A New Way To Avoid A Solar Winds Like Attack: The SoT Framework

 

Do you all remember the infamous Solar Winds attack that occurred some time ago?  That kind of Cyberattack was deemed to be what is known as a “Supply Chain” attack.  No, it has nothing to do with UPS or FedEx, but the aim here is that the Cyberattacker can use just one point of entry to infect literally thousands of victims with malware, ransomware, Trojan Horses, etc. 

With the case of Solar Winds, the attacking group exploited a vulnerability found in one of the tools that was use to disperse software updates and patches to all of its clients.

In response to this, there have been many cries in the Cyber industry to come up with some sort of guidance or framework, that will help to alleviate this same kind of threat vector from happening again. 

As a result, a Cyber based organization known as MITRE (this is the same group that came out with the infamous “ATT&CK” framework.  It is a complete knowledge base of known threat vectors and their corresponding signatures, and it can also be used to create threat models for the future.

Well, they have come out with a new framework that should help curtail Supply Chain attacks, and it is called the “System of Trust”, also known as “SoT” for short.  Within it, also comes a new tool called the “Risk Model Manager” (RMM”).  It was actually first released at the RSA conference last year, and the details of it can be seen at the link below:

https://www.darkreading.com/application-security/mitre-creates-framework-for-supply-chain-security

The actual RMM tool will be formally announced at the RSA conference that is set for this year.  More information about this is right here:

https://www.rsaconference.com/USA/agenda/session/Creating%20the%20Standard%20for%20Supply%20Chain%20Risk%20%20MITREs%20System%20of%20Trust

The actual SoT platform is hosted entirely on the AWS, and it deals with 14 Cyber risk areas, which include some of the following:

*The financial information and data of the third-party vendor.

*The kind of Cyber practices that are enforced and followed.

*Any other risks that should be taken into account.

Of course this is not the complete list of 14 areas, but the above mentioned are some of the key areas of focus for this new framework. It should be noted that while any vendor can use this framework (at least this is my understanding of it so far), one of its main objectives is to also to help vet out third party vendors as businesses still continue to outsource their processes to others for handling.

In turn, once a third party vendor has been decided upon by a company, this framework can also be used to ascertain how they use their own software packages to distribute services to clients.  At the present time, there some 40+ vendors that are working with MITRE to help get it ready for widespread adoption on a global scale.  Some of these include the following:

*Microsoft

*BlackBerry

*CISA

*Cisco

*Dell Technologies

*Intel

*Mastercard

*NASA

*Raytheon

*Schneider Electric

*Siemens

*The Open Group.

These above mentioned heavy hitters are fine tuning the SoT framework by inputting various kinds and types of into a scoring algorithm, and from there, determining the Cyber advantages as well as weaknesses that a third party vendor may have in their systems.  Also, these companies are testing the SoT framework for their own internal uses as well.

Eventually, it is the main intention of MITRE to offer this framework as an open-sourced project, so that businesses can fit and mold it based upon their own security requirements.

It should also be noted that MITRE also came out with a newer framework, called the “D3FEND” model, and this is used by many organizations today in an effort to take an honest assessment of their own security posture.  More information about this can be seen at the link below:

https://www.darkreading.com/endpoint/d3fend-framework-seeks-to-lay-foundation-for-cyber-defense

My Thoughts On This:

One of the primary differences of the SoT versus the other frameworks created by MITRE is that this one is much more holistic in nature.  In other words, it does not look at a specific component or Cyberattacker, rather, the entire IT and Cyber practices of a potential third party vendor comes into the microscope for very minute scrutinization. 

Probably of the biggest obstacles for the SoT framework is that it is still so new, that widespread adoption of it yet has not picked up. But it is expected that this will change for the positive as the big-name companies start to adopt it themselves.

But I have one caveat here. Any company can adopt all of the frameworks that they want to (and there are hundreds of them), but none of it means anything until it has been adopted in full use and practice.  There are organizations out there that still inky use them partially. 

But also remember that frameworks can go only go so far.  In the end, true Cybersecurity comes down to employees, and their ability to report suspicious behavior to the higher ups in a confidential manner.

