Sunday, January 29, 2023

4 Data Privacy Law Issues You Need To Know For 2023

 


Data privacy issues have been prevalent in our society for the last few years, especially when the COVID-19 pandemic broke out.  New laws were introduced before then, most notably that of the GDPR and the CCPA. 

But at the height of the pandemic, many regulatory agencies backed off from any kind of enforcement actions, because of the financial constraints that were involved.  But now that is past news now, more audits and financial penalties are taking place.  Now, there are new data privacy laws which have emerged, some of which include the following:

*The American Data Privacy Protection Act (also known as the ADDPA).  More information about this bill can be seen at the link below:

https://www.darkreading.com/edge-articles/federal-privacy-bill-that-would-preempt-state-privacy-laws-faces-uncertain-future

*New initiatives for the Privacy Shield Program, which was inaugurated by the FTC;

*It is expected that China and India will be introducing some serious legislation this year as well.

At this point, at least some 100+ countries either have some sort of data privacy law enacted, or will be introducing some kind legislation in the near future.  But here in the United States, what will 2023 be like for data privacy?  Here are some clues:

1)     Tighter budgets:

Given the fears of inflation and the recent amount of tech layoffs, IT budgets are going to for sure be trimmed a lot more than expected.  This means that organizations are going to have to do more with less.  Meaning, there won’t be an open ended wallet for the deployment of new controls.  Companies will probably have to make do with what they already have, or simply upgrade them in the hopes that they will be compliant with the data privacy laws. 

2)     You need a good contact:

Even though budgets are expected to be tight, it does not mean that you can be negligent in your compliance duties. A recent trend has been to hire a so-called Data Privacy Office, also known as a DPO.  This was also a full time position with benefits, much like the CISO.  But now, since many companies are cutting back, so is this role as well.  But all is not lost yet.  There are many Cyber vendors out there who offer DPO services on a contractual basis, much like the vCISO.  The advantage of hiring this kind of individual is that they are paid on a contractual basis, and you can hire them/fire them on an as needed basis.  This offers a lot of scalability options to the business.  For example, if you find yourself conducting a Risk Assessment, you can always hire a virtual DPO for a fixed amount of time to help you with your assessment and examine the state of your controls.  The costs associated of hiring a vDPO is far, far, less than hiring one outright.

3)     The need to be informed:

As mentioned, the amount of data privacy laws that are going to come out is only going to grow this year, not just in the United States, but worldwide as well.  However, keep in mind that you will not be impacted by some of these laws.  Rather, the determining factor is going to be how large your company is (in terms of revenue), your gross revenue, where your offices are located, and most importantly, where your customers are located as well.  This can be quite confusing none the less, so it would be a good idea to consult with your business attorney to see which laws impact you.  And if they cannot answer this, then they should be able to refer you to a lawyer that is well versed in data privacy.  Again, there are many attorneys out there who even offer these kinds of services as well on a virtual basis, for a very affordable price.

4)     It’s not all about money:

When a business owner thinks of a fine or an audit, the financial aspects of it very often come to mind.  But regulators are going to step away from this trend, and offer even newer and different kinds of penalties.  For example, other than being penalized with a stiff fine, members of the C-Suite can now also be held criminally liable as well.  Whether it is fair or not, in the end the buck stops with them.  Heck, even the Board of Directors may tried this way also.

My Thoughts On This:

Whether these predictions pan out or not this year is still something that is to be seen yet.  But one things for sure is that with inflation and the recent tech layoffs, things won’t be easy for companies to become into compliance with the data privacy laws, even of they have the best intentions in doing so.  Because of these uncertain times, perhaps regulators and auditors should give Corporate America yet another break like they did during the pandemic.

But only time will tell.

 

Saturday, January 28, 2023

The Birth Of The EV Charging Industry & The Cyber Threats It Brings

 


It seems that electrical cars are going to become the wave of the future.  Personally, I don’t have one, and I don’t ever plan to have one, as long as my long and trusted Honda Civic 03 keeps on running like it has been. 

But, it seems like that the worldwide adoption for Electrical Vehicles (EVs) is only going to continue to grow at a very strong clip here in the coming years.

While EVs are deemed to be very ecofriendly and green, the batteries in these cars have to be charged, or replenished, like how normal cars would be at the gas station.  But rather than filling in the usual unleaded 87 into your car, you will be literally charging the battery of your car. 

There are numerous stations like these that are propping up in the United States, especially in the larger cities, like here in Chicago.  In fact, my own apartment building will soon be offering EV charging stations for their own residences.

So with all of this, this will give birth to an entirely new industry:  The EV Charging Infrastructure.  But this won’t be something that will exist all by itself, rather, it will be connected into the national power grid in order to keep up with a fresh charge supply. 

While this could bring in more jobs, and even be good news for our economy, it also poses one serious threat:  Cyber-attacks.  This gives an extra avenue for the hacker to make their grand entry into one of our nation’s Critical Infrastructure.

