How To Bridge The Gap Between Software Development & API Security: 3 Golden Keys

 

Just recently, I wrote a whitepaper for a client on an area of Cybersecurity of which I did not know too much about.  This area is known as “DevSecOps”, and it is simply an acronym that stands for Development, Security, and Operations.  But after I got done writing it, I learned a lot more about it than ever before.

Probably one of the biggest takeaways for me when I wrote this piece simply underscored the fact that Cybersecurity is a team effort.  It is a giant that no one individual can handle on their own, let alone one team. 

Rather, it has to be a collaborative effort with everybody in the company.  The second thing I learned is that there has to be a much better flow of communication between the software development teams and IT Security.

In other words, the old days of siloed approaches and thinking have to disappear and quickly, if we are to be successful in thwarting off threat variants.  The third key takeaway for me is that automation is going to be a critical area here as well.

Of course, it should be used wherever and whenever it can be reasonably, but it should mostly utilized for routine tasks, QA checking, and even for finding any holes and vulnerabilities in the source code that is being compiled.

This is probably the biggest area I hit upon in the content:  The need for greater security in the code.  For example, software developers have been left alone in the blame of Cybersecurity.  Traditionally, this has always fallen on the laps on the CISO and the IT Security team. 

But this can no longer be the case.  As I have said, everybody has a responsibility to protect the digital assets of their company, and yes, even the software development teams that you hire.

This one of the biggest focal points now for DevSecOps:  How to create and compile much more secure source code and streamlining the checking processes that are involved.  So, it is no longer the software developer that will be responsible team, it will also fall onto the hands of the IT Security and Operations teams as well.

The thinking here is that having two extra pairs of eyes will make sure that the Web application that is created either for internal or external uses will be the most secure ever.  But it is important to keep in mind that developing secure source code also involves making use of what is known as APIs. 

These are essentially open-source libraries that are typically deployed between the front and back ends of any web application that is being created.

These APIs typically consist of lines of code that can be modified, edited, revised, reused, etc. over and over again.  The main advantage of this is that the software developer does not have to write code from scratch, thus saving time and money, especially for the client. 

But the problem here is that these API libraries often come from software-based community forums which have not tested them, or have not upgraded with the latest patches and upgrades.

Because of the prevalence that this matter is now taking Corporate America, many businesses and organizations are now starting to become hesitant in using it. For example, according to the latest research report from Anaconda which is entitled the “2021 State of Data Science Report:  On The Path To Impact”:

*41% of respondents are fearful of using open-source APIs’

*23% of the respondents will not even allow its use anymore.

But let us face reality here.  Getting rid of APIs as a whole is not a good idea at all.  As mentioned, your software development teams will then have to write and compile new lines of code right from scratch, which is a task nobody wants to do at all.  So the key now is how to double check those APIs for any holes or vulnerabilities.  Here are some possible ideas that you can make use of:

1)     Everybody should be involved:

This is why DevSecOps exists in the first place.  The goal here is to have multiple eyes looking for areas of weakness that the other set of eyes may have missed.  One great way to get started with this are the frameworks that are offered by both NIST and the OWASP.  They have free, downloadable checklists that you can use which are fairly comprehensive. But you also need to have something extra in hand as well that fits the unique needs of the DevSecOps team.  This is where the Software Bill of Materials (aka “SBOM”)will come in handy.  This is also like a checklist, but instead, it lists the origins of all the source code that has been used to create the web application.  More information about how to create one can be seen at the link below:

https://www.darkreading.com/application-security/log4j-highlights-need-for-better-handle-on-software-dependencies

The SBOM serves as a starting point from which you can access the version history of the source code as it is being developed.

2)     Make use of automation:

I may sound like a broken record on this one.  Yes, I know AI and ML have been one of those techno jargons that has been thrown about and beaten up extensively now with a lot of hype into it, but I think (cannot say for sure yet) that these days may be over.  Why do I say this?  Well, it all comes down to the fact customers want real solutions now. They are tired of fake promises and fake results, they want something now that will truly work in their favor.  With this being said, the newer AI and ML innovations that are being carried out now do bring some solid value to the table finally. In fact, there are solutions out there now that have been specifically designed for the testing of APIs in particular.  Even though with DevSecOps there are more eyes available for scrutinization, they too can get tired.  But AI and ML automation.  Therefore, it is important that you make use of both.

3)     Contribute to the overall effort of the API:

There is often a tendency to think that by taking over an entire open-source project and bringing that in house is a good idea.  The common line of thinking here is that you will now have control of all of the APIs, so the checking and the repairing of them will now go quicker and smoothly, instead of having to depend upon others in the open-source community.  But, this can actually back fire on you.  This is often referred to as “forking a project”.  Remember, although open-source APIs are free to use, it does not mean that you can scarf the whole thing up, because others have contributed to the creation of them as well.  In fact, you will probably not even get the support and backing of the community that developed those APIs.  So rather than taking this extreme approach, it is far wiser to approach the community that developed these APIs and ask how you can contribute to further its cause in terms of ensuring that they are safe and updated to use.  Even remember here it, it takes team work to build a quality set of APIs that everybody can use and deploy.  More information about this can be seen at this link:

https://dodcio.defense.gov/Portals/0/Documents/Library/SoftwareDev-OpenSource.pdf

My Thoughts On This:

If you haven’t noticed, the common theme here in this blog is teamwork, and that is now one of the key missions for any type of DevSecOps teams.  Remember, it now “takes a village” to combat the Cyber threat landscape, and in the future, it could very well even take more villages.  Finally, more information about the study from Anaconda can be seen at this link:

https://www.anaconda.com/state-of-data-science-2021

Think You Will Never Be Hit Because You Haven't Been Yet? If So, The Financial Costs Will Be Much Higher

 

Every day, we keep hearing about how companies are being attacked.  But when you read these kinds of headlines, take a moment or two really analyze it. Have you noticed that the actual dollar amount of the security breach is really never revealed? 

