The Hay Days Of Cyber Bug Bounties Could Be Disappearing Soon

 

This is a topic that I have written about before, and in fact, I plan to be writing an eBook about it in Q1 of next year.  This is the issue of secure source coding, but more importantly, finding any weaknesses or gaps, and immediately remediating them. 

Many people like myself have fully advocated for using a modular based approach, in which each module of the source code that is being compiled is thoroughly vetted for any issues.

After all, it makes sense to do it this way, right, rather than waiting till the very end, when really, it is just too late?  However, to many software developers, security is not something they are familiar with, or really for lack of a better term, even care about. 

But that is now catching up with them, as there are more and more headlines coming out as to how software developers need to be much more cognizant in this realm of their employer.

In an effort to help ensure that all is good before the project is delivered to the client, other initiatives have also taken place such as implementing a rock solid DevSecOps program, making more use of the OWASP initiative, etc.  But yet, there is another area in which companies have been using for quite some time in order to unearth the gaps and weaknesses.

This is known as the Bug Bounty program.  This is where a company, before they are just about to launch a new software application into the world, hire a bunch of both ethical and even unethical hackers to totally rip it apart, and report on the most serious vulnerabilities that were discovered.  In return, the hacker is also supposed to provide a fix or fixes to the situation, and submit that back to the company in the way of a detailed report. 

These are then completely reviewed by the IT Security team, and if a report is found that is deemed to be totally astonishing, the hacker is then paid a nice some of money.  We are not just talking about a few hundred dollars, we are talking about well into the five figures, like $30,000 or $40,000. 

This kind of program has been more widely used with those tech companies that have much deeper pockets like Microsoft, AWS, Oracle, IBM, Google, etc.

Obviously, it is not meant designed at all for the SMBs, because of the high amount of payouts that have to be made.  There are both advantages and disadvantages to using a  Bug Bounty program.  For example, this is yet another way for a company to get an outside pair of eyes to look at something, but you really don’t know who is looking at it, because hackers are usually not vetted. 

Also, you are giving an individual access to your IT and Network infrastructure, for a brief period of time.

But on the flip side, Bug Bounty testing is one of the best ways in which you can avoid Zero Day Attacks to external facing web applications. But whatever the situation is, there is now talk in the Cyber world that this program is now starting to crack under its own weight. 

While it may be exciting for the company to remediate something that they completely overlooked and for the hacker to get a great pay out, keep in mind the other party that has to review them:  The It Security team.

Research has found that Bug Bounty programs work great within the first 18 or 24 months since they are first launched, because of the new influx of cases that are being received.  But after that, it tends to become a mountain load of paperwork to be reviewed, and this in part is what causes IT Security teams to fall even further behind, as if they don’t have enough to do. 

Second, there has been a belief in the larger organizations that simply relying upon Bug Bounty programs will be enough to cure them of their Cyber woes.  But this is all myth.  For instance, it can take a while to discover new flaws, but it can take even longer to have them reviewed and their remediative plan of action to be approved as well. 

From then until here,  a newer version of the software package could have been released without knowing there have been bugs from the first version that still need correcting.

Third, Bug Bounty hunters are also getting burned out of the process as well.  It is important to keep in mind here that these hackers are not automatically paid for all of their submissions. Only if it has been selected by the IT Security team, will the hacker get their hard-earned payout.  So it could be years of trial and error until an ethical hacker can win their first bounty.

My Thoughts On This:

I have some numerous thoughts on the Bug Bounty program.  First, I think it is a good idea. As mentioned, it is simply a great way to get an extra pairs of eyes to try to find something that was overlooked. 

But the way in which the programs are offered needs to be changed.  For example, I honestly think that the hackers need to be vetted first before they are allowed to participate.  It’s like getting a third-party supplier involved.  You wouldn’t hire anybody just off the street, would you?

Also, I think all of the ethical hackers that participate and submit a report should get paid, even though if their particular report was not chosen.  After all, they are putting in their own time, and are giving you something in return.  You also need to reciprocate in turn, as well.  But of course, this is not something that you want to broadcast to the entire world, only to those people you have selected.

Perhaps also, you can even add a more motivating factor.  You could perhaps even make a job offer to the winning hackers, if you are so impressed by them.  They may not have to be direct hires, but you can at least get them to be contractors in the beginning. 

That way, you can not only tap further into their direct knowledge and skill set, but this can also be your way of trying to tighten up the job market for Cyber.

Second, I view having Bug Bounty programs pretty much as a nice resource to have for companies, but it should not be the primary tools used to check for vulnerabilities and weaknesses in the source code.  This should all be done internally, making use of DevSecOps. 

Third, if you are going to have a Bug Bounty program, make sure you spell everything out, like a job description. And when work is submitted, pay those hackers on time!!!

Fourth, don’t give everybody access to everything at your company.  Remember and enforce the concept of Least Privilege.

The 3 Grave Consequences Of A Compromised Credential Attack

 

Introduction

The password has always been a long, sought after target of the Cyberattacker.  But given today’s Cybersecurity threat landscape – they are after much more than just that.  For example, they not only want to know more about you, but they want to come after you and literally take everything that identifies you.  It is challenging to know even you are a victim until it is too late.

One of the biggest reasons for this is that the Cyberattacker is taking their own time to find and research their unsuspecting victims.  For example, they are not interested in finding targets en masse, but rather, they are now interested in selecting just a few and finding their weakest spots.  Then, once they penetrate in, the goal is to stay in as long as possible and steal as much as they can in small bits, going unnoticed.

The Types of Attacks

There are three types of credential theft, which are as follows:

1)     Against the individual:

This when one particular individual or even a group of them are selectively targeted.  In this instance, the attack vectors may not be too sophisticated in nature.  For example, Phishing based Emails are still the favored weapon of choice.  Despite all of the publicity and notoriety that it gets, people still fall for phishing schemes.  It can come in one of two ways:

Ø  The victim can be duped into clicking onto a malicious link. Typically, the link that is in the body of the Email message is different than when you hover your mouse pointer over it.  But even this has changed.  The two links now appear to be almost the same, thus tricking the victim even more.  From here, he or she is then directed to a spoofed website that looks so legitimate and authentic that it is almost impossible to tell that it is really a fake one.  From here, the victim then enters their username and password, and the havoc starts.

