Sunday, August 28, 2022

It's Not The Human Being - But Apathy - That Is The Weakest Link In The Security Chain

 


In the Cyber world, there is this saying that people, especially your employees, are the weakest link in the security chain.  To some degree or another, this is true.  After all, they are the ones that will use the shared resources and your software apps the most. 

If there are any sort of backdoors that they leave open, such as not logging off, not having a complex password, etc.  then usually blame is pointed at them.  Very often, they are shamed, and made a point of humiliation amongst their peers.

Perhaps this technique could work in scaring the other employees into abiding to your security policies, but it won’t last forever.  The employee you shamed will feel mistreated, and singled out, and even a point of workplace harassment.  

The last thing you need is a lawsuit about employee mistreatment.  But it is important to keep in mind that most employees do not mean any harm, it is sometimes they just forget to do something when they should have.

Maybe they just got called into a last-minute meeting, or a client has an emergency, who knows?  As a boss, supervisor, manager, whatever your title might be, you have to take all things into consideration, and listen to the side of your employee as well.  Not doing so will only set a very dangerous precedent, but it will also show favoritism, which is something else you do not want to happen in the workplace.

But then, there are those group of employees who honestly could care less about Cybersecurity, or even about the protection of who they work for.  Many times in these instances, as long as they are collecting a paycheck, that is good enough for them.  This can be referred to in psychological terms as “Employee Apathy”. 

This simply refers to the lack of interest on their part to protect something that is valuable to the company.

I never realized it before, but this is really a very serious issue when it comes to Cybersecurity.  After all, you want your employees to become both the front and last lines of defense for your company, and you are totally relying upon them to be your eyes and ears when you are not around.  But Employee Apathy is only getting worse.  For example, take into these stats from a recent market research survey:

*33% of employees just don’t understand Cybersecurity;

*Only 39% would report a security incident to their boss;

*25% of the respondents just simply don’t care about Cybersecurity at all.

More information about this research can be seen here at this link:

https://1670277.fs1.hubspotusercontent-na1.net/hubfs/1670277/%5BCollateral%5D%20Tessian-Research-Reports/%5BTessian%20Research%5D%20How%20Security%20Cultures%20Impact%20Employee%20Behavior.pdf?__hstc=170273983.e7b67b07bca4107e2b405b9b9fe6cad9.1659446478842.1659446478842.1659446478842.1&__hssc=170273983.1.1659446478842&__hsfp=868227580&hsCtaTracking=72be695b-db12-45db-b9ba-86cffca26b60%7Cef75f36a-5923-4028-b399-986e51c11fb6

So, what are the ways to improve Employee Apathy in your company?  Here are some tried and tested ways that you can follows:

1)     Improve the level of security awareness training:

This is a topic that I am sure everybody is sick of hearing.  But unfortunately, it has to keep getting repeated because nobody still seems to care about it, IMHO.  First, training is not a one-shot deal.  You have to do this repeatedly, at the Cyber experts recommend at least once a quarter to get any kind of results.  Second, you have to keep the training down to no longer than 30 minutes at max.  That is the attention span of the average human being, and remember, you are also not giving a college lecture on computer science.  It should be easy to understand and consume.  Third, you have to keep your employees engaged.  This is the only way that they will remember anything.  Companies are starting to realize this, and are now using the concepts of Gamification to keep the training competitive.  Fifth, test your employees a few days after training.  For example, if you teach about how to avoid a Phishing email, then launch a mock Phishing attack a couple of days later to see who has fallen prey for it.

2)     Have a hotline:

As it simple as it sounds, employees do not even know how to report a security breach that they may have witnessed.  For instance, almost 50% of the employees in the survey did not even know if their company had a security hotline or not.  So, correct the situation and have a 24 X 7 X 365 telephone hotline in which employees can report on anonymously any thing out of the ordinary that they may see or are currently witnessing.  Then, have a triaging system in place so that the most important tips get first attention.  But make this hotline known to all of your employees!!!

3)     Get rid of the mind games:

Employees want bosses that are tactful, respectful, don’t micromanage, but above all, are polite and honest to their employees.  This simply means be honest to the employee that is making a security mistake, but under no circumstances do not shame or punish them in front of other employees!!!  Instead, take him or her into your office, and have a private conversation as to what happened, and provide strategies as to what can be done better next time to help mitigate any security risks from proliferating into large scale ones.  As I have mentioned before, as we humans, we all make mistakes.  But by nature, we are also, good and kind, and at times, naïve about things.  So to best of your abilities, try to forgive and to a certain extent, forget.

My Thoughts On This:

As I write this blog, probably the one thing I would do differently is to simply take my employees, and just have an open and honest discussion with them as to how their levels of apathy towards Cybersecurity. 

Make sure to take careful notes, and implement the thoughts of your employees wherever you can.  Being a straight shooter like this only make your employees value you that much more, and have respect for what you are trying to accomplish.

Finally, minimizing apathy comes directly from the top.  If your CISO takes the time to maintain decent levels of Cyber Hygiene, so will you and your employees.

