What is the difference between a Penetration Test and a vulnerability scan?

Ransomware for Medical devices – what happens then?

One of the biggest problems with our bright new shiny digital world is everything we do or use today has some level of digital components.
We know that everyday computers, smart devices, mobile devices and gaming platforms, are digital in nature.
We forget that Fitbits, Internet of Things devices and medical devices also have some level of digital incorporated into them.
So what happens to these devices if they become infected with malware, even worse if that malware is a ransomware.
If I had a pacemaker installed in my body and the medical staff lost control of it (that is what malware and Ransomware does, removes their control and gives it to someone else) I think that I would get a little panicky.

Definitely a WTF moment.

Most medical devices are either WiFi or blue tooth enabled.   That makes them relatively easy to break into.
Researchers have been looking at compromising medical devices and in 2015 there were 25 known vulnerabilities in some of the most popular devices.   What about the unknown ones, how many of them were there?
We all saw what happened with IOT devices when Mirai was released on the internet late 2016.   It compromised a certain level of device that had a hard coded username and password in the system.
We also saw what happens when the wannacry ransomware hit and the fall out from that in May 2017.

Now imagine a wannacry variant that targets your pacemaker.   “Give us $1000 or we stuff around with your heart!”  That would certainly make your life pretty interesting.
What’s to stop it happening?   Whats to stop it happening right now?
I keep coming back to people taking responsibility for the code they write.   I think we need to have a serious look at our new and shiny world and do something about it.  Before it is too late and people start dying!

We need to think things through.

Think like the bad guys.
Oh, and before you say “why would they target my pacemaker?” In most cases it is because they can.
Roger Smith is a highly respected expert in the fields of cybercrime and business security and is a Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity) on Cybercime, Cybersecurity and the hacking techniques used by the digital criminal.
He is an Amazon #1 selling author on Cybercrime with his best selling book, Cybercrime a clear and present danger, going to number one in 3 sections of Amazon.   
He is the primary presenter for the Business Security Intensive (BSI) and author of the Digital Security Toolbox which is given away for free at the BSI
He is a speaker, author, teacher and educator on Cybercrime and an expert on how to protect yourself, your staff, your clients and your intellectual property from the digital world.


Why Business Security is a specialised field

I am sorry, but if I hear another IT person or manager express that they do not know how they were target by malware when they have Anti Virus I am going to scream.

The issues and problems associated with Business Security needs to have a different and more refined and robust focus than normal IT.

They need to focus on what the bad guys are actually capable of.

Normal IT, in most organisations, have a primary focus of keeping the lights on, making things work and keeping it functional.

We have to stop thinking that Business Security is the realm of IT, because it is not.

Business Security is a whole of business process and HAS to be treated that way.

This is why you need a professional who is focused on the security component of an organisation.

Someone who can cross all of the areas of the business and get all levels involved in the process.   For small and medium business, this is an expense that few can afford.

The ways that a system and organisation can be compromised are numerous, and in most ways are practically invisible to small and medium sized organisations.

There are also numerous reasons that they are targeted, but automated systems are the primary contender.

The only reason they are targeted is that they are connected to the internet.

The bad guys need no other excuse than you have a digital device and it is connected to the internet.

In addition small and medium organisations do not have the three things that are vital to protecting the organisation:

  • Skills
  • Time
  • Money

Investing in these things are normally outside the purview of ordinary business.

Its not from want or trying.

Most want to be secure.

They just do not know how to get to that next level, and if they knew would not have the above resources to make it happen.

Cybersecurity / Business Security is a typical catch 22 situation.

Professional Business Security Support

You need to invest in the skills, time and money but do not have the skills, time and money within the organistion to be able to apply what you need.

This is why you need a framework.

A framework that is going to apply a progressive protection strategy around the business.

That framework can be any of the available frameworks but for small and medium business i think that mine would be a great place to start.

My framework puts technology, management, adaptability and compliance into a system where each additional components makes the organisation just that little bit more secure.

Try it here

In addition a managed Security Service Package is a great way to make your money, expertise and time go a lot further.

Most MSSP’s will look after all of those critical components of an organisation.

They have the skills to do it, they have the expertise to make it more secure than an untrained person and will definitely make your money go a lot further.

Roger Smith is the CEO of R & I ICT Consulting Services, Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity), Amazon #1 selling author on Cybercrime, Presenter for the Business Security Intensive, author of the Digital Security Toolbox and Digital Security Framework.   Rapid Restart Appliance Creator.   He is a Speaker, Author, Teacher and Educator on cybercrime and how to protect yourself from the digital world. 

Why do i need a Managed Security provider?

Why are we the weakest link in cybersecurity – we just don’t care!

The threats are NOT imaginary.

The threats are real!

The visibility of the wannacry attack actually highlights how vulnerable the world is with its reliance on all things digital

Zero day exploits and known vulnerabilities are available for every operating system, including IOT devices.

 Anything with a digital signature can be hacked.

Where it all breaks down is that in most cases there is a human who is attached to the device.

A human who has the ability to veto all security measures in their hurry to do something, anything with the device.

How often have we seen the “updates available” on our server, laptop, smart device or application and have been in too much of a hurry to apply them.

In most cases it would take 10 minutes out of our busy daily schedule, 10 minutes where we have to find something else to do – not screen related.

cybersecurity We are so busy that we cannot find that 10 minutes?

Most systems are now being designed to make it obvious, and will persistently tell us that we need to update.

What do we do?

We complain that we do not have enough time.   We are too busy.   We cannot stop for that brief space of time to increase our security.

The SMB patch for wannacry has been available since march, that is almost 8 weeks before the cryptovirus attack, but the impact was significant because we were too busy.

