Bite size Cyber: #1 Patching

Are you new to cyber security, and / or is it something you’ve been asked to look at for your organisation? Are you struggling to find sensible advice which is practical and pragmatic? Are you looking for some simple steps which you can follow to help get the ball rolling? Then this short series of articles is for you.

The intention is to provide some bite size nuggets of information which you can apply and which will rapidly help secure your organisation, whether its a company of 2 people or 200 (or 20,000 for that matter).

We’ll also look at other sources of information along the way, which you can read in your own time and which will help provide more context to the topics covered here.

Oh, and just as an aside, elsewhere on this site you’ll find a handy A-Z of terms, so if there’s something mentioned which you don’t know or understand, check that out. If you can’t find what you need there, please do drop me a line.

What you need to know

Let’s start with one of the basic elements when protecting systems, which is patching. When you think about a car or bike tyre, you know that occasionally they get holes in them, and the way they get fixed is by applying a patch. This is where the term patching comes from.

All software is likely to have holes in it which attackers can use to target systems. These holes are called vulnerabilities, and some are apparent from the day the software is written, and some are undiscovered for months or years. Some of these vulnerabilities are related to making the software work properly, and some are related to security issues. A software patch is a piece of code which removes the vulnerability.

Many vendors provide patches to their software on a regular basis. For example, Microsoft typically issue their patches on the second Tuesday of every month: in the industry this is known as “Patch Tuesday”. Other vendors have a different release schedule, and you can easily find out when they are.

You also need to be aware that when patches are released the manufacturer typically gives an indication of the urgency, severity or priority with which they need to be applied. Different vendors have different terms for these patches.

It’s worth remembering that many of us have mobile devices like smartphones and tablets which tell us when patches are ready to be installed. Make sure that you apply those patches when prompted.

What you need to do

  1. Check what software you have, and find out when patches are released.
  2. Ensure that all devices in your organisation have the latest patches installed. Don’t forget to include servers, mobile devices, firewalls and other network devices in the list of equipment to be patched.
  3. Develop a plan – and implement it – to download patches when they are released.
    1. Ensure that the plan includes a step to test the patches on a subset of the machines in your organisation before rolling them out to all machines.
  4. Develop a patch schedule and stick to it. Bear in mind that after a patch has been applied computers may need to be rebooted. After the reboot, check that the patch has been installed effectively.
  5. Install the patches in a timely manner. For example, urgent patches should be applied as soon as possible, but low priority patches can be applied at a more leisurely pace.

Further reading

There are a number of articles on patching around this site, but you may also want to read some “official” guidance. I always recommend the UK Government’s 10 Steps to Cyber Security as a good source of independent, industry standard, information.

You may even decide that, when the time is right, you want to put your organisation through formal security certification and the UK Government’s Cyber Essentials scheme is a good place to start with that.

Z is for …

Zero Day

The time taken between a vulnerability existing and a patch being released to fix it can be several weeks, months or even years. An exploit written to take advantage of this gap is known as a Zero Day.

The bad guys are particularly interested in carrying out attacks against systems with vulnerabilities but no patches, for obvious reasons: it’s very difficult to defend agaisnt them.

Depending on the level of access the zero day can provide, or the damage a bad actor can cause with it, will have an effect on the value of each zero day attack on the Dark Web. Some may sell for “only” a few thousands of pounds, but some can fetch well into five figures, if not more.

A very famous attack carried out using zero days is explained in the film of the same name. It tells the story of an attempt to disrupt the Iranian nuclear programme some years ago, and is well worth watching.

K is for…

Keeping it Simple

OK, so this isn’t strictly a security term, but it is hugely important. Do the simple things well, and you’ll address many of the main issues. In terms of cyber security, this really boils down to:

  • Keep your patching up to date
  • Keep your antivirus signatures up to date
  • Ensure you have good password hygiene
  • Penetration test your internet regularly
  • Ensure your staff have good security awareness training
  • Manage your joiners, movers and leavers process well

If you do only those things, you’ll be in a reasonably good place to start implementing good security practice.