Ø  The victim can also be duped into downloading a malicious document.  The most favored file extensions used here are that of the .DOC, . XLS, . PPT, and .PDF.  Once any of these attachments are downloaded and opened up, the malware spreads into the victim’s device, in an attempt to steal as many credentials as possible. An excellent example of this is keylogging malware.  The keystrokes are recorded and covertly sent back to the Cyberattacker, in an effort to ascertain all of the credentials that the victim uses.  This has also become rather sophisticated in nature, as the hijacking of the contact list is now commonly used, making it look like that Phishing Email has been sent by a person that the victim knows well.

 

2)     Against the business:

This is technically known as “Corporate Credential Theft.”  In these instances, the Cyberattacker has much more at their disposal in which to harvest as many credentials from victims as they can.  For example, many companies in their digital marketing efforts, very often use Social Media, such as Facebook, Linked In, and Twitter.  Although the communications may be careful in what they post about their company, the Cyberattacker can still glean quite a bit off of it.  Over time, they can see those employees that post material regularly, and the timeframes that they do so.  From here, they can narrow down their list to just a few potential victims and study them even more carefully through their social media activity.  In other words, the Cyberattacker is building up a profile of their victim that can be used to determine their vulnerabilities, even with publicly available information.  A commonly used threat vector is that of the Business Email Compromise (BEC).  This is where an email is sent, or even a Social Engineering based phone call is made purporting to be the CEO and asking his or her administrative assistant to wire a large sum of money to a bank account, which, of course, is located offshore.  Once the money has been transferred, and the mistake has been noticed, it is very difficult to get the money back or even trace down who launched this sort of attack vector.

3)     Credential Abuse:

This is the ultimate goal of any compromised credential attack.  Once all of the credentials have been harvested to the greatest amount possible, the Cyberattacker will then use them for credit card theft/fraud, hijacking money from banking and other types of financial accounts, and worst yet, launch long term Identity Theft attacks.  But there are two new trends that are occurring in this regard, which are:

Ø  The Dark Web:  The Cyberattacker can sell these credentials here for a rather nice profit.

Ø  Lateral Movement:  In this instance, the Cyberattacker will use their hijacked credentials in order to infiltrate the network infrastructure of a business, and from there, move in deeper in a “sideways” fashion in an attempt to find even higher-value targets, such as those of Intellectual Property (IP) and other mission-critical digital assets.  The time that the Cyberattacker resides is very often referred to as the “Dwell Time,” and given just how sophisticated they have become, they can stay in for weeks and even months without ever getting noticed.

How To Prevent Compromised Credential Attacks

This is a serious problem, as according to the Verizon 2020 Data Breach Investigations Report (DBIR), over 80% of the hacking attacks that take place make use of heisted or stolen credentials.  Further, at least 77% of the Cloud security breaches also involve the use of hijacked credentials. 

(SOURCES:  1 and 2).

In the end, probably the best line of defense that you can use is what is known as the “Zero Trust Framework.”  This is a methodology which stipulates that you cannot, under any circumstance, trust anybody internal or external to your company when it comes to accessing shared resources.  Anybody wishing to have this kind of access must be authenticated through at least three or more layers of authentication at each line of defense.

Sources

1)     https://securityboulevard.com/2020/06/credential-vulnerabilities-most-likely-breach-culprit-verizon-dbir/

2)     https://thycotic.com/company/blog/2020/06/17/verizon-2020-dbir-5-top-takeaways/

The Act Of War Exclusion In Cyber Insurance: 3 Golden Ways To Avoid This

 

Along  with the ever so famous two guarantees of life known as death and taxes, there are certain other things that we simply cannot live without.  Now, I realize that this is a very open ended to give to you, but purposes of this blog, I am talking about being business owner. 

Depending upon the industry you are in, you will most likely have employees, whether they be it on a part time, full time, or even a contractor basis. 

There are certain benefits that you will want to offer to them, and if you can afford it, probably medical insurance would be at the of the list, whether it is giving it to them directly or helping them get it at Obamacare.  You will possibly have a small fleet of vehicles, and of course, that will take car insurance.  For the most part, getting these kinds of insurances should not be too much a hassle.

But don’t forget, you are going to need yet another kind of insurance policy – and that is for Cybersecurity.  Before the COVID-19 pandemic hit the United States, getting a basic policy was not too hard to do. 

All you pretty much had to do was apply to a few carriers that you felt comfortable with, sign the paperwork, and pay the first month’s premiums.  Then you were all set.

But given the sheer range of new attack vectors that have from that, most notably of Ransomware, insurance carriers have now greatly ratcheted up the requirements to get a policy.  For example, simply self-attesting to the fact that you have all of the controls in place is not enough anymore. 

You now have to fill out a rather long and detailed questionnaire confirming that all needed controls are in place, and in fact, many of the carriers are now requiring that an MSP or an MSSP sign off on it to confirm that the statements are true.

If it is discovered they are not, you both could be under some serious legal trouble, especially when it comes to perjury. But not only this, now many of the insurance companies are also opting not to pay claims when it comes to Ransomware payments.  For example, a company out of desperation may pay the fine, in the hopes of getting their files back.

The next thing that the business owner will want to do is file a claim to get the money back.  But most likely, that will not happen now. But now, the insurance carriers have found possibly yet another way to keep the small business owner hanging out to dry. 

It now comes down to literally what an act of war is defined as.  Because of all of the turmoil that is now happening on a geopolitical basis, if an SMB becomes a victim because of a direct act of war, any claims filed will not be paid.

This is technically known as an “Act of War Exclusion”.  It is really interesting to note that this kind of exclusion actually has been in place since the start of the Spanish Civil War.  But of course back then, Cybersecurity was a totally unthinkable topic. 

So long story short, suppose you have been impacted by a security breach, and after a detailed forensics has been conducted it was determined that a nation state threat actor actually launched the threat variant.  Would this be deemed as an act of war?  That is a hard question to define, because from a legal standpoint, it can be looked at from many different perspectives. 

But IMHO, I would classify it as an act of war, because the SMB owner suffered a direct attack from a foreign enemy. Btu what makes this so different is that it was launched in the digital world, bit the traditional land battlefield.

Also, our own court system would have a hard time defining what an act of war really is, especially on the Cyber front.  The primary reason for this is because there is no legal precedence that has been established for it.  For the other types of war, yes, there is plenty of precedence that lawyers and judges can use in a large amount. 

