Where Are The Ransomware Attackers Hiding At? 4 Places You Need To Know

 

Ok, I went out yesterday to do some shopping for groceries, and other much needed items.  My favorite store I usually Jewel Osco and Aldi.  Luckily where I live, the two are close by from one another. Durning the height of the COVID-19 pandemic, all that was played on the intercom were warning messages about it. 

But as things tempered down with the vaccinations that came out, the normal music started to emerge again, which was finally great.

So now you hear barely anything COVID-19 anymore.  But now, believe it or not, holiday music has started to play, at least intermittently, to get you in the mood for buying gifts for family and friends.  So yes, this year has gone buy very quickly, even more so than the previous one.  Where does this all lead up to?

This is the starting point where all of the Cyber pundits start to make their predictions for 2023.  I have not seen anything yet, but I bet in the next two weeks its going to start to trickle out.  This year of 2022 has been a relatively quiet one, when compared to 2021, when all of the Ransomware attacks were really coming out. 

Even with the geopolitical concerns that are happening in Russia, luckily nothing major has happened here in the US.

Even this year, Ransomware has declined to a degree that nobody has expected.  But it won’t stay quiet for so long, now that Christmas will be here before we even know it.

So, you might be asking where the Ransomware hackers, have they all disappeared?  No they haven’t, but instead, they have taken on different types of tactics which makes them even more elusive than ever before.

The following list details where they have been this year:

1)     They hire somebody else to do the dirty work:

The Dark Web is not just a place where PII datasets can be sold for a great price, but it is here where you can even hire what is known as Initial Access Broker (aka IAB) to launch the Ransomware attack for you.  More specifically, their services are called “Ransomware as a Service”.  All you have to do is a pick a target or targets, and voila, they do the rest of the work.  So while the IAB breaks down the doors for you to steal the victim’s credentials, you can from there plan how you are going to launch a subsequent attack like an extortion based one, based upon what has been given to you.  IABs are the real thing, as demonstrated by these stats:

*There were more than 1,300 IABs listed on the Dark Web in the last recent checks;

*The price for using their services ranges anywhere from $1k to $10k;

*Average costs of services are $4,600.00 to launch a sophisticated Ransomware attack;

*Some of the highly valued credentials that you can get by hiring an IAB are the VPN login credentials and other forms of privileged access.

               More information about IABs can be seen here at this link:

               https://www.digitalshadows.com/blog-and-research/rise-of-initial-access-brokers/

2)     Cyberattackers are becoming more elusive:

I have written many times before as to how the Cyberattacker is now taking their own sweet time to study their victims.  But in some of these instances, they don’t get onto the Dark Web.  Rather, all of the information and data that they need to build up a profile is publicly available through social media sites and OSINT tools.  Once they can find a weak spot that they can lurk into, they will also then spend forever lurking in silence to see what the prized possessions of the company are, but most importantly, determine where they can drop off their malicious payload(s) at.  These are typically known as APT style attacks.  What is unique about these kinds of threats are that the Cyberattacker can move in a sideways or lateral fashion, thus making them even more detect.  Also, another technique to avoid detection are fileless attacks, where the Cyberattacker can also lurk about in the physical memory of the wireless device, and literally leave no signature trails behind them.

3)     Low profile targets are now getting attention:

As the Fortune 500 companies are becoming less of a favored prey for the Cyberattacker, the next target are the SMBs and nonprofits.  Very often these kinds of businesses simply do not have lines of defenses that are associated with them.  The fallacy in thinking here is that (which I have heard so often) is that:  “If we have not been hit yet, we probably won’t be.  We offer no value to the Cyberattacker”.  Well, just recently, one of my clients told me that their own client said the same thing, and the next day they were hit with a Ransomware attack.  In the end all business have some value for the Cyberattacker.  It does not matter how large or small you are.  Even an SMB could contain just a few PII datasets that could prove to be very profitable for the Cyberattacker in the end. Also, many SMB owners feel that Cyber solutions are too expensive for them to procure.  This is not true anymore.  Many Cyber vendors are now starting to realize that the SMB market can be a lucrative one as well, and thus, are now starting to offer products and services that are very affordable.

4)     The person sitting right next to you:

In this instance, I am talking about Insider Attacks, which have been initiated by a rogue employee.  These kinds of individuals are often hard to detect, but they do give away tell tale signs, especially with changes in their behavior.  These particular individuals may not be planning an attack directly by themselves per se, but rather, they could have been contacted by a malicious third party (via Social Engineering techniques) to give them the details of the insides of the business, especially the IT and Network infrastructure.  From here, the rogue employee would then be paid a handsome price. Consider these stats:

               *57% of the employees that were contacted were offered less than $500,000.00;

               *28% were offered between $500,000 and $1,000,000.00;

               *11% were offered more than $1,000,000.00.

