Posts

The following was originally posted to the blog site of author L.A. Sartor. She and Josh were kind enough to allow me to share this extremely cool bit of knowledge with you. By the way, many of you will remember Josh from his wonderful cybercrime presentations at the Writers’ Police Academy, and from his fascinating articles here on The Graveyard Shift.

So, without further ado, I’ll ask L.A. Sartor to introduce today’s guest blogger …

 

Author L.A. Sartor

“This is the final installment of Josh’s 3-part series.  I hope you’ve found it as scary and as useful as I have.  Thanks, Josh, for your time and your expertise.”  

 

 

 

 


If you have been following this blog series, you know that the first blog discussed the cyberattack kill chain and how hackers target individuals and systems and the second blog covered common cyberattacks and how they are perpetrated and identified. In this final post, I am going to discuss what users can do to harden their systems against attack.

Typically, criminals are lazy and take the path of least resistance. Just like locking your doors and having an alarm system will deter the majority of home burglars, there are preventative steps a computer user can take to cause a criminal to move on to someone else who is easier to compromise. The major caveat to this is if you happen to be specifically targeted by the attacker, who may not be easily deterred by basic preventative measures.

Cybersecurity is a fine balance between convenience and security; users and businesses must make an informed risk-based decision when determining the level of security that should be applied to systems and applications. Too much convenience and your systems are wide open to attacks. Too much security and work is inhibited

In no particular order, here are my suggestions and opinions on how to keep yourself cybersafe:

Multifactor Authentication

I have an entire blog post dedicated to Multifactor Authentication (MFA). If you want the details, please read it – but to summarize here, use MFA for everything that you possible can. Can it be a hassle to always have your phone with you? Yes. Does it make it nearly impossible for someone to access your online information without your phone? Yes. Use MFA like Google Authenticator or text messaging for banks, Dropbox, iCloud, Google, etc. If you are wondering what sites and services offer MFA, look at this website.

Physical Security

Equally as important as having good cybersecurity, you must protect your devices. Once an attacker has physical access to your phone, tablet, computer, etc. it is game over. Use strong passwords, use screen savers that require a password once they come on, don’t share your password with others, and don’t leave your devices unattended.

Never, ever, connect your phone or device to charging stations in public places or to a rental vehicle via USB cables. Studies have shown that in some cases, data is collected within rental car computers and in charging stations and malware can be implanted on the connected device. If you must charge, use power plugs or cigarette lighter chargers and never directly connect a USB cable to a hub. The only exception is if you buy a USB cable that has had the data wire removed or use a data blocking device in line like this one.

Password Manager

I have already mentioned in my second blog post what the dangers are of reusing the same password for everything, but it is impossible to remember multiple passwords. I have a few recommendations when it comes to passwords and it involves another risk-based decision. For instance, if you have enabled MFA on your accounts, then you have greatly reduced the risk of unauthorized access, so the complexity of your passwords is not as important as it would be if you didn’t have MFA (the convenience – security balance). Even reusing passwords on accounts with MFA is more tolerable because the one time password (OTP) used with your app or text message provides the extra security.

For me, I use a password manager to maintain all of my passwords. I don’t like having my browser save my passwords because if my system or browser is compromised, those passwords will most likely get stolen. I also don’t trust cloud password managers because if the cloud provider is compromised, my passwords may also be compromised (this has happened).

I recommend standalone databases that are installed on your system and encrypted themselves. I like KeePass and a lot of security research has been done on this program. It uses excellent encryption and you can place the database in a shared location if you want (such as a home network attached storage (NAS) device) and it is usable on mobile devices. It’s not stored in the cloud and allows you to maintain usernames, URLs, passwords, and other secure notes. It also has a password generator, which allows you to create very complex passwords immediately.

I actually do not know most passwords to websites, I use KeePass to generate hugely complex passwords for sites that don’t utilize MFA and just store them within KeePass. If I need to access the site I copy/paste the complex password into the browser and never see it.