Saturday, August 27, 2022

The Top 3 Cloud Threats In 2023 Facing Corporate America

 


Let’s take a look at the past.  When was the first time you heard of the term “Cloud”?  Honestly, I heard of it probably back in 2009 or so.  All that I recall from it was that you could an account, get a web hosting plan, and set up a website and/or ecommerce front. 

It was also a place in which you could get your own unique email address depending upon the domain that you got.  You didn’t have to depend upon AOL, Yahoo, Netscape, or even Hotmail (I don’t think Gmail was prevalent at the time). 

I remember I ended up asking some of my other geek friends what this Cloud was all about.  Their response was fairly typical for the time, “Well, it is a place where you store stuff”.  But to a large degree, they were right.  During then, that is all that the Cloud was pretty much used for.  It wasn’t until I took a job as a creative writer with a company known as “emedia” did I fully start to understand what it is more about. 

After all, I was writing most of the copy stuff for most of the IT clients that we had.  By now I had heard of the AWS, and some of the stuff that it could do.  I thought, well, this is pretty cool stuff.  Btu when I got laid off from this job, I lost touch with the meaning of the Cloud, as I took on positions in tech writing that had nothing really to do with it. 

I then got back into it in 2016, when I took a job with a tech company that was an exclusive partner for not only Veritas, but for the AWS as well.

I ended up even attending an AWS conference, where just about every geek that you could imagined attended.  My eyes then opened up even more as to what the Cloud and do, and my interest picked up again. 

One of the very first concepts that I was introduced to was about the Simple Storage Service, known as “S3” for short.  Now, fast forward six years later, and the Cloud has become something that nobody ever imagined that it could.

It's not just a place anymore for storage.  Now, companies can physically migrate their On Prem infrastructure totally into the AWS or Microsoft Azure (the other Cloud juggernaut).  You can create just about any sort of AI application that you want, heck, you can even build out your own virtualized Data Center without having to worry about the cost and the expense of the brick and mortar one. 

Heck, back in the late 90’s, to build an Oracle database server, you would have to spend at least $30,000, mostly in buying the software. 

But with the AWS or Azure, you can now even build out your own Oracle Enterprise server for as low as $80.00/month!!!  But it is important to keep in mind that one of the big catalysts for this move to the Cloud was actually the COVID-19 pandemic.  Because of this, employers don’t have to worry about issuing company devices, all employees can now access what they need once again, in the Cloud.

But, as the demand for the Cloud continues to explode, so do the different configurations that can come along with it.  For example, there is now the Private Cloud, the Hybrid Cloud, and the Public Cloud (which was the original platform). 

As a result, companies can now use various combinations to meet their needs.  While this is advantageous, it has also caused a mass amount of confusion to which nobody has really paid attention to, especially from the standpoint of security.

Here are some typical examples:

1)     Data storage/leakage:

As mentioned, this is what the Cloud was built on.  But as businesses are creating more databases to hold this data and to come into compliance with the data privacy laws (such as that of the GDPR, the CCPA, HIPAA, etc.). there is much more influx of data than every before.  We are not taking about just gigs of data.  We are talking about Terabytes of data, and thousands of it (now often referred to as “Big Data”).  The AWS and Azure have the tools already in stock to help you protect your datasets, but many companies don’t configure them to their own requirements.  Rather, they leave them at the default settings, which is a huge security risk.  Even these Cloud providers say that you are responsible for this as well.

2)     IAM and PAM:

These are acronyms that stand for “Identity and Access Management” and “Privileged Access Management”.  These are both complex areas of Cybersecurity, but simply, these are the techniques that one would use in order to govern the rights, privileges, and permissions for each end user.  I don’t about the AWS, but Azure still has what is known as the “Active Directory” in which you create various user groups and profiles to help govern what is assigned to each employee.  But with so many different Cloud configurations that are now possible, keeping track of all this has become a nightmare for the IT Security team.

3)     The use of the security tools:

I can’t speak for the AWS, but I know for a fact that Azure has a ton of security tools that you can use whatever Cloud deployment that you have.  But remember, these are complex tools in the end, and to a novice like me, it can take quite some time to figure out what to do, and how to do them properly.  In this regard, you are probably best off having an CSP do all of this for you.

My Thoughts On This:

Compounding this problem even more is that companies are now using different providers in order to meet their needs.  For example, they may end up using both the AWS and Azure to fulfill what they are looking for, and try to connect the two platforms together.  Heck, even I am a victim of this. 

For my own tech writing biz, I have three of them.  The reason for this is that sometimes one offers cheaper deals than the other, but primarily, one of them has website starter packages, in which you can create a one-page website off the fly.  You don’t need to know Word Press for that.

But the main problem with using different providers is that it is that much harder to manage all of those passwords, of which I am finding out.  In all honest, if you are a company that is exploring about making a move in the Cloud, try to find a good CSP that you can work with.  They will not only do the entire migration for you, but if you want them to, they can even do the post maintenance work for you as well. 

