Bluetooth – Take a Look Around Your Life

What’s Interesting?

I wanted to take a moment to discuss Bluetooth (BT) scanning tools and how easy it is to find a plethora of BT devices around you at any moment. I’ve been watching some of the objects that have come up lately, which are pretty interesting.

Give it a shot for yourself, and remember to be respectful of the devices and their owners you find. Yes, there are often attack surfaces around to tamper with. Yes, some of the devices make it easy to track their owners (especially wearables). Don’t do those things, but do take a look around and be aware of just what all BT devices are in your home and business. The results might shock you.

What do you need to look around?

Here are two easy tools to help:

1) On your mobile phone, grab an app called nRF Connect (available for iOS and Android in their respective stores and on your laptop). It makes it trivial to see all of the named and unnamed devices near you, at the mall, in a crowd, etc.

2) Another option for your mobile devices, and in some cases, your laptop, is LightBlue. This is a simple to learn and use inventory and debugging tool for BT developers. Very useful for exploring as well.

Give it a shot. Take a look around. Again, be respectful of what you find, but it opens the door to a lot of exciting stuff in our environments that are nearly invisible in many cases to our naked eyes.

Use the CISA Known Exploited Vulnerabilities Catalogue to Improve Your Patching Program

Cyber criminals are finding and exploiting vulnerabilities in programs and equipment faster than ever. For an example, just this week the Cybersecurity and Infrastructure Security Agency (CISA) warned of two vulnerabilities with CVE ratings of 9.8 that are being actively exploited in the wild to attack unpatched versions of multiple product lines from VMware and of BIG-IP software from F5. According to an advisory published Wednesday, the vulnerabilities (tracked as CVE-2022-22960 and CVE-2022-22960) were reverse engineered by attackers, an exploit was developed, and unpatched devices were being attacked within 48 hours of the release. Currently, this kind of rapid exploitation is not at all unusual. This means that to keep in step, organizations not only must monitor all of their IT assets for vulnerabilities, they must patch them quickly and intelligently.

This is where the CISA Known Exploited Vulnerabilities Catalogue (also known as the “must patch list”) can be a real help. It is free to all, regularly updated, and can be accessed at https://www.cisa.gov/known-exploited-vulnerabilities-catalog. What is nice about this tool is that it only includes vulnerabilities that are known to be currently exploited and dangerous. This helps you avoid wasting time and effort patching vulnerabilities that can wait. The catalogue also helps prevent organizations from concentrating too much on Microsoft systems. When you view the current catalogue, you will see exploited vulnerabilities in Apple, Cisco, VMWare, Big-IP, Fortinet, Chrome and IBM just to name a few.

As we have emphasized before, it is very important to track all of your IT assets. That is why maintaining current inventories of all hardware devices, software applications, operating systems and firmware applications on your networks is listed as Job #1 in cutting-edge information security guidance. Once you have a process in place to ensure that your inventories are complete and regularly updated, why not leverage all of that work to inform your patching and security maintenance program? You can simply compare the must patch list with your IT asset inventories and see if any of the currently exploited vulnerabilities pertain to your systems. If they do, that gives you a quick guide on which systems should be immediately patched. Remember that in the current threat environment, speed is indeed of the essence!

How Do I Know If My Company Needs a Risk Management Policy?

Risk management policies protect companies against financial losses due to various risks. These risks include legal issues, employee misconduct, environmental hazards, etc.

A company may implement a risk management policy to minimize these risks. However, several questions should be asked before implementing such a policy.

What Are the Risks That Could Lead to Financial Losses?

Many types of risks can lead to financial losses. Some examples include:

• Legal issues

• Employee misconduct

• Environmental hazards

• Product liability

• Cybersecurity threats

• Data breaches

• Other

It is important to understand what type of risk your company faces. For example, if your company sells products online, you will face cyber security risks.

Are There Any Existing Policies?

Before deciding whether or not to adopt a risk management policy, it is important to determine whether any existing policies cover the risks your company faces.

For example, if your company has an insurance policy, then you may not need to implement a separate risk management policy.

However, if your company does not have an insurance policy, then it is necessary to consider implementing a risk management policy.

Is Implementing a New Policy Worth It?

Once you know what type of risks your company faces, it is time to decide whether or not to implement a risk management plan.

Some companies feel that they do not need a risk management plan because their current policies already address their risks. However, this decision should be made carefully.

