Finding the right VPN isn’t so simple

Never has some imperfect corporate memory been so public before now. In recent testimony before Congress, the CEO of Colonial Pipeline admitted they had forgotten about an old VPN connection that the hackers had found and exploited. “It was an oversight,” he said. I was amazed at this revelation. Yes, we all forget about things, but this was a biggie. You might recall that a few years ago Avast had an unauthorized access to an unused VPN account.

This reminded me of my own “oversight.” Turns out I had created a second user of my password manager, something that I had setup years ago and never used. This username didn’t have the appropriate password and multi-factor protections. Even within my small company, it is easy to lose track of things.

But being forgetful is just one of several different VPN problems. If you are going shopping for a VPN, you need to consider this. Some VPNs have very good digital memories and are keeping track of your digital movements, even though they claim not to log or store your data. This could be caused by the vendors who are deliberately harvesting their customers’ data. If you aren’t paying for your VPN, chances are good that is how your VPN vendor is making money.

There is another issue, that some VPNs aren’t very well constructed and contain coding errors or make use of sub-standard encryption protocol implementations. This happened several years ago, when hackers found their way into NordVPN, TorGuard and VikingVPNs. PulseSecure VPN has had its share of problems for several years, including a recent hack that enabled back doors.

Some VPNs have the potential for leaking DNS data and IP addresses of their users. Last year, a series of reports were published (one by VPNcrew, the other by VPNmentor), that demonstrated that potentially 20M users have had their private data leaked in this way.  Not helping matters is that some of the VPNs deliberately hide their corporate ownership details to disguise the fact that they have shady origins.

So how to fix this? First, find out if your VPN vendor has paid for an independent audit. McAfee’s TunnelBear, for example, does regular security audits of their code and publishes the results. My VPN of choice is ProtonVPN, which also publishes its audit results and takes things a step further by publishing its source code too. There are other open-source VPNs too.

Second, you should understand the testing rubics that the major computer publications use in their VPN ratings. If you are ready for a deeper dive, here is a detailed explanation of how rigorous your tests need to be and suggestions for testing tools. There are various tests including the DNS Leak Test and the IPLeak test. If you want to do these tests yourself, compare the output when not using any VPN to what they show when you turn on the VPN.

And you might want to review your own infosec posture, and track down “forgotten” accounts that you have created that have fallen by the wayside. You never know what you might find.

CSOonline: CSPMs explained

Every week brings another report of someone leaving an unsecured online storage container filled with sensitive customer data. Thanks to an increasing number of unintentional cloud configuration mistakes and an increasing importance of cloud infrastructure, we need tools that can find and fix these unintentional errors. That is where cloud security posture management (CSPM) tools come into play. These combine threat intelligence, detection, and remediation that work across complex collections of cloud-based applications. You can see a few of them above.

I discuss the importance of CSPMs and what you need to know to evaluate one of them for your particular circumstances in my CSOonline post.

 

Avast blog: Reimagining staffing in the cybersecurity industry

Since 1967, ISACA has been providing a centralized source of information and guidance within the IT governance and control field. ISACA’s State of Cybersecurity 2021, Part 1 report contains the organization’s update on its workforce development efforts. This is the seventh year that ISACA has surveyed its membership, and the report is based on more than 3,600 respondents from 120 countries, with more than half of them saying their primary jobs are directly in the field.

In spite of the Covid-19 pandemic, overall cybersecurity spending has dropped, which seems counterintuitive but continues to be a trend that ISACA has been documenting for several years.

You can read my analysis of their report here on Avast’s blog.

Avast blog: Time to walk away from Amazon’s Sidewalk

Amazon is releasing a new service called Sidewalk, which allows people to share their wireless network with their neighbors over a low-power Bluetooth mesh network. If you want to read more, The main benefit would be expanding the WiFi coverage for low bandwidth devices.  Amazon explains that Sidewalk would enable outdoor devices such as security cameras and smart lamps to stay connected even when wifi connection is lost as they are often at the edge of a home’s wifi coverage.  Additionally, this service can be used for Tile trackers to locate valuables.  While the service is free, there are serious privacy concerns. I’ll tell you why you should walk away in my latest blog for Avast here.

 

CSOonline: Hacking 2FA: 5 basic attack methods explained

Multi-factor authentication (MFA) continues to embody both the best and worst of business IT security practice. As Roger Grimes wrote in this article about two-factor hacks three years ago, when MFA is done well it can be effective, but when IT managers take shortcuts it can be a disaster. And while more businesses are using more MFA methods to protect user logins, it still is far from universal. Indeed, according to a survey conducted by Microsoft last year, 99.9% of compromised accounts did not use MFA at all and only 11% of enterprise accounts are protected by some MFA method. The pandemic was both good and bad for MFA uptake. I explain more about this, and touch on five ways that MFA can be compromised.

You can read more of my blog post for CSOonline here.