Because of this, it is the EV charger that is now most at risk.  In fact, one ethical Pen Tester even simulated and wrote a detailed article about how an EV charger can literally be heisted by a Cyberattacker.  More information about this can be seen at the link below:

https://www.pentestpartners.com/security-blog/smart-car-chargers-plug-n-play-for-hackers/

It is important to keep in mind that there are many other components that go along with the EV charging station, and this increased amount of interconnectivity only expands the attack surface to a much greater degree.  So, you may be asking at this point, what are some of the Cyber risks that are involved here?  Well, here is a sampling of them:

*A mass disruption in the availability of charging stations;

*Deploying bots at these stations in order to launch massive DDoS attacks;

*The heisting of PII datasets;

*Credit card hijacking as customers pay to use the charging stations for a certain amount of time;

*Mass disruptions to the national power grid, with far more severe cascading effects;

*On a more qualitative front, if any Cyberattacks do happen, the brand and reputational loss will be far too severe for the charging station to handle.

One of the other main security issues here as well is the cascading effect that a bi directional connection can bring.  Keep in mind that the EV charger is like the IoT, in that it is connected to many other things.  Here is an example of this situation:

“When an EV plugs in to a networked charger, a cascade of bidirectional communications between multiple computers ensues — between the vehicle and the charger, the charger and the driver's mobile app, the charger and the grid, the charger and the back-end management system, the management system and a payment gateway, and the management system and the charge-point operator.”

(SOURCE:  https://www.darkreading.com/attacks-breaches/security-and-the-electric-vehicle-charging-infrastructure)

One way to keep the EV Charging stations at a lower risk from a Cyberattack is to have them follow a strict set of compliance rules and regulations which include the following:

*The Open Charge Point Protocol (OCPP):

This is a set of best practices which oversees the flow of communications between the EV charger the management system (and vice versa).

*The ISO 27001:

This addresses all of the controls that are required for any company, and even can fit to the security requirements of an EV Charging station.

*The ISO 15118.20:

This is another framework that was launched in 2022 to increase the security for bi directional communications between the EV Charger and the actual EV, and vice versa.  It deals with issuing a series of security certificates authenticating the credit card, the credit card holder, as well as even sending unused charge back to the national power gird in a secure manner.

The other security concern deals with the EV Charging Infrastructure.  Many Cyber pundits believe that a national system should be put into the Cloud, as the AWS or Microsoft Azure.  Here the principles of Asymmetric Key Cryptography would be strictly observed and enforced by the security tools which are offered by these Cloud providers. 

Of course, there is then the need to be compliant with all of the data privacy laws, primarily those of the GDPR and the CCPA.  All of the EV Charging stations would have to be responsible for maintain their own levels of compliance, which of course will be an added expense. 

Since credit cards will be the primary means of payment, all of these charging stations will have to abide by the tenets and principles of the PCI – DSS standards as well.

Finally, since the EV Charging stations will be connected to many other points of origination and termination, Endpoint Security will also be a key issue, but the major Cloud providers have the tools in place to address that as well for you.

My Thoughts On This:

It’s only obvious that the digital world that we live in today is only going to be more complex down the road with all of this interconnectivity.  I truly yearn for the days when life was simpler and not so digital. 

The EV Charging infrastructure is still in its infancy, and will probably grow like a beast as the demand for EVs really starts to pick up.  Thus, now is the time to address and remediate any security issues before it gets too far out of hand.

Will I ever buy an EV?  Probably not.  Even in the coldest days here in Chicago, my good ‘ole Honda started up fine.  Can’t say the same of an EV.

Tuesday, January 24, 2023

Why Application Security is Ripe for Reinvention

 


Hey Everybody,

Software development has certainly changed since the days of the dot com craze.  Back then, it was all about Windows 2000, Oracle databases, etc.  But now, the talk is all about using either the AWS or Microsoft Azure in which to develop and host your web based application.  But in today’s world of software development, the concepts of automation, and the ability to reuse code over and over again is the norm.  One of these is the use of APIs.

These are libraries of source code which are designed to make the developers life easier.  For example, they can be downloaded, and modified to fit the needs of the web apps project.  But the problem here is that many of these APIs are open sourced, and have not been updated or even checked for any security issues.  The thinking of these API providers is that it should be up to the software development teams to do all of this, but unfortunately, many of them do not do this.

So how can one bridge this gap?  We will get the answer to this question in today’s podcast.  We have the honor and privilege of interviewing Giora Egel, the Co-Founder and CEO of Neosec.  You can download the podcast at this link:

https://www.podbean.com/site/EpisodeDownload/PB136FAAEJYQSK

Sunday, January 15, 2023

Introducing the Lite Threat Modeling Approach To Software Development

 


As 2023 lumbers along, one of the key issues that will need to be addressed, and to some degrees it is, is that of source code security, especially when it comes to the use of APIs.  Software developers were never really held accountable for any kind of security standard, so there is probably a lot of source code out there is still vulnerable to a major hack job. 

