Monday, November 28, 2022

The Benefits Of A vCISO To The SMB

 


As we approach into 2023, many SMBs are going to be reevaluating their security needs and the budget for the upcoming year.  Unfortunately, Cyber is still a low priority for them, either because they still have the mentality that because they have never been breached before that they never will be, or they simply think that hiring an MSP is too expensive. 

Well, they are wrong on both fronts.  The truth of the matter is that many Cyber vendors are now finally making their products and services as SMB friendly as possible. 

This especially true for vCISO services.  Hiring a full time CISO can be very costly, but with a vCISO, you are hiring a former CISO who has the experience you need to get the job done.  They are cost effective, affordable, and best of all, as an SMB owner, you only pay them for the length of the contract.  You can terminate and bring back their services as needed.

In this podcast, we have the privilege of talking with Mr. Tony Dumas, a vCISO at Cyber Elite Corporation.  He offers his insights as to what it takes to be a vCISO, and how an SMB can benefit from having one.  You can download the podcast at this link:

https://www.podbean.com/site/EpisodeDownload/PB132659AXEWDE

Sunday, November 27, 2022

A 4 Point Roadmap Why The New Will Not & Why The Old Will Save Us In Cyber

 


Just last night, I resumed my studies again for studying in the “Certificate In Cybersecurity” exam.  It is an entry level certification, and is a new one that is being hosted by the ISC2, one of the top testing vendors globally. 

In fact, they are the ones that also host the CISSP, which has basically become the gold bar now in the Cyber industry (like how the MCSE was back in the 90’s, during the Internet Bubble).  One of the topics that I ended up studying was about Incident Response Planning.

Sure, I thought this topic would be easy enough, because I have written on it so many times in the past. No that the material was hard by any means, but the terminology was a little bit more than I had realized. 

One term that I came across which I probably have used a hundred times over as a writer was “Breach”.  I scratched my head, and thought, “OK, what really is a breach?  What technically causes it to happen?”  According to the study materials that I have, it was defined as the point where the Cyberattacker actually decides to break through your perimeter defense. 

Now what happens after that was not mentioned.  But that is how it is interpreted.  But as this term is applied into the real world, security breaches are really nothing new.  We see them happen all of the time, some of them are small cases, or some of them can be very large, such as the Solar Winds hack.  But in the end, something is stolen (no matter how long it takes), and it is of high value and pertinence to the business.

According to a recent research study conducted by Crowd Strike, it was technology that succumbed most to security breaches.  From 2021 to 2022, there were well over 77,000 breaches that have occurred and witnessed by their researchers (however, this number does not include other kinds of breaches that have occurred to other victims). 

More info about this study can be seen here at this link:

https://www.crowdstrike.com/resources/reports/overwatch-threat-hunting-report/

Here are some of the key highlights from this report:

*The Cyberattacker of today is moving away from using malware-based attacks.  According to their research, 71% of the security breaches that they witnessed did not even include malware. 

*Between 2021 and 2022, more than 30,000 vulnerabilities.  Now according to my study material there is a distinction here:  Vulnerabilities are simply a weakness in which a Cyberattacker can penetrate through, such as a backdoor that was still left open in the software development lifecycle.  The breach actually occurs when the Cyberattacker actually penetrates through this weakness.

*Sometimes, a Cyberattacker may not even enter through the vulnerability to break in.  They might just simply deploy a malicious payload such as a “Web Shell”.  These are malicious scripts that allow the hacker to take over a particular Web Server and cause more damage from that.

So what can an SMB, or even a Fortune 500 company do to stop the rising trend in security breaches from happening?  Keep in mind that these tips will only help you to mitigate, or decrease that risk.  It is not a 100%, absolute guarantee.  Here we go:

1)     Review the basics:

At this point the thought of investing newer security seems to be the answer.  The harsh reality of that is actually a resounding “no”.  You really do not need anything.  You can probably make so with whatever you have in place.  It just all needs to be realigned again to give you the maximum protection that is possible.  For instance this means conducting a brand-new risk assessment to see where your most vulnerable assets lie at.  It also means reviewing your security policy and other important docs to see how well prepared you are to handle a security breach should it happen to you.  It also means that your employees are obeying proper password hygiene habits.  It also means that your are applying software patches and upgrades as they come out.  More can be added, but you get the idea.

2)     Keep an eye on your remote services:

This is starting to become a newer type of vulnerability, and something that the Cyberattacker will take complete advantage of whenever and wherever possible.  Probably one of the most broken remote services is that of the Remote Desktop Services, or also known as RDP from Microsoft.  This is a specialized kind of protocol that lets you log into remotely another workstation or server.  It has been hammered many times by Cyberattackers in the past, and truthfully speaking, I don’t how actively it is even being used even more.  In fact, the Solar Winds hack occurred because of weaknesses that were found in one of their remote services, that thousands of clients became highly dependent upon.

3)     Privileged Access:

These days, the Cyberattacker is not so much after the passwords of just your regular employees.  Rather, they want the higher-level privileged accounts, so they can get to the crown jewels even quicker than before.  So, make sure those Privileged Accounts are as secure as possible, by making use of the principles of Privileged Access Management, or also known as PAM for short.  This is starting to become a hot area now in Cyber, especially with SaaS based deployments into the Hybrid Cloud.  I am in the process of writing a ton of articles about PAM for a client, so hopefully I can get those uploaded to my site soon.

