Sunday, January 30, 2022

The Next Damaging Cyber Trend: Click Paralysis & How To Avoid It

 


Let’s face it, right now, we as Americans are facing a high level of anxiety and nervousness.  A lot of this has been triggered by the huge upsurge in Omicron, the fears of inflation of what the Fed is going to do, rising political tensions in the Ukraine, at least here in Chi-town, the cold weather. 

But another key factor that is raising angst with us, especially with the Remote Worker, is the Cyber Threat Landscape. 

The reason for this is that on a daily basis (depending upon how much we tune into the news), is that you keep hearing about attacks every day.  Now, the newest one to come out and haunt our minds is the increased threat of Russian based Cyberattacks as tensions loom further as to what is going to happen in that part of the world.

Also thrown into the mix is that employers, yes, actually believe it or not, seem to be taking Cyber Hygiene much more seriously now, and are reminding employees of that, and the consequences of not following the security policies. 

While this is of course a good thing, this has stepped the boundaries onto the other extreme:  Remote Workers are now too scared to touch anything on their devices, for the dire fer of being blamed if something goes wrong.  This has become now known as “Click Paralysis”.

This is starting to become a huge concern now, as the productivity levels of businesses have fallen, as IT Security teams are doing their best to protect the digital assets of their employers.  What is now needed in Corporate America is a sense of balance being secure, and allowing employees to relax about things so that they can get their work done, and be productive.

So how can one embark on such a mission?  Here are some key strategies that any CISO should be following:

1)     Maintain a sense of transparency:

When we all worked at the brick-and-mortar offices before COVID19 hit, there was some sense of openness that was maintained, of course depending upon your boss. At least at the places where I have worked at, I was fortunate enough to have that in my managers.  But now, with everybody working from home, and being in the digital world that we are in now, this level of transparency has now for the most part, disappeared.  True, we can still see each other on Face Time, Zoom, Microsoft Teams, etc.  But it just isn’t the same anymore.  Somehow, managers across Corporate America are going to have find a way to bring all of this back, as the notion of the Remote Workforce looks like is now going to be a permanent fixture.  It has transcend all levels of the employer and employee relationship, even from the standpoint of Cybersecurity.  Employees don’t want to be scolded if they make a mistake, for the most part, we just need to be told what we did wrong, learn from our mistakes, and move forward.  So, it is in this sense that managers have to cultivate more a friendship kind of environment, and most importantly, one that will foster a sense of deep trust.  At least from the standpoint of Cybersecurity, one way to do this is have a hotline of sorts in which employees can report suspicious behavior to the IT Security team on an anonymous basis, without the fear of retaliation or job loss.  In fact, according to a recent survey conducted by Price Waterhouse Coopers (PwC), only 26% of the respondents polled felt that they could report an incident to their manager without the fear of reprisal.  Now, that is pretty bad, and this number has to improve greatly before a true sense of openness, honesty, and transparency can even evolve.  More information about this survey can be see at the link below:

https://www.pwc.com/us/en/library/covid-19/survey-adopt-a-cyber-savvy-culture.html

2)     Employees are your strongest asset:

Its’ in the news headlines all the time, that your employees are the weakest link in your security chain.  They see and read about it, and by mistake, you probably reinforce it as well when you communicate to them.  Because of this daily onslaught, your employees are indirectly brainwashed into actually believing this nonsense.  So as result, they are too afraid to try anything new, and if something does go wrong, they then blame themselves, which leads into more self-pity, and decreased productivity.  The time to stop this is NOW!!!  You need to change this around by telling your employees on a constant basis that they are your greatest assets, after all they are your eyes and ears when you are not around.  You need to tell them that it is OK to make a mistake, and that if anything does happen, your business can recover.  But of course, you have to strike a particular balance here as well, in that you do not want employees purposely to make mistakes by letting their guard down.  One of the best ways to do this is by having a good Security Awareness Training program.  Yea, I know, we all have heard about this, but the moral of the story is that it should not be some boring lecture for one hour that your employees care nothing about.  Rather, you need to make them fun and competitive by instilling a sense of teamwork and togetherness.  In other words, you want them to come back for more training, and not the other way around.  This is one strong way in which to motivate your employees to have a stronger level of Cyber Hygiene.  In fact, include the concepts of Gamification in your training approaches.

My Thoughts On This:

Now more than ever, you need to rely on your employees to be that proverbial 6tth sense for you to help you keep an eye on those digital assets.  As I wrote about in yesterday’s blog, it all comes down to being proactive. 

However, that does not simply mean that you go on a spending spree to buy new security tools and technologies.

Rather, it means instill a sense of Cyber empowerment with your employees, by taking action on the steps detailed in this blog.  It also means recognizing your employees for a job well done on the Cyber front. 

You don’t have to be lavish on the spending, even a gift card, or a reduced membership price to the local gym can help the human spirit go a long way than you have ever imagined. 

Also keep reminding your employees that the Cyberattacker can be defeated.  It may not happen all at once, but over time, it will certainly happen as long as you take the earnest efforts to maintain a sense of openness and transparency.

Saturday, January 29, 2022

5 Key Reasons Why We Live In Such A Cyber Reactive Society

 


Often, I get asked by client and prospects when did Cybersecurity actually start?  This is actually a hard question to answer, because nobody really nobody knows the answer to it.  Technically, you could say when the first mainframes came out in the 1960s, and the first Internet was born, which was called the APRANET. 

This allowed computers to be connected together, which posed the possibilities of them getting hacked.  But I can say for sure that the first documented Phishing attack actually occurred in the late 1990s, when a threat variant was launched against AOL.

So since then, obviously technology has advanced greatly, and has come to the point where we can literally say to Siri or Cortana, “Please start the coffee maker”, and it will start.  But of course, things are going to advance further much more than this as the years pass. 