At most the only metric revealed is how many people have been affected, or how many PII datasets have been heisted and sold onto the Dark Web.  I can see where companies are coming on this, they don’t want to reveal too many metrics in terms of loss.

After all, this will lead to a horrible degradation in the image of their brand, and even potentially mean lost customers.  The only way that we really find out what the true cost of a Cyber or even a data breach is when a large Cyber company that specializes in market research actually takes the time to create a survey, and polls a number of respondents in order to get a range of what the true dollar amount actually is.

These kinds of surveys are done randomly, but the ones that tend to follow a regular schedule are the reports from companies like Verizon and IBM.  But as I was perusing the news headlines trying to decide on what to write upon, I came across an article which discussed a newer kind of survey, and this one was conducted by a firm known as Forrester Research, a leading market research company.

Their report is entitled "The 2021 State Of Enterprise Breaches”, which actually came out on April 8^th.  As usual, they found some interesting stuff, so here is a summary of it some of the major findings:

*There is really no direct correlation between the total number of security breaches that happen in a given time period, and the total financial cost that is related to it.  For example, a lot depends upon the geographic location of the impacted business, and how ready they were to respond and combat to it.

*It took the average American business about 38 days to discover a security breach, but to actually recover  from the breach took almost 2x as long, at about 62 days. 

*Another interesting finding is that businesses that had some of incident response plan, the cost of the security breach was lower, and the average here was at $3.0 million.  But those that did not have such a plan in place, the cost to recover was much higher, at $4.0 million.

*In other words, there is a huge financial gap between those that are even semi ready to respond to a Cyberattack and those that have nothing in place to respond.  This so called “disparity value” has been tagged at well over $600,000.00

*Believe it or not, the United States had a quicker time on average to respond to a security breach when compared to the other geographic regions around the world.  For example, in the pool of respondents, 59% of American businesses suffered, whereas 63% of the respondents from different parts of the world suffered from an attack.

*Businesses that are located in Europe had the quickest time to respond, primarily because they are so heavily governed by the GDPR. 

*Although it is not a huge surprise, this report also discovered that those businesses that had some sort of response plan in place suffered the least in terms of financial loss.

This study also discovered another key finding.  It appears that many of the respondents are still overly concerned with Cyberthreats that occur from the external environment, than versus what can happen in the internal environment.  Here are some of the key findings in the regard:

*47% of the respondents viewed Cyber threats from the external environment as a top priority, but only 34% of the true Cyberattacks came from the outside world.  Of these, it was discovered later that 24% of these breaches actually came from an internal source, and 21% of them came from a third party supplier, who supposedly was traded.

My Thoughts On This:

Overall, the findings of this research study is depicted below in the illustration:

https://www.darkreading.com/attacks-breaches/more-than-60-of-organizations-suffered-a-breach-in-the-past-12-months

From the information I have provided in this blog, I can come up with two conclusions:

*The Insider Threat is real, and will become even more predominant as companies still stay heavily focused on the external environment.  There needs to be a balance between both worlds, but perhaps a greater emphasis needs to be placed on what is going on within a business.  Given the threat environment today, this is even more crucial than ever before.

*The old mentality of:  “If I have never been hit, I will probably never get hit” needs to go away quickly.  But of course, everybody is entitled to think how they want to, but it is in your best interest to have some sort of incident response plan in place. And, this study proved it:  Those businesses that were impacted but had some sort of plan in place to respond faced a lower financial toll than those entities that did not have anything.

Finally, I think that it should be a federal requirement of some sort that companies, no matter how large or how small, or whatever industry they are in, need to fully disclose at some point in time the average dollar figure of the security breach that they have experienced. This is the only way that Corporate America will finally wake up and smell the coffee to the realities of the Cyber threat environment.

Finally, the Forrester Report can be downloaded at this link:

https://www.forrester.com/blogs/breaches-by-the-numbers-adapting-to-regional-challenges-is-imperative/

How The Terms "Autonomous" & "Automatic" Can Lead To A Proactive Mindset

 

I must say that the last couple of weeks have been rather successful my business partner’s and I new Cyber startup.  For instance, we just formed some key partnerships in which we will be leveraging some of the newest technologies that are out there to help the SMB market more so than ever before.  In this, there are two key keywords (yes, more technojargon) that have been around, but will soon hit the news circuits. 

These are “autonomous” and “automatic”. 

Let’s face it, the Cyber industry is changing the by the minute.  It seems like that hardly you close up shop for the night, the next day something new is on the horizon.  Because of this, IT Security teams simply cannot keep up.  Just imagine if it was only us humans monitoring all of this.  We could never keep up, and things will only get progressively worst.

But luckily, there are many tools out there that can help do the routine processes in the daily hunt for what is bad out there, and this is where the term “automatic” or “automation” comes into play.  We have seen how AI and ML can help automate many procedures, especially when it comes to analyzing all of the warnings and messages that come in, and filter out for the false positives.

