SWAT Assessment for Cybersecurity

by Albert E. Whale, CEH CHS CISA CISSP
Founder & CEO

Attacks are running full speed ahead

Everyday new attacks are reported in organizations of various sizes.  Some of the attacks are recent, most are attacks that occurred months earlier, and are just recently being discovered.  What makes these events so difficult to discover?  There are several reasons that these attacks are undiscovered.  Most of these are focused on existing People, Process and Technology (PPT).  Even though the intent is to secure the organization, there are several faults in utilizing the existing strategy.

What we have discovered, is that PPT Service offerings are exclusively focused on known attacks and threats.  This excludes the unknown activities, and the existing exploits that have been successful already.  There are other reasons why many tools do not identify, because they are focused on the Static Network[1]. This is great but misses opportunities which are present when the employees are using the network.

The static review essentially reviews the exposed tip of the iceberg.  This is only 10% of the iceberg, the other 90% of the environment is not reviewed.  This includes the use of Third Party Vendors and their Applications (think SolarWinds breach), active users (current attacks of the environment from the Internet), as well as attacks from personal devices[2]. 

Can you see now why Firewalls and Virus Scanners are not effective?

While the use of SIEMs improve coverage, they require the configuration of events.  SIEMs only discover the activities after the event has already occurred. Both the lack of configured events, and backlog of manual review lead to more activities going undiscovered.

With 90% of the environment not being reviewed, it’s clear why attacks are not detected for months later (if at all).

SWAT – Secret Weaknesses in Applications & Technology

The SWAT Analysis is our Proprietary assessment for businesses, which identifies the cyber secret faults which are left undetected by today’s security tools.  Think about it, all of the testing tools are focused upon the CWE and CWE rankings for information. Their detection is solely based on understanding what has already been detected.  That leaves a huge gap in understanding what is occurring within the environment. Our SWAT Analysis is based on several attack strategies, as well as the NIST Zero Trust Architecture. We take into account all of your current activities, including the Third Party Vendors, the activities of the Users, and the personal devices in your environment.  This is totally different than existing testing activities, and better yet, it fully automated to support your organization’s needs.

I want to get started with the SWAT Analysis – Please contact me

Taking it to the next level

Everyone thinks that they are secure until they are proven! There are so many hacks in the news lately, the Colonial Pipeline (Ransomware – $5M), US Insurer – CAN Financial (lost – $40 Million), Ubiquiti, Parler, Experian^[1], Microsoft Build Engine^[2] and Many more.

^[1] I was recently interviewed by CSOnline.com – https://www.linkedin.com/posts/albertwhale_how-api-attacks-work-and-how-to-identify-activity-6801611480853807104-2JKr

^[2] Hackers use Microsoft Build Engine to Deliver Malware Filelessly – https://thehackernews.com/2021/05/hackers-using-microsoft-build-engine-to.html

We are confident our SWAT Assessment will find activities.  Here is an assessment we performed on a WiFi Network.  

The point of the video is that the network was considered secure, before the SWAT Analysis.  The video shows that traffic of Laptops, Personal devices and other equipment on the WiFi have compromised activities during the review period.  With the amount of activity taking place, it appears that a significant amount of malicious activity exists in and out of the network. 

Everyone understands that there is no need for 46 countries to be active inside their network.  If you don’t know who is already inside, how can you develop a protection plan to support your business?

Tell me about ITS Safe^TM – set up a 10 minute call.

Seeing the activity inside

The SWAT Analysis examines the network traffic, the configuration of the devices, and assesses the security of the environment.  The SWAT analysis tests the use of the network with activity.  This analyzes the active devices, and their security as well.  In the case of WiFi we easily identified the infected devices that were connected to the environment and permitted to communicate with the organization.

The traffic we discovered did not trigger any sensors or activities with the security tools already in place.  This is further outlined in recent blog posts

• You are not alone
• 5 Reasons that your business is at serious risk
• Ransomware is costing Millions per day.

Why do you need a SWAT Analysis?

Everyday new exploits are detected in the equipment we use which were not previously identified.  Additionally, more manufacturers are connecting back to their organizations from the equipment you are installing inside your networks.  Imagine the equipment inside your network offering a backdoor into your environment.  That includes connections inside and outside of the continental USA.  Every time we discover connections to outside locations, we are informed that they were not authorized, and also not identified.  Imagine the equipment that you have providing a back-door connection to China.  Is that what you wanted?

