Risks And Opportunities For Generative AI In 2025

 

As we now go deeper into January, many people have started to predict already what the hot markets will be in Cybersecurity.  Without a doubt, one of the gold mines will be that of Generative AI.  Although ChatGPT (created by OpenAI) may not be all the glamour now, it is still being used quite by both businesses and individuals alike.  But it does one thing:  It opened the eyes of the world to what Generative AI is all about, and its opportunities, but also its huge risk potential as well.

One of the biggest concerns here is that of Deepfakes.  This is where a Cyberattacker can take an image or a video of a real person, and replicate that into a fake one, using Gen AI based models.  These are then often used to launch both Phishing and Social Engineering Attacks. 

One of the prime-time venues for this is during any kind of election season here in the United States.  In these cases, the Cyberattacker will create a fake video of the leading political candidate and put that somewhere like on You Tube.  The video will convincingly ask voters to donate money for their election, but any of it sent over will be sent to a phony, offshore bank account.

There are other threats that can also come about as well, but for now, here are some of the main concerns going into this year:

1)     LLMs:

This is acronym that stands for “Large Language Models”.  It is a part of Generative AI, and it can be technically defined as follows:

“Large language models (LLMs) are a category of foundation models trained on immense amounts of data making them capable of understanding and generating natural language and other types of content to perform a wide range of tasks.”

(SOURCE:  What Are Large Language Models (LLMs)? | IBM)

Although the models that drive them can be quite complex, the bottom line is that the goal of them is the words we speak, understand the context in which they are spoken, and provide an appropriate output.  A great example of this is the Digital Personalities that you may engage in, for example, when you have a virtual doctor’s appointment.  It is LLM that drives this kind of application, and learns from the conversation, so that it can talk back to you like a real-life human would.  But the downside of this is many of these models are proprietary in nature, which therefore makes them a very tempting target for the Cyberattacker to break into and wreak all kinds of havoc on the models.

2)     The Cloud:

Right now, the two main juggernauts are AWS and Microsoft Azure.  As companies are starting to realize the benefits of moving their entire IT and Network Infrastructures, there is one problem:  Both of these vendors also offer very enticing tools to create and deploy Generative AI models.  Although they have taken steps to help safeguard their security, especially from the standpoint of Data Exfiltration Attacks, the other main problem is that the Cloud Tenants have not set up the appropriate rights, permissions, and privileges for the authorized users to gain access.  Very often, they give out too much, which can lead to unintentional misconfigurations in the development of the Gen AI models.  As a result, this can lead to unknown backdoors being opened, or worse yet, this could lead to an Insider Attack happening.  Therefore, careful attention needs to be paid in creating both the Identity and Access Management (IAM) and Privileged Access Management (PAM) security policies.

3)     An Aid:

Over the last year or so, one of the biggest issues in Web application development is the lack of attention by the software development team in the security of the source code.  One of the driving factors behind this is that they very often make use of open-sourced APIs.  While this does have its advantages (such as not having to create source code from scratch), its main weakness is that the libraries that host them for downloading do not update them on a real time basis.  Rather, they leave this up to the software developers to do, and they do not.  In an effort to secure the source code before final delivery of the project is made to the client, businesses are now opting to use what is known as “DevSecOps”.  Long story short, this is where the software development team, the It Security team, and the Operations team all come together to serve as a counterbalance amongst one another to ensure that the source code has checked, and even double checked for any weaknesses.  Depending upon the size and scope of the project, this can be quite a tall order.  But the good news here is that Generative AI can be used as aid to help automate some of this checking process.  But, it is important to note that it should not be relied upon 100%, as human intervention is still needed in this regard.

My Thoughts on This:

Well, there you have it, some of the risks and opportunities that Generative AI brings to the table this year.  But, there is yet another area which has not received a lot of publicity yet.  And that is, the Data Privacy Laws of the GDPR, CCPA, HIPAA, etc.  Keep in mind that Generative AI Models (including those in LLMs also) need a lot of data to learn and stay optimized.

