Cybersecurity Certification Training and Comprehensive Penetration Testing Solutions.
![]() The new European Union (EU) Regulation 2016/679 GDPR (General Data Protection Regulation) have gone into effect May 25, 2018. This will have a far-reaching effect and identify many possible repercussions for any organization collecting, processing, and/or storing any EU citizen’s information. Your company need not be located in any of the EU countries; rather if your company collects any EU citizen’s information, your company must adhere to and be complaint to the new regulation. The essential characteristics of the regulation are to protect personal data as a fundamental right and that privacy is to be respected as an expectation of the GDPR. The GDPR creates a greater level of harmonization across the EU for the sharing and exchange of data. Implementation of the GDPR requirements necessitates a greater level of protection of a person’s digital identity. The reason for such an increased worldwide emphasis on compliance is due to the imposed fines that can be applied if you fail to manage the privacy data appropriately. Fines are set at 4% of the noncompliant organization’s global revenue Who is Responsible for GDPR?There are two specific roles that are defined in the regulations, the first is the data controller and the other position is the data processor. A data controller is the collector of the data for internal or outsourced processing. The expectation is that an individual’s consent is required to collect the information. This role is responsible for documenting the format of how the data is to be utilized throughout its lifecycle within the organization, privacy policies, and the ability to process requests for data portability, rectification, objection, etc. The duties that are required for this role include compliance to protect the data subject’s rights. Examples of data controllers include social media organizations, education institutions, health organizations, banks, etc. If your organization determines how the data is to be processed and the purpose of that processing, this indicates a data controller. A data processor is a natural or legal person, public authority, agency or other body responsible for managing and storing data on behalf of the controller. Specific clauses within the regulation require the same technical and organizational measures to be applied to the controller as well as the processor. An example would be an outsourced payroll company; the data controller tells the payroll organization who to pay and what amount. If you are not making these decisions and just acting on a request, this indicates a data processor. The required liability flows through the chain of data processing. Specifically, the data controller has liability if a data processor fails to fulfill his obligations. What data is in scope?Article 4(1) states: “‘personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;” Elements of data types could include IP addresses, cookie data, or a photograph associated to an account. In many cases, personal customer data will be in multiple formats and forms in CRMs (Customer Relationship Management systems), contracts, sales contact databases, etc. How CIS can helpSpecific to the data controller and the data processor roles, responsibilities are to “implement appropriate technical and organizational measures to ensure and be able to demonstrate that processing is performed in accordance with the regulation.” CIS offers a multitude of best practices and cybersecurity solutions to help organizations on the path to GDPR compliance. A strong starting point is to utilize a CIS SecureSuite Membership, which includes access to tools such as CIS-CAT Pro and remediation kits, to assess and harden systems. “Hardening” is the process of limiting vulnerabilities in a system to reduce cyber threats. Hardening systems to the CIS Benchmarks™, secure configuration guidelines for over 150 technologies, provides a platform for compliance and is a recognized foundation to build your remaining data infrastructure. Measure system conformance to the CIS Benchmarks with CIS-CAT Pro Assessor, our configuration assessment tool which provides assurance that the target system is hardened to the standard. It is not sufficient to simply state compliance to a particular benchmark – measure and prove it with the dynamic reporting features of CIS-CAT Pro Dashboard. ![]() If you are working in the cloud, the CIS controls offer pre-hardened virtual machines on the Microsoft Azure Marketplace and Google Cloud Platform (GCP), and Amazon Machine Images (AMIs) on Amazon Web Services in the AWS Marketplace, including the AWS GovCloud (US) region and IC region. CIS Hardened Images conform to the applicable security standards of the CIS Benchmarks, bringing on-demand security to cloud computing environments. The CIS Controls are a prioritized set of cybersecurity best practices to help organizations improve their security posture. Version 7 of the CIS Controls was released in March 2018 and contains following guidance that can be applied to GDPR compliance. The CIS Controls can serve both as a measurement process to encourage compliance as well as for implementing a security control framework within your organization. In many cases, the entire CIS Controls can be applicable to implement a structured and measured approach to compliance and security for the organization. GDPR will require a complete understanding and visualization of the data flows for personal information throughout your enterprise. The regulation extends to data controllers and processors. It may seem challenging at first, but with due diligence, documented plans, and help from the cybersecurity resources available from CIS, the road to compliance is achievable. Why is this applicable to companies in the United States?Why is this applicable to companies in the United States if your company is not doing any business with EU countries? California will soon be implementing the California Consumer Protection Act (CCPA) in July of 2020. California’s CCPA mirrors the EU Regulation 2016/679 for GDPR. Companies in New York doing business with companies in California and collecting consumer data will be required to meet the CCPA. Companies need to move forward and begin the process on GDPR compliance. Here are three key areas in which to move ahead with compliance readiness:
GDPR will ultimately lead to companies gathering just enough data from individuals in order to complete any type of conversion, transaction, or order agreement. But the optimistic viewpoint is that with greater clarity of data protection and privacy controls, consumers will become more comfortable with emerging digital practices, and when working with companies, will be able to form trust with these companies to hold their personal information in high regard. Author Bio![]() Doug, shredding a solo. Doug Stewart is a Senior Sales Manager. Doug brings a wealth of experience and is focused on sales and business development activities. Doug strives to help businesses meet the demands of their on-going cybersecurity requirements and helps them be adequately protected against cyber intrusions. Doug is located in Colorado where he majored in Music and played hockey at Denver University. He played in a highly competitive hockey league for 24 years post college, and coached his children’s soccer and hockey teams for 12 years. Music is still a strong passion which he pursues professionally with his band. He and his wife are the proud grandparents to three grand kids. via Tumblr General Data Protection Regulation (GDPR) Overview
0 Comments
