Sunday, May 19, 2024

How To Quell The Fears Of Generative AI: The Steering Committee

 


As this world, and especially here in the United States dives deeper into AI, and especially that of Generative AI, many people are still left scratching their heads, especially in the business and academia communities, as to how to move forward.  For example, there are many questions that still have yet to be answered, both from the technical and social implications standpoints. 

IMHO, the Generative AI is right now in a huge bubble.  We are seeing this with the hyper inflated stock values of those companies that are involved with it, such as Nvidia, Vertiv, etc. ad all of the other companies that are involved with the GPU making process and in the construction of data centers to support all of the applications that are created by Generative AI.

But this bubble will burst, just like the “.com boom” we saw in the late 1990s.  But what is different about this is that AI in general has been around for a long time (in fact, since the 1950s), and because of that, it will still be around even longer for decades yet to come.  VC funding will come and go, but the research into Generative AI will still be strong as new algorithms are being developed on almost daily basis.

So,  in order to be prepared for all of this, businesses need to centralize their efforts in a top-down approach not only to make sure that what they are investing in will produce some sort of positive ROI, but also that the concerns of employees, customers, prospects, and other key stakeholders can also be addressed quickly and effectively.  So you are probably asking now at this point, how can all of this be started?

It can be done through what is known as the “AI Steering Committee”.  In a way, this will be similar to other committees that exist in a business, but its exclusive focus will be that of just Generative AI, and nothing more.  Some of the key members that should be an integral part of this include the following:

Ø  The CISO and a member of the IT Security team, with a managerial title.

Ø  A legal representative, such as that of an attorney, but it is imperative that they are well versed in AI and the Data Privacy Laws.

Ø  If a business has one, the Chief Compliance Officer (they make sure that all of the Data Privacy Laws are being adhered to).

Ø  Key representatives of those that will be involved in the Generative AI process.  Examples of this include AI scientists, AI engineers/architects, etc.

Ø  Any other key stakeholders, especially those from Third Party Suppliers.

Ø  A consultant who can provide advice and direction on the “social impacts” of Generative AI, especially as it relates to customers and employees.

So, once this committee is formed, the next step is to actually get some action items created so that things can move forward.  Here are some suggestions on how to do this:

1)     Start with a Risk Assessment:

Just like how you would conduct a Cyber Risk Assessment,  the same holds true for Generative AI.  But, here the committee needs to figure first if and how Generative AI has been deployed to begin with, and if so, what the impacts it has had both in terms of the technical and marketing standpoints.  If there already have been some  projects that have been implemented, then you and your committee need to figure out if it has posed any kind of risk.  By this I mean, are there any gaps or vulnerabilities that have been identified in the Generative AI app?  If so, what steps, if any, have been taken to remediate it?  Out of anything else, this is what will matter the most.  If there are any holes, this could make the app prone to data leakages, or worst yet, even Data Exfiltration Attacks.  Also, since the data that is housed in a Generative AI Model is now coming under the scrutiny of the Data Privacy Laws (such as the GDPR, CCPA, HIPAA, etc.) the committee also needs to make sure that the right Controls are in place.  This entire process of adding new ones or upgrading existing ones needs to be thoroughly documented. For more information on this, click on the link below:

https://www.darkreading.com/cyber-risk/building-ai-that-respects-our-privacy

2)     Used a Phased In Approach:

Like with anything else that is new, you do not want to deploy 100% all at once.  You need to implement it in various steps, or phases, so that you will not get buy in from your employees, but most importantly, your customers.  This will give time for people who are resistant to change to adapt, at a pace that works for them.  As it relates to Generative AI, the first step here would be thoroughly test a new app in a Sandbox Environment.  If everything checks out, then start to do pilot studies with employees and customers over a period of time to see how responsive they are to it.  If all turns out to be positive, even in the smallest of degrees, then deploy the Generative AI app into the production environment, a bit at a time.  This process is of course very general, but you sort of get the idea.  A lot here will depend upon how the existing processes are currently set up in your business.

