Sunday, March 26, 2023

The Evil Of ChatGPT: Having Too Many Identities

 


In the world of Cyber today, AI (aka Artificial Intelligence) is making all the rage once again.  A big reason for this is the evolution of Chat GPT, the new tool that just came out from OpenAI.  I have read many things about it on Linked In, but personally I have not tried it yet. 

I know it has a lot of applications in my world, especially when it comes to writing. For instance, I keep hearing that many authors are now using ChatGPT to create novels, science fiction, rom com, etc.

While this can be advantageous to the author that is suffering from a lapse of writer’s block, it has also received its fair share of criticism as well.  My biggest concern with this is that the Amazon KDP, the world’s largest self-publishing platform, is going to crack down hard on this, making the lives of genuine authors even more miserable.

But another side effect of ChatGPT is the ability to create multiple ID’s for just one person.  This has also created a number of problems, especially where the use of Deepfakes is concerned.  In fact, it is so hard to tell who is real and who is not. 

The use of Deepfakes actually accelerated in the 2016 Presidential campaign, where many fictitious donation sites appeared.

So on this issue of ID’s, I came across an article that sort of lamented the same thoughts that I have.  In fact, the author felt so strongly about distinguishing the major types of IDs that are now in existence, he even broke them down in separate categories, which are as follows:

1)     The Carbon-based Identity:

This is us, the human being.  It also includes the others that we interact with on a daily basis.  But I am going to add one more thing here:  I am not including people in the virtual world, or even those things that exist in the Metaverse.  I am referring to those people that we see every day and have some sort of physical contact with.

2)     The Silicon based Identity:

These are the devices that we use on an everyday basis.  We don’t think about them too much because we take them so much for granted.  But when one of them breaks down, we feel pretty much paralyzed.  Probably the best example of this is our very own smartphone.

3)     The Artificial based Identity:

 

This are the ID’s that are created by AI, such as ChatGPT.  One of the best examples of this is the chatbot that usually appears on the lower left-hand side of your web browser.  While usually you can tell what they are most of the time, confusion can often set in if there is a name and picture that is associated with the chatbot.  They claim to be real, but how do you know that for sure???

Of course, there is then the conglomeration of these IDs just described.  For example, you can combine your Carbon ID with the Silicon based one.  Again, a great example of this is your own smartphone.  When you first procure it, it goes under your name.  If 2FA or MFA is actually installed onto it, you then use your face or fingerprint to actually confirm your identity as a login step. 

My Thoughts On This:

Now that you have an idea of some of the major forms of ID, how do you feel about it?  To me personally, I don’t like it at all. I prefer to have one identity, which is my own name and Social Security number. 

What happened to the good ole’ days when that was the case?  I guess to some people, they feel great in having multiple IDs, because it gives them a greater sense of power, and in an evil way, even having control over them.  It’s like having multiple profiles and accounts on Twitter. 

But the real scary thing about this is when you have to deal with a chatbot or some sort of virtual agent in order to submit confidential and private information/data.  Some cases of this include submitting your banking and/or credit card number to make a payment. 

Or, how about if you have to submit your patient data if you are trying to get on with a new doctor, or before you have to got for a medical test?

Not me.  I prefer to only give this to an actual human being, and it is somebody that I feel is authentic.  Another worst-case scenario are the Voice Recognition systems with some of the larger vendors.  Some good examples of this are Verizon and Comcast. 

It is almost close to impossible to talk to an actual human being until you first go through all of their automated responses.  What happened to the days when you could call a customer service line and an actual human being answered the first time?

Also, if we keep using AI for everything, how do we even know that our own PII (Personal Identifiable Information) datasets will be protected and kept private?  That is yet another scary issue that needs to be dealt with in its entirety.

So as you can see in the end, AI definitely has its place, and there are many advantages to it.  But then there is the severe downside of it, which is in the creation and use of having too many IDs  that are associated with one person. 

 

Saturday, March 25, 2023

A New Way To Avoid A Solar Winds Like Attack: The SoT Framework

 


Do you all remember the infamous Solar Winds attack that occurred some time ago?  That kind of Cyberattack was deemed to be what is known as a “Supply Chain” attack.  No, it has nothing to do with UPS or FedEx, but the aim here is that the Cyberattacker can use just one point of entry to infect literally thousands of victims with malware, ransomware, Trojan Horses, etc. 

With the case of Solar Winds, the attacking group exploited a vulnerability found in one of the tools that was use to disperse software updates and patches to all of its clients.

In response to this, there have been many cries in the Cyber industry to come up with some sort of guidance or framework, that will help to alleviate this same kind of threat vector from happening again. 

As a result, a Cyber based organization known as MITRE (this is the same group that came out with the infamous “ATT&CK” framework.  It is a complete knowledge base of known threat vectors and their corresponding signatures, and it can also be used to create threat models for the future.