![]() It’s no question that in cybersecurity, defense is the best offense. In the constantly changing threat landscape, the tie often goes to the attacker, and businesses are forced to act like turtles putting up shells of security to ward off threats. That is not always a bad thing; using a well-constructed defense- in- depth plan can greatly limit the likelihood of a successful attack. I would like to believe we can get to a 99.99% level of security. Even if that were true, that extra .01% keeps me up at night. What do we do if the controls fail? How do we respond then? What do we do the other 1% of the time? Once we find out that our emails have been hacked, or our money has been stolen is not the time to ask, “what now?” Even worse, what do you do when you suspect that an insider has embezzled funds and the evidence is located on their computer? Though we invest in and rely on our security controls, it is unfortunately not always enough. We must have a plan for the .01%. Those Who Fail to Plan, Plan to Fail.In the world of cybersecurity, one of the biggest reasons companies find themselves becoming victims is because they fail to plan for their IT growth, especially for security. Often small to medium business put little to no thought into cybersecurity until after they have become a victim. As a business grows the need to protect that growth comes with a lot of hard decisions. Many times, a balance must be struck between expanding revenue, generating sources like equipment, and personnel and infrastructures like email servers and IT staff. Many businesses quickly find themselves outgrowing their IT infrastructure before they even realize it has happened. They often don’t realize they have a problem until a compromise or critical failure takes place. What’s At Stake?It is imperative to consider what is at stake. The answer is possibly more than you think. Recently a client asked me to give them some case studies to show what the costs of not being properly prepared could be. In one case a small business had $1.5M stolen from their bank accounts over a period of three days using a fairly straightforward cyberattack. Within a few weeks, they were forced to lay off employees and file bankruptcy. Other less obvious risks arise that business may not know how to deal with until it is too late. What happens if an employee uses a personal device on the company network for illegal activity? Is the company protected? What if an employee embezzles funds from a partner corporation and millions in contracts are tied up in litigation? What do you do with that employee’s computers and devices? These are the types of situations that we see on a daily basis and represent that .01 % of cases in which one wrong move could mean the difference between liquidation and salvation. Obviously, we cannot plan for everything, but having a well-laid incident response plan and a trained team in place to execute can prevent a lot of grief in the long run. What is an Incident Response Plan (IRP)?The goal of an incident response plan is to have an answer prepared for those “what if” situations. The type of situation can vary from a power outage to a data breach, and the depth of the incident response planning should be based on the likelihood of an event taking place and the severity and level of impact if it does. The incident response plan will outline important information about communications during critical events; it may go as far as to outline authority and decision making matrices to ensure that risk is accepted at the appropriate level. Key Areas to CoverIncident response planning can be a daunting task at first glance. There is no end to the number of circumstances that can arise. The real key is to outline how to respond to incidents in a methodical manner, as well as identify who is responsible for acting during a crisis (see Incident Response Team below). The process of incident response is generally broken into 6 areas. Specific checklists and policies can be created for known risks, but these same steps can be used when an event you are unprepared for arises. 1. Preparation – Creating policies and establishing standards for what constitutes an incident. Practicing and conducting drills or exercises to respond to incidents. 2. Identification/ Detection – Tactics techniques and procedures to detect an incident in progress. 3. Containment – Taking steps to prevent the spread or continuation of a breach or incident. This could be as simple as segregating a computer from a network or as complex as removing access to major systems. 4. Eradication – Remove any corrupt or infected files, restore backups, ensure no other systems have been impacted. Restore or replace affected systems. 5. Recovery – Return all systems to full operation. 6. Review Lessons Learned – Identifying what went right or wrong from the incident for future use. These steps may seem simple at first glance but can quickly become complicated. For example, If an IT staff member determines that a website has been infiltrated does that member then have the authority to take the web server offline while further investigation is conducted? How much revenue will be lost during the outage? Will other system be impacted? What are the risks of operating with a potentially compromised system? Outlining how much risk is acceptable and what level of management is responsible for accepting that risk is critical prior to an incident taking place. Also of note, the preservation of evidence should be kept at the forefront during all of these stages, especially if there are legal or financial implications for the company or its employees. In some cases, evidence can be destroyed or made useless by something as simple as turning off a computer. Therefore training staff on what to do in these situations is so important. If there are any legal or financial implications, it may be worth bringing in a certified digital forensics team to assist with the protection of evidence. If that is a function that doesn’t exist in-house, bringing in an outside cyber forensics team should be part of the IRP. Incident Response Team (IRT)![]() An important aspect of incident response planning is the establishment and training of an IRT. The IRT will be the boots on the ground that will lead the efforts during a cyber incident. While they may not do all the work themselves, these will be the key players who will oversee and coordinate the response to cyber incidents. It may be unrealistic to have all staff trained to handle an incident, so having a team of staff identified and trained ahead of time is key to proper indecent handling. The team should be small enough to be agile, as well as contain multidiscipline employees to allow for perspective and cross-functionality. Ideally, the team will be led by the CISO and contain members of the IT staff. It may also be wise to consider having personnel from other business units, especially legal, HR, and public relations. Practice, Practice, Practice.Having an incident response plan sounds good on paper (pun intended), but it is important to test the plan on a regular basis. This will ensure that the team is still current on their responsibilities, able to identify holes in the plan, and give you an opportunity to update for any changes since the last time the IRT was practiced or used. I recommend testing IRP at least semiannually and revisiting it anytime major changes are made to the business or its infrastructures. It’s Dangerous to Go AloneIt’s ok not to be the expert at everything. You are already great at what you do! If you would like help with security control audits, incident response planning, digital forensics, incident response, or any other cybersecurity service, Alpine Security is just a click away. Often it is more cost effective and less stressful to bring in a consulting team to help whip an organization into shape than try and go it alone. Author Bio![]() Isaac (on the left) hiking in Vietnam Isaac Wright is a Cybersecurity Analyst and Trainer with Alpine Security. A veteran of the US Air Force, Isaac has more than 15 years’ experience in electronics maintenance and security. He holds degrees in Electronics Systems and Education and Training Management as well as a master instructor certification. Isaac has a long history of maintaining, hacking, modding, and using electronics systems from networks and computers to radios and consumer electronics. Isaac has leveraged his expertise to advise CIOs in large multi-site organizations on vulnerability management and risk mitigation. When not teaching or analyzing network traffic, Isaac loves to play board games with family, fish, camp, and experience everything the world has to offer. An avid traveler, Isaac has been to more than 15 countries and especially enjoys Asia. via Tumblr Incident Response Plan: The Tool You Hope You Never Need ![]() The new European Union (EU) Regulation 2016/679 GDPR (General Data Protection Regulation) have gone into effect May 25, 2018. This will have a far-reaching effect and identify many possible repercussions for any organization collecting, processing, and/or storing any EU citizen’s information. Your company need not be located in any of the EU countries; rather if your company collects any EU citizen’s information, your company must adhere to and be complaint to the new regulation. The essential characteristics of the regulation are to protect personal data as a fundamental right and that privacy is to be respected as an expectation of the GDPR. The GDPR creates a greater level of harmonization across the EU for the sharing and exchange of data. Implementation