3)     Be Positive:

As the fears and concerns still surround Generative AI in general, it will be imperative for the AI Committee to maintain a positive attitude, but yet to be cautious.  In this regard, it is critical that a 24 X 7 X 365 hotline be available so that all key stakeholders can relay their concerns on a real-time basis.  But the key here is that they must be addressed quickly, if not seeds of doubt will start to get planted about Generative AI, and how your company plans to use it.  It is key that the AI Committee be as transparent as possible, and if you don’t know the answer to a question, simply say:  “I don’t know, let me get back to you once I get more information”.  But don’t ignore this person, always keep them updated as much as possible.

My Thoughts On This:

Now how this proposed AI Steering Committee will move forward into the future will depend  a lot on how the actual members of it take their role seriously.  Today, Generative AI is still like a big jigsaw puzzle, and in order for it to be solved, centralization is key, starting with the AI Steering Committee.

Sunday, May 5, 2024

4 Ways How Generative AI Can Combat Deepfakes

 


Just last week, I authored an entire article for a client about Deepfakes.  For those of you who do not know what they are, it is basically a replication made of an individual, but it is primarily used for sinister purposes. 

But the catch here is it is Generative AI that is used to create, and they very often come in the way of videos, most often posted on YouTube.  One of the best examples of Deepfakes is in the Election Cycles.  They are created to create an impostor video of the real politician, but it gets more dangerous here. 

For example, the video will very often have a link to it that will take you to a phony website, asking you to donate money to their campaign.  But in the end, the money that you donate is not going to that cause, rather, it was probably sent to an offshore bank account located in a nation-state Threat Actor, such as Russia, China, or North Korea.  Just to show the extent that Deepfakes have created, consider these statistics:

*Deepfakes are growing at a rate of 900% on an annual basis.

*One victim of a Deepfake Attack actually ended up paying over $25 Million after a fake video of their CFO was posted on the Social Media Platforms.

So what exactly can be done to curtail the rising danger of Deepfakes?  Well, the thinking is that the Federal Government (and for that matter, those around the world) need to start implementing serious pieces of legislation that will provide steep financial penalties and prison time.  But unfortunately, these actions have not taken place yet, due two primary reasons:

*The legislations that are passed simply cannot keep up with the daily advances that are being made in Generative AI.

*Even if a perpetrator is located, it can take law enforcement a very long time to justice, given the huge caseloads that they already have on the books related to security breaches.

*Trying to combat Deepfakes on a global basis takes intelligence and information sharing amongst the nations around the world, some  of which are not ready for this task or simply are unwilling to participate.

So, now the thinking is that the business community should take the fight directly now to the Cyberattacker.  But what tools can be used?  Believe it or not, Generative AI can also be used here, but for the good.  Here are some thoughts that have been floating around the Cyber world:

*It can be used to carefully analyze any kind of inconsistencies between what is real and what is fake.  For example, in a video, there will always be subtle changes in lighting, or unnatural facial movements.  These are very difficult to spot for the human eye, but to a Gen AI tool programmed with the right algorithms, it can seek them out, and fairly quickly.

*While Deepfakes are great at replicating images, they are not so good yet at recreating the voice of the victim.  In fact, the voice will almost sound “robotic like”.  If Voice Recognition can be used in conjunction with Gen AI here, this will probably be yield the first, definitive proof that a Deepfake has been used for malicious purposes.  Also, this kind of evidence should also hold up in a Cout of Law in case the perpetrator is ever brought to justice.

*If the company even makes use of other Biometric Modalities such as that of Facial Recognition, it can also be used to great level of certainty to determine if an image or a video is an actual Deepfake or not.

*Another option that a company can use is what is known as “Content Watermarking”.  These are hidden identifiers that can be placed in an actual image, and at the present time, a fake replication of these will not be able to notice them.  Thus, this is an easier way to tell if an image or video is real or not.

My Thoughts On This:

Even to implement the above-mentioned solutions, it is going to cost money for a company to do.  Given the mass layoffs in the tech sector as of late, and how Cybersecurity is still a “back seat” issue with many C-Suites, these solutions will not be deployed in the near term.  And IMHO, it’s a disaster that is waiting to happen, as once again, Gen AI is advancing at a clip that really nobody can keep with yet.

