Leadership

Tabletop: “you have 400 servers; 800 users and your…

CISO Tabletop Scenario Intro

I thought it would be fun to explore what people do with regards to Cyber Securityleadeship, budgets, contraints and realities of business change. So here’s a blog post to supliment my thread on twitter:

MrR3b00t | #StandWithUkraine #DefendAsOne on Twitter: “Tabletop: you have 400 servers, 800 users and your cyber security budget is 100K…. what do you do? https://t.co/Nw0Pd7rH8L” / Twitter

please note: the list below is based on experiance, it’s also a list I made whilst drinking about half a cup of tea so it’s not complete or “the answer” it’s just some observations about an approach I advocate.

Read more “Tabletop: “you have 400 servers; 800 users and your cyber security budget is 100K…. what do you do?””
Leadership

Why do “we” suck so badly at digital security…

Everything is fine until it’s not

I’ve been travelling to different organisations and visiting different networks for a while and whilst each organisation is unique (they really are) their operating models, technology challenges and weak security postures generally aren’t as unique as the organisational itself.

One thing that does spring to mind however is that there is a massively common pattern we find with organisations.

  • Those that invest well have better postures, better technology experiences and an improved security posture.
  • Those that don’t historically invest well, well they have quite the opposite:
    • They don’t train staff
    • They have very weak postures
    • They carry an extraordinary volume of business risk

One thing that is common though, is that all of this tends to link to financial investments, so executives and boards usually have some idea if they are spending or not in this space, what they commonly don’t have a good view on is they getting what they “thought they were buying”. Sadly, too often what they assumed was “in the box” with the “IT provision” with regards to quality and cyber security just simply isn’t the case. Everything is fine, until you look… then it’s less than fine! So, what can we do about it?

Read more “Why do “we” suck so badly at digital security ?”
Defense

CVE-2022-26809 – Critical Windows RPC Vulnerability

Vulnerability Information

RatingCritical
CVEcve-2022-26809
MITRECVE – CVE-2022-26809 (mitre.org)
CVSSCVSS:3.1 9.8
ImpactRemote Code Execution (RCE)
Exploit in the wildCurrently not observed
Difficulty to Exploit (if PoC available)Very Low
Network PositionTCP/IP Routable or Network Adjacent
Authentication Required to ExploitNo
AffectedWindows Client/Server OS
Typical Service PortsTCP 135,139,445
Vendor Patch AvailableYes
Exploitable in Default OOB (out of the box) configurationUnknown
Exploitable Client/ServerBelieved to be client and server side exploitable
Read more “CVE-2022-26809 – Critical Windows RPC Vulnerability”
Leadership

Cyber Realities: Impacts of Cyber to Business

Introduction

This post stated out as a technical post about commonalities found in the field that vary based on business operating model, IT capability and vectors used by threat actors. Whilst writing this it led more into business leadership, governance and investment risks. How do these two subjects’ interface? Well to be honest they are the same thing from a different lens.

In this post we are going to look at:

  • Common Technology Deployment Models and the associated threats/risks/vulnerabilities
  • Common challenges I find in organisations
  • And finally, a question… is this the business outcome that you want
Read more “Cyber Realities: Impacts of Cyber to Business”
Architecture

The difference between what can be vs what often…

I’ve travelled all over the internet, I’ve worked with logs of organisations from banks through to small ISVs and one thing I would say is fairly universally true. What can be isn’t what is.

There’s a lot of different operating models and technologies in the world. There’s logs of differen’t specifics. This diagram here is not mean’t as a refrence architecture but more as an indicator.

There is also a massive reality people must understand, cyber good most definatley costs more at the point of deployment than cyber bad. Cyber bad’s ROI is truly variable and in mind mind is too hard to measure. For one org with cyber bad can experiance a significant breach (and cost) and another may have lady luck on their side.

Read more “The difference between what can be vs what often is – Cyber Architecture”
Log4Shell Defense

Log4Shell exploitation and hunting on VMware Horizon (CVE-2021-44228)

TLDR

Go and run this on the connection servers:

https://github.com/mr-r3b00t/CVE-2021-44228

It’s crude so also look for the modified timestamps, recent unexpected blast service restarts and if you have process logging go and check for suspicious child processes over the period. Once you have checked, run a backup, then if they aren’t patched, patch the servers! (i know patching isn’t as simple as just patch!)

Read more “Log4Shell exploitation and hunting on VMware Horizon (CVE-2021-44228)”
Defense

Post Business Email Compromise actions for Office 365 Users

If you have a business email compromise incident and you haven’t deteced it in a timely manner your fist notification might be a bad experiance, the threat actors may have commited fraud, attemped fraud or simply launched a phishing If you have a business email compromise incident and you haven’t detected it in a timely manner your fist notification might be a bad experience, the threat actors may have committed fraud, attempted fraud, or simply launched a phishing campaign from your environment. If you are in this position, there are some steps you can take from a technical point of view to limit impact and reduce risk of a re-occurrence. This blog is a high-level view at some of the tactical and longer-term activities you can conduct.

Read more “Post Business Email Compromise actions for Office 365 Users”
Copyright (c) Xservus Limited