Then another question I guessed asked from time to time is how did we get so bad at Cybersecurity, and how is it that the Cyberattacker has the upper hand now?  Well, there are many different reasons, and I will give the big one at the end of this blog.  But here are some of the reasons that have been cited so far:

1)     The Cyberattacker is very organized:

Honestly, one does not need to be wearing a hoodie, be sitting in a dark room with a laptop in front of them, with an IQ of an exponential amount.  In other words, you really do not have to be that intelligent in order to launch a true Cyberattack.  The reason I say this is that now, anybody could go onto the Dark Web and hire a Cyberattacker agency to do the work for you.  Why they are so successful these days is that they are organized, and they plan well ahead of time as to how they will attack.  In fact, this is why the Solar Winds hack was so successful.  It took months of planning ahead of time, and the Cyberattacker took all the time that they needed to carefully study their victim, and find their weakest spot.  This has become now known as the “Corporatization of Cyberattacks.”

2)     Payloads are much more intelligent:

With the advent of Artificial Intelligence (AI) and Machine Learning (ML) tools now become widely available, the malicious payloads, also called the “Malware” has become much more sophisticated in nature, and even more “intelligent”.  For example, most payloads can now sit in a dormant state in the IT/Network Infrastructure of the victim, going undetected for long periods of time (average is 90 days).  But they are not just simply sitting there.  They are actually collecting bits of information and data that it can use to leverage itself when it comes time for them to literally “explode on the scene”.  Of course by then, the damage has already been done, and the best anybody can do is try to mitigate any further damage as much as possible.

3)     Supply Chain Attacks:

By this, I don’t mean attacking the direct logistics and shipping lines that exist (but this is also a key target).  Rather, this is the instance where the Cyberattacker will use one weak spot to deploy the malicious payload, and from there, it can further spread itself in zombie like fashion, affecting thousands of other devices.  This is now technically known as a “Supply Chain Attack”.  Once again, the Solar winds example is the best one to use here.  Long story short, the company had a software package called Orion, which thousands of other customer used.  All the Cyberattacker group had to do was merely insert the malware in just one weak spot of Orion, and from there, it spread itself to hundreds of other victims, which included branches of the US Federal Government, businesses in Corporate America, and even the nonprofit sector as well.  Watch for this trend to continue in 2022, but with the Critical Infrastructure being the primary target in this regard.  In fact, 97% of the businesses in the United Kingdom were victims of this kind of attack in 2021.

4)     The Remote Workforce:

Now that this has taken firm root for the long haul now, this has opened a whole host of vulnerabilities for the Cyberattacker to penetrate into, thought things are a lot better now than when everybody first started to work from home almost two years ago.  For example, there is the intermeshing of the corporate and home networks, employees using personal devices to do work related functions, Zoombombing, employees using public WIFI’s in order to access the corporate network, etc.  But probably one of the biggest problems is that with such dispersed workforce, the threat of Insider Attacks and Social Engineering has become very real now.  Thus, businesses now have to examine closely any external threats along with any suspicious behavior that could be precipitating from within.

My Thoughts On This:

As mentioned, Cyberattacks are only going to grow, they will never stop.  Just consider some of these stats for 2021:

*The total number of PII dataset breaches increased by 17%;

*Over 40 million healthcare records were stolen;

*The payouts for Ransomware was pegged at $590 million.

These numbers are only expected to get worse as time goes on.  So what is the big reason why Cybersecurity is so bad today?  Well, it’s just the matter of the fact that we live in a reactive society.  We simply don’t think that we will ever become a victim, and we will only take steps to protect the business, customers, and employees after we have been hit with a security breach.

IMHO, this is how 9/11 happened.  The Presidential Administration at the time had the intelligence information and data to merit that something was going to happen, but they did not act on it in enough time.  Heck, even the hijackers that took control of the airplanes displayed very erratic behavior as they were taking flying lessons, but nobody reported them.

Unfortunately, this is the way our society works, and will do so for the long haul.  Humans are simply creatures of habit, and don’t want to change until something bad really does happen.

Sunday, January 23, 2022

Understanding The M & A Frothiness In The Cyber Industry

 


A few weeks ago, I wrote a blog about with the huge explosion of Merger and Acquisition (M & A) activity in the Cyber industry, many Cyber attackers are now taking advantage of these vulnerable situations in which to launch various threat variants. 

After all, people’s guards are down, excited about buying and perhaps even being bought out.  There is not much attention paid to the security aspects of it, especially when it comes to the covert theft of Intellectual Property (IP) during this transition period.

But M & A activity is expected to grow further, thus fueling the Cyber industry and all of the vendors to newer heights than they have ever seen before.  It’s hard to believe but just in the first three quarters of 2021, there was a whopping 238 deals that took place and closed. 

But keep in mind that it is not just Cyber companies buying out each other, but rather, it is the Private Equity Firms and even the Venture Capital firms themselves that are engaging in most of this activity.

Just in the first of 2021, there was a huge influx of almost $12 billion going into not the mature vendors, but the startups.  For example, this trend led to the development of new Cyber based startups coming out of the woodworks, in particular what are known as the “Unicorns”. 

These are the companies that have of course just evolved, and are worth more than $1 billion at the time of their valuation.

Six of these came out in 2020, with nine more coming out in 2021.  In fact, this trend is expected to continue well into 2022.  Here are some of the key reasons why:

1)     The investments of the past:

M and An activity in the Cyber industry is really nothing new, and in fact, it has gone on in full force since the last decade.  But it is not until now that its explosive growth is coming out into the limelight.  The primary reason for this is that for most companies in Corporate America, Cyber is now the big thing.  In fact, it is probably one of the biggest things for all Americans, given how the dynamics of the threat landscape are changing all of the time.  Because of this, many entrepreneurs just want to start up a company that will eventually be bought.  They are not interested in furthering the growth of their companies into offering something that is solid, rather their goal is have something can be publicized with all of the glory and glamor, in order to further hype up their valuation amount.

