Sunday, December 26, 2021

How To Keep Your IT Security Team Motivated In 2022

 


With the sheer number of COVID19 cases now spiking to unprecedented levels and the remote workforce a reality for probably all of next year, the cyberthreat landscape is becoming murkier and more difficult to predict.  With this, IT security teams are feeling extra pressure to take on more job responsibilities and are being expected to get these new responsibilities dialed in right away.

Now more than ever, these individuals need to be kept motivated at all times, in order to deliver what they humanly can.  How can this be done?  This is the focal point of this article.

How To Keep Your Team Motivated

Here are some key strategies that can be deployed rather quickly and easily:

1)     Create an environment of trust and goodwill:

One of the most basic human needs is to be listened to and heard.  In many businesses across Corporate America today, there is a sheer lack of communication between the C-Suite, the CISO, and the IT security teams.  This disconnect has become so bad that nobody even has a clear vision of who is expecting what to get accomplished.  Well, now that we are living in a new norm, it is time to change this, and foster a sense of open communication, along with assurances that your IT security team will be heard by the higher ups.  There must be a two-way flow of communication established, so that they know what to expect from you, the CISO.  Also, they need to have their ideas and plans heard so that at least they know that their efforts are not going for naught.  In this regard, it is very important that you spend at least a few minutes on a regular basis with members of your team, even if it is just a phone call or a simple video conference meeting, as face-to-face dialogue is the most preferred method in which to do this.  Just knowing that they are being listened to in an honest and open format will be a prime motivator in and of itself.  In fact, research has shown that those employees who feel that they are getting the support of their higher ups will be at least 2X more motivated than other employees.

(SOURCE:  1).

2)     Don’t micromanage:

The very last thing that your IT security team needs is to be micromanaged.  They know what needs to get done, so it is very important for you, the CISO, to take a step back and let this happen.  Instead of having each of your employees submit progress reports of what has happened in terms of fighting threat variants, create a chain of command.  For example, break down your IT security team into different subgroups, each captained by a team leader.  Team members should report to this person, who in turn reports to you.  This will get rid of the fear that the C-Suite is always watching over them, which can be a huge, constant worry, and even be detrimental to getting the job done.

3)     Foster an environment of career growth:

The very last thing you want is for the members of your team to feel stifled in their current positions.  Therefore, it is very important that you show you care about their professional growth.  In this regard, perhaps you can sponsor them to get the training that is needed in order to pass an exam for a cybersecurity certification that they have been wanting to get.  Also, try to have training sessions on a weekly basis to keep your team members current on the latest threat variants that are coming out, and perhaps even provide an educational forum for them so that they can learn more about the latest security tools and technologies that can be used to combat threats on a real-time basis.  Remember, you always want your IT security team members to maintain as much of a proactive mindset as possible.  You want them to take down potential threats well before they even become real ones.  Showing that you are personally invested in their respective career goals and interests will greatly help to foster that.

4)     Offer rewards:

One of the primary ways of motivating your team members is to offer some sort of monetary-based incentive.  Yes, budgets are now tight with all of the uncertainty that is currently transpiring, but even small and simple rewards will go a long way.  For example, if one group from your IT security team exceeds their goals in how quickly they can react to and triage real cyberthreats, you can offer to take them out for a nice dinner somewhere, or even offer gift cards in lieu of that.  Also, with working from home (WFH), those employees that are working remotely most of the time obviously need to get out and do something different.  With this in mind, perhaps you, the CISO, could even offer them substantially reduced gym memberships so that they can work out to help relieve the stress they are experiencing.  But of course, if your budget allows for it, giving out cash awards is probably the best motivator of all to show your appreciation for their loyalty and dedication to their cyber jobs.

5)     A little can go a long way:

This is something that will cost you no money whatsoever:  Always keep telling your IT security team about the good job that they are doing, even if something does not appear to go right.  Given the sheer pressure that they are under on a daily basis, the last thing that your team members want to hear about is what a poor job they have done.  This will not only break their spirit, but will also cause them to take on a “Who cares?” kind of attitude, which is something you do not want at all.  Instead, if there is something that you think needs to be improved or made better, take the route of offering tactful, constructive criticism.  In other words, instead of chastising them, say “Hey, maybe you could implement this instead of what is currently being done”.  Then follow that up with a healthy dose of positive feedback.  Remember, even a little pat on the back on a daily basis can ignite human motivation to degrees that even you may not have ever seen before.

Saturday, December 25, 2021

Why The Password Will Never Die

 


Merry Christmas everybody!!!! From my household of me and my two kitties, enjoy the day with family and friends!!!  But here is one caveat to this:  Please also stay safe.  This is the time that the Cyberattacker likes to come out in all forms, primarily to steal your login information.

So as you continue to shop from now up until New Year’s Day for those special deals online, remember to protect your password!!!  Even if it means changing it, please change it!!!

Here is why:  According to a recent survey by a Cyber company known as Beyond Identity, almost half (to be exact, 48%) of the respondents claimed that they would never visit a website again that would not allow or permit them to use the same password that they have had before.

In other words, once you reset your old password to a new one, you cannot use the old one under any circumstances.

There were 1,000 people polled in this survey, which also uncovered these startling stats:

*1 out of 4 shoppers would abandon their online shopping cart if they had to reset their password upon checkout (depending upon the dollar amount, the max any of these respondents would abandon was pegged at $162.00);

*50% of all of the respondents had to reset their passwords at least once a year;

*The generation that experienced the most password resets was the Baby Boomers;

*Through another study from Gartner, it was discovered that close to 50% of all help desk calls were related to password resets.  The average cost of this is now deemed to be $70.00 per password reset.  This is actually much lower than a few years ago, when password resets cost a company $300/employee.

More details on the study conducted by Beyond Identity can be seen here at this link:

https://www.beyondidentity.com/blog/password-resets-and-the-consumer-journey

More details on the study conducted by Gartner can be seen here at this link:

https://www.onelogin.com/blog/is-password-reset-the-pebble-in-your-businesses-shoe

These findings can be seen in the illustration below:

(SOURCE:  https://www.darkreading.com/risk/nearly-50-of-people-will-abandon-sites-prohibiting-password-reuse)

So as a result of this, many online merchants, and even the brick-and-mortar ones, are having a hard time retaining customers and bringing on new prospects, for the simple reason that they do not want to reset their password.

This creates a source of “friction” between the two, and that is the main reason why people will leave the website on which they are about to make a purchase in search of a competitor.

So what is a vendor to do?  Well, there has been research currently under way in which a passwordless form of authentication can be used.  In this particular instance, the customer, when they visit the online store, will be given a choice whether they want to go this route.  If he or she does, they will then be sent a link with which they can register for this service by simply using their Email address.

From here, an Encryption key is issued and tied to this Email address; all they have to enter is simply their Email address once they decide to log back on again.

So far, the reaction from the Cyber industry has been mixed on this one, which really surprises me, even though online vendors want to use it so that they do not lose customers and/or prospects all because of a mere password reset. 

But in the end, the results of these studies (as mentioned in this blog) point to the direction that whatever transpires, the customer is king, and if they want this kind of authentication, then that is what the industry has to develop and implement.

The more hard-core Cyber skeptics feel that this sort of passwordless authentication really offers no protection at all.  For example, what if the Encryption key gets hacked into (and which is quite possible, actually), then what? 

What other forms of authentication are available then to protect the customer?  Really, there are none, and this is the biggest fear, unless of course passwords were used once again as a secondary layer of authentication, which then defeats the whole purpose entirely.
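The Email-link flow described above, together with the key-compromise worry raised in the last two paragraphs, as an added Python example that is not part of the original post: the server issues an HMAC-signed, short-lived, single-use token bound to the Email address, and rotating the server key invalidates every outstanding link, which is what limits the damage if that key is ever stolen. The MagicLinkAuth class, the SERVER_KEY placeholder and the 10-minute lifetime are assumptions, not anything Beyond Identity or the vendors mentioned actually ship.

```python
import base64
import hashlib
import hmac
import secrets
from time import time
from typing import Dict, Optional, Tuple

# Hypothetical server-side secret; in practice this is loaded from a secrets store, never hard-coded.
SERVER_KEY = secrets.token_bytes(32)


class MagicLinkAuth:
    """Email-link login: the server signs a short-lived, single-use token bound to one Email address."""

    def __init__(self, server_key: bytes, ttl_seconds: int = 600) -> None:
        self._key = server_key
        self._ttl = ttl_seconds
        # Outstanding links: nonce -> (email, expiry). Redeeming removes the entry, so each link works once.
        self._pending: Dict[str, Tuple[str, int]] = {}

    def _sign(self, payload: bytes) -> str:
        # HMAC-SHA256 over the whole payload; changing the email or expiry invalidates the tag.
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def issue(self, email: str, now: Optional[float] = None) -> str:
        """Return the token that would be embedded in the e-mailed link."""
        now = time() if now is None else now
        nonce = secrets.token_urlsafe(16)
        expiry = int(now) + self._ttl
        payload = f"{email}|{expiry}|{nonce}".encode()
        self._pending[nonce] = (email, expiry)
        body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
        return f"{body}.{self._sign(payload)}"

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the authenticated Email address, or None if the token is malformed, forged, expired or reused."""
        now = time() if now is None else now
        try:
            body, tag = token.split(".", 1)
            payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
            email, expiry_str, nonce = payload.decode().split("|")
            expiry = int(expiry_str)
        except (ValueError, UnicodeDecodeError):
            return None
        # Constant-time comparison so a forged tag cannot be guessed byte by byte.
        if not hmac.compare_digest(tag.encode(), self._sign(payload).encode()):
            return None
        if now > expiry:
            self._pending.pop(nonce, None)
            return None
        # Single use: a second redemption of the same link finds nothing pending.
        pending = self._pending.pop(nonce, None)
        if pending is None or pending != (email, expiry):
            return None
        return email

    def rotate_key(self, new_key: bytes) -> None:
        """Key rotation: every outstanding link stops verifying, bounding the damage of a leaked key."""
        self._key = new_key
        self._pending.clear()
```

The link itself still travels over Email, so the short lifetime and single use are what keep an intercepted or forwarded link from being worth much.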

My Thoughts On This

In the end, as I have written before, the password will never leave us.  It has been a part of our society for decades, and in the end, people are creatures of habit.  They do not want to change their existing ways until something happens. 

Unfortunately, that is the way it is going to be for a long time to come.  Instead, the Cyber industry needs to come up with a better way not to create a brand-new authentication mechanism, but simply build a better mousetrap.

What do I mean by this?  First, mandate the use of a Password Manager.  That is what these software applications have been created for, to create long and complex ones, and even reset them automatically on a prescribed time basis. 

Then with this, use some other sort of authentication mechanism, such as that of Biometric, like Fingerprint Recognition or Iris Recognition.

It’s probably easier to mandate this kind of approach to employees in a business, but I fully admit that what I propose may simply not work for the online merchants.  For example, how are you going to mandate a customer or prospect to use a Password Manager before they can proceed in the checkout process? 

This could be yet another reason for them to leave.

The other part that is driving this is that the American consumer has now a lot of choices when it comes to online shopping.  As stated earlier before, if they are not happy with one merchant because of the password issue, they Google another, similar site.  It’s like shopping for a lawyer.  If you are not happy with your existing one, you can simply fire them and get a new one.

But in the end, the customer and/or prospect is going to have to be flexible and understanding as well.  They should take comfort in the fact that if an online merchant is making them reset their password, it means that they are trying to adopt good security policies.

I have been at websites where I have had to reset my password.  In my most recent experience, I had to reset my password three different times.

Did that detract from being a customer?  No, it did not.  Yes, it was a pain to do it and have to come up with a new one each time, but I know at least that this particular vendor is trying to protect my account. 

The bottom line is that the Cyber industry can create all of the latest authentication mechanisms, but the American public has to come to some middle ground with it in order to adopt it.

IMHO, that is where the key answer lies in this whole mess of Password Security.


Sunday, December 19, 2021

Understanding The Data Life Cycle Process & The Cyber Threats That Goes With It

 


Even before COVID19 hit, one of the biggest themes in Cybersecurity was that of data privacy.  Really, even before that, nobody cared too much about how their PII datasets were stored or used, as long as it reached whatever objective an individual was trying to get; for example, providing a credit card number for making an online purchase and having the online merchant store that number for the ease and convenience of making subsequent purchases.

But when businesses started to move to the Cloud and data leakage stories started to come out in the Cyber news headlines, people actually started to care how their information and data were being stored and processed.

Then came along the passages of the GDPR and the CCPA, adding more fuel to the fire.  Now, the American people want to know every detail of what is happening to their confidential stuff – and rightfully so.

But now the question emerges of what the Data Lifecycle Process really looks like, from when data is first collected to where it is ultimately stored and archived.  The reason for this is that people want to know about this in more excruciating detail – and this has been catalyzed by the COVID19 pandemic.

It should be noted that each and every entity, whether it is public or private, for-profit or nonprofit, has its own way of actually collecting data and using it.

But essentially from a bird’s eye view, it consists of the following steps:

1)     Its creation:

Data can consist of both hard-core numbers (which are known as quantitative data), or other types which are not number related (which are known as qualitative data).  These are also known as structured and unstructured data, respectively.  But where does it all originate from?  Truthfully speaking, given the digital world we live in, it can come from anywhere, and from any source.  But the most common image of data creation is when an end user submits their information on a “Contact Us” page on a website, or when they make an online purchase, as just stated.  Even the stuff that you put on Social Media sites is considered to be qualitative data, since anybody can view it, and even build a profile on you based upon it.

2)     Its storage:

Once the data is actually created, it must be stored somewhere.  Traditionally it has been stored in On Premises databases, but given that most businesses in Corporate America are now in the Cloud, this is where it is now stored.  For example, the two major Cloud Service Providers, AWS and Microsoft Azure, now offer dedicated data storage resources, or you can even create a virtual database (such as SQL Server or Oracle) and store the PII datasets that way as well.  But from the standpoint of Cybersecurity, this is one of the areas that needs the most protection, and also gets the most scrutiny if a data leakage issue actually occurs.  This is best exemplified by the recent stories of misconfigured AWS S3 buckets.  This was not the actual fault of AWS, but rather of the tenant of that Cloud space that did not configure things properly.

3)     Its usage:

Now, once the data is stored securely somewhere, it will be used somewhere, by someone.  The most common example of this is its use by external, third parties.  For example, many companies actually outsource their data processing operations to other people in order to cost-effectively support their operations.  A good example of this would be payroll processing.  Many companies will organize the payroll for a certain time period, and then send that off to an independent processor, like ADP, to organize and process it, and make sure that the pay is deposited accurately.  But once again, there are strong Cybersecurity issues here as well.  For instance, a business is entrusting PII datasets to another entity.  Therefore, they have to very carefully vet this entity, and make sure that it follows all of the security policies that have been set forth.  Also, individuals want to know how these external, third parties are handling their data as well – which really was never an issue before the ramp-up of the digital world we live in now.

4)     Its archiving:

After the information and data has been processed and used for whatever the purpose may be, the next step is to store that data securely, for later usage.  Cyber threats abound here as well, especially when it comes to the leakage of that data – whether it was intentional or not.  As also stated previously, this has been a huge issue with the major Cloud providers and others as well.  But a key caveat remains here:  A company simply cannot hold the data for as long as they want, or without giving a good reason for what its next purpose will be.  Also, under the tenets of both the GDPR and the CCPA, individuals must be notified in writing if their PII datasets are going to be held longer than what its original intent was for, and they must be given the right to have their data deleted by the company in question, provided written notification has been provided by the individual.

5)     Its final destruction:

At some point in time, a company will simply purge the PII datasets once they are no longer needed.  But it is not as easy as that.  The rules of the data privacy laws must be followed to the exact letter, and simply deleting it does not guarantee that it has all been permanently destroyed either.  There are still remnants of it that will remain, and those will have to be purged as well.  In this instance, the best way to do it would be simply to burn the disks containing the PII datasets, or better yet, give it to a data destruction company to handle.

My Thoughts On This:

So here you have it, a quick overview of how the Data Lifecycle Model actually works.  Again, it will be different from company to company.  But the bottom line is that Cybersecurity will be a key concern here as well, especially as we now make the entrance into 2022. 

It is highly expected that Ransomware will be the major threat variant, and of course the capture of PII datasets in that regard is the ultimate goal of the Cyberattacker.

Both Corporate America and even the Federal Government have a duty to protect this, and as American citizens, we have a key part to play as well.  For example, with the passages of these data privacy laws, it is now our right to know exactly where our PII datasets are going, and how they are being used. 

So take full advantage of this new right, after all, to be blunt, nobody else is going to look after this except for you.

Saturday, December 18, 2021

What Will It Take For Congress To Understand The Real World Of Cybersecurity Law

 


Just a few weeks ago, I wrote a blog on how the Federal Government is trying to come down hard on businesses, both private and public, for not disclosing Cybersecurity breaches as they are impacted.  Probably the first well-known law on this is the Executive Order signed by President Biden earlier this year.

Ever since then, different members of the US Congress have tried to draft their own bills to make things even harsher.

For example, under new US banking regulations, any bank hit by a security breach must report it within 36 hours to regulators and relevant law enforcement agencies.  Senator Mark Warner (D-VA) has also introduced a new bill entitled the “Cyber Incident Notification Act”, which requires businesses to report any Cyber attacks within a 24-hour period; if not, they face penalties of up to 0.5% of revenue on a daily basis until it is actually reported.

Under the bill introduced by Senator Elizabeth Warren (D-MA), called the “Ransomware Disclosure Act”, any impacted businesses would have to report any Ransomware payment made within a 48-hour timespan.

But now the question is starting to hit lawmakers:  OK, it’s great to have all of these greatly tightened requirements, but in the real world, is it even possible to enforce them, given how complex Cybersecurity has actually become?

A lot of this is due to the labor shortage.  Simply put, many IT Security teams just don’t have the manpower to report all of these incidents in the prescribed time period.  Their efforts are, of course, focused on mitigating what has impacted them, and on restoring mission critical business operations as quickly as possible.

Many Cybersecurity experts feel that the politicians who craft these policies simply have not lived in the real world.  Their view is that they can sit in their ivory towers threatening Corporate America, but what do they know about fighting off Cybersecurity attacks? 

Also, many organizations even here in the US are feeling the brunt of both the CCPA and the GDPR, and are trying to deal with coming into compliance with those laws before they get faced with an audit.

There has to be of course some middle ground here, so what can be done?  Here are some ideas I have come across as I peruse the Cyber news headlines every day:

1)     What if a Ransomware payment is made?

In the past I have written, and I still believe this today, that a Ransomware payment should never be made.  But now the Federal Government wants to punish those innocent victims that have actually made a payment.  For example, the Department of Justice is trying to make the point that if such a payment were to be made, that company would be held accountable for acts of treason against the United States.  Although we need to know the specific circumstances under which a Ransomware payment is made, it could very well be the case that the business really had to make the payment in order to get things moving again.  Take for example a hospital.  Suppose they have been hit with Ransomware; their first thoughts are going to be to get things up and running again, for the lives of their patients.  So if it means making a payment, then they will probably do it.  Why let patients suffer because of some government legislation?  So this issue needs to be seriously looked at.  I really don’t think it’s fair to put blanket legislation across all businesses.  It needs to be reviewed on a case-by-case basis.

2)     How much information and data should actually be released?

Just as much as businesses are subject to being scrutinized as to how much confidential information and data they are allowed to give out, the same holds true for the Federal Government.  In other words, how much should they ask for from the business that has been a victim of the Cyberattack?  If too much is given away, is that going to harm them in any way?  Will they be more subject to scrutiny and audits if too much is given out?  Again, this will vary for each individual business, as Ransomware attacks vary.  In this regard, you simply cannot apply a one-size-fits-all sort of policy.  Also, to what degree will this information and data be kept private, and out of the eyes of the prying public?  Can we actually trust government officials to keep things sealed, so that it does not further impact a business’s good and honest reputation?

3)     The reporting timeframe:

As stated earlier in this blog, there is pressure on most businesses to report any security breaches within a 36-hour time span.  But again, how realistic is this?  When a business is first hit, their immediate attention is on trying to recover as quickly as possible.  That in itself can take three days or even longer.  Obviously, while reporting this is a priority, it is not an immediate one for most businesses, as they have much more at risk to lose in the end.  Also, any investigation will obviously take a lot longer, so what is the timeframe for reporting this?  It can’t be done in the 36-hour time period, of course.

My Thoughts On This

I am all for businesses reporting their security breaches to regulators within a timely period.  Not these crazy deadlines of just one day.  But what defines timely?  Again, this is a gray area.  I think maybe within one week would be fair? 

I mean that should give a business enough time to restore mission critical operations, and yet, still take the time to report it to regulators.  Also, the punishment cannot be the same for all businesses either.

For instance, what if a subsequent audit shows that an impacted business has put in all of the necessary safeguards, but they still got hit?  Are you going to invoke the same kind of financial penalties as you would, say, to a Fortune 500 company that has been impacted many times over, with no lessons being learned?  Probably not.

Another problem here is just the sheer conflict of all of the data privacy laws that are going to be coming out by all of the individual states.  How should a security breach be reported if a business is hit in one state, and not the others? In the end, we all have a part in this.  Yes, there needs to be a legislative oversight into all of this.

But the lawmakers in Congress have to know what is realistic, and businesses have their role too.  For example, perhaps a dedicated resource should be hired for just the very purpose of reporting security breaches and dealing with regulators. 

Sunday, December 12, 2021

4 Golden Keys To Keep Your Cyber Attack Surface Small

 


In the world of Cybersecurity today, everybody basically throws in their two cents of advice on what to do.  Heck, even I do it.  You hear it all, from calculating your levels of Cyber Risk and Resiliency, to figuring out how good your Cyber Hygiene is, how to best implement controls, the top 5 best practices for this and that, blah, blah, blah.

But the one thing you don’t typically hear about is how wide your attack surface actually is.

What is it exactly, you may be asking?  It can be technically defined as follows:

“The attack surface is the number of all possible points, or attack vectors, where an unauthorized user can access a system and extract data. The smaller the attack surface, the easier it is to protect. Organizations must constantly monitor their attack surface to identify and block potential threats as quickly as possible. They also must try and minimize the attack surface area to reduce the risk of cyberattacks succeeding. However, doing so becomes difficult as they expand their digital footprint and embrace new technologies.”

(SOURCE:  https://www.fortinet.com/resources/cyberglossary/attack-surface).

So as you can see from the definition, your attack surface is pretty much your entire IT/Network Infrastructure, and all of the weak spots in them.  Yes, even those points that are fortified can still be considered as part of the Attack Surface, because a good Cyberattacker can always find a way in. 

An example of this is an On Prem Infrastructure.  All of the servers, workstations, devices, as well as physical and digital assets are the Attack Surface. 

So imagine your entire office, and there you have it.  But now that the Cloud has taken hold of Corporate America, the Attack Surface becomes much murkier.  For example, just because you think you have a dedicated Private Cloud does not mean that that is your total surface.

You probably have shared resources with other Cloud tenants that you don’t even know about, and if something happens to them, it could also roll over to your deployments as well.

For example, even with your own Cloud Deployment, you will be moving all kinds of resources and workloads around.  Heck, you may even be storing all of your Virtual Machines (VMs) in different data centers dispersed throughout the world.  While the purpose of doing this is primarily redundancy, this technically also increases the Attack Surface.

Now that the Remote Workforce will be with us for quite some time to come, this too has greatly expanded the Attack Surface as well.  For instance, you no longer have employees just working from one central location, they are now all over, working from who knows where.

Heck, even the improper testing of source code in a Web Application before it is released to a customer can also expand the Attack Surface.  For instance, many software developers use untested and outdated APIs to build the code, and it still does not get tested. 

The Cyberattacker is fully aware of this as well, and this is a key area in which they can inject malicious payload for subsequent attacks, after the app is handed off to the client.

Another catalyst for the expansion of the Attack Surface is the sheer deployment of a massive amount of security tools and technologies, without strategically deploying them.  As I have written before, this all goes back to the old proverbial statement that there is “Safety In Numbers”.  Many CISOs believed this before COVID19 hit, but now they are realizing that this is actually a huge mistake, and are scaling back, if they still maintain an On Prem Infrastructure.

OK, now that you have some idea of what an Attack Surface actually is, how do you go about either making sure that you do not expand it too much further, or, if you have to, how do you protect that expansion?  Here are some key tips:

1)     Get a good view of it:

Probably the best way to keep track of just how big or small your Attack Surface actually is, is to simply map it out.  Now of course, this can be a time-consuming and laborious process if you still have an On Prem Infrastructure.  But if you have a Cloud deployment, especially with Microsoft Azure, you have the tools already in your account to map it out, in just a matter of minutes.  Best of all, as you move or add resources around your Private Cloud, or even move them to different data centers worldwide, this map will be updated for you on a real-time basis.  No more work is needed on your end.

2)     Keep an inventory of what you have:

When one thinks of this, the notion of using Excel spreadsheets often comes to mind.  But forget this approach (unless, once again, you have an On Prem Infrastructure).  Once again with Azure, you have the tools to keep an updated list of all of the resources that you have at that moment in time.  Heck, you can even load up a list with all of the resources that have been taken out as well.  Also, this is updated in real time as well.

3)     Make use of dashboards:

Along with Azure, I think that AWS also offers dashboards and SIEMs as well.  The idea of these tools is to give you a centralized view in one place of all that is happening in your Private Cloud.  It is important that you make good use of these tools, as they are provided as part of the entire package that you are paying for.  Not only will you be able to get a holistic view of your Cloud Infrastructure, but you can also see the threats that are lurking out there, and even see all of the network connections that you have.  Thus, with these kinds of tools, your IT Security team should be able to cultivate a proactive mindset, which is so important when trying to keep your Attack Surface as small as possible.

My Thoughts On This

Based upon the tips I just gave you, your first thoughts are that I am simply pumping out the need to go to the Cloud.  But actually I am not.  Yes, the Cloud has its advantages as well as disadvantages (especially when it comes to data leakages), and in fact I know of many SMBs who have still opted to maintain their On Premises Infrastructure.

But by migrating to something like Microsoft Azure, once again, you already have the tools in place to help you understand the depth of your Attack Surface in just a matter of minutes, as opposed to doing this on a manual basis.  These minutes become absolutely critical, especially when dealing with today’s Cyber threat landscape.

Also keep in mind that yet another driver for the growth of the Attack Surface is the Internet of Things, also known as “IoT” for short.  This is where all of the objects that we interact with, both in the physical and virtual worlds, are interconnected together.  So keep this in mind if you are planning to implement IoT based devices for your company.

Saturday, December 11, 2021

How To Avoid Internal Fraud - 3 Action Items To Be Taken

 


Last weekend, I wrote about a new type of fraud that is happening more frequently these days:  Synthetic based ones.  This occurs when the Cyberattacker uses both real and fake information about you in order to create a whole new profile, essentially making you a person with totally different characteristics. 

The goal of this is to fly under the radar for as long as possible, as many businesses are simply not up to speed yet in capturing these kinds of attacks.

But whatever variant it is, it all comes down to one thing:  Fraud, especially internal fraud, is extremely difficult to detect.  The major reason for this is that it is often conducted by actual human beings, primarily carried out by using Social Engineering tactics. 

For example, you could have an employee that you have had for a long period of time, who appears to be happy, but underneath, they are planning a Fraud based attack on your company.

Employees, whether they have a criminal background or not, are often the first suspects that come to mind, because they know the internal workings of your organization, especially the weak spots.  So it all comes down to one thing really, which is quite unfortunate in some ways: 

You simply cannot trust anybody these days, no matter how well you may know them.

But for purposes of this blog, we will stick to how it relates to business, and some measures you can take to help avoid it.  Here we go:

1)     Create and deploy a fraud hotline:

I have actually written about this before, but although employees might be the proverbial weakest link in the security chain, they can also be your best source of internal eyes. For example, depending upon how large your business is, you cannot be in all places all of the time.  So therefore, you have to rely on your employees to report anything to you that may be suspicious or simply out of the ordinary.  Therefore, you need to maintain a special hotline on which an employee can anonymously report these kinds of activities without any fear of reprisals being taken against them.  In this regard, probably the best people to answer this hotline would be your IT Security team.  In fact, according to a recent report by the Association of Certified Fraud Examiners (also known as “ACFE”), 43% of all fraud cases are captured by these kinds of tips.  More detail about this report can be found at this link:

https://www.acfeinsights.com/acfe-insights/announcing-the-2020-report-to-the-nations

But keep in mind one more important thing:  All of the above assumes that you still maintain a brick-and-mortar office of sorts.  Given how the world is now going digital with the 99% Remote Workforce, obviously having a tip line may not be as effective.  Therefore, your best bet is to migrate to a Cloud based platform, such as that of Microsoft Azure.  They have all the tools you could ever need to identify and stop fraudulent attacks against your digital assets as they happen, on a real time basis.  Heck, they even give you tools to help you track down the perpetrator as well.

2)     Maintain the right set of controls:

Once again, this is one of the biggest buzzwords still being bandied about in the world of Cybersecurity.  But you know what?  Having the right set of controls in place has now become mandatory, as set forth by the data privacy laws of the GDPR and the CCPA, as well as others.  The term controls is a catch-all term, and which ones you use are largely dependent upon the kind of digital assets that you have.  In terms of fraudulent based activity, there are two types of controls:  Active and Passive.  With the former, it means that the controls you have in place are doing their job to mitigate the risk of internal fraud from actually happening.  This would include setting up rights and permissions according to the job details of the employee, having a segregation of duties, deploying Multifactor Authentication (MFA), having a regular password reset schedule, putting in physical devices to add more security, etc.  With the latter, as its name implies, you are taking a less formal approach.  Instead, you are making use of audits, sudden changes in the level of inventory, etc. in order to detect any fraudulent activity.  So you may be asking now which approach is the best?  Well, using both, in a hybrid approach, is the best one to take.  This will help to ensure that you are taking all of the steps necessary to protect your business from internal fraud.  In fact, according to the same report just mentioned, almost 30% of all fraudulent activity occurs because of a sheer lack of controls.

3)     Watch for any signs of abnormalities:

Let’s face it, life is a rat race. We all have our daily ups and downs, and emotional swings.  It is just a part of who we are as human beings.  But one thing for sure is that no matter how much we try to hide our feelings and emotions so that they are not so apparent to others, there are always involuntary clues that are given out.  But when it comes to your employees, one of the key things to look out for is how their behavior changes while they do their work.  For example, if there are drastic mood swings, unusual relationships with external third parties, a reluctance to attend meetings, or even to share in responsibilities, these are for sure red flags.  Now it doesn’t necessarily mean that your employee who is displaying these emotions is going to launch an internal fraud attack, but typically it is those that are disgruntled that are more prone to doing this.

My Thoughts On This

As I mentioned earlier, Internal Fraud will always be hard to detect. But for your employees, whether they are remote or not, always conduct training sessions, in a manner very similar to how you would run a Cyber related security awareness training program.

Always make your best efforts to make your employees feel happy, and most importantly, appreciated.  True, money and budgets are tight, but you do not have to spend a lot of money to do this.  Even simple verbal acknowledgements and gift cards can do wonders for the human spirit as well. 

In the end, remember that the costs associated with keeping your employees happy will far outweigh the costs if you are hit with an Internal Fraud attack.

Tuesday, December 7, 2021

Learn How To Deploy XDR At Your Company

 


Ever since the COVID19 pandemic has taken grip of this world, and especially here in the United States, one of the lasting remnants of all of this is the 99% Remote Workforce.  Now, people much prefer to work from home rather than having to go to the traditional office settings.  Because of this new reality, IT Security teams have been scrambling to shore up as many lines of defense as possible.

But unfortunately, one area that has not received attention is that of Endpoint Security.  Endpoints are technically the points of origination and destination of the network lines of communication between the remote worker and the servers where the shared resources reside.  Because of this, the Cyberattacker has been penetrating this area, and literally hangs out here until they are ready to make their move.

In response to this, a new methodology called “Extended Detection Response”, or “XDR” has started to make news headlines as an alternative to protect these vital endpoints.  In this podcast, we have the honor and privilege of speaking with Carrie Bowers, the Director of XDR at a leading Cyber firm known as Agio.  She will be explaining what XDR is all about, and how you can use it for your company.

You can download the podcast at this link:

https://www.podbean.com/site/EpisodeDownload/PB114D5832MCG8

Sunday, December 5, 2021

What Cybersecurity Will Look Like For The 2022 Olympic Winter Games

 


I remember when growing up, watching the Summer Olympics was always a huge thing for me and my parents.  They really loved the opening ceremonies, and probably one of their favorite sports to watch (as well as mine) was swimming.  It was fun to see all of the spectators on TV, cheering on their favorite athletes, and just essentially partying and having a good time.

Back then, the thoughts of Cyberattacks and even a world pandemic never crossed people’s minds.  The only fear back then was the physical one, in which people could possibly carry a weapon, such as a gun.  There was of course that one bombing, in which numerous people were injured.  

But fast forward to now, and the entire sporting venue has changed, literally the world over.

The COVID19 pandemic has changed everything, even including the Olympics.  The perfect example of this was the 2021 Tokyo Olympics.  It was supposed to occur in 2020, but with the outbreak, it was rescheduled to 2021. 

But even then, there was thought of rescheduling it yet again, because of a new onslaught of COVID19 which was starting to resurface again in Tokyo.

But the country forged ahead anyways, and decided to have it, but with the caveat that no spectators were allowed into the venues.  Many people questioned this, and even started to ask why even bother having it? 

But the Japanese government went ahead with it anyways, and the results that were yielded from it were, in the end, actually a double-edged sword for the country.

For example, there was a net loss of well over $30 billion, and some even question if the country will ever be able to recover from this huge deficit.  But on the flip side, these Olympics did prove one thing:  The Cybersecurity initiatives and efforts that were undertaken were amongst the best that ever happened in any public venue setting.

The consortium of people that were responsible for planning all of this was known as the “Olympic Cybersecurity Work Group” of the Cyber Threat Alliance, also known as the “CTA” for short. 

This particular alliance met many times in the run up to the Olympics, and prepared numerous Cyber analyses and presented their findings numerous times to the higher ups of the Olympic Committee.

They even went beyond this, and actually updated their documentation and findings in as close to real time as possible, as new threat variants were emerging on the horizon.  The group heavily cautioned the Japanese government of possible Cyber attacks by nation state actors, especially as it related to data hijacking, and Deepfakes, which could have been used to launch massive Phishing campaigns. 

Other possible targets were even the Critical Infrastructure of Japan.

Since it now appeared that the Olympics could only be attended in the virtual sense, by live streaming only, this would be the next possible target for the Cyberattackers.  Because of this, the Cyber vendor that was primarily responsible for the Cyber defenses of the Tokyo Olympics, NTT Communications, really upped the ante.

For example, an astonishing 11,000 Wi-Fi access points were deployed, and were watched on a 24 X 7 X 365 basis in order to make sure that they were not tampered with by any means. 

Also, great efforts were taken to protect the endpoints of these systems, as they were favored targets as well.  The results of these massive efforts eventually paid off. 

No actual Cyber threats materialized, and it was even reported that over 450 million potential Cyber-attacks were blocked.  More details about this can be found at the link below:

https://group.ntt/en/newsrelease/2021/10/21/211021a.html

This sheer volume represents more than 2.5X the total number of Cyberattacks that took place at the London 2012 Summer Olympics.  How was NTT able to yield this kind of success?  They have attributed it to the following reasons:

*Taking a holistic and proactive approach (which is exemplified by all of the reports and findings that they published and presented to the Olympic Committee);

*Constantly monitoring the Cyber threat landscape on a real time basis;

*The deployment of various SOC based services;

*Having a dedicated team of more than 200 Cyber professionals on hand, ready to act on a moment’s notice.

My Thoughts On This

Well, I have to be honest, it is great to see a Cybersecurity vendor take such a proactive approach when it comes to fortifying the lines of defense, and having such great success with it. In fact, this is probably the first time that I have ever written anything like this. 

But now, here is the interesting thing:  The Winter Olympic Games are supposed to happen in 2022, and of all places, in China. 

The good news here is that NTT will be the same Cyber vendor here as well, so hopefully the same rate of success will carry over as well.  According to their reports, there could be well over half a billion Cyber events that could take place. 

Just try to fathom that kind of number!!!  But it is important to keep in mind that NTT will have to probably reevaluate their Cyber portfolio for Beijing, because of the constantly changing threat landscape, especially with the recent rash of Ransomware attacks.

But once again, because of the recent variants of COVID19 that have also broken out, there will be no spectators allowed either at these games.  Therefore once again, live streaming will be what will primarily be used to watch the athletes. 

I am expecting that the bulk of the Cyber security measures will have to take place here, especially when it comes to the use of Deepfakes, as described earlier. 

While we are fortunate to have other means to have the Olympics, whether it is Winter or Summer, the days of seeing and watching people come together could now very well be gone.  What is the next thing to happen?  Well, the athletes could represent themselves as Avatars, and have the Olympics in the Metaverse.

Saturday, December 4, 2021

Understanding What Synthetic Identity Fraud Is & How To Avoid It

 


As we all know, one of the primary aims of the Cyberattacker is to ultimately steal our identity, and sell whatever information they can get from it on the Dark Web, or try to use it to get a hold of our bank accounts and the like. 

Traditionally, the norm has been to go after our real information, and launch attacks that way.  But now, there is a new trend that is occurring, and in fact, it is quite scary.  These are called “Synthetic Identities”.  You may be asking at this point what they are.  Well, here is a good definition:

“It is created by using a combination of real information (such as a legitimate Social Security number) with fictional information (which can include a made-up name, address or date of birth). Fraudsters increasingly use synthetic identities to commit payments fraud, which can escape detection by today's identity verification and credit-screening processes.”

(SOURCE:  https://www.federalreserve.gov/newsevents/pressreleases/other20190709a.htm).

So essentially, in these instances, the Cyberattacker is taking information and data that is real about you, and combining it with fake information/data about you.  It is important to keep in mind that most Cyber systems of today only keep an eye out for your legitimate information, in case it is ever stolen. 

Thus, to avoid detection, the Cyberattacker is now combining it with the unreal data to fly under the radar.

In fact, this new form of Cyber threat has gotten so bad that it has literally cost the US financial system over $20 billion just last year.  Back in 2016, it was just $6 billion (bad enough though).  Unfortunately, in these instances, the most common targets are the kids and the elderly folk of our American society. 

The primary reason for this is that these groups of people tend to have basically no credit history whatsoever. 

Because of that, all the Cyberattacker needs is just the name of the individual, and pretty much their Social Security number.  From here on out, all of the fake information and data can be created, and it will be even harder to detect, because there is virtually no financial history that law enforcement can tie back to in case they ever do become a victim.

With this, the Cyberattacker can create phony credit cards, bank accounts, etc. and use these vehicles for a much longer period of time.  The ultimate goal here of course is to collect all of the money that is possible, and house it in offshore accounts. 

And since these are technically not stolen credit cards or bank accounts, detecting the fraudulent usage of them has become that much more difficult.

Although difficult to detect, there are some very subtle telltale signs that a Synthetic Identity Fraud is actually taking place.  These include:

*People with near perfect credit scores, which in today’s world is a dream to have;

*Any sudden changes in contact details, such as phone number, email addresses, etc.  Now of course, people are going to be changing their contact details from time to time, but any rapid or excessive changes are good indicators;

*If at the checkout line, the customer is taking too long to remember and enter in their PIN number that is associated with their respective banking account;

*Or, if the vendor is using a Biometric modality, such as Signature Recognition, and it detects any anomalies in the way and manner in which the signature of the customer is actually being signed.

Of course, it takes a very well-trained eye to detect all of the above, so that is why the Cyberattacker is able to get away with this so frequently now.  The most common industries that are targeted for Synthetic Identity attacks are sports betting and the financial ones. 

The average financial damage to a victim in these instances can range anywhere from $81,000 to $97,000.

My Thoughts On This:

It is important to note that Synthetic Identity Fraud is just a small percentage of the overall fraudulent activity that occurs here in the United States.  But still, it is rising at an increasing rate, and as mentioned, it is very hard to detect.  So now you might be asking, how does one protect themselves?

Well, it all comes down to what age group you belong in, and how active you are with making purchases, whether it is in the brick-and-mortar stores, or even online.  For example, if you have kids, you have to make doubly sure as to who receives their PII datasets. 

With this, you also have to make sure that the elementary or high school that they are enrolled in is also taking serious efforts to protect it. 

If you are an elderly person with no credit card and just make purchases with a check or automatic payment or withdrawal, you need to be checking your account statements on a regular basis, or better yet, have a relative check your online accounts on a regular basis to make sure there is no questionable activity taking place.

Now, if you are like most of the American crowd, you probably have a couple of credit cards and bank accounts.  Because of this, you have to be much more proactive on your own behalf. 

For example, check your online accounts at least twice a day, examine all financial related documents that you receive in the mail (Cyberattackers are now even sending fake postal mail to lure you in), and check your credit report as much as possible.  Report any fraudulent activity immediately.

Also, keep in mind what you post on Social Media.  This is now a very much favored tool with the Cyberattacker, as they can now build up a profile on you by keeping track of the pictures, videos, and content that you post. 

They do this over a long period of time, so make sure to use all of the privacy settings that are available to you on these platforms.  Never put your credit card information on them!!!

Now comes the question of using AI and ML to track Synthetic Identity fraud.  Yes, these can be great tools to help combat it, especially looking for the very subtle clues as described previously.  But it can also be used for the proverbial dark side as well, especially when it comes to creating what are known as “Deepfakes”.  This is when an image of a real person is used in order to con you in, even though the whole thing is phony.  This occurs typically when there is a Presidential Election.

Finally, if you want to get further details into Synthetic Identity fraud, you can download a report at this link:

https://www.fiverity.com/resources/fiverity-introduces-2021-synthetic-identity-fraud-report2
