Saturday, July 29, 2023

Understanding Why Kubernetes Is So Crucial To Software Supply Chain Security

 


As some of you might know, I am getting ready to take my AZ 900 exam soon.  This is the Azure Fundamentals cert that is offered by Microsoft.  Although this is one of the most basic certs that one can get, I got to tell ya, I did learn quite a bit about Azure so far in exam preps. 

One area that you may have heard of is that of “Kubernetes”.  Prior to my studying, I did hear about it on and off, but it is a huge thing for the Cloud, especially when it comes to software development.

So what it is, you may be asking?  Well, here is a technical definition of it:

“It is an open-source system for automating deployment, scaling, and management of containerized applications.”

(SOURCE:  https://kubernetes.io/)

But despite its importance, many organizations are now shying away from it almost entirely when it comes to developing new web applications.  The reason?  The security that is involved with it.  According to the “2023 State of Kubernetes Report” published by Red Hat, it is a huge issue.  Just consider some of these findings:

*67% of respondents have delayed or slowed deployment of new projects.

*37% have experienced revenue or customer loss because of Kubernetes concerns.

*38% cite other issues with Kubernetes strategies.

The source for the above stats is the actual report itself, and that can be seen at the link here:

https://www.redhat.com/en/blog/state-kubernetes-security-2023

So what can be done to alleviate some of the issues cited?  Here are some key tips:

1)     Use an SBOM:

This is an acronym that stands for the “Software Bill Of Materials”.  In fact, I just wrote an article about this for a client this past week, and essentially, this is a document that states all of the components that are being used to build a software application.  As you can guess, it is mostly all of the software tools that go into it.  But keep in mind that this is just a first step.  Documenting all of this is no doubt important, but even more so is testing all of these components to make sure that all of them have a reasonably high level of security baked into them.  A good example of this are the APIs that are used.  Many software developers use the ones from open-source libraries, and they often go unchecked for any gaps or vulnerabilities.  While the software developers need to make sure on their own that the components, they are using are safe, the hosting repositories have to take responsibility here as well.  For example, they need to make sure that they have complete documentation about all of the APIs, and they also need to make sure that they are updated with the lates patches.  Also, digital signatures need to be put into place so that the authenticity and legitimacy of the APIs can be confirmed.  More information about the SBOM can be seen at this link:

https://www.darkreading.com/application-security/building-a-better-sbom

2)     Using the VEX:

This is an acronym that stands for “Vulnerability Exploitation Exchange”.  This is a specialized type of documentation where software developers can report to the public about the vulnerabilities and gaps that they have found in the tools that they are using to build a web application.  An added feature of this platform is that it can even help prioritize the vulnerabilities which need to be addressed first. 

3)     Confirm that all is working:

Apart from the VEX documents and the SBOM, one of the final seals of approval is what is known as the “Attestation”.  This is where the managers of the DevSecOps team signs off that all and any vulnerabilities that have been found in the source code development phases have remediated, and should no longer pose a problem.  True, anything can happen in the future to the web application once it is handed off to a client, but at least there will be some piece of mind and protection knowing that you have done all in your power to address any security issues that cropped up.  You might even want to take this one step further and even Penetration Test the source code, and put that in the Attestation document.

My Thoughts On This:

This whole issue of Kubernetes Security comes down to one thing:  The resiliency of the software supply chain.  This can be compared to building a car.  For example, your rely upon different suppliers to provide the parts to it, and then they all get put together in once central location (at least this is my thinking). 

The same is true of creating web applications.  Apart from what it is stated in the SBOM, there also could be many other attributes, artifacts, and even objects that could be used as well.

While the above tips are meant to help secure your software development to a certain extent, the true level of security starts at the very beginning of the software supply chain.  Any weaknesses or gaps there can easily and quickly trickle down in a cascading effect.

Friday, July 28, 2023

How You Can Benefit From A vCISO: From Ransomware To Cyber Insurance Negotiations

 


The good news is that in the world of Cyber, the number of Ransomware attacks has actually been declining to some of the lowest levels in years.  It reached its height during the COVID-19 pandemic, when everything and anything was a victim (and technically, this is still the case today).  The mantra then and now has been to never the pay the Cyberattacker the ransom amount that they are seeking.  Why is this the case?  There are numerous for this, some of which include the following:

*There is no guarantee that you will even ever receive the decryption keys that are needed to unlock your computer and files that have been heisted. 

*Doing so will only urge the Cyberattacker to come after you again, but this time asking for even more money.

*It will only fuel the appetite for the Cyberattacker (as well as their ego) to launch even grander attacks.  Their thinking here is that if they can do it multiple times on smaller targets, then there is nothing stopping them.

But there are times when perhaps a ransom payment could be thought of, and actually delivered.  One of the best examples of this is the recent Colonial Gas Pipeline attacks.  It brought a great amount of shortages to the east coast, and the gas/oil futures prices were gyrating totally out of control.  To avoid things from getting worse, the CEO agreed to make a $4.4 million dollar payment, and because of that, things started to normalize out again.

But, this was no easy process to accomplish, that I am sure about.  Although the details of it were kept out of the news headlines, I am sure that there was a lot of back and forth between law enforcement and the Cyberattacker to try to work out a lower ransom.  So, simply paying it is not the answer.  If you decide to make a payment or at least attempt to, it is important that you try to negotiate.  Why you may ask?