But the sad news here is that insurance providers are trying as much as possible to avoid paying claims on the context of being a victim of war.  One of the ways that they are doing this is by putting in clear and concise language that any Cyberattacks that have precipitated and that you have become of, will simply not be covered, much like Ransomware payments won’t be either.

An interesting question here is are third party vendors affected by this exclusion as well?  After all, they were doing for a company, and if they get impacted, and in turn the third-party supplier does as well, will they be allowed to get payment if a claim is filed? 

This is just one example of how murky this situation is, and the difficulty of defining what truly constitutes a Cyber War.

My Thought On This:

Unfortunately for the SMB owner, things are not going to get easier for them as they try to apply for Cyber Insurance and even file for a claim.  Now, I am far from being an insurance expert, but I have written a lot on this subject matter (heck even wrote book on it just recently), but based on my knowledge, here is my two cents worth:

*Always have your Incident Response, Disaster Recovery, and Business Continuity plans in place and rehearsed. By having such plans in place, not only will you be able to recover in a quicker period of time, but you can also prove to the insurance carrier that you had such plans, and followed them to the letter.  This will prove to them to a certain degree that at least you had the right controls in place before you were impacted.

*There are many carriers out there, so be extremely selective.  Probably the best advice I can give you in this regard is to get a lawyer that specializes in just Cyber issues.  There are many of them coming out today, so it should be too difficult to find a good one. As far as possible, have this lawyer get your insurance policy for you.  That way, they can read through all of the legalese of the insurance contract, and make sure that you will be covered totally, also from the standpoint of being covered from Ransomware attacks and Cyber Warfare.  Also, hopefully it never happens, but if you are impacted by a security breach, this same lawyer can also vigorously defend your rights in case your claim is denied for whatever reason.

*Always, as mentioned before, conduct a detailed forensics examination after you have been impacted.  This is the only true to confirm if it was a nation state threat actor that actually launched the attack.  If this was the case, then you will have a better chance of getting a payout on your claim.

But, if you already have a Cybersecurity Insurance Plan in place, or are in the process of getting one, don’t let your guard down.  Keep being proactive.  The fallacy in thinking here with many SMB owner is that because they already have insurance in place, they will get a payout no matter what.  But the moment this happens, you have just increased your likelihood of not getting a payout!!!

For more, detailed on Cyber War exclusions, click on the link below:

https://www.lmalloyds.com/LMA/News/LMA_bulletins/LMA_Bulletins/LMA21-042-PD.aspx

 

The Slow Rise & The Meteoric Fall Of The Traditional Firewall

 

For the most part, we all have heard about Firewalls.  There is nothing new about them, and in fact, they first originated in the mid 90’s when Windows 95 was first born and the Internet Explorer was the brand-new replacement to Netscape Navigator. 

Back then, VDs and VMs were, or Azure were not even in our vocabulary.  Probably some of the best-known Firewalls back then were that of Linksys and Cisco (can’t really remember any others).

At the time, they were basic security tools.  Their main function was to scan data packets that were inbound to the IT and Network infrastructure of a company, and discard them before they could penetrate through.  The reverse of this is also true.  The way that a Firewall knew in what sort of data packets to discard were built upon a set of rules and permutations that were programmed into them.

But over time, technology of course advanced, and then came the Router.  This was deemed to be a huge step up over the Firewall, as now this newer security tool could also to determine the most optimal network path that the data packet should take in order to reach its destination in the quickest and most efficient manner. 

But what was nicer about a Router, was that it also contained an Access Control List, or ACL for short. 

This was once again a listing of what kinds of data packets should be blacklisted, and not allowed through.  But this time, it could actually learn from the past, and build its own database of known threat vectors from that. 

This was then compared to the new influx of data packets.  Then after this, Cryptography for uses in security was the next big advancement, and with this data packets were further protected from falling into the hands of a malicious party.

But the problem here is that with this, it was far more difficult for the Firewall and/or the Router to detect for any malicious data packets.  In effort to combat this, some of the major vendors improved their technology to the point that the Firewall and/or Router could literally disassemble the data packet inspect it, and reassemble it again so it could move forward. 

But all of this took a lot of processing and computational power, which was not fruitful in the end.

Then came AI and ML, which has given a whole new twist to the Firewall and Router technology.  For example, not only could these tools build their databases of threat signature profiles, but they could now learn how to do this on a real time basis. 

This simply means that almost no human intervention is required, the Firewalls and Routers can even predict what future malicious data packets can look like.  But the downside here is that is with AI and ML, a huge amount of data has to be fed into them first before they can learn anything.

But not only this, they have to keep continuing to be fed this data.  And the datasets that are used have to be optimized and cleansed also on a real time basis so that the here is no statistical based skewness that is produced into the output.  So the toss up here is that with the new advances being made, there is always a lot of time spent on something else in order for the whole thing to happen.

Now enter the COVID-19 pandemic.  Although the concept of WFH has been around for quite a long time, Firewalls and Routers were meant to work at peak capacity only about 25% of employees working remotely.  They were not designed at all to work at the peak capacity that we are seeing now, which is over 99%.  As a result, many types of Firewalls and Routers (and even VPNs) have been broken down, which has now made them a prime source of attack.

My Thoughts On This:

I forgot to mention, that in between all of this, anther technological advancement was made a few years ago also, which is known as the “SIEM”, and is still being used actively by IT Security teams in Corporate America today. 

This is a centralized dashboard which presents all of the needed information and data in one, holistic view.  One of the key advantages of this is that it can also filter through false positives, thus only presenting the real threats to the IT Security team.

Another technique that has been attempted to ease the burden on Firewalls and Routers is to simply log into them any blacklisted domains.  While this has been to a proven technique to use, it does not take into account any blacklisted ones which have become whitelisted.  In other words, human intervention is still required, which defeats the whole purpose of any technological advancement. 

But believe it or not, in all of these situations, there is still yet another viable solution that is present, and seems to be working well.  This is the known as the Next Gen Firewall.  This is the latest, and most cutting-edge technology out that is out there. 

For example, not only does it consist of all of the advancements mentioned in this blog, but it is also designed to handle the capacity of the near 99% Remote Workforce, and even beyond that as well.

But as far as I know, this new breed of technology is now available in the Cloud, such as Microsoft Azure.  So if you want to use one, you are going to have to open up a brand-new account, and pretty much migrate almost all of your IT and Network infrastructure into it. 

