Tag Archives: Cyber War

Some thoughts on “Protecting against ransomware using PCI DSS and other hardening standards”

20 May 2018

The post “Protecting against ransomware using PCI DSS and other hardening standards” (1), published this week by Paul Norris in SC Media UK, is really worth reading. Hardening is a proven method to reduce the attack surface of a computer network. If done well, the spread of ransomware, and thus the impact on an organization, can be limited.

Hardening, patching, etc. serve a common goal in cyber war: describing the limits of conflict. Everett Dolman writes in chapter 5 of “Pure Strategy: Power and Principle in the Space and Information Age” (2):

“Tactical thinkers seek to define and describe situations. Decision-making in real-time tactical mode requires it. The more knowledge of the limits to conflict, the more creatively the tactical genius can deploy, maneuver, and engage forces. Knowing completely what cannot be done allows for an investigation what can be done.”

Hardening, patching, etc. decrease the number of options / attack vectors an attacker can use for getting onto and exploring a network. IT security groups can then focus on the remaining attack vectors, and prepare for the unknown.

Let me give two examples to illustrate this.

  1. If all external storage devices are technically blocked in your organization, an attacker cannot use them for delivery of weaponized documents. Furthermore, if users have no chance to change this, your IT security group can focus on investigating other attack vectors.

  2. If you implemented the measures for mitigation of high and medium risk findings described in the DoD “Windows 7 Security Technical Implementation Guide” (3), you can be sure that attacks based on bypassing UAC to get elevated privileges are no longer possible.

But be aware that the attacker also knows what cannot be done after a standard is implemented…

Have a great week.


  1. Norris P. Protecting against ransomware using PCI DSS and other hardening standards [Internet]. SC Media UK. 2018 [cited 2018 May 20]. Available from: https://www.scmagazineuk.com/opinion/protecting-against-ransomware-using-pci-dss-and-other-hardening-standards/article/761956/

  2. Dolman EC. Pure Strategy: Power and Principle in the Space and Information Age [Internet]. Taylor & Francis; 2004. (Strategy and History)

  3. Department of Defense. Windows 7 Security Technical Implementation Guide [Internet]. STIG Viewer | Unified Compliance Framework®. 2017 [cited 2018 May 20]. Available from: https://www.stigviewer.com/stig/windows_7/


Lessons learned from Tom Clancy’s novel ‘Red Storm Rising’

14 December 2015

In the past weeks I listened to Tom Clancy’s novel ‘Red Storm Rising’ during my ride to the office. Red Storm Rising is about a Third World War in Europe around the mid-1980s. From an IT security point of view, one of the most impressive scenes is about a missile attack against the carrier Nimitz.

Nimitz has a layered defense system which successfully destroys all missiles except for two, which cause severe damage. However, the continual emergency drill was successful: the carrier reaches the dry dock under its own steam and is soon back in combat.

In the IT world we are facing similar problems when a cyber attacker manages to get past the first line of defense, i.e. the firewall which separates the company network from the internet. In the best case, if an Information Security Management System (ISMS) is in place, everyone reacts the right way and serious damage is prevented.

But reacting the right way requires some practice, and the lack of practice is the crux of the matter. Is all software available to rebuild a system from scratch? Have you ever performed a restore test to make sure your backup concept works and your business-critical systems could be restored to the required point in time, and in the defined time frame?

Practicing security procedures is often avoided because of the risk to the systems and the costs. But without practicing you cannot ensure the effectiveness of your ISMS. It is all a question of finding the proper balance.

I dug somewhat deeper into military strategy in the past weeks. In the publication ‘The Strategic Game of ? and ?’, John Richard Boyd points the way to a strategic approach to defense in cyber war:

The Strategic Game is one of Interaction and Isolation. A game in which we must be able to diminish adversary’s ability to communicate or interact with his environment while sustaining or improving ours.

Seems to be a good motto for 2016.

That’s it for today, and for this year. I will take a Christmas break.

A merry Christmas to you all and the best wishes for health, happiness and prosperity in the New Year.