4)     Watch for Social Engineering:

Many Cyberattackers of today are even dissing the notion of using digital threat vectors.  Instead, they have a new ally on their side:  Social Media.  A hacker can quickly build up a profile based upon what people post, and from there, they can launch laser pointed Social Engineering attacks against them in order to gain access to privileged information.  Also, they can use what is known as Open-Source Intelligence, or OSINT for short.  This is all mostly free stuff that is available on the Internet that gives details about other people and businesses.

My Thoughts On This:

Here are some of the quick tips that you can use to keep your business at bay from security breaches.  It is by no means an exhaustive list.  But it is designed to get you and your CISO thinking about things again.  Remember, new does not always equate to security success. Simply building a better mousetrap with what you already have is usually the best way to go.

 

Saturday, November 26, 2022

What Needs To Happen In 2023: The Launch Of The Department Of Cybersecurity

 


Hope everybody out there had a great Turkey Day!!  It’s hard to believe that in just a few short days, we will now be coming into the last month of the year.  Many things have transpired this year, but I won’t get into them. 

Probably some of the better news has been that the Cyber threat landscape, in my opinion, has not been nearly as volatile as the previous year, of 2021.  A lot of this fear was initially triggered by the Russian invasion into the Ukraine, with people thinking large scale Ransomware attacks would happen, but fortunately, nothing did.

One issue that has taken the back seat, as it seems so in the Cyber news headlines, are the data privacy laws that were enacted just a few years ago.  These include the GDPR, the CCPA, HIPAA, etc.  Back in 2019, there was a lot of fear amongst businesses in Corporate America that that they could fall victim to an audit and possibly face steep financial penalties.

Under the GDPR, the fines can be punishing, up to 4% of gross revenues.  The CCPA is a few thousand for a certain amount of PII records that have been stolen or leaked, and I am not too sure what the HIPAA fines are, because they can vary widely between healthcare organizations. 

But once the COVID-19 pandemic hit, enforcement of these laws came to a screeching halt.  The big catalyst in this one money and liquidity soon became a serious concern, with everybody WFH and the global shutdown that took place.

So, from 2020 to 2021, all was silent with enforcement.  But now, as the news of COVID-19 has pretty much dissipated, the talk of them has started up once again. The audits and the financial penalties have started to occur, as I see when I peruse the Cyber news portals every day.  But it seems like that it happens sporadically, there is really no “rhythm” to it (perhaps the regulators want to keep audits a surprise?). 

But now, as we enter into 2023, the fear of the data privacy laws coming down again will soon to become a big fear once again.  Why is this so?  Here are some reasons why:

*With the advancements of technology, especially with the Internet of Things (IoT), people here in the United States now have a much greater insight into how their PII data is being gathered and disseminated.  The American population now more than ever before has the right to have their data deleted from external third parties if they wish to.  If it is not reciprocated in kind, then the consumer has the right to file a lawsuit against that company.

*There has been a mass migration to the Cloud by a lot of US based business, either into the AWS or Microsoft Azure.  Although the initial interests were either in the private or public clouds, now it seems to be for the hybrid cloud.  With this new trend, data leakages are now almost becoming a de facto.  In this regard, it seems to be the AWS that is taking the brunt of this blow.

*Many companies have complained about the sheer high costs that are involved with coming into compliance.  A lot of time and resources are spent with doing compliance checks and trying to either upgrade existing controls or simply putting brand new ones in place.  Because of all this raucous, organizations still have not yet come into full compliance, and thus are becoming a prime target for the federal regulators. 

But on the flip side, apart from complaining about how the high the costs are, businesses do have one very valid point in mind:  The data privacy laws are simply too confusing to follow.  Take for example the GDPR.  Technically, this law was meant for EU based businesses, that fit a certain revenue size. 

But keep in also that many US based businesses also have offices in the US.  So how does this law affect them?  Take the flip side:  What if the US based company has no offices in the US, but as a lot of customers that are from the EU.  Are they still going to face audits and be penalized even under this situation?  There is a lot of head scratching going on this one also. 

The CCPA also has left the same confusion upon businesses that have customers in the US, but have their headquarters in another country.  Will they still be audited in their own country because the CCPA is a law that was originated and passed in CA? 

Again, another question that is yet to be answered.  Another huge point of confusion is that many of the states here are coming with their own version of the CCPA, or other type of data privacy statutes.

There is no uniformity or a set of best practices and standards that businesses can follow, so that everybody can be on the same playing field.  For example again, what if a business is based in IN, and has offices all around most of the country.  How would they even know where it get started in the compliance game if each state has its own concoction of what comprises data privacy?

Fueling more fire to this, is that there are more laws that have been passed, such as the following:

*The American Data and Privacy Act;

*The Data Privacy Shield 2.0.

Adding even more to this “Land Of Confusion” is the fact that many datasets are co-mingled with another in order to process paperwork.  The best example of this is the insurance industry.  They need both the PII and PHI datasets from a claimant in order to process a filed claim, so that some sort of payout can be made.

