Infosec Consulting
  • Home
  • Blog
  • Services and Products
    • Top 10 Assessment
    • Cyber Risk Assessment
  • Book an Appointment

As featured on the RocketMSP Podcast

5/29/2020

Comments

 
I am honored to have been featured on the RocketMSP Podcast.
Here's my favorite clip, dealing with fake math (risk matrices) vs realistic estimations of risk when it comes to making very expensive decisions... RocketMSP #22 (26:15)
Comments

Making Security Make Sense

2/12/2020

Comments

 
If you're having trouble conveying the significance of appropriate cybersecurity investment, maybe our Making Security Make Sense presentation will help.
This presentation is most powerful if YOU can give it to your own clients, and especially if you can do it live, on a whiteboard, rather than with a slide deck and speaker notes!

If you'd like to learn HOW to give this presentation, watch this training video.
If you want a copy of the slide deck, please request it from [email protected]
Comments

It's OK for Some Things to be Hard

8/12/2019

Comments

 
Watch for bold keywords which make excellent talking points with technical advisers.
When I speak about using secure passwords, it’s often met with eye rolling, sighing, or recounting of frustrations with remembering passwords. I get it, but I can’t really change my message. It’s a core tenet of basic security practice. But people are dismissive of more than just long passwords; it’s security-related inconvenience in general, especially when related to computers and accounts.
I’d like to highlight the value of difficulty and hopefully alter your paradigm.
Let’s start with a story
It’s raining and you arrive home with a double armload of groceries to carry into the house. Approaching the door, you realize you’ve forgotten to get your house key out, so you dig for it. Struggling and juggling, a glass jar and several other items crash to the ground. Soaked, you finally find the key. Once you get the door unlocked, you slosh inside, frustrated with the whole process.


An alternate story
It’s raining and you arrive home with the same armload of groceries. Getting inside quickly is no sweat, since you left the front door wide open to make it easy to get in and out. You hurry inside, barely wet, and put away your groceries, patting yourself on the back for how convenient you’ve made your life.


I'm sure you see where I’m going. Essentially, it’s OK for some things to be hard. If you came home to see your front door open, what would you feel in the pit of your stomach? Would you call the police? We keep our homes and cars locked, even though it might leave us stuck in the rain, or we might lose our keys and be locked out. We do this because it is an acceptable inconvenience. We see the value of locks despite the extra effort required. Security is all about making something difficult for others to access. So if a slight inconvenience to you adds significant difficulty for an attacker, there's really no more evaluation needed.
Why don’t we feel the same about securing our computers as we do about securing our homes?
How sensitive or critical is the information accessible from your computer, your phone, and your online accounts? Isn’t that worth some effort protecting? If an attacker can get into your email, he can use it to reset all your online account passwords while you sleep. How much of your life could be controlled from just your email account?
Here’s an oversimplified security value formula: The difference between an attacker’s work effort and your work effort to access the same thing is the benefit of a particular security measure. Security measures range from physical access restrictions to long passwords and more.
Of course, there is deeper value for you and your business. Following security best practices may yield lower cyber insurance premiums and protect against actual and reputational damage or fines. Demonstrable competence in security can also boost client or employee confidence (tip: avoid security theater, which leads to a false sense of security). The benefits of security are myriad, though they are often difficult to quantify, especially for your IT guy; for an insightful read, look up “Security’s Value Proposition” from CSO Online.

So, what to do now? To begin with, if you can be considered important in any way, you should be using 2-factor authentication on every account you can. Do this today. As for your business, request a discussion with your IT department or service provider about the CIS Top 20 Controls, which lists the most effective controls to reduce security risk. Agree on one at a time and pursue each as a little project. Quarter-by-quarter, this will drastically reduce your business' risk.

A last thought: 
insurance is not a substitute for security. Insurance cannot bring back your data or reputation, so it’s important to protect and maintain it properly.

Comments

Weighted Decision Matrix

8/4/2019

Comments

 
When it's time to make an important decision, you should lean on proven methods. This is one of those methods.
View our actual SOCaaS Weighted Decision Matrix here. Feel free to make a copy and use it for yourself.
The winner of our SOCaaS WDM process was Perch Security. The next-closest was only 80% of Perch's score.
Watch the video here. (If you end up pursuing a relationship with them, please mention us as your referral source!)
If you need to evaluate SOCaaS providers, have a look at the actual weighted decision matrix we used to make our decision. Since even a 19% difference between your requirements/scoring and ours still leaves Perch in the lead, if your evaluation criteria are anything close to ours, we've probably saved you a lot of work. Just go with Perch.
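The matrix linked above is a spreadsheet; the same arithmetic, plus the "how far can the weights move before the winner changes" question raised by the margin claim, is easy to script. The following is an added example written for this page, not the page's own spreadsheet or scoring: every criterion, weight, vendor name and score in it is a constructed placeholder and says nothing about any real SOCaaS provider.

```python
"""Weighted decision matrix: added example, not the page's own spreadsheet.

Every weight and score below is a constructed placeholder, not the page's
actual SOCaaS matrix or any real vendor's evaluation.  Scores are 1..5 with
5 best (cost is scored so that 5 = cheapest); weights are 0..5.
"""

WEIGHTS = {
    "detection coverage": 5,
    "time to alert": 4,
    "log retention": 3,
    "annual cost": 4,
    "reporting": 2,
}

CANDIDATES = {
    "Vendor A": {"detection coverage": 5, "time to alert": 5, "log retention": 4,
                 "annual cost": 3, "reporting": 4},
    "Vendor B": {"detection coverage": 3, "time to alert": 4, "log retention": 4,
                 "annual cost": 4, "reporting": 3},
    "Vendor C": {"detection coverage": 2, "time to alert": 3, "log retention": 5,
                 "annual cost": 5, "reporting": 2},
}


def weighted_total(weights, scores):
    """Sum of weight x score over every criterion; refuse partially scored rows."""
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"unscored criteria: {sorted(missing)}")
    return sum(weights[c] * scores[c] for c in weights)


def rank(weights, candidates):
    """[(name, total), ...] best first."""
    totals = {name: weighted_total(weights, s) for name, s in candidates.items()}
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def leader_margin(weights, candidates):
    """Fraction of its score the leader could lose before tying the runner-up
    (0.2 means the runner-up sits at 80% of the leader)."""
    (_, top), (_, second) = rank(weights, candidates)[:2]
    return (top - second) / top


def leader_is_robust(weights, candidates, shift):
    """True if moving any single weight by +/-shift never changes the winner,
    i.e. the choice survives reasonable disagreement about priorities."""
    leader = rank(weights, candidates)[0][0]
    for criterion in weights:
        for delta in (-shift, shift):
            trial = dict(weights)
            trial[criterion] = max(0, weights[criterion] + delta)
            if rank(trial, candidates)[0][0] != leader:
                return False
    return True


if __name__ == "__main__":
    for name, total in rank(WEIGHTS, CANDIDATES):
        print(f"{name}: {total}")
    print(f"leader margin {leader_margin(WEIGHTS, CANDIDATES):.0%}")
    print("robust to +/-2 on any weight:", leader_is_robust(WEIGHTS, CANDIDATES, 2))
```

The robustness check is the useful part: a winner that flips when one weight moves by a point or two is a coin toss dressed up as analysis, while one that survives a large shift (as the post claims for its own matrix) is a decision you can defend to a board.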
What's for dessert?
Here's a simpler version of a weighted decision matrix for you to copy and play around with: Choosing Dessert for a Date
Comments

DMARC Records for Email Authentication

8/4/2019

Comments

 
(This article is a part of a series on email and domain protection)
DMARC's role is twofold: 1) It is used to specify what to do with incoming messages, based on whether they align with SPF and DKIM records of a given domain; and 2) It generates reports back to a domain owner regarding email volume, sources, and what policies were applied to those messages.
While there are plenty of how-to guides out there, the purpose of this article is to give a helpful overview of exactly what DMARC is and why it's important for everyone to implement on every domain.  
Without SPF and/or DKIM records in place, DMARC still has some value (reporting), but no way to tell your legitimate mail from spoofed mail.  At a minimum, one of the two (SPF or DKIM, with its identifier aligned to the From domain) is required alongside DMARC for a legitimate message to pass; without either, a "quarantine" or "reject" policy would be applied to your own mail as well.
DMARC Message delivery workflow

  1. A message claiming to be from me.com is received by you.com's mail server
  2. You.com's server checks me.com's public DNS for whichever records exist: SPF (checked against the envelope sender and the connecting IP), DKIM (the signature's d= domain) and DMARC (looked up for the header From domain)
    • If SPF or DKIM passes and the passing identifier aligns with the From domain, DMARC passes and no policy is applied
    • If neither produces an aligned pass, the specified DMARC policy of "none/quarantine/reject" is applied to the message
  3. The message is delivered to the user's inbox, spam folder, or not delivered at all (also subject to the spam policies of the recipient server)
  4. The recipient server generates and sends back an aggregate report (typically XML, to the rua= address) covering all messages received from me.com for the day

For domains that send mail, DMARC is a huge step in protecting not only IP-based reputation, but also domain-based reputation.  The domain administrator publishes an SPF or DKIM record (preferably both), then a DMARC record.  The DMARC record specifies what to do with messages that don't align with SPF or DKIM, as well as where to send reports on the quantity and sources of email received on behalf of the administrator's domain.
For any domain that sends mail, it is recommended to start with a DMARC policy of "none," which does nothing to break any mailflow, but allows for reporting.  The often-underrated significance of this reporting is that the administrator gets to see how many messages are coming from his domain as a whole, including servers not under his control.  Anyone can read the logs of their own equipment, but when, for example, a Russian spam server is sending mail from that same domain without permission, there is no other way to get reporting on that than DMARC.  DMARC allows receiving servers to report back to domain owners exactly what is being sent on their behalf.
These reports help domain owners to understand what email is being sent in their name, both legitimate and illegitimate.  These reports can be used to ensure all legitimate sources of mail have been accounted for before tightening down the SPF policy from ~all to -all.  The reports continue to be useful in fine-tuning DMARC policy when switching from "none" to "quarantine" and again from "quarantine" to "reject."
After accurately accounting for all legitimate sources of mail and accommodating them in SPF/DKIM records, the DMARC record can be changed from "none" to "quarantine."  Note, as in the illustrated example above, the policy is only applied to messages that fail both SPF and DKIM.  If both exist and the message aligns with either of them, the DMARC policy is not applied.
Quarantining a message generally means shoving it into a SPAM folder.  For the smoothest application of a policy of "quarantine" or "reject," DMARC's pct= tag allows the policy to be applied to a percentage of failing messages rather than all of them (messages outside the sampled percentage get the next-weaker action: quarantine instead of reject, none instead of quarantine).  For example: when quarantining messages, it's prudent to start with pct=1 and wait for reporting to come in, then use the failure (forensic, ruf=) reports, where receivers send them, to inspect the headers and any included body of the affected messages.  Be aware that many large receivers do not send failure reports at all, so the aggregate reports are often the only view you get.  Once comfortable that all the quarantined messages are illegitimate, the percentage can be increased so more and more messages are delivered to the spam folder instead of the inbox.  Gradually, this percentage is increased until all messages not aligning with SPF/DKIM are quarantined, then the process is restarted with a policy of "reject."

Domains that send no mail should have both a "null" SPF policy (v=spf1 -all) and a DMARC policy of "reject."
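To make the pass/fail and alignment rules in the workflow above concrete (the same rules are summarized in the "Discovering and Defeating Email Fraud with DMARC" post further down), here is a small evaluator of the kind a receiving server runs. It is an added example, not code from this post or from any mail server. It assumes the receiver has already produced SPF and DKIM results; the me.com/you.com names are the post's, the DMARC records are constructed, the pct= sampling takes a fixed bucket number instead of a random draw so results are repeatable, and the organizational-domain check is a stated simplification of what RFC 7489 requires.

```python
"""DMARC evaluation as a receiver performs it: added example, not the post's code.

Given the SPF and DKIM results a receiver has already computed, decide whether
the message passes DMARC (one aligned pass is enough) and, if not, which
disposition the sender's policy requests.  The me.com names are the post's;
the records and every other value are constructed.
"""

DISPOSITIONS = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=...; ...' into a tag dict with the RFC 7489 defaults filled in."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in DISPOSITIONS:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("sp", tags["p"])      # subdomain policy defaults to p=
    tags.setdefault("adkim", "r")         # relaxed alignment unless adkim=s
    tags.setdefault("aspf", "r")          # relaxed alignment unless aspf=s
    tags.setdefault("pct", "100")         # apply policy to all failing messages
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.
    A real receiver consults the Public Suffix List; this shortcut would
    wrongly collapse example.co.uk to co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only the same organizational domain."""
    if mode == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(from_domain, record_domain, record, spf=None, dkim=None, sample=1):
    """Return (dmarc_result, disposition) for one message.

    from_domain   domain in the RFC5322.From header (what the user sees)
    record_domain domain whose DMARC record was found (the From domain or its org domain)
    spf           (result, MAIL FROM domain) from the receiver's SPF check, or None
    dkim          (result, d= domain) from the receiver's DKIM verification, or None
    sample        1..100 bucket standing in for the receiver's random draw against
                  pct= (constructed here so results are deterministic)
    """
    spf_ok = spf is not None and spf[0] == "pass" and aligned(from_domain, spf[1], record["aspf"])
    dkim_ok = dkim is not None and dkim[0] == "pass" and aligned(from_domain, dkim[1], record["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"             # one aligned pass suffices; policy is not applied
    # Subdomains of the record's domain get sp=, the domain itself gets p=
    policy = record["p"] if from_domain.lower() == record_domain.lower() else record["sp"]
    if sample > int(record["pct"]):
        # Outside the sampled percentage: RFC 7489 steps down to the next-weaker action
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return "fail", policy


if __name__ == "__main__":
    rec = parse_dmarc("v=DMARC1; p=reject; sp=quarantine; pct=20; rua=mailto:dmarc-rua@me.com")
    # Legitimate mail: SPF passes for an aligned bounce subdomain -> DMARC pass
    print(evaluate("me.com", "me.com", rec, spf=("pass", "bounce.me.com")))
    # Spoof: SPF passes, but for the attacker's own domain -> unaligned -> reject
    print(evaluate("me.com", "me.com", rec, spf=("pass", "badguy.com")))
    # Same spoof landing outside the 20% sample -> quarantine instead of reject
    print(evaluate("me.com", "me.com", rec, spf=("pass", "badguy.com"), sample=50))
```

Two things the code makes visible that the prose can only state: an SPF "pass" for the attacker's own envelope domain does nothing for the spoofed From header, because it is not aligned; and a non-sending domain with p=reject and no SPF/DKIM at all rejects everything, which is exactly the intent.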

One domain (which is not supposed to send any mail) of the more than 40 I administer was sending over 500,000 fraudulent messages per week.  The null SPF record with a -all and the DMARC policy of "reject" put an immediate stop to all of it.  I had no idea anything was being sent "from" that domain whatsoever, but now I know nothing is landing in people's inboxes.
Again: across >40 domains, one domain was sending over 500K fraudulent messages per week. That's over 2,000,000 per month! Fully 72% of my mail volume was fraudulent!
Further monitoring revealed a peak fraudulent output of >6 million messages in a month, 99.99% of which were being blocked.
Comments

SPF Records

8/3/2019

Comments

 

SPF - Sender Policy Framework

SPF (v1) provides a framework for domain owners to effectively whitelist authorized email sources (servers by IP, not persons who send) for a given domain.

All domains should have an SPF record.  
Why? Effective use of SPF can help protect domains against various forms of abuse, such as a spoofed FROM address.  Example: badguy.com sends a message from his own or a compromised server and changes the FROM address to "goodguy.com" --> Goodguy.com gets "credit" for whatever spam, phishing, and/or malware is reported to be coming from [any_address]@goodguy.com.  Note that receivers check SPF against the envelope sender (MAIL FROM / Return-Path) that mail servers exchange, not the From: header a user sees; tying the visible From to an SPF or DKIM pass is DMARC's job, covered in the DMARC post.
Because of this, Goodguy.com's domain reputation falls, and if unchecked, eventually even his legitimate emails are dumped into others' spam folders or rejected outright, simply because too many of the messages reportedly coming from Goodguy.com are being marked as spam.
What about domains that don't send mail?  All domains need an SPF record.  It's simple: create a "null" SPF record to specify that nobody is authorized to send mail from that domain.  It's a whitelist that's blank, thereby eliminating the opportunity for malicious persons/organizations to send fraudulent mail on behalf of a legitimate domain.  Just because a business or person doesn't USE a domain to send mail doesn't mean someone else can't maliciously spoof the FROM as that domain.  Why leave it unprotected when a 2-minute task can secure it?
Create a "null" SPF record: 
  • Visit your domain registrar, navigate to edit DNS, and create a new TXT record
    • Leave host empty or "@"
    • Set the "value" to: v=spf1 -all
What does that do?  Literally, that says "The only authorized email senders on behalf of [whatever_domain.com] are the following: _[blank list]_.  Reject all others."  In other words, "nobody is allowed to send mail for [whatever_domain.com]."

Create standard SPF record: 
  1. Enumerate all legitimate sources of mail for the given domain.  Be thorough: survey all departments in order to accurately discover any 3rd parties who do or may send email for the given domain.  Example: goodguy.com sends direct mail from GSuite, mass-marketing via ConstantContact, and some mail from a private mail server located at a static IP (123.234.255.255); no other entities are authorized to send on behalf of goodguy.com.
  2. Look up the SPF "inclusions" for each source and compile them.  These are usually publicly documented; however, some entities are not up to speed or require a support ticket to provide any help.
  3. Build the SPF record.  For the example above, GSuite's SPF inclusion is include:_spf.google.com and Constant Contact's is include:spf.constantcontact.com.  Therefore, the SPF record for goodguy.com is:
    v=spf1 ip4:123.234.255.255 include:spf.constantcontact.com include:_spf.google.com ~all 
  4. Publish the amalgamation as a TXT record.  NOTE: Do not use the SPF record type, as it is deprecated and may not be honored.  Also stay within the 10-DNS-lookup limit: every include:, a, mx, ptr, exists and redirect= term counts, including those nested inside your providers' own includes, and a record that exceeds it evaluates to permerror, which receivers treat as if no usable SPF record existed.
NOTE: These instructions for a sending domain end with ~all instead of -all as this is the recommended method until there exists absolute certainty about the whitelist of authorized senders.  Small organizations with 100% certainty they only use a few specific sources can publish a -all at the end of their record.
Larger organizations or those who think there is even a chance there is another 3rd party sending legitimate emails on their behalf (think: confirmation emails, receipts, marketing departments that don't coordinate with the IT department, etc) should use the ~all instead, as it will not cause messages to be rejected.  Messages from sources not whitelisted in the record receive a "soft-fail" mark which increases their chance of being delivered to spam if there are any other red flags in the message source, subject, or body.
Until additional visibility into mailflow and sending sources can be obtained, it is recommended to keep the soft-fail mechanism in place.
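The null record and the goodguy.com record built above are easy to sanity-check before publishing. The following checker is an added example, not code from this post; it parses a v=spf1 record, counts the lookup-costing terms against the limit of 10, reports what the record says about unlisted senders, and evaluates a connecting IP the way a receiver would. Real DNS is replaced by an in-memory table so it runs offline: goodguy.com and its record are the post's example, while the contents of the include targets and every other domain and IP are constructed placeholders, not the vendors' real records.

```python
"""SPF record checker: added example, not the post's own code.

Parses a v=spf1 TXT record, counts the terms that cost a DNS lookup against
the RFC 7208 limit of 10, reports the 'all' qualifier, and evaluates a
connecting IP against the record.  DNS is replaced by an in-memory table so
it runs offline: goodguy.com and its record are the post's example; the
contents of the include targets and every other domain/IP are constructed
placeholders, not the vendors' real records.
"""
import ipaddress

FAKE_DNS = {
    "goodguy.com": ("v=spf1 ip4:123.234.255.255 include:spf.constantcontact.com "
                    "include:_spf.google.com ~all"),
    "parked.example": "v=spf1 -all",                                    # null record
    "spf.constantcontact.com": "v=spf1 ip4:203.0.113.0/24 ~all",        # placeholder
    "_spf.google.com": "v=spf1 include:_netblocks.example ~all",        # placeholder
    "_netblocks.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
    # 11 includes: one over the limit, so a receiver would return permerror
    "bloated.example": "v=spf1 " + " ".join(f"include:v{i}.example" for i in range(11)) + " -all",
}

MAX_DNS_LOOKUPS = 10                      # RFC 7208 section 4.6.4
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a v=spf1 record into (qualifier, name, value) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                   # mechanisms default to pass (+)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        sep = "=" if "=" in term.split(":")[0] else ":"   # modifiers use name=value
        name, _, value = term.partition(sep)
        parsed.append((qualifier, name.lower(), value))
    return parsed


def all_qualifier(domain, dns=FAKE_DNS):
    """What the record says about senders it does not list (the 'all' term)."""
    for qualifier, name, _ in parse_spf(dns[domain]):
        if name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"                      # no 'all' term behaves like ?all


def dns_lookups(domain, dns=FAKE_DNS, _seen=None):
    """Count lookup-costing terms, following includes as a receiver would."""
    _seen = set() if _seen is None else _seen
    if domain in _seen or domain not in dns:
        return 0                          # loop guard / unknown target (already counted by parent)
    _seen.add(domain)
    count = 0
    for _, name, value in parse_spf(dns[domain]):
        if name in LOOKUP_TERMS:
            count += 1
        if name in ("include", "redirect"):
            count += dns_lookups(value, dns, _seen)
    return count


def within_lookup_limit(domain, dns=FAKE_DNS):
    return dns_lookups(domain, dns) <= MAX_DNS_LOOKUPS


def check_ip(ip, domain, dns=FAKE_DNS, _depth=0):
    """Evaluate a connecting IP against the domain's record; returns the SPF result."""
    if _depth > MAX_DNS_LOOKUPS or domain not in dns:
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for qualifier, name, value in parse_spf(dns[domain]):
        if name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(value, strict=False)
        elif name == "include":           # an include matches only on a nested 'pass'
            matched = check_ip(ip, value, dns, _depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:                             # a/mx/ptr/exists need A/MX data this table lacks
            matched = False
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


if __name__ == "__main__":
    for dom in ("goodguy.com", "parked.example", "bloated.example"):
        print(dom, all_qualifier(dom), dns_lookups(dom), "lookups",
              "OK" if within_lookup_limit(dom) else "OVER LIMIT")
    print(check_ip("198.51.100.7", "goodguy.com"), check_ip("192.0.2.1", "goodguy.com"))
```

Against live DNS you would replace the table with TXT lookups, but the logic is the same: the lookup count is what silently breaks records as providers add nested includes, and the ~all/-all distinction the post recommends is just the qualifier on the final term.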

The next step in protecting a domain's reputation and preventing spoofed messages is either DKIM, DMARC, or both.  DMARC provides reporting on all mail purporting to be from a given domain, and gives excellent insight into sources that may not have been known by the IT department.  It can be used for a thorough "discovery" process, and SPF/DKIM records can be adjusted before rejection policies are made strict.  During discovery this preserves all mailflow, legitimate and illegitimate alike, so that legitimate messages are never rejected or stuffed into spam folders before the records are right.
Comments

Intro to Cryptography

5/14/2019

Comments

 


Caleb Christopher gave a talk on cryptography at SecKC in May 2019.
Here's a little quiz for you...
-----BEGIN TALK DESCRIPTION-----
QW4gb3ZlcnZpZXcgb2Ygb3VyIG5lZWQgZm9yIGNyeXB0b2dyYXBoeSwgd2hhdCBpdCBpcywgYW5kIGhvdyBpdCB3b3JrcyB3aXRoIHNvbWUgcHJhY3RpY2FsIGV4YW1wbGVzLg==
-----END TALK DESCRIPTION-----
Comments

Discovering and Defeating Email Fraud with DMARC

11/1/2017

Comments

 

DMARC for the win

Email is critical for business operations. If your emails don’t land reliably in peoples’ inboxes, business can grind to a halt.

Email was designed in 1972 to enable communication, and it has ever since. Communication, not security, was the focus when it was designed. That is why I can install simple, free mail server software on any computer and start sending messages, claiming they’re from anyone I want, even you. Spoofing is the act of masquerading as another, and with email it’s incredibly easy if protections aren’t activated. In its various forms, spoofing fuels phishing and other fraud. Spoofing preys upon the legitimate reputation of an organization, and that organization gets the reputational “credit” for anything done in its name. Your business could be “sending” spam campaigns right now.

What if I told you there was a three-step method to:
  • Protect your company's digital reputation and decrease the likelihood of your emails being marked as spam;
  • Show how many unauthorized emails are being fraudulently sent "from" [email protected];
  • Tell recipients what to do with messages that don’t actually come from your business?

What if I sent you an email about it? From yourself. Sometimes that’s what it takes for my message to land impactfully in the mental inbox of some managers. Whenever I have the opportunity while conducting vulnerability assessments, I make sure to send myself a noteworthy email from an executive within the organization. I do this without ever touching their equipment, or logging into their systems simply because I can – anyone can. That’s my point.

Security as an afterthought is almost always clumsy and usually requires manual configuration. Here’s why I even have this job: security is rarely included in project/product design phases and IT guys rarely turn on the security options available.


So, what’s the fix? My three-step plan?
I stumbled upon it while researching email authentication. There are three public DNS records you should publish for each domain you own: SPF (Sender Policy Framework), DKIM (Domain-Keys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance).

Here’s the short version: SPF specifies which IP addresses can send mail as @yourbusiness.com; DKIM adds a unique digital signature to prove the message came from you (and is unmolested); and DMARC is twofold: it adds reporting and defines an action policy for unauthenticated messages.

DMARC is where email security gets traction. Without it, email could be reasonably secure (tip: it usually isn’t), but previously there was no way to know whether your domain is being misused. The Reporting component is revolutionary, making it now possible to discover how many emails are being sent on your behalf and where from, even from systems you don’t own or control.

DMARC has been mainstream-usable since early 2015, but for lack of awareness most businesses have not yet begun using it. I have spoken at regional information security conferences on it and I find a majority of IT professionals are unaware of or don’t yet understand DMARC. On that note, a word of caution: DMARC is powerful and can block all the fraudulent emails, but can also block the good ones. A careful plan is essential.

I have deployed DMARC for more than 40 domains. One of those domains was sending more than two million fraudulent emails per month. The client indicated that domain should not be sending any email, so a quick forensic investigation into the content of the messages yielded evidence of phishing campaigns, links to hacked websites, myriad erectile dysfunction ads, and so on. This company was getting the reputational credit for having sent these emails. I published a DMARC policy to reject any mail from that domain, and now 99.9991% of those messages are being blocked. At one point, the volume spiked to greater than 5.9 million in a month. All blocked!

Another client’s members recently received a fraudulent message “from” a staff member requesting donations for another real member’s fake sick child on a GoFundMe site, complete with sad pictures and fake quotes from other members. I connected with their IT service provider to assist with damage control and remediation.

So how long does it take; how much does it cost?
The answer is, “it depends.”
Simple environments can be done in less than a month with little capital outlay. Complex environments can take months and cost thousands.
In my experience, most SMBs are relatively simple environments.

Secure your email.
You’re likely in the majority who aren’t being actively impersonated, but if you were, wouldn’t you like to know? And wouldn’t you like to properly configure things so it can’t happen?
Comments

A Hole In One

9/1/2017

Comments

 

A Hole In One (Club After Another)

This is a variation of the article published in The BoardRoom magazine, Sept/Oct 2017
Unintended Confidences

As a cybersecurity and risk assessor in the Club space, time and again I find Clubs' cyber defenses are practically non-existent, and they don't even know it.  They've got the framework, but it's not being leveraged. We've got a firewall; we're solid, right?  "Cyber" is this distant intangible--and it's the IT department's job to handle anyway.
Without fail, when I'm invited to give a wake-up-and-smell-the-cyber seminar to overview the kinds of real problems I find at nearly every Club I visit, Club representatives come up to me afterward stammering things like, "I never knew the risks!" or, "I never even thought a computer breach could allow a hacker to do that."   They feel compelled to go tell others; so do I and that is why this is what I do.
When It Finally Hits Home
When I brief a Club's board of directors at the close of a vulnerability assessment, the abstract risk they saw at my seminar becomes real life. Imagine your face as I show you video footage from your own security cameras which my hacking team was able to access from anywhere in the world… or a copy of your member database. How does your stomach feel as you contemplate mass identity theft becoming the legacy of your Club? Just look up "Chicago Yacht Club Hacked" and read quotes from former members.  Really. Or, right now, go look up "Country Club Hacked" and find current results--the hackers are leaving their signatures on Clubs' websites.  Make sure your Club isn't on that list.
But How Did It Get This Way?
Clubs often have just an IT guy. Unless specifically tasked with security, the primary focus of that IT "department" is to keep things working.  That makes sense, because convenient, functional information systems for workers allow fast service to members.  Unfortunately, convenience and security are inversely related; if one increases, the other necessarily decreases.  Without additional resources (personnel, training, or outside support), the existing IT department can usually only trade one for the other.  Like an old radio-tuner slider. Increased security measures may result in scenarios such as a helpdesk call for a password reset while a member has to stand, waiting. For some, this is untenable.
Simply opting for convenient system operation is by default a forfeiture of security, which is a notion that hasn't occurred to most Clubs—or even most other small organizations in general.  Additionally, existing IT departments often lack either the manpower or the expertise to implement reasonable levels of information security in their Clubs. Without an infusion for the IT department (whether more IT staff, better educating current staff, or augmenting the department by bringing in a team of outside experts with a fresh set of eyes to conduct a vulnerability assessment), this paradigm won't change.
What About Cyber Insurance?
Cyber insurance is one of the fastest growing segments in the insurance industry; however, it's not the safety net many people think it is.   Many insurance policies are based on subjective questionnaires, focusing on the existence of policies and procedures, without verifying whether the insured follows through with its own policies.
Without objective risk profile analysis, insurance policies tend to vary wildly in cost, cover very specific incidents, and have sweeping exclusions.  Many organizations have a very hard time making a collectible claim on cyber insurance after an incident. Insurers don't exist to be a safety net for organizations who don't care to take basic steps to secure themselves against events.
Wake Up and Smell the Cyber
The fact is this: Clubs have an incredibly high hack value, and most seem not to have taken reasonably prudent measures to secure their systems and their members' confidential data against a breach.  Club members already trust you to protect their personally-identifiable-information (PII).  If they didn't they wouldn't be members. Is that trust misplaced?
Prudent managers no longer dismiss cyber security, saying, "Oh that's the IT department's job." They're asking themselves, "How, and from whom do I want to find out how vulnerable my club is?"
Comments

About Us

Competencies

Book an appointment
We believe there is a better way.

Contact Us
913-204-0227

Blog