May 2020 - Fractional CISO

How Secure Are Your Employees’ Home Networks?

May 21, 2020

Everyone: “Rob, why don’t you deposit checks from your phone?”

Me, Pre-Pandemic: “Use the app on my phone? Are you crazy? The bank is right around the corner. It’s so easy to deposit checks there. If my phone were stolen, the attacker would have a leg up on getting my banking information. I feel safer at the bank.”

Me, Post-Pandemic: “Go to the bank? Are you crazy? My phone is right here in my pocket. If I go to the bank, I have to touch all of the buttons on the ATM. I feel safer at home.”

In case you hadn’t notice, times have changed. No more so than in the way business is being conducted. Anyone who can work from home, is. Which means there is a lot of data — much of it confidential — passing back and forth among your employees, customers, vendors and others.

Changing Risk Models

Over the past several weeks, we have had many interesting conversations with our clients regarding their corporate networks. In short, there is extraordinarily little data on them.

All the laptops have left the building and, other than some manufacturing operations and other need-specific uses, it’s mostly just a bunch of lonely printers wondering where everybody went in such a hurry.

And yet, despite the huge shift in data traffic from internal networks to home networks, we continue to see a focus among our clients’ customers on the former, as they remain primarily concerned with internal cybersecurity compliance.

Of course, security of the corporate network is still important. But the risk model has changed dramatically over the past couple of months. Better questions (and ones we hear from our clients, if not yet the compliance departments of their large customers) include:

How secure are our employees’ home networks?
How do we protect against whatever younger children and teenagers may be doing?
How insulated are the laptops that we issue?
Is it okay for employees to use their personal computers for corporate work? (I’ll answer that one here: “No.”)

Of course, there is a lot of “it depends” in the answers to these and other security-related questions. That said, here are five of the best things you can do to secure your data in our new, work-from-home world:

#1. Maximize encryption. Hopefully, most businesspeople are aware by now of the dangers of free Wi-Fi in a coffee shop, hotel room, or other public place. But the network in your home, if left unencrypted, is just as vulnerable to the prying eyes of a hacker in the apartment next door or in a car parked across the street.

Encryption, while not perfect, guards against all that. There are several types and they are steadily getting better, but at a minimum, your employees should be using something called WPA2 (WPA3 is even better, but not yet universally available).

#2. Update your router’s firmware. A router, like your computer, has software running inside of it (“firmware”). This needs to be updated regularly to ensure maximum protection. Some routers update on their own, automatically. Others need this done manually. You can learn more about keeping your router up to date, here.

#3. Change your router’s password. Every router comes with a default administrative username and password. In most cases, it’s printed on the side of the device. That’s convenient, but it also means that unless you built it yourself in the basement, somebody(s) else may have access to that username/password combination.

Change both of these and keep them in a secure location (like your password manager).

#4. Set up a guest network. This is exactly as the name suggests: a network intended specifically for guests in your home. Absent one of these, you’ll need to share your network password with every friend, relative, neighbor, cable technician, etc., who comes by and asks to jump on.

This type of network promiscuity can lead to the inadvertent introduction of malware and viruses into your home, as well as infiltration by bad actors.

#5. Keep all devices up to date. Most home networks have several devices connected to them in addition to computers — things like printers, smart TVs, game consoles, electronic picture frames and, of course, our scary friend Alexa and her counterparts.

In addition to removing those you no longer use, and putting those you still do on your guest network, these need to be kept up to date (“patched”) in order to help the network stay secure.

Final Thoughts

Telecommuting has been around for a long time. Decades, actually. But today, with so many of us working from home and so many laptops and other devices tossed into the mix, it’s vital that deliberate steps be taken to ensure the safety of our data.

Does all this seem like a lot of work? Maybe. But it’s nothing compared to the time, effort and cost of recovering from a security breech.

Now if you’ll excuse me, I’m off to the bank to deposit some checks. Oh wait, I stopped doing that…

To receive more great cybersecurity content for business leaders, sign up for our monthly newsletter: https://fractionalciso.com/newsletter/

Starting your cybersecurity program

May 20, 2020

How do you get your cybersecurity program started?

We know of a lot of mid-sized companies that struggle with getting their cybersecurity program going. Before you hire cybersecurity experts there is significant progress that an organization can make on its own. Don’t believe me?

Even when you hire an expert, you will need a team to help the program be successful.

The first and most important role is…

Check out the video.

FCISO

May 18, 2020

Why when you search for FCISO doesn’t the Fractional CISO website come up? I’ll tell you why…

Up until this point, we haven’t cared about the FCISO search term. However, now we are going to start using #FCISO for our LinkedIn hashtag so we do care about it.

Fractional CISO provides FCISO services to its clients.