               The above stats were taken from a survey just recently conducted by Hitachi, and more     information about that can be seen here:

               https://www.hitachi-      id.com/hubfs/A.%20Key%20Topic%20Collateral/Ransomware/%5BInfographic%5D%20The%20R        ising%20Insider%20Threat%20%7C%20Hackers%20Have%20Approached%2065%25%20of%20E          xecutives%20or%20Their%20Employees%20To%20Assist%20in%20Ransomware%20Attacks.pdf

My Thoughts On This:

The next step in this blog would be how to write on how to mitigate the risks from becoming a victim of a Ransomware attack.  But I am not going to do it, many other Cyber professionals have written blogs, articles, and even eBooks on this same subject matter.  A simple Google search will reveal what you need to know.

Personally, I think Ransomware attacks will probably not emerge so much for the remainder of this year, but a lot is going to depend as to what happens with Russia and the Ukraine.  If things go further south, then things could get worse again on the Cyber front.  But my biggest fears are those Ransomware attacks on our Critical Infrastructure.

What Do Windows 11 & The Zero Trust Framework Have In Common? 9 Key Features

 

Usually on Friday mornings, there is one common denominator:  It’s time to a Windows update.  I don’t know how my computer knows it, but this has been the trend since this spring.  I can tell an update is coming by the way the fan is blowing off in my laptop. 

But this update sort of scared me.  It was the one to Windows 11.  To be honest, I am not ready yet to update to Windows 11, and I don’t know if I ever will be.  So as I hit that update button, I was praying that there would be a choice not to.

Fortunately there was, and hopefully that will be the last of it.  But there was just one small update, and that took only a few minutes to install.  It’s not that I am now willing to give Windows 11 a shot, but from what I heard its best to wait.  Also, from what I hear is that this new OS is filled with more security features than ever before.  But is this a good thing or a bad thing?

Who knows.  Every 2^nd  Tuesday of the new month, Microsoft comes out with what is called “Patch Tuesday”. These are the recommended software patches and upgrades for Windows.  Other tech and firmware vendors have followed suit in this fashion, and in all of these cases, it just blows my mind how many vulnerabilities still keep coming out.

But anyways, the newest security features that have been supposedly installed onto Windows 11 deal with what is known as the Zero Trust Framework.  In this methodology, absolutely nobody can be trusted in either your external or internal environments. 

Everybody has to be verified all the time through MFA procedures.  Even the geo-location and the security settings of the wireless device in question are also checked before granting access.

On a technical note, some of the Zero Trust features that have been added include specifically the following:

*More support for the Pluton security processor;

*More   support for the Trusted Platform Modules;

*Implementation of the Trusted Boot,

*Higher levels of Encryption and Cryptography;

*The inclusion of Code Signing Certificates.

*The adoption of the Smart App Control;

*AI and ML to track down any signs of abnormal behavior;

*Checking the integrity of Windows Defender after each hard reboot;

*Getting rid of passwords by making use of the Windows Hello for Business functionality;

*Deep levels of protection for protecting against credential harvesting attempts when an end user visits a website.

A strategic move that Microsoft has made when it comes to deploying these Zero Trust is that there is nothing that the IT Security team has to do.  Everything is already “bolted on”.  The thinking here is that the adoption will be higher if people were forced to use them, and not voluntarily having to deploy them.  The other line of thinking here is that all companies, no matter how large or small, will have access to the Zero Trust Framework technologies, which will also help to level the playing field to a huge degree.

The following illustration is just a sampling of what is included in Windows, from the standpoint of Zero Trust:

(SOURCE:  https://www.darkreading.com/operations/microsoft-practical-zero-trust-security-windows-11)

My Thoughts On This:

In the end, Zero Trust (as it is also called) is going to the be next big movement in Cyber, whether you like it or not.  Part of the reason for this is that for those businesses that have deployed it to some degree or another, have actually reported some success with it.  Hey, that is far better than nothing.  But the one thing that is going to hamper its full adoption is getting the buy in from employees. 

For example, as I have mentioned many times before, people are creatures of habit.  They simply do not want to change unless they are forced to.  So, there could be a fair amount of grumbling for a long to time to come of having to go through three or more layers of authentication versus just using the normal password.  This is where both sides half to meet halfway.

For example, deploying the Zero Trust Framework should not happen all at once.  Rather, it should be phased in gradually, in different stages.  And at each step of the way, any new processes that are going to be introduced should be tested first in a sandbox environment before they are released into the production environment. 

Heck, anticipate that it could be quite a number of months, or even years, until it is fully deployed properly at your place of business.

But slow and steady is the best way to go, because going in a haphazard fashion will simply not only widen the attack surface, but it could also create many other backdoors for the Cyberattacker to penetrate into. 

But apart from this, another key factor to the successful deployment is communications.  Always let your employees know what is going on, and give them the chance to ask any questions or raise any concerns that they may have.

This will not only increase the chances of getting employee buy in, but they will also feel that they been an important part of the process as well, which in turn should increase employee morale and levels of productivity. 

I think Microsoft is also trying to come up with a way of making Zero Trust a two-way street:  Whatever happens On Prem will also by synched up into the Azure Cloud, especially if the Hybrid deployment is being used.

It is also important to keep in mind that the Zero Trust Framework Is not a tool, but rather it is a methodology.  There is no one size fits all strategy here, you have to customize it to meet your security demands and requirements.  It’s about using existing tools and technologies, then procuring newer ones!!!

