Don’t be ‘Petyafied’!


Just when the world was recovering from the crisis caused by WannaCry, there’s yet another bump in the wire, and this time it’s far more serious than its predecessor. Yes, it’s PETYA.

** By predecessor, a ransomware is implied; beyond that there is minimal to no relation between the two.

First things first – Petya looks like an all-out attempt to bring down Ukraine. There’s already mounting evidence that Petya’s focus on Ukraine was deliberate. The initial attacks were limited to just a few specific infections, all of which seem to have been targeted at Ukraine. The highest-profile one was a Ukrainian accounting program called MeDoc, which sent out a suspicious software update on Tuesday morning that many researchers blame for the initial Petya infections. Attackers also planted malware on the homepage of a prominent Ukraine-based news outlet, according to one researcher at Kaspersky.

Bottom line – the attackers had complete control over where they planted Petya (at least initially), and they chose to plant it in some of the most central institutions in Ukraine.

Now, let’s get to the nuts and bolts of this new kid on the block.

How does Petya commence and proceed?

Petya takes over its victims’ computers and demands $300 in Bitcoin. Once one computer in an organization (the first, known as patient zero) is infected, it spreads rapidly across the organization using the EternalBlue vulnerability in Microsoft Windows (Microsoft has released a patch, but not everyone will have installed it) or through two Windows administrative tools. The malware tries one option and, if that doesn’t work, tries the next. “It has a better mechanism for spreading itself than WannaCry,” said Ryan Kalember of cybersecurity company Proofpoint. However, unlike WannaCry, Petya tries to spread internally within networks but does not seed itself externally.

How do you temporarily and permanently stop the infection?

The ransomware infects computers and then waits for about an hour before rebooting the machine. While the machine is rebooting, you can switch the computer off to prevent the files from being encrypted and try to rescue the files from the machine. This is a temporary, corrective measure. For a permanent, preventive approach, make sure the Windows OS is patched with the latest patches from Microsoft and that your AV/HIPS or host firewall software is updated to protect against this threat.

What if my system is already infected and encrypted?

If your system reboots with the ransom note, please don’t pay the ransom – the attacker’s email address has been shut down by the email provider, so there’s no way to get the decryption key to unlock your files anyway. The best way to move forward is to disconnect your computer from the Internet, reformat the hard drive and restore your files from a backup.

** Backing up your files regularly and keeping your anti-virus software up to date are highly recommended.

What software can I use to protect against Petya?

One of the most popular host firewall and AV solutions is ZoneAlarm.

If you already have AV software, make sure it is updated. Windows updates, as mentioned earlier, will help prevent the infection.

That covers individual PCs; however, what can I do to protect my enterprise-wide network?

Well, there are a couple of ways to offer preventive defense. One is to segment your network (conventional subnet-based segmentation, or micro-segmentation using SDN) so as to protect critical systems from user-facing systems. This also offers the capability to protect between the network, storage and compute layers within your private DC or your cloud ecosystem. Check out Check Point’s vSEC solution.

The other approach is to have your existing or new firewall gateways offer Advanced Threat Protection (ATP), and to have endpoint agents offer advanced sandboxing and on-host defense capabilities. Check out and

Hope this article helps you stay protected from nasty threats and conduct business as usual.


Posted by on July 1, 2017 in Cyber Security



I don’t ‘Wanna Cry’ – And that’s for a fact!

So, there’s been a rant about the Windows vulnerability and un-patched systems being exploited by Wanna Decryptor. Some of that is supposedly the user’s fault (why click on something when you’re not sure what it is?), and some of it is the fault of the way the ransomware has been described in the wild. Why the latter, you may ask? Simply because there’s been a lot of hoax and noise about what seems to be yet another ransomware attack – only this time it is related to a vulnerability that was supposed to be fixed, provided the users updated Windows.

Apart from the noise, here are some facts and findings pertinent to this specific ransomware.

The malware itself: Wanna Decryptor (wncry) ransomware is reported to be based on a tool developed by the NSA to hack into computers. The NSA tool was used by a hacker group called the Shadow Brokers. The code is publicly available and can be found in

Delivery: The malware is delivered as a Trojan through a loaded hyperlink that a victim can accidentally open from an email, an advert on a web page or a Dropbox link.

Activation and exploit: Once wncry is activated, the ransomware spreads through the computer and locks all the files. Once the files have been encrypted, wncry deletes the originals and delivers a ransom note in the form of a read-me file. Moreover, it changes the victim’s desktop wallpaper to a message demanding payment to return the files.

The specifics: the wncry malware modifies files in the /Windows and /windows/system32 directories and enumerates other users on the network to infect.

Mitigation: Use the latest AV definitions and personal/corporate firewalls, and don’t click on anything that doesn’t look right.

Repercussion: a $300 ransom to be paid to decrypt your data.

Story from Microsoft: Microsoft has not disclosed how it came to know about the vulnerabilities included in the MS17-010 patch. Microsoft also has not disclosed any information about “in the wild” exploitation of these vulnerabilities. Either way, here’s the location of the security update

Summarizing – this is a big outbreak, and getting to know the malware well before running into it serves you well. Patch your Windows machines and make sure the AV signatures are updated. And above all, don’t click on anything unintended or unaccounted for.
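Both this post and the Petya post above come down to the same host-level checks: is the MS17-010 update installed, is the SMBv1 protocol that EternalBlue targets still enabled, and does the host firewall stop inbound SMB from peer machines (the host-side counterpart of the segmentation advice). The following PowerShell script is an added example, not code from either post; it assumes an elevated session on Windows 8.1 / Server 2012 R2 or later, and the MS17-010 KB identifier for your OS build is a placeholder you must fill in from the Microsoft bulletin.

```powershell
# Added example (not from the original posts): audit a Windows host for the
# EternalBlue exposure WannaCry and Petya used, and optionally remediate.
# Assumptions: elevated PowerShell on Windows 8.1 / Server 2012 R2 or later;
# the MS17-010 KB number below is a placeholder for your specific OS build.

param(
    # KB identifier(s) of the MS17-010 update for this OS build (placeholder;
    # look it up in the Microsoft bulletin for the exact build you run)
    [string[]]$Ms17010Kb = @('KB-PLACEHOLDER-FOR-YOUR-BUILD'),
    # Audit only by default; pass -Remediate to apply the changes
    [switch]$Remediate
)

function Test-Ms17010Installed {
    param([string[]]$KbIds)
    # Get-HotFix lists installed updates by their KB identifier
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbIds) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Test-Smb1Enabled {
    # EternalBlue targets SMBv1; with the server side off, the exploit has
    # nothing to talk to regardless of patch state
    $cfg = Get-SmbServerConfiguration
    return [bool]$cfg.EnableSMB1Protocol
}

$findings = @()
if (-not (Test-Ms17010Installed -KbIds $Ms17010Kb)) {
    $findings += 'MS17-010 update not found in Get-HotFix output'
}
if (Test-Smb1Enabled) {
    $findings += 'SMBv1 server protocol is enabled'
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: MS17-010 present and SMBv1 disabled'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}

if ($Remediate) {
    # Turn off the SMBv1 server (the EternalBlue attack surface)
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Workstations have no business accepting inbound SMB from peers, so block
    # TCP/445 inbound on the domain and private profiles (lateral spread path)
    New-NetFirewallRule -DisplayName 'Block inbound SMB (EternalBlue)' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block `
        -Profile Domain,Private -ErrorAction Stop
    Write-Output 'Remediation applied; a reboot may be needed for the SMBv1 change'
}
```

Run it without switches first to see the findings, then with -Remediate once you have confirmed the host does not legitimately serve SMB to its peers.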


Posted by on May 15, 2017 in Security Posts



CHFI All The Way! My Cyber Security Journey’s Milestone.


It has been a lot of fact-, learning- and fun-filled weeks that I’ve been trying to get a handle on the art of cyber forensics. And like the idiom goes – all’s well that ends well. I’ve been able to achieve a milestone in my learning and jousting with computer/network forensics by attaining my Computer Hacking Forensic Investigator, or CHFI. After CEH this is my second ECC certification (almost 4 years after I achieved CEH).

So, why forensics or digital/cyber investigation related study and certification? I decided to change gears the forensics way because it’s one of the least understood and least discussed cyber security streams. Any certification or on-the-job experience would not normally involve doing forensics or understanding and deploying your inner Sherlock Holmes. This side of cyber security is often unseen, unheard and blindsided in the wake of daily operations and business as usual. And that’s what caught my attention – the things which allure the most, however, are not very well understood or discussed amongst security professionals.

It’s been a lot of learning and head scratching (well, sometimes almost banging my head against the wall over some rather intricate topics), playing around with some tools (like EnCase, Mobiledit) and, most importantly, understanding how the end-to-end cyber forensics process pans out. I learned a lot and came to know things above and beyond the nature of the job that a security professional such as myself is usually engaged with.

As usual, I’ll share my experience with this certification and my journey to achieve the same. I hope that my experiences are useful and that you can achieve this certification.


The exam itself – This exam has been around for the last 7+ years and has evolved a lot from its predecessors. I took the v8.0 as I had been preparing for it for a while, although v9.0 has been very much available since last year. CHFI is a pretty draining exam in that it addresses many areas of cyber forensics – from PC forensics to mobile forensics to application forensics and finally network forensics. It covers all the basics and the know-how required from forensics to investigation to conclusion, which is great, as this is something not taught in security 101. What we traditionally learn and practice is network, application and information security; not their underbellies in terms of conducting a forensic investigation, tracing the evidence back to the perpetrator and going through the chain of evidence/custody. And this goes on and on; you’ll have to use your imagination to guess where. A lot of uncommon topics are more than enough to throw you off, and it’s not unusual to be lost in the depths of legal obligations or standards, and even the way evidence must be handled from discovery to its presentation to convict the cyber criminals. See the topics covered and other requirements here –

The insights to the exam – The exam is a killer in that it is a 180-degree twist and covers subjects far apart from what we as security professionals are used to doing vs. what this certification demands. This is certainly for the folks who have been in the ICT industry for a while and have a good grasp of security – from both a network and an information security backdrop. The exam is 4 hours long (not that you have to sit for all 4 hours, unless it takes that much time to answer all questions) and consists of 150 questions – multiple choice (single and multiple options) as well as true/false type. This is a closed-book, proctored certification exam. Now, it is important to note that this exam is only delivered online via and you get an online proctor from. Oh yes, before I forget to mention – you need to undergo an eligibility and verification process (and pay a fee for this and other ECC certifications) with EC-Council. You have to go through an application where they verify your security experience, and only upon a successful application can you sit for the exam. A minimum of 2 years of security experience is required. I was exempted from the eligibility process and application as I already have CEH and more than 10 years of security experience.

My experience during the exam – The questions were very varied and not so much as expected. I saw a lot of basics being tested, such as HDD geometry and the OSI stack pertinent to forensics and traffic analysis. As expected, there were questions on PC, mobile and network forensics and best practices to lead an investigation. I did enjoy the time during the test and, instead of being stressed, I maintained my calm to ensure that I didn’t get fatigued (both click-wise and mentally) as well as to ensure that the right choice was indeed the right choice the first time. 4 hours is more than enough from a time perspective, and it takes grit to hold up the security persona during the exam coming from a non-forensic background.

I marked quite a few questions on my way to completion of the first pass, as I would call it. I managed to complete the first pass in about 2 hours. I completed the second pass in another 15 min or so, looking over the marked questions. The worst thing would have been to second-guess myself, hence I changed just a couple of answers where it made absolute and concrete sense. And then submitted for grading. I passed with 93% (70% is the minimal score to pass). And that calls for a happier weekend, knowing that I have achieved another milestone in my quest for knowledge!

The preparation – For the prep I used a number of resources:

1. CHFI official slides. These are very helpful, and that’s where most of my preparation came from.
2. CHFI all-in-one guide. This was also helpful, especially with the exam practice questions.
3. I read through a few other forensics books and articles. To name a few – Computer Forensics a Pocket Guide, Computer Forensics for Dummies, Computer Incident Response, Digital Forensics for Network, Internet, and Cloud Computing, and so on. I skimmed the content where I knew it and read where I knew I had holes from an information and understanding-of-subject point of view.
4. Practiced a few more questions from

Summarizing – This is hands down one of the most alluring and comprehensive certifications pertinent to computer and network forensics. Security practitioners and professionals who intend to further their understanding of this subject matter (which is quite interesting and uncommon) should go for it. For me, it was the journey that was more rewarding than the certification.



Posted by on April 29, 2017 in Cyber Security



IoT Hack = Security Lapse. And it’s just the beginning

Dallas, Texas – On Apr 8, 2017, around 11:42 PM, for no apparent reason, 156 tornado sirens went off (all together) and woke up what can best be described as scared and baffled residents. When the sirens repeated in 90-second cycles, the locals thought they were being (or about to be) bombed.

Dallas Mayor Mike Rawlings posted an update for citizens on his Facebook page ( where he described the incident as a hack, i.e. an attack on the emergency notification system. He also wrote, “This is yet another serious example of the need for us to upgrade and better safeguard our city’s technology infrastructure.”

The news was posted on many major news channels and websites – including CNN

The most comprehensive coverage is from

Now, while news channels/websites and reporters talk about the situation and have provided updates on how the issue was handled and finally resolved, let’s consider some facts and try to derive some inferences from the incident from a cyber security perspective.

First – it is more than assured that this was an intentional hack and not a ‘mistake’ by someone in the emergency service grid. Hence, this implies that the security controls deployed were either not sufficient or not tested properly during the planning and deployment cycles. At first there was speculation that the system was not controlled by back-end software at all; however, that was ruled out, and this proves the point well enough: integrating security (controls) into every system (offline or online), from planning through deployment and testing, should be an absolute zero-tolerance exercise.

Second, the hacker(s) were motivated and determined to make it happen, at the most awkward hour. This hacker or hacking group made it look easy enough, without leaving much evidence from which the trail could be picked up and the perpetrator of the cyber crime apprehended.

Third, connected systems expand the attack surface – and yes, while this is a known fact, who would imagine that an emergency system grid could be hacked? That too – the whole of it!! It is supposed to be a closed and monitored system, isn’t it? This brings us to the discussion where we can either talk about standards not being in place from an IoT / grid computing security point of view, or simply say it is about time someone did something about cyber security pertinent to public and government deployments. While this was clearly an issue with the implementation of security for the sensors, this could go well beyond just the alarms, as more often than not one emergency system is connected to another, e.g. 911 has taps into fire, police, etc.

Last, but most importantly – while security analysts analyze and wonder how this could have been pulled off, for the people who experienced it, ‘it was very real and scary’. This serves well to remind us all how helpless we feel when technology is abused.

Note: The intent of this article was not to repeat the information that is widely available about this incident, but to dive deeper and look at the causes of ill-fated security systems/controls, and to extrapolate the kind of damage that can be done at large, anywhere in the world, by someone nasty who knows how to get past the security (if at all there was any).


Posted by on April 20, 2017 in Cyber Security



Good Friday Just Became Better – With My CCSK Certification!

Holy Moly – the sweet taste of achieving a much-coveted certification in the course of furthering my Cyber Security journey. Aced the certification with a strong 90%. I’m now Certified Cloud Security Knowledge (CCSK) certified. My Good Friday just became a whole lot better!!!


It’s been some time that I’ve been dragging my feet, and I finally decided to write the CCSK certification. I’ve been busy with authoring and mentoring (cannot really complain, as it’s my passion), hence the delay. Like they say – better late than never!!


In the following sections I’ve shared my experiences, my preparation, and the insights and details of the certification exam. Hope these get you to your own CCSK summit.

The exam itself – This exam has been around for some time now, and I took the v3.0 (v2.1 is also available but hey, latest is greatest, right!). CCSK is a pretty comprehensive exam. It covers all the bases (and more) of cyber security / security from a Cloud Service Provider (CSP) and a cloud consumer perspective, and then some. It also addresses domains which are usually blind spots, for example cloud risk management, vendor management, supply chain management and such.

The insights to the exam – The exam can be daunting if you have little to no security experience and especially if you come in with minimal (all-encompassing security) virtualization, security controls, risk management, physical security and traditional DC experience. The exam consists of 60 questions – multiple choice and true/false type, to be completed in 90 min. It is an open-book, take-anywhere exam; however, that doesn’t diminish its importance at all. In fact, it takes a lot of time to understand the subjects and topics and then be prepared for the exam itself. It’s the journey in this matter that’s much more valuable than the result itself.

My experience during the exam – I completed the first pass in about 30-35 min (of the allocated 90 min) and marked all questions for a second pass (yes, you can mark questions for review and come back to them). I finally submitted the questions for grading by the 45-50 min mark and passed with 90% (80% is the minimal score to pass), and that calls for a jolly moment!

The preparation – For the prep I used the two documents (both available here i.e.

  1. Cloud Security Guidance
  2. ENISA Cloud Risk Assessment Report:

These two documents cover all the bases in terms of questions. Just a thorough read and you should be fine. One of my dear and old-time friends (who happens to be a security geek as well), Sumanta Bhattacharya, helped me by brainstorming on the topics and coming out with logical and conclusive derivations.

Summarizing – This is a must-do certification for security practitioners and professionals who intend to engage, or currently engage, with the cloud. An excellent certification that pushes a person beyond their scope of thinking in the context of cloud, and so much more.



Posted by on April 15, 2017 in Cyber Security, Security Posts



Cyber Ops – Up Up and Away!!!

I’ll be spending a good amount of time doing something that I’m passionate about and which I think brings me the satisfaction of knowing that it will be a career catalyst for many professionals (especially security professionals).

To be precise, I’ll be spending most of my time from late Mar till May writing on Cyber Security. Now, what matters is how the time I spend and the material I author help the larger community gain from it – and that’s been my motto since I stepped up as an author and an evangelist.

Demystifying: I’ll be authoring for Cisco’s latest Cyber Security / Cyber Ops certifications on two fronts – writing the practice tests / question banks (to go with the premium content):

  • Cyber Ops – SecFnd
  • Cyber Ops – SecOps

I’ll be writing practice question banks which will help the CCNA Cyber Ops aspirants to attain these world-class cyber security certifications. These practice tests will be available as part of the premium package with the following books written by Omar Santos and Joseph Muniz.



I have to admit that Cisco has come a long way, and now with these certifications the gaps between InfoSec and CyberSec would be more than addressed. These certifications are benchmarks in that they will help bridge the gap between the old and new security paradigms – network and cyber.

All in all – I’m enjoying my time writing these questions and hope that they will help the aspirants succeed in their attempts to grab these two really cool certifications.

Happy learning and reading!



Posted by on April 11, 2017 in Cyber Security



Terminator and SkyNet might be here before you think!

Terminator movies have taught us a couple of important lessons – whatever you do, you cannot control destiny. And don’t hand all the control to the machines.

That said – with IoT beginning to connect ‘Things’, and with no security standards (well, not many of them anyway) established during the IoT wars, don’t you wonder whether that ‘smart’ machine in your home or office is secure enough and will absolutely do what it’s supposed to do?

Time to think again! A recent publication by SCMagazine clearly articulates that it’s about time security was made paramount before going live with anything that is ‘smart’ enough to take decisions.

An excerpt follows:

As many of these “smart” machines are self-propelled, it is important that they’re secure, well protected, and not easy to hack. If not, instead of helpful resources they could quickly become dangerous tools capable of wreaking havoc and causing substantive harm to their surroundings and the humans they’re designed to serve. We’re already experiencing some of the consequences of substantial cybersecurity problems with Internet of Things (IoT) devices that are impacting the Internet, companies and commerce, and individual consumers alike. Cybersecurity problems in robots could have a much greater impact. When you think of robots as computers with arms, legs, or wheels, they become kinetic IoT devices that, if hacked, can pose new serious threats we have never encountered before. As human-robot interactions improve and evolve, new attack vectors emerge and threat scenarios expand. Mechanical extremities, peripheral devices, and human trust expand the area where cybersecurity issues could be exploited to cause harm, destroy property, or even kill.


There are references to incidents where life-threatening situations occurred because security was lacking, for example:

  • A robot security guard at the Stanford Shopping Center in Silicon Valley knocked down a toddler; fortunately, the child was not seriously hurt
  • A Chinese-made robot had an accident at a Shenzhen tech trade fair, smashing a glass window and injuring someone standing nearby
  • In 2007 a robot cannon killed 9 soldiers and seriously injured 14 others during a shooting exercise due to a malfunction
  • Robotic surgery has been linked to 144 deaths in the US by a recent study

Time to wake up to the reality that (cyber) security controls are more than desired with robotics, let alone IoT, the mother ship of connectivity (which increases the attack and exploit surface manifold).

Bottom line: Letting go of control to leverage automation may not be a good idea unless there are strict security norms and cyber security controls in place.

Watch out – that smart machine may be just too smart for your liking!!!


Posted by on March 15, 2017 in IoT Security