Well, they have come out with a new framework that should help curtail Supply Chain attacks, and it is called the “System of Trust”, also known as “SoT” for short.  Within it, also comes a new tool called the “Risk Model Manager” (RMM”).  It was actually first released at the RSA conference last year, and the details of it can be seen at the link below:

https://www.darkreading.com/application-security/mitre-creates-framework-for-supply-chain-security

The actual RMM tool will be formally announced at the RSA conference that is set for this year.  More information about this is right here:

https://www.rsaconference.com/USA/agenda/session/Creating%20the%20Standard%20for%20Supply%20Chain%20Risk%20%20MITREs%20System%20of%20Trust

The actual SoT platform is hosted entirely on the AWS, and it deals with 14 Cyber risk areas, which include some of the following:

*The financial information and data of the third-party vendor.

*The kind of Cyber practices that are enforced and followed.

*Any other risks that should be taken into account.

Of course this is not the complete list of 14 areas, but the above mentioned are some of the key areas of focus for this new framework. It should be noted that while any vendor can use this framework (at least this is my understanding of it so far), one of its main objectives is to also to help vet out third party vendors as businesses still continue to outsource their processes to others for handling.

In turn, once a third party vendor has been decided upon by a company, this framework can also be used to ascertain how they use their own software packages to distribute services to clients.  At the present time, there some 40+ vendors that are working with MITRE to help get it ready for widespread adoption on a global scale.  Some of these include the following:

*Microsoft

*BlackBerry

*CISA

*Cisco

*Dell Technologies

*Intel

*Mastercard

*NASA

*Raytheon

*Schneider Electric

*Siemens

*The Open Group.

These above mentioned heavy hitters are fine tuning the SoT framework by inputting various kinds and types of into a scoring algorithm, and from there, determining the Cyber advantages as well as weaknesses that a third party vendor may have in their systems.  Also, these companies are testing the SoT framework for their own internal uses as well.

Eventually, it is the main intention of MITRE to offer this framework as an open-sourced project, so that businesses can fit and mold it based upon their own security requirements.

It should also be noted that MITRE also came out with a newer framework, called the “D3FEND” model, and this is used by many organizations today in an effort to take an honest assessment of their own security posture.  More information about this can be seen at the link below:

https://www.darkreading.com/endpoint/d3fend-framework-seeks-to-lay-foundation-for-cyber-defense

My Thoughts On This:

One of the primary differences of the SoT versus the other frameworks created by MITRE is that this one is much more holistic in nature.  In other words, it does not look at a specific component or Cyberattacker, rather, the entire IT and Cyber practices of a potential third party vendor comes into the microscope for very minute scrutinization. 

Probably of the biggest obstacles for the SoT framework is that it is still so new, that widespread adoption of it yet has not picked up. But it is expected that this will change for the positive as the big-name companies start to adopt it themselves.

But I have one caveat here. Any company can adopt all of the frameworks that they want to (and there are hundreds of them), but none of it means anything until it has been adopted in full use and practice.  There are organizations out there that still inky use them partially. 

But also remember that frameworks can go only go so far.  In the end, true Cybersecurity comes down to employees, and their ability to report suspicious behavior to the higher ups in a confidential manner.

In this regard, employees should never be regarded as the weakest link in your chain.  They are the strongest, and should be treated as such.

 

Sunday, March 19, 2023

The Top 4 Mistakes Made By Software Developers: Perspectives From A Penetration Tester

 


For quite some time, in fact going into last year, I have written quite a bit in these blogs about the importance of secure source code, especially when it comes to creating Web based applications.  For the longest time, software developers have evaded the Cyber scrutiny.  But now, with everything being remote and digital, the light is on them now to test their code before they send it off to the production environment. 

There is no doubt that the software developer of today is under a lot of strain and pressure to get projects out to clients under budget (if possible), but most importantly, on time.  Thus, security always takes a back seat.  If there is any kind of checking done, it is usually done at the end of the SDLC, when there is really not a lot time to do rigorous testing of the source code.

In order to drive home the importance of this topic, I came across an article in which a Penetration Tester describes how he still sees mistakes being made in the compilation of the source code, and what the vulnerabilities are as a result.  Here is what he has found, so far:

1)     Cross Site Scripting still exists:

The acronym for this is known as “XSS”.  According to the OWASP, it can be technically defined as follows:

               “It is a type of injection, in which malicious scripts are injected into otherwise benign and        trusted websites. XSS attacks occur when an attacker uses a web application to send malicious            code, generally in the form of a browser side script, to a different end user. Flaws that allow               these attacks to succeed are quite widespread and occur anywhere a web application uses input       from a user within the output it generates without validating or encoding it.”

