Sunday, November 28, 2021

Looking For A New Career In Cyber? Become A Bug Bounty Hunter

 


As we soon start to close out this year, one of the common themes that you will keep hearing about even going well into next year is the lack Cyber workers.  I have written about this before, and in fact, I have an eBook that will be coming out on this very topic next year. 

The problem is that there it is not a shortage of people . . . there are plenty of people out there, but hiring managers are extremely picky in who they want to hire.  Anyways, this eBook will address this issue.

But there is one area of Cyber that continues to become red hot, and in fact, there is no shortage of workers, believe it or not.  What am I talking about?  I am talking about becoming a Bug Bounty Hunter.  No, this is not the stuff you see on TV. 

But this is for real.  For the most part, organizations, if they can afford it, will try to hire what is known as a “Threat Researcher”. 

These are individuals that are tasked with researching all of the intel their company gets, and try to research, or project what future threat variants could look like.  Of course, they do not go at this alone, they have other tools at their disposal, such as that of AI and ML. 

But now, they may have a companion at their side that could give them some serious competition, depending upon how you look at it.

And these are the Bounty Hunters. This is essentially where a large technology firm, such as Microsoft, Oracle, Google, etc.  will soon put out a new product or service release.  But before that happens, they of course want to know what all of the bugs are before it hits production. 

In an effort to do this, these companies offer large sums of money for any vulnerabilities that are found, as well as the remediative steps that need to be taken.

These payouts to the Bounty Hunters can be quite lucrative, take account into account these earnings:

*GitLab:  Between $20,000 - $35,000;

*Microsoft:  $100,000;

*Google:  $132,500;

*Atlassian:  $10,000.

Wow, IMHO, these are some very nice payouts.  One of the biggest advantages of a Bug Bounty Program is that it encourages all, who have the skills, to hack the systems, and see where the weaknesses are. 

Of course, there is a background check that is conducted before the payout is made just to be sure that the Bounty Hunter is ethical, not some sort of Cyberattacker who is going to funnel their earnings to launch future attacks.

In fact, the interest in Bug Bounty Programs has increased this year, and is only expected to do so going into 2022.  Consider these stats:

*There has been an overall 65% increase in the total number of vulnerabilities/and remediative solutions submitted;

*Microsoft has a total of 17 different Bug Bounty Programs, in which 1,200+ reports were submitted by Bounty Hunters.

Now, although one may be attracted to this new kind of work because of the large payouts, but keep in mind that it is a lot harder to get in reality.  For example, these big tech companies do not select who the Bug Bounty Hunters will be.  Rather, they put out an advertisement of sorts, and everybody in the hacking community is invited to participate. 

So by the time you get to it, it is quite possible that you may be in competition with hundreds of other hackers, all at the same time.  Second, since the identities of the Bounty Hunters are not given out until the payout is made, it is quite possible that there could be multiple hackers working on finding a resolution to the same bug(s). 

The key here is who submits the best remediative plan to fix the issue.

Also, there is a deadline in which to submit the findings and solutions.  These tech giants will of course take their own sweet time to go over each one, in great detail, to see who deserves the payout.  Thus, it can take quite some time before any sort payouts are actually made. 

Most Bounty Hunters tend to go after what is known as the “low hanging fruit” first. 

These are simply the easiest of the vulnerabilities that can be found, and because of that, the challenges become even greater to find the harder to detect ones.  This could prove to be a boon to those who are more patient, as the payouts in these circumstances tend to be much higher. 

Also, as the obstacles become greater, the competition will obviously become much less.

When you have actually discovered a major bug, simply writing a document on it and writing up on how to correct it is not enough.  Most of these tech companies want an extremely detailed and formal write up, which includes some of the following:

*How did you discover the bug in the first place;

*Detail as to the exact steps that you took to get to that bug;

*The tools that you used to discover it;

*If you worked as part of a team, or if this was purely an individual effort;

*Excruciating details on the remediative steps to be taken to resolve the bug.

Each of these tech companies will probably have their own format for you to follow.  The bottom line is that they are interested in the detail.  Obviously, the more you can provide will separate you from the rest of the competition in getting the payout.

But these tech companies are still trying to find the right balance of how to attract and keep engaged the interest level of the Bounty Hunters.  Some of them even believe that a higher payout may not be the complete solution either.

My Thoughts On This

So you want to become a Bounty Hunter now?  Keep in mind that it is not for everybody.  It takes a very analytical mind and an individual with great software coding skills to become successful at it.  And remember, it is a gradual process. 

Most Bounty Hunters did not get the highest payouts after the first discoveries, but over time, as they built up their skills, they received more, if their submitted reports were selected as the finalist.

Also, it takes a lot of time to become a Bounty Hunter. It could even be years till you get your first payout.  But as you can see the financial rewards could be well worth it, if you have a lot of patience and commitment. 

Heck, if you really are interested in this line of Cyber work, you may even want to reach out to a Bug Bounty recruiter, who could probably get you your first few projects (I think they exist).  Or you could even partner up with other friends to start your brand-new venture in this Cyber industry.

Saturday, November 27, 2021

How To Avoid A Smishing Attack: 6 Golden Rules

 


OK, we made it through Black Friday….hopefully retail sales numbers were up for all stores, whether brick and mortar or even just online.  But this just marks the start of the shopping season, until we hit Christmas Eve.  So while a lot of people will be enjoying shopping, the Cyberattacker will also be frolicking around all of the weak spots anywhere they can get into.

Interestingly enough, it seems that the trend in Ransomware attacks have seem to dissipate a little bit (from what I can tell), but now the uptick will be in Phishing Emails, and even worse, in Smishing Attacks.  This is the same thing as the Phishing Email, but instead you get it by text. 

But the cunning thing about this it is really difficult to tell if it is legitimate or not, because there is no other context in which it appears in.