of the GDPR requirements necessitates a greater level of protection of a person’s digital identity. The reason for such an increased worldwide emphasis on compliance is due to the imposed fines that can be applied if you fail to manage the privacy data appropriately. Fines are set at 4% of the noncompliant organization’s global revenue Who is Responsible for GDPR?There are two specific roles that are defined in the regulations, the first is the data controller and the other position is the data processor. A data controller is the collector of the data for internal or outsourced processing. The expectation is that an individual’s consent is required to collect the information. This role is responsible for documenting the format of how the data is to be utilized throughout its lifecycle within the organization, privacy policies, and the ability to process requests for data portability, rectification, objection, etc. The duties that are required for this role include compliance to protect the data subject’s rights. Examples of data controllers include social media organizations, education institutions, health organizations, banks, etc. If your organization determines how the data is to be processed and the purpose of that processing, this indicates a data controller. A data processor is a natural or legal person, public authority, agency or other body responsible for managing and storing data on behalf of the controller. Specific clauses within the regulation require the same technical and organizational measures to be applied to the controller as well as the processor. An example would be an outsourced payroll company; the data controller tells the payroll organization who to pay and what amount. If you are not making these decisions and just acting on a request, this indicates a data processor. The required liability flows through the chain of data processing. Specifically, the data controller has liability if a data processor fails to fulfill his obligations. What data is in scope?Article 4(1) states: “‘personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;” Elements of data types could include IP addresses, cookie data, or a photograph associated to an account. In many cases, personal customer data will be in multiple formats and forms in CRMs (Customer Relationship Management systems), contracts, sales contact databases, etc. How CIS can helpSpecific to the data controller and the data processor roles, responsibilities are to “implement appropriate technical and organizational measures to ensure and be able to demonstrate that processing is performed in accordance with the regulation.” CIS offers a multitude of best practices and cybersecurity solutions to help organizations on the path to GDPR compliance. A strong starting point is to utilize a CIS SecureSuite Membership, which includes access to tools such as CIS-CAT Pro and remediation kits, to assess and harden systems. “Hardening” is the process of limiting vulnerabilities in a system to reduce cyber threats. Hardening systems to the CIS Benchmarks™, secure configuration guidelines for over 150 technologies, provides a platform for compliance and is a recognized foundation to build your remaining data infrastructure. Measure system conformance to the CIS Benchmarks with CIS-CAT Pro Assessor, our configuration assessment tool which provides assurance that the target system is hardened to the standard. It is not sufficient to simply state compliance to a particular benchmark – measure and prove it with the dynamic reporting features of CIS-CAT Pro Dashboard. ![]() If you are working in the cloud, the CIS controls offer pre-hardened virtual machines on the Microsoft Azure Marketplace and Google Cloud Platform (GCP), and Amazon Machine Images (AMIs) on Amazon Web Services in the AWS Marketplace, including the AWS GovCloud (US) region and IC region. CIS Hardened Images conform to the applicable security standards of the CIS Benchmarks, bringing on-demand security to cloud computing environments. The CIS Controls are a prioritized set of cybersecurity best practices to help organizations improve their security posture. Version 7 of the CIS Controls was released in March 2018 and contains following guidance that can be applied to GDPR compliance. The CIS Controls can serve both as a measurement process to encourage compliance as well as for implementing a security control framework within your organization. In many cases, the entire CIS Controls can be applicable to implement a structured and measured approach to compliance and security for the organization. GDPR will require a complete understanding and visualization of the data flows for personal information throughout your enterprise. The regulation extends to data controllers and processors. It may seem challenging at first, but with due diligence, documented plans, and help from the cybersecurity resources available from CIS, the road to compliance is achievable. Why is this applicable to companies in the United States?Why is this applicable to companies in the United States if your company is not doing any business with EU countries? California will soon be implementing the California Consumer Protection Act (CCPA) in July of 2020. California’s CCPA mirrors the EU Regulation 2016/679 for GDPR. Companies in New York doing business with companies in California and collecting consumer data will be required to meet the CCPA. Companies need to move forward and begin the process on GDPR compliance. Here are three key areas in which to move ahead with compliance readiness:
GDPR will ultimately lead to companies gathering just enough data from individuals in order to complete any type of conversion, transaction, or order agreement. But the optimistic viewpoint is that with greater clarity of data protection and privacy controls, consumers will become more comfortable with emerging digital practices, and when working with companies, will be able to form trust with these companies to hold their personal information in high regard. Author Bio![]() Doug, shredding a solo. Doug Stewart is a Senior Sales Manager. Doug brings a wealth of experience and is focused on sales and business development activities. Doug strives to help businesses meet the demands of their on-going cybersecurity requirements and helps them be adequately protected against cyber intrusions. Doug is located in Colorado where he majored in Music and played hockey at Denver University. He played in a highly competitive hockey league for 24 years post college, and coached his children’s soccer and hockey teams for 12 years. Music is still a strong passion which he pursues professionally with his band. He and his wife are the proud grandparents to three grand kids. via Tumblr General Data Protection Regulation (GDPR) Overview O’Fallon, IL - Alpine Security (“Alpine”), a leading cybersecurity training, penetration testing, and audit firm, announces the launch of their Cyber Infinity Training Program. ![]() ![]() The Alpine Security Cyber Infinity Programs consists of 12 months of unlimited certification training for $9,995. Included in the fee for the Cyber Infinity program are all course materials, remote labs, one exam voucher per class, and the Alpine Security exam pass guarantee. The Alpine Security Exam Pass guarantee allows students to retake a class free of charge if they do not feel ready for the exam after going through the training, or if they do not pass the exam in their first attempt. All Alpine Security’s certification training course offerings are included in the program. “We are excited to introduce this new addition to our training programs,” says Cecilie Kreiner, Alpine Security’s Director of Training. “Whether new to the field or validating current skills via credentials, we encourage our students to map out their career path. The unlimited training in the Cyber Infinity Program allows you to customize your certification track with your personal career goals in mind. Whether you want to specialize in the offensive or defensive tracks, focus on cybersecurity management or cyber forensics, or create a well-rounded package with a variety of cybersecurity certifications, our wide selection of certification training classes can help you reach your goals.