But the best of all, there is no added cost to start using the Next Gen Firewall from Azure.  It is already factored into your overall, monthly bill.

While this powerful tool is there, don’t expect Microsoft to configure for you also, based upon your security requirements.  That is entirely your responsibility, and if there is any data leakage, you will be held accountable.  Therefore, it is always wise to check in with a Cloud Services Provider (CSP) in order to fully ensure that your migration is complete, and all the necessary configurations have been set correctly.

The Importance Of Having A Robust & Dynamic Intelligent Feed For Cyber

 

In the world of Cybersecurity today, many businesses are starting to realize the importance of collecting the relevant information and data that they need in order to keep with the ever-changing landscape.  But trying to make projections and estimates into the future by hand takes forever, and technically, no human being can ever keep with this.  If they can, then the threat probably has already come and gone.

So, this is where role of AI comes in.  With this, you make extrapolations into the future within just a matter of a few seconds.  While this is very much an advantage, it can be a drawback also.  For example, AI systems require a huge amount of data in order to learn about the future.  But you simply cannot go out and purchase datasets off the shelf.

Rather, these data feeds that you use have to fit into your environment, and your security requirements.  But just as important, they have to be cleansed and optimized so that you get the most optimal results possible, without any skewness from occurring.  It is not easy to find these kinds of data sources, and in fact, this can be deemed to be one of the hardest tasks that an IT Security team can embark one.

But the good news is that there is a company out there that specializes in this very tasks – they are known as Wapack Labs, and in this podcast, we have the honor and privilege of interviewing Jim McKee, the Founder and CEO.  He will explain more detail as to how Cyber information and data feeds can work for your business.

You can download the podcast at this link:

https://www.podbean.com/site/EpisodeDownload/PB1278D202IZWE

The Good & The Bad Of OSINT - Which Side Are You On???

 

Whenever we have talked about a Cyberattack happening, for a lack of a better term, had some comfort in the fact knowing that we could expect a malware, worm, a Trojan Horse of sorts, or even Ransomware. 

But given the advances of technology, a Cyberattacker does not have to do all of this anymore in order to steal PII.  He or she can build a profile on you based on a methodology known as “OSINT”, also known as “Open-Source Intelligence”.

Just as its name implies, this Open-Source data that is legal to get and use, after all, it’s available on the Internet. It’s really like getting a background check on somebody, but with that, you have to pay some sort of fee. OSINT is free, and it can also be viewed as a data aggregator. 

This simply means that it is a one place shop where you can collect the information that you need that is collected from hundreds of different sources.

OSINT and be used for both the good and the bad.  For example, I did a podcast some time ago with a client that had an OSINT based business.  The degree to which he was able to use publicly known information totally blew me away.  He narrated this story of how they were able to solve a hit and run accident, even the police could not solve it. 

If I remember correctly, it all came down to collecting a small piece of car paint, and matching that up with other cars that passed by, which were taped by the CCTV cameras.  In a way, this also reminded me of the unfortunate incident of Pan AM Flight 103, a Boeing 747 that blew up over Lockerbie, Scotland.  It all came down to locating a tiny electronic component which forensics were able to trace back to a store in Libya.

Then, I wrote an article for a client about the OSINT methodology, and how some of the components of it could be used to hypothetically protect a well-known movie star.  But with the good, comes also the bad, and this is where ethe Cyberattacker now comes into play. 

As mentioned before, they no longer have to access the innards of your IT and Network infrastructure, and move laterally in order to get information about you. 

All they need are the tools of OSINT, a very close examination of your social media profiles, and the use of some AI and ML tools.  From here, they can build a whole new profile about you, even a create a totally different facial structure of you using Deepfakes (I think I just wrote an article about this a few weeks ago).  But the end result of this totally scary. 

With this newfound profile, a Cyberattacker can now launch ID Theft attack against, and you may never even know about it.

At least in the past, the Cyberattacker would have to know some specific information about you, such as your Social Security number, or Driver’s License number, but even this is not needed anymore.  With all of this, a Cyberattacker can easily open up new bank accounts, credit cards, you name it. 

But you are not going to believe this also.  There are also tools out there that let the Cyberattacker create that fictitious profile about you. 

This tool is called “Fake Name Generator”, and example of a fake profile can be seen below:

(SOURCE:  https://www.darkreading.com/attacks-breaches/how-hackers-create-fake-personas-for-social-engineering)

Heck you even create a picture of a real person that looks almost like the real thing by using a tool called “This Person Does Not Exist”.

My Thoughts On This:

Ok, I even find this to be rather extremist, and I have been in Cybersecurity for years.  But keep in mind, even in the case of digital attacks, the Cyberattacker will always leave behind some evidence, even to the smallest amount that is possible.  In the case of a faked profile like we have been talking about this blog, look for some of the following clues:

*A person looks head on, directly into the camera lens;

*There will be some nuances in their facial structure;

*Other extraneous accessories can fade in and fade out.  For example, if the subject is wearing earrings, one lobe of the ear may drifting further down than the other ear, although the earrings may look completely identical;

*The sides of the picture have some strange sidings to them.

What can you do to help avoid in becoming a victim in these kinds of scams?  Well, the first rule is never to respond to anything that you are suspicious.  For example, I get tons of robocalls and suspicious emails every day.  All I do is never respond to the phone call, or simply delete the email. 

But there have been numerous times in the past where I have received emails which seemed to questionable, but I had some doubts about that as well.

So in these cases, I normally try to find the Linked In profile of the person in question, and if I can’t, then that is a huge red flag.  I try to check out their Social Media profiles, and if there is nothing there, then I just delete the email.  But keep in mind that the Cyberattacker could quite possibly be ahead of you in this regard, by having a fictitious Linked In profile and Social Media sites already populated.

Then there are the other rules as well:  Check your credit card and bank account balances at least 3x a day, and always monitor your credit report.  If possible, try to have a good friend even conduct a background check on you to make sure that everything is clean.  Finally remember that the Cyberattacker does not have to use just digital means to get a hold of you.

Attacks using the snail mail have now been on the rise, so pay careful attention to those as well.  In the end, if you have any doubts that you simply cannot resolve, or if you feel that you have become, always contact your local FBI office.  They will always be glad to help you out, and they will have the specialized tools needed to examine any evidence that you give them.

