RCR 019: Confidentiality, Integrity, and Availability

Jan 07, 2019

Subscribe: iTunes | Goggle Play | Stitcher Radio | RSS

Description:

Shon Gerber from Reduce Cyber Risk.com reveals to you the steps each week the information you need to best protect your business and reduce your company’s cyber risk. Shon provides cybersecurity training for individuals working on their CISSP as well as ways to better secure your business's daily activities.

In this show, Shon will go over recent Security News, Security Vendors, and the CISSP training around Confidentiality, Integrity, and Availability. These videos will go over what the hiring professionals should be looking for and what potential candidates should strive to achieve to meet the growing cybersecurity job demand.

Want to find Shon Gerber / Reduce Cyber Risk elsewhere on the internet?

LinkedIn – www.linkedin.com/in/shongerber

ReduceCyberRisk.com - https://reducecyberrisk.com/

Facebook - https://www.facebook.com/CyberRiskRed...

Transcript:

Reduce Cyber Risk podcast where we give you the tools you need to meet your cybersecurity regulatory requirements while helping secure your business and keep the evil hacker horde at Bay I'm your host for this acting for murder podcast each week and I provide the information you need to best protect your business and reduce your company's alright let's get going alright thanks for joining today on reduce cyber risk and we're going to go over a few things and today's episode and basically going to be getting into around security news and we're going to have some great stuff on cybersecurity for business and we're going to get into some training at deals around the cissp the good thing of the training is that even if you are an individual who does not looking for cissp this will be great information that you can utilize for your business at to protect it from the the best way you possibly can in this you'll get yourself a security person in a box that's the plan at least I don't know for the past couple days it's been a little bit of a cold time for me during the holidays so we're going to kind of catch up on some back stuff you'll see some more of these episodes coming out over the next couple weeks but that there was some recent security flaws that came out with a ABB safety PLC in you're probably going on what is that if you're not familiar with the manufacturing facility manufacturing space you'll be dealing they are ABB is there a company that works in programmable logic controllers and they deal with systems that are basically they connect they're like small little operating systems that are connected to Manufacturing Systems and what happens is PLC is a programmable logic controller they have like XP or even Windows 7 systems that are actually operating systems that are Incorporated within the PLC and they these systems run at Animas that's the whole purpose behind him that the question comes into though is that sometimes they don't always get the same kind of security updates that you would like to see from a normal operating system and it's because they are sitting in the manufacturing or the business are they processing space in that they are if you get up let's just say Onnit has he's very sensors and he's very sensors do certain things and Arjun to the sense of Dorothy's the manufacture These Arms of a printing press and it does certain tasks what is Task has a little computer which is a programmable logic and this controller will make these these armed do specific things well the thing is is in the past these have been pretty much a stand-alone system they they were connected through wire connections they are becoming more and more Wireless but the thing around that is is they don't always get updated way they should well there's a recent and so they're 4% they need these the software to be updated with the goal of protecting Shuffle traded by hackers you also don't want that the ability to support them long-term they have this has been an ongoing challenge over the past few years will after be basically since I started putting computers on these automated systems and so now you're seeing these plc's just throughout environments throughout manufacturing environment what are the main companies is a company called ABB industrial tech company in and they provide these BL season is also other companies out there Honeywell and so forth will provide the same type of programmable logic controllers but what happened is that there's a Gateway that they have is called the gateway orszag ATI Echo one and Echo to these gateways were basically allow they communicate with other systems and that's what these specific it was before well when it happened was as there's an issue with them that it was causing causing them to to have some challenges well with a BB they have a safety system so even on like on a manufacturing or contact manufacturing you may have the plc's that are connected operating within the manufacturing area and then you also have a safety system as well and he's Safety Systems any event that there is a runaway condition the Safety Systems will kick in and protect people and the facility from certain Doom but what happened is they found that this Gateway had some issues and they'll therefore they it could be exploited well you don't want your safety system to be exploited that would be bad when is a things could get really ugly real quick so allowing to do was it was a lineman to be exploited remotely I'm over the network so from a manufacturing standpoint anything it's in that world you want you don't really want it connected to the business networks give two networks of your process Network ever business Network want the manufacturing side process I'd to be connected to the business site one it causes issues in the fact that there could be conflict you like say for instance you've got a scan that's going on within the business Network that hits your process that work with these plc's are not designed as robust as a desktop system that sits in your business network will they get scanned that can cause some challenges right then call them basically to Hiccup and tip over we don't want