Saturday, December 31, 2022

7 Expected Cyber Trends For 2023

 


Well, here we are on New Year’s Eve of 2022.  So what will the Cyber world look one day from now?  Here are some thoughts:

1)     Automation will become more popular:

I’ve written numerous whitepapers this past year on automation.  For right now, this is popularly used in the manufacturing industry, such as cars, where Robotics are used quite a bit.  But how about Cyber?  It has made its start as well here, but to of limiting degrees.  For example, it is being used quite heavily in AI, in order to help optimize and clean out large datasets.  It is also being used in both Pen Testing and Theat Hunting.  But will we see more of in 2023?  I think we possibly could, especially when it comes to getting a much more accurate picture of the Cyber threat landscape.

2)     Scary ML:

While AI has its good side, it does possess its dark side as well.  Probably the worst-case usage of it are the Deepfakes.  This is when a fake video of a real person is created, in order to make them look like the real thing.  Luckily, we did not see too much of it in the midterm elections of this year, but it is expected that starting next year and forwards, the malicious use of Deepfakes is only going to get worse.  This is especially true when it comes Social Engineering, and launching Synthetic ID Fraud attacks (this is where bits and pieces about a real person are used to create an entirely fake persona).

3)     Malicious uses of Chatbots:

Remember those pesky things that appear on the lower right-hand side of a website?  That is what I am talking about.  It seems like that just about every website now has them, and when then they do appear at first, they have a horrible sound to them.  But anyways, Chatbots are supposed to be of help when you can’t get through to someone on the customer service line.  But I have never found them to be useful because all I get are canned answers.  But the truth of the matter is that these so called Chatbots are getting much more advanced all the time.  Now it has come to the point where even the Cyberattacker have hijacked Chatbots for malicious purposes.  One such case was the “ChatGPT”.  This is where various languages were used in various Chatbots.  Nothing wrong with that, but the problem was that the language was so perfect the end user did not realize that they were communicating with a malicious third party that could barely even speak English.  More details about this can be seen at the link below:

https://venturebeat.com/security/chatgpt-ransomware-malware/

Worst yet, the chatbot can also be used for a supply chain attacks.  For example, all a Cyberattacker has to do is infect one machine with some nefarious malware, and from there, that will spread like wildfire to hundreds, if not thousands of other unsuspecting victims.

4)     Critical Infrastructure:

We have seen attacks here already happen, but the fear is that it could get a lot worse, especially with the geopolitical tensions right now with the Ukraine and Russia.  What we have seen so far have been much smaller scale attacks (except for maybe the Colonial Gas Pipeline attack), but this could magnify greatly next year and beyond.  For instance, what is feared is that there could be a simultaneous hits in major cities on our own soil.  It could impact everything from the water supply to the national power grid.  Just imagine not having either one for weeks at a time?  Well, that is what could very well happen.  The problem with our Critical Infrastructure (as I have written about before) is that it is built upon technology way back in the 1970s.  So it cannot be ripped out and replaced with a new one, nor can you simply apply patches and upgrades.  This only means that we will simply be a sitting duck in this regard for a long time to come.

5)     Attacks on other targets, with the IoT:

The IoT is blossoming and will one day come into full growth.  This is where all devices that we have contact with in both the physical and virtual worlds are all interconnected together.  This has given to novel items such as smart cars, smart homes, etc.  But the problem with all of this interconnectivity is that if a Cyberattacker found just one weakness to penetrate into, they could get all over into the place, and even launch an attack on Critical Infrastructure from this angle.  For example, it is quite conceivable a Cyberattacker could commandeer a commercial airplane or even a boat, and steer it purposely in the wrong direction in order to cause the greatest amount of damage that is possible.  Yes, in a way it can be advantageous to have all of this interconnectivity, but at what price to society will it come at?  That is the question yet to be answered, and unfortunately, the answer will be quite depressing.

6)     Mergers and Acquisitions:

Although there have been a number of tech layoffs recently, it is still expected that the Cybersecurity industry will grow, just for the sheer fact that we need it.  Therefore, it is expected that there will be more buyouts and transactions that will happen in 2023.  In fact, I have seen this already happen in 2022, as I peruse through the news headlines on a daily basis.  There is at least one headline per day where some VC is giving out money to a startup, or one Cyber company is buying out another one.  There will always be innovation and growth here, so expect this kind of activity to happen for the long term.

7)     More tabs on the workforce:

The COVID-19 pandemic changed the shape of this world, both for the good and bad.  But one thing for sure is that the Remote Workforce will now be a permanent fixture here at least in Corporate America for a long time to come.  Because of this, employers will need better ways in order to keep tabs on their employees.  Unfortunately though, these will be much more covert and stealthier, and in some cases, even scarier in the eyes of the Remote Worker.  This can be likened to the fear of Big Brother watching.  But this a tradeoff proposition:  If employees want to WFH, then they need to accept the fact that there will be a need for their employer to keep closer tabs on them.  Will the Hybrid Workforce model alleviate this?  Let’s find out as 2023 starts soon.

My Thoughts On This:

Well, there you have it, a list of what could possibly happen next year on the Cyber front.  In reality it is hard to say if they will happen, but we will know one year from now, as we await for the start of 2024.  But one thing is for sure:  The oldest threat vector, Phishing, will still continue in full force even going into 2023.

Monday, December 26, 2022

Data Destruction In The Cloud: What Does Really Happen???

 


One of the fallacies in the world of IT, especially for end users is that once you delete a file, it is permanently gone.  While it may appear to be the case when you to try to find it, the truth of the matter is that it is still lurking in your hard drive somewhere, in a partition that is not used as much. 

The only way to retrieve it is through some means, which I am not totally familiar with.  In fact, that is what forensics experts look for.  Have you seen those news shots where law enforcement is taking stuff from a house?

They are of course still collecting evidence from it, but this is known more specifically as “latent evidence”.  This is information and data that has been erased, but the remanence of it still remains.  Through this, the forensics can then extract this kind of data, and literally reconstruct back into its entire structure. 