What FCISO does

Fractional CISO helps organizations successfully complete and maintain various standards, certifications and attestations such as SOC 2, ISO 27001, ISO 27017, HIPAA, NIST 800-171, NIST 800-53, CIS Controls, Privacy Shield, PCI DSS and many others.

Fractional CISO establishes and maintains organizations’ cybersecurity program. The activities include technical and gap assessments, risk assessments, plans, policies, procedures, program and project management.

Many of our clients’ utilize AWS or Azure to host their solutions and products. We are often reviewing their access controls, backups, monitoring solutions and other technical controls to help them minimize their cybersecurity risk.

For more details about our FCISO offerings check out our About Us page.

FCISO key differentiators

There are three areas that we differentiate ourselves from others in the marketplace.

We develop tailored solutions to meet clients’ needs. We are not tied to any vendor. We engage clients with high value interactions.
We are quantitative. We help our clients invest wisely based on their budget and risk tolerance.
We have a team approach. Every project and client has at least two team members assigned, an FCISO and an analyst. That gives our clients higher availability, broader skillsets, and the ability to deliver content in parallel.

What on FCISO can do for you

Are your large customers and prospects demanding that you improve your cybersecurity program? Many of our clients are in the same boat! Your FCISO will assess your organization, build a plan and help you execute toward the plan.

To receive great cybersecurity content for business leaders, sign up for our monthly newsletter: https://fractionalciso.com/newsletter/

How to set up Threat Intelligence via Slack for Free

May 14, 2020

Threat Intelligence in Slack

Are you finding it hard to keep up with new major cybersecurity vulnerabilities that could affect your environment?

Unless cybersecurity is your full-time job, you’re probably not spending a lot of time wading through blog posts and listening to hours of podcasts just to keep up with every breaking story.

Most of us really just need to stay informed about the next “big one”, so that we can react quickly when our businesses are at risk. (Citrix Netscaler, anyone?). But how do you get the news you need without feeling overwhelmed?

The US Cybersecurity & Infrastructure Security Agency (CISA) is a reliable source for easily digestible security alerts and notices about major software products. They publish a manageable number of alerts, on average around one or two per day, which you can easily skim for items relevant to your environment. You can get these alerts on their website or in email, but it’s even easier if you add their RSS feed to a dedicated channel in Slack:

Visit the CISA’s US-CERT website to learn about the different types of notifications they have available. (Tip: “Alerts” is the most important, but it’s easiest to subscribe to all)

Visit their Mailing Lists and Feeds page and copy the RSS feed link for “All NCAS products”, or just the specific notifications you wish to receive (right-click and “Copy Link Address”, for example). You will paste the links in Step 5. If preferred, you can also subscribe to email alerts on this page.

Optional, but recommended: Create a new, dedicated channel in Slack to receive the feed. For example, “#us_cert”.

In a browser, Enable RSS feeds in Slack

Follow the instructions in Step 4 to access your RSS administration webpage and “Add a Feed”.

To receive all US-CERT feeds, use https://www.us-cert.gov/ncas/all.xml

Don’t be surprised if it takes a day or two for the first alert to appear!

SOC 2 vs ISO 27001

May 11, 2020

Should you get a SOC 2 or ISO 27001? We get that question all of the time.

The answer is simple…

It depends.

A SOC 2 is an attestation report that a CPA firm evaluates for effective security controls.

ISO 27001 is a certification that says that an organization is following a set of cybersecurity standards.

Both have significant overlap. If your organization has received your SOC 2 or ISO 27001 then clearly you have done a lot of work on your cybersecurity program. Both evaluations focus on good processes such as managing access control, change control and many good technical controls.

Check out the video to hear three of the key differences.

How to Gamify Your Incident Response Planning (And Make It Fun)

May 7, 2020

Zombies are attacking the perimeter.

They’ve made it past the outer defense wall and are trying to breach the inner wall. You’ve bolstered your gateway defenses, but the flood of zombies found a weakness. Their attack breaks through. What do you do?

Roll for initiative.

No, this isn’t one of those Dungeons and Dragons articles or some Walking Dead game.

I’m talking about how to inject some fun into your incident response planning with gamification.

A necessary evil

In theory, we all recognize the importance of practicing incident response. Practice makes perfect, am I right? But when a real security incident is happening, it’s probably not the ideal time to discover the effectiveness of an incident response plan.

Many cybersecurity frameworks — as well as cybersecurity industry certifications —recommend at least one incident response plan tabletop exercise per year.

In reality, however, we know how dreadfully boring that practice can be. Reading through a bunch of policies, procedures, and playbooks in a conference room for hours is hardly anybody’s idea of a good time.

It’s a necessary task we grin and bear.

