Friday, April 12, 2019

Surviving a Ransomware Attack in Healthcare

Ransomware in Healthcare

The rising instances of ransomware attacks is harrowing to say the least. Attackers seek to achieve quick financial gains through the use of this tactic and to be frank, it is working.

Ransomware is a type of malware that is spread through many different avenues. Organizations may run into a situation where an employee was sent a phishing email with a malicious link in it that redirects web traffic and downloads the ransomware to the user’s machine automatically. This is the most common tactic attackers will use to spread their ransomware, coming just ahead of using a spoofed website as seen in the image below:

Source: Ponemon Institute, https://www.ponemon.org/local/upload/file/Ransomware%20Report%20Final%201.pdf

Source: Ponemon Institute, https://www.ponemon.org/local/upload/file/Ransomware%20Report%20Final%201.pdf

Ransomware sample display screen

How Does the Ransomware Work?

Once the ransomware is present on a machine, it starts the process of encrypting the hard drive, leaving the user with no access to any of the documents that they were working with, or that were present on the machine at all. The attackers retain access to the encryption keys and are essentially holding the organization’s data hostage until payment is received, or the organization ignores the request because they have full and accurate back-ups of all data. Typically, in these attacks, the storage on the machine is encrypted immediately, leaving the user with a screen that looks much like this:

Ransomware statistics showing targeted industries

What is the Attacker Looking to Gain?

In the case of a healthcare environment such as a hospital, this can be extremely challenging because there is no flexibility in the availability of these files. Health care providers must have them. There are times when the ability to access these documents is literally life or death. This forces the hand of the health care organization into paying the fee the attackers request. Many organizations have started to keep intermediary organizations to quickly initiate these payments in Bitcoin (which is what is typically used for these ransomware attacks). 

The attackers in this case are extremely knowledgeable about the financial aspect of this type of attack, and they understand that the organizations that are targeted will likely not pay the ransom if it is too high. They have found a sweet spot in the amount of ransom to charge, and according to (Ponemon, 2017), that amount is $2,500. That is the amount that most companies are willing to pay in order to have their data decrypted and returned to the original state. In speaking specifically about health care organizations, this amount is tiny when thinking of the devastating effects that could come from not paying the attackers.  

How to Protect your Organization’s Data

The first thing to do to ensure that your organization is protected from ransomware and most other types of attacks is to educate your employees about the importance of computer security and malicious links. Intelligent employees can identify and report suspicious emails to the proper authorities and ensure that there is no initial vector for the ransomware at all. Secondly, preparation is key in this situation. Preparing for the inevitable attack is the best mindset to have, and this can be in the form of mail filtering, proxies, and firewall rules. In the event that something does happen, all organizations should have a plan in place. Who do you call if you log into your computer at work and that ransomware screen pops up? There is nothing wrong with holding a tabletop exercise with your employees and walking through exactly what needs to happen. With an approach that encompasses these important aspects along with your local tactics and techniques, you can sleep well at night knowing that although you can never say that you’ve won the war, your organization has done its due diligence in preparing for the battle.

Photo - John Tagita Jr.jpg

Author Bio

John Tagita Jr. is a Sr. Cybersecurity Engineer intern with Alpine Security.  He holds a variety of industry certifications including CISSP, GIAC, GCFA, and CCFE.  John has a passion for forensic investigations and breach response cases, application security, penetration testing, and blockchain technology.  He holds degrees in Information Technology, Cyber Security, and Criminal Justice.  John is currently active duty in the US Air Force service as a Cyberwarfare Training Chief.

When John is not working in the cyber security arena, you may find him developing Capture the Flag competitions, such as Hacktober or Hack The Arch, or competing himself.  He also is passionate about security research and networking with other like-minded hackers.  John loves spending the rest of his down-time with his beautiful wife and his four devilishly handsome sons.

Link up with John on social media at https://twitter.com/attackd0gz on Twitter, and https://www.linkedin.com/in/netsecspecialist on LinkedIn.

Sunday, April 7, 2019

CIS Control 2: Are You Running Software Unaware?

CIS Control 2

My prior blog on CIS control 1 noted the importance of knowing every hardware device connected to a network. CIS control 2 also speaks to this type of basic security hygiene, only it is software and application specific. Often, attackers will look for unpatched or unsupported software to target, regardless of the system it is running on, or the type of business using it. It is a bootless errand to make sure everything hardware related is hardened as effectively as possible when deprecated or infected applications may be running in the background, allowing the point of attack all the previous hard work was meant to deny.   