My Thoughts On This:

It is expected that by 2023, 65% of the world’s population will be under some sort of data privacy law.  Thus, before we hit 100%, the time to act is now.  I have always been a strong advocate of a Department of Cybersecurity, like the DHS. 

The primary reason for this is that at least the bills that are introduced into Congress and the Senate will be centralized, and at this level, the states can have their input into them, thus eliminating the need for each state to pass their own laws.

By having such an entity, there will be at least a set of best practices and standards, so that US based businesses will not have to guess anymore.  Also, it will serve as a point in which intelligence gathering and sharing can occur at a worldwide level, in a quick and expedient fashion.

But to the business owner dealing with the world at the present time – just stay the course and try to be compliant as much as you can.

Sunday, November 20, 2022

3 Top API Security Trends For 2023

 


As we lumber along into 2023 in a rather face clip, there is one thing that will remain for certain in the digital world:  The number of connected devices is only expected to grow at a much higher clip than ever before.  Consider some of these stats:

*By 20232, there will be an average of 4 connected device for every individual;

*By the end of next year, there will be 30 billion connected devices in total;

*The number of digital machines that will be interconnected will be at a whopping 15 billion.

But the common denominator connecting everything together is the software applications that reside underneath them.  For example, it makes no sense for an app to communicate from one device to connect to another, totally different device if there was no business reason behind it. 

But software apps are the thing of both now and the future.  Although this interconnectivity does bring its key set of advantages to the table, it does bring in its Cyber risks as well, as now the attack surface has greatly widened.

Because of this, many software development teams and the companies that they work for are now coming under the microscope more so than ever before, because much of the source code that was used to create the app was never fully tested. 

Or at best, only bits and pieces of it were, thus leaving many backdoors open for a malicious third party to enter into. 

In fact, if you take a quick peruse through some of the Cyber headlines that are available on the various online portals, you will find at least 2-3 stories in which insecure source code was the culprit of a security breach in happening. 

At fault here are the APIs that are used in the source code development process itself.  Let’s use an illustration here.  Suppose a client came to your team and asked that you develop a specialized web app for them.

If you were to create the source code from scratch, it would take many months to get the project completely built out.  By nature, software developers don’t like to waste time in the coding process, if possible, they would like to take shortcuts and reuse the same code in order to keep up with the schedule of delivery. 

So in this regard, the API is a widely used tool.  It is a software library, or module, that bridges the front end of the app (which is what the end user sees) and the backend (which is the database, which houses the data about the end user, for example, when they fill out the contact form.

The API is nothing but a bunch of code that can be modified in order to meet the strict needs of the software development team.  Some of these APIs are closed source, meaning you actually have to purchase the license in order to fully use them.  But a bulk of them are open source, which simply means that you can download them for free from a reputable vendor, such as that of Git Hub.

But the problem with these open-source APIs is that they are really never updated with the latest patches and upgrades.  In the rush to get things done, software developers go on blind trust that these APIs are indeed safe to use, without testing them first.  And, if there are any untested APIs in the project, this is yet another avenue for backdoors to be left open.

But this is not the only problem to be faced when using API’s.  The other issue is now coming up with the permissions that are being established with them.  For example, rather than having to keep modifying the level of permissions for every new software build that comes out, software developers are implementing super user privileges from the very first build itself, and letting it go at that. 

They take the blind assumption that these privileges will be modified over time, when and as needed.  But, when the second build does come around, many of these same developers forget to do this, thus leaving a huge security gap here. This is becoming a very serious here, as it is evident from these stats:

*According to the Salt Security State of API Security Report, 20% of all of the respondents some sort of security breach because of overprivileged APIs;

*On a monthly basis, there are at least 27 million malicious calls made to these APIs.

More details about this can be seen here at this link:

https://content.salt.security/state-api-report.html?utm_medium=banner&utm_source=web&utm_campaign=hellobar

So what can be done to help stop this abuse of over privileging APIs?  Here are some tips to communicate with your software development team, whether they are insourced our outsourced:

*Get them to think about security first:

As mentioned earlier in this blog, software developers are always under huge time constraints to get things done on time.  Get away from this line of thinking, and instead, give them the time that they need to develop a product that not only satisfies the needs of the client, but is also as secure as possible.  This means that the developers literally have to test each line of code, one by one, to make sure that it is secure.  Sounds like that this will take forever?  Not really. Today, there are automated tools which are available that can do this, and some of the top ones are available from Git Hub.

*Always test the code:

This is a no brainer of course.  But it’s not from the standpoint of security.  Every source code module must be tested independently in a sandboxed like environment to make sure that they are secure before they are joined with other modules.  This will help to prevent any failure in one module to cascade downward towards other source code modules.

*Get rid of adding super user privileges:

To nip the problem in the bid, just get rid of over privileging from the very beginning.  This will allow for your software development team to adopt the principles of the Zero Trust Framework right when the first lines of source code are created.  Remember, permissions can always be added later.  In fact, this is becoming a hot button topic of today, as many companies are now moving to the Cloud.  But because many SaaS apps are now both available in the internal and external environments, many organizations are now favoring to put them in the Hybrid cloud.  This is where the Zero Trust Framework would work quite well in.  In fact, Microsoft Azure even offers tools that you can use for the assigning of permissions, rights, and permissions for your newly deployed SaaS deployment.  Many of these tools make use of the MIM-PAM methodology when assigning permissions. 

