Are you using a utility that requires Zip Archive Enabled in WordPress? For me, this was the backup utility Duplicator.
And there’s the pain point. This took quite a bit longer to find than I expected! Here’s the journey to success.
1. The Issue
The issue arose because I wanted to back up my site using Duplicator with a Zip archive.
Most of the documents mention changing this in WHM. This was not the case for me.
Of note: What you are about to do has the capability of totally crashing your WordPress site. Be sure to document any changes you make, and test the changes regularly in an incognito window or another computer.
2. The Fix
Log into your hosting company
Access WHM
Go to List Accounts in the left hand menu
Access the cPanel for the site in question
Click Select PHP Version
Select Extensions
Scroll down to activate Zip
Test your site in an Incognito window
Go back to Duplicator to confirm it is working!
Zip backups selected, and no errors! We’ve fixed the issue.
Now you can create a Zip archive.
3. But now the question, should you?
Up until now, I’ve used Zip archives because I’ve had issues with Daf archives where the entire site would not be handled. I’m reading this shouldn’t be the case… but it just has been.
Cyberattacks on medical devices are a growing threat to patient safety. Cybersecurity threats to healthcare have increased in both frequency and severity, and they continue to be clinically impactful, causing delays in care. The security of medical devices is essential to protect patient safety and the integrity of healthcare data.
Medical devices are FDA-approved solutions that pose unique security challenges when deployed in enterprise networks. There are a number of reasons why medical devices are a cybersecurity and cyber risk challenge.
1.1 Unpatched and outdated systems
Many medical devices run on outdated operating systems, leaving them ripe for exploitable vulnerabilities. Medical devices are normally managed by the vendor, not by the customer. As such, the customer is not always “in the know” about when updates occur. Certainly, contractual agreements may exist, but policy safeguards do not always represent the technical landscape. Often the medical device vendor will rightfully cite “FDA approval” for controlling the system. If an untested patch is installed by a customer, the untested system may introduce medical control issues that affect patient safety.
1.2 Security not first
Being patient focused “first”, medical devices are not normally designed as “security first”. This may be a difficult situation to negotiate with the vendor. For example, a gamma knife scheduling system compromised by malware may be marginally operational, and not affect patient safety. But a gamma knife compromised by malware or ransomware during a medical procedure may introduce lethal situations to a patient.
As security specialists, it is our job to make sure all parties understand the risks of a security compromise. Ultimately, it is our job to notify the business of these risks, and it is the business that decides how to move forward in these situations.
1.3 Highly network connected
Another risk is that medical devices are often connected to hospital networks and potentially directly to the Internet, which means that a cyberattack on one device could spread to other devices on the directly connected network. The fact that these devices may be vulnerable (as pointed out above), and connected to the Enterprise network makes them nominal bastion hosts to jump into the network, therefore a valuable target for attack.
1.4 Sensitive patient data
Additional risk areas are that medical devices often contain sensitive patient data, which makes them directly a valuable target for hackers without even needing to jump into the rest of the network.
2 The statistics
The increasing number of cyberattacks on healthcare organizations is a major concern. In 2022, there was a 74% increase in cyberattacks on healthcare organizations worldwide. This is due to a number of factors, including the increasing use of connected medical devices, the growing sophistication of cybercriminals, and the high value of healthcare data.
The potential risks of cyberattacks on medical devices are significant. They can lead to the theft of sensitive patient data, the disruption of patient care, and even the loss of life. It is therefore essential that healthcare organizations take steps to protect their medical devices from cyberattacks.
3 Guidance & recommendations
The following guidelines should be considered when evaluating medical devices. This guidance document is focused on patient safety and introducing medical devices to enterprise networks. The recommendations provide guidelines to safely and securely introduce vendor managed medical devices into operational enterprise networks. There are three entities involved. The customer is the hospital or medical facility; the vendor is the distributor of the medical device; and the manufacturer is the manufacturer on record with the FDA.
3.1 Fully document data system interfaces
Medical devices are often integrated with electronic medical records and other intricate patient health systems. Confirm that the entirety of the medical device data system interface is fully documented with asset information, connected data repository (data source & data destination), ports, and protocols. This information is important when evaluating whether additional protection (such as isolation or network segmentation) is practical. [reference 1]
3.2 Perform threat modeling
All networked devices are susceptible to malicious compromise. In threat modeling medical devices, assume the device is compromised and consider what the threat actor can do with the device. Consider patient safety first, and consider methods and techniques to protect the enterprise from the compromised medical device. [reference 2]
Threat model development is twofold. First, how can a threat actor manipulate the machine itself, potentially affecting patient safety? Second, if the device is compromised, how can that device affect healthcare operations? Threat modeling discussions should include the vendor, since the vendor is more likely to intimately understand the vulnerabilities in the device.
While developing the threat model, consider that the hospital is likely not able to thoroughly scan the device for compromise. For example, consider that the device may have explicit but undocumented wireless Internet capability (many off-the-shelf computers have built-in Internet-capable SIM cards), that a vendor employee may introduce an Internet-connected device for maintenance and updates, or that a threat actor could introduce an Internet-connected USB leave-behind. Since the hospital is likely not able to scan and control the medical device system, the hospital needs to protect itself from these types of threats.
When performing threat modeling, consider specific examples of what a threat actor could do with the compromised device. For example, a threat actor could:
Cause patient harm: Change the device’s settings or firmware. This could cause the device to malfunction, deliver incorrect treatment, and thereby harm the patient.
Perform data theft: Access and steal sensitive patient data. This could include medical records, insurance information, or financial data.
Leverage as a bastion host: Use the device as a launchpad for attacks on other devices in the network. This could spread malware or ransomware to other devices in the hospital network.
3.3 Request for software changes & cyber security updates
Medical devices often include general purpose computers and industry-available off-the-shelf (OTS) operating systems. These devices are the responsibility of the manufacturer, and controlled by the manufacturer’s FDA approval. Untested changes to the device could pose a risk to patient safety.
The device manufacturer bears the responsibility for the continued safe and effective performance of the medical device, including the performance of OTS software that is part of the device. [reference 3, 4]
The manufacturer is responsible for validating cyber security software changes to control vulnerabilities. Any requested cyber security changes are ultimately the responsibility and authority of the manufacturer’s engagement with FDA. [reference 5] Concerns related to device security and vulnerabilities need to be addressed by external measures and compensating controls such as network segmentation.
3.4 Implement compensating controls
Due to the “hands off” nature of medical devices, compensating controls should be utilized wherever practical. For example, network segmentation is a method to improve data and system protection. [reference 6] Network segmentation can be used to protect the medical device, and also to protect the enterprise network from compromised medical devices. Creating a network segment also forces the creation of a fully documented medical device data system interface (e.g., data flow diagrams), thereby enhancing the security of the engagement.
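The interface record of section 3.1 is only useful if it is checked against what the device actually does on the wire. The following added example (not part of this guidance document; the device, addresses, flow records and rules are constructed and hypothetical) turns a documented interface inventory into two defender artifacts: an audit that flags flows touching the device that the inventory does not cover (an undocumented interface to record, or a candidate indicator that the device is compromised, section 3.2), and the allowlist rules for the segment boundary of section 3.4.

```python
"""Flow audit and allowlist rendering for a documented medical-device
interface (sections 3.1, 3.2 and 3.4). Added example: the device, addresses,
log records and rules are constructed and hypothetical."""
from dataclasses import dataclass
from typing import List
import ipaddress

@dataclass(frozen=True)
class Interface:
    """One documented data-system interface of the device (section 3.1)."""
    peer: str        # remote host or CIDR the device exchanges data with
    port: int        # listening port on the receiving end
    protocol: str    # "tcp" or "udp"
    direction: str   # "out": device initiates; "in": peer initiates
    purpose: str

@dataclass(frozen=True)
class Device:
    asset: str
    address: str
    interfaces: tuple

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int        # destination port
    protocol: str

# Constructed inventory for a hypothetical infusion-pump gateway.
PUMP_GW = Device(
    asset="PUMP-GW-01",
    address="10.50.1.10",
    interfaces=(
        Interface("10.20.0.5", 2575, "tcp", "out", "HL7 results to EMR"),
        Interface("10.20.0.9", 53, "udp", "out", "internal DNS"),
        Interface("10.60.9.0/24", 443, "tcp", "in", "vendor maintenance jump hosts"),
    ),
)

def _in_net(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def parse_flow(line: str) -> Flow:
    """Parse a constructed flow record: '<ts> <src> <dst> <dport> <proto> <bytes>'."""
    _ts, src, dst, port, proto, _nbytes = line.split()
    return Flow(src, dst, int(port), proto.lower())

def matches(flow: Flow, dev: Device) -> bool:
    """True if the inventory documents this flow for the device."""
    for i in dev.interfaces:
        if flow.port != i.port or flow.protocol != i.protocol:
            continue
        if i.direction == "out" and flow.src == dev.address and _in_net(flow.dst, i.peer):
            return True
        if i.direction == "in" and flow.dst == dev.address and _in_net(flow.src, i.peer):
            return True
    return False

def audit_flows(lines: List[str], dev: Device) -> List[Flow]:
    """Return flows that involve the device but are not in its inventory.
    Each finding is either an undocumented interface to add to the 3.1
    record or a candidate indicator that the device is compromised (3.2)."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        if dev.address in (flow.src, flow.dst) and not matches(flow, dev):
            findings.append(flow)
    return findings

def allowlist_rules(dev: Device) -> List[str]:
    """Render the inventory as iptables FORWARD rules for the segment
    boundary (3.4): permit replies, permit documented interfaces, drop the rest."""
    rules = ["iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for i in dev.interfaces:
        src, dst = (dev.address, i.peer) if i.direction == "out" else (i.peer, dev.address)
        rules.append(f"iptables -A FORWARD -p {i.protocol} -s {src} -d {dst} "
                     f"--dport {i.port} -m comment --comment '{dev.asset}: {i.purpose}' -j ACCEPT")
    rules.append(f"iptables -A FORWARD -s {dev.address} -j DROP")
    rules.append(f"iptables -A FORWARD -d {dev.address} -j DROP")
    return rules

# Constructed flow records, not captured traffic.
SAMPLE_FLOWS = """
2024-05-01T10:02:11Z 10.50.1.10 10.20.0.5 2575 tcp 8120
2024-05-01T10:02:12Z 10.50.1.10 10.20.0.9 53 udp 96
2024-05-01T10:02:40Z 10.60.9.14 10.50.1.10 443 tcp 22010
2024-05-01T10:03:05Z 10.50.1.10 198.51.100.7 443 tcp 5400
2024-05-01T10:03:09Z 10.50.1.10 10.20.0.40 445 tcp 1320
2024-05-01T10:03:15Z 10.20.0.5 10.20.0.9 53 udp 88
""".strip().splitlines()

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS, PUMP_GW):
        print(f"UNDOCUMENTED {PUMP_GW.asset}: {f.src} -> {f.dst}:{f.port}/{f.protocol}")
    print("\n".join(allowlist_rules(PUMP_GW)))
```

On the constructed records the audit flags the outbound 443 connection to an external address and the SMB connection to an internal file server, exactly the undocumented Internet reach and lateral movement that sections 3.2 and 3.4 warn about.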
3.5 Document maintenance responsibilities and maintenance schedules
It is customary that the manufacturer maintains the medical device and associated software. However, there may be situations where operational staff are involved with portions of maintenance. Fully document the manufacturer’s requests for involvement.
3.6 Document cyber security readiness
Cyber incidents happen. It is important to ensure that staff are aware of the security risks posed by medical devices and how to protect the patient from those risks. For example, device-specific awareness training will guide the medical staff on actions to take during an attack. In addition, indicators of compromise should be documented and staff properly trained for awareness.
A key to successfully resolving cyber incidents is a preplanned incident response playbook (e.g., a cyber security incident response plan, or CSIRP). Document the cyber security incident response opportunities and agreements between the hospital and the vendor, including the cyber security incident response contact teams.
The cyber security protection plan should include guidelines and procedures to
Identify: Threat landscapes are continually evolving, and it is critical to recognize threats as applied to specific devices. During the device lifecycle, many changes will occur, including changes on the device itself, software patches, and connected network changes. Contractually agree to a regular cadence of “re-documenting” the system to confirm cyber security readiness.
Protect: Periodically review the security controls in place, and confirm that the controls continue to effectively protect the device from newly discovered threat vectors and vulnerabilities.
Detect: Identify signs of compromise. It is especially important that staff be made aware of indicators of compromise, and what to do if a machine is acting as though it is compromised. For example, fully document who the staff should contact when presented with what is believed to be suspicious activity.
Respond: Methods to isolate the compromised device to prevent additional attacks. Keep in mind that these are medical devices, and immediately isolating the medical device may negatively affect patient care. It is important to understand how to respond to a cyber attack while ultimately protecting patient care.
Recover: Restore operations and restore patient data.
It is critical that the CSIRP be tested on a regular basis, and after any significant system change. This testing exercise confirms that the CSIRP remains valid in the dynamic operational enterprise environment.
3.7 Simplicity is the key to security
The “least burdensome approach” to maintaining and protecting medical devices should be considered. [reference 7, 8] Consider the FDA solution a complex “vendor managed solution” where forcing last-minute vendor changes is neither practical nor secure. Instead, recognize the device as unmanaged (unmanaged from the customer’s point of view), with unmanaged risks and unmanaged validation, and work to implement a framework of controls around the device that protects both the device itself and the rest of the enterprise from the device.
3.8 Informal agreements are not obligations
Remember that emails and discussions are not contractual obligations. Consider the value of the emails and discussions, and document any fundamentally important agreements as contractual obligations. Consider whether the agreements are absolutely critical to the engagement, and apply the principles of “practical security”.
4 Conclusion
Medical devices are capable of directly affecting patient care. These devices are also connected to other infrastructure components with an ability to affect patient records, retrieve and store sensitive patient information, and be used as jump boxes to the rest of a hospital network.
When considering methods to protect the medical device system from attack by a threat actor, and to protect the hospital network from being attacked by a rogue device, the most effective methods are
To coach medical staff on cyber security readiness,
To employ methods to encapsulate and control network traffic,
To regularly revisit the vulnerability landscape for the system, and
To understand how an offensive operator can use that medical system to their benefit, to the hospital’s detriment, and to the patient’s peril.
Medical devices & systems are a critical part of patient care, and securing these systems is essential to protecting patients and providing healthcare services.
Reference material
1 Food and Drug Administration (FDA), “Medical Device Data Systems, Medical Image Storage Devices, and Medical Image Communications Devices Guidance for Industry and Food and Drug Administration Staff”, September 28, 2022, https://www.fda.gov/media/88572/download
2 MITRE, “Playbook for threat modeling medical devices”, November 30, 2021, https://www.mitre.org/sites/default/files/2021-11/Playbook-for-Threat-Modeling-Medical-Devices.pdf
3 Food and Drug Administration (FDA), “Guidance document, Off-The-Shelf Software Use in Medical Devices, Guidance for Industry and Food and Drug Administration Staff”, September 27, 2019 (originally issued September 9, 1999), https://www.fda.gov/regulatory-information/search-fda-guidance-documents/shelf-software-use-medical-devices
4 Food and Drug Administration (FDA), “Global Approach to Software as a Medical Device”, https://www.fda.gov/medical-devices/software-medical-device-samd/global-approach-software-medical-device
5 Food and Drug Administration (FDA), “Guidance for Industry Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software”, https://www.fda.gov/media/72154/download
6 National Institutes of Health (NIH), “Information Technology and Medical Technology Personnel’s Perception Regarding Segmentation of Medical Devices: A Focus Group Study”, https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7151197/
7 Food and Drug Administration (FDA), “Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software”, January 14, 2005, https://www.fda.gov/regulatory-information/search-fda-guidance-documents/cybersecurity-networked-medical-devices-containing-shelf-ots-software
8 Hoffer, Gregory, “Complexity is Still the Enemy of Security”, https://www.cyberdefensemagazine.com/complexity-is-still-the-enemy-of-security/
Have you ever received a phone call where the caller’s first question is, “Can you hear me?”
There has been a lot of talk on the internet since around 2017, with people saying they were encouraged to say “Yes!” only to later have their voice used to pay for services.
Disclaimer: I am not a lawyer, and I do not play one on television. I am however familiar with social engineering. I can tell you, in my professional opinion, of all the things that never happened, this never happened the most.
But… really? Is this for real? Or is it fear mongering, which is quite common on the internet? With a simple one word answer, can someone really steal my identity, or obligate me to a purchase?
Can I be obligated with a single word?
The answer is: Probably not. Realize, you likely have dozens of video clips of you and your friends on YouTube, or Instagram, or TikTok, or Facebook. And can a single word be used to identify you? So the perpetrators of this likely hoax are saying that a bad actor can order stuff on the internet, be on a call with whatever salesperson for however long they need to be on, and then at the crux of the call they will change their voice completely and insert your voice with a single-word response, “Yes”?
Does that even sound reasonable? Of course it doesn’t sound reasonable. But it makes for good click bait, and fear mongering creates a lot of interest. The problem is, it also distracts you from real adversaries. Distractions are sometimes fun, but distractions are usually not very good use of your time.
Why the “Hello can you hear me” then? What are more reasonable thoughts on why these calls come in with that odd question?
Confirming you are a real person
The reason for the “can you hear me” is most likely a robocall where the calling company doesn’t want to waste the time of a real agent. Robo companies are operating on volume – the more calls the better, because some percentage of people will actually buy what they are selling.
If an answering machine answers, there is no reason to waste the time of a real agent. When the “just say yes or no” happens, it is because the robocall recognized a voice, but thinks it has an answering machine.
Buying time for the operator
A second reason is that the robocaller just transferred the call to a real agent, who is trying to buy themselves time in the awkwardness of having the phone answered. You may have said “Hello” or something else, and they don’t know what you said, so in order to trick you into thinking they were having phone issues they ask you to basically repeat yourself with the cue “Hello? Hello? Can you hear me?”
Final thoughts
There are many reasons that a caller would ask whether the called party can hear them, including
A delay tactic, while being transferred to a live agent.
A simple way to start a conversation and to get the other person to respond.
A way for the scammer to test the audio quality of the call and to make sure that they are able to understand the other person.
A way to gauge the other person’s interest in the scam. If the other person responds positively to the “Can you hear me?” question, the scammer is more likely to continue with the scam.
A way to confuse or startle the other person, making them more likely to fall for the upcoming scam in confusion.
A basic tactic for sales, get the potential buyer to get used to saying “yes” in the conversation.
Now that said, these are my professional opinions. And remember, just because you are paranoid doesn’t mean they aren’t out to get you, so hanging up the phone is the right thing to do.
A watering hole attack is a type of cyberattack in which the attacker targets a website or online service that is known to be frequented by the victim’s target audience. The attacker then compromises the website or service and injects malicious code into it. When the victim visits the website or uses the service, they are infected with malware.
Watering hole attacks are a more sophisticated type of attack than phishing attacks. They are also more difficult to defend against, as the victim is not actively tricked into clicking on a malicious link.
The skill of attack: How watering hole attacks work
There are two broad categories for watering hole attacks.
Opportunistic watering hole
In one case, there is the opportunistic watering hole attack. In the opportunistic case, the attacker has discovered a vulnerable web site, compromises the web site, and waits for any victim to happen by.
An opportunistic watering hole attack typically follows these steps:
The attacker identifies a website or service that can be compromised.
The attacker compromises the website or service and injects malicious code into it.
Any victim visits the website or uses the service.
The malicious code is executed and the victim is infected with malware.
Targeted watering hole
In a different attack, the watering hole is known to be used by a specific targeted victim. This is a more sophisticated attack against a known specific target.
A targeted watering hole attack typically follows these steps:
The attacker enumerates websites and online services that are known to be frequented by the targeted victim.
The attacker enumerates vulnerabilities on the websites and online services.
The attacker compromises the websites or services and injects malicious code into them.
The victim visits the website or uses the service. In order to evade detection, the attacker may include exemption code to prevent the malware from running on any targets other than the identified target.
The malicious code is executed and the victim is infected with malware.
The malware can then be used to gain access to the victim’s computer or network, or to steal data.
How to defend against watering hole attacks
There are a number of ways to defend against watering hole attacks, including:
Educating users: Educating users is almost always included as the “go to” solution for all things cyber. Novice defenders believe that “ISO Layer 8” is the easiest attack model to compromise, and this is true: the user is the easiest operating system to attack. That said, watering holes are a unique technique in that the end user often has to use the watering hole in their normal course of business. That being the case, how can users be educated to avoid watering holes if these watering holes are otherwise “trusted sites”? The answer is, the end user can’t be taught the basic tenet of “avoid untrusted sites”. Instead, the user needs to be made aware of anomalies that might occur when visiting otherwise known trusted sites, a much more complicated endeavor, although one that must be explored.
Maintain updated systems: Updates and patches must be maintained on the enterprise systems. Maintaining updated and patched software reduces the opportunity for exploits to successfully land on the enterprise.
URL filtering: Use URL filtering software that tests the URL destination for malware before it loads into a potential victim’s browser.
Continuous website monitoring: Organizations should monitor websites that are frequented by their employees or customers for signs of compromise. This can be done using web application firewalls or other security tools. When compromise is identified, block access to the web site and proactively contact the web provider.
Using security software: Security software can help to detect and block malicious code. Security software should be kept up to date with the latest virus definitions.
Using intrusion detection systems: Intrusion detection systems (IDSs) can help to detect malicious activity on a network. IDSs should be configured to detect watering hole attacks.
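The “continuous website monitoring” control above is concrete enough to show in code. The following added example (not from the original post; the HTML snapshots and hostnames are constructed and use reserved example domains) compares a baseline snapshot of a frequented site against a fresh fetch and reports newly introduced script and iframe sources and new inline scripts, rating a new source from an origin outside the site’s expected allowlist as high severity, which is the signature of an injected watering hole payload.

```python
"""Detect script/iframe injection on a frequented site by comparing a
baseline HTML snapshot with a fresh one. Added example; the HTML samples
and hostnames are constructed (reserved example domains), not real sites."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import hashlib

class _ActiveContent(HTMLParser):
    """Collect external script/iframe sources and hashes of inline scripts."""
    def __init__(self):
        super().__init__()
        self.external = set()   # (tag, src) for <script src> and <iframe src>
        self.inline = set()     # sha256 of each inline <script> body
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            self.external.add((tag, a["src"]))
        elif tag == "script":
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._buf).strip()
            if body:
                self.inline.add(hashlib.sha256(body.encode()).hexdigest())
            self._in_script = False

def active_content(html: str):
    p = _ActiveContent()
    p.feed(html)
    p.close()
    return p.external, p.inline

def origin(url: str) -> str:
    """Host part of an absolute URL; empty string for same-origin relative URLs."""
    return urlsplit(url).netloc.lower()

def compare(baseline_html: str, current_html: str, allowed_origins: set):
    """Return (severity, message) findings for active content that appeared
    since the baseline. A new source from an origin outside the allowlist is
    rated high; same-origin or allowlisted additions and new inline scripts
    are rated medium and should be reconciled with the site's change history."""
    base_ext, base_inline = active_content(baseline_html)
    cur_ext, cur_inline = active_content(current_html)
    findings = []
    for tag, src in sorted(cur_ext - base_ext):
        host = origin(src)
        severity = "high" if host and host not in allowed_origins else "medium"
        findings.append((severity, f"new <{tag}> src={src}"))
    for digest in sorted(cur_inline - base_inline):
        findings.append(("medium", f"new inline <script> sha256={digest[:16]}..."))
    return findings

# Constructed snapshots of a hypothetical supplier portal.
BASELINE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example/lib/ui.min.js"></script>
<script>window.cfg = {"env": "prod"};</script>
</head><body><h1>Supplier portal</h1></body></html>"""

# Same page after a compromise: one extra script source, one extra inline
# script and a zero-size iframe, all pointing at an unexpected origin.
CURRENT_HTML = BASELINE_HTML.replace("</head>", """<script src="https://static-updates.invalid/t.js"></script>
<script>var t = Date.now();</script>
<iframe src="https://static-updates.invalid/f.html" width="0" height="0"></iframe>
</head>""")

ALLOWED_ORIGINS = {"cdn.example"}

if __name__ == "__main__":
    for severity, message in compare(BASELINE_HTML, CURRENT_HTML, ALLOWED_ORIGINS):
        print(f"[{severity}] {message}")
```

In practice the baseline is refreshed whenever the site owner confirms a legitimate change, and a high finding is what triggers the “block access and contact the web provider” step above.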
Conclusion
Watering hole attacks are a serious threat to organizations and individuals. By taking steps to educate users, use security software, monitor websites, and use intrusion detection systems, organizations can help to protect themselves from these attacks.
The COVID19 Coronavirus situation has affected our families, our homes, and our work environments. Our children are home, some people are new at working remotely, others have to be extra vigilant in keeping their areas clean and sterile, and even more are stressed and overworked with more caseloads and more patient care than is common.
During these stressful times, the Internet Bad Guys are going to do their best to trick you. They are working hard to entice you to do the wrong thing. The Bad Guys are going to strike your nerves with Fear, Uncertainty, and Doubt, three of the most powerful influencers ever used against mankind.
How can you protect yourself? The same methods you use to keep you safe “in real life” will also secure your digital world — be aware! Know your contacts, know your computer, and know your context. Let’s take a look.
Know your contacts (your people, your connections)
Do not open links from unknown contacts! Do not open files! Are you receiving more emails about “COVID19”? Information about your stimulus check? Brand new “Preventions” and “Cures”? Source for Toilet Paper and Masks? Do not click those links unless you know the sender, and do not open attachments. These social engineering techniques are known as Phishing attacks.
Are you receiving phone calls asking for information? Spoofing Caller ID is easy; do not rely on Caller ID alone to identify the caller. Be especially vigilant with odd requests such as sending money, or a caller suggesting that you open a web page. These social engineering techniques are known as Vishing attacks.
Did you receive a USB memory stick in the mail or find one while shopping? “Free Gift” from Best Buy or your favorite shopping site? “Proprietary Information” from your employer? Just toss it in the garbage. USBs can be used to spread viruses. If you do not know its origin, it is not worth risking a computer virus infection. These social engineering techniques are known as USB Drop attacks.
Know your computer (your systems)
Be aware when things are not working correctly, or seem particularly slow. Contact your manager or help desk if you notice anything that “doesn’t seem right”.
Keep your computers and phone software up to date. Install all security updates when they are available. Make sure your virus protector is on and updated.
Know your context (your surroundings, your work environment)
Just like in the real world, know your surroundings. Be aware of who is around. Be especially aware when discussing sensitive information. Our environments are rapidly changing, and our work lives and home lives are now more tightly integrated than just a few weeks ago. Know who is around when you are discussing sensitive information, whether it be financial information, patient data, or anything else that should be kept private.
Famous last words
Take care of yourself
Remember, security starts with you. Be aware, be conscious of your surroundings, and be knowledgeable about your rapidly changing work environment.
Fear, uncertainty, and doubt: Three powerful influencers especially at times like today when our physical health is threatened. Let’s be careful out there.
Tell me more! What are your safety tips? How can we all be safe out there?
Content filtering companies have gained quite a bit of traction in the Computer Network Defense (CND) industry. The goal of content filtering is to stem the carnage that malicious sites can wreak on unsuspecting individuals and companies by blocking access to ransomware and other forms of malware.
The filtering engines work by proxying requests between the end user and the destination site. They perform a “man in the middle” between the user and the destination in a number of different ways, such as DNS cache poisoning (Cisco’s Umbrella) and content interception (Symantec’s Bluecoat). Filtering engines use a combination of human control and machine learning to differentiate safe sites from malicious sites. Beyond a static understanding of sites, filtering engines can identify when a safe site is hijacked and will block traffic when that known safe site is compromised.
Identifying safe sites is not precise nor exact — the task is all a best effort. The beginning of the best effort is listing your site in the filtering engines. If you don’t have your site listed as “safe” by the content filter company, you will likely be blocked!
Most of us are familiar with files, directories, and subdirectories. In the art of computer science, directories are a way to organize files into a meaningful hierarchy. WordPress relies on hierarchical file systems to organize the thousands of required files in a WordPress instance.
History lesson! Hierarchical file systems were introduced in Microsoft’s world with DOS 2.0!
When installing WordPress, it is reasonable to place the installation itself into a subdirectory instead of in the primary web accessible directory (often called “./public_html/”). It is easier to manage the WordPress installation if installed in a simple subdirectory such as “/wp/”. Ease of maintenance is especially important when you are faced with something as drastic as a reinstallation. It is also just a whole lot cleaner, and you can even install multiple WordPress instances on your domain this way.
Hackers have a few things in their favor when it comes to getting into your network and stealing data. One of those things is the elusive zero day. When it comes to hacking, a zero day is an “exploitation against a publicly unknown vulnerability”. But hackers don’t need a zero day. They only need a “zero to me day”. What does that even mean?
(Image caption: Putting your computer in chains is one way of hardening the system)
Computer Security. Kind of scary, actually. With the likes of Target going down to hackers in late 2013, and a large attack on Home Depot in 2014, what can the rest of us do? If Home Depot can be compromised, how can I protect myself?
The bad news — you are a target. Why though? Well, let’s consider:
Do you have any financial data on your computer? You are a target.
Does your company operate a health care agency with HIPAA/HITECH protected data? You are a target.
Do you have a point of sale system where you perform credit card transactions? You are a target.
Are you attached to the Internet? You are a target. What? That is crazy sounding. Why am I a target just because I am using the Internet? Because a hacker can use your computer as a relay to attack other computers!
At this point you are likely thinking, oh great, thanks for making my day. But remember, we are trying to make your computers safer. Before we get into that though, let’s take a look at how malware gets on your computer in the first place.
You may think, hey, the only way malware can get on my system is through the network. A firewall is sufficient to protect against those blasted attacks!
(Image caption: Hey look! I have a new email! But… is that email a virus?)
Unfortunately, not all malware infects systems the same way. Certainly, network attacks are one attack vector, but there are others.
There are email attack vectors, mp3 attack vectors, HTML attacks, MPEG attacks, APK attacks, over-privilege attacks, Excel attacks, Word attacks, PDF attacks, and in fact the list never ends. An attack is possible anytime there is an interface to a computer. Sure, an mp3 attack may come through a network or USB, but it isn’t a network attack. It is an attack on the software that is rendering the mp3. Exploring attack surfaces is well beyond the purpose of this paper and will not be covered further here.
(Image caption, Pixabay: Laugh is on them! But wait, not exactly. Don’t think that your data is safe, and don’t think that your data is not worth stealing)
One thing to note though. You might think hey, I don’t really care if someone exploits my mpeg player. That is a risk I’m willing to take! What are they going to get? A movie? The laugh’s on them!
Well… not exactly. The way system exploitation works is: exploit a piece of low-hanging fruit and get a shell on that system. Once an attacker has a root shell? Game over. He owns you. Even worse, he may own your network, depending on the perimeter defenses that are in place. Think: defense in depth.
How to protect your computer
Alright already, we’ve covered enough. You may be thinking, this is way too much to pick up. You are right, it is! The short question is, what can you do to make your computer more safe? Let’s explore a few ways to help protect you from an attack.
1. Update your operating system software
(Image caption: Nothing lasts forever! It might be time to retire your system if you can no longer receive patches and updates)
The first thing you should do is to make sure you are using a modern operating system if at all possible. Sure, sometimes this isn’t possible — for example, some programs, especially embedded programs, are still operating on XP. If that is the case for you, you’ll have to make other concessions to safeguard your systems, your networks, and your data.
You may be thinking, why in the world should I pay to update my operating system? I paid for a version, it is working fine, so why should I update? Because hackers know that there is a delay between the time a patch comes out and the time it is fully adopted by the community. When a patch comes out, especially a security patch, hackers are going to reverse engineer the update to determine how an unpatched installation can be compromised. And compromise they will.
Again, if at all possible, upgrade your operating system to a modern 64-bit version and keep that operating system patched. Are you using an outdated version of Windows and don’t wish to pay for an operating system? Then use a free operating system such as Ubuntu or one of the other Linux distributions. If that is not possible, then realize you are presenting a broad and rich attack surface, and do what you can to protect perimeter systems.
2. Update your application software
Is your application software end of life? Might be time to find a new software solution!
Are you still using a 16-bit or 32-bit application? Do what you can to upgrade that application.
In the same way that outdated operating system software presents security vulnerabilities, outdated user applications present security vulnerabilities, and in a very bad way. Each time an application is updated, hackers are very likely to review the update to identify vulnerabilities in the existing installed user base.
Freeware software
Do you use an outdated version of Firefox? Or an outdated Adobe Reader? My suggestion is: don’t. But what if your company forces you to use an outdated version of one of these applications? Yes, that can be an issue. You can only do so much, especially if these decisions are above your pay grade. If you are forced to use outdated software, realize that those are reasonable attack vectors. Being aware is the first step to security.
Paid commercial software
But what about paid applications, you might ask? You paid nearly $5000 for your AutoCAD solution and more than a thousand for Adobe; is paying for an updated version really necessary? The answer is yes. You happen to be using a coveted piece of software. If you spent thousands on AutoCAD, it is likely that you have drawings and blueprints that are worth thousands more. Someone could use those drawings, especially if they can freely exfiltrate them from your computer.
How about layered applications like Internet Information Services, or IIS, used to serve web pages to the world? Well, you picked an easy target! IIS is a common attack vector, in part because it is easy to fingerprint the version that is being used on a network. Once an attacker identifies that an old version of IIS is being used, the attacker only needs to find a known vulnerability in that particular version of IIS to compromise the server.
Keeping your application software updated will go far in protecting your systems. Will it cost money? Yes, it likely will. I am a big proponent of open source software and the Free Software Foundation, so I’m not fond of the idea of having to spend money on new software. If you can find an equivalent open source package that does an equally good job for you, I’d suggest migrating to it. Otherwise, yes, you’ll have to pay for that update.
Software updates or compensating controls
If an application cannot be updated, do what you can to find a different and more modern application to use in its place, or add some other compensating controls to the software deployment.
3. Use a virus protector
A lot of people are going to discount virus protection as part of the solution. Why? Because virus protectors provide a false sense of security. Virus protectors only protect against “known” viruses.
This is true. Virus protectors do provide a false sense of security. That said, virus protectors do provide protection against known viruses, so why not use one?
There are several free solutions, one of which is Windows Defender.
4. Download only from known good sites
This is a really important point. Download only from known good sites.
For example, are you looking for an HP printer driver? Then go to the HP web site for the download. Do what you can to avoid “third party” driver sites.
Are you looking for a game or a program? Download from downloads.com / cnet.com, or from another known good source. There are web sites devoted to providing you excellent software — with a trojan or some other form of malware attached.
Are you looking for a free Hollywood movie or free APK sideload of the latest Android software through The Pirate Bay? Then be aware that the free download may also have a free Trojan attached. How will you know whether that illegal download is malware? You likely won’t know, even if you run it through the Cuckoo Sandbox automated malware analysis software.
5. Behavior modification
Don’t be Pavlov’s dog! If your behavior is “security unsavory”, then it is time to change your behavior.
Wait a second, behavior modification? I’m not looking for a psychologist! I don’t want to be Pavlov’s Dog! Well, that is not exactly what I mean by behavior modification.
Be careful about downloading software that you are not absolutely sure about. Downloading it to your primary computer, especially if you use that computer for financial transactions, is doubly dangerous. Set up a second computer or a virtual machine where you can run any questionable programs. If those programs perform unexpected actions, your financial records will not be compromised.
You know those sweet popups that promise the first thousand who click on the banner will win a free iPad? Yeah, you aren’t going to get a free iPad. What you will get is infected. Don’t click that ad. Sadly, the fact that the ad popped up at all may be very bad news: you may already be infected.
6. Use reasonable passwords
It might be better said as: Don’t use unreasonable passwords.
Protect your passwords! Writing them down in a conspicuous place is not sufficient.
What does this warning mean anyway? One of the ways a hacker attempts to gain access to a system is through password cracking. Password cracking is a method of gaining access to a system by, basically, “guessing” the password. A trained hacker will use one of the many password cracking software suites.
Is it reasonable to use abc123 or 1234 for a password? Probably not. Is it reasonable to use a single dictionary word? Probably not. Once a hacker has identified a username, these types of passwords are very quickly guessed.
So what are more reasonable passwords? Throw in a few upper case letters and maybe symbols. For example, @bC123* is going to be a much less likely guess compared to abc123, and a long passphrase like Mygr3atsecretpa$$w0rd is better still.
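To put numbers on the guesses above, here is an added example (mine, not from the original post) of a simple password checker: it flags the post’s weak examples by lookup against a constructed common-password list and a tiny dictionary (after undoing the usual @/$/0/3 substitutions that cracking rule sets apply), and otherwise estimates how large the brute-force search space is. The wordlists and the 40-bit cutoff are assumptions chosen for illustration.

```python
import math
import string

# Constructed, tiny stand-ins for the wordlists a cracking suite ships with.
COMMON_PASSWORDS = {"123456", "password", "abc123", "1234", "qwerty", "letmein"}
DICTIONARY_WORDS = {"secret", "dragon", "monkey", "sunshine", "welcome", "football"}

# Symbol substitutions that cracking rule sets routinely undo before matching.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e"})

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def alphabet_size(password: str) -> int:
    """Size of the smallest standard character set covering every character used."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    if any(all(c not in cls for cls in CLASSES) for c in password):
        size += 32  # assumed allowance for spaces / non-ASCII characters
    return size


def guess_space_bits(password: str) -> float:
    """log2 of how many candidates an exhaustive search must try in the worst case."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def assess(password: str) -> dict:
    """Classify a password the way the post does: common, single word, or guess-resistant."""
    lowered = password.lower()
    normalized = lowered.translate(LEET_MAP)  # e.g. "s3cr3t" -> "secret"
    bits = guess_space_bits(password)
    if lowered in COMMON_PASSWORDS or normalized in COMMON_PASSWORDS:
        verdict = "common password: guessed first"
    elif normalized in DICTIONARY_WORDS:
        verdict = "single dictionary word: guessed quickly"
    elif bits < 40:  # assumed cutoff: small enough for an offline brute force
        verdict = "short search space: brute-forceable"
    else:
        verdict = "reasonable"
    return {"password": password, "bits": round(bits, 1), "verdict": verdict}


if __name__ == "__main__":
    for pw in ("abc123", "1234", "secret", "s3cr3t", "@bC123*", "Mygr3atsecretpa$$w0rd"):
        print(assess(pw))
```

Running it shows abc123 and 1234 rejected by lookup before any brute force is considered, s3cr3t collapsing to a dictionary word, and the 21-character passphrase landing far above the cutoff.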
7. Periodic scans
Another great safeguard is to run periodic full scans of your system. Run Microsoft Defender/Security Essentials full scans, but also run other scans such as the free Trend Micro Housecall.
8. (Advanced) Use a two way firewall
This might not at first sound reasonable. Why would I need a two-way firewall? Because if a Trojan or other rogue executable finds its way onto your computer, a bidirectional firewall will be able to alert you that the software is trying to communicate outbound.
A great free solution is ZoneAlarm Free Firewall.
The five word solution!
With regard to computer security and systems hardening, there is no easy answer.
So what is the solution to keep me and my data safe from attackers? The answer is: There Is No Easy Answer. There are things you can do to make yourself more protected, and there are things to avoid that would make you less protected. Some of them have been covered in this paper.
The best advice available is: Be aware. Your data and your systems are costly, and compromises to your systems can be even more costly.
If you need personal advice on how to protect your data and your systems, feel free to contact me.