“ Alpine Security offers certification training courses from CompTIA, EC-Council, and (ISC)2, as well as hands-on, technical training in a variety of topics such as Wireshark training and malware analysis. Alpine is a CompTIA Authorized partner and EC-Council Accredited Training Center, and was awarded the EC-Council Best Newcomer of the Year in 2017. Alpine offers the complete CompTIA Cybersecurity Track, starting with the Core Skills Certification Security+. The CompTIA cybersecurity track provides a clear path for those starting a career in cybersecurity and for seasoned cybersecurity professionals looking to advance their career by proving their knowledge, skills, and abilities through certifications. Alpine’s EC-Council offerings include Computer Hacking Forensic Investigator (CHFI), Certified CISO, as well as the complete EC-Council Penetration Testing Track, from Certified Ethical Hacker (CEHv10) to LPT Master. Alpine Security’s (ISC)2 course offerings include CISSP and CAP. For more information on the Cyber Infinity Training Program, please visit: https://www.alpinesecurity.com/training/cyber-infinity-program ABOUT ALPINE SECURITYAlpine Security, a Service Disabled Veteran Owned Small Business, offers a comprehensive suite of cybersecurity services and cybersecurity training. Alpine Security’s instructors are all practitioners who work as penetration testers, incident response handlers, forensic analysts, auditors, and more. This allows them to bring practical, real-world, and up-to-date experience into the classroom. Alpine Security mandates continuous training and certifications for everyone on their team, and all trainers have had to pass their rigorous Train-the-Trainer course as well as recurring courses on effective training and communication. via Tumblr Alpine Security Launches Cyber Infinity Training Program O’Fallon, IL - Alpine Security (“Alpine”), a leading cybersecurity training, penetration testing, and audit firm, announces the launch of their Cyber Infinity Training Program. ![]() ![]() The Alpine Security Cyber Infinity Programs consists of 12 months of unlimited certification training for $9,995. Included in the fee for the Cyber Infinity program are all course materials, remote labs, one exam voucher per class, and the Alpine Security exam pass guarantee. The Alpine Security Exam Pass guarantee allows students to retake a class free of charge if they do not feel ready for the exam after going through the training, or if they do not pass the exam in their first attempt. All Alpine Security’s certification training course offerings are included in the program. “We are excited to introduce this new addition to our training programs,” says Cecilie Kreiner, Alpine Security’s Director of Training. “Whether new to the field or validating current skills via credentials, we encourage our students to map out their career path. The unlimited training in the Cyber Infinity Program allows you to customize your certification track with your personal career goals in mind. Whether you want to specialize in the offensive or defensive tracks, focus on cybersecurity management or cyber forensics, or create a well-rounded package with a variety of cybersecurity certifications, our wide selection of certification training classes can help you reach your goals.“ Alpine Security offers certification training courses from CompTIA, EC-Council, and (ISC)2, as well as hands-on, technical training in a variety of topics such as Wireshark training and malware analysis. Alpine is a CompTIA Authorized partner and EC-Council Accredited Training Center, and was awarded the EC-Council Best Newcomer of the Year in 2017. Alpine offers the complete CompTIA Cybersecurity Track, starting with the Core Skills Certification Security+. The CompTIA cybersecurity track provides a clear path for those starting a career in cybersecurity and for seasoned cybersecurity professionals looking to advance their career by proving their knowledge, skills, and abilities through certifications. Alpine’s EC-Council offerings include Computer Hacking Forensic Investigator (CHFI), Certified CISO, as well as the complete EC-Council Penetration Testing Track, from Certified Ethical Hacker (CEHv10) to LPT Master. Alpine Security’s (ISC)2 course offerings include CISSP and CAP. For more information on the Cyber Infinity Training Program, please visit: https://www.alpinesecurity.com/training/cyber-infinity-program ABOUT ALPINE SECURITYAlpine Security, a Service Disabled Veteran Owned Small Business, offers a comprehensive suite of cybersecurity services and cybersecurity training. Alpine Security’s instructors are all practitioners who work as penetration testers, incident response handlers, forensic analysts, auditors, and more. This allows them to bring practical, real-world, and up-to-date experience into the classroom. Alpine Security mandates continuous training and certifications for everyone on their team, and all trainers have had to pass their rigorous Train-the-Trainer course as well as recurring courses on effective training and communication. via Tumblr Alpine Security Launches Cyber Infinity Training Program IntroductionToday we all communicate constantly over the internet. Some people say we spend too much time on our mobile devices, and we do not interact enough with the world, and with the people around us. However, that is a discussion for another time. In this blog post we want to discuss how we keep our internet communications secure from eavesdropping. ![]() Let us start with the granddaddy of internet communications protocols: E-Mail. Almost before there was any other way of communicating over the internet, there was E-Mail. It ran over a protocol called Post Office Protocol, or POP. The final version of the protocol is POP3. There was only one way to access our email, and that was using an E-Mail client such as Microsoft’s Outlook or Netscape Communicator (old school!) or Eudora (double old school!). Back in the day there were only a couple of ways to keep your email secure, and that was through encryption. There were a couple of different ways to encrypt email using either a digital certificate or a software suite such as Pretty Good Privacy (PGP). There was also an open source version called Gnu Privacy Guard (GPG). Both methods are still around and are still effective, although PGP has evolved a bit. It is now owned by Symantec and is part of their Endpoint Security suite solution. Even though the methods for protecting our email communications have evolved, they are still there, and still important. We still send a variety of sensitive information via E-Mail, and we need to protect it. The easiest way to encrypt our email is to use a digital certificate, also known as a Public Key Certificate . There are a range of options available to obtain an E-Mail digital certificate which is then installed into your E-Mail client and allows you to sign and encrypt email. The drawbacks are that you must be using a dedicated E-Mail client such as Outlook, Apple Mail, or Mozilla Thunderbird , and the people you are communicating with must also have a digital certificate. The same applies if you are using PGP/GPG. Everyone must be using it for it to be effective. Fortunately, our E-Mail providers are also looking out for us. Companies like Google and Microsoft that provide E-Mail services use end-to-end transport encryption to help make our communications more secure. MessagingAll the proceeding brings us to the new kid on the block of internet communications: instant messaging. Or just “messaging” as it’s called now. Messaging started out on our early mobile phones as text messages, which are not and never were secure. However, today we have a variety of ways we can message each other securely from the Messages app in iOS to Whatsapp to Signal to Slack, etc. “How are these mobile apps secure?”, I can hear you asking. It is a good question. They all use encryption to make sure no one else can eavesdrop on your messages with your friends, family, and business contacts. Apple was one of the first to do this for its customers when it started encrypting the messages between iCloud users. The drawback is, (and you knew one must be coming), the encryption only works between iCloud users. When you send a message, using the Messages app in iOS, to your friend who uses a smart phone that runs a different mobile operating system, such as Android, the message is a plain, unencrypted text message. Which brings us to the other mobile apps that will help us communicate securely. There are a lot of them out there, but two that we would like to mention are Signal and Whatsapp. Many, many people use these apps daily to communicate securely and if you communicate with people who use a variety of mobile devices you should too. Some of these apps will even let you make encrypted phone calls, which is a big plus. There is also another kind of solution. VPNs![]() One of the other ways to secure your communications is to use a Virtual Private Network (VPN). Many of