My Thoughts On This:

It is important to keep in mind that Access Management and the role it plays in APIs are also going to become a hot trend in the 2023, and going well into the future.  Thus in this regard, it would be very prudent for your software development team to adopt the DevSecOps approach. 

This is where both the Operations Management and IT Security teams come together to work with the developers, in order to make sure that the app is being developed maintains a strong security posture after the project has been delivered to the client. 

And finally, this approach will also help to ensure that over privileging in any circumstance does not become a common practice. 

Saturday, November 19, 2022

5 Ways In Which To Keep An Ex Employee From Going Rogue On You

 


With talks of inflation starting to dissipate a little bit, and while the job growth here in the United States seems to be still rather robust, I’ve got to be honest and say than I am a bit surprised to see the total number of tech layoffs that have been happening here in the United States. 

Now, it is nothing like when the Great Recession happened, but it is still surprising when all you keep hearing about are the number of Cyber jobs that still need to be filled.

Whatever it is, I hope these people will find something that they are passionate about, and will take them to even higher levels.  However, given this trend, there is now a new Cybersecurity fear that is coming up. 

And that is, how will terminated employees react when they are let go?  Meaning, is it possible that they could launch an Insider Attack, given all of the knowledge they have about their former employer (especially those that have worked in the IT Department)?

Put another way, how could one of these possibly disgruntled employees make an attempt to cause damage by stealing the datasets that they have worked years on?  The probability in these cases is very real.  Maybe this was not so much a problem a few years ago, but with companies now making the rush to the Cloud, these datasets are now becoming vulnerable to anything that is nefarious.

During the offboarding process, employees are normally asked to turn in their badges, laptops, and any other security tokens that they may have been given during the course of their tenure.  But now, this a complex process, given that many people WFH from now, you now have digital tools that are performing some the more mundane tasks, and that there are contracted workers that could be dispersed worldwide?

Just consider some these stats from a recent survey that was conducted by a recent survey from Oomnitza:

*10% of the respondents have lost possession of their digital assets after they terminated an employee;

*42% of the former employees try to break into the former employer’s Cloud deployments in order to try to heist some sort of PII dataset.

More details on this survey can be found at this link:

https://www.oomnitza.com/resources/2022-state-of-offboarding-process-automation/

So, all of this now filters down to this basic question:  How can I have an offboarding program that will more or less or guarantee that my former employee will not try to cause any harm?  Here are some tips that you can follow:

1)     Process Automation:

As mentioned earlier, whenever an employee leaves, the checklist was quite simple.  But now it has become a complex process.  Because of this, there have been advancements in the area of automation to make sure that not only everything has been retuned, but all accounts, user profiles, and groups that this employee once belonged to are now either deleted or deactivated.  This can be a good thing to have, because with so many rights and privileges being granted, the IT Security team can even forget to disable something.  As a result, this can be a backdoor for the ex-employee to enter into.  One such automation package that has been given great attention is what is known as “Enterprise Technology Management” solutions, or ETM for short.  In these kinds of software packages, you can enter all of the user groups and profiles that each and every employee belongs to.  So once an employee decides to quit or is terminated, all you have to do is enter the last day that they will work, and everything else is done automatically, in terms of deprovisioning all of the former employee’s accounts.  In the end, nothing is left behind, thus leaving your environment reasonably safe and secure.

2)     It takes a simultaneous approach:

Remember, employee termination now touches just about every department of a business, ranging not only from the IT Security team, but to HR, and even Finance/Accounting.  Once it has been decided that there will be a mass layoff, or that an employee gives their two week notice of their intention to quit, all of these departments need to come together to make sure that all of their own digital assets will be safe.  In terms of HR, they need to make sure that all of their employee records will be intact, and from the finance/accounting perspective, these departments need to make sure that all PII datasets (especially those that contain Social Security numbers and home addresses) will also be secure as well.  In other words, there needs to be some sort of policy between these three departments that will serve as a trigger point for simultaneous notification of an employee departure.

3)     The need to have sound IAM policies:

This is an acronym that stands for “Identity & Access Management”.  In short, this is an area of Cyber that stresses the need to make sure that all employee accounts, and their associated rights and permissions are updated all of the time, and any escalation in them requires a special review by the IT Security team.  Also, a key aspect of this is the concept of “Least Privilege”.  This simply means that all employees are given enough access to what they need to support their every day job tasks.  This even includes the C-Suite and the Board of Directors.  Nobody is immune to this rule, whatsoever!!!  By having an effective IAM policy, this will trickle down to ETM solution, as described previously.  Meaning there will be no need to do double the amount of work.  It would be ideal if these systems could potentially “cross-talk” with one another in order to keep things updated on a real time basis.

4)     Pay close attention to the Hybrid Cloud:

This is where the Public and Private Cloud deployments intersect with each other.  In today’s world, many applications are being put into this kind of environment in order to save time on deciding exactly where else to put the SaaS applications at.  This simply means that people will have certain access to some apps, and some won’t.  It is one thing if applications were being loaded up one at a time, but now the corporate world is finding itself deploying many of them all at once.  With this, comes the confusion as to who has access to what, which can lead to data leakage issues.  Therefore, special attention needs to be given to the Hybrid Cloud if you are making use of one.  I know that Microsoft Azure provides tools that you can use for almost free to help fortify your Hybrid Cloud.

