Where do you prefer to shop? Walmart is easy to get in and out of. Usually without even the slightest interaction. Costco on the other hand is different. You need to have a membership card first. No card, no access.
Your computer security is similar. Generally speaking the security you are using is either the Walmart model or the Costco model. If you choose Walmart, malware can get in and out without you ever knowing. Sadly though, you are never offered the option for the Costco security model. Except here at Cybereye. Give us a call so we can tell you how it works and so you can have the peace of mind our customers rave about.
In the year 1209 the Cathars were besieged at Carcassonne in southern France. The Cathars were a religious group branded heretical by the Pope. Within the heavily fortified city the Cathars were protected but vulnerable to a supply chain attack.
The Castle Comtal, within the fortified city in France’s Aude department, stands as a monumental testament to medieval military architecture and strategy. One of the most distinctive features of this castle is its portcullis with two independently controlled gates. This engineering marvel serves as an apt metaphor for the need to separate your Information Technology (IT) and Cybersecurity teams.
The Portcullis at Carcassonne
The fortified city of Carcassonne has a complex defensive system that has stood the test of time. One of its remarkable features is the portcullis, a heavy grilled door that could be dropped or raised to secure the castle’s entrance. But what sets Carcassonne’s portcullis apart is its two independently controlled gates. This means that even if one gate were compromised, the other could remain secure, providing an additional layer of defense.
Separating IT and Cybersecurity Teams: A Modern-Day Portcullis
In modern organizations, the IT and Cybersecurity teams often have different mandates but overlapping responsibilities. The IT team is generally responsible for managing the hardware, software, and networks that keep the company running. In security terms this is called “Availability”. The Cybersecurity team, on the other hand, focuses mainly on protecting the “Confidentiality” (controlling who can see what), and the “Integrity” (who can change what).
Much like the dual gates of Carcassonne’s portcullis, these teams should operate independently but in tandem. A Change Board approves software installations and updates; the Cybersecurity team updates the allow policies and the IT team implements the changes.
Advantages of Separation
1. **Focused Expertise**: Specializing allows each team to become experts in their area, leading to better performance and problem-solving.
2. **Risk Mitigation**: Separating the approval and installation of software makes it almost impossible for a disgruntled employee to wreak havoc.
3. **Checks and Balances**: Independent operations allow for internal checks, reducing the likelihood of systemic failures and oversights.
The Harmony of Independence and Interdependence
While it’s crucial for these teams to operate independently, they should not work in silos. Much like the independent but harmoniously functioning gates of Carcassonne, IT and Cybersecurity teams should have protocols for secure communication and collaboration. For instance, while the IT team may be responsible for implementing a new software platform, the Cybersecurity team should be involved in assessing its security features and updating the allow policies.
The dual-gate portcullis at the Castle at Carcassonne serves as a timeless symbol of defense in depth. In a world where cyber threats are increasingly sophisticated, the need for separate but coordinated IT and Cybersecurity teams has never been greater. By learning from the past and applying its lessons to the present, your company can fortify its castle against the ever-evolving challenges facing you.
A Cyber Parable: Imagine you are a chicken rancher. Your chickens are free-range, no antibiotics, and (most importantly) hypo-allergenic. So, people with egg allergies can use your eggs to make cookies and other goodies. If they ever inadvertently eat store-bought eggs they would die. You can see the value in your eggs.
You Are At Risk: But who would even want to harm your business? You are small. You only serve a small geographic area. Imagine you have a very elite clientele. Because your eggs are so unique, your clientele consists of some very influential and powerful people. If a criminal wanted to target a powerful person, they wouldn’t have to do it directly. All they have to do is gain access to your hen houses and plant store-bought eggs. Then wait for you to deliver them to your clients. It doesn’t even matter to the criminal if they hurt others as well. Those would merely be collateral damage to the criminal. As long as their target was affected, their mission is complete.
Supply-Side Attacks: This is pretty much how supply-side software attacks happen. A legitimate software vendor with lackadaisical security on their software repository (the hen house) gets infiltrated by a threat actor. A legitimate file (your precious eggs) gets infected with malware (store-bought eggs), then the threat actor simply waits for the vendor to ship out the infected file.
Does this happen? You bet it does. A few months ago, a huge software vendor named SolarWinds had this happen to them. It affected about 18,000 of their high-value customers.
Try This: So now we find we can’t even trust the vendors to keep their software repositories (their hen houses) safe. But what can you do about it? Here’s what you can do. Before you install any new software or any update, you can upload the software to virustotal.com and have the file scanned for you at no cost. It’s not foolproof but will give you at least a small measure of assurance the file hasn’t been tampered with.
Some Cautionary Statements: There are two possible problems here. First, VirusTotal is a public website, so don’t upload any sensitive files. Second, VirusTotal will only report a file as malicious if: 1. VirusTotal has seen it before AND 2. The antivirus engines it uses to scan the file have verified the file is malicious. What this means to you is, if the good eggs were just switched out for bad eggs this morning, VirusTotal will not know it’s bad. And you will install malicious software. So, with this technique, your mileage may vary.
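Both cautions above can be handled at once by sending VirusTotal only the file’s hash rather than the file itself. The script below is an added example (not CyberEye’s code) that uses VirusTotal’s public v3 API endpoint for file hashes; it assumes you have put your own VirusTotal API key in an environment variable named VT_API_KEY (an assumed name). A “not found” answer is reported as UNKNOWN rather than clean, which is exactly the “eggs switched this morning” case.

```powershell
# Added example (not CyberEye's code): look up a downloaded installer on VirusTotal
# by its SHA-256 hash instead of uploading the file itself. Uses the public v3 API
# endpoint GET /api/v3/files/{hash}. VT_API_KEY is an assumed environment variable
# holding your VirusTotal API key.

function Get-VirusTotalHashVerdict {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ApiKey = $env:VT_API_KEY
    )

    if (-not $ApiKey) { throw 'Set VT_API_KEY to your VirusTotal API key first.' }

    # Only the hash leaves the machine; the file contents stay private.
    $sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()
    $uri    = "https://www.virustotal.com/api/v3/files/$sha256"

    try {
        $response = Invoke-RestMethod -Uri $uri -Headers @{ 'x-apikey' = $ApiKey } -Method Get
    }
    catch {
        # 404 means VirusTotal has never seen this exact file. That is NOT a clean
        # bill of health: a freshly tampered file looks exactly like this.
        if ($_.Exception.Response -and [int]$_.Exception.Response.StatusCode -eq 404) {
            return [pscustomobject]@{
                File = $Path; SHA256 = $sha256; Known = $false
                Malicious = $null; Suspicious = $null; Undetected = $null
                Verdict = 'UNKNOWN - never scanned; do not treat as safe'
            }
        }
        throw
    }

    # last_analysis_stats holds per-engine counts from the most recent scan.
    $stats = $response.data.attributes.last_analysis_stats
    $verdict = if ($stats.malicious -gt 0) { 'FLAGGED by one or more engines' }
               elseif ($stats.suspicious -gt 0) { 'SUSPICIOUS - review before installing' }
               else { 'No engine flagged it (still not a guarantee)' }

    [pscustomobject]@{
        File = $Path; SHA256 = $sha256; Known = $true
        Malicious = $stats.malicious; Suspicious = $stats.suspicious
        Undetected = $stats.undetected; Verdict = $verdict
    }
}

# Usage (path is an example):
Get-VirusTotalHashVerdict -Path "$env:USERPROFILE\Downloads\setup.exe" | Format-List
```

If the result comes back UNKNOWN, the hash lookup has told you nothing either way; that is the moment to fall back on the vendor’s own published checksum or signature, or on the allow-listing approach described in the next paragraph, rather than installing anyway.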
Other Options: There are other options for your protection that we have discussed in other articles like application whitelisting and ring fencing that can provide more protection. Ask us or your local cyber team about it.
Somebody Is Watching You: Imagine that there is someone following behind you day and night, watching and writing everything you do into his notebook. Now, imagine that his cohort is doing the same thing to your spouse. But it doesn’t stop there, they are also following your children. They take their information and report it to their boss. Seems pretty creepy, right? Because it is.
Big Tech Advertising: That scenario is played out every time you browse the internet, shop online, or use social media. Your activity is being monitored and tracked by the big tech companies like Google and Facebook. Have you ever wondered how Google could afford to give you free email when 20 years ago it was expensive? Or how Facebook can provide their platform for free? They can afford to do that because you, the user, are the product. They are selling your information for targeted advertising. They are getting rich by selling the browsing habits of their users or by tracking what you like or don’t like on social media or the types of videos you watch.
Eye Opening Ted Talk: In recent years, there have been increasingly loud outcries from the public as the digital stalking has been made public. In his TED Talk, Gary Kovacs used a tool in his Firefox browser called Collusion that creates a map of the different organizations that are tracking your activity. After hitting only four websites, there were 25 different trackers. On a typical day this number grew above 150. There is a plugin for Chrome and Edge called Ghostery that alerts you to the number of trackers attached to your session for each site. It also allows you to block them. Social media sites are known for having more trackers than other sites.
Cookie Replacement: There is a push to remove these tracking files called cookies to give users more privacy. Advertisers were concerned about possibly losing this venue for targeted marketing. Google, however, has stepped in to create a new anonymous online identifier to replace cookies called Federated Learning of Cohorts (FLoC). FLoC uses your browsing history from the past week to assign you to a group, a FLoC ID, with other “similar” people around the world. Google sells access to these FLoC IDs as long as the advertisers agree to basic guidelines, which would aim to deliver users greater privacy and control over how they browse the web. This method still has many of the same privacy and possible discrimination issues that cookies have.
Defensive Tools: You are not alone or defenseless in this attack against your privacy. The Electronic Frontier Foundation (EFF) is a privacy advocate for the people. They have created a browser extension called Privacy Badger that works on Firefox and Chrome. It monitors third parties and ad networks that try to track you through cookies and digital fingerprinting and can even auto-block them. Another thing you can do to protect your privacy is to change your search engine. Google, Yahoo, and Bing all collect your information to “personalize” your experience. Instead use search engines designed with privacy in mind like DuckDuckGo, Qwant, and Startpage. If you want to go all out, you can use a relatively new browser called Brave that blocks ads and trackers. For complete privacy with end-to-end encryption for your messaging and phone calls, we recommend an application for both phones and computers called Signal.
Regain Your Privacy: It is time to get that stalker off of your back and regain your privacy. Check out Ghostery, Privacy Badger, DuckDuckGo and Brave while enjoying your online experience without being tracked.
Missile Controls: During the Cold War, there were hundreds of top-secret nuclear missile silos around the United States and allied countries. An example of the silo can be seen here in Arizona at the Titan Missile Museum. Many of the silos are still in use today. They are guarded by service members with extremely high-level security clearances, where the details of the location and security procedures, if exposed, could give the enemy the upper hand.
National Security Issue: Understanding the importance to national security, what if I told you that for the last seven years, details of operations of nuclear weapons in Europe have been on the internet, freely available to anyone through flashcard-learning applications. Since 2013, flashcards on applications like Quizlet, Chegg, and Cram were created by service members at six European bases to help them memorize security protocols about US nuclear weapons and the bases. Details included the location of the exact shelters and “hot” vaults that contain the nuclear weapons. Camera positions, frequency of patrols, and unique identifiers for restricted area badges were part of the package. In addition, secret duress words that signal when a guard is being threatened were exposed.
Security Breach: A journalist from Bellingcat looked up terms associated with nuclear weapons bases, like Weapons Storage and Security Systems (WS3), associated with air bases, and the flashcard apps showed up. This was a huge security breach, and it went on for more than seven years!
Shadow IT: This is a perfect example of the risks of Shadow Information Technology (Shadow IT). Shadow IT is any technology that employees use without approval or support from their IT department. Examples of Shadow IT include using personal emails, music streaming services, collaboration tools, and storage and sharing applications that have not been approved for use.
Circumventing the System: The flashcard-learning applications are cloud-based applications open to the public. The service members did not have a similar technology to help them memorize all the protocols, so they went to the web and used a specific free tool that helped them learn much more efficiently. The members created Shadow IT because the military did not provide a secure solution. Sometimes Shadow IT reveals to management the tools required to get the mission accomplished. If leadership had acknowledged the requirement and created a secure solution, that sensitive information would have been kept secret.
Big Risks: Shadow IT is a security risk. It is projected that one-third of successful cyber-attacks are on data located in Shadow IT resources. That’s because, if the IT department does not know about it, they can’t secure it. When left unchecked, businesses risk exposing proprietary data or customer data. If exposed, that means loss in the marketplace, downtime, fines, or damage to reputation.
How to Avoid It: To protect your business, find out all the tools that are being used by your staff. Provide amnesty to anyone using unauthorized apps. This provides insight into what is required for their tasks and gives you a chance to confer with your IT or cybersecurity professionals to determine a secure way forward. Whitelisting application tools provides insight to management into what applications are used on the work network, and management can decide what is allowable. There are no secrets when a whitelisting tool is used. Shadow IT is exposed to the light.
Moral of the Story: Whether you are protecting nuclear warhead secrets, or your company’s process to beat the competition, Shadow IT can have a negative impact on your operations. Discover what is out there and find a way to secure it.
The Greatest: Many would argue Michael Jordan was the greatest basketball player who ever lived. But are you aware he didn’t win a championship for the first SIX YEARS he played professional ball? Michael Jordan was a great individual player. But he couldn’t have achieved all he did without the help of those around him.
Can’t Do It Alone: Obviously, Jordan couldn’t win championships by himself. He needed help. Enter Scottie Pippen. Pippen was a great complement to Jordan’s aggressive style. But even then, the Bulls still couldn’t get past the Detroit Pistons. Slowly, the team added additional players and a new head coach. And they beat the Pistons.
You need to surround yourself with helpers too.
Helpers or Rivals: Helpers don’t always appear as you would expect. Sometimes, they might even look like rivals. Rivals provide friction. And friction makes you stronger.
Len Bias: Len Bias was friction for a young Michael Jordan. When Jordan and Bias were in college, they were opponents. On February 19, 1984 their teams faced off for what would be their last game together. Bias played for Maryland and Jordan for the Tar Heels. Jordan was more experienced. But Bias was clearly getting better by the day.
We can only speculate that the presence of Bias playing against Jordan and the Tarheels was a significant motivator for Jordan. But given Jordan’s competitive nature it wouldn’t be a stretch.
Rivalry That Wasn’t: In a USA Today article about the rivalry that wasn’t, I found this quote from Michael Wilbon,
“Those of us who had the pleasure of watching him believe Bias would have been to Jordan what [Larry] Bird was to Magic [Johnson] — a true natural, equally fierce rival, the singular decade long rival Jordan never had.”
Need Friction: In life sometimes the help we need to achieve greatness comes in the form of opposition, or friction. We achieve greatness, not from a “tensionless state” as Viktor Frankl said.
Cyber Slow Down: In terms of cybersecurity, slowing things down and creating a little controlled friction is necessary so we can review software changes before they are made. Moving too fast to update a server (for example) or installing a new application without running it in a test environment can lead to disaster.
Slow Down to Go Faster and Avoid Pain: Two CyberEye clients this week experienced something like this. One client requested a new program installed. After review we found it was installing other software in the background that might be malicious. We were able to avert potential disaster. Another customer installed an update to a critical server without testing it first (against our recommendation). That outcome wasn’t trouble-free. A brief test beforehand would have saved hours of headache.
Yes, Test It: When your business depends on your computers, slow down and take time to test new software. Testing your software in a controlled environment first adds a little friction to your workflow. But it just might be the friction you need.
Plague. What an ugly word. So ugly, indeed, it is rarely used to depict anything less than apocalyptic. Now another word has unmasked our distant socializing. COVID-19.
My daughter (now living in distant Texas) told me over the phone she is SICK of COVID-19. Not with. Of. She came down with a cold last week and had to get a COVID-19 test. Just to be sure. She was livid. She threw her steel water bottle at the tile floor.
Your Immune System: I spoke to a friend in the medical field last week about how the COVID-19 vaccine works, and how our immune system uses it. He explained there are several layers of defense inside the body.
The Skin: The first layer of defense is the skin. It keeps most pathogens out of the body. Problem is, there are a couple of orifices through which a pathogen may enter. Primarily the nose and mouth.
Innate & Adaptive: Once inside there are two main systems involved in eradicating the threat. The “innate” and the “adaptive”. Newborn babies are immediately protected by the innate immune cells. Innate immune cells recognize “general” danger. The other system is the “adaptive” system. It’s the one that recognizes specific pathogens.
Going Deeper: There are sublayers of these two systems. Bone marrow, the spleen, the lymphatic system among others less well-known to the general public due to social distancing I’m sure. All are critical to our survival. If any of these additional layers malfunction, or cease to function, the results can be catastrophic.
Just Like Cyber Defense: By now you are wondering, this is all fine and good, but what does it have to do with computers? Let me explain. Our physiology uses two proven methodologies to protect us. Both of which are also applicable to computer, network, and information security. One is “Defense in Depth”, the other is “Zero Trust”. It’s kind of like this. Imagine if the only defense your body had against disease was your skin. How long do you think you’d survive?
Holes in Your Defense: Your skin is like the firewall of the body. You need it for sure. And it DOES keep out a lot of pathogens. But remember the two BIG weaknesses in that defensive layer of skin? You need to eat and breathe so you can’t close those ports. They have to remain open. And generally, that’s how pathogens get in and you get sick. In like manner, the firewall you use on your network has two gaping holes. One for internet, and one for email. And generally, that’s how malware gets in and you get ransomware.
Antibodies: Once inside your body, a virus is detected as foreign and immediately attacked. Then the antibodies build a memory so if that specific virus ever comes back, the time to eradication is significantly reduced. Your immune system can also fight pathogens your body has never seen before. Anything that isn’t known by your body to be good is immediately attacked.
The Problem with Cyber Defense: Imagine if your body only eliminated those pathogens it KNEW were BAD. The human race would never survive. Unfortunately, this is EXACTLY the approach we’ve taken with computer and information security. The expensive firewall you have at the edge of your network is like your skin. Complete with two gaping holes for internet and email access. Holes through which the pathogens enter your network. You have antivirus too. But it only stops what it KNOWS is bad. What about all the bad it doesn’t know about? There’s the problem. Because there are over 100,000 new malware variants EVERY DAY. 100,000 new malware variants your antivirus knows NOTHING about, cannot detect, and will not stop.
AppLocker: Just like the human race would never survive with that approach to pathogens, networks succumb to ransomware and other malware every day. For that very reason. They only stop what they know is bad. Fortunately, there is a solution. It’s sitting in your operating system already. It will stop about 95% of all the new malware. Even if it’s never seen it before. It’s the adaptive immune system of your computer. On Windows it’s called AppLocker. But you have to enable it. It’s turned off by default.
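What “enabling AppLocker” looks like in practice is shown below as an added example; it is not CyberEye’s procedure, and it deliberately starts in audit mode so nothing is blocked until you have seen what your users actually run. It assumes a test machine, an elevated PowerShell session, and a policy file location (C:\AppLocker\Baseline-AuditOnly.xml) that is only a placeholder. The cmdlets, the AppIDSvc service and the event IDs are Windows’ own; the rule set generated here is simply “everything currently installed under Windows and Program Files”, which you should review before enforcing.

```powershell
# Added example (not CyberEye's procedure): turn on AppLocker in audit mode so you
# can see what it WOULD block before enforcing. Run as Administrator on a test
# machine first. $PolicyPath is an assumed location for the generated policy file.

$PolicyPath = 'C:\AppLocker\Baseline-AuditOnly.xml'
New-Item -ItemType Directory -Path (Split-Path $PolicyPath) -Force | Out-Null

# 1. AppLocker does nothing unless the Application Identity service is running.
#    (sc.exe is used because the service's start type is protected on recent builds.)
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 2. Build allow rules from what is already installed in the trusted program
#    locations: publisher rules where files are signed, hash rules otherwise, so an
#    unknown executable dropped into a user's profile matches nothing. This scan
#    takes a while on a full install.
$trusted = foreach ($dir in 'C:\Windows', "$env:ProgramFiles", "${env:ProgramFiles(x86)}") {
    if (Test-Path $dir) {
        Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
    }
}
$xml = New-AppLockerPolicy -FileInformation $trusted -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'Baseline' -Optimize -Xml

# 3. Switch every rule collection to AuditOnly: log, don't block, while you learn
#    what your users actually run. Change this to 'Enabled' when you are ready to enforce.
$policy = [xml]$xml
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.Save($PolicyPath)
Set-AppLockerPolicy -XmlPolicy $PolicyPath

# 4. After a few days, review what would have been blocked. Event 8003 = allowed but
#    would have been blocked under enforcement; 8004 = actually blocked.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

The audit log is the whole point of the exercise: every 8003 event is either a program you forgot to allow (add a rule) or something that should never have been running (the “new malware” the paragraph above is talking about). Only once the log is quiet for normal business use should the collections be flipped from AuditOnly to Enabled.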
Contact the CyberGuys from CyberEye about how to do that at no cost to you.
How to Catch a Wild Pig: You catch wild pigs by finding a suitable place in the woods and putting corn on the ground. The pigs find it and begin to come every day to eat the free corn. When they are used to coming every day, you put a fence down on one side of the place where they gather. When they are comfortable with the fence, they begin to eat the corn again, and you put up another side of the fence. They become oblivious to that, and they start to eat again.
Continue until you have all four sides of the fence put up with a gate in the last side. The pigs, habitually coming to eat the free corn, enter through the gate to eat; you slam the gate on them and catch the whole herd. Suddenly the wild pigs have lost their freedom. They run around and around inside the fence, but they are caught.
It Happens to Us: Is this a ranching piece or the Cyber Tripwire? There is a parallel between the wild pig parable and what is known as “cybersecurity fatigue.” According to the National Institute of Standards & Technology, security fatigue is “a weariness or reluctance to deal with computer security.” When asked to make more computer security decisions than they are able to manage, people tend to experience decision fatigue, which leads to security fatigue. Every day, people on their computers are being asked to make a multitude of cybersecurity decisions: “What’s the password for this site?” “Should I open this email?” “Is it OK to click this link?”
Collaboration Tools: Due to the pandemic, more people are working remotely, leading to the skyrocketing usage of collaboration tools, like Discord, Teams, and Slack. The users who are collaborating, sharing links, and sending files often give no thought to whether the link is legitimate or if the file has embedded malware. (Was that a fence that just went up? Nothing to see here—it’s normal.) We’ve been lulled into thinking that we can disregard security concerns for these collaboration tools.
Hackers Take Over: Recently Talos, Cisco’s cyber intelligence division, wrote an article about how hackers are using collaboration tools to evade organizational defenses. The hackers improperly use the legitimate collaboration tool, which is not blocked, to distribute their malware. This happens because many of the security perimeter controls existing on email or web browsers are not in effect with these collaboration tools; thus, hackers prey upon employees’ cybersecurity fatigue. This fatigue works in the hackers’ favor because users are accustomed to passing information such as links and files through these chat tools thinking they are secure. (What’s that fence doing there? It’s all normal—nothing to see here.)
Your Counter Measures: Organizations should take measures to combat this, like whitelisting applications and employing endpoint detection. “Least privilege” should be employed, meaning regular users are not running as administrators. Remember: If you click on a malicious link as administrator, now that malware becomes the administrator of your system. Micro-training, another option for better cybersecurity for your employees, consists of weekly three-minute videos sent via email to keep the protection of your business at the top of their minds.
Pay Attention: Be careful while using your organization’s collaboration tools. Treat files and links in those tools just like you would in emails. Stay alert. That way, when you are happily eating your free corn in the field, and the next day there is a peculiar-looking fence, you’ll know it’s time to run!
Thriller Novel: It’s the scene from the opening of a Tom Clancy novel: An advance team of cyber hackers from an unnamed enemy of the USA strikes first in the upcoming WWIII. This war won’t be started with a rifle shot; it is digital warfare with deadly results. The hackers infiltrate the control systems of a water treatment plant where 15,000 people get their drinking water in Smalltown, America. They take control of the chemical dosage, flooding the town’s water with poison. Thousands die before authorities determine what happened.
Not So Fictional: It sounds like a fiction action-thriller novel, but something similar happened in Oldsmar, FL last month. It could have been tragic, were it not for an alert staff member of the water treatment facility. A hacker gained access to the chemical controls of the water treatment facility for less than five minutes. In that time, he was able to change the level of sodium hydroxide from 100 parts per million to 11,100 parts per million. The staffer was at his computer, monitoring the facility when a remote user took control of his mouse and attempted to poison the water. Once the attacker relinquished control, the staffer reduced the level back to 100 before the water was impacted.
Utilities as Cyber Targets: All around the country there are thousands of gas, electric, and water facilities that are part of the critical infrastructure of the country. You may ask “How did this happen to such a critical resource?” I know I did. It turns out, this small facility had a small budget, and cybersecurity was not included.
Forget the Rules: The organization broke just about every principle of basic cybersecurity imaginable. The system was running on an unsupported version of Windows. The organization used a desktop-sharing software package called TeamViewer, which allowed the staff to monitor the system remotely. Everyone shared the same password, and the password was the manufacturer’s default password. It’s hard to say which cyber bumble was the worst, but it could have been the fact this critical infrastructure was connected directly to the internet without any type of firewall protection. One more thing – six months prior to the attack, the facility stopped using the tool, TeamViewer, but neglected to uninstall it. This is the very tool the hacker used to infiltrate their system.
Convenience over Security: This is what happens when functionality and convenience trump security. These lessons apply to every business. Password hygiene is critical. Disable the default account on all devices. Use unique passwords per user. This enables proper access control to the devices and auditing of the system. Otherwise, you don’t know who did what. Always keep your systems updated with the latest patches for both the operating system and the applications that are in use. If you are no longer using a piece of software, remove it. When someone leaves the organization, disable their account. Close your firewall, so only the required applications can pass.
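The lessons in the paragraph above translate into a handful of checks you can run on any Windows machine. The script below is an added example, not CyberEye’s tooling: it looks for the Oldsmar mistakes one by one (default accounts still enabled, accounts nobody has used, remote-access software that was never removed, firewall profiles that are off or allow inbound by default, and who holds administrator rights). The 90-day threshold and the list of remote-access tool names are assumptions to adjust for your environment; TeamViewer is the one named in the article.

```powershell
# Added example (not CyberEye's tooling): a quick local check against the Oldsmar
# lessons. Run as Administrator. The 90-day threshold and the remote-access tool
# names are assumptions you should adjust to your environment.

function Get-BasicHardeningReport {
    param(
        [int] $StaleDays = 90,
        [string[]] $RemoteTools = @('TeamViewer', 'AnyDesk', 'VNC')
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Default and shared accounts: built-in Administrator and Guest should be disabled.
    foreach ($name in 'Administrator', 'Guest') {
        $acct = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
        if ($acct -and $acct.Enabled) { $findings.Add("Default account '$name' is still enabled") }
    }

    # 2. Accounts nobody has used in a long time: probably someone who left.
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    Get-LocalUser | Where-Object { $_.Enabled -and $_.LastLogon -and $_.LastLogon -lt $cutoff } |
        ForEach-Object { $findings.Add("Account '$($_.Name)' enabled but last logon $($_.LastLogon.ToShortDateString())") }

    # 3. Remote-access software you may have stopped using but never removed.
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } | Select-Object -ExpandProperty DisplayName
    foreach ($tool in $RemoteTools) {
        foreach ($hit in ($installed | Where-Object { $_ -like "*$tool*" })) {
            $findings.Add("Remote-access tool installed: $hit (remove it if unused)")
        }
    }

    # 4. Firewall: every profile on, and inbound blocked unless explicitly allowed.
    Get-NetFirewallProfile | ForEach-Object {
        if ($_.Enabled -ne 'True') { $findings.Add("Firewall profile '$($_.Name)' is disabled") }
        elseif ($_.DefaultInboundAction -ne 'Block') { $findings.Add("Firewall profile '$($_.Name)' does not block inbound by default") }
    }

    # 5. Who is an administrator? Everyday users should not be in this list.
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("Member of local Administrators: $($_.Name)") }

    if ($findings.Count -eq 0) { 'No findings from the basic checks.' } else { $findings }
}

Get-BasicHardeningReport
```

Every line this prints is one of the article’s bullet points turned into a concrete fact about the machine in front of you; the Oldsmar report would have lit up items 1, 3 and 4 at once.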
Wake Up: This is a wake-up call to all the small and medium-sized utilities, letting them know they are a target. In most cases, the larger utilities do have more regulations to follow and subsequently, a larger budget. They understand their critical systems have to be separated from the rest of the organization’s network, and it is best practice to have no direct internet access.
Be Prepared: The attack on the Oldsmar Water Facility did not require the skill and resources of a major world power. It could have been a disgruntled employee who had the password. It could have been a low-grade terrorist organization that researched industrial control systems. Oldsmar made this hack extremely easy. We don’t want to live in the first chapter of a Tom Clancy novel. Our utilities and our businesses need to beef up their cyber defenses. Our lives may depend on it.
The Conflict: For years, my mother-in-law insisted on stuffing the turkey – with stuffing. She wanted the stuffing to get all the turkey deliciousness by absorbing the juices. I didn’t really like it because the stuffing was soggy, and we had to cook the bird longer. That meant dry breast meat.
The Solution: Now, our family is in charge of the Thanksgiving meal. We don’t stuff the turkey. We brine it. Then smoke it. The result? Juicy turkey breast, and crisp, fluffy stuffing. I win.
The Concern: The problem is with putting stuffing in the bird, you can end up with salmonella poisoning if you don’t get the center of the bird up to 160 degrees. That’s what the experts say, anyhow. I’ve never felt like it was worth the risk to test that hypothesis. So, I just kept my mouth shut and soaked the dry breast meat in salty gravy.
Credential Stuffing: There is another stuffing that will make you sick. It’s called “Credential Stuffing.” It works like this: You read a really captivating Cyber Tripwire article about passwords. You’re instructed to make them long. Thus, you create a portmanteau of the first name of every grandchild and their birth year. Then to make it really strong, you put an exclamation point at the end. NO ONE will ever guess that! You have your new favorite password.
Just One Password: Next, you proceed to change all of your passwords to that new, really strong one. Instagram, Facebook, Bank of America, LinkedIn, Gmail… the list goes on. Every website you use regularly now has a really strong password—the same password.
The Opening: All it takes is for a threat actor to get the password database from one of those sites, and they will have your email address and password for every other site, especially your email account.
Textbook Scams: What they do next is textbook. They log into your email account and send spam emails to everyone in your address book, straight from your account! One of my clients received an email this week from the victim of an attack just like this.
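From the other side of the fence, the attack in the two paragraphs above has a recognizable shape in a login log: one source address cycling through many different usernames, with a few successes mixed in because the leaked password happened to be reused on this site. The script below is an added example (not CyberEye’s code) that pulls that pattern out of a handful of constructed log lines in an assumed “time ip user result” format; the regex and the five-user threshold are assumptions to adapt to your own web server or identity provider export.

```powershell
# Added example (not CyberEye's code): spotting a credential-stuffing run in a
# login log. The sample lines are constructed, in an assumed "time ip user result"
# format; adapt the regex to your own log export. Thresholds are assumptions.

$sampleLog = @'
2024-01-15T08:00:01 203.0.113.10 alice FAIL
2024-01-15T08:00:02 203.0.113.10 bob FAIL
2024-01-15T08:00:02 203.0.113.10 carol FAIL
2024-01-15T08:00:03 203.0.113.10 dave FAIL
2024-01-15T08:00:03 203.0.113.10 erin FAIL
2024-01-15T08:00:04 203.0.113.10 frank SUCCESS
2024-01-15T08:00:05 203.0.113.10 grace FAIL
2024-01-15T08:01:10 198.51.100.7 alice FAIL
2024-01-15T08:01:20 198.51.100.7 alice FAIL
2024-01-15T08:01:30 198.51.100.7 alice SUCCESS
'@ -split '\r?\n'

function Find-CredentialStuffing {
    param(
        [string[]] $Lines,
        [int] $MinDistinctUsers = 5   # one source trying many different accounts
    )
    $pattern = '^(?<time>\S+)\s+(?<ip>\S+)\s+(?<user>\S+)\s+(?<result>FAIL|SUCCESS)$'
    $events = foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{ Time = $Matches.time; Ip = $Matches.ip; User = $Matches.user; Result = $Matches.result }
        }
    }

    # Guessing against ONE account looks like repeated failures for one user
    # (198.51.100.7 above). Credential stuffing looks like one source walking
    # through MANY users, one try each, with occasional successes (203.0.113.10).
    $events | Group-Object Ip | ForEach-Object {
        $users     = ($_.Group.User | Sort-Object -Unique).Count
        $successes = @($_.Group | Where-Object Result -eq 'SUCCESS').Count
        if ($users -ge $MinDistinctUsers) {
            [pscustomobject]@{
                SourceIp      = $_.Name
                DistinctUsers = $users
                Attempts      = $_.Count
                Successes     = $successes
                Action        = 'Likely credential stuffing: block the source, force a password reset on the successful accounts'
            }
        }
    }
}

Find-CredentialStuffing -Lines $sampleLog | Format-Table -AutoSize
```

The accounts that show up under Successes are the ones whose owners reused a password that leaked elsewhere; resetting them and turning on multi-factor authentication closes the door the same way a unique password per site would have kept it shut in the first place.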
The email read something like, “Hey, when you get a second, I have something important to talk about. Let me know your availability.” If the recipient replied, there was an immediate response. It read, “Thanks for getting back with me. My daughter was diagnosed with cancer. I’m hoping you can help out financially. Just send me some Google Play gift cards.” This was a classic gift card scam.
The Process: Gift card scams and their variations, such as “The Refund Scam” and the “Fake Tech Support Scam,” almost always involve gift cards. Here are a few characteristics to watch out for:
Someone CALLS YOU on the phone promising an unexpected monetary award (refund or sweepstakes).
Maybe you get a scary pop-up screen on your computer notifying you of several viruses detected. The screen has an 800 number prominently displayed (Remember: Emotion shuts down the logic center of your brain.).
The person on the phone almost ALWAYS has a non-American accent (No prejudice here. Just fact.).
The person on the phone, or the fake tech support person “accidentally” refunds you too much money.
They need you to “help them get that overpayment back or they will lose their job” (Preying on your natural goodness.).
They instruct you to buy several thousand dollars in gift cards.
Or, they may instruct you to use Western Union to wire money.
Or, they may instruct you to get physical cash from the bank and ship it via FedEx.
Notice the Signs: No matter what the person tells you, or what you see on the computer screen, these are tell-tale signs of fraud. If you find yourself in a situation like this, immediately hang up the phone and contact the cyber guys from CyberEye BEFORE any transactions take place.
Cyber Food Poisoning: Undercooked stuffing can make you sick. Credential stuffing leading to a gift card scam is no less annoying than food poisoning.