Well, the primary benefit of this is that ti can give law enforcement the critical time they need to track down the footsteps of the Cyberattacker with hopes of bringing them to justice.  But this negotiation process takes a group of people, with the ransomware negotiator at the helm.  Believe it or not, there are companies that specialize in doing this very task.

But now the question has started come about, is if the CISO should now become involved in this process as well.  Well, there are differing views on this, but a subset of this question is if the CISO should become more involved in the procurement process when it comes to getting Cybersecurity insurance.  After all, if you are hit with a Ransomware attack, and make payment, you will want to get reimbursed by your insurance carrier.

So how can the CISO help in this regard?  Here are some areas:

1)     Will be able to get more information:

When most CISOs start a new position, they are still getting acclimated to what it is in their new IT and Network Infrastructure.  But with the Cyber threat landscape the way it is today, many insurance carriers are demanding a lot more information from businesses with regards to their security practices, and in fact, making them even fill out a lengthy questionnaire which can run as long as 20 pages.  Very often, this is left to the manager of the IT Department to figure out.  But if the CISO were to get involved in this process, not only would make him or her learn quickly about what is going in their new environment, but it would also give a very positive impression to the underwriters of the insurance policy that this business is serious in what they are doing.  And, by having the CISO sign the questionnaire, there can be more assurances that are provided that the right controls are put in place (at least in theory), and therefore, the business will not be a huge risk or gamble to take on.

2)     They can become a good partner:

The truth of the matter is that most people are afraid to work with an insurance carrier.  But if you were to bring your CISO in to the table to work with them, they can actually forge a very valuable partnership.  For example, by filling out the questionnaire, the insurance company can act as a fresh pair of eyes when it comes to reviewing the controls you have in place.  Best of all here is that rather than having to hire an expensive auditor, you can use this new partnership for free.

My Thoughts On This:

Keep in mind not that every company can even afford to hire a CISO in the first place, given just how expensive it is to hire and keep them.  A lot of this is because of the enormous salaries that have to be paid, along with all of the extra perks, such as stock options and other types of bonuses.  Plus, the day of the traditional CISO will most likely come to end soon, as the burnout rate is very high.

But, businesses still do a need a leader to keep the ship on straight and navigable Cyber world.  So, are there any options?  Yes, there is.  This is called the “vCISO”.  This is where you actually hire a highly experienced, ex CISO on a contract basis.  What you pay them is a fraction of what you pay for a salary.

Best of all, you only keep them on for as long as you need them.  You terminate the contract when you don’t need them, and bring them back on board again as needed.  These people are highly skilled in what they do, and even have more contacts that you can penetrate into if you have other needs.

But whatever the situation is, you still need a leader in both Ransomware and Cyber Insurance negotiations, whether they are a direct hire or a CISO on a contract basis. 

 

 

Why Threat Hunting Is So Important In Cyber

 


There is no doubt today that companies in Corporate America are becoming much more cost conscience than they ever have before.  A lot of reasons can be cited for this, but the fear of inflation appears to be the be the largest threat to the economy so far.  But the good news is that it seems like inflation is starting to cool off so far.

But even despite the other good economic news that’s coming out, businesses, especially the SMBs, will always be cost conscience for the longest time to come.  This is even true of Cybersecurity.  Business owners now want an all-encompassing package that will meet their Cyber needs, for an affordable price.  The good news here is that it is available.

In today’s podcast, we have the honor and privilege of interviewing Jerry Derrick, the VP of Engineering at Camelot Secure.  They offer a total Cyber solution called “Secure 360”.  To learn more about this, and how you can acquire it for your business, listen to the podcast.  It can be downloaded at this link:

https://www.podbean.com/site/EpisodeDownload/PB1467EE14Z456

Saturday, July 22, 2023

Will Generative AI Be The Boon Or Bane Of MFA?

 


In the world of Cyber today, there is a plethora of technojargons out there.  Two of them have been around for a long time, and these are “Authentication” and “Authorization”.  While the two have totally separate meanings, they are often used in conjunction with each other. 

So before we move any further, it is important now to distinguish these two, so here we go:

Authentication can be defined as:

“Authentication is the act of validating that users are who they claim to be. This is the first step in any security process.”

(SOURCE:  https://www.okta.com/identity-101/authentication-vs-authorization/)

Authorization can be defined as:

“Authorization in system security is the process of giving the user permission to access a specific resource or function.”

(SOURCE:  https://www.okta.com/identity-101/authentication-vs-authorization/)

So as you can see, authentication is merely confirming who you are, and authorization is giving you access to what you need on a shared server.  It is also important to note that the former comes first, then the latter (believe it or not, even if this is a point of confusion). 

In relation to this, there are two other pieces of technojargon that you need to be aware of: Two Factor Authentication (2FA) and Multifactor Authentication (MFA).

With the first one, you are using at least two methods to confirm the identity of an individual.  With the other one, you are using at least three (and perhaps even more) methods of authentication.  For the longest time, 2FA was the preferred choice instead of just using the password, but even this has proven to have weaknesses. 

So, now the choice is to use MFA, because of all of the possible combinations that it can offer.

