Sunday, October 31, 2021

Is The Circles Of Trust The Replacement For The Zero Trust Framework?

Introduction

In the world of Cybersecurity today, one of the biggest issues that has come about is to what degree you should trust an individual who is accessing the digital assets that reside in your IT Infrastructure.  It all comes down to confirming, without a shadow of a doubt, the identity of the individual that is going to access your shared network resources.

The concept of a so-called Zero Trust Model has started to make ripples, but the main flaw with this is that you are presumably trusting nobody at first.

While this may sound great in theory, when it comes to applying this to real world situations, it is almost impossible to do.  The problem is that even with this kind of approach, there could always be some issue of trust, no matter how many layers of authentication that individual has gone through.

Therefore, there has to be some degree of implicit trust in the people who will gain access to your digital assets.  This is where the Circle of Trust Model comes into play, and it is the focal point of this article.

The Concept of the Circle of Trust

This model creates a series of barriers: where each circle is drawn depends upon the level of trust placed at that point, which in turn determines what kinds of data will be shared. Imagine these circles being implemented inside your IT Infrastructure as follows:


As can be seen from the above illustration, the First Layer involves just a baseline of trust.  In this situation, the individual must be fully authenticated with all of the mechanisms that are available.  In this instance, no access can be given to any shared network resources, even if the data is deemed to be non-proprietary in nature.  In the Second Layer, 50% trust has now been established, because he or she has been more or less fully vetted by getting through the First Layer.  In this scenario, the person can then gain access to those shared resources that contain an equal combination of both non-proprietary and proprietary data.

Finally, in the Third Layer, after being further scrutinized by more defense mechanisms, the individual will now have access to 100% (or at least most) of the proprietary data that the company has in its databases.  At this juncture, the highest level of trust has been placed upon them.

It is important to keep in mind that the above illustration is just a very simplistic view of the concept of the Circles of Trust.  There will of course be many more circles that can be incorporated, but this all depends upon what your security requirements are, and if you also want to impose even more varying Layers of Trust.

In other words, it won’t be as cut and dried as a three step process.  For example, you will obviously first start with a baseline of trust.  Then that may increase in only incremental levels until the individual has reached the plateau of an intermediate level of trust.  Then, you may even deploy further degrees of trust, because after all, once they have reached the third level, you are almost trusting him or her without any question at all.
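As an added example that is not part of the original post, here is a small policy evaluator for the layered model described above, generalised to any number of circles: each circle requires every control of the inner circles plus its own, each data classification names the minimum circle it needs, and anything without a classification policy is denied.  The control names, classifications and subjects are constructed for the example.

```python
"""Circles of Trust as a tiered access policy (illustrative, not the article's code).

Each circle requires every control of the circles before it plus its own, so trust
only grows incrementally. Each data classification names the minimum circle a
subject must have reached. Anything not explicitly allowed is denied.
Control names, classifications and subjects are constructed for this example.
"""
from dataclasses import dataclass, field

# Ordered from the outermost circle (baseline) inward. A subject reaches layer N
# only after satisfying the controls of layers 1..N.
CIRCLE_CONTROLS = [
    {"password", "mfa"},                  # Layer 1: baseline, fully authenticated, no data access
    {"device_posture"},                   # Layer 2: adds a managed-device check
    {"step_up_mfa", "manager_approval"},  # Layer 3: adds step-up auth and human approval
]

# Minimum circle needed for each classification. Layer 1 grants no data at all,
# matching the article: baseline trust alone does not unlock even public data.
MIN_LAYER_FOR = {
    "non_proprietary": 2,
    "proprietary": 3,
}


@dataclass
class Subject:
    name: str
    passed_controls: set = field(default_factory=set)


def trust_layer(subject: Subject, circles=CIRCLE_CONTROLS) -> int:
    """Highest circle whose controls (and all inner ones) the subject has passed.

    Returns 0 when even the baseline is not met. Stops at the first gap, so a
    subject cannot skip a circle by passing only inner-circle controls.
    """
    reached = 0
    for required in circles:
        if required <= subject.passed_controls:
            reached += 1
        else:
            break
    return reached


def decide(subject: Subject, classification: str) -> tuple:
    """Return (allowed, reason). Unknown classifications are denied by default."""
    layer = trust_layer(subject)
    needed = MIN_LAYER_FOR.get(classification)
    if needed is None:
        return False, f"{classification!r} has no classification policy; deny by default"
    if layer >= needed:
        return True, f"layer {layer} >= {needed} required for {classification}"
    return False, f"layer {layer} < {needed} required for {classification}"


def demo():
    """Run four constructed subjects against three resource classifications."""
    alice = Subject("alice", {"password", "mfa"})
    bob = Subject("bob", {"password", "mfa", "device_posture"})
    carol = Subject("carol", {"password", "mfa", "device_posture",
                              "step_up_mfa", "manager_approval"})
    # skipper passed inner-circle controls but never the baseline MFA: layer 0
    skipper = Subject("skipper", {"password", "device_posture",
                                  "step_up_mfa", "manager_approval"})
    results = {}
    for s in (alice, bob, carol, skipper):
        for cls in ("non_proprietary", "proprietary", "unclassified_export"):
            allowed, reason = decide(s, cls)
            results[(s.name, cls)] = allowed
            print(f"{s.name:8} {cls:20} {'ALLOW' if allowed else 'DENY ':5} ({reason})")
    return results


if __name__ == "__main__":
    demo()
```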

The Circles of Trust model also underscores one fundamental and extremely important rule in Cybersecurity:  It is very important to have more than one line of defense, as is exemplified by the three circles up above.  For example, although the word “trust” has been associated with them, they also imply that a business is going to install at least three layers of defense, and probably even more.

So, another way to view the Circles of Trust is to consider them as a multi-tiered security model.  For example, if a Cyberattacker were to break through the first circle, then the statistical probability that they will break through the second and even the third circles becomes substantially lower.

Still, there is always that chance a Cyberattacker can still break through all layers of defenses.  The only thing that can be done is mitigating that risk as much as possible. Deploying this kind of approach takes a multitude of security technologies, which are further described in the next section.

What Are the Security Tools That Are Needed?

When it comes to implementing this kind of multi-tiered approach, there are numerous tools out there that a business can deploy, but some of the more common ones are as follows:

1) The Firewall:

This kind of technology has advanced to the point where there are now differing kinds of them, which include:

*Proxy Firewalls;

*Stateful Inspection Firewalls;

*Unified Threat Management (UTM) Firewalls;

*Next Generation Firewalls (NGFWs).

On a fundamental level, the Firewall carefully examines all data packets that are inbound to and outbound from the IT Infrastructure.  Its primary goal is to track down and intercept those data packets that are deemed to be malicious in nature, and to prevent them from entering into the Circles of Trust at the very first layer.  This is typically done by using a set of pre-established rules which have been set forth by the network administrator.  Firewalls have been a trusted means of defense for quite a long time, going back as far as 25 years.  The most common notion of a Firewall is that they are simply hardware devices, but they can also be software based as well.

2) Routers:

A router serves the same function as a firewall, but it also adds one more component:  Its other primary role is to forward the data packets in the most optimal and efficient manner possible so that they reach their final destination in the shortest time possible, without causing any kind of network congestion.  In other words, in the real world, a data packet simply does not arrive at its final destination in one fell swoop.  Depending upon how the network topology is laid out, data packets typically go from one router to another.  The specific route that these data packets take is primarily dependent upon the Access Control Lists that have been set forth by the network administrator.

3) Intrusion Detection Systems:

This kind of security tool is often referred to as an “IDS”, and there are two main types:

*The Network Intrusion Devices (aka “NIDs”);

*The Host-based Intrusion Detection System (aka “HIDs”).

The first is used to analyze the flow of network traffic to and from the IT Infrastructure, and the second is typically used to inspect the critical files of a server based operating system.  But whichever one is used, the primary advantage of using them is that they can be easily connected to a SIEM, which stands for “Security Information and Event Management” system.  This can be used to alert the IT Security team of any abnormal or anomalous network traffic patterns that take place.  The SIEM can also be used to filter out false positives and only present the legitimate threat warnings and alerts.

4) Virtual Private Networks (VPNs):

This is what is used most typically when connecting from a remote location to the IT Infrastructure.  With this, a private (as well as secure) network communications flow is established over the public Internet.  The VPN will literally mask your IP Address, so that your traffic cannot be easily intercepted by a malicious third party.  Also, as a further layer of protection, the data packet payload is encapsulated, or wrapped into, another data packet.

5) Endpoint Security:

This is a crucial area in the Circles of Trust that needs to be fortified.  Many businesses have ignored this, and have typically focused upon securing only the network lines of communications.  With this, both the point of origination (which is the device of the end user) and the point of destination (which is the corporate server) are further protected by using either a firewall, router, or an intrusion detection device, or perhaps even a combination of all three.  These can all be either hardware or software based.

Conclusions

Overall, this article has examined in closer detail the model of the Circles of Trust, and the security technologies that can be used in it.  Where to put them exactly in the Circles of Trust is once again largely dependent upon your security requirements. 

But, there is one thing to keep in mind:  Simply deploying these tools in large numbers is not the answer.  This can become quite costly, and even increase the attack surface for the Cyberattacker.

Therefore, it is very important to conduct a Risk Analysis first, in order to determine where they should be strategically placed instead.

Sources

1) https://www.cisco.com/c/en/us/products/security/firewalls/what-is-a-firewall.html

2) https://www.forcepoint.com/cyber-edu/endpoint-security

Saturday, October 30, 2021

How To Write The Perfect Cyber Job Description - 5 Golden Keys To Success

There is one thing that we keep hearing about today in the world of Cybersecurity:  The worker shortage, and the total number of jobs that need to be filled.  I have written about this before, and of course, this is no easy topic that can be tackled in one fell swoop.

It’s not just here in the United States, but countries worldwide are facing the same problem.

I can’t speak for these other countries, but I can speak about what is going on here.  The bottom line is that the hiring managers are just too damned picky in what they want in terms of experience.  It’s not to say that having experience is important, but the line here is really being stretched. 

Because of this, there are a lot of good candidates that are simply being swept aside.

This all comes down to the Job Description also affectionately known in the recruiting world as the “JD”.  This is where you spell out the requirements that are needed for the job, or perhaps skills that you could pick up later down the road.  Many recruiters are now starting to realize the importance of how to craft the language of the JD, so here are some tips that perhaps you can use:

1) Keep it broad:

For most Cyber jobs, there is no need to do a deep dive of all the technical details that are needed.  Forget about the years of technology experience that are required (heck, by the time you post the JD on a career site the chances are that it has already become outdated).  Instead, create an image of the job that will draw in candidates, and yes, forget about the certs.  In the end, what do they really mean?  Seriously?  Stay focused on skills that can be transferred.  Keep in mind this rule of thumb:  For every hard-core requirement you come up with, your candidate pool will diminish by at least 80%.

2) Create an accurate JD:

Let’s face it, the world of Cybersecurity is a huge one, with many specialties that one could choose from.  So, when you write up your JD, try to make it as accurate as you can in terms of what the daily tasks will be.  And make the job title reflective of that as well.  In other words, make that accurate too.  A perfect example of this is the title of “Cybersecurity Analyst”.  This has been used for so many JDs that it is crazy.  In fact, just recently, I saw this title being used for a Pen Testing position. So, if you are looking for a Pen Tester, then put in the JD the title of Pen Tester.  And don’t forget to mention salary, hourly rates, benefits, etc.  Also, if you are looking for specific technological skills, then you need to mention that as well.  But don’t get hung up on just that.  Also put an emphasis on the soft skills that will be needed for the job, as Cybersecurity in the end comes down to the ability to communicate effectively and work well in teams and groups.

3) Don’t let just anybody create the JD:

In today’s busy and digital world, it is always easy to pass on work to the next person.  Heck, even I can get lazy at times as well.  But don’t do this when creating the JD for a Cyber job.  The hiring manager should be doing this, as this person will know best what the job will entail.  Never hand it off to an HR person, as they will have no idea how to create it, as they are not experienced in this area.  Instead, take the time to create the JD in your own language, and please, avoid using those templates!!!  After you are done, then have a member of your IT Security team take a look at it for a second, or even a third opinion.

4) Be descriptive on training:

The one thing that job candidates will always want to know about is what kind of training you are willing to provide to them, and of course, if you will pay for it.  There is nothing wrong with asking this, IMHO.  To me, it means that the candidate is serious about their career and wants to advance it as far as they can through the proper educational mechanisms.  So don’t be afraid to mention those areas in which you will offer training.  Look, in the end you will never get the cookie-cutter candidate, and I am telling you this from my own experience.  And also, if you mention that you are offering training to some degree or another, you will probably even draw a better pool of candidates.

5) Drop the mystery of Cyber:

Unfortunately for the industry, we are marked with the image of the person sitting in a hoodie in a dark room hunched over a computer.  It is important to break away from this mold.  Try to avoid that image in the JD that you create, and keep it as clear and down to earth as possible.  Remember, not every job in Cyber carries this image (except for maybe the Pen Testing ones).  Cyber professionals are just normal everyday people who want to help protect the American society that we live in today.  So try to make your JD fit that mold.

My Thoughts On This:

Hopefully these few ideas will help you to create a better Cyber JD.  It’s not an easy task, but we need to fill the worker shortage ASAP, before the Threat Landscape becomes so complex that we will not even know where to begin.  Also, give your candidates a chance. 

They will not have everything that you are looking for, but focus on those transferable skills, and use them to your advantage not only for your company, but also for your newly hired employees as well.

Obviously, there is no guarantee that they will stay or not, but the fact that you will be taking an interest in their career development should yield dividends in the end.

Sunday, October 24, 2021

Ransomware 101: To Pay Or Not To Pay???

As we have been hearing in the news headlines, Ransomware is the most prevalent threat vector that we have today.  Not only has it gotten worse, but it is expected to continue further down this path well into next year. 

Many Cyber experts now fear a possible Ransomware attack upon our Critical Infrastructure, in which a Cyberattacker literally holds a major US hostage for days on end, with no water, electricity, or oil/gas, thus starving people to death.

Now the question comes down to whether the actual Ransom should be paid.  This is a topic that I have addressed before, and I still stand firm on what I believe in.  I will reveal that at the end of this blog.  Given just how fierce it has become, many victims now feel compelled to pay up in order to get their normal business operations up and running again.

According to a recent research project that was conducted by Veritas, 66% of businesses claimed that it would take at least five business days or more to restore operations back to some normalcy.  Obviously, this is downtime that no business can afford, so the next best option is to merely pay off the Ransom.  More information about this can be seen at the following source:

https://www.techrepublic.com/article/66-of-companies-say-it-would-take-5-or-more-days-to-fully-recover-from-a-ransomware-attack-ransom-not-paid/

But this only fuels the cycle for this madness to continue:

*The Cyberattacker deploys the Malware to essentially lock up the files and the devices of the victim;

*The victim is totally paralyzed by this, and decides to make payment via a Virtual Currency, such as that of Bitcoin.  This is done so that the Cyberattacker cannot be tracked down. 

*This payment is then used to fuel the fire for other attacks like this to happen.

But in some cases, the attack could be so devastating that the victim really feels that they have no choice but to pay up.  This is best exemplified when the Cyberattacker threatens to make the PII datasets of the company available to the public, or even sell them on the Dark Web for a rather nice sum of money.  These extremes of extortion have gone even deeper than this.

In an effort to help stop this vicious cycle from happening all of the time, the Department of Treasury back in September announced a new set of rules that would require public reporting by any victim that did pay the Ransom.  In fact, they had even taken steps to make paying up the Cyberattacker a crime, or even a felony of treason.  But as far as I know, not much of that has actually become law yet.

In fact, the City of Baltimore made news when it was hit by a rather massive Ransomware attack.  Rather than merely coughing up the $76,000 that was demanded of them, the City refused to pay up. Because of this, more than $18.2 billion was spent in trying to rebuild what was taken over by the malicious payload.

More information about this nefarious attack can be seen at the links below:

https://www.darkreading.com/endpoint/baltimore-city-network-struck-with-ransomware-attack

https://www.darkreading.com/attacks-breaches/baltimore-reportedly-had-no-data-backup-process-for-many-systems

Before trying to make paying Ransomware demands illegal, or even punishable by law, we first need to take a closer look at what is causing these attacks to take place to begin with.

Apart from the financial gain of it, many Cyberattackers target their victims because they know they are weak, primarily because they don’t have all of the required security tools or technologies in place.  But remember, it takes more than technology to have a great line of defense.

It also takes every employee in the business to have a proactive mindset.  This means if you see something suspicious, report it immediately.  Don’t take any action whatsoever; leave that up to the pros on the IT Security team.  This also means having a hotline through which abnormal behavior can be reported anonymously on a 24 X 7 X 365 basis.

Being proactive means training your employees on what Ransomware is, and the signs to look out for in case they see any red flags popping up. This definition also extends to the IT Security team.  Give them the tools that they need in order to react in a timely manner to any sort of Ransomware threat that may be looming on the horizon.

This also means that the C-Suite needs to give the CISO the money that they need in order to accomplish this task.

To put it bluntly, this will all impact the Earnings Per Share (EPS), which no CEO wants to see happen to the company that they are at the helm of.  Being proactive also means that your business has the proper Incident Response/Disaster Recovery/Business Continuity Plans in place and is ready to activate them when and as needed.  In fact, this was one of the key lessons learned from the COVID19 pandemic.

My Thoughts On This

So at the beginning of this blog, I had mentioned where I stand on all of this.  My answer is, and always will be, to never make payment of any kind whatsoever.  Why do I say this?  It all comes down to putting the brakes on this madness somewhere, somehow.

If we do not pay the Cyberattacker, they will simply lose the motivation to launch similar kinds of threat variants.  But by paying them, we are only fueling the fire for more innocent victims to be affected.

Although people might disagree with me, one of the best lines of defense is to make backups of all of your mission critical information and data.  That way, if you are hit, you can come back to some reasonable level of operations hopefully in a quick manner. 

Also, consider migrating your On Premises Infrastructure to the Cloud, such as AWS or Microsoft Azure.  That way, if you are even hit at this level, you can create new database servers and Virtual Machines (VMs) in a matter of five minutes or less. Think about all of the time, expense, and effort it would take to restore your servers if you have an On Prem Infrastructure.

Believe it or not, there have even been documented instances in which, after the ransom payment was made, the Cyberattacker actually complied with their end of the deal and released the decryption keys so that the victim could get access back to their files and devices. But don’t count on this happening all the time.

Also, newer ways of tracking the Virtual Payments after they have been made would also help quite a bit in the attribution process of finding the perpetrators.

Just think about all of this in this context:  Back in the Reagan Administration, and even up to now, the mantra has always been never to negotiate with terrorists. So why can’t we do the same thing with the Cyberattacker???

Saturday, October 23, 2021

3 Ways In Which An IC Board Can Be Hijacked & Used In A Cyberattack

The recent SolarWinds attack highlighted one very important trend that is occurring now in the Cyber Threat Landscape:  Supply chain attacks.  When one first hears this term, images of Cyberattacks on logistics companies such as FedEx or UPS often come to mind.

But what I really mean is that in these instances, all the Cyberattacker needs to do is literally find one weak spot, exploit that, and from there, deliver the malicious payload to thousands of victims.

In the case of SolarWinds, the Cyberattacker group was able to infiltrate through the weaknesses that persisted in one of their remote tools, and as its customers started to download the latest version, they were totally impacted by the malware.

In fact, there were many victims in this scenario, ranging from some of the major agencies in the Federal Government to some of the largest of the Fortune 500 companies.

In fact, the finding of this increased trend has been further substantiated by a recent study that was conducted by the Identity Theft Resource Center, also known as the “ITRC”.  Their research project is entitled “ITRC 2020 Data Breach Report”, and it was discovered that there was at least a 42% increase in the total number of supply chain attacks in the first quarter of this year than ever before.

But now that breaking into digital assets seems to be the norm, and knowing that those assets are being more closely watched, the Cyberattacker of today is going after something that is not so well protected.

According to this report, they are trying to infiltrate the actual hardware itself, focusing upon the legacy systems of Critical Infrastructure, on a scale of devastation that could far surpass that of the Colonial Gas Pipeline attack.

How is this being done?  It is being done in the firmware itself, and this has become technically known as “Extensible Firmware Interface”, or “EFI”, Cyberattacks.  Here are three plausible scenarios that are quite likely to happen:

*IC Cloning:

This merely refers to the integrated circuit boards that reside in your workstation, wireless device, or even your smartphone.  The good news here is that this sort of technology is advancing on a daily basis, and in fact, has really become quite complex in nature.  Thus, it makes no sense for the Cyberattacker to target these items, because by the time they figure one out, the technology has progressed to the next level of sophistication.  But this does not mean that the integrated circuit boards of legacy-based systems cannot be a target.  For instance, when the Critical Infrastructure was being built out in the 60s, 70s and even the 80s, the thought of a Cyberattack never crossed anybody’s mind.  Rather, the main security concern back then was the physical access side of things, such as an impostor gaining access to the controls.  Thus, there is really no security per se on these systems, which makes them such an easy target.  Even if a company were to attempt to secure them from Cyberattacks, it is no easy proposition to undertake.  The integrated circuit boards are deeply embedded with the other hardware of the Critical Infrastructure, and because of that, you simply cannot rip them out and put new ones in.  Also, trying to implement newer layers of security tools on them is a dicey issue, as there will have to be a very strong level of interaction between those tools and the integrated circuit board that is being used.

*The degradation of the signing key:

This is actually part of the encryption process, and it is used widely in order to confirm that the message that has been sent from the point of origination to the point of destination has indeed remained intact, and has not been altered or changed in any way, shape, or form. While this process is deemed to be secure enough, the keys that are used are still at grave risk of being heisted by a Cyberattacker and compromised in such a way that a piece of malicious software can still look legitimate and safe to the end user.  In fact, this is in part how the SolarWinds attack actually took place.  This sort of integrity checking mechanism has traditionally been used for the protection of digital assets, but it can also be used for hardware components in the Critical Infrastructure.  As a result, one of the fail-safes that has been implemented is that if one of the keys has been compromised in any way, then the other key that was used must be revoked, or put in simpler terms, should “self-destruct”.  However, this is rarely tested on a real-time basis, and because of that, if it were ever to be used in an integrated circuit board setting, it could take a very long time (we are talking weeks here) before such a breach would ever be noticed.
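As an added example, not the article’s own code, here is a verifier for signed update images whose revocation check runs before the signature check, together with a drill that exercises the revocation fail-safe the paragraph says is rarely tested.  HMAC-SHA256 stands in for the asymmetric signature scheme so that it runs on the Python standard library alone; the keys, key IDs and image bytes are constructed for the example.

```python
"""Signed-update verification with a key revocation fail-safe (added example, not
from the article). HMAC-SHA256 stands in for the asymmetric signature primitive
so this runs with the standard library alone; the point demonstrated is that a
signature which is cryptographically valid must still be rejected once its key is
revoked, and that the revocation path is exercised routinely in a drill rather than
only on the day a real compromise happens. Keys, key IDs and image bytes are
constructed for this example.
"""
import hashlib
import hmac
import time


def key_id(key: bytes) -> str:
    """Short identifier derived from the key material, used to look up trust status."""
    return hashlib.sha256(key).hexdigest()[:16]


def sign(key: bytes, image: bytes) -> bytes:
    """Stand-in for the vendor's signing operation (HMAC, not a real asymmetric scheme)."""
    return hmac.new(key, image, hashlib.sha256).digest()


class Verifier:
    """Tracks trusted and revoked signing keys and verifies update images."""

    def __init__(self):
        self._trusted = {}   # key_id -> key material
        self._revoked = {}   # key_id -> epoch seconds when revoked
        self.events = []     # audit trail, the kind of record a SIEM would ingest

    def trust(self, key: bytes) -> str:
        kid = key_id(key)
        self._trusted[kid] = key
        return kid

    def revoke(self, kid: str, reason: str) -> None:
        """Revocation is recorded permanently; a revoked key never becomes trusted again."""
        self._revoked[kid] = time.time()
        self._trusted.pop(kid, None)
        self.events.append(("revoked", kid, reason))

    def verify(self, kid: str, image: bytes, signature: bytes) -> tuple:
        """Return (ok, reason). Revocation is checked before the signature math, so a
        valid signature under a compromised key is never accepted."""
        if kid in self._revoked:
            self.events.append(("rejected_revoked_key", kid))
            return False, "signing key revoked"
        key = self._trusted.get(kid)
        if key is None:
            self.events.append(("rejected_unknown_key", kid))
            return False, "signing key not trusted"
        if not hmac.compare_digest(sign(key, image), signature):
            self.events.append(("rejected_bad_signature", kid))
            return False, "signature does not match image"
        self.events.append(("accepted", kid))
        return True, "ok"


def revocation_drill(verifier: Verifier) -> bool:
    """Exercise the fail-safe on a throwaway key, so a broken revocation path is
    found during a scheduled drill instead of weeks after a real compromise."""
    drill_key = b"drill-key-constructed-" + str(time.time_ns()).encode()
    image = b"drill image (constructed)"
    kid = verifier.trust(drill_key)
    sig = sign(drill_key, image)
    ok_before, _ = verifier.verify(kid, image, sig)
    verifier.revoke(kid, "scheduled drill")
    ok_after, _ = verifier.verify(kid, image, sig)
    # The drill passes only if the key worked before revocation and is refused after.
    return ok_before and not ok_after


def demo():
    """Genuine image, tampered image, revoked key, then the drill."""
    v = Verifier()
    vendor_key = b"vendor-release-key-constructed"
    kid = v.trust(vendor_key)
    image = b"firmware v1.2 (constructed bytes)"
    sig = sign(vendor_key, image)
    results = {"genuine": v.verify(kid, image, sig)[0]}
    # Tampered image: same trusted key, altered bytes
    results["tampered"] = v.verify(kid, image + b"\x00", sig)[0]
    # Key reported stolen: revoke it, after which the still-valid signature must fail
    v.revoke(kid, "key reported compromised")
    results["after_revocation"] = v.verify(kid, image, sig)[0]
    results["drill"] = revocation_drill(v)
    for name, ok in results.items():
        print(f"{name:17} {'ACCEPT' if ok else 'REJECT'}")
    return results


if __name__ == "__main__":
    demo()
```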

*The threat of an insider attack:

I have written about this topic many a time before in previous blogs.  The bottom line is that this kind of Cyberattack is extremely hard to detect until it is too late.  You can screen and vet all of your employees as much as you think is necessary, but there is no guarantee that a disgruntled employee won’t cause serious damage to your legacy-based systems, especially your integrated circuit boards.  But of course, this also hinges on the fact that they have to really know what they are doing, and are launching their attack in phases, in a covert manner.  Also, there is a huge fine line that has to be walked here, as you do not want to spread paranoia in your company that “Big Brother” is watching.  Because of this, many firms are now opting to implement the Zero Trust Framework, in which absolutely nobody can be trusted until they are completely verified and authenticated.  In this regard, probably one of the best lines of defense that you can implement is to deploy a 24 X 7 X 365 hotline, through which suspicious or abnormal behavior can be reported in an anonymous fashion.

My Thoughts On This:

IMHO, attacks on Critical Infrastructure are only going to get much worse than what we have already seen.  We really need to take the time to deploy some sort of protective layers on them.  But this does not mean that we do things in a haphazard fashion.  Every layer of security must first be tested in a sandboxed environment before it is released into the production environment.

If this is not followed, more mayhem and fallout could happen because the interoperability simply did not exist, thus making a grave situation even worse by giving the Cyberattacker newer avenues through which to infiltrate the legacy-based integrated circuit board.

Sunday, October 17, 2021

The Importance Of Delivering The Right Message In Your Cyber Awareness Training Programs

Once the COVID19 pandemic hit at full throttle back in March of 2020, IT Security teams and employees were scrambling fast to adapt to the new WFH model.  But as time went on, and things started to smooth out a little bit, one of the key mantras in Cyber still continued, and that was Employee Awareness Training.

Of course, with everybody working at different hours and Zoombombing taking its full effect, no company in its right mind could really give any sort of training.

But as that too dissipated, CISOs started to come to grips with the new norm and started to begin this training once again.  One key thing that they also understood is that teaching employees what to do and what not to do is not a one size fits all kind of thing.

Training has to be unique, different, interesting, and above all, fit their needs.

In other words, just as dynamic as the Cyber Threat Landscape has become, so too has Employee Awareness Training.  This is a topic that people have not paid too much attention to in the headlines, because of the sheer rash of Ransomware attacks that have taken place. 

But as we start to wind down Q4 of this year, it is important to tweak your overall messaging so it fits the current time. 

Here are some key tips:

1) Try to understand why employees do what they do:

What I mean here is that despite knowing what a Phishing Email could potentially look like, employees still click on malicious links and/or download attachments that could contain viruses and other forms of malware.  So rather than scolding them, which gets nowhere, try to get into their shoes and explain to them the importance of simply deleting suspicious looking Emails and reporting them to the IT Security team. Explain the importance of using password managers, and how it will not only protect the company, but even their jobs as well.  But even more important, you also need to explain the key factors in what the IT Security team is looking for when it comes to identifying suspicious behavior. Teach the following as well:

*The importance of password requirements;

*Not using the same passwords over and over again;

*Why there is a cap on the total number of failed logins;

*Reviewing user access to systems and applications that make use of PII datasets;

*When and where alerts are used.

2) Explain what it is all about:

Whenever you are trying to discuss a threat variant in the training, don’t just gloss over it.  Tell your employees what it is all about.  Probably the best example here is that of Ransomware.  Instead of simply saying that it is just another piece of malware (which it is), teach them what really happens, and the aftereffects that can take place, such as locked files and wireless devices, how the PII datasets are sold on the Dark Web, and worse yet, explain to them also the new technique that is used by the Cyberattacker – Extortion.  Perhaps putting in a little bit of a fear factor will make them realize just how important maintaining a good level of Cyber Hygiene really is.  Heck, even do a deeper dive and explain how the IT Security team looks for such things as malformed data entering and leaving the IT infrastructure, as these are telltale signs of a possible Ransomware attack.

3) The importance of Endpoint Security:

This is a topic that I think I have written about previously in some detail in other blogs.  But long story short, these are the traditional points of origination and destination when a line of network communications has been established between the company servers and your wireless device, and also vice versa.  Most businesses have only been concerned with protecting the information/data that has been transmitted, and not these so-called Endpoints.  Because of this, the Cyberattacker has started to hang out in these areas in a very covert fashion, ready to move when the timing is right, especially in a lateral fashion. Obviously, there is not really too much the employee can do to help safeguard the Endpoints; it is really the job of the IT Security team.  But in this regard, it is very important to explain to them what this is all about, and what your team is doing to secure these Endpoints at the present time.  This includes how software versioning is used, how the latest firmware and software patches/upgrades are applied, how alerts are filtered through from the Network Intrusion Devices (NIDs), etc.  By shedding light on this aspect as well, employees will come to appreciate all the hard work that it takes to protect the digital assets of your company, and hopefully this will instill in them a greater sense of urgency to maintain good levels of Cyber Hygiene.

4) Doing work outside of the home:

Humans are social creatures by design, and there are times when they will feel like working outside of the home, such as at a Starbucks or Panera Bread.  In these cases, remind them not to use the public Wi-Fi that is offered at these places.  Remind them to instead use their wireless device as a hotspot, because this is encrypted and makes use of a much stronger password.  Also tell them to never use their own devices at these public places; always use company issued devices.  Finally, also remind them of Social Engineering.  For example, there could literally be a Cyberattacker sitting just two feet away from them with a network sniffer in their pocket, capturing all of the data packets that are being transmitted to and from your employee’s device.  And if they ever have to travel, remind them of the importance of checking that where they are staying also supports the usage of VPN technology.

My Thoughts On This

One key thing in these training programs is, once again, to use the tactic of fear to jolt your employees a bit.  Simply tell them that the total number of Cyberattacks is not going to go away; in fact, it is increasing, and it is expected that this will be the case even going into 2022.  This can be seen from the illustration below:


(SOURCE:  https://www.darkreading.com/attacks-breaches/north-american-orgs-experience-497-attacks-per-week-on-average-currently)

I will review this in much more detail in a future blog.  You should also explain to the employees in your company what further steps the IT Security team is taking to fortify the lines of defense:

*Blocking access to websites that have suspicious IP addresses at the point of origination;

*Taking new steps to block the installation of unapproved software apps onto company issued devices (this is also known as “Shadow Management”);

*Using rules in firewalls and routers to ensure that only HTTPS based connections are permitted.

Remember, you should not just rely upon the HR department to deliver this kind of training.  It also takes a strong level of cooperation from the IT Security team to deliver a great training product.  So as we wrap up, you may be asking what Employee Awareness Training should look like for 2022.  Well, once we reach that point, I will tell you.  But for sure, once again, Ransomware will be a key chunk of it.


Saturday, October 16, 2021

To The SMB Owner: Why You Need To Understand The Importance Of SSL Certificates

 


Apart from the key products and services that you are offering to your existing customers and prospects, image plays a very important role.  Yea, as business owners, we want that fancy website that looks better than everybody else’s, with the fancy designs, logos, online store, etc.  But all of this does not mean anything if your online presence is not secure.

There are many ways in which a website can be made secure, ranging all the way from writing and compiling secure source code, to making sure that your database is secure if it is going to hold the PII datasets of your customers (like credit card information, contact info, etc.). 

But one obvious one, and which will stand out more, is the locked padlock and the “HTTPS” that appears in front of your domain name in the address bar once end users visit it.

If they don’t see it, there are pretty high chances that they will immediately close out their Web browser, given the times that we live in today.  And of course, this will be the first glaring red flag that they will remember about your business, so you do not want to risk this.

In the end, it all comes down to implementing the needed SSL certificates.  These are very affordable these days, and you can choose how long you want them to last, ranging from one to five years.  But keep in mind that if you choose a longer lifespan, you are going to pay more.

That is why most SMB owners go for the cheapest route possible, which is paying for the one-year lifetime.

Now the problem arises: suppose you have multiple websites, each with just that one-year lifespan.  How do you keep track of which SSL certificate needs to be renewed when?  Under most circumstances, your ISP should be emailing you notifications, if you have elected for that kind of option.  But you, the SMB owner, need to take a proactive role as well, in case you do miss an email or it just never comes through.

Here are some quick tips on how to do this:

1)     Have a defined process in place:

Just as much as people harp upon the fact that you need to check passwords on a regular basis, your IT Security team, or even somebody else from your IT Department, should be checking on a regular basis when the SSL certs expire.  Now if you have just one website, then there is no need to do this; this is only if you have multiple sites.  Keep in mind that you do not have to go all out fancy here.  Even if you have a basic spreadsheet with the domain, its SSL unique ID, and date of expiration, you are all set to go.  You don’t even have to check on a daily basis.  Just have someone examine that Excel sheet at least once a week and do a random check on a couple of the sites just to make sure all is functioning well from that standpoint.

2)     Automate the process:

Now suppose that you are classified as a medium sized business, with at least 1,000 or more employees.  In these instances, managing the SSLs will become quite a bit more tedious than using the solution described in #1.  So in these instances, you may even want to consider automating this process.  One of the best ways to do this is to use either AI or ML.  Although this may sound complex, it really is not.  For instance, many ISPs even offer this option as an add-on, and if you choose this, the SSLs that are about to expire will be updated automatically with a newer one, and your credit card will be charged accordingly (but keep in mind that you have chosen this option; you don’t want to suddenly wonder why these charges are appearing from time to time).
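To make tips #1 and #2 concrete, here is an added example (mine, not the author’s) that turns the expiry spreadsheet into a script and can also live-check what each server actually serves, so the recorded date never drifts from reality. It assumes a CSV export with the columns domain, cert_id and expires (YYYY-MM-DD), a 30-day warning threshold, and constructed placeholder hostnames.

```python
import csv
import io
import socket
import ssl
from datetime import date, datetime, timezone

WARN_DAYS = 30  # assumption: flag anything that expires within a month

# Constructed sample inventory standing in for the spreadsheet export.
INVENTORY_CSV = """domain,cert_id,expires
www.example-shop.test,CERT-0001,2022-01-15
blog.example-shop.test,CERT-0002,2021-11-05
api.example-shop.test,CERT-0003,2021-10-01
"""


def as_date(value):
    """Accept a date object or an ISO YYYY-MM-DD string."""
    return value if isinstance(value, date) else date.fromisoformat(str(value).strip())


def load_inventory(text):
    """Parse the CSV export into rows whose 'expires' field is a real date."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["expires"] = as_date(row["expires"])
        rows.append(row)
    return rows


def classify(rows, today, warn_days=WARN_DAYS):
    """Bucket domains into expired / renew_soon / ok relative to 'today'."""
    today = as_date(today)
    result = {"expired": [], "renew_soon": [], "ok": []}
    for row in rows:
        left = (row["expires"] - today).days
        if left < 0:
            result["expired"].append(row["domain"])
        elif left <= warn_days:
            result["renew_soon"].append(row["domain"])
        else:
            result["ok"].append(row["domain"])
    return result


def live_not_after(host, port=443, timeout=5.0):
    """Fetch the certificate the host really serves and return its notAfter date.
    The default context verifies the chain and hostname, so an expired or invalid
    cert raises ssl.SSLError, the same condition that makes visitors bounce."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    seconds = ssl.cert_time_to_seconds(cert["notAfter"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc).date()


def reconcile(rows, fetch=live_not_after):
    """Compare each spreadsheet date with the live certificate; return a dict of
    domain -> problem for entries that disagree or cannot be checked."""
    drift = {}
    for row in rows:
        try:
            actual = as_date(fetch(row["domain"]))
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            drift[row["domain"]] = f"check failed: {exc}"
            continue
        if actual != row["expires"]:
            drift[row["domain"]] = f"sheet says {row['expires']}, server says {actual}"
    return drift


if __name__ == "__main__":
    rows = load_inventory(INVENTORY_CSV)
    # Fixed 'today' (the post's date) so the stand-alone run is reproducible.
    for bucket, domains in classify(rows, "2021-10-16").items():
        print(f"{bucket}: {domains}")
    # reconcile(rows) would contact the real hosts; the placeholders above do not resolve.
```

Run the classify step weekly from a scheduled task and the reconcile step whenever a renewal is supposed to have landed; a domain showing up in the drift dict is the one to check by hand.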

3)     Keep a visible environment:

It is also important to keep in mind that it is not just Web sites that need these crucial SSL certs.  Even IoT devices need them to a certain degree as well.  For example, if you have a Remote Workforce that is totally into the IoT through the kinds of devices that you are issuing to them, then these network connections also need to be secured by a much greater factor.  Thus, in this particular instance, using a spreadsheet will be archaic at best.  You actually need to map out all of these interconnections, but don’t think of drawing them out in Visio.  Instead, get a Microsoft Azure account, and from this you can map out all of these network connections on a real time basis, and any updates can be made automatically to it.  This will give you a great, bird’s eye view of what is happening to all of your IoT devices and the SSLs that are associated with them.

4)     Pay careful attention to your legacy apps:

All of the information that I have presented thus far is based solely on the premise that the apps and devices that you are currently making use of are fairly recent.  But then there are those businesses that still make use of legacy systems, especially those that make use of technology going back to the 1970s, like SCADA.  In these cases, it is almost impossible for today’s SSL certs to be used on them.  For these situations, you will have to think of other alternative means, or simply get rid of these old systems if possible and replace them with newer ones, if it is affordable to you as an SMB owner.

My Thoughts On This

Well, there you have it, some quick and easy tips to help you manage your SSL certs.  It is even quite easy to install them by yourself, but I would actually recommend that your ISP do them for you, just to make sure that everything is done properly. 

Also, many of these ISPs offer special sales on this kind of stuff, especially now with Black Friday and the Christmas shopping season coming up.

Try to get as many of them as possible when they are cheap.  Also, when you buy them, the SSL certs do not become activated yet; they only do so once they are installed.  For instance, I have purchased a few SSLs myself when my ISP had them on a special sale.  I just keep them in inventory and use them when absolutely needed.

Another point I want to reiterate here is the importance of having your websites updated with the SSL certs.  When I do my own prospecting and come across a website with a warning message that it may be insecure because of an invalid cert, guess what I do?  I just navigate away from that page.

This is one of the surest ways in which you can lose prospects and other visitors to your site. The moral of the story: 

Sunday, October 10, 2021

Understanding The Blockchain & Bitcoins: Important For The SMB

 


Hey Everybody,

We have all heard about the Blockchain, especially as it relates to Bitcoin.  Of course, this has garnered a lot of news attention this year, given just how volatile this digital currency has become, and even how it has been used to pay the ransom in Ransomware attacks.

But what exactly is the Blockchain from a technical perspective?  How is it different from, or the same as, Bitcoin?  Is there more than one Blockchain in existence?  What are the latest trends?  What are the risks of investing in Bitcoin?  What are the Cyber issues that are involved?  What are the limitations of the Blockchain?  What does the future hold for it?

Well, in this podcast, we have the honor and privilege of interviewing Anthony Figueroa, the CTO & Co-Founder of Rootstrap, based in California.  He will be answering these questions and much more.  So listen in to this podcast to learn more about this exciting technology.

You can download the podcast here:

https://www.podbean.com/site/EpisodeDownload/PB10E94C3WWMV9

Saturday, October 9, 2021

How To Implement Endpoint Security In 3 Quick Steps

 


There is no doubt that the Cybersecurity Threat landscape is changing on a daily basis.  It seems that hardly has one type of attack come out before new variants of it are launched at a subsequent point in time.  There is no doubt that it is difficult to keep up with this cat and mouse game, literally giving the IT staff of any organization a serious run for their money.

Remember, the Cyberattacker of today is in no rush to launch their threat vectors.  Unlike their “smash and grab” style of some time ago, they are now taking their time to select, profile, and carefully study their potential victims.  This is done in an effort to find any unknown vulnerabilities and weaknesses, so that they can stay for much longer periods within the confines of their victim.

Then, once they are in, they can accomplish their specific objectives, bit by bit, unbeknownst to their victim, until it is too late.  But very often, businesses and corporations only think of protecting what lies within their IT Infrastructure.  For example, this includes the servers, the workstations, the network connections, wireless devices, etc.

The Need for Endpoint Security

Very often, little attention is paid to fortifying the lines of defense at the endpoints of these systems.  For instance, a CIO or a CISO is probably more concerned with securing the lines of network communications by using a VPN, rather than the starting and ending points of it.  The Cyberattacker is well aware of this, and is starting to take full advantage of it in order to get in and stay in for as long as they can.

Thus, as one can see, securing the endpoints of an IT Infrastructure is becoming of paramount importance.  In this blog, we examine some of the latest best practices that an organization can adopt to further enhance their Endpoint Security.

The Best Practices

Here is what is recommended:

1)     Make use of Automated Patching Software:

One of the first cardinal rules of Security in general is to have your IT staff stay on top of the latest software upgrades and patches.  In fact, some experts will claim that you should even have a dedicated individual to handle this particular task.  Perhaps if your organization is a Small to Medium sized Business (SMB), this could be possible.  But even then, this can be quite a laborious and time-consuming process.  And what about those much larger entities that perhaps have multiple IT environments and thousands of workstations and servers?  Obviously, the number of endpoints that you will have to fortify can multiply very quickly.  Thus, it is highly recommended that you have a process in place that can automatically look for the relevant patches and upgrades, as well as download and deploy them.

2)     Have a well-trained and very proactive Cyber Response Team:

Once your organization has been impacted by a Cyberattack, there is no time to waste.  Every minute and second that is lost just delays your recovery that much more.  Therefore, you need to have a dedicated Cyber Response Team whose primary function is to respond to and mitigate the impacts of a Cyberattack within a 48-hour time span, at the very maximum.  In order to do this, they must be well trained, and practice on a regular basis (at least once or twice a month) against real world scenarios.  They also must be equipped with the latest Security tools to determine if there are any other Security weaknesses or vulnerabilities that have not been discovered as yet.  This primarily involves finding and ascertaining any malicious behavior or abnormal trends that are occurring from within the IT Infrastructure.  Also, the Cyber Response Team needs to have a dynamic alert and warning system in place in order to notify them of any potential Security breaches, especially at the endpoints.

3)     Perform routine Security Scans on your Endpoints:

Just as important as it is to maintain a routine schedule for keeping up to date with software upgrades and patches, the same holds true for examining the state of the endpoints in your IT Infrastructure.  In fact, it should be the duty of the Network Administrator to formulate such a schedule, and this should include conducting exhaustive checks for any signs of potential Malware.  Sophisticated antivirus software needs to be deployed at the endpoints and maintained regularly.  As a rule of thumb, it is recommended that these Endpoint Security Scans be conducted on a weekly basis.

Conclusions

A future blog will continue to examine the topic of the importance of Endpoint Security.

Sunday, October 3, 2021

The Next Breed Of Distributed Denial of Service (DDoS) Attacks The SMB Owner Must Be Aware Of

 


Well, it’s hard to believe that we are now in the last quarter of this year.  And in the next month or so, guess what is going to happen apart from hearing about the Holidays?  The predictions as to what will happen in the Cyber Threat Landscape in 2022.

But we’ll deal with that later.  As 2021 continues to soldier forward, the major theme has and will be that of Ransomware.

The bottom line is that there is really nothing new with these threat profiles; rather, they are simply better mutations of the original strain, sort of like how the Delta Variant emerged from the original COVID-19 virus.  But there is one threat out there that has always loomed on the horizon, and that is the Distributed Denial of Service attack, also known as “DDoS” for short.

Simply put, this is where a Cyberattacker tries to choke off a server that is hosting shared resources or even Web based applications for the outside world by flooding it with malformed packets.  The idea is not to kill off the server per se, but to bring it to its knees for long periods of time.

But this year, it appears that the trend is changing.  Rather than engaging in these long bursts, it seems that the Cyberattacker is launching shorter bursts of attacks but making them much more intense in nature.

Here are some of the findings discovered by researchers so far:

*The number of these short-term DDoS attacks has grown by at least 4x, and their level of intensity has increased by at least 2x, in the first half of this year;

*Most of these above-mentioned attacks had a sustained duration of at least eight minutes or less;

*Interestingly enough, it is the same businesses that are being hit over and over again;

*The Cyberattacker is making more intense usage of the TCP protocol (which stands for “Transmission Control Protocol”), which is what is used to access Web based applications today.  With this technique, the Cyberattacker is able to mask their attack as a legitimate piece of network traffic flow.  Malicious usage of this protocol has increased by 32% in the first half of this year;

*Other kinds of network protocols that are used to launch these shorter-frame DDoS attacks include the User Datagram Protocol (also known as “UDP”) and SYN data packets.  Both of these saw sharp increases in the first half of this year, with upticks of 43% and 21%, respectively;

*The industries that were impacted the most were the IT, financial, and business sectors, at 29%, 25%, and 22%, respectively.

NOTE: The above findings were formulated by examining over 5,600 different DDoS attacks.  The actual, published report of these findings can be seen here at this link:

https://www.imperva.com/blog/cheap-and-nasty-how-for-100-low-skilled-ransom-ddos-extortionists-can-cripple-your-business/

So what is the reason behind this new trend?  Well, threat researchers have attributed this to the much wider availability of cheap or even free resources, especially from the Dark Web.  In other words, the Cyberattacker of today does not have to create ultra-sophisticated threat vectors; they can even hire an outsourced firm to do it for literally pennies on the dollar.

Simply put, with the barriers to entry now lowered to their greatest extent ever, and the digital landscape growing every day (proliferated mostly by the advent of the 99% Remote Workforce), the Cyberattacker now has a much greater landscape in which to launch their attacks.  But worse yet, they can mask their footprints even better now, with the process of Attribution taking a lot longer as a result.

Because of this, it is now the major Cloud platforms such as AWS and Microsoft Azure that are being hit, because of the huge growth in the creation and usage of both Virtual Machines (VMs) and Virtual Desktops (VDs).

These types of DDoS attacks have now become technically known as “Pulse Wave Attacks”.  It is also a game of psychological warfare.  For example, with these shorter bursts the tendency is to just slow down the services of one application.

Once this has been resolved, the tendency is for the IT Security team to breathe easier and move on to the next threat variant.  But the Cyberattacker is also taking advantage of this kind of mindset, by launching a new Pulse Wave Attack just minutes later, thus totally overwhelming the IT Security team yet once again.
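As an added example (mine, not from the original post or the Imperva report), here is a small detector for the pulse wave pattern just described: short, intense bursts that return minutes after the first one subsides, which a team that relaxes after the first burst will miss. It runs over a constructed per-minute request count series of the kind a load balancer or flow collector exports; the 5x-baseline, eight-minute and 30-minute-gap thresholds are my assumptions.

```python
from statistics import median

# Constructed sample: 60 minutes of requests/minute to one application.
# Baseline is roughly 1000/min; two 6-minute bursts at ~20x hit at minutes 10 and 30.
SAMPLE = [1000 + (i * 37) % 90 for i in range(60)]
for start in (10, 30):
    for m in range(start, start + 6):
        SAMPLE[m] = 20000 + m * 11


def find_bursts(series, factor=5.0, max_len=8):
    """Return one dict per run of consecutive minutes above factor x the median rate.
    Runs no longer than max_len minutes are marked pulse=True, mirroring the report's
    'eight minutes or less' observation; longer runs are ordinary sustained floods."""
    baseline = median(series)
    threshold = baseline * factor
    bursts, start = [], None
    for i, value in enumerate(series + [0]):  # trailing sentinel closes an open run
        if value > threshold and start is None:
            start = i
        elif value <= threshold and start is not None:
            run = series[start:i]
            bursts.append({"start": start, "length": i - start,
                           "peak": max(run), "pulse": (i - start) <= max_len})
            start = None
    return bursts


def is_pulse_wave(bursts, max_gap=30, min_bursts=2):
    """A pulse wave is at least min_bursts short bursts, each starting within max_gap
    minutes of the previous one ending. One isolated burst does not qualify, which is
    the trap the post describes: the team stands down after the first one."""
    pulses = [b for b in bursts if b["pulse"]]
    if len(pulses) < min_bursts:
        return False
    for prev, nxt in zip(pulses, pulses[1:]):
        if nxt["start"] - (prev["start"] + prev["length"]) > max_gap:
            return False
    return True


if __name__ == "__main__":
    found = find_bursts(SAMPLE)
    for b in found:
        print(f"burst at minute {b['start']} for {b['length']} min, "
              f"peak {b['peak']}/min, pulse={b['pulse']}")
    print("pulse wave pattern:", is_pulse_wave(found))
```

Feed it a rolling window rather than a fixed hour and raise the alert's severity, not clear it, when a second pulse lands.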

But it is not just malformed data packets that are used in these Pulse Wave style attacks.  Bots are also used, and according to researchers, this accounted for well over 60% of the network traffic in the first half of this year.  But scarier still, out of this, only 36% of this network traffic was deemed to be legitimate.

Bots are also much nastier in nature, doing things such as scraping for login information (such as usernames and passwords), and one favorite target of theirs are the thousands of E-Commerce sites in existence today.

My Thoughts On This:

What is the best line of defense against this new breed of DDoS attacks?  As I have mentioned before, we are all at risk; nobody is immune to it.  But one of the primary advantages of going over to the Cloud is that these platforms typically offer a great suite of security tools that you can use to protect both your VMs and VDs.

But the responsibility of actually deploying them comes down to you and your IT Security team, not the Cloud Provider.  There is no doubt that keeping track of all this and mitigating the risks of this new breed of DDoS attack is a very challenging task.

Therefore, you should probably engage the services of an MSP to not only help with your transition to the Cloud, but also help you to keep an eye on it for the long term as well.

Saturday, October 2, 2021

The Case For Why We Need A Department Of Cybersecurity

 


Whenever a new Presidential Administration takes over, it is usually the first 100 days that are observed most closely.  It is during this time period that the new President tries to undo everything that his predecessor has done, and Biden is no exception to this rule.

And in fact, the Trump Administration did the very same thing, when he basically tried to demolish Obamacare, upon which millions of Americans, even including me, are heavily dependent.

But what makes the Biden Administration different in this regard is the sheer onslaught of Cyberattacks that have been happening, especially when it comes to Ransomware.  As far as I remember, this is totally unprecedented. 

The Trump Administration did have to deal with this, but not to the extent that it is happening now.  Because of this, Biden has shaped an entirely new framework just for dealing with Cybersecurity.

For example, back in May he signed the first ever Executive Order mandating that new measures be implemented as quickly as possible.  Some of these include the following:

*Supply Chain security issues have to be resolved (such as in the case of the SolarWinds hack);

*The US Federal Government must deploy newer technologies;

*Between both the public and the private sectors, there will be a much more transparent process when it comes to sharing intelligence information and data;

*Rewards of up to $10 million will be offered for information that leads to the apprehension of known Cyberattacker suspects.

There is more of course, and a future blog will go into that in more detail.  But there are some other key things that have followed since this Executive Order, and they are as follows:

*A specialized task force has been created:

When it comes to conquering Cybersecurity, no one company or individual can do it alone.  It literally takes a village to accomplish this task.  As a result, just recently, Biden announced the creation of a brand-new task force that has been put together to deal with one thing primarily: the rising occurrences of Ransomware.  Although I have not studied who the exact members are, it is composed of a broad representation of Cybersecurity experts from both Corporate America and the Federal Government.  Probably the biggest advantage of this is that there will be a greater degree of “Cyber Resiliency”, in that new ideas and fresher ways of combatting threats will be thought of, and made available to those entities that want this type of guidance and direction.  But more importantly, by wielding such a powerful consortium of individuals, this will also help to greatly foster cooperation with other nations when it comes to finding out who the bad guys are whenever a threat has been launched and made impact (technically, this process is known as “Attribution”).  One of the other key objectives of this task force is to stop ransom payments that are on their way to the Cyberattacker.  So far, paying a ransom like this is not totally a crime yet, but it all depends on the situation.  In other words, under some circumstances it can be considered an act of treason by the Department of Treasury, but this area is still murky.  But whatever it is, one of the other primary objectives of the Biden Administration is to prevent Ransom payments altogether, and rightfully so.  Although companies are desperate to get their files back after they have been hit, paying the Ransom is no guarantee of anything, especially when it comes to getting the decryption keys.  Further, paying the Ransom will only further fuel the appetite of the Cyberattacker for conquering much more lucrative targets.
In fact, the Department of Justice wants to escalate Ransomware attacks to that of a terrorist activity, which will make access to Federal Government resources much easier.  It is also hoped that by elevating the threat status of Ransomware attacks, the rising epidemic of it will eventually slow down, because the full weight of the US Government will now be behind any sort of Ransomware investigation.

*A coalition will be formed:

Do you remember the days of the 1st Gulf War, when President Bush was so successful in creating a coalition of nations to oust Iraq from Kuwait?  Well, the same is anticipated here with this Cyber Task Force that Biden has created.  For instance, with this, it is hoped that more countries that are allies of the United States will come together as one strong coalition and muscle up against those countries that are harboring known Cyberattack groups.  It is anticipated that by taking such an approach, nation state actors will give up these Cyberattacker groups so that they can be brought to justice.  Let’s face it, the last thing the world needs right now is a World War III that is fought totally by computers.  The effects of this could be far more devastating than anyone can ever anticipate.  For example, Critical Infrastructure will be the huge target, which will impact water supplies, oil and gas pipelines, the world electrical grid, and even the food supply system.  The world would look as if a nuclear war had just happened.  So it is hoped that with enormous diplomatic pressure and international sanctions by this coalition, these nations will want no part in being blamed for housing Cyberattack groups.

My Thoughts On This:

I think that these first steps that have been taken by Biden are great and much needed.  But keep in mind that these efforts will not yield fruitful results overnight; rather, it could take weeks or even months.  And of course, just given how quickly the Cyber Threat Landscape is changing, this is time that cannot be lost.  But unfortunately in this regard, we are also dealing with government bureaucracy and red tape, which prevent anything from happening quickly.

I am also hoping that eventually the Biden Administration will form a centralized entity called the “Department of Cybersecurity”, set up in a manner very similar to that of the Department of Homeland Security (DHS).  We cannot go at this alone or in separate groups.  We need a common entity that can handle all of this.  It will probably take more than a village.  It could very well take the entire world.