us, like me, are used to being able to take our laptops down to the local coffee shop, or with us when we travel, connect to any ‘ole Wi-Fi, and then keep doing what we always do on the internet. What you may not be aware of however, is that unlike our home Wi-Fi networks which are encrypted, open, public Wi-Fi that we get at coffee shops, libraries, airports, etc., are not encrypted. Anything done on those wireless networks can be intercepted by nefarious people. A good rule of thumb is, if you don’t have to enter a passphrase to connect to the wireless, it is not secure. So how do you secure wireless? I’m glad you asked! It is secured by using a VPN. As with the encryption methods for E-Mail and messaging, there are a variety of VPN providers out there that do not cost a lot of money. An individual or organization should research and decide which one is best for their respective needs. It is not recommended to use a free VPN provider. Free VPN providers can be iffy because they get much of their funding via pushing ads to their users. One way they do that is by tracking what you do, which kind of defeats the purpose of using a VPN in the first place. Returning to how a VPN can protect your communications, we could go into a lot of detail about what a VPN does, but we will keep it simple instead. Unlike the secure solutions above, which are very specific, a VPN works by creating a tunnel between you and a remote server. This tunnel is encrypted, which means that everything you send through it is protected from eavesdropping. This can be especially useful if you are working at the aforementioned coffee shop or airport. SummaryAll the information included in this blog is really our way of getting you to think about how, and who, you are communicating with on the internet, and what data you are sending. The bad guys are out there, and they are always watching and trying to get anything they can. If you are planning a birthday party for your best friend or sending your bank information to your CPA at tax time, do it securely. Do not make it easy for the bad guys! Author Bio![]() Michael with his foster pit bull, Toby. Michael Allbritton is a Cybersecurity Analyst and Trainer with Alpine Security. He holds several security-related certifications, including Certified Information Systems Security Professional (CISSP), Network+, Security+ and CyberSec First Responder (CFR). Michael has many years of experience in software testing, professional services, and project management. He is equally comfortable working with software engineers on testing and design and with sales to meet and manage customer expectations. Michael’s cybersecurity experience with Alpine includes penetration testing, vulnerability assessments, and social engineering engagements for various clients as well as teaching courses for the above-mentioned certifications. In his spare time Michael is an enthusiastic amateur photographer, diver, and world traveler. He has photographed wildlife and landscapes in the United States, Africa, Central America, West, and East Europe and has amassed several hundred dives as a PADI Divemaster. via Tumblr Protecting Internet Communications IntroductionToday we all communicate constantly over the internet. Some people say we spend too much time on our mobile devices, and we do not interact enough with the world, and with the people around us. However, that is a discussion for another time. In this blog post we want to discuss how we keep our internet communications secure from eavesdropping. ![]() Let us start with the granddaddy of internet communications protocols: E-Mail. Almost before there was any other way of communicating over the internet, there was E-Mail. It ran over a protocol called Post Office Protocol, or POP. The final version of the protocol is POP3. There was only one way to access our email, and that was using an E-Mail client such as Microsoft’s Outlook or Netscape Communicator (old school!) or Eudora (double old school!). Back in the day there were only a couple of ways to keep your email secure, and that was through encryption. There were a couple of different ways to encrypt email using either a digital certificate or a software suite such as Pretty Good Privacy (PGP). There was also an open source version called Gnu Privacy Guard (GPG). Both methods are still around and are still effective, although PGP has evolved a bit. It is now owned by Symantec and is part of their Endpoint Security suite solution. Even though the methods for protecting our email communications have evolved, they are still there, and still important. We still send a variety of sensitive information via E-Mail, and we need to protect it. The easiest way to encrypt our email is to use a digital certificate, also known as a Public Key Certificate . There are a range of options available to obtain an E-Mail digital certificate which is then installed into your E-Mail client and allows you to sign and encrypt email. The drawbacks are that you must be using a dedicated E-Mail client such as Outlook, Apple Mail, or Mozilla Thunderbird , and the people you are communicating with must also have a digital certificate. The same applies if you are using PGP/GPG. Everyone must be using it for it to be effective. Fortunately, our E-Mail providers are also looking out for us. Companies like Google and Microsoft that provide E-Mail services use end-to-end transport encryption to help make our communications more secure. MessagingAll the proceeding brings us to the new kid on the block of internet communications: instant messaging. Or just “messaging” as it’s called now. Messaging started out on our early mobile phones as text messages, which are not and never were secure. However, today we have a variety of ways we can message each other securely from the Messages app in iOS to Whatsapp to Signal to Slack, etc. “How are these mobile apps secure?”, I can hear you asking. It is a good question. They all use encryption to make sure no one else can eavesdrop on your messages with your friends, family, and business contacts. Apple was one of the first to do this for its customers when it started encrypting the messages between iCloud users. The drawback is, (and you knew one must be coming), the encryption only works between iCloud users. When you send a message, using the Messages app in iOS, to your friend who uses a smart phone that runs a different mobile operating system, such as Android, the message is a plain, unencrypted text message. Which brings us to the other mobile apps that will help us communicate securely. There are a lot of them out there, but two that we would like to mention are Signal and Whatsapp. Many, many people use these apps daily to communicate securely and if you communicate with people who use a variety of mobile devices you should too. Some of these apps will even let you make encrypted phone calls, which is a big plus. There is also another kind of solution. VPNs![]() One of the other ways to secure your communications is to use a Virtual Private Network (VPN). Many of us, like me, are used to being able to take our laptops down to the local coffee shop, or with us when we travel, connect to any ‘ole Wi-Fi, and then keep doing what we always do on the internet. What you may not be aware of however, is that unlike our home Wi-Fi networks which are encrypted, open, public Wi-Fi that we get at coffee shops, libraries, airports, etc., are not encrypted. Anything done on those wireless networks can be intercepted by nefarious people. A good rule of thumb is, if you don’t have to enter a passphrase to connect to the wireless, it is not secure. So how do you secure wireless? I’m glad you asked! It is secured by using a VPN. As with the encryption methods for E-Mail and messaging, there are a variety of VPN providers out there that do not cost a lot of money. An individual or organization should research and decide which one is best for their respective needs. It is not recommended to use a free VPN provider. Free VPN providers can be iffy because they get much of their funding via pushing ads to their users. One way they do that is by tracking what you do, which kind of defeats the purpose of using a VPN in the first place. Returning to how a VPN can protect your communications, we could go into a lot of detail about what a VPN does, but we will keep it simple instead. Unlike the secure solutions above, which are very specific, a VPN works by creating a tunnel between you and a remote server. This tunnel is encrypted, which means that everything you send through it is protected from eavesdropping. This can be especially useful if you are