Sunday, October 30, 2022

4 Hidden Cyber Threats That Nobody Cares About

In the world of Cybersecurity, there is one thing that I have noticed:  There are a lot of vendors, MSPs, MSSPs, and whoever else, who live to cite numbers in order to put a fear factor into the eyes of their customers and prospects.  The ultimate goal of this is to make them more prone to purchase their products and services.  In the end, nobody really questions where a given statistic came from; it sounds impressive enough.

This can even be extended to the various technojargons that are thrown out there, and the two that drive me the craziest are “Risk” and “AI”.  Every Cyber vendor on this planet talks about these two things, but nobody defines what it really means to the products and services that they are trying to sell to you.  The latter is the worst.  Vendors keep pumping that their solutions have AI in them, but what kind of AI is being used?  How is it helping to protect the customer?  These are key questions to be asked, but yet nobody asks them.

When I write a blog and cite any kind of number or stat, I try to provide the source and the link from where it came.  But I feel that I need to perhaps put scarier stats into mine, in an effort to educate you more about the realities of just how dangerous Cyber threats can be.  Important note here:

The numbers and stats presented in this blog come from here, at least initially:

https://www.darkreading.com/vulnerabilities-threats/cybersecurity-risks-and-stats-this-spooky-season

Here we go:

1)     Ransomware is coming back, yet once again:

Although this threat vector is never going to go away per se, 2022 was actually a relatively quiet year when compared to 2021, when all hell broke loose.  One of the most notorious hacking groups in this regard is known as “REvil”.  It led the infamous supply chain attack on Kaseya, which impacted well over 1,500 organizations on a global basis.  After this heist, the Ransomware group disappeared, but it recently announced that it is going to make a comeback, on a scale that has never been seen before.

2)     The Emergence of the Remote Workforce:

Ok, this is a subject that has been beaten to death ever since the COVID-19 pandemic hit.  While the concept of working remotely is really nothing new, COVID-19 made the unthinkable a reality.  For example, the notion of the Metaverse, Web 3.0, and a 99% Remote Workforce were things that everybody thought would happen in the middle of this decade.  But it is happening RIGHT NOW.  Nobody was really ever ready to have everybody WFH.  Of course, there were a ton of problems, one of the biggest being the meshing of home networks with business networks, leaving a lot of exposure for the Cyberattacker to penetrate into.  Although it seems (IMHO) that most of these problems have been resolved, some 66% of CISOs polled claim that new problems are always cropping up, and that this cycle will never seem to end.  Plus, the IoT has not helped the situation much either.  If people are WFH, why not make it more comfy by connecting everything together?

3)     The internal threat is going to rise:

This is something to really worry about.  We are all so worried about the threats that are inbound from the external environment that we are quickly failing to pay attention to the internal threats.  By this, I mean the possibilities of Insider Attacks.  We would like to think that all of our employees are honest and good; after all, they probably passed a pretty exhaustive check, right?  Well, keep in mind that background checks are just a “double check” on an employee at one point in time.  There could always be a rogue employee in your company, or the beginnings of one starting up.  Unfortunately, these kinds of potential security breaches are very difficult to find and confirm, and in fact, 84% of CISOs polled claimed that this is going to be a top concern going into 2023 (but why isn’t it now – what’s the point of waiting until the start of next year???).

4)     The shutdown of Critical Infrastructure:

This kind of attack has always been there, with the most notable one being the Colonial Pipeline attack.  The fear so far is that with the war in Ukraine still going on, we could see a barrage of attacks that will lead to the ultimate shutdown of our Critical Infrastructure here in the United States.  Luckily nothing has happened yet, but this could be a real problem even going into next year.  My fear is that multiple US cities could be hit in a simultaneous attack.  The effects here will be like a nuclear war, but without the radiation being present.

My Thoughts On This:

Well, here you have it, some Cyberattacks with their threat variants backed up with some sort of stat just to prove how dangerous the situation has become.  Who knows when and if they will happen at all, but if they do, I sure hope that we can recover fairly quickly, as the effects will be nuclear-like.

 

Saturday, October 29, 2022

Why You Need The Best Of Both Worlds: Physical & Cyber Security

 

When one mentions Cybersecurity, the images of a hacker wearing a hoodie sitting in a dark room in front of a computer, or of a large server room, very often come to mind.  While it is true that protection of digital assets is of prime interest here, Cybersecurity also encompasses other areas, including the human element (protecting against Social Engineering) and even Physical Security.

The latter typically encompasses all of the brick-and-mortar space that a business may occupy.  It also includes the inside offices, too.  Depending upon what industry the business is in, security may be lax or it might be very tight.

For instance, if it is a law firm, it may not be so tight at the primary means of entrance, but the inside offices will probably be much tighter, such as using a smart card or a key fob system of sorts.

On the other hand, a nuclear facility or even a Critical Infrastructure will have much tighter Physical Security.  But whatever the situation might be, there tends to be, at least in Corporate America, much more of a focus on the digital asset side of Cyber rather than including the physical side.  Why is this the case, you may be asking?  Well, here are some key reasons:

1)     Not understanding the importance of it:

Imagine a retail store that has a brick-and-mortar presence in different cities and also has a huge online presence, from which it derives most of its revenue.  Of course, the business owners are going to pay very close attention to the security layers that are baked into their online store.  This would include making sure that the source code is as secure as possible, and that all security certificates are installed and updated when the time comes to do so.  Because of this, there will be a lot less attention paid to the physical security of the store.  True, there will be the usual alarms and CCTV cameras in place, but will that be enough?  What I am trying to get at is that the thinking of business owners here is that the Cyberattacker will be far more attracted to the digital aspects than to the physical aspects.  But in today’s times, this is far from the truth.  The Cyberattacker knows this fact, and is now targeting the physical aspects of security, using the principles of Social Engineering in order to con employees into giving out confidential information.  Also, keep in mind that Physical Security is subject to the data privacy laws as well, and you have to be just as compliant here as you would be with the digital side.

2)     Misunderstanding of linkages:

If a company is very large, like Walmart, then there will be some lines separating the actual E-Commerce front from the physical stores, as order fulfillment will occur at the warehouse level, not at the store level.  But if you are a small business owner like me, then the lines will be one and the same.  I have an E-Commerce store in which I sell my eBooks and newsletters.  Any impact here will be felt on the business overall, because my brand will have been totally ruined.  The bottom line is that no matter how large or small your business might be, there will always be a direct linkage, or connection, between your online presence and your physical presence.  You need to pay attention to both, and have the right controls in place.  And as my illustration shows, an impact in one area will have an impact on the other.  It’s like a weighing scale that you need to carefully balance.

3)     The IoT:

This is an acronym that stands for the “Internet of Things”.  Loosely defined, it is where all of the objects that we interact with are connected together in both the virtual and physical worlds.  Probably the best examples of this are Siri and Cortana.  Here, we are using our wireless device to interact with a personal assistant that exists in the virtual world.  While this is certainly advantageous, it has many security weaknesses as well.  For instance, the network lines of communication are not secure by any means.  All of the information that is transmitted is available in cleartext.  So if any information and data is intercepted by a malicious third party, a lot of damage can be done.  A good example of this is an employee using a scanner to order new stock.  Anybody with a network sniffer hidden in their pocket can intercept the data packets that are being sent back and forth, and reassemble them later.  This can give valuable insights into the warehouse that is storing these products, and where the security issues and weaknesses may reside.  The moral of the story is to make sure that your lines of communication are encrypted, just as you would for your online presence.

4)     Giving great customer service:

In the retail sector, the tendency is always to try to bend over backwards to help your customer out, no matter what the cost might be in the end.  We are motivated to do this in anticipation of getting a nice compliment or even a raise.  But be careful here.  A good example of this is a customer walking in and asking you to help them reset their password on their portal at your online store.  But once again, be careful here.  This could be a ploy so that you access the databases at the corporate level to reset it.  A cunning Cyberattacker will always be looking over your shoulder to see what steps you are taking.  This is technically known as “Shadow IT Management”.  In this case, you should always tell your customer that while you do want to help them out, their best bet is to call tech support to have the password reset.

My Thoughts On This:

As we fast approach 2023, I believe that attacks on physical structures (and not just Critical Infrastructure) will take prevalence.  The reason for this, which has been the theme of this blog, is that because we have paid so much attention to the protection of digital assets, we have totally neglected the protection of our physical ones.

The Cyberattacker is well aware of this, and this will now become their prime target because of the sheer ease of penetration into it.

 

 

Sunday, October 23, 2022

What Is Of Importance To The Cyberattacker When Hijacking Passwords

Ah yes, the password. I have written about this nemesis of ours on who knows how many occasions. But no need to rehash the past. Instead, this morning as I was perusing the news headlines for what to write about, I came across an article that does not dwell too much on the mistakes that people make when creating or resetting passwords, but rather discusses what the Cyberattacker does from their standpoint when they want to hack into something.

Apparently, some time ago, a listing of passwords was leaked out to the public. But this is not any ordinary file - it was 100Gb in size and contained well over 8.4 billion different passwords that people use on an almost daily basis. This file that was leaked to the public is known as “RockYou2021”. Through research conducted by Rapid7, the following was discovered:

*Over a year-long period, Cyberattackers used that list to try to break into various servers on a global basis.

*From this list, 512,000 variations of these passwords were created.

*The above stats prove that the Cyberattacker is taking the easy route in order to get passwords that work. For example, the days of conducting dictionary-style attacks in order to get passwords are now over. Instead, password lists are now available on the Dark Web for pennies on the dollar, and the Cyberattacker can use these instead to launch Credential Stuffing attacks. These passwords are real and valid.

The bottom line here is that the Cyberattacker is not producing anything new to get passwords. Just get them from somewhere, and off you go.

In fact, since many people around the world still reuse the same password, or produce easy-to-guess modifications of it, cracking into a database and heisting passwords only takes a very short period of time now. We are not talking about hours; we are now talking just minutes.

For example, back in 2021, a Cybersecurity researcher based in Israel claimed that he could heist network-based passwords stored in Wireless Access Points in just under a few minutes.

Part of the reason for this is that many of the end users who visited the public places where these Wireless Access Points were located simply used their smartphone numbers as their passwords, with or without the dashes. More information about these discoveries can be seen at the link below:

https://www.darkreading.com/endpoint/a-common-password-list-accounts-for-nearly-all-cyberattacks

As mentioned previously in this blog, many people do not take the time to create a strong password. They want to create easy ones to remember; the following are a few examples:

*123456

*123456789

*qwerty

This can be clearly seen in the diagram below:


(SOURCE:  https://www.darkreading.com/endpoint/a-common-password-list-accounts-for-nearly-all-cyberattacks)

It should be noted here that many scientific studies with regard to password usage have focused primarily upon the end user. This study conducted by Rapid7 (as noted in this blog) is one of the first of its kind to focus on the kinds of passwords that the Cyberattacker likes to go after and tries first.

In fact, password guessing is still one of the favored threat variants that exists today, according to another Cyber firm known as ESET.

These studies have also further indicated that the Cyberattacker is taking the path of least resistance when it comes to password cracking. But, interestingly enough, hackers are not using the entire RockYou2021 list. Instead, they are just taking a handful. Why is this the case?

It has been hypothesized by Cyber researchers that since the bulk of the passwords are the same as the ones as listed above or some easy variation of it, there is no need to use every password on that list (plus it would take a very long time to go through all of them, even if automated tools were being used). Simply put:  A small, representative sample of passwords can and does represent the entire set of them.

The Rapid 7 study also examined the kinds of passwords that the Cyberattacker uses when trying to gain access to those Privileged Accounts. Examples of these include the following:

*administrator

*user

*admin

*nproc

In other words, the Cyberattacker is following the old-fashioned concept of using “a little a lot.”  And if it is paying off, why not use this approach? There is no need to waste extra time and resources to try different, more difficult variants of the above passwords.

But now the question that comes up is: out of those 8 billion passwords, how does the Cyberattacker know which ones to pick? It all comes down to experience, being lucky, and the laws of probability that something will work.
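As an added, defender-side illustration of the points above (this is example code written for this post, not the Rapid7 study's tooling or anything from the article), the following Python checks a candidate password against a small constructed denylist standing in for a breached list, after undoing the cheap variations described here (capitalization, trailing digits or symbols bolted onto a base word, letter-for-digit substitutions), and also rejects phone-number-shaped passwords of the kind the Wireless Access Point research found. The denylist entries, the regular expressions and the 12-character minimum are my assumptions, not values from the study.

```python
import re

# Constructed stand-in for a breached-password list such as RockYou2021
# (a handful of the entries named in this post, not the real 8.4 billion-line file).
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "password",
    "administrator", "user", "admin", "nproc",
}

# Reverse the letter-for-digit/symbol swaps used to build "variations" of a base word.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s",
})

# Trailing digits/symbols such as "2021" or "!" that get appended to a base word.
TRAILING_RE = re.compile(r"[\d!@#$%^&*.?]+$")

# Assumed phone-number shape: optional country code, then 3-3-4 digits,
# with or without dashes, dots, spaces or parentheses.
PHONE_RE = re.compile(r"\+?\d{0,2}[-. ]?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}")

MIN_LENGTH = 12  # assumed policy minimum, not a value from the article


def base_forms(candidate: str) -> set[str]:
    """All the base words a candidate could have been derived from."""
    lower = candidate.lower()
    forms = {lower, lower.translate(LEET_MAP)}
    stripped = TRAILING_RE.sub("", lower)
    if stripped:  # an all-digit password strips to nothing; keep the original only
        forms.add(stripped)
        forms.add(stripped.translate(LEET_MAP))
    return forms


def is_phone_number_like(candidate: str) -> bool:
    """True when the whole password has the shape of a phone number."""
    return PHONE_RE.fullmatch(candidate.strip()) is not None


def check_password(candidate: str) -> list[str]:
    """Return the policy violations for a candidate; an empty list means accepted."""
    problems = []
    hits = base_forms(candidate) & COMMON_PASSWORDS
    if hits:
        problems.append(f"derived from breached password: {sorted(hits)[0]}")
    if is_phone_number_like(candidate):
        problems.append("looks like a phone number")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return problems


if __name__ == "__main__":
    # Constructed candidates: the first four are the kind of variation the
    # post describes; the last is a long passphrase that passes every check.
    for pw in ["123456", "Qwerty123", "P@ssw0rd2021!", "555-123-4567",
               "correct horse battery staple"]:
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
```

The check is deliberately cheap: it normalizes the candidate into the handful of base words an attacker's variant generator would have started from, then looks those up in the denylist, so "P@ssw0rd2021!" is rejected for the same reason "password" is. A production deployment would swap the constructed set for a full breached-password list (or a k-anonymity lookup against one) and keep the normalization step.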

My Thoughts On This:

So now, you may be wondering, “OK, what is the bottom line here?” The bottom line here is that you do not want anything to be hacked into, whether it is professional or personal. I am not going to say again here what you should do; a simple Google search will reveal what you need to do. You can find all those checklists there.

But what I do recommend is that you make use of a good Password Manager, or get your organization to try to use some SSO-based technology like Biometrics, where Passwords are no longer needed. That way, password security should no longer be an issue.

 


Saturday, October 22, 2022

6 Ways In Which Local Governments Are Being Proactive About Cyber vs. The Private Sector

 


One of the other things that I do other than technical writing and podcasting is that as a secondary line of business, I also sell other Cybersecurity related services. This includes everything from Pen Testing to doing Compliance Work to Threat Hunting, to even doing Vulnerability Scans.

Sometimes I have had luck with it, and sometimes not. A lot depends on the level of interest and timing. But the one common thing that I do get is pushback, and it can be hard.

For example, there is one Cyber product that I am selling, and it is very affordable for the SMB. Even despite this, many SMB owners simply say to me:  “I am not interested, because if I have not been hit before, I won’t be ever.” 

That is a rather farfetched statement to make, but it is what it is, I guess. But in sharp comparison, the good news now is that the government sector, believe it or not, is actually taking more proactive steps to protect their boundaries.

This was discovered in the recent study entitled “2022 Deloitte-NASCIO Cybersecurity Study”. What are some of the catalysts that are driving this unexpected trend? Here are some of the indicators:

1)     People are taking notice:

Believe it or not, it is your local politician that is taking note of what is unfolding in the Cyber landscape. In fact, another recent trend I have noticed is the increased number of legislative bills that are being introduced in some of the states. In fact, some 44% of the states have allocated a budget in order to have a dedicated CISO on their side. But the study did find that many of the states do not yet have an intelligence or data sharing program put into place. Hopefully, that will change when the new state CISO comes on board.

2)     The purses are opening up:

Another startling discovery: States are actually spending more money on Cybersecurity. Now, it is not a huge amount by any means, but it is certainly a good start. The bad news is that many state elected leaders still do not know where the spend is going, which is not good. But all in all, it is reported that some 30 states are letting go of being a miser when it comes to Cyber.

3)     Priorities are getting more attention:

In the past, just trying to get something out of the C-Suite in terms of financial help was the main attention getter for the state. But now that budgets are loosening a bit, the focus has shifted to combatting the actual threat variants themselves. Also, trying to replace legacy security technology and increasing Cyber staffing are now of top concern, along with securing Critical Infrastructure.

4)     Compliance kicking into gear:

When the COVID-19 pandemic first hit, many of the data privacy laws such as the GDPR, CCPA, and HIPAA were not being enforced, so that companies could conserve their cash flow to keep moving forward. But with what appears to be the end of the pandemic, the enforcement actions have kicked into high gear. Of course, nobody wants to be audited and pay huge fines, so the states are now hiring virtual-based Privacy and Data Officers to help out with any sort of compliance related issues.

5)     More collaboration:

This is one of the key areas in Cybersecurity that is still lacking. Many of the IT Security teams of today are still working in a siloed approach, but there are efforts to tear these walls down by making use of DevSecOps. In the public sector, the state level CIO does not have many contacts with other resources, such as the educational sector. Only 35% of them have any direct contact with people like professors, research institutes, etc.

6)     Cutting down the amount of time for actual hiring:

At the present time, it takes a horrendous amount of time to hire a Cyber professional for a state level job. Some of this can be attributed to conducting background checks and the overall bureaucratic nature of the process. For instance, 46% of the CISOs reported in this survey claim that it takes six months or greater to hire somebody for their staff. So many states are now hiring contractors to counter the time that it takes to hire somebody directly. In fact, there is some success with this, as the need to outsource to MSSPs has increased by 78% just this year alone.

My Thoughts On This:

It seems to me that with Biden as President, the understanding of how important Cybersecurity is to our nation is starting to pick up, especially with this recent Executive Order. But unfortunately, the government at any level will be too slow to respond to a direct security breach.

This is where the private sector can come into play. In fact, there should be a consortium of Cyber vendors that can come in quickly with first responders to help the government fight off and mitigate that breach.

But this will involve creating more partnerships with the private sector, something that the government IMHO has been slow in or is unwilling to do. Also, the government needs to forge closer ties to the academic sector, as this will be one of the best ways to get access to cutting edge research. In fact, this needs to be done at all levels, by no means should any intelligence not be shared with the relevant parties.

But all in all, at least things are starting to move forward in some direction with the local governments. Hopefully, this manifests into a triad of sorts:  The academic, private and government sectors. Once finally everybody can come together as one, this will be one awesome triad, like the Trident nuclear missile.

Finally, you can download this report at this link:

https://www2.deloitte.com/us/en/insights/industry/public-sector/2022-deloitte-nascio-study-cybersecurity-post-pandemic.html

Sunday, October 16, 2022

Why Securing Your Backups Is So Important - Especially NOW!!!


 

There is one thing in the last few years that I have not mentioned, which is in fact a key prey for the Cyberattacker.  What is it, you may be asking?  Well, believe it or not, it is the backups that we create of our datasets.

We keep hearing day in and day out about the need to create daily backups; after all, this is the best way to recover from a security breach, especially that of Ransomware.  But now, the Cyberattacker is after these backups.

Consider some of these interesting stats:

*The lack of data backups by Corporate America (yes, there are still those organizations that fail to do this) has caused the cost of Cyber Insurance premiums to go as high as 91%;

*Backups were targeted in an astonishing 94% of all Cyberattacks, with a strong impact being made in 68% of those cases;

*Without the appropriate backups in place, it can cost a company 35% more in terms of financial expenses when trying to restore back to mission critical operations.

It seems that many organizations are far too obsessed with keeping track of their compliance, rather than making sure that people have access only to what they need.  In this aspect, you really can’t blame the CISO too much.

Coming into compliance with the data privacy laws is of top concern at the moment, because of the fears driven by audits and the sharp financial penalties that come into place for not being compliant. 

But perhaps the CISO has too much on their plate?  Perhaps they should hire a virtual-based Chief Compliance Officer to make sure that all is up to snuff?  In fact, this is the number one complaint that IT Security teams have about their CISO:  They never listen.

I realize I am digressing here a little bit, but the truth of the matter is that all employees pretty much take their cue on what to do from the C-Suite, which technically, they are supposed to do.

But now perhaps it’s time that the CISO shifts direction and focuses more on the basic things:  Like making sure backups are more or less safe and secure.  So what can he or she do in this regard?  Here are some tips:

1)     Improve the security awareness training:

OK, once again I realize that this is also a beaten-up subject, but in this regard, I mean training for the IT Security team.  You, the CISO, need to stress to the team, in a nice manner, that while taking backups is a key job function, making sure that they are out of predatory hands is just as important.  It would probably be wise to first discuss where the backups are.  If they are on site, then they should be stored in a secure room, with only a few people being given access to it, using MFA at the very minimum in terms of security protocols.  If they are stored in the Cloud, then once again, you need to confirm with your team where they are located.  For instance, is it in the Public, Hybrid, or Private Cloud?  Once this has been determined, you can then establish the right profiles for those people who need to gain access to them.  Here, you can use Azure Active Directory, which is a great tool to use for this scenario.  Then from here, you can set up the rights, privileges, and permissions for the people on the IT Security staff that will be gaining access to the backups.  Even though you may think that you are all on the same side, rogue employees can also exist on your own team.  Therefore, in this and all instances, the concept of Least Privilege must be applied!!!  Also, make sure that taking backups is a shared job, meaning that it rotates between people, and not just one person does it.

2)     Get an audit done:

In many fields, whoever is responsible for getting a job task done feels that their way is the best way.  It’s just human nature to think this way.  While it is great that you take pride in what you do, this is not the best way to approach the task at hand.  Rather, what you need to tell yourself is that you need a second pair of eyes to confirm that the controls you have put into place to safeguard your backups have indeed been done correctly.  What I am trying to get at is that you should probably get a third-party assessor to confirm that the procedures that you have in place to secure backups are good, and if not, follow their remediation plan of action.  For me, it’s like writing a whitepaper.  Sure, I have been doing this for years, but often it is difficult to proofread what I have just written.  That is why from time to time I hire a proofreader to go over my work and check for the obvious mistakes, which I probably could not find.

3)     Create a sense of camaraderie:

Although this should be done for all departments in your company, at the present time, as the CISO, your IT Security team comes first.  Break away from the siloed approach that has pervaded your organization for so long, and implement a culture that fosters open communications and teamwork.  Remember, when fighting off the bad guys, you need a team that is going to follow your lead, and nobody else’s.  As mentioned, you want to develop a sense of trust on your team, so that they will go that extra mile to make sure that those backups are protected.

My Thoughts On This:

Remember, when it comes to securing backups, as the CISO, don’t stay so focused on the threats from the external environment.  You also need to stay focused equally, if not more, on the internal environment of your company as well.  Remember, all it takes is one rogue employee to mess with your backups.

Now although you can’t watch your employees all the time, your other employees can.  That is where developing a trusting environment comes into play.  Also, make sure that your CCTV systems are in place and fully functional and outfitted with the latest technology, such as that of Facial Recognition.

This will be one of your best resources to use if indeed you have a rogue employee in your midst.

Sources for the stats mentioned in this blog include the following:

https://www.wsj.com/articles/cyber-insurers-raise-rates-amid-a-surge-in-costly-hacks-11652866200?mod=djemalertNEWS

https://www.ibm.com/downloads/cas/L57KW7ND

Saturday, October 15, 2022

4 Main Causes Of Data Leakages: How To Fix Them

 


Just yesterday, I published a new e-Book on AMZN.  It is actually my end of year report, as it will be the last eBook for the year.  The topic is data breaches, and how filling in the worker shortage gap could help eliminate some of these things from happening.

The breaches are as usual from the past year, but data leakage is at the top now, when the previous year it was down towards the middle.

I have often been asked what a data leakage is, and how you really define it.  Well, a data leakage is just that . . . data is being exfiltrated, either intentionally or not, and is going out somewhere to a point of destination where it should not be going.  You can easily compare this to a fluid leak in your car.  Obviously, you don’t want it to leak anything.

What is interesting to note is that data leakage issues hardly ever occurred when businesses had their IT and Network infrastructures On Prem.  It only started to make waves once COVID-19 hit, and all businesses were (and still are) making the rush to the Cloud.

More than likely, the Cloud migration was not properly planned, or it was not thoroughly tested before the deployment went live.

In this blog, we are going to take a further look at the other catalysts of data leakages.  Here we go:

1)     Reliance upon suppliers:

We now live in a world that is totally interconnected, whether we like it or not.  Because of this, we are more reliant upon third party suppliers.  Gone are the days when you could meet any potential partner face to face; everything is now done via Teams or Zoom.  Because of this, the risks of data being leaked at your outside supplier are now greater than ever before.  For example, suppose you outsource your payroll functions to a third-party vendor.  You really don’t need to meet face to face; any meetings can be held digitally.  Obviously you will be sharing private information and data (especially about your employees) with this processor.  You don’t know if they have all of the controls in place to protect all that data.  If they don’t, the chances of data leakage happening are far greater now.  But here is the catch that you need to be aware of:  If anything does happen to this payroll processor, you will be held liable for any damages caused by the data leakage, not them!!!

2)     Misconfigured buckets:

Whenever you transition from an On Prem to a Cloud Infrastructure, on either AWS or Microsoft Azure, one of your first goals is to create a secure storage space in which to store your information and data.  These are technically known as “storage buckets”, and in AWS, this is known as the “S3 Bucket”.  S3 is an acronym that stands for “Simple Storage Service.”  While it is a great tool to have and is relatively simple to deploy, many companies fail to configure their S3 buckets to their own security requirements and instead rely upon the default settings that AWS provides.  This has been a huge culprit in the data leakage issues surrounding these S3 buckets.  Everybody wants to blame Amazon, but the truth of the matter is that it is you, the CISO, that should take ultimate responsibility to make sure that everything is configured properly.

3)     Poor source code:

Today, we are seeing source code being compiled in a way that is totally insecure.  For example, software developers often do not test the modules for any weaknesses or misconfigurations, or if they do, it is often done at the last minute, and very hastily.  Very often, open-source APIs are also used, which often have not been tested or updated with the latest patches and upgrades.  Because of all of this poor source code being compiled, a lot of backdoors are now being left open, through which the Cyberattacker can now penetrate quite easily and exfiltrate data.  This happens quite a bit, but you hardly hear about it in the headlines, because nobody wants to admit it publicly and lose customers over it.

4)     No encryption being used:

This is essentially where you use a mathematical algorithm to scramble all of your datasets so that they remain in a garbled state and are incomprehensible should they be intercepted by a malicious third party.  The only way that they can be made decipherable is by unlocking them with the private key.  In fact, encryption tools are already available with the major Cloud Providers, and it should be done automatically.  However, many businesses are still naïve about this fact, and still store their datasets in a cleartext format.  So once that data is exfiltrated, a Cyberattacker can do anything that they want with it, even sell it on the Dark Web.
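As an added example (not code from the blog post, and not an AWS tool), the check below audits the three S3 bucket settings that points 2) and 4) above come down to: the Block Public Access flags, the bucket policy, and default server-side encryption.  The dictionaries it reads mirror the shape returned by the boto3 calls get_public_access_block, get_bucket_policy and get_bucket_encryption, but the two bucket configurations are constructed inline so it runs offline; the account ID and bucket name are placeholders:

```python
"""Audit the three S3 bucket settings that most often cause leakage.

Added example, not from the blog post or from AWS. It reads the same
shapes of data that the boto3 calls get_public_access_block,
get_bucket_policy and get_bucket_encryption return, but the two bucket
configurations below are constructed inline so the check runs offline.
"""
import json
from typing import Any, Dict, List

# Keys of the PublicAccessBlock setting; all four should be True.
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)
ACCEPTED_SSE = ("AES256", "aws:kms")


def _principal_is_everyone(principal: Any) -> bool:
    """In AWS policy grammar, "*" or {"AWS": "*"} means anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json: str) -> List[str]:
    """Return Sids of Allow statements granted to everyone with no Condition."""
    policy = json.loads(policy_json)
    hits = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if (stmt.get("Effect") == "Allow"
                and _principal_is_everyone(stmt.get("Principal"))
                and not stmt.get("Condition")):
            hits.append(stmt.get("Sid", f"statement-{idx}"))
    return hits


def audit_bucket(cfg: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means the bucket passes."""
    findings = []
    pab = cfg.get("PublicAccessBlockConfiguration") or {}
    for key in PUBLIC_ACCESS_BLOCK_KEYS:
        if not pab.get(key, False):
            findings.append(f"public access block: {key} is not enabled")
    if cfg.get("Policy"):
        for sid in public_policy_statements(cfg["Policy"]):
            findings.append(f"bucket policy: statement {sid} allows anonymous access")
    rules = (cfg.get("ServerSideEncryptionConfiguration") or {}).get("Rules", [])
    algos = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules]
    if not any(a in ACCEPTED_SSE for a in algos):
        findings.append("encryption: no default server-side encryption rule configured")
    return findings


# Constructed: a bucket left as it was created, with a world-readable policy.
LEAKY_BUCKET = {
    "PublicAccessBlockConfiguration": None,          # never set
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-payroll-exports/*",   # placeholder name
        }],
    }),
    "ServerSideEncryptionConfiguration": None,       # never set
}

# Constructed: the same bucket after its settings were reviewed.
HARDENED_BUCKET = {
    "PublicAccessBlockConfiguration": {k: True for k in PUBLIC_ACCESS_BLOCK_KEYS},
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PayrollAppOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/payroll-app"},  # placeholder
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-payroll-exports/*",
        }],
    }),
    "ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]
    },
}

if __name__ == "__main__":
    for name, cfg in (("leaky", LEAKY_BUCKET), ("hardened", HARDENED_BUCKET)):
        print(name, audit_bucket(cfg) or ["OK"])
```

The leaky bucket produces six findings (four missing public-access flags, one anonymous policy statement, no default encryption) and the hardened one produces none.  The point of running something like this before a bucket goes into production is that whatever the defaults happen to be when the bucket is created, the settings you actually rely on are verified rather than assumed.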

My Thoughts On This:

If you want a complete laundry list on how to mitigate the risks of data leakage, a simple Google search will suffice.  There, you will find checklists and frameworks that you can use.  But for purposes of this blog, here is what would normally be recommended:

*Whether we are in the digital world or not, it is your responsibility to vet each potential third party with whom you are considering doing business completely and thoroughly.  Make sure that the security policies and protocols that they have put into place are at least equal to what you have in your own business.

*Before going into production mode, always double check that your storage bucket settings are configured the way they need to be.  Do not rely upon the default settings!!!

*Testing the source code should be a no brainer by now.  After all, you are creating a portal for either your customers or your employees, and you have to make sure, as far as possible, that there are no obvious backdoors that are open.  Testing of the source code should be done on a modular basis, so it does not all pile up in the end.  In fact, there are many automated tools that you can use as well to test the validity of the source code that is being compiled.

Finally, as you migrate to the Cloud, make use of a Cloud Services Provider (CSP).  They can help you plan the transition from beginning to end, and even help you with the encryption issues as well.

Sunday, October 9, 2022

How To Make The Change Into Cyber With No Experience: 4 Golden Keys To Success

There are times when I reflect on my own life and try to figure out what I could have done better, not just from a personal standpoint, but from a professional one as well.  I am happy where I am in Cyber now, but I keep wondering whether there is a different path in high school and college that I could have taken which would have allowed me to get to where I am now quicker.

One of the biggest obstacles I had back then was a phobia of learning programming.  I tried it in high school and even in college, but I simply could not grasp the skills and the mindset that were needed.  Funny to say, the first job I took right after finishing my MBA was being a COBOL programmer.  Luckily, they had a training period for it, but I did not do very well in that either.

So after I took stock of all my computer experiences from high school up until that first job, I realized that OK, I am not a programmer, but I was good at understanding and working on the application side of computers and technology. 

So that is why you see me today as a tech writer and not a practitioner of a particular Cyber field, such as Penetration Testing or Threat Hunting.

So, this brings up the next question:  How does one get started in a career in Cybersecurity?  Well, if you are still in high school or college, the answer seems to be fairly straightforward:  Try to become a technology major, or better yet, try to become a Cybersecurity major. 

Many colleges and universities are now offering undergraduate and even graduate degrees, both on campus and online.  This will give you the bulk of the preparation that you will need to start that first job in Cyber.

But if you are a mid-career person and are looking at transitioning over to Cyber, the path to where you want to go could be even murkier.  But to help you get yourself aligned, here are some tips you can follow:

1)     Try to work with people:

By this I mean try to work in a place where you can help people with their computer problems.  The ideal situation here would be to work in a help desk like environment for a couple of years.  But if you are in a whole different career line, this may or may not be feasible.  Other possible solutions here would be to work for a local computer store in your neighborhood where you have that customer facing interaction, or even any other kind of technology store.  A great example of this is the “You Break It We Fix It” franchise.  You bring in any technology equipment that is in need of repair, and either it is done on the spot or it is shipped somewhere else where the parts are available.  Even when I was doing my MBA, I held a full-time job as a sales consultant for the University Computer Services where I was interfacing with tech customers directly.  That is one of the best venues where I learned about computers, and that experience has carried with me to this day.  Having this kind of entry level experience will also teach you great communication skills, which are so needed in the Cyber world today.

2)     On the job training:

I often get asked the question, “Where did you get your Cyber education from?”  Truth be told, I don’t have any formal training in the field.  I ended up teaching myself everything.  It’s not that I picked up a book and started reading about Cyber; it’s in the line of work that I am in.  Writing about this stuff day in and day out, year after year, you tend to learn quite a bit over the long haul.  As my dad would always say, the best teacher is often just you.  If you are starting a new career in Cyber, make sure that you do get that on-the-job training.  At the present time, many recruiting managers are only hiring workers that fit the mold.  But they are now starting to realize that in order to help fill the Cyber worker shortage, they need to break away from this trend.  So many of these companies are now offering on the job training in lieu of having specific Cyber experience.  Make sure again that you are going to be offered this before you start working, just to make sure that everybody is on the same page.

3)     Some skills can be taught:

For some areas of Cybersecurity, baseline skills can often be self-taught, which will be an added bonus when you start your first job.  A typical example of this is once again Pen Testing.  There are many free tools that are available online that you can download and start to experiment with.  But be careful about where you download stuff from!!!  Kali Linux is also another good example of this.  It also comes as a free download, and this is the tool of choice for many Pen Testers for real world scenarios.  There are also plenty of other training videos that are available for free, such as Professor Messer’s online training for the Security+ cert.

4)     If needed, get the appropriate cert:

I am very cautious about this one.  There are so many Cyber certs out there, it is almost impossible to know even where to get started.  Also, I think a lot of these are simply money racket schemes.  But there are some good ones out there, such as from CompTIA and ISC2.  They both offer entry level certs into Cybersecurity, and in fact, I am going to take the one from ISC2 very shortly.  It is a new one that came out in September.  Once you have this baseline cert, then you can decide if you need more down the road, depending upon what area in Cyber you eventually land in.  Heck, it could even be the case that you may not need any certs at all.  There are some Cyber professionals that I know of out there who have no certs and are quite successful.  Keep in mind that a cert is only a steppingstone to something else, and nothing more than that.

My Thoughts On This:

IMHO, I think anybody from any walk of life could potentially get a job in Cyber, even if you don’t have much experience.  All it takes is persistence and a willingness to learn.  So whatever skills you do have, try to package them so that you can showcase these two items.  That will carry far more weight than all of the certs in this entire world.

Saturday, October 8, 2022

The 5 Hidden Dangers Of IoT Gift Shopping

If you think about it, it’s really now only about 2 more months till Christmas time.  The weather has been so nice and warm that it is hard to believe it is going to happen.  So, as the thoughts of gift giving and being with family and friends start to emerge, the question of what to shop for becomes front and center.

The holiday shopping season is going to be an interesting one this year, driven by fears of inflation and by COVID-19 having more or less dissipated from the headlines.

For example, will people still shop online, or will they make a tour through the brick-and-mortar stores?  What kinds of gifts will people choose to give away?  Here, there are two common answers:  Gift cards and cheap electronic devices.  There is nothing wrong of course with the first choice, but it is the latter which is more gut wrenching for the Cyber professional.

Some of the more common reasons for this are if it was made in China, or if it is a device which can be interconnected with others, which is also known as the Internet of Things, or IoT for short.  It is the latter which raises the highest level of fear.

Bluntly put, we are not at the level yet where devices can be connected safely together, without the fear of a malicious third-party prying in.

We do not know how secure the other devices are, and in fact, many of the wireless connections themselves are often insecure, which only expands the threat landscape that much more.  But there are so many IoT devices out there that, at first glance, it is almost impossible to know what is safe to buy as a gift and what is not.

Well, the following is a broad sampling of those IoT devices that you should avoid buying as gifts for others this holiday season:

*IoT Cameras:

CCTV cameras are all over the place and all over the world, whether people like them or not.  But they do have their highly valued use, as law enforcement agencies have been able to apprehend suspects quicker now even more so than before.  But CCTV cameras have become much “smarter” now, coupled with the use of Facial Recognition and Computer Vision technologies.  At the present moment, all of these cameras operate in a standalone mode, but there is talk now of connecting all of them together, so that one continuous video feed can be seen, rather than having to view one reel at a time.  While this is obviously great for law enforcement in the real world, putting interconnected cameras in your home is a bad idea, due to the fact that the security measures which have supposedly been put into them have not even been tested yet by the vendor.

*Smart Toilets:

OK, laugh as much as you want about this, but this technology does actually exist today, and is even used in Smart Homes.  I don’t know why one would have to worry about security here, but scientists claim that the sides of our backs have a unique biological trait to them (just like a fingerprint or iris) that can potentially be used for identification and verification scenarios.  While this concept may work in other countries, it will not go too far here in the United States for one reason alone:  The invasion of privacy rights.  In fact, according to a recent survey, 20% of Cyber experts fear that their Smart Toilet could be hacked into, and 30% of the other respondents would not even consider using it.  More information about this survey can be seen here at this link:

https://www.darkreading.com/vulnerabilities-threats/7-iot-devices-that-make-security-pros-cringe?slide=3

*The Digital License Plate:

While digital technology has found its way to some degree into driver’s licenses (for instance here in IL, many driver’s licenses now have some sort of Biometric technology implemented into them), the hope is that it will eventually find its way onto our license plates.  While this sounds extremely convenient, like not having to wait endlessly at the driver’s license branch, it does pose a number of serious Cyber risks as well.  Probably the biggest one here is that they can still be easily replicated and forged.  At least with our driver’s licenses we have control over them, but with license plates, we do not.  What is out there to prevent anybody from taking a picture of our license plates at 2AM???  Having this kind of technology in place on a large scale can also stoke the fears and even realities of Cyber stalking, at a point when we really don’t need that right now in our society, given all of the horrific crimes that are already taking place.

*The Smart Speaker:

This type of IoT device has been around the longest.  For example, when you speak with Cortana or Siri on your smartphone, this is an example of a smart speaker application.  But there are also versions of this which are far more sophisticated, and which you can install at your home.  You can still speak into the speaker, but the results are far more powerful.  For example, you can ask Siri or Cortana to turn on the TV or your coffee machine, or even ask your robot to do certain things.  But once again, there is a huge security risk here, especially with the vendors of these IoT devices actually listening in on the conversations that you are having.

*The Smart Kitchen:

Thoughts of automated stoves and microwave ovens are often conjured up here. While personal and confidential data cannot really be hijacked here, the Cyberattacker can easily play with the controls on them so that they will not work when you need them the most, or even turn up your oven to such a high level that it will become a grave fire hazard, without letting you turn it down.

My Thoughts On This:

Personally, as much as I love writing about Cyber, and even though I have an advanced degree in MIS, I hate technology.  There is nothing “smart” where I live, and I intend to keep it that way.  Heck, I still drive a very old Honda Civic which so far has withstood the sheer extreme changes of Chicago.  But that being beside the point, given these security risks, should you still give an IoT device as a gift?

That is really up to you, but if you are going to go down this route, make sure you warn your gift receiver about the risks, and above all, one of the most important things is that they should reset the security setting thresholds to what they think is safe.

Many vendors still leave it at the default settings, which offers no security at all.

Or perhaps the best and least complicated way to give away gifts is to merely just send gift cards!!!

Sunday, October 2, 2022

To All Black, Grey, & White Hatters: The Time For Ethical Standards Has Come

As you know, Cybersecurity is a huge field to be in.  There are many different areas in which somebody can specialize in, depending upon what you are most interested in, and where your skill set is at.  As for me, I landed in the writing aspect of it, because writing is something I have always loved doing, even back in college. 

And I also love the sense that hopefully through my books, eBooks, blogs, podcasts, tweets, etc. that I am educating people.

But apart from this, one area of Cyber that has always intrigued me was Penetration Testing.  Essentially, this is where a hired firm or contractor takes the mindset of a Cyberattacker, and tears down everything that they can. 

From here, all of the known and unknown vulnerabilities are then discovered.  Then a final report is compiled and given to the client with the remediative steps that they need to take, though it is entirely up to them to do that.

But now, the question I get asked and I even ask myself (especially during the podcasts) is how far this kind of hacking can go.  Well, there are legal limits.  Meaning, before any kind of Penetration Testing can take place, the client has to sign a contract which stipulates what can and cannot be tested.

These are the limits that can be pushed.  If the Pen Tester wants to go beyond this, they then have to get the explicit and written consent of the client to do so.

Also in these contracts, there are usually clauses that state the client bears all of the risks for any data loss, and they will have backups created just in case.  In the end, this is what is known as “Ethical Hacking”.  Technically, it can be defined as follows:

“It is the process of assessing a computer system, network, infrastructure, or application with good intentions, to find vulnerabilities and security flaws that developers might have overlooked. It’s finding the weak spots before the bad guys do and alerting the organization, so it can avoid any big reputational or financial loss.”

(SOURCE:  https://www.darkreading.com/vulnerabilities-threats/should-hacking-have-a-code-of-conduct-).

So, now you can see why these kinds of testers are called “White Hats”.  Their profession is clean hacking, and they have taken that oath not only to themselves and to the company that they work for, but to the client as well.  But while most Pen Testers are honest in what they do, there are also the “Grey Hats” and the “Black Hats”.

The former refers to those hackers who were once on the dark side, but now have turned over a new leaf, and the latter refers to those individuals who are on the dark side still, and hack for illegal purposes, but it may not be to hurt people directly.

For example, a Black Hat may just hack into a system out of curiosity.  Or they may try to hack into something big in order to get a huge rush out of it, which will give them a badge of honor in their own circles.  Then, there are those who hack for malicious gains, and have no sense of right from wrong whatsoever.

But there is some evidence coming into light recently that even the worst of the Black Hat hackers have a sense of scruples amongst themselves. 

For example, during the peak of the COVID-19 pandemic, many of the Black Hatters pooh-poohed the idea of creating phony and fictitious websites in order to give out false information about the virus to the public, all in an effort to capture the login credentials of the unsuspecting victim.

Given some attacks recently on high profile companies, the Black Hatters even banded together to punish the group that launched the threat variants.  Because of this sense of right from wrong, this particular hacking group eventually disbanded from the Dark Web, and its members were later apprehended and brought to justice.

Heck, there have even been some stories where Ransomware groups have provided the decryption keys to the victim after they have been paid via Bitcoin by the victim.  So given all of this, and just how important Pen Testing is, there seems to be a call now in the Cyber industry that all hackers, no matter what their status is (White or Grey or Black Hat), should now abide by a set of ethical standards.

It is as follows:

1)     Hack with good intentions:

Yes, even the White Hatters can turn at the flip of a switch, but the bottom line here is that you hack to find what is wrong with the lines of defense for the client that has hired you to do this task.  No more and no less.  If you feel that you need to do more, then you need to get permission, as stated before.  Finally, be straightforward in reporting your findings.  Avoid as far as possible any kind of techno jargon.  That won’t impress the client.  But what will is how you describe the remediative actions that need to be taken.

2)     Tell them how to go further:

After they present their findings to the client, most White Hatters will not deploy the needed controls to remediate any weaknesses and gaps.  Usually, the client will be referred either to an MSP or MSSP for this step to take place.  A good White Hatter will not pick anybody out of the blue for this; rather, they will refer them to others whom they trust and feel comfortable with.  Also, a good White Hatter will always follow up with the chosen MSP or MSSP to make sure that the work is being done, and that the client is satisfied.

3)     Documentation is a must:

Throughout every step of the way, a good White Hatter will always document all of the key steps that have been taken during the Pen Testing exercise.  This serves two key purposes:  First, if in the off chance something does go wrong during a Pen Test, the White Hatter will have proof that they did everything by the book.  Second, this set of detailed documentation, along with the log files, will form the backbone for the report to be given to the client.  So the more you can capture, the better.

4)     Always keep an open line of communication:

A good White Hatter will always keep the client informed of what is going on, even before the final report is delivered.  In this regard, the client does not need to sit next to you; rather, even simple communications via email every few hours will be great.  It is very important to remember that in this line of business you never, ever want to ghost your clients.

My Thoughts On This:

What I envision down the road is that some kind of hackers’ forum or union will be established, in which all kinds of Hatters will have to sign and abide by the ethical set of standards just described.  Of course, this list will have to be revised over time, but the four tenets of it will be the starting point.

Who knows, in the end, perhaps more of the Black Hatters will then be convinced to turn to the good side?  Whenever I ask this question, the thought of Darth Vader turning over a new leaf in Return of the Jedi comes to mind.  But hopefully, for everybody’s sake, it will not be too late.

Saturday, October 1, 2022

Why BEC Attacks Will Far Surpass Ransomware In 2023

Just last weekend, I wrote a blog in which I partially wrote about how the Cyber pundits are already making predictions for 2023.  Although it is still a bit early to tell what could happen, there are two known catalysts out there now which will dominate the threat landscape:

*The Russian annexation of key territories in the Ukraine;

*The Cyberattacker shifting gears in their tactics.

Now I cannot say too much about the first point, because anything could change in that part of the world.  But, I can talk with some certainty about the second one.  After some time, the Cyberattacker usually will change the way in which they launch their threat variants. 

There are reasons for this, but one of the primary ones is to still keep their identity as elusive as possible.

Another one could be that they are simply tired of what they are doing at the current time and want to go on to something else.  This really only happens when the profit potential is dissipating.  Such is the case with Ransomware.

It was the threat variant of choice back in 2020, right when the COVID-19 pandemic was at its peak, but this year, as it takes the back seat in the news, the total number of Ransomware attacks has actually fallen for 2022.

Of course, it is still out there, but not to the magnitude of severity that we have seen.  But now, the trend is shifting in another direction, which is known as “Business Email Compromise”, or “BEC” attacks.

This is where an employee of a company is sent a Phishing kind of email, demanding that the financial or accounting department wire a hefty sum of money to a third party in order to complete a deal.

The money is sent, and voila, it is gone forever into a phony, offshore account.  The scenario I have just depicted is of course a very simplistic one, but these are the details of the basic form of attack.  Just consider some of these stats to show you how BEC attacks are on the rise:

*It has doubled since Q2 of this year by 34%;

*The attacks for end users has increased by 84%.

More information about these stats can be seen at the following links:

https://arcticwolf.com/resources/blog/incident-response-insights-from-arctic-wolf-labs-1h-2022/

https://abnormalsecurity.com/blog/bec-attacks-increasing-new-research-shows

Also, according to the FBI, BEC attacks accounted for $2.4 billion of the $6.9 billion in losses so far to American consumers and businesses.  This is almost 34%, whereas Ransomware attacks only accounted for a mere 0.7% of this entire total.  More information about this can be seen at this link:

https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf

There are numerous reasons cited why BEC attacks have become so much more popular this year, but four of the most cited are as follows:

1)     BEC payments do not require a virtual currency to be used, unlike a Ransomware attack, where Bitcoin is still the preferred means of payment.  But it can take time for a victim to get the virtual currency collected, unlike with BEC attacks, where the real currency is used.

2)     BEC attacks can make use of multiple attack methods.  In our example earlier in this blog, we used Phishing.  But a BEC attack can take place via Social Engineering, Vishing, Smishing, Robocalls, traditional mail, etc.

3)     There are also other technological weaknesses that are giving rise to the proliferation of BEC attacks – some of these include the recent weaknesses that have been found in Microsoft Exchange, VMware, and the Remote Desktop Protocol (RDP).

4)     Cyberattackers are also purchasing PII datasets from the Dark Web for pennies on the dollar.  These can then be used to launch Social Engineering attacks.

These four findings can be seen in the diagram below:

(SOURCE:  https://www.darkreading.com/threat-intelligence/cybercriminals-see-allure-bec-attacks-ransomware)

My Thoughts On This:

With all of these stats now presented to you, you may be wondering how you can protect yourself and your business from a BEC attack.  Once again, it all comes down to security awareness training.  Keep in mind that a BEC attack is going to focus primarily on one thing:

Directly asking for money.  So the moment that your administrative assistant gets an email or a phone call asking for money, you need to tell them to stop the conversation immediately, and have him or her report that back to their higher ups and the IT Security team.

Then the request for the money to be sent over needs to be validated.  But if it already has been sent, your next course of action is to immediately call your local FBI office to try to recoup whatever you can.  To varying degrees, the FBI has been successful in retrieving money in such kinds of attacks.

But in the end, it is going to be the finance or accounting department that will send the money, if the request is legitimate.  Therefore, it is very important to make sure that the right controls have been implemented, and upgraded with the latest patches and firmware upgrades. 

Any and all requests for money transfers should be confirmed with at least two layers of approval.  True, this may seem to be a bit much, but this is one surefire way of having a good set of checks and balances in place.
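Here is an added example of what those two layers look like in code (an illustration for this blog, not a vendor product and not the author’s own tooling): first a screen for the tell-tale signs of a fraudulent money request of the kind described earlier in the post, then a release rule that needs two distinct approvers, never the requester, plus a callback to a number on file whenever the beneficiary account is new.  The company domain, executive names, word lists and sample messages are all constructed:

```python
"""Two controls against a BEC wire-fraud attempt: screen the incoming
request, then require two distinct approvers (and a callback for any new
beneficiary) before the wire is released.

Added example, not from the blog post and not a vendor product. The
company domain, executive list, word lists and sample messages are all
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

COMPANY_DOMAIN = "example-corp.com"                 # constructed
EXECUTIVES = {"pat rivera"}                         # constructed display names
MONEY_WORDS = ("wire", "transfer", "payment", "invoice", "bank details")
URGENCY_WORDS = ("urgent", "immediately", "today", "confidential", "asap")


@dataclass
class Email:
    display_name: str
    from_addr: str
    reply_to: Optional[str]
    subject: str
    body: str


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def screen_payment_request(msg: Email) -> List[str]:
    """Reasons to stop and escalate instead of acting; empty means no flags."""
    text = f"{msg.subject} {msg.body}".lower()
    reasons: List[str] = []
    if not any(w in text for w in MONEY_WORDS):
        return reasons                                # not a money request
    if any(w in text for w in URGENCY_WORDS):
        reasons.append("payment request paired with urgency or secrecy language")
    sender_domain = _domain(msg.from_addr)
    external = sender_domain != COMPANY_DOMAIN
    if external and COMPANY_DOMAIN.split(".")[0] in sender_domain:
        reasons.append(f"lookalike sender domain {sender_domain}")
    if external and msg.display_name.lower() in EXECUTIVES:
        reasons.append("display name impersonates an internal executive")
    if msg.reply_to and _domain(msg.reply_to) != sender_domain:
        reasons.append("Reply-To goes to a different domain than From")
    return reasons


@dataclass
class WireRequest:
    request_id: str
    amount: float
    beneficiary_account: str
    known_beneficiary: bool              # account already on file and used before
    requested_by: str
    approvals: Set[str] = field(default_factory=set)
    callback_verified: bool = False      # confirmed by phone to a number on file


class WireRelease:
    """Release policy: two distinct approvers, never the requester, plus a
    callback verification whenever the beneficiary account is new."""
    REQUIRED_APPROVALS = 2

    def approve(self, req: WireRequest, approver: str) -> None:
        if approver == req.requested_by:
            raise PermissionError("requester cannot approve their own wire")
        req.approvals.add(approver)       # a set, so one person cannot count twice

    def record_callback(self, req: WireRequest, verified: bool) -> None:
        req.callback_verified = verified

    def can_release(self, req: WireRequest) -> bool:
        if len(req.approvals) < self.REQUIRED_APPROVALS:
            return False
        if not req.known_beneficiary and not req.callback_verified:
            return False
        return True


# Constructed sample messages.
SUSPICIOUS = Email(
    display_name="Pat Rivera",
    from_addr="pat.rivera@example-corp-mail.com",
    reply_to=None,
    subject="Urgent wire transfer",
    body="Please send the wire today; bank details are attached. Keep this confidential.",
)
ROUTINE = Email(
    display_name="Pat Rivera",
    from_addr="pat.rivera@example-corp.com",
    reply_to=None,
    subject="Q3 invoice schedule",
    body="Attached is the payment schedule for review at Thursday's meeting.",
)

if __name__ == "__main__":
    print(screen_payment_request(SUSPICIOUS))
    print(screen_payment_request(ROUTINE))
```

The screen flags the first message three times (urgency language, a lookalike domain, and an executive’s name on an external address) and passes the routine one, and the release rule refuses to move money on one approval, on the same approver twice, or to a new account nobody has called to confirm.  The heuristics are deliberately simple; in practice the screen sits alongside the mail gateway’s own checks and the release rule is enforced in the payments system rather than a script.  What matters is that neither the urgency of the message nor a single person’s say-so can send the wire.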

In fact, many financial institutions today have automated alarms in place to warn them of any fraudulent activity taking place.  If anything is detected, the transaction is halted immediately until the details of it can be confirmed.

In fact, this very situation happened to one of my clients the other day.  They were about to send out a wire transfer to a phony bank account.  The only thing that prevented this from happening were the AI and ML detection tools that were in place to detect potential fraud.
