Tag: companies

Cybersecurity tactics for small teams – Hardware Device Security – part 1

September 1, 2021 /

Please check the previous part – here.

After we already discussed how to assure your physical security and your network perimeter. The topic for the following two parts is the security of your hardware devices. And especially, I shall give you some ideas on how to secure your personal computer and your mobile phone. I shall provide a sample budget for a security-oriented personal computer, laptop, and mobile phone at the end of the parts. In the budget, I shall put the software appliances as well.

But before doing this, let’s have a short discussion of what a computer is and how we use it. The formal definition of a computer is:

A computer is a machine that can be programmed to carry out sequences of arithmetic or logical operations automatically. Modern computers can perform generic sets of operations known as programs. These programs enable computers to perform a wide range of tasks.

In other words, we have a machine, which works with data and can perform operations on it. It is similar to what our brains do for us but in a different way. In terms of computer security, it is essential to understand that your computer is a data carrier and data generator. The goal of your security awareness model is to protect the data and the generator logic. So we have to treat our computers the same way we treat our brains when we don’t want to share data. Aka by making sure we took all the necessary steps to secure access to our information.

So let’s do it. We start with:

Personal Computer/Laptop

We shall discuss the security of laptop computer because it has a more significant amount of attack vectors. We can apply the same list of attacks to workstations.

By definition – A laptop, laptop computer, or notebook computer is a small, portable personal computer (PC) with a screen and alphanumeric keyboard. It is important to note that a laptop is a total nightmare for your computer security policy in the physical security realm. It inherits the traits of all the hardware devices, including the ones related to garbage. Securing laptops is almost impossible, and a dedicated attacker most probably will manage to penetrate the defenses of your laptop one way or another. But let’s list the different attack vectors your laptop has.

On the diagram, you can see a standard data exfiltration workflow. The attacker makes the victim network sending data to a malicious service and, after that, reroute the data to his/her infrastructure
  • Theft: By being mobile, any laptop is a mobile data carrier similar to your paper documents and USB flash sticks. And by that, a dedicated attacker can steal the computer and gain access to your data. It is essential to mention that any encryption mechanism can slow down your attacker, but you can not determine whether it will stop him.
  • Location-based attacks: Companies such as Hak5 promote an exciting set of tools used for location-based attacks. They can penetrate your WiFi network, and even there are devices named RubberDucky. They look like a standard USB flash, but essentially they are cheating your computer that they are keyboard devices and execute a penetration script.
  • Malware: There are many types of malware, but these are most dangerous in terms of cybersecurity: trojan horses and ransomware. Both of them steal your data. In case of ransomware, you have to pay, and at least you receive notification that something wrong happened. In the case of trojan horses, you have no idea what is going on with your data.
  • Misconfiguration: Most of the laptops do not come with proper security configuration by default. Users without formal training can not configure the system, and it remains unsafe until a hacker penetrates it.
  • Pirated Software: Torrent trackers are a terrible place to download software. Usually, the cracked versions of the popular software come with already preinstalled malware. It is highly advisable to use open source or paid products.

Listed threats are only part of a long list of attack vectors an organization must take care of. Still, they are a good starting point, and if your small team manages to stop them, it can reach a good cybersecurity level.

Smartphones

After the introduction of IBM Simon, the smartphone industry had rapid growth. These days, devices are as powerful as a ten-year-old computer and can perform various tasks, which people kept only for computers for a long time. It is fantastic, but they are even worse in terms of cybersecurity than your laptop. They inherit all of your laptop’s problems with even smaller size and limited control over the hardware. They are a nightmare in terms of computer security. But let me list the different attack vectors which your smartphone can introduce:

  • Outdated Operating System: To further push technical progress, hardware vendors usually discount older than four years old devices. And by discount, it means that these devices do not receive security patches and the latest version of their operating system. This approach leaves thousand of people without proper cybersecurity defenses.
  • Laptop Attack Vectors: As a less powerful computer, every smartphone inherits a laptop’s security problems. Even worse, once you store your data in your smartphone’s internal memory, it is almost impossible to erase it securely.
  • Conversation Sniffing: Hackers can use your smartphone to sniff your daily conversations by being constantly held near to you. Many hardware vendors implement security measures versus this kind of attack, but people must still be aware that such an attack is possible.

Next part is here

Cybersecurity tactics for small teams – Physical Security – part 2

June 1, 2021 /

Please check the previous part – here.

