Thursday, April 2, 2020

Guest Blogger - Stuart Barker on Cybersecurity

<h1>ISO 27 I don’t think so</h1>
<a href="https://hightable.io/iso-27001/">ISO 27001</a> is the international standard for information security, and there is one thing most technical security professionals can agree on: it won’t stop you getting hacked. I agree to some extent with that sentiment, but it is not intended for that purpose. What ISO 27001 is is an information security management system (ISMS). In practical terms, that means a management system backed by a lot of documents. You can be looking in the region of <a href="https://hightable.io/iso-27001-documents/">27 core documents</a> for the ISMS and some <a href="https://hightable.io/iso-27001-policies/">23 policies</a>, depending on what your products and services are. As a standard it covers managing information security, not securing your business out of the box. What does cover securing your business is Annex A, often referred to as <a href="https://hightable.io/iso-27001-controls/">ISO 27002</a>. This is a list of 114 controls that cover all aspects, disciplines, departments and parts of your business as they relate to the things you are trying to secure. They are a list to choose from, formulated by industry experts as the entry-level and most commonly agreed controls. The standard doesn’t tell you how to implement the controls, and that is where the magic of network security professionals comes in, but it does set out the common controls that you would want. By way of example:

13.1 Network security management
Objective: To ensure the protection of information in networks and its supporting information processing facilities.

13.1.1
Network controls
Networks shall be managed and controlled to protect information in systems and applications.

13.1.2
Security of network services
Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced.

An <a href="https://hightable.io/iso-27001-certification/">ISO 27001 certification</a> is usually a requirement of your clients and customers. No one goes to the hassle for a laugh; there is a compelling commercial reason to do it. The way it works is that the certification body will audit you against the standard AND the controls that you say you have. Let’s face facts, not all auditors are experienced in all aspects. It is likely that, technically, you can run rings around them when it comes to network security. That isn’t in the spirit of what is intended, but it is possible to bamboozle an auditor into “these are the droids you are looking for” and pass. The upshot is that yes, ISO 27001 on its own does not stop a business being hacked or make it inherently more secure. But it gets a business to think about it and demonstrates to those customers that you take it seriously and that someone has checked it. For me it makes sense when the clients and customers say it makes sense.

<h2>Author: Stuart Barker - The Data Security Guy</h2>
Stuart at <a href="https://hightable.io">High Table</a> specialises in fintech and financial services companies, with over two decades of experience delivering legal and regulatory compliance for data. He specialises in getting and keeping companies compliant for data security, which usually means <a href="https://hightable.io/iso-27001/">ISO 27001</a>, <a href="https://hightable.io/pci-dss/">PCI DSS</a>, <a href="https://hightable.io/soc/">SOC 1 and SOC 2</a> certification and regulations like the <a href="https://www.handbook.fca.org.uk">FCA regulations</a> for data security.

He started, built and successfully sold a cyber security business. Now he advises companies and builds data security capability allowing them to meet the needs of their customers, the needs of their funders and the needs of the law. Usually in that order.

He is also a driver in addressing isolation, wellbeing and mental health in business and in building emotionally intelligent people networks.

Thursday, February 27, 2020

WiFi Attacks

What is Wireless? There are masses of standards, protocols, and techniques that can be considered ‘Wireless’: cell phones, Bluetooth, wireless networking, and even cordless phones (remember those?). Wireless communications grow and expand at light speed (like my learning curve) 😉. Considering that it’s the year 2020, most businesses, if not all, have some sort of Wireless infrastructure deployed, even if it’s just a WiFi router at a nail salon.

Ugh, I want a pedicure now. Anywho, I’m not going to delve deep into T1 circuits, ISPs, WAN communication, and other explanations of how wireless signals communicate. Rather, I figured I’d just let you in on a few small WiFi Attacks that have existed in the past, present, and future. Have a home security system on the internet? Use Snapchat or TikTok daily? I know you’re on Instagram. Enjoy yourself, but do ensure you are protected while you scroll. Let’s get started.

Have you ever heard of the legacy attack ‘War Dialing’? It’s pretty straightforward: all of the numbers in a prefix in your area code are dialed, which turns up a number of active computer modems. War Driving is very similar. War Driving is an attack where a person seeks to find WiFi networks that they are not permitted to access. Once the Hacker finds your WiFi network, he/she will verify whether or not you’re using encryption, the encryption type, and whether or not it can be compromised. Once said Hacker has made that determination, he/she uses cracking tools to force an entry into the connection to conduct MITM (man-in-the-middle) attacks. Watch my Webinar to learn exactly how these Hackers (who drive around in vans all day looking for your WiFi signals…) HACK.

While we are on the topic of War, I thought I would introduce another attack, War Chalking. War Chalking is an area that is physically marked with info about a WiFi signal being present. Yes, this sounds prehistoric, because it is. This method was used from about ’97 to ’02 (hey, that was the year before I started high school). Hackers would mark a closed circle to indicate a closed/secured WiFi network, and two back-to-back half circles would stand for an open network. Obvi, this is not necessary anymore, since all we need to do to find a WiFi signal is check our mobile phones.

Next up, Replay Attacks. Replay attacks mainly focus on the abuse of authentication at initial setup. When a new connection request comes in from client to server, the Hacker will capture the request and later replay it, fooling the server into believing that it is a kosher connection. Lol, it’s like dating. You meet someone new and you think he’s the man, but then later on you learn that he provided false pretenses at initial authentication.
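The standard defence against the replay described above is to make every authentication message unique and to have the server remember what it has already accepted. The following is an added example (not code from the original post): a client binds its identity, a fresh nonce and a timestamp under an HMAC, and a server-side guard accepts each message once, rejects a replayed copy, and rejects anything outside a short time window. The shared key and message format are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed shared secret for the example; in practice it comes from provisioning.
SHARED_KEY = b"example-shared-secret"
MAX_SKEW = 30  # seconds a message stays valid after its timestamp


def build_auth_message(client_id: str, nonce: str, timestamp: int, key: bytes = SHARED_KEY) -> dict:
    """Client side: bind identity, nonce and time together under an HMAC tag."""
    body = f"{client_id}|{nonce}|{timestamp}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"client_id": client_id, "nonce": nonce, "ts": timestamp, "tag": tag}


class ReplayGuard:
    """Server side: accept a valid message once, reject the same message replayed."""

    def __init__(self, key: bytes = SHARED_KEY, max_skew: int = MAX_SKEW):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}  # nonce -> time after which it no longer needs remembering

    def verify(self, msg: dict, now: int) -> str:
        # Forget nonces whose window has passed so the set does not grow forever;
        # a replay that old is rejected by the timestamp check instead.
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
        body = f"{msg['client_id']}|{msg['nonce']}|{msg['ts']}".encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return "bad-tag"        # tampered fields or wrong key
        if abs(now - msg["ts"]) > self.max_skew:
            return "stale"          # captured long ago and replayed later
        if msg["nonce"] in self.seen:
            return "replay"         # exact copy of an already-accepted message
        self.seen[msg["nonce"]] = msg["ts"] + self.max_skew
        return "ok"


if __name__ == "__main__":
    guard = ReplayGuard()
    captured = build_auth_message("laptop-1", "nonce-0001", 1000)
    print("first delivery:", guard.verify(captured, 1005))   # ok
    print("replayed copy: ", guard.verify(captured, 1010))   # replay
```

The nonce table is keyed on the nonce alone for brevity; a production guard would scope it per client and persist it across restarts.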

Monday, February 10, 2020

Injection Attacks | Remote Code Execution


First and foremost, let’s get straight to the point. Microsoft has identified a vulnerability that exists in their Excel application. This information comes to us (the general public) courtesy of MITRE’s CVE (Common Vulnerabilities and Exposures) program. Essentially, the way the attack works is that a hacker who has exploited the vulnerability runs malicious code as if he or she were the current user. If that user had admin rights, the hacker could completely take control of the affected system. Once the hacker is in, he or she is in control. There is an array of stuff for him/her to do, but most likely he will install programs, modify or delete important data, or even create new accounts with full admin creds (user rights), which would allow him to grant himself access to the system under a seemingly legitimate alias. If you are an Excel user, I encourage you to install Microsoft’s latest update to ensure that you are protected.

The title of this specific vulnerability is Remote Code Execution, but this is also known as an Injection Attack, and there are many of these types of attacks that exist. An Injection Attack is an exploitation where an attacker can send code to a target system with the aim of altering its processes and/or corrupting its data set. Many exist, but one of the most common is SQL Injection, an attack that stays in business by relying on crafted SQL query statements and gathering information about your system’s database structure from the errors they provoke.

This is actually one of the most common web-based hacking practices. Not to mention that a code injection could potentially destroy your entire database. Me specifically, I like to respond to spam texts with SQL Injections – because you shouldn’t bring a knife to a gun fight. Among other injection attacks we have XSS (Cross Site Scripting), which is not as much of a risk as SQL Injection because XSS targets customers and visitors to websites, whereas SQL Injection targets organizational assets.
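To make the SQL Injection mechanism concrete, here is an added example (not from the original post) using Python’s built-in sqlite3 module and a constructed in-memory table. It shows the weak pattern, a lookup built by string concatenation, beside the parameterised form, and a helper that surfaces the raw database error a concatenated query produces when input contains a stray quote, which is the kind of feedback the post says attackers use to learn about the database. The table name, rows and inputs are all constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table: three users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Weak pattern: the input is pasted into the SQL text, so a quote in the
    input ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: a bound parameter is always treated as data, never as SQL,
    so the same input simply matches no row."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def raw_error_for(conn: sqlite3.Connection, name: str) -> str:
    """Returns the database's own error text for the concatenated query, or an
    empty string if the query ran. Echoing such text back to a caller confirms
    that their input reached the SQL parser; log it server-side instead."""
    try:
        lookup_vulnerable(conn, name)
        return ""
    except sqlite3.OperationalError as exc:
        return str(exc)


if __name__ == "__main__":
    db = make_db()
    injected = "x' OR '1'='1"            # classic textbook input
    print("concatenated:", lookup_vulnerable(db, injected))  # every row leaks
    print("parameterised:", lookup_safe(db, injected))       # no rows
    print("error text:", raw_error_for(db, "O'Brien"))       # parser complaint
```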

Join my next Webinar to learn more about code injections, including SQL Injection in more detail, XSS (Cross Site Scripting), command injection, HTML injection, code injection and file injection! And remember to patch your systems!

Wednesday, October 23, 2019

Software Development Security | Polymorphic Viruses

What is a Virus?

Simply put, a virus can be an application or an actual string of code that intends to poison software. Viruses can affect code the same way that they can affect human beings. You catch a virus, it spreads, and you’re sick. All it takes to get into your system is to “catch” it. Once the virus gets in, it can and will spread to multiple segments of your system or code.

One example of a virus is a Polymorphic Virus. I like this one because it relates to polymorphism, which also makes me think of metamorphism (another attack, but for now we will stick to poly). This particular type of computer virus is amongst the most complicated because it duplicates/recreates itself and is also self-encrypted. While most of us are using AntiVirus (AVR) software to detect these types of intrusions, this virus can completely bypass your scanner because it creates itself in multiple variants.

What is the best approach for protection?

While it is highly recommended that you employ some type of AVR in your network, there is a bigger-picture approach that will help “stave” off these malicious code attacks. Think in terms of Layered Security: what else can you do besides JUST having a virus scanner? Have you considered utilizing Antimalware as well? Yes, AVR scans for viruses, but Antimalware is actually designed to defend against actual malware attacks (malicious code attacks). What about Threat Detection? Do you have Email Security? Just some food for thought.

Ashley J. Oliver
Oliver COM Solutions, d/b/a

Thursday, October 17, 2019

Identity and Access Management | Single-Sign On (SSO) | Kerberos Single-Sign on (SSO)

Okay first, what is it? SSO is a capability that enables end users to enter their credentials one time; then they can access resources in both primary and secondary network domains. Why is this relevant? Well, time is essential, especially in the Cybersecurity realm, and we need a product that can speed up that authentication time!

The most commonly used authentication protocol on the market at present is Kerberos. Fun fact: if the name sounds familiar to you, it’s because it is named after Cerberus (Greek mythology), the three-headed dog that guards the entrance (gates) to the underworld. MIT is so clever! So, essentially, Kerberos was created by MIT. Food for thought: Cerberus doesn’t only guard the gate, he also prevents the dead from leaving. (Disclaimer: I always make learning fun, so you will repeatedly see puns and references on my blog; there is no reason learning needs to be boring!)

 Why am I even saying this to you? Lol, think for a moment – every Cybersecurity Practitioner, regardless of Job Title, knows that “The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards—and even then I have my doubts.” —Eugene H. Spafford. Clearly, we need to use our computers, mobile phones, tablets, what have you during the day to complete our work and business tasks, so this is an unrealistic expectation. However, Kerberos was brilliantly thought up by MIT in order to do just the same – protect your internal system (assets) from the extremely unsecured use of the internet.

How does it work? So, Kerberos uses Symmetric Cryptography in order for a client to verify its identity to a server known as a KDC (Key Distribution Center). The KDC acts as an automated distribution center that stores, distributes, and maintains session and secret keys. The KDC then generates a ticket from the Ticket Granting Service (TGS). Long story short, this TGS operates on a set of principals, which is known as a realm in Kerberos. I won’t go into detail here, but if you want to learn more about the potential of using Kerberos in your network and its advantages – by all means send me an email and we can talk! I also want to point out before we leave that Kerberos was developed as a part of MIT’s “Project Athena,” which makes perfect sense considering the clever name of the best SSO technology available to us. Thank you, MIT. (I am a frequent Red Hat Linux user, so this definitely resonates with me.)

Ashley J. Oliver
Oliver COM Solutions, d/b/a