In this regard, employees should never be regarded as the weakest link in your chain.  They are the strongest, and should be treated as such.

 

The Top 4 Mistakes Made By Software Developers: Perspectives From A Penetration Tester

 

For quite some time, in fact going into last year, I have written quite a bit in these blogs about the importance of secure source code, especially when it comes to creating Web based applications.  For the longest time, software developers have evaded the Cyber scrutiny.  But now, with everything being remote and digital, the light is on them now to test their code before they send it off to the production environment. 

There is no doubt that the software developer of today is under a lot of strain and pressure to get projects out to clients under budget (if possible), but most importantly, on time.  Thus, security always takes a back seat.  If there is any kind of checking done, it is usually done at the end of the SDLC, when there is really not a lot time to do rigorous testing of the source code.

In order to drive home the importance of this topic, I came across an article in which a Penetration Tester describes how he still sees mistakes being made in the compilation of the source code, and what the vulnerabilities are as a result.  Here is what he has found, so far:

1)     Cross Site Scripting still exists:

The acronym for this is known as “XSS”.  According to the OWASP, it can be technically defined as follows:

               “It is a type of injection, in which malicious scripts are injected into otherwise benign and        trusted websites. XSS attacks occur when an attacker uses a web application to send malicious            code, generally in the form of a browser side script, to a different end user. Flaws that allow               these attacks to succeed are quite widespread and occur anywhere a web application uses input       from a user within the output it generates without validating or encoding it.”

               (SOURCE:  https://owasp.org/www-community/attacks/xss/)

               Simply put, this is where a Cyberattacker injects a piece of malicious code into a backdoor (or      another vulnerability) of the Web application.  The idea here is to gain control of the application             in question, and from there, try to hijack information and data as possible.  A very common             example of this are what are known as “SQL Injection” based attacks, where the hacker will   inject malicious queries into a SQL databased (such as SQL Server, MySQL, etc.).  More         information about XSS attacks can be seen at this link:

               https://www.darkreading.com/attacks-breaches/xss-flaw-prevalent-media-imaging-tool-      exposes-trove-patient-data

2)     Vulnerability scans may not be enough:

If any check on the source code is done, it is usually conducted by a Vulnerability Scan.  This kind of test is a good one to conduct, but it does suffer from a number of pitfalls.  Probably the biggest one is that it is not comprehensive enough.  For example, it is only considered to be passive in nature, and will only find those gaps that are blatantly obvious.  It will not go to the extent and detail that a Penetration Test would.  Thus, as I have always said, software developers should always test the source code on a modular basis, so that any unknown vulnerabilities will not have a cascading effect onto the rest of the source code.  If possible, it would be very prudent to conduct a Penetration Test at each level.  To help do this, there are tools out there that can automate this process.  But in the end, human involvement is always necessary to confirm any findings.

3)     Need to think outside of the box:

Software developers are tasked to do one thing only, and do it the best that they can:  Create the source code so that it meets every need and requirement of the client.  And if they can come up with some extra features that would benefit the client, that is a nice to have also.  In other words, the main focus of the software developer is on meeting the business objectives of the project.  They are not tasked with taking the flip side of the equation, which is seeing how the source code could be used maliciously by a Cyberattacker.  But this is not the same as testing.  Rather, the software developer is trying to take the mind of the hacker, and figuring out how the code can be further exploited.  But in the end, it is not fair to ask the software developers to do this herculean task, and probably many of them do not have the mindset to do this.  Because of this, many businesses in Corporate America are now turning to what is known as “DevSecOps”. This is a fancy piece of techno jargon which simply means that along with the software developer team, the operations and the IT Security teams are also involved in the development of the Web application project in order to lend a helping hand to make sure the source code is tested and secure.

4)     Everything is fair game:

When developing the source code, software developers often rely upon APIs.  These are reusable lines of code that are used to bridge the gap between the front and backends of a Web based application.  Any software developer can download these from open sourced libraries, but the problem here is that these API libraries are often not tested or upgraded with the latest patches.  Very often, the software developer thinks that this is not their responsibility, but the bottom line is yes, it is!!!  Ideally, it should be up to the owner or organizers of the API repository to check for all of this, but the ultimate accountability comes down to the person that is going to use and implement those lines of code. This is another area where the DevSecOps concept is becoming quite important, and will be so for a long time to come.