that would be bad so therefore it's a good idea to separate these networks as well what's going down this path is because if the network is together and you you now have someone who can remote into the system will this get we allowed someone within the same network to be able to remote into it and then cause issues with it well if if someone can remote into this PLC from the business Network that's that's not a good thing at all there's processes on how to do that and you would have a remote box that you would potentially like a jump box that you would get into and then from there you would Connect into the PLC or into the safety system that's the proper way of doing something like that on the business Network that's not a good option highly recommend that if you do have ABB in your environment you look for ways to upgrade the system is best you can if there's patches out there you need to look at it fixing that at the time when I saw the read the article are there hasn't been anything yet but that's very possible to have that fixed by now since it's been a couple weeks but again what's causing this is a lack of authentication support which is typical for plc's because they're they're designed because they don't have a lot of memory on these programmable logic controllers they keep them pretty slim and they're at their in operating system are essential and so to have authentication support may not necessarily be one of the things that they're thinking of now the one thing I would say around these vendors is they're having to to take notice of this one is regulations that are coming down forcing them to do this but also it's just there's liability reasons around as well then no longer can just going to throw stuff out there and and say well we don't support it you get what you get because it is what it is that's really not really that good English so if you got any BP plc's that are in your environment just makes you look and see what you can do to potentially upgrade this especially as it relates in this vulnerability to the gate of the gateways at effector plc's there's also some medical breaches that have been occurring recently and I'm not going the Gory details around it but at Medical breaches will continue to be a hot topic for 2019 is this is a brand new year that we're coming into and one thing about this is that in the University of Vermont I have 32 thousand patients have their information compromised or basically disclosed that's that's not good that the interesting part about all this is the Packers the people that are involved with these kind of things they are typically looking for information that they can sell on the dark web people were looking for as much information as you possibly can try to sell it on the darkweb make some money personal information in today's world because there's so much of this data out there for everybody the caught the amount of money isn't that significant that you can make per record anymore I know that if you have to have like everything about an individual to include social security number to the last scene where around 25 bucks record if you have a full up Social Security number along with anything else that may go long either name date of birth and address all those things that could create the ability for you to have identity theft or identity fraud so therefore today's world I mean coming from my perspective of being a hacker for 4 for many years the one thing that you like to do is not that we did this is that you'd steal as much information as you possibly could and in the process of stealing information you can glean from it what you felt was valuable what you didn't think was valuable and so therefore it be a lot of these breaches may never end up being anything just to because they someone got access and decided just to steal as much as I could and then figure out what kind of information they had later so you'll be able to see how that plays out Fort Worth their ccrm facility it's a Clinic that was also exposed while back that's really little unclear as far as the scope of that but if you are in the Dallas-Fort Worth area and you utilize that clinic you might want to know that someone may have gotten your information so between University of Vermont and the Dallas-Fort Worth ccrm there's some few breaches in the medical side of the house that have been in the news let's move on to some for your business have you got a small or medium sized best you probably are struggling with security and or if you not struggle with security you might be thinking I'm not going to worry about it but that's a bad idea I would not recommend are there some downsides for that but which will going through River do cyber risk will go through a lot of those in detail on numerous days the partnership now between untangle and Malwarebytes now little back story about untangle and Tangled deals with a next-generation firewall so it's got your your barracudas and you're fortnite fortnite is not egg it would be a Fortinet would be a good firewall to look at when you deal with that are Palo alto's but untangle has the capability of as a next-generation firewalls well what they've done is these next-generation firewalls also communicate through the cloud they have all the companies nowadays I should say all the right term to utilize and throw everybody in the same bucket but many of these firewall companies have a cloud capability where they all talk back to you it's like the central brain well they have untangle and Malwarebytes have teamed up because Malwarebytes is a endpoint product that focuses on malware protection from Trojans to ransomware you name it right so they are the endpoint of the systems while they teamed up with untangle to work through to have the basically communicate between the firewall and the endpoint now from a security standpoint which was been in the past is these juul vendors from firewall vendors to intrusion-prevention vendors you-name-it they've all have been their own individual product they've said they've done some integration and they do integration especially when you're dealing with an Enterprise however the one thing that has