If your company does not have a formal risk management policy, then it is possible that some of the risks your company faces could go unaddressed. This means that the risks could become more significant problems down the line.

In addition, if your company decides to implement a risk management program, it is crucial to ensure that the program covers all the risks your company faces, including those currently unaddressed.

Do Your Employees Understand What Is Being Done?

When implementing a risk management plan, it is vital to ensure employees understand what is being done.

This includes explaining why the risk management plan was implemented, how the plan works, and what steps must be taken to comply.

The goal here is to ensure that employees understand your company’s risks and how the risk management plan helps mitigate them.

Will the Plan Be Cost-Effective?

Finally, it is essential to evaluate whether or not the risk management plan will be cost-effective.

Cost-effectiveness refers to the amount of money saved compared to the costs incurred.

For example, suppose your company spends $1 million per year to insure its assets. In addition, suppose that the risk management plan saves $500,000 per year. Then, the risk management plan would be considered cost-effective if it saves $500,000 annually.

In this case, the risk management plan is cost-effective because it saves $500,00 annually.

However, if the risk management plan only saves $100,000 per year, then the plan is not cost-effective.

In Conclusion

As discussed above, there are many reasons to implement a risk management strategy.

These strategies can help your company avoid potential financial losses caused by certain risks.

In addition, implementing a risk management plan can make your company more efficient and productive.

 

How to Rotate Your SSH Keys

SSH keys are used to secure access to and authenticate authorized users to remote servers. They are stored locally on the client machine and are encrypted using public-key cryptography. These keys are used to encrypt communications between the client and server and provide secure remote access.

When you log into a remote machine, you must provide a valid private key to decrypt the traffic. As long as the private key remains secret, only you can access the server. However, if someone obtains your private key, they can impersonate you on the network.

SSH key rotation helps prevent this type of unauthorized access. It reduces the risk that someone has access to your private key, and helps prevent malicious users from being able to impersonate you on your network.

Most security policies and best practices call for rotating your key files on a periodic basis, ranging from yearly to quarterly, depending on the sensitivity of the data on the system. Such policies go a long way to ensuring the security of authentication credentials and the authentication process for sensitive machines.

There are two ways to rotate your keys: manually, and automatically.

Manually

To manually perform key rotation, you need to generate a new pair of keys. Each time you do this, you create a new key pair. You then upload the public key file to the server you wish to connect to. Once uploaded, the server uses the public key to verify that you are who you say you are.

Automatically

An alternative approach is to use automatic key rotation. With automatic rotation, you don’t need to generate a new key pair each time you change your password. Instead, you simply update the permissions on your existing key file.

The following steps show how to configure automatic rotation.

1. Generate a new keypair

2. Upload the public key to the remote server

3. Configure the remote server to use the new keypair

4. Update the permissions on the old keypair file

5. Delete the old keypair

6. Logout from the remote server

More Information

On Linux systems, use the “man” command to learn more about the following:

    • ssh-keygen command
    • ssh-public-key command
    • upload-ssh-public-key command

The examples should provide options for command parameters and sample command output for your operating system.

For more information about the SSH protocol, you can review the Wikipedia article here.

 

Four Uses for the Raspberry Pi in Small Business Security

With Raspberry Pi systems now available fully decked out for under $100, there are many uses that small business security teams can find for these versatile devices. Here are four of our favorites for using them in security roles.

1. Honeypot for Detecting Attackers on Your Network

Our HoneyPoint™ Agent runs on the Pi. It allows you to monitor for potential network compromises and attempts to breach your network by offering a fake system for attackers to target. Since the system has no real use, any interaction with it is suspicious at best, and malicious at worst. This allows for an easy-to-manage detection tool for your business.

2. Nessus Scanning Engine for Vulnerability Management

Nessus now supports running on the Pi 4 with 8 Gigs of RAM. Nessus is a very popular and powerful vulnerability scanner. With it, you can scan your network for vulnerabilities and find out what software needs updating.

3. Run Pi-Hole for Content Filtering

Pi-Hole is one of the best open-source security tools on the Internet. It provides enterprise-quality content filtering for free. Drop this on your network and implement it following the online instructions, and you’ve got affordable protection against malicious advertising, bad content, and many types of malware that inject via the browser.

4. Build a Cheap VPN Server

PiVPN makes setting a VPN for your small business needs incredibly simple. You can use this feature to access systems while you’re away or just to stay safer on public wireless networks. Most folks can deploy this in under an hour, and it can save you an immense amount of risk.