Because of this, the regulators of these Laws have placed huge scrutiny as to how businesses are safeguarding these kinds of data that are being used.  If the right controls are not put into place, the chances of a Data Leakage are much greater, and this could put the company to face a stringent audit and even face huge financial penalties.  For instance, under the tenets and provisions of the GDPR, this can be up to 4% of the total gross revenue.

This is really something to think about!!!

 

 

How To Get Cybersecurity Insurance In 2025: 3 Golden Tips

 

Well, Happy New Year to everybody out there!!! Here is to be hoped that 2025 will see a decrease in the total number of threat variants that not only impact businesses, but non for profits, government agencies and individuals. 

One theme that is going to get a lot of attention, at least at the beginning of this year, is Cybersecurity Insurance.  Just like other types of insurance policies, the thinking here is that if you merely file a claim (provided that you actually do have the insurance) you will get a payout to help recoup the costs that you experienced as a result of a security breach.

But as we have recently seen with the health insurance industry, this is not such a sure deal.  Today, many carriers that offer Cybersecurity Insurance require many things from the applicant before they can even be considered.  For example:

Ø  If you are the business owner, you must fill out a lengthy questionnaire attesting truthfully that you have all the controls in place to protect the PII Datasets.  Also, you must provide evidence that you have taken steps to address the gaps and weaknesses in your IT/Network Infrastructure.  This is typically done by either conducting a Penetration Test or a Vulnerability Scan.

Ø  After you have the above, in most cases, your questionnaire must be certified by an outside third party that you trust, or with whom you have worked in the past.

Ø  After you have submitted all this stuff with your application, the insurance company can still come on site to your place of business and conduct a random audit to make sure that what you have attested to is correct.

But there are also some other alarming stats as well, such as:

*From 2018 to 2022, premium rates have gone up year over year.

*In 2023, 79% of US businesses experienced a dramatic increase in premiums.

*SMBs with less than 250 employees were likely to be denied any kind of coverage, if they filed a claim.

The last two stats came from a whitepaper that was published by Delinea, which examined the state of the Cyber Insurance Industry in 2023.  To get more details on this, click on the link below:

2024 Data Breach Investigations Report | Verizon

The bad news here is that in 2025, along with the rising premium rates, it is even going to be harder, and more complex, especially for the SMB to procure Cyber Insurance.  But there are some key steps that you can take first to make sure that at least the application you submit shows your best foot forward to the underwriters.  Here they are:

1)     Understand Risk:

Risk is a very subjective term to define, and depending upon the industry, it can have different kinds of meanings.  But for Cybersecurity, at least in my view, this metric represents how much downtime your business can take (because of a security breach) before you start to incur some real financial losses.  The best way to do this is to conduct a detailed Risk Assessment Analysis, to take an inventory of and categorize both your physical and digital assets.  Once you have done this and have ranked each one to their degree of vulnerability, you will have a much better idea of what your actual Risk Posture is.  Also, the insurance company will look at this and see how it compares to the overall average in the Cyber Industry.  If you find that your Risk Posture is overall too high numerically, then you will want to take the steps to bring it down before you apply for any Cyber Insurance.  Of course, the more that you can lower it, the better the chances that you will be given a policy.

2)     Understand The Contract:

If you have been lucky enough to be awarded a policy, you will first receive a contract.  It is imperative that you review in detail over and over again.  Cyber Insurance can be very tricky to understand, and the coverage will vary greatly.  Of course, you will be covered for the direct costs that you incurred because of a security breach, but the very murky areas are after the fact, such as paying legal fees in case your lawsuits, regulatory fines, reputational/brand damage, etc.  Although I am by no means an insurance expert, my best advice is to hire a really good lawyer that can review the contact inside and out, and have him or her negotiate the terms of it with the insurance company so that it will be much more favorable to you.  You do not ever want to file a claim, and have it rejected because it was not covered by your contract!!!