Moving to the Cloud takes a lot of time and thought, and it should be done in a phased approach. In other words, it’s not a one and done kind of thing.  It’s a beast that will need to have continual monitoring to it. 

You don’t want to end up in a recent survey that was recently conducted by Cloud Security Alliance which found that only 41% were not sure if they had experienced a security breach in the Cloud.  More details on this study can be seen at the link below:

https://cloudsecurityalliance.org/artifacts/state-of-cloud-security-concerns-challenges-and-incidents/

Sunday, August 21, 2022

5 Cyber Reasons Why You Should NOT Have An Ecommerce Store

 


Does everybody remember the heydays of the late ‘90s when anything .com related was making money?  I certainly do.  Those were exciting times, and in some ways, wish that they would come back.  Brings back the good times. 

Well apart from the .com, there was also a craze back then to start an online store.  After all, it was the era of Ecommerce, wasn’t it?  Back then, it was fairly easy to get one, as the major tech giants had their own version of it.  All you had to do was buy a plan, and you were off in the running.

But with the sheer advancements in technology, you can actually create your own online store with the current CMS that you are using for your website (for example, Word Press uses Woo Commerce as their customizable online store) and integrate the two together.  In fact, many ISPs are now even offering hosting plans in which you can build your own store using templates.

But whatever method you choose, online stores have always been and continue to be a prime target for the Cyberattacker.  This is especially the case of you are using the CMS to create the store, as you will most likely being using open-sourced APIs well.  So what can you do protect yourself in this regard?  Here are some key steps that you can follow:

1)     Be careful of what you store:

There is always the temptation to store all information and data about your customer, as this makes it easier for them to make future buying easy, and you want to them to come back as repeat customers with the most convenience possible.  But given how data conscience everybody is here today, your best bet is to store as minimal amount of information as possible, which even includes credit card numbers.  Remember, if your database gets hacked into, you will be held responsible for all this.  Not only will you have angry customers, but the chances are even higher that you can face an audit , from auditors.  You could also face a hefty financial penalty, which could wipe you out permanently.  Why go through all of this.  At the most you should have is customer first and last name, and email address.  That’s it, and nothing more.

2)     Keep track of all of the vulnerabilities that are out there:

This may sound like an impossible task to do, but the truth of the matter it is not.  You can make use of AI and ML tools, or you can even outsource this particular function to a reliable MSSP.  Also, one of your best resource in this regard is that of CISA.  They post the latest vulnerabilities on a regular basis (not sure if it is in real time or not).  You can check this out by visiting their website at:

https://www.cisa.gov/insights

3)     Keep checking your systems:

By this I mean always check that your online store is free from any vulnerabilities or gaps.  The best way to do this is via a Penetration Test.  While these kinds of tests are very comprehensive, the downside of them is that they are expensive.  For example, one test can easily cost you $30-$40,000.  Imagine if you had one every quarter for compliance reasons?  That can really hit the bottom line hard.  But the good news here is that many Pen Testing companies are offering hosted plans, which makes it very affordable.  There are even some that let you purchase a one-year license to run an unlimited amount of Pen Tests.

4)     Be careful of third-party vendors:

Creating an online store from scratch can be actually a very complex process.  For this reason, you may even want to consider outsourcing the development of it.  But just like anything else, be extremely careful here.  Make sure that whoever hire in the end, takes secure source coding very seriously, and that a thorough QA test is done at the end.  Insist that any open-sourced APIs are tested also and upgraded.  Also insist that you get access to each source code module, so you do your own testing.  Remember that in the end, you will be held responsible if anything goes wrong in this regard!!!

5)     Always keep a detailed history:

By this also, I mean keep a detailed log history of each and every thing that happens on your online store, even if it is non-financial in nature.  Always keep an eye for any suspicious transactions, or anything else that may seem to be out of the ordinary.  This could be the first warning sign of somebody trying to break into it.  Remember to have all of this data recorded to a SIEM, where it can be centrally stored and accessed.

My Thoughts On This:

As mentioned, before it may sound exciting to build your own store.  Btu consider the benefits versus the risks.  And most importantly, think long term.  If you really want to have an ecommerce store, my best recommendation would be to go a hosting provider that offers various different subscription levels, such as the Verizon Store that I am currently using. 

Just like a Cloud deployment, everything is pretty much taken care of for you, all you have to do is enter in the product/services, and its relevant pricing.  And off you go in wild world of online selling.

Saturday, August 20, 2022

How OSINT Can Be Used To Protect Your Business & Employees

 


I was having a conversation with a good friend of mine yesterday evening.  We went to grad school together at good ‘ole SIUC, in the major, but different thesis topics.  Back then, the Internet at least here in the United States was just starting to emerge very slowly, but at the university, nobody was really using email. 

All we had was just the mainframe.  So when we collected our data, we had put everything in Lotus 123 (not joking here), and upload it so we could use the software package called SAS to analyze it.

