Bite size Cyber: #1 Patching

Are you new to cyber security, and / or is it something you’ve been asked to look at for your organisation? Are you struggling to find sensible advice which is practical and pragmatic? Are you looking for some simple steps which you can follow to help get the ball rolling? Then this short series of articles is for you.

The intention is to provide some bite size nuggets of information which you can apply and which will rapidly help secure your organisation, whether it’s a company of 2 people or 200 (or 20,000 for that matter).

We’ll also look at other sources of information along the way, which you can read in your own time and which will help provide more context to the topics covered here.

Oh, and just as an aside, elsewhere on this site you’ll find a handy A-Z of terms, so if there’s something mentioned which you don’t know or understand, check that out. If you can’t find what you need there, please do drop me a line.

What you need to know

Let’s start with one of the basic elements when protecting systems, which is patching. When you think about a car or bike tyre, you know that occasionally they get holes in them, and the way they get fixed is by applying a patch. This is where the term patching comes from.

All software is likely to have holes in it which attackers can use to target systems. These holes are called vulnerabilities, and some are apparent from the day the software is written, and some are undiscovered for months or years. Some of these vulnerabilities are related to making the software work properly, and some are related to security issues. A software patch is a piece of code which removes the vulnerability.

Many vendors provide patches to their software on a regular basis. For example, Microsoft typically issue their patches on the second Tuesday of every month: in the industry this is known as “Patch Tuesday”. Other vendors have different release schedules, and you can easily find out what those are.

You also need to be aware that when patches are released the manufacturer typically gives an indication of the urgency, severity or priority with which they need to be applied. Different vendors have different terms for these patches.

It’s worth remembering that many of us have mobile devices like smartphones and tablets which tell us when patches are ready to be installed. Make sure that you apply those patches when prompted.

What you need to do

  1. Check what software you have, and find out when patches are released.
  2. Ensure that all devices in your organisation have the latest patches installed. Don’t forget to include servers, mobile devices, firewalls and other network devices in the list of equipment to be patched.
  3. Develop a plan – and implement it – to download patches when they are released.
    1. Ensure that the plan includes a step to test the patches on a subset of the machines in your organisation before rolling them out to all machines.
  4. Develop a patch schedule and stick to it. Bear in mind that after a patch has been applied computers may need to be rebooted. After the reboot, check that the patch has been installed effectively.
  5. Install the patches in a timely manner. For example, urgent patches should be applied as soon as possible, but low priority patches can be applied at a more leisurely pace.

Further reading

There are a number of articles on patching around this site, but you may also want to read some “official” guidance. I always recommend the UK Government’s 10 Steps to Cyber Security as a good source of independent, industry standard, information.

You may even decide that, when the time is right, you want to put your organisation through formal security certification and the UK Government’s Cyber Essentials scheme is a good place to start with that.

Working From Home during the pandemic: a simple guide for companies and individuals alike

There’s a lot of talk at the moment about enabling staff to work from home due to coronavirus / covid19. There are probably a lot of organisations that would like to make this happen, but who don’t know how to do this securely. These organisations may also have staff who will be working from home for the first time, so they probably need to provide some guidance and support to those staff too.

The intention of this article is to provide some high level suggestions of things to look at, which will have the most impact in terms of reducing the risk of security breaches and helping employees stay productive.

What can the organisation do?

The following points may help those with little knowledge in information security, or with little access to anyone with knowledge, to know where to start in order to keep themselves secure. It’s not an exhaustive list, and you may need to talk to your IT provider / security team for assistance with some of these.