I thought that we had learned from the “code red” attack in the early 2000’s, that patching is a very important part of digital security, obviously not!

“Code Red” crippled the internet because of un patched SQL servers, the patch had been available for 3 months prior to the release of the virus.

Most of the problems with security in the digital world is US.

We are too focused on our tools to see the underlying features that have actually been put in place to protect us.

There is a quote I often use in my training “THERE IS NO PATCH FOR HUMAN STUPIDITY”

 We are the weakest link in cybersecurity, in the digital chain where we should be the strongest.

In most cases we are very stupid!

Roger Smith is the CEO of R & I ICT Consulting Services, Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity), Amazon #1 selling author on Cybercrime, Presenter for the Business Security Intensive, author of the Digital Security Toolbox and Digital Security Framework.   Rapid Restart Appliance Creator.   He is a Speaker, Author, Teacher and Educator on cybercrime and how to protect yourself from the digital world. 

Ransomware – So you think you have nothing worth stealing?

Lets just look at that for a moment

In today’s world we all use the internet to do business, to communicate, to have fun.

What we forget is this!

  • You have a Mobile phone or tablet = target
  • You have email = target
  • You have a web site = target
  • You own a Smart TV = target
  • You live in a Smart home = target
  • Have anything that is part of the Internet of things = target

There is no getting away from it.

If you are connected to the internet, the digital world, the cyber world, in any shape or form – you are a target.

Do you now agree that you are a target!

By being a target, what are they after?

Most people think that they have nothing worth stealing?

In today’s digital world, that is bull.

If I was a hacker – What could I steal from you?

Lets just start with just the basics –

  • money or access to money
  • Intellectual property, trade secrets or restrict access to information
  • PI information about you

Additionally, Technology – your computers, phones, tablets, your smart devices.

Things you may not even consider your phone systems and your gaming console.

So you are also saying that you have nothing worth stealing!

So lets look at the phenomena that is the fastest growing digital crime ever seen – ransomware.

Ransomware Why is ransomware so effective?

To anyone who has been a target of ransomware, you realise very very fast that not having access to things that you considered not inportant, suddenly become very important.

With a ransomware attack you have three actions –

  1. its not important so I won’t worry about it,
  2. I will pay the ransom or
  3. I will restore from backup

Your choice, but i can guarantee that not having a tested and secure backup will haunt you.

The problem with the digital world is we are all exposed.

We are all targets.

More importantly, if you don’t do something about it who will?

Want to know more about business security?

Join us for the business security intensive

http://www.business-security.com.au/intensive

Roger Smith is the CEO of R & I ICT Consulting Services, Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity), Amazon #1 selling author on Cybercrime, author of the Digital Security Toolbox and the SME Digital Security Framework.   Rapid Restart Appliance Creator.   He is a Speaker, Author, Teacher and Educator on cybercrime and how to protect yourself from the digital world. 

Ransmware, Crypto Virus and educating your users

Ransomware, so you think it’s a joke?

“Never before have so few, stole so much, from so many that the many fail to see a problem!”

Ransmware, Crypto Virus and educating your users

Ransomware, Crypto Virus and educating your users

I got a phone call from a mate the other day wanting some advice.

My mate is attached to a not for profit organisation that has a number of self-managed branches all over Australia.

His question was “what do you know about ransomware?”   

My immediate response to that was “why, it hasn’t happened to you, has it?”

It turns out that one of the branches of his NFP organisation had been targeted through a phishing email and one of the volunteers had opened it.   Not realising what they had done, it had also been left to encrypt over the weekend.   ALL of their data was now encrypted.

My first response – restore from backup, clean the virus or better still rebuild the infected computer, and educate the users.   In that order!

I knew a forensic investigation was not going to tell us much!

But, wait there is more!

No we did not have end point protection installed on any computers or servers and when the incumbent IT Company (WTF) looked at the backup, they had not had a successful backup since 3 1/2 weeks prior.

The incumbent and external IT Company had not been seen on site in more than 12 months.    There was no reporting, no management and no proactivity.

All they had was a help desk and when that was needed it all turned to crud.

This scenario happens every minute of every day.

Often, we do not see the problems that the digital world creates, so like the ostrich, we hide from the repercussions in the hope that it will not happen to us.

This really is a bad attitude, both as an individual, but more importantly as an organisation.

No one is immune, there is no vaccine, everyone can be targeted and more importantly, being attached to the internet, everyone is.

The criminals are persistent, uncaring and, although we do not give them credit, most importantly clever.   They patiently wait for anyone and everyone to make a mistake and they capitalise on that mistake.

Just think of this – if we had no important data worth stealing (or encrypting) then ransomware would not be a 5 billion dollar industry.

The most important things to do – personally and as a business:

  • Trust no one
  • Be paranoid
  • Use common sense
  • Have a tested backup
  • Use antivirus
  • Get a decent firewall
  • Patch it all
  • Education
  • Audit and report

Try this little experiment – how long can you use a new computer before you realise that you need access to some old information.   If it’s not very long then you need to protect yourself from ransomware.

In addition I sent them this link – to see how mature their organisation is and it was completed by the IT person and they got a 1.7.   If it was at this maturity level, they would not have had the significant problem that they had.

I guarantee that if it was completed by management or a member of the board they would have got below 0.5.

Try it and see! http://business-security.com.au/go/audit/

Roger Smith is the CEO of R & I ICT Consulting Services, Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity), Amazon #1 selling author on Cybercrime, author of the Digital Security Toolbox and the SME Digital Security Framework.   Rapid Restart Appliance Creator.   He is a Speaker, Author, Teacher and Educator on cybercrime and how to protect yourself from the digital world.