Gregory FCA blog: Get Your Cyber Security Firm Into Any News Story

It’s a precarious life for those who make a living marketing security services. The call could come anytime. From the product side or the C-Suite. I got together with

“Why aren’t we generating more awareness? Why does the media cover our competitors and not us? What can we do to create interest so that prospects know about us and include us in RFPs?”

Maybe it’s because your pitches aren’t creative enough?

Or they fail to understand how to engage the media?

Or they simply don’t give editors and reporters what they really want–and that’s something they haven’t heard before.

Consider these approaches:

1.  Fear sells and it’s a primary driver of media reporting. While the mass media is well aware of the Dark Web, they still don’t know enough and should report more on it to help protect their readers and viewers. What’s a cyber security firm to do? How about partnering with media on a story with a pitch that reads:

Subject: “We just did a Dark Web search on your three of your anchors, and what we found should scare you and your viewers.” 

The mass media–especially TV–loves it when their anchors or reporters personalize a story and put themselves in the shoes of their viewers. A smart PR campaign targets the media with that in mind, does the research and heavy lifting upfront and then offers to frame and work with them on the story.

2.  Crypto is all the rage. The media is desperately searching for clever ways to cover it and to engage and interest their readers and viewers in it. Cyptomining malware combines too big, fat scary angles to interest reporters with pitches like:

Subject: “How criminals are using your phone to make millions by mining bitcoins without you even knowing it.”

This angle brings to light an under reported threat that impacts general consumers and plays well to a wide range of media–everything from business magazines and TV news to popular magazines and morning network TV talk shows. A well constructed pitch that explains this threat and offers expert advice on protecting against it is exactly the kind of on-trend pitch the media jumps on.

3.  Make it contemporary. The very word NEWS comes from the root of NEW. The media loves to tie their stories to what’s happening in popular culture–even the trade and B2B media are open to the approach. Referencing entertainment, the news or pop culture provides a touchstone that immediately conveys meaning. Here’s a pitch that accomplishes all that and more:

Subject: “Liam Neeson they’re not. More companies are paying ransomware than trying to restore data from dated backup technologies.”

Where would you take your pitch from there? How about:

So you think you’re a tough guy like Liam Neeson in one of those hookey kidnap thrillers? And you’re ready to fight back if someone should hold ransom over your data?

No you’re not.

Increasingly companies are capitulating to data thieves and simply paying the ransom rather than from their own backup systems. Why? Many backup systems are simply too old and unreliable to…“.

So the next time you get that call questioning your PR strategy, remember, the media is often a willing partner in reporting on cyber security topics that impact the world. The key is to relate to the media on their terms, offering them creative angles that attract more viewers and readers to their online, print and broadcast properties. The undeniable pitch is for real and only limited by your own imagination and creativity or that of your PR partner.

CSOonline: How Risk-Based Authentication has become an essential security tool

It used to be that adaptive authentication (also called risk-based authentication or RBA) forced a trade-off between usability and security, but that is no longer the case. A few years ago, security managers placed security above usability, forcing users to be like Chicago voters: authenticate early and often. Today’s RBA tools can improve overall customer experience and help compliance regulations as well as simplifying a patchwork of numerous legacy banking technologies.

Based on my experience with some of these products, RBA has matured and become more compelling, particularly when compared to static and more traditional multi-factor authentication (MFA) methods. RBA has also become more compelling as the typical enterprise attack surface has expanded and evolved.

In this article for CSOonline, I discuss some of these compelling reasons for RBA, some of the leading RBA vendors, and what potential buyers should consider.

Veeam papers on ransomware

I wrote a series of papers for TechTarget, sponsored by Veeam, mainly about ransomware. Here are links to download each paper (reg. req.):