               (SOURCE:  https://owasp.org/www-community/attacks/xss/)

               Simply put, this is where a Cyberattacker injects a piece of malicious code into a backdoor (or      another vulnerability) of the Web application.  The idea here is to gain control of the application             in question, and from there, try to hijack information and data as possible.  A very common             example of this are what are known as “SQL Injection” based attacks, where the hacker will   inject malicious queries into a SQL databased (such as SQL Server, MySQL, etc.).  More         information about XSS attacks can be seen at this link:

               https://www.darkreading.com/attacks-breaches/xss-flaw-prevalent-media-imaging-tool-      exposes-trove-patient-data

2)     Vulnerability scans may not be enough:

If any check on the source code is done, it is usually conducted by a Vulnerability Scan.  This kind of test is a good one to conduct, but it does suffer from a number of pitfalls.  Probably the biggest one is that it is not comprehensive enough.  For example, it is only considered to be passive in nature, and will only find those gaps that are blatantly obvious.  It will not go to the extent and detail that a Penetration Test would.  Thus, as I have always said, software developers should always test the source code on a modular basis, so that any unknown vulnerabilities will not have a cascading effect onto the rest of the source code.  If possible, it would be very prudent to conduct a Penetration Test at each level.  To help do this, there are tools out there that can automate this process.  But in the end, human involvement is always necessary to confirm any findings.

3)     Need to think outside of the box:

Software developers are tasked to do one thing only, and do it the best that they can:  Create the source code so that it meets every need and requirement of the client.  And if they can come up with some extra features that would benefit the client, that is a nice to have also.  In other words, the main focus of the software developer is on meeting the business objectives of the project.  They are not tasked with taking the flip side of the equation, which is seeing how the source code could be used maliciously by a Cyberattacker.  But this is not the same as testing.  Rather, the software developer is trying to take the mind of the hacker, and figuring out how the code can be further exploited.  But in the end, it is not fair to ask the software developers to do this herculean task, and probably many of them do not have the mindset to do this.  Because of this, many businesses in Corporate America are now turning to what is known as “DevSecOps”. This is a fancy piece of techno jargon which simply means that along with the software developer team, the operations and the IT Security teams are also involved in the development of the Web application project in order to lend a helping hand to make sure the source code is tested and secure.

4)     Everything is fair game:

When developing the source code, software developers often rely upon APIs.  These are reusable lines of code that are used to bridge the gap between the front and backends of a Web based application.  Any software developer can download these from open sourced libraries, but the problem here is that these API libraries are often not tested or upgraded with the latest patches.  Very often, the software developer thinks that this is not their responsibility, but the bottom line is yes, it is!!!  Ideally, it should be up to the owner or organizers of the API repository to check for all of this, but the ultimate accountability comes down to the person that is going to use and implement those lines of code. This is another area where the DevSecOps concept is becoming quite important, and will be so for a long time to come.

My Thoughts On This:

In a way, I am glad to see that software developers are going to have be more accountable for the code that they create and execute.  But in the end, they should not have to shoulder all of the responsibility, it takes the entire company to make sure that a Web based application is safe and secure to the client.  To use the old saying, “It takes a village”. 

But, there is one area in which software developers have to be completely, 100% responsible for:  It is in the backdoors that they create.  For example, rather than having to go through the usual login process that they create for the application, the software developers will create easy access portals in order to gain quick access to the source code.

But very often, right at the end of the project, they forget to check for these backdoors that they have created.  As a result, this is one of the first areas that a Cyberattacker will scope out for, and try to penetrate into first.

 

Saturday, March 18, 2023

Distinguishing Between Data Privacy & Surveillance

 


I had a few great podcasts this past week, and one of the questions that I usually ask surrounds the Remote Workforce.  My guests last week seem to be in agreement that the WFH concept is one that is going to be around for a long time to come. 

They also said that the so called hybrid model may or may not work, but in the end, you truly have to listen to your employees.  This is not to say that a CISO has to do everything that an employee wants, but remember, a happy employee makes a productive one.

But with remote working, comes a serious issue that many businesses in Corporate America are now facing.  And that is, how much they can spy on their employees to make sure that they are maintaining good levels of Cyber Hygiene.  The major thrust of this are the data privacy laws that have been enacted in the recent years, most notably those of the GDPR and the CCPA. 

But now, another factor has compounded this issue in that what if your remote workers are actually using their own devices in order to gain access to shared resources on your corporate servers? How much prying can you do then? 

For example, if your entire infrastructure is in the Cloud (like Microsoft Azure), and your employees still use their personal devices to access the resources on it, can you still audit those devices?