My Thoughts On This:

Letting go of an employee for lack of a better term, sucks from both sides of a fence.  If you are faced with this situation as a manager, you need to try to be as cordial and understanding as possible.  You need to show empathy, and offer all means of support that are within your means, especially when it comes to severance packages, and reimbursing for unused vacation and PTO time. 

Try to provide ways for your soon to be ex-employee to find another job. 

Taking this kind of approach can prove to be just as fruitful in avoiding any subsequent security breaches as well.  Also, keep an eye for any malicious behavior for up to two weeks after the employee leaves your business.  This is the peak time for Insider Attacks to happen, and according to a survey by Cyberhaven, 83% of rogue behavior occurs in this time span.  More information about this can be seen here:

https://www.cyberhaven.com/blog/2022-insider-risk-report/

Sunday, November 13, 2022

What's Going On At Twitter After The Musk Takeover? An In Depth Analysis

 


Today, I reminisce back to the days when social media was still it its infancy, perhaps.  I remember Facebook as the juggernaut back then, which was well over 10 years ago.  I never really cared to much for the social media platforms back then, and even the same continues to this day. 

The only one I am really active on is Linked In.  My first aggressive push though into social media was when I first started the tech writing biz, which was in 2009.

I remember opening accounts with Twitter, Facebook, Linked In, and My Space (are they even in existence anymore???).  I used these sites mostly for blasting out my blog posts and other content that I had wanted to share. 

Nothing too much happened with it, so I just kept using Twitter and Linked In.  I tried opening up accounts on Instagram and Pinterest, but was simply too lazy to post anything.

But now it seems like social media is a part of our ever day lives, and we simply cannot live without it, just like our smartphone.  But now, the headlines are being filled with Twitter, and how Elon Musk has changed it radically before he bought it some weeks ago. 

For example, he came up plans to terminate up to 50% of the Twitter workforce, and in one huge blow just this past week, all of the IT Security people also quit.

Probably the person to bear the brunt of all this was the former CISO of Twitter, Lea Kissner.  Late last week she resigned from this position, offering no real reason why.  But based on what she wrote, it sounds like she is on the hunt to find greener pastures somewhere else, or maybe even start her own thing (this is just my assumption only).

There were also two other key people who left as well:  Chief Compliance Officer Marianne Fogarty and Chief Privacy Officer Damien Kieran. Now the main worry is who is going to manage all of the data compliance issues, as many people, when they first open their account, have to share some personal information, such as their phone number, and e-mail address. 

If there is no solution as to who is going to fill this void, it is quite likely that Twitter could come under the audit eyes of the regulators from both the CCPA and the GDPR.

These three key layoffs are believed to be a detrimental blow to Twitter, as the company has tried recently to make greater efforts in improving their levels of Cybersecurity.  For example, this includes getting rid of duplicate accounts that are no longer being used, and even using two further steps for confirming the identity of an individual before their particular account will be provisioned.

For example, this happened to me a few weeks ago.  One of my older accounts got hacked into, so I tried to create a new one.  Normally in the past, one could get away with just confirming it with a One Time Password sent from Twitter to your smartphone. 

But now, not only do they require that, but you also have to complete this Captcha of sorts which has very difficult to discern pictures.

It took me about 6 different attempts until even I got it right.  I really don’t use it that much now, only when it is needed.  One of the other main concerns now is who is going to fill these voids of these key people who just left?  At this point, nobody really knows yet.  But apart from the security aspect, there are other huge concerns as well now that Elon Musk is going to have to face by himself if there is nobody to help him.  Some of these are as follows:

*Protecting user privacy;

*Eliminating spam like messages;

*The opening up of fake accounts which can be used to spur nefarious activities;

*Most importantly content moderation, especially those accounts used by right wind politicians.

There have been other key layoffs at Twitter as well, but these people did not get the notoriety as the others did.  These people are:

*CEO Parag Agarwal;

*Chief Financial Officer Ned Segal;

*Chief Attorney Vijaya Gadde;

*General Counsel Sean Edgett.

Wow, it seems like that Musk’s entire C-Suite were either terminated or fired.

I know that Twitter in the past has made comments about trying to use AI and MI on a much greater level when it came to policing accounts and keeping an eye on the content that was inbound and outbound. Another area of concern for people heavily outside of Twitter is that now who is going to continue with these efforts, which are so critical to Twitter? 

Unfortunately, nobody knows the answer to that either.  With all of these key people gone and more terminations and quitting still yet possibly to come, there will be nobody to fill in this void, as they will have to be trained into this newer initiatives.  Of course, Twitter could possibly outsource all of this, but then that would be like giving away the trade secrets of the company.

Musk’s response to all of this that these terminations were all a part of a cost cutting effort, because of decreased spending on ads on Twitter from third party vendors.  Now, I am not privy to all of the happenings at Twitter, but from what I read in the news, many of these vendors did not leave until Musk took over. 

They were simply afraid as to what he was going to do next, and quite frankly, I really don’t blame them.  If I was spending cash on ads, and something drastically changed, I would hold off too.