2)     Cyber companies don’t want to build:

The main powerhouses of the Cyber industry simply don’t feel the urge anymore to invest any further cash into Research and Development in order to come out with something new and unique.  Rather, they want to use that money to buyout these startups who have laid the groundwork for a new product or service, and from there, all that has to be done is merely build a better mousetrap with more bells and whistles attached to it.  To a certain degree this does make some sense, because one can just buy the frame, and customize to fit the needs of the Cyber market at that point in time.  But how long can this last?  Who knows.  As long as the bigger Cyber vendors have the $$$ to do this, the trend will continue. Further, this trend is expected to continue for those startups that offer such things as the IoT, and other Cloud based security services.

3)     It is a way to show revenue growth:

This kind of M and A activity can also be used, whether it is for the good or the bad, to show another revenue source on part for the larger Cyber vendors.  For example, if some of the revenue streams ae falling short in other areas, all that needs to occur is to buy out a startup that is making money and that also has a high valuation level.  After all, once you purchase a company, you are not just buying out its IP, but its profitable balance sheets and income statements as well.  Isn’t this kind of shady?  Yes, it is, but as long as it is done legally, there is really nothing that can be done about it.

4)     Cybersecurity will always be around:

Unlike most other industries, Cyber is unique in that it touches just about every market segment, and it is something that everybody will be needing now and well into the future.  In a way, this is similar to the food industry, in that people need to eat.  Thus, this gives those entrepreneurs with a very creative mindset to start up a company to keep coming with new ideas for products and solutions – whether it is just hype or the actual, real thing.  The bottom line here is that as long as there are new threat variants coming out every day, there will be a need for more Cyber based startups.

5)     Startups will be sold again and again:

Just because a Private Equity or a Venture Capital firm has bought out a Cyber startup, it does not mean that they will keep it.  After all, their primary bread and butter is money, and they will want to sell, or “flip” the startup at a higher price to another company, which could very well be a larger and more dominant Cyber vendor.  To these money firms, holding onto startups for a long period of time is like holding onto inventory, they want to get rid of them as quickly as possible.  Or these IPOs could be positioned to become an IPO if these money firms pump enough capital into it.

My Thoughts On This

In the end, Cybersecurity is going to be around with us for quite a long time to come.  It is unlike the Internet bubble; in that we need to have some sort of security to protect both our physical and digital based assets. 

So, this M and A activity that I have just written about here will be one of those catalysts that will continue to drive the Cyber industry further.

My main concern here is that is that this simply seems to be all too frothy for me.  Meaning, nobody is building a rock-solid product or service that will truly meet the needs of the American consumer or business.

All that is being created are bells and whistles in order to capture the attention of the Private Equity and Venture Capitalist firms.

I predict that this could be the beginning yet of another bubble that will eventually burst.  But rather than that being the end of it, another one will be created and so forth, just given the sheer demand for Cybersecurity, and the needs to keep up with what is out there.

Saturday, January 22, 2022

Data Security Issues With The Remote Workforce & How Forensics Can Help

 


Introduction

The concept of the Remote Workforce has now become a reality for the long term, going well into 2022, and possibly even beyond. While most Cyber experts were predicting that a near 99% Virtual Workforce was possible in a 4-5 years, it came to fruition in just a matter of two months, right when the COVID-19 pandemic started.

Many businesses across Corporate America were not prepared for the sheer gravity of this situation, and as a result, new Cybersecurity issues have sprouted, especially concerning the intermingling of home networks with corporate networks. As a result, this has exposed confidential information and data to being easily heisted by malicious third parties.

There are other data security issues as well that have come about recently, and this is the focal point of this article.

The Main Issues

1)     The use of the Virtual Private Networks (VPNs):

The VPN has normally been one of the most relied upon tools in which to transmit confidential information/data across a network connection. While this technology has been designed to support a workforce that works remotely about 20-30% of the time, it simply has not been able to keep up with the magnitude that became necessary beginning in March of 2020. Because of this, the total number of brute force attacks has escalated to levels never seen before. For example, these kinds of security breaches now make up for at least 45% of the cases that Incident Response teams must respond to (SOURCE: 1). This kind of attack is carried out in almost the same fashion as it would be against a server. For example, the Cyberattacker targets a specific portal that is associated with a VPN, and completely overwhelms it with hundreds of phony authentication requests, making use of an already heisted list of credentials (most likely purchased from the Dark Web). Once the right username/password combination has been found, the Cyberattacker then has a quick and covert way to access into the lines of communication and hijack proprietary information/data that is in transit. Worst yet, this point of entry can be used to leverage lateral movements into other corporate networks, in an attempt to hijack the Personal Identifiable Information datasets of employees and customers for further exploitation.

2)     Lack of company issued equipment:

In the rush to get employees to work remotely as quickly as possible, many organizations were under a severe time crunch in order to issue equipment that had all the necessary protocols installed onto them. As a result, many devices were not set up properly, or remote employees were not given anything at all. Because of this, during the interim, people have been using their own personal devices or smartphones to conduct their daily job tasks. This, of course, has been a huge security risk because of the lack of security controls that are on them. It could also mean risking further exposing confidential information and data to levels that are totally unacceptable.

3)     The use of the Cloud:

Over the course this year, many businesses have also realized some of the strategic benefits of using a Cloud based platform (such as that of the AWS of Microsoft Azure) in which they can move their entire On Premises Infrastructure into. While these providers do offer an extensive suite of tools that a company can use to protect their virtual databases, the problem now comes to a matter of proper configuration. In these cases, the default ones are used, which are often not compatible with the security requirements of the organization, thus offering a new backdoor for the Cyberattacker to penetrate into, to heist confidential information and data.

4)     The use of insecure networks:

 

When restrictions were eased up during the summertime, many remote employees started to work in public places, such as that of Starbucks or Panera Bread. While these venues do offer internet connectivity, they are very often insecure, as they offer no level of encryption whatsoever. Rather than using a secure connection, the tendency was to use these public connections in order to carry out work related duties. As a result, all the information and data that was transmitted back and forth were done so in a clear text format, making it quickly visible to the outside world. Or worst yet, these venues are also the perfect places in which a Cyberattacker can leverage a Social Engineering attack. For example, a Cyberattacker can easily pose as a patron, and engage in a conversation with a remote employee. Even if a secure network connection was established, a data packet sniffer could easily be covertly hidden in a clothing pocket so that the data packets can be captured, and the information residing in them could be exfiltrated at a subsequent point in time.

