AI’s Growing Role in Controlling Devices:

As AI starts entering more workplaces, it is crucial to recognize that AI will become more interconnected with hardware devices in your organization. You might want AI to control room lighting and air conditioning to make it voice-controlled or adapt to the changing activities in the room. AI can also control massive machinery, including robots and high-powered lasers for cutting steel. We’ll all be surprised at how many real-world tangible controls AI can assist. For AI to control devices, computers must drive the machines. Threat actors could exploit weaknesses to disrupt companies, damage equipment, cause expensive delays, and worse.

Machines Driven by Computers, Including Those Running AI and Traditional Computer Control Systems, Introduce a Security Threat:

As AI becomes integral to your operations, remember: Everything from climate control and identity detection to robots and laser cutters hinges on computer systems. AI’s potential is vast, and its growing adoption means more devices linked to our networks.

However, this surge in AI adoption produces an often-overlooked danger that all organizations with industrial controls must consider. The computer systems hosting your AI and traditional solutions can become obsolete faster than the devices they control. Neglecting to update operating systems and using other security controls exposes your organization to cybersecurity threats. While devices might seem to run smoothly, the escalating sophistication of cyber attackers can’t be underestimated.

Executives: Unchain Your IT Pros from the Security Limitations:

Is your IT Team prohibited from applying critical cybersecurity updates to operating systems or upgrading to supported operating systems on workstations that control instruments, lasers, robots, and other machinery? If they are, those workstations pose a security threat to your organization.

Executives must understand that using workstations with old operating systems or without the most recent critical security updates is a significant security risk. In some cases, executives must ask the IT Team if they have encountered this situation. Sometimes, executives are inclined to delegate decision-making to the IT Pros. Instead, the IT team must alert the executives of the pros, cons, and expenses. The executives need to decide if it makes sense to pay to upgrade the applications that control robotics, manufacturing, or other equipment on a network.

Three Definitions:

In case nobody’s explained these terms, it is essential to differentiate between upgrades and updates:

1. Operating System Upgrades: An example is upgrading from Windows 10 to Windows 11. Newer operating systems often have more security features. Microsoft and Apple will naturally be tempted to assign their best and brightest people to develop and update the newest operating systems, so they eventually drop support for old operating systems. Unsupported operating systems are designated EOL (End of Life.) Using an operating system after it is no longer supported is a significant security risk.
2. Operating System Updates, a.k.a. Patches: Security updates are rated by the severity of the security risk and how likely an attacker will exploit the weakness. Critical security updates are the most important to apply. Staying up to date with patches can be a significant struggle in many situations.
3. Application Upgrades: Upgrades to new versions of the software that controls devices such as CNC machines, robotics, lasers, laboratory equipment, instruments, or any other hardware that connects to a computer.

The Shocking Reality:

Some applications that control devices may prohibit operating system upgrades and security patches. The applications might break if the IT team deploys the patches or upgrades the operating systems. Sadly, as reckless as it seems, some companies that create applications to control machinery will no longer provide technical support to your IT team if the operating system on the workstations is upgraded or has security patches. Their software developers may be too busy to create flexible, secure applications and are forced to focus strictly on functionality.

Depending on the application vendor, paying for an upgraded version of a controller application can be very expensive. Fortunately, sometimes, the upgrade charge is reasonable or free. Sometimes, no upgrade is available to permit operating system upgrades or critical security updates.

Another consideration is the risk that upgrading might interrupt manufacturing flow if the upgrading process requires extensive troubleshooting or potentially interrupt production. When equipment operates 24/7, the IT Team is under more pressure since there is no downtime for maintenance.

If the new application’s user interface significantly differs, shop floor personnel might require additional training. Inadequate training can lead to costly mistakes and safety issues. Scheduling training will affect the timing of deploying the new applications.

So, as you can see, when robotics, scientific instruments, lasers, manufacturing, or other equipment works just fine, upgrading the application offers no valuable benefits, and the IT team is busy, we find during audits and security assessments that many manufacturing organizations have outdated operating systems or need critical cybersecurity updates.

The organization’s executives might accept the risk, especially if compensating controls are in place.

Alternative Tactics Increase Security:

Using compensating controls in networks is essential because systems sometimes have significant vulnerabilities before updates are released or installed. Compensating controls are even more essential to help protect workstations if patches are missing.

