted across open, public networks. More specifically the encryption implementation must ensure:


1. Only trusted keys and certificates are accepted.

2. The protocol in use only supports secure versions and configurations.

3. The encryption strength is appropriate for the encryption methodology in use.


For file transfer, the usual transports are either FTP over SSL, which runs the traditional FTP protocol tunneled through an SSL session, or HTTP running over SSL/TLS. Occasionally SSH2 is needed and may be used in situations where it is not possible to set up bi-directional secure transfers, or when only an interim transfer is needed.


A properly configured managed file transfer solution will enable users to:


1. Automatically transfer cardholder data for further processing

2. Support ad hoc secure transfers

3. Generate onetime use secure transfer links


However, care must be taken to adhere to new PCI DSS 3.2 authentication and encryption requirements, as well as to ensure cardholder data is kept only for the time necessary to achieve the legitimate business need. We will address each of the new PCI requirements to ensure you can safely continue to use your managed file transfer solution.


Multifactor Authentication

PCI DSS 3.2 clarifies that any administrative, non-console access to the cardholder environment must support multi-factor authentication. This means multiple passwords or passwords plus security questions are no longer valid authentication protocols.


For years web application and even SSH access has relied upon simple security questions, or even just user ID and password, to properly identify themselves to systems. Unfortunately as seen in the recent Yahoo data breach disclosure , security questions may be kept in the clear, and such questions are often chosen from a standard list.


From a PCI managed file transfer authentication requirements perspective, 3.2 multifactor authentication only impacts user to server initiated transfers, or administrative access to a server located in the cardholder data environment. If you are currently using either of these two scenarios with only password authentication, should plan for migration by February 2018.  You can read more about new PCI authentication requirements the PCI 3.2 changes blog post here:



The changes to PCI 3.2 regarding encryption are more extensive than the authentication requirements. The most common transport layer encryption used for managed file transfer will depend upon SSL/TLS protocols to deliver the security for data in motion. Early versions of SSL/TLS have known vulnerabilities that make them unsuitable for ongoing use in managed file transfer according to the new PCI standard. Although the 3.2 requirements permit the use of SSL/TLS if properly patched, configured, and managed there is no need to use these older versions of SSL/TLS in a managed file transfer environment as most systems and browsers have been updated to support TLS 1.2 for some time. That said even when configuring your server to accept the TLS 1.2 protocol and above is still the matter of which cipher suites to select. TLS 1.2 supports over 300 cipher suites and not all of them are acceptable for use with cardholder data.


PCI DSS 3.2 does not directly specify the cipher suites to use with TLS, leaving the implementer with the following requirement “The encryption strength is appropriate for the encryption methodology in use” . PCI does provide additional guidance and points to NIST publication 800-52, which was last updated in April 2014. However, since that publication date several critical vulnerabilities have been found in the implementations of certain cipher suites used by SSL/TLS and additional vulnerabilities have been found in OpenSSL, which is a commonly used library. These include:


- Freak , which forces a downgrade to an exploitable version of RSA

- Drown , which relies upon a server supporting SSLv2 to compromise a client using TLS

- Five critical vulnerabilities in the OpenSSL implementation reported September 16, 2016


From NIST 800-52 the following cipher suites for TLS 1.2 servers are recommended:









Care must be taken to ensure that null ciphers, and lower grade encryption ciphers are not configured by default, as these ciphers can be used in Man in the Middle Attacks. To mitigate this risk, OWASP  recommends using a whitelist approach, which means either limiting your server to only use certain ciphers, such as those specified above, or if you cannot whitelist your cipher suites, ensuring that you disable weak cipher suites .


The cipher suite is not the only cryptographic element of your managed file transfer solution. The SSL/TLS server also needs a private key. The private key should be generated by a known Certificate Authority, in an X.509 or PKI certificate. Furthermore, in order to be PCI compliant your certificate should meet NIST SP 800-57 key management requirements. From a practical perspective OWASP recommends server certificates should:


1. Use a key size of at least 2048 bits

2. Not use wild card certificates

3. Not use SHA-1

4. Not use self-signed certificates

5. Use only fully qualified DNS names


NIST 800-57 provides detailed guidance on protecting private keys and from a PCI perspective the important elements of key management are:


Ensuring the integrity of the private key from:

1. Accidental or intentional reuse, modification, compromise

2. Exceeding the relevant cryptographic period (how long a private is expected to be in use)

3. Incorrect configuration of a private key


It may seem like overkill to be so focused on encryption protocols, cipher suites and private keys, however if the private key is compromised, as it was with the Sony PlayStation 3 , your entire system is now vulnerable.