Make sure you are using PINs, fingerprints, or complex passwords to access your mobile devices. There are pros and cons to using different methods, but make sure you are at least using something and preferably more than just a four-digit PIN.

Patch, Patch, Patch

Make sure that your Operating System (OS) (i.e., Windows, Mac OS X, iOS, Android, Linux) is setup to automatically download and install updates. Frequent patching is one of the best ways to prevent cyberattacks that leverage known vulnerabilities. In addition to patching the OS, make sure to patch all other third party software installed on your devices. This is relatively simple with iPhones for example because it will automatically update the OS as well as apps installed on the device.

This becomes more complex with computers because although the OS may update, other software like Java, Adobe, Office, Chrome, Firefox, etc. usually don’t. Mac is generally better at third party app management than Windows, but Windows is getting there with Windows 10. There are apps available to help keep your Windows third party software updated, look at https://ninite.com/ for example.

Install and Maintain Security Software

Just as malware has come a long way, so has security software. Today’s (good) security software really does a lot more than the old antivirus software (hence calling it security software instead of just antivirus). Because of the sharing of common information and malware, the market for specialized security software is much different than it used to be and in fact many great products are completely free. Windows Defender for example is actually a decent security software tool and built in to Windows. The nice thing about Defender is that it updates as Windows updates and you don’t have to worry about an incompatibility with your security software anytime you upgrade your OS (used to be a common issue).

Although there are many myths around Macs being more secure than Windows computers, they face many of the same vulnerabilities as PCs. The difference really is that because Windows systems has the greatest market share and are more common in businesses, most malware is written and directed at PCs. There is plenty of Mac malware though and running a Mac without security software is no longer an option.

There is a mix of commercial and open source security software tools available and they range in price from free to an annual subscription of around $50 to $60. Ideally, look for a software that provides anti-malware, firewall, intrusion prevention, web protection, and crypto-attack detection. Here are a few examples of security software tools I would consider (these are my own personal opinions and I’m not endorsing any particular vendor, but have personal knowledge of the tools below).

If you really want to compare different security software vendors, check out this site.

Use Encryption

Encryption has come a very long way and is now built-in to devices and free to use. Encryption essentially scrambles the data on your device and without the key (a password in most cases) the data cannot be descrambled and read. Any Windows device and especially those that travel like tablets and laptops should be encrypted with BitLocker. Don’t discount your home computers though, because if they are stolen in a burglary you don’t want your data in the hands of someone else.

For Mac computers, use the built-in FileVault 2 encryption option. I would caution against having the key stored within Apple’s cloud though. Apple offers to store the key online as a backup (because if you forget your password, you will never get to your data), but this creates a vulnerability. Another option is to take a screenshot of the emergency backup key, print it, and maintain it somewhere like a safe deposit box (same is true for BitLocker and storing the key with Microsoft).

While no one wants a device stolen, if your device is stolen and you have ensured that it is always password protected (including auto-locking after 15 minutes of no use) and it is encrypted, you can rest assured no one will be looking through your data.

Maintain Backups

There are two primary reasons to have backups; one is for the accidental file deletion that you need to restore, and the other is for full disaster recovery. Backup software has also come a long way and both Windows 10 and Mac OS X have built-in backup solutions. My recommendation is to always have frequent incremental backups occurring at least once a day, if not hourly. These backups can be to a connected drive (such as a USB hard drive), or wirelessly to a device like a NAS. Windows and Macs both carve out a portion of the system’s hard drive for incremental backups too, for those times when something is accidentally deleted and just needs to be recovered immediately.