3)     Pay Attention to Compliance:

More than ever before, businesses both here in the United States and the European Union are coming under very close scrutiny of the Data Privacy Laws, most notably those of the GDPR, CCPA, HIPAA, etc.  As a result, the insurance company that you have applied to for a policy will want to make sure that you have taken every effort to mitigate the risk of being audited by any of them.  The primary reason for this is that the financial penalties can be quite steep, and the insurance companies do not ever want to pay out such a huge amount if a claim was filed under this circumstance.

My Thoughts on This:

Filing for Cyber Insurance is going to be just as bad as doing your tax returns, in the amount of time that it will take to prepare the documents.  Thus,  in this regard, it is very important that you keep copies of all of your documents, and keep records of all of the Cyber Risk Assessments that you have done. 

Once your policy is up for renewal, you will want to show the insurance company each detail as to how you have overall fortified your Security Posture. 

Obviously, it is not easy to get Cyber Insurance, but it can be done.  It will just take a lot more due diligence on your efforts to make sure that every “I” has been dotted, and that every “t” has been crossed.

Finally, once you are awarded a policy, do not take your pedal off the gas pedal.  Keep taking those efforts to keep your Security Posture strong over the long haul.  In the end, Cyber Insurance is meant to supplement, not replace the need to be very proactive about the Cyber Threat Landscape.

Here Comes 2025: The Major Cyber Threats To Happen

 

Ok, here we  go, as we fast approach now into 2025, here are the predictions as what the major Threat Variants and Attack Vectors will be:

1)     The Zero Day Exploit:

This is a term that non-Cyber people may not know about, so here is a technical definition of it:

“A zero-day exploit is a cyberattack vector that takes advantage of an unknown or unaddressed security flaw in computer software, hardware or firmware. "Zero day" refers to the fact that the software or device vendor has zero days to fix the flaw because malicious actors can already use it to access vulnerable systems.”

(SOURCE:  What is a Zero-Day Exploit? | IBM)

Put another way, when a vendor knows that their software offering has vulnerabilities in it, they create software patches for customers to download to fix the weaknesses.  But with a Zero Day Exploit, the vendor has no knowledge of a vulnerability.  But the Cyberattacker knows this already, because of all the scouting work that they do on their targets and victims.  So, once they are ready, they move in for the kill, which totally blindsides the vendor, and has a cascading effect on all its customers.  It is possible to recover from this kind of attack, but it could take an exceedingly long time, because there are no fixes for it, and thus they must be created after the fact.

2)     Supply Chain Attacks:

This is the kind of Threat Vector in which the Cyberattacker needs just one point of entry to deploy the malicious payload.  The best example of this was the Solar Winds breach.  Through just one weakness, the Cyberattacker was able to insert a nefarious piece of Malware into their software update platform called Orion.  Once this was activated, thousands of victims were impacted, including agencies in the Federal Government and even Fortune 50 companies.  Another recent one was the CrowdStrike fiasco.  Although they still claim that it was not a Cyberattack, just one thing went wrong in their software deployment package, which had a global effect, especially with the airlines, like Delta.

3)     Attacks On Remote Workers:

As we all know, this exploded during the COVID-19 pandemic.  But now it is the past, many companies have now mandated a hybrid work environment.  But the common denominator here is that employees will, for a part of the week, be working remotely, wherever it may be at.  Very often, the home network will be used, which leaves a huge invite for the Cyberattacker to get into.  Although companies may issue standard wireless devices for work use, there is no stopping the employees from connecting into the corporate network with their home one.  Although VPNs are a great tool to use to secure the network lines of communications, they have been proven to show their limits during the pandemic.  As a result, businesses are now opting for the Next Generation Firewall, which alleviates some of the weaknesses of the VPN.

4)     Targeting AI And ML:

I have written a lot about both in my previous blogs, but even using the models that have been derived from them have their vulnerabilities as well.  Probably the biggest issues that will be seen in 2025 are that of Data Poisoning and Data Exfiltration Attacks.  The former can be technically defi.  as follows:

“An Artificial Intelligence poisoning attack occurs when an AI model's training data is intentionally tampered with, affecting the outcomes of the model's decision-making processes. Despite the black-box nature of AI models, these attacks seek to deceive the AI system into making incorrect or harmful decisions.”