My Thoughts On This:

Right now, if things continue to go along some the same tangent as they are for Twitter, the greatest fear they have face is that of dealing with the compliance regulators, as stated  earlier in this blog.  But this not would be so much from the GDPR or the CCPA, but rather, this would come from the FTC. 

Right now, they have their audit eyes on them, as Twitter was slapped with a $150 million just a few months ago.

In fact, the FTC has also ramped up its actions against Twitter, especially when it comes the privacy of its user data. Some these are:

*The selling of email IDs and phone numbers to outside third parties;

*The need to beef up the use of Multifactor Authentication (MFA);

*Notifying subscribers of any malicious activities that occur on their account.

And as a result, it is quite likely that a broad sweeping security audit on Twitter could happen  any time (again this is something that I am assuming).

When I first heard Elon Musk took over Twitter, I had bad feelings about it.  Now, let’s see what the future holds and what the impacts will be to companies worldwide as many of them make heavy usage for their Twitter marketing campaigns.

Saturday, November 12, 2022

5 Compelling Reasons To Hire Vets For Cyber Jobs

 


I just wanted to say to the troops and people who have served in the United States military, no matter what branch it might be, Happy Veterans Day!  It is through your sacrifice that the United States has become the land of hope and the powerhouse of democracy that it is today, despite all of the dirty politics going on.  Thank you for your service!

It’s also interesting that this morning, I came across a news article that the headline basically stated:  “Why military people make great Cyber employees”.  Believe it or not, I agree 100% with this statement.  Through the podcasting and tech writing that I have done, I have come across many people from the US military who have either worked in Cyber (or are continuing to do so), or have even started their own Cyber businesses, and they have been very successful at it.

So, why do former members of the military make great Cyber employees?  Here are a few reasons why:

1)     They can adopt to newer forms of technology:

Not all members of the military serve in an electronics kind of role.  Some have served as commandos, or even as drill instructors.  But whatever it is, it seems that veterans have a much easier time to quickly pick in learning newer technologies than say, a college graduate.  The reason for this is because of the intensity of the bootcamps they go through, members of the military have been taught how to transition quickly from one scenario to the next in a quick fashion.  For example, if they are on the shooting range one day and taught how to use a rifle the next, the learning curve will be much lower than for say, the average civilian.

2)     They take understand the mindset of the enemy:

This comes down to the fundamental question:  Why do we have a military?  Well, the answer to that is obvious:  To protect us from the enemy.  Back in the days of the Cold War, it was the Soviet Union, and now it is the Cyberattacker.  Who ever we are fighting, the soldier of today has to take the mindset of what the enemy is possibly plotting, and how they will carry that out.  This is the same type of mentality that Cyber workers are told to take, especially those of Pen Testers and Threat Hunters.  But veterans have that huge leg up:  They already know how to do it, because they have been trained extensively in how to do it.

3)     Leadership is needed:

One of the biggest complaints amongst Cyber workers is that their so-called leader, which is primarily the CISO, does not know how to lead.  They may talk tough in front of the Board of Directors, but deep down, they are scared to death about holding onto their job.  Therefore, it is very difficult for them to learn to be a leader.  But not people in the military.  As far as I have seen from the videos on You Tube, the recruits are taught how to be leaders from the moment they arrive at boot camp, and the skills that they have learned in this regard, are groomed continuously.  So the moral of the story here is if you want a CISO to lead, get a veteran.  They will take the ball a lot further than a civilian would.  And they just won’t talk tough.  They will deliver.

4)     The Cybersecurity landscape is changing:

As many Cyber workers can attest to, there is no such thing as a typical day in the office.  It’s never a 9-5 kind of thing, and this is where many employees get burnt out at.  They want to leave right when the clocks hit this time, because they are so mentally drained.  But people who come out of the military are trained to work at all times of day and night and even in the most extreme of conditions.  Probably the best example of this are the SEALS, Delta Force, and other special commando forces.  So thus, they will have more stamina to put in extra longer hours, and work anytime as and when needed to do so.  And also, veterans can handle the stresses of a constantly changing environment much more so than a civilian could, because their minds and bodies have trained that for years.

5)     There is more to Cyber than just digital:

Whenever we think of Cyber, we always think of digital assets, and this is rightfully so, because this is all we hear about.  But remember, Cyber also consists of the other side of the coin, which is the physical security aspect as well.  This typically involves securing the main points of entry and exit externally and internally to the business.  In fact, the Cyberattacker of today is now focusing on this realm, because everybody’s attention is still focused on the digital, so physical security gets very little attention. This is where Social Engineering comes into play, and if a Cyberattacker is smart enough, they can enter in through a doorway pretty easily, undetected.  But people who are in the military not only get training in Cyber stuff, but they also get trained in the physical aspects as well.  After all in a warfare situation, some of the stuff involves house to house and building to building searches. 

My Thoughts On This:

Well, there you have it, why veterans have a higher edge up on Cyber skills than what most civilians have to offer.  But it doesn’t mean that you should ignore the latter. A great Cyber workforce would include employees from both sides of the fence.  Another boon that most veterans have is that they can still receive continuing education for almost free, provided the government.

So there is no extra financial pressure for the organization in this regard.  So if you hire a vet, and they want to get a cert, most likely the government will pay for that, and the respective bootcamp that goes with it.  Finally, former military people don’t have chip on their shoulders.  Their mentality will most likely be (depending upon the individual), “Let’s roll up our sleeves as a team, and get the job done!!!”.