With 80 million password hacks occurring on a daily basis, the Zero Trust Framework is here to stay, for a very, very long time.

One Key Trait That Molds A Successful Cyber Employee: No Certs Or Degrees Needed

 

I’ve got to tell you one thing.  Despite the COVID-19 pandemic and the recent surges in the level of inflation, one would think that the American economy would literally have to pot by now.  But it hasn’t.  It seems like we keep on marching right along, with great jobs numbers and lower unemployment claims week after week.  True, there have been some ups and downs, but the overall trend appears to be solid. 

I wish I could say the same about the Cybersecurity Industry.  There are sill tons of jobs to be filled, and despite the demand for workers, nobody can seem to fill this gap.  It should be easy, right, with something that is so red hot?  But unfortunately, it is not.  There are reasons for this, but what people are now starting to realize is that hiring managers in Cyber are being just too damned picky.

For example, a candidate has to have X number of years in this and that, they have to have a college degree, but worst of all, they have to have all of these certs, which really make no sense to me.  To a certain degree, I can see the value of a cert or even certs in Cyber.  After all, once you have found an area in Cyber that you want to focus on, there is nothing wrong thinking about getting a cert to help you advance in your career.

But unfortunately, many people that I know of in Cyber love to show off with all of their arrogance their certs.  Heck, there is one person I know who has more certs that could fill the entire alphabet 3x time over. True, it looks quite impressive at first glance, but after a while, it fades away.  In the end, you even start saying to yourself “Who really cares?”  In all honesty, I have tried to go on for some key certs.

I remember back in the day of the .com craze, the MCSE from Microsoft was the craze.  It literally became the gold bar standard for the world of IT.  But what has happened to it now?  It has faded in the dust.  But I did try to take the exam, only failing the first one miserably (and there were 7 of them in total you had to take in order to get the full cert). 

Then came along the CISSP, which is now the gold standard for the Cyber world.  I never really took the exam, but I took some of the practice exams, and never did well in them either.  From what I hear, it is about as bad as taking the bar exam.  So, I gave up the idea of getting a cert in Cyber until I decided to take the Security+ cert.  I started studying with my full heart, and eve did fairly decent on the practice exams. 

But just a couple of weeks ago, I found out that the ISC2 is offering an entry level in Cyber, which is called the “Certificate in Cybersecurity”.  So, I now have shifted direction for the last time, and have even signed up to take the cert exam.  But I go in knowing the fact that this is merely an entry level cert, it will not have the glamor that the CISSP has.  But that’s fine by me.

I am only taking it as a point of validation for others who see my credentials.  Yes, I have written a ton of books, eBooks, whitepapers, articles, blogs, etc. on Cyber, but this cert will at least be some yardstick to show to others that yes, I do know to varying degrees what I am talking about. 

And that is how hiring managers and even candidates should view a cert. It is by no means and end all nor should be a break all.  A cert is just that:  It is a benchmark that will separate your from others in pool of candidates.

In other words, it will help you to get that interview, but not necessarily that job.  How you do in the interview will of course be the ultimate determinant in that.  Now comes another important point:  Should hire somebody based upon the fact that they have a college degree or even an advanced degree in Cyber?  The bottom-line answer is no.  It’s just like getting a cert.  Having a college or advanced degree shows that you have been dedicated to reach a certain educational level, but it does not mean that that person will make a great Cyber employee either. 

Because of this, there are now cries in the Cyber industry that hiring managers should drop the college requirement also.  But to be honest,  I am mixed on this one.  I think at minimum, a candidate should have an associates degree.  This will show some degree of trainability, which will be very important should this person be hired.

Third, there are also cries in the Cyber industry that hiring managers should stop the cookie cutter approach to hiring a manager. I can vouch for this myself.  I have applied to numerous tech writing jobs in the past, and in fact, it was down to two candidates, me and the other person.  But the other person got the job instead, because either they were more skilled in one writing technology, or they had a little bit more experience.

I thought that this was totally ridiculous, I mean if a person has been writing for 14+ years, that experience should count.  I mean if you know how to write and know an industry quite well, those skills for the most part, should be transferable. 

This the same for the Cyber industry.  So what if a person does not Pen Testing experience?  If they know a programming language like Python, and seem to be analytical in their approach, they should be given a chance.

What I am trying to get at is look outside of the world of Cyber.  In fact, why not have a job posting that lists no specific requirements, and from there, see the candidate pool you get.  You will probably get responses from different majors, but that is actually great. 

Keep in mind that one does not have to have a STEM degree to have an analytical mind.  Even a liberal arts major can bring that to the table, with all of the reading and writing that they have to do.

My Thoughts On This:

The Cyber worker shortage is only going to get worse before it gets any better.  It’s all going to become dependent on the hiring managers.  As I have mentioned, there are a great pool of candidates out there . . you just need to look beyond that JD and see for yourself. 

But there is one trait that will be common amongst all Cyber workers, and this should be the number one qualification that you should be on the lookout for:  self-motivation and persistence.

The Cyber Future of Critical Infrastructure In 2023

 

Introduction

Our Critical Infrastructure is of at grave risk today.  But instead of looking at the situation right now, let’s see what the future could hold in 2023.

