Cybersecurity in Plain English: What is a SIEM?

I’ve written a blog series like this for many companies I’ve worked for, now I’m doing it on my own blog for everyone to read. Please drop me questions you’d like answered to me via Twitter/X/whatever it’s called this week @miketalonnyc – I’d love to get you answers explained without the jargon! 

As more organizations beef up their cybersecurity resilience, many new tools and platforms become part of organizational operations. This has led to several contacts of mine asking, “What is a SIEM, and what does it do for cybersecurity, and how the heck do you pronounce it?” Let’s dive in and find out.

A Security Incident and Event Management (SIEM) platform is a tool-set used to bring together information from applications, systems, services, hardware, and other operational components into one place so that all of that information can be used to try to find cybersecurity incidents taking place. Think of it as a gigantic database that pulls in data from hundreds or thousands of sources within the organization and from threat intelligence feeds. Coupled with that database, a SIEM includes systems to remove redundant information and process all the information to look for points of correlation – sequences of events that, when viewed together, indicate something is going on. As for pronunciation, there is a difference of opinion on that. The two top pronunciations are sim (as in simulation or simple) and seem (as in seemingly or seams). Either is generally accepted by the technology community. 

The first step in SIEM operations is ingestion – pulling in data from multiple sources and de-duplicating it. SIEM solutions integrate with thousands of different tools and platforms to ingest data. These can include things like Active Directory and other Identity and Access Management (IAM) systems, hardware platforms, cybersecurity tools like firewalls, anti-malware, and others, Operating System and application logging systems, and quite a large number of other sources. All this information is brought into a de-duplication system that removes redundant data-points to reduce the amount of information being sent into the database for correlation. Because of the sheer number of logs and events being ingested and de-duplicated, SIEM solutions must be highly robust and capable of dealing with massive amounts of data at once, and therefore are typically cloud-based solutions where they can be elastic – able to expand to use more resources as needed, but contract and reduce the amount of resources they use when the extra capacity isn’t needed to reduce costs. 

Once data is being ingested efficiently and de-duplicated, the second phase of SIEM operations – correlation – takes place. Correlation is a real-time operation which looks at the sum total of ingested information to attempt to define patterns within that data which indicate threat activity. For example, odd network behavior alone could be indicative of a threat, but could also be indicative of a user doing something unusual without malicious intent. A SIEM would attempt to correlate that network behavior with other indicators of threat activity; such as an anti-malware tool discovering software attempting to access privileged information, or an IAM system recognizing multiple attempts at privilege elevation (a user or process attempting to gain administrator access to something). Taken individually, these actions may not be malicious or even suspicious – the escalation could be a misconfigured application, and the malware could be a one-off download of something that isn’t recurring or able to impact the organization. But, when correlated together, they indicate that something is going on which is indeed suspicious at the very least.  

SIEM platforms also tie into ticketing and email systems to alert IT and cybersecurity staff when correlated events indicate threat activity is going on. These staffers can then block access, undo changes, prepare incident reports, etc. Many SIEM solutions can also work with Security Orchestration, Automation, and Response (SOAR) platforms to take direct action, but these platforms currently have limitations whenever there is more than one valid action to take, making human staffers a necessary part of the process for many types of incidents. 

Overall, SIEM solutions are an invaluable resource. Through de-duplication of data, correlation of potential or actual threat activity, and the ability to alert staff and SOAR platforms in real time, SIEM solutions act as a massive force-multiplier for organizations. They allow for accurate and timely detection and response to security incidents that would not be possible via manual operations, and keep organizations safer and more resilient without creating massive amounts of staff burnout along the way. 

An Open Letter of Thanks to the Social Media Community

Recently, the company I was working for underwent a re-organization and I found myself laid off. While I hold zero ill-will toward them – and in fact will continue workingHands showing thanks with them in a different way – the experience was a shock to say the least. Of course, my experience was hardly unique; with thousands of layoffs happening across the technology world these days. Still, as anyone who has been through this can tell you, it sets you completely off-balance and off-kilter.

After taking a couple of days to get my brain back in order, the first thing I did was reach out to the communities I’m part of on various social media sites. Places like ThePlatform Formerly Known as Twitter and LinkedIn. The response was staggeringly overwhelming, with contacts from all over the world reaching out to both check in on me and to offer assistance. Thousands of people replied, forwarded, upvoted, and otherwise amplified my post about being laid off, and dozens of companies ended up reaching out to talk to me about a position. Even for someone who has always viewed communities online as a huge strength for any organization or individual, the sheer number of things that got mobilized within hours of my post was beyond anything I could have dreamed of.