Sunday, November 6, 2022

(Belated) Cybersecurity Awareness Month – Medical Devices

 


Introduction

Last month, October, was Cybersecurity Awareness Month.  I realize I am about a week late, but here is a blog that I had wanted to post then.  Here we go! It’s about Medical Device Cybersecurity.

Why Is It So Important?

Probably many, many years ago, nobody ever thought that an implanted pacemaker could be the target for a Cyberattack.  But fast forward to now, and unfortunately this is now the new reality.  One of the main reasons why this is so because medical devices have pretty much become interconnected with everything else in our lives.  This has become popularly known as the “Internet of Things”, or the “IoT” for short.

With this vast expanse, the Cyberattacker has a lot more fertile territory in which they can penetrate into.  Thus, healthcare practitioners of all types now have to be careful when they are working with your implanted device.  For example, your kidney dialysis machine, or even your pacemaker could be at grave risk.  As horrible as this sounds, a Cyberattacker can now easily tamper with the settings of an internal pacemaker, and literally make the patient have a heart and possibly even lose their own life.

Just How Serious Is It?

While the example illustrated is a bit extreme (but still quite possible), the following statistics just underscore how Medical Device Cybersecurity has become:

Ø  On average, the healthcare industry has suffered at least 3X more Cyberattacks than any other industry;

 

Ø  Healthcare data breaches have increased by almost 200%, with Texas being the main target;

 

Ø  Over 41 million patient records have been hacked into;

 

Ø  The theft patient data is quite lucrative, especially on the Dark Web.  For example, each record can sell as much as $60, and the information that is contained within them can be used to build an entirely new patient profile.  This can then be used to launch subsequent Cyberattacks;

 

Ø  Although 2021 has been known as the year for Ransomware attacks, it is expected to grow at least 5X as much in the coming year, and once again, Healthcare will be one of the heaviest hit;

 

Ø  Quite surprisingly, almost 60% of attacks, including those against medical devices, are considered to be “Insider Jobs”.  This simply means that from within the confines of the Healthcare Organizations, Cyberattackers are still hiding in the IT and Network Infrastructures, ready to pounce once the moment strikes;

 

Ø  Medical Devices that are used by patients are at least 20+ years old.  Thus, there is no way to apply the needed software patches or upgrades, because they will not even work on these legacy devices;

 

Ø  The average hospital room contains at least 15-20 interconnected medical devices;

 

Ø  It is predicted that by 2028, there will be at least 50 billion Medical Devices that will be connected amongst one another in the US Healthcare Industry;

 

Ø  At least 98% of the Medical Devices that are used at the present time remain unencrypted and unsecured, thus leaving them open wide to large scale Cyberattacks such as Ransomware;

 

Ø  It is the implanted Medical Devices that are at most risk.  These include the following:

 

o   Cardiac Defibrillators;

o   Cardiac Pacemakers;

o   Insulin Pumps;

o   Equipment that is used for Neurostimulation;

o   Ear Tubes;

o   Any many more.

(SOURCE:  1).

How To Protect Yourself From A Cyberattack

Truthfully, there is really no way that an individual patient can protect themselves from being hacked.  The primary reason for this is that as stated previously, the bulk of these devices are located internally from within a patient, and thus, they are highly dependent upon both the medical practitioners and the Healthcare Industry to take some bold steps.

Here are some recommended tips:

1)     Understand how the device has been built:

Remember, a medical device is no longer just a hardware component.  It also has a huge software part of it also, so the Healthcare Provider that is considering procuring a new lot of medical devices for their patients need to understand this was developed.  In this regard, the Provider should ask the manufacturer if the source code that was compiled to create the medical device was actually tested, and if any flaws or vulnerabilities were discovered, and mitigated.  Obviously, they will not come out and reveal the actual code, but they should at least answer this question with no hesitation whatsoever.  Anything else, that should be a huge red flag.

2)     The move to the Cloud:

Primarily fueled by the COVID19 pandemic and the bear 99% Remote Workforce, many businesses in Corporate America, and even many of the Healthcare Organizations have opted to move entirely to the Cloud.  While this does offer a greater expanse of Cybersecurity, the Cloud too is still at risk.  Therefore, if you are planning this kind of migration, it is most prudent if you go with a well-known Cloud Provider, such as that of the AWS or Microsoft Azure.  They have the security tools on hand that can be deployed in a matter of a few minutes not only to protect your patient’s medical information and data, but also even protect the network lines of communications to the medical devices.  Also, another key advantage with using this kind of approach is that the Cloud environments that are available from these providers are already compliant with the myriad of data privacy laws, which includes the likes of HIPAA, GDPR, CCPPA, etc.

3)     Never use the vendor settings:

When the time comes that you have actually procured the needed medical devices for your patients, it is very important to keep in mind that you do not use the default security settings set by the vendor.  The reason for this is that these only offer the most minimal levels of security, therefore, you need to set them to what is required and mandated by your Security Policy.  Also, make sure that you are on a regular schedule of applying the needed software patches and upgrades.  Your vendor should be able to work with you on this critical aspect.