In fact , according to a recent report from Cisco, only 3% of companies in Corporate America have even increased their funding to fight off the nefarious purposes that Gen AI can bring to the table.  More details about this study can be found at the link below:

https://www.darkreading.com/vulnerabilities-threats/innovation-not-regulation-will-protect-corporations-from-deepfakes

To view the actual letter that was signed by some of the major Gen AI pioneers mandating further Federal Government intervention, click on the link below:

https://openletter.net/l/disrupting-deepfakes

 

Sunday, April 28, 2024

7 Key Lessons To Be Implemented For The Cyber Supply Chain

 


I am close to wrapping up the manuscript for my 16th book, which is about the Data Privacy Laws, and how to come into compliance with them.  In this piece, I focus on three key pieces of Legislation:  The GDPR, CCPA, and the CMMC.  Of course, I could not cover each and every page of these Legislations, so I just wrote about the major tenets and provisions that exist from within them.  I have even included a separate chapter that provides a brief framework as to how businesses can come into compliance with these Data Privacy Laws.

So, by coincidence, I came across an article this morning that describes the compliance efforts that Solar Winds took to help remediate and inform their key stakeholders as to the security breach that had occurred (this is more formally known as a “Supply Chain Attack”).  The author of this article points out the flaws and the inconsistencies which took place in this reporting process.

For example, on 10/30/23, the SEC filed a legal complaint against Solar Winds.  The actual text of this complaint can be seen at the link below:

http://cyberresources.solutions/blogs/Solar_Winds.pdf

Basically, the legal document that was filed accused Solar Winds of "misstatements, omissions, and schemes that concealed both the Company's poor cybersecurity practices and its heightened —  and increasing — cybersecurity risks.”

(SOURCE:  https://www.darkreading.com/cyberattacks-data-breaches/solarwinds-2024-where-do-cyber-disclosures-go-from-here)

But as this legal document came out, and made its way into the public, the criticism of the SEC started to pour in.  For example:

Ø  The SEC was too slow in addressing anything.

Ø  The legal document is just a “slap on the wrist” and does to prevent future attacks like this from happening.

Ø  The CISO took all the blame.

Ø  Any future hiring of CISOs will now be carefully monitored as a result.

Of course, there are other many complaints as well, but these are some of the major ones I found in the article.  But, it is interesting to point out here that the Cybersecurity troubles actually started for Solar Winds way b.  in 2018, when it made its filing for an IPO.  In its statements that were made, the SEC accused Solar Winds of simply making “boiler plate” assumptions about the particular level of Cyber Risk.  In other words, they offered no evidence to back up the statements that they had made, such as providing results into any Risk Assessment Study that they may have conducted of their digital and physical assets.

But as time went on, and as the weaknesses and gaps became more prevalent and known to the key stakeholders, none of the upper brass took any initiative to disclose them actually fully. Here is what the SEC even said about this situation:

“Even if some of the individual risks and incidents discussed in this Complaint did not rise to the level of requiring disclosure on their own … collectively they created such an increased risk …" that SolarWinds' disclosures became "materially misleading."

(SOURCE:  https://www.darkreading.com/cyberattacks-data-breaches/solarwinds-2024-where-do-cyber-disclosures-go-from-here).

But even despite these stark statements made by the Federal Government, the gaps and weaknesses only got worse.  And so from here, the story goes, nothing was done to remediate these holes, and as a result of it, some 1,000+ victims were impacted, ranging from the private sector and to the public sector as well.  Some of them included the smallest of the Mom-and-Pop Shops to the largest of the large, such as Microsoft, and various Agencies within the Federal Government.

My Thoughts On This:

So now, the big question is how do we go from here, to make sure that this is prevented.  Although I am by no means a compliance or Data Privacy expert, here are my thoughts, based upon my knowledge in my years of Cybersecurity:

Ø  *Stop the blame game.  Don’t’ simply make the CISO the first target to shoot at.  Everybody is responsible to some degree or another if a security breach does indeed happen to a business.  The first thing that should be top of mind is restoring as quickly as possible business operations as quickly as possible.  Then conduct a detailed forensics examination, to see what exactly happened.  Then point the fingers at who is to really blame.

Ø  *It should be Federal Law that companies, no matte how large or small they are, must report any security breach to key stakeholders, law enforcement, and the regulatory bodies within hours, and not wait for four days, which is the current allowance.