Now, the next term of “autonomous” is a new one that is coming out.  This simply means that a Cyber tool does not need any human intervention of any kind.  But of course as we all know; some degree is of course needed.  Now, if you combine these two terms, you’ve got a tool that can literally be your watch dog on a 24 X 7 X 365 basis, without ever getting tired.

And, it is in this regard, it is hoped that this newer level of technology can help Corporate America be even further proactive as to what is happening out there in the Cyber threat landscape.  For example, many companies today do not even know if there is a Cyberattacker that is lurking amongst their IT and Network Infrastructure. 

In fact, many hackers break in, and hide for a long period of time, going unnoticed.  Technically, this can be referred to as the “Dwell Time”. 

During this timeframe, data exfiltration will happen, bit by bit, and these pieces of PII datasets will have more than likely made their way into the Dark Web for resale purposes.  Worse than that, it will then be even months until the company in question discovers that they have been breached.  IMHO, this is totally inexcusable.  Given the advancements in technology, these timeframes need to be greatly reduced.

So this brings up the question yet again:  How do we get business owners from having a reactive mindset to one that is more proactive, as stated earlier?  Well, here are some steps that can be followed, rather quickly:

1)     Get to know your enemy:

Once you realize you have been hit and the damage has been done, it does not end there.  The Cyberattacker will come back again, because now they have full knowledge of not only where your weak spots are, but they know now the degree of the value that your crown jewels possess.  In other words, this is not a one and done deal.  So in this regard, this is your best opportunity to study the attack signature, and build up a profile that can be fed into all of the tools  and technologies that are in your arsenal.  This is also where your threat researcher can come into key play as well.  For example, with the intel you have collected, he or she should be able to extrapolate what future profiles this Cyberattacker can bring to the table.  Remember, they are not going to waste time and money to come up with a brand-new threat variant. Rather, they are simply going to build a better mouse trap just slightly so that they can evade detection the second time around.

2)     Watch for supply chain attacks:

As I mentioned before, Cyberattacks just don’t happen once, they will come back to haunt you again.  They many not hit you directly per se the next time around, but they will make their next impact on your other business associates, namely your suppliers, hence the name of the title.  This has been best illustrated by the Solar Winds attack, where just one piece of software tool was used to infect thousands of other end users.  So in this regard, you need to work with your supply chain to make sure that they are up to snuff with their own Cyber defenses as well.  If you have been hit, it is very important that you share with them whatever knowledge you have so they can better protect themselves as well.

3)     Watch for the post breach period:

After you have been impacted and have started to make the road to recovery of mission critical processes, there is still yet more to be dealt with.  For example, customers and key stakeholders of your organization need to be notified immediately of what has just happened, and the steps that you are taking to rectify the situation, and eventually, how you plan to mitigate this from happening again.  Of course, you will also have to deal with the federal regulators, and law enforcements as well.  But there is something even much serious you will have to deal with:  Building up your brand image and reputation once again that has taken years for your to achieve.  Recent studies have shown that customer will stick with their vendor even after they have been hit, as long as they have been open and honest, and are taking immediate steps to address the situation not only now, but into the future as well.  But the bottom line is that this is not the just the job that is left to the CISO:  Everybody in the C-Suite and even the Board of Directors should be held responsible for doing this.

My Thoughts On This:

In fact, just during the last several weeks, I have been having conversations with people as to why Corporate America is so reactive to Cybersecurity.  Very often the thinking is this:  “If haven’t been hit, then most likely, we never will”. 

But now, I am not sure I totally believe in this viewpoint.  I think business owners are truly aware that they need to take further steps to remediate the holes and vulnerabilities that are lurking in their organizations.

The real fear is if that something is discovered, then it will cost a lot of money to fix it.  So why open a can of worms when there is no need to yet?  Unfortunately, this is a mindset that is really just human nature.  We have it in programmed in our minds to think this way. 

But keep in mind also, that the Cyber industry is starting to realize that the SMB market is a totally overlooked one, and that there are some real opportunities in it. 

So as a result, there are making many of their solutions very cost effective for SMB owners.  In fact, many of them now have solutions that integrate the terms “autonomous” and “automatic” together to help better protect you.  So, it is not all totally expensive.  Once you realize that you need to be proactive, take that step and start a conversation with a Cyber vendor who is willing to work with you, the SMB owner.

A Great Security Model For SMBs: What Is It?

 

The Security Model

It is important to protect your business from the Cyber attacker of today.  The question often gets asked “Well, how do I it?  How do I protect my business?”  There is no  easy answer to this, as each organization will have different needs.  But one thing for sure is that you can implement to the best of your ability, a great security model which can be defined as follows:

Technology + Human Vigilance = Good Security

The Technology Component

In terms of technology, this means that you as a business owner, are doing everything you can to make sure you have the proper tools and devices in place.  This includes setting up and deploying firewalls, routers, network intrusion devices, etc.  This also means implementing Two Factor Authentication on all of your company issued wireless devices that you give out to your employees.

One issue that is bound to come across your mind is cost. You are probably thinking to yourself: “This is going to cost me a lot of money, and I can’t afford it”.  Every small business is on a budget, and they probably cannot afford the latest and greatest security tools which come out.  But the key aspect you have to remember is that you do not have to have the latest and greatest. 

You can even use security tools that are even a few years old (but not too old, like 6+ years).  They can still provide a good means of defense, but the key is they have to be maintained and fine-tuned on a regular basis.

