Introducing The Verizon 2022 DBIR Report: Cyber Trends You Must Know About

 

It is about this time of the year that many of the much larger Cyber vendors start to publish their reports as to what transpired on the Cyber threat landscape.  Some of these include IBM, Malware Bytes, etc.  Of course, there those other vendors that come out with their own periodically, and if there is one that relates to a blog posting that I am writing on, I usually cite it there. 

One such vendor that comes out regularly is Verizon.  One may often think of them as the wireless business, but they are also strong in the Cyber area as well, and their reports are fairly exhaustive in nature.  So without much ado, I now introduce to you the “2022 Data Breach Investigations Report, once again, made available from Verizon.

Interestingly enough, Verizon did not poll any respondents in any particular survey, but rather, they looked at the total number of security breaches that occurred in 2021, and from there, formulated a number of hypotheses. 

So for this project, there were a total of 23,896 security incidents which were studied, and from that 5,212 were actual data breaches. From here, these incidents and breaches were divided into eight distinct groups, which are as follows:

*Web application attacks: 

As the name implies, these are attacks against Web based apps, no matter what they may be.

*DoS/DDoS attacks: 

This is the where the server is flooded with malformed data packets, causing to almost shut down.

*Lost/stolen assets: 

These are both the digital and physical assets that have either lost or stolen.

*Miscellaneous errors: 

These are the unintentional mistakes caused most likely by employees.

*Privilege misuse: 

This is the unapproved escalation of privileges, rights, and permissions.

*Social engineering: 

This is when an individual or employee is tricked into giving out confidential information and/or data points.

*System intrusion: 

These are pretty much the Malware based attacks.

*Everything else: 

This includes any other threat vectors that do not fit in any of the above categories.

These can be seen in the illustration below:

(SOURCE:  https://www.darkreading.com/edge-threat-monitor/most-common-threats-in-dbir)

From the above, the top two security threat vectors were that of Web applications, and Social Engineering, which is not surprising.  This can be seen in the diagram below:

(SOURCE:  https://www.darkreading.com/edge-threat-monitor/most-common-threats-in-dbir)

Here are some of the other key findings from the Verizon Report:

*Systems intrusions are probably amongst the most difficult to detect, because there are so many different avenues that the Cyber attacker can get in and stay for a very period of time going unnoticed.  This is why the average time to detect a security breach is 300 days.

*One key reason for the increase in in the system intrusion attacks is the sheer rise in the total number of supply chain attacks that are happening as well, such as the Solar Winds example, in which over 1,000+ victims were impacted through one single point of failure.  It is through here that the Cyberattacker was able to deploy their malicious payloads.

*In these kind of attacks, there has been a drastic rise in the number of command-and-control VMs that are being used, in an attempt to avoid being tracked down.

*For systems intrusion attacks, the most commonly used threat vectors are as follows:

Ø  Third party software;

Ø  Software updates and patches;

Ø  Desktop sharing software packages;

Ø  E-mail, primarily that of Phishing.

*With regards to the Web based application attacks, the use of backdoors, remote injection techniques, and the use of desktop sharing software to compromise the hosted server were the most vectors that were used. 

*In terms of the most impacted victims, the breakdown is as follows:

Ø  For system intrusion:  Manufacturing.

Ø  For Web based apps:  Manufacturing and financial services;

Ø  For Social Engineering:  Retail and professional organizations (such as staffing firms).

Finally, the report stated that in 82% of the security breaches that were examined, the human element played a key role whether it was intentional or not.

My Thoughts On This:

Truthfully speaking, I have not read the entire Verizon report in detail, there are just some of the key findings that I picked up from it.  But whatever else it has mentioned, it is true that, IMHO Web based attacks and Social Engineering are going to be the norm of the future, going well into 2023.  This stems from two key areas: 

Insecure source code that is being used to create the Web application; and Cyberattackers are fully aware now that people’s minds are on protecting their digital assets.

Therefore, why not turn attention to what is called as the weakest link in the security chain, which is the human being?  Social engineering attacks work great here, especially for those people that are on the go and as a result, do not carefully think about what they are saying.  This is well exemplified by the retail sector, as the report has found.

But another key thing to keep in mind is that with systems intrusion, we will probably not see the likes of another Solar Winds for some time to come. Rather, as it has been forecasted, we will probably see much smaller scale ones happening, but the objective of the Cyberattacker here is to cause even more mass confusion for the IT Security teams that have to deal with them.

Finally, Phishing, probably the oldest of the threat variants will never go away.  It will be here for a long time yet to come, with more potent variations of it coming out. 

Finally, the Verizon Report can be downloaded at this link:

https://www.verizon.com/business/resources/reports/2022/dbir/2022-dbir-data-breach-investigations-report.pdf

I am eventually planning to make an eBook based on this, so stay tuned!!!

5 Point Checklist: How To Draft A Solid BYOD Security Policy

 

Looking back over the past two years, it’s hard to believe that COVID-19 pandemic happened.  When I first say the headlines, I thought it would pretty much stay confined to China.  But it did not, and it has impacted the world we never thought were possible, for the good and the bad. 

It was scary for those first few months, seeing the financial markets literally melt and everybody getting sick. 

Probably one of the biggest lessons learned from this whole thing is the Remote Workforce.  It seems like that everybody wants to work from WFH, and in fact, the people that I know of whom have received offers made WFH a condition of acceptance. 