Well, this morning, I came across an article that sort of addresses these issues.  Here are some thoughts that were shared in it:

1)     Don’t collect too much:

If you are an SMB with an online presence (such as an Ecommerce store), information and data about your customers and prospects are literally your lifeblood.  You want to collect as  knowledge as you can about them so that you can entice them with your latest products and services, and if you have the AI and ML tools on hand, predict what their future buying habits will be like.  But now the line is starting to be drawn is when is too much information collected?  There is really no clear cut answer to this, as a lot depends on your line of business, and what you are selling.  But once again, the GDPR and the CCPA now limit as to how much you can collect.  Also, under these new regulations, your customers now have the right to ask you how their data is being stored, archived, and/or processed.  For example, is it being given away to third parties without their knowledge or consent?  In a worst case scenario, your customer can ask to have all of their data purged, and never shop with you again.  Therefore, is always in your best interest to let customers and prospects know what kinds of data/information are being collected about them.  Also keep in mind that if you do collect “too much” information, this also increases the attack surface, as now the hacker has much more that they can exfiltrate and sell onto the Dark Web for a nice price.

2)     Be careful of the lines you cross:

As mentioned earlier, with the Remote Workforce now in its almost permanency, as a CISO, you have to be careful as what is deemed to be “surveillance” in the eyes of your employees.  Obviously, you do not want to be perceived as Big Brother watching.  So in this regard, you should always tell your employees ahead of time as to what kinds of activities you will be watching them for.  This is especially true of third-party contractors.  But, this issue gets even murkier when the home networks that your employees use to access the corporate networks are blended together.  For example, what if your remote employee uses their own personal workstation to connect to their own network which in turn will be used to gain access to the shared resources?  Can you still deploy employee monitoring tools onto these personal devices?  A few years ago, this was never really an issue.  But this all came about when the COVID-19 pandemic first hit, and everybody for the most part, was required to work from home.

3)     Take preventative measures:

In the end, as the article points out, it is always better to err on the side of caution rather than taking risks.  Here is what is recommended:

*View each piece of data not only in terms of its business value, but also in terms of its privacy value as well.  For example, always ask this question:  Do we really need this piece of information?  Can it be deemed as a privacy risk?

*If you make use of AI and ML tools, also take a look at the datasets that you have acquired (more than likely from a third party vendor) and see if all of the information is really needed before you actually process the datasets.  In other words, look at what you want your expected outcome to be, then ask the question if those extra points will actually help meet your end objective or even skew it.

*Always be extremely careful when handing over any datasets to third party vendors.  Make sure you know how they are using them, and for what purposes they are being used for.  Always conduct regular audits if you feel that this is necessary.

My Thoughts On This:

Let’s go back to #2.  Although I am not a lawyer, IMHO, as an employer, you have every right to question your employees how they are using their devices when it comes to the accessing and storage of it.  But keep in mind, that the law is on your side if your employees are using company issued devices.  

If they are using their own, then this really becomes a dicey situation.  But on the flip side of this, you are a steward of the data and information that you collect and hold, and with that responsibility, you have to take every precaution possible to protect it.

So, that could give you some more latitude in the inspection and/or audit of your remote employee’s personal devices.  But you have to make these stipulations clearly and blatantly known to your employees from the very beginning!!!

Thursday, March 16, 2023

How To Get A Holistic View On All Of Your Cyber Vulnerabilities


 


In the world of Cybersecurity today, the term “Risk” is one term that is bandied quite a bit in today’s circle.  But what is what exactly is Risk?  It can have many definitions to many people businesses.  But very general terms, Risk can be defined as to how much tolerance a business can take before it goes into a serious downturn, especially from a financial standpoint.  Unfortunately, many businesses do not even know how to calculate what Risk really is. 

Either they try to figure it out on their own, or they hire a very expensive consulting company to do it for them, which of course many SMBs cannot afford to do.  So what is the next option?  In today’s podcast, we have the honor and privilege of interviewing Tal Morgenstern, the Co Founder and CPO of Vulcan Cyber.  They offer a unique platform that not only calculates your level of risk, but also shows where the vulnerabilities are in your organization.  It also offers strategies to remediate those vulnerabilities, and this lower you level of risk substantially.

You can download the podcast here:

https://www.podbean.com/site/EpisodeDownload/PB13AE49FANTZS

Wednesday, March 15, 2023

Cybersecurity For Everyone: A New Book By David Pereira, CEO of Secpro, LLC

 


Hey Everybody,

With all of the geopolitical and economic uncertainty that is facing us today, many companies are pinching their budgets as much as they can, which even means laying off valuable employees.  In this regard, the tech sector here in the United States has been amongst the hardest hit so far.  But despite all of these turmoils, organizations will always need help when it comes to beefing up their lines of defenses against the Cyberattacker.

In the past, we have interviewed many Managed Service Providers (MSPs) and even Managed Security Service Providers (MSSPs) to see what kinds of solutions they can offer to organizations, especially the SMBs, where funds are very critical.  There is no doubt that they offer just about everything, but they do not have services in two key areas:  1) Protection of Intellectual Property; and 2)  Providing security awareness training for your employees.