  1. Understanding different types of phishing attacks. As we all know by now, all it takes is just one phishing message to slip by our defenses to ruin our day. Just one click, and an attacker can be inside our network, connecting to that single endpoint and trying to leverage that access to plant additional malware, take control over our critical servers, and find something that can be used to harm our business and steal data and money from our bank accounts. In this paper, I talk about the many different variety of phishing attacks and their increasing sophistication.
  2. How the role of backups have changed in the era of ransomware. The role of backups has changed in the modern era and this paper describes this evolution. As attackers are getting smarter and more focused, IT managers have to also change with the times. Attackers are getting more adept at penetrating networks, necessitating that backups have to become more sophisticated and cover a multitude of circumstances, threat models, and conditions. And as we change the way we work, the way we consume data, the way we build our business computing systems and the way they depend on more complex online systems, we need to change the way we make backups too.
  3. Tips on defending your network against ransomware. Defending your network and preventing your users from getting infected with ransomware means more than just implementing various firewalls and network intrusion systems. It is about creating a culture of being resilient.  It is developing a concerted backup and recovery process that will cover your systems and your data assets, so they will be protected when an attack happens and your business can return to an operational state as quickly and as inexpensively as possible. In this paper, I share some tips for making your systems more resilient.
  4. Fighting ransomware with tape and cloud: a backup field guide. The old standby of data protection, tape backups, is still alive and well in many IT shops. Ironically, it is making a resurgence because of ransomware and other malware attacks. We don’t know what tomorrow’s threats will look like, and there is a lot of risk to having something online that is connected to a network with these types of threats today. While tape has had a long history as a backup medium, the cloud can complement tape backups too, as I describe in this paper.
  5. Steps to an effective phishing defense program. When it comes to defending your network, many enterprise IT managers tend to forget that it is the people behind the keyboards that can make or break their security posture, and sometimes the people matter more than the machines. Phishing is happening all the time, to every organization. The trick is understanding this dynamic. I describe four different steps you can take to improve your defenses.
  6. The story of how the city of Atlanta reacted against a ransomware attack at the end of March 2018 is instructive both in terms of what not to do and how expensive such an attack can become. The city actually experienced two separate attacks, one that began March 22 and another on April 5. My paper describes the series of events and how the city got attacked.

CSOonline: Honeypots as deception solutions: What to look for and how to buy

Honeypots are once again in the news. If you stopped by the Watchguard booth at last month’s RSA Conference in San Francisco, chances are good that you connected with one of its Wifi hotspots. Those hotspots were there to log how many people would try to connect to an open network. Watchguard found that the average length of time spent connected was more than enough to compromise the connection. Recently, researcher Doug Rickert has been experimenting with the open source Cowrie SSH honeypot, writing about it on Medium. He found an average of at least 200 daily attempts, a few of them from serious hackers who tried to penetrate his honeypot further.

In this post for CSOonline, I talk about what makes honeypots so compelling as a security solution, what are some things to look for when you are thinking about purchasing a more thorough commercial deception package, different types of honeypots, and a table that links to some of the more popular solutions.

Keeping your home safe from the Internet of Bad Things

Back before we had nearly universal broadband Internet in our homes, the only safety electrically-powered device that we had to worry about was to replace the batteries in our smoke detectors every six months. With the Internet of Things, we now have a lot more capabilities, but a lot more worries.

Some friends of mine have 23 connected devices to their home network: a Nest thermostat, security cameras, Alexa, smart TVs, network printers, gaming systems, smart watches and their computers. I am sure I have forgotten a few others. All of them can be exploited and used for evil purposes. Think of them as that back door to your home that is wide open.

This exploit for smart TVs was a news item last year. It uses a special digital broadcast signal to gain access to your TV’s firmware. I have been trying to update my firmware for weeks with no success, but I guess hackers are more adept. Still, this is a major concern for IoT devices both in the home and in the workplace. Many device makers don’t have any firmware update mechanism, and those that do don’t make it easy or automatic for users to do it. And devices are usually not monitored on corporate endpoint protection tools, which are usually designed for Windows, Mac and Linux machines.

Part of the problem is that the number of IoT devices continues to climb, with estimates in the tens of billions in the coming years. These devices are seemingly everywhere. And they are an attractive target for hackers. Hajime, Mirai, Reaper, Satori and Amnesia are all IoT-based malware that has been seen in the past couple of years. The hackers understand that once you can discover the IP address of a device, you can probably gain entry to it and use it for evil purposes, such as launching attacks on a corporate target or to leverage access to a corporate network to steal information and funds.