What The Future Holds

Cyberattacks on Critical Infrastructure are occurring at a more rapid rate now, and it has garnered the attention of the industry.  However, it still has not fully captured the sense of urgency yet in that something needs to be done to fortify these structures further.  What is anticipated for the future?  Here is a glimpse:

1)     Segmentation could occur:

In the digital world, this one of the big buzzwords that are being floated around right now.  At present, most businesses typically have just one defense line that separates the threats from the external environment into the internal environment.  This is very often referred to as “Perimeter Security.”  But the fundamental flaw (and a very serious one) is that once the Cyberattacker is able to break through this, they can pretty much move laterally and get access to anything they want to.  Thus, with the implementation of MFA and the Zero Trust Framework, there have been calls now to further divide up the IT and Network Infrastructure that exists in the internal environment into smaller chunks, and this is known as “Segmentation.”  Each segment would have its own set of defenses, and the statistical probability of a Cyberattacker breaking through all of these segments becomes lower each and every time, and as a result, they give up in frustration.  It is hoped that this same line of thinking can also be applied to Critical Infrastructure as well. However, the main problem is that they all consist of legacy computer systems, which may or may not support the Segmentation efforts.  Even if they do, there is no guarantee that it will be sustainable for the long term.

2)     The Internet of Things:

Right now, this phenomenon has been further catapulted by the rise of the Remote Workforce, where pretty much everything has gone digital.  This is the notion where all of the objects that we interact with within both virtual and physical worlds are interconnected with another.  There is a great interest, and even efforts are currently being undertaken to bring the world of the IoT into Critical Infrastructure.  This now becomes known as the “Industrial Internet of Things,” or “IIoT” for short.  But it is expected that this trend will quickly dissipate into the future as more Cybersecurity attacks are launched against Critical Infrastructure.  The reason for this is simple:  With an IIoT in place, the attack surface becomes much more significant, and the number of backdoors that the Cyberattacker can penetrate into is now greatly multiplied. 

3)     The financial damage will escalate:

As more threat vectors are launched, they will obviously become more sophisticated and covert in nature.  Given this, the financial toll that it will take on Critical Infrastructure that are impacted is expected to reach well over the multimillion-dollar mark.  Also, is it anticipated that the downtime period to recover from future attacks will be a lot longer than what it is at present, thus adding more to the financial toll.  With the convergence currently taking place within the IT and the Operational Technology (OT) realms, the Cyberattacker will quickly gain access to either the ICS or SCADA systems via any vulnerabilities gaps that persist in the network of the Critical Infrastructure.

4)     A closer collaboration with Cybersecurity:

It is also expected that the Critical Infrastructure leaders will start to work closely with the Cybersecurity Industry.  Not only will there be attempts made to try to add on security tools/technologies that can interoperate with the legacy ones, but there will be even a greater effort to share threat intelligence information/data on a real-time basis so the IT Security teams of Critical Infrastructure can be much better prepared to handle any threat vectors that are looming on the horizon.  This new movement has been termed the era of “Shared Responsibility appropriately.” 

5)     A greater need for Cybersecurity Insurance:

Essentially, by purchasing this kind of policy, a company, in theory, can be protected by financial losses if a Cyberattack impacts them.  But the reality holds different in the sense that there is still a lot of confusion out there as to what will technically be covered.  So while a company may think they have full coverage, the chances are still there that they will not get a 100% payout.  But despite this, the Critical Infrastructure is starting to understand the need for some sort of financial protection in case they are breached.  Thus, there will be a great increase in demand for Cybersecurity Insurance Policies in the coming years in order to recoup any financial damages incurred by attacks on legacy systems.

6)     Migration to the Cloud:

At present, there is a lot of efforts now to move On-Premises solutions to a Cloud-based platform, such as that of AWS or Microsoft Azure.  While there could be some success with this as it relates to Critical Infrastructure, there is also the realization that a pure 100% migration will probably not happen.  The primary reason for this is that, once again, most of the developed technologies for Critical Infrastructure were developed back in the ’70s and the ’80s.  Thus, trying to put all of this into something as advanced as the Cloud probably will not be able to occur.

Conclusions

It is important to keep in mind that Cyberattacks do not just happen to digital assets.  This is where the current mindset is at with Corporate America, and this drastically needs to change.  For example, there are physical assets as well, namely that of the Critical Infrastructure. 

As we have seen with the last attack (in which the perpetrator actually tried to poison the water supply), this area of industry is at grave risk.  An equal amount, if not greater, attention needs to be spent in this area as well in order to come up with ways to mitigate further its risk of being impacted by a security breach.

The downtime suffered here will be a lot longer and even more devastating than what has been witnessed with security breaches that have transpired in the digital world.

Sources

1)     https://iiot-world.com/ics-security/cybersecurity/six-cybersecurity-predictions-for-critical-infrastructure-and-the-iiot-in-2019/

Cyber Security Hack: What Business Leaders Need to Be Aware Of

 

Hello Everybody,

As we soon come close to Q4 of this year, budgets are on the mind across Corporate America, when it comes to planning to 2023.  IT is sure to get the microscope as it always does, especially when it comes to Cybersecurity.  But because the threat landscape is the deadliest it has ever been, the C-Suite and the Board of Directors are opening up their purse more so in this regard.