  1. Make sure that you have implemented two factor authentication (2FA) for all users, and that they all know how to use it. This helps mitigate the risk of having unauthorised users accessing systems remotely.
  2. Make sure that all devices have been patched and have antivirus software installed and active. This is often achieved by using Network Access Control to carry out a health check on devices, only permitting access when they meet specific control requirements. Devices are held in quarantine while remedial action is carried out.
  3. Make sure that your remote access solution has been penetration tested recently, and that any urgent, high or medium issues have been resolved. This helps mitigate the risk that the remote solution is vulnerable to attack by malicious third parties, and helps ensure remote access for legitimate users is maintained.
  4. Consider stress testing the remote access solution, so that your organisation has a good idea of how many concurrent devices can be connected remotely without adversely affecting performance. It may be necessary to improve the capacity of the remote access solution for the duration of this period where higher numbers than usual of remote users are going to be experienced.
  5. Make sure that users know whether they can print when at home / out of the office and, if they are permitted to do so, they need to know how to securely dispose of any sensitive documentation they print off. For example, using a cross cut shredder may be acceptable while putting confidential documents in a recycle bin at home is probably not the sort of behaviour you want to encourage.
  6. Review your business continuity and disaster recovery plans. Are there key personnel who have to have corporate devices, and others who could be given extra leave instead? It may be that you decide to focus on providing key services to clients and choosing not to deliver all services all the time.
  7. If users are allowed to use personal devices, consider enforcing Network Access Control in the same manner as in point 2 above. Also, make a risk based decision whether non-corporate devices can be used if they do not have full disk encryption installed. It may be that a temporary waiver can be granted for these extraordinary times, or it may be desirable to issue users with corporate devices if they don’t usually have one at home instead, even though the device may not have the full specification the user is used to. 
  8. Consider issuing staff with privacy filters, so that if there are other people in the house / room, confidential data is not visible on screen to all. These are relatively cheap, and are a good idea for staff who often work away from the office anyway.
  9. Check contracts with clients to confirm whether remote working is permitted, and under what conditions. If it is specifically excluded, talk to clients to develop appropriate acceptable working practices while we deal with the initial outbreak.

As mentioned at the beginning, this is not an exhaustive list, but may help focus on the important things from a business perspective.

What about the individuals?

Now, what about the employees who are now potentially going to work from home for the first time? They will also need support and guidance. As someone who has worked from home for many years, I’d suggest that the following are all points which staff may benefit from knowing.

  1. If at all possible, create a separate dedicated workspace, ideally in a room where you can close the door at the end of the working day. This will help keep work and personal life separate. Not everyone will be able to do this, so an alternative of setting up somewhere which is out of the normal areas of high use / footfall within the house is perhaps the next best option. For example, it is a good idea not to set up in the kitchen if possible, because other people in the house will regularly come in for food and drink. This will disturb you and could possibly lead to a breach of security if unauthorised people (i.e. family and friends) can see what you are working on.
  2. Make sure you take regular breaks. In the office you probably don’t think about going to grab a coffee, and working at home is no different. The regular break encourages you to get up and move around, to stretch and perhaps speak to others in the house: this is healthy for you. Take care not to spend all day chatting, obviously, but it’s very easy to fall into the trap of sitting still for hours on end. I have a smartwatch which prompts me to get up and move every hour, and I find that very helpful.
  3. Try to stick to regular mealtimes, as you would do in the office. Many people go out at lunch to sandwich bars, cafes etc, and it may be that you can’t do that when at home. It’s a good idea to know what your normal lunch break would be and try to repeat it at home, bearing in mind you may have to prepare your food in that time too.
  4. Make technology work for you. Have video calls / voice calls as necessary. Some people find that switching on video and connecting to several colleagues, then leaving the video running, helps feel like you’re still in the same office. You don’t necessarily have to talk to your colleagues, but some find it helpful just to see and hear other people in the background.
  5. There’s always a question of whether to have the TV, radio or music on in the same room, or as background noise. That’s a personal choice: some people work well with that additional sound, others don’t. I find that I can’t work when there are those distractions, and I’ve been in offices where the radio is on all day and people seem to be able to work fine with it. Whatever works best for the individual is the right answer.
  6. Make sure you finish when you normally would, or at least when you would normally get home. It’s really important to have a break between work and personal time, so try to stick to your normal routine in terms of start and finish times.

These are some of my thoughts. I hope they’ve been useful. What works for you?

Shadow IT

Have you heard of Shadow IT? Do you worry about it?