been missing for small and medium-sized businesses has been the integration between these various systems and it's just really comes down to is one they don't really not as much of a market there and so therefore what ends up happening is people go well we don't not the small and medium-sized businesses what is partnership now is where they're integrating the 4 bytes in points into untangles ecosystem that deals with next-generation firewalls what is allowing to do is it's allowing it administrator which may be the owner of the small business right few small business out their owners you're probably going to write it allows the it administrators to have visibility into the Network's now you may want to if you're a small-business owner you may even have this outsourced to a third party if you do this would give them potential access into this as well they also the third party might actually be looking to offer this as a service to you but the one thing part is that this is something out that they'd made available because they see a market and they see a need so I think they're really good partnership I haven't gone into the Gory details around it other than to see what that the press release that came out so I've heard of untangle not as much as I've heard of Malwarebytes obviously but it's a great opportunity if you are a small business to allow you to get some integration between devices and services within your business within the security rule all right also just came out with a small business Security Act I was not aware of this at all and it came out in August of 2018 now what it does is it provides resources for small business and it basically provides guidelines on how to secure your small business so it's a little backstory nist National Institute of Standards and Technology was originally designed for the dod and it was designed as a way to help DOD get some level of standardization OK Google go to the next topic than this small business cybersecurity act this came out in August of 2018 and honestly I was not aware that it actually even came out what it does is it provides resources for small businesses and basically guidelines for them on how to operate and managed security as it relates to their business now if you're not around isn't technology and they came out originally for protecting the dod Department of Defense the purpose behind that was that they needed some level of standardization around how they do business and the Mist has been around for not just cyber security has been for a long time. Well this has a lot of great Publications out there around cybersecurity that can help you and so I would highly recommended your small or mid-sized business you check out that capability and see what's there and available to you if you have a third party vendor what you can do if you're evaluating third-party vendors I would actually recommend that you quiz them on this ask them what are they using to to manager networking how are they understanding their best practices around your network and that would come down to these security best practices from this will be a good place to start however it's the one thing that's downside to this some great product but it's voluntary I am not a big proponent of Regulation I think there are times when regulation is needed and but for the most part I think the US government needs not to necessarily be in everybody's chili and I think it comes on to any government is when these people start getting the government gets over Regulatory and it ends up causing some challenges voluminous amounts of regulations that are in the United States that we don't some people adhere to some people don't and it's also very challenging to cost a lot of money for all these regulations not saying that they're not all needed there are many that are needed at 1 to protect people and to protect resources however there's a lot on that are not so in the case of this those I say all that to come back to this point is that it is not regulatory is not mandatory that small medium businesses follow this so therefore what's going to happen is because it's voluntary the challenges that will come into it mini will not even look at it and and so they're there has to be some sort of fine alignment or balance between this in that with big unless it's regular. Unless it mandatory or its regulatory iodized ozette design recording us at 5 but if they don't have regulatory requirements around it the big he comes into is that unless there's some reggaeton situation that is sort of pushing people in this Direction people just won't pay attention to it so what's going to happen is many small and medium-sized businesses unless you really truly have you been burned before you've been hacked or you are more on a early adopter you probably won't be looking much at this capability so therefore it's important that we have some level of regulatory requirements almost needs to be implemented in some way to help with giving some more guidance to the small medium businesses around security so but if you are a small medium-sized business and or you're evaluating a third party to look at your door to handle security for you is a really good thing to consider is taking a look at what nist put out from their small business cybersecurity Act alright let's listen to some training we got around for reduce cyber-risk now I'm going to go into a couple different areas around as it relates to the cissp and the reason I say that is because I've got cissp courses that I'm putting out but the main thing is is that I want to kind of get the information I'm going to go from a reduced cyber-risk piece of this this training is going to focus on what are some key aspects that you need to be aware of one is a small medium sized business owner also as a person who's looking for the cissp which helps a person security future and helps you move on your security world so this is going to be some really good information that can help you with that so again this very beneficial for business owners as well as Security Professionals and availability over the overview secrecy of the data is that is basically around data not being