So what can you do? One friend of mine is so concerned about his home network that he runs his own firewall and has two different network-attached storage devices that make copies of his data. This enables him to get rid of having any data on his computers and removes all at-risk programs on them to further secure them. That is probably more than most of us want to do, but still it shows the level of effort that you need to keep things safe.

If you aren’t willing to put this much effort into your home network, here are a few easier steps to take. First, make sure you change all of your devices’ default passwords when you first install them – if you can. Some products have a hard-coded password: if security is a concern, toss them now. Second, if you don’t have a firewall/router on your home network (or if you are using the one supplied by your broadband provider), go out and get one. They now cost less than $100 and are worth it if you can take the time to set them up properly to limit access to your networked devices. Next, make sure your Wifi network is locked down appropriately with the latest protocols and a complex enough password. If you have teenagers, setup a guest network that limits their friends’ access.

Granted, this is still a lot more work than most of us have time or the patience for. And many of us still don’t even replace our smoke detector batteries until they start beeping at us. But many of you will hopefully be motivated to take at least some of these steps.

Learning about what data your social networks keep about you

Brian Chen’s recent piece about social media privacy in the NY Times inspired me to look more closely at the information that the major social networks have collected on me. Be warned: once you start down this rabbit hole, you can’t unlearn what you find. Chen says it is like opening Pandora’s box. I think it is more like trying to look at yourself from the outside in. There is a lot of practical information and tips here, you might want to file this edition of Web Informant away for future reference when you have the time to absorb all of it.

Why bother? For one thing, the exercise is interesting, and will give you insights into how you use social media and whether you should change what and how you post on these networks in the future. It also shows you how advertisers leverage your account – after all, they are the ones paying the bills (to the news of some US Senators). And if you are concerned about your privacy or want to leave one or more of these networks, it is a good idea to understand what they already know about you before you begin a scrub session to limit the access of your personal information to the social network and its connected apps. Also, if you are thinking about leaving, it would be nice to have a record of your contacts before you pull the plug.

None of the networks make obtaining this information simple, and that is probably on purpose. I have provided links to the starting points in the process, but you first will want to login to each network before navigating to these pages. In all cases, you initiate the request, which will take hours to days before each network replies with an email that either contains a download link or an attached file with the information. You need to download the file(s) within a certain time limit, otherwise the links will expire and you will have to issue another request.

The results range from scary to annoyingly detailed and almost unreadable. And after you get all this data, there are additional activities that you will probably want to do to either clean up your account or tighten your privacy and security. Hang on, and good luck with your own journey down the road to better social network transparency about your privacy.

Facebook:  https://www.facebook.com/dyi?x=AdkA0Kau6MLj_7I0

Facebook sends you an HTML collection of various items, some useful and some not. You download a ZIP archive. There is a summary of your profile, a collection of your posts to your timeline, a list of all of your friends (including those who have left Facebook) and when you connected with them, and any videos and photos that you have posted. Two items that are worth more inspection are a list of advertisers that have your information: I noticed quite a few entries to more than a dozen different state chapters of Americans for Prosperity PACs that are funded by the Koch brothers. Finally, there is a list of your phone’s contacts that it grabbed if you ran its Messenger application, which it justifiably has been getting a lot of heat for doing. Note that this is different from your friend list.

LinkedIn:   https://www.linkedin.com/psettings/member-data

LinkedIn sends you a ZIP collection of CSV files that you can open in separate spreadsheets that contain different lists. There are your contacts (which they call your connections), your messages that you have exchanged with other LinkedIn members, recommendations that you have made and have been sent to you, and other items. Most of the files contained just a single line of data, which made looking at all of them tedious. LinkedIn actually sends you two collections of files: you should ignore the first one (which you get almost immediately) and wait for the “final” archive, which is more complete and arrives several hours later. Most of this data is rather matter-of-fact. One file contains a summary of your profile that is used for ad targeting, but there is no list of advertisers like with the other networks. Another file contains the IP addresses and dates of your last 50 logins, and another contains the dates and names of people that you have searched for on the network. What bothered me the most about my list of LinkedIn connections was the number of them differed by two percent from what is displayed on my LinkedIn home page and in the spreadsheet itself. Why the difference? I have no idea.