Many organisations have a defined IT policy and processes surrounding it. They may outsource provision to a third party, or they may have their own IT department, even if that’s just Billy sitting in the corner, who is totally self-taught.

The organisation may have a standard build for all their equipment, and may use only one brand of equipment, which should make managing security risks quite well defined and limited.

However, there may be individuals or whole teams that don’t use the company standard. There might be an MD who really wants to do everything on a tablet device, but the company has a strict “no tablet” policy. There might be a team that installs its own network connection “just in case the company one fails”. And then there’s George in Marketing who prefers to use his Mac to the standard Windows machines.

The MD goes ahead and connects her tablet to the corporate network. The team with their own network connection leave it live and accessible 24×7: there’s no firewall and no way of blocking traffic coming in or going out. George brings in his own Mac and plugs it in to the network. None of these involve the IT or security teams, consequently the risk is unknown and therefore not managed.

These are all examples of Shadow IT – the unknown equipment attached to the corporate network which has little or no security controls in place. Many organisations have a problem with the proliferation of Shadow IT devices.

I think that we’re rapidly approaching – or may already have passed – the moment when we have to stop thinking of it as Shadow IT, and make sure that our controls can cope with the plethora of unofficial devices and configurations.

For example, it may be prudent to create a kind of “internal guest network”, for non-standard / uncontrolled devices. This could be easy to connect to but provides an additional layer of control. Using some kind of Mobile Device Management (MDM) solution allows you to provide some services to personal mobile devices, while also giving the ability to remotely wipe the data on them if necessary.

I think we need to be having that conversation in the organisations we work in or encounter. Rather than calling it “rogue” or Shadow IT, call it uncontrolled then work out how to control it.

Careers in Cyber

Does this sound familiar?  You keep seeing headlines about cyber security, about information security, usually when there’s been a loss of passwords or data, sometimes about large fines being levied on companies for poor practice. You’ve heard that there are lots of vacancies in the world of cyber and would like to look at a career in security. But you don’t know what choices there are, you don’t have good IT skills and you don’t know what skills you need.

This article will answer some (though probably not all) of your questions.

Before looking at what roles there are, let’s get the first big concern out of the way shall we? Do you need to be an IT ninja to work in information security?  The answer is a resounding NO (though for some – not all – roles it helps). Read on to find out why…

Broadly speaking, cyber security is split into three main role groups:

  • governance, risk and compliance (GRC), which relates to policies, processes, and, in some cases, training. These roles include consultants, analysts, auditors and trainers
  • offensive security, also known as red teaming, with the aim of trying to get unauthorised access to systems. Roles in this group include ethical hackers (penetration testers), social engineers etc
  • defensive security, also known as blue teaming, with the aim of trying to stop those trying to get unauthorised access to systems. Roles in this group include digital forensics, incident response, Security Operations analysts etc

GRC roles

These roles typically require little to no technical skills, though an understanding of technology helps.

People in these roles will probably spend their time writing and reviewing policies and other documentation, carrying out audits to ensure the organisation is complying with policies and / or industry standards, working with other staff to help them understand and implement the policies. At a more senior level they also encompass consultancy, working with clients to help them understand and improve their security posture.

It’s likely that people in GRC roles will spend time looking at industry standards such as ISO 27001 and NIST, regulations such as GDPR and industry specific requirements such as PCI DSS.

In terms of delivering training, people in this group will be more likely to develop and perhaps deliver general security training rather than specific courses for highly technical staff.

In terms of their own training and qualifications, a good basis would be the BCS Certificate in Information Security Management Principles (CISMP), and if you’d like to add some technical knowledge passing the CompTIA Net+ and Sec+ exams would be really good grounding. There are courses around data privacy which are becoming more common too. Ultimately you’d be aiming for something like the ISACA Certified Information Security Manager (CISM), (ISC)2 Certified Information Systems Security Professional (CISSP) or EC-Council Certified Chief Information Security Officer (C|CISO) qualifications, but they require at least 5 years of practical experience as well as an exam pass.