working at the aforementioned coffee shop or airport. SummaryAll the information included in this blog is really our way of getting you to think about how, and who, you are communicating with on the internet, and what data you are sending. The bad guys are out there, and they are always watching and trying to get anything they can. If you are planning a birthday party for your best friend or sending your bank information to your CPA at tax time, do it securely. Do not make it easy for the bad guys! Author Bio![]() Michael with his foster pit bull, Toby. Michael Allbritton is a Cybersecurity Analyst and Trainer with Alpine Security. He holds several security-related certifications, including Certified Information Systems Security Professional (CISSP), Network+, Security+ and CyberSec First Responder (CFR). Michael has many years of experience in software testing, professional services, and project management. He is equally comfortable working with software engineers on testing and design and with sales to meet and manage customer expectations. Michael’s cybersecurity experience with Alpine includes penetration testing, vulnerability assessments, and social engineering engagements for various clients as well as teaching courses for the above-mentioned certifications. In his spare time Michael is an enthusiastic amateur photographer, diver, and world traveler. He has photographed wildlife and landscapes in the United States, Africa, Central America, West, and East Europe and has amassed several hundred dives as a PADI Divemaster. via Tumblr Protecting Internet Communications Before getting into cybersecurity, I was a software developer for many years. Although I had heard about security vulnerabilities introduced to software via poor coding practices, I, like many of my colleagues, did not take security all that seriously. Hacking seemed like an arcane art, only mastered by those willing to spend years pouring over dusty tomes of x86 assembly language manuals and protocol RFCs. It did not occur to us that many of the vulnerabilities could be exploited by anyone with basic web development coding skills and the willingness to spend a few hours on research. One of these mysterious incantations was the dreaded “SQL Injection” attack. What exactly could one do with a SQL Injection attack, anyway? No one was quite sure, but since our software was going into a secure military installation, we were pretty sure that the perimeter defenses would prevent anyone from harming it. SQL Injection is a vulnerability that is introduced when software developers do not check data entered by users for validity and suitability to purpose. A malicious user can enter unexpected special characters to modify the structure of a SQL query. This can happen when the developer pastes together pieces of a query with “unsanitized” user input. The unsanitized input contains special characters that modify the structure of the query before it is passed to the query parser. For example, consider a query in a PHP snippet that tests whether a user entering credentials at a login page is a valid user in the database:
In this example, the variables username and password are retrieved from the HTTP POST that was submitted by the user. The strings are taken as-is and inserted, via string interpolation, into the query string. Since no validation is done on the input, the user can enter characters that will modify the structure of the query. For example, if the user enters ‘ or 1=1; # for the username, and nothing for the password, the variable sql will now equal:
In the MySQL database engine, the “#” sign is a comment, so everything that comes after it is ignored in the query. There are no users with a blank username, but the condition “1=1” is always true, so the query will always succeed, returning all user IDs in the database. The subsequent code will likely only check that at least one record was returned, and it will likely grab just the first ID, which in most cases, will be that of the administrative user. Doing SQL injection manually requires a fair bit of knowledge of how SQL works. On top of that, there are many different SQL engines, each with slight variations in syntax, such as PostgreSQL, MySQL, Microsoft SQL Server, Oracle, IBM DB2, and others. SQL Injection “cheat sheets” can help pentesters figure out the required syntax for testing a web application, but SQL Injection is still a very time-consuming attack to carry out. Enter sqlmap. sqlmap is a program that automates tests for SQL Injection. Not only does it work with many different SQL engines, when used against vulnerable applications, it can:
Let’s perform a demo attack against the Mutillidaeintentionally-vulnerable web application as it is hosted on the OWASP Broken Web Applicationvirtual machine. We will launch an attack against Mutillidae’s login page. ![]() Multillidae Login Page sqlmap has many command line parameters, but we are going to set up the attack the easy way. The first thing we must do is to set FireFox’s proxy to run through Burp Community Edition running on localhost on port 8080. Then, we are going to enter a bogus login and password, such as admin / canary. We capture the request in Burp before it goes to the server, as shown below. ![]() Capturing the HTTP POST Request for the Mutillidae Login (Bottom Pane) Copying the POST request from the bottom pane, we save the request to a text file. In this case, the file is called mutillidae-req.txt, as shown below. ![]() Saving the POST request We can then run sqlmap using the text file by passing it with the “-r” command line parameter. We also pass “-p username” to give it the name of the parameter we would like to attack.
The first command will do some enumeration of the database to tell us that the database engine is MySQL 5.0 or above. ![]() sqlmap Running ![]() Database Identified as MySQL Once we have the database engine, we can run sqlmap again, telling it what the engine is, so it does not have to guess again. Also, we will ask sqlmap to get a list of databases on the server by using the following command:
![]() Enumerating the Databases on the Database Server Looking at the results, we notice that there is a database called wordpress that we would like to attack. The WordPress blogging platform can be abused to allow an attacker to install malicious PHP code, as long as the attacker has the administrative credentials. Running sqlmap again, we ask it to enumerate the tables in the wordpress database using the following command:
Below, we can see the results of the WordPress database’s table enumeration. ![]() WordPress Database Table Enumeration The most interesting table appears to be the wp_users table. We will ask sqlmap to dump the contents of the table with the following command:
![]() sqlmap Dumps the wp_user Table sqlmap runs, and as a bonus, it asks us if we want to save credentials that we have found, and if we would like to attempt to crack any password hashes with a dictionary attack. Why YES, please DO! :D ![]() sqlmap Asks if We’d Like to Crack Passwords When we take the defaults, sqlmap runs a dictionary attack with its default dictionary of about 1.4 million passwords. We could also have chosen our own dictionary. In short order, sqlmap recovers passwords for two WordPress users: admin (daniel1984) and user (zealot777). ![]() sqlmap Cracks the WordPress Passwords Once we have the admin password, we login to the WordPress admin page using the credentials admin / daniel1984. ![]() Logging in to the WordPress Admin Page ![]() Logged in to the WordPress Admin Page Once logged in as admin, we can modify the searchform.php page for the default theme, as shown in the screenshots below. ![]() Editing the searchform.php File in the WordPress Default Theme We replace the searchform.php code with that of the excellent b374k Web Shell. ![]() searchform.php Page Code Replaced by Malicious b374k Web Shell Code Once we have replaced the searchform.php code with the web shell code, we can simply browse to the searchform.php file directly with the following URL: http://192.168.115.128/wordpress/wp-content/themes/default/searchform.php The b374k web shell page is displayed, and we login with the password provided when we created the b374k PHP file. ![]() Logging in to the b374k Web Shell Once logged in, we are presented with the File Explorer page. We can browse to any page that the web server has permissions to read, and we can inspect its contents. ![]() b374K Web Shell File Explorer Here, we view the /etc/passwd file. ![]() Using B374k to View the /etc/passwd File We can do many other things with b374k, such as create a remote shell