
The importance of information security for SMEs

This is the first post in a series of blogs focused on ‘information security at SMEs’. In these posts we explain step by step how SMEs can improve the security of their information. This first post frames the importance of information security for SMEs; the follow-up posts go deeper into the approach.


Today it is unthinkable, also for SMEs, to function without information technology and access to the internet, let alone to stay competitive with the larger companies and multinationals that invest heavily in digital innovation, in a world where products and services have to be available faster and continuously via the digital highway.

Information technology brings many advantages, but also risks. Hackers, competitors and malicious employees can damage your business in many ways.
For instance, they can:
• steal your information, so that you lose a competitive advantage.
• leak your information, so that your reputation suffers and you may also be investigated by a supervisory authority (e.g. the data protection authority), with fines as a result.
• encrypt your data (ransomware).
• take your website or systems down, putting business continuity at risk.

The likelihood, the impact and the visibility of information security incidents have only increased in recent years. Moreover, SMEs run a higher risk because they have less IT budget, staff and expertise than larger companies.
The importance of the right expertise keeps growing because of the increasing complexity of the IT and information security landscape.
Cybercriminals know all too well that smaller companies depend heavily on their information (assets) and are less well protected, and they therefore often focus their attention on these easy prey. This was confirmed, among others, by a Symantec study which found that 60% of cyber attacks were aimed at SMEs.
In contrast, SMEs (wrongly) see themselves as unattractive targets for cyber attacks and estimate the chance of ever becoming a victim as (very) low. As a result, SMEs structurally invest too little in information security.
Often they only start investing after they have been the victim of a cyber incident. As so often, prevention is better than cure, and with a number of targeted measures the likelihood and impact of incidents can be reduced considerably.

In the next blog post we go deeper into how SMEs can reduce their risks optimally, while taking into account the more limited resources that SMEs have at their disposal.

Would you rather contact us right away for advice tailored to your company? Get to know us and send us a no-obligation email.


OWASP BeNeLux Days 2018

I love working with OWASP because I strongly believe in the values of knowledge sharing and community building. I personally started the OWASP Belgium chapter in Belgium in 2005. Today, I am also very active as co-leader on the OWASP SAMM project.

When I started my company Toreon (cyber security consulting), I tried to instil the same values in the business. I attracted people with the same mindset of knowledge sharing. Now many of my colleagues are active at OWASP and Toreon’s Steven Wierckx is the project leader on the OWASP Threat Modeling Project.

We believe that donating time and money to open source projects and the OWASP community can really improve the overall security of software (realising Toreon’s mission of ‘Creating trust for a safer digital society’).

At the same time we learn a lot by being active in these projects and we build a network of specialists and friends within the OWASP community.
We also put our money where our mouth is: Toreon is a proud sponsor of the OWASP Belgium chapter and the upcoming OWASP BeNeLux Days on the 29th and 30th of November in Mechelen, Belgium, which has great free trainings and line-up: check it out here.
Make sure to come to the conference and if you can, become a (personal or corporate) OWASP member! And please tell all your friends and colleagues about OWASP.

At the conference, come and say hi at our booth! You can win a book from Adam Shostack on Threat Modeling or a Google AI do-it-yourself kit with an intelligent camera and a Raspberry Pi.


Belgian Cyber Security Challenge CTF: A Junior’s View

The Belgian Cyber Security Challenge is a Capture-The-Flag game that’s focused on cybersecurity. The event is organised by Toreon’s friends NVISO.

Timeline:
Wednesday, 10 am: my team’s 32-hour adventure started: capturing as many flags as we could possibly find.

10:30 am: first blood! After half an hour we already found a first flag that placed us in the top five on the scoreboard.

12:00 am: finally a second flag we could submit to the platform!
As all team members finished working, we gathered on voice chat to discuss strategies and started brainstorming around the challenges. At first sight it seemed like NVISO had stepped up their game, since the challenges last year were not as difficult as in this edition.

6:00 pm: it had been six hours since we last submitted a flag. Other teams caught up with us and we started to lose all hope. But then we started to understand how certain challenges were built and where we should look for the flags.

6:30 pm: new flag, back on track! We were frustrated since a lot of people had found the flag of the so called ‘ModBusted’ challenge, inspired by Industrial Control Systems. Two of our team members had already done some research on ICS-systems in the past but we just couldn’t find that one easy flag that everyone else did.

07:45 pm: Yeahaa! We found it! This flag took us from 61st place all the way back to 22nd! At this point we were so happy and filled with new hope.

09:30 pm: We lost too much time on this one. This was probably the last easy one we found.

11:00 pm: We put our heads together to solve the ‘Whistle’ challenge and – yes! – we were the third ones to solve it. Our first big win: 90 points!

01:45 am: last flag for this session. It took us a while to figure out where the flag was hidden since this was a forensics exercise.

Until 4 am we kept searching but we were all too tired to keep on digging for flags so we took a nap to continue with clear heads the next morning.

11:15 am: submitted the new flag! What’s next? The time is ticking guys! The contest would end in only seven hours. We had to come back to this one ‘XYZ-adventures.com Data Exfiltration’ challenge several times. The organisation provided us with data capture files and we had to find where the flag was hidden in that giant pile of data. One team member found credentials that were sent while capturing the data. With these plain text credentials we could log into his mail account and retrieve a word document from his mailbox.

12:45 pm: The flag was found in the document properties.

05:15 pm: We submitted the flag we just found but we needed to find some others.

06:00 pm: END of competition, Team BlumBlumShub ranked 24th place on the scoreboard.

During the competition we heard that only the first eight would qualify to compete in the finals. Afterwards we received a mail saying that the top forty-five can join a second CTF in two weeks and compete for another eight places in the finals.
So stay tuned for more in a few weeks!


Why the IT-OT Convergence is all about knowledge sharing

After attending the fifth Cyber and SCADA Security for Oil & Gas Industry conference, it became apparent lots of companies are having a hard time with the mingling of IT staff in the OT/ICS environments; the so-called IT-OT Convergence.

My personal opinion is that the involvement of the IT people in OT environments is a very positive thing, as both typically have their strong points:
– IT environments often have a broader experience of assessing cyber threats and their associated attack vectors as they have long left the ideology where they could protect all information systems by merely ensuring the physical security of the building they are placed in.
– Both IT and OT face increasing numbers of targeted attacks towards their environments, like Zeus, NotPetya, Trisis, BlackEnergy…
– Lots of IT-targeted attacks created collateral damage in the OT environments due to the type of malware and their attack vectors (e.g. the numerous ransomware attacks that were seen on SCADA and ICS systems, which were spread by infected USB devices or just because the system had direct internet access).
– OT people often have far more experience in risk and safety analysis, as they have been doing it for the better part of a century.

When combining these strong points, we might just create an acceleration in the ever-so-slow development cycle of the OT environments. However, we must also keep a few important things in mind:
– OT and IT have very different goals regarding what they want to protect from cyber-attacks. IT is typically all about confidentiality and privacy, where the OT environment is all about (personal) safety, reliability and availability.
– Some technologies in IT seem like a good fit for particular problems within OT, but they might break more than they fix. OT environments often contain legacy systems dating from the eighties or even earlier, which use proprietary protocols and may have been retrofitted to communicate over IP networks. Some automated network scans could, for example, break an older RTU just by pinging it.

With OT environments undergoing a skill drain, there are important challenges ahead that might require innovative approaches and efficiency gains.

I would strongly advise to keep putting the IT people in OT environments and vice versa, but solely to act as advisors to one another. Both have years or even decades of experience in their respective areas and now that they are facing similar challenges, time has come to join forces and go for a safer tomorrow!


Using ‘Embrace Cybersecurity’ to check on security progress

In previous blog posts (Business and IT aligned with Cybersecurity and Baselining Cybersecurity), I introduced our ‘Embrace Cybersecurity’ (EC) model for gathering security requirements that can be used to create an information security policy.

Using this method makes it easy to then also follow up on progress. We can do this by creating the right KPIs. From the question ‘How do we meet the goals we chose to aim for?’, we can also define the KPIs. In the EC model this is represented by the ‘Keyword’ cards.

The Toreon security expert drills down on the chosen keyword to define the right metrics. These metrics become the KPIs to measure the security controls put in place.

However, reporting is not enough. The output of the EC model needs to be translated into the right management practices. How this is done, will be discussed in another blog post.

During the adoption of the information security policy, you might come across a misalignment between what the business and IT want as goals. Another blog post will detail how to identify this misalignment and how to get everyone on the same page.

This is key for a functional information security policy.


Business and IT aligned with cybersecurity

The owner of information

In today’s organisation, information is primarily managed and processed by IT. The IT department is very often also made responsible for securing the information in the systems that the business uses. Reports of recent cybersecurity incidents tell us this is definitely not right, and recent legislation like the GDPR agrees.
A holistic information security policy needs to start with the owners of the information, the business. They have to tell you what is important to the business; what needs to be protected. Then business and IT need to be aligned with those requirements. We can do this by helping them use the same frameworks and language.

Gathering security requirements

The challenge of gathering requirements lies in:

  • getting agreement on the goals of IT and business.
  • using and combining different IT and security frameworks like COBIT, ISO 27000 and SABSA to define and align those goals.
  • bridging the different vocabularies in IT and Business so both clearly understand the goals you want to achieve with your information security policy.


To get this done, we at Toreon created the ‘Embrace Cybersecurity’ approach. This approach helps IT and business to come together to figure out the cybersecurity objectives of the organisation, how they want to achieve them and also which risks they face in order to achieve them.

This information is gathered in workshops that are supported by playing cards, themed: ‘Enterprise goals’, ‘IT goals’, ‘Keywords’, ‘Risks’ and ‘Actors’. The cards help collect information from the different departments in the organisation about what they see as goals, how IT should work and what security risks there might be.

The output is then combined in the overall risk register, so that mitigation actions based on the ISO 27001 standard can be defined. These mitigation actions lead to the creation of an information security policy that is aligned with both business and IT.

Theory and expertise behind ‘Embrace Cybersecurity’

The Embrace Cybersecurity approach uses the frameworks COBIT 5, ISO 27000 and SABSA, and the expertise of the Toreon security experts is the glue that brings it all together. This seems like a lot of different frameworks and you might wonder how they can be combined to deliver actionable results. We dissected the different frameworks and picked only those aspects that work best to gather the most complete and correct information. And of course this includes using the correct vocabulary for both business and IT.

Reference for the owner of information.


7 ways to secure your Microsoft network for free

Cybersecurity is a hot topic. The rules are getting increasingly strict – look at the GDPR – and attackers are becoming ever more inventive. So robust protection is vital. Luckily, an acceptable level of protection doesn’t need to cost very much. If you use Microsoft, you have access to all kinds of free tools included in the existing Windows licences. Here are seven ways to secure your network for free:

  1. Windows Event Forwarding

By gathering useful logs from workstations and servers on a central collection server, you increase visibility on these machines. This enables you to detect attackers. This function, ‘Windows Event Forwarding’ (WEF), does not require an extra licence, making it a free alternative to other log centralisation solutions. By combining this with a free log analysis tool such as ELK, you can create a powerful solution to detect attacks while they happen and collect evidence after an incident. There is one drawback: WEF is limited to Microsoft platforms.
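As an added example (this is not code from the original post or from Toreon), the PowerShell below creates a source-initiated WEF subscription on the collector server with `wecutil`, the built-in tool the feature ships with. The subscription name, its description and the event IDs it selects are assumptions chosen for the example, and the collector hostname in the client-side comment is a placeholder.

```powershell
# Added example, not part of the original post. Run elevated on the WEF
# collector server after the collector service has been set up (`wecutil qc`).
# Subscription name, description and the selected event IDs are choices made
# for this example; adapt them to your own detection use cases.

$subscriptionName = 'Example-Security-Events'   # hypothetical name

# Events that are useful for detection: logons (4624/4625), process creation
# (4688; needs the audit policy and command-line logging enabled on clients),
# scheduled task creation (4698) and new services (7045 in the System log).
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4688 or EventID=4698)]]</Select>
  </Query>
  <Query Id="1" Path="System">
    <Select Path="System">*[System[(EventID=7045)]]</Select>
  </Query>
</QueryList>
"@

# Source-initiated: clients push to the collector, so only the collector's
# address has to be distributed via Group Policy. The SDDL allows members of
# Domain Computers (DC) and Domain Controllers (DD) to forward events.
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$subscriptionName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security-relevant events from domain-joined machines</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
$query
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
"@

$xmlPath = Join-Path $env:TEMP "$subscriptionName.xml"
Set-Content -Path $xmlPath -Value $subscriptionXml -Encoding Ascii
wecutil cs $xmlPath          # create the subscription from the XML file
wecutil gs $subscriptionName # print the stored subscription to confirm it was accepted
wecutil gr $subscriptionName # runtime status: which source machines have checked in

# Client side: the Group Policy setting Computer Configuration > Administrative
# Templates > Windows Components > Event Forwarding > "Configure target
# Subscription Manager" writes this registry value on every client:
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager
#   "1" = "Server=http://COLLECTOR.example.local:5985/wsman/SubscriptionManager/WEC,Refresh=60"
# (COLLECTOR.example.local is a placeholder.) Clients must also have NETWORK SERVICE
# in the local Event Log Readers group, otherwise the Security log cannot be read.
```

Forwarded events end up in the collector’s ForwardedEvents log, which is the single place a shipper for ELK (for instance Winlogbeat) has to read; the point of the source-initiated mode is that no per-client configuration beyond the one Group Policy value is needed, which keeps the setup within reach of a small IT team.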

  2. Privileged Access Workstations

Securing administrative IT tasks is one of the most important mainstays of a secure IT environment. A new solution – Privileged Access Workstations – is available in Windows 10 Enterprise. PAWs provide extra protection against attacks for workstations that are used for privileged access. There are no extra licences needed, so this tool is also completely free.

  3. Local Administrator Password Solution

In most business environments, the built-in local administrator account remains active on all workstations so that emergency access is possible at any time, even when the Windows domain is not available or reachable. In many cases, this local account has the same password on all the workstations. That is practical until the password is leaked and attackers suddenly have access to all your workstations. Enterprise password managers may provide a solution here, but they often require extra equipment or paid licences from external software vendors. The built-in Local Administrator Password Solution (LAPS) offered by Microsoft stores the password in Active Directory. These passwords can be generated automatically and at random, and are only accessible by authorised persons.

  4. Hard disk encryption: BitLocker

Many companies are embracing remote working and the BYOD principle. As a result, laptops, tablets and smartphones with sensitive information are more frequently outside the familiar business environment. When a laptop is stolen, the thief also has access to all the information saved on the local hard disk. Microsoft has a solution for this. BitLocker encrypts the hard drive with full disk encryption. External media can also be encrypted in the same way. This solution is included in the licences for Windows Professional and Enterprise. Moreover, key management can be centralised in a business environment so that an administrator can still decrypt the information if the user loses their key.

  5. Secure Boot

Physical access to workstations can be even further protected with Secure Boot. This prevents hackers from installing infected firmware on the system, which can cause damage before the operating system is even loaded.

  6. Device Guard

New types of malware are appearing every day, which means that traditional signature-based detection is no longer enough. Using techniques like polymorphism it is child’s play to get around traditional anti-virus detection. Device Guard is a combination of technologies that ensures that only trusted applications can run on the system, and it is included in the licences for Windows 10 and Windows Server 2016. Code integrity policies block programs that do not have a digital signature from the developer or whose digital signature is not on the list of permitted applications. This ensures that only reliable software can run on the system and malware can’t get a foothold.

  7. Credential Guard

Credential Guard uses virtualisation techniques for extra protection of the passwords and access tokens that are stored in memory. This is information that attackers are looking for when they take over a system and want to move laterally on the network. Credential Guard makes it more difficult for attackers to find and use credentials and hashes in memory. Without this information, the attacker is more easily contained on a single system.
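Also as an added example (not code from the original post or from Toreon), here is a read-only PowerShell posture check for the host-side controls from items 3 to 7: whether the LAPS client policy is enabled and whether the built-in administrator account is still active, whether the OS drive is BitLocker-protected and with which key protectors, whether Secure Boot is on, what the Device Guard code integrity enforcement state is, and whether Credential Guard and hypervisor-enforced code integrity are running. It assumes the legacy LAPS client (the AdmPwd policy key), the BitLocker module that ships with Windows Pro/Enterprise, Windows 10 / Server 2016 cmdlets, and an elevated prompt.

```powershell
# Added example, not part of the original post. Read-only: it only reports,
# it changes nothing. Run elevated on the host you want to check.

function Get-HostHardeningStatus {
    $result = [ordered]@{}

    # Item 3: LAPS client policy (legacy AdmPwd client; assumption of this example)
    $laps = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' `
                             -ErrorAction SilentlyContinue
    $result.LapsPolicyEnabled = [bool]($laps -and $laps.AdmPwdEnabled -eq 1)

    # The built-in local administrator is always RID 500, whatever it was renamed to.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    $result.BuiltinAdminName    = $builtin.Name
    $result.BuiltinAdminEnabled = $builtin.Enabled

    # Item 4: BitLocker on the OS drive (VolumeStatus: FullyEncrypted, ProtectionStatus: On)
    try {
        $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
        $result.BitLockerOsDrive      = "$($os.VolumeStatus) / protection $($os.ProtectionStatus)"
        $result.BitLockerKeyProtectors = ($os.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    } catch {
        $result.BitLockerOsDrive = "BitLocker module not available: $($_.Exception.Message)"
    }

    # Item 5: Secure Boot. The cmdlet throws on legacy BIOS machines, so treat that as "not applicable".
    try   { $result.SecureBoot = Confirm-SecureBootUEFI }
    catch { $result.SecureBoot = 'not supported (legacy BIOS / no UEFI)' }

    # Items 6 and 7: Device Guard and Credential Guard state from the DeviceGuard WMI class.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
    # SecurityServicesRunning: 1 = Credential Guard, 2 = hypervisor-enforced code integrity (HVCI)
    $result.CredentialGuardRunning = [bool]($dg.SecurityServicesRunning -contains 1)
    $result.HvciRunning            = [bool]($dg.SecurityServicesRunning -contains 2)
    # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit mode, 2 = enforced
    $result.KernelCodeIntegrityPolicy = switch ($dg.CodeIntegrityPolicyEnforcementStatus) {
        0 { 'off' } 1 { 'audit' } 2 { 'enforced' } default { 'unknown' }
    }
    $result.UserModeCodeIntegrityPolicy = switch ($dg.UsermodeCodeIntegrityPolicyEnforcementStatus) {
        0 { 'off' } 1 { 'audit' } 2 { 'enforced' } default { 'unknown' }
    }

    [pscustomobject]$result
}

Get-HostHardeningStatus | Format-List
```

A useful way to read the output: `BuiltinAdminEnabled = True` together with `LapsPolicyEnabled = False` is exactly the shared-local-password situation item 3 warns about; `KernelCodeIntegrityPolicy = audit` means Device Guard is logging what it would block but not yet blocking it, which is the normal first stage before enforcing; and a `SecureBoot` result of "not supported" on a modern laptop usually means it was installed in legacy BIOS mode rather than that the firmware lacks the feature.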

Interested to learn more? Get in touch.