Also, if you have a lot of contacts in your address, the tendency might simply be to just respond to it without looking at it further.  And if this does happen, the chances of getting malware on your Android or iOS device becomes much greater.  Consider some of these stats:

*There has been a 270% increase in terms of these kinds of attacks in 2021 versus 2020;

*Smishing based text messages have an open rate of almost 98%;

*81% of companies in Corporate America, while not directly targeted, have become victims of Smishing attacks.

All of this and of course much more comes from Proofpoint, in their end of year report which is entitled “2021 State of The Phish Report”.  It can be downloaded at this link:

https://www.proofpoint.com/us/resources/threat-reports/state-of-phish

It is also important to keep in mind that the Cyberattacker of today is now the most sophisticated than they have ever been before when it comes to launching Smishing attacks.  The biggest catalyst for this has been the Dark Web.  At this level, pretty much anybody can purchase PII datasets for literally pennies on the dollar, and craft a campaign that looks totally real.

Heck, the Cyberattacker, can even hire out a firm on the Dark Web and do it all for them, which is known “as a Service” type of attack.  Also remember, when deploying this threat vector, it is pretty much your mobile device that is targeted. 

In a way this is good, because the chances of other things getting affected are a lot lower (unless they are somehow connected to your Smartphone).  But on the flip side, and as just mentioned, if you click on that link, your wireless device is pretty much done for.

Keep in mind also that Smishing attacks that are predicted to happen during this holiday season are pretty much financially motivated.  Although there is the interest to capture your username and password, all the Cyberattacker wants to do is get your money and wire it off to some offshore account.  Thus, here are some of the key things to look out for:

*Most of these attacks involve getting a fake delivery package notice.  This is really more of a Social Engineering type of variant, as it pries on your emotions of surprise to respond to it.  Heck, I have started to get these, and I just simply delete them. 

*Some of these Smishing messages can also route you to fake a website where you are prompted to make a payment with your credit card if you want expedited delivery service to your home address.  Obviously, telling a real website from a fake on a Smartphone can be very difficult, because obviously the size is much smaller than versus a laptop.  At least for me, when I see a website on my iOS device, only the actual domain comes up, not the entire directory structure of it.  That makes it even more difficult to tell, also.

*Another variant of the Smishing attack is receiving a text message that you are eligible to receive a free gift or even free products if you fill out a survey, by clicking on the link.  This will of course take you to that spoofed website, and have you enter in your username and password to take you to the survey, which of course, is nonexistent.

In this regard, companies in Corporate America need to pay very careful attention to the Smartphones that they issue out.  For example, it should be only used for work related purposes.  Employees should be reminded constantly that their work phone is not meant for personal uses. 

If possible, they should as much as possible refrain from giving out their mobile work number.  The primary reason for this is that these company issues devices are also prone to Smishing attacks, and if one is opened, any corporate information and data that is stored in them could be easily heisted.

Unfortunately though, the reality is that the technology to discriminate a real text message from a fake one is not there yet.  For instance, it is only that my carrier, Verizon, has taken steps to identify a Spam phone call or not. 

So if an unrecognized number comes through on my iOS device, it will appear as “Spam Call”.  But given how quickly people are more concerned with the latest and greatest tools that are coming out, security still seems to be at the bottom of the rung.

My Thoughts On This:

The bottom line is that no matter how much security training one may receive, and all of the security features they have on their wireless device, we all are prone to falling victim to a Smishing attack much more so than a Phishing attack.  The reason for this is twofold:

*The issue of Smishing attacks has not really been fully acknowledged by either Corporate America or even the wireless carriers themselves;

*We live in a hurried and fast paced world.  We feel the natural urge to respond as fast as possible, especially when we know are receiving a surprise package, especially during this time of the year.

So you know what the best line of defense is?  Take your time to go through all of your text messages.  Read all of them, and if any of them do not look familiar, just simply delete them, like I do.  In this instance, it is best not to even call to see if it was a legitimate text message, as you can quickly become a victim fo Robocalls in this instance.

If it is important enough, the sender can always call you and even send you and email.  When it comes to receiving packages, always sign up for both text and email alerts through the courier.  It is free, and by getting two or more messages, you will have some confirmation that it is a real message.  During these times of giving, it is important to give, but make sure it is to the right person, not the Cyberattacker.

Friday, November 26, 2021

How to Ramp Up Your Security – 7 Top Tips

 



Introduction

Now that we are in the thick of CVOID19, with states now starting to open their economic activity in some fashion or another, Cybersecurity will always be a hot topic in this regard.  There is no doubt that we all have been bombarded with those WFH security tips, how to avoid Zoombombing, how not to fall for a Phishing scam, etc.

There has been out so much that has been thrown out there, that it is difficult to comprehend even where to start.  This is the purpose of this article, to give you, the CIO or CISO of your business, some quick and easy tips that you can use as you open your doors up once again, and transition your employees back into the office.

The Tips

Here are some of the main ones to consider:

Review all plans that relate to mitigating Cyberthreats:

At the present moment in time, many businesses are now realizing that they wished that they       had some sort of response plan in place.  Most specifically, this relates to the Incident Response, Disaster Recovery, and Business Continuity Plans.  The main point here was that a lot of organizations simply could not mobilize their workforce to work remotely, due to the sheer fact that they had no procedures in place for this.  But keep in mind, it is never too late to have these kinds of plans in place. It is now more imperative than ever that you have them, but most importantly, that you are keeping them updated as you practice them.  Speaking of this, which should typically happen at a minimum on a semiannual basis, preferably even quarterly.  Equally important is that you maintain a distinct line of communications in your company, that can be activated at a moment’s notice, 24 X 7 X 365 for the sole purposes of relaying any emergency announcements to your employees and key stakeholders.

