Thursday, June 29, 2023

Stopping Ransomware At The Hardware Level

 


When the COVID-19 pandemic hit, all hell broke loose on the Cybersecurity Threat Landscape.  For instance, many new threat variants emerged, and old ones resurfaced.  But probably the biggest threat to evolve was that of Ransomware.  As we all know, this is where a Cyberattacker literally holds your device hostage, and encrypts all of the files that are contained within it.  The only way to recover it is if you pay a ransom, usually in Bitcoin.

But again, there is no guarantee at all.  Only a very small handful of Cyberattacker groups have actually delivered on their promise and sent the decryption keys to the victim.  Ransomware attacks have now become even deadlier, with the Cyberattacker selling PII datasets on the Dark Web, or even worse, launching extortion-like attacks.

What can a business owner do?  Well, in today’s podcast, we have the honor and privilege of interviewing Tom Ricoy, the Chief Revenue Officer at a Cybersecurity firm known as Cigent.  They have created many solutions so that you, the SMB owner, can mitigate the risks of a Ransomware attack.  Find out more by listening to this podcast; the download link is right here:

https://www.podbean.com/site/EpisodeDownload/PB1445D1E72SC2

 

 

Wednesday, June 28, 2023

How To Leverage Automation to Optimize Cyber Risk Management

 


As the Cybersecurity Threat Landscape grows in sophistication, covertness, and stealthiness, one theme remains constant:  gauging what your risk level is.  To different individuals and businesses, this will have very different meanings and approaches.  Part of the reason Cyber Risk is such an ambiguous term is that both quantitative and qualitative factors can be taken into consideration.

Some companies cannot handle any kind of risk, while others can withstand a lot more without bearing much of a financial burden in the end.  But calculating what your level of Cyber Risk actually is can be just as complicated as defining it.  There are many methodologies available to choose from, but even this can be confusing.

So where does one get started?  Well, in this podcast, we have the honor and privilege of interviewing Padraic O’Reilly, the Co-Founder and Chief Product Officer of Cyber Saint Security.  He and his team have created a number of tools and solutions with which you can easily calculate the Cyber Risk of your company.  Find out more by downloading the podcast at this link:

https://www.podbean.com/site/EpisodeDownload/PB1444039ZA5JD

Saturday, June 24, 2023

The Top 3 Cyber Risks Of Latent Data

 


There is no doubt that businesses today are facing uncertain times.  A lot of this has been due to the layoffs in the tech sector, and the persistent interest rate hikes by the Federal Reserve to keep inflation at bay.

But one thing is also for certain, the growth of AI and ML has picked up its pace very quickly since the beginning of this year, and a lot of that has been driven by the evolution of ChatGPT. 

But what people fail to realize is that both AI and ML need to learn.  In other words, they need to be given a baseline from which they can literally learn something, and from there, try to predict the outcome of an issue or an event, or simply answer a query that an end user could pose to ChatGPT.

But in order to do this, it all takes data, and tons of it.  This can be compared to putting fuel in your car.  If you don’t have any, you of course will not go anywhere. 

This is the same with AI and ML.  They need data as their fuel to keep their algorithms and models running on a real time basis. 

This can be in the form of structured data (which is quantitative in nature), or unstructured data (which is qualitative in nature).  But what the actual datasets need to be will depend upon what the AI/ML application has been designed to do.

The world of Data Science is truly a unique one, and in fact, to get off the subject a little bit, this is where the majority of jobs will be in the future.  But there are different kinds of data (apart from the ones just mentioned).

For example, there is Data at Rest, Data in Motion, and Data in Transaction.  To make life even more confusing, a new data classification has now been emerging out of the woodwork.

This is known as “Dark Data”.  What is it, you may be asking?  Well, a technical definition of it is as follows:

“These are the information assets organizations collect, process and store during regular business activities, but generally fail to use for other purposes (for example, analytics, business relationships and direct monetizing).”

(SOURCE:  https://www.gartner.com/en/information-technology/glossary/dark-data)

Put in simpler terms, this is the information and data that is not being used by a business; it is simply being stored for no useful purpose.  One might wonder why a business would do this, but it is hard to give an answer.

Obviously, they have their own reasons for doing this, and it is something that would not be public information.

One of the biggest issues with storing Latent Data is the sheer cost of storage, which can add up quickly.  For example, if you have On Premises Infrastructure, you have finite resources.  But if your IT and Network Infrastructure is based in the Cloud (such as AWS or Azure), you will have many resources at your disposal to store these datasets.

Although the Cloud offers you both elasticity and scalability in this regard, using more storage will also add to your monthly bill.  To give an example of this, it has been quoted that Netflix has spent nearly $10 Million per month on storing Latent Data.  (SOURCE:  https://www.comparitech.com/blog/vpn-privacy/netflix-statistics-facts-figures/).

Another key issue to keep in mind is that even if you are not using these kinds of datasets, simply storing them for indefinite periods of time will also make you subject to the various data privacy laws, such as the GDPR, CCPA, HIPAA, etc.  This will mean that you will have to make sure that you have implemented the right kinds of controls to protect these datasets.

If you don’t, and the data is leaked out, you will not only be the subject of an audit, but you could also face very stiff fines and penalties as well.  For example, under the GDPR, this can amount to up to 4% of your total gross revenue.  Now, that is a huge chunk of change, IMHO.

Third, there is a huge risk that data simply kept around for no useful purpose whatsoever will become prey to the eyes of the Cyberattacker.  In fact, this would be a very easy target to go after.  If he or she gets hold of it, they can use it to launch ID Theft attacks, sell it on the Dark Web, or worse yet, make it publicly available in an extortion-like attack.

By having this “useless” kind of data, not only are you putting your employees and customers at grave risk, but you are also risking your complete brand image if you do experience a data leakage issue, whether it is intentional or not.

My Thoughts On This:

Simply put, keeping any sort of extraneous datasets around is a huge risk to bear.  Not only can it be costly, but it can even lead to the security risks just reviewed.  So what is the best way out of this situation?  Simply delete whatever you don’t need or use.

For example, if you have launched a recent marketing campaign, and have already used the information and data that has been collected from it, there is no use having it around.

Remember, datasets can lose their value to a company quickly over time if they are not updated.  Updating them can also be a costly proposition if you have no solid business case for doing so.

But, if you do intend to get rid of Latent Data, make sure you hire a data destruction company to do it.  Have everything documented in case you do ever face an audit from a regulator.

Automatic Vs. Autonomous Vs. Human Penetration Testing: Which Is Best???

 


Just last night, I finished and submitted my final manuscript for my 12th book.  It is all about Ransomware and Penetration Testing.  We all know to varying degrees how dangerous Ransomware can be, but believe it or not, it has been around for the last 30 years or so. 

In fact, the first Ransomware attack was delivered using a floppy disk.  But this threat variant has evolved into something that has become extremely dangerous and costly.

For example, the Cyberattacker of today is not just locking up your computer and encrypting your files.  Rather, they are now threatening extortion-style attacks, where they will expose your PII datasets if you don’t pay up.

Or worse yet, they can even sell it on the Dark Web.  But as I stated in the book, we are all at risk of becoming a victim of Ransomware; the key is in learning how to mitigate that risk from actually happening.

One of the best ways to do this is through what is known as a Penetration Test.  This is where you hire a team of individuals, or even a company that specializes in doing this, and they literally try to break down your walls of defense.  In other words, they take on the mindset of an actual Cyberattacker, and throw everything and anything they have at your IT and Network Infrastructures.

You may be asking at this point, why go through all of this?  Well, this is about the best way to truly find out where your weaknesses and vulnerabilities are.  In many ways, it’s like a cardiologist conducting an angiogram on your heart.

They will not truly know where the blockages are until your heart is illuminated with the special dye.  From there, the proper course of medical treatment can then be followed.

The same is true with a Penetration Test.  A tester will not know what kinds of remediations and controls you need to put into place to cover your gaps until they do the needed testing.  But it is very important to keep in mind that this is all what is known as “Ethical Hacking”.

In other words, the Penetration Testing team not only needs to have your explicit permission to do all of this, but you and they have to sign a contract.  And, if the Penetration Testing team feels that they need to do more tests, then they will have to explain the objectives and also ask for written permission in that regard.

Personally I have never done a Penetration Test, but I have heard stories about it from people I know that actually do them.  But this morning, I came across a very interesting article from an individual that does this kind of work, and he offered three tips of free advice on how to keep your business safe.  Here they are:

1)     Adopt the Zero Trust Framework:

This is one of the biggest buzzwords in the Cyber industry today, and its basic mantra is “Never Trust, Always Verify”.  What it all comes down to is that no employee in your business should be trusted by default when it comes to access to shared resources or PII datasets.  This even extends to the employees that have been with you the longest.  Any time anybody wants access to something, they have to be verified.  But the key here is that this happens with at least three different authentication mechanisms.  These include a password, a PIN number, an RSA token, or even Biometrics.  Another part of the Zero Trust Framework is to break your IT and Network Infrastructures out into different zones or segments, each with its own layer of defense, using Multifactor Authentication.  So essentially you are breaking away from the traditional Perimeter Defense model, which is so easy for a Cyberattacker to break into these days.  Although this is all heavily preached, it is rarely practiced in the real world.  According to a recent survey reported by the online magazine “CIO”, only 25% of organizations have actually deployed this new approach.  More information about this can be seen at the link below:

https://www.cio.com/article/230351/network-segmentation-as-security-imperative.htm

The key takeaway here is that you should have the right mix of controls in place, both from a logical and a physical perspective.

2)     Keep your IT/Network Infrastructure Modern:

By this, I don’t mean that you should buy everything out there that has come out.  But keep your systems and devices all updated with the latest patches and upgrades.  This includes firmware.  Whenever you get that “End of Life” notice, it is time to start thinking of replacing your hardware.  Most vendors are pretty good at giving you advance notice about all of this, and I know for a fact that Microsoft gives customers at least 12 months’ notice before anything comes to this extent.  But even after this, there is still usually a small grace period in which full support is still provided.  The best solution here is to use the Cloud, like Azure.  With this, you don’t even have to be concerned with applications running out of service life.  Microsoft takes care of all of that for you.

3)     Monitor your logs:

Probably the best way to find out if anything is awry is to keep a constant check on the files that are output by your network security devices.  Now, this may sound like a horrible and tedious chore to do, but you can automate this entire process by using both AI and ML.  For example, they can filter through all of the logs, and alert you and your IT Security team to any abnormal behavior in network traffic patterns.  Also, they will be able to filter out all of the false positives that come in.  That way your team can focus on what is real and legitimate.
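To make the log-monitoring tip concrete, here is an added example (mine, not from the original post or any vendor) of the simplest form of "alert on abnormal traffic, suppress the known false positives": learn a per-host baseline of daily outbound bytes from a week of flow summaries, then flag hosts whose latest volume is far above their own norm.  The log format, host names and byte counts are all constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow summaries (one line per host per day: date host out_bytes).
# Host names and byte counts are made up for this example.
BASELINE_LOG = """\
2023-06-01 ws-017 48213000
2023-06-02 ws-017 51002000
2023-06-03 ws-017 49750000
2023-06-04 ws-017 50120000
2023-06-05 ws-017 47980000
2023-06-06 ws-017 52300000
2023-06-07 ws-017 49400000
2023-06-01 db-02 120000000
2023-06-02 db-02 118500000
2023-06-03 db-02 121700000
2023-06-04 db-02 119900000
2023-06-05 db-02 122400000
2023-06-06 db-02 120800000
2023-06-07 db-02 119100000
2023-06-01 backup-01 900000000000
2023-06-02 backup-01 910000000000
2023-06-03 backup-01 895000000000
2023-06-04 backup-01 905000000000
2023-06-05 backup-01 898000000000
2023-06-06 backup-01 902000000000
2023-06-07 backup-01 899000000000
"""

# The window being checked: a workstation suddenly sending 2.1 GB, a normal
# database host, a backup server having a big day, and a never-seen host.
TODAY_LOG = """\
2023-06-08 ws-017 2100000000
2023-06-08 db-02 121000000
2023-06-08 backup-01 1400000000000
2023-06-08 ws-203 30000000
"""

# Hosts expected to move large, variable volumes (e.g. a backup server).
# Their spikes are reported separately instead of paging the team.
KNOWN_NOISY_HOSTS = frozenset({"backup-01"})


def parse_flow_log(text):
    """Parse 'date host out_bytes' lines; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        records.append((parts[0], parts[1], int(parts[2])))
    return records


def build_baselines(records):
    """Per-host mean and population stdev of daily outbound bytes."""
    per_host = defaultdict(list)
    for _date, host, out_bytes in records:
        per_host[host].append(out_bytes)
    return {host: (mean(v), pstdev(v)) for host, v in per_host.items()}


def score(baseline, out_bytes, min_spread=0.05):
    """z-like score. The spread is floored at 5% of the mean so that a
    near-constant baseline does not turn every tiny wobble into an alert."""
    mu, sigma = baseline
    spread = max(sigma, min_spread * mu)
    return (out_bytes - mu) / spread if spread > 0 else 0.0


def triage(baseline_text, today_text, noisy_hosts=KNOWN_NOISY_HOSTS, k=3.0):
    """Return (alerts, suppressed). Alerts are spikes on ordinary hosts plus
    hosts with no baseline at all; suppressed are spikes on known noisy hosts,
    kept for review rather than dropped on the floor."""
    baselines = build_baselines(parse_flow_log(baseline_text))
    alerts, suppressed = [], []
    for _date, host, out_bytes in parse_flow_log(today_text):
        if host not in baselines:
            alerts.append({"host": host, "bytes": out_bytes,
                           "reason": "no_baseline", "score": None})
            continue
        z = score(baselines[host], out_bytes)
        if z < k:
            continue
        entry = {"host": host, "bytes": out_bytes,
                 "reason": "volume_spike", "score": round(z, 1)}
        (suppressed if host in noisy_hosts else alerts).append(entry)
    return alerts, suppressed


if __name__ == "__main__":
    found, quiet = triage(BASELINE_LOG, TODAY_LOG)
    for entry in found:
        print("ALERT", entry)
    for entry in quiet:
        print("suppressed (known noisy host)", entry)
```

A real deployment would feed this from your firewall or NetFlow exports and tune the threshold and allowlist against your own traffic, but the shape of the logic is the same.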

My Thoughts On This:

There are also many new buzzwords that are coming out in Penetration Testing, and they are “Automatic” and “Autonomous”.  Many Cyber vendors of today are trying to deploy software packages that can conduct Penetration Testing on their own, proclaiming the fact that human intervention is not needed.  Now, I have to put a disclaimer here. 

I have not personally tried out these tools myself, but if I were having a Penetration Test, I would still want an actual, real live human being doing it.

I am all for automation for certain parts of a Penetration Test, but you cannot rely on just that solely.  You still need that human presence to walk you through what was discovered, and what the remediations are to fill up your gaps and vulnerabilities.

Saturday, June 17, 2023

The Problem With Borderless Data: How To Come Into Compliance

 


In today’s times, one of the biggest issues in Cyber is that of protecting data, especially that of customers and employees.  These can also be referred to as Personally Identifiable Information (PII) datasets.  Just about every company, large and small, in Corporate America is always scrambling to figure out the best ways to not only protect them, but also to make sure that they are not leaked out, intentionally or not.

In this regard, many of these companies are also starting to realize that maintaining databases On Prem is probably not the best way to go.  So, the mass migration to the Cloud, such as to AWS or Azure, has begun.

The primary reason for this is that these Cloud providers can offer customers the latest in cutting edge technologies when it comes to creating databases, as well as free tools when it comes to protecting them.

But best of all, when compared to an On Prem database, these solutions are a lot more affordable in terms of price, and it is up to the Cloud provider to keep your databases updated and secure.  But keep in mind that you are still 100% responsible for configuring any database that is deployed in the Cloud to your own security requirements.  That is not the duty of AWS or Azure.

But despite this, there still remains a large issue.  For example, what if a US based business also has offices, employees, and even customers in another country, such as the European Union?  Who owns this data, and most importantly, how will this business come into compliance with the data privacy laws for that particular country?

This is where some serious problems come in.  While once again the Cloud is a great venue, the lines become extremely blurred as to where the data is geographically stored.  While AWS and Azure do give you a choice of the geographic area in which you want to house your database, it is very general in nature.

For instance, it will only ask you if you want to have it in Europe, Australia, a certain part of the US, etc.  You really do not know the exact physical location of your database server.

The Cloud providers do this primarily for security reasons, obviously.  But it is no help to the business, as they are trying to figure out which data privacy law they need to come into compliance with.

The most famous of these is the GDPR, which was passed and enacted five years ago.  In fact, this law remains the de facto standard, and it is from this that many of the other data privacy laws have emerged; as of today, there are well over 130 of them on a global basis.

Complicating this matter even more is that in order to get the most affordable price for their Cloud deployment, many companies often choose what is known as a “Shared Hosting Plan”. 

Although you will have the look and feel of your own server (you will get a dedicated control panel), the truth of the matter is that your virtual server is actually stored on one physical drive, which houses many other virtual servers, owned by other businesses (these are also known as “tenants”). 

So how do you know that there is no cross talk or spillover from one tenant to another?  There is no guarantee of this, and in this instance, you are left to the mercy of the Cloud provider to prevent it from happening.  So, while you may think your database is being hosted in Europe, how do you know which country it actually resides in?

Once again, the Cloud providers are very elusive in providing this kind of information.  In the end, the business owner needs to know, so they will know which specific data privacy law affects them, and how they need to come into compliance with it as well.

Now while the Cloud can offer great cost savings upfront, the rest is made up by the business having to shell out huge amounts of money in order to make sure that they have implemented the right controls as mandated by the data privacy law to protect the datasets. 

But once again, if a business does not know at least the general vicinity of where their data is being stored, how will they know which law to follow?

One of the primary reasons why companies are in such a huge rush to come into compliance is not only the damage to brand reputation in case of a security breach, but also the fear of audits.  For example, if a GDPR regulator decides to audit your controls, and finds that they are not adequate, the company in question can be fined as much as 4% of their entire gross revenue.

Now, that is a huge chunk of change.

The most recent example of this is Meta, the famous parent company of Facebook.  They were fined a whopping $1.3 Billion because of not having the right controls in place to protect the PII datasets of the customers in the European Union.  More information about this can be found at the link below:

https://www.darkreading.com/endpoint/meta-hit-1-3b-record-breaking-fine-gdpr-violations

And guess which data privacy law the fine was imposed under?  Yep, you got it, the GDPR.  But now here comes a new problem:  the advent of both AI and ML.  For any business, no matter how large or small, harnessing datasets can be a very time-consuming and laborious task if it is done by human beings.

Of course, nobody has that kind of time.  So as a result, many businesses are now relying upon AI and ML to automate the processes of going through the datasets, and manipulating them to find any intelligence or unseen trends.

Because of this, not only does the storage of data become an issue, but even where it is being processed becomes a whole different ballgame.  For example, what if a US business has the actual data stored in Germany, but the actual processing of it takes place in California?

Now, they have to deal with two sets of data privacy laws, not only the GDPR, but also the CCPA.  This not only adds more confusion, but even more expense as the business tries to come into compliance with both sets of laws.

In the end, the technical term for all of this is “Borderless Data”.  For more insight into this, click on the link below:

http://cyberresources.solutions/Blogs/Borderless_Data.pdf

My Thoughts On This:

This of course is by no means easy to resolve.  Probably one of the best ways forward is for the Cloud provider to be more transparent with the Cloud tenants about the geographic location where the databases are being hosted.  This does not have to be public information, and the Cloud provider can (and should) disclose this to a trusted officer of the tenant.

Another option would be to offer one location where all of the databases are created and all processing takes place.  For instance, if the business picks one datacenter in the US, at least they will have a much better idea of which data privacy law to follow.

But for the time being, what makes this matter even worse is that each state is now coming up with their own data privacy laws, with different provisions attached to them.

So, this once again brings up the question of centralizing all Cyber efforts into one place, at least here in the United States.  Is it time now for a Department of Cybersecurity to do this?  It may very well happen.  Stay tuned.

Friday, June 16, 2023

Going On Summer Vacation? 3 Golden Ways To Stay Cyber Safe

 


In the blogs that I have written in the past, a common theme was when the Cyberattacker would strike.  As we all know, this can happen at any moment.  But, in a given calendar year, there are other times when the Cyberattacker lurks out of the woodwork in greater droves than usual.  Some of these include the following:

*Tax Season

*Black Friday

*Cyber Monday

*December, as gift shopping ramps up to greater degrees

But there is also another time when they lurk out.  And believe it or not, that time is now, as the summer season officially starts on June 21st of this year.  Now is the time when people will be planning their much-earned trips and vacations, and basically let loose. 

But unfortunately during this time period as well, people let their guards down, and personal security becomes much more of an open door for the Cyberattacker.

For example, people tend to forget whether they are making a payment for a trip over a secure website, or how much personal information they are giving out.  There is also the tendency to use the credit card much more casually, and not pay attention to where it is being used, and more importantly, who is processing the transaction with your card.

So what can you do to stay safe this summer as you enjoy your trip(s)?  Here are some quick tips that you can follow:

1)     Leave work at home:

For a lot of Americans, this is a no brainer.  Heck, who wants to think about work when you are lying on the beaches of Hawaii or Florida?  But for many people, especially those who are remote workers, there is no segregation of fun time and work time.  Even when they are on vacation, they still tend to be at work.  But one of the biggest security mistakes is to take your work with you when you travel, especially when it comes to transporting work-related devices.  This is the time you could lose something very critical, or perhaps your work laptop could even be stolen, and from there, all of the information and data on it can be hijacked and sold on the Dark Web.  So the best advice here is:  leave work stuff at home.  If possible, even lock up work-related devices in a safe to reduce the chances that they could be stolen.

2)     Don’t log into public hotspots and WiFi:

One of the cardinal rules in Cybersecurity is to never log into your device at a public spot using their network connectivity.  Nine out of ten times, these connections are unencrypted, and the password to use is publicly known.  Worse yet, a Cyberattacker could be sitting next to you, acting very friendly.  But unbeknownst to you, he or she could be carrying a portable network sniffer in their pocket, which can very easily capture the data packets being transmitted from your device to the public hotspot.  Once these data packets have been collected, they can be very easily reassembled in order to capture the details of all your network communications.  Very likely this will even include your passwords, credit card and other banking information.  From here, the Cyberattacker can then log into your accounts and cause even more damage.  So when you are on vacation, avoid using public networks under all circumstances!!!  If you have to use a work-related device in a public place, use the hotspot from your iOS or Android device as much as possible.  At least they have passwords that are difficult for the Cyberattacker to guess on the first try.  Another threat you need to be concerned about when on vacation (or for that matter any other time you visit a public spot) is what is called “Juice Jacking”.  This is where the Cyberattacker deliberately loads malware onto public USB charging stations.  This has become so bad that even the FBI and the FCC have put out alerts on this.  To see more information about this, click on the link below:

https://www.fcc.gov/juice-jacking-tips-to-avoid-it#:~:text=Cybersecurity%20experts%20warn%20that%20bad,passwords%20directly%20to%20the%20perpetrator.

Apart from using your own hotspot, as an additional layer of protection, always use a VPN.  These are essentially software packages, and are very affordable through many ISPs.  Also, to avoid becoming a victim of Juice Jacking, always charge up your phone with your own cables.  Remember, public WiFi is the one area where the Cyberattacker will be making their move.  In fact, according to one recent survey, over 40% of respondents claimed that their personal information has been hijacked in this fashion (SOURCE:  https://www.forbes.com/advisor/business/public-wifi-risks/).

3)     Watch for abnormal activity:

As mentioned, once the summer comes, everybody wants to go on vacation, especially around Memorial Day weekend and the 4th of July.  But as a business owner or CISO, always try to be fully staffed at all times.  Never staff your SOC with just a minimal crew; in other words, your IT Security team should be fully staffed year-round, so that they can respond to threats quicker.  Try to arrange vacations and other paid time off to accommodate this.  If need be, even hire temporary contractors to augment your staff if you find yourself shorthanded, though this should only be done as a last option.  Another alternative here is to use AI and ML.  These tools can keep track of anything out of the ordinary, and immediately alert you if something is not right.

My Thoughts On This:

When you are on vacation, your first priority is to enjoy yourself and relax wherever you are.  Don’t let the Cyberattacker get the best of your fears.  Your best line of defense is simply to practice common sense and be aware of your surroundings, especially if you are visiting a geographic location you have never been to before.

Saturday, June 10, 2023

How Biden's Backstop Plan Can Make Cyber Insurance Available To All

 


As I keep saying, there is no doubt that the Cyber world is an ever changing and dynamic one.  It could even be changing literally on a minute-by-minute basis.  It’s because of this, and the overload of information that comes with it, that it is difficult for both individuals and businesses alike to keep up with the latest, and protect themselves the best way that they can.

But some good news here is that businesses can be protected to varying degrees financially, with the help of Cyber Security Insurance.  Simply put, this means that if your business has been hit with a security breach, then technically you can file a claim, and get some sort of payout from it, in order to help you bounce back. 

But remember, getting Cyber Insurance is not as simple as that.  It is nowhere near like purchasing car insurance.  For example, when you first file an application with a carrier, you must first prove to them that you have taken all of the steps to be proactive about protecting your business.

This is very often demonstrated by completing a questionnaire, and having a third party verify that everything in it is true.

This of course can take quite a bit of time, especially if you don’t have the controls in place, which is very often true of the SMB owner.  Once you get approved, then of course you have to pay your monthly or annual premiums.  This can be an expensive chore, depending upon how big your business is, and the kind of industry that you are in. 

Finally, keep in mind that if you do file a claim, there is no guarantee that you will get a payout of any kind.  The reason for this is that insurance carriers have really cracked down, especially when it comes to Ransomware payments. 

Not only this, even if you have never filed a claim, an insurance company can still always audit you to make sure that you are compliant with your agreement. 

This convoluted circle has been getting worse lately, and because of it, many business owners of today (and even individuals) are finding it harder to get a good, comprehensive policy.  Some good news here is that the Biden Administration has taken a stance to make this easier to attain, with their recent National Cybersecurity Strategy. 

More information about this can be seen at the link below:

https://www.darkreading.com/ics-ot/bidens-cybersecurity-strategy-calls-for-software-liability-tighter-critical-infastructure-security

But they have actually gone one step further than this.  For example, do you remember the horrific days of 9/11, and the WTC buildings collapsing?  Well, that same fear still exists, but not on the physical level like that.  Now, the fear is that of a huge and massive Cyberattack against the United States, brought on by nation state actors.

One such scenario could be where the Critical Infrastructures are totally wiped out in all of the major US cities, such as Chicago, Los Angeles, NYC, etc.

The main problem here is that these are old, legacy based systems.  Not only would it take a very long time to bring these systems back online, but it would also be a very expensive proposition as well.  This is where the Biden Administration would also step in.  In their plan, they have called for what is known as a “Cyber Insurance Backstop”.

Although I am not familiar with all of the details into it, the basic thrust here is that should the US fall victim to nationwide Cyber-attack, the Federal Government would step in, and provide whatever financial assistance is needed in order for the nation to recover as quickly as possible. 

In a way, this is also analogous to the situation back in the 08-09 recession where they also stepped in to bail out the big banks and other financial institutions.  An article from the Wall Street Journal about this can be seen at the link below:

https://www.wsj.com/articles/u-s-government-to-explore-cyber-insurance-backstop-ddc94c11

Although there are critics who fear government intervention (not trying to get political here), who would not want this kind of assistance?  As a private US citizen, I know that I would want to have it!!!

As stated earlier, although the details of it are still in the works, there are some huge benefits to having a national plan like this, some of which are as follows:

*There will be less burden on the insurance carriers.  In the event of a national Cyber-attack, it will be this group that is called to act first.  But given that they have limited resources as well, they will need that extra surge of money from the Federal Government so that they don’t go broke too.  In other words, there would be a transfer of risk, which would be hugely beneficial to all.

*In the event of a wide scale Cyber disaster, the Federal Government can put more money into the market, so that there will not be a collapse of our financial infrastructure.  I am thinking that this would happen in a manner similar to when COVID-19 hit, and the Trump Administration back then signed into law the allocation of trillions of dollars.  Of course, there will be side effects from all of this down the road, as we are seeing now with inflation.

*A centralization of Cyber efforts and initiatives.  After 9/11, the Bush Administration created the Department of Homeland Security (DHS).  This was done in an effort to centralize all of the information and intelligence coming in about terrorist activities.  The same needs to be done for Cyber, in that a Department of Cybersecurity needs to be created.  With this kind of centralization, there is a greater chance that insurance policies will contain clearer language and that coverage will be made available to everybody (kind of like Obama Care).  It is hoped that this effort will cut down on the sheer number of frivolous lawsuits that are occurring today.

My Thoughts On This:

Although I am by no means a Cyber Insurance expert, I have written whitepapers and articles about it, so I do know something about it.  Heck, I even have had people ask me questions about it.  Yes, the Cyber landscape is a complex one, but recovering from an attack does not have to be. 

In this country, insurance companies are often both loved and hated, in the sense that most of your claims will get paid, but not all of them.

With this backstop strategy, there will be some guarantees now that full payments and restitution can be made.  After all, if the Federal Government can provide this kind of assistance to victims hit by natural disasters (such as hurricanes, floods, fires, etc.), why can’t this be applied to the Cyber world as well?

It can be, and it will.  The only question now is when.


Friday, June 9, 2023

How To Keep Your SOC Up To Speed: 5 Golden Tips

Many people may not know it, but if your business outsources its IT Department or even its Cybersecurity, it is more than likely you are making use of what is known as a “Managed Services Provider” (“MSP”) or a “Managed Security Services Provider” (“MSSP”). 

The former takes care of your day-to-day IT needs, whereas the latter looks after your security needs.  But what is less widely known about these kinds of organizations is that many of them operate what is known as a “Security Operations Center”, or “SOC” for short. 

Depending upon the Service Level Agreement (SLA) that you have with them, they will typically keep a 24 X 7 X 365 watch on all of your IT assets, and make sure that they are protected with the best level of controls possible. 

All of this is monitored by a team of professionals at the SOC.  Some SOCs are very large (on the scale of what Microsoft runs), and some are very small, staffed by only two or three people.

Whatever the size is, their primary job is to make sure that your business is protected.  Because of this, it is very important for the SOC to stay ahead of the curve, and adopt the latest technologies so that in the end, they can offer you the best services that are possible.  But apart from that, given the world that we live in today, they also have to:

*Gain the deepest levels of trust from their customers.  After all, if your business has been impacted by a security breach, your MSP or MSSP will be the first ones to be blamed (along with the CISO of course), and probably even found liable. 

Of course, then you will want to switch quickly over to another provider.  Also, the landscape here is very competitive amongst them.  The only way that they can win out is through great customer service.

*Protect your data and make sure it remains intact.  If your business has tons of data that it uses, more than likely you will be storing it at the site of your MSP or MSSP, or if it is stored in a Cloud deployment that you have, then they will oversee that as well.  The bottom line here is that if you are trusting them with your datasets, then they become the stewards of that data, with complete responsibility for its safety.  Again, if anything happens, they will be the first ones to be blamed.

*Make sure that there are extremely minimal disruptions to your IT and Network infrastructures.  These days, the Cyberattacker is also going back to old ways of launching an attack.  A prime example of this is the good ‘ole DDoS attack, which can literally bring your servers to a crawl.

*Coming into compliance.  If your MSP or MSSP is going to be your data steward, then they are going to have to come into strict compliance with data privacy laws such as HIPAA, the GDPR, and the CCPA.  If they don’t have the right controls in place and are audited, they could face some serious fines and penalties.  For example, under the GDPR, the penalty can be as high as 4% of annual global turnover (or €20 million, whichever is greater).

So, in order to keep up with all of these requirements, what can an MSP or MSSP do?  Here are some tips:

1)     Stop emphasizing technology so much:

This goes back to something I have written about who knows how many times.  Good Cybersecurity does not come from technology alone.  Yes, it is important that a SOC uses the latest tools and keeps them updated, but equally important are the people who staff them.  You need trained analysts who can triage the alerts and warnings that come in and decide which ones matter, and you need a human being to contact the customer when a security breach is about to erupt.  But most importantly, get away from the siloed approach that is so often seen in SOCs today.  You need to foster open transparency and communication, because what matters in the end is keeping your customers safe, and that cannot be accomplished when nobody in the SOC is talking to anybody else.

2)     Make sure you are safe:

Although it is the job of the MSP or MSSP to make sure that their customers are secure, they also need to make sure that they are safe themselves.  Remember, the threat landscape is wide open to the Cyberattacker.  They will attack whenever and wherever possible, and that includes the SOC itself.  So, make sure that you conduct the right kinds of Risk Assessments against your own infrastructure, in an effort to make it as airtight as possible.

3)     Use existing frameworks:

The one thing that the world of Cybersecurity is known for are all of the frameworks and standards that are in existence (with even newer ones coming out).  An SOC should try to pick one and stick to it, and apply that to their customers as well.  One of the primary reasons why I say this is that if there is a security breach and you are audited, you can at least say that your SOC was following established procedures, in an effort to help soften the blow of any penalties that might be invoked.

4)     Respond quickly:

If they are impacted, your customers are counting on your efforts to mitigate the risk as quickly as possible, so that they can be back up and running with minimal downtime.  This will hinge, of course, on the SOC having a well-defined Incident Response (IR) plan in place.  It is not enough to have it documented; it must be rehearsed regularly (at least once a quarter), and the plan must be updated with any lessons learned.  To make this as effective as possible, get your customers involved in the exercises as well.

My Thoughts On This:

Another line of defense that an SOC can use is the Zero Trust Framework.  This is where you further segment out your IT and Network infrastructures, and are always practicing this mantra:  “Never Trust, Always Verify”.   For more details on enhancing your SOC, click on the link below:

https://www.darkreading.com/attacks-breaches/7-metrics-to-measure-the-effectiveness-of-your-security-operations


How To Defend Your Business From A Gun Attack

In the world we live in today, mass shootings have unfortunately become an unsettling norm.  Hardly a day goes by when one does not hear about innocent people being shot, whether on a school playground, a college campus, or an ordinary shopping mall.  Worse yet, people have even been shot in their own backyards.

What can be done about this?  Obviously, this is a political issue, and it must be dealt with at the Congressional level with stricter laws.  But this, of course, can take quite some time to accomplish.  Until then, we have to rely upon technology in order to better detect who is carrying a gun or other type of weapon.  True, there are the traditional magnetometers that you see in airports, but the technology must be versatile enough that it can be deployed into any kind of environment.

In this podcast, we have the honor of interviewing Chris Ciabarra, the Co-Founder and CTO of an organization known as Athena Security.  Chris has led the development of advanced weapons detection technology that, best of all, can fit just about any kind of environment where it is needed the most.  Find out more about this by listening to the podcast.

You can download it at this link:

https://www.podbean.com/site/EpisodeDownload/PB142C983QZBPG

Saturday, June 3, 2023

Beware Of The Phishing Variant: The "Picture In Picture" Threat

I think I wrote in a previous blog about how Phishing scams have become much more powerful and sophisticated, and it is not because the Cyberattacker is getting smarter.  It is because they now have much more powerful tools at their disposal to make a fake email message convincing. 

Gone are the days of looking primarily at misspelled words, typos, URL links that don’t match up, etc. 

Now, you have to look at the picture embedded in the email in order to decide whether the message is genuine or not.  But how can one go about doing this?  That is the problem.  It is very difficult to do, even for a trained eye.  That is why Cyberattackers are now using this tactic in order to lure in their victims. 

But in this instance, no ordinary picture lifted from Google will do the trick.  Rather, it has to be a glossy-looking picture of a major brand, such as Target, Panera, McDonald’s, etc., the kind of brand where people do much of their online shopping.

In their Phishing email messages, the Cyberattacker will very often hide a malicious link behind the image.  It will offer something enticing, such as getting a gift card, or getting reduced pricing on a product or service that you want to buy. 

But what is worse is that if you hover over the image, no link appears.  You won’t know until you actually click on the image, and from there you will be taken to a phony, but very authentic looking, copy of the major brand’s site.

In fact a Cyber vendor, known as Avanan, just recently demonstrated how stealthy this can be.  More information about this experiment can be found at the link below:

https://www.avanan.com/blog/the-picture-in-picture-attack

The threat researchers who investigated this have named this kind of attack the “Picture In Picture”.  But given how AI is now freely available to just about everybody (thanks to ChatGPT), this kind of attack has become that much more dangerous, because it is so difficult to discern.  This is primarily due to the following reasons:

1)     Filters cannot pick them up:

Although Corporate America has done a much better job of deploying filters that sort out and quarantine spam before it reaches the inbox, when it comes to emails with images, most filters only scan the image file itself for a malicious payload.  They do not look at what the image is hiding, namely the link behind it, and they cannot read any text that is painted into the image (a printed URL, or a “claim your gift card” banner).  This is technically known as “Picture Obfuscation”.  There is a way around the second half of that problem, and it is called “Optical Character Recognition”, or “OCR” for short.  This is where the filtering system extracts the text rendered in the image so that the normal text-based rules (brand names, lure phrases, URLs) can be applied to it.  But OCR is computationally expensive at mail volume, and because of that, many companies have not adopted it in their filtering pipeline yet. 

2)     Enter AI:

As mentioned earlier in this blog, the hysteria and boom around AI has not made things easier for the IT Security team.  Case in point: ChatGPT.  Although OpenAI has claimed that safeguards are built into the system to keep it from creating malicious code, people have still been able to do so.  A prime example is a researcher at a Cyber vendor known as Forcepoint who never asked for malware directly, but instead requested small, innocuous-looking pieces of code, and got ChatGPT to assemble a steganography tool that hides stolen data inside image files.  More information about this can be seen at the link below:

https://www.darkreading.com/attacks-breaches/researcher-tricks-chatgpt-undetectable-steganography-malware

Tools like ChatGPT are going to only make the problems of creating convincing Deepfakes even worse, as many Cyber experts now fear will be the case.

My Thoughts On This:

This new kind of Phishing attack just described should not be confused with “Steganography”, which hides data inside the pixels of an image (or another media file) rather than merely hyperlinking the image.  Steganography is much more complex not only to create, but to execute as well.  More detail about the Picture In Picture campaigns (which spoofed Delta and Kohl’s to harvest credentials) can be seen at the link below:

https://www.darkreading.com/endpoint/picture-in-picture-obfuscation-spoofs-delta-kohls-credential-harvesting

It should be noted here that the “Picture In Picture” attack is much easier to create, and can be considered a watered-down version of a Steganography based attack.  Although many businesses in the United States have tried to adopt a hybrid work model, the truth of the matter is that many employees still prefer to work from home, for many different reasons. 

Because of this, the Cyberattacker is now targeting this group of people.

This is because many employees still receive their work email on their personal devices (even though they should not), and those devices are very often not as well secured as company issued ones.  As a result, these emails land in the employee’s inbox, and when he or she sees something very enticing, they will of course jump on it. 

After all, who can’t resist a substantially marked down trip to Cancun?

There are now calls in the Cyber industry for URL protection to be put in place alongside spam filters.  That way, if a suspicious looking email does arrive, the filtering system can look beyond the image at the URL that is actually embedded in it. 

If the major web browsers can do this (such as Edge, Chrome, and Safari), why can’t a spam system look for this also?
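The check the last two paragraphs ask for is not hard to build: the link is hidden from the eye, not from the HTML.  The following is an added example, not code from the original post and not Avanan’s tooling.  It uses only the Python standard library to parse a constructed sample message, list every anchor whose only visible content is an image (the Picture In Picture pattern), and flag the ones whose destination is not the brand the email claims to come from.  The message body, brand name and domains are all constructed for illustration.

```python
"""Find hyperlinks that are carried only by an image in an HTML email.

Added example, not from the original post and not Avanan's code. It uses
only the standard library. The message body, brand and domains below are
constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: two image-only links (one legitimate, one pointing at a
# look-alike domain) and one ordinary text link.
SAMPLE_EMAIL = """
<html><body>
<p>Your reward is waiting!</p>
<a href="https://example-brand.com/offers"><img src="cid:banner1"></a>
<a href="https://exampIe-brand.co/claim"><img src="cid:giftcard" alt=""></a>
<a href="https://example-brand.com/unsubscribe">Unsubscribe</a>
</body></html>
"""


class ImageLinkFinder(HTMLParser):
    """Collect every <a>, recording its href, visible text and nested images."""

    def __init__(self):
        super().__init__()
        self._open = []   # anchors not yet closed (nesting is rare but seen in the wild)
        self.links = []   # finished anchors as dicts

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._open.append({"href": a.get("href") or "", "text": "", "imgs": []})
        elif tag == "img" and self._open:
            self._open[-1]["imgs"].append(a.get("src") or "")

    def handle_data(self, data):
        # Text inside an anchor is what the reader can actually see and judge.
        if self._open:
            self._open[-1]["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open:
            self.links.append(self._open.pop())


def image_only_links(html):
    """Return (href, image_src) for anchors whose only visible content is an image."""
    parser = ImageLinkFinder()
    parser.feed(html)
    parser.close()
    return [(link["href"], link["imgs"][0]) for link in parser.links
            if link["imgs"] and not link["text"].strip()]


def hostname_matches(href, brand_domain):
    """True if href is on brand_domain or a subdomain of it; look-alikes fail."""
    host = (urlparse(href).hostname or "").lower()
    return host == brand_domain or host.endswith("." + brand_domain)


def suspicious_image_links(html, brand_domain):
    """Image-only links whose destination is not the brand the mail claims to be from."""
    return [(href, src) for href, src in image_only_links(html)
            if not hostname_matches(href, brand_domain)]


if __name__ == "__main__":
    for href, src in suspicious_image_links(SAMPLE_EMAIL, "example-brand.com"):
        print(f"image {src} hides a link to {href}")
```

Against the sample, the legitimate banner passes and the gift-card image is reported because its host is a look-alike, not the brand’s domain.  In a real gateway the brand to compare against would come from the sender domain or the display name in the From header, and the extracted URL would be fed to the same reputation checks the browsers already apply.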

But despite all of the technology you may want to use to combat this new Phishing attack, it all comes down to the old-fashioned ways of protection.  And that is, keep educating your employees about this.  Always tell them to trust their gut, and if something does not feel right, just simply delete the message and/or forward it onto the IT Security team for further inspection and review.

Friday, June 2, 2023

The Top 5 Cyber Threats To Apple Devices You Need To Know

In all of the blogs that I have written (and it has been at least a thousand or so), all of my Cybersecurity content dealt with the Windows environment.  I never talked about Apple or anything like that.  But now, as Cyberattackers have pretty much saturated Windows based systems, their eyes are on Apple based technologies, primarily macOS and iOS.  So what are some of the top threats, you may be asking???

Well, here is a sampling:

1)     The LockBit:

This has primarily been a ransomware strain that has targeted Windows based systems for the last several years, and it has literally wreaked havoc upon Corporate America.  A macOS build surfaced this year.  The good news is that the sample analyzed so far is unfinished: early analyses found it unsigned and unstable, so at most it encrypts some files, and it is not yet a working threat on macOS or iOS.  The fear is that a functional version will follow, and as its sophistication evolves it could be used for a wide scale Ransomware attack on Apple based devices.  More information about this malware can be seen at the link below:

https://www.darkreading.com/remote-workforce/researchers-discover-first-ever-major-ransomware-targeting-macos

2)     The XCSSET:

So far, this has been a very dangerous strain, targeting macOS systems.  It was discovered back in 2020, and what makes it a software supply chain problem is how it spreads: it injects itself into Xcode projects, so it runs whenever an infected project is built and travels with any code the developer shares.  Some of the havoc it can wreak is as follows:

*Steal information and data from the Safari web browser (and other browsers), and inject its own JavaScript into the web pages the victim visits;

*Steal data from apps such as Notes, Evernote, Skype, Telegram and WeChat;

*Take unauthorized screenshots;

*Exfiltrate data to a remote server;

*Encrypt the victim’s files and display a ransom note.

More information can be seen at the link below:

https://www.sentinelone.com/blog/xcsset-malware-update-macos-threat-actors-prepare-for-life-without-python/

3)     The AMOS:

This is an acronym that stands for the “Atomic macOS Stealer”.  The main purpose of this strain of malware is to steal data, and from there, either sell it on the Dark Web or make it public in an extortion style attack.  It is sold as a subscription on Telegram (“Malware as a Service”), so a Cyberattacker with no development skills of their own can rent it.  It steals keychain passwords, browser cookies and autofill data (including saved credentials), and cryptocurrency wallets.  More details about this can be seen here:

https://www.sentinelone.com/blog/atomic-stealer-threat-actor-spawns-second-variant-of-macos-malware-sold-on-telegram/

4)     The MacStealer:

This is a much more dangerous variant, as it can steal just about every bit of confidential information and data from an end user, including credit card information.  It pulls passwords and cards out of the Firefox, Chrome and Brave web browsers as well as the iCloud Keychain, and it runs on macOS Catalina and later, on both Intel and Apple silicon.  It is typically delivered as a disk image (.dmg) that the victim is lured into opening, and it reports to its command-and-control channel over Telegram.  It also harvests documents from the user’s folders, collecting files with extensions such as the following:

*.txt

*.doc

*.pdf

*.xls

*.ppt

*.zip

Further details can be seen at the link below:

https://www.uptycs.com/blog/macstealer-command-and-control-c2-malware
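MacStealer reporting back over Telegram, and AMOS being sold through Telegram, illustrate a pattern worth hunting for: a stealer hiding its exfiltration inside traffic to a legitimate service that many users have installed.  The following is an added example, not code from the original post or from Uptycs or SentinelOne.  It runs a simple check over constructed per-process egress log lines and flags any process other than the Telegram client that talks to the Telegram API, ranking the results by upload volume.  The log format, host names, process paths and byte counts are assumptions made for the example.

```python
"""Hunt egress logs for non-Telegram processes talking to the Telegram API.

Added example, not from the original post, Uptycs or SentinelOne. It assumes
a per-process egress log with space-separated key=value fields (a constructed
format); the host names, process paths and byte counts below are constructed.
"""
from collections import defaultdict

# Constructed sample: the real Telegram client on mac-042, and on mac-017 an
# app launched from Downloads plus curl pushing data to api.telegram.org.
SAMPLE_LOG = """\
2023-06-02T10:14:05Z host=mac-042 proc=/Applications/Telegram.app/Contents/MacOS/Telegram dst=api.telegram.org:443 bytes_out=4096
2023-06-02T10:15:11Z host=mac-042 proc=/Applications/Safari.app/Contents/MacOS/Safari dst=www.apple.com:443 bytes_out=1200
2023-06-02T10:16:40Z host=mac-017 proc=/Users/alice/Downloads/Invoice.app/Contents/MacOS/Invoice dst=api.telegram.org:443 bytes_out=2611200
2023-06-02T10:16:52Z host=mac-017 proc=/Users/alice/Downloads/Invoice.app/Contents/MacOS/Invoice dst=api.telegram.org:443 bytes_out=1834000
2023-06-02T10:17:03Z host=mac-017 proc=/usr/bin/curl dst=api.telegram.org:443 bytes_out=512
"""

# Processes allowed to speak to Telegram. A path allowlist is a weak control on
# its own (malware can copy the name); in production pair it with the signing identity.
ALLOWED_TELEGRAM_PROCS = ("/Applications/Telegram.app/",)


def parse_line(line):
    """Turn '<timestamp> k=v k=v ...' into a dict; None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    rec = {"ts": parts[0]}
    for field in parts[1:]:
        key, sep, value = field.partition("=")
        if sep:
            rec[key] = value
    return rec


def is_telegram_api(dst):
    """True for api.telegram.org (or any telegram.org host), ignoring the port."""
    host = dst.rsplit(":", 1)[0].lower()
    return host == "telegram.org" or host.endswith(".telegram.org")


def find_suspicious(log_text):
    """Aggregate Telegram API traffic per (host, process) for processes not on the allowlist."""
    totals = defaultdict(lambda: {"connections": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not is_telegram_api(rec.get("dst", "")):
            continue
        proc = rec.get("proc", "")
        if proc.startswith(ALLOWED_TELEGRAM_PROCS):
            continue
        entry = totals[(rec.get("host", "?"), proc)]
        entry["connections"] += 1
        entry["bytes_out"] += int(rec.get("bytes_out", "0"))
    return dict(totals)


def ranked(log_text):
    """Suspicious (host, process) pairs, largest upload volume first, for triage."""
    return sorted(find_suspicious(log_text).items(),
                  key=lambda kv: kv[1]["bytes_out"], reverse=True)


if __name__ == "__main__":
    for (host, proc), stats in ranked(SAMPLE_LOG):
        print(f"{host} {proc}: {stats['connections']} connections, "
              f"{stats['bytes_out']} bytes out")
```

On the sample, the Telegram client is ignored, while the unsigned app in Downloads (about 4.4 MB uploaded in two connections) and curl are both surfaced, with the app ranked first.  The same shape of rule works for any legitimate service a stealer borrows as a drop point; the upload volume is what separates a chat client from a bulk exfiltration.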

5)     The Rust Bucket:

This malware comes from BlueNoroff, a division of the notorious Lazarus Group that has primarily targeted the financial sector.  They are now using the same tradecraft to specifically target macOS systems, and this strain was first documented on macOS just this year, in April.  It is delivered in stages: a first stage disguised as a PDF viewer application, followed by later stages that include a backdoor written in Rust (hence the name) which takes its orders from a remote command-and-control server, so the Cyberattacker can run commands and exfiltrate data without ever touching the machine directly.  The stolen data can then be used for later nefarious purposes, such as launching ID Theft attacks.  What makes this even more dangerous is that it arrives via Social Engineering, with a decoy PDF document the victim is asked to open.  More information on this specific piece of malware can be seen at the link below:

https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/

My Thoughts On This:

It is important to keep in mind that while Cyberattackers are now shifting their focus onto Apple technology, the overall structure of both the macOS and the iOS platforms is actually still pretty resilient.  For example, as far as I know, it is still rather difficult to “jailbreak” an iOS device (but keep in mind that even if you are successful in doing this, you will void the warranty and any tech support that you may have for your device).

As another plus, Apple probably has the most stringent requirements for mobile app developers before they can publish anything to the App Store, when compared to Google.  The company requires developers to thoroughly test their code before it can even be considered for submission.

But be on the lookout for any updates and/or patches from Apple!!!