Give your boss this cybersec quiz

We all know that management needs to get smarter about cybersecurity. Just take any headline of the past couple of weeks to see mistakes made by some very large organizations who have been hit with ransomware, had to deal with public data exposure, or found evidence that hackers had been living inside their networks for months. So in the interests of public service, feel free to distribute this short quiz. You can grade it on a curve, or use it as a teachable moment, for better cybersecurity practice.

  1. Which is the best password security policy?
    1. Everyone’s passwords must be replaced after 60 days
    2. You can’t reuse one of the same passwords you used in the last year
    3. All passwords must be at least 16 characters long and contain symbols too
    4. Users don’t need to know their passwords because we have SSO logins
  2. Have you ever searched for potential data breaches about you or your company on the dark web?
    1. No, what is the dark web?
    2. Yes, using Tor and Onion sites
    3. Yes, and I track this using a third-party security service in near real-time
    4. Yes, we have developed our own tracking tools for this purpose
  3. How often do you run phishing simulations and awareness drills?
    1. We built our own and run them every week
    2. We built our own a year ago, but no one knows how to run them
    3. We use a third-party vendor and run them every quarter
    4. We were told by our auditors to run them but haven’t implemented them yet
  4. Who provides your DNS services for your company?
    1. Your ISP
    2. Your cloud provider (Google Cloud DNS, AWS Route 53, Microsoft Azure DNS or similar)
    3. Google Public DNS, Cisco/OpenDNS, Quad9 or similar
    4. Cloudflare, Akamai’s Enterprise Threat Protector, NS1 Domain Security Suite or similar
    5. Don’t know the answer
  5. Which is the most secure password?
    1. “Every good boy deserves favor” (passphrase)
    2. “E!bTzQZK4TCjadS4” (random collection of 16 or more characters)
    3. “Fido1234” (my dog’s name with some numbers appended, something easy to recall)
    4. Any password secured with a one-time code generator like Google Authenticator
    5. Any password secured with an SMS code
  6. When an employee leaves my company, you do the following:
    1. I have an automated way to audit my Active Directory listings and other network access controls
    2. Someone on my staff sends an email HR to terminate their login sometime after their last workday
    3. I have automated mechanisms that outboard their access
    4. I use manual methods to terminate their access on my SSO
    5. None of the above
  7. Check how many of these authentication options you personally use for your account logins
    1. SMS texts of one-time codes
    2. Authenticator smartphone apps (like Google Authenticator, Duo or Authy)
    3. Hardware keys such as SecurID or Yubikey
    4. FaceID, TouchID or equivalent on your smartphone
    5. Risk-based methods that use geolocation or other factors
    6. None other than your user name and password
  8. A cyberconsultant calls saying your software contains malware. What do you do next?
    1. Call your lawyer
    2. Call your PR department
    3. Call your IT department
    4. Call the FBI
    5. Ignore the call
  9. What part of your computer infrastructure are protected by CASB and CSPM products?
    1. Servers in your data center
    2. Servers in your cloud
    3. Laptops that you brought home at the beginning of the pandemic
    4. I don’t know what you are talking about
  10. One of your end-users is hit with ransomware. What is your next step?
    1. Call your lawyer
    2. Open a Bitcoin account pronto and get ready to transfer funds
    3. Call your PR department
    4. Call your IT department
    5. Call the FBI
  11. What is DLP?
    1. Data Loss Prevention
    2. Data level parallelism
    3. Dark Lord Potter
    4. Data leak protection
    5. Data link protocols
  12. You get an email from your IT department with a note saying you have to update critical network software, and please install the attached file. What do you?
    1. Click on the attachment and install it.
    2. Call your friend in another department and check and see if they got a similar email.
    3. Call your IT person to make sure the email is legit.
    4. Delete the email immediately.
  13. Do you have the following people on retainer?
    1. Cybersecurity law firm
    2. MSSP to handle ransomware response
    3. Accountant with a bitcoin access
    4. None of the above
  14. When was the last time you looked at your cybersecurity insurance policy terms?
    1. Last year when we got hacked
    2. Every year when it is time to renew it to ensure the terms are acceptable
    3. We don’t have such a policy
    4. Our corporate parent has a policy but I don’t know the specific terms
  15. Do you know what aspect of your cybersecurity refer to DKIM, SPF and DMARC?
    1. Your web servers
    2. Your email servers
    3. Your programmers writing more secure code
    4. Your personnel database servers
    5. I have no idea what you are talking about
  16. How did you test your disaster recovery plan?
    1. We simulated a partial cloud failure and saw what needed fixing
    2. We simulated a partial app failure and saw what needed fixing
    3. We have a full-fledged disaster recovery site and conducted an all-hands drill offsite
    4. We did none of these things
    5. We did all of these things
  17. What is a watering hole attack?
    1. When your laptop computer is infected with malware while you are at the water cooler.
    2. When your laptop computer crashes because you left some questionable content on it
    3. When your laptop computer visits a questionable website and you get infected with malware.
  18. What does a red team do?
    1. Put out management fires between conflicting policies or employees
    2. Find malware that is a potential threat
    3. Find employees that are downloading porn
  19. What additional security measures have you put in place since the beginning of the pandemic?
    1. VPNs
    2. Zero-trust networks
    3. Passwordless access using biometrics
    4. Encrypted emails
    5. None of the above

Avast blog: Can AI tell your age?