Make sure that you stay on top of the Cyber Threat Landscape:

There are many ways that this can be done.  Probably one of the best tools that you can use in this instance is that of Artificial Intelligence, or AI for short.  There are many AI vendors out there now who are offering SaaS based packages that you can deploy in just a matter of a few minutes.  Typically, these can be used to help filter out for false positives that come through, thus presenting your IT Security staff with only those alerts and warnings that are legitimate.  But also, AI tools can be used to help model what future threats your organizations may face, so that you can be better to handle them, if they ever come your way.  Best of all, since a majority of these solutions are now Cloud based, they are very affordable with fixed, monthly pricing.  Another way to keep up with the latest threats is to go online and read the major headlines.  True, there are many sites that offer this information; you can simply select perhaps two or three of them and subscribe to their respective RSS feeds in order to get those headlines that are relevant to your company and industry.  A particularly good source to use is Google, as their repository is always updated with the latest Cyberthreats and their variants.

Enable Multifactor Authentication & Virtual Private Networks:

Let us face it, WFH may now be the next new norm for many businesses in Corporate America.  As the states are relaxing their Shelter in Place orders, many new public places will soon start to open, such as restaurants and cafes.  If your employees are still WFH for an extended period, they will probably want to break away from the home atmosphere and work at one of these places.  The temptation here will be to use the Public Wi-Fi, but this is probably the worst security mistake that they can make.  Rather, your employees should be making use of Virtual Private Networks (VPNs) in order to log in.  Put in simpler terms, your remote employee can log into your corporate network with a network line of communications that is almost invisible to the outside world.  VPN solutions are now very affordable, and in fact even downright cheap to get.  Many of them are available through various ISPs and Cloud providers.  Most plans typically run about $10.00 - $20.00 per month.  Equally important is the use of Multifactor Authentication (MFA).  This is where your remote employee is required to use at least three or more layers of authentication in order to legitimately prove who they are before they can gain access to shared resources.  For example, a combination of a password, RSA Token, and a Biometric modality (such as that of Fingerprint Recognition/Iris Recognition) can all be used in tandem with another.

Keep educating your employees:

As your employees come back to work, now is more important than ever to further educate them about Cybersecurity related issues, especially as they evolved from COVID19.  Some things that really need to be addressed here is how to recognize a Phishing Email, and how to use video conferencing tools in a secure manner.  Because of the pandemic, many Phishing Emails have become extremely sophisticated, and are extremely hard to detect now, even to the trained eye.  In this regard, it would be wise to hire the services of a Cybersecurity Consultant and have him or her give a presentation onto what the latest scams look like.  Then, once this training is over, you can then launch simulated Phishing attacks against your employees, in order to see who still falls into becoming a victim.  Always remind them if they are in doubt about an Email that they have received, they should always contact the sender in order to confirm its legitimacy.  At this point, it is important to keep your employees motivated so that their guard will always be up, even during these times of high anxiety.  In order to do this, you could use the concepts of Gamification, or even reward your employees with a simple gift card if they have observed good levels of “Cyber Hygiene”.  Remember, a small pat on the back can go an exceptionally long way in boosting employee morale.

Protect your business from both the outside and the inside:

The common mis thinking these days is that Cyber related threats always come in from the external environment.  While this may be true to a certain degree, the threat of Insider Attacks is even more real, and can be just as much, if not deadlier to your business.  For example, you may have a disgruntled employee, or even a rogue third party contractor.  These signs are very often difficult to track, until it is too late.  Therefore, as your employees start to come back gradually, it is important that you implement some sort of hotline on a real time basis so that your employees can anonymously report any erratic or malicious type of behavior.

Get back into a regular schedule of software updates:

During this period of WFH, many IT Security teams have not been able to deploy updates and patches on a regular basis, either because they simply could not gain entry into the home networks of the employees, or they were just spread too thin.  The Cyberattacker is fully aware of this and is now ready to pounce upon this as businesses start to open their doors to the public.  Therefore, before you even do this, you need to have a meeting with your IT Security team to see how best you can get back into a regular schedule of deploying software patches and updates, and get them done before you do actually open your doors.

Conduct an in-depth Penetration Testing exercise:

At this point in time, many Cybersecurity vendors are offering exceptionally low and perhaps even free pricing on these kinds of services, in order to help businesses out as they make the transition.  With Penetration Testing, the vendor will literally break down your walls of defenses to see where the unknown gaps and vulnerabilities lie at.  From there, recommendations will be provided as to how they can be filled up.  It is important that you do this as quickly as possible, so that your business does not become the victim of a large scale Cyberattack as your employees return to working in the office.

Conclusions

Overall, this article has examined some of the key steps that you can take to get your business ramped in terms of its security posture in a post COVD19 world.  This list provided is by no means an exhaustive one, a lot of this will depend upon what you, the CISO or CIO and your IT Security team decide upon what is most important, at least initially.

Thursday, November 25, 2021

3 Things The U.S. Federal Government Needs To Do For Cybersecurity

 


Well, first and foremost to everybody out there, have a wonderful Thanksgiving!  May you enjoy the holiday with family friends.  Even despite what the year has brought us, there is still a lot to be grateful for, especially that we, the United States, have survived yet another year of the COVID19 pandemic. 

As for me, being a day off, I was bored so I thought I would write an article anyway.  Except for all of the technojargon that has come and gone as well as all of the vendors, there is a newer trend that is happening in out world today:  The mushrooming of frameworks, policies, templates, etc. by the Federal Government, brought on especially by NIST.

One of the main catalysts for this has been the CMMC, which is a mandate that all contractors/subcontractors in the Defense Industrial Base have to achieve some sort of certification by the DoD before they will be allowed to bit on future contracts or even to continue on existing contracts. 

There also have been other things that have come out to help businesses establish the right balance of controls for data privacy compliance, etc.

But the problem is, as we all know is that by the time the Federal Government has established new guidelines for Cybersecurity, the threat landscape has changed and as a result, these policies need to be updated again.  Very often, the Federal Government is blamed for this, for being too far behind on the curve in keeping up with what is happening out there.

It’s like Biden’s recent Cybersecurity Executive Order.  It’s great that has been signed, but how long will it take before it really has an impact?  My best guess at this point would be probably a few years, at the very least. 

So, what can the Federal Government do to make sure that whatever new frameworks, policies, etc. that they come up with will still have some bearing for the future?