My Thoughts On This:

In a way, I am glad to see that software developers are going to have be more accountable for the code that they create and execute.  But in the end, they should not have to shoulder all of the responsibility, it takes the entire company to make sure that a Web based application is safe and secure to the client.  To use the old saying, “It takes a village”. 

But, there is one area in which software developers have to be completely, 100% responsible for:  It is in the backdoors that they create.  For example, rather than having to go through the usual login process that they create for the application, the software developers will create easy access portals in order to gain quick access to the source code.

But very often, right at the end of the project, they forget to check for these backdoors that they have created.  As a result, this is one of the first areas that a Cyberattacker will scope out for, and try to penetrate into first.

 

Distinguishing Between Data Privacy & Surveillance

 

I had a few great podcasts this past week, and one of the questions that I usually ask surrounds the Remote Workforce.  My guests last week seem to be in agreement that the WFH concept is one that is going to be around for a long time to come. 

They also said that the so called hybrid model may or may not work, but in the end, you truly have to listen to your employees.  This is not to say that a CISO has to do everything that an employee wants, but remember, a happy employee makes a productive one.

But with remote working, comes a serious issue that many businesses in Corporate America are now facing.  And that is, how much they can spy on their employees to make sure that they are maintaining good levels of Cyber Hygiene.  The major thrust of this are the data privacy laws that have been enacted in the recent years, most notably those of the GDPR and the CCPA. 

But now, another factor has compounded this issue in that what if your remote workers are actually using their own devices in order to gain access to shared resources on your corporate servers? How much prying can you do then? 

For example, if your entire infrastructure is in the Cloud (like Microsoft Azure), and your employees still use their personal devices to access the resources on it, can you still audit those devices?

Well, this morning, I came across an article that sort of addresses these issues.  Here are some thoughts that were shared in it:

1)     Don’t collect too much:

If you are an SMB with an online presence (such as an Ecommerce store), information and data about your customers and prospects are literally your lifeblood.  You want to collect as  knowledge as you can about them so that you can entice them with your latest products and services, and if you have the AI and ML tools on hand, predict what their future buying habits will be like.  But now the line is starting to be drawn is when is too much information collected?  There is really no clear cut answer to this, as a lot depends on your line of business, and what you are selling.  But once again, the GDPR and the CCPA now limit as to how much you can collect.  Also, under these new regulations, your customers now have the right to ask you how their data is being stored, archived, and/or processed.  For example, is it being given away to third parties without their knowledge or consent?  In a worst case scenario, your customer can ask to have all of their data purged, and never shop with you again.  Therefore, is always in your best interest to let customers and prospects know what kinds of data/information are being collected about them.  Also keep in mind that if you do collect “too much” information, this also increases the attack surface, as now the hacker has much more that they can exfiltrate and sell onto the Dark Web for a nice price.

2)     Be careful of the lines you cross:

As mentioned earlier, with the Remote Workforce now in its almost permanency, as a CISO, you have to be careful as what is deemed to be “surveillance” in the eyes of your employees.  Obviously, you do not want to be perceived as Big Brother watching.  So in this regard, you should always tell your employees ahead of time as to what kinds of activities you will be watching them for.  This is especially true of third-party contractors.  But, this issue gets even murkier when the home networks that your employees use to access the corporate networks are blended together.  For example, what if your remote employee uses their own personal workstation to connect to their own network which in turn will be used to gain access to the shared resources?  Can you still deploy employee monitoring tools onto these personal devices?  A few years ago, this was never really an issue.  But this all came about when the COVID-19 pandemic first hit, and everybody for the most part, was required to work from home.

3)     Take preventative measures:

In the end, as the article points out, it is always better to err on the side of caution rather than taking risks.  Here is what is recommended:

*View each piece of data not only in terms of its business value, but also in terms of its privacy value as well.  For example, always ask this question:  Do we really need this piece of information?  Can it be deemed as a privacy risk?