Compensating controls include, and are not limited to, isolating the machines that control robotics, manufacturing equipment and scientific instruments on a separate network away from your network. That separate network must have limited connectivity to only allow traffic to and from the specific devices necessary and limit the kind of data and how it traverses the network to reduce the attack surface and make it more difficult for a malicious program or third party to access that instance or device. I sometimes refer to this tactic in keynote presentations as creating filtered subnets.

Another compensating control is to harden the unpatched or EOL machines by removing all applications except those essential for the equipment’s operation. Examples of applications that must be removed include browsers and email clients since they are common vectors for successful attacks. If the employees operating those devices require internet and email access, consider adding a separate workstation that is patchable for email and web access.

EDR/XDR (Endpoint Detection and Response / Extended Detection and Response) technology is another helpful control. It involves installing a small program called an agent on each computer. The EDR/XDR agent monitors the system’s software, services, and behavior for any signs that threat actors might have already compromised the computer. If the EDR/XDR tool detects an IoC (Indicator of Compromise), it can respond by interrupting the process. When tuned to avoid false alarms, the best response is to allow the agent to effectively quarantine the workstation from the rest of the network until the IT team can investigate. This helps prevent attackers from spreading to more hosts.

However, it is common for IT teams to succumb to the danger of relying too heavily on EDR/XDR to protect their organization and, therefore, neglect implementing other industry best practices to protect systems. Threat actors often set up EDR/XDR tools on their test networks to find ways to circumvent the protections. So, even if your EDR/XDR tool says everything is safe, it doesn’t necessarily mean threat actors aren’t active in your network.

To combat this, companies commonly conduct yearly red-team exercises, performed by exceptionally skilled IT teams that regularly perform these exercises and know the tricks and practices real-world threat actors use. These exercises are designed to test the effectiveness of the detection and response process. These exercises look for weaknesses in EDR/XDR and help keep the IT team in practice, ensuring they’re better prepared in the case of an attack.

Depending on your budget, if $20/user/month for EDR/XDR is not feasible, know that the other cybersecurity controls in this article, such as careful hardening and segmentation with very restrictive filtering, are much less expensive than EDR/XDR and have little if any ongoing expense. I don’t want to diminish the usefulness of EDR/XDR tools. If you are on a tight budget, unless your cybersecurity policy requires EDR/XDR, you might choose to focus on other compensating controls.

The IT Team must alert the executives about the expense of upgrading applications, isolating the shop floor instances on a separate network, deploying an additional network for web and email access, training users and operators, implementing EDR/XDR tools, and other expenses. Include time estimates along with financial estimates. Then, the executives can make an informed decision, and IT can follow their instructions and ask for support as necessary.

Step-by-Step Guidance for IT Teams:

Acknowledge that it can be a significant challenge and sometimes practically impossible to ensure that all workstations run with a current OS and that all critical security updates are applied. But keep applying updates if possible.

Inform your executives whether your team has time to make these changes. IT teams must alert executives of the time and expense involved. The executives will have options such as adding more IT professionals to augment the team, postponing other projects, or accepting the risk of continuing with unpatched systems or EOL OSs with the compensating controls listed below.

Explore all technical, training, and expense changes before upgrading applications.

Ask your supervisor to delegate the price checking to someone outside the IT department if feasible. Your IT team is very busy, so checking the prices might cause the upgrade to be delayed. It can be time-consuming to check with the robotic, manufacturing, and scientific equipment vendors to find the pricing for upgrades to their applications that control machinery.

Investigate more than the pricing. Ask about changes in the upgraded applications affecting the user interface and user experience. Ideally, the upgraded application software operates similarly and has the same interface. Unfortunately, some manufacturers significantly change the user experience when they upgrade their applications.

If users will need training, identify a trainer.

Determine how scheduling the training will affect the deployment timing.

Involve executives in decision-making and send them regular reports about the project’s progress.

Implement compensating controls on the workstations because of the high cybersecurity risk of missing critical patches or using EOL OSs. Compensating controls aren’t a replacement for missing patches, but the controls can help tremendously.

Remember that attackers can exploit security risks long before they are discovered. Only when the vulnerability is discovered will the operating system and application developers know to create or release patches to seal that security hole. Refrain from relying on patches as your sole security control for application software and operating systems.