Every bit of our thesis was sone at the library, including the literature review, and the data collection.  Heck, I had to go through all of the data journals, and literally handwrite everything down on paper and pen. Every time we had to make revisions to our thesis, we had to print it out all again, since nobody had email.  I am sure I killed a few trees by doing that.

But fast forward some twenty years later, we have now have Google, data repositories up the wazoo, and all sorts of email packages that we can use. 

What would take us weeks back then we can now do in just a matter of a few minutes. Heck, we can even hire somebody to ghostwrite our thesis (not a recommended approach though).  So we asked each other last night, how did we do it back then?  All we could answer was “I don’t know”.

So, this brings up yet another point. If we ever wanted to know more about a person, we literally had to call him or her up, and start a conversation.  Or even better yet, in person, face to face (OMG, I can’t believe I am actually saying that!!!).  Or in a worst-case scenario, depending on how desperate you were, you also could have hired a private detective.

But now, it seems like you can find information on just about anybody with a few clicks of the mouse.  The explosion of social media has certainly helped in this regard, as people are now posting things without giving too much regard to it.  Heck, you can even now order a background check on somebody that is very thorough and detailed. 

All of these sources from which you can gather information and data about a particular individual or group have now come under the collective term of what is called “Open-Source Intelligence”, or “OSINT”.

In a way, this can be compared to open-source APIs, which are free to download and use by the public.  The same can be said here of OSINT. But the scary thing about it, IMHO, is that there is a lot more information out there about you available in the open forum than you realize. 

In fact, this is how the Cyberattacker first gets started when they collect information about their intended targets.  Just do a simple background check, check out their social media profiles, find out their weak spots, and basically infiltrate. 

Or, if the Cyberattacker wants to be more exact about what they are doing, they can always penetrate into the Dark Web to get more data about their targets.  But the good news here is that as much as OSINT can be used for nefarious purposes, you can always take that information around and help use it to protect your own business, clients, and most importantly, your family and friends. 

How can this be done?  Well, just like doing a Penetration Test, you have to think like a Cyberattacker, and how they use the tool.

Once you have a grasp of this, then take the reverse of it, and apply it to your “allies” (for lack of a better term).  To get started with, here are some of the most common OSINT tools that the Cyberattacker uses today:

* Social media sites (Facebook and Linked In are the most notorious here)
*Online romance sites (like eHarmony, Match.com, etc.)
*Mapping tools
*Physical exercise and activity mobile apps
*Specialized OSINT tools like Censys and Shodan

*Google (especially Google Earh and Maps)

*GitHub (one has to have more advanced Cyber knowledge here, as it is a source code repository)

*Google Dorking, with this, the Cyberattacker is manipulating the advanced search features of Google I order to gain more information about their target

*Sodan/Censys:  These are search tools that have been designed for the ICS based technologies.

The above-mentioned resources are just a fraction of what is truly available.  To get a sense of this, visit the OSINT framework, which can be seem at the link below:

https://osintframework.com/

You’ll be totally shocked when you go this website.

My Thoughts On This:

Once you have had the time to go through the bulk of these resources (or you could merely contract a vendor to do all of this), then present all of it you the people you selected.  They will be in total shock and awe when they see what is available out there in the public forum about them. 

But this is the only way to do it.  We live in such a reactive society that only this kind of approach is truly effective when trying to get people to have good levels of Cyber Hygiene.

But of course, there is always information and data that will be collected about us, whether we like it or not.  In a way, it kind of feels that Big Brother is watching over us.  But there is nothing we can do about this, this part of the price that we have to pay if we want to live in an interconnected society. 

But, after you have “shock and awe” your employees about what you have found on them, the only thing you can really emphasize is not too share too much information on social media profiles, and to make full usage of the privacy options that each one of them has to offer.

Also keep in mind that the OSINT tools can also be used for Pen Testing exercises as well, as the Red Team needs to get as much information and data as possible about their client.  Finally remember that the favored tool that the Cyberattacker is going to use when launching OSINT based attacks is that of Social Engineering. 

This is something that you really need to emphasize in your security awareness training programs.

Monday, August 15, 2022

Protecting Yourself From The Coming Worldwide Cyber War

 


As the world becomes more digital by nature, and the Remote Workforce now taking a permanent foothold here in the United States, security awareness training is becoming even more paramount than ever before, as literally, employees can work wherever they want to know.  With this in mind, how do you know your employees are maintaining a good level of Cyber Hygiene?

Sure, you can spy on them.  But that probably would not settle with them too well. Again, it goes down to training them in what they need to do, and what to be on the look for in this regard.   Many companies have failed, and continue to fail their employees in this regard.  It is not just a one-time deal, it needs to be happen on a regular basis, like at least once a quarter.

But apart from that, delivering a security awareness training program can be hard.  It should not be just a one-hour lecture, but rather, it should be fun, entertaining, and even competitive.  But how do you all of this?  What is the secret sauce?

Well, listen into our podcast and you will find out.  We have the honor and privilege of interviewing Tom Kirkwood, the CEO and Co-Founder of Iron Tech Security.  One of their prime service offerings is in the area of security awareness training.  Find out how the pros do it!!!