*If you make use of AI and ML tools, also take a look at the datasets that you have acquired (more than likely from a third party vendor) and see if all of the information is really needed before you actually process the datasets.  In other words, look at what you want your expected outcome to be, then ask the question if those extra points will actually help meet your end objective or even skew it.

*Always be extremely careful when handing over any datasets to third party vendors.  Make sure you know how they are using them, and for what purposes they are being used for.  Always conduct regular audits if you feel that this is necessary.

My Thoughts On This:

Let’s go back to #2.  Although I am not a lawyer, IMHO, as an employer, you have every right to question your employees how they are using their devices when it comes to the accessing and storage of it.  But keep in mind, that the law is on your side if your employees are using company issued devices.  

If they are using their own, then this really becomes a dicey situation.  But on the flip side of this, you are a steward of the data and information that you collect and hold, and with that responsibility, you have to take every precaution possible to protect it.

So, that could give you some more latitude in the inspection and/or audit of your remote employee’s personal devices.  But you have to make these stipulations clearly and blatantly known to your employees from the very beginning!!!

How To Get A Holistic View On All Of Your Cyber Vulnerabilities

 

In the world of Cybersecurity today, the term “Risk” is one term that is bandied quite a bit in today’s circle.  But what is what exactly is Risk?  It can have many definitions to many people businesses.  But very general terms, Risk can be defined as to how much tolerance a business can take before it goes into a serious downturn, especially from a financial standpoint.  Unfortunately, many businesses do not even know how to calculate what Risk really is. 

Either they try to figure it out on their own, or they hire a very expensive consulting company to do it for them, which of course many SMBs cannot afford to do.  So what is the next option?  In today’s podcast, we have the honor and privilege of interviewing Tal Morgenstern, the Co Founder and CPO of Vulcan Cyber.  They offer a unique platform that not only calculates your level of risk, but also shows where the vulnerabilities are in your organization.  It also offers strategies to remediate those vulnerabilities, and this lower you level of risk substantially.

You can download the podcast here:

https://www.podbean.com/site/EpisodeDownload/PB13AE49FANTZS

Cybersecurity For Everyone: A New Book By David Pereira, CEO of Secpro, LLC

 

Hey Everybody,

With all of the geopolitical and economic uncertainty that is facing us today, many companies are pinching their budgets as much as they can, which even means laying off valuable employees.  In this regard, the tech sector here in the United States has been amongst the hardest hit so far.  But despite all of these turmoils, organizations will always need help when it comes to beefing up their lines of defenses against the Cyberattacker.

In the past, we have interviewed many Managed Service Providers (MSPs) and even Managed Security Service Providers (MSSPs) to see what kinds of solutions they can offer to organizations, especially the SMBs, where funds are very critical.  There is no doubt that they offer just about everything, but they do not have services in two key areas:  1) Protection of Intellectual Property; and 2)  Providing security awareness training for your employees.

In this podcast, we have the honor of interviewing David Pereira, the CEO of SecPro.  In this segment, he will be providing more detail into these new services, and how an SMB can greatly benefit from them.

You can download the podcast at this link:

https://www.podbean.com/site/EpisodeDownload/PB13B85CBUQ5FD

How To Fine Tune Your Cyber Budget In These Uncertain Times

 

As many of you know, the Silicon Valley Bank in California essentially shut down on Friday, due to its insolvency.  Now the FDIC is taking over so that insured deposits can be paid out in a timely manner, which will hopefully stop the rush to the banks in panic withdrawals. 

The exact reason for the bank’s demise is still being filtered through, but a lot of people are blaming the bank’s heavy investments into the tech and crypto based sectors.

It will make the headlines for sure all of next week.  So, the second largest bank failure in American history should raise a red flag to a lot of the people in the C-Suite, especially the CISO, or the vCISO, who ever is in charge. With the economic headwinds and geopolitical situations will uncertain, the CISO has to keep a close eye on their Cyber budgets and plan for the future.