Storing Cardholder Data

While there are no changes to requirements around storing cardholder data in PCI 3.2, if you do use managed file transfer you are storing cardholder data. Along with the technical guidelines on storing cardholder data , consider how you are going to mitigate the risk of accidental disclosure by removing any files containing cardholder data as soon as possible after the business use is completed. Having a policy that establishes data retention, secure destruction, and logging the execution of these activities will ensure you maintain PCI compliance.


There are other requirements associated with any system or solution that operates under PCI but the new requirements for PCI 3.2 focus on authentication and encryption. By working with your IT staff in advance and detailing your PCI use cases and requirements with a focus on authentication and encryption you can confidently deploy managed file transfer in your PCI environment.


Do you use file transfer solutions today?  Are you comfortable with the security they provide for Personally Identifiable Information?

If you didn’t have a chance to join some 350+ of your fellow IT and Security Pros at our Shields Up Panel: Network Security Fundamentals, Fight! THWACKcamp session – you’re in luck, we took some notes.


Our panel was comprised of Eric Hodeen, Byron Anderson, our moderator Patrick Hubbard, and me, c1ph3r_qu33n.


Compliance v Security was the theme this year, and we tackled 4 big questions:


  • Have security practitioners and business owners figured out how to work with compliance schemes instead of fighting them? 
  • Are you more or less secure when you put compliance first?
  • What benefits (or harms) do compliance schemes and checklists offer?
  • If you are new to compliance, where do you start first? 


Our panelists felt that security and compliance teams are generally getting along better. However, there are still times when a business owner looks only at the penalties or risks of non-compliance and doesn’t consider the impact to the business of following a standard blindly. This can be especially true of highly proscriptive standards like DISA STIGS (Defense Information Systems Agency - Security Technical Implementation Guidelines)[1], or NERC CIP (North America Electric Reliability Corporation – Critical Information Protection)[2]. The challenge for IT and security pros, is to effectively communicate the potential business impacts and to give the business owner the ammunition to argue for a waiver or request a compensating control.  This way your organization can reach an optimum balance of compliance risk vs business needs.


One of the misconceptions that business owners may have is that a compliance scheme comprehends all the organizations security risk, so nothing further needs to be considered. As practitioners we know that compliance schemes are negotiated or promulgated standards that take time to change. Adjusting for changes to the threat landscape and addressing new technology innovations in a rapid fashion are challenges for compliance schemes. Furthermore no compliance standard considers every nuance of every IT environment.


So that is one of the risks of taking a compliance only approach.  But no one on the panel felt compliance schemes don’t have value.  Like other good guidelines and checklists, such as the OWASP top ten[3], or the SANS Critical Security Controls[4], compliance checklists can add value to an organization, especially as assurance.  The panel was divided however, on whether you start with a checklist, or you end with a checklist.  The answer may depend on your organizations maturity.  If you’ve been doing security for a while, using a checklist to validate your approach may add an extra layer of assurance. If you are new to security, however, a good checklist can be a great asset as you get started in this new IT discipline. 


Speaking of getting started, we all had different ideas about what is your most important first step. One of us said default passwords, which insidiously have a way of creeping back into the organization – whether it’s from a new install, or a reset of an existing device – default passwords still haunt us.  Another panelist thought end users were the biggest challenge, and maintaining good security required strong user participation. Anyone who has dealt with ransomware or phishing knows how important it is to keep users informed of likely risks and good security hygiene.


VIDEO: Shields Up Panel: Network Security Fundamentals, Fight!


We all agreed that THWACKcamp was great fun and we hope to see you all next year. If you’ve got an issue you’d like to see the experts take a stab at, post your questions and we’ll put them in the idea basket for next year.







“With me, everything turns into mathematics.”

– Rene Descartes



Ransomware is not new. Beginning as misleading ads, and warnings that your computer is infected, Symantec traces ransomware deployments (including crypto lockers) back to 2005.[1] Early crypto locking extortion scams were not that successful. However, current business owners face increasing risk of cyber extortion, and crypto locking ransomware has been on the rise over the past two years. It has become so prevalent that the FBI issued a warning highlighting the increasing threat to businesses.[2]  Given the increasing velocity of deployment, the ease of infiltration, and the dire consequences of infection, we believe ransonware is a significant risk to businesses.