By this, you have to make sure that all of your servers, workstations, and wireless devices are installed with the last security patches and upgrades.  This also means that you are also regularly testing your network security devices to confirm that they are doing the job that they are supposed to be doing. 

However, keep in mind that if you do not have an IT department per se, you can always outsource this function to a third-party vendor (but once again, you need to be careful in this aspect as well – this topic will be covered in a future blog).

The Human Vigilance Component

This component of the Security Model is harder to accomplish than the Technological one.  The reason for this is that it involves changing your own mindset as well as your employees about keeping a constant “guards up” attitude.  In other words, this part requires a huge psychological shift in thinking and attitude.

However, in order to expect your employees to have a proactive mindset, you as the business owner, have to take the lead.  The first step in this process is to craft a Security Policy which meets the needs of your business.  One of our previous blogs covered some of the important components of a good Security Policy, and that would be a good reference point to start from. 

After you have written and implemented it, you can then create a little Infographic covering the highlights of your Security Policy.  You can then give this out to your employees so that they can be constantly aware of what they need to do to keep things safe.

Second, in order to help foster this proactive mindset, it is imperative that you have training sessions with your employees on at least a quarterly basis. These training sessions do not have to be literally formal.  Rather, you should conduct them in a relaxed and fun atmosphere, such as a Lunch and Learn. 

Third, after you have instilled into your employees what your expectations are, you then need to empower them to be to be the Security advocates for your business.  You may be wondering; how can this be accomplished? 

One of the best ways to do this is to establish an open line of communication with them, in which they speak both freely and directly.  If they see something out there that they feel could be a Security threat, then they should have the means to be able to tell that to you directly.

Also, if they witness any insider Security threats from within your business, they should also be able to voice their information to you in a confidential manner.  Perhaps, even try to “gamify” your Security approach.  For instance, you can create quarterly contests in which your employees can contribute their own ideas on how to make your business more secure.  The employee with the most number of votes will win a prize, such as a gift card, or something similar.

Conclusions

Overall, this blog has reviewed what it takes to make your business as fortified as possible, using the Security model provided.  Remember, it takes both technology and a strong, human mindset to thwart off the Cyber attacker of today.  You just can’t rely on one component or the other, you need them both in equal amounts.

Trying To Go Passwordless? Use These 5 Keys

 

As now enter into the second half of April, and hopefully you have your taxes filed and getting a refund, the Cyber Threat landscape still remains about the same.  I peruse the news headlines on a daily basis, and except for the usual data leaks and some Ransomware attacks, there is nothing earth shattering that has happened, at least not yet.  Let’s hope that it stays that way.

But there seems to be an increase in some technojargon usage, and no its not the Remote Workforce or the Zero Trust Framework.   Rather, it is MFA that is coming back again.  For those of you who are not familiar with this acronym, it simply stands for “Multifactor Authentication”.

This is where you are required to go through at least three or more layers of differing kinds of authentication before you can gain access to what you are seeking.

But at the heart of this authentication process still remains the pesky password.  Many organizations across Corporate America are trying to get rid of this all together, but the use of passwords has become so ingrained into our society for who knows how many decades that it will never truly disappear by 100%.  It will still stick with us in some form or fashion.

Recently, I have had a few podcasts where my guests and I have actually talked about in this more detail.  They too are trying to go “passwordless”, but going up against a lot of employee on this.  It all comes down to the fact that it is simple human nature. 

Once we get used to something, we don’t want to change unless we have to.  And even, if we have supposedly adopted this new change, we still fight in yearning for the old ways again.

So, if you are CISO, or even an IT Security Manager and really want to get rid of that password all together, here are some tips for you:

1)     Start with baby steps:

Never attempt to eradicate passwords 100% all at once.  Always use some sort of phased in approach first, so that your employees will get time to get used to doing something new and different.  For example, if you still rely upon Perimeter Security where the password is still the primary means of defense, add one in more layer of authentication.  This could be a challenge/response kind of format, or even using something as an RSA token.  This is known as 2FA, or “Two Factor Authentication”.  For example, first start with your employees entering in their password first, then enter in the numeric code that is displayed on the token. Once your employees start to like this idea, then gradually move up to MFA.

2)     Adjust your policies accordingly:

Even before you implement 2FA, conduct a thorough assessment of all of the digital assets at your company, and determine those that require 2FA or MFA access.  If there are areas that are not as critical, perhaps you can still continue to be using just a password to give your employees some more time to adjust to a new process.  But keep in mind, for those areas, always keep a close eye for any suspicious behavior because you are still using only one line of defense.

3)     Try to bring everything together in one:

By this I mean don’t assign on an individual basis each and every employee’s rights, permissions, and privileges.  Rather, migrate to a Cloud platform, such as that of Microsoft Azure.  Here, you can make use of what is known as the “Azure Active Directory”.  This is simply a super sophisticated way of creating groups and profiles for the various departments of your business.  From here, you can then assign those rights, privileges, and permissions that are common to the people in that group, and it will be automatically assigned to them.  Also through the Azure Active Directory, you can also create what are known as “Federated Identities”.  This is where the same login credentials can be used in a more secure way in order to gain access to other shared resources on the network drive.

4)     Adopt the concept of Least Privilege:

With this simply means is that you are giving your employees just enough permissions to access what they absolutely have to in order to do their daily job tasks.  For example, your network administrator will have a much higher level of this than say, your administrative assistant.  But you also need to keep a constant eye on this, as you do not want an employee to gain more privileges than what they need.  The reason for this is simple:  If their username/password are compromised, then the Cyberattacker will have far greater to access to your crown jewels.  This can be avoided by conducting a routine audit at least on a quarterly basis.