Keylogger

This is either a hardware or software device which, as the name suggests, records all the keys that are pressed and either holds them in memory until the device is collected or sends them across the internet to the person who implanted the code. If you think about what you type on a keyboard, this could include passwords, passphrases, salary details, contract information etc.

10 Steps to Cyber Security – Part 1 of 2

Through discussions with various clients and perspective clients, at conferences, events and forums, it is very apparent that a lot of companies know that they need to do “something about cyber” but many, particularly in the Small and Medium Enterprise (SME) arena, are unsure of what that something should be.

My response to them is generally along the same lines, and I thought I’d share it with you now. My apologies for those of you who are seasoned cyber professionals, as you will no doubt know this subject inside out, but for those of you who are wondering just how to get started and are looking for a jargon free, pragmatic explanation, read on…

As far back as 2012 the UK government produced the 10 Steps to Cyber Security which companies should follow to help make them more secure, as part of the drive to make the UK a safe place to do business. Those were followed in 2014 by the Cyber Essentials scheme. Both the 10 Steps and Cyber Essentials have had updates over the years, but those updates relate more to guidance and clarification rather than changes to content.

This article sets out the first 5 requirements of the 10 Steps to Cyber Security: I’ll provide the remaining 5 in my next post which will be in a week or so. You will see that a number of these topics overlap, and that’s absolutely fine. There are some very blurred lines, but so long as the topics are covered then that has to be a good thing, right?

1. The first step is to set up a Risk Management regime. This sounds scary, but could be as simple as having an Excel spreadsheet or a Word document where you list all the risks to your business, determine how severe those risks are, and document how you will mitigate those risks. It doesn’t have to be onerous – it could just be your top 5 or 10 risks to start with.

  • For example, if your business relies exclusively on internet orders eg as a retail outlet, then lack of access to the internet would be a serious risk and mitigation measures could involve something like hosting your website with a specialist hosting provider which can provide protection against physical issues like flooding or power cuts and some technical measures such as denial of service attacks.
  • You should bear in mind that this is a regular, repeated process, where you review your risk register regularly and agree with the board appropriate measures based on a cost benefit analysis and your company’s risk tolerance.

2. The second step is to look at Secure Configuration of your systems. All this really means is that you need to make sure that your systems are patched appropriately, that anti-virus / anti-malware software is installed, updated and running, that you have an inventory of the equipment you have and what software is installed on it, and that where possible you’ve documented a standard build for all your devices. Let’s look at those in turn, as it all sounds very complicated:

  • Patches are software updates provided by vendors to address vulnerabilities which are found in all software. These are typically graded in terms of severity from low to critical, the idea being that you apply all critical patches as fast as possible, while low severity are less important. One of the reasons the Wannacry ransomware outbreak hit people so hard in May was because a Critical patch released by Microsoft in March hadn’t been applied to the systems affected: that’s a good example of what can go wrong if you don’t keep patches up to date. Many systems allow patches to be downloaded and installed automatically and, if you don’t have an IT department, it’s a good idea to use that option.
  • Antivirus software is similar to patches, in that vendors release regular updates to tackle new viruses. With the volume of viruses increasing massively on a daily basis, it’s a good idea to install these updates as they come out – at least daily. Many of the larger virus companies such as McAfee and Symantec have products which update automatically, and are well worth considering.
  • As an aside, there are rumours that Mac devices aren’t susceptible to or targeted by viruses: this is not the case anymore so make sure those devices are protected too.
  • Keeping an inventory is sensible: if you don’t know what you’ve got, how can you protect it? And if you don’t know what software is running, how do you know you have all the licenses you need, and how do you know how to rebuild the machine if it is damaged or unavailable for some reason? It just stops you starting from the very beginning, and allows you to be more proactive. Knowing what should be on each machine also helps you to develop a strategy for removing or disabling unnecessary functionality on it. Again, going back to Wannacry in May, one of the methods used by the ransomware from machine to machine was through a network protocol which wasn’t really necessary on most machines. Maintaining an up-to-date inventory could help you identify vulnerabilities like that and close them down quickly.
  • The benefits of having a documented standard build have pretty much been covered in above. It also means that when a new machine is bought, your IT team / support company knows exactly what to install and how to configure it to meet your business needs. This saves time and effort.

