M&A Network Security Due Diligence

Everyone knows that merging two companies is all about due diligence! When companies do mergers and acquisitions, most of the due diligence is still around financial and legal risks and, in many cases, intellectual property. What I don’t see is companies focusing on cyber and information due diligence by digging deeper into whether the company has a breach or a compromise.

In 2017 Avast had a nasty surprise when it acquired Piriform. Hackers had compromised its CCleaner application, which ultimately led to 2.27 million downloads of the corrupt CCleaner version, putting millions of users at risk. In 2018, Marriott merged with Starwood, where hackers had access to over 500 million customers’ data because of a security breach on Starwood’s network.

These cases will undoubtedly change the merger and acquisition processes from now on, or at least they should. If they had included a focus on cyber and information security during their due diligence, I’m sure they would have been able to find at least some indication that things were amiss.

When merging any two networks, even internal ones, there is a need to catalog and inventory; Open Audit is a good start. Also, the ISO/IEC 19770 Information Technology – IT Asset Management standard series will considerably improve accountability in a trust-but-verify approach.

As part of your proactive approach to security, download the Network Security Toolkit (NST) for best-of-breed open source network security applications to monitor and help secure all the networks before their merger, and make the NST part and parcel of your network security process and procedure. Another good website to visit is INSECURE.ORG, a repository of the top 125 network security tools for vulnerability scanning and penetration testing, among many other useful tools and applications to help keep your network secure.

Remember, it is an ugly world out there; be proactive with your security, always!

Reference: The CIO’s M&A Blog

Compliance is good for business!

When the EU’s General Data Protection Regulation Experiment (GDPR) went into effect in May 2018, many companies were caught flat-footed. Eight months later, it looks like many organizations have caught up. According to Cisco, around 60% of organizations surveyed have met most or all of the GDPR requirements. A further 30% of organizations are expected to meet the regulations in the next year. The last 10% estimated that GDPR compliance was more than a year away.

Half a year into the GDPR experiment, it turns out that following GDPR has a positive effect on a company’s data security and resilience in the face of cybersecurity threats.

The GDPR focuses on privacy regulations for companies located in and doing business with the European Union. It imposes strict rules to protect personal information, with hefty fines attached to companies that break the rules. Additionally, it ensures that data breaches are made known to authorities within 72 hours.

A recent study of over three thousand security professionals from Cisco’s Data Privacy Benchmark Survey found that being GDPR-compliant has some positive downstream effects beyond avoiding a costly fine from the EU Commission, like:

  • Enhance Your Cybersecurity (Better data security with better alignment with evolving technologies)
  • Improve Data Management (greater decision making)
  • Increase Marketing Return On Investment (reduce maintenance costs)
  • Boost Audience Loyalty And Trust (Improved consumer confidence)

For clients (consumers) the benefits are also excellent.

  • Right to marketing consent
  • Right to be forgotten (erased)
  • Freedom to change data
  • Right to portability, and of course
  • Right to access

Wow! It turns out the EU regulators knew what’s what!

Reminder: “Privacy is personal, meaning something we create for ourselves (which in the natural world we do with clothing and shelter, both of which lack equivalents in the digital world). Privacy is not something supplied by the grace of privacy policies and terms of service that differ with every company, and over which none of us have control.” Doc Searls, editor-in-chief, Linux Journal.

Cyber and Information Security Standards Sources

Here is a list of the significant cyber and information security standards organizations. It is not extensive, as many governments now offer cyber and information security portals to raise awareness of cyber threats, crimes, and dangers. So have a look at what your government is providing.

These sites should be in front of your digital Rolodex. These organizations publish materials that will help protect your cyber and information-environments. Additionally, they are a great start in finding the right content in your proactive security knowledge quest.

The International Organization for Standardization (ISO) is a consortium of national standards institutes from 157 countries, coordinated through a secretariat in Geneva, Switzerland. ISO is the world’s largest developer of standards. Here is a concise list:

  • ISO 15443: Information Technology – Security Techniques – A Framework for IT Security Assurance,
  • ISO-20000: Information Technology – Service Management,
  • ISO/IEC 22301: Societal Security – Business Continuity Management Systems – Requirements,
  • ISO/IEC 27001: Information Technology – Security techniques – Information Security Management Systems – Requirements,
  • ISO/IEC 27002: Information Technology – Security Techniques – Code of Practice for Information Security Management, 
  • ISO/IEC 27031: Guidelines for Information and Communication Technology Readiness for Business Continuity,
  • ISO/IEC 27032: Information Technology — Security Techniques — Guidelines for Cybersecurity,
  • ISO/IEC 27035: Information Security Incident Management.

The entire ISO/IEC 27000 series is of great interest to those who believe in being proactive with their cyber and information security endeavours.

ISO website: www.iso.org

The US National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the U.S. Department of Commerce. The NIST Computer Security Division develops standards, metrics, tests and validation programs, and publishes rules and guidelines to increase secure IT planning, implementation, management and operation. NIST is also the custodian of the U.S. Federal Information Processing Standard publications (FIPS). NIST’s best work is its Special Publications (SP) 800 and 1800 series. The SP 1800 series documents present practical, usable cybersecurity solutions to the cybersecurity community. These solutions demonstrate how to apply standards-based approaches and best practices. An SP 1800 document can map capabilities to the Cybersecurity Framework and outline the steps needed for another entity or organization to recreate an example solution. The SP 800 series presents information of interest to the computer security community. SP 800 comprises guidelines, recommendations, technical specifications, and annual reports of NIST’s cybersecurity activities.

NIST website: nist.gov
FIPS webpage: https://www.nist.gov/itl/itl-publications/federal-information-processing-standards-fips
Special Publication (SP) 800 series webpage: https://www.nist.gov/itl/nist-special-publication-800-series-general-information
Special Publication (SP) 1800 series webpage: https://www.nist.gov/itl/nist-special-publication-1800-series-general-information

The Internet Society (ISOC) is a professional membership society with more than 100 organizations and over 20,000 individual members in over 180 countries. It provides leadership in addressing issues that confront the future of the internet, and it is the organizational home for the groups responsible for Internet infrastructure standards, including the Internet Engineering Task Force (IETF) and the Internet Architecture Board (IAB). The ISOC hosts the Requests for Comments (RFCs), which include the Official Internet Protocol Standards and the RFC 2196 Site Security Handbook.

Internet Society website: http://www.internetsociety.org/
IETF website: https://www.ietf.org/
Site Security Handbook, RFC 2196
Users’ Security Handbook, RFC 2504

The Information Security Forum (ISF) is a global nonprofit organization of several hundred leading organizations in financial services, manufacturing, telecommunications, consumer goods, government, and other areas. It researches information security practices and offers advice in its biannual Standard of Good Practice and more detailed advisories for members.

ISF website: http://www.securityforum.org/
The Standard of Good Practice for Information Security 2018 webpage: https://www.securityforum.org/tool/the-isf-standard-good-practice-information-security-2018/

The German Federal Office for Information Security (in German, Bundesamt für Sicherheit in der Informationstechnik, BSI) publishes BSI-Standards 100-1 to 100-4, a set of recommendations including “methods, processes, procedures, approaches and measures relating to information security.” The BSI-Standard 100-2 IT-Grundschutz Methodology describes how information security management can be implemented and operated. The standard includes a precise guide, the IT Baseline Protection Catalogs (also known as IT-Grundschutz Catalogs). The Catalogs are a collection of documents useful for detecting and combating security-relevant weak points in the IT environment (IT cluster). As of September 2013, the collection encompasses over 4,400 pages, including the introduction and catalogues. The IT-Grundschutz approach aligns with the ISO/IEC 2700x family.

BSI website: https://www.bsi.bund.de/EN/TheBSI/thebsi_node.html
Technical Publications download page: https://www.bsi.bund.de/EN/Service/Downloads/downloads_node.html

The European Telecommunications Standards Institute (ETSI) is an independent, not-for-profit standardization organization in the telecommunications industry (equipment makers and network operators) in Europe, headquartered in Sophia-Antipolis, France, with worldwide projection. ETSI produces globally applicable standards for Information and Communications Technologies (ICT), including fixed, mobile, radio, converged, broadcast and internet technologies. ETSI standardized a catalogue of information security indicators (ISI), headed by the Industrial Specification Group (ISG) ISI.

ETSI website: https://www.etsi.org/
ETSI ISI webpage: https://www.etsi.org/technologies-clusters/technologies/information-security-indicators

Here is a list of some government websites related to cyber and information security:

Also, you will find that there are dozens of organizations offering cyber and information security qualification frameworks; have a look here: https://en.wikipedia.org/wiki/List_of_computer_security_certifications.

Never Trust, Always Verify

Zero Trust networking works well as long as you don’t have a traitor inside your network. It is rooted in the principle of “never trust, always verify.” It is designed to address lateral threat movement within the system by leveraging micro-segmentation and granular perimeter enforcement, based on user, data and location.

Use Zero Trust to gain access based on the context for all traffic, across user, device, location and application, plus zoning (segmentation) capabilities for access into internal traffic. To gain traffic access based on context, it needs to go through a firewall and server environment (applications, services, etc.) with decryption capabilities. The firewall and all servers enable micro-segmentation of perimeters and act as border control within the organization. While it’s necessary to secure the external perimeter border, it’s even more crucial to gain access to verify traffic as it crosses between the different functions within the network. Adding two-factor authentication and other verification methods will increase the ability to authenticate users correctly. Leverage a Zero Trust approach to identify business processes, users, data, data flows, and associated risks, and set policy rules that can be updated automatically, based on associated risks, with every iteration.

Note: in addition to the micro-segmentation that allows trusting upon verification (do you belong here?), it is best to establish an automated crypto key exchange between every machine on the network based on a recognized (whitelisting) list: no key exchange, no interaction. (Best to use OpenBSD, with its OpenSSH and OpenBSD PF, as your network baseline.)
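The default-deny decision described above can be sketched as follows. This is an added example, not code from the original post or from any product; the users, devices, segment names and rules are constructed for illustration, and `key_exchanged` stands in for whatever mechanism confirms the peer completed a key exchange from the recognized list.

```python
from __future__ import annotations
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Request:
    user: str
    device: str
    location: str
    src_segment: str     # micro-segment the traffic originates in
    dst_segment: str     # micro-segment it wants to reach
    application: str
    mfa_passed: bool     # second factor verified for this session
    key_exchanged: bool  # peer completed key exchange from the recognized list


@dataclass(frozen=True)
class Rule:
    users: frozenset
    devices: frozenset
    locations: frozenset
    src_segment: str
    dst_segment: str
    application: str
    require_mfa: bool = True


# Constructed policy: each rule opens exactly one flow between two segments.
RULES = [
    Rule(frozenset({"alice"}), frozenset({"laptop-fin-07"}),
         frozenset({"office", "vpn"}), "finance-clients", "finance-db", "postgres"),
    Rule(frozenset({"bob"}), frozenset({"laptop-hr-02"}),
         frozenset({"office"}), "hr-clients", "hr-app", "https"),
]

# Constructed baseline request that the first rule permits.
BASELINE = Request("alice", "laptop-fin-07", "office",
                   "finance-clients", "finance-db", "postgres",
                   mfa_passed=True, key_exchanged=True)


def evaluate(req: Request, rules=RULES) -> tuple[bool, str]:
    """Never trust, always verify: allow only when one rule matches in full."""
    if not req.key_exchanged:
        return False, "no key exchange, no interaction"
    reason = "default deny: no rule for this flow"
    for rule in rules:
        flow = (rule.src_segment, rule.dst_segment, rule.application)
        if flow != (req.src_segment, req.dst_segment, req.application):
            continue
        if req.user not in rule.users:
            reason = "user not authorised for this flow"
        elif req.device not in rule.devices:
            reason = "device not recognised for this flow"
        elif req.location not in rule.locations:
            reason = "location not permitted for this flow"
        elif rule.require_mfa and not req.mfa_passed:
            reason = "second factor required"
        else:
            return True, "allowed"
    return False, reason


def decide(**overrides) -> tuple[bool, str]:
    """Evaluate the baseline request with selected fields changed."""
    return evaluate(replace(BASELINE, **overrides))
```

A valid user on a valid device is still refused when the flow crosses into a segment no rule opens, which is the lateral-movement case the paragraph describes.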

Remember, security is not for the passive! It is an ugly world out there; you must be proactive with all your security.

What is an act of war in cyberspace?

The Mondelez vs. Zurich case raises the question: what exactly is cyber war? Are North Korean hackers breaking into Pentagon computers or Chinese cybercriminals breaching the computer systems of major US military contractors an act of war? Is an anonymous hackers’ cyberattack on a nation’s financial system an act of war? Insurance companies could label all the acts above an “act of war” to avoid paying claims. Is it enough for insurance companies to point to a government’s statements as proof positive that an individual or nationwide cyber attack was an act of war? The burden of proof falls on the insurance company. In this case, Zurich needs to prove that NotPetya was, indeed, an act of cyberwar. Easier said than done. It is immensely difficult to track the origin of any hacker attack on any computer system. Would intelligence agencies have to provide proof in courts, thus likely revealing trade secrets?

In the case of NotPetya, intelligence agencies in five countries blamed Russia for the attacks. However, none provided proof that the Russian government was responsible for the attack.

The size and scope of cyber attacks have escalated to astronomical heights in the last couple of years. In the case of NotPetya, the total cost related to the ransomware cleanup is close to $80 billion. Besides Mondelez’s massive bill for the cyber attack, Maersk and FedEx project that their losses are in the neighbourhood of $300 million each. So there should be little surprise that insurance companies are trying to wiggle out of paying by invoking the “act of war” clause.

The world of cyber security is changing much more quickly than policies, regulations and insurer products can keep up with. Zurich’s refusal to pay for losses from the NotPetya ransomware attack, claiming it was an “act of cyber war”, sets a nasty precedent for the insured. In any event, it should be a warning to organizations that, in the face of a major cyber attack, they must have a proactive information security management (ISM) system in place to defend and protect themselves rather than count on their insurance policies to bail them out.

Cyber adds new and significant uncertainty to warfare, justice, and insurance, making it difficult to respond adequately. To this effect, an International Attribution Consortium consisting of a “broad team of international experts would provide an independent investigation of major cyber incidents for attribution. Membership should include representatives from two sectors: (1) technical experts from cybersecurity and information technology companies, as well as academia, and (2) cyberspace policy experts, legal scholars, and international policy experts from a diversity of academic and research organizations. A credible and transparent attribution organization should not include the formal representation of nation-states, to avoid an appearance of bias and to protect transparency.”[i]

All organizations should consider a Zero Trust architecture based on the likes of OpenBSD, OpenSSH, OpenBSD PF, and a long list of other smart, vetted open source software as the foundation for their ISM. It is an ugly world out there where security is not for the passive! In this cyber world it is important to remember: you must outrun to outlast!

[i] Davis, John S. II, Benjamin Boudreaux, Jonathan William Welburn, Jair Aguirre, Cordaye Ogletree, Geoffrey McGovern, and Michael S. Chase, Stateless Attribution: Toward International Accountability in Cyberspace. Santa Monica, CA: RAND Corporation, 2017. https://www.rand.org/pubs/research_reports/RR2081.html

Top Network Security Tools

For more than a decade, the Nmap Project has been cataloguing the network security community’s favourite tools. Since 2011 the site has offered ratings, reviews, searching, and sorting. The SecTools.org website provides information on open source and commercial tools on any platform. You can also find the tools the project maintains on its Nmap.org website (such as the Nmap Security Scanner, Ncat network connector, and Nping packet manipulator).

I highly recommend perusing the category list. Click any category for details on related applications.

How to Stay Up-to-Date on Vulnerabilities

Security requires continuous, proactive, pre-emptive operations; it means acting to anticipate and oppose attacks involving your computers and networks. So keeping track of security alerts and advisories daily gives you the information necessary for maintaining up-to-date systems and avoiding falling victim to vulnerabilities.

As part of your computer security prevention efforts, start with your Computer Emergency Response Team (CERT) (click on the link to see a list). Your CERT is the first place to look. Many countries have a CERT, also known as a Computer Emergency Readiness Team or Computer Security Incident Response Team (CSIRT), and most are members of the Forum of Incident Response and Security Teams (FIRST). They have up-to-date vulnerability information for the most popular products.

Also, check if your country has a National Vulnerability Database (NVD). For example, the US National Institute of Standards and Technology (NIST) provides one of the best vulnerability databases around. You can also look at this catalog of vulnerability databases.

Another good place to check is Full Disclosure; it is one of the oldest available vulnerability databases. It provides a detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and industry gossip. More importantly, new vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.

And there is Security Focus; it has a feed with recent advisories for almost every product. Note that some feeds are not frequently updated.

Additionally, many vendors have their own advisory feeds (see partial list below), or you can use www.cvedetails.com, which provides an easy-to-use web interface to CVE vulnerability data. You can browse for vendors, products and versions and view the CVE entries (vulnerabilities) related to them. You can also view statistics about vendors, products and versions of products.

So, by combining your asset management list with information and advisories from your national CERT (or equivalent) and other sources, like MITRE’s Common Weakness Enumeration (CWE) and Common Vulnerabilities and Exposures (CVE), you should have a list of alerts and advisories for your products. It should be checked proactively every day so that you and your vendors are able to follow closely what needs immediate attention or patches.

For example, here is a very short list of vendors with vulnerability advisory pages. Remember, be proactive with your security:

Microsoft’s Security Advisories and Bulletins
Cisco Security Advisories and Alerts
ASUS Product Security Advisory
Fortinet Product Security Incident Response Team (PSIRT) Advisories
SAP Security Patch Day
Netgear Product Security
Oracle Critical Patch Updates, Security Alerts and Bulletins
Intel Official Security Advisory
WordPress Security Release
VMware Security Advisories
Mozilla Foundation Security Advisories 
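One way to combine an asset management list with advisory data, as described above, is sketched here. This is an added example, not code from the original post; the hosts, vendors, versions and advisory identifiers are constructed placeholders, and the `introduced`/`fixed` range fields are an assumed record layout rather than any real feed format.

```python
import re

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed asset inventory (what an asset management export might hold).
ASSETS = [
    {"host": "fw-edge-01", "vendor": "ExampleNet", "product": "EdgeOS", "version": "7.2.9"},
    {"host": "web-01", "vendor": "examplecms", "product": "cms", "version": "5.0.3"},
    {"host": "web-02", "vendor": "ExampleCMS", "product": "CMS", "version": "5.1.0"},
    {"host": "hv-01", "vendor": "examplevirt", "product": "hypervisor", "version": "6.7"},
    {"host": "printer-01", "vendor": "exampleprint", "product": "firmware", "version": "1.0"},
]

# Constructed advisories: affected when introduced <= version < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-001", "vendor": "examplecms", "product": "cms",
     "introduced": "5.0.0", "fixed": "5.0.4", "severity": "critical"},
    {"id": "EXAMPLE-ADV-002", "vendor": "examplenet", "product": "edgeos",
     "introduced": "7.0", "fixed": "7.2.10", "severity": "high"},
    {"id": "EXAMPLE-ADV-003", "vendor": "examplevirt", "product": "hypervisor",
     "introduced": "6.0", "fixed": "6.5.2", "severity": "medium"},
]


def parse_version(text, width=4):
    """'7.2.10' -> (7, 2, 10, 0): numeric and zero-padded, so '6.7' == '6.7.0'
    and 7.2.9 sorts before 7.2.10 (a plain string comparison gets that wrong)."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:width]
    return tuple(parts + [0] * (width - len(parts)))


def product_key(record):
    """Normalise vendor/product so inventory and advisory spellings match."""
    return (record["vendor"].strip().lower(), record["product"].strip().lower())


def is_affected(asset, advisory):
    if product_key(asset) != product_key(advisory):
        return False
    version = parse_version(asset["version"])
    return parse_version(advisory["introduced"]) <= version < parse_version(advisory["fixed"])


def open_findings(assets, advisories):
    """(host, advisory id, severity) for every affected asset, worst first."""
    hits = [(a["host"], adv["id"], adv["severity"])
            for a in assets for adv in advisories if is_affected(a, adv)]
    return sorted(hits, key=lambda hit: (SEVERITY_ORDER[hit[2]], hit[0]))


def untracked_assets(assets, advisories):
    """Hosts whose product appears in no loaded advisory: a gap in the
    sources being watched, not evidence that the product is safe."""
    watched = {product_key(adv) for adv in advisories}
    return sorted(a["host"] for a in assets if product_key(a) not in watched)


if __name__ == "__main__":
    for host, adv_id, severity in open_findings(ASSETS, ADVISORIES):
        print(f"{severity:8} {host:12} {adv_id}")
    print("no advisory source loaded for:", untracked_assets(ASSETS, ADVISORIES))
```

The `untracked_assets` result is the part a daily check tends to miss: inventory entries for which no advisory source is being followed at all.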

SECURITY NOW!

Leo Laporte and Steve Gibson- Security Now

Security Now! is a weekly podcast hosted by Steve Gibson and Leo Laporte. It was the second show to premiere on the TWiT Network, launching in summer 2005. The first episode, “As the Worm Turns,” was released on August 19, 2005.

The show consists of a discussion between Gibson and Laporte on issues of computer security and, conversely, insecurity. Covered topics have included security vulnerabilities, firewalls, password security, spyware, rootkits, Wi-Fi, virtual private networks, and virtual machines. The show is well worth your time.

Steve Gibson, the man who coined the term spyware and created the first anti-spyware program, creator of Spinrite and ShieldsUP, discusses the hot topics in security today with Leo Laporte.

The show records live every Tuesday at 4:30 pm Eastern / 1:30 pm Pacific / 21:30 UTC, but downloads are available 24/7: audio only here: https://twit.tv/shows/security-now#subscribe-wrapper-audio, and video here: https://twit.tv/shows/security-now#subscribe-wrapper-video

Organizational Controls Perspective (Part 3/3)

Part 1/3 covered the Basic CIS Controls, and Part 2/3 overviewed the Foundational CIS Controls found in the Center for Internet Security Critical Security Controls for Effective Cyber Defense implementation guide of best practice guidelines for computer security.

The Organizational CIS Controls are less focused on the technical aspects of controls and more focused on people and processes. The Organizational CIS Controls are pervasive and need consideration across the entire enterprise and all of the previously presented Basic and Foundational CIS Controls. Their measurements and metrics of success are driven more by observations about process steps and outcomes, and less by technical data gathering.

These final four CIS Controls demand much attention to achieve certifiable cybersecurity compliance, but it is important to remember that good cybersecurity goes beyond compliance and requires one to be proactive with all security aspects of one’s data, information, and systems.

CIS Control 17: Implement a Security Awareness and Training Program

For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills and abilities needed to support the defence of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.

CIS Control 18: Application Software Security

Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.

CIS Control 19: Incident Response and Management

Protect the organization’s information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker’s presence, and restoring the integrity of the network and systems.

CIS Control 20: Penetration Tests and Red Team Exercises

Test the overall strength of an organization’s defence (the technology, the processes, and the people) by simulating the objectives and actions of an attacker.

I hope these three parts piqued your interest in forming defense-in-depth cybersecurity best practices that mitigate the most common attacks against systems and networks. Always remember that cyberspace and our world are full of danger, requiring all of us to be proactive with security.

Download CIS Control V7 here: https://learn.cisecurity.org/20-controls-download

Foundational First Step Toward Cybersecurity Compliance (Part 2/3)

Part 1/3 covered the Basic CIS Controls found in the Center for Internet Security Critical Security Controls for Effective Cyber Defense implementation guide of best practice guidelines for computer security.

No cyber defence approach can effectively address cyber risk without a means to address fundamental vulnerabilities. Organizations often use multiple regulatory frameworks to guide their cybersecurity strategy. No matter which frameworks an organization chooses to work toward, foundational cybersecurity is an excellent first step toward compliance. However, it is important to remember that good cybersecurity goes beyond compliance and requires one to be proactive with security.

These CIS controls can help protect systems from some of the most pervasive attacks by cybercriminals.

CIS Control 7: Email and Web Browser Protections

Minimize the attack surface and the opportunities for attackers to manipulate human behaviour through their interaction with web browsers and email systems.

CIS Control 8: Malware Defenses

Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defence, data gathering, and corrective action.

CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services

Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices to minimize windows of vulnerability available to attackers.

CIS Control 10: Data Recovery Capabilities

The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.

CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches

Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using rigorous configuration management and change control process to prevent attackers from exploiting vulnerable services and settings.

CIS Control 12: Boundary Defense

Detect/prevent/correct the flow of information transferring across networks of different trust levels with a focus on security-damaging data.

CIS Control 13: Data Protection

The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data and ensure the privacy and integrity of sensitive information.

CIS Control 14: Controlled Access Based on the Need to Know

The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.

CIS Control 15: Wireless Access Control

The processes and tools used to track/control/prevent/correct the secure use of wireless local area networks (WLANs), access points, and wireless client systems.

CIS Control 16: Account Monitoring and Control

Actively manage the life cycle of system and application accounts – their creation, use, dormancy, deletion – to minimize opportunities for attackers to leverage them.

In Part 3 of 3: 4 Organizational Critical Security Controls

Download CIS Control V7 here: https://learn.cisecurity.org/20-controls-download