So, I wanted to say thanks. To everyone who brought me to their HR/Hiring teams. To everyone who suggested a company to reach out to or a job posting I should see. To everyone who re-tweeted/re-posted my post so that it could reach more people who could potentially help. I cannot thank you enough, and consider myself in your debt. This experience has been humbling and inspiring at the same time, and its all because of you – each and every one of you.

The really great news is that – in no small part to everything the community has done – I am indeed employed once more. Can’t say who it is just yet, but keep your eyes on my social media streams for an announcement in the coming days. This couldn’t have happened without the reach and exposure my community gave to me, and for that I am forever grateful.

Cybersecurity in Plain English: What is the SEC doing in Cyber?

I’ve written a blog series like this for many companies I’ve worked for, now I’m doing it on my own blog for everyone to read. Please drop me questions you’d like answered to me via Twitter/X/whatever it’s called this week @miketalonnyc – I’d love to get you answers explained without the jargon! 

Because of recent regulations going into effect in the last couple of weeks, many contacts have asked me “What is the new SEC regulation, and what is the SEC doing in cybersecurity anyway?” The answers might surprise you, as this is a major step forward in regulatory control around cybersecurity, so let’s dive in.

First things first, the obligatory disclaimer. I am not a lawyer or regulatory expert – you should definitely be speaking to one or both of those to figure out how, exactly, your organization needs to get into compliance. I’m just a cybersecurity nerd who read up on things. 

Many regulatory bodies have moved into the realm of cybersecurity over the last several years. In the European Union we saw the General Data Protection Regulations (GDPR), and in the United States we saw the implementation of regulations like the Healthcare Insurance Portability and Accountability Act (HIPAA). Several regional governments across multiple countries have also put forward and even enacted their own regulations. All of these center around privacy – the ability of a user of a service to control how their data is stored, protected, and shared. The new SEC regulations (which went into effect late in 2023 and into 2024) focus more on disclosure of cybersecurity incidents and are not focused on privacy concerns, which makes them significantly different to the regulations we’ve seen before this point. Similar measures are being drafted, voted on, and even ratified across the world, so this is likely to not be the last measure we will see put into effect in the near future. 

But, what do these regulations do, and how do they impact organizations? Well, first let’s define two key terms: SEC Registrant and Material Impact. An SEC Registrant is any company which is required to file disclosures, reports, and other filings with the US Securities and Exchange Commission. This includes US publicly traded companies, and also any companies which are preparing to become publicly traded, though there are exceptions in rare cases – such as some foreign organizations having to file reports even though they are not officially traded in the United States.  

Material impact is somewhat more ambiguous, but Harvard Business School defines materiality as:

“… an accounting principle which states that all items that are reasonably likely to impact investors’ decision-making must be recorded or reported in detail in a business’s financial statements using GAAP standards.”

– https://online.hbs.edu/blog/post/what-is-materiality 

This means that any event which may cause an investor or potential investor to make a specific decision (such as investing or not investing) is considered “material” in nature. The new SEC regulations make it mandatory to disclose any cybersecurity incident with has material impact, meaning any cybersecurity incident which – if it becomes known – would cause an investor or potential investor to alter their decisions regarding the organization itself.  

At their heart, the new regulations create two new reporting requirements for any SEC Registrant. First, all Registrants must file annual reports with the SEC already. These reports are not the “Annual Report” documents that are sent to shareholders and prospects, but rather an official federal filing (Form 10-K) done to keep the SEC and the US Government apprised of what the organization is doing, its overall health, etc. From 2024 onwards, this filing must include details about the cybersecurity resilience of the organization including, but not limited to, which member of the board is responsible for cybersecurity, what issues and incidents have occurred, what measures are being taken to avoid incidents, etc. Most notably, the 10-K filings will have to specifically note who on the board is responsible for cybersecurity resilience, making cybersecurity become a board-level discussion. As most boards are comprised of brilliant business people who don’t generally have deep technical backgrounds (though there are exceptions, of course), this is a massive shift in board responsibility that we haven’t seen in the past. 

Second, the regulations require that, after any cybersecurity incident that has material impact, the company must file a disclosure with the SEC. This is done as an amendment to the existing form used to disclose anything that has a material impact – Form 8-K. Such filings are routinely done any time the organization makes a change or institutes a new operational policy that might impact investor opinion and decisions, but this is the first time that the 8-K will have to be filed in the event of a cybersecurity incident. The new regulations also put a specific time restraint on what the filing must occur. Registrants must file their amended 8-K within four business days of the incident being discovered unless law enforcement and/or the US Government explicitly blocks the filing for matters of national security or the integrity of a federal investigation.