 

5)     The lack of proper patching:

Before the COVID-19 pandemic hit, companies (for the most part) maintained a fairly normal schedule of applying the needed software patches and upgrades to all of the servers, databases, and employee devices. But with many remote employees now using their own home-based networks in order gain access to shared resources, it has almost become impossible for IT Security teams to deploy these patches. After all, you cannot force a remote employee to install something onto their home network if they don’t want to. Many organizations are still trying to find a fix to this grave issue, and in the meantime, the Cyberattacker has yet another easy way to get access to your most critical information and data. This is due to the fact that many remote employees still have not upgraded the security levels of their home-based networks and rely upon just one password to protect them.

Conclusions

Overall, this article has examined some of the key areas in which your mission critical information/data can be covertly hijacked without even you knowing about it, until it is too late. But if your company is unfortunately hit with a security breach, you still owe it to your key stakeholders to conduct a thorough examination of what has happened and ensuring it can be mitigated in the future.

One way to do this is to conduct a Forensics investigation, led by a team of experts.

Sunday, January 16, 2022

The End Of The CISO & CIO Are Now Here: Embrace The "v"

 


When I was doing my MBA at BGSU just before the Internet bubble started, the world of Information Technology was just starting to explode.  As far as I remember, Microsoft kept coming out with new versions of Windows, as well as their Office line of products. 

E-mail was easier to use, with the likes of Eudora (thus effectively getting rid of the UNIX based Email approach) was getting popular, and heck even Netscape and their browser were starting to take off, which started the battle with Internet Explorer.

The main ISP at the time was AOL, and I think I even used that for the next decade until high-speed broadband came out.  The IT job market was explosive, and continued that way until about 2000.  At the time, everybody I knew of aspired to reach to the top, which meant even being the CIO of a company.  That was a big term back then, as anybody can attest to.

Even during the time of the major debacles of both Enron and WorldCom, the title CIO was still one to be aspired to go after.  Now fast forward about twenty years later at a breakneck speed, and now you don’t even hear the term of CIO even being mentioned anymore.  Now, it is the CISO which is the term that is being literally slammed around, but unfortunately in a bad way.

So, now the question comes up, is the role of the CIO even needed any more.  I actually wrote an article about this some time ago for a client, which offered the differences of what a CIO is and what a CISO is. 

Technically speaking, the former has been in charge of the overall business direction of the IT Department of the company.  Most of the technical tasks have been delegated downwards to the IT Managers that reported to the CIO.

The latter is much more concerned with the technical side of the IT world for the business, as the name implies.  Given the world that we live in today, it is no wonder that this job title is so widely used and heard of. 

But today, as I was perusing the news headlines of what to write about, I came across a very interesting article as to how the CISO should report to the CIO.

Admittedly, it caught me off guard, because this the first time in a while I had even heard the term CIO being used.  The article started off with saying that there were two schools of thought to this, and that they were as follows:

*The CISO should report directly to the CIO;

*The CISO should report directly to the CEO;

*The CISO should report directly to the legal department, and whoever the head attorney there is.  This thinking has been spawned mostly by the data privacy laws of the GDPR and the CCPA which have been recently enacted.

Interestingly enough, and if I am understanding the article correctly, in my view, the author actually reversed the job expectations of these two titles.  Broadly put, he implied that the CISO should now be responsible for the business aspects and direction of the business, and that the CIO should be held accountable for the technical aspects. 

Hmm, after reading those few paragraphs, I thought OK, I guess everybody can have their own opinion as to what they think is right.  The author then further made the hypothesis that the roles of the CISO and the CIO should be completely separate from one another. 

In other words, there is no reporting hierarchy here, the CISO does not report to the CIO, but rather both of them report directly to the CEO.

My thoughts are on this, wouldn’t be rather confusing for the CEO to have two different points of view, as it relates to technology and Cybersecurity? I mean after all, when one thinks of technology, the immediate thoughts of Cybersecurity automatically pop up. 

Nobody thinks of IT anymore as just mere desktops, workstations, and servers, they all now get lumped together into the same term.

His main premise for this hypothesis is that the first thing the CISO is known for is asking for money for their Cybersecurity budget, and that this should not be clouded with the visions that CIO has for the IT department. 

In other words, the author makes the claim that these two roles should be “decoupled” from one another.  To some degree,  I can see where the author is coming on this one, and to be honest, I think he is just trying to be fair to the CISO in their requests.

He finally makes the conclusion that by having distinct lines of separation, there will be a good system of checks and balances for the organization.

My Thoughts On This 

If you want my opinion, get rid of the role of the CIO entirely.  It is totally outdated, and really not even needed anymore.  But, keep the role of the CISO, but instead, make the role that of the “vCISO”.  Why is this?  Well, given today’s uncertainty about the COVID19 pandemic, no company in Corporate America now really wants direct hires for the role of the CISSO. 

The reason for this is pure and simple.

They are too expensive for the bottom line, given the enormous salary that you have to pay them, as well as those perks and bonuses.  Secondly, CISOs only last at most for 18 months, and from there, either get fired or they just quit.  Nowadays, you see many Cyber vendors offering what are known as “vCISO” services.

This is where essentially you procure the resources of an actual CISO, but you just hire them for a fixed term contract, and for a fraction of the price it would cost to hire a regular CISO. You can keep them for as long as you need.  In other words, there is scalability here. 

Bring them on when you need them, and when don’t, terminate the contract.

Plus, by going with vCISO route, they will probably bring a plethora of other contacts with them, which can help with staff augmentation purposes for your IT Security team.  All of this will never happen under the traditional CIO and CISO job titles.

Also as mentioned, with the advent of the data privacy laws, there are other “v” roles coming out, such as that of the vCCO (Chief Compliance Officer) and the vCDPO (Chief Data Privacy Officer).  There are probably other “v” roles that will emerge for the Cyber industry.

