Monday, February 28, 2022

The Next Wave Of The Future: Smart Contracts

 


Hey Everybody,

For the most part, we all have heard of the Blockchain.  It is most commonly used in conjunction with Virtual Currencies, such as that of the Bitcoin and Ethereum.  But did you know that it can also be used for the creation and execution of contracts?  These are technically known as “Smart Contracts”, and a good, technical definition of it is as follows:

Smart contracts are simply programs stored on a blockchain that run when predetermined conditions are met. They typically are used to automate the execution of an agreement so that all participants can be immediately certain of the outcome, without any intermediary’s involvement or time loss. They can also automate a workflow, triggering the next action when conditions are met.

(SOURCE:  https://www.ibm.com/topics/smart-contracts).

In other words, you don’t have to keep following up with everybody to determine when a contract has been signed, or if the key actions in it have been done.  This is all automated through the Blockchain.  Probably the biggest advantage of using a Smart Contract is the protection of all parties that are involved, and the confidential information and data that are stored in them.

In today’s podcast, we have the honor and privilege of interviewing Mr. Anthony Figueora, the CTO and Co Founder of a top AI company known as Rootstrap.  He will be explaining to use all of the details of the Smart Contract, and even how you can use it for your own business.

You can download the podcast at this link:

https://www.podbean.com/site/EpisodeDownload/PB11BBBE0FNZ3X

Sunday, February 27, 2022

Understanding The Two Variables Of Cyber Risk & How It Impacts You

 


One of the most important words that is being thrown around today in the world of Cybersecurity is that of Risk.  To many people and businesses, it can have many different definitions.  To some, it may mean how much “pain” and downtime you can suffer before the real financial losses start to hit in. 

For some, it may mean just how prone your digital assets are to a security breach, despite all of the existing controls that you have in place. 

But no matter how you look at it or even define it, the bottom line is that Cyber Risk is real, and it needs to be taken in to every decision making process.  It is a term that nobody really wants to discuss, and to a certain degree, I can understand that. 

Calculating Risk shows how much money your company could lose in the end (no matter how many precautions you take, you will always be prone to some level of Risk).

But, there is yet another variable that is often forgotten about when calculating the level of Cyber Risk that your company is exposed to.  And that is, just how damaging a security breach can be to a particular digital asset. 

For example, you may calculate that digital asset A has a likelihood of a an “8” of being impacted (this is assuming that you are using a categorization scale of 1-10, with 10 being worst). 

Of course, once you confirmed this number, you will then want to deploy all of the controls you can in order to mitigate any changes of digital asset A from being impacted.  But truth be told, and as I have just mentioned, it can still be hit, and this is where figuring out the dollar amount of this is what nobody wants to talk about, because it could have a big impact on the bottom line.

This dollar amount can also be referred to as the “True Cost of A Data Breach”.  So in simple mathematical terms, the two main ingredients of Cyber Risk are as follows:

Cyber Risk = The Statistical Probability Of An Asset Being Impacted + The Dollar Amount of Any Potential Breach

Of course, there are many other variables that need to be included into the above equation, and a lot is going to be dependent upon how many and what of digital assets you have and absolutely need protection. 

While the main goal is to protect each and every one of them, the bottom line reality is that it simply cannot be done.  Therefore, the focus of your Risk Assessment has to be about protecting you mission critical ones.

But for  the purposes of this blog, calculating the actual dollar amount includes the following variables (keep in mind that this is not at all an inclusive list, but must be considered):

1)     The costs of Compliance:

Whether you like it or not, many businesses today are subject to some sort of data privacy law wherever they may conduct financial transactions.  The two most widely known ones are of course the GDPR and the CCPA, and there is also a plethora of other laws that are about to be passed in different states.  These pieces of legislation clearly demand that you have the right controls, as well as checks and balances in place to make sure that all of your confidential information and data are protected as best possible from a security breach.  Of particular attention here are of the PII datasets, of both your customers and employees.  Although it may be hard to digest at first but in your calculations of the dollar amount, you have to calculate the costs of an audit and any financial penalties that you could potentially owe.  Although this will be hard to put an exact number, the key things is to at least come up with some estimates that you can use in your calculations.  You may never be the subject of an audit, but one never knows, therefore, this has to be taken into consideration no matter what.

2)     The costs of Critical Infrastructure:

This can actually be viewed as an indirect cost, but given the geo political situation that is happening today, it needs to be taken into serious consideration.  Let’s illustrate this with an example.  Suppose the city in which you have your business in is hit with a Critical Infrastructure (CI) attack, and there is no water for hours or perhaps even days.  There is no doubt that water is absolutely essential to human life, but for a business it can also be a detriment as well.  For instance, it is used to cool down your data centers, and even heat your brick and mortar office.  If there is no water, your business will obviously experience a serious level of downtime, and this also has to be factored in.  Another CI variable that you must factor in is electricity.  If the power grid has been hit, of course you will not be able to do any work at all, unless you have back up generators at hand.

3)     The cost of Human Life:

Although each and every human life is precious, the bottom line is that you have also have to take into consideration this if you are hit with a security breach, or even a natural disaster.  Suppose there is an earthquake, and you lose some of your employees?  The dollar cost of their lack of presence and expertise in order to bring your business back up and running, as gut wrenching as this may sound, also has to be taken into consideration when you are calculating the financial magnitude of a security breach.  In fact, this is a key variable that many insurance carriers and actuaries when awarding out insurance policies.