Because of this, DevSecOps has become quickly adopted, and this is where the IT Security Team, the Operations Team, and the Software Development Team all come together to make sure that the source code has been checked on multiple levels.

There are also automated tools out there that can help with this process, but now, it seems like there is yet another new that has just come to market.  It’s called “Lite Threat Modeling”, also known as “LTM” for short.  As its name implies, it is actually a watered-down version of the actual Threat Hunting exercises which take place. But interestingly enough, this process uses more of the cognitive approach rather than real world simulations.

For example, rather than examining the modules of source code that are harnessed through, an LTI will take a holistic approach, and examine the project from the entire perspective.  For example, here are some of the questions that get typically asked:

*What kind of Cyberattacker or hacking group would want to break into this application?

*What parts of the Web app can be easily be broken through, and how can that be done?

*What is the worst-case scenario that can happen?  In other words, what is our tolerance to risk in these cases?

*What kind of impact will this have on our brand and customer reputation?

According to experts, a LTM is best used when your company is throwing around the idea for launching a new Web app, whether is for internal purposes or it will be external facing where clients and prospects can get direct access to it. 

It should also be used throughout the Software Development Cycle (SDLC), and any vulnerabilities or weaknesses that are discovered because of it must be remediated before it can be released into the production environment. 

At this point however, it is up to and your team to try come with a set of best standards in order get the maximum use of the LTI approach.  Examples of this include the following:

*Determining the various threat categories;

*Identifying the sources of threat vectors which could impact the Web app;

*Developing the methodology as to how the threat vectors will be fought off.

Also provided below are some tips that you can use for your LTM processes:

1)     Stay on the world real threats:

Face it, Cyber experts love to plan out every threat vector that is possible, even those that seem to be too farfetched.  That’s fine, but for the purposes the LTI, you need to stay focused on the here and now.  One way to do this is to comb through your log files and determine where all of the suspicious behaviors lay at.  A great tool to use here is your SIEM.  Also, examine what security breaches you have fended off in the past.  Focus on this.  Once you have a bearing of what is going on, then look towards the future vectors.

2)     Don’t get technical:

Another thing that Cyber folks love to do is always find a solution once a problem has been discovered. Of course, this is a very good attribute to have, but for the LTM, it is overkill at this point.  Why do so I that?  Well, these are just theoretical threats.  So, how can you find an answer some thing that doesn’t even exist yet?  Therefore, at this point you and your IT Security team just need to be focused on risk, and how much of it you can tolerate of it.

3)     Tools aren’t everything:

Because software developers have become so reliant on automation, they think that tools can are magic cure all.  But truth to be told, they are not.  Technology can only go so far, and it has breaking points.  Therefore, a human touch is also needed.  That is why so many companies are now embracing the concept of DevSecOps.

4)     It’s not a onetime deal:

TML is by no way is one shot project.  The Cyber world is always changing and you need to keep using this model as many times as you can.  Ideally this should be done at the start of every software module.  So as you finish one, all of the vulnerabilities and gaps that are found should be remediated, so there will be no cascading effects in subsequent modules.  This applies to all other forms of testing, especially that of Penetration Testing.

5)     Don’t get too bogged down:

It’s very easy for a Threat Researcher to get bogged in every minute detail.  But this is not what the LTM is designed to do.  It is effective at high level thinking.  In other words, keep thinking about the macro strategies that will make your Web a successful one.  This all comes down to determining the right mix of controls that you need, from both a technical and non-technical angles.  This will include such items as encryption, security awareness training, etc.

My Thought On This:

I have written a lot about Threat Hunting, and in fact, I have a whole chapter just devoted to it my upcoming book on the Zero Trust Framework.  I for sure have my views on the LTM, but I will reserve on saying more about it until I see more people using it.

Saturday, January 14, 2023

CMMC 2.0 - What's Next?

 


Hey Everybody,

The CMMC 2.0 is coming up very quickly!!!  Listen to this podcast to learn more about it.  In it, you will find out more about the following:

*The GCC Cloud;

*The FedRAMP;

*The CMMC 2.0 and how it differs from the CMMC 1.0;

*The Enclave.

You can download the podcast here:

https://www.podbean.com/site/EpisodeDownload/PB1361D868ERJS

What New Cyber Job Titles Will Erupt In 2023? Find Out Here

 


There is no doubt that the Cyber world is full of technojargon and new job titles that keeping coming out all of the time.  Probably some of the most abused job titles are that which include “Analyst” and “Consultant”.  But I better be careful of what I say here because I call myself a consultant. But anyways, 2023 is expected to be a year of yet even crazier job titles, so without further ado, let us introduce them to you:

1)     The Cyber Satellite Engineer:

Remember when Sputnik made all the rage back in the late 1950s?  Well, in my view, that was the start of space race, which ended when man landed on the moon (or when the first shuttle flew?).  Ever since then, the use of satellites have become very important for all of the nations on earth, but from a defense and scientific purpose. But with the advent of the Internet of Things (IoT), satellites are now even connected to gadgets here on Earth.  Probably the best examples of this are Siri and Cortana.  They use the Global Positioning System (GPS) to able to guide you wherever you want to go when you are driving.  So, it will take a trained Cyber expert to make sure all of your connections to these satellite systems (and vice versa) are safe and secure.