CIS Control 2:  Inventory and Control of Software Assets 

Critical Control 2 states: “Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution” (CISv7).  This control is intended to prevent such things as zero-day exploits, when a previously unknown vulnerability is exploited, and other attacks through unpatched, known vulnerabilities in software applications. In order to successfully defend the software on a network, it is of vital importance to conduct a thorough and definitive software asset inventory. Like the physical asset inventory, the software asset inventory must be a live document that is constantly maintained and updated, possibly in concurrence with a patch and update list. At minimum this inventory should include the name of software and applications, along with known vulnerabilities and a system for keeping track of updates and patches. Like Control 1, Control 2 is subdivided into sub-controls to make adoption less onerous.

CIS Control 2:  Sub-Controls

Sub-control 2.1:  Maintain Inventory of Authorized Software. 

Best practices are to use only authorized software that is supported by the vendor

This sub-control addresses the necessity of maintaining an up-to-date list of all authorized software necessary for an organization to run business systems for business purposes.  Machines that have not been searched for all software are more likely to be running applications that may not be for business purposes, introducing an unnecessary risk.  Unmonitored machines are more likely to harbor undetected malware.  Once a single network foothold has been found, attackers will exfiltrate sensitive data and leverage this infected machine into several infected machines and networks as well.  The infected machines may also be used as part of a DoS/DDoS campaign.  Sustained and managed software control plays a critical role in executing backup, as well as planning and implementing incidence response and recovery. 

Sub-control 2.2:  Ensure Software is Supported by Vendor. 

When software is supported by the vendor, that means there will be published lists of vulnerabilities and patches, and these will be offered to the users.  When software is no longer supported by the vendor, then these patches and updates do not occur, leaving a system at risk.  Many attackers will search for outmoded software usage and attack through known vulnerabilities.  If any software is running that is unsupported, it should be noted in the inventory, and alternatives considered where possible. 

Sub-control 2.3:  Utilize Software Inventory Tools. 

This will greatly simplify the software documentation process.  Offerings run from commercial to open source and encompass a range of prices, so that there is a product for budget. 

Sub-control 2.4:  Track Software Inventory Information Software. 

As previously mentioned, the inventory should record the name, version, publisher and date of installation, as well as state the authorized operating systems. 

Sub-control 2.5:  Integrate Hardware and Software Asset Inventories.

It is recommended to tie the hardware and software asset inventories to each other so they may be managed from one central location, for ease of management. 

Sub-control 2.6:  Address Unapproved Software. 

This is a good point in the process to address the issue of any unauthorized software that may have been found.  It is good if there is a company policy for unauthorized software usage, but for our purposes the software should be either removed or added to the inventory. 

Sub-control 2.7:  Utilize Application Whitelisting.

Application whitelisting is the creation of an allowable software list.  Only software on this list will start and run on the system.  Anything not on the list will be prevented from starting and running.  

Sub-control 2.8:  Implement Application Whitelisting of Libraries. 

This is the process of allowing only certain types of software to run, such as “dll.”, “ocx.”, etc.  These specifications can help prevent malicious versions of acceptable software from running. 

Sub-control 2.9:  Implement Application Whitelisting Scripts. 

Application whitelisting must also protect the system against any unauthorized scripts. 

Sub-Control 2.10:  Physically or Logically Separate High-Risk Applications. 

High-Risk Applications can lead to viruses

Some applications may be needed to conduct business, but are inherently riskier than other applications.  These applications should be isolated by segmentation or with a dedicated operating system and workstation. 

At this time, whitelisting programs are often being bundled with firewalls and IDS/IPS. Most offer customizable whitelisting, and some allow for “gray” list functions, such as allowing administration to determine what programs can use what resources at what time of day.