Using a Pi for some other risk management or security purpose? We’d love to hear about it. Drop me a line on Twitter (@lbhuston) and let me know what you’re up to. We’ll feature any ground breaking ideas in future posts.

 

A Cynefin Risk Management Use Case

Lately, I have been working on using the Cynefin framework to help a client with supply chain risk management. I’m not going to dig into the specifics here, but I wanted to share a quick workflow that we used during this process that has been very useful for us.

Risk Matrix

First, we built a risk matrix for supply chain risk. Basically, there are a number of these available via the various search engines. We took some of the most common ones and tore them down to commonalities, then built them into our matrix. We turned this into a simple spreadsheet.

Heat Mapping

Next, once we had our risk matrix, we did an exercise where we heat mapped the various risks, scoring them high/medium/low subjectively. This gave us an excellent tool to monitor our situation and communicate it with our stakeholders.

Applying Cynefin

Next, we mapped all of the high risks into the cynefin framework by researching the present state of each, whether best practices were available and relevant, being developed, or still in the experimental stage. This gave us a good idea of which problems we could simply focus on using known techniques and skills against, which ones we needed to take existing decent practices and optimize them, and which problems we needed to experiment with solutions for.

Sharing and Feedback

Overall, the exercise took around an hour to complete once we compiled the basic templates and completed the risk matrix research. For those of you facing complex risk management problems, this workflow might assist. Let me know on social media (@lbhuston) if it provides any help or if you have suggestions and feedback. Thanks for reading!

Patching Perfection Now a Must for All Organizations

Look at the state of cybersecurity now. What a mess! Things have been getting steadily worse now for years and there seems to be no end in sight. Every time we seem to be getting a handle on one new malware campaign another one comes online to bedevil us. The latest iteration is the Log4j debacle. In its wake, the government has demanded that their departments increase their efficiency and timeliness in the patching of their systems. Non-government organizations should take a cue from this and also increase their efforts to patch their systems in a timely manner. It is certain that cybercriminals are not wasting any time in exploiting unpatched vulnerabilities on the computer networks of all kinds of organizations.

One thing to keep in mind in the present environment is that the most serious and far-ranging exploits against computer networks in the last several years are coming from nation states and government sponsored hackers. These groups are developing very cleaver attacks and then striking selected targets all at once. Once they have taken their pound of flesh, they are then ensuring that their exploits are shared with cybercriminals around the world so that they too may get on board the gravy train. That means that organizations that are not a part of the original attack list have some amount of time make their systems secure. But this lag time may be of rather short duration. It would be unwise to simply wait for the next patching cycle to address these virulent new exploits. This means that organizations need to institute programs of continuous vulnerability monitoring and patching, despite the headaches such programs bring with them.

Another thing to keep in mind is that organizations need to ensure that all network entities are included in the patching program, not just Windows machines. All operating systems, software applications, hardware devices and firmware applications present on the network should be addressed. To ensure that all these network entities are included, we advocate combining vulnerability management programs with hardware and software inventories. That way you can ensure that no systems on the network are “falling through the cracks” when it comes to monitoring and patching.

Although perfect patching is not a panacea, and is reactive rather than proactive in nature, it goes a long way in preventing successful attacks against the average organization. This is especially true if your reaction time is short!

3 Common Challenges Implementing Multi-Factor Authentication

Multi-factor authentication is becoming increasingly popular among businesses and consumers alike.

However, many organizations struggle to implement the technology successfully.

Here are three challenges organizations face when implementing multi-factor authentication.

1. Lack of Awareness

Many organizations don’t understand what multi-factor authentication is or why they should use it.

They think it’s too complicated, expensive, or unnecessary.

This misconception leads to a lack of awareness about the security risks posed by weak passwords and phishing attacks.

2. Security Concerns

Some organizations believe that multi-factor authentication adds complexity and cost to their IT infrastructure.

But, in reality, multi-factor authentication doesn’t add much overhead.

Instead, it provides additional layers of protection against cyberattacks.

3. Complexity

Organizations sometimes find it difficult to integrate multi-factor authentication into their existing systems.

For example, they might have to replace old software or change user interfaces.

Some Potential Solution Ideas

If you’re struggling to implement multi-factor authentication, here are some tips to help you overcome these challenges.

1. Educate Employees About Multi-Factor Authentication

Educating employees about multi-factor authentication helps them understand its importance.

Make sure employees know that using multi-factor authentication reduces the likelihood of fraud and improves overall security.