2)     The AI Mentor:

Artificial Intelligence (aka “AI”) is taking the world by storm.  It can be used in just about every industry imaginable, and Cyber is no exception.  Over in our world, it primarily used for automating the mundane processes, and even trying to make predictions about future threat vectors.  But AI is complex, and in today’s times, you really need to have a dedicated person on staff to run all of this.  But where they are needed the most in is when it comes to making sure that the datasets that are fed into the AI systems are cleansed and optimized.  If they are not, your output (or your results) will be totally skewed.  And they can also be used to train the IT Security staff about how to actually use AI.  In many ways, think of this new person as an “AI Administrator”.  When is comes to anything and everything related to AI, the buck will stop with them, kind of like the role of the vCISO.

3)     The Threat Endurance Manager:

At the present time, and as far as I know, I don’t think Critical Infrastructure (CI) sites have a dedicated IT Security with them. Therefore, at some point in time this year, when CI systems start to get prone to Cyberattacks, they will then need a dedicated personnel to help them out put out any fires that may erupt.  This is where this world would come in.

4)     The Digital Footprint Consultant:

This is a Cyber kind of role where this person will look forward into the future to protect the brand image and reputation of a company in case of any security breach.  They will look as to what happened in the past, in terms of reputational damage, and try to avoid those mistakes from being made.  Remember, a business can recover from a Cyberattack it is every hit by one, provided they have all of the steps in place. But trying to recover from the brand damage is a totally different one.  Remember, it can take years to get a customer, and just mere seconds to lose them.  This is where this role will come into play, to make sure that this does not happen to you.

5)     The Digital Bodyguard:

Imagine the normal bodyguard, somebody like a Chuck Norris.  But rather protecting you physically, this new title will protect you in the digital world, especially when it comes to Cyber bullying.  Consider these stats:

*46% of high school student have experienced some of Cyber bullying;

*41 of US employees face some kind of Cyber threats from their employer;

*24% of them say that they have been stalked in some way or another.

The primary objective of this role is to protect your online identity, no matter where it is, but especially on Social Media.  These people will work with you on a one-on-one basis, and will do their very best to protect you and your families.  In fact, a very lucrative market here would be the protection of the rich and famous.  Heck, this would even a great Cyber business to start!!!

Sources for the stats:

https://cyberbullying.org/Cyberbullying-Identification-Prevention-Response-2022.pdf

https://www.pewresearch.org/internet/2021/01/13/the-state-of-online-harassment/

https://media.kasperskydaily.com/wp-content/uploads/sites/86/2021/11/17164103/Kaspersky_Digital-stalking-in-relationships_Report_FINAL.pdf

My Thoughts On This:

There is another role that will still make waves, and this is the Cyber Investigator.  While this role has been around for quite some, is predicted that people with these titles will take a qualitative role (such as handling the psychological aspects of a Cyberattack).  To be honest, I really see the roles of AI Mentor and the Digital Bodyguard really exploding this year.  But both will take a lot of experience and expertise.

Thursday, January 12, 2023

How An SMB Can Come Into Compliance On Shoestring Budget

 


Compliance is one of the hottest buzzwords today.  But achieving it is an entirely different matter.  Not only is it an expensive process, but it is an administrative nightmare.  But business owners have no choice but to come into compliance.  If there are any data leaks, whether it is intentional or not, more than likely you will be faced with a time consuming by federal regulators, as well as very stiff financial penalties on top of that.  For example, if you come under audit by the GDPR, your financial penalties could be as high as 4% of your total gross revenue.

So, what is a business to do?  Well, in today’s podcast, we have the honor and privilege of interviewing Justin Beals, the CEO and Founder of Strike Graph.  Their main services are helping businesses just like yours to come into compliance with following regulations:

*SOC2

*HIPPA

*GDPR

*CCPA

*PCI DSS

*ISO 27701

*ISO 27001

*CMMC

Learn how you can these services by downloading the podcast at this link:

https://www.podbean.com/site/EpisodeDownload/PB1354713XWEVN

Sunday, January 8, 2023

Breaking Down The Advantages & Disadvantages Of The IaaC

 


As we know today, the Cloud is a mighty powerful thing.  After the COVID-19 pandemic, many businesses have made their move to the Cloud, when it is on the AWS or Microsoft Azure Cloud platforms (in full honesty, I am more partial for Azure, especially with the tools that they available for the SMB owner). 