CIS Control 2 and Beyond 

Of course, implementing the CIS controls is not something that can be accomplished in a short amount of time, and many seek specialized help. Alpine Security offers assistance to businesses of any size to ascertain how far they have already complied, and in what areas they may still need to make changes.  If the list seems long and the task ahead daunting, our specialists can help break things down and give your organization a roadmap to completion.  Alpine Security always offers a free consultation on our Enterprise Security Audit (ESA) Service. The ESA is based on the Top 20 Critical Controls published by the Center for Internet Security. The ESA is intended to provide a comprehensive picture of where an organization currently falls in Critical Control Implementation, while also delineating a roadmap for full implementation. With the increase in variety and methods of attack on organizations of all sizes and types, running malicious software unaware can become much more costly than the time spent making sure an organization knows everything that should be running on their system, and more easily able to spot when something should not be.

Author Bio

Mary, striking a Yoga Tree Pose

Mary, striking a Yoga Tree Pose

Mary Thierry is a Cybersecurity Analyst and Office Manager with Alpine Security.  She is earning her Master’s Degree in Cybersecurity from Maryville University in Missouri.  Mary was raised in rural Illinois on a farm, in a town with 500 people in it.  If you ask her nicely, Mary will tell you how to start heavy machinery on a cold morning, the best types of fertilizer, and the best places to build a deer stand.  Earlier in her career, Mary taught special education, and then worked as a higher education facilitator for disadvantaged teens.  Mary has a disabled daughter and is an advocate for persons with disabilities.  Outside work, Mary loves to spend time with her family, bake, read Science Fiction/Horror and attend Yoga classes.

Wednesday, March 27, 2019

Vulnerability Assessment With Nessus Home - Part 1

Part One of a Two-Part series

Introduction

If you work in the field of Information Technology, you have probably heard of Vulnerability Assessment (VA). VA is a process of identifying security vulnerabilities in a system. It is recommended that you conduct a VA against your organization's network every quarter, and if your organization follows certain policy and standards, such as PCI DSS, VA is a requirement. However, organizations should not be the only ones conducting VAs against their network; average home users should also conduct vulnerability assessment against their network. In this blog, I will guide you through the process of performing a VA against your network using Nessus Home.

What Is Nessus?

Nessus is a vulnerability scanner developed by Tenable and there are two versions of it: Nessus Home and Nessus Professional. Basically, the major differences between the two are that you can only scan up to 16 IP addresses per scanner, and you won’t be able to perform compliance checks and content audits with Nessus Home. Most average users will not have more than 16 systems, and there is no need to run compliance checks or content audits on your home systems.

Vulnerability assessments are typically done by running authenticated scans, which means the scanner will authenticate against the systems its scanning. The scan will then come back with much more detailed information about a system. With Nessus, you can perform authenticated scans against different operating systems such as Windows, Linux, and Mac OS via different methods such as SMB, SSH, SNMP, Telnet, etc.

Installing and Setting Up Nessus

For demonstration purposes, I will walk you through the process of installing and setting up Nessus and performing an authenticated scan against Windows 10.

To use Nessus, you need to obtain an activation code on Tenable's website, which is (https://www.tenable.com/products/nessus-home). Use your name and email address, and the code will be sent to your email.

Registering for an Activation Code

Registering for an Activation Code

  Emailed Activation Code

Emailed Activation Code

Once you receive your code, go to this page (https://www.tenable.com/downloads/nessus) and download Nessus. Choose the appropriate package. In my case, I'm going to download the package for Windows 10 (64-bit).

Downloading Nessus

Downloading Nessus

Install Nessus. During the installation, Nessus will install a tool called WinPcap, which will allow Nessus to capture live network traffic. Check Automatically start the WinPcap driver at boot time option and install WinPcap.

Nessus installer

Nessus installer

  Nessus Setup Wizard

Nessus Setup Wizard

  Select the start the WinPcap driver at boot option

Select the start the WinPcap driver at boot option

Nessus runs on TCP Port 8834 on your local machine. To access the web console, open a browser and navigate to https://localhost:8834. Once the installation is complete, your default browser will open, and it will ask you to connect via SSL. Click Connect via SSL and your browser will display a warning saying that the certificate cannot be trusted. This is normal since Nessus uses a self-signed certificate. Proceed by clicking Go on to the webpage (Different browsers will have different wording, but they will give you an option to accept the risk and proceed).

Welcome to Nessus!

Welcome to Nessus!

  Certificate Warning, Select Go on to the webpage

Certificate Warning, Select Go on to the webpage

Create your account. Make sure you use a strong password! Once you create an account, you will be asked to enter your activation code that was sent to your email. After you enter the code and click Continue, Nessus will start to set up the plugins and other files that it needs to perform a scan. This process will take a while so take a break and come back in an hour or so. After the setup is complete, you’ll be greeted by the web console.