 

Just How Badly Do We Need A vCIRO? Find Out Here

 

Long before the COVID-19 pandemic, the so-called C-Suite consisted of just a few members:  The CEO, CIO, CFO, and the CMO.  Even when I was doing my MBA, these are the only titles that existed, even during the time of the .com craze. 

But fast forward now, and there have been many more C-level titles that have been added to the mix.  Pretty much all of these have to do with Cyber, so now you will find such people as a vCCO, vCPO, vBISO, vCDO, etc.

Now, there is a new one that has been added to the mix:  the vCIRO, also known as the “Chief Risk Information Officer”.  You may be scratching your head right now, pondering what this person really does? 

To be honest, this is the very first time that I have heard of this term, and I even venture to say that it is just a new piece of technojargon that has hit the Cyber industry.

But to be fair, the primary role of this person (as it appears to me) is to take charge of overseeing the level of risk that their business exposed, and from there, report to the rest of the C-Suite as well as the Board of Directors if the current level of risk is tolerable enough, or it needs to come down to where the industry norms are at.

So, the vCIRO is primarily tasked with conducting the risk assessments, taking stock of which physical and digital are most at risk to a security breach, and what kind of controls are needed to further protect them, so they are not so vulnerable. 

Traditionally, these sorts of tasks have been assigned to the vCISO and their respective IT Security team, but given how overloaded are there, this task is now being ferreted off to the vCIRO.

This morning, I read an article as to how the vCIRO role will now be different from the vCISO role.  Here are where some of the lines of division will now be at:

1)     They are much more business focused:

Although calculating risk is much more of a Cyber role, it also has a huge business role as well.  For example, you need somebody who talk this kind of language in pure simplistic terms so that the other members of the C-Suite and the Board of Directors can understand quickly.  It is important to keep in mind here that these people only speak dollars and cents, and nothing else.  They have no concept of the Cyber threat landscape, so why bore them with all of that?  So, this is where this new role is going to come into play:  To put into business terms what Cyber risk is all about, and what it means to the bottom line.

2)     The decision-making process will be made autonomous:

It has always been assumed with the CISO role that whatever he or she says will be transmitted down to the very bottom rung of the company, in a top-down fashion.  However, this will not be the case of the vCIRO.  Rather, they will be given almost total freedom to make decisions on their own, with the interest of the company as their guiding objective.  There will be no top-down reporting here, rather it will only be top up, as mentioned earlier in this blog.

3)     There will be a balance in language being used:

Right now, the CIO has been blamed for either a lack of understanding of the business side of Cyber, or that they know how to communicate only in technojargon, that nobody can understand.  In other words, there is nothing in between.  Well, it is highly expected for the vCIRO to assume this boundary, and to able to speak both sides of the fence.

4)     More metrics will be involved:

Since part of this new job title has “Risk” in it, you can count on the fact that the person who fills this role will be heavy into metrics and other forms of Key Performance Indicators (KPIs).  But they won’t be dazzled with anything that can be measured, rather their main focus will be on those metrics that matter the most, and presenting them in an understandable way to the other members of the C-Suite, and the Board of Directors.  For example, one such area will be the Mean Time To Detection, also known as the “MTTD”.  This metric merely reflects how long it takes a company to detect a security breach, and at the current time, it is well over 90 days.

5)     They will take a proactive role in the business:

The CISO has often been slammed, whether rightly or wrongly, of being too negligent of the other business activities that are happening to the other departments of the organization.  IMHO, there really the CISO has really no time for this, as they are tasked with too many things as it is.  But since the role of the vCIRO is now more limited by nature, it is assumed that he or she will take on the burden of understanding what the business (from the standpoint of Cyber) needs are across all of the Business Units (BUs).

My Thoughts On This:

Fundamentally, I think the role of the vCIRO is actually a good one.  Risk Management is taking on much more importance in the world of Cyber, and there needs to be someone who is dedicated in doing this exact thing.  But also keep in mind, that there will be a whole new slew of “v” related titles that will be coming out in Cyber.

In my view, the primary reason for this is that the days of the traditional CISO will soon be coming to end.  This will be driven by the further emergence of the vCISO.  This group of individuals are far most cost effective than hiring a CISO outright. 

Plus, these individuals have their own groups of contacts that they can bring on board as well, depending upon the needs of your project.

For instance, rather than paying a CISO a salary of $100K for one year, you can hire a vCISO with the same amount of knowledge (and probably even more) for just $20K on a fixed term contract.  Right now, it does seem awfully confusing who to turn to with all of these “v” titles that are coming up. 

So my suggestion here would be to hire vCISO first, and let them assess your current environment.

They will not waste any time here, as they know time is of the essence, and get to the heart of the matter in no time.  After they have done their assessment, then let them tell you how to move forward.  Very likely, as mentioned before, they will most likely have their own Rolodex of contacts that will be able to bring on board, rather than having you to hire these individuals separately. 

An Aging National Power Grid + The Explosion Of EVs = A Huge Cyber Nightmare

 

Just wondering, how many of you out there own electrical vehicle (EV)?  To be honest, this is a market I have not paid too much attention to, and in fact, I don’t think I have even seen one where I live at.  The closest I have seen remotely electric are those things that people stand up on and go around on.  They are not too much of a common sight here in the burbs of Chicago, but in the city, I am sure that they are quite a big hit.

So, why am I bringing all of this up, you may be asking?  Well, probably for the first time, I came across an article this morning, which not only gave a glimpse into the EV industry, but the Cybersecurity impacts that these new vehicles can have on our already strained national power grid. 

First, let me paint the picture of just how huge the EV industry really is (it totally blew my mind away):

*There are well over 600,000+ EVs hitting the roads and highways today in the United States;

*It is anticipated that as the production processes for EVs improve over time, there will be about 1 million produced a month;

*70% of Americans would purchase an EV if they could afford it;

*By the year 2026, there will be 26 million EVs on the roads and highways;

*By the year 2030, the state of California will have 4 million EVs;

*By the year of 2040, EVs will account for 60% of all automobile sales across dealerships in the United States.

(SOURCES:  https://www.statista.com/statistics/665823/sales-of-plug-in-light-vehicles-in-the-us/; https://www.bloomberg.com/news/articles/2022-04-08/plug-in-ev-fleet-will-soon-hit-a-20-million-milestone; https://policyadvice.net/insurance/insights/electric-car-statistics/).

Obviously, the world will run of out crude oil one day, so I think it is great to see that we are taking a proactive stance in looking for alternative energy sources to help us get through our every day lives.  But as all good as this sounds, there is a flip side to this. 

