Website Safeguards: Security Hardening Checklist

Defacement
A website is the front door and the public face of your organization. Many attackers deface an organization by breaking into its website and posting their own message on it (some well-known victims: MIT, NASA, eBay, PayPal, Mossad, Forbes, WikiLeaks, Oracle, Russia Today).

DDoS
Attackers often use a Distributed Denial of Service (DDoS) attack to overwhelm a web server with requests until the site goes down. This can hurt the owner financially, especially if the website generates revenue (examples of sites taken down by DDoS attacks: Netflix, Amazon, Twitter, Spotify, GitHub, Xbox Live). Fortunately, Cloudflare's free plan includes DDoS protection for any website it fronts, WordPress sites included, which is an easy way to get started.

OWASP
The Open Web Application Security Project (OWASP) is a not-for-profit organization that publishes a Top 10 list of the most common security flaws in web applications along with mitigation techniques. It is an excellent resource for hardening your website or web application, and we highly recommend going over the list.

HTTPS
This is an easy...
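As an added example (not code from the original post), here is a Python check for the response headers that the HTTPS and OWASP items lead to in practice: HSTS, a Content Security Policy, nosniff, clickjacking protection, and a Server header that does not advertise a version. The two header sets at the bottom are constructed for the example, not captured from any real site.

```python
"""Audit HTTP response headers against the basics of the hardening checklist.

Added example (not the post's code). The header sets at the bottom are
constructed, not captured from any real site. Header names are matched
case-insensitively, as browsers do.
"""
import re

ONE_YEAR = 31536000  # seconds; a common floor for the HSTS max-age


def audit_headers(headers):
    """Return a list of findings; an empty list means the basic checks pass."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # HSTS: without it the first request (and any typed URL) goes over plain HTTP
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m:
        findings.append("HSTS missing: browsers will still try plain HTTP first")
    else:
        if int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS does not cover subdomains")

    # CSP: parse "directive value value; directive ..." into a dict
    csp = h.get("content-security-policy", "")
    directives = {}
    for chunk in csp.split(";"):
        parts = chunk.split()
        if parts:
            directives[parts[0]] = parts[1:]
    if not csp:
        findings.append("CSP missing: injected scripts run unrestricted")
    else:
        # script-src falls back to default-src when it is not set
        script_src = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append("CSP allows inline or wildcard scripts")

    # clickjacking: either CSP frame-ancestors or X-Frame-Options must be set
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in directives and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no clickjacking protection (frame-ancestors / X-Frame-Options)")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    # a version in the Server header hands attackers a ready-made CVE search
    server = h.get("server", "")
    if re.search(r"\d+\.\d+", server):
        findings.append(f"Server header leaks a version string: {server}")

    return findings


# constructed samples: a default install versus a hardened one
WEAK = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "Content-Type": "text/html",
}
HARDENED = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_headers(hdrs) or ["OK"])
```

Run it against `curl -sI https://your-site/` output after splitting the lines into a dict. The Server check is deliberately crude: it only flags a numeric version, since hiding the product name alone buys little while the version string is what gets fed into exploit searches.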
Cyber Warfare: Bringing a Knife to a Gunfight

The enemies of today are well equipped with the latest tools and techniques, knowledge of vulnerabilities, and zero-day attacks. On the flip side, most companies and individuals are not.

Reasons for Lapses in Security
Most organizations don't take security seriously until they get hit. Typically:
- They do not see tangible results
- It is not their primary business
- They do not budget for security
- They do not invest in security training or certifications for their employees

Common Mistakes
Some common mistakes companies make when applying security measures include:
- Using outdated software
- Using old tools to detect new threats
- Relying on human intelligence alone
- Using simple rules
- Thinking that an antivirus is enough
- Thinking the "IT guy" can cover security, networks, databases, software, servers, helpdesk, tools, troubleshooting, and the list goes on

Helpful Solutions
Automation and artificial intelligence are leading the way in detecting anomalies. Even malware that is encrypted or packed can now be detected in some cases from its behavior rather than its contents. Training and awareness are key. If...
DNS for Privacy 1.1.1.1

First and foremost, this is an awesome IP address!!! Whois shows it was registered in 1997! But I'm sidetracking. This is Cloudflare's privacy-focused DNS service.

DNS recap: Just like your phone book translates names into phone numbers, DNS translates domain names (like google.com) into the IP addresses (like 74.125.124.10) that nobody has time to remember. Or like telling your GPS to "go home" rather than entering your street address. Here's a fun explanation of how DNS works: https://howdns.works

The Problem: Most people, or their routers, have their DNS server pointed at their Internet Service Provider. Your ISP keeps track of every DNS query you make to reach a website, and tailors ads or services accordingly. This information is gold to them. They sell it to data brokers, who then send you more spam, junk and mail. You have an online profile with them that you probably don't know about.

Privacy Concerns: Your ISP (like Comcast or AT&T) also knows if you prefer Netflix or YouTube over...
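The recap above in code, as an added example that is not part of the original post: the bytes a stub resolver sends for an A lookup, and the bytes that come back. The response is constructed by hand (the IP is the one quoted above, not a live lookup) so the example runs offline, and observed_name shows why an ISP can log every name you resolve: the question crosses the wire on UDP port 53 in the clear.

```python
"""Build a DNS query the way a stub resolver does, and parse the answer.

Added example, not from the post. The response bytes are constructed by hand
(transaction id, flags, one A record) so this runs offline; the IP is the
one quoted in the post, not a live lookup.
"""
import struct

TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """google.com -> b'\\x06google\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=0x1234):
    """Header: id, flags (RD=1, recursion desired), QDCOUNT=1, AN/NS/AR=0."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def decode_name(msg, off):
    """Decode a name at `off`, following compression pointers (RFC 1035 4.1.4)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:               # pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def observed_name(packet):
    """What a passive observer (ISP, coffee-shop Wi-Fi) reads from the query bytes."""
    return decode_name(packet, 12)[0]


def parse_response(msg):
    """Return (queried name, [A-record IPs]) from a DNS response message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = decode_name(msg, off)
    off += 4                                    # skip QTYPE, QCLASS
    ips = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rclass == CLASS_IN:
            ips.append(".".join(str(b) for b in msg[off:off + rdlen]))
        off += rdlen
    return qname, ips


def make_response(query, ip, ttl=300):
    """Constructed answer: echo the question, add one A record via a name pointer."""
    txid = query[:2]
    question = query[12:]
    # flags 0x8180: QR=1 (response), RD=1, RA=1; counts: QD=1, AN=1, NS=0, AR=0
    header = txid + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
    answer += bytes(int(x) for x in ip.split("."))
    return header + question + answer


if __name__ == "__main__":
    q = build_query("google.com")
    print("on the wire:", q.hex(), "->", observed_name(q))
    print(parse_response(make_response(q, "74.125.124.10")))
```

To send the query for real, hand `build_query("google.com")` to a UDP socket with `sendto(..., ("1.1.1.1", 53))` and feed the reply to `parse_response`. That exchange is still readable by anyone on the path; 1.1.1.1 also accepts DNS over TLS (port 853) and DNS over HTTPS, and switching the client to one of those is what actually takes the names out of the ISP's view.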
What’s with this GDPR?

What is GDPR?
GDPR (General Data Protection Regulation) is the new EU regulation around data privacy. Its central point is that the data of people in the EU should be fully under their own control, with complete transparency about how it's used. In a nutshell, the exact opposite of what happens with user data in the US.

What is the Checklist?
- Take explicit user consent on how and where their data will be used, in simple language (no 50-page agreements with "I agree" at the bottom)
- Provide the collected data to the user free of charge at their request
- Destroy user data records at their request (data brokers watch out!!!)
- Notify customers of data breaches that may affect their privacy
- Privacy must be baked into a product, not applied as a bandage afterwards

What are the fines for non-compliance?
Fines can be up to 20 million euros or 4% of the company's worldwide annual turnover, whichever is higher.

Who needs to comply?
It's a regulation that all EU member states must comply with. Furthermore, all...
Open Source Network/Security Software for the Enterprise

Software vendors are going to kill me for saying this, but you don't have to break the bank on software costs. There are FREE alternatives. Vendors may debate which are better, but that decision has to be made per product and per use case. As long as you have good support, open source software can be as good, or even better. The code is open to review, and widely used projects get a lot of scrutiny from the community. I can see many mid-tier organizations running these enterprise-grade open source tools and saving a lot of money in product fees. They will still have to pay for implementation and support, but that comes with any software anyway. Here's a list I compiled of enterprise-level security/network tools an organization can benefit from. By no means is this list exhaustive, a comparison, or in any order of priority.

Function | Free / Open Source | Paid
LAN Monitoring Tool
Network Monitoring (NMS) | NMIS, NtopNG (nTop Probe for NetFlow has a...
Remembering 100s of passwords 🗒, a thing of the past (Top 5 Password Managers)

Gone are the days when you only needed to remember 3-5 passwords. Passwords were primarily for email accounts, a handful of social media sites and maybe an online bank account. Now you need at least 10 accounts for literally everything: email, eCommerce sites, social media, cloud apps, your thermostat, all your government sites. You probably think you don't have that many, but the average person has well over 100 passwords (I just made that up, but I have way over that; I lost count). I often end up using the same password for most accounts, until some website tries to be secure and tells me I need a "special character". I don't need a $%!&(*@ character if I don't want one! Or a combination of capitals and numbers! Pretty soon my passwords are appended with numbers, and some sites don't allow passwords to be repeated over time! Needless to say, this can't keep up for too long. Until a better way comes...
Preparing for Death 💀 in a Digital World (Top 10 Checklist)

Death does not come to anyone by asking. It is always sudden and people never expect it. Our lives are heavily intertwined with the digital world. As such, when (not if) that happens, we should be prepared from a cyber perspective. We have hundreds of online credentials that our lives depend on. It would make life much easier for our next of kin if we had settled them, or let them know how to settle them, before our number is up. Some of the important things we can do are as follows. The best way to incorporate these tasks is to gradually implement every one of them over a period of a few weeks or months.

1. 📝 Will
I always thought wills were just about money! But that's only one aspect. No one would want their children (under 18) to go to foster homes, or to go through a year of court hearings (probate) to decide who their guardians should be and how their assets should be...
Don’t WannaCry 😭Tonight

Name: WannaCry, a.k.a. WannaCrypt
Type: Worm, ransomware
Target: Windows computers exposing SMBv1 file sharing (TCP port 445)
Exploit: EternalBlue, developed by the NSA (yes, the US government)

EternalBlue is the exploit that was developed by the NSA, most likely to be used on "we the people". It was leaked by hackers in April 2017 and used in the WannaCry ransomware a month later. This ransomware only targeted certain Microsoft operating systems, and it spread using the file share feature (SMBv1). Microsoft had already patched the flaw in March 2017 (MS17-010). But how many people keep their systems updated? Microsoft even went as far as creating patches for end-of-support systems like Windows XP and Windows Server 2003! If you don't need SMBv1, disable it, and never expose port 445 to the internet. Microsoft issued a statement criticizing government spy agencies, and the NSA in particular, for hiding critical security flaws from vendors. Most security specialists blame the National Security Agency (NSA) for committing the original sin. Of course, if a hacker had created EternalBlue, he would be serving time (...just saying 💁🏻‍♂️). The irresponsible actions of the NSA for...
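Patching and disabling SMBv1 is the fix; the added example below (not code from the post) is the detection side for anyone who runs a network: WannaCry spread by scanning for TCP/445 and firing EternalBlue at every responder, so from the network it looks like one host opening SMB connections to many distinct peers in a short window. The script counts distinct 445/tcp destinations per source inside a sliding window over connection-log lines. The log format ("timestamp src dst dport proto") and every line in build_sample_log are constructed for the example, not real traffic.

```python
"""Flag SMB worm behaviour in connection logs.

Added example, not from the post. From the network, a worm like WannaCry is
one source opening 445/tcp connections to many distinct peers in a short
window. The log format ("ts src dst dport proto") and every line produced by
build_sample_log are constructed for the example, not real traffic.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def parse(lines):
    """Yield (timestamp, src, dst, dport, proto) from the constructed format."""
    for line in lines:
        ts, src, dst, dport, proto = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport), proto


def find_scanners(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {src: peak distinct 445/tcp destinations} for every source that
    reaches `threshold` distinct peers inside any sliding `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, proto in parse(lines):
        if dport == 445 and proto == "tcp":
            by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()            # dst -> connections inside the window
        lo = peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[lo][0] > window:       # slide the left edge
                old = events[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def build_sample_log():
    """Constructed log: a worm-like host, a normal file-server client, and a
    slow sweep that never puts 20 peers inside one minute."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    for i in range(30):                                 # 30 peers in 30 seconds
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.0.15 10.0.1.{i + 1} 445 tcp")
    for i in range(50):                                 # 50 hits on one file server
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.0.40 10.0.0.5 445 tcp")
    for i in range(25):                                 # one new peer every 90 s
        lines.append(f"{(base + timedelta(seconds=90 * i)).isoformat()} 10.0.0.60 10.0.2.{i + 1} 445 tcp")
    lines.append(f"{base.isoformat()} 10.0.0.15 198.51.100.7 443 tcp")   # not SMB, ignored
    return lines


if __name__ == "__main__":
    print(find_scanners(build_sample_log()))   # {'10.0.0.15': 30}
```

Feed it firewall, NetFlow or Zeek conn.log lines reduced to that five-field shape. The file-server client is not flagged because it talks to one peer many times, and the slow sweep is not flagged because the window keeps the distinct-peer count at one; tune `threshold` and `window` to your own subnet sizes before alerting on it.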
Dark Web, Deep Web, Clear Web 🕸, what’s the difference?

There's a lot of talk about the "deep dark web". These terms are used interchangeably, but they are very different.

Surface or Clear Web
This is what most of us are familiar with. Anything searchable by Google (hence indexed or crawled by search engines) is part of the Surface Web 🕸. We may think this is all the content on the internet, but you'll be surprised: it's estimated that this accounts for only about 4% of the content on the internet.

Deep Web
This is where roughly 90% of the content lives. You've come across it all the time, but probably didn't know it was categorized as the Deep Web. This is everything you CAN'T find with a popular search engine like Google (who uses Bing or Yahoo 🤷🏻‍♂️), DuckDuckGo, etc. Take Uber ride fares from point A to point B: you must search within Uber's own database, you have to search DEEPER. Things like eCommerce websites, property info, people search engines, traffic violation data,...
Cat6 Cabling Nuances 🤷🏻‍♂️ – Different Types

Troubleshooting starts at Layer 1, the physical layer, so it's important to get this right. You may say, "it's just cabling, how hard can it be?" Well, read along. I've seen way too many people get it wrong and pay an expert to redo it, so I thought I'd touch on this fundamental topic. The goal should be to get the cabling done right the first time to avoid countless hours troubleshooting cabling issues. The last thing you want is to climb ladders in narrow spaces tracing cables and re-terminating jacks. I'd rather spend the extra 10 minutes terminating a connector right than come back later and redo everything.

The 2 main types of Cat6 cable are solid core and stranded.

Solid Core
Each of the 8 conductors inside the outer jacket that make up the 4 pairs is a single solid copper wire. It's usually either 24 AWG or 23 AWG (thicker).

Stranded
Think of stranded cable as...