Ø  *It is a fact that Solar Winds depended a lot upon other vendors to carry out their work.  This is why this particular hack was called a “Supply Chain” one, because of all of the parties involved.  In my opinion, it should be a Federal Law that businesses have to show complete documentation as to how they have vetted and hired a Third-Party Supplier in this regard.

Ø  *The finger pointing must stop here and now.  Of course, this would only happen in a perfect world, not the real world in which we live today.  As a country and as a society, we need to be much more proactive and not reactive like we are today.  But, this only comes from leading by example.  In other words, if an employee is required to maintain a strong level of Cyber Hygiene, so should the C-Suite and even the Board of Directors,  for that matter.

Ø  *Just like the Department of Homeland Security (DHS) was created right after 9/11, the same needs to be said for a Department of Cybersecurity.  At the present time, the states are running rampant with creating their own Data Privacy Laws, which can vary greatly.  Therefore, we need some sort of central body at the level of the Federal Government that can create common Data Privacy Laws, as a well as a set of Best Practices and Standards so that everybody can have an equal playing field, so there is no more ambiguity.

Ø  *The sharing of intelligence and other types of data and information must be greatly increased, and this can only happen with a centralized body overseeing all of this.

If I*If a  Department of Cybersecurity were to be actually created, then all of the regulatory bodies and agencies must reside here.  By having them spread out across different arms of the Federal Government makes it much worse when trying to instill a degree of accountability.

SoSo, here are my thoughts on this matter.  More to come in the future.

Sunday, April 21, 2024

How To Avoid Being Caught In Global Based Cyberwarfare

 


Although the scope of this blog is to remain as apolitical as possible, sometimes it’s not just that easy to do, especially when you are talking about nation state threat actors, such as those of Rusia, China, North Korea, Iran, etc. 

I also have to be honest and say that this year so far has been amongst the worst that I have ever seen for geo-related conflicts.  For instance, there is the Ukraninan war, the Hamas war, and now even possibly a war with Israel and Iran.

Although these wars are bring fought with the traditional means to do so, there is yet another angle to do this:  The Cyber Warfare that is taking place.  Of course we can’t feel it or hear it, because it is all taking place in the digital world. 

But believe it or not, there are victims of this as well, as we have seen in the Ukraninan war. For example, hackers from Russia have directly attacked its Critical Infrastructure causing havoc to all of its resources.

An example of just horrific this is, click on the link below:

https://www.darkreading.com/ics-ot-security/kyivstar-mobile-attack-ukraine-comms-blackout

So if you are unfortunately in the midst of experiencing this kind of crisis, there are key steps that you need to take to protect yourself and your business.  Here are some of them that you can take:

1)     Employee Safety:

First and foremost, remember always that your employees and other subcontractors that you may have hired are probably amongst the greatest assets that you have.  Thus, you need to take every precaution that is possible, at least from within the confines of your business.  If you have a remote workforce, then check up on your employees periodically to make sure that all is well.  By taking this kind of approach, you will truly show your employees that you care about them and their wellbeing.

2)     Backups:

Apart from your employees, your Datasets are your next big assets.  But as we know today, this is one of the prime targets for the Cyberattacker.  Therefore, as I have written about many times for clients and even here on my own blog (and even in my books), backups are totally essential.  You cannot do without them.  You need to maintain a regular schedule of doing this for however it fits your security requirements, and always keep in mind that you have to maintain multiple copies of your backups.  If you have an On Premises Infrastructure, then of course this will be much harder to do.  So, my advice to you in this regard is to use the Cloud, such as that of Microsoft Azure.  They have great tools already available for you to use.

3)     Cybersecurity Training:

This is probably the next important item down the rung here.  Your employees have to maintain the strongest levels of Cyber Hygiene that are possible, and the only way you can do this is by training them.  So just like how you do your backups, you also need to maintain a regular schedule here as well.  My recommendation is at least once a quarter, and it should be given in person directly.  But don’t make your training sessions as a “one size fits all” approach.  It needs to be specific and tailored to the audience that you are teaching.  For example, if they are members from your finance and accounting departments, then you need to educate them more about the tactics of Social Engineering, and how to spot BEC Phishing Emails (this is an acronym that stands for “Business Email Compromise”, and it is a kind of attack where the sense of fear and urgency is targeted towards these departments in order to wire a large sum of money to a phony, offshore account).

