Saturday, September 30, 2023

The 4 Golden Pillars Of An Effective Cyber Disclosure Plan

 


Yesterday’s blog was all about some of the legal repercussions that your business could possibly face if you have been impacted by a Cyber-attack.  The moral of the story here is that while restoring mission critical operations is of utmost importance, you will also have other areas of huge responsibility.  One of them, as also mentioned, is the full disclosure of what has happened to all of the relevant parties. 

So what are some of the steps that you can take to make this happen?  Here are four of them that you, the CISO, and your IT Security team can follow:

1)     Be open and transparent:

This is as straightforward as it sounds.  If something happens, you need to notify all impacted parties promptly, and in many cases the deadline is not yours to set: the GDPR, for instance, gives you 72 hours to notify the supervisory authority once you become aware of a breach.  But of course, there is a way of saying things, so you may want to hire a PR specialist who knows how to craft exactly what is said.  For example, you don’t want to say too much (because of the nature of the ongoing investigation), and you don’t want to say too little either.  You just want to say the right amount.  And of course, you want to keep the language as free of technical jargon as possible, so that people can understand what has happened to them.

2)     Build high levels of trust:

Throughout your entire communication process, both in the short and long term, you need to foster a sense of trust.  For instance, once you have been impacted by a security breach, there is a very high probability that you could lose some of your customers.  You have no control over this, as they could very well lose faith in your word.  This is common.  But the key point to remember here is that you have to stay steadfast and calm.  You want to let your customers know that you are addressing the situation, and that you are doing everything you can to find out what happened.  By doing this, the probability of losing more customers should diminish.  But also remember, you have to address their own individual fears.  To do this, you should set up an emergency hotline number, and make sure that somebody answers it after business hours as well.  Also consider setting up a dedicated email address, which is watched on a 24 X 7 X 365 basis.  And as mentioned yesterday, you will also need to provide extra services for some time, like free credit report monitoring.

3)     Have that Incident Response Plan in place:

This is something that I have written about ad nauseam.  Few businesses cared about having one in place before the COVID-19 pandemic hit; now they are starting to fully realize the value of having one.  Not only is it important to have a detailed document, but it must be rehearsed on a regular basis (at a minimum, once a quarter), and it must be updated with the lessons learned after each exercise.  Even more important is to have responsible employees you know you can count on to respond quickly should a security breach occur.  Also, it is imperative that you keep the contact information of each team member updated, and that you keep a copy of the plan and those contacts somewhere you can still reach when your own systems are down, since a ransomware attack will often take your file shares and email with it.  Having this plan in place and practicing it will pay huge dividends in the long run.

4)     Keep an eye on the Threat Environment:

By this I mean that you, the CISO, and your IT Security team need to keep a close eye on the Threat Landscape.  Obviously, given that it changes by the minute, it is impossible for any human being to do this alone.  But the good news here is that if you use a Cloud provider like Microsoft Azure, a lot of these tools are already available, and they can pretty much keep that eye out for you.  I know for a fact that this platform makes use of AI and ML pretty heavily as well to make this possible.  Heck, they even provide a SIEM (Microsoft Sentinel) so that you can watch everything from one central location in a holistic view.

My Thoughts On This:

One thing I forgot to mention is to have a robust triaging system in place.  Again, Azure pretty much has the tools to help you do this, but one of the most important aspects here is that you want to filter out the false positives: tune the detection rules, suppress known-benign sources such as your own vulnerability scanners, and collapse repeated alerts for the same event into a single case.  This will help your IT Security team avoid “Alert Fatigue”, and appropriately respond to the real warnings and alerts that come in.
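To make the triage idea concrete, here is an added example (my own illustration, not code from the blog or from any Azure tool) of the three steps a triage layer in front of a SIEM typically performs: suppress alerts from an allowlisted known-benign source, collapse duplicate alerts for the same rule, source and host that arrive within a time window, and escalate a medium alert once the duplicate count crosses a threshold.  The sample alerts, the allowlisted scanner address, the window and the threshold are all constructed for the example.

```python
"""Alert triage: suppress known-benign sources, collapse duplicates,
and escalate what is left.  Added example with constructed input;
the allowlist, window and threshold values are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample alerts (not real telemetry).  Two are a port scan
# from the authorised vulnerability scanner, six are a burst of failed
# VPN logins from one address, one is a ransomware canary file being
# touched, and the last is a lone failed login from the earlier
# address more than an hour later.
SAMPLE_ALERTS = [
    {"ts": "2023-09-30T08:00:01", "rule": "port_scan", "src": "10.0.5.20", "host": "web01", "severity": "low"},
    {"ts": "2023-09-30T08:00:05", "rule": "port_scan", "src": "10.0.5.20", "host": "web02", "severity": "low"},
    {"ts": "2023-09-30T08:01:10", "rule": "failed_login", "src": "203.0.113.7", "host": "vpn01", "severity": "medium"},
    {"ts": "2023-09-30T08:01:12", "rule": "failed_login", "src": "203.0.113.7", "host": "vpn01", "severity": "medium"},
    {"ts": "2023-09-30T08:01:15", "rule": "failed_login", "src": "203.0.113.7", "host": "vpn01", "severity": "medium"},
    {"ts": "2023-09-30T08:01:20", "rule": "failed_login", "src": "203.0.113.7", "host": "vpn01", "severity": "medium"},
    {"ts": "2023-09-30T08:01:31", "rule": "failed_login", "src": "203.0.113.7", "host": "vpn01", "severity": "medium"},
    {"ts": "2023-09-30T08:01:45", "rule": "failed_login", "src": "203.0.113.7", "host": "vpn01", "severity": "medium"},
    {"ts": "2023-09-30T08:03:00", "rule": "ransomware_canary_touched", "src": "10.0.9.14", "host": "fs01", "severity": "critical"},
    {"ts": "2023-09-30T09:30:00", "rule": "failed_login", "src": "203.0.113.7", "host": "vpn01", "severity": "medium"},
]

# (rule, source) pairs that are known to be benign.  The address is an
# assumed internal vulnerability scanner that legitimately port-scans.
ALLOWLIST = {("port_scan", "10.0.5.20")}

WINDOW = timedelta(minutes=5)   # duplicates closer than this collapse into one incident
ESCALATE_COUNT = 5              # medium incidents with this many hits become high
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Incident:
    rule: str
    src: str
    host: str
    severity: str
    count: int
    first_seen: datetime
    last_seen: datetime


def triage(alerts, allowlist=ALLOWLIST, window=WINDOW, escalate_count=ESCALATE_COUNT):
    """Return (incidents, suppressed_count) for a list of raw alerts."""
    parsed = sorted(alerts, key=lambda a: datetime.fromisoformat(a["ts"]))
    open_incidents = {}   # (rule, src, host) -> most recent Incident for that key
    incidents = []
    suppressed = 0
    for a in parsed:
        if (a["rule"], a["src"]) in allowlist:
            suppressed += 1          # step 1: drop the known false positive
            continue
        ts = datetime.fromisoformat(a["ts"])
        key = (a["rule"], a["src"], a["host"])
        inc = open_incidents.get(key)
        # step 2: collapse duplicates; a gap longer than the window opens a new incident
        if inc is None or ts - inc.last_seen > window:
            inc = Incident(a["rule"], a["src"], a["host"], a["severity"], 0, ts, ts)
            open_incidents[key] = inc
            incidents.append(inc)
        inc.count += 1
        inc.last_seen = ts
    # step 3: a sustained burst of medium alerts is more than the sum of its parts
    for inc in incidents:
        if inc.severity == "medium" and inc.count >= escalate_count:
            inc.severity = "high"
    return incidents, suppressed


def work_queue(incidents):
    """Only high and critical incidents reach an analyst, worst first."""
    urgent = [i for i in incidents if SEVERITY_RANK[i.severity] <= SEVERITY_RANK["high"]]
    return sorted(urgent, key=lambda i: (SEVERITY_RANK[i.severity], i.first_seen))


if __name__ == "__main__":
    found, dropped = triage(SAMPLE_ALERTS)
    print(f"{len(SAMPLE_ALERTS)} raw alerts -> {len(found)} incidents, {dropped} suppressed")
    for inc in work_queue(found):
        print(f"{inc.severity:8} {inc.rule:26} {inc.src:14} x{inc.count}")
```

On the constructed input, ten raw alerts become three incidents, of which two (the canary and the escalated login burst) reach the analyst queue and the lone later login does not.  The point to carry over to a real SIEM is that suppression is keyed on rule plus source, never on rule alone, so the allowlist cannot hide a genuine port scan from an unknown address.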

Also, keep track of the major vulnerabilities that come out by using other sources.  Some of the most reliable ones include those from OWASP and CISA (for example, CISA’s Known Exploited Vulnerabilities catalog).  Of course, the major Cyber vendors also publish these in different venues, open to anybody who would like to access them.  A good example of this can be seen at the link below:

https://www.deepwatch.com/deepwatch-releases-2023-adversary-tactics-and-intelligence-ati-annual-threat-report/

Friday, September 29, 2023

Hit By A Security Breach? 4 Legal Repercussions That Could Happen TO YOU!!!

 


The one thing that most businesses don’t want to experience is a security breach, and especially a large one.  But there is no doubting the fact that we are all prone to becoming a victim of one; the key is learning how to mitigate that risk.

But it’s not just recovering from one that you need to be worried about.  Given today’s litigious society, there are a whole host of legal issues that you need to be aware of, and even comply with.

Here are the top four you need to know about:

1)     Your Cyber insurance carrier:

You may have Cyber insurance through an established carrier, so you think financially that you are all protected, right?  WRONG.  After you have been breached, one of the first things that you will want to do is file a claim, and expect an immediate payout, just like car insurance.  But unfortunately, it does not quite work that way.  Even before you got your insurance policy, most likely, you filled out some kind of questionnaire attesting that you have all of the needed controls in place.  After your claim is filed, it is highly likely that your insurance company will revisit that same questionnaire, and may even want to audit your IT/Network Infrastructure to some degree to make sure that those same controls are still in place and working.  If this scenario does happen, answer all questions truthfully.  Any misrepresentation on your part, even by accident, could lead to a denied payout, and even termination of your Cyber insurance policy.  More information on this can be seen at the link below:

https://www.darkreading.com/risk/10-key-controls-to-show-your-organization-is-worthy-of-cyber-insurance

2)     The auditors will come out:

If your company is large enough, and especially if it is publicly traded, the chances are high that you will face an even harsher audit from the regulators, and this time with some serious financial penalties.  For example, under the GDPR you could face fines of up to 4% of your annual global turnover or €20 million, whichever is higher, and under the CCPA the penalties are up to $2,500.00 per violation and $7,500.00 per intentional violation.  Note that these two laws apply based on whose personal data you process, not on whether you are publicly traded.  For US public companies there is a further layer: the SEC’s 2023 cybersecurity disclosure rules require a material incident to be reported on Form 8-K within four business days of determining that it is material.  Once again, you will want to be truthful about everything, but since this is much more serious than an audit by an insurance company, you will probably want to have your lawyer next to you.

3)     Ransom payments not going through:

In the case of a Ransomware attack, if you do decide to make a ransom payment (it is highly advised that you do not do this), you will most likely be asked to pay in cryptocurrency, which means going through an exchange, a bank or a specialist negotiation firm.  But it is not as easy as that.  Given the tighter financial regulations today, many of these institutions screen such transactions and will refuse to move money to an unknown foreign party.  Further, to make things worse, the US Treasury Department's Office of Foreign Assets Control (OFAC) has warned that a payment to a sanctioned group or nation state threat actor can be a sanctions violation, and civil penalties can be imposed even if you did not know who you were paying.  Also keep in mind that if you do make a Ransomware payment, your insurance company may not reimburse you for it, depending on the terms of your policy!!!  More information about this can be seen at the link below:

https://www.darkreading.com/risk/us-treasury-warns-of-sanctions-violations-for-paying-ransomware-attackers

4)     Notifying impacted parties:

Remember, it is not just your company that is impacted, but your customers as well.  Therefore, you have a legal obligation to inform them if they have any of their confidential information or data stolen.  The laws have become strict now, and in some situations, you must provide written notification (USPS mail or email) of what has happened.  Then, you need to provide a proper course of action, such as offering free credit reporting and monitoring services.  But even if you take all of these precautionary steps, you could still face a barrage of lawsuits, so be ready for that as well. 

My Thoughts On This:

The best advice that I can give you here is to first conduct a comprehensive Risk Assessment, then from there, make sure that you have all of the needed controls deployed, and that they are optimized and updated at all times. 

Then if anything happens, and your business does indeed become the victim of a security breach, at least you will have done everything in your power.  That is all anybody can ask for.

Also, try to find a good lawyer with solid Cyber experience, especially when it comes to compliance and the data privacy laws.  They will truly become your best friend and advocate if you are hit.

Thursday, September 28, 2023

A CISOs Perspective On AI: Truths & Fallacies

 


In today’s world, one of the first priorities for most businesses is to Cyber-proof themselves.  But unfortunately, for the SMBs, budget is always a concern.  For example, many of these owners often try to find the cheapest deals possible.  Very often, they will mix and match products and services, without thinking about their interoperability.  But the good news is that a new trend is occurring, in which Cyber vendors are now offering “one stop services” at an affordable price.

In today’s podcast, we have the honor and privilege of interviewing Bruce Roton, the CTO of a leading company known as Cyberproof.  He explains how any sized business can benefit from their complete solutions package.  Listen in to this podcast today!

You can download it at this link:

https://www.podbean.com/site/EpisodeDownload/PB14AFFCDNYVFV

Saturday, September 23, 2023

4 Top Cyberthreats Posed To Super Bowl 2024

 


It’s hard to believe, but we are now fast tracking into October.  This is the last quarter of the year, and believe it or not, people are already talking about the next Super Bowl.  But there is a different twist this time.  Most of the headlines that I am reading are now focused on Cyber securing this event.  In fact, many government agencies, most notably CISA, are taking a huge part in this endeavor.

But this begs the question:  Just how prone are professional sporting events to Cyber-attacks?  The answer is, very prone.  In fact, according to a recent survey, at least 70% of all professional sports organizations were subject to some sort of security incident, with at least 30% of them experiencing a very serious one.  More details on this can be seen at the link below:

http://cyberresources.solutions/blogs/Sports_Security.pdf

What is the reason for this increase?  Here are some possible clues:

*The sports arena is becoming heavily digitized, such as online betting.  With this, there is now a lot more valuable information and data that the Cyberattacker wants, so they will go after it.

*This industry is expected to grow at a very fast rate – it will reach over $623 billion by 2027.

(SOURCE:  https://www.thebusinessresearchcompany.com/report/sports-global-market-report)

*The IoT is heavily used here, and because of all these connections to thousands and perhaps even millions of devices, the attack surface has greatly expanded.  Just consider this:  Microsoft helped to secure a recent sports event in which there were 100,000 endpoints, 144,000 identities, 14.6 million emails being transmitted, and a very large volume of authentication events. 

(SOURCE:  https://www.microsoft.com/en-us/security/business/security-insider/reports/cyber-signals/cyber-signals-issue-5-cyberthreats-increasingly-target-the-worlds-biggest-event-stages/)

You may be asking at this point, what are some of the Cybersecurity risks that are posed to these kinds of events?  Well here is just a sampling of them:

1)     The Digital Signage:

Any kind of sporting event, no matter how large or small, will have signage, much of it electronic.  But did you ever stop to think that these displays could become a prime target?  Remember, it is not just about the lights they display: each one is driven by a networked computer, often running a commodity operating system that is rarely patched and sometimes still has its default credentials.  A compromised sign can be used to show attacker-controlled content in front of a huge audience, or more quietly as a foothold into the venue network from which to reach other systems.

2)     Hot Spots:

Everybody wants to connect their mobile devices so that they can keep family and friends up to date on the score.  But to do this, you need to connect to a hotspot of some sort.  As I have written about many times in the past, open public Wi-Fi hotspots are not secure: the traffic between your device and the access point is not encrypted, so anyone in range can eavesdrop on it, and a rogue hotspot with a look-alike name can sit in the middle of your connection.  So the best advice here is to not connect at all, or to use the hotspot on your own smartphone instead, which at least requires a passphrase that is hard to guess.  The same also goes for mobile apps.  When big sporting events come up, like the Super Bowl or even the Olympics, a lot of rogue mobile apps appear in the app stores.  Be careful of what you download, and make sure that the app is real and legitimate.  In a worst-case scenario, contact the vendor to confirm this.

3)     Point of Sale Terminals:

Who can resist going to the snack and drink bar at half time and totally gorging on Coke and hot dogs?  It’s truly the American way.  But how many of you actually pay with hard cash?  Probably not many.  You will most likely pay with a credit card.  But be careful here of credit card skimmers.  Make sure that not only your card has an EMV chip, but that the Point of Sale Terminal actually reads the chip (or accepts a tap) rather than swiping the magnetic stripe.  Even give the reader a little wiggle to make sure that it feels firm; an overlay skimmer will feel slightly loose.  Always keep checking your credit card statement online to make sure that there are no fraudulent charges.  On the safer side, if you are attending a large sporting event, make sure you visit a food vendor that has been officially endorsed by the venue, or even its sponsors.

4)     The Physical Infrastructure:

Just as there are digital threats, there is an equal number posed to the physical premises of the sporting event.  It is up to the venue to secure this, but you can take steps to protect yourself as well.  Keep an open eye, and especially watch for pickpockets.  The best line of defense here is to keep all of your valuables at home.  Also, report any suspicious activities to venue security.

My Thoughts On This:

Unfortunately, as the world goes on, sporting events will continue to be plagued with Cyberthreats and security breaches.  The best thing you can do is just be proactive and keep your guard up.  Or better yet why not watch the event from home, invite family and friends, and have a nice party?  Much better than trying to face all the crowds in the real thing.

Friday, September 22, 2023

The Battle Between On Prem & The Cloud - 3 Stark Differences

 


I have written a lot on both On Premises and Cloud based Infrastructures, from many different angles, especially from the standpoint of both Cyber and Privileged Access Management.  Plus, I am learning more about them from my new job, when it comes to both AI and ML. 

But I never really took the time to really understand the key differences between the both of them.  So in this blog, I am going to take the time and do so.  Here we go:

1)     There are many combinations:

With the Cloud, there are three major service models that you can pick from:  Infrastructure as a Service (aka “IaaS”), Platform as a Service (aka “PaaS”), and Software as a Service (aka “SaaS”).  On top of that there are three deployment models:  the Public Cloud, the Private Cloud, and the Hybrid Cloud.  Now depending upon your requirements, you can mix and match these as much as you want, creating all sorts of different combinations.  Heck, you can even connect different Cloud Providers together, such as AWS, Microsoft Azure, and Google Cloud Platform.  So as you can see, things can get pretty hairy and even extremely complicated, depending on how many resources you deploy and how you set them up.  For example, you can create your own Virtual Data Center and spread it across different physical regions throughout the world, depending upon how your Cloud Provider has its geographic distribution set up.  One of the key advantages here is the shared responsibility model:  the Cloud Provider manages the physical infrastructure and the hypervisor, and for PaaS and SaaS also the platform and application layers, including their software updates and patches.  But you are always responsible for your data, your identities, and your configurations and settings, and with IaaS you also still have to patch the guest operating system.  So if your Cloud deployment gets exposed to a data leak through a misconfiguration, you are the one that is responsible for it, not the Cloud Provider!!! 

With the On Prem Infrastructure, you are responsible for everything, from the maintenance to applying the software updates and patches, and getting new equipment when and as needed.  Also, you will have to hire dedicated staff as well for this.  The bottom line here:  Lots of $$$ being spent, with no firm ROI on it.

2)     The Demilitarized Zone:

The acronym for this is the DMZ, and no, I am not talking about the one on the Korean Border.  This is another security layer for both an On Prem and Cloud based Infrastructure.  The technical definition for this is as follows:

“In computer networks, a DMZ, or demilitarized zone, is a physical or logical subnet that separates a local area network (LAN) from other untrusted networks -- usually, the public internet. DMZs are also known as perimeter networks or screened subnetworks.”

(SOURCE:  https://www.techtarget.com/searchsecurity/definition/DMZ)

Simply put, this is just another layer of security that is added on, to separate your Network Infrastructure from any sort of rogue data packets, malicious domain links, and anything else that is deemed to be untrustworthy in the world of Cyber. 

With the On Prem Infrastructure (assuming your business has a brick and mortar one), the DMZ is more or less clearly defined, so your IT Security team will know all of its ins and outs easily.

But with a Cloud based Infrastructure such as Microsoft Azure, defining the DMZ becomes a lot murkier, because it is purely a logical construct (subnets, Network Security Groups and firewall rules rather than a separate set of cables and switches) when compared to the DMZ of an On Prem Infrastructure.  But the good news is that with Azure you get building blocks such as Network Security Groups, Azure Firewall and the hub and spoke virtual network pattern to create that DMZ, along with tooling to visualize it so that it can be understood a lot more easily. 
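Whether the DMZ is a cabled subnet on premises or a set of Network Security Group rules in Azure, what it really is is a priority-ordered, first-match, default-deny rule table between three zones.  The following is an added example (my own illustration, not code from the blog, from Azure or from any firewall product) that models such a table and lets you check what a given flow would do.  The zone address ranges, the ports and the rules themselves are assumptions chosen to show the classic three-tier layout; the important property to notice is that a compromised DMZ host can reach the internal zone only on the one database port, and cannot reach back out to the Internet at all.

```python
"""Three-zone DMZ policy as a first-match, default-deny rule table,
the shape an Azure NSG or an on-prem firewall ruleset encodes.
Added example; zone ranges, ports and rules are assumptions."""
import ipaddress

# Assumed address plan.  Anything not in a named zone is "internet".
ZONES = {
    "dmz":      [ipaddress.ip_network("10.10.0.0/24")],   # public-facing web tier
    "internal": [ipaddress.ip_network("10.20.0.0/16")],   # database and corporate LAN
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; the public Internet is the catch-all."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "internet"


# (src_zone, dst_zone, protocol, dst_port or None for any, action),
# evaluated top to bottom; the first matching row decides.
RULES = [
    ("internet", "dmz",      "tcp", 443,  "allow"),  # the public reaches only the DMZ, only HTTPS
    ("dmz",      "internal", "tcp", 5432, "allow"),  # web tier talks to the DB tier on one port only
    ("internal", "dmz",      "tcp", 22,   "allow"),  # admins manage DMZ hosts from inside
    ("internal", "internet", "tcp", None, "allow"),  # staff browsing out is permitted
    # No row for dmz -> internet: a compromised DMZ host cannot call home.
    # No row for internet -> internal: the Internet never touches the LAN directly.
]
DEFAULT_ACTION = "deny"


def evaluate(src_ip: str, dst_ip: str, protocol: str, dst_port: int) -> str:
    """Return 'allow' or 'deny' for a new connection from src to dst:port."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule_src, rule_dst, rule_proto, rule_port, action in RULES:
        if (rule_src == src_zone and rule_dst == dst_zone
                and rule_proto == protocol
                and (rule_port is None or rule_port == dst_port)):
            return action
    return DEFAULT_ACTION   # anything not explicitly allowed is dropped


if __name__ == "__main__":
    # Constructed flows: Internet client, DMZ web server, internal DB host, admin workstation.
    flows = [
        ("198.51.100.5", "10.10.0.8", "tcp", 443),    # public HTTPS to the web tier
        ("198.51.100.5", "10.20.1.5", "tcp", 443),    # public straight at the DB host
        ("10.10.0.8",    "10.20.1.5", "tcp", 5432),   # web tier to database
        ("10.10.0.8",    "10.20.1.5", "tcp", 22),     # web tier trying to SSH inward
        ("10.10.0.8",    "198.51.100.5", "tcp", 443), # web tier calling out to the Internet
        ("10.20.1.9",    "10.10.0.8", "tcp", 22),     # admin managing a DMZ host
    ]
    for src, dst, proto, port in flows:
        print(f"{zone_of(src):9} -> {zone_of(dst):9} {proto}/{port:<5} {evaluate(src, dst, proto, port)}")
```

Reading the output for the sample flows, the only paths that cross a zone boundary are the ones an architect drew on purpose; everything else, including the two lateral-movement attempts from the web server, falls through to the default deny.  In Azure the same table becomes NSG rules with priorities, and the lesson is identical: write the deny for DMZ to internal traffic explicitly rather than trusting that no rule happens to allow it.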

3)     The Software Update Process:

With an On Prem Infrastructure, you have total control over how and when you want to deploy the needed patches and upgrades to your IT and Network Infrastructure.  For example, when I was working at my first job after graduating with my MBA, I was heavily involved with Software Configuration Management.  I was responsible for checking the patches and upgrades on the vendors’ websites every Monday morning, and downloading what I thought we needed.  Then, we would have a team meeting to review them, and after that, submit a Change Management Request to get these patches installed.  But given how many different devices there are today, and all of the interconnectivity that exists between them, this process has become quite complex.  Although you have full control over what you want to install, it is also your responsibility to make sure that it is done on a regular basis.  If not, you are at prime risk for a security breach.

But with a Cloud based Infrastructure, the good news is that the Cloud Provider does much of this for you:  the physical hosts, the hypervisor and the managed (PaaS and SaaS) services are patched without any action on your part.  There are two caveats, though.  First, this does not extend to the guest operating system and the applications on your IaaS Virtual Machines, which remain your responsibility to patch (Azure offers update management tooling, but you still have to turn it on and schedule it).  Second, the provider usually does not tell you exactly what gets deployed to the underlying platform, and at times a host-level update can cause a conflict with something running on your Virtual Machine.

My Thoughts On This:

As can be seen from this blog, both kinds of infrastructure have their pluses and minuses.  But if it were me, I highly favor the Cloud based Infrastructure.  My reasons for this?  It is far cheaper than the On Prem solution, and you can add and remove resources as needed within minutes versus the days or weeks that it can take with an On Prem Infrastructure.

Saturday, September 16, 2023

How To Fix Misplaced Trust In Cyber: 4 Golden Tips

 


Today, I am going to talk about a term that is used widely in Cybersecurity, but it is not technojargon.  Rather, it is a word that is used in everyday language, and this is “Trust”.  In the world of Cyber, we hear about the Zero Trust Framework, the Circles of Trust, Implicit Trust, blah, blah, blah.  But now the question is:  “How much trust do we place in the people and machines that we encounter on a daily basis?” 

This is a tough question to answer, as it is up to each individual to decide.  But, when it comes to the protection of digital and physical assets, a study from “Kroll”, entitled the “2023 State of Cyber Defense”, found some interesting trends:

*Only 37% of CISOs have faith that the company they work for has implemented all reasonable means of Cyber defense.

*There are more mistakes being made with installing security tools, such as Network Security Devices.

*Most striking, CISOs have more trust in the regular employees than their own IT Security team.

The report can be downloaded at this link:

http://cyberresources.solutions/blogs/Kroll_Report.pdf

Obviously, the first thing that comes to mind is that a CISO (or even a vCISO) should, for the most part, have complete (or at least mostly complete) trust in their IT Security team.  After all, who else can they count on to put out the fires when the going gets tough?  The trust described in the survey can also be referred to as “Misguided Trust”.  A formal definition of it is as follows:

“It is loyalty placed in other persons or organizations where that loyalty is not acknowledged, is not respected, is betrayed, or is taken advantage of.”

(SOURCE:  https://en.wikipedia.org/wiki/Misplaced_loyalty)

So what can be done to help improve this issue of misguided trust between the CISOs and their IT Security teams?  Here are some tips that can be easily followed:

1)     Don’t assume!!!

It is human nature that managers will always have a layer of assumption ingrained into their thinking.  This can be a good thing and a bad thing.  But unfortunately, it errs much more towards the latter.  When it comes to the CISO, they assume that everybody in the company will understand what they are talking about, all the way down to the administrative assistant.  The CISO thinks that through just one round of training, all employees will be well versed in how to combat a Phishing threat.  But this is not true.  Some employees may learn quickly, but the truth of the matter is that most employees will not pick it up the first time.  It is quite likely that they will need repeated training, at regular intervals.  So as a CISO, you should never assume that employees know what you know!!!  The rule of thumb here is to walk a mile in each of the employees’ shoes.  In other words, look at the job titles of the people you will be training, and try to customize the training around that, and around the department that they work in.

2)     Set up metrics and KPIs:

Nobody likes to be gauged by this, but the harsh reality is that this is the only way to hold people accountable.  This is obviously the case with people in sales.  But what about for an IT Security team?  These can be a bit harder to figure out, but some of the best ones are how quickly they can at least detect and respond to a threat variant.  I don’t think it is a fair metric to judge how long it takes to put something out, because each threat vector can have varying levels of impact.  But the bottom line here is that accountability will lead to a greater level of trust that is not misguided!!!

3)     Don’t take things for granted:

Whenever there is a tech issue with a server or a workstation, employees naturally take it for granted that the IT Department will fix it within minutes.  But this is not true.  The same applies to the IT Security team.  When a security breach happens, people think that it will be put out in a few minutes.  But the truth of the matter is that this is not the case.  It can take days, or even weeks.  The full time to recovery can take even months, depending upon the severity of it.  This is where employees should not take these teams for granted, and the reverse is true as well.  The CISO should not assume that the existing processes in place will fix the problem.  While this should be the case, they won’t unless they are tested and retested on a regular basis, and updated with the needed software and firmware patches.

4)     Involve everybody:

When developing the Cyber goals and objectives, the CISO must craft their plans so that all key stakeholders, and even all employees are involved to some degree or another.  The CISO must be transparent and honest in everything that they do, so that for the most part, everybody will be on the same page.  But probably the most important thing to remember here is to maintain an open line of communications!!!  People want to be heard and respected, and so does the CISO.  The only way to have this is to have that direct line open 24 X 7 X 365.

My Thoughts On This:

As mentioned earlier in this blog, the Zero Trust Framework is a methodology where absolutely nobody can be trusted.  I should know, as I have already written numerous published books and eBooks on this topic.  But in the end, there will always have to be some level of faith and trust.  The question is how to go about building it up properly, so that it does not become “Misguided”.

Friday, September 15, 2023

How The New Rwandan Data Privacy Law Will Impact US Businesses

 


When we think of data privacy laws and all of the facets and provisions that surround them, we often think of the United States first, then following us would be the European Union (EU), with its ever-famous law called the GDPR.  But believe it or not, there are other nations around the world, that you may not have even heard of, that are also adopting their own form of data privacy laws. 

These can even include the poorest of the poor countries, especially those found in Africa.

One such place is Rwanda.  In fact, in October of 2021, during the height of the COVID-19 pandemic, the government of this country passed its own data privacy law.  It is formally called the “Law on the Protection of Personal Data and Privacy (Data Privacy Law).” 

Just like the CCPA and the GDPR, the primary goals are to protect the PII datasets of the citizens of Rwanda, to give them far greater control as to how businesses can use their data, and to make sure that organizations are implementing the right controls to protect them.

This law does not just impact people in Rwanda, but it has global reach as well, especially if entities transact business there, or have customers in that geographic area.  Here are some of the key provisions of it:

“*Article 48 bars data being transferred to third parties unless they are authorized by the National Cyber Security Authority (NCSA).

Article 50 requires all personal data to be stored in Rwanda except for registered entities with NCSA-issued certificates to store data abroad.

Article 17 mandates data controllers and processors to keep a record of personal data-processing activities and submit the data to NCSA upon request.

Article 38(3) requires controllers and processors to provide data protection impact assessments (DPIAs) when processing poses a high risk to individuals' rights.

Article 43 mandates a data processor to inform the data controller of a data breach within 48 hours of discovery. It also requires a data controller to notify NCSA within 48 hours of becoming aware of a breach. The data controller must inform the subject of the data breach unless the breach is communicated to the public.

Article 9 requires a parent or guardian's consent before the personal data of a child under 16 can be processed. It also states that consent is acceptable only if it's in the child's interest. However, consent is not required if processing the data is important to the child's welfare.

Article 8 grants data subjects the right to revoke consent at any time.

Articles 29–31 require that anyone who intends to process data must register with the NCSA and be granted a data protection and privacy (DPP) certificate.”

(SOURCE:  This is a direct quote taken from Dark Reading, at this link:  https://www.darkreading.com/dr-global/navigating-rwanda-new-data-protection-law)

Much more detailed information about Rwanda’s Data Privacy Law can be found at the links below:

https://dpo.gov.rw/

https://securiti.ai/rwanda-data-protection-law/

Up to this point, since 2021, the Rwandan Government has allowed a two-year transitory period for businesses to come into compliance with this law.  But this grace period will end on October 15th, next month.  Just like the GDPR and the CCPA, there are also rather harsh financial penalties (by Rwandan standards) if compliance is not met.  Here are the details:

*A fine of up to 1% of the business’s total annual revenue, or a fixed fine in the range of roughly $1,700.00 to $4,250.00.

*Any data processors or third-party vendors that are not certified under this new law will also face the same financial penalties as described above.

My Thoughts On This:

Believe it or not, Rwanda now becomes the 35th nation in Africa to have a rather comprehensive data privacy law.  I never knew about this.  In fact, this is deemed to be one of the most stringent and strongest data privacy laws on the African Continent.  Some of the other key benefits of this are as follows:

*The confidence of the Rwandan consumer should pick up, as they now have recourse and legal actions available to protect their data.  More information about this can be seen at the link below:

https://www.darkreading.com/endpoint/why-the-culture-shift-on-privacy-and-security-means-today-s-data-looks-different

*They will now be assured that businesses are taking far more precautions to protect their PII datasets by implementing the right controls.

*It is anticipated that the flow of international trade should pick up, as more countries will have stronger faith in the serious steps the Rwandan Government is taking to protect commerce.

Probably best of all is that the Rwandan Government has also created a data protection authority, called the NCSA, to enforce this data privacy law.  In closing, I think we here in the United States could learn a thing or two from this new law passed in Rwanda.

 

 

Sunday, September 10, 2023

The Top 3 Rules You Need To Put Into Your Generative AI Policy

 


Today, the biggest trend in Cybersecurity is that of Generative AI.  Most of us have heard of this term, some of us have not.  So for the latter, here is a technical definition of it:

“Generative AI enables users to quickly generate new content based on a variety of inputs. Inputs and outputs to these models can include text, images, sounds, animation, 3D models, or other types of data.”

(SOURCE:  https://www.nvidia.com/en-us/glossary/data-science/generative-ai/)

So unlike the traditional AI models of the past, with these new algorithms like GPT-4 and Large Language Models (LLMs), you can submit a question or query to ChatGPT, and it will create a brand-new piece of content for you, based upon the data that has been fed into it.  So for example, if you are an author, and you ask it to create new sci-fi, it will output exactly that.

So as you can see from a very general level, Generative AI can be used for good, and even for bad.  But this is all still so new in terms of applications that it is hard to predict what the future will hold in this regard.

And it is not just individuals; many businesses are now adopting it for their own uses as well.  Thus, there is now fear that employees could potentially misuse it, especially if they are given free access to it by their employers.

So what can be done about this?  Well, here are three tips you can use:

1)     Create the policies:

Most companies now have policies in place to protect their digital and physical assets.  How granular this becomes, of course, depends primarily upon the CISO or even vCISO that is in charge.  But whatever the situation is, now is the time to update these policies with what can be called “Acceptable AI Usage”.  This is something that you will probably need a good lawyer for, as there is not too much legal precedent out there for this kind of stuff.  Basically, you will have full control over company-issued devices, but not personal devices.  This becomes even trickier with a remote workforce.  In this regard, some of the things you need to consider putting in your policies include:

*How Generative AI can be used for work purposes in terms of productivity;

*How it will be monitored on company issued devices, especially during off hours and break times.

For some more insight into this, click on the link below:

https://www.darkreading.com/analytics/following-pushback-zoom-says-it-won-t-use-customer-data-to-train-ai-models

2)     Watch how it is being used:

You and your IT Security team need to keep close tabs on what kind of information and data is being shared with ChatGPT.  Once again, when it comes to the personal devices of your employees, you have no control over this.  The best you can do is to provide proper security awareness training for them on a regular basis.  This will be needed as tools like ChatGPT grow in popularity and usage.  But for the company-issued devices, you can keep a very careful eye on how it is being used.  But you will need to warn employees ahead of time that they will be monitored in this regard.  If you make use of Social Media as well for your marketing purposes, this is yet another area that you should include in your new security policies.

To see a good discussion on this, click on the link below:

https://www.darkreading.com/vulnerabilities-threats/generative-ai-projects-cybersecurity-risks-enterprises

3)     Have accountability:

At this point in time, it is difficult to hold employees accountable for actions or work-related activities that have taken place with Generative AI tools.  Typically, even if you ask the tool who worked with it and when, it won’t give an answer.  So somehow, you and your IT Security team will have to come up with some sort of audit trail that records the access times as well as the IP addresses of the devices that have accessed these tools.  Another area that you need to be concerned with is the quality of data that is being fed into the Generative AI tools.  Remember, it is still essentially “garbage in, garbage out”.  So not only do you have to make sure on a real-time basis that the training data is optimized, but you also need to constantly remind employees to check their work if they use AI, in order to make sure that the output is accurate.  Unfortunately, at the present time, these kinds of check-and-balance systems are not available in Generative AI.
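As an added example (not code from the original post), here is one way to build the audit trail just described from web-proxy logs: who reached a generative AI tool, when, from which IP address, and whether it happened off hours, which is the case the policy section above singles out. The log line format, the user names and IP addresses, the business hours and the list of AI hostnames are all constructed assumptions.

```python
"""Build an audit trail of generative AI tool usage from web-proxy logs.

Added example, not from the original post. The log format, users,
IP addresses, business hours and AI hostnames below are constructed
for illustration; adapt the parser to what your proxy actually emits.
"""
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed: hostnames the policy treats as generative AI tools.
AI_HOSTS = {"chat.openai.com", "api.openai.com", "bard.google.com"}

# Constructed: local business hours used to flag off-hours usage.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)

# Constructed log format: "<ISO timestamp> <user> <src_ip> <method> <url> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample log (2023-09-11 is a Monday).
SAMPLE_LOG = """\
2023-09-11T09:12:03 jdoe 10.1.4.22 POST https://chat.openai.com/backend-api/conversation 200
2023-09-11T09:13:47 jdoe 10.1.4.22 POST https://chat.openai.com/backend-api/conversation 200
2023-09-11T12:30:10 asmith 10.1.7.9 GET https://www.example.com/news 200
2023-09-11T22:05:55 asmith 10.1.7.9 POST https://api.openai.com/v1/chat/completions 200
2023-09-12T07:02:11 bwong 10.1.2.40 GET https://bard.google.com/ 200
this line is malformed and must be skipped
"""


def host_of(url: str) -> str:
    """Extract the hostname from a URL of the form scheme://host[:port]/..."""
    return url.split("//", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()


def is_off_hours(ts: datetime) -> bool:
    """True when the access falls on a weekend or outside business hours."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def build_audit_trail(log_text: str) -> dict:
    """Return {user: {"first", "last", "ips", "hosts", "count", "off_hours"}}
    for every user who reached an AI host.  Malformed lines are skipped."""
    trail = defaultdict(lambda: {"first": None, "last": None, "ips": set(),
                                 "hosts": set(), "count": 0, "off_hours": 0})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the audit
        host = host_of(m["url"])
        if host not in AI_HOSTS:
            continue  # ordinary web traffic is not part of this trail
        ts = datetime.fromisoformat(m["ts"])
        rec = trail[m["user"]]
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
        rec["ips"].add(m["ip"])
        rec["hosts"].add(host)
        rec["count"] += 1
        rec["off_hours"] += is_off_hours(ts)
    return dict(trail)


if __name__ == "__main__":
    for user, rec in sorted(build_audit_trail(SAMPLE_LOG).items()):
        print(f"{user}: {rec['count']} requests to {sorted(rec['hosts'])} from "
              f"{sorted(rec['ips'])}, {rec['first']} .. {rec['last']}, "
              f"off-hours={rec['off_hours']}")
```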

A good review on this can be seen at the link below:

https://www.darkreading.com/application-security/chatgpt-other-generative-ai-apps-prone-to-compromise-manipulation

My Thoughts On This:

Right now, there is great fear and angst that AI will take over the world and replace human beings.  This is nothing but a huge myth.  We are far from understanding what the human brain is all about, and we never will.  All that AI will do is help to augment existing processes, not replace them.

Saturday, September 9, 2023

It's Time To Upgrade! 3 Golden Ways To Do It

In all of the buzzwords that are being thrown about today in Cybersecurity, we often don’t hear the word “Legacy”.  But old systems which still reside in an IT and Network Infrastructure can pose very serious threats.

Although many people may think that this is not true, it is quite the contrary.  As much as the Cyberattacker wants the new stuff, they will also be happy with old stuff.  For example, they can take bits and pieces of stolen information and data, and put them together to create a profile on an unsuspecting victim.

From here, ID Thefts can then be launched at a subsequent point in time.  But there are different categories of “Legacy” you need to be aware of, and they are as follows:

1)     Legacy Accounts:

These can be defined as follows:

“Legacy identities are accounts that exist in an organization's identity store despite no longer being needed.”

(SOURCE:  https://www.darkreading.com/vulnerabilities-threats/securing-your-legacy-identities-data-and-processes)

The security issues are that these dead accounts simply add more bloat, and take up more storage.  The best way to identify and remove these accounts is to conduct regular audits (even as often as monthly) to make sure that no such accounts actually exist.  If they do, simply delete all traces of them.  Also, if an employee leaves a company and their Legacy Account still exists, they could still log in and wreak havoc, which is something you don’t need.
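As an added example (not code from the original post or the linked article), here is a small monthly audit of the kind described above: it cross-checks an identity-store export against the HR roster so that accounts belonging to people who have left, accounts nobody owns, accounts that were disabled but never deleted, and accounts that have gone unused all surface for review. The records, the field names and the 90-day inactivity threshold are constructed assumptions.

```python
"""Monthly legacy-account audit: cross-check an identity-store export
against the HR roster of active staff.

Added example, not code from the original post. The records, field names
and the 90-day threshold below are constructed; map them onto the exports
your own directory and HR system actually produce.
"""
from datetime import datetime, timedelta

INACTIVE_AFTER = timedelta(days=90)  # constructed threshold for "unused"

# Constructed identity-store export: one record per account.
# "owner" is the person responsible for the account (themselves for a
# personal account, a sponsor for a service or contractor account).
ACCOUNTS = [
    {"user": "jdoe",           "enabled": True,  "last_login": "2023-09-05", "owner": "jdoe"},
    {"user": "mlee",           "enabled": True,  "last_login": "2023-03-01", "owner": "mlee"},
    {"user": "pgreen",         "enabled": True,  "last_login": "2023-08-30", "owner": "pgreen"},
    {"user": "svc-backup",     "enabled": True,  "last_login": "2023-09-09", "owner": "pgreen"},
    {"user": "svc-legacy-crm", "enabled": True,  "last_login": None,         "owner": ""},
    {"user": "tmp-contractor", "enabled": False, "last_login": "2022-11-12", "owner": "jdoe"},
]

# Constructed HR roster of currently employed people (pgreen has left).
ACTIVE_STAFF = {"jdoe", "mlee"}


def audit_accounts(accounts, active_staff, as_of):
    """Return (user, reason) pairs for accounts that need review.

    One reason per account, checked in this order:
      unowned  - no owner recorded, so nobody will notice misuse
      orphaned - owner is no longer on the HR roster; an ex-employee's
                 still-enabled account is exactly the "could still log in" case
      disabled - disabled but never deleted (bloat, and still restorable)
      inactive - enabled but unused for longer than INACTIVE_AFTER
    """
    as_of_date = datetime.fromisoformat(as_of)
    findings = []
    for acct in accounts:
        user, owner = acct["user"], acct["owner"]
        if not owner:
            findings.append((user, "unowned"))
        elif owner not in active_staff:
            findings.append((user, "orphaned"))
        elif not acct["enabled"]:
            findings.append((user, "disabled"))
        elif (acct["last_login"] is None
              or as_of_date - datetime.fromisoformat(acct["last_login"]) > INACTIVE_AFTER):
            findings.append((user, "inactive"))
    return findings


if __name__ == "__main__":
    for user, reason in audit_accounts(ACCOUNTS, ACTIVE_STAFF, "2023-09-10"):
        print(f"{user:16} {reason}")
```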

2)     Legacy Data:

This can be defined as follows:

“Legacy data is any data an organization stores that is outdated or obsolete — that is, it has outlived its usefulness.”

(SOURCE:  https://www.darkreading.com/vulnerabilities-threats/securing-your-legacy-identities-data-and-processes)

However, deciding what is needed and what is not can be a tricky situation.  Many companies are required to keep archived data for a certain period of time, such as accountants and the tax returns of their clients.  There are also other risks as well, such as not providing an adequate amount of protection to these kinds of datasets.  If your business is not bound to such a timeframe, the best advice here is to simply delete the old data that you don’t need.  This not only helps reduce the bloat that it creates, but it will also decrease the attack surface.

3)     Legacy Processes:

This can be defined as follows:

“Processes and procedures that are not kept up to date through regular review and practice should be deemed as legacy.”

(SOURCE:  https://www.darkreading.com/vulnerabilities-threats/securing-your-legacy-identities-data-and-processes)

These kinds of systems are often found with On Prem Infrastructures.  In fact, the most common place where you will find Legacy Systems is with our Federal Government.  For example, many branches still use mainframe technology along with JCL and COBOL, and many others, while updated some time ago, are still using unsupported versions of Windows.  In fact, they are also common with our nation’s Critical Infrastructure, because many of them still use outdated ICS and SCADA systems.  But unfortunately, you simply cannot rip out old pieces and put in new ones.  Many companies are still dependent upon using them, and not only would that be disruptive to them, but it could even be disruptive to our nation as well.  The best piece of advice here to mitigate any kind of Cybersecurity risk is to start thinking about how best you can replace the older technologies, a bit at a time.  But if you are a tech company, the answer is pretty easy to guess:  Move to the Cloud, and that way, your processes will be kept up to date all of the time.

My Thoughts On This:

As far as possible, you will always want to get rid of old stuff, especially when it comes to data.  The data privacy laws have become quite strict about this, such as the GDPR, CCPA, and HIPAA.  In fact, if you keep old information and data when it is not needed, this could open you up to a wide-scale audit, which is something you want to avoid at all costs.

For more information about Legacy Systems, click on the link below:

https://www.darkreading.com/vulnerabilities-threats/prevention-is-the-only-cure-the-dangers-of-legacy-systems

Friday, September 8, 2023

The Rise Of The Infostealer - What You Need To Know

There is one common denominator in the world of Cybersecurity today, and that is new threat variants are simply just rehashes of older vectors.  The Cyberattacker of today doesn’t want to spend time creating something from scratch, rather, if they can get their hands on anything, and just refine it a little bit more, that would be the best option.

In other words, it is just a matter of building a better mousetrap.  But even these days, there are plenty of “as a Service” attack toolkits that are available for purchase, for literally pennies on the dollar.  Some examples of this are Ransomware as a Service, Phishing as a Service, you name it.

But there is one threat variant which lurks out there, and this is what is known as an “Infostealer”.  You might be wondering what it is, so here is the technical definition of it:

“An information stealer (or info stealer) is a Trojan that is designed to gather information from a system. The most common form of info stealer gathers login information, like usernames and passwords, which it sends to another system either via email or over a network.

Other common information stealers, such as keyloggers, are designed to log user keystrokes which may reveal sensitive information.”

(SOURCE:  https://www.trendmicro.com/vinfo/us/security/definition/Info-stealer#:~:text=An%20information%20stealer%20(or%20info,email%20or%20over%20a%20network.)

So as you can see from the definition, this kind of malicious payload uses old-fashioned means to deploy itself – primarily through Trojan Horses and Keyloggers.  In fact, Infostealers have been around since 2006, and are basically scrapers that go after your confidential information, primarily your passwords and other sorts of financial information.

It does this all covertly, without you even knowing about it.  Probably the most famous of these is known as the “Zeus Trojan”, and more information about this can be seen at the link below:

https://www.darkreading.com/attacks-breaches/us-sets-5-million-bounty-for-russian-hacker-behind-zeus-banking-thefts

But according to a new report entitled "Stealers Are Organization Killers”, there is now an upward trend in the number of Infostealer hacks that are happening today.  They now attack all systems, including Windows, MacOS, and all of the different flavors of Linux.  This can be seen in the illustration below:



(SOURCE:  https://www.darkreading.com/vulnerabilities-threats/3-strategies-to-defend-against-resurging-infostealers)

You can view the report in more detail at this link:

https://www.uptycs.com/blog/infostealer-rise-in-danger

But what is also fueling the growth in Infostealers is Generative AI, largely thanks to ChatGPT.  So given this trend, what can a business do to help mitigate the risks of an Infostealer infiltration?  Here are three quick strategies that you can deploy:

1)     Be proactive:

By this, I mean you need to keep a constant vigil on the threat environment, on a real-time basis.  Of course, all of this can be automated by using a SIEM.  But you want to go beyond this.  For instance, you can always start with a Vulnerability Scan, but the best way to track down these malicious payloads is to run a Penetration Test at least once a quarter.  True, they can be expensive (at least $30,000 per test), but many Cyber vendors now offer packages in which you can get a license to conduct an unlimited number of Penetration Tests for a flat, annual fee.

2)     Implement good Access Control Policies:

Of course, you have no control over what your employees do with their own, personal devices.  But you do have it with company-issued devices, and all of your Cloud-based deployments.  Make sure that you review your security policies in this regard on a regular basis, and keep updating them.  But even more importantly, implement Privileged Access Management technology (also known as “PAM”) to further protect superuser accounts.

3)     Try to keep up:

You will always, as far as possible, want to stay ahead of the proverbial cat and mouse game.  One of the best ways is to keep analyzing the information and data that your network security devices are giving you, and try to keep modeling the future Cyber Threat Landscape as it fits your business.  Of course, no human can do this kind of herculean task on their own, so this is where both AI and ML will become very useful to you.

My Thoughts On This:

I think that this is the first time I have written anything on this topic, but I learned quite a bit from it.  Oh yeah, along with the above-mentioned tips, don’t forget the good ole fashioned one:  Always keep training your employees, especially about how to recognize a Phishing email, Trojan Horses, and Key Loggers.  Also, try to run antivirus and antimalware scans on all company-issued equipment on a daily basis.

The Critical Role of Managed Services Providers in SMBs Cybersecurity

Today, the Cybersecurity world is full of vendors that are now starting to offer many affordable services to the SMB market, and most importantly, at a price point that they can afford.  But to the SMB owners, it is still like a jigsaw puzzle, and as a result, they have to find different vendors that offer the Cyber services that they need.  But before they decide what they need, they need to do some sort of assessment first.

But, we are not talking about the traditional risk assessment.  What we are talking about is mapping out the business processes of an SMB, and figuring out what they need from that.  In this podcast, we have the honor and privilege of interviewing both Adam Barney and Mike Kold of Framework IT.  Find out in this podcast how they determine what an SMB truly needs, from the standpoint of Cyber services.

You can download the podcast at this link:

https://www.podbean.com/site/EpisodeDownload/PB148A4AD9P535

Saturday, September 2, 2023

A Chronological Overview Of Cyberattacks On ICS/Critical Infrastructure

As the political environment starts to worsen here in the United States, and as the drama starts to unfold next year with all of the trials and new Presidential Elections, Cybersecurity will for sure start ramping up yet once again. 

There will of course be the fears of the Chinese and Russians once again interfering, but now the new fear will be that of attacks on our Critical Infrastructure.  This is something that I have written about before, and have even written articles on.

We have already seen attacks take place, with the most famous example being that of the Colonial Gas Pipeline.  But once inside the infrastructure, the Cyberattacker is geared towards one main thing:  Gaining access to the Industrial Control Systems, also known as “ICS” for short.  You may be wondering what exactly it is.  It can be defined as follows:

“Industrial control system (ICS) is a collective term used to describe different types of control systems and associated instrumentation, which include the devices, systems, networks, and controls used to operate and/or automate industrial processes.”

(SOURCE:  https://www.trendmicro.com/vinfo/us/security/definition/industrial-control-system)

So as you can see, it is not just one system or component, but rather multiple ones, which make, for example, the water supply abundant and immediately available when you turn on the faucet.  But what makes these so vulnerable is that they are all interconnected together.

So if you hit one component, it will have a cascading effect on the others, most likely shutting the whole thing down.

Unlike with digital assets, where you can segment them out into different zones, the same cannot be said of Industrial Control Systems.  The primary reason for this is that the ICS technology is incredibly old, going back all the way to the 1960s.  But attacks on ICS systems are nothing new, as a review of the following attacks demonstrates:

1)     Stuxnet:

This is probably the most talked about attack to an ICS system.  It was not launched by Cyberattackers, but rather by the United States.  The intent here was to target the centrifuges in the key nuclear facilities located in Iran, in an effort to halt their nuclear program.

More details on it can be seen at the link below:

https://www.darkreading.com/vulnerabilities-threats/10-years-since-stuxnet-is-your-operational-technology-safe-

2)     Havex:

This is an actual security breach in which the Cyberattackers launched different attack vectors, such as using Phishing Emails and defacing the websites of various ICS facilities.  In this instance, legitimate software patches and upgrades were replaced with malicious ones, which were hard to tell apart from the real ones.  Once they were downloaded and applied, the goal was to totally infect the Network Infrastructure of an ICS facility.

More details on it can be seen at the links below:

https://www.cisa.gov/news-events/ics-alerts/ics-alert-14-176-02a

https://archive.f-secure.com/weblog/archives/00002718.html

3)     Black Energy 2-3:

This kind of attack was launched at the United States directly, focusing upon nuclear power plants, electric grids, water purification systems, and oil and gas pipelines.  This same piece of malware was used to attack the Energy Infrastructure of Ukraine.  But this time, the Cyberattackers had to manually find their way around the IT and Network Infrastructures, and from there, delivered the malicious payload.

More details on it can be seen at the link below:

https://abcnews.go.com/us/trojan-horse-bug-lurking-vital-us-computers-2011/story?id=26737476

4)     Industroyer Crashoverride:

This piece of malware was designed to specifically cause damage to the Critical Infrastructure in which the Cyberattackers targeted.  This was deemed to be a step up when compared to the other previous three attacks, because the Cyberattackers communicated directly with ICS based protocols.

More details on it can be seen at the link below:

https://www.dragos.com/wp-content/uploads/CrashOverride-01.pdf

5)     Trisis/Triton:

This attack was deemed to be different than the others, in that this threat variant specifically targeted the safety mechanisms that are in place at the various ICSs.  This was also considered to be a step up when compared to the other attacks.

More details on it can be seen at the link below:

https://www.darkreading.com/vulnerabilities-threats/schneider-electric-triton-trisis-attack-used-0-day-flaw-in-its-safety-controller-system-and-a-rat

6)     Industroyer2:

This was once again geared towards the energy facilities based in Ukraine, but this time, the threat variant was aimed at the circuit breakers, by repeatedly turning them on and off, in both random and successive fashions.

More details on it can be seen at the link below:

https://www.dragos.com/threats/the-2022-ics-ot-vulnerability-briefing-recap/

7)     Pipedream:

So far, this has been deemed to be one of the worst pieces of malware to come out against ICS.  It has the ability to directly interact with other components of the ICS, and even find its way around it on an automated basis.

More details on it can be seen at the link below:

https://www.dragos.com/threats/the-2022-ics-ot-vulnerability-briefing-recap/

My Thoughts On This:

So as you can see, the threats against ICS and Critical Infrastructure are getting much more sophisticated and covert, as evidenced by the above chronology of events.  But the silver lining in the cloud here is that it does take time for the Cyberattacker to launch a threat against an ICS.  It is not the same thing as targeting IT or Network Infrastructure, as the components are far more outdated and require careful study.

But even in this realm, the Cyberattacker is about to catch up, and take the lead.  It is absolutely imperative that this does not happen, so that as a society, we can mitigate the risks of anything drastic happening to our precious resources.  Remember, their goal is not to steal just PII datasets, but to cause as much physical damage as possible.