Conclusions

As stated earlier, calculating the level of Cyber Risk is something that has to be taken into consideration very seriously today.  It is important to keep in mind that this is not just restricted to the IT Security team, their CISO, and the C-Suite. 

Each and every employee and department in a business will be impacted by this, because after all, they will be using your digital assets to some degree or another when then do their daily job functions. 

One of the best ways to get started on this long road is to first conduct a comprehensive Risk Assessment.  This is where you literally take an inventory of all of your digital assets, and rank them on some sort of categorization scale in terms of their vulnerabilities of being by a security breach. 

Then, you need to calculate, or at least have an estimate of the financial magnitude of it.

It sounds like a herculean task to accomplish, but keep in mind that there are Cyber professionals that make their living doing this.  Your best bet is to have one of them do it, working with you directly.  There are also other frameworks you can use out there for the categorization of your digital assets, most of them are widely available from NIST.

The costs of a data breach is illustrated in the diagram below:


(SOURCE:  https://www.darkreading.com/attacks-breaches/hidden-costs-of-a-data-breach).

In the end, it is quite possible that your company could avoid these stats by being proactive about Cybersecurity.  The time to act is now!!!


Saturday, February 26, 2022

The Cyber World After The Ukrainian Invasion: Don't Depend 100% On Your Insurance Policy

 


Unfortunately, the bad news that was precipitating to happen did actually happen on Thursday morning.  And that is the Russian invasion of Ukraine.  I for sure have my own political views on this, but for purposes of this blog, I will keep neutral; 

Along with the disasters that the people of the Ukraine are facing will and will continue to do so, the ripple effects that will be felt across as a result of this invasion will now be felt across the world, especially here in the United States.

In this regard, probably the biggest thing we have to fear are the Cyberattacks that will be coming from Russia.  Although Cyberattacks from that region are nothing new, it is expected that will intensify in much greater depth, with different targets in mind.  One of the most feared targets is the attack on Critical Infrastructure. 

As I have written about before, this includes such things as the water supply lines, oil and natural gas refineries, nuclear facilities, the national power grid, the food distribution system, etc.  These just won’t be single hit shots, rather, it is expected that there could be a simultaneous attack, attacking different pieces all at the same time.

Of course, there will be other Cyberattacks as well, to all sorts of businesses across all industries.  So what is one to do?  Well, there is the usual laundry list of items that every Cyber vendor is now putting up on their respective websites.  The other  is to get a good Cybersecurity Insurance Policy for financial protection.

But keep in mind that simply because you have a Cyber Policy does not mean that you will actually be covered 100% of the entire way.  Because of its increased demand, many carriers are now restricting what they will actually cover, and in many instance, even restrict the amount of payout that you will be getting.  Just consider some of these statistics:

*There has been at least 17% more data breaches just in Q4 alone, versus the entire year of 2020;

*The average cost of a data breach is now calculated at to be almost $4.5 million, the highest ever.

You can get more information on these stats, respectively, by clicking on the following links:

https://notified.idtheftcenter.org/s/2021-q3-data-breach-analysis?utm_source=pressrelease100621&utm_medium=web&utm_campaign=Q3BreachAnalysis

https://www.ibm.com/security/data-breach

Because of these and other similar trends, businesses across Corporate America are now starting to rely upon Cybersecurity Insurance Policies to help protect themselves.  Just consider these:

*By 2020, there was a 47% increase in the purchase of Cyber Insurance Policies;

*Because of the huge demand, the prices for procuring an Insurance Policy increased by over 27%.

You can get more information on these stats, respectively, by clicking on the following links:

https://www.gao.gov/products/gao-21-477

https://www.ciab.com/resources/q3-pc-market-survey-2021/

But not only are customers are feeling the greater pinch of these increased prices, but they are also paying dearly on the other end:  They are not getting the full coverage as they were expecting.  For example, both the healthcare and insurance industries are greatly limiting the terms of coverage that they offer, just because they have been hit so often with Cyberattacks.

But apart from this, companies in these market segments will not be able to get a complete, full blanket coverage.  This would cover everything, including the downtime from after the Cyberattack happened to bringing up mission critical operations to even assisting with the long-term business continuity plans. 

Now, insurance companies are requiring that these organizations get covered by a piecemeal approach, whereby the client has to purchase different kinds of add ons, technically known as “riders” or “standalone policies” in the insurance industry.

In the worst-case scenario, there are some insurance companies that will even refuse to pay up, depending upon the kind of Cyberattack that has occurred.  The best example of this AXA.  Because of the sheer dollar volume that was paid in ransom payments in France (which as valued at well over $5.5 billion), they will now refuse to pay reimbursements for any ransom payment that has been made.

Because of this, many insurance companies are now conducting audits of prospective policy holders to make sure that they have a baseline set of controls even before their application will even be looked at.  But keep in mind that the Cyber Insurance carriers themselves are now becoming a victim. 

The primary reason for this is that the Cyberattacker knows that any business who has a comprehensive plan will more likely pay something in the end – after all, because they can now afford to. 