But if you really somebody like a CIO, then you need to hire what is known as a vBISO, which stands for Business Information Security Officer.  They offer the same business kind of advice that a CIO would.  Yea, there are a lot of acronyms here, but that is the direction that the world is now headed to.

So my view?  Once again, forget the CISO and CIO titles.  Go with the “v” roles instead.  They will give you the biggest bank for your buck, btu best of all, the services that they will offer to you will be totally vendor neutral and unbiased, thus allowing you to make the best decisions possible for your company.

Saturday, January 15, 2022

2 Brand New Ways To Train A Cyber Newbie In Secure Coding

 


The issue of the lack of workers in the Cybersecurity field is going to be one that plagues 2022 probably even more so than last year.  With more sophisticated threats coming out day by day, companies need to hire workers quickly in order to come up to speed. 

As I have said before, its not there are not enough people to fill these jobs.  It’s just that companies want that cookie cutter Cyber consultant with every cert under the belt.

The problem here is that nobody wants to train these much younger candidates, even if it means on the job training.  There are many job titles which need to be filled, and now there is a new one that has just cropped up:  The need for software developers that know how to write secure code.

One would think that a recent graduate from a reputable computer science program would be taught in their courses in the principles of how to write some baseline level of secure code. 

But very often they are not, and the culprit here are the computer science professors themselves.  Rather than devoting to quality instruction, many of them just want to do their research.

Which is fine of course, if that is what they choose.  But critics have pointed out that if a professor is assigned to teach a computer science in programming, then they owe it professionally to their students to spend some of that time in teaching the students how to write secure code. 

Because of this, it has been found that at least 76% of all applications by software developers have experienced at least one major security flaw.  More information about this can be seen at this link:

https://www.veracode.com/state-of-software-security-report

From this report, there are other factors that have been cited as to why there is no training in this regard at the collegiate level:

*Professors simply do not know anything about secure software coding principles;

*If they do know something about it, their focus is more on protection rather than teaching as to how a Cyberattacker can actually manipulate a Web app and break in from the weakest point, such as that of a Trojan Horse, or a SQL Injection Attack, as examples.

The study (from the link above) also concluded that as much as there is a gap between the unrealistic cookie cutter job descriptions and the candidates that are out there, there is also a gap that exists between academia and the real world of Cybersecurity.  But the latter is an issue for an article at later point in time.

So what can be done to resolve the problem that we have now, which is the lack of software developers that have some basic training in secure coding?  Here are some ideas:

1)     Train ‘em:

If you have found a candidate fresh out of college with hardly any training in secure software coding, and if they are excited and you think they have potential, snag ‘em up.  Train them in the ways that you think secure coding should be done, and if you don’t know much about this, then get somebody from your IT Security team to get heavily involved in the early stages of this training to the newbie.  By showing that you are taking this extra time for training, not only will the newbie be more motivated to learn, but there will probably be a much higher chance that they will be loyal employees, and stick around with you for the long haul (this is also another problem that the Cyber industry is having – employees bailing ship for a higher paying job).  But, keep in mind, try to keep this training exciting to some degree.  Don’t make into some boring college lecture.  Use the same principles that you have adopted to create a great Security Awareness Training program and use them here as well.  Now, this is all in house training.  You may even want to supplement this with training from outside vendors, just as a way to add more mix to the flavor.  But above all, try to keep this training with real instruction, to make it more interactive.  Just don’t make the whole training program based on some computer modules.

2)     Think long term:

The CISOs in Corporate America are under constant pressure, and that vise is closing in tightly every day, making them reach their mental breaking points quickly.  Oen of the pressures they face is that they need to get software development projects off to the client in the expected time of delivery, for the sheer reason so that they will make payment on it.  Because of that, the excuse is often made that they cannot afford the time to train newbies in this aspect.  But here is where the risk versus reward tradeoff comes into play.  Yes, there is risk that the project could slow down, but guess what?  That cost pales in comparison to the cost if a major security breach were to happen to that project you deliver.  The client is going to point their fingers directly at you, and you could even possibly face a lawsuit.  Now, if you just could have taken some time to train that newbie in how to write secure code, there is a good chance that all of this could have been avoided. And if it comes to the point where you hired a couple of new developers, and you also got a new project handed down to you, try to bake in that extra training time into the deadline of the project.

My Thoughts On This:

Yes, it all goes back to the same issue as I have mentioned before:  Companies will never find that cookie cutter job candidate, and if they do, there is no guarantee that they will even be the right fit for the job when they start. 

Recruiters are simply basing their expectations on what they put on paper, not what could potentially happen in the new world. 

So take the risk, and hire that newbie.  There is really nothing to lose, and IMHO, the benefits far exceed the costs of doing this.  But keep in mind also that your experienced developers will have to be at the forefront of the latest secure coding practices as well. 

So make the training fun, and make it competitive so that everybody will in the end:  You, the CISO, your employees, and your clients.

In the end, it has been cited that there is a Cyberattack that occurs every 39 seconds to a Web based app, the cost of malicious data exfiltration will far surpass the $424 million mark from last year.  Try not to be part of these stats, by simply training your team.

Thursday, January 13, 2022

The Next Evolution: Web3

 


For the longest time, and even as far back as I can remember into the mod 1990’s, we all have become highly dependent upon the web, and the Internet.  We take it for granted that once we flip open our wireless device, we can immediately pop up a web browser and we can get access to what ever we need to do, or get access to information for a project that we might be working on.

The web browsers have even come under heavy scrutiny lately, especially from the Cyber standpoint.  But, there is now a new level of web, which is known as the Web 3.0, which could be coming out very soon. 

As its name implies, it will be the third generation of the World Wide Web, but it is destined to be far more interactive than the web as we know it now.

Here is a good definition of it:

“Web 3.0 is the upcoming third generation of the internet where websites and apps will be able to process information in a smart human-like way through technologies like machine learning (ML), Big Data, decentralized ledger technology (DLT), etc.”