In fact, trying to thoroughly get rid of data and information is an entire field of itself in Cyber, and there are many companies out there that are doing well in this business.  Technically, this is known as “Data Destruction”.

These companies have the tools and equipment to completely wipe out your hard drives of anything and everything before they are discarded.  So, if you are trying to get rid of some old hard drives or even other types of wireless devices that your company does not need anymore, just don’t simply discard them in your outside dumpsters.  Believe it or not, Cyberattackers still “Dumpster Dive”, in search of such prized possessions.

To them, it is very often a challenge to break into the hard drive, and fetch out whatever they can.   But data destruction does not end there.  With the data privacy laws that now abound, most businesses are now required to retain data for a certain time period, for the purposes of auditing. 

The length of this will vary depending upon the industry that your are in.  It’s like keeping your tax records for seven years, you just never know.

Once this time frame is over, you can then purge your databases of this data, of course, by contacting a data destruction company, and doing it the right way.  Now, this is all great if you still have an On Premises IT infrastructure. 

I mean after all; you are physically holding those hard drives. But now that everybody is more or less moving to the Cloud, how does data destruction actually happen?

The AWS and Microsoft Azure definitely have great tools that you can use to keep your data for whatever time period you need or want.  But take a moment and think about this one:  If you don’t want a file anymore from one of your SaaS based applications, you can always click “Delete File”. 

But in the end, where does it really go?  After all, you are now dealing in with a virtual world, so you simply cannot claim it is still in a hard drive somewhere.

Well, I came across a very interesting article this morning in the “Dark Reading” online news portal.  The author of this article asked the very same question I am asking now.  But he went the extra miles to contact the AWS and Azure and Google to try to get some answers.  His responses are as follows:

“Outreach to the major services either was ignored or answered with generic statements about how they protect your data. What happens to data that is "released" in a cloud service such as AWS or Azure? Is it simply sitting on a disk, nonindexed and waiting to be overwritten, or is it put through some kind of "bit blender" to render it unusable before being returned to available storage on the service? No one, at this point, seems to know or be willing to say on the record.”

(SOURCE:  https://www.darkreading.com/cloud/data-destruction-policies-in-the-age-of-cloud-computing-).

I even did a cursory look into Azure to see if they answer this very question.  The responses vary greatly, but in general, the consensus is that once you a delete a Virtual Machine (VM), there is not much more you can do beyond that.  From there, it is up to Microsoft to decide how to handle the actual, destruction processes.

The only answers I could find was that data is purged, and can be no longer accessible through various techniques it uses, which are compliant with the various data privacy laws.  But beyond that, no other specifics were offered. 

So in the end, the author of that article simply concluded that at the present time, Cloud based tenants are not given the option for them to make sure that the information and data are completely and 110% purged from the confines of Azure.

Based upon my knowledge of the Cloud, I think the reason why the AWS and Azure does not provide the specifics on their Data Destruction policies is that once you create a VM, it can be stored either in one physical server or multiple pieces of hardware. 

And, when you store that data onto this VM, it too could be sprawled about many different data centers.  But when you access your VM, it looks like everything is one central repository.  But that is not the case.

That is was why I think the AWS and Azure don’t tell you how the data destruction takes place specifically – that would be giving away their trade secrets.  But keep this one thing in mind.  Your VM is actually hosted on physical server, or even physical servers . . . but where they are located at, you will never know.

My Thoughts On This:

Now, another tricky spot is suppose you have a client that wants proof that their data has been thoroughly purged from your VM.  What can you tell them?  Well, as bad as it may sound the only thing you can tell them is that you are at the mercy of the Cloud provider to ensure that this does actually happen.  All you can do is assure them that they are doing things that are completely compliant with the data privacy laws. 

This is especially true for the defense contractors that deal with the DoD when it comes dealing with their data sets.  They also want that proof that their datasets they have provided are completely purged from the Cloud.  But once, there are no firm answers to give out. 

Sunday, December 25, 2022

Don't Become A Victim Of Multiple Ransomware Attacks!!!

 


Just yesterday I wrote about some the top Cyber trends to expect in 2023 (now only a week away).  I had noted that Ransomware is now on a decline when compared to 2021, but note that it will still be around for quite a long time to come, and even going into next year. 

What the difference will be is how far the Cyberattacker will go with these attacks.  For example, will they just stop at holding your device hostage?  Or will they try to exfiltrate data and sell it onto the Dark Web?

Well, now there is a new fear that is coming out:  If you have been hit with a Ransomware attack, the same or even an entirely different hacking group coming after you again, or even a third time?  In theory, yes, this is a very strong possibility, but the odds of actually happening it in the real world are not known yet. 

As far as I know, I have not come across an organization yet that has been impacted multiple times by the same threat vector.  But different ones? For sure.

But also keep in mind that if you do become a victim of a Ransomware attack the first time around, the chances of having sensitive data stolen is pretty high.  Now, if the same Cyberattacker wants to come back at you for a second or even third time, they necessarily do not have to strike at you with a threat vector. 

All they have to do is scare you into releasing the data they heisted the first time so that you do make some sort of payment.

This ends being an extortion kind of attack, and this is what is trending now in the Cyber world.  In fact, the hacking group may not even ask for any money.  They realize that even reputational/brand damage to your company can be equally, if not more devastating. 

So really, all they have to do is come out into the media, and make claims that they have your data.  From there, the very worst could happen.

In fact, this extortion scheme has gotten so bad that it is expected to cost Corporate America $265 billion by 2031 (SOURCE:  https://securityintelligence.com/news/ransomware-costs-expected-265-billion-2031/).  So what can a CISO do to help mitigate the risks of being hammered 3x over by a Cyberattacker?  Here are some key tips:

1)     Know thy data:

Being the head of your IT Security team, it is ultimately, you the CISO, that has to take responsibility for knowing what kinds of information and data are being collected and used by your company.  But even more important is you need to know at all times where it is all being stored.  Even to this day, a surprising number of CISO’s still cannot provide an answer to this question when they are asked directly about it.  If you really don’t anything about, then ask your IT Security team to help you diagram where all of it is at.