But rather than giving the CISO a blank check, they are keeping a close eye on how every dollar is spent, especially with the fears of inflation still creeping out there.  Therefore, you need to find an MSP that serve not just all of your IT needs, but even your Cyber ones as well.  You simply do not want one that is all over the place, it is much better that you find one that fits your industry the best, as they will have a better understanding of your situation, and how to make it better.

In this regard, we have the honor privilege of interviewing Adam Pittman, the President of Computerbilities.  They focus upon the manufacturing and construction industries.  Listen in to today’s podcast, see how Adam’s expertise can help you out today.

You can download the podcast as this link:

https://www.podbean.com/site/EpisodeDownload/PB12C646DJWIA7

3 Top Warning Signs Of Employee Fraud - A Must Read

 

Whenever an employee is hired, an employer would always like to think that he or she would be with them for a long time.  This may have been the trend back when my parents were growing up, but this is certainly not the case anymore. 

Given the digital age that we live and the Remote Workforce that we have now, people are now leaving jobs at rates never seen before in search of other ones, or even perhaps to become a gig worker.  Even despite COVID-19 still lingering on, and the persistent inflation that we are still having, the job market is still very robust.

In fact, you probably have even heard of this era known as the “Great Resignation”.  But whatever it is, the fact is that we are living in unprecedented times.  But, as employees come and go, there is a new Cybersecurity risk that is starting to emerge into the mainstream now:  Employee fraud. 

Whenever we think of this term, we often think of ID Theft, or somebody stealing our credit number.  While these are true cases of it, employee fraud occurs when an ex-employee tries to steal something of value from their previous employer.

For example, it could be a piece of intellectual property, or even names and other types of contact info from customers (especially if this ex-employee wants to start their own business).  And in fact according to a recent report from Microsoft, more than 40% of the current employees are considering leaving their position. 

This only increases the chance of fraud from increasing even more.  More details about this report can be found here at this link:

https://www.microsoft.com/en-us/worklab/work-trend-index/hybrid-work?OCID=AID2101651_SEM_ConnexityCSE&szredirectid=16250758885630100478810070302008005

According to the Cressey Fraud Triangle, there are three key reasons why an employee would engage in committing an act of fraud:

1)     Financial Pressure:

The employee may have all of a sudden been hit with a huge crisis, such as a medical one, and the costs are just too staggering for them to deal with.

2)     There is an opportunity to do it:

Because of the lack of controls, or even a vulnerability, there also exists a chance where an employee could heist something without any ever noticing it.

3)     The act of rationalization:

Somehow, the employee has decided in their own mind that it is OK to commit an act of fraud for personal gains.

More information about the Fraud Triangle can be seen here at this link:

https://www.researchgate.net/figure/Figur-5-The-Fraud-Triangle-Bolton-2015-Stuart-2011_fig4_319872767

What is interesting about this triangle is that usually takes just one factor or even a combination of them for the employee to commit the illegal act.  But apart from these three motivating factors, there are also other three telltale signs that an act of fraud could be occurring or there is the potential of it in actually happening:

1)     The employee is spending too much:

This simply means that the employee is spending far more than they are earning.  Usually the excess buying is triggered to make the person “feel good” that they have something they think that they have wanted, but they really don’t need it.

2)     Money shortages:

As mentioned earlier in this blog, the employee could have been hit with a huge, unexpected expense.

3)     Different kinds of relationships:

By this, I mean that the employee is starting to develop unusually strong ties to their clients and/or third-party vendors.  If this is happening, this typically means that they are wanting to start their own business, and are looking at getting some customers to transition to their new gig.

More information about other telltale signs can be downloaded at this link:

https://www.acfe.com/fraud-resources/global-fraud-survey

My Thoughts On This:

At the end of the day, there is only so much that you, the employer can do, to help mitigate the risk of employee fraud occurring at your business.  But here are some actionable tips that you can take:

*Always maintain an open-door policy.  As far as possible, if an employee is having a problem with something, take the time and listen to them, like a good friend would.  In these cases, they are often not seeking advice, they just want somebody to listen to them. 

But if they need advice, you should also refer them to the HR department, who can take further steps to help the employee resolve the issue.

*Always try to maintain a casual work environment:  By this, I mean do not micromanage.  Let your employees flourish and contribute to the bottom line of your company.  A big part here is the new kind fo work environment that we are now in. 

If an employee wants to work remotely, let them, as long as they are getting the job done, and also offer them flex hours as well so that they can also meet the needs of their family as well. But also make sure you can contact them if the need arises.

*Always be encouraging:  Right now, we are living through some difficult times.  Heck, we made it through COVID-19, so we will make it through this year as well. If your employee wants to explore other areas of your company to work, give them that opportunity.  To the best of your ability, try to always be supportive.