But as in anything else, there are also some weaknesses that can be found with MFA as well.  So, now a new idea has emerged, and that is using Generative AI as a possible means of identification in an MFA methodology.  I think I recently wrote a blog about this recently, but in simple terms, Generative AI is when you use it come up with new outcomes, or approaches. 

A good example of this is in content creation.  Many writers are now using ChatGPT to come up with new content, rather than having themselves do it (I have my views on this, but I will save it for a later time).  So how can Generative AI help with an authentication approach?  Here are three ideas:

1)     Confirming the user:

As mentioned earlier, there are numerous ways in which to confirm the identity of an individual, and at the present time, it is the password that is most heavily used.  There is a strong movement to get away from this in an MFA setting, and the preference is now to start using Biometrics, such as Fingerprint Recognition, and even Iris Recognition.  But, there is some squeamishness with end users about this, especially if their templates get hacked into.  Plus, every that time that an employee uses a Biometric modality, they have to keep submitting their fingerprint or have their iris scanned.  So, the hope here is that a Generative AI system can alleviate these bottlenecks, by “remembering” a template when it is first created.  But the worry here is what if a Generative AI can automatically recreate a template, and be used for nefarious purposes.  At the present time, the templates are just mathematical representations of either the finger or the iris.  So even if it were to be stolen, they cannot be reverse engineered to recreate the actual finger or iris.  But can Generative AI do this?  I really don’t know, to be honest.  It is also important to note as well that most Biometric systems require what is known as “Live Scan”.  This simply means that a person needs to have a pulse first before it can be authenticated.

2)     Creating user profiles:

This is when a network security device, for example, creates a profile over a certain period of time of network traffic.  This is very often used to determine what is normal activity and what is not.  In this regard, Generative AI could potentially be used to create baseline profiles of people as a means of identification.  For example, a Generative AI system could possibly be created to keep track of the activities of an employee, and build a profile on them.  If all is normal, then it is quite like that the employee will be confirmed.  But if anything falls out of the norm, then they will be rejected.  As far as I know, nothing like this is being used in the real world.  But if it ever does happen, businesses will have to notify employees of this happening.  Keeping profiles of network traffic is one thing, but using it on people is totally different thing.  And if they are not notified, it could be a sheer violation of privacy rights.

3)     Document Security:

With the world being almost totally digital today, making sure that documents are original and the signatures are legitimate is a huge concern.  While the Blockchain has proved useful here, the Cyberattacker of today can still find ways to alter documents and their corresponding signatures.  But Generative AI can be used here to confirm the legitimacy of these two items.  But once again on the flip side, what is to prevent a Cyberattacker from using ChatGPT to create an identical looking document and use that to launch a Business Email Compromise (BEC) Phishing attack?  But it is expected that Corporate America will spend more money to fight fraudulent documents, as some 60% of businesses plan to increase their budgets to help fight fraud.  More information about this can be seen at the link below:

http://cyberresources.solutions/blogs/fraud.pdf

My Thoughts On This:

Honestly, I never thought about Generative AI being used in this context, when it comes to authentication.  It could be a great way to secure the identities of individuals, but also at the same time, given the easy access of it (as exemplified by ChatGPT) the flip side is also clearly evident.  Therefore, before rushing into using AI for anything, test it out first in an isolated environment.

Make sure it “behaves” nicely with all of your other systems, and that it does not pose any further risks or vulnerabilities.

Friday, July 21, 2023

Looking For A Job In Cyber? 3 Websites You Can Use

 


As most of us know, the job market of today is probably one of the most challenging and daunting ones ever.  I have to be honest, although I do freelance technical writing, I too am looking for a job as well.  I have been looking solid for two months now, and while I have had interviews, nothing much has come to fruition has of yet. 

While the job reports that come out every month may still be strong, one has to look at the areas in which they are occurring, and it is mostly on the services side.

At this point, one may ask is how did we get here?  Well, it all comes down to one thing:  Inflation, and the Federal Reserve being late to the game to fix it.  You see, during the COVID-19 pandemic, tons of money was created in order to get us through those awful times. 

\I was always fearful that we would have to pay a price for that down the road, and now we are.

The enormous injections of money is what really caused the inflation that we are having right now.  Back then, the tech companies had a lot more money in which to hire people, but now that it is no longer there, they had to let go of them, which in turn led to the huge number of layoffs.  But there is always hope,  and my own optimistic belief is that this cannot last forever either.

But now the interesting thing is that there still continues to be a huge worker shortage in the Cyber industry.  Many people are now left  scratching their heads with so many people that are available now  for the workforce, why is this still happening? 

Well, it comes down to one thing:  Hiring managers are  simply too fussy in what they want to  select in terms of candidates.  They simply don’t want to take a chance to hire someone that may not have all of the skillsets, but have the ambition and drive to learn.

In turn, this has left job seekers in a huge state of confusion about what to do to get a career in Cyber.  Believe it or not, the industry has actually done something  to help people out.  In much the same way that frameworks and standards have been created to reduce risk and security breaches, so too they have also been created to help out job seekers.  

