GDPR and CyberSecurity

By far the biggest trend I have seen in finance sector over the last few years has been a relentless drive towards new and more onerous regulation. This is a trend that will only accelerate. No sooner had we tackled our MiFID II project, when we had to push our GDPR project into top gear. MiFIDIII anyone?1

Data Governance

GDPR mandates good data governance by default. In order to comply with the regulation, you will have conduct a root to branch data audit in order to create a data register2. With this, you can categorize your data, assess the risks and update your risk register3. Without it, how can you possibly expect to meet the regulatory requirements for:

How does that relate to Cyber?

This last point is an interesting one. Be honest, how many of you can say with any level of confidence that you can:

  • tell when you have had a data breach;
  • identify who instigated the data breach;
  • identify what has been compromised;
  • produce a detailed report to a regulator within 72 hours

If you do not have the tech tools in your arsenal to meet these requirements, GDPR gives you the perfect excuse to go cap-in-hand to the board to get the budget you will need.

Risk mitigation should be a significant business driver at the board level. The fines under GDPR are potentially eye watering, so you have to convince the board that data movement is now their number one risk. Good luck to you, because the stats are shocking. According to the 2016 Ponemon Study on Malware Detection and Prevention:

Most respondents say C-level executives aren’t concerned about cyber threats. Respondents admit they do not have the intelligence and necessary information to effectively update senior executives on cyber threats. If they do meet with senior executives, 70 percent of respondents say they report on these risks to C-level executives only on a need-to-know basis (36 percent of respondents) or never (34 percent of respondents).

Sixty-three percent of respondents say their companies had one or more advanced attacks during the past 12 months. On average, it took 170 days to detect an advanced attack, 39 days to contain it and 43 days to remediate it.

If you can win the argument and manage to get systems in place that monitor data movement, your CyberSecurity posture will be all the better for it. Knowing where your data is, what it is, and who is accessing it, is most of the battle. The classic CyberSecurity approach of protecting the boundaries and endpoints, no longer cuts the mustard (if it ever did.)

  1. It’s only a matter of time. 

  2. If you have created a data register already, when was the last time you updated it? How often do you review it? 

  3. You have a risk register, don’t you? 

View comments.

more ...

Fixing Windows Updates

Seriously Microsoft... wtf!

I have no idea what travesty I committed in a past life to deserve the pain I have recently experienced with Windows Updates1. However, I do know that my punishment is to know way more about the Windows Update module than any sane IT Manager has the right to know.

By way of atonement for my past sins, I offer the following in the hope that it helps some other poor bugger out there who might be in a similar situation.

What happened?

Our IT Estate has roughly 40 workstations. We use Shavlik to push out Windows patches. I noticed one month that Shavlik was pushing out patches but in many cases could not confirm that they had been installed properly. After a bit of digging around, we decided to have a go at patching those machines manually. That is when things went south.

The machines in question refused to push out updates using Windows Update (seriously… Microsoft… WTF!)

We Googled every single error code and tried every single internet “fix” that we could find. Nothing was working. It was time to admit defeat and do the unthinkable… the last resort… we had no choice… we had to get on the phone to Microsoft support.

What Microsoft found

On the first pass, even Microsoft gave up and recommended an OS re-install. Of course, we all laughed heartily at that suggestion (seriously… Microsoft… WTF!)

After the required amount of pushback, Microsoft relented and escalated internally.

For several more days, Microsoft worked remotely on one of our affected PCs and discovered that a number of patches had been “Staged”, but never installed. They were stuck in this “Staged” state and this was preventing all other patches from installing.

How did we get into this mess

This is our working theory. One word. McAfee.

It turns out that one of our EPO policies was actively preventing some Windows Updates from installing. If you have landed on this page because you have the same problem, you have to disable the following option:

How we got out of this mess

This is where it gets “interesting”. The solution on paper sounds simple:

  • Reset Windows Update:
    • Stop all Windows Update related services
    • Rename the SoftwareDistribution folder
    • Rename the catroot folder
  • Extract a list of all installed/staged packages to a text file using dsim
  • Restart Windows Update services
  • Parse the file containing the installed packages, extract any module name in the “Staged” state, and use dsim to remove those packages.

The problem is that the list of Staged packages was different on every single machine - not the sort of task you want to be doing by hand on that many machines.

The good news is that is is scriptable, but has to be done in phases.

Phase One

Run the following Powershell script on every affected machine (it can be run in a remote Powershell session without disturbing the target machine user):

$res = "\\<yourservershare>\WindowsUpdates\StagedResult." + $env:COMPUTERNAME + ".txt"

net stop BITS
net stop Cryptsvc
net stop trustedinstaller
"Stopping WINDOWS UPDATE..."
net stop wuauserv

"Renaming Windows Update Folders..."
ren $env:systemroot\SoftwareDistribution SoftwareDistribution.old
ren $env:WINDIR\system32\catroot2 catroot2.old
"Getting packages..."
dism /online /get-packages | out-file -encoding ascii $res
net start BITS
net start Cryptsvc
net start trustedinstaller
"Starting WINDOWS UPDATE..."
net start wuauserv

Note that this script outputs the installed packages for that machine to a file called: StagedResult.<COMPUTERNAME>.txt

In our case, we output this file to a shared folder on a server so that we could collate all the files in preparation for phase two.

Here is an example of the dsim output file:

Deployment Image Servicing and Management tool
Version: 6.1.7600.16385
Image Version: 6.1.7601.18489
Packages listing:
Package Identity : Package_for_KB272945231bf3856ad364e35amd646.1.1.0
State : Staged
Release Type : Security Update
Install Time : 17/02/2017 23:04

Phase Two

I have a bit of background in Linux system admin, so I chose to use Cygwin bash scripts for this phase. The principle is pretty simple, so if you are not comfortable with bash, grep or sed, feel free to script in a language of your choice.

The following bash script: takes a generated package list file from phase one as a parameter, then uses grep to extract the list of “Staged” package names, and pipes that output to sed to create a Powershell script that can be run on the source machine to remove all of the Staged packages:

cat $1 | grep -Pzo '(?<=^Package Identity \: )(.*)(?=\n^State : Staged$)' | \
    sed 's/^/dism \/online \/remove-package \/packagename:/' > \

As we had collated all of the files from the affected machines in a shared folder, I used the following script to process them all in the one go:

for f in ./StagedResult*.txt; do
    if [ -e "$f" ]; then
        ./ "$f"

This is an example of the output script for a single machine:

dism /online /remove-package /packagename:Package_for_KB272945231bf3856ad364e35amd646.1.1.0
dism /online /remove-package /packagename:Package_for_KB300374331bf3856ad364e35amd646.1.1.1
dism /online /remove-package /packagename:Package_for_KB302038731bf3856ad364e35amd646.1.1.2

The output filename of the new script is: StagedResult.<COMPUTERNAME>.txt.removal.ps1

Phase Three

We now have to run the targeted output scripts from Phase Two on each of the affected machines. Again, this can be done using a remote Powershell session without disturbing the machine user.

When this phase has been completed and the machine has been rebooted, Windows Updates will work again.

  1. The post was composed on a nice, clean, virus free (and Anti Virus free) Mac. A world where OS updates magically work every time. As if by magic. 

View comments.

more ...