Anatomy of a hack

It’s 7:39 AM, I get a panicked message from a friend:

My Facebook just got hacked!!!

For the next two and a half days it’s a frenzy of activity to contain, mitigate, restore, and analyze. Finally, coming up for air, we sit down and review what happened.

The prior evening and early morning of the hack, there was an increase in logon/logoff activity on the account from a multitude of IP addresses across the mid-United States. Because the account was not locked to authorized devices, this had gone unnoticed by the victim. Once the login password was established, the hacker(s) went to work, changing the login password, verification phone number, and account login/user id. What really helped the victim is that the email password and the Facebook password were (slightly) different, his Facebook account was not linked to any other apps for login, and by some divine intervention, he tried logging in about 15 minutes after the compromise, which allowed us to secure the email account, financial accounts, and all other logins that are important. It then took us two days to recover the Facebook account by submitting proof of ID, creating a new email address, and seizing the account back from the perpetrators.
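The activity pattern described above (a burst of logons from many addresses, followed by changes to the password and recovery phone) is something a platform or an account owner with activity logs can alert on. The script below is an added example, not from the original post; it runs over a constructed log of account events, and the record format, the three-hour window and the three-address threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of account-activity records (not real Facebook logs):
# timestamp, account, event, source IP.  They mimic the pattern in the
# write-up: logon/logoff churn from many addresses, then the attacker
# changes the password and the verification phone number.
SAMPLE_EVENTS = """\
2017-02-19T22:41:10Z victim login 203.0.113.10
2017-02-19T22:44:02Z victim logoff 203.0.113.10
2017-02-19T23:12:45Z victim login 198.51.100.23
2017-02-19T23:15:01Z victim logoff 198.51.100.23
2017-02-20T00:03:30Z victim login 192.0.2.77
2017-02-20T00:10:12Z victim login 203.0.113.99
2017-02-20T00:11:40Z victim login 198.51.100.8
2017-02-20T00:20:05Z victim password_change 198.51.100.8
2017-02-20T00:21:30Z victim phone_change 198.51.100.8
2017-02-20T07:30:00Z alice login 192.0.2.5
2017-02-20T07:31:00Z alice logoff 192.0.2.5
"""

SENSITIVE = {"password_change", "phone_change", "userid_change"}

def parse(text):
    events = []
    for line in text.splitlines():
        ts, account, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, event, ip))
    return events

def find_takeovers(events, window=timedelta(hours=3), max_ips=3):
    """Return {account: {"ips": n, "sensitive_changes": [...]}} for accounts
    whose logon/logoff activity came from more than max_ips distinct
    addresses inside any window of the given length (the precursor above),
    together with any sensitive account changes made in that same window."""
    by_account = defaultdict(list)
    for ev in sorted(events):
        by_account[ev[1]].append(ev)
    alerts = {}
    for account, evs in by_account.items():
        for t0, _, _, _ in evs:
            span = [e for e in evs if t0 <= e[0] <= t0 + window]
            ips = {e[3] for e in span if e[2] in ("login", "logoff")}
            if len(ips) > max_ips:
                changes = [e[2] for e in span if e[2] in SENSITIVE]
                alerts[account] = {"ips": len(ips), "sensitive_changes": changes}
                break
    return alerts

if __name__ == "__main__":
    for account, info in find_takeovers(parse(SAMPLE_EVENTS)).items():
        print(f"ALERT {account}: {info['ips']} source IPs; changes: {info['sensitive_changes']}")
```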

So how did this happen?

We previously posted about several high-profile data breaches that resulted in reams of user data being available on the dark web for anyone to procure and see. Reviewing this particular person's history revealed that:

1) He was using the same email account to register for various sites that were then compromised
2) He was using a relatively simple password, and when changing it, kept the overall password structure, adding or removing an alphanumeric character here and there
3) His password changes formed a pattern that allowed the attackers to quickly guess what the other variations might be
4) He had key-logger malware on the work system he used to access Facebook

With this information at hand, the attacker(s) were able to attack the victim's Facebook account, trying to use it as a staging platform for further compromises.

As mentioned above, the impact was minimized by rapid response and some basic controls that were in place. However, the attacker was able to get the victim's contact list, so we sent out a notice to all contacts to be on the lookout for potential phishing/social engineering attacks.

So how can this be avoided, or at least minimized?

1) Realize that platforms like Facebook, Google, iCloud, and Office365 are your core access modes for everything you do
2) Follow the latest NIST guidance for password security: at least 12 characters, preferably a phrase, and keep the punctuation/spacing
3) Enable multi-factor authentication across all platforms (it’s FREE)
4) Lock access to your core accounts to specific devices (such as a home desktop/laptop and a mobile device)

Feel free to reach out if you have further questions on the matter, until the next time…

What does the Cloudflare leak mean for your business and what you can do about it

For the last week, the internet has been ablaze with stories about an issue with Cloudflare, an Internet Service Provider (ISP). At the heart of the issue is an overflow vulnerability that caused authorization information to become publicly available. Here is a handy comic from on how it works:

While there is plenty of advice on what individuals and affected websites should be doing to protect themselves and their data (change your passwords, use two-factor authentication methods such as Google Authenticator or Microsoft Authenticator wherever possible, change your username/sign-in information, etc.), there is very little guidance for what small and midsize businesses should be doing, if anything, in light of this.

Here is the issue that we often ignore or downright forget about: human beings are creatures of habit. That means that the password someone uses to log in to their OKCupid™ account is probably the same as, or at least very similar to, their banking password, their Uber™ password, and their corporate login. Then there is the propensity of small and midsize businesses to use usernames that follow one of a few predictable patterns, for example for someone named Jane Doe:,, Alternatively, can be company.local.

This means that the company network, along with its sensitive data, is now vulnerable to external access. The difference between an organization and an individual is that while individuals are responsible only for themselves, the organization is responsible for the sensitive information of itself, its owners, its employees, its clients, and sometimes the clients of its clients.

So how does one mitigate the risk? The answer is a phased approach. The initial step should be to force all users to change their passwords immediately. The next step is planning and implementing the following:

  • Ensure there is a policy forcing password changes at least every 90 days
  • Change all usernames to something other than the patterns outlined above, for example initials + a random 7-digit number
  • Use a third-party tool to enforce password complexity and block common dictionary words. This will safeguard against passwords like January2017 or Michelle18
  • Implement a two-factor authentication scheme on the local network
  • Implement a Privileged Account Management (PAM) solution to safeguard super-user type accounts
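The following added example (not part of either post) shows the kind of check a password-complexity tool applies: the NIST-style minimum length from the "Anatomy of a hack" post, rejection of "dictionary word plus digits" passwords such as January2017 or Michelle18 from the bullet above, and rejection of a new password that merely tweaks the previous one, which is the pattern that let the attackers guess the victim's variations in the earlier post. The word list, the 12-character minimum and the 60% similarity threshold are assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed mini dictionary (assumption); a real deployment would load a
# full list of months, first names and common words.
DICTIONARY = {"january", "february", "michelle", "password", "summer", "welcome"}

def check_password(new, previous=None, min_len=12, max_similarity=0.6):
    """Return a list of policy violations (an empty list means accepted).

    Checks:
      1. minimum length, per the NIST-style guidance quoted in the first post;
      2. 'dictionary word + digits/punctuation' shapes such as January2017;
      3. a new password that keeps the previous one's structure and only
         adds, removes or swaps a character or two.
    """
    problems = []
    if len(new) < min_len:
        problems.append(f"shorter than {min_len} characters")

    # Strip digits and punctuation; if a dictionary word is all that is left,
    # the password is a word with a date or number bolted on.
    core = re.sub(r"[^a-z]", "", new.lower())
    if core in DICTIONARY:
        problems.append("dictionary word plus digits/punctuation")

    if previous:
        # Compare both the full strings and the letter-only skeletons, so that
        # changing a digit or a punctuation mark does not count as a fresh password.
        prev_core = re.sub(r"[^a-z]", "", previous.lower())
        ratio = SequenceMatcher(None, new.lower(), previous.lower()).ratio()
        if ratio > max_similarity or (core and core == prev_core):
            problems.append(f"too similar to previous password ({ratio:.0%} match)")
    return problems
```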

The last step is ensuring that items 1-5 are implemented and maintained by including them in your information security policy and your periodic audit policy. And if you do not have an Information Security Policy? Now is probably a very good time to get one created…and you can still pat yourself on the back for being proactive about it.

As always, feel free to contact with any questions, comments, or requests

Creating a secure corporate wireless network

In the increasingly wireless world of today, keeping your data safe is becoming more and more difficult. This is especially true for organizations that have internal devices communicating wirelessly to transfer protected data and that also have to provide wireless internet access to their clients and vendors. Proper implementation will help ensure data security and regulatory compliance.
As with everything that has to do with IT security and compliance, it starts with planning. To achieve security, three items are required:
1) Separation of the corporate wireless network used to access and process confidential information from all other wireless network traffic
2) Controlled access to the corporate wireless network
3) Mechanisms to monitor access, use, and alert of issues

Conceptually, the connectivity looks like this:

Wireless network data flow

On smaller networks some, or even all, of these devices can be combined. It is common in smaller environments for the network router and the edge firewall to be one physical device, such as a Cisco ASA or a SonicWALL TZ series firewall. While some of these devices come with built-in wireless access points, using them is not generally recommended unless there are other considerations in play, such as location, type of business, etc.
The devices used in creating secure wireless networks must have the following features:
1) Support for Virtual Local Area Networks (VLANs)
2) Support for management via either console, SSH, or secure web connection
3) Support for the Simple Network Management Protocol (SNMP)
4) The wireless access points must support either Remote Authentication Dial-In User Service (RADIUS) or the Lightweight Directory Access Protocol (LDAP)

Thankfully, most devices sold today across all price ranges will support these.
The main differences between the two wireless networks are the authentication mechanisms and the access provided. The guest network can have a broadcast Service Set Identifier (SSID) that everyone can see, with a simple password-based or web-based authentication mechanism. I would highly recommend using web-based authentication as it allows for a written disclaimer and acknowledgement process that can be monitored and logged. The process looks like this:

Guest Wi-Fi Connectivity

For the corporate network, the process is more complex. Turn off the broadcast of the network SSID. To ensure that only appropriate devices can access the internal wireless network, it is necessary to implement physical access controls, such as an allowed Media Access Control (MAC) address policy. In addition, clients will need to authenticate to an internal authentication server via either LDAP or RADIUS in accordance with the internal company access policy, which should include provisions for password complexity, periodic changes, and multi-factor authentication.

Corp Wi-Fi Connectivity

The last step is to set up a monitoring mechanism that will alert if there is unauthorized access to either the wireless networks or the devices providing access and managing the flow of data.
When planning and implementing a secure wireless network infrastructure, make sure to have appropriate data access, wireless access, and password policies in place as well as an appropriate infrastructure to manage the implementation of these policies.
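As an added example of the monitoring step (it is not from the original post), the script below audits constructed RADIUS-style authentication log lines against the MAC allow list and reports two conditions worth alerting on: a valid credential used from a device that is not on the list for that user, and repeated failed logins from one device. The log format is loosely modelled on FreeRADIUS's radius.log, and the user-to-device mapping and the failure threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines, loosely modelled on the FreeRADIUS radius.log
# format; they were not captured from a real system.
SAMPLE_LOG = """\
Mon Feb 20 09:12:33 2017 : Auth: (12) Login OK: [alice] (from client corp-ap1 port 1 cli 00-11-22-33-44-55)
Mon Feb 20 09:13:07 2017 : Auth: (13) Login OK: [bob] (from client corp-ap1 port 1 cli 00-11-22-33-44-66)
Mon Feb 20 09:15:40 2017 : Auth: (14) Login OK: [alice] (from client corp-ap2 port 1 cli 00-aa-bb-cc-dd-ee)
Mon Feb 20 09:20:01 2017 : Auth: (15) Login incorrect: [carol] (from client corp-ap1 port 1 cli 00-de-ad-be-ef-01)
Mon Feb 20 09:20:05 2017 : Auth: (16) Login incorrect: [carol] (from client corp-ap1 port 1 cli 00-de-ad-be-ef-01)
Mon Feb 20 09:20:09 2017 : Auth: (17) Login incorrect: [carol] (from client corp-ap1 port 1 cli 00-de-ad-be-ef-01)
Mon Feb 20 09:20:13 2017 : Auth: (18) Login incorrect: [admin] (from client corp-ap1 port 1 cli 00-de-ad-be-ef-01)
"""

# Approved corporate devices (the MAC policy from the post), keyed by user so
# that a valid credential used from the wrong device is also caught.  This
# mapping is an assumption.  MAC addresses can be cloned, so the allow list is
# a supporting control next to RADIUS/LDAP authentication, not a substitute.
ALLOWED = {"alice": {"00-11-22-33-44-55"}, "bob": {"00-11-22-33-44-66"}}

LINE_RE = re.compile(
    r"Auth: \(\d+\) Login (OK|incorrect): \[([^\]]+)\] "
    r"\(from client (\S+) .* cli ([0-9a-f-]{17})\)")

def audit(log_text, allowed=ALLOWED, max_failures=3):
    """Return alert strings for the two conditions described in the lead-in."""
    alerts, failures = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an authentication result line
        status, user, ap, mac = m.groups()
        if status == "OK" and mac not in allowed.get(user, set()):
            alerts.append(f"{user} authenticated from non-approved device {mac} via {ap}")
        elif status == "incorrect":
            failures[mac] += 1
            if failures[mac] == max_failures:  # alert once per device, at the threshold
                alerts.append(f"{failures[mac]} failed logins from {mac} via {ap}")
    return alerts

if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG):
        print("ALERT:", alert)
```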

Feel free to reach out with any questions or comments.

Securing Data in the cloud. Part I: Approach

After the previous article, I received many questions about ensuring security and compliance when using resources hosted with a public cloud services provider. To begin with, I will restate what I said previously: just because your cloud services provider is secure and compliant does not mean your organization is.

To start with, the approach to cloud security and compliance is very similar to on-premise infrastructure security and compliance. The pitfalls are similar as well. It starts with being proactive instead of reactive. Security and compliance are not a list of checkboxes to be filled out; they must be included as part of the overall business strategy. Just like any other business plan, a security and compliance plan needs to contain an explanation of what the company does, what the risks are, an approach strategy broken down into tactical steps, an outline of appropriate action items, and a timeframe for implementation.

What makes it more challenging with the cloud is properly classifying the data stored and processed in various service offerings hosting different workloads. When the infrastructure is in-house, it is comparatively easy to control resource encryption, access control features, monitoring, and audit. In the cloud, not so much, as we are reliant on the tools available from the provider to secure and encrypt our workloads.

Securing cloud workloads starts with answering two questions:

1) What types of workloads is the organization using?
2) What data is on these workloads?

The workloads can be virtual servers hosted on the public platform, virtual servers hosted on a dedicated platform, or SaaS and PaaS offerings, such as SharePoint Online.

From the security standpoint, the data types revolve around what information is contained, i.e. personal data, financial data, or company data that is eyes-only/confidential.

The answers to these questions will drive what options are available to you and how your compliance is affected.

Please bear in mind that different vendors have different approaches as to the granularity of access they provide to the client. This is one of the reasons why what is being secured, and how it will need to be secured, must be reviewed at the early stages of the decision-making process. It can narrow down the field of available vendors considerably.

As always, feel free to reach out with any questions, suggestions and requests

HIPAA Compliance for medical practices and associated services

Over the last few months, I have had the pleasure of speaking to medical professionals, practice owners, and service providers that work with medical practices. A lot of them expressed confidence that they were HIPAA compliant simply because they were using cloud-based Electronic Medical Records (EMR) and practice management systems. When probed on whether or not they had internal policies, sign-offs, and secure end-user systems, the response more often than not was a blank stare. When asked if they had ever taken the opportunity to review the requirements on the Department of Health and Human Services website, the response was a wry smile and a shake of the head.

To dispel the myth: just because your cloud EMR/practice management suite vendor is HIPAA compliant does not mean that you are. Compliance means having and adhering to a written Information Security policy that:

1) Identifies the organization and persons responsible for information security
2) Has a set of written policies and procedures that define how the data is accessed, stored, distributed and deleted
3) Has a set of written documents, policies and procedures that explain how the systems that are used to access and store the data are designed, implemented, monitored and disposed of
4) Explains the process to be followed in case there is a breach
5) Provides for periodic audit of the organization to ensure that the policy is adhered to
6) Is updated as the security requirements change

A baseline template for this policy, as well as a checklist to help ensure that the appropriate items are included, can be obtained from a multitude of sources. Here are some of them:

Privacy & Security

I do recommend that when designing and implementing the information security policy, one consults a professional to ensure that everything is done properly. For any questions, feel free to reach out at or here on LinkedIn.