The following are some of newer “Cyber Career Frameworks” which have evolved thus far:

1)     The National Initiative for Cybersecurity Education (also known as “NICE”):

This framework provides detail in 33 Cyber related job tasks, and 52 different job titles.  True, this can seem to be rather confusing, because there is a lot of overlap here.  This framework places a very strong importance on the Tasks, Knowledge, and Skillsets that are required.  To help Cyber job seekers guide through this maze, a tool called the “Cyber Career Pathways” was created.  The “NICE” and toolset can be found at the following links:

https://www.nist.gov/itl/applied-cybersecurity/nice

https://niccs.cisa.gov/workforce-development/cyber-career-pathways-tool

2)     The Cyber Career Framework:

This is a framework that has been created and implemented for job seekers in the UK, and when in comparison, it is much easier to navigate through.  For example, it only covers 16 Cyber job specialties, and also covers the following topics:

Working Life

Job Responsibilities

Salary

Knowledge

*Skills

*Tips on how to climb the proverbial corporate ladder.

What is unique about is that Cyber job seekers can even create a visual map of where they are right now, and where they want to be, based upon the qualifications the possess at this point       in time.  They too are offering a toolset that can be used with this, which is known as the Cyber       Security Profession Chartered Standards (“CSPCS”).  The goal of this is to offer the job candidate cost effective tools to get the Cyber certs that they aspire to.

The framework and the toolset can be seem at the following links:

https://www.ukcybersecuritycouncil.org.uk/careers-and-learning/cyber-career-framework/

https://www.ukcybersecuritycouncil.org.uk/professional-standards/

3)     European Cybersecurity Skills Framework (also known as the “ECSF”):

This is a much broader Cyber job framework, developed and implemented by the EU as one collective.  Other organizations from around the world have also contributed to this effort, most notably the (ISC)2 and ISACA.  It focuses primarily on just 12 Cyber related job roles.  A manual is also provided, to help the job seeker navigate through this portal.  The framework and manual can be downloaded at the following links:

https://www.enisa.europa.eu/topics/education/european-cybersecurity-skills-framework

https://www.enisa.europa.eu/publications/european-cybersecurity-skills-framework-ecsf

My Thoughts On This:

It is expected that these job frameworks will help all involved in the job creation and recruiting process, which include:

*Hiring Managers

*The Job Candidate

*Recruiting Agencies

*High Schools, Colleges, Junior Colleges, and Universities.

But in the end, if you really want a job in Cyber, show to the prospective employer both your analytical and qualitative skills.  You really don’t need to have a degree in Cyber, these  skills can literally be picked up from  any job or degree.  But in my view, the most crucial strengths that I would look for if I were a hiring manager is:

1)     How well can the candidate communicate, both verbally and written?

 

2)     Can they work well in a team environment?

 

In Cyber, that’s all it comes  down to.  Hard skills are trainable, but not  the ones just listed.

Sunday, July 16, 2023

A CISO's Ultimate Guide To Patch Management: 5 Golden Tips

 


In the world of Cyber, one of the mantras that CISOs and their IT Security teams keep hearing about is the need to keep up with the software patches and upgrades for their systems on a regular basis.  But unfortunately, many of them fail to do this.  In fact, a recent study by the Ponemon Institute found that over 42% of businesses were impacted by a security breach, and a lot of that could have been mitigated by simply applying the needed patches.

More information about this study can be seen at the link below:

http://cyberresources.solutions/blogs/The%20State%20of%20Vulnerability%20Management%20In%20the%20Cloud%20and%20On-Premises.pdf

From what I have seen, there have been many tidbits of advice offered on the web, but there are few places that actually offer a central place for some key tips.  So, this is the purpose of this blog, and here we go:

1)     Decide what updates are needed:

               The notion with many CISOs is that they should download and apply everything, then all will be   good.  However, the opposite of this could happen.  There may be some patches that you may     not need, and in the end, it could cause more harm than good.  So, you need to sit down and             figure out which patches are needed the most, and work from there.  Ideally, you should designate somebody from your IT Security team to look for the newest patches and decide which is the most critical to download.  But of course, this person should not have all of the              authority to do so, you should probably have a meeting at least once a week to review what the              patches are and what is needed first.  To help address what is indeed critical, use some kind of     ranking system, and keep it simple.  For example, you can use a scale of 1-10, where “1” would           be the least needed and “10” would be the most needed.  Or, if you want to use an established           framework, then the Common Vulnerability Scoring System (aka “CVSS”) could be used.  Here is                their ranking system:

               *7.0–10.0 is critical

               *4.0–6.9 is important

               *0.0–.3.9 is optional

2)     Test your patches:

As you download your needed patches, make sure you test them out first in a sandboxed environment.  This is an isolated area to see how well it would work, and how it will co mingle with your software applications and even hardware.  It is very imperative that you do this first before you put them into the production environment!!!  Many vendors are notorious for having glitches in their patches, and as a result, rather than fixing the problem, it makes it worse, and leaves you that much more open to a breach.  And once you decide a patch is safe enough to be applied, it is also very important that you do it in a phased in, planned approach.

3)     Apply the patches one at a time:

One other key rule that as a CISO you need to keep in mind is that apply your patches one at a time, don’t ever rush to do them all at once, as this could cause things to get messed up!!!  So  for example if you have ten patches to be applied, test them one at a time in the sandbox (or in parallel if you can create a multiple number of them).  Once they have been approved for the production environment, then apply them one at a time.  By doing it this way, you are more or less assured that everything will go through in a seamless fashion, with no major hiccups or downtime.