5)     Try to educate:

Normally, I would be pretty emphatic about this, but believe me, trying to train employees on good password Cyber Hygiene is very difficult.  You can go on and on ad nauseum about the importance of creating long and complex passwords, the syntax of a good password, blah, blah, blah.  But in the end, your employees are going to go back to their old ways, even trying to circumvent and new policies and rules you have put forth in this regard.  Probably the only way that you are going to get your employees to change is to reward them for good behavior.  It sounds like what a parent would do to a little kid, but in this instance, you may not have much choice in the end.

My Thoughts On This:

Believe it or not, there is a way to go 100% passwordless.  That is through the use of Biometric technology, such as Fingerprint Recognition or Iris Recognition.  Through one swipe of the finger, or one scan one the eye, respectively, your employees can login within seconds that the time it takes to enter in a password. 

But this too will be a hard task to accomplish, because then your employees will be worried about violations to their Civil Liberties and Privacy.

Your best friend here is the Password Manager.  With this, your employees can create all kinds of crazy passwords and have them reset automatically by this software package.  Best of all, your employees will not have to remember their passwords anymore, which will greatly reduce the risk of the so called “Post It Syndrome”. 

In fact, this may be the best route to go first, rather than trying to adopt and implement 2FA and/or MFA.  But the irony here is that the Password Manager requires a password itself so that your employees can log into it.

Using The Tactics Of Security Nihilism Will Not Work - 3 Reasons Why

 

Just yesterday, I wrote an article for a client on what is known as “Compliance as a Culture”.  Essentially, this is a concept where you want all of the employees in your company to be compliant not only with your Security Policies, but also maintain strong levels of Cyber Hygiene that are possible. 

Remember, we all have (or for at least most of us) have heard of the word “Compliance” being used so much as it relates to abiding by the CCPA and the GDPR.

But as I just mentioned, there is so much more to that.  When it comes to abiding by the data privacy laws, the fear tactic has always worked.  For example, as a business owner, I am sure that you would never want to get audited, or worst yet, face all of those stiff fines and penalties.  But using this kind of method can only work so far, especially when it comes to your employees.

The technical term for this is also known as “Security Nihilism”.  Even to this day, trying to scare employees in training programs is a technique that is quite often used in order to make sure that they come clean with all of your Security Policies. 

But in the end, rather than fostering that so called “Culture of Compliance”, you will literally not only create a wall between your IT Security Team and your employees, but you will even have an atmosphere and hatred.

One never wants this, as this will only lead to a huge decrease in productivity levels for your company.  So, what can be done about this? Obviously, you need to come up with ways in order to treat your employees differently.  Probably the best way is to approach them in a very non hostile manner, like treating them as a close friend.  Here are some tips you can implement:

1)     Employees are not the weakest link in your chain:

I get so irritated when people say this.  Yes, employees can and will mistakes, but it is not to mean that they did it intentionally.  Remember that as a business owner, you are far from being perfect either.  Remember your IT Security team can go only so far.  They need a lot of extra eyes and ears as well, and this is where your employees will come into play, even all the way down to your overnight custodial staff.  In this regard, a lot of business owners like to maintain that “gotcha” style of training.  In other words, if a simulated Phishing is launched, those that fall and prey are then taken aside and chastised.  What is the point to this?  As mentioned earlier, you are simply only going to foster a feeling of hate and reprisal with those employees that fell bait.  Instead, take that employee aside, and explain to them what happened.  In fact, don’t even mention the fact that he or she did something wrong. Rather, after pointing the flaws that just occurred, tell them what solutions can be used to rectify the problem.  Taking this approach will not only create a friendly environment, but you will probably even have a more loyal employee to you in the end.

2)     Rewards always help:

From time to time, in order to make sure that your employees are trying to maintain the best possible levels of Cyber Hygiene, rewards can also be a great thing.  For example, perhaps once a month or every two, you should hold a contest as to who is not only maintaining those good levels, but you should also take the opposite as well: providing rewards to those employees that have reported security breaches that were actually looming in on the horizon.  Remember, giving out rewards does not have to be a budget breaker.  Even small items, such as gift cards, a free gym membership, or even a lunch or dinner out can go a long way for the human morale.

3)     Improve your Security Awareness Training programs:

In Corporate America, the thinking is that this is one a done deal, and that you should cram in as much info as you can. But in all honesty, this is probably the very worst approach that you can take.  You need to keep your employees sharp when it comes to spotting security vulnerabilities and gaps, and one of the only best ways to do this is by having regular Security Training Awareness programs. As a rule of thumb, this should probably be done at least once a quarter.  Now, the next point is that your training programs should be longer than 30 minutes, at max it should be 45 minutes.  That is about the average attention span of a human being.  Anything longer than that will simply lead to information overload.  Also, stay away from the boring lecture style format.  You want to make your training programs engaging so that your employees will come with something at the end, and actually apply it. So make the training fund and competitive, and even give rewards here as well.  One of the best ways that you can take this kind of approach is to utilize the concepts of what is known as “Gamification”.  The bottom line here is that never make use of the “Fear, Uncertainty, and Doubt (FUD)” approach.

