Being a Virtual CISO (vCISO)

Almost 7 years ago I started my journey as a Virtual CISO, or vCISO. At that time, this term hadn’t even been invented.

I had to develop a framework of creating custom security programs (and security teams) for very diverse types of businesses. Startups are not a “one-size-fits-all” kind of deal. Some are struggling for cash, some get lavish investments, some founders have an appetite for risk, some don’t…

One of the first tasks in front of me was to develop a list of “what works” kind of tools. On a limited budget, you don’t have the luxury of trial and error, so my experience from the trenches served me really well.

Another thing I had to get good at was to understand the companies’ goals – did they want to become compliant with some regulation, did they care about security, what kind of risk posture were they looking for?

After that, I could write the right policies to help them achieve these goals. A startup has to be nimble to succeed, so you can’t add a lot of policy and process overhead, or you’ll lose the founders’ support very quickly.

Lastly, I had to have very clear communication with the executive team on the risks – explaining what could happen to the business if something gets or doesn’t get done. Sometimes, the naked truth hurts – some people could see a security scorecard as “finger pointing” (especially devops teams), but it is not. Its purpose is to show weaknesses that can be exploited. Breaches happen, and when they do the CISO must explain why – because people will “forget” that they didn’t allocate time for patching, security alert investigation and so on…

Take all this and multiply it by a few clients and soon you’ll need to manage your time extremely carefully so you don’t drop any balls. A virtual CISO must be always on, no matter what – so the laptop and Internet connection become part of your vacation and work never really stops.

Would I go back to my days of being tied to a desk and daily commute? Never. If there are any good things that came out of the pandemic, it is the freedom of working remotely – or on-site, if one chooses, but nevertheless a freedom that wasn’t there before. Let’s hope this trend will continue and that soon startup founders will realize that a great vCISO, even if part time, is much better than an average full time one.

AI and Information Security – should we be afraid of it?

By now, every teenager who needs help with homework has got access to ChatGPT 🙂 Also, some of my developer friends are trying to cut down on debugging time by using it. But many people are afraid of artificial intelligence – will it escape our control and start fighting us? Will it create more (and credible) fake news?

What will it do to Information Security? Will I be able to ask “is X company secure” and get a detailed answer? Most likely, especially if that company has been in the news for security breaches. But most importantly, AI will become, in the future, a second pair of eyes over our shoulders and see what we missed, because we humans are far from perfect…

Will a hacker be able to learn detailed techniques quicker? I asked the “machine” and here is what I got back:

Q: Show me a SQL injection code

A: As an AI language model, I cannot provide you with an actual SQL injection code since such code can be used for malicious purposes. SQL injection is a type of cyber attack that exploits vulnerabilities in the application layer to execute malicious SQL statements. It can cause significant harm to a website or a database and put sensitive information at risk.

It’s important to note that SQL injection is illegal and unethical, and any attempt to exploit such vulnerabilities can result in serious consequences, including legal action.

Instead of providing a SQL injection code, I would recommend developers and website owners to take proactive measures to prevent SQL injection attacks. This includes using prepared statements with parameterized queries, validating user input, and implementing input sanitization techniques to ensure that user input does not contain malicious code.

As we can see, we are safe so far – the system is not malicious 🙂 Therefore, the answer is that AI will be what we want it to be – good or bad. Let’s hope it will stay on the good side!
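The answer above recommends prepared statements with parameterized queries. To show why that advice works, here is an added example (not part of the original post) using Python’s built-in sqlite3 module: the same lookup written with string concatenation and with a bound parameter, run against a constructed in-memory table.

```python
import sqlite3

# Constructed sample database for the demo: three invented users.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn

def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable pattern: the input is pasted into the SQL text, so the
    # input can change the structure of the WHERE clause itself.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    # Hardened pattern: a prepared statement with a bound parameter. The
    # driver passes the input as data; it is never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"  # constructed input that is not a user name
    print(lookup_concat(conn, "bob"))     # ['bob']
    print(lookup_concat(conn, crafted))   # every row: the clause was rewritten
    print(lookup_param(conn, crafted))    # []: the input is matched literally
```

The parameterized version returns nothing for the crafted input because the quote characters stay inside the value; that is the whole point of the recommendation.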

Security in the time of COVID-19

It’s almost 2021 and we’ve experienced something unthinkable this year… A devastating pandemic, lives turned upside down, social relationships changed forever. While we learned how to deal with this new reality and tried to protect our health, let’s think a bit of how it impacted IT security.

Most of us who can, now work from home. Many businesses had to learn how to quickly allow their employees to do it. And with that, of course came security issues. Issues with video conferencing platforms like Zoom, with how to secure remote premises and so on.

Many managers had to quickly update their thinking and accept that people can actually be productive when working remotely. Or maybe they were forced to accept it for now only… Life is short, and some commutes are really hard – so when would we start putting people first? Not only during pandemics hopefully.

How did it go on the breaches side? Ransomware attacks have become the norm, affecting schools and hospitals, some of the online newbies of the pandemic world. Is this issue with applying patches so difficult to tackle? What about running an anti-malware program? It’s almost as basic as washing hands and wearing masks, but it can save us from a lot of trouble. Unfortunately, just as controversial and ignored in many places. “We’re too busy to apply patches” – but do we prefer to pay ransom to hackers instead?

Working remotely means your endpoints (employee laptops) should be secure and ready to work in any environment. It means your corporate apps and communications software have to offer encryption of all remote access, and you should actually verify it is in place end to end. Vendor management should include security due diligence, so you can discover any issues before signing on the dotted line… Multi-factor authentication should become a must and the zero trust model quickly adopted – can I trust an employee’s personal device knowing it could be infected with malware?

Many new lessons here… solutions are always there. And a new year is around the corner – so let’s hope for the best!

The anatomy of a good security program

How do you know when you have a good security program in place? There are many ways to self check your security program, some based on methodology and some on results.

You can use the CIS Top 20 Critical Security Controls (CIS standards or benchmarks are one of my best go-to resources) or you can start measuring the quality of the info on incidents and vulnerabilities given by your security tools.

The Top 20 Controls will make sure you have covered all angles, while assessing your tools will verify you made the right investment choices. Unfortunately, after many years in this field I have to say that a lot of the security tools on the market don’t work, are difficult to set up, some requiring huge amounts of consulting dollars, and in the end they don’t pay off.

One big example is SIEMs. They come with high price tags, claiming they can ingest any possible logs, but then you have to write your own content to see basic things like invalid logins. Another one is network intrusion detection tools. With most of the traffic encrypted, they give very little information, except if you are able to correlate the IP addresses seen with some sort of threat intelligence feed to check if you are talking to any “bad” guys.

The breakthrough comes from some very innovative tools that apply big data techniques to try to reduce the complexity of the log data and show you what’s really important. Making sense of your log data (network traffic and operating system events in particular) is one of the first things you need to do – if you don’t know what goes on in your network, you will never know when you had a breach.

Second most important are vulnerability and patch management. If Microsoft, Apple, Google, or Amazon spend money to develop patches, is it not silly not to take advantage of them and instead let the hackers do it? Most breaches are caused by unpatched vulnerabilities or basic misconfigurations. So a tool that gives accurate info on the patch situation is critical.

Last, application security. Here the situation is quite challenging because there are very few good vendors who can find real vulnerabilities. This is mostly because the approach taken (black box testing or static analysis) is not looking at “code running in a distributed environment”. It’s like your doctor poking at your body here and there, instead of doing an ECG, X-ray etc. It works with very few diseases.

Although there is some hope with IAST, most app sec vendors price their products way too high, making them beyond the reach of a startup, and some also require a lot of resources and time to be able to run. So the only good thing to do with your money is to hire a great pen tester, until the situation improves.

So, here is my mantra:

  • Know your network
  • Patch your vulnerabilities
  • Try to secure (and pen test) your apps as much as you can

If you do these things, and do them well, you have a chance to survive 🙂

What do we learn from WannaCry

For the past week, WannaCry has made tons of news in the security world. Critical infrastructure has been shut down, systems have been crippled, people suffered disruptions…

Why is this possible? What are we doing wrong? I will try to answer this from the perspective of a security guy who’s been in the trenches for many years…

One of the good security practices a company should put in place is called “defense-in-depth”, which means not to rely on one single defense mechanism.

So, here are a few things that could have stopped it:

  • A good anti-malware solution installed on Windows computers (running a good anti-virus, and not just something to check a box on a compliance list, is a must these days)
  • A good vulnerability management program, addressing critical patches in a timely manner (yes, sysadmins are busy, and very often the approach to patching is “who cares”)
  • A good network security architecture, which should not expose critical infrastructure systems to outside threats (“it’s behind the firewall, it’s safe” – I hear many times, but the firewall allows insecure ports and protocols in)

Companies that are good at automation will succeed and survive in the current threat environment – one needs to automate deployment of tools, installing updates etc. Companies that rely on manual labor will suffer. Unfortunately, large companies tend to be in the latter category because of legacy issues.

What do you do with the old win2k server still running some code that nobody maintains and yet it’s still needed? Do you at least isolate it so that it cannot infect your good apples?

What about the good old VPN that allows full access into the data center from employee owned computers, where the kids may have accidentally downloaded the latest malware? Do you know what anti-virus it runs?

A good analogy for a successful security program is the so-called “broken windows policy” that turned New York City around – address small problems before they become huge.

So, if you don’t WannaCry no more, call us and we can help assess and prioritize your security program.

Cloud security basics

Moving to the cloud is a tremendous step towards streamlining systems operations through automation and standardization. What can be said about cloud security? Will it match what you had in the brick and mortar data center? Below is some basic advice.

Spinning up a new server (VM) and deploying an application in a cloud environment will become much easier and will not require as much manual labor from your sysops team. It is however very important to set things up properly right from the beginning, because any mistakes will affect your entire environment.

Where do you start? Before starting to spin up VMs and storing sensitive code or data on them, make sure the access to your infrastructure is secure. There are a few notorious cases of companies that have fallen prey to hackers who took control of their cloud management consoles and held them for ransom. In some cases they deleted their infrastructure and some went out of business as a result… Sounds scary? It is… but you can avoid their mistakes.

AWS provides a set of powerful APIs that can be used to manage the infrastructure. Securing access to these APIs and the AWS console itself therefore becomes very important. Amazon helps quite a bit, by pointing out good practices upon setting up your console access – like implementing two factor authentication and securing access to API keys. We strongly suggest implementing MFA (multi-factor authentication). No matter how good your password is, there are many ways it can be stolen…

Amazon’s hints however will only go so far, which is why organizations like the Center for Internet Security came up with an Amazon Web Services Foundations Benchmark. It is a good read, and will require quite a bit of work to implement. There are a few cloud security scanning vendors who are developing compliance tests against this benchmark, which can highlight errors or omissions. We can help you pick and implement one – why not contact us for some advice?
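The compliance tests mentioned above boil down to checks like the ones below. This is an added example, not code from the original post or from any scanning vendor: it audits the IAM credential report (in a real account obtained with `aws iam get-credential-report`, whose `Content` field is a base64 CSV) for the MFA and access-key issues the post warns about. The sample rows are constructed and use only a subset of the report’s columns.

```python
import csv
import io

# Constructed sample using a subset of the IAM credential report columns.
# The account names and values are invented for this example.
SAMPLE_REPORT = """user,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,not_supported,false,true,false
alice,true,true,false,false
bob,true,false,true,false
deploy,false,false,true,false
"""

def audit_credential_report(report_csv: str) -> list:
    """Return one finding per weakness in console/API access found in the report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa = row["mfa_active"] == "true"
        console = row["password_enabled"] == "true"
        keys = (row["access_key_1_active"] == "true"
                or row["access_key_2_active"] == "true")
        if user == "<root_account>":
            # The root account must have MFA and should not hold API keys
            # at all; day-to-day API work belongs to IAM users or roles.
            if not mfa:
                findings.append("root account has no MFA")
            if keys:
                findings.append("root account has active access keys")
        elif console and not mfa:
            # Anyone who can sign in to the console needs a second factor.
            findings.append(f"console user {user} has no MFA")
    return findings

if __name__ == "__main__":
    for finding in audit_credential_report(SAMPLE_REPORT):
        print(finding)
```

The `deploy` user produces no finding because it has no console password; a check on access-key age would be the natural next addition.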

What you need to know about regulatory compliance

If you are a startup or a small business owner, you may not know what regulation or legislation you need to comply with.

Here are a few pointers:

1. Do you use Google Analytics and/or AdWords? Do you track your web site users? If the answer is yes, Google requires you to have a privacy policy in place and this policy should contain certain information.

2. Do you do business in Europe? Then you must comply with the EU cookie and/or privacy laws.

3. Do you process credit cards online and/or in store? Then you need to have a PCI (Payment Card Industry) compliance strategy in place, and depending on the amount of credit cards processed you need to submit certain compliance documents to your credit card processor(s).

4. Do you know what to do in case of a security breach? If your site gets hacked, you are required to send certain notifications to your customer base.

5. Do you host health data on your site? Then you may need to comply with the HIPAA legislation, which should be taken very seriously.

Confused about all these compliance requirements? You are not alone. We’re here to help! Email us at [email protected] for a free consultation.

How to set up your own website

If you are thinking of setting up your own website, using AWS is the best way to learn about the cloud – there is a free tier service level for one year!

Amazon also provides great tutorials on how to install Apache, PHP and MySQL (aka LAMP).

There are many hosting providers available, which can be more friendly to work with in the short term, but you will start seeing their limitations very quickly. By that time, it may be hard to migrate away from them…

Once you get your web server running, installing WordPress is another simple exercise, and then you are in business!

If you feel good about your technical skills, you can proceed to installing SSL (the encryption layer) on your website. This will boost your Google rankings and your customers’ confidence. There are cheap solutions available, such as domain validation only certificates, offered by companies like Comodo. While they are not suitable for an e-commerce site, they will do for your blog 🙂

Now you are a webmaster – next comes learning how to manage your site and elevate your online profile, the wonderful world of search engine optimization (SEO)… This may be a full time job and you may want to hire a professional. Just be aware of the many scammers out there, and if they sound too good to be true they probably are. Ask them for results from other customers to be safe.

Using the web to grow your business is fantastic and it works, but it needs constant care and feeding…

Welcome to the virtual world!