There are two primary factors contributing to the rise of ransomware:


  1. More real-time business data has been digitized, especially in health care and loan processing, which has increased the available pool of targets.
  2. Anonymous payment systems make monetizing ransomware easy, efficient, and risk-free for cyber criminals.


Observed samples of ransomware in 2014 totaled almost 9 million, yet in Q2 2015 alone, samples hit 4 million. This run rate is doubling year over year. Ransomware, unlike many vulnerabilities and malware, does not require administrative privileges, as its purpose is to encrypt the files useful to the end-user. Furthermore, the same types of scams and hooks that make ransomware successful on Windows are being deployed against other platform targets. 

What systems are at risk?

Cyber criminals have built ransomware kits that target a wide range of systems, including Windows, Linux, Android, and recently (March 2016) Mac OS. While the majority of ransomware successes are still on Windows, users should be alert to the increasing risk of ransomware on Android, which is on the rise.  Android ransomware could become particularly troubling in dedicated devices used in health care, manufacturing, and retail.

How does ransomware behave?

On Windows, ransomware works to impair your computer in one of three common ways:


  1. Encrypt your files (Locky and Cerber).
  2. Prevent you from accessing in certain apps (FakeBsod – locks browser).[3]
  3. Restrict access to the operating system itself (Revton – locks PC).


On Android, ransomware falls generally into one of two types:


  1. 1. Screen locking.
  2. 2. File encrypting.


Unfortunately for Android users, both forms of ransomware are increasingly seen in the wild. The chronology of Android ransomware follows a similar pattern to the Windows chronology; it begins with a fake antivirus, then fake police demands, followed by full cryptographic file locking. Versions of Simplocker malware on Android encrypt the SIM card; versions of Lockerpin acquire administrative privileges and prevent access to the device.[4]


On Linux, the most common target is web servers. The ransomware Linux.Encoder.1 has been reported in the wild since November 2015. This variant does require root privileges, and it walks the web server file directory structure as well as nginx, /root and others.[5]  The reported ransom for this variant is one bitcoin.


Fortunately for Mac OS users, the first reported ransomware that encrypts Mac OS files has not been widely deployed or successful. With only 6500 downloads identified, Mac OS ransomware is a drop in the proverbial bucket.

What organizations are likely targets?

As mentioned above, real-time access needs for critical data create the easiest targets for ransomware. While no individual or business is free from worry, public service (police stations) and health care (hospitals) have been successfully targeted in the last 12 months. We can infer that other businesses, such as title companies, car dealerships, and other loan processors are likely targets as well. The criticality of data in these organizations is intuitive, and most cyber criminals keep the ransom amount “reasonable” (around $10,000). This amount is low enough that it appears to be economically rational for businesses that need to restore access quickly. Additionally, setting up a bitcoin wallet is relatively straightforward, with a number of YouTube how-to videos readily accessible. For an individual system, or business with less real-time critical data, the price is usually a single bitcoin.  


What defensive steps can you take?

Prevention is, of course, the goal. However, between the ranges of infection vectors (SMS on Android, browser exploitation, spam malware, and exploit kits), and the volume of ransomware samples observed in the wild, the risk of initial infection of ransomware is difficult to eliminate. Therefore a combination of preventative tactics as well as planning for incident remediation is the best risk-mitigating course of action.


Preventative Actions


  1. Educate your users on the risk. Users who process a large number of inbound attachments and emails, such as accounts receivable processors, account managers, and marketing personnel, are particularly vulnerable.
  2. Maintain patches on desktop users’ systems, as well as critical data servers.  Desktop users are often updated in a haphazard manner, or not at all, which makes them vulnerable to exploitation.
  3. Reduce or eliminate automatic mapping of drives. Recommended by thwack community member Stephen Black, eliminating automatic drive mapping means the ransomware won’t be able to walk your network from one initial infected system.
  4. Monitor for infections to prevent contagion.  If you use LEM, there is a monitoring rule you can download and use.