4)     Perimeter Security:

It is imperative that you get away from this kind of security model.  It assumes that you have one line of defense circling and protecting your business.  But despite how fortified this is, once a Cyberattacker breaks through it, they have complete reigns over your IT and Network Infrastructure.  So to avoid this from happening, implement what is known as the “Zero Trust Framework”.  This is where you segment all of your digital assets into different zones, and each one has its own layer of defenses.  The thinking here is that if they can break through one zone, the chances of them breaking through all of the others becomes almost statistically insignificant because of all of the authentication mechanisms that are involved.

5)     Sharing:

In order to keep ahead of the game, you need access to intelligence.  The only way that you can get this is by forming partnerships with others in your industry to share that level of knowledge.  Also, there is a greater movement now in the Cyber industry for even more extensive partnerships to be created between the academic, public and private sectors.  I know for a fact that the FBI and Secret Service already do this, as they offer seminars to the public so that such knowledge can be shared.  Also, you can contribute to and get a wealth of information from such sources as the NIST, CISA, OWASP, etc.

My Thoughts On This:

Apart from taking these above-mentioned steps, don’t forget this one last thing:  Have your Incident Response, Disaster Recovery, and Business Continuity plans in place and ready to go if they are needed.  Also, make sure that you take the time to rehearse these as well, so all of the people that are involved with these plans will know exactly what to do.

Many business learned the hard way during the COVID-19 pandemic by not having these kinds of plans in place.  But make sure you are not caught again “with your pants down” in these uncertain times.

Sunday, April 14, 2024

The Impacts Of Liquid Cooling On AI Datacenters

 


When we think of AI, hear about it, or even use it, we often think of ChatGPT.  While in a way this is correct, Generative AI (from which ChatGPT is derived from) is just a subset of AI.  For example, there are other areas as well, such as Machine Learning, Computer Vision, Neural Networks, Large Language Models, Natural Language Processing, etc.

But yet, there is yet another area of AI which will receives almost no public attention whatsoever, and those are the companies that own the datacenters which house the servers to host the AI applications.  But a point of clarification is needed here.  Although many of the AI applications are now SaaS  based, and in fact, you can even create and host your own AI app on Microsoft Azure – you still need a physical server to host all of this software.

Because of the huge growth in AI, there in turn has been an increased demand for datacenters.  In fact, if you listen to a business channel like CNBC, you will see them even talk about the stocks of some of these companies that own these datacenters.  For example, some names that come to mind here include Vertiv, Advanced Micro Devices, Nvidia, Iron Mountain, etc.

The demand for datacenters is going to be red hot in the coming years.  In fact, it is predicted that the entire AI market will be worth well over $1.3 Billon in just revenue alone.  This represents a staggering growth rate of over 37% from today’s numbers.

(SOURCE:  https://www.marketsandmarkets.com/Market-Reports/artificial-intelligence-market-74851580.html)

Given all of the servers and networking technologies that a datacenter has to contain, the temperature in them can get very hot.  As a result, these physical infrastructures need to be cooled on a 24 X 7 X 365 basis throughout the entire year.  But, despite the profits that are being made, the costs of cooling, take a big chunk out of that – it can be almost as much as 40% for a datacenter’s electricity bill. 

(SOURCE:  https://www.computerweekly.com/news/366568452/Datacentre-operators-face-capacity-planning-challenges-as-AI-usage-soars)

Because of these staggering costs, many datacenters are now opting for another form of cooling rather than the traditional ones.  This makes use of water, as now referred to as “Liquid Cooling”.  At least here in the United States, the datacenters rely upon a freshwater supply for cooling – this is the same source that provides us with our drinking water.  Although we think that water is a plentiful resource that we will never run out of, consider these statistics:

*The typical datacenter uses at least 1-5 million gallons of water, on a daily basis.

(SOURCE:  https://www.washingtonpost.com/climate-environment/2023/04/25/data-centers-drought-water-use/

*Almost a third of the world’s servers are located here in the United States.