2)     Get rid of the siloes:

For the longest time, Corporate America lived in what are called “siloes”.  This simply means each department in a company merely did their own thing, without working as a team with the other teams.  IT Security has been notorious for doing this, but now, with the advent of the 99% Remote Workforce, people are realizing that all departments now have to come together at varying degrees for the common good of their employer.  So, this approach should also work for your databases.  Rather than keeping 10 different bases, it is probably even wiser to consolidate all of them into one central repository, and from there move them into a Cloud platform, such as that of Microsoft Azure.  In fact, a lot of Cyber pundits are now calling for this kind of centralization.  Why is this?  Well, your data becomes easier to manage and optimize, and you can implement all of them into one place.  Thus, it is also easier to keep track of any malicious behavior. 

3)     Keep analyzing:

With the help of both AI and ML tools, you can quickly analyze the data that you have, and what is incoming and even what is outgoing.  Of course the goal here should be to look for unusual patterns in network traffic, but you and your IT Security team also need to keep creating new baseline profiles as the needs dictate them.  In other words, you should never rely upon a static baseline for a long time.  Your profile is a dynamic one, and thus should be updated based upon what you see in the external and internal environments of your company.

4)     Incorporate PAM:

This is an acronym that stands for “Privileged Access Management”.  This methodology should be used when managing Privileged Accounts, especially those in a Hybrid Cloud environment. Essentially, these accounts can be viewed as “superuser” accounts where higher than normal rights, privileges, and permissions are assigned to certain employees in a company.  You should never rely upon manual process here.  Your IT Security team has enough to worry about, and you don’t want any of your Privileged Accounts to be hijacked.  A good PAM based solution will help you to automatically delete and/or decommission those that are not in use anymore, or simply deemed to be inactive.

5)     Work proactively after the attack:

After the dust has settled, you will then want to discover entry points where the Cyberattacker was able to penetrate through.  A good forensics analysis should help to reveal this, but only a Penetration Test can truly tell you what really happened.  Therefore, you should run one immediately after the attack, and immediately fill any gaps with the remediative steps that have been provided to you.  But even after this, you should be running a deep Pen Test scan at least once every quarter.  This can be expensive, but now many companies are coming with Pen Testing solutions from which you can get a license for a certain amount of time.  This will let you run as many scans as you want or need to.

My Thoughts On This:

All if this comes down to in the end, should you ever pay a Cyberattacker the Ransom?  The answer will vary of course, but in my view, it should never be paid.  By taking this approach, it will lessen the chances that you will be hit repeatedly in the future. 

In fact,  depending upon who you pay the Ransom to, this could even be a felony under United States law.  And if you do pay it, the chances of getting a payout by your insurance carrier is almost nil.

And remember, always back your data.  With Cloud today, you can store your data across different data centers located in different parts of the world.  So, if you are hit, you can immediately switch over to your redundant data center, with very little downtime. 

Saturday, December 24, 2022

What The Cyber Threat Landscape Will Look Like In 2023 - 4 Key Takeaways

 


Well, here we are on Christmas weekend, with the big day being tomorrow.  Hopefully everybody is safe and sound from this deep freeze the United States is going through.  What is even harder to believe is that in in one week it will be 2023.  It just seems like yesterday, back in 2020, when the COVID-19 pandemic made all of the news wires.

So, it is now during this time period that all of the security pundits are making their predictions for next year.  I sort have eluded to this in my blogs over the last couple of weeks, but I have not formalized into content yet.  That will be the purpose of today’s blog, so here we go:

1)     More disruption:

This term here always gives me the shakes when I hear it, because it is such an overused technojargon.  But when it comes to an actual attack, then that is different.  Many pundits are predicting that Cyberattackers will launch threat vectors just for the sake of doing so.  For example, they may not really be after anything per se, but rather, they want their presence to b known and felt.  This may lead to a chain of other disruptive style attacks to happen, but the idea here is to simply be a nuisance to a business.  And it won’t be a one-time deal, rather, it will happen quite frequently.  In this aspect, to see more worms, trojan horses, viruses, and DDoS attacks to occur.  The good news is that Ransomware attacks will probably even decrease some more, as they have fallen by well over 8% in the last part of this year (SOURCE:  https://blog.checkpoint.com/2022/10/26/third-quarter-of-2022-reveals-increase-in-cyberattacks/).  Probably another form of a disruptive attack are those pf the data leakages, whether the are intentional or not.  Just this year alone, 93% of US businesses experienced this, and over half lost data permanently (SOURCE:  https://www.securitymagazine.com/articles/97631-93-of-orgs-have-suffered-a-data-related-business-disruption).

2)     The Critical Infrastructure:

This is something I have been blabbering about this entire year.  We have seen attacks already happen, with the Colonial Gas Pipeline incident being the best example of this.  In the end, this led to huge shortages on the east coast, the futures prices for natural gas spiked, and in the end, the CEO had to pay a multimillion ransom.  Many pundits believe that 2023 could be the year when a much bigger, and a much more catastrophic Critical Infrastructure attack could happen.  For example, there could be multiple attacks om large cities here in the US, leaving our water and oil pipelines rendered useless, and there could even be a cataclysmic effect on the national power grid.  The unfortunate thing about all of this is that is that there is not a lot that can be done to fortify the level of security, as most of these infrastructures were built in the 1970’s.