Creating a Nessus account

Creating a Nessus account

Registering the scanner

Registering the scanner

Initializing Nessus

Initializing Nessus

Nessus using Localhost and Port 8834

Nessus using Localhost and Port 8834

You can create a new scan by clicking New Scan on the upper right corner. You’ll see that certain templates aren’t available until you upgrade to Nessus Professional, but you still have access to templates such as Advanced Scan, Basic Network Scan, Host Discovery, Malware Scan, Spectre and Meltdown, and WannaCry Ransomware. It is straight forward to use these templates; you give it the IP addresses you want to scan, and credentials if you want to perform the recommended authenticated scan. Setting up a scan and properly performing an authenticated scan will be covered in Part II.

Listing of Scan Templates for Nessus

Listing of Scan Templates for Nessus

Useful Tips and Tricks

Now, I would like to share how some tips and tricks that I’ve acquired using Nessus for about a year. This is a personal preference, so you do not have to follow my suggestions. It will involve tweaking some settings and if you don’t want to, that’s fine. It won’t affect the performance of the Nessus scans.

By default, Nessus will automatically start and run in the background on boot on Windows. I don’t like how it’s running when I don’t need it (On Linux, Nessus does not start automatically by default and you need to start it manually, which is what I prefer!). In order to prevent Nessus starting on boot, open Services and find Tenable Nessus on the list. You will see that it is set to Automatic. To change this, right click on it and set Startup type to Manual. Nessus won’t start on boot anymore and you’ll have to manually start/stop it. To do so, open a Command Promptor PowerShell and type net stop/start “Tenable Nessus”.

Windows Services

Windows Services

Configuring Nessus to manual start using Windows Services

Configuring Nessus to manual start using Windows Services

Net Start/Stop of Nessus

Net Start/Stop of Nessus

According to Tenable, they release more than 100 plugins weekly. This means that you will have to update Nessus frequently in order to use those new plugins. If there is an update available, Nessus will let you know when you log into the GUI. However, I prefer updating it from the command line. To do this, open a Command Prompt or PowerShell as an administrator and navigate to C:\Program Files\Tenable\Nessus directory. Once you are there, type .\nessuscli.exe update –all (.\ is not needed if you are doing this from the Command Prompt). Nessus will download the updates from nessus.org. Make sure to restart Nessus after you update it.

Nessus Directory

Nessus Directory

  Nessus Update from command line

Nessus Update from command line

Lastly, Nessus rates the findings with its severity levels: Critical, High, Medium, Low, and Informational. Prior to Nessus v8, it listed the findings by severity but now it “groups” certain findings. I find this feature not very helpful and annoying, so I disabled it right away. To do so, click on Settings next to Scans, go to Advanced, and type groups. This will return two settings: Use Mixed Vulnerability Groups and Use Vulnerability Groups. Set the values to No. You are welcome.

Nessus Groups

Nessus Groups

Nessus Advanced Settings

Nessus Advanced Settings

Conclusion

Nessus Home is a great vulnerability scanner that everyone should be using, not just cybersecurity professionals. In this blog, I’ve demonstrated installing and setting up Nessus on Windows. In Part II, I will demonstrate how to set up an authenticated scan and tweak some settings on Windows to allow Nessus to perform an authenticated scan.

Author Bio

Joseph Choi is a Cybersecurity Analyst with Alpine Security. He holds several security-related certifications, including Certified Ethical Hacker (CEH), EC-Council Certified Security Analyst (ECSA), CyberSec First Responder (CFR), Security+, and Network+. Joseph is a graduate from Truman State University with a B.S. in Business Administration.

Joseph's cybersecurity experience began at Alpine and includes penetration tests, vulnerability assessments, and wireless penetration tests. He was born and raised in South Korea until the age of 10 when he moved to Mexico. It wasn't until 2007 that his family moved to the States where he completed his high school and college education. He is a fan of Mr. Robot, and in his spare time he enjoys spending time with his girlfriend, taking long walks around the park, and going to the gym.

