Author: Mark Satterfield

  • HostMantis Review: Seriously Good and Reliable Web Hosting!


    Diving into the world of web hosting can feel like navigating a complex network, a bit like the physical landscapes of wilderness paths and waterfalls I often hike. I’m searching for that stable, secure hosting company that not only keeps my online presence running smoothly but also sets up a reliable foundation for sharing my experiences with you.

    Speaking from my perspective, both stability and security are paramount. I don’t want to hear about compromised hosting, defaced websites, exploited accounts, and downtime. In this case, when it comes to hosting with HostMantis, the deafening silence has been golden. No alarms, no breaches, no unexpected outages, just consistent uptime and reliable service. For someone involved in computer network operations and vigilantly aware of potential vulnerabilities, this “no news” scenario is the ultimate reassurance. It means HostMantis is doing its job, allowing me to focus on other priorities. For a business owner, that priority is getting sales from the site; for a newspaper, it is sharing newsworthy articles with readers. In my case, the priority is a website that works flawlessly so I can tend to sharing life and my experiences with valuable readers like you.

    For the past four years, I’ve relied on HostMantis to provide hosting services. Their service has consistently exceeded my expectations. In this review, I’ll share my experience, outlining why HostMantis has been a solid hosting provider and why, from my viewpoint, it might be the stable, dependable, and effective solution you’ve been searching for.

    1. Infrastructure (e.g., URL & DNS vs Hosting)

    A few notes on my baseline site hosting and configuration, including a background on URL and Domains vs Hosting.

    My domains are registered elsewhere; I keep the domain registration separate from hosting. Here are a few reasons:

    2. HostMantis Account Configuration

    HostMantis provides two factor authentication with any 2FA app. I’ve tried it with Microsoft Authenticator, Twilio Authy, and Google Authenticator. All three worked flawlessly.

    Account security appears to be an area that HostMantis takes seriously.

    I have not validated their “break glass” process; that is, if I lost access to my account through hijacking or a lost authenticator token (for example, if your phone blows up), I’m unclear what the recovery back door is. I expect calling them would allow them to unlock my account, but again, it has not been tested.

    For the package I own, login starts as a Reseller account into a general HostMantis page.

    From there, enter the WHM (WebHost Manager) console. WHM is an industry standard from the makers of cPanel and is used by every cPanel-based hosting company I’ve used. WHM is where creation and management of individual sites happens. Creating sites is straightforward.

    Migrating Sites Into HostMantis

    Migrating active sites into HostMantis proved flawless. I used Duplicator at my old hosting company, downloaded the zip files, then uploaded them and ran the PHP installer. Everything was more than perfect.

    SSL Certificates

    HostMantis makes HTTPS available on all sites through the free Let’s Encrypt service, a platform I’ve been using since its official launch in 2016. As background, in the early days of Let’s Encrypt, securing sites with SSL/TLS required cron jobs and other manually configured automation. HostMantis’ solution is integrated into a single button.

    I would strongly recommend avoiding any hosting providers that do not provide free SSL.

    3. Performance and Reliability

    PageSpeed Insights

    PageSpeed has remained exceptional throughout my tenure with HostMantis. Seeing a 97 on a site leaves not much else to report!

    Tested with: https://pagespeed.web.dev

    Uptime reports

    Uptime has been excellent. I test uptime by checking every five minutes whether the home page loads. Over the course of two years, according to Uptime Robot, my primary site has experienced four incidents of downtime totaling 8 hours.

    Downtime incidents

    However, I was not able to corroborate this data point. For each of the downtime reports, by the time I tried to manually test the sites, they were all active again. It may have been an issue with Uptime Robot (not saying it was), but I am not able to assign “real” downtime to HostMantis.

    Response times

    The Uptime Robot response times are not nearly as stellar as the PageSpeed Insights score. I’ll have to defer here to others who may be able to “make this make sense”. If you happen to understand where the discrepancy between the two comes from, please get in touch with me.

    4. Customer Support: Always There When You Need Them

    Every one of the few tickets I’ve created has been answered in a timely fashion; nothing but admiration for the team.

    Pricing and Value

    HostMantis does not come cheap, but the value of that uptime and reliability is baked into the cost.

    5. Overall Experience: A Highly Recommended Hosting Company

    Considering the excellent performance I’ve experienced from this company over the last few years, I would fully recommend HostMantis as a web hosting company.

  • Medical Device Cyber Security: Challenges, Guidance, and Best Practices for Secure Deployment


    Last update: 2023-08-04

    1. Background

    Cyberattacks on medical devices are a growing threat to patient safety. Cybersecurity threats to healthcare have increased in both frequency and severity, and continue to be clinically impactful, causing delays in healthcare delivery. The security of medical devices is essential to protect patient safety and the integrity of healthcare data.

    Medical devices are FDA approved solutions that pose unique security challenges when deployed in enterprise networks. There are a number of reasons why medical devices are a cybersecurity and cyber risk challenge. For example, many medical devices are hosted on outdated operating systems. Also, being patient focused “first”, they may not have been designed with security in mind. Another risk is that medical devices are often connected to hospital networks, which means that a cyberattack on one device could spread to other devices on the directly connected network. An additional risk is that medical devices often contain sensitive patient data, which makes them a valuable target for hackers.

    The increasing number of cyberattacks on healthcare organizations is a major concern. In 2022, there was a 74% increase in cyberattacks on healthcare organizations worldwide. This is due to a number of factors, including the increasing use of connected medical devices, the growing sophistication of cybercriminals, and the high value of healthcare data.

    The potential risks of cyberattacks on medical devices are significant. They can lead to the theft of sensitive patient data, the disruption of patient care, and even the loss of life. It is therefore essential for healthcare organizations to take steps to protect their medical devices from cyberattacks.

    2. Scope

    These guidelines are focused on patient safety while introducing medical devices to the enterprise network. The document provides guidelines to safely and securely introduce vendor managed medical devices into operational enterprise networks. There are three entities involved. The customer is the hospital or medical facility; the vendor is the distributor of the medical device; and the manufacturer is the manufacturer on record with the FDA.

    3. Guidance & recommendations for deploying medical devices

    The following guidelines should be considered when evaluating medical devices.

    3.1 Fully document data system interfaces

    Medical devices are often integrated with electronic medical records and other intricate patient health systems. Confirm that the entirety of the medical device data system interface is fully documented with asset information, connected data repositories (data source & data destination), ports, and protocols. This information is important when evaluating whether additional protection (such as isolation or network segmentation) is practical. [1]

    3.2 Perform threat modeling

    All networked devices are susceptible to malicious compromise. In threat modeling medical devices, assume the device is compromised and consider what the threat actor can do with it. Consider patient safety first, and consider methods and techniques to protect the enterprise from the compromised medical device.

    Threat model development is twofold. First, how can a threat actor manipulate the machine itself, potentially affecting patient safety? Second, if the device is compromised, how can that device affect healthcare operations? Threat modeling discussions should include the vendor, since the vendor is more likely to intimately understand the vulnerabilities in the device. [2]

    While performing the threat model, consider that the hospital is likely not able to thoroughly scan the device for compromise. For example, consider that the device may have explicit but undocumented wireless Internet capability (many off-the-shelf computers have built-in Internet-capable SIM cards), or that a vendor employee may introduce an Internet-connected device for maintenance and updates, or that a threat actor could introduce an Internet-connected USB leave-behind. Since the hospital is likely not able to scan and control the medical device system, the hospital needs to protect itself from these types of threats.

    When performing threat modeling, consider specific examples of what a threat actor could do with the compromised device.  For example, a threat actor could:

    • Cause patient harm: Change the device’s settings or firmware. This could cause the device to malfunction, deliver incorrect treatment, and thereby harm the patient.
    • Perform data theft: Access and steal sensitive patient data. This could include medical records, insurance information, or financial data.
    • Leverage as a bastion host: Use the device as a launchpad for attacks on other devices or networks. This could spread malware or ransomware to other devices in the hospital network.

    3.3 Request for software changes & cyber security updates

    Medical devices often include general purpose computers and industry available off-the-shelf (OTS) operating systems. These devices are the responsibility of the manufacturer, and controlled by the manufacturer’s FDA approval. Changes to the device could pose a risk to patient safety.

    The device manufacturer bears the responsibility for the continued safe and effective performance of the medical device, including the performance of OTS software that is part of the device. [3, 4]

    The manufacturer is responsible for validating cyber security software changes to control vulnerabilities.  Any requested cyber security changes are ultimately the responsibility and authority of the manufacturer’s engagement with FDA. Concerns related to device security and vulnerabilities need to be addressed by external measures and compensating controls such as network segmentation.

    3.4 Implement compensating controls

    Due to the “hands off” nature of medical devices, compensating controls should be utilized wherever practical. For example, network segmentation is a method to improve data and system protection. [6] Network segmentation can be used to protect the medical device, and also to protect the enterprise network from compromised medical devices. Creating a network segment also forces the creation of a fully documented medical device data system interface (e.g., data flow diagrams), thereby enhancing the security of the engagement.

    3.5 Document maintenance responsibilities and maintenance schedules

    It is customary that the manufacturer maintains the medical device and associated software. However, there may be situations where operational staff are involved with portions of maintenance. Fully document the manufacturer’s requests for involvement.

    3.6 Document cyber security readiness

    Cyber incidents happen. It is important to ensure that staff are aware of the security risks posed by medical devices and how to protect the patient from those risks. For example, device-specific awareness training will guide the medical staff on actions to take during an attack. In addition, indicators of compromise should be documented and staff properly trained for awareness.

    A key to successfully resolving cyber incidents is a preplanned incident response playbook (e.g., a cyber security incident response plan, or CSIRP). Document the cyber security incident response opportunities and agreements between the hospital and the vendor, including the cyber security incident response contact teams.

    The cyber security protection plan should include guidelines and procedures for

    • Identify: Threat landscapes are continually evolving, and it is critical to recognize threats as applied to specific devices. During the device lifecycle, many changes will occur, including changes on the device itself, software patches, and connected network changes. Contractually agree to a regular cadence of “re-documenting” the system to confirm cyber security readiness.
    • Protect: Periodically review the security controls in place, and confirm that the controls continue to effectively protect the device from newly discovered threat vectors and vulnerabilities.
    • Detect: Identify signs of compromise. It is especially important that staff be made aware of indicators of compromise, and what to do if a machine is acting as though it is compromised. For example, fully document who the staff should contact when presented with what is believed to be suspicious activity.
    • Respond: Methods to isolate the compromised device to prevent additional attacks. Keep in mind that these are medical devices, and immediately isolating the medical device may negatively affect patient care. It is important to understand how to respond to a cyber attack while ultimately protecting patient care.
    • Recover: Restore operations and patient data.

    The CSIRP should periodically be tested.

    3.7 Simplicity is the key to security

    The least burdensome approach to maintaining and protecting medical devices should be considered. [7, 8] Consider the FDA approved device a complex “vendor managed solution” where forcing last-minute vendor changes is neither practical nor secure. Instead, recognize the device as unmanaged, with unmanaged risks and unmanaged validation, and work to implement a framework of controls around the device that protects both the device itself and the rest of the enterprise from the device.

    3.8 Informal agreements are not obligations

    Emails and discussions are not contractual obligations. Consider the value of the emails and discussions, and document any fundamentally important agreements as contractual obligations. Consider whether the agreements are absolutely critical to the engagement, and apply the principles of practical security.

    4. Conclusion

    Medical devices are capable of directly affecting patient care. These devices are also often connected to other infrastructure components, with the ability to affect patient records, retrieve and store sensitive patient information, and be used as jump boxes into the rest of a hospital network.

    When considering methods to protect the medical device system from attack by a threat actor, and to protect the hospital network from being attacked by a rogue device, the most effective methods are

    • To coach medical staff on cyber security readiness,
    • To employ methods to encapsulate and control network traffic,
    • To regularly revisit the vulnerability landscape for the system, and
    • To understand how an offensive operator can use that medical system to their benefit, to the hospital’s detriment, and to the patient’s peril.

    Medical devices & systems are a critical part of patient care, and securing these systems is essential to protecting patients from harm.

    ——————

    References

    [1] Food and Drug Administration (FDA), “Medical Device Data Systems, Medical Image Storage Devices, and Medical Image Communications Devices: Guidance for Industry and Food and Drug Administration Staff”, September 28, 2022, https://www.fda.gov/media/88572/download
    [2] MITRE, “Playbook for Threat Modeling Medical Devices”, November 30, 2021, https://www.mitre.org/sites/default/files/2021-11/Playbook-for-Threat-Modeling-Medical-Devices.pdf
    [3] Food and Drug Administration (FDA), “Guidance Document: Off-The-Shelf Software Use in Medical Devices, Guidance for Industry and Food and Drug Administration Staff”, September 27, 2019 (originally issued September 9, 1999), https://www.fda.gov/regulatory-information/search-fda-guidance-documents/shelf-software-use-medical-devices
    [4] Food and Drug Administration (FDA), “Global Approach to Software as a Medical Device”, https://www.fda.gov/medical-devices/software-medical-device-samd/global-approach-software-medical-device
    [5] Food and Drug Administration (FDA), “Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software”, https://www.fda.gov/media/72154/download
    [6] National Institutes of Health (NIH), “Information Technology and Medical Technology Personnel’s Perception Regarding Segmentation of Medical Devices: A Focus Group Study”, https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7151197/
    [7] Food and Drug Administration (FDA), “Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software”, January 14, 2005, https://www.fda.gov/regulatory-information/search-fda-guidance-documents/cybersecurity-networked-medical-devices-containing-shelf-ots-software
    [8] Hoffer, Gregory, “Complexity is Still the Enemy of Security”, https://www.cyberdefensemagazine.com/complexity-is-still-the-enemy-of-security/
  • How to secure FDA approved medical devices from hackers


    Cyberattacks on medical devices are a growing threat to patient safety. Cybersecurity threats to healthcare have increased in both frequency and severity, and continue to be clinically impactful, causing delays in healthcare delivery. The security of medical devices is essential to protect patient safety and the integrity of healthcare data.

    1 Background

    Medical devices are FDA approved solutions that pose unique security challenges when deployed in enterprise networks. There are a number of reasons why medical devices are a cybersecurity and cyber risk challenge.

    1.1 Unpatched and outdated systems

    Ripe for exploitable vulnerabilities, many medical devices are hosted on outdated operating systems. Medical devices are normally managed by the vendor, not by the customer. As such, the customer is not always “in the know” about when updates occur. Certainly, contractual agreements may exist, but policy safeguards do not always represent the technical landscape. Often the medical device vendor will rightfully cite “FDA approval” for controlling the system. If an untested patch is installed by a customer, the untested system may introduce medical control issues that affect patient safety.

    1.2 Security not first

    Being patient focused “first”, medical devices are not normally designed as “security first”. This may be a difficult situation to negotiate with the vendor. For example, a gamma knife scheduling system compromised by malware may be marginally operational, and not affect patient safety. But a gamma knife compromised by malware or ransomware during a medical procedure may introduce lethal situations to a patient.

    As security specialists, it is our job to make sure all parties understand the risks of security compromise. Ultimately, it is our job to notify the business of these risks, and it is the business that decides how to move forward in these situations.

    1.3 Highly network connected

    Another risk is that medical devices are often connected to hospital networks and potentially directly to the Internet, which means that a cyberattack on one device could spread to other devices on the directly connected network. The fact that these devices may be vulnerable (as pointed out above) and connected to the enterprise network makes them nominal bastion hosts for jumping into the network, and therefore a valuable target for attack.

    1.4 Sensitive patient data

    Additional risk areas are that medical devices often contain sensitive patient data, which makes them directly a valuable target for hackers without even needing to jump into the rest of the network.

    2 The statistics

    The increasing number of cyberattacks on healthcare organizations is a major concern. In 2022, there was a 74% increase in cyberattacks on healthcare organizations worldwide. This is due to a number of factors, including the increasing use of connected medical devices, the growing sophistication of cybercriminals, and the high value of healthcare data.

    The potential risks of cyberattacks on medical devices are significant. They can lead to the theft of sensitive patient data, the disruption of patient care, and even the loss of life. It is therefore essential for healthcare organizations to take steps to protect their medical devices from cyberattacks.

    3 Guidance & recommendations

    The following guidelines should be considered when evaluating medical devices. This guidance document is focused on patient safety and introducing medical devices to enterprise networks. The recommendations provide guidelines to safely and securely introduce vendor managed medical devices into operational enterprise networks. There are three entities involved. The customer is the hospital or medical facility; the vendor is the distributor of the medical device; and the manufacturer is the manufacturer on record with the FDA.

    3.1 Fully document data system interfaces

    Medical devices are often integrated with electronic medical records and other intricate patient health systems. Confirm that the entirety of the medical device data system interface is fully documented with asset information, connected data repository (data source & data destination), ports, and protocols. This information is important when evaluating whether additional protection (such as isolation or network segmentation) is practical. [reference 1]

    3.2 Perform threat modeling

    All networked devices are susceptible to malicious compromise. In threat modeling medical devices, assume the device is compromised and consider what the threat actor can do with it. Consider patient safety first, and consider methods and techniques to protect the enterprise from the compromised medical device. [reference 2]

    Threat model development is twofold. First, how can a threat actor manipulate the machine itself, potentially affecting patient safety? Second, if the device is compromised, how can that device affect healthcare operations? Threat modeling discussions should include the vendor, since the vendor is more likely to intimately understand the vulnerabilities in the device.

    While developing the threat model, consider that the hospital is likely not able to thoroughly scan the device for compromise. For example, consider that the device may have explicit but undocumented wireless Internet capability (many off-the-shelf computers have built-in Internet-capable SIM cards), or that a vendor employee may introduce an Internet-connected device for maintenance and updates, or that a threat actor could introduce an Internet-connected USB leave-behind. Since the hospital is likely not able to scan and control the medical device system, the hospital needs to protect itself from these types of threats.

    When performing threat modeling, consider specific examples of what a threat actor could do with the compromised device. For example, a threat actor could:

    • Cause patient harm: Change the device’s settings or firmware. This could cause the device to malfunction, deliver incorrect treatment, and thereby harm the patient.
    • Perform data theft: Access and steal sensitive patient data. This could include medical records, insurance information, or financial data.
    • Leverage as a bastion host: Use the device as a launchpad for attacks on other devices in the networks. This could spread malware or ransomware to other devices in the hospital network.

    3.3 Request for software changes & cyber security updates

    Medical devices often include general purpose computers and industry available off-the-shelf (OTS) operating systems. These devices are the responsibility of the manufacturer, and controlled by the manufacturer’s FDA approval. Untested changes to the device could pose a risk to patient safety.

    The device manufacturer bears the responsibility for the continued safe and effective performance of the medical device, including the performance of OTS software that is part of the device. [reference 3, 4]

    The manufacturer is responsible for validating cyber security software changes to control vulnerabilities. Any requested cyber security changes are ultimately the responsibility and authority of the manufacturer’s engagement with FDA. [reference 5] Concerns related to device security and vulnerabilities need to be addressed by external measures and compensating controls such as network segmentation.

    3.4 Implement compensating controls

    Due to the “hands off” nature of medical devices, compensating controls should be utilized wherever practical. For example, network segmentation is a method to improve data and system protection. [reference 6] Network segmentation can be used to protect the medical device, and also to protect the enterprise network from compromised medical devices. Creating a network segment also forces the creation of a fully documented medical device data system interface (e.g., data flow diagrams), thereby enhancing the security of the engagement.
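    Once the interface inventory that section 3.1 calls for exists (here and in the companion “Medical Device Cyber Security” guidance above), it doubles as the allow-list for the network segment described in this section and as a detection source for the “Detect” step of section 3.6: any flow touching the device that is not in the inventory is either a documentation gap or a sign of compromise, and undocumented egress to an address outside the enterprise is exactly the undocumented-Internet-path case the threat model warns about. The following is an added example, not code from the original article, any manufacturer or any vendor; the device name, addresses, ports, log format and log lines are constructed for illustration.

```python
"""Audit observed network flows against a medical device's documented
data-system interface inventory (constructed example, not from the article)."""
from dataclasses import dataclass
import ipaddress

# Address space the hospital treats as internal (RFC 1918; constructed assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Interface:
    """One documented flow: asset, data source, data destination, port, protocol."""
    device: str
    src: str       # host address or CIDR block
    dst: str
    port: int
    proto: str


# Constructed interface inventory for a hypothetical infusion-pump gateway.
INVENTORY = [
    Interface("pump-gateway", "10.20.5.0/24", "10.10.1.15", 443, "tcp"),   # pumps -> gateway (HTTPS)
    Interface("pump-gateway", "10.10.1.15", "10.10.8.40", 2575, "tcp"),    # gateway -> EMR (HL7 over MLLP)
    Interface("pump-gateway", "10.10.1.15", "10.10.0.53", 53, "udp"),      # gateway -> DNS
]
# Addresses belonging to the vendor-managed device system (constructed).
DEVICE_HOSTS = {"10.10.1.15"}


def _matches(net_or_host: str, addr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net_or_host, strict=False)


def is_documented(src: str, dst: str, port: int, proto: str) -> bool:
    """True if the flow is covered by the documented interface inventory."""
    return any(_matches(i.src, src) and _matches(i.dst, dst)
               and i.port == port and i.proto == proto.lower()
               for i in INVENTORY)


def is_internal(addr: str) -> bool:
    return any(ipaddress.ip_address(addr) in n for n in INTERNAL_NETS)


def parse_conn_line(line: str):
    """Parse the constructed log format '<timestamp> <src> <dst> <proto>/<port>'."""
    ts, src, dst, proto_port = line.split()
    proto, port = proto_port.split("/")
    return ts, src, dst, int(port), proto.lower()


def audit(lines):
    """Return a finding for every flow touching the device that is not documented.

    Undocumented egress to an address outside the enterprise is rated HIGH,
    because the threat model assumes the device may have an unlisted Internet
    path (built-in SIM, vendor maintenance link, USB leave-behind). Any other
    undocumented flow is MEDIUM: either the interface document is incomplete
    or the device is talking to something it should not.
    """
    findings = []
    for line in lines:
        ts, src, dst, port, proto = parse_conn_line(line)
        if src not in DEVICE_HOSTS and dst not in DEVICE_HOSTS:
            continue                      # not the device system; out of scope
        if is_documented(src, dst, port, proto):
            continue
        outbound = src in DEVICE_HOSTS
        severity = "HIGH" if outbound and not is_internal(dst) else "MEDIUM"
        findings.append({"ts": ts, "src": src, "dst": dst, "port": port,
                         "proto": proto, "severity": severity,
                         "note": ("undocumented egress outside the enterprise"
                                  if severity == "HIGH"
                                  else "flow not in interface inventory")})
    return findings


# Constructed connection log: three documented flows, two that are not,
# and one unrelated flow that the audit ignores.
SAMPLE_LOG = """\
2023-08-04T10:00:01 10.20.5.17 10.10.1.15 tcp/443
2023-08-04T10:00:05 10.10.1.15 10.10.8.40 tcp/2575
2023-08-04T10:00:09 10.10.1.15 10.10.0.53 udp/53
2023-08-04T10:01:12 10.10.1.15 10.10.8.40 tcp/445
2023-08-04T10:02:30 10.10.1.15 203.0.113.9 tcp/8443
2023-08-04T10:03:00 10.10.3.22 10.10.3.23 tcp/80
""".splitlines()

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ts']} {f['src']} -> {f['dst']} "
              f"{f['proto']}/{f['port']}: {f['note']}")
```

    Run against the constructed log, the audit flags the SMB-port flow from the gateway to the EMR host as MEDIUM and the HTTPS flow to 203.0.113.9 as HIGH, while the three inventoried flows and the unrelated host pair produce nothing. In practice the inventory would be loaded from the data-flow documentation agreed with the vendor, and a MEDIUM finding is as likely to mean the documentation is stale (which section 3.6 asks you to re-confirm on a regular cadence) as it is to mean compromise; either way the document, not the device, is what the hospital can change.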

    3.5 Document maintenance responsibilities and maintenance schedules

    It is customary that the manufacturer maintains the medical device and associated software. However, there may be situations where operational staff are involved with portions of maintenance. Fully document the manufacturer’s requests for involvement.

    3.6 Document cyber security readiness

    Cyber incidents happen. It is important to ensure that staff are aware of the security risks posed by medical devices and how to protect the patient from those risks. For example, device-specific awareness training will guide the medical staff on actions to take during an attack. In addition, indicators of compromise should be documented and staff properly trained for awareness.

    A key to successfully resolving cyber incidents is a preplanned incident response playbook (e.g., a cyber security incident response plan, or CSIRP). Document the cyber security incident response opportunities and agreements between the hospital and the vendor, including the cyber security incident response contact teams.

    The cyber security protection plan should include guidelines and procedures to

    • Identify: Threat landscapes are continually evolving, and it is critical to recognize threats as applied to specific devices. During the device lifecycle, many changes will occur, including changes on the device itself, software patches, and connected network changes. Contractually agree to a regular cadence of “re-documenting” the system to confirm cyber security readiness.
    • Protect: Periodically review the security controls in place, and confirm that the controls continue to effectively protect the device from newly discovered threat vectors and vulnerabilities.
    • Detect: Identify signs of compromise. It is especially important that staff be made aware of indicators of compromise, and what to do if a machine is acting as though it is compromised. For example, fully document who the staff should contact when presented with what is believed to be suspicious activity.
    • Respond: Methods to isolate the compromised device to prevent additional attacks. Keep in mind that these are medical devices, and immediately isolating the medical device may negatively affect patient care. It is important to understand how to respond to a cyber attack while ultimately protecting patient care.
    • Recover: Restore operations and patient data.

    It is critical that the CSIRP be tested on a regular basis, and after any significant system change. This testing exercise confirms that the CSIRP remains valid in the dynamic operational enterprise environment.

    3.7 Simplicity is the key to security

    The “least burdensome approach” to maintaining and protecting medical devices should be considered. [reference 7, 8] Consider the FDA approved device a complex “vendor managed solution” where forcing last-minute vendor changes is neither practical nor secure. Instead, recognize the device as unmanaged (unmanaged from the customer’s point of view), with unmanaged risks and unmanaged validation, and work to implement a framework of controls around the device that protects both the device itself and the rest of the enterprise from the device.

    3.8 Informal agreements are not obligations

    Remember that emails and discussions are not contractual obligations. Consider the value of the emails and discussions, and document any fundamentally important agreements as contractual obligations. Consider whether the agreements are absolutely critical to the engagement, and apply the principles of “practical security”.

    4 Conclusion

    Medical devices are capable of directly affecting patient care. These devices are also connected to other infrastructure components, with the ability to affect patient records, retrieve and store sensitive patient information, and be used as jump boxes into the rest of a hospital network.

    When considering methods to protect the medical device system from attack by a threat actor, and to protect the hospital network from being attacked by a rogue device, the most effective methods are

    • To coach medical staff on cyber security readiness,
    • To employ methods to encapsulate and control network traffic,
    • To regularly revisit the vulnerability landscape for the system, and
    • To understand how an offensive operator can use that medical system to their benefit, to the hospital’s detriment, and to the patient’s peril.

    Medical devices & systems are a critical part of patient care, and securing these systems is essential to protecting patients and providing healthcare services.

    Reference material

    • 1 Food and Drug Administration (FDA), “Medical Device Data Systems, Medical Image Storage Devices, and Medical Image Communications Devices Guidance for Industry and Food and Drug Administration Staff”, September 28, 2022, https://www.fda.gov/media/88572/download
    • 2 MITRE, “Playbook for threat modeling medical devices”, November 30, 2021, https://www.mitre.org/sites/default/files/2021-11/Playbook-for-Threat-Modeling-Medical-Devices.pdf
    • 3 Food and Drug Administration (FDA), “Guidance Document: Off-The-Shelf Software Use in Medical Devices, Guidance for Industry and Food and Drug Administration Staff”, September 27, 2019 (originally issued September 9, 1999), https://www.fda.gov/regulatory-information/search-fda-guidance-documents/shelf-software-use-medical-devices
    • 4 Food and Drug Administration (FDA), “Global Approach to Software as a Medical Device”, https://www.fda.gov/medical-devices/software-medical-device-samd/global-approach-software-medical-device
    • 5 Food and Drug Administration (FDA), “Guidance for Industry Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software”, https://www.fda.gov/media/72154/download
    • 6 National Institutes of Health (NIH), “Information Technology and Medical Technology Personnel´s Perception Regarding Segmentation of Medical Devices: A Focus Group Study”, https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7151197/
    • 7 Food and Drug Administration (FDA), “Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software”, January 14, 2005, https://www.fda.gov/regulatory-information/search-fda-guidance-documents/cybersecurity-networked-medical-devices-containing-shelf-ots-software
    • 8 Hoffer, Gregory, “Complexity is Still the Enemy of Security”, https://www.cyberdefensemagazine.com/complexity-is-still-the-enemy-of-security/
  • Python paradise: Ditch the setup, soar with cloud Python

    Python paradise: Ditch the setup, soar with cloud Python

    Are you an experienced Python programmer? Then this article is for you. New to Python, or new to programming altogether? Then this article is DEFINITELY for you!

    Colab: Your browser-Based Python Playground

    Colaboratory, or Colab, is a game-changer for anyone who wants to code with Python. It’s a free, cloud-hosted Jupyter notebook environment that lets you write and execute Python code right in your browser, without any setup required. Whether you’re a seasoned data scientist, a curious student, or just someone who wants to tinker with code, Colab has something to offer you.

    What is Colab?

    Each Colab notebook is backed by a virtual machine running in Google's cloud, with popular Python libraries pre-installed, including NumPy, Pandas, TensorFlow, and PyTorch. You can reach it from any device with a web browser, which makes it remarkably versatile and accessible. Two caveats: the runtime is ephemeral, so anything saved to the VM's local disk is gone once the session ends unless you write it to Google Drive or download it; and a notebook is shareable, so never paste credentials or API keys into cells you might share.

    What can you do with Colab?

    The possibilities with Colab are endless. Here are just a few things you can do:

    • Data science and machine learning: Analyze data, build machine learning models, and train them on powerful GPUs
    • Deep learning: Experiment with deep learning frameworks like TensorFlow and PyTorch without having to install anything on your own computer
    • Scientific computing: Perform numerical computations and simulations
    • Education: Learn Python and data science in an interactive environment
    • Web development: Prototype web applications using Python frameworks like Flask and Django (Colab is a notebook environment, not a hosting platform, so production deployment happens elsewhere)

    Getting started with Colab

    Getting started with Colab is easy. Just visit https://colab.research.google.com/ and click “New notebook.” You’ll be up and running in seconds, with a blank notebook ready for your Python code.

    Benefits of using Colab

    There are many benefits to using Colab, including:

    • Free to use: the standard tier costs nothing (paid tiers add more compute and longer sessions)
    • No setup required: Just open your browser and start coding
    • Accessible from anywhere: Use Colab from any device with a web browser
    • Powerful hardware: Colab runs on Google’s cloud infrastructure, giving you access to GPUs and TPUs, subject to availability limits on the free tier
    • Pre-installed libraries: No need to install the common Python libraries yourself
    • Collaborative: Share your notebooks with others and work together on projects

    Final thoughts

    Colab is a valuable tool for anyone who wants to code with Python. It’s free, easy to use, and powerful.

    Future parts of this post

    …may include…

    • Tips and tricks for using Colab
    • Examples of cool things you can do with Colab
    • A comparison of Colab to other Jupyter notebook environments
    • Links to additional resources about Colab

  • Watering Hole attack: Cybercriminals subvert your most vulnerable favorite websites

    Watering Hole attack: Cybercriminals subvert your most vulnerable favorite websites

    A watering hole attack is a type of cyberattack in which the attacker targets a website or online service that is known to be frequented by the victim’s target audience. The attacker then compromises the website or service and injects malicious code into it. When the victim visits the website or uses the service, they are infected with malware.

    Watering hole attacks are more sophisticated than phishing attacks and harder to defend against, because the victim is never tricked into clicking a malicious link: they are visiting a site they already use and trust.

    The skill of attack: How watering hole attacks work

    There are two broad categories for watering hole attacks.

    Opportunistic watering hole

    The first is the opportunistic watering hole attack. Here the attacker has discovered a vulnerable website, compromises it, and waits for any visitor to happen by.

    An opportunistic watering hole attack typically follows these steps:

    1. The attacker identifies a website or service that can be compromised.
    2. The attacker compromises the website or service and injects malicious code into it.
    3. Any victim visits the website or uses the service.
    4. The malicious code is executed and the victim is infected with malware.

    Targeted watering hole

    In the second, the watering hole is a site known to be used by a specific targeted victim. This is a more sophisticated attack against a known target.

    A targeted watering hole attack typically follows these steps:

    1. The attacker enumerates websites and online services that are known to be frequented by the targeted victim.
    2. The attacker enumerates vulnerabilities on the websites and online services.
    3. The attacker compromises the websites or services and injects malicious code into them.
    4. The victim visits the website or uses the service. To evade detection, the attacker may gate the payload so that it runs only for the intended target (for example, by checking the visitor's IP range, browser language, or other fingerprint) and stays inert for everyone else, which also keeps it out of the hands of researchers and sandboxes.
    5. The malicious code is executed and the victim is infected with malware.

    The malware can then be used to gain access to the victim’s computer or network, or to steal data.

    How to defend against watering hole attacks

    There are a number of ways to defend against watering hole attacks, including:

    • Educating users: User education is almost always offered as the “go to” solution for all things cyber. Novice defenders believe that “ISO Layer 8” (the human) is the easiest attack surface to compromise, and it is true that the user is the easiest “operating system” to attack. That said, watering holes are a unique technique in that the end user often has to use the watering hole in the normal course of business. So how can users be educated to avoid watering holes when these are otherwise “trusted sites”? They cannot be taught the basic tenet of “avoid untrusted sites” here. Instead, users need to be made aware of anomalies that might occur when visiting otherwise trusted sites (unexpected download prompts, plugin or “update” requests, certificate warnings, login pages that appear out of context), a much more complicated endeavor, but one that must be explored.
    • Maintain updated systems: Updates and patches must be maintained on the enterprise systems. Maintaining updated and patched software reduces the opportunity for exploits to successfully land on the enterprise.
    • URL filtering: Use URL filtering software that tests the URL destination for malware before it loads into a potential victim’s browser.
    • Continuous website monitoring: Organizations should monitor websites that are frequented by their employees or customers for signs of compromise, for example by diffing the scripts a page loads against a known-good baseline, reviewing proxy logs for new third-party domains, or using other security tools (a web application firewall protects your own site, not someone else's). When compromise is identified, block access to the website and proactively contact the site operator.
    • Using security software: Security software can help to detect and block malicious code. Security software should be kept up to date with the latest virus definitions.
    • Using intrusion detection systems: Intrusion detection systems (IDSs) can help detect malicious activity on a network. Tune them for the follow-on activity of a watering hole: exploit-kit landing pages, unexpected downloads, and new command-and-control connections that begin right after a visit to a trusted site.
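    One concrete way to do the “continuous website monitoring” above is to snapshot the scripts a trusted page loads and alert when that inventory changes. The Python below is an added example for this article, not a tool from the original post: the two HTML snapshots, the hostnames (reserved `.test` names) and the “trusted hosts” list are constructed to illustrate a page before and after an injection.

```python
"""Diff the scripts a trusted page loads against a known-good baseline.

Added example for this article, not a tool from the original post. The two
HTML documents and the hostnames (*.test) are constructed for illustration.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external <script src> URLs and SHA-256 hashes of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = set()
        self.inline_hashes = set()
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.add(src.strip())
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data, possibly in chunks.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip()
            if body:
                self.inline_hashes.add(hashlib.sha256(body.encode("utf-8")).hexdigest())


def script_inventory(html):
    """Return (external script URLs, inline script hashes) for a page."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline_hashes


def hosts_of(urls):
    """Hostnames referenced by script URLs; scheme-relative '//host/x.js' is handled too."""
    hosts = set()
    for url in urls:
        if url.startswith("//"):
            url = "https:" + url
        host = urlparse(url).netloc.lower()
        if host:
            hosts.add(host)
    return hosts


def diff_against_baseline(baseline_html, current_html, trusted_hosts):
    """Flag scripts that were not present in the baseline snapshot.

    A new inline script, a new external script, or a script host that is not on
    the trusted list is exactly what an injected watering-hole loader looks like.
    """
    base_ext, base_inline = script_inventory(baseline_html)
    cur_ext, cur_inline = script_inventory(current_html)
    new_external = cur_ext - base_ext
    new_inline = cur_inline - base_inline
    unknown_hosts = hosts_of(new_external) - {h.lower() for h in trusted_hosts}
    return {
        "new_external": new_external,
        "new_inline_hashes": new_inline,
        "unknown_hosts": unknown_hosts,
        "alert": bool(new_external or new_inline or unknown_hosts),
    }


# Constructed snapshots of a hypothetical industry-news site staff visit daily.
TRUSTED_HOSTS = {"cdn.example-news.test"}

BASELINE_HTML = """<html><head>
<script src="https://cdn.example-news.test/app.js"></script>
<script>window.siteConfig = {region: "us"};</script>
</head><body><h1>Daily brief</h1></body></html>"""

# Same page after compromise: a new third-party loader plus a gated inline stager.
COMPROMISED_HTML = """<html><head>
<script src="https://cdn.example-news.test/app.js"></script>
<script>window.siteConfig = {region: "us"};</script>
<script src="//stats-collector.attacker.test/m.js"></script>
<script>if (navigator.language.startsWith("de")) { /* stage-2 loader */ }</script>
</head><body><h1>Daily brief</h1></body></html>"""


if __name__ == "__main__":
    result = diff_against_baseline(BASELINE_HTML, COMPROMISED_HTML, TRUSTED_HOSTS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

    In practice you would fetch the page on a schedule through the same egress your users take, keep the first fetch as the baseline, and page an analyst on any alert; a legitimate site redesign will also trigger it, which is the point at which you refresh the baseline after a human has looked.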

    Conclusion

    Watering hole attacks are a serious threat to organizations and individuals. By taking steps to educate users, use security software, monitor websites, and use intrusion detection systems, organizations can help to protect themselves from these attacks.

  • The best free video editors for vlogging, YouTube, and more!

    The best free video editors for vlogging, YouTube, and more!

    tl;dr? My video solution is DaVinci Resolve, my go-to non-linear video editor.

    Along with their text-based blog cousins, vlogs (video logs) have been all the rage for a few years now. I’m sure you have seen a few. In fact, if you have ever watched a video on YouTube, you were likely watching a vlog. Vlogs are often shot on phones or other minimal capture devices, then edited in a video editor.

  • HostMantis WordPress web hosting review – Excellent A1!

    HostMantis WordPress web hosting review – Excellent A1!

    HostMantis is a web hosting company that has been providing reliable and affordable hosting services since 2014. They offer a range of hosting solutions, including shared hosting, reseller hosting, VPS hosting, and dedicated servers.

    One of the standout features of HostMantis is their excellent uptime guarantee. They promise 99.9% uptime, and many users report that their sites are up and running smoothly without any issues.

    HostMantis also offers fast and responsive customer support. They have a support team available 24/7, and users can contact them via live chat, phone, or support ticket. Many users report that the support team is knowledgeable and helpful, and they always go the extra mile to solve any issues that arise.

    Another great thing about HostMantis is their user-friendly control panel. The cPanel interface makes it easy to manage your website, set up email accounts, and install popular applications like WordPress.

    HostMantis also provides a range of security features to keep your site safe from cyber threats. They offer free SSL certificates, daily backups, and malware scanning and removal.

    This article is the one month HostMantis review.

    Easy setup and installation

    Configuring a new host is meaningfully time consuming. Do the right thing today, and there should be smooth sailing tomorrow.

    HostMantis proved extremely efficient at setup and installation. Uploading the website over FTP was flawless (prefer SFTP or FTPS where the host offers them, since plain FTP sends credentials in the clear), and there were sufficient compute resources on the hosting account to unpack and install the WordPress zip files.

    I did not use the service, but HostMantis offers free website migration services for customers who want to transfer their website from another hosting provider. Their migration team handles the entire process, including transferring files, databases, and DNS settings, making it easy for website owners to switch to HostMantis without any hassle.

    Uptime testing

    Uptime guarantees are contractual Service Level Agreements (SLAs), in which the vendor promises to compensate the buyer if uptime falls short. The problem is that you as a consumer aren’t really interested in the guarantee; you are interested in actual uptime for your customers.

    Say you own a restaurant. You’ve contracted with a company that promises “99% uptime guaranteed, or we will refund your entire month of service!” That sounds good: if they deliver less than 99% uptime, you get back the $100/month they charged you. But how does this affect your business? 99% uptime allows roughly 7.3 hours of downtime per month (1% of about 730 hours). That means your site could be down for two outages of more than three and a half hours each, on your busiest days, and the provider has still met its contractual obligation. How is that going to work out for you? What are your business continuity plans for those hours of downtime? Even worse, if they exceed that budget, their only obligation is to return the $100 fee they charged you.

    Testing process

    We will be testing HostMantis uptime over the next two years, and report back to you on findings.

    Testing the uptime guarantee of a web hosting service can be a tricky and time-consuming task, but it is an essential aspect to consider before choosing a hosting provider. The uptime guarantee is the percentage of time that a web hosting service promises to keep your website up and running without any interruptions. Most reputable web hosting providers offer an uptime guarantee of at least 99.9%.

    To test the uptime guarantee, you need to monitor your website’s uptime continuously over a period of time using a reliable monitoring tool. These tools check your website’s availability at regular intervals and alert you if it goes down. Some popular monitoring tools include Pingdom, Uptime Robot, and StatusCake.

    When monitoring your website’s uptime, you should set up alerts for downtime and track the uptime percentage over time. This will give you an idea of how often your website experiences downtime and whether it meets the uptime guarantee promised by your hosting provider.

    It’s important to keep in mind that downtime can be caused by factors outside the hosting provider’s control, such as internet outages or server maintenance. However, if your website experiences downtime frequently or for extended periods, it may be a sign of poor server performance or inadequate resources, and you may need to consider switching to a more reliable hosting provider.
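    To make the SLA arithmetic above and the monitoring advice concrete, here is an added Python example (not from the original review, and not HostMantis tooling). It computes the downtime an SLA actually permits and evaluates a monitor's check history; the check log is constructed to show a ten-minute outage inside one hour of five-minute probes, and a real export from Uptime Robot, Pingdom or StatusCake would be mapped onto the same timestamp/status lines.

```python
"""Uptime SLA arithmetic and evaluation of uptime-monitor results.

Added example for this review, not from the original post or from HostMantis.
The check log is constructed (status every five minutes); a real monitor such
as Uptime Robot or StatusCake exports similar timestamp/status records.
"""
from datetime import datetime, timedelta


def downtime_budget_hours(sla_percent, period_hours=730.0):
    """Hours of downtime an SLA tolerates per period (730 h is an average month)."""
    return period_hours * (100.0 - sla_percent) / 100.0


def parse_checks(text):
    """Parse 'ISO-8601-timestamp up|down' lines into sorted (datetime, is_up) tuples."""
    checks = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        stamp, status = line.split()
        checks.append((datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"), status.lower() == "up"))
    return sorted(checks)


def summarize(checks):
    """Uptime percentage, total downtime and longest outage.

    Each check is taken to describe the interval until the next check, so a
    'down' result followed five minutes later by 'up' counts as five minutes down.
    """
    if len(checks) < 2:
        raise ValueError("need at least two checks to measure an interval")
    total = down = longest = current = timedelta()
    for (t0, is_up), (t1, _) in zip(checks, checks[1:]):
        span = t1 - t0
        total += span
        if is_up:
            current = timedelta()
        else:
            down += span
            current += span
            longest = max(longest, current)
    return {
        "uptime_percent": 100.0 * (1 - down / total),
        "downtime_hours": down.total_seconds() / 3600,
        "longest_outage_minutes": longest.total_seconds() / 60,
    }


def meets_sla(summary, sla_percent):
    """True if the measured uptime is at or above the promised percentage."""
    return summary["uptime_percent"] >= sla_percent


# Constructed monitor export: one hour of five-minute checks with a ten-minute outage.
SAMPLE_CHECKS = """\
2024-03-01T00:00:00Z up
2024-03-01T00:05:00Z up
2024-03-01T00:10:00Z down
2024-03-01T00:15:00Z down
2024-03-01T00:20:00Z up
2024-03-01T00:25:00Z up
2024-03-01T00:30:00Z up
2024-03-01T00:35:00Z up
2024-03-01T00:40:00Z up
2024-03-01T00:45:00Z up
2024-03-01T00:50:00Z up
2024-03-01T00:55:00Z up
2024-03-01T01:00:00Z up
"""

if __name__ == "__main__":
    for sla in (99.0, 99.9, 99.99):
        print(f"{sla}% SLA allows {downtime_budget_hours(sla):.2f} h/month of downtime")
    s = summarize(parse_checks(SAMPLE_CHECKS))
    print(s, "meets 99.9%:", meets_sla(s, 99.9))
```

    The longest-outage figure matters more than the percentage for a business: a 99.9% month can still hide a single 40-minute outage at lunchtime, which is the number to take into your continuity planning.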

    HostMantis uptime results

    The result after two years was unexpected and impressive. Two different uptime monitors were used across the two years of hosting with HostMantis.

    Both reported 100% uptime for the entire period of service.

    Security is critical to success

    Web site security is critical to success. Whether you are running a multinational corporation, or a home based business, web security is going to be reviewed by your customers.

    TLS (Transport Layer Security), the successor to SSL (Secure Sockets Layer) and still commonly called “SSL”, is the technology that secures communications between a website and a user’s browser. It establishes an encrypted, authenticated connection, so that data sent in either direction cannot be read or altered by someone sitting on the network path.

    The importance of TLS cannot be overstated, especially today, when online threats are more prevalent and sophisticated than ever. Without it, sensitive information such as login credentials, credit card numbers, and personal data is exposed to interception, which can lead to identity theft, fraud, and other breaches.

    TLS also gives visitors assurance that they are talking to the site named in the address bar. Certificates are issued by trusted Certificate Authorities (CAs), which verify that the requester controls the domain (and, for Organization or Extended Validation certificates, the identity of the organization behind it). That stops an attacker on the network from impersonating the site, but a valid certificate does not by itself prove the operator is trustworthy: phishing sites routinely obtain certificates for look-alike domains, so the padlock is a necessary signal, not a sufficient one.

    Having an SSL certificate is also important for search engine optimization (SEO). In 2014, Google announced that SSL was a ranking factor in their search algorithm. This means that websites with SSL certificates are more likely to rank higher in search engine results pages (SERPs) than websites without SSL certificates.

    HostMantis SSL included

    HostMantis provides an excellent TLS certificate service that offers reliable and secure encryption for websites. Certificates are essential for protecting sensitive information such as login credentials, credit card numbers, and personal data from interception by attackers.

    HostMantis offers free SSL certificates for all of their hosting plans, which is a significant benefit for website owners who want to secure their website without incurring additional costs. Their SSL certificates are issued by Let’s Encrypt, a well-known and respected certificate authority, which ensures that your website’s encryption is both secure and reliable.

    HostMantis certificates are easy to install and integrate with your website. They offer a range of certificate types, including Domain Validated (DV), Extended Validation (EV), and Wildcard certificates, depending on your website’s needs. Note that Let’s Encrypt issues only domain-validated certificates (wildcards included), so an EV certificate is a separate, paid product from a commercial CA. Let’s Encrypt certificates are also valid for only 90 days and depend on the host’s automatic renewal, so it is worth checking the expiry date yourself now and then.
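    The check a site owner should run against their own host, as an added Python example (not HostMantis tooling and not from the original review): who issued the certificate, when it expires, and whether it actually covers the hostname. `fetch_peer_cert()` performs a live handshake against a real server; `evaluate_cert()` works on the dictionary Python's `ssl` module returns, so it is exercised here against a constructed sample (`example.test` names, fictitious 2030 dates, a Let's Encrypt-style issuer) without any network access.

```python
"""Inspect a host's TLS certificate: issuer, validity window and hostname match.

Added example for this review, not HostMantis tooling. fetch_peer_cert() talks
to a live server; evaluate_cert() works on the dictionary ssl returns, so it
can be run against the constructed sample below (example.test, fictitious dates).
"""
import socket
import ssl
from datetime import datetime, timezone


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Complete a verified TLS handshake and return the peer certificate as a dict."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def utc(year, month, day):
    """Aware UTC datetime helper (used for the fixed 'now' in the demo)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def _dns_name_matches(pattern, hostname):
    """RFC 6125-style match: a wildcard covers exactly one leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".example.test"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def hostname_matches(cert, hostname):
    """True if any DNS subjectAltName covers hostname (browsers ignore the CN)."""
    return any(
        kind == "DNS" and _dns_name_matches(value, hostname)
        for kind, value in cert.get("subjectAltName", ())
    )


def issuer_org(cert):
    """organizationName from the issuer RDN sequence, e.g. "Let's Encrypt"."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def evaluate_cert(cert, hostname, now=None, warn_days=14):
    """Findings a site owner cares about: issuer, expiry, and hostname coverage."""
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_remaining = (not_after - now).days
    return {
        "issuer": issuer_org(cert),
        "not_after": not_after.isoformat(),
        "days_remaining": days_remaining,
        "expired": days_remaining < 0,
        "renew_soon": 0 <= days_remaining < warn_days,
        "hostname_ok": hostname_matches(cert, hostname),
    }


# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "R3"),),
    ),
    "notBefore": "Mar 17 12:00:00 2030 GMT",
    "notAfter": "Jun 15 12:00:00 2030 GMT",
    "subjectAltName": (("DNS", "example.test"), ("DNS", "*.example.test")),
}

if __name__ == "__main__":
    print(evaluate_cert(SAMPLE_CERT, "www.example.test", now=utc(2030, 5, 1)))
    # Live use: print(evaluate_cert(fetch_peer_cert("example.com"), "example.com"))
```

    Run the live form from a cron job and alert when `renew_soon` flips to true; with 90-day Let's Encrypt certificates, a renewal job that silently broke shows up here two weeks before visitors see a browser warning.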

    Stress testing

    Stress testing is an essential part of web development and website maintenance. It involves simulating heavy traffic and high user loads on a website to evaluate its performance under extreme conditions. The purpose of stress testing is to identify potential bottlenecks and weaknesses in the website’s infrastructure before it goes live.

    To perform a stress test, a testing tool or software is used to simulate large volumes of traffic to a website. The tool sends multiple requests to the website, emulating the behavior of a large number of users accessing the website simultaneously. The requests are designed to simulate a range of user actions, such as loading pages, submitting forms, and downloading files.

    During the stress test, website performance metrics such as response time, CPU usage, memory usage, and server load are monitored and measured. These metrics help identify any potential bottlenecks or performance issues that may arise under heavy user loads.

    Once the stress test is complete, the data collected is analyzed to identify any areas of weakness or performance issues. These issues can then be addressed through optimization and performance tuning to ensure that the website can handle high traffic loads without experiencing downtime or slow performance.

    Stress testing is particularly important for websites that experience high volumes of traffic or that are critical to business operations. By identifying and addressing performance issues before they occur, website owners can ensure that their website remains available and responsive even under extreme conditions.

    HostMantis stress testing

    HostMantis is an exceptional web hosting provider that delivers reliable and efficient web hosting services. Their commitment to performance and stability is evident in their ability to handle stress testing for up to 1000 users.

    A recent stress test on a website hosted by HostMantis demonstrated exceptional performance under extreme traffic loads. Throughout the test, the website remained stable and responsive with minimal slowdowns or errors.

    HostMantis’ proactive approach to performance optimization was noteworthy. They provided detailed performance metrics and optimization recommendations that helped fine-tune the website for optimal performance under heavy user loads.

    Customer support

    The value of customer support cannot be overstated. You don’t need them… until you need them. It is like the fire department. Do you think about the fire department when you are driving to work or having dinner with your family? Probably not. You only think about them… when you need them.

    Customer support in web hosting is no different. It is a critical aspect of any hosting provider, and HostMantis sets a high standard in this area. Their commitment to customer satisfaction is evident in their comprehensive and responsive support. The support team is available 24/7 via live chat, phone, or ticketing system and is highly knowledgeable and professional. Their technical expertise and willingness to go the extra mile to resolve customer issues promptly are impressive.

    As a customer, it is reassuring to know that any issues or questions can be addressed promptly and efficiently. HostMantis’ customer support provides a seamless and stress-free hosting experience, ensuring that any concerns or problems are resolved quickly and effectively.

    The importance of customer support cannot be overstated, and HostMantis delivered exceptional customer support that prioritizes customer satisfaction. Their commitment to providing a reliable and stress-free web hosting experience is evident in their comprehensive and responsive customer support.

    Concluding remarks

    So far, HostMantis has proven to be an effective and efficient web hosting company. Continued monitoring and testing over the next months and years will be reported. If you have any particular concerns or questions about HostMantis, feel free to send me a note. Otherwise, stay tuned to this channel for more information as it evolves!

  • Unveiling the Top Free Internet Faxing Providers

    Unveiling the Top Free Internet Faxing Providers

    Free internet fax options allow you to send and receive faxes over the internet without the need for a fax machine or a dedicated phone line. These services are often referred to as “online fax services” or “virtual fax services.”

    There are several benefits to using free internet faxing, including:

    1. Cost Savings: Free internet faxing eliminates the need for a physical fax machine and dedicated phone line, which can save you money on equipment, maintenance, and phone bills.
    2. Convenience: With internet faxing, you can send and receive faxes from anywhere with an internet connection. This means you can send faxes from your computer, tablet, or smartphone, making it easier to manage your faxing needs on-the-go.
    3. Efficiency: Internet faxing allows you to send and receive faxes quickly and easily, without the need to print out documents or wait for them to be delivered. This can save you time and help you stay productive.
    4. Security: Many internet faxing services encrypt the upload to their servers and the documents they store for you. Keep in mind that the final leg to a traditional fax machine still travels over the telephone network in the clear, so the protection covers your side of the exchange, not the recipient’s.
    5. Environmental Benefits: By eliminating the need for a physical fax machine, internet faxing can help reduce paper waste and save trees. This can be a positive step towards a more sustainable future.

    Overall, free internet faxing can be a convenient, cost-effective, and eco-friendly solution for businesses and individuals who need to send and receive faxes on a regular basis.

    Free internet fax options

    Free pass!

    Here are a few free internet fax options. These intentionally exclude “free for a month after you give us your payment card information”, and other gimmicks.

    These are … free!

    FaxZero (3 pages per fax, 5 faxes per day)

    1. https://faxzero.com/

    FaxZero: FaxZero allows you to send up to five free faxes per day, with a maximum of three pages per fax. However, there are advertisements included on the cover page.

    HelloFax (five pages per month)

    2. https://www.hellofax.com/

    HelloFax: HelloFax offers a free plan that allows you to send up to five pages per month (see the notes below). The service also includes a digital signature feature.

    Limited to five free pages

    Notes on the screenshot:

    • HelloFax didn’t mention this during signup, but when I tried to send a fax the system reported that faxes are limited to three pages plus the cover sheet.
    • And the limit is five pages per month, not five faxes per month.
    • To note, they are now part of Dropbox.

    GotFreeFax (send two per day max 3 pages each)

    3. https://www.gotfreefax.com/Fax-to-USA.aspx

    GotFreeFax: GotFreeFax allows you to send up to two faxes per day, with a maximum of three pages per fax. There are no advertisements included on the cover page.

    FaxBetter (no free outbound)

    4. https://www.faxbetter.com/secure/SignupFreeTollFree.aspx

    Only inbound faxes are free. According to their 2023 terms of service, the following is available at no cost:

    With a FaxBetter Free Account you will get the following great features:

    • Dedicated toll free fax number. It’s yours for life as long as you receive a fax every 7 days.
    • No credit card required to sign up.
    • Fax notification emails. Each time a fax arrives you will be sent a notification email immediately.
    • Searchable fax notifications with a PDF attachment for your first 30 days.
    • Enough storage space for around 1,000 pages. Your faxes are always available online at FaxBetter.
  • Reviving Your Website: Dead Link Checkers for Seamless Online Experiences

    Reviving Your Website: Dead Link Checkers for Seamless Online Experiences

    Dead links are absolutely “no good” for your SEO, and even worse they are no good for your visitors!

    There are two kinds of dead links. Links to external sites need to be monitored, since the external site might change its structure or even go out of business. In either case, find a new related article or simply remove the dead link.

    Links to your own site sometimes go dead because of site structure changes. For example, if you’ve moved WordPress to a different subdirectory while migrating to a new hosting company, internal destinations may have changed.

    This article outlines a few free link checker sites that will review a site for dead links.
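    Before reaching for one of the services below, it helps to see what they do under the hood: pull every link out of a page, resolve it to an absolute URL, separate your own pages from external ones, and probe each target. The Python below is an added example for this article, not one of the reviewed services; the page HTML and the `example.test` URL are constructed, and only `probe()` touches the network.

```python
"""Extract, classify and probe the links on a page.

Added example for this article, not one of the services it reviews. The HTML
below is constructed; probe() makes real HTTP requests when you run it against
a live page, while extract_links()/classify() work offline.
"""
from html.parser import HTMLParser
from urllib.error import HTTPError, URLError
from urllib.parse import urldefrag, urljoin, urlparse
from urllib.request import Request, urlopen

# Targets that are not web resources to check.
SKIP_PREFIXES = ("mailto:", "tel:", "javascript:", "data:", "#")


class LinkExtractor(HTMLParser):
    """Collect absolute http(s) URLs from <a href>, <link href>, <img src>, <script src>."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("a", "link"):
            target = attrs.get("href")
        elif tag in ("img", "script"):
            target = attrs.get("src")
        else:
            return
        if not target:
            return
        target = target.strip()
        if target.lower().startswith(SKIP_PREFIXES):
            return
        # Resolve relative paths against the page URL and drop #fragments.
        absolute, _fragment = urldefrag(urljoin(self.base_url, target))
        if urlparse(absolute).scheme in ("http", "https"):
            self.links.add(absolute)


def extract_links(html, base_url):
    parser = LinkExtractor(base_url)
    parser.feed(html)
    parser.close()
    return parser.links


def classify(links, site_host):
    """Split links into internal (this site) and external (everyone else)."""
    internal, external = set(), set()
    for url in links:
        bucket = internal if urlparse(url).netloc.lower() == site_host.lower() else external
        bucket.add(url)
    return internal, external


def probe(url, timeout=10.0):
    """HTTP status for url, or an error string. HEAD first; GET if the server rejects HEAD."""
    for method in ("HEAD", "GET"):
        request = Request(url, method=method, headers={"User-Agent": "dead-link-check/0.1"})
        try:
            with urlopen(request, timeout=timeout) as response:
                return response.status
        except HTTPError as err:
            if method == "HEAD" and err.code in (403, 405):
                continue  # some servers refuse HEAD; retry with GET
            return err.code
        except URLError as err:
            return f"error: {err.reason}"
    return "error: no response"


def is_dead(status):
    """Anything that is not a 2xx/3xx answer counts as dead."""
    return not (isinstance(status, int) and 200 <= status < 400)


# Constructed page at a hypothetical blog URL.
PAGE_URL = "https://www.example.test/blog/post/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="https://static.example.org/app.js"></script>
</head><body>
<a href="../about/">About</a>
<a href="https://www.example.test/old-path">Old article</a>
<a href="https://partner.example.org/page#top">Partner</a>
<a href="mailto:editor@example.test">Mail</a>
<a href="#comments">Comments</a>
<img src="/images/trail.jpg" alt="">
</body></html>"""

if __name__ == "__main__":
    links = extract_links(SAMPLE_HTML, PAGE_URL)
    internal, external = classify(links, "www.example.test")
    print("internal:", sorted(internal))
    print("external:", sorted(external))
    # Live check (needs network): for url in sorted(links): print(url, probe(url))
```

    Fragments are dropped because `page#top` and `page#bottom` are one request, and the HEAD-then-GET fallback avoids reporting a false “dead” link on hosts that refuse HEAD.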

    dead link checker

    On the first run, dead link checker discovered a dead link from the early days of Google Tag Manager.

    googletagmanager

    This was orphaned years ago. Unfortunately, it stayed with the site through many years of development. It turned out to be in the page header.

    googletagmanager in the <head>

    ahrefs broken link checker

    broken link check

    dr link check

    atom seo

  • Breaking the glass: Mastering BreakGlass Techniques for Emergency Access

    Breaking the glass: Mastering BreakGlass Techniques for Emergency Access

    Emergency situations call for emergency preparedness. The term “breakglass access” derives from the world of emergency alarms (such as fire alarms) that are protected by “break glass” stations, where once the alarm is activated it cannot be “turned off” without replacing a part of the station.  Sometimes the fire alarm has a glass or plastic insert that has to be replaced after the alarm is activated.   In any case, a responder is going to immediately recognize that the alarm has been pulled.

    A. “Breakglass access” in the digital age

    In computing, “break glass” is the procedure to access a system that bypasses normal security controls during critical emergency situations.  Break glass procedures rely on pre-staged emergency user accounts that are documented, tested, and managed.  For example, a “break glass” admin account may be created for situations when network based authentication/authorization services (such as Active Directory) have become unavailable.  The break glass accounts should be made in a way that they rely on (1) the user and (2) the target system, with very little tertiary system involvement.

    Of course, in all break glass situations, be aware that break glass accounts can also be weaponized by threat actors.  Since break glass accounts bypass normal controls, a threat actor who obtains one bypasses them too.  For example, break glass accounts are usually excluded from conditional access policies such as MFA enforcement, precisely so that an MFA outage cannot lock them out.  Without a second factor, a threat actor who learns the password has easier access to the systems being protected, which is why that password must be long, random, and stored offline.

    It is also important to note that “break glass” access is not always a “break glass” account. Break glass access might be a method or procedure.  For example, 

    1. Break glass in a data center might mean that there are methods to boot the affected system in a Safe Mode container that provides properly authenticated access
    2. Break glass in a cloud environment might mean that there are procedures available to call the service provider and have a new account created.

    B. Retain role based security – Emergency access to particular levels of “the stack”

    Software is a many-faceted beast, spanning infrastructure (networks and servers), platforms (operating systems), and applications (the IaaS, PaaS and SaaS layers).  Emergency access rights need to be configured for all three layers of the beast.

    For example, let’s say you have a website built on WordPress deployed on a web hosting server.  There are several break glass opportunities and scenarios.  To outline a few, there are (1) the website, for example, where new articles are created; (2) the WordPress deployment, for example, where new users are created; and (3) the web hosting login, where a new WordPress might be created.  There are of course many others.

    But there is no reason to get carried away with break glass accounts.  As a reasonable starting point, understand what each break glass account is capable of doing.  Do you really need this many break glass accounts?  Probably not if you control the entire stack.  

    1. If access to the website account is lost, the normal WordPress Admin account authorizations can be used to change the website account password.  
    2. If access to the WordPress Admin account is lost, a new account can be created by the normal web hosting login.
    3. If access to the web host is lost, a reasonable break glass procedure might be to call the hosting provider and have the access credentials reset.

    C. Use cases: When emergency access is required 

    To better understand how to protect systems with break glass access, let’s explore why emergency access may be required.  To name a few, emergency access may be required in the following situations:

    1. Cyber attack (insider or external) has deleted or removed access to all accounts.  In this way, the system is unavailable by all methods other than break glass.
    2. Accounts are federated, and the identity provider is not available.  For example, if access to AD has been compromised by way of a cyber attack, or a network outage has prevented access to AD, the system is unavailable by all methods other than break glass.
    3. Multi factor is enabled on all accounts, and the Multi factor grid is not accessible or has become compromised.  For example, in a global phone outage (text based MFA), or if an MFA app provider has become compromised.  In this situation, the system is unavailable by all methods other than break glass.

    Remember that break glass access can also be weaponized by a threat actor.  It is best to restrict the number of methods for gaining access, to reduce the exposure.

    D. Emergency access suggestions

    Break glass access is typically either

    1. by way of system access procedures, for example, console access;
    2. by way of contacting a provider company that has access (for example, in a cloud hosted environment);
    3. by way of an account.

    In any of the scenarios, the process should be documented and well tested.  You don’t want to try to “figure it out” during a real outage that is affecting your users and customers. 

    Here are suggestions for emergency access:

    Top five criteria for all emergency access methods

    1. Fail proof – it has to work 100% of the time
    2. Sufficiently privileged – in order to recover from every situation
    3. Perpetual – not subject to lockout under any circumstance. Cannot be deleted, expired, nor deactivated, so that if a malicious user gains access to the system, the malicious user cannot execute a Denial of Service to the Break Glass account.
    4. Not used for any access other than absolute emergencies – these are not daily access accounts
    5. Regularly tested – triggered by time (say every 90 days), upgrades, updates, new break glass users, terminated break glass users

    Additional criteria for emergency access

    1. Simple – since the accompanying emergency situation is already increasing stress levels
    2. Audited – with no ability to destroy audit trails, so that a “break glass” event is evident to observers
    3. Protected – access methods should be stored in a manner in which, if the method is accessed, the access is easily identified.  For example, for a break glass account, store the credentials in an envelope in a locked fire safe where the envelope itself has to be destroyed in order to access the credentials.  In this way, anyone who has access can identify whether the account information has been accessed.
    4. Monitored – so that if the method is used, every user becomes immediately aware.  For example, every admin is immediately notified that the break glass process has been invoked.  Keep in mind if an adversary has gained admin access and admin notification occurs, the adversary will then immediately be notified that Break Glass has occurred.  
    5. Minimum necessary privilege to recover – for example, the ability to create and manage Admin accounts, where the admin account can then be used for the rest of the recovery process.  Remember, Break Glass is to regain access.  The person who logs into the Break Glass account is not likely the person who manages daily access to the system.  In a large environment, the Break Glass action is going to be used to establish a “fix beachhead” that is then used to regain global access for multiple other users.
    6. Protected against single person insider threats – for example, requiring more than one person to gain access
    7. Not assigned to an individual – since emergency access is to recover from an emergency, and the individual may be a contributing reason for the emergency (an insider threat bad actor)
    8. Procedures kept current for any new versions or deployments of infrastructure, platforms, or software
    9. Does not require reset, so that if part way through recovery another situation is encountered, the same break glass method can be used
    10. Intentional – to protect against “accidental break glass”

    Special considerations for “break glass” accounts

    1. Not multi factor – because multi factor may be a contributing reason for emergency access
    2. Local account – not relying on any centralized authentication or authorization services
    3. Username/Password stored in a container where access is easy to identify and requires “new glass” (such as an envelope) to reset, that is, cannot be easily reversed.
    4. Explicitly excluded from automated cleanup and lockout – cannot be locked out, ever
    5. Explicitly excluded from lockout due to failed passwords – since an adversary could simply DOS the account to lockout break glass access during an attack
    6. Access passwords or password locations changed when staff changes
    7. Bonus: Password separated into two or three parts stored separately, with potentially different people having access to different parts of the password.  Remember, breaking a password into separate pieces reduces the cryptographic complexity of the password.  For example, if a 12 character password is broken into two 6 character segments, the resulting security is only that of a six character password.  If an adversary obtains half of the password, only the second half needs to be cracked.
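    The “Audited” and “Monitored” criteria above, together with the lockout denial-of-service concern in item 5 of the account considerations, lend themselves to a small detection routine. The following is an added example (not code from the article) that scans constructed authentication log lines, raises an alert on every use of the break glass account, and treats a burst of failed logins as a possible attempt to lock the account out; the account name, log format and thresholds are assumptions.

```python
"""Added example, not from the article: alerting on break glass account activity.

Every use of the break glass account is a notification event, and a burst of
failed logins is treated as a possible attempt to lock the account out during
an attack. Account name, log format and thresholds are assumptions.
"""
import json
from datetime import datetime, timedelta

# Constructed values, not from the article.
BREAK_GLASS_ACCOUNTS = {"bg-recovery"}
FAILURE_WINDOW = timedelta(minutes=5)   # burst window for failed attempts
FAILURE_THRESHOLD = 3                   # failures within the window that raise a DoS alert

# Constructed sample authentication log: one JSON event per line.
SAMPLE_LOG = """\
{"time": "2024-03-01T02:00:00", "user": "alice", "src": "10.0.0.5", "result": "success"}
{"time": "2024-03-01T02:01:00", "user": "bg-recovery", "src": "198.51.100.7", "result": "failure"}
{"time": "2024-03-01T02:01:30", "user": "bg-recovery", "src": "198.51.100.7", "result": "failure"}
{"time": "2024-03-01T02:02:00", "user": "bg-recovery", "src": "198.51.100.7", "result": "failure"}
{"time": "2024-03-01T02:10:00", "user": "bg-recovery", "src": "10.0.0.9", "result": "success"}
"""


def parse_events(text):
    """Parse JSON-per-line auth events into dicts with a datetime 'time' field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["time"] = datetime.fromisoformat(event["time"])
        events.append(event)
    return events


def break_glass_alerts(events):
    """Return alerts as (severity, message) tuples, in event order.

    - success: CRITICAL, because every admin must be told the glass was broken
    - failure: HIGH, because nobody should be guessing this password
    - FAILURE_THRESHOLD failures inside FAILURE_WINDOW: CRITICAL, a possible
      attempt to trigger lockout and deny the break glass path
    """
    alerts = []
    recent_failures = []
    for event in sorted(events, key=lambda e: e["time"]):
        if event["user"] not in BREAK_GLASS_ACCOUNTS:
            continue
        stamp = event["time"].isoformat()
        who = f"{event['user']} from {event['src']}"
        if event["result"] == "success":
            alerts.append(("CRITICAL", f"{stamp} break glass login by {who}; notify all admins"))
            continue
        alerts.append(("HIGH", f"{stamp} failed break glass login by {who}"))
        recent_failures.append(event["time"])
        # keep only failures inside the sliding window (the current one always stays)
        recent_failures = [t for t in recent_failures if event["time"] - t <= FAILURE_WINDOW]
        if len(recent_failures) >= FAILURE_THRESHOLD:
            alerts.append(("CRITICAL", f"{stamp} {len(recent_failures)} failed break glass "
                                       f"logins within {FAILURE_WINDOW}; possible lockout DoS"))
    return alerts


def severity_counts(alerts):
    """Summarise alerts by severity, for a dashboard or a test."""
    counts = {}
    for severity, _message in alerts:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, message in break_glass_alerts(parse_events(SAMPLE_LOG)):
        print(f"[{severity}] {message}")
```

    The alert path should go to every admin, as the “Monitored” criterion describes, and the log it reads from should be one the break glass account itself cannot modify.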

    Other notes on methods and accounts

    Of course, “ideal” break glass methods typically require cooperation and configuration from the vendor. For example, with regard to break glass accounts, most vendors provide administration authorization that is universal administration, not limiting the account authorizations to “only account creation and management”. With this in mind, be conscientious in creating break glass methods that can be implemented on the systems that are being managed.

    E. Concluding remarks

    Dealing with adverse situations is the foundation of business continuity planning.  The situation of losing access to a system or server is no different than any other adversity.  Break glass access methods are part of the recipe of a comprehensive recovery plan.

    I hope this article has been helpful!  If you have any recommendations please drop me a line.

    F. References

    1. https://danielchronlund.com/2019/04/08/break-glass-account-best-practices-in-azure-ad/
    2. https://www.beyondtrust.com/resources/webcasts/break-glass-theory-designing-break-glass-process-provide-security-privileged-accounts
    3. https://hipaa.yale.edu/security/break-glass-procedure-granting-emergency-access-critical-ephi-systems
    4. https://www.clinfowiki.org/wiki/index.php/Break_Glass
    5. https://pages.nist.gov/800-63-3/
    6. https://www.nccoe.nist.gov/sites/default/files/library/sp1800/fs-pam-nist-sp1800-18-draft.pdf
    7. https://www.agileit.com/news/break-glass-procedure/
  • Link Tracking: Unveiling the best Tracker websites with enhanced analytics

    Link Tracking: Unveiling the best Tracker websites with enhanced analytics

    Abstract: Have you ever wondered about link tracking: who clicked my link, a fake link to see who clicks, a link that tells you who clicked it, or simply how to know if someone clicked on your link? However it is asked, the answer is the same, and this article will help with your request.

    There are times that you’ll want to know if someone has “clicked the link” that you’ve shared. Say, for example, you suspect that “a scammer” is up to no good, and you’d like to know where that scammer is. This article is going to show you some tools available for click tracking.

    If you have a web site you’ll likely be using Google Analytics or one of the other “site visitor” trackers. That’s good stuff! But sometimes it isn’t a site visitor that you are looking to track. Of course, this goes hand in hand with the first rule of computer security: “Be aware”.

    In comes: Link trackers!

    As always, we are only interested in the free link trackers. Here are a few.

    1. Bitly

    Bitly is one of the “original” logger/shortener sites. The free version is “generous”, with up to 1000 different tracked links per month, and a 30 day retention on click through. 2FA is available for those of you who are security conscious — which should be everyone who reads my posts! 🙂

    2. Grabify IP Logger

    Grabify works reasonably well. You provide a web URL, and it creates a tracking URL.

    Grabify logger Create Link page

    Grabify works great, and it provides detailed information on your clickers.

    Grabify Link Information page

    Pros and cons:

    • (pro) The results page is easy to understand.
    • (pro) As a bonus, if requested, Grabify will send you an email whenever anyone clicks one of your links.
    • (con) Be aware, there are a LOT of advertisements on Grabify. One of the “benefits” of having a free service!
    • (con) Also be aware that as of the time of this writing, the base domains are all “non normal”. This may or may not be a consideration for you.
    • (con) There is a lot of delay before the link unwraps to the real URL. Your users may get tired of waiting.

    3. IP Logger

    IPLogger is another choice in IP Logging. The user interface is cluttered but functional.

    4. Wow Link

    Wow Link is another excellent choice in IP Logging. The dashboard is clean and modern.

    Note though that Wow Link has a lifetime limit of 5000 links and 10,000 total visitors that can be monitored. For a casual user it will take awhile to get there, with a maximum of 25 links per month.

    Wow Links limitations with “Free” plan

    Final words

    It was difficult to find the first few, but once I found a few (as in, replacing goo.gl), it opened up a river of options. My recommendations are to

    • find one with generous Free allotments, and
    • start using it.

    Once you figure out if you really want to go to all the trouble, then consider doing more research to find a potentially “better” one. But nearly any of these will do.

    Oh, and because there are a lot of scam sites out there, I’d recommend using a throw away email address.

    Let’s be safe out there!

    References

    • There are a lot of ways to ask about a fake link to see who clicks, a link that tells you who clicked it, or simply who clicked my link; Wikipedia does a decent job of describing the technique: https://en.wikipedia.org/wiki/Click_tracking
  • Where to find “free use licensed” photos and videos

    Where to find “free use licensed” photos and videos

    Searching for a photo of the Empire State Building from a plane? A whale breaching the surface of the ocean? It is often difficult to take your own “perfect” photo for your posts. And you can’t just “take” an image from someone else’s web site — or you’ll potentially face a DMCA takedown notice and demand letter.

    So what do you do?

    Well, for starters, always document where you find your images! And second, whenever reasonably possible (which is almost always!), find images that are identified as sharable, public domain, and no attribution required. Why no attribution? For sure, you should provide attribution! But when attribution is required, there are potentially difficult ways in which the documentation has to be referenced. I’m all for attribution, but don’t make it difficult.

    This is a collection of different free suppliers.

    Good free options!

    Here’s a collection of web sites that provide free photos, videos, images, and other media. But be careful! Some of the sites also have “paid” offerings that are mixed with the free ones.

    pixabay.com (but be careful)

    https://pixabay.com/

    Pixabay screen shot captured 2020

    Licensing is simple.

    Pixabay licensing 2020

    Be careful with Pixabay though. There are “sponsored links” and otherwise non allowed photos. Follow the download rules and you’ll be fine, but make sure the photos that you are downloading are actually the “free” photos promised.

    Pixabay “sponsored link” photos — be careful about the downloads!

    Pros and cons

    + Great free photos

    – There are “sponsored links”. Make certain that you are downloading an official “free” image.

    pexels.com

    https://www.pexels.com/

    Pexels screen shot captured 2020

    Photos and movies!

    Pexels licensing is simple. No attribution required. Personal recommendation is to attribute where practical!

    Pexels no attribution required

    picography.co, CC0 license

    https://picography.co/

    The photos are of excellent quality, beautiful images, and are free for any purpose. You just should not claim authorship of the photo. They have an open license, that is, they are for public use: personal or commercial use, modification and distribution, all without permission. Highly recommended. Your email will not be required.

    picalls.com, CC0 license

    https://picalls.com/

    They have a universal license, that is, an open license to copy, distribute, modify and use commercially without having to ask for permission. The one thing you must not do is credit yourself as the author; that would be wrong, I say very wrong. Its gallery is small, but what you will find there is of very good quality and very beautiful.

    foodiesfeed.com, CC0 license

    https://www.foodiesfeed.com/

    The photos are of excellent quality, beautiful images, and are free for any purpose. You just should not claim authorship of the photo. Recommended, although its gallery is quite limited. To download an image you must accept the terms and conditions agreement, which is extremely short and easy to understand.

    picjumbo.com

    https://picjumbo.com/

    This portal is very, very good. Photos of excellent quality, very beautiful. You download the photo without giving any data in return. It also has a lovely premium section. It is, in a word, great. I loved this portal. They do not have a CC0 license, so I recommend you read beforehand about what you can and cannot do with these images.

    unsplash.com, CC0 license

    https://unsplash.com/

    This portal is the best of all the group I have evaluated. It is spectacular. Yes, it’s free. Your data will not be required and the photos are of the highest quality. The gallery is great, and you can use the photos on your blogs or commercially, edit them, and copy them. They will invite you to credit the author, but it is not mandatory at all. It is phenomenal. The gallery is immense, and it is one of the most recognized portals of free images of high definition and excellent quality. Highly recommended.

    Just avoid these

    In my experience, these sites do not provide free artifacts. In my opinion, just avoid them. This is only my opinion.

    (avoid) bigstockphoto . com

    This is not a free photos portal, you must pay to get them without a watermark. You must leave your email and card details to access a 7-day free sample. The standard license has countless clauses. The photos are beautiful but expensive.

    (avoid) freefoto . com

    Some are free, but I particularly think they don’t have a nice variety of photos. You must leave your email and accept an agreement before you can download the photo. Many rules. In addition, it is mandatory that you credit the author and place a link to where the photo is on the portal or to the home page of freefoto.com. Very complicated for the user.

    (avoid) classroomclipart . com

    You will not find free images on this portal. You can download them for free but will have the watermark. I wonder, what is it for? 

  • Enhancing Security: Protecting Networks with Outbound Firewall Rules

    Enhancing Security: Protecting Networks with Outbound Firewall Rules

    Operational enterprise environments are temperamental. Touch one thing, break another. Replace a server, break the interfaces to that server. Increase the security posture of the organization by changing an operational firewall? Well, we don’t want to think about that!

    Wait. Actually, we do want to think about increasing the organization’s security posture.

    This article focuses on protecting enterprises with outbound firewall rules. We’ll also explore network based threat hunts, how netflow models can trigger Hunt alerts, and how the models provide valuable metrics for hunters.

    Firewalls and networks

    Firewalls are security devices that protect enterprises from uncontrolled network flows, in much the same way as dams protect towns from uncontrolled water flows. Most enterprises recognize firewalls as “inbound protection devices”. But firewalls are much more than inbound protection devices. Configured correctly, firewalls protect against unauthorized inbound traffic AND unauthorized outbound traffic.

    What does this mean? Consider an adversary (possibly an insider) that has landed on your network. This is already a bad situation — something has happened that allowed the adversary to wind up on the network.

    This is where your outbound firewall configuration comes in. Without a firewall, the adversary is able to exfiltrate your sensitive data without you even knowing. That said, a properly configured firewall can make it more difficult for the adversary to exfiltrate data from your network. Even though the adversary is on the network, getting sensitive data out of the network can be made more difficult with the use of firewalls.

    Define your network

    Dealing with thousands of individual objects is a difficult task. When presented with thousands of individual objects, our minds work to categorize the objects.

    Network objects are no different. Even a small network with dozens of objects quickly becomes complex. Consider your home network. Probably pretty simple. You might have a half dozen cameras, an Internet ready doorbell, WiFi keypad locks, a couple of computers between you and the family, several phones, a WiFi thermostat or two, printers, WiFi smart watches, a network enabled refrigerator, and several other devices. Even in this “pretty simple” environment, simple means dozens of devices.

    Dozens of devices potentially means at least dozens of Firewall rules. And every new device means reconfiguring the Firewall. This effort can become unwieldy quite quickly.

    So how to proceed? First, recognize that this process is iterative. Each iteration is a brand new opportunity to refine the solution.

    Grouping network objects based on “service”

    Dealing with large numbers of diverse objects is difficult. It is much better to group objects into sets that are “similar”, or at least “similar enough”. When it comes to networks, shiny objects are not all created equal. One easy grouping of devices might be based on the “nature of network access”. For example, the groups might include:

    (a) INTERNET ACCESS devices that need outbound connected Internet access, but no Internet device needs to initiate access into these devices. These devices include computers, laptops, and phones.

    (b) INTERNET BLOCKED devices that do not need Internet access. They never need to communicate to the Internet, and the Internet never needs to initiate traffic to them. These devices include individual cameras that connect to a local DVR, WiFi enabled thermostats that are controlled only by phones that are on the network, and printers. Remember to consider that the devices will not be able to update themselves either, since they will not have direct access to the Internet. Creating a workflow for updating the devices is important, and usually handled by manual updates or by having a local server they’ll attach to that will allow updates.

    (c) DMZ DEVICES devices that need to be controlled or accessed by the Internet. These devices require firewall routes from the Internet “into” your network. The devices might include a web server if you are locally hosting web sites. This class of device is typically deployed in DMZs (network demilitarized zones) and will not be covered in this short tutorial.

    To summarize, a simple categorization or segmentation is (a) devices that can access the Internet, and (b) devices that do not access the Internet.

    It is easy to argue that “This binary Yes/No, Open/Blocked network segmentation is insufficient!” And yes, that is an accurate statement. Build as many different groups of devices as you wish, and remember this is an iterative process. At some point you’ll need to get started.

    Deploying firewalls in new enterprises


    Configuring firewalls in new environments is a much simpler task than configuring firewalls in operational environments. In a new environment, the firewall can start life with outbound connections set to Block All. Each new device, each new service, can be assessed for traffic requirements. For example, you know your employees need to access web sites? Open outbound TCP 80 and 443 for the workstation endpoint IPs. You know a server engineer needs to sftp to a remote server? Open outbound TCP 22 for that server IP.

    In the Groupings solution defined above, onboarding each new device requires that the device is categorized as either (a) Internet access necessary or (b) Internet access is blocked. It is quite valuable to have subcategories as well. For example, the workstation endpoints should not necessarily have 22 open. On the other hand, Server endpoints often do not have 80 & 443 open (you don’t want your Server engineer to browse potentially nefarious web sites and download malware).

    One thing to remember is to create policies & processes for onboarding new devices. Each new device should be attached to a group that will allow the appropriate and reasonable amount of Internet traffic.

    Deploying firewalls in operational environments

    Operational environments require a bit more planning and diligence. The problem is that blocking all ports is going to break everything — suddenly, nothing will work.

    Complexity is the enemy of security

    The basis of this recommendation is: Make a plan! Whatever you are going to do, make sure you’ve developed a plan, and make sure the plan includes backout steps.

    Here is an operational plan for changing firewall rules that will work in every environment.

    1. Monitor and capture netflows

    Goal: Identify each (a) device that is communicating to the Internet, and (b) the remaining devices that have no need to access the Internet.

    Understanding basic network metrics is the best place to start in protecting an existing environment with firewalls. Users are not impacted during the monitor and capture phase since traffic shaping does not occur during the monitor phase.

    The monitor phase should continue for at least a month, more reasonably at least a quarter. The reason for this extended timeframe is to capture as much “known traffic” as practical. For example, vendor software updates are normally scheduled at least quarterly. By monitoring for at least a quarter, the capture will include vendor software update flow. To note, Microsoft and other vendors initiate the infamous “Patch Tuesday”.

    The monitor phase metrics result in two useful artifacts.

    • First, ports that are not used during the normalization phase can be considered for blocking (explained in the next phase).
    • Second, the netflows can be used during threat hunts. The way this is used during a hunt is that the hunters have a model for “normal” traffic, and thereby can also recognize “not normal” traffic.

    Know that this step is not going to stop an existing bad actor that has already infiltrated your network. In fact, you aren’t even going to be made aware of a bad actor during this step.


    Threat hunting

    Recognizing “not normal” traffic is a key to network threat hunting. During a threat hunt, the team is looking for anomalies, for traffic that doesn’t belong. If a “disallowed” netflow shows up in a capture, the netflow might be an indicator of compromise, a key sign of trouble that needs to be investigated by the threat hunt team.

    To explore this a bit, network modeling is not “binary”. That is, it isn’t just the “disallow” list that is important to modeling netflows. Ports that wind up on the “allow” list should continue to be monitored for excess traffic. An artful threat hunt includes investigating abnormal traffic spikes. If a port model demonstrates a certain daily traffic volume, then suddenly experiences a traffic spike, the excess traffic should result in a Security Alert.

    2. Explicitly allow “active” netflows; explicitly deny all others

    The second phase of tuning the outbound firewall rules is to only allow the “known active” ports. This is performed by explicitly Allowing netflows that were observed during Phase 1 Monitoring, and explicitly Denying all other flows.

    Active blocking in a previously open enterprise is likely to introduce issues. The team needs to have a plan and procedure ready to “unblock” required flows. This step of “Explicit block” should be delayed until the policies and procedures are available. Blocking netflows in large complex enterprises should be handled delicately, since these environments may require flows to be opened that simply didn’t show up during the analysis phase.

    For complex poorly documented operational environments, it may be more reasonable to “alert on unused ports” instead of “block unused ports” during the early parts of the transition. However at some point the phase of “explicit deny” must conclude with “block unused ports”.

    Threat hunting

    Advanced organizations might consider replacing simple “blocks” with redirects. For organizations that actively threat hunt, redirecting an unallowed/unused flow to a honeypot can quickly alert the crew to call Hunt On! Unused ports are easily identified in the Netflow capture since the unused ports simply will not show up in the list. For example, if Port 3389 (a port associated with Remote Desktop Connection) doesn’t show up during the monitor phase, and the team knows that there are no reasonable and acceptable outbound remote desktop connections, then an advanced team might consider redirecting 3389 to a honeypot. If any devices wind up landing on that honeypot, the hunt team needs to search for the rogue device and user.

    3. Refactor “active” netflows

    Once the “known unused” ports have been handled successfully and the organization defaults to “Block” or “Redirect to Honeypot”, it is time to move on to refactoring the “active” netflows.

    Refactoring reduces the firewall ruleset. If there are 150,000 endpoints in an environment, it is likely a good idea to distill those into different types of endpoints — for example, Workstations, Servers, Phones, and Cameras. The simplest refactoring will identify “all <specific types of> endpoints” allowed outbound traffic to “all destinations” over “listed ports”. For example, “<all Workstations> allowed outbound traffic to <all Internet destinations> over port 80 & 443”. However, this is just the beginning of this phase of tightening down the firewall.

    In operational environments, refactoring operational ports is likely a multi-phased approach; one phase covering workstation endpoints; another phase covering servers; and several phases covering “other endpoints” like phones, cameras, and keypads/door entry systems. Eventually the firewall will have a collection of rules for many different types of endpoints.

    Example: SMTP

    For example, say that Ports 25, 465, and 587 show up in the “operational port” report. These ports are associated with SMTP (also known as Simple Mail Transfer Protocol). While it is reasonable for a mail relay such as an Exchange server to communicate over these ports, it is less reasonable that a workstation/user endpoint relays its own mail. The ruleset should Allow the Exchange server and Deny all other systems.

    Example: Web traffic

    Another example exists for web traffic over 80 and 443. While it may be reasonable to open web traffic for all endpoints, an adversary can use those allowed flows to exfiltrate data. One might consider, is it reasonable for a Server to contact web sites over 80 & 443, or only Workstation endpoints configured for user traffic? Even more so, is it appropriate for even the Workstation endpoints to communicate out directly, or is there a web proxy protecting the end users from visiting known malicious web sites?

    4. Continue monitoring netflows (threat monitoring)

    Threat hunters are in a constant battle with threat actors. The more data available for the hunt, the more likely the hunt will succeed.

    Threat hunters need data, and netflows are an invaluable form of data to a hunter. Continue monitoring netflows even after the firewalls have been normalized. The continuous monitoring provides data that is useful for computer network defenders and threat hunters. Identifying anomalies is a basis for alert generation, and identifying anomalous traffic volumes is an event that should trigger an alert.
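    The four steps above, as an added example that is not the article’s own code: build the phase 1 baseline from constructed netflow records, derive the explicit allow list with a final deny-all, mark observed flows that violate the SMTP-only-for-servers policy for review, and classify new flows for the hunt team as disallowed, spike, or normal. The record format, group names, port policy and spike factor are assumptions made for this example.

```python
"""Added example, not from the article: a netflow baseline turned into an
explicit-allow outbound ruleset and a hunt check, covering the four steps above.

Record format, group names, the SMTP-only-for-servers policy and the spike
factor are assumptions made for this example.
"""
from collections import defaultdict
from statistics import mean

# Constructed netflow roll-up from the monitor phase: one record per
# (device, group, destination port, day) with the bytes sent that day.
SAMPLE_FLOWS = [
    ("ws-01", "workstations", 443, 1, 5_000_000),
    ("ws-01", "workstations", 443, 2, 5_200_000),
    ("ws-01", "workstations", 443, 3, 4_900_000),
    ("ws-02", "workstations", 443, 3, 5_100_000),
    ("ws-01", "workstations", 80, 1, 800_000),
    ("ws-02", "workstations", 80, 2, 750_000),
    ("ws-03", "workstations", 25, 2, 5_000),      # a workstation relaying mail itself
    ("mail-01", "servers", 25, 1, 300_000),
    ("mail-01", "servers", 587, 2, 120_000),
    ("srv-02", "servers", 22, 3, 40_000),
]

# Refactoring policy (step 3): these ports are legitimate only for the listed
# groups, as in the SMTP example. Assumption for this example.
PORT_GROUP_POLICY = {25: {"servers"}, 465: {"servers"}, 587: {"servers"}}

SPIKE_FACTOR = 3.0  # assumed: a day above 3x the baseline mean is a traffic spike


def build_baseline(flows):
    """Step 1: for each (group, port), the list of daily byte totals observed."""
    daily = defaultdict(lambda: defaultdict(int))
    for _device, group, port, day, nbytes in flows:
        daily[(group, port)][day] += nbytes
    return {key: list(days.values()) for key, days in daily.items()}


def derive_rules(baseline):
    """Steps 2 and 3: an explicit allow per group for every observed port, a
    'review' marker where an observed flow violates the group policy, and a
    final deny-all for everything the capture never showed."""
    rules = []
    for group, port in sorted(baseline):
        permitted = PORT_GROUP_POLICY.get(port)
        if permitted is not None and group not in permitted:
            rules.append(("review", group, port))   # seen, but not legitimate for this group
        else:
            rules.append(("allow", group, port))
    rules.append(("deny", "any", "any"))
    return rules


def classify_flow(baseline, group, port, nbytes):
    """Step 4: hunt check for a newly observed daily flow.
    'disallowed' -> port never seen for this group, a candidate indicator of compromise
    'spike'      -> known port, but volume far above the baseline
    'normal'     -> within the modelled behaviour"""
    history = baseline.get((group, port))
    if not history:
        return "disallowed"
    if nbytes > SPIKE_FACTOR * mean(history):
        return "spike"
    return "normal"


if __name__ == "__main__":
    base = build_baseline(SAMPLE_FLOWS)
    for action, group, port in derive_rules(base):
        print(f"{action:6} {group:13} -> any:{port}")
    print(classify_flow(base, "workstations", 3389, 2_000))        # disallowed
    print(classify_flow(base, "workstations", 443, 60_000_000))    # spike
```

    A “review” rule is the refactoring decision point: either the flow is explained and the device moves to a group that permits it, or it becomes a deny (or a honeypot redirect) and a hunt lead.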

    Conclusion and after thoughts

    Firewalls are “moderators to the real world”: they defend against inbound malicious traffic, and they defend against adversaries who are trying to exfiltrate data over outbound ports. Defending your precious sensitive data requires a fully operational bi-directional firewall.

    Managing operational environments is a task in balancing many parts of a complex puzzle, from satisfying user demands, to enforcing security, to addressing Cxx level board room concerns. Underused firewalls in these operational environments are an undoubtedly perilous concern, and managing those firewalls is equally necessary to properly protect the environment.

    As always, Prior planning prevents poor performance, and this adage holds true for deploying Firewall changes in operational environments. Make a plan, and stick to it. But what happens if the plan has too many edge cases? If the need arises to deviate from the Firewall Protection Plan, change the plan itself and restart instead of deviating from the plan.

  • LinkedIn Mastery: Elevate Your Career with Proven Strategies for Success

    LinkedIn Mastery: Elevate Your Career with Proven Strategies for Success

    LinkedIn is the world’s largest professional network, an incredibly diverse social platform both for job seekers and for companies wishing to fill open positions. In a way similar to how Facebook and Instagram connect people in a personal way, LinkedIn offers an opportunity for professionals to engage with one another and with the companies they represent.

    Especially today, in the world of social distancing, optimizing your job search is incredibly important. Regardless of your discipline, social media is going to play a key role in finding new work.

    We’ll look at a few basic steps involved with maximizing your exposure on LinkedIn.

    1. How you are “found” on LinkedIn

    Before embarking on your LinkedIn journey, it is good to understand how other people — read this, “how recruiters and hiring managers!” — find their candidates on LinkedIn. If you understand the search strategy, you’ll better understand how to leverage that opportunity in your favor.

    LinkedIn is a Searchable database


    LinkedIn is a search platform with half a billion resumes. Your goal is going to be to stand out in those searches.

    Case study: Searching for an accountant

    Let’s consider you are a hiring manager. Say that you are searching for someone with a certain skill set, for example someone with (1) experience in accounting. You wind up with 150 million candidates. Of course this is just too many people. So it is time to refine those requests.

    To further refine the search, say the business is focused on (2) ultra-high-net-worth estate planning where many clients have (3) foreign interests and some clients wind up (4) wanting to research their heirs before establishing their trusts. Now our search includes “accounting”, “estate planning”, “international”, and “forensic”. Now we’ve refined our 150 million candidate profile into something a little more manageable.

    Keeping up on refining our candidate pool, we know this is an advanced level position, and we are going to provide an aggressive relocation package. But because of antitrust issues, we can only hire domestic employees. We therefore limit the search only to our own country.

    Case study: Flip the script!

    Now flip the script. Say you are that forensic accountant with international estate planning experience. Make sure to include all of these key words in your profile. In this way you will be more likely to show up in recruiter searches!

    2. Get created!

    Creating your LinkedIn profile is easy, but there are quite a few options and many ways to do this imperfectly.


    Be careful about the personal information that you put on LinkedIn. Each piece of you can help create an opportunity for identity theft. Remember, this is a social media platform, and it is open to the internet. Consider whatever you put on LinkedIn is available to the world — and forever. For example, my recommendation is to not put your personal home address on LinkedIn anywhere. Once it is up there, it is up there forever. Wonderful people use the Internet. But remember, there are also not so good people. Even people you’d rather not have contact with will have contact with you. Just be careful out there.

    Computer security starts with you

    Let’s start with these areas on your LinkedIn profile.

    Picture

    They say a picture is worth a thousand words, so start your profile with a great picture. A headshot is perfect in most situations. If you have a particular industry where something other than a headshot is beneficial, consider your options. For example if you are a race car driver, you might want a race car in the image. If you are a model or in an industry where multiple photographs are important then have a separate web site with additional photos.

    Headline

    You have 120 characters to entice a reader to read more about you, make it count!

    Summary

    You have 2000 characters to tell your story. Be sure to explain who you are. Be vibrant, and be honest!

    Experience

    Include relevant experience, both paid and unpaid engagements.

    Education

    List your education. If you’ve completed high school, list that as an accomplishment. If you have an advanced degree, list that as well.

    Awards

    List awards. Make your profile stand out!

    3. Get connected!

    Get connected!

    LinkedIn is all about being connected, and being an influencer. Wherever you can get connected to others, do so.

    LinkedIn emails are only free between connected individuals. If you are directly connected, then you can email that person. If you are not directly connected, then you cannot.

    LinkedIn Open Networker

    LinkedIn Open Networkers, sometimes known as LION, are a special animal who seek to get to know people where their first connection is through an online social media platform. You may never meet them in person, but you can get to know them by their posts, and they will equally know you by your posts.

    LinkedIn used to frown on LIONs. At the time, you were only supposed to connect with people you knew in person. Of course, this becomes quite difficult at times. LinkedIn has relaxed the rules on “open networking”. Take advantage of the opportunity!

    Connect with groups

    Find groups that represent what you do and where you see your career going.

    When you search for groups you’ll be able to see “how many” people are in each particular group. Connecting with low member groups isn’t going to hurt, but connecting with highly-active, high-member-count groups is definitely beneficial.

    Are you part of the intelligence community? Join highly popular intelligence community groups. Are you looking for a marine career? Join highly popular marine groups. As you start looking for groups you’ll better understand which groups make sense and which just don’t.

    Connect with individuals

    Individual connections are the LinkedIn cornerstone. Connect with those you know, connect with those who respond back to your content, connect wherever is reasonable.

    5. Get creative!

    Paper

    Finally, like all great endeavors on the Internet, LinkedIn circles around content. Create great content!

    Post the content to your blog. Post the content to your page. Post the content to your groups.

    6. Concluding remarks

    LinkedIn is a special kind of social media platform. The platform is used by companies, by hiring managers, by specialists looking for gig opportunities, and by candidates looking for work. It isn’t a Facebook, and unless your job is specifically related to politics, religion, or animals, that type of content shouldn’t be there.

    Here are the key takeaways. 1. Create an account. 2. Get connected. 3. Post content. Most of all, have fun!

  • Safeguarding your domain search: how to avoid ‘front runners’

    Safeguarding your domain search: how to avoid ‘front runners’

    I hear you are ready to search for a new domain name? Be careful with that intellectual property! Front runners want it first!

    If you tell all your friends about that great five or six character domain name, and they tell their friend, and they tell their friends before you actually register it? Right. Someone else might just register it before you can.

    But it is worse. It has been my experience that while searching for a domain name on the internet, looking at various whois registries, or asking your favorite domain registrar whether a domain is available, someone somehow intercepts the information and, poof, registers the domain before you do! Then they’ll gladly sell you the front run domain at their price. This practice is known as Domain Name Front Running; it is a real thing, and Network Solutions even admitted to the practice.

    The places to go for domain search

    So where is it safe to search? In my experience, I use two different engines, and avoid everything else.

    Don’t work with red hot dealers! They may be front running you!

    GoDaddy? In my opinion just say no

    Here is my experience, and this is just one of my experiences. At one point in my history of life, I used to use Go Daddy as my domain registrar. I was looking for a new domain name, so I of course went to Go Daddy to do the searching. I entered hundreds of different names, most of which were already taken. But there were a few great short domains that I came up with! I was excited! I decided to sleep on it. A couple of days later, the domains were registered by someone else, of course the domains were using private registration, and the domains were parked on Go Daddy “This domain is for sale” pages.

    I of course cannot confirm that Go Daddy systemically takes potentially popular domains from the sea of domains for which their customers search, and it is completely possible that the domains were just cool names that someone else also thought about at the same time I thought about them. It is also possible that a disgruntled Go Daddy employee decided to search for the search terms their customers were using and decided to steal the domain — not really stealing, maybe more being opportunistic, but it sure felt like stealing at the time.

    Note that Go Daddy claims they are not involved with front running here, and here, and here, and I am not accusing anyone of front running, not even Go Daddy. I just know I had a bad experience with front running, and it is reasonably easy to avoid being front run.

    Be careful out there!

  • Coronavirus special report: Separating your Work and Personal identities

    Coronavirus special report: Separating your Work and Personal identities

    The Coronavirus quarantining and social distancing have resulted in tight quarters. More of us have combined working and living in the same physical spaces now, working remotely or working in other unusual spaces. There is not the same “clean separation” between Work and Personal space that you get when you leave your home and drive to your work. However, separating your “Work Identity” and “Personal Identity” remains very important, both for your protection and for the security of your company.

    What you need to know

    The Internet Villains want to “own” your identity. The more online pieces of identity you leave for them, the easier their job will be. And remember, regardless of where you are “physically” located, your company is monitoring everything that you do on your business laptop, on your business cell phone, and on your business email. This is necessary to protect the company if something goes wrong, for example if your “Work Identity” is stolen.

    What you need to do

    LinkedIn is a personal social media site. Use your  personal email address for personal sites


    When you create online accounts, consider whether the account is something that you wish to retain if you separate from your company, or whether the company needs to retain the account information. Also consider whether you want your company to monitor everything about the account.

    • For example, a B2B supplier would likely be a “Work Identity” account. For those accounts, use your Business email.
    • On the other hand, a LinkedIn account, Facebook account, or account at your child’s school are “Personal Identity”. For those accounts, use your Personal email.

    Take away

    Personal identity and Work identity need to remain separated, for both your personal security and the security of your company.  Only use your Work email address when representing the company and when necessary for company business. Use your Personal email address for your personal online identity.


  • The first rule of security: “Be aware” of your surroundings

    The first rule of security: “Be aware” of your surroundings

    The COVID19 Coronavirus situation has affected our families, our homes, and our work environments. Our children are home, some people are new at working remotely, others have to be extra vigilant in keeping their areas clean and sterile, and even more are stressed and overworked with more caseloads and more patient care than is common.

    Internet Bad Guys!

    During these stressful times, the Internet Bad Guys are going to do their best to trick you. They are working hard to entice you to do the wrong thing. The Bad Guys are going to strike your nerves with Fear, Uncertainty, and Doubt, three of the most powerful influencers ever used against mankind.

    How can you protect yourself? The same methods you use to keep you safe “in real life” will also secure your digital world — be aware! Know your contacts, know your computer, and know your context. Let’s take a look.

    Know your contacts (your people, your connections)

    • Do not open links from unknown contacts! Do not open files! Are you receiving more emails about “COVID19”? Information about your stimulus check? Brand new “Preventions” and “Cures”? Source for Toilet Paper and Masks? Do not click those links unless you know the sender, and do not open attachments. These social engineering techniques are known as Phishing attacks.
    • Are you receiving phone calls asking for information? Spoofing Caller ID is easy; do not rely on Caller ID alone to identify the caller. Be especially vigilant with odd requests such as sending money, or a caller suggesting that you open a web page. These social engineering techniques are known as Vishing attacks.
    • Did you receive a USB memory stick in the mail or find one while shopping? “Free Gift” from Best Buy or your favorite shopping site? “Proprietary Information” from your employer? Just toss it in the garbage. USBs can be used to spread viruses. If you do not know its origin, it is not worth risking a computer virus infection. These social engineering techniques are known as USB Drop attacks.

    Know your computer (your systems)

    • Be aware when things are not working correctly, or seem particularly slow. Contact your manager or help desk if you notice anything that “doesn’t seem right”.
    • Keep your computers and phone software up to date. Install all security updates when they are available. Make sure your virus protector is on and updated.

    Know your context (your surroundings, your work environment)

    • Just like in the real world, know your surroundings. Be aware of who is around. Be especially aware when discussing sensitive information. Our environments are rapidly changing, and our work lives and home lives are now more tightly integrated than just a few weeks ago. Know who is around when you are discussing sensitive information, whether it be financial information, patient data, or anything else that should be kept private.

    Famous last words

    Take care of yourself

    Remember, security starts with you. Be aware, be conscious of your surroundings, and be knowledgeable about your rapidly changing work environment.

    Fear, uncertainty, and doubt: three powerful influencers, especially at times like today when our physical health is threatened. Let’s be careful out there.

    Tell me more! What are your safety tips? How can we all be safe out there?

  • Vishing Scams: How to Safeguard Yourself from Deceptive Voice Attacks

    Vishing Scams: How to Safeguard Yourself from Deceptive Voice Attacks

    “AHA advises hospitals to be alert for potential ‘vishing’ attacks”

    “Hackers Extradited to U.S. over $18M Vishing Scam”

    Vish is the new Phish!

    Have you received a threatening call from the government? The urgent message will demand that you pay an immediate fine or tax or penalty; or else face imminent arrest by the IRS, or revocation of your medical credentials, or something even worse.

    These calls are known as “vishing” campaigns in the espionage and social engineering subculture. Vishing is a social engineering technique very similar to the familiar email “phish”. However, instead of the now familiar email, a vish relies on voice calls and voicemails.

    A. Vishing examples

    As with phishing emails, vishing voice calls take many forms. In all the forms, you will receive a time-sensitive message alerting you to impending doom. Let’s take a look at a few common vish campaigns.

    1. Jail threats with the DEA or IRS

    A popular vish is the Drug Enforcement Administration (DEA), calling to explain that there has been suspicious drug prescription activity or some other anomaly associated with your medical license. If you deny having any association with the fraud, the caller may demand to validate that you are actually you. They’ll need you to provide your medical license number, maybe your home address and a credit card with your name on it. Or they may demand that you pay a fine or face revocation of your license. If you don’t pay, the caller will have to immediately notify the hospitals where you have privileges. Of course, the fine can be paid by way of Western Union or MoneyGram.

    Another vish is the Internal Revenue Service (IRS), calling about delinquent tax liens. In this scenario, the caller may claim to be at your address waiting for you, but of course you are at work or at another location. They may have your home address, and the caller ID will normally be spoofed to be a real government agency such as a local police station. In this scenario, the caller will give you the option of either paying the debt or being arrested. The caller may demand that you call an “agent” at another phone number to make arrangements for payment.

    2. Bank, telephone, or company

    Banks and other companies are also popular vish pretexts. The caller ID may actually show your bank’s number (do not believe the caller ID!). The scheme may describe how there has been suspicious activity on your account, or maybe even an upgraded card that is now available to you. The caller may have the last four digits of your account number (fairly easy to find since it is on nearly every receipt). To prove that you have the card in your hand, the caller will ask you to verify the remaining digits, or to verify your billing address, or provide the three-digit code on the back of the card. In general, just say no. If you believe the call is actually from your bank, then call the bank back on the number on the back of your card.

    3. Hospital or school emergency

    Another vish is the emergency call from a hospital or school. Your child, mother, or spouse has been involved in an accident, and the caller needs your permission to treat your loved one. In order to verify your identity over the phone, they’ll need some form of personal identification such as your birthdate, or your social security number, or a bank card number.

    B. Vishing: Don’t be a victim

    Vish are ever evolving. There is no way to know what tomorrow’s vish will be. That said, here are a few tips to help you avoid being a victim.

    1. Be suspicious!

    Avoid responding to phone calls unless you know the caller and understand the implications. Research the caller’s identity. If you call the caller back, avoid using the contact information provided by the caller. Instead, use a known valid number if at all possible, such as the number on your bankcard, or a known contact number for the government agency from which the caller is claiming association. 

    Do not go to websites the caller provides since the website may be infected with malware. Instead, go to the official websites that you know are valid and use the official phone numbers available to you.

    2. Keep secrets secret!

    Often the vish is used to get “just a little more” information about you for an even bigger fraud like identity theft or creating credit cards in your name. Therefore, avoid confirming or providing personal information to the caller. Sensitive information like account numbers, Social Security Number, addresses, passwords, birthdates, and even mother’s maiden name can be used against you.

    3. Maintain your personal, financial, and professional contacts!

    Update your mailing addresses, phone numbers, and email addresses with important organizations. Notify your employers, banks, and legal institutions when personal contact information changes.

    4. If you think you are a victim?

    Report the situation to affected parties. Contact your leader if you have been vished at work or if the vish regards a work related context such as your medical license. Contact your bank if your financial accounts are compromised. Change all passwords for accounts that are compromised. Watch for signs of identity theft. Consider reporting the phone call to the police if you feel physically threatened.

    5. Most of all, be alert!

    Social engineering attacks take many forms, and not all forms are easy to spot. Technology safeguards alone cannot protect you. You must be able to outsmart “the bad guy”. Look for signs of trouble, question everything, and ask probing questions instead of answering them. 

    Remember, security starts with you.

    C. The Trojan horse

    Sometimes all that glitters is not gold. A little cuddly teddy bear might be vicious ransomware instead

    Social Engineering is a confidence fraud and takes many forms. A classic social engineering swindle happened during the Trojan War. As the story goes, after ten years in an exhausting and unsuccessful siege against Troy, the Greek army packed their bags and set sail leaving an enormous wooden horse to the Trojans – a gift seemingly to say, “We lose, you win”. 

    The Trojans wheeled their new bounty into the gates and celebrated their victory with food, drink, and glad hearts! Only, this horse was not a gift. Greek warriors filled the horse, warriors who waited patiently until the Trojans fell asleep. The warriors then violently took over the city.

    Today, Trojan software is a particular class of malware that tricks users by appearing to perform legitimate operations while actually doing something nefarious. In the world of vishing, the Trojan caller is the caller masquerading their identity as the bank, IRS, or hospital; when in fact, the caller is really part of a scam. Note to self: Do not fall prey to the deceptive Trojan horse!

  • Protecting Your Personal Privacy at Work: Tips for Confidentiality and Security

    Protecting Your Personal Privacy at Work: Tips for Confidentiality and Security

    In today’s world of privacy, with regulations surrounding PHI/HIPAA, PCI, and SOX, you may be surprised to know that your company is required to keep records of your use of their computers — everything you do on their computers. For example, your company likely monitors and records Internet access from any of their computers when you are shopping online, when you are browsing for training videos or research articles, when you are accessing personal Gmail or Yahoo accounts, and even when you are accessing your child’s school website or sending what you believed to be “personal” notes to family and friends.

    Okay, so what? You are thinking, you aren’t doing anything “wrong”, so what, who cares, you are only using the computer during lunch or after the end of the day. You might think that, but you really should rethink that. Sure, those records are available to management, and you don’t care.

    Stalker much?

    But here’s the issue. Your records are also available to lawyers and the courts during discovery (going through a divorce?), your records are available to hackers who breach your company’s assets, and most nefariously your very personal records are also available to rogue coworkers who want to “know more about you”. Stalker much?

    How can you keep private matters private? Here are a few “privacy safe” ideas!

    Personal contact information

    Use personal contact information for personal business. Do not use your employer’s email account. Use your personal email, your personal cell phone, and your personal physical mail address. When in doubt? Use your personal contact information.

    Personal internet

    When you need to access the internet or your emails, use your personal cell phone or wait until you can get to your home computer instead of using your employer’s computers.

    Personal devices

    Integrating your cell phone with your business? Be careful! Many times, your company has the ability to “observe” your personal data on your personal phone. Why? To catch what is called “data loss”, such as when an employee inadvertently downloads sensitive information to their phone. How to avoid this snafu? Just use a second phone. Simply, either (1) add a phone to your existing cell phone account, or (2) use an old phone and attach via WiFi hotspot to your primary phone. Best advice is to keep business and personal information separated.

  • The Ups and Downs: Exploring the Journey of InMotion Hosting – A Revealing Two-Year Review

    The Ups and Downs: Exploring the Journey of InMotion Hosting – A Revealing Two-Year Review

    Do you remember when domain names were free? Then you had a domain before I did! Yes, they were free before 1995.

    Do you remember paying more than $100 for two years of domain name registration, and self hosting the sites on your own servers? Then you’ve been in the domain business as long as I have, since the late 1990s. And over the course of twenty years, you have likely wound up using many different hosting companies. If you recall, in the late 1990s and early 2000s, it was most common to host your own websites on your own servers on your own DSL line or some other self hosting configuration.

    Nowadays I’m a big proponent of cloud services. Find yourself a good “As a service” vendor, and host there. And yes, sometimes it is finding a “good enough” hosting vendor.

    My last vendor of many years went out of business, so I was left with a dozen personal sites that I run — and no host. Out went proposals, and InMotion came up on top of my list.

    This article last updated after a year of hosting with InMotion.

    1. In the beginning

    Establishing an account with InMotion went very smoothly. Sales set everything up perfectly. The documentation provided is extensive, and support is available 24×7 via chat and phone.

    However, there were technical issues with establishing the package. The first day, I was informed that there was a database platform problem that would not be resolved until the next day. Okay, these things happen. So I waited 24 hours and started again.

    Then there were problems with AutoSSL. At the time of setup, InMotion was using Comodo. Truly, in the day of free SSL through LetsEncrypt, I was surprised to see Comodo. Accounts with InMotion are set up to auto renew SSL though, so it really doesn’t matter to the end user.

    But the problems persisted. For four days.

    While the help desk is available 24×7, it was difficult to get anyone to do anything other than change passwords and tell me to “wait 24 hours”. Finally, through the course of so many chat sessions it felt like I was social engineering myself into a solution, I wound up with someone who was actually able to fix the problem. According to the representative, there was a queuing problem on InMotion’s cPanel configuration that was affecting all users, including his own accounts. He explained that earlier in the week there was a cPanel update on their servers that appears to not have gone smoothly.

    2. Since the beginning

    Since that first week, InMotion services have been working smoothly but erratically. Uptimes have not been great. Seven day average for one WordPress domain was 90%, with 30 day uptime around 97%.

    Example Uptimerobot monitor

    To put “uptime” in perspective:

    • There are 168 hours in a week. Uptime at 90% is 16 hours DOWN in one week. That is two full 8 hour working days down in a five day work week. Of course it might instead have been three hours each night for five days when no one was accessing the site, but when dealing with uptime one should consider worst case scenarios.
    • There are 720 hours in 30 days. Uptime at 97% is 21 hours DOWN in 30 days. That is three full 8 hour working days down in a 20 day working month.

    Here’s a stat clip:

    A demonstrated instance of more than 14 hour downtime

    To note, these are WordPress sites, and the test is against having a text artifact on the WordPress site completely load. In creating a monitor that loads a simple text file, the uptime response was much higher (not 100%), but testing a single file load doesn’t help identify “site uptime” when the site is hosted in WordPress. Think of it this way: If the first few bytes of your WordPress site load fine, but the WordPress engine itself cannot render your site because of server constraints, then your users and customers still cannot interact with your site.
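    The distinction above (first bytes arriving versus the WordPress engine actually rendering the page) is easy to demonstrate with a monitor that only counts a probe as UP when the full render marker is in the body. The following is an added example, not the author’s nor UptimeRobot’s code; it assumes the closing `</html>` tag as the render marker, and the week of hourly probes it evaluates is constructed rather than measured.

```python
"""Content-aware uptime probe for a WordPress site.

Added example for this review; it is not the author's nor UptimeRobot's code.
A probe counts as UP only when the response is HTTP 200 *and* the body contains
a marker that only a fully rendered page would carry (assumed here to be the
closing </html> tag; pick whatever your theme emits last). The sample week of
probes below is constructed, not measured.
"""
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Iterable, List

RENDER_MARKER = "</html>"   # assumption: present only after a complete render


@dataclass
class Probe:
    status: int       # HTTP status, 0 when no connection could be made
    body: str         # response body (empty on failure)
    elapsed_s: float  # seconds the request took


def fetch(url: str, timeout: float = 30.0) -> Probe:
    """Live HTTP probe; the sample week below uses constructed probes instead."""
    start = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
            return Probe(resp.status, body, time.monotonic() - start)
    except urllib.error.HTTPError as exc:
        return Probe(exc.code, "", time.monotonic() - start)
    except (urllib.error.URLError, OSError):
        return Probe(0, "", time.monotonic() - start)


def naive_up(probe: Probe) -> bool:
    """The 'first few bytes arrived' view: any HTTP 200 counts as up."""
    return probe.status == 200


def is_up(probe: Probe, marker: str = RENDER_MARKER, max_s: float = 30.0) -> bool:
    """The user's view: HTTP 200, render marker present, and not timed out."""
    return probe.status == 200 and marker in probe.body and probe.elapsed_s <= max_s


def uptime_percent(probes: Iterable[Probe], up: Callable[[Probe], bool] = is_up) -> float:
    """Share of probes judged UP by the given rule, as a percentage."""
    probes = list(probes)
    if not probes:
        raise ValueError("no probes to evaluate")
    return 100.0 * sum(1 for p in probes if up(p)) / len(probes)


def downtime_hours(uptime_pct: float, window_hours: float) -> float:
    """Hours down implied by an uptime percentage over a window (168 h = 1 week)."""
    return window_hours * (100.0 - uptime_pct) / 100.0


def longest_outage_hours(probes: Iterable[Probe], interval_hours: float = 1.0,
                         up: Callable[[Probe], bool] = is_up) -> float:
    """Worst-case view: the longest run of consecutive failed probes."""
    longest = run = 0
    for p in probes:
        run = 0 if up(p) else run + 1
        longest = max(longest, run)
    return longest * interval_hours


def build_sample_week() -> List[Probe]:
    """Constructed hourly probes for one week (168 of them), not real measurements."""
    good = Probe(200, "<html><body>latest post</body></html>", 1.2)
    week = [good] * 168
    # One 14-hour overnight outage: connection failures, then HTTP 503s.
    for i in range(20, 34):
        week[i] = Probe(0, "", 30.0) if i < 25 else Probe(503, "Service Unavailable", 0.3)
    # Two "half rendered" responses: HTTP 200, but PHP died before </html>.
    for i in (60, 100):
        week[i] = Probe(200, "<html><head><title>site</title>", 25.0)
    return week


if __name__ == "__main__":
    week = build_sample_week()
    content = uptime_percent(week)
    print(f"naive uptime   : {uptime_percent(week, naive_up):.1f}%")
    print(f"content uptime : {content:.1f}%  -> {downtime_hours(content, 168):.0f} h down")
    print(f"longest outage : {longest_outage_hours(week):.0f} h")
```

    On the constructed week the byte-level rule reports about 91.7% uptime while the render-marker rule reports about 90.5%, i.e. 16 hours down, with a single 14-hour outage; swap `fetch()` in for the constructed probes to run it against a live site.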

    3. Logging in

    In my opinion, logging in and managing sites was made more difficult than necessary.

    Login to management site

    Logging into the main site (or Management Site) Login page works as one expects. Go to and click Login.

    Login to cpanel site

    To login to a cpanel, go to https://yoursite/cpanel

    But of course this requires yoursite to already resolve in DNS.

    4. Speed and responsiveness

    Websites seem to have periodic issues with speed tests. Going to the inmotionhosting main web site is always very fast, but the hosted sites are not necessarily fast. Let’s take a look.

    Duplicator backups

    Resource constraints seem to be a common occurrence. For example, I use (and recommend) Duplicator for backups. However, the sites under test on inmotionhosting aren’t easily backed up with Duplicator.

    Inmotionhosting backup with Duplicator

    Pagespeed insights

    Google’s Pagespeed Insights (PSI) is an invaluable tool for identifying poorly performing sites. Why Pagespeed Insights? Because Google is going to judge you on the speeds they experience!

    Here are a couple of clips of this page with PSI

    Adding gzip compression in .htaccess did not materially change PSI.

    A common error message obtained was a server response timeout in Lighthouse. Trying the test several times eventually bypassed the problem.

    Email

    I have not tested email capabilities. Since the uptime was not near 100%, I chose to not configure inbound email capabilities on the sites. Instead, the domain registrar (Google Domains) allows configuring the MX records to manage emails directly and independently of the web host. I also do not use inmotion for outbound emails. Instead I use a relay where I can add monitoring capabilities to my emails.

    Remember, emails are important, and important emails are more important. You need as close to 100% email capability, regardless of whether your web site is alive. If your web host goes down, you want to continue to send and receive emails!

    Security

    I’ve experienced no security issues with inmotion hosting.

    Two factor is limited to specific carriers for SMS and to Google Authenticator. No other 2FA is available. This is a limitation, especially in the current security world, since there are many authenticator apps available. If you are using one particular authenticator app that happens to not be Google Authenticator, you are forced to use Google just for this one company.

    5. Concluding thoughts

    I used the InMotion Hosting service for about two years.

    • There were some technical issues in configuring the account, but everyone was professional — including the help desk fellow who kept trying to get me to call back to someone else. Okay, maybe that one was not quite as professional as the rest! 🙂 Eventually the services were created (about a week), and I’ve been running on those servers since then.
    • Speed and resource constraints were common. Had to identify different methods to perform backups, for example.
    • Uptime was poor. The InMotion engineers contacted claimed 100% “server” uptime, while running WordPress resulted in poor uptime results. If you are using WordPress, be aware of this limitation.

  • Defending Your Wallet: Unveiling the Thrilling World of Payment Card Theft and How to Stay Safe


“Florida Tackles Gas-Pump Skimmers” [CSP Daily]

“Florida gas pump thefts rise as credit-card skimmers get more savvy” [Orlando Sentinel]

“Men from Florida charged with using stolen credit card numbers” [WHNT]

Seems every day there are new reports of payment and credit card theft.  Lest one consider these news reports as overhyped, read the statistics: In 2016 alone, fraud losses topped $16 Million. Nearly 50% of us in North America have been a victim of payment card fraud.  Of those who have been defrauded, nearly two-thirds lost money in the process.  That means, if you have not experienced payment card fraud, statistics say your neighbor has.

    This paper will explore payment card theft techniques, then make a case on how to protect yourself from payment card theft, and finally provide a few interesting statistics and quotes related to payment cards.

    1. Payment card theft techniques

    In order to understand how to protect yourself from payment card theft, first consider a few ways card information is compromised.   

    Data breaches

    Pixabay – Data breaches are never as beautiful as this humpback whale breaching

    The most newsworthy payment card theft is data breaches, with retailers such as Target, Home Depot, Whole Foods, Delta, and Best Buy being recent targets where their customers were the victims.

    Skimming/shimming

    Skimming - payment card theft

    A less impactful but equally common situation is payment card skimming/shimming.  In this malevolent technique, the bad actor places a secondary reader over the existing point of sale terminal that captures individual (per transaction) payment card track information and uses that information to replicate the cards.

    Online interception

    A similar “skimming” technique happens with online merchants, where a bad actor intercepts credit card information in transit to the merchant.

    Physical interception

    Physical interception of the card itself is another technique.  In this process, the bad actor steals the payment card information during the point of sale transaction, such as a cashier or restaurant worker making a copy of the card information before returning it to the owner.

    2. How to avoid being a victim

    Now that you know some of the basic methods of payment card theft, let’s consider how to avoid being a victim.  Here are a few ideas:

    Real time alerts

    Pixabay – real time alerts

    Add real time alerts on cards and bank accounts!  While this will not prevent the “very first” transaction, you will quickly know someone is using your payment cards.  If unexpected transactions come through, quickly call your credit card company.

    Reconcile payment card bills

    Check your transactions!  Reconcile your transactions weekly or monthly, so you know the charges against your accounts.

    Use credit cards

Use credit cards if possible!  Avoid using debit cards for retail and online transactions.  Be sure to understand your liabilities in either case.  With most credit cards, the consumer is not liable for fraudulent activity if the issuer is notified quickly.  With debit cards, fraudulent activity loss is normally capped at no more than $50 if the issuer is notified quickly.  However, if a thief controls a debit card attached to your checking account, your funds could be (at least temporarily) depleted.  The problem is that while the bank is likely to replenish the losses, if you need that money to clear checks before it is restored, you may wind up overdrawn or having checks returned for non-sufficient funds (known as NSF).  The bank may reimburse its own overdraft fees, but the merchants you have paid may not be as forgiving.

    Be alert!

    Most of all be alert!  Look for skimmers at point of sale transactions, and look for HTTPS leading the web address with online transactions.  In general, look for signs of trouble.  Use higher traffic machines if possible, since more people will have had the opportunity of identifying “not so right” situations.  If you have nagging questions about a physical machine or an online merchant, “just say no” and find a different merchant.  Remember, security starts with you.

    3. Did you know?

• Only 10% of the world’s currency is physical money.  The rest exists on computers!
    • Electronic payment company ACI Worldwide estimates that 46% of Americans have had their card information compromised at some point in the past 5 years.
    • The U.S. adopted EMV in 2015, a technology that makes counterfeiting cards more difficult.  While EMV helps with reducing in-store fraud, it does not help online fraud.  In addition, with the difficulty in counterfeiting cards, fraudsters now target new accounts (as opposed to existing accounts).  By the end of 2015, there was a 113% increase in new account fraud, which accounted for 20% of all fraud losses.
    • In 65% of fraud cases, credit card fraud results in a direct or indirect financial loss for the victim.
    • Florida tops the list of Federal Trade Commission fraud reports, with over 300,000 fraud complaints filed in 2015 alone.
    • Credit card fraud losses topped $24.71 billion in 2016 according to The Nilson Report, a 12% increase over the previous year.
    • There is a new identity theft victim every two seconds according to a report from Javelin Strategy, and many of the incidents involve credit cards.
    • Almost half of the world’s credit card fraud (47%) happens here in the United States according to a report from Barclays.

    References

    1. Payment Card Industry Security Standards Institute,
      https://www.pcisecuritystandards.org/
    2. PCI DSS Quick Reference Guide,
      https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf
    3. “Florida Tackles Gas-Pump Skimmers”,
      https://www.cspdailynews.com/fuels/florida-tackles-gas-pump-skimmers
    4. “Florida gas pump thefts rise as credit-card skimmers get more savvy”,
      https://www.orlandosentinel.com/business/os-bz-credit-card-skimmers-20181108-story.html
    5. “Men from Florida charged with using stolen credit card numbers in Huntsville area”,
      https://whnt.com/2019/03/11/men-from-miami-charged-with-using-stolen-credit-card-numbers-in-huntsville-area/

  • Bulletproof Your Website: Enhancing WordPress Security with File System Protection for Login


    Your website is a huge part of your identity. When it comes to protecting your identity, is there ever enough security? Well, it depends.

    This article is going to explain how to add a host hardening layer of protection by password protecting the WordPress login script, the “wp-login.php” file — all for free.

    To better understand the task at hand, “wp-login.php” is a special login script associated with logging into WordPress. A brute force “password knowledge” attack is going to start by navigating to “www.yourdomain.com/wp-login.php”. Once there, the attacker will have the option of logging directly into your WordPress host.

As with any lock, the goal here is to make it just a little more difficult for the attacker. In this case, we’ll password protect the WordPress PHP login script itself. In this way, the attacker will have to circumvent the file system’s password protection before even being presented the opportunity of circumventing wp-login. It is just yet another step to reduce the number of drive-by attacks.

    Here are the steps to wrapping wp-login.php with file system protection:

    1. Update .htpasswd file

The .htpasswd file is the password repository. For those familiar with Unix-based systems, it is similar in structure to the old-school /etc/passwd file, with each line affiliated with a single user. Here’s the process to create or update the .htpasswd file.

    a. Identify base location for .htpasswd file

This is a rather simple but vital step. You can use a tool to identify the .htaccess base location. Place the following code in a PHP file (such as “path.php”) in the directory structure wherever .htaccess should be placed.

    <?php
    $dir = dirname(__FILE__); # NOTE double underscores on either side of FILE
    echo "<p>Path to this directory: " . $dir . "</p>";
    echo "<p>Path to .htpasswd file: " . $dir . "/.htpasswd" . "</p>";
    ?>

    Then execute the php code from a web browser like Chrome:

    https://www.<sitename>.com/path.php

    The output will resemble

    Path to this directory: /home/<sitename>/public_html
    Path to .htpasswd file: /home/<sitename>/public_html/.htpasswd

    b. Create .htpasswd file

    There are many options available on the internet or even downloadable applications. You might need to google “htpasswd generator”. Here is one option: http://www.htaccesstools.com/htpasswd-generator/

    Create at least one username and password pair. I’ve used “special-username” as my login name. The file is going to look something like this:

    special-username:{SHA}Y2fEjdGT1W6nsLqtJbGUVeUp9e4=

    c. Upload .htpasswd file appropriately

    Upload or create the file in the .htaccess folder.

    2. Update .htaccess file

    The second step is to update .htaccess to leverage .htpasswd when accessing “wp-login.php” file.

    Add the following code to the root .htaccess file. Be sure to:

    • Change “special-username” to your special user name, and
    • Change the “AuthUserFile” reference to the appropriate .htpasswd directory.
    # BEGIN: Protect wp-login
    <Files wp-login.php>
    AuthUserFile /home/marksatterfield/public_html/.htpasswd
    AuthName "Please enter your username & password exactly like that"
    AuthType Basic
    require user special-username
    </Files>
    
    ErrorDocument 401 default
    # END: Protect wp-login
    

    3. Test & common problems

Finally, test the configuration more than once before closing up shop and logging out. Use an Incognito browser window, and make sure only wp-login is protected.

    If anything goes wrong, just comment out or remove the changes in .htaccess, and try again.

    Common problems include:

• Not matching “username” between .htpasswd and .htaccess. Remember to use the same username in both files.
• Incorrect AuthUserFile. Be certain that the AuthUserFile reference actually points to the .htpasswd file.
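As an added example (not code from the original post), here is a small Python checker for the two common problems above: it generates a .htpasswd entry in the {SHA} format the post shows, fills in the post’s <Files wp-login.php> block, and then verifies that the “require user” name has a matching .htpasswd line and that AuthUserFile points at a real file. The password, temporary paths and helper names are constructed for the demo.

```python
"""Consistency check for the wp-login.php file system protection.

Added example, not the original post's code. It exercises the two
"common problems" listed in the post: a username mismatch between
.htaccess and .htpasswd, and an AuthUserFile that points nowhere.
"""
import base64
import hashlib
import os
import re
import tempfile


def htpasswd_sha_entry(username: str, password: str) -> str:
    """Return 'user:{SHA}base64(sha1(password))', the format shown in the post.

    This legacy format is unsalted SHA-1; where the server supports it,
    'htpasswd -B' (bcrypt) is the stronger choice."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{username}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def verify_sha_entry(entry: str, password: str) -> bool:
    """Check a candidate password against a {SHA} htpasswd line."""
    user, _, stored = entry.partition(":")
    return stored == htpasswd_sha_entry(user, password).split(":", 1)[1]


# The block from the post, with the two values the reader must change.
WP_LOGIN_BLOCK = """# BEGIN: Protect wp-login
<Files wp-login.php>
AuthUserFile {authuserfile}
AuthName "Please enter your username & password exactly like that"
AuthType Basic
require user {username}
</Files>

ErrorDocument 401 default
# END: Protect wp-login
"""


def parse_wp_login_block(htaccess_text: str) -> dict:
    """Extract AuthUserFile and the 'require user' name from the
    <Files wp-login.php> block. Returns {} if the block is absent."""
    m = re.search(r"<Files wp-login\.php>(.*?)</Files>", htaccess_text, re.S)
    if not m:
        return {}
    body = m.group(1)
    auth = re.search(r"^\s*AuthUserFile\s+(\S+)", body, re.M)
    user = re.search(r"^\s*require\s+user\s+(\S+)", body, re.M)
    return {
        "authuserfile": auth.group(1) if auth else None,
        "username": user.group(1) if user else None,
    }


def check_protection(htaccess_text: str) -> list:
    """Return a list of problem strings; empty means consistent."""
    cfg = parse_wp_login_block(htaccess_text)
    if not cfg:
        return ["no <Files wp-login.php> block found in .htaccess"]
    path = cfg["authuserfile"]
    if not path or not os.path.isfile(path):
        return [f"AuthUserFile does not point at an existing file: {path}"]
    with open(path, encoding="utf-8") as fh:
        users = {line.split(":", 1)[0] for line in fh if ":" in line}
    if cfg["username"] not in users:
        return [f"require user '{cfg['username']}' has no matching line in {path}"]
    return []


def demo() -> dict:
    """Build one good and two broken configurations (constructed values)
    in a temporary directory and check each of them."""
    with tempfile.TemporaryDirectory() as root:
        htpasswd_path = os.path.join(root, ".htpasswd")
        with open(htpasswd_path, "w", encoding="utf-8") as fh:
            fh.write(htpasswd_sha_entry("special-username", "demo-pass") + "\n")
        good = WP_LOGIN_BLOCK.format(authuserfile=htpasswd_path,
                                     username="special-username")
        wrong_user = WP_LOGIN_BLOCK.format(authuserfile=htpasswd_path,
                                           username="specialusername")
        wrong_path = WP_LOGIN_BLOCK.format(
            authuserfile=os.path.join(root, "missing", ".htpasswd"),
            username="special-username")
        return {
            "good": check_protection(good),
            "wrong_user": check_protection(wrong_user),
            "wrong_path": check_protection(wrong_path),
        }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "OK")
```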


  • Domain Dilemma: The Pitfalls of Free Domains and the Benefits of Owning Your Own


    Ready to show off a new domain? Want to use a “personalized” domain for a new customer, but don’t wish to buy the domain until the customer actually engages you with a contract? Sometimes having a free domain is of benefit.

I’ve updated this article quite a bit from how it looked at the start. Before? I recommended free second level domains like those found with *.tk (such as “marksatterfield.tk”). Today? My attitude is much different. My experiences with *.tk helped to solidify my new recommendation: Just Say No!

    Recommended option: Buy one!

    The problem with free domain registrars is that you are likely not the owner of the domain. If the company goes out of business, your url likely disappears with the company.

    What are your options? One option is to buy a domain for each of your tests. This can get quite expensive.

    Other options? One other option is that you buy a single second level domain (for example, marksatterfield.com), and then host subdomains such as “salestemplate.marksatterfield.com” and “wootemplate.marksatterfield.com”. In this way, you wind up owning the primary domain, and controlling the subdomains as well. Need a temporary one for the new pizza store around the corner? Show it off on “joespizza.marksatterfield.com”.

    Not recommended: Freenom

    Freenom is the registrar for a number of free sites, including those associated with the TLD .tk, registering through dot(.)tk.

    Snip of a portion of dot tk’s welcome page used for educational purposes

    I thought dot(.)tk was a great resource in the past. However, it seemed as though my domains would be randomly deleted. When trying to re-register I’d receive what appears to be the now infamous

    At this moment we are unable to register any domains or other services in this account. Please contact support for more information. Error code 0x08823.

    https://my(.)freenom(.)com/failed_registration.php

Through searching for options, I found any number of people who have also had problems with Freenom. According to many reviews, it seems that Freenom grabs back their domains (you don’t own them after all) when the site starts receiving a certain number of hits per month. Going back to Freenom, you have the option of buying the site back … or, well, hitting the road. Kind of felt a bit like front running.

    You can google search for other comments on Freenom. Please note that these are based on my experiences. Your experiences may differ.

    Not recommended: Site builders free URL

Any number of “free website builders” are available. But almost every one of them locks you into a proprietary web experience.

    In my experience, I recommend building your site with WordPress or other transferable site builder. Being “stuck” in a proprietary system is no fun.

    Conclusion

My recommendation is to buy a “testing” domain like “mytestcompany.com”, and place all of your test companies as subdomains of that, like “joespizza.mytestcompany.com”. You’ll pay less than $20/year for the domain mytestcompany, and you’ll be left owning that domain.

  • Brighten Your Website: How to Remove the Default Featured Image Shading in WordPress 2019 Theme


This article is going to help you change the built-in WordPress 2019 Gutenberg Featured Image shading.

    “I say there is no darkness but ignorance.”

    William Shakespeare, Twelfth Night

    William Shakespeare warned us that there is no darkness but ignorance. Applying the quote to this blog post, there are two darknesses — ignorance, and also the darkness that envelops the Featured Image on the newly released Twenty Nineteen theme!

    Featured Image shading from Key Largo with WordPress 2019 Gutenberg darkening and color enhancement

    Introduction

As many of my colleagues followed suit, I was excited with the most recent WordPress offering! I quickly updated to WordPress 5.x, and Gutenberg blocks, and Twenty Nineteen … and bam, gosh I do not like those darkened Featured Images! While I am sure it is just that I am not yet used to them, this Darkness Factor must go! Another reason is that I have folks complaining because they didn’t ask for this “new shading” darkness, it just showed up.

    In this article I’m going to show you the easy way to get rid of those colored Featured Images. Stick with me, it is just a few steps.

    Before we start, let me mention there is some amount of controversy over changing this darkening behavior. The reason for the default darkening behavior has to do with contrast, and making sure the text on your main page shows up adequately. After you have completed this task, make sure your text shows up reasonably well.

In my opinion, it is always good to have options. As you get more familiar with the 2019 theme, you may even want to change the behavior back to default. It is easy enough to do. Enough said, here is how to update the WordPress 2019 Featured Image default color enhancement.

    There are only two configuration items to make all this happen. The first is to turn off the 2019 Filter. The second is to add CSS to remove shading.

    1. Log in as Administrator

    The WordPress menu when you Login to WordPress as Administrator

    First thing you’ll have to do is log in as Administrator. If you’ve read my blog post on Security, I’ll expect that the username is NOT admin! 🙂

    You actually don’t have to be Admin, you just have to have the ability to change the Appearances section of WordPress.

    2. Disable 2019 filter

    The first step is to disable the filter.

    Go to Customizer

    WordPress menu – Appearance > Customize

    Click through to the 2019 Theme Customizer.

    Go to Colors

    Active Theme 2019 > Colors

    Click through to the Colors menu.

    Disable Filter

    Colors Primary Color Default & Disable Filter

    Uncheck “Apply a filter to featured images using the primary color”.

    While you change the default, keep a note of this option! You might even consider dabbling in the Custom Color area just to get a better understanding of what this option accomplishes.

    Before you continue with the next step you should go check your Featured Image. It might be to your liking! Here is what mine looked like.

    Darkened but not color enhanced Featured Image

    3. Add nobackground CSS

    The second step is to update the CSS.

    Open the Additional CSS editor

    WordPress 2019 Theme Additional CSS editor

    We’ll be adding a little code to the CSS editor here. CSS editing in WordPress is not complicated, so don’t get worried!

    On the Twenty Nineteen theme Customizer page, there is a link to “Additional CSS”. This allows you to modify CSS attributes in a controlled environment. If anything goes wrong, you can just go right back into this area and delete any customizations. The rest of CSS will remain intact! This “Additional CSS” area basically adds to and overwrites any competing CSS attributes.

    Additional CSS editor

    In the Additional CSS Editor, add the following CSS

    .site-header.featured-image:after { 
    background: none;
    }

    The Additional CSS area will look like this when you are done. And your Featured Image preview will be the featured image with no shading!

    4. Publish

    Theme Publish

    Click the Publish button at the top of the page, and you are done!

    The final product!

    This is the way the image was supposed to look.

    Featured Image with no color enhancements

    Acknowledgement

    Shout out to @addweb-solution-pvt-ltd who was the first post I found with the necessary CSS. Thank you!

  • Computer Security Incident Response (NIST SP800-61r2)


    Computer security incidents happen.  Why?  Because computer defense is reactive. Regardless of the expansive and proactive nature of any particular defensive team, the Computer Network Defense (CND) job must include Computer Security Incident Response.

    A properly running CND team includes a Red Team subgroup of Attack and Exploitation experts. The Red Team actively looks for vulnerabilities in your network. However, that subgroup is dwarfed by the number of active attackers in the world.

    So what should a CND team do?  The team should prepare for incident handling and response.  As it turns out, when it comes to incident handling and response, prior planning provides utmost performance.

    1. History of the Internet

    In the beginning was ARPA. And the Internet was with ARPA.  And the Internet was ARPA.  

    History of the Internet

    The Advanced Research Projects Agency (ARPA, later known as DARPA) network was established in 1969. ARPANET was developed with guaranteed delivery, high availability, multi connection, and multi path in mind. ARPANET was the precursor of what we now know as the Internet.

    Internet expansion to universities

In the early and mid 1980s, NSF (the National Science Foundation) established a network of supercomputers at colleges and universities around the United States. NSFNET brought DARPANET to a more general and wide-reaching audience, expanding the usefulness of the connected network to sharing tens of thousands of very high cost computer assets.

    Robert Morris worm

In 1988, a young Cornell student named Robert Morris created an application intended to search the interconnected network for all computer assets, and report back what it could find out about each of the end nodes. The intent was to gauge the size of the “internet” by replicating the application to each of a particular computer’s peers using a sequence of weak passwords and services universally known at the time. The application then called back to a central server to report “node alive” status.

    Pixabay nasty computer worm

Unfortunately, Morris crafted his application poorly. Instead of replicating forward to peers only, the application replicated on every peer of every site repeatedly. That is, if two peers were reachable from a particular node, each of those peers would be infected by the originating node; but the newly infected targets then infected their own peers, and also reinfected the source node. Eventually every interconnected node was reinfected to full saturation and was no longer able to respond, resulting in a Denial of Service.

    Even worse, when a network engineer or systems administrator rebooted the machine to regain access, the nearby computers would quickly reinfect the machine.  Recovery was not a simple task, and the Internet came to a screaming halt.

    Morris made international history by this simple coding mistake. The infectious application became known as the Morris Worm.

    Computer Emergency Response Team

At the time, DARPA and the Defense Department were positioning the Internet to provide a guaranteed delivery, always available information network.  The Morris Worm exposed the vulnerability of the Internet, and DARPA’s response was to create the Computer Emergency Response Team (now known as CERT™) hosted under the Software Engineering Institute (SEI) at Carnegie Mellon University.  The charter for CERT was to be a coordination center for computer network operations defenders in the United States and around the world.

    2. NIST incident handling guide

    NIST’s Computer Security Incident Handling Guide (NIST Special Publication 800-61r2) is an excellent source of how to organize and design a Computer Security Incident Response Capability.  Realize, it will take some time to digest the entire document.  You’ll have to forget some ideas you’ve likely held on to, and learn new techniques that have been proven in the art of incident response.

    But why would you want to rewicker your incident handling policies, plans, and procedures?  This is a costly endeavor, no?  Well, yes, it is.  But it is going to help your organization prepare for incident response, will help in the process of incident response and recovery, and may even help in preventing an incident in the first place.

    If your management is resistant to reviewing the policies, plans, and procedures in place, you might want to help them reconsider their position.  If you happen to work in an industry or at a company who is responsible to external validation, or maintaining information that requires response to incidents (read this: just about everyone, including those who handle SOX, PHI, PII, PCI, and nearly any other data), you might want to make sure your policies, plans, and procedures follow NIST or some other industry accepted guidance platform, even if not strictly required.  When you are breached (and it is a when, not an if), your adherence to NIST or other standard is likely to go a very long way in reducing your fines.

    3. Reviewing the NIST guide

    The NIST Computer Security Incident Handling Guide SP800-61r2 is a comprehensive industry accepted incident handling guide.  The following sections take abstracted quotes from the NIST guide.

    Executive summary

Computer security incident response has become an important component of information technology (IT) programs. Cybersecurity-related attacks have become not only more numerous and diverse but also more damaging and disruptive. New types of security-related incidents emerge frequently. Preventive activities based on the results of risk assessments can lower the number of incidents, but not all incidents can be prevented. An incident response capability is therefore necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring IT services. To that end, this publication provides guidelines for incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident. The guidelines can be followed independently of particular hardware platforms, operating systems, protocols, or applications.

    Establishing an incident response capability should include the following actions:

    • Organizations must create, provision, and operate a formal incident response capability. Federal law requires Federal agencies to report incidents to the United States Computer Emergency Readiness Team (US-CERT) office within the Department of Homeland Security (DHS).
    • Organizations should reduce the frequency of incidents by effectively securing networks, systems, and applications
    • Organizations should document their guidelines for interactions with other organizations regarding incidents
    • Organizations should be generally prepared to handle any incident but should focus on being prepared to handle incidents that use common attack vectors
      • External/Removable Media: An attack executed from removable media (e.g., flash drive, CD) or a peripheral device.
      • Attrition: An attack that employs brute force methods to compromise, degrade, or destroy systems, networks, or services.
      • Web: An attack executed from a website or web-based application.
      • Email: An attack executed via an email message or attachment.
      • Improper Usage: Any incident resulting from violation of an organization’s acceptable usage policies by an authorized user, excluding the above categories.
      • Loss or Theft of Equipment: The loss or theft of a computing device or media used by the organization, such as a laptop or smartphone.
      • Other: An attack that does not fit into any of the other categories.
    • Organizations should emphasize the importance of incident detection and analysis throughout the organization
    • Organizations should create written guidelines for prioritizing incidents
    • Organizations should use the lessons learned process to gain value from incidents

    Chapter 1: Introduction

    This document has been created for computer security incident response teams (CSIRTs), system and network administrators, security staff, technical support staff, chief information security officers (CISOs), chief information officers (CIOs), computer security program managers, and others who are responsible for preparing for, or responding to, security incidents.

    1.1 Authority

    1.2 Purpose and Scope

    1.3 Audience

    1.4 Document Structure

    Chapter 2: Organizing a Computer Security Incident Response Capability

    Organizing an effective computer security incident response capability (CSIRC) involves several major decisions and actions. One of the first considerations should be to create an organization-specific definition of the term “incident” so that the scope of the term is clear. The organization should decide what services the incident response team should provide, consider which team structures and models can provide those services, and select and implement one or more incident response teams. Incident response plan, policy, and procedure creation is an important part of establishing a team, so that incident response is performed effectively, efficiently, and consistently, and so that the team is empowered to do what needs to be done. The plan, policies, and procedures should reflect the team’s interactions with other teams within the organization as well as with outside parties, such as law enforcement, the media, and other incident response organizations. This section provides not only guidelines that should be helpful to organizations that are establishing incident response capabilities, but also advice on maintaining and enhancing existing capabilities.

    2.1 Events and Incidents

    2.2 Need for Incident Response

    2.3 Incident Response Policy, Plan, and Procedure Creation

    2.4 Incident Response Team Structure

    2.5 Incident Response Team Services

    2.6 Recommendations

    Chapter 3: Handling an Incident

    The incident response process has several phases. The initial phase involves establishing and training an incident response team, and acquiring the necessary tools and resources. During preparation, the organization also attempts to limit the number of incidents that will occur by selecting and implementing a set of controls based on the results of risk assessments. However, residual risk will inevitably persist after controls are implemented. Detection of security breaches is thus necessary to alert the organization whenever incidents occur. In keeping with the severity of the incident, the organization can mitigate the impact of the incident by containing it and ultimately recovering from it. During this phase, activity often cycles back to detection and analysis—for example, to see if additional hosts are infected by malware while eradicating a malware incident. After the incident is adequately handled, the organization issues a report that details the cause and cost of the incident and the steps the organization should take to prevent future incidents. This section describes the major phases of the incident response process—preparation, detection and analysis, containment, eradication and recovery, and post-incident activity—in detail. Figure 3-1 illustrates the incident response life cycle.

    3.1 Preparation

    3.2 Detection and Analysis

    3.3 Containment, Eradication, and Recovery

    3.4 Post-Incident Activity

    3.5 Incident Handling Checklist

    Chapter 4: Coordination and Information Sharing

    The nature of contemporary threats and attacks makes it more important than ever for organizations to work together during incident response. Organizations should ensure that they effectively coordinate portions of their incident response activities with appropriate partners. The most important aspect of incident response coordination is information sharing, where different organizations share threat, attack, and vulnerability information with each other so that each organization’s knowledge benefits the other. Incident information sharing is frequently mutually beneficial because the same threats and attacks often affect multiple organizations simultaneously.

    As mentioned in Section 2, coordinating and sharing information with partner organizations can strengthen the organization’s ability to effectively respond to IT incidents. For example, if an organization identifies some behavior on its network that seems suspicious and sends information about the event to a set of trusted partners, someone else in that network may have already seen similar behavior and be able to respond with additional details about the suspicious activity, including signatures, other indicators to look for, or suggested remediation actions. Collaboration with the trusted partner can enable an organization to respond to the incident more quickly and efficiently than an organization operating in isolation.

    This increase in efficiency for standard incident response techniques is not the only incentive for crossorganization coordination and information sharing. Another incentive for information sharing is the ability to respond to incidents using techniques that may not be available to a single organization, especially if that organization is small to medium size. For example, a small organization that identifies a particularly complex instance of malware on its network may not have the in-house resources to fully analyze the malware and determine its effect on the system. In this case, the organization may be able to leverage a trusted information sharing network to effectively outsource the analysis of this malware to third party resources that have the adequate technical capabilities to perform the malware analysis.

    This section of the document highlights coordination and information sharing. Section 4.1 presents an overview of incident response coordination and focuses on the need for cross-organization coordination to supplement organization incident response processes. Section 4.2 discusses techniques for information sharing across organizations, and Section 4.3 examines how to restrict what information is shared or not shared with other organizations.

    4.1 Coordination

    4.2 Information Sharing Techniques

    4.3 Granular Information Sharing

    4.4 Recommendations

    Appendix A: Incident Handling Scenarios

    Incident handling scenarios provide an inexpensive and effective way to build incident response skills and identify potential issues with incident response processes. The incident response team or team members are presented with a scenario and a list of related questions. The team then discusses each question and determines the most likely answer. The goal is to determine what the team would really do and to compare that with policies, procedures, and generally recommended practices to identify discrepancies or deficiencies. For example, the answer to one question may indicate that the response would be delayed because the team lacks a piece of software or because another team does not provide off-hours support.

    The questions listed below are applicable to almost any scenario. Each question is followed by a reference to the related section(s) of the document. After the questions are scenarios, each of which is followed by additional incident-specific questions. Organizations are strongly encouraged to adapt these questions and scenarios for use in their own incident response exercises.  

    A.1 Scenario Questions

    A.2 Scenarios

    Appendix B: Incident-Related Data Elements

    Organizations should identify a standard set of incident-related data elements to be collected for each incident. This effort will not only facilitate more effective and consistent incident handling, but also assist the organization in meeting applicable incident reporting requirements. The organization should designate a set of basic elements (e.g., incident reporter’s name, phone number, and location) to be collected when the incident is reported and an additional set of elements to be collected by the incident handlers during their response. The two sets of elements would be the basis for the incident reporting database, previously discussed in Section 3.2.5. The lists below provide suggestions of what information to collect for incidents and are not intended to be comprehensive. Each organization should create its own list of elements based on several factors, including its incident response team model and structure and its definition of the term “incident.”

    B.1 Basic Data Elements

    B.2 Incident Handler Data Elements

    Appendix G: Crisis Handling Steps

    This is a list of the major steps that should be performed when a technical professional believes that a serious incident has occurred and the organization does not have an incident response capability available. This serves as a basic reference of what to do for someone who is faced with a crisis and does not have time to read through this entire document.

    1. Document everything. This effort includes every action that is performed, every piece of evidence, and every conversation with users, system owners, and others regarding the incident.

    2. Find a coworker who can provide assistance. Handling the incident will be much easier if two or more people work together. For example, one person can perform actions while the other documents them.

    3. Analyze the evidence to confirm that an incident has occurred. Perform additional research as necessary (e.g., Internet search engines, software documentation) to better understand the evidence. Reach out to other technical professionals within the organization for additional help.

    4. Notify the appropriate people within the organization. This should include the chief information officer (CIO), the head of information security, and the local security manager. Use discretion when discussing details of an incident with others; tell only the people who need to know and use communication mechanisms that are reasonably secure. (If the attacker has compromised email services, do not send emails about the incident.)

    5. Notify US-CERT and/or other external organizations for assistance in dealing with the incident.

    6. Stop the incident if it is still in progress. The most common way to do this is to disconnect affected systems from the network. In some cases, firewall and router configurations may need to be modified to stop network traffic that is part of an incident, such as a denial of service (DoS) attack.

    7. Preserve evidence from the incident. Make backups (preferably disk image backups, not file system backups) of affected systems. Make copies of log files that contain evidence related to the incident.

    8. Wipe out all effects of the incident. This effort includes malware infections, inappropriate materials (e.g., pirated software), Trojan horse files, and any other changes made to systems by incidents. If a system has been fully compromised, rebuild it from scratch or restore it from a known good backup.

    9. Identify and mitigate all vulnerabilities that were exploited. The incident may have occurred by taking advantage of vulnerabilities in operating systems or applications. It is critical to identify such vulnerabilities and eliminate or otherwise mitigate them so that the incident does not recur.

    10. Confirm that operations have been restored to normal. Make sure that data, applications, and other services affected by the incident have been returned to normal operations.

    11. Create a final report. This report should detail the incident handling process. It also should provide an executive summary of what happened and how a formal incident response capability would have helped to handle the situation, mitigate the risk, and limit the damage more quickly.

    4. Reference material

    1. NIST Special Publication 800-61 Revision 2, Computer Security Incident Handling Guide, https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf
    2. ARPANET, https://www.britannica.com/topic/ARPANET
    3. History of the Internet, http://en.wikipedia.org/wiki/History_of_the_Internet#Three_terminals_and_an_ARPA
    4. Morris Worm, https://www.zdnet.com/article/the-day-computer-security-turned-real-the-morris-worm-turns-30/
    5. CERT/CC at CMU, https://www.sei.cmu.edu/about/divisions/cert/
    6. ARPA/DARPA, http://en.wikipedia.org/wiki/DARPA
    7. Computer Worm, http://en.wikipedia.org/wiki/Computer_worm
    8. SEI, http://en.wikipedia.org/wiki/Software_Engineering_Institute
  • Data Breaches Unmasked: The Devastating Reality of Identity Theft

    No matter where you live, you’ve probably heard about the many breaches of data that have occurred over the last few years. It is even worse than what you read: identity theft is on the rise. Just to name a few (and no, I’m not singling out any particular companies):

  • Phish for phun and profit

    Phishing is a real problem, and that problem is only increasing in frequency.

    Phish attacks come in many different forms. Everyone is affected by phishing. Whether it be that a credit card number is stolen from your family member, or your friend gets their Facebook account hijacked, or you have your company web site blacklisted for SPAM, we are all affected by phishing attacks. Some of those attacks are worse than others.

    Click here for the presentation

    All information in this presentation is derived from public sources.

    A few definitions

    • Exploitation is an attack on a computer system, especially one that takes advantage of a particular vulnerability that the system offers to intruders
    • Social engineering is a confidence trick, an attack vector that relies on human interaction and tricks people into doing something that is likely not in their best interest
      • Social Engineering is an attempt to take advantage of the vulnerability called the Human OS
    • Phishing is the attempt to take advantage of social and emotional constructs to obtain sensitive information by disguising as a trustworthy entity in an electronic communication

    Comparison to SPAM

    • SPAM is unsolicited or unwanted email, often related to product endorsement
      • Unsolicited mail predates computers; SPAM is electronic unsolicited mail
    • Phish are pretextual lies intended to dupe the victim into providing something private or valuable, or inadvertently providing command and control access to a computer
      • Pretexting predates computers; a pretext is something that is put forward to conceal a true purpose

    References

    1. “You’ve Been Phished!”,
      https://www.nist.gov/news-events/news/2018/06/youve-been-phished
    2. “Avoiding Social Engineering and Phishing Attacks”,
      https://www.us-cert.gov/ncas/tips/ST04-014
    3. “Phishing: Don’t be phooled”,
      https://www.dhs.gov/sites/default/files/publications/2018_AEP_Vulnerabilities_of_Healthcare_IT_Systems.pdf
  • WordPress Plugins – 2.1 Mail Relay

    Let me ask an honest question.  Would you rather be doing business with “bobrx153@hotmail.com” or “bob@randolf.com” ?  Which one looks more professional?  Which one looks more trustworthy?

  • WordPress Plugins (1.0 Introduction)

    WordPress is an incredible Content Management System — and it is free!  WordPress off the shelf is just that — a content management system.  The best part of WordPress is that it is extensible. 

  • WordPress Plugins (2.0 Security: Confidentiality, Integrity, Availability)

    This post is a part of the WordPress Plugins discussion threads and focuses on Plugins that increase the Security of your WordPress site. Just as with all WordPress Plugin recommendations, only “free” Plugins will be considered.

    Security

    First, a definition for this very important section. Security is protecting the Confidentiality, Integrity, and Availability of a system. We’ll be examining WordPress Plugins that help to achieve:

    • Confidentiality:  Protecting information so that it is only available to those who have permission to know it. Protecting information against observation by every other user.
    • Integrity:  Does it relate to hackers defacing a web site?  Can it look like one person is posting, when in fact someone else is posting?  Can attribution of the information change?  Are there controls in place to confirm the identity of the person interacting with the web site?
    • Availability: Is the information protected against System outages?  Is the data available within an allowable speed constraint?
  • WordPress Plugins – 2.1 Interact with your users – Mailjet Outbound mail relay

    This article is part of the WordPress collection.  The article details how to configure and install Mailjet on your WordPress instance. The procedure will be similar if you decide to use a different outbound mail relay.

  • WordPress Post Revisions

    Have you noticed that WordPress saves post revisions for you?  It is a great feature.  Try it out yourself.  Edit a post, click “Update”, and voila, you have Post Revisions.

  • Using Artificial Intelligence to create predictive systems

    The term Artificial Intelligence (or AI) was coined in the mid 1950s.  AI technology was heavily funded by the Department of Defense for many years. Unfortunately, the practitioners at the time were overly optimistic and failed to overcome some of the difficulties that they faced. By the mid 1970s, funding was largely cut in favor of more promising projects.

  • Strategic breakthrough: Unleashing the power of Business & Technology Planning for unstoppable success

    This article explores basic business planning ideas that you should keep in mind as you are starting or continuing your business.   It is intended to provoke deeper thoughts for you and your executive team.  From business continuity, to free coffee and free WiFi, we’ll look into ideas that are important to businesses… and to customers.

  • Exploring advantages and disadvantages of Cloud: IAAS PAAS SAAS

    Cloud service providers are in the news every day.  Whether it be that Disney or the NFL is “moving to the cloud”, or that a vendor is forcing Cloud adoption with their offerings, Cloud is newsworthy. And for providers, whether it be Microsoft’s Office365, Amazon Web Services (AWS), or a vertical market solution, Cloud Computing is here to stay.

    But the first step to adoption is getting rid of the “fear factor” associated with change. And we all understand, cloud computing is a gigantic change. Cloud is changing the boardroom cost and revenue profiles, it is changing the management staffing profiles, and it is changing the individual contributor’s job profile. Just like every industrial change, Cloud requires a changed mindset. And this article is intended to help reduce those fears!

    Rainbow in the clouds - Cloud Technology Services
    Think cloud!

    This article focuses on understanding how “as a service” can help your business. First, we’ll define the continuum of primary “as a service” technologies. Next, we’ll explore some of the many cloud computing advantages and disadvantages – for there are many! Finally, we’ll apply Cloud Computing architecture and describe how real, live businesses use “the cloud”.

  • Exploiting the SDLC: Unleashing the Devastating Power of Cyber Warfare

    Information Warfare (hackers) v the Software Developer

    I hear you fancy yourself a software developer? Great! Me too. But what is your take on hackers and the craft of cyber warfare? Do you think you write hack safe code? Fact is, people are out there that want to:

    • Remotely control systems that you control,
    • Exfiltrate your data, and
    • Otherwise compromise the integrity of your technology.

    What they want to do is all fine and dandy, but surely this can’t happen to my code, right? Well, wrong.

    If you are writing router software or Operating System software, you know the importance of creating safe, secure code. But how about a game programmer? Is it really necessary to put the extra effort in to make your code safe? You bet it is.

    Maybe your code is just the way the hacker gets on the system, looking for more gold at the end of the tunnel. We’ll talk more about this and examine even more questions you may have about hackers and protecting your code and your customers in this paper. Remember, the best security is built into the system, not bolted onto the system.

    Exploiting the SDLC presentation

    Information Warfare and Your Responsibilities as a Software Developer – Introduction to understanding hackers and protecting your software against attack (click here for presentation) was created to promote awareness and motivate the software developer into further research. It is not exhaustive, and does not cover all potential vulnerabilities. It is only an overview of hacking, and a few common vulnerabilities that can be easily addressed by the software developer.

    Selected excerpts

    Tons of tools – use them!

    • Static analysis scanners
      • Security AppScan Source (IBM)
      • Flawfinder (Dwheeler)
      • FindBugs (findbugs.sourceforge.net)
      • RATS (Secure Software Inc)
      • Owasp Orizon (https://www.owasp.org)
    • Disassembly & debugging
      • IDA – debugger & disassembler (hex-rays)
      • OllyDbg (ollydbg.de)
      • gdb (GNU Debugger)
    • Password “auditors”
      • LC4 (@stake)
      • John the Ripper (Openwall)
      • L0phtcrack (L0pht Heavy Industries)

    Safe coding practices & Development rules of thumb

    • Complexity is the enemy of security
      • Keep your code as simple as possible
      • Avoid obscure code and undefined behavior
    • Use minimal privileges for deployed applications
      • Don’t require the user to have root privileges unless strictly required
    • Catch all bugs and questionable results
      • Your software needs to catch anomalies
      • Test & apply tools early and often
      • Protect at the unit level, plus protect again anywhere you like (like in the client side browser), but keep the unit level protections (e.g., don’t trust the user!)
    • Never trust the client nor user
      • nor network nor file system nor DLLs nor cookies nor anything else that is not part of your executable, and sometimes not even that (hacker could nop the authentication routine)
      • This includes both inputs and outputs
        • Perform sanity checks on server side, not client
        • Don’t volunteer too much information
    • Expect adversity, even if your program is simple
      • Your program may simply be the vector into the intended system

    Happy reading! And remember, let’s be safe out there… you are part of the cyberwar.

  • My site is blocked! Unlock URL access with content filtering companies

    Content Filtering companies have gained quite a bit of traction in the Computer Network Defense (CND) industry. The goal of content filtering is to attempt to stem the carnage that malicious sites can wreak on unsuspecting individuals and companies by blocking access to malware and other forms of ransomware. 

    The filtering engines work by proxying requests between the end user and the destination site.  They perform a “man in the middle” attack between the user and the destination in a number of different ways, such as DNS cache poisoning (Cisco’s Umbrella) and content interception (Symantec’s Bluecoat). Filtering engines use a combination of human control and machine learning to differentiate safe sites from malicious sites.  Beyond a static understanding of sites, filtering engines can identify when a safe site is hijacked and will block traffic when that known safe site is compromised.

    Identifying safe sites is neither precise nor exact — the task is all a best effort. The beginning of the best effort is listing your site in the filtering engines. If you don’t have your site listed as “safe” by the content filter company, you will likely be blocked!

  • WordPress: Transform Your Experience with Subdirectories

    Most of us are familiar with files, directories, and subdirectories.   In the art of computer science, directories are a way to organize files into a meaningful hierarchy.  WordPress relies on hierarchical file systems to organize the thousands of required files in a WordPress instance.

    History lesson! Hierarchical file systems were introduced in Microsoft’s world with DOS 2.0!

    When installing WordPress, it is reasonable to place the installation itself into a subdirectory instead of in the primary web accessible directory (often called “./public_html/”). It is easier to manage the WordPress installation if installed in a simple subdirectory such as “/wp/”.  Ease of maintenance is especially important when you are faced with something as drastic as a reinstallation.  It is also just a whole lot cleaner, and you can even install multiple WordPress instances on your domain this way.

  • Identity theft

    “You don’t know me, but I know your password.  Let me get right to the point. I have access to your computer.  I recorded you through your camera. You can pay me in bitcoin and I will disappear.  If you don’t pay me I will send the video to everyone on your distribution list.”

    Popular online scam

    Have you ever received a threatening email by an unknown assailant who claims they have access to your accounts and have collected damaging information about you?  Well sure, the email might be just a scare email with no real “meat” to it, or… it could be a bit more insidious. How can you know for sure whether this hacker really has control of your computer, or really recorded a video of you?

  • Centrally managing WordPress sites

    Managing multiple WordPress sites is no easy task. While managing a single WordPress site in itself can seem difficult at times, managing many WordPress sites concurrently requires keeping track of multiple security updates, different Plug-In updates, Theme updates, backups, usernames and credentials, and Firewall settings.

    Fortunately, this is a common problem for many WordPress managers. Why is this fortunate? Because you don’t have to reinvent anything! But you will have to work through the slew of management platforms that exist. This article is here to help you identify the best WordPress management platform for all your sites.

    Option: Hiring hosted WordPress

    Before exploring the opportunity of managing your own WordPress site instances, hiring someone else to manage the sites should be considered.

    This option is simply to pay someone else to manage all your WordPress instances. This obviously doesn’t meet the “free” criteria, but paying someone to manage your sites should be seriously considered.

    If you don’t have the time, then this is the option for you. There are quite a few vendors available to manage your WordPress site, well beyond the scope of this document. Managed WordPress should be considered if you are not sure how to manage your own site, or you don’t have the time to reasonably manage your site. Send me a note if you decide to hire out WordPress management.

    1. Success criteria

    “The best is the enemy of the good”

    Voltaire

    As we get into reviewing the options, it is going to quickly become apparent that finding the “best” platform is difficult at best. Lowering one’s expectation to “the good enough” is one of the more important exercises as we search through the hundreds of available WordPress management platforms.

    The following are the requirements and criteria for success.

    Free

    Must be free. At least the basic offering must be free. This article is going to focus on the “free” part of the offering, and judge usefulness based only on that free part.

    Site count limits

    Some of the central management platforms are going to limit the number of sites that can be managed. It is important to know the limits in place as you begin using the toolsets.

    User management

    User management is an important part of WordPress, and is an important part of centralized management.

    Installations & updates

    Updating Plugins, Themes, and Core files are critical to WordPress security. Centralizing these tasks allows more timely update management.

    Uptime monitoring

    It is important to know when your site is not available.

    Performance checks

    Uptime is only a part of the user experience. Performance checks validate performance usability for your sites.

    Multiple managers

    As your collection of sites grows, there will come a time when you need to have more than one person managing it. Some platforms allow this with unique usernames assigned to each manager. It is generally a bad idea to share credentials between multiple users.

    Multi factor authentication

    That is, multi factor security (MFA/2FA) to log into the central management system. Multi factor is important to prevent the management system itself from being a critical admin level security vulnerability.

    2. The candidates

    As mentioned, there are hundreds of options available when it comes to centralized WordPress management. Here we’ll cover some of the more popular options that are common in the industry.

    Recommended: MainWP

    MainWP at first looks like a paid site, but quickly you’ll find that it is a FREE solution with many free options available.

    MainWP Free Feature List

    This is self hosted and open source, hosted on your private WordPress instance. It isn’t a third party cloud solution. MainWP is actually hosted on your own WordPress. This means that you control the platform security.

    MainWP – Self hosted, Open source, Private

    Understand that the domain under which MainWP will be running is the master key to all of your sites. The particular WordPress instance controls all of your other sites. In this, I recommend the following:

    • Minimize the vulnerability footprint
      • Purchase a brand new URL for this domain
      • Host no other utility, no other sites, no anything on this domain other than MainWP. Every additional site
      • Do not install any PlugIns that are not absolutely necessary. PlugIns increase the vulnerability landscape and generally make the site less secure.
    • Lockdown
      • Lock down the instance as much as practical
      • Harden the host
      • Enforce multi factor authentication for all users
    • Alerts
      • Create login alerts for all users — when anyone logs into the site, you need to know about it

    With those recommendations you’ll be in a better position to protect all of your sites. Centralized management will also enhance your site security by allowing central control of updates and other management tasks.
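The login-alert recommendation above can be met without a third-party plugin. The following is an added example, not MainWP’s own code: a must-use plugin (drop it in wp-content/mu-plugins/ so it cannot be deactivated from the dashboard) that emails the site administrator on every successful login and after repeated failed logins. The function names, the login_alert_ prefix and the 5-failures-in-15-minutes threshold are assumptions of this example; the WordPress hooks and helpers used are standard ones.

```php
<?php
/**
 * Plugin Name: Login Alerts (added example, not part of MainWP)
 * Description: Emails the administrator on every login to this dashboard site,
 *              and once when an IP crosses a failed-login threshold.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run inside WordPress.
}

/** Best-effort client IP. REMOTE_ADDR is set by the web server itself, not by the client. */
function login_alert_client_ip() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return filter_var( $ip, FILTER_VALIDATE_IP ) ? $ip : 'unknown';
}

/** Sanitized, length-capped User-Agent so an attacker cannot inject junk into the mail. */
function login_alert_user_agent() {
    if ( empty( $_SERVER['HTTP_USER_AGENT'] ) ) {
        return 'unknown';
    }
    return substr( sanitize_text_field( wp_unslash( $_SERVER['HTTP_USER_AGENT'] ) ), 0, 200 );
}

/** Plain-text alert body; every field an investigator would want is on its own line. */
function login_alert_message( $event, $user_login, $ip ) {
    $lines = array(
        'Event:      ' . $event,
        'User:       ' . $user_login,
        'IP address: ' . $ip,
        'User agent: ' . login_alert_user_agent(),
        'Time (UTC): ' . gmdate( 'Y-m-d H:i:s' ),
        'Site:       ' . home_url(),
    );
    return implode( "\n", $lines );
}

/** Send to the address configured under Settings > General. */
function login_alert_send( $subject, $body ) {
    $prefix = '[' . get_bloginfo( 'name' ) . '] ';
    wp_mail( get_option( 'admin_email' ), $prefix . $subject, $body );
}

/** wp_login fires after every successful authentication, administrators included. */
function login_alert_on_login( $user_login, $user ) {
    $ip   = login_alert_client_ip();
    $body = login_alert_message( 'successful login', $user_login, $ip );
    login_alert_send( "Login: {$user_login} from {$ip}", $body );
}
add_action( 'wp_login', 'login_alert_on_login', 10, 2 );

/**
 * wp_login_failed fires on every bad password. Count failures per IP in a
 * transient and alert once when the threshold is crossed, so a brute-force
 * attempt produces one mail rather than hundreds.
 */
function login_alert_on_failed( $username ) {
    $threshold = 5;                       // assumed: 5 failures ...
    $window    = 15 * MINUTE_IN_SECONDS;  // ... within 15 minutes
    $ip        = login_alert_client_ip();
    $key       = 'login_alert_fail_' . md5( $ip );
    $count     = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, $window );

    if ( $count === $threshold ) {
        $body = login_alert_message(
            "{$count} failed logins within 15 minutes",
            sanitize_user( $username, true ),
            $ip
        );
        login_alert_send( "Repeated failed logins from {$ip}", $body );
    }
}
add_action( 'wp_login_failed', 'login_alert_on_failed' );
```

Because the dashboard site is the master key to every managed site, route these mails to a mailbox that someone actually reads and, per the recommendation above, to one that is not itself hosted on that domain.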

    Runner up: ManageWP

    ManageWP is a popular centralized management platform. The free tier allows unlimited sites, but there are limits to what is “free”.

    Example Freemium option in ManageWP

    Getting started with ManageWP is a breeze, but you will encounter “freemium” options quickly.

    For a very long time I was using ManageWP. It is great! Software as a service tool, no installation required, everything is cloud based. But, there are significant limitations. At least for the free version, you could not have multiple users managing the collection of web sites. This is a problem if you have a few people on your staff that rotate duties. But the worst part of the toolset is that it is cloud based in someone else’s cloud. If the site is compromised, I may or may not find out about it in a timely manner, and anyone who captured my credentials on the main page would then have control of all of the WordPress sites in my control. This had been a difficult pill to swallow.

    Consideration: Jetpack Manage

    You likely already have JetPack installed on your website, so why not use JetPack to manage WordPress? Installation is automatic; JetPack Manage comes with the installation.

    The features are a little more difficult to control across the collective of managed web sites. For example, adding a user across all web sites is a manual step to add a user to each of the websites sequentially. That said, it is free.

    Not recommended: InfiniteWP

    InfiniteWP is unique in this bunch in that it is not a Cloud offering. InfiniteWP is a program that you download and host on your own servers.

    However, the free offering is quite limited. Considering the complexity of having to stand up your own server and the limited features in the free offering, I’ve personally skipped the install.

    InfiniteWP — limited free offering

    Just say no: Maekit (formerly WP Remote)

    As you start looking at management options, WP Remote will come up as a friendly platform. Formerly WP Remote, the toolset is now marketed under the Maekit moniker. As of this writing, the Helper Plugin hasn’t been updated in more than a year. As such, this platform cannot be recommended at all.

    WP Remote maekit — no updates in over a year

    Just say no: CMS Commander

    The first thing I noticed is that CMS Commander lands on a “not secure” URL. Being security minded, I did a double check on that, and sure enough the site is not HTTPS.

    But even more important to this study, CMS Commander limits the free offering to only 30 days. Just say no.

    CMS Commander … is not free

    Just say no: iControlWP

    Remaining with our mandated Free Only offerings, iControlWP does not meet that demand. Recommendation is to keep looking.

    iControlWP is not free

    Just say no: WPPipeline

    The first thing I noticed about WP Pipeline is that it looked like a website I built back in the 1990s. It appears to not have a free offering, so it does not meet the minimum requirements of our review.

    WP Pipeline —

    3. Recommendations

    I’ve used several of the tools listed in this article. One thing for sure, there are many great tools available.

    MainWP came under review while investigating the toolsets this year and writing this paper. I tested MainWP on a few sites and appreciated the suite. More importantly though, MainWP is hosted on WordPress itself, and on your own instance of WordPress that you control and you protect. It can be locally hosted on your local server, or cloud hosted on your own server, or hosted on any WordPress instance.

    After a few weeks of testing, I expanded the test to include a couple of dozen sites. So far, I’ve found the MainWP system to be exceptional. The toolset itself is free, meeting the requirements set forth in this article. The company makes money when you need special PlugIns and feature sets.

    With all that said, in my experience you are unlikely to go wrong with using MainWP.

    4. References

    1. “Manage all your WordPress sites with the MainWP Dashboard”, https://mainwp.com/
    2. “A better way to manage WordPress websites”, https://managewp.com/
    3. JetPack Site Management, https://jetpack.com/support/site-management/
  • Zero day, 0day, ohday, oh my!

    Hackers have a few things in their favor when it comes to getting into your network and stealing data.  One of those things is the elusive zero day. When it comes to hacking, a zero day is an “exploitation against a publicly unknown vulnerability”. But hackers don’t need a zero day.  They only need a “zero to me day”.  What does that even mean?

  • The end of the (land) line

    So you’ve looked at your local phone bill and it was… oh my, I’m paying that much for a simple landline phone number? This doesn’t seem right! How can I be paying $40 a month for a landline phone (base price around $15/month, plus “options” price like call waiting around $20/month, plus taxes around 22%, plus plus plus)?

    Payphones are going away, but even more landline phones are going away
    (more…)
  • Business Continuity Planning

    Business Continuity Planning (BCP) is the pre-planning effort put in to make sure your business continues to operate even during adverse situations. BCP is the work put in before those imperfect days, in order to smoothly transition between “normal” operations and “backup” operations.

    A backhoe digs through the internet cables, the electricity goes out, a computer stops working, the delivery truck is involved in an accident. In all of these situations, what is the backup plan?

    A car accident can wreck your business (photo courtesy Pixabay, CC0, https://pixabay.com/en/car-accident-totalled-car-crash-1660670/)
    (more…)
  • Computer security hardening – safeguarding your systems

    Computer and book wrapped in chains
    Putting your computer in chains is one way of hardening the system

    Computer Security.  Kind of scary, actually.  With the likes of Target going down to hackers in late 2013, and a large attack on Home Depot in 2014, what can the rest of us do?  If Home Depot can be compromised, how can I protect myself?

    The bad news — you are a target.  Why though?  Well, let’s consider:

    • Do you have any financial data on your computer?  You are a target.
    • Does your company operate a health care agency with HIPAA/HITECH protected data?  You are a target.
    • Do you have a point of sale system where you perform credit card transactions?  You are a target.
    • Are you attached to the Internet? You are a target. What? That is crazy sounding. Why am I a target just because I am using the Internet? Because a hacker can use your computer as a relay to attack other computers, or as one more machine in a botnet that he rents out. Your bandwidth and your clean reputation have value to him even if your files do not.

    At this point you are likely thinking, oh great, thanks for making my day.  But remember, we are trying to make your computers safer.  Before we get into that though, let’s take a look at how malware gets on your computer in the first place.

    How malware infection happens

    You may think, hey, the only way malware can get on my system is through the network.  A firewall is sufficient to protect against those blasted attacks!

    Hey look! I have a new email! But… is that email a virus?

    Unfortunately, not all malware infects systems the same way.  Certainly, network attacks are one attack vector, but there are others.

    There are email attack vectors, mp3 attack vectors, HTML attacks, MPEG attacks, APK attacks, over-privilege attacks, Excel attacks, Word attacks, PDF attacks; in fact the list never ends. An attack is possible anywhere there is an interface to a computer. Sure, an mp3 attack may arrive over the network or on a USB stick, but it isn’t a network attack. It is an attack on the software that parses and renders the mp3. Exploring attack surfaces in depth is well beyond the purpose of this paper.

    Gorilla with a big grin on his face, thinking he has outsmarted the bad guy
    Pixabay – Laugh is on them! But wait, not exactly. Don’t think that your data is safe, and neither think that your data is not worth stealing

    One thing to note though. You might think, hey, I don’t really care if someone exploits my MPEG player. That is a risk I’m willing to take! What are they going to get? A movie? The laugh’s on them!

    Well… not exactly. The way system exploitation works is: exploit the low hanging fruit and get a shell on that system, running with whatever privileges the exploited program had. From there the attacker escalates to administrator or root, usually through a second, local vulnerability or a plain misconfiguration. Once an attacker has a root shell? Game over. He owns you. Even worse, he may own your network, because that machine is now a trusted insider from which the rest of your systems can be attacked, depending on the perimeter and internal defenses that are in place. Think: defense in depth.

    How to protect your computer

    Alright already, we’ve covered enough. You may be thinking, this is way too much to take in. You are right, it is! The short question is, what can you do to make your computer safer? Let’s explore a few ways to help protect you from an attack.

    1. Update your operating system software

    Picture of an old computer in a graveyard looking cave
    Nothing lasts forever! It might be time to retire your system if you can no longer receive patches and updates

    The first thing you should do is to make sure you are using a modern operating system if at all possible. Sure, sometimes this isn’t possible; some systems, especially embedded ones, still run on Windows XP. If that is the case for you, you’ll have to make other concessions to safeguard your systems, your networks, and your data.

    You may be thinking, why in the world should I pay to update my operating system? I paid for a version, it is working fine, so why should I update? Because hackers know that there is a delay between the time a patch comes out and the time it is fully adopted in the community. When a patch comes out, especially a security patch, hackers diff the patched binaries against the old ones to find exactly what was fixed, and from that work out how an unpatched installation can be compromised. And compromise they will. Once support for a version ends entirely, the patches stop but the vulnerability discoveries do not.

    Again, if at all possible, upgrade your operating system to a modern 64-bit version and keep that operating system patched. Are you using an outdated version of Windows and don’t wish to pay for an operating system? Then use a free operating system such as Ubuntu or one of the other Linux distributions. If that is not possible, then realize you are providing a fluid and rich attack surface, and do what you can to isolate that system and protect the perimeter around it.

    2. Update your application software

    An old manual typewriter ... yes, it might be time to buy a new word processor!
    Is your application software end of life? Might be time to find a new software solution!

    Are you still using a 16-bit application, or an old 32-bit application that is no longer maintained? Do what you can to upgrade or replace that application.

    In the same way that an outdated operating system presents security vulnerabilities, outdated user applications present security vulnerabilities, and often worse ones. Each time an application is updated, hackers are very likely to review the update to identify vulnerabilities in the still-unpatched installed base.

    Freeware software

    Do you use an outdated version of Firefox? Or an outdated Adobe Reader? My suggestion is: Don’t. But what if your company forces you to use an outdated version of one of these applications? Yes, that can be an issue. You can only do so much, especially if these decisions are above your pay grade. If you are forced to use outdated software, realize that those are likely attack vectors, and say so to whoever owns the decision. Being aware is the first step to security.

    Paid commercial software

    But what about paid applications, you might ask?  You paid nearly $5000 for your AutoCAD solution and more than a thousand for Adobe, is paying for an updated version really necessary?  The answer is yes.  You happen to be using a coveted piece of software.  If you spent thousands for AutoCAD, it is likely that you have drawings and blueprints that are worth thousands more.  Someone could use those drawings, especially if they can freely exfiltrate them from your computer.

    How about layered applications like Internet Information Services, or IIS, used to serve web pages to the world? Well, you picked up on an easy target! IIS is a common attack vector, in part because it is easy to fingerprint the version that is being used: by default the server announces itself in the Server response header of every reply. Once an attacker identifies that an old version of IIS is being used, the attacker only needs to look up a known vulnerability for that particular version to compromise the server. Patching is the real fix; suppressing the version banner merely makes the target harder to pick out.
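
    Here is what that fingerprinting step looks like in practice, as an added example and not part of the original article: a small Python script that pulls the product and version out of a constructed HTTP response and checks it against a minimum version the operator has decided on. The sample headers, the product names and the (8, 5) floor are all assumptions for the example, not vendor advice. The second response, with the disclosing headers stripped, produces no findings, which is what a hardened server should look like from the outside, patching aside.

```python
import re

# Constructed sample response, in the shape IIS returns by default (status line
# plus headers). It is not a capture from any real host.
BANNER_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 2.0.50727\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# The same response after the disclosing headers have been removed.
QUIET_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Headers that routinely give away the product or framework behind a site.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

# Operator policy: the oldest version of each product still acceptable on the
# network. The numbers are an assumption for the example, not vendor advice.
MINIMUM_VERSION = {"Microsoft-IIS": (8, 5)}


def parse_headers(raw: str) -> dict:
    """Split a raw HTTP response into a lower-cased header-name -> value dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:        # [0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def server_version(headers: dict):
    """Return (product, major, minor) from 'Server: Product/Major.Minor', or None."""
    m = re.match(r"([A-Za-z][\w-]*)/(\d+)\.(\d+)", headers.get("server", ""))
    if m is None:
        return None
    return m.group(1), int(m.group(2)), int(m.group(3))


def assess(raw: str, minimum: dict = MINIMUM_VERSION) -> list:
    """List what the response discloses and whether the server is below policy."""
    headers = parse_headers(raw)
    findings = [f"discloses {h}: {headers[h]}" for h in DISCLOSING_HEADERS if h in headers]
    version = server_version(headers)
    if version is not None:
        product, major, minor = version
        floor = minimum.get(product)
        if floor is not None and (major, minor) < floor:
            findings.append(f"{product} {major}.{minor} is below the required {floor[0]}.{floor[1]}")
    return findings


if __name__ == "__main__":
    for label, response in (("default", BANNER_RESPONSE), ("hardened", QUIET_RESPONSE)):
        print(label, assess(response) or ["nothing disclosed"])
```

    Point it at a real site by fetching a response with any HTTP client and passing the raw text to assess(); the same parsing applies to Apache, nginx and the rest, only the policy table changes.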

    Keeping your application software updated will go far in protecting your systems. Will it cost money? Yes, it likely will. I am a big proponent of open source software and the Free Software Foundation, so I’m not a fan of having to spend money on new software. If you can find an equivalent open source package that does an equally good job for you, I’d suggest migrating to it. Otherwise, yes, you’ll have to pay for that update.

    Software updates or compensating controls

    If an application cannot be updated, do what you can to find a different and more modern application to use in its place, or add compensating controls around the deployment: run it on an isolated machine or network segment, restrict the accounts that can use it, and keep it off the Internet.

    3. Use a virus protector

    A lot of people are going to discount virus protection as part of the solution. Why? Because virus protectors provide a false sense of security. Virus protectors only protect against “known” viruses, and a fresh or repacked sample walks right past them.

    This is true. Virus protectors do provide a false sense of security. That said, the bulk of the malware in circulation is old and known, and a virus protector stops that bulk for free, so why not use one? Just don’t treat it as the whole answer.

    There are several free solutions, one of which is Windows Defender.

    4. Download only from known good sites

    This is a really important point. Download only from known good sites.

    For example, are you looking for an HP printer driver?   Then go to the HP web site for the download.  Do what you can to avoid “third party” driver sites.

    Are you looking for a game or a program? Download from the developer’s own site first, or from a well-known source such as downloads.com / cnet.com, and where the publisher posts a checksum or signs the installer, check it. There are web sites devoted to providing you excellent software, with an associated trojan or other form of malware attached.

    Are you looking for a free Hollywood movie or a free APK sideload of the latest Android software through The Pirate Bay? Then be aware that the free download may also have a free trojan attached. How will you know whether that illegal download is malware? You likely won’t know for sure, even if you run it through the Cuckoo Sandbox automated malware analysis software: a sandbox can only report what the sample chose to do while it was being watched, and plenty of malware checks for a sandbox and stays quiet.
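
    The check that “known good” really rests on, as an added example and not code from the article: compute the SHA-256 of the downloaded file and compare it with the digest the vendor published alongside it, in the sha256sum file format. The files and digests here are constructed inside a temporary directory; nothing comes from a real vendor. A hash only proves the file is the one the publisher hashed, so the digest itself has to be fetched from the publisher’s own site over HTTPS, and a publisher’s code signature, where there is one, is stronger still.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of a file, read in chunks so a large installer need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_sums(text: str) -> dict:
    """Parse sha256sum-style lines ('<64 hex chars>  <name>') into {name: digest}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        name = name.lstrip("*")          # sha256sum marks binary mode with a leading '*'
        if sep and len(digest) == 64 and name:
            sums[name] = digest.lower()
    return sums


def verify_download(path: str, published_sums: str) -> bool:
    """True only if the file's digest equals the one published for its file name.

    compare_digest runs in constant time; it is the habit to keep wherever a
    secret-like value is compared, even though a file hash itself is public.
    """
    expected = parse_sums(published_sums).get(os.path.basename(path))
    if expected is None:                 # no published digest: cannot vouch for it
        return False
    return hmac.compare_digest(sha256_file(path), expected)


def demo() -> tuple:
    """Constructed scenario: the vendor's file and a tampered copy from a 'mirror'.

    Both files and the published digest are made up here; nothing is downloaded.
    Returns (genuine_verifies, tampered_verifies).
    """
    with tempfile.TemporaryDirectory() as workdir:
        genuine = os.path.join(workdir, "setup.exe")
        with open(genuine, "wb") as f:
            f.write(b"MZ\x90\x00 stand-in installer bytes for the example\n")
        # What the vendor would publish next to the download (sha256sum format, assumed).
        published = f"{sha256_file(genuine)}  setup.exe\n"

        mirror_dir = os.path.join(workdir, "mirror")
        os.mkdir(mirror_dir)
        tampered = os.path.join(mirror_dir, "setup.exe")
        with open(genuine, "rb") as src, open(tampered, "wb") as dst:
            dst.write(src.read() + b"\x00extra payload\n")   # one change is enough

        return verify_download(genuine, published), verify_download(tampered, published)


if __name__ == "__main__":
    ok, bad = demo()
    print("genuine verifies:", ok)       # True
    print("tampered verifies:", bad)     # False
```

    On a real download, save the vendor’s SHA256SUMS text next to the file and call verify_download(path, text); a False result means do not run it, whatever the site that served it claimed.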

    5. Behavior modification

    Happy dog at the beach -- but maybe you should think deeper than this!
    Don’t be Pavlov’s dog! If your behavior is “security unsavory”, then it is time to change your behavior

    Wait a second, behavior modification?  I’m not looking for a psychologist!  I don’t want to be Pavlov’s Dog!  Well, that is not exactly what I mean by behavior modification.

    • Be careful about downloading software that you are not absolutely sure about. Downloading it to your primary computer, especially if you use that computer for financial transactions, is doubly dangerous. Set up a second computer or a virtual machine where you run any questionable programs. If those programs misbehave, your financial records are not on the machine they misbehaved on.
    • You know those sweet popups that promise the first thousand who click on the banner will win a free iPad? Yeah, you aren’t going to get a free iPad. What you will get is infected. Don’t click that ad. Sadly, the fact that the ad even popped up may be very bad news: you may already be infected.

    6. Use reasonable passwords

    It might be better said as:  Don’t use unreasonable passwords.

    Yellow sticky with a note saying "see my password on the back side" -- yes, this is not sufficient.
    Protect your passwords! Writing them down in a conspicuous place is not sufficient

    What does this warning mean anyway? One of the ways a hacker attempts to gain access to a system is through password cracking. Password cracking is basically “guessing” the password, either by trying guesses against the login itself or, after stealing a database of password hashes, by hashing guesses offline until one matches. A trained hacker will use one of the many password cracking software suites, which try millions of guesses per second and apply standard “mangling rules” (capitalize, append digits, swap a for @, e for 3, s for $) to every word in a dictionary.

    Is it reasonable to use abc123 or 1234 for a password? Probably not. Is it reasonable to use a single dictionary word? Probably not. Once a hacker has identified a username, these types of passwords are guessed almost instantly.

    So what are more reasonable passwords? Throwing in a few upper case letters and symbols helps less than you’d think. @bC123* is a less likely guess than abc123, but it is only abc123 with the standard substitutions applied, and the cracking tools try those substitutions as a matter of course; the same goes for Mygr3atsecretpa$$w0rd, which is a dictionary phrase in a thin disguise. What actually makes a password hard to guess is length and unpredictability: a long passphrase of several unrelated words, or a random password generated and stored by a password manager. And use a different one for every site, so one breached site does not hand the attacker all of your accounts.
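
    To show why those substitutions buy so little, here is an added example (mine, not the article’s) of the rule-based guessing a cracking tool does: a tiny wordlist, a few capitalization rules, every combination of the usual letter-for-symbol swaps, and a handful of suffixes. Run against unsalted SHA-256 hashes of the two passwords above, it recovers @bC123* in under two thousand guesses and Mygr3atsecretpa$$w0rd in a few tens of thousands, which a real tool does in well under a second. The wordlist, rule set and suffix list are constructed for the example; real tools use far bigger ones. Unsalted SHA-256 is only for the demo: real systems should store a slow, salted hash, which cuts the guess rate but does not change the order of guesses. The last function puts a number on the alternative: four words chosen at random from a 7776-word list give about 51.7 bits, and mangling rules have nothing to work from when the words are unrelated.

```python
import hashlib
import itertools
import math

# The letter-for-symbol swaps that every mainstream cracking rule set tries.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$", "t": "7"}
# A few endings people bolt on to satisfy a "must contain a symbol or digit" rule.
SUFFIXES = ["", "!", "*", "1", "123", "?", "#", "$"]
# Constructed wordlist for the example; real attacks use millions of leaked passwords.
WORDLIST = ["password", "abc123", "letmein", "mygreatsecretpassword"]


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256 of a string; stands in for a stolen password hash in this demo."""
    return hashlib.sha256(text.encode()).hexdigest()


def case_variants(word: str) -> list:
    """The word as typed, Capitalized, UPPER, and with each single letter toggled."""
    variants = [word, word.capitalize(), word.upper()]
    variants += [word[:i] + word[i].swapcase() + word[i + 1:]
                 for i in range(len(word)) if word[i].isalpha()]
    return list(dict.fromkeys(variants))          # drop duplicates, keep order


def leet_variants(word: str):
    """Every combination of applying or not applying each swap, character by character."""
    options = [(c, LEET[c]) if c in LEET else (c,) for c in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def candidates():
    """Guesses in the order a rule-based cracker might try them."""
    for word in WORDLIST:
        for cased in case_variants(word):
            for mangled in leet_variants(cased):
                for suffix in SUFFIXES:
                    yield mangled + suffix


def crack(target_hash: str, limit: int = 1_000_000):
    """Return (password, guesses_used) if the target is reached within limit, else (None, guesses_used)."""
    guesses = 0
    for guesses, guess in enumerate(candidates(), start=1):
        if guesses > limit:
            return None, limit
        if sha256_hex(guess) == target_hash:
            return guess, guesses
    return None, guesses


def passphrase_bits(words: int, list_size: int) -> float:
    """Entropy of a passphrase of `words` words drawn uniformly from a list of `list_size`."""
    return words * math.log2(list_size)


if __name__ == "__main__":
    for pw in ("@bC123*", "Mygr3atsecretpa$$w0rd"):
        found, n = crack(sha256_hex(pw))
        print(f"{pw!r}: recovered {found!r} after {n} guesses")
    print(f"4 random words from a 7776-word list: {passphrase_bits(4, 7776):.1f} bits")
```

    Add a word to WORDLIST and the same rules find most “clever” variations of it; that is the whole point, and the reason the base word must not exist.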

    7. Periodic scans

    Another great safeguard is to run periodic full scans of your system. Run Microsoft Defender / Security Essentials full scans, but also run an occasional second-opinion scan from a different vendor, such as the free Trend Micro HouseCall, since no two engines carry the same signatures.

    8. (Advanced) Use a two way firewall

    This might not at first sound reasonable. Why would I need a two way firewall? Because the firewall that comes with your system mostly filters inbound connections. If a trojan or other rogue executable finds its way onto your computer, its first job is to call home, and a bidirectional firewall can alert you that an unfamiliar program is trying to make an outbound connection, and let you block it.

    A great free solution is ZoneAlarm Free Firewall (download it from the vendor rather than a third-party mirror, per section 4). Windows’ own firewall can also block outbound traffic by program if you write the rules yourself, but it will not prompt you when something new tries to connect.
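
    For a feel of what an outbound firewall is watching for, here is an added example (not from the article or from ZoneAlarm): a Python check that reads a constructed snapshot in the layout of Windows netstat -ano, joins it to a constructed PID-to-program map, and flags every live connection to an address outside the operator’s own networks by a program not on an allowlist. The allowlist, the internal subnet list, the sample rows and the process names are all assumptions; the 198.51.100.x and 203.0.113.x addresses are documentation ranges standing in for Internet hosts. A real two-way firewall does this in the kernel for every new connection as it happens and asks before allowing it; this snapshot version is what you would run by hand to see what is already talking.

```python
import ipaddress
import re

# Constructed snapshot in the layout of Windows 'netstat -ano'; not from a real host.
# 198.51.100.x and 203.0.113.x are documentation ranges standing in for Internet hosts.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49712     203.0.113.5:443        ESTABLISHED     4120
  TCP    192.168.1.10:49713     198.51.100.7:8080      SYN_SENT        5580
  TCP    192.168.1.10:49714     192.168.1.20:445       ESTABLISHED     4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.10:49715     203.0.113.9:443        ESTABLISHED     7711
"""

# Constructed PID -> image name map, as 'tasklist' would report it.
PROCESSES = {4120: "firefox.exe", 5580: "svch0st.exe", 4: "System",
             912: "svchost.exe", 7711: "updater.exe"}

# Operator policy (assumed): programs allowed to talk to the Internet, and the
# address ranges that count as "inside". Everything else is the outside world.
ALLOWED_OUTBOUND = {"firefox.exe", "outlook.exe"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
LIVE_STATES = {"ESTABLISHED", "SYN_SENT"}     # talking now, or about to

ROW_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(text: str) -> list:
    """Turn netstat -ano TCP rows into dicts; the header and non-TCP rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            local, foreign, state, pid = m.groups()
            rows.append({"local": local, "foreign": foreign, "state": state, "pid": int(pid)})
    return rows


def is_external(endpoint: str) -> bool:
    """True if 'host:port' points outside the operator's own networks."""
    host = endpoint.rsplit(":", 1)[0].strip("[]")      # strip IPv6 brackets if present
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False                                   # '*' or a name we cannot judge
    if addr.is_unspecified or addr.is_loopback:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def unexpected_outbound(text: str, processes: dict, allowed: set) -> list:
    """(pid, program, foreign endpoint) for each live external connection by a non-allowlisted program."""
    flagged = []
    for row in parse_netstat(text):
        if row["state"] not in LIVE_STATES or not is_external(row["foreign"]):
            continue
        program = processes.get(row["pid"], "<unknown>")
        if program not in allowed:
            flagged.append((row["pid"], program, row["foreign"]))
    return flagged


if __name__ == "__main__":
    for pid, program, foreign in unexpected_outbound(NETSTAT_SAMPLE, PROCESSES, ALLOWED_OUTBOUND):
        print(f"PID {pid} ({program}) is talking to {foreign} and is not on the allowlist")
```

    Note the look-alike name svch0st.exe (a zero, not an o) in the sample; a process name alone is weak evidence, which is why real firewalls key their rules on the full path and the file’s signature rather than the name.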

    The five word solution!

    No? Yes? Maybe? With regard to computer security and systems hardening, there is no easy answer

    So what is the solution to keep me and my data safe from attackers?  The answer is:  There Is No Easy Answer.  There are things you can do to make yourself more protected, and there are things to avoid that would make you less protected.  Some of them have been covered in this paper.

    The best advice available is:  Be aware.  Your data and your systems are costly, and compromises to your systems can be even more costly.

    If you need personal advice on how to protect your data and your systems, feel free to contact me.

    As always, let’s be careful out there!

    Checklist

    1. Update your operating system
    2. Update your software
    3. Use a two way firewall
    4. Use a Virus Protector
    5. Download only from known good sites
    6. Change your behavior
    7. Periodic scans
    8. Avoid unreasonable passwords

    Reference documents

    1. HHS reference document for HIPAA/HITECH protected information, http://www.hhs.gov/news/press/2014pres/05/20140507b.html
    2. The Free Software Foundation, http://www.fsf.org/
    3. Password Cracking Software, http://resources.infosecinstitute.com/10-popular-password-cracking-tools/
    4. Trend Micro’s Housecall online virus scanner, http://housecall.trendmicro.com/
    5. Cuckoo Sandbox, http://www.cuckoosandbox.org/
    6. Microsoft Security Essentials, http://windows.microsoft.com/en-us/windows/security-essentials-download
    7. ZoneAlarm Free Firewall, http://download.cnet.com/ZoneAlarm-Free-Firewall/3000-10435_4-10039884.html

    <Article last updated 25/September/2014>