Red Team (Offensive Security)

This is where many people think the really exciting part of security sits, being paid to test other companies’ defences and helping them improve their security. This is the realm of the ethical hacker, more properly called a penetration (pen) tester.

Pen testers are, by necessity, quite technical. Typically they’ll be able to write scripts and code in several different languages, including Bash and Python. They’ll understand toolsets such as Metasploit, which is available for free on Kali Linux. (Incidentally, the bad guys will use pretty much the same toolsets for much of their work, and both groups will probably learn a lot about how to use them from YouTube!) They’ll also be able to write exploits, perhaps for use in Metasploit or elsewhere. Oh, and they had better understand network protocols and how firewalls work too. Essentially, they need to know a lot about a lot of things in order to be very proficient, though it is possible to run a lot of these tools with very little knowledge.

There is a form of red teaming where people try to physically get access to premises and systems using social engineering techniques.  This typically involves carrying out research on the target company using OSINT techniques, before creating some kind of pretext (cover story) or getting in through open doors and windows.  The goal may be to try to access a data centre or other sensitive room in a building, or it may be to leave some kind of listening / communications device in a meeting room, or to see what documentation can be obtained. This is the sort of work that you may have seen in films like Sneakers, where teams of people are testing an organisation’s security capabilities. Skills needed for this type of role are more related to acting / improv, calmness under pressure and the ability to think quickly.  A good understanding of human psychology, empathy, body language and non-verbal communication is really helpful in this field.

Training for the red team can be very technical, or not technical at all. If technical, you probably need to look at something like CompTIA Net+ and Sec+ as a basic grounding, before then looking at something like the Offensive Security Certified Professional (OSCP) or CHECK Team Member (if in the UK). It’s worth saying that when it comes to the technical aspects, lots of practice with different packages, scripting languages and exploits is probably more beneficial than lots of certifications, though having at least one industry respected certification will be helpful.

It’s also worth noting that many red team members will have experience of operating as a blue team member (and vice versa), and the skills gained there will be useful for them in trying to defeat their opponents.

If you know the enemy and know yourself you need not fear the results of a hundred battles.
– Sun Tzu, The Art of War

If looking at the non-technical courses, then typically psychology and sociology are very useful. Experience of acting / talking to lots of different people is also helpful, and an understanding of verbal and non-verbal communications is also very useful.

Blue Team (Defensive Security)

The defensive teams are also likely to have some very technical people in them. They may not write exploits like some pen testers, but some do need to have a very deep and detailed understanding of how things work.

Digital forensics is a highly specialised field, and there are individual specialities within it. For example, someone may only deal with mobile devices, so will need to understand Android, iOS (for Apple devices) and Windows Mobile, amongst others. Some may look mainly at memory stores, or disk drives etc. They also need to know how to capture, store and examine data in a methodical way which can be replicated in court, using the ACPO Good Practice Guide for Digital Forensics (in the UK – other countries may have other standards).

SOC (Security Operations Centre) Analysts look at information coming from a range of sources such as log files, and are skilled at looking at the big picture to identify attacks or other threats.  They need to understand networks, protocols and firewalls, how systems are configured and how the whole network interoperates.  They also need to understand patching and malware, to evaluate likely effects and the best methods of combating those threats.

Training courses vary, though SANS are renowned for their very detailed courses, particularly in the forensics arena.  Again, CompTIA Net+ and Sec+ are good courses to start with before building up experience and looking at the more technical material available. Many courses will relate to the toolsets that the team member uses e.g. when using a Security Information and Event Management (SIEM) application, firewall apps etc. Blue team members may also take some of the same courses that the red team members do – remember Sun Tzu!

Summary

There is a lot of scope for people who are not technical – and have no desire to be technical – to work in Information Security.  In many cases, the key skills / attributes include patience, attention to detail, concentration, focus, diligence and curiosity, as well as people skills like empathy and communication.

As someone who has worked in the industry for over 30 years, since before it was even called security, I’d recommend it to anyone. There are so many opportunities, so many different roles, that there is bound to be something for everyone!