But there is one common denominator with this, and that is remote workers (heck, really everybody for that matter) are now more glued than ever before in front of their smartphone.

In fact according to recent surveys, the following trends were discovered:

*Over 58% use their personal devices to do work related matters when they know it is against company policy to do so;

*84% of the businesses polled said that they have literally given up in trying to come with new strategies to keep employee’s personal devices protected. 

Given these trends, one could surmise that as long the Remote Workforce is here to stay, employees will continue to use their own devices to do their job. So what can, you the CISO, do to circumvent this from happening?  Unfortunately, there is not a lot, unless you want to enter your employee’s home and do all of the upgrades and patching to their personal device.

But we know that this will never happen.  So here are some tips:

1)     Force to have meetings on Zoom or Teams:

These two video conferencing platforms have come a long way since two years ago, especially Zoom with all of the security flaws that it had at the time.  In fact, I have started to use Teams a lot more now, and I am astonished as to all of the features it has with it.  For instance, you can dial directly to other coworkers, and even hold private chat sessions.  But back to the topic at hand, whenever there has to be a meeting, make your employees login through their laptop (or other company issued device).  If you discover that they have connected in through their personal device, kick them off and don’t let them log back in again until they have reconnected using the appropriate device.

2)     Try to make use of the Zero Trust Framework:

I have written about this before, so not much more to say.  From what I have been reading about in recent articles, some 80% of business entities are trying to adopt this framework.  Although there have been some setbacks, overall, it seems that there is some success coming out of it.  Heck, IMHO, it is far better to make use of at least three layers of authentication or more, that just one two, as the 2FA methodology prescribes.  Note that this kind framework is quite extreme, and you may not have all of the buy in from your employees.  But in the end, you the CISO have the ultimate responsibility for the protection of your digital assets.

3)     Implement the use of Mobile Device Management (MDM):

With this policy, you are making sure that each and every wireless device that is accessing the shared resources on your servers has been authenticated through the channels your have set forth.  If your employees are still insistent of using their own smartphone to reach such resources, then you have to tell them that their personal device has to be registered through the MDM tools and directives.  If not, then its plain and simple:  They won’t have access to shared resources.  It’s their choice.  In fact, many companies in Corporate America are adopting the MDM framework, and this market is expected to a high of almost $16 Billion by the year 2025.

4)     Make sure that only legitimate apps are downloaded:

This can be a dicey situation.  If you have given your employees a company issued device, then there is no worry about conducting random audits on them to make sure that only legit apps have been downloaded. But if an employee is using their own device, well then this becomes an issue of privacy rights violation.  I really don’t have a definite answer on this one, so it may be best to consult with your business attorney to see how you can go about doing this.

5)     Train your employees:

If you expect your employees to maintain good levels of Cyber Hygiene when it comes to using their personal devices for doing work related stuff, then you need to give them the ammunition to do so.  So in this regard, you need to be delivering at least on a quarterly basis security awareness training programs, with a focus on safe smartphone usage.  No need to keep these training programs hours on end, even just a simple 30 minute one will do.  Remember , you want your WFH employees to remember and apply what they have learned. In fact, this has been one of the key mantras of Cyber ever since COVID-19 hit.  But quite astonishingly, only 50% actually give any sort of formal training program for their employees, whether they are remote or not.  More information about this can be seen here at this link:

https://newblogtrustlook.files.wordpress.com/2016/10/trustlook_insights_q4_2016_byod.pdf

My Thoughts On This:

This concept of employees using their own smartphones to conduct work related matters is really nothing new, in fact I first wrote about this back in 2012.  It is called “Bring Your Own Device”, or “BYOD” for short.  In the end, given the work climate today, you want to keep your good employees by giving them certain freedoms that would not existed before.

But employees also need to come halfway in this regard, and allow some sort of safety scrutinization of their personal devices by you and your IT Security team, if they are going to use them for work related purposes.  Once again, I am not sure about the legal ramifications of this are, but I would say go ahead and try this policy the best you can.

The worst-case scenario your employee that does agree with this will probably just simply quit.  But of course, during this period of the so called “Great Resignation”, finding a new employee that is willing to abide by your security policies should not be too difficult either.

Healthcare Faces an Aggressive Threat Landscape - How To Remediate It With Node Zero

 

Hey Everybody,

Asd we approach the second half of the year, luckily we remain unscathed yet from a major Cyber breach from occurring. Of course, there are the usual ones that we hear about on a daily basis, but given the political situation with Russia and the Ukraine, there has always been a huge fear that something cataclysmic would happen, especially with our Critical Infrastructure.

But needless to say, there are certain market segments that keep getting pounded with security breaches, and one of them is the healthcare sector.  There is a huge risk here, especially since you are dealing with patient’s records.  If they are ever accessed, people with implanted medical devices are also at a graver risk, because they can be easily infiltrated into as well, putting their own lives at risk. 

What is one to do?

One  solution is  through Penetration Testing, in which all of the gaps and vulnerabilities can be discovered and remediated.  But on the flip side, conducting one can be quite expensive, in the range of at least $30,000.00.  As a result, many SMB healthcare organizations cannot afford this, especially if they need to keep up with compliance regulations (such as HIPAA), which require repeated Pen Tests to be done.

The Cybersecurity Industry is aware of this, and as a result, they have come out with automated tools that you use for your Pen Testing needs.  One such company is called Horizon3, and they have developed a completely autonomous tool called “Node Zero”. 