Strongly consider isolating shop floor machines on a separate subnet, especially those you are prohibited from patching and those using EOL OSs. Isolate that subnet completely with an air gap or utilize aggressive filtering at the switch or router to limit traffic to only the required source, destination, ports, and protocols.

Additionally, hardening the workstations against attacks is strongly recommended.

Remove or restrict web and email access. This is one of the most effective ways to harden workstations, as web and email are two of the most common vectors for malware.

If the workers at those devices need access to the web and email, consider deploying a separate workstation to their station they can use for web and email. If feasible, that workstation should not be on the shop floor network. If you put those workstations on the equipment network, you would need to allow email and web traffic, and modifying access control lists to allow more sources, destinations, ports, and protocols can significantly reduce the security you would otherwise introduce to the equipment control network. Strive to exclude TCP ports 80 and 443 on the AI device network while allowing full functionality of the AI and other computer-controlled devices.

Be sure you limit the sources of inbound and destinations of outbound network traffic to the absolute minimum. If you need to run new cables to facilitate the additional workstations for web and email at the workers’ stations, then running new cables might be a significant investment. Deploying a WiFi network for email and web access might be more economical. Keep the key secret. If you share the WiFi password, workers might connect other devices to the equipment network and compromise security. Completely blocking email and web access and access to external IP addresses will hamper the workers on the manufacturing network from exposing the hosts to many threats.

Strongly consider using EDR/XDR tools, along with the Red Team Exercises, to help ensure the configurations’ effectiveness and allow your IT team to prepare for actual emergencies.

Summary:

Protect workstations that control hardware such as robotics, pharmaceuticals, lasers, and scientific instruments, regardless of whether they utilize AI. This helps ensure the safety and operability of your systems, protecting your organization and workers.

Subscribe to maximize your executive potential with Foster Institute’s E-Savvy Newsletter, packed with practical IT security solutions and actionable strategies for success: https://fosterinstitute.com/e-savvy-newsletter/

(Image source: Bing. Learn more at [Bing.com].)

The post An Executive’s Handbook to Securing Modern Manufacturing Networks and Robots, AI or Not appeared first on Foster Institute.

Apple’s new App Tracking Transparency feature prompts you to allow apps to share your information. Google is working on an alternative solution for Android users.

While many users will appreciate being able to control the sharing, the websites and app developers that rely on income based on tracking information will suffer. Some predict Facebook might lose 5% of its revenue.

Please forward this to your friends to be sure they know about this controversial leap towards increasing privacy.

The post Controversial New Privacy Control Prompts on Your Phone appeared first on Foster Institute.

The companies they hacked. But it isn’t ransomware; this is an example of bug bounty activities. Companies, including Microsoft, Zoom, and Apple challenge hackers to break in and reward them when they do.

The rules are simple: Attackers have 15 minutes to exploit a vulnerability that allows them to run a program on the target computer. In real life, an attacker could run a virus or some other malicious program.

An attack team calling themselves DEVCORE successfully took control of a Microsoft Exchange Server and earned two hundred thousand. An attacker who calls themselves OV broke into Microsoft Teams and earned another 200K. Daan Keuper and Thijs Alkemade from Coputest netted two hundred thousand for taking over a computer using Zoom messenger.

The great news is that Microsoft, Apple, and the other participants will create updates and patches to protect their products. Provide your IT team with time to install the updates to protect your organization. See more about the results here: https://www.zerodayinitiative.com/blog/2021/4/2/pwn2own-2021-schedule-and-live-results

Please forward this to your friends in case they are not aware of hacking contests that ultimately make the world a safer place.

The post Hacker Contest Nets Winners Hundreds of Thousands of Dollars appeared first on Foster Institute.

Take a few moments to have the anti-scammer conversation with those you love. Their computer screen might display Microsoft’s logo stating that there is a virus on their computer. It is a scam, and they should not phone the tech support number on their screen.

Encourage your loved ones to watch the hilarious TED talk video: ted.com/talks/james_veitch_this_is_what_happens_when_you_reply_to_spam_email

Please forward this to your friends, so they alert their trusting loved ones.

The post Protect Loved Ones from Tech Support Scams and Share this Hilarious Video appeared first on Foster Institute.

A little background information helps explain what is going on: Every device connected to a network has a serial number, called a MAC address. That address is how the network identifies the device and differentiates it from all the other devices on a network. As you can imagine, networks need to know what devices are connected. Think of what might happen if the network thought your computer was a printer. Printer paper might not come shooting out of your keyboard, knock over your coffee or smoothie, but you get the idea.

