Tag: Risk

Defense

Changing a security posture requires changing your own behaviours

I’m sure you will have had a marketing firm or some random sales person on Linkedin tell you that security should be simple and that their product will save you from all the ATPs and nation state hax0rs under the sun. However let’s get real, thats almost certainly not true and also security isnt simple or we’d all be out of jobs and everyon woulndn’t be getting owned all the time.

Getting real
I think there’s a huge honestly part that needs to occur if you are going to actually improve a companies security posture.

Leading and acting in a manner which doesn’t contradict the message

Don’t be unrealistic – absolute security doesn’t exist, if someone is talking in those terms they are probably bullshitting and are highly unlikely to be an actual practitioner

Sort out the commmon vectors, phishing and exposed insecure configurations are clearly areas to focus on but also you should assume breach and harden the inside of your networks! (too many people don’t do this)

People like efficiencies, improvements when they don’t have to be the change, chaning behaviours is really hard.

Technology costs money, I hate to break it to people but if your approach to technology management is solely on the bottom line that is going to have a significant impact not only on your business operational capabilities but from a security point of view you are likely going to be in a weak posture. Don’t get me wrong you don’t need to buy ALL the things but expertise, logging, monitoring and management tools/technical tools cost money. Don’t shoot the messenger but don’t expect the moon on the stick either (it’s just not realistic).

Cyber Criminals operate in all time zones, your staff likely use company computing assets across a range of hours and probably sometimes in the evenings and weekends. Your security operations capability needs to be able to cover this (accepting the risk entirely is a bonkers idea, at least put people on call, oh and that means paying them too!)

The biggest improvement step to me is the cultural one, it’s the change from ignoring, assuming it ‘won’t happen to me’ and when people who are in leadership and management positions stop using bad practises. Being honest and recognising security is a challenge, it’s not a project, it’s a way or running and managing technology services.

By having a strong security posture you will need far deeper knowledge of your business, it’s assets and it’s customers. This sounds like a massive business advantage to me!

Defense

The grass is always greener, until it is not

A PwnDefend Story – Day 7

It is a blur so far, I figured after the last place the grass would be greener, surely no one else has that many security challenges. I did some due diligence during the interview process, they seemed very confident about having certifications and that they took security seriously. hell, that should have set some red flags off but even the cynical sometimes hope that it is as someone says.

I have started to work myself around the board and I am making friends with people, my diary is filled with zoom calls and my notebook is already many pages deep.

You cannot make this stuff up though, day two and I’ve dealing with a business email compromise incident, the phishing page was not even in good English but then it only takes a second or so whilst in a meeting to not quite realise your running on autopilot so you cannot blame people. Hell, the branding was copied so we know it was a targeted phish. It would have been nice to at least had centralised logs for the team to analyse though. Read more “The grass is always greener, until it is not”

Defense

Field Notes – Just Patch

Windows update stuck at 0% download status

Often is we find an environment missing software updates it’s easy for someone without hands on experience to say, ‘just patch’. Outside of change requests, outside of authorisation, maintenance windows, roll back plans, communications etc. there is also the fact that ‘just patching’ isn’t that simple. Even for fairly standard patching tasks using Windows Updates you sometimes hit a snag. Today I’m looking at exactly that issue on a server, so I thought I’d post the steps to resolve an issue but also, I think this is a nice way to highlight the realities of patching.

We show a GUI and command line (PowerShell) method to achieve this result (the PowerShell isn’t fancy but I figured you could go away and upgrade that if you fancied some fun). Windows update sometimes has issues (does not all software!) and it is sometimes that we need to help it along the way, so let’s get too it! Read more “Field Notes – Just Patch”

Breach

Extortion and Ransomware – A lethal Combination

A Brief History of Ransomware

Ransomware is not that new, I remember back during the msblaster incident I said to a friend, it is a good job whoever wrote this worm was not evil because they would have simply encrypted or deleted all the data post infection. Hell, I can barely remember when that was, I think it was late 2003. Ransomware has been around since the 1980s but not quite in its modern form (it started with the AIDS malware scam). Fast forward to the mid 2000’s and criminals were using encryption but that wasn’t a norm and things only really started to take a bad turn around 2012/2013 with Cryptolocker. The next major global events were WannaCry, NotPetya and Badrabbit. Read more “Extortion and Ransomware – A lethal Combination”

Defense

Vulnerability Management Realities

Trust but verify

Someone tells you they have fixed something, now go and check! You might find that it is not actually fixed, or that the ‘fix’ made the issue worse (or makes new vulnerabilities appear). You might however also find that the vuln is gone.