from the victim web server back to our attacking computer, as shown in the following screenshot: ![]() Using b374k to Create a Remote Shell As you can see, sqlmap is an incredibly useful tool to demonstrate to web developers and project managers alike that SQL Injection is indeed a serious vulnerability, one that deserves their full attention. SQL Injection can lead to complete system compromise. I am often told after a demo of sqlmap that it is “the scariest thing you have shown us yet”. Learn more about sqlmap and other hacking tools in one of our Penetration Testing Courses. ![]() Doc Sewell in Dandong, China, across the Yalu River from Shinuiju, North Korea Author BioDaniel “Doc” Sewell is CTO and Trainer for Alpine Security. He currently holds many security-related certifications, including EC-Council Certified Security Analyst (ECSA), Licensed Penetration Tester (Master), Offensive Security Certified Professional (OSCP), Certified Information Systems Security Professional (CISSP) and Certified Secure Software Lifecycle Professional (CSSLP). Doc has many years of experience in software development, working on web interfaces, database applications, thick-client GUIs, battlefield simulation software, automated aircraft scheduling systems, embedded systems, and multi-threaded CPU and GPU applications. Doc’s cybersecurity experience includes penetration testing a fighter jet embedded system, penetration testing medical lab devices, creating phishing emails and fake web sites for social engineering engagements, and teaching security courses to world-renowned organizations such as Lockheed Martin and the Hong Kong Police Department. Doc’s hobbies and interests include home networking, operating systems, computer gaming, reading, movie watching, and traveling. via Tumblr sqlmap: Sucking Your Whole Database Through a Tiny Little Straw Before getting into cybersecurity, I was a software developer for many years. Although I had heard about security vulnerabilities introduced to software via poor coding practices, I, like many of my colleagues, did not take security all that seriously. Hacking seemed like an arcane art, only mastered by those willing to spend years pouring over dusty tomes of x86 assembly language manuals and protocol RFCs. It did not occur to us that many of the vulnerabilities could be exploited by anyone with basic web development coding skills and the willingness to spend a few hours on research. One of these mysterious incantations was the dreaded “SQL Injection” attack. What exactly could one do with a SQL Injection attack, anyway? No one was quite sure, but since our software was going into a secure military installation, we were pretty sure that the perimeter defenses would prevent anyone from harming it. SQL Injection is a vulnerability that is introduced when software developers do not check data entered by users for validity and suitability to purpose. A malicious user can enter unexpected special characters to modify the structure of a SQL query. This can happen when the developer pastes together pieces of a query with “unsanitized” user input. The unsanitized input contains special characters that modify the structure of the query before it is passed to the query parser. For example, consider a query in a PHP snippet that tests whether a user entering credentials at a login page is a valid user in the database:
In this example, the variables username and password are retrieved from the HTTP POST that was submitted by the user. The strings are taken as-is and inserted, via string interpolation, into the query string. Since no validation is done on the input, the user can enter characters that will modify the structure of the query. For example, if the user enters ‘ or 1=1; # for the username, and nothing for the password, the variable sql will now equal:
In the MySQL database engine, the “#” sign is a comment, so everything that comes after it is ignored in the query. There are no users with a blank username, but the condition “1=1” is always true, so the query will always succeed, returning all user IDs in the database. The subsequent code will likely only check that at least one record was returned, and it will likely grab just the first ID, which in most cases, will be that of the administrative user. Doing SQL injection manually requires a fair bit of knowledge of how SQL works. On top of that, there are many different SQL engines, each with slight variations in syntax, such as PostgreSQL, MySQL, Microsoft SQL Server, Oracle, IBM DB2, and others. SQL Injection “cheat sheets” can help pentesters figure out the required syntax for testing a web application, but SQL Injection is still a very time-consuming attack to carry out. Enter sqlmap. sqlmap is a program that automates tests for SQL Injection. Not only does it work with many different SQL engines, when used against vulnerable applications, it can:
Let’s perform a demo attack against the Mutillidaeintentionally-vulnerable web application as it is hosted on the OWASP Broken Web Applicationvirtual machine. We will launch an attack against Mutillidae’s login page. ![]() Multillidae Login Page sqlmap has many command line parameters, but we are going to set up the attack the easy way. The first thing we must do is to set FireFox’s proxy to run through Burp Community Edition running on localhost on port 8080. Then, we are going to enter a bogus login and password, such as admin / canary. We capture the request in Burp before it goes to the server, as shown below. ![]() Capturing the HTTP POST Request for the Mutillidae Login (Bottom Pane) Copying the POST request from the bottom pane, we save the request to a text file. In this case, the file is called mutillidae-req.txt, as shown below. ![]() Saving the POST request We can then run sqlmap using the text file by passing it with the “-r” command line parameter. We also pass “-p username” to give it the name of the parameter we would like to attack.
The first command will do some enumeration of the database to tell us that the database engine is MySQL 5.0 or above. ![]() sqlmap Running ![]() Database Identified as MySQL Once we have the database engine, we can run sqlmap again, telling it what the engine is, so it does not have to guess again. Also, we will ask sqlmap to get a list of databases on the server by using the following command:
![]() Enumerating the Databases on the Database Server Looking at the results, we notice that there is a database called wordpress that we would like to attack. The WordPress blogging platform can be abused to allow an attacker to install malicious PHP code, as long as the attacker has the administrative credentials. Running sqlmap again, we ask it to enumerate the tables in the wordpress database using the following command:
Below, we can see the results of the WordPress database’s table enumeration. ![]() WordPress Database Table Enumeration The most interesting table appears to be the wp_users table. We will ask sqlmap to dump the contents of the table with the following command:
![]() sqlmap Dumps the wp_user Table sqlmap runs, and as a bonus, it asks us if we want to save credentials that we have found, and if we would like to attempt to crack any password hashes with a dictionary attack. Why YES, please DO! :D ![]() sqlmap Asks if We’d Like to Crack Passwords When we take the defaults, sqlmap runs a dictionary attack with its default dictionary of about 1.4 million passwords. We could also have chosen our own dictionary. In short order, sqlmap recovers passwords for two WordPress users: admin (daniel1984) and user (zealot777). ![]() sqlmap Cracks the WordPress Passwords Once we have the admin password, we login to the WordPress admin page using the credentials admin / daniel1984. ![]() Logging in to the WordPress Admin Page ![]() Logged in to the WordPress Admin Page Once logged in as admin, we can modify the searchform.php page for the default theme, as shown in the screenshots below. ![]() Editing the searchform.php File in the WordPress Default Theme We replace the searchform.php code with that of the excellent b374k Web Shell. ![]() searchform.php Page Code Replaced by Malicious b374k Web Shell Code Once we have replaced the searchform.php code with the web shell code, we can simply browse to the searchform.php file directly with the following URL: http://192.168.115.128/wordpress/wp-content/themes/default/searchform.php The b374k web shell page is displayed, and we login with the password provided when we created the b374k PHP file. ![]() Logging in to the b374k Web Shell Once logged in, we are presented with the File Explorer page. We can browse to any page