(SOURCE:  Data Poisoning Attacks: A New Attack Vector within AI | Cobalt)

Remember that an AI or ML model requires tons of data for it to initially learn and to keep optimizing their algorithms.  But the outputs are only as good as the data that is fed into it (thus, “Garbage In – Garbage Out”).  The Cyberattacker is fully aware of this and will intentionally try to hijack a model to insert malicious datasets to it.  The net effect could be benign, such as creating a false output for the end user, or it could even be worse, such as infecting devices, like in a Supply Chain Attack.

5)     5G:

While most of us are comfortable with having used 4G on our smartphones, many of the wireless carriers are now making the move to the next level up, which is the 5G.  I personally have 5G on my iPhone, and whenever the connection is solid, I can access the Web very quickly on Safari.  But since 5G is still in untested waters, there are still some major vulnerabilities that are associated with it.  Some of them are:

Ø  The huge growth in the interconnectivity of devices – especially where IoT (Internet of Things) is involved.  All of this only increases the attack surface for easy penetration.

Ø  Distributed Denial of Service (DDoS) Attacks:  Through any opening in the 5G, a Cyberattacker can easily insert a huge swath of malicious data packets which can bring wireless to an almost screeching halt on a global basis.

Ø  Critical Infrastructure:  Many of them that exist here in the United States are completely outdated with technologies, going as far back as the 1960s and 1970s.  If these facilities try to adopt the 5G, the Cyberattacker does not have hut directly into a nuclear facility, as an example.  Rather, they can intercept the 5G network lines of communications and attack that way, in a much more covert manner.

My Thoughts on This:

There are other Threat Variants/Attack Vectors that I can include here, but I wanted to give you the ones that could really cause some damage if they do at all happen.  You very well could be asking yourself how you can mitigate all of this from happening to your business.  I could create a laundry list of what you can do, but a quick Google search will reveal all this also.

So, I am going to keep it simple for 2025:  Nip it in the bud.  Find the vulnerabilities, gaps, and weaknesses before the Cyberattacker does.  This can all be very easily achieved using Penetration Testing, Vulneability Scanning, and Threat Hunting.

How Non Human Identities Outnumber The Human Population By 50:1

 

Back in the day, when I was in graduate school during the Internet Boom, the two big buzzwords back then were “B2B” and “B2C”.  These both stand for “Business to Business”, and “Business to Consumer”, respectively.  Well fast forward from those times to now, where the world of Cybersecurity is now filled with all kinds of techno jargon. 

And with the explosion of Generative AI, the dictionary here expands with a newer one, which is called “M2M”, or “Machine to Machine”.

Now this term has just recently given birth to an even newer one, which is now “NHI”, or “Non-Human Identities”.    These are the Chatbots, Virtual Personal Assistants, and even the Digital Personalities that you engage in instead of speaking with a real human being.

 These kinds of NHIs are now literally dominating the world.  In fact, it has even been cited that they outnumber actual human identities by a factor of 50:1. 

Because when you communicate with an NHI, you are giving away your own personal information and data.  In turn, the Generative AI models that power them are storing them to not only recall this information/data if you were to engage with them, but to also train the algorithms so that they can be fully always optimized.

Apart from all of this being transmitted back and forth, there is now a cry in the Generative AI world that there needs to be set of bet practices and standards that businesses must adhere to if they make use of NHI that is customer facing.  Here are the factors that are driving this movement:

1)     Complexity:

Gone are the days when businesses just had an On Premises Infrastructure.  As I have written about before in previous blogs, there is now a strong movement to go to the Cloud, using a major platform such as that of the AWS or Microsoft Azure.  But, there are still some CISOs who relish the old fashioned ways of doing things, so they opt for a hybrid based approach, which is a combination of both On Premises and the Cloud.  This kind of blend does not make things any easier, in fact, it makes it much more complex for the IT Security team to manage.  If an NHI is created and deployed by using both words, then everybody needs to follow and stick to the same set of rules, especially when it comes to data/information storage and processing.