3. The third step concerns Network Security. Again there are some jargon words around what this means and what has to be done, but I’ve broken it down as follows:

  • One of the reasons for network security is to protect your networks from attack. A simple way of checking to see how well the network is protected is by engaging a company such as the one I work for to run a penetration test against all your public facing connections. All that this means is that a trusted person, with your permission, tries to see how far they can get into your network: they then report back to you with details of the vulnerabilities they found and how these can be fixed / remediated. They are actually using the same tools and techniques as hackers, but because they have your permission this is known as ethical hacking.
  • Another area to look at in network security is defending your network perimeter. This means that you should have firewalls installed and configured correctly: the penetration test mentioned just now is one way of ensure that they are. Firewalls are typically installed at the place where your internal network meets the internet, often in a specially segregated area called a DMZ or “De-militarised zone”. It’s a way of stopping traffic from the internet getting directly on to your network.
  • As part of firewall configuration, you should ensure that unauthorised access and malicious content is filtered out. There are a range of companies which provide solutions for this sort of thing, but in simple terms your penetration test will help identify the biggest areas of concern. Network protocols are the ways in which computers talk to each other, and run across a range of different ports. You can think of the firewall as a giant colander, where you block up most of the holes (ports) other than those which are needed for passing a specific strand of spaghetti through a specific hole (port).
  • Last and not least in this section is the requirement to monitor and test security controls. We’ve already talked about testing – penetration testing – and monitoring is a way of measuring the effectiveness of your controls. There are a lot of monitoring toolsets available, ranging from reasonably cheap to quite expensive. It’s worth working out what you want to monitor / measure before starting to look for tools to help. This is one area where engaging a consultant may be beneficial.

4. We’ve already talked a little about Malware Prevention, the fourth step, when we talked about Secure Configuration above. What we didn’t mention is that it’s important to develop a policy around how you will use anti-malware software. For example, what happens when a virus is detected. Should it be deleted automatically or perhaps quarantined for analysis? Is there a process for testing removable media such as USB sticks for malware before connecting them to corporate systems (this is often called a sheepdip process). It’s also important that anti-malware software is running on all devices connected to your business environment: monitoring and measurement will help confirm this.

5. Overlapping malware prevention is the fifth step, Removable Media Control. This again requires specific policy statements about the use of removable media: do you allow it or not, are only specific users in specific roles allowed to use it etc, and also sets out the requirements for scanning media for malware, perhaps using the sheepdip process outlines in 4 above.

Hopefully this all makes sense. Please look out for the next installment when I’ll cover the remaining 5 steps, which are:

6. User education and awareness

7. Managing User Privileges

8. Incident Management

9. Monitoring

10. Home and Mobile Working

How does your security measure up?

I published this article on LinkedIn on Monday 3rd July 2017, and I’ve copied it here for you.

If you don’t know what you have, how can you measure it?

We read a lot these days about equipment and training to help combat cyber attacks and reduce risks, but I don’t see much about today’s topic. It’s really good that you have controls in place, with defence in depth etc, but how do you know they’re working?