2. Use Technology That Works For You

Multi-factor authentication tools are becoming more popular by the day. Many low-cost, or even free, solutions exist from vendors like Microsoft, DUOand others.

Look for solutions that have easy integration with your existing business infrastructure and systems.

3. Work With A Partner

A partner who has experience implementing multi-factor authentication can be helpful.

An experienced partner can provide guidance and support throughout the implementation process.

4. Make Sure The Solution Is Right For You

Before choosing a solution, make sure it meets your organization’s needs.

As always, if we can be of assistance, drop us a line to info@microsolved.com. We’d be happy to help!

3 Essential Raspberry Pi Hardening Steps

Raspberry Pi hardening is essential for securing your device against attacks.

Here are three essential Raspberry Pi hardening steps:

1. Disable SSH If You Don’t Need It

Disable SSH access to your Raspberry Pi using the following command:

sudo raspi-config

Choose “Advanced Options” and then choose “No ssh”.

2. Change Your Password

Change your password to something secure. You can use the following command:

passwd

3. Update Raspbian

Update your Raspberry Pi’s operating system to the latest version available. This ensures that your device is up to date with security patches and bug fixes.

To update your Raspberry Pi, follow these instructions:

sudo apt-get update

sudo apt-get upgrade

In summary, hardening your device by following these steps will help you protect your Pi from attacks. Making these three basic steps a part of every Pi install you do will go a long way to giving you a safer, more dependable, and more private experience.

 

 

Why Emulate a PLC with a Raspberry Pi

One of the most powerful uses of emulating a PLC (Programmable Logic Controller) field device with a Raspberry Pi is that it provides an affordable and easily obtained platform for prototyping, performing ladder logic testing, and researching various industrial control systems and cybersecurity concepts.

Raspberry Pis are Affordable

Raspberry Pi models 3 and 4 are significantly more affordable than real PLCs. A typical PLC can cost hundreds or thousands of dollars.

The Raspberry Pi costs around $35-50 depending on your model choice. This makes them very accessible to hobbyists, students, researchers, developers, and anyone else who wants to work with the basics of industrial control systems. The low cost makes them ideal candidates to emulate a PLC in many scenarios.

Raspberry Pis are Easily Obtainable

PLCs can be quite difficult to come by, especially if you want one without any pre-existing software installed. Many manufacturers will not sell their products to third parties unless they have some kind of existing relationship. If you don’t already know someone at the manufacturer then you may need to pay a hefty upcharge. Additionally, purchasing the addons for power supplies, specific programming software, and such can quickly turn into a slog of paperwork and supporting tasks. The lead time and delivery times can take weeks to months.

The Raspberry Pi, on the other hand, can be purchased at many big-box electronics or computer stores, directly from many providers, or even delivered to your door from Amazon and other online sources. It uses a common USB power supply and can be configured and programmed using open source tools available online. Lead time is a couple of days to a few hours, letting you stay focused on your work.

The OpenPLC Project

The OpenPLC Project is a stable, well-documented toolkit for emulating basic PLC operations on the Pi. It has been used successfully to simulate a variety of different types of PLCs and includes support for ladder logic and other common PLC functions. You can find the programming reference and review the available capabilities here.

You can get OpenPLC up and running on a Pi in less than 30 minutes. In our testing, we were able to begin using the emulated PLC in our lab within an hour!

Going The Extra Mile With SCADABR

SCADABR is an open-source supervisory control and data acquisition software package designed to allow you to create interactive screens or human-machine interfaces (HMI) for your automation projects. It provides tools for creating graphical user interface widgets, event handlers, timers, and dialogs. With its ability to communicate with multiple controllers (including OpenPLC), ScadaBR is an ideal companion for the OpenPLC Runtime and Editor.

Using a Pi, OpenPLC, and SCADABR together, can get you a very powerful and useful PLC platform up and running for under $100 and in less than a few hours. Once implemented, you can use the platform to learn about industrial controls systems, ladder logic, PLC programming, and operations. You can also do basic ladder logic research and testing, and even prototyping for future real-world PLC deployments. Cybersecurity folks also have a very capable platform for learning about industrial control security requirements, performing vulnerability research, reverse engineering, or practicing their assessment skills in a safe environment.

While you might not get the full power of a true PLC (there are some limitations to Pi’s capabilities), you will likely get more than you expect. If you have an interest in or a need for some basic industrial control systems capabilities, this is a great place to start.