In fact, those companies that have such a policy are more 2X likely to pay, because they now have a security blanket that they cab literally fall on.  More information about this can be seen at this link:

https://www.insurancejournal.com/news/national/2021/07/07/621416.htm

Now, the Cyber Insurance industry is finding that they are making a loss on all of this, far exceeding their breaking their breakeven point, which is well above 70%.  More information about this statistic can be seen at this link:

https://www.darkreading.com/risk/the-future-of-cyber-insurance

My Thoughts On This:

Unfortunately, the this is the trend that the Cyber Insurance is going to go.  There will be fewer comprehensive policies, making business owners to get riders, thus further driving up the costs of the premiums. 

There will be a lot more scrutinization now when a claim is filed, and payouts may be 100%, depending upon how proactive the would-be policy holder actually has been.  And if you are lucky to get a full payout, it will take a lot longer to get those financial resources, just due to the sheer amount of paperwork that the agents have to review.

So my best advice here is not to think of your Cyber Insurance Policy as a crutch, this simply  means that don’t let it to be your security blanket, as I had previously mentioned.  As a business owner you should already be taking a very proactive stance towards Cybersecurity by maintaining the best levels of Cyber Hygiene that you can have.  Of course, this is a catch all term, but it is inclusive of all that you need to do.

If you take this approach, you will gain in two ways:  You will be able to pass the audit when you first apply, and of you do get hit, the chances are far greater that you will get a 100% payout because of your proactiveness in the first place.

 

Tuesday, February 22, 2022

How To Stay Cyber Ahead In Today's Geo-Political Climate

 


Hey Everybody,

With the rising political tensions that are occurring today, all levels of the US Federal Government are warning not just businesses but American citizens to be aware of hacks and attacks originating from the Eastern European region.  How is one to protect themselves or their business and employees with such news that is coming out everyday, and is constantly changing?  How do we know what it is for real?  But most importantly, how do we beef up our lines of defenses?

Well look no further.  In this podcast, we have the honor and privilege of interviewing of James Fair, the Senior VP of Tech Operations at a form known as Executech.  They are based out of South Jordan, UT, and offer a plethora of services for just about any company in any industry, especially for the SMB.  A sampling of what they offer include the following:

Ø  Managed IT Services;

Ø  Cybersecurity;

Ø  Cloud Services.

To learn how to protect you, your family and business today from any potential security, make sure to listen into this podcast!!

You can download it at this link:

https://www.podbean.com/site/EpisodeDownload/PB11B39C5CGKQY

Sunday, February 20, 2022

Understanding The Importance Of Unifying Your Cyber & Software Development Teams

 


In yesterday’s blog, I went into some detail as to how Cybersecurity is an integral part of the SDLC model, and the importance of software development teams to embrace this fact.  But even if some of eh suggestions are actually put into practice, there is still one problem left:  Getting along with the IT Security team. 

Unfortunately, both still work in their own worlds, and hardly ever share anything with each other.

The developers are heads down immersed in writing and compiling source code for the web application that they are trying to build, and of course, the IT Security team is just trying to keep up with what should have been done yesterday.  So how do you bring these two disparaging worlds together?  Here are some ideas:

1)     Just don’t put everything into a Word doc:

IT Security teams are known for being rather cold and unfeeling at times.  Rather than communicating what they think is going on, they merely put all of the vulnerabilities and gaps that they have discovered into a bullet format, and expect the other party to act on quickly, with a sense of urgency.  Unfortunately, for other departments that are not in the world of IT, people will take offense to this very quickly.  And very often, especially the software development will have no clue about what that document means.  Because of that, there will be pushback, and whatever the IT Security team wants will be put into the backburner.  So to avoid this precarious situation, list the items out in non-techno jargon sense, and put in a friendly, polite CTA.  And always put your contact info in case somebody needs to get a hold of you for questions and/or clarification.

2)     Keep whatever you want done simple:

It is a known fact that Cyber vendors love to go into a lot of detail explaining how to fix a problem. It’s just not our nature, and we are passionate in what we do. The bottom line is that we just want to help people.  But not everybody takes the same approach that we do.  Other people, especially your software developers, are busy folks themselves, and don’t have time to read a 10-page document of what needs to be fixed.  Instead, your best bet would be to put those into bulleted items, once again free from techno jargon, so that it can be read and understood quickly.  In other words, just tell your development team what needs to be fixed in the source code, and the best way for fixing it.  Also, to build a sense team spirit, ask for their input as well in this regard.  After all, your approach may be the best in the end, because you are not directly writing and compiling the source code.

3)     Consider the use of automation:

This one actually goes out to the IT Security team.  Software developers have better access to the most modern tools than we do, so it is imperative that you make the case to your CISO or manager that in an effort to keep up on the same pace as the software development team, you need to have some more modern technology, especially when it comes to automation.  By using the tools of AI and ML, you can more easily spot any weaknesses or gaps in the source code, and have that fixed.  Of course, the more complex ones will need human intervention from a software developer in order to repair them.  In a way, this is a sense of creating goodwill, and you are showing your software developers that you want to help them out too, and that you respect and value the time constraints that they are under as well.  But in this regard, always keep everybody informed of any remediations you have put into the source code, just so that nobody is surprised at the very end.

4)     Timing is everything:

In this regard, just don’t wait until the very end of the project to tell your software development team what you have found and what needs to be corrected.  Rather, this should start very early in the process, and should keep continuing as the development process continues.  I have always been advocate of this, as I have written about the importance of this in previous blogs.  But this is where the mindset of open, honest communications must take place, and will take a great deal of effort if it does not already exist.

