Cyber Security: The Essential Role of Internet Service Provider

It has been logically proven to me that some elements of the cyber security of any internet user rest solely on the shoulders of the ISP, but that has been the last thing we ever cared about, perhaps because we tend to complicate simple things!

The ISP is supposed to be the only owner of, or the main layer in, internet user cyber security when it comes to global, isolated or even targeted threats. It is a fact that all traffic must pass through the ISP before reaching, or after originating from, the user. ISPs can filter everything, and probably are; they can decide whether the internet is neutral or balanced, so how/why do they not care about global threats to internet users?!

Threats like phishing seem very isolated at first glance, but technically they are traceable, and ISPs could easily kill them at the origin long before they turn into a global concern. The same goes for threats like all the nasty content of the dark web, software piracy, or illegal distribution (upload and download) of any digital content.

ISPs are technically able not only to filter but to mitigate many cyber-insecurities, and they have everything “already” in place, but for some reason we skip this most important link and start building perimeter security from scratch! By filtering and mitigation, I do not mean simply blocking a port or protocol from a source or to a destination; I am talking about intelligently seeing patterns, gathering baselines and identifying root causes… An ISP is capable even of remediating many types of cyber threats, whether towards businesses or home users, but again, for some reason unknown to me, we decide to create a new separate entity and call it, e.g., a managed security service provider, a security operation center as a service… and ignore the power of the ISP as the sole owner of and responsible party for cyber security.

Regulating the Dark Web!

I came across an article the other day on Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources! 

A publication from justice.gov with interesting insight, but it opened an old wound for me! Trying to regulate an environment which is naturally unregulated does not sound reasonable. It is like saying you can go to the underground drug market, but please promise you only use it for medical purposes, and by the way, make sure the drug dealer is a good person! And washes his hands (yeah, don’t forget about COVID-19!)

Today’s dark web is an inevitable result of a millennium movement towards non-disclosure as opposed to full disclosure. A silent movement against the direction of disclosing security vulnerability details; an argument with those who believed disclosing vulnerabilities gives the community a better chance to defend. But shall we disclose how to build a bomb in order to stop bombs being made, or to have a better understanding of how to disable a bomb?!

I personally stopped disclosing security vulnerabilities; anything I published after 2000 was super naïve material and not usable for serious hacks! Because at some point I stepped back and tried to understand how disclosure is really benefiting the community: not at all, I mean limited if not zero.

But on the opposite side, malicious hackers have always used the info to turn it into profit, hence using it maliciously and of course in a destructive manner. How many times, if ever, did you find any security product or solution relying on vulnerability disclosure to mitigate a security problem?

Today’s exploit DBs and similar are nothing but vitrines! Real deals organically created the dark web, this time more destructive than the 90’s dark material on the surface web. So again, thinking about rules, ethics, DOs and DON’Ts in such an environment is irrelevant. Security pros, we, need to do something to make that intelligence unavailable! We need to make it unreachable, not try to regulate its usage or direct the intention.

We regulate the healthcare industry to make sure anybody touching PHI has some sort of HIPAA training and awareness, but how could we make sure these companies that gather intelligence are abiding by rules and ethics?!

Fix Cybersecurity Issues vs Making Money Out of Them!

Have we really been fixing cyber-security issues and challenges, or do we just want to make money out of “lack of awareness”?

The simplest analogy I can think of is cigarettes and generally the tobacco industry. If we really believed that those are against society and individual health, given how much the cost of cancer and other complications of consuming tobacco is, we could simply stop producing them, not “try” to make it harder for them (i.e. taxes, age restrictions…), which is actually useless and ineffective, hence totally ironic.

Same with cybersecurity: are we going to take steps to put a remedy out there, or are we again “trying to show” that we care about the fact, making an effort to mitigate irrelevant elements of it and keeping it there forever to make money out of it?

Dealing with cyber-insecurities is not that hard. It starts within our organizations and it has to be supported by governments in order to be effective, but it seems to me the entire community doesn’t have enough appetite to go toward a simple solution, just like banning tobacco altogether forever, and we want just short-term, ineffective mitigations to demonstrate the effort and keep the market hot!

You may find this weird coming from a cyber security professional, but let me tell you that during more than 2 decades of active consulting and training sessions, all of my efforts have been focused on one mission: make sure the client understands the problem and then find the rationale to fix it. That’s 180 degrees against where the market is always heading: let’s sell this product, this solution, which is usually not the solution to the real problem, but a short-term, expensive way of mitigating effects and consequences.

Cybersecurity should not be our problem in the 21st century; we as humans have way more important things to do. We should care about water, food and the health of society, we should focus on education not identity theft, we must focus on soil and H2O not internet bandwidth.

Still, my job as a security professional is to make sure my client can remediate root causes and focus on business, as it is supposed to be; people and businesses should be able to focus on what they are doing, not be distracted by some lame cyber criminal who takes advantage of a market solely focused on making money out of complications rather than making money from real business interactions by adding valuable products and tangible assets to societies.

Always be result-oriented: has the security community made your cyber life easier or harder? Are you more confident than 20 years ago? Are people telling you to blame only malicious hackers for that?

Organic Compliance! Deep Dive into a Clause, No Matter which…

One of the effective techniques to handle ISO 27001 or any other security management standard or framework is to go deep into a matter regardless of where you want to start or even where you are forced to start.

In practice, the main challenging question, and the answer to it, for many organizations when they want to comply with a standard or regulation is: where should we start?

Let’s talk about ISO 27001: shall I start with Asset Management, or Risk Management? Both are fundamental. Can I start with Suppliers?! What about when I am forced to start with the Compliance clause, or Access, because customers are pushing me, or at least the whole thing is customer-driven?

The answer is actually very simple, and execution is also simple: we just need to deep dive into a matter/clause, no matter where we start; the links are going to organically take you where you should be. This is the beauty of almost all well-crafted frameworks or standards.

I usually walk through how to exactly execute such a technique in the context of any organization or business function, regardless of scope or type of security management framework, but for the sake of this brief article, I would like to direct you to only one important thing to keep in mind: go deep into any topic you face, do not address it tomorrow, do not procrastinate elements to any later time, and you will automatically cover all the elements of other clauses or related topics.

Most organizations hesitate to do so because, particularly when you are in a rush, you think it is better to cover more areas rather than being mature in one area, but practically, you will automatically cover all areas if you deep dive into one matter solely!

Is EFS secure?

I have seen many official statements about EFS being so insecure and that we should not use it, blah blah… and it is so surprising to me to hear an unprofessional statement from professional sources, or better said, an inaccurate assumption about one of the simplest and most effective ways towards cryptographic practices!

Assuming you know what Encrypting File System (EFS) generally is, the problem lies in the way we use it, not necessarily in EFS’s native problems. Sometimes even those native issues arise due to our way of using things, which I have experienced a lot regarding EFS.

An uneducated person who thinks s/he knows EFS tries to configure it and then boom! Of course, we end up with the wrong assumption that EFS is insecure. I assure you that you can utilize EFS, at the right time and in the right place, more effectively than many other cryptographic solutions! That is a strong opinion, but I recommend not using it only if you do know about it!

If you know how to utilize EFS, you would probably laugh at why I am even bothering and killing myself to make sure folks understand the beauty and usefulness of this light-weight encryption beast! Yes, because it bothers me how we skip this super useful technology where it is supposed to be so effective and go for other solutions which might not be the right choice because of the way they deal with encryption or their price.

As a matter of fact, BitLocker has the same problem in the opposite direction: folks think that it is breakable, and more than that, I have seen hundreds of them use it in the wrong place, which again is not BitLocker’s problem if we use it in a way which makes it ineffective.

Anyway, give EFS to a knowledgeable IT staff member (an encryption guru is not needed) and s/he knows where and when to utilize it, cheaper and more effectively than any other encryption solution out there. I explain in one of my workshops how to turn EFS into a compliance saver! And how to turn BitLocker into a compliance disaster!

The Main Source of Cyber Threat Intelligence

Which firm, company or solution can have the most comprehensive source of threat intelligence? This question should come to your mind when you are shopping for this security matter for any reason.

Sources can have different types of data and then convert them into useful information via either active or passive mechanisms to gather intelligence, but the most important factor is being traffic-inclusive, regardless of what type of data is being gathered and how it is being analyzed, translated into different contexts (businesses and functions) and presented.

So, the question is: where can we find an all-inclusive traffic observer? Is it a company, with that shiny solution, which claims they have thousands of customers and anticipate threats in a very broad spectrum because they have everything from small business to large, from healthcare to technology, from manufacturing to accommodation?

No entity can have better threat intelligence than an ISP when it comes to traffic; everything will be extracted from traffic, so how can a firm with 10 thousand customers have better vision compared to a small ISP with millions of users?! The best threat intelligence can be collected via ISP gateways; that is where we can observe, collect, and decide how to deliver different packages of “intelligence” to the right targeted consumer. Are ISPs actively or passively involved in this process? I believe not, but that is a different story. Technically, an ISP is like an ocean of threat intelligence compared to the best solution/biggest company in this market as a swimming pool!

Do Managed Security Services Elevate Overall Security Posture?

Does a managed security service enhance overall security posture? Usually no!

Managed security services are highly built on customer expectation instead of precise protocols to build a security barrier for the client.

There are many factors involved in the quality of security services after migration to a managed service, but the most effective one is “client expectations”, or better said, the client’s understanding of the cybersecurity realm. That’s why most companies downgrade by migrating to a managed service: they think the best way to manage an unknown and scary world is to bring someone else in to take care of it for them, but if one did not understand the challenges of cybersecurity and was not able to manage it before, then there is no way to expect an MSSP can manage it.

Providing managed security services is a market highly built on customer expectation versus definite and precise protocols to build a security barrier for the client. This is currently happening with the cheapest analysts you could imagine. There is no way to set up a SOC for any number of clients and dedicate analysts to them at a lower price than having the same workforce in-house. So obviously the quality of security services is affected, not to mention that securing an unknown entity where all the objects and workflows are unknown is way more than a tune-up session; it takes months and even years of understanding a system.

Imagine one brings in a firm to secure their house and lets them watch the video cameras 24/7; even if privacy is not a concern, which it has to be, we usually bring people in to “set up” things, not to watch them for us.

However, there are pieces one could outsource, and managed security services can be utilized for areas that are meant to be managed by a third party. There are tasks we could pass to a 3rd-party security provider, which I am going to cover later in “how and where to refer to a managed security services provider”.

Does Cloud Guarantee Security?

There is a wrong perception of Cloud security among consumers of Cloud solutions and platforms. Actually, classic Clouds are more insecure than traditional computing, even though it is set in stone for most people, even many “IT professionals”, that Cloud computing is natively more secure, or by default is at least more secure than on-prem software.

Classical Cloud Computing is more insecure than traditional computing!

A couple of big downsides to Cloud are: 

  • Relying on default configurations 
  • Formulating based on the platform 
  • Prone to more frequent and targeted attacks 

Cloud users tend to accept and apply default configurations to their environment. It does not matter if this is because of a lack of knowledge of the Cloud platform or just an over-trusting relationship. The result is insecure, at least due to unjustified configurations and settings which are supposed to be highly customizable but actually are not in a real-world scenario.

Both Cloud service and platform providers and consumers formulate workflows, force systems and presume functionality based on given criteria, not what different businesses demand. This is not the default behavior or a native flaw in Cloud computing, but because the platforms are not abstract enough, software becomes highly dependent on the original ideas and formulas. The immediate sign of this is seeing more and more software products being so similar in architecture, design, implementation or even application.

The last one is an inevitable result of Cloud computing. We experience this every single moment online. Remember, what made Microsoft Windows have thousands more flaws compared to Linux or Mac was not really because Windows is more insecure, but because it is more targeted based on its market share. Now, as a cybercriminal, would you target Amazon Web Services or a proprietary piece of software sitting somewhere secluded from the Clouds?!

Why try to compromise and find flaws within a tiny piece of proprietary software instead of the Microsoft Azure platform?

Why Are Folks Not Able to Secure Their Network?

The question simply is: why do we not feel secure even after spending a lot, with giant teams of professionals and a bunch of fancy tools?

And the answer simply is: Wrong Direction! 

As long as one is going in the wrong direction, we certainly cannot even imagine being able to reach the destination. How is it possible to reach the goal when going in the opposite direction?!

The direction for securing networks and all other sorts of cyber entities is wrong, and that is why we won’t be able to reach a favorable level of security, no matter how much we spend or try. Actually, sometimes we even fall further behind because we are spending on the wrong set of subjects, so we get more insecure over time.

And if you ask why I am so sure that the direction is wrong, rather than trying to prove it by providing the right logical approach, I simply ask you: would we not be secure if the (popular) approach was right?

You could find at least one online firm that feels good about their security, if only the direction, approach and methodology were right. Instead, you can find millions of cyber firms struggling more and more every day.

Choosing the right direction to secure your online assets is the first fundamental step. Without that, you will be lost like most of the community. Sounds naïve? But then why, despite thousands of tools and professionals to set them up, is the community still not certain, even for a fraction of a second, that countermeasures are strong enough to secure an online asset?

What is the right methodology to secure computer assets? The answer will be shocking once you realize how simple, cheap and easy it is to accomplish.

Is Whitelisting a Good Security Practice?

Whitelisting has for sure been a relatively standard, and sometimes a hardening, security measure, but it depends on how we implement and maintain it and where it is initially enforced.

Whitelisting could work against you if set up at the wrong spot or with inadequate supporting elements. I highly recommend whitelisting behavior rather than whitelisting elements like applications, IP addresses, emails, domains, users…

One of the most obvious negative usages of whitelisting is where we unintentionally give more opportunity to file-less malware attacks and all sorts of insecurities around anything whitelisted within the operating system without being supported by enough validation factors and elements. This is simply where we should rather focus on behavior than solely on the origin of a file, for example.

Blind whitelisting, which is what I call it when we just filter based on one factor, is highly prone to being defeated. It is vulnerable to forgery and easily bypassed because there is no support. File-less malware heaven is actually the traditional whitelisting approach.

What is so effective and almost undefeatable is behavioral whitelisting, where we filter on a set of elements, even considering the order of execution. For your information, almost all EDR solutions in the market are currently either lacking behavioral whitelisting, or they solely rely on traditional one-stop whitelisting, which is really dangerous and totally against the nature of an EDR.
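To make the blind-versus-behavioral distinction concrete, here is an added example (not code from the original post) that evaluates a constructed stream of process-start events two ways: a single-factor allowlist keyed on the image name, and a behavioral allowlist that also checks the launching parent, the signature, the command line, and, by walking events in execution order, whether the parent itself was allowed. The executable names, rules and events are all hypothetical.

```python
# Added example: single-factor ("blind") allowlisting vs behavioral allowlisting.
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # hypothetical executable names, not real tools
    cmdline: str
    signed: bool    # whether the binary carried a valid signature


# Constructed sample telemetry: the scheduler runs the script host normally (pids 10, 11),
# then a document viewer spawns the same script host with an encoded argument (pids 20, 21),
# and an unsigned copy of the script host starts on its own (pid 30).
EVENTS: List[ProcEvent] = [
    ProcEvent(10, 1, "scheduler.exe", "scheduler.exe --run-jobs", True),
    ProcEvent(11, 10, "scripthost.exe", "scripthost.exe -file backup.ps1", True),
    ProcEvent(20, 1, "docviewer.exe", "docviewer.exe report.doc", True),
    ProcEvent(21, 20, "scripthost.exe", "scripthost.exe -enc QUJD", True),
    ProcEvent(30, 1, "scripthost.exe", "scripthost.exe -file x.ps1", False),
]

ALLOWED_IMAGES: Set[str] = {"scheduler.exe", "docviewer.exe", "scripthost.exe"}


def blind_allow(ev: ProcEvent) -> bool:
    """One factor only: if the image name is on the list, whatever it does passes."""
    return ev.image in ALLOWED_IMAGES


@dataclass(frozen=True)
class BehaviorRule:
    parents: Set[str]                  # images permitted to launch this one
    require_signed: bool               # demand a valid signature
    cmdline_ok: Callable[[str], bool]  # constraint on the arguments


BEHAVIOR_RULES: Dict[str, BehaviorRule] = {
    "scheduler.exe": BehaviorRule({"init"}, True, lambda c: True),
    "docviewer.exe": BehaviorRule({"init"}, True, lambda c: True),
    # The script host is legitimate only when the scheduler starts it with a plain -file.
    "scripthost.exe": BehaviorRule({"scheduler.exe"}, True,
                                   lambda c: "-file" in c and "-enc" not in c.lower()),
}


def behavioral_allow(events: List[ProcEvent]) -> Dict[int, bool]:
    """Walk events in execution order; a process passes only if its own factors match
    the rule for its image AND the parent that launched it was itself allowed."""
    image_by_pid: Dict[int, str] = {1: "init"}      # pid 1 is the trusted root
    allowed_by_pid: Dict[int, bool] = {1: True}
    decisions: Dict[int, bool] = {}
    for ev in events:
        rule = BEHAVIOR_RULES.get(ev.image)
        parent_image = image_by_pid.get(ev.ppid, "unknown")
        ok = (rule is not None
              and allowed_by_pid.get(ev.ppid, False)
              and parent_image in rule.parents
              and (ev.signed or not rule.require_signed)
              and rule.cmdline_ok(ev.cmdline))
        image_by_pid[ev.pid] = ev.image
        allowed_by_pid[ev.pid] = ok
        decisions[ev.pid] = ok
    return decisions
```

Running `behavioral_allow(EVENTS)` denies pids 21 and 30, which `blind_allow` waves through because the image name alone is on the list.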