
Naga Cyber Defense

Trusted Security for all of Indonesia


Cybersecurity Is Not a Job

July 13, 2022 by Frank Boatwright

Cybersecurity is not my job.

Cybersecurity is not my concern.

Cybersecurity is not my responsibility!

How many times have you heard those words from co-workers, bosses, family or friends?

I love the ones that say Cybersecurity is not worth the expense. I’ve seen family fortunes stolen and businesses and universities go bankrupt because of this attitude. I’ve watched people at the cash register as they see credit and debit cards refused one by one, as they call their banks and check the mobile apps to see their balances are now zero.

I’ve had family call me to tell me that hackers have stolen hundreds of thousands of USD from their life savings accounts, asking “What do we do now?” Some of these could have been prevented if the right personal security had been applied. In the case of my family, the business holding the funds was responsible because they did not have security done right, and they had to repay the money stolen.

Here in Indonesia getting security right is easiest if you are in Jakarta and are a big business with a BIG network. You have more tools to apply that will work in Jakarta because they have better access to the world there. Though would you say Jakarta is really doing it any better than the rest of the nation? Unfortunately not all tools work here in Indonesia; most are VERY CLOUD managed, and the time the cloud needs to respond is too long, so the hacker wins the race for control of the server or PC.

For Indonesia our tools must work best when the Internet is GONE, not the INTRANET of Indonesia, but the World Wide Web. As a member of a Purple team, I was taught that the first way to take control of any business requires the blocking/managing of outside services. You must take ownership of the outside support services like DNS, VPN and access to all service providers that have any security responsibility, such as Cloud EDR/XDR, Active Directory or a Managed Service Provider.

We built a company in Indonesia to make this type of attack nearly impossible and hoped businesses would see the need. What I didn’t take into account was that in Indonesia, just because there have been laws and regulations for Cybersecurity in place for decades, does not mean businesses are aware of them.

We keep getting told that Cybersecurity is not my job, concern or responsibility by Board Directors and Senior Officers across Indonesia. They say that “Cybersecurity is too expensive” even with us cutting costs from 50% to 90% below the best price from the vendors. While at the same time we are providing an adaptive security maturity service based solution covering the full gamut of International Best Practices and Standards as directed by Indonesian Law and Regulations.

“This is not OUR RESPONSIBILITY, so this is still too expensive for us to undertake at this time” is the reply. PDP is hopefully right around the corner, but business avoids worrying or planning for it. Though the KOMINFO regulation #20/2016 for PII has been pushing 70% of PDP for 6 years. Most if not all Government agencies and major businesses do not have PII and Data Loss Prevention (DLP) guidance or protections in place today. If the protections as required by MOCI #20/2016 PII were deployed via Data Loss Prevention (DLP) across the nation, the last two years’ worth of breaches would have been smaller and identified by the impacted parties as they happened, reducing if not preventing the data losses from happening.

When we can get a business or agency to see the need to up their security game their usual reply very much worries me, “We DON’T have people qualified to support you in protecting us.” We explain our mentoring and support processes to grow their staff but that does not work for them. They want to hire the Indonesian Unicorn, a fully qualified and certified team of Cybersecurity Analysts with years of experience to work with us. Well that sale is postponed for years to come.

BSSN has in the last few years discussed in public presentations and whitepapers the limited availability of full Cybersecurity training in Indonesia as well as the large gap in availability of staff members to perform these tasks. Even worse, we see a larger gap in the number of non-cyber persons that DON’T understand their Roles and Responsibilities to perform cybersecurity tasks on a daily basis as part of their normal job functions.

Cybersecurity in the 21st Century is as important as Clean Water was to the nation over 100 years ago and today. Without a clean cyber data stream we are all impacted and poisoned on a daily basis. We almost all drink bottled water because the water around us is not fit to drink. Why do we assume the World Wide Web is clean to play in? We know that we can’t see the human malware in bad water even if it looks clean. Why is it so hard for folks to remember that we can’t see computer malware either? We teach our kids not to drink dirty water, but we will let them out to play on the dirty internet every day without protection.

Personal education on safe Internet usage and the impact of malware on both humans and computers living in the Internet needs to start as soon as we place a phone in our kids’ hands. From the day a business is born and until it is closed every person in the business should be trained on their role in protecting the business from Cyber Crime and the poisons throughout the Internet’s streams. Just like the watering holes of the past would poison a drinker, a watering hole on the internet can do the same to you.

Every PERSON in Indonesia has a Role in cybersecurity for Themselves, their family, their Businesses, and the Nation. Every department in a business has direct Responsibilities and/or Accountable actions / tasks related to cybersecurity to perform on a daily basis. Cybersecurity does not only belong to IT nor does IT have all of the accountability for the protection of the business. As an individual you are responsible for yourself, as a society / nation we are responsible for each other, as the nation and society is responsible to protect us individually and as a whole.

The ability for a business to perform these tasks successfully day in and day out without failure is defined as Security Maturity.

Are ALL your People, Processes and Technology aligned for the best return on investment?

Does Every Organization and Person within your business understand the reasons Why, What, When, Where and How Cybersecurity is to be performed?

Remember the WHO is always “ALL OF THEM”!

It is not a question of will you get a data breach, the question is does your business know how to Respond and if needed Recover from an event. You have 5 minutes to win it, can you?

NOTE: If you think your last Pen Test defined the Security Maturity of your business, I’m sorry to be the one to inform you, but you are incorrect. A Pen Test fits in your DEV/SEC/OPS workflow and should be a daily part of your business’s Constant Monitoring program, but sadly it has a limited impact on the true Maturity of your Cybersecurity program.

If you want the solutions to these problems in a timely manner and with the best Return on your Investment, please contact us at Sales@nagacybersecurity.com or +628112652249 via WHATSAPP or SIGNAL, or just call us directly.

Tagged With: Business, Cybersecurity, organization

CKC Recon

May 18, 2021 by Frank Boatwright

To follow up on the article on TIME.

We’ve talked about the impact of time on the attacker and the defender. This led us to the Cyber Kill Chain (CKC) and a very quick introduction into how this can buy the defender more time during an engagement. CKC provides a way to explain the steps associated with an attack in a simplified manner.

Figure 1: Lockheed Martin Cyber Kill Chain

It looks simple, right? Well, of course it’s not. Each step has a lot of thought behind it, and both parties, the attacker and the defender, have a role to play at each step.

The first phase of the kill chain is Reconnaissance which is more than its name implies. First it is as much about Social Engineering and Human Malware as it is about Electronic Surveillance and Penetration Testing your environment and defenses in advance of the attack exploitation. Your business most likely does not apply Operations Security aka OPSEC in your day to day business dealings or outside communications.

You may have agreed to give a referral to your Vendors, including your Security Vendors, about how much their product keeps your company safe. Your name and/or company logo is now recorded on the Internet as using their products to protect you. You have posted want ads on sites requesting IMMEDIATE hiring of new employees to work with such and such Security Tool, or to work as part of your SOC team at different skill levels with specific applications or OS backgrounds.

This is the second piece of information your future attacker needs to know about you. First they’ve researched your business, including your market share, revenue and employees. They will map you and identify weaknesses in your team and operations model to exploit against you. All of this goes into the business plan they use to profit off of you via a Business Email Compromise (BEC), Ransomware or, worse, a Remote Administration Trojan (RAT) attack to steal or modify company secrets.

The tweets, chats, stories and text messages of your employees will be collected from Social Media and other sources. Your staff may be offered a job interview and asked about what they do now, plus the tools or issues they see each day. All to know you better and to simplify the attack. This all sounds like fantasy or a Mission Impossible script, but this happens every day worldwide, including here in Indonesia. Billions of rupiah are lost weekly if not daily across the country to successful attacks based on these steps.

Why would you ask someone to go through all of this work? Simple: for the Money, Intellectual Property or simple power over you, your business or our country. Advanced Persistent Threats or APTs are Criminal or Nation State Organizations that use these techniques to profit off the ill prepared. The mass scale hacks of opportunity will also use some techniques like this to tune or target their attacks on a broader regional or national population. On the other hand the APT will use these tactics and techniques like a great surgeon to cut through your protections. One is simple brute force and one is an extreme sneak thief; either way, if you don’t prepare for them you will lose.

Prepared? Are you? That is the big question. If you are the average business I’ve met in Indonesia, with a Stateful Firewall and an unmanaged Antivirus-only solution, sorry, you are UNDER PREPARED, like a person trying to win a long range missile battle with a knife; you are outclassed in this war. The Cybersecurity Framework (CSF) that is the standard for Security Maturity referenced by BSSN is more comprehensive than ISO 27001, with an additional 134 controls required. ISO 27001 is the beginning of the solution needed for Cybersecurity but is just the first step, and CSF covers all of ISO 27001. Businesses need to complete ISO 27001, but they must understand that this is only 56% of the controls via People, Policy and Technology required to be performed today for Security 4.0 protection.

Back to that Stateful Firewall and the impact of change. When we first started to use firewalls back in the 1990s they were the first way to protect our network, providing wonderful Layer 2-3 protection above what our routers could effectively do without performance loss. The Attack Surface (the way we got hacked back then) has changed massively since the 1990s, but most implementations of firewalls have not.

Firewalls and the other network protections added in the 1990s, such as Network Intrusion Protection Systems, had an ability then that they don’t have today: visibility of the data on the Network. Today the Layer 2-3 data is still in the clear, but the content of the packet at Layer 4-7 is encrypted more and more each day by SSL and TLS. The only systems with clear text access to the data by default are the two ends of the data session. This lack of visibility degrades the performance of the Firewall: as more and more established sessions are created, the Firewall does its job and allows the new sessions to grow, because they were part of the “TRUSTED” first connection started by the internal endpoint.

Layer 7 Gateways and Application-level firewalls go far to provide the required protections, but they themselves are not best for Data Center protections, as they only watch the outbound session and not the new inbound sessions to your servers. A Reverse-Proxy in addition to the Internet Access Gateway should be added to the Data Center for full Network to Application level protection.

At the Endpoint you need to have a full Application Layer 7 Firewall service installed that has access to Real-Time changes in its protection rules. The Internet changes extremely fast and in the future will move even faster. Your protections against Reconnaissance at the Network layer have to be able to defend you against over 40 years of tactics and techniques that criminal hackers have to draw on. You cannot forget the old and only protect against the latest threats. We see daily, at the endpoint level, attacks against systems from the 90s and early 20s that are bypassing the customers’ Network protections. TOO MUCH TRUST is given to incoming traffic from the internet.

The Firewall should be allowing your environment to go to the Internet and providing NAT (Network Address Translation) on all outbound traffic. The systems that need to be reached from the outside need to be in a DMZ, completely away from the other endpoints. Region protections should be in place: if your users are only in Indonesia, then there’s no reason why you are accepting incoming traffic from Eastern Europe. Even better, communications should be on a VPN or, best, on a Virtual LAN based on a VL2 system. NOTHING should be able to see or touch your Internal systems from Layer 2 to 7 without a security inspection. Hiding scripts and other malicious actions inside an established session is 100% normal for Criminal Hackers today.
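As an added example (my code, not the article’s or Naga’s own tooling), the posture in the paragraph above written as a small policy evaluator in Python: outbound is source-NATed, only published DMZ services accept new inbound sessions, new inbound sessions from regions other than Indonesia are refused, and the DMZ cannot initiate into the internal zone. The address ranges, GeoIP table and published services are constructed documentation values, not any real deployment.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values (RFC documentation ranges), not a real network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DMZ_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# The only services published to the Internet, as (DMZ host, port).
DMZ_SERVICES = {("192.0.2.10", 443), ("192.0.2.10", 80)}
# Users are only in Indonesia, so only ID may open new inbound sessions.
ALLOWED_REGIONS = {"ID"}
# Constructed stand-in for a GeoIP lookup table.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "ID",
    ipaddress.ip_network("198.51.100.0/24"): "UA",
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    established: bool = False  # True for a reply inside a session started inside


def zone(ip: str) -> str:
    """Classify an address as internal, dmz or external."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    if any(addr in net for net in DMZ_NETS):
        return "dmz"
    return "external"


def region(ip: str) -> str:
    """Country code from the constructed GeoIP table, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "unknown"


def decide(flow: Flow) -> tuple:
    """Return (verdict, reason) for one flow under the posture described above."""
    src_zone, dst_zone = zone(flow.src), zone(flow.dst)

    # Outbound: internal or DMZ hosts may reach the Internet, source-NATed.
    if src_zone in ("internal", "dmz") and dst_zone == "external":
        return "allow", "outbound-snat"

    # The DMZ must never initiate sessions into the internal zone.
    if src_zone == "dmz" and dst_zone == "internal":
        return "deny", "dmz-to-internal"

    # Replies inside an established, internally started session pass the
    # stateful check but are still handed to Layer 4-7 payload inspection.
    if src_zone == "external" and flow.established:
        return "allow", "established-reply-inspect"

    if src_zone == "external":
        # Nothing external may open a session to the internal zone.
        if dst_zone == "internal":
            return "deny", "internal-not-reachable"
        # Region restriction is checked before the service check.
        cc = region(flow.src)
        if cc not in ALLOWED_REGIONS:
            return "deny", "region-" + cc
        if (flow.dst, flow.dport) in DMZ_SERVICES:
            return "allow", "published-dmz-service"
        return "deny", "unpublished-dmz-port"

    # Internal-to-internal or internal-to-DMZ traffic stays inside the perimeter.
    return "allow", "inside-perimeter"
```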

Reconnaissance by a successful APT starts with you and your business’s permanent Internet Record. Once they have determined the best way to make money off you, they will migrate to their digital mapping of your environment to verify the earlier data. From here step two will begin with Weaponization, the creation of the tools to move through your Network for delivery.

Weaponization and Delivery will be covered in detail in the next article. Please look at how you are protecting yourself today. Are you still using best practices from the 1990s, or have you moved to protections based on current best practices like CSF, MITRE ATT&CK and CKC? Do your architecture and applications include TOGAF and OWASP as part of your design and development planning? Or is this the first time you are seeing these terms? CKC comes first, but we will be providing articles about these other topics in the future. Good Luck and Stay Safe.

BIO Data:

Frank Rand Boatwright III (CISSP) is the COO and Chief Geek for PT. DNA which dba Naga Cyber, Naga Cybersecurity and Naga Cyber Defense. With 41 years of experience in IT and 34 years of Cybersecurity experience across the full spectrum of Cyber as a Presenter, Teacher and Enterprise Security Solutions Architect working in the Americas, Europe, Middle East and Asia for the Global 2000 Businesses and Governments as a part of Intel, Intel Security, McAfee, Citadel, Micromuse, GTEI, MCII and the USAF.

Tagged With: CKC, Cyber Kill Chain, Reconnaissance

Why Does Time Matter So Much To CyberSecurity?

April 20, 2021 by Frank Boatwright

Why do we worry about Time.
Time is our worst nightmare.
Time is our worst enemy.

Time you have none, the bad actor – the bad guy owns it all.

How do you gain time?
How do you earn time from them?

What is this? What am I talking about?

In Cybersecurity the defender, the protector and the target have a major disadvantage. The advantage of time belongs to the attacker. We must look at an attack as what it really is. In some cases these are attacks of opportunity and in others they are planned, coordinated and targeted directly at your business or your personal life with tons of preparation.

Why do so many successful attacks seem to be happening these days? Are the defenders getting worse or are the attackers doing more reconnaissance, planning, development and weaponization before the attack? In the cases of these planned attacks, planning means they spent time determining how to best achieve their goals. They’ve spent time being you and learning how to beat you.

Time is the difference, time. Why does time make the difference? It’s simple really when you think about what happens on the playing field. The team that spends the most time practicing, the team that works the hardest at getting their skills better, is usually the team that will win. Sometimes luck has a hand in the game, but normally skill, talent and experience beat luck any day.

In Cybersecurity time has one other disadvantage. The defender never knows when the attack is coming. So the state of alert, the state of defense, has to stay high 24 x 7, all year, every year. The defender never gets a day off, time to relax. This can lead to mistakes being made by the defender, so the attacker wins, earns and takes a holiday, and starts all over again. The defender never sleeps, never gets that holiday, that day off.

I’m going to keep this simple and utilize the game of darts as an example. You have a player, some darts and the dartboard. As simple as it gets. Just three elements: an attacker, something to attack with, and the target.

The Target is static, never moving, never changing. Kind of like most business computing systems. It is really easy for the attacker to pick up 5, 10 or 15 or even a billion darts and try to throw them for a bull’s-eye. This is an attack of opportunity. You work to overload the security, work to push through it. You don’t care if you’re seen; you don’t care if you’re noticed. All you care about is hitting the target.

What if you didn’t want to be seen? What if you wanted to install something, steal something, move something and not have anyone recognize that you ever touched the target? Wouldn’t it be easier to just make a copy of the playing field and practice in privacy? Do it over and over again, so that every time you do it you’re always successful in your practice. You remove all of the opportunity for mistakes. You learn muscle memory for throwing the dart perfectly. You hit the target every time, even with your eyes closed. You have all the time in the world to practice before you try for real.

That’s how the attacker wins, practice, practice, and more practice. They learn the playing field, they learn your environment, they learn your behavior as they learn more about YOU. They modify their throwing game, the way they hold the dart, the strength they use. The location they will attack from. Until they never can fail. Time is on their side. They pick and choose the place and time of the attack. The defender never has a say.

But what if the defender can move the target and keep the target moving? Well, if the targets move in a constant repeatable pattern, they just learn the pattern. They update their attacks, they update their model. They figure out your weakest spot, the spot you stop on and hold on. Like the maintenance window or the service time when the user is away but the system is on.

If the movement pattern is random enough and difficult enough, then the attacker has to decide if they have enough time to deal with this defender. Is this worth their effort? Am I going to make enough money to get a return on my investment? This is how the defender wins, by making it harder and harder for the attacker to have enough resources to be able to attack and still earn something from the attack.

For the defender to win, layers of security, layers of barriers that cost the attacker resources and, more importantly, gain the defender TIME, need to be applied in front of the hackers’ target. Each layer is designed to shift the view from the outside and make the ability to reach the target harder and harder. NEVER expect a single layer of protection to keep an attacker out. That is just a great way to advertise HACK ME.

If you allow the attacker to control the game, to control the clock, you lose. You must remove the control from the attacker to place control of time back with your defender. Managing your security to enforce the KILL during the first 3 phases of the Cyber Kill Chain (Reconnaissance, Weaponization and Delivery) is always best. Worst case, ALWAYS catch them at Exploitation or Installation. Stopping the attacker at the Command & Control or Actions on Objective phases, meaning while they are modifying your database or Exchange server, means the attacker was successful. You are now in clean up mode and trying to reduce the impact of the attack to the minimum. You don’t want to have an attacker that far down into your systems.

Don’t expect a Firewall and maybe a layer of Malware protection to defend you. Those are not enough to stop an attack of opportunity, let alone a planned attack. In my next article I will cover the methods of protection needed today in Indonesia to successfully protect your business and personal life. Just know that what worked in 1995 does not work 95% then, let alone today. Be Safe Out There.

Tagged With: Cyber Security, Delivery, Reconnaissance, Time, Weaponization

Copyright © 2025 · Naga Cyber Defense