My Thoughts On This:

Well, there you have it.  Some of more of my “free” suggestions.  Now I am by no means a software developer, nor would I even attempt to even become one.  But I know enough of both sides of the equation to speak something about this.  Its time that we end the siloed approach to Cybersecurity, after all it takes a village to keep one step ahead of the Cyberattacker. And this blog is just one small steppingstone in that direction.

Saturday, February 19, 2022

What Does A Software Bill Of Materials Have To Do With Cyber? Find Out Here

 


As the drum cries start to beat about a possible Russian invasion into the Ukraine, many of our own Federal Agencies are also warning the American public about possible Cyberattacks originating from Russia. 

So far, as I peruse the news headlines on a daily basis, I have not seen concrete stories to this effect.  But, it does not mean that something has not actually happened.  I would say that there is a good chance something could have happened, but for obvious reasons, it does not want to get reported.

But anyways, all of this yet once underscores the need for not just Corporate America, but the average American folk to be proactive about their levels of Cyber Hygiene.  No need to repat them here, a simple Google search can tell all that you need to know.

But keep in mind that maintaining good Cybersecurity practices is not just about protecting your digital assets.  It also means making sure that any backdoors or vulnerabilities that exist in your Software Development Lifecycle (SDLC) are fully addressed and remediated. 

This is a topic I have covered on occasions before, and in fact, I have an eBook on Amazon just dedicated to this.

So it all comes down to this one common denominator:  Security is still not yet a high priority for software development teams.  It call comes down to two things: 1) Software developers are in such a time crunch for the deliverable that they simply lose oversight of the importance of checking for security gaps and vulnerabilities, or 2) A lot of the software development work is outsourced somewhere else, where the Quality Assurance (QA) standards are substandard.

So apart from what I have said in the past, here are some other tips that your software development team can implement as well:

1)     Decrease the attack surface:

Today, many businesses those of the MSPs, are now relying upon just one software-based mechanism in  order to reach out hundreds if not thousands of people.  This is yet once again best exemplified by the Solar Winds attack.  The Cyberattacking group deployed a piece of malicious code into one package called the “Orion”.  This is a tool that was used to push software updates and patches to all of the clients from just one source point.  Because of everybody had access to it, this malware spread to literally thousands of clients, and as a result, they became infected. In technical terms, these are known as “Supply Chain Attacks”.  Despite the security weaknesses this poses, unfortunately, many MSPs and their associated software development teams are choosing to go this route, for the sheer sake of convenience.  Btu what can be done to help the mitigate risks here?  If you are insistent of just having one point at which to deliver all of your updates and firmware in one simultaneous spread, then make sure that tool has been thoroughly tested, and continues to be so for any security vulnerabilities that can crop up.  This is what happened in Solar Winds attack.  The Orion package had many weaknesses and holes, it was never tested.  Or even a more bullet proof way to handle this is store all of your upgrades and patches in one central place, and then notify your clients that they are available for download.  That way, they can deploy them on their own, and you have basically cut out the risks that are involved with simultaneous based implementations.

2)     Create a Bill of Materials:

Ok, this is a term that is probably used quite a bit a bit in the manufacturing industry.  This simply means that you are keeping an inventory of all of the inputs that are being used to create a product.  The same concept can apply here to the software development world as well. Obviously, the inputs are going to be quite different, as they will primarily be software modules that your team has developed.  But whatever the task is, they need to b accounted for, and whether or not they have been security tested, and have made their way to the QA process for other checks that are needed.  This is also known technically as the “SBOM”, and in fact, this is now mandatory per the Cyber Executive signed by Biden.  There are frameworks out there that you can use to help you build out your SBOM, and one that I see seriously recommend is available through the OWASP project.  More information about this can be seen here at this link:

https://cyclonedx.org/

3)     Deploy the Zero Trust Framework:

 

This is probably one of the most beaten-up terms in Cybersecurity.  Essentially, this means that you are getting rid of the Perimeter Security approach, and instead, breaking out your IT and Network Infrastructure into different zones, and each one of them requiring at least three different layers of authentication that the end user must go through.  Well, this same concept should be equally applied to the SDLC world as well.  So, if a software developer wants to gain access to a particular software module, he or she will also have to go through at least three or more layers of authentication.  In the end, they are no different than your or I, and they should not be given any levels of implicit trust, as the name of this Framework dictates.

My Thoughts On This:

The Cyberattacker of today is realizing that many IT Security teams are simply too focused upon the protection of digital assets.  Therefore, they are now going into areas of penetration where security is not so much of a focus, and one of them is the SDLC world.  They know that a lot of stuff goes untested, especially when it comes to open-source APIs.

But you know what?  Your software development team needs to be held to the same, if not higher levels, of Cyber Hygiene that regular employees are required to abide by. After all, they are the ones that know all of the inner workings of not only your apps, but those are designed and delivered to your clients as well. 

If they wanted, they quite easily flip the switch, and launch a rather covert, and quick insider attack if they wanted to.

Sounds scary?  Well it does.  Now is the time to take proactive measures and higher levels of accountability of your software development team.