Now that we have looked at some of the psychological routes that you the business owner can take, let is look at some of the technical ones:

*Always maintain a tight set of controls:  This is of course easier said than done, depending upon how large your business is.  Btu when it comes to the financials, you have to be very watchful here, especially over your bank accounts, and any company credit cards that you may issue to your you employee.  As soon as your employee leaves for whatever reason, make sure that you cut off ties to these financial assets. 

*Disable or delete accounts:  Once an employee is gone, you should either disable or get rid of their accounts all together, especially if they are privileged ones. Many times IT Security teams forget to do this, and thus, the ex-employee now has a huge backdoor to get into.  There are also tools out there that will do this automatically for you, you will just have to configure them properly.

*Maintain a real time fraud alert hotline:  By having this, your other employees can report in an anonymous fashion any suspicious behavior they see.  In fact, In fact, is has been discovered that 42% of all employee fraud cases have been stopped because of an anonymous tip, and 55% all fraud cases have been reported by employees.

In the end, there is only so much you can do to mitigate the risk of employee fraud from happening at your place of business.  All you can do is take proactive steps, and let your employees be your eyes and ears for any suspicious activity that could be happening.

Breaking Down The Complexities Of Maritime Cybersecurity

 

Tomorrow marks a very sad day in our nation’s history . . . 9/11.  I will never forget what I was doing that day, or how I even heard about the first attack coming in.  I will just leave it at that.  May our Lord and Savior continue to bless all of the victims of that horrible day, and let any healings continue. 

Since then, security has always been a hot button topic for American citizens and our own government.  But back then, it was all about physical security, Cyber was still barely even thought of.

Airports and airlines went on a huge lockdown like never seen before, and still even continue to do this day, to varying degrees or another. But to be honest, every point of entry and exit into the United States is at risk. 

This not only includes the roadway point at the borders in Canada and Mexico, but even our maritime ports as well.  While increased traffic means that there is more international trade going on, it also poses not only the physical but even Cybersecurity risks as well. 

Just consider some of the stats:

*Maritime trade increased by over 22% since COVID-19 hit;

*The stopping period for the large cargo ships has now become almost 32 hours versus the 28 hours it once was back in 2020. 

It is this longer dwell time that is starting to raise concern here in the Cyber community.  But Cybersecurity around these ports is a very complex issue because there are so many factors surrounding it.  Consider the following:

*Physical security is still a risk – for examples, stowaways are still a huge problem, especially from those ships coming in from China and regions there;

*Many ships come from other countries – thus they are using outdated technologies that cannot be updated with the more recent software patches and upgrades;

*Many maritime ports both here in the United States and abroad are still using outdated Critical Infrastructure equipment.  Because there is so much interdependency here that you simply cannot rip out old systems and put new ones in.  It’s almost like other pieces of Critical Infrastructure that we have on land.

*It takes a lot to get a cargo ship from its point of origination to its point of point of destination.  There are many parties involved, and all of them have to be held accountable and aware for what is going on.  The captain of the ship is just one part of a huge cog.

But unfortunately, there is really nothing that can be done to fix all of these vulnerabilities in a short period of time.  All of the parties involved in maritime affairs have to agree with what has to get done.  Some examples of Cyber threats include the following:

*Out of life Operating Systems, like Windows 7 or Windows 8;

*Software packages that have not been updated in a long period of time;

*No antivirus protection that is being used;

*Open ports on the ship’s computer network;

 

*The lack of 2FA or MFA protocols;

*Staff that is not trained in what Cyber Hygiene is all about.

What is even more startling is that Cyberthreats to maritime have increased well over 400% on a global basis.  According to Cyber experts that specialize in this area, a contributing factor to this huge increase is due to the Industrial Internet of Things, also known as the “IIoT”.

This is where all of the objects that we interact with both in the virtual and physical worlds are all interconnected together.  While this can be advantageous, it poses grave threats as well, because these connections are often not secure themselves.

So if point is hit, this will lead to an overall cascading effect, very much in the same fashion that a supply chain attack would (such as the Solar Winds one).  Making things worse, before a ship can dock here in the United States, the captain of the maritime vessel must fill out an extensive amount of paperwork before they are allowed to dock.

Very often, this can be well over 40 pages long, thus adding more aggravation when trying to get cargo off on time.

These must be sent to the maritime point of destination and approved before the cargo ship is allowed to even dock.  So in this regard, email or file transfer protocol has to be used, but then even there are risks, such as hijacking of the FTP Server, or making the documents part of a large-scale Phishing attack.

These both could be easy to do, especially if there is a mismatch between the cargo ship’s technology and the maritime port.  As a result, there will be many  backdoors for which the Cyberattacker can easily penetrate into.

My Thoughts On This:

As it was examined earlier in this blog, there are simply too many entities and moving parts which are far too outdated in which a fast solution can be found.  If anything, it can take just as long or even longer than the airline industry to come to grips with what is happening in maritime security.  Security at the airports is far better now since 9/11, but it took how long? 10 years? 15 years?

To solve the issue of maritime Cybersecurity means that we have to take a step back, and look at the entire picture from a holistic sense.  In this regard, perhaps probably the best way to get started is from the cargo ship itself. 

