Quality Plus Consulting - Breakfast Bytes

Felicia King is an internationally recognized CISO and considered to be one of the top network layer security strategists in the U.S. Since launching in 2004 on the WGTD network, her Breakfast Bytes podcast has focused on information security risk management and the issues business leaders need to be aware of to benefit from the challenges others have faced. Learn about the most effective approaches, what you can do to mitigate risk, and how to protect your most valuable assets, your data, and your time.

Listen on:

  • Podbean App
  • Spotify
  • Amazon Music
  • iHeartRadio
  • PlayerFM
  • Samsung

Felicia regularly collaborates with other IT service providers in an advisory capacity and is a significant contributor to international IT service provider strategy and problem resolution forums. Concepts, patterns, and examples covered in Breakfast Bytes come from the decades of experiences of the speakers and guests through their work with hundreds of companies. Statements are not representative of a specific organization. Experienced professionals will recognize that the majority of organizations have very similar challenges.

Visit our primary website https://qpcsecurity.com for more articles and webinars.

Our public knowledge website is https://kb.qpcsecurity.org

Episodes

Tuesday Aug 03, 2021

Location services issues and how they relate to personal physical security
Originally aired 1/3/2020

Tuesday Aug 03, 2021

Email security and cyber risk insurance
Originally aired 10/11/2019

Tuesday Aug 03, 2021

The dark side of smart cities
A clothing line designed to distract the panopticon
Geofencing warrants
Horror stories of hospital IN-security
Originally aired 9/6/2019

Tuesday Aug 03, 2021

Why many IT business decision makers make mistakes
Over 25 years, bar none, the business decision makers who have regular meetings with us are vastly better decision makers. This directly leads to them saving money by not wasting money.
Why bidding out IT jobs often fails

Tuesday Aug 03, 2021

SIM jacking
More AWS data breaches affect hundreds of thousands of people
Hacking using smart light bulbs
IoT bricker
MFA options
https://simjacker.com/
https://www.sciencedaily.com/releases/2019/10/191023075139.htm
Originally aired 11/1/2019

Tuesday Aug 03, 2021

Vehicles and privacy issues
Originally aired 2/1/2020

Tuesday Aug 03, 2021

Wireless security, wireless TCO, 3-2-1 backup strategy, MFA and IP access control strategies
Originally aired 3/6/2020

Tuesday Jul 27, 2021

I read an article authored by two IT people where the article provided what I felt was a bunch of misinformation about what to do in the event of a cyberattack.
I'm not disclosing here who the authors were or providing a link. Instead I thought the best approach was to provide direct actionable intel on what to do in the event of a cyberattack that counteracts the misinformation in the article.

Saturday Jul 17, 2021

What did you do about the PrintNightmare vulnerability? I describe what we did at QPC Security and for our clients. I also discuss how business owners and executive management can use IT steering committees to make sure that information technology decisions are being made properly and their risks are being mitigated. I often see poor, uninformed decisions being made that lead to massive adverse business financial impacts that were completely avoidable by simply using a decision process that is not flawed.
Listen in to learn more about using good decision-making practices that will protect you from financial ruin.
We regularly save clients hundreds of thousands of dollars by simply having ongoing meetings and preventing missteps.
Gone are the days that executive management can delegate and abdicate. You must be involved, and you must get external advice.
 
Only large enterprises can afford to have industry connection subscriptions such as IANS. This resource is completely inaccessible to SMB. The cost of the annual subscription to something like that is typically in excess of $40,000 per year, but you would then have to employ an extremely skilled internal information security officer to even be able to make use of any of the value of the subscription. This is why those resources are financial unobtanium for SMB. It is critical that SMB have relationships with managed security services providers who have a certified virtual information security officer to manage your account.
Think You Could Have Prevented The Impact Of The PrintNightmare Attack? – Think Again | QPC Security

Friday Jul 02, 2021

I discuss converting the hearsay from some reported incidents into tangible, actionable intelligence. A ransomware remediator initially reported some really high level unusable data. I pushed for more details, and got them, but immense questions remained.
I help you understand what you can do from a process and systems perspective in order to have provable, attestable, non-tamperable proof about the status of your systems. And I am including a list of questions below for you to ask your cybersecurity insurance provider.
 
Scenario:
Customer of IT service provider has their own insurance policy.
They get a business email compromise event. Insurer for the customer denies the claim on the basis that the IT service provider (MSP) was not using an email security service that was known to the security expert of the insurer. Further investigation reveals that the MSP was providing their own EDR service with hundreds of whitelists in place. (Whitelists are exceptions to security scanning, which is an extremely bad practice.)
The security expert for the insurer effectively claimed that the BEC occurred because they did not know who the email security service provider was, and they concluded that the EDR/EPP could not have been effective because the software was not known to them.
The distillation is that the product could not have possibly had security efficacy if it was unknown to the security expert.
 
There was no discussion about provable, non-tamperable, attestable configuration proof. It was around how that security product was not on Gartner and Forrester reports; the security expert thought that the IT service provider should not have been using that tool. So they claimed that due care was not exercised and the claim was denied.
I find this quite suspect because the insurance company in question was insuring the customer of the MSP, yet the insurance company required no attestable proof of efficacy of security solution prior to issuing a policy. Nor did the insurance company require an assessment prior to issuance of a policy. 
 
The additional outcome of that was that the security expert for the insurer claimed that the IT service provider was asked how they validated their claim that the product was effective when it supposedly had no industry vetting. Industry vetting in this context simply means that the software/hardware company has engaged in a pay to play evaluation scheme known as Gartner and Forrester. 
Simply buying a product that has been rated in a pay to play scheme as effective has no bearing on its configuration in a particular environment or context. NONE. Therefore, it should not be of any bearing in an evaluation of coverage. If the facts of this case as reported on a forum were true, then the insurance company sure needs to get its act together and require attestable proof of configuration efficacy before issuing a policy.
 
The BEC customer is then suing the MSP (IT service provider).
 
Some of the data we do not have is the content of the contract for service between the MSP and their customer.
I also do not know what security coverage the customer declined but that the MSP offered.
We do not know what other security measures were or were not involved.
We do not know if the customer was offered phishing testing and cybersecurity awareness training and then declined it. Ultimately, it was the action of one of the users at the customer's site that caused the BEC and ransomware incident to occur. Negligence or responsibility is not knowable to us based upon the limited information.
However, I think we can all agree that all parties involved would have been much better off if a viable ongoing configuration validation testing system would have been in place.
 
Let's ask some questions of the insurance providers.
In the mind of the security expert for the insurer, what qualifies as “industry vetting”?
What evaluation criteria are being used to determine if it is a covered event or not?
What criteria do they have for software and hardware vendor selection by IT service providers?
What configuration attestation do they require?
 
What constitutes an incident that the insurer is comfortable with the IT service provider responding to, versus what they deem the entire environment must be put in stasis for?
If this BEC scenario occurs and causes ransomware on endpoints, for example, what is the procedure that the insurer requires?
 
I have heard that the insurer requires that the IT services company do nothing. The covered party is supposed to call the insurer and then the insurer will send their incident response team.
How long will that take? Is the internet connection supposed to stay on the entire time?
When can a recovery from backups process start?
 
If the insurer requires systems be frozen in time and that no one touch them, does the covered party have to acquire all new computer equipment and start the recovery process to their new computer equipment because the insurer will not allow them to touch their current equipment?
If the insurer’s incident response team takes a week to get there and another week to do their analysis, this is at least two weeks where recovery cannot even start.
For most businesses, this would mean that they are out of business if they cannot conduct business for two weeks, but more likely four because of the time needed for recovery.
 
What pre-planning does the insurer want the covered party to do in terms of incident response planning with the insurer?
What reports or attestation of state of what assets does the insurer want?
Does the insurer require 365 days of log data from all assets and will that need to be made available to the incident response team?
Where can this data be stored assuming that the on-device storage is contaminated by the breach?
 
And finally:
What certification or credentialization on the part of the staff at the IT service provider is the insurance company going to presume is adequate for them to be considered experts in the stated technology or security strategies?

Thursday Jun 03, 2021

Watch this excellent video: The Last Inch – Solari Report
 
Hyper Precise location services
Verizon unveils Hyper Precise Location service in more than 100 markets | VentureBeat
 
Apple iPhone is constantly taking pictures of you if you use face unlock
Apple Tech is Constantly Spying on You (renegadetribune.com)
 
Good reference article on the Colonial Pipeline attack
From Fuel Shortages to Gas Hikes: How the Colonial Pipeline Co. Fell Victim to a Ransomware Attack? | SOCRadar® Cyber Intelligence Inc.
 
CHD Sues FCC to Stop New Rule That Could Lead to ‘Wireless Wild West’ • Children's Health Defense (childrenshealthdefense.org)
 
CHD 5G and Wireless Harms Project Team • Children's Health Defense (childrenshealthdefense.org)

Friday May 28, 2021

Exposed Colonial Pipeline

Barb Paluszkiewicz Chief Executive Officer of CDN Technologies and Felicia King of Quality Plus Consulting discuss the Colonial pipeline cybersecurity incident.
What would you do if it happened to you?
Lessons learned
Great examples of how to avoid this happening to you
Felicia was a guest on Barb's KNOW Tech Talk podcast. It is posted here also for accessibility.

Friday Apr 30, 2021

Privacy problems with IoT and wearables
Bluetooth
Ransomware guidance from US Treasury
Bluetooth BLUR attacks
https://hexhive.epfl.ch/BLURtooth/
 
Bluetooth range estimator
https://www.bluetooth.com/learn-about-bluetooth/bluetooth-technology/range/#estimator
 
Treasury (OFAC) warns that ransomware payments may violate sanctions law
https://www.insurancejournal.com/news/national/2020/10/01/584906.htm
 
How to upgrade the technology firmware in your automobile

Friday Apr 30, 2021

School cybersecurity attacks
automated hack strategy

Friday Apr 30, 2021

Zero trust cybersecurity posture concepts
How many agents should be on an endpoint?
Examples of some good products we should use and why
Concepts of the technology security stack

Friday Apr 30, 2021

Overview of the secure endpoint strategy you need to be using for 2021
The CIA you care about – confidentiality, integrity, and availability of the data on and accessed by your technology systems
You need strategies effective at protecting against the efforts of nation state actors and large criminal enterprises
Your bank account, identity, business, and mental health are at stake
What security posture strategy works now?
Who do you partner with, and how do you vet or assess them?
It is not about simply selecting the technology. It is much more about the partner who services you.
Zero-trust posture coupled with the proper services
https://qualityplusconsulting.com/resources/recommendations/306-secure-endpoint-strategy-2021

Friday Apr 30, 2021

Counterparty Risk
SolarWinds hack and how it relates to Dominion voting machines
Juice jacking - don't use public charging stations
Juice jacking: Why you should avoid public phone charging stations (nbcnews.com)
SolarWinds Exposed FTP Credentials Publicly in a Github Repo (ampproject.org)
IoT Cybersecurity improvement act
Text - H.R.1668 - 116th Congress (2019-2020): IoT Cybersecurity Improvement Act of 2020 | Congress.gov | Library of Congress
Trickbot UEFI bios mods
One of the Internet’s most aggressive threats could take UEFI malware mainstream | Ars Technica

Friday Apr 30, 2021

Challenges with having baseline 101 level quality IT services
Beware of outsourced help desks
Items to use to assess your IT services provider
 
 
The most secure help desk outsourcing is no help desk outsourcing.
There are many ways in which help desk outsourcing can create compliance and security violations.
 
How Help Desk Outsourcing Undermines Your Security | IT Pro (itprotoday.com)
 
The user's identity should be validated when they are calling for support. We use a system where end users have support PINs that change and are readable to them and us through a system. That is not the only method of validation.
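Added example, not QPC Security's actual system: one way to implement a rotating support PIN of the kind described above. A per-user secret lives only in the identity or RMM platform; the PIN for the current time window is HMAC-SHA256 over the user ID and a window counter, truncated to six digits (the HOTP truncation from RFC 4226), so the user can read the current PIN from a portal and the technician's tooling can verify it without the secret ever being spoken over the phone. The 10-minute window, the one-window grace period, the user ID and the constructed secret are assumptions for illustration.

```powershell
# Added example (not QPC Security's system): rotating help-desk support PINs.
# Assumptions: 10-minute windows, one previous window accepted as grace,
# per-user secret generated randomly and stored server-side only.

$WindowSeconds = 600

function Get-CurrentWindow {
    # Window counter = floor(unixtime / window length), like TOTP's time step.
    [long][math]::Floor([DateTimeOffset]::UtcNow.ToUnixTimeSeconds() / $WindowSeconds)
}

function Get-SupportPin {
    param([string]$UserId, [byte[]]$Secret, [long]$Window)
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($Secret)
    try {
        # Bind the PIN to both the user and the window so one user's PIN
        # can never be replayed for another user or a later window.
        $msg  = [System.Text.Encoding]::UTF8.GetBytes("$UserId|$Window")
        $hash = $hmac.ComputeHash($msg)
        # RFC 4226 dynamic truncation: low nibble of the last byte selects a 4-byte slice.
        $off  = $hash[$hash.Length - 1] -band 0x0F
        $code = (($hash[$off] -band 0x7F) -shl 24) -bor
                ($hash[$off + 1] -shl 16) -bor
                ($hash[$off + 2] -shl 8)  -bor
                 $hash[$off + 3]
        return ('{0:D6}' -f ($code % 1000000))
    }
    finally { $hmac.Dispose() }
}

function Test-SupportPin {
    param([string]$UserId, [byte[]]$Secret, [string]$Pin)
    $now = Get-CurrentWindow
    # Accept the current window and the previous one so a PIN read out just
    # before rollover still verifies; never accept anything older than that.
    foreach ($w in @($now, $now - 1)) {
        if ((Get-SupportPin -UserId $UserId -Secret $Secret -Window $w) -eq $Pin) { return $true }
    }
    return $false
}

# Demo with a constructed, non-random secret (production: 32 random bytes per user).
$secret = [byte[]](1..32)
$user   = 'jdoe@example.com'
$pin    = Get-SupportPin -UserId $user -Secret $secret -Window (Get-CurrentWindow)
"User reads PIN $pin from the portal; technician verification: $(Test-SupportPin -UserId $user -Secret $secret -Pin $pin)"
"A PIN for a different user verifies as jdoe: $(Test-SupportPin -UserId $user -Secret $secret -Pin (Get-SupportPin -UserId 'other@example.com' -Secret $secret -Window (Get-CurrentWindow)))"
```

The verifier holds the secret and recomputes the PIN; the caller only ever presents six digits, so a technician can confirm identity without a shared password crossing the phone line, and a PIN overheard today is useless in the next window.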
 
How should you be investing in equities? You probably are not an industry insider. You probably cannot run a company like the one you are investing in. You don't have tremendous expertise in risk management for that industry. So how are you to make a decision about what company to invest in?
 
How MSPs are the breach vector for a lot of clients
The BIGGEST issue that creates problems for your business when you utilize any outsourced IT whatsoever is if the service provider's executive management team is not made up of highly experienced and highly trained security personnel.
Businesses owned and operated by sales and marketing people usually end up making decisions using the wrong criteria.
Since you cannot do what they do, you have to trust in the management of that company.
 
Many of these companies have zero ability to assess the efficacy of any security solution or strategy. They use and promote the flavor of the year that they picked up at a conference or that is being talked about in their industry groups and peer accountability groups.
 
There are tons of IT service providers that say that in order for them to scale, they have to use large help desks of 60 - 200 people or more that end up having administrative access to things in your environment.
 
Questions for the technology service provider
What type of technology do you use?
Will the same be used to support my company?
How will you manage my current infrastructure?
How will integrations with legacy systems be managed?
Do you use subcontractors?

Friday Apr 30, 2021

Evaluating counterparty risk
How supply chain attacks can be defeated
What is a realistic cost for incident response?

Wednesday Mar 31, 2021

Exchange HAFNIUM attack
Pretty much every internet-accessible Exchange server on the planet that had no protections in front of it got hacked
Anything that does not have MFA protections in 2021 is going to be hacked, especially if it is accessible from the internet
Not having MDR and THIS with zero trust posture is just not acceptable. Yes, this increases the cost substantially, but what is your alternative?
It is possible to proxy the traffic ingressing to the Exchange server and inspect it for IPS signatures
Fireboxes Detect HAFNIUM Attacks in the Wild | Secplicity - Security Simplified
It is also possible to put a web portal in front of the Exchange server that must be accessed with MFA before it is possible to use the services there.
Reverse Proxy for the Access Portal (watchguard.com)
 
Patching properly and thoroughly is an art form
Getting updates deployed for an operating system requires quite a bit of technique and multiple layers with validation
How thorough is your third party patch catalog and platform?
Are you looking for EOL or deprecated software?
Are you cataloging what business software is dependent on deprecated junk and what are you doing about getting rid of it?
How frequently are the physical machines being patched for firmware, drivers, BIOS?
Do you have mechanisms to update PowerShell?
Are you auditing and restricting WMI and PowerShell?
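Added example, not QPC Security's tooling: a read-only audit script that answers the last two questions on the list above for one Windows host. It reports the PowerShell engine version, whether the legacy v2 engine (a logging and AMSI bypass) is still installed, whether script block, module and transcription logging policies are set, whether the session runs in Constrained Language Mode, whether any WMI permanent event subscriptions exist (a classic persistence mechanism), and whether the WMI-Activity operational log is enabled. It assumes Windows 10/11 or Server 2016+ and that policy is applied through the standard HKLM Policies keys; run it elevated.

```powershell
# Added example (not QPC Security's tooling): audit PowerShell/WMI hardening on one host.
# Assumptions: Windows 10/11 or Server 2016+, elevated session, policy in HKLM Policies keys.

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Check, [bool]$Ok, [string]$Detail) {
    $status = if ($Ok) { 'OK' } else { 'FIX' }
    $findings.Add([pscustomobject]@{ Check = $Check; Status = $status; Detail = $Detail })
}

# 1. Engine version: below 5.1 there is no script block logging and no AMSI integration.
$ver = $PSVersionTable.PSVersion
$modern = ($ver.Major -gt 5) -or ($ver.Major -eq 5 -and $ver.Minor -ge 1)
Add-Finding 'PowerShell engine version >= 5.1' $modern "Running $ver"

# 2. Legacy v2 engine: 'powershell -version 2' downgrades past logging and AMSI.
#    (On Windows Server use Get-WindowsFeature PowerShell-V2 instead.)
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
if ($v2) { Add-Finding 'PowerShell v2 engine removed' ($v2.State -ne 'Enabled') "Feature state: $($v2.State)" }

# 3. Logging policies that feed the Microsoft-Windows-PowerShell/Operational log and transcripts.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$logChecks = @(
    @{ Name = 'Script block logging'; Key = "$policy\ScriptBlockLogging"; Value = 'EnableScriptBlockLogging' },
    @{ Name = 'Module logging';       Key = "$policy\ModuleLogging";      Value = 'EnableModuleLogging' },
    @{ Name = 'Transcription';        Key = "$policy\Transcription";      Value = 'EnableTranscripting' }
)
foreach ($c in $logChecks) {
    $v = (Get-ItemProperty -Path $c.Key -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    $shown = if ($null -eq $v) { '<not set>' } else { $v }
    Add-Finding $c.Name ($v -eq 1) "$($c.Value) = $shown"
}

# 4. Constrained Language Mode (enforced by AppLocker/WDAC) limits what an attacker's script can do.
$mode = $ExecutionContext.SessionState.LanguageMode
Add-Finding 'Constrained Language Mode' ($mode -eq 'ConstrainedLanguage') "LanguageMode: $mode"

# 5. WMI permanent event subscriptions: filter -> consumer bindings that survive reboots.
$bindings = @(Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)
Add-Finding 'No WMI permanent event subscriptions' ($bindings.Count -eq 0) "$($bindings.Count) binding(s) found"
foreach ($b in $bindings) { Write-Output "  binding: $($b.Filter) -> $($b.Consumer)" }

# 6. WMI-Activity operational log: without it, remote WMI execution leaves no local trace.
$wmiLog = Get-WinEvent -ListLog 'Microsoft-Windows-WMI-Activity/Operational' -ErrorAction SilentlyContinue
Add-Finding 'WMI-Activity operational log enabled' ([bool]($wmiLog -and $wmiLog.IsEnabled)) "IsEnabled: $($wmiLog.IsEnabled)"

$findings | Format-Table -AutoSize
```

Every row marked FIX maps to a policy or feature change; the script changes nothing itself, so it is safe to run from an RMM across a fleet and diff the output over time.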
 
Ubiquiti - multiple significant security fails
Ubiquitous for all the Wrong Reasons | Secplicity - Security Simplified

Copyright QPC Security All rights reserved.
