Today Cyber Security plays a paramount role in global security. On this blog, the CEO of Paramount Defenses shares rare insights on issues related to Cyber Security, including the World's Top Cyber Security Risk, Advanced Persistent Threats (APT), Cyber Warfare, Corporate Espionage, Insider Threats and other topics.



August 25, 2017

Teaching the $ 550 Billion Microsoft Corp about Active Directory Security

Folks,

As some of you may know, over the past few weeks, I have been publicly taking the $ 550 Billion Microsoft (Nasdaq: MSFT) to Active Directory Security School (see PS3 below) because today global security literally depends on Active Directory Security.


In case you're wondering why, here's why -



The Importance of Active Directory Security

From the White House to the British Houses of Parliament, and from Microsoft to the Fortune 1000, at the very foundation of IT, identity and access management, and cyber security at over 85% of all organizations worldwide today lies Active Directory.


In other words, the foundational security of thousands of government and business organizations depends on Active Directory.

To paint a picture - Governments, Militaries, Law Enforcement Agencies, Banks, Stock Exchanges, Energy Suppliers, Defense Contractors, Hospitals, Airlines, Airports, Hotels, Oil and Gas Companies, Internet, Tech and Cyber Security Companies, Manufacturing Companies, Pharmaceutical Companies, Retail Giants ... <the list is long> all run on Active Directory.




Operating in the Dark

Given my background, experience and whatever little I know about the subject, I have reason to believe that most organizations worldwide that operate on Active Directory are operating in the dark today, and have absolutely no idea as to exactly who has what level of privileged access in their foundational Active Directory!


Further, because over the last decade, almost 10,000 organizations from across 150+ countries worldwide have knocked at our doors unsolicited, we know exactly how much these organizations know about Active Directory Security, and we're shocked to know that 99% of them don't even know what "Active Directory Effective Permissions" are, and upon giving this due thought, we have arrived at the conclusion that the world's complete ignorance on this most paramount aspect of organizational cyber security can be attributed to the fact that Microsoft has likely not even once educated its customers about its importance!




Let There Be Light

So, I made an executive decision that we need to educate the $ 550 Billion Microsoft Corp about the paramount importance of "Active Directory Effective Permissions", so that they can in turn educate the thousands of vital business and government organizations at whose very foundation lies Active Directory about its sheer and cardinal importance.


Make no mistake about it - no organization that operates on Microsoft Active Directory today can be adequately secured without possessing the ability to determine effective permissions on the thousands of building blocks of cyber security (i.e. thousands of domain user accounts, computer accounts, security groups and policies) that reside in its Active Directory. It's really that simple.




A 1000 Cyber Security Companies!

Speaking of which, although there are supposedly over a 1000 cyber security companies in the world (and incidentally, at their very foundation too lies Microsoft Active Directory), not a single one of them has the ability, the expertise or even a single solution to help the world accurately determine "effective permissions" in Active Directory. Not a single one of them!


Well, except ONE.

Best wishes,
Sanjay


PS: If you can find even ONE cyber security company in the world that can help the world do this, you let me know.

PS2: Microsoft, before you respond, please know this - I've conquered mountains, and I'm likely your best friend.




PS3: To help the world easily follow Active Directory Security School for Microsoft, here are each day's lessons -





August 11, 2017

A Suggestion for President Trump regarding Dealing with North Korea


Dear President Trump,

Hello. As President of Paramount Defenses, I pen this letter most respectfully to you, the President of our United States.

Sir, almost all reasonable people would agree that a bellicose and now nuclear North Korea likely poses a threat not just to the United States but to the whole world, and that this threat must be dealt with. While there are several options, including military options, that you may be considering, I just wanted to say that you may want to give a peaceful resolution to this situation a reasonable chance (because wars are gruesomely destructive), and perhaps there may be still something that could be done.


Of course, North Korea must make no mistake about one fact - it must unequivocally understand that if it attacks the U.S. or its territories or allies, the U.S. will have no choice but to act to defend itself, and if it does, it will likely be the end of North Korea.




Speaking of Nuclear Weapons and North Korea

I likely speak on behalf of not just millions of American citizens, but billions of people worldwide when I say that this dangerous "sabre rattling" needs to please stop; we just cannot have a(ny) country threatening the world with the use of Nuclear Weapons.

Nuclear Weapons

We should also make NO mistake about this - This must please stop, and yet we must try and do all we can do to resolve this PEACEFULLY, because wars are gruesomely destructive. It is estimated that should this situation result in a war on the Korean peninsula, millions of people in numerous countries may lose their lives and/or be severely impacted.

If I might add, in today's civilized world, no one person in the world, whether it be the leader of any country (whether it be North Korea, Iran, China, Russia, USA, etc.) or entity should be able to endanger the lives of all 7,000,000,000+ people on Earth.

Speaking of peaceful efforts, allow me to voice one unsolicited suggestion, which involves a country that may likely have, over the years, whether unintentionally or otherwise, played^ a (not so small) role in helping North Korea get where it is today, and they now ought to do everything they can to help resolve this situation peacefully, and that one country is China.

 [ ^ Watch this 6 min video - "China is North Korea's largest trading partner and has pushed hard for the livelihood exemptions" , "Sanctions will only be as effective as Beijing wants them to be" , "Regime survival is exactly what China actually wants to see"]




Where Does China Stand on This?

Sir, as of Aug 11, 17, you've certainly tried to have China resolve this problem. However, it does not seem to (yet) have worked.


As of this morning, according to the Global Times newspaper, which although is not an official mouthpiece of the Communist Party, does according to experts most likely reflect government policy, China is likely okay with an armed conflict in the region.

I quote from here -
"Beijing is not able to persuade Washington or Pyongyang to back down at this time. It needs to make clear its stance to all sides and make them understand that when their actions jeopardize China's interests, China will respond with a firm hand."
"China should also make clear that if North Korea launches missiles that threaten U.S. soil first and the U.S. retaliates, China will stay neutral. If the U.S. and South Korea carry out strikes and try to overthrow the North Korean regime and change the political pattern of the Korean peninsula, China will prevent them from doing so."

In other words, by not being against it, China is apparently tacitly okay with an armed conflict in the region. That's concerning.

Today, no country in the world should be okay with any such conflict, especially one involving countries with Nuclear Weapons.

China needs to realize that now is the time to respond to North Korea with a firm hand (; lest it might be too late & cost a 100x.)

China may need to unequivocally understand that this isn't just about a regional conflict or stability in one specific region of the world, but that this could result in the use of Nuclear Weapons and that could potentially dangerously impact the entire world.





The Suggestion - Having China Do More

In reality, as its largest trading partner, China does likely have a substantial amount of influence on North Korea, which is also why most sanctions imposed on North Korea by the U.N. thus far may have only been as effective as China wanted them to be.

Thus, perhaps, all countries in the world that desire peace, led by the U.S., should earnestly communicate to China that unless China does more to help, the world may have no choice left but to begin to look into potentially unfair Chinese trade practices and consider* (even if temporarily) substantially reducing their imports from China (i.e. the import of goods Made in China).


Perhaps, as a consequence, if China realizes that the world may seriously no longer be interested in importing its inexpensive goods, and that it may stand to lose up to a Trillion $ in trade each year, unless it "reins in" North Korea, perhaps it will do more.

(As such, China should be quite concerned about the possibility of any armed conflict in its region as it could impact its people. If concern for the safety of its billion+ people doesn't motivate China, perhaps the potential of a Trillion $ a year of loss, may.)

China may very well understand this today, so they need to flex some serious muscle to help resolve this dangerous situation.





[ A small digression...

An Unintended Impact

Incidentally, this could help kick-start your Made in USA initiative, and perhaps help reduce the trade imbalance with China, and although products for the U.S. consumer may no longer be dirt cheap, it could start bringing back American manufacturing jobs, thus helping your #MAGA slogan.


Speaking of #MAGA, while America is already a great country, its greatness may likely indeed have diminished a bit in light of globalization, and speaking of jobs, perhaps it may help to let the American people know that it is our own companies, i.e. the major companies whose products the American populace consumes, that whether driven by fierce competition and/or a desire to "maximize shareholder value", may have over the years substantially outsourced manufacturing, so it may be up to the people to consider having (and if they decide, could have) these companies put country/security ahead of maximizing profits.

(It is difficult to walk into a Walmart or a Home Depot anywhere in the U.S. and find any products that are not "Made in China." Obviously, since you Sir, are (supposedly) a Billionaire, I do not expect you to have personally walked into a Walmart or a Home Depot, but in all likelihood a majority of all hard-working people living in the U.S. may likely know what I'm talking about.)

Lastly, perhaps we, the American people may also need to realize that it may not likely be possible to simultaneously have both, "dirt-cheap (i.e. super inexpensive) products" and "American manufacturing jobs." Perhaps, if there is a strong desire to bring back manufacturing jobs to the U.S., it may require, even if for a bit, some adjustments as consumers - perhaps consume a little less, but buy quality products that are Made in USA as well as made in all such countries that adhere to fair trade practices.

Here, I should mention that it is also certainly possible for (a more responsible and fairly competing) China to continue to be a major exporter of goods to the U.S., just as long as the Chinese too engage in manufacturing under fair trade practices, fair employment, regard for the environment, and for human rights, thus making the manufacturing playing-field level for all nations.

Alternatively, in lieu of having thousands of companies bring back manufacturing jobs to America, perhaps we could make solid results-driven investments towards helping our workforce acquire skills in those fields and industries that play a substantial role in contributing to America's exports, in effect helping millions of our people find suitable, respectable and gainful employment, as well as contributing to an increase in American exports, which too will have the effect of improving uneven trade deficits.

Speaking of Made in USA, perhaps the best way for you Sir, to demonstrate your commitment and seriousness of purpose to #MAGA, may likely be to lead by example and have all products made by the Trump Organization be made here in USA.

... end of digression.]





In Summary

The World should stand united on one front - regarding threats involving use of Nuclear Weapons, there must be zero tolerance.


As for North Korea, it must make no mistake about one fact - it must unequivocally understand that if it attacks the U.S. or its territories or allies, the U.S. will have no choice but to act to defend itself, and if it does, it will likely be the end of North Korea.

The Chinese too must understand that any military conflict in their region, especially one potentially involving the use of even a single nuclear weapon, and its fallout, could endanger not just all the countries in the Korean Peninsula, but also likely threaten and perhaps possibly jeopardize the very existence of Earth, and the last I checked, a billion Chinese people too, live on Earth.

If millennia of history haven't taught us about the horrors and savagery that military conflicts and wars entail, and if millennia of progress haven't made us all realize that we all need to peacefully co-exist, then while we may have made material progress, what have we truly learnt?

Instead of predominantly pursuing profits, world-domination and egos, we should (all) instead be first pursuing peace, love and harmony, improving life for everyone, and cherishing and saving our precious planet (because in the Universe, it's all we have.)

Most respectfully,
Sanjay


PS: I write neither as a Republican nor a Democrat, merely as a caring citizen, and not just as a U.S. citizen, but as a peace-loving global citizen, i.e. just one of 7,000,000,000+ people that live in 150+ countries worldwide who believe in living in Peace.


*A Note to China: We respect almost everyone, including your great nation, we mean no disrespect whatsoever, and like you we believe in fair trade, including with your nation, but far more importantly, we also value and believe in peaceful co-existence (as should you), so if the suggestion made above seems a tad extreme, please consider that it is only made in light of far more extreme circumstances i.e. a belligerent North Korea threatening (in effect, not only) the U.S. (but global security) with WMDs.

You ought to ask yourselves if you're really doing everything you can to defuse this incredibly reckless and dangerous situation; should this result in an armed conflict in your region, your great country and its people may very likely be substantially impacted.

This is not the time for any party to play "Chess." This is the time for all countries to help prevent a potentially nuclear conflict.

July 10, 2017

A Letter to President Donald Trump regarding Global and Cyber Security

Dear President Trump,

Hello. As President of Paramount Defenses, I pen this letter most respectfully to you, the President of our Great United States.

First off, I should mention that I write neither as a Republican, nor as a Democrat, but as a fellow patriotic American citizen and a cyber security specialist, because I care, and that my desire to do so publicly is inspired by how much you Sir share publicly, and that this most respectful letter is in light of your tweet about discussing the creation of a Cyber Security Unit with Russia.

I'll do my best to keep this VERY simple.



Top-5 Global Security Risks

As President of the United States, you're likely aware of the Top-5 risks to not just America, but to the entire world today -


1. The Risk of the Use of a WMD / Nuclear War
2. The Risk of Earth's Demise, posed by Climate Change
3. The Risk of Terrorism, posed by Terror Groups Worldwide
4. The Risk of the Decline of American Leadership in the World
5. The Risk of Swift and Colossal Damage, posed by Cyber Threats

I am by no means an expert on global security, but common sense suggests that risks 1 and 2 above would be catastrophic to all of mankind, risk 3 could pose a serious threat to life and property, and that risk 4 could increase the likelihood of risks 1, 2 & 3.

As for risk 5, I do happen to know one vital area of cyber security decently well, so I'll share just a few thoughts about it, but first, I did want to take a moment to talk about risk 4 because it potentially impacts the lives of 7,000,000,000+ people worldwide.




The Importance of American Leadership

Mr. Trump, as President of the United States, you are the most powerful and influential person in the world, and most people would take such GREAT responsibility VERY seriously, since their actions and decisions could save or destroy the world.


Sir, the elections are over. You won. You are the President of the United States, and it is time to let the talking be, and start working to make America great again. This isn't reality TV, this is real life, and it's a billion times more significant and serious.

If I were the President of the United States, and I deeply cared about making America great again, I likely wouldn't have a moment to watch TV, Tweet or Golf. I'd be working harder than the hardest American to make America greater and safer.

(If I may momentarily digress, speaking of making America great again, while there likely may certainly be much to be done to restore its greatness, we owe it to our future generations to do so without polluting or endangering our precious environment.)

Today more than ever, we live in a precarious, highly-connected and inter-dependent world, and the world needs strong, mature and steady American leadership to amicably address so many important and complicated issues, such as those listed above.

Speaking of which, I'd like to share a few thoughts on risk 5, the risk of swift and colossal damage posed by Cyber Threats, but before I do so, again, I'd request you to please take a few moments to comprehend the profound importance, seriousness and significance of both, the position bestowed upon you by the American people, as well as (of) the challenges that you, Sir, today have the unique privilege and responsibility of addressing for both America and the world that America is inextricably a part of.

[ Hopefully you see that the reality is that since America is inextricably a part of the world, what happens out in the world could impact us substantially, so to make America great(er and safer) again, we must maintain American leadership in the world. ]





The Cyber Risk

Mr. President, to put it most simply, Cyber Security is the Achilles' Heel of developed nations today, because over the last few decades, our reliance on computer systems and networks has increased substantially (exponentially), and sadly within them exist many systemic and component specific deficiencies (vulnerabilities) which can be exploited to inflict colossal harm.


(This risk is actually addressable, and what the world needs is a White Knight so we have a trustworthy foundation to operate on, but until we get there i.e. until the world has such a defensive shield in place to rely on, we all have reality to deal with.)

Consequently, today from our governments to our energy grids, from our defense systems to our transportation systems, and from our banks to our industries (i.e. a nation's business organizations), literally everything is exposed to varying levels of risk.

It is thus hardly surprising that today cyber security is one of the most important challenges the world faces, an assertion best evidenced by the fact that Russia's purported cyber interference in the 2016 American elections, remains a contentious issue.


Speaking of which, while the U.S. and in fact all countries and, ideally, all business organizations should certainly bolster their cyber defenses, establishing a Cyber Security Unit with the Russians might NOT be such a good idea, as also voiced by 1, 2, 3.

By the way, those who truly understand cyber security know that there is no such thing as an "impenetrable cyber security unit".

A quick digression. Yes, indeed the Russians are very good at cyber security and likely at hacking, and they're persistent, but they're not the only ones out there trying to hack our agencies and companies, and they don't always succeed. But, I digress.


Mr. President, you may likely already have some of the world's best inputs and advice when it comes to cyber security, so I'd just like to share paramount cyber security insight with you - Trillion-Dollar Cyber Security Insight for President Donald Trump.


Mr. President, as I put my pen down, I'll only add that of the risks listed above, in the near-term, the Cyber Risk may be 2nd only to the Nuclear Risk, because its realistic probability of occurrence is substantially higher, and its potential for damage, colossal.


Mr. Trump, you have a historic opportunity to SERVE the American People, and define your legacy - it's yours to embrace or squander.

Respectfully,
Sanjay.

January 20, 2017

Trillion-Dollar Cyber Security Insight for President Donald Trump

Dear Mr. Trump,

Hello. I'm Sanjay, President of Paramount Defenses. I just wanted to congratulate you on your historic win, wish you success, as did President Obama, and share VALUABLE cyber security insight that could be VITAL to your administration's success.

Before I get to it, I should mention that I write neither as a Republican, nor as a Democrat, but as a fellow patriotic U.S. citizen and a cyber security professional, and that my desire to do so publicly has been inspired by how much you Sir share publicly. Given the sheer impact of our important work across America and the world today, we are a 100% non-partisan organization.

One quick vital point - regarding all the talk of Russian hacking to influence the U.S. election, while Russia and possibly others may certainly have tried to influence it, professionally speaking i.e. as a cyber security practitioner, in the grand scheme of things, it matters not as to who is trying to hack us, as much as it does that we protect ourselves from being hacked, so from that angle you're likely right that the DNC should have adequately defended itself. You see, once an entity is hacked, at that very moment the damage is done, because their data is now in someone else's hands, and the entity no longer has any control over what the perpetrators do with it. In fairness, one should also add that if indeed Russia did hack the RNC as well, but chose not to divulge their data, then reasonably speaking, that would have amounted to what is being called "an attempt to influence an election."


That said, Mr. Trump, hopefully you'll agree that given our sheer reliance and dependence on computers and technology, the success of your Presidency and your administration will GREATLY depend on the cyber security of our government agencies.

Attribution: Mr. Trump's photo: Michael Vadon

In that regard, I thought you should know that at the very foundation of cyber security of our entire U.S. Government (i.e. 600+ federal agencies) lies a single technology, Microsoft Active Directory, the cyber defense of which is paramount to our security.

You may or may not know this yet, but the White House, the U.S. Capitol, all our intelligence agencies, and virtually all our departments (e.g. Defense, State, Justice, Energy, Labor, Interior, Veterans Affairs etc.) all operate on Active Directory.

By the way, I must mention that none of this is classified information. This is all public knowledge. I just happen to know it first hand because I'm former Microsoft Program Manager for Active Directory Security, i.e. a "deep in the trenches" technical guy who possibly knows more about Active Directory security than most people on the planet. (I also happen to be an innovative American entrepreneur who built possibly the world's most relevant and important cyber security company, from the ground up.)

In fact, Active Directory is at the very foundation of cyber security of 85+% of all government and business organizations world-wide (The Americas, Europe, Asia, etc.) including at the foundation of virtually all of the tech companies whose CEOs recently visited you i.e. Microsoft, Amazon, Alphabet, IBM, Intel, Facebook, Tesla etc., as well as a little cyber company called Palantir.

It is very likely that thousands of business and government organizations in Russia too might be operating on Active Directory.

Sir, in all likelihood, the Trump Organization may also be operating on Active Directory. (Your IT folks could verify that for you.)


Mr. Trump, our cyber intelligence indicates that the foundational Active Directory deployments of most organizations worldwide may currently be exposed to an alarmingly vast attack surface, and thus may possibly be rather easily compromisable today.

The specific cyber security risk that most of them are all likely exposed to today is succinctly described in The Paramount Brief -


Password (case-sensitive): AreWeReallySecure?


If you're short on time, here's a very brief summary -
In every network powered by Active Directory, all administrative accounts i.e. the accounts of the individuals that possess the "Keys to the Kingdom" lie within Active Directory. It is a well known fact that if a perpetrator can compromise ANY one of these accounts, he/she could easily access and control everything. Thus, in every organization, ideally the number of such powerful accounts must be at an absolute bare minimum.
Unfortunately, in most organizations today, not only are there a HUGE number of privileged user accounts in Active Directory, NO ONE really knows exactly who they are and what power they possess. In other words, most organizations seem to be operating in the proverbial dark, & if breached, could likely be compromised in minutes.
In essence, a huge, unknown number of highly prized privileged accounts in Active Directory constitute a vast attack surface, and the compromise of any one of them would be tantamount to a system-wide compromise. 

In our professional opinion, this poses a major cyber security risk globally, especially considering the statistics, i.e. 100% of all major recent cyber security breaches involved the compromise of a single (i.e. just 1) Active Directory privileged user account.

From our side, we can certainly (and uniquely) help organizations worldwide precisely identify and reduce their attack surface, as well as empower them to mitigate this serious risk, swiftly and cost-efficiently, but we do need them to understand it first.


I must also mention with due respect to the likes of Peter Thiel, Alex Karp, Ted Schlein & others, I doubt they're familiar with this specific risk or understand the depth of its magnitude, because this is one of those you have to be "deep in the trenches" to get.

Speaking of which, in 2016, we had directly informed the CEOs of most of the world's Top 200 companies (including most of the tech CEOs that came and met you at the Trump Tower), as well as all appropriate officials at most federal and state agencies about this risk to the foundational Active Directory deployments of their organizations; they all received The Paramount Brief.

Our intelligence further indicates that as a result, many of these organizations started to look at the security of their foundational Active Directory deployments for the first time ever. While some may have started bolstering their cyber defenses, sadly, many of these organizations likely continue to remain vulnerable, especially considering how easy it is to compromise them today.

For instance, if an intruder could breach their network (and Microsoft suggests that organizations assume breach), in many cases he/she could just deploy Mimikatz DCSync to instantly 0wn them. (Alex/Peter should be able to explain this to you.)

Fortunately the solutions required to swiftly, effectively and cost-effectively help all impacted organizations mitigate this critical risk exist today (e.g. 1,2). However, we're finding that many organizations do not even seem to know about this risk.

We worry that unless certain basic and fundamental cyber security measures are enacted quickly, many of our government and business organizations, as well as those of our allies worldwide, will likely remain vulnerable to cyber attacks in the near future.

From our side, we're doing what we can to educate and safeguard organizations worldwide, but much more needs to be done, and quickly so. It's in that regard that your intentions give many of us in cyber security, as well as the American people, hope...



Making America Great(er and Safer) Again

In addition to making America greater, we must also make (not only) America (but also our allies) safer, not only from physical threats but also from cyber threats. In fact, given our HUGE reliance on technology, and considering how easy it is to launch a cyber attack, the cyber threat may pose a far greater threat to our national security and prosperity than do physical threats.

I've read that it is your intention to appoint a team to combat cyber attacks within 90 days of taking office. That (in your parlance) sounds WONDERFUL. I commend you for this initiative. Indeed, it is imperative and in fact paramount that we do everything we can to safeguard and adequately defend our government and business organizations from being taken out by cyber attacks.


If I had to offer some unsolicited advice, I'd suggest that one of the most important measures one could enact is Attack Surface Reduction. Simply put, the smaller one's attack surface is, the better one's chances of being able to adequately defend it.

For instance, it is so much easier to protect a building that only has one entrance than it is to protect one that has 20 entrances, and where only a few security guards have the master keys to the building, than one wherein who knows how many have them.

That's why, considering the statistics i.e. the fact that 100% of all major recent cyber security breaches involved the compromise of a single (i.e. just 1) Active Directory privileged user account, reducing the number of users that have privileged access within Active Directory to a bare minimum, then adequately protecting them, must be one of the top priorities for all organizations.

Sir, in short, provably secure (least-privileged access adherent) foundational Active Directory deployments at all our federal government agencies and at all business organizations they rely on, are likely going to be vital to your administration's success.

(As you'll likely agree, this isn't rocket science; it's common sense. If a government agency is compromised (e.g. OPM Breach), assets or initiatives it might be working on could be in jeopardy. Similarly, if a business organization (e.g. a Defense Contractor, a Builder etc.) that the government relies on for its various initiatives is compromised, those initiatives could be in jeopardy.)


Thank you, and Best Wishes

In closing, thank you for your time, congrats on your bigly win and good luck as you get ready to serve the American people.

The American people have entrusted you with the great responsibility of leading our great nation, as well as the might of American power, and they're looking to you to make their lives better and to make America greater and safer again.

In God We Trust, so wish you God Speed in your efforts to fulfill your promises to make America great(er and safer) again.

Most Respectfully,
Sanjay


PS: At Paramount Defenses, because we understand the paramount importance of cyber security to the business and national security interests of the United States and those of our allies, we care deeply about cyber security and we take it very seriously.

January 10, 2017

Who Needs WMDs Today?

Folks,

Today, I would like to share with you another Trillion $ question, one that I had originally asked more than 10 years ago. Today it is exponentially more relevant, given the paramount role that Cyber Security plays in national and business security.

So without further ado, here it is - Who needs WMDs (Weapons of Mass Destruction) Today?


Ans: Only those who don't know that we live in a digital world, one wherein virtually everything runs on (networked) computers.

Why would an entity bother trying to acquire or use a WMD when (if you're really smart) you could metaphorically stop the motor of entire organizations (or nations) with just a few lines of code designed to exploit arcane but highly potent misconfigured security settings (ACLs) in the underlying systems on which the organizations of the world operate?

Today, all you need is two WDs in the same (pl)ACE and it's Game Over.

Puzzled? Allow me to give you a HINT:

Here’s a simple question: What does the following non-default string represent and why should it be a great cause of concern?
(A;;RP;;;WD)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)(A;CI;LC;;;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU) (A;CI;RPWDLCLO;;;WD)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU) (OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(A;;RC;;;RU)(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)

If you read my words very carefully, as you always should, then you'll find that it shouldn't take an astute and knowledgeable mind more than a minute to figure it out, given that I’ve actually already provided the answer above.

Some of you will have figured it out. For the others, I'll shed light on the answer soon. Stay tuned...
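The string quoted above is a list of ACEs in SDDL form, each written as (type;flags;rights;object GUID;inherited object GUID;trustee). The following is an added example, not code from the original post: a small parser that splits such a list into its fields and reports any allow ACE that gives a broad trustee (such as Everyone or Authenticated Users) the right to change an object's permissions, owner or properties. The function names are this example's own, the sample is a subset of the ACEs from the string above, and only two-letter right codes and `0x` hex masks are handled.

```python
import re

# SDDL right codes for directory objects and their access-mask bits.
RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
    "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GX": 0x20000000,
    "GW": 0x40000000, "GR": 0x80000000,
}
# Rights that let the trustee change the object or its security descriptor:
# WD = modify permissions (WRITE_DAC), WO = modify owner (WRITE_OWNER),
# WP = write property, GA = generic all, GW = generic write.
MODIFY_RIGHTS = {"WD", "WO", "WP", "GA", "GW"}
# Trustee codes (and well-known SIDs) that cover very large sets of accounts.
# Note that "WD" as a trustee (Everyone) is unrelated to "WD" as a right.
BROAD_TRUSTEES = {
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "AN": "Anonymous Logon", "S-1-5-7": "Anonymous Logon",
    "DU": "Domain Users", "BU": "Builtin Users",
    "RU": "Pre-Windows 2000 Compatible Access",
}
ALLOW_TYPES = {"A", "OA"}  # access-allowed and object access-allowed ACEs
ACE_RE = re.compile(r"\(([^()]*)\)")

# Sample input: a subset of the ACEs from the string quoted in the post.
SAMPLE_SDDL = (
    "(A;;RP;;;WD)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(A;;RPLCLORC;;;AU)"
    "(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)"
    "(A;CI;RPWDLCLO;;;WD)"
    "(A;;RC;;;RU)"
)


def decode_rights(field):
    """Return the set of two-letter right codes encoded in an ACE rights field."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {name for name, bit in RIGHTS.items() if mask & bit}
    if len(field) % 2:
        raise ValueError(f"odd-length rights field: {field!r}")
    names = {field[i:i + 2] for i in range(0, len(field), 2)}
    unknown = names - RIGHTS.keys()
    if unknown:
        raise ValueError(f"unknown right code(s): {sorted(unknown)}")
    return names


def parse_aces(sddl):
    """Split an SDDL ACE list into dictionaries, one per ACE."""
    aces = []
    for body in ACE_RE.findall(sddl):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, obj, inherit_obj, trustee = fields[:6]
        aces.append({
            "ace": f"({body})", "type": ace_type, "flags": flags,
            "rights": decode_rights(rights), "object": obj,
            "inherit_object": inherit_obj, "trustee": trustee,
        })
    return aces


def find_risky_aces(sddl):
    """Report allow ACEs that grant a modify-class right to a broad trustee."""
    findings = []
    for ace in parse_aces(sddl):
        if ace["type"] not in ALLOW_TYPES or ace["trustee"] not in BROAD_TRUSTEES:
            continue
        risky = sorted(ace["rights"] & MODIFY_RIGHTS)
        if risky:
            findings.append({
                "ace": ace["ace"],
                "trustee": BROAD_TRUSTEES[ace["trustee"]],
                "rights": risky,
                "inherited_by_children": "CI" in ace["flags"],
            })
    return findings


if __name__ == "__main__":
    for finding in find_risky_aces(SAMPLE_SDDL):
        print(finding)
```

Run against a security descriptor exported from your own directory, an empty result means no broad trustee holds a modify-class right in that ACL; it says nothing about rights held through group membership, which still have to be resolved separately.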

Best wishes,
Sanjay


PS: If you need to know right away, perhaps you should give your Microsoft contact a call and ask them. If they too need some help, tell them it has to do with a certain security descriptor in Active Directory. (There, now that's a HINT the size of a domain, and it could get an intruder who's been able to breach an organization's network perimeter to root within seconds.)

PS2: If this intrigues you, you may want to check out - Defending Active Directory Against CyberAttacks

PS3: On a more serious note, WMDs are possibly the most horrific creation of humans. Only those who have no respect or regard for the most precious thing in the world, life, would even think about acquiring or using them. If in 2 millennia of history, humans haven't learnt this, and don't understand that all 7,000,000,000 of us on this precious planet we call home should all strive to peacefully co-exist, then I'm afraid humans haven't learnt much. As such, given the rate at which mankind is exploiting this unique, beautiful and so precious planet we call home, it may likely not last another millennium or even a few hundred years. We ALL owe it to our planet to take utmost care of it.

January 1, 2017

Cyber Security/Hacking: Russian Code Likely Running in U.S. Government

Folks,

In light of all the talk of Russia's purported involvement in the recent U.S. Elections by way of hacking, we felt the need to let it be known that today, computer code that was either likely written in Russia and/or that is still likely supported from within Russia, is likely still running in highly privileged security contexts across potentially many parts of the U.S. Government.


To the wise, we need say no more.

By the way, this is neither something that we uniquely know nor is it classified information. This information is freely available in the public domain and can be easily deduced by some basic online sleuthing, by anyone with merely an Internet connection.

Just one more thing; as a cyber security professional, I find the means by which whoever hacked the DNC and John Podesta's emails absolutely laughable - I mean what an amateur job it was, and yet the profoundness of its impact is almost unbelievable!

I mean, here we worry about how someone could write a few lines of code targeting Active Directory and potentially be in a position to proverbially shut the motor of the world, and there some kid just phishes John Podesta into obtaining access to his Gmail account and thereby to vast amounts of private email, which he/she then purportedly passes on to WikiLeaks, who ends up releasing it in the public domain, and that, according to the CIA, ends up influencing the U.S. Election.

Best wishes,
Sanjay

PS: To the respected folks in our govt., please know that we already informed the highest cyber security officials concerning the likely presence of Russian code earlier last year. However, if there is still a need to identify it, pls let us know; we're here to help.

November 23, 2016

The World's Biggest Cyber Security Breach (Yet) & Role of Cyber Weapons

Folks,

I'll keep this very short. The recent U.S. Elections, possibly the world's most important global event, are now over, and one of the biggest takeaways from it would undoubtedly have to be the sheer impact that a cyber security breach can have today.


In fact, professionally speaking, if one were to consider the impact of a cyber security breach, the recent breaches of the DNC and Mr. Podesta's Gmail account, albeit so amateur, would have to be possibly the world's biggest cyber security breach yet.

Why?  Because these simple breaches resulted in the compromise of the confidentiality of vast amounts of an entity's sensitive private data (i.e. 1000s of emails of the DNC and Mr. John Podesta), the public disclosure of which is widely believed to have influenced the outcome of arguably the most important event on the planet, the election of the President of the United States.

In fact, the Director of the NSA, Admiral Michael Rogers recently said that there shouldn't be "any doubt in anyone's mind" that there was "a conscious effort made by a nation state" to sway the result of the 2016 presidential election.

If you can impact the most powerful office in the world, you can potentially impact the future of mankind as well as the planet. Since these cyber security breaches impacted the most powerful office in the world, they'd have to be the world's biggest yet.

In light of these breaches, there's been talk about the need for and role of cyber weapons to bolster America's cyber defenses.



[ (If I may digress for a bit.)  Begin Digression] 

Speaking of Cyber Security Weapons

Given cyber security's paramount importance in today's world, and the growing role that cyber warfare plays in modern warfare, the need for and the importance of cyber security weapons is becoming clearer. Reportedly, recently the U.S. Government may have been signaling more emphasis on developing cyber weapons to deter attacks, punish intruders and tackle adversaries.


Speaking of cyber security weapons, interestingly, unlike military weapons (e.g. conventional and nuclear weapons) which have traditionally and primarily been in the hands of and controlled by governments, since the development and deployment of cyber security weapons only requires technical cyber security expertise (, not massive infrastructures (e.g. materials, factories, bases, launch pads, personnel, deployment vehicles, satellites etc.)), they could actually be moderately easily developed as well as controlled by non-government entities (e.g. $B corporations) and potentially be used by not just governments (nations) to aid, assist and gain superiority in modern (and cyber) warfare and diplomacy, but also by business organizations alike to influence business and political outcomes, such as to influence elections in other nation states (e.g. Russia.)

Given today's super highly digitally connected world, cyber security weapons are likely to play a prominent role in global affairs.

(By the way, I only happen to know a thing or two about cyber security weapons since we recently built one, primarily to serve as a deterrent, and to demonstrate the sheer technical superiority (defensive and offensive capabilities) in the cyber security space that exists today for the protection of the business and national security interests of the United States and its allies.)

[End of Digression]



Of all the major recent cyber security breaches (Snowden, Target, JP Morgan, Sony, Anthem, OPM etc.), in terms of impact, the recent breaches of the DNC & Mr. Podesta's Gmail account may possibly have been the biggest cyber security breach(es) yet.

Oh and I say yet because today it is entirely possible to develop powerful cyber security payloads/weapons that could possibly automate the compromise/destruction of a specific organization or a vast number thereof, in a specific nation, or many thereof.

We care deeply about cyber security.

Best wishes,
Sanjay

November 4, 2016

Does Anyone Really Care? (Speaking of Cyber Security, Microsoft & Trust)

Folks,

This is important so if you care about cyber security, you'll want to take a few moments to earnestly read this in its entirety.


Microsoft (, Google, the U.S. Elections, the Russians) and an Unpatched Critical Zero-Day Vulnerability

On Oct 21, 2016, Google's Threat Analysis Group reported 2 critical zero-day (i.e. previously unknown) vulnerabilities, one to Adobe and one to Microsoft. Adobe acted swiftly and patched the vulnerability in its Flash software on Oct 26, i.e. within 5 days.


On Oct 28, 2016, after 7 days of having reported it to the appropriate vendors, per its published policy for actively exploited critical vulnerabilities, Google publicly disclosed this vulnerability. As of Oct 28, Microsoft had not yet patched this vulnerability.

Publicly disclosing a critical unpatched vulnerability in Windows (versions 7, 8, 8.1 and 10*), especially one that is being actively exploited, could potentially impact security globally, and just 10 days before the world's most important election, i.e. the U.S election, also possibly impact the future of mankind. (But wait, don't arrive at any conclusions yet; please read this entire post.)
* Customers using Microsoft Edge on Windows 10 Anniversary Update are known to be protected from versions of this attack observed in the wild.

If there's one thing the world has learnt this year, it is that in today's world, hacking and its impact can undoubtedly influence an election. The second thing the world has learnt this year is the ease with which purportedly Russian hackers have been able to engage in political hacking to compromise the cyber security of various U.S. entities including the DNC and Mr. John Podesta.

With just days left before the election, publicly disclosing a critical unpatched vulnerability in Windows could potentially empower many more malicious entities, including those widely believed to have already done so, to engage in further hacking in their attempt to further influence the election. If by any chance, U.S voting booth machines happen to be running an impacted version of Windows, and hackers are able to compromise them by exploiting this unpatched vulnerability, __ <you can fill in the blanks.>

By the same token, so could Microsoft not doing everything it can to immediately patch this critical vulnerability. In other words, in light of the possibilities shared above, like Adobe did, ideally Microsoft should have patched this without any delay.

It appears Google felt that it should be patched immediately. It appears the $ 500B Microsoft did not. You can be the judge.

(Instead of patching this immediately, what does Microsoft do and say?! It's astonishing, so please keep reading...)




Microsoft, are you Serious ?

Since Google probably took Microsoft by surprise by, per its published policy for actively exploited critical vulnerabilities, publicly disclosing this vulnerability 7 days after reporting it to Microsoft, Microsoft was likely left with no choice but to publicly defend itself and issue a statement, and instead of patching it immediately, it did a most astonishing thing (; see "But it was.." part below.)


On Nov 01, in a short blog post paradoxically titled Our commitment to our customers’ security, written by an Executive Vice President in the Windows and Devices group, it in effect said that an activity group called STRONTIUM conducted a low-volume spear phishing campaign to target a specific set of customers by leveraging this unpatched vulnerability, and that Microsoft is coordinating with Google and Adobe to investigate the campaign and create a patch, which they plan to release on Nov 08.

Excuse me Microsoft, but by then the election would have been over, and by not releasing a patch immediately, you left a 7-day window (no pun intended) of opportunity that who knows how many malicious entities, including those widely believed to have already done so, could use to engage in further hacking in their attempts to possibly further influence this historic U.S. election.

But it was the very next sentence in the blog post that was unbelievably astonishing and I quote - "To address these types of sophisticated attacks, Microsoft recommends that all customers upgrade to Windows 10, the most secure operating system we’ve ever built, complete with advanced protection for consumers and enterprises at every layer of the security stack."

Microsoft, are you kidding us?

This could potentially further impact the most important election in mankind's history, and instead of the $ 500 Billion Microsoft Corp immediately fixing the critical zero-day vulnerability, which they themselves are saying may have been used by purported Russian hackers in enacting the recent political hacks (, and which they should have ideally found before the STRONTIUMs of the world do/did so in the first place), they're using (even) this to pitch the latest version of Windows!   That's just unbelievable!

Oh, and by the way, in that same blog entry, Microsoft goes on to say, and I quote "Microsoft has attributed more 0-day exploits to STRONTIUM than any other tracked group in 2016." Er, here's a simple question for Microsoft - "How come STRONTIUM is able to find so many 0-day exploits, and if so, how come you, a $ 500 Billion company are not able to find and patch them before STRONTIUM or for that matter anyone else can?" Perhaps Microsoft could take a petty $ Billion from its Cloud marketing budget and use it to assemble a team dedicated to finding and fixing such vulnerabilities in their foundational Windows software.




Speaking of Trust  (Actions Speak Louder Than Words)

Microsoft if you are truly committed to your customers' security and to Trustworthy Computing, and I believe you are, please back your words with appropriate and responsible actions because to your customers your actions speak louder than words.


I believe that not immediately releasing a patch for a serious unpatched vulnerability in Windows that is currently being exploited to inflict great harm, especially days before the world's most important election that has already been influenced by the impact of such hacks, was not responsible. Further, ill-using this situation to pitch your latest version of Windows to customers was not responsible. Neither was not educating customers for 16 years about something so vital to their security (; context in next para.)

Just last week, I had to publicly take Microsoft to Active Directory Security School, because over the last 16 years, across the entirety of security guidance (whitepapers, blogs, videos etc.) they have released on Active Directory Security, they have not once mentioned the most important and cardinal aspect of Active Directory security - Active Directory Effective Permissions.

In my professional opinion, in not having done so, even if unknowingly, they may have left over 85% of the world to deal with a massive cyber security challenge, a prime example of which is the sheer lethal power of Mimikatz DCSync made possible by a certain talented Mr. Benjamin Delpy, and for which Microsoft has no solution to offer to the world today. (None whatsoever.)

In fairness to them, they might say that they don't have to have a solution to every problem, because they have a huge partner ecosystem that helps address many such problems. They may be right, but they don't even seem to know that this problem is so difficult to solve that out of thousands of partners in their ecosystem, not one of them has a solution to this Trillion $ problem (; except one, and that's only because behind it, is one of their own i.e. a passionate former Microsoft cyber security expert.)


Microsoft is spending billions of dollars to become a dominant player in the Cloud, and to persuade IT executives at the world's biggest public and private organizations to move to their Cloud. However, they need to understand that if they want the world to move large parts of their IT infrastructures and IT assets into their cloud, especially the Keys to these Kingdoms (i.e. Domain Controllers), they're going to have to demonstrate trustworthiness and EARN trust, and that's done by actions, not mere words.

By the way, the "mere talk is cheap" saying applies to everyone, including us; behind my talking is a decade of industrious action.

I.e., this is coming from someone who loves Microsoft, cares deeply about cyber security and who's persevered for a decade to solve arguably the world's most difficult cyber security problem for Microsoft and the world, and whose work today uniquely helps secure and defend the foundational cyber security of so many prominent organizations across six continents worldwide, including the United States Government.

Along with great power, comes great responsibility.

Best wishes,
Sanjay

PS: Satya, in August I said someday I'll tell you what the most valuable thing in life is. It's Trust, followed by love, faith & time.

November 1, 2016

Election Influencing Podesta/DNC Email Hacks, Cyber Attacks and Russia

Folks,

There is no doubt that the recent email hacks of John Podesta and the DNC will have influenced the U.S. presidential election.



Given my background, I am often privately asked about my thoughts on the Podesta / DNC Email hacks purportedly carried out by Russia. Due to paucity of time, instead of having to respond to this so many times, I figured I'd publicly share a few thoughts.

But first I do wish to make it unequivocally clear that as (the CEO of) not just America's, but possibly the world's most relevant cyber security company today, we are professional, completely unbiased and objective, and this is only a professional opinion.

Disclaimer: My thoughts below are based on a cursory assessment of how Mr. Podesta's email was hacked. It is believed that at the time the DNC was hacked, they too may have been using Gmail, and thus may have been hacked in a similar fashion.



Simple Hacks, Huge Impact

Brass tacks, the Podesta/DNC email hack is simply a case wherein an entity that was engaging in high-value communications using a relatively low-assurance system (i.e. a free/low-cost email service) and insufficient security controls (i.e. not requiring two-factor authentication for password changes/resets) was compromised using simple social engineering involving very basic technical means by a 2nd entity, who in turn purportedly passed the compromised data to a 3rd entity that disclosed it publicly.

The 1st entity was John Podesta / the DNC, purportedly the 2nd entity was Russian hackers, and the 3rd entity was WikiLeaks.

When I say relatively, I mean that compared to (say) an in-house deployed, managed and controlled Active Directory integrated Microsoft Exchange Server based communications infrastructure that also requires 2-factor authentication (i.e. Smartcards), a free/low-cost email service is a relatively low-assurance system, especially when being used for high-value communications.

For those who may not know, Mr. Podesta was using a Gmail account; he apparently received a phished email and clicked on a link.

In fairness to Mr. Podesta, apparently his assistant did ask their IT staff about the legitimacy of that phished email, and was told that it seemed legitimate and was okay to click on. In addition, at that point in time, apparently someone did ask as to whether or not two-factor authentication was enabled on his account, and if not, suggested that it be immediately enabled.

All said and done, apparently Mr. Podesta did end up clicking that link and at that very moment his account was compromised.


The rest i.e. the huge impact of the public disclosure of this sensitive data on the U.S. presidential election, is all over the news.


Now, strictly speaking, the only thing that makes this a huge deal is that in this case the compromised data happened to be vast amounts of high-value sensitive, private email conversations of one of two parties contesting an election in a specific country. The actual technical means involved in compromising security here were basic, a 2.5 on a scale of 1 to 10, 1 being very easy.

You see, usually perpetrators begin by trying to phish a target just to gain a foothold inside the organization's network perimeter. However, in a case where emails may be all they're after, and the target's already using a free/low-cost email service, merely step 1, i.e. being able to successfully phish that free/low-cost email service account will get them to mission-accomplished, because once they have compromised that email account, right then and there they have access to all of the account's emails.

Thus, using relatively easily targetable and compromisable free/low-cost email accounts likely increased their risk exposure.


From a professional cyber security standpoint, one of the most fundamental principles of security, the Principle of Adequate Protection, states that "an asset must be protected to a degree consistent with its value". In line with it, ideally entities engaging in high-value communications should be using sufficiently high-assurance systems and employing adequate security controls.   In light of this, in this case, the use of a free/low-cost email service to engage in high-value communications seems perplexing.

If you have high-value/sensitive communications to engage in, please do not use low-assurance / inadequately-secure systems to engage in them. If you absolutely must use a low-assurance/free email service such as Gmail for high-value/sensitive communications, at least do enable 2-factor authentication for password changes/resets to protect against phishing attacks.

At the end of the day, it matters not so much as to who compromised you, as it does that someone was able to compromise you. Once you've been compromised, the impact of that breach is purely a function of the perpetrator's motives and actions.



Speaking of Massive Cyber Attacks

Sorry for a brief digression. As a mature cyber security practitioner, what I find more amusing than comical write-ups such as this and this is that the recent DoS attacks to hit the U.S. east coast were being referred to as a massive/huge cyber attack.

Don't get me wrong. Those attacks may have been massive/huge in terms of the number of websites they momentarily DOS'ed out, but if you consider the technical mechanics involved, brass tacks, it's still just a (large) bunch of old-fashioned basic TCP/IP SYN flooding, using compromised IoT devices. It's fancy, but it's still simple stuff with relatively low moment-in-time impact.


To put things in perspective, a massive cyber security attack would be one wherein a proficient adversary such as an advanced persistent threat could gain control over large parts of a country's power-grid, government, security and financial infrastructures. These are the kinds of cyber attacks we (know of and) worry about. In fairness, most cyber security companies aren't there yet.



Speaking of Russia

It is widely suspected that Russia carried out the DNC and Podesta email hacks. No one likely knows the facts, neither do I, so in regards to Russia, I'll share what I do know.


This so-called "hack" was so simple, that possibly even a smart freshman from anywhere in the world could have carried it out.

That said, speaking of Russia and its purported cyber attacks on U.S entities, what should be more concerning (and we know this based on publicly available info) is that most likely, code that was likely either written in Russia or is still being supported / updated from inside Russia, may likely be running in highly privileged security contexts in various parts of the U.S. Government.

(Responsible disclosure: Strictly speaking, there's nothing to disclose here since this info has been publicly available for years, yet out of an abundance of caution, earlier this year we did bring this to the attention of several top U.S. Government officials.)

The Russians are considered to be adept at hacking, so if it was them, I'm surprised that they would resort to using such basic attack vectors (i.e. phishing a Gmail account); I suppose it must be their starting point, and it appears they got lucky at step 1 itself. Now, if their target was a specific Gmail account to begin with, then of course that is exactly where they would start.



An Important Concluding Point

I'd like to make one very simple and important point - it matters not as to who is trying to hack you, because as long as you have digital assets of value to someone, there could be (and likely already are) many entities wanting to hack you, driven by various motives; what matters is that you need to protect yourself from being hacked by anyone in the first place.

In this specific case, although any logical mind can easily see why Russia might stand to gain a lot from the outcome of the U.S. election, one could similarly reason that many other countries in the world could stand to gain much from its outcome as well. In fact, not just countries, many corporations worldwide could stand to gain or lose much based on the outcome of this election.

The point again being that it matters not as to who is trying to hack you (or why), it matters that you protect yourself from being hacked by anyone. Mature entities consider it a norm to assume that they are always operating in a hostile environment with numerous adversaries trying to hack them 365-24-7. That is the unfortunate reality of engaging in business in a digital world.

By the way, I prefer not to use the word hack, because there's a connotation of casualness to it. It would be nice to see the media use professional terms like breach, compromise, security incident etc. as they rightfully have a serious connotation.

As I conclude, I'd like to request all organizations (including of course, all media companies and all cyber security companies) worldwide to look within and if required, consider bolstering their cyber security defenses and enhancing their security posture.

Best wishes,
Sanjay