Mr. Robot Walkthrough (Vulnhub)

Source: USA Network

Source: USA Network

Anyone who is inspired to partake in a challenging course such as the Offensive Security Certified Professional (OSCP), or Licensed Penetration Tester-Master (LPT (Master)), knows that practice makes you a better hacker. Vulnhub is a great resource to find purpose-built virtual machine images to practice on. This image is based on a popular TV show, and we are going to walk through exploiting it together.

The first step in the hacker’s methodology is enumeration, so that is where we will start, with an Nmap scan of our target’s IP.

Nmap scan performing enumeration of the target

Nmap scan performing enumeration of the target

We have found a web service, as well as SSH running. We will look deeper at the web service to see if there is anything there that we can take advantage of.

Mr. Robot based scenario - #fsociety

Mr. Robot based scenario - #fsociety

No typical commands work here, so I choose to run Nikto against the server to see if there are any glaring vulnerabilities.

Found a possible vulnerability

Alright, we can see the directory contents. There is a file there, so let us grab it.

Captured the dictionary file but still need usernames

Captured the dictionary file but still need usernames

We've found a dictionary file for a password attack, but we do not have any usernames yet... let us keep looking.

Running Nikto reveals that a WordPress site is being hosted at that IP, which is obviously a high-value target any time we find it.

Nikto is web server scanner which performs comprehensive tests against web servers.

Nikto is web server scanner which performs comprehensive tests against web servers.

We can jump right in to the WPSCAN and see what we can come up with.

WPSCAN is a WordPress vulnerability scanner.

WPSCAN is a WordPress vulnerability scanner.

There are tons of vulnerabilities and I am not positive any are going to lead anywhere, so I will start a brute force on the user "root" while I do some more enumeration.

Brute force attack against the system administrator account or “root”.

Brute force attack against the system administrator account or “root”.

Through our Nikto results, we saw a few more pages to check out. At /readme (grammatical mistake is courtesy of the page).

image8.png

Based on prior WP knowledge, we know that there should be a login page, so let us check it out at /wp-login:

WordPress login page

WordPress login page

Now that we have a login page and a dictionary file, let us try to login. This time, we will use WPScan again, and we will use the file as a user file and a pass file. And... we are in.

Successful credentialed login using the dictionary file.

Successful credentialed login using the dictionary file.

We can do a lot more to the server now that we have credentialed access.

Since the environment I am in does not lend itself to a reverse shell, and I am unable to upload a php file, I must be a bit more creative.

There is a project called the WordPress Exploit Framework (WPXF) that I have not had a chance to play around with, so this might be a good opportunity. After a brief break for configuration and installation, we have WPXF running on Kali.

WordPress Exploit Framework (WPXF)

WordPress Exploit Framework (WPXF)

This worked well, and I was able to find a new user, "robot", and a password of "abcdefghijklmnopqrstuvwxyz". Now we will jump into ssh and see if we can figure the rest of this challenge out.

SSH using robot as the user name

SSH using robot as the user name

Since we have found 2 of 3, we know there is one more key out there. Now we will try a search using regex to find the file.

Without root access, we are not going to find it, but luckily Doc Sewell just reminded me that Nmap runs as root during our LPT-M class, and I saw that Nmap is present, so we will try to exploit this.

Found key 3 using Nmap

Found key 3 using Nmap

So, that is all there is to this machine. Using the knowledge that we have from the LPT-M and general hacker’s methodology, we were able to easily exploit the box and find all three keys. If you are interested, check out the VM at https://www.vulnhub.com/entry/mr-robot-1,151/ and give it a shot.

Photo - John Tagita Jr.jpg

Author Bio

John Tagita Jr. is a Sr. Cybersecurity Engineer intern with Alpine Security. He holds a variety of industry certifications including CISSP, GIAC, GCFA, and CCFE. John has a passion for forensic investigations and breach response cases, application security, penetration testing, and blockchain technology. He holds degrees in Information Technology, Cyber Security, and Criminal Justice. John is currently active duty in the US Air Force service as a Cyberwarfare Training Chief.

When John is not working in the cybersecurity arena, you may find him developing Capture the Flag competitions, such as Hacktober or Hack The Arch, or competing himself. He also is passionate about security research and networking with other like-minded hackers. John loves spending the rest of his down-time with his beautiful wife and his four devilishly handsome sons.

Link up with John on social media at https://twitter.com/attackd0gz on Twitter, and https://www.linkedin.com/in/netsecspecialist on LinkedIn.