Any SEC filing must be signed by stakeholders (usually high-ranking board members) who attest that the information is complete and correct to the best of their knowledge (and being purposefully ignorant of a situation is not accepted as an excuse for not having the knowledge in question if the signatory would have had access to said knowledge). Essentially, purposefully not filing properly and/or knowingly filing a report with false information is a literal federal offense. This would mean that signatories are liable if they fail to disclose an incident, or if they report incorrect information on the state of their cybersecurity resilience. Penalties can include fines, being barred from an industry or from holding a position at a public company, or even federal charges being filed that could result in jail time in extreme incidents. In other words, there is iron in the glove when it comes to enforcement of these regulations – which business leadership have been very well aware of in other areas of SEC reporting for decades now. 

The impact of these two regulations going into effect has been sweeping and even surprising overall. First and foremost, the specifics of several incidents became public knowledge due to the filing requirements – such as the gaming/casino attacks that occurred late in 2023. While organizations might otherwise downplay the impact of these incidents, or even attempt to completely hide the incident entirely, now the details are becoming public knowledge and impacting things like share prices and customer trust. Other incidents may come to light with the new annual report regulations, showing which companies are properly defending their organizations and which are not. Most surprisingly, advanced persistent threat (APT) groups – organized criminal groups who create and run coordinated attacks against high-value targets – have actually embraced the new regulations. In one now-famous incident, ALPV/BlackCat filed a complaint with the SEC; detailing MeridanLink’s failure to comply with the reporting requirements when that organization did not file an amended Form 8-K in a timely fashion ( https://www.scmagazine.com/news/hacker-group-files-sec-complaint-against-its-own-victim ). It should be noted that this reporting was for an incident that occurred before the go-live date of the regulations, and as such did not actually trigger an SEC investigation; but it shows that threat actors will indeed weaponize this system to force organizations to pay their ransom fees in order to minimize or control what information becomes public about an incident they suffer. 

The new SEC regulations have been challenged, however. The Congress of the United States of America has claimed that the SEC over-reached with the regulations, as such measures are in the purview of Congress and not the SEC. We’ll have to keep an eye on the ongoing debate to see if the regulations are allowed to stand, or if Congress strikes them and renders them invalid. Even if the SEC regulations do get struck down, it would be likely that Congress would pass their own, similar measures to replace them, so this story is going to be sticking around for a while either way.

The SEC has taken a decisive step toward mandatory reporting for cybersecurity incidents that may impact investor decisions. It is likely we will see more governments move in the same direction due to the financial impact of the massive number of cybersecurity incidents seen in the last few years; and the sheer impact that those incidents have had on national and global economic factors. Organizations should definitely prepare for how they will meet these new regulatory requirements to remain in compliance. 

Cybersecurity in Plain English: What is a Threat Actor?

I’ve written a blog series like this for many companies I’ve worked for, now I’m doing it on my own blog for everyone to read. Please drop me questions you’d like answered to me via Twitter/X/whatever it’s called this week @miketalonnyc – I’d love to get you answers explained without the jargon! 

hacker in hoodie

A common question that I hear from both non-technical professionals and experienced cybersecurity pros is, “What’s the difference between a hacker and a threat actor?” Let’s dive into this topic and spell things out – youmight be surprised that those two terms are different, though related to each other. 

A hacker is simply anyone who uses a system for something other than its intended purpose. While we most commonly associate the term with people who use technology in unexpected ways, in fact just about everyone who reads this is a hacker. When you drink coffee to alter the way you transition from just waking up to fully alert, you are hacking you body by introducing a chemical that alters the way your body would naturally perform that process – one example of the phenomenon known as “bio-hacking.” Hacking – in and of itself – is not a harmful or threat activity, it’s merely finding a different (and presumably more effective) way of doing something that uses tools and techniques that aren’t explicitly designed for that purpose. 

Specifically in the technology world, a hacker is someone who utilizes hardware and/or software in a way that it wasn’t designed to be used. Modern examples of hackers are researchers who attempt to subvert hardware and software defenses with the express purpose of making those systems more secure by identifying and closing security gaps. Penetration testers are also examples of hackers – using the tools and techniques which would otherwise be considered threat activity, but with the express permission and authorization of the organization being tested to identify and quantify security weaknesses. 