I developed the SWAT Analysis to uncover the activities which go undetected inside networks every day.  Some of these include:

• Misconfigured security controls
• Obsolete communication protocols
• Deprecated encryption technology
• Malware activity undetected in the network
• Identify the origin of the breach
• Abuse of existing Protocols
• Use of protocols for other activities
• Connecting to malicious DNS
• Requesting your IP Address for access
• Connecting to Malicious websites
• Unauthorized backdoor connections to external sites

Just to name a few.  We look at how the Network reacts with activity from within.  This is totally a different perspective.

Next Steps

We have seen all Organizations at risk.  Mature organizations as well as new organizations have opportunities for malicious activities which are not normally discovered, until it is too late. Failure to detect the unwanted activities costs organizations Millions[5] at that time.

What can organizations do?

• Backups will recover data to a certain extent,
  • but they will also include the problems which the tools you are using cannot see
• Testing with the same tools will lead to the same results
• Insurance does not fix the problem; in fact, it gives the organization a false sense of security
  • Insurance does not fix the security problem
  • Insurance does not pay to fix the security issues which caused the attack
• Wait for the Breach to occur, and then pay the ransom
  • Fixing the problem may take from 6 to 18 months

SecOps

SecOps stands for Security Operations.  Security Operations sole purpose is to increase the operational security within an organization.  It does this by assuring that operational changes are implemented as soon as there is a change in the environment.  This completely trumps the Annual Scanning of the network, because operational changes are made almost every week, traditionally known as patch Tuesday.

If your organization is running Logfile analysis to see things that have already occurred, then you need our SWAT Analysis combined with the power of continuous monitoring to get ahead of the attackers.  Logfile analysis takes activities which have occurred within the network and recorded it.  This is a historical record of events that were successful[6].  With ITS Safe we can deploy the basis for Zero Trust in your environment and utilize the ability of Machine Speed to intercept and block malicious activities, BEFORE they can complete.

Let’s get started! –  Contact me

IT Security Solutions recommends at least an annual Security assessment to determine the security posture and formal detection of internal activities. While this is the minimum recommendation, even doing the Minimum does not detect the activities as well as our continuous monitoring solutions for our clients.

IT Security Solutions, Inc. is a Pittsburgh based technology company with 25+ years of cyber security domain expertise catering to businesses of all sizes. The solutions offered range from technology security audits and penetration testing to continuous network scanning. The company recently launched ITS Safe™, a proprietary managed security solution that blocks hackers from attacking networks – the largest IT security threat facing businesses today.

Contact IT Security Solutions to discuss how a SWAT Analysis will benefit your company today.

www.IT-Security-Solutions.com w www.ITS-Safe.com

412-889-6870 – info@IT-Security-Solutions.com

[1] The Static Network is the network without any users active already.

[2] Personal devices normally have less security, and are either being used outside of the office, or connected to equipment in the office network (WiFi).

[3] I was recently interviewed by CSOnline.com – https://www.linkedin.com/posts/albertwhale_how-api-attacks-work-and-how-to-identify-activity-6801611480853807104-2JKr

[4] Hackers use Microsoft Build Engine to Deliver Malware Filelessly – https://thehackernews.com/2021/05/hackers-using-microsoft-build-engine-to.html

[5] In many cases the business closes from the weight of the breach, fines, ransom and loss of revenue.

[6] This is the reactive approach for cybersecurity, let it happen, then try to fix it.  Whereas, ITS Safe takes a proactive approach to blocking the unwanted activity, and not permitting it to occur.

Ransomware is costing Millions of dollars per day.

Written by 

Albert E. Whale, CEH CHS CISA CISSP BSEE
May 9, 2021

Ransomware is costing Millions of dollars per day. Maybe you think that I’m exaggerating, I’m not. The cost in the Healthcare industry alone in 2020 was over $21 Billion, that’s only in Healthcare.  What happens to your business after the Ransomware breach?  Your costs go up, people lose their jobs, and your clients seek other businesses to deal with, right?

Recently ‘Hackers Exploit SonicWall Zero-Day Bug in FiveHands Ransomware Attacks’

You’ve probably seen Disaster Girl before, haven’t you?

IT Security Solutions has reported issues with many different Routers, Wireless Access Points, and other devices inside the networks.  This is the big problem because traditional tools are unable to discover the Built in Malware, the Configurations deployed, or any number of other factors.  

What are you doing to protect your business environment?  If your plan is the Legacy Firewall or Virus Scanners on the end points, then you are only looking for tomorrow’s attack.  

What happened yesterday?  Did you or your staff report issues inside the environment which may be the start to Ransomware?  I’m guessing, probably not.  Please don’t expect the SIEM that you invested in to identify the security issues either.  These devices are typically programmed from internal teams, and they don’t have 100% coverage on the logfiles they are reviewing.  