Tuesday, March 26, 2019

Incident Response Plan: The Tool You Hope You Never Need

Cybersecurity and threat defenses

It’s no question that in cybersecurity, defense is the best offense. In the constantly changing threat landscape, the tie often goes to the attacker, and businesses are forced to act like turtles putting up shells of security to ward off threats.  That is not always a bad thing; using a well-constructed defense- in- depth plan can greatly limit the likelihood of a successful attack.  I would like to believe we can get to a 99.99% level of security.  Even if that were true, that extra .01% keeps me up at night. What do we do if the controls fail? How do we respond then? What do we do the other 1% of the time? Once we find out that our emails have been hacked, or our money has been stolen is not the time to ask, “what now?” Even worse, what do you do when you suspect that an insider has embezzled funds and the evidence is located on their computer? Though we invest in and rely on our security controls, it is unfortunately not always enough.  We must have a plan for the .01%.

Those Who Fail to Plan, Plan to Fail.

In the world of cybersecurity, one of the biggest reasons companies find themselves becoming victims is because they fail to plan for their IT growth, especially for security. Often small to medium business put little to no thought into cybersecurity until after they have become a victim. As a business grows the need to protect that growth comes with a lot of hard decisions. Many times, a balance must be struck between expanding revenue, generating sources like equipment, and personnel and infrastructures like email servers and IT staff. Many businesses quickly find themselves outgrowing their IT infrastructure before they even realize it has happened. They often don’t realize they have a problem until a compromise or critical failure takes place.

What’s At Stake?

It is imperative to consider what is at stake.  The answer is possibly more than you think. Recently a client asked me to give them some case studies to show what the costs of not being properly prepared could be. In one case a small business had $1.5M stolen from their bank accounts over a period of three days using a fairly straightforward cyberattack. Within a few weeks, they were forced to lay off employees and file bankruptcy. Other less obvious risks arise that business may not know how to deal with until it is too late. What happens if an employee uses a personal device on the company network for illegal activity? Is the company protected? What if an employee embezzles funds from a partner corporation and millions in contracts are tied up in litigation? What do you do with that employee’s computers and devices? These are the types of situations that we see on a daily basis and represent that .01 % of cases in which one wrong move could mean the difference between liquidation and salvation. Obviously, we cannot plan for everything, but having a well-laid incident response plan and a trained team in place to execute can prevent a lot of grief in the long run.

What is an Incident Response Plan (IRP)?

The goal of an incident response plan is to have an answer prepared for those “what if” situations. The type of situation can vary from a power outage to a data breach, and the depth of the incident response planning should be based on the likelihood of an event taking place and the severity and level of impact if it does. The incident response plan will outline important information about communications during critical events; it may go as far as to outline authority and decision making matrices to ensure that risk is accepted at the appropriate level.

Key Areas to Cover

Incident response planning can be a daunting task at first glance. There is no end to the number of circumstances that can arise. The real key is to outline how to respond to incidents in a methodical manner, as well as identify who is responsible for acting during a crisis (see Incident Response Team below). The process of incident response is generally broken into 6 areas. Specific checklists and policies can be created for known risks, but these same steps can be used when an event you are unprepared for arises.

1.       Preparation – Creating policies and establishing standards for what constitutes an incident. Practicing and conducting drills or exercises to respond to incidents.

2.       Identification/ Detection – Tactics techniques and procedures to detect an incident in progress.

3.       Containment – Taking steps to prevent the spread or continuation of a breach or incident. This could be as simple as segregating a computer from a network or as complex as removing access to major systems.

4.       Eradication – Remove any corrupt or infected files, restore backups, ensure no other systems have been impacted. Restore or replace affected systems.

5.       Recovery – Return all systems to full operation.

6.       Review Lessons Learned – Identifying what went right or wrong from the incident for future use.

These steps may seem simple at first glance but can quickly become complicated. For example, If an IT staff member determines that a website has been infiltrated does that member then have the authority to take the web server offline while further investigation is conducted? How much revenue will be lost during the outage? Will other system be impacted? What are the risks of operating with a potentially compromised system? Outlining how much risk is acceptable and what level of management is responsible for accepting that risk is critical prior to an incident taking place.