You can download the podcast here:

https://www.podbean.com/site/EpisodeDownload/PB129C4F582YBY

Sunday, August 14, 2022

The OCSF: Just How Effective Will It Be???

 


As I have said repeatedly, the Cyber industry is one in which there is plenty of technojargon.  So the next one to come of age is “Framework”.  There is nothing really new about it, it’s been around for quite some time, but it is being used quite a bit these days. 

Generally speaking, a framework can be thought of as a set of guiding principles in which to guide companies from accomplishing a certain task that they want to.  For example, the National Institute of Standards and Technology, also known as a “NIST” has compiled a ton of these Frameworks to help business owners better protect themselves.

They range from providing checklists as to how you should conduct a risk assessment to how you should become compliant with the many data privacy laws that are now coming about.  I know about some of them, but not in a lot of detail.  Probably the one I am the most well versed in is the NIST SP 800-171, which deals with the CMMC. 

While the NIST documents do provide excellent content in how to use the tool that is provided in it, it is always wise to check with a compliance expert first to see if that is what you really need.

OK, so fast forward a little bit, and just last week, a major Cyber conference was held, known as Black Hat USA, very similar to that of the RSA conference which is held in the Bay Area every year.  At these venues, everybody is showing off their latest gadgetry, but something unique came from this one. 

The AWS and Splunk sponsored the start of a new initiative, called the “Open Cybersecurity Schema Framework” or “OCSF” for short. 

There are also 18 other vendors that have agreed to help sponsor and contribute to this framework, and they are as follows:

Broadcom (Symantec);

Cloudflare;

CrowdStrike;

DTEX;

IBM Security;

IronNet;

JupiterOne;

Okta;

Palo Alto Networks;

Rapid7;

Salesforce;

Securonix;

Sumo Logic;

Tanium;

Trend Micro;

Zscaler.

So as you can see from this list, you have some big players that want to help out this new framework.  So you, may be asking at this point, what is this all about?  Well, as you may realize, there are literally hundreds of network security products out there, and they all record every last detail that transpires in your security environment. 

These files can be quite huge, so advancements have been made to consolidate all of these transactions into the most relevant ones into one central dashboard, which is known as a SIEM.

AI and ML have a big part in this filtering process, as they comb through all of the false positives, and discard them.  Thus, only the real warnings and alarms are presented to the IT Security team, so that they triage them from just one dashboard. 

But the problem here is that all of these different devices output their data into different formats, which can be quite time consuming to decipher.  So, the primary objective of this new framework is to try come with a best of standards so that these different formats can be created into a single one.

The benefits of this are twofold:

1)     The IT Security team can make better decisions in a shorter time period;

2)     Any intel and information gathered can be shared with other organizations as well.

One of the other key advantages of this framework is that it is based on an open-sourced platform, meaning any individual or company can contribute to it, thus expanding the knowledge base. It is important to note that this is not something that just came out of the air, rather, it has its groundings in the set of ICD Schema specifications as it has been developed by Broadcom. 

More information about this can be seen at this link:

https://icd-schema.symantec.com/

The technical details about the OCSF can be found at GiHub, at this link below:

https://github.com/ocsf/ocsf-docs/blob/main/Understanding%20OCSF.pdf

In fact, recent studies have also discovered that the Cyber industry wants some sort of set best standards to follow.  Here are some of the results of that:

*77% of the respondents want to see as many open frameworks as possible;

*85% view integration and cooperation with other vendors as almost being necessary these days.

More information about these findings can be seen at the link below:

https://www.esg-global.com/research/esg-research-technology-perspectives-from-cybersecurity-professionals?

While many participants at Black Hat applauded this effort, many also still wonder if this framework will have the legs to walk and continue to grow.  For example, at the heart of any framework, is the Steering Committee. 

These are made up of government officials, private industry vendors, and even day American citizens. The purpose of them is to make sure that the framework is fulfilling its purpose, and not veering off course from it.  At the present time, the steering committee is still made up largely of vendors, there is very little input yet that has been provided by the American public.

My Thoughts On This:

From the outset, I think that this new framework is a great step forward.  But as it was eluded to before, many Cyber pundits still wonder how long this will last.  For example, some wonder is this all talk full of hot air, or will there actually be something that comes of it?  It is still too early to tell, primarily because this not a government directed effort, like the NIST frameworks have been.

But on this theme, many CISOs in Corporate America are now starting to realize that they have what is known as “network security sprawl”.  This is where there have been too many products deployed to beef up the lines of defenses.  The thinking here is that the more you have, the better off you will be.  But this is far from the truth.  The more tools you have out there, simply makes the attack surface that much larger. 

Plus, many CISOs often purchase network security devices from different vendors, which makes the differing output files even more problematic to solve.  The reason for this is that each vendor has their own set of rules for outputting events, and the is the exact problem that the OCSF framework is trying to solve. 