My Thoughts On This:

Right now, we all are under a lot of stress and pressure, especially with the new variants of COVID-19 coming out, and the situation happening in the Ukraine. One of the very last things you want to do is add further pressure to your employees by using fear tactics to make them straight about Cyber Hygiene. I am strong believer of Karma, and what goes around comes around.

Taking the fear approach is only going to come back to haunt you, and perhaps even cause your business to implode.  Treat your employees like how you would want to be treated:  Respect and friendliness.

How The Windows OS Has Impacted My Life & What The Future Holds

 

When I was growing up in West Lafayette, my parents taught me three things that will never change in my life:  death, taxes, and getting m undergrad degree from Purdue.  So after high school, I did attend Purdue, and just like a lot of other college undergrads, I switched my major around a number of times until I got into Age Econ. 

Then, I was taught one more thing by professors in that program that was going to be an almost guarantee:  You will be using Windows from Microsoft for the rest of your life.

So far, the have been correct.  Windows 3.1 first came out when I was at Purdue, and to be honest, I knew hardly anything about computers at that point in time.  I was totally blown away by that OS, and especially how easy it was to print my resume on a laser printer.  So, I continued using that until I graduated, and even after.

When I hit my grad days at Southern Illinois University, Windows was never heard of. All we had to use in in the Ag Econ department was pretty much Word Perfect, and Lotus 1-2-2 for any spreadsheet apps.  Nothing like the glory of Windows 3.1 of course, but it was still good enough to get the job done. 

The turning point came when I went to Bowling Green State University to get my MBA.  That is where I got my kick into computers, as I was an MIS major. During this time frame, Windows ’95 came out, and it totally blew everybody away once again.

Also, Windows NT was making its debut, and in my MIS classes, any group project or case study we did had to center around NT. 

Then, after I graduated, we had the .com craze. Just about every vendor was getting pumped, even including Microsoft.  Every .com venture had to have a Windows network topology running NT, and Oracle as the backend (not too many people were hip about using SQL Server back then). 

Then this all collapsed, and Windows 2000 came out, both the personal and server editions.  That is where I got my first introduction to Active Directory.

So fast forward now the last 20 years, and now we have Windows 10 as the primary OS being used around the world.  At the time, there was talk and rumor that this would be the last OS from Microsoft.  Then one day, out of the blue, the announcement came that Windows 11 was soon to be released. 

I went “Huh???”  But unlike the other OS’s, this one is absolutely free to upgrade to, provided that you meet the minimum requirements, from the standpoint of hardware.

I have written articles recently on some of the key differences between Windows 10 and Windows 11, and I will address them in a future blog.  But since my passion is Cyber, we will explore now as to how Windows 11 is different from this standpoint. Here are some key areas:

*First, the Windows 11 OS has been carefully crafted to implement what is known as the “Zero Trust Framework”.  Essentially, your business is doing away with Perimeter Security, and is now focusing on segmenting out your IT and Network Infrastructure into different layers, each with its own set of Multifactor Authentication (MFA) protocols.  In the end, nobody can be trusted, even your long-term employees.  Does sound it sound harsh?  It is, but apparently it seems to be working.

*The implementation of a new kind of processor (this is assuming that you are buying a brand-new laptop with Windows 11 already installed onto it).  This is known as the “Microsoft Pluton”. 

*There is now a Smart App Control that allows the end user to prevent any form of unauthorized application from running;

*There is a control which has the default features enabled to prevent the heisting of your device, creating secure guest accounts for end users and authenticating them;

*The Pluton processor also implements what is known as the “Trusted Platform Module”, or TPM for short.  This has been designed in such a way so that any information or data (also known as “artifacts”) is further protected from the Cyberattacker;

*Further, Microsoft has made it so that the use of a TPM is now a baseline security requirement.  This simply means that if your existing computer or wireless device does not have it, you will not be able to run Windows 11 on it;

*The TPM can also be viewed as an add on to the CPU, it is not actually a separate component by itself.  This means that if you are running Windows 11, any software patches or upgrades that are installed, will also be automatically transmitted to the TPM if it is applicable to it;

*If any dedicated firmware updates have to be made to the TPM, the IT Security team can do it seamlessly through the Windows Update feature from a central location.  The advantage here is that each computer or wireless device will not have to be updated separately;

*There is also known what is the “Smart App Control”.  Unlike the previous versions of the Windows OSs, the use of AI and ML are being used for the first time here.  For example, if there are any new apps that are being installed, and they are deemed to be suspicious, Windows 11 will prevent the download from happening, or even block the use of the application all together.  Also, any scripts that are being accessed from the Internet (most notably those of the Java Script) will be carefully examined and blocked, if they are deemed to be malicious in nature;

*There will also be what is known as the as the Hypervisor-Protected Code Integrity, also known as the “HVCI” for short.  This is primarily designed to ensure that the drivers that are used to boot up the Windows 11 OS are free from any malware or malicious code.

My Thought On This:

The security features detailed in this blog is jus an overview.  If you want to read up more about it, click on the link below:

https://www.microsoft.com/security/blog/2022/04/05/new-security-features-for-windows-11-will-help-protect-hybrid-work/

In the end, Windows 11 has also been primarily designed to cater to the needs of the Remote Workforce – which is now going to become a permanent fixture in the American culture.  The next question to eb asked is if you should upgrade to Windows 11 right away? 

For right now, the consensus seems to be that of a big “NO!!!”.  The primary reason for this is that if you upgrade to it, you could even lose some of the functionality that you already have in Windows 10.