I should also mention that the company I work for, PGI, runs many of the courses mentioned above, or equivalents of them: I’m one of the instructors on the awareness courses…

World Password Day

Did you know that today, May 2nd, is World Password Day?  To mark the event, I thought I’d post a quick update, based on a new approach to password management.

Both the UK National Cyber Security Centre (NCSC) and US National Institute of Standards and Technology (NIST) have published changes to their recommendations for managing passwords in the past two or three years.

  1. Whereas previously we were advised that changing passwords regularly, e.g. every 30 or 60 days, was a good thing, they both now suggest only changing them when they are compromised (i.e. if you think someone else might know your password). I have to confess this doesn’t sit easily with me, but I understand their reasoning. We all have so many passwords to remember that changing them less often means we’ll have a better chance of remembering them.
  2. Use a different password for every account, for every website etc. This is more tricky, and both NIST and NCSC suggest using a Password Manager (this is an app for your phone or that you can run from your laptop / desktop) which helps you track and maintain your passwords.
  3. Rather than using long, difficult to remember collections of upper and lower case letters, numbers and symbols, use three unrelated words and make sure the total length is more than 12 or 14 characters (I prefer a minimum of 15). The reasoning for this is simple. Suppose you used P4$$w0rd as your password: it meets all the criteria for complexity, but it’s obviously not secure. A simple to remember phrase like SunnyTreeRoad is not as easy to guess, and is less likely to appear on one of the many lists of known / common passwords.
  4. Enable Two Factor Authentication on your key accounts like email and banking / finance. This means the bad guys would have to have your phone or other source for 2FA as well as your password to get in to your account.

If you’d like to know more, check out the NCSC article here, or the NIST video here. They’re both short and won’t take much time.

Also, if you want to see examples of bad passwords, the NCSC have published details of the most hacked passwords here.

Finally, if you want to see whether your email password has already been hacked, head to https://haveibeenpwned.com/ and sign up. This free service will tell you if your account has ever been compromised, and will also alert you if someone hacks it in future.

A new approach for 2019

I know it’s a bit hackneyed, but making New Year’s resolutions is part and parcel of this time of year. Wouldn’t it be great if everyone in security could all make the same one, to commit to doing the same thing? We’d need to bring others with us, like our IT colleagues, our enthusiastic amateur friends, and also particularly the media and marketing people around the globe.

Let’s try to see, report on and celebrate the positives, not just focus on the negatives.

The press and online media seems to be full of stories about data breaches, ransomware, data losses and other information security related catastrophes. When these occur, my LinkedIn, Twitter and Instagram feeds fill up with people talking about the breaches, how terrible they are, how companies can allow things like this to happen etc. I’m sure you’ve noticed it too. It’s almost like people are glorying in, celebrating even, the misfortunes of others.

Yes, we security professionals have a responsibility to identify weaknesses in systems and people, and try to mitigate those weaknesses. However, I think we have a greater responsibility to provide encouragement and support to our colleagues, acquaintances, friends and family. They’ve become much more aware now of the impact of their online actions, as illustrated in this story from the BBC. But many people have little or no idea how to protect themselves effectively.

If it feels like we keep having to repeat the same messages over and over, there’s a very good reason for that, which Rik Ferguson highlighted in a podcast with Jenny Radcliffe last year (2017). He said “Every day is someone’s first day online”. This is true, and I think we often forget that fact. This is why we have to keep repeating the basics, because these are new to people, and will continue to be so for years to come.

How do we change the narrative, from highlighting the negatives, to emphasizing the positives? Rather than say “there was a breach because such-and-such happened”, can we say “the breach could have been worse, but controls x, y and z helped make sure it wasn’t”? Rather than castigating individuals for missing a patch, can we not praise them for applying as many as they do? Those in the know already appreciate how hard it is to do even the simple things consistently well over the course of a year, and some things are bound to slip through the net.

I think it’s time for change. I think it’s time we recognised the excellent work so many people do. I think it’s time to shine the light on the positives.