It seems like that on a daily basis there are more and more tools that are becoming available.  Let’s face it, the Cloud has many advantages, especially when it comes to price affordability and especially that of scalability.

But there is yet another feature of the Cloud that is also intriguing to me, and in fact, I just came across in an article today.  It is known as the “Infrastructure as a Code”.  You are probably thinking “oh great, another as a Service”. 

My thoughts somewhat also, but this one is rather different from the others.  First, let me give the technical definition of it, which is as follows:

“Infrastructure as Code or IaC is the process of provisioning and managing infrastructure defined through code, instead of doing so with a manual process.

As infrastructure is defined as code, it allows users to easily edit and distribute configurations while ensuring the desired state of the infrastructure. This means you can create reproducible infrastructure configurations.”

(SOURCE:  https://www.bmc.com/blogs/infrastructure-as-code/).

If I have it right, it is simply another way to manage your Cloud based deployment (whether it is on the SaaS, the PaaS, or the IaaS) rather than having to go through any manual re configurations.  Since source code can be used over and over again, this is just another way to make to make your life easier in the Cloud. 

Just like AI, Infrastructure as a Code is just another way to automate some of your more mundane and ordinary processes in the Cloud, wherever it may reside at.

These processes are actually recognized as pieces of code by the Cloud, thus making management and provisioning of files even easier, as well.  But even with this huge advantage, the “IaaC” (this is the acronym for it) also brings along a set of disadvantages as well.  

First, is that it is not all bullet proof in terms of security.  While it will let you do things in the Cloud faster, you will also face greater risks of misconfigurations and settings not being applied properly.

Of course, the end result of all of this, is data leakages in occurring, which is the last thing you want to happen to your business.  But yet, another key area in which the IaaC is used is in the Software Development Lifecycle, which is also known as the “SDLC” for short. 

It is this process that software development teams use create a Web application right from scratch.  Although the Cloud is used in this process, many of the tools that are needed are typically rented and used on as needed basis.

For example, if the software development team needs to create a test server, they can create a brand new VM and its corresponding databases on a whim, and then delete them when it is not necessary to have them any longer.  This process, of constant software development and code reuse is also technically known as the Continuous Development and Continuous Deployment”, or CI/CD for short. 

When the IaaC is used any manual processes that are involved with the source code development becomes fully automated.  It is also quite useful in deploying the various APIs that are needed, as well as checking them for any type of security issues that they may have as well (which is a huge, hot button issue today). 

It also creates a baseline of each of the source code modules that have been compiled, so if a software developer has to roll back to a previous module or even build, they can do so automatically, and in a fraction of the time it would normally take. 

However, even in this environment, misconfigurations can still happen, and they do occur.  So, here in lies the second major disadvantage with the IaaC.  Although it can do a spot check for any errors as the software development process continues (imagine a continuum of going from left to right), it cannot catch for any misconfigurations that go in the reverse process, which is from right to left. 

In this case, it is highly probable that the software developer(s) is trying to roll back to a previous source code module, but is doing it manually, which is something that the IaaC simply cannot track, at the present time.  If this rolling back process is not done properly, it can have a cascading, negative effect on the other source code modules as well. 

The third area in which the IaaC does not do well are in those Cloud environments that are simply too large.  For example, if you are just using one type of deployment model, it can work quite well. 

But if you are using all three of them in tandem with another, then it will barely work at all (at least this is based on my understanding of it).  And once a misconfiguration is leaked into this kind of environment, it is usually quite difficult to catch and isolate.

Therefore, if your business is in this large-scale environment, it is always prudent to use the IaaC in smaller chunks rather than having it to try to digest everything all at once.  Therefore, if you are going to introduce the IaaC into your environment, it is first best to test in a sandbox environment first, correct any errors that you find, and then release it into the production environment. 

But again, the key here is to do it bit by bit, and not huge in huge chunks all at once, where mistakes are sure to happen.

My Thoughts On This:

To be honest, I am not a software developer by any means.  And probably there are areas of the IaaC of which I am not familiar with it all.  But it’s a learning curve, and I plan to keep up with it the best that I can.  Stay tuned for more about this new thing for the Cloud throughout this year!!!

Saturday, January 7, 2023

Introducing The Latest In Cyber AI: The ChatGPT

 



Here we are into the first full weekend of2023.  Still sort of feels like the holidays are upon us.  So, you may be wondering at this point what will the topic for today?  Well, it has to do with a topic that I really love reading about it, and even talking about. 

But it is sooo misused in the Cyber industry that I get nauseated any time a so-called Cyber expert talks about. It is Artificial Intelligence, also known as AI for short.  Long story condensed, it is an area of computer science where a computer is trying to replicate the thinking and reasoning powers of the human brain.

Obviously, we can come nowhere to explaining to how the human brain really works.  At best, we probably have reached only .1% of how it truly works.  My father was a neuroscientist at Purdue, and this is his exact quote, if I remember correctly. 