 

Sunday, February 13, 2022

How To Address The Log4j To Your Board Of Directors: 4 Point Guide

 


So far this year, the Cybersecurity front seems to be, about the same as it was last year.  Of course anything can happen right now, given that a Russian attack on Ukraine seems to be more or less imminent. 

Because of this, our own Federal Government has been putting out news alerts about a huge escalation in the number of Cyberattacks that could potentially originate from that area.  Fingers crossed, that nothing happens. 

Trying not to get political here, but what the world needs right now is peace, given what the Omicron variant has done so far to the world. But last month, lots of attention and news headlines were spent on another major hack, which probably had ramifications far worse than that of the Solar Winds attack.  What is this hack you may be asking?

Well, it is the Log4j.  Now, I don’t know all of the details about this one, and I know it sounds bad on my part, but truthfully, I have not really kept up to speed with what has been happening on this front. 

Essentially, Log4j is a log recording tool which can be used by both network administrators and end users alike.  Here is a good, technical definition of it:

“Log4j records events – errors and routine system operations – and communicates diagnostic messages about them to system administrators and users. It’s open-source software provided by the Apache Software Foundation.”

(SOURCE:  https://theconversation.com/what-is-log4j-a-cybersecurity-expert-explains-the-latest-internet-vulnerability-how-bad-it-is-and-whats-at-stake-173896)

It consists of an Open-Source platform, and while the intent of this is provide a tool to keep track of suspicious behavior, its very nature allows it to be quite easily used in a malicious way by the Cyberattacker. 

Because of this, there are many open backdoors in which the Cyberattacker can penetrate through, and from there, deploy their malicious payloads in a simultaneous fashion like how the Solar Winds hack occurred.

I will write another blog in the future that will cover more about the technical nature of this hack, but the main purpose of tis one today is the lack of communication that took place in Corporate America when it came to notifying all of the impacted stakeholders. 

This is especially true for the Board of Directors of any company.

Many of these people that occupy this high perch still have no idea of just how truly devastating a Cyberattack can be.  In fact, according to a recent survey from Gartner, 88% of all businesses in Corporate America still view Cybersecurity just as a business risk. 

They still do not take the holistic approach that it is also a technological risk, which can have dire consequences for the entire company they are in charge of leading.

More information about this study can be found on the link below:

https://www.gartner.com/en/newsroom/press-releases/2021-11-18-gartner-survey-finds-88-percent-of-boards-of-directors-view-cybersecurity-as-a-business-risk?_sp=08da4deb-e68b-4d57-b132-36a807ba4534.1644774530609

In fact, the Log4j hack had such a far-reaching impact that even the Cybersecurity and Infrastructure Security Agency (also known as “CISA”) had issued various bulletins on how to mitigate the risk and damage that it posed. 

Heck, even the FTC also just recently announced that it would take legal action against those companies that did nothing to further protect the PII datasets of employees and customers that could have been impacted by it. 

These messages were also targeted to the Board of Directors in Corporate America, by pointing out directly that they could even be criminally negligent if they don’t further steps to be more proactive about Cybersecurity.

But unfortunately, explaining all of this to a Board of Directors falls squarely on the shoulders of the CISO.  And if they cannot do this in a succinct way, then of course their jobs are in limbo.  So what can a CISO so to talk about the damage potential a hack like Log4j can have on their company?

Here are some tips:

1)     Explain the entire picture:

In order for your Board of Directors to get the complete of what is going on, you have to explain this to them in terms that they can understand.  For example, mention all of the big-name IT vendors that have also been hit by this:  Amazon Web Services, Oracle, Cisco, IBM, Fortinet, VMware, Microsoft, etc.  Hammer down the point here that even despite the fact that these companies had probably some of the best lines of defenses possible, they too became victims.  The idea here is to point out that anybody can be a victim, even your own company.  So what is the point of waiting until you are impacted to be proactive?  Enunciate the importance of doing this now.

2)     Break things down into dollars and cents:

Unfortunately the boards in Corporate America only understand one thing: The bottom line.  So in this regard, perhaps, you the CISO, should work closely with the financial analysts in your company to actually break down the dollar and cent cost of an impacted company (assuming that you can get those numbers from somewhere), and from there, extrapolate those findings as to what the potential financial loss could be to your company.  This should get some ears perked up.

3)     Illustrate the picture of who all will be impacted:

In a large-scale attack such as this one, it is not just you, your employees and customers that are impacted.  Keep in mind also your external third parties, such as suppliers, will also be bear the brunt of the damage as well, because they are making use of the PII datasets that you have provided them.  Also tell your board that if they are impacted, they will not be held legally responsible, rather, it is your company that will be.  Explain what this will mean in terms of brand loss and reputational damage.

4)     The need for manpower:

Just about every IT Security team imaginable is stretched well beyond their breaking points.  There is simply not enough people around to help detect and thwart off the looming threat variants that are out there.  Explain to your board you need more people, and that you desperately need the funding to do that.  Tell them that you do not have get direct hires (which of course will bring more cost to the company), even hiring contractors will work just as well to (of course, after they have properly vetted).  Heck, even tell them you can hire college graduates with not much experience.  This will also help solve the problem of the huge employment gap that the Cyber industry is faced with today.

My Thoughts On This:

In the end, in a large business setting, everything comes from the top, and that is how all employees all the way down to your overnight cleaning will act.  Don’t blame the CISO for anything and everything.  In the end, the buck stops with the Board of Directors, and the people who occupy these seats need to act as such. 