2)     Automation:

One of the biggest benefits of that Generative AI brings to the table is that it can be used to automate processes and functions.  For example, this can be seen with robotic arms in a car assembly plant, and even in Cybersecurity, it is being used in Penetration Testing and Threat Hunting in the more mundane and routine tasks.  But, there is a key problem here:  You simply cannot rely upon automation 100% (at least in my view).  For example, what if there is no human intervention if a Data Exfiltration Attack were to occ. to an NHI?  Well, the bottom line is that it would go completely unnoticed, until it is way too late.  This debate about whether to completely automate or not is currently one of the biggest debates that is happening and will continue for a long time in the world of Generative AI.

3)     Easy Prey:

An NHI in any form is actually a very easy prey for the Cyberattacker to go after.  They may not attack it directly, but they can very easily go after the connections which they are linked to.  These are often not very secure, and once a Cyberattacker is able to penetrate through just one of these network lines of communications, they can wreak all sorts of havoc in just a short matter of time.

4)     Mergers And Acquisitions:

There are a lot of buyouts that are taking place with Cyber Vendors.  Some of these include the following:

Ø  Authomize being purchased by Delinea.

Ø  Venafi being purchased by Cyber Ark

It should be noted that the above two buyers are Privileged Access Management (PAM) vendors.  The point here is that with all these mergers happening, there is a lot of information and data that is being transferred, especially with the Generative AI models and the NHIs that they power.  It is very necessary here to have a standard checklist that both the buyer and the buyee must abide by to make sure that nothing is leaked out, intentionally or not.

My Thoughts on This:

As for me, I am still very old fashioned.  Although I am a technical writer in the world of technology, I absolutely hate technology.  I like the way we do things.  I am not sure if I am up for all this Generative AI stuff.  For example, I would much rather see my doctor in person, rather than chat with a Digital Personality.

But if I must bend on this, we cannot depend upon Generative AI on its own.  We need to have human intervention here.  As for the best practices and standards, it is about time that Corporate America did something about it.  The Federal Government has done something about it, but it is way too slow to keep up with the rapid changes that are happening in Generative AI.

To use the old proverb, “its going to take a village” for all this to happen.  It will require a hands-on deck cooperation with the private and public sectors, as well as with academia.  But even if we were to produce such a set of best practices and standards, who is going to enforce it? 

The FBI?  The DHS?  These are tough questions that still must be answered, and as a society, we must figure all of this out soon.

Why Students From K-12 Are So Vulnerable In Becoming A Cyber Victim

 

Whenever we hear about a Cyberattack or a security breach, we often think that the entity involved is a Fortune 500 company, or even a healthcare organization.  True, these are prized targets, but many people do not think that the education sector could be at risk also, or for that matter, even the nonprofits. 

Well truth be told; they are also in the cross hairs of the Cyberattacker as well.  You might be asking, “Why?”.  Well, here are some reasons:

*These institutions contain a large amount of PII datasets, not just of students, but also teachers, administrative assistants, and other faculty, including principals and superintendents.

*While most schools do have some kind of IT/Network Infrastructure, they are often running legacy hardware and software, even on par with the systems found in Critical Infrastructure.

*The schools contain a very volatile group of victims – young children, all the way from K-12. In this regard, they can easily become the victim of a Cyberbullying Attack.

*The schools very often have an extremely limited budget, and therefore, they cannot upgrade their IT/Network Infrastructure in a timely manner.  Because of this, there are many vulnerabilities and weaknesses that are present, making it extremely easy for the Cyberattacker to penetrate covertly.

In fact, in 2023, the educational sector witnessed its largest number of Cyberattacks ever recorded, even more so than what was around during the COVID-19 pandemic.  A lot of this can be attributed to the fact that students these days have easy access to smartphones. 