Also of note, the preservation of evidence should be kept at the forefront during all of these stages, especially if there are legal or financial implications for the company or its employees. In some cases, evidence can be destroyed or made useless by something as simple as turning off a computer. Therefore training staff on what to do in these situations is so important. If there are any legal or financial implications, it may be worth bringing in a certified digital forensics team to assist with the protection of evidence. If that is a function that doesn’t exist in-house, bringing in an outside cyber forensics team should be part of the IRP.

Incident Response Team (IRT)

Incident Response Team to respond to cyber incidents

An important aspect of incident response planning is the establishment and training of an IRT. The IRT will be the boots on the ground that will lead the efforts during a cyber incident. While they may not do all the work themselves, these will be the key players who will oversee and coordinate the response to cyber incidents. It may be unrealistic to have all staff trained to handle an incident, so having a team of staff identified and trained ahead of time is key to proper indecent handling. The team should be small enough to be agile, as well as contain multidiscipline employees to allow for perspective and cross-functionality. Ideally, the team will be led by the CISO and contain members of the IT staff. It may also be wise to consider having personnel from other business units, especially legal, HR, and public relations.

Practice, Practice, Practice.

Having an incident response plan sounds good on paper (pun intended), but it is important to test the plan on a regular basis. This will ensure that the team is still current on their responsibilities, able to identify holes in the plan, and give you an opportunity to update for any changes since the last time the IRT was practiced or used. I recommend testing IRP at least semiannually and revisiting it anytime major changes are made to the business or its infrastructures.

It’s Dangerous to Go Alone

It’s ok not to be the expert at everything. You are already great at what you do! If you would like help with security control audits, incident response planning, digital forensics, incident response, or any other cybersecurity service, Alpine Security is just a click away. Often it is more cost effective and less stressful to bring in a consulting team to help whip an organization into shape than try and go it alone.

Author Bio

Isaac (on the left) hiking in Vietnam

Isaac (on the left) hiking in Vietnam

Isaac Wright is a Cybersecurity Analyst and Trainer with Alpine Security. A veteran of the US Air Force, Isaac has more than 15 years’ experience in electronics maintenance and security.  He holds degrees in Electronics Systems and Education and Training Management as well as a master instructor certification.  Isaac has a long history of maintaining, hacking, modding, and using electronics systems from networks and computers to radios and consumer electronics.  Isaac has leveraged his expertise to advise CIOs in large multi-site organizations on vulnerability management and risk mitigation. 

When not teaching or analyzing network traffic, Isaac loves to play board games with family, fish, camp, and experience everything the world has to offer.  An avid traveler, Isaac has been to more than 15 countries and especially enjoys Asia.

General Data Protection Regulation (GDPR) Overview

General Data Protection Regulation (GDPR) is a European Union (EU) Regulation that applies in the United States if collecting EU citizen information

The new European Union (EU) Regulation 2016/679 GDPR (General Data Protection Regulation) have gone into effect May 25, 2018. This will have a far-reaching effect and identify many possible repercussions for any organization collecting, processing, and/or storing any EU citizen’s information.  Your company need not be located in any of the EU countries; rather if your company collects any EU citizen’s information, your company must adhere to and be complaint to the new regulation. 

The essential characteristics of the regulation are to protect personal data as a fundamental right and that privacy is to be respected as an expectation of the GDPR. The GDPR creates a greater level of harmonization across the EU for the sharing and exchange of data. Implementation of the GDPR requirements necessitates a greater level of protection of a person’s digital identity. The reason for such an increased worldwide emphasis on compliance is due to the imposed fines that can be applied if you fail to manage the privacy data appropriately. Fines are set at 4% of the noncompliant organization’s global revenue

 

Who is Responsible for GDPR?

There are two specific roles that are defined in the regulations, the first is the data controller and the other position is the data processor. A data controller is the collector of the data for internal or outsourced processing. The expectation is that an individual’s consent is required to collect the information. This role is responsible for documenting the format of how the data is to be utilized throughout its lifecycle within the organization, privacy policies, and the ability to process requests for data portability, rectification, objection, etc. The duties that are required for this role include compliance to protect the data subject’s rights. Examples of data controllers include social media organizations, education institutions, health organizations, banks, etc. If your organization determines how the data is to be processed and the purpose of that processing, this indicates a data controller.