(SOURCE:  https://www.usitc.gov/publications/332/executive_briefings/ebot_data_centers_around_the_world.pdf)

But now, we are facing an imminent water crisis, brought on by two fronts:

*The sheer amount of water shortages that are now happening because of global warming and an increased demand for more drinking water by our population.

*The increased number of Cyberattacks against our Critical Infrastructure, namely that of our water supply lines.  More details on these kinds of attacks can be seen at the link below:

https://www.cnn.com/2023/12/01/politics/us-water-utilities-hack/index.html

So now the trick is for datacenters to start to rely upon other means in which to procure their water resources.  Considerations have been given to the options:

*Using sewer water, and even water from the oceans.

*The deployment of more advanced freshwater tracking technologies to get an accurate view of just how much fresh water is actually being consumed.  More information about this can be found at the link below:

https://datacenters.lbl.gov/water-efficiency#:~:text=Key%20best%20practices%20for%20water,Evaluate%20chillers%20for%20replacement

*Procuring grants and other sources of funding from the Federal Government to look at alternate means of using less fresh water, but yet will maintain the current levels of cooling that are needed by a datacenter.  In fact, the Department of Energy) just announced a grant of $40 million in this regard.  Details on this can be seen at the link below:

https://www.energy.gov/articles/doe-announces-40-million-more-efficient-cooling-data-centers

*Building out the datacenters in areas of the United States where the temperature is cooler, and there is an abundant supply of other forms of water, such as water from the Atlantic and Pacific Oceans, or even in the Gulf of Mexico, and the surrounding Great Lakes regions. 

But from the standpoint of Cybersecurity, more effort and initiative has to be taken to shore up the defenses on our water supply lines.  This is not just a local or state issue, rather, this is something that must be addressed and fully funded by the Federal Government.  But it is important to keep in mind that our Critical Infrastructure is made up entirely of technology and equipment that was made back in the 1970s.

In fact, many of the vendors that made these parts are probably no longer in existence.  So, it is not just a matter of ripping out the old stuff and putting new ones in to help solve the Cyber problem.  At the present time,  this simply will not work.  The only option we have is to add more layers of security, but this has to be done very carefully, in order to ensure that whatever is deployed will be interoperable and compatible with the old stuff.

My Thoughts On This:

So now the big question is:  “What if my datacenter runs out of a fresh water supply, or it is hit with a Cyberattack?”  The fundamental answer to this comes down to proper planning.  You need to have an Incident Response Plan, a Disaster Recovery Plan, and a Business Continuity Plan to address this.  Two areas of focus should be:

*Sourcing a secondary source of freshwater for your datacenter in case of any interruptions.

*Beefing up your lines of defenses in case you are indeed hit with a Cyberattack, and your cooling systems were the primary target.

So as you can see, in order for all of this to work, it is going to take a huge partnership with the private and public sectors, and even that of academia in order to make all of this work. But it can happen, over time, which is something we do not have the luxury of right now.

Finally for more details on how our precious water supply systems can be further protected, click on the link below:

https://www.scmagazine.com/perspective/heres-how-we-can-make-water-utilities-more-secure

Sunday, April 7, 2024

The Key Fundamental Cyber Question That Needs To Be Asked And Answered

 


Today’s blog is a little bit different than the others, and yes, that means no AI!!!!  This is an issue that I have addressed many times before, and even in one of the books that I wrote about on Risk and Cybersecurity Insurance.  This is the topic of whether a CISO is really understanding what they get when they purchase a holistic, end to end Cyber based solution.

What got me to this topic was an article that I had read this morning about a Cyber Executive who interviewed many people in the industry to see what kinds of trends exist in their buying patterns.  Here is what he found:

*Not planning the solution in its entirety.  In other words, asking questions and evaluating the product and/or service to make sure that it addresses all of our needs.  In other words, CISOs very often look for curing the symptoms and not the actual cause.  Once they have found something that can do this, they immediately jump at it without thinking clearly if this is what they really need.

*CISOs are often taken aback by all of the bells and whistles that comes with an all-inclusive security package.  For example, if a dashboard looks sleek, that is the catalyst that decides if they will buy or it not.  Or now, the big thing is Generative AI.  If the package comes with it, buy it!