In this podcast, we have the honor of interviewing David Pereira, the CEO of SecPro.  In this segment, he will be providing more detail into these new services, and how an SMB can greatly benefit from them.

You can download the podcast at this link:

https://www.podbean.com/site/EpisodeDownload/PB13B85CBUQ5FD

Sunday, March 12, 2023

How To Fine Tune Your Cyber Budget In These Uncertain Times

 


As many of you know, the Silicon Valley Bank in California essentially shut down on Friday, due to its insolvency.  Now the FDIC is taking over so that insured deposits can be paid out in a timely manner, which will hopefully stop the rush to the banks in panic withdrawals. 

The exact reason for the bank’s demise is still being filtered through, but a lot of people are blaming the bank’s heavy investments into the tech and crypto based sectors.

It will make the headlines for sure all of next week.  So, the second largest bank failure in American history should raise a red flag to a lot of the people in the C-Suite, especially the CISO, or the vCISO, who ever is in charge. With the economic headwinds and geopolitical situations will uncertain, the CISO has to keep a close eye on their Cyber budgets and plan for the future.

Although nobody can predict the future with any degree of accuracy, here are some key events to keep in mind to make sure that your budget stays as flexible as possible:

1)     The Russian invasion of the Ukraine:

While this happened over a year ago, the conflict still remains, and is getting more entrenched.  At the beginning of the war, there was a lot of fear that there would be major Ransomware attacks here in the United States, especially onto our Critical Infrastructure. Luckily nothing has happened yet, but as the war drags on, anything is possible.  So this is a huge variable that has to be factored into your budget.

2)     Uncertainty of the United States markets:

There is no doubt that inflation is on the mind of every American today.  Heck, even I went grocery shopping today, and could not believe how much the costs of basic food items have risen.  But not only this, but the fear of inflation has greatly spooked the financial markets, and this was best exemplified just last week.  With these roller coaster ups and downs, companies are fearful to spend or deploy any cash into budgets, and that even includes hiring people.  Again, this is evident in the layoffs the tech sector has been seeing since the beginning of this year.  While layoffs are never any good for anybody, it is still important to keep in mind that when compared to the 2008 recession, the number of people losing jobs is not nearly as much.  Also, the job numbers still look very strong here in the US, based upon last Friday’s report.  But in the end, nobody knows what the Fed will do in terms of raising rates so this is something that you will have to keep a close eye on as well.

3)     The Data Privacy landscape:

When the COVID-19 pandemic was in its climax, data privacy regulators backed off from conducting audits and imposing any kind of financial penalties.  But now that the pandemic is more or less behind us, this is going to ramp up again to even greater degrees, as companies make even greater strides to move to the Cloud.  So, money will have to be spent in making sure that all of your controls are in place and are totally optimized.  To many CISOs this might seem like a sheer waste of time and money, but some spent now will help you avoid that audit and paying 10x more in financial penalties.

4)     Security training:

This is a component of your Cyber budget that you cannot let go.  Employees will need to be trained on a regular basis, and of course this is going to cost some money.  As a CISO, be on the look out for developing more effective means of training.  You can always outsource this particular function to a reputable Cyber vendor that specializes in this.  This can help you save some money in the end.

5)     Investments in new security technology:

This is an area in which, as a CISO, you need to have second thoughts on.  For example, I have written a lot in the past that it is always better to do with less than with more.  There are two reasons for this:  a) With more technologies in place, it will only expand the attack surface for the Cyberattacker, and b) Having more tools will simply mean that your IT Security team will more log files to filter through, which further lead to a phenomenon known as “Alert Fatigue”.  My thinking here is that if you can conduct a Risk Assessment, and from there take stock of you have, you can possibly rearrange things so that you create a more efficient and effective means of beefing up your lines of defenses.  The bottom line is this:  You are far better off with deploying three firewalls than ten firewalls, as long as they are strategically placed.

My Thoughts On This:

In my view, the uncertainty of inflation and the geopolitical situations will remain with us for a long time to come.  Therefore, it is important for you, the CISO to plan properly and accordingly.  But remember that you do not have to be alone in this process.  If possible, try to get an advisory board to work with you and to provide a second opinion.

One of the primary benefits of this is that if you need an infusion into your Cyber budget, you will have a group of well-seasoned executives to back you up not only in front of your CEO, but the Board of Directors as well.

 

Saturday, March 11, 2023

How To Avoid A Cyber Threat By Smelling Out The Urgency

 


There is one thing that is for sure in the Cyber world today:  The attackers are getting more and more clever in what they do.  And in fact, they phony websites and Phishing based emails look so real now it is almost impossible to tell what is real and what is not.  Even to the Cyber experts, this can be a problem, as even they can be duped into becoming a victim as well.  So now. What do they do to tell the differences?

