40 things to do before you spend $1 on AI

AI: Reasons to just say No!
James Mckinlay; Information Security Officer

Contents
Barbican Insurance Group 2
AI: reasons to just say No
The AI bandwagon. And the risks of jumping on it
When every vendor is claiming AI expertise, how
do you differentiate?
What could/should you be doing instead?

Contents
Disclaimer.01
Despite the provocative title I believe there is
definitely a place for AI and ML in both the
Insurance Industry and in Cyber Security

Contents
Disclaimer.02
Before we go any further, I feel I should point out that
everything I’m about to say is obviously just my
personal opinion, which you are of course entitled
to take with the appropriate pinch of salt.

Contents

Contents
AI: reasons to just say No
The AI bandwagon. And the risks of jumping on it
When every vendor is claiming AI expertise, how
do you differentiate?
What could/should you be doing instead?

Contents
исправить основы
Boundary
Firewalls
Secure
Configuration
Access
Control
Malware
Protection
Patch
Management
17 8397

Contents
Boundary
Firewalls
Secure
Configuration
Access
Control
Malware
Protection
Patch
Management
7

Contents
Have you install boundary firewalls ?
Have you changed the default password ?
Is the administrative interface only available to
internal traffic ?
Have computers that do not need to connect to the
Internet been blocked ?
foundation

Contents
Does the “Approved Ports and Services” include business
justification for unencrypted protocols (FTP, HTTP, SMTP)
Do you maintain an “Approved Ports and Services”
register ?
Are redundant rules removed or disabled ?
Are firewall rules subject to regular review ?
careful planning

Contents
Firewall rule review tips
• Consider firewall OS hardening and firewall rule
sets as two different controls to be checked
• Research hardening settings from vendors and
standards orgs (CIS benchmarks) and then
produce your own company checklist of what
matters to you. Measure against this !
• After the first successful firewall configuration
review put the next one in the calendar ( every 6
months ?) as a recurring event and STICK TO IT!

Contents
Boundary
Firewalls
Secure
Configuration
Access
Control
Malware
Protection
Patch
Management
17

Contents
Are unnecessary user accounts on internal workstations removed or disabled ? P
Have default passwords for any accounts been changed to suitably strong passwords ? P
Are strong, complex passwords defined in policy and enforced ? P
Has the auto-run feature been disabled ? P
Do systems only have software on them that is required to meet business requirements ? P
Has a personal firewall been enabled on desktop PCs and laptops ? P
Are user workstations built from a fully hardened base template ? P
Are Active Directory controls used to centralise the management ? P
Are proxy servers used to provide controlled access to the Internet ? P
Remote access to commercially or personal sensitive data and critical information must be
authenticated and logged P
Are mobile devices and tablets managed centrally to provide remote wiping and locking in
the event of loss or theft ? P
Is a mobile device management solution in place for hardening and controlling all mobile
platforms in use within the organisation ? P
Is there a corporate policy on log retention and the centralised storage ? P
foundation

Contents
Is an offline backup solution in place to provide protection against
ransomware ?
Are log files retained for relevant applications on both servers
and workstations for a period of at least three months ?
Are Internet (for both web and mail) log files retained for
a period of least three months?
Are log files retained for operating systems on both
servers and workstations ?
careful planning

Contents
Email filter tips
• Sync with user directory during SML process
• Turn on ANTI-SPAM rules
• Turn on ANTI-Virus rules
• Block at gateway (with bcc to Incident Response ?)
any emails with following attachments
• *.ade *.adp *.app *.asp *.bas *.bat *.cer *.chm *.cla *.class *.cmd *.cnt *.com *.cpl *.crt *.csh *.der *.exe
• *.flp *.fxp *.gadget *.grp *.hlp *.hpj *.hta *.inf *.ins *.isp *.its *.jar *.js *.jse *.ksh *.lib *.lnk *.mad *.maf *.mag
• *.mam *.maq *.mar *.mas *.mat *.mau *.mav *.maw *.mcf *.mda *.mdb *.mde *.mdt *.mdw *.mdz *.msc
• *.msh *.msh1 *.msh1xml *.msh2 *.msh2xml *.mshxml *.msi *.msp *.mst *.ocx *.ops *.osd *.pcd *.pif *.pl
• *.plg *.prf *.prg *.ps1 *.ps1xml *.ps2 *.ps2xml *.psc1 *.psc2 *.pst *.reg *.scf *.scr *.sct *.shb *.shs *.tmp
• *.url *.vb *.vbe *.vbp *.vbs *.vsmacros *.vsw *.vxd *.ws *.wsc *.wsf *.wsh *.xbap *.xnk