Because the MAC address uniquely identifies you for everyone else, think of the MAC address as a fingerprint for your device. Potentially, an advertiser, or someone in a public place, could use your fingerprint, in this case, your device’s MAC address, to track you, your activities, and what networks you use.

Apple, Google, and Microsoft want to help protect your privacy, so they might periodically change the MAC address on your computer to a different address. The new behavior strives to help keep you more anonymous on public networks at hotels and coffee shops. However, randomly changing MAC addresses can break essential security features, including:

1) As my friend did, you might start receiving alarming alerts that another person connected a new device to one of your websites or accounts. The warnings are concerning until you realize it is your computer reconnecting with a new unique index. After a time, you might ignore the alerts. But then you won’t know if a real attacker broke into your account with some other computer, tablet, or phone.

2) Parental controls at home fail if the safety restrictions are unique for each family device. When a youngster disconnects and reconnects to your network, sometimes they are no longer protected.

3) Your company keeps an inventory of your computers, tablets, and phones. It is challenging to keep the list current when your IT team must track three times as many devices as you have.

How do you solve this? It is possible to disable the randomization feature, but it takes time to reconfigure. Time is a precious commodity for you and your IT team too. An example of how to disable the behavior on iPhones, iPads, and Apple Watches: support.apple.com/en-us/HT211227

However, your employees or kids could change the feature back again to help them hide on your networks.

The answer to my friend’s question is that if the website tells you a date, time, and location of that person’s login, and you know you weren’t logging in from there at that time, yes, you need to be concerned. Otherwise, your experience may be because your device is disguising itself from the website. Disable the randomization feature, and the problem might go away.

Please forward this to your friends so that if they, or their IT team, cannot figure out why some of your security features are breaking, they will know to suspect their devices are rotating through MAC addresses.

If you want more technical details, a network identifies your device with an index number called a MAC address when you connect. There are more than 280 trillion possibilities for a MAC address; the odds are that nobody you know has the same number as your device. The first half of the number identifies the manufacturer; that makes it easier to find unidentified devices on a network.

Other problems you’ll notice because of rotating MAC addresses include:

4) Security tools at the office fail to work if the security tools rely on associating users with their computers, tablets, or phones. This problem affects both BYOD and company-issued devices.

5) IT Professionals can configure necessary reservations for computers, tablets, and phones. Those reservations are based on index numbers. When the index changes, the reservation stops working, and systems can fail or lose security.

6) Your websites will forget you. Some sites have a feature to Remember This Computer, so you do not need to go through as many steps each time you log in. The sites identify your devices by their index numbers. Your device will need to be re-remembered when your index changes.

MAC addresses look like FF:FF:FF:FF:FF:FF:FF:FF where each value I listed as F can be a hexadecimal digit 0,1,2,3,4,5,6,7,8,9, A, B, C, D, E, or F. If you know where to look, your phone, tablet, and computer can tell you the MAC addresses of each network interface.

The new behavior is causing lots of frustration in the cybersecurity world. This battle isn’t over yet.

The post Your Phone, Tablet, and Computer Started Hiding You – and How to Overcome the Associated Problems appeared first on Foster Institute.

Cloning a hard drive creates a second drive that looks, to a computer, identical to the source drive. If your laptop or computer gets ransomware or seems infected somehow, you can restore a cloned drive’s image to effectively reset the computer to how it was when you most recently made a clone. Additionally, if the hard drive crashes, the clone could quickly replace that drive’s functionality.

Create frequent clones of your computer’s hard disk to one or more external USB hard drives. Keep making your other backups too.

For Windows computers, Microsoft provides the System Image Creation feature. Commercial options include Shadow Protect Desktop from StorageCraft and Acronis True Image.

For Macs, options include Carbon Copy Cloner, Acronis True Image, and SuperDuper! Check compatibility with your version of OSX. Apple Time Machine is always compatible, and it is possible to boot into recovery mode to restore a drive from Time Machine, but it’s not a clone.

(We do not receive compensation for, nor do we endorse specific products. It is essential to give you examples.)

Please forward this to your friends to ensure they know cloned hard drives often permit speedy recovery of ransomed computers. If they have a clone image of a hard drive, work from home users can likely stay productive even when their computer malfunctions.