In short, hackers are everywhere, and primarily do what they do either in order to prove it can be done without causing damage or disruption, and/or to actually make systems better overall. The modus operandi of a hacker is not to perform a criminal act without express permission, but rather to ensure that anyone attempting to perform a criminal act can be blocked, discovered, identified, etc. 

So, if hackers break things and perform threat-like activities, how are they different than threat actors? Well, I’m not a lawyer, so I can’t speak to the legal definition, but I can speak to the practical difference: intent. Threat actors perform operations against technology with the express purpose of disrupting operations, destroying systems, stealing data, extorting an organization, etc. In other words, a threat actor differentiates themselves from a hacker because they are performing these actions in furtherance of a goal already considered to be a criminal act. They have no intent to make the cybersecurity resilience of an organization better. They don’t intend to advise or counsel an organization on potential or actual security gaps. They’re doing it to cause harm and/or make money illicitly – and typically for no other reason. Yes, there are threat actors who perform their operations to highlight a political issue, and there are threat actors who will falsely purport to be “helping” companies by exposing security flaws – but that is clearly and demonstrably not their goal in doing what they do. The disruption, harm, extortion, or espionage that occurs is their primary goal, and cannot be overlooked for any other factor in the threat activity itself. 

Some of the earliest examples of threat actors were “phone-phreaks” who realized that by playing a specific tone into a public pay-phone, the phone would believe the user was an Operator and allow for free long-distance calls. While the tone had a legitimate purpose, that purpose was most definitely not to allow just anyone to make free calls, and therefore was being used fraudulently. This is a great way to explain the difference between a hacker and a threat actor: A hacker would recognize this could be done, then inform the phone company and provide all the evidence so the company could close the gap. A threat actor doesn’t inform the phone company, and instead performs acts of theft of services for their own benefit alone.

To sum up, threat actors are indeed a sub-set of hackers. The difference lies in intent. Hackers look to make things better – by improving a process or closing a security gap. A hacker may make money doing what they do, but they make that money as a result of services, bug bounties, or publication of research. They will also take necessary steps to ensure that intrusions are minimized, data retrieved is destroyed, etc. Threat actors have the primary goal of harming someone or something, or financially benefiting from the act alone through techniques like extortion. There will always be some gray area between these groups, as one is a sub-set of the other, but the intent of the person or group performing the operation can be used to determine which group they belong in.  

Cybersecurity in Plain English: What is Cybersecurity Resilience?

I’ve written a blog series like this for many companies I’ve worked for, now I’m doing it on my own blog for everyone to read. Please drop me questions you’d like answered to me via Twitter/X/whatever it’s called this week @miketalonnyc – I’d love to get you answers explained without the jargon! 

Resilience

Cybersecurity resilience – the key term on just about every CIO/CISO/CSO/CTO’s mind these days. Tons of vendors say they can help with it. Regulators are beginning to demand it. Customers are expecting it. But, what isit? This is a question I’ve gotten from many readers over the last year, so let’s dive in and spell it out.

 

When we speak about resilience in the general technology world, what we’re really talking about is the ability to withstand events that would cause downtime or damage. An email server is resilient when it can continue to provide email services even if one or more servers/services go offline. SaaS technology is resilient when it can be maintained online at full or near-full capacity even if a Cloud provider has issues in one or more regions. For the most part – outside of cybersecurity – resilience is the practice that drives High Availability, Disaster Recovery, and Business Continuity operations. Stay online, or be able to get back up and online quickly.

 

In the cybersecurity world, resilience incorporates general technical definitions of the term with the addition of threat activity which may be encountered. This means that instead of the primary concern being uptime balanced against redundancy, we’re instead looking at the system’s ability to withstand an attack without allowing the attacker to gain control of the system or steal its data. As you might guess, this is a more complex operation than general technical resiliency, but the good news is that cybersecurity resilience is rated on much more of a sliding scale. Customers and regulators can demand that you must be within a certain level of uptime easily – the technology to perform that type of operation is available today within at least reasonable costs. Total cybersecurity resilience is not something that’s possible with today’s technology (and not likely to become available in the very near-term), and as such it is more about being able to prove you have done what you could, rather than proving you’re bullet-proof. 

 

Key components of cybersecurity resiliency are:

 

1 – Layered security methodologies: Whenever we talk about cybersecurity resilience, we’re talking about being able to have security controls compensate for each other if one should be bypassed by a novel attack. So you would perform security awareness training for employees, implement endpoint controls (like anti-malware tools), identity solutions (like Active Directory, Okta, etc.), web gateways (firewalls, proxies, etc.), and other layers of security controls to allow for catching and blocking threat activity that could slip through any one control. 