In this podcast, we have the honor and privilege of interviewing of Snehal Antani, the Co-Founder and the CEO.  He will do a deeper dive into this cutting-edge product, and so you will get to see for yourself how you can benefit from the “Node Zero”.

You can download the podcast at this link:

https://www.podbean.com/site/EpisodeDownload/PB12353C7S7E2D

Thinking Strategically Is Far More Valuable Than $$$ To Cyber Protect Your Town

 

Whenever we hear about Cybersecurity in the news, especially when it comes the government, it is always what happens in DC that comes our first in the news, and for that matter, gets the most attention.  For example, when Biden announced his Executive Order for Cybersecurity some time ago, everybody was all for it. 

But the verdict is still out if it all has come to any fruition or not yet.  Then there were I believe one or two more major ones that Biden signed off one, plus a plethora of others that the House has tried to introduce, but I don’t has gotten anywhere substantial yet.

But what about the local governments?  When do we hear about them?  Unfortunately we don’t really hear anything about them until some sort of disaster has impacted them.  For example, last year which was deemed to be the year of Ransomware, there were a bunch of cities and towns that were hit by such attacks. 

Some had their water supply choked off, there were attacks on their energy grids, and even IT/Network Infrastructures were infiltrated into.

Unfortunately, it is these local governments that are left hanging out on their own trying to figure what to do if they have been hit by a security breach.  Some have paid the ransom, and some have not (good for them, actually).  The Federal Government does seem to help out, and many of the Cyber vendors don’t offer too much help because there is not enough money to be made off of local government contracts.

So, what is a mayor to do to help their defend their town or city?  Here are some ideas:

1)     Try to get hold of a Cyber Vendor who can work with you:

Ok, this may sound like that I am going back against what I just earlier said, but there are Cyber Vendors that focus, or at least partially, on the local government sector.  These are not easy to find at first, but after enough digging and Google searching, you should be able to find a few vendors.  But just don’t take the first one that you meet, try to get some choices lined up.  After all, they have to meet your needs, and fit within your budget also.  After you have selected one, it is important that they stay with you for the long haul, and not bail out on you.  In this regard, try to get a long-term contract going.  Now, as the leader of your town or city, if you are completely new to Cyber (and there is nothing wrong with that), one of the best pieces I can offer to you is to first hire a vCJSO.  These are CISOs that have many years of experience in the field, but are now working on a contractual basis for fixed term projects. Having one on your staff even for a short term can be a big benefit, as they will most likely have the contacts to help you find that Cyber Vendor to work with you for the long haul.  But timing is of the essence here, as it Ransomware attacks on US local governments have reached a staggering cost of almost $19 Billion.

2)     Don’t be a miser:

For the most part, everybody knows that local governments all over the US are hard pressed for money, and are under constant pressure to keep watching their budgets.  In fact, the lack of money is an excuse that is often by used by mayors or other leaders, for totally ignoring Cybersecurity.  But don’t you make that kind of excuse either!!!  The moment you start doing that, you are setting up yourself for failure.  While you may not get all of the money you need, there is always some to be found somewhere.  For example, you can always have fund raisers, or if need me, set up a Go Fund Me account on Facebook.  Also, the Federal Government, while of course not doing a very good job at advertising it, has money set aside, believe it or not, for the local governments.  At the height of COVID-19, the American Rescue Plan was signed into law.  In it, there has been about $350 Billion allocated to the 50 states and their local governments.  Now it does not specifically dictate how that money should be spent once its allocated to a state, but that should give you more reason to spend more than you do for Cybersecurity.  In fact according to a recent study by Deloitte,  it has been discovered that spend only 1% - 2% of that money for Cyber related needs.  More about this report can be seen here at this link:

https://www2.deloitte.com/content/dam/insights/us/articles/6421_Ransoming-government/DI_Ransoming-government.pdf

Heck one study even found that at least 45% of Ransomware attacks are hit upon the local governments and their corresponding municipalities.  More on this can be seen at this link:

https://blog.barracuda.com/2020/08/27/threat-spotlight-ransomware/

In fact, don’t be afraid to even approach your local SBA offices.  Although there are designed to work SMBs, they can help local governments as well.

The moral of the story here is that while you may not get all of the money you need, there is availability at least for some of it.  You just have to be creative in finding them. And once you get some extra money in your wallet, think strategically as to how it will be spent for what Cyber purposes.  In other words, just don’t give a blank check to your IT Security Administrator, get the bare minimum that you need, and figure out the best optimal way to deploy those new gadgets.  Remember, two firewalls can be just as effective as having ten of them, provided that they used in the most optimal way.

3)     Conduct a Risk Assessment:

Once you have found a Cyber Vendor that you can work with, it is first very important that you conduct a Risk Assessment.  This simply means, on a general level, you are taking an inventory of all of your digital and physical assets, and ranking them on some sort of vulnerability scale.  Of course, those that are found to be the most vulnerable should receive the immediate attention of your IT department.  From there, you then need to figure out the controls you will need to put into place.  There are many frameworks out there that are available for free to help you do this.  For example, they include the ones from the CIS and NIST.  Follow these links to get more information on them:

https://www.cisecurity.org/controls/cis-controls-list

(FOR THE CIS)

https://www.nist.gov/cyberframework

(FOR NIST)

After this, the next step would be to conduct a deep dive Penetration Test, in order to discover any other gaps or weaknesses that have not been seen yet.  Then follow a path of security where eventually at some point you will be able to deploy the Zero Trust Framework.  This is where absolutely nobody is trusted.  Sound extreme?  Yes, it is, but has yielded some results to the businesses that have implemented this methodology.