Google:  Takeout.google.com

Google operates somewhat differently and more opaquely than the others mentioned here. First, you go to the link above, which is a separate service that will collect your Google archive. The screen shot shows you just some of the dozens of different Google services that you can select to use in the gathering process. In my experiment this process took the longest: more than three days, whereas the others took minutes to several hours. Even before you get your archive, scanning this list and selecting which services you want included in your report is a depressingly lengthy activity.  When I finally got my archive, it spanned three ZIP files and more than 17GB in total, which is more than all the others combined.

However, that is just the beginning. When you bring up a web page that shows the various Google services, you have to separately extract the data for each service individually and each service uses it own data format that you then need to view in a particular application: for example, your calendar items are in iCal format, your email data is in MBOX format, and others are extracted in JSON format. Analyzing all this information can probably take a data scientist the better part of a few days, let alone you and I, who don’t have the tools, dedication or time. If you are thinking of de-Googling your life, you will have to do more than just switch to an iPhone and give up Gmail.

But wait, there is more: emails that you delete or find their way into your Spam folder are still part of your archive. In the Googleplex, everything is accounted for. Note that if you have uploaded any music to Google Play Music, this data isn’t part of your archive and you’ll have to download that separately.

Twitter: https://twitter.com/settings/account

Twitter will send you two files: one that is a PDF attachment that contains a list of all the advertisers that have your information, but the advertisers’ names are shown in their Twitter IDs and thus not very meaningful. The second document is an Html collection of all your tweets, and you can bring up your browser or access the data via in two formats: JSON and CSV exports by month and year. Notice that there is nothing mentioned about downloading all of your Twitter followers: you will have to use a third-party service to do this. One thing I give Twitter props for is that you have a very clear series of settings menus that might be useful to study and change as well, including connected apps and privacy settings. Facebook and LinkedIn constantly are rearranging these menus and make changes to their structure and importance, which makes them more difficult to find when you are concerned about them. But Twitter at least give you more control over your privacy settings and tries to make it more transparent.

Action items

So what should you do? First, delete the Facebook Messenger phone app right away, unless you really can’t live without it. You contacts are still preserved by Facebook, but at least going forward you won’t have them snooping over your shoulder. You can still send messages in the Web app, which should be sufficient for your communications.

Second, start your pruning sessions. As I hinted in the Twitter entry above, you should examine the privacy-related settings along with the connected apps that you have selected on each of the four networks. The privacy settings are confusing and opaque to begin with, so take some time to study what you have selected. The connected apps is where Facebook got into trouble (see Cambridge Analytica) earlier this month, so make sure you delete the apps that you no longer use. I usually do this annually, since I test a lot of apps and then forget about them, so it is nice to keep their number as small as possible. In my case, I turned off the Facebook platform entirely, so I lost all of these apps. But I figured that was better than their hollow promises and apologies. Your feelings may be similar.

Third, protect your collected data. Don’t leave this data that you get from the social networks on any computer that is either mobile or online (which means just about every computer nowadays). I would recommend copying it to a CD (or in Google’s case, several DVDs) and then deleting it from your hard drive. Call me paranoid, or careful. There is a lot of information that could be used to compromise your identity if this gets into the wrong hands.

Finally, think carefully about what information you give up when you sign up for a new social network. There is no point in leaving Facebook (or anyone else) if you are going to start anew and have the same problems with someone else down the road. In my case, I never gave any network my proper birthday – that seems now like a good move, although probably anyone could figure it out with a few careful searches.

CSOonline: 4 open source red-team ATT&CK-based tools reviewed

In an article that I wrote last week for CSOonline, I described the use of a red team framework from Mitre called ATT&CK. in my post this week, I compare four free open source tools that leverage this framework and how they can be deployed to help expose your network vulnerabilities. The four tools are:

  • Endgame’s Red Team Automation (RTA),
  • Mitre’s own Caldera,
  • Red Canary’s Atomic Red, and
  • Uber’s Metta

Each have their good and bad points. You can read my review here.