Perhaps one of the first mandates of this new framework should be that before embarking on new products, a CISO must first conduct a risk assessment to determine how any existing devices can be more strategically placed.  For example, instead of purchasing would just 3 firewalls suffice instead of having 10 of them?

Not only will this make formatting the log output files easier, but it will streamline the reporting process into a much more efficient one.

Saturday, August 13, 2022

The SOC2 & ISO 27001 Certs - Are They Worth Getting?

 


In the world of IT and Cyber, there is one common denominator:  Certifications.  I have written about this before, and in fact, have even written a couple of whitepapers on this very topic for a couple of writing clients that I have. 

Back in the day of the .com craze, it was the Microsoft MCSE cert that ruled.  Btu now with everybody either going into the AWS or Azure, the plethora of certs have exploded even more.  In fact, just a few days ago, I was looking at all of the Cloud certs available, and my head just exploded.

This is an addition to the other certs that are offered through the other institutions as well, such as those of ICS(2) and CompTIA.  So its no wonder that when a person wants to get a Cyber cert, they are very often bewildered as to even where to start.  

But it is not just individuals.  The same holds true for companies as well.  Given how compliance  a lot of things are today, companies are pursuing their own type of cert that they think are relevant to them.

A lot of this relates to the data privacy laws, such as those of the GDPR, the CPPA, HIPAA, etc.  Also, many other states are now passing their own version of them, and even other countries around the as well.  Now imagine if you are a multinational company, what kind of certs do you need so that you can have the regulators and auditors stay off your backs?

This can be a difficult question to answer, as you will be subject to the data privacy laws of each country that you operate in, or at least conduct financial transactions.  In other words, at the present time at least, there does not exist a set of international standards that a company can follow. But here in the United States, the two most popular certs that companies go after tending to be the SOC2 and IOS27001. 

But now, here comes the tradeoff:  It can take up to 6 months to get one of these certs (it’s not the same as passing as a Cyber cert).  Because of this huge time commitment, it takes a drainage of employee resources, and worst yet, it can even make an impact on the bottom line, as this is considered to be a non-revenue generating activity.  So now the question comes is it really worth it?

It can actually be quite helpful from two different angles:

*By having one of these major certs, it proves to a regulating body of one these data privacy laws that you are taking compliance very seriously, and that there are very good chances the controls that you have implemented are up to snuff.  As a result, the chances that you will get audited and/or even face financial penalties are thus greatly lowered.

*Having these certs is actually a good thing to have when approaching sales prospects and new customers.  It shows to them also that you are taking Cyber and the protection of PII datasets seriously, and have a proactive mindset.

*You will have greater chances of getting quality third party vendors that you can outsource your business processes to, as they will also be required, to varying degrees to have this cert.

There are also the downsides of this as well:

*As mentioned, it is a huge expense and time commitment for a company to get one.  Perhaps it may be time to rethink if it is really worth the effort, when these resources can be diverted to other revenue generating projects.  Also, you have to keep in mind the industry that you are in.  Not all of them are subject to the guises of the data privacy laws previously described.

*Now, here is the catch 22.  Even though you have may the cert in hand, you can still become a victim of a Cyberattack.  There is no stopping that.  All the certs will do for you is have you engage in certain types of activities that will help reduce this risk from happening, such as by deploying the right set of controls and/or upgrading the existing set that you have.  Now if you are hit and have this cert, people are then going to ask you, “How did this happen?”  Unfortunately, this can be a very difficult situation to be put into.

*Even here in the United States, there is no set of best standards when it comes to the actual awarding of the certs.  As a result, the number of organizations that that put you in the ringers has increased by 4x.  So, how do you know who is for real and who is not in this regard?  This is where you have to practice your due diligence.  To make things worse, every training organization has their own methods of awarding one of these certs has their own set of guidelines in terms of rewarding it.  So how do know which one is better?

*After a company has received their cert, the chances are fairly high that they will let their guard down.  For example, being proactive is not just a one-time deal.  It has to happen on a daily basis, with each and every employee.  Obtaining the cert has taught you and your employees valuable skills to keep that mindset. But after achieving it, many companies let out a sigh of relief and forget all that they have been through.

My Thoughts On This:

So in the end, the fundamental question remains: Should your company get either one of these certs that have been examined in this blog?  Once again, it comes down to the market you are in.  If you are business that deals with a lot of data, then of course it makes sense to have one. 

But if you are not one, then it may make more sense to pursue a cert that is closely aligned to what you are actually doing. 

But keep in mind that if you decide to get this kind of cert, it is merely a starting point.  You still need to keep your guard up, by conducting routine drills, security awareness programs, and pen testing exercises (it is highly recommended that the last two be done on at least a quarterly basis). 

Also, make sure that you carefully vet out the testing agency who will be awarding your cert in the end.

 

Sunday, August 7, 2022

Why It Is Important To Take A Top Down Approach For IAM - 2 Key Considerations

 


Day by day, businesses across America and even globally are starting to understand the importance of moving entirely to the Cloud, and totally eradicating with their On Orem infrastructures.  Now, there is really nothing wrong with the latter per se, it’s just that these are old legacy systems, which can cost a fortune to maintain.