My Thoughts On This:

Another line of thinking is to find out those resources that are freely available to the SMBs in your city or town.  I know there are a lot of them, especially when Trump signed into law this kind of allocation before he left office.  You don’t have to have deep pockets to adequately mitigate the Cyber risks that are posed to your city.  You just have to think strategically, especially when it comes to doing the Risk Assessment.

And to the Cyber Vendors:  Yes, we are all businesses and have to make money.  But Cybersecurity is also a team effort for everybody.  Forget the bottom line for a little and offer your services even pro bono to a local government for a small period of time. Doing so could yield you a lot of fruit in the end.

The 5 New Ways In Which Your Android & iOS Devices Are Being Targeted

 

Well, happy weekend everybody!!!  It’s hard to believe that in another week it will be Memorial Day Weekend, and soon, half the year will be over.  Honestly, this year has gone by the fastest than I ever remember. 

But speaking of the halfway mark, in June I will be releasing my midyear Cyber Report. Just to pique your curiosity somewhat, the topic will be about the true cost of Security Breaches that have occurred here in the United States.

Everybody talks about it; nobody has really put a firm dollar value to it.  This is where I am hoping this report will have.  One of the other objectives of it is to hopefully raise some alarm bells as well.  I could have written about other topics, but last year I covered Ransomware, and at the beginning of this year, I covered Phishing.

Anyways, as we hit June, there is yet another form of threat vector out there that has not received the attention it should be getting.  We are all so obsessed with the Cyber impacts from Russia invading the Ukraine, that this one has totally faded out. 

What am I talking about?  It is attacks to our mobile devices, whether there are notebooks, tablets, laptops, smartphones, etc. 

Luckily, I came across an article which covered some of the major avenues in which your device can be attacked.  Some of them I never even thought of before.  So, here we go:

1)     Conducting Fraud:

When one thinks of an attack to a smartphone, the immediate thoughts that come into mind are that of the Cyberattacker taking 100% control of the device, or implanting some kind of Malware on it in order to gain access to the information that is stored on it.  But now, hackers can use your smartphone as a way to conduct fraudulent based activities.  This is technically known as “On Device Fraud”, or “ODF” for short.  This kind of attack first hit the mobile apps that were created for the customers of the major banks, but now it is being used anywhere fraud can be carried out. Two of the most notorious threat variants are that of Octo and Teabot.  They both allow for the hijacking of video conferencing and screen sharing on your Android device.  More information about these two can be seen at these links:

https://thehackernews.com/2022/04/new-octo-banking-trojan-spreading-via.html

(FOR OCTO)

https://www.zdnet.com/article/teabot-android-banking-trojan-continues-its-global-conquest-with-new-upgrades/

(FOR TEABOT)

2)     Redirecting phone calls:

Think Smishing attacks and Robocalls are annoying enough?  Well, here is something that is even scarier.  Placing a call on your smartphone with a legitimate phone number, the Cyberattacker intercepting it, and instead rerouting your call to another receiver.  In this entire process, you do not even know what is happening until the person picks up on the other side.  This trend started to happen with a rogue mobile app Trojan Horse known as “Fakecalls”.  During the installation process of this app, the Cyberattacker overwrites all of the permissions on your smartphone.

More information about this nasty Trojan Horse can be seen at this link:

https://usa.kaspersky.com/blog/fakecalls-banking-trojan/26354/

3)     Taking over push-notifications:

This is when you receive a direct notification, such as a One Time Password (OTP) in which you have to respond to.  For example, many financial institutions now require some sort of 2FA, and using an OTP fits this bill perfectly.  But now, there is a new piece of Malware called the “FluBot” that directly targets the push notification functionalities of Android based devices.  This Malware will reply automatically to any sort of push notification that you may receive, even without you knowing about it.  Even worst, it can even hijack the address book in your Android device, and spread itself like a worm to infect other wireless devices to your contacts.  This kind of attack is known technically as “Push Message Phishing”.  There is another variant of this which is known as “Sharkbot”, and information about both can be seen at these links:

https://www.darkreading.com/threat-intelligence/flubot-malware-s-rapid-spread-may-soon-hit-us-phones

(FOR THE FLUBOT)

https://www.darkreading.com/endpoint/google-removes-dangerous-banking-malware-from-play-store

(FOR THE SHARKBOT)

4)     The creation of new domain names:

A new trend that started to occur when COVID-19 hit was the registration of many domain names by the Cyberattacker.  While one intent of this was to create phony and fictitious websites, the other has been used to create multiple command and control centers hosted on VMs.  For example, when a Cyberattacker launches an attack, he or she may not specifically target the victim. Rather, they will issue remote commands through one of these servers to in target the victim, in an effort to disguise themselves.  But keep in mind that tracking these kinds of ill-used domains has been a target of law enforcement, such as that of the FBI.  So to avoid further detection, the Cyberattacker will shut down the VM on which a domain has been used, and create a new one, to host a new domain to be used for these malicious purposes.  The Sharkbot variant has been used for this very purpose, in an effort to stay covertly inside your wireless device for extended periods of time.  In a way, this can also be compared to that of an Advanced Persistent Threat.

