I pre­vi­ous­ly out­lined three strate­gies for detect­ing intrud­ers on your net­work with­out the need for a large cap­i­tal expense for spe­cial­ized sys­tems. In fact, you don’t even need a man­aged ser­vice provider.

Now, as promised, here are three more ways:

1. Using time stamps and the geolo­ca­tion of the source IP address­es, look for sim­ple irreg­u­lar­i­ties in log-ins and access pat­terns. The most obvi­ous would be an account that is log­ging in from two coun­tries so close togeth­er in time that it’s unlike­ly they are both legit­i­mate. You can access geolo­ca­tion data for free or low cost.
2. When the HTML response sizes leav­ing your net­work are much larg­er than usu­al, that’s a sign you’ve prob­a­bly been the vic­tim of a SQL injec­tion attack.
3. Final­ly, watch for out­bound web traf­fic where 30 or 40 brows­er win­dows are open­ing all at once. This kind of behav­ior is more like­ly a sign of an auto­mat­ed ses­sion rather than a human one.

Will you have false pos­i­tives? Yes. But you’ll also under­stand what’s con­sid­ered nor­mal on your net­work much bet­ter than you do today.

Do you have any low-cost, yet auto­mat­ed, strate­gies for net­work intru­sion detec­tion?

Orga­ni­za­tions can do a good job of detect­ing intrud­ers who have infest­ed their data net­work with­out buy­ing and oper­at­ing an expen­sive com­mer­cial net­work intru­sion detec­tion sys­tem. You don’t even have to hire an out­side man­aged net­work secu­ri­ty provider. Check out these three pow­er­ful strate­gies for deal­ing with this cyber risk:

1. The first strat­e­gy is pos­si­bly the most pow­er­ful: Use your exist­ing admin­is­tra­tive tools to pro­duce a dai­ly report that shows all mem­ber­ship changes to all admin­is­tra­tive groups for the past 24 hours. Then assign some­one to val­i­date every change. This will tell you if some­one tries to “sneak in” through a priv­i­lege esca­la­tion.
2. One sign that an attack­er is “bed­ding down” in your net­work to con­duct long-term sur­veil­lance is the unex­pect­ed patch­ing of sys­tems. Why? An attack­er does­n’t want anoth­er attack­er break­ing in and mess­ing up his inside access to your data net­work! So watch your vul­ner­a­bil­i­ty scans for sys­tems that don’t need a patch you nev­er pushed.
3. To detect the stag­ing of data for exfil­tra­tion, mon­i­tor your crit­i­cal data­bas­es for sud­den, unex­plained swells in read activ­i­ty. In addi­tion, mon­i­tor all filesys­tems for large quan­ti­ties of data sud­den­ly or grad­u­al­ly appear­ing in the wrong places.

With each of these tips, I’m sure you’ll get a few false pos­i­tives. And, you’ll have to climb a learn­ing curve that keeps chang­ing as the activ­i­ty of your orga­ni­za­tion trans­forms over time. A new prod­uct launch will cause per­ma­nent changes in what’s con­sid­ered “nor­mal” on your net­work.

These are just the first three on my list. Next week I’ll give you three more. See you then!

I’m sure you know that phish­ing is a lead­ing method of exploit­ing peo­ple by online crim­i­nals. In fact, it’s the way $47 mil­lion was stolen from Ubiq­ui­ti Net­works in 2015 and $54 mil­lion was stolen from Austria’s FACC (a parts sup­pli­er to com­pa­nies such as Boe­ing and Air­bus) in 2016.

Chances are, either you or your orga­ni­za­tion has suf­fered a phish­ing attack. The ques­tion is, what should you do to keep from becom­ing a vic­tim?

More than any­thing else, you need to train all your peo­ple, includ­ing (par­tic­u­lar­ly?) the CEO and their direct reports. And the best way I know to do that is to actu­al­ly send them test phish­ing attacks. There are com­mer­cial ser­vices you can sub­scribe to like Phishme or KnowBe4. Obvi­ous­ly, these ser­vice cost real, green dol­lars. And, you need to test peo­ple in a way that will encour­age them to trust man­age­ment. (I guar­an­tee that sur­prise test­ing fol­lowed by pub­lic sham­ing will destroy trust.)

But now there’s anoth­er way that I just dis­cov­ered: gophish an open source phish­ing test frame­work that was launched in ear­ly Jan­u­ary 2016. gophish appears to be espe­cial­ly good for orga­ni­za­tions that have a “do it your­self” cul­ture and an intense desire to avoid spend­ing mon­ey with­out a “no-brain­er” busi­ness case.

