IT. SECURITY. OPEN SOURCE.

Category: Security

Building a Successful Cybersecurity Program

Over the years I have had the opportunity to develop successful cybersecurity programs for many organizations. When creating a cybersecurity program, an organization must know where it is and where it wants to go. Though not a requirement, cybersecurity frameworks or standardization documents written by experts in the field are helpful in designing a program and roadmap. Without this, the cybersecurity program will have no direction and will not achieve the organization’s goals.

Get Executive Buy-In

You were just hired into an organization or promoted to work on their cybersecurity program. Congratulations! Now what? You need to gain executive buy-in for the program. This can be easy or extremely challenging. Chances are if you were hired as their first cybersecurity employee, the organization is taking this seriously. However, this does not mean it will be smooth sailing. You may need to teach cybersecurity best practices to those in the executive suite. This will ensure that the program is well understood and can be prioritized within the organization.

In addition to gaining executive buy-in for the program, you need to provide recurring status updates. These can range from sending out email statements to holding monthly meetings with executive stakeholders. They are needed to show where the organization stands with the cybersecurity program. It is also a perfect time to solicit feedback from the leadership team on how they see the program progressing, any shortcomings, or any concerns they may have. A continuous feedback loop is needed to ensure that the security program is meeting the objectives set out by the business.

Pick a Cybersecurity Framework

There are plenty of cybersecurity frameworks to choose from, but which one is right for your organization? First, you must decide whether you need to aim for a certification for a given framework such as the ISO 27000 series. If certification is not a top priority, you can choose from some of the other well known cybersecurity frameworks such as the NIST Cybersecurity Framework or those developed by the Australian Cyber Security Centre.

For organizations that are just starting off and looking for a well-rounded framework, I recommend using both the NIST Cybersecurity Framework and the Centers for Internet Security Top 20 Security Controls. Why two, you ask? The NIST Cybersecurity Framework is a great framework to standardize the organization’s administrative controls. These would be considered your policies, standards, procedures, and guidelines. The Centers for Internet Security Top 20 Security Controls is a framework for your technical controls. These controls address how servers or networks are configured, having antivirus deployed, or a robust patching cadence. These two frameworks complement each other well and provide the foundation for your security program.

Perform An Audit

The audit stage is critical as it will determine the outcome of your organization’s current and future states for the cybersecurity program. Take plenty of time to review the selected framework as this will guide you through the audit process. Prior to performing the audit you must gather as much information as possible about the organization and its IT resources. Gathering documentation, architectural drawings, application flow drawings, policies, standards, and procedures, along with reviewing previous audits, will help you gain insight into the environment.

Once the collection and review of documentation is complete, you then begin the interview process. The interview process is designed to gain additional insight into the environment that was not discovered during the document collection phase. When performing the interviews one must first consider their audience. Are they technical or non-technical? Will they understand what is being asked? Taking that into consideration will assist in getting to the answers you are looking for.

Determine Your Current State

When the audit is complete, it is time to perform a Gap analysis. The Gap analysis will help to determine the current state of your cybersecurity and information technology programs. Cybersecurity objectives from the framework that the organization met mean you can close that objective out. Any deficiencies found during the audit will become findings. The contrast between the objectives that you meet versus the ones you do not will be the outcome of the Gap analysis. This analysis will be the current state of your program. This current state report is what is to be presented to senior management or a steering team committee.

Develop A Future State Cybersecurity Roadmap

Now that the current state is defined, it’s time to define the strategic roadmap or future state of your cybersecurity program. The future state is where you would like to see your cybersecurity program 6 months – 5 years out. The Gap analysis performed when developing the current state will help define this for you. Objectives which are easy to implement can be put in place fairly quickly; ones that take a fair amount of planning and funding to implement will be placed on a strategic roadmap for future implementations.

Determining where to start can be daunting; however, there are two places to look for assistance. If you chose to use the Centers for Internet Security framework, this is already laid out for you. The Top 20 controls are in order of what should be implemented within the environment. The first 6 controls are what they call “Basic.” As the name implies, these controls build the basic controls of the program, which include:

Centers for Internet Security – Basic Controls

  1. Inventory and Control of Hardware Assets
  2. Inventory and Control of Software Assets
  3. Continuous Vulnerability Management
  4. Controlled Use of Administrative Privileges
  5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
  6. Maintenance, Monitoring and Analysis of Audit Logs

If you decided to choose a different framework, do not worry; there are other ways to determine your starting point. This will include the help of the Board of Directors or executive management. Understanding the business requirements, needs, and wants will drive the direction of your cybersecurity program; however, push back where it makes sense.

Restrict AWS Console Access Based On Source IP Address

Zero trust, or risk-based authentication, can be hard to achieve (You can read more about it here). Organizations must trust the identity being used and the location from where the user is authenticating. Many cloud-based services, like AWS, have functionality built in to help protect your account. This is a must in preventing account takeover (ATO) while protecting the confidentiality, integrity, and availability of your AWS systems.

AWS’ built-in tools, which are easy to use, help protect your account. It is an automated process to validate that your Root account has multifactor authentication turned on, that the Root account does not have programmatic access, etc. One function that is missing from the GUI is protecting accounts from untrusted networks. To do this, go to IAM and click on Policies. Create a new policy and use the JSON editor to paste the following:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {"NotIpAddress": 
    {"aws:SourceIp": [
      "Source IP Address"
    ]}}
  }
}

Replace “Source IP Address” with the source IP address(es) of your corporate network.

Once the policy has been created, attach the policy to either a user account or a group that users are a part of. Now when someone tries to log in from outside the network, the person will receive an “Access Denied” while trying to access any AWS resources.
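As an added example (not code from the original post or its GitHub repo), the script below generates the policy above from a validated list of ranges and models locally which requests the Deny would catch. The function names and the sample CIDRs are constructed for illustration, and the `aws:ViaAWSService` exemption is an addition that the post's policy does not contain.

```python
import ipaddress
import json

# Constructed sample ranges (RFC 5737 documentation blocks) standing in for
# the corporate egress addresses the post calls "Source IP Address".
CORPORATE_CIDRS = ["192.0.2.0/24", "203.0.113.10/32"]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_source_ip_policy(cidrs, exempt_aws_service_calls=True):
    """Build the post's deny-unless-from-these-ranges policy as a dict."""
    if not cidrs:
        # An empty list cannot describe any trusted network.
        raise ValueError("refusing to build a policy with no allowed ranges")
    allowed = []
    for entry in cidrs:
        net = ipaddress.ip_network(entry, strict=True)  # rejects 192.0.2.1/24
        if any(net.overlaps(private) for private in RFC1918):
            # aws:SourceIp is compared with the public address AWS sees, so
            # internal office ranges never match and would lock users out.
            raise ValueError(f"{entry}: use the public egress range instead")
        allowed.append(str(net))
    condition = {"NotIpAddress": {"aws:SourceIp": allowed}}
    if exempt_aws_service_calls:
        # Added here, not in the post's policy: skip the Deny when an AWS
        # service makes the call on the user's behalf from its own address.
        condition["Bool"] = {"aws:ViaAWSService": "false"}
    return {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": condition,
        },
    }


def is_denied(policy, source_ip, via_aws_service=False):
    """Simplified local model of how this single Deny statement evaluates.

    Every condition operator has to match for the Deny to apply, and the
    listed ranges are alternatives: NotIpAddress matches only when the
    address is outside all of them.
    """
    cond = policy["Statement"]["Condition"]
    addr = ipaddress.ip_address(source_ip)
    ranges = [ipaddress.ip_network(c)
              for c in cond["NotIpAddress"]["aws:SourceIp"]]
    outside = not any(addr in r for r in ranges)
    if "Bool" in cond:
        wanted = cond["Bool"]["aws:ViaAWSService"] == "true"
        if via_aws_service != wanted:
            return False
    return outside


if __name__ == "__main__":
    # Paste the printed document into the IAM JSON editor.
    print(json.dumps(build_source_ip_policy(CORPORATE_CIDRS), indent=2))
```

Without the exemption, a request that an AWS service makes on the user's behalf arrives from the service's own address and is denied along with everything else, which is why the model reports it as blocked when `exempt_aws_service_calls=False`.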

For the latest on this policy, or other AWS policies, please check out the GitHub Repo.

Building Zero Trust in Authentication

Building Zero Trust

When you think of zero trust, you tend to think of network segmentation: creating communities of interest (COIs) and segmenting servers away from each other to prevent lateral movement within one’s network. Network segmentation is just the first step in a zero-trust model. Others include authentication, segregation of duties, and cryptographic certificates. Though all are important, authentication is a difficult one to get right.

Secure Shell, or SSH, is an authentication mechanism used for remote connectivity mainly to UNIX and Linux based operating systems. SSH creates a secure, encrypted connection between the administrator’s endpoint and a server. Though SSH is heavily used for connectivity, it does have one major flaw: you must trust the certificate presented to you upon the first login. Trust On First Use, or TOFU, requires the administrator to initially trust the server they are connecting to without knowing the validity of the certificates being presented. Once trust is given to an unknown certificate, the administrator is allowed to continue with their username and password.

Trust On First Use

TOFU is nothing new in terms of security and is widely used throughout information technology. Take for instance setting up a new firewall or other types of security appliances. Security appliances are designed to encrypt administrative connections to the management plane. Most, if not all, major players use self-signed certificates in order to encrypt that communication. This is another example of TOFU, where a firewall administrator must first accept an unknown security certificate prior to being allowed to connect to the device. Accepting unknown, or unverified, TLS certificates is something we tell end users not to do all the time. So why is it OK for us to do so? How do we know whether our connections are trusted and not being compromised by a man-in-the-middle attack?

How Do I Trust My Connections?

Unfortunately, there is no easy answer to this question. Systems are designed to create new private and public certificates upon installation. This is to ensure that no two private certificates are identical and not re-used between systems. When these certificates are generated for the first time, an administrator has no other option but to trust the certificate being handed out.

Cryptographically signing certificates is one such way that could be used to overcome this problem. This is performed on software package installation and patching. Microsoft, Red Hat, Ubuntu, and Apple all cryptographically sign their software. This prevents the operating system from installing applications that could have been created by a malicious user, potentially infecting one’s machine.

Organizations can apply the same level of trust to authentication. Creating an internal Public Key Infrastructure, or PKI, can reduce that uncertainty. PKIs can provide validity in those connections as one has to first trust the root certificate authority. Once trust has been established, certificates generated and signed by the root certificate authority will also be trusted by the system. Though getting it right the first time might seem difficult, once established it can prove to be one of the best assets security professionals have in their arsenal.

Password Rotation And The Problem Of Not Doing It

Since the release of NIST SP 800-63-3 I have been asked, “Why does our company still perform password rotation?” This question is easier said than done. It is one that requires user awareness training, implementation of auditing and alerting software, and most importantly – multifactor authentication. All of which are necessary, though it can take months to years to implement depending on a company’s resources and regulatory requirements.

User Awareness

We still seem to be failing at user awareness training. Our parents, grandparents, kids, co-workers, and yes, even us, still use easily guessable passwords. Studies have shown that for the past 5+ years the top passwords being used on the internet are “123456”, “password”, “qwerty”, and “111111.” Talk show host Jimmy Kimmel and his television crew have shown how easy it is to social engineer someone to give up their password. These episodes also show the simplicity of the password, with some saying their password is a pet’s name and a birth date.

Companies such as Microsoft have developed ways to prevent their users from picking simplistic passwords. Its new “Password Protection for Azure AD” service prevents users from creating easily guessable passwords. This is done using Microsoft’s massive database of commonly used passwords. If a user were to pick a password that was found in the database, the service presents an error message and the user must pick another one.

Auditing and Alerting Software

People often make mistakes, that is a given. Companies make similar mistakes as well. Facebook recently announced that the company was storing user passwords in clear text. What can be worse than that you ask? That database had been queried over 9 million times by Facebook staff. Facebook has been on the defensive stating that this was not a breach. While technically no it was not a breach, it shows how lacking they are in their security and privacy.

There are similar cases where companies are lax in their security policies. It certainly opens the question of how we can protect ourselves online. With users picking easily guessable passwords, and the reuse of those passwords, auditing and alerting tools are a necessity. Organizations need tools in place to be able to send alerts when an account is being brute forced. They also need to alert when someone is logging in from a country where there is no organizational presence. These are key indicators of account takeovers. Without this in place, a security operations team will never know if an account has been compromised.
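The two alerts described above can be sketched as detection logic over authentication events. This is an added example, not part of the original post: the event layout, the thresholds, the country list and the sample events are all constructed, and the country field is assumed to come from GeoIP enrichment upstream.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values, not taken from the post.
FAILURE_THRESHOLD = 5
WINDOW = timedelta(minutes=10)
COUNTRIES_WITH_PRESENCE = {"US", "CA"}

# Constructed sample events: (timestamp, account, source IP, country, outcome).
SAMPLE_EVENTS = [
    ("2019-04-02T07:00:00", "dave", "192.0.2.80", "US", "failure"),
    ("2019-04-02T07:30:00", "dave", "192.0.2.80", "US", "failure"),
    ("2019-04-02T08:00:00", "dave", "192.0.2.80", "US", "failure"),
    ("2019-04-02T08:00:05", "alice", "192.0.2.15", "US", "success"),
    ("2019-04-02T08:30:00", "dave", "192.0.2.80", "US", "failure"),
    ("2019-04-02T09:00:00", "dave", "192.0.2.80", "US", "failure"),
    ("2019-04-02T09:14:01", "bob", "198.51.100.23", "US", "failure"),
    ("2019-04-02T09:14:09", "bob", "198.51.100.23", "US", "failure"),
    ("2019-04-02T09:14:20", "bob", "198.51.100.23", "US", "failure"),
    ("2019-04-02T09:14:31", "bob", "198.51.100.23", "US", "failure"),
    ("2019-04-02T09:14:40", "bob", "198.51.100.23", "US", "failure"),
    ("2019-04-02T09:14:52", "bob", "198.51.100.23", "US", "failure"),
    ("2019-04-02T09:15:30", "bob", "198.51.100.23", "US", "success"),
    ("2019-04-02T10:02:11", "carol", "203.0.113.77", "BR", "success"),
]


def detect(events):
    """Return alerts as (kind, account, timestamp) tuples in time order."""
    recent_failures = defaultdict(deque)  # account -> failure times in window
    under_attack = {}                     # account -> last time over threshold
    alerts = []
    for ts_text, account, _ip, country, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        window = recent_failures[account]
        # Slide the window: forget failures older than WINDOW.
        while window and ts - window[0] > WINDOW:
            window.popleft()
        if account in under_attack and ts - under_attack[account] > WINDOW:
            del under_attack[account]
        if outcome == "failure":
            window.append(ts)
            if len(window) >= FAILURE_THRESHOLD:
                if account not in under_attack:  # alert once per burst
                    alerts.append(("brute_force", account, ts_text))
                under_attack[account] = ts
            continue
        # Successful login: the case that suggests a guessed password.
        if account in under_attack:
            alerts.append(("success_after_brute_force", account, ts_text))
        if country not in COUNTRIES_WITH_PRESENCE:
            alerts.append(("login_outside_presence", account, ts_text))
        window.clear()
        under_attack.pop(account, None)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In the sample, dave's five failures spread over two hours stay below the threshold because the window slides, while bob's burst raises one alert and the success that follows it raises a second.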

What Is Multifactor Authentication

Multifactor (also known as 2 factor) is defined as:

  • Something you have
  • Something you know
  • Something you are

To satisfy this definition, one must utilize two of the three listed. Something you have and something you are is the most common. How does this protect against account takeovers? If one were to use a semi-guessable password and configure multifactor authentication, account takeover would be extremely difficult to pull off. The reason is that even if someone were to have your password, that person could still not log into the account as the second factor has not been met. The second factor in most instances is something that you have. Examples of this are a smart app on your mobile device, a hardware device such as a YubiKey, or a text message, though using text messages as a form of second factor is now highly discouraged. Without having physical access to any of these devices, it can be nearly impossible to log into an account. Two Factor Auth List is a website dedicated to helping configure multifactor authentication. This website will show you which popular online services allow for multifactor authentication, and if they do not, you are able to send a message to the service asking them to enable it.

Final Thoughts

Password rotation is an evil necessity without properly thinking things through. Yes, it does not prevent an account takeover; however, rotation will eventually keep an attacker from logging in. The use of multifactor authentication, auditing and alerting, coupled with user awareness training are essential to good password hygiene. Without these in place, the organization will be stuck on rotation – like a broken record.

Facebook Exposes Millions of Passwords in Clear Text

Facebook has been under the spotlight for quite some time now for its poor security and privacy practices. With this latest privacy blunder, it’s obvious that the company has not learned from its past. Last week it was uncovered that the company is storing passwords in clear text. This not only affects Facebook users, but Instagram users too. It was not revealed why these passwords were stored in clear text; however, what is known is that it affects millions of the company’s users.

In a Facebook blog post, Pedro Canahuati, VP Engineering, Security and Privacy, mentioned that the company uncovered the error in January during a routine security review. Canahuati also stated that these clear text passwords were only viewed by those who worked for the company.

At least LinkedIn has your back… Oh never mind.

Let’s not forget the many security breaches which affected passwords in the past. LinkedIn in 2012 had millions of passwords stolen from the company by hackers. In the breach, the passwords had been hashed, but with a low grade hashing algorithm. At least in LinkedIn’s case we can say the passwords were somewhat protected. In Facebook’s instance, they did not even bother to encrypt the passwords. If the passwords were ever stolen we would see another Yahoo! breach in the making.

Protecting Yourself Online

Canahuati did not mention in his post how to remedy the issue other than to say that the passwords are hashed and salted when an account is created. I would still suggest that everyone change their passwords anyway along with activating multifactor authentication for their account. This way even if someone were to have the password, they would not have the secret token generated by a smart app or hardware token like YubiKey. This also includes those who have Instagram accounts as well since they were also affected.

One cannot trust the privacy and security that a service provider offers. We must take it upon ourselves to better protect our online identities from mishaps of the services we use. Using password managers to ensure we do not reuse the same password between services, and ensuring multifactor authentication is used on every service that offers it, is the only way to protect ourselves.

State Sponsored Probing Internet of Things Devices

In order to beef up security of consumer based Internet of Things devices, Japan will now scan IoT devices within its borders. Beginning mid-February, the National Institute of Information and Communications Technology will attempt to break into an estimated 200 million devices. The institute has compiled a list of generic usernames and passwords commonly used by manufacturers for default login credentials. Is this a good thing?

In 2018, the FBI warned citizens to reset their home routers because of a potential threat (Why the FBI wants you to reboot your router — and why that won’t be enough next time). In 2016 Deutsche Telekom in Germany was down due to an infection of consumer based routers which affected 900,000 consumers (900,000 Routers Knocked Offline in Germany amid Rumors of Cyber-Attack). It took the telecom provider two days to get the word out as most, if not all, of its customers used it for data and voice. Why did it take so long and how did 900,000 routers get infected? One simple answer: the management interface was exposed to the public internet. This allowed the botnet to quickly infect consumer based routers. Once a router became infected, it then scanned the internet looking for other routers to infect.

Japan’s attempt to detect unsecured IoT devices is a good thing, to a point. The Institute has not come out to say what they will do when an unsecured device is detected. Will they send notices to citizens? How will manufacturers be held accountable? What types of fines will be given for poorly secured consumer IoT devices? This is definitely a step in the right direction; however, it does not appear at this time that they have fully thought through the repercussions.

2019 State of Password and Security Behaviors

This year Yubico teamed up with the Ponemon Institute to deliver the 2019 State of Password and Authentication Security Behaviors report. The report sampled around 15,000 participants from around the globe and touched on topics including privacy and security. The report depicts the grim reality in which we still live today with regard to passwords and their use. For instance, 69% of respondents share passwords with their co-workers. That number equates to 10,350 of the 15,000 people who responded to the survey. Other statistics show:

  • 51% reuse passwords across business and personal accounts
  • 67% do not use multifactor authentication (or 2 factor authentication)
  • 57% have experienced a phishing attack and never changed their password

Though the report depicts what security professionals have stated for years about what not to do, respondents were also asked what their top 3 concerns for data security and privacy were:

  • Social Security Numbers or Citizen ID’s
  • Payment Account Details
  • Health Information

Their top reasons for the concerns were:

  • Government Surveillance
  • Connected Devices
  • Growing Use of Mobile Devices

The report also went on to state that the annual loss due to employee misuse of passwords and poor authentication averages around $5.2M. Again, we need to start doing a better job at evangelizing security best practices to our family, friends, and co-workers on what to do to better protect themselves. You can read the full report at the following link: Yubico Authentication Report.

The Need for Better Transparency In Data Breaches

We hear of new data breaches almost every day, so many that we have reached the pinnacle of “breach fatigue,” a feeling where consumers are tired of hearing about theft of personal information due to carelessness on the part of a company. From Equifax and Yahoo! to Cambridge Analytica, our personal, sensitive information is out on the public internet. Poor cyber security practices are just one of the main issues of data theft among organizations. The second is how companies respond after a breach has occurred.

Google is now part of a long-standing problem we see today, and that is hiding information from consumers with regard to a data breach. This latest breach, affecting the Google+ platform, exposed half a million user records through a flaw in their API, a flaw which the company had known about since 2015. To make matters worse, Google knew of the breach in March of 2018 and yet it did not disclose this information until October 8. This is not the first time a company failed to disclose a data breach. Yahoo! was fined $35 million for not disclosing its breach which occurred in 2014. Why was there such a delay in the announcement and why do lawmakers allow this to continue?

The U.S. does not have a federal law which protects consumer privacy. This need for protection has been left up to the states to enact privacy laws, which most states have done. However, more oversight is needed to ensure better transparency between companies and consumers. Without additional oversight, this unfortunate practice of withholding breach information will only continue.

So what is next for Google? The typical, “…the implementation of better privacy and security protections.” We have heard this story before. The surprising action is that Google is now shutting down Google+ for good. Google+ could have been a great platform, though the market is saturated with social networking sites. Hopefully Google will stay true to their word and Congress will have a wake-up call.

For more information on Google’s breach head over to the Wall Street Journal – Google Exposed User Data, Feared Repercussions of Disclosing to Public.

Russian Hackers Targeting US and UK Critical Infrastructure

Over the last few weeks, Russian hackers have coordinated attacks against individuals, governments, corporations, and Internet Service Providers. These attacks are currently being directed toward IoT devices, home based modems, and corporate routers, switches and firewalls. This is an attempt to create an organized attack against the US and UK and potentially bring down critical infrastructure.

There are a couple of reasons why these attacks are occurring against these two countries. First, the exile of diplomats from Russian embassies after a Russian spy was poisoned in the UK. Second, in early April, hackers went after Russian network equipment using a known Cisco configuration tool that was exposed to the public Internet. Once hackers had access to the network equipment, they were able to not only delete the configurations, but also leave behind a message saying, “Don’t mess with our elections” and a picture of the American flag.

There are simple changes that you can make to your company infrastructure, even your home equipment, to safeguard assets that you own.

  • Change default passwords – The default username and password on most Cisco equipment is cisco/cisco. This credential provides administrative access to the router or switch and must be changed prior to placing the device into production. Changing the default password on all equipment should be the very first thing you do.
  • Maintain system level updates – Ensure that you are patching your network equipment at least quarterly, if not sooner, depending on the types of known vulnerabilities. The Cisco configuration tool that was used to hack into the Russian routers had a known vulnerability.
  • Place access lists on management interfaces – There is no reason to have a way to log into a piece of equipment from anywhere in the world. There are ways of placing firewall rules on network equipment to only allow authentication attempts from known trusted networks.
  • Replace end of life/end of support equipment – High end network equipment can cost hundreds of thousands of dollars. Ensure that your organization is budgeting for replacement of aging devices so that you can continue to apply patches to your network and security equipment. A breach of information, or a complete network outage, could have significantly higher costs to fix the issues due to downtime than it would have if you purchased newer equipment with support and maintenance.
  • Stop using clear text protocols – Most legacy equipment only supports Telnet or clear text web traffic. This equipment should either be pulled out of production and placed into a lab, or discarded altogether. It is a requirement nowadays to use encryption for all remote administration and even network monitoring protocols such as SNMP. If you cannot remove the equipment from production, it is recommended that a project plan is in place to replace older legacy equipment. If replacement cannot be performed in a timely manner, the use of compensating controls, ranging from authenticating from known trusted networks to creating an out-of-band management network, is advisable.

There are definitely some quick wins that you can put in place to better protect your network equipment from being attacked, whereas others may take a while to implement due to budget constraints. In either case, these tips will help create a heightened layer of security for your overall network equipment.