FIR B2B #94 podcast: Panera Dread

Panera Bread’s reaction to a breach of its customer records is a classic example of what not to do on so many levels that it’s hard to know where to start. Officials lied to reporters about the nature and extent of the breach, treated the security experts that knew what actually happened with disdain, took months to recognize the existence of the breach only after others revealed it to the public, told people that the leak was fixed when it wasn’t and glossed over the real issue: a major IT flaw in its application program interface specs that caused the breach to begin with (as well as another this week at P.F. Chang’s). It didn’t help matters that the chief information security officer at Panera came there from a similar job at Equifax in 2013.

The reaction from Ragan is a good summary of what happened and how the situation was mis-handled, and if you want more specifics from the security researcher that first found out about the flaw last August, can read this post on Medium. That latter link reproduces the email messages that showed how the company ignored the researcher’s notification. Firms need to hold themselves to better accountability, have breach plans in place, and make it easier for security researchers to submit vulnerability disclosures in a non-threatening and simple way.

My 14 min. podcast with Paul Gillin can be played here.

Security insider: Ben Rothke, Nettitude Group

Ben Rothke is a Principal Security Consultant at the Nettitude Group and is a CISSP, CISM and PCI QSA. He has over 15 years of industry experience in information systems security and privacy. He is the author of Computer Security: 20 Things Every Employee Should Know, and authors The Security Meltdown blog for CSOonline.

I first met him in Israel on a tour of infosec companies and he always has something thoughtful and interesting to say. Given his tenure, it isn’t surprising that his first major security issue that he can recall was a misconfigured firewall that was letting a whole lot of Internet traffic in. It took him a few hours to figure out the correct configuration. As he said, “everything old is new again when it comes to information security!”

Since he does a lot of PCI compliance work, his go-to tool is Ground Labs Card Recon tool for cardholder data discovery. He also uses tools from Skyhigh Networks and the native AWS security services as well. “The native AWS controls do go a long way to help configure and debug security configurations of their cloud services.” Another tool that he personally uses is Norton Mobile Security to protect his mobile devices. He also uses LastPass for managing his password collection. “I was concerned when they had their breach about putting all my eggs into one basket, so yes, you have to be prepared for that.”

“Nowadays you pretty much know when someone is trying to social engineer you,” he says. You can tell when you get an odd Facebook message or some dopey email, such as someone’s wallet has been stolen while on a trip and you haven’t heard from that person in ten years.” But the attackers have the odds in their favor: “All it takes is a couple of folks to click on the bait and they are living the high life.”

Over the last 18 months he has personally seen three different ransomware cases. For two of them, “they had good backups and ignored the ransom demands and were fine,” he said. The clients were able to reimage their machines and went about their business. However, with one client, “they had no leverage and had to pay the $600 ransom and learn from it. But now they have good backups, they took the attack as a wakeup call.” We commiserated on the fact that “you can’t have too many backups. Now that we have the cloud, it is easier, you can have a huge amount of data backed up without any tapes anymore.”

“Sometimes I see clients that have some rivalry between two different IT divisions,” he says. “It is like the competition between the police and fire departments. But they have to work together, and try to avoid finger pointing, and let them work it out and work together and understand each other’s point of view. Some companies are integrated better than others.” He says there isn’t any real magic to this integration. “It is more of a culture issue. If you are part of the same team, and guys are sitting near each other on the same floor, it is easier for one person to hand off to another and interact with them and build mutual trust.”

Part of the challenge is that everyone needs to be operating “from the same playbook, and understand the same collection of systems. After all, they are all supporting the same business goals and understanding the same endgame,” he says. “The challenge is that it takes a good executive at the top, whether that be a CIO, CTO or a CISO, for everyone to work well together and for this harmony to trickle down. Without this leadership, the conflicts trickle down too.”

You can subscribe now to my Inside Security newsletter and get information such as this interview and updated security news delivered regularly to your inbox.

CSOonline: What is Mitre’s ATT&CK framework and what red teams need to know

The ATT&CK framework, developed by Mitre Corp., has been around for five years and is a living, growing document of threat tactics and techniques that have been observed from millions of attacks on enterprise networks. The funky acronym stands for Adversarial Tactics, Techniques, and Common Knowledge. It began as an internal project and morphed into this behemoth of a public knowledge base. In this post for CSOonline, I discuss what ATT&CK is, how it can be used, and how some of the numerous security vendors and consultants have picked up on using it.