 

2 – Security-by-design development protocols: If you build technology – either hardware or software – you start by building in security as a primary development metric. This is different from traditional development which primarily addressed security as part of late-stage development operations. By understanding the threat landscape and building defenses into the hardware or software being developed, the likelihood of successful attack is reduced.

 

3 – Testing regularly: For any set of security controls, the only way to know that they are working (and being able to prove that they’re working) is to test them on a regular basis. This means running controlled threat activity within the production environment, and as such you may need to leverage professionals like penetration testers who know how to do that safely. 

 

4 – Tuning regularly: No cybersecurity is “set it and forget it.” Every tool, policy, control, etc. must be reviewed on an ongoing basis to ensure that it isn’t falling behind in its primary role of defending the organization. This can be based on your testing in part 3 above, but can also include regular review of best-practice documentation from the vendors of your hardware and software. The cybersecurity threat landscape is changing all the time, so regularly tuning systems and controls to counter those threats is a necessity. 

 

5 – Monitor your environments: Cybersecurity incidents happen fast, and your organization needs to know that they happened, that your controls held, or that you need to take immediate action to counter the threat activity. This requires monitoring the organization’s systems to make sure that if something does happen, technology and cybersecurity team members know about it fast and begin to deal with it immediately. As the tools and systems used to monitor can be complex – such as SIEM solutions and security orchestration (SOAR) platforms – this may be another area where your organization can benefit from a partner who has the expertise in-house already. 

 

6 – Document everything. While it may sound like overkill, unless it is documented, it doesn’t exist. So all the layered compensating controls, security-by-design operations, testing, and tuning aren’t useful to an organization unless they’re documented; and that documentation is kept updated. This aids in satisfying auditors and regulators, but also greatly aids the cybersecurity team if something does happen. They can quickly assess the situation based on up-to-date information about the overall security of the organization, then take action. 

 

Cybersecurity resilience is less a set of strict requirements, and more about knowing that your systems and data are as defended as possible, and what you will do if those defenses fail unexpectedly. Through the six areas above, you can provide a solid measure of that resilience that can be shared with auditors, regulators, and anyone else who may need you to show your work and prove that you’re taking the necessary steps to defend your systems, data, and customers. 

New York State Unemployment Insurance Help

Noun insurance 2093990Guest Post:

Pat G, a long-time friend of mine and all around wonder-woman who takes photos of BIRDS OF FREAKIN PREY, was furloughed along with many of her co-workers. After the living nightmare of trying to file for unemployment insurance here in New York State, she documented her trials and asked me to post the resulting info here so that others don’t have to go through what she went through:

Pat’s message starts here:

Please, pass this info to anyone you know in NYC trying to collect unemployment insurance.  Despite the Dept. of Labor’s efforts, the system is still backlogged and getting through is nearly impossible for many.  I was able to get through and am shocked that not one media outlet has mentioned that there IS a way to do it. 

With so many people throughout New York State filing for unemployment, the system is overwhelmed and getting through to a real life human being is near impossible.  However, this IS away to get a claim processed and eventually get a person.  Here is my story:

My last day working was Sunday, March 15th.  Once I was let go, I immediately attempted to file for unemployment.  The last time I actually collected from them was in 2011, so I figured that all my info (including direct deposit) would still be on their website.  After numerous attempts to set it up on the Dept. of Labor website, I was prompted to call which I did.  I was eventually able to give all my info using their automated voice system.  It took about 15 minutes.  The system then informed me that it was going to transfer me to someone who will complete the last step which is the interview.  The phone cut off.  When I would get through it would keep hanging up.  This went on for three days.  Finally, I clicked on the contact us link and noticed they had a twitter feed.  There were complaints from fellow New Yorkers who had equally bad experiences.  I saw that one was actually answered that said to direct message them.  As I already have a twitter account, I subscribed to their feed, then clicked the direct message box and left a brief explanation of my dilemma.   I got a reply a few minutes later asking for my name and telephone number which I gave.  Less than five minutes later I got a reply saying that someone would call me.  

Lo and behold, 45 minutes later, a very helpful woman did call. She patiently listened to my tale than asked for my social security number for verification.  Apparently, the system worked and it did record all my info.  She said that someone would call me back in two hours.  90 minutes later, I got the call and completed the interview.  I was given a number to file my first claim which I did on Sunday, March 22nd.  As the State has temporarily waived the 7 day wait, the money was in my checking account on Tuesday, March 22nd.  I have not had a problem since. 