But when it comes to AI, one of the key objectives to deploying in the Cyber world is that for task automation.  For example, in the world of Pen Testing, there are many, mundane tasks which are often quite repetitive.

So the goal here is to try to get a tool with AI functionality that can do these tasks so it can free up the Pen Tester’s time to focus on other key areas of the exercise.  There have even been attempts to try to model the future Cyber threat landscape using AI.  In this regard, it is hoped that we model that threat vectors could like perhaps months from now, or even within a short amount of time, like days.

But the key thing to remember that an AI tool has to learn, like how the human brain has to learn from past experiences.  But the only way to do this is to feed the AI tool tons of information and data, which are technically known as “datasets”. 

The initial (or first) learning phase will need quite a bit of this, but as time goes on, the AI tool will start to learn from past trends, provided that you keep giving it these data sets on a 24 X 7 X 365 basis.  But a huge disadvantage here is that you have to make sure that all of your datasets are optimized, or “cleansed”.  This is the only way that you will get unbiased results.

If you fail to do this, your results could be greatly skewed in the end.  So as you can imagine, the old saying of “Garbage In Garbage Out” fits quite nicely with AI.  But Cyber is not the only industry in which AI is being used.  Another big one is that in the creation of Chatbots. 

These are the little dialog boxes that you see in the lower right hand of your screen when you are at a website.  I find them to be rather annoying, so I hardly ever use them, unless I am at a website which I fully trust.

The fundamental idea of a Chatbot is to give you an automated reply when you ask it a question.  But the goal here is not just give you any kind of canned response, rather, people are trying to design it in such a way that it gives you a realistic, smart, and personalized response to you, based upon your previous interactions either with it, or with customer service. 

One such group that is trying to develop this kind of Chatbot is known as “OpenAI”.  They have developed a new mechanism which is known as “ChatGPT”, which is a partial acronym for “Generative Pre-trained Transformer”.

But for right now, it is only available for Beta testing, but even with this crowd, it appears to be quite popular.  The organization is planning to launch a full-blown public version of this sometime later this year, and it will be known as “ChatGPT-4”. 

What separates this Chatbot from the others in the pack is that it can provide very detailed types of responses, and even admit completely when it is wrong.  But another very powerful feature of it (which I think is way cool) is that it can even compile source code, and even write content (but to what degree, I do not know).

But with the good, comes the bad, namely the disadvantages, especially as it relates to Cyber. Here are some examples of it:

*By its own very nature, ChatGPT will not create a piece of bad code, or what is known as malware.  It has protocols built inside it to prevent this from happening.  But hackers, given their inquisitive minds, have claimed to find a way around these protocols so that they can get ChatGPT to write piece of malware, which can be deployed anywhere, at any time.  In this instance, the Chatbot is not directly asked to create a piece of malware, rather, it is asked what are the steps to create one.  Answers are provided, even with sample code.

*Business Email Compromise (BEC) are forms of Phishing attacks in which an employee is conned into wiring large sums of money to a phony, offshore account.  Security tools are much better now in terms of quarantining these kinds of emails before they reach the inbox, so the trick is to create a different email every time a new BEC is launched.  But it can take some time for the Cyberattacker to create these kinds of messages so they cannot be racked.  But if the ChatGPT were used for this, unique BEC messages could be created literally on the fly.  Also, the Chat GTP can be used even for regular Phishing attacks, by getting rid of many of the mispronunciations, missing words, and typos that are found in today’s Phishing email.

The illustration below shows how the ChatGPT can be used to create a basic BEC email:


(SOURCE:  https://www.darkreading.com/omdia/chatgpt-artificial-intelligence-an-upcoming-cybersecurity-threat-).

My Thoughts On This:

IMHO, we have to take a balanced view of what AI can do for Cyber.  Yes, it can do great things, but on he flip side, it can do many bad things as well, especially if it is used for nefarious purposes.  A good example of this is the Deepfakes.  This is when a fake image is created of a real, live person. 

This can be used for phony purposes, especially when it comes to election time.  In fact, it has been said that it was used in the 2016 Presidential Election campaign in order to raise campaign money. 

But given the way the digital world is today, who is to know what is real and not?  The lines in deciding this have become so blurred that it can be hard for a trained Cyber professional to even discern these differences.

A disclaimer should also be made at this point about the illustration of the BEC email.  As stated previously, you cannot just simply to ask it directly to create one.  Rather, you have to keep prompting it with many questions so it can create one for you.  By doing it this way, it is also learning, and as result, it can create a BEC email for you in a shorter period of time, and without having to ask it so many questions.


Monday, January 2, 2023

The Art Of Warfare Is Being Changed: DDoS Attacks First, Then The Ground Campaign

 


Back in high school, my favorite subject was that of US History.  What we learned back then was about the colonization on the East Coast, and of course the American Revolution, and from there, the movement westwards. 

I also took world history, and learned more about regional conflicts, such as those between India, Pakistan, and China.  Then, when I went to Purdue for the undergrad years, I also took a year of US History once again, but the topics covered were more about the Cold War, between the United States and the former Soviet Union.