4)     Have a Change Management Team:

This is the fancy techno jargon for documenting all of the patches you have downloaded, and intend to apply.  In this regard, you should have a representative from each department in your company attend the weekly meeting, in order to get their input as to how they could possibly be affected by the patches.  For example, you may think that applying them is necessary from a Cyber standpoint, but these patches can also have effects on other applications that are used by the differing departments.  Therefore, you need to have buy in and approval from these representatives.  Just don’t simply make a blanket statement that they are needed, customize your pitch as to how it will be relevant to everybody on the Change Management Team.

5)     Guage the success:

After you have applied your needed patches, it is then important to gauge how successful they have been.  Of course, which metrics to be used are entirely dependent upon your own requirements, but a good rule of thumb would be if you experience less security breaches than before.  A good reference to start with is at this link:

https://blog.gitnux.com/patch-management-metrics/

My Thoughts On This:

In one of my first jobs in IT, I was the one that was responsible for the entire patch management process.  To give you idea of what it entailed, here is what was done, on a weekly basis:

*Monday:  Go to vendor’s website, check for any new patches.  Have a meeting with the team later in the day to see what is needed.

*Tuesday – Wednesday:  Download the patches in a sandbox environment, using isolated servers.  Review results, and submit them to the Change Management Team.

*Thursday:  Get feedback from Change Management Team, and get the necessary approvals.

*Friday:  Notify the end users of patch schedule, and the times when interruptions could be expected.  After people leave for the weekend, start the patch update process into the production environment.  This should be done only after hours or on the weekends!!!

As you can see, the patch management process is in itself a full-time job, so the need is imperative to have a dedicated resource for this.  As I indicated in the schedule above, this needs to be done on a weekly basis, with no change in schedule.  Given the Cyber Threat Landscape of today, it is imperative that all of this is done on a timely basis.  By adhering to a strict schedule, you will have the proof that you are trying to be compliant.

Saturday, July 15, 2023

6 Ways In Which Generative AI Can Be Used In The SOC

 


Just last Tuesday, I completed a rather intense, 6 hour long Generative AI course from Microsoft.  Not only that, but the exam was also very challenging.  I would put it on par with any of the (ISCC)2 exams.  But anyways, probably the biggest buzzword right now in the world of tech (not just Cyber) is that of “Generative AI”.  What is it you may be asking?

Here is a technical definition of it:

“Generative AI refers to deep-learning models that can generate high-quality text, images, and other content based on the data they were trained on.”

(SOURCE:  https://research.ibm.com/blog/what-is-generative-AI)

So in other words, you feed a Machine Learning (ML) system some data, and it gives you an output.  Honestly, there is really new nothing new about that, this has been under research and development.  But what is different about it this time is that it will create new content for you, based upon the query that you submit to it.

One of the best examples of this is ChatGPT.  It is created by OpenAI, and uses the GPT4 algorithms (which are essentially Large Learning Models, or LLMs for short).  You simply as it, for example, to write a poem, and it will create one for you.  Of course, it can create more complex outputs for you as well, depending on what you ask it to do.

So, as you can see, Generative AI has the potential to be applied to a lot of industries.  One such area is that (and you guessed it correctly) of Cybersecurity.  AI and ML to some degree are already being used here when it comes to conducting routine and mundane tasks (a god example of this are Penetration Testing and Threat Hunting). 

But another area in Cyber where Generative AI has a very strong potential is for use in the Security Operations Center, also known as the “SOC” for short.  This would  be yet another way in which to keep an SOC modern, and updated at all times.  Other non-AI and ML recommendations can be seen here at this link:

https://www.darkreading.com/vulnerabilities-threats/5-tips-for-modernizing-your-security-operations-center-strategy

So, how can Generative AI be used for the SOC?  Here are some tips, based upon the job title that are working there:

1)     The Frontline Folks:

These are the people that are tasked with getting all of the warnings and alerts that come in.  It is their job to filter through them, and to sort out what is real and not.  While this might seem to be time-consuming, in reality it is not nearly as bad now.  This is because with the advent of the SIEM and the AI and ML tools that are incorporated into it, a lot of this is now done automatically, based upon the rules and configurations that have been deployed into the system.  But even despite this, there are false positives that can still filter through, leaving the team to have to manually filter them out.  But Generative AI can take this one step further, and with this, the team can ask specific queries in order to filter out certain alerts and warnings that are truly legitimate.  This will give the team a better understanding of what they could be imminently facing.

2)     The Threat Researcher:

I have written about this role before, and essentially, these are the people who gather all of the intel that can, and from there, try to make hypotheses about the threats that are on hand, and even possible ones down the road.  This is by no means an easy job, and it takes a lot of analysis of the data, both quantitative and qualitative in nature.  It can be truly painstaking work, but Generative AI can be used to ask questions about the available data that is present, and from there, do a more sophisticated analysis, or make even more realistic projections as to what future threat variants could possibly look like. 

3)     Other Use Cases:

There are other areas in Generative AI can be used in the SOC:

*Risk Assessments:  At the present time, this can be a very laborious and time-consuming process. But with AI and ML, the process can be greatly sped up, especially when it comes to analyzing which of the digital and physical assets are most at risk.

