Three More No-Capex Ways to Detect Network Intruders

I previously outlined three strategies for detecting intruders on your network without the need for a large capital expense for specialized systems. In fact, you don’t even need a managed service provider.


Now, as promised, here are three more ways:

  1. Using time stamps and the geolocation of the source IP addresses, look for simple irregularities in log-ins and access patterns. The most obvious would be an account that is logging in from two countries so close together in time that it’s unlikely they are both legitimate. You can access geolocation data for free or low cost.
  2. When the HTML response sizes leaving your network are much larger than usual, that’s a sign you’ve probably been the victim of a SQL injection attack.
  3. Finally, watch for outbound web traffic where 30 or 40 browser windows are opening all at once. This kind of behavior is more likely a sign of an automated session rather than a human one.
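The first tip, logins from two countries too close together in time to both be real, is easy to script once you have timestamps and a geolocation lookup. The following is an added example written for this post, not code from the original; the GeoIP table, the login records and the 900 km/h "faster than an airliner" threshold are all constructed assumptions, and a real job would swap the table for a GeoIP database and feed it the actual authentication log.

```python
import math
from datetime import datetime, timezone

# Constructed GeoIP table for the example: IP prefix -> (lat, lon, country).
# A real deployment would query a free or low-cost GeoIP database instead.
GEOIP = {
    "203.0.113.": (-33.87, 151.21, "AU"),   # Sydney
    "198.51.100.": (51.51, -0.13, "GB"),    # London
    "192.0.2.": (47.61, -122.33, "US"),     # Seattle
}

# Constructed sample login records: (username, UTC timestamp, source IP).
LOGINS = [
    ("alice", "2016-05-14T08:00:00Z", "192.0.2.10"),
    ("alice", "2016-05-14T08:45:00Z", "198.51.100.7"),  # London 45 minutes later
    ("bob",   "2016-05-14T09:00:00Z", "192.0.2.22"),
    ("bob",   "2016-05-15T09:30:00Z", "203.0.113.5"),   # Sydney a day later: plausible
]


def geolocate(ip):
    """Longest-prefix style lookup against the constructed table; None if unknown."""
    for prefix, loc in GEOIP.items():
        if ip.startswith(prefix):
            return loc
    return None


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a sphere of radius 6371 km."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def find_impossible_travel(logins, max_speed_kmh=900.0):
    """Return (user, earlier_ip, later_ip, implied_speed_kmh) for each pair of
    consecutive logins by the same user from different countries whose implied
    travel speed exceeds max_speed_kmh (an assumed airliner-ish ceiling)."""
    alerts = []
    last_seen = {}
    # Fixed-width ISO timestamps sort correctly as strings.
    for user, ts, ip in sorted(logins, key=lambda rec: rec[1]):
        loc = geolocate(ip)
        if loc is None:
            continue
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        prev = last_seen.get(user)
        if prev is not None:
            prev_t, prev_ip, prev_loc = prev
            hours = (t - prev_t).total_seconds() / 3600.0
            dist = haversine_km(prev_loc[0], prev_loc[1], loc[0], loc[1])
            speed = dist / hours if hours > 0 else float("inf")
            if prev_loc[2] != loc[2] and speed > max_speed_kmh:
                alerts.append((user, prev_ip, ip, round(speed)))
        last_seen[user] = (t, ip, loc)
    return alerts


if __name__ == "__main__":
    for user, ip_a, ip_b, speed in find_impossible_travel(LOGINS):
        print(f"{user}: {ip_a} -> {ip_b} implies {speed} km/h, review this account")
```

Alice's Seattle-then-London pair is flagged (roughly 7,700 km in 45 minutes); Bob's Seattle-then-Sydney pair a day apart is not. Expect false positives from VPN exit nodes and mobile carriers that geolocate poorly, which is exactly the "what is normal here" learning the post describes.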

Will you have false positives? Yes. But you’ll also understand what’s considered normal on your network much better than you do today.

Do you have any low-cost, yet automated, strategies for network intrusion detection?

Three No-Capex Ways to Detect Network Intruders

Organizations can do a good job of detecting intruders who have infested their data network without buying and operating an expensive commercial network intrusion detection system. You don’t even have to hire an outside managed network security provider. Check out these three powerful strategies for dealing with this cyber risk:


  1. The first strategy is possibly the most powerful: Use your existing administrative tools to produce a daily report that shows all membership changes to all administrative groups for the past 24 hours. Then assign someone to validate every change. This will tell you if someone tries to “sneak in” through a privilege escalation.
  2. One sign that an attacker is “bedding down” in your network to conduct long-term surveillance is the unexpected patching of systems. Why? An attacker doesn’t want another attacker breaking in and messing up his inside access to your data network! So watch your vulnerability scans for systems that no longer need a patch you never pushed.
  3. To detect the staging of data for exfiltration, monitor your critical databases for sudden, unexplained swells in read activity. In addition, monitor all filesystems for large quantities of data suddenly or gradually appearing in the wrong places.

With each of these tips, I’m sure you’ll get a few false positives. And, you’ll have to climb a learning curve that keeps changing as the activity of your organization transforms over time. A new product launch will cause permanent changes in what’s considered “normal” on your network.

These are just the first three on my list. Next week I’ll give you three more. See you then!

Wi-Fi Security During Business Trips & Conferences

Although it’s often easy to use public Wi-Fi when you’re traveling, it’s also easy for someone to eavesdrop on your Internet sessions, even with Wi-Fi encryption enabled.


For example, the free network management tool Wireshark has a built-in function that automatically decrypts network traffic as long as you input the Wi-Fi password, which is typically posted on a sign for everyone to see.

Why do people want to view Wi-Fi traffic? The motivations are similar to why people attack computers in general: To steal money or steal secrets (e.g., passwords, social security numbers, pending business deals) that can be sold for money. Others with political agendas also steal data to further their cause.

Wherever you are, avoid public Wi-Fi in favor of a portable hot spot. Often, you can activate one on your mobile phone if you have that feature from your carrier. If you have no other choices and must be online, turn on a virtual private network (VPN) as soon as you can after connecting to someone else’s Wi-Fi. If your company doesn’t have a VPN, you can get one yourself, often for free, from a provider such as the highly rated CyberGhost VPN.

Final thought: Just because Starbucks, or some other trusted brand, offers free Wi-Fi doesn’t mean their Wi-Fi is as trustworthy as their paid products and services. Data thieves count on this confusion in the minds of consumers to steal data from everywhere they can!

Two Daily Actions To Contain Data Breach Costs

A single data breach can cost your company a lot of money. How much? Based on the NetDiligence 2015 Cyber Claims Study of actual insurance claims data, we know the average cost of a large company data breach is US$4.8 million.

Want to minimize the cost? Quickly identify the data breach.

How do I know that’s the best way? And, how do you do it quickly?

Here’s the first answer: Check out this data in the IBM/Ponemon 2015 Cost of Data Breach Study. This graph from page 22 of their report shows the relationship between the mean time to identify a data breach and total average cost:

(Graph from page 22 of the IBM/Ponemon 2015 Cost of Data Breach Study: mean time to identify a data breach versus total average cost.)

That’s a very clear connection, don’t you think?

OK, so how can you quickly detect a data breach without spending a ton of CapEx for a fancy intrusion detection system and then a ton of OpEx to run the thing?

Here’s how: Have your server administration teams run these two daily checks:

  1. Discover whenever someone becomes a privileged user by verifying all new accounts that have been added to any administrator or root groups
  2. Identify data being staged for exfiltration by noticing when large amounts of data suddenly show up in unusual places

With both these checks, the large majority of the work can be automated. The way you do it is use existing server management tools to compare and highlight the major differences between today’s and yesterday’s snapshot of (1) all your admin/root group members and (2) the percentage of free server disk space.
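The snapshot comparison just described (and the same daily admin-group report and "data appearing in the wrong places" check from the earlier "Three No-Capex Ways" post) comes down to diffing two small documents. Below is an added example, not code from the original posts: it assumes the existing server management tools have already dumped yesterday's and today's snapshots into the dictionary shape shown (both snapshots here are constructed), and it reports every admin/root membership change plus any mount whose free space dropped by at least an assumed 10 percentage points. Collecting the snapshots (group listings, disk free output) is left to whatever tooling you already run.

```python
import json

# Constructed snapshots standing in for the files a nightly job would write.
# Shape: {"admin_groups": {host: {group: [members]}},
#         "disk_free_pct": {host: {mount: percent_free}}}
YESTERDAY = {
    "admin_groups": {
        "db01":  {"sudo": ["alice"], "wheel": ["alice"]},
        "web01": {"Administrators": ["alice", "bob"]},
    },
    "disk_free_pct": {
        "db01":  {"/": 55.0, "/var/tmp": 80.0},
        "web01": {"/": 60.0},
    },
}
TODAY = {
    "admin_groups": {
        "db01":  {"sudo": ["alice", "svc-backup"], "wheel": ["alice"]},
        "web01": {"Administrators": ["alice"]},
    },
    "disk_free_pct": {
        "db01":  {"/": 54.0, "/var/tmp": 35.0},   # 45 points gone overnight
        "web01": {"/": 58.0},
    },
}


def diff_admin_groups(old, new):
    """Every membership change to a privileged group, as
    (host, group, member, 'added' | 'removed'), in a stable sorted order.
    Removals matter too: an intruder may drop a member to cover tracks."""
    changes = []
    for host in sorted(set(old) | set(new)):
        old_groups = old.get(host, {})
        new_groups = new.get(host, {})
        for group in sorted(set(old_groups) | set(new_groups)):
            before = set(old_groups.get(group, []))
            after = set(new_groups.get(group, []))
            for member in sorted(after - before):
                changes.append((host, group, member, "added"))
            for member in sorted(before - after):
                changes.append((host, group, member, "removed"))
    return changes


def diff_disk_free(old, new, min_drop_pct=10.0):
    """Mounts whose free space fell by min_drop_pct points or more since the
    last snapshot, as (host, mount, before, after). Mounts seen for the first
    time today have no baseline and are skipped."""
    alerts = []
    for host, mounts in new.items():
        for mount, pct_now in mounts.items():
            pct_before = old.get(host, {}).get(mount)
            if pct_before is not None and pct_before - pct_now >= min_drop_pct:
                alerts.append((host, mount, pct_before, pct_now))
    return alerts


def daily_report(yesterday, today, min_drop_pct=10.0):
    """The two daily checks in one structure, ready to hand to a human."""
    return {
        "admin_changes": diff_admin_groups(yesterday["admin_groups"], today["admin_groups"]),
        "disk_alerts": diff_disk_free(yesterday["disk_free_pct"], today["disk_free_pct"], min_drop_pct),
    }


if __name__ == "__main__":
    print(json.dumps(daily_report(YESTERDAY, TODAY), indent=2))
```

On the constructed data the report lists svc-backup added to sudo on db01, bob removed from Administrators on web01, and /var/tmp on db01 dropping from 80% to 35% free. Each line is a call to make, not an incident; the threshold is the knob you tune as you learn what normal churn looks like.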

The manual work is tracking down why those changes happened and making sure it’s a legit business reason. This will take some sleuthing at first to know who to call and what constitutes normal changes. But within a month you will settle down into a productive routine.

What other simple techniques have you used to detect data breaches?

Lean Into Your Cyber Risks To Thrive In The New Normal

How do you lean in? By pursuing cyber resilience through measurement, smart prioritization of future spending, and continuous improvement. Let’s quickly step through the plan right now, at a high level…

The rest of my blog post for today appears over at my good friend Mike Hamilton’s Critical Informatics web site.


Mike and I were chief information security officers (CISO) at about the same time a few years ago. He was at the City of Seattle while I was a couple miles away at PEMCO Insurance.

Like me, Mike and his team provide cybersecurity consulting services. But what makes his team different is their network security managed service, called Critical Insight. I’ve learned how they serve their customers with it and I wish I had it when I was CISO. Check it out! (After you read my post for today, of course.)

Anyway, here’s the link to my weekly post. You’ll find plenty of insights and actionable tips on how to thrive in The New Normal.

You Need A New Strategy on Malware

IT security firm Webroot just released their 2016 Threat Brief. One of the highlights was that:

…97 percent of the malware encountered by its user base in 2015 was unique.

That means hackers are relying almost exclusively on malware that is constantly creating new variants to avoid detection by signature-based anti-virus tools.


Webroot said the number of malware family variants skyrocketed from 14,000 in 2014 to 130,000 in 2015. Similarly, the number of observed family variants of adware, spyware and other unwanted non-malware apps jumped from 1,000 in 2014 to 90,000 in 2015.

This suggests attackers are making their code:

…more difficult to detect, using polymorphic distribution models and rapid new variant generation to circumvent traditional detection methods…

Meaning, the bad guys are working really hard to bypass endpoint security products to phish, social engineer, and otherwise exploit your end-user.

What’s the big takeaway? Detecting malware on your endpoints is almost a lost battle. It’s still worth doing, but your best next move is to get very good at detecting the consequences of bad infections: The attempted theft of money or data BEFORE it gets taken.

Ask yourself: What are the indicators of compromise? How can I detect them? Am I ready to respond at a moment’s notice?

If you don’t have these answers, you need to get them. Soon.

Phishing Training Without Recurring Fees

I’m sure you know that phishing is a leading method of exploiting people by online criminals. In fact, it’s the way $47 million was stolen from Ubiquiti Networks in 2015 and $54 million was stolen from Austria’s FACC (a parts supplier to companies such as Boeing and Airbus) in 2016.

Chances are, either you or your organization has suffered a phishing attack. The question is, what should you do to keep from becoming a victim?

More than anything else, you need to train all your people, including (particularly?) the CEO and their direct reports. And the best way I know to do that is to actually send them test phishing attacks. There are commercial services you can subscribe to like Phishme or KnowBe4. Obviously, these services cost real, green dollars. And, you need to test people in a way that will encourage them to trust management. (I guarantee that surprise testing followed by public shaming will destroy trust.)

But now there’s another way that I just discovered: gophish, an open source phishing test framework that was launched in early January 2016. gophish appears to be especially good for organizations that have a “do it yourself” culture and an intense desire to avoid spending money without a “no-brainer” business case.

By the way, in case you need help to make your business case, here are some current phishing stats I found over at the PCI Security Standards Council blog:

  • 13% of the annual cybercrime cost globally for companies is due to phishing and social engineering.
  • Phishing costs the average U.S. organization more than $3.7 million annually.
  • Every day 80,000 people fall victim to phishing scams from 156 million phishing emails sent globally ‒ 16 million of which circumvent spam filters ‒ resulting in 8 million scam emails being opened.

Anyone out there want to take gophish out for a spin? Let me know what happens…

How To Use Google Authenticator

Ready for the next step to up your Internet security game? Our goal with this step is to keep your password from being a single point of failure.

Not too long ago, Google launched a free two-factor authentication service, called “2‑Step Verification” (2SV). The Google Authenticator app is one way to use 2SV.


I took a cautious approach to implementing Google Authenticator (GA). I was concerned about locking myself out of an account, so I invested a little time up front to study it.

GA is just one option within Google’s 2SV program. You can make a choice of how you want to get the codes (each consisting of a six-digit number) when you need them:

  1. Sent to you by text message (SMS)
  2. By receiving a phone call
  3. Via the Google Authenticator app
  4. Using a list of pre-printed codes you can carry in your wallet

Also, during sign in, you can tell Google not to ask for a code again on that web browser. This will cut down on your workload and is fine if you don’t share your computer.

I went to the iPhone App Store, searched for “Google Authenticator” and installed it. There are also Android and BlackBerry versions.

Then, I followed the instructions to enroll my Gmail account. As a precaution against losing my phone, I set a backup phone number (my wife’s) and I also got some pre-printed codes that I’ve put in a safe place.

My first big surprise came when I tried to check my email from the Gmail app on my iPhone. Within the app I got prompted for my user ID and password, and then for my 2SV code. Here are some tips:

  1. You can switch over to Google Authenticator by double-clicking on your iPhone button and scrolling to the right.
  2. Or, you can press the button once and then tap on the icon wherever it is on your iPhone desktop.
  3. Note that the codes change every 30 seconds. The codes themselves turn red when they are about to change. There is also a small countdown clock on the right side of the screen (see screenshot below) so you can get an idea of when the codes will change.
  4. Quickly memorize the six-digit code, then switch back to the Gmail app, and enter it.


The next day I noticed my Calendar iPhone app wasn’t updating. I quickly realized 2SV was stopping me, but I didn’t know how to enter a code. Turns out I had to enroll my Mail and Calendar apps by using an application-specific password. It’s not very difficult so just follow the simple instructions.

Are you ready to implement Google Authenticator? Why not? If you did already, how did it go for you?

How I Use 1Password

Having chosen 1Password and made my initial configurations, I now use it in my daily workflow.

Initially, this change wasn’t easy. But, Cyber Risk leaders need to be good at changing their attitudes and behaviors. If nothing else, you must be able to set a good example for others.


Disclosure: I have no relationship with the maker of 1Password other than as a customer who paid entirely for his own licenses. If you decide to purchase 1Password, there is no compensation in it for me. Another good choice is LastPass, which I strongly considered.

Rather than do tutorials and read the help documents, I learned how to use 1Password by playing around with it in my web browser: Creating new accounts at a few sites. I wanted to judge how easily I could pick it up just through using it.

I tried easy things first: Migrating some existing passwords from my Chrome password cache (which I stopped using, deleting all its records). Then, I figured out how to generate new, strong passwords using 1Password.

I quickly learned I needed to install the browser extensions. This is for convenience as well as a bit more security against keystroke loggers. Without the extensions, you have to either manually type the passwords at each site (which I’m not going to do) or use your browser’s password management feature (bad idea).

Here are some other tips:

  1. While 1Password will offer up to 50 characters for a password, you quickly realize which sites won’t support more than 8 characters or strictly limit the kinds of characters you can use. I suspect these sites are either using a mainframe on their back end or have coded their own authentication. So, I use the most characters I can.
  2. Because I got bit a couple times in the beginning, I always copy 1Password-generated passwords into a temporary text file until I’m sure it’s safely stored in the database.
  3. Make sure you can find all the special characters on the soft keyboards of all your devices. Isolate any problem keys or reject them by enabling the “Avoid ambiguous characters” feature in the Strong Password Generator.


With 1Password integrated into my daily workflow, I moved on to some other new behaviors to up my online security game: Password reset security questions, two-step verification, and a couple of others. More next week.

Questions for you: Are you using 1Password? How well does it work for you?

How I Got Started With A Password Manager

I use 1Password to keep my online security game strong. Cyber Risk leaders need to set a good example for others, so you should use a password manager, too. Let me show you how I got started.


Disclosure: I have no relationship with the maker of 1Password other than as a customer who paid entirely for his own licenses. If you decide to purchase 1Password, there is no compensation in it for me. Another good choice is LastPass, which I strongly considered, am willing to use, and has been battle-tested.

After spending some time playing around with 1Password, I committed to this approach:

1. I use one unique password for each web site.

2. Each of my passwords is long and complex with a good mix of upper/lower case letters, numbers, and symbols. Like this:


3. Typing passwords like these several times each day isn’t practical, so I use the automated password entry feature via the web browser plug-in.

4. I installed the app on my iPhone and all of my computers so my passwords are available everywhere I work.

5. I make my current password database available on all my devices by using the built-in file sync feature of Dropbox.

6. Finally, although this isn’t a password manager function, I’ve added two-factor authentication using Google Authenticator at those web sites that offer it.
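Step 2 here (long, mixed-class passwords) and the tips in the "How I Use 1Password" post (sites that cap length at 8 or restrict symbols, and the "Avoid ambiguous characters" option) are the requirements a generator has to satisfy. The following is an added example showing how such a generator behaves, written for these posts and not 1Password's own code: it draws from the operating system's CSPRNG via Python's secrets module, trims to a site's maximum, honours a restricted symbol set, and can drop look-alike characters; the AMBIGUOUS set is an assumption chosen for the example, and the entropy figure is there to show what an 8-character cap costs.

```python
import math
import secrets
import string

# Look-alike or hard-to-find-on-a-soft-keyboard characters dropped when
# avoid_ambiguous=True. The exact set is an assumption for this example.
AMBIGUOUS = set("0O1lI|`'\"")


def build_alphabet(symbols=True, avoid_ambiguous=False, allowed_symbols=None):
    """Alphabet the generator draws from, shaped by the site's rules."""
    chars = string.ascii_letters + string.digits
    if symbols:
        chars += string.punctuation if allowed_symbols is None else allowed_symbols
    if avoid_ambiguous:
        chars = "".join(c for c in chars if c not in AMBIGUOUS)
    return chars


def generate_password(length=50, max_length=None, symbols=True,
                      avoid_ambiguous=False, allowed_symbols=None):
    """Draw every character with secrets.choice, then rejection-sample until
    each required class (lower, upper, digit, symbol if enabled) appears.
    Rejection keeps the result uniform over all passwords meeting the rule,
    unlike 'pick one of each class then shuffle', which biases the output."""
    if max_length is not None:
        length = min(length, max_length)
    alphabet = build_alphabet(symbols, avoid_ambiguous, allowed_symbols)
    required = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if symbols:
        required.append(string.punctuation if allowed_symbols is None else allowed_symbols)
    # Keep only the part of each class the site actually allows; drop empty classes.
    required = ["".join(c for c in cls if c in alphabet) for cls in required]
    required = [cls for cls in required if cls]
    if length < len(required):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in required):
            return candidate


def entropy_bits(length, alphabet_size):
    """Size of the search space in bits: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def fits_site(password, max_length, allowed_chars):
    """Pre-check a generated password against a site's stated limits before
    submitting it, so a silent truncation does not lock you out."""
    return len(password) <= max_length and all(c in allowed_chars for c in password)


if __name__ == "__main__":
    full = generate_password(50)
    capped = generate_password(50, max_length=8)
    print(full, round(entropy_bits(len(full), 94), 1), "bits")
    print(capped, round(entropy_bits(len(capped), 94), 1), "bits")
    print(generate_password(20, avoid_ambiguous=True, allowed_symbols="!@#$%"))
```

A 50-character draw from 94 symbols is about 328 bits; an 8-character cap from letters and digits only is under 48 bits, which is the gap the "use the most characters I can" tip is closing. Running fits_site before submitting is the automated version of the "copy it to a temporary file until I'm sure it's stored" habit: the check fails loudly instead of the site quietly truncating the password.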

Playing with 1Password was easy because of their 30-day trial. Then I bought the 1Password Mac + Windows Bundle. I also bought 1Password for iOS through the App Store. (There are Android and Windows versions, too, but I haven’t used them.)

After installing 1Password, the first step is to set a master password. Over the course of a day I thought about what my master password should be. Since I would be typing it a lot, I wanted to choose something secure but wouldn’t be too tough to enter on my iPhone keyboard. Ultimately, I took a passphrase approach and created an obscure sentence that nicely balances strength against the efficiency of typing it.

I feel comfortable using Dropbox for syncing my password database. Why? Because the database is strongly encrypted and all the encryption functions are done on my local computer. So, even if Dropbox is hacked (again) my passwords will remain safe. Alternately, you can use iCloud or local WiFi for file syncing.

Next week, I’ll tell you how I use 1Password in my daily workflow. Later, I’ll tell you more about Google Authenticator.

Are you using a password manager? Why not?