Never Trust, Always Verify

Zero Trust networking is rooted in the principle of “never trust, always verify”: no user, device or network location is trusted by default, including those already inside the network, so it does not depend on the absence of a traitor on the inside. It is designed to limit lateral threat movement within the system by leveraging micro-segmentation and granular perimeter enforcement, based on user, device, data and location.

Use Zero Trust to grant access based on context for all traffic, across user, device, location and application, plus zoning (segmentation) for internal traffic. To make that context-based decision, traffic needs to pass through a firewall and a server environment (applications, services, etc.) with decryption capabilities, so that policy is enforced on inspected traffic rather than on IP addresses alone. The firewall and the servers enable micro-segmentation of perimeters and act as border control within the organization. While it is necessary to secure the external perimeter, it is even more crucial to verify traffic as it crosses between the different functions within the network. Adding two-factor authentication and other verification methods increases the ability to authenticate users correctly. Leverage a Zero Trust approach to identify business processes, users, data, data flows and associated risks, and set policy rules that can be updated automatically, based on those risks, with every iteration.

Note: in addition to micro-segmentation, which grants trust only upon verification (do you belong here?), it is best to establish an automated cryptographic key exchange between every machine on the network based on a recognized allowlist (whitelist) of host keys: no key exchange, no interaction. (OpenBSD, with its OpenSSH and its PF packet filter, is a good network baseline for this.)
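As an added illustration (my code, not from the original post and not from OpenBSD or OpenSSH), the following Python models the decision logic described above: a default-deny policy evaluated per request on user, device posture, MFA, location, application and target segment, plus an allowlist of SSH host keys matched by OpenSSH-style SHA256 fingerprints, so that a peer presenting a key that is not on the list is refused before any session is established. The host names, users, applications and key bytes are constructed for the example; in practice the allowlist would come from ssh_known_hosts and enforcement would sit in PF and sshd, not in a script like this.

```python
import base64
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, Tuple

# --- SSH host-key allowlisting ("no key exchange, no interaction") -----------

def ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(b)) + b

def ed25519_pubkey_line(raw_key: bytes, host: str) -> str:
    """Build an OpenSSH known_hosts-style line for a 32-byte Ed25519 public key."""
    assert len(raw_key) == 32, "Ed25519 public keys are 32 bytes"
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_key)
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"

def fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(key blob)."""
    blob = base64.b64decode(pubkey_line.split()[2])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

# Constructed allowlist. The key bytes are placeholders, not real deployed keys;
# a real deployment would load these lines from /etc/ssh/ssh_known_hosts.
ALLOWED_HOSTS: Dict[str, str] = {
    "db1.internal": ed25519_pubkey_line(bytes(range(32)), "db1.internal"),
    "app1.internal": ed25519_pubkey_line(bytes(range(32, 64)), "app1.internal"),
}

# --- Context-based access decision ------------------------------------------

@dataclass(frozen=True)
class Request:
    user: str
    device_managed: bool     # device posture, as attested by the endpoint agent
    mfa_verified: bool
    location: str            # "office", "vpn" or "internet"
    app: str
    target_host: str
    presented_hostkey: str   # key line the target presented during SSH key exchange

# Per-application rules (constructed). Anything not listed here is denied.
POLICY = {
    "payroll": {"users": {"alice"}, "locations": {"office", "vpn"},
                "hosts": {"app1.internal"}},
    "inventory": {"users": {"alice", "bob"}, "locations": {"office", "vpn", "internet"},
                  "hosts": {"db1.internal"}},
}

def evaluate(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; the default is deny."""
    rule = POLICY.get(req.app)
    if rule is None:
        return False, "no policy for application"
    if req.user not in rule["users"]:
        return False, "user not authorized for application"
    if not req.device_managed:
        return False, "unmanaged device"
    if not req.mfa_verified:          # being "inside" never substitutes for MFA
        return False, "MFA not verified"
    if req.location not in rule["locations"]:
        return False, "location not permitted"
    if req.target_host not in rule["hosts"]:
        return False, "application not hosted on target (segment violation)"
    expected = ALLOWED_HOSTS.get(req.target_host)
    if expected is None or fingerprint(req.presented_hostkey) != fingerprint(expected):
        return False, "target host key not on allowlist"
    return True, "allow"

if __name__ == "__main__":
    good = Request("alice", True, True, "vpn", "payroll", "app1.internal",
                   ALLOWED_HOSTS["app1.internal"])
    # Same user and context, but the peer presents a key that is not allowlisted.
    spoofed = Request("alice", True, True, "office", "payroll", "app1.internal",
                      ed25519_pubkey_line(bytes(32), "app1.internal"))
    for r in (good, spoofed):
        print(r.user, r.app, r.target_host, "->", evaluate(r))
```

The order of the checks is deliberate: identity and device posture are rejected before any network attribute is consulted, and the host-key comparison is done on the fingerprint of the key the peer actually presented, so a machine that merely sits at the right address still gets no session.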

Remember, security is not for the passive! It is an ugly world out there; you must be proactive with all your security.

What is an act of war in cyberspace?

The Mondelez vs. Zurich case raises the question of what, exactly, cyber war is. Is North Korean hackers breaking into Pentagon computers, or Chinese cybercriminals breaching the computer systems of major US military contractors, an act of war? Is an anonymous hacker’s cyberattack on a nation’s financial system an act of war? Insurance companies could label all of the acts above “acts of war” to avoid paying claims. But is it enough for an insurer to point to a government’s statement as proof positive that an individual or nationwide cyber attack was an act of war? The burden of proof falls on the insurance company: in this case, Zurich needs to prove that NotPetya was indeed an act of cyber war. Easier said than done. It is immensely difficult to trace the origin of an attack on any computer system. Would intelligence agencies have to provide proof in court, likely revealing their sources and methods?

In the case of NotPetya, intelligence agencies in five countries blamed Russia for the attack. However, none provided proof that the Russian government was responsible for it.

The size and scope of cyber attacks in the last couple of years have escalated to astronomical heights. In the case of NotPetya, the total cost of the ransomware cleanup is put at close to $80 billion. Besides Mondelez’s massive bill for the attack, Maersk and FedEx project that their losses are in the neighbourhood of $300 million each. So there should be little surprise that insurance companies are trying to wiggle out of paying by invoking the “act of war” clause.

The world of cyber security is changing much more quickly than policies, regulations and insurance products can keep up with. Zurich’s refusal to pay for losses from the NotPetya ransomware attack, claiming it was an “act of cyber war”, sets a nasty precedent for the insured. In any event, it should be a warning to organizations that, in the face of a major cyber attack, they must have a proactive information security management (ISM) system in place to defend and protect themselves rather than count on their insurance policies to bail them out.

Cyber adds new and significant uncertainty to warfare, justice and insurance, making it difficult to respond adequately. To this end, the RAND report cited below proposes an International Attribution Consortium consisting of a “broad team of international experts would provide an independent investigation of major cyber incidents for attribution. Membership should include representatives from two sectors: (1) technical experts from cybersecurity and information technology companies, as well as academia, and (2) cyberspace policy experts, legal scholars, and international policy experts from a diversity of academic and research organizations. A credible and transparent attribution organization should not include the formal representation of nation-states, to avoid an appearance of bias and to protect transparency.”[i]

All organizations should consider a Zero Trust architecture based on the likes of OpenBSD, OpenSSH, OpenBSD PF and a long list of other well-vetted open source software as the foundation of their ISM. It is an ugly world out there, where security is not for the passive! In this cyber world it is important to remember: you must outrun to outlast!

[i] Davis, John S. II, Benjamin Boudreaux, Jonathan William Welburn, Jair Aguirre, Cordaye Ogletree, Geoffrey McGovern, and Michael S. Chase, Stateless Attribution: Toward International Accountability in Cyberspace. Santa Monica, CA: RAND Corporation, 2017.

Top Network Security Tools

For more than a decade, the Nmap Project has been cataloguing the network security community’s favourite tools. Since 2011 the site has offered ratings, reviews, searching and sorting. It covers open source and commercial tools on any platform. You can also find the tools the project itself maintains (such as the Nmap Security Scanner, the Ncat network connector and the Nping packet manipulator).

I highly recommend perusing the category list. Click any category for details on related applications.

How to Stay Up-to-Date on Vulnerabilities

Security requires proactive, pre-emptive operations, continuously; it means acting to anticipate and counter attacks involving your computers and networks. So keeping track of security alerts and advisories daily gives you the information needed to keep systems up to date and to avoid falling victim to known vulnerabilities.

As part of your computer security prevention efforts, start with your Computer Emergency Response Team (CERT) (click the link to see a list). Your CERT is the first place to look. Many countries have a CERT, also known as a Computer Emergency Readiness Team or a Computer Security Incident Response Team (CSIRT), and most are members of the Forum of Incident Response and Security Teams (FIRST). They carry up-to-date vulnerability information for the most popular products.

Also check whether your country has a national vulnerability database. For example, the US National Institute of Standards and Technology (NIST) maintains the National Vulnerability Database (NVD), one of the best vulnerability databases around. You can also look at this catalog of vulnerability databases.

Another good place to check is the Full Disclosure mailing list, one of the oldest public vulnerability disclosure forums. It provides detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and industry gossip. More importantly, new vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.

And there is SecurityFocus, which has a feed of recent advisories for almost every product. Note that some feeds are not updated frequently.

Additionally, many vendors publish their own advisory feeds (see the partial list below), or you can use a site that provides an easy-to-use web interface to CVE vulnerability data: browse by vendor, product and version, view the CVE entries related to them, and see statistics about vendors, products and product versions.

So, by combining your asset management list with information and advisories from your national CERT (or equivalent) and other sources, like MITRE‘s Common Weakness Enumeration (CWE) and Common Vulnerabilities and Exposures (CVE), you should have a list of alerts and advisories for your products. Check it proactively, daily, so that you and your vendors can closely follow what needs immediate attention or patching.
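To make the “asset list against advisory feed” step concrete, here is an added Python example (mine, not from the original post and not NIST’s code) that reconciles a small asset inventory against a CVE feed shaped like the NVD CVE API 2.0 JSON: it walks each CVE’s CPE match criteria, applies the version-range fields, and returns the affected (host, CVE) pairs ordered by CVSS base score. The inventory, the feed and the CVE identifiers (CVE-0000-000x) are constructed placeholders, not real records; a production version would fetch the real feed and read the inventory from your asset management system.

```python
import json
from typing import Dict, List, Tuple

# Constructed asset inventory, as it might come from your asset management list.
ASSETS: List[Dict[str, str]] = [
    {"host": "web01", "vendor": "openbsd", "product": "openssh", "version": "7.9"},
    {"host": "fw01",  "vendor": "openbsd", "product": "openssh", "version": "8.0"},
    {"host": "app01", "vendor": "oracle",  "product": "mysql",   "version": "5.7.26"},
]

# Constructed advisory feed, shaped like the NVD CVE API 2.0 response. The CVE
# ids, scores and version ranges are placeholders for the example, not real CVEs.
FEED = json.loads("""
{"vulnerabilities": [
  {"cve": {"id": "CVE-0000-0001",
           "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.8}}]},
           "configurations": [{"nodes": [{"cpeMatch": [
             {"vulnerable": true,
              "criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*",
              "versionEndExcluding": "8.0"}]}]}]}},
  {"cve": {"id": "CVE-0000-0002",
           "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
           "configurations": [{"nodes": [{"cpeMatch": [
             {"vulnerable": true,
              "criteria": "cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "5.7.0",
              "versionEndIncluding": "5.7.26"}]}]}]}},
  {"cve": {"id": "CVE-0000-0003",
           "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 5.3}}]},
           "configurations": [{"nodes": [{"cpeMatch": [
             {"vulnerable": true,
              "criteria": "cpe:2.3:a:openbsd:openssh:8.0:*:*:*:*:*:*:*"}]}]}]}}
]}
""")

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '5.7.26' into (5, 7, 26) so versions compare numerically, not as strings."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def cpe_matches(match: Dict, asset: Dict[str, str]) -> bool:
    """True if the asset's vendor/product/version fall inside one cpeMatch entry."""
    if not match.get("vulnerable", False):
        return False
    fields = match["criteria"].split(":")
    # cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:...
    vendor, product, version = fields[3], fields[4], fields[5]
    if vendor != asset["vendor"] or product != asset["product"]:
        return False
    v = parse_version(asset["version"])
    if version != "*":                      # exact version in the CPE itself
        return v == parse_version(version)
    if "versionStartIncluding" in match and v < parse_version(match["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in match and v <= parse_version(match["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in match and v > parse_version(match["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in match and v >= parse_version(match["versionEndExcluding"]):
        return False
    return True

def base_score(cve: Dict) -> float:
    """Pick the best available CVSS base score (v3.1, then v3.0, then v2)."""
    metrics = cve.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        if metrics.get(key):
            return float(metrics[key][0]["cvssData"]["baseScore"])
    return 0.0

def match_feed(feed: Dict, assets: List[Dict[str, str]]) -> List[Dict]:
    """Return one finding per (asset, CVE) pair, highest CVSS first."""
    findings = {}
    for item in feed["vulnerabilities"]:
        cve = item["cve"]
        for cfg in cve.get("configurations", []):
            for node in cfg.get("nodes", []):
                for m in node.get("cpeMatch", []):
                    for asset in assets:
                        if cpe_matches(m, asset):
                            # keyed by (host, cve) so several matching entries count once
                            findings[(asset["host"], cve["id"])] = {
                                "host": asset["host"], "cve": cve["id"],
                                "cvss": base_score(cve),
                                "product": f'{asset["vendor"]}/{asset["product"]} {asset["version"]}',
                            }
    return sorted(findings.values(), key=lambda f: (-f["cvss"], f["host"], f["cve"]))

if __name__ == "__main__":
    for f in match_feed(FEED, ASSETS):
        print(f'{f["cvss"]:4.1f}  {f["host"]:6}  {f["cve"]:14}  {f["product"]}')
```

The version-range logic is where such scripts usually go wrong: a string comparison would rank “7.9” above “8.0” and silently drop the affected host, which is why versions are parsed into integer tuples before the inclusive/exclusive bounds are applied.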

For example, here is a very short list of vendors with a vulnerability advisories page. Remember: be proactive with your security.

Microsoft’s Security Advisories and Bulletins
Cisco Security Advisories and Alerts
ASUS Product Security Advisory
Fortinet Product Security Incident Response Team (PSIRT) Advisories
SAP Security Patch Day
Netgear Product Security
Oracle Critical Patch Updates, Security Alerts and Bulletins
Intel Official Security Advisory
WordPress Security Release
VMware Security Advisories
Mozilla Foundation Security Advisories

Leo Laporte and Steve Gibson: Security Now

Security Now! is a weekly podcast hosted by Steve Gibson and Leo Laporte. It was the second show to premiere on the TWiT Network, launching in summer 2005. The first episode, “As the Worm Turns,” was released on August 19, 2005.

The show consists of a discussion between Gibson and Laporte on issues of computer security and, conversely, insecurity. Covered topics have included security vulnerabilities, firewalls, password security, spyware, rootkits, Wi-Fi, virtual private networks and virtual machines. The show is well worth your time.

Steve Gibson, credited with coining the term spyware and with creating the first anti-spyware program, and the creator of SpinRite and ShieldsUP!, discusses the hot topics in security today with Leo Laporte.

It records live every Tuesday at 4:30 pm Eastern / 1:30 pm Pacific / 21:30 UTC, but downloads are available 24/7, audio only here: and video here:

Organizational Controls Perspective (Part 3/3)

Part 1/3 covered the Basic CIS Controls, and Part 2/3 overviewed the Foundational CIS Controls found in the Center for Internet Security Critical Security Controls for Effective Cyber Defense, an implementation guide of best-practice guidelines for computer security.

Implementation Guide for ICS using the CIS Controls cover photo

The Organizational CIS Controls are less focused on the technical aspects of controls and more on people and processes. They are pervasive and need consideration across the entire enterprise and across all of the previously presented Basic and Foundational CIS Controls. Their measurements and metrics of success are driven more by observations about process steps and outcomes, and less by technical data gathering.

These final four CIS Controls demand much attention to achieve certifiable cybersecurity compliance, but it is important to remember that good cybersecurity goes beyond compliance and requires one to be proactive with every security aspect of one’s data, information and systems.

CIS Control 17: Implement a Security Awareness and Training Program

For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills and abilities needed to support the defence of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.

CIS Control 18: Application Software Security

Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.

CIS Control 19: Incident Response and Management

Protect the organization’s information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker’s presence, and restoring the integrity of the network and systems.

CIS Control 20: Penetration Tests and Red Team Exercises

Test the overall strength of an organization’s defence (the technology, the processes, and the people) by simulating the objectives and actions of an attacker.

I hope these three parts have piqued your interest in forming a defence-in-depth cybersecurity programme based on best practices that mitigate the most common attacks against systems and networks. Always remember that cyberspace and our world are full of danger, requiring all of us to be proactive with security.

Download CIS Control V7 here:

Foundational First Step Toward Cybersecurity Compliance (Part 2/3)

Part 1/3 covered the Basic CIS Controls found in the Center for Internet Security Critical Security Controls for Effective Cyber Defense, an implementation guide of best-practice guidelines for computer security.

Implementation Guide for ICS using the CIS Controls cover photo

No cyber defence approach can effectively address cyber risk without a means to address fundamental vulnerabilities. Organizations often use multiple regulatory frameworks to guide their cybersecurity strategy. No matter which frameworks an organization chooses to work toward, foundational cybersecurity is an excellent first step toward compliance. However, it is important to remember that good cybersecurity goes beyond compliance and requires one to be proactive with security.

These CIS controls can help protect systems from some of the most pervasive attacks by cybercriminals.

CIS Control 7: Email and Web Browser Protections

Minimize the attack surface and the opportunities for attackers to manipulate human behaviour through their interaction with web browsers and email systems.

CIS Control 8: Malware Defenses

Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defence, data gathering, and corrective action.

CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services

Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices to minimize windows of vulnerability available to attackers.

CIS Control 10: Data Recovery Capabilities

The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.

CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches

Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using rigorous configuration management and change control process to prevent attackers from exploiting vulnerable services and settings.

CIS Control 12: Boundary Defense

Detect/prevent/correct the flow of information transferring across networks of different trust levels with a focus on security-damaging data.

CIS Control 13: Data Protection

The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data and ensure the privacy and integrity of sensitive information.

CIS Control 14: Controlled Access Based on the Need to Know

The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.

CIS Control 15: Wireless Access Control

The processes and tools used to track/control/prevent/correct the secure use of wireless local area networks (WLANs), access points, and wireless client systems.

CIS Control 16: Account Monitoring and Control

Actively manage the life cycle of system and application accounts – their creation, use, dormancy, deletion – to minimize opportunities for attackers to leverage them.

In Part 3 of 3: 4 Organizational Critical Security Controls

Download CIS Control V7 here:

Building a Foundation for Cyber Integrity (Part 1/3)

The Center for Internet Security Critical Security Controls for Effective Cyber Defense is an implementation guide of best practice guidelines for computer security.

Implementation Guide for ICS using the CIS Controls cover photo

The guidelines consist of 20 key actions, called critical security controls (CSC), that organizations should take to block or mitigate known attacks. The controls are designed so that primarily automated means can be used to implement, enforce and monitor them. The security controls give practical, actionable recommendations for cybersecurity, written in language that’s easily understood.

Goals of the guidelines include to:
• Leverage cyber offence to inform cyber defence, focusing on high-payoff areas,
• Ensure that security investments are focused on countering the top threats,
• Maximize the use of automation to enforce security controls, thereby negating human error, and
• Use a consensus process to collect the best ideas.

Building cyber integrity is a significant effort but need not be costly beyond current outlays for a team that believes in proactive security. The Center for Internet Security (CIS) Critical Security Controls provide a valuable, practical framework for establishing cyber integrity, presented in three categories: Basic, Foundational and Organizational.

These six Basic CIS Controls are the first step toward cybersecurity compliance, but it is important to remember that good cybersecurity goes beyond compliance and requires one to be proactive with security. The six Basic Critical Security Controls (CSC) are:

CIS Control 1: Inventory and Control of Hardware Assets

Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.

CIS Control 2: Inventory and Control of Software Assets

Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

CIS Control 3: Continuous Vulnerability Management

Continuously acquire, assess, and take action on new information to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.

CIS Control 4: Controlled Use of Administrative Privileges

The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.

CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using rigorous configuration management and change control process to prevent attackers from exploiting vulnerable services and settings.

CIS Control 6: Maintenance, Monitoring and Analysis of Audit Logs

Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.
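As an added example (my code, not part of the CIS document or of the original post), the following Python implements the “find what is unauthorized” half of Control 1 above and of Control 9 (Limitation and Control of Network Ports, Protocols, and Services) from Part 2: it parses Nmap grepable (-oG) output, compares each discovered host and open TCP port against an authorized baseline taken from the asset inventory, and reports unknown hosts, unexpected open ports and authorized hosts that were not seen. The scan output and the baseline are constructed for the example; the field layout follows Nmap’s documented grepable format.

```python
import re
from typing import Dict, List, Set, Tuple

# Authorized baseline from the asset inventory (constructed for the example):
# IP -> name, owner and the TCP ports approved to be open on that host.
BASELINE: Dict[str, Dict] = {
    "10.0.0.10": {"name": "web01", "owner": "web team", "ports": {22, 443}},
    "10.0.0.11": {"name": "db01",  "owner": "dba team", "ports": {22}},
    "10.0.0.12": {"name": "log01", "owner": "secops",   "ports": {22, 514}},
}

# Constructed Nmap grepable output (nmap -oG -). Fields are tab separated,
# and each up host gets a "Status" line and a "Ports" line.
SCAN = (
    "# Nmap 7.80 scan initiated as: nmap -oG - 10.0.0.0/24\n"
    "Host: 10.0.0.10 (web01.internal)\tStatus: Up\n"
    "Host: 10.0.0.10 (web01.internal)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)\n"
    "Host: 10.0.0.11 (db01.internal)\tStatus: Up\n"
    "Host: 10.0.0.11 (db01.internal)\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///\tIgnored State: closed (998)\n"
    "Host: 10.0.0.77 ()\tStatus: Up\n"
    "Host: 10.0.0.77 ()\tPorts: 22/open/tcp//ssh///, 8080/open/tcp//http-proxy///\tIgnored State: closed (998)\n"
    "# Nmap done -- 256 IP addresses (3 hosts up) scanned\n"
)

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")

def parse_grepable(text: str) -> Dict[str, Set[int]]:
    """Map each host seen in -oG output to its set of open TCP ports."""
    hosts: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                      # comment line, not a host record
        ip = m.group(1)
        hosts.setdefault(ip, set())       # "Status: Up" lines register the host
        for field in line.split("\t")[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(","):
                # entry layout: port/state/proto/owner/service/rpcinfo/version/
                port, state, proto = entry.strip().split("/")[:3]
                if state == "open" and proto == "tcp":
                    hosts[ip].add(int(port))
    return hosts

def reconcile(baseline: Dict[str, Dict],
              observed: Dict[str, Set[int]]) -> List[Tuple[str, str, str]]:
    """Return (control, ip, detail) findings for anything outside the baseline."""
    findings: List[Tuple[str, str, str]] = []
    for ip, ports in sorted(observed.items()):
        if ip not in baseline:            # Control 1: device nobody authorized
            findings.append(("CIS-1 unauthorized host", ip, f"open ports {sorted(ports)}"))
            continue
        for port in sorted(ports - baseline[ip]["ports"]):   # Control 9: drift
            findings.append(("CIS-9 unexpected open port", ip,
                             f"{baseline[ip]['name']} tcp/{port}"))
    for ip in sorted(set(baseline) - set(observed)):         # inventory is stale or host is down
        findings.append(("CIS-1 authorized host not seen", ip, baseline[ip]["name"]))
    return findings

if __name__ == "__main__":
    for control, ip, detail in reconcile(BASELINE, parse_grepable(SCAN)):
        print(f"{control:32} {ip:12} {detail}")
```

Run on a schedule against the whole address space, the “not seen” findings are as useful as the “unauthorized” ones: an authorized host that stops answering is either down or has moved, and either way the inventory is no longer telling the truth.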

In Part 2 of 3: 10 Foundational Critical Security Controls

Download CIS Control V7 here:

China and Cyber: Attitudes, Strategies, and Organization

This thought-provoking NATO CCD COE report, “China and Cyber: Attitudes, Strategies, and Organization” by Mikk Raud, gives an overview of China’s approach to cyberspace and of how it uses cyberspace to its benefit and to fulfil the mandates, tasks and competencies of its political and strategic doctrine.

China is developing greater depth and sophistication in cyberspace; its cyber and hybrid warfare techniques and strategies have led to some operations that clearly benefited it. To date, China’s efforts in cyberspace are primarily directed towards national security, assuring regime survival, defending national sovereignty and territorial integrity, and establishing China as both a regional and an international power.

Principally, China engages in cyber operations to extract information from diplomatic, economic and defence industrial base sectors to support its defence, economic, and technological programs. In this context, one can view China’s cyber operations as being more about trying to strengthen China’s core and less about diminishing others’ power.

Consequently, in the past few years, China’s strategy has been to target industries across the world that will shorten the path to its set goals in space, technology, infrastructure, energy (especially clean energy), nuclear power, biotechnology and healthcare. China also reinforces its cyber activities with forms of hybrid warfare that include Psychological Warfare,[i] Legal Warfare (Lawfare)[ii] and Public Opinion/Media Warfare.[iii]

Currently, China’s cyber operations are more about attaining a more significant status in the world and one day ascending to the Number One Economy throne, effectively dislodging the US, all without engaging in military conflicts that require bullets, tanks, missiles, warships and jet fighters.

Raud, Mikk. China and Cyber: Attitudes, Strategies, Organization. Tallinn: NATO CCD COE, 2016.

[i] To undermine an enemy’s ability to conduct combat operations through operations aimed at deterring, shocking, and demoralizing the enemy military personnel and supporting civilian populations.

[ii] Uses international and domestic law to claim the legal high ground or assert Chinese interests. It can be employed to hamstring an adversary’s operational freedom and shape the operational space. Legal warfare is also intended to build international support and manage possible political repercussions of China’s military actions.

[iii] Influences domestic and international public opinion to build support for China’s military actions and dissuade an adversary from pursuing actions contrary to China’s interests.

FireEye 2019 cybersecurity predictions

A good read. Top discussion points from the FireEye 2019 cybersecurity predictions report include:

Threats Targeting the Aviation Industry

While it’s important to stay attuned to cyber-enabled physical threats to aircraft and supporting systems, a far more common threat that security teams in the aviation industry must be prepared to defend against is cyber espionage.


The Restructuring of Chinese Cyber Espionage

Notable restructuring in the Chinese cyber espionage apparatus has taken place since at least 2016, resulting in a resumption in the pace of activity. This reorganization should inform the growth and geographic expansion of Chinese cyber espionage activity through 2020 and beyond. Cyber espionage activity related to China’s Belt and Road Initiative will likely include the emergence of new groups and nation-state actors. Given the range of geopolitical interests affected by this endeavour, it may be a catalyst for emerging nation-state cyber actors to use their capabilities.

Attackers Eyeing the Cloud

Adversaries go where the money is, and 2019 promises to offer an increasing number of opportunities for attackers in the cloud. With the cloud, there’s a new, and often expanding attack surface that can be left unprotected or without the proper safeguards in place to protect essential data.

Supply Chain as a Weakness

In 2019, an increase in both state-sponsored and financially motivated supply chain attacks is expected. As organizations have improved their posture and built up their perimeter defences, attackers will shift their focus to compromising third-party vendors, customers or partners with the goal of gaining access to a target’s network.

Cyber Capabilities of Nation States

In 2019 and beyond, FireEye expects to see more nations developing offensive cyber capabilities. As seen with the rise of Iran, North Korea, and Vietnam over the past few years, many other emerging cyber countries are expected to come to the forefront in 2019. Iranian attackers, in particular, will continue to improve capabilities, even as new, less capable groups emerge supporting Iranian government goals.

The Rise in Breaches Due to Lack of Attribution and Accountability

Attribution and accountability are two of the most significant sticking points when it comes to winning the war in cyberspace. Without risks and repercussions for the malicious activity carried out on the internet, attackers will keep attacking, and organizations will keep getting breached.

The Widening Skills Gap and Lack of Trained Experts to Fill Security Roles

According to various industry estimates, there are at least two million cybersecurity jobs that will go unfilled by the year 2020. However, the critical meltdown point has not quite been hit yet, when it comes to staffing. The good news is that the thinking around this challenge is changing.

A copy of the report is available here: