Bite size Cyber: #1 Patching

Are you new to cyber security, and / or is it something you’ve been asked to look at for your organisation? Are you struggling to find sensible advice which is practical and pragmatic? Are you looking for some simple steps which you can follow to help get the ball rolling? Then this short series of articles is for you.

The intention is to provide some bite size nuggets of information which you can apply and which will rapidly help secure your organisation, whether it’s a company of 2 people or 200 (or 20,000 for that matter).

We’ll also look at other sources of information along the way, which you can read in your own time and which will help provide more context to the topics covered here.

Oh, and just as an aside, elsewhere on this site you’ll find a handy A-Z of terms, so if there’s something mentioned which you don’t know or understand, check that out. If you can’t find what you need there, please do drop me a line.

What you need to know

Let’s start with one of the basic elements when protecting systems, which is patching. When you think about a car or bike tyre, you know that occasionally they get holes in them, and the way they get fixed is by applying a patch. This is where the term patching comes from.

All software is likely to have holes in it which attackers can use to target systems. These holes are called vulnerabilities, and some are apparent from the day the software is written, and some are undiscovered for months or years. Some of these vulnerabilities are related to making the software work properly, and some are related to security issues. A software patch is a piece of code which removes the vulnerability.

Many vendors provide patches to their software on a regular basis. For example, Microsoft typically issue their patches on the second Tuesday of every month: in the industry this is known as “Patch Tuesday”. Other vendors have a different release schedule, and you can easily find out when those are.

You also need to be aware that when patches are released the manufacturer typically gives an indication of the urgency, severity or priority with which they need to be applied. Different vendors have different terms for these patches.

It’s worth remembering that many of us have mobile devices like smartphones and tablets which tell us when patches are ready to be installed. Make sure that you apply those patches when prompted.

What you need to do

  1. Check what software you have, and find out when patches are released.
  2. Ensure that all devices in your organisation have the latest patches installed. Don’t forget to include servers, mobile devices, firewalls and other network devices in the list of equipment to be patched.
  3. Develop a plan – and implement it – to download patches when they are released.
    1. Ensure that the plan includes a step to test the patches on a subset of the machines in your organisation before rolling them out to all machines.
  4. Develop a patch schedule and stick to it. Bear in mind that after a patch has been applied computers may need to be rebooted. After the reboot, check that the patch has been installed effectively.
  5. Install the patches in a timely manner. For example, urgent patches should be applied as soon as possible, but low priority patches can be applied at a more leisurely pace.
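One way to track steps 1 to 5 against a small inventory, as an added example that is not code from the article: the vendors, products, versions, device names and per-severity deadlines are all constructed, and is_patched stands in for the post-reboot check in step 4.

```python
"""Patch-compliance check for the five steps above (added example, not code from
the article). Vendors, products, versions, device names and deadlines are invented."""
from dataclasses import dataclass
from datetime import date, timedelta

# Step 5: days allowed between a patch's release and its installation, by the
# severity the vendor assigned (constructed SLA; pick your own values).
DEADLINE_DAYS = {"critical": 2, "important": 14, "low": 90}

@dataclass
class Patch:
    vendor: str
    product: str
    version: str      # first version that contains the fix
    severity: str     # vendor's urgency label, mapped onto DEADLINE_DAYS
    released: date

@dataclass
class Device:
    name: str
    kind: str         # step 2: servers, mobiles and firewalls are in scope too
    installed: dict   # product -> version currently installed
    test_ring: bool = False   # step 3.1: pilot machines that get patches first

def version_tuple(v: str) -> tuple:
    """'16.0.3' -> (16, 0, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))

def is_patched(device: Device, patch: Patch) -> bool:
    """Step 4: after the reboot, confirm the fixed version (or later) is present."""
    current = device.installed.get(patch.product)
    return current is not None and version_tuple(current) >= version_tuple(patch.version)

def pilot_complete(devices, patch: Patch) -> bool:
    """Step 3.1: only roll out to everyone once every test-ring device has the patch."""
    ring = [d for d in devices if d.test_ring and patch.product in d.installed]
    return bool(ring) and all(is_patched(d, patch) for d in ring)

def overdue_patches(devices, patches, today: date):
    """Step 5: (device, product, fixed version, days overdue) for each missing
    patch whose severity-based deadline has already passed."""
    report = []
    for p in patches:
        deadline = p.released + timedelta(days=DEADLINE_DAYS[p.severity])
        for d in devices:
            if p.product in d.installed and not is_patched(d, p) and today > deadline:
                report.append((d.name, p.product, p.version, (today - deadline).days))
    return report

# Constructed sample inventory and vendor release list (step 1).
PATCHES = [
    Patch("ExampleCorp", "officesuite", "16.0.3", "critical", date(2020, 4, 14)),
    Patch("NetVendor", "fw-os", "7.2.1", "important", date(2020, 4, 1)),
]
DEVICES = [
    Device("pilot-01", "laptop", {"officesuite": "16.0.3"}, test_ring=True),
    Device("laptop-07", "laptop", {"officesuite": "16.0.1"}),
    Device("fw-edge", "firewall", {"fw-os": "7.1.9"}),
    Device("srv-files", "server", {"officesuite": "16.0.3"}),
]
TODAY = date(2020, 4, 20)

for row in overdue_patches(DEVICES, PATCHES, TODAY):
    print("OVERDUE: %s needs %s %s (%d days past deadline)" % row)
```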

Further reading

There are a number of articles on patching around this site, but you may also want to read some “official” guidance. I always recommend the UK Government’s 10 Steps to Cyber Security as a good source of independent, industry-standard information.

You may even decide that, when the time is right, you want to put your organisation through formal security certification and the UK Government’s Cyber Essentials scheme is a good place to start with that.

Good Social Media Hygiene

We’ve all started to get used to our “new normal” of working from home. There have been a lot of posts about how to do this effectively, and some of you may even have used some of the guidance I recently published on here. (A big thank you if you have!)

A quick heads up is probably in order here. As with my previous article, this one isn’t necessarily intended for cyber professionals: rather, it’s aimed at those who don’t work in the industry and will hopefully give them some insight into how to help their online health.

We now know that this is going to be how we live and work for – probably – months to come, so we best settle in and make the best / most of it.

It’s been great to see how we are making more use of collaboration tools, and there are any number of posts and videos about the pros and cons of the different solutions, as well as the creative ways teams are coming together. I’m not going to talk about that in this post. What I do want to talk about is how we use social media.

We’ve all (hopefully) got the message from our government that washing hands for 20 seconds is a good starting point in our efforts to slow the transmission of the coronavirus. We’re seeing initiatives such as supermarkets providing antibac wipes and gel so you can clean the handles on trolleys before going in. On my rare forays away from the house I’ve noticed so many more people cleaning their hands, and that’s been very reassuring.

But it seems to me that all this time at home has also led to much more engagement on social media, with many more helpful and inclusive posts on neighbourhood forums for example. There seem to me to be so many more people joining in online conversations etc, which seems to be helping build more of a community spirit. (Yes, I still see the backbiting and trolling too, but much more infrequently recently.)

Talking of people being online, it seems like every day we’re hearing about new scams, new ways which the bad guys and gals (I’m going to call them bad actors from here) are trying to get access to our systems and to our details.

I believe that now is a good time to apply good hygiene to our online selves, as well as our physical selves. With all this additional engagement, and the increase in time spent online, I think now is a good opportunity to encourage people to check their privacy settings and reduce them where appropriate.

Just as antibac wipes and handwashing help protect your physical health against the pandemic that’s assaulting us, locking down your social media profiles helps protect your online health against the bad actors mentioned above.

Restricting who can see your friends lists, or your latest posts, reduces the open source intelligence (OSINT) gathering opportunities for the bad actors: this in turn reduces the information they have to try to use against you in phishing and spear phishing attacks, for instance.

How do you do this? For each of your social media accounts the process will be slightly different, and if you’re unsure where to start, open Google (or any other search tool) on your internet browser and search for “privacy settings” and the name of the app you’re using. It should then be a case of following the instructions, but bear in mind that these could vary depending on whether you’re accessing your account from a PC, a laptop, an Android phone, an iPhone or other devices.

For most applications, it’s worth bearing in mind that they automatically open up your account as much as possible and may reset your settings every so often without warning. In general terms, making sure you use two factor authentication on each account, and restricting who can view your profile / posts to people you know are good things to do. For information on what each setting does, check them out on the application’s web site.

For example, I use an iPhone, and the initial steps are:

  • Facebook – Open the app, click on the three horizontal bars at the bottom right of the screen (next to the bell icon that shows you that you have notifications), scroll down to Settings & Privacy and then click on Privacy Shortcuts. Go through each of the topics there in turn and amend your settings.
  • Twitter – Open the app, click on your account icon in the top left corner (typically that’s your profile picture), and click on Settings and Privacy. Again, go through each of the topics and amend your settings.
  • Instagram – Open the app, click on your account icon in the bottom right corner (the icon is a person, next to the heart icon), click on the three horizontal bars at the top right of the screen, then click on Settings. Go through each of the topics under Privacy and also under Security and make changes as necessary.
  • LinkedIn – Open the app, click on your account icon in the top left corner (typically that’s your profile picture), click on Settings, then amend the relevant items under the Account and Privacy tabs.

Repeat the process for other apps, but by now you should get the idea I hope. I appreciate that these appear to be convoluted and time consuming, but in reality they don’t take long and they help to reduce the amount of information you share, and who you share it with.

Shadow IT

Have you heard of Shadow IT? Do you worry about it?

Many organisations have a defined IT policy and processes surrounding it. They may outsource provision to a Third Party, or they may have their own IT department, even if that’s just Billy sitting in the corner, who is totally self taught.

The organisation may have a standard build for all their equipment, and may use only one brand of equipment, which should make managing security risks quite well defined and limited.

However, there may be individuals or whole teams that don’t use the company standard. There might be an MD who really wants to do everything on a tablet device, but the company has a strict “no tablet” policy. There might be a team that installs its own network connection “just in case the company one fails”. And then there’s George in Marketing who prefers to use his Mac to the standard Windows machines.

The MD goes ahead and connects her tablet to the corporate network. The team with their own network connection leave it live and accessible 24×7: there’s no firewall and no way of blocking traffic coming in or going out. George brings in his own Mac and plugs it in to the network. None of these involve the IT or security teams; consequently the risk is unknown and therefore not managed.

These are all examples of Shadow IT – the unknown equipment attached to the corporate network which has little or no security controls in place. Many organisations have a problem with the proliferation of Shadow IT devices.

I think that we’re rapidly approaching – or may already have passed – the moment when we have to stop thinking of it as Shadow IT, and make sure that our controls can handle the plethora of unofficial devices and configurations.

For example, it may be prudent to create a kind of “internal guest network”, for non-standard / uncontrolled devices. This could be easy to connect to but provides an additional layer of control. Using some kind of Mobile Device Management (MDM) solution allows you to provide some services to personal mobile devices, while also giving the ability to remotely wipe the data on them if necessary.

I think we need to be having that conversation in the organisations we work in or encounter. Rather than calling it “rogue” or Shadow IT, call it uncontrolled, then work out how to control it.
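One way to make the unknown devices known, as an added example that is not code from the article: it reconciles constructed DHCP lease lines (dnsmasq layout) against an asset register and assigns each device to the corporate network or to the internal guest network described above. The MAC addresses, hostnames, register entries and network names are all invented.

```python
"""Making 'unknown equipment attached to the corporate network' visible (added
example, not code from the article). Register, leases, MACs and names are constructed."""
import re

# Asset register kept by IT: MAC address -> (label, managed by IT?). A known but
# unmanaged entry is e.g. a personal device enrolled only in MDM. (constructed)
INVENTORY = {
    "aa:bb:cc:00:00:01": ("corp-laptop-07", True),
    "aa:bb:cc:00:00:02": ("file-server", True),
    "aa:bb:cc:00:00:03": ("md-tablet (MDM only)", False),
}

# Constructed sample in dnsmasq lease-file layout:
# <expiry epoch> <mac> <ip> <hostname or *> <client-id or *>
LEASES = """\
1587400000 aa:bb:cc:00:00:01 10.0.10.21 corp-laptop-07 01:aa:bb:cc:00:00:01
1587400100 aa:bb:cc:00:00:02 10.0.10.5 file-server *
1587400200 aa:bb:cc:00:00:03 10.0.10.44 MDs-iPad *
1587400300 de:ad:be:ef:00:99 10.0.10.77 Georges-MacBook *
1587400400 de:ad:be:ef:01:00 10.0.10.78 * *
"""

LEASE_RE = re.compile(r"^(\d+)\s+([0-9a-f:]{17})\s+(\S+)\s+(\S+)\s+(\S+)$", re.I)

# Where each class of device belongs (constructed network names).
PLACEMENT = {
    "managed": "corporate network",
    "unmanaged": "internal guest network (MDM policy applies)",
    "unknown": "internal guest network until an owner is found",
}

def parse_leases(text: str):
    """Yield (mac, ip, hostname) for each well-formed lease line; skip junk lines."""
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m:
            continue
        _, mac, ip, host, _ = m.groups()
        yield mac.lower(), ip, ("(no hostname)" if host == "*" else host)

def classify(mac: str) -> str:
    """managed: in the register and IT-controlled; unmanaged: in the register but
    not IT-controlled; unknown: never seen by IT, i.e. Shadow IT."""
    if mac not in INVENTORY:
        return "unknown"
    return "managed" if INVENTORY[mac][1] else "unmanaged"

def shadow_it_report(lease_text: str):
    """One dict per observed device, with the control action the text suggests."""
    rows = []
    for mac, ip, host in parse_leases(lease_text):
        status = classify(mac)
        rows.append({"mac": mac, "ip": ip, "hostname": host,
                     "status": status, "action": PLACEMENT[status]})
    return rows

def unknown_devices(lease_text: str):
    """Just the Shadow IT entries: the risk that is 'unknown and therefore not managed'."""
    return [r for r in shadow_it_report(lease_text) if r["status"] == "unknown"]

for r in unknown_devices(LEASES):
    print("UNKNOWN %s %s %s -> %s" % (r["ip"], r["mac"], r["hostname"], r["action"]))
```

The same reconciliation works against an ARP table or a switch's MAC address table; only parse_leases and its regex change.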

X is for …

X-rated

It’s well known that the internet hosts a wide variety of pornography sites, from the legal on the surface web to the illegal on the dark web.

But what of other adult-only material, which is also X-rated and may be illegal: sites showing gore, mutilation, torture and worse? Again, they’re split between the legal and illegal, and hosted on the surface and dark webs.

Many companies use a technology called content filtering to prevent access to this sort of material. Automated tools trawl the surface web and categorise the websites they come across. Companies block access to certain categories, to help protect their employees.

You can usually do something similar at home. Service providers often allow you to add parental controls, which prevent access to sites showing adult material. Some antimalware providers also have add-ons for web browsers which can alert on or block access to potentially adult rated material.

V is for …

VPN

A virtual private network (VPN) is a form of network connection between two points which is encrypted. This helps protect the network traffic from being intercepted by others, and helps to keep the message secure.

It’s a really good idea to use a VPN if you’re away from home, e.g. in cafes or using other public WiFi connections. There are quite a few available, for mobile phones as well as for laptops etc.; they’re quite easy to find, and there are free as well as paid-for versions on the market.

Virus

A computer virus is a form of malware which can carry different payloads. Just like a virus which infects people, a computer virus is designed to infect devices by a number of different methods. Using antivirus software, and keeping the software updated, as well as regularly applying patches, is a good way of reducing the risk of infection.

Vishing

Vishing is a form of phishing which is done over the phone (voice phishing) rather than by email. It’s often used in conjunction with phishing to add credibility to the email which was sent, and to try to improve the chances of the target being successfully socially engineered.

Vulnerabilities

Almost all software has faults in it, which may take some time to discover. These faults are called vulnerabilities, and they are fixed when patches are issued.

Vulnerability scan

A vulnerability scan is similar to a penetration test, but doesn’t go into as much detail. It’s the equivalent of a burglar trying the doors and windows on a house to see if they’re open – and then not going into the house (which would be a penetration test).

All it does is identify how an application, website or other system is vulnerable, but it doesn’t tell you what you could do if you exploited the vulnerability.

Social Engineering and Human Nature

I’m often asked, particularly by new entrants into cyber, what books they should read, and what podcasts they should listen to. The list of both is endless, but I thought I’d share some titles with you. Before we start though, a word about my relationship with books…

I’m a passionate reader, and a compulsive purchaser of books. So I have a lot on my shelves that I’ve not yet read, but loads that I have. I had cause to sit and ponder today and reckon I’ve over 25m of bookshelves at home, which are mostly full – and a pile of books by my bed, and another on my desk.

For some reason, I group my books by subject matter and height order, and have recently moved away from keeping all by the same author together to having them grouped by colour. (My LPs are stored in alphabetical order, by artist then by album title: this is something I’ve done since I was a teenager!)

The picture with this post shows my “social engineering” shelf, which includes titles on microexpressions (Paul Ekman) and the psychology of persuasion (Robert Cialdini). Interestingly, the author of The Cyber Effect, Mary Aiken, was a producer and consultant for the show CSI: Cyber, and was in fact the inspiration for Patricia Arquette’s character in the programme. (Beware though, once you start watching, you’ll watch the entire series in one sitting!)

It’s not possible to be a good social engineer, to gain people’s trust and ask them to do things to help you, without understanding human psychology. Ditto if you’re carrying out phishing attacks, you need to know what will make people click on links etc.

Microexpressions give away how someone is really feeling, so it’s really important that social engineers understand and recognise these. If you want to know how they can be used, you might want to watch the show Lie To Me. Paul Ekman was a consultant on the show, and his work is explained particularly well in season 1. (Another binge watch alert here!)

It’s impossible to talk about social engineering without mentioning Kevin Mitnick. Once one of the FBI’s top 10 Most Wanted fugitives, Mitnick is one of the foremost authorities in the world on social engineering. I have already written a post about his book, Ghost in the Wires.

I’ll share information on some of the other books on my shelf another time. These should be a good starter for you if you’re interested in the meantime!

Gatwick Continuity Planning

It was reported on the BBC today that flight departure screens had failed at Gatwick airport for much of the day. The airport authorities implemented their contingency plans – whiteboards – and apparently no flights were delayed or cancelled. Some passengers have complained about a lack of information, but I think that the fact no flights had to be cancelled is a real credit to all involved.

This is a great example of good contingency planning in action. The authorities had obviously thought about what they’d do in advance, so when the screens were unavailable they knew what to do. I can’t imagine they had whiteboards and pens etc just sitting waiting to be used, but it’s a really good effort nonetheless.

What can we learn about this from an Information Security perspective? Business Continuity Planning is vital, but it doesn’t always hinge on having spare technology available. Take it back to basics: what is needed to keep the business running? In this case, electronic boards were replaced with whiteboards and marker pens, but what would be your equivalent?

Try to think about what could happen, and what you could do to react if there was a problem.

Q is for …

Quantum computing

You probably know by now that typical computers function by using 1s and 0s, using binary maths. The transistors in them are either off (0) or on (1), with data being held as binary digits (bits).

In quantum computing, quantum mechanics forms the basis of the machine. Rather than bits and bytes, quantum computers use quantum digits (qubits). I have to confess that I don’t understand the maths involved, but the two things to bear in mind are these:

  • There are more than just 1s and 0s: qubits can be in multiple states at the same time
  • Viewing the state of a qubit changes it

What these mean is that quantum computers have the potential to be incredibly fast, but it’s difficult to make use of their multiple states because looking at their state changes them.

Some organisations, e.g. IBM, have built small prototype quantum computers, but the technology is in its infancy. It will probably be several years before this sort of processing becomes commercially available.

When they are finally built, processing speeds will be massively increased, which also means that existing cryptography techniques will be at risk because even brute force attacks will be able to be carried out so much faster. A new form of quantum cryptography will have to be developed and implemented.
US names arrested Fin7 cyber-gang suspects

This story appeared recently on the BBC website.

Three members of a notorious hacking group, variously called Fin7, Carbanak and JokerStash, have been arrested and named. The three individuals were arrested in Germany, Poland and Spain: one has already been extradited to the US and extradition proceedings have begun against the other two. The hacking group had attacked targets in the US, UK, France and Australia, and is still active today.

The remarkable thing about these arrests is that law enforcement had to overcome one of the largest obstacles to law enforcement in the digital age: legal jurisdiction. Where computers are connected to each other globally, with actions being carried out from different countries, often in different continents, it’s hard to know which laws have been broken, and which law enforcement agency takes priority / precedence.

In this case, those questions appear to have been answered. There has been a lot of collaboration between the various law enforcement agencies in the US and Europe, resulting in these arrests. It is to be hoped that this level of collaboration becomes the norm, and that countries are able to work together to bring criminals to justice, wherever they are active and irrespective of where their targets are.

Town dusts off typewriters after cyber-attack

This story appeared on the BBC website the other day. Basically the town’s borough council was hit with ransomware and their systems were brought to their knees.

It’s not unusual for one or two devices in an organisation to be infected with ransomware. Typically those devices are isolated from the network and all other machines checked to ensure that patching and antivirus signatures are up to date. In this case, it would appear that the entire network, including servers, has been infected and devices are having to be built from scratch, with alternative technology (typewriters – some younger readers may need to look these up) being used in the meantime.

This incident immediately raises a number of questions:

  • How did the organisation allow all machines to get infected?
  • Did they have an incident response plan and did it include this scenario?
  • Were their patching and antivirus regimes appropriate, and was there any kind of reporting in place to identify gaps?
  • Does the organisation have a standard build, and were the build states of all 500 devices known?
  • If the ransomware has been dormant since May, does that mean that backups are also infected? How does the organisation know that restoring from backup won’t reinfect their network?
  • What scanning of incoming attachments was carried out?
  • What training have staff had in respect of phishing emails and incident response procedures?

From those questions, it is relatively easy to identify what good practice would be, e.g. document and test your incident response plans, make sure patching is kept up to date, and train your staff.