Here are some clues that even the experts use to make sure that they think twice before clicking on that email or visiting a questionable website:

1)     Taking the time to breathe:

There is no doubt that all of us, in today’s society, get tons of emails every day in our inbox.  Heck, even I do.  Most of them are from other Cyber vendors and  lot of them are just newsletters or some other piece of content, such as alerting people about the latest threats that are out there.  In fact, it has gotten so bad that only do I mark most of them as Spam, but even some legitimate emails go into my Spam folder as well.  So I have to comb through that as well, wasting more time.  What I am trying to get at here is that there are times you might be expecting a real email from somebody that you actually know.  But instead, by coincidence (and I do mean that), you get an email from a Cyberattacker.  This psychological phenomenon is also known as the “Confirmation Bias”.  Technically, it can be defined as follows:

               “The tendency to process information by looking for, or interpreting, information that is   consistent with one's existing beliefs.”

               (SOURCE:  https://www.darkreading.com/risk/scams-security-pros-almost-fell-for).

               Let me illustrate this with an example.  A few years ago, during the holidays, I had made a purchase using my PayPal account.  About 5 minutes later, I got an email from PayPal saying that           the transaction did not go through.  Of course, I was quite alarmed, and I clicked on the link to           respond to without checking it first.  When I logged in, I realized that I was at a phony site. I         logged out immediately, and called PayPal.  They said that they never sent such an Email.  So I       quickly changed my password.  To this day, I don’t even know how it happened.  Somehow,   Cyberattackers are aware of your behavior, and when you do make a legitimate purchase at a            reputable Ecommerce store like Amazon, they send you a Phishing Email a few minutes stating    that something is wrong with your account.  Because of this sense of urgency, you respond.  The moral of the story here is this:  Even if you are expecting an Email from somebody you know,            always contact them to make sure that they sent it.

2)     Submission to authority:

From the moment that we are born, we are always taught to obey our elders, especially those that are in a position of authority.  This is of course a good trait to have as we evolve into adulthood, but this is yet another area that Cyberattackers use to make unsuspecting victims fall prey.  In fact, disguising oneself as this kind of figure falls into the realm of what is known as “Social Engineering”.  This is where the Cyberattacker uses techniques to particularly prey upon our most vulnerable emotions and feelings.  I can even relate to this a long time ago.  I was not in Cyber back then, but rather, I was a creative writer.  But back then, Smishing was still existent.  Long story short, I got a phony call from somebody stating that they were from the IRS.  They had made claims about a tax return that was in error from a few years ago.  Being much more naïve back then, I fell for it.  They had made further claims that I owed $3,000.00 in back taxes, and that I have to make payment with my credit card.  I immediately hung up. They kept calling back, and eventually I answered the phone.  The guy on other end (who claimed he was from the IRS) even yelled at me to make payment. Again, I started to fall prey to this, and almost gave my credit card information.  Something inside me made me hang up, and I did.  Eventually they stopped calling.  I called the Secret Service, and they said that the whole thing was a scam.  Luckily, they never got my credit card number.  This can also happen in the physical world also.  There are even stories of people who dress up as cops and even somehow can get the flashing lights installed onto their cars.  They then pull somebody over, and use that as a technique to cause even much graver harm to their victim much more so than a stolen credit card number.  Again, the moral of the story here is if you ever get a call, or a Phishing email, or any thing like that, or even something suspicious even in the snail mail, never respond quickly to it.  You’re your time, go through it, and try to confirm its legitimacy, if any.  If you have any doubts, always contact the sender.  On that point, Cyberattackers have even resorted to using the USPS as a means for reaching out and luring victims into their cross hairs.

My Thoughts On This:

As you can see here, the common thread is invoking that particular sense of urgency.  And, this is what the Cyber pros use when trying to detect a fake site, a phony call, or a Phishing email.  So keep one thing in mind:  There is always time. A legitimate and true organization will always give you some sort of time period to respond in, which will be reasonable to you.

So if you get anything with a sense of urgency attached to it, first, take your time and breathe.  Read and reread your Email, snail mail letter, etc. over and over again.  Try to find any clues if it is a fake or not.  Look for things like spelling mistakes, capitalization, misuse of grammar, etc.  Any doubts?  Call the sender before you do anything!!!  And remember, always trust your gut.  If something does not feel right, delete it, or just throw it away.

Also keep in mind that with the emergence of AI now coming into the world, it will even be that more difficult to tell what is real and what is not.  This is especially true of ChatGPT, the latest AI craze.  But that will be a topic for a future blog.

Thursday, March 9, 2023

The MSP & The MSSP: How To Get The Best Of Both Worlds

 


As 2023 ramps on forward, inflation is right now one of the biggest fears.  As a result, many businesses are now cutting back on things, especially when it comes to Information Technology and Cybersecurity.  This is especially true of the SMBs across the entire country.  With the financial markets in turmoil, nobody is sure what the future holds.

