July 2019 – TCM Labs

Your Periodic Web Services Review

For some groups, the website is a low-risk front door for general marketing; for others, the site is tied to web commerce and the daily revenue figures. The website may list addresses, phone numbers, hours of operation, and key personnel. It may advertise detailed job openings. It may be the gateway to web applications and portals servicing different clients, suppliers, partners, employees, and others.

So, if you’ve done your homework and kept your basic information up to date — including (1) your list of assets needing protection, (2) your modeled threats, and (3) your lists of who should and should not be able to access what — then you have a basis for a plan to monitor, test, and periodically review that everything is in order. Consider some very basic questions:

Is uptime critical? Do you monitor load and availability? Who is alerted when something goes awry? When is the last time you tested that system?
How long would it take to notice that your website has been defaced? How will you detect it? Who is notified? Do you have a plan to recover from such an event? Are those systems tested?
The website is often a first stop for open source intelligence gathering ahead of focused attacks — especially “social engineering” efforts. When was the last time you had a fresh pair of eyes review your public content as part of a risk assessment?
When were your web applications last tested? Here, “web application” may mean your proprietary systems with online access, or it may mean your ordinary WordPress deployment for your basic website, or it may mean anything in between. Do you track and monitor attempts to access? Are you alerted to odd behavior?
Are your systems kept up to date with security patches? If the systems are hosted, do you have contractual guarantees in place from the providers?
Etc.

If you haven’t done so in a number of years, I’d propose a simple experiment for you: Throw up a simple website at a public IP address, register a domain name, then point that name to that server address. Now sit back with a bowl of popcorn and watch the logs… The amount of time between registration and being swarmed by automated attacks and probes is essentially nil — and those probes are looking for all vulnerabilities, from the ancient to the ones just announced yesterday. All have come to accept that this is just the way it is now, so the defense is up to you.

Stay current. Review your posture and test your systems, from detection through response and recovery.

TCM Labs works with clients to help ensure that your defenses are current and that your compliance checks occur at a manageable pace throughout the year, giving you ample time to make mitigations before the final reports. For more information contact us via our web form.

Politics & Communication Readiness

Social media has lit up with discussion and links to stories of overseas software developers being locked out of their accounts on popular developer websites. The reason? U.S. trade sanctions. It’s said, for instance, that a developer in Iran is locked out of GitHub, a well-known, highly utilized software collaboration site that hosts an incredible trove of open source software projects. GitHub was recently acquired my Microsoft…

Personally, I figured that our nearest problems to general freedom of communications would be the rescinding of FCC consumer protections; the DOJ’s incessant push for weak encryption and back-doors; the draconian notions that we should all be monitored for our own good and protection; government partnership with industry to circumvent protections; and even the purely commercial interests in tracking our every location, search, click, and view. They’re the everyday news stories that numb us. But in some cases, we can count on some balance of “mutually assured destruction” and general detente to ensure some sense of sanity, at least on average…

The individual’s ability to communicate with family, with community, regionally, and even internationally, is really quite fragile. The same is true for general access to information, and insomuch as the least of us are pawns at best in larger games, our accesses may be altered or revoked on a whim.

So, here’s your periodic reminder: Whatever your personal skills may be, make sure that you have people in your circle who know how to keep lines of communication open in a wide variety of circumstances. Build secondary digital and analog networks alike that do not necessarily rely on the commercial internet. Remember that most network equipment works just fine to connect peers if enough forethought is given to planning the routes. Consider finding the more forward-thinking ham radio operators to help bridge the gap where wires aren’t practical.

We advise our ordinary commercial clients to generally do the same: If the internet is critical to your business operations, ensure that you have multiple accesses, parallel stacks of network equipment for fail-over, load balancing to handle demand, redundant power sources should a piece of equipment fail or a transformer down the road blows, … We advise that the client have a clear communications plan as part of their incident response strategy. If it’s that important, build redundancies and periodically practice using them. Why would you do less for your personal connections?

TCM Labs encourages business and personal clients alike to have tested communications plans in place so that they will have access to the people and information they need even in degraded or hostile network environments. If this is a concern for you, take the initiative now.

The Lab

TCM Labs takes client requirements and prototypes solutions in our lab network enclaves.

The ability to experiment, to investigate, to stage solutions, and to roll back mistakes, is absolutely paramount to any kind of success in the IT World.

When I began with computers and playing with software programing in the 80s, the biggest investments above the computer itself were the compilers for different languages. As long as you had working backups of the DOS floppies and you didn’t trash your hard drive (if you had one), you were good: you always started with a system in the same state after the BIOS loaded. Software development, particularly for isolated systems, was very low risk. Make changes and try them out. If you don’t like the outcome, rollback to an earlier version and try again.

When I began exploring linux in the 90s, that became a slightly different story. Lucky to have one computer in the house, the notion of screwing up a dual-boot installation and leaving the computer inoperable was terrifying. There was no backup or throw-away laptop on the side. Playing with disk partitions and the master boot record? Cold sweats. The cost of a making a mistake was huge. We irrationally moved through that fear and fortunately came through alright.

The barriers to entry for real IT and computer science expertise was daunting. Skip forward 30 years? For $10 per month, you can stand up a small linux server in the Amazon cloud, and with a few mouse clicks you can back-up the entire state of the machine. Misconfigure it and screw it up? Restore back to your last save snapshot. Alternatively, for a one-time $35 expense, you can buy a Raspbery Pi which is arguably more powerful than one of those basic AWS micro-instances. Making a backup of the entire state means making a copy of a micro-SD card. Similarly for restoring.

Suddenly, the ability to investigate, to experiment, to stage solutions, and to rollback mistakes is accessible. Now anybody interested in exploring is welcome to build and enter their own rabbit hole…

I’m sure we’ll spend future posts describing the components of such a lab for folks who are interested in the tech, but for now, it’s just a bit of the backstory.

TCM Labs takes client requirements and prototypes solutions in our lab network enclaves. Clients are given access into our networks to explore the technologies and debug solutions ahead of a deployment into their own environments. Contact us to explore solutions for your environment.