Have You Switched to Microsoft Advanced Security Auditing Yet?

Stop waiting.

Nothing is more critical during a security investigation (incident response, or “IR”) than the quality of the information coming from your log sources. During a recent incident, progress stopped due to insufficient auditing settings. The IR closed with inconclusive findings and a remediation project to standardize and enable Microsoft Advanced Security Auditing. Microsoft released Advanced Security Auditing with Windows Vista and Windows Server 2008. After 12 years, I still see environments that have not configured it. In today’s threat landscape, most businesses are one incident from regretting it.

What is Advanced Security Auditing?

Here is an explanation from Microsoft:

“Security auditing is a methodical examination and review of activities that may affect the security of a system. In the Windows operating systems, the definition of security auditing is the features and services that enable an administrator to log and review events for specified security-related activities.

Hundreds of events occur as the Windows operating system and the applications that run on it perform their tasks. Monitoring these events can provide valuable information to help administrators troubleshoot and investigate security-related activities.”

Microsoft goes on to explain the difference between audit policies located in “Local Policies\Audit” and in the Advanced Audit Policy Configuration:

“The basic security audit policy settings in Security Settings\Local Policies\Audit Policy and the advanced security audit policy settings in Security Settings\Advanced Audit Policy Configuration\System Audit Policies appear to overlap, but they are recorded and applied differently. When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in (secpol.msc), you are editing the effective audit policy, so changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe.

There are a number of additional differences between the security audit policy settings in these two locations.

There are nine basic audit policy settings under Security Settings\Local Policies\Audit Policy and settings under Advanced Audit Policy Configuration. The settings available in Security Settings\Advanced Audit Policy Configuration address similar issues as the nine basic settings in Local Policies\Audit Policy, but they allow administrators to be more selective in the number and types of events to audit.

Image of a Local Audit Policy

For example, the basic audit policy provides a single setting for account logon, and the advanced audit policy provides four. Enabling the single basic account logon setting would be the equivalent of setting all four advanced account logon settings. In comparison, setting a single advanced audit policy setting does not generate audit events for activities that you are not interested in tracking.

In addition, if you enable success auditing for the basic Audit account logon events setting, only success events will be logged for all account logon–related behaviors. In comparison, depending on the needs of your organization, you can configure success auditing for one advanced account logon setting, failure auditing for a second advanced account logon setting, success and failure auditing for a third advanced account logon setting, or no auditing.”

Image of Microsoft’s Advanced Audit Policy Configuration

What does this mean for my organization?

Where possible, SecurIT360 recommends implementing Microsoft Advanced Security Auditing at the domain level. This, in combination with Event Log policies, forces security log information to be retained for as long as possible on all machines.

SecurIT360 has teamed up with the Center for Internet Security to establish best practice settings. These settings can be the difference between an IR that ends with a conclusion vs. an IR that ends inconclusively.
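A way to check where a machine actually stands before and after that rollout, as an added example (not code from the original post, from Microsoft, or from CIS): it reads the effective advanced audit policy through the same Auditpol.exe the Microsoft text refers to, compares it with a baseline, and checks the Security log size. The baseline subcategories and the 1 GB threshold are assumptions for illustration; substitute your own CIS-derived values.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# The baseline below is an assumption for illustration; every name is a real
# auditpol subcategory, but the chosen settings are not a published benchmark.
$Baseline = @{
    'Logon'                           = 'Success and Failure'
    'Logoff'                          = 'Success'
    'Account Lockout'                 = 'Success and Failure'
    'Credential Validation'           = 'Success and Failure'
    'Kerberos Authentication Service' = 'Success and Failure'
    'Security Group Management'       = 'Success'
    'User Account Management'         = 'Success and Failure'
    'Process Creation'                = 'Success'
    'Audit Policy Change'             = 'Success and Failure'
    'Sensitive Privilege Use'         = 'Success and Failure'
    'Special Logon'                   = 'Success'
}

# Ask auditpol for the effective policy as CSV (/r) and parse it. The CSV columns
# are: Machine Name, Policy Target, Subcategory, Subcategory GUID, Inclusion
# Setting, Exclusion Setting. Setting names are localized on non-English systems.
function Get-EffectiveAuditPolicy {
    $raw = & auditpol.exe /get /category:* /r 2>$null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed (is the prompt elevated?)" }
    # auditpol may emit a blank line before the header; drop empty lines first.
    $raw | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
}

# 'Success and Failure' satisfies a baseline of 'Success' or 'Failure';
# 'No Auditing' or a missing subcategory never does.
function Test-AuditSettingCovers {
    param([string]$Actual, [string]$Expected)
    if ($Actual -eq 'Success and Failure') { return $true }
    return $Actual -eq $Expected
}

# One object per baseline subcategory: expected, actual, and whether it complies.
function Compare-AuditPolicy {
    param([hashtable]$Expected)
    $actual = @{}
    foreach ($row in Get-EffectiveAuditPolicy) {
        $actual[$row.Subcategory.Trim()] = $row.'Inclusion Setting'.Trim()
    }
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $have = if ($actual.ContainsKey($name)) { $actual[$name] } else { '<missing>' }
        [pscustomobject]@{
            Subcategory = $name
            Expected    = $Expected[$name]
            Actual      = $have
            Compliant   = (Test-AuditSettingCovers -Actual $have -Expected $Expected[$name])
        }
    }
}

# Build the auditpol command that would close a gap. It is printed, not executed,
# so it can be reviewed; in a domain, set this through Group Policy instead.
function Get-RemediationCommand {
    param([string]$Subcategory, [string]$Expected)
    $s = if ($Expected -match 'Success') { 'enable' } else { 'disable' }
    $f = if ($Expected -match 'Failure') { 'enable' } else { 'disable' }
    "auditpol /set /subcategory:`"$Subcategory`" /success:$s /failure:$f"
}

# Security log retention: the post recommends keeping log data as long as
# possible. The threshold is an assumption; CIS publishes its own minimum sizes.
function Test-SecurityLogSize {
    param([long]$MinimumBytes = 1GB)
    $log = Get-WinEvent -ListLog Security
    [pscustomobject]@{
        MaximumSizeBytes = $log.MaximumSizeInBytes
        LogMode          = $log.LogMode      # Circular logs overwrite the oldest events
        RecordCount      = $log.RecordCount
        LargeEnough      = ($log.MaximumSizeInBytes -ge $MinimumBytes)
    }
}

$report = Compare-AuditPolicy -Expected $Baseline
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Compliant } | ForEach-Object {
    Get-RemediationCommand -Subcategory $_.Subcategory -Expected $_.Expected
}
Test-SecurityLogSize | Format-List
```

When basic and advanced settings both exist, the advanced subcategory settings only take precedence if the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled, so check that option alongside the report.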

For more information on how SecurIT360 can assist you with Security Monitoring, Auditing, Managed Detection and Response Services, and Endpoint Detection and response, contact us.



Coronavirus Cyber Security Challenges – The Remote Workforce

The Cyber Security Implications of the Coronavirus

As the fear of the Coronavirus – COVID-19 – spreads, governments and companies are looking for containment strategies that reduce human contact.  Exposed cities are on lockdown, forcing any work to be done remotely and there are more restrictions to come.  Some companies have already closed locations as a precaution, and as restrictions increase, others will be forced to send workers home to work remotely.  The criminals have already started the scams: phishing campaigns to take people to fake news updates to see if they can entice a click.  That is the easy starting place.  No doubt that the cyber criminals will find other ways to try to monetize the situation including new types of Ransomware attacks.


Remote Security Posture vs. Capacity

Many organizations have created remote security policies and procedures that address the potential risks which need to be taken into consideration.  Systems have been designed with the capabilities to allow secure remote access and keep sensitive data safe, but they often do not have the capacity for everyone, or even most of the organization, to work remotely at the same time.  

Will the workarounds and changes you make to keep operations running compromise your security?  They might.  In situations like COVID-19, the urgency of a solution often means it does not get full cyber security due diligence.  Or, there is not enough time and money available to implement a prudent, secure solution that considers the risks. 

What to Do

Evaluate Risk

The discipline of applying cybersecurity protections is centered around the risk to the organization, its people, its systems, and its information.  Now, you don’t have to stop what you are doing for a couple of weeks and perform a formal risk assessment, but could an extra day or week spent on a more secure solution reduce hundreds of thousands or millions in risk?  Here are some basics about remote access that you should consider:

  • Who will be accessing the resources?
  • What devices will be used to access resources?
  • What resources will be accessed?  Data, Networks, Applications, Physical systems, etc.
  • What will the individuals be doing with the resources?  Download, screenshot, email, copy, print, control other systems, etc.
  • Will remote access to the information comply with statutory and client requirements that we must abide by?
  • If all of the above are not created equal (and they are not), then which might need to be treated differently?
  • See other known risks below

Implement Multifactor Authentication 

Require it for everything that is remotely accessible.  There are many options depending upon what you are trying to protect.  It is not a silver bullet and can be circumvented in some cases, but it GREATLY reduces your risk.  You should also require an additional layer or stronger security for certain individuals like your IT administrators and others with access to sensitive information.

Ensure that your basic security protections also apply

You MUST have difficult passwords, require patching, screen saver time-outs, and all of the other basics that you require for your internal network.  

Monitor Remote Access

Is that really John?  Why is he still working at 2:30am?  Geez, he is copying a lot of files right now.  You need to be able to understand that the remote behavior is legitimate and if not, take action.
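One way to ask the "is that really John at 2:30am?" question of the Security log, as an added example that is not part of the original post: it flags RDP logons (Security event 4624, LogonType 10) that occur off-hours or come from an address outside the expected ranges. The business hours, trusted source prefixes and sample records are constructed assumptions; a reader would swap the sample data for the output of Get-RemoteLogons on a real host with the Logon audit subcategory enabled.

```powershell
# Added example, not from the original post. Thresholds below are assumptions.
$BusinessHoursStart    = 7     # 07:00 local time
$BusinessHoursEnd      = 19    # 19:00 local time
$TrustedSourcePrefixes = @('10.', '192.168.10.')   # assumed corporate / VPN pool

# Constructed sample logon records shaped like the fields of event 4624.
$SampleLogons = @(
    [pscustomobject]@{ Time = Get-Date '2020-03-16 09:12'; User = 'jsmith'; LogonType = 10; Source = '192.168.10.44' }
    [pscustomobject]@{ Time = Get-Date '2020-03-16 14:40'; User = 'jsmith'; LogonType = 10; Source = '192.168.10.44' }
    [pscustomobject]@{ Time = Get-Date '2020-03-17 02:31'; User = 'jsmith'; LogonType = 10; Source = '203.0.113.77' }
    [pscustomobject]@{ Time = Get-Date '2020-03-17 02:35'; User = 'jsmith'; LogonType = 10; Source = '203.0.113.77' }
    [pscustomobject]@{ Time = Get-Date '2020-03-17 10:05'; User = 'adoe';   LogonType = 2;  Source = '-' }
    [pscustomobject]@{ Time = Get-Date '2020-03-17 11:15'; User = 'adoe';   LogonType = 10; Source = '10.0.5.9' }
)

# Pull real 4624 events and map them onto the same shape as the sample records.
# Needs the advanced audit subcategory "Logon" enabled, or there are no 4624s.
function Get-RemoteLogons {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } |
        ForEach-Object {
            $p = $_.Properties   # 4624 data: [5] TargetUserName, [8] LogonType, [18] IpAddress
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = [string]$p[5].Value
                LogonType = [int]$p[8].Value
                Source    = [string]$p[18].Value
            }
        }
}

# Outside business hours, or on a weekend.
function Test-OffHours {
    param([datetime]$Time)
    ($Time.Hour -lt $BusinessHoursStart) -or ($Time.Hour -ge $BusinessHoursEnd) -or
    ("$($Time.DayOfWeek)" -in 'Saturday', 'Sunday')
}

# Any address that is not local and does not start with a trusted prefix.
function Test-UntrustedSource {
    param([string]$Source)
    if ($Source -in '-', '::1', '127.0.0.1') { return $false }   # console / local logons
    -not ($TrustedSourcePrefixes | Where-Object { $Source.StartsWith($_) })
}

# One finding per RDP logon that is off-hours or from an untrusted address;
# Reasons tells the reviewer why the record deserves a second look.
function Find-SuspiciousRemoteLogons {
    param([object[]]$Logons)
    foreach ($l in ($Logons | Where-Object { $_.LogonType -eq 10 })) {
        $reasons = @()
        if (Test-OffHours -Time $l.Time)          { $reasons += 'off-hours' }
        if (Test-UntrustedSource -Source $l.Source) { $reasons += 'untrusted source' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time    = $l.Time
                User    = $l.User
                Source  = $l.Source
                Reasons = ($reasons -join ', ')
            }
        }
    }
}

# Run over the constructed sample; replace $SampleLogons with (Get-RemoteLogons) on a real host.
Find-SuspiciousRemoteLogons -Logons $SampleLogons | Format-Table -AutoSize
```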

Train Your Staff About Working Remotely

Ensure they know what is allowed and not allowed and what the risks are.

Consider a Tiered Solution

If you can’t provide the same level of security for everyone, then ensure that those that need the most security are on your best solution.  Create workarounds for others.  Many may be able to operate without remote access to the environment at all.  Cloud services come in handy here.  You can also check with your vendors about emergency temporary licensing or solutions.  See below for some considerations of different types of remote access. 

Known Risks Associated with Remote Access

You CANNOT and MUST NOT trust a home network

The PC itself is an unknown device that carries many risks.  I hate to be the voice of doom, but it may already be compromised by a bad actor and be part of a botnet or otherwise under someone else’s control:

  1. Could have multiple users, including kids playing games and others going to known risky sites
  2. May have risky applications installed
  3. It may not have current or working Antivirus and security software in place
  4. It may not be fully patched and may have many vulnerabilities
  5. It may not require a password
  6. You get the picture…

The network is consumer-grade and does not have the ability to offer the protections that you depend on at work:

  7. Firewall.  There may not even be one, just the device provided by the Internet provider
  8. Security Monitoring and Alerting.  Mature business environments have regular information available to surface anomalies and other risks that home networks do not have
  9. There are other devices on the network that are not secure.  Other computers, mobile phones, smart refrigerators, home automation systems, and who knows what other new security risks (baby monitors…) 

Data Sprawl

This is a big one.  When users know that they may be out of the office for a while, they will find ways to be productive in the easiest manner possible AND they are less concerned about the security or compliance requirements.  Be aware:

  • People will email themselves information.  Either to a home account or to themselves in their corporate account
  • Data will be copied to USB keys and might be transferred to other file-sharing technologies
  • Now that this data is being duplicated into other places, how can we keep up with it and secure it?
  • If allowed, the above-copied data will end up on non-company computing devices.  

Increased Scams

We have already mentioned the increase in phishing scams.  Since January, there has been documented registration of a number of questionable websites related to COVID-19 and to reputable organizations like the WHO, with the intent of taking advantage of those who are looking for legitimate information about the pandemic.

Free WiFi

Hopefully, this is happening a little less in this situation, but you could have workers trapped overseas or on a cruise ship who are using insecure remote access.  Educate them and provide alternatives.

Physical Theft

Now that we have more folks out of the office and working on company-owned or personal devices, these devices could be targeted by criminals.  If they get their hands on a home PC – without a password – that has company or customer information on it…

Security Postures of Possible Solutions

Today’s technology provides quite a few options for remote access; some of which are more secure than others.  Below is a discussion about the security considerations of some of the most common methods.  NOTE:  MFA (MULTIFACTOR AUTHENTICATION) is paramount for the security of any remote access solution.  MFA is not the silver bullet as you will see below, but we would not consider a remote access solution without it.

1 – Virtual Desktops

These offer the most protection, if used from a company-owned computer and configured correctly.  

Also known as VDI (Virtual Desktop Infrastructure) and DaaS (Desktop-as-a-Service).  VDI is typically hosted internally or privately, while DaaS is typically provided by a hosting company.  (More about remote access at the end of this post.)

Benefits of VDI and DaaS:

  • All of the data and applications remain on the virtual machine located within the data center and its security controls.  
  • You can enforce the same level of security (or a chosen level) based on profiles or rules.  These include:
    • Copying (or not) data to the remote computer
    • Sharing folders with the remote computer
    • Printing
    • Access to certain applications
    • Location-based rules

Risks of VDI and DaaS:

  • If accessing from an insecure or compromised (home) computer, an attacker could see everything the user can see – even if you did use MFA to access…
  • If rules are not established to govern copying files, network sharing, and printing, then the remote computer and network are vulnerable.

2 – VPN (Virtual Private Network)

Good protection but can have hidden risks if not correctly configured.  A VPN is an encrypted tunnel into your private network that makes the connected Computer or network a remote part of the network it connects to.  

Benefits of VPNs:

  • The secure tunnel allows connection to internal network resources including computers, applications, databases, and file shares.  
  • Some VPN software will enforce local security profiles on the connecting PC (including home PCs) to ensure that minimum requirements are met.  

Risks of VPNs:

  • If accessing from an insecure or compromised (home) computer, an attacker could see everything the user can see – even if you did use MFA to access…
  • If not configured correctly, you can be attaching an insecure home network, and all of its insecure devices (your kid’s iPhones), to your corporate network.
  • Depending upon configuration, VPNs allow users to transfer files to remote devices and map network drives to file shares

3 – Remote Desktop Access

Strength of security varies, but it is not as capable as VDI or DaaS.  When paired with a VPN, security is increased, but you still have risks.  Remote Desktop access is provided by software running on a computer inside your corporate network.  Examples include:  RDP, LogMeIn, GoToMyPC, VNC, TeamViewer, and there are others.

Benefits of Remote Desktop Access:

  • Access to the same computer and programs that you use while at work.
  • The company computer is subject to all of the company security policies and protections

Risks of Remote Desktop Access:

  • If allowed, the software can be installed and managed without IT’s knowledge, circumventing monitoring and other security controls and creating an unmanaged gateway into the company.
  • Some solutions can be accessed from anywhere using a web browser and may not require MFA.
  • Solutions allow for data transfer and printing which can lead to risks of data breaches. 

More About Remote Access

Virtual Desktops – VDI & DaaS

After authentication (including MFA…) the user essentially receives a window that displays the computer and all of its applications on the remote computing device.  The computing infrastructure can be in a private data center or hosted.  There is a virtualization layer where computing and storage resources may be spread across multiple physical devices that sometimes are not in the same physical location.

Virtual Private Networks – VPNs

Instead of routing directly through a public network, VPNs put a layer between your information and public access. They can aid in masking your online activity from the public and provide you with a secure connection to another network online. They work by making your IP address and location anonymous; your data is sent through them before being released to an external server. Generally, outside parties can identify your IP address and track your activity online, but behind the veil of a VPN, your online activity can only be traced back to your VPN service provider. 

Remote Desktops

Windows RDP

In Windows, this is a native software program that allows remote connection from another device running the appropriate connection software.  The user receives a screen just as they would sitting in front of the actual computer and is able to see the desktop and use their mouse and keyboard to interact.  One (insecure) way to use RDP is to open a port in the Firewall and allow direct connection from the internet.  This is how many machines have been compromised over the past couple of years.  RDP connections can also be brokered using a local server running Remote Desktop Services.  This is a safer, more secure configuration – don’t forget MFA. 

Local Remote Desktop Programs

Programs like TeamViewer or VNC can be installed locally on a PC or Mac and will allow direct connection over the network.  These function like Windows RDP above and can also be configured insecurely by exposing them through the firewall to the internet.

Hosted Remote Desktop

Other software is installed and managed by a cloud provider.  LogMeIn is an example.  The user installs the program on their computer and registers it with the service.  They can then remotely go to a web browser from any computer and authenticate (MFA?) to start a session with the company computer.



Cyber Security Budgeting for 2020

It is time to update our annual Cyber Security Budgeting advice.  I just led an exercise at a conference where folks had limited budgets and needed to determine the best places to spend their Cyber Cash.  As I reviewed what we have adapted over the years, much of it is still the same.  We continue to become more dependent on technology composed of applications, operating systems, processors, storage, and connectivity.  IoT, autonomous vehicles, 5G, Huawei, and other new things continue to proliferate, but we still apply the same principles to protect ourselves.  

So, what is new this year?

The proliferation of Ransomware and Business Email Compromise (BEC).  Crimeware as a service is nothing new, but the cases are skyrocketing.  If you don’t know someone who has had one of these events, then you don’t have very many friends.  The crime groups are becoming better at monetizing these events, and they are growing at an amazing pace.  The primary attack vector is still email and the humans that own these accounts.  This threat landscape and other considerations will move a few things around, and I will make note of them. 

So, here is some of the same old stuff:  Organizations are now more willing than ever to spend money to avoid becoming the next headline.  When planning, it is easy to focus on the available products that vendors spend millions of dollars pushing at us every day.  Products are required, but it is the process around them that keeps you secure.  Best practices in security follow a layered approach, and budgeting is no different.  Where should you focus your efforts?

The Basic Layers:  Reduce Known Risks

These are not sexy, but neither is changing your oil and rotating your tires (Diet and exercise?  Pick your poison).  Before you look at some of the newer, enticing security solutions, it is important to make sure the basics are covered.  What we know:  attacks and breaches are increasing every year.  We have seen an 8x increase in incidents in the past twelve months.  So, our basic list has grown from last year.  You may ask:  why don’t you just follow the CIS top 20?  We agree that all of those 20 items are very important, but after working with over 450 organizations, we know that approval of budget items, gaps in expertise, and culture typically make it hard for an organization to follow the CIS in order.  If you can, that is great, but we offer the following list of items to consider in order of importance and ease of execution:

  1. Email & Web security – Spam & Antivirus solutions
  2. Enable Multifactor Authentication for all remote access – don’t forget O365 and other cloud services – or don’t allow it
  3. Tested Backup and Recovery Capability.  More than restoring that occasional deleted file or email.  This is typically IT Ops and we had not specifically called it out previously – it is the best defense against Ransomware.
  4. IDS/IPS; internet monitoring/filtering – hard to believe, but we still find some organizations with outdated firewalls and no IDS capability
  5. End User Security Awareness Training – must include email Phishing
  6. Basic Incident Response capabilities
  7. Security patching for all hardware/software
  8. Endpoint protections – Antivirus/Malware solutions
  9. Review all accounts, especially privileged accounts and do not allow privileged accounts for regular use
  10. Check for consistent password and access controls across all of your platforms
  11. Encrypt portable devices
  12. Approve Basic Policies to establish guidelines
  13. Constantly inventory devices on your network
  14. Review firewall, remote access/VPN, and wireless solutions regularly
  15. Comprehensive network documentation
  16. Secure file transfer capability
  17. Basic Security Metrics and Reporting – Regular measurements are a must to eliminate a false sense of security
  18. Increase visibility with SIEM (Security Information & Event Management) – either in-house or as a service
  19. Evaluate your ability to perform these basic functions adequately – do we need managed services?

Add Advanced Layers to Cover Blind Spots

Once you have the basics in place, formal measurement and planning is prudent to prioritize capital expenses.  If you do not have the in-house expertise available, you may need to rely on outside assistance.  Some items to consider:

  1. Objective measurement: Risk Assessment, Security Audit, Vulnerability and penetration testing
  2. Complement SIEM with MDR (Managed Detection & Response)
  3. Formal Program & Policy development following ISO 27001, NIST, HITRUST, or other appropriate framework
  4. Risk Management
  5. Vulnerability Management
  6. Mobile device management solution
  7. NAC – internal Network Access Controls
  8. Data Loss Prevention technologies
  9. Identity Access Management
  10. Forensic capabilities
  11. Application whitelisting
  12. Incident Response Tabletops, Red Team, Blue Team, Purple Team Exercises
  13. Information Governance

Studies have shown that a good security posture will reduce the operational costs and the cost of a security breach.

A Note for your CFO:  You may want to remind your finance committee that breaches can cause serious reputational damage and be very expensive.  Cyber Liability insurance is not enough.  In today’s world, the expectation is that there are measurable efforts (and funds) devoted to keeping information safe.

Note:  SecurIT360 is an independent, vendor-agnostic Cyber Security consulting firm.  We do not sell or broker hardware or software.

If you are interested in a complimentary budgeting and strategy session using some of our time-tested tools, you can schedule a meeting by clicking this link, Appointments.

Why not just follow the CIS top 20?

Since we mentioned it, we will go ahead and put this list out here too.

Basic CIS Controls

  1. Inventory and Control of Hardware Assets
  2. Inventory and Control of Software Assets
  3. Continuous Vulnerability Management
  4. Controlled Use of Administrative Privileges
  5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
  6. Maintenance, Monitoring and Analysis of Audit Logs

Foundational CIS Controls

  1. Email and Web Browser Protections
  2. Malware Defenses
  3. Limitation and Control of Network Ports, Protocols and Services
  4. Data Recovery Capabilities
  5. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
  6. Boundary Defense
  7. Data Protection
  8. Controlled Access Based on the Need to Know
  9. Wireless Access Control
  10. Account Monitoring and Control

Organizational CIS Controls

  1. Implement a Security Awareness and Training Program
  2. Application Software Security
  3. Incident Response and Management
  4. Penetration Tests and Red Team Exercises

The 7 Key Principles guiding the latest version of the CIS Controls:

When designing the latest version of the CIS Controls, our community relied on 7 key principles to guide the development process:

  1. Improve the consistency and simplify the wording of each sub-control
  2. Implement “one ask” per sub-control
  3. Bring more focus on authentication, encryption, and application whitelisting
  4. Account for improvements in security technology and emerging security problems
  5. Better align with other frameworks (such as the NIST CSF)
  6. Support the development of related products (e.g. measurements/metrics, implementation guides)
  7. Identify types of CIS controls (basic, foundational, and organizational)

Phishing Attacks and Multifactor Authentication

Stop the Password Reset Insanity

How much time does your IT department spend changing a user’s network and or email account passwords because they clicked on a phishing link that they should not have? How many users do you have who do this repeatedly? Have you trained your users to identify, report, and ignore these phishing attempts?

Why make the only procedure to resolve this resetting the password when it just keeps happening again and again? Stop the insanity and look at a new way of solving this problem.

“The definition of insanity is doing the same thing over and over again and expecting different results.”

How Spearphishing Works

Your company webpage has just been redesigned to provide an enriched marketing experience. It looks great and everyone on your leadership team is excited about the new page. One of the pages, “About Our Team”, lists every member of the executive management team with a short bio. You have just provided the bad guys with a short list of high-value targets within your company.

With this list of users in hand and by utilizing the most standard email address format (everyone uses first initial of the first name + last name), a couple of smart public DNS queries, and a telnet to port 25 of your email server, I can determine your mail server and version, including Microsoft Office 365. Then I can set up a fake webmail account login page and send a well-crafted email asking them to log in to my fake email system so I can steal their password.

Once your user completes this action, I have not just compromised their account, I have compromised an influential person in the company. I now have access to the corporate account of someone who can make decisions and spend money, for example, authorize an invoice to be paid or request a wire transfer. Payday for me, headaches dealing with law enforcement, lawyers, cyber insurance companies, and forensics experts for you.

What Happens Next

Once you discover the intrusion, I’ve been reported to IT, the user’s account password has been changed, the lawyers are doing insurance reviews, and accounting is double checking the books, but I am still out there. While everyone is thinking, crisis averted, I am waiting for the next opportunity.

Now, I sit back and wait a week or two before another attempt. During this time, a business crisis arises, distracting the executives, and I send another email asking you to log in. Nine times out of ten, I get back in. Executives are busy between internal, partner and customer meetings, traveling, reviewing performance numbers, and so on. They are always busy and want things to go smoothly so they can accomplish tasks quickly. Because of this, your executives rarely look twice at the email asking for the password again – just so they can get that PDF report they think they are getting.

So, they are compromised. Again. You change their password. Again. Insanity.

While you are saying to yourself, “This would never happen at my company”, let me share this story with you. I recently worked a case where the President of the company was successfully spearphished three times in two weeks. Each time, the password was reset, and everyone moved on to other things. In another case, a breached IT administrator account was used to spearphish the CFO. As if that is not bad enough, the CFO had already been successfully spearphished two months prior.

How do I end this cycle?

The easy answer is to require multi-factor authentication (MFA). The harder question is, “How do I implement MFA without being chased with pitchforks and firebrands?” Or worse yet, isolated in an office in the basement with your career stalled out.

So, how do you implement MFA while minimizing the impact on your users?

Scenario 1:

IT develops a MFA implementation plan. They then meet with the executives to outline the program’s pros and cons, with the strategy of scaring them into agreeing to implement MFA. They use statistics from Gartner, include quotes from Verizon’s Annual Data Breach Investigation Report, and try to sell the implementation plan. Remember, these are the same executives who are busy moving from one fire drill to another while being spearfished daily. This strategy almost never goes well.

Scenario 2:

IT develops an MFA implementation plan. Instead of only using statistics from Gartner and quotes from Verizon’s Annual Data Breach Investigation Report, they use actual internal data to effect change from within. Prior to presenting this data, they have already completed an MFA pilot with their Email administrators and then rolled it out to the entire IT department. Here’s the payoff: report the measured results of the rollout to the IT Steering Committee, CFO, or COO; the point is, get an executive to start thinking about MFA, hearing the results, and digesting the successes. Then, get that individual to try it.

Peer pressure can also be beneficial in this scenario. “One-Upmanship” within a highly political boardroom can be a good thing. Having someone inside the decision-making group proudly boasting how fourteen unauthorized attempts to log in to their account were thwarted by MFA can provide the incentive you need. No one wants to be the weak link or in last place.

The Benefits of MFA

Now that you have implemented MFA, you are able to stop the insanity of repeatedly resetting passwords, re-imaging computers, spending hours on telephone calls with lawyers, insurance companies, and forensics companies. You can expect fewer security headaches, more time to complete your projects, and your executive team to appreciate how secure your network has become with multi-factor authentication.



Cloud Computing and Security

Cloud Computing

In its broadest sense, Cloud Computing can be defined as the practice of using a network of remote servers hosted by a provider on the Internet (“the Cloud”) to store, manage and process data. In the current enterprise landscape, organizations (called tenants) are steadily migrating technologies and services into the Cloud, looking for a competitive advantage that will enable the business to set itself apart from the rest of the pack. These advantages of Cloud computing include a reduction in start-up costs, lower capital expenditures, utilization of on-demand IT services, and the dynamic allocation of computing resources and capacities. Along with these and other benefits comes the ubiquitous security effort of protecting the data that is stored and processed in the Cloud.
Even though companies are moving these technologies and services to a third-party entity (the provider), the responsibility for ensuring the integrity and confidentiality of the data still resides with the tenant. It does not change the fact that preventative and detective controls must be in place and corrective activities defined. The move only changes how information security is governed. In this article, we will look at some of the challenges surrounding Cloud Security.

Types and Uses of Cloud Computing

Before we jump into the myriad of topics that make up Cloud computing security let’s look at the types of Cloud computing and their uses. Most Cloud computing services fall into three categories: infrastructure as a service (IaaS), platform as a service (PaaS) or software as a service (SaaS).

Infrastructure-as-a-Service (IaaS)

The most basic category of Cloud computing services is Infrastructure-as-a-Service, termed IaaS. With IaaS, an organization is renting IT infrastructure: servers, virtual machines, storage, and networks.

Platform-as-a-Service (PaaS)

This category of Cloud computing provides a platform and environment for developers to develop, test and deliver software applications.

Software-as-a-Service (SaaS)

This category provides applications and software solutions on demand over the internet, accessible to the user, usually via a web browser.

Cloud Security

When moving services and data to the Cloud, an organization needs to understand that security and compliance are a shared responsibility between the tenant and the provider. This is referred to as a shared responsibility model. Depending on the Cloud service that is being utilized, the security responsibility of the tenant includes patching operating systems as well as the applications (IaaS). But as the Cloud service changes, so does the responsibility. Example: when a tenant subscribes to an IaaS offering they are responsible for the OS, application and data security. If the tenant moves to a PaaS offering they are no longer responsible for the OS maintenance and the patching of that OS. Figure 1-1 graphically depicts the boundaries and ownership of security responsibilities. Regardless of the services utilized, the tenant is always responsible for their data security.
An oft-used phrase when discussing cloud security is “the tenant is responsible for security IN the cloud and the provider is responsible for security OF the cloud.” As you can see in Figure 1-1 the security of the data is ultimately the responsibility of the tenant.

Figure 1-1 Security Responsibility in the Cloud

Moving to the Cloud?

Is your organization looking to move to the Cloud? Are you evaluating providers to find out what service will work best for your requirements? If so, there are a few questions/issues that should be clarified to make an informed decision before committing to a move.

  • What controls does the Cloud provider already have in place and can attest to?
  • Will the provider be willing to submit to external audits and security certifications?
  • Where will your data be located? Regulatory requirements might dictate where the provider must process and store data.
  • What oversight does the provider have over the hiring of administrators who will be operating in their Cloud environment? You may require the provider to follow your hiring criteria.
  • What is done to ensure the segregation of your data if the provider is servicing your data in a multi-tenant environment? Find out what controls or protocols are used to segregate your data and verify that these controls are being enforced. “Trust but verify.”
  • What is the process for reclaiming your data in the event of a separation or acquisition? What happens if the provider gets acquired by a different third party? Make sure that your data will be in a format that can be exported and usable.
  • Will the provider be able to completely restore your data or service in the event of a disaster? How long will it take to restore your data?
  • Will they support eDiscovery and the investigative process?

Your Data/Your Responsibility

Don’t fall into an “out of sight, out of mind” mode about your data when you move to Cloud services. It’s your data and the security of that data is, and always will be your responsibility regardless of where it is stored or processed.

Breaches can cause serious damage to your reputation and significant expense for your company.  Cyber Liability insurance is not enough.  In today’s world, the expectation is that there are measurable efforts (and funds) devoted to keeping information safe.





Everything you wanted to know about Ransomware…but were afraid to ask

What is Ransomware?

Ransomware is a type of malicious software that prevents users from accessing their computer system or files until a sum of money (ransom) is paid. In the malware landscape, ransomware has earned itself a well-deserved nasty reputation.

There are two types of ransomware in this branch of the malware family tree: 1) locker ransomware and 2) crypto ransomware.

Locker ransomware effectively locks Windows access preventing the user from accessing their desktop or files. Typically designed to prevent access to one’s computer interface, Locker ransomware mostly leaves the underlying system and files unaltered.  A message would be displayed on the screen with instructions on how to regain access to the files. Winlocker is an example of this type of ransomware.

Crypto ransomware was designed to prevent access to specific, valuable data by encrypting the files using strong, public-key encryption. After performing the encryption, the bad actor would demand payment in exchange for a key that could be used to decrypt the files. Examples of this type of ransomware include Cryptolocker and CryptoWall among others.

Ransomware History

Modern crypto ransomware variants didn’t really come to the forefront of cybersecurity until around 2005. However, would you believe the first of this type was seen in 1989? The AIDS Trojan was identified in 1989 in England, making it the first of its kind. Also known as the PC Cyborg Trojan, it was propagated by mail…that’s right, no ‘e’. The creator of the virus, Dr. Joseph Popp, snail-mailed some 20K diskettes through physical postage to victims under the guise of supplying AIDS research information.

The malware would replace the AUTOEXEC.BAT file when the diskette was inserted into the user’s disk drive. The altered BAT file would track the number of times the computer was rebooted. When the boot count reached 90, a splash screen informed the user of their situation: “Unless you pay me $$ you will not get your files back”. The virus worked by encrypting filenames. Relatively primitive in design, it nonetheless rendered the files unusable. It didn’t take long for security researchers to reverse engineer the code and give users the ability to unlock their files.

The AIDS Trojan established the ransomware threat in 1989 but this type of malware wasn’t widely used in cybercrime until many years later. Jump forward to 2005 to see the accelerated acceptance and use of ransomware by criminal enterprises and bad actors.

Evolution of Ransomware
Ransomware in today’s threat landscape is affecting users worldwide. Different variants have evolved over the years. Driven by criminal enterprises that have seen the opportunity for financial gain, this family of malware has seen a dramatic increase in use over the last 15 years. Other direct revenue-generating threats in the digital age include misleading apps and fake anti-virus.

Misleading Applications

Some of the early manifestations of revenue generating malware were called “misleading applications” and “fake anti-virus”. The first wave of these types of malware was identified around 2005.

Misleading applications intentionally misrepresent the security status of a user’s system. Fake anti-virus programs attempt to convince the user to purchase software to remove non-existent malware or security risks from the computer. Pop-up Ads would be presented to users while browsing, usually from sites which had been compromised. The ads posed as spyware removal tools, system performance optimizers or anti-virus solutions.

The ads would exaggerate the condition of the system or the impact of a discovered “threat”. The offer was to fix these issues for a small license fee. As a rule, there were no actual threats or issues and even if the user paid the extortion fee nothing was changed on their system.

These were not ransomware by the strict definition, but nonetheless they exploited a user’s lack of security awareness and fear. SpywareClear, ImproveSpeedPC, SpySherriff, and RegistryCare are early examples of this type of malware.

Locker and Crypto Ransomware

Around 2008 the attack methodology shifted from fake anti-virus to a more troublesome form of revenue generating malware. Enter the Locker Ransomware family of malware. Now, cybercriminals disabled access and control of a user’s computer, effectively holding the system hostage until payment is made.

Not only did the cybercriminals increase the impact to the user’s system with lockerware they also increased the dollar amounts they were demanding. Additionally, as the use of locker ransomware gained popularity (its use peaked around 2011 and 2012) it shifted from just reporting non-existent issues or errors to actually taking control of access to the computer.

2013 brought the next step in the malware evolution: crypto ransomware. This was the year that the first variant of CryptoLocker was identified, and with it came a new mechanic in the ransomware modus operandi: asymmetric encryption.

As was discussed earlier, locker ransomware changed access controls and prevented a user from accessing the data. This meant that the data was still on the system in a readable format but a user could not access it through the OS.  Crypto ransomware differed in that it actually rendered the data unreadable by using encryption techniques. The user still had logical access to the data files but could not read them.

CryptoLocker was a hugely successful but short-lived variant in this malware family. The original CryptoLocker botnet that controlled it was shut down in the middle of 2014. However, it was reported that hackers successfully extorted nearly $3 million USD before being shut down.

The old saying “imitation is the sincerest form of flattery” very appropriately describes cybercriminal activity in the crypto ransomware field subsequent to CryptoLocker.  Since its launch, cybercriminals have widely mimicked and copied the CryptoLocker approach. So much so that the Cryptolocker name has become synonymous with ransomware.

Ransomware – What Lies Ahead

Ransomware is a constantly evolving threat. It is difficult to predict the direction ransomware will head in the coming years. The threat landscape is continually changing with cybercriminals always looking for new methods and vectors in which to generate revenue. The ransomware concept has matured to a healthy level so much so that “Ransomware as a Service” is an identifiable vertical in the cybersecurity theater.

The battle against ransomware is a major task that requires everyone’s participation. Engineers and production designers creating new technologies or products will need to embed security into their creation process by considering use cases that could be leveraged for malicious intent. End users will need to stay vigilant and utilize basic security best practices to help protect their data. Security awareness needs to be emphasized to end users to help them avoid clicking on malicious links and making sure their systems and software are appropriately patched.

One of the most important (and underemphasized) mitigation strategies that you can do to protect yourself and your data is making backups. At the least, backup the data that is important to you and do it on a regular basis.

Ransomware Solutions

There is no bullet-proof solution when it comes to cybersecurity.   Security is a process, not a product.  Knowledge is a powerful weapon in the fight against cybercriminals. This knowledge can be gained by both individual research and professional consultation. While reading up on ransomware and cybersecurity will increase your awareness of threats and help you better understand how to recognize and avoid future attacks, a consultation with SecurIT360 can provide valuable tools to take your cybersecurity strategy to the next level.

If you would like to learn more about how you can protect your corporate data, please click here to contact us.  You can also click here to subscribe to our blog which covers multiple topics on security threats and strategies to protect your data.  SecurIT360 provides audits, assessments, and analysis of systems and operations across multiple industries including legal, financial, utilities, and healthcare.  Let us help you determine where you should spend your time and money protecting your information.


A Vulnerability Scan is NOT a Penetration Test (Pentest)

What is the difference between a Penetration Test and a Vulnerability Scan?

Understanding the difference between a penetration test and a vulnerability scan is critical to understanding security posture and managing risk. Vulnerability scans and Penetration tests (pen test for short) are very different from each other in both process and outcome. However, sometimes the terms are incorrectly used interchangeably. In this article, we will explore the differences between the two as well as how they relate to each other.

Starting with the definitions of each you can see an immediate differentiator, the objective.

The objective of a vulnerability scan is to identify, rank, and report vulnerabilities or potential vulnerabilities that, if exploited, may result in system compromise. The objective of a penetration test is to discover and exploit existing exposures that could allow access to sensitive information or resources. Where the vulnerability scan is looking for open doors the pen test is entering those open doors.

Another major difference between the two is in the process and cost. Penetration testing requires the use of multiple tools and an experienced, certified security professional to conduct and monitor the test. During her/his engagement, the pen tester will generate scripts, change parameters of the attack and change settings on the tools being used. A very hands-on process.

On the other hand, a vulnerability scan is an automated process that does not require real-time management. The scan is automated and generally conducted using a single tool. Vulnerability scans can be scheduled to run automatically without manual intervention or manipulation. It does, however, require specific knowledge of the products/systems and the environment being scanned.

Additionally, there is a difference in scope. Depending on the requirement, a pen test will target high-value assets and the associated targets. This includes data assets and business functions. Vulnerability scans are generally enterprise-wide and touch servers, routers, firewalls, switches, and applications.

Even though a pen test is usually targeted/scoped for a single subject it requires more time to complete. In comparison, vulnerability scans take a short period of time. Depending on the size of the project a vulnerability scan can finish in hours compared to a pen test which can take days or even weeks.

There are various reasons for an organization to conduct pen tests and/or vulnerability tests. Satisfying compliance standards, defining a security posture, determining the effectiveness of security controls or testing an incident response program are among these reasons. Even though they are accomplished using different toolsets and processes, both pen tests and vulnerability scans serve important functions for protecting your environment and reducing risk.

If you would like to learn more about pen and vulnerability testing or discuss in greater detail how this could benefit your business please click here to contact us. You can also click here to subscribe to our blog which covers multiple topics on security threats and assessments. SecurIT360 provides audits, scans, and analysis of various systems and businesses across multiple industries including legal, financial, utilities, and healthcare. Let us help you determine where you should spend your time and money protecting your information.


Best Practices for Privileged Account Management – Part 1

Basic Privileged Account Management

Abused and Misused privileges are often seen as being the cause of breaches within organizations around the world.  Privileged account management should be a major focus for Security and IT management who are looking to mitigate the risks of data breaches and insider risks.

What is Privileged Account Management?

Privileged Account Management is the definition and management of policies and processes that define the ways in which the user is provided access rights to enterprise systems. It governs the management of the data that constitutes the user’s privileges and other attributes, including the storage, organization and access to information in directories (FICAM-09). In other words, how an organization manages privileged passwords and delegates privileged actions. Do you delegate, control, and filter privileged operations that an administrator can execute? Do you audit, record, and monitor privileged access?

Why is it important to an organization?

When it comes to utilizing high business value IT systems, privileged users, such as administrators, typically have the widest operational latitude.  They are typically responsible for deploying and managing functionality on which the business depends, from vital day-to-day functions, to strategic capabilities that enable the business to maintain its competitive edge.

However, there are risks to wielding this power.  IT complexity means that minor changes could potentially have unintended, and severe impacts on availability, performance, and/or integrity.  Malicious attackers, inside and outside of the organization, can capitalize on administrative level access to inflict serious damage to the business.  Given the increasing sophistication and popularity of modern attacks via malware and other methods, it is common for attackers to gain and exploit such privileges by impersonating trustworthy personnel.

What are some common best practices?

There are countless solutions out there for organizations to implement and everyone has their opinion on what is the best way to do it.  Below are a set of common privileged account best practices all organizations should follow:

  • Inventory all privileged accounts and assign ownership to that inventory
  • Do not use shared accounts
  • Minimize the number of personal privileged accounts
  • Limit scope for each privileged account
  • Use privilege elevation for users with regular access
  • Use contextual and risk-appropriate authentication methods for privileged access
  • Document policies and processes for the management of privileged accounts
  • Monitor and log all privileged access activity
  • Implement separation of duties model to manage superuser administrative privileges
  • Use default administrator, root, and similar accounts only when absolutely necessary

Best Practices for Privileged Account Management – Part 2

Privileged and Service Account Management

We spoke previously on the management of privileged accounts and how important it is to keep them accountable. Privileged accounts are one of many different types of accounts that should fall under your organization’s Account Management Program, and another one to add to that would be service accounts.

What is a service account anyway? In basic terms, a service account is an account that a service on your computer uses to run under and access resources. This should not be a user’s personal account. While they may look the same, the separation of users from services is very important for both tracking and the ability to tighten down what an account can and cannot do. A service account could also be an account that is used for a scheduled task (sometimes referred to as a batch job account), or an account that is used in a script that is run outside of a specific user’s context. A scheduled task account should not be a personal user’s account for the same reasons that a service should not run under a personal user’s account.

You may ask what is so important about these? It seems like if it is not a user account, then how would it have access to my organization’s network? On the contrary, these accounts are a favorite target of many malicious actors because they are often implemented in such a way that they have a higher level of access than a user account. Historically, they also have not changed passwords as often (if ever) as user accounts.

Services are often installed under the built-in Local System account, which gives what are essentially local administrator privileges, so they are more predictable in how they will be able to be used if compromised. While local administrator privileges may seem somewhat harmless since they are not usually usable on other computers on your network, the local administrator privileges can end up granting access to domain username/password combinations and/or lead to account changes that allow for easier connections to other parts of your network. As a result, both locking down a service account and following good password change and audit procedures is an important part of keeping your systems secure.

What can you do?

When it comes to the configuration and management of service accounts, there are a few things listed below that can help.

  • Password Management – Some administrators like to set these accounts up with passwords that do not expire or use the same password for all the service accounts. Instead, there needs to be a strategy for managing these passwords and changing them on a regular basis, as well as using unique passwords.
  • Privilege Management – It is best practice to implement the principle of least privilege. Only provide the minimum necessary privileges to service accounts. If your service account must run with administrative privileges, deny that account access to all of the directories besides the one or two that it needs.
  • Naming – Consider names that are not completely obvious to the service, for example SQLService would be helpful to administrators, but it is more helpful to attackers. While obfuscation is not usually a recommendation to secure systems, in this case it may slow someone down enough to not want to try every account available.
  • Auditing – Logging and auditing of service accounts, and all accounts in any case, is very important to keep systems secure. Using an event log aggregator and looking for specific events can be helpful in discovering security problems and services that are not working correctly.

Locking down your service accounts should be a basic component of your hardening guide for all computers. While it requires more time to lock down a new service account to allow access only to what it needs, it is well worth the time spent. Defense-in-depth requires that you look at more than the perimeter, and service accounts are one major place where the in-depth strategy can serve you well.
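The password, privilege and auditing points above can be turned into a repeatable check. The following is an added example, not SecurIT360’s code: it runs over a constructed service-account inventory and constructed, flattened Windows Security log lines (event 4624 logon events), flagging non-expiring, stale or shared passwords, membership in high-privilege groups, service accounts used for interactive logons, and personal accounts used to run services. Field names, the password-fingerprint column and the policy thresholds are assumptions.

```python
from collections import defaultdict
from datetime import date

# Fixed reference date so the password-age arithmetic is deterministic.
AS_OF = date(2017, 5, 15)
MAX_PASSWORD_AGE_DAYS = 90
# Assumed policy: groups a service account should never belong to under least privilege.
HIGH_PRIVILEGE_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
# Windows event 4624 LogonType values: 2 interactive, 4 batch, 5 service, 10 remote interactive.
INTERACTIVE_TYPES = {2, 10}
SERVICE_TYPES = {4, 5}

# Constructed inventory of service accounts (field names are assumptions; the fingerprint
# stands in for a password-vault identifier used to spot passwords shared between accounts).
SERVICE_ACCOUNTS = [
    {"name": "svc_backup", "password_last_set": date(2016, 1, 10),
     "password_never_expires": True, "password_fingerprint": "fp-a1",
     "groups": ["Domain Admins"]},
    {"name": "svc_web", "password_last_set": date(2017, 4, 1),
     "password_never_expires": False, "password_fingerprint": "fp-b2",
     "groups": ["Domain Users"]},
    {"name": "svc_report", "password_last_set": date(2017, 3, 15),
     "password_never_expires": False, "password_fingerprint": "fp-b2",
     "groups": ["Domain Users"]},
]

# Constructed, flattened Security log lines as an aggregator might forward them
# (real 4624 events are EVTX/XML; this key=value form is a simplification).
SAMPLE_EVENTS = """\
EventID=4624 TargetUserName=svc_backup LogonType=5 WorkstationName=SRV01
EventID=4624 TargetUserName=svc_backup LogonType=10 WorkstationName=WS07
EventID=4624 TargetUserName=jsmith LogonType=2 WorkstationName=WS07
EventID=4624 TargetUserName=jsmith LogonType=5 WorkstationName=SRV02
EventID=4672 TargetUserName=svc_backup
"""


def parse_event(line):
    """Split one key=value log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def audit_passwords(accounts, as_of=AS_OF):
    """Flag non-expiring, stale, and shared service-account passwords."""
    findings = []
    by_fingerprint = defaultdict(list)
    for acct in accounts:
        name = acct["name"]
        if acct["password_never_expires"]:
            findings.append((name, "password set to never expire"))
        age = (as_of - acct["password_last_set"]).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append((name, f"password is {age} days old"))
        by_fingerprint[acct["password_fingerprint"]].append(name)
    for names in by_fingerprint.values():
        if len(names) > 1:
            for name in names:
                others = ", ".join(n for n in names if n != name)
                findings.append((name, f"password shared with {others}"))
    return findings


def audit_privileges(accounts):
    """Flag service accounts placed in high-privilege groups."""
    return [(a["name"], f"member of {g}")
            for a in accounts for g in a["groups"] if g in HIGH_PRIVILEGE_GROUPS]


def audit_logons(accounts, log_text):
    """Flag service accounts used interactively and personal accounts used as services."""
    service_names = {a["name"] for a in accounts}
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4624":
            continue
        user, ltype, host = ev["TargetUserName"], int(ev["LogonType"]), ev["WorkstationName"]
        if user in service_names and ltype in INTERACTIVE_TYPES:
            findings.append((user, f"service account logged on interactively (type {ltype}) on {host}"))
        elif user not in service_names and ltype in SERVICE_TYPES:
            findings.append((user, f"personal account used for a service/batch logon (type {ltype}) on {host}"))
    return findings


def run_audit(accounts=SERVICE_ACCOUNTS, log_text=SAMPLE_EVENTS):
    return audit_passwords(accounts) + audit_privileges(accounts) + audit_logons(accounts, log_text)


if __name__ == "__main__":
    for name, why in run_audit():
        print(f"{name}: {why}")
```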




WannaCry – Worldwide Ransomware Attack – Updated

A widespread ransomware attack has spread across the globe, infecting tens of thousands of computers across many countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in many languages. There have been several versions and updates, but the ways to protect remain the same. Recently, a decryption tool has been discovered – see here.

Technical Details

Initial reports indicate the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers either through a Remote Desktop Protocol (RDP) compromise or the exploitation of a critical Windows SMB vulnerability.  Microsoft released a security update for the MS17-010 vulnerability on March 14, 2017.  According to open sources, one possible infection vector is via phishing emails.

The WannaCry ransomware received and analyzed by US-CERT is a loader that contains an AES-encrypted DLL. During runtime, the loader writes a file to disk named “t.wry.” The malware then uses an embedded 128-bit key to decrypt this file. This DLL, which is then loaded into the parent process, is the actual WannaCry ransomware responsible for encrypting the user’s files. Using this cryptographic loading method, the WannaCry DLL is never directly exposed on disk in decrypted form and so is not caught by antivirus file scans. Subsequent versions are manifested differently.

What to do to protect against Wana Decrypt0r aka WannaCry

1. Patch all Windows Operating Systems

  1. For supported Operating Systems see MS17-010
  2. Emergency Patch for Windows XP and Windows 2003 is here

2. Run a port scan and/or Vulnerability Assessment against your firewalls.

Ensure that Remote Desktop Protocol (RDP) and SMB are not open to the internet. RDP is typically on port 3389 and SMB on ports 445 and 139, but these can be mapped to different ports on your firewall. These configurations are security best practice.

Verify that other protections are working as expected. Do NOT assume you are safe just because you have purchased and installed a product.

3. Backups

Review your backups to ensure that they are working as expected. Test restores of critical data.

4. SPAM Filter

Enable strong spam filters to prevent phishing e-mails from reaching end users. Most enterprise filters should detect WannaCry.

5. Antivirus & Malware Protections

  1. Ensure that real-time scanning is enabled to detect file downloads, email attachments, and web links
  2. Ensure that scan engines are up to date and that definitions are downloaded and regularly deployed – at least daily. We recommend more frequently
  3. Configure anti-virus and anti-malware solutions to conduct routine scans
  4. Inventory protected machines to ensure that all have products installed and that they are functional
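Step 2 warns that RDP and SMB may sit behind a different external port, so a review has to look at where a rule forwards to, not just the external port number. The following added example (not from the article or from any firewall vendor) audits a constructed port-forward export for that condition; the CSV layout, addresses and source classification are assumptions.

```python
import csv
import io
import ipaddress

# Services the article says must not be reachable from the internet, keyed by
# the port they listen on inside the network.
RISKY_INTERNAL_PORTS = {3389: "RDP", 445: "SMB", 139: "NetBIOS/SMB"}
ANY_SOURCE = {"any", "0.0.0.0/0", "::/0"}

# Constructed port-forward export. The column layout and addresses are assumptions
# for this example, not a vendor's real format.
SAMPLE_RULES = """\
action,source,external_port,internal_host,internal_port,comment
allow,any,443,10.0.0.7,443,public web server
allow,any,3389,10.0.0.5,3389,rdp to jump host
allow,any,33890,10.0.0.6,3389,rdp on a custom external port
allow,203.0.113.0/24,445,10.0.0.9,445,file share for partner office
deny,any,445,10.0.0.9,445,block smb from internet
allow,any,8080,10.0.0.8,8080,test app
"""


def parse_rules(text):
    """Read the CSV export into a list of dicts with integer port fields."""
    rules = []
    for row in csv.DictReader(io.StringIO(text)):
        row["external_port"] = int(row["external_port"])
        row["internal_port"] = int(row["internal_port"])
        rules.append(row)
    return rules


def source_scope(source):
    """Classify a rule's source: 'internet' when unrestricted, 'restricted' otherwise."""
    if source.strip().lower() in ANY_SOURCE:
        return "internet"
    net = ipaddress.ip_network(source.strip(), strict=False)
    return "internet" if net.prefixlen == 0 else "restricted"


def find_exposures(rules):
    """Return (internal_host, service, external_port, scope) for every allow rule that
    forwards to RDP or SMB, judged by the internal port rather than the external one."""
    hits = []
    for r in rules:
        if r["action"].strip().lower() != "allow":
            continue
        service = RISKY_INTERNAL_PORTS.get(r["internal_port"])
        if service is None:
            continue
        hits.append((r["internal_host"], service, r["external_port"], source_scope(r["source"])))
    return hits


def internet_exposed(rules):
    """The subset open to the whole internet, the condition the article calls out."""
    return [h for h in find_exposures(rules) if h[3] == "internet"]


if __name__ == "__main__":
    for host, service, ext_port, scope in find_exposures(parse_rules(SAMPLE_RULES)):
        print(f"{service} on {host} reachable via external port {ext_port} ({scope})")
```

The custom-port rule to 10.0.0.6 is reported alongside the standard one, which a check keyed only on external port 3389 would miss.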

WannaCry Remediation

  • Isolate compromised computer systems.
    1. Unplug from network to prevent spreading
    2. Power down other computers or unplug network access switches during eradication
    3. Wipe and reload infected machines
    4. Paying the ransom does not guarantee recovery
  • Ensure that proper logging is enabled and preserved on key systems.
  • Contact law enforcement. Contact a local FBI field office upon discovery to report an intrusion and request assistance.  Maintain and provide relevant logs.
  • Implement your security incident response and business continuity plan.
  • Ideally, organizations should not store critical data on workstations. Critical data should reside on centralized storage systems. Storage systems should have complete, verified, and tested backups. Often the most efficient response is to restore data from a known clean backup.



File name:  @WanaDecryptor@.exe


Confirmed indicators – SHA-256 Hashes:


Yara Signatures

rule Wanna_Cry_Ransomware_Generic {
    meta:
        description = "Detects WannaCry Ransomware on disk and in virtual page"
        author = "US-CERT Code Analysis Team"
        reference = "not set"
        date = "2017/05/12"
        hash0 = "4DA1F312A214C07143ABEEAFB695D904"
    strings:
        $s0 = {410044004D0049004E0024}
        $s1 = "WannaDecryptor"
        $s2 = "WANNACRY"
        $s3 = "Microsoft Enhanced RSA and AES Cryptographic"
        $s4 = "PKS"
        $s5 = "StartTask"
        $s6 = "wcry@123"
        $s7 = {2F6600002F72}
        $s8 = "unzip 0.15 Copyrigh"
    condition:
        $s0 and $s1 and $s2 and $s3 or $s4 or $s5 or $s6 or $s7 or $s8
}



/* The following Yara ruleset is under the GNU-GPLv2 license ( and open to any user or organization, as long as you use it under this license. */

rule MS17_010_WanaCry_worm {
    meta:
        description = "Worm exploiting MS17-010 and dropping WannaCry Ransomware"
        author = "Felipe Molina (@felmoltor)"
        reference = ""
        date = "2017/05/12"
    strings:
        $ms17010_str1 = "PC NETWORK PROGRAM 1.0"
        $ms17010_str3 = "Windows for Workgroups 3.1a"
        $wannacry_payload_substr1 = "h6agLCqPqVyXi2VSQ8O6Yb9ijBX54j"
        $wannacry_payload_substr2 = "h54WfF9cGigWFEx92bzmOd0UOaZlM"
        $wannacry_payload_substr3 = "tpGFEoLOU6+5I78Toh/nHs/RAP"
    condition:
        all of them
}