Let’s try to see, report on and celebrate the positives, not just focus on the negatives.

Z is for …

Zero Day

The time taken between a vulnerability existing and a patch being released to fix it can be several weeks, months or even years. An exploit written to take advantage of this gap is known as a Zero Day.

The bad guys are particularly interested in carrying out attacks against systems with vulnerabilities but no patches, for obvious reasons: it’s very difficult to defend against them.

The level of access the zero day can provide, or the damage a bad actor can cause with it, will have an effect on the value of each zero day attack on the Dark Web. Some may sell for “only” a few thousands of pounds, but some can fetch well into five figures, if not more.

A very famous attack carried out using zero days is explained in the film of the same name. It tells the story of an attempt to disrupt the Iranian nuclear programme some years ago, and is well worth watching.

X is for …

X-rated

It’s well known that the internet hosts a wide variety of pornography sites, from the legal on the surface web to the illegal on the dark web.

But what of other adult only material, which is also x-rated and may be illegal? Sites showing gore, mutilation, torture and worse? Again, they’re split between the legal and illegal, and hosted on the surface and dark webs.

Many companies use a technology called content filtering to prevent access to this sort of material. Automated tools trawl the surface web and categorise the websites they come across. Companies block access to certain categories, to help protect their employees.

You can usually do something similar at home. Service providers often allow you to add parental controls, which prevent access to sites showing adult material. Some antimalware providers also have add-ons for web browsers which can alert on or block access to potentially adult rated material.

Unhelpful media headlines

Earlier this week an article appeared on the BBC website called How can we stop being cyber idiots?. I took umbrage at this for a number of reasons.

First, why alienate readers by calling them idiots? Most people who use computers (I won’t call them users because, as a friend of mine pointed out, users has negative connotations around drug and alcohol abuse) generally try to do the right thing. This doesn’t make them idiots.

Second, if people haven’t been educated about the risks of their actions, they may not understand the consequences of not following any guidance they’ve been given. This is a failure on the part of information security professionals, not providing meaningful education which reaches everyone, and which informs on and encourages good behaviour. It doesn’t make the people using computers idiots.

Third, why assume that everyone knows what is right and wrong? As Rik Ferguson pointed out on a podcast I listened to last year, every day is someone’s first day online. So every day someone needs to be told the basics of information security. This doesn’t make those people idiots.

There seems to be a general assumption that everyone knows everything they need to about good cyber security practice, but that’s just not true. It’s an everyday and ongoing challenge to help people understand the consequences of their actions. The risks are constantly changing and evolving, so security professionals like me need to make sure we’re spreading the right messages in the right way.

V is for …

VPN

A virtual private network (VPN) is a form of network connection between two points which is encrypted. This helps protect the network traffic from being intercepted by others, and helps to keep the message secure.

It’s a really good idea to use a VPN if you’re away from home, e.g. in cafes or when using other public WiFi connections. There are quite a few available, for mobile phones as well as for laptops etc. They’re quite easy to find, and there are free as well as paid for versions on the market.

Virus

A computer virus is a form of malware which can carry different payloads. Just like a virus which infects people, a computer virus is designed to infect devices by a number of different methods. Using antivirus software, and keeping the software updated, as well as regularly applying patches, is a good way of reducing the risk of infection.

Vishing

Vishing is a form of phishing which is done over the phone (voice phishing) rather than by email. It’s often used in conjunction with phishing to add credibility to the email which was sent, and to try to improve the chances of the target being successfully socially engineered.

Vulnerabilities

Almost all software has faults in it, which may take some time to discover. These faults are called vulnerabilities, and they are fixed when patches are issued.

Vulnerability scan

A vulnerability scan is similar to a penetration test, but doesn’t go into as much detail. It’s the equivalent of a burglar trying the doors and windows on a house to see if they’re open – and then not going into the house (which would be a penetration test).

All it does is identify how an application, website or other system is vulnerable, but it doesn’t tell you what you could do if you exploited the vulnerability.