disclosed or available to people to see and that's the confidentiality aspects of this long as you want only authorized people have access what you just like right you only want people that have authorized access you don't want unauthorised people have access well that's where confidentiality comes into play as well you want the people that have the rights to have the access if you want them to people that are that need the information to have the information hear anything around a confidentiality so we're going to get into company Shelly want to talk about maintained and the data maintained as well as how the data is potentially compromised so confidentiality maintained which is basically saying that you have disk encryption okay so you have encryption and place that is protecting your information so that is a device endpoint device encryption that's drive that you have connected encryption place that is going from your point to point from your tunnels one server talking to another server and that's that is encrypted so that would be SSL for having secure Communications with the internet could be having an ipsec tunnel which is basically a communication do you have encryption that is resident on the device as well as encryption that is set up that is communicating from point to point option is password storage and vaults who have various locations store your passwords in I don't recommend you store them in your email and I had a friend of mine that is a manager at a bank that is what a local bank and I made a comment to him they're doing some upgrades on their passwords and I saw that and I said hey that's cool since you guys store all your passwords in like a password vault which would be something like cyber-ark or something I secure them in a in a really safe spot that's awesome what were the safe spot that you store your passwords in and he goes a storm in my email I almost fell over I like you store your passwords in your email and I go don't don't you dance alone securing goes well. Have the best access to them like any good. We had a little education on that the bottom line is do you store your passwords in a secure environment it could be a password Vault like LastPass cyber-ark it could be as an Excel spreadsheet I wouldn't recommend it but it could be but at least the spreadsheet with them be potentially protected with a password as well so that's confidentiality maintain access controls these are folders applications or any place where data is stored and transmitted those would have access controls and I would allow you allowing information in or out that's important as well to have these controls in place that's confidentiality maintain now when your confidentiality is compromised so those are examples of how to keep it is when your data is shipped in plain text or stored unprotected so this kind of comes back to the encryption piece of this if you ship your data just in over the wire no cryption no protection of that would be compromising your confidentiality also not storing an encrypted on a hard drive or USB stick that would become that would be compromising your confidentiality so those are key things that you would not want to do a password protected files that would be bad if you don't want to do that now there might be times when you have to how you manage cyber-risk within your organization and there may be cases where you just have to deal with it and get to suck it up buttercup right so if that's the case then you just but you know the risks that you're accepting for your business confidentiality be compromised everyone has access to files and folder structures with I'll being done on the everyone quote about everyone that's bad you don't want everyone to have access to file and folder structures unless you have to write this you really don't care what great more power to you have everyone on it but if you have any level of regulatory requirements or any sort of security concerns like intellectual property protection whatever it is the everyone is not necessarily a good option just telling you just also employees that are socially engineered they click on a link that allows unauthorized access that right there would be your confidentiality compromised so those are key pieces where that would be cause you issues with confidentiality as it relates to Integrity okay the key thing around this is that Integrity is completely dependent upon the confidentiality of the data so company job is important Integrity work hand-in-hand and this is maintaining assurances around the accuracy and completeness of the data that's from the beginning to end that's the life cycle of it so that the data from the beginning to the end is accurate and complete that's how it's your integrity insist it's good you want that right modifier unauthorized so what you don't want is you don't have a data packet that is intercepted that potentially could have been modified the other thing that comes into this is from former military background psychological operations I'm kind of use this as a primer around the Situation's a primer as I talk about psychological operations and how a fud fear uncertainty and doubt can cause some challenges especially in the cyber world one example of that would be during 2003 I think it was when the NASDAQ there was he made the comment in 2003 they could hack the US Stock Exchange just by making that comment stock market drop 300 so that then back then it wasn't up to 27000 or whatever it is today it was a lower number so that 300-point shift was a significant and just because they said that they could hack it didn't mean to actually could they just said it so that's when the fear and certainty and doubt come into play and cause people to make reactions to it will if you can't trust the data that's coming and going from your network then that would cause but fear uncertainty and doubt and so therefore you would have some challenges swear I can't use that as an example of how you if it's potentially be modified or unauthorized in an undetected manner transfer process to ensure proper change of the data so you have a process to ensure the data in a in a way that maintains