It doesn’t have to be this way.

It’s time to D&D the IRP

While listening to a security podcast recently, I heard an intriguing idea about turning an incident response tabletop exercise into a tabletop game — which made perfect sense to me.

I mean, let’s be real, many of us in cybersecurity are self-aware enough to know we are a bunch of nerds. How many of us can say we haven’t geeked out on Dungeons and Dragons or other fantasy tabletop games at some point in our lives? (Definitely not me).

Incident response practice in the form of a “Knights of the Round Tabletop exercise” adds a randomness factor simulating real-life scenarios that don’t always play out according to plan. This strategy could be a great way to cut down on the monotony of those incident response exercises.

For anyone unfamiliar with the game Dungeons and Dragons, D&D is a tabletop role-playing game much like a choose-your-own-adventure book. It features players who make up fictional characters for their desired roles in the game, a main storyteller (the dungeon master) and an assortment of dice. The dungeon master is in charge of setting the stage and progressing the storyline of the game. The players choose their own actions within the story, but the success or failure of those actions is determined by the outcome of various dice rolls.

In a gamified incident response scenario, here’s what it might look like:

Incident Master (IM): An employee reports a phishing email. How do you respond?

Incident Responder(IR): Investigate the email.

IM: Are there procedures in place for handling reported phishing emails?

IR: No.

IM: Note lack of procedures. How do you investigate the email?

IR: Check to see if there are any links in the email.

IM: Please roll.

IM: Yes, there was a link in the email.

IR: Ok, then I put the link URL into VirusTotal to see if it is a known malicious link.

IM: Please roll.

IM: The link is reported as known malware.

IR: Did the employee click the link?

IM: Do employees take security training?

IR: Yes.

IM: Add modifier for employee security training. Roll for outcome.

IM: No, the employee did not click the link. What do you do next?

IR: Find out if any other employees received the same email.

IM: Please roll.

…and the scenario continues.

Knights of The Round Tabletop for your company

For the seasoned D&D player, it probably isn’t a big stretch to formulate a D&D style game around an incident response tabletop exercise.

For those who haven’t played or are mere novices in the dungeons and dragons realm like myself, here are two resources I found to help with the process.

The first, “Cubicles and Compromises,” has a one-page, reasonably simple set of rules and gameplay. It makes use of a single d20 (20-sided die) as opposed to the traditional set of seven dice used in D&D. In this game format, it’s up to the dungeon master to come up with the storyline or incidents. This is a simple version of a tabletop game, making it easy for everyone to follow. As such, not every participant requires experience playing a tabletop game, but the facilitator should have solid D&D skills for this to run smoothly.

The other resource I found is called “Oh Noes! An adventure through cyberz and $#*!”

This game provides a free out-of-the-box downloadable starter kit. The kit comes with a guidebook, guide sheet, character sheets, and slide decks. Making use of character sheets means the rules become more like traditional D&D gameplay and a bit more complicated, so there is a bit of a higher learning curve. The guidebook provides detailed instructions for the facilitator along with the gameplay rules. The slide decks provide a structured walk-through to guide the flow of the exercise, as well as numerous pre-written incidents.

The pre-written incidents are a great resource, but probably not applicable out of the box for most organizations, so they’ll need to be customized to fit the organization’s environment. While it does help to have an “Incident Master” with D&D experience, it isn’t entirely necessary due to the amount of content and structure included.

Here at Fractional CISO, the team will be rolling out our own Knights of the Round Tabletop exercise for our next client’s annual tabletop in the upcoming months. And for the first time ever, I can actually say I’m looking forward to participating in an incident response tabletop exercise!

To receive more great cybersecurity content for business leaders, sign up for our monthly newsletter: https://fractionalciso.com/newsletter/

Correct Horse Battery Staple Review – Password Advice

May 1, 2020

Correct Horse Battery Staple Review from xkcd

The “Correct Horse Battery Staple” piece at xkcd is still so popular! I guess if you want something to live on then make a comic about it…

In the comic, you have an example of the type of password that we’ve been taught to create by IT systems over the past couple of decades (Tr0ub4dor&3). All of its little nuances are diagrammed to show how complicated it is to generate one of these passwords

In the next two frames, you see that the statistical difficulty of being predicted is relatively compared to the “correct horse battery staple” approach, where using random words makes a password longer and greatly increases the computing power needed to guess it in a brute force attack. Then you have a person using a mnemonic device to effortlessly remember that ‘word-based’ password…

I wrote about how this was an “okay” idea three years ago. (meh) My advice now is largely the same, but several things have changed, so here is an updated Correct Horse Battery Staple Review.

Users Should Not Be Creating Passwords

Part of the problem is that users are still making up their own passwords, which, by and large, is an inefficient and problematic way to do cybersecurity.