For disaster recovery though, I recommend having a completely separate portable hard drive that you do full backups on. You must decide how frequently you want these backups done (weekly, monthly, quarterly, etc.) and the question you must ask yourself is how much data are you willing to lose if something happens (this is called the Recovery Point Objective in IT-speak). For example, if I decide to do full backups monthly, am I willing to potentially lose a month’s worth of work, photos, etc. if my computer was stolen or destroyed? Remember that the disaster recovery disk is for those situations where you cannot access the original computer for some reason like a fire, flood, or theft. You may also do ad-hoc backups if you just completed some important work and you don’t want to wait until the next month to backup. Just put a recurring appointment on your calendar for full backups and make sure to stick with it.

There are two very important items to remember with your backups. First, the backup disk must also be encrypted. If your backup data is unencrypted and your home is burglarized, the criminals will just get your data off of the backup drive instead of the computer. Both Mac and Windows will allow you to encrypt external drives with FileVault 2 or BitLocker, respectively. Or, you can purchase hardware encrypted drives, such as an Aegis drive (https://www.apricorn.com/).

Second, the disaster recovery backup needs to be stored offsite. Local backup drives are for convenience, but disaster recovery backups are used in the event the original data or system is unavailable. If your disaster recovery drive and computer are in the same place and they are both destroyed, you are completely out of luck. Some people may store an encrypted hard drive at their office, at a friend or family member’s home, in a safe deposit box, or somewhere else they have access to.

Some people may choose to back up to the cloud, which is certainly more convenient but may be less secure. There are ways to encrypt data within the cloud so only you can access it, but this takes additional steps and some advanced knowledge.

Do Not Ignore or Disable Security Settings

Read security warnings that pop up and don’t disable security settings are that designed to keep you safe. For example, automatic software downloads and installation, or user access control (UAC) may be frustrating, but they are extremely important. Also make sure your computer’s built-in firewall is turned on. Windows 10 and Mac OS X both have good firewalls.

Never Use an Administrative Account for Normal Use

This is called the rule of least privilege. Always use the least privileges on a computer necessary to do your work. Your computer should have at least two accounts on it and every user should have their own account (especially kids). One is a full administrator account that you can use to change settings, install software, do maintenance, etc. This admin account should have a password that is unique and hard to guess and should never be used for normal tasks such as web surfing or checking email. If a computer is attacked while logged in as the admin, the likelihood of malware being able to execute and install is much greater. The subsequent accounts should be normal user accounts and not have admin privileges. This is where you conduct the majority of your work such as email, web surfing, etc. If you need to install something under your normal account, you will be prompted to temporarily provide your admin username and password. This is good, as it causes you to think and make sure what is being done is something you requested and not malicious.

To make sure I am never logged in to the wrong account, I make the desktop background of my admin account a bright red solid color. Then, just by looking at my desktop, I know that I should not be doing anything online.


About The Author:

Josh Moulin serves as a trusted advisor to federal government IT and cybersecurity executives. Previously, Moulin was the Chief Information Officer for the Nevada National Security Site, part of the U.S. Department of Energy’s Nuclear Weapons Complex and before that spent 11 years in law enforcement including 7 years as the commander of a cybercrimes task force.

Moulin has a Master’s Degree in Information Security and Assurance and has over a dozen certifications in law enforcement, digital forensics, and cybersecurity including as a Certified Ethical Hacker. For more information, visit JoshMoulin.com or connect with him on LinkedIn or Twitter.


L.A. Sartor

If you love stories filled with suspense, adventure, fighting against all odds and winning love, then please click here to visit the website of author L.A. Sartor. You’ll be glad you did!

The following was originally posted to the blog site of author L.A. Sartor. She and Josh were kind enough to allow me to share this extremely cool bit of knowledge with you. By the way, many of you will remember Josh from his wonderful cybercrime presentations at the Writers’ Police Academy, and from his fascinating articles here on The Graveyard Shift.

So, without further ado, I’ll ask L.A. Sartor to introduce today’s guest blogger …

Author L.A. Sartor


I’m incredibly honored that Josh Moulin, who was my cyber expert for 
Forever Yours This New Year’s Night, responded with a “yes” when I asked him to do a series on what is a cyberattack, how to recognize them, and how to protect yourself.