Contents
Web proxy tips
• Sync with user directory during SML process
• Explicit block/deny for all administrator accounts
• Explicit block/deny the following file types
• .bin .com .dll .dmg .dot .exe .ocx .pif .reg .scr .au3
.bat .jar .sh .py
• Monitor the following file types
• word excel powerpoint pdf visio zip gz tar 7z ace rar

Contents
Ransomware tips
• FSRM (free windows service on Fileservers)
• Set to block ransomware file types and ransom notes
• Project -> https://fsrm.experiant.ca/
• Current File Group Count: 1725

Contents
Boundary
Firewalls
Secure
Configuration
Access
Control
Malware
Protection
Patch
Management
9

Contents
Are shared drives/folders using strict access controls ?
Do accounts lockout after a number of bad attempts ?
Have you published a “Password Policy” ?
foundation
Is all user access authenticated ?
Is all user access tied to an individual ?
Are accounts disabled or removed when no longer required ?

Contents
Do you have a robust starters/leavers/movers process ?
Are administrative accounts limited to smallest number
of users ?
Are admin accounts denied from email and web ?
careful planning

Contents
Password Choice tips
• Look at latest guidance from NCSC
• https://www.ncsc.gov.uk/guidance/password-
guidance-summary-how-protect-against-
password-guessing-attacks
• Look at adding “pwfilters” to Windows domain
controllers, good explanation here ->
• https://www.blackhillsinfosec.com/the-
creddefense-toolkit/

Contents
Boundary
Firewalls
Secure
Configuration
Access
Control
Malware
Protection
Patch
Management
3

Contents
Background – Application Whitelisting
NSA Top 10 (no.1) ASD Top 8 (no.1)

Contents
Are all applications running on devices controlled by
Application Whitelisting Technology ?
Are users prevented from installing software ?
Do you maintain an “Approved Software” list ?
foundation

Contents
Boundary
Firewalls
Secure
Configuration
Access
Control
Malware
Protection
Patch
Management
8

Contents
Do you perform regular external vulnerability scanning ?
Do you keep tablets up to date ?
Do you keep mobiles up to date ?
Is all software licensed ?
foundation

Contents
Do you patch computers within 14 days of patch release ?
Do you perform internal vulnerability scanning ?
Do you patch network devices?
Do you decommission EOL software ?
careful planning expect resistance

Contents
Vulnerability Scanner tips
• Have a “packer.io” script that builds a base VM
{vmware|virtualbox} with custom answer file for
{Ubuntu16|Centos7}
• Have a script {bash|ansible} that deploys
openvas9 to {Ubuntu16|Centos7} in 25 minutes
• Have a bash script for {nmap|masscan} that
sweeps a subnet and creates a separate
OpenVAS task for every IP that responds

Contents
Where did the packer idea come from ?

Contents
If you can do all that, you can pass

http://norman-ai.mit.edu/#inkblot

Machine learning (Tim Crothers, Senior Director – Cybersecurity, Target Corporation)

Contents
Time is precious, thank you for yours.
https://www.linkedin.com/in/jmck4cybersecurity/

40 things to do before you spend $1 on AI

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to 40 things to do before you spend $1 on AI

Similar to 40 things to do before you spend $1 on AI (20)

More from James '-- Mckinlay

More from James '-- Mckinlay (12)

Recently uploaded

Recently uploaded (20)