Thus, the temptation to download mobile apps, especially those that involve sharing posts on social media (the most notorious of these is Facebook) and games.

Many of these students are simply not cognizant of where to safely download these mobile apps, such as from the Apple Store.  Although there are parental controls that can be deployed on these devices, many of them are not the best, and the source code that was used to create them was never tested.  But these apps can also be used by the teachers for online learning to the students. 

Another weakness here is the Digital Personalities that the mobile apps use.  They try to take the place of the traditional teacher, but what they can do for the student can only go so far.  For example, a Digital Personality can ask a student about their personal information/data, and innocently, they will submit it without giving it a second thought. 

But what happens when the vendor goes under, and falls off the radar?  The question of how they used and processed that student’s information/data comes under scrutiny, even more so, where it is stored.

This was the case in the Los Angeles Unified School District.  They made use of a Digital Personality named “Ed” and its experience with a chatbot named "Ed."  It was used both by students and teachers, but one day, the vendor, AllHere, suddenly went under, and completely went silent. Obviously, both school administrators and parents were overly concerned as to what happened to the student’s PII datasets.  More details about this link can be seen below:

An Education Chatbot Company Collapsed. Where Did the Student Data Go? | EdSurge News

It is also especially important to remember that information/data about the student is not just school records.  A lot of this also includes medical records as well, so that the nursing staff at the school and take easily take care of an ill student. 

These are also at risk, and the scary part is that if the Cyberattacker does get their hands on this, they can easily sell them onto the Dark Web or use them in an Extortion Attack against the child, as sickening as this sounds. 

To drive home just how serious this situation is, here are some stats:

*61% of schools that were hit by a security impacted students from K-12, with no discretion whatsoever.

*85% of the schools that were the victim of a Ransomware Attack had their all their devices locked and files encrypted, making them completely unrecoverable.

*The cost of downtime for schools increased by at least four times from 2023 to 2024.

*Surprisingly, the educational sector is one of those that are almost reluctant to report a security breach to law enforcement and federal authorities – only 22% of those entities that have succumbed to a security breach reported anything.

(SOURCE:  The Education Industry: Why Its Data Must Be Protected)

My Thoughts on This:

As one can see, there is no easy fix for this horrible situation.  When you compare this to Corporate America, at least one can claim that the business can somehow set aside the needed funds to beef up their lines of defenses. 

But the same cannot be said for school.  They are often at the mercy of the state government to procure the money, but if the budget does not have money, there is nothing that a school can do except start having fundraisers.

I sincerely do hope that the new Presidential Administration does take Cybersecurity very seriously in terms of having a strong budget not just for American businesses in general, but especially for that of the educational sector but also for nonprofits. But even with their limited funding, here are some tips that schools could make use of:

*Consider moving to the Cloud.  Many schools still have an On Prem Infrastructure, which is making it very costly for them to maintain.  By moving it a platform like Microsoft Azure, the costs will become much affordable, and many of the tools there which are comparable to what one would use for the On Prem Infrastructure are much more sophisticated and are available for a fraction of the cost.  Also, Microsoft has been very well-known offering steep discounts to the educational sector.

*Security Awareness training must be given to all involved – not just the teachers, but also the students and the parents alike.  However, it is very crucial that this training is tailored appropriately to the grade level in question.

*Schools should ban the use of smartphones all together, at least until the students are upper classmen in high school.  Although this may be viewed as being harsh, this is one of the best ways to reduce the attack surface.

Of course, there are other tips as well. But the above are some starters.  Very often, I usually ask my close friends from time to time: “How did we make it through school without Google or smartphones”? We had to learn the old-fashioned way, when life was much simpler and less interconnected than it is today.

Gosh, I yearn so much for those   days to come back.

How To Launch A Better Penetration Test In 2025: 4 Golden Tips

 

In my past 16+ years as a tech writer, one of the themes that I have written a lot about is Penetration Testing.  I have written man blogs and articles, even published an eBook (through Amazon) and an actual published book about, through CRC Press. 