The time for these people who think that they have God like powers has to stop here and now. 

In the end, your Board of Directors are normal human beings, just like you and me. They have no special or magical powers, maybe except for the ego trip they get by being at the top.  But this all has to be put aside, and your Board of Directors must understand that they have a huge stake in the Cybersecurity of your company as well.

Once all of the ego checks have been put into place and the finger pointing as has stopped, only then can Corporate America be truly on the road path to instilling a proactive mindset which will transcend down all the way to the employees.

Saturday, February 12, 2022

The Impacts Of A Slow Internet On The Remote Workforce & How To Fix It

 


Introduction

Let’s face it, the Remote Workforce is now a reality. The amazing thing is that this has been launched in just a matter of a three months, rather than the 3-4 years many Cybersecurity experts predicted it would take. But given the unexpected uptick in the COVID19 positivity rate, the Remote Workforce will likely become, more or less, a permanent scene that is already starting to precipitate. There have also been Cybersecurity issues involved with this; some have been worked out, while some need more smoothing out.

One such example of this is the impact on the spike of Internet usage, causing connections to be much slower than normal. According to a recent survey that was conducted by WhistleOut:

Ø  35% of the respondents claimed that a weak Internet connection prevented them from conducting their daily job tasks at some point in time in the last few months;

Ø  65% of the video conferencing calls (primarily that of Zoom) have either been cut, dropped, or even completely frozen while in process, because of a strained Internet;

Ø  43% of the respondents said that they have had to use their mobile hotspot to supplement their existing Internet connection;

Ø  83% of them claimed that it is impossible to do even half a day’s work with a slower than normal Internet speed.

(SOURCE: 1).

What can be done to resolve this escalating issue? Obviously putting in fiber optic cabling on a global basis will take quite a bit of time to do. Thankfully, there are some other fixes that you can implement in the meantime.

How To Make The Most Of Your Current Bandwidth

Here are some quick tips:

1)     Consider boosting your Internet signal:

This just takes some simple tweaking in your home router to boost your signal. For example, you should consider relocating your router to a more central point within your home. By doing this, the signals will be much stronger in nearly all cases. Preferably, you should avoid walls and other such barriers. Instead, try to position your router so that it is near an open space, such as a window, or a patio door. Also, to juice up the Internet speed even further, you should probably get what is known as a Wi-Fi Repeater, also known as a Wi-Fi_33 Extender. This device will simply amplify your existing Internet connection strength.

2)     Test your Internet speed:

There are a number of free tools that will allow you to test to see just how quick your Internet speed is. For instance, a very reliable tool that you can use (and is also available for free) can be seen here at this link. If you discover that your Internet speed is actually slow, then your home network could very well be what most call “saturated”. This happens when all the members of your family are attempting to connect to the Internet at once and using resources that are literally hogging up your bandwidth levels. For example, this typically happens when you are trying to steam an Internet video, which takes up a lot of processing power. A quick tip here is to try and limit this kind of activity until after work hours. But saturation can also exist from your Internet Service Provider (ISP). If you are on a lower tiered plan, there is a good chance that your Internet speed will be throttled down, in order to accommodate the other ISP customers that are trying to access the Internet as well. The only fix to this is to upgrade your plan to a higher tiered option.

3)     Change your work hours:

As we all know, traditional brick and mortar locations are traditionally available from 8 AM to 5 PM. But with working virtually, all of that can change. For example, the peak levels of Internet usage are typically in the morning hours, usually from 8 AM to 11 AM. Perhaps, with approval from your manager, you could start your workday at 12 PM or so, after most video meetings have already taken place. Or perhaps you could even work later hours in the night, or work on the weekends also, when the levels of Internet usage are lower. This is especially true during the summertime when people spend a lot more time outside.

4)     Set clear and distinct boundaries for non-work Internet usage:

It’s not just parents that are working at home, but many kids are also learning virtually from home as well. But school hours vary, and with that in mind, you need to keep your children occupied with other non-Internet activities that will conserve bandwidth while you are working remotely. As previously mentioned, Internet based entertainment can consume a lot of your bandwidth. Therefore, restrict this to after work time and for just for a few hours only.

Conclusions

Overall, this article examined some quick and easy tips you can implement that should help you get a higher degree of Internet bandwidth. However, apart from this, you also need to determine the range of bandwidth that the resources you use for work-related purposes are.

Also, a detailed chart of just how much bandwidth is being consumed by the major video conference carriers (which includes Zoom, Microsoft Teams, Google Meet, and Skype) can be seen here.

If you find that the above mentioned tips provided do not help much with alleviating your slow Internet speed issues, the only other option is to simply upgrade your existing plan to a higher tiered one that offers the speeds that you need to work productively.

In this regard, you may even want to consider upgrading to a business account, which offers the highest speeds possible. But before you actually do this, make sure that your employer will help offset this cost, based on a percentage of how much bandwidth is used for work related activities.

