How important is cyber risk to the board?

In the midst of the craziness of this week I was researching not-for-profit organisations when I discovered an anomaly in their annual reports.

The first report I read had no reference to cyber security, information security, business security or data security. I thought that was a little strange, so I read another.

After downloading and reading 15 not-for-profit organisations’ annual reports from last year, not one of them made any reference to what they were doing to safeguard their clients’, users’ and sponsors’ information.

Even in the executive summary, protecting the assets was not mentioned.

One of the 15 had 3 pages on their IT infrastructure but this only discussed the number of people, servers and offices that were managed by the organisation and how people connected to the information required by staff to do their jobs.

If there is no information about cyber in an annual report, I have some questions:

Is the board room accountable to the shareholders when it comes to cyber?

The buck stops with you, and if you are not taking into account the digital components of your organisation then you have a problem.

How serious is the board about protecting their staff and stakeholders?

If they are not discussing it, or are just giving it lip service, then there is going to be a time when the organisation suffers a cyber event and no one will know what to do.

Business security is all about preparedness. What will happen if this happens? What will the impact be on the organisation in a cyber event?

Has risk management taken into account the unique risks associated with the digital world?

All of the risks in today’s business world have to be addressed.

Of all of the risks that businesses face today, probably 20% are traditional risks. Some of them also have to be looked at with a cyber component. For instance, what happens if you lose power? How are you going to mitigate the impact within the organisation at a digital level?

If risk has not been discussed how safe is the data?

A board not addressing today’s risks at management level shows a profound disrespect for the whole organisation.

A simple error, no matter what it is, can expose the organisation to financial, reputational and personal loss. That loss can be incidental or profound, but if not addressed it will have an impact on the organisation.

Why do they not consider the digital world a risk to the organisation?

A discussion, actually about 4 years ago now, made the point that although everyone knows computers, not everyone understands the fundamentals of how they work.

Taking this attitude, “everyone knows computers”, into the board room will have a detrimental effect on business. It will have a bigger impact because technology is changing. The increased reliance on all things cloud-based, mobile and social means we have to think outside the box. We have to include all of these items in our understanding of the digital world and its impact on our risk analysis.

What has actually been done to safeguard the data under their control?

In most cases, very little.

We often see – “the IT department will handle that!”

That is wrong on so many levels.

Making the organisation safe at a digital level requires a different skill set, business requirement and technology understanding than keeping the lights on and the computers operating.

With all of the Compliance and governance in business, how have they got around doing it?

Delegation of duties, without delegating authority, is a regular occurrence.

Yes, the ICT team will look after that.


Without the authority to make change, there are going to be large areas within the business that no one has focused on.

Compliance and governance are not a tick in the box process.

It is a complete overhaul of business attitude to protect the data that your clients and staff have faith in you protecting.

Break that faith and see what happens to your organisation.

In addition to that, governance and compliance are the realms of the board room; delegating them does not mitigate the risk associated with a cyber event.

Ignoring the impact of a cyber event at the board level has already caused a number of high-visibility board members to resign or, even worse, be fired.

My conclusion

Somewhere we are failing.

The message is wrong, the medium is wrong or the people delivering the message are wrong.

No matter how you slice it, getting people on boards to understand that digital is a thing and protecting data is a thing is very difficult.

There is an old adage, “to get people to invest in disaster recovery burn down the building next door”.

The same applies in business security.

The way to get boards to invest in digital and business security is to have something happen.

Whether organisational or personal, an attack on them will get investment in protecting the organisation.

It is no longer a case of investing in insurance. Today, digital protection is not insurance; it is an investment in your brand, your reputation, your staff and y

Passwords – it’s not about you

password best practice

Everywhere you go in the digital world we all need some sort of password. We all forget that the password to access a website is a way to personally protect your information on that website. The conundrum is, passwords are hard for humans to remember but very easy for computers to break. I have a system that changes that dynamic.

Although two-factor authentication and biometrics are having a significant impact on the way we secure our digital assets (phones, tablets, bank accounts, laptops), there are still millions of websites that do not have that level of security.

We have to make passwords hard for the computers to break.

“One of the hardest things that I have to teach my Australian Defence Force Academy students is that passwords are still the lifeblood of our access to the digital world, we often forget that we have to make them hard so that hackers cannot break them easily, but they have to be easy to remember.” Roger Smith

All passwords have to have the following features:

  • Unique – every website or digital account has to have a separate and different password. There is a very good reason for this!
  • Complex – every password must have a combination of letters, numbers and symbols (a-z, A-Z, 0-9 and punctuation)
  • More than a specific length – all of your passwords have to be longer than 10 characters. It used to be 8, but the increase in computing power over the last 3 years has changed the requirement to 10.
  • Easy to remember – we as humans need to be able to remember them without resorting to writing them down.
  • Passwords cannot contain:
    • Sequences – 1234, abcd, qwerty
    • Places and locations – towns and cities, high school
    • Single dictionary words – any English language word
    • Leetspeak (hacker speak) – substituting 3 for e, 1 for i and the like
    • Significant dates – graduation day, kids’ birthdays

The 5 points above create a quandary. It makes it very difficult for us to create complex, unique passwords that are easy to remember.

There are 2 ways to tackle this problem, a password manager or a system that creates passwords that have all of the right criteria. I have a system that will allow users to create complex and unique passwords that are easy to remember and hard for a computer to break!
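As an added example (not the post’s own system, which it does not describe), here is a small Python checker that applies the rules listed above to a candidate password: length over 10, all four character classes, no sequences, no date-like numbers, no dictionary word even in leetspeak, and no reuse across accounts. The word-list, sequence list and leetspeak table are constructed for the example; a real deployment would load a full dictionary and a breached-password corpus.

```python
import re
import string

# Constructed mini word-list and sequence list for this example; a real checker
# would load a full dictionary plus a breached-password corpus (assumption, not
# something the post specifies).
COMMON_WORDS = {"password", "welcome", "summer", "canberra", "dragon", "monkey", "letmein"}
SEQUENCES = ("1234", "abcd", "qwerty", "asdf")
# Undo the usual leetspeak substitutions so "p@ssw0rd" is judged as "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})
MIN_LEN = 11  # the post's rule: longer than 10 characters


def _has_all_classes(pw):
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw))


def _contains_sequence(pw):
    low = pw.lower()
    return any(seq in low for seq in SEQUENCES)


def _looks_like_date(pw):
    # six to eight consecutive digits (DDMMYY, DDMMYYYY, YYYYMMDD) or a 19xx/20xx year
    return re.search(r"\d{6,8}|(19|20)\d{2}", pw) is not None


def _letters(s):
    return re.sub(r"[^a-z]", "", s.lower())


def _dictionary_word(pw):
    # Compare the password's letters, before and after undoing leetspeak, against
    # the word-list: an exact hit, or a word-list entry the letters start with.
    for cand in (_letters(pw), _letters(pw.translate(LEET))):
        if cand in COMMON_WORDS or any(cand.startswith(w) for w in COMMON_WORDS if len(w) >= 4):
            return True
    return False


def check_password(pw, existing_passwords=frozenset()):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append("shorter than 11 characters")
    if not _has_all_classes(pw):
        problems.append("needs upper, lower, digit and punctuation")
    if _contains_sequence(pw):
        problems.append("contains a keyboard/number sequence")
    if _looks_like_date(pw):
        problems.append("contains a date-like number")
    if _dictionary_word(pw):
        problems.append("is a dictionary word (possibly in leetspeak)")
    if pw in existing_passwords:
        problems.append("reused from another account")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1234", "Summer2019!", "Kettle!Maroon7Orbit"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The uniqueness rule needs state the checker cannot see on its own, so `existing_passwords` is passed in by the caller (for example, from a password manager’s vault); the other rules are judged from the candidate alone.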


Roger Smith is funny, scary, on point and is focused on one thing – increasing everyone’s awareness and understanding of the problems and issues associated with the digital world.

He is the winner of the worldwide 2018 Cybersecurity Educator of the Year award and was Runner up in 2017 .  

He is a highly respected expert in the fields of cybercrime and business security and is a Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity) on Cybercrime, Cybersecurity and the hacking techniques used by the digital criminal.

He is an Amazon #1 selling author on Cybercrime with his best selling book, Cybercrime a clear and present danger, going to number one on Amazon.   

He is the primary presenter for the Business Security Intensive (BSI) and author of the Digital Security Toolbox which is given away for free at the BSI.   He is a speaker, author, teacher and educator on Cybercrime and an expert on how to protect yourself, your staff, your clients and your intellectual property from the digital world.

Too big to fail, what about too small to matter?

The 2008 GFC showed us that when there is a crash, there are certain organisations who are, supposedly,  too big to fail.

Whether or not those organisations understood it at the time, it was touted that their failure would create an economic wasteland the like of which the world had never seen before in the whole of human history.

In 2008, this problem was delivered to the world by Governments in spades.

All well and good.   The world survived but the actual business landscape has significantly changed since it happened.

Changed in some areas and not at all in others.

Too big to fail is still touted by governments and industry leaders but there has been a significant change in the working man’s thoughts.

Small and medium business have come to the fore!

The implementation and management of multinational digital organisations and systems have made SMEs competitive.

Platforms that allow SMEs to compete on an even playing field are everywhere.

Cloud-based systems, social media targeting and the fact that all of our prospects are mobile put everyone in the same game.

The SME’s agility, adaptability and responsiveness, combined with these platforms, make them contestants and champions in the new economic arena.

But with this new found capability comes a lack of understanding of the digital platforms that they are using.   An inability to see the dangers because they are so agile.

So focused on keeping ahead that they do not see other possibilities.

What happens when it goes to custard?

The statistics for SMEs failing are not easy to come across.

When they fail there is little fanfare.

Very few ramifications. The flow-on effect is minimal!

The owners usually declare bankruptcy because they have funnelled everything into the business. A couple of people are out of a job.

When it comes to SMEs, pride has kept them afloat.

The fact that in some cases they have had to beg, borrow and steal to keep the business viable, afloat and thriving in the changing economic environment is indicative of most SMEs, who will do anything and everything to survive.

When the failure is out of the owner’s hands, that is a different issue.

A natural disaster is one way this can happen, another is a cyber event.

A cyber event can happen at any time, any place and to anyone.

The perfect storm.

The perfect storm created by our reliance on the cyber.  Created by our attitude.   You know the ones – we are too small, we have nothing worth stealing and she’ll be right.

When it happens to an SME, there is no “do over”, no “too small to fail”. They are just “out of business”.

SMEs still have the flexibility and adaptability to stay in business, but they now need to create resilience. To be stronger, recoverable and less brittle.

To do that they need to act, in kind, the same way that larger organisations act. They need to have the right policies, processes and procedures in place.

Have the right framework around them to ensure that they are more flexible and better protected than their competition.

A cyber event can range from a slight inconvenience to a profound impact, but no matter what the event, you have to have some way back from the brink.

Business continuity, disaster recovery and business resilience are all components of today’s agile business.

Without them, you are not agile, not resilient.

You are definitely too small to matter!

Doing X things to protect your organisation is not the best cybersecurity strategy.

It is no longer a case of do these ‘X’ number of things and your business, organisation or self will be secure from a cyber event.

We have all seen, read or been told that you need to do this or don’t do that (I even wrote an article recently on just that) to fix your cybersecurity.

This attitude is wrong.

All it does is focus you on the ‘X’ number of things that are considered important, it does not fix the overall problem of digital protection, cybersecurity and protecting the organisation’s data against a cyber event.

Today’s threat market is all about two things:

Risk management

Managing the risk to your organisation is totally dependent on the organisation. Get it wrong, though, and the organisation is open to litigation, compliance and reputation challenges.

It means defining the risk and then mitigating, reducing or ignoring the risk depending on your organisation’s risk posture.

That risk posture has to have a basis in fact. Every organisation is different; therefore every organisation’s risk posture will be different.

“She’ll be right”, “it will never happen to us” and “we have nothing worth stealing” are stupid risk postures and should be avoided at all costs.

Let’s take patching – you cannot implement a patching process if you have not looked at the associated risk of applying, delaying or ignoring a patch to software or operating systems.

Some patches are critical: the risk of leaving them unapplied outweighs the disruption of applying them. These need to be applied immediately.

Other patches could mitigate some risks to a system and can be applied as part of the patch process. We recommend within 15 days.

There are also patches that would have minimal impact on a system. If the system was not patched and it was compromised, an attacker would not get access to critical data. These can be applied based on the organisation’s risk posture.
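An added example, not from the post, that turns the three patch tiers above into an overdue report a small organisation could run weekly. The critical (immediate) and 15-day windows are the post’s; the low-tier window is a parameter because the post leaves it to the organisation’s risk posture, and the 90-day default, the system names and the advisory identifiers are placeholders constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Deadlines from the post: critical patches immediately, other patches within 15 days.
# Low-tier patches follow the organisation's risk posture, so their window is a
# parameter; the 90-day default below is a placeholder for this example.
DEADLINE_DAYS = {"critical": 0, "standard": 15}


@dataclass
class Patch:
    system: str
    advisory: str            # vendor advisory identifier (placeholders below)
    tier: str                # "critical", "standard" or "low"
    released: date
    applied: Optional[date] = None


def due_date(patch: Patch, low_tier_days: int = 90) -> date:
    """Deadline for a patch: release date plus the window for its tier."""
    return patch.released + timedelta(days=DEADLINE_DAYS.get(patch.tier, low_tier_days))


def overdue(patches: List[Patch], today: date, low_tier_days: int = 90) -> List[Tuple[str, str, int]]:
    """(system, advisory, days_late) for unapplied patches past their deadline, worst first."""
    late = []
    for p in patches:
        if p.applied is not None:
            continue  # already done, nothing to chase
        days_late = (today - due_date(p, low_tier_days)).days
        if days_late > 0:
            late.append((p.system, p.advisory, days_late))
    return sorted(late, key=lambda row: row[2], reverse=True)


# Constructed inventory; system names and advisory ids are placeholders, not real advisories.
SAMPLE = [
    Patch("web-01",   "ADV-PLACEHOLDER-1", "critical", date(2024, 3, 1)),
    Patch("file-01",  "ADV-PLACEHOLDER-2", "standard", date(2024, 2, 20)),
    Patch("kiosk-02", "ADV-PLACEHOLDER-3", "standard", date(2024, 3, 1)),
    Patch("lab-03",   "ADV-PLACEHOLDER-4", "low",      date(2024, 1, 1)),
    Patch("mail-01",  "ADV-PLACEHOLDER-5", "critical", date(2024, 3, 1), applied=date(2024, 3, 1)),
]

if __name__ == "__main__":
    for row in overdue(SAMPLE, date(2024, 3, 10)):
        print("%-9s %-18s %d days late" % row)
```

Tightening `low_tier_days` is how a more cautious risk posture shows up in the report: the same inventory produces more overdue rows without any change to the critical or 15-day rules.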

Looking at the overall risk to an organisation will drive the security around that organisation and the underlying risk associated with a breach can be discussed as part of the overall business risk assessment.

Using frameworks

When used correctly, a framework increases the awareness and security around an organisation.

We use NIST, but any framework will do.

A framework allows an organisation to take the blinkers off and focus on the organisation as a whole.

It is a holistic approach to protecting the organisation from a cyber event because it looks at a number of related but often overlooked,  important features of digital and cyber protection.

Each of the components of the framework allows the organisation to implement change in a managed and focused way.

It allows an organisation to improve security, with each change benefiting the organisation.

It is a process, not a knee jerk reaction to the next threat.

Business security is not about implementing a decent firewall, installing end point protection and sitting back because you think you are safe.

Business security is about education, policies and procedures, business continuity, visibility and viability.

This solution cannot be achieved through reaction; it needs to be a proactive process embraced by all members of the organisation.

Cybersecurity and the conference and event industry

I have never thought about having to apply cybersecurity requirements to an environment like a trade show, concert environment or conference / seminar where lots of people come together for a short period of time and you have minimal control over their activities.

Thinking more about it, a high number of transient clientele, as at a trade show, would be a lucrative target for a cyber criminal.

Applying some of the basic principles that make an environment secure, here are some ideas.

I am going to talk about things that I have seen and heard of in the last 2 years.

Some will seem far fetched!

An additional problem is the fact that your attendees will NOT have cyber hygiene as a priority.

Unpatched and outdated systems will be the norm.

This will make compliance with the new GDPR rules a large part of your organisation’s focus.

YOU have to protect your attendees from themselves!

Cybersecurity and protecting your environment is now business critical.

Free WiFi.   

You have to offer free WiFi in today’s world.

To secure WiFi you have to know what can be used to create a cyber issue.

The targets are threefold:

  • access to and theft of unencrypted information,
  • a man-in-the-middle attack, and
  • a duplicate WiFi access point.

If you are thinking of running free WiFi with no encryption, don’t! Any unencrypted information sent over free WiFi can be captured as plain text and used.

If you are thinking of having a free WiFi system that people use by going to a website and “signing up / signing in”, don’t! It is not hard for a dedicated cyber criminal to replicate the sign-in page and make it look and feel like the original. By doing this the cyber criminal can capture the login process and, in the process, download malware to the device.

If you are thinking of having a single passphrase for all users, don’t! Once again, I can replicate your system and deliver internet to the clients, but through my system. There are a number of WiFi systems that support enterprise-level WPA2 (WPA2-Enterprise); you can use these systems to personalise and manage access for all of your staff and visitors.

One of the hardest systems to counter is the man-in-the-middle attack using a Raspberry Pi “pumpkin” or a “WiFi pineapple”. Either of these systems can be purchased and configured for under $200 and can cause monumental issues for any delivery of free WiFi.

They create issues by inserting themselves between the user and the internet, changing a fundamental process within the network.

The usernames and passwords (both randomly generated) can be delivered to the users with their badges. This allows for a single sign-on per account, giving a managed and monitored connection.
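As an added example from the defender’s side (not code from the post), here is a Python check that a venue’s wireless team could run over a site-survey export to spot the duplicate access point problem described above: any radio broadcasting the venue SSID, or a look-alike name, that is not one of the venue’s own access points, and any venue access point seen with weaker security than the WPA2-Enterprise it should be using. The SSID, BSSIDs and survey rows are constructed placeholders, not a real capture.

```python
from collections import namedtuple

Beacon = namedtuple("Beacon", "ssid bssid channel security")

# Constructed venue inventory (placeholder values, not a real deployment).
VENUE_SSID = "ExpoGuest"
VENUE_BSSIDS = {"02:00:00:aa:00:01", "02:00:00:aa:00:02"}   # the venue's own access points
VENUE_SECURITY = "WPA2-EAP"                                  # per-user credentials, as the post recommends

# Constructed survey rows in the shape a wireless controller or survey tool might export.
SURVEY = [
    Beacon("ExpoGuest",  "02:00:00:aa:00:01", 1,  "WPA2-EAP"),
    Beacon("ExpoGuest",  "02:00:00:aa:00:02", 6,  "WPA2-EAP"),
    Beacon("ExpoGuest",  "02:00:00:ff:ee:01", 11, "OPEN"),      # venue name, unknown radio, no encryption
    Beacon("Expo Guest", "02:00:00:ff:ee:02", 6,  "WPA2-PSK"),  # look-alike name on an unknown radio
    Beacon("CoffeeShop", "02:00:00:bb:00:09", 1,  "WPA2-PSK"),  # unrelated neighbour, ignored
]


def _normalise(ssid):
    """Collapse case, spaces and punctuation so 'Expo Guest' compares equal to 'ExpoGuest'."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def find_rogue_aps(survey, venue_ssid=VENUE_SSID, venue_bssids=VENUE_BSSIDS,
                   venue_security=VENUE_SECURITY):
    """Return (bssid, ssid, channel, security, reason) for every beacon that needs attention."""
    alerts = []
    target = _normalise(venue_ssid)
    known = {b.lower() for b in venue_bssids}
    for b in survey:
        if _normalise(b.ssid) != target:
            continue  # not pretending to be us
        if b.bssid.lower() not in known:
            reason = ("unknown BSSID broadcasting venue SSID" if b.ssid == venue_ssid
                      else "look-alike SSID")
            alerts.append((b.bssid, b.ssid, b.channel, b.security, reason))
        elif b.security != venue_security:
            # Our own BSSID, but not the security we configured: misconfiguration or spoofing.
            alerts.append((b.bssid, b.ssid, b.channel, b.security, "venue AP with unexpected security"))
    return alerts


if __name__ == "__main__":
    for alert in find_rogue_aps(SURVEY):
        print("ALERT %s ssid=%r ch=%d sec=%s: %s" % alert)
```

Running this on every survey snapshot, and wiring the alerts into the rapid-response process described later in the post, is what turns “we know evil twins exist” into something the event team can actually act on during the show.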

Opportunity for marketing – putting individual usernames and passwords on the trade show passes.

“Drive by” attacks on Near Field Communication (NFC).

This is stealing information from Fitbits, credit cards, smart devices, passports or driver’s licences using a scanner for chip and PIN technologies.

NFC is designed to allow people to pay for items using their credit card: wave the card over a reader and it deducts money from your bank account.

Normal readers have a range of approximately 2 centimetres, but criminals can buy or make scanners that increase the range to 2 metres.

Opportunity for marketing – branded thin aluminium RFID protective credit card sleeves as part of the sign-up process.

Rapid response

In regard to all of the attacks that can happen over a WiFi network, you need to be able to shut it down in a minimal amount of time to reduce the risk to your organisation as well as to your attendees.

Your WiFi system will need to have alerts and be monitored to allow your organisation to protect them.


In today’s world anything can cause a disruption to an event, and although most are thought about, here are a couple more.

Print off a copy of the attendee list and have it located at all entrances; just a basic power failure at the wrong time can be catastrophic.

Disaster recovery / business continuity

For any business in today’s business world, a failure of the ICT can have a significant impact on the organisation.

A risk analysis of everything that could go wrong and will have an impact on the organisation needs to be put into perspective.

Each risk has to be mitigated, ignored, transferred or eliminated.

The organisation would also need the required functionality to manage the number of people who will be attending.

The Basics

In addition to what expectations the attendees have, there are certain expectations of the organisation that have to be addressed.

These include the fundamentals:
  • passwords
  • patching
  • encryption
  • backups
  • end point protection

As you can see from above it is not just about protecting the actual event itself.

It is a slow build up to protect everything and everyone that comes in contact with your organisation.   In today’s litigious and compliant world we have to be very aware of the impact of a single event.

Do it correctly and you can use the security of the event as a selling point. A marketing leverage point that puts your events well above anyone else’s.

Cybersecurity is all about Infosec!

“Using smart technology is not smart unless infosec procedures are set in place.” Laith Alkhouri

We are inundated with shiny and new.

The newest mobile device, the newest computer, the newest operating system, the newest application or apps, all that newness.

All of that smart technology!

Individuals and organisations often forget, in the rush to get things to market, that the first iteration of shiny and new can have some serious flaws and issues.

We forget it too!

Going back a couple of years, when everyone was jumping on the bandwagon of “you need an app for that”, some of the NFL teams released apps for you to track your favorite team, keep up with the stats and buy their merchandise.

They forgot that a financial transaction needed access to either credit card information or bank account details.   These transactions were in plain text in transmission as well as when stored on the device.

No encryption.

If you purchased that jumper then you had a really good chance of having your financial details stolen.

To stop themselves from being sued they put all of the onus on everyone using the system through a comprehensive waiver.   You agreed to the terms and conditions probably without realising it, you agreed when you installed the app.

The way all of the software companies manage their apps is the same. You want to use the app, then it is your problem, because you agreed to the terms and conditions.

The legal beagles have not caught up with this yet. As users, are we not entitled to have some semblance of security and safety when using a product?

Are we not entitled to sue someone when using their product and something happens?

When did that change?

I suggest that when you install your next app you have a look at the terms and conditions before you say yes. In most cases you have no rights whatsoever if something is stolen, according to them.

Oh look something shiny and new, I just have to have it!



What is the difference between a Penetration Test and a vulnerability scan?

Ransomware for Medical devices – what happens then?

One of the biggest problems with our bright new shiny digital world is that everything we do or use today has some level of digital component.
We know that everyday computers, smart devices, mobile devices and gaming platforms are digital in nature.
We forget that Fitbits, Internet of Things devices and medical devices also have some level of digital incorporated into them.
So what happens to these devices if they become infected with malware, or even worse if that malware is ransomware?
If I had a pacemaker installed in my body and the medical staff lost control of it (that is what malware and ransomware do: remove their control and give it to someone else), I think that I would get a little panicky.

Definitely a WTF moment.

Most medical devices are either WiFi or Bluetooth enabled. That makes them relatively easy to break into.
Researchers have been looking at compromising medical devices, and in 2015 there were 25 known vulnerabilities in some of the most popular devices. What about the unknown ones, how many of them were there?
We all saw what happened with IoT devices when Mirai was released on the internet in late 2016. It compromised a class of device that had a hard-coded username and password in the system.
We also saw what happened when the WannaCry ransomware hit, and the fallout from that, in May 2017.

Now imagine a WannaCry variant that targets your pacemaker. “Give us $1000 or we stuff around with your heart!” That would certainly make your life pretty interesting.
What’s to stop it happening? What’s to stop it happening right now?
I keep coming back to people taking responsibility for the code they write. I think we need to have a serious look at our new and shiny world and do something about it. Before it is too late and people start dying!

We need to think things through.

Think like the bad guys.
Oh, and before you say “why would they target my pacemaker?” In most cases it is because they can.

Why do we still believe these 6 idioms about the Internet?

The internet has been around for 25 years.
Since its inception, thanks Tim, we have seen how it can be used for ‘good’, but we have also seen, in the last 10 years, how it can be used for bad, evil and nasty stuff.
The bad utilisation is starting to have a significant impact on the business world, but we still have a number of areas where we do not see the dangers.
These are some of the internet attitudes that we come across constantly:

It will not happen to me

In one word, OK two – automated systems.
The free automated systems that are now available to any bored 14 year old cause major problems for anyone connected to the internet or digital world.

I have anti virus, that’s all I need.

We are constantly shown that most business organisations think in one dimension when talking about the Internet.
The bad guys, and even the automated systems, take a multi-faceted approach when it comes to targeting us. Anti virus will find 95% of attacks and stop about 85%.
That leaves a significant number of areas where AV will not protect you at all.

My password is strong enough for me

I was recently watching an interviewer on one of the late night shows who was sent out to the streets to ask people for their passwords. The ridiculously easy way in which she got that information was astounding.
One of the other things to come out of it was that people still use dictionary words, personal information and easy-to-remember sequences.
Passwords have to be complex, unique and more than 9 characters. It’s not easy for you; it is easy for them.

I only trust my friends on social media

On my Facebook recently there has been a spate of people who are already my friends asking to hook up on Facebook again.
It can be very difficult making sure that you do not fall for this type of scam.


I am not rich and famous why would they pick on me

On the Internet everyone has something of value.
Even though you may not have money or access to money, trade secrets or you think your personal information is not important you still have one thing that the cyber criminal considers important.
You have some sort of technology that they can then use to target other people from and hide their attack behind.

Digital security is very expensive

The fundamentals are not.
Use a firewall, use an anti-virus, back up everything you consider important, patch it all and use a decent password.
None of these are expensive, but they all lift anyone out of the realms of easy targets.
In addition here are a couple more – Trust no one and be paranoid.

I don’t need a back up because it will never happen to me

If you think that the information on your digital device is not worth backing up, then ask yourself this question: if I lost my laptop, dropped my phone in the toilet or my tablet was stolen, what information could I not live without?
That’s the information that needs to be backed up.
Backups are for any digital device that holds information of yours that is irreplaceable.
The bad guys have changed; we have not.
They are smarter, more persistent and definitely more brazen. We have to adapt to their changes and make sure we are protecting ourselves; if we don’t, no one else will.
Roger Smith is the CEO of R & I ICT Consulting Services, Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity), Amazon #1 selling author on Cybercrime, Presenter for the Business Security Intensive, author of the Digital Security Toolbox and Digital Security Framework.   Rapid Restart Appliance Creator.   He is a Speaker, Author, Teacher and Educator on cybercrime and how to protect yourself from the digital world. 

Why Business Security is a specialised field

I am sorry, but if I hear another IT person or manager say that they do not know how they were targeted by malware when they have Anti Virus, I am going to scream.

The issues and problems associated with Business Security need a different, more refined and more robust focus than normal IT.

They need to focus on what the bad guys are actually capable of.

Normal IT, in most organisations, has a primary focus of keeping the lights on, making things work and keeping it functional.

We have to stop thinking that Business Security is the realm of IT, because it is not.

Business Security is a whole of business process and HAS to be treated that way.

This is why you need a professional who is focused on the security component of an organisation.

Someone who can cross all of the areas of the business and get all levels involved in the process.   For small and medium business, this is an expense that few can afford.

The ways that a system and organisation can be compromised are numerous, and in most ways are practically invisible to small and medium sized organisations.

There are also numerous reasons that they are targeted, but automated systems are the primary contender.

The only reason they are targeted is that they are connected to the internet.

The bad guys need no other excuse than you have a digital device and it is connected to the internet.

In addition small and medium organisations do not have the three things that are vital to protecting the organisation:

  • Skills
  • Time
  • Money

Investing in these things is normally outside the purview of ordinary business.

It’s not for want of trying.

Most want to be secure.

They just do not know how to get to that next level, and if they knew would not have the above resources to make it happen.

Cybersecurity / Business Security is a typical catch 22 situation.

Professional Business Security Support

You need to invest in the skills, time and money, but do not have the skills, time and money within the organisation to be able to apply what you need.

This is why you need a framework.

A framework that is going to apply a progressive protection strategy around the business.

That framework can be any of the available frameworks, but for small and medium business I think that mine would be a great place to start.

My framework puts technology, management, adaptability and compliance into a system where each additional component makes the organisation just that little bit more secure.


In addition, a managed security service package is a great way to make your money, expertise and time go a lot further.

Most MSSPs will look after all of those critical components of an organisation.

They have the skills to do it, they have the expertise to make it more secure than an untrained person and will definitely make your money go a lot further.

Roger Smith is the CEO of R & I ICT Consulting Services, Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity), Amazon #1 selling author on Cybercrime, Presenter for the Business Security Intensive, author of the Digital Security Toolbox and Digital Security Framework.   Rapid Restart Appliance Creator.   He is a Speaker, Author, Teacher and Educator on cybercrime and how to protect yourself from the digital world. 

What are the riskiest network TCP / UDP ports and how do you secure them?

Vulnerabilities do not rest on TCP ports, they rest on services.

Any TCP port can be open, but if there is no corresponding service using that port an attack on the port will most probably fail.

There are exceptions to this – TCP port knocking and encryption allow a port to be open but register as closed.

All hacking / malware attacks are targeted at those services, and each of those services can have different applications behind them.

A little background – A Quick introduction to hacking.

Vulnerabilities are discovered and used in attacks based on a number of things:

  • Application – what is the application that is using the TCP port? Apache and IIS have different vulnerabilities, and they can each be as unsafe or as safe as the other.   It depends on the attacker, defender, version and the installation process.
  • Version – one version will be more secure than the previous one.   In the labs we demonstrate a problem with vsftpd version 2.3.4: it has a back door hard coded into the software.   Anyone who knows that can use it to compromise the server it is installed on.   By upgrading to 2.3.5 you remove the vulnerability and the back door.   With the introduction of IoT, the main attack vectors are port 80 attacks and hard-coded default usernames and passwords.
  • Installation process – the installation process for a number of applications has a default username and password.   If these are not changed then the system is vulnerable.   Tomcat and VNC are examples of known default usernames and passwords.
  • Interaction between the application and the operating system – there are a number of applications that are vulnerable when installed on a specific type of operating system.   Code Red targeted port 80 (HTTP) to attack the SQL components of a web server on port 1433 (MSSQL).

Fingerprinting and scanning

This is the process of finding out what application and services are behind the port.

It also tells us what version is running.

A simple Nmap scan will deliver this information to anyone who knows how to use it.

A simple Nessus scan will reveal even more!

User rights and shell

A hacker needs two things to be dangerous.

They need to have the authority – administrator (god) access – and they need to create a shell, something to run commands, scripts or applications in.

You can still do damage to a system if you have less than admin access, but it is only to the application that is running – compromising Tomcat will give me access to the web server component of a system.   There are ways to escalate the user from a service account to the administrator.

If you do not have the ability to gain a shell then most attacks will not work.

In the world of penetration testing we can discover hundreds of vulnerabilities, but only one or two or ten will enable me to compromise the system with both administrator access and a shell.

They are the only ones we report, resolve and remediate.

Hackers use Google and YouTube

Most hackers will find information on what they are targeting, how to do it and what they need to do through a basic search.

So with that all being said – here are the top 20 ports with their corresponding application.

Insecure network services – TCP / UDP port numbers

  • 21 – TCP – FTP – file transfer protocol – one of the oldest ports on the internet, used to transfer information from one system to another over a TCP connection.   Can be used in command and control of malware.
  • 23 – TCP – Telnet – the most basic of shells, can be used to transfer commands and scripts from computer to computer.   Unencrypted and easily captured.
  • 25 – TCP – SMTP – email servers – Exchange, sendmail, and any system that has been designed to send email as part of its system requirements.
  • 69 – UDP – TFTP – trivial file transfer protocol – used to update and transfer information from computers to routers.   Information can be intercepted because it is a UDP connection.
  • 80 – TCP – HTTP – hypertext transfer protocol – Apache, IIS
  • 143 – TCP – IMAP – mail protocol
  • 110 – TCP – POP3 – mail protocol
  • 443 – TCP – HTTPS – secure hypertext transfer protocol
  • 53 – TCP/UDP – DNS – domain name service – BIND, Windows
  • 8080 – TCP – Tomcat management
  • 161 – TCP – SNMP
  • 3389 – TCP – RDP – remote desktop protocol
  • 4444 – TCP/UDP – Metasploit
  • 1433 – TCP – SQL (MSSQL)
  • 137, 138, 139 – UDP – NetBIOS
  • 1723 – TCP – PPTP VPN
  • 9100 – TCP – Internet printing
  • Gaming ports – inbound and outbound – some games install and connect to a web-based server on a specific port based on the game.   The game allows an attacker to use it as a platform to store and activate malware.

There is no way to secure individual ports and their applications except to make sure the application and operating system are up to date.
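Before a service can be patched or removed, someone has to know it is listening and where it is bound. The script below is an added example, not the author's code: it parses a constructed snippet in the format of Linux `ss -tlnup` output and scores each listener against the port list above. The port-to-service mapping and the "cleartext" set are assumptions drawn from that list, and a listener on all interfaces with no identifiable owning process is treated as the most urgent finding, since an unexplained 4444 listener is exactly the kind of thing the list warns about.

```python
"""Audit listening sockets against the risky-port list in the post.

Added example (not the author's code). The input is a constructed
`ss -tlnup`-style listing embedded inline so the script runs offline.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Port -> service, taken from the post's list. Assumption: this is the
# organisation's "risky" policy; extend it for your own environment.
RISKY_PORTS = {
    21: "ftp", 23: "telnet", 25: "smtp", 69: "tftp", 80: "http", 110: "pop3",
    143: "imap", 161: "snmp", 137: "netbios", 138: "netbios", 139: "netbios",
    1433: "mssql", 1723: "pptp", 3389: "rdp", 4444: "metasploit-default",
    8080: "tomcat-management", 9100: "raw-printing",
}
# Protocols the post describes as unencrypted / easily captured.
CLEARTEXT = {"ftp", "telnet", "tftp", "http", "pop3", "imap", "snmp"}
WILDCARDS = {"0.0.0.0", "[::]", "*"}  # bound to every interface

# Constructed sample in `ss -tlnup` format (not captured from a real host).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0      128        127.0.0.1:8080       0.0.0.0:*     users:(("java",pid=1203,fd=7))
tcp   LISTEN 0      5            0.0.0.0:23         0.0.0.0:*     users:(("telnetd",pid=450,fd=4))
tcp   LISTEN 0      100          0.0.0.0:4444       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:161        0.0.0.0:*     users:(("snmpd",pid=612,fd=6))
tcp   LISTEN 0      128             [::]:443           [::]:*     users:(("nginx",pid=900,fd=8))
"""

LINE_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(.*)$")
PROC_RE = re.compile(r'\("([^"]+)"')


@dataclass
class Socket:
    proto: str
    addr: str
    port: int
    process: Optional[str]  # None when ss could not attribute the socket


@dataclass
class Finding:
    port: int
    service: str
    severity: str
    reason: str


def parse_ss(text: str) -> List[Socket]:
    """Turn ss output into Socket records; header and odd lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, rest = m.groups()
        pm = PROC_RE.search(rest)
        sockets.append(Socket(proto, addr, int(port), pm.group(1) if pm else None))
    return sockets


def audit(text: str) -> List[Finding]:
    """Score each listener: exposure (bind address) plus the post's port list."""
    findings = []
    for s in parse_ss(text):
        exposed = s.addr in WILDCARDS
        service = RISKY_PORTS.get(s.port)
        if exposed and s.process is None:
            findings.append(Finding(s.port, service or "unknown", "high",
                                    "listener on all interfaces with no identifiable owning process"))
            continue
        if service is None:
            continue  # not on the watch list; nothing to report
        if exposed and service in CLEARTEXT:
            sev, why = "high", "cleartext protocol reachable from any interface"
        elif exposed:
            sev, why = "medium", "risky service reachable from any interface"
        else:
            sev, why = "low", f"bound to {s.addr} only; reachable locally"
        findings.append(Finding(s.port, service, sev, why))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SS):
        print(f"{f.severity:6} port {f.port:<5} {f.service:20} {f.reason}")
```

On a real host, pipe the output of `ss -tlnup` into `audit()` instead of the constructed sample; the useful output is not the port number itself but the bind address and owning process beside it, which tell you whether the service can be restricted to loopback or removed outright.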

There are a number of ways to protect an organisation:

A second generation firewall / next generation firewall will inspect packets at the network, data and physical level as they enter and leave, and compare that information to its database.

If an attack is indicated it will either stop it or move it to a sandbox.

The other ways are through logging, auditing and reporting.

Depending on the size of the organisation a SIEM may be necessary, but a process of alerts is vital to catching the initial components of a breach.
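What "a process of alerts" looks like in practice, as an added example rather than the author's own tooling: two rules run over a handful of constructed firewall log lines in the style of iptables `LOG` output. The first raises an alert when an accepted connection from outside the internal ranges reaches one of the ports listed above; the second raises an alert when one source touches five or more distinct ports within sixty seconds, which is the initial scanning step the post describes. The log prefixes (`FW-ACCEPT`, `FW-DROP`), the internal ranges, the thresholds and the sample addresses are all assumptions.

```python
"""Simple alerting over constructed firewall logs (added example, not the post's code).

Rule 1: accepted inbound connection from an external source to a risky port.
Rule 2: one source hitting >= SCAN_THRESHOLD distinct ports inside SCAN_WINDOW.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Ports from the post's list (assumed policy; tune for your environment).
RISKY_PORTS = {21, 23, 25, 69, 110, 143, 161, 137, 138, 139,
               1433, 1723, 3389, 4444, 8080, 9100}
SCAN_THRESHOLD = 5               # distinct destination ports from one source
SCAN_WINDOW = timedelta(seconds=60)
# Explicit internal ranges (assumed). Documentation ranges such as
# 203.0.113.0/24 are used as "external" below, so we do not rely on
# ipaddress.is_global, which classifies them as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample lines in iptables LOG style; timestamps are ISO-8601 UTC.
SAMPLE_LOG = """\
2024-03-03T10:00:01Z fw kernel: [FW-ACCEPT] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=443
2024-03-03T10:00:02Z fw kernel: [FW-ACCEPT] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=3389
2024-03-03T10:00:05Z fw kernel: [FW-ACCEPT] IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=3389
2024-03-03T10:00:10Z fw kernel: [FW-DROP] IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=60000 DPT=21
2024-03-03T10:00:11Z fw kernel: [FW-DROP] IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=60001 DPT=22
2024-03-03T10:00:12Z fw kernel: [FW-DROP] IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=60002 DPT=23
2024-03-03T10:00:13Z fw kernel: [FW-DROP] IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=60003 DPT=25
2024-03-03T10:00:14Z fw kernel: [FW-DROP] IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=60004 DPT=80
2024-03-03T10:00:15Z fw kernel: [FW-DROP] IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=60005 DPT=4444
2024-03-03T10:05:00Z fw kernel: [FW-ACCEPT] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=5000 DPT=161
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ kernel: \[(?P<action>FW-\w+)\] .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


@dataclass
class Alert:
    kind: str      # "risky-port-inbound" or "port-sweep"
    src: str
    detail: int    # destination port, or number of distinct ports swept
    ts: datetime


def parse_line(line: str):
    """Return a dict of fields for a matching line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["dpt"] = int(ev["dpt"])
    return ev


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect(log_text: str) -> List[Alert]:
    """Run both rules over the log in order; lines are assumed time-sorted."""
    alerts: List[Alert] = []
    recent = defaultdict(list)   # src -> [(ts, dpt)] within the sliding window
    already_swept = set()        # one sweep alert per source
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src, ts, dpt = ev["src"], ev["ts"], ev["dpt"]
        # Rule 1: only accepted traffic matters; drops are already blocked.
        if ev["action"] == "FW-ACCEPT" and dpt in RISKY_PORTS and is_external(src):
            alerts.append(Alert("risky-port-inbound", src, dpt, ts))
        # Rule 2: sliding window of (time, port) per source, accepted or dropped.
        recent[src] = [(t, p) for t, p in recent[src] + [(ts, dpt)] if ts - t <= SCAN_WINDOW]
        distinct = {p for _, p in recent[src]}
        if len(distinct) >= SCAN_THRESHOLD and src not in already_swept:
            already_swept.add(src)
            alerts.append(Alert("port-sweep", src, len(distinct), ts))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts.isoformat()} {a.kind:18} src={a.src} detail={a.detail}")
```

The internal 10.0.0.5 connection to RDP is deliberately not alerted on, to keep the rule usable on a busy network; the dropped probes from 198.51.100.9 do not trigger rule 1 but are exactly what rule 2 is for. A SIEM does this at scale, but the two rules above are enough to show the kind of signal a small organisation can get from logs it already has.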