(SOURCE:  https://coinmarketcap.com/alexandria/article/what-is-web-3-0)

In other words, a very general overview of it is that the end user will have control over the data that they share, rather than the other way around, where the companies have control of it in their databases. 

In today’s podcast, we have the honor and privilege of interviewing Anthony Figueroa, the Co-Founder and CTO of Rootstrap, Inc., a leading AI firm in the Bay Area to explain more about the Web 3.0, and what it means to you.

You can download the podcast here:

https://www.podbean.com/site/EpisodeDownload/PB117A6DFSUNE2

Tuesday, January 11, 2022

Understanding The Importance Of Conducting A Risk Assessment In 2022

 


As we steamroll into 2022 at a fast clip, one of the biggest buzzwords that you will hear about is Cyber Risk.  Although if you Google this term, you will see many different variants of the definition come up, as it will vary from business to business, and even people’s perception of it.  But how it is defined largely depends upon what your security needs are, and the appropriate controls that you have put into place to  mitigate the chances of any security breach from happening.

But of course as we all know, we all are prone to becoming a victim, there is no way around that.  But there are many ways in which you can reduce those chances from actually happening.  This is an example of risk.  Another example of it is how much downtime can your business tolerate (if hit by a security breach) before real financial damage starts to set in.

So as you can see, there are different ways to look at Cyber Risk.  But today, we hear from a Cyber professional who has done this for years, and we will be getting her insights.  In this podcast, we have the honor and privilege of interviewing the CEO of Tech Safe Systems, Ms. Kim Harshberger.  We will be covering the following topics:

*What is a Risk Assessment?

*Why do I need a Risk Assessment? 

*When should I have a Risk assessment done for my business?

*What can I expect to learn from this process?

*Why should I hire an outside firm to assess my company’s vulnerability? 

*What differentiates TechSafe Systems from other providers?

You can download the podcast at this link:

https://www.podbean.com/site/EpisodeDownload/PB1177DD54P7DZ

Sunday, January 9, 2022

The Good & Bad News For Critical Infrastructure Cybersecurity In 2022

 


As I mentioned in last week’s blog, the Cyber pundits have been playing it rather low key when it came to making predictions as to what 2022 could look like.  The year before that, the headlines were packed with predictions.  Maybe people are getting tired of hearing about Cyber-attacks, or perhaps the assumption is that the same will continue this year?

Even I have not posted any predictions, as I think it will be the latter.  The threat landscape will probably be a lot like 2021, but with perhaps some newer variants coming out.  Ransomware will still be at the top, but with a different target:  The nation’s Critical Infrastructure.  Sure, we have all heard this term, but what does it really mean?

Well, it simply refers to those systems that are at the heart of our nation, and what we come upon as a necessity for daily life.  Typical examples of these include our water supply, electrical grid, nuclear facilities, rail and air systems, and even our agricultural sector when it comes to food processing and distribution. 

You may be wondering why now all of a sudden, they will be a target?  Well actually, they have been targeted for quite some time, but just never made the news headlines.  At least until now.

Probably the biggest story to catch our attention in this regard was the Colonial Gas Pipeline attacks.  Here were some of the impacts of it:

*Almost 50% of the gas pipelines in the eastern part of the United States was shut down;

*Drastic increases in the price of natural gas in the financial markets;

*Over 10,000 gas stations ran out of fuel;

*The company paid out a whopping $4.4 million to the Cyberattack group in order to bring systems back online again.

It is important to keep in mind that the many of the integral components of the Critical Infrastructure were built back in the 1970s and early 1980s.  Back then, Cybersecurity was never an issue, people were only concerned about physical security.  Plus, many of the parts that have gone into building these components are no longer available these days, so you simply cannot rip them ou and put new ones in that are Cyber compliant.

Theoretically you could do that, but the downtime suffered would be totally detrimental to the country.  And, you simply just cannot add on new Cybersecurity tools and technologies.  They have to be able to work seamlessly with the legacy systems, without any issues.  So given all of this, what does 2022 hold for our Critical Infrastructure?  Well, there is the bad and the good.  Let’s first start with the bad:

1)     More attacks will continue:

Unfortunately, this is going to be the norm.  While they may not be the large-scale attacks like the one just described, it is anticipated that that there will be many small attacks, in order to throw the IT Security teams off guard as their main emphasis has always been on the protection of digital based assets.  IMHO, I don’t know of how many Cyber professionals out there that have credentials to specifically safeguard the legacy systems of the Critical Infrastructure.

2)     The IoT will grow even more:

The trend here will be for further growth in what is known as the “Internet of Things”, or the “IoT” for short.  This is where all of the objects that we interact with on a daily basis in both the physical and virtual worlds are all linked together.  While this does have its advantages, many IoT systems still lack strong Cyber standards, thus making them a prime target for the Cyberattacker, because of the expanded surface.  But the emphasis here in 2022 will be that on the growth of the IIoT, with first “I” represent the term “Industrial”.  This includes market segments such as gas turbines,  all types of manufacturing equipment, or charging stations for electrical cars.  Since they depend to some degree or another on our Critical Infrastructure, once again, this will only exacerbate the targeting of legacy systems even more.

Now, here is the good news:

1)     More involvement from the Federal Government:

The Biden Administration, in their Executive Order that came out last year, mentioned specifically putting aside a huge chunk of change to upgrade the nation’s Critical Infrastructure, and to implement some kind of Cyber countermeasures into them.  How long this will take is anybody’s guess, but at least now we have the attention of the leaders of our country.  Hopefully this will shake some things up this year.  What is really needed is funding, and more than what is already been promised.

2)     More advanced tools:

The positive here is that there has been a huge development in automation, at least when it comes to the Cyber world.  In this regard, you have to give credit to the tools of Artificial Intelligence (AI) and Machine Learning (ML).  With them, many of the mundane and routine processes can be done automatically, which even includes the detection of suspicious activity and even threat variants that have hit your systems.  Many of them can now be stopped, with hardly any human intervention involved.  There is work now being done as to how this can be applied to the Critical Infrastructure.  For example, if security breach is to happen, the entire infrastructure has to be brought down in order to mitigate the threat.  But by using AI and ML here, there does not have to the need for a 100% shutdown, rather, the threats can be stopped in real time, as they are happening right now in the digital world.