3)     The supply chains:

Remember the Solar Winds hack?  That is an example of a supply chain attack, where one point of entry is used to infiltrate and expose hundreds if not thousands of other victims.  This is expected to continue into 2023, but my prediction is that we won’t see such large-scale attacks anymore.  Rather, they will be much smaller in nature, but they will be happening much more frequently, in order to be nothing but a deep nuisance, once again.  Bu the changing trend here is that the Cyberattacker won’t be acting alone.  Rather, they will form alliances with other hacking groups.  They will probably have other nation threat actors backing them up with financial support and a place to stay in hiding.  In other words, watch for a new type of organized crime forming here.

4)     Phishing:

Yes, the oldie but the goodie will still be around next year.  Did you realize that the first true Phishing attack occurred back in the late 90’s, and the victim was AOL?  That is how old Phishing is.  But keep in mind that the Cyberattacker has become much more sophisticated in this regard, and now they take their time to study their unsuspecting victims.  For example, they can study the Socia Media sites, and even use the various OSINT tools that are out there to find the weaknesses and vulnerabilities of their victims.  But it is important to keep in mind here that the Cyberattacker is not just going after everybody.  Rather in 2023, they will have a favorite one in mind: The C-Suite, their families, and their friends.  The concepts of Social Engineering will be used to here in order to launch what are known as “Sextortion” based attacks.  In these instances, the Cyberattacker will try to “extort” money out of their victims by threatening to release private information and pictures of their friends and family.  These can be very damaging, as these attacks become more personal in nature.  In the end, the targets will be the high-profile executives across Corporate America.

My Thoughts On This:

In the end, there is no way that you cannot be a victim Cyberattack.  It can happen to any of use, whether it is now or in 2023.  All we can do is to try and mitigate that risk from happening to us.  And this is where being proactive about things become important.  One of the best ways to do this is to watch what you put on your Social Media sites.  The safest bet here is to not even use them at all, or if you have to, use one or two of them at most. 

In my case, I am only active on Linked In and to some degree, Twitter.  A simple Google search will also reveal  many other ways to protect yourself in 2023.

Sunday, December 18, 2022

Introducing A New Vulnerability Reporting Framework: Automation & Efficiency

 


If you ever go through some of the Cyber news headlines like I do on a daily basis, you will, over a period of time, come to notice that each vendor comes out in a certain time of the month to announce the latest software patches and upgrades that they have come up with. 

Probably the best example of this is the Microsoft Patch Tuesday.  This event occurs on the second Tuesday of each month, and every time, there are about 70 different kinds of vulnerabilities that these patches try to repair.

Following suit are the other tech vendors, such as Oracle, Apple, Google, Cisco, Adobe, etc.  But from what I have seen, these guys only announce patches and upgrades on as needed basis.  Between this batch, it seems that Google and Adobe have the greatest number of them, but not nearly as what Microsoft has. 

The gaps and weaknesses that they are supposed to repair are based upon the vulnerabilities of which other people have discovered, such as in the Bug Bounty Programs.

But the main problem is that each vendor has their own reporting style for discovered vulnerabilities.  This can make it very confusing not only for the end user to understand, but also for the people of the IT Security team that are charged with parsing through all of them and deploying whatever is needed. 

But just in the nick of time, there has been a new framework which has been designed to help streamline this process of reporting.

It is formally known as the Common Security Advisory Framework (CSAF) 2.0.  More details about it can be seen at the link below:

https://oasis-open.github.io/csaf-documentation/

This framework was created and developed by both people from the Cyber industry and even outside.  It is built upon a previous methodology, which was known as the OASIS Open.  More information about this can be seen at the link below:

https://www.oasis-open.org/

One of the powerful advantages that this new framework has is that it is machine readable.  This means that just about any device can read them, and with the appropriate add ons, compare it to with what is already in existence in the projects of their customers, or in the IT/Network Infrastructure of third-party vendors, and even the in the Software Bill of Materials (this is merely a listing of all of the development modules that are going to be used for the building of a Web apps product).

Another key advantage here is that the CSAF is also an automated one.  So, if you have the right AI/ML tools in place, your device should be able to rank the vulnerability reports from top to bottom in just a matter of a few minutes (I am assuming that the top ones will be the most critical vulnerabilities and the bottom ones will the least critical). 

In the end, this alleviates a lot of pressure for the IT Security team having to go through each report.

From within this framework, there are four types of baseline profiles that are some of the most important to keep your eye on.  They are as follows:

*The Base Profile: 

This creates the standard of what information is mandatory for filling in the fields when compiling a threat report.

*The Security Advisory Profile:

This gives information and detail about the products/services that are affected from the vendor, where the patches and upgrades can be downloaded, and any other remediation strategies which should be taken.

*The Information Advisory Profile:

This functionality provides information about other weaknesses and gaps that have been discovered, but don’t immediate attention, and thus, they can be triaged towards the latter part of the rung.

*The Security Incident Response Profile:

This part provides a summary finding of actual security breaches that have occurred on the business world, and the kind of impact that it has had on the company, third party suppliers, other business partners, and most importantly, customers and employees.

There are other some key components as well, which are as follows:

*The Secvisogram:

This is essentially an online editor which allows you to fill in the required fields in order to submit a full fledged CSAF report.  You can see the fields at the link below:

https://secvisogram.github.io/

*The  CSAF CMS back end:

This can be considered to be the back-end provider, where all of the CSAF documentation is kept, and can always be queried for at a subsequent point in time, if necessary.

*The CSAF Provider:

This functionality also allows one to create CSAF based reports, but they are static in nature only.  In other words, they can only be created and updated via manual processes, such as using HTML coding.

*The CSAF Checker:

This part confirms that all parts of the CSAF report have been completed, before it is actually submitted for publication.

*The CSAF Downloader:

This functionality allows one to actually download the CSAF report to an allocated spot.

My Thoughts On This:

To be honest, I don’t deal very much with these kinds of security reports, no matter who the vendor is.  The closest I came is when I wrote a few blogs some years ago on the Microsoft patches that came out.  But I am glad to see that there are some efforts being made here to create some sort of best practices and standards for the Cyber industry.  Many people that I have talked to on my podcasts are for this.

