Tuesday, September 5, 2017

Malicious Authorized User

An interesting article I have just read talks about vulnerabilities in MongoDB. I'm not that savvy in the DB arena, but I know a thing or two about patching systems. The bottom line of that article is that "Organizations should have a documented patch management process, should scan for vulnerabilities and configuration mishaps, and discover and classify sensitive data and systems so they can properly lock them down."

I agree with that statement. I have just learned that companies put great effort into keeping the production segments of their network well protected, hardened and patched to the latest revision (once Microsoft provides a security patch for XP, they are all safe), but within the enterprise network it is a different story. IT pays attention to the servers but ignores the workstations. A few days back, a SOC I work with found that some 30% of an organization's workstations were running outdated software whose vulnerabilities had been documented in CVEs two to three years earlier. Did this report mean anything to IT? Not a bit, as they rely on their perimeter cyber barriers to protect them.

They have probably never heard of the "malicious authorized user", the insider threat that can cause much more damage by letting a payload find the right exploit and spread itself to the entire network.

Credits:
Image source ipa.go.jp (here)
The article that triggered this post (here)

Sunday, May 14, 2017

Hackers don't make mistakes. It is all part of the plan!

Hackers that use tools allegedly stolen from the NSA, and use them to set up ransomware, do not make mistakes.
The fact that someone noticed that the WannaCry ransomware had a kill switch, I assume, was deliberately planned that way, waiting to see if and when someone would reverse engineer the code to find it. Why? I can only guess that they wanted to see how fast someone would "catch" them, or better, to understand how they need to react to make it more sophisticated.
So they did. I have learned today that WannaCry 2.0 is out there without the kill switch, so it is on the loose again.
According to officials, the ransomware has affected some 75,000 PCs in just 24 hours; that is $22,500,000 worth of reasons to try and improve it. You got it right: the profit potential after 24 hours was twenty-two million US dollars (paid in untraceable Bitcoin). How many paid? No one knows...
When will it end? For sure the epidemic infection will be reduced once IT organizations patch and block the SMB protocol in their networks, as it carried this virus.
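
An added example, not code from the post: two detection checks in Python, run over constructed flow-log lines, for the two things the SMB mitigation above implies should not be happening on a patched, blocked network. The first flags a host that fans out SMB connections to many peers (the one-to-many shape of worm propagation, unlike the normal many-clients-to-one-file-server shape); the second lists SMB flows leaving the internal address ranges, which a perimeter block on TCP/445 and 139 should already drop. The log format and the internal ranges are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of firewall flow-log lines (not real data):
# timestamp  src_ip  dst_ip  dst_port  proto
SAMPLE_FLOWS = """\
2017-05-12T10:01:02 10.0.1.15 10.0.1.20 445 tcp
2017-05-12T10:01:02 10.0.1.15 10.0.1.21 445 tcp
2017-05-12T10:01:03 10.0.1.15 10.0.1.22 445 tcp
2017-05-12T10:01:03 10.0.1.15 10.0.1.23 445 tcp
2017-05-12T10:01:04 10.0.1.15 10.0.2.7 445 tcp
2017-05-12T10:01:04 10.0.1.15 203.0.113.9 445 tcp
2017-05-12T10:01:05 10.0.1.40 10.0.1.5 445 tcp
2017-05-12T10:01:06 10.0.1.41 10.0.1.5 445 tcp
2017-05-12T10:01:06 10.0.1.42 10.0.1.5 443 tcp
"""

SMB_PORTS = {"445", "139"}
# Address space assumed to belong to the organisation (an assumption for the sample).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_flows(text):
    """Yield (src, dst, port) for each TCP line of the constructed format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[4] == "tcp":
            yield parts[1], parts[2], parts[3]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_smb_spreaders(text, fanout_threshold=5):
    """Hosts that opened SMB to at least fanout_threshold distinct destinations.
    Clients of a file server give many sources -> one destination; a worm gives
    one source -> many destinations, which is the pattern flagged here."""
    targets = defaultdict(set)
    for src, dst, port in parse_flows(text):
        if port in SMB_PORTS:
            targets[src].add(dst)
    return {s: sorted(d) for s, d in targets.items() if len(d) >= fanout_threshold}

def find_smb_leaving_network(text):
    """SMB flows whose destination lies outside the internal ranges."""
    return [(src, dst) for src, dst, port in parse_flows(text)
            if port in SMB_PORTS and not is_internal(dst)]
```

The threshold is a tuning knob: start high, then lower it once you know how many distinct SMB peers a normal workstation talks to in your environment.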

Friday, April 21, 2017

Corporate Cyber Protection Methodology

Earlier this week the Israeli CERT (CERT-IL) issued a final draft of a "Civilian Corporate Cyber Protection Methodology". In this publication they ask for comments before making the paper official and releasing it. This 160-page paper was written to provide a professional solution for the entire marketplace. The organization's protection plan derived from this document is adapted to the extent of the body's dependence on cyber.

The central principle on which this defense doctrine was written is that the organization as a whole recognizes that it is necessary to protect the continuity of the organization's functioning and to support its business objectives.
This concept is expressed in the document as follows:

A. Management Responsibility - The responsibility for protecting the information lies first and foremost with the management of the organization.

B. Protection depending on the potential damage - the investment in protecting each asset will be in proportion to how critical it is to the functioning of the organization.

C. Defense based on Israeli knowledge and experience - the defense theory enables focusing on the risks relevant to each and every organization. As part of the activities of the National Authority for Cyber Defense, periodic intelligence audits and assessments are conducted for the economy. These enable organizations to target specific areas of the various defense circles.

D. Proactive protection - The security controls were defined with the understanding that the organization must invest additional effort beyond passive defense. This is expressed through the definition of protective controls for the stages of prevention, identification, reaction and return to routine.

E. Multilayered protection - Protection is a process that combines three main components: people, technology and processes (the 3 P's: People, Products and Processes). The defense theory defines a defensive response that is required at all of these levels.

The original published document can work for any organization. Regardless of the locale of your office, I think that the third concept above (translated from the original paper) should read "Defense based on LOCAL knowledge and experience." The intel and assessments applicable to Israel might not be right for India, Mozambique or Brazil. In a multinational organization whose CSO has to handle the cyber aspects of each country, it is important to pay attention to the local recommendations for each branch as if it were the only location in the network.

There is nothing new in this document that we don't know by now, as it is based on the NIST CSF (Cyber Security Framework). The ingenuity here is that this paper adjusts the standard and makes it accessible to the Israeli market.

Recently I looked for web hosting services for one of my customers, who needed some dedicated servers somewhere on the WWW cloud. I found the site HostMonk VERY useful for comparing (and easily reaching) many new vendors and plans that I did not find on regular search engines. Try it; it might save you some money.

http://www.hostmonk.com

Monday, March 13, 2017

My web site is on AWS

My web site is a static one, meaning I built each page separately and can therefore change a specific section. Once I had selected the theme and pattern I liked, the next difficult task was to put content into the various pages. I'm not a copywriter nor an advertiser...

The next task was to look for an appropriate platform that is affordable. I found that the AWS service might be useful for this task. Their "quickstart-website" function allows one to publish the content in no time, hassle free. Just zip the content, upload it and that's it. The pages are uploaded onto an "S3 bucket", a partition that you are now the proud owner of. Once the files are in S3, you get a URL pointing at your content. Mine is http://aws-website-comitnet-1oby0.s3-website-us-east-1.amazonaws.com. The content is now safe on one of AWS's servers in the US (us-east-1, somewhere in North Virginia).

To have this website respond fast enough to whoever asks to browse it, worldwide, regardless of their location, I decided to create a CDN (content delivery network); for that there is the CloudFront service. It synchronizes the data across AWS's servers and creates a new worldwide URL for the content. Mine is https://dq2b1rahx4koh.cloudfront.net . Route 53 is AWS's DNS service, which translates and points each of the URLs mentioned above to the right server to show the content.

Note that some configuration is required with your DNS vendor to point your domain name to the one provided by the CloudFront service.
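
An added example, not the author's configuration: a public S3 website bucket like the one above only needs anonymous s3:GetObject on its objects, never listing or writing of the bucket itself. This small Python check reads a bucket policy document and reports any statement that gives an anonymous principal more than that. The two policies are constructed samples and the bucket name is a placeholder, not the bucket from the post.

```python
import json

# Constructed sample: least-privilege policy for a static website bucket.
# Anonymous users may only fetch objects; the bucket ARN itself is not granted.
SAFE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadForWebsite",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-website-bucket/*"   # placeholder bucket
    }]
})

# Constructed sample of a policy that over-shares: listing and writes, on the
# bucket ARN as well as on its objects.
RISKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "TooOpen",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
        "Resource": ["arn:aws:s3:::example-website-bucket",
                     "arn:aws:s3:::example-website-bucket/*"]
    }]
})

READ_ONLY_ACTIONS = {"s3:getobject"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # "*" and {"AWS": "*"} are the two spellings of "everyone".
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")

def audit_website_bucket_policy(policy_json):
    """Return findings for Allow statements that let anonymous principals do
    anything beyond reading objects (a wildcard such as s3:* is also flagged)."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() not in READ_ONLY_ACTIONS:
                findings.append(f"{sid}: anonymous '{action}' is not needed for a website")
        for resource in _as_list(stmt.get("Resource", [])):
            if not resource.endswith("/*"):
                findings.append(f"{sid}: bucket-level grant on {resource} allows listing")
    return findings
```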

AWS TAM Assignment

For an interview, I was asked to build a server on the AWS platform. I used t2.small as the designated HW profile for this one. My flavor of OS was Ubuntu 14, and as the web server I installed Apache 7.
I saved an image of the server in N. California (us-west-1); the image is known as ami-95134af5 (RoeeBesser_AWS_TAM_Assignment). I also saved a copy in London (eu-west-2); that image is known as ami-ac8d98c8.
Have fun with it.

Monday, February 27, 2017

The Web site is up

Even if it is temporary until I create the right website for me, for now it is up. Visit www.comit-net.com. It was built on the WIX platform, which I found very intuitive to build with. It wasn't my original plan; never mind, it will serve its purpose as well.

Thursday, February 16, 2017

Advanced networking introduction lessons

Not long ago I was asked to build a short training to be delivered as part of a longer training program for "Cyber specialists", a program conducted by the "Technion", the Israeli technological institute. In the program, all students are programmers who are being taught with cyber issues in mind, mainly how to avoid leaving exploitable vulnerabilities in their future code. Of course, they are also taught how to "attack" and "protect". I decided to split the training into two sessions.
The first session is named "50 shades of Cyber in 7 layers of networking". It is a recap of the OSI model, mapping the tools the students have created onto the network at the relevant layer (e.g. an ARP poisoning script).

The second session is named "Cybersecurity vs. Cyber Security: Exploiting that gap". In this lesson we examined existing and legitimate tunnels and encapsulations that, in the wrong context, will be at the service of an attacker.