The key is to look what the trends are now, and see which ones will still carry out at least for the next few years down the road.  It is also very important to keep in mind that the emergence of the near 99% Remote Workforce has also played a huge part in dictating this picture, and this will also have to be kept in mind as well. 

So, what should the areas of emphasis be when creating these new pieces of documentation?  Here is a sampling:

1)     The Cloud:

Although Corporate America started to realize the benefits long before COVID19 hit, it is the pandemic which has fueled this growth to a much more permanent level.  For example, many  businesses are now migrating their On Prem Infrastructures entirely into a Private Cloud(s) platform such as that of the AWS or Microsoft Azure.  Although in theory the same controls should still take effect, there could be some differences.  The adoption of the Cloud is only going to grow into the future, as the thought of the “Metaverse” is now starting to get embraced by companies as well.  This is where avatars are used 100% to represent ourselves in the real world.  Also, data privacy is a whole new ball game here as well, as leakages are more prevalent in the Cloud than ever before.

2)     Address the issue of Endpoint Security:

Before the near 99% Remote Workforce took hold, many companies simply relied upon the traditional VPN in order to secure the lines of network communications from the point of origination to the point of destination, and vice versa.  But with everybody WFH now, the VPNs have reached their breaking points, and the thoughts of protecting these Endpoints have been a forgotten about issue.  Because of both of these factors, the Cyberattacker now has a new ways of getting in, and staying in for much longer periods of time, going unnoticed.  As a result, organizations in Corporate America have started to realize this and have started to do something about it, albeit too late, IMHO.  Therefore, any new frameworks or guidelines that come out by the Federal Government have to address these two issues, and even provide checklists to make sure that not only is newer technology being used to keep up with the sheer implosion of people WFH, but that the right tools are also in place to help fortify these Endpoints, as they will only grow more into the future as well.

3)     Wireless Access:

Even more so than the VPN, this kind of access will proliferate into the future as well, probably even more so than anything else.  Once again, it is COVID-19 that has really brought this on.  For example, when everybody was in the office, this was barely an issue.  But once again, with everybody WFH, the meshing of the home and corporate networks became a problem.  For example, many remote workers still continue to use their home networks in order to access the corporate networks.  While this may be secure in one sense, how on earth do the IT Security teams apply software patches/upgrades to the wireless devices without first getting access to the home network?  Nobody will allow this to happen, because of the privacy issues that are involved.  People would much rather sooner quit than giving access to some stranger they do not even know.  Compounding this problem are when people choose to work in public venues, so as the local Starbuck’s, and choose to totally ignore all of the employer’s security policies.

My Take On This

Well, there you have it, some of the top Cyber issues that the Federal Government has to take into consideration when creating their new frameworks and guidelines.  But the reality is that it will literally take forever for the government to respond to this, as mentioned before.  So what is one to do? Well, just make sure that you are keeping snuff as to what is happening now.

In terms of compliance, this means keeping up with the tenets of the GDPR and the CCPA so that you do not get fined or audited.  But more than anything else, whatever good security practices you have on hand right now, make sure you keep up with that, and more!!!

Sunday, November 21, 2021

Understanding The Differences Of Cyber Hygiene In The Cloud & On Prem

 


Yet once again, one of the biggest buzzwords to be thrown out there in our world of Cyber is “Hygiene”.  Actually, I don’t think this term actually started to gain root until when everybody started to work from home, when of course, security was a huge mess. 

But when we hear of this term, the images of people working directly at their computers or perhaps even going to the office to access stuff, in a safe and secure manner (really? LOL).

But Cyber Hygiene is actually an all-encompassing term which embraces all forms of both digital and physical assets.  Long story short, it simply refers to the fact that you are abiding by the security policies of your company, and trying your best in not becoming a victim.  But this term can also apply to the Cloud as well, and how safely you access stuff. 

For example, suppose you are trying to access a VM in Microsoft Azure to gain access to some shared resources.  In this regard, are you still following your company’s security policy?  Hopefully you are.  But keep in mind that as the near 99% Remote Workforce is now going to be with us for a long time, Cyber Hygiene in the Cloud is going to become a key issues. 

Here are some quick ways in which it can be addressed:

1)     Determine exactly what you have in the Cloud:

With the COVID-19 pandemic, many businesses in Corporate America have a made a total, 100% transition to the Cloud, whether it is the AWS or Azure.  Of course, there are still some that are reluctant to make the transition over, and some prefer a mixed approach where some assets stain the Cloud and some stay On Premises.  But no matter what you are using, take inventory of all of the assets that you have deployed to the Cloud.  All those controls that you have deployed On Premises now have to be moved over to the Cloud as well.  Remember, the GDPR and the CCPA just doesn’t look for stuff On Premises – they look to make sure that all appropriate and needed controls are also deployed on your Private or Public Cloud as well.  To keep things efficient, try to use the same methodology that you use On Prem for the Cloud as well as when it comes to asset categorization and risk level.

2)     Determine the effectiveness of those controls:

Although the same sort of controls will be required for the Cloud as to what you had On Premises, you still need to make sure that they are working the intended way either in AWS or Azure.  Although the controls should work fine, there still may be some adjustments that are needed.  One good approach is create a sandbox environment first, and test those controls there first before you move them into the production environment in your Cloud Infrastructure.  A good framework to help keep all of your controls would be to use what is known as the “Cloud Controls Matrix” that is available free from the Cloud Security Alliance.  You can download it at this link:

https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4/

3)     The transition to the Cloud:

Suppose you have an On Premises Server and have migrated that over to the AWS or Azure.  Once that process has been done, your new VM could be set up differently, and the way you access stuff in it could also change as well.  In fact, you may not even move everything over, depending upon how old your data is what the exact purpose of the new VM is.  So, whenever you have made the move over completely, take stock of what each new VM is actually doing.  For example, is one just being used to serve the company Intranet, and the other is a database server?  Of course, all of them will need protection via the controls, perhaps not all of them will have to be so strictly enforced.  Perhaps the server with the company pages does not need to have as many controls associated with it as the VM which houses the database server?  The reason for this is that although there is a plethora of benefits with a Cloud based structure, you are always going to be charged with how much resources you are using, technically known as “consumption”.  These costs can add up quickly, so you need to allocate resources accordingly.