It seems to me that we often forget to take into account the requirement to measure key components on our systems, so that we know when things are working well and when they’re not. This isn’t about audit, which gives you a snapshot, a point in time view. This is about consistent, regular (possibly even real-time) monitoring and reporting on systems.
The first step in this process is to identify what matters to you most – in many, if not all, cases this will be the data your systems hold. 
Then, look at the controls you have in place, and think about what information would give you assurance that your controls are effective. 
For example, if you have highly sensitive data on all your laptops, knowing which devices are not encrypted might be a really key measurement for you. In this instance, you may decide it is unacceptable for any laptops to be unencrypted, or you may decide you’re happy with a tolerance of 5% or 10%.
One of the fundamental features of reporting is knowing what you have, where it is, and what software is loaded on it. If we look at the recent ransomware outbreaks of Wannacry and Petya, we know that these malware packages make use of specific vulnerabilities which were addressed by specific patches. If your inventory is up to date, you can check for the devices missing those specific patches, and target them immediately, rather than checking every single machine. The same held true with Heartbleed and other outbreaks of a similar nature. 
Some would say that regular reporting on critical patches which have not been installed is a waste of time: personally, I think it’s a good metric and invaluable in deploying resources effectively. You should already have a patch schedule, but does it take into account Critical patches? If not, time to start thinking about being proactive with them and pushing them out outside the patch schedule.  
Similarly, you will probably want to know what devices have aged (out of date) antivirus signatures: if they’re not within a couple of days release then in this day and age you’re running a risk. Report / alert on devices where this is the case, or where AV isn’t running at all. (While you’re at it, you might want to investigate ways of determining whether AV is running but not scanning anything – I have seen this on several occasions.)
You will also probably want to baseline the traffic profile coming into and out of your network so that you know what looks normal, making it easier to spot unusual activity. Pay attention to the days and times that traffic is present: if you get a lot of traffic at 3 in the morning, why is that? 
Finally, when presenting this information to your senior management, don’t leave it as raw figures. Present it in terms of risk and impact, from a financial and reputational viewpoint. That makes it easier to understand why something needs to be done and should help with getting additional resources to address those risks. 

If you don’t measure what you have, how can you improve it?

Patching – what’s all the fuss about?

I suppose this falls under Security 101, one of the most basic things we’re all encouraged to do with our technology, but there’s always a reason to postpone it:

  • My machine slows down while it’s downloading the latest patches
  • I’m worried that things won’t work afterwards
  • I keep having to reboot my machine, sometimes several times during one set of updates
  • I’m busy just now, can I not just do it later?
  • I don’t use the Internet much, so my device can’t be infected
  • I’m not using Microsoft, so there’s no need to patch
  • ….and, well, you know how it goes on….

I’m sure you’ve got your own versions of these, but the point is that these are all just excuses for something that should just be part of your normal experience – in my opinion.

Should we patch absolutely everything? I.e. should we install all updates for all products as soon as they’re available? No, I don’t think so. We should base our patching strategy on a risk assessment. If you find out about a patch for one software programme – let’s say Microsoft PowerPoint – but don’t have PowerPoint on your device, do you need to apply that patch? Not if it only addresses vulnerabilities in PowerPoint, as your device doesn’t have that vulnerability. But if the patch includes other packages which you do have installed eg Excel, then yes, you should.

Why am I picking on Microsoft? Just in order to use program names that we’re most likely to be familiar with. The same principles apply equally to other vendors and other software packages. Software has vulnerabilities, it’s inevitable. If there are none on the day it is released someone somewhere will find some soon afterwards. And the more valuable the data you access through the software, the more likely someone is try to create an exploit for that vulnerability.

In my opinion, you should patch regularly i.e. keep patches up to date. Apart from anything else, this lessens the amount of time spent downloading updates, as you’re keeping on top of things (in many respects, the same goes for antivirus updates too). Patch what you have to, but eg if the patch is for a Mac and you’re using Linux, why apply a Mac patch unless the patch also applies to Linux devices.

Not using the Internet often is no protection either. The only truly secure device (from Internet attack anyway) is one which does not have any form of external interface (wifi, wired, serial cable, whatever) and which is never connected. Some well known legitimate websites have been targeted and have had malicious code embedded in them, infecting users who are only browsing (because no software is totally secure, right?). Botnets are out there looking (in an automated way) for vulernable machines, so you only need to connect once to run the risk of infection. It’s a bit like contraception – if you don’t ever have sex, you’re unlikely to get pregnant, but do it just once without any form of protection and pregnancy is a very real risk.

If you’re only looking at your personal / home PC / laptop / tablet etc, then you’re unlikely to have a test environment. This is the best place to try out new patches, but if you’re a home user then you probably don’t have the luxury of testing things there. In any event, its notoriously difficult to configure your test environment to exactly match your real, live environment, down to version numbers of DLLs and other components, so you’re probably just testing in a representation of your live environment and there will still be some risk when you deploy for real. So what should you do?

This is where having a good, robust (and tested) backup regime comes in. More on that in a future post, so watch this space…