I have even formed some partnerships with various Cyber vendors offering their Penetration Services as well. Some of them have ranged the gamut from doing manual testing to having it completely automated.

There is a huge debate about this, and in all the writing and discussions I have had about it, I am in the middle of it.  I think certain parts of the Penetration Testing process can be automated through Generative AI, but you need the human component as well, especially when it comes to communicating with and preparing the final report for the client.

But the bottom line is this:  In order to launch a successful Penetration Testing exercise, whoever is doing the offensive work (which is called the “Red Team”) needs to take the mindset of an actual Cyberattacker. 

Normally, a checklist or some kind prepared agenda is followed, with written permission from the client.  But given just how stealthy the Cyberattacker has become, and the interconnectedness of both digital and physical based assets, is simply having this enough? 

Again, there is debate about this, but the consensus from what I have seen so far is that this is “No, it is not enough”.  So, what can be done about it?  Here are some tips that I came across in a recent article:

1)     The Need for Creativity:

In this instance, and I really do hate using this tired quote is to literally “Think Outside of The Box”.  This simply means that the people doing the offensive work need to take a careful stock of what the physical and digital assets of the client are.  Once this has been done, do not prepare a checklist.  Instead, as the question of “Why?”.  “Why is this asset so attractive to me, from the standpoint of breaking into it?”  In other words, the actual Cyberattacker will know that the Red Team in this regard will too often be predictable.  So, it is important here to break away from this trend and become unpredictable.  This will yield even better results in the end.

2)     Avoid “Button Pushing”:

This is the actual term that was used in the article.  This simply means find that fine line between automation and human control.  Just do not simply rely upon Generative AI and canned scripts to do the entire job.  As the Red Team, you need to push the boundaries just a little bit more each time you conduct an actual exercise.  This is where group effort and having a clear line of communication plays a crucial role. From some of the Penetration Testers that I know of, they tend to be introverted and isolationists.  Break away from this mold and “bang heads together” with your team to accomplish this.  Remember two heads are better than one.

3)     Take Notice of Intention:

When things were On Premises, it was clear to find out what the intent hacker would be.  But with a lot of businesses now making it to the Cloud, this has become a murky area to figure out.  To crack this, try to figure out what the intent of an actual Cyberattacker would be.  But just do not look for the obvious things such as theft of passwords and Data Exfiltration, instead try to find those exceedingly small, minute points that the Cyberattacker would be most interested in tapping into.  In this regard, one of their main intentions of them is to launch what are known as Supply Chain Attacks.  This is where a malicious payload can be inserted into one tiny vulnerability and from there a cascading effect will take place that will impact hundreds or even thousands of victims.  We saw this in the Solar Winds hack, and even though CrowdStrike denies it was an actual attack, just one mistake made in their software update tool created havoc around the world.  Remember, the Cloud is still to some degree an undefined territory, especially in Public Deployments.  This is where the Cyberattacker is trying to find those very tiny cracks in which to slip into.

4)     Create The Culture:

This is the role for the CISO of an organization.  They must take the initiative to create a “Hacker Culture” from within their IT Security team.  Meaning, it is not just one person that should try to have this kind of mindset, but rather, everybody needs to.  One of the best ways to do this is to launch simulation exercises, and there are many tools online that you can use to do this.  Or even better yet, engage a true Cyberattacker that has now turned to the “good side”.  Have conversations with them as to what they hacked into in the past, why they did it, and what their primary intention was.  If you trust them implicitly, then it would also be best to have them engage in the actual Penetration Test with your team.  After all they have been in the trenches before, and what more assets can you have?

My Thoughts on This:

Well, there you have it, some tips to launch a better Penetration Test.  In the end, complete automation can only take you so far.  In fact, in my view, these tools are far more vulnerable to making mistakes than what a human being would do.  For example, what if they hit the wrong target by mistake?  Or, what if the results they provide are not even accurate?