The suggestion here so far is if your heart is absolutely set on having Windows 11, have the Geek Squad do it for you, or simply buy a new device that has Windows 11 already installed onto it.

The Next Threat Variant To Emerge From COVID-19 & The Ukraine Crisis

 

As I look back two years ago when the COVID-19 pandemic first hit, never did I think, or for that matter, really anybody else, that the world would be forever changed as it has been right now.  Sure there are global tensions right now, but those will have a way of working out.  All conflicts of that nature, for the most part, have some kind of resolution in the end, if history proves right.

But the pandemic is something that will stay with us permanently now, just like the flu virus has.  There will be peaks and troughs in terms of the total number of people getting sick or dying, but eventually the human race will accept it and move on with it.  Heck, even the WHO is giving some thoughts right now as to classifying COVID-19 now as an “endemic”.

True, the virus has brought a lot of bad with it, but on the flip side, it has brought some good with it also.  Consider some of these:

*The near 99% workforce which was once thought to be a future concept is now a reality and seems like it will be now forever;

*The vaccine creation process has greatly increased.  For example what would take 4 years to bring a vaccine to market has now happened in just a matter of months;

*Although there is a still a great deal of reactiveness in our culture, at least people have now started to realize the importance of Cybersecurity, and what it means.

The focus of this blog is going to be on the latter, because of course that is where my experience is in.  The threat landscape is an always changing one, and will only get crazier over time.  Many security pundits predicted that 2022 will be the worst year ever, and while the total number of Ransomware attacks do continue, so far at least to me, I don’t see a lot of difference from last year.

But, just like the COVID-19 variants that have come out, such as that of Delta and Omicron, there will also be many variants of Cyber attack vectors as well. Remember, unless they have deep pockets or have a well-developed research team, the Cyberattacker of today really does not want to create new variants from scratch.

Rather, they are just happy to create something a little different from a previous launch.  In other words, all they want to do is merely build a better mousetrap in mind.  So with this in mind, many Cyber analysts have their eyes on a possible new variant, and this one is called “HEAT”, and it is acronym for “Highly Evasive Adaptive Threats”. 

It has been discovered by Menlo Security, and it targets primarily the vulnerabilities that are found in all of the web browsers that are being used today, most notably those of Chrome and Edge.  The reason for this is prey is simple and clear: 

With everybody working from home (WFH), one of the primary tools that is used for conducting everyday job tasks is the browser itself.  In fact, it has even been cited that at least 75% of the remote workers are on the web to do their job functions. 

More information about this can be seen at this link:

https://cloud.google.com/blog/products/chrome-enterprise/chrome-is-helping-it-teams-support-cloud-first-workforce

And in fact, Menlo Security has discovered a whopping 224% in HEAT based attacks since the second half of last year.  So what makes this new variant so stealthy?  Here are some clues:

1)     It avoids the conventional IDSs and IPSs:

These are acronyms that stand for an Intrusion Detection System and Intrusion Prevention System, respectively.  The former uses known profiles to detect threats, and the latter uses heuristic learning algorithms to help stop the threats from happening in the first place.  But, the HEAT variant is so sophisticated it can evade both of them by using a technique known as “HTML Smuggling”.

2)     Avoids link analysis:

Most email systems today are actually pretty good in blocking emails that seem to contain a malicious link that is embedded within them.  For example, either the email is quarantined or the images and links are totally disabled should the email still find their way into the end user’s inbox.  But the HEAT variant can bypass all of this, using other sophisticated techniques, which in all honesty, have not been completely discovered yet.

3)     Replicating the good sites:

The worst of domain name heisting and the creation of phony websites reached its peak at the height of the pandemic.  This still continues, but in the past, there were always some telltale signs of a phony website.  But now, with the advanced techniques of the HEAT variant, the Cyberattacker is able to 100% replicate an honest and good website and make it look like the real thing.  Because of this, they ae able to avoid the being blacklisted by the various domain registries around the world.

4)     Evades firewalls and routers:

Both of these tools are used to sniff out for malicious data packets, and prevent their entry into the internal environment.  But a drawback of them is that they are highly dependent upon known signatures from previous attacks in order to learn what a malicious data packet is.  Because of this, many businesses are now making use of what is known as the “Next Generation Firewall”, which makes of both AI and ML in order to learn and build profiles about these known signatures.  From here, this tool can project as to what a malicious data packet could like into the future.  But even here, the HEAT variant can bypass most of this by simply hiding in a vulnerability discovered in the Java Script coding.

My Thoughts On This:

IMHO, the world will be seeing more of this kind of variant this year, and even going into 2023.  As I have described, the Cyberattacker is cheap about the creation of a slightly newer variant built upon a previous one, but they are extremely proactive about being much more sophisticated in their ways.  The bottom line in all of this is that they are able to evade detection by hiding in the various memory components of the wireless device or the web browser itself.

In the end, the only defense you have is to make sure that you, your employees, and your business maintain strong levels of Cyber Hygiene.  No need to repeat all that again, a simple Google search can reveal what you need to do right now.

Finally more information about HEAT can be seen here at this link:

https://www.menlosecurity.com/blog/two-minutes-onhighly-evasive-adaptive-threats-heat/

How The Newest Version Of The PCI DSS Standard Will Effect You

 

With all of the turmoil that is breaking out right now in the Ukraine, all Cyber eyes have been pretty much on that.  But keep in mint that there is plenty happening here too, in the United States.  The fears of attacks to Critical Infrastructure are growing every day, and Ransomware attacks still persist. 