Incident remediation

If you find yourself in the unfortunate situation where a system has become locked with ransomware, you have limited options. While some researchers have been successful reverse engineering ransomware, the ability to do so takes time and depends on vulnerabilities in the ransomware code itself. If you were lucky enough to be hit by one of these old variants, you can use the techniques the researchers have published.[6]  But, realistically, for most situations there are only two real options:


  1. Restore from backup.
  2. Pay the ransom.


If your business fits in the class of organizations currently being targeted, or shares characteristics with organizations being targeted, it would be prudent to actually test your ability to restore from your backup media, whether that is a cloud backup, local backup, or offsite backup. Businesses with Android users are encouraged to explore mobile device backup, or at least educate your users on their options.[7] Unfortunately, the only time the restore from backup process is usually tested or validated is during an audit, or test of a business continuity or disaster recovery plan, which may be too late.


Do you have a favorite way to use LEM to look for malware? 

When did you last test your business continuity plan? 

Know anyone who has successfully recovered files after a ransomware attack?

Share your stories so we can all benefit.

[1] Symantec, Internet Security Threat Report, 2016 pg. 58







We have been watching the spread of ransomware and this malware's success with increasing concern.

Hospitals appear to be of particular interest this year.


And who hasn't had a friend or colleague call in a panic this year already.


As many of you know, most ransomware gets onto the system through a phishing attack, so Adobe's emergency update earlier this week was concerning on multiple levels.


1 - Does this mean we can expect ransomware drive-by-downloads

2 - What is the next bug in Flash that will be exploited.


If you haven't read about this update yet, you can hit any of arstechnica, macrumors and the of course the popular press.


This patch includes updates to prevent the Cerber form of ransomware and the fact that it is an emergency patch means it's been seen in the wild.

If you haven't already done so, please update flash it's windows and macOS.


And share your experiences, as we all know with ransomware - either you have a backup or you payup

I walked the show for 21K steps a day ( according to my fitbit) and these were my top takeaways:


  1. The sheer number of vendors makes remembering much of the show difficult
  2.   Innovative security solutions teams are developing new capabilities
    • heterogeneous public cloud deployments
    • new windows end point security capabilities that are managable
    • more application specific security that matches risk
  3. You can build a better mousetrap
    • new one time password solutions
    • easier to manage encryption
  4. There were more policy presentations because of Apple than Snowden


Of course we still have to security capabilities that are early in the hype cycle, and Threat Intelligence is one of those. 

We did a little write up for you on Threat Intelligence here:


What did you think of RSA? Anything you found compelling?

As we approach the end of National Cyber Security Awareness Month, it’s time to focus on ways to improve your current staff and resources. In light of our country’s current security skills shortage (more than 50 percent of 600+ companies surveyed indicated that it takes roughly three to six months to fill cyber security positions, and even then, available staff may not have the necessary skills to detect and respond to complex incidents[1]), organizations must explore ways to optimize IT and security team functions. Too often a lack of coordination between teams leads to increased inefficiency and wasted effort.


If you don’t have an efficient, streamlined patch management program in place, for example, work done in vulnerability assessment (VA) could result in a pile of unread spreadsheets. VA programs are expensive to set up and manage, and usually involve a monthly cost. This means that any month the data isn’t used will wind up being a waste of time, money, and resources. If your IT team is not ready to manage VA, consider having your security team work with them to set up good patch management tools and practices.


Sometimes different functional teams want to access data from the same sources. In other cases, data from devices being managed by different teams may not reach its desired destination. Both instances call for monitoring. Take, for example, switches and routers vs. ingress/egress devices on the network. Traditionally, ingress/egress (firewalls) are configured and managed by the security team, and internal switches and routers are managed by the networking team. However, each team would benefit from sharing information. Perhaps there should be internal firewalling between organizational teams: finance and human resources, sales and marketing, engineering and product management. If these internal firewalls are being implemented with access control lists on internal systems, does the networking team configure and manage these devices, or does security? 


Another area of best practices sharing could come from change management. In many organizations, change management is either overlooked, or not practiced consistently across teams. Look inside your organization and see which team has more maturity in process, tools, and efficiency for change management. This might be the applications team, the IT team, the networking team, the security team, or maybe even DevOps. Setting up best practices leads across functional groups encourages communication, creates a culture of cooperation rather than antagonism, and helps mitigate staff shortages.


A 2012 Chicago School survey of job satisfaction[2] indicates that an important component of job satisfaction comes from being recognized for using inherent skills and abilities. In cross-functional teams, employees are encouraged to share their skills and abilities with a broader audience, which leads to improved processes and greater job satisfaction. 


As Henry Ford stated, “Coming together is a beginning. Keeping together is progress. Working together is success.”



