🚨CISA Releases Guidance on Modern Approaches to Network Security🚨

The Cybersecurity and Infrastructure Security Agency (CISA), America's Cyber Defense Agency, and several partners have just released a comprehensive guide on modern approaches to network access security. This report emphasizes the limitations and vulnerabilities of traditional VPN solutions and advocates for adopting more robust and fine-grained security models like Secure Access Service Edge (SASE) and Secure Service Edge (SSE).

Key Takeaways:

🔹 VPN Challenges: VPNs are prone to limitations while providing encrypted tunnels for remote access. These issues can expose organizations to significant risks and breaches.

🔹 Value of SASE & SSE: SASE and SSE focus on secure access to web services and applications, combining capabilities like Zero Trust Network Access, secure web gateways, and cloud access security brokers, ensuring all access is continuously verified. Together, they streamline security policies and offer seamless, secure access to data across hybrid environments. 🌐🔒

🔹 Implement Network Segmentation: Network segmentation is crucial for limiting the spread of attacks within an organization. Organizations can contain potential breaches and minimize the impact on critical systems by dividing the network into smaller, isolated segments. 🔀

🔹 Validate Vulnerability Scans on All Public-Facing Enterprise Assets: Regular vulnerability scans on public-facing assets are essential to identify and remediate potential security gaps. Ensuring that these scans are thorough and validated helps maintain a robust security posture and protects against external threats. 🛡️

Organizations transitioning from traditional VPNs to modern network access solutions can significantly benefit from the strategies and best practices outlined in this guide. Implementing these modern approaches strengthens security and aligns with Zero Trust principles, ensuring a more secure and resilient infrastructure.
(Full disclosure: I participated in initial discussions about this guidance before leaving CISA earlier this year. Having been in the networking space for almost 30 years, this type of guidance is critical to help shape discussions on how network security is evolving and supports a Zero Trust mindset in new ways). #ZeroTrust #Technology #CloudComputing #SoftwareEngineering
Network Security Basics
-
Your home and office devices can be used in cyberattacks. Here’s what to do.

The US government disrupted a Chinese hacking operation that utilized compromised small office and home office network equipment, including routers, firewalls, and VPN hardware, to route their traffic. But employing the simple cyber hygiene we will discuss below can keep your home, your business and/or your company safe.

How Hackers Invaded: Hackers exploited vulnerabilities in outdated devices, especially those nearing "end-of-life" status and no longer receiving security updates. They then used known weaknesses to gain control and reroute their malicious traffic through these devices, making it harder to detect their real targets.

Why They Do It: These compromised devices act as "stepping stones," hiding the hackers' tracks and making it harder to pinpoint their true intentions. It's similar to the 2016 attack on internet provider Dyn, when hackers launched a massive internet outage affecting websites such as Amazon, PayPal, Walgreens, Visa, CNN, Fox News, Wall Street Journal, and the New York Times. At that time, hackers took control of routers, cameras, printers, and other devices by using the default password coming out of the factory.

🛡 Simple Steps to Secure Your Home and Office:

➡️ Update, Update, Update: Regularly update your router, firewall, VPN, and all connected devices with the latest security patches. Most devices offer automatic updates - enable them!

➡️ Ditch the old tech: If your router or other devices are nearing end-of-life, invest in newer, secure models.

➡️ Password Power: Set strong, unique passwords for all your devices and enable two-factor authentication wherever possible. Hackers love easy prey, make them work for it!

➡️ Firewall Fortitude: Enable your firewall and anti-virus and configure both to detect and block suspicious activity. Think of it as a security guard for your digital life.

For Companies: While the above advice works for both individuals and companies, companies should assume they will be hacked and be prepared. The preparation must include at least:

♦︎ Off-network backup
♦︎ Incident response action plan
♦︎ Disaster recovery plan

What are you doing to keep your home equipment and your company secure?

#cyberdefence #cybersecurity #levelUpYourLi
_______________
➡️ I am Talila Millman, a fractional CTO, a management advisor, a keynote speaker, and an executive coach. I help CEOs and their C-suite grow profit and scale through optimal Product portfolio and an operating system for Product Management and Engineering excellence.
📘 My book The TRIUMPH Framework: 7 Steps to Leading Organizational Transformation will be published in Spring 2024. You can preorder a signed copy on my website.
Image credit: Bing AI powered by DALL-E3
-
Simplifying Cyber Month - July 18

Fileless Malware Simplified (Kind of)

Traditional viruses are like stupid criminals who break in and leave behind tools or footprints (in this case, actual files) that antivirus can spot and clean up. But fileless malware is like an invisible ghost that gets embedded in your computer's short-term memory or hides inside legitimate programs, doing its dirty work (like stealing data) without ever dropping a detectable file.

Here's how it basically works:

1) Attackers exploit vulnerabilities in everyday software (like your browser or email app) to inject malicious code directly into the system's volatile memory, where it runs without writing anything to disk.

2) Once inside, it leverages trusted, built-in system tools, like PowerShell on Windows or scripts in other OSes, to execute commands, steal information, or spread further.

3) This "living off the land" approach means it uses what's already there, leaving no new files or footprints for traditional antivirus to detect.

It often enters your system through shady emails, malicious websites, or compromised trusted apps, making it highly covert on your system and hard for basic AV tools to catch. But doing some simple things can reduce the chances of being infected this way.

1) Keep Everything Updated: Regularly update your operating system, browsers, and apps. These patches often fix vulnerabilities that fileless malware exploits.

2) Be Email and Web Smart: Avoid clicking suspicious links or attachments; use browser extensions that block malicious sites. (Bad guys win because someone ALWAYS clicks a link)

3) For businesses: Use Behavior-Focused Security: Opt for antivirus tools that monitor unusual activity (like "endpoint detection" features) rather than just scanning files.

4) Limit Administrator Privileges: Run your daily tasks without full admin rights to prevent malware from gaining deep access.

5) (As Always) Enable Multi-Factor Authentication (MFA): Add this extra login step everywhere possible to block unauthorized access even if malware sneaks in.

Why This Matters: Without visible traces, fileless attacks can linger undetected, leading to data theft or worse.

If you have any other tips post them below. Repost/Share, tickle the algorithm (if you want to - no pressure)

#knowledgeisprotection #Cybersecurity #SimplifyingCyberMonth #InvisibleThreats #filelessmalware #cybereducation
-
#Cybersecurity Strategies for #Retail - Effective cybersecurity embraces basic principles. Prioritize the threats. Maximize the impact of each investment. Keep it simple.

Some suggestions to consider:

1.) Implement basic cyber hygiene
2.) Protect critical systems against ransomware and zero-day
3.) Protect devices that can't protect themselves
4.) Segment your remote network
5.) Respond to alerts promptly.
6.) Restrict employees' access on a "need-to-know" basis.
7.) Simplify

1.) Implement basic cyber hygiene - Conduct regular employee training to mitigate the phishing threat, keep software up-to-date, backup data, implement multi-factor authentication #MFA, etc.

2.) Protect critical systems against #ransomware and #zeroday - While the POS is often protected with P2PE encryption, the store manager's PC is often overlooked. Install Endpoint Protection (#EPP) on the store manager's PC to check every incoming file for ransomware and zero-day threats before they can threaten the business.

3.) Protect devices that can't protect themselves - As retail becomes increasingly dependent on technology, every networked device increases the threat landscape. Please pay particular attention to those devices that can't defend themselves. Video cameras, thermostats, and IoT appliances typically don't support cybersecurity software agents. Use Network Detection and Response (#NDR) to analyze network traffic to detect and identify dangerous threats.

4.) Segment your remote network - Segmentation will provide additional protection if a data breach occurs. Use a Managed Firewall to isolate systems virtually and physically, according to their impact on the business.

5.) Respond to alerts promptly. Unfortunately, all efforts to detect an intruder are wasted without an appropriate response. Employ Managed Detection and Response (#MDR) services to act immediately when a threat is detected.

6.) Restrict employees' access on a "need-to-know" basis. Providing employees with unnecessary access to critical systems undermines the business's cybersecurity posture. Implement Secure Access Service Edge (#SASE) and Zero Trust Network Access (#ZTNA) to limit employees (and the cyber threats) to only what is necessary to fulfill their responsibilities.

7.) Simplify - The more vendors and technologies involved, the more complicated the infrastructure and the operations. Where possible, consolidate. The simpler the operations, the more effective and sustainable the cyber defensive posture.

Make proportionate investments in cyber as your business grows. If your business's value grows beyond your cyber defenses' capability, bad actors will become increasingly motivated to monetize the gap.

#TimTang Hughes #NRFBigShow #NRF2024
-
The #1 cyber security control in ICS/OT to stop attackers? Secure network architecture.

It might be one "control," but it has many parts.

1. IT-OT DMZ

Most ICS/OT networks have some communication with the IT network. A DMZ with two layers of firewalls is implemented between the IT and OT networks. The DMZ helps limit the flow of traffic between the two main networks, forcing the traffic through systems that act as intermediaries. Intermediaries that can help enforce security.

Ultimately, the DMZ limits the damage that can be done WHEN an attacker gains access to the IT network. The main goals here are to:

-> Prevent an attacker from moving into the OT network from IT
-> Limit communication from the OT network to the IT side
-> Ensure DMZ hosts are hardened against attack
-> And monitor for potential attacks

2. OT Network Segmentation

Besides the IT-OT DMZ, further network segmentation should be performed within the OT network. As a starting point, many reference the expanded Purdue Model. Even though this was not its intent (and you should jump to "Zones and Conduits" below).

An attacker could gain access to the IT network, but placing additional segmentation through firewalls and ACLs on switches can limit them. The goals here are to:

-> Provide necessary communication for the plant to operate
-> Limit damage in the event an attacker gains access
-> Give systems the ability to spot malicious activity
-> Slow down an attacker in the OT network

3. Zones and Conduits

As organizations mature, they look to ISA/IEC 62443 as the gold standard for building an ICS/OT cyber security program. A main focus of ISA/IEC 62443 is to break up the OT network overall into zones. Zones are logical groupings of assets that share the same function and/or security requirements. Conduits help reflect the paths of communication between assets in different zones.

Zones help segment the network further and allow operators to wrap Access Control Lists around those zones. Only allowing required traffic to communicate between zones.

That HMI needs to talk to that PLC? Great! That HMI doesn't need to talk to anything else? Then don't let it!

Give your assets what they need. No more. No less. If you give more, an attacker will take advantage of it one day!

4. Further Microsegmentation

Zones can help limit communication between parts of the network. But they do not limit traffic between hosts within the same zone. Just like above, we want to limit pathways an attacker could use against us.

If an attacker gained a foothold in the DMZ, would they have access to the other hosts? And then the pathways accessible to those hosts? Perhaps they cannot directly access a PLC or DCS from the DMZ. But is there a pathway through other zones and hosts from the DMZ that would allow it? Is there a pathway that would allow access to your SIS?

P.S. What else would you include or change?

#CyberSecurity #Automation #Engineering #ICS #Technology
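The "Zones and Conduits" and "Further Microsegmentation" questions above can be answered mechanically before a design is deployed: model each host's zone and the explicit conduit allow rules, then search for any host-to-host path from the DMZ to the safety zone. The script below is an added example and is not code from the post's author or from ISA/IEC 62443; the hostnames, zones and rules are a constructed toy plant, and the assumption that hosts within a non-microsegmented zone can reach each other freely is exactly the gap the post's fourth point describes.

```python
"""Zone-and-conduit reachability check for a toy ICS/OT design (added example)."""
from collections import deque

# Constructed toy layout (hypothetical hostnames): host -> zone it belongs to.
HOST_ZONE = {
    "jump-host": "dmz",
    "historian-mirror": "dmz",
    "hmi-1": "supervisory",
    "eng-ws": "supervisory",
    "historian": "supervisory",
    "plc-1": "control",
    "plc-2": "control",
    "sis-1": "safety",
}

# Explicit conduit allow rules: (source host, destination host, TCP port).
# Anything not listed is assumed to be denied by the zone boundary firewall/ACL.
RULES = [
    ("jump-host", "hmi-1", 3389),            # vendor support session to the HMI
    ("historian", "historian-mirror", 443),  # OT pushes data outward to the DMZ replica
    ("hmi-1", "plc-1", 502),                 # operator HMI polls its PLCs
    ("hmi-1", "plc-2", 502),
    ("eng-ws", "plc-1", 502),                # engineering workstation programs the PLCs
    ("eng-ws", "plc-2", 502),
    ("eng-ws", "sis-1", 502),                # engineering access to the safety system
]


def build_graph(host_zone, rules, microsegmented_zones=frozenset()):
    """Directed host-to-host reachability.

    A host can reach another if an explicit rule allows it, or if both sit in
    the same zone and that zone is not microsegmented: zone ACLs only control
    traffic crossing the zone boundary, not traffic between neighbours.
    """
    graph = {host: set() for host in host_zone}
    for src, dst, _port in rules:
        graph[src].add(dst)
    for a, zone_a in host_zone.items():
        if zone_a in microsegmented_zones:
            continue
        for b, zone_b in host_zone.items():
            if a != b and zone_a == zone_b:
                graph[a].add(b)
    return graph


def find_path(graph, src, dst):
    """Breadth-first search; returns the shortest host path or None."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in sorted(graph[cur]):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None


def exposure(host_zone, rules, from_zone, to_zone, microsegmented_zones=frozenset()):
    """Map each (source, target) host pair between two zones to the path a
    foothold on the source could follow to the target, if any path exists."""
    graph = build_graph(host_zone, rules, microsegmented_zones)
    found = {}
    for src, zone_s in host_zone.items():
        if zone_s != from_zone:
            continue
        for dst, zone_d in host_zone.items():
            if zone_d == to_zone:
                path = find_path(graph, src, dst)
                if path:
                    found[(src, dst)] = path
    return found


if __name__ == "__main__":
    # Design A: zone ACLs only. The HMI support conduit plus free intra-zone
    # traffic in "supervisory" lets the DMZ reach the SIS via the engineering box.
    print("Design A, DMZ -> safety:", exposure(HOST_ZONE, RULES, "dmz", "safety"))
    # Design B: same conduit rules, but the supervisory zone is microsegmented.
    print("Design B, DMZ -> safety:",
          exposure(HOST_ZONE, RULES, "dmz", "safety", {"supervisory"}))
```

Design A reports a four-hop path (jump-host, hmi-1, eng-ws, sis-1) even though no conduit rule ever mentions the DMZ and the SIS together; Design B, which changes no conduit rule and only stops hosts inside the supervisory zone from talking to each other, reports none. Rerunning the check whenever a rule is added is the cheap way to keep "no more, no less" true over time.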
-
🚨🔒 Security Alert: Living off the Land Threats

Hello and welcome to this helpful PDF file on common living off the land (LOTL) techniques and cyber defense capabilities!

📅 Publication Date: February 7, 2024

🌐 Authoring Agencies:
🔹U.S. Cybersecurity and Infrastructure Security Agency (CISA)
🔹U.S. National Security Agency (NSA)
🔹U.S. Federal Bureau of Investigation (FBI)
🔹U.S. Department of Energy (DOE)
🔹U.S. Environmental Protection Agency (EPA)
🔹U.S. Transportation Security Administration (TSA)
🔹Australian Signals Directorate’s Australian Cyber Security Centre (ACSC)
🔹Canadian Centre for Cyber Security (Cyber Centre)
🔹United Kingdom National Cyber Security Centre (NCSC-UK)
🔹New Zealand National Cyber Security Centre (NCSC-NZ)

📝 Summary: This joint guide by leading cybersecurity agencies sheds light on common living off the land (LOTL) techniques and vulnerabilities in cyber defense systems. Cyber actors, including state-sponsored ones like the People’s Republic of China and Russian Federation, exploit LOTL to infiltrate and persist within critical infrastructure. The guide offers insights derived from joint advisories, incident responses, red team assessments, and collaborative efforts with industry.

🛡️ Why LOTL is a Threat: LOTL involves leveraging native tools and processes, camouflaging malicious activity within normal system behavior. This makes detection challenging, especially in environments lacking robust security practices. Cyber actors abuse LOTL across various IT landscapes, from on-premises to cloud environments, exploiting common operating systems like Windows, Linux, and macOS.

🔍 Detection and Mitigation Strategies: To combat LOTL threats, the guide advocates for:
1. Detailed logging and centralized log aggregation.
2. Baseline establishment and continuous monitoring.
3. Automation for anomaly detection.
4. Fine-tuning alerts and leveraging user behavior analytics.
5. Implementing security hardening measures and network segmentation.
6. Prioritizing authentication and authorization controls.

🔒 Secure by Design Recommendations: Software manufacturers are urged to enhance security by:
🔹Disabling unnecessary protocols.
🔹Restricting network reachability.
🔹Limiting processes with elevated privileges.
🔹Enabling phishing-resistant multi-factor authentication.
🔹Providing robust logging and eliminating default passwords.

For comprehensive insights and recommendations, refer to the complete guide.

⬇️ Download the PDF from the post or the CISA website.
📲 Mobile device:
- Tap the book image
- Tap the download icon on the upper right
💻 Desktop:
- Mouse over the book icon
- Click in the box on the lower right
- Click the download icon on the upper right

💡Educate yourself, stay vigilant, and share to strengthen our collective defense! 🌐🔒

#cybersecurity #threatdetection #cybermandan
-
According to Aqua Security's report, fileless malware increased by 1,400% in 2023.

Fileless malware is a sneaky bug that gets into your computer without you even knowing because it doesn't leave any footprints.

Here's how it works: The cybercriminal tricks you into letting them in. They might use fake emails or websites or steal passwords. Once they're in, they start messing with your computer by using your own software against you. Next, they make sure they can keep coming back by creating a secret door into your system. Finally, they do all sorts of criminal stuff like stealing your data or messing with your files.

It's one of the biggest business threats today, and it's hard to spot. Small businesses are especially at risk because they often don't have strong security. But there are things you can do to protect yourself:

1. Regularly back up critical data: Ensure that all important business data is backed up regularly and stored securely, preferably off-site or on a cloud service with strong security measures. This way, if your systems are compromised, you can restore your data without paying a ransom or losing vital information.

2. Adopt a zero trust security model: Operate on the principle of “never trust, always verify.” This means not automatically trusting anything inside or outside your network. Implement strict access controls and verify the identity of every user and device before granting access to your systems and data.

3. Keep an eye on built-in system tools: Fileless attacks use normal processes, so watch for strange activity in these processes, like PowerShell. Look for things like changes in user rights that weren’t allowed, unknown processes running in the main memory, remote commands being run through PowerShell, and odd changes in the Windows registry.

4. Look for signs of an attack, not signs of compromise: Instead of looking for harmful files, watch your system for any unusual or suspicious behavior.

Your vigilance, your updates, and your proactive measures are the weapons that can keep this enemy at bay. Don't just survive in this digital battlefield; thrive and conquer.
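The two fileless-malware posts and the LOTL advisory summary above all land on the same detection idea: build a baseline of which users normally run which built-in tools, then watch those tools for behaviour rather than files (encoded or hidden PowerShell, remote execution, Office applications spawning shells, Run-key changes). The script below is an added example, not code from any of the posts' authors or from the CISA guide; it runs simple behavioural rules over a handful of constructed process-creation and registry-change events with hypothetical hosts and users, using a harmless `Get-Date` command as the encoded sample. The regexes are approximations of PowerShell's argument spelling, not an exhaustive list.

```python
"""Baseline-plus-behaviour detection over constructed endpoint events (added example)."""
import base64
import re

# Built-in tools worth watching when they appear outside a user's baseline.
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wmic.exe", "certutil.exe",
           "rundll32.exe", "regsvr32.exe", "mshta.exe", "bitsadmin.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}

# Approximations of PowerShell option spellings (-e/-ec/-enc/-EncodedCommand, -w/-WindowStyle).
ENC_RE = re.compile(r"(?i)\s-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
HIDDEN_RE = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
REMOTE_RE = re.compile(r"(?i)(?:invoke-command|enter-pssession|-computername\b|\bwinrs\b|/node:)")
RUNKEY_RE = re.compile(r"(?i)\\currentversion\\run(?:once)?(?:\\|$)")

# Constructed, harmless encoded sample: PowerShell encodes commands as base64 of UTF-16LE.
ENCODED_SAMPLE = base64.b64encode("Get-Date".encode("utf-16-le")).decode()

# Constructed "known good" window used to learn who normally runs what.
BASELINE_EVENTS = [
    {"type": "process", "host": "ws-01", "user": "alice", "parent": "explorer.exe",
     "image": "powershell.exe", "cmd": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"type": "process", "host": "srv-01", "user": "svc-deploy", "parent": "services.exe",
     "image": "powershell.exe", "cmd": "powershell.exe -NoProfile -File C:\\deploy\\rollout.ps1"},
    {"type": "process", "host": "ws-02", "user": "bob", "parent": "explorer.exe",
     "image": "notepad.exe", "cmd": "notepad.exe notes.txt"},
    {"type": "process", "host": "ws-02", "user": "bob", "parent": "explorer.exe",
     "image": "cmd.exe", "cmd": "cmd.exe /c dir"},
]

# Constructed events to evaluate against that baseline.
NEW_EVENTS = [
    {"type": "process", "host": "ws-01", "user": "alice", "parent": "explorer.exe",
     "image": "powershell.exe", "cmd": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"type": "process", "host": "ws-02", "user": "bob", "parent": "winword.exe",
     "image": "powershell.exe", "cmd": f"powershell.exe -w hidden -enc {ENCODED_SAMPLE}"},
    {"type": "process", "host": "srv-01", "user": "svc-deploy", "parent": "services.exe",
     "image": "powershell.exe",
     "cmd": "powershell.exe -NoProfile -Command Invoke-Command -ComputerName srv-02 "
            "-FilePath C:\\deploy\\rollout.ps1"},
    {"type": "registry", "host": "ws-02", "user": "bob", "image": "powershell.exe",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"type": "process", "host": "ws-01", "user": "alice", "parent": "explorer.exe",
     "image": "certutil.exe", "cmd": "certutil.exe -hashfile C:\\Users\\alice\\setup.msi SHA256"},
]


def build_baseline(events):
    """Set of (user, image) pairs observed during the known-good window."""
    return {(e["user"], e["image"].lower()) for e in events if e["type"] == "process"}


def decode_encoded_command(cmd):
    """Return the decoded -EncodedCommand payload for analyst review, or None."""
    match = ENC_RE.search(cmd)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(event, baseline):
    """List the behavioural rules one event trips; an empty list means nothing to see."""
    reasons = []
    if event["type"] == "process":
        image = event["image"].lower()
        cmd = event.get("cmd", "")
        if image in LOLBINS and (event["user"], image) not in baseline:
            reasons.append("baseline_deviation")       # tool this user never ran before
        if event.get("parent", "").lower() in OFFICE_APPS and image in LOLBINS:
            reasons.append("office_spawned_lolbin")    # document opened, shell appeared
        if decode_encoded_command(cmd) is not None:
            reasons.append("encoded_command")
        if HIDDEN_RE.search(cmd):
            reasons.append("hidden_window")
        if REMOTE_RE.search(cmd):
            reasons.append("remote_execution")         # "remote commands run through PowerShell"
    elif event["type"] == "registry" and RUNKEY_RE.search(event.get("key", "")):
        reasons.append("run_key_persistence")          # the "secret door" for coming back
    return reasons


def analyze(events, baseline):
    """Map the index of every flagged event to the reasons it was flagged."""
    flagged = {}
    for index, event in enumerate(events):
        reasons = detect(event, baseline)
        if reasons:
            flagged[index] = reasons
    return flagged


if __name__ == "__main__":
    for index, reasons in analyze(NEW_EVENTS, build_baseline(BASELINE_EVENTS)).items():
        print(index, NEW_EVENTS[index]["user"], reasons)
```

The first event is identical to normal activity and produces nothing; the second trips four rules at once, which is the stacking an analyst should prioritise; the deployment account's remote invocation and alice's one-off certutil each trip a single rule and are exactly the kind of alert the advisory says to fine-tune, either by widening the baseline after review or by leaving them as low-severity context.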
-
In 2016, the leader of the NSA's Tailored Access Operations told me exactly how to keep nation-state hackers like his team out of my organization, and I'm going to share it with you because it's still 100% true.

In January of 2016, Rob Joyce presented to the just-established Enigma Conference a presentation called "Disrupting Nation State Hackers". It was a surprise; we didn't know it was going to happen. But we took great notes.

1. The nation-state will learn exactly what devices are on your network, and subsequently all their vulnerabilities. Will you put in the energy to understand and configure the devices securely? Do you *really* know what's on your network? Red-team it even if you think you do.

2. Act on the results of pen-tests, audits, and assessments. Most of the time, a couple years later, the same openings exist.

3. Don't assume any crack is too small. Nation-state hackers need one vulnerability, not many. Nation-state attacks will wait for the right time. Don't assume you can open a maintenance door just for a moment.

4. Consider that your attack surface includes all of your company's trusted devices and vendors, not just what's inside your on-prem network. Shore up your trust boundary wherever it goes.

5. Nation-state hackers use zero-days MUCH less than they use known, more productive CVEs. Patch relentlessly. Automatic patching should be used wherever possible.

6. Nation-state phishing is very well built. Assume someone will click on a phishing link and lock the end-point down accordingly.

7. Document and use a best practice secure host baseline.

8. Use MFA everywhere, but also look for accounts not operating under the norms of those credentials and always give access based on least privilege.

9. Never put admin credentials in scripts.

10. Application allow-listing makes persistence and privilege escalation hard. Good endpoint software with a reputation service is helpful where allow-listing is hard.

11. Segment your network relentlessly. Not just an external firewall and a DMZ.

12. Remote access should require comply-to-connect (such as Intune).

13. Have an incident response plan for an inside-the-network attack and rehearse it.

14. Have off-site back-ups and test them regularly.

Oh wait, is this the BASICS? Have any of these controls lost their effectiveness over the last decade? How many buzz-words did he mention? Not a one.

At Skycrane, we love the value of the timeless cybersecurity basics, and we're big fans of the CIS Top 18 Controls and the SANS Top 5 OT/ICS controls. We're taking what we've learned from the NSA and rapidly maturing cyber programs. DM me with any questions.
-
While it is unlikely to ever secure IT and #OT environments 100%, risk reduction strategies can be put into place to prevent cyberattacks from becoming successful.

Organizations should understand and prioritize the most critical operational functions that, if disrupted by a direct #cyberattack or the loss of a key third-party service, would have a significant impact on the ability to operate. For instance, if a single facility accounts for 90% of a company’s revenue or a single #substation services a key #nationalsecurity site in a remote location, these assets are likely top priorities to keep operational and reduce downtime. Once these critical functions are identified, the organization can map the IT and OT network pathways that support these systems and implement security or engineering controls to reduce risks of downtime or failure.

Identifying and mitigating known vulnerabilities are also critical steps in the risk reduction process. Organizations can make significant gains by simply closing gaps that are widely known to exist. Installing cybersecurity sensors for 24/7 monitoring can also lead to faster mitigation action to limit damage from a cyberattack. Cyberattacks can occur at any time and having a dedicated team available on call to identify and respond to an incident can limit downtime and the potential for the event becoming a more widespread issue.

Closing vulnerabilities and implementing #networkmonitoring are effective measures for reducing cyber risks in existing #criticalinfrastructure but to really get ahead of the risks presented by a growing #attacksurface, #cybersecurity and resilience should be addressed at the earliest design and planning phases of new projects. This kind of collaboration, commonly referred to as Cyber-Informed Engineering, consists of discussions among cybersecurity professionals, engineers and project designers to identify and address cyber risks in the control and safety of automated systems. When done at the front end, this approach can make the implementation of cybersecurity controls more effective, efficient and cost-effective rather than trying to add these measures on after the capital project is completed.

Write up by Victor Atkins

#ICSsecurity #SCADAsecurity #OTsecurity #IndustrialSecurity