Over on Naked Security they have an article, Have federal nuclear supercomputer? GO CRYPTOMINING!, that briefly outlines how some Russian scientists were using a nuclear supercomputer to mine cryptocurrency (yes, you have to wade through a bit of nostalgia to get to the actual story in the last paragraph). While that is shocking in and of itself, I think the more shocking comment by the author is:

    “To be fair, there isn’t much of a downside, as long as you ignore:

    • The unbudgeted operating expenses from powering computers to work for someone else.
    • The opportunity costs because legitimate work gets slowed down.
    • The security risks from who-knows-what untrusted programs and network connections.
    • The reputational and regulatory costs of reporting, investigating and explaining the intrusion.”

I’ll give the author the benefit of the doubt and assume this was a tongue-in-cheek comment. But really, there is nothing but downside to this type of activity, and it’s only going to get more prevalent as applications get easier to deploy and more plentiful. There are multiple methods for loading up such capabilities (scripts, executables, local and remote-based, etc.), so where do you begin with trying to mitigate this threat? (And have no doubt, foreign unauthorized apps/scripts running on your critical servers is a threat.)

Data Loss Prevention (DLP) with whitelisting seems like a good place to start: only authorized applications are allowed to run within the environment. This generally takes a strong knowledge of your environment, though, and the ability to lock things down pretty hard, so starting off with a blacklist of known hashes seems like a much easier beginning. The downside, of course, is that you don’t know what you don’t know, so you will have to be constantly inventorying the network to determine what is out there (which you should be doing anyway; now you have some action you can take with all that data).
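To make the allowlist/blocklist-by-hash idea concrete, here is a small inventory script I put together as an added illustration (my own example, not from the Naked Security article or any product). It hashes every file under a directory, flags anything on a known-bad list, passes anything on the approved list, and reports the rest as unknown, which is exactly the bucket the ongoing inventory is meant to shrink. The file names, contents and list entries are constructed samples.

```python
"""Hash-based inventory: classify files as allowed, blocked or unknown."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries don't load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory(root: Path, allowlist: set, blocklist: set) -> dict:
    """Walk root and bucket every regular file by hash-list membership.

    The blocklist wins over the allowlist so a known-bad hash is never
    accidentally waved through because it also appears on an older allowlist.
    """
    report = {"allowed": [], "blocked": [], "unknown": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        digest = sha256_file(path)
        entry = (path.relative_to(root).as_posix(), digest)
        if digest in blocklist:
            report["blocked"].append(entry)
        elif digest in allowlist:
            report["allowed"].append(entry)
        else:
            report["unknown"].append(entry)  # needs a human decision
    return report


def demo() -> dict:
    """Build a constructed sample tree and return just the file names per bucket."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        # Constructed stand-ins for binaries; the bytes are arbitrary text.
        files = {
            "bin/approved-tool": b"approved corporate tool v1 (constructed)",
            "bin/known-miner": b"stand-in for a known-bad payload (constructed)",
            "bin/new-thing": b"something nobody has inventoried yet (constructed)",
        }
        for name, body in files.items():
            (root / name).write_bytes(body)
        allowlist = {hashlib.sha256(files["bin/approved-tool"]).hexdigest()}
        blocklist = {hashlib.sha256(files["bin/known-miner"]).hexdigest()}
        report = inventory(root, allowlist, blocklist)
        return {bucket: [name for name, _ in entries] for bucket, entries in report.items()}


if __name__ == "__main__":
    for bucket, names in demo().items():
        print(f"{bucket:8s} {names}")
```

In practice the allowlist and blocklist would be loaded from files you maintain, and the unknown bucket is what you review after each inventory pass.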

Some of these programs require Admin access to install, so stronger logging and monitoring of what the Admins are doing is also recommended (and again, this should have been done anyway as part of a best-practice Information Security program).

Finally (but only because I want to limit the length of this post, not because this is the only other action you can take), user education and policy. You see, while there are thousands of vendors who will sell you some very good products to limit this sort of activity, if you don’t set a baseline policy, tell your users that they shouldn’t be doing this, and then educate them on what risks they are imposing on the organization, many of those tools will simply be bypassed, much like this very useless gate that we’ve all seen before.

Cryptomining on equipment not owned by the user (whether it’s the user’s company’s equipment or some remote hijack) is likely to move up the list of IT Security concerns in 2018, so if you haven’t already formulated a plan and put controls into place, start thinking now about how you are addressing this issue and will continue to address it.

Over on Federal Computer Weekly they have a short but meaningful commentary on an email from Harvard Business Review’s daily email newsletter. In the original email they outline how to have good meetings by not only forcing debate, but also by being more inclusive. Some of the key suggestions include:

  1. Start by asking questions, not uttering your opinion.
  2. Help quiet people speak up.
  3. Make it safe for people to take risks.
  4. Take the contrarian view.
  5. Cultivate transparent advocates (and get rid of the hard sellers).

While I don’t subscribe to the original author’s use of the word ‘fight’ when he states, “When teams have a good fight during meetings, team members debate the issues, consider alternatives, challenge one another, listen to minority views, and scrutinize assumptions,” I do agree with the underlying point that leaders will get more meaningful feedback to make smarter decisions when their team feels comfortable speaking their mind, both within the team and upwards to leadership.

As leaders we need to practice the above 5 techniques (at a minimum) to ensure team inclusivity and to give us the best opportunity to hear all ideas. Sometimes as a leader you just need to make a timely decision and there isn’t an opportunity for feedback, but when possible, take the time to hear what your people have to say, as invariably they will have meaningful perspectives that would never have occurred to you. Additionally, if you are doing your job as a leader you are grooming your team for the next step in their career (to include moving into your job). Giving them these opportunities to participate in the decision-making by providing input not only helps you, but helps them as well to think things through.


MIT Technology Review has an article out entitled, “Forget Viruses or spyware – Your biggest Cyberthreat is greedy cryptocurrency miners”. It briefly discusses what cryptojacking is and why it is becoming one of the biggest current threats. Now, I’m not endorsing a specific product or service, but I find that a combination of products such as Malwarebytes Premium and AVG Internet Security’s Ultimate subscription does provide a comprehensive and inexpensive level of protection. There are free versions out there of some great products, but the little amount of money you may spend will be more than offset in most cases by the extra capabilities you will gain (you’re looking at less than $200/year to gain the ability to sleep peacefully at night knowing the unlimited licensing is watching all of your PC, Android and Apple devices).

Again, I’m not specifically endorsing these products, but I do encourage you to do your research and pick something. Often, your company will have a benefit where they offer free or significantly discounted security software for home use. Find out, and if they do offer this benefit, take them up on it. If they don’t offer this as a benefit, you might consider going to your boss and asking for reimbursement if you do any work at home or on your personal devices. If that isn’t offered either, I recommend investing in your personal security by just going out and buying the software out of pocket. Go, right now, do your research and get something.

We talk and hear about the security of the physical enterprise (servers, network, desktops, etc.) as if that is the absolute most important aspect of securing our corporate and customer data. However, with the proliferation of BYOD and remote/home-based employees, where is the focus on securing their home networks?

When operating from home, more likely than not, employees’ devices operate as trusted entities on their network, along with everything else from their thermostat to their kids’ cellphones, and they tend to relax and operate with a much lower sense of security awareness.

We should be doing more as Information Security leaders (via corporate practices/policies and leading by example) to help employees secure their home networks and better educate them on the dangers. In my experience (not to say they don’t exist), I’ve yet to see a company that provides for reimbursement of home network firewalls and related equipment, or that even has a self-assessment checklist.

Think about it. We undergo quarterly or annual audits on the enterprise, but the assessed boundary is almost never extended to the endpoint when it resides outside the company’s physical space. It’s not practical (or necessarily warranted) to physically inspect each person’s home, but why not implement some basic best practices like:

1. Develop and implement a best-practices work-at-home checklist where the employee conducts a self-assessment every six months that includes: wifi security, physical security, IoT/guest network security, secure password generation and storage, etc.

2. Provide a budget of up to $200 for purchase of a home network security device like a Fingbox or similar to watch the home network and block intruders.

Implementing just a couple of simple controls like the above would enhance the overall security of our most important data, either inexpensively or even for free, at a time when more and more of our employees are working from home.

InfoSecurity Magazine has an article that outlines how the CoffeeMiner script allows malicious users to carry out a Man-in-the-Middle (MITM) attack that causes affected machines to run code that mines the cryptocurrency Monero without the user’s knowledge. The author suggests that the best solution is to just never connect to an open wifi. While I do agree that using open wifi isn’t smart, there are times in our lives when it is the best or only option. In these cases it’s still possible to operate securely, but in order to do so, the minimum protection mechanism needed would be a Virtual Private Network (VPN). Taking the approach that the only secure system is the one not used fails to incorporate smart information security decisions into business operations.

There are multiple VPN apps on the app stores that will work just fine, both paid and free, but I recommend going for an inexpensive paid one like Express VPN because you will get outstanding service, multiple options, selectable servers and strong throughput. (Disclaimer: the link only works from mobile devices. I have had a paid subscription to this app for a couple of years, and if you go to this link and choose to also subscribe, we both receive 30 free days of service.)

If you’re not interested in purchasing a solid VPN but have an Android phone, there is also a built-in Google VPN option under Network & Internet Settings called Wi-Fi Assistant. I’ve used it a couple of times, but I much prefer Express VPN over the built-in version due to my ability to select the VPN server’s geographical location.

Either way, just don’t connect to open wifi without employing some form of protection. I agree with the author, who concludes the article by asking, “We don’t even touch public doorknobs without a paper towel or a squirt of Purell…Why on Earth would anyone freely connect to a public Wi-Fi network?”

Ok, this was a new one for me. Business Insider outlines a policy at the PC gaming company Riot Games to pay any employee (within their first 60 days) 10% of their base salary (up to $25k) if they decide to leave because they find there isn’t a fit. I think it’s a great idea that supports making all parties happy. However, as the article mentions, it would be a bit of a misstep to hire a $250k employee only to have them quit within 60 days, so I do hope they have a robust hiring process. I would expect a multi-step process that includes the hiring manager, peers and direct reports (as applicable), along with both technical and cultural fit aspects.

Gizmodo has an article out that outlines the status of Bring Your Own Device (BYOD) at the White House. Namely, Chief of Staff John Kelly has just banned the use of all personal cell phones. Coincidentally, this action came at the same time as the new book Fire and Fury, about the Trump White House and the goings-on there for the past year, was released to the public.

The Gizmodo article outlines a series of missteps related to the use of personal mobile devices, and for the most part I agree. However, when the author states, “The upside to today is that the new White House ban on personal phones is actually a step in the right direction,” I have to take some exception to this as an Information Security leader. Not because, as the article points out, the younger staffers are upset that their parents can’t text them, but rather because mobile devices are an embedded way of life in today’s business world and there are a multitude of high-value target companies out there that have found ways to make this work securely (to include my own, McAfee). Banning devices, rather than finding ways to integrate them securely into operations, is not the answer in my opinion in almost all cases. As I’ve said elsewhere, our job as Information Security professionals is to find a way to say “yes” securely, rather than saying “no”.

To be fair to Kelly, though, simply banning the use of mobile devices outright was likely the result of the White House CISO being fired and nobody being put back in his place to formulate a reasonable policy backed up by Information Security technology and strategy; or it was simply a knee-jerk reaction to the release of the book that likely would have occurred even if the CISO had been in place. So where does the White House go from here? It’s almost assured that the President, being an avid user of Twitter, will continue using his device, and because leadership by example drives organizations, the staff will soon follow; within days or weeks this will likely become a distant, forgotten news item as the reins are loosened.

The WH will continue to be technologically insecure until best practices are carried out from the top down, proper information security leadership is put in place, strategies are formulated and enforced, and more than just talk occurs.

The subject of this post is in response to a Healthcare IT News article titled, “As data Vulnerabilities Escalate, Healthcare organizations need to supercharge security efforts”, which addresses the vulnerability of data in many of today’s hospitals and how they have come under increased focus from malicious actors seeking to do harm. The bad guys know that “…It literally becomes a life or death situation”, so ransomware proliferates and (some) people are shocked when it happens.

The article goes on to talk about forms of backups (as you’ve seen me mention previously), knowing where the data is (that sounds familiar) and taking a holistic approach (seeing the forest through the trees). In the end, though, if hospital administrators find it easier and cheaper to stock up on Bitcoin to pay the inevitable attack ransom rather than go down the much more difficult and resource-consuming, but longer-lasting, approach, then little will change. That approach would generally look something like: work with data owners to identify your organizational and customer critical data, meta-tag it, prioritize it, organize it into as few secured applications/systems/networks as necessary, then put the strongest access and use controls around it that still allow effective business operations using the technologies people have come to expect in this day and age.

An important consideration when carrying out such a program must be that the security controls and practices not only align with regulatory guidance, but also support effective business operations. A secure company that goes out of business due to cumbersome customer interactions isn’t what Information Security is all about.

It’s a vendor-sponsored article to be sure, but that doesn’t diminish the message at all: security leaders need to be proactive in their approach and be prepared. Support good business and happy customers at the same time and you’ve got something that other professionals should emulate.

Being the holiday week things were a little slow, so I took the family out to lunch today and while at the restaurant I saw an inspirational sign. It wasn’t a new sign or message, but it contained a particularly meaningful series of thoughts as we enter the New Year. The sign said, “Work for a cause, not for applause. Live life to express, not to impress. Don’t strive to make your presence noticed, just make your absence felt”.

These are three tenets that I fully agree with and will work to embrace even more in the coming year. When we make aspects of our work and life about serving others and not all about ourselves, then life (and work) becomes so much more meaningful and fulfilling. I’m not saying we should neglect or completely subjugate ourselves, but when we only seek to shine the light on “me, myself and I”, in the long run it generally ends up having the complete opposite effect.

NOVA has an article out that claims the internet is making us less secure due to all of the hacks we’ve undergone in 2017 and will continue to be subject to in the coming year. 

In most cases we were never entirely secure to begin with, but we’re seeing progress in many areas. In my humble opinion, things that still need improving in 2018 include (my own point-of-view generalizations, of course):

– Improving the role, focus, scope and reporting structure of the CISO.

– Encryption needs to be deployed to 100% of the enterprise.

– Two-Factor Authentication (2FA) needs to become the norm for both professional and personal logins.

– Increased use of password managers to allow for highly complicated passwords (I purposely don’t even know most of my passwords, so there is no opportunity for repeating them, making them easy to remember or writing them down).

– Backups. No organization should be subject to the embarrassing, time-consuming and avoidable effects of ransomware. Build architectures that provide for offline, out-of-band backups that are consistently validated to allow for near-real-time recovery.

– Identification of where the organization’s most critical data is; meta-tag it, put policies around it, then deploy Data Loss Prevention (DLP), Host Intrusion Prevention (HIPS) and related tools to increase the security and privacy around the access to and use of the data.

– A synchronized defense-in-depth security strategy that provides layers from the perimeter to the network, the endpoint and the server (and the cloud portion of the architecture as well, where applicable). It’s better to have a strategy that is cohesive and that closes the gaps, even if each component isn’t the best of its product line, than to have a best-of-breed suite of tools that don’t function well together. Perfection is the enemy of good.


2018 will likely bring us a ramped-up threat landscape. As we go back into the office re-energized and ready for the new year, we need to use this time to prepare and justify our security posture expenditures, both financial and those that require non-monetary resources.

Identify the gaps, prioritize the responses and align with budgets. For those items that are free or within budget there’s no time like the present to “get ‘er done”. For those that require unallocated funds, put together a solid justification first, then don’t be afraid to ask. Depending upon your organizational culture, you may want to get everything in writing as well, regardless of the outcome of your discussions.

Apparently Vietnam has a surplus of cyber labor that it can leverage to “seek to battle ‘wrong’ views online”, according to a report today by the Financial Times. The Vietnamese military is building a 10,000-person cyber unit to crack down on domestic bloggers, activists and others that may report on or speak out against government policies.

Here in America, and in many if not most first-world nations, building a trained and skilled cyber workforce is a challenge, let alone having 20k spare eyes just to watch its own citizens, looking for dissent. I can only imagine the good that could be done with a skilled cyber labor force of that scope elsewhere.


As you’ve seen on my Interests & Hobbies page, not only am I into IT and Information Security, but I’m also interested in cryptocurrencies. Throughout the past couple of years ransomware has really started to come into the mainstream, and with that rise one of the emerging trends here at the end of 2017 is the wholesale buying of cryptocurrencies by corporations in preparation for an eventual incident. McAfee sees an evolution in the nature and application of ransomware that is only going to increase in 2018.

The security-minded side of me is of course disdainful of the whole ransomware practice and what it all entails, and nothing justifies the actions of the malicious actors. The cryptocurrency lover in me, though, does appreciate the speculative returns that the increased volume brings to the market.

As a security leader I think every one of us must be prepared in advance for that moment in time when a ransomware incident occurs. Not if, but when. How will we approach it, what will we do? What is our frame of mind? To sit on the sidelines and not have a plan these days is unacceptable. More importantly, we must be thinking more proactively, not so much about how we will respond, but rather about what we are doing in advance of an incident to either eliminate or strongly mitigate the risk. What practices, like encrypted out-of-band backups, two-factor authentication, employee anti-phishing education programs, etc., are we putting in place to lessen the damage and decrease the time to restore operations when something happens?

With a week left in the year it’s never too late to start thinking about your professional New Year’s Resolution and how you are going to take your organization to the next level in the coming year. On the last business day before the holiday, I wish you all a Merry Christmas.

Welcome to my personally hosted professional presence on the internet. Today is my first post as I build out this site. I’ll be sharing thoughts and creative ideas, generally around Information Technology and Information Security that I either see elsewhere and would like to comment on, or that I generate myself.