We are becoming an IP-connected world. Home energy, city lights, cars, television, coffee machines, IP-enabled mobile devices, home security cameras, watches, manufacturing process automation, Star Trek-like hospital monitoring beds, you name it. If it’s been built in the last five years and has any kind of management or monitoring need, the device probably connects to an IP network.


Most of these systems should be non-routable, internally controlled networks to reduce the risk of tampering or accidental or intentional data loss. But we know that even if these networks are designed to be closed, some business need, convenience, or a clever hacker could open them up to external access. Consider the Target breach via an HVAC vendor[1], or the remote hack of a Jeep Cherokee[2] via an open port on the Sprint cellular IP network. (Sprint points out that it was merely providing the connectivity and transport for the attack, and that its network did not contain the end device vulnerability[3]). 


First, maintaining a strict policy of no remote connections creates a sense of assurance.  Second, such networks can drift from their original configuration, or become out of date with respect to patches and updates. Third, closed networks are more costly to maintain. The cost of an onsite visit to resolve a configuration issue or a patch gone wrong is certainly more expensive than remote remediation. Imagine the havoc that would ensue if the new LED road lighting system being deployed by the city of Los Angeles[4] were hacked?  Still, the benefits of a connected LED lighting system, including reduced energy, better management, and real-time communication, are likely a higher priority than the risk of hackers taking over nighttime lighting. 


It’s worth reviewing the Jeep situation because it illustrates the challenges of adding systems to IP networks. First, as we add remote access to previously disconnected complex systems, the design of command and control vs. the data path needs to be carefully considered. Jeep designers believed their systems were disconnected, but researchers were able to find a connection. Once the connection was found, further engineering enabled the researchers to use the entertainment system with its necessary network connectivity to piggyback commands into the control system, radio, windshield wipers, steering, and brakes. Computers have made cars safer by giving them the ability to sense obstacles, feather the brakes, and warn the human driver when maintenance is needed. But those same computers become dangerous if accessed by unauthorized users.


As devices become increasingly interconnected, system functions and controls may be accidentally accessed. We can mitigate this risk by understanding our network baseline protocols and carefully monitoring new types of devices that appear on the network.


In the words of Arthur Conan Doyle, “Never trust to general impressions, my boy, but concentrate yourself upon details.”







Happy Columbus Day!


We all want ready access to email and other critical apps from every device, on any network, all the time.

We want to use company equipment and home equipment interchangeably because we work from different locations throughout the day. As if all this wasn’t hard enough for your IT security team, just watch them start to lose their minds when you throw in some social media platforms. Their mantra is: you can’t have all of this and still be secure. But is that really the case?  In fact, with a few restrictions, a little software, and some common sense, most positions in many organizations should be able to achieve this level of flexibility and still remain relatively secure.


Let’s start with devices. Who doesn’t use a mobile platform, phone, or iPad® to conduct at least some business during the day? Many of us use these devices to check email, run IT alert apps, or business tools, like expense management or HR apps. In fact, according to Tech Pro Research, 74% of businesses are planning to use, or are already using, Bring Your Own Device (BYOD).[1]


Most businesses use mobile devices, especially if you count business-purchased mobile phones. Fortunately, Enterprise Mobile Management (EMM) makes it easy to secure corporate data and applications. Features in EMM include the ability to encrypt corporate data, manage applications that reside on the phone, force VPN connections, force a pin, and separate personal data from corporate data. Additionally, mobile devices are commonly used as a secondary factor for authentication and authorization.[2] It is much more convenient to use your mobile device as a soft token than carry around a key fob-based token. However, in some environments, personal devices are not considered secure enough and key fobs are required.




Mobile device risks


Mobile device risk comes from two primary threat vectors. The biggest risk is loss. If a device does not have a pin or strong password, all of its data can be accessed. Even if your phone is authenticated, some good forensics packages can still extract data from it. If critical data is stored on the device, add-on encryption is essential. The second risk is malware. Malware enters a phone from two primary vectors: mobile advertising and compromised open source libraries. Because advertising on mobile devices is less controlled, malicious actors can insert malware through this application programming interface (API). Open source libraries have also been known to be compromised, as we saw with Xcode just this month.[3] EMM can help with both these risks by limiting apps in the enterprise container, and enforcing pin number and password rules.


Using a home personal computer for work is less common than using mobile devices, primarily because fewer people work on personal computers these days. Some companies are moving toward using tablets for work, and others use virtual desktops, which allow employees to use their own computers. Even companies that require employees to use laptops or desktops purchased and issued by their IT departments rely on Cloud-based applications to get work done. With Cloud-based apps, it is difficult to preclude access to personal devices.