Another point of centralization that is needed is when it comes to the data privacy laws.  Once again, many people feel that this should be done at the Federal level, rather than having each state come up with its own set laws.  That way, businesses will be all on the same footing, and who knows, by having this, maybe the world will be ready to have a set of Cyber best practices and standards for everybody to follow.

Saturday, December 17, 2022

How To Implement A Data Cleansing Process: 4 Point Checklist

 


Today, data is the lifeblood of any business, no matter how large or how small it may be.  You depend upon it to keep in touch with your customers, and you examine the traffic to your website to see which pages seem to bring the most attention. 

Also, you keep track of buying patterns so that you can use that for market intelligence when you launch new products and services.  Therefore, this makes you the steward, or the custodian of this data.  Even the laws make you this steward, especially by the provisions of the GDPR and the other financial regulations that are in place here in the United States.

In fact, this whole realm of being a data steward falls into the realm of what is known as “Data Management”.  This is not really a new topic per se, but in the world of Cyber, it is certainly making news headlines.  So, how does one go about making sure that their data is actually being managed properly?

Here are some key tips that you use rather quickly:

1)     Data Cleansing:

In general terms, this simply means that you are keeping your data “clean”, as you take in new information, whether it is from your website or other sources.  You want your database(s) to have the best, organized data as possible.  This involves:

*Having a complete record set for both your employees, customers, and prospects.  This means that all fields are filled out, and there no null values.

*Make sure that all of the records have at least one unique ID next to it.  If you are dealing with people, this could perhaps be their Social Security numbers, or in a worst-case scenario, you can create a unique ID from a random number generator.  If you do find two pieces of datasets with the same ID#, then you know something is not quite right, and needs to be investigated further.

*These datasets should be available to those employees in your business who need them, based upon the principle of Least Privilege.  Not everybody needs to have this kind of access, so make sure that you delegate the rights, privileges, and permissions accordingly.

2) Making it all centralized:

               Back in the days before the Cloud came about, many businesses had their IT and Network              Infrastructures On Prem.  This means that all of the servers and databases were held in some           room, and locked.  Because of this, many databases were held in different servers, and trying to   find which one was where was a pain, especially for audit purposes.  But now with everybody         going into the Cloud, centralization has now become a key trend, even for datasets.  Therefore,            if and when you make your move to the Cloud, you should seriously consider centralizing all of    your data into one major database.  You might view this is as a security risk, but remember that          the major Cloud Providers (such as that of Microsoft Azure) have many tools that you can use to      protect that database, and even provide real time alerts and warnings if any suspicious activity is                detected.  If you still keep your data in disparate locations, this will not only lead to sprawl, but         will also increase the attack surface for the Cyberattacker.

2)     Get rid of the siloes:

Many companies today unfortunately, still work in “siloes”.  This simply means that the different departments work independent from each other, with no communication.  And, if a security were to actually happen, nobody would know how to react to it.  This is where the siloes can become a huge impediment.  Therefore, it is time to break them down, and centralizing data is a huge step forward.  So for example, if HR, and Accounting need access to these datasets, they should be able to get it to readily and easily.  In fact, you can even create what are known as “Federated Accounts”, in which an employee can use the same login credentials to gain access to different pieces of datasets.

3)     Data backup:

This is probably the biggest here, and is the one that has been repeated so many times.  ALWAYS BACK UP YOUR DATA!!! Preferably, you should be backing up your data in the Cloud, so that you can get instant access to it at any time or any location.  Again, Cloud Providers like Azure have made it very easy to back up all of your data, so that you really don’t even need a database administrator to do this for you.  Heck, you can even automate this tool so that you don’t even have to give a second thought to it.  In this regard, there are three types of backup you can choose from:

*Full backup:  A 100% new backup is made, in its entirety.

*Incremental backup:  This is when a backup is made from the last one that was performed.

*Differential backup:  This is when a full backup is made, but then reverts to an incremental one as newer backups are made.

My Thoughts On This:

These are just some of the steps that you can take to maintain an overall Data Governance Strategy for your company.  But remember, keeping data sets “clean” serves other purposes as well.  For example, if your line of business makes heavy usage of both AI and ML, you have to make sure from the very beginning your datasets are cleaned and optimized. 

If not, you will get results that are not accurate. While this might sound like a Herculean task in the very beginning, it is not.

There are many automated tools out there that help you mine your data and flag the ones that seem to be outliers.  Also, by keeping your data cleansed, you will automatically come into compliance with the data privacy laws with once again the GDPR, the CCPA, HIPAA, etc.  This will help you to avoid any audits and costly fines. 

Finally, if you are ever impacted by a security breach, by having the right data strategy in place, you will be able to recover quickly without too much of an impact.

Sunday, December 11, 2022

How To Mitigate Cyber Risks In Online Gaming/Betting - 4 Golden Tips

 


In yesterday’s blog, I had mentioned about gift giving with regards to IoT gadgets.  As I was perusing the news headlines this morning as to what to write on, another idea came to my head.  How about online gaming tools, and sports betting online? 

These seem to be getting very popular these days, and not just with teenagers in high school.  Even adults like to play games while they WFH.  Or better yet, if they are ambitious enough, they could even place bets online for their favorite teams (mine will always be Purdue).

But as enjoying as these games are, remember they are also connected to the Internet, and that means they too are prone to Cyberattacks, even when you least expect it.  So, how does one mitigate the risks of becoming a victim while you think you are Speed Racer?  Here are some things to keep in mind:

1)     Limit access to accounts:

Maybe even more so than banking or credit card platforms, online gaming/betting accounts are even riper for account takeover.  The tactics will vary from hacker to hacker, but the best advice you can give to your clients is to be simply aware of any unusual activity that could be occurring with their own accounts.  For example, if they get notifications of attempted logins, or for some reason or another the gaming platform is slowing down for any reason, these are signs that a breach is imminent or that there is somebody inside already.  Some of the best tactics that you can employ in this regard are the use of MFA, and of course, security awareness training.  But in the end, the end user has to take responsibility by being proactive for any telltale signs that could be emerge.