Although nobody can predict the future with any degree of accuracy, here are some key events to keep in mind to make sure that your budget stays as flexible as possible:

1)     The Russian invasion of the Ukraine:

While this happened over a year ago, the conflict still remains, and is getting more entrenched.  At the beginning of the war, there was a lot of fear that there would be major Ransomware attacks here in the United States, especially onto our Critical Infrastructure. Luckily nothing has happened yet, but as the war drags on, anything is possible.  So this is a huge variable that has to be factored into your budget.

2)     Uncertainty of the United States markets:

There is no doubt that inflation is on the mind of every American today.  Heck, even I went grocery shopping today, and could not believe how much the costs of basic food items have risen.  But not only this, but the fear of inflation has greatly spooked the financial markets, and this was best exemplified just last week.  With these roller coaster ups and downs, companies are fearful to spend or deploy any cash into budgets, and that even includes hiring people.  Again, this is evident in the layoffs the tech sector has been seeing since the beginning of this year.  While layoffs are never any good for anybody, it is still important to keep in mind that when compared to the 2008 recession, the number of people losing jobs is not nearly as much.  Also, the job numbers still look very strong here in the US, based upon last Friday’s report.  But in the end, nobody knows what the Fed will do in terms of raising rates so this is something that you will have to keep a close eye on as well.

3)     The Data Privacy landscape:

When the COVID-19 pandemic was in its climax, data privacy regulators backed off from conducting audits and imposing any kind of financial penalties.  But now that the pandemic is more or less behind us, this is going to ramp up again to even greater degrees, as companies make even greater strides to move to the Cloud.  So, money will have to be spent in making sure that all of your controls are in place and are totally optimized.  To many CISOs this might seem like a sheer waste of time and money, but some spent now will help you avoid that audit and paying 10x more in financial penalties.

4)     Security training:

This is a component of your Cyber budget that you cannot let go.  Employees will need to be trained on a regular basis, and of course this is going to cost some money.  As a CISO, be on the look out for developing more effective means of training.  You can always outsource this particular function to a reputable Cyber vendor that specializes in this.  This can help you save some money in the end.

5)     Investments in new security technology:

This is an area in which, as a CISO, you need to have second thoughts on.  For example, I have written a lot in the past that it is always better to do with less than with more.  There are two reasons for this:  a) With more technologies in place, it will only expand the attack surface for the Cyberattacker, and b) Having more tools will simply mean that your IT Security team will more log files to filter through, which further lead to a phenomenon known as “Alert Fatigue”.  My thinking here is that if you can conduct a Risk Assessment, and from there take stock of you have, you can possibly rearrange things so that you create a more efficient and effective means of beefing up your lines of defenses.  The bottom line is this:  You are far better off with deploying three firewalls than ten firewalls, as long as they are strategically placed.

My Thoughts On This:

In my view, the uncertainty of inflation and the geopolitical situations will remain with us for a long time to come.  Therefore, it is important for you, the CISO to plan properly and accordingly.  But remember that you do not have to be alone in this process.  If possible, try to get an advisory board to work with you and to provide a second opinion.

One of the primary benefits of this is that if you need an infusion into your Cyber budget, you will have a group of well-seasoned executives to back you up not only in front of your CEO, but the Board of Directors as well.

 

How To Avoid A Cyber Threat By Smelling Out The Urgency

 

There is one thing that is for sure in the Cyber world today:  The attackers are getting more and more clever in what they do.  And in fact, they phony websites and Phishing based emails look so real now it is almost impossible to tell what is real and what is not.  Even to the Cyber experts, this can be a problem, as even they can be duped into becoming a victim as well.  So now. What do they do to tell the differences?

Here are some clues that even the experts use to make sure that they think twice before clicking on that email or visiting a questionable website:

1)     Taking the time to breathe:

There is no doubt that all of us, in today’s society, get tons of emails every day in our inbox.  Heck, even I do.  Most of them are from other Cyber vendors and  lot of them are just newsletters or some other piece of content, such as alerting people about the latest threats that are out there.  In fact, it has gotten so bad that only do I mark most of them as Spam, but even some legitimate emails go into my Spam folder as well.  So I have to comb through that as well, wasting more time.  What I am trying to get at here is that there are times you might be expecting a real email from somebody that you actually know.  But instead, by coincidence (and I do mean that), you get an email from a Cyberattacker.  This psychological phenomenon is also known as the “Confirmation Bias”.  Technically, it can be defined as follows:

               “The tendency to process information by looking for, or interpreting, information that is   consistent with one's existing beliefs.”