Take it away, Josh.


Cyberattacks and data breaches are unfortunately commonplace in the daily news cycle. Many of us have had our personal, healthcare, and financial data breached so much that we are used to receiving letters notifying us of unauthorized disclosures or getting signed up for yet another credit monitoring service. Cybercrime is out of control and the most infuriating part is that most of the attacks are not sophisticated or require an expert hacker. Indeed, most of the successful attacks use the same modus operandi that they have for a decade.

The fact that the majority of attacks are not sophisticated is as troublesome as it is helpful. Since we know what most attackers do, it makes the identification and prevention of these attacks easier. Individuals and small to medium businesses often assume (incorrectly) that if the United States Federal Government or massive corporations such as Home Depot, Anthem, Yahoo!, Target, and Equifax, who spend millions of dollars each year in cybersecurity can’t keep hackers out, then there is no possible way they can defend themselves.

It is true that many cyberattacks are easily preventable and only effective because mistakes have been made which create vulnerabilities. However, it is also true that this world has nation-state military units and sophisticated hackers which target government agencies, universities, corporations, and high-value individuals. When a skilled attacker has set their sights on a victim and has the means, opportunity, and intent to launch a cyberattack against that victim, these attacks may use techniques, tactics, and procedures that are highly complex and extremely difficult to detect. For the purposes of this article, I am not discussing these advanced attacks.

In this first blog post of a three-part series, I am going to focus on the cyberattack kill chain and lay the foundation for how cyberattacks happen. The focus audience of this post is individuals who are trying to protect their personal devices and data from cyberattacks. The next blog post will discuss the most common attacks and how to spot them, and finally I will discuss preventative strategies that people can take including security software, configurations, and backup strategies.

Cyberattack Kill Chain
Each cyberattack goes through a series of steps to accomplish its mission. Depending on the target, mission objectives, and abilities of the attacker this kill chain may happen very quickly or may take months to years to accomplish. Sometimes an attack is to simply disrupt a business competitor or political adversary. Attacks like this are generally carried out through Distributed Denial of Service (DDoS) attacks or website defacement. Other attacks are performed with the intent of gaining intelligence about a competitor or government agency, and yet others are to steal intellectual property, harass someone, or to support a political ideology (hacktivism).

The attack kill chain is comprised of the following steps:
1. The target is defined: This may simply be a target of opportunity (e.g., a person in close proximity to a hacker that has a vulnerable mobile device) or could be targeted due to the person’s position, the value of their data, etc

2. Reconnaissance: The attacker begins to research the target. What information is available via public open source intelligence (OSINT) such as Facebook, LinkedIn, Google, public databases, etc. What IP addresses are assigned to the target, what operating systems do they use, and are there any known vulnerabilities for the target’s Internet connected systems?

3. Weaponization: The attacker develops their weaponized attack, which is generally malware (malicious software) such as a Trojan horse, virus, ransomware, worm, etc. or may utilize a previously unpublished exploit known as a zero-day (0-day). The weapon must be able to exploit a vulnerability, which is what the attacker discovers during the recon stage.

  1. Delivery: The attacker delivers the payload to the victim. This may be done in a variety of ways such as via an email attachment or embedded link (phishing), through a chat session, uploading a file to a server on the Internet, compromising a website and then sending the victim to the compromised website (also called drive-by attacks), or several other methods.5. Exploitation: Once the payload has been delivered, the malicious code must execute to exploit the system. Malicious code can be executed by the attacker, by the system itself, or frequently by a user who clicks something and executes the malware.

    6. Installation: After the vulnerability is exploited the malware is installed on the system. Most attackers want one thing: persistence. They want to get on a system and stay on a system, having the ability to do internal recon now that they are inside the network and laterally move to other systems to stay within the network and spread their attack. Some advanced malware only lives in RAM and never actually “installs” on a hard drive, making post-mortem examinations of systems difficult.