5)     Getting through Google and Apple:

Apple has one of the most stringent requirements when it comes to uploading of new apps to iTunes, and Google not so much. But even despite these tight requirements, Cyberattackers have found ways to bypass all of this and deploy the rogue mobile apps.  These kinds of apps are technically known as “Droppers”.

My Thoughts On This:

There are numerous ways in which to lessen the odds of becoming a victim of a smartphone attack:

1)     Limit mobile app usage.  I know life is a lot easier with a mobile app for everything, but the more you put on, the more you are increasing your attack surface.  Try restricting how many mobile apps you put on to those that are really only necessary.  As for myself, I hardly ever use mobile apps.  I only have two of them.

 

2)     Always read the reviews of a mobile app you want to use.  If they are any good, then it just gives that mobile app more credibility. But take this with a grain of salt.  Even a Cyberattacker can put up fake reviews.

 

3)     Always confirm the authenticity of the mobile app. By this, I mean actually try to call the creator of it.  Any legitimate mobile app designed by a real company should have a distinct website, with real contact information.

 

4)     Always keep your wireless updated with the latest versions and software patches/upgrades.

 

In the end, for the sheer lack of a better term, you have CYA.  In other words, trust your gut.  If it doesn’t feel right, then download it.

Wanna Be An Awesome CISO? Follow These 4 Cardinal Rules

 

I have a new book that is coming out in the early part of August.  The thrust of the book is how to actually create and launch a new Cyber business.  But it is not from the standpoint of the recent college graduate or a seasoned IT professional, but rather it is from the viewpoint if the burnt out or even terminated CISO who is looking for greener pastures. 

One way that this goal could be accomplished is to start a consulting gig, focusing around offering vCISO services, which is a hot ticket item right now.

But unfortunately in the end, whether it is right or wrong or fair, it is the CISO that usually takes the fall for everything.   After all, they are the easiest person to be blamed and put in the firing line.  The CISO has a lot to deal with, ranging from how well the lines are beefed up to dealing with the Board of Directors.

But one area that they are often faulted for is the lack of communication from them to others in the company, or if they do at all, the communication is sparse and confusing at best.  So, what is a CISO to do in this regard?  Here are some tips to help with that communication breakdown:

1)     Understand thy audience:

As a CISO, you will be asked to talk to different people that are a part of your organization.  These include both the internal and external stakeholders.  Not everybody is going to understand Cybersecurity the way you do, so you need to angle the content to that specific group you are talking to.  Take these cases:

*For the Board of Directors:  Keep things in dollars and cents.

*For employees in your company:  Keep things simple to understand, avoid any and all kinds of techno jargon.

*For the IT Department and your team:  You can get all geeky you want.

*For shareholders:  Keep the topic centered around how all Cyber efforts are going to impact the Earnings Per Share (EPS).

Get the idea?

2)     Start with the business objectives first:

In any form of presentation that you may give, it is always key that you never first start talking about metrics, and KPIs.  Why so?  Well, first your audience will probably have no idea what you are talking about, and second, you need to provide some kind of reference point for these metrics that you eventually want to point out.  One of the best ways is to first talk about your business objectives from the standpoint of Cyber, focusing in on what has been accomplished so far and what hasn’t.  It is equally important to provide a roadmap as to how plan to finish those objectives whose goals have not been met yet.  Then once you have laid all of this out, you can then get into some of these metrics and KPIs.  Nobody likes quotas and such, but you and your IT Security team need to be judged against something that is quantitative and measurable.  Sure, you can even throw in some qualitative aspects as well.  For example, of the key metrics that you can talk about is the meantime to detection.  This describes how long it takes a company to detect a security threat that resides in their organization.  So far, the average is a long period of time, so point out how you plan to shorten down that time frame for your organization.    Another key point to remember in these types of presentations is that you should keep them only 30 – 40 minutes in length, tops.  Beyond that, you will probably start to have people nodding off in the audience.

3)     It takes everybody:

Traditionally, IT Security teams have taken an isolationist role in what they do, because everybody else in the company thinks that if anything breaks down, these are the guys that should fix it.  While this might be true in a theoretical sense, they can only do so much. They should not at all be finger pointed or isolated by any means.  What I am trying to get at is security involves everybody in the company, all the way from the Board of Directors down to the overnight cleaning crew.  The CISO can foster this kind of thinking by visiting each department on a personal level, and tell them directly that they are a part of the security chain as well, and that their input is highly valued.  But the CISO first needs to take this mentality with their own IT Security team.  There are still many complaints that CISOs often ignore their own employees, and don’t even make the time to listen to them.  Then, the gap between effectively communicating with other members of the C-Suite and especially the Board of Directors needs to improve as well.  The view that the other members of the C-Suite take is that Cyber is a CISO only effort, and that they take no part in it.  But guess what?  With the data privacy laws that are out there today, even the C-Suite and the Board of Directors can be held both personally and financially liable as well if there ever is a security breach.