*CISOs very often don’t take a close look at the triaging process and the legitimate warnings and alerts that come through.  Very often, they leave this to their IT Security teams to filter through.  But IMHO, this is the wrong approach to take.  It is this very process that paint the entire picture of what exactly is going on the IT and Network Infrastructure.  It’s like taking aspirin to stop a chest discomfort without seeing the doctor to determine the underlying cause and to see if further action is needed. 

*Another area of key weakness is that CISOs do not adopt and enforce is a software patching process.  Instead, if they even do have a process in place, they often rely on automation which may or may work.

So, what does the author recommend as to how a CISO should make their purchasing decisions?  He starts off with first that an organization needs to have a comprehensive Security Program in place first, which should answer these fundamental questions:

*Examining all current processes for your lines of defenses, and asking this question:  “Why are we using it?  Give me the reasons.”

*Your current strategies for fending off an imminent threat, and how to even deal with those that are lurking about your IT and Network Infrastructure, when you finally discover them.

*How quick is the response time?  This is where the key metrics of the “Meant Time To Detect” and the Mean Time To Respond” become especially critical.

*What are the current methods for Incident Response, Disaster Recovery, and Business Continuity?  Are there even plans in place, and if so, how often have they been rehearsed?

*Who is part of the Incident Response team, and do they know what they need to do if they are called upon during the time of a security breach?

To help the CISO address all of the issues, and even more, he recommends following the Security Framework as outlined by NIST.  It can be downloaded at the link below:

https://www.darkreading.com/cybersecurity-operations/biggest-mistake-security-teams-make-when-buying-tools

He gives his own model for Cybersecurity, which is as follows:

“Program = Tool + People + Processes + Goals”

(SOURCE:  https://www.darkreading.com/cybersecurity-operations/biggest-mistake-security-teams-make-when-buying-tools)

In my writings, I have produced something similar, but with not as many variables in it.  This is as follows:

Great Cyber:  People + Technology

In other words, to have truly effective lines of defense for your business, you cannot rely too much upon one side or the other.  You need both, as the model proposed by the author also suggests.

Towards the end of the article, the author also points out two key areas the CISO also needs to address in crafting their plans.  They are as follows:

1)     Involve everybody:

In Corporate America today, people still think that all issues that are related to technology fall onto the shoulders of the IT Department.  While the proverbial buck does stop here, it is important to remember that each and every employee has to tow their own line for the collective good!!!  In other words, “Cyber Hygiene” is not just left to the IT Department.  Everybody has their role in this, to make sure for example, that they recognize the signs of a Phishing Email and discard it.  Or, creating long and complex passwords with the help of a Password Manager.  It takes all of the employees to fill the cracks!!!

2)     Conduct Risk Assessments:

This is one area in which I have belabored heavily upon.  In order to lay out your Security Framework, you first need to identify all of the vulnerabilities that are present.  Simply put, this means inventorying all of your digital and physical assets, and ranking them on a numerical scale in terms of their degree of vulnerability.  Of course, those with the highest ranking should receive immediate attention, by either putting in new controls or upgrading the existing ones that are in place.  Also, by conducting this kind of Assessment, you will know where all of your security tools lay at, and from there, you can then decide if you really need them or not.  This is called decreasing your Attack Surface, and will enforce the efficient use of the tools.  Remember, by having too many of them, you widen the gap for the Cyberattacker to penetrate into.

My Thoughts On This:

To be honest, I agree with the author on these points.  As a CISO, if you are considering procuring a new solution, ask this basic question:  “Am I really addressing the underlying issue or just the symptom”?  By thinking along these lines, you and your IT Security team will go a lot further in staying ahead of the Cyberattacker.

Sunday, March 31, 2024

Why Hackers Are Now Breaking Their Own "Ethics"

 


It was just yesterday that I was writing a tentative outline for a possible course on Continuing Education (CE), at a nearby Junior College.  The proposed topic is on Penetration Testing, and I even wrote a blurb on the outline as to how Pen Testers are actually “Ethical Hackers”.  If you are new to Cybersecurity, you may be wondering, “OK, what is exactly hacking that is Ethical?”  Well, it does exist, and here is a technical definition for it:

“Ethical hacking is the use of hacking techniques by friendly parties in an attempt to uncover, understand and fix security vulnerabilities in a network or computer system.”

