By Greg Johnson, CEO Webcheck Security



Recently, the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) posted this notice: US think tank organizations were being targeted by advanced persistent threat (APT) actors. The resultant list of mitigations, though directly suggested to strengthen the affected orgs’ cyber posture, applies equally to most businesses. The mitigations, or controls as most would call them, are divided into three categories: Leaders, Users/Staff, and IT Staff/Cybersecurity Personnel.


Leaders

The first mitigation, and in fact the only one suggested for the Leaders category, was the implementation of a cyber awareness training program. Such a program is critical to stave off the onslaught of vishing and phishing success which fraudsters are perpetrating.


Minutes ago I was on a call with a large organization hit by a fraudster in an email and voice call scam. The bad actor had gained root access to the unsuspecting user’s machine, spanning a couple of hours. Finally the user realized he was being taken and notified IT, who immediately “pulled the plug” by disconnecting from all network sources and initiated a forensic investigation with our team.


Fortunately, no access to other servers was apparent and very little data of consequence was exfiltrated, but a few minutes more on the network and the results, including ransomware and other malware introduction, might have been disastrous. The moral here is to take CISA seriously – implement a training program!


Users/Staff

Next, CISA recommends the following six controls, which in my mind are foundational and should be in place in every organization:


1) Log off remote connections when not in use.

2) Be vigilant against tailored spearphishing attacks targeting corporate and personal accounts (including both email and social media accounts).

3) Use different passwords for corporate and personal accounts.

4) Install antivirus software on personal devices to automatically scan and quarantine suspicious files.

5) Employ strong multi-factor authentication for personal accounts, if available.

6) Exercise caution when: 

-Opening email attachments, even if the attachment is expected and the sender appears to be known. See Using Caution with Email Attachments.

-Using removable media (e.g., USB thumb drives, external drives, CDs).


IT Staff/Cybersecurity Personnel

Finally, these controls will help round out a more robust cyber security program, especially if documented into policy and put into practice:


-Segment and segregate networks and functions.

-Change the default username and password of applications and appliances.

-Employ strong multi-factor authentication for corporate accounts.

-Deploy antivirus software on organizational devices to automatically scan and quarantine suspicious files.

-Apply encryption to data at rest and data in transit.

-Use email security appliances to scan and remove malicious email attachments or links.

-Monitor key internal security tools and identify anomalous behavior. Flag any known indicators of compromise or threat actor behaviors for immediate response.

-Organizations can implement mitigations of varying complexity and restrictiveness to reduce the risk posed by threat actors who use Tor (The Onion Router) to carry out malicious activities. See the CISA-FBI Joint Cybersecurity Advisory on Defending Against Malicious Cyber Activity Originating from Tor for mitigation options and additional information.

-Prevent exploitation of known software vulnerabilities by routinely applying software patches and upgrades. Foreign cyber threat actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations. If these vulnerabilities are left unpatched, exploitation often requires few resources and provides threat actors with easy access to victim networks. Review CISA and FBI’s Top 10 Routinely Exploited Vulnerabilities and other CISA alerts that identify vulnerabilities exploited by foreign attackers.

-Implement an antivirus program and a formalized patch management process. Block certain websites and email attachments commonly associated with malware (e.g. .scr, .pif, .cpl, .dll, .exe).

-Block email attachments that cannot be scanned by antivirus software (e.g. .zip files).

-Implement Group Policy Object and firewall rules.

-Implement filters at the email gateway and block suspicious IP addresses at the firewall.

-Routinely audit domain and local accounts as well as their permission levels to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account.

-Follow best practices for design and administration of the network to limit privileged account use across administrative tiers.

-Implement a Domain-Based Message Authentication, Reporting & Conformance (DMARC) validation system.

-Disable or block unnecessary remote services.

-Limit access to remote services through centrally managed concentrators.

-Deny direct remote access to internal systems or resources by using network proxies, gateways, and firewalls.

-Limit unnecessary lateral communications.

-Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.

-Ensure applications do not store sensitive data or credentials insecurely.

-Enable a firewall on agency workstations, configured to deny unsolicited connection requests.

-Disable unnecessary services on agency workstations and servers.

-Scan for and remove suspicious email attachments; ensure any scanned attachment is its "true file type" (i.e., the extension matches the file header).

-Monitor users’ web browsing habits; restrict access to suspicious or risky sites. Contact law enforcement or CISA immediately regarding any unauthorized network access identified.
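Two of the controls above, blocking the extensions commonly associated with malware (.scr, .pif, .cpl, .dll, .exe) and the container types antivirus cannot scan (.zip), and the "true file type" check that an attachment's extension must agree with its file header, are easy to state and easy to get wrong at the gateway. The following is an added example, not the author's or CISA's code, showing how a gateway filter can combine the two. The signature table and the sample attachments are constructed for the example; a production filter would rely on a maintained signature library such as libmagic rather than the handful of headers listed here.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Magic-number table. Constructed for this example from well-known file
# headers; a production gateway would use a maintained library (libmagic).
SIGNATURES: Dict[str, List[bytes]] = {
    "pdf":  [b"%PDF-"],
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "jpg":  [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "zip":  [b"PK\x03\x04", b"PK\x05\x06"],
    "docx": [b"PK\x03\x04"],   # Office Open XML files are zip containers
    "xlsx": [b"PK\x03\x04"],
    "exe":  [b"MZ"],           # DOS/PE header, shared by .dll, .scr and .cpl
    "dll":  [b"MZ"],
    "scr":  [b"MZ"],
    "cpl":  [b"MZ"],
}

# Extensions the advisory on this page says to block outright, and the
# container type it says to block because antivirus cannot scan inside.
BLOCKED_EXTENSIONS: Set[str] = {"scr", "pif", "cpl", "dll", "exe"}
UNSCANNABLE_EXTENSIONS: Set[str] = {"zip"}


@dataclass
class Verdict:
    filename: str
    action: str      # "allow", "block" or "quarantine"
    reason: str


def detect_types(header: bytes) -> Set[str]:
    """Return every extension whose magic number matches the leading bytes."""
    return {ext for ext, sigs in SIGNATURES.items()
            if any(header.startswith(sig) for sig in sigs)}


def classify_attachment(filename: str, content: bytes) -> Verdict:
    """Block by extension first, then verify the claimed extension against
    the file header so a renamed executable cannot slip through."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in BLOCKED_EXTENSIONS:
        return Verdict(filename, "block", f".{ext} is on the block list")
    if ext in UNSCANNABLE_EXTENSIONS:
        return Verdict(filename, "block", f".{ext} cannot be scanned by antivirus")
    detected = detect_types(content[:16])
    if ext in SIGNATURES and ext not in detected:
        looks_like = ", ".join(sorted(detected)) or "unknown"
        return Verdict(filename, "quarantine",
                       f"extension .{ext} does not match file header (looks like {looks_like})")
    if "exe" in detected:
        # Only reached when the extension is not an executable one, i.e. a
        # PE image renamed to look harmless (.txt, .dat, no extension...).
        return Verdict(filename, "quarantine", "PE header under a non-executable extension")
    return Verdict(filename, "allow", "extension matches file header")


def scan_attachments(attachments: List[Tuple[str, bytes]]) -> List[Verdict]:
    """Classify a batch of (filename, leading bytes) pairs."""
    return [classify_attachment(name, data) for name, data in attachments]


# Constructed sample attachments: only the leading bytes, no real malware.
SAMPLE_ATTACHMENTS: List[Tuple[str, bytes]] = [
    ("invoice.pdf",  b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("photo.jpg",    b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("report.pdf",   b"MZ\x90\x00\x03\x00\x00\x00"),   # PE image renamed .pdf
    ("notes.txt",    b"MZ\x90\x00\x03\x00\x00\x00"),   # PE image renamed .txt
    ("setup.exe",    b"MZ\x90\x00\x03\x00\x00\x00"),
    ("archive.zip",  b"PK\x03\x04\x14\x00\x00\x00"),
    ("quarter.docx", b"PK\x03\x04\x14\x00\x06\x00"),
]

if __name__ == "__main__":
    for v in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"{v.action:10} {v.filename:14} {v.reason}")
```

The ordering matters: the extension block list runs first so a double extension such as "invoice.pdf.exe" is caught before any header inspection, and the header check runs on everything else so that an executable renamed to .pdf or .txt is quarantined rather than delivered. Office documents pass because they really are zip containers, which is also why a gateway that blocks .zip must still open and scan inside .docx and .xlsx.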


Many organizations have the governance and IT support to implement all of the mitigations listed above, but many don’t. Webcheck Security not only has partnerships with wonderful IT augmentation groups but can lease a CISO or what is called a Fractional Information Security Officer (FISO) to guide the prioritization, policy and implementation of the above initiatives. For more information, please contact Webcheck Security at GetInTouch@webchecksecurity.com


If you’re a managed service provider (MSP) or IT provider/consultancy, a surfing analogy may apply to you! A friend of mine recently described a return to surfing. He was frustrated to note that a few decades and pounds past his glory days, he had a hard time catching the waves. He said they would just roll by and leave him in the dust. So, he adapted and did some body surfing, then knee surfing for a while, re-acquainting himself with balance and timing. 


Similarly, we find that many MSPs are “missing the wave” by leaving revenue on the table and not catching the cybersecurity surf. For a long time, businesses across Corporate America have tried to rely upon their own IT Departments in order to meet both their technological and security needs.  While this may serve its purpose, the world today is fast evolving into something that has never been imagined before – primarily fueled by the COVID19 pandemic.  


Rather than simply deploying the latest and greatest security tools/technologies and walking away until something goes wrong, the MSP of 2020 is trying to help their clients adopt a proactive mindset to Cybersecurity, including “leasing” them a CISO through partner companies like Webcheck Security.  


Webcheck calls this FISO, or Fractional Information Security Officer, services. This involves the creation of plans that will help businesses greatly mitigate the chances of being hit by a security breach.  We are all at risk of becoming a victim, there is no question about that.  But the key here is what are the necessary steps a business can take so that the statistical odds of being impacted in the first place are as low possible?



According to Earl Foote, the CEO & Founder of Nexus IT Consultants of Salt Lake City, Utah, for an MSP to make the transition from the break-fix model to one which provides a long-term relationship with the client takes a fundamental mind shift. In other words, it takes a huge cultural change in which the MSP has to align their value proposition with the needs of the customer.


The MSP must make themselves an extension of the customer and fulfill all of their contractual obligations.  For Nexus IT Consultants, this has been very easy to do with Webcheck Security, as they have been able to offer various Penetration Testing and FISO services to Nexus clients in meeting their compliance needs.


As CEO Earl Foote has summed it up:

“Working with Greg and his Team at WebCheck Security has been a refreshing experience that has allowed us to add a stable, responsive, value-added offering to our client relationships. Finding a reliable pen-testing and accredited auditing partner in our local market has been challenging.

We are an organization that prides ourselves on our white-glove, high-touch client care approach. Greg and his team have dovetailed nicely into those ideals and take very good care of our clientele.

Adding WebCheck’s pen-testing, auditing and consulting services to our lineup of offerings has enhanced and solidified client relationships and provided for an additional revenue stream that naturally fits into our model of cybersecurity and compliance centric solutions.”


By partnering with Webcheck Security, the MSP can offer the following services to instill that proactive mindset for your clients, and to keep up the differential advantage:


FISO Services:


Fractional Information Security Officer, or leasing a “CISO”, ensures the company has governance, prioritized cyber alignment with business risks and objectives, and the business model. The FISO can attend vendor and client meetings where an understanding of security posture must be discussed. FISOs can also serve to augment or fill Risk and Compliance Officer roles, ensuring that corporations are adequately prepared for annual SOC 2, PCI, HIPAA, NIST, HITRUST, ISO 27001 or other audits or compliance. 



Penetration Testing:


This is the only sure-fire way to know what the unknown vulnerabilities, gaps, and weaknesses are in your client’s IT and Network Infrastructure.  In many ways, this is like conducting an angiogram on the heart.  You simply do not know where the blockages lie in the coronary arteries until you inject dye into them.  The Webcheck team is made up of top-notch Pen Testers, with years of experience.  Not only do they have the technical knowledge to quickly ascertain what is wrong, but they also have the needed business acumen to convey solutions to the client so that it is very easy to understand, and that can be deployed in just a matter of a few hours.  


Data Privacy:


Let’s face it, this is a hot button topic that is never going away.  It is going to be around for a long time to come. Now, more than ever before, consumers across the United States and even the European Union, have the powers to get answers as to what is being done with Personal Identifiable Information (PII) datasets.  This has been primarily brought on by the recent passages of both the GDPR and the CCPA.  Not only can consumers ask questions, but businesses can face audits at a whim and face some very hefty fines and penalties if they are not found to be in compliance.  Organizations of all types want to know how they can avoid all of this. Many MSPs really do not offer these compliance services, but at Webcheck Security, we can offer this to you! This will give you a huge differential advantage amongst other MSPs when it comes to your cybersecurity offerings.  


Digital Forensics:


After a Cyberattack has occurred, one of the first questions that gets asked is:  “How did this happen???”  This can only be truly answered by conducting a deep dive analysis, and this is where Digital Forensics comes into play.  Many MSPs do not offer these kinds of investigative services, but at Webcheck Security we offer them, and can also extend this to your practice as well.  We do, not only the investigative piece, but we also help you to write up a report for your client. This report answers not only how exactly the breach precipitated in the first place, but steps that they can take to help mitigate the possibilities of it happening again.


The move to the Cloud:


As mentioned at the very beginning of this article, with the advent of the Remote Workforce, many businesses are now starting to deploy their entire IT and Network Infrastructures into leading Cloud platforms such as AWS and Microsoft Azure. Many MSPs today help their clients migrate their current On Prem assets there, but where they often fail is that they neglect to make sure all is secure. The fallacy in this thinking is that the Cloud providers will do all of this. While they do offer a huge plethora of security tools that your client can use, the bottom line is that they are not accountable for anything that may go wrong in your client’s configuration. It is your client’s ultimate responsibility to do this! This is yet one more area in which MSPs have not filled in their piece of the Cybersecurity pie. At Webcheck Security, we can offer this huge slice to you, by conducting quarterly security assessments of your client’s Cloud deployments.


In summary, don’t miss the wave! IT Providers and MSPs can find solid partners to deliver the cyber services which they don’t. Some of it, such as recurring FISO services, can also provide a monthly billing opportunity, add value, and create great “relationship cement” or stickiness with customers.



Testing and Securing Web Applications

By Greg Johnson, CEO of Webcheck Security

Cybersecurity is a multi-faceted pie with multiple pieces, independent yet connected. Each piece of the pie, whether dealing with policy, business continuity, anomalous alerts or signatures, is a critical component. Similarly, each piece of the critical pie becomes important as it relates to web applications.

We all use them – web applications – from QuickBooks to Microsoft Office or Google Suite, from banking apps, information portals, or SalesForce to Qualtrics; each application is supported by the critical pieces of the pie.

Testing and Securing Web Applications is a book touching not just on the web application itself, but the whole cloud infrastructure that supports it. Indeed, it is a book about cybersecurity in general. The book is laid out in the following manner:

Chapter 1. Network Security
Chapter 2. Cryptography
Chapter 3. Penetration Testing
Chapter 4. Threat Hunting
Chapter 5. Conclusion

From network protocols and infrastructure to the cryptography algorithms protecting data in transmission or storage, the base of the web application’s infrastructure is explored.

Next, the key elements of penetration testing – or benevolent hacking – are explored in detail. Tools and technologies, methods, even a step-by-step test process is described in detail. The “art” of pen testing is examined with its many components – not the least of which is skill at writing and documenting findings in a way which is helpful to developers.

Finally, hunting for threats by experienced analysts is explored in the context of a Security Operations Center or SOC. A SOC is a combination of technology and expert analysts. Such analysts are the professionals that find needles in a haystack, needles that can compromise the system and lead to a data breach.

Testing and Securing Web Applications is written for both layman and practitioner, and could serve as a course text. Chapter beginnings lay out and define concepts, and deeper descriptions await those wanting to learn. The inexperienced can choose to read chapter beginnings and paragraph introductions. The practitioner or those wishing to delve deeper can digest it all.

About the Author(s)

Ravi Das is a Business Development Specialist for The AST Cybersecurity Group, Inc., a leading Cybersecurity content firm located in the Greater Chicago area. Ravi holds a Master of Science degree in Agribusiness Economics (Thesis in International Trade), and a Master of Business Administration in Management Information Systems. He has authored five books, with two forthcoming ones on artificial intelligence in cybersecurity, and cybersecurity risk and its impact on cybersecurity insurance policies.

Greg Johnson is the CEO of the penetration test company, Webcheck Security. Greg started Webcheck Security after serving on several executive teams and a long sales and management career with technology companies such as WordPerfect/Novell, SecurityMetrics, A-LIGN, and Secuvant Security. A Brigham Young University graduate, Greg began his career in the days of 64k, 5.25" floppy drives and Mac 128k’s. As the industry evolved, Greg moved into the cyber arena and provided his clients with solutions surrounding compliance, digital forensics, data breach and response, and in 2016 earned the PCI Professional (PCIP) designation. In several business development roles, Greg consulted, guided and educated clients in compliance guidelines and certifications for standards including PCI, HIPAA, ISO 27001, NIST, SOC 1 and SOC 2, GDPR/CCPA, and FedRAMP.

When he is not providing cyber solutions for his clients, he can be found spending time with his wife Kelly, playing with his grandchildren, and rehearsing or performing with the world-renowned Tabernacle Choir on Temple Square.



