Blogs

Check Yourself Before You Assess Yourself

7 Questions to Achieve Awareness of the Security Posture of Your Environment

After working as a consultant for several years, I sometimes think back to my days as a SCADA security analyst for an oil and gas company. If I knew then what I know now, how would I have done things differently? If I were responsible for keeping an oil and gas company’s assets, processes, and people safe from cyber threats, how would I go about doing that? Where [...]

The Three Critical Misses of a Tool-focused Cybersecurity Investment Strategy

As cybersecurity consultants, we see this scenario far too often: Company X has a wake-up call regarding cybersecurity. This often comes in the form of a compromise or breach, but it can sometimes be more subtle, such as the discovery of malware in a sensitive environment or a board-level mandate. Immediate calls for action are made for 30-, 60-, or 90-day action plans. Budgets are made available and those in charge go shopping for tools and technology to help solve the problem. Fast [...]

Preventing a Meltdown: Recommendations for the Meltdown / Spectre Vulnerabilities

Meltdown and Spectre Overview

Meltdown and Spectre are kernel vulnerabilities that can result in the loss of system confidentiality through access to unauthorized memory locations on the local system. Meltdown (CVE-2017-5754) affects Intel chips – mostly impacting PCs. Spectre is broader and is based on two separate vulnerabilities (CVE-2017-5753 and CVE-2017-5715) and also impacts AMD and ARM chips, so most PCs, Apple devices, and smartphones are also impacted. Cloud and virtualized environments can also leak memory outside the running virtual [...]

Data Security, APT Activity, and Inherited Risk for ICS

In traditional IT security, there is heavy focus on data — data security, data breaches, data loss. It has often been said “it’s all about the data.” This generally isn’t the case for Industrial Control Systems (ICS). There are a few exceptions, but you will often hear discussion about the C-I-A triad for ICS where “C” (confidentiality) takes a lower priority position behind Availability and Integrity. I’d like to challenge this notion, not from the angle of data within [...]

Validating Security Controls and Countermeasures with Penetration Testing

It’s been a few weeks and the dust is starting to settle following the reported data breach in September 2017 at Equifax, one of the big three credit reporting agencies. While other major data breaches have been the result of advanced methods possibly utilizing leaked classified attack techniques, this attack was performed by exploiting a well-known vulnerability within a popular web application. Although this vulnerability had a corrective software patch available, it was not applied to the vulnerable servers. In [...]

Three Reasons to Add a Discovery Phase to Your Next OT Security Assessment

Many of us have accepted that having a 100% accurate inventory of “all the things” (networks, assets, data flows, etc.) is a pipe dream. To put it in NIST CSF terms, if you wait until you master the IDENTIFY function before you do anything in the remaining functions (PROTECT, DETECT, RESPOND, RECOVER), you will likely fail at securing even the most basic environments. So, the condition that Jeremiah Grossman describes in the Tweet below is the reality that we [...]

ICS Cybersecurity: 3 Reasons Why Periodic Technical Assessment (Still) Matters

“Our SCADA communications use AES256 and are 100% secure so we don’t worry too much about security.” That’s a real quote from a real Industrial Control System (ICS) manager from this decade. A technical assessment of that system proved otherwise—there were in fact real cybersecurity vulnerabilities that required immediate and long-term remediation. With all the headlines and activity around cybersecurity for ICS, owners and operators of this technology are challenged to determine what they should be doing to manage their [...]

Practical Steps for Petya Ransomware Protection

You may have heard that there is a new ransomware campaign leveraging the EternalBlue (MS17-010) exploit from the recent Vault 7 leaks. In less than 36 hours, Petya has had a global impact. Initial reports indicate Petya was targeted at banks and power companies in Ukraine. However, it has spread globally, affecting pharmaceutical companies in the UK, oil shipping companies in Russia, multiple companies across North America and Europe, and transport ships operating in international waters. Revolutionary Security has been [...]