Before they are allowed to dock,  the captain of the ship should run through a checklist of what has or what hasn’t been done from a Cyber point of view, and transmitted to the officials at the point of destination.

Then from there, based upon the results of the checklist, the port authority should then decide whether to allow the ship to dock or back to its homeport.  But of course, this checklist can be forged as well.  In order to stop this from happening, the United States Federal Government needs to hire the total number of Border Control Agents.  And, just as much as they check for dangerous cargo, they should also be able to conduct risk assessment on the ship’s IT and Network infrastructure as well.

How To Show Your Cyber Employees That You Value Them: 3 - Point Checklist

 

Well, Happy Labor Day everybody!!  Hopefully your taking the day off, and enjoying the time with family and friends.  As we are getting close to the last quarter of the year, there is one topic I don’t think I have covered:  And that is the Secure Operations Center, or SOC. 

As I mentioned in yesterday’s blog, this is where an MSP or even an MSSP has individuals from their IT Security team closely watch the IT and Network infrastructures of their clients.  Yea, in some ways it’s like going into the flight deck of a Boeing 787, with all of the modern computers and screens that are present.

But that is just the image which is portrayed.  I have a few friends that are MSPs also, and they even have their own SOC, but maybe not so modern.  Also as mentioned, one even has it a in a shared office space.  But wherever it is located, one thing is for sure:  It is a secure environment, and the people that are hired to watch those screens have their full client’s trust in their hands.

In a way, it’s like air traffic control, btu rather than guide airplanes, in and out of the runways, you are watching the flow of data packets, and keeping track of any abnormal activity that could be present.  But since really nobody talks about the people that work in the SOC, nobody really understands the pressure that they are under. 

All we keep hearing about is the burnout rate from other members of the IT Security team and the CISOs.

But in fact, the burnout rate starts from the SOC itself.  According to a recent study conducted last year, more than 1,000+ SOC workers complained about burnout, high levels of stress, alert fatigue, and just the sheer amount of the information and data that needs to be processed. 

Yes, there are automation tools that can help a lot with this, but in the end, it still takes a human eye and judgment to make the final call.  More information about this study can be seen at this link:

https://www.devo.com/resources/2021-devo-soc-performance-report/

So what can be done to help improve the employee morale at your SOC?  Here are some tips you can deploy:

1)     People always want to know how they are doing:

Whether it is in a job situation or you are an entrepreneur (like me), you always want feedback.  You always want to know if you are meeting or surpassing expectations, and what you can do better.  As a leader or a manager, always be proactive about this. Also equally important is to spontaneous about the feedback you are giving.  Whenever a manager scheduled a specific meeting time, I dreaded that, because it just instilled mor fear into me.  Don’t do things that way.  If have a few minutes, pull your employee aside for a minute and tell them how things are going.  Tell them what they are doing well at, but equally if not more important, tell them the areas in which they need some improvement in.  But consider this as constructive criticism.  Don’t take a printed rating scale and evaluate that way.  Keep it informal, relaxed and friendly.  Also from time to time, take your employees out to coffee or even lunch to keep the evaluation environments changed up.

2)     Consider job rotation:

This is probably even more important now than ever before, especially in Cybersecurity.  For example, once some of the employees on your SOC team have worked consistently for about a month, pull one or two out for abut a week, and have them work in other areas within the other areas of the IT Security team.  This serves some key advantages.  First, your SOC employees will get away from being isolated in a locked room, and they will learn how to cultivate relationships with other members.  Second, they will get a much better insight into the various processes that go into keeping tabs on the Cyber threat landscape.  Third, if somebody from your SOC team calls in sick one day, you can bring in one of your other employees that have been cross trained in SOC operations to fill the gap for as long as needed.  So, here is an idea:  Why not first start this job rotation model with your Threat Hunter and/or Modeler?  After all, they are hired to predict what the future looks like, so why not give them an idea of what the present looks like?  That might even fine tune their thinking processes also.

3)     Work outside of the company:

Whenever the time permit, have your SOC team work outside of the business. For example, perhaps arrange it so that they can lead a Cyber boot camp for kids and teens to spur further interest in Cyber.  Or perhaps encourage them, if they have time, to teach Cyber at a local junior college.  Also, have them work inside other departments of the company as well.  This will give them the chance to see what other employees are doing, and especially what their Cyber concerns are as well.  This not only further shows to the SOC team the importance of their work, but it also fosters teamwork across the entire organization.  But most importantly, it will help to get rid of that siloed work environment!!!

My Thoughts On This:

Well, there you have it, 3 quick tips that you can almost deploy starting even tomorrow.  But just a few key points to remember.  First, always treat your SOC employees with the utmost respect.  At the end of the day, they are human beings also, just like you and I, and they are no different. 

If you have an issue with employee, just don’t yell at them in front of everybody else, as it will accomplish nothing.  Instead, have a private conversation with them, and tell them what is going on, using a constructive criticism approach.

From time to time, keep reminding your employees how important they are, without blowing up their egos out of proportion.  In this regard, taking them out to dinner or lunch every once in a while, or even a simple gift card will suffice.  Or for that matter, even a simple pat on the back will go a long way.