While social justice issues involving algorithms receive attention, there’s little discussion around ageist algorithmic bias. Algorithms are under attack, but so far, the score seems to be Machines: 1, Humans: 0. While we haven’t quite reached the point of Skynet Armageddon, the machines are making significant strides in keeping track and taking advantage of the various carbon-based life forms on the planet. While the social justice issues involving algorithms continue to receive some attention, there is little discussion around ageist algorithmic bias. I explore this issue and provide several links to illustrate the problem.

You can read more with my post for Avast’s blog here.

Avast blog: The Verizon data breach report for 2021

This year’s report records a rise in ransomware as well as a jump in social engineering-based breaches

What a year it has been. Nothing delineates things more than reviewing the annual Verizon Data Breach Investigations Report (DBIR), which was published earlier this month. To no surprise, phishing increased from 25% of breaches in 2019 to 36% in 2020, aided by the various Covid-themed lures. Also, ransomware loomed large and doubled its frequency from 2019 to 2020 to 10% of the breaches, as you can see in the below chart.

You can read my summary of the report here on Avast’s blog.

Avast blog: what’s up with FragAttacks?

A new series of attacks against almost every Wi-Fi router has been posted called FragAttacks. Anyone who can receive radio signals from your router or Wi-Fi hotspot can use these vulnerabilities and steal data from your devices. The issue is the design of the Wi-Fi protocols themselves, along with programming errors to certain Wi-Fi devices. Some products have multiple issues and a dozen different CVEs have been posted that document them.

You can read my blog post for Avast here.

Can we really reduce ransomware attacks?

A new report from the Ransomware Task Force — what we once called blue-ribbon panel of cybersecurity experts and non-profit organizations — was released last week. It has a long list of recommended actions to try to reduce this scourge. And while it is great that the tech industry has made the effort, it is largely misplaced.

The co-chairs of the various committees say right up front that tackling this problem won’t be easy, there aren’t any silver bullets to fix it, and no single entity has the needed resources to make much of an impact. Many of the recommendations concern actions by the federal government to try to stop it, I think public/private partnerships are going to see more success here.

Here are a few of their suggestions that captured my attention.

Action #2.1.2 recommends that cryptocurrency exchanges and other operators to follow the same “know your customer” and anti-money laundering rules as regular financial institutions, and aggressively targeting those exchanges that do not. This would restrict criminals from cashing out their ransom payouts. I think this is a worthwhile goal, but not sure how it could be enforced or even identified. There is always some semi-shady operator that will skirt the rules. Still, perhaps some crypto blogger or analyst could offer a summary of those operators that make more effort and those that just pay lip service to these very basic rules.

Action #2.3.1: Increased government sharing of ransomware intelligence with the private sector.

Action #4.2.2: Create a standard format for ransomware incident reporting.

These are both good suggestions. There are already common threat reporting formats, such as STIX and Taxii, that are used to share threat intelligence that are machine-readable and easily fit into automation solutions. But there are two issues: First, will victims be required to report incidents? Many times we only hear about attacks months or years later and many never come forward at all. Or victims post some rather gauzy information-free notices. The second issue is who will act as the central repository of this information. That brings up the following:

Action #4.2.1: Establish a Ransomware Incident Response Network.

This is another good idea. The only issue is who is going to be in charge. Part of the problem in infosec is that we have far too many organizations that overlap or operate at cross-purposes. MITRE would probably be my first choice: it is the keeper of other cybersec threat data.

Action #4.1.2 Create a federal cyber response and recovery fund to help state and local governments or critical infrastructure companies respond to ransomware attacks. This approach would be similar to the Terrorism Risk Insurance Program, which was enacted after 9/11 and has been used, albeit, infrequently, since then. It provides for a shared public and private compensation for certain insured losses resulting from a certified act of terrorism that is split 90/10 between the federal government and insurers. It could be tricky to implement, because having a definition of a ransomware attack might prove to be even more difficult than having a definite terrorist incident.

One part of the report that I found helpful and instructive was an appendix that describes the cyber insurance market, including a summary of common policy components and why you might need them. There are a series of suggestions to help improve insurance underwriting standards too, I would urge anyone who is reviewing their own corporate cyber policies to take a closer look at this portion of the report.

The report concludes with these dire words: “Ransomware actors will only become more malicious, and worsening attacks will inevitably impact critical infrastructure. Future attacks could easily combine techniques in ways that cause the infections to spread beyond their intended targets, potentially leading to far-reaching consequences, including loss of life.”