In today’s world, nobody can really afford that.  In fact, many of the vendors that use to make the reliable ecommerce back in the day, are probably no longer even in existence today (one good example of this is Compaq – I bought their ProLiant server many years ago). 

And with the world going all digital one day, with the expectations that we will soon evolve into the Metaverse, being totally in the Cloud makes much more sense.  Keep in mind tough that a complete migration to the Cloud requires careful planning and is usually done in phases in order to make sure that nothing is left out.

In this regard, it is best to make use of what is known as a Cloud Services Provider, or CSP for short.

Not only can they plan the entire migration for you, but they can also do it, and maintain it after it has been all said and done.  But after a smooth transition from On Prem to the Cloud has been done, your work has just started, at least from the standpoint of security. 

Probably the biggest issue here is that of Identity and Access Management.  This is essentially a field of Cyber in which you establish all of your user and group profiles, and from there, assign the needed rights and permissions.

If you are using Microsoft Azure, then a lot of this headache will be eliminated if you make use of the Active Directory.  This is actually pretty complex, but cut to the chase, this is the centralized database in which all of the above is stored at.  It can be very simple or complicated to use, a lot depends upon your security requirements, and just how big your organization is.

It is important to keep in mind that Azure gives you all of the tools you need in order to create a sound IAM Policy.  But Microsoft won’t do that for you (of course you hire them for a huge consulting fee), it is up to you to configure your security environment the right way, which is according to your requirements.  In fact, this is where many companies fail at. 

They think that simply because they have moved into the Cloud, all is well.  No, there is much more work to be done.

In fact, this is why data leakage has been such a huge issue with the AWS.  It’s not that the Private Cloud that has been deployed is weak, it’s the fact that the owners of it have not configured the S3 buckets properly. They leave it at the default settings, thinking that it is enough. 

But on the flip side, the Cyberattacker already knows what they are, such it is just a matter for them of breaking into your Cloud environment, tampering with the settings, and from there, exfiltrating all of the data that they can get their hands on.  This is the first area a good IAM policy must address.

Also bear in mind that many organizations also fail to remember that one of the key mantras of the Cloud is automation.  What once took hours to do On Prem can now be done in minutes in Azure.  For example, this means that all of the network log files, enabling new software applications once the triggers and conditions have been met, managing all of the Cloud Access Brokers (CASBs), etc.  With all of this stuff being interconnected together, privileges and rights can cross each other, and in fact, even be used in the wrong way, thus leaving more exposure for the Cyberattacker,  You can consider all of this automation as little robots running around in your Private Cloud trying to get their assigned tasks done.

And if the right privileges are not in place, chaos is about too erupt to a degree of which you have never seen before.  This is the second area that a solid IAM policy must also address.  In fact, these are referred to as Non-Human Identities, and have become a prime target for the Cyberattacker to chase after.

My Thoughts On This:

So there you have it, the two main areas in the Cloud in which IAM must address.  Of course, there are many other areas as well, especially those that relate for the Remote Workforce.  The traditional security technologies of yesterday are simply not enough to keep up with the security demands of today. 

Thus, companies have to invest into some newer technologies in order to keep up.  These are also, I believe, available in Azure, so take a look around.

But remember, one of the key tenets of an IAM policy is a top-down approach.  This simply means that if the top brass, such as the C-Suite are obeying it, then there is a far greater chance that the employees underneath will follow in the same fashion.  This is how you should also plan for your IAM strategies.  You should always start from a holistic sense, using this top-down mentality. 

For example, take a look at all of the departments you have.  Then from there, craft out the user groups you will create for each one of them, as well as their respective rights and permissions.  Once this has been done, then add in your employees to each of the groups that they will be a part of, and assign the right rights and permissions in an en masse format. 

Also, it is equally important to set up the permutations either the deactivation or total eradication of a particular individual once their job assignments have been completed.

Many IT Security teams fail to do this key task, and because of that, it leaves a huge, backdoor for the Cyberattacker to penetrate into.  You should never have to take a micro approach with an IAM Policy.  If you are, then that means something is not right and needs to be seriously reevaluated.

Finally, don’t discount the use of your log files that are outputted from your network devices. They will give you all the information that you will need when it comes to calculating the patterns of when your employees log in and log out of all your Cloud based applications.  This can also be useful in crafting out a good IAM policy.

Saturday, August 6, 2022

4 Golden Ways How Chess Can Ante Up Your Cyber Mindset

 


This may sound like an odd question to many of you out there, but with most of us WFH, have you been finding that you are playing more board games with your kids in an effort to spend more time with them?  If so, you are not alone.  There are a number of families with whom I have had conversations over the last week or so, and it seems like that board games are the norm after dinner.

Whether its playing Twister, Trivial Pursuit, etc.  at least you are engaging your mind with others which helps stimulate the brain and the thought process far more that just sitting in front of your computer or watching TV. 