Finally as an SOC manager, don’t think it is your way or the highway.  You too are also an employee in the company, and you have others you need to report to.  So in this regard, have an open-door policy.  Let your employees tell you how you are doing, and how the whole environment is.  Try to take their feedback, and implement it.

This simply shows that you value their input also, and will only result in a much stronger, more unified SOC team.

The 3 Golden Keys To A Successful Threat Hunt

 

Back in the days of the Cold War, and I believe that it is the case now, the military doctrine of the United States has always been to take a defensive role.  Meaning, it will never invade another country unless US interests are at stake, or American lives are in danger. 

This is the same with the nuclear weapons. Back then, we would not have fired off a volley of Minuteman and Trident missiles unless the Russians have launched first.  This same line of thinking has also taken fruition in the world of Cybersecurity. 

Many companies are taking a defensive posture, which is a good thing.  This simply means that they have a line of defense that is circling their business, and if they are hit by a Cyberattacker, well there is some defense that will last for a little while.  In fact, this line of posturing has probably led to Corporate America into its current way of thinking: “Well, if I have never been hit before, I probably will never be”.

Unfortunately, this is far from the truth.  Those companies that say very same thing are the ones that are going to be hit next.  They are simply admitting that they have just the bare minimal up to protect themselves, and letting the Cyberattacker aware of that. 

As I have written about many times before, we have to take a proactive Cyber stance, especially with the dynamics that we are dealing with in the world today.

Taking a proactive stance does not mean you have to invest in every bit of the latest security technology that is out there, but that you simply take much more of the common sense steps to maintain a good level of Cyber Hygiene at the place of your business. 

Taking this kind of mindset does not happen over time, it can take a very long time and is often led from the top down to the very bottom.  In the end, it takes both the human and technological factors to make this into a reality.

So speaking of which, the human factor . . . this is the Threat Hunter.  Essentially, these are the groups of individuals that take all of the intel and information and data that they can get their hands on, and from there, formulate predictions as to what the future threat landscape could potentially look like.  More specifically, they have three tasks in mind that they have to accomplish:

*Identifying the various patterns of unusual behavior;

*Hunt down any threat variants that matches the criteria for the above;

*Help the IT Security team build up the arsenal to fend those threats off. 

It is important to note that with the last bullet, once again, I does not  that the vCISO or CISO has open budget and can but will nilly.  Rather, the existing security tools that are in place can be used even further, assuming that they are placed strategically.

So, this is where having a great Threat Hunter comes into play.  It takes a person with a combination of the following skills:

*Great analytical mind;

*The ability to communicate effectively.

To be honest, the first characteristic is more of a subjective one.   You do not have to hire a PhD rocket scientist, but you do need to find somebody that is very keen of the environment around them, is very observant, and take a macro view of the world and break down into its individual components.  And perhaps even more so that the first trait, you want somebody who is not afraid to communicate with the others in the IT Security team to let their insights be known. 

But most importantly, the vCISO or the CISO also needs to take the time to listen to their Threat Hunting team.  In short, it is not easy to find this kind of person, and it can take quite a bit of recruiting . . . after all, you want somebody that you can trust as well.  In some ways, it is even more complex than becoming a forensics investigator. 

Now since these are highly valued individuals to have on your team, unfortunately, Corporate America has been very slow in welcoming them on board.   Probably the reason for this is that Threat Hunters are often viewed as living in their own worlds, working in a dark room and wearing that infamous hoodie. 

While they may be introverts by nature, there is nothing wrong with that.  You don’t have to go out with them every night and go drinking, but the IT Security team must embrace them enough so that they feel part of the team.

Also, the notion of Threat Hunters and Threat Hunting is still new to many companies.  The world of Cybersecurity is still filled with images of Pen Testers, people sitting in large SOCs with 12 computer screens in front of them, and global espionage. 

Well, it is now time to get rid of those thoughts and fill them with how great you make your IT Security team, by adding in a few Threat Hunters as well.  To eb brutally honest, one of my clients does have a SOC.  But they only have three people on the team, located in a shared office space.

Also, there is this myth now that with the emergence fo AI and ML, that can take over the role of Threat Hunting.  While it is true that they can make great assets when it comes to automation, you still need the human touch in order to draw the final conclusions. Also keep in mind with these tools, it is merely “garbage in and garbage out”. 

What you get out is only as good as what you put into the system.  This is where data optimization comes into play, and this is where the human factor comes into play.

My Thoughts On This:

Remember that in the end, successful Threat Hunting must have an objective, and an end goal.  You simply cannot tell your Threat Hunters to just go at it.  If you are just starting out with a new team of Threat Hunters, try this simple model first:

*Crete a hypothesis as to how a Cyberattacker can break into your lines of defense, based on what has happened in the past;

*Establish the goal the goal to be accomplished (such as how to remediate the first step);

*Run any new intel/information/data through your automated tools to see if both the objectives and the end goals of have been met.

There will be times where these two do not mesh, and there will also be times where your expectations have been far surpassed.  But to the Threat Hunter, always be open and honest to the IT Security team as to what is working and what is not.  As much as you want to be a part of their word, they need to be a part of yours as well.