The IT Security Professional

Helping Organizations Understand IT Security & Best Practices

The 9 Cloud Security Best Practices You Need to Implement Today

9/30/2021

The cloud has become ubiquitous in today's IT infrastructure, as most organizations have adopted it as an integral part of their architecture, but it continues to be difficult to implement and set up properly. While there are controls and specific settings that can be applied to your cloud resources, it is important to understand which ones to apply and how. This begins with choosing the right service provider and developing an overall strategy for how the cloud will be implemented within your company.
  1. Determining the Right Service Provider
  2. Zero Trust
  3. Access Management
  4. Endpoint Security
  5. Network Monitoring
  6. Define Cloud Usage Policies/ Procedures
  7. Determine Trusted Services
  8. Manage Data
  9. Adopt a Standard


1. Determining the Right Service Provider
This begins with determining the right service provider. While there are a couple of HUGE players in this area (we don't need to drop names here), they are not the only ones these days, as more and more independent or affiliated providers are becoming competitive in the market. When implementing cloud security, it's not just the data center that you are evaluating; it is the services the provider has to offer and the types of security application resources they make available.

Understanding what you will be using the cloud infrastructure and resources for is an important part of the evaluation and implementation process. The controls used to secure the cloud infrastructure will differ depending on its usage within your environment. This is a key component of securing the cloud: treat the cloud as part of the network, and secure it as you would the systems within your corporate firewalls.

2. Zero Trust
DON’T TRUST ANYBODY! REALLY, I MEAN IT, DON’T TRUST ANYBODY!  This seems to be a great mantra these days as we find that even the slightest kink in the armor of a well-protected network can lead to a compromise.  Employing Zero Trust across your cloud infrastructure will allow you to enforce and implement security controls that require your users to validate who they are by multiple methods.

Why is this important? Because once an attacker is able to compromise a server, application, or even a service in the cloud, it is easy to pivot and try to get into other resources of the same company (yes, even if they are logically separated) or even a different company for that matter. Zero trust lets you require verification from, and restrict, all users regardless of who they say they are. This is critical for the services that your organization depends on to deliver for your customers and clients.

3. Access Management
Once the service provider has been determined, it is important to determine who will gain access and how they will be granted it. The various service providers all have the capability to help determine who will be granted access. Additionally, they may have the capability of implementing multi-factor authentication (MFA). Logs and access events will also be recorded and documented, which is important if you want to know who is accessing your cloud resources and when.
4. Endpoint Security
Securing your endpoints in the cloud is one area that most organizations neglect when setting up and configuring their resources. This is a mistake: these assets should be protected as much as the systems that sit in the office or in the homes of your employees. It's important to have the same security measures in place for your cloud assets. A majority of organizations will depend on service providers for their security controls, even when the provider is not actually providing those controls.

The organization pays for the hardware, the bare metal of the servers, and the infrastructure on which those assets reside. It is up to the company to employ endpoint security measures to secure those endpoints. Whether this means employing malware detection software or scanning those assets for vulnerabilities, it is important that those systems are managed in a similar manner to those on premises.

5. Network Monitoring
One of the key areas of monitoring will be the network environment, and this is especially true of the resources and infrastructure that you are utilizing in the cloud. This resource is something that your business will be paying for, and it is important that it be utilized effectively. Traffic, access, and utilization are all important aspects that should be monitored closely by any company.

6. Define Cloud Usage Policies/ Procedures
No matter why you are using the cloud, defining the policies and procedures that you will use is important for your company to establish right away. The reason is that resources in the cloud are finite, and you may be restricted by capacity, availability, or even cost. These restrictions can be detrimental to an organization that is using the cloud infrastructure to enhance its network environment. Establishing guidelines for its usage is important, as it will lay the groundwork for future development and utilization of those resources.
7. Determine Trusted Services
What services are you employing in the cloud? Setting up trusted services allows the organization to employ automated processes to help secure those services in a timely manner, for example deploying a certificate from a trusted certificate authority as soon as the previous one expires. This allows your IT Security staff to be one step ahead of a potential bad actor.

Establishing the trust relationship will enable an organization to secure its perimeter by trusting that those services meet specific requirements. It's important for an organization to determine which specific factors it wants in a trust relationship and how those factors are measured. While most cloud providers will be able to help in this process, it is important that IT Security Pros follow up and do their own evaluation.

8. Manage Data
Understanding your data and how it will be transmitted and stored is important especially when monitoring network traffic.  Data can accumulate at a rapid pace and it can be difficult to sift through the complex and exhaustive logs and datasets.  Developing a process for how this data will be managed and monitored will help to make sure that this information is manageable.

Depending on which industry you are working in, there may be specific requirements as to how long the data will need to be stored. It is important to understand these requirements, as they will affect which standard your organization adopts. With data storage, it all comes down to the capacity to store the data and how it is managed once it is collected. Having this addressed when you set up your cloud environment will go a long way toward saving headaches later on.

9. Adopt a Standard
While there is a myriad of standards out there, it is important to pick and adopt a standard that makes sense for your organization.  This may be due to the type of work your company does, or industry specific requirements.  Whatever the reason, adopt a standard.  Here are some cloud related standards to consider:
  • ISO 27001
  • ISO 27017
  • ISO 27018
  • CSA Star
  • HIPAA
  • NIST
  • PCI DSS
  • HITECH
Note: ISO 27001 is a baseline certification that is needed in order to qualify for both 27017 and 27018 as that standard provides the overall foundation for the security requirements that the other standards build on.
Having an established baseline to build from will help to determine the configurations and settings that will be employed during the development of your cloud infrastructure. Being compliant with these standards is different from being certified, as the majority of the standards listed here require a third-party assessment in order to validate their processes.
Summary
Organizations are continuing to adopt cloud services in order to realize the cost savings and the flexibility that these service providers are able to offer their business. No matter the reason you are looking to adopt cloud infrastructure, it is important to remember that there are things you can do to help secure the environment and infrastructure. By employing the 9 Cloud Security Best Practices outlined in this article, your organization will greatly benefit from the enhanced settings and configurations.

Managing Network Security: Integrating Systems & Processes During a Merger or Acquisition

5/28/2021

Companies and organizations continue to grow and develop, and as a part of that process they end up acquiring other businesses through a merger or acquisition. The question always comes: how do you integrate the diverse networks while still being secure? This can be a complicated and difficult question to answer because of all the variables and moving pieces involved in such an issue.
Whether you are the VP of IT or the Director of IT Security, there is no single way to tackle this issue. There are, however, steps and some initial guidance on how it should be approached. While this is not a "one size fits all" recommendation, it can cover some of the basic aspects that you as the IT Security Pro will be facing.

Getting a Handle on Things

Determining how you will integrate your computer networks, and obtaining direction from your senior management team, will help shape the strategy that your organization employs. This is true whether you are the acquiring organization or the one being acquired. This direction will provide a roadmap of how the integration will be accomplished and the ultimate goals that its implementation is meant to achieve.

Risk Assessment & Evaluation

Since you will be integrating two different networks, it is important to understand the potential risks involved and how those risks are evaluated.  There could be quite dramatic differences between how the networks are managed and the resources that have been allocated to those requirements.  Reconciling how this is accomplished will help to determine the course of action in merging these networks.

Evaluating network security is an important part of this initial assessment in that it will provide a gap analysis as to what might be missing in one network, and what is available with the other.  Having this detailed out will also allow the IT Security Pro to determine the best course of action that needs to be taken.  This will also help those in senior management to make decisions based on what is occurring instead of guess work done by non-technical staff members.

Course of Fire

Each of the organizations has a responsibility to inform the other of what actions and processes were taking place prior to the acquisition. This should be accomplished prior to finalization of the deal, but due to the complexities that go into these sorts of deals, it is not usually thought of until after the fact. This is where the IT Security Pro will step in to help guide and provide information to all of the stakeholders involved in the network integration.
Information Integration
This can be a very difficult aspect of the merger process to handle and should be carried out with involvement from both parties of the merger. Databases and repositories can be in diverse locations, both on premises and in the cloud. This can cause a headache for even the most seasoned IT Security Pro. Developing a plan on how to consolidate this information will be crucial in helping to determine the ultimate course of action that will be implemented.
There are two common methods that organizations may employ initially, with a full integration and merger coming later in the process:
  • Migrate all information into one organization's infrastructure
  • Keep the information separate in each organization's infrastructure
Both can be complicated to manage, and each poses its own unique issues to deal with, but these are the most common ways this is accomplished prior to full integration.

Compliance Complicates Everything

Compliance requirements add a complication to all the integration efforts that can be very frustrating. This is especially true if you are in healthcare dealing with HIPAA requirements, or PCI DSS for those in the banking industry. Some of these requirements and standards come into play when the organization hits specific benchmarks or capacities. Additionally, there could be fines associated with non-compliance with these standards as well.

Integrating Standards

With diverse organizations merging, some will have certifications and others may not. Determining which certifications to go with, or how they can be combined, can pose its own difficulties. Some of these may be overcome with help from the accreditation body or the certification body that one of the organizations has used for its certification process. Also, adopting policies, procedures, and standards will have to be a course of action addressed at the time of this integration process. The IT Security Pro will need to know the processes they need to follow and how those relate to the work they need to accomplish.

Making it Work

One of the most difficult aspects of this process is making everything work as if it were all on the same network. Cost savings and combining resources are a huge reason why acquisitions happen. Once a strategy has been developed, it is up to the IT Security Pro to implement the plan and execute the various projects that can come from such a complicated undertaking. Organizations will greatly benefit from the effort put into the planning process, and the IT Security Pro will benefit when they communicate these plans and issues to all the stakeholders involved.

Summary

While mergers and acquisitions of corporate networks can be challenging, they are not as daunting as they look on the surface. Integration needs to be planned and systematically applied across the network and its infrastructure. The effectiveness of this planning process will show in overall cost reductions in the management of the network and the increased efficiencies that come from integrating these systems. The roadmap to the integration should be drawn up as soon as possible (during the negotiation period would be preferred), with both organizations providing resources and direction toward the overall strategic outcome.

Growth of Ransomware Attacks: Strategies for Preventing & Isolating Them in Your Organization

5/24/2021

As the days continue to drag on with the most recent high-profile ransomware attack here in the US (Colonial Pipeline, which started on May 6th, 2021), the east coast and the south are feeling the brunt of its effects the most. This is not a new thing; ransomware has been around for a few years now, and organizations of all sizes should be prepared for its potential effects on their business.

We have seen attacks against municipal infrastructure and governmental services as well. Ransomware operators are indiscriminate in who or what they attack, and let's be clear here: these are individuals who are out to extort money from whomever and wherever they can. It is that plain and simple. This was a targeted attack on a system that was vulnerable.

Preparation for Attack
One of the key aspects that is coming to light after the initial shock of it is that the infrastructure that supports the US economy is the largest target on the face of the planet for these types of attacks.  Whether it is the lack of a Patch Management Process, or simply using outdated and unsupported equipment, the attackers have done their research in preparation for the attack.  Additionally, it was also revealed that they were able to exfiltrate a large amount of data prior to the attack taking place.  Is this preparation for more to come?

Paying the Ransom or Not?
As most IT Security Pros know, the company or organization will have to determine what is in its best interests. Is it to pay the ransom and get on with your business, to work to find the culprits behind it, or simply to replace the systems that have been locked? This is the biggest decision that must be made, and it can't be made in a vacuum; it must be made in public. Either decision has consequences and potential impacts on the organization.

Social Stigma

The issue that seems to come up is what sort of publicity is going to be generated by the ransomware attack. The Colonial Pipeline attack has proven that this key infrastructure is vulnerable and that security measures must be taken in order to address that. It's a terrible thing to have the world know that you lack security measures and that your organization has been using outdated processes and equipment on a vital piece of infrastructure.

What has come out in the last day (May 12th, 2021) is that Colonial Pipeline had told the world that they were not going to pay the ransom that was demanded of them. But as it turns out, they actually did, to the tune of over $5 million. And when they got the key to unlock their systems, it didn't work. Talk about having egg on your face! How will Colonial Pipeline explain what happened?

Increasing Threats
As organizations continue to keep quiet on how much they are actually paying in ransoms for their own information, attackers keep increasing the amounts they ask for. As of the writing of this article, CNA Financial has recently disclosed that it paid up to $40 million in order to regain access to its information (a link to the article is provided below). This shows that depending on the organization that is targeted, it could end up being a huge payday for the criminals involved in the extortion.

Stemming the tide of Infection
One of the key components of ransomware is that it will usually migrate from system to system depending on the type and complexity of the infection apparatus that is being utilized.  The following may be considered as ways of helping to stem the tide of infection and preventing more systems from being compromised:
  • Isolate the infected systems (this means to disconnect the device from the network, shared cloud or network files, or shared sub-nets).  While this step may seem drastic, helping to prevent additional compromises will be worth the effort.
  • Investigating the attack vector can help the organization determine how it may have been compromised in the first place and can help to identify the various forms of malware that might have been used to facilitate the attack.
  • Report the attack to senior management and legal authorities, as may be required by the type of work the organization does. These outside resources may have more services they can leverage in order to stem continued attacks, or to help other organizations prevent them as well.
  • How will you respond to such an attack? This is the time an organization takes to determine its overall course of action when faced with a compromising threat like ransomware. The type of services or support the company offers to the public may determine this outcome.
  • Restore and back-up all of the systems that may have been compromised.  This can be done on new hardware or systems that have not been online prior to the outbreak of the ransomware threat.  This process should only be completed with trusted and valued organizations.
  • Prevention of further compromises is going to be the top priority for most organizations after a ransomware attack.  Understanding the methods used to compromise the systems and then delivering the payloads will greatly enhance the effectiveness of the actions that you take during this stage.
The End User Dilemma
When it comes to security of the network, the key factor in all of the outbreaks of ransomware has been the end user doing or downloading something that they know they should not.  This education process comes in the form of Security Awareness training and how often it is performed.  People are creatures of habit and curiosity, and so they will perform tasks without really thinking of the consequences that it may cause them.  Here are a few of the ways that a potential ransomware attack can compromise your network:
  1. Phishing Attack (email with malicious links)
  2. SMSishing (uses text messages for links/info)
  3. Vishing (a voicemail version of phishing, also a form of social engineering)
  4. Social Media (can be used to get infected payloads past detection software)
  5. Zero Day (attack or compromise)
  6. Drive-by (opening a compromised website)
  7. Network Connections (scans for vulnerabilities on other systems)
Note: While this list of potential attack vectors may seem long, it is ever changing due to the nature of the attacks being seen in the various business industries and markets. What works in banking may not work in healthcare, and vice versa.
Solutions
These are current solutions or ways in which to mitigate or lessen the potential impact of a ransomware attack:
  • Use updated anti-virus software applications that update their signature sets periodically and that also include behavior analytics in their detection algorithm.
  • Make frequent, regular backups of sensitive or business-critical systems (and test them for accuracy) and isolate those backups from other parts of your network. This includes both physical and logical separation.
  • Install the latest security patches and updates that have been issued by the software vendors and OEM manufacturers.  This includes all ancillary software applications like browsers, web plugins, non-traditional operating systems.
  • Set up rules and requirements around the opening and use of email attachments, or utilize scanners that can detect a malicious payload in those attachments.
  • Eliminate the need for all end users to be administrators on their local systems.  Provide admin logins for specific tasks and not to whole system access.
  • Educate all the employees and staff members of your organization on the current best security practices in the prevention of malware.  Provide examples of potential phishing scams and samples and communicate with them often and provide reminders for additional training if needed.
Summary
Even with all the actions provided here, organizations are still going to be compromised and held ransom for the data they can't access. This is also an ever-evolving area of IT Security, and the IT Security Pro will need to know what it takes to help prevent an outbreak on their systems. No matter what strategy is employed by the organization, there will be a way to defeat it or work around it. The easiest way, as pointed out above, is to focus on the end user and their potential actions when presented with a compromised system or file.

User education will allow the IT Security Pro to know where a potential attack may be coming from and what form it may take. Educating the end user will help to shore up the front line against a potential ransomware attack, or may end up preventing one.

Reference:
www.theverge.com/2021/5/20/22446388/cna-insurance-ransomware-attack-40-million-dollar-ransom

Zombies, zombies Everywhere!!!

4/21/2021

Business Continuity Testing & Evaluation Scenarios

When it comes to Business Continuity Planning (BCP), nothing makes an IT Security Pro more nervous than testing the plan they just created. Whether you live in the Northwestern US or in Europe, planning for a disaster or business interruption is an important aspect of evaluating the planning process. Whether you are looking to perform a functional test or just a table-top test, determining the type of scenario can be a daunting task, even scary to contemplate.

Testing & Evaluation

As part of the evaluation process, IT Security Pros will have to test the BCP in order to determine any gaps or areas that should be addressed that may have been missed during the planning process.  This process is perhaps the most important part of planning for a disaster.  Measuring the effectiveness of the planning process will allow the organization to determine if they need additional controls or assets in order to deal with the possible incident.

Testing of the BCP should be only to the level that you need to have in order to validate the planning process.  There are several levels of testing, and I have listed a few of them here for you:
  1. Paper Test – Just a review of the plan and an evaluation against what is planned.
  2. Table-top Test – This is a full run through of the planning process and is a minimum that is required by most standards and current best practices.
  3. Partial Functional – Similar to the table-top test, but actual events are planned in order to make it more realistic (network or power outages are scheduled during this time).
  4. Functional Testing – This is a full-on test of the plan and may directly impact customers or services that are offered by the organization. Failover testing, back-up sites, and plan communications may be exercised during this type of test.
Testing Scenario
Choosing a test scenario is important to help establish guidance that will help the stakeholders or decision makers to "visualize" the events. This is where some creativity may be expressed, as to how realistic you want to be. The basic rule of thumb here is to keep it realistic enough that the company can realistically plan for dealing with the scenario being addressed in the testing process. Some examples might be:
  • Earthquake (infrastructure/ network outage/ power outage)
  • Tornado (power outage/ severe building damage)
  • Hurricane (water damage/ offsite storage/ flooding)
  • Heat Event (building systems/ staffing numbers)
  • Pandemic (services/ resources/ management of changing dynamics)
  • Zombies (personnel/ infrastructure/ network & power outage)
These are only suggestions and focus areas may change depending on the needs of the company that is doing the testing and evaluation.
Evaluation
Evaluating how your business did during the testing process can be difficult, due to how you set up the overall testing and evaluation strategy that you will be using. Evaluation can take many forms, but the focus is to provide feedback to leadership as to how well the company will or won't do in case of a significant business-impacting event. Some sample metrics are below:
  • Communication Timeframes
  • Evaluation of Event
  • Engagement of Staff
  • How well did decisions get made
  • Decision methodologies followed
  • Call Tree Notification Times
  • Client Notification Times
  • Time to respond to changing events
  • Client/customer notification times of potential impacts
These different metrics will help to provide the business the hard evidence that you will need in order to create a more responsive and comprehensive plan.

Communications

Communication in case of a disaster is one of the most important aspects that an organization should address prior to the testing and evaluation process.  Asking the following questions may help:
  • Who is our point of contact? (internal/ external)
  • How will a disaster be communicated to staff/ public?
  • How will an incident be communicated to customers/clients of the organization?
  • Who will handle media inquiries?
These questions should be documented in the planning process and all employees or staff members should understand this process and know where and how to access this specific information.  If you are not controlling this information, staff will make it up.  And chances are that this is more impactful than the company putting out the information themselves.

Summary

While you will not be able to plan for every major disaster that may occur (see zombie apocalypse/ asteroid impact), your BCP should be robust enough to deal with multiple types of events. Testing and evaluation of the planning process will help to validate the plan and show the business where potential improvements may need to be made. One plan will not fit all situations, so flexibility will be the name of the game when developing your plan.

With the services or products that your business provides being one of the main drivers of the plan, it is also important to remember that without your employees and staff, those capabilities cannot be carried out. The company can always replace equipment or the place where it conducts business, but you can't replace your personnel.

Compromised: Lack of Security Makes our Infrastructure Vulnerable

2/15/2021

As the investigation continues into the breach of the computer system at the Bruce T. Haddock Water Treatment Plant in Oldsmar, Florida on February 5th, what is becoming clearer is that this hack was due to several different security failures that led to the site being compromised by attackers. While the damage was little, it could have been a lot worse.

Security Failures
While the investigation into the breach is still ongoing at the time of this blog post, the common theme is that the facility was using older equipment with lax security protocols. These issues compounded one another and helped to provide a path for an attacker to take advantage of these vulnerabilities. Additionally, remote management software could connect to these systems without being blocked.

Here is the list of known security failures as of this post:
  • Old Windows 7 OS used on critical systems
  • No security patches or updates for over 1 year
  • TeamViewer software allowed to connect to network
  • Weak password management policy

While no single one of these failures was the sole reason for the compromise, together they led to what could have been a serious issue if it were not for someone watching the system and taking corrective action to return the systems to normal.
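The failures listed above can be checked for systematically rather than discovered after a breach. The following is an added example (not the post's own tooling and not anything from the plant) that audits a constructed host inventory for each failure class and ranks hosts for remediation; the record format, the remote-access product list, the 365-day patch-age threshold and the 12-character password minimum are assumptions, while the Windows 7 end-of-support date is Microsoft's published one.

```python
"""Audit a host inventory for the failure classes the post lists.

Added example, not the post's or the plant's own tooling. Host records are
constructed dicts; the record format, the remote-access product list, the
365-day patch-age threshold and the 12-character password minimum are
assumptions. The Windows 7 end-of-support date is Microsoft's published one.
"""
from datetime import date
from typing import Dict, List, Tuple

# Vendor end-of-support dates for the operating systems we track (extend
# this from the vendors' lifecycle pages; only Windows 7 is filled in here).
END_OF_SUPPORT: Dict[str, date] = {
    "Windows 7": date(2020, 1, 14),
}
MAX_PATCH_AGE_DAYS = 365              # the post cites "over 1 year" without patches
REMOTE_ACCESS_TOOLS = {"teamviewer"}  # assumed list of products to flag on control-system hosts
MIN_PASSWORD_LENGTH = 12              # assumed policy floor
AUDIT_DATE = date(2021, 2, 15)        # the post's publication date, used as "today"


def audit_host(host: dict, today: date) -> List[str]:
    """Return one finding string per failure class present on this host."""
    findings: List[str] = []

    # 1. Unsupported OS: vendor end-of-support date is in the past.
    eos = END_OF_SUPPORT.get(host["os"])
    if eos is not None and today > eos:
        findings.append(f"{host['os']} unsupported since {eos.isoformat()}")

    # 2. Patch age: days since the last patch exceeds the threshold.
    patch_age = (today - host["last_patched"]).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(f"no patches for {patch_age} days")

    # 3. Remote-management software installed on the host.
    for product in host.get("software", []):
        if product.lower() in REMOTE_ACCESS_TOOLS:
            findings.append(f"remote-management tool present: {product}")

    # 4. Password policy below the assumed minimum length.
    if host.get("password_min_length", 0) < MIN_PASSWORD_LENGTH:
        findings.append("password policy below minimum length")

    return findings


def prioritise(inventory: List[dict], today: date) -> List[Tuple[str, str, List[str]]]:
    """Rank hosts with findings: most findings first, critical-role hosts first on ties."""
    rows = []
    for host in inventory:
        findings = audit_host(host, today)
        if findings:
            rows.append((host["name"], host.get("role", "standard"), findings))
    rows.sort(key=lambda r: (-len(r[2]), r[1] != "critical", r[0]))
    return rows


# Constructed inventory; names, dates and roles are made up for illustration.
SAMPLE_INVENTORY = [
    {"name": "hmi-01", "os": "Windows 7", "role": "critical",
     "last_patched": date(2019, 12, 1), "software": ["TeamViewer", "HMI Runtime"],
     "password_min_length": 6},
    {"name": "office-07", "os": "Windows 10", "role": "standard",
     "last_patched": date(2021, 1, 20), "software": ["Office"],
     "password_min_length": 14},
    {"name": "hist-02", "os": "Windows 10", "role": "critical",
     "last_patched": date(2019, 6, 1), "software": ["Historian"],
     "password_min_length": 14},
]

if __name__ == "__main__":
    for name, role, findings in prioritise(SAMPLE_INVENTORY, AUDIT_DATE):
        print(f"{name} ({role}): {len(findings)} finding(s)")
        for finding in findings:
            print("   ", finding)
```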

Attacker Accomplished
The FBI was called in to investigate the compromise and found that the levels of sodium hydroxide in the water treatment had been raised from 100 parts per million to 11,100 parts per million for only a few minutes.  This chemical is used to clear clogged drains and could have caused potential deaths if ingested by members of the public.
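The change the FBI described is exactly the kind of event a setpoint monitor on the HMI or historian should catch, rather than relying on an operator happening to notice. The following is an added example (not code from the post or the plant) that replays constructed audit records and flags the 100 ppm to 11,100 ppm change on three grounds: outside engineering range, a large single-step increase, and a write over a remote session; the tag names, record fields and safe-range table are assumptions.

```python
"""Flag anomalous setpoint changes in HMI audit records.

Added example, not code from the original post or from the Oldsmar plant.
It replays constructed audit records and flags changes like the one the
post describes (NaOH dose setpoint raised from 100 ppm to 11,100 ppm).
Tag names, record fields and the safe-range table are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Tuple


@dataclass
class SetpointChange:
    when: datetime
    tag: str        # process tag (assumed naming)
    old: float
    new: float
    user: str
    session: str    # "console" for the local HMI, "remote" for a remote-access session


@dataclass
class Alert:
    change: SetpointChange
    reasons: List[str] = field(default_factory=list)
    revert_to: float = 0.0   # last known-good value an operator should restore


# Assumed engineering limits (min_safe, max_safe) per tag; a real plant takes
# these from its process hazard analysis, not from a script.
SAFE_RANGE: Dict[str, Tuple[float, float]] = {
    "NaOH_DOSE_PPM": (50.0, 300.0),
    "CL2_DOSE_PPM": (0.5, 4.0),
}
MAX_RELATIVE_INCREASE = 2.0   # flag any single change that more than doubles the value


def check_change(c: SetpointChange) -> Alert:
    """Apply the three checks to one change and collect every reason that fires."""
    alert = Alert(change=c, revert_to=c.old)
    lo, hi = SAFE_RANGE.get(c.tag, (float("-inf"), float("inf")))
    # 1. Hard range check: the new value must sit inside the engineering limits.
    if not lo <= c.new <= hi:
        alert.reasons.append(f"{c.new} outside safe range [{lo}, {hi}] for {c.tag}")
    # 2. Rate-of-change check on increases only: a large upward jump in a chemical
    #    dose is the dangerous direction; drops below the minimum are caught by
    #    the range check, so an operator's revert to a sane value is not flagged.
    if c.old > 0 and c.new / c.old > MAX_RELATIVE_INCREASE:
        alert.reasons.append(f"increase of {c.new / c.old:.0f}x in a single change")
    # 3. Provenance check: writes over a remote session deserve review even when
    #    the value itself looks plausible.
    if c.session == "remote":
        alert.reasons.append(f"changed by {c.user} over a remote session")
    return alert


def evaluate(changes: List[SetpointChange]) -> List[Alert]:
    """Return one Alert per change that tripped at least one check, in time order."""
    alerts = []
    for c in sorted(changes, key=lambda x: x.when):
        a = check_change(c)
        if a.reasons:
            alerts.append(a)
    return alerts


# Constructed audit records for 5 Feb 2021; times and user names are made up.
SAMPLE_CHANGES = [
    SetpointChange(datetime(2021, 2, 5, 8, 0), "CL2_DOSE_PPM", 1.5, 1.8, "op1", "console"),
    SetpointChange(datetime(2021, 2, 5, 13, 30), "NaOH_DOSE_PPM", 100.0, 11100.0, "op1", "remote"),
    SetpointChange(datetime(2021, 2, 5, 13, 35), "NaOH_DOSE_PPM", 11100.0, 100.0, "op1", "console"),
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_CHANGES):
        print(a.change.when.isoformat(), a.change.tag, "->", a.change.new,
              "| revert to", a.revert_to)
        for r in a.reasons:
            print("   ", r)
```

The routine small adjustment and the operator's corrective revert produce no alert, so the output is one alert carrying all three reasons for the remote 11,100 ppm write.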

Corrective Action
The failures identified by this attack should be remediated so that a similar type of attack does not occur. But this threat has shown what IT Security Pros already know: our infrastructure is not keeping up with evolving technologies. This creates vulnerabilities where it should be more secure. Municipalities are notorious for not updating or upgrading systems or software because they lack the funds to replace or update them.

While taking corrective measures now will address these issues, this is a systemic problem that will only be solved when municipalities and jurisdictions start taking security seriously and stop putting off the much-needed upgrades and enhancements required to stay up to date. Microsoft, for one, puts out notices to the public to let them know that there is going to be an end-of-life date for its systems and applications. Why didn't the municipality heed those warnings and transition to supported hardware and software applications?

Remaining Threat
Due to the attention this event is getting, it seems that these corrective actions will be taken as the city deals with the fallout.  But the underlying fact remains that all public utilities face crumbling infrastructure and aging management systems that are needed to keep them up and running.  This is a high-visibility event, and attention will be on the city to see how it handles these issues in the future.

These remaining threats are going to continue to plague our technologically evolving infrastructure as well.  As mentioned in infrastructure-security-securing-the-grid-of-the-future.html, there are growing threats to the use of new technologies, as well as to securing the already well-established infrastructure by upgrading network hardware, software, and IT Security posture.
Security for Infrastructure
Here are some of my recommendations for dealing with these issues.  Whether you are a small business or a large municipality, this is commonsense guidance that you can follow:

1. Only use supported hardware/software
This means using only systems and applications that are fully supported by the manufacturer, and replacing those that are not ASAP.  One of the most common mistakes organizations make is waiting to upgrade later.  Do not put it off: when a system or application reaches end of life, replace it.
 
2. Have a patch management program
When hardware and the OS do not receive updates on a regular basis, the risk and the number of potential vulnerabilities they pose to the organization keep growing.  Have an established patch management program and update software and hardware systems as soon as patches come out.  This limits vulnerabilities while ensuring that potential risks are mitigated in a timely manner.
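Items 1 and 2 above are easy to state and easy to let slide, so here is an added example (not code from this blog or from any vendor) of the kind of recurring check a patch management program should run: an inventory audit that flags any system whose OS is past its vendor end-of-support date, whose OS is not in the lifecycle table at all, or that has gone more than a year without patches, which is exactly the combination the failures list above describes.  The host names, dates and the 365-day threshold are constructed assumptions; the end-of-support dates are Microsoft's published lifecycle dates for the three products listed.

```python
"""Audit an asset inventory for unsupported software and stale patching.

This is an added example, not code from the original post. The inventory,
the 365-day patch-age threshold and the treatment of unknown operating
systems are assumptions; the end-of-support dates are Microsoft's published
lifecycle dates for the products listed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Vendor end-of-support dates (end of extended support). Anything not listed is
# treated as unknown and flagged, which is safer than silently assuming support.
END_OF_SUPPORT: Dict[str, date] = {
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}

# Assumed policy: a system that has gone a year without patches is a finding,
# mirroring the "no security patches or updates for over 1 year" failure above.
MAX_PATCH_AGE = timedelta(days=365)

# Date the audit is run against; fixed here so the example is reproducible.
EXAMPLE_DATE = date(2021, 2, 5)


@dataclass(frozen=True)
class Asset:
    name: str
    os: str
    last_patched: date
    critical: bool


# Constructed sample inventory (hypothetical host names and dates).
INVENTORY: List[Asset] = [
    Asset("scada-hmi-01", "Windows 7", date(2019, 12, 1), critical=True),
    Asset("fileserver-02", "Windows 10", date(2021, 1, 20), critical=False),
    Asset("hist-db-01", "Windows Server 2008 R2", date(2021, 1, 10), critical=True),
    Asset("ws-lab-07", "SomeOS 3", date(2021, 2, 1), critical=False),
]


def audit_asset(asset: Asset, today: date) -> List[str]:
    """Return the findings for one asset; an empty list means it is compliant."""
    findings: List[str] = []
    eos = END_OF_SUPPORT.get(asset.os)
    if eos is None:
        findings.append(f"unknown support status for {asset.os!r}")
    elif today > eos:
        findings.append(f"{asset.os} unsupported since {eos.isoformat()}")
    age = today - asset.last_patched
    if age > MAX_PATCH_AGE:
        findings.append(f"no patches for {age.days} days")
    return findings


def audit_inventory(inventory: List[Asset], today: date) -> Dict[str, List[str]]:
    """Map asset name -> findings, critical assets first; compliant assets are omitted."""
    report: Dict[str, List[str]] = {}
    for asset in sorted(inventory, key=lambda a: (not a.critical, a.name)):
        findings = audit_asset(asset, today)
        if findings:
            report[asset.name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, EXAMPLE_DATE).items():
        print(f"{name}: {'; '.join(findings)}")
```

Run against the constructed inventory on 2021-02-05, the Windows 7 HMI is reported twice (unsupported OS and 432 days without patches), the 2008 R2 database once, the unknown OS once, and the patched Windows 10 server not at all.  Listing critical assets first is the point: the report should put the plant's control systems at the top, not buried among lab workstations.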
 
3. Establish Strong Security Policies/ Standards
The need to establish strong policies and standards can't be overstated here.  Password policies should require the following:

  • Upper Case
  • Lower Case
  • Numbers
  • Special Characters
  • Non-dictionary Words
  • Pattern Passwords (p@$$W0rd1984!)
  • Number of Past Passwords Stored Increased
 
With all of these measures, account passwords would be more complex and more difficult for an attacker to crack.  While no password is 100% secure, there are steps administrators can take to improve the security of these accounts.
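As an added example (not code from this blog), here is a password policy check that enforces the list above: character classes, a dictionary check, and a password history of increased depth stored as salted PBKDF2 hashes rather than plaintext.  The 12-character minimum, the 24-entry history and the tiny word list are assumptions.  It also goes one step beyond the list: the dictionary check undoes common substitutions such as @ for a and 0 for o, so the p@$$W0rd1984! pattern is rejected as a disguised dictionary word, since cracking rule sets reverse those substitutions routinely.

```python
"""Validate a candidate password against the policy items listed above.

This is an added example, not code from the original post. The minimum
length, the tiny word list and the history depth are assumptions; a real
deployment would use a large breached-password list and the directory's own
password history. The dictionary check also undoes common character
substitutions, which is stricter than the list above.
"""
import hashlib
import hmac
import re
import secrets
from typing import List, Sequence, Tuple

MIN_LENGTH = 12        # assumed; the post does not state a length
HISTORY_DEPTH = 24     # assumed value for the "increased" history size
PBKDF2_ROUNDS = 100_000

# Constructed mini word list; a real check loads a large wordlist.
DICTIONARY = {"password", "welcome", "letmein", "summer", "admin", "water"}

# Substitutions that cracking rule sets routinely reverse, so they add no real
# strength; they are undone before the dictionary check.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "5": "s", "7": "t"})

HistoryEntry = Tuple[bytes, bytes]   # (salt, pbkdf2 digest)


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def remember(password: str, history: List[HistoryEntry]) -> None:
    """Append a salted hash of the password and keep only the last HISTORY_DEPTH."""
    salt = secrets.token_bytes(16)
    history.append((salt, _digest(password, salt)))
    del history[:-HISTORY_DEPTH]


def in_history(password: str, history: Sequence[HistoryEntry]) -> bool:
    """True when the password matches any stored entry (constant-time compare)."""
    return any(hmac.compare_digest(_digest(password, salt), digest) for salt, digest in history)


def check_password(password: str, history: Sequence[HistoryEntry] = ()) -> List[str]:
    """Return every policy violation; an empty list means the password is acceptable."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for label, pattern in (("upper case", r"[A-Z]"), ("lower case", r"[a-z]"),
                           ("number", r"[0-9]"), ("special character", r"[^A-Za-z0-9]")):
        if not re.search(pattern, password):
            problems.append(f"no {label}")
    # Lower-case and strip substitutions, then look for any word list entry.
    normalized = password.lower().translate(LEET)
    hits = sorted(word for word in DICTIONARY if word in normalized)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    if in_history(password, history):
        problems.append(f"reused one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    for candidate in ("p@$$W0rd1984!", "Tr0ut-Hatchery&Gravel9", "Summer21!"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Returning the whole list of violations, rather than stopping at the first, lets the login system tell the user everything they need to change in one round trip.  The history is kept as salted slow hashes so that a compromise of the history store does not hand over the user's previous passwords.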
 
4. Restrict VPN Access to Key Systems
This can be accomplished by not responding to unsolicited incoming connection requests, or by placing systems behind a firewall or in a DMZ with access restricted to specific IP addresses.  While there may be ways to get around these steps, they make an attack more difficult than having nothing in place.  This should be especially true for systems such as a water purification plant or an electric distribution center.

Summary
While nobody was killed in this attack and someone was quickly able to respond to the changes in the purification process, it could have been much worse.  Like a lot of other government-owned and -operated assets, our infrastructure is a prime target for those who want to do our country or our cities harm.  No matter what is found when the actual source of the attack is eventually discovered, this should be a wake-up call for all governmental organizations and jurisdictions: they can be compromised, and they need to keep their security posture up to date, just like the private sector.

The worst thing about this attack on the purification plant is that all of these security issues should have been addressed a long time ago.  Even just upgrading and patching their systems could have helped deter a potential attack.  Some of the simplest things make the biggest difference when it comes to these sorts of events.  We can only hope that they employ a well-respected IT Security Pro to help them address these issues in the most effective and expedient manner possible.

Reference Site
abcnews.go.com/US/outdated-computer-system-exploited-florida-water-treatment-plant/story?id=75805550

Using Artificial Intelligence & Machine Learning to Help Protect Your Computer Network

2/9/2021

The use of Artificial Intelligence (AI) in IT Security is shaping up to be transformative in that it lets the IT Security Pro focus on the important aspects of the business, such as educating the end users.  While AI provides an extra source of intelligence in the field, the biggest fear is that it will replace IT Security Professionals and the industry.  This is not the case; rather, there will be synergy between the human in the loop and the machine in responding to potential threats to the corporate business network.

AI vs. Machine Learning

AI implies that adaptive learning is involved and that actions can change based on a given set of inputs.  With Machine Learning (ML), a set of automated processes is developed for a given scenario or set of inputs that match specific criteria.  Understanding these key differences allows the IT Security Pro to use the best technology for any situation they may run into.

The use of ML is common in most IDS and IPS applications, as they provide quick action and prevent further issues for the network given a specific set of inputs.  This can be anything from disconnecting servers to preventing certain IP packets from traversing the network or reaching a specific targeted IP address.  AI will take more time to determine whether the behavior is malicious and may take other inputs into account before acting.

Data Overload

As an IT Security Pro, your day is filled with reviewing logs and data collected from various sources around your computer network.  Whether these are firewall logs or network traffic IP packets, there is a lot of data to process.  This is one of the reasons that security applications that can correlate these records are a key component of any well-established IT Security Program.

What we need is to sift through these tens of thousands of entries to find the information that is meaningful to us.  Even with correlation, the IT Security Pro may sometimes be overwhelmed by the amount of information presented.  This is where AI and ML come into their own.  These technologies can help sort out this data, provide the IT Security Pro with actionable information, and suggest a course of action based on all the inputs that have been gathered.
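To make the "sift through the entries" step concrete, here is an added example (not code from this blog or from any product) of the simplest useful version of what such tooling does: it parses a batch of firewall deny events, builds a statistical baseline of how many denies each source host normally produces, and surfaces only the hosts whose count is far outside that baseline, together with how many distinct destination ports they touched.  The log format, all 65 sample lines and the 3.5 modified-z-score cut-off are constructed assumptions.

```python
"""Rank firewall deny events by how far each source deviates from the baseline.

This is an added example, not code from the original post. The log format
and every line in SAMPLE_LOG are constructed, and the 3.5 modified-z-score
cut-off is an assumption. It shows the triage step the section describes:
reducing a pile of entries to the few the analyst should look at first,
using a statistical baseline rather than hand-written per-host rules.
"""
import re
import statistics
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed key=value format for the sample lines below.
LOG_PATTERN = re.compile(
    r"action=(?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)


def _build_sample_log() -> List[str]:
    """Constructed sample: eight hosts with a few denies each, one with a burst."""
    lines = []
    baseline = {"10.0.0.11": 2, "10.0.0.12": 3, "10.0.0.13": 3, "10.0.0.14": 4,
                "10.0.0.15": 2, "10.0.0.16": 3, "10.0.0.17": 4, "10.0.0.18": 3}
    for src, n in baseline.items():
        for i in range(n):
            lines.append(f"2021-02-05T10:{i:02d}:00 fw1 action=deny src={src} dst=10.0.1.5 dport=445")
    # One host denied on 40 different ports of the same destination within the hour.
    for i in range(40):
        lines.append(f"2021-02-05T10:{i:02d}:30 fw1 action=deny src=10.0.0.50 dst=10.0.1.5 dport={1000 + i}")
    # Allowed traffic, which the deny count must ignore.
    lines.append("2021-02-05T10:05:00 fw1 action=allow src=10.0.0.11 dst=10.0.1.5 dport=443")
    return lines


SAMPLE_LOG = _build_sample_log()


def parse(lines: List[str]) -> List[Dict[str, str]]:
    """Parse the key=value fields; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        match = LOG_PATTERN.search(line)
        if match:
            events.append(match.groupdict())
    return events


def modified_z_scores(counts: Dict[str, int]) -> Dict[str, float]:
    """Median/MAD based z-score: a single burst cannot hide by dragging the mean up."""
    values = list(counts.values())
    med = statistics.median(values)
    mad = statistics.median([abs(v - med) for v in values])
    if mad == 0:
        # Every source behaves alike; nothing stands out from the baseline.
        return {src: 0.0 for src in counts}
    return {src: 0.6745 * (v - med) / mad for src, v in counts.items()}


def triage(lines: List[str], threshold: float = 3.5) -> List[Tuple[str, int, float, int]]:
    """Return (src, denies, score, distinct_ports) for sources above the threshold, highest first."""
    denies = [e for e in parse(lines) if e["action"] == "deny"]
    per_src = Counter(e["src"] for e in denies)
    ports: Dict[str, Set[str]] = {}
    for e in denies:
        ports.setdefault(e["src"], set()).add(e["dport"])
    scores = modified_z_scores(per_src)
    flagged = [(src, per_src[src], round(scores[src], 2), len(ports[src]))
               for src in per_src if scores[src] > threshold]
    return sorted(flagged, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for src, n, score, distinct in triage(SAMPLE_LOG):
        print(f"{src}: {n} denies across {distinct} ports (score {score})")
```

On the sample data the eight ordinary hosts score well under 1 and drop out, leaving a single row for 10.0.0.50 with a score near 25.  The median and MAD are used instead of mean and standard deviation so that the outlier itself does not inflate the baseline it is measured against; the same structure scales to thousands of sources, which is the point of handing this step to software rather than to an analyst's eyes.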

Work with AI in IT Security

With the ever more complex state of IT Security these days, it is important that we use all the tools available in the fight against potential threats to our networks.  This means leveraging the strengths of AI and ML to keep up with the changing attack vectors of the adversaries we must defend against.  There is an ever-growing number of threats the IT Security Pro must defend against, and having backup or additional support to help determine the course of action will be helpful, especially when we must do more with less.

Some of these areas may include any of the following:
  • Large number of potential attack vectors to watch
  • Thousands of devices and access points to watch
  • Multiple attack vectors (network, spear phishing, Zero-day)
  • Malware Viruses/ Worms/ Trojans
  • DDoS Attacks
  • Botnets
  • Ransomware
  • SQL Injection Attack
These are just some of the issues an IT Security Pro may have to deal with daily, not to mention the biggest threat of all: the end user.  No matter how well a network is protected, it can always be bypassed by an employee who does not want to work within the security guidelines.

Automated Processes for AI & ML

While there are a number of areas in which AI and ML can help, these technologies can also streamline or automate repetitive processes that require attention from the IT Security Pro.  These automated processes can be built into an application or be part of a solution:
  • Detecting Assets
  • Determining Status of Assets
  • Asset Configuration Settings
  • Incident Response
  • Network Scans
Having these processes performed by AI or ML systems would free up IT Security staff to work on other pressing matters.  It would also help position these technologies as an extension of the IT Security Team and not a competitor for its jobs.

Summary

While AI and ML are advancing in their skills and capabilities, it is important to remember that these two supporting technologies will help ease the load on overworked and understaffed IT Security Pros.  Having an electronic eye on all the operations that go on in a computer network day in and day out will allow staff to address the issues that really deserve their attention, and not all of the static or background noise.  Technology should enable the IT Security Pro to better secure the networks we are responsible for, not take jobs away from human beings.

    Erich Barlow

    Erich is an experienced IT Security Professional that works with businesses of all sizes to help  them understand the impact of IT Security on their organizations.
