Saturday, October 28, 2023

6 Golden Aspects Of A Good Cyber Hygiene Plan



Introduction

The world of Cybersecurity is bandied about with a bunch of big buzzwords, techno jargon, etc.  One of these is the term “Cyber Hygiene”.  It has become much more prevalent as the COVID-19 pandemic continues, and the Remote Workforce is now here to stay for the long term.  This is the focal point of this article.

What Is Cyber Hygiene?

In a general sense, Cyber Hygiene means that all employees of a business, even up to and including the C-Suite, must follow a set of best practices in order to make sure that all devices and digital assets are protected from being a Cyber target. 

With the advent of the Internet of Things (IoT) and just about everything being connected together, the attack surface has greatly expanded.  Thus, the need to be proactive is a must these days, and not just something that gets checked off a list at a later point in time.

The Cyberattacker of today has now become extremely stealthy and covert – in fact, they find the weaknesses of an unsuspecting victim merely by building up a profile on them with information that is publicly available, primarily from Social Media Sites. 

In other words, your business and employees could very well be watched without anybody knowing it until it is too late.  This is yet another reason why maintaining a strong level of Cyber Hygiene is more critical than ever.

How To Maintain A Strong Level of Cyber Hygiene

The following are some tips to help your employees maintain a proactive mindset when it comes to Cyber Hygiene:

1)     Conduct an inventory of all of your assets:

This not only includes digital assets, but physical assets as well.  Remember, the Cyberattacker is going to go after those crown jewels that are the most vulnerable and least protected in your organization.  Therefore, your IT Security team needs to conduct an inventory of everything you have, and from there, complete a Risk Assessment, and rank them on a categorization scale.  This will then give you a good idea of which assets are most prone to a security breach and which are the least likely to be hit.  Those that are deemed to be the weakest should of course have the strongest controls associated with them.

2)     Teach your employees about passwords:

You need to train your employees about how to keep their passwords safe.  This includes not sharing them with other coworkers, and not using a slight variation on an existing password when it comes time to reset it.  But most importantly, tell them about the dire need now to create long, complex passwords by making use of a Password Manager.  With this, these kinds of passwords can be created instantaneously, without your employees having to remember them.  Also, they can be reset on a prescribed time schedule, which is based upon your security policies.

3)     Always update your systems:

This is probably one of the oldest security rules to be found in the books.  But despite this, many organizations fail to heed it, until it is too late.  Therefore, your IT Security team needs to make it an almost daily practice to keep checking for the latest software updates and patches, and deploy them as needed.  But, one key thing has to be remembered here:  As far as possible, always test these patches and upgrades in a sandboxed environment first, before they are released into your IT and Network Infrastructure.  This extra practice is to help ensure that what is about to be applied will actually work in your environment, and not create an even bigger security nightmare.

4)     Keep an eye over what is assigned:

This simply means adopting the principle of Least Privilege:  Give only the bare minimum of rights, privileges, and access to your employees that they need to get their job done.  This even includes the members of your IT Security team.  But there is one thing that you also need to keep your eye on – a sudden escalation in the administrative rights that have been given to an employee.  This means that either they somehow did this themselves (which could also be indicative of an Insider Attack that is about to take place), or a Cyberattacker has gained access to the database where all of the user profiles are stored.  Therefore, you need to keep a vigilant eye out in case this does happen.  Any escalation in privileges should occur only after a review of the request has been done, and only if the employee really needs it.
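One way to put the "keep an eye on escalations" advice into practice is to check every addition to an administrative group against the list of reviewed and approved access requests. The code below is an added example and is not from the original article; the audit log line format, the group names and the approved-request records are all constructed for illustration.

```python
"""Flag administrative-group additions that have no approved request behind them.

Added example (not from the original post). The log format, admin group
names and the approved-request records below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
import re

# Constructed audit log lines (not real events). Each records a change to a
# user's group membership: who made it (actor), for whom (target), and the group.
SAMPLE_LOG = """\
2023-10-28T08:02:11Z actor=hr_admin target=jdoe action=group_add group=Sales
2023-10-28T09:15:42Z actor=it_admin target=asmith action=group_add group=Domain Admins
2023-10-28T11:47:03Z actor=bjones target=bjones action=group_add group=Domain Admins
2023-10-28T13:05:27Z actor=svc_backup target=mlee action=group_add group=Administrators
2023-10-28T14:30:00Z actor=it_admin target=tkim action=group_remove group=Administrators
"""

# Groups whose membership grants administrative rights (constructed list).
ADMIN_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}

# Constructed approved access requests: who was reviewed and cleared for which
# group, by whom, and until when the approval is valid.
APPROVED_REQUESTS = [
    {"target": "asmith", "group": "Domain Admins",
     "reviewer": "ciso", "expires": "2023-10-29T00:00:00Z"},
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) target=(?P<target>\S+) "
    r"action=(?P<action>\S+) group=(?P<group>.+)$"
)


@dataclass
class Escalation:
    ts: str
    actor: str
    target: str
    group: str
    reason: str  # why this event was flagged


def _parse_ts(value):
    # Accept the trailing "Z" form used in the constructed log lines.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_line(line):
    """Return the fields of one audit line as a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_approved(event, requests):
    """True when an unexpired approved request covers this target and group."""
    ts = _parse_ts(event["ts"])
    for req in requests:
        if req["target"] != event["target"] or req["group"] != event["group"]:
            continue
        if ts <= _parse_ts(req["expires"]):
            return True
    return False


def find_unreviewed_escalations(log_text, requests=APPROVED_REQUESTS):
    """Return admin-group additions that were self-granted or lack an approval."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        # Only additions to administrative groups are escalations of interest.
        if ev is None or ev["action"] != "group_add" or ev["group"] not in ADMIN_GROUPS:
            continue
        if ev["actor"] == ev["target"]:
            reason = "self-granted admin rights"
        elif not is_approved(ev, requests):
            reason = "no approved request on file"
        else:
            continue  # reviewed and approved: nothing to report
        findings.append(Escalation(ev["ts"], ev["actor"], ev["target"], ev["group"], reason))
    return findings


if __name__ == "__main__":
    for f in find_unreviewed_escalations(SAMPLE_LOG):
        print(f"{f.ts} {f.target} added to '{f.group}' by {f.actor}: {f.reason}")
```

Run against the constructed log, the approved addition of asmith is silent, while the self-granted entry for bjones and the unrequested addition of mlee are reported for review.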

5)     Get rid of old equipment:

This is also technically referred to as “End Of Life”.  This means that the hardware or software that is used in the device is no longer supported.  In other words, there will no longer be any software upgrades or patches available for them.  Obviously, this can pose a grave Cybersecurity risk to your company.  But don’t just get rid of them by simply throwing these out-of-date devices into the trashcan.  Rather, make use of a data destruction company that can properly purge any information and data, and dispose of them in a safe and secure fashion, so that they are not vulnerable to Dumpster Diving attacks.

6)     Have Security Awareness Training:

This is also one of those things that you hear about on a daily basis, and unfortunately, most CISOs still disregard the importance of it.  With the bulk of the American workforce still working from home (WFH), this kind of training is now even more important than ever before.  There are many ways that you can go about implementing this, but the key here is to make the training engaging and to test the employees to make sure that they are taking it seriously.  A good example of this is Phishing training.  After you have explained what it is and how to recognize a rogue email, conduct a mock Phishing campaign to see which of your employees still fall for the bait.  Those that do should be retrained, with a much stronger emphasis on the seriousness of it.

Conclusions

Overall, this article has provided you with some tips as to how you can maintain a good level of Cyber Hygiene for both your business and employees.  Obviously, there are more action items that need to be taken into consideration, but this list is a good start.  In the end, we all are prone to becoming a victim of a Cyber-attack, but by having a strong level of Cyber Hygiene, that risk should be greatly mitigated.

Friday, October 27, 2023

Fast Track Back To The 1980s: How Did We Survive Without AI Or Google???



When it comes to IT Security, there is one tough job that probably nobody wants to have:  Being the tech support person.  I used to do it a long time ago back in my grad school days, and I got a huge feeling of joy when I knew I made a difference in the day of a customer.  But keep in mind that this applies to only 20% of them.  The remaining 80% want everything fixed right now, and when you repair something, they show no appreciation for it whatsoever. 

As technology has evolved further, and as people are pretty much working remotely now, the support tech is faced with yet another daunting task:  How to keep employees honest and abiding by the rule of using only authorized tools for doing their daily job tasks.  This is even harder to enforce when people work from home.  This has been a problem for a long time, and it has become technically known as “Shadow IT”. 

But further exacerbating this problem now is the explosion of Generative AI, and how people are using it much more often in the workplace in order to meet tight deadlines.  In fact, The Conference Board just conducted a research project on this, and here is what they found:

*56% of employees now use Generative AI, whether it is allowed or not.

*Only 26% of businesses surveyed have an active AI security policy in place.

*Over 30% of employees use Generative AI to speed up their deliverables even though they were not supposed to.

*91% of the IT support techs polled feel pressured to compromise security in order to boost the bottom line by using AI tools.

*Astonishingly, 81% of the tech support reps feel that it is almost impossible to enforce security policies, especially when it comes to using AI.

More details about this study can be seen at the following link:

https://www.conference-board.org/press/us-workers-and-generative-ai

So now, it’s not so much the issue of using non-approved devices or apps; it’s becoming the risk of using Generative AI in the workplace when employees have been told specifically not to.  This trend has been appropriately called “Shadow AI”.  So, what can be done about this?  Here are three tips any CISO can adopt and follow:

1)     Let ‘em use AI:

Let’s face it, AI is here to stay, and it is not going anywhere for a long time to come.  So, why not let your employees just use it?  Well, to a certain degree.  You and your IT Security team should find a bunch of AI apps that employees can potentially make use of.  But before deploying them, first vet them and test them out in a sandbox environment.  Then, tell your workers all about it, and encourage them to use it.  By doing this, you will be showing them that you take their career growth seriously, and by giving them at least something Generative AI related, this should alleviate the temptation of using non-approved AI tools.  But also caution your employees in this regard, and remind them of the consequences if they don’t follow the rules.  Try to emphasize that as much as you are investing in them, they need to reciprocate equally as well.

2)     Educate them:

We all keep hearing every day how important it is to have security awareness training for employees.  The same now also holds true for the use of Generative AI in the workplace.  There are serious risks that arise from not following the security policies that have been set forth.  Remind them that if they do use unauthorized AI apps, this can have grave consequences not only for the company but for their jobs as well.

3)     Monitor all activity:

As the CISO, make sure that your IT Security team is monitoring all activity.  There are many tools that can be used to automate this process, and yes, they are AI driven.  LOL. 

My Thoughts On This:

Hopefully, by putting the above-mentioned tips into action, your employees will be a happier crowd.  But then of course, there will be those who whine and complain that they have to use Generative AI 100% of the time in order to get their jobs done.  If this happens, throw this question back to them:  How did you make it in high school and college when there was no AI or Google???

That is of course, if they are of that age.

Thursday, October 26, 2023

What Is The Latest In Wireless Security? Find Out Here



One of the biggest buzzwords we hear in the Cyber world is that of threat intelligence.  This can have different meanings to just about anybody you ask, but on a global level, it simply refers to the act of collecting information and data to try to predict what future threat variants could possibly look like.  This of course can be a very time-consuming process, but there are other tools now which are available to speed up the process, and this includes the likes of AI and ML.

Every business thinks about protecting their digital assets first. But what about the more tangible ones, such as the wireless connections and smartphones that your employees make use of to do their daily job tasks?  After all, wireless devices still remain a highly prized target in the eyes of the Cyberattacker.  What can be done to fortify your lines of defense in this regard?

Well, in today’s podcast, we have the honor and the privilege of interviewing Dr. Brett Walkenhorst, the CTO of Bastille.  They have created cutting-edge solutions for this very scenario.

You can download the podcast at this link:

https://www.podbean.com/site/EpisodeDownload/PB14E0A4CUUTIY

Saturday, October 21, 2023

Are Cyber Table Tops Really Worth It? 3 Reasons Why They Still Are



In the blogs that I have written not only for myself, but for paying clients as well, I have developed a lot of content when it comes to testing, Incident Response, Disaster Recovery, Business Continuity, etc.  The common denominator in all of this is that there is some kind of technological tool and human intervention that is used. 

But there is yet another way in which a business can beef up its line of defenses without having to use any kind of technology per se.

These are known as “Tabletop Exercises”.  They can be defined as follows:

“A tabletop exercise is a discussion-based practice that uses a hypothetical situation to coach a technical or executive audience through the cybersecurity incident response life cycle.”

(SOURCE:  https://www.darkreading.com/operations/top-6-mistakes-in-incident-response-tabletop-exercises)

So as you can see from the above, these kinds of exercises are very much discussion based.  The leader portrays a hypothetical security breach, and the audience is asked to come up with a solution.  While these can be effective to varying degrees, there are a number of key areas that a CISO and his or her IT Security team need to address in order to make Tabletop exercises even more effective. 

Here are the tips:

1)     Involve the entire audience:

It is very important to remember that a Tabletop exercise is not just another college lecture where you have PowerPoint slides and give out notes.  These are meant to be engaging, and in order to make it so, each member has to be involved and give their input.  In fact, this is really very much like a Security Awareness Training program for your employees.  In order to get great participation, you have to make it both fun and engaging.  In other words, you want to make this something like a social event.  If the audience is large enough, break them out into separate teams for even closer collaboration.

2)     Get different groups of people involved:

A cardinal rule of thumb here is never to get the same crowd over and over again.  It is very important that you get different participants all the time, so that you will get varied feedback.  That will be much more meaningful than getting the same answer out every time, but in different ways.  For example, perhaps take a representative number of employees from each department that exists in your business.  That should give you some varied answers.  Also remember that Tabletop exercises are not just restricted to employees, you should also get other key stakeholders involved as well.  Consider this like a focus group interview you are conducting to get market research on a potential new product or service you could launch.

3)     Vary up the threat variants:

As mentioned earlier in this blog, the facilitator of the Tabletop exercise usually starts out with a hypothetical security breach.  But it is also important to keep in mind that you need to mix up the threat scenarios.  For example, in one training session, talk about Ransomware, in the next Phishing, etc.  But always make the threat relevant to the business.  For example, if you choose to use a Phishing based scenario, then give the example of a Business Email Compromise (BEC) attack, and how the accounting team can fall into the trap of responding to a fake invoice.  But also remember not to make the scenarios so depressing for the audience that they simply do not want to respond or give feedback.  It takes a balance here.  Further tips on how to do this can be seen at the link below:

https://www.darkreading.com/edge-articles/designing-tabletop-exercises-truly-help-thwart-cyberattacks

Also remember that by varying your attack scenarios,

My Thoughts On This:

One of the key areas that is extremely beneficial from a Tabletop exercise is the feedback that is solicited from the audience.  Remember to incorporate these into all of your security plans, primarily your Incident Response (IR), Disaster Recovery (DR), and Business Continuity (BC) plans.  But the best lesson learned is to practice them on a real time basis, at least once a quarter!!!

Friday, October 20, 2023

How To Embrace The Era Of Cyber Transformation - 3 Golden Nuggets



One of the key buzzwords in Cybersecurity is that of “Transformation”.  Just like other techno jargon that flies around out there, this term can have different meanings to different people.  But broadly speaking, it can be defined as follows:

“A cybersecurity transformation enables you to rapidly reduce cyber risk and confidently adopt new digital technologies that support your strategic goals.”

(SOURCE:  https://www.pwc.com/m1/en/services/consulting/technology/cyber-security/transformation.html)

But in the end, it is the CISO who has to embrace this definition and make it work for their organization.  Of course, being such a broad definition, this is for sure a tall order to fulfill.  So, how can it be done?  Well, one lesson I have learned in life is to break down things into more manageable tasks, and get help when you need it.

So in this regard, here are three steps that a CISO or even a vCISO can take to accomplish this part of their mission.  Here we go:

1)     Get the right people:

Very often, when a CISO gets a new project handed down to them, their first inkling is to handle it all by themselves in order to prove their worth to their higher ups.  But this is totally flawed thinking.  The primary role of the CISO (vCISO) is to take the project, but assign it down to the relevant members of the IT Security team (or even other departments as necessary) to get the job done.  Take for example a Disaster Recovery (DR) plan.  Obviously, a CISO cannot write the entire plan by themselves, so you delegate to the different people who can write the different sections and compile the entire thing.  Then it is your responsibility, as the CISO, to review the document and deliver the final one to the higher ups.  But most importantly, you will also be responsible for practicing the DR plan on a regular basis to make sure that it is up to snuff, and that the people on the team will react quickly to bring up mission critical processes as fast as possible.  Make sure to spread the knowledge that you have, and always communicate in a clear and concise manner.

2)     Make sure your goals are the company goals:

By this, I simply mean that whatever you are doing, make sure as much as possible that it is also relevant to the entire company and not just to your team.  Take for example the DR plan once again.  Obviously, your IT Security team can’t write it all.  You need to get people from other departments involved (such as HR, Finance, Accounting, etc.) to write their parts as well.  After all, they will be directly impacted by a security breach as well.  Another example would be Cybersecurity awareness training.  You can’t use a one-size-fits-all approach for this.  For instance, what your IT Security team needs to be trained in will have no relevance whatsoever for, say, the HR department.  They need to be trained in the concepts of Social Engineering so they can spot calls coming directly from phony recruiters.

3)     Think of the holistic picture:

This can be considered kind of a repeat of the last one.  But in this instance, once you are given a project and have completed it over the required time period, you need to be asking yourself, “How will the company benefit from all of this?”  Of course, the first thought here is to see how your specific role can benefit from this, and how you can advance.  But in the long term, this is rather a selfish way of thinking.  Instead, think also (and most importantly) about how your entire company can benefit from it.  Ultimately, when you present the final deliverable to the CEO and Board of Directors, they will see the ROI quickly.  And in the end, this will simply be brownie points for you, the CISO.

My Thoughts On This:

I guess the moral of the story here is that you, the CISO, need to get away from the siloed way of thinking that is so prevalent in the Cyber industry today.  Working in silos serves no purpose whatsoever in today’s digital age.  By taking the holistic approach and way of thinking, you, your company, and everybody else will advance in the long run.

Saturday, October 14, 2023

To Use ChatGPT Or Not: A Writer's Dilemma



Although it is a story now well past, do you remember the Hollywood writers’ strike?  I never really paid too much attention to it, not until today.  Apparently, there was a lot more at stake than I had realized.  At the crux of the matter was how Artificial Intelligence (AI) would impact the writers’ ability to get the much-deserved credit, and most importantly, compensation for all of that hard work.

Probably even last year, this would not have been an issue at all, or even long before that.  As I have written before, AI has been around for a very long time.  In fact, I wrote an entire book about it, and I covered in some detail how AI will never be even remotely close to the human brain. 

The best that it will ever achieve in terms of business dominance is being used for automation purposes for mundane and routine tasks, and possibly augmentation of other processes.

The primary reason why AI has become such a furor is the dawn of ChatGPT. It seems like everybody I know uses it, for good reasons of course.  But in the world of writing, no matter what the form is, authors and writers are now using this platform to create novels, books, manuscripts, etc.  While there is nothing legally wrong with this, I find ethical issues with it.

I mean, I am all for using ChatGPT as an aid, or a supplementary tool, but not for writing an entire manuscript.  You see, there is really nothing magical about ChatGPT.  It once again uses AI algorithms, most notably those of GPT-4.  So, to give you an idea of how it works, you simply tell ChatGPT the permutations of the content that you want to write, and wham-bham, it will give you something in just a few minutes.

But keep in mind that this is not original content!!!  Remember, ChatGPT is nothing but garbage in and garbage out.  So, as the input to produce your desired output, it will need content from other books, texts, manuscripts, etc.  The problem here is that ChatGPT will not tell you where it extracted its information from.  So if you end up somehow publishing this work, you run the risk of a lawsuit if other authors and writers see that their work is in yours!!!

In fact, just recently, there have been a few lawsuits in this regard.  For me as a technical writer, I hardly put any emotion or thoughts into the words I write.  My job is merely to take all of the complicated stuff that happens in the Cybersecurity world and bring it down to a level that anybody can understand and apply.  Probably the best example of this is these blogs I write.

I look up articles on the Internet to see what the latest happenings are, and write it in such a way that it is meaningful to you, and that you can apply it somehow in your everyday life.  I have never used ChatGPT for anything I have ever written, and I don’t ever intend to. 

It is my most heartfelt opinion that a writer or an author should be able to write content on their own, using their own style and voice.  Of course, one will need resources to use, and that is why there is Google, and I guess to a certain extent, ChatGPT.

But if you are a novelist or a creative writer of different sorts, ChatGPT will be of no use to you.  You see, AI cannot output sentiments, emotions, feelings, or anything like that.  It only gives you a directed output to what you are asking directly, through the various queries that you submit to it. 

So in this regard, you need to learn how to create meaningful queries, which are also known as “Prompts”.  In fact, a whole new field of social science has evolved around this, officially known as “Prompt Engineering”.

My Thoughts On This:

Back to the Hollywood saga:  Eventually, the writers were able to reach an agreement on a contract.  They will get compensated and credited for the work that they have done, but in return, if they use ChatGPT or any other type of AI tool for content generation, then they have to explicitly state that in their respective manuscripts. 

Will we see more of these kinds of disputes and lawsuits down the road?  I predict that there will be.  As ChatGPT evolves further, writers and authors will have different purposes for using it.  But I sincerely hope that anybody in the writing field, no matter what it might be, will use their natural brain much more so than an artificial one.

If you want to see an article which details some of ChatGPT’s disadvantages, click on the link below:

https://www.darkreading.com/application-security/chatgpt-other-generative-ai-apps-prone-to-compromise-manipulation

Friday, October 13, 2023

The Return Of The Keylogger!!!



In today’s Cyber world, most of the threat variants that we keep hearing about are pretty much Phishing and Ransomware.  But even as these have become the prominent ones of today, don’t forget that the old-fashioned ones still linger around. 

These are the Trojan Horses, Worms, Viruses, etc.  But there is still one that we hardly hear about:  The Key Logger.  You may be asking at this point what exactly it is.  Well, it can be technically defined as follows:

“Keyloggers are a particularly insidious type of spyware that can record and steal consecutive keystrokes (and much more) that the user enters on a device. The term keylogger, or "keystroke logger," is self-explanatory: Software that logs what you type on your keyboard. However, keyloggers can also enable cybercriminals to eavesdrop on you, watch you on your system camera, or listen over your smartphone's microphone.”

So simply put, it is a malicious payload that is deployed onto your computer – it records each and every keystroke that you make.  The Cyberattacker uses this primarily to capture your login and password information.  Of course, they could even record a conversation that you are having and use that to launch an extortion style attack, but without the Ransomware component attached to it.

The question often arises whether they are legal or not.  Technically, they are not illegal, but it depends upon the activity in which they are engaged.  For example, if you are a remote worker, your employer could very well deploy keylogging software to keep an eye on you to make sure you are doing work related activities.  But, if the Cyberattacker is engaging in it, then by all means, yes, it is illegal.

But the history of keylogging goes back farther than even Phishing does (its first notable attack was on the AOL subscriber base in the late 1990s).  Believe it or not, the first keylogger came out in the 1970s.  This was actually used to spy on electric typewriters. 

This was developed by scientists in the Soviet Union, during the peak of the Cold War.  At the time, it was called the “Selectric Bug”, and more information on it can be found at this link:

https://spectrum.ieee.org/the-crazy-story-of-how-soviet-russia-bugged-an-american-embassys-typewriters

But of course now, in today’s digital world, keyloggers have become extremely stealthy and covert.  You simply do not know when one has been deployed onto your device or computer.  So now, here are the major types of keyloggers:

1)     The USB keylogger:

Yes, you got it.  Those portable storage devices that you use, such as USB ones, can also carry keylogging software that nobody knows about.  So, once you insert it, that malicious payload will be deployed onto your computer.

2)     The Acoustic keylogger:

Believe it or not, each click on your keyboard resonates with a unique sound.  The keyloggers of this type can record this, and even recreate an entire document from it.  A study on this was conducted by UC Berkeley, and in one instance, they were able to recreate 96% of the content of a document.  More information about this can be seen at the link below:

https://newsarchive.berkeley.edu/news/media/releases/2005/09/14_key.shtml

3)     The Electromagnetic keylogger:

Yes, even your keyboard emits faint electromagnetic emanations that can be picked up.  More technical information about this can be seen at the link below:

https://vimeo.com/2007855?pg=embed&sec=2007855

4)     The Smartphone keylogger:

If the Cyberattacker can break into your smartphone, it will be quite easy for them to use the sensors on it to launch a keylogger onto it.  Research has shown that the accuracy rate of this can be as high as 97%.

5)     The Software keylogger:

This is probably the most “famous” one out there, and has been used for the longest time.  These often appear as Trojan Horses, or can even be deployed if you click on a malicious link.  That is why it is also imperative that you do not click on web advertisements when you are in your web browser.

My Thoughts On This:

Keylogging software can also be used for ethical purposes as well, especially when it comes to developing new products and services, in an effort to enhance the end user experience.  It can also be used to detect gaps and vulnerabilities in the source code of a software application.

Now you might be wondering, how can you protect yourself from getting a keylogger?  Well just practice good Cyber Hygiene.  It will never eliminate the risk in its entirety, but it will for sure mitigate it. And always keep your smartphone updated with the latest patches and upgrades.

Wednesday, October 11, 2023

The Latest Innovation In Cybersecurity: 24 X 7 X 365 SOC Services With Cyber Insurance



In today’s world, many organizations, especially the SMBs, are seeking Cyber solutions that are holistic in nature.  Cyber vendors are starting to do this now, rather than having business owners put together a piecemeal approach, where interoperability could be a huge problem.  But there is yet another thing that the SMB owner is seeking which can be so hard to get these days:  Cybersecurity Insurance.  It is rare to see a Cyber vendor bundle that together with a complete, defensive solutions package.  But, there is one.

In this podcast, we have the honor and privilege of interviewing Chase Norlin, the CEO of a leading Cyber company called Transmosis.  In this podcast, he reviews in detail their complete Cybersecurity solution, and how the insurance bundle is tied into it.  If you are an SMB owner, this is a must-listen podcast. 

You can download the podcast at this link:

https://www.podbean.com/site/EpisodeDownload/PB14C9ECBH3FND

Saturday, October 7, 2023

Need A Cybersecurity Ally? NIST Is Right There



Whenever I have talked about doing a Risk Assessment Survey (like in yesterday’s blog), I always put in the disclaimer that one should follow a prescribed set of procedures for doing this, like a particular framework.  In this regard, I have always strongly advocated the use of the ones that have been set forth by the National Institute of Standards and Technology, also known more popularly simply as “NIST”. 

One of the areas I have written about extensively is that of the CMMC, which is actually a derivative of the NIST Special Publication (SP) 800-172. 

In fact, NIST goes back a long way.  My first interaction with them came when I attended a Biometrics Conference in 2002, in Alexandria, Virginia.  It was quite a well-organized event, with the major vendors coming out and showcasing their products and solutions. 

But since then, NIST has taken a very active role now in Cybersecurity, coming up with different standards, metrics, KPIs, best practices, and of course, the various frameworks that it has established.

Their first SP to be released on Cybersecurity came back out in 2014.  The ultimate goal of the NIST is to help businesses of all kinds and types, and even government agencies, to help them fortify their lines of defenses even more. 

Not only do the SPs provide timely guidance, but NIST also has a ton of templates that any business owner can use.  They may look confusing at first, but once you start plowing through them, they aren’t too bad to figure out.

But the unfortunate part of all of this is that Corporate America still has not adopted the services provided by NIST in a timely manner.  Some reasons cited for this include the lack of penalties for non-usage, and the fact that many business owners do not feel that the certifications NIST offers are as relevant as some of the others that are out there.

But the other problem here is that NIST has not really put in the time to make their certifications as glamorous as those from CompTIA or even the ISC(2).  They do have some certs, and to see them, follow the link below:

https://www.strikegraph.com/blog/what-is-nist-certification

But although these certs may not hold the same appeal as the others, if your business’s main bread and butter is providing services to the government (whether IT Security or Cybersecurity related), the more of them you have from NIST, the better your image will be when it comes time to bid on, and perhaps even win, contracts from the Department of Defense (DoD). 

Going back to the CMMC, the DoD now even requires defense contractors and their subcontractors to have some sort of certification level as it has been laid out by NIST.

The moral of the story here is that while the private sector may not hold NIST in high regard yet, the Federal Government certainly does.  And if you can acknowledge that fact and get some of their certs, you will be golden in the eyes of the government officials that award the contracts. 

In fact, many in the private sector are calling for NIST to have certification levels that are on par with those provided by the ISO, such as ISO 9001 (Quality Management System) and ISO 27001 (Information Security Management System).

People would like NIST to not only offer ones like the above two, but to also offer certifications whenever a business has adopted and made use of a particular type of framework.  The only downside to this is that if a business aspires to get one of these certifications, it will then have to go through a huge audit process to make sure that all of the necessary controls have been put into place, much like getting an ISO certification.

My Thoughts On This:

As I was writing this blog, I was quite surprised that NIST is not actually its own government agency, or even part of one.  Rather, it is a private entity all on its own, but it is supported and, as mentioned, highly regarded by the Federal Government. 

But keep in mind also that NIST does not just come out with frameworks; it also works closely with other agencies (like CISA) and other companies in the private sector to keep an exhaustive library of all of the known threat vectors and their signature profiles.

IMHO, the best way to get started with NIST is to get to know them better.  Here is the link to their website:

https://www.nist.gov/

From there, you can access all of their resources, which I think for the most part are free.  To get more detail on the NIST Cybersecurity Framework, click on the link below:

https://www.darkreading.com/physical-security/a-guide-to-the-nist-cybersecurity-framework

Friday, October 6, 2023

Enhance Your Patching Process With These Top 4 Metrics

One of the key components of any kind of security policy for a business is to have a regular schedule for performing software patches and upgrades.  But what the timing should be is really entirely up to the CISO, or even the vCISO.  In my opinion, given the dynamics of the Cyber Threat Landscape, it should be done once a week.  In fact, when I started my first IT job over 20 years ago, this was the norm, even all the way back then.

But it takes resources to monitor all of this, as you will most likely need to have a dedicated person on hand to do it.  Not many people think about this, but it matters a lot to the other members of the C-Suite, and even to the Board of Directors.  The good news here is that there are metrics and Key Performance Indicators (KPIs) that you can use to put a quantitative assessment on it.

So, here is a review of some of the major ones that you can make use of:

1)     The Mean Time To Remediate:

The acronym for this is “MTTR”.  It simply measures how long it takes your dedicated resources to put software patches and upgrades into your production environment after they have first been announced.  The one primary disadvantage of this kind of metric is that it treats all patches and upgrades in the same manner.  So, for example, a low priority one will receive the same weighting as a high priority one.  However, some CISOs have been known to use the MTTR solely for tracking the latter.

2)     The Mean Time To Detect:

The acronym for this is “MTTD”.  Essentially, this metric shows how long it takes your IT Security Team to detect an actual threat variant that exists in your IT/Network Infrastructure, and also how long it takes them to apply the relevant patch to remediate it.  In a way, this can be viewed as an enhancement to the MTTR.  For more information on this, click on the link below:

http://cyberresources.solutions/blogs/Threat_Report.pdf

3)     The Mean Time To Prioritize:

The acronym for this is “MTTP”.  This metric reflects the degree of vulnerability of all of the digital and physical assets that you have at your business.  Typically, all of the details for this will come into play when you first conduct a comprehensive Risk Assessment Analysis.  This can then be fed into the MTTP, and it will show how quickly you need to respond to a security breach that has impacted your most vulnerable assets.  One of the responses is, of course, mitigation through your Incident Response (IR) Plan, but the other key component is applying the relevant software patches and upgrades in a timely manner.

4)     The Mean Time To Communicate:

The acronym for this is “MTTC”.  This is actually a new metric, and this is the first time that I have ever heard of such a thing.  This metric shows how well your IT Security team can interact with the other members of the IT Department.  If your business is large enough, these two departments will have independent tasks and duties to protect it.  For example, the IT Security team would be responsible for checking and downloading the software patches and upgrades, but then it would be up to the IT Department to actually roll them out into the production environment.  But this metric can also be used to gauge how effectively your IT Security team communicates with the relevant members of the other departments in your business. 
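The following is an added example, not code from the original post, showing how the MTTR and MTTD figures described above can be computed from patch records, and why the equal-weighting problem noted under MTTR matters.  The patch records, their timestamps, severities and the per-severity SLA targets are all constructed for illustration and do not refer to any real advisory.

```python
from datetime import datetime
from statistics import mean

# Constructed sample patch records (assumed format; not real advisories).
# Each record carries the timestamps the metrics in this post rely on:
#   announced - vendor published the patch (start of the MTTR clock)
#   detected  - IT Security found the affected asset in the environment (start of the MTTD clock)
#   deployed  - patch reached production (end of both clocks)
SAMPLE_PATCHES = [
    {"id": "PATCH-A", "severity": "critical",
     "announced": "2023-10-02T09:00", "detected": "2023-10-02T15:00", "deployed": "2023-10-03T11:00"},
    {"id": "PATCH-B", "severity": "high",
     "announced": "2023-10-01T08:00", "detected": "2023-10-03T10:00", "deployed": "2023-10-06T08:00"},
    {"id": "PATCH-C", "severity": "low",
     "announced": "2023-09-20T12:00", "detected": "2023-10-02T09:00", "deployed": "2023-10-20T12:00"},
    {"id": "PATCH-D", "severity": "low",
     "announced": "2023-09-25T12:00", "detected": "2023-10-04T09:00", "deployed": "2023-10-23T12:00"},
]

# Assumed remediation targets in hours per severity (a policy choice, not a NIST or vendor value).
SLA_HOURS = {"critical": 72, "high": 168, "low": 480}

_FMT = "%Y-%m-%dT%H:%M"


def _hours_between(start: str, end: str) -> float:
    """Elapsed hours between two timestamps in the record format above."""
    delta = datetime.strptime(end, _FMT) - datetime.strptime(start, _FMT)
    return delta.total_seconds() / 3600


def _select(patches, severity):
    return [p for p in patches if severity is None or p["severity"] == severity]


def mttr_hours(patches, severity=None):
    """Mean Time To Remediate: announced -> deployed.

    With severity=None every patch is weighted equally, which is the weakness
    the post points out; passing e.g. 'critical' tracks only that tier,
    the workaround some CISOs use.  Returns None when nothing matches.
    """
    selected = _select(patches, severity)
    if not selected:
        return None
    return mean(_hours_between(p["announced"], p["deployed"]) for p in selected)


def mttd_hours(patches, severity=None):
    """Mean Time To Detect as defined in the post: detected -> deployed."""
    selected = _select(patches, severity)
    if not selected:
        return None
    return mean(_hours_between(p["detected"], p["deployed"]) for p in selected)


def mttr_by_severity(patches):
    """Break the MTTR out per severity so a fast critical tier is not hidden by slow low-priority work."""
    tiers = sorted({p["severity"] for p in patches})
    return {tier: mttr_hours(patches, tier) for tier in tiers}


def sla_breaches(patches, sla=SLA_HOURS):
    """IDs of patches whose announced -> deployed time exceeded the target for their severity."""
    return [p["id"] for p in patches
            if _hours_between(p["announced"], p["deployed"]) > sla[p["severity"]]]


if __name__ == "__main__":
    print("Overall MTTR (hours):", mttr_hours(SAMPLE_PATCHES))        # 384.5, dominated by the low tier
    print("MTTR by severity:", mttr_by_severity(SAMPLE_PATCHES))      # critical 26.0, high 120.0, low 696.0
    print("Overall MTTD (hours):", mttd_hours(SAMPLE_PATCHES))        # 246.0
    print("SLA breaches:", sla_breaches(SAMPLE_PATCHES))              # ['PATCH-C', 'PATCH-D']
```

On the constructed data the overall MTTR of 384.5 hours looks poor, while the critical tier was actually closed in 26 hours; reporting the per-severity breakdown alongside the single number is what keeps the metric honest when it is presented to the C-Suite.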

My Thoughts On This:

Honestly, nobody really likes to be gauged by a set of metrics and KPIs, but this is the only way that value can be shown to the higher-ups, as previously mentioned.  A key factor here is to have buy-in from all of the members of the IT Security team, and to determine which ones are the most relevant to your security requirements.

A good way to help speed up the deployment process is to make use of automated tools, such as those that make use of AI and ML.  There are plenty of tools out there; the hard part will be figuring out which ones will be the most relevant for helping to secure your business.

I am also going to be writing a special whitepaper on the software upgrade and patching process (softwareupdate.art), so stay tuned for it!!!