*Threat Content Management:  This is where the AI or ML system can also collect data and information on a real time basis, and them automatically to its training sets.  This will result in a lesser need for human involvement.

*Customer Service:  The best example of this are the Chatbots.  These tools are seeing a huge explosion right now, and will continue to do so as long as AI and ML continue to be around.  Rather than having to wait in a queue to talk to somebody in the SOC, it is hoped that the Chatbot can alleviate these wait times by providing “smart answers” to what the client is asking about. 

My Thoughts On This:

While all of this certainly sounds advantageous, keep in mind that Generative AI is still a piece of technology, and it has its shortcomings just like everything else.  It has to be fed the right pieces of data so it can generate the right outputs.  Also, the Generative AI tool is only as good as the questions that are being asked.

If you want detailed answers, you have to structure your questions (or queries) in a certain way.  Believe it or not, this is an up-and-coming field, known as “Prompt Engineering”.  But there is also yet another flip side to this, and that is where the Cyberattacker can use Generative AI for malicious and malicious purposes.

There is already great levels of fear in this regard, as ChatGPT can potentially be used to create malicious code from which Ransomware attacks can be launched. 

In my view, we will never replace the human brain.  AI and ML can only augment, and not replace processes.  We still need to have the human element around.  Using Generative AI will bring us one step closer to one of the ultimate goals in Cyber:  To reduce the time it takes to detect and respond to threats.

Tuesday, July 11, 2023

How Physical Security Is Just As Important As Cyber Security

 


When one thinks about or even hears the word “security”, very often Cyber comes to mind.  But if you look at it deep enough, Cybersecurity primarily deals with the protection of all kinds and types of digital assets.  This can be anything from the shared documents all the way to the Intellectual Property (IP) that your company owns.  Although this is of course very important, also keep in mind the physical location where you may be working at.

There is probably confidential and private items that you do not want anybody to access on.  Therefore, it is very important to protect the doors and main access ways to prevent any mishaps from happening.  Not only this, but you also have to protect the inner areas as well.  In this regard, you need to implement what is known as a “Multimodal Security Solution”, which encompasses using more than one layer of security.

How can this be done?

In today’s podcast, we have the honor and privilege of interviewing  Rick Guetschow, the CTO at Hivewatch.  He will explain all of the details that a business needs to do in order to physically protect itself.  You can download the podcast at this link:

https://www.podbean.com/site/EpisodeDownload/PB145270348K53

 

Saturday, July 8, 2023

When Should You Offer Pro Bono Cyber Services? 4 Golden Tips


Just last weekend I wrote a blog about how the Biden Administration has done (and hopefully will continue to do so) a better job with launching Cybersecurity efforts when compared to past Administrations.  In a way, he is trying to forge new business relationships with the private sector, which of course will be a win-win for all involved. 

But yet, there needs to be another key piece of the Cyber puzzle that yet needs to be solved.   That is, relationships have to also forged with the public sector.  Defining this can be a bit tricky, it just depends on what you define as a “Public Sector”.  In my view, these are the smaller governmental agencies that are found at the city and town levels.

Unfortunately, this grouping has long been ignored, due to the fact that they are very low profit margin for the Cyber companies to make money off of.  While the primary goal of any business is to make a profit, there comes a time when one sort of has to bite the bullet in order to serve the greater good.  In this case, these public based entities really have don’t have the money or manpower to truly fortify their defenses.

Because of this, stronger relationships have to be created with the public and private sectors, so that these entities can have some degree of security baked into them.  Remember, the Cyberattacker is not just after the high-net-worth companies of the Fortune 500. 

They are out to get PII datasets wherever they can.  And because those entities that are in the public sector barely have any defenses, they have now become a primary target.

So what can be done about this?  Here are four ways that this can possibly be accomplished:

1)     The private sector Cyber companies have to adjust:

As I had just mentioned, Cyber companies simply do not want to touch nonprofits and the miniscule governmental agencies because they believe that there is no money to be made off of them.  But this is a very shallow way of thinking.  True, you may not do a lot from the outset, but think about it:  This particular entity could very likely come back for more business, on a repeated basis.  That means in the medium to long term, you have a source of recurring revenue, which is what so many Cyber vendors are striving for these days.  Also, if they are happy with your work, they could refer you to other public sector entities that need Cyber help.  So in the end, you could have a book of business that is not only ultimately profitable, but one that will be with you for the long term.

2)     Educate them:

Because of the sheer lack of security defenses that they have, many public sector companies truly have no clue what even to look for in a Phishing email.  This could be a great opportunity for a Cyber vendor to offer all sorts of training services, and to educate a plethora of individuals.  Once again, there may not be a lot of money to be made here, but just think once again of the long term:  As you educate more people in this sector, there are greater chances that word of mouth about your services will spread like wildfire, with the resultant being new business coming in from different directions that you never even thought of before.

