
Proudly Serving Washington


Washington Cybersecurity Since 2019

Get protection that goes beyond next-generation firewalls.

As hacker attacks rise, companies are spending more than ever on efforts to thwart them.  But there's something that many companies aren't doing, and could do, that can have a big impact on cybersecurity: upgrading their networks so they aren't as vulnerable.  This type of IT spending goes well beyond narrowly defined cybersecurity tools such as firewalls and encryption.  It involves replacing servers and other crucial hardware, operating systems, browsers and outdated applications, and training employees and associates, all for a positive impact on security.

Washington Customers

Some information I know about Washington is I believe the state was admitted or ratified to the United States around or about 'November 11, 1889'.  Washington is located around latitude '47.751076' and longitude of '-120.740135' and has a population of roughly '7,705,281 million'.  If I remember correctly the capital is 'Olympia' and the largest city is 'Seattle'. 

What's My Related Experience?

While I worked at Food Lion Corporate, which is owned by Ahold Delhaize, I worked within their Cybersecurity group around Varonis audits as a Scrum Master / Project Manager.  The type of work interested me.  I have no deep level knowledge of what they did but it always interested me.  As a project manager I need to know the terminology, concepts and basics around the scale of work they perform, so I am by no means a cybersecurity expert.

Word of Mouth

Take a moment to read related case studies and testimonials below around my experience with Cybersecurity.



Case Study

Ahold Delhaize had cybersecurity issues come up where we needed to manage Varonis located issues and much more.  I was the PM over the cybersecurity work effort.

"Eddie did a great job researching tons of documents to put the GSPLAD project back on track."

10/14/2019
Lee Quackenbush | USA
IAM Manager
Delhaize


Staying one step ahead is key.  Security is something we can never mess up.  If you mess up once, it is all over.  Attackers have to get lucky only one time, and you have to be lucky consistently to thwart them.

What is a Hacker's Achilles Heel?

A hacker's communication channels often send smoke signals of the activity, because the hacker always has to use communication pings.  Think of a robber breaking into a home.  Once they have access to the home, they have to figure out a way in.  Once they get in, were there security systems to alert someone that they are in the home?  Are they taking items from the home now?  The robber is at a disadvantage, though.  Time is not on their side.  They have to communicate out to effectively gain access.  The trick for them is to minimize their trail over and over, at machine speed, without being detected.  The cybersecurity professional has to see that.

The Modern Network

A modern network infrastructure does more to protect itself from hackers and user error.  Instead of depending upon employees to install updates, configure servers and identify spam, it backstops them, making software updates and server settings automatically, or using machine learning and artificial intelligence to spot suspicious email attachments or malware and isolate them so that they can't cause widespread harm.

Cybersecurity Posture

There is no single path to network modernization.  There are, however, some important actions that most network modernizations take, and which business leaders should consider as they seek to optimize their company's cybersecurity posture.

Simplify Networks

Companies often don't know what data, devices and users are on their networks in the first place, making it more likely that threats will go undetected.  A key goal of network modernization is to simplify and upgrade networks, giving better insight into the activity - legitimate and illegitimate - taking place on their networks.

That can mean simplifying and paring down platforms.  Having a lot of different software platforms that don't communicate with each other well makes traffic difficult to see and understand.  There are different ways to create a simpler, more modern, high-visibility network.  Software-defined networks make it easier to configure and update components and check for problems.

In addition, putting important functions into the cloud can simplify things, because cloud services offer built-in monitoring tools and automatic software updates.

What does Influenced Operations Mean?

Simply obtaining passwords or some other vector of access is easy because users can actually give up information or click on something.  If an attacker gets control of an email server, they can send any email from that server.  No software in the world can identify that those emails are not coming from you, because the parameters around where the emails come from are legitimate.  There is no technical solution to this.  There is 'No Patch for Stupidity'.

Are there Work from Home Vulnerabilities?

While VPN has its place, it is detrimental to organizations.  VPN is a piece of software that cuts through all security so individuals can work from home.  So, most companies are making their systems available from outside and calling it a day.  VPN is a cyber hypodermic needle directly into your company's network.  Imagine for a minute a syringe with a malicious payload: the VPN is the path to make it happen.  This whole universal connectivity we have, with Apple and other solutions where the iPad talks to the laptop and the laptop to the phone, is a problem.  Working from home does increase vulnerabilities.

Can Critical Infrastructure Be Vulnerable?

Someone who is going to impact critical infrastructure will wait for the hottest day in the summer or a deep freeze in the winter.  If the right shipment is stifled, it kicks off other major events.

Are there Hacking Rules of War?

A hacker could just target a bottleneck in the supply chain.  Just simply make it hard for a country to get goods into the ports.  There is a cascading effect on the viability of systems from one to another.  These hacker groups are not one-dimensional in their approach.  Their thinking is: what events can I kick off to create a cascading-effect scenario?

What is Ransomware?

Pipeline hacks, selling of data on the dark web, social security systems, medical records all are critical.  Corporations say 'we have backups'.  Ok, how often do you check your backups?  You know the first thing the ransomware hackers do is go after your 'Business Continuity Plan'.  They encrypt the backups or turn them off before they do anything else.  I am not super satisfied with companies' 'Remediations' and 'Business Continuity Plans'.  The attackers want you to bow down to their asks in the end, in exchange for a decryption key that may or may not work.

For example, the Colonial Pipeline was NOT literally hacked.  The attackers found stolen VPN credentials that gave them the information to get in, and extorted money that would keep them from going back in again.  Once access is gained, the malicious software acts like any other software meant to be run in the organization, because users allowed it to.

Move Beyond Passwords

Instead of expecting people to manage passwords and other forms of authentication, some companies are using more modern methods that utilize cryptographic keys.  When a user signs up with an internet service personally or through work, a pair of encryption keys is created, a private one residing on the user's device and a public one with the company.  Both keys must be available when the user logs on, with the user's private key typically being unlocked by providing their face, fingerprint or another authentication factor that proves they are who they say they are.
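
The log-on flow described above can be modelled as a challenge-response exchange. The following is an added example, not code from the original page: the in-memory service, the user name, the `portal.example` addresses and the boolean standing in for the face or fingerprint check are all assumptions made for illustration.

```javascript
// Added example: key-pair login modelled as challenge-response (Node.js built-in crypto).
const nodeCrypto = require('crypto');

// Hypothetical in-memory service; it only ever stores public keys.
function makeServer(origin) {
  return { origin, publicKeys: new Map(), pending: new Map() };
}

// Sign-up: the key pair is created on the device; the private half never leaves it.
function registerDevice(server, username) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  server.publicKeys.set(username, publicKey.export({ type: 'spki', format: 'pem' }));
  return { privateKey };
}

// Log-on step 1: the service sends a fresh random challenge.
function issueChallenge(server, username) {
  const challenge = nodeCrypto.randomBytes(32);
  server.pending.set(username, challenge);
  return challenge;
}

// Log-on step 2: the device signs only after the local face/fingerprint/PIN check
// (modelled here as a boolean) and binds the signature to the site it is talking to.
function signChallenge(device, challenge, origin, userVerified) {
  if (!userVerified) throw new Error('local user verification failed');
  const payload = Buffer.concat([Buffer.from(origin + '\n'), challenge]);
  return nodeCrypto.sign(null, payload, device.privateKey);
}

// Log-on step 3: the service verifies with the stored public key. Each challenge is
// single-use, so a captured signature cannot be replayed.
function verifyLogin(server, username, signature) {
  const challenge = server.pending.get(username);
  const pem = server.publicKeys.get(username);
  server.pending.delete(username);
  if (!challenge || !pem) return false;
  const expected = Buffer.concat([Buffer.from(server.origin + '\n'), challenge]);
  return nodeCrypto.verify(null, expected, nodeCrypto.createPublicKey(pem), signature);
}

function demoLogin() {
  const server = makeServer('https://portal.example');
  const device = registerDevice(server, 'alice');
  const sig = signChallenge(device, issueChallenge(server, 'alice'), server.origin, true);
  const ok = verifyLogin(server, 'alice', sig);
  const replayed = verifyLogin(server, 'alice', sig); // challenge already consumed
  // A signature produced for a look-alike site does not verify for the real one.
  const c2 = issueChallenge(server, 'alice');
  const lookAlike = signChallenge(device, c2, 'https://portal.example.test', true);
  const wrongSite = verifyLogin(server, 'alice', lookAlike);
  return { ok, replayed, wrongSite };
}
```

Nothing the service stores can be used to log in as the user, which is the practical difference from a password database.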

Integrate Hardware and Software

The latest security software and protocols won't always work with older servers and network gear, so keeping hardware up-to-date can improve security.  Usually, the problem involves firmware - the software, often built into a computer, that controls the device and permits other software to run on the machine.  But some businesses stick with old hardware that can't run the newest version of firmware, which often includes a host of cutting-edge security features.

Imagine trying to take advantage of all the security features in Apple's newest operating system - but using an old iPhone.  The new features simply won't work on the outdated hardware.  At some point, you must replace the phone.  Some new hardware has cutting-edge security features built into the computer chips themselves - which older hardware obviously doesn't have. 

If at any point you decide to reach out to me, just know the area codes I am familiar with for Washington are '206, 253, 360, 425, 509, 564'.  For Cybersecurity assistance you will find my rates very reasonable for Washington.  Now just keep in mind my time zone is 'Eastern Standard Time (EST)' and I know the time zones in Washington are 'Pacific Standard Time (PST)' in case you wish to call me.  Anyway, let me continue.

Cybersecurity Oligarchs

We are almost certain that operatives that work within the Russian military services are tied to cybersecurity crimes because their tactics and methods are very similar to the activities of cyber-crime.

Retooling While Under Attack

If a nation is taken out of, say, the SWIFT payment system, the attitude may be: well, if we cannot use it, we will make sure you can't either.  Vulnerabilities that exist become more prevalent when motives increase.  Retooling should start early on, not when the attacks actually start.

Anonymous

Anonymous is a hacker collective that seems to be leaderless.  They are identified by the white masks they wear.  WikiLeaks had Anonymous come to their defense.  Anonymous has split off into various factions.  Anonymous factions are often not armed with the right intelligence to discern who they should go after.

Hacktivist

Some hacktivists are excited about taking down a Russian satellite.  It is all fun and games until it is actually done.  For example, the satellites are utilized for nuclear missile systems.  So, what would Russia's response be?  To fire off nuclear weapons in return?  This could trigger large human loss.

What is more sinister is that in 2015 Russian state groups like the GRU were doing tests on the Ukrainian infrastructure.  They deployed KillDisk and it took down the power systems in Ukraine.  They designed it as malware to go through the system and take down utilities as a worm (sandworm).  The workers were watching someone on the screen actually shut off regions of breakers.

Pre-Established Plumbing

Adversaries establish their plumbing ahead of time.  We watch communications go out around 'Hey I am here when you need me' type of handshake pings.  We are literally waiting for them to turn on the switch for the 'Access they Have' and create havoc.  The grenade is already under the bed in essence.  All it takes is someone remembering to pull the string on the pin from outside the window to create a problem.
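
One way to look for the check-in pings described here and under "What is a Hacker's Achilles Heel?", as an added example that is not from the original page: group outbound connections by source and destination and flag pairs whose gaps between connections are unusually regular. The log format, the addresses and the thresholds are assumptions constructed for illustration.

```javascript
// Added example: flag source/destination pairs that connect at suspiciously regular intervals.

// Constructed sample flow log: "epochSeconds source destination bytesOut".
// 10.0.0.5 checks in about every 300 s with small jitter; 10.0.0.8 browses irregularly.
function buildSampleLog() {
  const lines = ['# constructed sample, not real traffic'];
  [0, 4, -3, 2, -5, 1, 3, -2].forEach((jitter, i) =>
    lines.push(`${1700000000 + i * 300 + jitter} 10.0.0.5 203.0.113.10:443 312`));
  [0, 12, 15, 410, 433, 2900, 2904, 7000].forEach((t) =>
    lines.push(`${1700000000 + t} 10.0.0.8 198.51.100.7:443 ${1000 + t}`));
  return lines.join('\n');
}

// Parse the log into a map of "src -> dst" to a list of connection timestamps.
function parseFlows(text) {
  const pairs = new Map();
  for (const line of text.split('\n')) {
    const m = line.trim().match(/^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)$/);
    if (!m) continue; // skip comments and malformed lines
    const key = `${m[2]} -> ${m[3]}`;
    if (!pairs.has(key)) pairs.set(key, []);
    pairs.get(key).push(Number(m[1]));
  }
  return pairs;
}

// A pair is flagged when it has enough connections and the coefficient of variation
// (standard deviation / mean) of the gaps between them is small.
function findBeacons(text, { minEvents = 6, maxCv = 0.1 } = {}) {
  const findings = [];
  for (const [pair, times] of parseFlows(text)) {
    if (times.length < minEvents) continue;
    times.sort((a, b) => a - b);
    const gaps = times.slice(1).map((t, i) => t - times[i]);
    const mean = gaps.reduce((s, g) => s + g, 0) / gaps.length;
    const variance = gaps.reduce((s, g) => s + (g - mean) ** 2, 0) / gaps.length;
    const cv = Math.sqrt(variance) / mean;
    if (mean > 0 && cv <= maxCv) {
      findings.push({ pair, events: times.length, meanGap: Math.round(mean), cv: Number(cv.toFixed(3)) });
    }
  }
  return findings;
}

function demoBeacons() {
  return findBeacons(buildSampleLog());
}
```

Legitimate software such as update checkers also connects on a timer, so findings from a check like this need an allowlist and a look at the destination before anyone acts on them.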

Drawing Fire

Cybersecurity folks know that their job draws fire upon them, primarily through doxing: revealing identifying information about someone online, such as their real name, home address, etc.  Typically, if it gets this far, the FBI gets involved and arrests take place.

Nation States

The job comes with risks, and cybersecurity experts may have to rethink how they can do things better, because one can only obfuscate oneself so much.  If countries or adversaries are mad at you, or companies with henchmen are upset with you, it can quickly escalate on a personal level if your identity is uncovered.

Missed Opportunities

Oftentimes cybersecurity requires analysis around what cyberactivity is happening at the moment.  When you have simultaneous routes of malicious activity going on at the same time, it takes away resources from other areas.  The field of cybersecurity is getting larger because the threat is growing fast.

You know, I don't make it out to Washington much, but I would like to see the 'Willow Goldfinch' state bird.  I am a little familiar with the Washington 'Western rhododendron' state flower as well.  However, I do not know much about Washington's state tree, the 'Western Hemlock'.  Fishing is fun to me; perhaps I would like reeling in the Washington 'SteelHead Trout' state fish.  Anyway, sorry I went off topic.  Let me continue.

Phone Systems

The terrifying capabilities of cyber activity across phones are real and wormable, affecting systems at a very rapid rate.  A wormable event is something you don't want.  It could take years to fix the damage.

Office Practices for Increased Security

As a rule of thumb, I have come up with 8 practices that will increase security which your office can handle.  They are:

1.  Inventory assets

The first step in any risk assessment is to inventory your hardware and software.  Your data is your core asset, so it is important to understand where it is in order to protect it.  Sometimes small practices have a vague sense of a few computers over here and a few over there, but if you ask them what operating system they are running, they tend not to know.  They don't know if their systems are patched or if the operating system is out of date and not getting security updates.  Having a simple spreadsheet with all your hardware and software assets listed is a good first step.

2.  Secure mobile devices

Keep in mind staff members will put their e-mail on their iPhone because it is easy.  That person is walking around with the data on their phone, and the practice has no idea.  If they lose that phone and it doesn't have a passcode, that data is vulnerable.  If nothing else, (practices) should have a written mobile device policy.

3.  Strengthen passwords

At some small physician practices, employees share the same password for every login.  But if your practice uses a cloud-based EHR, the login page is on the internet where potentially anybody could touch it, so your password strength becomes critical.

Consultants say that having strong password policies is a signal to employees that you take security seriously.  Industry experts suggest that passwords should be at least 8 to 10 characters long and contain a mix of upper- and lower-case letters, numbers and symbols.  It's also important to force employees to change their passwords regularly.  These rules should apply to logins for operating systems, EHRs and wireless networks.

4.  Focus on staff education and training

Medical professionals and office staff benefit from regular training on good security and privacy practices, both to help prevent attacks and respond appropriately if something goes wrong.  Employees need to know what to do if it looks like some kind of malware has been downloaded.  Don't forward it to everyone in the office with a note about how strange it looks.  People can recognize simple things, like how to know whether you are on a secure internet connection or not with 'https'.

Managed service providers often offer penetration testing, which tests staff awareness of cybersecurity covertly by simulating phishing attacks.  If employees click on the link, they are directed to training on what to look for when determining whether an email is potential malware.

5.  Use encryption and get rid of outdated software

Consultants commonly advise practices to put encryption on all their devices and upgrade operating system and browser software.  Windows XP and Internet Explorer can still be found on work machines even though those programs are no longer maintained by Microsoft and haven't received security updates from Microsoft for years, Apgar notes.  Many practices are still running Windows 7, which Microsoft will stop offering extended support for in January 2020.  It is time for everybody to upgrade to the latest version of Windows for instance.

6.  Use a commercial-grade firewall

Unlike the router you use for internet and TV service at home, a commercial-grade firewall can offer internet traffic filtering and compare against blacklists of known malicious spoofed websites.  The main point is that, for people trying to come into your network from the outside, it is a much bigger wall.

Firewalls also allow network administrators to customize a practice's security protocols regarding web browsing and e-mail communication to create a tailored experience for each user on the network.

7.  Keep up with patching

Make sure your software is being updated on a regular basis and evaluate the physical security of your computers and office.  (Criminals can steal data by breaking a window and stealing the computer, too.) If you have a file server in your office, the responsibility to have all networks buttoned up is more squarely on the shoulders of the practice.

Owens recommends applying patches and security updates at least monthly for operating systems, browsers, Adobe products and Java.  That applies to software or firmware updates to medical devices, too.

8.  Review contracts with IT service providers

For smaller practices that outsource their IT tasks to managed services providers (MSPs), it's a big mistake to assume that the MSP is taking care of everything when it may not be.  There is this assumption the MSP is doing all this, but sometimes it is not in the contract. 

One of his client practices was breached, and the physician assumed that the MSP was regularly looking at firewall logs.  The MSP responded by saying, if you want me to regularly look at your logs, here is the fee.  Make it clear to both sides which services are being provided and which are not.

Above all, physician practices need to assess their vulnerabilities and discuss with those in charge of IT which tasks and services are being provided and who is responsible for what - and document it in writing.

Remediation

Data can be sold on the dark web.  Corporations often say 'we have backups', but that still does not resolve the issue around already captured information.  The one thing ransomware cannot touch is disconnected backup storage, so make sure you have that.  The most you would lose potentially would be one day of operational data.

Need Assistance?

Ever have an idea about a product or service but lack the ability to develop that idea?  Are you looking for a reliable person/firm to build your software?  Perhaps you are in need of someone to manage projects and teams?







Word of Mouth

[ Latest 10 ]

"DeFI (Decentralized Finance) Development - Personally, wrote a blockchain wallet payment solution in native C# without 3rd party libraries (such as BouncyCastle and NewtonSoft)."

2/1/2023
Eddie Drye | USA
.Net Developer
Self

"Eddie is very strong given his expertise from years of software development.  Eddie spends quality time observing things working well and also those that are not.  Based on the patterns he has always engaged with the teams to provide constructive feedback and ensured to the solution."

5/27/2023
Arun Nitta | USA
SVP - Portfolio Delivery Manager / Program Manager
Bank of America

"I highly recommend Eddie Drye for any future role as Scrum Master for software development teams.  He has a very calming demeanor, is a good listener and he learns fast.  He contributed within his first few days here and was in a rhythm quickly."

12/2/2022
Larry Imperiale | USA
Senior VP, APS&E Operational Intelligence
Bank of America

"Eddie, Fantastic update on the technical status for the Operational Intelligence body of work."

11/9/2022
Phil Rice | USA
VP Architect of Channels Technologies CTO
Bank of America

"Eddie, thanks for all you are doing.  We, ESQ and Vynamic View project team, all appreciate what you are doing.  We see improvements already."

8/26/2022
Doug Elkins | USA
VP Infrastructure Engineer II
Bank of America

"Eddie, I really like how you run the Fleet projects.  I enjoy working with you."

10/14/2021
Scott Cash | USA
Director of IT Management
Pike Engineering

"Thanks go to Wilson and Eddie for their hard work to complete these BRD/FRDs."

1/22/2018
Stephen Rossi | USA
Nitro Project Manager
Delhaize

"Special thanks to Eddie, who joined me in burning the midnight oil this week."

1/21/2018
Wilson Schmidt | USA
DiPLA Business Analyst
Delhaize

"Eddie this is a really good start at troubleshooting this! (Production Issue)"

1/16/2018
Jon Nebauer | USA
DiPLA Solutions Manager
Delhaize
