Need help - Ask Roger: Recent Episodes

Director

The complex world of protecting your organisation from the internet-based cybercriminal can be daunting for most. As a C-level executive, manager, owner or board member of a not-for-profit organisation, a charity or a small or medium enterprise you are faced with a number of issues related to data. This podcast is here to help you, from simple solutions to complex strategies. It will address as many as possible. Business is all about risk, revenue, brand and productivity. A cyber event can impact all of them.

Introduction to the episode

This episode we are going to focus on vulnerabilities and how they are managed

Threat actors use vulnerabilities to target us.

By exploiting vulnerabilities they can gain access to systems, networks and devices.

Vulnerabilities allow the criminals to gain a foothold on a system.

Vulnerabilities can be bugs, malicious changes to code (SolarWinds), accidents or default configurations.

Vulnerability management

What is a vulnerability

How much exposure

How can we measure it all

Before we do anything else

A vulnerability is a weakness that can be exploited in an attack

A vulnerability can allow attackers to run code, access system resources, override installation protocols, steal or change data

Vulnerabilities are the trade craft of the cybercriminal

We first need some standards

The Common Vulnerability Scoring System (CVSS)

An open framework for communicating to the security industry the characteristics and severity of software and operating system vulnerabilities

Common Vulnerabilities and Exposures (CVE)

A list of vulnerabilities that includes ID, description, dates and comments

National Vulnerability Database (NVD) is a list of CVEs managed by NIST that is synchronised and provides enhanced information including patch availability.

How do they work?

CVSS - needs a calculator which is available on the internet

Takes into account

Vector - how will the vulnerability be exploited

Complexity - how easy is it to exploit the vulnerability

Authentication - how often is the exploit required to authenticate against the system

3 other areas - the impact on confidentiality, availability and integrity (CIA) of data

CVE

Anyone can add to the CVE database

Based on "publicly known" vulnerabilities (usually means that they are patched or mitigated in some way).

They are a unique number associated with the vulnerability as well as identifying the vendor of the software.

1000s of CVEs are issued daily

CVEs can be assigned before a solution but they are normally hidden from public view.

Why do we need these systems?

Security is complex.

We needed a simple and readily available way to ensure that all parties are playing on the same field.

Summary

In the last 2 episodes, we have focused on passwords - unique, complex and more than 12 characters.

We also know that account credentials can be stolen and we needed additional security

Enter 2FA or multi FA

Username = who you are

Password = what you know

2FA / Multi FA = what you have

If we need access to data then we need these systems.

But the bad guys often do not need an account to get in.

There are other ways

One is to target vulnerabilities.

To target a vulnerability, we need a crash course in hacking into systems.

2 components - we need a shell and a user (that user can be a service account)

I will go further into vulnerability management, so let's just say that there is a vulnerability effectiveness scale and any one of them between 9 - 10 give us both those requirements.

Malware is used to target vulnerabilities on applications, operating systems,

How do we stop the bad guys from gaining access?

In this episode, we are going to focus on patching.

Patching, updates and why we need them

A little History

2 of the biggest issues from not patching - EternalBlue and Code Red

What about Target

Why do we need to patch

Fixes vulnerabilities that have been discovered

Adds additional functionality

Protect your data against attack

Protecting others

What is patching doing

Repair vulnerabilities

Updating software

Replacing code

Stops malware from getting a foothold

Stops exploits

Minimising downtime

Compliance and governance requirements

How can we patch effectively

Best practice

Implement automation - patch management

Operating system patching

Everything needs to be patched - computers, smart devices, IoT devices, Cloud-based systems, websites, routers, switches,

Do it regularly

Have you checked your website recently?

Get into the habit of patching

Application patching

Applications including Java, Adobe, vendor-based apps

Open, do it, close, open then patch

Automated systems can be used

Most MSPs have a patching process.

Other patching information

16,555 vulnerabilities were discovered in 2018

Vulnerability scanning - how it is used.

Large organisations automate it as much as possible and enforce it

Even larger organisations have separate systems - production and test - and test updates and patches on the test environment first

What happens if there is no patch?

Last episode we focused on the dreaded password

Where did they come from

Why do we use them,

Why they are important for protecting your stuff

What they are made up of and what not to use.

In this episode of Just the basics - Ask Roger we will focus on the addition of a third level of protection around your internet-based sites and services

Access to every account has a username and password - who you are and what you know

The third layer is what you have and that is called multi factor authentication or 2 factor authentication

In the same area is also the wonderful captcha system.

Username and password and now prove that you are human by answering this little puzzle - traffic lights, hills, which animal is the right way up.

Then there is the next one - how can a tick in a box prove that I am not a robot?

So this episode we are going to focus on 2 factor, multi factor authentication and captcha

Multi factor authentication

Why do we need another layer of authentication

Password stealing

Scams

MITM attacks

A warning system for criminals accessing your account

What is 2 factor / Multi factor Authentication

A technology that allows for a third level of information to gain access to an account

SMS,

authentication app,

dongle

How does it work

Association with an account

SMS - put in your mobile number

Authenticator app - usually a QR code

Dongle - set up by the organisation

Which way is best

All systems have vulnerabilities

Each has its own use

SMS can be used on non-smartphones

Where does captcha come into this

This is to counteract the automated systems

Used to prove that it is a human

You have to pick the 3 or 4 things that are right

The other one - I am not a robot relies on the browser content

Dos and don'ts

Do set up 2 FA

Do add 2FA to your accounts - website,

Do use 2FA on all admin accounts

Do not - Never give away the code

Do change your password if you receive a code and it was not you

If more than 2 people need access there are ways to set it up

Summary

Passwords, our passport to the cyber and digital realm

For a business, password management is a major headache.

As a business you have to get people to understand that passwords are essential and good passwords are critical to protecting data, systems and people.

Ensuring that they are

This episode we are going to focus on ………..

Let's start with passwords.

History of passwords (open sesame)

Since the late 90's

Started basic and got more and more complex.

Why do we have passwords

Protect our digital assets.

Restrict access to information

Stop the bad guys getting information

What should be a password

Unique, complex and 12 characters

What should not be a password

Names, personal information, locations

Understanding the need for a password

To stop people gaining access to PI

The more important the role in the business (administrators) the more complex and longer the password needs to be

Convenience vs security

Small passwords are convenient for you and also for the bad guys

Password hacking, theft and scams

Interception

Brute force hacking (hashing and rainbow tables)

Searching

Manual guessing

Social engineering

Never give away your password

If it demands your password never give it away

Pop ups,

Solutions

Password managers