The same concerns as to real estate apply to all vehicle-related threats. Hackers can use your vehicle to track your activities and to decide when to execute an attack towards you. As a final list of perils, I would like to mention the dangers related to garbage. Most people do not consider their garbage as a cybersecurity threat. However, the truth is – this is usually the best source of intel for a given hacker organization. Let me list the different threats your garbage generates, and after that, we can create a simple budget of how to keep your and your devices secure:

  • Paper: Every paper document with personal data, addresses, or buying preferences leads to information leaks, which any hacker group can use to penetrate your defenses. A paper retention policy is a must for every organization these days.
  • Hard Drives: Techniques for data forensics become more and more advanced. Hackers can use these techniques to retrieve data from hard drives and SSD drives found in the garbage. It is better to treat your Hard and SSD drives as paper documents and not resell or throw them away.
  • Mobile Phones: Modern mobile phones are computers. Deleting data from them is pretty tricky. To keep your organization safe, you must treat them similarly to paper documents and hard drives. 
  • Electronic Devices: Every smart device in your home and office is a low-level mini-computer that stores and records data. Hackers can read the storage chips of these devices with proper machinery. They can use the data stored there for malicious activities.
You can see a diagram showing how a small organization or even a freelancer handles their priorities in terms of cybersecurity. Everything starts with the digital garbage and its retention policy.

You can notice that the number of attack vectors to your persona is quite significant. And we are only in the physical security realm, without mentioning any digital space. As promised at the beginning of the article, I shall present a simple list of tools and activities, together with a budget. Using them, you can set up your cyber defenses on a limited budget:

  • Hardware toolkit (100$): This toolkit will give you the availability to disassemble all of your electronic devices and destroy them. If you have better knowledge of electronics, you can cut the power of your laptop microphone and camera. 
  • Paper Shredder (50$): A shredding machine can destroy paper documents, credit cards, and everything which looks like a paper-sized card. Still, cutting through the papers is just a first step, but not enough.
  • Camping Gear (50$): There is no better way of document destruction than burning them. With camping gear, you can go to the woods, have a barbecue, and meanwhile destroy all of your not-needed documents.
  • Safe (500$): Paper is the ultimate data storage. With proper care, it can survive over 100 years or more. Still, you must keep the paper somewhere, and there is no better place than a safe. For this money, you can get a safe the size of a standard desktop drawer unit. It is more than enough to store all of your documents.
  • Home And Vehicle Security Systems (4000$): Still using security systems without a network system can be pretty advantageous for you. An isolated security system can send you SMS messages when an event happens. Sure it is a little bit more expensive, but the only way of disabling such systems is by bringing a Faraday cage.

With a total budget of around 4700$, we achieved a pretty good level of security. Still, a determined attacker can penetrate this setup, but it will take him more time and resources. To break a safe, you should cut through it. And this generates sound. Sound is terrible for attackers, and it can alert neighbors.

In conclusion, just one more piece of advice. When you choose electronic devices (including a car) for your home, please research how smart the device is. The more intelligent it is, the more prone it is to hacking. Devices without Internet access are the best because the chance of hacking is relatively low or nearly zero.

Next part – here.

Photo of my last garbage destruction event. You can see the old paper documents burned.

Are law firms high value target for hackers?

May 20, 2021 /

New York-based law firm fell victim to a cyber attack. That wasn’t only unfortunate for the firm alone, but for the countless celebrity clients, they represent. Their client list comprises many A-level celebrities.

All these people fell victim to hackers.

The hacker group that carried out the attack remained unnamed. It got dubbed REvil because that’s the ransomware used by the group.

The cybercriminals targeted the law firm’s internal data systems. They managed to get away with 756 gigabytes of data, which they deemed was worth $21 million in ransom. When the law firm stated they had no intention of paying a dime in ransom, the criminals released a statement that they’re doubling their ransom request to the staggering $42 million.

After the firm refused to comply with the ransom demand, the hackers released an astonishing 2.4 gigabyte batch of data. It included private files and all sorts of sensitive information: contracts, non-disclosure agreements, promotional agreements, and expense sheets, among others.

The data dump wasn’t the only bombshell the cybercriminals dropped. They claimed to have an ace up their sleeve. They had private documents belonging to the American President. The law firm was quick to deny having any business dealings with the President. They only claimed that his name only got mentioned in some of their documents connected to their other clients.

Due to the hack’s success and the massive breach of privacy, the FBI got involved. They advised against paying the ransom as, in most such cases, payment doesn’t do much besides cost the victim money.

If you’re a victim of cybercriminals, you’re in a lose-lose situation. If you refuse to pay them, they can release the information they stole if that’s what they wish, and the victims get left to deal with the consequences. To pay the ransom they demand means you’re accepting their promise to destroy the data they stole.

You can see a standard distribution for malware types on the diagram and how the malware authors target their victims. In the case of organizations, the main approaches for crime making are data steal and ransomware

Can you trust the word of hackers? No, you can’t. However, it is essential to know that if the criminals do not hold their word, no one will pay the ransom to have this final option. Unfortunately, paying the ransom usually motivates more and more criminal groups to execute such operations.

This hack wasn’t their first attempt to score big. The attackers carried an attack on a foreign currency dealer as well. However, the ransom demand they went with paled compared to the $42, or even $21, million they demanded from the law firm. In this case, they asked for $6 million under threat to delete customer data. After a few weeks of having their services kept offline, the dealer caved and coughed up $2.3 million as payment.

Especially with COVID-19, more and more law and financial companies can become a target to attackers. It is essential to understand that blind fate into your cloud provider is only part of the equation. Every organization must take care of its defenses and upgrade them as much as it can. Only doing this can make attackers’ life harder.