Sunday, May 17, 2020

Program Maturity - Cyber-security and Operational Risk Maturity

The Balancing Act

In reviewing my LinkedIn notifications I was wonderfully surprised to find an article written by Gideon T. Rasmussen, VCISO, on the topic: Cyber-Security and Operational Risk Maturity.  As soon as I saw it I thought, this is central to our consulting business, I had better pay attention.  So here we go.


As Gideon T. Rasmussen comments on leveraging risk I immediately get hooked.  How can you even begin to understand your operational and situational awareness without first understanding your risk?  At Integris Security we advise our clients: if it has not been done within the past twelve months, get a solid risk assessment done ASAP!  That risk assessment can then help you set priorities, establish tactical and strategic budgets, technology goals and priorities, and weigh your operational risk.  We at Integris believe this will improve the overall maturity of your cyber and operational approach.  But let's go on and see what else Rasmussen's nicely laid out article reveals.

Rasmussen talks about the U.S. Department of Commerce's N.I.S.T. (National Institute of Standards and Technology).  For a great many of us in the IT security practice N.I.S.T. has for years been the go-to "tool shed" for in-depth building blocks.  Their publications can take you from the very beginning of "What should I do? Where do I start?" to a polished, well informed presentation.  N.I.S.T. has a great many publications and they are 100% free.

The F.F.I.E.C. also provides great free guidance.  The men and women of the Northeast Chapter of the F.F.I.E.C. are your local financial services regulators.  You should get to know them, work with them and understand how they are approaching many of the same issues we are all trying to tackle every day.  Integris Security highly recommends you review the regulators' guidance and find answers to your company's compliance problems.  These tools are also 100% free and incredibly useful.

I do take issue with Rasmussen regarding this statement:
"There are no requirements for disaster recovery or business continuity. The card brands do not care if your business goes under, as long as their payment card data is secure." 
This is a nit, and can also be style, but the point has to be made.  There are literally hundreds of best practices for disaster recovery and business continuity and they should be put to use, despite the lack of attention the card brands give them.  Promotion of best practices is something we owe to the industry as a whole in our writings and presentations.  Taking on the card brands for their lack of attention to Rasmussen's legitimate concerns would do better as a separate article, for another day and time in my eyes.  We're talking Cyber-Security and Operational Risk Maturity.  At Integris Security we push everyone to stay focused.  Good practice is too important to relegate to tomorrow's news.  Let's keep it up front and worthy of continual presence and persuasion in our discussions on how to improve cyber-security and operational risk maturity.

In maturity level II, I love this discussion of controls, and it reminds me of C.O.B.I.T. as well as the many information security joint forums held with ISACA in years past and their auditor members.  You gotta love the structure these professionals have developed and the principles they follow.  This is a serious group of security professionals and we could all learn a lot from them.  Rasmussen then lays out the common controls, read: gap analysis and risk-based deployment of controls.  While there is not much new here, he provides a great review.  All solid material for a CEO and others within the organization to read and understand when weighing decisions on investment in the security program or cutting the fat off an already lean program.  These decisions will not be easy ones, for sure.

My own note here:

The Cyber-Security and Operational Risk Maturity discussions cannot be left alone to the operational business units, departments or divisions of your company.  These discussions need to expand to involve the audit committee at the board level and become a fluid, ongoing discussion led by the chairs of the audit, technology and other important committees, as the board and operational personnel try to achieve a balance of risk vs. reward and continue to build market value for the company's shareholders and investors.
 Joseph R. Concannon             

In maturity level III, Risk Management, Rasmussen covers it nicely and I smiled as he stated:
"It is necessary to tailor controls to the organization and to adapt to changes in the threat landscape."
Nicely done, Gideon T. Rasmussen; these words couldn't be truer.  It also reminds me to tell our readers that each organization has its own culture.  Some are very risk sensitive and others not so much.  I often use Johnson and Johnson and Martha Stewart Living as examples.  Two great companies, but their approach to security was night and day: Johnson and Johnson a security controls organization (almost war-like), Martha Stewart Living a creative design firm.  The cultures were completely different at the time of my interviews with their security personnel.  Managing your own expectations and the company's is very important.  Don't get ahead of your skates or you may get caught off balance.  Knowing the culture of your organization is key.  Now that you have new security and risk management information in hand, how do you operationalize it?  The best advice is to work with your team and leader and introduce incremental improvements to your organization's overall security/risk posture.  This will work to your benefit for short term tactical business operations as well as long term strategic planning for important improvements.

Your threat and vulnerability map will be constantly evolving as targets and priorities come and go.  The risk assessment report provides you with items for your to-do list.  The report will show best practices and offer a target-rich list for you to prioritize.  Rasmussen, I believe, understands this and covers it nicely, and provides some bonus points by laying out bullets for a prospective slide deck to communicate your findings and set future objectives.

The Risk Register is a platform to inform, and Rasmussen points this out clearly.  Want to know more about your risk?  The Risk Register is the place to go to identify, define, understand impact, respond, prioritize and take notes.  It's an invaluable tool given to us by the folks from project management.

Maturity level IV, Strong Risk Management, Rasmussen lays out a ten step program.


Rasmussen says:


1. There is appropriate separation of duties in the CISO's reporting structure, such as reporting to the CEO, Chief Risk Officer or Board of Directors. When the CISO reports to the CIO, it is a conflict of interest.
2. Cyber-security metrics, KPIs and KRIs feed into an Enterprise Risk Management program.
3. The CISO provides updates to the Board of Directors or similar executive group.
4. The cyber-security program maintains controls specific to line of business products, services and assets.
5. A process management program is in place, to include policy, an inventory and process risk analysis.
6. A fraud prevention program is in place, to include fraud risk assessments conducted by an independent third party.
7. An operational risk management function maintains a risk scenarios inventory and conducts quantitative risk analysis.
8. The organization leverages the Three Lines of Defense Model, with active support from operational management, risk management and compliance functions and internal audit.
9. Operational functions and lines of business are required to declare self-identified audit issues, with metrics in place to demonstrate the control environment is improving continuously.
10. Incident response and business continuity exercises are conducted annually to include senior executives, lines of business leaders, information technology, legal, public relations and critical suppliers.
This information is like having a great cyber-security road map.  However, just like any road map there are going to be detours, accidents and potholes, and you're going to need the awareness, patience and skills to work around them all.  If you follow the program laid out by Rasmussen you'll be in a better position to mitigate those great unknowns and navigate your way freely around obstructions.

At Integris Security we say: you make it, we make it secure!  We look forward to having these and many other important discussions with you.  We really enjoyed our read of Gideon T. Rasmussen's LinkedIn article concerning Program Maturity - Cyber-Security and Operational Risk Maturity and hope that you will too!  There is much to learn and many experiences to endure before we can truly say we're secure.


#Cyber-Security  #HomelandSecurity  #InfraGard #ISSA #ISACA #FFIEC #NIST










Saturday, May 2, 2020

Big Data: Security, Trust and Integrity

In information security the jewel of all certifications is the CISSP (Certified Information Systems Security Professional).  The certification is your entry key into top tier cyber security jobs and earns the respect of your peers in the industry.

The group that hosts the coveted CISSP certification is (ISC)2, the world's leading cyber security professional organization.  They actively promote their members and insist you want one of their people at the switch if the threat of an attack is at your doorstep.

A great many information security professionals have earned this certification and live up to its standards and for that they are proud card carrying members.  I salute them for their achievement. 

One of the most important aspects of the certification in my eyes is the code of ethics.  The code of ethics tells you something about the individual and the organizations they belong to.  (ISC)2 spares no dime on its code.  The code of ethics is huge and prominent.  Honor and duty are fundamental in any cyber security career.  The group lays it out like this:

  • Our code
  • Code of ethics preamble
  • Code of ethics canons
We again salute (ISC)2 for their outstanding work.  Note well that the prominence of the code, its preamble and canons cannot replace the responsibility of the issuing organization to aggressively maintain the standards so as to ensure its integrity.  The organization owes it to its members to police itself, and it has a complaint procedure, an ethics committee and an international working group.

As data comes to be accessed from hundreds and in some cases thousands of sources, we reflect on the role the information security professional has in the workplace and what a pivotal role it is.  Untimely and inaccurate intelligence/data can cause food supply shortages, run up the price of a barrel of oil and shift geopolitical affairs worldwide.  The use of big data and concerns around its integrity have never been more critical.

The role of the CISSP member becomes exponentially more important and his/her integrity should not come into question, hence the focus on "Big Data" in this article.  Data can shift global markets, take down thriving economies and strip citizens of their Bill of Rights, so the focus on this topic is both timely and in need of accuracy.  As governments and citizens reacted to COVID-19 the initial focus was on data-driven models which reported that millions were in peril if the US Government did not act quickly.  Today we see state governments restricting the movement of their citizens, barring them from accessing their properties (Michigan), removing business and liquor licenses from businesses who refused to comply (Maine) and here in NYC the issuance of one thousand dollar fines if you are found in non-compliance: wear your mask, don't get closer than six feet, or else!

As time passes we are learning that models are just that, models.  Accuracy depends on the information you put into a model; if the data is awful, so is the model and its outcome.  Thus data custodians and security personnel, take heed.  I think I have made the case: the timeliness and accuracy of data is very, very important, and the integrity of data custodians and security personnel has never been more acute.

 

Monday, April 27, 2020

Pandemic: Human Resource Help

A Resource no one should ignore


As some of you will no doubt know I do a lot of networking on LinkedIn.  I'm always interested in what's growing, what's moving and how to advance the story of our lives here in America.  Many of my professional connections are on LinkedIn and I am thrilled that I can reach into the resource from time to time seek the advice and opinions that they willingly provide.


This post is about exposing a resource whose time has come.  The need is here and people should pay attention to the depth and breadth of the posts.  It's about helping others who may really be in a bind due to the (self-imposed) downturn of our economy during this pandemic.  As we press forward and reopen our economy the endless opportunities will slowly give rise to America's unlimited potential, which should be great news for everyone involved.

In the meantime, Andrew Seaman does a segment on LinkedIn called #Gethired and provides some tremendous resources that I have found to be just terrific and incredibly helpful.  Andrew is a great writer and inserts into his posts another resource of LinkedIn called LinkedIn Learning.  I have viewed many of the videos and taken a number of these courses and found the quality to be top notch.  He quotes experts from the field and links them in his posts for additional value.  I call that bonus points.

A take away from the resume course is in the table I'm inserting below.  Within a few minutes you can brighten your day and freshen up that resume with color and relevance.


Keywords
Tell a story
Contrast/Compare
Never give up

I was also interested in what LinkedIn was saying on its blog.  Yes, if you didn't know it, LinkedIn has a blog and this is another terrific resource for all involved.  LinkedIn has managed to pull together a great team of individuals on its platform who do one terrific job of communicating.  That cannot be overstated.

That's what this post is all about.  Take a look at your LinkedIn account and drive some attention to the posts and resources that LinkedIn personnel and contractors have so handsomely put together in one place for your use.

@andrewseaman #Gethired

Thursday, April 23, 2020

APWG 4th Quarter Report 2019

Fraud and confidence schemes of the modern day: Phishing

History:

Prior to sophisticated electronics and computers, fraudsters or con men found ways with far less technical means to swindle people out of anything of value.  Then came the Internet. 
Phishing has its roots in the 1790s and, more recently, the 1990s with Commodore VIC computers, AOL, credit card number thefts and the warez community.  "The Warez Scene," as it is known, was a group of people specializing in the distribution of pirated content dating back to 1975.  Phishing attempts were crude in the early days.  As phishing became more prominent, criminal elements started to get focused: first on selecting specific companies as targets, then on extorting top tier executives, and eventually on the complete hostage taking of companies' technical assets (software, hardware, networks) with the introduction of ransomware.

The internet just made all of this a lot easier.  In 1995 random credit card number generators, driven by algorithms, already existed.  For a more complete reading see Ed Skoudis' malware timeline, which tracks the growth of technology, industry and subterfuge.  On January 2, 1996 the term phishing was posted for the first time, on a Usenet group devoted to AOL.  By September of 2003 hackers and con men had begun registering domains of popular companies; by October of 2003 PayPal users found malware in clickable emails and the Mimail virus was introduced to the public.

2004 produced another first as email solicitations for the U.S. presidential campaign of John Kerry came in from bogus sites in India and Texas.  Phishing was now making its debut in US presidential campaigns.  Fraudsters continued to use phishing in the years that followed and found novel ways to leverage the internet, like link manipulation, web site cloning, filter evasion, website forgery, covert redirect and much more.

Today APWG provides quarterly reports on phishing, and much of the same rings true about fraud and con men.  They find a soft spot and prey on their victim.  They are patient, technically smart and hungry for a win, while the rest of us are just trying, as best we know how, to avoid them at all cost.

Who is APWG?

The APWG is registered as a U.S. based 501(c)(6) corporation (a business-oriented not-for-profit) as defined by the IRS Internal Revenue Code.  On its web site APWG states it is an international coalition unifying the global response to cybercrime across industry, government, law enforcement and NGO communities.

APWG.EU, the institution's European chapter, was established in Barcelona in 2013 as a non-profit research foundation incorporated in Spain and managed by an independent board including APWG founding directors.  The STOP. THINK. CONNECT. Messaging Convention, Inc. is a US-based non-profit 501(c)(3) corporation jointly managed by APWG and the Washington, D.C.-based N.C.S.A.

What is Phishing?

Phishing as defined by the APWG (Anti-Phishing Working Group) is a crime employing both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials. Social engineering schemes prey on unwary victims by fooling them into believing they are dealing with a trusted, legitimate party, such as by using deceptive email addresses and email messages. These are designed to lead consumers to counterfeit Web sites that trick recipients into divulging financial data such as usernames and passwords. Technical subterfuge schemes plant malware onto computers to steal credentials directly, often using systems that intercept consumers' account user names and passwords or misdirect consumers to counterfeit Web sites.
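The "deceptive email messages" that "lead consumers to counterfeit Web sites" usually hinge on the links themselves.  The following is an added Python example, not from APWG or this post, that inspects the anchors in an HTML email body for three of the tricks named earlier in the history section: display text that shows one host while the href goes to another (link manipulation), a domain that imitates or embeds a brand (website forgery), and a link to a trusted site whose query string forwards the visitor elsewhere (covert redirect).  The trusted-brand list and the sample message body are constructed for the demonstration; a real deployment would carry its own brand list and a public-suffix list instead of the two-label approximation used here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Assumed brand domains for the example; not part of the original post.
TRUSTED_DOMAINS = {"paypal.com"}
LOOKS_LIKE_URL = re.compile(r"^(https?://|www\.)", re.IGNORECASE)


class _AnchorParser(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname; tolerates scheme-less text such as www.paypal.com/x."""
    if "//" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    """Last two labels stand in for the registrable domain (no public-suffix list here)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalikes such as paypa1.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Return the trusted domain this host imitates, or None."""
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        # brand embedded in another domain (paypal.com.evil.net) or one edit away (paypa1.com)
        if trusted in host or edit_distance(reg, trusted) <= 1:
            return trusted
    return None


def covert_redirect(url):
    """If a query parameter carries a URL pointing at another host, return that host."""
    target = host_of(url)
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            if "://" in value and host_of(value) != target:
                return host_of(value)
    return None


def analyze_links(html):
    """Return (finding, href, detail) tuples for every suspicious anchor in the body."""
    parser = _AnchorParser()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        if LOOKS_LIKE_URL.match(text) and registrable(host_of(text)) != registrable(href_host):
            findings.append(("display-url-mismatch", href, "text shows " + host_of(text)))
        imitated = lookalike_of(href_host)
        if imitated:
            findings.append(("lookalike-domain", href, "imitates " + imitated))
        redirect_host = covert_redirect(href)
        if redirect_host:
            findings.append(("covert-redirect", href, "forwards to " + redirect_host))
    return findings


# Constructed sample body: one mismatched lookalike link, one covert redirect, one clean link.
SAMPLE_EMAIL_BODY = """
<p>Dear customer, your account is limited.</p>
<a href="http://paypa1.com/secure">https://www.paypal.com/account</a>
<a href="https://www.paypal.com/cgi-bin/webscr?cmd=login&amp;return=https://login-verify.example.net/pp">Log in</a>
<a href="https://www.paypal.com/help">Help Center</a>
"""

if __name__ == "__main__":
    for finding in analyze_links(SAMPLE_EMAIL_BODY):
        print(finding)
```

Run as-is it prints three findings: the first anchor is both a display/href mismatch and a one-character lookalike, the second is a covert redirect off a genuine-looking PayPal URL, and the help link is clean.  The checks are deliberately conservative (exact registrable match is never flagged), which is the right bias for something that feeds a mail gateway.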

What are the numbers?

Thousands of URLs, hundreds of thousands of web sites


APWG tracks phishing sites, each of which can consist of hundreds if not thousands of URLs all leading to the same attack destination.  On a quarter by quarter basis, Q2 and Q3 2019 each had more phishing sites reported than Q4 2019.  Year over year, however, Q4 2019 versus Q4 2018 (162,155 versus 138,328 sites) is an increase of 23,827 sites, or about 17.2%.  The summer months of July, August and September 2019 showed the greatest monthly counts, roughly 80 to 90 thousand phishing web sites reported per month.

Greg Aaron, APWG Senior Research Fellow and President of Illumintel Inc., stated: "July through October was the worst period for phishing that the APWG had seen in three years, and then phishing levels settled back down to more normal levels."

In the news: COVID-19

"Cyber-criminals are already targeting healthcare organizations—specifically hospitals—with phishing campaigns, ransomware, and other malicious acts that can adversely impact health information technology, medical response, and patient safety. As cases of the virus began to increase in the US, so too did the amount of email-based phishing campaigns referencing COVID-19." https://cyber.nj.gov/alerts-advisories/cyber-threats-cybersecurity-for-healthcare-during-covid-19

"Threat actors are targeting Small and Midsize Businesses (SMBs) with phishing emails in an attempt to deliver the Remcos remote access trojan (RAT). Aimed at SMBs that may be experiencing financial problems from COVID-19 shutdowns, the threat actor impersonates the US Small Business Administration (US SBA)." https://cyber.nj.gov/alerts-advisories/threat-actors-target-smbs-using-government-grant-phishing-emails

"After three years, the Zeus Sphinx banking trojan has resurfaced in coronavirus-themed phishing campaigns containing information on government relief payments." https://cyber.nj.gov/alerts-advisories/zeus-sphinx-banking-trojan-and-other-covid-19-financial-relief-phishing-campaigns

"Google found there were 149,195 active phishing websites in January. That number rose by 50 percent in February to 293,235 websites. Now, in March, there are 522,495—a 350 percent increase since the beginning of the year." https://www.pcmag.com/news/phishing-attacks-increase-350-percent-amid-covid-19-quarantine

"The COVID-19 pandemic has created an environment ripe for fraudulent activity, with threat actors leveraging fears of the virus to perpetrate a variety of malicious and criminal exploitation. Observed scams and fraud have included selling fraudulent personal protective equipment (PPE), hawking fake cures and tests, spreading disinformation, phishing campaigns, and other related scams. The Intelligence Bureau (IB) assesses that this activity will continue, and it will potentially pivot to leverage changing government responses to the pandemic and shifting needs for supplies. Additionally, the IB assesses that cyber-enabled crime will also evolve to prey upon the public’s need to remain updated on the stream of ever-changing COVID-19-related information and may shift from COVID-19 themed outbreak to recovery lures."  NYPD SHIELD, 04/23/20
Attribution: 4/23/20 conference call

Sectors:

The most targeted sectors for 2019 were shown in a pie chart as follows:

  • SaaS / webmail 30.80%
  • Payment card industry 19.80%
  • Financial institutions 19.40%
  • Social media 6.80%
  • E-commerce / retail 5.4%
  • Cloud storage / file hosting 3.4%
  • Telecom 3.3%

Business email compromise campaigns:

As noted by APWG: In a BEC (business email compromise) attack, a scammer targets employees who have access to company finances, usually by sending them email from fake or compromised email accounts (a "spear phishing" attack).  The scammer impersonates a company employee or other trusted party and tries to trick the employee into sending money.  APWG states attackers may prepare for weeks for such an attack, working inside financial systems, personnel systems and other areas likely to produce a harvest of legitimate-looking emails.  BEC attacks are said to cost industry billions of dollars.  Wire transfer requests are typically 5 to 20 times larger than gift card requests, whose amounts are generally much smaller.  Gift cards are used as a way of laundering funds into physical goods that can later be sold, rather than putting the funds through cryptocurrency exchanges, which is said to be another popular way of laundering money.
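The BEC tells APWG describes (a fake or compromised account carrying a familiar name, a request to move money) are visible in the message headers before anyone reads the body.  Here is an added Python example, not from APWG or this post, that pulls the common red flags out of a raw message: an executive's display name on a mailbox that is not theirs, a "cousin" domain that embeds the company name, a Reply-To that silently routes answers to another mailbox, and payment pressure (wire, gift card, payroll, urgency) in the subject or body.  The company domain, the executive directory and both sample messages are constructed for the demonstration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumed company data for the example; a real deployment pulls this from the directory.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
PAYMENT_WORDS = ("wire", "gift card", "payroll", "direct deposit", "urgent")


def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _body_text(msg):
    """Plain-text parts of a simple or multipart message, joined for keyword matching."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def bec_red_flags(raw_message):
    """Return (category, detail) tuples for the BEC tells found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, address = parseaddr(msg.get("From", ""))
    from_domain = _domain(address)
    flags = []

    # 1. A known executive's display name on a mailbox that is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and address.lower() != expected:
        flags.append(("display-name-impersonation", f"'{name}' is {expected}, mail is from {address}"))

    # 2. A cousin domain: embeds the company name but is not the company domain.
    brand = COMPANY_DOMAIN.split(".")[0]
    if from_domain != COMPANY_DOMAIN and brand in from_domain:
        flags.append(("cousin-domain", f"{from_domain} imitates {COMPANY_DOMAIN}"))

    # 3. Replies routed to a mailbox other than the apparent sender's.
    for _, reply_to in getaddresses(msg.get_all("Reply-To", [])):
        if _domain(reply_to) != from_domain:
            flags.append(("reply-to-mismatch", f"Reply-To {reply_to} vs From domain {from_domain}"))

    # 4. Payment pressure: two or more money/urgency words in subject plus body.
    text = (msg.get("Subject", "") + "\n" + _body_text(msg)).lower()
    hits = [word for word in PAYMENT_WORDS if word in text]
    if len(hits) >= 2:
        flags.append(("payment-language", "mentions " + ", ".join(hits)))
    return flags


# Constructed samples: a CEO-impersonation wire request and a benign internal note.
SAMPLE_BEC_EMAIL = """\
From: Jane Doe <jane.doe@example-corp-ceo.com>
Reply-To: jane.doe.ceo@mail.example
To: accounts.payable@example-corp.com
Subject: Urgent wire needed before 5pm

Are you at your desk? I am in a meeting and cannot take calls.
I need a wire transfer sent to a new vendor today. I will send the details next.
"""

SAMPLE_CLEAN_EMAIL = """\
From: Jane Doe <jane.doe@example-corp.com>
To: accounts.payable@example-corp.com
Subject: Lunch

See you at noon.
"""

if __name__ == "__main__":
    for flag in bec_red_flags(SAMPLE_BEC_EMAIL):
        print(flag)
```

The constructed attack message trips all four checks; the clean note trips none.  A compromised (rather than spoofed) account defeats checks 1 through 3, which is why the payment-language check and an out-of-band callback procedure for any payment change remain the controls of last resort.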

Schemes:

The following is a list of schemes in order of prevalence (taken from a conference call 4/23/20):

  • Gift card requests 62% (Google Play cards, the most requested, decreased, but eBay, Target, Best Buy and Sephora all saw increases)
  • Direct transfer 22%
  • Payroll diversion 16%

Analysis:

Deception and theft (confidence schemes, con games) are nothing new; however, use of the internet since the 1990s has created miles of new paths for those with criminal intent.  Our nation has endured and is enduring hardships heretofore not contemplated (9/11, COVID-19).  Duping of unsuspecting victims will continue, using these incidents and a great many others to pry money out of their hands.  It is said that 93% of data breaches are still caused by phishing incidents, with the cost estimated at 1.6 million dollars for a mid-sized company.  These incidents will continue for some time to come.  Awareness training should continue as a mitigation strategy to reduce the incidents.

Update 4/23/20: Corporate email 


Per conference call today 4/23/20 thanks to everyone on the call.  We are also reviewing a NYPD Shield report 4/20/20 and when we have a green light will post highlights on this page.

Selected Terms:

  • APWG: Anti-Phishing Working Group
  • BEC: business email compromise
  • SSL: Secure Sockets Layer, the technology for establishing an encrypted link between a server and a client (web site); superseded by TLS (Transport Layer Security), though the name SSL is still used loosely
  • SaaS: Software as a Service
  • gTLD: legacy generic top-level domains, such as .com, .org, .asia, .biz
  • nTLD: new generic top-level domains, examples: .work, .icu
  • ccTLD: country code top-level domains, examples: .uk, .mx
  • NCSA: National Cyber Security Alliance
  • Spear phishing: an email spoofing attack that targets a specific organization or individual, seeking unauthorized access to sensitive information
  • Whale phishing (whaling): a phishing attack that targets high-profile employees in order to steal sensitive information from a company
  • Smishing: phishing by text message (SMS)
  • Vishing: voice phishing, conducted in an actual telephone conversation
  • Angler phishing: attackers posing as a company's customer-service account on social media, using fake URLs and cloned web sites


Thursday, April 16, 2020

Zooming not so fast....slow down

Video Conferencing Software/Weak Security?


Never Share Passwords
Keep Meeting ID’s Private
Make Use of Waiting Rooms

Zoom, the video conferencing software maker, learned a lot of lessons this past month as a result of the legions of new visitors who stopped by and signed up as customers.  Zoom literally exploded with new customers in mid-March 2020 as a result of COVID-19.  However, a number of security incidents started happening and with that a fire hose of commentary poured into their email boxes, security blogs, conference calls and forums.  Security professionals came on strong.  One security practitioner commented that the default settings right out of the box needed serious review and that the general public was at the point of the spear: buyer beware.  Waiting rooms, passwords and many other enhancements, all focused on security and reducing risk, were called for from all quarters.

To the credit of Zoom, now known as that easy, cheap video conferencing software, they have made changes to improve security (changes to many of the default settings, like requiring a password by default for all meetings, establishing a waiting room so you can verify participants, and sprinkling in the message not to share passwords, etc.) and reduce the risks to many of their users.  Zoom has taken it on the chin for many in this functional area, "video conferencing brands," while the rest of the pack gets the opportunity to take another look at security.  Zoom brought on a security professional and kinder days seem to be in the future.  Zoom also has a HIPAA compliant application separate from what general users get to use.  See the photo above for the last known update from Zoom.  Zoom is growing and has been sending out improvements as they become available.

Video Conference Software:

Never Share Passwords
Keep Meeting ID’s Private
Make Use of Waiting Rooms



Here are some additional products for consideration:
  • GoToMeeting
  • Webex Teams
  • Skype for business
  • Google Hangouts
  • Join.Me LogMeIn
  • Amazon Chime
  • Microsoft Teams
  • Cisco Webex Meetings
  • Updox
  • Vsee
  • Zoom for healthcare
  • Spruce health care messenger
  • Apple Face Time
  • Doxy.me
  • Face Book Messenger Chat
  • Blue Jeans - recently purchased by Verizon
Check out each of these products and note well that during a declared national emergency many if not all may be used without compliance penalty.  However, after the emergency is over please do use HIPAA compliant software.  See shorturl.at/fijHL for future updates at U.S. H.H.S. dot gov.


NIST - Navigating the Conference Call Security Highway



Today, 4/25/20, I reviewed an article from Dr Eric Cole, Secure Anchor Consulting.  These are some of his thoughts:

Zooming, now a household word
Due to the pandemic, video conferencing increased 1000 fold in March/April 2020.  "Zooming" takes on a life of its own for all brands of video conference calling software.
ZOOM BOMBING: DEFINED
Where a person joins a Zoom video conference call uninvited and either 1.) listens in, 2.) gathers important info to use at a later time or 3.) becomes disruptive to your meeting or event.
How do you protect a Zoom call?
    1. Remember you are a target, 2. Cyber security is your business, 3. Make sure your software is up to date. 

    • Make sure your computer operating system is up to date
    • Make sure your Zoom app is up to date and other apps as well
    • Make sure you are using anti-virus software and its up to date
    • Do not post Zoom links in the public eye
    • Don't click on links you don't know
    • Setting up meetings:
      • Use strong passwords
      • Do not share the meeting ID
      • Use a non obvious meeting ID
      • Use the waiting room function
      • Lock the meeting once everyone is in

New Post: 5/5/20


Jeff Furman my "go to guy" for Project management hosts a blog and has some Zoom fun and other suggestions check it out here:  https://www.linkedin.com/pulse/so-your-internet-crashes-middle-zoom-session-what-you-jeff-furman/

Take a peek at the: Project Management Answer book click the link.

New Post: 5/7/20 am

On a conference call today.  The discussion of fat client versus thin client for VT software came up again (for the young at heart, this seems to recur every 5-10 years), functionality and services were discussed (I think what you are used to using drives the favorite-product discussion most) and end-to-end encryption was discussed.  Zoom came up and, given that it is slowly improving its security posture, some note it is moving into the "pack" of other VT implementations, since it will become less of a pick-up-and-use utility because of security concerns.  Those with more security concerns and less need for functionality can look here: https://www.infosecnews.org/national-security-agency-releases-guide-to-secure-video-conferencing

New Post: 5/7/20 pm

Take a look at this very comprehensive post from Citizen Lab:
https://citizenlab.ca/2020/04/faq-on-zoom-security-issues/

Then this video by none other than: Dr Eric Cole

A few weeks ago there was a lot in the news about ZOOM Bombing. So ZOOM took action and set up some default security to 'appease the masses'. But here's the thing... they did too little, too late AND ZOOM meetings are still being targeted.
It's not over! The adversary is still on the prowl and creating havoc.
I recorded a quick video for you to share with your organization to help keep the awareness around how to protect against ZOOM Bombing.

Dr Cole's Tips:


#security  #cybersecurity @Zoom @NIST #VideoConferenceCalling #VT #DrEricCole  #zoombombing


Last edit: Monday, 5/5/20 0930 hours











Sunday, January 5, 2020

Policing in America 2020

Is it safe to police America's big cities?

A couple of days ago I borrowed a graphic I found posted on LinkedIn by another retired captain, a "Get Out Of Jail Free" card.  Those who are familiar with Monopoly will recognize this card from the popular board game.  It was funny at first and got a chuckle out of a number of people.  I posted the graphic on social media and everyone enjoyed how much this joke seriously reflected real life.

Yet New York Democrat legislators, buoyed by the fact they just won a stinging majority in the NYS Senate, once the bastion of Republicans, gathered in jubilant victory in Albany to show all New Yorkers their radical progressive agenda.  You could laugh this off and say we told you so, but each of you needs to feel and hear the pain this causes for your fellow New Yorkers.  How New York State releases criminals only to be picked up by Federal authorities later on.  How New York State ignores the mental health crisis hitting our streets and how every member of society is at risk because of it.  Monsey, NY is another example, where the home of a Jewish rabbi was invaded over the holiday by a very sick, mentally ill man who struck guests with a machete; this was in the making for years, but largely ignored by the NYS Legislature.  How a young boy in a park playing basketball is shot and killed and it becomes just another number in the end of year homicide count.  How a young Laurelton man would be walking today if only the police had enforced the noise code in the 105th Precinct.  Instead, a bullet found his spine after the police were rebuffed the first time, and the second radio run found this Laurelton man lying face down on the ground with a bullet in his back.  This victim's dilemma was a policy change by the NYC Mayor.  Thank you Bill deBlasio.  The stories of the innocent and the fallen like Liu, Ramos, Moore and others go on and on.  They are all victims of a political system where 75% of the voters couldn't give a damn.

This all started with Mark Weprin and the Community Safety Act.  Few will remember, but it was the moment when then City Councilman Weprin did a 180 on Law Enforcement and voted yes to usher in the progressive wing of the New York City Council.  A day some of us will never forget.

Police Officer Eddie Byrne gave his life for our city, which was the turning point for crime control in NYC, just as New Yorkers reached beyond 2000 murders a year.  As one police officer after the next was cut down in the streets, crime, disorder and fear were aggressively addressed.  Some of us will never forget.  For Cuomo, deBlasio and the City Council it's the politics of the moment; for the families of the fallen it's the story of their lives.  Mark Weprin left public service mid-term to work for a law firm so he could pay for good schools for his children.  We wish him and his family well.  However, the stain of his time at the NYC Council will never be forgotten, and when New Yorkers tire of the bodies piling up again they too will call upon the NYPD and ask them once again to shoulder the responsibility of bringing crime, disorder and fear under control.  The price NYPD will pay for this effort will not come for free and not without more families shattered.

We vote Republican for many different reasons as individuals.  As a club we vote Republican because we understand broken windows works, and the responsibility not only of joining together with the community in unity to make our streets safe but also of holding residents accountable to a standard of behavior which makes us a free people.  Please remember voting matters and elections have consequences.

Friday, September 28, 2018

FBI ALERT: 9/27/18

I-092718-PSA "RDP Warning needs to be heeded".

Questions regarding this PSA should be directed to your local FBI Field Office.

Local Field Office Locations: www.fbi.gov/contact-us/field.  

ISSUE: Remote Desktop Protocol has been on the rise since mid-2016 as an attack vector

RDP, or Remote Desktop Protocol, is being exploited by attackers to conduct malicious activity, the FBI warns in its public service announcement of September 27th, 2018.  Members, clients and others are advised to reach out to your local FBI Office for information concerning this public service announcement.  

Definitions:  Remote Desktop Protocol (RDP) is a proprietary network protocol that allows an individual to control the resources and data of a computer over the Internet. This protocol provides complete control over the desktop of a remote machine by transmitting input such as mouse movements and keystrokes and sending back a graphical user interface. In order for a remote desktop connection to be established, the local and remote machines need to authenticate via a username and password. Cyber actors can infiltrate the connection between the machines and inject malware or ransomware into the remote system. Attacks using the RDP protocol do not require user input, making intrusions difficult to detect.

Some Suggestions For Protection:

  1. Audit your network for systems using RDP for remote communication
  2. Verify all cloud-based virtual machine instances with a public IP do not have open RDP ports, specifically port 3389, unless there is a valid business reason to do so.  Place any system with an open RDP port behind a firewall and require users to use a virtual private network (VPN) to access it through the firewall.
  3. Apply two-factor authentication, where possible
  4. Apply system and software upgrades regularly
  5. Maintain a good back-up strategy
  6. Enable logging and ensure logging mechanisms capture RDP logins.  Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
For additional recommendations see the PSA.
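Suggestion 6 above asks you to capture RDP logins and review the logs for intrusion attempts. The following is an added example of what that review can look like in practice; it is not part of the FBI PSA or of this post. It assumes the Windows Security log has been exported into simplified one-line records (timestamp, Event ID, logon type, source IP, account) that mirror the fields of event 4624 (successful logon) and 4625 (failed logon), and that logon type 10 is the RDP (RemoteInteractive) logon type. The sample lines, the source addresses and the threshold of five failures in five minutes are all constructed for the example.

```python
"""Flag RDP password-guessing bursts in exported Windows logon events.

Added example; the record format below is an assumption for this
example and not something defined by the FBI PSA:
    <ISO timestamp> <EventID> <LogonType> <SourceIP> <Account>
Event 4624 = successful logon, 4625 = failed logon, logon type 10 = RDP.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): one source hammers several
# accounts and then succeeds, one user mistypes once, one non-RDP logon.
SAMPLE_LOG = """\
2018-09-27T08:00:01 4625 10 203.0.113.7 administrator
2018-09-27T08:00:03 4625 10 203.0.113.7 admin
2018-09-27T08:00:05 4625 10 203.0.113.7 root
2018-09-27T08:00:07 4625 10 203.0.113.7 backup
2018-09-27T08:00:09 4625 10 203.0.113.7 administrator
2018-09-27T08:00:12 4624 10 203.0.113.7 backup
2018-09-27T09:15:00 4624 10 192.0.2.44 jsmith
2018-09-27T09:20:00 4625 10 192.0.2.44 jsmith
2018-09-27T09:20:30 4624 10 192.0.2.44 jsmith
2018-09-27T10:00:00 4624 2 192.0.2.10 svc_print
"""


def parse_events(text):
    """Turn the simplified export into a list of event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, event_id, logon_type, src, account = parts
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "src": src,
            "account": account,
        })
    return events


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: finding} for sources with `threshold` failed RDP
    logons inside `window`, noting whether a successful RDP logon followed
    the burst (the case that needs immediate follow-up)."""
    rdp = sorted((e for e in events if e["logon_type"] == 10),
                 key=lambda e: e["time"])
    by_src = defaultdict(list)
    for e in rdp:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e["event_id"] == 4625]
        # Sliding window over consecutive failures from this source.
        for i in range(len(failures) - threshold + 1):
            first, last = failures[i], failures[i + threshold - 1]
            if last["time"] - first["time"] <= window:
                later_success = [e for e in evs
                                 if e["event_id"] == 4624 and e["time"] > last["time"]]
                findings[src] = {
                    "failed_attempts": len(failures),
                    "accounts_tried": sorted({e["account"] for e in failures}),
                    "success_after_burst": bool(later_success),
                    "success_account": later_success[0]["account"] if later_success else None,
                }
                break
    return findings


if __name__ == "__main__":
    for src, f in find_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        flag = "SUCCESS AFTER BURST" if f["success_after_burst"] else "burst only"
        print(f"{src}: {f['failed_attempts']} failures, accounts {f['accounts_tried']} [{flag}]")
```

Run against the sample, only 203.0.113.7 is reported: five failures against four different accounts within eight seconds, followed by a successful logon as "backup". The single failed attempt from 192.0.2.44 stays below the threshold, which is the behaviour you want from a review rule that runs over 90 days of logs without burying the analyst in ordinary typos. In a real deployment the parser would be replaced by whatever exports your SIEM or Get-WinEvent produces, and the threshold tuned to your environment.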