4)     Establish the layers of accountability:

Once you have demonstrated that everybody has some sort of “teeth” in the defense game for their company, the next step is establish some sort of accountability.  In other words, if other employees have agreed to what you have said is correct, then they need to be held accountable for their own roles and actions to help protect the digital assets.  For example, employees should be held accountable if they click on a Phishing email.  Another area where accountability is going to be of grave importance is in the creation and implementation of the Incident Response/Disaster Recovery/Business Continuity plans.  This really cannot be outsourced to an outside third party, the employees in your organization have to be responsible for this.  In other words, as these plans are being crafted, you need to take certain employees that you think you can trust and make them part of the process, and give them assignments in these plans.  Therefore, you should rehearse these plans on a regular time period in order to make sure that all employees know their assignments and are ready to act out in a very quick fashion should a security breach actually happen.

My Thoughts On This:

Improving the lines of communications in any organization is not an easy task, and in many instances, it can take a long to time to fully accomplish.  Although timing is critical given the way the Cyber threat landscape is unfolding in front of us, take the needed time as well to make sure that whatever you trying to communicate is being heard and understood.

Always ask for a feedback.  After trying to change your ways for some period of time always ask a sampling of employees to see how are you doing.  This is the only that you will know what is working and what is not in terms of communications improvement.  Remember, this should be a very honest and transparent process.

To The eCommerce Merchant: 3 Proven Tactics To Combat Fraud as a Service

 

As we keep paying attention to those threat variants that are making the news headlines, it is also very important to note that there are other attack vectors out there that are just as much damaging, if not even more. 

One such thing that you need to be aware of is Fraud.  While there is nothing new about this, the way it has precipitated been mind blowing.  It’s not just matter of having your wallet or purse stolen, now it is about your Digital Identity that is at stake.

With everybody working at home and even fewer people yet visiting the traditional brick and mortar stores, most of the American population are now shopping online.  Heck, depending upon where you live, you can even have your groceries delivered to you.  But making sure that you remain safe in the digital world, especially as it relates to eCommerce, is a difficult thing to do.

But to make things even more complicated, the Cyberattacker of today is now resorting to a new thing called “Fraud as a Service”.  I think in the past I wrote something about “Ransomware as a Service”, and this is where the Cyberattacker can essentially hire a professional from the Dark Web and have the deploy the malicious for pennies on the dollar.  Now is the same with Fraud.

In this regard, the Cyberattacker can make use of two attack vectors:  Bots and Brand Impersonation.  With the former, the hijacking of One Time Passwords (OTPs) is now the norm.  In this scenario, the hacker already knows your login credentials, but they need that OTP to continue to complete the authentication process. 

With the latter, you are redirected to a phony eCommerce site which looks like the real thing.  This is often done through Phishing attacks or Domain Name Heisting (this is where the actual domain of a legitimate business is hijacked, or a an almost similar one is registered by the Cyberattacker – for example, target.com could become targett.com).

But combatting Digital Fraud is a two-pronged effort.  What do I mean by this?  It rakes both the online vendor (the one that is hosting the eCommerce store), and YOU, the customer.  In today’s blog, we will focus upon the former.  A future blog will deal with how you can better protect yourself.  So, what can the online vendor actually do?  Here are some key steps that can be followed relatively quickly:

1)     Keep track of how many purchases are being made:

I am actually an online vendor myself to a certain degree, and of course we all want tons of sales and transactions coming through our retail sites.  But guess what . . . it can also be a bad sign as well.  How so?  Well this is where the bots come into play.  They can load up shopping carts and literally make hundreds of purchases in a just a matter of a few minutes.  Heck, they will even use brute force methods in order to detect the proper login credentials of the unsuspecting victim.  So on a daily basis, take a look at your transaction history and see if there is any unusual ordering.  If there is, then this could be a telltale indicator that you have bots, and not real customers hitting your online store.  To mitigate this, perhaps you should put restraints on how many times customers can purchase items from your store in a pre-established time period.  While you could make some customers about this, tell them that it is for their own online safety.  Always being open and upfront in this regard will always win in the end.

2)     You may have to screen every order:

This is where keeping track of malicious behavior (as eluded to in the last section) will come into play.  It may come to the point where each and every transaction will have to screened to make sure that there no bots that are entering into your system.  For example, you may have a customer that just purchased an item from their iPhone, from a certain location.  Then they drove a few miles away, to visit a friend, and then made yet another purchase at your online store, but this time from a Samsung, and a different location.  Would this considered to be fraud?  To you, the business owner, it could look that way, when in reality it was never the case.  Therefore, with the help of automated tools such as that of AI and ML, you can easily up profiles on your customers in just a matter of minutes and set up various baselines.  Those that fall outside of this threshold should be flagged for possible malicious intent.  And remember, you do not have to manually do this. The AI and ML tools that are available today can very easily do this for you, and present everything in one dashboard.  You should even consider  running various types of batch analyses against other customer profiles, to make sure that the same credit card number is not being used over and over again.  But keep in mind that once you start using AI and ML tools for these purposes, it will be your job to make sure that they are fed with the most recent data on a real time basis.  This is the only way that the algorithms will continue to learn about your customers, in an effort to also stop any false positives from filtering in (this is where a legitimate customer is flagged for malicious behavior). 

3)     Try to avoid automatic declines:

Credit card companies are pretty good today at detecting fraudulent purchases, and even if just one or two are made, the card will be automatically declined.  In this case, they will call the customer, confirm the orders, or in a worst-case scenario, issue a new card to the victim.  But this is not the cut and dry scenario with an online merchant. For example, using that old saying, it can take years to get a new customer, but only seconds to lose one, using automatic declines may not be best suited here. Therefore, you may want to let purchases go through, but only stop them if there is any unusual activity that has been detected.  This is where keeping your AI and ML tools up to date with the latest data and having them run on a real time basis becomes absolutely critical.  Then at the end of the day, after you scour through the files that have been outputted, you can always reach out to that particular customer to confirm their order in case they have purchased an extraordinary amount which falls outside of their baseline.  In fact, taking this approach will show to the customer that you are proactive about keeping their data safe, and in turn, this could bring in more repeat business.  In fact, according to recent study, 40% of online customers will not return back to the same vendor if their purchase has been declined.