(SOURCE:  https://www.ibm.com/topics/ethical-hacking)

So as you can see from the above definition, the operative word is “friendly”.  In the world of Penetration Testing, the guys that do the actual hacking belong to what is known as the “Red Team”.  But they can only carry out their planned hacks with explicit and written consent for the client that they are doing it for.  But this now brings up another key point.

Even with the traditional “bad guy” hackers, there used to evolve a code of “Ethics” as well.  Hacking has been around since the 1960s, and since then, a certain code of cadence was created.  Examples of this include the following:

*Any entity that involved healthcare, and the delivery of life saving services, were completely of limits.  This means primarily hospitals and ERS.

*Critical Infrastructure could not be touched.  If it were to be, it would be considered an act of war by the impacted country, with the repercussions unthinkable (perhaps even a nuclear war).  But it is important to keep in mind here that Cyberattackers are pushing the envelope as far as they can, with the prime example being that of the Colonial Gas Pipeline attack.  Although the actual pipeline was not affected, it did affect the financial markets and the supply chain in a cascading effect.

More details on this can be seen at the link below:

https://www.cisa.gov/news-events/news/attack-colonial-pipeline-what-weve-learned-what-weve-done-over-past-two-years

*Individuals and businesses that were going to become a victim could only be hit once, and not anymore. 

*The COVID-19 pandemic also ushered in a new era of “bad guy” hacker Ethics, especially in the way of not targeting testing places and those entities providing the much-needed vaccinations.

But after the pandemic eroded away (it is still technically here, though), the rules of “Ethical Hacking” by the Cyberattacker has changed greatly. This has been brought up a lot by the covertness, stealthiness, and sophistication of Ransomware attacks.  For example, we are not just seeing computers being locked up and files encrypted, we are now seeing it in its worst form ever.  This includes the selling of PII datasets on the Dark Web and conducting Extortion like Attacks.

A lot of the disappearance of a kind of good gestures in “bad guy” hacking has been catalyzed by two main factors:

1)     The increased interconnectivity with just about everything (primarily brought on by the IoT).

2)     The advent of Generative AI.

In my own view, it is the latter which is the dominant force here.  For example, a Cyberattacker can easily create the source code for crafting a piece of malicious payload that can be deployed to launch a Supply Chain Attack (like the Solar Winds hack), or even use it to create a Phishing Email that it is almost impossible to tell the difference between a real one a fake one. 

Another unfortunate catalyst driving this new trend is the fact that many of the hackers are now getting much younger in age.  In fact, with so much that is available online and on the Dark Web, even a novice still in junior high school and rent a service called “Ransomware as a Service”, and have a third party launch a devastating attack for literally pennies on the dollar.

Also in the hacking circles, it has even become a badge of honor to attack high value targets, such as companies that are in the Fortune 500.  In fact, the Cyberattackers in this regard have become so brazen that will even leverage the media to their own benefit in order to fully advertise what they have done.  In a horrible sense, this is how a Cyberattacker adds to their “resume”.  More details on this can be seen at the link below:

https://www.darkreading.com/threat-intelligence/ransomware-gangs-pr-charm-offensive-pressure-victims

But this has also led to the take down of the more traditional Ransomware groups, such as “Black Cat”.  Heck, even Cyberattackers are snitching on their own brand so that they can remain at the top of the hacking list, with the “best reputation” that is possible.  More information about this can be found at the link below:

https://www.darkreading.com/cybersecurity-operations/feds-snarl-alphv-blackcat-ransomware-operation

My Thoughts On This:

Back in the day, hacking simply meant that somebody would just break into a computer system just to see what it contained, it was just a “curiosity” based attack.  But as it has been described in this blog, this is no longer the case.  Going into the future, just simply expect the worst.  Things will not get any better.  The more that you try to fortify your systems, the more the Cyberattacker is going to pound on your door.

For more information on what is expected in the way of hacks for 2024, click on the link below:

http://cyberresources.solutions/blogs/2024_Hacks.pdf

How To Quell The Fears Of Generative AI: The Steering Committee

  As this world, and especially here in the United States dives deeper into AI, and especially that of Generative AI, many people are still ...