Businesses are looking for cost effective solutions to meet these needs to at least survive.  There are many Managed Service Providers out there that offer a plethora of IT services to businesses of all sizes and kinds.  This can even be confusing to choose from.  Many of them do not provide Cyber services either.  As a result, organizations have also to turn Managed Security Service Providers (MSSPs) to fulfill this need, thus doubling the cost.

What can an SMB do in this situation?  In this podcast, we have the honor of interviewing Andrew Schear, the Founder of Bloomfield Networks.  They offer both MSP and MSSP services to businesses, thus offering literally two for the price of one.

You can download the podcast at this link:

https://www.podbean.com/site/EpisodeDownload/PB13B166CAWKZB

Sunday, March 5, 2023

3 Reasons Why Corporate America Cannot Enforce Least Privilege

 


In the world of Cybersecurity, there is one mantra (there are probably hundreds of them) that rings true:  You never want to give out more rights, permissions, and privileges than you absolutely have to.  This holds for not only your employees, but the C-Suite, the Board of Directors, contractors, and even your third party suppliers. 

In other words, you only want to give enough for them to get their job done.  No more and no less.

This has become technically known as the concept of “Least Privilege”.  While in theory it sounds very plausible, in reality, it is quite different.  There are numerous reasons why businesses in Corporate America fail to adopt this principle. 

It could be that the IT Security team is just too busy and view this as a low priority, or the higher ups simply just don’t care.  Well, I came across an article this morning that cites three key factors why Least Privilege is so slow in being implemented.

Here they are:

1)     The digital world:

With the Remote Workforce of today, everything has pretty much gone all digital.  In the end, there is no need for an On Prem infrastructure, you can now put everything in the Cloud, like the AWS or Azure.  With all of this, employees are now getting access to more shared resources than they ever had before.  It’s still a mystery how this is possible, but because of this, the rights and permissions have not been properly assigned.  The end resultant is that many backdoors are now left open, the attack surface has increased, and Social Engineering threat variants are on the uptick.  If a business has moved to the Cloud, one of the first things they need to take stock are all of the rights that have been assigned to all people that are associated with the organization. But apart from this, whatever permissions an employee needs has to propagate to the other services that they could be accessing in the Cloud.  In other words, there needs to be some degree of visibility of who has what, and unfortunately, this is lacking today.  This is illustrated in the diagram below:


(SOURCE:  https://www.darkreading.com/attacks-breaches/everybody-wants-least-privilege-so-why-isn-t-anyone-achieving-it).

1)     Too many employees:

If you are an SMB with just a handful of employees, then implementing the concept of Least Privilege.  But now just imagine if your business is a multinational one, with literally thousands of employees and contractors around the world?  Then implementing Least Privilege can be quite an undertaking, at least initially.  But, there is no reason why this should be such a torture down the road.  I know for a fact that Microsoft Azure has great tools that you can use to enforce Least Privilege.  For example, there is the Azure Active Directory which lets you set up various groups, profiles, etc.  From there, you can then assign the needed rights and privileges, and then enter in the employees that belong in that profile.  In other words, if you have three employees that are starting out as administrative assistants, rather than assigning their privileges manually (which is not only time consuming but will also lead to more errors), you can merely enter in their names into the group they belong in.  Also, Azure has great IAM tools that you make use of to further enforce Least Privilege.

2)     How to quantify it:

Today, there is talk in the Cyber world of trying to quantify how Least Privilege has been distributed throughout a business.  But unfortunately, it is not a reality yet.  It would really be great to see numbers associated with how much an employee is given access to the shared resources, and what they can do with it.  But in the meantime, all the IT Security team can use are dashboards and visual cues to see how Least Privilege is being managed, and even misused.

My Thoughts On This:

It is important to keep in mind that the Cyberattacker of today is not simply going after any password of any employee.  Now, they are taking a much more targeted approach, and trying to go after those employees that have privileged or “super user” access. 

These would include primarily those that have administrative titles in both the IT department and the IT Security team.  There is a way to protect these kinds of accounts, and it is known as “Privileged Access Management”, also known as “PAM” for short.

This will be the focal for a future series of blogs, but in the meantime, I just published an eBook on this last week on Amazon.  You can buy it here at this link:

https://www.amazon.com/dp/B0BX1QZH7G#detailBullets_feature_div

 


Saturday, March 4, 2023

4 Key Takeaways From The Recent Biden Cyber Initiative

 


Remember back a couple of years ago, when Joe Biden became President, he signed an Executive Order (EO) for Cybersecurity?  I wrote a couple of articles on that for clients, but honestly, I have not heard too much about it after that.  There have been commentaries about whether if anything has come out of it or not, but I have not kept up.  But being the fact that it is the Federal Government, it could take a very long time before any concrete results are seen.