But there ,is one game out there, that could do more than just that.  It is called Chess.  This is probably one of the most “thinking” games that are involved, as it requires, skill, strategy, and even knowledge about your opponent.

But being good at it does not happen overnight, rather it takes time, and perhaps even a lifetime.  In fact, they are some people who are so good at it that they can even make it a career.  Personally, I have played Chess the most back in high school, when I was on the team, and on and off throughout college.  Heck, I even played it online a few times with friends as well.

So, you may be asking at this point where am I going with this?  Well, Chess can also be a great way to build up your mindset to hone in your Cyber skills.  Yes, everybody wants to have their skills sharpened, but simply getting certs after certs or doing online training is not going to cut it in the end.  As Cyber professionals, we all need to find ways to increase our thinking power, so here are some ways in which playing Chess can actually do that:

1)     You can understand your opponent’s doubts:

In the world of Pen Testing the goal of the Red Team is to get into the minds of a Cyberattacker, and literally break down within the legal bounds of your contract.  The same can said of Chess.  You are trying to get inside the mind of your opponent to see where their weaknesses may lie at.  But the best thing about this particular situation is that you are sitting directly in front of him or her.  So, this gives you an opportunity to study their gestures and reactions.  Remember, human beings react differently to certain things in the physical sense, so this is the perfect opportunity to study those moves.  And no, it does not AI or ML to do this.  Remember, as I have pointed out before, humans are also creatures of habits.  It is quite likely that the same bodily gesture will be used to reflect the same manners of weaknesses.

2)     The creation of a plan:

In everything that I write as it relates to security breaches, I always harp upon the need to have an Incident Response/Disaster Recovery/Business Continuity Plans in place.  These are the documents that will guide you when you are hit.  The same of true is of chess.  You need to have some sort of plan in place before you embark on your next game.  It doesn’t have to be on paper, but you need to have some sort of strategy mapped out as to how you want to defeat in your opponent.  Of course, unless this is a good friend of yours, you will not know who your opponent is, therefore you need to be on your toes to keep changing your strategy as your game evolves.  This is the very same true of Cybersecurity.  Simply knowing what the threat signatures have been in the past are not enough to predict future strategies.  Of course, you have AI and ML to help you to do this, but in the end, you have to make your own calls. For example, you need to have a game plan in mind every day as to how you plan to identify future threats and combat them.  Of course, they probably will not evolve the way as you have planned out, but that is the beauty here:  Learning to be adaptable and make changes to your game plan, as you have to do in Chess.

3)     Time management:

In the world of Cyber, there is no such thing as time. We have to act quickly in order to keep the Cyberattacker at bay.  But of course, reality dictates the opposite, as it takes IT Security teams at least 6 months to detect an attack in progress, and the Cyberattacker of today is staying in for longer periods of time in order to fully understand your environment.  But once the moment happens, you have to be ready to strike back in a minute’s notice.  This is where the value of time management comes into play.  But unfortunately, the IT Security teams of today are so overburdened that time management is not even heard of.  For them, just trying to keep their heads above for a single day without going insane is a herculean task.  But playing a game of Chess (and often) and making use of a time clock will help to a great degree sharpen your time management skills.  For instance, you are given a X amount of time in order to make a move, and this could be the one that dictates whether you win or lose the game.  The same can be said of trying to capture the Cyberattacker or fighting off a threat.

4)     An Introduction to Automation:

As mentioned earlier in this blog, humans are creatures of habit.  We simply don’t want to change unless we have to, even of it makes our lives easier.  The same could also be said of automation.  This is where the role of AI and ML come into Cyber, especially when it comes to doing repetitive tasks and filtering out for false positives.  But in the world of Chess, you do not have to all the time have a human opponent – you can also have an automated one. This was made famous after Chess Master Garry Kasparov lost to a computer automation tool developed by IBM called “Deep Blue”.  This all happened back in 1997, so who knows how much the technology has evolved since then?  More information about this historic Chess match can be seen at the link below:

https://www.history.com/this-day-in-history/deep-blue-defeats-garry-kasparov-in-chess-match

My Thoughts On This:

So, here are some ways in playing a game of Chess parallels the world of Cybersecurity, and how it can sharpen your IT Security Teams reasoning and thought processes.  Of course, it would be great to sit in front of a Cyberattacker to learn their tactics and strategies, but of course this will never happen until the turn to the good side.

As an IT Security manager, you need to challenge your staff in different ways.  Perhaps consider having a Chess camp once a quarter where they do nothing but play games against each other or a computer.  True, it may sound kind of boring, but have it some place where relaxation is the key, such as a hotel.  And of course, add some extra incentive as playing a game of Chess may not excite all of your employees:  A gift card for each attendee, and a grand prize for the ultimate winner.

How To Launch A Better Penetration Test In 2025: 4 Golden Tips

  In my past 16+ years as a tech writer, one of the themes that I have written a lot about is Penetration Testing.   I have written man blog...