4)     Keep everybody informed:

It is important to note that as you get deeper into this process, all key stakeholders, especially your employees need to kept informed of what is going on.  Of course, you do not want to give out all of the details, but employees will feel much more empowered and motivated to maintain a strong level of Cyber Hygiene, whether it is remote, On Premises, or in the Cloud.  You also need to remind that the same security policies apply in all kinds of environment.

My Thoughts On This

Remember, moving to the Cloud is not an easy task, especially if you have a large organization.  It should be noted that it should be done in phases, especially when it comes to moving the controls over.  It is always best to hire a solid, reputable Cloud Services Provider (CSP) that can pretty much do all of this for you, as they will have the experience. 

Best of all, they can continue to oversee your new Cloud environment after the migration has been completed, and all of the security aspects of it as well.

In this regard, many CSPs are now focusing these services onto the SMB market exclusively . . . this making it much more affordable.

Saturday, November 20, 2021

How To Stay GDPR/CCPA Compliant With ML & AI

 


It just struck me today that I have been doing a lot of writing on AI and ML this year.  In fact, I even wrote an entire book on this subject, and it came out in the springtime.  Even on my podcasts, I usually ask my guests what they think of it, and if they are currently using or planning to implement it in their future product and service lines.  

The answer I get most of the time is that they plan to deploy it in a phased approach.

The main reason for this is that the terms AI and ML are very much misused in the Cyber Industry, especially by the vendors themselves.  There is a lot of hype around it when selling products, and of course, customers get excited when they think they are deploying the latest and greatest.  It’s like calculating Cyber Risk. 

Every vendor under the sun claims to have their own unique, trademarked formula.  But truth be to tell, all of these fancy formulas all stem from the same set of statistical techniques.  But that is about as far as I am going to take this, don’t want to get too critical (though I do have some rather harsh views on this). 

It’s the same thing for AI and ML:  Garbage In and Garbage Out for the data that is being used to train the systems.

But with respect to the latter, it finally dawned on me the other day is that the datasets that are feeding into the AI and ML systems also have to be compliant with the data privacy laws, especially that with the GDPR and the CCPA.  That is something that never occurred to me, even as I wrote my book about it.  But with this in mind, you now have to keep into account compliance from this perspective as well.

So how do you do it?  Here are some quick tips:

1)     Make sure that you have the permission to use it:

This relates to when you are collecting customer information and data as they visit your website.  Nowadays, you have to have a check box on your contact form asking the prospect that they consent to having their private data collected, and also being stored and processed for uses down the road.  You also have to give them the right to opt out and have their Personal Identifiable Information (PII) datasets deleted from your databases upon request.  But it does not go as far as just as your website.  It also includes if you are processing orders from customers on the phone or even your online store.  The main intention here of course is to feed this kind of real time information and data into your AI system so that you can further study their buying patterns, and even try to predict what future purchases could be.  But, you have to let the know for what purposes the information/data is being collected, and they also have the right to opt out in this regard.

2)     Scrub your data:

The above scenario pretty much applies to when you are interacting with customers and prospects on a real time basis.  But what if you are feeding data into your AI and ML systems from previously collected sets?  How do you keep clean with the GDPR and the CCPA in this regard?  The best way here is to go through these datasets, and purge anything that appears to be personal, or that can identify a particular individual.  In this regard, you will probably purchasing these kinds of datasets from a vendor, and really it is there job to do this.  But to be really safe, you should probably run a double check on it as well.  If you can, as far as possible, try to train your systems without the PII datasets involved.  Although the GDPR and the CCPA are still very murky in this area (thus giving you some leeway), it is best to be safe rather than sorry.  This all comes down the “Right To Be Forgotten” provision in the GDPR.  More information about this can be seen at this link:

https://gdpr-info.eu/art-17-gdpr/

3)     Know where your data resides at:

I remember reading an article some time ago polling CISOs if they were their data is stored at.  Quite astonishingly, a majority of them did not know where it was kept at.  But, you should not be a part of this statistic!  If you have to collect PII datasets to train your AI and ML models, you must know every step of the way how these types of data are being archived, stored, and even processed.  In fact, this all has to be documented.  Yea, it sounds like a real pain, but taking the extra steps to do this now will save you the nightmares of having to go through an audit and face serious financial penalties down the road.  In fact, you really have no choice in the matter.  The GDPR and the CCPA both have specific mandates that require you to know where all of your data is kept at.

4)     Always protect the data:

If you ever read through the provisions of both the GDPR and the CCPA, one of the most common terms you will see is that of “controls”.  Essentially, these are the tools that you have put into place to protect your PII datasets in case they are every heisted, such as in a Ransomware attack.  This is where conducting an assessment on your existing state of controls on at least a yearly basis is absolutely crucial, and fixing up any weaknesses.  By doing this, not only are you showing to regulators that are in compliance, but you will have a much better chance of getting a liability payout from your insurance company as well.  But this is something that you should not go alone at.  You really need to have a compliance specialist help you out with this, such as that of a vCCO or vDPO.  Also, try to come up with and even use fake identifiers. If you have to mark out certain datasets, just to play it even more safe.

My Thoughts On This:

So as you have fun experimenting around with your ML and AI systems, just keep in mind that you too, are subject to the tenets of the GPDR and CCPA as well in this regard.  Everybody has a stake in this, but it ultimately comes down the CISO for the overall responsibility, so make sure to keep him or her always apprised.

Also, make sure that you purchase your datasets (which will be used for training purposes) from a vendor that has good, solid reputation, and is also abiding by the rules and regulations of the data privacy laws.  If need be, you may even have institute an entirely new vetting process for this.