3)     Start with the basics:

If you ever get an education engagement, or even get a contract from a public sector company, remember to always keep things as basic as possible.  Quoting an old marketing proverb, “Reduce it to the Ridiculous”.  Meaning, there is no need to talk about Generative AI or the Zero Trust Framework.  Start first with a simple Vulnerability Scan, and from there, point out any gaps or weaknesses that have been found.  From there, show the nonprofit (as an example) what steps are needed to correct them.  This will most likely be using passwords that are very weak, or those that have been used over and over again.  Have them start out with using a Password Manager, and show the benefits it brings by creating longer and more complex passwords, as well as resetting them on a prescribed timetable.  Also, it will be very important to conduct a basic Risk Assessment, just to get an idea of how vulnerable the digital assets could be.  When coming out with a new Cyber strategy, try to use whatever existing security tools that they have and try to reorganize them so that that maximum protection can be offered.  Remember try not to get too many tools (if needed).  Most likely, the nonprofit will not be able to even afford them, much less have the staff to filter through all of those log files.

4)     Share information:

Just like how the Biden Administration is trying to foster a trusting relationship of information sharing between the Federal Government and the private sector, the same holds true for the Cyber Vendor and the nonprofit.  Obviously, you don’t want to give all of your trade secrets away, but simply sharing what you see on the Cyber Threat Landscape good be a great starting point as well.  This will be probably the very first step in creating a trusting relationship that will last for the long haul.

My Thought On This:

There comes the time when a Cyber Vendor sees new market opportunities and you want to seize them, but there is simply not as much money to be made off of them as you would like.  A great example of this is the SMB market. 

For the longest time, this remained an untapped one, for the reason just described.  But now many Cyber Vendors are realizing the opportunities here, and have adjusted their pricing and business models accordingly.

The same will hold true in the public sector, with the smaller governmental agencies and the nonprofits leading the way.  But until this happens, and if you the Cyber Vendor want to tap into it before your competition does, you may have to offer your services “Pro Bono” at least initially.


Friday, July 7, 2023

2 Key Reasons Why Generative AI Will Fail

 


As I have written about before, and I think in even just last week’s blog, AI and ML are taking the world by storm.  Now, there is nothing new when it comes to their science.  Researchers have been examining this since the 1950s. 

 

But what is different this time is how much more attention people are paying to it.  A lot of this has been triggered by ChatGPT, but interestingly enough, interest in its use seems to be waning, according to some of the latest news headlines.

But to me, this is not surprising.  As I have said, and will continue to say so, it is all just a hysteria, much like the .com era of the late 90s was all about.  Any business that had a “.com” in its name had VC money pouring into it.  But of course, by 2000, it all died down.  The same thing will happen with ChatGPT.  But what is different this time is that the traction that AI and ML have brought to the forefront will never go away.

Instead, people are going to try build better mousetraps (as the saying goes) when it comes to AI, and try to explore different use cases for it.  One such area that will get more attention in this aspect is that of securing the source that is used to create the web apps of today.  This is an area that has long been forgotten about, and it is only until now that it is coming under the limelight.

For the longest time, software developers were never held accountable for double checking the security of what they have created.  But now this is not the case.  As much as CISOs and employees are now being held more responsible abiding for abiding by the security policies of their employers, so too are software development teams.

But to give them some benefit of the doubt, they also need some help to fix the vulnerabilities in the source code that they create.  This is possibly where both AI and ML can come into play.  Consider some of these statistics:

*A bulk of software development teams, at least 65% of them, are planning to use AI and ML to help double check their code within the next three years. 

(SOURCE:  https://about.gitlab.com/press/releases/2023-04-20-gitlab-seventh-devsecops-report-security-without-sacrifices.html)

*Over 66% of all businesses reported that there are well over 100,000 weaknesses in the source code that they create, and 50% of these cases still remain open well after three months.

(SOURCE:  https://www.rezilion.com/wp-content/uploads/2022/09/Ponemon-Rezilion-Report-Final.pdf

https://www.veracode.com/press-release/quarter-technology-applications-contain-high-severity-security-flaws-which-pose)

Now while there are good possibilities for AI and ML to come to the rescue, they do have some limitations, which are explored as follows:

1)     It’s only as good as what it is fed:

There is a popular myth that AI and ML can think and reason on their own, much like the human brain.  However, this is far from the truth.  While the human brain can initiate a thought process on its own, AI and ML simply can’t do that.  What they need first is fuel in order to ignite this process.  This comes in the way of feeding it datasets, and large amounts of it, on a 24 X 7 X 365 basis.  Also, the datasets that are used have to be cleansed and optimized as well, in order to help prevent erroneous results from being produced.  This is where human intervention is still needed and will continue to be required.  Once this happens, can only then the AI and ML tools learn something and produce a reasonable output.  Now here lies another disadvantage.  At the present time, AI and ML can only solve relatively easy problems in the source code.  There are nowhere near to the point where they can fix complex issues.  For this, they will need to be fed with different datasets that are far more sophisticated in order for them to come to this stage.  Keep in mind that although a human eye can spot gaps, weaknesses, and vulnerabilities without any formal training, an AI or ML system needs to have this.

2)     There is no verification involved:

When source code is checked with human intervention, it is usually checked in an iterative fashion in order to make sure that any known issues have been remediated, and is now as airtight as possible.  But AI and ML simply cannot do this.  Yes, given the right inputs they can calculate a reasonably decent output, they have not evolved to the point yet where they can verify and confirm the results on their own.  But human nature dictates to believe whatever an AI or ML systems produces, well, because it is more sophisticated than the human brain.  But it is not!!!  And it will never be!!!  We need to get away from this kind of thinking and always remember any output from an AI or ML system has to be fully verified as well!!!  Also remember that with AI and ML, there is an inherent level of trust that is afforded to them.  But, the world is now going to what is known as the “Zero Trust Framework”, where nobody can be trusted at all.  So how will AI and ML work in this kind of environment?  That is yet to be seen, and no doubt be a huge issue further down the road.