These EVs have to be constantly charged, and current research shows that you have to visit a charging station in between every 200 and 400 miles of driving.  The worst part is that EV charging stations are still not a common place like the normal gas station, so if you get stuck, you are literally frozen unless AAA can charge you out.

Because of the limited number of EV stations that are out there, whatever is in existence has to rely upon a power source from somewhere, namely the national power grid.  But here in lies one of the problems – it is close to 70 years old, and it was not designed to handle the huge influx of EVs.  Of course, nobody back then even conceived of an EV. 

Right now in the US, there are some 9,200 national gird generators, over 600,000 miles of electrical lines that generate well over 1 million megawatts of electricity.  This kind of configuration served well back in the day, when our needs were simple, and not what they are like today. There have been talks in DC about creating what is known as a “Smart Grid”.  This is where all of the electricity that is depleted from the national grid can be put back into it, thus making it more responsive to the needs of Americans.

For example, electricity that is generated from wind solar panels.  But once again, keep in mind the age of the national grid.  One cannot simply rip out the old infrastructure and put a brand new one in.  In fact, it’s like the SCADA and Industrial Control (ICS) that we have in place also.  But there is yet another fear to the national power grid, and that is the Cyberattacker. 

Once again because of its age, there have not been too many security updates made to it,  thus leaving many backdoors open for easy penetration.  In fact, we have already witnessed some disruption to our power grid because of a security breach, but luckily, yet nothing cataclysmic has happened yet.

Now you throw in the demand from the power grid from the EVs as well as other technologically advanced devices, and now you have what is called a huge Internet of Things, or IoT that has a huge attack surface that has grown exponentially overnight. 

This is in turn will leave many points of entry that will remain unprotected for long periods of time to come. And it could be one lucky shot by a Cyberattacker that will finally bring the entire national grid down in just a matter of minutes.

My Thoughts On This:

Although I just painted a very sad picture, the bottom line is that it is real, even if EVs were not existent.  The national power grid is weak in terms of security, and as I have described, there is really not much one can do about it. 

The best that this nation can do is simply add on any security layers that are possible, but one has to make sure that all components work together.  Its not like at all downloading Windows patches onto your laptop.

We are talking about mixing the latest technologies with tools that are ancient, by comparison.  You may even be asking how did we even get into this hole to begin with?  Well back when the national electrical grid was being conceived of nobody gave a thought to Cybersecurity, because it was totally unheard of. 

Everybody was concerned about the physical security components, such as only letting authorized individuals having access to strategic points along the grid.

Heck even the EVs themselves can also bring their own Cyber risks as well.  As it was nicely summed up in this quote: "An electric vehicle has far more hardware chips and software components than an internal combustion engine. More complexity means we need to be more careful around security in general."

(SOURCE:  https://www.darkreading.com/attacks-breaches/how-to-keep-evs-from-taking-down-the-electrical-grid).

My point is that it is quite easy people to say that “we need to do this or that” to shore up the defenses of the national power grid.  But the truth of the matter is that we need the support of our political leaders in DC to make it all happen. 

We need new money to be put into research and development in order to come up with new ways to help protect the grid.  Even the states cannot do this by themselves.

It really needs to be a national effort in the end.

Looking Into The 2024 Cyber Crystal Ball: What Is Going To Happen???

 

From my experience, you usually do not hear what is predicted for the Cybersecurity landscape for the next year until you have reached Q4 of the existing year.  But since we are now in the halfway point of the year, people have already started to make predictions. 

But believe it or not, it is not for 2023, but rather, it is for 2024!!!  Yes, you read me correctly.  When I came across a couple of news articles that mentioned this, I had to rub my eyes a few times to make sure I was seeing things correctly.

But its true.  So what is predicted?  Let’s take the plunge:

1)     Cloud adoption will stop:

After the COVID-19 pandemic hit, many businesses started to realize the strategic benefits of moving to the Cloud (like AWS or Azure), on a 100% basis.  Of course, there are those companies that are still lagging behind on this; either their existing systems are too complex to the move to the Cloud (which means part of it will be in the Cloud and the other part will remain On Prem) , or the business owner is simply not convinced that the Cloud is the way to go.  In fact, some 59% of all businesses in Corporate America are now in the Cloud, at peak levels.  At the present time, one of the key advantages of the Cloud is that it offers fixed, and affordable pricing.  So the business owner will at least now what the expenditures will be for the coming year.  But it is feared that with these huge moves to Private or Public Hybrid Cloud deployments, this monthly fee will greatly escalate, thus making it far less affordable than what it is right now.  Also, there are fears that all of the great resources which are available right now will simply stall out because there will be a heavy reliance upon the major Cloud providers to come up with new innovations upon external, third parties.  But apart from this, the biggest fear is that of data privacy, and how well the PII datasets will be protected in the Cloud.  Data leakages are still a big issue, but keep in mind that this is not the fault of the AWS or Azure, but rather it is the fault of the Cloud owner, due to not configuring their infrastructure properly. In fact, it has been cited that some 63% of all data leakages that take place can be attributed back to some sort of misconfiguration (AWS S3 buckets have been getting hit hard in this respect).

(SOURCE:  https://cloudsecurityalliance.org/press-releases/2022/04/12/new-cloud-security-alliance-survey-finds-saas-misconfigurations-may-be-responsible-for-up-to-63-percent-of-security-incidents/#:~:text=of%20Security%20Incidents-,New%20Cloud%20Security%20Alliance%20Survey%20Finds%20SaaS%20Misconfigurations%20May%20Be,63%20Percent%20of%20Security%20Incidents).

2)     Activism will take a turn for the worse:

At the present time, many large activist groups are venting their frustrations and feelings out on the social media channels, most notably that on Facebook and Twitter.  While this so far has been contained, there is grave fear that by 2024 they could turn to the dark side, and launch Cyberattacks of their own, thus giving them the new founded term of “Hacktivists”.  The seeds have been sown with this with the Russian – Ukraine conflict, where many activists have come to the help of the latter by launching Cyberattacks against Russian targets.  While this can be deemed as an eye for an eye tactic, the concern is that by 2024, Hacktivist groups will start to attack the Critical Infrastructure of nations around the world in order to make their viewpoints and stances known. 