Sunday, November 14, 2021

Need To Get More $$$ For Your OT? Try These 4 Golden Tips

 


In the world of Cybersecurity today, we are starting to realize that not all assets are digital in nature.  For example, it’s not all about the VMs or Virtual Desktops that you in Microsoft Azure or the AWS.  There is also a physical component to as well, which is just as much prone, or even more, to various threat variants. 

These are the legacy systems and even the modern systems of today that are used to support our national electrical grid or even run the robots along the manufacturing line.

This can all be referred to what is known as “Operational Technology”, or “OT” for short.  Technically, it can be defined as follows:

“It is the hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events.”

(SOURCE:  https://www.gartner.com/en/information-technology/glossary/operational-technology-ot)

So, the keyword in this definition is industrial equipment, no matter how old it is.  And as just mentioned, they too are just as vulnerable.  Just think about some of the past events that have happened – the Colonial Pipeline attack, the various attacks to our water supply, etc. 

These need to be secured as well as the newer forms of OT come out.  But, this means asking for more money.

So how do you go about doing this, when you have enough of a hard time trying to get just a regular Cybersecurity budget approved?  Here are some things to keep in mind:

1)     Think about who are you are going to ask the money from:

Ultimately in the end, it is the C-Suite that will give more or less the final nod for some increased spending.  So, think about the language they want to hear.  Unfortunately, IMHO, the only thing they can really understand are just a bunch of numbers put together with some buzzwords attached to the presentation.  The big buzzword right now is “Risk”.  So in your proposal or memo in requesting for money, try to approach from this perspective.  This is not the place to dazzle the C-Suite with fancy models and algorithms, just simply point out where the current level of risk your OT technology stands at this point in time, and how the increased spending can reduce it down to a much more tolerable level.  And also, don’t forget to include the ROI that will be gained from increased spending, as this will be the next question to be asked by the C-Suite.

2)     Explain how the other areas could be mitigated:

Whenever a company is impacted by a security breach, whether it is on the digital assets, or even the OT technology itself, there will always be costs that will be incurred, no matter what.  These include downtime, getting the mission critical systems back up and running ASAP, the costs of employees containing the attack, etc. can all add up very quickly.  Explain to your C-Suite a what of scenario:  What if had the extra spending, the possibilities of having these extra costs will be mitigated.  But if not, and we are hit, they will be there, and the chances of even getting a payout on your Cyber Insurance Policy could take time as well.  I am sure that your C-Suite will like the former approach better.

3)     Come up with a plan:

In making the pitch to your C-Suite, always show a high-level plan as to how the extra funding will be used.  It does not have to go into a super amount of detail (that is your CISOs job), but showing where the money will be allocated to beef up with segments of the OT processes you have in place will go a long a way.  It will show to them that you have done your homework, and will know how to spend the money rationally and effectively as possible.  If you are asked for some details, then you will need to provide them as well.  In this instance, use the document that you created for your CISO, and pull stuff from that, but remember to keep it short and easy to understand.

4)     Provide some metrics as to how the money will be spent:

One thing about the C-Suite is that they like to see things presented as an incremental plan, rather than throwing everything in and the kitchen sink.  So rather than showing a PPT slide deck showing just how one large dollar volume will be spent, break that up into different slides and show how the money will be divided up and allocated to the various components of your OT assets.  Try to put this in a chronological approach, like first say X amount of $$$$ will go here, then the next bucket of money will be spent here, etc.  And if you really want to dazzle them, try to show the ROI at each step as well, but the C-Suite needs to fully understand that this also be just an incremental measure as well.

My Thoughts On This

Well, there you have it, some quick tips that hopefully you can use.  Keep in mind that asking for extra funding for OT security may actually prove to be a little bit easier than you may think.  For example, the C-Suite is always inundated with requests for the digital asset protection.  Remind them of the recent attacks that happened to the Critical Infrastructure.

Then play the what if scenario if all of a sudden there was a simultaneous hit where we had no water, gas/oil, electricity for weeks.  Then remind them that if there was just simply increased funding to protect all of these OT processes and technologies, the chances of this scenario from actually happening may never occur in the first place.

That should hopefully perk up your C-Suite’s ears quite a bit.

Saturday, November 13, 2021

The Tips & Tricks Into Finding A Great Threat Hunter

 


Some months ago, I wrote a blog posting on the importance of Threat Hunters on your IT Security team.  The stereotype for these people is that they are often shy, and tend to work by themselves, and others, if need be. 

They don’t carry out the image of the cloak and dagger, and hoodie image that the Pen Testers do.  The Threat Hunter actually looks more to be a like a scientist, given their title, which is all they do pretty much for their jobs.

They take into consideration all of the intel and information/data that is coming in, and from there, try to build up what future threat profiles could possibly look like down the road.  True, there are AI and ML tools that can do this, but it always takes a human to a certain degree to see just how accurate and realistic it all looks.

Therefore, hiring for a Threat Hunter for your staff, even if it is on a contract basis, is a different breed of animal than hiring for other types of Cyber positions.  So, what are the skills and traits that you look for when hiring for one?  Here is a quick checklist that just about HR professional can use:

1)     It is an analytical based interview:

Unlike other Cyber positions, you will be asking your candidate questions like what kind analytical courses did they take in college, if they attended?  This is important, as it shows they have the mindset of a potential scientist.  If they answer with such things as calculus, encryption, cryptography, you know then you are golden. But keep in mind that simply taking analytical courses is not just the make or break for possible candidates.  You also need to be asking them about the direct experiences that they have had with Threat Hunting, and how they approached it to find answers to questions.  Heck, your candidate may not even have gone to college. But that should not disbar them.  When interviewing candidates for a Threat Hunting position, try to bring in a member of the IT Security team as well that can ask more of the technical kinds of questions to probe their analytical thinking, and above all, to see if they could fit in well in the current environment. In this regard, you want your future Threat Hunter to think like an actual Cyberattacker, much like a Pen Tester would.