(SOURCE:  https://www2.clear.sale/consumer-behavior-intro-unlocked)

My Thoughts On This:

Notice that this blog put a heavy emphasis on using AI and ML tools.  This may sound fearful at first, but it should not be.  In this regard, your best bet is to probably hire an MSSP to install these tools for you.  That way, they can also do a Dark Web scan to make sure that none of your customers PII datasets are down there, but also nobody has heisted your domain name in an effort to create a phony website. 

In other words, apart from keeping your customers protected from Farud as a Service, you also need to make sure that your IP is also equally protected.

Who Is Managing Your Business Operation Ecosystem Cyber Risk?

 

One of the big buzzwords that we hear of today is called “Cyber Risk”.  But unfortunately, there is no clear cut definition of this, and a lot depends upon a number of key variables that are unique to your own environment.  For example, risk may mean the financial loss that your company goes through after suffering a cyber breach, or it may be the damage that could potentially be placed on key digital assets after you have conducted an assessment.

But generally put, risk can be thought of as the amount of “pain” your business can bear in terms of downtime without incurring damaging costs.  For example, suppose you are hit with a Ransomware attack.  How much downtime can you take until the permanent financial losses start to mount?

There are numerous ways to calculate risk, there is no established standard for this.  Because of this, it is highly recommended that you seek the help of a cyber vendor that specializes in this.  One such company is known as Opora, based out of Israel, with office in NYC as well. In this podcast, we have the honor and privilege of interviewing Joel Blaiberg, the Director of Sales Engineering.  Find out how they calculate risk, and how you can benefit from it.

You can download the podcast at this link:

https://astcybersecurity.podbean.com/e/who-is-managing-your-business-operation-ecosystem-cyber-risk/

Should You Outsource Your Mobile App Development?

 

In a previous blog, we had mentioned that there could be times when you may want to actually outsource your mobile app development.  Of course, the conditions under which you do that will vary, but there are pros and cons to doing this.  We review these in more detail.

The Pros Of Outsourcing

1)     It is budget-friendly:

If you want to develop an app, controlling costs and preserving cash flow of your business is probably at the top of your mind.  When you develop a mobile app in-house, you will need to have a team that is dedicated to this task.  When this approach is taken, you will have to pay for salaries, benefits, time off, bonuses and more. But by outsourcing to a third-party agency, the costs are obviously much lower.

2)     You get access to a broader range of talent:

When you hire an exclusive mobile app development agency, that is all they do day in and day out.  This means that you will have a wide breadth of experience that you can utilize to build your project according to the needs of the client.  Also, this will save you time in trying to find and recruit the talent that you would need if you were to do this in house.

3)     You will have a team that is available on call whenever you need it:

If you outsource your work to an agency located in a different part of the world, you will be able to access them reasonably quickly after business hours.  For example, if you do have a team of mobile app developers here in the United States, you can augment them by hiring an agency, say in India, that can work well after business hours locally until the next day.  That way, you have a staff that is working on an almost 24 X 5 X 365 basis to get your project done on time for your client. 

4)     Your in-house team can be focused on accomplishing different tasks:

If you have a lot of projects coming down the pipeline, you will want to keep your existing team focused on whatever they are working on the present time, and whatever workflows that you may have planned for them in the future.  With hiring a mobile app development agency, you can pass on work to them to get done so that none of your existing processes will need to be altered or affected in any way.

The Cons of Outsourcing

Of course, with the pros, come the cons, which are as follows:

1)     The risk of data privacy and loss:

Whenever you outsource any type of project to a different entity, there is always a much greater chance that the confidential information/data that you share with them could be leaked out to others either intentionally or non-intentionally.  Here in the United States, as well as the European Union, both data loss and data privacy are being taken extremely seriously these days, backed up by the compliance powers of the CCPA and the GDPR, respectively.  If anything like this ever does happen, you will be held primarily responsible for any security breaches, not the agency that you hire.  This means that you could face some severe financial penalties.  Also, the testing of the source code is on your shoulders, not on the agency.  This means that you will have to do some sort of penetration testing or threat hunting to make sure that the code is secure and that any unknown vulnerabilities have been wholly discovered and repaired.

2)     You will have less control over the development process:

If you have an in-house team create the mobile app, you can always ask for updates whenever you want to, or feel it is necessary, and get a response almost immediately.  But if you outsource, you will have less oversight in this regard, which could result in considerable lag time in getting a needed response.  Also, the agency will not want to divulge all of their “secret sauces” as to what goes on in the way they develop mobile apps so that it will not get leaked out to competitors.

3)     Changes can be expensive:

Mobile app development is always a continuous proposition; it never changes, especially when it comes to updating the source code and making any changes the client requests.  Obviously, your in-house team can do these quickly, without any extra charges incurred.  But, if you outsourced your project, and if there are changes to be made after the fact, you will be charged extra for it by your agency, and it will not be cheap by any means. 