Sources

1)     https://www.pcmag.com/news/a-third-of-remote-workers-say-weak-internet-has-hurt-their-productivity

2)     https://www.speedtest.net/

3)     https://www.flexjobs.com/blog/post/work-from-home-slow-internet/

4)     https://business.frontier.com/blog/how-much-bandwidth-does-my-business-need/

5)     https://completetechnologyresources.com/is-your-internet-bandwidth-enough-for-remote-work/

6)     https://business.frontier.com/blog/home-office-internet-speed/

Sunday, February 6, 2022

4 Key Reasons Why Your Cyber Start Up Has No VC Funding

 


I think just about a week ago or so, I wrote a blog as to how the Merger and Acquisition Activity Is going to further fuel the growth of the Cybersecurity industry in the coming years.  Part of this is the larger companies buying out the small ones, and also Venture Capital (VC) and Private Equity (PE) firms taking part in the mix as well. 

Obviously, these latter group of people don’t want to hold on to their new assets for too long, as they want to make money them as well.

This has prompted a new trend in the Cyber industry for people to launch startups with all of the bells and whistles, so that they will look attractive to a potential buyer.  But that is far as they will go, and now it is starting to backfire on them, as the VCs and PEs want something of substance and value as well when they make their purchases. 

After all, they just can sell air either, right?  In fact, in many ways it feels eerily resemblant to that of the late 90’s – as long as you had a .com in your name, you were guaranteed to get something.  So, what is an investor looking for, and how can you increase your chances of getting some funding? 

Well, I came across an article that actually takes the opposite approach, and instead, points out the warning signs that a VC or PE looks for.

So what are they?  Here we go:

1)     Hiring from the Dark Side:

In simpler terms, this means that a company has hired an individual(s) who have been illegal, hard-core hackers in the past (hence the name “Black Hat”), but now have turned over to the good side. Who knows why they do this, but businesses want to scour up these individuals in order to have access to their knowledge and hacking skills.  Unfortunately, VCs and PEs don’t look at this away.  They simply will not invest in a startup that has hired these kinds of individuals.  They simply don’t want their good name associated with anything illegal that may have happened in the past.  I can see where they are coming from on this, after all, they are potentially investing a lot of money, and don’t want anything bad to happen.  But I don’t agree with this. To me, what has happened in the past stays there.  You have to evaluate what the assets you have now, and everybody deserves a fair chance to prove their worth.  What I would tell a VC or PE is that you are taking a risk in other areas of the transaction, so why are you afraid of this one?

2)     Stop the bells and whistles:

This goes back to what I said before.  Cyber startups need to come up with something solid, whether it is a product or service.  In other words, just don’t chase what is red hot at the moment, because given the ever-changing dynamics of the Cyber Threat Landscape what is red hot today could turn out to be ice cold tomorrow, to varying degrees.  Also, make sure that your new product or solution actually meets the needs of your existing customer base and prospects.  Sure, this could take some market research, but if you want to get that funding or be acquired, you need to do this.  VCs and PEs are looking at this very heavily now, especially from a business model standpoint.  They all know it will take time to get something to market and to start making money off of it, but they want to see that the potential actually exists, and that could be something viable.  Some of the areas that they are interested in are services surrounding the Cloud, the Remote Workforce, and especially given today’s times, the Zero Trust Framework.  Cyber vendors are also notorious today for creating solutions that creates alerts and warnings for the Cyber team, but that is fay as they go.  They do not make an attempt to actually solve a problem. This is yet another key area that VCs and PEs look at, as they think that this will give them a differential advantage in the marketplace after the acquisition has been complete.

3)     Hiring former government or military personnel:

For some reason or another, VCs and PEs will not invest in a start up that is run by individuals in these backgrounds.  Honestly, I don’t why.  They simply feel that they do not have the real-world experience.  But IMHO, this is the most ludicrous statement ever concocted.  For example, I have had the honor and privilege of interviewing many ex-government and military personnel who have started their own Cyber companies, and are quite successful at it.  If I ever reach to the point where I can invest in a Cyber startup, I would rather spend my $$$$ on a startup headed by these kinds of individuals rather than some kid right out of Harvard or MIT.  These people have the discipline to get things done, and have even deeper levels of experience, given any covert work they may have done for the government.

4)     Creating solutions that are not defensive in nature:

This is yet  another one I cannot quite understand.  Simply put, VCs and PEs will not invest in a Cyber startup if there solutions and/or products are offensive in nature.  In other words, forget about developing the next generation of Penetration Testing Tools, but instead come up with a softer version of it, one that is defensive in nature. To me, this does not lead to a proactive approach or mindset which is so badly needed in Cybersecurity today.  If it was me, I would much rather invest in a company that is developing solutions that will help businesses take this kind of approach when it comes to building up their respective lines of defenses.

My Thoughts On This

So long story short, if you are Cyber startup, and want to receive some sort of VC or PE funding, or even want to be bought out for that matter, go back to the traditional ways of creating something.  Find something you are passionate about in Cyber, and then go from there. 

Your passion will be your guide in building something that can not only meet the needs of people, but will be attractive to investors as well.

Perhaps just a build a better mousetrap to get started with.  And don’t forget this one cardinal rule:  Always provide great customer service.  With all of the technological advancements that are happening today, people yearn for the days when life was purely simple and straight. 

They are sick of bells and whistles.  Deliver something of quality and value that could meet their needs, and you will be all set.

Saturday, February 5, 2022

How An APT Attack Is Launched In 5 Steps

 


Introduction

A trend that has dramatically shifted in this COVID19 pandemic is  that the Cyberattacker is now taking their own sweet time to launch their threat vectors.  Gone are the days of the “Smash and Grab” campaigns, where they would take all that they could in one attempt. 