Back then, Cyber warfare and Cyber terrorism were terms not even heard of.  The main battle lines were all about how large the army, navy, and air force was of any country.  But now, as we start the New Year, the lines of conflicts have drastically changed.  Although the fear of nuclear war is still there (largely driven by the Ukrainian – Russian conflict), the thought is now about the digital warfare that can take place between nations. 

Yes, this has been going on for some time, as countries have been spying on each other for quite some time, the digital warfare concept is starting to emerge as something different.  For example, it is not a “throw everything you have and including the kitchen sink” threat vectors launched by the Cyberattacker, but rather, they are much focused. 

In this regard, it seems to be that the Distributed Denial of Service (DDoS) attacks are the favored attacks to be used.

Once again, the prime catalyst for this has been the war between Ukraine and Russia.  Just days after it started, it seems like the Ukrainians already had their guard up, and fended much of the opening salvos of DDoS attacks from the Russians. 

Much to my surprise, the Ukrainian military was even able to gain the support of hackers from other parts of the world to aid in this fight.  In fact, between March and April of last year, the total number of DDoS climbed by an escalating 236%, more than ever before.

Why are DDoS attacks the Cyber weapon of choice?  Well, it is an old threat vector that can be modified very quickly to fir today’s digital warfare needs.  Second, they can be launched within minutes, and literally flood and break the back of the global Internet in just a matter of a few hours. 

The idea of a DDoS attack is to pound servers with useless and meaningless data packets until the services provided by them come to a screeching halt.

So, the goal is not to really infect other computers or devices with worms, viruses, and malware.  The mission of the DDoS style attack is to simply be a large nuisance, and to detract the IT Security team from other critical tasks that it has to achieve.  In fact, the Ukrainian conflict just itself brought on 6,000,000 new types of DDoS attacks alone. 

This is according to the recent report from Netscout, which is entitled the “DDoS Intelligence Report”.  More information about this can be seen at the link below:

https://www.netscout.com/threatreport

But keep in mind, it is not just Eastern Europe where all of these DDoS attacks are happening.  It is also happening in other parts of the world, which includes the following:

*India, total number of attacks went up (specific number not known)

*Belize, total number of attacks went up (specific number not known)

*Finland, which witnessed an increase of 258% in the total number of DDoS attacks;

*Hong Kong/China/Taiwan, total number of attacks went up (specific number not known)

It is interesting to note that these DDoS attacks which happened were not just solo events, rather, there was an event which triggered it.  For example, in the ones with Finland and India, it was once again the Ukrainian  - Russian that triggered them.  In the case of Hong Kong/China/Taiwan, it was the recent visit by Nancy Pelosi, which was once again, the main trigger. 

But here is the scary fact:  It is not the Cyberattacker themselves that are launching these DDoS attacks, but rather, it is groups that are hired from the Dark Web.  These are technically known as “Booter/Stressor” services, and these are outsourced groups that will launch a DDoS for almost pennies on the dollar for the Cyberattacker. 

But even here, this is nothing new, as a Cyberattacker can even hire a paid service to even launch a devastating Ransomware attack.  This is also known as a “Ransomware as a Service”.

My Thoughts On This:

Obviously, no kind of Cyberattack against anybody is good.  Most of the victims are just innocent by standers.  But here is the sliver lining, if there was one, through this kind of attack.  A DDoS attack cannot just be pinpointed at a target. 

Rather, it has to go through the DNS system, and at some point, to the Internet Service Provider (ISP).  Because ISPs have become much better at responding to different threat vectors, the chances are high that they will be able to bring back up services and websites fairly quickly after a DDoS attack has happened.

But of course, it all depends upon the magnitude of the attack.  The larger the DDoS attack is, the longer time it will take to resolve.  But the bottom line is that yes, everything should all be fine in the end.  But this does not relieve of your duties to protect your company. 

As CISO (or even vCISO), you still have a responsibility to your employees and organization to make sure that all controls are put into place to mitigate the risks of any kind of Cyberattack from happening.

The best way to do this is to conduct a comprehensive Risk Assessment once again on those assets (such as servers, Web based apps, databases, etc.) that are facing towards the external environment and are available for the public to access.  After you do this, it is always very prudent to conduct a Penetration Test to see where any other gaps or vulnerabilities may at.

But also keep in mind that your partner companies, especially the third-party suppliers are also prone to becoming a victim of a DDoS attack, and they need to be fully aware of that, and take the same, proactive steps that are you taking as well.

Sunday, January 1, 2023

A New Cyber Trend For 2023: The Death Of The CIO & CISO

 


Happy New Year everybody!!  I wish that all of my friends and family out there, and people soon to be met have all of their dreams come true this year.  2022 was for sure a challenging one, and even for me personally.  Let’s hope that the world will be a better place this year, and that we can all live in peace and harmony together.