2)     Keep the design in mind:

This is where the concepts of User Experience (or UX) will come into play, and this is a key area where online game developers need to pay great attention to.  For example, many of the gamers of today are really young kids, with really no sense in their head about how to watch their digital footprints.  This where parents have to keep an even closer on, but many of them simply just do not have the time to enforce this on a routine basis.  Therefore, you need to create gaming platforms that are compatible to the different age groups that you are marketing to.  For example, for the very young crowd you might just create a platform that does include any payment options, and has much more parental controls on it.  And as you create different versions of the gaming platforms for older crowds, you can release more options.

3)     Mobile apps:

One way that the vendor of online games tries to entice users into purchasing more add ons for their gaming platform is through the use of mobile apps.  While Apple is very conscience of what gets uploaded to their App store, Google is not.  Therefore, it is very easy for a Cyberattacker to create a rogue malicious app, and encourage you to buy it at a low cost for your gaming system.  But more than likely, this kind of app could very well contain malicious payloads that can be inserted.  Worst yet, if you have a Smart Home, if the Cyberattacker is able to take control of your gaming platform, then the chances are even higher they could move laterally across your Smart Home.  If you are ever a get a notice about a mobile update, first read any online reviews about it.  If there are none, then the next best course of action would be to call the gaming vendor directly and see what is going on.

4)     Moderate chats:

Many gaming platforms, like video conferencing ones, offer chatting tools so one gamer can communicate with another one, especially if they have formed a team with another one.  One can even invite guests and add new accounts to them if they want to join in.  But be careful here.  The same security rules that apply to a Zoom meeting apply here as well.  In other words, be very careful of who you game with, chat with, and create guest accounts with only those people that you know.  Anybody else trying to come in, just kick them out block them permanently.  And if you can report them to the vendor, then you probably should.

My Thoughts On This:

Personally, I am not a gamer, nor will I ever become one.  I simply do not get into that kind of technology.  In terms of the security perspectives, many online gaming vendors are now starting to make use of the Blockchain to fortify their offerings.  Another point to keep in mind also:  Always keep your gaming platform updated with the latest software patches and firmware updates.

As we approach to the holiday vacation time, enjoy your gaming systems, but just be aware of your surroundings and any unusual activity so that you do not become the victim of a Cyberattacker.

 

 

Saturday, December 10, 2022

The Top 3 XIoT Attacks You Need To Know About

 


I was just talking to one my old grad school buddies last night on the phone, and we were both discussing just how fast this year has gone.  He mentioned that he still has some shopping to do.  So, this brings up the topic of gifts for the Holidays. 

True, everybody has their own style of shopping and they know what their family and friends want, but it seems to come down to two things:  Gift cards and electronic items.  In terms of the latter, I have stayed out of the loop of what the newest things are, except for what I see in the Cyber headlines.

It seems like anything that has the term “Internet of Things” (or IoT) branded into it, seems to be a popular choice.   I surmise that the reason for this is that it brings up images of conveniences, and in some ways, it even gives one the image of stature, by keeping ahead of the neighbors. 

But honestly, while it may be great to have your coffee pot, toaster, or even car started by Siri or Cortana, there are a lot of disadvantages to it as well, especially from the standpoint of Cyber.

For one, by having so many interconnected devices in your home (which gives birth to the name “Smart Home”) you are merely opening the attack surface that much more for the Cyberattacker.  For instance, many of the communications that take place between your gadgets are still sent in what is known as “Plaintext”. 

Nothing is encrypted.  Second, it is much easier for the Cyberattacker to launch remote attacks against your gadgets, and even control them thousands of miles of away.

This is the fear now are seeing with Smart Cars and even the latest versions of airplanes that have been produced by both Airbus and Boeing.  There is so much technology and electronics that are packed into them that it is much easier now for a hacker to break into them, and literally steer them off course. 

Back in the days of traditional analog technology, this probably would never have been a problem.  But now it is.

Now, there is even a greater problem.  These IoT gadgets that you can get at the store are now making their into the IT and Network Infrastructures of Corporate America.  This has given rise to an even newer term, called the “Extensible Internet of Things”, or “XIoT” for short.  Here are some examples, that you the CISO and your IT Security team be on the look for:

1)     Connections to the endpoint:

Although organizations are doing a much better job of protecting their endpoints (which in my books are the points of origination and termination of the network lines of communication), some are still not, and the Cyberattacker knows this.  Thus, it becomes an easy point of access for them to enter quickly and covertly.  But now for example, suppose your endpoints are well fortified, if you introduce an IoT device into your infrastructure, it could disable what you have already worked so hard to made secure.  Why is the case?  Well, network security tools have been designed already to be compatible with endpoint security technology.  This is not the case with IoT stuff, because there is hardly any security features installed into them to begin with.  The moral of the story here is don’t connect any device that you are not familiar with into your IT/Network Infrastructure.  If you have to, always test the device and the connections in a sandboxed environment first.  Technically speaking, this kind of attack, is known as a “Pivot Point Attack”.  Back in 2019, Microsoft witnessed the first kind of this attack, where a Cyberattacker went from a VoIP system, then to all of the printers in a company.  More information about that can be seen here:

https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/

2)     Data Theft:

When one hears this term, they often think of theft from a database of PII datasets.  While this is the traditional way of looking at it, it is important to keep in mind that data can be anywhere, for example, even in your copier, printer, or even digital fax machine.  One of the industries most prone to this is the healthcare one.  Just about every medical device that is used to conduct an examination on you will contain some kind of data on you.  Also, it is this industry that tends to use more IoT based devices than some others.  Because they are also connected to other medical devices, the IoT stuff will also hold some sort of data within them.  So in the mind of the Cyberattacker, why go something that is harder to get into, like a CAT scan machine, when I can easily gain a foothold with an insecure IoT device and exfiltrate data that way?