At best, they can tell you about the activities which already occurred, they stopped nothing.  Is that the plan?  Review the logs to determine what could have happened?  In the meantime, the average breach costs approximately $4 Million dollars, takes MONTHS to identify and 6 to 18 months to fix.  Can your business hold its breath for that long?  Can our Country hold its breath?

Recently the Colonial Pipeline breach force the shutdown of country’s Oil, Gas & Diesel distribution network.  

Cyberattacks Against U.S. Infrastructure Are ‘Here To Stay’ After 100-Gigabyte Colonial Pipeline Hack, Biden Official Warns – forbes.com

I’ll bet you thought that your backups would protect your business.

No Timeline for Massive Oil Pipeline Restart Has Traders Worried – Bloomberg.com

Hot Backups are not the answer.  If they were, Ransomware would not be as effective as it already is.  These issues outline serious cybersecurity matters in our businesses and our National Critical Infrastructure.  If we continue to the same thing over and over again, we will continue to have the same results.

If your business hasn’t changed the strategy for your organization, we can help.  Today can be the first day, for your organization’s stability.  Let us have a conversation together and develop the strategy that will work for you.

IT Security Solutions recommends at least an annual Security assessment to determine the security posture and formal detection of internal activities.  While this is the minimum recommendation, even doing the Minimum does not detect the activities as well as out continuous monitoring solutions for our clients.

IT Security Solutions, Inc. is a Pittsburgh based technology company with 25+ years of cyber security domain expertise catering to businesses of all sizes. The solutions offered range from technology security audits and penetration testing to continuous network scanning. The company recently launched ITS Safe™, a proprietary managed security solution that blocks hackers from attacking networks – the largest IT security threat facing businesses today.

Contact IT Security Solutions to discuss how a paradigm shift will benefit your company today.

www.IT-Security-Solutions.com  www.ITS-Safe.com

412-889-6870  

info@IT-Security-Solutions.com

What you may have inside your Businesses

Here are just a few of the situations IT Security Solutions has encountered when performing an assessment.

All of the comments are focused on organizations with more than 2 computers in their network, a Firewall and Virus protection on each computer.  If this describes your organization, then your business could be at serious risk

1. If your organization has ever had a Virus or Malware in your computer or personal device.  Today’s intruders deliver more than one piece of malware.  In fact each piece of malware also includes the ability to scan your network, and find how many other computers, printers and other devices there as well. 
   
   Also, the malware only resides on your computer as long as it’s needed to update the computer to include a backdoor for the attackers to return.  That means that the chance for a Virus scanner to see the malware on the computer is seriously limited.
   
   More than likely, the Malware succeeds in the attack of your computer, and you will not ever know that your computer was effected, until it’s too late.

• If your office has an internet connection which is used for business activities during the day, what else is permitted?
  
  This about the activities on Social networks like Facebook, Instagram, Snap Chat, here is a list of 65+ Social Networking Sites –
  
  https://makeawebsitehub.com/social-media-sites/
  
  

Attackers exploit the distribution of Social Media channels to connect and control tens of thousands daily. To the intruders, this is like shooting fish in a barrel.

• If your organization uses a generous work policy, that includes any of the following.  Remote Access, Remote Offices, Laptops which are permitted outside of the office, remote workers.
  
  Each of these are issues which require additional care and security needs.  All of them introduce their own threats into your environment.

The above was written before the Pandemic put all of us in a Work from Home effort.  

Before the Pandemic, there was a definite definition of security protecting the organization. This was how the security of the organization looked. However, the security of organizations evaporated during the Pandemic, see the figure just below.

Even the VPNs that connect back to the Office, bypass the firewall and are permitted directly.  Think about the security at your employees’ homes.  Is there any wonder why the attacks are concentrating now at home?

The part that is missing above is the lack of screening from employees and the use of VPNs.  The VPN is intended to Mask the communications from one endpoint to the other while connecting over the Internet. VPNs do not protect the connection or the business. The Firewalls permit the VPNs to connect internally and do not filter any information. You may expect that the VPN protects your business, but this is not the case.

The VPN permits direct communications to the office and repeats the same situation that was exposed during the Target breach.  The Target breach permitted the infected computer of the HVAC Vendor to get access to the entire network, and the credit card information.  That was a recipe for disaster.