But just very recently, the Biden Administration came out with a new directive which has been called the “National Cybersecurity Strategy”.  The main objective is to take away the burden from individuals like us, and add more incentives so that all parties involved will be held responsible.

Here are some of the key takeaways of this new initiative (and maybe legislation???):

1)     A balance of accountability:

               Here is this part in Biden’s own words:  “"[The strategy] takes on the systemic challenge that too           much of the responsibility for cybersecurity has fallen on individual users and small users . . . by        working in partnership with industry, civil society, and State, local, Tribal, and territorial          governments, we will rebalance the responsibility for cybersecurity to be more effective and   equitable."  Simply put, the Biden Administration feels that as a society, too much of the blame     for security breaches in happening in the first place has been put on individuals and small                business.  Now, he wants all parties involved from the manufacture of a product to the point of          sale of it to have their equal responsibility.  It is supposed to come down to five separate areas:           Critical Infrastructure, the disruption of Cyberattack groups, having the vendors be more                responsible for the security features that they put into their products, the processing of data,          having better Cyber technologies that are affordable for all, and having much greater       international cooperation in terms of hunting down and prosecuting Cyberattackers and their              associated groups.  Of these, the Biden Administration feels that Critical Infrastructure and   holding the vendors to higher degrees of accountability will be the most important to success.            In this regard, he wants CISA and NIST to have a greater say so in terms of enforcement with        respect to their various frameworks.

2)     Having a Secure By Design approach:

With this, the main intent of focus is on the Critical Infrastructure of this country.  This includes things like the national power grid, water supplies, oil and gas lines, the food distribution system, nuclear facilities, etc.  The goal is to introduce a set of requirements and mandates that will make the CISOs of these places upgrade the technology that they have, so that they will be as Cyber proof as possible.  But here is the kicker:  As I have written before, the this is all legacy technology.  It was built and deployed in the 1960s and 1970s when nobody even heard of Cybersecurity.  One cannot just rip out these old technologies and put new ones, and also at the same time, you simply cannot deploy software upgrades and patches (and even firmware).  All of this stuff has to be interoperable with the legacy systems.  If not, you will even have bigger problems down the road.  IMHO, the key here is to examine all of our Critical Infrastructure, and create frameworks as to what will work best with what we already have.  It’s like our nuclear arsenal.  At the present time, the United States has an aging inventory of Minuteman III missiles.  Are you going to take those out and put new ones in place?  Probably not.

3)     Making vendors responsible:

This is probably the best one so far, in this entire initiative.  The aim here is to make vendors of Cyber products more accountable for the stuff they produce and sell.  They now have to held to much higher standards in terms of manufacture.  They also simply cannot walk away if a security breach actually occurs to one of their products.  In other words, the old days of blaming the consumer for anything and everything should now come to an end.  One of the areas that is going to get very close scrutinization is in the Software Development Lifecycle (SDLC) when it comes to the development of web interfacing applications and products.  Software developers have long been overlooked in this process, but now, they or their employers will be held to much greater levels of responsibility in case something does go wrong, and customers are impacted. This will all come down to creating what is known as a “Software Bill of Materials” framework.  But keep in mind that this already has been a long haul, even ten years in the making.  There has been legislation introduced on this, but it never moved forward.  The most recent action has taken place with the “Securing Open-Source Software Act of 2022”.  More details about this can be seen at the link below:

 https://www.congress.gov/bill/117th-congress/senate-bill/4913

One approach the Biden Administration plans to use is what is known as the “Carrot and Stick”.  The goal here is to offer small incentives and subsidies to the Cyber vendors in order to make them make more secure products.  Of course, the greater the effort that they put in, the more money they will receive.

4)     Greater cooperation:

Also, the Biden Administration wants to have much greater levels of cooperation with law enforcement agencies all over the world in order to bring Cyberattackers to justice.  Right now, the main parties involved here are the FBI and the Secret Service.  While they have done an awesome job in what they have achieved so far, they too have limited resources.  Thus, they need much more cooperation from countries abroad, especially when it comes to the sharing of intelligence.  Maybe other incentives could also be offered to make this part of the Initiative to move forward much more quickly. There also needs to be an emphasis on greater public and private cooperation here in the United States. 

My Thoughts On This:

The end resultant of all this is to difficult to tell.  Given the nonpartisan cooperation that exists in Congress today, it will probably be a very long time until any of this comes to fruition, if at all.  But I will give the Biden Administration a huge credit for one thing:  They are at least aware of what is happening out there in the Cyber world, and when compared to past Administrations, they are taking a much more proactive approach in securing the United States.  My hats off to them for at least that much.

The entire National Cybersecurity Strategy can be seen below at this link:

https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf

How To Launch A Better Penetration Test In 2025: 4 Golden Tips

  In my past 16+ years as a tech writer, one of the themes that I have written a lot about is Penetration Testing.   I have written man blog...