The issues that accompany PC use are slightly more complicated than issues associated with mobile devices. The most successful remote desktop implementations are those that really only use the PC for its keyboard, video, audio, and mouse functions. If you want to allow local data storage, you need a policy around encryption (for sensitive corporate data) and a way to ensure that the home computer is as secure as a corporate device.


We are now adding social media to the equation. The issues to consider with social media include company reputation, policy restrictions, malware, and ownership. Organizations want to protect their reputation, so they write social media policies that provide guidelines on use, posting, and reporting. However, you may not know that the National Labor Relations Board has some strict guidelines on what an organization can and cannot have in its policy. There are First Amendment issues with the right to associate and discuss work issues that can conflict with certain social media policies. Check out NLRB guidelines to learn more.


Next, make sure your policy includes clear guidelines on who owns the account. If employees are allowed to post from their personal accounts, provide a disclaimer they can use to clearly show they are stating their own opinion. Require all work-related communications to be issued from organization-owned and -managed accounts.


Finally, there is malware to consider. Malware that arises on social media is the same type of malware you might see on many websites. The difference is that malware spreads quickly if it gets onto a popular topic or image on social media. This is why it is so important to ensure that nothing containing malware gets posted. Actively scan posts to make sure they don’t have images or attachments, and ensure that your browsers are up to date with the latest patches. Lastly, avoid risky programs, such as flash, if at all possible.


In the words of Mr. Universe, “You can’t stop the signal.[4]

BYOD and social media are here for the duration. If we evaluate our risks, and plan our controls, we can connect with confidence and assurance.






Remember grade school fire drills? Teachers demonstrated how to line up; they tested the door for heat; explained how dangerous smoke is; and a few times a year the obnoxiously loud bell rang and we’d all walk (not run) to the nearest exit. I’ll bet that fire safety ritual is forever etched in your mind, but do you know who to call in your organization if you suspect an information security issue? 


The challenge for organizations when it comes to information security awareness, is that most programs are a combination of once-a-year lectures, or worse, online training (complete with PowerPoint® slides) that makes online defensive driving classes seem alluring. While this type of training may meet compliance or policy guidelines, retention for non-security professionals is minimal. In fact, the low-effectivity level has prompted noted security researchers, such as Dave Atiel, to assert that security awareness is a waste of money.[1]


So what should an organization do about security awareness? Many in the security community are talking about establishing a Culture of Security, instead of imposing the “mandatory” annual training programs. Infusing security awareness as part of your organization’s culture requires commitments that are not always as easy to obtain as you might expect.


Security awareness must come from the top 

Your C suite must support all your security polices and be regarded as fully compliant. Too often, as security professionals, we write policies that the C suite ignores—something as simple as wearing a badge and requiring visitors to wear badges. Failure to adhere is noticeable and diminishes organizational respect for the security policies.


Measure and report on awareness campaigns

Often, security professionals run awareness campaigns and track who attends the classes, but do you track and report on:

  • Number of tailgaters spotted?
  • Laptops left unattended and not locked?
  • Phishing spots (up or down)?

Getting executives to report these stats in the company newsletter or all-hands meetings helps keep security top of mind.



Creativity elevates awareness and retention

As we said before, security awareness through traditional online and in-class training is useful, but the information doesn’t stick with us. Do something different.

  • Launch a security ambassador program.
  • Give out an award for best security risk identified.
  • Have a donuts (or breakfast taco) and security question station as employees arrive at work.


If you are responsible for IT security and your resources are limited, the following are some simple security awareness ideas.


See it, Say it

Set up an email alias for employees to report security risks—phishing, doors propped open, loose USB devices or laptops. You do need to respond. But at least you’ll have the information, and, over time, this is where you look for your deputies or security ambassadors.



Yes, you can “gamify” security awareness. Try hosting quarterly or monthly contests. This really works[2]. Here are some game ideas:


  1. Pass the balloon. Attach a balloon to an unsecured desk (laptop open; confidential information, car keys, purse left out …). After correcting the infraction, the balloon recipient has to find someone else to pass the balloon to. 
  2. Candy for phishing. Put up a candy jar for a week. Anyone who reports a phish gets to dip into the jar. (Added challenge: you cannot eat the candy if you want to win). At the end of the week, the person with the most candy wins a gift card, or, perhaps more appropriately, a toothbrush.