The argument here is that with an automated tool, for just one flat annual fee, you can run multiple Penetration Tests as needed.  This is stands in sharp comparison to a manual one conducted by a human team, which can range anywhere from $30K-$40K per test.  But in the end, remember you get what you pay for.

How To Increase The Security Posture Of Your IoT Devices: 5 Point Checklist

 

I think over a week ago, I wrote a blog post about the security that goes along with the Internet of Things (IoT) devices, and especially giving them as gifts this Holiday Season.  In today’s blog, we are going to add onto that and talk about IoT security from the standpoint of business entities. 

There is of course a lot more at risk here, especially if an organization is large, and has employees located in different geographic locations throughout the world.  So, here is a quick checklist as to how you, as a CISO, head of an IT Security team, or even a business owner, can do a Risk Assessment:

1)     Take stock:

By this I mean conduct an inventory of all your digital and physical assets.  Then, rank them according to their degree of vulnerability, using a categorical scale, such as 1-10.  In this case, one would indicate least vulnerable, and ten would be the most vulnerable.  Anything in between would be an increasing level of vulnerability, or decreasing, depending upon how you look at it (such as 2-9, or 9-2, respectively).  Then out all those assets, not only identify the ones that are most vulnerable, but also confirm which one of those are of an IoT nature.  Then, decide upon the appropriate controls, and deploy them.  Or if you already have an existing set of controls, then you and your IT Security team need to produce a plan of action to upgrade them to decrease the level of vulnerability as much as possible.  It is important to note that if you have both legacy and recent systems, trying to determine the right set of controls could be more difficult.  In this case, your best bet would be to consult with an MSP or an MSSP to work this out for you.

2)     Power Consumption:

Because of their level of interconnectivity, IoT devices are known to be extremely hungry for both processing and consumption power.  Therefore, if you do make use of a Vulnerability Scanner, or even doing something in Penetration Testing, make sure that whatever you use is “lightweight” in design.  As a result, this will not put an extra burden on those resources that are powering the IoT devices, and you can still be able to pinpoint any weaknesses or gaps accurately.

3)     Updates:

Just like the importance of a Security Policy, having a reliable Software Update Policy is just as equally or if not more paramount.  This is the one area where most businesses fail, and as a result, they become the victim of a security breach.  Thus, it is important to create a regular schedule when you will be checking for the latest updates that come out from the vendors that you work with and decide upon a good time (preferably after business hours) in which they should be deployed.  But there is one very important caveat to be remembered here:  There could be times that even these patches and updates could have flaws in them.  So therefore, it is important to evaluate them in a sandboxed environment first, before installing them into production mode.

4)     Access:

Obviously, you want to limit access to those end users who need to have entrance into your IoT devices.  Some of the best ways in which to do this is to is to implement Multifactor Authentication, also known as “MFA” for short. This is where you deploy at least three or more different authenticating mechanisms to fully identify the person who wants to gain access.  In this case, try to eliminate using passwords, together, and use something that is much more robust, such as an RSA token, a Smart Card, in conjunction with Fingerprint Recognition and/or Iris Recognition.

5)     Attack Surface:

As a business owner or a CISO, it might be very tempting to connect as many IoT devices together as possible, because the thinking here is that this will increase productivity and offer seamless communications.  While there might be some truth to this, the bottom line is that with all this interconnectivity, you are simply expanding the attack surface for the Cyberattacker.  Through just one point of entry, a malicious payload can be easily deployed and have a cascading effect upon your entire IT and Network Infrastructure.  The moral of the story is just to connect what needs to be absolutely connected, and always keep track if you are adding more, unneeded connections.  This can be easily done by using the various Heat Maps in Microsoft Azure.

My Thoughts on This:

Well, there you have it, a quick list as to what you can do to mitigate risks to your IoT devices, and to fill in those gaps and weaknesses that you discover.  This all requires a 24 X 7 X 365 watch, and although this might seem impossible to do from the outset, you can automate much of this, especially by making use of a DIEM based platform.