Please pass this on to anyone filing for Unemployment.  Let them know the following:

1.  Do NOT file your claim online, do it over the phone.

2.  Once the automated system records all your info, a voice will tell you to hold for an agent to finish your claim.  One of two things will happen.  Either you WILL be cut off, or a voice will tell you to call back and THEN you will be cut off.

3.  When this happens, go to the NYS Department of Labor Twitter feed and leave a direct message (click the tiny envelope) [Note from Mike: It may look different in your Twitter client, so look for “Send a Private Message” or “Send a Direct Message”]

4.  When they call you back, be prepared to answer questions regarding employment, etc.  Have your bank account number ready if you choose direct deposit (which is the fastest way to get it).

Good luck.

Religion Expects, but Lives Matter More

Noun Religion 2207552

The SARS-Cov-2 pandemic has changed how we live our lives. We’re being physically distant from one another, virtually working, checking in on relatives and friends more often; doing a thousand little things differently in order to not do the hundreds of big things we can’t do right now. One of the biggest things for many is ways in which we can live our faiths. As we approach some of the holiest days of both the Christian and Jewish calendars; many are concerned that they will not be able to attend Passover Seder and Easter Mass. As a lapsed Catholic, and the child of both Christian and Jewish parents, I know how critical and important these very social gatherings are to members of the faithful. For most of us, we’ll celebrate while remaining distant from each other because we want to ensure that we can do everything we can each do to make sure this deadly virus doesn’t spread further and faster than it already is.

What is disheartening is that many in the United States (and elsewhere in the world, the US is not alone) are defying the public and government recommendations and even outright orders to not gather in large numbers to celebrate mass and attend Seder and other religious celebrations. Beyond disheartening, this is outright terrifying to many of us, as dozens and even hundreds of people gathering in close proximity can create an outbreak situation if any one of them is infected – even if they’re not yet showing any symptoms of COVID-19 at all.

I can speak to the Christian message on this topic, and it is very clear. Stay home, socially distance, and protect yourself and others. I was raised Catholic, but have even now retained a strong sense of Christian identity, and I can find nothing that demands we risk the lives of others in order to attend formal worship. Yes, there are many verses that talk about us worshiping no matter the personal cost to ourselves, but they specifically speak to political ramifications of celebrating mass when governments and armies might arrest us for doing so. On the contrary – Matthew 6 verses 5-6 even clearly state that going to worship because we believe we must be seen to be doing it is explicitly not important:

“5 “And when you pray, do not be like the hypocrites, for they love to pray standing in the synagogues and on the street corners to be seen by others. Truly I tell you, they have received their reward in full. 6 But when you pray, go into your room, close the door and pray to your Father, who is unseen. Then your Father, who sees what is done in secret, will reward you.”

The idea of a Eucharistic Fast – a period of time where one does not celebrate by the taking of communion – isn’t unknown to the Christian faith, and is called for during the pandemic. Celebrate with the congregation by live-streamed services, pray and seek wisdom, but do not attend communal events. Even if you believe (and there is biblical wisdom on both sides of this one) that you should not be concerned with your own safety in order to take the eucharist, you must be concerned for the safety and well-being of everyone else as per Matthew 22, 35-40 which speaks to us of Jesus’ own words:

“Then one of them, which was a lawyer, asked him a question, tempting him, and saying, Master, which is the great commandment in the law? Jesus said unto him, Thou shalt love the Lord thy God with all thy heart, and with all thy soul, and with all thy mind. This is the first and great commandment. And the second is like unto it, Thou shalt love thy neighbor as thyself. On these two commandments hang all the law and the prophets.”

The second highest commandment is to love your neighbor as yourself – and risking their health if you are infected but not showing any symptoms goes against this in every possible sense.

While I was shown some of the faith of Judaism over the years from that half of my family, I feel significantly less able to give advice on missing the Seder for SARS-CoV-2. Thankfully, I do have many friends who are practicing and religious Jews, and a couple who are even Rabbis. Their thoughts about what the Torah has to say on the subject were even more direct than the Christians’ were.

Simply put, life is more important than anything else.

The idea of “Pikuach Nefesh” – saving a life – outweighs all other obligations of the faith. This is true to the point that otherwise outright outlawed actions and even failure to properly celebrate Shabbat are acceptable if a life will be saved. Celebration of Passover is one of the most important occurrences of the Jewish calendar, but even an occasion as critical and important as Passover and the Seder must come second to the preservation of life. Gathering with others when you may be infected (even when not symptomatic), endangers the lives of others in direct opposition to Jewish law.