• Does your organization permit personal devices to connect to your network, or have business email on them?  (this could be considered two different issues)
  
  Give this a moment to sink in.  On your personal devices (iPhones, Tablets …), where are the Firewalls or Virus Scanners?  You should realize that these devices do not have one unless you have installed something yourself.  Even if the device has a firewall or scanner on it, what level of protection do you expect that this provides?
  
  
• How long ago was your last Security/Risk Assessment?  These activities are recommended at least annually, and normally within 30 days of making a change to the network.
  
  The important thing to remember here is that the Security Assessment is performed by certified individuals that are interested in protecting your business.  Ultimately you can choose not to perform the assessment, in which case the intruders will be performing the assessment, and they are constantly doing that. 
  
  When the Intruders perform the assessment, you won’t be told the results of the assessment.  You may not be aware of what they have discovered until they want you to.  That’s right, they don’t need to let you know, and you may not know just how much of the company that they have accessed.  Your current tools are not able to detect the intrusion or stop it. 
  
  In fact, today’s security tools can only partially detect the next attack.  Firewalls and Virus Scanners are reported to be only 4% effective.

How many of the above items can you relate to?  Do you have the tools we describe above?  Do you want to prevent the attacks on your computers, or allow the Intruders to continue to have access to your environment?  (prevention is the cure).

Bonus

Your network has likely evolved beyond the initial PCs, and Printers.  Many networks have added WiFi, personal Devices, and many other Internet of Things (IoT) devices which have no protects either.

Our personal devices (cell phones, tablets) are never off of the Internet, and we insure that they have sufficient power at all times.  We are now so dependent on these devices, that we also allow Business Communications on them as well.

This presents the opportunity for attackers to engage in our want for information, as well as the convenience of connecting to everyone (including high value targets), to get the access and information that they are seeking.

The critical problem here is that you cannot stop, what you cannot see.  We have the tools and experience to highlight the unseen activities, and stop the attackers before they can succeed.

_______________________________________

IT Security Solutions, Inc. is a Pittsburgh based technology company with 25+ years of cyber security domain expertise catering to businesses of all sizes. The solutions offered range from technology security audits and penetration testing to continuous network scanning. The company recently launched ITS Safe™, a proprietary managed security solution that blocks hackers from attacking networks – the largest IT security threat facing businesses today.

Year after the year, the Pittsburgh business community recognizes IT Security Solutions, Inc. for their domain expertise and thought leadership in the cyber security space.

Contact IT Security Solutions to discuss how you will benefit by reviewing your security today.

www.IT-Security-Solutions.com  www.ITS-Safe.com

412-889-6870 – info@IT-Security-Solutions.com

ITS Safe™ Security Appliance

Seeing the Unseen

A shift in the security paradigm needs to address the Unseen attacks in the environment. Detecting the Unseen activities in the environment explains why there are so many attacks being reported on a daily basis.  The unseen attacks depend on the ability of the attackers to hide in plain sight.  We will outline several of them here to uncover the unseen activities within almost every network[1].

Figure 1 – Scope of security Testing

The image above describes the current state of Security Tools, Techniques and Practices. While the traditional tools and techniques are all point in time application of practices, we can also classify them as reactionary practices as well. Let’s examine the methods outlined above.

Security Assessments (review of security for a host, a network, software or other asset) are only valid up to the time the report is generated.  As soon as the observer generates the report, the Assessment of the environment ends, and it becomes stale[2].  This is a point in time observation.

Today’s Security Tools look for tomorrow’s attacks. Tools that security researchers and network testing teams all use to assess the activities inside the network are based on testing for Known threats[1], and how the environment will respond to the next attack.  These tools test the environment for detecting known threats[2] on potentially new attacks.

The ITS Safe^TMsecurity appliance is designed to Detect, Defend against, and Destroy Intruders^TM. While other tools and testing activities look for the future state of security in the organization, the ITS Safe appliance examines all activities to uncover and detect unwanted connections that were completed before you began the observation of environment[3].

Everyday around the world, new activities are discovered in new and existing equipment, software, and third parties to organizations.  Firewalls are breached[4], Vendors we use are hacked[5], software we create is breached[6] and app we use on our phones are backdoors for attackers as well[7].

A comprehensive review of the cyber security digs deeper than reviewing the exposed 10-20% of the network, and actually reviews the active network as a comprehensive ecosystem.

IT Security Solutions recommends at least an annual Security assessment to determine the security posture and formal detection of internal activities.

IT Security Solutions, Inc. is a Pittsburgh based technology company with 25+ years of cyber security domain expertise catering to businesses of all sizes. The solutions offered range from technology security audits and penetration testing to continuous network scanning. The company recently launched ITS Safe™, a proprietary managed security solution that blocks hackers from attacking networks – the largest IT security threat facing businesses today.