Wow so many options, but the reality is with this space is that you have to keep checking, you also need to validate.

Validation is key, people do not say that think it is fixed because they have not done something, we all have scenarios where we make a change, assume it works and then find out later that maybe a bit more testing would have helped (I have this too!). Read more “Vulnerability Management Realities”

Defense

Everything must be agile but is that really always…

A lot of people talk about AGILE but the normally mean ‘agile’ however when it comes to security testing and penetration testing (to me there is most certainly a difference) we need to be mindful of the different approaches, so we select the right one for the context, scenario, and objectives.

In this post we take a brief look at what we recommend for a range of scenarios and we look at the key differences and what some constraints might mean when it comes to approach selection.

Read more “Everything must be agile but is that really always the best way?”
Digital Butterfly Defense

Change Management 101

Managing Change (and releases)

This is an area that I think some might be interested in. I have worked with orgs of all shapes and sizes and one central area I find people struggle with is change management. I am not talking about organisational change management (that is another) but I am talking about the change of information systems or security controls.

Now you might be familiar with ITILv3/2011 and the PROCESS of change management or you might be in the new practise world of ITIL4 where it is called change enablement, or you might have no idea what I am rabbiting on about. That is ok that is why we are here!

The purpose of change management is (according to ITIL) to help minimise the risk of change for IT services.

Read more “Change Management 101”
Defense

Active Directory Security: Securing the crown jewels with PingCastle…

Securing the crown jewels

At the heart of most organisations are a Windows server active directory domain (or multiple of these), yet one of the most common findings when we review organisations security postures are there are significant weaknesses in their active directory deployments, both from an architectural, operational and security perspectives.

Active directory provides a range of functionality to organisations, from authentication, authorisation as well as supporting services such as printer and share listing, DNS, people/information lookups and integration for 3rd party services. It’s the very hub that links most modern networked systems together and now it’s expanded beyond the corporate walls into the cloud with integration into Azure Directory Services as part of Azure or Office 365.

Essentially Active Directory can be considered a castle whereby crown jewels are held! This may be in the form of credentials/identity or by nature of granting access to business systems that hold sensitive data (such as using AD integration to log into an HR or Finance system). Read more “Active Directory Security: Securing the crown jewels with PingCastle 2.8.0.0”

Threat Intel

Welcome to Threat Week!

Welcome to the first instalment of threat week, the concept of threat week is to provide regular updates on threats, vulnerabilities, security news to provide you with a service that cuts through the noise and enables you to improve the security of your organisation.

To give people an idea of the content we will be producing we’ve published the following below. The concept is to tailor the content to your specific organisation as we’ve been doing with our customers. To start this process, after your subscribe one of the team will be in touch to discuss your specific requirements.

Vulnerabilities

Vmware releases patches for ESXi, Fusion and Workstation to remove data leakage vulnerabilities!

https://www.vmware.com/uk/security/advisories/VMSA-2018-0016.html

Hackers are targeting CISCO CVE-2018-0296

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-asaftd

Threat Trends

Threat Trend – Ransomware declines whilst Crypto mining malware becomes king of the hill for attackers

http://www.newsweek.com/crypto-mining-malware-outbreak-infected-500000-computers-single-day-836145

Security News

Ticketmaster breach – Most of you will be aware that Ticketmaster was involved in a cyber incident. The NCSC has published guidance for customers who suspect their account have been compromised.

https://www.ncsc.gov.uk/guidance/ncsc-advice-ticketmaster-customers

Read more “Welcome to Threat Week!”