Now, they are carefully studying their targets in smaller numbers and uncovering their weak spots quicker.  Then, once they get in, the goal is to stay in for a long period of time, and take key assets a bit at a time, going unnoticed until it is too late.

A perfect example of this is what is known as the “Advanced Persistent Threat”, or “APT” for short.

Defining What An APT Is

An APT can be technically defined as follows:

“It. . . is a sophisticated, systematic cyber-attacks program that continues for an extended period of time, often orchestrated by a group of skilled hackers. The hacker group, or the APT, designs the attack with a particular motive that can range from sabotage to corporate espionage.”

(SOURCE:  1).

Breaking down this definition further reveals more.  For example, we are not talking about some novice Cyberattacker that are launching these kinds of variants.  These hackers more than likely originate from those nations that are deemed to deemed to be nation state threat actors, with extremely sophisticated skills and abilities. 

Second, the ultimate objective is not just to steal Personal Identifiable Information (PII) datasets, but to go well beyond that.  Rather, they want things of extremely high value, such as Intellectual Property (IP), to even extortion to fetch a large sum of money.

Also, the Cyberattackers that launch these kinds of campaigns are extremely organized in what they do, so that can be in a covert state for a very long period of time. 

The Anatomy Of An APT

In fact, there is a 6-step process which is normally followed, which is as follows:

1)     Gaining the foothold:

Getting access through a very weak spot in the network infrastructure is the primary way in which the Cyberattacker gets in.  But as mentioned, they take an enormous amount of time to find this position.  The reason for this is that they do not want to raise any alarms or triggers that a security breach is underway, only that a short-lived compromise occurred.  This is how they can stay in for so long.

2)     The malware is deployed:

With an APT, the malware that is installed is not really meant to cause any sort of initial damage.  Rather, the intended goal of the payload is to listen to and probe for other avenues in order to get into other areas of the network in a stealthy manner.  This information is then relayed back to the Cyberattacker, so more of them can enter in.

3)     Further points of compromise are installed:

Once the other weak spots have been determined, additional “toeholds” are deployed in order to gain access to what is being sought after.  The primary reason for doing this is that it acts as redundancy for the Cyberattacker, in case one point of compromise gets sealed off, they have others that can be used.

4)     The attack begins:

Now, the Cyberattacker is set to go after the very high value targets.  As also mentioned previously, their goal is to take the smallest chunks as possible, so that it does not garner any attention.  Once this has been accomplished, they can then “reassemble” the asset back into its original form.

5)     The Cyberattacker then leaves:

Just as quietly as they entered in, the same is true as they leave.  They remove all traces of their existence, and because of that, only a short-lived compromise is recorded onto the logs of the network security devices.

At the present time, the traditional lines of defense, such as antivirus/antimalware apps, firewalls, network intrusion devices, routers, cannot detect APT attacks as they happen.

The Warning Signs Of An APT

Although APT attacks are extremely difficult to detect, they do give away some telltale signs.  But the caveat here is that it takes a very well-trained eye to scope out for them.  Here are some of them:

Ø  Typically, most network access activity occurs during the normal business hours.  But in order to avoid detection, the Cyberattacker will attempt to launch their APT attack during the non-peak time, such as during the night.  If there is an increase of activity during this timeframe, then something is definitely going to happen.

Ø  There will be an increased amount of Trojan Horses in your network infrastructure.  While the Cyberattacker will deploy malware that is almost close to impossible to detect, from time to time, Trojan Horses will still be used.

Ø  Unusual flows of data will be apparent.  Keep in mind that the Cyberattacker will take out only the smallest amounts of it as possible at a time.  But the timing in which they are taken out will be rather unusual, once again, probably during non-business hours.

Ø  The data will be aggregated together in very small chunks.  Although it is quite normal for a network infrastructure to bundle this together, the Cyberattacker will not only group them in a way that is very unusual but will even store them at very odd places that you would not even think of until they are ready to exfiltrate them out.

How To Fend Off An APT

In the end, each and every business is prone to APT attack.  But the key is what you can do decrease the statistical odds or mitigate the probabilities of this from happening.  Here are some steps that you can take:

1)     Implement the Zero Trust Framework:

This is a methodology in which you cannot trust anybody or anything, whatsoever.  In order to establish legitimacy of whom they claim to be an employee must go authenticated through least through or more unique mechanism.

2)     Make use of constant monitoring:

Although your employees work in only a certain part of the day, it does not mean that your security devices should also.  They should be on a 24 X 7 X 365 basis, continually keeping an eye on your network infrastructure.  In this regard, you should consider seriously of make use of what is known as a “Security Information and Event Management”, or “SIEM” package.  This will present real time information and data to your IT Security team and filter out for the false positives.

3)     Whitelist only authorized applications:

By doing this, any software application that has been installed without prior approval will be brought to your attention immediately.  Using non authorized apps is one of those backdoors that Cyberattackers very often look for when launching an APT attack.

Sources

1)     https://www.forcepoint.com/cyber-edu/advanced-persistent-threat-apt

Beware Of That IoT Device You Are Going To Give As A Gift!!!

  As we fast track now into Thanksgiving and the Holidays, gift giving is going to be the norm yet once again.   To me, I think it should be...