3)     The C-Suite will be paying attention:

Whether you love or hate them, the C-Suite of the Critical Infrastructure will now be held to the hot seat, and grilled by their respective Board of Directors as to what is being done to protect their systems.  The bottom line here is ignorance and excuses from the C-Suite will no longer be acceptable.  They will be held accountable (at least this is the thought for right now) for any actions not taken to help prevent Cyberattacks from occurring to nation’s Critical Infrastructure.

My Thoughts On This:

Although protecting the Critical Infrastructure can be a difficult task from a technical standpoint (as discussed earlier), I do hope and pray that we take attacks to Critical Infrastructure much more seriously now.  We, as nation, simply cannot keep paying the ransom, because if we do, this will only stimulate more attacks.

Remember the horrific days of 9/11?  Well, it won’t be airplanes crashing into buildings, but it will be a Colonial Gas Pipeline attack, but magnified on a scale of 10X, where there will be simultaneous attacks on different components of the Critical Infrastructure.

To put it bluntly, can you imagine going with food and water for weeks?  I cannot.

Sunday, January 2, 2022

The Zero Trust Framework Is Not A Product: It's A Philosophy & Mindset

 


In the world of Cybersecurity, there is no shortage of techno jargon related terms.  In fact, I would say that 2021 was probably one of the years in which this exploded, and it even came to the point where somebody even published an article on the most beaten up and over used Cybersecurity terms. 

Well, in today’s blog, I am about to bring you one of those over used terms. 

It is called the “Zero Trust Framework”, and this is a subject area in which I have written a good amount in, not just for this blog site, but in articles I have written for clients.  Generally put, the idea behind this is that you are implementing multiple layers of authentication mechanisms across your business. 

But it goes one extreme:  Absolutely nobody is to be trusted, not even those employees that have been with for the longest time.

The problem is that the Zero Trust Framework has been brought out more as an out of the box product.  It really is not.  But what it is a framework, or even a concept, that lets you increase your levels of security, depending upon the exact needs of your security requirements. 

I have to confess as well; I may even have brought this out as a product that can be deployed.

So the goal of this blog is to hopefully get rid of the line of thinking that it is a product, but rather, it is an abstract way of thinking that you can mold to fortify the lines of defenses.  How can this be done?  Here are some tips:

1)     Make into a mindset way of thinking:

Many IT Security teams do a very good job of explaining walls of defense, what has been divided and not in the IT and Network Infrastructure of your business.  They will mention about all of the security mechanisms that they have deployed, and how each layer works.  But it is important to keep in mind here that they are talking in a micro way of thinking. The Zero Trust Framework requires that you (the CISO) and your IT Security team take a holistic, or macro view of how these tools and technologies should be deployed. So in other words, rather than taking a siloed approach, go to a whiteboard and draw your IT and Network Infrastructure, then from there put in what is divided and what is not.  That will give you a much clearer idea of what is going on.  Better yet, use a diagram-based tool like Visio that will let you create this, that way you can put in the updates as they evolve without having to redraw the entire thing again.

2)     Authentication never ends:

The thinking in Corporate America today is still that the authentication and/or verification process is a one and done deal.  Meaning, once your employee’s identity has been confirmed, that’s enough.  But the truth is, is still not enough.  Although it may sound like a pain in the butt and totally inconvenient, your employee must be thoroughly authenticated for each and every piece shared resource that they want to gain access to, 24 X 7 X 365.  The key here is that each and every employee has to be treated this way, not just a select few.

3)     Give out only what is needed:

With the dawn and what it seems like the never ending COVID19 pandemic, the 99% Remote Workforce is now going to be a reality for a long time to come, if not permanently.  Because of this, many businesses are now moving everything to a Cloud based provider like that of the AWS or Microsoft Azure.  The idea here is that all of your digital assets can be accessed easier, and it will be in a safer type of environment, which will be monitored on a real time basis.  In fact, bot of these Cloud providers offer a robust set of security tools that you can start using in just a matter of minutes.  One of the things that will be easier to monitor is the kinds of privileges, rights, and permissions that your employees have been assigned, and if there has been misconfigurations made to them, whether it is intentional or not.  In this regard, you always want to keep making use of an old concept in Cybersecurity:  Establish the most minimal access rights that an employee needs in order to get their job done.  Then if they need more, the request should be evaluated and then if it is needed, then it should be assigned.  This is called the concept of “Lease Privilege”. 

4)     Make sure that everything is an optimal state:

In today’s digital environment, many if not most businesses are outsourcing some of their own processes to third party vendors in an effort to get the job done quicker.  While this many the case, keep in mind that somebody else now has access to your PII datasets, and that exposes the risk factor even more.  Because of this, you have to now take the assumption that there is always a security tool or technology that is not running efficiently to protect your digital assets.  Therefore, the Zero Trust Framework mandates that you also have to assume that nothing you deploy is working properly, and that they must constantly checked to make sure that they are running in the optimal state that you have established.  But keep in mind there are many automated tools that can do this for you, especially when it comes to using AI and ML. So, you don’t have to have an individual constantly watching over your security tools and technologies all of the time.  But what they need to be on the lookout for are the legitimate alerts and warnings that come in, and act on those quickly.

5)     Build a baseline model:

The Zero Trust Framework is not a one size fits all approach.  Meaning, what works for one company probably will not work for you.  Therefore, you the CISO, and your IT Security team, have to take careful inventory of all of your digital assets, and categorize according to them according to their particular level of risk.  This is where a comprehensive Risk Assessment comes into play.  Then from here, build up the baseline profile of what you and your team think is a threat and not, and accordingly, the appropriate alarms will then go off.  But it is also important that this baseline profile be updated on a regular basis, in order to take into account any situation changes that may occur.  Remember that creating this takes both quantitative and qualitative factors into consideration, not just one or the other.  Again, using the tools of AI and ML will be a huge boon here, as these tools can do all of this in just a matter of few minutes.