A data processor is a natural or legal person, public authority, agency or other body responsible for managing and storing data on behalf of the controller. Specific clauses within the regulation require the same technical and organizational measures to be applied to the controller as well as the processor. An example would be an outsourced payroll company; the data controller tells the payroll organization who to pay and what amount. If you are not making these decisions and just acting on a request, this indicates a data processor. The required liability flows through the chain of data processing. Specifically, the data controller has liability if a data processor fails to fulfill his obligations.

 

What data is in scope?

Article 4(1) states: “‘personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;” Elements of data types could include IP addresses, cookie data, or a photograph associated to an account. In many cases, personal customer data will be in multiple formats and forms in CRMs (Customer Relationship Management systems), contracts, sales contact databases, etc.

 

How CIS can help

Specific to the data controller and the data processor roles, responsibilities are to “implement appropriate technical and organizational measures to ensure and be able to demonstrate that processing is performed in accordance with the regulation.” CIS offers a multitude of best practices and cybersecurity solutions to help organizations on the path to GDPR compliance.

A strong starting point is to utilize a CIS SecureSuite Membership, which includes access to tools such as CIS-CAT Pro and remediation kits, to assess and harden systems. “Hardening” is the process of limiting vulnerabilities in a system to reduce cyber threats. Hardening systems to the CIS Benchmarks™, secure configuration guidelines for over 150 technologies, provides a platform for compliance and is a recognized foundation to build your remaining data infrastructure. Measure system conformance to the CIS Benchmarks with CIS-CAT Pro Assessor, our configuration assessment tool which provides assurance that the target system is hardened to the standard. It is not sufficient to simply state compliance to a particular benchmark – measure and prove it with the dynamic reporting features of CIS-CAT Pro Dashboard. 

GDPR

If you are working in the cloud, the CIS controls offer pre-hardened virtual machines on the Microsoft Azure Marketplace and Google Cloud Platform (GCP), and Amazon Machine Images (AMIs) on Amazon Web Services in the AWS Marketplace, including the AWS GovCloud (US) region and IC region. CIS Hardened Images conform to the applicable security standards of the CIS Benchmarks, bringing on-demand security to cloud computing environments.

The CIS Controls are a prioritized set of cybersecurity best practices to help organizations improve their security posture. Version 7 of the CIS Controls was released in March 2018 and contains following guidance that can be applied to GDPR compliance. The CIS Controls can serve both as a measurement process to encourage compliance as well as for implementing a security control framework within your organization. In many cases, the entire CIS Controls can be applicable to implement a structured and measured approach to compliance and security for the organization.  GDPR will require a complete understanding and visualization of the data flows for personal information throughout your enterprise. The regulation extends to data controllers and processors. It may seem challenging at first, but with due diligence, documented plans, and help from the cybersecurity resources available from CIS, the road to compliance is achievable.

 

Why is this applicable to companies in the United States?

Why is this applicable to companies in the United States if your company is not doing any business with EU countries? California will soon be implementing the California Consumer Protection Act (CCPA) in July of 2020. California’s CCPA mirrors the EU Regulation 2016/679 for GDPR.  Companies in New York doing business with companies in California and collecting consumer data will be required to meet the CCPA.  Companies need to move forward and begin the process on GDPR compliance. Here are three key areas in which to move ahead with compliance readiness: 

  • Analyze, develop, and execute GDPR programs across your organization’s systems, processes, people, and policies

  • Make it a team effort - Get all of your relevant teams working together 

  • Ensure buy-in from your management to stay on top of GDPR compliance 

GDPR will ultimately lead to companies gathering just enough data from individuals in order to complete any type of conversion, transaction, or order agreement. But the optimistic viewpoint is that with greater clarity of data protection and privacy controls, consumers will become more comfortable with emerging digital practices, and when working with companies, will be able to form trust with these companies to hold their personal information in high regard.

Author Bio

Doug, shredding a solo.

Doug, shredding a solo.

Doug Stewart is a Senior Sales Manager. Doug brings a wealth of experience and is focused on sales and business development activities. Doug strives to help businesses meet the demands of their on-going cybersecurity requirements and helps them be adequately protected against cyber intrusions.

Doug is located in Colorado where he majored in Music and played hockey at Denver University. He played in a highly competitive hockey league for 24 years post college, and coached his children’s soccer and hockey teams for 12 years. Music is still a strong passion which he pursues professionally with his band.  He and his wife are the proud grandparents to three grand kids.