2)     They must be curious:

Apart from being analytical, your candidate should also exhibit a strong sense of curiosity.  Meaning along wit knowing the difference between integrals and differentials (LOL), they must be curious about the world that is around them.  Some great question to ask here is what kind of stuff do they like to read?  How do they keep abreast of what is happening in the Cyber world them?  What motivates them?  If you really want to test this, during the interview (perhaps in the second phase), you should pose to them a certain kind of Cyber scenario and ask them how they would find the answer to it, and what specific resources that they would use, apart from using Google.  A good question to also ask here is what some of their favorite Cyber sites are.  For me, being a tech writer, my favorite ones of those are those that bring reputable news stories and headlines.  A key feature to look out here is how the candidate looks at you when they respond to your curiosity-based questions.  If they look at you square in the eye, then you can tell for the most part that they are being honest.  But if they tend to get squirmy, then that should be somewhat of a red flag to you.

Ok, now let’s fast forward quite a bit and assume that you have found your ideal Threat Hunter.  The next question that often arises, is how do you keep this talent to the best that you can?  Well, here are some answers that could help:

1)     Create a social kind of atmosphere:

By this I don’t mean to have a party every day at your office (but that may not be a bad thing wither), but encourage your Threat Hunters to work with others on the IT Security team, and vice versa.  Try to get your team to share ideas amongst one another, and above all, share that information and data as well.  Let your Threat Hunters that you will be around for them, and they should not feel afraid to speak their mind, and ask for advice/help when needed.  From my experiences, Threat Hunters, as mentioned previously, tend to be a rather shy bunch.  Try to break that mold away from them.  Oh yea, and may not hurt to take your team out to lunch or dinner every few weeks to build these social skills.

2)     Let them do more:

By this I mean, don’t limit the Threat Hunters to just their specific job titles.  Let them explore other avenues as well.  In other words, don’t limit them.  By nature, Threat Hunters are explorers as well, and you should let them explore your kingdom, within reason of course.  Let them go beyond their limits, and the in the end you will be rewarded.  In fact, this reminds of the days when I was a white belt in Taekwondo.  One day, my instructor that all students could attempt break a concrete brick if they wanted to.  I asked, does that also include us newbies?  His reply was:  “I do not limit students by any means”.  So with those words, I broke the brick the first time around, and boy, did that motivate me to even higher levels.

3)     Always invest in and motivate your Threat Hunters:

We all know that the world of Cybersecurity is changing quickly, and that your employees mut be able to keep up with this.  Part of your job in the end is to give them the tools to get that extra education.  Yes, it can be expensive.  But this is something that you are going to have to convince your CISO about.  There may not be a direct percentage ROI immediately when you provide this training, but the chances are that happier employees will be around with you the longest.  And that can save time and money right there because a high employee turnover is not only expensive, but can also tarnish your company’s image in the end as well.  And always, whenever it is warranted, keep offering praise to your Threat Hunters.  They are not used to it by nature, so a simple pat on the back or even a random $15 gift card to Starbucks or Panera Bread can go a long way to keep employees as well. 

My Thoughts On This:

Yea, yea, everybody is complaining about the lack of Cyber workers.  The truth is that there is not, it’s how you approach it.  In this regard, and as I have written about before, take a holistic approach to it, and don’t get hung up by degrees or worst yet, certs.  Blah to the latter. 

If you think you have found the right candidate, by all means, offer them the job, and give them the chance they deserve to prove their worth to you and your company.

Sunday, November 7, 2021

Why The Era Of Software Sandboxing May Not Be Over Yet

 


As it has been apparent from the blogs, I have been writing that software developers need to be as much on the hook as possible to make sure that the source code they compile is as safe and secure as it can be. 

Unfortunately, this is an issue in which many developers just ignore, or if they actually do it, it is often at the very end when there is really no time to do it all, as the project has to be delivered on time to the client.

If testing source code is done properly, software developers will very often use a tool called which is known as “sandboxing”.  This is essentially where a cut of the production environment is simulated in a testing environment. 

From here, the source code is tested in order to discover any flaws, or vulnerabilities that might be present.

In this regard, there are three types of sandboxing environments that evolved over time, and these primary ones include the following:

*Full environment testing:

This is where the complete source environment is tested in a sandbox before it is released off to the client or the production environment.

*Operating System (OS) Testing:

This is the kind of environment where only the OS is tested, for example if newer updates are coming out, or a whole new one is going to be released.

*Cloud based Testing:

This is where a Virtual Machine (VM) can be configured and deployed either on the likes of the AWS or Microsoft Azure, and this is what is used for the sandbox environment.  

But, given the digital transformation that is beholden upon us so quickly pretty much by COVID19, sandboxing may soon be a thing of the past, despite how long it has been in the IT world.  Why is this so?  Well, there are five primary reasons cited for this, and here they are:

1)     It can only be used on a static basis:

`      It is important to note that sandboxing is not only used to test for source code, but it can also be used to test malicious threat variants, by literally “exploding” them.  For example, if your       company is hit by a malware, and once the .EXE files of that have been recovered, it can           triggered once again to determine how it actually worked, and the possible ways it could have infiltrated through your lines of defense. In other words, sandboxing can only be used from the             standpoint of investigation, and not really predicting what future variants of it could look like in the future.

2)     Sandboxes themselves are prone to hacks:

Yep, you heard me correctly.  The environment that has been created to test the safety of the source code needs to be protected as well.  In many ways, this is like a password manager.  They are great to use keeping your passwords secure, but they themselves need a master password to log into first.  You may be asking why a Cyberattacker would be interested in a testing environment?  Well, as I mentioned before, it replicates to some degree or another the actual production environment.  By hitting this key area first, the Cyberattacker will know firsthand what the weaknesses and gaps are in the actual IT/Network Infrastructure, and go from there, unhindered.  Also, sandboxes are prone to Social Engineering attacks as well.  For example, it could be the case that someone claiming to be a contractor that does work for your company could call a member of your software development team, and have them give out access.  Of course, this is not going to happen all at once, it will happen in stages.