The post Prepare Now to Recover Quickly from Ransomware on Mac and Windows Computers appeared first on Foster Institute.

It makes sense that malware uses strategies to infect and hide inside of networks undetected. Here is some fascinating insight into that self-preservation: The malware related to SolarWinds attack looks for specific security related software, including a free program named WireShark, before installing itself. If Wireshark is running in Windows, the virus installation terminates itself.

Should you run WireShark on your computers 24×7? Ordinarily, IT Professions remove WireShark in case attackers installed it. Paradoxically, running WireShark will stop the initial activation of the SolarWinds attack. WireShark is not the only choice. Open this Microsoft article and use CTRL-F search for the word WireShark to see the other security related tools that will horrify some malware: https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/

But, after SUNBURST installs itself, it is too late. It doesn’t look for security related tools after installation.

This message is not a recommendation to run these applications, nor is it intended to dissuade you. If organizations start adopting this strategy to thwart cautious attacks, it will be interesting to see how malware responds.

Forward this article to your friends so they receive this insight into how bad actors strive to avoid detection and discuss implementing this unconventional approach to stopping malware installations.

The post Tips and Tricks: An Unconventional way to Protect Yourself from SolarWinds and Future Hacks appeared first on Foster Institute.

There are so many webpages about the Solar Winds attack. Here are three of the most useful. Please forward this to your IT team.

Do not let the title of this Microsoft article fool you. Microsoft explains how the attack starts and progresses, complete with diagrams. Not only is this page fascinating reading about this horrible attack, understanding the tactics helps your team protect you from future supply chain attacks:
https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/

Microsoft’s recommendations about how to protect Office 365: https://techcommunity.microsoft.com/t5/azure-active-directory-identity/protecting-microsoft-365-from-on-premises-attacks/ba-p/1751754

SUPERNOVA is malware that different attackers made to impersonate the SolarWinds SUNBURST attack, and it is dangerous too. SolarWinds addresses both in their comprehensive information about determining if SolarWinds installations are affected and how to protect your organization: https://www.solarwinds.com/securityadvisory

Please forward this message to other organizations you care about, especially your suppliers, so their IT Pros have three of the most useful links amongst the dozens of others.

The post Three of the Most Useful Links About the SolarWinds Attack: appeared first on Foster Institute.

SolarWinds is a well-respected organization, and many organizations utilize their products. Not enough details are known to discredit their organization. Clearly, attackers see them as valuable enough to use as an infection vector.

This is called a supply chain attack because bad actors use a trusted product in an organization’s supply chain to attack the organization. A similar well-publicized attack happened with a popular tool, with many benefits, called CCleaner. The attackers successfully compromised 2.3 Million PCs.

The CCleaner supply chain attack is an illustration of dwell time. Attackers waited five months from the time they gained access to CCleaner before they launched the attack on CCleaner users. Many computers were safe, but not 2.3 Million of them.

Remember: Just because your organization fixes a vector through which the infection came does not eliminate damage already done. As an analogy, if you were the king or queen of a castle, and you found that attackers entered your castle walls to attack your city, raising the bridge over your moat does not eliminate the attackers who already made it inside.

Supply chain attacks are one of many reasons to eliminate as much software as possible at your organization. If a program is not essential, remove it asap. SolarWinds is vital for many organizations.

Please forward this to your friends so they can alert their IT departments to address this situation, and know to remove all non-essential software from all computers.

The post Emergency Update if Your IT Team Uses SolarWinds Products, and How to Protect Against Supply Chain Attacks appeared first on Foster Institute.

Here is how the scam works: Suppose you want to look up a company online named Super Duper, so you type the store’s name into your favorite search engine. An attacker might have purchased the top result to take you to the website superduperco.com. However, if you knew to scroll down past the paid-for-results, you would have seen that the real website is superduper.com. Attackers set up a website and named it superduperco.com.

Their deceptive site might contain malicious advertising, ask you to enter credit card numbers during checkout, or tempt you to download malicious programs and apps. They might ask you to login or reset a password, and they capture the password you type in.

If you look up a retailer in a search engine, skip past the ads and paid results. Scroll down to see real search results. Even then, be skeptical in case attackers used SEO techniques to appear at the top of the actual search results.

Please forward this to your friends to alert their users that top search engine results can be a trap.

The post Beware: Attackers Buy Top Search Engine Results to Trick You appeared first on Foster Institute.