Conclusions

Remember, it takes an entire ecosystem of individuals to help guarantee some reasonable level of medical device Cybersecurity, all the way from the vendor to the parts supplier, and even the doctors and nurses that are using them for their patients.

A future article will take look at yet another angle that is being used to help safeguard the medical devices of today – the public and private security frameworks.

Sources

1)     https://cybersecurityventures.com/15-cybersecurity-statistics-to-diagnose-the-ailing-healthcare-industry/

2)     https://www.synopsys.com/blogs/software-security/medical-device-security-best-practices/

 

Saturday, November 5, 2022

Looking For A Good Bounty Hunter? Pay Attention To These Top Ten Needs

 


As we approach into 2023, there is one thing that is for sure, at least on the Cyber front:  The need for good researchers.  True, one can argue the fact that most AI and ML tools can pretty much do this, and give the IT Security team a pretty painting of what future threats will look like down the horizon. 

While these tools are great in combing through huge amounts of data, when it comes to research, it always takes human involvement in order to confirm if something will be for real or not.

Honestly, finding good researchers is a hard task to accomplish.  In fact, I have written about this in some detail in a previous blog.  It takes quantitative skill, curiosity, persistence, and the ability to communicate results effectively with the team.  Some researchers are hired on a contract basis, while most of these kinds of efforts are spread throughout the IT Security team. 

But yet, there is another way to get researchers onto your team (and who knows, they might even make a good full-time employee).  These are known as the “Bug Bounty Hunters”.  These are the people who are given a security vulnerability and attempt to find a solution to it. 

If it is picked by the vendor, this person or team is then awarded a good sum of money.  We are talking like five figures or even higher. 

There is nothing new to this, many of the tech titans do it, and even those not involved in the tech field even offer it.  But one of the major drawbacks of this kind of program is that it can take forever to get a payout.  A large part of this is the review process that is involved by the vendor. 

Another complaint that the Bug Hunters complain about is that the criterion for how the payout will be awarded is not disclosed.

There are other complaints which are stacking up, and these include the following:

*How the vendor exactly classifies what a vulnerability really is.

*They want to know more details about the previous year’s payouts.  They claim that once they know this, they can then make a decision easier if they want to participate or not.

*How long it takes the IT Security team to triage their incoming alerts and warnings.  If this process appears to be quick, then then the Bug Hunter knows that they are dealing with the real thing, and not with an entity that simply blows security related issues. 

*Probably one of the most important:  The rules of determining on the timeframe of when the bounty will be paid.  Of course, everybody wants to be paid fairly quickly, but to be fair, the vendor also needs some time to go through all of the solutions presented in order to select which one will be the best to use.  In other words, some common ground needs to be found here. 

*The vendors like to pay out as little as possible, and of course, the Bug Hunter wants to get the maximum amount possible, because they feel that their time is valuable, which is of course true.  It is often advised that in these kinds of conditions, and average payout is probably best.

*Bug bounty hunting is a lot like Penetration Testing, but on the side of the Red Team.  Therefore, the Bug Hunter is going to have tear down the walls of defense of the vendor, in order to find a good enough solution. But contracts need to spell out clearly what get can ethically hacked into.  While this should take of the legal ramifications, it typically does not.  Therefore, the Bug Hunters are often fearful if there will be some sort of reprisal by the vendor.  Because of this, a clause known as the “Safe Harbor”.  This clearly states that a vendor will not go after a Bug Hunter if their efforts that have been conducted was the result of living up to the terms of the contract in good faith.  While most Bug Hunters tend to be ethical in nature, some are not.  Therefore, the Bug Hunter want to know to what degree that they will be protected and the other resources that they can turn to in case they get burnt.

*Quickness:  The Bug Hunters want prompt answers to the above, and they want to hear from the people that have actually requested submissions.  But above all, if their submission is selected, the Bug Hunter should be notified promptly and the payout made the same day, if possible.

*Clear submission guidelines:  The Bug Hunter wants to know up front what the other requirements are for submitting a solution.  They should not be told of what other information is needed after the initial solution has been submitted.

*It is not the admin assistant that is reading the solution:  Bug Hunters, if they are serious in what they are doing, will prepare their solutions in a professional manner.  It may require a lot of “geek-speak”, so they expect the people that are reading the solution will actually have the same level of expertise.  In fact, this should be part of the entire disclosure process:  The names and the biographies of the people that will be reviewing the solution should also be provided to the Bug Hunter as well.   

*An advocate:  Unless the Bug Hunter does their due diligence, they will want some outside support to advocate for them in case something goes wrong.  IMHO, some sort of external third party should be used, such as a lawyer that has a background in Bug Hunter cases.

My Thoughts On This:

In the end, implementing a Big Bounty program could be the best way to hire a researcher for your company.  For instance, you will be able to witness firsthand the level of expertise that is involved helping you to find a solution. 

But remember, treat your Bug Hunters like you would like your employees, with respect, honesty, and a clear lines of communication.  But above all, make your payments quickly.  If you wait a long time to do this, not only will the image of your company start to erode, but it will be harder to find quality help when you need it the most.

How To Launch A Better Penetration Test In 2025: 4 Golden Tips

  In my past 16+ years as a tech writer, one of the themes that I have written a lot about is Penetration Testing.   I have written man blog...