Here’s the problem – any time you allow end users to choose their own passwords, many of them are always going to try to dumb it down to make it easier to remember, and no matter what the protocol is, you’re going to end up with relatively weak passwords. That’s why you see so many corporate systems scolding the user when they start to type in a new user-created password – use a special character! Use a capital letter!

Unimpressed by this nanny state password advice, people might put in things like “get into my computer” or “help me login” when they should really be inputting things like “eldritch foster peace mothballs.”

So (as you’ll see in the rest of this Correct Horse Battery Staple review) users should not be creating passwords for the most part. Instead, it makes more sense for companies to be using a password manager.

Password Manager instead of Correct Horse Battery Staple

A password manager doesn’t eliminate password threats, but it does reduce the attack surface for users who might otherwise leave themselves (and the company secrets that they have access to) pretty exposed and vulnerable.

Using a password manager changes user behaviors. It actually takes some of the responsibility from the end user, which is generally a good thing for everyone involved. Most people don’t come to a company wanting to be their own cybersecurity expert – they don’t want to have to be guided into creating their own ideal security apparatus! When they can get help, many of them are grateful for it. As our digital world evolves, we’re moving toward the point where fewer users will be creating and maintaining their own passwords.

If you are not with me on the password manager decision, check out this article. Or Google “password manager” and read advice from many top cybersecurity minds.

A password manager reduces an attack surface significantly for most use cases. The password manager is most effective with these tips:

pick a unique monster password for your password manager
never reuse or share the master password. (I mean never.)

When we do create passwords, it should be for the aforementioned password manager. We should also create passwords for our devices. Otherwise, we should delegate password creation and management to our password manager.

Bad Guys Read xkcd Too!

The “Correct Horse Battery Staple” password is now a widely-known concept. That also makes it less effective in some ways.

When creating password dictionaries, bad guys can use Correct Horse Staple Battery style passwords. As a matter of fact, the best password crackers combine dictionary words in their attacks. Ars Technica’s following of Nate Anderson’s newb crack at password piracy is just one example! Can you even believe it is possible to easily crack “”momof3g8kids”?

If you are stuck with the conventional password system, when you need to memorize a password, using a mnemonic device is absolutely good, because computers can’t re-create that kind of thinking. Hackers can program computers to use dictionary words, but they are less likely to excel at predicting the kinds of random things that people can commit to memory using a relational mnemonic device like the one in the comic so you’re usually fairly safe there. Still, there are other problems with the “random word” approach that are concerning.

Correct Horse Battery Staple Review of Dictionary Size

In our previous review, I criticized the dictionary size of “Correct Horse Battery Staple.” It turns out that I was not harsh enough!

According to experts, most adult native English speakers know 20,000 to 35,000 words, but that includes higher-level vocab that might rarely get used when you let end users put in their own passwords. What are the chances that a user-submitted passphrase would be “Grommet Addend Esoteric Tautology”? The evidenced trend is that people are more likely to select from around 3,000 very common words, and that means hackers have a lot fewer combos to run!

Our password complexity with four words at this level of vocab is now 3,000 to the power of 4, or 81 trillion possibilities. If you used a 9-character password made up of 26 lower case and 10 special characters you would have 101 trillion possible passwords. Alternatively, an 8-character password comprised of lower, upper and special characters will have 218 trillion possibilities.

With average hardware today, a cracker could break these types of passwords within a day using password dictionaries.

Word Correlation – Correct Horse Battery Staple Review

Following on from the above – with the problem of limited vocab, and the problem of user group behavior, you have scenarios where everybody is going to type in “Log me in please” instead of “avocado streetlight porch mercury.”

If the words are truly random, then the difficulty is much higher. But what if the words are tightly correlated? “Log me in please” would become the new “Password” or “123456.” You just can’t stop great minds from thinking alike!

Long Passwords Are Tough to Type

Also, let’s discuss user-friendliness, user error, and user fatigue. Do you know how many times I mistyped “Correct Horse Battery Staple” when writing this review? A bunch. Typing long words leads to errors, which are pretty annoying. The resulting confusion and frustration can reduce productivity, lock users out of systems, and lead to various kinds of chaos.

To Recap

The bottom line here is that phrase-style passwords are okay, but not great. For those few times that you need to memorize a password, create a unique sentence whose first letters result in something more than 16 characters. Otherwise, use a password manager to create and manage long passwords.

Permission to reprint xkcd comic is generously provided under https://xkcd.com/license.html Thanks, xkcd.

To receive more great cybersecurity content for business leaders, sign up for our monthly newsletter: https://fractionalciso.com/newsletter/

Monthly Archives: May 2020