that the web server has permissions to read, and we can inspect its contents. ![]() b374K Web Shell File Explorer Here, we view the /etc/passwd file. ![]() Using B374k to View the /etc/passwd File We can do many other things with b374k, such as create a remote shell from the victim web server back to our attacking computer, as shown in the following screenshot: ![]() Using b374k to Create a Remote Shell As you can see, sqlmap is an incredibly useful tool to demonstrate to web developers and project managers alike that SQL Injection is indeed a serious vulnerability, one that deserves their full attention. SQL Injection can lead to complete system compromise. I am often told after a demo of sqlmap that it is “the scariest thing you have shown us yet”. Learn more about sqlmap and other hacking tools in one of our Penetration Testing Courses. ![]() Doc Sewell in Dandong, China, across the Yalu River from Shinuiju, North Korea Author BioDaniel “Doc” Sewell is CTO and Trainer for Alpine Security. He currently holds many security-related certifications, including EC-Council Certified Security Analyst (ECSA), Licensed Penetration Tester (Master), Offensive Security Certified Professional (OSCP), Certified Information Systems Security Professional (CISSP) and Certified Secure Software Lifecycle Professional (CSSLP). Doc has many years of experience in software development, working on web interfaces, database applications, thick-client GUIs, battlefield simulation software, automated aircraft scheduling systems, embedded systems, and multi-threaded CPU and GPU applications. Doc’s cybersecurity experience includes penetration testing a fighter jet embedded system, penetration testing medical lab devices, creating phishing emails and fake web sites for social engineering engagements, and teaching security courses to world-renowned organizations such as Lockheed Martin and the Hong Kong Police Department. Doc’s hobbies and interests include home networking, operating systems, computer gaming, reading, movie watching, and traveling. via Tumblr sqlmap: Sucking Your Whole Database Through a Tiny Little Straw The CIS Critical Controls were developed as a framework to not only ensure the successful realization of basic cybersecurity hygiene, but to lead to the planning and implementation of a robust security protocol. To build any cybersecurity protection schemata, it is necessary to know the extent of what it is you are protecting. This is the stated purpose of Control 1. CIS Control 1 Overview: Inventory of Authorized and Unauthorized DevicesCritical Control 1states: “Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access” (CISv.7). This control is not so much intended to prevent unauthorized access, although a complete inventory with attendant policy enforcement will do just that. Instead, it is devised so an organization may be certain of what devices are on the network, so they may be effectively defended. Then these devices will not be the unknown gap in the defensive perimeter that allows a devastating attack to execute on an unsuspecting network. Compiling a detailed asset inventory may seem like an intimidating task for an organization of any size, especially if this is a first-time endeavor. However, Control 1 is segmented into eight subcontrols designed to give form to the mission at hand. CIS Control 1 Subcontrols 1.1 - 1.5 (Click to Enlarge) CIS Control 1 SubcontrolsSubcontrols 1.1 and 1.2 recommend the use of both active and passive automated tools to identify device assets so they may be updated as needed and added to the hardware asset inventory. Anything with an IP address must be counted. This includes printers, copy machines, and even automated vending machines if they connect to the network. This asset inventory is also not limited to what is always attached to the network. Virtual Private Networks (VPNs) and mobile devices must also be inventoried, and these types of connections typically come and go on a network. Whether physical or virtual, if it has an IP address and ever connects to the network, it should be included as an asset. There are many such tools at varying price points, so that an organization will typically be able to devise a method that both works within their current framework and is financially feasible as well. Subcontrol 1.3 advises Dynamic Host Configuration Protocol (DHCP) to be used to assign IP addresses. This automates IP allocation and is no small part of an IP address management system that aids in updating the hardware asset inventory and helps keep it updated. Subcontrols 1.4 and 1.5 focus on the maintenance of a detailed hardware asset inventory, whether or not the device is connected and whether or not the device is authorized to be connected. An inventory should at least indicate if an asset is portable, the name of the device, and the IP number. Including MAC addresses and serial numbers is a good practice to start with and maintain and can also be used to prove ownership for insurance purposes. Whatever information an organization deems necessary to keep in the asset inventory, it must be noted that this procedure is dynamic and ongoing for the lifecycle of any device. Records must also be kept of devices as they are deprecated and removed from the network or recommissioned and returned to the network. This is a priority on par with keeping updated blueprints and maintenance information for an organization’s physical and logical topology. CIS Control 1 Subcontrols 1.6 - 1.8 (Click to Enlarge) Subcontrol 1.6 suggests steps to take in dealing with unauthorized devices. When an organization obtains the actual number of unauthorized devices currently connected to their network, they may also discover the need to update current policies and procedures for IoT (Internet of Things) devices. Such policies and procedures may take the form of employee education of various types, as well as clearly delineated employee agreements as to what is, and is not allowed on the network. ATP (Advanced Persistent Threats) and other hackers wait on the internet for such unauthorized devices to gain an entry point into a network, or to use as a pivot point if the network is already compromised. It is unfortunate but true that attack avenues are always evolving, and one of the most commonly used avenues of malware delivery is via email spear-phishing campaigns aimed at the unwary employee, or through the connection of an unauthorized and unprotected device such as a smart phone or laptop. Once this inventory is complete, subcontrols 1.7 and 1.8 mention steps to take towards ensuring company control of which devices are authorized to connect to the network. Port-level controls are a necessity, along with proper switch configurations, and both should be tied to the device asset inventory. This should help ensure only authorized devices may connect to the network. Certainly this is a task that requires time, attention to detail, and commitment. It is not as exciting as other defensive processes, but proper implementation will lead to the best execution of the other 19 Controls, as well as add to the overall improvement of an organization’s defense posture by increasing efficiency and response time and reducing the network attack surface. Conclusion and Next StepsThe CIS Critical Controls are not rigid, but may be implemented in the ways that best suit an organization’s needs and acceptable risk. Neither are the CIS Critical Controls weighted equally. Critical Control 1 is as important and essential to the support of any cybersecurity posture as a foundation is to the support of a house. A variety of studies show that CIS Control implementation is proven to prevent around 90% of network attacks. That renders the return on investment undeniable, and the importance cannot be overstated to management and board members. Alpine Security remains committed to fostering cybersecurity awareness globally and locally while providing our specialized services to organizations and individuals alike. Pursuant to that commitment, Alpine Security offers a free consultation on our Enterprise Security Audit (ESA) Service. The ESA is based on the Top 20 Critical Controls published by the Center for Internet Security. The ESA is intended to provide a comprehensive picture of where an organization currently falls in Critical Control Implementation, while also delineating a roadmap for full implementation. With the increase in variety and methods of attack on organizations of all sizes and types, defensive uncertainty is a luxury no security-conscious entity can afford. via Tumblr CIS Control 1: The Beginning of Basic Cybersecurity |