Archive for the 'fun' Category

Lessons from NERC CIP

The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards are a set of mandatory cybersecurity standards that apply to the bulk power system in North America. There are currently 13 CIP standards that cover a range of cybersecurity requirements. Here is a brief overview of each standard:

CIP-001 – Sabotage Reporting: Requires the development of a procedure to report any suspicious activities that could lead to physical damage to the Bulk Electric System (BES).

CIP-002 – Critical Cyber Asset Identification: Defines the criteria for identifying and categorizing assets that are essential to the reliable operation of the BES.

CIP-003 – Security Management Controls: Requires the development of security management controls that establish a framework for managing the security of critical cyber assets.

CIP-004 – Personnel and Training: Requires the development of a training program for personnel with access to critical cyber assets.

CIP-005 – Electronic Security Perimeter(s): Requires the development of policies and procedures to protect the electronic security perimeter of critical cyber assets.

CIP-006 – Physical Security of Critical Cyber Assets: Requires the development of physical security measures to protect critical cyber assets from unauthorized access.

CIP-007 – System Security Management: Requires the development of a system security management plan that outlines the processes and procedures used to identify, assess, and correct security issues.

CIP-008 – Incident Reporting and Response Planning: Requires the development of a plan for reporting and responding to cybersecurity incidents.

CIP-009 – Recovery Plans for Critical Cyber Assets: Requires the development of a recovery plan for critical cyber assets in the event of a cybersecurity incident.

CIP-010 – Configuration Change Management and Vulnerability Assessments: Requires the development of a configuration change management and vulnerability assessment program for critical cyber assets.

CIP-011 – Information Protection: Requires the development of policies and procedures to protect sensitive information related to critical cyber assets.

CIP-012 – Cyber Security Information Protection: Requires the development of a plan to protect sensitive cybersecurity information.

CIP-013 – Supply Chain Risk Management: Requires the development of a supply chain risk management program to ensure the security of equipment, software, and services that are part of the BES.



Juice Jacking

Don’t charge your phone in one of those kiosks at the airport.

Bring a power brick and use that, or use your own outlet plug and cable if you can find a regular wall outlet to charge from.

https://www.androidauthority.com/juice-jacking-3311056/



Cybersecurity operations center (SOC)

A Cybersecurity Operations Center (SOC) is a centralized unit responsible for detecting, analyzing, and responding to security incidents within an organization’s network. Here are the essentials of a SOC:

People: A SOC is staffed by a team of trained and experienced security professionals who monitor network traffic, analyze security alerts, and respond to security incidents. These professionals include security analysts, incident responders, threat intelligence analysts, and SOC managers.

Processes: A SOC operates based on well-defined processes that outline how security incidents are detected, investigated, and remediated. These processes include incident response procedures, change management policies, and security incident management workflows.

Technology: A SOC relies on a range of security technologies to detect and respond to security incidents. These technologies include security information and event management (SIEM) systems, intrusion detection and prevention systems (IDPS), vulnerability scanners, and endpoint detection and response (EDR) tools.

Threat Intelligence: A SOC must have access to the latest threat intelligence to stay ahead of evolving threats. This intelligence can come from internal sources, such as network logs and threat intelligence feeds, or external sources, such as industry reports and threat sharing communities.

Metrics and Reporting: A SOC must track and report on key security metrics to ensure its effectiveness and to justify its existence to upper management. Metrics might include the number of incidents detected and remediated, the mean time to detect and respond to incidents, and the effectiveness of security controls.

The SOC is a critical component of your cybersecurity strategy, providing a centralized location for monitoring and responding to security incidents, and helping to prevent data breaches and other cyber threats.
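The metrics paragraph above names mean time to detect (MTTD) and mean time to respond (MTTR) without showing how they fall out of incident records. The following is an added example, not code from the original post: it computes incident counts, MTTD and MTTR from a handful of constructed incident records (the INC-* identifiers, timestamps and severities are made up for the example), and breaks the same figures down by severity, which is how a SOC manager would usually want them reported. MTTD is measured from the earliest evidence of attacker activity to the alert; MTTR from the alert to closure. Open incidents still count towards detection but are excluded from MTTR, so the two averages are over different sets, a detail that is easy to get wrong in a dashboard.

```python
from datetime import datetime
from statistics import mean

# Constructed sample incident records (not real data). ISO-8601 UTC timestamps:
# "occurred" is the earliest evidence of attacker activity found during the
# investigation, "detected" is when the SOC raised the alert, and "resolved" is
# when the incident was closed. A None "resolved" means the incident is still open.
INCIDENTS = [
    {"id": "INC-001", "severity": "high",   "occurred": "2024-03-01T08:00:00Z",
     "detected": "2024-03-01T09:30:00Z", "resolved": "2024-03-01T15:30:00Z"},
    {"id": "INC-002", "severity": "medium", "occurred": "2024-03-02T22:00:00Z",
     "detected": "2024-03-03T06:00:00Z", "resolved": "2024-03-03T10:00:00Z"},
    {"id": "INC-003", "severity": "low",    "occurred": "2024-03-04T12:00:00Z",
     "detected": "2024-03-04T12:30:00Z", "resolved": None},
    {"id": "INC-004", "severity": "high",   "occurred": "2024-03-05T01:00:00Z",
     "detected": "2024-03-05T01:30:00Z", "resolved": "2024-03-05T04:30:00Z"},
]


def _ts(value: str) -> datetime:
    # datetime.fromisoformat() before Python 3.11 does not accept a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def hours_between(start: str, end: str) -> float:
    return (_ts(end) - _ts(start)).total_seconds() / 3600


def soc_metrics(incidents):
    """Counts, MTTD and MTTR (in hours) for a set of incident records."""
    detect_hours = [hours_between(i["occurred"], i["detected"]) for i in incidents]
    resolved = [i for i in incidents if i["resolved"] is not None]
    # Only closed incidents have a response time; open ones would skew MTTR.
    respond_hours = [hours_between(i["detected"], i["resolved"]) for i in resolved]
    return {
        "incidents_detected": len(incidents),
        "incidents_remediated": len(resolved),
        "open_incidents": len(incidents) - len(resolved),
        "mttd_hours": mean(detect_hours) if detect_hours else None,
        "mttr_hours": mean(respond_hours) if respond_hours else None,
    }


def metrics_by_severity(incidents):
    """The same metrics, reported separately for each severity level present."""
    return {
        sev: soc_metrics([i for i in incidents if i["severity"] == sev])
        for sev in sorted({i["severity"] for i in incidents})
    }


if __name__ == "__main__":
    print("overall:", soc_metrics(INCIDENTS))
    for sev, m in metrics_by_severity(INCIDENTS).items():
        print(sev, m)
```

Reporting the breakdown by severity matters because a single overall MTTR hides a slow response to high-severity incidents behind many quickly closed low-severity ones.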



Government Spying

There are several tools and technologies used by governments for surveillance and tracking of people. Here are a few well-known examples:

Pegasus: Pegasus is a spyware developed by an Israeli cybersecurity company, NSO Group. It can be installed on a target’s mobile device, allowing the operator to monitor their communications, track their location, and access their personal data.

Facial recognition technology: Governments use facial recognition technology to identify and track individuals through cameras installed in public places. This technology uses algorithms to compare facial features captured in real-time against a database of known faces.

GPS tracking: Governments may use GPS tracking devices to monitor the movements of individuals. These devices can be attached to vehicles or mobile devices and can track the location of a target in real-time.

Stingray: Stingray is a device used by law enforcement agencies to intercept and track mobile phone signals. It can mimic a cell phone tower, allowing it to capture data from nearby mobile phones.

Internet surveillance: Governments may monitor internet traffic to track the online activities of individuals. This can include monitoring emails, social media activity, and other online communications.

There are various software products and technologies used by governments to surveil people online. A few of these are listed below:

XKeyscore: XKeyscore is a data collection tool used by the United States National Security Agency (NSA) to collect and analyze internet traffic. It allows the NSA to track the online activities of individuals, including their search history, emails, and online chats.

FinFisher: FinFisher is a spyware developed by a British company, Gamma Group. It can be used to monitor the activities of individuals online, including their emails, chats, and social media activity.

Carnivore: Carnivore is a surveillance tool developed by the Federal Bureau of Investigation (FBI) in the United States. It can be used to intercept and monitor internet traffic, including emails, chats, and other online communications.

PRISM: PRISM is a program developed by the United States government to collect and analyze internet communications. It allows the government to access data from internet companies such as Google, Facebook, and Microsoft.

DCSNet: DCSNet is a system developed by the FBI to intercept and monitor internet traffic. It allows the FBI to access email messages, chats, and other online communications in real-time.



Common Cybersecurity software solutions


With the rise of cyberattacks and data breaches, it is crucial for organizations to invest in cybersecurity software solutions to protect their sensitive data and assets. There are several common cybersecurity software solutions that organizations can implement to protect themselves from cyber threats.

Antivirus Software: Antivirus software is perhaps the most common cybersecurity software solution. It is designed to detect, prevent, and remove malware, viruses, and other malicious software from computer systems. Antivirus software works by scanning files, emails, and other digital assets for known threats, and then either removing or quarantining them.

Firewalls: Firewalls are another common cybersecurity software solution that organizations use to protect their networks. Firewalls work by monitoring and controlling incoming and outgoing network traffic based on a set of predefined rules. They can be implemented as either software or hardware solutions and help prevent unauthorized access to a network.
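The paragraph above says a firewall applies "a set of predefined rules" to traffic; the behaviour that trips people up in practice is that the rules are evaluated in order, the first match wins, and anything unmatched should fall to a default deny. The following is an added example, not code from the original post or any firewall vendor: a small rule evaluator over constructed packets, plus an audit check that reports rules which can never fire because an earlier, broader rule already covers them. The addresses (10.0.1.0/24 web segment, 10.0.9.0/24 admin subnet, 203.0.113.5 public client) and rule names are made up for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    src: str                     # source CIDR; "0.0.0.0/0" means any host
    dst: str                     # destination CIDR
    dport: Optional[int] = None  # destination port; None matches any port
    name: str = ""               # label that would appear in the firewall log


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    dst_ip: str
    dport: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return (ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst_ip) in ipaddress.ip_network(rule.dst))


def evaluate(rules, pkt: Packet, default: str = "deny"):
    """First matching rule wins; unmatched traffic falls to the default (deny)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return default, "implicit-default"


def shadowed_rules(rules):
    """Audit check: rules that can never fire because an earlier rule covers them."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            proto_ok = earlier.proto in ("any", later.proto)
            port_ok = earlier.dport is None or earlier.dport == later.dport
            src_ok = ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
            dst_ok = ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
            if proto_ok and port_ok and src_ok and dst_ok:
                shadowed.append((later.name, earlier.name))
                break
    return shadowed


# Constructed inbound policy for a hypothetical web server segment 10.0.1.0/24.
# The specific SSH allow for the admin subnet must come before the broad SSH deny.
INBOUND_RULES = [
    Rule("allow", "tcp", "10.0.9.0/24", "10.0.1.0/24", 22,  "ssh-from-admin-subnet"),
    Rule("allow", "tcp", "0.0.0.0/0",   "10.0.1.0/24", 443, "public-https"),
    Rule("deny",  "any", "0.0.0.0/0",   "10.0.1.0/24", 22,  "log-blocked-ssh"),
]

# The same rules with the broad SSH deny moved to the top: the admin allow can
# never match any more, which shadowed_rules() reports.
MISORDERED_RULES = [INBOUND_RULES[2], INBOUND_RULES[0], INBOUND_RULES[1]]


if __name__ == "__main__":
    samples = [
        Packet("tcp", "203.0.113.5", "10.0.1.10", 443),  # public web client
        Packet("tcp", "203.0.113.5", "10.0.1.10", 22),   # SSH from the internet
        Packet("tcp", "10.0.9.7",    "10.0.1.10", 22),   # SSH from the admin subnet
        Packet("udp", "203.0.113.5", "10.0.1.10", 53),   # nothing matches: default deny
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(INBOUND_RULES, pkt))
    print("shadowed in misordered policy:", shadowed_rules(MISORDERED_RULES))
```

The explicit deny for SSH at the end of the list is there so that blocked SSH attempts get a named rule in the log rather than disappearing into the implicit default; the shadowing check is the kind of thing to run whenever a rule set is edited, since a misordered policy fails silently.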

Intrusion Detection and Prevention Systems (IDPS): IDPS is a cybersecurity software solution that is used to monitor networks and systems for signs of suspicious activity. It can detect and prevent attacks in real-time by analyzing network traffic and behavior to identify potential threats.

Virtual Private Networks (VPNs): VPNs are a cybersecurity software solution that organizations use to protect their data when it is being transmitted over the internet. A VPN encrypts the data and creates a secure tunnel between the user’s device and the network they are connecting to, making it difficult for hackers to intercept the data.

Data Encryption Software: Data encryption software is used to protect sensitive data by converting it into an unreadable format that can only be decrypted with a specific key or password. It is commonly used to protect data when it is being transmitted or stored, and can prevent unauthorized access to sensitive data.

Web Application Firewalls (WAFs): WAFs are a cybersecurity software solution that is designed to protect web applications from attacks. They work by monitoring and analyzing incoming traffic to identify and block potential threats, such as SQL injection attacks, cross-site scripting (XSS) attacks, and others.

Identity and Access Management (IAM) Software: IAM software is used to manage user access to systems, networks, and applications. It is designed to ensure that only authorized users have access to sensitive data and resources, and can help prevent data breaches and other cybersecurity threats.

These are just a few of the most common cybersecurity software solutions that organizations use to protect themselves from cyber threats. However, it is important to note that implementing these solutions alone is not enough to guarantee cybersecurity. Organizations must also have a comprehensive cybersecurity strategy that includes employee education, regular security updates and patches, and continuous monitoring and risk assessments.

These and other software solutions are essential to protecting organizations from cyber threats. By implementing antivirus software, firewalls, IDPS, VPNs, data encryption software, WAFs, and IAM software, you can significantly reduce the risk of cyberattacks and data breaches, but only as one part of the comprehensive cybersecurity strategy described above.



Cybersecurity defense in depth


Cybersecurity “defense in depth” is a critical concept: the practice of implementing multiple layers of security controls to protect against cyber attacks. The goal of defense in depth is to provide a multi-layered defense that can withstand attacks from different vectors.

There are several layers of security that can be implemented as part of a defense in depth strategy. These layers include:

Perimeter Security: The first layer of defense is perimeter security. This involves securing the outer boundary of the network with controls such as firewalls and intrusion prevention systems (IPS).

Network Security: The second layer of defense is network security. This involves securing the internal network with controls such as network segmentation and access controls.

Endpoint Security: The third layer of defense is endpoint security. This involves securing individual devices with controls such as antivirus software and host-based intrusion detection systems (HIDS).

Application Security: The fourth layer of defense is application security. This involves securing the applications themselves with controls such as web application firewalls (WAFs) and secure coding practices.

Data Security: The fifth layer of defense is data security. This involves securing sensitive data with controls such as encryption and access controls.

By implementing multiple layers of security controls, organizations can create a strong defense in depth strategy that can withstand attacks from different vectors. This approach is particularly effective in defending against advanced persistent threats (APTs) and other sophisticated attacks that target multiple layers of the security infrastructure.

However, implementing a defense in depth strategy is not without its challenges. It requires a significant investment in time, resources, and expertise to implement and maintain multiple layers of security controls. Additionally, it can be challenging to ensure that all the layers of the security infrastructure are working together effectively.

To overcome these challenges, organizations should take a strategic approach to implementing a defense in depth strategy. This includes:

Conducting a risk assessment to identify the organization’s most critical assets and the threats that are most likely to target them.

Developing a security architecture that outlines the layers of security controls and how they will work together to provide a multi-layered defense.

Implementing security controls that are appropriate for the organization’s risk profile and budget.

Continuously monitoring and updating the security infrastructure to ensure that it remains effective in the face of evolving threats.

Defense in depth is a critical concept for your company’s cybersecurity. By implementing multiple layers of security controls, your organization can create a strong defense that can withstand attacks from different vectors. However, implementing a defense in depth strategy requires a significant investment in time, resources, and expertise. To be effective, organizations must take a strategic approach to implementing a defense in depth strategy that is tailored to their risk profile and budget.



The incident response plan

Today the threat of cyber attacks is ever-present, and businesses of all sizes need to have a solid incident response plan in place. A cybersecurity incident response plan is a critical element in ensuring that a company can respond effectively to a cyber attack.

Cybersecurity incident response refers to the process of identifying, investigating, and responding to cyber security incidents in a manner that limits the impact of the attack. Incident response is an essential aspect of any cybersecurity program, and it requires a coordinated effort across different parts of the organization.

An incident response plan is a set of procedures that guides an organization’s response to a cybersecurity incident. The plan outlines the steps that need to be taken to identify, contain, eradicate, and recover from an incident. It also defines the roles and responsibilities of the incident response team and other stakeholders.

A typical incident response plan consists of six phases: preparation, identification, containment, eradication, recovery, and lessons learned.

The first phase, preparation, involves creating an incident response plan and establishing an incident response team. The team should consist of individuals from different parts of the organization, such as IT, legal, and public relations. The team should also have access to the necessary tools and resources, including incident response software and communication systems.

The second phase, identification, involves detecting and analyzing the incident. This may involve monitoring network traffic, reviewing logs, and conducting interviews with employees. Once the incident is identified, the incident response team should classify it based on its severity and potential impact.

The third phase, containment, involves taking steps to limit the impact of the incident. This may involve isolating affected systems or networks, disabling user accounts, or shutting down systems altogether. The goal of containment is to prevent the incident from spreading and causing further damage.

The fourth phase, eradication, involves removing the threat from the affected systems or networks. This may involve removing malware, restoring data from backups, or rebuilding systems from scratch. The goal of eradication is to ensure that the incident is fully resolved and that the organization can resume normal operations.

The fifth phase, recovery, involves restoring systems and data to their normal state. This may involve testing systems and networks to ensure that they are functioning properly and restoring data from backups. The goal of recovery is to minimize the impact of the incident on the organization and its customers.

The final phase, lessons learned, involves reviewing the incident response process and identifying areas for improvement. This may involve conducting a post-mortem analysis of the incident, documenting lessons learned, and updating the incident response plan accordingly.

A cybersecurity incident response plan is critical to the success of any organization’s cybersecurity program. With a well-defined plan in place, an organization can minimize the impact of a cyber attack and quickly return to normal operations. The incident response plan should be regularly reviewed and updated to ensure that it remains effective in the face of evolving threats. With the right incident response plan and a dedicated incident response team, organizations can ensure that they are prepared to respond to any cybersecurity incident that may arise.



CISCO kid

There have been several incidents of CISCO router hacking over the years, some of which have resulted in significant data breaches and network disruptions. Here are a few notable examples:

  1. Shadow Brokers: In 2017, a group calling themselves the Shadow Brokers released a trove of hacking tools allegedly stolen from the NSA. Among these tools were exploits targeting vulnerabilities in CISCO routers. The exploits, dubbed “EPICBANANA” and “EXTRABACON,” could allow attackers to gain access to the routers and take control of the network.

The tools were believed to have been used by the NSA’s elite hacking team, the Tailored Access Operations (TAO), and included a range of exploits and vulnerabilities targeting various software and hardware systems.

The release of the NSA tools caused widespread concern among security experts and government agencies, as the tools could be used by cybercriminals and state-sponsored hackers to launch sophisticated attacks against targets around the world. The Shadow Brokers claimed that they were auctioning off the remaining tools to the highest bidder, but it’s unclear if they were able to sell them or if they are still in possession of them.

The incident highlights the risks associated with the development and stockpiling of offensive cyber tools by government agencies. While these tools can be useful for intelligence gathering and national security purposes, they can also be stolen, leaked, or otherwise compromised, potentially causing significant damage to the security and stability of private networks and the internet as a whole.

  2. Vault 7: In 2017, WikiLeaks published a series of documents allegedly detailing the CIA’s hacking capabilities. Among the tools described were exploits targeting CISCO routers.

The documents, believed to have been leaked by an insider, provided an unprecedented glimpse into the world of cyber espionage and the tools and techniques used by the CIA to carry out their operations.

Among the tools described in the Vault 7 leaks were several exploits targeting vulnerabilities in CISCO routers, which are widely used in enterprise networks and critical infrastructure systems. These exploits, codenamed “CherryBlossom” and “CherryBomb,” could allow the CIA to monitor and manipulate network traffic passing through the routers.

The Vault 7 leaks caused widespread concern among security experts and government agencies, as they revealed the extent to which intelligence agencies can carry out sophisticated cyber attacks against targets around the world. The leaks also raised questions about the legality and ethics of government-sponsored hacking, given the potential for collateral damage and unintended consequences, including within those governments’ own countries and those of their allies.

In response to the leaks, CISCO released a statement urging customers to ensure that their software was up-to-date and to implement strong security practices to defend against cyber attacks. This incident reinforces the importance of strong cybersecurity practices, of watching what the government is doing, and of keeping your networks secure through patching and monitoring.

  3. VPNFilter: In 2018, a malware campaign dubbed VPNFilter was discovered to be targeting CISCO routers, among other devices. The malware could allow attackers to spy on network traffic, steal sensitive data, and even render the routers inoperable. The campaign was believed to be the work of a Russian state-sponsored hacking group.
  4. SolarWinds: In 2020, it was discovered that a supply chain attack on software provider SolarWinds had resulted in the compromise of numerous government agencies and private sector organizations. Among the targets were CISCO routers, which were exploited to move laterally within networks and gain access to sensitive data.

The vulnerabilities exploited in CISCO routers had previously been discovered and addressed by the company, but many organizations had not applied the necessary security patches or updates, leaving their networks vulnerable to attack. This is a reminder of the importance of keeping software up-to-date and implementing robust security practices. It is also a reminder to keep an eye on your own government, which is sometimes the biggest problem.



More Ransomware – Be careful

https://www.bleepingcomputer.com/news/security/medusa-ransomware-gang-picks-up-steam-as-it-targets-companies-worldwide/



Everyone KNOWS TikTok shouldn’t be used

https://justthenews.com/politics-policy/fbi-director-wray-again-warns-national-security-threat-tiktok-poses