3)     A way to keep coming back:

Once a Cyberattacker has a found a way in, they will want to stay in for as long as possible.  Eventually they will leave once they collected all of the prized possessions that have.  But will they come back again?  More than likely yes, but not immediately.  They will probably go after other targets, then come back.  Also, given how easy it was to penetrate through the IoT device, they will probably use the same entry vehicle once again, to see what new things procured and deployed.  Once again here, try not to use an IoT  based device in your organization unless you absolutely have to.  It’s just one less thing to worry about.  Also, it could be the case that the Cyberattacker could even find a home in the IoT device itself to camp out in.  These kinds of attacks are known as “Persistence Attacks”.

My Thoughts On This:

There have been attempts by the states to introduce legislation in order to make vendors instill a baseline of security into their products.  One example of this was the one passed and enacted in California a few years ago, but nothing came out of it, because it was deemed to be broad in scope. 

As I have mentioned 2x times in this blog, if you can, avoid implementing IoT devices into your IT and Network environments.

And if you have to, test them out thoroughly before they are moved out into production.  Also, remember to change the default settings on them that fits your own security requirements, do not rely upon the vendor settings, as the will provide no protection whatsoever!!!

Also, IoT security deserves the same amount of attention like anything else.  It should not receive any lower priority, rather, it should be given an elevated status.

 

Sunday, December 4, 2022

How FinTech Companies Will Be The MSPs For The US Banking System

 


Well, here we are now loafing into the last month of December.  I actually did some shopping yesterday, and I couldn’t believe how packed the parking lots were.  You would think that with some of the layoffs that are happening in the tech sector would have some sort of impact on spending, but that is totally untrue. 

But the troubling thing (?) is that most of the customers were paying with either a credit card or debit card of sorts.  No hard cash trading hands, or even checks being written.

So, now this brings me up to our financial system here in the United States.  Now of course, I have not travelled the world in some 20 years or so, but I do think we have the best banking system in the world.  I remember a few times when things went bust, the Feds were here to rescue us.  Probably the best time I remember this happening was during the 2008-2009 Great Recession.

I had a good chunk of change in what was as the Reserve Primary Fund.  This was deemed to be the largest mutual fund in the world, with some $60 Billion in its funds.  It was also one of the most trusted in the world.  Then when all of the banks went bust, so did this one. 

The mutual fund literally “broke the buck”, and now was valued at some .98 cents per share.

Because of this, this mutual fund froze all assets, and all redemptions were halted. It was not until almost 6 months later, that Ameriprise (the broker dealer at the time) and the Feds bought back these toxic assets so that shareholders (like me) would start to get their money back.  That was a scary time, and I will never forget it.  But now, times have changed, and there is even a scarier front that we are facing.

And that is of the Cyberattacker and the threat vectors that are posed to our financial system.  Luckily nothing has happened yet to the degree where our entire financial system is frozen, but you keep hearing all the time as to how accounts are hijacked into, and how data leaks are such a common thing now. 

But despite all of this, believe it or not, our banking system is probably one of the most secure in the world, and we just don’t realize it.  A lot of this has to do with the fact that most security takes place behind the scenes, without us even knowing it.

*Since the 08-09 crisis, all bank accounts are now insured up to $250,000.

*Layered security is already place.

*Many banks (including mine) are now requiring the usage of 2FA, such as a One Time Password.  But now many of them are thinking of going to MFA, where at least three or more layers of authentication are actually being used.

*Almost all banks now use some sort of AI or ML based technology to keep track of any fraudulent activity happens on your account.  This is especially great when a company has become a victim of a Business Email Compromise (BEC) attack, and the victim is conned to sending out millions of dollars to some phony, offshore account.

*Opening a basic bank account today requires more paperwork and forms of ID than ever before.  In fact, if you are a new business trying to open a bank account, the scrutinization increased even more.

*Many online banking portals now require their customers, from time to time, to refresh their answers to the challenge/response security features.

*If you are at online store, and make a large purchase that is out of the norm of your baseline spending, it is highly likely that the credit card company will halt that purchase, and contact you directly to confirm that you are actually making that transaction.

*The banking system at least here in the United States, is being watched all of the time by regulatory officials that represent the various laws, such as that of the GDPR, CCPA, and other data privacy laws.  Because of this, banks always have to make sure that they have adequate controls in place to safeguard your money.

But despite all of this, there are two main areas of concern that still hound the banking system:

*With everything going all digital, if your needs are simple, and have all of the necessary docs and IDs in place, you can even open up a bank account online.  Because of this, there is now a huge explosion of customer information and data must be stored securely.  Trying to keep up with all of this has been a big battle.  But the banks have no choice here, if they do not come into compliance, they will face a time exhausting audit and even stiff financial penalties.

*Because of the digital trend, banks here in the United States have now become even more dependent upon third party vendors to outsource some of the business ops to.  So now comes the question as to who can be trusted and who can’t when trying to make a decision on vendor selection.

In attempt to resolve the last issue, many banks have now started to partner up with Financial Technology companies.  In a way, they can be compared to the MSP of the Cyber Industry.  Because of the finance commonality, there is an inherent layer of trust, which makes it easier for a bank to outsource some of their business functions to.  Consider some of these stats:

*65% of banks have partnered with a FinTech firm;

*35% of them have intentions to form a business relationship with a FinTech firm;

*An over whelming 89% of the banks polled claimed that forming a partnership with a FinTech firm is important to them.

More information about this can be seen at the link below:

https://19538404.fs1.hubspotusercontent-na1.net/hubfs/19538404/220110%20SYNCTERA%20Bank-Fintech%20Partnerships.pdf?__hstc=197324528.a494842efb2e954db50418a9a75b93cc.1651076748563.1656253782972.1656265273139.8&__hssc=&hsCtaTracking=892e1abe-b4be-40c9-bb79-ddb6ad3bd7b6%7C67567be7-c1b8-46e0-920c-055220cf93f2

My Thoughts On This:

While I think it is great to see our banking system so dedicated to Cybersecurity, the threat vectors will always abound.  For example, just in the last year alone, 300 million Americans were impacted by some sort of security breach at their financial institution. 