And there you have it. Celebrations of faith – in both Christian and Jewish families – are critical to our understanding and practice of that faith. That being said, both religions are quite clear that endangering the lives of others in order to celebrate your faith is simply unacceptable at best – and a defiance of the tenants of that faith at worst.

Please, stay home. Celebrate in your heart, live your faith in your deeds.

 

A note on comments: I have allowed comments on all of my blog posts, and will do so with this one as well, but will allow no intolerance or attacks.  Please do comment, but remember that you are speaking to a community of many people, many faiths, and many countries.  Remain respectful in your comments and they will be posted – even if they are not in agreement with me.

Chinese APT Group Weaponizes COVID-19 Fears

While there are currently upwards of seven cyber threat campaigns centered on SARS-CoV-2 (the virus that causes the illness now known as COVID-19); one stands out from the rest.  According to CheckPoint Research (https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/), this campaign is a continuation of previous attacks by the Vicious Panda APT group, with the latest iteration using the threat of the Coronavirus to entice users into falling for the downloader/stager scheme.

 

Though not particularly novel or intricate, the somewhat complex stager to downloader to dll methodology does have one thing that sets it apart.  Vicious Panda is the codename of a Chinese APT group – meaning that the country which saw the first devastating wave of COVID-19 patients, and the first loss of life from the disease, is now using it to disrupt data systems in other parts of the world.

 

The attack itself is straight-forward.  An email hook via a poisoned attachment – in this case a rich text file – is emailed or otherwise delivered to the target. Relying on a known exploit in the Equation Editor component in Windows systems installed with Microsoft Office, the RTF file executes code that performs additional actions on the infected machine.  In the case of this campaign, a series of download files (mostly DLL’s) sets up both a persistence factor so that the attack re-launches itself until removed whenever a Microsoft Office app is run; and a Remote Access Trojan (RAT) to allow the attackers to gather details and data from an infected device.

 

The RAT is the more problematic of the executable components; as in addition to stealing data and user information through screen shots and process dumps, a RAT can be configured to download and launch additional executable code. While the initial attack is independently dangerous, this ability to persist beyond reboot and to download more attack code at any time makes this significantly more worrisome.

 

As for mitigation against this threat, while the actual downloaded vector is new, the methods and techniques used to successfully land the attack are not.  Updates and patches exist for Windows to defend against the Equation Editor exploits, which have existed since 2017 but have remained unpatched on many Windows devices.  Patching against CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802 will limit the ability of the initial infection vector (the poisoned RTF file) to land, and thereby defend the device itself.  It’s recommended that systems be patched as soon as possible if the fixes for these three CVE’s have not yet been applied.

 

While the actual attack binaries do appear to be new, they function with the same effect as most RAT’s; so monitoring for unusual activity around screenshots, file manipulation, data exfiltration, and unknown process initiation can identify that a device is infected.  Any device that exhibits these unusual behavior patterns should be temporarily isolated until further investigation can be performed to confirm infection or identification of the reason for the unusual operations.

 

Leveraging the COVID-19 fears of the world is despicable.  Threat groups have never been known for their reserve or decency, but launching attacks that play off the panic of the world right now is unacceptable beyond belief.  That it is coming from the country that experienced the first outbreak is even more bewildering and disappointing.  I urge all threat groups to not make the situation worse by playing off the fears of an international pandemic crisis.

 

It’s doubtful that we will see an end to attacks taking advantage of national and international crisis events.  As disheartening as that it, we must face reality and realize that any opportunity can and will be used to spread malware that disrupts and/or destroys businesses.  This example, though, is extraordinarily despicable for two reasons:  First, the disruption of many businesses during this specific crisis can, and will, lead to the loss of lives.  Disruption of a single manufacturer or medical equipment or devices will make the already devastating shortage of masks, sanitizers, ventilators, and other vital healthcare equipment so much worse.  People who might have lived will die, and their blood will be directly on the hands of these threat actors.  Secondly, the apparent origination of this specific threat from an Advanced Persistent Threat group from China – the first and one of the most significantly impacted countries – is simply baffling.  After the loss of life, disruption of business, and overall health impact of this virus; the country that was at the start of the chain of the pandemic should not be weaponizing the fear of that pandemic for furtherance of state-sponsored cyber threat goals.