the Integrity of the data right it's it changes can occur but it has to be in a proper format Integrity maintained are some security mechanisms that must be in place to make sure the data is not compromised scripture would be good right at Transit and unrest so if the date is being moving to and from and you know you get encryption and no one can has your keys within you can feel confident that the data will not be molested in any form or shape add to the data via authentication procedures so you're keeping the unauthorised people out and the authorized people in and allowing access to the data so again you have a procedure in place to manage the information that is everything you have some level of oversight or audit that will ensure that the proper access is being granted and this would be hopefully an automated system and in as well you'd have some level of logging and monitoring and plays to verify and validate that the right people are getting the information that they need so again that's Integrity maintained now Integrity compromised would be cut it or data transmitted or stored in an unprotected contain without encryption again wide open free to get molested not good methods in place you basically don't have the right Authentication people access to the information and therefore the everyone group becomes more of an issue so if you had the upper room group set up and you know that everyone has access to this bucket of data how do you know they didn't mess with it how do you know someone didn't didn't copy it didn't delete it didn't do something else so again that's bad you want to make sure you have proper authentication mechanisms in place and then finally systems are not logged or monitor to ensure the Integrity of the data again you gave you can't it's pretty hard to ensure that you are utilizing the most current and up-to-date information Emily and uninterrupted access that's availability so you don't want the Stray backhoe that takes out your fiber you want them to be up and operational and is Amazon AWS with mentioned multiple times they do 9 or they do what 99% with like 13 nines of availability so it's important part that means you have redundant systems in place to maintain the availability of the system or the data at all times as an example you may have multiple firewalls in place that one can failover in the event of a failure that would be high availability so it must be available at all times and also must include efficient uninterrupted access which would be the prevention of a denial-of-service attack and this denial-of-service attack could be from external entities as well as internal you could have a scanner that's in your environment that is scanning ports will fit scanning ports that are in your environment and it causes all this traffic to go over the the internal Network well as we talked about earlier with the ABB plc and therefore what'll happen is they will turn around and tip over and they do unprofessional things in the event of being scammed so you that would cause a denial-of-service internally and externally would be somebody attacking you and trying to shove gobs of data at your website to shut it down so again that's denial-of-service now these are intentional and unintentional like I mentioned with the unintentional you're dealing with the scan that happens in your network the intentional would be somebody not liking you and scanning you from the outside maintain this would be that the powers maintained and kept available at all times this would be an uninterrupted power sources UPS is what they're called they keeping power on your environment and that would be that if you have a blip in the power grid and all of a sudden things start acting weird the UPS will kick on and make sure that it stays operational they're just big batteries in many cases or they can be a generator that would be in place to ensure that if you had a an outage the generator could be operational so those are around power maintain place that will ensure the system stay operational in the event of a failure so again we talked about with the firewalls do you have multiple devices in place to manage those firewalls in the event they tip over right and then finally this is one that has so often looked and I'm guilty of this as well do you have a disaster recovery continuity policy in place with a testing plan to be operational in the event things go walkie they go sideways that it's really important to do this it is and I recommend that you have policies and procedures guidelines all of those things but kiss keep it simple so you want to make sure that you have those employees and then you want to eat you also don't want to have you don't have to say I have to have all of these Disaster Recovery plans for every system focus on critical Business Systems that's a great way to reduce your risk and then finally availability compromise what what does that mean when we talk about a denial-of-service attack that right there is availability compromised with its internal or external that cause issues Central systems being unavailable if you have your main systems that you require for your business to operate and they're down well that's not good so therefore your availability can be compromised with so yeah we talked about confidentiality integrity and availability and how to best protect your Networks thanks so much for joining me today on my podcast if you like what you heard please leave a review and as I was greatly appreciate any and all feedback also check out my videos that are on YouTube just search for Sean Gerber and you will find a plethora of content to help you secure your business lastly head on over to reduce cyber risk and looked at all the free stuff it's available for our email subscribers it's growing each and every day thanks again for listening

Stay connected with news and updates!

Join our mailing list to receive the latest news and updates from our team. You'r information will not be shared.

Close

Don't you want to pass the CISSP....the FIRST time?

Get my FREE CISSP training videos (Domains 1 - 4) so I can show you how to pass the CISSP Exam...the FIRST time! .