Because of all of this, the stakes of holding PII datasets is growing even more menacing as well.  For example, the data privacy laws of both the GDPR and the CCPA are now starting to take full bite, with audits and penalties now starting to take place. 

This was largely ignored during the height of the COVID-19 pandemic, but now since that seems to be coming down, the auditors are now really ramping up.  But there is one regulation out there which has not received so much limelight until now. And that is the PCI Standards Security Council set of standards, also known as the “PCI DSS”.

Essentially, this is a consortium of the major credit card companies (which includes the likes of Discover, Master Card, VISA, American Express, and the JCB), and the major goal is to ensure that a strict set of guidelines are implemented when it comes to the protection and usage of the credit card information and data of each and every card holder. 

This consortium was founded in 2006, and in fact, there is a dedicated website in which you can get much information on, and the link for that is:

https://www.pcisecuritystandards.org/

The PCI DSS has set forth some very strict and specific standards when it comes to safeguarding to the PII datasets, and the types and kinds of controls that the major credit processors have to implement.  A future blog will examine this much more detail.

Just like the GDPR and the CCPA, every few years, the PCI DSS also updates their own set of standards, and the last version to come out was back in back in 2018, known technically as “v3.2.1”.  But just last week, the most recent version came out, and this is now known as “v4.0”. 

The primary reason for this new cut is the amount of credit card fraud that took place during the COVID-19 pandemic, the sheer rise of making online purchases on wireless devices, and the deployment of customized shopping carts on the major Cloud platforms such as that of the AWS and Microsoft Azure.

While the overall structure of the PCI DSS standards have not changed in v4, a few more general enhancements were made to it, especially addressing the need for credit card processors to make their security models into a continuous one (this essentially means maintaining a proactive mindset), and adding extra sets of validation procedures and methods.

But there are two key differences with v4 than with the previous versions, and they are as follows:

*Online merchants can now make use of what is known as “Customized Implementation”.  This simply means that the online merchants can now custom create and implement those controls that will be used to protect the PII datasets.  But, if this option is chosen, there will be much scrutinization by the auditors of the PCI DSS to make sure that these customized controls do actually meet the pre-established standards.

*The Identity and Access Management (IAM) methodologies as set forth by the NIST Special Publication 800-63B will also be strictly enforced as well, and credit card processors as well as the online merchants will have to implement the following:

Ø  Multifactor Authentication (MFA);

Ø  Passwords have to be changed on at a minimum every 12 months;

Ø  Longer and more complex passwords have to be created (consider the use of a Password Manager here);

Ø  Access controls and the respective privileges that are assigned have to be reviewed at least once every six months (of course the more, the better);

Ø  Access for contractors or other third-party vendors can be granted only on an as needed basis.

As one can see from the above, PCI DSS consortium is slowly moving towards adopting the Zero Trust Framework.  Also, a brand-new security standard will also be strictly enforced and this is known as the “PCI 3DS Core Security Standard”.  More details about this can be seen at the following link:

https://blog.pcisecuritystandards.org/what-to-know-about-the-new-pci-3ds-core-security-standard

Also, details on the NIST Special Publication can be seen here at this link:

https://pages.nist.gov/800-63-3/sp800-63b.html

Also, any credit card information and data that is stored in cleartext will have to be eliminated with the ramp up v4. 

My Thoughts On This:

The good news here is that v4 will not be fully enforced until at least 2025, which will give the online merchants time to get readjust and calibrate their existing transaction and storage processes.  The language that is contained in v4 will be translated into different languages as well, and this is expected to be completed by this summer.

Interestingly enough, the older version, v.3.2.1, will still have effect for two years after v4 is being rolled out.  But after that it, will be totally phased out and v4 will take full force.  A diagram for the implementation of v4 is illustrated below:

(SOURCE:  https://www.darkreading.com/edge-articles/what-s-new-in-pci-dss-4-0-for-authentication-requirements-_

Once again, one of the key differences of v4 compared to the other versions is that the online merchants now have a greater flexibility in the types of controls that they need to implement.  But nobody should be caught off guard by this, because the compliance standards and enforcement expectations will be much higher in this regard.

Learn About How Your Business Can Benefit From Autonomous Penetration Testing

 

Hey Everybody,

As the Cyber threat landscape is getting further complex each day, there are many tools out there which you can use to detect where your vulnerabilities may lie at.  Many of these are manual based, and there are many free tools available out there on the Internet that you can download and use yourself.  But unless you have some sort of technical background in this, this will most likely be a task that you do not want to take on yourself.

In these cases, it is always best to hire a dedicated Penetration to do this for you.  There are literally hundreds of them that you can choose from, but there will of course be the expense of hiring them throughout the tenure of the testing exercise.  Some of them try to be reasonable, but for the average SMB, the cost can still be prohibitive.

The Cybersecurity Industry is aware of this, and as a result, they have come out with automated tools that you use for your Pen Testing needs.  One such company is called Horizon3, and they have developed a completely autonomous tool called “Node Zero”. 

In this podcast, we have the honor and privilege of interviewing of Snehal Antani, the Co-Founder and the CEO.  He will do a deeper dive into this cutting-edge product, and so you will get to see for yourself how you can benefit from the “Node Zero”.

You can download the podcast at this link:

https://www.podbean.com/site/EpisodeDownload/PB11E9BBFTKUK4