Five ways to ensure your cyber security incident response plan stays relevant

Cybercrime is on the rise – attacks are becoming more frequent, methods more sophisticated, and impacts more severe. And while tools and technologies go a long way in protecting your business data and IT infrastructure, effective planning is also vital to risk mitigation and management.

A cyber security incident response plan can help you protect and restore business operations when and if an attack occurs. With new threats continuing to emerge, it is not only critical for your business to have a cyber security incident response plan, but for it to be regularly reviewed and updated. An outdated plan is rarely useful to anyone.

Here are five tips for staying on top of your cyber security incident response plan:

1. Update your list of critical systems and information
A catalogue of your organisation’s most vital digital assets is an important tool for prioritising incident response efforts. Over time, your systems will inevitably change, so make sure this is echoed in your plan.

2. Update threat-specific responses
Your incident response plan needs to change to reflect the current cyber threat landscape. Remember, last year’s biggest threat may not be this year’s.

3. Keep your contact list current
You want to be able to get in touch with the right people in a timely fashion when responding to an incident, and keeping your contact list up to date is the first step towards doing this.

4. Document your discoveries
Simulated cyber attacks are an effective, proactive and risk-free way of identifying deficiencies in your network. But you need to capture and document the results and key learnings along the way.

5. Communicate updates to your plan
Any significant changes to your cyber security incident response plan should be shared with the relevant team members.

Conclusion

While a robust cyber incident response plan can help reduce your exposure to cyber risks and mitigate the damage from cyber attacks, its efficacy is contingent upon up-to-date information. Ongoing tweaks and refinements will go a long way in helping to bolster your cyber posture.

FirstWave protects businesses and government organisations of all sizes from risk by providing rapid and affordable access to the most advanced, comprehensive and adaptive cloud-based cyber security solutions available. Get in touch with us today to learn more about how we can help your organisation get on the front foot against cyber threats.


Opmantek Predicts Top Network Management Trends for 2019!

Network management will become an even more prevalent connector as more businesses shift to the cloud, move out of internal infrastructure, and face the new monitoring requirements of emerging smart cities. This research aims to answer three questions: where are we going? Why are we going there? What potential surprises are in store?

The following migrations and trends will keep IT on its toes regarding what to expect in network management through the year ahead.

1. Proactive rather than reactive event management as machine learning and predictive analytics make impending issues easier to predict.

It’s been a long time coming, but with big data now being embraced by organisations, the ability to analyse trends and predict issues with network infrastructure is simpler and easier than ever before. Anomaly detection is also enhanced by systems that can ‘learn’ what is normal for a particular piece of hardware and alert engineers to any variances from the norm.

2. Linux will rule enterprise networks.

With Linux playing key roles in the Internet of Things (IoT), cloud technology, supercomputing and artificial intelligence (AI), the open source operating system will continue to dominate enterprise networks as we move into 2019. According to the Cloud Industry Forum (CIF), for the first time, businesses are spending more on the cloud than on internal infrastructure; Gartner confirms that 80 per cent of internally developed software is now either cloud-enabled or cloud-native. It is largely Linux that’s making the transition so advantageous. Linux is set to be more significant than ever in 2019: even on Microsoft’s Azure, the most popular operating system is Linux.

Reference: Henry Stocker, Sandra. (2018). What to expect from Linux in 2019 [Web log post]. Retrieved from here.

3. Smart cities and buildings bring a new era of monitoring requirements.

Electrical contractors delivering Building Management Systems (BMS) must deliver reliability and proven uptime. The BMS is the brain of a modern building, and it must have a working nervous system: the network. Contractors are increasingly being held responsible for the availability of their devices and for proving that they are meeting their SLAs. Opmantek’s NMIS Enterprise is winning contractor and large-scale development bids because it ensures all your maintenance reports and SLAs are maintained. Opmantek recently worked with a national building services chain on a smart building monitoring system, and we anticipate growing demand for this in the future.

4. The rise of Network Automation.

It’s sink or swim: companies will spend substantial resources in order to automate their networks. Manual scripting and point solutions will not be able to scale to match the massive increase in network demands. Innovative and smart network automation solutions will be on the rise: device management, automation of services, and enforcement of compliance across on-prem and hybrid deployments. Next-gen automation will be equipped with AI and machine learning to combat network complexity and security challenges. In 2019 especially, automation will evolve from the traditional detect-and-respond model to more intelligent predict-and-prevent strategies.

Reference: Vyakaranam, Nikhil. (2019). 5 Powerful Trends That Will Redefine Networking in 2019 [Web log post]. Retrieved from here.

5. Companies will invest significant resources in finding ways to reduce network complexity.

Cisco estimates that by the year 2021 there will be around 27 billion connected devices, and 43% of all devices will be network connected. The already complex IT network is set to become even more complicated. Hybrid and multi-cloud infrastructures, the continuous creation of innovative applications, and heavy demand for bandwidth-consuming services such as streaming video, gaming and social media applications are all leading to unprecedented levels of interconnection, further complicating the network.

6. MSP exodus from SaaS monitoring.

In recent times, there has been a shift in the market to Software as a Service (SaaS) purchasing, and many vendors now offer cloud-based solutions, a ‘simple’ network monitoring play for MSPs. In 2019 we predict that customers will begin to feel the restrictions of SaaS platforms, which are less capable of supporting all network devices.

Along with pricing linked to log processing volumes, and limits on the retention of historical data that inhibit the ability to deep-dive and analyse long-term trends, SaaS monitoring will become less desirable. With the continued popularity of enterprise cloud environments, we expect more organisations to seek a self-hosted cloud monitoring system going forward.

If there’s one thing we know for sure, it’s that network management transformations will continue to reshape how we conduct business and interact with technology, in 2019 and in the years ahead.


Tips to keep ransomware attackers at bay

As a business owner or manager, you need to address a range of cybersecurity threats. Ransomware is one of the most widespread and insidious.

Ransomware is malicious software (malware) that encrypts files or locks computers. People or groups behind ransomware attacks demand payment – often in digital currency – to restore access.

Ransomware can infect a business or government organisation in many ways. For example, a worker may inadvertently open a malicious attachment or click on a link in a phishing email to a malware-laden website. Once ransomware infects a computer or network, it may seek to spread to vulnerable shared systems.

According to the 2018 Internet Organized Crime Threat Assessment from Europol – the European Union’s law enforcement agency – ransomware remains the key threat in law enforcement and industry reporting.

In 2017, ransomware attacks called WannaCry and NotPetya – that exploited vulnerabilities in older or unpatched versions of Microsoft Windows – caused billions of dollars’ worth of damage to businesses and organisations worldwide. Industry experts expect similar attacks to occur in future.

So how can your business protect itself against ransomware attacks? The following steps may help minimise the risk of infection.

  • Promptly apply patches and updates to all software on devices connected to the network. Automate this process where possible.
  • Undertake regular backups and keep them off the network. This protects the copied material from infection if a ransomware incident does occur.
  • Install anti-virus software and keep it updated.
  • Use application whitelisting or other measures to limit the execution of unauthorised software.
  • Undertake education programs to make workers aware of the risks of opening an attachment or clicking on a link in a suspicious email, or visiting unknown websites. These programs should make workers aware of techniques attackers use to trick them into facilitating a ransomware infection. For example, attackers frequently create and send emails that purport to be legitimate communications from government service providers or prominent businesses, but actually include attachments or links to websites loaded with ransomware.
  • Develop a plan to minimise damage to the business or organisation if a ransomware incident does occur.

You should note that Australian Government cyber-security bodies typically recommend against paying ransomware operators. There is no guarantee they will restore access to the compromised files, and they or other attackers may identify your business or organisation as a target for future attempts.

If you would like to learn more, please contact us at info@firstwave.com.au.


Using Postman to Query The Open-AudIT API

I often utilise Postman to query the Open-AudIT API when developing. Just using a browser, it’s difficult to send anything other than a GET request – but Postman makes it simple to send a POST, PATCH or DELETE as required. You can get it from https://www.getpostman.com/downloads/ for Windows, Mac and Linux.

Install and start Postman. You can elect to create an account or not. You can also elect to create a new item using the wizard, or just close the modal and jump in. Let’s do that!

For the below, my Open-AudIT server is running on 192.168.84.4. You should substitute the IP address of your Open-AudIT server.

First, you need to make a POST to /login to get a session cookie. Set the dropdown to POST and the URL to http://192.168.84.4/omk/open-audit/login. Set the header Accept to application/json. Set the Body to form-data and provide the username and password keys, with values as appropriate for your installation. By default, it will look as below. Now click the Send button.

[Screenshot: Postman Open-AudIT API 1 and 2 – the login request and its headers]

You should see the JSON result saying you have been authenticated.

Once that’s done, it’s time to request some data. Make a GET request to http://192.168.84.4/omk/open-audit/devices and you should get a JSON response containing a list of devices. You can see the start of the JSON in the screenshot below.

[Screenshot: Postman Open-AudIT API 3 – the JSON device list]

What about changing an attribute of an item? Not too difficult. You’ll need the ID of the device you want to change, along with the attribute name from the database. You can see these in the application by going to menu → Admin → Database → List Tables and clicking on the “system” table. Let’s change the description for our device with ID 14.

You’ll need to create a JSON object and assign it to the “data” item to do this. It’s not too difficult. Your JSON object should look like the one below (formatted and indented for easy reading).
{
    "data": {
        "id": "14",
        "type": "devices",
        "attributes": {
            "description": "My New Description"
        }
    }
}

It looks worse than it is. Normally you would do this in code, where it’s a simple two-line conversion. Because we’re using Postman, we have to write the JSON ourselves. A useful site for checking that it is valid is https://jsonlint.com/

So now you have your payload, let’s send it to Open-AudIT. Make a new PATCH request and use the URL http://192.168.84.4/omk/open-audit/devices/14.
Supply the data attribute in the body → x-www-form-urlencoded section and hit Send. You should see the request as below.

[Screenshot: Postman Open-AudIT API 4 – the PATCH request body]

Deleting an item is even easier. Let’s delete an Org, in this case our Org with ID 2. Make a new DELETE request to http://192.168.84.4/omk/open-audit/orgs/2. That’s it – easy!

And if we want to read a specific entry, it’s just a GET request. Let’s get our default Org – ID 1. Just make a GET to http://192.168.84.4/omk/open-audit/orgs/1.

What about running a query? What’s the HTTP verb used to EXECUTE something? There is none. But we’ll make do by supplying /execute after the ID. So to execute a query, make a GET request to http://192.168.84.4/omk/open-audit/queries/1/execute. To execute a discovery, task or baseline, use the same format – ID/execute.

Remember, we always receive the result in JSON because that is what our Accept header asks for. We could receive it as HTML if we want – just remove that header item. Perhaps more useful is CSV output. Remove the Accept header and change the URL for a GET to http://192.168.84.4/omk/open-audit/queries/1/execute?format=csv. Done – CSV output you can copy and paste into Excel.

It really is that simple. The only one to watch is the PATCH request because you have to create your own JSON. Just about everything else is quite discoverable. Make sure you check the pages for Collections which detail the request formats. And don’t forget the Open-AudIT API page as well.
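The same sequence of calls, scripted in Python with the standard library only, as an added example that is not code from the post or from Open-AudIT. It assumes the server address, paths, header and form fields exactly as described above; the login is sent form-urlencoded rather than as Postman’s multipart form-data, and the credentials are placeholders.

```python
import json
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

# Server address from the post; substitute the address of your own Open-AudIT server.
BASE = "http://192.168.84.4/omk/open-audit"


def build_request(base, method, path, form=None, accept="application/json"):
    """Assemble one API call. Form fields go out as x-www-form-urlencoded,
    which is what Postman sends for the PATCH step in the post."""
    data = urllib.parse.urlencode(form).encode() if form is not None else None
    req = urllib.request.Request(base + path, data=data, method=method)
    if accept:                 # leave Accept off to get HTML, or use ?format=csv
        req.add_header("Accept", accept)
    return req


def patch_form(item_id, resource_type, attributes):
    """The PATCH body: one form field named 'data' whose value is the JSON
    object from the post, serialised on a single line."""
    obj = {"data": {"id": str(item_id), "type": resource_type,
                    "attributes": attributes}}
    return {"data": json.dumps(obj)}


def decode_form_json(body):
    """Read back the JSON object carried in a form-encoded body (bytes), so
    the payload can be checked before it is sent."""
    fields = urllib.parse.parse_qs(body.decode())
    return json.loads(fields["data"][0])


def execute_path(collection, item_id, fmt=None):
    """GET /<collection>/<id>/execute runs a query, discovery, task or
    baseline; fmt="csv" adds the ?format=csv switch from the post."""
    path = f"/{collection}/{item_id}/execute"
    return path + (f"?format={fmt}" if fmt else "")


def open_session(base, username, password):
    """POST /login once and keep the session cookie in an opener."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(CookieJar()))
    req = build_request(base, "POST", "/login",
                        {"username": username, "password": password})
    with opener.open(req, timeout=10) as resp:
        json.loads(resp.read())           # the "authenticated" JSON result
    return opener


if __name__ == "__main__":
    # Placeholder credentials; use the ones for your installation.
    opener = open_session(BASE, "USERNAME", "PASSWORD")
    with opener.open(build_request(BASE, "GET", "/devices")) as resp:
        print(len(json.loads(resp.read()).get("data", [])), "devices")
    body = patch_form(14, "devices", {"description": "My New Description"})
    opener.open(build_request(BASE, "PATCH", "/devices/14", body)).close()
    csv_req = build_request(BASE, "GET", execute_path("queries", 1, "csv"), accept=None)
    with opener.open(csv_req) as resp:
        print(resp.read().decode()[:200])
```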

Onwards and upwards.
Mark Unwin.


Open-AudIT | Device SubSection Data Retention Options

With the release of Open-AudIT 3.1.0, we have massively expanded the options around keeping and processing data from devices. SubSections of a device within Open-AudIT refers to the many tables that hold specific data types – software, netstat ports, processors, memory, disks, users, groups, etc. These options exist (for now at least) in the Configuration of Open-AudIT. The items of interest are create_change_log_* and delete_noncurrent_*. We previously had these options for a couple of select subsections, but have expanded them to cover every subsection.

Create Change Logs

The items named create_change_log_* use the database table names to specify which subsection they apply to – so create_change_log_software and create_change_log_memory are both valid examples. You can override ALL items by setting create_change_log to “n” – this will stop any change logs being generated, regardless of the individual table setting. So if a device has a piece of software added (for example), a corresponding change log would not be inserted if create_change_log_software was set to “n”. This is set to “y” by default. This matches how Open-AudIT has always worked.

Special Items

We have also introduced three special configuration items for Netstat Ports. Because ports above 1024 are mostly designed to be dynamic, we now provide three options for keeping this data:

  • create_change_log_netstat_registered
  • create_change_log_netstat_well_known
  • create_change_log_netstat_dynamic

These options correspond to the port ranges 0-1023, 1024-49151 and 49152-65535. See the Wikipedia list of TCP and UDP port numbers. In particular, Windows DNS servers open a LOT of ports high in the range that are (in my opinion) silly to keep track of. By default, only create_change_log_netstat_registered is set to “y”. We may add similar options for other subsections in the future if required.

Delete NonCurrent Items

Along similar lines, the configuration items named delete_noncurrent_* use the database table names to specify which subsection they apply to. If set to “y”, no historical entries will be kept for that table, only the “current” items as at the last audit (or discovery). Again, these individual items can be overridden by the global “delete_noncurrent” item: if it is set to “y”, all noncurrent items are removed from all tables. It is set to “n” by default. This matches how Open-AudIT has always worked.

Hopefully, these options provide some customisability for you to only keep the data you actually need.
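To see how the global and per-table items combine, here is an added example (not Open-AudIT’s own code) that evaluates the override rules described above against a constructed list of audit differences. The config keys and defaults are the ones named in this post; the “netstat” table name and the IANA names for the three port ranges (well-known 0-1023, registered 1024-49151, dynamic 49152-65535) are assumptions.

```python
# Defaults as described in the post: change logs on everywhere, noncurrent rows
# kept everywhere, and only the "registered" netstat bucket logged.
DEFAULT_CONFIG = {
    "create_change_log": "y",      # global switch; "n" silences every table
    "delete_noncurrent": "n",      # global switch; "y" purges every table
    "create_change_log_netstat_registered": "y",
    "create_change_log_netstat_well_known": "n",
    "create_change_log_netstat_dynamic": "n",
}


def port_class(port):
    """Map a port to one of the three netstat buckets (IANA range names, assumed)."""
    if 0 <= port <= 1023:
        return "well_known"
    if 1024 <= port <= 49151:
        return "registered"
    if 49152 <= port <= 65535:
        return "dynamic"
    raise ValueError(f"port out of range: {port}")


def change_log_enabled(config, table, port=None):
    """Should a change-log row be written for an item added to or removed from
    `table`? Global create_change_log = "n" wins outright; otherwise the
    per-table item applies (default "y"), and netstat rows use the port bucket."""
    if config.get("create_change_log", "y") == "n":
        return False
    if table == "netstat" and port is not None:
        return config.get(f"create_change_log_netstat_{port_class(port)}", "n") == "y"
    return config.get(f"create_change_log_{table}", "y") == "y"


def keep_noncurrent(config, table):
    """Keep historical (non-current) rows for `table`? Global
    delete_noncurrent = "y" purges every table; otherwise the per-table item
    decides, and its default "n" means the rows are kept."""
    if config.get("delete_noncurrent", "n") == "y":
        return False
    return config.get(f"delete_noncurrent_{table}", "n") != "y"


def plan_changes(config, changes):
    """Filter (table, detail) audit differences down to those that would
    produce a change-log entry under `config`."""
    return [(table, detail) for table, detail in changes
            if change_log_enabled(config, table, detail.get("port"))]


# Constructed sample: one software change and three new listening ports.
SAMPLE_CHANGES = [
    ("software", {"name": "example-agent 2.0"}),
    ("netstat", {"port": 53}),        # well-known: not logged by default
    ("netstat", {"port": 3306}),      # registered: logged by default
    ("netstat", {"port": 60000}),     # dynamic (e.g. Windows DNS): not logged
]

if __name__ == "__main__":
    for table, detail in plan_changes(DEFAULT_CONFIG, SAMPLE_CHANGES):
        print("change log:", table, detail)
```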

Onwards and upwards.

Mark Unwin.


Open-AudIT | The Default Network Address

With the new release of Open-AudIT 3.1.0, we no longer require the configuration item “default_network_address” to be set for Discoveries. It is still required for the “Audit My PC” functionality, but we hope to minimise this dependence going forward as well.

Why was Default Network Address required?

Initially, when we ran a discovery, on both Linux and Windows, we ran the audit script in such a way that it needed to know where to submit its results – what URL should it use? Hence the requirement for the configuration item. A while back now we changed how Discoveries run under Linux, removing this requirement.

Linux

Linux discoveries send the audit script to the target and run it with the flags “submit_online = n” and “create_file = w”. That is: do not submit the result to the server; create a file and output the filename to the console. The server waits for the script to finish and captures the console output. It now has the filename of the result on the target system. It copies the result from the target to itself and processes it. All good so far.

Windows

We could never make Windows work this way. The account we use for Apache is the standard “Local System” account. This account has no access to network resources, so it cannot simply copy the script to or from a target PC. This was always a pain because the Linux way of running the Discovery was so much better and cleaner. After some (more) research we realised we can access network resources via “net use” – we simply don’t assign a drive letter. Yay! So Windows can now copy the audit script to the target, run it, wait for the console output and then copy the result file back and process it, just like Linux.

Finally!

All that is a long explanation for “we don’t need the default network address set”. That’s one less item a user needs to worry about.

We do still require the default network address to be set for the “Audit My PC” functionality on the login page. We have plans to minimise this as well – if you can view the login page, we can use the request URL to work out what the default network address should be.

For now, it’s still required (as at 3.1.0), but look for it to be removed as a requirement in a near future release.

One step at a time, we’re trying to make Open-AudIT as easy to use as possible.

Onwards and upwards.

Mark Unwin.