Well, back to work.  In yesterday’s blog, I wrote some of the top Cyber trends that are going to happen this year.  I concluded it with by simply saying nobody knows for sure if they will happen.  But in today’s blog, I want to make my own, big prediction for 2023. 

You may be asking what is it?  Well, it is literally the death of the CISO role.  Why do I say it?  Look at the world around us.  Everything is all digital, and the workforce is pretty much all remote. 

Even the talk of a Hybrid based work environment really has not taken off, as many workers will choose to WFH, brought on primarily by the COVID-19 pandemic.  Businesses are abandoning their once traditional brick and mortar locations, in favor of much renting out much cheaper virtual offices. 

Plus, given the uncertainty of the financial markets, the tech layoffs, and inflation, many companies are going to simply hold onto the cash on their balance sheets until things stabilize out some more.

So with all of this, the end of the CISO is now at hand, giving further rise to the role of the vCISO.  With the former, a lot of expense was paid out in hiring, salary, and offering lucrative benefits.  But with the latter, all of that is gone. 

You hire someone on a contract basis, for a fixed fee that is just a fraction of what it would take to hire a CISO full time for one year.  Of course, there are many other benefits of having a vCISO, such as scalability, access to greater resources, etc.

But now that this is going to the trend now this year, what will be expected of the vCISO?  Here are some clues:

1)     May or may not have control over:

When a vCISO comes into work for you, they typically don’t waste any time.  Usually all that they need is a few hours of orientation at most, and off they start working.  So, the question now comes:  What happens if there is indeed a security breach that happens under their watch?  Under the new laws, it is supposed to reported to federal or state authorities, within a short time, like 24-48 hours, and no longer than that.  If this is the case, then the chances of getting audited are even higher than normal.  Btu since a vCISO is a contracted employee, what should they do?  Should it be left to the other members of the C-Suite.  No matter what the situation might be, the vCISO is still viewed to be at the top of the chain of command when it comes to the security of the business with whom they are contracted to work with.  In other words, the buck literally stops with them.  So yes, in the end, it is still expected that the vCISO will report any breaches quickly.  But there will be pressure put upon him or her in the manner the breach should be reported.  For example, other members of the C-Suite may want to word the language in any communications in such as way that there will be minimal damage to the bottom line, and any loss to brand and reputation.  In the end, it may be even wiser to hire a PR company for relaying these kinds of communications, and even other types as well.

2)     Responding to a breach:

This is where the role of the Incident Response (IR), Disaster Recovery (DR), and Business Continuity (BC) plans will come into play.  But since the vCISO is once again a contracted employee, whose responsibility is it to make sure that these documents are created, tested, and enforced?  Once again, it will be that of the vCISO.  After all, that is why you hired him or her, so that your business will be able to respond quickly in case a disaster does happen.  Since most vCISOs are on a fixed contract basis, they will make sure that this is a priority and will get it done quickly.  They are not going to waste any time.  So now the question that comes into mind is if there is no vCISO, or they are in between contracts, who is the next person to take charge of all of this?  Well, naturally it would be the next in line, which is most likely the head or manager of the IT Security team.  This brings up another important point:  Your company will have to work out a line of succession in case there are periods of time in which you have no vCISO on hand.

3)     Working with the C-Suite and above:

Technically speaking, if the vCISO is hired on a 1099 basis, then all that he or she has to do is simply the job tasks that has been discussed and outlined specifically in their contract.  This means that they are totally immune to any company politics, or anything else like that.  Also, the only people that they need to interact with are the ones that the resources that will be required to get their job done.  But as we now forge ahead into 2023, this mindset is going shift drastically.  This means that the vCISO is going to have to step outside of the bounds of their contract, and try to establish relationships with the other members of the C-Suite as well as the Board of Directors.  Also, they will be expected to establish their lines of communications with them in such a way that it is understandable, free from techno jargon, but above, what the actions taken mean to the bottom line.  Also, it will be up to the vCISO to make sure that Cybersecurity remains a top issue with the others in the C-Suite and the Board as well.  Ultimately in the end, it will be once again the vCISO who will also be held responsible for maintaining a clear lines of communications with everybody in the company, in a top-down manner.  The bottom line is that you should be able to provide the answer to this question all the time:  “Why should I care”?

My Thoughts On This:

In the end, the vCISO is always going to be in the hot seat.  But the beauty about this role is that it can be terminated until you can find another replacement, in a rather quick fashion.  Heck, there are over 3,000 Cybersecurity companies, and I would say it would be safe to say that most of them to have some kind of vCISO services that you can make use of.

I also get asked the role of the CIO.  Truthfully speaking, this is pretty much a phased-out title now.  I have never really seen it being used any more, as the role of the vCISO has now taken root.

How To Launch A Better Penetration Test In 2025: 4 Golden Tips

  In my past 16+ years as a tech writer, one of the themes that I have written a lot about is Penetration Testing.   I have written man blog...