Some of these ideas may seem frivolous or juvenile, but IT security is anything but that. Your objective is to establish a security-awareness mindset among everyone in the company. With more sentries on the lookout, you lower your risks of a security breach.




Security is Everyone’s Job



“Never was anything great achieved without danger.” -Niccolo Machiavelli


As we begin National Cybersecurity Month, it's a great time to reflect on how we can all protect ourselves at work and home. Let’s look at some current risks and see what changes we can adopt to mitigate these risks.


Email - we need it, love it, live it, but it’s risky.


Phishing is still the number one risk for most of us. Whether it’s an automatic preview in our work email system, or a browser injection on Web mail, SPAM and phishing are both a security risk and an irksome annoyance.


Unfortunately, we are not winning the battle against email cybercriminals and overzealous marketers, despite almost ubiquitous deployment of spam filters. Here we are in 2015, and spam still represents >10% of our inboxes.[1]  The statistics on phishing are even worse. From 2014 to 2015, the number of phishing sites increased from about 25,000 to 33,500, according to Google[2].


Furthermore, malicious email is becoming more sophisticated by embedding macros in ordinary looking attachments. In our busy lives, it’s easy to accidentally click on an attachment or link with malicious content.


The following are some email checks to keep top of mind:


Stay in familiar territory


Make sure the to: and reply to: emails match, or are from a company you know. Email phishers will try to fool you with an email that looks like someone you know, when it isn’t.



Watch out for typosquatters


These are email domains that are just slightly different from the real company name. These are commonly used in Business Email Compromise campaigns, where fraudsters trick businesses and consumers into sending money to a bank outside the US, often China or Russia. This money is very difficult to recover because we don’t have the right legal relationships, and international banking laws don’t provide the same protection as US laws.

These transactions pose a big business risk. We’ve lost 1.2 billion dollars in recent years. Even worse, this type of fraud is on the rise, up by 270% according to the FBI results released just last month.[3]



Personal email accounts are not safe from fraudsters


Personal email account breaches are difficult to detect because the fraudulent request comes from a real account. Hackers use the compromised account to steal money from relatives and friends. Particularly vulnerable are older parents and grandparents.


Don’t be a victim. Here are some safe computing practices that can help you avert email fraud:


Keep private information private


Never share your password. If someone genuinely needs access to your account (should never happen at work), change your password, then change it back when they are done.


Add variety to your login credentials


If you use a free email account, use a unique password for this account—not the one you use for social media, websites, and especially banking. Change your password frequently—at least once a quarter. It doesn’t need to be complicated, use your current password and add a special character for each quarter (see example below), or create your own that you can remember. Also, make your change date memorable, like the beginning of the quarter, or when you pay your mortgage.


  • 1st quarter “!”
  • 2nd quarter “?”
  • 3rd quarter “&”
  • 4th quarter “%”


This makes it more difficult for password crackers to guess your password, and if there is a password leak at another site, you haven’t handed over the keys to your email house as well.


Keep your system patched


Many of the security vulnerabilities exploited by hackers to compromise accounts are old and have been fixed by the vendors. If you are in a corporation, talk to IT about automatic updates. If you can’t patch because you are running an older application, ask IT about creating a VM (virtual machine) for you to run that old application. This helps you keep your system patched and up to date. At home, make sure your operating system, pdf reader (, and browsers are set for automatic updates. Patching these three things will protect you from the majority of risks.


Educate your friends and relatives


Warn your less tech-savvy acquaintances of the dangers of cyber fraud. Remind them that no true friend would ever ask for money in an email. If they do get such a request, advise them to make a phone call to the person. Also, give them the numbers of the fraud department at their bank so they have someone to call if they need advice.


Make sure your security software is current


Make sure everyone in your house has up-to-date anti-malware software. Put it on an auto-renewing charge if needed.


You may hear a lot of talk about next generation endpoint protection. And yes, anti-malware software is not perfect, but you still brush and floss your teeth. If you can’t afford an anti-malware software package, at least run the free Windows® Essentials (for Vista to Windows 8, after Windows 8, it is called Windows Defender). For Mac users, Sophos offers a free antivirus solution.



As Albert Einstein said, “A ship is always safe at the shore - but that is NOT what it is built for.” If we want to fully utilize the Internet, a little caution and paranoia can reduce the risks.