3)     Making use of Open-Source tools:

With everything now moving to the Cloud, and the respective providers now even embracing the use of Open-Source packages (to my surprise, I was surprised to see the sheer amount of Open-Source tools that are available in Azure) the software development community is now trending towards using more freely available tools that are available on the Internet, such as APIs to help in the source code creation efforts.  But as I have written about before, many of these APIs go untested, unpatched with many holes and gaps which exist in them.  Very often, this goes untested, making the final product full of backdoors for the Cyberattacker to penetrate into.  In fact Gartner has even predicted that by 2025, some 70% of all software projects that are created will have an Open-Source component to it that has not been fully vetted.

(SOURCE:  https://www.gartner.com/en/newsroom/press-releases/2021-11-10-gartner-says-cloud-will-be-the-centerpiece-of-new-digital-experiences).

My Thoughts On This:

Ok, so there are still two years out for all of this happen, if it does come true.  So what can you do mitigate these risks from happening to you:

1)     Try to remain as apolitical as possible.  I am not talking about doing this from your personal life, but rather from the standpoint of you being a business owner.  As far as possible, you should refrain (as well as your employees) from making sharp political stances, and posting them on social media sites.  In today’s digital world, you simply do not know who is watching you and where.  True, you can have all of the advanced technologies in your lines of defenses, but the best line of defense here is to simply stay mum and silent, and instruct your employees to do the same, at least when it comes to posting political things on company owned sites.

 

2)     With regards to the use of Open-Source APIs, your best bet is to sandbox them first, see where the holes and vulnerabilities lie at, and fix them, before you release the APIs into the source of the project that your team is developing.  In fact, source code checking has started to become a hot button topic today, and is expected to get more under the microscope.  In fact, I will be writing an eBook on this very topic in Q1 of 2023, so stay tuned.

 

3)     In terms of the Cloud, I would not worry about anything stagnating quite yet.  The truth of the matter is that the AWS and Azure will want to remain competitive with another as far as possible, so there will be many innovations that will be coming out.  If not, they will simply lose customers, which they don’t want to see happen.  I can’t speak for the AWS, but I know that so far, there has been a great job done by Microsoft in order to keep Azure glimmering with new functionalities.  But remember, just don’t make a sudden plunge into the Cloud.  You need to come up with a detailed plan first, and any migration must take a phased in approach.  Also in this plan, you need to detail how you will use the security tools and features that the AWS or Azure provide to you, and how you will make sure that all is configured properly to avoid data leakages.  Always make use of a Cloud Services Provider (CSP) if you can, as they can help you every step of the way, both pre and post migration.

Will there be now predictions made for 2025 even before 2022 is over?  Well, we will have to wait and find out.

 

5 Golden Rules To Use In Avoiding Zero Day Attacks

 

Well everybody, Happy 4^th of July!!!  Hopefully the second half of the year goes by better than this last one!!!  Looking back at the last half, really, the Cyber Threat Landscape does not appear to different than in 2021. 

There are the usual Ransomware and Phishing attacks, but nothing has caught my eye that I remember.  Sure, there was the fear of escalated attacks from Russia as it invaded the Ukraine, but nothing disastrous has happened (at least not yet).

But there is one variant that all IT Security teams need to be on the look out for, and these are technically known as the “Zero Day Attacks”.  What is it, you may be asking?  A technical definition of it as follows:

“[It] is a cyber-attack targeting a software vulnerability which is unknown to the software vendor or to antivirus vendors. The attacker spots the software vulnerability before any parties interested in mitigating it, quickly creates an exploit, and uses it for an attack. Such attacks are highly likely to succeed because defenses are not in place. This makes zero-day attacks a severe security threat.”

(SOURCE: https://www.imperva.com/learn/application-security/zero-day-exploit/).

Basically put, it is a weakness or gap in a software application that even the maker of the software product does not even know about.  The only way it becomes known is if a Cyberattacker examines the software package on their own, and tries to find that particular backdoor.  Once he or she discovers it, they then try to penetrate as quickly as possible.

From here, they can stay in for as long as they want, because really, nobody else has discovered this gap. Once the Cyberattacker has decided where they will deliver the malicious payload, they drop it, and get away as far as they can in order to cover their tracks (but even the shrewdest of Cyberattackers always will leave some evidence behind).

So now you can tell why it is called a Zero Day attack – there are no telltale signs or even warnings that something is about to happen.  In a way, this is probably about the worst form of Cyberattack, because everybody is caught off guard, and the end result can be almost disastrous, even bringing the business to its knees.

But believe it or not, Zero Day Attacks are nothing new. They have been around for even over twenty years, but the difference between then and now is that given the digital world we live in, news about them spreads like wildfire.  Even the largest of the tech giants such as Google and Microsoft keep track of these, given the amount of access they have now to threat intelligence.

There was a huge rise in these kinds of threat vectors just last year, and it is even expected that they will continue to grow.  Some of these Zero Days are extremely sophisticated like the Solar Winds hack, where the Cyberattacker looks for holes in an external third party which can infiltrate thousands of end users. 

Or they can be low level ones, such as attacking a piece of software, such as Word, Excel, or even PowerPoint (these have been among the favorite targets for Cyberattackers).

Given how covert these Zero Day Attacks can be, what can you do to protect your business?  Here are some key steps:

*Try to use antimalware/antivirus spyware software that has some sort of AI embedded into them.  The reason I say this these newer versions actually look for patterns of unusual behavior, and alert you in that way.  Previous versions simply compared known attack signatures which existed in their database.  While this can be effective way of doing this, keep in mind that the antivirus/antimalware vendor has to update these databases.  Usually it is not done on a real time basis, it is done by batches, this leaving the window of vulnerability open even longer/

*Keep up to date with all of your software patches and upgrades.  Yes, you keep hearing this all of the time, but it still remains one of the best ways to fend off any threat variants. It’s a pain I know, but it will be well worth it in the end.

*Keep up with the latest Cyber threat bulletins that are made to the public.  Some of the leading sources for this include CISA, and the FBI.  Always carefully look over these bulletins, and double check that your IT/Network Infrastructure are not vulnerable to them.

*Expand your IT Security team.  Yea, I know, this is a broken record just like keeping track of software patches and upgrades.  But now is the time to hire and expand your base, with real humans!!!  Remember, technology can only go so far, you also need the human element in there as well.  Who cares if you hire somebody that is not experienced enough. Train them in the best way you can.  There is no substitute for on-the-job training, and learning while the real thing is happening.