               (SOURCE:  https://www.darkreading.com/risk/scams-security-pros-almost-fell-for).

               Let me illustrate this with an example.  A few years ago, during the holidays, I had made a purchase using my PayPal account.  About 5 minutes later, I got an email from PayPal saying that           the transaction did not go through.  Of course, I was quite alarmed, and I clicked on the link to           respond to without checking it first.  When I logged in, I realized that I was at a phony site. I         logged out immediately, and called PayPal.  They said that they never sent such an Email.  So I       quickly changed my password.  To this day, I don’t even know how it happened.  Somehow,   Cyberattackers are aware of your behavior, and when you do make a legitimate purchase at a            reputable Ecommerce store like Amazon, they send you a Phishing Email a few minutes stating    that something is wrong with your account.  Because of this sense of urgency, you respond.  The moral of the story here is this:  Even if you are expecting an Email from somebody you know,            always contact them to make sure that they sent it.

2)     Submission to authority:

From the moment that we are born, we are always taught to obey our elders, especially those that are in a position of authority.  This is of course a good trait to have as we evolve into adulthood, but this is yet another area that Cyberattackers use to make unsuspecting victims fall prey.  In fact, disguising oneself as this kind of figure falls into the realm of what is known as “Social Engineering”.  This is where the Cyberattacker uses techniques to particularly prey upon our most vulnerable emotions and feelings.  I can even relate to this a long time ago.  I was not in Cyber back then, but rather, I was a creative writer.  But back then, Smishing was still existent.  Long story short, I got a phony call from somebody stating that they were from the IRS.  They had made claims about a tax return that was in error from a few years ago.  Being much more naïve back then, I fell for it.  They had made further claims that I owed $3,000.00 in back taxes, and that I have to make payment with my credit card.  I immediately hung up. They kept calling back, and eventually I answered the phone.  The guy on other end (who claimed he was from the IRS) even yelled at me to make payment. Again, I started to fall prey to this, and almost gave my credit card information.  Something inside me made me hang up, and I did.  Eventually they stopped calling.  I called the Secret Service, and they said that the whole thing was a scam.  Luckily, they never got my credit card number.  This can also happen in the physical world also.  There are even stories of people who dress up as cops and even somehow can get the flashing lights installed onto their cars.  They then pull somebody over, and use that as a technique to cause even much graver harm to their victim much more so than a stolen credit card number.  Again, the moral of the story here is if you ever get a call, or a Phishing email, or any thing like that, or even something suspicious even in the snail mail, never respond quickly to it.  You’re your time, go through it, and try to confirm its legitimacy, if any.  If you have any doubts, always contact the sender.  On that point, Cyberattackers have even resorted to using the USPS as a means for reaching out and luring victims into their cross hairs.

My Thoughts On This:

As you can see here, the common thread is invoking that particular sense of urgency.  And, this is what the Cyber pros use when trying to detect a fake site, a phony call, or a Phishing email.  So keep one thing in mind:  There is always time. A legitimate and true organization will always give you some sort of time period to respond in, which will be reasonable to you.

So if you get anything with a sense of urgency attached to it, first, take your time and breathe.  Read and reread your Email, snail mail letter, etc. over and over again.  Try to find any clues if it is a fake or not.  Look for things like spelling mistakes, capitalization, misuse of grammar, etc.  Any doubts?  Call the sender before you do anything!!!  And remember, always trust your gut.  If something does not feel right, delete it, or just throw it away.

Also keep in mind that with the emergence of AI now coming into the world, it will even be that more difficult to tell what is real and what is not.  This is especially true of ChatGPT, the latest AI craze.  But that will be a topic for a future blog.