    7. Command & Control: Once the malware is installed it generally opens up the system to receive commands from the attacker (known as Command & Control, or C2). Malware may “phone home” occasionally asking for any new commands from the C2 which may tell the malware to perform functions such as copy and send data from the computer to the attacker’s system, activate the system’s webcam, or any number of other things.

    8. Exfiltration: Generally the main goal, this is the step where the attacker gets access to data and begins sending (exfiltrating) the data from the system to the attacker.

Source ~ Event Tracker

There are several ways to make yourself less susceptible to a cyberattack, such as reducing the attack surface, target hardening, and learning how to identify potentially dangerous situations online or in emails.

A Practical Scenario

An author is putting their finishing touches on their latest work in preparation of sending it off for review. This author is somewhat controversial and critics are anticipating the release of the new book, posting negative comments all across the Internet. A hacker decides to make a statement by attempting to hack this author’s computer and disrupt the author’s ability to publish the book as well as steal a copy of the book before it is released. Step 1, target acquisition is complete.

The hacker begins by finding out as much as possible about the author through social media, Internet posts, interviews, and any other source of OSINT. The hacker is able to determine through social media that the author has a daughter in the fourth grade and because of geotagged photos posted of the author’s daughter, the hacker determines what school the daughter attends. The hacker now downloads the logo of the elementary school as well as an offline copy of the school’s website. Step 2, reconnaissance is complete.

The hacker obtains a variant of ransomware from a hacker website and places the malicious code on a server controlled by the hacker and sitting inside of Amazon Web Services (AWS). The malicious code is just waiting to be downloaded and executed by anyone who visits the server. Step 3, weaponization is complete.

Next, the hacker drafts an email using the same logo, colors, and “look and feel” of the elementary school’s website. The hacker addresses the email to the author’s email address (which was obtained via Google) and sends an email to the author during school hours that there has been an active shooter incident at the school. Included in the email is a link that tells the author to click for further details.

As any parent would, the author clicks the link of the email. When the author clicks the link, they are directed to a webpage that looks exactly like the school’s site. They receive some bothersome pop-up that the don’t read because they are terrified about their child’s safety and just click “ok” to close the window and see what is going on at the school. In reality, when the author clicked the link they navigated to a fake site hosted by the attacker and their computer downloaded the ransomware code. When the code attempted to execute, a pop-up appeared asking for administrative privileges to execute the code. When the author clicked “ok” they just executed the ransomware on their computer. Steps 4, 5, and 6 (delivery, exploitation, and installation) are complete.

The ransomware on the author’s computer begins immediately encrypting data on the hard drive and searches the drive for any .doc or .docx files, compresses them, and exfiltrates them to the attackers C2 server located in AWS. The author has now lost their latest manuscript and cannot access any files on their computer due to the ransomware encryption. Steps 7 and 8 (C2 and exfiltration) are complete.

This scenario is exactly the kind of targeted social engineering attacks that occur on a daily basis and are extremely easy to perpetrate. In future blog posts I will discuss how to recognize attacks and how to harden your systems to try and prevent malicious activity.


About the author:

Josh Moulin serves as a trusted advisor to federal government IT and cybersecurity executives with the world’s leading IT advisory and research firm. Previously, Moulin was the Chief Information Officer for the Nevada National Security Site, part of the U.S. Department of Energy’s Nuclear Weapons Complex and before that spent 11 years in law enforcement including 7 years as the commander of a cybercrimes task force.

Moulin has a Master’s Degree in Information Security and Assurance and has over a dozen certifications in law enforcement, digital forensics, and cybersecurity including as a Certified Ethical Hacker. For more information, visit JoshMoulin.com or connect with him on LinkedIn or Twitter.


L.A. Sartor

If you love stories filled with suspense, adventure, fighting against all odds and winning love, then please click here to visit the website of author L.A. Sartor. You’ll be glad you did!