By the way, in case you need help to make your busi­ness case, here are some cur­rent phish­ing stats I found over at the PCI Secu­ri­ty Stan­dards Coun­cil blog:

• 13% of the annu­al cyber­crime cost glob­al­ly for com­pa­nies is due to phish­ing and social engi­neer­ing.
• Phish­ing costs the aver­age U.S. orga­ni­za­tion more than $3.7 mil­lion annu­al­ly.
• Every day 80,000 peo­ple fall vic­tim to phish­ing scams from 156 mil­lion phish­ing emails sent glob­al­ly ‒ 16 mil­lion of which cir­cum­vent spam fil­ters ‒ result­ing in 8 mil­lion scam emails being opened.

Any­one out there want to take gophish out for a spin? Let me know what hap­pens…

Ready for the next step to up your Inter­net secu­ri­ty game? Our goal with this step is to keep your pass­word from being a sin­gle point of fail­ure.

Not too long ago, Google launched a free two-fac­tor authen­ti­ca­tion ser­vice, called “2‑Step Ver­i­fi­ca­tion” (2SV). The Google Authen­ti­ca­tor app is one way to use 2SV.

I took a cau­tious approach to imple­ment­ing Google Authen­ti­ca­tor (GA). I was con­cerned about lock­ing myself out of an account, so I invest­ed a lit­tle time up front to study it.

GA is just one option with­in Google’s 2SV pro­gram. You can make a choice of how you want to get the codes (each con­sist­ing of a six dig­it num­ber) when you need them:

1. Sent to you by text mes­sage (SMS)
2. By receiv­ing a phone call
3. Via the Google Authen­ti­ca­tor app
4. Using a list of pre-print­ed codes you can car­ry in your wal­let

Also, dur­ing sign in, you can tell Google not to ask for a code again on that web brows­er. This will cut down on your work­load and is fine if you don’t share your com­put­er.

I went to the iPhone App Store, searched for “Google Authen­ti­ca­tor” and installed it. There are also Android and Black­Ber­ry ver­sions.

Then, I fol­lowed the instruc­tions to enroll my Gmail account. As a pre­cau­tion to los­ing my phone, I set a back­up phone num­ber (my wife’s) and I also got some pre-print­ed codes that I’ve put in a safe place.

Having cho­sen 1Password and made my ini­tial con­fig­u­ra­tions, I now use it in my dai­ly work­flow.

Ini­tial­ly, this change wasn’t easy. But, Cyber Risk lead­ers need to be good at chang­ing their atti­tudes and behav­iors. If noth­ing else, you must be able to set a good exam­ple for oth­ers.

Dis­clo­sure: I have no rela­tion­ship with the mak­er of 1Password oth­er than as a cus­tomer who paid entire­ly for his own licens­es. If you decide to pur­chase 1Password, there is no com­pen­sa­tion in it for me. Anoth­er good choice is Last­Pass, which I strong­ly con­sid­ered.

Rather than do tuto­ri­als and read the help doc­u­ments, I learned how to use 1Password by play­ing around with it in my web brows­er: Cre­at­ing new accounts at a few sites. I want­ed to judge how eas­i­ly I could pick it up just through using it.

I tried easy things first: Migrat­ing some exist­ing pass­words from my Chrome pass­word cache (which I stopped using and delet­ed all the records). Then, I fig­ured out how to gen­er­ate new, strong pass­words using 1Password.

I quick­ly learned I need­ed to install the brows­er exten­sions. This is for con­ve­nience as well as a bit more secu­ri­ty against key­stroke log­gers. With­out the exten­sions, you have to either man­u­al­ly type the pass­words at each site (which I’m not going to do) or use your browser’s pass­word man­age­ment fea­ture (bad idea).

Here are some oth­er tips:

1. While 1Password will offer up to 50 char­ac­ters for a pass­word, you quick­ly real­ize which sites won’t allow sup­port more than 8 char­ac­ters or strict­ly lim­its the kinds of char­ac­ters you can use. I sus­pect these sites are either using a main­frame on their back end or have cod­ed their own authen­ti­ca­tion. So, I use the most char­ac­ters I can.
2. Because I got bit a cou­ple times in the begin­ning, I always copy 1Pass­word-gen­er­at­ed pass­words into a tem­po­rary text file until I’m sure it’s safe­ly stored in the data­base.
3. Make sure you can find all the spe­cial char­ac­ters on the soft key­boards of all your devices. Iso­late any prob­lem keys or reject them by enabling the “Avoid ambigu­ous char­ac­ters” fea­ture in the Strong Pass­word Gen­er­a­tor.

With 1Password inte­grat­ed into my dai­ly work­flow, I moved on to some oth­er new behav­iors to up my online secu­ri­ty game: Pass­word reset secu­ri­ty ques­tions, two-step ver­i­fi­ca­tion, and a cou­ple of oth­ers. More next week.

Ques­tions for you: Are you using 1Password? How well does it work for you?