*The only way to detect any unknown vulnerabilities is to actually a conduct a deep dive Penetration Test.  But depending upon how exhaustive you want them to be, these can only be done at one point in time, and they are expensive.  For example, the average Pen Test costs on average $20k-$30k.  Just imagine if you had to do that 4x a year.  That would really eat up your bottom line.  But the good news is that there are new Pen Test tools that are coming out on the marketplace, which allow you to do run them both automatically and autonomously on a real time basis.  The bottom line here is that you pay a yearly license fee, and you can run as many Pen Tests as you need to without any extra costs incurred.

My Thoughts On This:

Another god way to detect the unknown is to have a Bug Bounty program.  This is where you hire hackers of all sorts, and the literally break into your system to find the unknown vulnerabilities.  In return, you pay that individual or group a handsome prize of money.  But, be careful of you participates in this, as you do not want a Cyberattacker from nation state participating in this.

Finally, as mentioned earlier, be always on the lookout for any anomalies.  Don’t just look for known attack signatures.  Any unusual behavior means that something is happening in real time, and that for sure merits your attention in order for a Zero Day from happening.

 

Watch Out Recruiters!!! Don't Be Deep Faked By A Candidate!!!

 

I remember that I when I finished my MBA probably about twenty years ago or so, interviewing for a job was so different.  If there was an on-campus event, if the recruiter felt that there was a good match, you would be called back for an interview the next day, and believe it or not, it was all face to face.  Back then, phone interviews were barely ever used, unless there was some reason or another that the candidate could not come in.

In fact, If I remember correctly, all of my interviews were faced to face.  When an offer was made, you would get it directly mail, adding an extra zest to the hard work you put in to get that job.  But fast forward twenty years later, everything in the recruiting industry is now done on Zoom or Microsoft Teams.  It seems like that the phone has become the last option now.

Given all of these technological advancements, while it can be a good thing, it has also greatly hindered the recruiting industry as well.  For example, if you get an email from a recruiter about a possible job role, it is hard to tell even if it is real or not.  Or for that matter, given the explosion of robocalls, how do you know if the person calling on the other end, is even real or not?  Is this person calling from some call center in India?

Now, the threats to the recruiting industry have taken a different for the worse. There has been an implosion in the use of what are known as “Deepfakes”.  I have written about this before, but essentially, this is where a fake video reproduction is made of a real-life person. 

Probably a good example of this are the politicians.  Back in the recent Presidential Elections, many fake videos were made of all of the leading candidates.

These we were aired all over the TV networks, and even You Tube.  They would be asking for money donations, but any money sent would of course be sent to an offshore account.  To create an authentic look Deepfake, very often AI is used.  To make things even crazier, Cyberattackers are also using stolen identities to further impersonate the victim. 

This can be very easily done, as most job hunters actually link a copy of their resume to their Linked In profile, which can be downloaded quite easily.  Or, job candidates don’t sign out of their accounts (such as those of Career Builder, Dice, Simply Hired, Glassdoor, etc.). which makes this an  easy backdoor for the Cyberattacker to penetrate into as well.

Also, it is not hard to make a video of somebody you do not even know of.  In this instance, Cyberattackers can merely visit the social media profiles of their intended targets, grab a video of the real person that has been posted, and replicate them from those sources. 

In fact, the FBI jus recently put out a warning about these Deepfake videos, and quite interestingly enough, the industry that is falling prey for this kind of scam is the IT one.

Also, this scam so far has been only used for remote work positions, not for direct office roles.  Although the FBI cannot specify any motive for the Cyberattacker is going about this way to launch a new threat vector, the thought is that by getting an offer through the use of Deepfakes will give them quicker access to confidential information and data, especially the PII datasets of both customers and employees alike. 

Now, it takes on average for the Cyberattacker of at least a few months before they can find a covert way to get in, by finding unknown vulnerabilities and weaknesses.

Just recently also, the FBI put out yet another warning of threat actors from North Korea acting like freelance contractors using Deepfakes as a way to get interviewed for various IT jobs.

My Thoughts On This:

Apart from the political front, the use of Deepfakes have also found their home in Social Engineering attacks as well.  Here are some of the more notorious examples of this:

*Back in 2019, the CEO of a German company was Deep faked and convinced the victim to wire transfer $243,000 to aid in a business emergency (which of course was not true).

*In the fall of 2021, an employee of a company based in the United Arab Emirates (UAE) was Deep faked and convinced to transfer $35 million to a fictitious offshore bank account.

(SOURCES FOR THIS:  https://www.wsj.com/articles/fraudsters-use-ai-to-mimic-ceos-voice-in-unusual-cybercrime-case-11567157402; https://www.darkreading.com/attacks-breaches/deepfake-audio-scores-35-million-in-corporate-heist).

But keep in mind that as Deepfakes are making quick headway, so is the technology that is being used to catch them.  For example, background checks are now becoming more sophisticated.  If a recruiter has any doubt about a candidate being a Deepfake and they lack the proof at the time of the interview, they can easily order today a deep and comprehensive background check on the candidate. 

Any mismatches can be detected quickly, and reported back.

Also, Deepfakes are not yet a perfect crafted technology as of yet.  For example, there is often a lag time between the video and the audio whenever the Deepfake answers a question from a recruiter. It is always very important to try to find this specific nuance. 

If you, the recruiter notice this, don’t dismiss just a bandwidth or network connectivity issue.  You could be dealing with a Deepfake, especially if this time lapse goes on through the entire interview.

Also keep in mind that Deepfakes are used for only short-term purposes.  As stated, the Cyberattacker wants to use this method only as a quicker way in which to penetrate your lines of defenses and from there, stay in. 

Also, there is research that is also being done to better identify Deepfakes early on in the process at the University of California in Riverside.  More information about this can be seen here, at this link:

https://openaccess.thecvf.com/content/WACV2022/papers/Mazaheri_Detection_and_Localization_of_Facial_Expression_Manipulations_WACV_2022_paper.pdf

Research is also being done at George Mason University, and more information about that can be seen here:

https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Deepfake-Social-Engineering-Creating-A-Framework-For-Synthetic-Media-Social-Engineering.pdf

Finally, as recruiter, if you have any doubts about a job candidate with whom you just interviewed, it is your right to conduct a deeper background check.  And of course, any discrepancies that appears to lead to a Deepfake should be immediately reported to the FBI.