Three More No-Capex Ways to Detect Network Intruders

I previously outlined three strategies for detecting intruders on your network without the need for a large capital expense for specialized systems. In fact, you don't even need a managed service provider.


Now, as promised, here are three more ways:

  1. Using time stamps and the geolocation of the source IP addresses, look for simple irregularities in log-ins and access patterns. The most obvious would be an account that is logging in from two countries so close together in time that it's unlikely they are both legitimate. You can access geolocation data for free or low cost.
  2. When the HTML response sizes leaving your network are much larger than usual, that's a sign you've probably been the victim of a SQL injection attack.
  3. Finally, watch for outbound web traffic where 30 or 40 browser windows are opening all at once. This kind of behavior is more likely a sign of an automated session rather than a human one.
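As an added example (not code from the original post), here is a small Python check for the first tip: it takes constructed login records already enriched with a country and coordinates from a geolocation lookup, and flags any account whose consecutive logins from two different countries would imply travel faster than an airliner. The 1,000 km/h threshold, the sample accounts and the coordinates are assumptions.

```python
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample: (account, UTC timestamp, source country, lat, lon).
# In practice the country and coordinates come from a free or low-cost
# geolocation lookup of the source IP; here they are hard-coded.
SAMPLE_LOGINS = [
    ("alice", "2016-05-20T08:00:00Z", "US", 47.61, -122.33),  # Seattle
    ("alice", "2016-05-20T09:30:00Z", "DE", 52.52, 13.41),    # Berlin, 90 min later
    ("bob",   "2016-05-20T08:00:00Z", "US", 47.61, -122.33),
    ("bob",   "2016-05-21T10:00:00Z", "GB", 51.51, -0.13),    # London, 26 h later
    ("carol", "2016-05-20T08:00:00Z", "US", 47.61, -122.33),
    ("carol", "2016-05-20T08:20:00Z", "US", 45.52, -122.68),  # Portland, same country
]

# Assumption: anything faster than roughly airliner speed is implausible.
MAX_PLAUSIBLE_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the sample."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (account, country_a, country_b, hours, km) for each pair of
    consecutive logins by the same account from two different countries
    whose implied travel speed exceeds max_kmh."""
    by_account = {}
    for acct, ts, cc, lat, lon in logins:
        by_account.setdefault(acct, []).append((parse_ts(ts), cc, lat, lon))
    alerts = []
    for acct, events in by_account.items():
        events.sort()  # chronological order per account
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(events, events[1:]):
            if c1 == c2:
                continue  # the tip is about country changes; same-country moves are ignored
            hours = (t2 - t1).total_seconds() / 3600.0
            km = haversine_km(la1, lo1, la2, lo2)
            # A country change with zero elapsed time is always implausible.
            if hours == 0 or km / hours > max_kmh:
                alerts.append((acct, c1, c2, round(hours, 2), round(km)))
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_LOGINS):
        print("impossible travel:", alert)
```

Bob's Seattle-to-London login a day later is left alone because the implied speed is under the threshold; lowering the threshold is how you trade false positives against missed cases.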

Will you have false positives? Yes. But you'll also understand what's considered normal on your network much better than you do today.

Do you have any low-cost, yet automated, strategies for network intrusion detection?

Three No-Capex Ways to Detect Network Intruders

Organizations can do a good job of detecting intruders who have infested their data network without buying and operating an expensive commercial network intrusion detection system. You don't even have to hire an outside managed network security provider. Check out these three powerful strategies for dealing with this cyber risk:

  1. The first strategy is possibly the most powerful: Use your existing administrative tools to produce a daily report that shows all membership changes to all administrative groups for the past 24 hours. Then assign someone to validate every change. This will tell you if someone tries to "sneak in" through a privilege escalation.
  2. One sign that an attacker is "bedding down" in your network to conduct long-term surveillance is the unexpected patching of systems. Why? An attacker doesn't want another attacker breaking in and messing up his inside access to your data network! So watch your vulnerability scans for systems that no longer need a patch you never pushed.
  3. To detect the staging of data for exfiltration, monitor your critical databases for sudden, unexplained swells in read activity. In addition, monitor all filesystems for large quantities of data suddenly or gradually appearing in the wrong places.

With each of these tips, I'm sure you'll get a few false positives. And, you'll have to climb a learning curve that keeps changing as the activity of your organization transforms over time. A new product launch will cause permanent changes in what's considered "normal" on your network.

These are just the first three on my list. Next week I'll give you three more. See you then!

International Use of NIST Cybersecurity Framework

A customer of mine recently wondered about how much the NIST Cybersecurity Framework was being used internationally. This is important because they have offices in other countries and wanted to know how favorably they would respond to using the Framework to guide their own cybersecurity program.

So, I did some research. My goal was to find out how many non-US organizations are using the Framework, or planning to do so. I used open sources available via Google search.


I wasn't able to find any data on the rate of adoption by non-US organizations.

I found two reliable data sources on Framework adoption in general. Here are their conclusions:

  • The rate of adoption in the US was 30% as of end of 2015 (Gartner).
  • By the end of 2016, CSF adoption in the US is expected to be 43% (Dimensional Research, n=300).
  • By 2020, more than 50% of US organizations will use it (Gartner).
  • As compared with ISO 27001 and SANS Top 20, the Framework is the most likely security framework to be adopted by US organizations over the next year (Dimensional Research, n=300).

However, I did see a few case studies where large, US-based organizations (e.g., Intel) were using the Framework on an international basis. There is a Japanese translation of it and Italy has issued their own based on the NIST Framework.

Although not backed by any research, I also found indications that the Framework will soon become a requirement for all US federal government agencies. And I saw unsupported assertions that the Framework is being used by foreign organizations but no names were mentioned.

Here's my advice if you are in a situation where you need to have some good PR on the Framework: Tell them you're using ISO 27001. And this is easy and true because the NIST Cybersecurity Framework is 76% mapped to ISO 27001.

The remaining 24% of the non-ISO mapped subcategories are still easy to justify (RC.CO-1: Public relations are managed) and you probably already do many of them (PR.IP-12: A vulnerability management plan is developed and implemented).

Anyone have additional data to help better understand international adoption of the Framework?

4 Reasons Why Cybersecurity Depends On Relationships

Ever wonder why cybersecurity is so hard for people to get right? And, why are cybersecurity leaders failing to convince people to work more securely? We can learn some great lessons by studying the spread of medical and other technologies and then apply those lessons to cybersecurity technologies we know make a difference, such as password managers.

For example, anesthesia (specifically, chloroform) was in world-wide use less than a year from its introduction in 1846. In contrast, antiseptics, which were promoted in the 1860s, took over twenty years to become established in most operating rooms. Why the difference?

Dr. Atul Gawande: "We yearn for frictionless, technological solutions. But people talking to people is still the way that norms and standards change."

Here's why: The spread of all new ideas about what's good and how things should be is dependent on people talking to each other. Everett Rogers, who is best known for introducing the term early adopter, tells us that "Every change requires effort, and the decision to make that effort is a social process." In other words, new ideas are spread and adopted primarily through relationships.

I've learned this lesson the hard way. Only after wasting $30,000 of my budget and a good chunk of political capital trying to implement a new, homegrown cybersecurity tool did I realize my lack of the right relationships had doomed me almost from the start. Based on what I learned from my failure, I take a drastically different approach to introducing change these days. My approach is more relationship-driven, which is what you should do as well, so that your change efforts will be more successful.

Back to anesthesia versus antiseptics. The New Yorker published an article by Atul Gawande: Slow Ideas. You may remember one of his well-received books, The Checklist Manifesto. (Save yourself some time and money: read the article upon which the book was based.)

Slow Ideas describes and promotes Atul's Better Birth project. It's an experimental approach to reducing the rate of death among mothers and babies during and shortly after childbirth in poorer countries. And, along the way, Atul also answers the question about anesthesia versus antiseptics.

It's a fascinating story that's well worth reading on its own merits. But it also provides keen insight on the struggle to create new norms, which any cybersecurity leader looking to promote change should appreciate.

From reading Dr. Gawande's article, I've identified four reasons why you should lead all your change efforts by first using your relationships:

  1. Technology alone won't get the job done. Dr. Gawande describes seeing unused incubators pushed into dark corners, broken due to lack of spare parts or switched off due to a lack of electricity. As technologically advanced as the units were, dropping them off in underdeveloped countries and then making no arrangements for integrating them into local life speaks to the lack of relationships.
  2. Requests, incentives, and penalties only work up to a point. Merely requesting a change will win over a certain percentage of the audience, but probably not as many as you wanted. Studying the tax code of any country will reveal incentives are hard to get right. People have a way of maximizing incentives for themselves, often to the detriment of the stated goals, and in ways the authors never imagined.
  3. Research has shown relationships are the most effective way to bring about change. We can introduce a new idea to people. But, people follow the lead of other people they know and trust when they decide whether to take it up. Everett Rogers wrote: "Every change requires effort, and the decision to make that effort is a social process."
  4. Real-world experiences. In his article, Dr. Gawande tells a story about how drug makers persuade stubborn doctors to prescribe new medicines: "Evidence is not remotely enough, however strong a case you may have. You must also apply 'the rule of seven touches.' Personally 'touch' the doctors seven times, and they will come to know you; if they know you, they might trust you; and, if they trust you, they will change. Human interaction is the key force in overcoming resistance and speeding change."

I encourage you to read the article for yourself. It's persuasive and very inspirational. And, you'll find out why anesthesia got into the operating room faster than antiseptics.

Have I convinced you that relationships are the best method for improving cybersecurity? If not, why not? Do you know a better way?

Two Daily Actions To Contain Data Breach Costs

A single data breach can cost your company a lot of money. How much? Based on the NetDiligence 2015 Cyber Claims Study of actual insurance claims data, we know the average cost of a large company data breach is US$4.8 million.

Want to minimize the cost? Quickly identify the data breach.

How do I know that's the best way? And, how do you do it quickly?

Here's the first answer: Check out this data in the IBM/Ponemon 2015 Cost of Data Breach Study. This graph from page 22 of their report shows the relationship between the mean time to identify a data breach and total average cost:

[Graph: mean time to identify a data breach versus total average cost, IBM/Ponemon 2015 Cost of Data Breach Study, page 22]

That's a very clear connection, don't you think?

OK, so how can you quickly detect a data breach without spending a ton of CapEx for a fancy intrusion detection system and then a ton of OpEx to run the thing?

Here's how: Have your server administration teams run these two daily checks:

  1. Discover whenever someone becomes a privileged user by verifying all new accounts that have been added to any administrator or root groups.
  2. Identify data being staged for exfiltration by noticing when large amounts of data suddenly show up in unusual places.

With both these checks, the large majority of the work can be automated. The way you do it is use existing server management tools to compare and highlight the major differences between today's and yesterday's snapshot of (1) all your admin/root group members and (2) the percentage of free server disk space.

The manual work is tracking down why those changes happened and making sure it's a legit business reason. This will take some sleuthing at first to know who to call and what constitutes normal changes. But within a month you will settle down into a productive routine.
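The daily admin-group report from the first strategy in "Three No-Capex Ways to Detect Network Intruders" and the snapshot comparison described above share the same core, so here is one added Python example (not the post's own tooling) that diffs two constructed snapshots of admin/root group membership and free disk space and assembles the lines someone is assigned to validate. The snapshot format, host and account names and the 10-point free-space drop threshold are assumptions; in practice the snapshots would come from your existing server management tools.

```python
from datetime import date

# Constructed snapshots standing in for the output of existing server
# management tools: admin/root group members per host, and percent free
# disk space per host. Yesterday's snapshot is the baseline.
YESTERDAY = {
    "groups": {
        "web01": {"sudo": {"alice", "bob"}, "wheel": {"alice"}},
        "db01":  {"sudo": {"alice"}, "wheel": {"alice"}},
    },
    "disk_free_pct": {"web01": 62.0, "db01": 55.0},
}
TODAY = {
    "groups": {
        "web01": {"sudo": {"alice", "bob", "svc-backup"}, "wheel": {"alice"}},
        "db01":  {"sudo": {"alice"}, "wheel": set()},
    },
    "disk_free_pct": {"web01": 61.5, "db01": 31.0},
}

# Assumption: a drop of 10 percentage points in one day is worth a phone call.
FREE_SPACE_DROP_PCT = 10.0


def diff_admin_groups(before, after):
    """Return (host, group, member, 'added'|'removed') for every membership
    change between the two snapshots. Hosts or groups missing from one side
    are treated as empty, so brand-new hosts and groups are reported too."""
    changes = []
    for host in sorted(set(before["groups"]) | set(after["groups"])):
        b_groups = before["groups"].get(host, {})
        a_groups = after["groups"].get(host, {})
        for group in sorted(set(b_groups) | set(a_groups)):
            b = b_groups.get(group, set())
            a = a_groups.get(group, set())
            for member in sorted(a - b):
                changes.append((host, group, member, "added"))
            for member in sorted(b - a):
                changes.append((host, group, member, "removed"))
    return changes


def disk_space_drops(before, after, threshold=FREE_SPACE_DROP_PCT):
    """Return (host, yesterday_pct, today_pct, drop) for hosts whose free
    space fell by at least `threshold` percentage points since yesterday."""
    drops = []
    for host, today_pct in sorted(after["disk_free_pct"].items()):
        yesterday_pct = before["disk_free_pct"].get(host)
        if yesterday_pct is None:
            continue  # new host, no baseline to compare against yet
        drop = yesterday_pct - today_pct
        if drop >= threshold:
            drops.append((host, yesterday_pct, today_pct, round(drop, 1)))
    return drops


def daily_report(before, after):
    """Assemble the lines a person validates each morning."""
    lines = [f"Daily privilege/staging report for {date.today().isoformat()}"]
    for host, group, member, action in diff_admin_groups(before, after):
        lines.append(f"  {host}: {member} {action} ({group})")
    for host, y, t, d in disk_space_drops(before, after):
        lines.append(f"  {host}: free disk space {y}% -> {t}% (down {d} points)")
    return lines


if __name__ == "__main__":
    print("\n".join(daily_report(YESTERDAY, TODAY)))
```

Removals are reported as well as additions, since an attacker cleaning up after a privilege escalation looks the same in the diff as an admin tidying group membership.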

What other simple techniques have you used to detect data breaches?

Lean Into Your Cyber Risks To Thrive In The New Normal

How do you lean in? By pursuing cyber resilience through measurement, smart prioritization of future spending, and continuous improvement. Let's quickly step through the plan right now, at a high level…

The rest of my blog post for today appears over at my good friend Mike Hamilton's Critical Informatics web site.

Mike and I were chief information security officers (CISO) at about the same time a few years ago. He was at the City of Seattle while I was a couple miles away at PEMCO Insurance.

Like me, Mike and his team provide cybersecurity consulting services. But what makes his team different is their network security managed service, called Critical Insight. I've learned how they serve their customers with it and I wish I had it when I was CISO. Check it out! (After you read my post for today, of course.)

Anyway, here's the link to my weekly post. You'll find plenty of insights and actionable tips on how to thrive in The New Normal.

What To Do About Reputable Websites Delivering Malware?

Did you know that reputable websites (like Forbes, The New York Times, and others) have been caught trying to install malware on their visitors' computers and smartphones? This isn't new, but it's a trend that's been getting worse when it should be getting better.


These reputable websites are not deliberately trying to hijack your computers, of course. It's the networks that serve up the ads that have been compromised. Known as malvertising (malicious advertising), it is, according to cybersecurity expert Lenny Zeltser:

…attractive to attackers because they can be easily spread across a large number of legitimate websites without directly compromising those websites.

This type of attack relies on Adobe Flash and Microsoft Silverlight configured in your browser to auto play the ads. This has been going on since at least 2007 but it got much worse in 2015 and continues to get bigger. And, it appears to be crossing over to mobile devices.

The recent article in The Register didn't say it, but I will: Why shouldn't organizations of all sizes install an ad-blocker (I suggest uBlock Origin) across all desktops and mobile devices? At least until this ad-network mess gets cleaned up.

Is there some other, easier thing we should be doing?

Boeing Supplier Lost $54 Million to CEO Fraud

Did you know that Business Email Compromise (BEC), also known as CEO Fraud, is still a threat? And, it's not just the stolen money that causes executive headaches. It can damage your stock price and reputation with major customers. And, in the case of FACC, it cost the CFO, Minfen Gu, her job.

Here's what Computer Weekly said about the fraud, announced on January 19th:

A $54m cyber fraud against Austria's FACC has sent the aircraft supplier's share price reeling. The company's share price fell nearly 17% in response to news of the company's loss, which is one of the greatest losses to date caused by cyber fraud, according to Bloomberg. The loss reported by the supplier to companies such as Boeing and Airbus is way above the average cost of the worst breaches in the UK of between $1.9m and $4.4m, reported by PricewaterhouseCoopers (PWC) in 2015.

So, how do you prevent these attacks from succeeding?

In my experience, most companies are overspending on technology to prevent data and money theft while downplaying the people, process, and management aspects. As with FACC, the recent theft of W-2 information from Moneytree was successful mostly because of weak internal processes and poorly trained people. And there's a lot you can do in these areas for little or no added expense.

Training people to detect and resist attempts to trick them into sending money (or sensitive data) to criminals is a top action everyone should be taking right now. A good approach is to combine a strong internal communications campaign with a software-as-a-service anti-phishing testing service, such as PhishMe or one of its competitors. Expect to pay about $20 per user, per year.

On that note, organizations need to make sure their management team fully supports their cybersecurity program, especially first line supervisors. Why? When people hear about their responsibility to prevent cyber crime, their first question will be "is this for real?" and then they will wonder "how will this affect me?" Their supervisor will either encourage people to join the program, or kill it, depending on how they answer.

Finally, people have to feel safe to respectfully challenge any suspicious requests. Otherwise, they will be stuck between the fear of being fired for not immediately complying with the request and the fear of making a big mistake.

What else would you do to protect your organization from CEO Fraud?

Phishing Training Without Recurring Fees

I'm sure you know that phishing is a leading method used by online criminals to exploit people. In fact, it's the way $47 million was stolen from Ubiquiti Networks in 2015 and $54 million was stolen from Austria's FACC (a parts supplier to companies such as Boeing and Airbus) in 2016.

Chances are, either you or your organization has suffered a phishing attack. The question is, what should you do to keep from becoming a victim?

More than anything else, you need to train all your people, including (particularly?) the CEO and their direct reports. And the best way I know to do that is to actually send them test phishing attacks. There are commercial services you can subscribe to like PhishMe or KnowBe4. Obviously, these services cost real, green dollars. And, you need to test people in a way that will encourage them to trust management. (I guarantee that surprise testing followed by public shaming will destroy trust.)

But now there's another way that I just discovered: gophish, an open source phishing test framework that was launched in early January 2016. gophish appears to be especially good for organizations that have a "do it yourself" culture and an intense desire to avoid spending money without a "no-brainer" business case.

By the way, in case you need help to make your business case, here are some current phishing stats I found over at the PCI Security Standards Council blog:

  • 13% of the annual cybercrime cost globally for companies is due to phishing and social engineering.
  • Phishing costs the average U.S. organization more than $3.7 million annually.
  • Every day 80,000 people fall victim to phishing scams from 156 million phishing emails sent globally, 16 million of which circumvent spam filters, resulting in 8 million scam emails being opened.

Anyone out there want to take gophish out for a spin? Let me know what happens…

Five Data Breach Trends For 2016

A few days ago over at the CFO Network group on LinkedIn, Scott Ernst (VP at Wells Fargo Insurance Services) posted a link to an article by Michael Bruemmer, VP of Experian Data Breach Resolution. The article, based on Experian's annual Data Breach Industry Forecast, summarizes five data breach trends business leaders need to be on the lookout for heading into 2016.


It's worth a few minutes to read the article, but in case you're pressed for time, here's Michael's list:

  1. The EMV Chip and PIN liability shift will not stop payment breaches.
  2. Big healthcare hacks will make the headlines but small breaches will cause the most damage.
  3. Cyber conflicts between countries will leave consumers and businesses as collateral damage.
  4. 2016 U.S. presidential candidates and campaigns will be attractive hacking targets.
  5. Hacktivism will make a comeback.

These trends make sense to me so I won't be surprised to see them emerge over the coming year. And, Michael's right that the best way to prepare is to

update … response plans accordingly

Aside from the large expense of a data breach, organizations also need to be ready for the mostly successful attempts at stealing money via business email compromise (BEC), which exploits people and process more than technology. This technique has resulted in about $1.2 billion stolen in just the last couple of years worldwide. For one high profile example, see the story Brian Krebs published about the $46 million stolen from Ubiquiti Networks in 2015.

The good news is all these risks can be significantly lowered with a reasonable amount of effort. There are many good risk management frameworks you could choose to help guide the work. Right now I really like the NIST Cybersecurity Framework (CSF) which I've been using a lot lately.

What cybersecurity trends are you watching?