As you can see there is much more than meets the eye when it concerns the security within your network. Call IT Security Solutions today, and let us help you protect your organization today!

www.IT-Security-Solutions.com – www.ITS-Safe.com

412-889-6870

info@IT-Security-Solutions.com

https://its-safe.it-security-solutions.com/contact-me

[1] Known threats are used in Virus scanners, network scanning, software analysis, and logfile monitoring tools.

[2] Security Tools cannot test for unknown threats because these events are currently not known.

[3] Think of this as reviewing the activities that are already active, that are not detected as tomorrow’s threats, because they are considered as part of the current environment.

[4] https://www.zdnet.com/article/sonicwall-says-it-was-hacked-using-zero-days-in-its-own-products/

[5] https://www.wired.com/story/solarwinds-hack-china-usda/

[6] https://www.nytimes.com/2021/01/06/us/politics/russia-cyber-hack.html

[7] https://www.helpnetsecurity.com/2020/03/06/hackers-target-consumers/

[2] The Security Assessment becomes stale because the users in the network add additional threats from their use of the environment.

[1] Every network we have examined include several of these activities, if not all of them.

The FireEye and Solarwinds breach.

I was drinking my coffee this morning and I read that FireEye was Breached.  What?  I read that a second time.  This time I also found out that their testing tools were also stolen.  This is bad, I thought, because FireEye is used in many industries, but to suffer a Breach and lose your testing tools will certainly compromise their reputation.

How did this happen?

According to FireEye’s website, this came as part of a Global Campaign[1]. More importantly, they are indicating that users of the SolarWinds Orion network monitoring product was the source of the Breach.

The issue here is that they gained access to the internal resources and utilized these resources internally to hide and disguise their activity. They indicated that these activities occurred earlier this year, sometime in the Spring of 2020.

When was the last time your company had a formal security assessment?  How about an assessment for the software you use internally as well?  While you cannot be everywhere all at the same time, mandating security assessments for the vendor tools you use is a good way to delegate.   Don’t forget to have an assessment performed on the network, your design, and security policies and procedures.

Everyone thinks that they have it covered, until they don’t. It’s what they are missing that causes the Breach.

Everyone thinks that they have it covered, until they don’t. It’s what they are missing that causes the Breach.  While we understand that no one wants to be told that they missed something.  

Which is better

• Finding a problem and fixing it before a Breach,
• Announcing it to the world that you’ve had a Breach?

… the cost of a Breach is very costly usually $200k to $3.8M or more.  These are also known as Business ending events.

The cost of a Security Assessment is generally a fixed priced and is easily absorbed by the business.  However, the cost of a Breach is very costly ($200k to $3.8M or more), and it is shared by the business and all of its clients.

Security is our Business

There are many ways to effect change in the organizations.  The most beneficial are the ones that are driven from the top down.  While organizations were built to support the business internally, the advancement of the attackers to gain access to the internal resources has changed the way we need to work on Cybersecurity.

Here are a few quick hits that will move the needle for you more in your favor.

• Make time for a Security Assessment as recommended
• Develop your company’s Policies and Procedures
• Employ a comprehensive monitoring appliance to maintain your company’s security.

As we have seen in the FireEye Breach and other Breaches, the attacks are from the inside – out.  Meaning that they were able to get past the Firewalls, and not get detected by Virus scanners or other current technologies. These tools are all based on their ability to identify new attempts with the current Known threats.  That leaves all of the previously successful Breaches, and attacks using unknown threats exposed.

The ITS Safe^TM security appliance includes out of the box capabilities to start working right away.  ITS Safe is built to Detect, Defend against and Destroy Intruders.  We are shifting organizations from a traditional security approach to continual assurance.

By implementing ITS Safe, the detection of activities inside allows us to eliminate the threats that other tools miss entirely.  Get ITS Safe Today to keep your business safe.

Minimizing the threats of attacks on employees and businesses are the basis for the development of the ITS Safe^TM Managed Security Appliance.  Because attacks can happen anytime, the ITS Safe appliance continually monitors activities inside the network for both Inbound and Outbound traffic.

Sign up today to get a complimentary consultation

https://its-safe.it-security-solutions.com/managed-security-service-for-your-organization

https://IT-Security-Solutions.com –   Contact me now

We are your trusted cyber security partner.

[1] A Global Campaign makes sense because they are all connected to the Internet, and that’s still a Global network, if my memory serves me right.