My Thoughts On This:

As I have mentioned before, the Zero Trust Framework is extreme, in that people you even trust the most now on a technical level cannot be trusted.  So now the question comes, how do you approach this when dealing with your employees and management, especially the C-Suite. 

Some may take the view that they should never be told that you are planning to deploy such a framework, in order to keep the level of friction down.

But I take the stance that honesty is the best policy here.  Always be upfront with your policy and the C-Suite.  This will always foster a better relationship in the end with everybody that is involved.  No need to keep anything secret.

But instead of using the term “Zero Trust”, perhaps a better phrasing would be “Zero Assumption”.  Just some food for thought.

Saturday, January 1, 2022

Why Mergers & Acquisitions Are A Favorite Cyber Target

 


Well, Happy New Year everybody!!!  It is so hard to believe that 2021 is already over, and that we are now starting 2022.  As I have told my clients and prospects, 2021 is the year that has gone by the fastest for me.  Hopefully the New Year will ring in prosper and happiness to everybody’s life.  But one thing won’t change and that is the Cyber Threat Landscape. 

Quite surprisingly, there have not been as many news headlines this year as in previous ones about what 2022 will be like.  Perhaps everybody assumes that it will be the same or worse?  Eventually sometime in the next week or so, I will put up on my thoughts on this as well. 

But one thing that did catch the news headlines was all of the Merger and Acquisition (M and A) activity that took place last year, in 2021.  It seemed like just about every day some deal was happening, or there was a Cyber company that was in the round of getting some sort of VC or Angel Ingel Investor funding.

This was all despite the COVID19 pandemic still going on, with new variants coming out (primarily that of Delta and Omicron), and causing some turmoil on the markets.  It is expected that this trend will continue into 2022, as some of the larger Cyber vendors gobble the smaller ones, and as the latter joins forces with other smaller entities.

In a way, this reflects a strong economy, but also it reflects that perhaps research and development/innovation could be slowing down as well.  This makes sense to a certain degree, after all why spend the time to come up with something new, when you can just buy the Intellectual Property from another company by simply buying them out, and then branding that as your own?

Whatever the case may be, M and A activity in the Cyber world is now starting to become a growing threat surface for the Cyberattacker. 

In fact just in 2021, there has been an almost 500% increase in the total number of Ransomware attacks.  It is believed that a good chunk happened to those companies that were in the middle of a buyout.

Why would the Cyberattacker take advantage of this kind of prey, you may be asking?  Well, both entities (the buyer and the buyee) are both in a state of flux, with confidential information and data being shared amongst one another, buy out details being finalized, etc. 

In other words, there is now an increased level of vulnerability as pretty much everybody in the C-Suite has their guard down, especially the CISO.

So if anything, this is the time where everybody’s guard must be up, because it is so hard to tell what is real and what is not in today’s digital economy.  Although there is no magic bullet that shield this vulnerability from occurring, there are steps that both sides can take to mitigate the risk of becoming a victim of a Ransomware attack.  So, what are they?  Here we go:

1)     Both sides should be Cyber ready:

During the initial talks of the Merger and Acquisition activity, both sides of the C-Suite (especially the CISOs) must assess each other’s Cyber Risk profile.  There must be an equal plane between both parties, and if not, it has to be leveled out to the satisfaction of both sides.  In other words, one cannot be greater than the other.  Once everybody is content with this, then the talks should continue.  If there is still a mismatch, then the talks should be halted until this is resolved.  After all, you are dealing with some pretty serious stuff here:  Intellectual Property, the PII datasets of employees and customers on both sides, market intelligence, etc.  The worst thing you want to happen is news breaking out of a security breach just right as a deal is about to close.  Also, communication is very important during this phase, so make sure that the IT Security teams on both sides of the fence are kept aware of what is happening of any adjustments that need to be made.

2)     Have all documentation in place:

By this I mean that all of the Incident Response/Disaster Recovery/Business Continuity Plans must be ready to be enacted if a security breach happens during Merger and Acquisition negotiations.  Both sides need to have these documents in place, and they have to be well rehearsed so that everybody knows what they need to do, with no minute of hesitation.  A great thing to do here would be to hold a mock simulation exercise of a security breach where the IT Security teams from both parties work together to stop the attack from happening.  Not only will this test the readiness of both sides, but it will also show any weaknesses which need to be resolved first before the actual can take place.

3)     Try to show a strong image:

With all of the information that is available on the Internet today, and especially through the Social Media sites, the Cyberattacker of today can build a profile of not just individuals, but of business entities as well.  They take their own sweet time to do this, and once they find a weak spot, they will make their move. And keep in mind that this is all done with publicly available information.  So therefore, both sides need to portray that image that their lines of defenses are strong, and that nobody involved in the transaction is a soft target.  Also, the CISOs on both sides (as well as the others that are involved) need to be very careful what is posted in the public domain.  The best advice here would be to post as little as possible, until the actual deal is signed, and done.  In this regard, it may well be worth the expense to even hire an outside Public Relationship firm that specializes in Cybersecurity to help out with this process.

My Thoughts On This:

I have to be honest, in all of the writing that I have done, it never occurred to me that a Merger and Acquisition activity could also be a target.  But now it makes sense.  As mentioned, the very worst thing you want to happen is for a Cyberattacker to make a muck of things during the deal making process. 

If they do steal stuff in this phase, most likely, they will end up selling it on the Dark Web.

The end result of this is just bad publicity for both sides, and especially for the buyer, it could mean that the value of your target company could also tank in value, especially if it is a publicly traded company, as Earnings Per Share (EPS) could take a huge it. 

So, it is very important that both sides make sure that everybody is on the same page in terms of Cybersecurity before any deal making talks continue.

How To Launch A Better Penetration Test In 2025: 4 Golden Tips

  In my past 16+ years as a tech writer, one of the themes that I have written a lot about is Penetration Testing.   I have written man blog...