On Friday the 13th, Kaspersky, a Russian anti-malware and research firm, released a report documenting a significant campaign to infiltrate banks worldwide to steal hard cash.  Somewhere between 300M and 1 billion dollars are estimated to have been pilfered.


Attackers entered the banks systems using phishing lures and then compromised systems that had known vulnerabilities.  The actual monetary theft came from observing the banks processes and compromising users that had the right access to the banks financial applications.


This was an extensive and coordinated operation as the cybercriminals moved electronic money through SWIFT (an international interbank transfer program), and cash through reprogrammed ATMs – essentially turning your local ATM into a Las Vegas jackpot. Clearly creating so many fraudulent receiver accounts and spewing cash required an extensive money mule network.


Given that the actual theft involved deep understanding of the target banks audit and reconciliation procedures, and actual understanding of banking software, this was a well-researched and staged attack – the essence of an Advanced Persistent Threat (APT). So if a sophisticated, regulated organization like a bank is vulnerable are there any lessons for the rest of us?


Here are a few takeaways we can all apply in our own organizations.


1. Staff security awareness


Your staff is your front line infantry in the battle against cybercrime.  Even small organizations can put together a meaningful security awareness program with open source tools.


2. Backup and Patch


If you have a good backup program, you can be more aggressive about patching.  Depending on your organization size and how mission critical your systems are, backup – test – patch is a tried and true method for avoiding infections that do not use 0-days.


3. Monitor


Use your logging, log management and Patch management systems to find:

  • Systems that aren’t patched
  • The same user ID logged into a critical systems simultaneously (especially from different IP addresses)
  • Critical Application anomalies – high rate of transactions, more logins than usual, low and slow e.g short bursts of application activity over a long period of time.
  • Suspicious software installations.
  • System file changes
  • Suspicious out bound network traffic via the firewall i.e. FTP, SMTP and other protocols that facilitate file or data transfer.


For more information see:

Kaspersky report of Carbanak APT


Free Security Awareness

If you are a security practitioner and haven’t heard about the 80 million personal records lifted from Anthem’s database yesterday you missed some exciting news, both good and bad. Clearly the loss of so many records is bad news and very troubling. However, the good new was that Anthem identified the breach themselves. Even though they caught the breach at the end of the kill chain (see below), they still did catch the breach before the records were exploited or showed up on a cyber underground sale site.


Targeted breaches such as Anthem are notoriously difficult to identify and contain, in part because the trade craft for such attacks is specifically designed to avoid traditional detection solutions such as anti-virus and intrusion detection. So as the FBI tries to determine who hijacked these records, the rest of us are trying to figure out why. Although motive, like attribution, is difficult to nail down, motive is a useful data point if you are trying to predict whether your organization is at risk.


In the absence of your own security analyst or FBI task force to determine motive or attribution, what can ordinary practitioner do to lower organizational risk?


First – Determine if your organization is a possible target


Don’t think because you are a smaller or less well know that you are not a target.  Cyber thieves not only desire data they can sell, they need compute power to launch their attacks from, and then need identities they can use to trick their ultimate target into allowing a malicious link or payload into their environment.


Who has not recently noticed a strange email from a colleague or friend that upon further inspection is not their legitimate email address? 


Second – Learn the kill chain and use it to validate your security strategy


Do you collect information from available sources across the kill chain into your SIEM?  The earlier in the kill chain you identify a potential attack, the lower the risk, and the simpler the mitigation. For example:


Collecting and reporting on unusual email activity may allow you to catch a recon attempt. An identification of such behavior might lead you to increase logging on high value targets such as privileged accounts, domain controllers, or database servers.


Another useful indicator is spikes in network traffic on sensitive segments, or increases in authorized traffic exiting the organization.


In the worst case, by evaluating all log sources and ensuring you are collecting across the kill chain – you will empower your IT or security team to conduct forensics or a post incident analysis effectively.


Finally – Have an incident response plan


It does not need to be elaborate, but executives, marketing, and IT should all know who is going to be the team coordinator, who is going to be the communicator, and who is going to be the decision maker.


By following these guidelines you are doing your part to leverage the value in your security investment, and reduce organizational risk.


About the kill chain.

The kill chain was originally conceptualized and codified by Lockheed Martin. Today it is used by cyber security professionals in many roles to communicate, plan and strategize how to effectively protect their organization.



Filter Blog

By date: By tag:

SolarWinds uses cookies on its websites to make your online experience easier and better. By using our website, you consent to our use of cookies. For more information on cookies, see our cookie policy.