4)     Stark cultural differences:

Depending upon the country in which you hire the agency, there could be significant differences in terms of communication, work style, and even language barriers.  In the end, this could prove to be very frustrating for you, especially if you are spending more time explaining what needs to get done versus getting the tasks accomplished.

One More Key Benefit

Overall, the decision whether you want to outsource your mobile app development project is a choice that you will have to make based on your needs.  This is going to be driven primarily by the budget you have and the time constraints that you are under to deliver the app to the client.  But when outsourcing, there are fewer administrative headaches involved, which is illustrated in the diagram below:

(SOURCE: 1).

Sources

https://www.hyperlinkinfosystem.com/blog/8-pros-and-cons-of-opting-for-a-mobile-app-development-company

Another Reason Why Not To Pay That Cyber Ransom: There Is No ROI

 

I don’t know if I have been naïve lately or not, but I have been finding that the news headlines regarding Russia and the Ukraine starting to dissipate somewhat in the headlines.  Heck, even the Cyber headlines have slowed down about being aware from Cyberattacks coming in from Russia. Or maybe its perhaps inflation and the raising of interest rates took the headlines?

Well whatever is happening out there, let’s have some good news out there next, we could all use some for sure.  But when it comes to the Cyber world, at least nothing has too much changed there either, which I guess could be a positive. 

The only thing I really keep seeing anything about are the number of Ransomware attacks that are happening, but by now, in a sad way, we all are getting used to it.

But I did come across a news headline late last week as to how although the total number of attacks are still continuing, the total number of companies having the capability to recover that data is actually slowing down. 

This could be for a number of reasons, such as the Cyberattacker is not making good on its promise to send over the decryption keys, or that the encryption algorithms that were used to scramble the data in the first place are so powerful that they cannot be broken.

Sophos, a leading Cybersecurity company, just came out with its recent report about the state of Ransomware attacks.  The report is entitled the “State of Ransomware 2022”.  The report can be downloaded at this link:

https://www.sophos.com/en-us/whitepaper/state-of-ransomware

One of the key findings is that the total number of Ransomware attacks increased by at least 43% in 2021, which is not surprising.  IMHO, that was probably the year in which Ransomware groups truly made their mark. 

But on the downside, the report also found that the impacted companies simply could not recover the data that they lost.  Another reason for this that needs to be included is that many companies in Corporate America, even despites the lessons that have been learned from COVID-19 simply do not have the right data backup strategies and policies in place yet.

Here are some other noteworthy findings from the report:

*The total number of Ransomware as a Service incidents are growing at a very rapid pace. These are groups that are formed by professional Cyberattacking groups, and have some of the stealthiest and most covert techniques on hand in order to launch devastating Ransomware attacks.

*The average cost of a ransom payment is now pegged at $812,000.00.

*So far, it has been the energy and manufacturing industries that have amongst some of the hardest hit by Ransomware attacks.  This is illustrated in the diagram below:

(SOURCE:https://www.darkreading.com/attacks-breaches/ransomware-crisis-deepens-data-recovery-stalls)

*On average, it took a business one month or even greater to recover from a Ransomware attack, at a cost of over $1.4 million.

Now, comes the question is it really even worth to pay the ransom?  The reason I say this is that victims are now facing even much higher costs for recovery, including paying the ransom.  If you factor all of this in based upon the number I have presented in this blog, the total cost could be well over $2.2 million.  Consider these statistics also from the Sophos Report:

*While 99% of the victims could recover some of their data, only 61% of them could recover those datasets that were encrypted.

*46% of the total respondents actually paid a ransom, and out of that, only 4% were able to make a full data recovery.

Possibly another reason why companies in Corporate America still don’t have the right back up strategies in place could be is that they have become lazy about it all, because they have a comprehensive Cyber Insurance Policy.  But even here, things are starting to get tight.  Getting a Cyber Insurance Policy is not getting the same as car insurance.  Consider these stats:

*94% of the respondents have found that it is much more difficult to get a comprehensive plan;

*97% have had to increase the total amount of their security controls just so that they qualify as an applicant;

*Only 40% of the total number of Cyber policies actually paid for the ransom payment.

My Thoughts On This:

In the end, no matter how much we do to protect our businesses and the valuable data that resides in them, we all are prone to becoming a victim of Ransomware.  So, the key here is how to mitigate the odds in that happening to you. 

I have to be honest here, and I think that the best solution now is just simply move what ever you have On Prem to a Cloud based solution.

I am sure that there will be a lot of resistance to this at first, because it can be very daunting and nebulous at first.  But remember, you are not alone in this process.  There are a ton of Cloud Service Providers (CSPs) that you can hire that can take care of the entire migration process for you. 

Not only that, but you can also work with them in the long term in order to make sure that all is up to speed with your Cloud deployment.

Also, go with a very reputable Cloud provider, such as that of Microsoft Azure.  They have all the tools you need to protect your datasets.  Another reason why I say to use something like this is that redundancy is a quick and easy process here.  For example, you can easily replicate your Cloud deployment across multiple data centers literally around the globe. 

So in case you are hit, your failover will be very quick, without any disruptions experienced.  Also, by using the Cloud, any VMs that have been hit by a Ransomware attack can quite honestly be deleted, and rebuilt again, in just a matter of five minutes or so.

So really, there is no reason anymore not to have a good data backup plan in place, when a business owner now as all of the tools and technologies available to them to make it happen.