3)     It is not a perfect solution:

Traditionally, it is has been the Virtual Private Network (VPN) that has been at the heart of securing the lines of communications for remote workers.  But this is assuming it is only about 20% that are remote.  But when COVID19 hit, the remote workforce has been now at almost 99% capacity.  The VPN simply cannot sustain this kind of workload.  Thus, is has shown signs of wear and tear, to a great degree.  The only other solution is the Next Generation Firewall, which some businesses in Corporate America have now started to implement.  This is the same situation with the traditional sandbox.  Whie it has been designed to be able to handle only a certain amount of workload at a time, it simply cannot keep up with the advancements in the digital apps that are coming out today.  It too is showing signs of its breaking point, and Cyberattackers are taking full advantage of that as well.

My Thoughts On This

Just as a disclaimer, I am not at all a software developer by any means.  I may know very little Python, but that is only source code that I have used in recent books.  Many people firmly believe that the era of sandboxing is over. 

But before we jump the gun here, keep in mind that just like the VPN, the sandbox was designed with technical limitations in mind.

Just because it cannot keep up with what is all that is happening now, it does not at all by many means that it should be simply discarded.  Rather, it should be used as part of a holistic solution when testing the security of source code.  For example, I have always been an advocate of testing source code at a modular level, rather than waiting till the very end.

So, sandboxing should be used along with other tools like Pen Testing in order to ensure to the customer that their deliverable is about as safe as it can be (again, there are no 100% guarantees in this either).  If you are going to use a sandbox environment, do it an AWS or Azure, as stated before. 

Create a VM, test your stuff, and then once you are done, you can simply delete that VM, leaving no traces behind for the Cyberattacker to latch onto.

Remember, whatever route you choose to go with the sandboxing, make sure you have the buy in that is needed, and that everybody is in the loop of what is going on.

Saturday, November 6, 2021

How The MVSP Framework Can Help The SMB Owner

 


Well, as we are now knee deep into Q4 of this year, security pundits have already started to predict what 2022 will be like.  Not too many have come out yet, which is quite surprising.  About a year ago, just about anybody with the title of “Cyber” with their name threw in their two cents worth. 

Of course, I will be also, but it will be closer to the end.

But one thing I have seen come about as I go through the news headlines is that given the horrible rash of Ransomware attacks this year, many companies have now started to come together in an effort to help find solutions. 

I would say that this probably has been fueled by the recent efforts of the Biden Administration, which is of course good.

The most recent of this kind of coming unity has transpired between Google, Salesforce, Okta, and Slack.  Together, they have come out with what is known as the “Minimum Viable Secure Product”, or “MVSP” for short. 

This is a checklist of source that has ben designed to create the minimum-security baseline that is needed for a company in order to make use of a third-party product or service, such as an API.

It has been cited that one of the prime drivers for this has been the Solar Winds hack of some time ago, when a third-party tool was used to infiltrate literally thousands of victims from just one trigger point.  Technically speaking, these are also known as “Supply Chain Attacks”.

The concept of this kind of survey is really nothing new.  It has actually existed for a long period of time, but the only difference between then and now is that there was no standard baseline in which to actually create the instrument.  As a result, many companies would have surveys that would take hours to complete, which in the end was a total waste of time.

And with the Cyber Threat Landscape changing by the minute, nobody has the time to sit down for hours to fill it out. Thus, that is why the MVSP came out, in an effort to address needs and requirements quickly.

But the nice thing about this tool, it also gives you an insight into the various controls that you will need in order to safeguard your PII datasets, in case you do decide to make use of a third party offering.

Better yet, the MVSP could also be a helpful guide to your business in coming into compliance with the tenets and the provisions of the GDPR, CCPA, HIPAA, etc.  Originally, the concept of this project first came into being with Google and Salesforce, but then mushroomed over to other companies, as just described. 

Probably one of the biggest advantages of the MVSP is that it is also highly scalable and flexible, and can be adjusted to your security requirements rather easily.  For example, it can be used throughout the stages of vendor selection, which can range anywhere from coming up a list of potential suppliers to ultimately choosing one. 

Also a key benefit is that the MVSP is designed to be rather short in nature, and so it can fit in quite easily as an addendum into RFP, which tend to be rather long to begin with.

So now the next question that you may be asking is how does one go about in actually using this kind of tool?  Well, there is really no clear-cut answer.  Just about any company can use it, and even those that are not involved in the tech sector. 

But it really comes in useful if you are either developing a Web application, or you do this as a service for other customers as part of your business.

For example, if you are creating a brand-new website for your company, it is quite likely that your software development team (or whoever else you hire) will use various sorts of APIs in this process.  You can use this survey in order to vet out APIs that are deemed to be safe to use, as many of them go outdated, or are not even upgraded with the latest patches and upgrades. 

On the flip side, if you are web development company that creates apps for other clients, then the MVSP is a must for you. You can consider this is as add to the normal testing that you should be doing to make sure that the product you are delivering is safe and secure.

Also, the IT Security team can use this tool as well in order to set up a baseline of they would like to see when it comes to procuring new security products and tools. 

My Thoughts On This

Personally, I think it’s great that these bigger tech companies are coming together to serve the needs of the average, everyday American citizen, and especially those that fall under the range of the SMB market.  Another great advantage of this the MVSP is that it is based on the Open-Sourced Model. 

This simply means that this project will continually to evolve and grow over time, as more updates are made to it.

And it is not just the tech giants that can contribute to this.  As far as I know, anybody can provide contributions to it, after you have used it.  But as the creators say, you should not just rely on this particular methodology to help beef up your lines of defenses. 

It just one more tool that you can add easily into your arsenal.

In fact, the next iteration of the MVSP will be focusing on how your existing set of controls can be further enhanced and/or developed.  Finally, much more detailed information on this can eb found at the following link:

https://mvsp.dev/

Protecting Yourself From The Coming Worldwide Cyber War

  As the world becomes more digital by nature, and the Remote Workforce now taking a permanent foothold here in the United States, security ...