In the end, there is only so much that a bank can do to protect you.  Ultimately it is important that you “CYA” and be proactive on keeping track of them.

Saturday, December 3, 2022

The Benefits of Hiring a Fractional Security Advisor

 


Introduction

Because of COIVD19, the IT Security teams across Corporate America have now been stretched well beyond their breaking points, and worst yet, the leader that has been called upon for leadership simply cannot keep up.  Now, the other issue that is being faced as businesses start to open their doors, is how much of a budget do they really have in order to mitigate future cyber threats?

Cash flow will be of grave concern, as many companies are still trying to hold onto whatever liquidity they have on their balance sheets.  For example, there may even no longer be a need to have a dedicated, full CIO/CISO on staff, as there is a significant cost to paying their salaries and benefits.  The trend now is to hire what are known as IT Security Advisors, for just a fraction of the cost. 

The benefits of hiring these kinds of consultants is the focal point in this article.

So, What Are The Benefits???

1)     You get a wide breadth of expertise:

While your CIO is probably a well-educated individual with deep experience, it does not necessarily mean that they have all the expertise that you need to keep up with the dynamics of the Cyberthreat landscape.  For example, as businesses are letting their workers back in once again, one of the main issues to be dealt with is that of creating and maintain a rock-solid Business Continuity (BC) Plan.  Because of the pandemic, many CIOs and CISOs are now fully understanding the importance of having this, so that they will be 100% prepared for the next major event. Unfortunately, they may not necessarily have the knowledge in crafting out such a plan.  Therefore, you need to reach out to a Cybersecurity Advisor who has these specific skills that can help you to create this.  You do not have to hire this person on a full-time basis, you can hire them for a fixed time period, at a very affordable price.  Very likely, this individual will more than likely have other contacts as well that can offer even their own level of expertise to other aspects of your BC Plan.

2)     It is a very cost-effective approach to take:

 

As it was just described, cash flow is of prime importance to any business, no matter how large or small.  Everybody is now on a very tight budget, at unprecedented levels never seen before, and paying your existing CIO is probably out of the question.  The average salary for a CIO is now pegged at about almost $270,000.00.  Keep in mind that this does not even include benefits, bonuses, stock options, and other perks.  When you add all of this together, the entire compensation package can come close to almost $2,000,000.00.  In today’s times, which business can really afford this?  Not many.  So, this is where the role of hiring a well-established IT Security Advisor will become crucial.  In monetary terms, you can save at least 40% by hiring such a person.  Best of all, you don’t have to pay all of extras like you would have to for a CIO, all you have to so is pay them for the time that you need them, on a flat fee basis.  When your project is done, you can terminate the contract, and bring them back on board again on an as needed basis.  As a result, you will have that much more money in your IT budget to spend on other items that you need to shore up your cybersecurity posture.

 

3)     You will get an unbiased view:

The C-Suite across Corporate America has often been viewed as a place where company politics often play out.  Because of this, many of the decisions that are made may not necessarily reflect what is best for the business.  What you need (and especially right now) is an individual who is not bound by such nuances, and that can offer you in precise terms, what you need to do right now in order to clean up and improve your current levels of the proverbial cyber hygiene.  This is where the role of the Cybersecurity Advisor will come into crucial play.  In other words, he or she can come right in, conduct an exhaustive assessment of how things are being done right now in your company, and offer you real world solutions to make things better.  Because they are an external resource you have hired, they can provide you an insight that is completely neutral and what is best for your business.

4)     You can get staff augmentation:

For quite some time now, there has been a severe shortage of skilled workers in the Cybersecurity industry.  Obviously, hiring on new, full time staff could very well be out of the question right now, as you are trying to keep up with paying your existing staff.  But because everybody is so overworked right now, other pressing Cybersecurity needs could literally take a back seat right now.  But this does not necessarily have to be the case for your business.  For example, if you hire the right kind of IT Security Advisor, they can actually augment your current, full time staff, and help them keep up with their daily job tasks. As also mentioned earlier, they will probably have other contacts on board that you can hire as well for a fixed term contract.  For example, if you take this kind of approach, they can help out with the other cyber services that you may offer to your clients. Also, they can even help out with your internal security needs as well. For instance, they can help out with Penetration Testing, helping you assess your current levels of cyber-risk tolerance, help you determine where the weaknesses may lie in your Web based applications, assist with keeping up on a regular software patch and update schedule, and even help you come into compliance with the GDPR and the CCPA.

5)      Proactiveness will be a main area of focus:

Although every CIO/CISO, at the bottom of their hearts, would like to have a proactive Cyber mindset that transcends to each and every employee in their business, this is an almost impossible task to do.  A primary reason for this is that the burnout rate is so high amongst them, that it is almost impossible to keep them on for the long haul.  For example, 91% of CIOs and CISOs across Corporate America at the present time feel a huge amount of stress, thus causing them to quit at unprecedented levels.  But by hiring an external Cybersecurity Advisor, he or she will not feel this to such a high degree, and as a result, they will  be able to quickly to foster that proactive cyber mindset and even foster higher levels of motivation amongst your IT Security team that is so badly needed today.

Conclusions

Overall, this blog has examined some of the strategic benefits of hiring an external IT Security Advisor to help you out with your cyber needs.  This is by no means an exhaustive list, and it is also important to keep in mind that you simply should not hire the first person to respond to your job posting.  Rather, it is particularly important that you follow a strict vetting process, as you will be entrusting your Cybersecurity Advisor to highly confidential information and data that resides in your business.

How To Launch A Better Penetration Test In 2025: 4 Golden Tips

  In my past 16+ years as a tech writer, one of the themes that I have written a lot about is Penetration Testing.   I have written man blog...