 

Remote Working for Newbies

Noun remote work 1350970

 

When even the Federal Government is sending workers to work from home, there’s a lot folks in municipal and private organizations and companies working from outside their office for the first time. In my career, I have been rather lucky in that I have nearly always worked remotely. Companies I have worked for based in California or Israel often found it more economical to just cover my home Internet expenses than set up a physical office near me and the few other folks who worked in the area.

For those new to remote work, here’s a few tips I’ve had good experiences with over the years:

Set aside space: Even though you’re not in the office, you’re still at work. Claim some space in your home or apartment that will be used as exclusively as possible for work. While most (including me) won’t have the luxury of being able to set up a formal home office, you can designate a part of your living space that you will use when you’re working. The purely mental differentiation can help you focus on work when it’s working hours.

Don’t ignore your family, but know that you are at work: Even though you’re at home, during the workday your time still “belongs” to your employer. In much the same way as you will absolutely deal with emergency family matters when in the office, you should limit family time during working hours to just necessary events. Don’t ignore family members who are at home with you by any means, but do let them know that when you’re working, you’re working. If it can wait for 5pm, it should. If it cannot, you will deal with it immediately just like you would if you were still in the office. This gets significantly harder when you’re physically in the same space with the family members in question, but you must firmly hold the line.

Defend the company (and yourself): If you’ve been issued company equipment to work remotely, use that – and only that – equipment to do work. This will allow you to work on a device that the company IT team is still keeping patched and updated with anti-malware tools. If not, ensure that you keep your own devices updated with patches and fixes (don’t ignore the “you need some updates” messages), and make sure you have at least basic anti-malware/antivirus tools installed and kept up-to-date. If the company supplies a virtual private network (VPN) tool, be sure that you use it any time you have to work on company applications and data. Finally, make sure everyone knows that the company laptop is only to be used by you, and for work. Even if it’s more powerful than your home PC, the kids, your significant other, or anyone else who’s there can’t use it to play games or watch videos.

Digitally separate work and personal life: If you are using your own PC or laptop for remote work, take some steps to keep work data and personal data independent of each other. For example, use one email client for your own email accounts, and Outlook for company accounts (if Outlook is provided for you as part of your company’s email system). Use one browser (like Chrome) for personal use and a different one (like Edge or FireFox) for work use. Alternately, make liberal use of “Private” or “Incognito” modes in a browser when doing work tasks. Create a new folder in your My Documents folder, and keep your work stuff only in that folder. Little things like this – which are both free and easy to do – can help maintain the boundaries between work and home data and applications; avoiding both risks to company data and potentially embarrassing situations if someone sees your bookmarks on a web conference.

Use defensive web conferencing techniques: Speaking of Zoom, Webex, Teams, and other web conferencing tools, there are definitely ways to use them that keep your privacy intact. First, invest in a camera cover. These stickers or sliders cost only a buck or two, and can avoid a lot of embarrassment if the web conferencing software turns your webcam on automatically without warning. Next, never share your entire desktop. Just about every web conferencing system will let you share a specific application or upload a powerpoint or other document. This way, if you get an unexpected private pop-up alert, it isn’t broadcast to everyone watching the conference itself. If possible, buy a low-end gaming headset that works with your laptop/desktop (or a higher-end one, but they can get quite expensive). Gaming headsets have uni-directional microphones; which means they help filter out the background noise of anything going on around you. Using a headset also helps avoid the feedback loops and squelching that using built-in audio systems can cause. Finally, if you feel up to it, you can go into the settings of the web conference tool and turn off video connectivity and set the application itself to not start automatically on a reboot. As a side-note, a shower curtain with a nice pattern or flat color suspended from mug hooks in the ceiling makes a great backdrop if you do wish to use your camera during calls and web conferences.

Leave the house when you can: This one is critical. Remote work can be very isolating, and the tendency to just stay in the house can be overwhelming. Granted, right now we’re all trying to enforce social distancing, but you can still go visit a local business during not-so-busy hours (when less people will be there) or take a brief walk. Calling friends and family can also help keep you connected to the world outside your apartment. Stay safe, but remember that you are not chained to your desk, and can step outside for some air whenever you need to.

Remote work can be an incredibly positive experience. Clearly delineating work from home – digitally, physically, and mentally – can make the process easier to manage and much more rewarding for you. If you find you hate remote work, this crisis will end; hopefully soon. If you find you love it, then proving that you can be just as effective and productive when remote will give you a better chance at making it permanent.

Miketalon.com Privacy Policy