My Thoughts On This:

This area of AI and ML, which this blog has reviewed falls under the realm of “Generative AI”.  Loosely put, this is where it is hoped that these tools one day will be able to initiate their own thinking processes, like the human brain can.  But this will never happen, and even if it does, it will be only to a very miniscule amount at best.  Also, it will take many, many years to even reach that level.

Remember that in Cybersecurity, it takes the best of both of words of technology and humans to make anything work.  You can’t go too much to the extremes in either direction, you need a balance of both, where all of the pieces are working together in a harmonious fashion.

BTW, if you are interested in learning more about the latest ChatGPT algorithms, you can download a whitepaper from Open AI at this link:

http://cyberresources.solutions/blogs/gpt_4.pdf

 

Tuesday, July 4, 2023

Breaking Down The Impacts Of The CISA BOD-23-01

 


As I mentioned in a blog this past weekend, when compared to many of the other previous Administrations, the one being led by Biden has done, IMHO, the most for Cybersecurity.

True, all of it may not be enacted it because of all of the political mudslinging that is going on right now, but the fact remains that least Biden is aware of the Cyber Threat Landscape that is on us today, and he is trying to do something about it.

Well today (ironically on the 4th of July), I just came across a news article that addresses a new effort for the government sector.  This is being led by the United States Cybersecurity and Infrastructure Security Agency, also known as “CISA” for short. 

Their new directive is entitled “Binding Operational Directive 23-01”, or also known as the “BOD 23-01” for short.

But believe it or not, it is not targeted towards the private sector or Corporate America.  Rather, it is geared towards the Federal Government itself.  One of the main reasons driving this new piece of legislation are the vulnerabilities that the Critical Infrastructure has today. 

Ultimately, it is our own government that is responsible for the safety of them, and in turn, the various governmental agencies at the state and local levels also need  them.

So given this double-edged sword,  it is no wonder that something like this is needed. But the interesting thing about this is that it is not geared at beefing up any lines of defenses, but rather, its primary objective is to give a framework for the Federal Government to identify where all of its assets are, and from there, find out where all of the vulnerabilities lie at.

There are two key aspects of this new directive, which are as follows:

1)     Asset Discovery:

The definition here of what an asset is anything that is connected to a Network Infrastructure.  This will primarily involve determining all of the IP addresses of these particular assets.  But as we all know, even with the Federal Government they make use of the Cloud as well, most notable that of the Azure.  With this, things can get complex very quickly, and this is yet another impetus for this new act.  But there will also be a special focus on those devices that are considered to be “BYOD”, or any other unauthorized device that is making unauthorized usage of network resources.  Once these are identified, then further steps will be taken to completely eradicate them, as they can pose a serious risk as well.

2)     Vulnerability Enumeration:

This is essentially conducting a Vulnerability Scan, but on a more sophisticated level.  THE following are what will be the focus when a scan is being done:

*Operating Systems

*Software Applications that are hosted on servers

*Open Ports

*Determining if any software apps are close to reaching their “End of Life.”

*Finding out what software patches are missing and that need to be immediately applied

*Locating any misconfigurations

*Determining if there is any sort of deviation to baseline levels when compared to what the security policies mandate.

But the enforcement of this new act is going to be rather strict, with the following mandates:

*These tests have to be run every seven days.

Software vulnerabilities must be assessed for Privileged Access Management (PAM) accounts.

*There must be an inventory of all assets maintained all of the time, and which can be accessible.

*All of the results from the tests done must also be sent to the Continuous Diagnostics and Mitigation (CDM) Federal Dashboard, which is a service maintained by CISA.

My Thoughts On This:

A couple of things stand out as I write about this:

*CISA does not exactly specify how the various governmental agencies are to come into compliance with this new act, but as long as they meet the above-mentioned requirements within the timeframes set forth.

*It is highly likely that the Federal Government will need to make use of automation tools, such as that of AI and ML.  But the paradox here is that many of the Network Infrastructures of the government are still legacy base, so using automation may or may not work as effectively.

*There will be no additional funding that will be provided for the various government agencies to conduct these tests on a regular basis.  Rather, they will have to use their own resources already to hand.

With the last point, this means that there could be more opportunities for the private sector to fill in any lack of resources. 

I have to be honest about one thing:  If CISA is going to mandate these kinds of tests to see where all of the vulnerabilities are, why not take it further, and make it mandatory that the appropriate controls are also implemented at the same time?  Would this not help to protect our Critical Infrastructure even more, and to improve the security posture of the Federal Government???

Finally, more details about the BOD 23-01 can be seen at the link below:

https://www.darkreading.com/attacks-breaches/will-new-cisa-guidelines-help-bolster-cyber-defenses-

 

How To Launch A Better Penetration Test In 2025: 4 Golden Tips

  In my past 16+ years as a tech writer, one of the themes that I have written a lot about is Penetration Testing.   I have written man blog...